<?php/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-09-03 11:43:51
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-03 11:56:11
# @email: h1xa@ctfer.com
# @link: https://ctfer.com*/
error_reporting(0);include('flag.php');
if(isset($_GET['token'])){$token = md5($_GET['token']);if(substr($token, 1,1)===substr($token, 14,1) && substr($token, 14,1) ===substr($token, 17,1)){if((intval(substr($token, 1,1))+intval(substr($token, 14,1))+substr($token, 17,1))/substr($token, 1,1)===intval(substr($token, 31,1))){echo $flag;}}
}else{highlight_file(__FILE__);}
?>代码的意思就是取传递的token值,如果token的第二位强等于第十五位并且第十五位强等于第十八位,如果第二位取整与第十五位取整再与第十八位再除以第二位强等于第三十二位则会输出flag,根据以上代码编写脚本即可
import hashlib
import random
import stringdef find_token():while True:# 生成随机字符串token = ''.join(random.choices(string.ascii_letters + string.digits, k=8))md5 = hashlib.md5(token.encode()).hexdigest()# 检查第2、15、18位是否相同c2 = md5[1]c15 = md5[14]c18 = md5[17]if c2 == c15 == c18:# 检查第32位是否是 '3'if md5[31] == '3':print(f"Found valid token: {token}")print(f"MD5: {md5}")print(f"Positions: 2={c2}, 15={c15}, 18={c18}, 32={md5[31]}")return tokenfind_token()
由于随机生成字符串(md5值不可逆向只能暴力尝试),所以可能需要多生成几次才会生成符合条件的token值
