current position：Home>I spring and autumn CTF ssrfme (get command vulnerability in Peal function) command execution detailed problem solution + principle learning process
I spring and autumn CTF ssrfme (get command vulnerability in Peal function) command execution detailed problem solution + principle learning process
2022-01-26 21:54:41 【AAAAAAAAAAAA66】
Just a few days ago, I was tired of doing a problem of command execution , This will brush the question and encounter another , I saw a lot of write up There are no different places , And the environment of this question is a little different from that of other platforms , There are some wirte up Reproduction can't even do , Finally, when you think alone , Just found a lot of fine energy-saving improvements . So to sum up , Sort out all the knowledge you have learned . Avoid people stepping on some unnecessary pits , Waste time in vain .
peal Function get Command vulnerability
Here we refer to the analysis of a blogger , I checked it write up The most detailed written in , Of course, the problem he did is different from that on our platform , But it has reference value .
About this loophole , Foreigners have articles , It's written like this ：
Perl saw that your “file” ended with a “pipe” (vertical
bar) character. So it interpreted the “file” as a command to be executed, and interpreted the command’s output as the “file”'s contents. The command is “who” (which prints information on currently logged-in users). If you execute that command, you will see that the output is exactly what the Perl program gave you.
Translation means ：
perl Function to see if the name of the file to be opened is marked with a pipe character （ The vertical bar on the keyboard |） ending , Will interrupt the original open file operation , And execute the file name as a command , And write the execution result of the command as the content of this file . The execution authority of this command is the current login . If you execute this command , You'll see perl Results of program operation .
So we can url Parameter obtain flag The order of the document , After execution , take flag Put the content in the file we uploaded , When we open the file we uploaded, we can see flag 了 .
<?php $sandbox = "sandbox/" . md5("orange" . $_SERVER["REMOTE_ADDR"]); @mkdir($sandbox); @chdir($sandbox); $data = shell_exec("GET " . escapeshellarg($_GET["url"])); $info = pathinfo($_GET["filename"]); $dir = str_replace(".", "", basename($info["dirname"])); @mkdir($dir); @chdir($dir); @file_put_contents(basename($info["basename"]), $data); highlight_file(__FILE__);
Simply audit the code
$sandbox = "sandbox/" . md5("orange" . $_SERVER["REMOTE_ADDR"]);
Get the user's ip, And will MD5 after orangeip As the folder name （ here ip Order your own ip）
$data = shell_exec("GET " . escapeshellarg($_GET["url"]));
get The request for url value , And use escapeshellarg The function will input url transcoding ,. after shell_exec perform （ Command execution ） By escapeshellarg After transcoding url Parameter values , And store the result of command execution in data in , In the following code , Will data（ That is, the result of this command execution ） Put it in the folder we passed in .
In fact, here , You can use rebound shell The way to do ,
(PHP 4 >= 4.0.3, PHP 5, PHP 7)
Transcoding a string so that it can be used in shell The parameters used in the command
string escapeshellarg ( string $arg )
escapeshellarg() Will add a single quotation mark to the string and can reference or transcode any existing single quotation marks , This ensures that a string can be passed directly into shell function , And it's safe . This function should be used for some parameters entered by the user .shell Function contains exec(), system() The execution operator
1. Ensure that the user passes only one parameter to the command
2. The user cannot specify more parameters
3. Users cannot execute different commands
$info = pathinfo($_GET["filename"]);
$dir = str_replace(".", "", basename($info["dirname"]));
Next get Request file name , And use str_replace Filter ., It is not allowed to pass through ../ Change the location of file transfer . If filename Address , Will change the current directory to filename Under the absolute path .
Last , hold data The content in （url Value executed ） The incoming to filename in .
Ideas 1. First use ?url=/&filename=qqq Use here /, As a parameter url Value ,/ stay linux Inside is the syntax to return to the previous level , This is to execute /, Get and change the server root directory . 2. then visit /sandbox/md5/qqq Get the file directory Here you can see flag and readflag file ,flag stay readflag Inside So we have to execute readflag Documents can be obtained flag Construct the following statement 3.?url=&filename=bash -c /readflag| Create a folder The folder name is command execution statement Content is empty （ Random filling , No effect ） 4.?url=file:bash -c /readflag|&filename=321 To execute by command , Finish the execution readflag The obtained value is stored in 321 file 5. visit /sandbox/md5/321 get flag
obtain MD5 value
Baidu Input ip Get your own ip value , Than ipconfig fast , ha-ha .
Then Baidu search MD5 encryption
obtain MD5 value
Look at the root directory
?url=&filename=bash -c /readflag|
?url=file:bash -c /readflag|&filename=321
There's a question mark here. Don't mind （ No effect ）
Thinking about this problem
1. First of all, this question url Obviously it can pass parameters , Why not url Directly execute the command to view flag, Why use it GET Medium open Function command execution , I'm in some write up We can also see such a solution in （ Finally, I tried , At most, you can get a garbled file ）, It's all the same question ,[hitcon 2017]ssrfme, Pass directly to url Command execution to get flag. in addition , If you must use every time get If there is a loophole in the function , That first step is useless | Pipe, , Did you succeed in executing the command . The suspicion here is i Spring and autumn website has this prevention or filtering for command execution ？
2. Since there are commands to execute , You can rebound shell Method to obtain flag, Refer to a topic I just wrote recently , But it may also be because i Spring and autumn website , Filtering of some commands results in no .（ Maybe it's my food , ha-ha ） Here's the process I wrote , Welcome the boss to correct
flowers 2 Look for the cover in minutes
author[AAAAAAAAAAAA66],Please bring the original link to reprint, thank you.
The sidebar is recommended
- Spring IOC container loading process
- [thinking] the difference between singleton mode and static method - object-oriented programming
- Hadoop environment setup (MySQL environment configuration)
- 10 minutes, using node JS creates a real-time early warning system for bad weather!
- Git tool
- Force deduction algorithm - 92 Reverse linked list II
- What is the sub problem of dynamic programming?
- C / C + +: static keyword summary
- Idea does not have the artifacts option when configuring Tomcat
- Anaconda can't open it
guess what you like
I don't know how to start this
Matlab simulation of transportation optimization algorithm based on PSO
MySQL slow log optimization
[Vue] as the window is stretched (larger, smaller, wider and higher), the text will not be displayed
Popular Linux distributions for embedded computing
Suzhou computer research
After installing SSL Certificate in Windows + tomcat, the domain name request is not successful. Please answer!!
Implementation time output and greetings of jQuery instance
The 72 year old uncle became popular. Wu Jing and Guo fan made his story into a film, which made countless dreamers blush
How to save computer research
- Springboot implements excel import and export, which is easy to use, and poi can be thrown away
- The final examination subjects of a class are mathematical programming, and the scores are sorted and output from high to low
- Two pronged approach, Tsinghua Professor Pro code JDK and hotspot source code notes, one-time learning to understand
- C + + recursive knapsack problem
- The use of GIT and GitHub and the latest git tutorial are easy to understand -- Video notes of crazy God speaking
- PostgreSQL statement query
- Ignition database test
- Context didn't understand why he got a high salary?, Nginxfair principle
- Bootstrap switch switch control user's guide, springcloud actual combat video
- A list that contains only strings. What other search methods can be used except sequential search
- [matlab path planning] multi ant colony algorithm grid map path planning [including GUI source code 650]
- [matlab path planning] improved genetic algorithm grid map path planning [including source code phase 525]
- Iinternet network path management system
- Appium settings app is not running after 5000ms
- Reactnative foundation - 07 (background image, status bar, statusbar)
- Reactnative foundation - 04 (custom rpx)
- If you want an embedded database (H2, hsql or Derby), please put it on the classpath
- When using stm32g070 Hal library, if you want to write to flash, you must perform an erase. If you don't let it, you can't write continuously.
- Linux checks where the software is installed and what files are installed
- SQL statement fuzzy query and time interval filtering
- 69. Sqrt (x) (c + + problem solving version with vs runnable source program)
- Fresh students are about to graduate. Do you choose Java development or big data?
- Java project: OA management system (java + SSM + bootstrap + MySQL + JSP)
- Titanic passenger survival prediction
- Vectorization of deep learning formula
- Configuration and use of private image warehouse of microservice architect docker
- For someone, delete return 1 and return 0
- How does Java dynamically obtain what type of data is passed? It is used to judge whether the data is the same, dynamic data type
- How does the database cow optimize SQL?
- [data structure] chain structure of binary tree (pre order traversal) (middle order traversal) (post order traversal) (sequence traversal)
- Webpack packaging optimization solution
- 5. Operation element
- Detailed explanation of red and black trees
- redhat7. 9 install database 19C
- Blue Bridge Cup notes: (the given elements are not repeated) complete arrangement (arrangement cannot be repeated, arrangement can be repeated)
- Detailed explanation of springboot default package scanning mechanism and @ componentscan specified scanning path
- How to solve the run-time exception of test times
- Detailed explanation of k8s management tool kubectl
- Android system view memory command