速度要快 (Be Fast) BugKuCTF

Original challenge: https://ctf.bugku.com/challenges#速度要快

Test page: http://123.206.87.240:8002/web6/

Analysis

First, look at how the server behaves:

ex@Ex:~/test$ curl -v http://123.206.87.240:8002/web6/
*   Trying 123.206.87.240...
* TCP_NODELAY set
* Connected to 123.206.87.240 (123.206.87.240) port 8002 (#0)
> GET /web6/ HTTP/1.1
> Host: 123.206.87.240:8002
> User-Agent: curl/7.58.0
> Accept: */*
> 
< HTTP/1.1 200 OK
< Server: nginx
< Date: Wed, 06 Mar 2019 07:11:35 GMT
< Content-Type: text/html;charset=utf-8
< Transfer-Encoding: chunked
< Connection: keep-alive
< Keep-Alive: timeout=60
< Set-Cookie: PHPSESSID=8kcadugbl86hj0kjp72netbvl8maha18; path=/; HttpOnly
< Expires: Thu, 19 Nov 1981 08:52:00 GMT
< Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
< Pragma: no-cache
< flag: 6LeR55qE6L+Y5LiN6ZSZ77yM57uZ5L2gZmxhZ+WQpzogT1RRM016VTI=
< 
</br>我感觉你得快点!!!<!-- OK ,now you have to post the margin what you find -->
* Connection #0 to host 123.206.87.240 left intact
ex@Ex:~/test$ echo -n "6LeR55qE6L+Y5LiN6ZSZ77yM57uZ5L2gZmxhZ+WQpzogT1RRM016VTI=" | base64 -d
跑的还不错,给你flag吧: OTQ3MzU2ex@Ex:~/test$ echo -n "OTQ3MzU2" | base64 -d
947356ex@Ex:~/test$

The solution follows directly from the exchange above: the "flag" header is base64 twice over, the innermost value is the "margin" that has to be POSTed back, and the page hint says it has to happen quickly, so all that is needed is a script that does these steps automatically. The challenge tests basic observation and programming skills. Below is a reconstruction of the server's behaviour:

<?php
session_start();
// Buffer output so initial() can still send the flag header after an echo
// (the "too slow" branch prints text before issuing a new key).
ob_start();

// Issue a fresh key, record when it was issued, and leak the key
// (base64-encoded twice) in a response header.
function initial()
{
    // Range is a guess: the key observed above (947356) has six digits.
    $key = mt_rand(100000, 999999);
    $_SESSION['key'] = $key;
    $_SESSION['time'] = time();
    $str = "跑的还不错,给你flag吧: " . base64_encode((string) $key);

    header('flag: ' . base64_encode($str));

    echo "</br>我感觉你得快点!!!<!-- OK ,now you have to post the margin what you find -->";
}

if (isset($_SESSION['key']) && isset($_SESSION['time'])) {
    if (!isset($_POST['margin'])) {
        initial();
    } else {
        // The posted margin must arrive within 2 seconds of the key being
        // issued and must match the key bound to this session; anything
        // else voids the key and issues a new one.
        if (time() - $_SESSION['time'] < 2
            && (int) $_POST['margin'] === (int) $_SESSION['key']) {
            echo "flag{***********}";
        } else {
            echo "我都说了让你快点。。。";
            initial();
        }
    }
} else {
    initial();
}
?>

Below is the corresponding solve script:

#! /usr/bin/python3
# -*- coding: utf-8 -*-

import requests
import base64

# One Session object, so the POST carries the same PHPSESSID cookie
# that the server bound the key to.
s = requests.Session()

url = 'http://123.206.87.240:8002/web6/'

raw = s.get(url)

# First base64 layer: the "flag" header decodes to a sentence ending in ": <inner>".
flag = raw.headers['flag']
flag = base64.b64decode(flag).decode()
flag = flag[flag.find(': ') + 2:]

# Second base64 layer: the inner value is the numeric key, which must be
# posted back as "margin" within the 2-second window, in the same session.
flag = base64.b64decode(flag).decode()
raw = s.post(url, {'margin': flag})

print(raw.content.decode())
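As an added example that is not part of the original writeup, the following Python models the reconstructed server logic (session-bound key, 2-second window) and the client's two-layer decode side by side, with an injectable clock so the timing check can be exercised offline. The class and function names are my own; the header value is the one captured in the curl session above.

```python
import base64
import random
import time

# Header value captured in the curl session above (page data, not constructed).
CAPTURED_FLAG_HEADER = "6LeR55qE6L+Y5LiN6ZSZ77yM57uZ5L2gZmxhZ+WQpzogT1RRM016VTI="
WINDOW_SECONDS = 2

def extract_margin(header_value):
    """Undo both base64 layers: the outer wraps a sentence ending in
    ': <inner>', the inner wraps the numeric key to post as 'margin'."""
    outer = base64.b64decode(header_value).decode("utf-8")
    _, sep, inner = outer.rpartition(": ")
    if not sep:
        raise ValueError("unexpected header format: no ': ' separator")
    return base64.b64decode(inner).decode("ascii")

class ChallengeServer:
    """Model of the PHP logic reconstructed above; the clock is injectable
    so the 2-second window can be tested without sleeping."""

    def __init__(self, clock=time.time, rng=None):
        self.clock = clock
        self.rng = rng or random.Random()
        self.key = None
        self.issued_at = None

    def get(self):
        # initial(): issue a fresh key, record when, leak it double-encoded.
        self.key = self.rng.randint(100000, 999999)
        self.issued_at = self.clock()
        inner = base64.b64encode(str(self.key).encode()).decode()
        sentence = f"跑的还不错,给你flag吧: {inner}"
        return {"flag": base64.b64encode(sentence.encode()).decode()}

    def post(self, margin):
        if self.key is None:
            return "no session"
        fresh = self.clock() - self.issued_at < WINDOW_SECONDS
        if fresh and int(margin) == self.key:
            return "flag{***********}"
        self.key = None  # server re-runs initial(): the old key is void
        return "too slow or wrong margin"

def solve(server):
    """Client side: fetch, decode both layers, answer in the same session."""
    return server.post(extract_margin(server.get()["flag"]))
```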