<?php if (isset($_SERVER['HTTP_X_FORWARDED_FOR'])) { $_SERVER['REMOTE_ADDR'] = $_SERVER['HTTP_X_FORWARDED_FOR']; } if(!isset($_GET['host'])) { highlight_file(__FILE__); } else { $host = $_GET['host']; $host = escapeshellarg($host); $host = escapeshellcmd($host); $sandbox = md5("glzjin". $_SERVER['REMOTE_ADDR']); echo 'you are in sandbox '.$sandbox; @mkdir($sandbox); chdir($sandbox); echo system("nmap -T5 -sT -Pn --host-timeout 2 -F ".$host); }
system()命令执行函数中存在可控变量,考虑为rce漏洞,这就是利用点了。
参考文章:
https://github.com/hongriSec/PHP-Audit-Labs/blob/master/Part1/Day5/files/README.md
https://blog.csdn.net/mochu7777777/article/details/110605396