https:\/\/www.runoob.com\/http\/http-content-type.html<\/a><\/p>\n![\"1746003589691-9eccee30-6a0a-45b6-ba9c-0b4b93f5aad7.png\"](\"https:\/\/www.youvii.site\/wp-content\/themes\/lolimeow-lolimeowV13.13\/assets\/images\/loading.gif\")
<\/p>\n
\u4fee\u6539\u540e Content-Type: image\/jpeg<\/p>\n
<\/p>\n
\u7ed5\u8fc7\u9ed1\u540d\u5355\u4e0a\u4f20<\/h2>\n
\u4e0a\u4f20\u6a21\u5757\uff0c\u6709\u65f6\u5019\u4f1a\u5199\u6210\u9ed1\u540d\u5355\u9650\u5236\uff0c\u5728\u4e0a\u4f20\u6587\u4ef6\u7684\u65f6\u83b7\u53d6\u540e\u7f00\u540d\uff0c\u518d\u628a\u540e\u7f00\u540d\u4e0e\u7a0b\u5e8f\u4e2d\u9ed1\u540d\u5355\u8fdb\u884c\u68c0\u6d4b\uff0c\u5982\u679c\u540e\u7f00\u540d\u5728\u9ed1\u540d\u5355\u7684\u5217\u8868\u5185\uff0c\u6587\u4ef6\u5c06\u7981\u6b62\u6587\u4ef6\u4e0a\u4f20\u3002<\/p>\n
\u9ed1\u540d\u5355\u4ee3\u7801\u5206\u6790<\/h3>\n
\u9996\u5148\u662f\u68c0\u6d4b submit \u662f\u5426\u6709\u503c\uff0c\u83b7\u53d6\u6587\u4ef6\u7684\u540e\u7f00\u540d\uff0c\u8fdb\u884c\u9ed1\u540d\u5355\u5bf9\u6bd4\uff0c\u540e\u7f00\u540d\u4e0d\u5728\u9ed1\u540d\u5355\u5185\uff0c\u5141\u8bb8\u4e0a\u4f20\u3002<\/p>\n
<\/p>\n
\u7ed5\u8fc7\u9ed1\u540d\u5355\u4e0a\u4f20\u7684\u653b\u51fb<\/h3>\n
\u4e0a\u4f20\u56fe\u7247\u65f6\uff0c\u5982\u679c\u63d0\u793a\u4e0d\u5141\u8bb8 php\u3001asp \u8fd9\u79cd\u4fe1\u606f\u63d0\u793a\uff0c\u53ef\u5224\u65ad\u4e3a\u9ed1\u540d\u5355\u9650\u5236\uff0c\u4e0a\u4f20\u9ed1\u540d\u5355\u4ee5\u5916\u7684\u540e\u7f00\u540d\u5373\u53ef\u3002<\/p>\n
\u5728 iis \u91cc asp \u7981\u6b62\u4e0a\u4f20\u4e86\uff0c\u53ef\u4ee5\u4e0a\u4f20 asa cer cdx \u8fd9\u4e9b\u540e\u7f00\uff0c\u5982\u5728\u7f51\u7ad9\u91cc\u5141\u8bb8.net\u6267\u884c \u53ef\u4ee5\u4e0a\u4f20 ashx \u4ee3\u66ff aspx\u3002\u5982\u679c\u7f51\u7ad9\u53ef\u4ee5\u6267\u884c\u8fd9\u4e9b\u811a\u672c\uff0c\u901a\u8fc7\u4e0a\u4f20\u540e\u95e8\u5373\u53ef\u83b7\u53d6 webshell\u3002<\/p>\n
\u5728\u4e0d\u540c\u7684\u4e2d\u95f4\u4ef6\u4e2d\u6709\u7279\u6b8a\u7684\u60c5\u51b5\uff0c\u5982\u679c\u5728 apache \u53ef\u4ee5\u5f00\u542f application\/x-httpd-php<\/p>\n
\u5728 AddType application\/x-httpd-php .php .phtml .php3\u540e\u7f00\u540d\u4e3a phtml \u3001php3 \u5747\u88ab\u89e3\u6790\u6210 php \u6709\u7684 apache \u7248\u672c\u9ed8\u8ba4\u5c31\u4f1a\u5f00\u542f\u3002\u4e0a\u4f20\u76ee\u6807\u4e2d\u95f4\u4ef6\u53ef\u652f\u6301\u7684\u73af\u5883\u7684\u8bed\u8a00\u811a\u672c\u5373\u53ef\uff0c\u5982.phtml\u3001php3\u3002<\/p>\n
<\/p>\n
htaccess\u91cd\u5199\u89e3\u6790\u7ed5\u8fc7\u4e0a\u4f20<\/h2>\n
\u4e0a\u4f20\u6a21\u5757\uff0c\u9ed1\u540d\u5355\u8fc7\u6ee4\u4e86\u6240\u6709\u7684\u80fd\u6267\u884c\u7684\u540e\u7f00\u540d,\u5982\u679c\u5141\u8bb8\u4e0a\u4f20.htaccess\u3002htaccess\u6587\u4ef6\u7684\u4f5c\u7528\u662f \u53ef\u4ee5\u5e2e\u6211\u4eec\u5b9e\u73b0\u5305\u62ec\uff1a\u6587\u4ef6\u5939\u5bc6\u7801\u4fdd\u62a4\u3001\u7528\u6237\u81ea\u52a8\u91cd\u5b9a\u5411\u3001\u81ea\u5b9a\u4e49\u9519\u8bef\u9875\u9762\u3001\u6539\u53d8\u4f60\u7684\u6587\u4ef6\u6269\u5c55\u540d\u3001\u5c01\u7981\u7279\u5b9a IP \u5730\u5740\u7684\u7528\u6237\u3001\u53ea\u5141\u8bb8\u7279\u5b9a IP \u5730\u5740\u7684\u7528\u6237\u3001\u7981\u6b62\u76ee\u5f55\u5217\u8868\uff0c\u4ee5\u53ca\u4f7f\u7528\u5176\u4ed6\u6587\u4ef6\u4f5c\u4e3a index \u6587\u4ef6\u7b49\u4e00\u4e9b\u529f\u80fd\u3002\u5728 htaccess \u91cc\u5199\u5165 SetHandler application\/x-httpd-php \u5219\u53ef\u4ee5\u6587\u4ef6\u91cd\u5199\u6210 php \u6587\u4ef6\u3002\u8981 htaccess \u7684\u89c4\u5219\u751f\u6548 \u5219\u9700\u8981\u5728 apache \u5f00\u542f rewrite \u91cd\u5199\u6a21\u5757\uff0c\u56e0\u4e3a apache\u662f\u591a\u6570\u90fd\u5f00\u542f\u8fd9\u4e2a\u6a21\u5757\uff0c\u6240\u4ee5\u89c4\u5219\u4e00\u822c\u90fd\u751f\u6548\u3002<\/p>\n
<\/p>\n
\u9ed1\u540d\u5355\u4e0a\u4f20\u4ee3\u7801\u5206\u6790<\/h3>\n
<\/p>\n
\u5982\u679c submit \u6709\u503c\uff0c$deny_ext =<\/p>\n
array(".php",".php5",".php4",".php3",".php2","php1",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2","pHp1",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf");<\/p>\n
\u4e0a\u4f20\u7684\u6587\u4ef6\u540e\u7f00\u540d\u5728\u5217\u8868\u5185\u7981\u6b62\u4e0a\u4f20\u3002\u5305\u62ec\u4e86\u6240\u6709\u7684\u6267\u884c\u811a\u672c\u3002<\/p>\n
htaccess\u91cd\u5199\u89e3\u6790\u653b\u51fb<\/h3>\n
\u4e0a\u4f20.htaccess \u5230\u7f51\u7ad9\u91cc.htaccess \u5185\u5bb9\u662f<\/p>\n
<FilesMatch "jpg"><\/p>\n
SetHandler application\/x-httpd-php<\/p>\n
<\/FilesMatch><\/p>\n
\u518d\u4e0a\u4f20\u6076\u610f\u7684 jpg \u5230.htaccess \u76f8\u540c\u76ee\u5f55\u91cc\uff0c\u8bbf\u95ee\u56fe\u7247\u5373\u53ef\u83b7\u53d6\u6267\u884c\u811a\u672c\u3002<\/p>\n
<\/p>\n
\u91cd\u70b9 fck \u7f16\u8f91\u5668<\/p>\n
\u5927\u5c0f\u5199\u7ed5\u8fc7\u4e0a\u4f20<\/h2>\n
\u6709\u7684\u4e0a\u4f20\u6a21\u5757 \u540e\u7f00\u540d\u91c7\u7528\u9ed1\u540d\u5355\u5224\u65ad\uff0c\u4f46\u662f\u6ca1\u6709\u5bf9\u540e\u7f00\u540d\u7684\u5927\u5c0f\u5199\u8fdb\u884c\u4e25\u683c\u5224\u65ad\uff0c\u5bfc\u81f4\u53ef\u4ee5\u66f4\u6539\u540e\u7f00\u5927\u5c0f\u5199\u53ef\u4ee5\u88ab\u7ed5\u8fc7\u3002\u5982 PHP\u3001 Php\u3001 phP\u3001pHp<\/p>\n
\u9ed1\u540d\u5355\u5927\u5c0f\u5199\u7ed5\u8fc7\u4ee3\u7801\u5206\u6790<\/h3>\n
<\/p>\n
\u83b7\u53d6\u6587\u4ef6\u540e\u7f00\u540d\u8fdb\u884c\u5224\u65ad\uff0c\u5982\u679c\u540e\u7f00\u5728\u8fd9\u4e2a\u5b57\u5178\u91cc\u5c31\u7981\u6b62\u4e0a\u4f20\u3002<\/p>\n
$deny_ext =<\/p>\n
array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");<\/p>\n
\u9ed1\u540d\u5355\u5927\u5c0f\u5199\u7ed5\u8fc7\u653b\u51fb<\/h3>\n
\u4ed4\u7ec6\u9605\u8bfb\u9ed1\u540d\u5355\uff0c\u67e5\u770b\u662f\u5426\u6709\u88ab\u5ffd\u7565\u7684\u540e\u7f00\u540d\uff0c\u5f53\u524d\u53ef\u4ee5\u4f7f\u7528 phP \u7ed5\u8fc7<\/p>\n
<\/p>\n
\u7a7a\u683c\u7ed5\u8fc7\u4e0a\u4f20<\/h2>\n
\u5728\u4e0a\u4f20\u6a21\u5757\u91cc\uff0c\u91c7\u7528\u9ed1\u540d\u5355\u4e0a\u4f20\uff0c\u5982\u679c\u6ca1\u6709\u5bf9\u7a7a\u683c\u8fdb\u884c\u53bb\u6389\u53ef\u80fd\u88ab\u7ed5\u8fc7<\/p>\n
\u7a7a\u683c\u7ed5\u8fc7\u4e0a\u4f20\u4ee3\u7801\u5206\u6790<\/h3>\n
\u68c0\u6d4b submit \u540e \u4e0a\u4f20\u76ee\u5f55\u5b58\u5728\u65f6\uff0c\u8fdb\u5165\u9ed1\u540d\u5355\u5224\u65ad\u3002\u5982\u679c\u6587\u4ef6\u540e\u7f00\u540d\u5728\u9ed1\u540d\u5355\u91cc\u3002\u4e0d\u5141\u8bb8\u4e0a\u4f20\uff0c\u4f46\u662f\u6587\u4ef6\u540e\u7f00\u540d\uff0c\u6ca1\u6709\u8fc7\u6ee4\u7a7a\u683c\uff0c\u53ef\u4ee5\u6dfb\u52a0\u7a7a\u683c\u7ed5\u8fc7\u3002<\/p>\n
\u7a7a\u683c\u7ed5\u8fc7\u4e0a\u4f20\u653b\u51fb<\/h3>\n
\u6293\u5305\u4e0a\u4f20\uff0c\u5728\u540e\u7f00\u540d\u540e\u6dfb\u52a0\u7a7a\u683c<\/p>\n
<\/p>\n
\u5229\u7528windows\u7cfb\u7edf\u7279\u5f81\u7ed5\u8fc7\u4e0a\u4f20<\/h2>\n
\u5728 windows \u4e2d\u6587\u4ef6\u540e\u7f00\u540d. \u7cfb\u7edf\u4f1a\u81ea\u52a8\u5ffd\u7565.\u6240\u4ee5 shell.php. \u50cf shell.php \u7684\u6548\u679c\u4e00\u6837\u3002\u6240\u4ee5\u53ef\u4ee5\u5728\u6587\u4ef6\u540d\u540e\u9762\u673a\u4e0a.\u7ed5\u8fc7<\/p>\n
Windows\u7cfb\u7edf\u7279\u5f81\u7ed5\u8fc7\u6f0f\u6d1e\u4ee3\u7801\u5206\u6790<\/h3>\n
<\/p>\n
\u540c\u6837\u662f\u9ed1\u540d\u5355\u7981\u6b62\u4e0a\u4f20\uff0c\u4f46\u662f\u53ef\u4ee5\u4e0a\u4f20.php.\u8fd9\u79cd\u6587\u4ef6\u540e\u7f00\u3002<\/p>\n
windows\u7cfb\u7edf\u7279\u5f81\u7ed5\u8fc7\u653b\u51fb<\/h3>\n
\u6293\u5305\u4fee\u6539\u5728\u540e\u7f00\u540d\u540e\u52a0\u4e0a.\u5373\u53ef\u7ed5\u8fc7\u3002<\/p>\n
<\/p>\n
NTFS\u4ea4\u6362\u6570\u636e\u6d41::$DATA\u7ed5\u8fc7\u4e0a\u4f20<\/h2>\n
\u5982\u679c\u540e\u7f00\u540d\u6ca1\u6709\u5bf9::$DATA \u8fdb\u884c\u5224\u65ad\uff0c\u5229\u7528 windows \u7cfb\u7edf NTFS \u7279\u5f81\u53ef\u4ee5\u7ed5\u8fc7\u4e0a\u4f20\u3002<\/p>\n
NTFS\u4ea4\u6362\u6570\u636e\u6d41::$DATA\u4ee3\u7801\u5206\u6790<\/h3>\n
<\/p>\n
$deny_ext =array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");<\/p>\n
\u540c \u6837 \u7528 \u9ed1 \u540d \u5355 \u8fc7 \u6ee4 \u540e \u7f00 \u540d \u3002 \u4f46 \u662f \u7a0b \u5e8f \u4e2d \u6ca1 \u6709 \u5bf9 ::$DATA \u8fdb \u884c \u8fc7 \u6ee4 \u53ef \u4ee5 \u6dfb\u52a0::$DATA \u7ed5\u8fc7\u4e0a\u4f20\u3002<\/p>\n
NTFS\u4ea4\u6362\u6570\u636e\u6d41::$DATA\u653b\u51fb\u7ed5\u8fc7\u4e0a\u4f20<\/h3>\n
burpsuite \u6293\u5305\uff0c\u4fee\u6539\u540e\u7f00\u540d\u4e3a php::$DATA<\/p>\n
<\/p>\n
<\/p>\n
\u5229\u7528windows\u73af\u5883\u7684\u53e0\u52a0\u7279\u5f81\u7ed5\u8fc7\u4e0a\u4f20<\/h2>\n
\u5728 windwos \u4e2d\u5982\u679c\u4e0a\u4f20\u6587\u4ef6\u540d moonsec.php:.jpg \u7684\u65f6\u5019\uff0c\u4f1a\u5728\u76ee\u5f55\u4e0b\u751f\u4ea7\u7a7a\u767d\u7684<\/p>\n
\u6587\u4ef6\u540d moonsec.php<\/p>\n
\u518d\u5229\u7528 php \u548c windows \u73af\u5883\u7684\u53e0\u52a0\u5c5e\u6027\uff0c<\/p>\n
\u4ee5\u4e0b\u7b26\u53f7\u5728\u6b63\u5219\u5339\u914d\u65f6\u76f8\u7b49<\/p>\n
\u53cc\u5f15\u53f7" \u7b49\u4e8e \u70b9\u53f7.<\/p>\n
\u5927\u4e8e\u7b26\u53f7> \u7b49\u4e8e \u95ee\u53f7?<\/p>\n
\u5c0f\u4e8e\u7b26\u53f7< \u7b49\u4e8e \u661f\u53f7*<\/p>\n
\u6587\u4ef6\u540d.<\u6216\u6587\u4ef6\u540d.<<<\u6216\u6587\u4ef6\u540d.>>>\u6216\u6587\u4ef6\u540d.>><\u7a7a\u6587\u4ef6\u540d<\/p>\n
\u9ed1\u540d\u5355\u4ee3\u7801\u5206\u6790<\/h3>\n
<\/p>\n
\u540c\u6837\u662f\u9ed1\u540d\u5355\u5339\u914d\uff0c\u628a.\u53bb\u6389 \u628a\u7a7a\u683c\u4e5f\u8fc7\u6ee4\u4e86\u3002::$data \u4e5f\u8fc7\u6ee4\u4e86<\/p>\n
\u5229\u7528windows\u73af\u5883\u7684\u53e0\u52a0\u7279\u5f81\u7ed5\u8fc7\u4e0a\u4f20\u653b\u51fb<\/h3>\n
\u9996\u5148\u6293\u5305\u4e0a\u4f20 a.php:.php \u4e0a\u4f20\u4f1a\u5728\u76ee\u5f55\u91cc\u751f\u6210 a.php \u7a7a\u767d\u6587\u4ef6\uff0c\u63a5\u7740\u518d\u6b21\u63d0\u4ea4\u628aa.php \u6539\u6210 a.>>><\/p>\n
<\/p>\n
\u53cc\u5199\u540e\u7f00\u540d\u7ed5\u8fc7\u4e0a\u4f20<\/h2>\n
\u5728\u4e0a\u4f20\u6a21\u5757\uff0c\u6709\u7684\u4ee3\u7801\u4f1a\u628a\u9ed1\u540d\u5355\u7684\u540e\u7f00\u540d\u66ff\u6362\u6210\u7a7a\uff0c\u4f8b\u5982 a.php \u4f1a\u628a php \u66ff\u6362\u6210\u7a7a\uff0c\u4f46\u662f\u53ef\u4ee5\u4f7f\u7528\u53cc\u5199\u7ed5\u8fc7\u4f8b\u5982 asaspp\uff0cpphphp\uff0c\u5373\u53ef\u7ed5\u8fc7\u4e0a\u4f20\u3002<\/p>\n
\u6587\u4ef6\u4e0a\u4f20\u53cc\u5199\u7ed5\u8fc7\u6f0f\u6d1e\u5206\u6790<\/h3>\n
<\/p>\n
\u540c\u6837\u662f\u9ed1\u540d\u5355\u8fc7\u6ee4\u3002str_ireplace \u5bf9\u4e0a\u4f20\u7684\u540e\u7f00\u540d\u662f\u9ed1\u540d\u5355\u5185\u7684\u5b57\u7b26\u4e32\u8f6c\u6362\u6210\u7a7a\u3002<\/p>\n
\u6587\u4ef6\u4e0a\u4f20\u53cc\u5199\u7ed5\u8fc7\u653b\u51fb<\/h3>\n
\u6293\u5305\u4e0a\u4f20\uff0c\u628a\u540e\u7f00\u540d\u6539\u6210 pphphp \u5373\u53ef\u7ed5\u8fc7\u4e0a\u4f20<\/p>\n
<\/p>\n
\u76ee\u5f55\u53ef\u63a7%00 \u622a\u65ad\u7ed5\u8fc7\u4e0a\u4f20<\/h2>\n
\u4ee5\u4e0a\u90fd\u662f\u4e00\u4e9b\u9ed1\u540d\u5355\u88ab\u7ed5\u8fc7\u7684\uff0c\u5982\u679c\u9ed1\u540d\u5355\u4e0a\u4f20\u68c0\u6d4b\u540e\uff0c\u6ca1\u6709\u9650\u5b9a\u540e\u7f00\u540d\uff0c\u7ed5\u8fc7\u7684\u65b9\u6cd5\u5f88\u591a\uff0c\u4e0e\u9ed1\u540d\u5355\u76f8\u5bf9\u7684\u5c31\u662f\u767d\u540d\u5355\uff0c\u4f7f\u7528\u767d\u540d\u5355\u9a8c\u8bc1\u4f1a\u76f8\u5bf9\u6bd4\u8f83\u5b89\u5168\uff0c\u56e0\u4e3a\u53ea\u5141\u8bb8\u6307\u5b9a\u7684\u6587\u4ef6\u540e\u7f00\u540d\u3002\u4f46\u662f\u5982\u679c\u6709\u53ef\u63a7\u7684\u53c2\u6570\u76ee\u5f55\uff0c\u4e5f\u5b58\u5728\u88ab\u7ed5\u8fc7\u7684\u98ce\u9669\u3002<\/p>\n
\u4e0a\u4f20\u53c2\u6570\u76ee\u5f55\u53ef\u63a7\u4ee3\u7801\u5206\u6790<\/h3>\n
<\/p>\n
\u4ee3\u7801\u4e2d\u4f7f\u7528\u767d\u540d\u5355\u9650\u5236\u4e0a\u4f20\u7684\u6587\u4ef6\u540e\u7f00\u540d\uff0c\u53ea\u5141\u8bb8\u6307\u5b9a\u7684\u56fe\u7247\u683c\u5f0f\u3002\u4f46\u662f$_GET[‘save_path’]\u670d\u52a1\u5668\u63a5\u53d7\u5ba2\u6237\u7aef\u7684\u503c\uff0c\u8fd9\u4e2a\u503c\u53ef\u88ab\u5ba2\u6237\u7aef\u4fee\u6539\u3002\u6240\u4ee5\u4f1a\u7559\u4e0b\u5b89\u5168\u95ee\u9898\u3002<\/p>\n
\u6587\u4ef6\u4e0a\u4f20\u53c2\u6570\u76ee\u5f55\u53ef\u63a7\u653b\u51fb<\/h3>\n
\u4e0a\u4f20\u53c2\u6570\u53ef\u63a7<\/p>\n
\u5f53 gpc \u5173\u95ed\u7684\u60c5\u51b5\u4e0b\uff0c\u53ef\u4ee5\u7528%00 \u5bf9\u76ee\u5f55\u6216\u8005\u6587\u4ef6\u540d\u8fdb\u884c\u622a\u65ad\u3002 php \u7248\u672c\u5c0f\u4e8e 5.3.4<\/p>\n
\u9996\u5148\u622a\u65ad\u653b\u51fb\uff0c\u6293\u5305\u4e0a\u4f20\u5c06%00 \u81ea\u52a8\u622a\u65ad\u540e\u95e8\u5185\u5bb9\u3002<\/p>\n
\u4f8b\u5982 1.php%00.1.jpg \u53d8\u6210 1.php<\/p>\n
\u76ee\u5f55\u53ef\u63a7 POST \u7ed5\u8fc7\u4e0a\u4f20<\/h2>\n
\u4e0a\u9762\u662f GET \u8bf7\u6c42\u7684\uff0c\u53ef\u4ee5\u76f4\u63a5\u5728 url \u8f93\u5165%00 \u5373\u53ef\u622a\u65ad\uff0c\u4f46\u662f\u5728 post \u4e0b\u76f4\u63a5\u6ce8\u5165%00 \u662f\u4e0d\u884c\u7684\uff0c\u9700\u8981\u628a%00 \u89e3\u7801\u53d8\u6210\u7a7a\u767d\u7b26\uff0c\u622a\u65ad\u624d\u6709\u6548\u3002\u624d\u80fd\u628a\u76ee\u5f55\u622a\u65ad\u6210\u6587\u4ef6\u540d<\/p>\n
\u76ee\u5f55\u53ef\u63a7 post \u4e0a\u4f20\u4ee3\u7801\u5206\u6790<\/h3>\n
\u8fd9\u6bb5\u4ee3\u7801\u540c\u6837\u662f\u767d\u540d\u5355\u9650\u5236\u540e\u7f00\u540d\uff0c$_POST[‘save_path’]\u662f\u63a5\u6536\u5ba2\u6237\u7aef\u63d0\u4ea4\u7684\u503c\uff0c<\/p>\n
\u5ba2\u6237\u7aef\u53ef\u4efb\u610f\u4fee\u6539\u3002\u6240\u4ee5\u4f1a\u4ea7\u751f\u5b89\u5168\u6f0f\u6d1e\u3002<\/p>\n
\u76ee\u5f55\u53ef\u63a7\u4e0a\u4f20\u653b\u51fb<\/h3>\n
\u6587\u4ef6\u540d\u53ef\u63a7\uff0c\u901a\u8fc7\u6293\u5305\u4fee\u6539\u53ef\u63a7\u7684\u53c2\u6570\uff0c\u4e0e\u4e0d\u540c\u7684\u4e2d\u95f4\u4ef6\u7684\u7f3a\u9677\u914d\u5408\u4f7f\u7528\u3002<\/p>\n
\u4f7f\u7528%00 \u622a\u65ad\u6587\u4ef6\u540d \u518d post \u73af\u5883\u4e0b%00 \u8981\u7ecf\u8fc7 decode \u4f46\u662f\u53d7 gpc \u9650\u5236<\/p>\n
\u4f7f\u7528 burpsutie POST %00 \u622a\u65ad\u6587\u4ef6\u540d<\/p>\n
<\/p>\n
\u5982\u679c\u76ee\u5f55\u5f53\u524d\u76ee\u5f55\u4e0d\u80fd\u89e3\u6790\u811a\u672c\uff0c\u53ef\u4ee5\u79fb\u52a8\u5230\u5176\u4ed6\u76ee\u5f55\u518d\u8fdb\u884c\u622a\u65ad\u63d0\u4ea4\u3002<\/p>\n
\u6587\u4ef6\u5934\u68c0\u6d4b\u7ed5\u8fc7\u4e0a\u4f20<\/h2>\n
\u6709\u7684\u6587\u4ef6\u4e0a\u4f20\uff0c\u4e0a\u4f20\u65f6\u5019\u4f1a\u68c0\u6d4b\u5934\u6587\u4ef6\uff0c\u4e0d\u540c\u7684\u6587\u4ef6\uff0c\u5934\u6587\u4ef6\u4e5f\u4e0d\u5c3d\u76f8\u540c\u3002\u5e38\u89c1<\/p>\n
\u7684\u6587\u4ef6\u4e0a\u4f20\u56fe\u7247\u5934\u68c0\u6d4b \u5b83\u68c0\u6d4b\u56fe\u7247\u662f\u4e24\u4e2a\u5b57\u8282\u7684\u957f\u5ea6\uff0c\u5982\u679c\u4e0d\u662f\u56fe\u7247\u7684\u683c\u5f0f\uff0c<\/p>\n
\u4f1a\u7981\u6b62\u4e0a\u4f20\u3002<\/p>\n
\u5e38\u89c1\u7684\u6587\u4ef6\u5934<\/p>\n
JPEG (jpg)\uff0c\u6587\u4ef6\u5934\uff1aFFD8FF<\/p>\n
PNG (png)\uff0c\u6587\u4ef6\u5934\uff1a89504E47<\/p>\n
GIF (gif)\uff0c\u6587\u4ef6\u5934\uff1a47494638<\/p>\n
TIFF (tif)\uff0c\u6587\u4ef6\u5934\uff1a49492A00<\/p>\n
Windows Bitmap (bmp)\uff0c\u6587\u4ef6\u5934\uff1a424D<\/p>\n
\u6587\u4ef6\u5934\u68c0\u6d4b\u4e0a\u4f20\u4ee3\u7801\u5206\u6790<\/h3>\n
\u8fd9\u4e2a\u662f\u5b58\u5728\u6587\u4ef6\u5934\u68c0\u6d4b\u7684\u4e0a\u4f20\uff0cgetReailFileType \u662f\u68c0\u6d4b jpg\u3001png\u3001gif \u7684\u6587\u4ef6\u5934<\/p>\n
\u5982\u679c\u4e0a\u4f20\u7684\u6587\u4ef6\u7b26\u5408\u6570\u5b57\u5373\u53ef\u901a\u8fc7\u68c0\u6d4b\u3002<\/p>\n
\u6587\u4ef6\u5934\u68c0\u6d4b\u7ed5\u8fc7\u4f20\u653b\u51fb\u65b9\u6cd5<\/h3>\n
1.\u5236\u4f5c\u56fe\u7247\u4e00\u53e5\u8bdd\uff0c\u4f7f\u7528 copy 1.gif\/b+moon.php shell.php \u5c06 php \u6587\u4ef6\u9644\u52a0\u518d jpg\u56fe\u7247\u4e0a\uff0c\u76f4\u63a5\u4e0a\u4f20\u5373\u53ef\u3002<\/p>\n
\u56e0\u4e3a\u9650\u5236\u4e86\u540e\u7f00\u4e3a jpg\uff0c\u53ef\u4ee5\u8003\u8651\u6587\u4ef6\u5305\u542b\u5c06\u56fe\u7247\u6587\u4ef6\u5305\u542b\u8fdb\u53bb getshell<\/p>\n
burpsuite \u4e0a\u4f20\u7684\u6570\u636e\u5305\u5934\u52a0\u4e0a GIF89a<\/p>\n
<\/p>\n
\u56fe\u7247\u68c0\u6d4b\u51fd\u6570\u7ed5\u8fc7\u4e0a\u4f20<\/h2>\n
\u67e5\u770b\u4ee3\u7801<\/p>\n
<\/p>\n
getimagesize \u662f\u83b7\u53d6\u56fe\u7247\u7684\u5927\u5c0f\uff0c\u5982\u679c\u5934\u6587\u4ef6\u4e0d\u662f\u56fe\u7247\u4f1a\u62a5\u9519\u76f4\u63a5\u53ef\u4ee5\u7528\u56fe\u7247\u9a6c\u7ed5\u8fc7\u68c0\u6d4b<\/p>\n
\u518d\u7528\u6587\u4ef6\u5305\u542b\u6f0f\u6d1e\u5f15\u5165 jpeg \u56fe\u7247\u5373\u53ef getshell<\/p>\n
\u7ed5\u8fc7\u56fe\u7247\u4e8c\u6b21\u6e32\u67d3\u4e0a\u4f20<\/h2>\n
\u6709\u4e9b\u56fe\u7247\u4e0a\u4f20\uff0c\u4f1a\u5bf9\u4e0a\u4f20\u7684\u56fe\u7247\u8fdb\u884c\u4e8c\u6b21\u6e32\u67d3\u540e\u5728\u4fdd\u5b58\uff0c\u4f53\u79ef\u53ef\u80fd\u4f1a\u66f4\u5c0f\uff0c\u56fe\u7247\u4f1a\u6a21\u7cca\u4e00\u4e9b\uff0c\u4f46\u662f\u7b26\u5408\u7f51\u7ad9\u7684\u9700\u6c42\u3002\u4f8b\u5982\u65b0\u95fb\u56fe\u7247\u5c01\u9762\u7b49\u53ef\u80fd\u9700\u8981\u4e8c\u6b21\u6e32\u67d3\uff0c\u56e0\u4e3a\u539f\u56fe\u7247\u5360\u7528\u7684\u4f53\u79ef\u66f4\u5927\u3002\u8bbf\u95ee\u7684\u4eba\u6570\u592a\u591a\u65f6\u5019\u4f1a\u5360\u7528\uff0c\u5f88\u5927\u5e26\u5bbd\u3002\u4e8c\u6b21\u6e32\u67d3\u540e\u7684\u56fe\u7247\u5185\u5bb9\u4f1a\u51cf\u5c11\uff0c\u5982\u679c\u91cc\u9762\u5305\u542b\u540e\u95e8\u4ee3\u7801\uff0c\u53ef\u80fd\u4f1a\u88ab\u7701\u7565\u3002\u5bfc\u81f4\u4e0a\u4f20\u7684\u56fe\u7247\u9a6c\uff0c\u6076\u610f\u4ee3\u7801\u88ab\u6e05\u9664\u3002<\/p>\n
\u56fe\u7247\u4e8c\u6b21\u6e32\u67d3\u5206\u6790\u4ee3\u7801<\/h3>\n
<\/p>\n
<\/p>\n
\u53ea\u5141\u8bb8\u4e0a\u4f20 JPG PNG gif \u5728\u6e90\u7801\u4e2d\u4f7f\u7528 imagecreatefromgif \u51fd\u6570\u5bf9\u56fe\u7247\u8fdb\u884c\u4e8c\u6b21\u751f\u6210\u3002\u751f\u6210\u7684\u56fe\u7247\u4fdd\u5b58\u5728\uff0cupload \u76ee\u5f55\u4e0b\u3002<\/p>\n
\u7ed5\u8fc7\u56fe\u7247\u4e8c\u6b21\u6e32\u67d3\u653b\u51fb<\/h3>\n
\u9996\u5148\u5224\u65ad\u56fe\u7247\u662f\u5426\u5141\u8bb8\u4e0a\u4f20 gif\uff0cgif \u56fe\u7247\u5728\u4e8c\u6b21\u6e32\u67d3\u540e\uff0c\u4e0e\u539f\u56fe\u7247\u5dee\u522b\u4e0d\u4f1a\u592a\u5927\u3002<\/p>\n
\u6240\u4ee5\u4e8c\u6b21\u6e32\u67d3\u653b\u51fb\u6700\u597d\u7528 git \u56fe\u7247\u9a6c\u3002<\/p>\n
\u5236\u4f5c\u56fe\u7247\u9a6c<\/p>\n
\u5c06\u539f\u56fe\u7247\u4e0a\u4f20\uff0c\u4e0b\u8f7d\u6e32\u67d3\u540e\u7684\u56fe\u7247\u8fdb\u884c\u5bf9\u6bd4\uff0c\u627e\u76f8\u540c\u5904\uff0c\u8986\u76d6\u5b57\u7b26\u4e32\uff0c\u586b\u5199\u4e00\u53e5<\/p>\n
\u8bdd\u540e\u95e8\uff0c\u6216\u8005\u6076\u610f\u6307\u4ee4\u3002<\/p>\n
<\/p>\n
\u539f\u56fe\u7247\u4e0e\u6e32\u67d3\u540e\u7684\u56fe\u7247\u8fd9\u4e2a\u4f4d\u7f6e\u7684\u5b57\u7b26\u4e32\u6ca1\u6709\u6539\u53d8\u6240\u5728\u539f\u56fe\u7247\u8fd9\u91cc\u66ff\u6362\u6210<?<\/p>\n
php phpinfo();?>\u76f4\u63a5\u4e0a\u4f20\u5373\u53ef\u3002<\/p>\n
<\/p>\n
\u6587\u4ef6\u4e0a\u4f20\u6761\u4ef6\u7ade\u4e89\u6f0f\u6d1e\u7ed5\u8fc7<\/h2>\n
\u5728 \u6587 \u4ef6 \u4e0a \u4f20 \u65f6 \uff0c \u5982 \u679c \u903b \u8f91 \u4e0d \u5bf9 \uff0c \u4f1a \u9020 \u6210 \u5f88 \u5927 \u5371 \u5bb3 \uff0c \u4f8b \u5982 \u6587 \u4ef6 \u4e0a \u4f20 \u65f6 \uff0c \u7528move_uploaded_file \u628a\u4e0a\u4f20\u7684\u4e34\u65f6\u6587\u4ef6\u79fb\u52a8\u5230\u6307\u5b9a\u76ee\u5f55\uff0c\u63a5\u7740\u518d\u7528 rename \u6587\u4ef6\u8bbe\u7f6e\u4e3a\u56fe\u7247\u683c\u5f0f\uff0c\u5982\u679c\u5728 rename \u4e4b\u524d move_uploaded_file \u8fd9\u4e2a\u6b65\u9aa4 \u5982\u679c\u8fd9\u4e2a\u6587\u4ef6\u53ef\u88ab\u5ba2\u6237\u7aef\u8bbf\u95ee\uff0c\u8fd9\u6837\u6211\u4eec\u4e5f\u53ef\u4ee5\u83b7\u53d6\u4e00\u4e2a webshell\u3002<\/p>\n
\u6587\u4ef6\u4e0a\u4f20\u6761\u4ef6\u7ade\u4e89\u6e90\u7801\u5206\u6790<\/h3>\n
<\/p>\n
\u91c7\u7528\u767d\u540d\u5355\u4e0a\u4f20\uff0c$upload_file = UPLOAD_PATH . ‘\/’ . $file_name; \u8bbe\u7f6e\u4e0a\u4f20\u8def\u5f84\uff0c\u540e\u7f00\u540d\u6ca1\u6709\u9650\u5b9a\u4e3a\u56fe\u7247\u7c7b\u578b\uff0c\u63a5\u7740 move_uploaded_file($temp_file, $upload_file)\u5c06\u56fe\u7247\u79fb\u52a8\u6307\u5b9a\u7684\u76ee\u5f55\uff0c\u63a5\u7740\u4f7f\u7528 rename \u91cd\u540d\u4e3a\u56fe\u7247\u7c7b\u578b\u3002\u5728\u91cd\u540d\u4e4b\u524d\u5982\u679c\u88ab\u6d4f\u89c8\u5668\u8bbf\u95ee\uff0c\u53ef\u4ee5\u5f97\u5230\u4e00\u4e2a webshell<\/p>\n
\u6587\u4ef6\u4e0a\u4f20\u6761\u4ef6\u7ade\u4e89\u653b\u51fb\u65b9\u6cd5<\/h3>\n
\u4e0a\u4f20 php \u540e\u95e8\u811a\u672c\uff0c\u4e0a\u4f20\u4e4b\u540e\u7528 burpsutie \u8bbe\u7f6e\u8bbf\u95ee\uff0c\u7ebf\u7a0b\u5efa\u8bae\u4f53\u63d0\u9ad8\u4e00\u4e9b\u3002\u6293\u5305\u4e0a\u4f20 php \u6587\u4ef6 \u8bbe\u7f6e\u53d8\u91cf\u4e0d\u505c\u7684\u63d0\u4ea4\u8fd9\u5305<\/p>\n
<\/p>\n
\u9700\u8981\u77e5\u9053 php \u7684\u8bbf\u95ee\u8def\u5f84\uff0c\u6293\u5305 \u4e0d\u505c\u7684\u63d0\u4ea4\u8bbf\u95ee\u3002\u9996\u5148\u63d0\u4ea4\u8bbf\u95ee\u4e0a\u4f20\u540e\u7684 php \u8def\u5f84 \u7b2c\u4e8c\u63d0\u4ea4\u4e0a\u4f20\u7684\u6587\u4ef6\u7684\u6570\u636e\u5305\u5373\u53ef<\/p>\n
\u53ef\u4ee5\u770b\u5230\u9875\u9762\u8fd4\u56de 200 \u8bc1\u660e\u4e0a\u4f20\u6210\u529f<\/p>\n
\u6587\u4ef6\u540d\u53ef\u63a7\u7ed5\u8fc7\u4e0a\u4f20<\/h2>\n
\u6587\u4ef6\u4e0a\u4f20\u65f6,\u6587\u4ef6\u540d\u7684\u53ef\u88ab\u5ba2\u6237\u7aef\u4fee\u6539\u63a7\u5236,\u4f1a\u5bfc\u81f4\u6f0f\u6d1e\u4ea7\u751f\u3002<\/p>\n
\u6587\u4ef6\u540d\u63a7\u4ee3\u7801\u5206\u6790<\/h3>\n
<\/p>\n
\u91c7\u7528\u9ed1\u540d\u5355\u9650\u5236\u4e0a\u4f20\u6587\u4ef6,\u4f46\u662f $_POST[‘save_name’]\u6587\u4ef6\u662f\u53ef\u63a7\u7684,\u53ef\u88ab\u5ba2\u6237\u7aef\u4efb\u610f\u4fee\u6539,\u9020\u6210\u5b89\u5168\u6f0f\u6d1e.<\/p>\n
\u6587\u4ef6\u540d\u63a7\u53ef\u63a7\u653b\u51fb\u65b9\u6cd5<\/h3>\n
\u6587\u4ef6\u540d\u653b\u51fb\u7684\u65b9\u6cd5\u4e3b\u8981\u6709\u4e24\u79cd<\/p>\n
1.\u4e0a \u4f20 \u6587 \u4ef6 , \u6587 \u4ef6 \u5417 \u91c7 \u7528 %00 \u622a \u65ad , \u6293 \u5305 \u89e3 \u7801 \u4f8b \u5982 moon.php%00.php \u622a \u65ad \u540emoon.php \u6216\u8005\u4f7f\u7528\/.<\/p>\n
2.\u4e0e\u4e2d\u95f4\u7684\u6f0f\u6d1e\u914d\u5408\u4f7f\u7528 \u4f8b\u5982 iis6.0 \u4e0a\u4f20 1.php;1.jpg apache \u4e0a\u4f20 1.php.a \u4e5f<\/p>\n
\u80fd\u89e3\u6790\u6587\u4ef6 a.asp;1.jpg \u89e3\u6790\u6210 asp<\/p>\n
%00 \u622a\u65ad \u9700\u8981 gpc \u5173\u95ed \u6293\u5305 \u89e3\u7801 \u63d0\u4ea4\u5373\u53ef \u622a\u65ad\u6587\u4ef6\u540d php \u7248\u672c\u5c0f\u4e8e 5.3.4<\/p>\n
\u5c06\u6587\u4ef6\u540d 1.php;.jpg \u6539\u6210 iis6.0 \u53ef\u89e3\u6790\u6587\u4ef6 \u4e5f\u53ef\u4ee5\u4f7f\u7528 \/.<\/p>\n
\u6570\u7ec4\u7ed5\u8fc7\u4e0a\u4f20<\/h2>\n
\u6709\u7684\u6587\u4ef6\u4e0a\u4f20\uff0c\u5982\u679c\u652f\u6301\u6570\u7ec4\u4e0a\u4f20\u6216\u8005\u6570\u7ec4\u547d\u540d\u3002\u5982\u679c\u903b\u8f91\u5199\u7684\u6709\u95ee\u9898\u4f1a\u9020\u6210\u5b89\u5168\u9690\u60a3\uff0c\u5bfc\u81f4\u4e0d\u53ef\u9884\u671f\u7684\u4e0a\u4f20\u3002\u8fd9\u79cd\u4e0a\u4f20\u653b\u51fb\uff0c\u5b83\u662f\u5c5e\u4e8e\u653b\u51fb\u8005\u767d\u76d2\u5ba1\u8ba1\u540e\u53d1\u73b0\u7684\u6f0f\u6d1e\u5c45\u591a\u3002<\/p>\n
\u6570\u7ec4\u7ed5\u8fc7\u4ee3\u7801\u5206\u6790<\/h3>\n
<\/p>\n
\u9996\u5148\u68c0\u6d4b\u6587\u4ef6\u7c7b\u578b\uff0c\u770b\u5230\u53ef\u63a7\u53c2\u6570 save_name \u5982\u679c\u4e0d\u662f\u6570\u7ec4\u5982\u679c\u540e\u7f00\u540d\u4e0d\u662f\u56fe<\/p>\n
\u7247\u7981\u6b62\u4e0a\u4f20\u3002<\/p>\n
\u5982\u679c\u662f\u6570\u7ec4\u7ed5\u8fc7\u56fe\u7247\u7c7b\u578b\u68c0\u6d4b \u63a5\u7740\u5904\u7406\u6570\u7ec4\u3002<\/p>\n
\u9996\u5148 \u4e00\u4e2a\u4f8b\u5b50\u7684\u5904\u7406\u3002<\/p>\n
<?php\n $file= $_GET['save_name'];\necho $file_name = reset($file) . '.' . $file[count($file) - 1];\n?><\/code><\/pre>\n\u5982\u679c\u662f\u4e24\u4e2a\u53c2\u6570 \u62fc\u63a5\u5b57\u7b26\u4e32\u662f xx.php\/.png<\/p>\n
<\/p>\n
\u6570\u7ec4\u7ed5\u8fc7\u653b\u51fb\u65b9\u6cd5<\/h3>\n
\u6784\u9020\u4e0a\u4f20\u8868\u5355\uff0c\u8bbe\u7f6e\u6570\u7ec4\u4e0a\u4f20\u3002\u4ece\u4ee3\u7801\u4e2d\uff0c\u53ef\u4ee5\u77e5\u9053\u7b2c\u4e8c\u4e2a\u6570\u7ec4\u5fc5\u987b\u5927\u4e8e 1 \u5373\u53ef\u7b2c \u4e8c \u4e2a \u6570 \u7ec4 \u7684 \u503c \u5c31 \u83b7 \u53d6 \u4e0d \u4e86 \uff0c \u5b57 \u7b26 \u4e32 \u62fc \u63a5 \u8d77 \u6765 \u5c31 \u662f moon.php\/. \u5c31 \u80fd\u4e0a \u4f20moon.php<\/p>\n
<\/p>\n
\u6587\u4ef6\u4e0a\u4f20\u5176\u4ed6\u6f0f\u6d1e<\/h2>\n
nginx 0.83 \/1.jpg%00php<\/p>\n
apahce 1x \u6216\u8005 2x\u5f53 apache \u9047\u89c1\u4e0d\u8ba4\u8bc6\u7684\u540e\u7f00\u540d\uff0c\u4f1a\u4ece\u540e\u5411\u524d\u89e3\u6790\u4f8b\u5982 1.php.rar \u4e0d\u8ba4\u8bc6 rar \u5c31\u5411\u524d\u89e3\u6790\uff0c\u76f4\u5230\u77e5\u9053\u5b83\u8ba4\u8bc6\u7684\u540e\u7f00\u540d\u3002<\/p>\n
phpcgi \u6f0f\u6d1e(nginx iis7 \u6216\u8005\u4ee5\u4e0a) \u4e0a\u4f20\u56fe\u7247\u540e 1.jpg\u3002\u8bbf\u95ee 1.jpg\/1.php \u4e5f\u4f1a\u89e3\u6790\u6210php\u3002<\/p>\n
Apache HTTPD \u6362\u884c\u89e3\u6790\u6f0f\u6d1e\uff08CVE-2017-15715\uff09<\/p>\n
apache \u901a\u8fc7 mod_php \u6765\u8fd0\u884c\u811a\u672c\uff0c\u5176 2.4.0-2.4.29 \u4e2d\u5b58\u5728 apache \u6362\u884c\u89e3\u6790\u6f0f\u6d1e\uff0c<\/p>\n
\u5728\u89e3\u6790 php \u65f6 xxx.phpx0A \u5c06\u88ab\u6309\u7167 PHP \u540e\u7f00\u8fdb\u884c\u89e3\u6790\uff0c\u5bfc\u81f4\u7ed5\u8fc7\u4e00\u4e9b\u670d\u52a1\u5668\u7684<\/p>\n
\u5b89\u5168\u7b56\u7565\u3002<\/p>\n
\u6587\u4ef6\u4e0a\u4f20\u6f0f\u6d1e\u901a\u7528\u68c0\u6d4b\u65b9\u6cd5<\/h3>\n
\u5224\u65ad\u662f\u5426\u4e3a\u9ed1\u767d\u540d\u5355\uff0c\u5982\u679c\u662f\u767d\u540d\u5355 \u5bfb\u627e\u53ef\u63a7\u53c2\u6570\u3002\u5982\u679c\u662f\u9ed1\u540d\u5355\u7981\u6b62\u4e0a\u4f20\uff0c<\/p>\n
\u53ef\u4ee5\u7528\u6709\u5371\u5bb3\u7684\u540e\u7f00\u540d\u6279\u91cf\u63d0\u4ea4\u6d4b\u8bd5\uff0c\u5bfb\u627e\u9057\u7559\u7684\u6267\u884c\u811a\u672c\u3002<\/p>\n
.php\n.php5\n.php4\n.php3\n.php2\n.html\n.htm\n.phtml\n.pht\n.pHp\n.phP\n.pHp5\n.pHp4\n.pHp3\n.pHp2\n.Html\n.Htm\n.pHtml\n.jsp\n.jspa\n.jspx\n.jsw\n.jsv\n.jspf\n.jtml\n.jSp\n.jSpx\n.jSpa\n.jSw\n.jSv\n.jSpf\n.jHtml\n.asp\n.aspx\n.asa\n.asax\n.ascx\n.ashx\n.asmx\n.cer\n.aSp\n.aSpx\n.aSa\n.aSax\n.aScx\n.aShx\n.aSmx\n.cEr\n.sWf\n.swf\n.htaccess<\/code><\/pre>\n\u4f7f\u7528 burpsuite \u6293\u5305\u4e0a\u4f20\u5c06\u540e\u7f00\u540d\u8bbe\u7f6e\u6210\u53d8\u91cf\uff0c\u628a\u8fd9\u4e9b\u6587\u4ef6\u8bbe\u7f6e\u6210\u4e00\u4e2a\u5b57\u5178\u6279\u91cf<\/p>\n
<\/p>\n
<\/p>\n
\u67e5\u770b\u6570\u636e\u5305\u5927\u5c0f \u67e5\u770b\u786e\u5b9a\u65f6\u5019\u53ef\u4e0a\u4f20\u5373\u53ef<\/p>\n
\u6587\u4ef6\u4e0a\u4f20\u7684\u9632\u5fa1\u65b9\u6cd5<\/h1>\n
\u670d\u52a1\u5668\u7aef\u4f7f\u7528\u767d\u540d\u5355\u9632\u5fa1\uff0c\u4fee\u590d web \u4e2d\u95f4\u4ef6\u7684\u6f0f\u6d1e\uff0c\u7981\u6b62\u5ba2\u6237\u7aef\u5b58\u5728\u53ef\u63a7\u53c2\u6570\uff0c\u5b58\u653e\u6587\u4ef6\u76ee\u5f55\u7981\u6b62\u811a\u672c\u6267\u884c\uff0c\u9650\u5236\u540e\u7f00\u540d \u4e00\u5b9a\u8981\u8bbe\u7f6e\u56fe\u7247\u683c\u5f0f jpg\u3001gif \u3001png \u6587\u4ef6\u540d\u968f\u673a\u7684\uff0c\u4e0d\u53ef\u9884\u6d4b<\/p>\n
\u6587\u4ef6\u4e0a\u4f20\u7684\u653b\u51fb\u65b9\u6cd5<\/h1>\n
<\/p>\n
\n\u66f4\u65b0: 2025-05-03 19:56:48
\n\u539f\u6587: https:\/\/www.yuque.com\/yuhui.net\/network\/awtbxlnblhgrzpro<\/a><\/p>\n<\/blockquote>\n","protected":false},"excerpt":{"rendered":"\u6587\u4ef6\u4e0a\u4f20 \u6982\u8ff0 \u7531\u4e8e\u7a0b\u5e8f\u5458\u672a\u5bf9\u4e0a\u4f20\u7684\u6587\u4ef6\u8fdb\u884c\u4e25\u683c\u7684\u9a8c\u8bc1\u548c\u8fc7\u6ee4\uff0c\u800c\u5bfc\u81f4\u7684\u7528\u6237\u53ef\u4ee5\u8d8a\u8fc7\u5176\u672c\u8eab\u6743\u9650\u5411\u670d\u52a1\u5668\u4e0a\u4e0a\u4f20\u53ef\u6267\u884c\u7684\u52a8\u6001\u811a\u672c\u6587\u4ef6\u3002\u5982\u5e38\u89c1\u7684\u5934\u50cf\u4e0a\u4f20\uff0c\u56fe\u7247\u4e0a\u4f20\uff0coa \u529e\u516c\u6587\u4ef6\u4e0a\u4f20\uff0c\u5a92\u4f53\u4e0a\u4f20\uff0c\u5141\u8bb8\u7528\u6237\u4e0a\u4f20\u6587\u4ef6\uff0c\u5982\u679c\u8fc7\u6ee4\u4e0d\u4e25\u683c\uff0c\u6076\u610f\u7528\u6237\u5229\u7528\u6587\u4ef6\u4e0a\u4f20\u6f0f\u6d1e\uff0c\u4e0a\u4f20\u6709\u5bb3\u7684\u53ef\u4ee5\u6267\u884c\u811a\u672c\u6587\u4ef6\u5230\u670d\u52a1\u5668\u4e2d\uff0c\u53ef\u4ee5\u83b7\u53d6\u670d\u52a1\u5668\u7684\u6743\u9650\uff0c\u6216\u8fdb\u4e00\u6b65\u5371\u5bb3\u670d\u52a1\u5668\u3002 \u5371\u5bb3 \u975e\u6cd5\u7528\u6237\u53ef\u4ee5\u4e0a\u4f20\u7684\u6076\u610f\u6587\u4ef6\u63a7\u5236\u6574\u4e2a\u7f51\u7ad9\uff0c\u751a\u81f3\u662f\u63a7\u5236\u670d\u52a1\u5668\uff0c\u8fd9\u4e2a\u6076\u610f […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[119,120,2],"tags":[22,43],"class_list":["post-788","post","type-post","status-publish","format-standard","hentry","category-shentouceshijichu-network_sec","category-loudongleibie","category-network_sec","tag-windows","tag-43"],"_links":{"self":[{"href":"https:\/\/www.youvii.site\/index.php\/wp-json\/wp\/v2\/posts\/788","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.youvii.site\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.youvii.site\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.youvii.site\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.youvii.site\/index.php\/wp-json\/wp\/v2\/comments?post=788"}],"version-history":[{"count":0,"href":"https:\/\/www.youvii.site\/index.php\/wp-json\/wp\/v2\/posts\/788\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.youvii.site\/index.php\/wp-json\/wp\/v2\/media?parent=788"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.youvii.site\/index.php\/wp-json\/wp\/v2\/categories?post=788"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.youvii.site\/index.php\/wp-json\/wp\/v2\/tags?post=788"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
![\"1746000858529-09cb61bd-0720-42bc-bc64-bc1af5cb136f.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae8a1a2b26.png\")
\u76f4\u63a5\u4e0a\u4f20\u6587\u4ef6 \u7f51\u9875\u4f1a\u8fd4\u56de\u8def\u5f84 \u8bbf\u95ee url \u5373\u53ef getshell<\/p>\n![\"1746000917078-408e93af-9649-4a5e-a83f-ca7b54e11875.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae8a4b6296.png\")
<\/p>\n![\"1746002117494-4c5d54c9-05e5-4a2e-a1a6-ed258e7e94fa.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae8a6d3007.png\")
<\/p>\n![\"1746003554636-c91e0a91-f316-4d63-a600-7d053d41f897.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae8a9becf3.png\")
<\/p>\n![\"1746003589691-9eccee30-6a0a-45b6-ba9c-0b4b93f5aad7.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae8ac8a327.png\")
<\/p>\n![\"1746003600338-bc6cd743-ff83-403d-99f2-0efdaf6ae2a4.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae8af9053d.png\")
<\/p>\n![\"1746003637913-bbc64679-7afe-4655-a25e-d5233fe49b58.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae8b31ef24.png\")
<\/p>\n![\"1746003735909-6ba16a27-86b8-418b-9b93-352065097de9.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae8b713fe5.png\")
<\/p>\n![\"1746003768621-e55ceea7-b93f-456a-b22e-bc9dd43bdda2.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae8bb132db.png\")
<\/p>\n![\"1746003783023-d4f1d802-f749-4513-b6c6-f993d9291e20.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae8be195bb.png\")
<\/p>\n![\"1746003826588-03a226da-9aeb-4e2b-b8c5-f4e0538c283e.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae8c1bf26a.png\")
<\/p>\n![\"1746003933108-416b13c6-6769-4d51-9034-42f211d2260c.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae8c533225.png\")
<\/p>\n![\"1746003971955-b15991d6-59fc-4629-85e5-610635207bb4.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae8c94ea73.png\")
<\/p>\n![\"1746004001231-8b72a03b-d016-47b0-90f7-20fd84100c5c.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae8cc4ad73.png\")
\u68c0\u6d4b submit \u540e \u4e0a\u4f20\u76ee\u5f55\u5b58\u5728\u65f6\uff0c\u8fdb\u5165\u9ed1\u540d\u5355\u5224\u65ad\u3002\u5982\u679c\u6587\u4ef6\u540e\u7f00\u540d\u5728\u9ed1\u540d\u5355\u91cc\u3002\u4e0d\u5141\u8bb8\u4e0a\u4f20\uff0c\u4f46\u662f\u6587\u4ef6\u540e\u7f00\u540d\uff0c\u6ca1\u6709\u8fc7\u6ee4\u7a7a\u683c\uff0c\u53ef\u4ee5\u6dfb\u52a0\u7a7a\u683c\u7ed5\u8fc7\u3002<\/p>\n![\"1746004082787-0b97aa22-f9fd-478f-af47-afebda445e16.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae8cfb05b6.png\")
<\/p>\n![\"1746004126463-d543c085-edb8-4e26-baed-39159610a168.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae8d346523.png\")
<\/p>\n![\"1746004155528-85d49247-f897-4116-8723-7fd887749da3.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae8d71ee36.png\")
<\/p>\n![\"1746004195406-fd863661-e4aa-4773-8263-5a2cf95eb145.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae8da22516.png\")
<\/p>\n![\"1746004237951-84e525bf-1f14-4845-9a79-691d5bf15a6c.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae8de63f66.png\")
<\/p>\n![\"1746004246471-e3d7723e-56c6-4535-8ffa-2415821a18fd.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae8e1cd6a7.png\")
<\/p>\n![\"1746004289242-e1adf3e7-c544-4019-97ed-bb6534f0e310.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae8e556b32.png\")
<\/p>\n![\"1746004331501-b511cac4-5ccf-4c6a-a488-f0c205ffe4dc.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae8e9337a3.png\")
<\/p>\n![\"1746004368028-b9373ef8-7ed3-4473-b099-b7963b2a18ac.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae8ecd41f6.png\")
<\/p>\n![\"1746004388579-e92dcb73-d1b0-459c-bf04-f19af68a8e93.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae8f05dbd7.png\")
<\/p>\n![\"1746004417812-ce39224d-4de2-4771-8e07-4104c8fd8952.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae8f55731f.png\")
<\/p>\n![\"1746004497676-b9ab64dd-5048-4623-953f-90dea4607ea4.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae8f956ea9.png\")
<\/h3>\n![\"1746004523437-17fb5884-42bf-422f-9105-cf05a081a048.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae8fc34f67.png\")
<\/p>\n![\"1746004570751-eaf94552-2a6a-42d0-a1a6-e369a47473ab.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae8ffb6dbb.png\")
\u5982\u679c\u4e0a\u4f20\u7684\u6587\u4ef6\u7b26\u5408\u6570\u5b57\u5373\u53ef\u901a\u8fc7\u68c0\u6d4b\u3002<\/p>\n![\"1746004624438-9732ae2e-e2de-430c-9584-20e873fc1e2e.png\"](\".\/img\/gY0m8IMj2wm6cdNz\/1746004624438-9732ae2e-e2de-430c-9584-20e873fc1e2e-029544.png\")
\u56e0\u4e3a\u9650\u5236\u4e86\u540e\u7f00\u4e3a jpg\uff0c\u53ef\u4ee5\u8003\u8651\u6587\u4ef6\u5305\u542b\u5c06\u56fe\u7247\u6587\u4ef6\u5305\u542b\u8fdb\u53bb getshell![\"1746004645664-0f01bec8-6842-4f9f-bbaf-9c7a021034c5.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae9036db63.png\")
<\/p>\n![\"1746004658253-c6c68a1b-b9a3-4caa-a83b-f41927e4448d.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae907a7e52.png\")
<\/p>\n![\"1746004674172-44ed8648-5709-421b-b783-c178eff5621b.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae90b06bce.png\")
<\/p>\n![\"1746004722254-a6fbeb71-3ae4-4831-8d34-a6c89a6d354a.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae90ea6aef.png\")
<\/p>\n![\"1746004729199-f83d964c-8c26-4090-8f30-7c8370d6dacf.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae911f3e6a.png\")
<\/p>\n![\"1746004765639-7f28079d-394e-460f-841c-970dca8c2987.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae915bd79e.png\")
<\/p>\n![\"1746004777053-be95f3a9-7a11-48c7-968c-58ebe70391a6.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae9199669c.png\")
<\/p>\n![\"1746004803814-6a37a1e7-97cb-46fa-93ab-e5b57015667d.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae91c8a4ef.png\")
<\/p>\n![\"1746004829948-b7280b2e-cc92-4fab-8aa6-be5d30272bbf.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae91f57111.png\")
<\/p>\n![\"1746004843614-c0c4bf79-a70c-418a-b20c-d32fa368de47.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae9220ea78.png\")
\u53ef\u4ee5\u770b\u5230\u9875\u9762\u8fd4\u56de 200 \u8bc1\u660e\u4e0a\u4f20\u6210\u529f<\/p>\n![\"1746004870139-87f16667-5ae4-4d8e-a15c-18fdfe7811b5.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae924efa8a.png\")
<\/p>\n![\"1746004915562-9b3a47f0-8590-4fec-89d4-093a426a7c27.png\"](\".\/img\/gY0m8IMj2wm6cdNz\/1746004915562-9b3a47f0-8590-4fec-89d4-093a426a7c27-406529.png\")
![\"1746004922291-a4b496d6-24e9-4d94-a672-6da88e587980.png\"](\".\/img\/gY0m8IMj2wm6cdNz\/1746004922291-a4b496d6-24e9-4d94-a672-6da88e587980-542351.png\")
\u5c06\u6587\u4ef6\u540d 1.php;.jpg \u6539\u6210 iis6.0 \u53ef\u89e3\u6790\u6587\u4ef6 \u4e5f\u53ef\u4ee5\u4f7f\u7528 \/.![\"1746004943871-d759a85f-1a66-4609-8f23-bfecd266ded5.png\"](\".\/img\/gY0m8IMj2wm6cdNz\/1746004943871-d759a85f-1a66-4609-8f23-bfecd266ded5-748569.png\")
![\"1746004950865-2578eff4-3be8-405e-8f14-89b067c69461.png\"](\".\/img\/gY0m8IMj2wm6cdNz\/1746004950865-2578eff4-3be8-405e-8f14-89b067c69461-190773.png\")
![\"1746004962625-330ddb71-a500-48f1-8636-31ea514edb31.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae928e6193.png\")
<\/p>\n![\"1746005079672-5f6b968c-112a-4db5-926b-25babe0af918.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae92bcbf6d.png\")
<\/p>\n![\"1746005103281-ae9ce270-c161-48b3-8a3c-ebfe42a2c2e2.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae92f45af2.png\")
<\/p>\n![\"1746005131233-9532eda9-ecfd-4b6e-85d7-7ae9321b2839.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68faf1922ae58.png\")
<\/p>\n![\"1746005157418-c874f062-546e-456f-85af-d7bdc50e2f2a.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68faf19540b42.png\")
\u6587\u4ef6\u4e0a\u4f20\u5176\u4ed6\u6f0f\u6d1e<\/h2>\n![\"1746005221418-884e4fe8-fc9c-4cf0-8f91-70acfa2b0554.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68faf1987ec80.png\")
<\/p>\n![\"1746005226579-d27747b4-2118-4c1c-b748-e1f8b4f74856.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68faf19e5778e.png\")
<\/p>\n![\"\u753b\u677f\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68faf1a1c20a7.jpeg\")
<\/p>\n