简介 :

分值：10分 类型：Misc Web未解答
题目：
这个真的是爆破。

题目 :

<?php 
error_reporting(0);
session_start();
require('./flag.php');
if(!isset($_SESSION['nums'])){
  $_SESSION['nums'] = 0;
  $_SESSION['time'] = time();
  $_SESSION['whoami'] = 'ea';
}

if($_SESSION['time']+120<time()){
  session_destroy(); // Session的有效期为 120 秒
}

$value = $_REQUEST['value'];
$str_rand = range('a', 'z');
$str_rands = $str_rand[mt_rand(0,25)].$str_rand[mt_rand(0,25)];
// 生成一个两位长度的随机字符串

// value 的前两个字符需要和 whoami 相同 , 而且 value 的 md5 的 5 - 9 个字符应该是 "0000"
if($_SESSION['whoami']==($value[0].$value[1]) && substr(md5($value),5,4)==0){
  $_SESSION['nums']++; // 只有条件成立 , nums 才会自增
  $_SESSION['whoami'] = $str_rands;
  echo $str_rands; // 这里又打印出下一次的 whoami , 这样就可以根据这个值来推算出下一个 whoami , 从而再次使 if 成立 , nums 自增
}

if($_SESSION['nums']>=10){
  echo $flag;
}

show_source(__FILE__);
?>

脚本 :

构建密码字典
主要的作用是能快速地根据字符串的前两位找到 md5 的 5 - 9 位为 "0000" 的字符串 , 提高爆破效率

import hashlib
import random

MAX = 100000
data = ["a", "b", "c", "d", "e", "f", "g", "h", "i", "j", "k", "l", "m", "n", "o", "p", "q", "r", "s", "t", "u", "v", "w", "x", "y", "z"]

def get_md5(content):
    md5 = hashlib.md5()
    md5.update(content)
    return md5.hexdigest()

def check(password):
    global MAX
    old_password = password
    MAX = 1000000
    for i in range(MAX):
        password = old_password
        password += random.choice(data)
        password += random.choice(data)
        password += random.choice(data)
        password += random.choice(data)
        password += random.choice(data)
        password += random.choice(data)
        password += random.choice(data)
        password += random.choice(data)
        md5 = get_md5(password)
        if md5[5:9] == "0000":
            result = open("md5.txt", "a+")
            result.write(password + "\n")
            result.close()
            print "[ " + password[0:2] + " ] Found!"
            return True
    print "\tTry again."
    return check(old_password) 

for i in data:
    for j in data:
        print "Start searching : [ " + i + j + " ]"
        check(i + j)

爆破

import requests

def find(string):
    libs = open("md5.txt", "r")
    for i in libs:
        if i.startswith(string):
            return i[:-1]
            libs.close()
    libs.close()
    return "Not found ? "

session = requests.Session()
password = "ea"

for i in range(11): # if($_SESSION['nums']>=10){echo $flag;}
    print "[ %d ]" % i
    url = "http://xxxxxx.ctf.game/?value="
    response = session.get(url + password)
    content = response.text
    password = find(content[0:2])

print content[2:128]

密码字典 :

aajbbruara
abrldtcekc
acdrhwoxil
adrvzlekbd
aeiglmgubw
afctprfhiq
aguybhvupw
ahlskoitdv
aiagpmyhyn
ajqabnstlp
akapnpsbkv
alygxhalbd
amvhafvbey
anhnnogxgv
aoulrnpxbf
apswmidjwn
aqhshspjhe
arkmopnndw
asdxtgxxrm
atkuvgsxuv
ausclkvzzb
avlkoaytod
awvneopqof
axuilysrpv
aydxesszfz
azniecrbrq
batcwnohzq
bbydiyzpzv
bcepdhmghg
bdxqwdwklq
bedlksupll
bflvuikjfg
bgjnimrlzc
bhhqwzftyh
bimlroxyug
bjetqxlmhr
bkauvuruzg
blxhyapxhj
bmxtujzaov
bnbkuobhye
botcihqoyc
bpphitdgbf
bqrfesvflq
brhlgrcfmc
bspbwknmcc
btzsggzgis
bupeakfmet
bvctuovmqy
bwkbryfoqf
bxwqrcoqzr
byewwhgyhh
bznvrzkkqy
casfpaqwbt
cbclxacyob
ccogivyymg
cdsfbwbmmo
cetxsuxtjt
cfxtgkhozt
cgmritlxkh
chbcbdeaot
cijtkuztfb
cjehnwerbb
ckykrbtdvm
clknzxcbkh
cmozgvaocl
cnpitodoss
cohyljdjub
cplblctjle
cqqyycmblv
crvdtivdtz
csymsaagxn
ctqlgxcsqn
cugpmajxyz
cvmrwrfyrr
cwjwgjbffp
cxdxorrsrg
cybspfkqqb
czyppqmxwo
daybnbckfc
dbhobnevxh
dcfgbmycvs
ddoyrxikio
delxuraugd
dfnnqswwzp
dgtiwcohyq
dhukfyfmgv
dieurujlau
djrnhlwoga
dkrjgygekz
dlympdpurj
dmzwxtdoud
dntqgztdjm
dojllqhcbt
dpwxllnzfe
dqixsqbdqn
dragpgyysr
dskpzalylk
dtprkopyfo
duvxmbbipl
dvmgndnoah
dwtqympddc
dxrygxpdwz
dypxlbufzh
dzoageqsmd
eamdxdjuec
ebaleskpxu
ecwoaacxpy
edsfiwbxbd
eeonhwpodd
efhewblrny
egxarbgltp
ehzdvncwme
eimghvokzo
ejmsolylhr
ekyszoiruj
elxoesmerz
emdkjamdgd
engnsnnqbq
eopihajlah
epncrgwjdj
eqcqqpydiy
erxhgthbih
esfvhvnvom
etemrfrnxx
euwbworrzr
evppmgeykq
ewllhuvelp
exhaqesyxr
eyclvkonjp
ezvgwnhgpl
faubklgigd
fbstergzfc
fcqcxdmzhm
fdvdwtzoli
febcdufpkf
ffqpjebivl
fghizxeuju
fhufvhfggf
fiktijypnz
fjpxnysfnl
fkvrgxsjib
flqukwfbow
fmyqnivazr
fntiigdecb
fosuefyukl
fplvzkrily
fqzpuprqhu
frkvzlhdkp
fstatuypey
ftypifbxwe
fuqmdrvokq
fvefehgmiy
fwjfydfwqx
fxlumsgguy
fyczepenrm
fzqonedvqo
gayfxwtkmo
gbqqjnkzvb
gcxeiydsqw
gdqienvpym
gefbinynnq
gfhpicjthv
ggzydjnlzb
ghpqwixxlm
giizsyznep
gjwlzjherq
gkbewyzihi
glwkgfiavb
gmvlggujfv
gnagdiantx
goavgllhqf
gpjuihxjxz
gqtbirpluz
grufiurjkf
gsqjcpdmgh
gtsvmzyvao
guzhrbrltr
gvykwjilad
gwlarfnumr
gxvnthwitj
gykcefvjcn
gzksffwtch
hagnenglpu
hbigrfhgot
hcbswoubhv
hdudodzgxp
hedilffseu
hfriftumha
hgpreuguxm
hhwaslrlfo
hiuminawtk
hjaithhujc
hkegnfydcz
hlksnhekhv
hmruhjdpgl
hnuzffietm
hoahtnljnq
hpmnvufibw
hqzzjwtdba
hrcybenzeu
hswzjliico
htnxqfiyzb
husxdxsogb
hvupkkhhtu
hwcrenrpjl
hxuobyihli
hynltpkaxw
hzemsrvnlw
iaifinefcq
ibrnhmzrtk
icfpqgrdwx
idnyiiasrc
iegjefioel
ifmyalnrws
ignzaxdyps
ihtieiqdbd
iiktgwmhxl
ijlgcplmrh
ikorsonrso
ilrhyhvvwr
imuvjtzpom
inlxeguwkv
iomzwoxatv
ipmxxtsjdr
iqstqxlhiv
irozkwpmrv
isrrqdiqnu
itvdedmadu
iujzcwfuqn
ivdpvjkgco
iwgesaaidx
ixuireiehc
iylaimgfrk
izduuswcka
jamdearkct
jbitiphsfd
jcvjpdabxq
jdkstjlpcg
jeygzwmdis
jfzbdvodeu
jgmmxayzul
jhmjluapri
jihrizcwmg
jjqjduyabq
jkerqtrfhp
jlmgafnolp
jmthicxdcd
jnmmeoyroc
joejhhoyhp
jpcbxnfoxd
jquppacxcr
jrsqibhikc
jstlsmyvxd
jthjextkoq
juqdqjsvsv
jvbjlfekoh
jwvrujktuz
jxwmdvtpqy
jyewcvgeal
jzzsjhxapd
kanuzmsrhd
kbjnofysxz
kccknmsfuq
kdrixobdwb
kesfcuvsvc
kfmzycovvg
kgrsdsjqnf
khlzgwjmxa
kilkqsimtv
kjlbqzvpku
kkmdyljett
klitrvoalr
kmhmqehvzf
knpxaazvje
kodrsjeghf
kpdfwxxfef
kqzsqgfvdm
krvkxbkfuf
ksidbgkvhp
ktbiualdwx
kuvujoqtbw
kvsvjtoqod
kwbrexjvxs
kxtvifbzkp
kyczeyjuca
kzzjogtyae
ladfaarrwc
lbphkzevfv
lcziaurxul
lddmquitrd
legtnvlncr
lfdhwsxgrv
lgrtuuuwwd
lhoyxcmeyy
libgfbjryw
ljgigrvxzu
lknautujuf
llmyqawmcf
lmyccopxhe
lnwivkpkjs
lozozoezqg
lpijagvugy
lqoimlmdfv
lruiuqygfx
lsvknlowki
ltywcxcymx
lueyyywfoj
lvfsbezilq
lwqlnagblv
lxicuwvzmz
lyqwucwoti
lzbfongval
masqodfmnt
mbpmxgyqlr
mcseqpvvle
mdbylgxqjz
meklwupatd
mfurtoaukb
mgvvvqggra
mhgrzlsqbm
mizlnamnxk
mjmnaqzyef
mkczkdpgfy
mldobnxeoj
mmckjgznlo
mnyxztaphr
mowkxijgrr
mpdefahfgp
mqjnldajsn
mrdkdfzggb
msfecbunfc
mtrqlmzmda
muocqekacz
mvvebwfbql
mwbmaxoizp
mxqminjwcs
mylntfkpmf
mzbntszzvp
nappdyapdt
nbnprvbjgz
nceyknmhll
ndllmodfum
nebnwhockj
nfepjwmymy
nguhylbfys
nhelntmecw
nixrjoelth
njjbnswwfu
nknlupvoab
nlyubdvzyg
nmsibhuvhd
nnyhjxohqj
noutxxfxoo
npwqjtzbqn
nqlpylapup
nrwnxkwfpz
nswbcoklxo
ntgbomqnij
nudjdylths
nvfzybxgdw
nwcpisrlum
nxclaefvqj
nygizdtnld
nzcrwtbjgq
oaxghkmtfl
obpqipbkre
ocljpeaqvr
odzezhsjvt
oeiftwaefb
ofcjwocend
oghowuzwxc
ohmxqznubp
oiosypvsoc
ojtqsxzlnj
okoufxqgnl
oltosmzwqt
ommbfmgsfz
onxkxsxrrv
ootasrtwmj
opnkcdxjmm
oqzqxlespu
orcshehzee
oslrbbafwq
otruykmjfm
oumeecltho
ovfgwdqdyi
owwnluayqu
oxagtdsghu
oyaoyjyddk
ozpuhmgkms
paujunwpen
pbukqpbuyl
pcmmwthkly
pddgbflmtw
pestzpqxbr
pfrhsdogaa
pgxbclloto
phoqdoajyf
pihfwdmngp
pjdbgdmpvs
pkfqcwetjt
plrfzujyfp
pmmpgcyrvd
pnhbzxxmlu
pojzfdthco
pptmaijiox
pqgzrvzrek
prtcjealum
psslvqlqnq
ptxzwbkasa
puqjxqthic
pvvojyfhzh
pwnlniwuuj
pxuppxfhed
pytkglywea
pzckussfnl
qamoswyaln
qbmvqjrvkj
qcxjgmaenb
qdhfjhpmsm
qesrlhoyry
qfzorpkawa
qgmlzwnrvg
qhsxnktjvc
qilafbgqgh
qjbcdmyhdv
qkjzodnssc
qlzvvougwg
qmsnpkeanx
qncpndvkga
qoetsvyiwb
qplfwcqbmt
qqusnopmpz
qrdbrtxraj
qsigatsyxb
qtnupwqyvz
qudukcxwqv
qvlnjsrktk
qwdmdwvogo
qxllkxewgf
qyjncfiwsk
qzupjvldeh
ragvnqrmmx
rbefhxebxe
rcecgjfgua
rdaklsgvil
rerigkckiw
rfsjoskifg
rgjyslqssz
rheezcjztg
rirespdsoj
rjeajepqxe
rkcjylizdg
rluyaapzma
rmduioolhu
rnqezjtugz
romhreighi
rphhqcqoid
rqrbgvcpov
rrpexqkpyi
rssdjazmqv
rtjhxndnzg
rufoubijya
rvtcadtfzz
rwjvpzzajy
rxyqtbixpp
ryjvccsxho
rznpypvhic
saevyypgka
sbcgkyxwjm
scxvwgsqwz
sdhqrtfwnr
sexsvezaec
sfszflznaf
sgaqzofglx
shbdkkoawl
sixishbwsw
sjefjwqzug
sketatzvmd
slvvhwqylg
smlmcbyluz
snyodzacun
sojcwajiok
spmxkcayor
sqzssvbzyi
srorkcevtu
ssduelobvp
stcedojojk
suaavqekdj
svjwntutgc
swmklrrneg
sxegeutoye
syqtujnguz
sznmqjjaff
taemjaalqt
tbohhgfrvz
tcdpvlwjtf
tdvcdvfkbg
teslgpieqw
tfgqxdafnk
tgkntobxvz
thetsyebav
ticetdbdzi
tjwdfrmsuh
tkqgtvcyry
tlebufibrm
tmdfuzwswn
tnjyyiwwlm
tosuujjlsq
tptjckxsbj
tqszffqdpn
trlamfnksb
tsarxzkrhq
tttvhtsghp
tulzymgpcb
tvaxrcbkyd
twihrasyzg
txhubbufub
tyxliysido
tzkjdihmtd
uaeegkempm
ubltzqdsmh
ucjvjghwui
udcvjhoakk
uesxyvefiz
ufinecoskh
ugsjchysis
uhdrcovidx
uikejkeatb
ujpzakvisk
ukwalvzcxl
uluqqwwluc
umxodqtkqf
undkgftbhs
uoyidwurhu
upgorcxxrg
uqocmnsupu
urbnflcere
usndrkopik
utshicknyo
uuxqlunxxd
uvrqyfbgdb
uwhupihxhj
uxjboxyeqy
uysyhyepis
uzulfalded
vaezwqkmkt
vbyghcxlbj
vcmmkaeoay
vdsrenuppl
vevbiyfbbe
vfrkyxptla
vgliruvlxx
vhomafutzm
vitzgnkgfa
vjslwqfmfz
vkgxhgrxxx
vlmbqyezhv
vmzpoyikqf
vnmldeuffh
volvulpcmw
vpsxquzroo
vqgemvmdxr
vryozcpevf
vstkvpetgj
vtysgepkwb
vuclsbwtsr
vvdmopqqdo
vwqfrljeqp
vxerblotuy
vyrecncblq
vzumhqwqom
wajhfuslat
wbrrfohevt
wcfqqfvwso
wduakjakhx
weovbkccfw
wfttwaznbt
wgqhinnaal
whcaeorpmn
wiaehqgrkk
wjmpwupoyy
wkbuiikgrf
wlwiebpjnp
wmedapbydu
wnfkjvchxu
wopvsvowjt
wpbhgerlhb
wqjtaaivli
wrvvubntag
wsuneoyejd
wtztluamev
wuoolgmtzv
wvasblvpdr
wwnxzycnnr
wxhblvxqkg
wyshlorakp
wzkowtlelm
xavwtthnwh
xbgpqusivw
xcthmxikjf
xdizkbokfk
xebpletizw
xfxoncftkr
xghlbzqobo
xhdhclsdqm
xihcppmhna
xjsdlbbyom
xkwiaxwpgv
xlwrukzwup
xmhvemguzt
xnkecvwpxk
xoiuonmeyj
xpiluobvqj
xqmycarjmw
xrqbbbvrlc
xszykwaajo
xtkqtjowau
xubpfkitpu
xvvrzrlejy
xwrfpogwcc
xxmsgqflcm
xyvernfxiq
xzpfrrgdsg
yarjnwmjtl
ybjgcqzoev
ycvvdtwpqi
ydlctqapzv
yehnrirdlj
yfhxujhcsf
ygbrklyjsf
yhfvzdhysm
yiphdmrvjj
yjvnzwcqqb
ykytjyyivy
yllbiwosww
ymdppwlsem
ynrnoqvdui
yornktbioa
ypqigiuemk
yqgqmwdgwy
yrvtpykpem
ysfktpfuui
ytkzjoshkb
yuoomkqdkq
yvhnyztfso
ywkurfkega
yxhzqtprzj
yyuoofpduk
yztiytjsba
zaacgdlbpl
zbyjkiakhw
zcdzldvoxb
zdesfexeji
zeshkdciki
zfcqbisyyg
zgpargeanh
zhjdqdwxfj
zieytmiyai
zjosxjdzvb
zkrbeuaqga
zlqfbkwkyy
zmxjedwlzz
znqkqlobrz
zoctoknffp
zpvfmcxcsr
zqpveodnly
zrzpquabcc
zspekckkuy
ztkquinsoo
zuknlohmtf
zvaqzquwke
zwmmsqsxbu
zxdupgtgga
zytqwpkqfj
zztqeggdgx