Challenge

  • The code below shows that we need to work out the result and send it back.
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<title>给你一秒你把握住</title>
</head>
<body>
<div style="text-align: center;">听说你<a style="color: green">单身了十八年</a></div>
<div style="text-align: center;">那你<a style="color: blue">肯定</a>能把这段文字复制下来发给我吧?</div>
<div style="text-align: center;">VZueaGo7</div>
<div style="text-align: center;"><form method="post" action="">
<input type="text" name="randomstring"/>
<input type="submit" value='冲了'>
</form></div>
<div style="text-align: center;"></div>
<div style="text-align: center;"><a href=".">我不服,再来</a></div>

<!--
If your hands are not fast enough, you can use a tool:
import requests
import re
-->
</body>
</html>

Testing

  • Try sending the correct answer.

  • The result below is not a proper response, most likely because we are missing a parameter; try adding the Cookie.

┌──(kali㉿kali)-[~/桌面]
└─$ curl -d "randomstring=答案" "http://你的靶机ID.ctf.nynusec.com/"
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<title>500 Internal Server Error</title>
<h1>Internal Server Error</h1>
<p>The server encountered an internal error and was unable to complete your request. Either the server is overloaded or there is an error in the application.</p>
  • Get the Cookie.
┌──(kali㉿kali)-[~/桌面]
└─$ curl -v "http://你的靶机ID.ctf.nynusec.com/"
...
< Set-Cookie: session=eyJjdGltZSI6MTY2MTM2MDAyNSwicmFuZG9tc3RyaW5nIjoib1VKclN4NzQifQ.YwZXmQ.F2Cg6ksvPrFSUJ4fB5A1azrQxVs; HttpOnly; Path=/
...
<div style="text-align: center;">oUJrSx74</div>
...
  • Submit the correct answer. The next step will probably need Python.
┌──(kali㉿kali)-[~/桌面]
└─$ curl -d "randomstring=答案" -b "session=eyJjdGltZSI6MTY2MTM2MDAyNSwicmFuZG9tc3RyaW5nIjoib1VKclN4NzQifQ.YwZXmQ.F2Cg6ksvPrFSUJ4fB5A1azrQxVs" "http://你的靶机ID.ctf.nynusec.com/"
...
<div style="text-align: center;">就这速度还想拿到flag?</div>
...
  • Write the Python code.
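import requests
import re

# Replace the placeholder in the URL with your own target instance ID.
url = "http://你的靶机ID.ctf.nynusec.com/"
# Request the challenge page and the Cookie from the target.
response = requests.get(url)
# Use a regular expression to match the answer (the first 8-character alphanumeric run).
answer = re.search(r"(\d|[a-z]|[A-Z]){8}", response.text).group()
# Send the answer and the Cookie back to the target.
result = requests.post(
    url,
    data={
        "randomstring": answer
    },
    headers={
        "Cookie": "session=" + response.cookies.get("session"),
    }
)
# Match the flag.
flag = re.findall(r"(flag\{.+\})", result.text)[0]
print(flag)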
  • Run the script.
┌──(kali㉿kali)-[~]
└─$ python main.py
flag{4e293a2c-****-****-****-12dc79a1461b}
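
The session cookie captured with curl -v in the "Get the Cookie" step can be read without any key. The following is an added example, not part of the original writeup: it decodes that cookie, assuming a payload.timestamp.signature layout of unpadded base64url fields with a JSON payload; the names b64url_decode and decode_session are illustrative.

```python
import base64
import json

# Cookie value copied verbatim from the Set-Cookie header in the curl -v output.
COOKIE = ("eyJjdGltZSI6MTY2MTM2MDAyNSwicmFuZG9tc3RyaW5nIjoib1VKclN4NzQifQ"
          ".YwZXmQ.F2Cg6ksvPrFSUJ4fB5A1azrQxVs")


def b64url_decode(field: str) -> bytes:
    """Decode URL-safe base64 whose trailing '=' padding was stripped."""
    return base64.urlsafe_b64decode(field + "=" * (-len(field) % 4))


def decode_session(cookie: str) -> dict:
    """Decode the readable fields of a payload.timestamp.signature cookie.

    Assumption: three dot-separated base64url fields, JSON payload first.
    The third field is only measured, not verified (that needs the server key).
    """
    if cookie.startswith("."):
        # Assumption: a leading '.' marks a compressed payload, not handled here.
        raise ValueError("compressed payload (leading '.') is not handled")
    parts = cookie.split(".")
    if len(parts) != 3:
        raise ValueError("expected payload.timestamp.signature")
    payload_b64, issued_b64, sig_b64 = parts
    return {
        "payload": json.loads(b64url_decode(payload_b64)),
        "issued_at": int.from_bytes(b64url_decode(issued_b64), "big"),
        "signature_bytes": len(b64url_decode(sig_b64)),
    }


if __name__ == "__main__":
    session = decode_session(COOKIE)
    print(session["payload"])          # challenge state carried in the cookie
    print(session["issued_at"])        # middle field read as a big-endian integer
    print(session["signature_bytes"])  # length of the opaque third field
```

The decoded payload contains the same string the page displayed (oUJrSx74) together with a ctime field, so the challenge state travels in the cookie in readable form. Anything placed in a cookie of this shape should be treated as visible to the client.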