![\"image-20240129223941741\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202401312347420.png\")
<\/div><\/p>\n\u7ec8\u4e8e\u5f00\u59cb\u6362\u9776\u573a\u4e86\uff01<\/p>\n
\u73af\u5883\u914d\u7f6e<\/h2>\n
\u4e0b\u8f7d\u4e0b\u6765\u662f\u4e00\u4e2a \u51fabug\u4e86\uff0c\u4e0d\u8fc7\u4e5f\u5f88\u6b63\u5e38\uff0c\u8fd9\u79cd\u6bd4\u8f83\u8001\u7684\u90fd\u6709\u70b9bug\uff0c\u770b\u6765\u662f\u9700\u8981\u66f4\u6539\u4e00\u4e0b\u7f51\u5361\u914d\u7f6e\u4e86\uff0c\u66f4\u6539\u4ee5\u540e\u53d1\u73b0\u8fd8\u662f\u6709\u62a5\u9519\uff0c\u5c1d\u8bd5\u4e00\u4e0bvmware\uff1a\u4f1a\u62a5\u4e4b\u524d\u90a3\u4e2a \u7136\u540e\u6253\u5f00\u4ee5\u540e\u53d1\u73b0\uff1a<\/p>\n \u4ed6\u8bf4\u4e86\u4ed6\u53ef\u80fd\u9700\u8981\u4e00\u4e2a\u6865\u63a5\u6a21\u5f0f\uff0c\u6216\u8005DHCP\u670d\u52a1\u7684\u6a21\u5f0f\uff0c\u6539\u56de\u6765\u5427\uff0c\u4e2d\u95f4\u6709\u4e2a \u7136\u540e\u53d1\u73b0\uff1a<\/p>\n \u597d\u4e86\uff0c\u770b\u6765\u4ee5\u540e\u8fd8\u662f\u5f97\u591a\u770b\u4f5c\u8005\u7684\u89e3\u7b54\uff01\uff01\uff01<\/p>\n \u5c1d\u8bd5\u8bbf\u95ee\u4e00\u4e0b\uff0c\u770b\u770b\u662f\u4e0d\u662f\u6b63\u5e38\u8fde\u63a5\u7684\uff01<\/p>\n \u4e00\u5207\u6b63\u5e38\uff0c\u53ef\u4ee5\u5f00\u59cb\u5b66\u4e60\u4e86\u3002<\/p>\n \u4f7f\u7528\u6d4f\u89c8\u5668\u63d2\u4ef6 \u67e5\u770b\u4e00\u4e0b\u6e90\u4ee3\u7801\uff1a<\/p>\n \u5c1d\u8bd5\u8bbf\u95ee\u4e00\u4e0b \u67e5\u770b\u4e00\u4e0b\u8fd9\u4e09\u4e2a\u76ee\u5f55\uff1a<\/p>\n \u770b\u6765\u662f\u4e0d\u884c\u4e86\uff0c\u987a\u4fbf\u67e5\u770b\u4e00\u4e0b\u6e90\u4ee3\u7801\uff0c\u6ca1\u627e\u5230\u6709\u7528\u7684\u4e1c\u897f\u3002<\/p>\n \u4eca\u5929\u6709\u70b9\u6162\uff0c\u6ca1\u4e8b\u6b63\u597d\u5c1d\u8bd5\u4e86\u5176\u4ed6\u51e0\u4e2a\u5de5\u5177\uff1a<\/p>\n \u53ea\u626b\u51fa\u6765\u4e8680\u7aef\u53e3\u3002<\/p>\n nmap \u626b\u4e00\u4e0b\u76f8\u5173\u7248\u672c\uff1a<\/p>\n \u548c\u6211\u4eec\u6d4f\u89c8\u5668\u63d2\u4ef6\u5f97\u5230\u4e1c\u897f\u5dee\u4e0d\u591a\u3002<\/p>\n \u6ca1\u5565\u6536\u83b7\uff0c\u987a\u4fbf\u4e5f\u7528 \u5c1d\u8bd5\u5728\u7f51\u7ad9\u4e0a\u641c\u5bfb\u4fe1\u606f\uff0c\u770b\u770b\u6709\u6ca1\u6709\u53ef\u4ee5\u8bbf\u95ee\u5230\u7684\u654f\u611f\u8d44\u6e90\uff1a<\/p>\n \u70b9\u5f00\u8fde\u63a5\u67e5\u770b\u4e86\u4e00\u4e0b\uff0c\u627e\u5230\u4e86\u8fd9\u6837\u4e00\u4e2a\u7167\u7247\uff1a<\/p>\n \u5c1d\u8bd5\u641c\u4e00\u4e0b\u8fd9\u4e2a \u53d1\u73b0\u662f\u4e00\u4e2a\u9178\u5976\u54c1\u724c\uff0c\u5c1d\u8bd5\u8bbf\u95ee\u4e00\u4e0b\u8fd9\u4e2a\u76ee\u5f55\uff0c\u770b\u770b\u6709\u6ca1\u6709\u6536\u83b7\uff1a<\/p>\n \u5999\u54c9\uff01\uff01\uff01\u5c1d\u8bd5\u4e07\u80fd\u5bc6\u7801\uff0c\u5931\u8d25\uff0c\u591a\u6b21\u5c1d\u8bd5\u90fd\u6ca1\u6210\u529f\uff0c\u5c1d\u8bd5\u4f7f\u7528 sqlmap \u8fdb\u884c\u626b\u63cf\uff0c\u672c\u6765\u60f3\u6253\u5f00\u6e90\u4ee3\u7801\u67e5\u770b\u4e00\u4e0b\u662f\u5426\u6709\u4f20\u53c2\u65b9\u5f0f\u7684\uff0c\u7ed3\u679c\u53d1\u73b0\u4e86\u5acc\u7591\u5b57\u7b26\uff1a<\/p>\n \u4e5f\u53ef\u4ee5\u53d1\u73b0\u786e\u5b9e\u6709\u4f20\u53c2\u65b9\u5f0f\uff0c\u662f\u4f7f\u7528POST\u4f20\u53c2\u7684\uff0c\u6211\u4eec\u5148\u4f7f\u7528sqlmap\u67e5\u4e00\u4e0b\u662f\u5426\u6709\u6ce8\u5165\u70b9\uff1a<\/p>\n \u4f3c\u4e4e\u7206\u7834\u5931\u8d25\u4e86\uff0c\u5c1d\u8bd5\u89e3\u5bc6\u4e00\u4e0b\u521a\u521a\u627e\u5230\u7684\u90a3\u4e2a \u53ef\u4ee5\u770b\u5230\u662f\u4e00\u4e2a\u7167\u7247\uff0c\u5185\u5bb9\u4e3a \u5c1d\u8bd5\u5c06\u7528\u6237\u8bbe\u7f6e\u4e3a \u6709\u4e00\u4e2a\u4e0a\u4f20\u6587\u4ef6\u7684\u9009\u9879\uff0c\u770b\u770b\u6e90\u7801\uff0c\u4f3c\u4e4e\u5c31\u662f\u4e2a\u4e0a\u4f20\u6587\u4ef6\u7684\uff0c\u5c1d\u8bd5\u4e0a\u4f20\u4e00\u53e5\u8bdd\u56fe\u7247\u9a6c\uff1a<\/p>\n \u66f4\u6539\u540e\u7f00\u540d\uff0c\u9690\u85cf\u4e3a png \u5c1d\u8bd5\u4e0a\u4f20\uff1a<\/p>\n \u4e00\u53e5\u8bdd\u6728\u9a6c\u53ef\u4ee5\u9690\u85cf\u8fdbpng\u6587\u4ef6\uff0c\u8fd9\u4e3b\u8981\u662f\u5229\u7528\u4e86\u4e00\u79cd\u53eb\u505a\u9690\u5199\u672f\u7684\u6280\u672f\u3002\u9690\u5199\u672f\u662f\u4e00\u79cd\u53ef\u4ee5\u5728\u56fe\u50cf\u6216\u5176\u4ed6\u6587\u4ef6\u4e2d\u9690\u85cf\u6570\u636e\u7684\u6280\u672f\uff0c\u4f8b\u5982\u5728\u56fe\u50cf\u6587\u4ef6\u4e2d\u52a0\u5165\u9690\u85cf\u7684\u6807\u7b7e\u4fe1\u606f\u3002<\/p>\n \u5728\u8fd9\u79cd\u60c5\u51b5\u4e0b\uff0c\u6076\u610f\u4ee3\u7801\uff08\u4f8b\u5982\u4e00\u53e5\u8bdd\u6728\u9a6c\uff09\u53ef\u4ee5\u88ab\u5d4c\u5165\u5230\u56fe\u50cf\u6587\u4ef6\uff08\u5982PNG\uff09\u4e2d\uff0c\u7136\u540e\u8fd9\u4e2a\u6587\u4ef6\u53ef\u4ee5\u88ab\u4e0a\u4f20\u5230\u670d\u52a1\u5668\u3002\u5982\u679c\u670d\u52a1\u5668\u914d\u7f6e\u4e86\u67d0\u4e9b\u89c4\u5219\uff08\u4f8b\u5982.htaccess\u7b49\uff09\uff0c\u53ef\u4ee5\u5c06\u8fd9\u4e2a\u56fe\u50cf\u6587\u4ef6\u89e3\u6790\u4e3aPHP\u6216\u8005ASP\u6587\u4ef6\uff0c\u4ece\u800c\u8fbe\u5230\u6267\u884c\u56fe\u7247\u5185\u4ee3\u7801\u7684\u76ee\u7684\u3002<\/p>\n<\/blockquote>\n \u5c1d\u8bd5\u4f7f\u7528\u83dc\u5200\u8fde\u63a5\uff1a\u4f46\u662f\u5931\u8d25\u4e86\uff0c\u67e5\u770b\u4e00\u4e0b\uff1a<\/p>\n \u53ef\u80fd\u662f\u88ab\u62e6\u622a\u4e86\uff1f\u5c1d\u8bd5\u4f7f\u7528php\u53cd\u5f39shell\uff0c\u7136\u540e\u901a\u8fc7\u6293\u5305\u6539\u5305\u8fdb\u884c\u4e0a\u4f20\uff1a<\/p>\n \u4f7f\u7528\u63d2\u4ef6\u751f\u6210\u4e00\u4e2ashell\uff1a<\/p>\n \u7136\u540e\u4e0a\u4f20\uff0c\u6293\u5305\u6539\u5305\uff0c\u8fd9\u91cc\u5df2\u7ecf\u67e5\u770b\u4e86\u4e0d\u662f\u524d\u7aef\u9a8c\u8bc1\u4e86\uff1a<\/p>\n \u8bbf\u95ee\u4e00\u4e0b\uff0c\u770b\u770b\u80fd\u4e0d\u80fd\u770b\u5230\uff1a<\/p>\n \u6b63\u5e38\u53cd\u5f39\u4e86\u4e00\u4e2ashell\u4e0a\u53bb\u4e86\uff0c\u5c1d\u8bd5\u770b\u4e00\u4e0b\u57fa\u7840\u6f0f\u6d1e\u6709\u6ca1\u6709\uff1a<\/p>\n \u6ca1\u6709\u6211\u4eec\u60f3\u8981\u7684\u3002<\/p>\n \u6ca1\u6709\u76f8\u5e94\u5e93\u65e0\u6cd5\u63d0\u6743\u3002<\/p>\n \u641c\u7d22\u4e00\u4e0b\u76f8\u5173\u6f0f\u6d1e\uff1a<\/p>\n \u5c1d\u8bd5\u4e00\u4e0b\u8fd9\u4e2a\uff1a<\/p>\n \u770b\u6765\u5931\u8d25\u4e86\uff0c\u6362\u4e00\u4e2a\uff1a<\/p>\n.ova<\/code>\u6587\u4ef6\uff0c\u4ee5\u9632bug\uff0c\u91c7\u7528virtualbox<\/code>\u6253\u5f00\uff1a<\/p>\n![\"image-20240131181756354\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202401312347423.png\")
<\/div><\/p>\nvmui<\/code>\u7684\u9519\u8bef\uff0c\u5148\u53f3\u952e\u8fdb\u884c\u5347\u7ea7\u518d\u6253\u5f00\u8bd5\u8bd5\uff1a<\/p>\n![\"image-20240131183815341\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202401312347425.png\")
<\/div><\/p>\n![\"image-20240131183903786\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202401312347426.png\")
<\/div><\/p>\nide 1:0<\/code>\u65ad\u5f00\u8fde\u63a5\u7684\u62a5\u9519\uff0c\u6ca1\u7ba1\u5b83\uff0c\u5148\u770b\u770b\u80fd\u4e0d\u80fd\u6b63\u5e38\u5de5\u4f5c\uff0c\u8fd8\u662f\u4e0d\u884c\uff0c\u5220\u9664\u7f51\u5361\u91cd\u65b0\u6dfb\u52a0\u8bd5\u8bd5\uff0c\u4e0d\u884c\u3002\u3002\u3002\u3002\u6309\u7167\u4f5c\u8005\u8bf4\u7684\u66f4\u6539\u4e00\u4e0bmac\u5730\u5740\u8bd5\u4e00\u4e0b\uff1a<\/p>\n![\"image-20240131190350523\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202401312347427.png\")
<\/div><\/p>\n![\"image-20240131190503613\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202401312347428.png\")
<\/div><\/p>\n![\"image-20240131190545653\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202401312347429.png\")
<\/div><\/p>\n![\"image-20240131190628013\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202401312347430.png\")
<\/div><\/p>\n\u4fe1\u606f\u641c\u96c6<\/h2>\n
wappalyzer<\/code>\u770b\u4e00\u4e0b\u670d\u52a1\u5668\u76f8\u5173\u914d\u7f6e\uff1a<\/p>\n![\"image-20240131190739131\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202401312347431.png\")
<\/div><\/p>\n<!-- Welcome to #Fristleaks, a quick hackme VM by @Ar0xA\n\nGoal: get UID 0 (root) and read the special flag file.\nTimeframe: should be doable in 4 hours.\n-->\n<html>\n<body bgcolor="#FF69B4">\n<br \/>\n<center><h1> The <a href="https:\/\/twitter.com\/search?q=%23fristileaks">#fristileaks<\/a> motto:<\/h1> <\/center>\n<center> <img src="images\/keep-calm.png" \/> <\/center>\n<br \/>\nFristileaks 2015-12-11 are:<br> \n@meneer, @barrebas, @rikvduijn, @wez3forsec, @PyroBatNL, @0xDUDE, @annejanbrouwer, @Sander2121, Reinierk, @DearCharles, @miamat, MisterXE, BasB, Dwight, Egeltje, @pdersjant, @tcp130x10, @spierenburg, @ielmatani, @renepieters, Mystery guest, @EQ_uinix, @WhatSecurity, @mramsmeets, @Ar0xA\n<\/body>\n<\/html><\/code><\/pre>\nimage<\/code>\u770b\u770b\u80fd\u4e0d\u80fd\u770b\u5230\uff0c\u4e0d\u884c\uff0c\u67e5\u770b\u4e00\u4e0b\u94ed\u611f\u76ee\u5f55\uff0c\u5982 robots.txt \u7b49\u3002<\/p>\n![\"image-20240131191011179\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202401312347432.png\")
<\/div><\/p>\n![\"image-20240131191048601\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202401312347433.png\")
<\/div>
\n![\"image-20240131191107777\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202401312347434.png\")
<\/div>
\n![\"image-20240131191132156\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202401312347435.png\")
<\/div><\/p>\n\u7aef\u53e3\u626b\u63cf<\/h3>\n
rustscan -a 192.168.244.145\n# .----. .-. .-. .----..---. .----. .---. .--. .-. .-.\n# | {} }| { } |{ {__ {_ _}{ {__ \/ ___} \/ {} \\ | `| |\n# | .-. \\| {_} |.-._} } | | .-._} }\\ }\/ \/\\ \\| |\\ |\n# `-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'\n# The Modern Day Port Scanner.\n# ________________________________________\n# : https:\/\/discord.gg\/GFrQsGy :\n# : https:\/\/github.com\/RustScan\/RustScan :\n# --------------------------------------\n# Nmap? More like slowmap.\ud83d\udc22\n\n# [~] The config file is expected to be at "\/root\/.rustscan.toml"\n# [!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers\n# [!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'. \n# Open 192.168.244.145:80\n# [~] Starting Script(s)\n# [>] Script to be run Some("nmap -vvv -p {{port}} {{ip}}")\n\n# [~] Starting Nmap 7.94SVN ( https:\/\/nmap.org ) at 2024-01-31 06:22 EST\n# Initiating ARP Ping Scan at 06:22\n# Scanning 192.168.244.145 [1 port]\n# Completed ARP Ping Scan at 06:22, 0.04s elapsed (1 total hosts)\n# Initiating Parallel DNS resolution of 1 host. at 06:22\n# Completed Parallel DNS resolution of 1 host. at 06:22, 0.21s elapsed\n# DNS resolution of 1 IPs took 0.21s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]\n# Initiating SYN Stealth Scan at 06:22\n# Scanning 192.168.244.145 [1 port]\n# Discovered open port 80\/tcp on 192.168.244.145\n# Completed SYN Stealth Scan at 06:22, 0.02s elapsed (1 total ports)\n# Nmap scan report for 192.168.244.145\n# Host is up, received arp-response (0.00054s latency).\n# Scanned at 2024-01-31 06:22:21 EST for 0s\n\n# PORT STATE SERVICE REASON\n# 80\/tcp open http syn-ack ttl 64\n# MAC Address: 08:00:27:A5:A6:76 (Oracle VirtualBox virtual NIC)\n\n# Read data files from: \/usr\/bin\/..\/share\/nmap\n# Nmap done: 1 IP address (1 host up) scanned in 0.41 seconds\n# Raw packets sent: 2 (72B) | Rcvd: 2 (72B)<\/code><\/pre>\nmasscan --rate=100000 -p 0-65535 192.168.244.145\n# Starting masscan 1.3.2 (http:\/\/bit.ly\/14GZzcT) at 2024-01-31 11:26:19 GMT\n# Initiating SYN Stealth Scan\n# Scanning 1 hosts [65536 ports\/host]\n# Discovered open port 80\/tcp on 192.168.244.145<\/code><\/pre>\nnmap -T4 -sV 192.168.244.145 -p 80\n# Starting Nmap 7.94SVN ( https:\/\/nmap.org ) at 2024-01-31 06:28 EST\n# Stats: 0:00:09 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan\n# Service scan Timing: About 0.00% done\n# Nmap scan report for 192.168.244.145\n# Host is up (0.00049s latency).\n\n# PORT STATE SERVICE VERSION\n# 80\/tcp open http Apache httpd 2.2.15 ((CentOS) DAV\/2 PHP\/5.3.3)\n# MAC Address: 08:00:27:A5:A6:76 (Oracle VirtualBox virtual NIC)\n\n# Service detection performed. Please report any incorrect results at https:\/\/nmap.org\/submit\/ .\n# Nmap done: 1 IP address (1 host up) scanned in 9.25 seconds<\/code><\/pre>\n\u76ee\u5f55\u626b\u63cf<\/h3>\n
dirb http:\/\/192.168.244.145\n# ---- Scanning URL: http:\/\/192.168.244.145\/ ----\n# + http:\/\/192.168.244.145\/cgi-bin\/ (CODE:403|SIZE:210) \n# ==> DIRECTORY: http:\/\/192.168.244.145\/images\/ \n# + http:\/\/192.168.244.145\/index.html (CODE:200|SIZE:703) \n# + http:\/\/192.168.244.145\/robots.txt (CODE:200|SIZE:62) <\/code><\/pre>\ngobuster<\/code>\u626b\u4e00\u4e0b\u8bd5\u8bd5\u770b\uff0c\u548cdirb\u626b\u51fa\u6765\u7684\u7ed3\u679c\u5dee\u4e0d\u591a\uff1a<\/p>\n![\"image-20240131194048296\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202401312347436.png\")
<\/div><\/p>\n\u7f51\u9875\u6307\u7eb9\u8bc6\u522b<\/h3>\n
whatweb http:\/\/192.168.244.145\n# http:\/\/192.168.244.145 [200 OK] Apache[2.2.15], Country[RESERVED][ZZ], HTTPServer[CentOS][Apache\/2.2.15 (CentOS) DAV\/2 PHP\/5.3.3], IP[192.168.244.145], PHP[5.3.3], WebDAV[2]<\/code><\/pre>\n\u6f0f\u6d1e\u6316\u6398<\/h2>\n
![\"image-20240131194625214\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202401312347437.png\")
<\/div><\/p>\nFristi<\/code>\u770b\u770b\u662f\u5565\uff1a<\/p>\n![\"image-20240131194723847\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202401312347438.png\")
<\/div><\/p>\n![\"image-20240131194825619\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202401312347439.png\")
<\/div><\/p>\nbase64\u89e3\u5bc6\u8f6c\u4e3a\u56fe\u7247<\/h3>\n
![\"image-20240131195139330\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202401312347440.png\")
<\/div><\/p>\n# POST:myusername=adb&mypassword=acd\nsqlmap -u http:\/\/192.168.244.145\/fristi --data "myusername=adb&mypassword=acd" --method POST<\/code><\/pre>\n![\"image-20240131200250447\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202401312347441.png\")
<\/div><\/p>\nbase64<\/code>\u5bc6\u6587\uff08\u731c\u6d4b\u662f\u7684\uff09\uff1a<\/p>\n![\"image-20240131200823854\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202401312347442.png\")
<\/div><\/p>\nkeKkeKKeKKeKkEkkEk<\/code>\uff0c\u4e0a\u9762\u7684\u94fe\u63a5\u5176\u5b9e\u4e5f\u5f88\u53ef\u7591\uff0c\u4f46\u662f\u6211\u627e\u4e0d\u5230\u6709\u5565\u529e\u6cd5\uff0c\u4e0a\u9762\u8fd8\u6709\u4e2a\u63d0\u793a\uff1a<\/p>\n![\"image-20240131201052875\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202401312347443.png\")
<\/div><\/p>\neezeepz<\/code>\u770b\u770b\u80fd\u4e0d\u80fd\u8fdb\u5165\uff1a<\/p>\n![\"image-20240131201247264\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202401312347444.png\")
<\/div><\/p>\n\u5c1d\u8bd5\u4e0a\u4f20\u4e00\u53e5\u8bdd\u56fe\u7247\u9a6c<\/h3>\n
![\"image-20240131202128953\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202401312347445.png\")
<\/div><\/p>\n\n
![\"image-20240131202405192\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202401312347446.png\")
<\/div><\/p>\n![\"image-20240131212446706\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202401312347447.png\")
<\/div><\/p>\n\u5c1d\u8bd5php\u53cd\u5f39shell<\/h3>\n
![\"image-20240131212857463\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202401312347448.png\")
<\/div><\/p>\n![\"image-20240131213408499\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202401312347450.png\")
<\/div><\/p>\n![\"image-20240131213755700\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202401312347451.png\")
<\/div><\/p>\n\u5c1d\u8bd5SUID\u63d0\u6743<\/h3>\n
sh-4.1$ find \/ -perm -u=s -type f 2>\/dev\/null\n# \/bin\/mount\n# \/bin\/fusermount\n# \/bin\/umount\n# \/bin\/su\n# \/bin\/ping\n# \/bin\/ping6\n# \/sbin\/pam_timestamp_check\n# \/sbin\/unix_chkpwd\n# \/usr\/bin\/crontab\n# \/usr\/bin\/chsh\n# \/usr\/bin\/sudo\n# \/usr\/bin\/chfn\n# \/usr\/bin\/newgrp\n# \/usr\/bin\/chage\n# \/usr\/bin\/gpasswd\n# \/usr\/bin\/passwd\n# \/usr\/libexec\/openssh\/ssh-keysign\n# \/usr\/libexec\/pt_chown\n# \/usr\/sbin\/suexec\n# \/usr\/sbin\/usernetctl<\/code><\/pre>\n\u5c1d\u8bd5UDF\u63d0\u6743<\/h3>\n
whereis lib_mysqludf_sys.so\n# whereis lib_mysqludf_sys.so\n# lib_mysqludf_sys:<\/code><\/pre>\n\u67e5\u770b\u5185\u6838\u4fe1\u606f<\/h3>\n
sh-4.1$ uname -a\n# uname -a\n# Linux localhost.localdomain 2.6.32-573.8.1.el6.x86_64 #1 SMP Tue Nov 10 18:01:38 UTC 2015 x86_64 x86_64 x86_64 GNU\/Linux<\/code><\/pre>\n![\"image-20240131214729975\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202401312347452.png\")
<\/div><\/p>\n![\"image-20240131215048380\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202401312347453.png\")
<\/div><\/p>\n
![\"image-20240131215428825\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202401312347454.png\")
<\/div><\/p>\n![\"image-20240131215639129\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202401312347455.png\")
<\/div><\/p>\n![\"image-20240131220026246\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202401312347456.png\")
<\/div><\/p>\n![\"image-20240131224407951\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202401312347457.png\")
<\/div><\/p>\n![\"image-20240131224829825\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202401312347458.png\")
<\/div><\/p>\n![\"image-20240131225054712\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202401312347459.png\")
<\/div><\/p>\n![\"image-20240131225339129\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202401312347460.png\")
<\/div><\/p>\n![\"image-20240131225546188\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202401312347461.png\")
<\/div>![\"image-20240131225613846\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202401312347462.png\")
<\/div><\/p>\n![\"image-20240131225910889\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202401312347463.png\")
<\/div><\/p>\n![\"image-20240131231632041\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202401312347464.png\")
<\/div><\/p>\n![\"image-20240131232748575\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202401312347465.png\")
<\/div><\/p>\n![\"image-20240131232854115\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202401312347466.png\")
<\/div><\/p>\n![\"image-20240131234628053\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202401312347467.png\")
<\/div><\/p>\n