<?php
header("content-type:text/html;charset=utf8;");
$url="http://lab1.xseclab.com/xss2_0d557e6d2a4ac08b749b61473a075be1/index.php";
function request_post($url){
//创建一次会话,目的是获得cookie,和计算结果
$ch = curl_init($url);
curl_setopt($ch, CURLOPT_HEADER, true); //返回头信息
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);//返回数据不直接输出
$filecontent=curl_exec($ch);
curl_close($ch);
//正则获取算式,并计算出来
$pattern="/\d+\*\d+\+\d+\*\((\d+\+\d+)\)/";
preg_match($pattern,$filecontent,$match);
$res=$match[0];
$pattern1="/\d+/";
preg_match_all($pattern1,$res,$match1);
$arr=$match1[0];
$last=(int)$arr[0]*(int)$arr[1]+(int)$arr[2]*((int)$arr[3]+(int)$arr[4]);
//echo $last;
//提取cookie信息
$pattert="/Set-Cookie: (\w+\=\w+)/";
preg_match($pattert,$filecontent,$match);
$cookie=$match[1];
//echo $cookie;
$cont="v=".$last;
$ch=curl_init($url);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch,CURLOPT_RETURNTRANSFER,1);
curl_setopt($ch, CURLOPT_COOKIE, $cookie);
curl_setopt($ch,CURLOPT_POSTFIELDS,$cont); //发送POST数据
$content=curl_exec($ch);
//echo $cont;
curl_close($ch);
var_dump($content);
}
request_post($url);
结果:
key is 123iohHKHJ%^&*(jkh