ma4ter

Index | Photo | About | Friends | Archives

极客大挑战flagshop writeup

提示是CSRF极客大挑战flagshop writeup
打开后注册了两个账号ma4ter1 ma4ter2
极客大挑战flagshop writeup
发现每个注册的账号都有10块钱 但是买FLAG要很多钱极客大挑战flagshop writeup
点到报告处发现说会好好处理报告 那应该就是构造CSRF给我们转账了
极客大挑战flagshop writeup
极客大挑战flagshop writeup
先自己转账抓个包
极客大挑战flagshop writeup
极客大挑战flagshop writeup
发现要POST的数据有target money
直接在报告处构造
发现有个md5截断
极客大挑战flagshop writeup
随便百度一搜 也有前辈发出来
https://www.cnblogs.com/yesec/p/11297568.html
http://www.beesfun.com/2017/03/21/%E3%80%90CTF%E3%80%91MD5%E6%88%AA%E6%96%AD%E6%AF%94%E8%BE%83/

from multiprocessing.dummy import Pool as tp
import hashlib

knownMd5 = 'ba381'  
def md5(text):    
    return hashlib.md5(str(text).encode('utf-8')).hexdigest()

def findCode(code):   
    key = code.split(':')
    start = int(key[0])  
    end = int(key[1]) 
    for code in range(start, end):
        if md5(code)[0:5] == knownMd5:            
            print (code)
            break
list=[] 
for i in range(3):    
    list.append(str(10000000*i) + ':' + str(10000000*(i+1)))
pool = tp()    
pool.map(findCode, list) 
pool.close()
pool.join()

极客大挑战flagshop writeup
提交后发现是这样
极客大挑战flagshop writeup
稍微闭合一下 构造payload
后面发现踩了个坑
极客大挑战flagshop writeup
极客大挑战flagshop writeup
这里就想到是应该是直接在报告内容提交url进行csrf
用自己vps上传了个简单的自动提交表单post转账
极客大挑战flagshop writeup
成功转账 直接买flag就行了
极客大挑战flagshop writeup
极客大挑战flagshop writeup

</> Copyright © ma4ter's Blog