CTF Basics: WeChall + HackTheBox - Reverse

WeChall register_globals

register_globals was removed in PHP 5.4.0. It automatically created variables from external input, such as HTML request parameters.
http://1.1.1.1/report.asp?id=123&kehu=222
Use login[0]=admin; passing login=admin directly only takes the first and second characters.


hackthebox

Invite challenge: run the function in the browser console, appending () to call it.
curl -X POST https://…


hackthebox – Enumeration

ports=$(nmap -p- --min-rate=1000 -T4 10.10.10.27 | grep '^[0-9]' | cut -d '/' -f 1 | tr '\n' ',' | sed 's/,$//')
nmap -sC -sV -p$ports 10.10.10.27

command1 | command2: a pipe; the output of command1 is passed to command2 as its input
-T4 speeds up execution
-p- scans all ports
--min-rate 1000 requests that Nmap send at least 1,000 packets per second
cut: print selected parts of lines from each FILE to standard output
-f 1 selects the first field; -d sets the field delimiter
tr translates or deletes characters; here '\n' is translated to ','
sed 's/regexp/replacement/flags'
Its basic concept is simple: the s command attempts to match the pattern space against the supplied regular expression regexp; if the match is successful, then that portion of the pattern space which was matched is replaced with replacement.
Once regexp matches, the matched text is replaced with replacement.
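As an added example, not part of the original notes: the same pipeline wrapped in a shell function and run over a constructed sample of `nmap -p-` output (the sample text and the function names extract_ports / ports_from_text are assumptions), so you can see which lines grep keeps and that non-open port lines are included too.

```sh
#!/bin/sh
# Added example: reproduces the port-extraction pipeline from the notes on a
# constructed sample of `nmap -p-` output so it runs offline (no host is scanned).

# Constructed sample of what `nmap -p- <host>` prints. Only the lines that start
# with a digit are port lines; the rest are header and summary lines.
SAMPLE_NMAP_OUTPUT='Starting Nmap 7.80 ( https://nmap.org ) at 2020-01-01 12:00 UTC
Nmap scan report for 10.10.10.27
Host is up (0.050s latency).
Not shown: 65531 closed ports
PORT      STATE    SERVICE
80/tcp    open     http
135/tcp   open     msrpc
1433/tcp  open     ms-sql-s
49667/tcp filtered unknown

Nmap done: 1 IP address (1 host up) scanned in 12.34 seconds'

# Same pipeline as in the notes, reading nmap output from stdin:
#   grep '^[0-9]'    keeps only the port lines (header/summary lines do not start
#                    with a digit); note it keeps filtered ports as well as open ones
#   cut -d '/' -f 1  keeps the number in front of "/tcp"
#   tr '\n' ','      joins the numbers with commas
#   sed 's/,$//'     drops the trailing comma left behind by tr
extract_ports() {
    grep '^[0-9]' | cut -d '/' -f 1 | tr '\n' ',' | sed 's/,$//'
}

# Convenience wrapper: takes the nmap output as a string instead of stdin.
ports_from_text() {
    printf '%s\n' "$1" | extract_ports
}

main() {
    ports=$(ports_from_text "$SAMPLE_NMAP_OUTPUT")
    echo "port list for the -p stage: $ports"   # 80,135,1433,49667
}

main
```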

select IS_SRVROLEMEMBER('sysadmin')


remote code execution (RCE)

A reverse shell

is a type of shell in which the target machine communicates back to the attacking machine. The attacking machine has a listener port on which it receives the connection, and through that connection code or command execution is achieved.

Bind shell

A bind shell is a type of shell in which the target machine opens a communication port or a listener on the victim machine and waits for an incoming connection. The attacker then connects to the victim machine's listener, which leads to code or command execution on the server.


netcat
nc -lvnp 443: listen mode on port 443, waiting for an incoming connection


OllyDbg

* shows the current EIP
F4 runs to the cursor position
F2 sets a breakpoint
CALL first pushes the address of the following instruction (the return address) onto the stack
On Windows, arguments are pushed in reverse order: for f(a,b), b is pushed first, then a
test = and, but it does not change the operand values (only the flags)

x64dbg

file test.py