
Failure To Restrict URL Access Challenge 1

Challenge description

Obtain the result key, which is supposed to require administrator privileges.

Implementation

Clicking the button on the page produces the following request:

POST /challenges/4a1bc73dd68f64107db3bbc7ee74e3f1336d350c4e1e51d4eda5b52dddf86c99 HTTP/1.1

userData=4816283

The corresponding backend file is /src/main/java/servlets/module/challenge/UrlAccess1.java:

// UrlAccess1: the only check is that the submitted userData equals the
// hard-coded value. The session's privilege level is never consulted.
String userData = request.getParameter("userData");
boolean tamperedRequest = !userData.equalsIgnoreCase("4816283");
if(!tamperedRequest)
    log.debug("No request tampering detected");
else
    log.debug("User Submitted - " + userData);

if(!tamperedRequest)
    // "Success" is only a status message: this servlet never generates a key
    htmlOutput = "<h2 class='title'>" + bundle.getString("response.status") + "</h2>"
        + "<p>" + bundle.getString("response.status.message") + "</p>";
else
    // The submitted value is echoed back, HTML-encoded, inside an HTML comment
    htmlOutput = "<h2 class='title'>" + bundle.getString("response.statusFail") + "</h2>"
            + "<p>" + bundle.getString("response.statusFail.message") + "</p>"
            + "<!-- " + Encode.forHtml(userData) + " -->";
The code is straightforward: submitting userData=4816283 passes the check, but this endpoint never returns the result key.

Digging further into the front-end code turns up the following JavaScript:

// Submit handler of the admin form on the challenge page. Note the target URL:
// it is relative, so it resolves under /challenges/ like the user form's request.
$("#leAdminForm").submit(function(){
        $("#submitButton").hide("fast");
        $("#loadingSign").show("slow");
        $("#resultsDiv").hide("slow", function(){
            var ajaxCall = $.ajax({
                type: "POST",
                url: "4a1bc73dd68f64107db3bbc7ee74e3f1336d350c4e1e51d4eda5b52dddf86c992",
                data: {
                    userData: "4816283", 
                },
                async: false
            });
            // remainder of the callback (result handling) not shown on this page
        });
});
This request goes to 4a1bc73dd68f64107db3bbc7ee74e3f1336d350c4e1e51d4eda5b52dddf86c992, which is the original request path 4a1bc73dd68f64107db3bbc7ee74e3f1336d350c4e1e51d4eda5b52dddf86c99 with an extra 2 appended.

The backend code for /challenges/4a1bc73dd68f64107db3bbc7ee74e3f1336d350c4e1e51d4eda5b52dddf86c992 is in:

src/main/java/servlets/module/challenge/UrlAccess1Admin.java

// UrlAccess1Admin: the same tamper check as the user servlet, and nothing else.
// There is no check that the caller is an administrator.
String userData = request.getParameter("userData");
boolean tamperedRequest = !userData.equalsIgnoreCase("4816283"); // userData=4816283 is all that is required
if(!tamperedRequest)
    log.debug("No request tampering detected");
else
    log.debug("User Submitted - " + userData);

if(!tamperedRequest)
{
    String userKey = Hash.generateUserSolution(levelResult, (String)ses.getAttribute("userName")); // this is where the result key is generated
    htmlOutput = "<h2 class='title'>" + bundle.getString("response.status") + "</h2>"
        + "<p>" + bundle.getString("result.keyMessage.1") + "<br />"
        + "<a>" + userKey + "</a><br /> " 
        + bundle.getString("result.keyMessage.2") + "</p>";
}
// else branch (failure message) not shown on this page

Solution

Change the POST target from /challenges/4a1bc73dd68f64107db3bbc7ee74e3f1336d350c4e1e51d4eda5b52dddf86c99 to /challenges/4a1bc73dd68f64107db3bbc7ee74e3f1336d350c4e1e51d4eda5b52dddf86c992, keeping the body userData=4816283 (the admin servlet performs the same value check). The response contains the result key.

Summary

Every URL must enforce its own access control on the server side. Hiding a form or an endpoint in the front end is not an access control: the admin servlet here only checks the userData value and never verifies the privilege level of the session, so any user who discovers the path obtains the key.
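The following Python model is an added example, not code from the challenge application: it reproduces the two endpoints as plain functions, performs the solution step (retargeting the request at the admin path), and then shows the kind of server-side, per-URL authorization check the summary calls for. The session dictionary, the role names, the dispatcher and the key derivation (an HMAC stand-in for Hash.generateUserSolution) are all assumptions made for illustration; only the two paths and the value 4816283 come from the page.

```python
"""Model of Failure To Restrict URL Access Challenge 1 (added example).

Constructed for illustration: sessions, roles, the dispatcher and the key
derivation are assumptions, not the challenge application's own code.
"""
import hashlib
import hmac

USER_PATH = "/challenges/4a1bc73dd68f64107db3bbc7ee74e3f1336d350c4e1e51d4eda5b52dddf86c99"
ADMIN_PATH = USER_PATH + "2"          # target of the hidden admin form: one extra character
EXPECTED_USER_DATA = "4816283"
SECRET = b"constructed-server-secret"  # stand-in for the level's result key material


def user_key(user_name: str) -> str:
    """Stand-in for Hash.generateUserSolution(levelResult, userName)."""
    return hmac.new(SECRET, user_name.encode(), hashlib.sha256).hexdigest()[:16]


def status_endpoint(session, params):
    """UrlAccess1 as modelled: checks only the userData value, never hands out a key."""
    if params.get("userData", "").lower() != EXPECTED_USER_DATA:
        return 200, "Status failed"
    return 200, "Status OK (no key here)"


def admin_endpoint(session, params):
    """UrlAccess1Admin as modelled: the same value check, then the key.
    Nothing verifies that the caller is an administrator."""
    if params.get("userData", "").lower() != EXPECTED_USER_DATA:
        return 200, "Status failed"
    return 200, "key=" + user_key(session["userName"])


ROUTES = {USER_PATH: status_endpoint, ADMIN_PATH: admin_endpoint}


def dispatch(routes, session, path, params, authz=None):
    """Minimal POST dispatcher. `authz(session, path)` is an optional server-side
    policy consulted before the handler runs; the vulnerable application has none."""
    handler = routes.get(path)
    if handler is None:
        return 404, "Not found"
    if authz is not None and not authz(session, path):
        return 403, "Forbidden"
    return handler(session, params)


def attacker_request(session):
    """The solution step: send the request the page actually makes, but to the
    admin path found in the page's JavaScript, with the same body."""
    tampered_path = USER_PATH + "2"
    return dispatch(ROUTES, session, tampered_path, {"userData": EXPECTED_USER_DATA})


# The fix: authorization keyed on the URL and enforced on the server, deny by default.
ALLOWED_ROLES = {
    USER_PATH: {"user", "admin"},
    ADMIN_PATH: {"admin"},
}


def require_role(session, path):
    """A path with no policy entry, or a session without an allowed role, is refused
    regardless of what the request body contains."""
    return session.get("role") in ALLOWED_ROLES.get(path, set())


def fixed_request(session, path):
    """Same request as the attacker's, routed through the policy-enforcing dispatcher."""
    return dispatch(ROUTES, session, path, {"userData": EXPECTED_USER_DATA}, authz=require_role)


if __name__ == "__main__":
    player = {"userName": "player1", "role": "user"}   # constructed sessions
    admin = {"userName": "root", "role": "admin"}
    print("vulnerable, plain user ->", attacker_request(player))   # key handed out
    print("fixed, plain user      ->", fixed_request(player, ADMIN_PATH))  # 403
    print("fixed, admin           ->", fixed_request(admin, ADMIN_PATH))   # key
```

The point of `require_role` is that the decision depends on the session and the requested URL, not on the request body: the userData check in both servlets is a value check, not an authorization check, and obscuring the admin path does nothing once it is visible in the served JavaScript.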

Localization notes

The Chinese strings for this challenge are in src/main/resources/i18n/challenges/urlAccess/4a1bc73dd68f64107db3bbc7ee74e3f1336d350c4e1e51d4eda5b52dddf86c99_zh.properties