[Yugong Series] June 2023 Bugku-Web (GET)

---

foreword

Source code audit refers to the process of analyzing and inspecting software or system source code, discovering possible loopholes, security weaknesses, etc., and proposing repair suggestions and measures. The function of source code audit is to discover and solve security problems in the process of software development and operation and maintenance, and ensure the security, stability and reliability of the system.

In the field of network security, source code auditing is a very important task. Through in-depth analysis of source code, it is possible to discover vulnerabilities that hackers can exploit, and it can also help development teams and operation and maintenance personnel to better understand the working principles of software and systems, find potential problems and make corrections. If a piece of software is heavily used, source code auditing is an essential step to ensure safety and reliability.

The following are some relevant cases of source code audit:

1. OpenSSL vulnerability incident: In 2014, someone discovered a vulnerability in the OpenSSL library, which may allow hackers to obtain users' private information. Security researchers then conducted a source code audit of the library and submitted a patch to fix it after discovering the vulnerability.

2. Apache Struts 2 vulnerability incident: In 2017, a serious vulnerability was discovered in the Apache Struts 2 framework. Hackers can implement remote command execution by exploiting this vulnerability, causing the system to be attacked. By auditing the source code, security researchers successfully discovered vulnerabilities and provided targeted fixes.

3. Unauthorized access vulnerability events: Some application source codes may have unauthorized access vulnerabilities. Attackers could exploit these vulnerabilities to bypass login authentication and gain access to sensitive information. Security researchers can find and fix these vulnerabilities by auditing the source code.

HTTP GET request is an HTTP request method used to obtain resources from the server, such as documents, images, audio files, etc. It is a stateless request that sends a request to a web server for a copy of a specified resource, and the server sends that resource back to the client as an HTTP response. GET requests pass parameters through the URL, and these parameters can be used to specify the requested resource, for example: http://www.example.com/index.html?page=1. Among them, "page=1" is a parameter, indicating that the page number of the requested resource is 1. GET request is one of the most commonly used HTTP request methods for fetching static and dynamic content.

The HTTP GET request message format is as follows:

GET /path/to/resource HTTP/1.1         // 请求行，包括请求方法、请求URI和HTTP协议版本 
Host: example.com                     // 请求头，指定服务器的主机名，必须包含在HTTP/1.1协议中的所有请求头之中
User-Agent: Mozilla/5.0              // 请求头，指定客户端使用的浏览器或其他应用程序
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8   // 请求头，指定客户端可以接收的响应格式
Connection: keep-alive               // 请求头，指定客户端与服务器之间的连接状态，keep-alive表示要保持长连接

Among them, the request line includes the request method, request URI and HTTP protocol version, and the format is METHOD URI HTTP_VERSION, for example GET /path/to/resource HTTP/1.1. The request header includes multiple key-value pairs, separated by colons, each key-value pair occupies one line, and ends with an empty line. In a GET request, the request body is empty because the request parameters are included in the URI.

1. GET

1. Topic

2. Answer questions

Open the topic to get

Source code audit needs to add what parameter and the value is equal to flag

http://114.67.175.224:19450/?what=flag

Get the flag:flag{cf7379480f6ac10fdbc7859fef43c291}