
I've been trying to figure out why I can't get NMap to give me any sort of output nor even work for that matter via PHP.

Things I've tried so far:

```php
// this doesn't return anything because it's wrong
$output = passthru('nmap -V');
echo $output;

// this returns a negated integer value
passthru('nmap -V', $output);
echo $output;

// this doesn't return anything either
$stream = popen('C:\nmap -V', 'r');
while (!feof($stream))
{
    $buffer = fread($stream, 1024);
    echo $buffer;
}
pclose($stream);

// this doesn't do anything as well
$output = system('C:\nmap -V');
echo $output;

// this does nothing also...
ob_start(); // start output buffering
fpassthru('C:\nmap -V'); // flush COMPLETE output of nmap
$output = ob_get_contents(); // capture output buffer contents
ob_end_clean(); // shutdown output buffers
echo $output; // echo it
```


```php
// okay, how about we try a 'proc_open()'?
// nope, this doesn't work either. I just get a value of "command returned -1073741515"
$descriptorspec = array(
    0 => array("pipe", "r"), // stdin is a pipe that the child will read from
    1 => array("pipe", "w"), // stdout is a pipe that the child will write to
    2 => array("file", "errors/errors.txt", "a") // stderr is a file to write to
);

$cwd = 'errors';
$env = array('some_option' => 'aeiou');

$process = proc_open('C:/nmap -V', $descriptorspec, $pipes, $cwd, $env);

if (is_resource($process))
{
    // $pipes now looks like this:
    // 0 => writeable handle connected to child stdin
    // 1 => readable handle connected to child stdout
    // Any error output will be appended to /errors/errors.txt

    fwrite($pipes[0], '<?php print_r($_ENV); ?>');
    fclose($pipes[0]);

    echo stream_get_contents($pipes[1]);
    fclose($pipes[1]);

    // It is important that you close any pipes before calling
    // proc_close in order to avoid a deadlock
    $return_value = proc_close($process);

    echo "command returned $return_value\n";
}
```

And many others, but I get absolutely NOTHING back from $output. I've done a lot of Google searching too, but I still can't figure it out. Many examples also seem to be for Linux which doesn't help.

Thanks.

t0rxe
  • I would recommend rereading the [docs for `passthru()`](https://www.php.net/passthru) as that function returns no data in any case. – esqew Apr 29 '21 at 18:23
  • Okay, so we can scratch out `passthru`. – t0rxe Apr 29 '21 at 18:24
  • Does this answer your question? [How to use Nmap in PHP exec](https://stackoverflow.com/questions/25429527/how-to-use-nmap-in-php-exec) – esqew Apr 29 '21 at 18:24
  • `shell_exec()` doesn't necessarily return anything either. – Alex Howansky Apr 29 '21 at 18:25
  • @esqew, no. That doesn't work either, and that was one I already found in my Google search. – t0rxe Apr 29 '21 at 18:28
  • I can't speak to nmap specifically, but my go-to is [`proc_open`](https://www.php.net/manual/en/function.proc-open.php) because you can specify pipes for stdin, stdout and stderr (and I'm working on a project right now using it). – Chris Haas Apr 29 '21 at 21:01
  • Doesn't work either. I have added my code to the example. – t0rxe Apr 30 '21 at 02:24

1 Answer

Okay, I get an output using this code. I will continue coding and finish the rest of the program. Thanks to 'Chris Haas' for the suggestion to use `proc_open`.

NOTE: The directory that contains the 'errors.txt' file must have 'IIS_IUSRS' write permissions. When in doubt, check your PHP error log.

```php
$descriptorSpec = array(
    0 => array("pipe", "r"), // stdin is a pipe that the child will read from
    1 => array("pipe", "w"), // stdout is a pipe that the child will write to
    2 => array("file", "errors/errors.txt", "a") // stderr is a file to write to
);

// 'bypass_shell' is documented as a key of proc_open()'s sixth argument ($options);
// in the fifth position, as here, this array is the child's environment.
$env = array('bypass_shell' => true);
// The fourth argument is the working directory the child is started in.
$process = proc_open("NMAP.EXE -V", $descriptorSpec, $pipes, "C:\\Program Files (x86)\\NMap", $env);

if (is_resource($process))
{
    // '$pipes' now looks like this:
    // 0 => writeable handle connected to child stdin
    // 1 => readable handle connected to child stdout
    // This input comes from the PHP manual's proc_open() example; 'nmap -V' does not read stdin.
    fwrite($pipes[0], '<?php print_r($_ENV); ?>');
    fclose($pipes[0]);

    echo stream_get_contents($pipes[1]);
    fclose($pipes[1]);

    // it is important that you close any pipes before calling
    // proc_close in order to avoid a deadlock
    $return_value = proc_close($process);

    echo "<br /><br />Command Returned: $return_value\n";
}
```

Nmap version 7.91 ( https://nmap.org ) Platform: i686-pc-windows-windows Compiled with: nmap-liblua-5.3.5 openssl-1.1.1h nmap-libssh2-1.9.0 nmap-libz-1.2.11 nmap-libpcre-7.6 Npcap-1.00 nmap-libdnet-1.12 ipv6 Compiled without: Available nsock engines: iocp poll select

Command Returned: 0

t0rxe
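An added example (not the poster's code): running a program through `proc_open()` with an array command so that no shell is involved, and printing a negative Windows exit code in NTSTATUS form. The question's -1073741515 is 0xC0000135, STATUS_DLL_NOT_FOUND, meaning Windows could not load a DLL the program needs. The helper names `run_tool()` and `ntstatus_hex()` are hypothetical, the demo command is the PHP binary itself, and the array command form assumes PHP 7.4 or later.

```php
<?php
// Added example, not the poster's code. run_tool() and ntstatus_hex() are hypothetical names.

/** Run a program without a shell; returns [exit code, stdout, stderr]. */
function run_tool(array $argv, ?string $cwd = null): array
{
    $errFile = tmpfile();             // stderr goes to a temp file, so a chatty
    if ($errFile === false) {         // child cannot block on a full stderr pipe
        throw new RuntimeException('cannot create temp file for stderr');
    }
    $spec = [0 => ['pipe', 'r'], 1 => ['pipe', 'w'], 2 => $errFile];
    // An array command (PHP 7.4+) is started directly, with no cmd.exe or
    // /bin/sh in between, so its arguments are never parsed by a shell.
    $proc = proc_open($argv, $spec, $pipes, $cwd);
    if (!is_resource($proc)) {
        fclose($errFile);
        throw new RuntimeException('proc_open failed for ' . $argv[0]);
    }
    fclose($pipes[0]);                // nothing to send on stdin
    $out = stream_get_contents($pipes[1]);
    fclose($pipes[1]);                // close pipes before proc_close()
    $code = proc_close($proc);
    rewind($errFile);
    $err = stream_get_contents($errFile);
    fclose($errFile);
    return [$code, $out, $err];
}

/** Render an exit code as unsigned 32-bit hex, the form NTSTATUS values are listed in. */
function ntstatus_hex(int $code): string
{
    // %X prints negatives in two's complement; keep the low 32 bits.
    return '0x' . substr(sprintf('%08X', $code), -8);
}

// The return value reported in the question, shown in NTSTATUS form.
echo ntstatus_hex(-1073741515), PHP_EOL;

// Constructed demo command so this runs anywhere: the PHP binary itself.
// For the answer's setup, pass the nmap.exe path under the install directory
// shown in the answer, plus '-V', and the same directory as $cwd.
[$code, $out, $err] = run_tool([PHP_BINARY, '-v']);
echo $out;
if ($code !== 0) {
    echo 'exit ', $code, ' (', ntstatus_hex($code), ') stderr: ', $err, PHP_EOL;
}
```

Capturing stderr in a temporary file also avoids depending on write permissions for an `errors` directory under the web root.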