参数注入 on 办公AI智能小助手 https://blog.qife122.com/tags/%E5%8F%82%E6%95%B0%E6%B3%A8%E5%85%A5/ Recent content in 参数注入 on 办公AI智能小助手 Hugo zh-cn qife Sun, 09 Nov 2025 00:57:03 +0800 HTB Dump靶机渗透实战:参数注入与权限提升 https://blog.qife122.com/p/htb-dump%E9%9D%B6%E6%9C%BA%E6%B8%97%E9%80%8F%E5%AE%9E%E6%88%98%E5%8F%82%E6%95%B0%E6%B3%A8%E5%85%A5%E4%B8%8E%E6%9D%83%E9%99%90%E6%8F%90%E5%8D%87/ Sun, 09 Nov 2025 00:57:03 +0800 https://blog.qife122.com/p/htb-dump%E9%9D%B6%E6%9C%BA%E6%B8%97%E9%80%8F%E5%AE%9E%E6%88%98%E5%8F%82%E6%95%B0%E6%B3%A8%E5%85%A5%E4%B8%8E%E6%9D%83%E9%99%90%E6%8F%90%E5%8D%87/ <h2 id="初始侦察">初始侦察</h2> <p>Nmap扫描发现两个开放端口:</p> <ul> <li>SSH (22)</li> <li>HTTP (80)</li> </ul> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">nmap -p- -vvv --min-rate <span class="m">10000</span> 10.129.26.68 </span></span><span class="line"><span class="cl">PORT STATE SERVICE REASON </span></span><span class="line"><span class="cl">22/tcp open ssh syn-ack ttl <span class="m">63</span> </span></span><span class="line"><span class="cl">80/tcp open http syn-ack ttl <span class="m">63</span> </span></span></code></pre></td></tr></table> </div> </div><h2 id="网站分析">网站分析</h2> <p>网站提供数据包捕获功能,具有以下特性:</p> <ul> <li>用户注册/登录系统</li> <li>实时流量捕获(端口27714)</li> <li>PCAP文件上传下载</li> <li>使用PHP开发</li> </ul> <h2 id="参数注入攻击">参数注入攻击</h2> <h3 id="特殊字符模糊测试">特殊字符模糊测试</h3> <p>通过上传包含特殊字符的文件名,发现zip命令存在参数注入漏洞:</p> 利用SSRF与参数注入攻破HTB Down靶机 https://blog.qife122.com/p/%E5%88%A9%E7%94%A8ssrf%E4%B8%8E%E5%8F%82%E6%95%B0%E6%B3%A8%E5%85%A5%E6%94%BB%E7%A0%B4htb-down%E9%9D%B6%E6%9C%BA/ Fri, 19 Sep 2025 21:25:46 +0800 https://blog.qife122.com/p/%E5%88%A9%E7%94%A8ssrf%E4%B8%8E%E5%8F%82%E6%95%B0%E6%B3%A8%E5%85%A5%E6%94%BB%E7%A0%B4htb-down%E9%9D%B6%E6%9C%BA/ <h1 id="htb-down">HTB: Down</h1> <h2 id="初始扫描">初始扫描</h2> <p>Nmap扫描显示目标开放SSH(22)和HTTP(80)端口:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">oxdf@hacky$ nmap -p- --min-rate <span class="m">10000</span> 10.129.234.87 </span></span><span class="line"><span class="cl">Starting Nmap 7.94SVN <span class="o">(</span> https://nmap.org <span class="o">)</span> at 2025-05-03 04:25 UTC </span></span><span class="line"><span class="cl">Nmap scan report <span class="k">for</span> 10.129.234.87 </span></span><span class="line"><span class="cl">Host is up <span class="o">(</span>0.093s latency<span class="o">)</span>. </span></span><span class="line"><span class="cl">Not shown: <span class="m">65533</span> closed tcp ports <span class="o">(</span>reset<span class="o">)</span> </span></span><span class="line"><span class="cl">PORT STATE SERVICE </span></span><span class="line"><span class="cl">22/tcp open ssh </span></span><span class="line"><span class="cl">80/tcp open http </span></span></code></pre></td></tr></table> </div> </div><p>详细版本扫描确认服务信息:</p> CVE-2024-4577 - 又一个PHP远程代码执行漏洞:让PHP-CGI参数注入再次伟大! https://blog.qife122.com/p/cve-2024-4577-%E5%8F%88%E4%B8%80%E4%B8%AAphp%E8%BF%9C%E7%A8%8B%E4%BB%A3%E7%A0%81%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E%E8%AE%A9php-cgi%E5%8F%82%E6%95%B0%E6%B3%A8%E5%85%A5%E5%86%8D%E6%AC%A1%E4%BC%9F%E5%A4%A7/ Fri, 05 Sep 2025 22:36:52 +0800 https://blog.qife122.com/p/cve-2024-4577-%E5%8F%88%E4%B8%80%E4%B8%AAphp%E8%BF%9C%E7%A8%8B%E4%BB%A3%E7%A0%81%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E%E8%AE%A9php-cgi%E5%8F%82%E6%95%B0%E6%B3%A8%E5%85%A5%E5%86%8D%E6%AC%A1%E4%BC%9F%E5%A4%A7/ <h1 id="cve-2024-4577---yet-another-php-rce-make-php-cgi-argument-injection-great-again">CVE-2024-4577 - Yet Another PHP RCE: Make PHP-CGI Argument Injection Great Again!</h1> <p>这是我在准备Black Hat USA演讲时发现的一个额外漏洞/旁支故事。我相信大部分细节已经在官方公告中涵盖(应该很快就会发布)。尽管PHP-CGI随着时间的推移已逐渐被淘汰,但这个漏洞默认影响Windows版的XAMPP,允许未经认证的攻击者通过特定字符序列在远程XAMPP服务器上执行任意代码。</p>