Original challenge ("速度要快", i.e. "be fast"): https://ctf.bugku.com/challenges#速度要快
Test page: http://123.206.87.240:8002/web6/
Analysis
Let's first look at how the server behaves:
ex@Ex:~/test$ curl -v http://123.206.87.240:8002/web6/
* Trying 123.206.87.240...
* TCP_NODELAY set
* Connected to 123.206.87.240 (123.206.87.240) port 8002 (#0)
> GET /web6/ HTTP/1.1
> Host: 123.206.87.240:8002
> User-Agent: curl/7.58.0
> Accept: */*
>
< HTTP/1.1 200 OK
< Server: nginx
< Date: Wed, 06 Mar 2019 07:11:35 GMT
< Content-Type: text/html;charset=utf-8
< Transfer-Encoding: chunked
< Connection: keep-alive
< Keep-Alive: timeout=60
< Set-Cookie: PHPSESSID=8kcadugbl86hj0kjp72netbvl8maha18; path=/; HttpOnly
< Expires: Thu, 19 Nov 1981 08:52:00 GMT
< Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
< Pragma: no-cache
< flag: 6LeR55qE6L+Y5LiN6ZSZ77yM57uZ5L2gZmxhZ+WQpzogT1RRM016VTI=
<
</br>我感觉你得快点!!!<!-- OK ,now you have to post the margin what you find -->
* Connection #0 to host 123.206.87.240 left intact
ex@Ex:~/test$ echo -n "6LeR55qE6L+Y5LiN6ZSZ77yM57uZ5L2gZmxhZ+WQpzogT1RRM016VTI=" | base64 -d
跑的还不错,给你flag吧: OTQ3MzU2
ex@Ex:~/test$ echo -n "OTQ3MzU2" | base64 -d
947356
ex@Ex:~/test$
The approach follows directly from the above. The response carries a non-standard `flag` header whose value is base64; decoding it yields the sentence "跑的还不错,给你flag吧: OTQ3MzU2" ("Not bad, here is your flag: OTQ3MzU2"), and decoding that trailing token once more gives a number (here 947356). The page body ("我感觉你得快点!!!", "I think you need to be faster!!!") and the HTML comment tell us to POST that number back as the `margin` parameter, and the key only stays valid for a short time, so it has to be done with a script rather than by hand. The challenge tests basic observation and scripting skills. Below is a reproduction of the server's behaviour (the message strings are kept in the original Chinese so that the header value matches the real server; translations are in the comments):
<?php
session_start();
// Buffer output: the slow/wrong branches below echo a message *before* initial()
// calls header(), which would otherwise fail with "headers already sent".
ob_start();

// Issue a fresh challenge: store a random key and the issue time in the session,
// and leak the key (base64 inside base64) through the custom "flag" response header.
function initial()
{
    $key = mt_rand(10000, 100000);
    $_SESSION['key'] = $key;
    $_SESSION['time'] = time();
    // "Not bad, here is your flag: <base64(key)>"
    $str = "跑的还不错,给你flag吧: " . base64_encode((string) $key);
    header('flag: ' . base64_encode($str));
    // "I think you need to be faster!!!"
    echo "</br>我感觉你得快点!!!<!-- OK ,now you have to post the margin what you find -->";
}

if (isset($_SESSION['key']) && isset($_SESSION['time'])) {
    if (!isset($_POST['margin'])) {
        initial();
    } else {
        // The answer must arrive within 2 seconds of the key being issued ...
        if (time() - $_SESSION['time'] < 2) {
            // ... and must match the key stored in this session.
            if ((int) $_POST['margin'] === (int) $_SESSION['key']) {
                echo "flag{***********}";
            } else {
                echo "我都说了让你快点。。。"; // "I told you to hurry up..."
                initial();                    // wrong answer: a new key is issued
            }
        } else {
            echo "我都说了让你快点。。。"; // "I told you to hurry up..."
            initial();                    // too slow: a new key is issued
        }
    }
} else {
    initial();
}
?>
Below is the corresponding solve script:
#! /usr/bin/python3
# -*- coding: utf-8 -*-
import base64

import requests

url = 'http://123.206.87.240:8002/web6/'

# One Session so the PHPSESSID cookie (and with it the server-side key) is reused for the POST.
s = requests.Session()

# 1. GET the page; the key is hidden in the custom "flag" response header.
raw = s.get(url)
raw.raise_for_status()
flag = raw.headers['flag']

# 2. The outer base64 wraps a UTF-8 sentence ending in ": <base64(key)>".
flag = base64.b64decode(flag).decode('utf-8')
flag = flag.rsplit(': ', 1)[1]

# 3. The inner base64 is the numeric key itself.
flag = base64.b64decode(flag).decode('ascii')

# 4. POST it back as "margin" within the 2-second window; a script easily beats it.
raw = s.post(url, data={'margin': flag})
print(raw.text)
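As an added illustration (not part of the original writeup), the following Python code models the server logic reproduced above together with the client-side decoding from the solve script, entirely offline: `extract_key` undoes both base64 layers of the `flag` header captured in the curl session, and `MockChallenge` is a constructed stand-in for the PHP session logic, driven by a fake clock so the 2-second window can be exercised without sleeping. It shows why a submission that takes longer than two seconds is answered with a fresh key while a scripted one gets the flag. The placeholder `flag{***********}` is the one used in the replica; the class and function names (`FakeClock`, `MockChallenge`, `solve`) are my own.

```python
import base64
import random

# Header value captured from the challenge server in the curl session above (real data).
CAPTURED_HEADER = "6LeR55qE6L+Y5LiN6ZSZ77yM57uZ5L2gZmxhZ+WQpzogT1RRM016VTI="

# The sentence the server wraps the key in ("Not bad, here is your flag: ").
PREFIX = "跑的还不错,给你flag吧: "


def extract_key(flag_header: str) -> str:
    """Undo both base64 layers of the "flag" header and return the numeric key as text."""
    sentence = base64.b64decode(flag_header).decode("utf-8")
    inner = sentence.rsplit(": ", 1)[1]  # text after the last ": " is base64(key)
    return base64.b64decode(inner).decode("ascii")


class FakeClock:
    """Controllable clock so the 2-second window can be tested without sleeping."""

    def __init__(self) -> None:
        self.now = 1_000_000.0

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


class MockChallenge:
    """Offline model of the PHP logic for a single session (constructed, not the real server)."""

    WINDOW = 2  # seconds allowed between issuing the key and receiving it back

    def __init__(self, clock: FakeClock) -> None:
        self.clock = clock
        self.session: dict = {}

    def _issue(self):
        """Mirror initial(): new key + timestamp in the session, key leaked via the header."""
        key = random.randint(10000, 100000)
        self.session["key"] = key
        self.session["time"] = self.clock()
        sentence = PREFIX + base64.b64encode(str(key).encode("ascii")).decode("ascii")
        header = base64.b64encode(sentence.encode("utf-8")).decode("ascii")
        return {"flag": header}, "</br>我感觉你得快点!!!"

    def get(self):
        return self._issue()

    def post(self, margin: str):
        if "key" not in self.session:
            return self._issue()
        in_time = self.clock() - self.session["time"] < self.WINDOW
        if in_time and int(margin) == self.session["key"]:
            return {}, "flag{***********}"
        # Too slow or wrong: the server re-issues a new key, so the old answer is useless.
        headers, body = self._issue()
        return headers, "我都说了让你快点。。。" + body


def solve(server: MockChallenge, clock: FakeClock, delay: float) -> str:
    """GET the challenge, decode the key, wait `delay` seconds, POST it back; return the body."""
    headers, _ = server.get()
    key = extract_key(headers["flag"])
    clock.advance(delay)
    _, body = server.post(key)
    return body


if __name__ == "__main__":
    print(extract_key(CAPTURED_HEADER))  # 947356
    clock = FakeClock()
    server = MockChallenge(clock)
    print(solve(server, clock, delay=0.3))  # scripted speed: flag{***********}
    print(solve(server, clock, delay=3.0))  # manual speed: re-challenged with a new key
```

The fake clock makes the failure mode explicit: the key itself is not hard to recover, the only defence is the window between issuing it and accepting it, which is why the real solve must reuse the same `requests.Session` (same PHPSESSID) and send the POST immediately after the GET.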