@Last-Order
Last active November 14, 2017 12:32
Who are you

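Open the site, click Login at the top right, and authorize with a Steam account.

Then go to Home, which has two pages: infomation and shop. The shop appears to sell the flag, but the purchase reports an insufficient balance.

The URL for the purchase action is http://gogogo.2017.hctf.io/shop/3. Changing 3 to 4 shows that debug mode was left on, which leaks the source code.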

    public function buy(Request $request)
    {
        $itemId = $request->route('id');
        $item = Item::find($itemId);
        $prize = $item->prize;
        $balance = Info::find(Auth::id())->amount;
        if ($balance >= $prize) {
            return view('message', ['message' => $item->note]);
        }

        return view('message', ['message' => 'Sorry Sir! You don\'t have enough money']);
    }

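This shows that the backend framework is Laravel and that the account balance field is named amount.

On the infomation page, rename the form's name field to amount and submit it; this tops up the balance.

Buy the item to get the flag: hctf{csgo_is_best_fps_game_dA3jf}

Presumably the backend does not restrict which form parameters it accepts, so the backend code can be inferred to look something like this: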

public function update(Request $request)
{
  $user = Info::where('id', Auth::id())->update($request->all());
}

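When Laravel's update method is used for mass assignment, the Model should declare a `$fillable` whitelist or a `$guarded` blacklist to restrict the parameters, or the controller should use `$request->only()` to limit them.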
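
The two restrictions named above, combined in one place as an added example (not the challenge's source or the author's code): the model declares a `$fillable` whitelist and the controller passes only the expected field through `$request->only()`. The `App` namespace, the `name` column and the `InfoController` class are assumptions. `$fillable` is enforced on model instances, not on `Info::where(...)->update(...)`, which runs through the query builder, so the example loads the instance before updating it.

```php
<?php
// Added example, not the challenge's code. The App namespace, the `name`
// column and InfoController are assumptions; `amount` and the `message`
// view come from the page.

namespace App {
    use Illuminate\Database\Eloquent\Model;

    class Info extends Model
    {
        // Whitelist for fill()/create()/update() on a model instance.
        // `amount` is deliberately absent, so user input can never set it.
        protected $fillable = ['name'];
    }
}

namespace App\Http\Controllers {
    use App\Info;
    use Illuminate\Http\Request;
    use Illuminate\Support\Facades\Auth;

    class InfoController
    {
        public function update(Request $request)
        {
            // Take only the expected field; an injected `amount` parameter
            // is dropped before it reaches the model.
            $data = $request->only(['name']);

            // Load the instance first. Info::where(...)->update($data) runs
            // the UPDATE through the query builder and never consults
            // $fillable, so the whitelist above would not apply to it.
            $info = Info::findOrFail(Auth::id());
            $info->update($data);

            return view('message', ['message' => 'Information updated']);
        }
    }
}
```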
