Rooty https://blog.hatena.ne.jp/Rooty/ 「配枪朱丽叶。」 https://shawroot.hatenablog.com/ web 先注册，然后登录了，提示admin账号才给flag： 查看源码发现action.php?callback=getInfo 这个页面存在当前用户的csrftoken 御剑扫到了可疑的东西： 访问test.php得到E5xqqsvHoznsjlfDm5ryLg== 访问action.php?callback=getInfo，抓包把username改为E5xqqsvHoznsjlfDm5ryLg%3D%3D getInfo({'username':'admin','website':'http://127.0.0.1','csrftoken':'bd498025476fae642c66017b466… 190 <iframe src="https://hatenablog-parts.com/embed?url=https%3A%2F%2Fshawroot.hatenablog.com%2Fentry%2F2019%2F11%2F20%2FXCTF_3rd-HITB_CTF-2017_Website" title="XCTF 3rd-HITB CTF-2017 Website - 「配枪朱丽叶。」" class="embed-card embed-blogcard" scrolling="no" frameborder="0" style="display: block; width: 100%; height: 190px; max-width: 500px; margin: 10px 0px;"></iframe> https://i.loli.net/2019/11/20/ejOJPxzp6qANITW.png Hatena Blog https://hatena.blog 2019-11-20 18:33:58 rich https://shawroot.hatenablog.com/entry/2019/11/20/XCTF_3rd-HITB_CTF-2017_Website 1.0 100%