Mini-game "x了个x" score-farming vulnerability: brief analysis and reproduction (the vulnerability has been fixed; for reference only)

This vulnerability has been fixed; the analysis below is for reference only.

1. Log in to the game through a Burp Suite proxy and capture the traffic.

2. Obtain the level-completion request (the game_over call):

GET /sheep/v1/game/game_over?rank_score=1&rank_state=01&rank_time=123&rank_role=1&skin=1 HTTP/1.1
Host: cat-match.easygame2021.com
Connection: close
t: xxx
content-type: application/json
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 15_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 MicroMessenger/8.0.27(0x18001b36) NetType/WIFI Language/zh_CN
Referer: qqq
Content-Length: 2


HTTP/1.1 200 OK
Date: Fri, 16 Sep 2022 06:45:33 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 36
Connection: close
Access-Control-Allow-Credentials: true
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
Access-Control-Allow-Methods: GET, POST

{"err_code":0,"err_msg":"","data":0}

3. Replay the level-completion request.

4. Check the score result.

5. Implement the score-farming script (python3).

The header_t field is the personal identity token (sent in the "t" request header) and must be replaced with your own.

import requests

# Suppress the InsecureRequestWarning raised because verify=False is used below.
requests.packages.urllib3.disable_warnings()

header_t = "XXX"  # personal identity token carried in the "t" header; replace with your own
finish_api = "https://cat-match.easygame2021.com/sheep/v1/game/game_over?rank_score=1&rank_state=03&rank_time=1314&rank_role=1&skin=1"
headers = {"Host": "cat-match.easygame2021.com",
           "content-type": "application/json",
           "User-Agent": "Mozilla/5.0 (iPhone; CPU iPhone OS 15_6_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148",
           "t": header_t}

def finish_game():
    # Re-send the captured game_over request exactly as the client would.
    res = requests.get(url=finish_api, headers=headers, verify=False, timeout=10)
    # err_code of 0 means the server accepted the completion
    if res.json()["err_code"] == 0:
        print("状态成功")
    else:
        print(res.json())

# Replay the completion request 99 times.
for i in range(99):
    finish_game()

Finally, just run the script.
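From the operator's side, a replay loop like the one above leaves an obvious footprint: the same identity token posts game_over many times in a few seconds, and every submission carries a byte-identical query string. The following detector is an added example (not part of the original post) that runs over a few constructed access-log lines in an assumed format of "timestamp method path?query t=token"; the log format, the window of 60 seconds and the threshold of 3 completions per window are assumptions chosen for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed access-log lines (not from the original post). Assumed format:
# "<ISO timestamp> <method> <path?query> t=<identity token>". tok_a resubmits the
# same game_over request six times in a few seconds; tok_b plays two real games.
SAMPLE_LOG = """\
2022-09-16T06:45:10Z GET /sheep/v1/game/start t=tok_a
2022-09-16T06:45:33Z GET /sheep/v1/game/game_over?rank_score=1&rank_state=03&rank_time=1314&rank_role=1&skin=1 t=tok_a
2022-09-16T06:45:34Z GET /sheep/v1/game/game_over?rank_score=1&rank_state=03&rank_time=1314&rank_role=1&skin=1 t=tok_a
2022-09-16T06:45:35Z GET /sheep/v1/game/game_over?rank_score=1&rank_state=03&rank_time=1314&rank_role=1&skin=1 t=tok_a
2022-09-16T06:45:36Z GET /sheep/v1/game/game_over?rank_score=1&rank_state=03&rank_time=1314&rank_role=1&skin=1 t=tok_a
2022-09-16T06:45:37Z GET /sheep/v1/game/game_over?rank_score=1&rank_state=03&rank_time=1314&rank_role=1&skin=1 t=tok_a
2022-09-16T06:45:38Z GET /sheep/v1/game/game_over?rank_score=1&rank_state=03&rank_time=1314&rank_role=1&skin=1 t=tok_a
2022-09-16T07:02:11Z GET /sheep/v1/game/game_over?rank_score=1&rank_state=03&rank_time=1402&rank_role=1&skin=1 t=tok_b
2022-09-16T07:31:45Z GET /sheep/v1/game/game_over?rank_score=1&rank_state=03&rank_time=1288&rank_role=1&skin=1 t=tok_b
this line is malformed and is skipped
"""

GAME_OVER_PATH = "/sheep/v1/game/game_over"
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<method>[A-Z]+) (?P<path>\S+) t=(?P<token>\S+)$")


def parse_line(line):
    """Return (timestamp, path, query, token), or None for lines that do not match the format."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    path, _, query = m["path"].partition("?")
    return ts, path, query, m["token"]


def detect_score_farming(log_text, window_seconds=60, max_per_window=3):
    """Flag tokens that post game_over in bursts or resubmit an identical query string.

    Returns {token: {"burst": peak number of calls seen inside one window,
                     "identical_replays": submissions whose query string was already seen}}
    and contains only tokens that triggered at least one rule.
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)      # token -> timestamps of game_over calls inside the window
    seen_queries = defaultdict(set)  # token -> query strings already submitted by that token
    findings = defaultdict(lambda: {"burst": 0, "identical_replays": 0})

    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, path, query, token = parsed
        if path != GAME_OVER_PATH:
            continue

        q = recent[token]
        q.append(ts)
        while ts - q[0] > window:  # drop calls that have fallen out of the sliding window
            q.popleft()
        if len(q) > max_per_window:
            findings[token]["burst"] = max(findings[token]["burst"], len(q))

        if query in seen_queries[token]:  # byte-identical resubmission is the replay signature
            findings[token]["identical_replays"] += 1
        seen_queries[token].add(query)

    return {t: f for t, f in findings.items() if f["burst"] or f["identical_replays"]}


if __name__ == "__main__":
    for token, finding in detect_score_farming(SAMPLE_LOG).items():
        print(token, finding)
```

On the constructed log this reports tok_a with a burst of 6 and 5 identical replays and says nothing about tok_b; a real game client that reaches game_over through normal play produces a different rank_time each time, so the identical-query rule alone already separates the two.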

Fix point 1: the root cause is that the level-completion request is initiated by the client, so the server simply trusts it; whether a level was actually completed has to be decided on the server.

Fix point 2: the request can be replayed, so the interface should be restricted: each request must carry a unique, single-use verification value obtained from the server.
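The two fix points combine naturally: the server hands out an unguessable session nonce when a game starts, accepts each nonce exactly once at game_over, and measures the level duration with its own clock instead of trusting rank_time (and ignores the client's rank_score entirely). The code below is an added illustration, not the game's own backend; GameSessionServer, its error codes, the 30-second minimum level duration and the 5-second clock tolerance are all constructed assumptions, and only the {"err_code", "err_msg", "data"} response shape is taken from the captured reply above. Verifying that the moves played actually clear the board would additionally require the server to replay the game state, which the post does not cover.

```python
import hmac
import secrets
import time

# Constructed error codes; only 0 (success) is taken from the captured response.
GAME_OVER_OK = 0
ERR_UNKNOWN_SESSION = 1
ERR_REPLAY = 2
ERR_IMPLAUSIBLE = 3


class GameSessionServer:
    """Hypothetical server-side session store with one-time completion nonces."""

    def __init__(self, clock=time.monotonic, min_duration=30.0, clock_slack=5.0):
        self._clock = clock                # injectable so the checks can be tested offline
        self._min_duration = min_duration  # assumed: no level finishes faster than this
        self._clock_slack = clock_slack    # assumed tolerance for client vs server timing
        self._sessions = {}                # nonce -> {"token", "started", "used"}
        self._scores = {}                  # token -> completions credited by the server

    def start_game(self, token):
        """Issue a fresh, unguessable nonce that the client must return with game_over."""
        nonce = secrets.token_hex(16)
        self._sessions[nonce] = {"token": token, "started": self._clock(), "used": False}
        return nonce

    def game_over(self, token, nonce, rank_time):
        """Credit one completion only for an unused nonce issued to this token with a plausible duration.

        The client's rank_score is deliberately not a parameter: the server decides the score.
        """
        session = self._sessions.get(nonce)
        if session is None or not hmac.compare_digest(session["token"], token):
            return {"err_code": ERR_UNKNOWN_SESSION, "err_msg": "unknown session", "data": None}
        if session["used"]:
            return {"err_code": ERR_REPLAY, "err_msg": "nonce already used", "data": None}
        session["used"] = True  # burn the nonce on first use, whatever the outcome below
        elapsed = self._clock() - session["started"]
        if elapsed < self._min_duration or rank_time > elapsed + self._clock_slack:
            return {"err_code": ERR_IMPLAUSIBLE, "err_msg": "implausible duration", "data": None}
        self._scores[token] = self._scores.get(token, 0) + 1
        return {"err_code": GAME_OVER_OK, "err_msg": "", "data": self._scores[token]}

    def score(self, token):
        return self._scores.get(token, 0)


class FakeClock:
    """Manually advanced clock so the walk-through below is deterministic."""

    def __init__(self, start=1000.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def demo():
    """Walk through the cases a replay script would hit; returns (err_codes, credited score)."""
    clock = FakeClock()
    server = GameSessionServer(clock=clock)
    codes = []
    nonce = server.start_game("tok_a")
    codes.append(server.game_over("tok_a", nonce, rank_time=1314)["err_code"])   # instant finish: 3
    nonce = server.start_game("tok_a")
    clock.advance(90)
    codes.append(server.game_over("tok_a", nonce, rank_time=85)["err_code"])     # genuine play: 0
    codes.append(server.game_over("tok_a", nonce, rank_time=85)["err_code"])     # replay: 2
    codes.append(server.game_over("tok_a", "0" * 32, rank_time=85)["err_code"])  # forged nonce: 1
    codes.append(server.game_over("tok_b", nonce, rank_time=85)["err_code"])     # other token: 1
    return codes, server.score("tok_a")


if __name__ == "__main__":
    print(demo())
```

Because the nonce is marked used before the duration check, a rejected submission cannot be retried with a more plausible rank_time; the client has to start a new game and actually wait. Looping the captured game_over 99 times against this handler credits at most one completion per start_game call.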

Finally, this vulnerability only allows someone to farm a score to show off; it may consume some server resources, but the actual harm is limited.

Seen from another angle, might this not even be a bit of free advertising?

Reposted from blog.csdn.net/Key_book/article/details/126895402