admin/Penetration_Testing_POC
1
0
Fork 0
mirror of https://github.com/Mr-xn/Penetration_Testing_POC.git synced 2025-11-04 18:17:55 +00:00
Code Issues Packages Projects Releases Wiki Activity
Penetration_Testing_POC/books/记一次Spring boot框架代审与思考.html

468 lines
322 KiB
HTML
Raw Permalink Normal View History

add 漏洞复现+代码审计+IOT相关文章合计61篇 (Nday)泛微E-office 10 OfficeServer.php 下载_上传漏洞分析 2024 RWCTF群晖 BC500摄像头RCE--未授权_栈溢出 CVE-2024-30188 Apache DolphinScheduler 任意文件读写漏洞分析 CVE-2024-36412 SuiteCRM未授权sql注入分析 CVE-2024-38856 Apache OFBiz Authentication Bypass CVE-2024-43044 Jenkins Remoting远程代码执行漏洞分析 Dedecms后台RCE的一些方法 – fushulingのblog Exchange邮服渗透技巧 H3C-iMC智能管理中心autoDeploy. JAVA安全之Velocity模板注入刨析 Laravel 11.x 反序列化链分析 Nacos 0day(derby_源码)分析 _ 不出网利用 Nacos <=2.4.0.1 任意文件读写删 Spring Cloud Data Flow 漏洞分析(CVE-2024-22263_CVE-2024-37084) Unnamed page.NET恶意软件Dark Crystal RAT的详细样本分析 Zimbra 邮服渗透技巧 Zimbra邮服渗透技巧 java中js命令执行与绕过 - unam4 java中js命令执行的攻与防 wookteam协作平台searchinfo接口SQL注入漏洞分析 【原创】Xinhu RockOA v2.6.2 SQL注入漏洞 _ 安全团队贡献平台 【原创】(CVE-2024-7919)安徽德顺智能科技有限公司 JIELINK_ INTELLIGENT TERMINAL OPERATION PLATROFM 未授权访问漏洞 _ 安全团队贡献平台 【原创】(CVE-2024-7920)安徽德顺智能科技有限公司 JIELINK_ INTELLIGENT TERMINAL OPERATION PLATROFM 信息泄露漏洞 _ 安全团队贡献平台 【原创】(CVE-2024-7921)安徽德顺智能科技有限公司 JIELINK_ INTELLIGENT TERMINAL OPERATION PLATROFM 信息泄露漏洞 _ 安全团队贡献平台 万户graph include.jsp sql注入的漏洞分析 万户oa中receivefile_gd存在SQL注入 亿赛通新一代电子文档安全管理系统 SecretKeyService SQL注入漏洞 亿赛通新一代电子文档安全管理系统 logincontroller JNDI注入致远程代码执行漏洞(XVE-2024-8758) 亿赛通新一代电子文档安全管理系统-LogDownLoadService-mssql-sql注入漏洞分析 亿赛通电子文档安全管理系统 CDGAuthoriseTempletService1 SecretLevelId SQL注入漏洞代码分析 亿赛通电子文档安全管理系统 CDGAuthoriseTempletService1 SecretLevelId SQL注入漏洞代码分析2 亿赛通电子文档安全管理系统DecryptionApp反序列化漏洞RCE 从seacms12.9教你学会代码审计 代码审计之nbcio-boot从信息泄露到Getshell 信呼OA nickName SQL注入漏洞复现(XVE-2024-19304) 内网活动目录利用方法 内网渗透横向移动技巧 域内日志分析 安卓逆向——Frida的进阶用法 帆软 FineReport ReportServer SQL注入致RCE漏洞 悦库企业网盘 userlogin 护网红队-从apk反编译审计到getshell全过程 易宝oa软件两处-ExecuteSqlForSingle注入分析与复现 智慧校园(安校易)管理系统 ReceiveClassVideo.ashx 存在文件上传漏洞 比较有意思的几个漏洞挖掘记录 泛微e-cology testConnByBasePassword JDNI注入致远程代码执行漏洞分析(XVE-2024-20913) 泛微云桥e-Bridge addResume任意文件上传漏洞分析 浅析通天星CMSV6车载定位监控平台远程代码执行漏洞 海康威视iSecure Center综合安防管理平台认证绕过分析 海康威视综合安防管理平台clusters页面文件上传漏洞 海康威视综合安防管理平台uploadAllPackage任意文件上传漏洞复现分析 海康威视综合安防系统 detection 接口远程命令执行 深澜认证计费系统代码审计(登录绕过_前后台RCE_文件读取_信息泄漏_XXS_SSRF) 用友NC complainbilldetail SQL注入漏洞 用友致远OA后台RCE constDef.do命令执行漏洞分析 积木报表AviatorScript代码注入RCE分析 章管家印章智慧管理平台 listUploadIntelligent接口sql注入漏洞分析与复现 蓝凌OA WechatLoginHelper.do SQL注入漏洞复现分析 记一次Spring boot框架代审与思考 记一次对通天星CMSV6车载视频监控平台的多个漏洞(getImage、delete.do、disable、merge、upload、SESSION伪造、StandardLoginAction_getAllUser、反序列化、xz_center)分析复现 记一次有趣的通达OA审计过程
2024-08-30 22:09:31 -07:00
<!DOCTYPE html> <html lang=en style><!--
Page saved with SingleFile
url: https://xz.aliyun.com/t/15389
--><meta charset=utf-8>
<title>记一次Spring boot框架代审与思考</title>
<meta name=description content=先知社区,先知安全技术社区>
<meta name=viewport content="width=device-width,initial-scale=1.0,minimum-scale=1.0,maximum-scale=1.0,user-scalable=no">
<style>/*!
* Bootstrap v2.3.1
*
* Copyright 2012 Twitter, Inc
* Licensed under the Apache License v2.0
* http://www.apache.org/licenses/LICENSE-2.0
*
* Designed and built with all the love in the world @twitter by @mdo and @fat.
*/.clearfix:before,.clearfix:after{display:table;line-height:0;content:""}.clearfix:after{clear:both}footer{display:block}html{font-size:100%;-webkit-text-size-adjust:100%;-ms-text-size-adjust:100%}a:focus{outline:thin dotted #333;outline:5px auto -webkit-focus-ring-color;outline-offset:-2px}a:hover,a:active{outline:0}img{height:auto;vertical-align:middle;border:0;-ms-interpolation-mode:bicubic}input{margin:0}button{-webkit-appearance:button}@media print{*{color:#000!important;text-shadow:none!important;background:transparent!important;box-shadow:none!important}a,a:visited{text-decoration:underline}a[href]:after{content:" ("attr(href)")"}.ir a:after,a[href^="javascript:"]:after,a[href^="#"]:after{content:""}pre{border:1px solid #999;page-break-inside:avoid}img{page-break-inside:avoid}img{max-width:100%!important}@page{margin:.5cm}p,h2,h3{orphans:3;widows:3}h2,h3{page-break-after:avoid}}body{margin:0;font-family:"Helvetica Neue",Helvetica,Arial,sans-serif;font-size:14px;line-height:20px;color:#333}a{text-decoration:none}a:hover,a:focus{color:#005580;text-decoration:underline}.row:before,.row:after{display:table;line-height:0;content:""}.row:after{clear:both}.container{width:940px}.span10{width:780px}.container{margin-right:auto;margin-left:auto}.container:before,.container:after{display:table;line-height:0;content:""}.container:after{clear:both}p{margin:0 0 10px}strong{font-weight:bold}.text-right{text-align:right}.text-center{text-align:center}h1,h2,h3,h4{margin:10px 0;font-family:inherit;font-weight:bold;line-height:20px;color:inherit;text-rendering:optimizelegibility}h4{font-size:17.5px}ul{padding:0}hr{margin:20px 0;border:0;border-top:1px solid #eee;border-bottom:1px solid #fff}code,pre{color:#333;-webkit-border-radius:3px;-moz-border-radius:3px}code{color:#d14}pre{display:block;margin:0 0 10px;word-break:break-all;white-space:pre-wrap;border:1px solid rgba(0,0,0,0.15);-webkit-border-radius:4px;-moz-border-radius:4px}pre code{color:inherit}input{font-weight:normal}input{font-family:"Helvetica Neue",Helvetica,Arial,sans-serif}input[type="text"]{display:inline-block;padding:4px 6px;margin-bottom:10px;font-size:14px;line-height:20px;vertical-align:middle;-webkit-border-radius:4px;-moz-border-radius:4px}input{width:206px}input[type="text"]{background-color:#fff;-webkit-box-shadow:inset 0 1px 1px rgba(0,0,0,0.075);-moz-box-shadow:inset 0 1px 1px rgba(0,0,0,0.075);box-shadow:inset 0 1px 1px rgba(0,0,0,0.075);-webkit-transition:border linear .2s,box-shadow linear .2s;-moz-transition:border linear .2s,box-shadow linear .2s;-o-transition:border linear .2s,box-shadow linear .2s;transition:border linear .2s,box-shadow linear .2s}textarea:focus,input[type="text"]:focus,input[type="password"]:focus,input[type="datetime"]:focus,input[type="datetime-local"]:focus,input[type="date"]:focus,input[type="month"]:focus,input[type="time"]:focus,input[type="week"]:focus,input[type="number"]:focus,input[type="email"]:focus,input[type="url"]:focus,input[type="search"]:focus,input[type="tel"]:focus,input[type="color"]:focus,.uneditable-input:focus{border-color:rgba(82,168,236,0.8);outline:0;outline:thin dotted \9;-webkit-box-shadow:inset 0 1px 1px rgba(0,0,0,0.075),0 0 8px rgba(82,168,236,0.6);-moz-box-shadow:inset 0 1px 1px rgba(0,0,0,0.075),0 0 8px rgba(82,168,236,0.6);box-shadow:inset 0 1px 1px rgba(0,0,0,0.075),0 0 8px rgba(82,168,236,0.6)}input::-webkit-input-placeholder,textarea::-webkit-input-placeholder{color:#999}input{margin-left:0}input:focus:invalid,textarea:focus:invalid,select:focus:invalid{color:#b94a48;border-color:#ee5f5b}input:focus:invalid:focus,textarea:focus:invalid:focus,select:focus:invalid:focus{border-color:#e9322d;-webkit-box-shadow:0 0 6px #f8b9b7;-moz-box-shadow:0 0 6px #f8b9b7;box-shadow:0 0 6px #f8b9b7}.fade{opacity:0;-webkit-transition:opacity .15s linear;-moz-transition:opacity .15s linear;-o-transition:opacity .15s linear}.collapse{position:relative;-webkit-transition:height .35s ease;-moz-transition:height .35s ease;-o-transition:height .35s ease;transition:height .35s ease}.btn{text-shadow:0 1px 1px rgba(25
<style>/*! Editor.md v1.5.0 | editormd.min.css | Open source online markdown editor. | MIT License | By: Pandao | https://github.com/pandao/editor.md | 2015-06-09 *//*! prefixes.scss v0.1.0 | Author: Pandao | https://github.com/pandao/prefixes.scss | MIT license | Copyright (c) 2015 */@media only screen and (-webkit-min-device-pixel-ratio:2),only screen and (min-device-pixel-ratio:2){}@media only screen and (-webkit-min-device-pixel-ratio:3),only screen and (min-device-pixel-ratio:3){}/*! prefixes.scss v0.1.0 | Author: Pandao | https://github.com/pandao/prefixes.scss | MIT license | Copyright (c) 2015 *//*!
* Font Awesome 4.3.0 by @davegandy - http://fontawesome.io - @fontawesome
* License - http://fontawesome.io/license (Font: SIL OFL 1.1, CSS: MIT License)
*/@font-face{font-family:FontAwesome;src:/* original URL: https://xz.aliyun.com/static/editor.md/fonts/fontawesome-webfont.woff2?v=4.3.0 */url(data:font/woff2;base64,d09GMgABAAAAAN3MAA4AAAAB3OQAAN1sAAQAxQAAAAAAAAAAAAAAAAAAAAAAAAAAP0ZGVE0cGh4GYACFQhEICobjZIW0WgE2AiQDkSoLiFwABCAFhwAHqx4/d2ViZgZbBYBxhnF7IVHRnVDqt/fSG4cZBbodREHF77duhex8Mb6j/fmp2f///78gWYzh7g+8R0BUdTpLW1Uzsp76hCzI4aYUR8pes2MocNQ2YvKKbApmLWu/bv7ALkc1B+aeVCsz1YrjaYsVnkxwJujIZWwn5gjVfIgmhc3in0QhmV5maXZNM1xTKb1RmAdM/OaNTl/mtoIrW/khyLhT5xe7bVH4fZGXVpFvuchr9JDG3Mcoh7mswgQxQVK8XUETf1CxbfHOtB+kxeznYk7Tc0VQvAs3ZHw4fkX+eKbZae3Ga4yTuqW4ivdfEynv1GrGUEu4OnTzzcjOrvA9euKJJn93ZAnl2I4SDS0d71OE52stez2NiwEECTzlA0CWsDwIHxnjUh747oQ+4/cPz8+ttyIXzTZiY4wxosaI3F8QvVEho0JSWt0kWiUlDEAMbFRUsJgZKGcUGHVmnTf/P6e9Zz8P5jE8wRUMwwiRViAUd39KoXMKlV2UsWpdN25qBwAP0n35Mpmf+bvg9ZtKfIuWauEin8QFPnQhqjHdubkgORdjw60F1Hm3BRSOpS8r3c6XU/9/JMdJqrGKafqQYMBQSgy6BEkN2ozu0jp/p5EMSdFJDElKASzB5dwOFDbt5x1Rt2WVqTHYdx+5Xp9Ufm9KBtkmlgURoo8tj////Z9a0ixLyWLsAGIB+Eoqp6lnC5QCOfox/PnFQ4BJkcOC2NkzE2qySKkd7EB0X2SssjuTJ374/zn7zhne2jm7fiUkyEiwBGin9SnjfqWFGqXyrNPtdoTk/iS7nvwSR9pOTPBCIAlSpUo50teOPKprzxRrm9+ChuQfqzJE8Bbl26JpGFbqfrX84LxQBx3aIebKK51pt3LCe3dPaIcrAGrDFXAd7qRJJ7W7e7L0z7L00hPYSSrgWlB0qYKDoXOBwQPRquJvWcPzc+sBI3pUj9GjxgIGG+yvAlaMBaxgY2PUYERvgIiAEiaIJ1NUPDFQwcLAujTqTr1QLioZ3GbIHTEdYnpCesfDy9dvB4B4+Vba/vPP6au23oy0eHeVXxgzGuGtTG1zt4lDgpCDCDHInDqlDmgAeK+jJZIEuJ9bmCpbL8Z0vvFwr84+jRRnNzOSkyPg6srryLIDS/CREjejVnMMEDioCIrqv3XCmO6lA/N4Lf1ua0oVVekIinqBkbCY5N/3nRqiAWisW2xsNBbsUxu11kXxz8lWB4c3sN3ekYiAEGAAByO382+qZQuQxImXstYh60J3LrpdOaX23OWinx9mwP//fAAzA5CcGYAkAFIiAEriDAiJAMndAQjqAJCgKWrvHpebtWs/re72nVaXEjCgtAQp6RHUJspJ2gupsq9yyLHo/Vy5u+v8rqhclS5d2qVdtLX/3nRVKsauMS47Z4JoNru6yNjUBvn73WqpW0jQLWxLIxDCSgwlBzcSzMxJwozQOiGBVpiZtY7hnPstYGiNbWEF5wTrxFmYdcxak56xPgku3HDDS8ILnYkuDi8MnQvCI3jcT216ZaMrjPl5GWYAIByhr51xVXZju0G5EtXIfqYwq7s4NLhgeu2nvYsxpRohhSTYCoItYM27+X/m/PxE6+tJNw9faWYRRohBDMIYh3z8h1yy6QEzqRlrM0ghSOsQ+ShkO2LOCgqadP5MQjyDih2k2EHqttndgXsdI1Oga0jEvEe50TXItrpN9NIEBcQhscEo44wiaoTxcU2AAvxdwsQC+Ppw/kum+fD5u8BrSYNSgIiihg2AMccnArqsYJ2gmNlhnADg/vHOjV6AesO+/MmrlN8grD8CAnD8ERERq2e4xrw61HwHQX8hVkPGCIADEJRmLCNsYzeTnAWcZnbH7osIzSEbGYvULv/7qJdPYalrqK/xvNrG/vmB3hmw4yOMWoM+4zyt158PeG80n4NP5BkGyRJu62dDPTINSpg2S/aEQH1fYmH9GoDFAURIy8JOAPQ+olD/RszU+DcQnfyXjKqKpWkxC3B+cn7qu+8P/zw8HGWmGhXmmMGhgEUOgwwppiB4OIEDmIPxlOSe+zqPfVuXeRqHvhveVZsW/nw1V6A6M4KhLcWhuFu/4O3fRKWuHfUc9G7G94SL4vR/rZ8Ub5iZP5cz9tlk/wtG9+s3PxmuMdIjm1qu7k+tQYQCZTRkuAtSmLSs0uOxI64zaboh3cTIf720EgwvjBKMYQmjxBNnkRyxseNc0nKZeZURGC+VioZVLFpliSPBSR6sepFcJRcWptiE61cRFstAMUgzXiIy9GFHp+YbdyPuTxi7mhkEy8HFEDtgQNiOpK3nWM1fDipB52FSVfCgaWZDZnBCmAEeY8qnhJXDtZpO3WARXEKSWONEF/OsMAUcncfXXJFOO07iwB9ZEC0Rx0w1XBF7LMNQps6RTRBgUkR4wysExmnkzVyanU2yQYoszPOCt7CyWSNhx2qJx6pQUFg9hF2rc4J4PRPD0s0/9mU9Xqti6iyt5m0wwu0LiQ7ss4x0xMnZYuElJ+YetZyQxFx641j/Yal5weLc8H/4fYKnutlzOe9R93rRMaSyJxXDwDOMtpVPhX8gHQkPZmFUmIukZ5itm4mgwdiCoXPLPt00dun4zJgyQ9WC7G9fKMSWv+rce6CmkNdcMj+29sKV6uuvzwGeYccKULEvDBbrFO98vT95Kr/X7EtB7aHcN4I8HwSyFyfYSQs5dWoQETxfhzg8XPRHDn4aAy4I0jgMd/YKhhTQGIIUaXr2SIGtQ7a8shpQ3Kd5HJl3uSm6jiggOo0lmJgU7BnW+tsbN8Ytnz/NF85mdb1xJBbSr53bKHWNFTs3NfjC7NyZs68AVT/AmfztCK2JuKyYoe3JQOL1Ez4+e4nP3Tznw51cp8n/f29xXJIeDFoytH2UdswpLxZj5TQ/jKFp0HleHN6iBgbGIDNIoG0AbzSe+hYvI/CmIZ9/+tzFx4LT+VwmKJiHptTdPu9IqvO/cQB4Z8WYj9vFB3NNh/CqqTs3L8sqbfk18wPSsZY1c3ac68eisCvjt+6GslRjWA1Zxq+qdEAqc7sJOkCYAQZdZAG6Znb2s8hRfrlyeWqbnEMQ6RI2UMe1AQiF2QdBy28lB0y3Y9QUnneWbXwuEZlXIjGOWtQT75f9QOantcglVhUBA9/nscgFUqkPfpE3sEQNV0z5MgnVbqu6yqG0r1FihEcFynAafHXrm5sP+HRIVMrrc83SlwaAHpUNNtGUAG/NorLNojJrBbedljpgk7Y8n6QG7/0NlwJtE+j0URxOmtVfeGtPSSRmNoSRyVr0HTRbX6Vk74l5MrdxqLL/wsT+m8xKkTi52Q2Vbxac4ZGt4Arfhrgb/AND4tFY3Xm/Toh0KeIA86aziD28hvsDsGZM3xLKLrjCGsjCSanjTV/lp53WIUI5X7DkOtim0kaMQABwbaw1JvjjCooVnahJrl2NbeOlHmQesdeWcDDm151Uw4itkyRyhHa+o8AqzpAolQfERlyYrXU8TcoyZc3bc2TTc9bOxCSFlgOR+CCm78ShGPMgUNHUVT+NGMgx9p5S8ojoislOGDXJ/HWbpevnAhZjcJG83YRHZrg4cCyLbyfJZI3zAA43Mui7Z//EogzN/udIIqnSdh6czyF/f34cAaTNOCJtklgk8XEIm2roZAY9panWtZblERHrIhdamihzQ9G2dGx+KoTBSBdtWsddqEJaROCI9aSpbRbbKkm2iJSmPo9YyQRe6KnaxDO5/G4Kofm8n6jc6PLyujtlEPm9TWjKBUTWEmENgIcjSPJu8Kez/W0AQSD+uunlV58AGIOEAnOKGdJJPzDL9PHxvFpS0+Bk
<style>/*!
* Bootstrap Responsive v2.3.1
*
* Copyright 2012 Twitter, Inc
* Licensed under the Apache License v2.0
* http://www.apache.org/licenses/LICENSE-2.0
*
* Designed and built with all the love in the world @twitter by @mdo and @fat.
*/.clearfix:before,.clearfix:after{display:table;line-height:0;content:""}.clearfix:after{clear:both}@-ms-viewport{width:device-width}@media (min-width:768px) and (max-width:979px){}@media (max-width:767px){}@media print{}@media (min-width:1200px){.row{margin-left:-30px}.row:before,.row:after{display:table;line-height:0;content:""}.row:after{clear:both}[class*="span"]{float:left;min-height:1px;margin-left:30px}.container{width:1170px}.span10{width:970px}input{margin-left:0}}@media (min-width:768px) and (max-width:979px){.row{margin-left:-20px}.row:before,.row:after{display:table;line-height:0;content:""}.row:after{clear:both}[class*="span"]{float:left;min-height:1px;margin-left:20px}.container{width:724px}.span10{width:600px}input{margin-left:0}}@media (max-width:767px){body{padding-right:0px;padding-left:0px}.container{width:auto}.row{margin-left:0}[class*="span"]{display:block;float:none;width:100%;margin-left:0;-webkit-box-sizing:border-box;-moz-box-sizing:border-box;box-sizing:border-box}.modal{position:fixed;right:20px;left:20px;width:auto;margin:0}.modal.fade{top:-100px}}@media (max-width:480px){.nav-collapse{-webkit-transform:translate3d(0,0,0)}.modal{top:10px;right:10px;left:10px}}@media (max-width:979px){body{padding-top:0}.navbar .container{width:auto;padding:0}.navbar .brand{padding-right:10px;padding-left:10px}.nav-collapse{clear:both}.nav-collapse.collapse{height:0;overflow:hidden}}@media (min-width:980px){.nav-collapse.collapse{height:auto!important;overflow:visible!important}}</style>
<style>li{line-height:26px}a:hover{text-decoration:none}.post-user-action>span{margin-right:10px;line-height:21px;border:none}.post-user-action .i-seprator{color:rgba(0,0,0,0.1);margin:0 2px}.navbar .brand{padding:0;height:50px;margin-left:0;display:inline-block!important;background-repeat:no-repeat;width:120px;background-size:207px 50px;background-image:/* original URL: https://xz.aliyun.com/static/icon/xianzhi-brand.svg */url(data:image/svg+xml;base64,PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0idXRmLTgiPz4KPCEtLSBHZW5lcmF0b3I6IEFkb2JlIElsbHVzdHJhdG9yIDIxLjEuMCwgU1ZHIEV4cG9ydCBQbHVnLUluIC4gU1ZHIFZlcnNpb246IDYuMDAgQnVpbGQgMCkgIC0tPgo8c3ZnIHZlcnNpb249IjEuMSIgaWQ9IuWbvuWxgl8xIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hsaW5rIiB4PSIwcHgiIHk9IjBweCIKCSB2aWV3Qm94PSIwIDAgODAwLjQgMTMwLjQiIHN0eWxlPSJlbmFibGUtYmFja2dyb3VuZDpuZXcgMCAwIDgwMC40IDEzMC40OyIgeG1sOnNwYWNlPSJwcmVzZXJ2ZSI+CjxzdHlsZSB0eXBlPSJ0ZXh0L2NzcyI+Cgkuc3Qwe2ZpbGw6IzM3M0Q0MTt9Cjwvc3R5bGU+Cjx0aXRsZT7lhYjnn6XmioDmnK/npL7ljLo8L3RpdGxlPgo8Zz4KCTxwb2x5Z29uIGNsYXNzPSJzdDAiIHBvaW50cz0iMCwxMjEuNCAwLDI3LjMgNTYuMywyNy4zIAkiLz4KCTxwb2x5Z29uIGNsYXNzPSJzdDAiIHBvaW50cz0iODkuOSw4LjQgODkuOSwxMDIuNSAzMy41LDEwMi41IAkiLz4KPC9nPgo8cGF0aCBjbGFzcz0ic3QwIiBkPSJNMTMwLjcsNTguNGMtMi4zLTEuNC00LjctMi45LTcuMi00LjVjNi02LjksMTAuNy0xNi4yLDE0LjEtMjcuOWw4LjMsMS43Yy0wLjcsMS42LTEuNiwzLjktMi44LDYuOQoJYy0wLjcsMi4zLTEuMywzLjktMS43LDQuOGgxNy41VjI0aDguM3YxNS41aDI5LjZWNDdoLTI5LjZ2MTUuMWgzNC43VjcwaC0yNi41djIxLjNjLTAuMiwzLjQsMS42LDUsNS41LDQuOGg3LjIKCWMzLjIsMC4yLDUuMy0xLjMsNi4yLTQuNWMwLjItMS40LDAuNS00LjEsMC43LTguM2MwLDAuNywwLjEtMC4xLDAuMy0yLjRsNy42LDIuOGMtMC4yLDQuMS0wLjcsNy45LTEuNCwxMS40CgljLTEuNiw2LTUuOCw4LjgtMTIuNyw4LjZoLTEwLjdjLTcuNiwwLjItMTEuMi0zLjItMTEtMTAuM1Y3MC4xaC0xNS44djMuMWMwLDE1LjQtOS4xLDI2LjQtMjcuMiwzM2MtMS40LTIuMS0zLTQuNi00LjgtNy42CglDMTM1LjEsOTQsMTQzLDg1LjQsMTQzLDcyLjhWNzBoLTIyLjd2LTcuOWgzOC41VjQ3aC0yMS4zQzEzNS41LDUxLjEsMTMzLjIsNTQuOSwxMzAuNyw1OC40eiIvPgo8cGF0aCBjbGFzcz0ic3QwIiBkPSJNMjEzLjIsNTQuNmMtMC41LTAuMi0xLjItMC43LTIuMS0xLjRjLTEuOC0xLjQtMy4yLTIuMy00LjEtMi44YzQuOC04LjksOC4xLTE3LjksMTAtMjYuOGw3LjYsMS40CgljLTAuNSwxLjgtMS4zLDQuNC0yLjQsNy42Yy0wLjIsMS4yLTAuNSwyLTAuNywyLjRoMjQuMXY3LjJoLTEyYzAsOC43LTAuMSwxNC45LTAuMywxOC42aDE0LjFWNjhoLTE0LjhjMCwyLjMtMC4yLDQuNS0wLjcsNi41CgljMS42LDEuNiwzLjgsNCw2LjUsNy4yYzQuNiw0LjgsOCw4LjYsMTAuMywxMS40bC01LjgsNS4yYy0wLjktMS4yLTIuMy0yLjgtNC4xLTQuOGMtMS44LTIuMy00LjgtNS44LTguOS0xMC43CgljLTIuNSw3LjgtOC40LDE1LjUtMTcuNSwyMy4xYy0yLjMtMi44LTQuMS00LjgtNS41LTYuMmMxMS4yLTguOSwxNy4zLTE5LjUsMTguMi0zMS43aC0xNy4ydi03LjJoMTcuNWMwLjItMy45LDAuMy0xMC4xLDAuMy0xOC42CgloLTYuOUMyMTcuMSw0Ni4zLDIxNS4zLDUwLjQsMjEzLjIsNTQuNnogTTI1MS40LDEwMi43VjMxLjloMzUuOHY3MC41aC04LjN2LTcuNmgtMTkuNnY3LjlDMjU5LjMsMTAyLjcsMjUxLjQsMTAyLjcsMjUxLjQsMTAyLjd6CgkgTTI1OS4zLDM5LjR2NDcuOGgxOS42VjM5LjRIMjU5LjN6Ii8+CjxwYXRoIGNsYXNzPSJzdDAiIGQ9Ik0yOTcuMiw4MS4xYy0wLjItMC45LTAuNi0yLjMtMS00LjFjLTAuNy0xLjgtMS4yLTMuMi0xLjQtNC4xYzkuMi02LjIsMTYuNC0xNC4zLDIxLjctMjQuNGgtMTkuNnYtNi45aDI3LjV2Ny4yCgljLTIuNSw1LjUtNS40LDEwLjQtOC42LDE0Ljh2NDIuM2gtNy42VjcyLjFDMzA1LDc1LjEsMzAxLjQsNzguMSwyOTcuMiw4MS4xeiBNMzExLjcsNDAuNWMtMC4yLTAuNS0wLjYtMS4xLTEtMi4xCgljLTIuOC02LTQuNi05LjctNS41LTExLjRsNi45LTMuMWMwLjcsMS4yLDEuOCwzLjMsMy40LDYuNWMxLjYsMywyLjgsNS4yLDMuNCw2LjVMMzExLjcsNDAuNXogTTMyNi44LDgwLjcKCWMtMS42LTIuMS00LjctNS42LTkuMy0xMC43Yy0wLjItMC4yLTAuNS0wLjUtMC43LTAuN2w0LjgtNC41YzIuMSwxLjgsNC45LDQuNiw4LjYsOC4zYzEuMSwxLjIsMS45LDIsMi40LDIuNEwzMjYuOCw4MC43egoJIE0zMjguNSw1Ni42VjQ5aDE4LjZWMjQuM2g4LjN2MjQuOEgzNzV2Ny42aC0xOS42djM5LjJoMjIuNHY2LjloLTUzdi02LjloMjIuNFY1Ni42SDMyOC41eiIvPgo8cGF0aCBjbGFzcz0ic3QwIiBkPSJNMzg5LjgsMTAxLjRWMjkuMUg0NjJ2Ny42aC02NC4zdjU3LjhoNjUuN3Y2LjlIMzg5Ljh6IE00NTAuMyw5MC40Yy02LjItNi42LTEyLjYtMTMtMTkuMy0xOC45CgljLTYsNS43LTEzLjQsMTIuMy0yMi40LDE5LjZjLTEuNC0xLjYtMy40LTMuOC02LjItNi41YzguMy01LjcsMTUuOC0xMiwyMi43LTE4LjljLTYuOS02LjQtMTMuOC0xMi43LTIwLjYtMTguOWw2LjItNS4yTDQzMSw2MC4yCgljNS41LTYuMiwxMC45LTEyLjgsMTYuMi0yMGw3LjIsNC41Yy01LjcsNy42LTExLjYsMTQuNC0xNy41LDIwLjZjNi45LDYuNywxMy42LDEzLDIwLjMsMTguOUw0NTAuMyw5MC40eiIvPgo8L3N2Zz4K)}.brand-box{position:absolute}.related-section{min-height:42px;padding:5
<style>a{color:#778087}.topic-list p{margin:0 0 0 0}.topic-content{min-height:40px}.attachment{padding:5px 10px}.collapse form{position:relative;width:300px;float:right}div.search{padding:10px 0}.d1 input{height:20px;padding-left:18px;border:1px solid #ddd;border-radius:15px;outline:none;background:#ffffff;color:#9E9C9C;float:right}.vote{font-weight:normal;margin-left:6px}.topic-list{word-break:break-all;word-wrap:break-word}ul{margin:0 0 10px 0}/*!*border-bottom: solid #eee 1px;*!*/.user-info{padding:5px 0 5px 0}.topic-info a,.topic-info{padding-top:5px}.topic-info a:hover{text-decoration:solid}.reminder{min-height:200px;border:1px #ddd solid;border-radius:3px;line-height:200px;text-align:center}</style>
<style>body{background-color:#eee}img{max-width:100%}form{margin:0!important}a:focus{text-decoration:none}.markdown-body p>code{white-space:normal;word-break:break-all;border:none!important}.box ul,ol{margin-bottom:0px!important}.box a:hover{text-decoration:none}.box-container>ul>li{list-style-type:none}#Wrapper .row.box{margin-left:0px}.navbar-inner{border-radius:0px;min-height:40px;padding-right:0px;padding-left:0px;outline:none;margin-bottom:0;list-style:none;z-index:1050;background:#fff;-webkit-box-shadow:0 1px 4px rgba(0,21,41,0.08);box-shadow:0 1px 4px rgba(0,21,41,0.08);line-height:46px;-webkit-transition:background .3s,width .2s;-o-transition:background .3s,width .2s;transition:background .3s,width .2s}.bs-docs-footer{text-align:left;color:#99979c;height:64px;background-color:#FFF;border-top:1px solid rgba(0,0,0,0.22);line-height:64px}.bs-docs-footer .links>a{display:inline-block;padding:0 12px;border-left:1px solid #e8e8e8;color:#8c8c8c;line-height:1}.bs-docs-footer .links>a:first-child{border-left:none}.box-container .user-info{margin-bottom:10px;background:#fff}.content-title{font-size:24px;color:#333;text-decoration:none;line-height:24px;text-shadow:0 1px 0#fff}.markdown-body h1,.markdown-body h2{border-bottom:none}.box-container{padding:20px}.breadcrumb{padding:8px 10px 8px 15px;margin-bottom:10px;border-radius:0;color:#000;background-color:#fff}.breadcrumb>li{text-shadow:none!important;margin:2px 0px}.active{text-shadow:none!important}.breadcrumb .active{color:#555;display:inline-block;text-shadow:none!important}.label{background-color:#f4f4f4;line-height:12px;display:inline-block;padding:4px 4px 4px 4px;-moz-border-radius:2px;-webkit-border-radius:2px;border-radius:2px;text-decoration:none;text-shadow:none;font-weight:normal}.topic-info{color:#999!important;font-size:12px!important}.topic-info a{padding:0px;color:#555!important;font-size:12px!important}.topic-info a:hover{color:#4d5256;text-decoration:underline}.topic-info .cell{padding-left:0!important;margin-left:0px;font-size:10px;font-weight:bold}.markdown-body img{max-width:90%!important;text-align:center;margin-left:auto;margin-right:auto;display:block;padding:10px 0px 10px 0px}.topic-info span{margin-left:0px;font-size:10px;color:rgba(0,0,0,0.45)}.btn{display:inline-block;padding:4px 12px;margin-bottom:0;font-size:14px;line-height:20px;background-color:#f4f4f4;color:#444;border-color:#ddd;font-family:"Helvetica Neue For Number",-apple-system,BlinkMacSystemFont,"Segoe UI",Roboto,"PingFang SC","Hiragino Sans GB","Microsoft YaHei","Helvetica Neue",Helvetica,Arial,sans-serif;-webkit-box-sizing:border-box;box-sizing:border-box;margin:0;list-style:none;font-weight:400;text-align:center;cursor:pointer;background-image:none;white-space:nowrap;border-radius:2px;height:32px;-webkit-user-select:none;-moz-user-select:none;-ms-user-select:none}.box{font-family:Monospaced Number,Chinese Quote,-apple-system,BlinkMacSystemFont,Segoe UI,Roboto,PingFang SC,Hiragino Sans GB,Microsoft YaHei,Helvetica Neue,Helvetica,Arial,sans-serif;font-size:14px;line-height:1.5;color:rgba(0,0,0,0.65);-webkit-box-sizing:border-box;box-sizing:border-box;margin-top:0!important;margin-bottom:20px;padding:0;list-style:none;background:#fff;border-radius:2px;position:relative;-webkit-transition:all .3s;-o-transition:all .3s;transition:all .3s;-moz-box-shadow:0 1px 1px rgba(0,0,0,0.15);-webkit-box-shadow:0 1px 1px rgba(143,168,191,.35);box-shadow:0 1px 1px rgba(143,168,191,.35);border-bottom:1px solid #e2e2e9}.span10{float:left;min-height:1px}#Wrapper .span10{margin-left:0px!important;max-width:960px}@media (min-width:1200px){.container{width:82%!important}}@media screen and (min-width:1500px){#Wrapper.container,.navbar .navbar-inner .container,.bs-docs-footer .container{max-width:1100px!important}#Wrapper .span10{max-width:810px!important}}@media screen and (min-width:980px) and (max-width:1499px){#Wrapper.container,.navbar .navbar-inner .container,.bs-docs-footer .container{max-width:1100px!important}#Wrapper .span10{max-width:74%!important}}@media screen and (min-width:768px) and (max-wid
<style>/*! prefixes.scss v0.1.0 | Author: Pandao | https://github.com/pandao/prefixes.scss | MIT license | Copyright (c) 2015 */@media only screen and (-webkit-min-device-pixel-ratio:2),only screen and (min-device-pixel-ratio:2){}@media only screen and (-webkit-min-device-pixel-ratio:3),only screen and (min-device-pixel-ratio:3){}/*! prefixes.scss v0.1.0 | Author: Pandao | https://github.com/pandao/prefixes.scss | MIT license | Copyright (c) 2015 *//*!
* Font Awesome 4.3.0 by @davegandy - http://fontawesome.io - @fontawesome
* License - http://fontawesome.io/license (Font: SIL OFL 1.1, CSS: MIT License)
*/@font-face{font-family:"FontAwesome";src:/* original URL: https://xz.aliyun.com/static/editor.md/fonts/fontawesome-webfont.woff2?v=4.3.0 */url(data:font/woff2;base64,d09GMgABAAAAAN3MAA4AAAAB3OQAAN1sAAQAxQAAAAAAAAAAAAAAAAAAAAAAAAAAP0ZGVE0cGh4GYACFQhEICobjZIW0WgE2AiQDkSoLiFwABCAFhwAHqx4/d2ViZgZbBYBxhnF7IVHRnVDqt/fSG4cZBbodREHF77duhex8Mb6j/fmp2f///78gWYzh7g+8R0BUdTpLW1Uzsp76hCzI4aYUR8pes2MocNQ2YvKKbApmLWu/bv7ALkc1B+aeVCsz1YrjaYsVnkxwJujIZWwn5gjVfIgmhc3in0QhmV5maXZNM1xTKb1RmAdM/OaNTl/mtoIrW/khyLhT5xe7bVH4fZGXVpFvuchr9JDG3Mcoh7mswgQxQVK8XUETf1CxbfHOtB+kxeznYk7Tc0VQvAs3ZHw4fkX+eKbZae3Ga4yTuqW4ivdfEynv1GrGUEu4OnTzzcjOrvA9euKJJn93ZAnl2I4SDS0d71OE52stez2NiwEECTzlA0CWsDwIHxnjUh747oQ+4/cPz8+ttyIXzTZiY4wxosaI3F8QvVEho0JSWt0kWiUlDEAMbFRUsJgZKGcUGHVmnTf/P6e9Zz8P5jE8wRUMwwiRViAUd39KoXMKlV2UsWpdN25qBwAP0n35Mpmf+bvg9ZtKfIuWauEin8QFPnQhqjHdubkgORdjw60F1Hm3BRSOpS8r3c6XU/9/JMdJqrGKafqQYMBQSgy6BEkN2ozu0jp/p5EMSdFJDElKASzB5dwOFDbt5x1Rt2WVqTHYdx+5Xp9Ufm9KBtkmlgURoo8tj////Z9a0ixLyWLsAGIB+Eoqp6lnC5QCOfox/PnFQ4BJkcOC2NkzE2qySKkd7EB0X2SssjuTJ374/zn7zhne2jm7fiUkyEiwBGin9SnjfqWFGqXyrNPtdoTk/iS7nvwSR9pOTPBCIAlSpUo50teOPKprzxRrm9+ChuQfqzJE8Bbl26JpGFbqfrX84LxQBx3aIebKK51pt3LCe3dPaIcrAGrDFXAd7qRJJ7W7e7L0z7L00hPYSSrgWlB0qYKDoXOBwQPRquJvWcPzc+sBI3pUj9GjxgIGG+yvAlaMBaxgY2PUYERvgIiAEiaIJ1NUPDFQwcLAujTqTr1QLioZ3GbIHTEdYnpCesfDy9dvB4B4+Vba/vPP6au23oy0eHeVXxgzGuGtTG1zt4lDgpCDCDHInDqlDmgAeK+jJZIEuJ9bmCpbL8Z0vvFwr84+jRRnNzOSkyPg6srryLIDS/CREjejVnMMEDioCIrqv3XCmO6lA/N4Lf1ua0oVVekIinqBkbCY5N/3nRqiAWisW2xsNBbsUxu11kXxz8lWB4c3sN3ekYiAEGAAByO382+qZQuQxImXstYh60J3LrpdOaX23OWinx9mwP//fAAzA5CcGYAkAFIiAEriDAiJAMndAQjqAJCgKWrvHpebtWs/re72nVaXEjCgtAQp6RHUJspJ2gupsq9yyLHo/Vy5u+v8rqhclS5d2qVdtLX/3nRVKsauMS47Z4JoNru6yNjUBvn73WqpW0jQLWxLIxDCSgwlBzcSzMxJwozQOiGBVpiZtY7hnPstYGiNbWEF5wTrxFmYdcxak56xPgku3HDDS8ILnYkuDi8MnQvCI3jcT216ZaMrjPl5GWYAIByhr51xVXZju0G5EtXIfqYwq7s4NLhgeu2nvYsxpRohhSTYCoItYM27+X/m/PxE6+tJNw9faWYRRohBDMIYh3z8h1yy6QEzqRlrM0ghSOsQ+ShkO2LOCgqadP5MQjyDih2k2EHqttndgXsdI1Oga0jEvEe50TXItrpN9NIEBcQhscEo44wiaoTxcU2AAvxdwsQC+Ppw/kum+fD5u8BrSYNSgIiihg2AMccnArqsYJ2gmNlhnADg/vHOjV6AesO+/MmrlN8grD8CAnD8ERERq2e4xrw61HwHQX8hVkPGCIADEJRmLCNsYzeTnAWcZnbH7osIzSEbGYvULv/7qJdPYalrqK/xvNrG/vmB3hmw4yOMWoM+4zyt158PeG80n4NP5BkGyRJu62dDPTINSpg2S/aEQH1fYmH9GoDFAURIy8JOAPQ+olD/RszU+DcQnfyXjKqKpWkxC3B+cn7qu+8P/zw8HGWmGhXmmMGhgEUOgwwppiB4OIEDmIPxlOSe+zqPfVuXeRqHvhveVZsW/nw1V6A6M4KhLcWhuFu/4O3fRKWuHfUc9G7G94SL4vR/rZ8Ub5iZP5cz9tlk/wtG9+s3PxmuMdIjm1qu7k+tQYQCZTRkuAtSmLSs0uOxI64zaboh3cTIf720EgwvjBKMYQmjxBNnkRyxseNc0nKZeZURGC+VioZVLFpliSPBSR6sepFcJRcWptiE61cRFstAMUgzXiIy9GFHp+YbdyPuTxi7mhkEy8HFEDtgQNiOpK3nWM1fDipB52FSVfCgaWZDZnBCmAEeY8qnhJXDtZpO3WARXEKSWONEF/OsMAUcncfXXJFOO07iwB9ZEC0Rx0w1XBF7LMNQps6RTRBgUkR4wysExmnkzVyanU2yQYoszPOCt7CyWSNhx2qJx6pQUFg9hF2rc4J4PRPD0s0/9mU9Xqti6iyt5m0wwu0LiQ7ss4x0xMnZYuElJ+YetZyQxFx641j/Yal5weLc8H/4fYKnutlzOe9R93rRMaSyJxXDwDOMtpVPhX8gHQkPZmFUmIukZ5itm4mgwdiCoXPLPt00dun4zJgyQ9WC7G9fKMSWv+rce6CmkNdcMj+29sKV6uuvzwGeYccKULEvDBbrFO98vT95Kr/X7EtB7aHcN4I8HwSyFyfYSQs5dWoQETxfhzg8XPRHDn4aAy4I0jgMd/YKhhTQGIIUaXr2SIGtQ7a8shpQ3Kd5HJl3uSm6jiggOo0lmJgU7BnW+tsbN8Ytnz/NF85mdb1xJBbSr53bKHWNFTs3NfjC7NyZs68AVT/AmfztCK2JuKyYoe3JQOL1Ez4+e4nP3Tznw51cp8n/f29xXJIeDFoytH2UdswpLxZj5TQ/jKFp0HleHN6iBgbGIDNIoG0AbzSe+hYvI/CmIZ9/+tzFx4LT+VwmKJiHptTdPu9IqvO/cQB4Z8WYj9vFB3NNh/CqqTs3L8sqbfk18wPSsZY1c3ac68eisCvjt+6GslRjWA1Zxq+qdEAqc7sJOkCYAQZdZAG6Znb2s8hRfrlyeWqbnEMQ6RI2UMe1AQiF2QdBy28lB0y3Y9QUnneWbXwuEZlXIjGOWtQT75f9QOantcglVhUBA9/nscgFUqkPfpE3sEQNV0z5MgnVbqu6yqG0r1FihEcFynAafHXrm5sP+HRIVMrrc83SlwaAHpUNNtGUAG/NorLNojJrBbedljpgk7Y8n6QG7/0NlwJtE+j0URxOmtVfeGtPSSRmNoSRyVr0HTRbX6Vk74l5MrdxqLL/wsT+m8xKkTi52Q2Vbxac4ZGt4Arfhrgb/AND4tFY3Xm/Toh0KeIA86aziD28hvsDsGZM3xLKLrjCGsjCSanjTV/lp53WIUI5X7DkOtim0kaMQABwbaw1JvjjCooVnahJrl2NbeOlHmQesdeWcDDm151Uw4itkyRyhHa+o8AqzpAolQfERlyYrXU8TcoyZc3bc2TTc9bOxCSFlgOR+CCm78ShGPMgUNHUVT+NGMgx9p5S8ojoislOGDXJ/HWbpevnAhZjcJG83YRHZrg4cCyLbyfJZI3zAA43Mui7Z//EogzN/udIIqnSdh6czyF/f34cAaTNOCJtklgk8XEIm2roZAY9panWtZblERHrIhdamihzQ9G2dGx+KoTBSBdtWsddqEJaROCI9aSpbRbbKkm2iJSmPo9YyQRe6KnaxDO5/G4Kofm8n6jc6PLyujtlEPm9TWjKBUTWEmENgIcjSPJu8Kez/W0AQSD+uunlV58AGIOEAnOKGdJJPzDL9PHxvFpS0+
<style>@-webkit-keyframes a{0%{-webkit-transform:rotate(0deg);transform:rotate(0deg)}to{-webkit-transform:rotate(359deg);transform:rotate(359deg)}}@keyframes a{0%{-webkit-transform:rotate(0deg);transform:rotate(0deg)}to{-webkit-transform:rotate(359deg);transform:rotate(359deg)}}@media (max-width:800px){}</style>
<!--[if lte IE 8]>
<script src="http://code.jquery.com/jquery-1.11.3.min.js"></script>
<![endif]-->
<!--[if !IE]> -->
<style>#waf_nc_block{position:fixed;width:100%;height:100%;top:0;bottom:0;left:0;z-index:99999}</style><style>@media (pointer:coarse){@media only screen and (max-device-width:1024px){}@media only screen and (max-device-width:414px){}@media only screen and (max-device-width:320px){}}</style><style>@media screen and (max-width:768px){}</style><style>/*!
* Waves v0.7.5
* http://fian.my.id/Waves
*
* Copyright 2014-2016 Alfiana E. Sibuea and other contributors
* Released under the MIT license
* https://github.com/fians/Waves/blob/master/LICENSE
*/</style><style>@media (max-height:620px){}@media (max-height:783px){}@-webkit-keyframes srFadeInUp{0%{opacity:0;-webkit-transform:translateY(100px);transform:translateY(100px)}to{opacity:1;-webkit-transform:translateY(0);transform:translateY(0)}}@keyframes srFadeInUp{0%{opacity:0;-webkit-transform:translateY(100px);transform:translateY(100px)}to{opacity:1;-webkit-transform:translateY(0);transform:translateY(0)}}@-webkit-keyframes srFadeInDown{0%{opacity:1;-webkit-transform:translateY(0);transform:translateY(0)}to{opacity:0;-webkit-transform:translateY(100px);transform:translateY(100px)}}@keyframes srFadeInDown{0%{opacity:1;-webkit-transform:translateY(0);transform:translateY(0)}to{opacity:0;-webkit-transform:translateY(100px);transform:translateY(100px)}}</style><style>@-webkit-keyframes fadeOutUp{0%{opacity:1}to{margin-top:0;padding:0;height:0;min-height:0;opacity:0;-webkit-transform:scaleY(0);transform:scaleY(0)}}@keyframes fadeOutUp{0%{opacity:1}to{margin-top:0;padding:0;height:0;min-height:0;opacity:0;-webkit-transform:scaleY(0);transform:scaleY(0)}}@media (pointer:coarse){}</style><style>:root{--sr-annote-color-0:#b4d9fb;--sr-annote-color-1:#ffeb3b;--sr-annote-color-2:#a2e9f2;--sr-annote-color-3:#a1e0ff;--sr-annote-color-4:#a8ea68;--sr-annote-color-5:#ffb7da}</style><style>@-webkit-keyframes sr-annote-slideInUp{0%{opacity:0;-webkit-transform:translate3d(0,100%,0);transform:translate3d(0,100%,0);visibility:visible}to{opacity:1;-webkit-transform:translateZ(0);transform:translateZ(0)}}@keyframes sr-annote-slideInUp{0%{opacity:0;-webkit-transform:translate3d(0,100%,0);transform:translate3d(0,100%,0);visibility:visible}to{opacity:1;-webkit-transform:translateZ(0);transform:translateZ(0)}}@-webkit-keyframes sr-annote-slideInDown{0%{opacity:1;visibility:visible}to{opacity:0;-webkit-transform:translate3d(0,100%,0);transform:translate3d(0,100%,0)}}@keyframes sr-annote-slideInDown{0%{opacity:1;visibility:visible}to{opacity:0;-webkit-transform:translate3d(0,100%,0);transform:translate3d(0,100%,0)}}</style><style>@-webkit-keyframes fadeInUp{0%{opacity:0;-webkit-transform:translate3d(0,100%,0);transform:translate3d(0,100%,0)}to{opacity:1;-webkit-transform:translateZ(0);transform:translateZ(0)}}@keyframes fadeInUp{0%{opacity:0;-webkit-transform:translate3d(0,100%,0);transform:translate3d(0,100%,0)}to{opacity:1;-webkit-transform:translateZ(0);transform:translateZ(0)}}@-webkit-keyframes fadeOutDown{0%{opacity:1;-webkit-transform:translateZ(0);transform:translateZ(0)}to{opacity:0;-webkit-transform:translate3d(0,100%,0);transform:translate3d(0,100%,0)}}@keyframes fadeOutDown{0%{opacity:1;-webkit-transform:translateZ(0);transform:translateZ(0)}to{opacity:0;-webkit-transform:translate3d(0,100%,0);transform:translate3d(0,100%,0)}}@-webkit-keyframes scaleAnimation{0%{opacity:0;-webkit-transform:scale(1.5);transform:scale(1.5)}to{opacity:1;-webkit-transform:scale(1);transform:scale(1)}}@keyframes scaleAnimation{0%{opacity:0;-webkit-transform:scale(1.5);transform:scale(1.5)}to{opacity:1;-webkit-transform:scale(1);transform:scale(1)}}@-webkit-keyframes fadeOut{0%{opacity:1}to{opacity:0}}@keyframes fadeOut{0%{opacity:1}to{opacity:0}}@-webkit-keyframes fadeIn{0%{opacity:0}to{opacity:1}}@keyframes fadeIn{0%{opacity:0}to{opacity:1}}@-webkit-keyframes swing{20%{-webkit-transform:rotate(15deg);transform:rotate(15deg)}40%{-webkit-transform:rotate(-10deg);transform:rotate(-10deg)}60%{-webkit-transform:rotate(5deg);transform:rotate(5deg)}80%{-webkit-transform:rotate(-5deg);transform:rotate(-5deg)}to{-webkit-transform:rotate(0deg);transform:rotate(0deg)}}@keyframes swing{20%{-webkit-transform:rotate(15deg);transform:rotate(15deg)}40%{-webkit-transform:rotate(-10deg);transform:rotate(-10deg)}60%{-webkit-transform:rotate(5deg);transform:rotate(5deg)}80%{-webkit-transform:rotate(-5deg);transform:rotate(-5deg)}to{-webkit-transform:rotate(0deg);transform:rotate(0deg)}}</style><style>@-webkit-keyframes fadeInUp{0%{opacity:0;-webkit-transform:translate3d(0,100%,0);transform:translate3d(0,100%,0)}to{opacity:1;-webkit-transform:translateZ(0);transform:tra
<body>
<div class="navbar navbar-default">
<div class=navbar-inner>
<div class=container style=text-align:center;position:relative>
<!--[if lte IE 8]>
<span style="display:inline-block;margin:0 auto;color:red;">为了更好的体验请使用IE10及以上版本</span>
<![endif]-->
<div class=brand-box>
<a class=brand href=https://xz.aliyun.com/tab/1></a>
</div>
<a href="https://account.aliyun.com/login/login.htm?oauth_callback=https%3A%2F%2Fxz.aliyun.com%2Ft%2F15389&amp;from_type=xianzhi" class="pull-right anonymous-user hh_loding sf-hidden">
登录</a>
<div class="nav-collapse collapse">
<div class="search d1 text-right">
<form action=/search>
<input type=text placeholder=搜索 name=keyword value>
</form>
</div>
</div>
</div>
</div>
</div>
<div id=Wrapper class=container>
<div class=row2>
<div class=span10>
<div class="row box content" width="1200px !important" style=width:1200px>
<div class=box-container>
<div class=main-topic>
<div class="clearfix user-info topic-list">
<p><span class=content-title>记一次Spring boot框架代审与思考</span>
</p>
<div class=topic-info>
<span class=info-left>
<a href=https://xz.aliyun.com/u/78442>
<span class="username cell"> 爱*年</span></a> <span class=i-seprator> / </span>
<span> 2024-08-23 20:49:18</span><span class=i-seprator> / </span>
<span>发表于福建 / </span>
<span>浏览数 37</span>
<span class=content-node>
<span class="label label-default label-node-first">
<a href=https://xz.aliyun.com/tab/4>社区板块</a></span>
<span class="label label-default">
<a href=https://xz.aliyun.com/node/1>漏洞分析</a></span>
</span>
</span>
<span class="pull-right t-vote cell info-right"><a class="vote vote-up" href=javascript:void(0)>
顶(0)</a>
<a class="vote vote-down" href=javascript:void(0)>
踩(0)</a></span>
</div>
</div>
<hr>
<div id=topic_content class="topic-content markdown-body">
<h1>项目介绍</h1>
<p>这是一款基于SpringBoot+SpringSecurity的RBAC权限管理系统。原本只想着做成基于SpringSecurity的权限管理系统但随着功能的增加感觉有些刹不住车了之后可能会往后台管理系统方向发展。无任何重度依赖非常适合新手练习上手,项目文档从零开始,十分详细。</p>
<h1>项目搭建</h1>
<p>项目地址:<a href=https://gitee.com/witmy/my-springsecurity-plus target=_blank>https://gitee.com/witmy/my-springsecurity-plus</a></p>
<p>这个地址项目的是目前最新版,文章中审计的是先前的版本,部分漏洞最新版也存在,这个在文章中会说明,我会把老版本的漏洞产生代码段与新版本做对比,方便更直观理解漏洞的产生</p>
<p>打开项目等待maven加载</p>
<p><a id=img0 href=https://xzfile.aliyuncs.com/media/upload/picture/20240823202426-a316c714-614a-1.png><img src=data:, data-sf-original-src=https://xzfile.aliyuncs.com/media/upload/picture/20240823202426-a316c714-614a-1.png></a></p>
<p>修改配置文件,创建对应数据库</p>
<p>my-springsecurity-plus\src\main\resources\application.yml</p>
<p><a id=img1 href=https://xzfile.aliyuncs.com/media/upload/picture/20240823202434-a7b681ec-614a-1.png><img src=data:, data-sf-original-src=https://xzfile.aliyuncs.com/media/upload/picture/20240823202434-a7b681ec-614a-1.png></a></p>
<p>导入sql文件</p>
<p>sql文件my-springsecurity-plus\docs\sql\my-springsecurity-plus.sql</p>
<p><a id=img2 href=https://xzfile.aliyuncs.com/media/upload/picture/20240823202445-ae8748d0-614a-1.png><img src=data:, data-sf-original-src=https://xzfile.aliyuncs.com/media/upload/picture/20240823202445-ae8748d0-614a-1.png></a></p>
<p>导入完成后配置spring bootjdk版本1.8</p>
<p>配置完成后启动项目即可</p>
<p><a href=http://127.0.0.1:8088/login.html target=_blank>http://127.0.0.1:8088/login.html</a></p>
<p><a id=img3 href=https://xzfile.aliyuncs.com/media/upload/picture/20240823202454-b3bffdd8-614a-1.png><img src=data:, data-sf-original-src=https://xzfile.aliyuncs.com/media/upload/picture/20240823202454-b3bffdd8-614a-1.png></a></p>
<p>管理员账号admin/123456</p>
<p><a id=img4 href=https://xzfile.aliyuncs.com/media/upload/picture/20240823202459-b6d89dfe-614a-1.png><img src=data:, data-sf-original-src=https://xzfile.aliyuncs.com/media/upload/picture/20240823202459-b6d89dfe-614a-1.png></a></p>
<h1>漏洞挖掘</h1>
<h2 id=toc-0>SQL注入</h2>
<p>检查pom.xml文件发现导入了mybatis依赖</p>
<p><a id=img5 href=https://xzfile.aliyuncs.com/media/upload/picture/20240823202535-cc62170e-614a-1.png><img src=data:, data-sf-original-src=https://xzfile.aliyuncs.com/media/upload/picture/20240823202535-cc62170e-614a-1.png></a></p>
<p>初步判断使用,全局搜索关键词<code>${</code></p>
<p><a id=img6 href=https://xzfile.aliyuncs.com/media/upload/picture/20240823202542-d03bf82c-614a-1.png><img src=data:, data-sf-original-src=https://xzfile.aliyuncs.com/media/upload/picture/20240823202542-d03bf82c-614a-1.png></a></p>
<h3 id=toc-1>第一处</h3>
<p>my-springsecurity-plus\src\main\resources\mybatis-mappers\DictMapper.xml</p>
<p><a id=img7 href=https://xzfile.aliyuncs.com/media/upload/picture/20240823202547-d3b0d482-614a-1.png><img src=data:, data-sf-original-src=https://xzfile.aliyuncs.com/media/upload/picture/20240823202547-d3b0d482-614a-1.png></a></p>
<p>根据<strong>id</strong>搜索Dao层对应方法</p>
<p><a id=img8 href=https://xzfile.aliyuncs.com/media/upload/picture/20240823202553-d6e702de-614a-1.png><img src=data:, data-sf-original-src=https://xzfile.aliyuncs.com/media/upload/picture/20240823202553-d6e702de-614a-1.png></a></p>
<p>往上查调用到controller层</p>
<p><a id=img9 href=https://xzfile.aliyuncs.com/media/upload/picture/20240823202558-d9be9c4c-614a-1.png><img src=data:, data-sf-original-src=https://xzfile.aliyuncs.com/media/upload/picture/20240823202558-d9be9c4c-614a-1.png></a></p>
<p>接着查调用</p>
<p><a id=img10 href=https://xzfile.aliyuncs.com/media/upload/picture/20240823202606-def1653c-614a-1.png><img src=data:, data-sf-original-src=https://xzfile.aliyuncs.com/media/upload/picture/20240823202606-def1653c-614a-1.png></a></p>
<p>查到controller文件查看myDict是从哪来的分析下这段代码</p>
<p><code>@RequestMapping</code>定义了基础路由 <code>/api/dict</code></p>
<p><code>@Api</code> 是Swagger文档生成标记控制器的</p>
<p><code>@Autowired</code>:注入 <code>DictService</code> 服务类,用于业务逻辑处理</p>
<p><code>index()</code>:处理 <code>GET /api/dict/index</code>请求,返回视图名 <code>system/dict/dict</code>。需要 <code>dict:list</code> 权限。</p>
<p><code>getDictAll()</code>:处理 <code>GET /api/dict</code> 请求,返回字典列表。需要 <code>dict:list</code> 权限,并记录操作日志 (<code>@MyLog("查询字典列表")</code>)。使用 <code>PageTableRequest</code><code>MyDict</code> 作为请求参数,调用 <code>dictService.getDictPage()</code> 返回分页数据。</p>
<p>什么你说你看不懂代码GPT啊</p>
<p><a id=img11 href=https://xzfile.aliyuncs.com/media/upload/picture/20240823202620-e70a6020-614a-1.png><img src=data:, data-sf-original-src=https://xzfile.aliyuncs.com/media/upload/picture/20240823202620-e70a6020-614a-1.png></a></p>
<p>初期代码基础差,要学会使用工具,在这些信息中我们只提取我们需要的信息分析</p>
<p>首先这处功能点是在字典管理(代码中有注释,路由是触发/api/dict)</p>
<p>结合xml中的sql语句<code>%%</code>,应该是查询字典的功能</p>
<p>带入getDictPage方法执行的参数myDict会通过参数传递所以可控</p>
<p>分析完后,开始漏洞复现</p>
<p>在后台找到字典查询的功能点</p>
<p><a id=img12 href=https://xzfile.aliyuncs.com/media/upload/picture/20240823202628-ec0ef8e2-614a-1.png><img src=data:, data-sf-original-src=https://xzfile.aliyuncs.com/media/upload/picture/20240823202628-ec0ef8e2-614a-1.png></a></p>
<p>burp抓包</p>
<p><a id=img13 href=https://xzfile.aliyuncs.com/media/upload/picture/20240823202633-eefe7d70-614a-1.png><img src=data:, data-sf-original-src=https://xzfile.aliyuncs.com/media/upload/picture/20240823202633-eefe7d70-614a-1.png></a></p>
<p>参数名跟代码中对应上保存数据包Sqlmap一把搜哈</p>
<p><a id=img14 href=https://xzfile.aliyuncs.com/media/upload/picture/20240823202640-f2d26646-614a-1.png><img src=data:, data-sf-original-src=https://xzfile.aliyuncs.com/media/upload/picture/20240823202640-f2d26646-614a-1.png></a></p>
<p>漏洞存在,新版本中这处注入修复了</p>
<p><a id=img15 href=https://xzfile.aliyuncs.com/media/upload/picture/20240823202644-f5789e24-614a-1.png><img src=data:, data-sf-original-src=https://xzfile.aliyuncs.com/media/upload/picture/20240823202644-f5789e24-614a-1.png></a></p>
<h3 id=toc-2>第二处</h3>
<p>my-springsecurity-plus\src\main\resources\mybatis-mappers\DeptMapper.xml</p>
<p><a id=img16 href=https://xzfile.aliyuncs.com/media/upload/picture/20240823202649-f82e9b96-614a-1.png><img src=data:, data-sf-original-src=https://xzfile.aliyuncs.com/media/upload/picture/20240823202649-f82e9b96-614a-1.png></a></p>
<p>一样的思路根据id关键字追到controller层调用</p>
<p><a id=img17 href=https://xzfile.aliyuncs.com/media/upload/picture/20240823202653-fac4bc64-614a-1.png><img src=data:, data-sf-original-src=https://xzfile.aliyuncs.com/media/upload/picture/20240823202653-fac4bc64-614a-1.png></a></p>
<p><a id=img18 href=https://xzfile.aliyuncs.com/media/upload/picture/20240823202656-fce303ca-614a-1.png><img src=data:, data-sf-original-src=https://xzfile.aliyuncs.com/media/upload/picture/20240823202656-fce303ca-614a-1.png></a></p>
<p>跟到controller层调用</p>
<p>my-springsecurity-plus\src\main\java\com\codermy\myspringsecurityplus\admin\controller\DeptController.java</p>
<p><a id=img19 href=https://xzfile.aliyuncs.com/media/upload/picture/20240823202703-00c894b4-614b-1.png><img src=data:, data-sf-original-src=https://xzfile.aliyuncs.com/media/upload/picture/20240823202703-00c894b4-614b-1.png></a></p>
<p>这一处有点不一样如果通过后台访问功能点数据包中是没有params这个参数的这一块代码段也没发现params参数那么它是哪来的呢这一处卡了我很久</p>
<p>全局搜索params</p>
<p>定位到了这个类my-springsecurity-plus-master\src\main\java\com\codermy\myspringsecurityplus\admin\entity\BaseEntity.java</p>
<p><a id=img20 href=https://xzfile.aliyuncs.com/media/upload/picture/20240823202710-04b274be-614b-1.png><img src=data:, data-sf-original-src=https://xzfile.aliyuncs.com/media/upload/picture/20240823202710-04b274be-614b-1.png></a></p>
<p>注释中也表明了是请求参数params是Map类型的如果为空就是new一个空的map有值就会返回</p>
<p>通过类定位发现这是个抽象类,我们看下谁继承了它</p>
<p><a id=img21 href=https://xzfile.aliyuncs.com/media/upload/picture/20240823202717-08f562f2-614b-1.png><img src=data:, data-sf-original-src=https://xzfile.aliyuncs.com/media/upload/picture/20240823202717-08f562f2-614b-1.png></a></p>
<p>通过继承的类名也可以看出都是些数据库操作类,我们看下controller的导入</p>
<p><a id=img22 href=https://xzfile.aliyuncs.com/media/upload/picture/20240823202722-0bdb2d94-614b-1.png><img src=data:, data-sf-original-src=https://xzfile.aliyuncs.com/media/upload/picture/20240823202722-0bdb2d94-614b-1.png></a></p>
<p>发现是存在的那么我们构造对应url</p>
<p><a href=http://192.168.37.1:8088/api/dept/build?params[ target=_blank>http://192.168.37.1:8088/api/dept/build?params["dataScope"]=1</a></p>
<p><a id=img23 href=https://xzfile.aliyuncs.com/media/upload/picture/20240823202728-0f621130-614b-1.png><img src=data:, data-sf-original-src=https://xzfile.aliyuncs.com/media/upload/picture/20240823202728-0f621130-614b-1.png></a></p>
<p>报错400不应该啊</p>
<p><a id=img24 href=https://xzfile.aliyuncs.com/media/upload/picture/20240823202745-19beab84-614b-1.png><img src=data:, data-sf-original-src=https://xzfile.aliyuncs.com/media/upload/picture/20240823202745-19beab84-614b-1.png></a></p>
<p>考虑到可能是字符的问题url编码一下</p>
<p><a href="http://192.168.37.1:8088/api/dept/build?params%5B%22dataScope%22%5D=1" target=_blank>http://192.168.37.1:8088/api/dept/build?params%5B%22dataScope%22%5D=1</a></p>
<p><a id=img25 href=https://xzfile.aliyuncs.com/media/upload/picture/20240823202753-1e46d8f2-614b-1.png><img src=data:, data-sf-original-src=https://xzfile.aliyuncs.com/media/upload/picture/20240823202753-1e46d8f2-614b-1.png></a></p>
<p>发现可以解析了上sqlmap</p>
<p><a id=img26 href=https://xzfile.aliyuncs.com/media/upload/picture/20240823202758-21550460-614b-1.png><img src=data:, data-sf-original-src=https://xzfile.aliyuncs.com/media/upload/picture/20240823202758-21550460-614b-1.png></a></p>
<p>新版本这处没改</p>
<h2 id=toc-3>XSS(存储型)</h2>
<p>由于这套系统只有后端管理,可以尝试的功能点不多,依旧是选择管理员能交互到的功能</p>
<p>我们先创建一个普通用户看下能操作哪些功能</p>
<p><a id=img27 href=https://xzfile.aliyuncs.com/media/upload/picture/20240823202815-2b626b64-614b-1.png><img src=data:, data-sf-original-src=https://xzfile.aliyuncs.com/media/upload/picture/20240823202815-2b626b64-614b-1.png></a></p>
<p>那么就是在这两处尝试插入xss了</p>
<h3 id=toc-4>第一处</h3>
<p><a id=img28 href=https://xzfile.aliyuncs.com/media/upload/picture/20240823202825-31be27b4-614b-1.png><img src=data:, data-sf-original-src=https://xzfile.aliyuncs.com/media/upload/picture/20240823202825-31be27b4-614b-1.png></a></p>
<p>创建完成时已经弹窗了,基本确定了</p>
<p>模拟管理员查看用户</p>
<p><a id=img29 href=https://xzfile.aliyuncs.com/media/upload/picture/20240823202833-364d9774-614b-1.png><img src=data:, data-sf-original-src=https://xzfile.aliyuncs.com/media/upload/picture/20240823202833-364d9774-614b-1.png></a></p>
<h3 id=toc-5>第二处</h3>
<p><a id=img30 href=https://xzfile.aliyuncs.com/media/upload/picture/20240823202839-39ba726a-614b-1.png><img src=data:, data-sf-original-src=https://xzfile.aliyuncs.com/media/upload/picture/20240823202839-39ba726a-614b-1.png></a></p>
<p>模拟管理员</p>
<p><a id=img31 href=https://xzfile.aliyuncs.com/media/upload/picture/20240823202845-3d4e3a10-614b-1.png><img src=data:, data-sf-original-src=https://xzfile.aliyuncs.com/media/upload/picture/20240823202845-3d4e3a10-614b-1.png></a></p>
<p>这个最新的也有,没对参数做校验</p>
<h2 id=toc-6>垂直越权</h2>
<p>查找用户操作的功能点,找到用户删除这个功能点,抓下包</p>
<p><a id=img32 href=https://xzfile.aliyuncs.com/media/upload/picture/20240823202852-41874fae-614b-1.png><img src=data:, data-sf-original-src=https://xzfile.aliyuncs.com/media/upload/picture/20240823202852-41874fae-614b-1.png></a></p>
<p>数据包中校验删除用户的条件貌似是userID,我们执行看下数据库执行记录</p>
<p><a id=img33 href=https://xzfile.aliyuncs.com/media/upload/picture/20240823202856-44452b26-614b-1.png><img src=data:, data-sf-original-src=https://xzfile.aliyuncs.com/media/upload/picture/20240823202856-44452b26-614b-1.png></a></p>
<p>看来是通过urse_id确认删除目标的正常功能我们只能删除下级用户</p>
<p>那么我们可以尝试下删除同级用户</p>
<p><a id=img34 href=https://xzfile.aliyuncs.com/media/upload/picture/20240823202903-4865a53c-614b-1.png><img src=data:, data-sf-original-src=https://xzfile.aliyuncs.com/media/upload/picture/20240823202903-4865a53c-614b-1.png></a></p>
<p>成功删除test6</p>
<p><a id=img35 href=https://xzfile.aliyuncs.com/media/upload/picture/20240823202908-4b50ecde-614b-1.png><img src=data:, data-sf-original-src=https://xzfile.aliyuncs.com/media/upload/picture/20240823202908-4b50ecde-614b-1.png></a></p>
<p>最新版无法越权删除用户貌似是加上JWT身份认证的原因在做删除用户操作前会通过JWT校验用户权限</p>
<h2 id=toc-7>druid未授权(不存在)</h2>
<p>虽然不存在但是分析过程我感觉不错也写上</p>
<p>在pom.xml文件中看到了druid的依赖</p>
<p><a id=img36 href=https://xzfile.aliyuncs.com/media/upload/picture/20240823202916-5022492e-614b-1.png><img src=data:, data-sf-original-src=https://xzfile.aliyuncs.com/media/upload/picture/20240823202916-5022492e-614b-1.png></a></p>
<p>在后台发现确实存在对应功能</p>
<p><a id=img37 href=https://xzfile.aliyuncs.com/media/upload/picture/20240823202920-5246bcc6-614b-1.png><img src=data:, data-sf-original-src=https://xzfile.aliyuncs.com/media/upload/picture/20240823202920-5246bcc6-614b-1.png></a></p>
<p>在代码中查看对应配置发现是允许访问Druid的监控界面</p>
<p><a id=img38 href=https://xzfile.aliyuncs.com/media/upload/picture/20240823202924-54964faa-614b-1.png><img src=data:, data-sf-original-src=https://xzfile.aliyuncs.com/media/upload/picture/20240823202924-54964faa-614b-1.png></a></p>
<p>我们在未登录的情况下尝试访问</p>
<p><a id=img39 href=https://xzfile.aliyuncs.com/media/upload/picture/20240823202929-57c6ef86-614b-1.png><img src=data:, data-sf-original-src=https://xzfile.aliyuncs.com/media/upload/picture/20240823202929-57c6ef86-614b-1.png></a></p>
<p>发现实际上是有做限制的限制了访问ip仅允许本地访问我尝试了xff绕过不了说明不是从这里获取IP</p>
<p>我尝试在源码中寻找发现是存在获取ip的代码段</p>
<p><a id=img40 href=https://xzfile.aliyuncs.com/media/upload/picture/20240823202936-5bc53688-614b-1.png><img src=data:, data-sf-original-src=https://xzfile.aliyuncs.com/media/upload/picture/20240823202936-5bc53688-614b-1.png></a></p>
<p>但是跟踪getIP这个方法的调用没发现异常到这里就断了这时我想到是不是把代码封装在jar里了使用maven下载源代码</p>
<p>这次搜索报错信息</p>
<p><code>Sorry, you are not permitted to view this page.</code></p>
<p>定位到这个文件</p>
<p><a id=img41 href=https://xzfile.aliyuncs.com/media/upload/picture/20240823202942-5fb58252-614b-1.png><img src=data:, data-sf-original-src=https://xzfile.aliyuncs.com/media/upload/picture/20240823202942-5fb58252-614b-1.png></a></p>
<p>我一看路径果然是jar包里面的全局搜索文件名</p>
<p><a id=img42 href=https://xzfile.aliyuncs.com/media/upload/picture/20240823202947-6285e7ec-614b-1.png><img src=data:, data-sf-original-src=https://xzfile.aliyuncs.com/media/upload/picture/20240823202947-6285e7ec-614b-1.png></a></p>
<p>定位到验证代码段,代码中可以看出是关键是<code>isPermittedRequest</code>这个方法,我们跟进去看下</p>
<p><a id=img43 href=https://xzfile.aliyuncs.com/media/upload/picture/20240823202953-65cf45ec-614b-1.png><img src=data:, data-sf-original-src=https://xzfile.aliyuncs.com/media/upload/picture/20240823202953-65cf45ec-614b-1.png></a></p>
<p>看样子这个<code>getRemoteAddress</code>方法就是获取IP的了继续跟进方法</p>
<p><a id=img44 href=https://xzfile.aliyuncs.com/media/upload/picture/20240823202957-68700d5e-614b-1.png><img src=data:, data-sf-original-src=https://xzfile.aliyuncs.com/media/upload/picture/20240823202957-68700d5e-614b-1.png></a></p>
<p>先判断remoteAddressHeader != null查看remoteAddressHeader是个常量为null那么直接看下面的if</p>
<p>通过request.getRemoteAddr()方法获取ip确认了ip获取的方法</p>
<p>我尝试搜索了一下这个方法</p>
<p><a id=img45 href=https://xzfile.aliyuncs.com/media/upload/picture/20240823203004-6cbdeab6-614b-1.png><img src=data:, data-sf-original-src=https://xzfile.aliyuncs.com/media/upload/picture/20240823203004-6cbdeab6-614b-1.png></a></p>
<p>没想到第一篇就这么劲爆,看来这个方法是有绕过可能的</p>
<p>由于环境在本地本地搭建dns服务器过程就不放了搭建完成后再次尝试</p>
<p><a id=img46 href=https://xzfile.aliyuncs.com/media/upload/picture/20240823203012-716ce526-614b-1.png><img src=data:, data-sf-original-src=https://xzfile.aliyuncs.com/media/upload/picture/20240823203012-716ce526-614b-1.png></a></p>
<p>本地再起个测试环境看下获取到的ip</p>
<p><a id=img47 href=https://xzfile.aliyuncs.com/media/upload/picture/20240823203018-750c6b84-614b-1.png><img src=data:, data-sf-original-src=https://xzfile.aliyuncs.com/media/upload/picture/20240823203018-750c6b84-614b-1.png></a></p>
<p>客户端ip为192.168.37.130</p>
<p>服务端ip为192.168.37.1</p>
<p><a id=img48 href=https://xzfile.aliyuncs.com/media/upload/picture/20240823203023-77e3d702-614b-1.png><img src=data:, data-sf-original-src=https://xzfile.aliyuncs.com/media/upload/picture/20240823203023-77e3d702-614b-1.png></a></p>
<p>呜呜呜!欺骗我感情</p>
<p>自此判断不存在druid未授权</p>
<p>新版本取消了post方法的未授权访问也就说可以未授权看到登入界面但是登入不了难崩</p>
<p><a id=img49 href=https://xzfile.aliyuncs.com/media/upload/picture/20240823203030-7c54ff32-614b-1.png><img src=data:, data-sf-original-src=https://xzfile.aliyuncs.com/media/upload/picture/20240823203030-7c54ff32-614b-1.png></a></p>
<p><a id=img50 href=https://xzfile.aliyuncs.com/media/upload/picture/20240823203034-7e8d4bf6-614b-1.png><img src=data:, data-sf-original-src=https://xzfile.aliyuncs.com/media/upload/picture/20240823203034-7e8d4bf6-614b-1.png></a></p>
<h2 id=toc-8>Spring boot Actuator未授权访问</h2>
<p>这个其实是我之前一直没注意到的一个点Spring boot框架已经成为java的主流之一很多系统都采用Spring boot搭建关于它上面的安全确实应该重视我自己也在思考总结思路之后应该会专门出一篇见解下Spring boot的审计方向</p>
<p>这篇不会提太多</p>
<p>依旧是通过pom.xml发现引入了Actuator依赖</p>
<p><a id=img51 href=https://xzfile.aliyuncs.com/media/upload/picture/20240823203055-8ae125b2-614b-1.png><img src=data:, data-sf-original-src=https://xzfile.aliyuncs.com/media/upload/picture/20240823203055-8ae125b2-614b-1.png></a></p>
<p>稍微看过java审计文章的就会发现pom.xml对于java代审而言真的很重要是可以等到很多信息的要重点查看</p>
<p>在配置文件中寻找配置查看开放的端点</p>
<p>如果设置了<code>management.endpoints.web.exposure.include</code><code>*</code>,就可以在 <code>/actuator</code> 看到所有存在的端点</p>
<p><a id=img52 href=https://xzfile.aliyuncs.com/media/upload/picture/20240823203101-8ea55d80-614b-1.png><img src=data:, data-sf-original-src=https://xzfile.aliyuncs.com/media/upload/picture/20240823203101-8ea55d80-614b-1.png></a></p>
<p>但是它这里只开放了这几个</p>
<pre><code>/info
显示任意的应用信息
展示了关于应用的一般信息,这些信息从编译文件比如 META-INF/build-info.properties 或者 git 文件比如 git.properties 或者任何环境的 property 中获取
/health
显示应用的健康信息当使用一个未认证连接访问时显示一个简单的status使用认证连接访问则显示全部信息详情
health一般只展示了简单的UP和DOWN状态
/beans
//显示一个应用中所有Spring Beans的完整列表
/env
//显示来自Spring的 ConfigurableEnvironment的属性
可能会泄露数据库账号密码等敏感信息
/metrics
//展示当前应用的metrics信息
获得每个度量的名称其中主要监控了JVM内容使用、GC情况、类加载信息等</code></pre>
<p>比较重点的是/env可能会泄露配置文件信息并不是说其它没有</p>
<p><a id=img53 href=https://xzfile.aliyuncs.com/media/upload/picture/20240823203111-94ce81fa-614b-1.png><img src=data:, data-sf-original-src=https://xzfile.aliyuncs.com/media/upload/picture/20240823203111-94ce81fa-614b-1.png></a></p>
<p><a id=img54 href=https://xzfile.aliyuncs.com/media/upload/picture/20240823203116-97d9168a-614b-1.png><img src=data:, data-sf-original-src=https://xzfile.aliyuncs.com/media/upload/picture/20240823203116-97d9168a-614b-1.png></a></p>
<p>针对env这种路径下泄露的密码会用<code>*</code>进行脱敏想要获取对应的明文密码可以尝试通过分析heapdump数据的方式</p>
<p>但是很可惜这套系统没有开放/heapdump端点</p>
<p>新版本也是直接不允许未授权访问/actuator了</p>
<p><a id=img55 href=https://xzfile.aliyuncs.com/media/upload/picture/20240823203126-9d4e5896-614b-1.png><img src=data:, data-sf-original-src=https://xzfile.aliyuncs.com/media/upload/picture/20240823203126-9d4e5896-614b-1.png></a></p>
<h2 id=toc-9>Swagger API泄露</h2>
<p>依旧是通过pom.xml发现依赖</p>
<p><a id=img56 href=https://xzfile.aliyuncs.com/media/upload/picture/20240823203131-a0b5903a-614b-1.png><img src=data:, data-sf-original-src=https://xzfile.aliyuncs.com/media/upload/picture/20240823203131-a0b5903a-614b-1.png></a></p>
<p>也设置了静态资源,也就是未授权了</p>
<p><a id=img57 href=https://xzfile.aliyuncs.com/media/upload/picture/20240823203135-a2cf5108-614b-1.png><img src=data:, data-sf-original-src=https://xzfile.aliyuncs.com/media/upload/picture/20240823203135-a2cf5108-614b-1.png></a></p>
<p>尝试访问</p>
<p><a href=http://127.0.0.1:8088/swagger-ui.html#/ target=_blank>http://127.0.0.1:8088/swagger-ui.html#/</a></p>
<p><a id=img58 href=https://xzfile.aliyuncs.com/media/upload/picture/20240823203141-a695ba52-614b-1.png><img src=data:, data-sf-original-src=https://xzfile.aliyuncs.com/media/upload/picture/20240823203141-a695ba52-614b-1.png></a></p>
<p>提供了很多接口,但是能不能用,得测试</p>
<p>我们可以访问它提供的api地址</p>
<p><a href=http://127.0.0.1:8088/v2/api-docs target=_blank>http://127.0.0.1:8088/v2/api-docs</a></p>
<p><a id=img59 href=https://xzfile.aliyuncs.com/media/upload/picture/20240823203147-aa09a8ce-614b-1.png><img src=data:, data-sf-original-src=https://xzfile.aliyuncs.com/media/upload/picture/20240823203147-aa09a8ce-614b-1.png></a></p>
<p>然后使用工具批量爬取接口测试存活</p>
<p><strong>swagger-hack</strong></p>
<p>项目地址:<a href=https://github.com/jayus0821/swagger-hack target=_blank>https://github.com/jayus0821/swagger-hack</a></p>
<pre><code>python swagger-hack2.0.py -u "http://ip:8088/v2/api-docs"</code></pre>
<p><a id=img60 href=https://xzfile.aliyuncs.com/media/upload/picture/20240823203153-adb0d9ca-614b-1.png><img src=data:, data-sf-original-src=https://xzfile.aliyuncs.com/media/upload/picture/20240823203153-adb0d9ca-614b-1.png></a></p>
<p>测试结果会保存在csv文件中</p>
<p><a id=img61 href=https://xzfile.aliyuncs.com/media/upload/picture/20240823203158-b0d7a6e2-614b-1.png><img src=data:, data-sf-original-src=https://xzfile.aliyuncs.com/media/upload/picture/20240823203158-b0d7a6e2-614b-1.png></a></p>
<p>新版本和老版本这块没差别</p>
<h1>总结</h1>
<p>关于Spring boot框架常见的漏洞平时我确实没有注意更多的都是通用漏洞和组件挖掘为主对于框架易产生的漏洞较为疏忽接触的也少要让自己的思路扩展开来多个攻击面出洞的几率就更高。这套源码实际上属于半成品很多功能点都没开发不知道后面作者会不会加部分漏洞修补的也比较潦草。</p>
</div>
<div class=attachment>
<img src=data:image/gif;base64,R0lGODlhEAAQANUuAPDj6bqvtIlvgVB1oeba4oCAgNd9X/j5+Pf//M9IaEt2odlTmP/D3a+kqf+H9sVZgYadcFR2oYrjaI/c6E51oZN2e/9r1fPo7vX29WSEhubX3f+x/ld8qePc3+7j6Pzu9spFaLWqr9d7csA2Wvhj2Pd+9fk2q0vNbOo7fzKs94jH8GrciP///4SDhPb29gAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACH5BAEAAC4ALAAAAAAQABAAAAZ8QJdwSCwKW8ikEokZAioGlHQqfbQOQgBLIDJ5v95F68hCCDaltLrkGLtCrS2DRK+TLG5AoyUwgEaAgQl5LAFLS0NxhSqMjY1uGnEBEymVlpV5HS0BEBkKFAOhERxuHiwEh0pDBRenK6+wsG4uBR8EEie5urmzLqmqRsFEQQA7 alt data-sf-original-src=https://xz.aliyun.com/static/images/zip.gif>my-springsecurity-plus.zip
(9.083 MB) <a href=https://xzfile.aliyuncs.com/upload/affix/20240823204423-6cd33b08-614d-1.zip>下载附件</a>
</div>
<div class=post-user-action style=margin-top:34px>
<span class="btn btn-default pull-right" id=mark data-action=topic data-pk=15389>
<span id=mark-text>点击收藏 </span><span class=i-seprator> | </span><span id=mark-count>0</span>
</span>
<span class="btn btn-default pull-right" id=follow_topic data-pk=15389>
<span>关注</span><span class=i-seprator> | </span><span id=follow-count>1</span>
</span>
<span class="btn btn-default pull-right">
<span>
<span id=ready_reward data-toggle=modal data-target=#myModal>打赏</span>
</span>
</span>
<div class=clearfix></div>
</div>
<div class=related-section>
<div class=related-box>
<span><a class=pull-left href=https://xz.aliyun.com/t/15387 title=护网红队-从apk反编译审计到getshell全过程><span class=related-label style="padding:3px 4px;margin-right:3px">上一篇:</span>护网红队-从apk反编译审计到ge...</a></span>
</div>
</div>
</div>
</div>
</div>
<div class="modal fade" id=myModal role=dialog aria-labelledby=myModalLabel aria-hidden=true>
<div class=modal-dialog>
<div class=modal-content>
<div class=modal-header>
<h4 class=modal-title id=myModalLabel style=text-align:center>
积分打赏
</h4>
</div>
<div class=modal-body id=button-value>
<div style=text-align:center>
<div role=group>
<button type=button class="btn btn-secondary m64" style=min-width:64px data-value=type1>
1分
</button>
<button type=button class="btn btn-secondary m64" style=min-width:64px data-value=type2>
2分
</button>
<button type=button class="btn btn-secondary m64" style=min-width:64px data-value=type3>
5分
</button>
</div>
<br>
<div style=margin-top:20px>
<button type=button class="btn btn-secondary m64" style=min-width:64px data-value=type4>
8分
</button>
<button type=button class="btn btn-secondary m64" style=min-width:64px data-value=type5>
10分
</button>
<button type=button class="btn btn-secondary m64" style=min-width:64px data-value=type6>
20分
</button>
</div>
</div>
</div>
<div class=modal-footer id=confirm>
<button type=button class="btn btn-default" data-dismiss=modal>关闭</button>
<button type=button class="btn btn-primary" id=reward_topic data-pk=15389>确定</button>
</div>
</div>
</div>
</div>
<div class="row box">
<ol class=breadcrumb>
<li class=active>0 条回复</li>
</ol>
<div class="box-container post-container">
<ul>
<li style=min-height:50px;line-height:60px;margin-left:15px><strong>动动手指,沙发就是你的了!</strong></li>
</ul>
</div>
</div>
<div class="row box" id=reply-box>
<div class="box-container clearfix">
<div class=reminder>
<a href="https://account.aliyun.com/login/login.htm?oauth_callback=https%3A%2F%2Fxz.aliyun.com%2Ft%2F15389&amp;from_type=xianzhi"><strong>登录</strong></a> 后跟帖
</div>
</div>
</div>
</div>
</div>
</div>
<footer class=bs-docs-footer>
<div class="container text-center">
<div class=links>
<a href=https://xz.aliyun.com/feed target=_blank>RSS</a>
<a href=https://xz.aliyun.com/about target=_blank><span>关于社区</span></a>
<a href=https://xz.aliyun.com/partner target=_blank><span>友情链接</span></a>
<a href=https://xz.aliyun.com/notice>社区小黑板</a>
<a href=https://xz.aliyun.com/connection>联系我们</a>
<a href=https://report.aliyun.com/ target=_blank>举报中心</a>
<a href=https://www.aliyun.com/complaint target=_blank>我要投诉</a>
</div>
</div>
</footer>
<div id=waf_nc_block style=display:none></div><div id=immersive-translate-popup style=all:initial><template shadowrootmode=open><style class=sf-hidden>/*!
* Pico.css v1.5.6 (https://picocss.com)
* Copyright 2019-2022 - Licensed under MIT
*/#mount{--font-family:system-ui,-apple-system,"Segoe UI","Roboto","Ubuntu","Cantarell","Noto Sans",sans-serif,"Apple Color Emoji","Segoe UI Emoji","Segoe UI Symbol","Noto Color Emoji";--line-height:1.5;--font-weight:400;--font-size:16px;--border-radius:0.25rem;--border-width:1px;--outline-width:3px;--spacing:1rem;--typography-spacing-vertical:1.5rem;--block-spacing-vertical:calc(var(--spacing)*2);--block-spacing-horizontal:var(--spacing);--grid-spacing-vertical:0;--grid-spacing-horizontal:var(--spacing);--form-element-spacing-vertical:0.75rem;--form-element-spacing-horizontal:1rem;--nav-element-spacing-vertical:1rem;--nav-element-spacing-horizontal:0.5rem;--nav-link-spacing-vertical:0.5rem;--nav-link-spacing-horizontal:0.5rem;--form-label-font-weight:var(--font-weight);--transition:0.2s ease-in-out;--modal-overlay-backdrop-filter:blur(0.25rem)}@media (min-width:576px){#mount{--font-size:17px}}@media (min-width:768px){#mount{--font-size:18px}}@media (min-width:992px){#mount{--font-size:19px}}@media (min-width:1200px){#mount{--font-size:20px}}@media (min-width:576px){#mount>header,#mount>main,#mount>footer,section{--block-spacing-vertical:calc(var(--spacing)*2.5)}}@media (min-width:768px){#mount>header,#mount>main,#mount>footer,section{--block-spacing-vertical:calc(var(--spacing)*3)}}@media (min-width:992px){#mount>header,#mount>main,#mount>footer,section{--block-spacing-vertical:calc(var(--spacing)*3.5)}}@media (min-width:1200px){#mount>header,#mount>main,#mount>footer,section{--block-spacing-vertical:calc(var(--spacing)*4)}}@media (min-width:576px){article{--block-spacing-horizontal:calc(var(--spacing)*1.25)}}@media (min-width:768px){article{--block-spacing-horizontal:calc(var(--spacing)*1.5)}}@media (min-width:992px){article{--block-spacing-horizontal:calc(var(--spacing)*1.75)}}@media (min-width:1200px){article{--block-spacing-horizontal:calc(var(--spacing)*2)}}dialog>article{--block-spacing-vertical:calc(var(--spacing)*2);--block-spacing-horizontal:var(--spacing)}@media (min-width:576px){dialog>article{--block-spacing-vertical:calc(var(--spacing)*2.5);--block-spacing-horizontal:calc(var(--spacing)*1.25)}}@media (min-width:768px){dialog>article{--block-spacing-vertical:calc(var(--spacing)*3);--block-spacing-horizontal:calc(var(--spacing)*1.5)}}a{--text-decoration:none}a.secondary,a.contrast{--text-decoration:underline}small{--font-size:0.875em}h1,h2,h3,h4,h5,h6{--font-weight:700}h1{--font-size:2rem;--typography-spacing-vertical:3rem}h2{--font-size:1.75rem;--typography-spacing-vertical:2.625rem}h3{--font-size:1.5rem;--typography-spacing-vertical:2.25rem}h4{--font-size:1.25rem;--typography-spacing-vertical:1.874rem}h5{--font-size:1.125rem;--typography-spacing-vertical:1.6875rem}[type="checkbox"],[type="radio"]{--border-width:2px}[type="checkbox"][role="switch"]{--border-width:3px}thead th,thead td,tfoot th,tfoot td{--border-width:3px}:not(thead,tfoot)>*>td{--font-size:0.875em}pre,code,kbd,samp{--font-family:"Menlo","Consolas","Roboto Mono","Ubuntu Monospace","Noto Mono","Oxygen Mono","Liberation Mono",monospace,"Apple Color Emoji","Segoe UI Emoji","Segoe UI Symbol","Noto Color Emoji"}kbd{--font-weight:bolder}[data-theme="light"],#mount:not([data-theme="dark"]){--background-color:#fff;--background-light-green:#F5F7F9;--color:hsl(205deg,20%,32%);--h1-color:hsl(205deg,30%,15%);--h2-color:#24333e;--h3-color:hsl(205deg,25%,23%);--h4-color:#374956;--h5-color:hsl(205deg,20%,32%);--h6-color:#4d606d;--muted-color:hsl(205deg,10%,50%);--muted-border-color:hsl(205deg,20%,94%);--primary:hsl(195deg,85%,41%);--primary-hover:hsl(195deg,90%,32%);--primary-focus:rgba(16,149,193,0.125);--primary-inverse:#fff;--secondary:hsl(205deg,15%,41%);--secondary-hover:hsl(205deg,20%,32%);--secondary-focus:rgba(89,107,120,0.125);--secondary-inverse:#fff;--contrast:hsl(205deg,30%,15%);--contrast-hover:#000;--contrast-focus:rgba(89,107,120,0.125);--contrast-inverse:#fff;--mark-background-color:#fff2ca;--mark-color:#543a26;--ins-color:#388e3c;--del-color:#c62828;--blockquote-border-color:var(--muted-border-color);--blockquote-footer-color:var(--muted-c
Reference in New Issue Copy Permalink