0x01
修改金币到8位,才能买东西
robots.txt中发现.git泄露
下载附件,得到源码
审计api.php
我们传入的值与随机生成的值进行比较,
按照相同的个数,得到不同的钱
if($numbers[$i] == $win_numbers[$i])
存在若类型比较
function buy($req){
require_registered();
require_min_money(2);
$money = $_SESSION['money'];
$numbers = $req['numbers'];
$win_numbers = random_win_nums();
$same_count = 0;
for($i=0; $i<7; $i++){
if($numbers[$i] == $win_numbers[$i]){
$same_count++;
}
}
switch ($same_count) {
case 2:
$prize = 5;
break;
case 3:
$prize = 20;
break;
case 4:
$prize = 300;
break;
case 5:
$prize = 1800;
break;
case 6:
$prize = 200000;
break;
case 7:
$prize = 5000000;
break;
default:
$prize = 0;
break;
}
抓包修改json值
true与任何数字("1",4,5等)都相等(0除外)
得到flag
参考链接:
https://blog.csdn.net/destiny1507/article/details/89815564