WeChall - Trivia

Challenge

WeChall's built-in random trivia challenge. Each page load shows one randomly chosen question, and the correct answer has to be submitted within 60 seconds. After a certain number of correct answers the challenge is marked solved automatically.

The questions are drawn at random from categories covering computer history, technical terminology, film and TV, literature, geography and more.

Solution

Every question runs on a 60-second timer, so on the face of it the challenge demands broad general knowledge. In practice, the challenge's question-bank files were unintentionally exposed on the web server.

Question bank leak

The directory that serves the challenge page has an unlinked subdirectory:

```
/challenge/trivia/74k37h053/
```

The directory name 74k37h053 is leetspeak ("takethose"), and it holds three plain-text files that together make up the complete question database:

File                           Questions  Contents
gizmore.txt                    7          obscure questions written by Gizmore himself
z.txt                          116        general bank (film/TV, literature, history, tech)
InternalAffairs-Computers.txt  59         computing/technology (acronyms, history, networking)

Every entry uses the same one-line format: a slash-separated category, the canonical answer, zero or more accepted alternative answers, then a double slash and the question text:

```
/Category/Answer1/AlternativeAnswer//Question text?
```

For example:

```
/Acronyms-Hardware/Central Processing Unit//What does CPU stand for?
/History-Computers/Moore's Law/Moore//What law says that the number of transistors doubles every 18 months?
/Technical-Networks/Tier-1 (T1)/Tier-1/T-1/T1//1.544 Mbps is the transfer rate of which common broadband technology?
/Computers/Dmitry Sklyarov//Who was arrested at DEFCON in 2001?
/Computers/Pretty Good Privacy//PGP is the acronym for?
/Computers/town hall//What is the primary structure in Warcraft: Orcs & Humans?
/Celebrity/Bill Gates//Who is the most famous for getting a cake in his face?
```
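
As an added example (not code from the writeup), here is a parser for the leaked bank format that keeps the canonical answer and every accepted alternative, and normalizes question text the way you need to when matching it against what the HTML page shows (entity-escaped, variable whitespace, case). The sample bank is constructed from the lines quoted above plus a blank line and a comment line to show what the parser skips; the lookup/accepts helpers are this example's own, not WeChall's.

```python
import html
import re
from dataclasses import dataclass

# Constructed sample in the leaked-file format: /Category/Answer/Alt1/.../AltN//Question
# (the question lines are the ones quoted above; the blank and '#' lines are added
# here to exercise the parser's skip logic)
SAMPLE_BANK = """\
/Acronyms-Hardware/Central Processing Unit//What does CPU stand for?
/History-Computers/Moore's Law/Moore//What law says that the number of transistors doubles every 18 months?
/Technical-Networks/Tier-1 (T1)/Tier-1/T-1/T1//1.544 Mbps is the transfer rate of which common broadband technology?
/Computers/town hall//What is the primary structure in Warcraft: Orcs & Humans?

# constructed comment line, skipped by the parser
"""


@dataclass
class Entry:
    category: str
    answers: list  # answers[0] is the canonical answer; the rest are accepted alternatives
    question: str


def parse_line(line):
    """Parse one bank line into an Entry, or return None for blank/comment/malformed lines."""
    line = line.rstrip("\n")
    if not line.strip() or line.startswith("#"):
        return None
    # Split on the FIRST '//' only: the left side is the slash-separated metadata,
    # the right side is the question text (which could itself contain '//').
    meta, sep, question = line.partition("//")
    if not sep or not meta.startswith("/"):
        return None
    fields = meta[1:].split("/")
    if len(fields) < 2:  # need at least a category and one answer
        return None
    # Caveat: the format cannot express a literal '/' inside an answer, so an
    # answer such as "TCP/IP" would be read here as two alternatives.
    return Entry(category=fields[0], answers=fields[1:], question=question.strip())


def normalize(text):
    """Fold page text and bank text to one comparable form."""
    text = html.unescape(text)          # page shows '&amp;', bank has '&'
    return re.sub(r"\s+", " ", text).strip().lower()


def load_bank(text):
    """Build {normalized question -> Entry} from the raw file contents."""
    bank = {}
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is not None:
            bank[normalize(entry.question)] = entry
    return bank


def lookup(bank, page_question):
    """Return the canonical answer for a question scraped from the page, or None."""
    entry = bank.get(normalize(page_question))
    return entry.answers[0] if entry else None


def accepts(entry, given):
    """True if `given` matches any accepted spelling of the entry's answer."""
    return normalize(given) in {normalize(a) for a in entry.answers}


if __name__ == "__main__":
    bank = load_bank(SAMPLE_BANK)
    print(len(bank), "questions loaded")
    print(lookup(bank, "What is the primary structure in Warcraft: Orcs &amp; Humans?"))
```

Keying the dictionary on the normalized question rather than the raw line is what makes the match survive the page's HTML escaping; the alternatives list is there so you can also validate a manually typed answer before wasting one of the 60-second windows.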

Automating the answers

With the bank in hand the solution is straightforward:

  1. Fetch the page and extract the question text
  2. Look the question up in the bank to get its answer
  3. Submit the answer within the 60-second window

The CSRF token (gwf3_csrf) is regenerated on every page load, so the token you submit must come from the same GET that showed you the question: fetch once, parse both the question and the token out of that response, then POST once without reloading the page in between.

```python
import html
import re
import subprocess

cookie = 'WC=...'  # session cookie of a logged-in WeChall account
url = 'https://www.wechall.net/challenge/trivia/index.php'
qa_bank = {}  # question text -> canonical answer, filled from the 3 leaked txt files

# Parse one bank file: each line is /Category/Answer1/Alternative.../Question text?
def load_qa(path):
    for line in open(path, encoding='utf-8', errors='replace'):
        parts = line.strip().split('//')
        if len(parts) != 2:
            continue
        meta, question = parts
        # '/Category/Answer1/Answer2'.split('/') -> ['', 'Category', 'Answer1', 'Answer2']
        # index 2 is the canonical answer; anything after it is an accepted alternative
        fields = meta.split('/')
        if len(fields) < 3:
            continue
        qa_bank[question.strip()] = fields[2]

for name in ('gizmore.txt', 'z.txt', 'InternalAffairs-Computers.txt'):
    load_qa(name)

# One GET: pull the question and the CSRF token that belongs to this page load
page = subprocess.run(['curl', '-sL', '-b', cookie, url],
                      capture_output=True, text=True).stdout

question = re.search(r'Question:<br/>\s*(.*?)<br/>', page).group(1)
csrf = re.search(r'gwf3_csrf" value="([^"]+)"', page).group(1)
# the page HTML-escapes the question (e.g. '&amp;'), the bank does not
answer = qa_bank.get(html.unescape(question).strip())
if answer is None:
    raise SystemExit(f'question not in bank: {question!r}')

# One POST with the token from the same page load, inside the 60-second window
subprocess.run(['curl', '-sL', '-b', cookie, url,
                '--data-urlencode', f'answer={answer}',
                '--data-urlencode', 'cmd=Answer',
                '--data-urlencode', f'gwf3_csrf={csrf}'],
               capture_output=True, text=True)
```

Run the script repeatedly; after roughly 10-15 distinct correct answers the page reports "already solved" and the challenge is complete.