exec-01
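Ping an IP.
Using the pipe character to separate commands does not work here. After some testing, what finally worked was %0a.
On Linux, the usual command separators are these: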
| || & && . ; - <> $ %0a %0d `
Run ls.
Run cat, which gives:
'',
    ';' => '',
    '|' => '',
    '-' => '',
    '$' => '',
    '(' => '',
    ')' => '',
    '`' => '',
    '||' => '',//%0A
    );
    // Remove any of the characters in the array (blacklist).
    $target = str_replace( array_keys( $substitutions ), $substitutions, $target );
    // var_dump($target);
    // Determine OS and execute the ping command.
    if( stristr( php_uname( 's' ), 'Windows NT' ) ) {
        // Windows
        $cmd = shell_exec( 'ping ' . $target );
    }
    else {
        // *nix
        $cmd = shell_exec( 'ping -c 1 ' . $target );
    }
    // Feedback for the end user
    echo "
{$cmd}
";
}
else{
    echo "please input a get type parameter as ip!!";
}
?>
It really does filter a lot of separators. Next, run ls,
which reveals flag.txt; cat it to get the flag.
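The blacklist shown above removes listed characters and misses the newline, which is why %0a still separates commands. As an added example (not the challenge's code; the function names are hypothetical), the same ping handler can validate the input against an allowlist and quote it before it reaches the shell:

```php
<?php
// Added example, not the challenge's code. Function names are hypothetical.

// Allowlist check: accept only a literal IPv4/IPv6 address.
// filter_var() returns false for anything else, so a decoded %0a,
// a space or any shell metacharacter is rejected without being listed.
function validate_ping_target(string $raw): ?string
{
    $ip = filter_var($raw, FILTER_VALIDATE_IP);
    return $ip === false ? null : $ip;
}

// Build the command with the same OS branches as the page's code.
// escapeshellarg() is kept as a second layer: the value is passed to
// ping as one quoted argument even if the validation is loosened later.
function build_ping_command(string $ip): string
{
    if (stristr(php_uname('s'), 'Windows NT')) {
        return 'ping ' . escapeshellarg($ip);
    }
    return 'ping -c 1 ' . escapeshellarg($ip);
}

// Constructed sample inputs: one valid address per family, then the
// newline and ';' separators the write-up mentions (already URL-decoded).
$samples = array("127.0.0.1", "::1", "127.0.0.1\nls", "127.0.0.1;ls");

foreach ($samples as $raw) {
    $ip = validate_ping_target($raw);
    if ($ip === null) {
        echo "rejected: " . json_encode($raw) . "\n";
        continue;
    }
    // The command is only printed here; a handler would pass it to shell_exec().
    echo "accepted: " . build_ping_command($ip) . "\n";
}
```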
exec-02
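The earlier steps are the same as in the previous challenge, except that the cat command turns out to be banned. Testing showed that many other file-reading commands are banned too, but the paste command works, which gives the flag.
The challenge is already solved, but let's read index.php anyway; however, the relevant variables are not in it.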
'',
    ';' => '',
    '|' => '',
    '-' => '',
    '$' => '',
    '(' => '',
    ')' => '',
    '`' => '',
    '||' => '',//%0A
    );
    // Remove any of the characters in the array (blacklist).
    $target = str_replace( array_keys( $substitutions ), $substitutions, $target );
    // var_dump($target);
    // Determine OS and execute the ping command.
    if( stristr( php_uname( 's' ), 'Windows NT' ) ) {
        // Windows
        $cmd = shell_exec( 'ping ' . $target );
    }
    else {
        // *nix
        $cmd = shell_exec( 'ping -c 1 ' . $target );
    }
    // Feedback for the end user
    echo "
{$cmd}
";
}
else{
    echo "please input a get type parameter as ip!!";
}
?>