0x01 Intro
During the summer vacation after high school, my younger brother and I quietly joined the recruitment group of a university science-and-technology CTF team. The group announcement included a welcome message and a link to their challenge platform, so the two of us worked through it together. Most of the challenges are fairly simple, just right for a beginner like me, so I'm recording them here as a writeup.
0x02 Web
Get
As the challenge name suggests, the flag is obtained by passing a GET parameter.
Passing id=3 in the query string returns the flag.
Post
Similar to the previous challenge, but the parameter has to be sent via POST.
Open HackBar and send id=3 in the POST data.
Of course, any other way of sending POST parameters works as well:
editing and resending the request in the F12 Network tab, curl, writing a script, and so on.
Here is a Python script that sends the POST parameter:
import requests
# send id=3 in the POST body and print the page, which contains the flag
r = requests.post('http://47.98.139.42:8083/post.php', data={'id': '3'})
print(r.text)
Ip spoofing
Opening the page shows only this one sentence:
the site now only allows access from a local address, so we have to fake our IP address.
Servers generally determine the visitor's IP in one of the following three ways:
- HTTP_CLIENT_IP: a request header, but it is not standardized, so the server may not implement it.
- HTTP_X_FORWARDED_FOR: a de-facto standard defined to identify the original client IP of a client connecting through an HTTP proxy, in the format clientip, proxy1, proxy2. Explanation: http://zh.wikipedia.org/wiki/X-Forwarded-For
- REMOTE_ADDR: reliable, because it is the IP address of the last hop that completed the TCP handshake with your server. If it shows a proxy, that proxy may well be your own reverse proxy.
We can fake our IP by modifying the X-Forwarded-For or Client-IP HTTP header.
The following demonstrates modifying X-Forwarded-For with Firebug.
First press F12 to open Firebug, click Network, then select Edit and Resend.
After sending, the flag can be seen in the response.
Of course, you could also capture the request with Burp, modify the header and forward the packet to get the flag; that is not demonstrated here.
Cookie deception
The challenge hints that we need to modify the cookie.
Capture the request, modify the cookie field, and forward the packet.
Bingo.
302 jumps
302 redirect: a temporary redirect. When a domain name or URL is temporarily given up, requests to it can be redirected to the new domain name or URL so the old one keeps working.
Clicking the title redirects to another page instead of showing the flag; the link actually points to /redirect.php.
We can intercept the 302 redirect by capturing the packet, or fetch the page directly with curl, to get the flag.
Referer
Capture the request with Burp and modify the HTTP Referer header field to https://www.google.com
HTTP Response
As the challenge name says, the flag should be found in the server's response headers.
The response headers can also be fetched with a Python script:
import requests
# print only the response headers; the flag is carried in one of them
r = requests.get('http://47.98.139.42:8083/HTTPResponse.php')
print(r.headers)
To be continued