二月场爆破-3
<?php
/*
 * CTF challenge script (deliberately weak): a session-backed round counter
 * that prints $flag once ten rounds have been accepted.
 *
 * Review notes for anyone who meets this pattern outside a lab:
 *  - `value` is taken from $_REQUEST with no type check, so it can arrive as
 *    an array instead of a string.
 *  - Both checks use loose `==`. md5() is only defined for strings; on
 *    PHP 5/7 a non-string argument yields a warning and NULL (hidden here by
 *    error_reporting(0)), and the NULL-derived substr() result still compares
 *    equal to 0. PHP 8 raises a TypeError instead.
 *  - A hardened version would reject non-string input (is_string), compare
 *    with `===` / hash_equals(), and end the request after session_destroy().
 */

error_reporting(0);    // silences all notices and warnings, including the md5() type warning
session_start();
require './flag.php';  // presumably defines $flag (it is not assigned anywhere in this file)

// First visit: set the fixed initial two-letter token, record the start time
// and reset the accepted-round counter.
if (!isset($_SESSION['nums'])) {
    $_SESSION['whoami'] = 'ea';
    $_SESSION['time'] = time();
    $_SESSION['nums'] = 0;
}

// Sessions older than 120 seconds are destroyed. Execution is not stopped,
// and $_SESSION stays populated for the remainder of this request.
$expiresAt = $_SESSION['time'] + 120;
if ($expiresAt < time()) {
    session_destroy();
}

// Untrusted input (GET, POST or, depending on configuration, a cookie).
$value = $_REQUEST['value'];

// Generate two random lowercase letters: the token expected in the next round.
$alphabet = range('a', 'z');
$firstLetter = $alphabet[mt_rand(0, 25)];
$secondLetter = $alphabet[mt_rand(0, 25)];
$nextToken = $firstLetter . $secondLetter;

// Author's note (translated): this is the key part. The first condition must
// be true, so the first request sends the two letters "ea"; for the md5 part
// an array is passed instead of a string; after ten rounds the flag is shown.
//
// Check 1: the first two elements/characters of `value` must equal the
//          current session token (loose comparison).
// Check 2: four hex characters of md5($value) must loosely equal 0. Because
//          `==` is used and $value is not forced to be a string, this check
//          does not actually require a matching hash.
$submittedPrefix = $value[0] . $value[1];
$prefixOk = $_SESSION['whoami'] == $submittedPrefix;
if ($prefixOk && substr(md5($value), 5, 4) == 0) {
    $_SESSION['nums']++;
    $_SESSION['whoami'] = $nextToken;
    echo $nextToken;
}

// Ten accepted rounds release the flag.
if ($_SESSION['nums'] >= 10) {
    echo $flag;
}

show_source(__FILE__); // the challenge prints its own source on every request
?>