Shiyanbar (实验吧) CTF - WEB: Guess Next Session

Challenge link: http://www.shiyanbar.com/ctf/1788


Open the challenge link; it is a PHP code-auditing challenge (the source is shown in a screenshot that is not reproduced here):


Looking at the code, there is nothing complicated going on; the key line is the comparison of the submitted password against $_SESSION['password'] (note that the PHP superglobal is spelled $_SESSION, case-sensitive).

Before going further, let's put the challenge aside and look at how Sessions and Cookies work in PHP.

Cookies and Sessions are usually treated as two separate and quite different things. A Session keeps state on the server side, while a Cookie keeps state on the client side. With PHP's default configuration, the server uses a session ID to decide which server-side session belongs to the current conversation, and that session ID is carried by a cookie (PHPSESSID). If cookies are disabled or the cookie is removed, the session ID is lost, the server cannot find the existing session, and session_start() simply creates a fresh, empty one.

With that in mind, back to the challenge. As usual, we use Burp Suite to capture the request:


From the captured request we can see that the PHPSESSID is already present in the Cookie header, and the password we submitted is passed as a GET parameter in the URL.

That suggests the following approach. First, delete the Cookie header entirely, removing the PHPSESSID value: the server then starts a brand-new session in which $_SESSION['password'] has never been set, so it evaluates to null. Then clear the password value in the URL, leaving an empty string. Because PHP's loose comparison treats an empty string and null as equal, the check "password equals $_SESSION['password']" passes. The important caveat for the defender is that this only works because the code uses a loose comparison and never verifies that the session value actually exists.

Right-click, Send to Repeater, delete the Cookie header and the password value, and click Go to get the flag:
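The following is an added example, not the challenge's own source (which this page shows only as a screenshot). It reconstructs the check from the description above and puts the vulnerable loose comparison next to a hardened version; the $flag value, the function names and the exact shape of the original check are assumptions made for illustration.

```php
<?php
// Added example: reconstructs the challenge's check from the write-up's description.
// $flag, the function names and the request/session arrays below are constructed.

// Vulnerable form: loose == comparison, no check that the session value exists.
function check_loose(array $get, array $session): bool
{
    // Without a PHPSESSID cookie the session is brand new, so
    // $session['password'] is unset and reads as null.
    // With "?password=" the submitted value is "" (isset() is true for "").
    // In PHP, "" == null is true, so the check passes.
    return isset($get['password'])
        && $get['password'] == ($session['password'] ?? null);
}

// Hardened form: require both values to exist and compare them strictly,
// in constant time, so a missing session value can never match.
function check_strict(array $get, array $session): bool
{
    if (!isset($get['password'], $session['password'])) {
        return false;
    }
    return hash_equals((string) $session['password'], (string) $get['password']);
}

$flag = 'flag{constructed-placeholder}';   // assumption: stands in for the real flag

// Simulate the Repeater request from the write-up:
// Cookie header removed -> empty session; URL left as "?password=" -> empty string.
$freshSession = [];
$request      = ['password' => ''];

var_dump(check_loose($request, $freshSession));
var_dump(check_strict($request, $freshSession));

// Wired to the real superglobals when run under a web server
// (session_start() is skipped on the CLI so the file also runs stand-alone).
if (PHP_SAPI !== 'cli') {
    session_start();
    if (check_loose($_GET, $_SESSION)) {
        echo 'Flag: ' . $flag;
    } else {
        echo '<p>Wrong guess.</p>';
    }
}
```

Run from the command line, check_loose() returns true for the cookie-less, empty-password request, which is exactly the condition reached in Repeater, while check_strict() returns false because the session value does not exist. The fix is the isset() guard on the server-side value plus a strict comparison; hash_equals() is used rather than === so that the comparison is also constant-time.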

