{"id":608,"date":"2023-11-07T23:59:55","date_gmt":"2023-11-07T14:59:55","guid":{"rendered":"https:\/\/web.cloudfree.jp\/journal\/?p=608"},"modified":"2023-11-09T23:33:52","modified_gmt":"2023-11-09T14:33:52","slug":"%e4%bd%9c%e6%a5%ad%e5%8a%b9%e7%8e%87%e5%80%8d%e5%a2%97%e3%83%a9%e3%83%b3%e3%83%81%e3%83%a3%e3%83%bc%e3%82%92%e4%bd%9c%e3%82%8b2-3","status":"publish","type":"post","link":"https:\/\/web.cloudfree.jp\/journal\/%e4%bd%9c%e6%a5%ad%e5%8a%b9%e7%8e%87%e5%80%8d%e5%a2%97%e3%83%a9%e3%83%b3%e3%83%81%e3%83%a3%e3%83%bc%e3%82%92%e4%bd%9c%e3%82%8b2-3\/","title":{"rendered":"\u4f5c\u696d\u52b9\u7387\u500d\u5897\u30e9\u30f3\u30c1\u30e3\u30fc\u3092\u4f5c\u308b(2\/3)"},"content":{"rendered":"

\u4f5c\u696d\u52b9\u7387\u500d\u5897\u30e9\u30f3\u30c1\u30e3\u30fc\u3092\u4f5c\u308b(2\/3)<\/h3>\r\n\n

2023-11-07 \u8a18\u8f09
\u6982\u8981 : HTML\u30da\u30fc\u30b81\u679a\u306b\u3042\u3089\u3086\u308bOpen\u51e6\u7406\u3092\u96c6\u7d04\u3055\u305b\u305f\u30e9\u30f3\u30c1\u30e3\u30fc\u306e\u4f5c\u6210
\u524d\u5f8c\u306e\u8a18\u4e8b\uff1a(1\/3)<\/a>, (3\/3)<\/a>
Keyword : \u30d7\u30ed\u30bb\u30b9\u8d77\u52d5, Apache, PHP, runas, <\/p>\n\n\n\n

Apache\u304b\u3089\u547c\u3070\u308c\u305fPHP\u306b\u30d7\u30ed\u30bb\u30b9\u8d77\u52d5\u3092\u3057\u3066\u3082\u3089\u3063\u3066\u3082\u3001\u753b\u9762\u3092\u30c7\u30b9\u30af\u30c8\u30c3\u30d7\u306b\u51fa\u3057\u3066\u304f\u308c\u307e\u305b\u3093\u3067\u3057\u305f\u3002\u305d\u306e\u7d4c\u7def\u3092\u66f8\u3044\u3066\u304a\u304d\u307e\u3059\u3068\u3002

\u307e\u305a\u306f\u3082\u3063\u3068\u3082\u30aa\u30fc\u30bd\u30c9\u30c3\u30af\u30b9\u306a exec()
test.php \u306b exec(“notepad.exe”); \u3068\u3060\u3051\u66f8\u3044\u3066\u3001DOS\u7a93\u3067 php shell.php \u3067\u8d77\u52d5\u3092\u78ba\u8a8d\u3002\u3053\u308c\u306fOK\u3002
\u3057\u304b\u3057\u3053\u306etest.php \u3092 http:\/\/localhost\/test.php \u304b\u3089\u547c\u3093\u3060\u3089\u7acb\u3061\u4e0a\u304c\u3063\u3066\u3053\u305a\u3002
\u30d1\u30b9\u304c\u60aa\u3044\uff1f\u3068\u601d\u3044\u3001notepad.exe \u3092\u7d76\u5bfe\u30d1\u30b9\u3067\u6307\u5b9a\u3057\u3066\u3082\u30c0\u30e1\u3002

\u6b21\u306b\u8a66\u3057\u305f\u306e\u306fCOM\u3092\u4f7f\u3046\u66f8\u304d\u65b9\u3002

$WshShell = new COM(“WScript.Shell”);
$oExec = $WshShell->Run(“notepad”, 5, true);

\u3057\u304b\u3057\u30a8\u30e9\u30fc\u3002<\/p>\n\n\n\n

Fatal error: Uncaught Error: Class “COM” not found in \u2026\u2026<\/mark><\/p>\n\n\n\n

\u8abf\u3079\u308b\u3068\u3001Class “COM”\u3092\u4f7f\u3046\u306b\u306f\u3001php.ini\u3067
extension=php_com_dotnet.dll
\u304c\u5fc5\u8981\u3068\u306e\u3053\u3068\u3002
\\ext \u306b php_com_dotnet.dll \u304c\u3042\u308b\u3053\u3068\u3092\u78ba\u8a8d\u3057\u3066ini\u3092\u7de8\u96c6\u3002Apache Restart\u3002<\/p>\n\n\n\n

\u3057\u304b\u3057\u3053\u308c\u3067\u3082\u753b\u9762\u306f\u51fa\u3066\u3053\u305a\u3002
\u30bf\u30b9\u30af\u30de\u30cd\u30fc\u30b8\u30e3\u306e\u8a73\u7d30\u30bf\u30d6\u3067\u78ba\u8a8d\u3059\u308b\u3068\u30d7\u30ed\u30bb\u30b9\u8d77\u52d5\u306f\u3067\u304d\u3066\u3044\u307e\u3059\u3002
\u305f\u3060\u3057\u30e6\u30fc\u30b6\u30fc\u304cSYSTEM \u306a\u306e\u3067\u3059\u3002
\u3055\u3089\u306b\u8abf\u3079\u3066\u3001\u30e6\u30fc\u30b6\u30fc\u3092\u6307\u5b9a\u3057\u3066\u30d7\u30ed\u30bb\u30b9\u8d77\u52d5\u3059\u308b\u306b\u306f
runas
\u3060\u3068\u5224\u660e\u3002

$WshShell = new COM(“WScript.Shell”);
$WshShell->Run(“runas \/savecred \/user:myname notepad.exe”, 5, false);<\/p>\n\n\n\n

\u30b3\u30f3\u30bd\u30fc\u30eb\u3067\u8a66\u3059\u3068\u30d1\u30b9\u30ef\u30fc\u30c9\u3092\u554f\u3046\u3066\u304d\u305f\u306e\u3067\u3001\u7a7a\u3060\u3088\u3001\u3068Enter\u3057\u305f\u3089\u3001\u7a7a\u306f\u30c0\u30e1\u3067\u3059\u3068\u8a00\u3046\u3002\u308f\u3056\u308f\u3056\u30d1\u30b9\u30ef\u30fc\u30c9\u3092\u8a2d\u5b9a\u3057\u3066\u3001\u8a66\u3057\u305f\u3089\u958b\u3051\u307e\u3057\u305f\u3002\/savecred \u3082\u52b9\u304b\u305b\u307e\u3057\u305f\u3002
\u3053\u308c\u3092http\u7d4c\u7531\u3067\u3001\u3068\u3057\u305f\u3089\u53cd\u5fdc\u306a\u3057\u3002\u30d1\u30b9\u30ef\u30fc\u30c9\u3092\u554f\u3046\u3066\u308b\u898b\u3048\u306a\u3044\u753b\u9762\u3067\u3068\u307e\u3063\u3066\u3044\u308b\u306e\u304b\uff1f\u3068\u60f3\u50cf\u3059\u308b\u3082\u6253\u3064\u624b\u306a\u3057\u3002\u305d\u3046\u3060\u30d1\u30b9\u30ef\u30fc\u30c9\u3092\u7a7a\u306b\u3057\u305f\u3089\u305d\u306e\u753b\u9762\u3067\u6b62\u307e\u3089\u306a\u3044\u306e\u3067\u306f\uff1f\u3068\u601d\u3044\u3001\u518d\u3073\u7a7a\u306b\u3057\u3066\u30ed\u30fc\u30ab\u30eb\u30bb\u30ad\u30e5\u30ea\u30c6\u30a3\u30dd\u30ea\u30b7\u30fc\u3067\u30ed\u30b0\u30a4\u30f3\u4ee5\u5916\u3067\u3082\u7a7a\u3092\u8a8d\u3081\u308b\u8a2d\u5b9a\u3092\u3057\u3066\u3001\u4eca\u5ea6\u3053\u305d\u3068\u8a66\u3057\u307e\u3057\u305f\u304c\u305d\u308c\u3067\u3082\u753b\u9762\u306f\u51fa\u3066\u3053\u305a\u3002

\u30b3\u30f3\u30c8\u30ed\u30fc\u30eb\u30d1\u30cd\u30eb\u2192[\u30b7\u30b9\u30c6\u30e0\u3068\u30bb\u30ad\u30e5\u30ea\u30c6\u30a3]\u2192[\u7ba1\u7406\u30c4\u30fc\u30eb]\u2192
[\u30ed\u30fc\u30ab\u30eb\u30bb\u30ad\u30e5\u30ea\u30c6\u30a3\u30dd\u30ea\u30b7\u30fc]\u2192[\u30ed\u30fc\u30ab\u30eb\u30dd\u30ea\u30b7\u30fc]\u2192[\u30bb\u30ad\u30e5\u30ea\u30c6\u30a3\u30aa\u30d7\u30b7\u30e7\u30f3]\u2192
[\u30a2\u30ab\u30a6\u30f3\u30c8: \u30ed\u30fc\u30ab\u30eb\u30a2\u30ab\u30a6\u30f3\u30c8\u306e\u7a7a\u306e\u30d1\u30b9\u30ef\u30fc\u30c9\u306e\u4f7f\u7528\u3092\u30b3\u30f3\u30bd\u30fc\u30eb\u306e\u30ed\u30b0\u30aa\u30f3\u306e\u307f\u306b\u5236\u9650\u3059\u308b]<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Apache\u30b5\u30fc\u30d3\u30b9\u306e\u30d7\u30ed\u30d1\u30c6\u30a3\u306b\u30c7\u30b9\u30af\u30c8\u30c3\u30d7\u3068\u306e\u5bfe\u8a71\u3092\u8a31\u53ef\u3001\u3053\u306e\u30c1\u30a7\u30c3\u30af\u3092\u5165\u308c\u305f\u3089\u30d1\u30b9\u30ef\u30fc\u30c9\u3092\u5165\u308c\u308b\u753b\u9762\u304c\u51fa\u308b\u306e\u3067\u306f\uff1f\u3068\u304b\u3001\u3044\u3063\u305d\u3046\u306e\u3053\u3068Apache\u30b5\u30fc\u30d3\u30b9\u3092\u81ea\u5206\u30a2\u30ab\u30a6\u30f3\u30c8\u3067\u7a3c\u50cd\u3055\u305b\u3088\u3046\u304b\uff1f\u4e0b\u7b56\u3060\u3051\u3069\u3053\u308c\u306a\u3089\u3068\u308a\u3042\u3048\u305a\u52d5\u304f\u306f\u305a\u3001\u3068\u3084\u3063\u3066\u307f\u305f\u3089\u305d\u308c\u3067\u3082\u30c0\u30e1\u3067\u3057\u305f\u3002<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

\u3082\u3046\u53c2\u308a\u307e\u3057\u305f\u3002
\u3053\u3046\u306a\u3063\u305f\u3089\u3042\u306e\u624b\u3092\u4f7f\u3046\u304b\u3001\u3068\u982d\u306e\u7247\u9685\u306b\u3042\u3063\u305f\u3042\u308b\u624b\u6bb5\u306b\u7740\u624b\u3057\u307e\u3057\u305f\u3002

\u305d\u308c\u306fHTML\u6bb5\u968e\u3067\u306e\u4ed5\u8fbc\u307f\u3002
<a href=”ms-excel:ofe|u|http:\/\/localhost\/helper.xlsm”>\u3067URI\u547c\u3073\u51fa\u3057\u3059\u308b\u524d\u306b Ajax\uff08javascript\u306eXMLHttpRequest\uff09\u3067localhost\u306e.php\u3092\u547c\u3073Excel\u306b\u6e21\u3057\u3066\u3082\u3089\u3044\u305f\u3044\u30d1\u30e9\u30e1\u30fc\u30bf\u3092\u3001Apache24\/htdocs\/cmd.txt \u30d5\u30a1\u30a4\u30eb\u306b\u51fa\u529b\u3057\u3066\u3082\u3089\u3046\u3068\u3044\u3046\u3082\u306e\u3002
\u3067\u3001Excel\u30de\u30af\u30ed\u306f\u8d77\u52d5\u3057\u305f\u3089\u305d\u306e\u30d5\u30a1\u30a4\u30eb\u3092\u8aad\u307f\u8fbc\u307f\u3001\u30d1\u30e9\u30e1\u30fc\u30bf\u306b\u5f93\u3063\u3066\u51e6\u7406\u3092\u3059\u308b\u3002
\u753b\u9762\u306f\u51fa\u3066\u3053\u306a\u304f\u3066\u3082\u30d5\u30a1\u30a4\u30eb\u306a\u3089\u96a0\u305b\u306a\u3044\u306f\u305a\u3002

\u7d50\u679c\u304b\u3089\u66f8\u304f\u3068\u305d\u308c\u3067\u3088\u3046\u3084\u304f\u6210\u529f\u3057\u307e\u3057\u305f\u3002
\u305d\u308c\u306f \u3064\u3065\u304d<\/a> \u3067\u3002<\/p>\n","protected":false},"excerpt":{"rendered":"

Apache\u304b\u3089\u547c\u3070\u308c\u305fPHP\u306b\u30d7\u30ed\u30bb\u30b9\u8d77\u52d5\u3092\u3057\u3066\u3082\u3089\u3063\u3066\u3082\u3001\u753b\u9762\u3092\u30c7\u30b9\u30af\u30c8\u30c3\u30d7\u306b\u51fa\u3057\u3066\u304f\u308c\u307e\u305b\u3093\u3067\u3057\u305f\u3002\u305d\u306e\u8a66\u884c\u932f\u8aa4\u3002<\/p>\n","protected":false},"author":1,"featured_media":600,"comment_status":"open","ping_status":"closed","sticky":false,"template":"wp-custom-template-x24-index","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[21,23,14,24],"_links":{"self":[{"href":"https:\/\/web.cloudfree.jp\/journal\/wp-json\/wp\/v2\/posts\/608"}],"collection":[{"href":"https:\/\/web.cloudfree.jp\/journal\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/web.cloudfree.jp\/journal\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/web.cloudfree.jp\/journal\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/web.cloudfree.jp\/journal\/wp-json\/wp\/v2\/comments?post=608"}],"version-history":[{"count":0,"href":"https:\/\/web.cloudfree.jp\/journal\/wp-json\/wp\/v2\/posts\/608\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/web.cloudfree.jp\/journal\/wp-json\/wp\/v2\/media\/600"}],"wp:attachment":[{"href":"https:\/\/web.cloudfree.jp\/journal\/wp-json\/wp\/v2\/media?parent=608"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/web.cloudfree.jp\/journal\/wp-json\/wp\/v2\/categories?post=608"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/web.cloudfree.jp\/journal\/wp-json\/wp\/v2\/tags?post=608"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}