![\"image-20240418131317889\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404202352827.png\")
<\/div>\n
![\"image-20240418131453754\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404202352828.png\")
<\/div><\/p>\n\u4fe1\u606f\u641c\u96c6<\/h2>\n\u7aef\u53e3\u626b\u63cf<\/h3>\nrustscan -a 192.168.0.139 -- -A\n\nOpen 192.168.0.139:80\n\nPORT STATE SERVICE REASON VERSION\n80\/tcp open http syn-ack Apache httpd 2.4.38 ((Debian))\n|_http-title: Access system\n| http-methods: \n|_ Supported Methods: GET HEAD POST OPTIONS\n|_http-server-header: Apache\/2.4.38 (Debian)<\/code><\/pre>\n\u76ee\u5f55\u626b\u63cf<\/h3>\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/learn2code]\n\u2514\u2500$ gobuster dir -u http:\/\/192.168.0.139 -w \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt -x php,zip,git,jpg,txt,png\n===============================================================\nGobuster v3.6\nby OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)\n===============================================================\n[+] Url: http:\/\/192.168.0.139\n[+] Method: GET\n[+] Threads: 10\n[+] Wordlist: \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt\n[+] Negative Status codes: 404\n[+] User Agent: gobuster\/3.6\n[+] Extensions: png,php,zip,git,jpg,txt\n[+] Timeout: 10s\n===============================================================\nStarting gobuster in directory enumeration mode\n===============================================================\n\/index.php (Status: 200) [Size: 1161]\n\/.php (Status: 403) [Size: 278]\n\/includes (Status: 301) [Size: 317] [--> http:\/\/192.168.0.139\/includes\/]\n\/todo.txt (Status: 200) [Size: 51]\n\/.php (Status: 403) [Size: 278]\n\/server-status (Status: 403) [Size: 278]\nProgress: 1543920 \/ 1543927 (100.00%)\n===============================================================\nFinished\n===============================================================<\/code><\/pre>\n\u6f0f\u6d1e\u53d1\u73b0<\/h2>\n\u8e29\u70b9<\/h3>\n
![\"image-20240418131631863\"](\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\")
<\/div>
\n<\/div>
\n<\/div><\/p>\n\u67e5\u770b\u654f\u611f\u76ee\u5f55<\/h3>\nhttp:\/\/192.168.0.139\/todo.txt<\/code><\/pre>\n******* Remember to delete the bak files!! *******<\/code><\/pre>\n\u91cd\u65b0\u626b\u63cf\uff0c\u5c1d\u8bd5\u627e\u5230\u8fd9\u4e2abak\u3002<\/p>\n
\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/learn2code]\n\u2514\u2500$ gobuster dir -u http:\/\/192.168.0.139 -w \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt -x bak \n===============================================================\nGobuster v3.6\nby OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)\n===============================================================\n[+] Url: http:\/\/192.168.0.139\n[+] Method: GET\n[+] Threads: 10\n[+] Wordlist: \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt\n[+] Negative Status codes: 404\n[+] User Agent: gobuster\/3.6\n[+] Extensions: bak\n[+] Timeout: 10s\n===============================================================\nStarting gobuster in directory enumeration mode\n===============================================================\n\/includes (Status: 301) [Size: 317] [--> http:\/\/192.168.0.139\/includes\/]\n\/server-status (Status: 403) [Size: 278]\nProgress: 441120 \/ 441122 (100.00%)\n===============================================================\nFinished\n===============================================================<\/code><\/pre>\n\u641c\u7d22\u654f\u611f\u76ee\u5f55\uff1a<\/p>\n
<\/div>
\n<\/div>
\n<\/div><\/p>\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/learn2code]\n\u2514\u2500$ wget http:\/\/192.168.0.139\/includes\/php\/access.php.bak \n--2024-04-18 01:26:48-- http:\/\/192.168.0.139\/includes\/php\/access.php.bak\nConnecting to 192.168.0.139:80... connected.\nHTTP request sent, awaiting response... 200 OK\nLength: 319 [application\/x-trash]\nSaving to: \u2018access.php.bak\u2019\n\naccess.php.bak 100%[=========================================================================>] 319 --.-KB\/s in 0s \n\n2024-04-18 01:26:48 (49.8 MB\/s) - \u2018access.php.bak\u2019 saved [319\/319]\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/learn2code]\n\u2514\u2500$ cat access.php.bak \n<?php\n require_once 'GoogleAuthenticator.php';\n $ga = new PHPGangsta_GoogleAuthenticator();\n $secret = "S4I22IG3KHZIGQCJ";\n\n if ($_POST['action'] == 'check_code') {\n $code = $_POST['code'];\n $result = $ga->verifyCode($secret, $code, 1);\n\n if ($result) {\n include('coder.php');\n } else {\n echo "wrong";\n }\n }\n?> <\/code><\/pre>\nhttp:\/\/192.168.0.139\/includes\/php\/coder.php<\/code><\/pre>\nDon't be a cheater!<\/code><\/pre>\nhttp:\/\/192.168.0.139\/includes\/php\/runcode.php<\/code><\/pre>\nDon't be a cheater!<\/code><\/pre>\n\u5c1d\u8bd5fuzz\u4e00\u4e0b\uff1a<\/p>\n
\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/learn2code]\n\u2514\u2500$ ffuf -u http:\/\/192.168.0.139\/FUZZ -w \/usr\/share\/wordlists\/dirb\/common.txt -e .bak\n\n \/'___\\ \/'___\\ \/'___\\ \n \/\\ \\__\/ \/\\ \\__\/ __ __ \/\\ \\__\/ \n \\ \\ ,__\\\\ \\ ,__\\\/\\ \\\/\\ \\ \\ \\ ,__\\ \n \\ \\ \\_\/ \\ \\ \\_\/\\ \\ \\_\\ \\ \\ \\ \\_\/ \n \\ \\_\\ \\ \\_\\ \\ \\____\/ \\ \\_\\ \n \\\/_\/ \\\/_\/ \\\/___\/ \\\/_\/ \n\n v2.1.0-dev\n________________________________________________\n\n :: Method : GET\n :: URL : http:\/\/192.168.0.139\/FUZZ\n :: Wordlist : FUZZ: \/usr\/share\/wordlists\/dirb\/common.txt\n :: Extensions : .bak \n :: Follow redirects : false\n :: Calibration : false\n :: Timeout : 10\n :: Threads : 40\n :: Matcher : Response status: 200-299,301,302,307,401,403,405,500\n________________________________________________\n\n [Status: 200, Size: 1161, Words: 49, Lines: 33, Duration: 2ms]\n.htpasswd [Status: 403, Size: 278, Words: 20, Lines: 10, Duration: 1ms]\n.htaccess.bak [Status: 403, Size: 278, Words: 20, Lines: 10, Duration: 1ms]\n.htaccess [Status: 403, Size: 278, Words: 20, Lines: 10, Duration: 2ms]\n.hta.bak [Status: 403, Size: 278, Words: 20, Lines: 10, Duration: 2ms]\n.hta [Status: 403, Size: 278, Words: 20, Lines: 10, Duration: 2ms]\n.htpasswd.bak [Status: 403, Size: 278, Words: 20, Lines: 10, Duration: 243ms]\nincludes [Status: 301, Size: 317, Words: 20, Lines: 10, Duration: 1ms]\nindex.php [Status: 200, Size: 1161, Words: 49, Lines: 33, Duration: 0ms]\nserver-status [Status: 403, Size: 278, Words: 20, Lines: 10, Duration: 1ms]\n:: Progress: [9228\/9228] :: Job [1\/1] :: 53 req\/sec :: Duration: [0:00:04] :: Errors: 0 ::<\/code><\/pre>\nGoogleAuthenticator<\/h3>\n
<\/div><\/p>\n
rustscan -a 192.168.0.139 -- -A\n\nOpen 192.168.0.139:80\n\nPORT STATE SERVICE REASON VERSION\n80\/tcp open http syn-ack Apache httpd 2.4.38 ((Debian))\n|_http-title: Access system\n| http-methods: \n|_ Supported Methods: GET HEAD POST OPTIONS\n|_http-server-header: Apache\/2.4.38 (Debian)<\/code><\/pre>\n\u76ee\u5f55\u626b\u63cf<\/h3>\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/learn2code]\n\u2514\u2500$ gobuster dir -u http:\/\/192.168.0.139 -w \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt -x php,zip,git,jpg,txt,png\n===============================================================\nGobuster v3.6\nby OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)\n===============================================================\n[+] Url: http:\/\/192.168.0.139\n[+] Method: GET\n[+] Threads: 10\n[+] Wordlist: \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt\n[+] Negative Status codes: 404\n[+] User Agent: gobuster\/3.6\n[+] Extensions: png,php,zip,git,jpg,txt\n[+] Timeout: 10s\n===============================================================\nStarting gobuster in directory enumeration mode\n===============================================================\n\/index.php (Status: 200) [Size: 1161]\n\/.php (Status: 403) [Size: 278]\n\/includes (Status: 301) [Size: 317] [--> http:\/\/192.168.0.139\/includes\/]\n\/todo.txt (Status: 200) [Size: 51]\n\/.php (Status: 403) [Size: 278]\n\/server-status (Status: 403) [Size: 278]\nProgress: 1543920 \/ 1543927 (100.00%)\n===============================================================\nFinished\n===============================================================<\/code><\/pre>\n\u6f0f\u6d1e\u53d1\u73b0<\/h2>\n\u8e29\u70b9<\/h3>\n
<\/div>
\n<\/div>
\n<\/div><\/p>\n\u67e5\u770b\u654f\u611f\u76ee\u5f55<\/h3>\nhttp:\/\/192.168.0.139\/todo.txt<\/code><\/pre>\n******* Remember to delete the bak files!! *******<\/code><\/pre>\n\u91cd\u65b0\u626b\u63cf\uff0c\u5c1d\u8bd5\u627e\u5230\u8fd9\u4e2abak\u3002<\/p>\n
\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/learn2code]\n\u2514\u2500$ gobuster dir -u http:\/\/192.168.0.139 -w \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt -x bak \n===============================================================\nGobuster v3.6\nby OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)\n===============================================================\n[+] Url: http:\/\/192.168.0.139\n[+] Method: GET\n[+] Threads: 10\n[+] Wordlist: \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt\n[+] Negative Status codes: 404\n[+] User Agent: gobuster\/3.6\n[+] Extensions: bak\n[+] Timeout: 10s\n===============================================================\nStarting gobuster in directory enumeration mode\n===============================================================\n\/includes (Status: 301) [Size: 317] [--> http:\/\/192.168.0.139\/includes\/]\n\/server-status (Status: 403) [Size: 278]\nProgress: 441120 \/ 441122 (100.00%)\n===============================================================\nFinished\n===============================================================<\/code><\/pre>\n\u641c\u7d22\u654f\u611f\u76ee\u5f55\uff1a<\/p>\n
<\/div>
\n<\/div>
\n<\/div><\/p>\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/learn2code]\n\u2514\u2500$ wget http:\/\/192.168.0.139\/includes\/php\/access.php.bak \n--2024-04-18 01:26:48-- http:\/\/192.168.0.139\/includes\/php\/access.php.bak\nConnecting to 192.168.0.139:80... connected.\nHTTP request sent, awaiting response... 200 OK\nLength: 319 [application\/x-trash]\nSaving to: \u2018access.php.bak\u2019\n\naccess.php.bak 100%[=========================================================================>] 319 --.-KB\/s in 0s \n\n2024-04-18 01:26:48 (49.8 MB\/s) - \u2018access.php.bak\u2019 saved [319\/319]\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/learn2code]\n\u2514\u2500$ cat access.php.bak \n<?php\n require_once 'GoogleAuthenticator.php';\n $ga = new PHPGangsta_GoogleAuthenticator();\n $secret = "S4I22IG3KHZIGQCJ";\n\n if ($_POST['action'] == 'check_code') {\n $code = $_POST['code'];\n $result = $ga->verifyCode($secret, $code, 1);\n\n if ($result) {\n include('coder.php');\n } else {\n echo "wrong";\n }\n }\n?> <\/code><\/pre>\nhttp:\/\/192.168.0.139\/includes\/php\/coder.php<\/code><\/pre>\nDon't be a cheater!<\/code><\/pre>\nhttp:\/\/192.168.0.139\/includes\/php\/runcode.php<\/code><\/pre>\nDon't be a cheater!<\/code><\/pre>\n\u5c1d\u8bd5fuzz\u4e00\u4e0b\uff1a<\/p>\n
\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/learn2code]\n\u2514\u2500$ ffuf -u http:\/\/192.168.0.139\/FUZZ -w \/usr\/share\/wordlists\/dirb\/common.txt -e .bak\n\n \/'___\\ \/'___\\ \/'___\\ \n \/\\ \\__\/ \/\\ \\__\/ __ __ \/\\ \\__\/ \n \\ \\ ,__\\\\ \\ ,__\\\/\\ \\\/\\ \\ \\ \\ ,__\\ \n \\ \\ \\_\/ \\ \\ \\_\/\\ \\ \\_\\ \\ \\ \\ \\_\/ \n \\ \\_\\ \\ \\_\\ \\ \\____\/ \\ \\_\\ \n \\\/_\/ \\\/_\/ \\\/___\/ \\\/_\/ \n\n v2.1.0-dev\n________________________________________________\n\n :: Method : GET\n :: URL : http:\/\/192.168.0.139\/FUZZ\n :: Wordlist : FUZZ: \/usr\/share\/wordlists\/dirb\/common.txt\n :: Extensions : .bak \n :: Follow redirects : false\n :: Calibration : false\n :: Timeout : 10\n :: Threads : 40\n :: Matcher : Response status: 200-299,301,302,307,401,403,405,500\n________________________________________________\n\n [Status: 200, Size: 1161, Words: 49, Lines: 33, Duration: 2ms]\n.htpasswd [Status: 403, Size: 278, Words: 20, Lines: 10, Duration: 1ms]\n.htaccess.bak [Status: 403, Size: 278, Words: 20, Lines: 10, Duration: 1ms]\n.htaccess [Status: 403, Size: 278, Words: 20, Lines: 10, Duration: 2ms]\n.hta.bak [Status: 403, Size: 278, Words: 20, Lines: 10, Duration: 2ms]\n.hta [Status: 403, Size: 278, Words: 20, Lines: 10, Duration: 2ms]\n.htpasswd.bak [Status: 403, Size: 278, Words: 20, Lines: 10, Duration: 243ms]\nincludes [Status: 301, Size: 317, Words: 20, Lines: 10, Duration: 1ms]\nindex.php [Status: 200, Size: 1161, Words: 49, Lines: 33, Duration: 0ms]\nserver-status [Status: 403, Size: 278, Words: 20, Lines: 10, Duration: 1ms]\n:: Progress: [9228\/9228] :: Job [1\/1] :: 53 req\/sec :: Duration: [0:00:04] :: Errors: 0 ::<\/code><\/pre>\nGoogleAuthenticator<\/h3>\n
<\/div><\/p>\n
![\"image-20240418131631863\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404202352829.png\")
<\/div>![\"image-20240418131640776\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404202352830.png\")
<\/div>![\"image-20240418131704529\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404202352831.png\")
<\/div><\/p>\n![\"image-20240418132523287\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404202352832.png\")
<\/div>![\"image-20240418132552442\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404202352833.png\")
<\/div>![\"image-20240418132607533\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404202352834.png\")
<\/div><\/p>\n![\"image-20240420153041477\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404202352835.png\")
<\/div><\/p>\n![\"image-20240420154911538\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404202352836.png\")
<\/div>![\"image-20240420154936021\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404202352837.png\")
<\/div><\/p>\n![\"image-20240420161705171\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404202352838.png\")
<\/div><\/p>\n![\"image-20240420163658652\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404202352839.png\")
<\/div><\/p>\n![\"image-20240420171032153\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404202352840.png\")
<\/div>![\"image-20240420171109280\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404202352841.png\")
<\/div><\/p>\n![\"image-20240420171237405\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404202352842.png\")
<\/div><\/p>\n![\"image-20240420174153765\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404202352843.png\")
<\/div><\/p>\n![\"image-20240420175715938\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404202352844.png\")
<\/div><\/p>\n![\"image-20240420191648559\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404202352845.png\")
<\/div><\/p>\n![\"image-20240420234438401\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404202352846.png\")
<\/div><\/p>\n