Add shortest solution of lixi_2018

Question

Add shortest solution of lixi_2018

WangYihang opened this issue 6 years ago · comments

22 Bytes

?%E2%81%A3=${${`cu\\rl 0:88\88`}};

not for arbitrary command execution, ssrf to get flag~

Luật Nguyễn · Answer 1 · Fri Jun 01 2018 20:53:03 GMT+0800 (China Standard Time)

Cool! Actually, prior to releasing the challenge, I already removed curl wget telnet stuff.
But it turns out that busybox can be used.

Yihang Wang · Answer 2 · Fri Jun 01 2018 20:53:38 GMT+0800 (China Standard Time)

oh, ${{}} is useless

`cu\\rl 0:88\88`;

Yihang Wang · Answer 3 · Fri Jun 01 2018 20:54:17 GMT+0800 (China Standard Time)

wow, I did not notice that... I just test it in my computer~ thank you for your excellent challenge, pretty cool~

Luật Nguyễn · Answer 4 · Fri Jun 01 2018 20:55:36 GMT+0800 (China Standard Time)

Glad you liked it! Enjoy other ones ~

Yihang Wang · Answer 5 · Fri Jun 01 2018 21:00:19 GMT+0800 (China Standard Time)

Oh, I think there was a mistake.. I didn't noticed that the function shell_exec will not print the output of the command... so I was my fault, I think die() or any other functions can print string are necessary;

Luật Nguyễn · Answer 6 · Sat Jun 02 2018 20:15:14 GMT+0800 (China Standard Time)

Yea, you can check the solutions out, there is one payload which using die(`ssh... got the same idea to yours.