Penetration_Testing_POC/books/一次有趣的锐捷前台无条件RCE漏洞分析.html

<!DOCTYPE html> <html><!--
 Page saved with SingleFile 
 url: https://forum.butian.net/share/2829 
--><meta charset=utf-8>
<meta http-equiv=X-UA-Compatible content="IE=edge">
<meta name=viewport content="width=device-width, initial-scale=1">
<meta name=csrf-token content=VD0owLiLrat8LaN2vBAqJtnLFngrtZgXtzYM7DqG>
<title>一次有趣的锐捷前台无条件RCE漏洞分析</title>
<meta name=keywords content=奇安信,天眼,补天,漏洞,情报,攻防,安全>
<meta name=description content=奇安信攻防社区-一次有趣的锐捷前台无条件RCE漏洞分析>
<meta name=author content="QIANXIN Team">
<meta name=copyright content="2021 QIANXIN.com">
<style>@media(max-width:767px){}</style>
<style>/*!
 * Bootstrap v3.4.1 (https://getbootstrap.com/)
 * Copyright 2011-2019 Twitter, Inc.
 * Licensed under MIT (https://github.com/twbs/bootstrap/blob/master/LICENSE)
 *//*! normalize.css v3.0.3 | MIT License | github.com/necolas/normalize.css */html{font-family:sans-serif;-ms-text-size-adjust:100%;-webkit-text-size-adjust:100%}body{margin:0}a:active,a:hover{outline:0}img{border:0}textarea{color:inherit;font:inherit;margin:0}textarea{overflow:auto}/*! Source: https://github.com/h5bp/html5-boilerplate/blob/master/src/css/main.css */*{-webkit-box-sizing:border-box;-moz-box-sizing:border-box;box-sizing:border-box}:after,:before{-webkit-box-sizing:border-box;-moz-box-sizing:border-box;box-sizing:border-box}html{-webkit-tap-highlight-color:rgba(0,0,0,0)}a:focus,a:hover{color:#23527c;text-decoration:underline}a:focus{outline:5px auto -webkit-focus-ring-color;outline-offset:-2px}img{vertical-align:middle}h2,h3{font-family:inherit;font-weight:500;line-height:1.1;color:inherit}h3{margin-top:20px;margin-bottom:10px}h3{font-size:24px}p{margin:0 0 10px}@media(min-width:768px){}.text-muted{color:#777}ul{margin-top:0;margin-bottom:10px}.list-inline{padding-left:0;list-style:none;margin-left:-5px}.list-inline>li{display:inline-block;padding-right:5px;padding-left:5px}@media(min-width:768px){}.container{padding-right:15px;padding-left:15px;margin-right:auto;margin-left:auto}@media(min-width:768px){.container{width:750px}}@media(min-width:992px){.container{width:970px}}@media(min-width:1200px){.container{width:1170px}}.row{margin-right:-15px;margin-left:-15px}.col-xs-12{position:relative;min-height:1px;padding-right:15px;padding-left:15px}.col-xs-12{float:left}.col-xs-12{width:100%}@media(min-width:768px){}@media(min-width:992px){.col-md-9{float:left}}@media(min-width:1200px){}@media screen and (max-width:767px){}@media screen and (-webkit-min-device-pixel-ratio:0){}@media(min-width:768px){}@media(min-width:768px){}@media(min-width:768px){}@media(min-width:768px){}@media(min-width:768px){}@media(min-width:768px){}@media(min-width:768px){}@media(min-width:768px){}@media(min-width:768px){}@media(min-width:768px){}@media(min-width:768px){}@media(min-width:768px){}@media(max-device-width:480px) and (orientation:landscape){}@media(min-width:768px){}@media(min-width:768px){}@media(min-width:768px){}@media(min-width:768px){}@media(min-width:768px){}@media(max-width:767px){}@media(min-width:768px){}@media(min-width:768px){}@media(max-width:767px){}@media(min-width:768px){}@media(min-width:768px){}@media(min-width:768px){}@media(max-width:767px){}@media(max-width:767px){}@media screen and (min-width:768px){}@-webkit-keyframes progress-bar-stripes{from{background-position:40px 0}to{background-position:0 0}}@-o-keyframes progress-bar-stripes{from{background-position:40px 0}to{background-position:0 0}}@keyframes progress-bar-stripes{from{background-position:40px 0}to{background-position:0 0}}@media(min-width:768px){}@media(min-width:992px){}@media all and (transform-3d),(-webkit-transform-3d){}@media screen and (min-width:768px){}.btn-group-vertical>.btn-group:after,.btn-group-vertical>.btn-group:before,.btn-toolbar:after,.btn-toolbar:before,.clearfix:after,.clearfix:before,.container-fluid:after,.container-fluid:before,.container:after,.container:before,.dl-horizontal dd:after,.dl-horizontal dd:before,.form-horizontal .form-group:after,.form-horizontal .form-group:before,.modal-footer:after,.modal-footer:before,.modal-header:after,.modal-header:before,.nav:after,.nav:before,.navbar-collapse:after,.navbar-collapse:before,.navbar-header:after,.navbar-header:before,.navbar:after,.navbar:before,.pager:after,.pager:before,.panel-body:after,.panel-body:before,.row:after,.row:before{display:table;content:" "}.btn-group-vertical>.btn-group:after,.btn-toolbar:after,.clearfix:after,.container-fluid:after,.container:after,.dl-horizontal dd:after,.form-horizontal .form-group:after,.modal-footer:after,.modal-header:after,.nav:after,.navbar-collapse:after,.navbar-header:after,.navbar:after,.pager:after,.panel-body:after,.row:after{clear:both}@-ms-viewport{width:device-width}@media(max-width:767px){}@media(max-width:767px){}@media(max-width:767px){}@media(max-width:767px){}@media(min-width:768px) and (max-width:991px){}@media
<style>/*!
 *  Font Awesome 4.7.0 by @davegandy - http://fontawesome.io - @fontawesome
 *  License - http://fontawesome.io/license (Font: SIL OFL 1.1, CSS: MIT License)
 */@font-face{font-family:"FontAwesome";src:url(data:font/woff2;base64,d09GMgABAAAAAS1oAA0AAAAChpgAAS0OAAQBywAAAAAAAAAAAAAAAAAAAAAAAAAAP0ZGVE0cGiAGYACFchEIComZKIe2WAE2AiQDlXALlhAABCAFiQYHtHVbUglyR2H3kYQqug2BJ+096zq1GibTzT1ytyoKAhnlGvH2XQR0B9xFqm6jsv/////kpDFG2w7cQODV9Pt8rYoUCGaTbZJgmyTYkaFAZFtCUREkKFtVPCsorbhAUNA1HuRggbAO2j72UBAaO+EokdExs/1s2/5o1Kiiwimf3Fl5lPJKaenrF62Fznwl24G3XqwUR4KiM7gSbp6V6LraldwKxM2QRIqecFxZciCUTN9Q9A6NG4N0pSnLEZjvE6c2UsJeIlMLTH7xWVLXQ1hSFQmKNIGO5kb6eVxbv+g3bqHirnwdc+C7jHEeo027jiVLyf8XLtu6DiwL+oT3+EzQdP8n9hCQyU0dLBEVY/eIK2L6xNeH50/9c/le2CSFhtd6Lgf1bcWgDPxoJmdi3vDhdu2H8wEOySeKDzajOrC7w/Nz622jYowx2KhtMCLHghqwvypWjKiNHqNjoyQsMEFUUFS0MRID+/SsPAvtO+3z0mAQ5rYn8UgOP/Fzzqk6kQ9ORJ+o/KkQSRGkJIwEVBSLW4GCYjSKEc38f+rs7yyvzrzX772jYmw2kboLSUzpaX3bjCbgNOOUbSwnyxbL8yO916Wzf1J3AaJidcC2LEuWC8YGm+J2iwPbCG1fLcDA5lxIi537jkhI/qrzk+oHxsI/mJbTbfMLOVCIrdgpOedKqIYkxr2InOex9Dj46Mfazs5+uTvEchWNbr89JBEatR+UTmRkbhshJ66m8OM7s/SsOJm8J9lOpu0eIX8tGAZKGcq20y7g2PqR7livPQwsEgQOkJseImA6GKL/Gw8JCSB7je+e3OC8EstLISefAKEtRkiUnAmJIyR+m1pfhLmdEBK1A041VlU4RsivHKKOJRRQ1Pvdq9rb+wYIDIZDcAgCJARRGaK0u9oQnXKs7KLKvZvuumu7a9obpzPZtxPROlIRJR4QtoEye/SH3qn1kh1oJbspOMkR9gD48QEPGApJTEuQNnb0I+37s+7+Biw70KY2h6BOmjLOaHa3Dw4I/u9/zf7rDE9Pkad0IxaFBuJ4VInvqkJmAp2ehHFeFiOcrp+WP3v+NWKKSeLgJS1XWpDruWKkQaMTDF7kMc3ZbjUZ+a7pitemTlGdWSf65t3NEpYE/JFTBNwYH6YhdCIgBmBiM+n3JZMH9O8zNbsCFNFmdjurndXObM6s7jmcOmpnZj9ncpv1cP94nyCAD3wS/CAkCCBlEpQcEpRaFCjFFCR3KFpyU5DodiubWtkcz9Zx9k2i7B6b7s3q3ZltPyZzW/bldJlTklNqjqc5nK/j9z+tfNrqDfHwxT5HDswGLBBiRNW3Xqn0ql6px90bOmyKM469TkGaYKs1C5wyNrMBTPlwU/IJQd+nL1XrCsLWmLS8s7QnOVy0p9WGdLiFEK8h3/b2+rca/RuBbAAGhSBQTVK0mpA5boAKzWAVEhMoyhBA0iBIeSlN0mRNyg2QHDXp1KQTSCfSkZoc8m1TPPro23Ema7wpXM97O+4xxcNt+QebONt74YvVWIQx3S0zx5qQkSmCQiiEkSz7JfWTELC2to0ExAsFBd3923efb36+mHTt8EhXOGyQ1FoRCXKk47//PWWzGuzfMSvmBwUvyY4xVz/WsHLuEg44OVBMxtIBPnVvOSDFGDEgdMOYq8N1Y6edke7EQLP5XUsUEFLvf2JO/7uSdvuTtNQaqqgouCKKg3nrvbt7HAxjrv+P5vNzY3qmGSaucDWn5QShLGqzbiCia07EIYMug25e9/hVdR8AQHz8GD92tT73B7kdudwckXIYVWHcSFIgCxqPEPq51/jVkQCT80kNRInfy4tRv71+cOkKgNyNOzu4bvn5jUwYFyShdPkJOgloRkNZoe3eVE+gRk4dTn59F/ExImCzqPyf2GHPB8sozT9IIBGXlocfxFyWzeV1yjATTNS19fEnte26vb7NlFBibm1Pv5jrtt39jb8CGEpsiz8CAQie5XOr5wWIMCwOOIx4yULy+va+QhnH5ZFGiRAUn1/fG1JpWh34/7fUfmUjFWqwEbF3/WhPYyomRjYMrFlxwZIFe4l9P8nzPvd1Hvu2LvM0Ds5oJQVnlGAEpybX5yC4yxIpqaxSNRjlSIx9saf/y6Swa9yp2xyQJ0qZ3k+/AEmI2xO2nV/vs38FkXFPYifWSMefAEJZRU2jAxw2yHaEgTWqEE5KDeUVAU+ITgcaRgtOeCgxkjoBXLrfq0Pga45joGI4BVH0CRNk4RhbTBQoZWwcKzJ1Le7QYdaYZKKONTuiTiTU9iKiSKqPEKtTRrpv6zJpqCKK2VyzaAQ3SYz2oDxTQ08CrRm4lsiQSKAe4kV3IQEuH9fp/SFCUxJDqmcexJ2JY+MOueRzKtWnc4koNW2UPXHGyoplovvxWZELJOtcPhBmTjiAcZeMeOojdgqlNnVt7wngGZ2wYNtOTS1KAFz0EEa3x3LpRAKAHrVa0zCTByMn6qWIbuwR0kdqTILahlgUG8qMokGqnfFnWXOZKrJZytwHx17ZtZg7ItgdJGhifz25FhnPmxOYMN52SDyXVnZ/gWObXwBcWYoD7KPodztkQhYCg4sDToOEMxshJM7n57Tn4t5JfFCYIH4TJhPkA2TFLsgDG9Sw6QItYQfz+mEZCSsrwhOSOboubVL46TTjY3mvnrkji1XVwkZX7gh1vQ3cCRdpL/Ccr5RmfoA03fBsg+sOWFP0OcOEG/cxRZ3wvTNAkP3aaxOI3BVAFycjo7y2Y6y92W7qqSC68RXvU187rCX77kmK0MEru/gu80wa2EMCeLHr7h4evvrqhrF3CdrNVtuCgIG6qOGkwMP5RXhmfkhgvekwH7whZJToQFF7T2gxiRcXsUjBtkbDq9V6cxqNN/Pdibazxpx0D3J2zOip0mudu4ZoZVMzt9uHdpk5hHF8q0+C75dLKZVVXPKWQdIlo7m7AsRvHntsPIbbS7j/up3NjqKkjmmzj/FI60eASYV6nT02mldXbzDr2Qt8Fd4lQfcaamREKSENgKlwd67I7l+Cs+s7uPGm22OXRCPp/8uBTZDA3k56nPIFtwRwsF6PQ0R43sJ4aimENU/IOfsNoWDR0kVEWO548Y0g3ZJHVcjA7cuvDsSZqgSp79baiZwuJQ23v7bOiLF+DOPx+j3/CBoWQxNvpikNRoQ388rnJFqk/Si3Z8Hrb0Ktpw3bxpzAQN7lJvLD2mXuewbq4uWOo6AIbKCwZopfxlJ4mU5bp10MrpsHOGAtM5lztKbBknt/UGoB3hm4V3VjOe+FuK6phBtbPh3qLZ8uRKLcjln6H/ebFQ+AHmSHDM/C2AeisisYXnuTrrlD7veJsW3gxNnwLKaxQE48spAd2tnQ+PKJrx9/Di6NlFbx5k3w2hFT7CvTXESeK6LaUqJ80Ta1C+IncVxU4N0CppXzHB45h0SEBlg8fyTtcImA3gciu+mFppL8JJvStwveLPlwH7tz+aVU084a3f6vYrv/1E5rSZEeX+ahYNXmCkboiB/qV5OfVv+UJdnRdwitfqmkxETUkNnCy90q87N4afIeuHlbclqqhwCZW1MltEeb3BhzYEY844WjhbOsIKLBVosr/vMhK62W9/WKuNiNizl5n2vFwWZikTgy3gZz3n1sO1spZSTE+IlUnYaWa62DkuApmnaPtqk5rAGE4xune9N1E/J1j3SPyN6zQEXj9D58Q/baPFw0JQiXUnbhDKW26eXE6Kra9EDXukPMOFyR+H4pFCNrfL65LmHrb6q62gO6MDBHlHEwHRQl8fzwE6GZaHCLqboNTP+c3iKMKz6O7Oa1JaoLXk3LiphOmnPTyAZxjrQ9lRKwD77u5eSmhrBLETRy5y0q7+cl6NpoI9clO3BQ6aaUaNZDPffO+traDZca5SYUKaliYYTGS0z4QL/5nuR0uiGifjLt
<style>@media(min-width:1200px){}@media(min-width:768px){}@media(max-width:767px){}@media(max-width:767px){}@media(min-width:768px){}@media(min-width:992px){}@media(min-width:1200px){}html{font-size:10px;-webkit-tap-highlight-color:transparent}body{font-family:-apple-system,"Helvetica Neue",Helvetica,Arial,"PingFang SC","Hiragino Sans GB","WenQuanYi Micro Hei","Microsoft Yahei",sans-serif;font-size:14px;line-height:1.5;color:#333;background-color:#f6f6f6;word-break:break-word}textarea{font-family:inherit;font-size:inherit;line-height:inherit}ul{padding:0}.wrap{padding-bottom:30px;position:relative}.main{background-color:#fff;border-radius:4px}.mb-20{margin-bottom:20px}.mt-10{margin-top:10px}.mt-30{margin-top:30px}.taglist-inline{list-style:none;padding:0;font-size:0}.taglist-inline li{padding:0;font-size:13px}.taglist-inline>li{display:inline-block;margin-right:5px}.taglist-inline>li:last-child{margin-right:0}.widget-article .quote{padding:25px;background:#f3f5f9;line-height:24px;overflow:hidden}@media(min-width:768px){}.word-wrap{word-wrap:break-word;word-break:normal}::-webkit-scrollbar{width:6px;height:6px}::-webkit-scrollbar-thumb{background-color:#e4e6eb;outline:0;border-radius:2px}::-webkit-scrollbar-track{box-shadow:none;border-radius:2px}</style>
<style>a{text-decoration:none}a:focus,a:hover{color:#004e31;text-decoration:underline}@media(max-width:767px){}@media(max-width:767px){}.tag{display:inline-block;padding:0 8px;color:#017e66;background-color:#e7f2ed;height:24px;line-height:24px;font-weight:400;font-size:13px;text-align:center}.tag[href]:focus,.tag[href]:hover{background-color:#017e66;color:#fff;text-decoration:none}</style>
<style>@-moz-keyframes blink{50%{background-color:transparent}}@-webkit-keyframes blink{50%{background-color:transparent}}@keyframes blink{50%{background-color:transparent}}.markdown-body{color-scheme:light;--color-prettylights-syntax-comment:#6e7781;--color-prettylights-syntax-constant:#0550ae;--color-prettylights-syntax-entity:#8250df;--color-prettylights-syntax-storage-modifier-import:#24292f;--color-prettylights-syntax-entity-tag:#116329;--color-prettylights-syntax-keyword:#cf222e;--color-prettylights-syntax-string:#0a3069;--color-prettylights-syntax-variable:#953800;--color-prettylights-syntax-brackethighlighter-unmatched:#82071e;--color-prettylights-syntax-invalid-illegal-text:#f6f8fa;--color-prettylights-syntax-invalid-illegal-bg:#82071e;--color-prettylights-syntax-carriage-return-text:#f6f8fa;--color-prettylights-syntax-carriage-return-bg:#cf222e;--color-prettylights-syntax-string-regexp:#116329;--color-prettylights-syntax-markup-list:#3b2300;--color-prettylights-syntax-markup-heading:#0550ae;--color-prettylights-syntax-markup-italic:#24292f;--color-prettylights-syntax-markup-bold:#24292f;--color-prettylights-syntax-markup-deleted-text:#82071e;--color-prettylights-syntax-markup-deleted-bg:#ffebe9;--color-prettylights-syntax-markup-inserted-text:#116329;--color-prettylights-syntax-markup-inserted-bg:#dafbe1;--color-prettylights-syntax-markup-changed-text:#953800;--color-prettylights-syntax-markup-changed-bg:#ffd8b5;--color-prettylights-syntax-markup-ignored-text:#eaeef2;--color-prettylights-syntax-markup-ignored-bg:#0550ae;--color-prettylights-syntax-meta-diff-range:#8250df;--color-prettylights-syntax-brackethighlighter-angle:#57606a;--color-prettylights-syntax-sublimelinter-gutter-mark:#8c959f;--color-prettylights-syntax-constant-other-reference-link:#0a3069;--color-fg-default:#24292f;--color-fg-muted:#57606a;--color-fg-subtle:#6e7781;--color-canvas-default:#fff;--color-canvas-subtle:#f6f8fa;--color-border-default:#d0d7de;--color-border-muted:hsl(210,18%,87%);--color-neutral-muted:rgba(175,184,193,0.2);--color-accent-fg:#0969da;--color-accent-emphasis:#0969da;--color-attention-subtle:#fff8c5;--color-danger-fg:#cf222e}.markdown-body{-ms-text-size-adjust:100%;-webkit-text-size-adjust:100%;margin:0;color:var(--color-fg-default);background-color:var(--color-canvas-default);font-family:-apple-system,BlinkMacSystemFont,"Segoe UI",Helvetica,Arial,sans-serif,"Apple Color Emoji","Segoe UI Emoji";font-size:16px;line-height:1.5;word-wrap:break-word}.markdown-body img{border-style:none;max-width:100%;-webkit-box-sizing:content-box;box-sizing:content-box;background-color:var(--color-canvas-default)}.markdown-body ::-webkit-input-placeholder{color:inherit;opacity:.54}.markdown-body ::-webkit-file-upload-button{-webkit-appearance:button;font:inherit}.markdown-body h2,.markdown-body h3{margin-top:24px;margin-bottom:16px;line-height:1.25}.markdown-body h2{font-weight:600;padding-bottom:.3em;font-size:1.5em;border-bottom:1px solid var(--color-border-muted)}.markdown-body h3{font-weight:600;font-size:1.25em}.markdown-body ol{padding-left:2em}.markdown-body ::-webkit-input-placeholder{color:var(--color-fg-subtle);opacity:1}.markdown-body ::placeholder{color:var(--color-fg-subtle);opacity:1}.markdown-body::before{display:table;content:""}.markdown-body::after{display:table;clear:both;content:""}.markdown-body>*:first-child{margin-top:0 !important}.markdown-body>*:last-child{margin-bottom:0 !important}.markdown-body p,.markdown-body ol{margin-top:0;margin-bottom:16px}.markdown-body li>p{margin-top:16px}.markdown-body li+li{margin-top:.25em}.markdown-body ::-webkit-calendar-picker-indicator{-webkit-filter:invert(50%);filter:invert(50%)}</style>
<style>#md_view{padding:0 20px}#md_view img:hover{cursor:pointer}</style>
<!--[if lt IE 9]>
    <script src="/static/js/html5shiv.min.js"></script>
    <script src="/static/js/respond.min.js"></script>
    <![endif]-->
<style>html #layuicss-skinlayercss{display:none;position:absolute;width:1989px}@-webkit-keyframes bounceIn{0%{opacity:0;-webkit-transform:scale(.5);transform:scale(.5)}100%{opacity:1;-webkit-transform:scale(1);transform:scale(1)}}@keyframes bounceIn{0%{opacity:0;-webkit-transform:scale(.5);-ms-transform:scale(.5);transform:scale(.5)}100%{opacity:1;-webkit-transform:scale(1);-ms-transform:scale(1);transform:scale(1)}}@-webkit-keyframes zoomInDown{0%{opacity:0;-webkit-transform:scale(.1) translateY(-2000px);transform:scale(.1) translateY(-2000px);-webkit-animation-timing-function:ease-in-out;animation-timing-function:ease-in-out}60%{opacity:1;-webkit-transform:scale(.475) translateY(60px);transform:scale(.475) translateY(60px);-webkit-animation-timing-function:ease-out;animation-timing-function:ease-out}}@keyframes zoomInDown{0%{opacity:0;-webkit-transform:scale(.1) translateY(-2000px);-ms-transform:scale(.1) translateY(-2000px);transform:scale(.1) translateY(-2000px);-webkit-animation-timing-function:ease-in-out;animation-timing-function:ease-in-out}60%{opacity:1;-webkit-transform:scale(.475) translateY(60px);-ms-transform:scale(.475) translateY(60px);transform:scale(.475) translateY(60px);-webkit-animation-timing-function:ease-out;animation-timing-function:ease-out}}@-webkit-keyframes fadeInUpBig{0%{opacity:0;-webkit-transform:translateY(2000px);transform:translateY(2000px)}100%{opacity:1;-webkit-transform:translateY(0);transform:translateY(0)}}@keyframes fadeInUpBig{0%{opacity:0;-webkit-transform:translateY(2000px);-ms-transform:translateY(2000px);transform:translateY(2000px)}100%{opacity:1;-webkit-transform:translateY(0);-ms-transform:translateY(0);transform:translateY(0)}}@-webkit-keyframes zoomInLeft{0%{opacity:0;-webkit-transform:scale(.1) translateX(-2000px);transform:scale(.1) translateX(-2000px);-webkit-animation-timing-function:ease-in-out;animation-timing-function:ease-in-out}60%{opacity:1;-webkit-transform:scale(.475) translateX(48px);transform:scale(.475) translateX(48px);-webkit-animation-timing-function:ease-out;animation-timing-function:ease-out}}@keyframes zoomInLeft{0%{opacity:0;-webkit-transform:scale(.1) translateX(-2000px);-ms-transform:scale(.1) translateX(-2000px);transform:scale(.1) translateX(-2000px);-webkit-animation-timing-function:ease-in-out;animation-timing-function:ease-in-out}60%{opacity:1;-webkit-transform:scale(.475) translateX(48px);-ms-transform:scale(.475) translateX(48px);transform:scale(.475) translateX(48px);-webkit-animation-timing-function:ease-out;animation-timing-function:ease-out}}@-webkit-keyframes rollIn{0%{opacity:0;-webkit-transform:translateX(-100%) rotate(-120deg);transform:translateX(-100%) rotate(-120deg)}100%{opacity:1;-webkit-transform:translateX(0) rotate(0);transform:translateX(0) rotate(0)}}@keyframes rollIn{0%{opacity:0;-webkit-transform:translateX(-100%) rotate(-120deg);-ms-transform:translateX(-100%) rotate(-120deg);transform:translateX(-100%) rotate(-120deg)}100%{opacity:1;-webkit-transform:translateX(0) rotate(0);-ms-transform:translateX(0) rotate(0);transform:translateX(0) rotate(0)}}@keyframes fadeIn{0%{opacity:0}100%{opacity:1}}@-webkit-keyframes shake{0%,100%{-webkit-transform:translateX(0);transform:translateX(0)}10%,30%,50%,70%,90%{-webkit-transform:translateX(-10px);transform:translateX(-10px)}20%,40%,60%,80%{-webkit-transform:translateX(10px);transform:translateX(10px)}}@keyframes shake{0%,100%{-webkit-transform:translateX(0);-ms-transform:translateX(0);transform:translateX(0)}10%,30%,50%,70%,90%{-webkit-transform:translateX(-10px);-ms-transform:translateX(-10px);transform:translateX(-10px)}20%,40%,60%,80%{-webkit-transform:translateX(10px);-ms-transform:translateX(10px);transform:translateX(10px)}}@-webkit-keyframes fadeIn{0%{opacity:0}100%{opacity:1}}@-webkit-keyframes bounceOut{100%{opacity:0;-webkit-transform:scale(.7);transform:scale(.7)}30%{-webkit-transform:scale(1.05);transform:scale(1.05)}0%{-webkit-transform:scale(1);transform:scale(1)}}@keyframes bounceOut{100%{opacity:0;-webkit-transform:scale(.7);-ms-transform:scale(.7);transform:scale(.
 * Waves v0.7.5
 * http://fian.my.id/Waves
 * 
 * Copyright 2014-2016 Alfiana E. Sibuea and other contributors
 * Released under the MIT license
 * https://github.com/fians/Waves/blob/master/LICENSE
 */</style><style>@media(max-height:620px){}@media(max-height:783px){}@-webkit-keyframes srFadeInUp{0%{opacity:0;-webkit-transform:translateY(100px);transform:translateY(100px)}to{opacity:1;-webkit-transform:translateY(0);transform:translateY(0)}}@keyframes srFadeInUp{0%{opacity:0;-webkit-transform:translateY(100px);transform:translateY(100px)}to{opacity:1;-webkit-transform:translateY(0);transform:translateY(0)}}@-webkit-keyframes srFadeInDown{0%{opacity:1;-webkit-transform:translateY(0);transform:translateY(0)}to{opacity:0;-webkit-transform:translateY(100px);transform:translateY(100px)}}@keyframes srFadeInDown{0%{opacity:1;-webkit-transform:translateY(0);transform:translateY(0)}to{opacity:0;-webkit-transform:translateY(100px);transform:translateY(100px)}}</style><style>@-webkit-keyframes fadeOutUp{0%{opacity:1}to{margin-top:0;padding:0;height:0;min-height:0;opacity:0;-webkit-transform:scaleY(0);transform:scaleY(0)}}@keyframes fadeOutUp{0%{opacity:1}to{margin-top:0;padding:0;height:0;min-height:0;opacity:0;-webkit-transform:scaleY(0);transform:scaleY(0)}}@media(pointer:coarse){}</style><style>:root{--sr-annote-color-0:#b4d9fb;--sr-annote-color-1:#ffeb3b;--sr-annote-color-2:#a2e9f2;--sr-annote-color-3:#a1e0ff;--sr-annote-color-4:#a8ea68;--sr-annote-color-5:#ffb7da}</style><style>@-webkit-keyframes sr-annote-slideInUp{0%{opacity:0;-webkit-transform:translate3d(0,100%,0);transform:translate3d(0,100%,0);visibility:visible}to{opacity:1;-webkit-transform:translateZ(0);transform:translateZ(0)}}@keyframes sr-annote-slideInUp{0%{opacity:0;-webkit-transform:translate3d(0,100%,0);transform:translate3d(0,100%,0);visibility:visible}to{opacity:1;-webkit-transform:translateZ(0);transform:translateZ(0)}}@-webkit-keyframes sr-annote-slideInDown{0%{opacity:1;visibility:visible}to{opacity:0;-webkit-transform:translate3d(0,100%,0);transform:translate3d(0,100%,0)}}@keyframes sr-annote-slideInDown{0%{opacity:1;visibility:visible}to{opacity:0;-webkit-transform:translate3d(0,100%,0);transform:translate3d(0,100%,0)}}</style><style>@-webkit-keyframes fadeInUp{0%{opacity:0;-webkit-transform:translate3d(0,100%,0);transform:translate3d(0,100%,0)}to{opacity:1;-webkit-transform:translateZ(0);transform:translateZ(0)}}@keyframes fadeInUp{0%{opacity:0;-webkit-transform:translate3d(0,100%,0);transform:translate3d(0,100%,0)}to{opacity:1;-webkit-transform:translateZ(0);transform:translateZ(0)}}@-webkit-keyframes fadeOutDown{0%{opacity:1;-webkit-transform:translateZ(0);transform:translateZ(0)}to{opacity:0;-webkit-transform:translate3d(0,100%,0);transform:translate3d(0,100%,0)}}@keyframes fadeOutDown{0%{opacity:1;-webkit-transform:translateZ(0);transform:translateZ(0)}to{opacity:0;-webkit-transform:translate3d(0,100%,0);transform:translate3d(0,100%,0)}}@-webkit-keyframes scaleAnimation{0%{opacity:0;-webkit-transform:scale(1.5);transform:scale(1.5)}to{opacity:1;-webkit-transform:scale(1);transform:scale(1)}}@keyframes scaleAnimation{0%{opacity:0;-webkit-transform:scale(1.5);transform:scale(1.5)}to{opacity:1;-webkit-transform:scale(1);transform:scale(1)}}@-webkit-keyframes fadeOut{0%{opacity:1}to{opacity:0}}@keyframes fadeOut{0%{opacity:1}to{opacity:0}}@-webkit-keyframes fadeIn{0%{opacity:0}to{opacity:1}}@keyframes fadeIn{0%{opacity:0}to{opacity:1}}@-webkit-keyframes swing{20%{-webkit-transform:rotate(15deg);transform:rotate(15deg)}40%{-webkit-transform:rotate(-10deg);transform:rotate(-10deg)}60%{-webkit-transform:rotate(5deg);transform:rotate(5deg)}80%{-webkit-transform:rotate(-5deg);transform:rotate(-5deg)}to{-webkit-transform:rotate(0deg);transform:rotate(0deg)}}@keyframes swing{20%{-webkit-transform:rotate(15deg);transform:rotate(15deg)}40%{-webkit-transform:rotate(-10deg);transform:rotate(-10deg)}60%{-webkit-transform:rotate(5deg);transform:rotate(5deg)}80%{-webkit-transform:rotate(-5deg);transform:rotate(-5deg)}to{-webkit-transform:rotate(0deg);transform:rotate(0deg)}}</style><style>@-webkit-keyframes fadeInUp{0%{opacity:0;-webkit-transform:translate3d(0,100%,0);transform:translate3d(0,100%,0)}to{opacity:1;-webkit-transform:translateZ(0);transform:transl
<body>
<div class="global-nav mb-50" style="display:none !important">
 
</div>
<div class="top-alert mt-60 clearfix text-center" style="display:none !important">
 <!--[if lt IE 9]>
    <div class="alert alert-danger topframe" role="alert">你的浏览器实在<strong>太太太太太太旧了</strong>，放学别走，升级完浏览器再说
        <a target="_blank" class="alert-link" href="http://browsehappy.com">立即升级</a>
    </div>
    <![endif]-->
 
 </div>
<div class=wrap>
 <div class=container>
 <div class="row mt-10">
 <div class="col-xs-12 col-md-9 main">
 <div class=widget-article>
 <h3 class="title word-wrap">一次有趣的锐捷前台无条件RCE漏洞分析</h3>
 <ul class=taglist-inline>
 <li class=tagPopup><a class=tag href=https://forum.butian.net/topic/47>渗透测试</a></li>
 </ul>
 <div class="content mt-10">
 <div class="quote mb-20">
 本篇文章对锐捷前台无条件RCE漏洞进行细致分析和代码审计，带你一步步进入最高权限的天堂，感受CNVD满分漏洞的无穷魅力
 </div>
 <textarea id=md_view_content style=display:none>前言
--

之前提交过一次锐捷RG-EG系列出口网关的逻辑漏洞，最近几天有时间再次审计一下，这次主要针对WEB管理端的登录功能进行审计。锐捷RG-EG系列的出口网关是网络设备，类似这种网络设备一般都会内置web管理端，网络设备最主要的是设备功能，从而导致开发者在web端的逻辑设计方面存在疏忽，造成漏洞的产生。这次审计最终成功找到了前台无条件命令执行漏洞，也算是给之前的逻辑漏洞成因画上了一个完美的句号，接下来我将回到当初审计的视角，带大家一起复盘这次有趣的审计过程。

审计过程
----

### 接口发现

1. 这次我手中的是WEB管理端的源码，这种设备说实话是不太好审的，因为这是网关设备，我们本地无法搭建完整的环境， 小伙伴们如果想测试可以去fofa上搜一下相关的在线资产，我这里也是拿一个朋友公司的网站，叫他帮我搭了一个，供我们进行测试。
    
    ![image-20240221092423857.png](https://shs3.b.qianxin.com/attack_forum/2024/03/attach-d8e595ee59d2c96602006bc6d388666a7323ad5b.png)
2. 同时我们使用浏览器的SwitchyOmega插件，把本地代理端口切到8080，打开Burp，抓一下登录功能的接口及参数，从返回包可以看到登录功能为login.php，登录逻辑非常的朴实无华，POST发送用户名密码，返回json带着状态和数据。
    
    ![image-20240221093105444.png](https://shs3.b.qianxin.com/attack_forum/2024/03/attach-7aee5918b125e8bc1b6ed38e56631554a033918a.png)

### 代码审计

1. 找到了登录功能后，我们打开login.php，大概看一下这个登录逻辑
    
    ![image-20240221094134792.png](https://shs3.b.qianxin.com/attack_forum/2024/03/attach-46cf0676f0a8db64cb90ddcb93394dc1e5580507.png)
    
    ![image-20240221094420667.png](https://shs3.b.qianxin.com/attack_forum/2024/03/attach-13a9670c778f3bd5ceedeccc5a8c1c43c7ad3400.png)
2. 负责登录处理的函数就是上面这个，其中首先会传进来两个变量"username"和"password"，就是账号和密码，是我们可控的变量，同时会首先判断不能让这两个变量是空的，然而其实这么写是有个逻辑问题，光靠判断是否=false实际并不能判断是否为空，哈哈，不过这无关紧要。
    
    ![image-20240221094509689.png](https://shs3.b.qianxin.com/attack_forum/2024/03/attach-da4518321ce2c77e2ee194c2c6e36539dd1cb3e7.png)
3. 接下来可以看到有个$res变量，这个变量装载着执行execCli()函数的返回结果。
    
    ![image-20240221095011990.png](https://shs3.b.qianxin.com/attack_forum/2024/03/attach-978f71519f6704febd084a1c23eb402c05a4a86a.png)
4. 从下面的代码我们可以看出下面的大多是对$res的值进行判断，从而直接给出结果，所以我们大概能猜到这是一个状态码变量，通过它的值来判断登陆成功与否，又因为他是execCli函数的返回结果，因此我们判断execCli会接管登录逻辑判断这一任务
    
    ![image-20240221095849296.png](https://shs3.b.qianxin.com/attack_forum/2024/03/attach-3fde1f0bacbd9870234370064fcc76c98be77499.png)
5. 跟进到execCli函数，我们可以看到这个函数有三个形式参数，$mode, $command, $answer，初步猜测第一个是模式，第二个是命令，从上面我们也可以知道从login.php传过来的时候，$mode=exec, $command="webmaster $username $password"，到这里我们确定了execCli函数会执行命令，但是这个命令我们没有见过，不是常见的系统命令，于是接着往下进一步分析下execCli这个函数是怎么处理这条命令的。
    
    ![image-20240221100400262.png](https://shs3.b.qianxin.com/attack_forum/2024/03/attach-7f41e78e3ed73bfcdf25d529cfdca3f414723607.png)
6. 往下看这个函数的内部一开始也是在判断参数是否为空，然后在下面会传入到一个php\_exec\_cli函数中，我一开始想着又是要看另一个函数，于是按着Ctrl对函数名一阵狂点，试图跟进，但是死活不管用....
    
    ![image-20240221103449264.png](https://shs3.b.qianxin.com/attack_forum/2024/03/attach-52c5ec10bb73e51bf188e063d2cd8b34f2d39c9d.png)
7. 仔细一看，哈哈，原来是上面自己定义的一个函数，动态加载php cli的通信模块，与其他命令行进行了互联通信，但是我们本地的源码并没有client.so。此时陷入了僵局，当时我也不知道webmaster 这究竟是一条什么命令。
    
    ![image-20240221103640889.png](https://shs3.b.qianxin.com/attack_forum/2024/03/attach-6c8482377a8ce455372f3961c81cd04783594330.png)
8. 再次回看，复盘分析，去群里问，去百度，谷歌搜索，我坐下来再次思考，这是一套网络设备的web管理系统，里面的许多功能更多地是以web的方式展示设备的各项数据，再加上除了login.php，其他功能点也有很多用了execCli这个函数，因此大胆猜测，这里执行的应该是网关设备的命令，类似于路由器命令。
9. 假如你是一名运维小哥，那么看到这里也许你心里已经自动有了Payload，然而，在此之前我从未接触过这种网络设备的命令都有什么，也不知道不同的设备有没有通用的命令，因此我还是回归渗透测试的视角，进入官网点击客服，开始社工！(小小的咨询)
    
    ![{FAE6F06E-F6C2-40ae-BB41-F6407F0AA3ED}.png](https://shs3.b.qianxin.com/attack_forum/2024/03/attach-5b5ac21c34a7f7bf9a2ab7b7eabdf0b51bc9f1d9.png)
10. 三下五除二拿到了设备命令手册，详细地看了下，发现了许多敏感命令，例如直接操作更改设备相关信息，更改ip信息，更改路由等等，结合百度，发现了一些没有危害的命令: Show命令，主要用于返回信息。
    
    ![image-20240221104644609.png](https://shs3.b.qianxin.com/attack_forum/2024/03/attach-ec6ac6775cb853a5d3730ca14963f2c584188722.png)

### 复现开始

1. 经过审计阶段，我们如今已经知道login.php存在命令执行，POST请求的username和password参数最终会被拼到webmaster命令里，最终到后端设备会执行webmaster username password 命令，之后后端会再将执行的结果返回给前端，如果成功，那么直接返回1，如果不成功，会返回错误+报错信息，如下我画了一张图，举例：如果让username=abc, password=bcd, 那么程序的命令执行过程是这样的:
    
    ![image-20240221105420247.png](https://shs3.b.qianxin.com/attack_forum/2024/03/attach-25bbf53e4f8ed3b496647c0c2059a92199525d75.png)
2. 因为password拼接了命令的后半部分，因此我们只需要构造一下password参数即可，使用"?"符号可以用来分割两条命令，类似Linux的管道符"||"，之后再加上我们要执行的命令，Payload打造完成:
    
    ![image-20240221105811558.png](https://shs3.b.qianxin.com/attack_forum/2024/03/attach-8ac1c6822076adfcc68e636f70d4149ff29023cd.png)
3. 这样以来，我们直接到burp中发送payload，即可实现任意命令执行，如图burp中的返回包中已经返回了show version命令的执行结果，显示了当前设备的详细版本等信息
    
    ![image-20240221111054396.png](https://shs3.b.qianxin.com/attack_forum/2024/03/attach-42cf0e3c2fe31a1c0e9fc7da78637763746913e7.png)

总结复盘
----

这次命令执行审计出现的最终原因还是因为没有进行参数过滤，使得其他命令传到了后端，并且被设备执行了，但这对于渗透测试人员来说，也是一种提示，当今许多的网络设备都配有web管理端，许多开发者为了开发方便，直接写一个执行设备命令的接口，然后通过增加路由器命令来验证账号密码对错与否，虽说这种方式对于其他功能的二次开发以及整合确实省事了不少，但也导致了安全问题，我审计这个系统之后也找了其他的设备源码进行分析，发现不少设备厂商都有像这篇文章写的这样大同小异的问题，由此可知，即使是网络设备，我们也不能放过蛛丝马迹，即使执行的是设备命令或者配置命令，也会有很大的危害！

我是小安，感谢你能看到这里，欢迎对我的文章发表评论和批评，祝你生活愉快~</textarea>
 <div id=layer-photos-demo>
 <div id=md_view><div class=markdown-body><h2 blockindex=0>前言</h2>
<p blockindex=1>之前提交过一次锐捷RG-EG系列出口网关的逻辑漏洞，最近几天有时间再次审计一下，这次主要针对WEB管理端的登录功能进行审计。锐捷RG-EG系列的出口网关是网络设备，类似这种网络设备一般都会内置web管理端，网络设备最主要的是设备功能，从而导致开发者在web端的逻辑设计方面存在疏忽，造成漏洞的产生。这次审计最终成功找到了前台无条件命令执行漏洞，也算是给之前的逻辑漏洞成因画上了一个完美的句号，接下来我将回到当初审计的视角，带大家一起复盘这次有趣的审计过程。</p>
<h2 blockindex=2>审计过程</h2>
<h3 blockindex=3>接口发现</h3>
<ol blockindex=4>
<li>
<p>这次我手中的是WEB管理端的源码，这种设备说实话是不太好审的，因为这是网关设备，我们本地无法搭建完整的环境， 小伙伴们如果想测试可以去fofa上搜一下相关的在线资产，我这里也是拿一个朋友公司的网站，叫他帮我搭了一个，供我们进行测试。</p>
<p><img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAABd4AAANWCAYAAADgO57dAAAACXBIWXMAAA7EAAAOxAGVKw4bAAAgAElEQVR4nOzdeXidZYH//8/J0qRJ94WCLAJSoKCCBauAhUFxAS0/hNFR/AojDsiFzOCMwCg66jjAoDjfQVkGdaw/YFAGBJQKbigDDDAWh01ZpMhSQApd0pY0TZrlfP8oOSRNmqbtk6Str9d1cZHznGe5c5pwXbyfu/dTOven55YDAAAAAAAUomqkBwAAAAAAANuSmsHsVCqVMnXi9pkwdmLGjZmQcWMmpL5u9IDHtLa1ZmXz8qxsXp7lLy/L4qZFKZc3f3L9tMmvyfhXxjB+7MTUjarf7HMCa7Wtac2Kl5dnZXNTljc35aWlLwzdxcpJSoPYBgAAAABbmQ2G94b6xuy395szcdzkjTpxfV196uu2z3aTt0+SNK1cmgcfuzctras2aaANoxuz/96zMmHspE06HtiwulH12W5y79/bBx6bn9WtLYWcv5xySt1lvb/AXlrPvgAAAACwFSkNtMb7zjvsmhm7vzE11bWFXKyjsz2P/OGhPLfo6Y06bucddss+u78x1dWDmqAPFKijsz2PPPlQnnvh6Y0/uJTK33TZ5IhuFjwAAAAAW5n1luxddtg9r5/+pmIvVl2bN+55QKpKVVn4wpODOua1r3ld9t1j/0LHAQxeTXVt3jj9gFRl8L+3FeWkVC5tXjh/Jd6XSuo7AAAAAFuHfh+u2jB6TGbs/oYhu+iM3d+QhtFjNrhfw+gx2XsIxwEM3ozd35DR9Q0bdUy5XC5ktnqpVCrkGREAAAAAMBz6hPdSqZT99jpwSJd1qa6uyX57HbjBGaz77z0r1VXVQzYOYPDW/t6+efAHlFPoLPVSqbR22RkAAAAA2ML1Ce/jx07c6AepboqJ4yZn/NiJ631/0vgpmTDA+8DwmzR+SiaOHcR/H4ZqXXarzQAAAACwFegT3ieMnTRsFx/oWsM5DmDwxo8fxA0xgRwAAACAP2F91pOZPGHqsF18wrhJyfP9vzfQbPhuteVRqW4dm47Ocsopp5TS2uUoSkkppeSVZS7K5a6UkzSM7kpzaWW60lngdwF/Wga8KVZK0pUhD+/dv+8AAAAAsCXqE96Hc6b5xAGuNWn8hm8AVHc25Ad3rciqNR3pKpdTSjnVpXJK5VKqq6pSVVWb2traVFeXUlVK9n1NXfZ63Zi8XFoxqPFdedHcHPzO2dlj3+lJkjOOOzVfv/7yyvszG2bkl8/clYlT134f82+7J0teXJKjPjSn13lmNszIfS2P9jn/zIYZgxpHz2PXPdcZx52aL11+fmUMG+vCM8/P9y+7qte2a++9KXf/4s6c8KmTMv+2e/LYg4/mhE+d1Ouad/7k9vWe89y5X81RH5qTpsXL8o7XHjLosVx/349z3Mz3DXr/np89w2fApag2YYmZy06/LCklp1182qCPEd0BAAAA2JL1Ce91o+qH7eKj6xvX+17dqLoBj61KdRY+U5ObHnwpdXWvrJjT1Zk1rW3pbG9PurpS1VVOdU1dlnbUp7OqOlXl5F2vn5S/PWZimquaNji+i865sFdw/tLl51fi+4Vnnp9r772p3/DbX3DuGdkvv3luZh1+UGYfeVivkN+fM447tfL1LdfMy7X33pSmxcsyceqkzL/tntz5k9v7XKu/yL8+Z33tnJz1tXMq51+yaHH22Hd6Lv7Cv+TF5xYlSf7q70/tdcxAY77lmnmVrydOndRnLP2F/IHGfuGZ5+f9H/tA5eYHm+a7X/t2lr60JGd+9bO9tn/t7H/O5O2m5GNnnjzoc42uayh6eJukXC4X+vBWAAAAAChKn/A+WD+++kfZZ+a+2X3GHr22P/Hwgvz+oUfz3g8fvdmDG0hXOrPL7q257u/2SuuS2rS+Mut9/ITapHF1utKZctYuYv/iolL+7prn0rR6TX7y8OIc/7bxadxu4PM/8fCCJK8G80+df1YuOufCXtu+f9lVlXjec+b47CMP63eWetPiZfn3r1yeWYcfVHnvwjPPz1lfO6fyXncEf+LhBbn7F3f2Gdce+07PGcedmgNmz8pF51zYK95fedHcjf4czzju1Lz7A+/NlGlT8vmTzq6M+yOnn1gJ5PNvuye333xbZWz9zZLv6dy5X+31ur/9uz/LJL2+h1uumZfPn3R2r337u1b3rHoGZ01bW753yZUZVTcqf/NPn06yNrp/75Ir84nPfbK4Cw3VQ1X7YdY7AAAAAFuqTQrvy5cuz5dP+4eMGT8m3/3l9/La6bsmSZ5+/KmccuSJWbWyOQe/c3YmThnEQxg3Q2upOZ0tNfnIxf+dFS1tqS2V8h9nvi2jxvReSmba5GmpKnVkTUd76qvrUlu14W/7xu9e12spkysvmluZqd6tafGyfOnUtTH6rK+dk8Pee3hlqZl1l5Hp+fq5pxZWQvP7P/aBXHnR3EzZfmqm7bR9rrxobk741Em5+xd35uB3zs7/3jm/cv2Lzrkwnz/p7Hzq/LMyZfupufbem3qd+1Pnn7XemeTr8/XrL8+VF82tnHfdcV90zoX58Gkf7TXrvecs+XX1nPHe0/qWhen5GXbr/px7znbveWNifddg/T7xudOTJN8879LU1delrbWtEt2739vaWOcdAAAAgC3VJoX3CZMn5F+uuTif/ovTc/K7T8h3f/W9lEqlnPKeE9K8ojn/cs3FQx7dk6S2VJM7H2zJky1JVXVdDn7tpEyc1pVVSapSlTFVjVn0QnXOuvHxPLm0JaOq6/IXb9k+46e0ZPUGzv39y66qzLT+8GkfzbSdtt+osQ00471ntN5j3+m5+xd3Vmab33LNvNxyzbz8753ze0X0Ez51Uk741Ek547hTe22/8MzzK1+ve8xgzL/tnlx0zoWVML7u8ReeeX6m7bR9Jk6dtFFrtn/+pLNz7b039btEzLpr5Q/kg29+9W9OfPi0jw7qGPrXM76vfT0y0f07Z3+n1+slzy/pd/vHv/rxAc9jmRkAAAAAtlSbvNTM7CMPy/+99pL83QdPzyeO/Mt0dnRm+ZLl+dfrLs0h7z60yDGuV30a8tNHn09dQ306OpP3vmnn1FXXptw6MY8/05Hr5y/JXU8sT7lUlbfuOiXHzdwuh8wsZ2V55QbP3R3Bk+SoD83JlRfNzanv7Ru1Zx95WK/Xnz/p7Dz8m99m2k7b91pOpXsmeX/xeO/9ZlTOc9SH5lSWf1nX/NvuyV9/ee0yId0POL323pt6LU8zs2FGPnzaR9c7I33d8119yRW5/Oa5Awb1D5/20cxsmJHLb57b7/rxGxPSN1Z3vO++acHW76mHnuqzrbq2egRGAgAAAABDY5PDe5K87T2H5Rs3fjN/c+zaZUi+ceM389Z3HFzIwAajaVlNHvpjc0bV1mZyQ1Xeud+EvPBsOadf/UheaG5LR1cpf/nWnfJXh09LqaE5rVmdleU1gzp3zyVXupdhufzmubn6kivy9esvzxnHnZq//vKnc/EX/iXJq+uY91x7vHv2+Loz3td16ntPyrlzv5r5t92TWYcflDt/cnsOmD2rz36333xbZRb+fS2P5ozjTu01IzxZeyOge834njH9l8/clQW/+33l5kH3uuqzDj8o82+7Z71rpl950dzsvd+MXiF/ZsOMPvt3jz1ZG+K/dPn5/S4tw8j55nmX5JvnXZpPfO6TaWtt6zHzfXhnvZ/703N7vb7s9Mvy8rKXNzjDfV0ergoAAADAlmqzwnuSvPUdB+ei6y6tfD1cako1+eXvmtO8ppya6uTgXSen3LgiYxu68peH7pjzfvJEakdV54bf/jG7TavN22dVpb1rcNE96TvjPVm7HnlPk7ebXJnp3XON92RtiO5e773bxKmT+sxEv/KiuZWIfcZxp+axBx/NtffelBu/e13lAa/d5/v+ZVf1mXG+7uszjju1cq1135t1+EH9zlhP1t5cWPehpt0uv/nVh7Y2LV5W+WyuvGhuXnxuUZLk6kuuyKTtpuSDbz661/7r6vk9DYalZorRHd3/8tN/VQnta9rWFB7fy6XhW3fd+u4AAAAAbKk2
</li>
<li>
<p>同时我们使用浏览器的SwitchyOmega插件，把本地代理端口切到8080，打开Burp，抓一下登录功能的接口及参数，从返回包可以看到登录功能为login.php，登录逻辑非常的朴实无华，POST发送用户名密码，返回json带着状态和数据。</p>
<p><img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAA28AAAIHCAYAAAAIH2R/AAAACXBIWXMAAA7EAAAOxAGVKw4bAAAgAElEQVR4nOzdeVyU1f7A8Q/LyKogDAiigIiiIyouaOaGVGYulGW2b+TVMmyxrpaV+Uvjttxri0tl6c12l5tFZmZmpJl7KiKCILLJjuyLgvD7Y5iRYZEZZhDQ7/v18hXzPOc55zwz05zne55zzmP26KOP1iCEEEIIIYQQol2zjDoR3dZ1EEIIIYQQQgjRDPO2roAQQgghhBBCiOZZXqgob+s6CCGEECYRGBjIoUOH2roaQgghhMkFBgbKnTchhBBCCCGE6AgkeBNCCCGEEEKIDkCCNyGEEEIIIYToACR4E0IIIYQQQogOwLKtKyCEEEIIIYS4+qysbQAoGfLkVS/b8cRaujo6XPVyNfILCtus/JzcHABasnCk3HkTQgghhBDiOtUWgdv1zkXp0uJjJXgTQgghhBDiOiSBW9tpaQAnwZsQQgghhBBCdAASvAkhhBBCCCFEByALlgghhBBCCCF0WFma4ePUdKiQUnAJAE9HiybTJJ6v4kJVjVH16Nq1Kw4OXQw6prCwiPz8fKPKbS/l1yfBmxBCCCGEEEJHVxtzHg3s3OT+Tw4UA1wxzbu7C8ksvmRUPfz8+hIQMNigY44dO87+/QeMKre9lF+fDJsUQgghhBBCiA5AgjchhBBCCCGE6AAkeBNCCCGEEEKIDkDmvAkhhBBCCCHapVOnYklNTTPomJKSklaqTduTO29CCCGEEEII0QHInTchhBBCCCFEu9S/f792tdpjW5M7b0IIIYQQQgjRAUjwJoQQQgghhBAdgARvQgghhBBCCNEByJw3IYQQQgghhI788mo+O1Tc5P6MoksAV0yTX15tdD3i4k6TmZlp0DGFhUVGl9teyq9PgjchhBBCCCGEjgtVNZzKrmw23als4wO0K8nPzyc/P79Vy2jP5ddnUPCmmr+VjaHeTeyNZJF/GBHG10kIIYS4qqR9E0II0RGYcM5bEOHRW5mvMl2O7UsIK6OjiV4Z0tYVEUIIcVVd6+2bEEKIjqLFwVvkIn/8/dX/FkVqtnoTOvcaDG5U89kaHU5QW9dDCCFEq7uu2jchxHXN/uiHbV2F61ZObk6LjjPJnbeIHZGmyEYIIYRoV6R9E0Jc6ySAu/paGrjBVVmwJISV9e5aJa2bydTlMfWSrSQ6PKhOmkXsCg4n1BtIWsfMqcuJQcX8rRvrbatXhs52fctvmAaSWDdzKglzowmvuyMonOjocIhchH+YzIAQQojrl3Hty/KYOm0akSzy38HEumkbbWcay6/+nLz6+a7GV/savdrJy3U05FyFEB3NhYpyABT7ll/1skuB0pLCq16uTh3auPyWMMGdtxBWaqObJNatrtPQNDHc0Dt0o87cMdX8rTqBmzpNOE3OHdeXPuXLkEghhBCNMrJ9M6h9CSK8ftqgcN151iEriW40vyDCo6NpfEp2EOHRG3XbU+9QNhpSRz3bciGEEK2vxcFbUHg00dHRdRqS+r10Kua/HYo3qHv5aucP+GsmEATNrp38HcJcbasSyaLadDPXJbW0aoaV7+uDtvQ68xw05UeE+eM/cx3a2kQuUqeRu25CCHFNMln71kz7Ul/Supm1aRYRqa3M5bZSJ5Cc6d8gbVD4ShoLpbT51m3Lgiaq0zZbR33bciGEEFeDyVabTFq3AJ3RE6pJBHvX/u0dysbo2sZQ2/h4EzxJBSETtb15SetWa4d9xCxfgFHxm77l1xEUHk301vmogJjlYchoECGEEC1u3+povn2JZI12YwSrtQ2gNz6+1Gsr69anbtogJjaI3urkG7OdXUn19zdTxxacqxBCiNZj5GqTM7UBlnfoRt0hG3V68/SVlGDCaEnf8iPC6qwmRp3GqfEeTCGEENc2k7VvHaF9aa6OLWjLhRBCtB4jFyyJYfmCdQRvVA+pCApfSUhEwweZXnFSc50WzNtXBdop1L74eF+haG8ffOukvpLmJlVHhPmr66yzaEoQ4StDiJDhkUIIcR0yQftGc+1LQmtU3GBXrOOOy+lkgRIhhGh7xg+bjFnOgjpDNsI13ZMRO7Tj8L1D3643Jj6ElZp0CYnaMfjeoXO1sZxq/uxmJnlfHh7SaFo9y1fN33q5RzUiTHdOQGO8fZEBIkIIcR0wsn0zrH0JYrYmI9V83q4zF3xHRP0y59bp99SdN77DwP7GZuuob1suhBDiqjDJowJilq8hMrR2YndQOCtDIgiLiCBs0cTaXjxvQjdGE1r3oMhFmoNZExlauxy/esWs8KZLYvuuJEJrG6qg8Giim0ysZ/lXyCdS0wrGJJAE6qEj3qFsjA6VRwUIIcR1wKj2jebaF92uQO/QjUSH6qa7PBe8bpmNt5WRixreGdRHc22gvucqhBCi9ZlowZIIwuoMmteueNVkT6PukssRYf66Y+5JYt3MmY0uWBKzfGq9tJEsqrsyl0619Cu/IfWql5djswjCmrsjJ4QQ4hpkXPvWUP32pc523caNyEX+usMUI8J0V6JsNs+Wqpdfi89VCCGEqZkNGDCgpq0r0bimHsgthBBCNC4wMJBDhw61dTX0VP9h2i27cyaEEOL6EBgYaLpHBQghhBBCCCGEaD0SvAkhhBBCCCFEByDBmxBCCCGEEEJ0AO14zpsQQghhmI41500IIYTQn8x5E0IIIYQQQogOQoI3IYQQQgghhOgAJHgTQgghhBBCiA5AgjchhBBCCCGE6AAkeBNCCCGEEEKIDkCCNyGEEEIIIYToACzbugJCCHEtqRw13yT5KPYtN0k+QgghhKlIG9f25M6bEEKYiKkaNVPnJYQQQhhL2rj2QYI3IYQwgdZoiKRxE0II0R5IG9d+SPAmhBBCCCGEEB2ABG9CCHGNMjMza+sqCCGEEK3iem3jZMESIYRoBf+cEcisWwfqnf5cXgm3LNrEpeoak5SvUCj417/+xeeff05UVJRJ8jSUi4sLDg4OeqUtLCwkJyenlWskhBDCFKSNa7s2ToI3IYRoBXui0+hqb42+HYOxqedN1qgBVFZWUl5eTr9+/XQatltvvRVHR0csLCzw8vIiLy+PP//8k5iYGJOVrTFv3jy6dOmiV9qioiIWL15s8joIIYQwPWnj2q6Nk+BNCCFawf7YDPbHZrRpHc6ePYuPj4/Otj59+uDr60tpaSnR0dF069aN2bNn8+WXX3L48GGTlr9ixQqDeiWFEEJ0DNLGtV0bZ3Tw5tJvHH2d624pI+3YYZJLjc25YwpZGU14UL2NkYvwD4toi+q0Gs8Zb/CK21Zmr9zXYN8NYWuZnPl/LN6c0gY1E0JonDlzhoEDB2JnZ0dp6eUf5crKSpYvX05eXh5mZmY8/vjjhISEmLxhy8nJ6dBDIRv+niexbuZUlpu+A7dDuCFsLaEB9TYe+7TRdqAju9bbt4bXbUBeLHtjs1u1XDuv4QTYpLR6OeL6cb22cSa581aedoS/a6M1O6/hBAQMB2MCOBcVo3uWcezvJEqvtK290gnWQlgZHc7W+QlMvV5bfCGuQ1YKCwb1cml2QvWFi1XEpZ2novKSyeuQmJiImZkZPj4+nDhxQrv93Llz5OXlAVBTU0NUVBT+/v507dqV/Px8k9ejI0taN1P7262av5WNG7eCMQFcyEqiZycyc+pyYq60rb3SCdZG8dSns3h9xrkOHcxcl3SCNVf6je7HUK9S7bWcEM2RNq7tmHzYZGnyKdKch+GstCO5VH4EIILV62azMXgSquUx7b9hFkKYxNKHRnP7KF+90lZdquajbcdZEXHUpHU4d+4cFRUVDRq2qqoq3fJrXysUCpOWf/fdd9OtWze90mZlZbFp0yaTlm9qMcsXsC54I8GTVCxvhfkTHc8+ftw+lVcCRuC5OQUJ3zqqbFLTPAlwdsEuubT9d5CLdkHauLZr41p5zpsdXkOHYZMaC3374Uwup/fGkEPtHboetrXpLg+1rHs7P2C0J+TFcpp+jW9D9za/nddwApxz2+fduaSEy4Gbaj5bN4bird23TtvjGrIymnAa3rljkT+a
</li>
</ol>
<h3 blockindex=5>代码审计</h3>
<ol blockindex=6>
<li>
<p>找到了登录功能后，我们打开login.php，大概看一下这个登录逻辑</p>
<p><img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAABlQAAAQQCAYAAACUWLbrAAAACXBIWXMAAA7EAAAOxAGVKw4bAAAgAElEQVR4nOzdd3yV5f3/8fd9VvYeZLP3RqYKIiKoiIoLd1sVbdWqVevP1Vq/jlJbrXZoFe1wKwoi4AAUqcossiGEEUgIZO99cs79+yMQVtYJSU4Cr+c/Oee+r/u6Pvc5KfZxv3NdlzH0nCtNSZJZ+6PWsa8PvzdPPmfW17YF/Zz03mz4nHnkdVP9mE2McVwt9Zw77uWxd1pPu3prqb+PBmtu5H6OP9VIP41+9gAAAAAAAAAAoKUsnl9itH4VHo3u3fHb3ul+fwAAAAAAAAAAdD4NBCr1PNRv1+f8rTBYh84l2ujz7dD3DAAAAAAAAABA59WCGSqtpSM//SfdAAAAAAAAAAAAR7VxoOLtmS6NITQBAAAAAAAAAADN0wqBSkcOFTrI0mFe+Yg68vcCAAAAAAAAAEDn0sxApSM/nO/ItbW1M/neAQAAAAAAAABoP0cDFaMjP5zvyLUBAAAAAAAAAIDTnRc3pT9FXliKyzuxDmESAAAAAAAAAADe1oEClTM5ODiT7x0AAAAAAAAAgI7PdioXG5LMNr6iY+isdQMAAAAA4H2BVqvuTIjTB5lZyqiqrjt+TXSUimpqtCS/wIvVAQA6i7MHB+n2adHqFuujfYeq9MbibK3cUuLtsnAGMYaec+XRpMA8NjQ4MUAwjzlkntDqhLYt6Oe492Yj5ySZx7U7sa15wstTrOWEfsxW6MPTWsxmfi7H91FfWwAAAAAA2l5UZJQGDxki05Q2bdqg6qIi/bVvb0nSE3v2KqOqWrfFx2p6ZITeOZSlj7NzvFwxALSe8PBwXXfdDerff4AkaceO7frgg/eUn5/v5co6Bz8/Pz388CPq3r2HJCk1da+eeupJnT04SC/c3fWk9g/+fT+hCtrNKc1QaTNemRDSCWahdIISAQAAAABntgnjz9NPf3qr7A67JOlAxgE99bvf6ok9e/VMzx56pmcPbSgp0aTwMC3MzSNMwRnLN8JXklSZV+nlStCawsPD9eyzs2W1WrRq1SpJ0rhx4zR48BA9/vgjXg1VggKDNGXqRRo+fIS6dOkiScrKytKGDT9qyVdfqqS0Y4QS06dfrh49emrx4kWSpGnTLpUk3T4tut72t0+LJlBBu2nhDJWj59tkhspJfRx/rm1mqDSvn8ZnqLRWLQ3MUJEa/VyYoQIAAAAA8KaoqGj9YfYftX3Hdr355hxJ0q233S5fHx89++zTivdx6M99esthMfRNfoH+kp7h5YpxuvOP8Vf3GT1kmqayfshU3pY8b5ckn1Af9by2l/zj/CVJ5QfLteej3aoqrPJKPZcefli96PDDa5yau+66R8OGDdPjTzyunOwsSVJUdBc9+8yz2rhxo1555W9eqWvUqNGaNetOORwOJScna/++fZKkrt26qV+/fqqurtacOa9p3bq1XqnviPj4eD39f89p1ZqVmvP6a8ed+/ql/vL3tZ50TXmlSxfcv6O9SsQZrpEZKqfjdIjT8Z4AAAAAAOgYBg0cJLvDrn/+6w0VFNT+FfY/33xDvXv3kiRdFBkhh8VQtdvU8KAgxfs4jttTBWhtsRPiZAuwyVnsVPereihqVLTSvkxT+cEyr9XU7crucoQ6tG9BqiQp4cJEdbuyu3b+M7nda4mNi9XPf/ELSdL6Det16OChdq/hdNOvf3+tXr2qLkyRpJzsLK1evUrDho/wSk2jRo3WL395n3btStGc119TZlbmcedjusRo1h136pe/vE9//evL7RqqxMbE6pFHHlN4RISKi4sVFBSk4uJizf3ow7o2oaGhKiws1P7MavXv5ndSH/sz+e8I2k/HXPKrQyOUAQAAAADAYrFo1MhR2rxliyoqymUYhnr37SNJevmlv9a1W7x4oT744P26PVMW5ubpy9y8uuW/juyp0hmYpr96jB2vs/p1U6RRrLStK7R0XYachuHt0jximmEaednF6ht0womCrVr4+SYVB43WbfeOUeobf9U32T10/g09dfCTpUqp6lz3KUk2f5sqcyu18z/JihwWqfgLEtR/Vn/lbcxTxtcH5Cx1tm89fjYFJQYp8/uDqiqonZGSuz5bMefGyepnk6uipl3rycrK1tKlS+te4/QTFBSsWbPu1K5dKZo9+zk5nSf/zmdmZWr27Of0yCOPadasO5WcnKySkuJ2qe/2WXfI7uPQ/PmfKCg4WAX5+fruu+9UWFhY1+bI6zcWZ9e7h8obi/ndbQ1bN29o9PygIcPbqZLm27p5Q5N1NaeNJzwLVDpFltApigQAAAAAoFOLiIzS3ff8UmVl5Vq4cIGioqM1/twJ2rkzWTt37pTLVftgeOUPPyjO4agLU97MqP0L+CN7qsyM6aIX96d781aaxfTppSsfeVw3dMvTj+t3Kc/soQvvv1pXb31Fj85epix1nLCh+5VP6TbbO3rio10NtIjUiMuv01npX2nLsVvYuP1qHxSZLtU4naoxJVm6a+L1F2nD4qVK8c6KVK3DlHI35Kpge4Fix8eqy7gYhQ0I06HvDilrVaZMV9s9S+pzcx+5Klw68M0B+YT5SjIVMz5OMePjjpbnMhUQH6Cq/EolTEqQ1c+qlLdT2qymI9wul15++aU2H+dMkrxjh8aOHaeFixYdt+TX2LHjtHHjxnavZ8qUqXI4HJrz+mv1hilHOJ1OzXn9Nc3+wx81ZcpUffLJ3DavbeDAgerTp6/+/e9/6uuvlx13rk+fvho6dJgkadOmjUpJ2amVW0r04N/36/Zp0eoW66N9h6r0xuJs9k9pRQ0FD02FLd4yaMjwRgOT1g5TJGaodApERAAAAACAjiYnO0tPPPGYZs68Qddff6MkacmSJXr77X/X2/7u5F3KqKrS6NGjFRsbrwUL5uvelIYe+Hcspmmo98wHdGPICj1+97+0s7w2PDHfGqH7X/yN7r1kvR5bXK7gCF8584tUeThcsfqFKkQlyq9wyTQdCo7wVVV+kVwhSUp05Cg1233SsX05lYfHtCogOlYhzmxlFVTJfXgWzLH9OH0iFBvmVm5mgaoPj2nzD1OXuK7qZo9VRHiWyo6p53hO7fryb/r7mhPOGYZUulXz39wtZ74kS32fR/21dQauKpcOLDugnB9zlDglSQmTExQ1IkrpS9JUmFzYdActULSrSPGT4hU2IEymy1RFdoUOfXeobnaMPdCu2PGx6j2zlwyrIZfTrYPL2V+os/rgg/c0ePAQPfvMs8dtSu9yufXBB++1ez3Dh4/QjuQdJy3zVZ/MrEztSN6h4cNHtEugYrHYDv88fl+Ua66Zqcsuu1zV1bWzFy+77HJ99tkCzZ37oVZuKSFAaWXHhiX1BScdcWbKsRoKVdoiTJEIVAAAAAAAQAulpaXpj3+crZkzr9Oll16mRQsXNNg2o6pK1157nUzTrblzP5IkldS42qvUU2OM1hXT/bXsybfrwhRJMkp+1Nuv/EeXhoXLYhmhB/9ziTbc9KAWFNWe733TC3rU/hf95JVNkvVcPfifS5Q7Xzr3ojgd+uwp3f9e/EnHfvXOTvl2u0j3PvxTjfArVblfsFzb3tMffj9fu2uMw/1MVca7ZRp5QTcFRkTLlr5Asx95XRsqDPW76gnNOjtMQcbP9Gyf7Zr76+f1damH93u41g03PahPT3hu2WhtDQiPiFB+Xv2bwTd2ri1V5Vdp9we7FNw9WImXJKnXdb1VvKdYqfP3tvoyYFmrs5S3JV89r+6hgPgApbydctIYJftKNPjewSrdX6o9H+9VTVn7LUUWHFy79ltxMQ+pW0N+fr4ef/wRXXfdDRox4ixJ0saNG/XBB+8pPz+/3euJjo7Wtm1bm90+bf9+nX/+pDas6KgtWzZp69Ytuuqqq7Vq1Q8qLS1V3779NH36ZVq2bInefvstSdLNN9+i6dMv0+bNm7RzZ7ICAwP1pz/9Wampe/WHP/y+XWo93XW2mSknOjFUaaswRSJQaR1MIQEAAAAAnMGOLCNTUFjQaLvp0y/T/PmftEdJrSu6qxLtu/VJco10
<p><img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAABWUAAAOzCAYAAADQpGQiAAAACXBIWXMAAA7EAAAOxAGVKw4bAAAgAElEQVR4nOzdeXiU9b3//+c9JJA9IWSZLCRsSTCRQCAgAQRF1Fq0Wjdsfz3fti7V0822Wj3anvZ004Pac+r3as+xy6m1p6ffoqXVKuJyRFCRnQAalgQKCVkmK8lkDySf3x+TZSYbM5BkArwe19XrYu753J/7fd8Z04sXn3l/rKw58wxeanQ6vR0qIiIiIiIiIiIiIoOw+bsAERERERERERERkUuJQlkRERERERERERGRMaRQVkRERERERERERGQMKZQVERERERERERERGUMKZUVERERERERERETGkEJZERERERERERERkTGkUFZERERERERERERkDCmUFRERERERERERERlDCmVFRERERERERERExpBCWREREREREREREZExpFBWREREREREREREZAwplBUREREREREREREZQxdkKGuYyXV3ryYzyJz/XJF5fPnH3+b6xPOfa8DcI1iniIiIiIiIiIiIXBz8FsqGJ8wn9/49WLYJvp88IZ1Vn7+RrOARKMR0cvrMaU53jcBc/Y1knWeRlJxCbFz8gOOxcfEkJaeMfgEiIiIiIiIiIiLilTEJZUNiZxOetJDwpIVMCk8CIDQui46mSsIS5hMalwlAwKSI3nFh9nlYtgCvr2GMjVB7CkmRg59jCCR6air20ACMLYjJMWEEGAMN+3jxF8/zoQOMmUhkbCQTMRAUQ0pStOvPQ16zb3xgZCKpSRGuOQcbGxhNytQYgm3mnM4/m9bmZhZekUdcvL33WFy8nYVX5NHa3HxOc4qIiIiIiIiIiMjI8z71PA/pn/xPOtvr6OrsJCQmg0N//TwhsZlYEwJIWvQVwu05nHj3X7AmBDB1yUO0VB8mKDqN5sp9FG74ylnnD0q7mce+9wCLQp00T5pM58f/zY9/8ns+cloARMz9B77/z/+Hy6ijJbCLfev3MOPOiTy3+ifsCLiG7/z5U+y65QFedF7Dd/68mpPPN3PF9dMJj7UTUPwS//L1/8uuZmvghQOu4Tt/voETv2zlqjUz6eqKILJlO//5vR/xt2OnuwfZSPr0k/zPdTMJjU4gpPpN1n7jx2yqtrw83zt1p2rZ/uEHLF6yjF07tgGQu2gx2z/8gLpTtT7NJSIiIiIiIiIiIqNn1FfKBobEMDEsjqKN36TgpTtpqy8mPHE+obFZlO/8Tw7/9Qu0nTqOLSCIkNhMTh1/l0Mvf4Hi939ERPIVZ53fTJjN3d+7n8lvfoNPf/pObvvUF/mDuZXvf3kxE43BBMzlvu9+Bmvdl7j5tju57c7vUrzwGmYMOWMW80L+hy/ddQe33v4wW0Lu4O5bEoapYB7XZn/AN2+9jTW3fJqHN9v5x8f/gWm9K17TyQ55kQfW3MmnP/0lXm67jnvvzPLhfO/V1dawY9tWFl6Rx8Ir8ti5fSt1tTU+zyMiIiIiIiIiIiKjZ9RD2dC4LDrbG2lzniRgUgSTIpJoO1VCUNQ0mqsPYk2YSNDkaTTXHiY0NouW6oOu82KyaKkpPPsFZl/LVRFb+P0fD9NmWVidZfztN2/Qtvw6FgBkXUWe7V1+/+LfOW1ZWO3H+OO6rQz9hf7jbHl1Py2WRWf9Tt7YXkny1GnDFFDFO3/4G2WdFpbVzMe/W8eeqctYntw33+ZX8mmyLGg+zIb3j5EwNRWrN3Q92/kiIiIiIiIiIiJyMRn19gWhsZkY08XMVf9KWEIO9cc3c6a9HtN1mtZTRwmJvQyw0Vp7jJApaXROu4rIqUsJjc+mcMOXz34BewxTqv5OaSfQ02HgZDlVoVnYw4CYaCafOk6l2ylnampoIHqICdtpbep71dTSii08cJgCaqlxn7yjgqr6KcTEA46B8zU2N2PZArABXWc7v2yYyw4iekoMV+Qt7W1fsGjxUlf7Aq2WFRERERERERERGTdGPZQNic2ksWIPDSUfUrn/DzRVfURQZArH3n4E09XJmdZ6jr39bSZFJoE1gZrCDXS21dP4zuOcaa07+wUqqqmJSyB5Aji6uo+lJBLXXI2jCShzUGWfxsyJUNHdpjVkWgoxNA01o4/iSEi2oLr7ZdBUEibXUFAxVue7RE+ewuIly9i9czvVVa6Ud/fO7SxesoztH7yvvrIiIiIiIiIiIiLjxOi3L4jNorZoAzVHXqGp6iMA2hpKOPX3dwBod5ZSd/RNQuMup63+BDWH/sKp45u8C2QBDr/Fuw3L+eL/ySLYGExgKrfeewMTN7/BboBDr7GhNI9/fPw25s9IZnrubTxyRza+d2wFYyKZf8e93Dg7yO1oNFd/bg3TAg3GRJB7/13MP76ZzeXeznq+57sEh4aya8c2qiodvceqKh3s2rGN4NBQ3yYTERERERERERGRUTPqK2X3vbDSq3HVBS9RXfCSz/NbXYX89l9+wbe/+wx/va2d9sBgGvf8jn/5xU5XD1lO8ofH/gm++kW++uM12KrzefEPrzHroaHaFwx3sVmsvOsuMsPf5bXDx7oPHuKtPVn861/+RqAVSlDdezz7vf9HqWUNO1Wf8z3fpay0ZNDjPatmRUREREREREREZHywsubM83rRaKPTOZq1nBdjYFK0nfC2SmpbPW/JCg8j2NlIS3fQaRZ8m1ceaeexO5/lkI/hp5lgI+BMJ52WhZlwA09v+hS7bnmAv7TFEBfWhqOqCePlnOd7voiIiIiIiIiIiFx4Rn2l7FixLOg45aB/51Rj7Nz1r79mVfFv+PWGIjqT5nHdmqtp2/7PFJ7LdTq76BwkNO1sraWitbuQc3C+54uIiIiIiIiIiMiF4aIJZYdiWQ7+9P0fMOGeO/jcg59iYnstJ95/gof+sHvQcNUnpoqD2/ZT3uGn80VEREREREREROSCc9G0LxARERERERERERG5ENj8XYCIiIiIiIiIiIjIpUShrIiIiIiIiIiIiMgYUigrIiIiIiIiIiIiMoYUyoqIiIiIiIiIiIiMIYWyIiIiIiIiIiIiImNIoayIiIiIiIiIiIjIGFIoKyIiIiIiIiIiIjKGFMqKiIiIiIiIiIiIjKEAX08Ivew+QrPux7KU516MjOmiueCXNB/6tb9LERERERERERERuSj5nKyGKZC9qFmWjbCs+/1dhoiIiIiIiIiIyEVL6aqIiIiIiIiIiIjIGApodDp9OmHC4Z/QOePLMGnKKJUkftVey4S//wdJySn+rkREREREREREROSiZGXNmWe8HexrgCuepsTGUVtd5e8y/CI090oWZjdy8L/yqbIsf5cjIiIiIiIiIiJnkZScQllpib/LuCipfYGMOhOdTmZ2KM0HjiqQFRERERERERGRS16AvwuQi59VV8iu3xb6uwwREREREREREZFxQStlRURERERERERERMaQQlkRERERERERERGRMaRQVkRERERERERERGQMKZQVERERERERERERGUMKZUVERERERERERETGkEJZERERERERERERkTGkUFZERERERERERERkDCmUFRERERERERERERlDCmVFRERERERERERExpBCWREREREREREREZExpFBWREREREREREREZAwplBUREREREREREREZQwplRURERERERERERMaQQlkRERERERERERGRMRTg7wJkfDIGQqYkE2XqKK9rZWJEDLHRYZjmKqqqm+i0rAHnWEERTI6eQrjVSn1dDfUtp7EGGTfgGpyiorYJuscaE0h4fDyh7dVUNrS7jQ8kLD6eKaET6Wyrp7qylo4uq9+cFsHRicREhTChs4WGqnLq28yg1w4MjSY6Joqg041UV1bRMjGGxMk2GiqraHGb15oUzuQpMYQHtOOsqeJUy5lB5jt7bSIiIiIiIiIiIqBQVoZkYc++hvmdu9nWkcEVKUF0mQACJhhay3ey5b3DNPeGqBOZctkyFs+ZSjBn6CSACVYbdYUfsn1fCa0MFU52X8PazsubDtPZezyCGVdcQ2rF27y6u9x1jeAUFly1hOkRE+ns6MCaOAmaC9n+5odUnO6uY1Ii2cuu
</li>
<li>
<p>负责登录处理的函数就是上面这个，其中首先会传进来两个变量"username"和"password"，就是账号和密码，是我们可控的变量，同时会首先判断不能让这两个变量是空的，然而其实这么写是有个逻辑问题，光靠判断是否=false实际并不能判断是否为空，哈哈，不过这无关紧要。</p>
<p><img src=data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAvIAAAEUCAYAAABJbtJOAAAACXBIWXMAAA7EAAAOxAGVKw4bAAAgAElEQVR4nOzde3yU5Z34/c8VAhJIJgeSMDMJCYIkkCgSCMigghwUIaJWENC17a8oW3/7tOIWt1Tbbp/dbuGFxa306bNrf7b6aHe7olJFTp4RFcI54ZBAQIGEZDIkEJKZBAKEXM8f98xkJpmEmSSQA9/368VLZ+aa677ue2bge3/v73XdKiV1mEYIIYQQQgjRo4R19QCEEEIIIYQQoZNAXgghhBBCiB5IAnkhhBBCCCF6IAnkhRBCCCGE6IEkkBdCCCGEEKIHkkBeCCGEEEKIHkgCeSGEEEIIIXogCeSFEEIIIYTogcK7asPDJk3h37NdrF69ly1KtdpOJ6Tzn48NJ8ndRld9w0/ePMLxVt7jaW/FcdW+O5vWVn6+ZAx3+Gxz50cbWH7k+o2ho7ry+AVDx4xmxvRRRFHGnne/orQTx6d1KnfMm0hU0Yd8dqim0/rtTq7l8QuW7Zk3yCn/Jb94p8Tv+dRHV/LPWXv51+fXUNypn2sK81b8mhyLQuu9/OkHL5Pbzb7XQgghRHt0WSAfLFVZxD/8vgiAqXNmsySmiwfUCk8QP+FEPg+tt/u80vUBg2dsyXu+5B+213b1cEQn60knILZn3uCpMQ42rSum+W/j5K69lM/K4Z+XlPLk77d32jYnLfk1s837ePV/uQN4CeKFEEL0Et0+kA+Vb+B/Xf/BHmVmAnX8bUcZ3SF4b68uO35BUtUH+GztAfeD7je+YOkhd/HIHclo7eToZxsprL4++9KVx0/blrA4S7Hv//yUtcUtt62K3+bnr1p4/e+f5ke2bfwht+Pj03oS48ZA+eb3JAsvhBCi15Ea+U4yPC4KcHGqoqtHInqCIclJ6LJCjrqisCR308tMnUjrSfx48Vh03ittBugqdzWv5mmyFj+LTetO276jtLjT+hJCCCG6i6Az8sMmTeHfhzv4yZsuFvrUgZft3upXrhGo9t237ORhv7ITgCi+993JzI1ztz2eF6DN1YVcSz9yLB/MtDQ9bud2gxXscWntOLc2vrb2Y9ikKfxufGRT4/FTWDe+6aHvZxfK8QtmLkCo+3E1ntpuk6cfZyFbPtpPTbPxRd86m6nWUrZ8VEP6vIlN+1OWy/u5/sGc1tFkzryfdJN/H84W++vfrnkW3VPaYsUV9PNWK9h37acsOpk0ayrRB1vuCzRl7r2PffYj+tbZTBtpamo8chbfGemzH0c2e0ttgj1+vuNO8nmtbOf/sOtU0+NQjjPA0PkPkcU+/rR621WvBGxft5GcMTnkzE8lt1kdvRBCCCGahFRao+Ju4XfPGkHbQ0eUO/ibzAtVG9s1oVMpC88+a2nW3xj+Y5Iz5FruUGrpPQGub/CpR47l5yPLQtqP5kE0RPLssw/wrOf1q5xMtLovzY/zyLF8MDOLF5qN72r7cXz7Vh7aHlyNfLDHzxPws+dLHnL3NWzSFH438wFewD+YD3Y/gjomPiUhybYFZEe10daUwbRHjeDzvVPKHQzbmDDkpDcY9QS2FH3Iex+7g11Prbnv/nqCcfsO3vvYJ4Ce8RiR7uBWqWJ2fhbNjOmjSJtwO2XuAHnIpJZBPAApQ7BSxp4SqI4txZWeTFLsfmqq/ffDE6j7BtF6yF3c4d6PmkObeO9QcDXywR4/v+Pi7iv61tlMu+MxJuAfzAdznI1jmEJ2lhny1wVV3qKK32Zjfg5PZU0k9e3iTp34KoQQQvQmIZfW+AaNqrKId07AhPEjGdbOy+CB+rMOT2p3f1ejE9J5LnsgZbu3+gedR/aFHlwe2cdDqzfy0OqN/OPuWrQu5+WXN3ife/gvRSEH8R5+Ge7DDnZqTXJcU/TVmfsRLK0j+f79w7GeyPc7ITi+fSsvH9cBvwdX249rxS+DXHKKMq2Jim46OxkyahRRrsPsOVjdSg+GmNsyjaB7+0nvc9UHt1Hk1FiTh3qfU9UH+HRXGcqUQXqKEXCPT1K4ira1qH8fkpwE9lPGijHnanDRsrxGx4wmOz0K55HN/sHzqa/9HncmraPJnDCKKPsOvxOCmkOb2F2msY66nehmn+/VjjMAQyeSZYby8tKgx2Ivd4B5HNlD27s3nm0nY+5gF0IIIUR3FVIgr3U5uYf9nys+WwexA0ltx8Y7u79gDB9hxoqDd7a5rtEWOi7QcQGwDmoqo+iS/UhMYmIs2M82Lz6Bz485INbMXYlNzwWzH9eC1qXYA1RkREXFuF83Sltc9uKApSVN/USTZI1qCrrdlKrB6QKiov0CW3Xqa3aXaZLueMyYyFqW2yJD7i2rKT3p7qsYux2irKl+fcUkJxNFGUVXOdHoVLGpWKLA5Wq5zVOlZRCVTFJs03NXO85eVgtWpUKqUz9ZakcpCxZr0G8JaOiEcVjYx97OWwRHCCGE6DZ63ao1V5M6aCDQfYP4YHXlfpRWuejJK/MEL4bIKFAmG9+ZZ2vxqtYmogDfUP3U9h1YPXXxh0/S4jilDDFe8/noTpWWMf6ODNJT9rPrlPFcVFQULav1rw9XTTWd/flqXU55KFMj7OXYO3BVLvXRlfxqtgX7pl/w5KKSHr3CkRBCCNGaDgfyqYMGwjkHPWVNiOKzdXBzV4+i47pyP4zSGP9a++HXoVzm+qum1gXaFXgCJ9AiQBwyaSJWVxl2kvzq5b2vJyehlCJ9xmOkN+vKmjwUThnbcbm67mQzKjoGTvlfSYiJ7thVFG92Pdi/KKwWLDjIa+f88+J3lrHoHSOg//NrdrkJlBBCiF6pQ8tPah3JkBig2tV2LXhiFMmtv+rX313DB8IJxzW7o+i3VS6UsmAbdU26D02QxyWQ0PbDSem5TihpqShjRyv9eE7ovu4Ry28aAXrzEpCY2zL9VmpprYSmNdG3zibb6uLorq/YueswrqhRZN/WtA1PWY3zyGbee/ctvz+7yzRYh5Ds3k51jROlkrGmtH9/QnaumPJW+omKigJXKWXn2tGvO7tuTg6+YG5ocgdratxO7tpLOWMZN6lTuhNCCCG6lQ4F8tMenMwjsQ5Wf1Dmfe7bYw7smL0BZvNlDdsy/M5xPBLruanSNXL4KGurNBPuu4fvJTQFZ3rkWF4YeW0m2ELHjktAIeyHUrWcqgZuHuHXNlRK1fLGbgdqWBb/MalpWcthk6aw5OY6/vZh6Cv0dAWlaiizu8CaSUaMcTyM5RSdlDn9j8+pw0ZAPnXS0Db79ExOxV5AYbVCVR9gT5EL08hZTBji7tNdVlNeGrgG3S9wLzloTKidkOMdIxiTaL39+eyP04Xf/rSHUjUUHC5DJdmYfmu09/mmE5TAy1Ve1ckd5DnAYgn+tNVqMYNjL3tOhr45/22X4uhgF0IIIUR3Fdryk8rScnnF1f7Bm6osYtUeM7+b+QDrZhq1satXf8mQ703mEZ++vj3mwJ49/Kr9tVgLnVv43bO3AP7roAfbTqla3vzLJk7Nmc2zjz/AXM+2j+fx8PprF4QGe1yC7i/E/fj8A2Nbc33atuv4HdnHg4zlg5lNa9Ib+7L3ml1FgQBrppPBtEczAP/10oNVc2gTe6IWMN5d4qLLcnnvo2oyZyb5LT+pqg/w6bs13DFvYos6ec92PUs2RnlWt3Efh+qDBZSlTyTJvXSjPTkJXIeNrHbzQ1VyirIJSd7yGqVqKPx4DU5b0xjBs057y+N8avuHmGbe71ey43tcgj1+6tTX/I27eOSOpjXptS5lz7tf+U34DYVSJezJczB71kPMTd0W8K6uvnTqfHLGQPnmHbL0pBBCCNEGlZI6LKgUXqAbGgkhRDC0nsSPX/8hWfl/5Mnft72EjO2ZN3hqzL5OqWv3bJdXv9fmHWWFEEKInqhDpTVCCBEMpbazfrMDlfU0P7K1njvQtiUszlLkvSqTU4UQQoirkUBeCHFdFL+zjFfzNFmLX2RuastgXqfO5zeLx6LzXunE7Hkp5Q7ImrOA1Gt0kzkhhBCiq0ggL4S4brav/iWbHGayJrRcwWbohHFYgii9CYVSJbz7/C/ZRA6/+v/+w
</li>
<li>
<p>接下来可以看到有个$res变量，这个变量装载着执行execCli()函数的返回结果。</p>
<p><img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAABOEAAANhCAYAAAChMq+9AAAACXBIWXMAAA7EAAAOxAGVKw4bAAAgAElEQVR4nOzde3SU1aH///dGsF6SEAKBmSQkiJpAokgAkUFL5KJIIuoRBOqvl29BvvI7qzW02FLU057THmHF4lG6us6xX1v9ac/p14i0Wrl4qSBVCCqQACYG8EJCLiOBECYgatH9+2OSyUwySWZyz/B5reVaPs/s2c/eT57Hrvl0X0xyymiLiIiIiIiIiIhIOxKTkqmsKO/tZvRLA3q7ASIiIiIiIiIiIpFOIZyIiIiIiIiIiEg3UwgnIiIiIiIiIiLSzRTCiYiIiIiIiIiIdDOFcCIiIiIiIiIiIt1MIZyIiIiIiIiIiEg3G9ibFx89NYv/mFTPunV72GZMq+VsfBr/9a3LSWwoY2s/5MfPlvJxK99pLJ+Au926u5q1CTyYO57r/K75zqsbWV3ac23orN68f6GwseOYNXMs0VSy+4W3qOjC9lmbwnXzpxB98BXeeP9Ul9Xbl3Tn/QuV675nyKn+Fx5aH7itdcpdefw8cw+/XJVPWZf+XZOZv+ZX5DgN1u7h999/nII+9lyLiIiIiIhIZOvVEC5UpuYg//ybgwBMn5tNbmwvN6gVjQHc5E+KuP3lKr9Pev/HfmPbknb/nX/eebq3myNdrD+Fh677nuGe8W42v1RG83fjyLt7qJ6Tw89zK1jym51dds2pub8i27GXJ/9XQ/imAE5ERERERER6WL8I4cLlH9r16I/tsQ4mc4Y/76qkLwRvHdVr9y9Epm4/b2zY33DQ99oXKjvyBu68LglrPRx6YxMldT3Tl968f9aVy9JMw97/81M2lLW8til7ngefdPL0/17GD1w7+G1B59tn7VQmjofqLX/R6DcRERERERHpNVoTrgtdHhcN1HP0WG+3RPqDkUmJ2MoSDtVH40zqo8M7u5C1U/nh0gnYwifaDNdMwTqeLLRkLl2Oy9ouu767oqzL6hIREREREREJV1gj4UZPzeI/Lnfz42frWeS37lnle9sDpjgGW+vNf6rmHQFTNQGi+e53pjEvrqHsx4VByrQv7LXjxkzgr7OdTccdvG6oQr0vrd3n1trXVj9GT83isWujmgpfm8VL1zYd+v/twrl/oax9F24/2tO4lllMYz2eEra9uo9Tzdo3+KpspidUsO3VU6TNn9LUn8oCXiwIDGKsHUzG7FtIiwmsw9Oiv4Hlmo9ea5wOmkB9yOcTEqDq3X1UDk4iNSGFwQda9gWaRsz5jv36MfiqbGaMiWkqPGYO/zTGrx+lW3zTU0O9f/7tTvT7rPKd/8u7R5uOw7nPAKMW3E4me/n9uh3tjsDb+dImcsbnkLMghYJm68aJiIiIiIiI9EdhT0c1cVfw2HJv4HJ7qWkIbqbxQO2mDm0+YIyT5cudzeobz39O9YS9dlk4a8c1hlP+wZEdM4EHx1SG1Y/mARhEsXz5rSxv/LydILDVvjS/z2Mm8NfZmTzQrH3t9ePjndu5fWdoa8KFev8awzp2/53bG+oaPTWLx2bfygMEBnGh9iOke+I3jTLJtZBJ0W2UjUlnxl3e4OgvR01DkOVi8sgjviCpMZTi4Cv85bWGoKpxbTX//jYGaVW7+MtrfuHXrG8R1RBMGVPGO28MZtbMsaROvobKhnBr5NSWARwAySNJoJLd5VA3pIL6tCQSh+zjVF1gPxpDNv8AzI68gesa+nHq/c385f3Q1oQL9f4F3JeGugZflc2M677FZAKDuFDus/ceJjMp0wFFL4U0JdSUPc+mohzuyZxCyvNlXbpJg4iIiIiIiEhv6NB0VP/Ax9QcZP0nMPnaMYzu4NSxYPUlXJ7Y4fraY+PTuH/SpVS+tz0wMCrdG34wVLqX29dt4vZ1m/jRe6extprHH9/oO3fHHw+GHcA1ChhZ9oGbd6wlKa4pOenKfoTK2ii+d8vlJHxSFBDmfbxzO49/bIM+B+31o7sEjNwqP0qltUQPbkoWR44dS3T9B+w+UNdKDV6xV2d4A7OdR3zn6g7s4KDHkpA0ynfO1O3nb+9WYmLSSUv2hmXXJhrqD+5osd7byKREqDrq3Zn05CnqaTkl1caOY1JaNJ7SLYHB19G3A467krWDyZg8luiqXQFh3qn3N/NepSVh7DUMbvb3be8+AzBqCpkOqK6uCLktVdVucExk0qiO9qbx2kk4OlmFiIiIiIiISGeFHcJZW03BB4Hnyk6cgSGXktKBBnR1faG4/EoHCbhZv6O+m67QecHuC0DC0Kaph73Sj+GJTBkCVSeaT9iErYfdMMTBDcObzoXSj+5gbQVVQWYxRkfHNnzunQ5aX1UWdDpmUz2DSUyIbgrMGhhzCk89ED04IJQyR9/mvUpL4nXf8m66UFnQYmSabypqxZGGusqoqoLohJSAumKTkoimkoPthIRdakgKzmior295zaMVlRCdROKQpnPt3WefBCcJxoS1LtuRiiqMceJMCPkrQY2aPBEne9nTdZutioiIiIiIiIQtIndHbU/K0EuBvhvAhao3+1FRW09/3gE2dLFERYOJcfFP810tPrU2hmjAP2Y7unMXCY3rwH1whBb3KXmk9zO/P93RikquvS6dtOR9vHvUey46OpqWq9P1jPpTdXT139faaqrDWQqwqpqqToyGTbkrj19kO6na/BBLFpf36510RUREREREpP/rkhAuZeilcNJNf9l7sOzEGbist1vReb3ZD+900sC15S7vgSmmPa+O0/Vg64NvNgC0CHdGTp1CQn0lVSQGrA/n+zwpEWMMabO+RVqzqhKSRsFR73Xq63svKI4eHAtHA0fwxQ7u3OhF36i2UP9DkeDEiZvCDu6VUrZ+JYvXe8O4PzxVxe+//3hI69GJiIiIiIiIdIcOrQnnz9ooRsYCdfVtr302PJqk1j8NqO+Gyy+FT9y+HUS72ke19RjjxDW2W6oPT4j3JZjw+uGh4mQXTAM9VsmuVuppDGPfPta5S/QMb7jWfNpk7NUZATuCtjbttDWDr8pmUkI9h959i3fe/YD66LFMurrpGo1TUT2lW/jLC88F/PNepYWEkSQ1XKfulAdjkkhI7nh/wnayjOpW6omOjob6CipPdqDehlFtjqTQJ5mPSurkPNQGR97dQzUTmDi1S6oTERERERER6ZBOh3AzbpvGnUPcrPtrpe/cR4fdVOHwhUONu2kmhhCqXX79RO4ccoY/76pst2yHfXCIDbWWyTffyHfjm4IVO2YCD4zpns0goHP3Jagw+mHMaY7WAZddGVA2XMac5pn33JjRmfzn1Cjf+dFTs8i97Ax/fiX8nWB7gzGnqKyqh4QM0mO992PwVdlMT/BQ6Qm8P0c/8IZp06eOarPOxo0UqCqmpM5g6vaz+2A9MWPmMHlkQ50NU1GrK4KvuRYQupUf8G7+MDnH10bwbvjgq8+vP556AvrTEcacoviDSkyii5lXDfadbwoX97W5hl6rjuyi0A1OZ+iRc4LTAe497D4S/uUCr12Bu5NViIiIiIiIiHRW2NNRjXGyfPmtLG84trUf8uN1gcGLqTnI2t0OHpt9Ky/N9q4FtW7d3xn53Wnc6VfXR4fdVE26vN36Rk/N4rFro/y+eQWPLb8CgMr3tvt26Qy1nDGnefaPmzk6N5vld9/KvMZrf1zIHS93X4AU6n0Jub4w+7H1r95rzfMr26H7V7qX25jAX2dn8dK1Dde01axbt6fbRi+CNwiaMcZ/BF46M+5KB7wjy5pvgNCeU+9vZnf0Qq5tmBZqKwv4y6t1ZMxOxH9iranbz99eOMV186e0WBeu8bo2dhyzZo4lunEX1Yb7UHegmMq0KSRe9y0m83+pSkqE+g+8o8ma36ryo1ROTvRNSTXmFCWv5eNxNbWRhna+WNDyPh/d+Qoxs28JmObqf19CvX/m6Nv8mRu487o5/NOYhmvaCna/8FbA5hThMKac3YVusufczryUHWwoa7sem7KAnPFQvWUXZf0g1BURERERERFpj0lOGR3ysJnRU7P4j0n13R62iEjksXYqP3z6XjKLfseS37S9Vanrvme4Z/ze
</li>
<li>
<p>从下面的代码我们可以看出下面的大多是对$res的值进行判断，从而直接给出结果，所以我们大概能猜到这是一个状态码变量，通过它的值来判断登陆成功与否，又因为他是execCli函数的返回结果，因此我们判断execCli会接管登录逻辑判断这一任务</p>
<p><img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAABTEAAAK4CAYAAACs67lnAAAACXBIWXMAAA7EAAAOxAGVKw4bAAAgAElEQVR4nOzde3zU1b3v/9cKUZNAEkhImISQIJpwU0gAKQMqglZLoujxAtZ27xaUrWcfFVutFrTt77QVfnjZSuvZ1W0rm+7TC1i6qxKotoI3EqqQBIRws5WEXIYk3CZAggLr/DG5zOQ6kwszkPfz8fAh85016/tZMyv5fueTdTGpaSMsF5j4hEQOVVcFO4x2Kb7eccW0pUyrXc4r213BDqXLrE3lzqU/IavwBzz1emmww2lik8cw/TsZ8N4GPsh1+zwXk3MD186IpvK3f2RrgenyOdLuWsYPZ1Xwy3kvkm+6Xo9IT4rJuYFrrnNT+NjfqFC/lBDVW/20p+u1dioPrbifLFcuP160ihL9TImIiIg0GZqSSnlZ6OQBQlF4sAMQ6Sk7Ni1iR7CDuFCVuzkBOMamELN2J+6GL57WppB+3QBs1R72bQX0fVRE5IJgJ0zm2hnRuDd+3O0EZuMf6HKSDLbwZe79WR4ogSkiIiIiAVISUyQEJWf/lNeyPf+uWPdU0EdlGlPGlsfcjHxiJtc+P9LnObvzE3JXlHXpC2naXcv4UXZSc122otuxiohI1zWOrge6PcK+kTGlrFn8LdZ0uyYRERER6cuMppOfe4pPREREREREREQaaTp558KCHYCIiIiIiIiIiIhIR5TEFBERERERERERkZCmJKaIiIiIiIiIiIiENCUxRUREREREREREJKQpiSkiIiIiIiIiIiIhTUlMERERERERERERCWlKYoqIiIiIiIiIiEhIUxJTREREREREREREQpqSmCIiIiIiIiIiIhLSlMSUC05Udi7OZ3cy5duzgx1KUEVl5zLlmZ8Tb22vncP58Ep+eldqu89b62DGrKXcP87hV33WZnLHHP/L97a0u5bxqyVzSOvF91BEREREREREOqckpoh0ifPhldyX6aLw45IOSjmIi4aao5XnJKaeToLu/3grlY4cfrhwWo/UJyIiIiIiIiJdE97ygB2YzrhL45oeH/t8M6VHzTkNSqQ7Tq7LIX9dsKO4sFnnQhZkGQr+43HWlLT+/WAHfo0HbpxOvGl4zrmMRVOq2fzOc2w8j36fmJLVPPlqEiv+5QEedG7ipfzzJ3YRERERERGRC4lPEjP20skMiz1CacFmjjUmH9CXdhFpZu1UHlowAVv4cptJvSHjHuXe0QnsyX+Cl92zeODGBDat+jU7jOF8/H1i8pfz6lUruW/BIzjzXiTfnH9tEBERERERETnfNSUx7cB0hsUe4UDhXq8Epkjoi8rOZfyM4a2On9x4J9vW7fI5Zu1sRj67pGmEoLX7KXsxm7IK02E5gEO/HcPewubHUdm5jBu7ge3P7CPFu86di9j8n292qS3WjmbY468zLLHj+ABs1s+Zes/M5sftnncMKd9rrtOf96Wt9jYaPudWsijgl8s3gWn5vjkYM3Qw1v0eH5UAaQnEtarBt/zM7IU4Y3zrOdSyXMuRncCe/CdYU+p53Jg4bTL6ERaP9qpv14u8st3ld30t5b2RS05mDjlz0sh/vbSdtkzloRX3k+XK5ceLVlGi36MiIiIiIiIiPaYpiTlw0CDqD25XAlPOOy2njzcm5CJblGs8Hle8mPyGZJ+1sxn5+GNEPfMcJxuTkMmPkvnIPHjvLvIbkn1R2bmMv6eYDHwTeyZxPuOf8yT88gtNQ2JxKRlZb7SZAOyIT3zPvtl83u8UE9VGAnX8jOE+iUab9XNGtjivMTPJeG5mi/j+QEal1+sCaK+1qUzKckDRGx2PSIxOIAFgYCLU7qS6rfY2JBLZvZwl610N9Wdy59y5DPZ5XzK50wl/WvV9DprmpOX8KY8xw+2Znn5w+/Ms2e71+t3LfZKWBFhfS6ZkNblFOdyXNYW01SVtJyinXsUEY7COiUwavoqSjpYKFREREREREZGAhAFYG09sLHxR15/UzMlcmfUVrsz6CleMSiFCu/LKhWJoOpHA4W1vNB0y5k32Pvt8cwLTjmbYN+YRWbzYZ7TiyXU57N1pibvhMaJa/Ez4jFgs+AuHrCUyaUzA4fXPuZ84NrJvRXN8J3If40CVJW78rU3HbPKjpF+XxsmNd/omLAsfajNx2lF8Abd3+BSyHFBZWdZmG4xxsWFnMcaMZfbdyzyjI92upmShtyvHTieu9n3+tK3jTX+MKWLN+j/71OHa9i57GUxGalKHr+3J+ioqXeCYyKTh7RTI+4QCa8G1lS37Aw5LRERERERERDrgszt5zPA4jhX+jU8L/8b2gm1UkczlIwa391qR80v5PuqA+HuKychqJzk/NJv4BKir2tfqqZptGyFhJnFDm49Zu4FDBa2riUxMDyg0a0cTNzYNiv/CIeM9knIXddVAQnpTMrF/5kwi2UhZbrEf9XYSX4DtJTmJZGNwlbU/zNCU/hdP//5F8t2eeE3K3Sya8ygzBja/59ZmMnIoHC4vajPBGYr2l1VgTBJJyW0/b0weL83/FvcuXq2p5CIiIiIiIiI9zGdjH/f+5vUwjannoOsIicOHkhhZQ1WdvpTL+c2YN9nzvX2eNSfvKcZ5T/trTtZVFnNuN6FJJyoBTOJSnM8ubfWstcOJBE4CkYlpwD969OyBtNfaSiorOi5jjIsN61YRN3cu7H6fwaOm47xpGRkt1qb0V6s1Lxu0XDuzV+urqKRCI9NFREREREREgsIniXlxZCQcrQ9WLCK9zphdlD17BWU0r0E5rI01JyOTxkCh7+Y3/ZNG9GJk+zhZDXHVHWwK1PAHhrqqEgh8tnqHAmlv02hEv9Z8rOFw6Xr+sK2ImdkLmTLqq1yx7dd8GkBs3rudN26809bamb1eX3ISSbgo7CSBKyIiIiIiIiI9r2E6+Qnq6yEior/Pk5GRkUAdp06e+8BEeptnZOZi3zUsy9dxqLrt6eCRiWlQvYHD5b0RS+tp4+05UfkPjJlJ/IQeOHGg7W0YjehISeu87kGODpKCLg7XQly0w+eoY/z1jDTeGwm12O28U23X2/X6mg1PaWceeVPdU3nwtZX86rVl3JGmEZsiIiIiIiIiPSkMmqeOEzuUxEjPl29r40kcEkH9wQPasVwuCDbr54zPHu1zzLOZTgmHijzrSxqziwN/3YgZu9SnbFR2LuljSij7TfMu5j2t5p0V1CXMY9y8WzsuWPDvns1+vr6OlGSvdSazft7+Wp/tCLi9+zdT6IKkpJTOK49JII4qqo8AaV/FGWM4vPsv7DAGY1wUl9fA0Oub1socMu5R5g+tYo+7uQ3GuKh2A9FjGTOooZ0Dv8YDc+f6JDtblfeqt83n/azPW3KSo+NNe4an4MAzUjX71mkd1iUiIiIiIiIigQlPHWgpPWowR/fx2cFxpI+awpCGJ+tc2/isUtPL5cJgCh9iX1IuzmeHNx1ra01MU/gQefycqff8AeeMxnIb2Pe9B3023enx+Cqep+h7+xj57JJW62Ke3Hhn0+7hjVPi6769g4zvFDOssS07F7H5PwOPL5D2GlPKlkIX2bNu5Y60Tawp8X2+cVq2d0Jw9t3LuMVWk//2E2w82nz84PbneSt6KbNvWoYTsGW/Z8k6FzOzx/iM4Pz0o+UkZC/E2VjOVrP5neXgXEhGG+1pWR7gkNdanIHWB2DT5pCTCZXrN7e7aY8pWU1uUQ4LstqpRERERERERES6zKSmjbjg5j3GJyRyqLoq2GG0S/H1Lpv8KJmPzIP37mpK/EnPsXYqD624n6yiV7j3Z3ntlrti2lJuYRVLNxWdw+h6h/PhldyXWcAv571IfgeJ7LS7lvGj7CQq1j3FU6+XnsMIRURERERE5Hw2NCWV8jJ9j+xIWLADEOlxQ4YTZUzDjtvS04zJ4631LkzWAzzo7PhvIIdrA9+JPNRY50IWZBkKX+04gWntVG6Z5cBWruXV1QEuuCkiIiIiIiIiHVISU85r1o4m5duPNm2GY+1sRn59BrbqNcoKghzcBazk9Sd4tdCSteCZdjex2bFpUdMU7vOVTZvD0wsmYAtf5qX8
</li>
<li>
<p>跟进到execCli函数，我们可以看到这个函数有三个形式参数，$mode, $command, $answer，初步猜测第一个是模式，第二个是命令，从上面我们也可以知道从login.php传过来的时候，$mode=exec, $command="webmaster $username $password"，到这里我们确定了execCli函数会执行命令，但是这个命令我们没有见过，不是常见的系统命令，于是接着往下进一步分析下execCli这个函数是怎么处理这条命令的。</p>
<p><img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAA10AAAKmCAYAAAC2WfQxAAAACXBIWXMAAA7EAAAOxAGVKw4bAAAgAElEQVR4nOzde3yU5b33+89ltasqCUkgODlIOEg4BCEJSJlojYCKhINuT1B3WyvWJU93NVZtKWrrs9olvOL2FHf3qq2tLvFZXaKlVTkttXKwkKBCEpBDAAUTchgIJGGC2j519Xr+mMxkJpkkM0kmk8P3/Xr5kpm55ndf9z3X3Ll/cx1uMzJtjKUDwxJHcLruZEdFREREREREpB3nRLsCIiIiIiIiA5mSLhERERERkQhS0iUiIiIiIhJBSrpEREREREQiSEmXiIiIiIhIBCnpEhERERERiaCvDI2L/58dFbjgwgv54vPPgr5mbTIP53+DB2em883m/8acOcxfTplI1DUibOJ4fvW9r3PX12M4sbOGT03/qXt/YJPvZ+rDv2b0Nd8n9ZrvkzL1fBqKivh7O8fZW37U1RP56zsb+SKEz8N570ssG1nC5gNngse0DmbnPczcC/az+8TZbu1PV1ibyc2L87nyK9HZfldYG8v45fOYeUMqZv8nnIrJIPdnlzM56xxObD/J3/rJ96Qv7Ee0219f15e+H6G2F7Urgci0l7RbCnjqWwns+fM+zvRgO7J2JDevepYffetGFl0/krrXd1LVT87jIgPFuV19oyfhymTGsTKuX1fj90r0v8TeuqXueo/vF+mPUTSZmqfY+5OnABh2+14uGd6z8Z33vsT3Ml1sfKOC9tueg4QYONVY20EZkUhR+5NIULsaiD79YDe18+bzs/wq7ny2qMfi5uT/gjxHCc9/9xmKjQElXCK9rstJFxMdzOAz/rizmv58wjd1h/j+s4eaH/Tf/YgWm/UsziWzWh7bLXy8/B5Od/FY+idpnX0e1pnPXVmGkt/8mLUVbcvauOtYdm0uw7xxnAWsmFnHzrefYEujPuuOGOPmbB2Q6OZsNYCbz4CYOjfufvQ9ieZ+qP31P6G2F7Urgci0F1PxKg8/n8SL/7yMHzh38Mvi7n+m1uYwLRNqN/3Jk3CJSFR0OekamxADNHH8JP0555IusnYiFz+4hpTECqoKJ1NV4x1GsZD0Bx/giyee5PMIntytzeGeu7Kxpc8F/aN00ZQHuHNiIoeKl/Ocex7Lrk1kx5rV7DMGNViJNLU/iQS1q8HBFBfy/GUv8b277sNZ9EyPJUquqo5GhIhIpHW9p6sTY3JyeWp6E4WFu9niG9fcMiTxhuYhiWNycnlqrIv7VzexJD+Tr3vLHi31lfFnJ2Tz5tyklsd+5cbk5PL0ZUNaCl+WyxuXtTys/nCbb7ihTRzPr745lhTv9uo/5v7V5RwNcnLz1vvrfq+9/9Z6Vpa3PA53P0LhTWxSR3iP36dUP7sgMMEpeIwEKkJ8vuN4Adtu3YN14CHef2md7/GFeY+TOsJw+pXA9xuzjiNPEnavoU2+n6n3fpcLvMft5It81EHiNurW68mihN8W7mizLWsdTEoZjnVvZXsFkJZIQrBtxl3HsmszOPz2uyRcu5jxxnCoeDnb4x7kzomJWPdWXti4iRO+9pvJzYs95bwOFS9nbWXb7c/Oy8cZG/j86dbbb1XO2r71a3XNi69TA2AMhip2/6gqaDnPfIXZpPvaVRNHnn6Hw752l8r0J6bj4GyIz3ccL2Db2TNYeFtKy+P9H7LhxcB6hrofPSXU9hfwnpHf5mFnRsvjqldYtaOsVdyO21+o7dkVPy+8dt+6Z4W27f6iKQ+wNGU/L2x0cYVfHYPvR2jfj2gJtb309XbV859bYPtrfb6afPkqFsZuC2g7rd87vLyQX+91+fans/NfS5t+ggMjPe2zvbLREqn2UvTGBuZnzmf+rWkUv1bZ09UWkSgIK+lqnfDAEO67bwH3eV/vIHHpiEm4hKfv8yQy15eb5u1k8dCE6jaJzdOXDQlIeOyEbB5uLne0aBvXF4U2p8t/WOGshXnkx7Wzz83JGbve4/rmWGNycnl67gIeIjDxCnU/QuFLnA4+zM4nPcnOBfPWMSV/H+e/MpkjpQZj1nH42XFMvfe7pHzzAeqbk5Th3+0gEesgntcF89Yx5apRnPZ73mY9S3rWmxwpNVg7kYRJadiTL1JdQo/8cBbO3C9rRzI9ywFlb3T8C2BMIokAcSOgaT917RRLd87h8NuFFDvzcToLSK96hcfecrDs2lyuSNvE2sqWCxjKC1nZfNFw0ZQHuNNZwE20vvBtLrfJe3HRfMERsA+e59Kr17ByU1lLvLkFJARJ5PoqX+J0YBfrH/dcRMTOv5or77+RmN//kd0lBmOq2PV0LLk/TGfctzJwFezHbQwpSztIxDqI5xU7/2qunBVDrd/zNnsG07OPB5SLmhDbn3/vha8djfw2N48sDd6uOmh/0Hl7/oM7tHJrK5vbqRNeX/MT34X0RVMeYOnMB5nlDrzoNbFXcecSz4X9ykrTnEgu4ab29qOD74d0IIR21eOfm//5qjkZszaTm/PmcVFzklXXdApSPHU70ckuhHf+G45zbgEzq15h5ZoyX7I20zmPA0ESvIHCVLzKhrL5fC9rJmmvVlAxQPdTZDAJK+ky5SVcX+75d7CeLE+hrp0YAnqODrp4/1oHqQkxQEvP1IPTL6T6w22BiU55CSsj1F1u7RBuv24sycfKuMEveTtatI1nhuWRf9kExhwMTDI7249QXZj3zySwlY///U3fMf1s44+pmrSGlCmLoNSTOJmap9izZhTOJXeQkv0kh3mWcZMMn2/9cUAPVKjxbPL9XJKbxudbbw1IxEzpvRzxHueUeSQkAgePRHQIYbtGzSTLAbWlwX8pNMbF5v0HcDozWLSkAABb5Wrnj/NwEtxr2NLoYrIbbEwdO/eXAvN8Jax1MNuZS0L1GlY1X/ACnNj7JG/GrGJhxjwuqvD88b80I5eEpm28sKe2w++CY+oc0jnAuu2lvnKuPf9BcUo+My/Ogsqydt/bmmdVql8wPyn49mzten6+Yk1E/mgPXTABBzWUvnDctx9n1n/A4YzZjJt6MZR4PiNTc4Bt/zmEhbeNZ9y0/exiBtkZBveWDwJ6sEKNZ5MnkXnVENxb3g1IsEzJB+yO8vCZcNqfjbuOGyYM5/TBZwIuNE3ly6zFe8EbWvvzvNJ5eyaMcsaUsXYTAW3ZteddDk9YTPrIJLY0ugLKB/SkVHzEoZmTGB6XBJWecqF+P0IRzXYfDeG0q57+3Ih3MBw4fLwU769srbfhajwJjCAxHmhs7vlijafHrPn93kU/wj3/+fe8GePiQPUpZk4ILcHzxeiH7aWm1gWZ05g+ag0VFd0INCoVB+DqtKCIRFLEhheGw9paig/SpsckeVgs3mRl7DgHybgo3NHUewtejEhhZjzUfOJu89LmIy7yr3VwxYhyjjb/1BjKfoTC25PEwd8ELEhhzEG+OAUMH8cF1voSHlN6L0em7GXckn048QwF3LvpYJfiXTh1FuezlY83Huj0OH9x8uOQ96lHJSeRbAwlHYxPN5Uv81hFy/AVk7qEFbfOCTokxf9Cgqb9HGgA4v0KxGeSHgP11W3/ZH10/AALZ2YwKX4TroZMxqdAfXlZh7++eocJUf1u81yM5jobF3VuINbBRdaG/AuuMZWsfeh21nZcKKRY4bA2FkfGEDhQTk3QSeOxxFrrmyhuSj6gZOoNZN92IwvxDAV8b4O7S/GGZiUTQw2l68/0yQVwQm1/jpEZJHCAdR0lIaG2v+bnOm3PYZYLlbX7ORTkK5kQ47ncsza070eootXuoymc81qoOvvcAGhwcQoYH6Rn1cddRz0jmmN6Pmu4lMm2lI8AOEW9u2vnv4C2iucHh1V7Cevz7Y/t5dOqGoyZRlIy0I2ka9SMaSRRwoYiNKVLJIr6RNIVirRhFwJNUdl2VX0TvXumuoTzE8GMWMnMgpVtXrV2FOcDn/s9d+rfHybBO4/rnTcJrG/o8c4fkQYcC6mW54+4BDjYablIsLaW2k6myhnjYvPGNSQsXgzl2xg+IRfn3ALSDz7jm1cQjp5bmtmz1LOJXcJDi5e0edXa8H7BjZ5Y
</li>
<li>
<p>往下看这个函数的内部一开始也是在判断参数是否为空，然后在下面会传入到一个php_exec_cli函数中，我一开始想着又是要看另一个函数，于是按着Ctrl对函数名一阵狂点，试图跟进，但是死活不管用....</p>
<p><img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAA0UAAAKtCAYAAADo58XuAAAACXBIWXMAAA7EAAAOxAGVKw4bAAAgAElEQVR4nOzde3xU1b3//9fy0lOFhCQQmFwkXCRcgpAEpEy8REBFwkV/3qD+2lqhHvn2V41VW4ra+j3tER7x5y3++ju1tdUjfk+PaGlVbketXCwkqJAE5BJAwYRcBgJJmKC233q6vn9MZjKTTJKZ3CaX9/Px4EH27DVrr71nzZ792euyzciUMZZWDI0fzpmaU62tFhERERER6fPOi3QBREREREREIklBkYiIiIiIDGgKikREREREZEBTUCQiIiIiIgOagiIRERERERnQFBSJiIiIiMiApqBIREREREQGtPOHxMT+z9ZWXjxoEF9+8XnQddYm8kjuVTw0M5VvNv4bc/YIfzltuqusXc7Gj+dX3/sGd38jipO7qvjM9J2y9wU28QGmPvJrRl/3fZKv+z5JUy+irqCAv7dynL3pR107kb++u4kvQ/g8nPe9zPKRRWw5eDZ4ntbB7JxHmHvxAfacPNep/ekIa9O5dXEuV58fme13hLXRjF8xj5k3JWMOfMrpqDSyf3YFkzPO4+SOU/ytj3xPesN+RLr+9Xa96fsRan1RvRLonvqSclseT38rjr1/3s/ZLqxH1o7k1tXP8aNv3cyiG0dS88YuKvrIeVykJ13QkTd5AqJ0Zhwv4cb1VX5rIv8l85Yteff7fL9APxaRZKqeZt9PngZg6J37uHRY1+bvvO9lvpfuYtObZbRe9xzERcHp+uo20oh0F9U/6Q6qV/3RZx/uoXrefH6WW8Gy5wq6LN+s3F+Q4yjihe8+S6ExoIBIJKgOBUVMdDCDz/njrkr68gnZ1Bzm+88dblzou/sRKTbjOZxLZjUt2618suJeznTwWPoHUe19HtaZy90ZhqLf/Jh1ZS3T2pgbWH59NkO9+TjzWDmzhl3vPMnWen3WbTHGzbkaIN7NuUoAN58DUTVu3H3oexLJ/VD963tCrS+qVwLdU19M2Ws88kICL/3zcn7g3MkvCzv/mVqbxbR0qN78J09AJCKt6lBQNDYuCmjgxCn6ckwkHWTtRC55aC1J8WVU5E+mosrbTWAhqQ89yJdPPsUX3XjytTaLe+/OxBY/H/RHY8SUB1k2MZ7DhSt43j2P5dfHs3PtGvYbgyqsdDfVP+kOqlcDgynM54XLX+Z7d9+Ps+DZLgtkXBVt9agQEehoS1E7xmRl8/T0BvLz97DV16+2qcvdTY1d7sZkZfP0WBcPrGlgSW463/CmPVbsS+PPTsjkrbkJTct+6cZkZfPM5YObEl+ezZuXNy1WfrTd153Oxo/nV98cS5J3e7Wf8MCaUo4FOfl4y/0Nv3UfvL2BVaVNy+HuRyi8gUfycO/x+4zK5xYEBiB5jxNHWYivt51fwLabtwAdfJgPXl7vWx6U8wTJww1nXg18vzHrOfoUYbe62cQHmHrfd7nYe9xOvcTHbQRWo26/kQyK+G3+zhbbstbBpKRhWPc2dpQBKfHEBdtmzA0svz6NI++8R9z1ixlvDIcLV7Aj5iGWTYzHurfx4qbNnPTV33RuXexJ53W4cAXryltuf3ZOLs7owNfPNN9+s3TW9q67vVUvvUEVgDEYKtjzo4qg6Tz95WeT6qtXDRx95l2O+OpdMtOfnI6DcyG+3nZ+AdvOnMHCO5Kalg98xMaXAssZ6n50lVDrX8B7Rn6bR5xpTcsVr7J6Z0mzfNuuf6HWZ1fsvPDqffOWCVrW+xFTHmRp0gFe3OTiSr8yBt+P0L4fkRJqfent9arrP7fA+tf8fDX5itUsjN4eUHeav3dYaT6/3ufy7U9757+mOv0kB0d66mdraSOlu+pLwZsbmZ8+n/m3p1D4enlXF1tEWhFyUNQ8IIHB3H//Au73rm8jsGiLibuUZ+73BBo3lprG7WTw8ITKFoHHM5cPDghI7IRMHmlMd6xgOzcWhDamyL/b3KyFOeTGtLLPjcETu9/nxsa8xmRl88zcBTxMYGAU6n6EwhfYHHqEXU95gpGL561nSu5+Lnp1MkeLDcas58hz45h633dJ+uaD1DYGEcO+20ag1EZ+XhfPW8+Ua0Zxxu91m/EcqRlvcbTYYO1E4ialYE+9RGURXXLjKZyxR9aOZHqGA0rebPsOWlQ88QAxw6HhADWtJEt1zuHIO/kUOnNxOvNIrXiVx992sPz6bK5M2cy68qYLDErzWdX4oz5iyoMsc+ZxC80vTBvTbfb++DdeEATsg+e11Mq1rNpc0pTf3DziggRavZUvsDm4mw1PeH7ko+dfy9UP3EzU7//IniKDMRXsfiaa7B+mMu5babjyDuA2hqSlbQRKbeTnFT3/Wq6eFUW13+s2cwbTM08EpIuYEOuf/91/Xz0a+W1uHVkcvF61Uf+g/fr8B3do6daVN9ZTJ7yx9ie+C90RUx5k6cyHmOUOvCg10dewbInnwntVuWkM9JZwS2v70cb3Q9oQQr3q8s/N/3zVGCxZm86tOfMY0RgE1TSchiRP2U62swvhnf+G4Zybx8yKV1m1tsQXTM10zuNgkACsvzBlr7GxZD7fy5hJymtllPXT/RTpbUIOikxpETeWev4O1hLkSdSxL25Ay8shFx9c7yA5Lgpoatl5aPogKj/aHhiIlBaxqpuag60dzJ03jCXxeAk3+QVXxwq28+zQHHIvn8CYQ4FBYHv7EapBOf9MHNv45N/f8h3Tzzf9mIpJa0masgiKPYGNqXqavWtH4VxyF0mZT3GE5xg3yfDFth8HtOCEmp9NfIBLs1P4YtvtAYGSKb6Po97jnDSPuHjg0NFu7SLXqlEzyXBAdXHwO23GuNhy4CBOZxqLluQBYCtcrfx4DiPOvZat9S4mu8FG1bDrQDEwz5fCWgezndnEVa5ldeMFKcDJfU/xVtRqFqbNY0SZ58f5srRs4hq28+Le6ja/C46pc0jlIOt3FPvSufb+B4VJucy8JAPKS1p9b3OeWYV+wfyE4Nuz1Rv4+cq13fKjOmTBBBxUUfziCd9+nN3wIUfSZjNu6iVQ5PmMTNVBtv/nYBbeMZ5x0w6wmxlkphncWz8MaAEKNT+bOIn0awbj3vpeQABkij5kT4S7h4RT/2zMDdw0YRhnDj0bcCFoyl9hHd4L0tDqn2dN+/WZMNIZU8K6zQTUZdfe9zgyYTGpIxPYWu8KSB/QElH2MYdnTmJYTAKUe9KF+v0IRSTrfSSEU6+6+nMj1sEw4MiJYrx3wZpvw1V/ChhOfCxQ39hyxFpPi1Pj+72TQoR7/vNvuTLGxcHK08ycEFoA5sujD9aXqmoXpE9j+qi1lJV1IqNRyTgAV7sJRaRbus+Fw9pqCg/RosUhcWg03mBi7DgHibjI39nQcxMiDE9iZixUfepusWrLURe51zu4cngpxxpv1YWyH6HwtsRw6DcBExYYc4gvTwPDxnGxtb6AxBTfx9Ep+xi3ZD9OPF3d9m0+1KH8Bk2dxUVs45NNB9s9zl+e+iTkfepSiQkkGkNRG/2jTfkrPF7W1D3DJC9h5e1zgna58P+hp+EAB+uAWL8EsemkRkFtZcuflI9PHGThzDQmxW7GVZfO+CSoLS1p8+6ltxsMle81jgVoLLNxUeMGoh2MsDbkO6DGlLPu4TtZ13aikPIKh7XRONIGw8FSqoIOKo4m2lrfQGJT9CFFU28i846bWYinq9v7G90dym9IRiJRVFG84WyvnCAl1PrnGJlGHAdZ31aQEGr9a3yt3focZrpQWXuAw0G+knFRnssxa0P7foQqUvU+ksI5r4Wqvc8NgDoXp4HxQVomfdw11DK8MU/PZw2XMdkW8zEAp6l1d+z8F1BX8dwQWL2PsD7fvlhfPquowphpJCQCnQiKRs2YRgJFbCxAQ4pE2hHxoCgUKUMHAQ0R2XZFbQM9eya5lIviwQxfxcy8VS3WWjuKi4Av/F47/e+PEOcdR/TuWwSWN/T8LhqeAhwPqZQXDb8UONRuuu5gbTXV7QzVMsbFlk1riVu8GEq3M2xCNs65eaQeetbXrz0cXTf1rWcqXRO9hIcXL2mx1trw7oBG
</li>
<li>
<p>仔细一看，哈哈，原来是上面自己定义的一个函数，动态加载php cli的通信模块，与其他命令行进行了互联通信，但是我们本地的源码并没有client.so。此时陷入了僵局，当时我也不知道webmaster 这究竟是一条什么命令。</p>
<p><img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAA6EAAAKqCAYAAADL61hdAAAACXBIWXMAAA7EAAAOxAGVKw4bAAAgAElEQVR4nOzde3xU1b3//9cC/KpIYogEJhcJooRLEBNAZNASAQUJF/16g/prtWI98u3jaKx6SlGr57RHeKRfb/j1tPbY6lHP6TFaWpTbUauIFYIKJNxDUGtiLgOBAJOorSLr98dkJjPJJJlJJjOZ8H4+HjwezOw1a6+9Z2XP/ux1M0Mzh1tasDaF3KvzGVa3gVXFlS03d7jdX7/075B/2Xl8e2gP+z6u48RZaVwwLIV+ZyRzetVbrN5ag7VnMzb/akadVsXubTupOnaShMFDuWDcOAY1fMAbb5fxJSnkzJ/DsL/tY8euAxxqgLOGjODCsSM4+0z4/L3/ZGut8ZQvYTTTrpjEwBMuKj938RVnMejcNOwXXzM45WtK/7ieT74xmJSJXDVtJCc/L2XX/s9xf9uf5HPHMi47jW8PvMH/bHNxkqQOy/aVMe2eAxEREREREfHo1907+KbqQz7Y15+JI8eSm3KCr47VcODDDzjz0tlkNqUx5jh733+fM5wTGXPZHC40Bmu/4YuaXRR/5AnyDIfZXbyNAZMvYuLlYwD49ssqdpXsZfiUMQH7NA372PhGA6PGZjFkyDCSv22gbvfb7O0zkXkpfX3pTh7ayob3TjBx4kVccuVE+hqDPdHIkQN/4aNSF9YYDB2XTUREREREREJjgrWEdgfbpx+n9/2Wr79pe3fWGk47cwBnnWH4urGBr060Tmvpw+kJSfTv83cajzdygtCDwP6j5zB77N/YuvLPVJxs/py1lj5nJpJ4uuWrxka+/rZzZRMREREREZH2dXtLqJc5eYKvT3aQxlhO/K2B439rJw0n+bqhnq+bXrVkrWVA5hQmnf81O/+ylSMnmrro9jmH4ZnJ0LCLw98GftQYg+1ovyGUTURERERERNoXtSA0Wowx/P1vf6NP0jimzk3n8KGjfGVP5+zBqSSddpzy93bzhbrQioiIiIiIxETUuuNGmzlzEEOHn8eghAGcxt/5W+MRqj8pp+6rXnm4IiIiIiIicaHXBqEiIiIiIiLS8/SJdQFERERERETk1KEgVERERERERKJGQaiIiIiIiIhEjYJQERERERERiRoFoSIiIiIiIhI1CkJFREREREQkahSEioiIiIiISNQoCBUREREREZGoURAqIiIiIiIiUdP37KSB/xxsg7VpPFDwHe6bnMV3m/4NP17OXw6bKBex82zKSH79w0u4/ZIEDm6p4TMTP2WPBzbtHi564Decd+WPyLjyR6RfdCZHN2/mmzbOszf9sCtG87e31vFVCN+H864XWDx0O+/sPR48T+tgev4DzOq/h20HG7t0PJ1hbQ7XLyhgat/Y7L8zrE1k5JLZTL4mA7PnEw4nZJP30KWMze3DwfcP8fc4+TvpCccR6/rX0/Wkv49Q64vqlUD31JfMGwp5/HvJ7Pjzbo5HsB5ZO5Trlz/FP33vWuZfPZS6VVuoipPruIicuvoFe9MTgOYw6a+lXL26xm9L7C9q3rJlbH2PH23Wj3MsmZrH2fnTxwE455adXDAosvk773qBH+a4WPdaBW3XPQfJCXD4WG07aUS6i+qfdAfVq97osw+3UTt7Dg8VVHHbU5sjlu+Ugl+Q79jOsz94kmJjQAGoiMSBoEEoox1M4gv+uKWaeP4BNHX7+dFT+5texO9xxIrNfQrnwmnNr+0GPl5yJ0c6eS79g9aOvg/rLOD2XMP2f/8JKytap7VJV7F4Zh7nePNxFrJ0ch1b3nyUDcf0XbfHGDeNdUCKm8ZqADdfAAl1btxx9HcSy+NQ/Ys/odYX1SuB7qkvpuIVHng2lef/YTH/6NzE08Vd/06tncKEHKhd/ydPACoiEieCBqHnJycADXx+iHiOQaWTrB3NufcVkZ5SQdWKsVTVeLsdzSPrvnv56tHH+LIbf+ysncKdt4/HljwT9Ed6yLh7uW10CvuLl/CMezaLZ6awqehFdhuDKqx0N9U/6Q6qV6cGU7yCZy9+gR/efjfOzU9GLHB0VbXXY0hEpOcJ3hLageFT8nh8YgMrVmxjg29cRHMX3muauvAOn5LH4+e7uOfFBhYW5HCJN+2nJb40/uyo8bw+K7X5tV+64VPyeOLiAc2JL87jtYubX1Z/tNHXPdemjOTX3z2fdO/+6j/mnhfL+DTIxd5b7kv8tn3wxhqWlTW/Dvc4QuEN9DIGe8/fZ1Q/NTcw4Ct8hGQqQny//fwC9t2yhXPv/Xzwwmrf67Pyf0nGYMORlwM/b8xqDjxG2K3KNu0eLrrrB/T3nrdDz7OrnUB22I1Xk8t2frtiU6t9WetgTPogrPtd3q8AMlNIDrbPpKtYPDOb8jffJnnmAkYaw/7iJbyfdB+3jU7But/luXXrOeirvzlcv8CTzmt/8RJWVrbe//T8ApyJge8fabn/Fums7VmtGTXPr6IGwBgMVWz7p6qg6TzjnaaT5atXDRx44i3KffUug4mPTsRBY4jvt59fwL7HT2LeTenNr/d8xNrnA8sZ6nFESqj1L+AzQ7/PA87s5tdVL7N8U2mLfNuvf6HWZ9fA2eHV+5Ytb7Su90PG3cui9D08t87FZX5lDH4cof19xEqo9aWn16vIf2+B9a/l9WrspcuZl7gxoO60/OygshX8ZqfLdzwdXf+a6/Sj7B3qqZ9tpY2V7qovm19by5ycOcy5MZPiVysjXWwRkbjgC0JbBoAwgLvvnsvd3u3tBHLtMckX8MTdnsDu6jLTtJ9c7h9V3SrQe+LiAQEBoB01ngea0n26eSNXbw5tTKh/N9xp8/IpSApeNm+wytb3uLopr+FT8nhi1lzuJzAQDfU4QuELJPc9wJbHPMFf/9mrGVewmzNfHsuBEoMxqyl/agQX3fUD0r97L/VNQdugH7QTmLaTn1f/2asZd/kwjvi9b3OfIiv3dQ6UGKwdTfKYTOyh56neTkQerIYzdtTaoUzMdUDpa+0/IU5IIQUgaTA07KGujWRZzhmUv7mCYmcBTmchWVUv88gbDhbPzOOyzPWsrGy+oaNsBcuabqKGjLuX25yFXEfLQKAp3XrvzVbTDVjAMXjey6ouYtn60ub8ZhWSHCSw7al8geTeraz5peemKnHOFUy951oSfv9Htm03GFPF1icSyftxFiO+l42rcA9uY0hf1E5g2k5+XolzrmDqtARq/d634ycxcfznAeliJsT659+65atHQ7/P9UNLgterduofdFyf/+AOLd3KyqZ66oRVRT/1BRZDxt3Losn3Mc0dGASYxMu5baEn0FlWaZoC64Vc19ZxtPP3Ie0IoV5F/Hvzv141BafW5nB9/myGNAWddQ2HId1TtoMdHEJ4179BOGcVMrnqZZYVlfqC18nO2ewNEvD2FqbiFdaWzuGHuZPJfKWCil56nCIi7fEFoaZsO1eXef4frKXTk6hzF8qAlsV9Lj6Y6SAjOQFobrm8b+JZVH+0MTDwK9vOsm7qXmLtAG656nzS/lrKNX7B7KebN/LkOfkUXDyK4fsCg+6OjiNUZ+X/A8m8y8f/8brvnH6x7idUjSkifdx8KPEEkqbmcXYUDcO58FbSxz9GOU8xYozhy3d/EtBCGWp+Nu0eLsjL5Mt3bwwITE3JXRzwnuf02SSnAPsOdGuX2zYNm0yuA2pLgj9JNsbFO3v24nRmM39hIQC2ytXGzcogkt1FbDjmYqwbbEIdW/aUALN9Kax1MN2ZR3J1EcubAgCAgzsf4/WE5czLns2QCs/N0IXZeSQ3bOS5HbXt/i04LppBFntZ/X6JL51rx39RnF7A5HNzobK0zc+25Jn18BfMSQ2+P1u7hp8vLeqWm5iz547CQQ0lz33uO47jaz6kPHs6Iy46F7Z7viNTs5eN/z2AeTeNZMSEPWxlEuOzDe4NHwa0cIaan00bQ87lA3BveDsg4DTbP2RbjLubhVP/bNJVXDNqEEf2PRlw420qX2Il3gAgtPrn2dJxfSaMdMaUsnI9AXXZteNtykctIGtoKhuOuQLSB7S0Vexi/+QxDEpKhUpP
</li>
<li>
<p>再次回看，复盘分析，去群里问，去百度，谷歌搜索，我坐下来再次思考，这是一套网络设备的web管理系统，里面的许多功能更多地是以web的方式展示设备的各项数据，再加上除了login.php，其他功能点也有很多用了execCli这个函数，因此大胆猜测，这里执行的应该是网关设备的命令，类似于路由器命令。</p>
</li>
<li>
<p>假如你是一名运维小哥，那么看到这里也许你心里已经自动有了Payload，然而，在此之前我从未接触过这种网络设备的命令都有什么，也不知道不同的设备有没有通用的命令，因此我还是回归渗透测试的视角，进入官网点击客服，开始社工！(小小的咨询)</p>
<p><img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAABEUAAAMFCAYAAACS5EhaAAAACXBIWXMAAA7EAAAOxAGVKw4bAAAgAElEQVR4nOyde3xVxbn3f7MTLnIVCALeUFEjxBvYtwexQCgVz8upbxtKD1qlp8aeCFrbV7GAQltaQQVF22MRTEs8p9gqLUJ7bGkNRwmgwHmrCVTDRUSMVgkYrgICSfa8f6w1a83MmrX2TuR2yO/rJ917rzXzrGee2Xw+nWf/5hmxZ/9BCR8pg7eIu6Z/bsq9THYJIYQQQgghhBDS8hBCZH3fbpvtvbhruepNUoLD/ux6n6k/mAQhhBBCCCGEEEKIRSR/kJAkkVIGiQ0hRNDXfq/b1RMhen/AT4pkmxBJSoYYfTIoRiSYICGEEEIIIYQQQoiHgJYIcSU3EhIlruRIUiJE/5ybjSLEvhZp4+qDDMqRLO8RQgghhBBCCCHk9MLexqLnECJKDwhAS2TYSRKV5NCTIy5brsRIrt44GyWI8WpfQ4J6BMk7aJgYIYQQQgghhBBCTn9cyYvwnpkfEEJAQoYKEF9RIhAmR2x7ulpEWskUOzHirCniSoDEJUP0REjYBhFb9nsbJkUIIYQQQgghhJDTn6TCqnbh1HBbTLg9Rk+Q6MkR2042iZFITZG4hEjQRn2Gfd/R/9BhyDPaRGy7YFKEEEIIIYQQQgg5/ck6KfLpEaBdWz+xoSc6/MSGryoJkiMOW5kSI7lZJ0QsdYieDJFSIqdmB1q9vglY/w7khhqk334fct8BoKHxs8aLEEIIIYQQQgghLY3cHIjOHZC69HyIfr2Bqy5G/ecuQ2PvHhACRnIEEkGpVj05kikxInbt/USqC/arnhCJS4a0WrsBOS/9PzQuXQP5950nKjSEEEIIIYQQQghpYYhzz0LOyGvReMPnUT+wn7+dJtxWIyD8RIkIr2lH+NqvRlKkKQkRvL8DbRe+goayP0LuO3gSQkEIIYQQQgghhJCWiOjcHrnFX8bhMV8Ezu/RpMSIsUVn195PZFMSIum0RKtVf0Nq/h/RuOyvJ2XwhBBCCCGEEEIIITnX/y+kb/8y6gdfiVRKNDkxEqkpkikh0mZ5FeSjv0Hj+ndOyoAJIYQQQgghhBBCAKBx2V+R2rkHbRq+gSPD+iOV8m9odUbsGiNAWFMkpT64cClE5KO/QZoJEUIIIYQQQgghhJwCpNe/A/nob9Bq1d+QTmulPyLn0XjoOZCUfjGiEtESInh/B1Lz/8iECCGEEEIIIYQQQk4p0uvfQWr+H4H3d5iJEUeOQyGlRMo+dSa6bca7d8Zvl7OGCCGEEEIIIYQQQk5JGpf9FWf8drmRy1C5DThO3AVgbp8JXq2ESKu1G9BQ9scTPiBCCCGEEEIIIYSQbGko+yNard0QSYwA0dwHoG2f8e84T6HJLf8rj90lhBBCCCGEEELIKY3cd9DLYVjbZXS1SNBWbZ8xGmoqEQDIeb8WjUvXnNBBEEIIIYQQQgghhDSHxqVrkPN+LQA41SJ6DiRUisSoRFq9/jbk33ee4CEQQgghhBBCCCGENB35951eLiMLtUhKb6AahTVXJcQ6njZDCCGEEEIIIYSQ/zmIde9oyRA48h62UgTh1hm9kdxYc6J8JoQQQgghhBBCCPnMyI01EZWI2kITtJEyTIq4siZSSqTffv8EuUwIIYQQQgghhBDy2Um//X5k+wxg5j4ApRQx1CHa3UOHIfcdOO7OEkIIIYQQQgghhBwr7FyGsYVGP5JXP3UmbOxnU85oAzQ0Hn9vCSGEEEIIIYQQQo4VDY1upYh1Co1ZU8SSkZwo6luH79MC2N5OIK03ECfaI0IIIYQQQgghhJxOuHIeufYNPZNyIpIkDe0EDpzRCHyai63d2mDZxWegrh1wzpbdGP+ORFsIHOgs0WGPYG6EEEIIIYQQQgghWWHnN4QQwXX1PvdkOlifI7DtvLb4S89W2Ng+B7v27sGh3bvQu7YeL7UC3uqTwuN7zoSQjWjMkchtZFqEEEIIIYQQQgghx4aUXmRV53grRdac1wYTvtQZP+7RgBd3vo+1r7+OdX/7Gza9/TZyPtqB2p078XbDQWy9tJ3nT85neNg9T6KHLEe3e7RrZb9Brz1Por3R8GZ027MavTbebxnwrncvc5tv/0q5o08m7kd32ydCCCGEEEIIIYQcE1x5DbvYaq558/gnQxTXfnAEF/bqghm5+7G/bRuc3asnhBBobEzj7P2HcUH7VviHhnbIP5KLBgBmkZEmckU3pDYtx64ntGvF38Cha1ej08b7cbDvwwCA9q/chtZnvodDXR5OMHYzuu25G63PtK/fiF7yRu3zARy9d4T5TIOHcXTTjWj3+G/Q+YlvYF/CEztvXI12l2kX9r6B/V0+Qjt5Y7zUZ+8b2N/lbhxMsEsIIYQQQgghhJzuhFtoBIS1AeWkbp/pcOAQSoZfiz7fuwNnndUDOTk5OHr0KPbs2IHB69bhwkdfQONHH+GoADp9hq0zna+9ALjsgiBp0fDMIHxcDOzr+yRy99yGbvc8jF1P3I92w4Cj95oJCiMhcdtq9LrtAI7eOwjbtWRH+1fK0anXcmzv60qm3I/uSckLXIB2cjXaRa6/h0Mi9CW9/Ens+OJznsKlKGylxqLj+fMREyKEEEIIIYQQQk4tLh6B9kXA4UfLcSqcdXvSkiIyN4UDPc9E/j134oOde/D3jw8gLSXatErhgnPOQuHw4Tic2xYH7piJT1ql0F1KAM1QsNzzJNr2fAP7ha6asBIVj69Gr8fN9yoJsa/vIOzz1SGpJX4C4p4n0UNeYx7dYylF7GRF+Nl7dkolOWJ87vF4t6aP1Se3V4dm9yWEEEIIIYQQQo4LN96NbmU3o3Xee8h9tDxxx8SJIjEpcjy30YgubbDnzn/B5m37kZPTCoDwnndE4MPNdbjy/E5o9867aADQeb+EaE5CBEDnkmuQXjLIoZqI297iJUASA/PE3dgRqxTxEyjB3YfxsVAKkpvRbY+fjBl2N3rJux3GPYXIjthtNy7sLT3v4ZBI2gJECCGEEEIIIYScOHK+Pxt5P7kWqbb2nRHo8sE0tNn7IvZc8TCOHMNnZpPT8I7kbWbC4bOQPrMTcs87F2fs34ezz+qBM9q1w47aHfj08BF06todBw8dQetGgfqCPui5cmuzn5OLA0jdthq9blNX3sMh8eZn8j1S4wNApKbIbavRq0iv66ElLlz1Pu55Ej0evwZY/qIzW5bSkyh7d1l3n8OuLjGqE0IIIYQQQggh5KRxNs546iF0Gn+ptdtCUY4DpTei9U9uxJmvvIe6Lz533LfVSEgIX5gRK4g4rsVWc1LIff5BnNOlA87t1Q0H9u5Bqh7ofU4PSEg0Njai8fBBpG68Hufc+jU0XnwLUN/QrEft6jsCsLe/4H50b46xC55ED9kNh8UgbNcuO5UiS/TtM776pOpJbP/ic+i8cTU6yXK0vXcEdj0RJktc9UEUcTVFco2EjwYLrRJCCCGEEEIIOQm0Ky9H5+szlXUoRJdtD6FN7hp8Muxu7L1iEbp+/WvoeP1z2Lvs2PmSKbcRJEVOxIkzCnHuWejctw86AVi/fh06duiI9999B0eOHEHhsGEQqRQaGzqhvr4eAhKNl1+AnKp3jrEXHdBaryVioR9203mjr/DoD+wX38BBX9WRWFPE6p9bFdYQ2dd3EPbd8yR6qOdvehHbE0+8iadh+RtIDeuGw1pRVhZaJYQQQgghhBByshBZVS+twP5ZFej2eCE6PvMt1N72Bhq+fiNajz0bWPbRcfNNSgmhHUHjVq8cb9q0wpH6ekgpUVW1Dr/97W+xacMGvPXWW2jTpg3at2uHjp06oX379oBIATnNd7PbntXoJb2kRu5tq9FLrkaPV86GV1PkSRzd6yk0tosX0aBdU3TeuBqt1/jtlvjKiyfuxg4xCNv9v/3LD3iJDTEI24XZH/CSIDu++JxfoNXzodfj1yD9zCBsv/cNpC+70bsmf4POTR3ge6vRsPcCtC5TF25G2/4dkN7+XrPiRQghhBBCCCGEnAga5z6Ag2sOQFx+Ddq/8x7SewFx7tAT
</li>
<li>
<p>三下五除二拿到了设备命令手册，详细地看了下，发现了许多敏感命令，例如直接操作更改设备相关信息，更改ip信息，更改路由等等，结合百度，发现了一些没有危害的命令: Show命令，主要用于返回信息。</p>
<p><img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAABUcAAAGqCAYAAAAoSvW1AAAACXBIWXMAAA7EAAAOxAGVKw4bAAAgAElEQVR4nOzde3zU9Zn3/9ccMzkygUAGDZbhUAlFS6i2JNVWhqVdhuqWsLglqfbWUPfWoFtMtJUEtsVgXZrAFhPZVSL3qom95ZfoahlupQwttglbK6FKicphkONwzOQ8mdP398eEHCfJJATC4Xo+Hn00me/pM5lhxnnP9bk+KkVRFIQQQgghhBBCCCGEEOIGox7pAQghhBBCCCGEEEIIIcRIkHBUCCGEEEIIIYQQQghxQ5JwVAghhBBCCCGEEEIIcUOScFQIIYQQQgghhBBCCHFDknBUCCGEEEIIIYQQQghxQ5JwVAghhBBCCCGEEEIIcUOScFQIIYQQQgghhBBCCHFDknBUCCGEEEIIIYQQQghxQ5JwVAghhBBCCCGEEEIIcUOScFQIIYQQQgghhBBCCHFDknBUCCGEEEIIIYQQQghxQ9KO9ACEuB6cv+DCVd9Ic3Mr7rY2vF7fSA9JCCGEEEIIIUQXa9+YMtJDENc5jRrGxqtJiFdhvlnD1FvUTDNrSRyjGumhiX5IOCrEEPn9AY6fdHL6zHkJQ4UQQgghhBBCiBucPwDO8wGc52HfQT8AXxqv4Ru3afhmipaJN2lGeIQiFAlHhRiC02fO88WxkxKKCiGEEEIIIYQQok9fnPLzxSk/H9X6+LvZeubN1qGTNO6qIg+HEIN0yHEM5+lz3W6LjDQwZvQojHGxREYa0Om0qFRSNi+EEEIIIYQQV403Gkd6BOIGduhYgEPH3Jw6G2DxPD1xMZIZXC0kHBViED7c8zc8Hk/H75GRBibcbGJsQvwIjkoIIYQQQgghhBDXgnd+76G1TeH+7+gZN1rWSb8aSDh6BSkK+AMKapUK9SCe/36/AqhQqRTUavlmYaQcchzrFowmjhvDZPMEqRAVQgghhBBCCCFE2LZXe4mMUJG1MGKkhyKQcPSyCwTgyBc+Xtpcz7b3W/B6FQBmTNfzxGNGUr9uQBOiH68/AH/+0M2vX6znb7Ue/H6FqCg18+dF8eOH45hwsxbJ5K6c02fOd5tKHxsbzZRJt4zgiIQQQgghhBBCCHGt+u0uD+PHqrHepRvpodzwpH73Mjtw0MtPV57jXVtzRzAKsG+/h5Wrz/OHP7aGPO6325pZ/rNzfLyvrb1yFFpaAlT8dxP/knuOv37iCXmcGH5+f4Avjp3s+D1x3Bhu/8qXR3BEQgghhBBCCCGEuJYFArDtAw9HTvpHeig3PAlHL7ONm+rZ/6kHRem97fQZP7947gLNLd03Oo74ePGlehoaAiHP+flBD+VvNtLYFHq7GF7HTzo7VqWPjDQw2TxhhEckhBBCCCGEEEKIa91RZ4A/1fhGehg3PAlHL6Pq/3Gz3d4SMhi96Ow5PxVvN3X8rihQtbuV02f6/uZAUWDXH1up/dQ7nMMVfTh95nzHzxNuNkmPUSGEEEIIIYQQQgyL//nET10fxXHiypBw9DIq/a/GfoPRi3bu6pxa7/MpHD3uw+Pp/8CGxgDv72i51CGKAZy/4OpWNSqr0gshhBBCCCGEEGK4fHHKz8efy9T6kSTh6GXi8ykcPhJeZWddXaAjRPX5CHu6fM1f24Y6PBEmV31jx89jRo8awZEIIYQQQgghhBDievT5F1I5OpIkHL1M/H4FJZyyUUBRlI5wNKAo+HzhHXfuvHyzcLk1N3dW9RrjYkdwJEIIIYQQQgghhLgeyaJMI0vC0ctksH0pL+6uVoFeF97DotFI78vLzd3WWZ0bGWkYwZEIIYQQQgghhBDienTUKZWjI0nC0ctEqw0/IFWr1Z3hqEaFXh/ecTffpB3q8ESYLvYbBdDp5O8thBBCCCGEEEKI4dXcEt4MYnF5SDh6majVKlK/EV6l4eyv6zt+1mlVJCZq0ITxyKTNjhjq8MQQyCr1QgghhBBCCCGEGG5+KRwdUVIKNwy8XoVz5wPExaqJju4M0B5+IJb3d7TQ3Nz3s1ylUrHw3uiO39VquG26nrg4DXWuvntOjDdpmPOtqG63NTUFaG5RiI9Xo9dJkCeEEEIIIYQQYnh4PF5OOc9y8tQZzp69gD8Q6LXOhkqlQqNWM3bsaG4aP47xprHo9boRGrEQQoRHKkcvQX1DgF+X1DN7zgnmLjjBXfOO88y/nqehMfgGMXmSjp9kj0LbR29QlQq+/71ovjxV3+32O78WwW0z9PRVqKjTqfjHhTF8eUrwTebMGT/P/Ot5Zs85wZz5J/im5QT/XlJPY6OUZQshhBBCCCGEuDRtbR4u1Lk48sUJzpy9gMfrIxDo/XlTCSi0ebycOXuBI1+c4EJdPW0e7wiMWAxG4tci+NnPYih5UOrnxI1JnvlDdOKkj5WrL/A/f3F3rDTf1qbw379t5sBBL8/9fAxfnqoj/b4YvF6oeLuJL4768PmDO48apWHutyN58gljr3PrdCqeXTmaf1vnomp3K/UNARQl2Md04pd03Ds/mgeWxKJWw9FjPp751wvU/NXdcXxzS4BN/6eBT/a1kf+zeMxfkm/qhBBCCCGEEEIMTWNjMydPnuXIFyfQaDTEG+PQ6bWoe1T0BBQFr8eHq74RV30jMTHRaLUa9KON0qYMADW3z9RgvJwf0b0BPtvr5/QgDkm6XUvqeBUkRrDsf3wUf3bZRifEVUnC0SHw++HZ5+vY/aE75PbPDngpe7ORFbnxREaq+OEPYvnWNw04T/vxeBTUahWxsSqmTNITGxv6DWJsgoaf543m0GEvLpefQAAMBhUmk5YvTdCibq/5XV/s6haMXhQIKPz5L238n9ca+UX+6GG770IIIYQQQghx3Ws8yt/O6Jk22YRmSCfwcPbQQdzjbmVC7NDO0J+WllaioiKH/byh+P1+nGfOc/DwUVRqNZMn38KtU81oNOpegaeiKPj9AT773MGBQ19w8PBRIiJ0xBvj2hcivtEDUi2LfxDB7ZfzoWv1s3lvC28P4pCPNnv5+PkIbo9U8+2/11P8meeyDW/QvhtJScrlnfR8rKaZ59+7rJcQVzkJR4dg95/d/Pmj0MEogN+v8M5vm1nyj7FMu1WHVguTzDommQf39VBMtIqv3qbvc/sfPnDz3u9a+h5HQOGtd5r556xR3DR++N+QhRgxPuTVSwghhBBCXCZO/vjOLvbUQ/XkO8n47q1EDXxQF0189p6N9w55YFQDP8yczbVSrtLW5qG5pZWGhiY8Hi8+nw+vz8/xE6dpbW0jKcnEzeMTiTfGAr0Xrb3Yg/TmmxJpdbs5dtzJkS9O4vP50eu0aLVa9Ho9o0bFEBVpICKi78+71ycFbyt4ws36dKBXA17whLtgT6tCZ7RpYP1aHUlhXgtAPymCLWsHWvw5wCe/bWb1rjDHdCnGqEkaf5k7Qh69vKcXVz+JFwbJ5wP7rlba2vrv59nmUXh3WzPTbu09bX44KAr89v81D7ifz6/wH5vqWb3yWnk7FpfVERu5G06RtTqL5JiBdq6hJKOM+BX5ZMwI43l8xQLLGorunkVJfB6bXi3AknAlrnl9c2xZxtKXa8GYTmF5NinD/Di695ZTsv0UaJNJX27FPLynp+aFueS+CymPl1F4r2mYz951/Gasj6aTbBj2SwghhBDiqjKWpJv17Kn30HLoQ8rfYxABaZdgFIi62XRNBKMXKz5d9Q04T5/j9OnztLa24fP78HqD/4uOjsQ88WYSxvQ9Rf7i7QljjPj8Pi5cqKeurp6mpmZ07eFopCGCxMQxjE8cy+jRxpAVqNcvL6t/EW4PVj3PPh/B7ZEKH29rYuWOoV1RHwGDjaD1A2WjqNBdqRVszgc4fiqM/SLVJLV/bK07FWDgtKTTsfNDGZi4nkg4OkgNjQGOHfOihLHW0R8+aOWpn1yecLS+PsBhR3gvqlV/biMQoGMqvri6uHaXUvqBa9jOZ7w7i6zZoZ53LqpfKaBofTVlB13YynNI6Scgdbycz7I3bOCIx7w9j9Q+93VRsz6TRTstVIQ8Zw0l38mlcoBxhxts1azPJnc3pD63iDQJRi+ZY8tS
</li>
</ol>
<h3 blockindex=7>复现开始</h3>
<ol blockindex=8>
<li>
<p>经过审计阶段，我们如今已经知道login.php存在命令执行，POST请求的username和password参数最终会被拼到webmaster命令里，最终到后端设备会执行webmaster username password 命令，之后后端会再将执行的结果返回给前端，如果成功，那么直接返回1，如果不成功，会返回错误+报错信息，如下我画了一张图，举例：如果让username=abc, password=bcd, 那么程序的命令执行过程是这样的:</p>
<p><img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAl8AAACGCAYAAADjEe/TAAAACXBIWXMAAA7EAAAOxAGVKw4bAAAgAElEQVR4nO2deXgUVdb/v70n6SzNHgIEQkBAIosJooDiCA6IvKKIgwyyjPPCqLyA+wKKryC4jK8CraLgq6Dzc8TBOEFkG/ZRnMHkxQUloiaQBMgCobN00mv174/m3HRXdyfpTqeznc/z8ISqrlt3qXurzj33nHMVLpfLBT/YbDYAgFar9fdzvVRVVQEA4uLigk7b1LxbKi3XOXi4zm0jLdc5eLjObSMt1zl4uM7hSasMqSQMwzAMwzBMSLDwxTAMwzAME0FY+GIYhmEYhokgCqvV6tfmy+l0AgBUKlXQN62pqYFKpYJOpwupUE3Ju6XScp2Dh+vcNtJynYOH69w20nKdg4frHJ60rPliGIZhGIaJIOpA1vtNse63Wq0hp21q3i2VluscPFzntpGW6xw8XOe2kZbrHDxc5/CkZc0XwzAMwzBMBGHhi2EYhmEYJoKw8MUwDMMwDBNBWPhiGIZhGIaJICx8MQzDMAzDRBAWvhiGYRiGYSIIC18MwzAMwzARhIUvhmEYhmGYCMLCF8MwDMMwTARh4YthGIZhGCaCsPDFMAzDMAwTQVj4YhiGYRiGiSAKq9Xq8veD0+kEAKhUqqBvWlNTA5VKBZ1OF1KhmpJ3S6XlOgcP17ltpOU6Bw/XuW2k5ToHD9c5PGlZ88W0OiRJgiRJLV0MhmEYhmkW1Fqt1u8PNpsNABDo9/qwWq0hp21q3i2VluscPIHyJsFLqQw8N2hvdW7NabnOwcN1bhtpuc7Bw3UOT1p1SCVhmGbAbrcDqFPTRkVFtWRxGIZhGKZZ4GVHhmEYhmGYCMKaL6bVUFNTAwCIjo5u4ZIwDMMwTPPBmi+GYRiGYZgIwpovpsVxOBwAAIvFAgCIi4tryeIwDMMwTLMSMeFr26fb8cnfP2vUtY3xdmttaZsSB6Spebf1OlN6fbTbwL66prbRaYMt99Rbfou7pk8LKk1bRD7eWsNz7oh9u6PVecqkiZh3z6yQ0jNMRyJiy46f/P0znMz9qVHXKpXKkF4eLZlWpVKF/NJqat5tvc7RUTpER+lgdzhhdziDShsMJ3N/wo5de0MpaptDPt5aw3NuS2m5zsHz06mfsXPPvpDTM0xHIqLLjkMGD8Jft2yKZJZMK8blcm+ucOHCBQB1cVASEhKaJb9Z8xY0y31bKzzemEgya94CDo7MMI2Ebb6YFoNsvMxmMwCgU6dOLVkchmEYhokI7O3IMAzDMAwTQVjzxfhQW+s2eKclBL1e3yz5mEwmAIBarfb6yzAMwzDtGdZ8MQzDMAzDRBB1VVWV3x/I7Zg2pAwGq9UKnU4Hz3s7nc4medIw4YOeLW34SZHlyfaK9ljs3r17s+RPmrXq6moAQLdu3ZolH384nU5R33D17WDzDzXvYNLyeGNaAkmSQhobkRoXctrKeA5nWq5z8DRHuQNqvpridqzT6ThQJtNqacm+3ZS8mxoKgGGaG4VCEVK6lhoXbW08v/zhD3jmnW+DSjv3+S/xzmc/i+NI17m6xo65z3+Jz48WNTrt+Yu1uPXxAziRZwo5X09a43NWByoQaUXI/T8YqqqqUFVV5VVZ/mi0HKTJIs0W/SVJnCLMEzqdzutvuKAZANl6UZ8Idz71oVKpRH7h6tvB0JRxFUxaHm9MS6BQKEIaG5EaF3LayngGgK37fkXm4QI8MWdEUO+wm6/pgzc++QGjhiZh3PDEiNf50TeP4PzFWlx/dTJ0Ok2j0mqjYtDNEI1n3/0O7z19I3p107e758w2XwzDMAzTiqky2/DSB9/g9hv6Ye4tVwSV9oE7h2Lc8ESsfDcHVnvjgliHi4/3/4ovvi3GK4uvQ69ujXfc0mlUWP/wWFSabXjzkx+asYQtBwtf7QCXywWXywWLxQKLxYKKigpUVFSgsLAQhYWFOH36NE6fPo3S0lKUlpbCbDbDbDbD4XD4aL0At3ejXq+HVqsNSdIPRHV1tdc/yr+kpAQlJSVidiJJEgdrZBiGucybmT8CAB66e5g49+SGbLz4wTd+r//9iv1eQsuKe9NxwWRB1pHTzVpOOe9sz8W44YkYNzwRAHDuQg0mLtmF/dlnfa49W2bG+Ae244tviwEAvbrpseC2Ifj7kdPIO1cZ0XJHAha+GIZhGKYVsz/7LGZOTEVXg3v/220H87Hn30UYPqCL3+uHDeyCNz75Ad/+fBGAW5AZNzwRfz98OlJFRu5pE86WmfHH/xgszq3e8g1sDgmD+xp8ru/VTY+4GI2Xhu6eWwZCp1HhQM65iJU7UrDw1YYgDZfT6YTT6RSaovPnz3v9I01SbW0tamtrRbqGUCgUwmYjnA4TpMkymUwwmUw+5bHZbLDZbEIzV1xcjOLiYnGeYRimo5J3rhJny8zIGFLnFf7e5z9j0ujeuOW6Pn7TPHT3VUhJisPaj74X525KT8K3v1zE+Yu1zV5mANj1r0LoNCpcc6Xbaz7vXCWOfl+K5fNGBFyCfOW/rsMFkwVb9/0KwL38OG54Ir78pjgiZY4kLHwxDMMwTCsl/5w7PAJpufLOVeLchRpMGt1LXGO323Hkn1/g0iW3M5NOo8Id41Nw7GSp0CINH+hOf7Ei+HAJoXCuzIzhAzqL46wjZ6DTqLzKXVxcgq/+9W9xPLifASlJccg+WSbODR/YBUUXzBEpcyThkOKtGLLHoj0QKS4W/Q23XVR0dDSA8HsfVla61+sb0mKRNyTVj+Jxde7sHsC04TZ78jEM01EgYYmWHM9fcL8XU3rGims0Gg2qq81Qqur0KbS0d67MjJSkeMTFuO13z1+sRVp/32W/cHPBVIuuhmhxXFVjw6DkBK9rJJfkE/9qcN9OyD1zSRzHxWhxrqz9CV+s+WIYhmGYVkpcjDs8g9xT8YJMg6VSKhETXSfsnL0ssJDQRcTrNc1RTB/i9FqfMlfWeE/AtVotoqNjvM5V1dgQH6PxOo6LiUyZIwkLX62YyspKVFZWChsoOg63N2Bz2XqRzRZ5XzbW9oygepaXl6O8vBw1NTVCG8YwDNMR6JLgXokg7c+w1M7QaVT4Pu9Sfcnw7c/l6NVNLzRmJIx1ig2fB3t9dDVEeXkpDkvtjNPnq3Hugvc7XJLqBDSr3YljP5ZicL9O4lyZyRJUmIq2AgtfDMMwDNNKGdLXAJ1GhX9eDsEQp9cifXAXbDuQjwsmi980uadN+PuRfBHiAQAO5JyDTqPCFcnxESn3sNTOyD9XJYS+ccN7QqdR4e2/5wZMs3Xfr6iqsWPytXWOBF98e96vd2Rbh4WvVgxpipo77hXF84qJiUFMTEzDCRoJxfOyWq0h7YlFRKodGIZhWhtxei2GD+iCrCOnxTLeo7+/ChcrrHgz038A0pf+8g26JkThoZlXAXBrlHZ9VYCbMnr5vb45mJDRCzqNSsT06mqIwn23D8b2LwpELC9PzpaZ8dIH3+CW65KFc0DuaRPyz1Vh3PCeESt3pGCDe4ZhGIZpxdxzy0AsefVL7P/6LKaMSUZKzzi8/sh1kFx1+hO7wwG73QGNRoNp1/fF4H6dEKd3LzFmHTmNs2VmvPXE9RErc5xei9vH98P/bs/FzImp0GlUmH/rQLgUdc4ADrtdbH/X1RCFh2cNw+9u6i/u8drW75CSFIdbruvT7sIOsfDFIDbW7TWj0YTHqJEGSUVFRVju11agepeWlgLw3TOze/fusNvtwqu0paHyFRUV+f2d7P+6dPEfyDFcUHuRtyttzmwwuF/QUVFR9aa/eNEdSFL+cqbdGZq7/A1Bdo60pyl5LxM0/sJlb0kfs2DsKwFArXZ/DpRK/wsi1L5UD3pedelVkKTQNtYGgNraWjgcDvHeoPJTuwTbPsXFxV73IahfhToOqd4UcxHwHevB3KcxaceP6IHrh3fH+o+/Q1p/A7olaDByYCdotVq/z/n28Sni/7lnTHj1r99h5sRU9E+KR1VVVdBlDZU//sdg/P3waSx59Uusf3gsFAD+MGWg351TdBqVV0DW93edwhffFuPtJ26I
</li>
<li>
<p>因为password拼接了命令的后半部分，因此我们只需要构造一下password参数即可，使用"?"符号可以用来分割两条命令，类似Linux的管道符"||"，之后再加上我们要执行的命令，Payload打造完成:</p>
<p><img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAA9QAAACUCAYAAAByZGF1AAAACXBIWXMAAA7EAAAOxAGVKw4bAAAgAElEQVR4nO29fXxU5Zn//5mZTDJJSJhEQIIRG5DHIFEmogUUu1hBN5o2aFtbKeiK7m4bKLtf6lrKc2ntsq1CXLsK6y8Uu7X9xnyN0goVdFFBRaYVKopSCMRAwlMykKeZJDPz+yNed2ZO5iQzJ5OHST7v14tXyMy5z31f9znnzn2d68nk8Xj8ABAfH49IqaurAwCkpKRE3BYAmpubYbTvvmpLmSOHMsdGW8ocOZQ5NtpS5sihzLHRljJHDmWOjbaUOXIoc9+1NUd8BkIIIYQQQgghhFChJoQQQgghhBBCjGCqra31A4DFYom4scfjQUJCguHOvV4vjPbdV20pc+RQ5thoS5kjhzLHRlvKHDmUOTbaUubIocyx0ZYyRw5l7ru2psuXL/sjPksAKSkpyv99sECZBweUeXBAmQcHlHlwQJkHB5R5cECZBwcDQWYTk5JFBmWOHMocG20pc+RQ5thoS5kjhzLHRlvKHDmUOTbaUubIocx915Yx1IQQQgghhBBCiAGoUBNCCCGEEEIIIQagQk0IIYQQQgghhBiACjUhhBBCCCGEEGIAKtSEEEIIIYQQQogBqFATQgghhBBCCCEGoEJNCCGEEEIIIYQYgAo1IYQQQgghhBBiACrUhBBCCCGEEEKIAahQE0IIIYQQQgghBqBCTQghhBBCCCGEGIAKNSGEEEIIIYQQYoC4vh4AIYQMFl75w0688ofXAAA+nw8AYDZH/l6zO21bW1sBAHFxxpb/vho3ZY4Myhw5Pp8PeXfORUF+nqH2hBBCBidxXq8XANDc3BxxY6/XC4vFYqittO9O333VljL3bt991ZYy927ffdW2N2X+n9/9Xxz55CiyrrnGUH+EkJ6j/OQpNDY2Iu/OOyJuO1jWsP7SljL3bt991ZYy927ffdV2IMhMCzUhhPQiUyZPwm+3be3rYRBCNNy/8GH4/f6+HgYhhJAYI85isQAA4uPjI27s8XgMtwXatXoj7fuqLWWOHMocG20pc+RE2rfZbOaGnZB+Dtew/t2WMkcOZY6NtpQ5cvqLzExKRgghhBBCCCGEGIAKNSGEEEIIIYQQYgAq1IQQQgghhBBCiAFiOilZ8fb/wauv/SnidhLDaDKZIm4rWd0k9rw3++6rtpQ5cmJd5nvumofFD3034nMQQgghhBAymIhphXrP/76NM1VVyJ12Q18PhZABw8E//wVv7H2bCjUhhBBCCCFdENMKNQCMv/ZaPFv0y74eBiEDhvsXLu7rIQwafD4fgLbs34QQQgghJPaIeYWaEEIIIYQQ0juU/L9X8NLLr3Z5XHdeGnc39K47ffdV28Eo8+1fuRXfmP+1iNv1N2gWIYSQXqalpQUtLS1obm5WtQwJIYT0PD/99SH8268ORtRm/uN/wjMvHemhEXVNfWMLvvuTfXh5b3nYbU6fb8Dsf34Fh45djPp4Xnr5VXxy9NMujzObzYY9sCwWi2HFsrt991XbwSbzJ0c/xa7dbxrqs79BCzUhhBBCCBnw/G73cfzfN8rxf759XUTt5uRehf986Qgmf2koZlw3oodGp8+Pt36IMxcacePk8PseZrdh2FAblj/9Hp57bCZGDUuK6pgmTZyA327bEtVzksHF/QsXK6t8rEMLNSGE9DKNjY1obGzs1hthQggh4VPX0Iyfb/8Q98waje/cMTaitv88PxuzckZiw7YP4WnpXQXg93uO470jF/CTxTfgquHJYbdLsFqw+V9m4nJDM559+WgPjpAQwp0cIYQQQggZ0DxT+jEAYMl92eqz/1P0Hp7Y/mHI47+9ak+Qm/eqhxy4eMmDV9+p6NmBatj6ylHcnD0MN2cPA/CFK/c/vYI9B093OFbcvN85VA0AuGp4MhbfMwmvvFOB8qq6Xh03IYMJKtSEENJLmEwmmEwmuN1uuN1uxMXFIS6OkTeEENLT7Dl4Gt+8fSyuGJoAoM3y+9q7Fci59oqQx08ddwX+86UjKgb5quHJmHHdCLz6zue9NuajJ104fb4BC+aOUZ+te94JT4sXE6+xdzj+quHJSEmyqmMA4IE7xyHBasH//qW618ZNyGAjTnzXjSTG8Xq9sFgshpPqdLdvQkjP4PP5In4uo/E890Xb3lzDfD4fTCaTob4IIb0D17D+3zZSmcur6nD6fAOuH5em+t5S9gnm3pSJOY4rQ57rewUT8PaHZ/DL/zmELY/PAgDcmjMCa/+/Qzh5xhVxTLIRmXfsO4kEqwXXX9umPH966iLeOVSNJ/7pRgwfag15rp89mouFP3kL/7PrM3znjrEwAfjylOHYf+gsHrxrXERj1hu3z+djuBKJCn6/H4CxtQDoP2sYnwZCCOlh/H4//H4/khJtSLQlwGazwWazMYaaEEJ6gZNV9QCAqWPTAbQp2GcuNGLuTVepY1paWvDue+/D5boEoC0GOf+Wa3Dw0wvK2nvd2DQAwAWXu1fGXXWhEdeNabdEv/rO50iwWoLGfe7ceXxw0Kl+n3DNUHwpYwicRy+oz64bm4bTFxt7ZcyEDEbiJD17fHx8xI09Ho/htkC7Vm+kPUvNENJzmM3miJ/LaDzPvd22t9YweQNrMpnU/wkh/ROuYf27rRGZLzW0KcQZw1PQ3NyM8662/sePTlPniY+PR0NDIxJsCeqz7DFt7uAXLrUga1Qi7CmJAIDzl1p65W9kzWUPRqQnq1JKjZ42V+/Ac5gtZrS0BI9n0pfScfRUrfosNTkBVRcao3at+CKYRAvx2ov1NYxPBCGE9DASM50Qb0VCfDySk5ORnBx+tlZCCCHGSUmyAkCHDN3nNZZmi9mMpMRE9fvp8w1ftA/ecKcmW3timB1ISY7vMObLjcEGpfj4eCQmBruf1zU2IzWpfYz1TS1qDggh0YcKNSGEEEIIGbBIIrIzXyjIU7LsSLBacPh4TaftDh2rwVXDkzHMbgPQrmBfkWrrwdG2M8xuw4kzl9XvU8emo/xMnRqH4PO1K92eFi8OfHwOE7+Upj4773JHvQ41IaQdKtSEkEGLWI4bGhrQ0NDQdQODuFwuuFwu+Hx++Pw+ZvcmhJBeZNI1bQr021+Uk0pJjseNk4fj97uP68ZDHz3pwstvlWNWzkj12f/+pRoJVgsmfqljhu2eQBToqotNAIBZORlIsFqCynlp+d3u46hrbMG8m69Wn+3/61lMGD20x8dLyGCFCjUhhBBCCBmwpCTHI+faK1D21knlQv3YgutxweXGM6WhldOfv/Ahhg21Ydk3rwPQZvnd9X4lbpuW0WvjnpN7FRKsFuz98CyANov19+Zn4+W3Tqpa04GcPt+An2//EHd+eTRyxrXFfx896cLJqnrMuO7KXhs3IYMNmkgIIQMWbVmDxsa2LKdijb58uc2V7pprrumR/pua2qwK9fVtGWbdzc0Ak5IRQkiv88Cd47Dkl/vwprMK827OxJhRqfivx25Bc4tPHdPS2oqWllZYrVbk33INJn4pDSnJbfHTZW+dxJkLjXj6X7/ca2NOSY7H12Z/Cdt3nsDXb70aKQD+4Z6J8Jug6lC3trSgpaUFQJvC/S/3T8U3/q69bvWTvzuML2UMCcoMTgiJLrRQE0IIIYSQAc2c3KswK2ckiko+xpkLbS9Xp08eEeTSHcjXZmcppfXoKRd++dvDuO/vspCVkdJrYwaAf7h7IuqbWvHYr/6srOsP3z1RxXUHkmC14B/unqheAvz6tc/wzqFqLP/21F4dMyGDDSrUhJABQ8sXb+olZrm6uhrV1dWoqqpCVVUVLl68iIsXL6rYaYllTkhIQEJCQtTG4fV64fV61TgsFgssFgt8Xh+8Xl/XJyBRweVyYcWKFXC5XAAAp9OJFStWwO1uj5ksKytDWVlZUJuioqKgYwCgvLwcP/vZzzp8Hory8nLk5eWhqKgo7LFKG6fT2fXBhBBDrHrIAQDYsO3DiNqt+K8DGGZPROH8ST0xrE65angyVnx3Cv7yWS1e218Rdjtx/15w53jMuG5ED46QEEKFmgxaQm2u
</li>
<li>
<p>这样以来，我们直接到burp中发送payload，即可实现任意命令执行，如图burp中的返回包中已经返回了show version命令的执行结果，显示了当前设备的详细版本等信息</p>
<p><img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAABMoAAAJLCAYAAAAWz3p+AAAACXBIWXMAAA7EAAAOxAGVKw4bAAAgAElEQVR4nOzdeXiU1dnH8e9kgyxA9gQIgUBYEvZVEFCDGkEWN7DVapWouBT0LbYgrrRosSq4oNSi4FJrW+NWoqCojYIKEpQ1CZCQnSSQBEjISpZ5/5hkyJBAJpnJAvw+18VV55nznHMmM73mnvs5534MQ0eONdZUnaKTizMiIiIiIiIiIiIXK4f2noCIiIiIiIiIiEhHoESZiIiIiIiIiIgISpSJiIiIiIiIiIgASpSJiIiIiIiIiIgA4FT3H8OGDmnPeYiIiIiIiIiIiLQrc6IsLi6uPechIiIiclEbO3as4jERERGRdqatlyIiIiIiIiIiIihRJiIiIiIiIiIiAihRJiIiIiIiIiIiAihRJiIiIiIiIiIiAtQr5i8iIiIiIiIiIq2jU2dXAIpH3t/mY3vuXYuXZ7c2H7fO8ROF7TZ+Xn4eABXlZVa114oyEREREREREZE20B5Jsoudn69fs9orUSYiIiIiIiIi0sqUJGs/zUmWKVEmIiIiIiIiIiKCEmUiIiIiIiIiIiKAivmLiIiIiIiIiLSrTk4G+nqfPUWTcaIagGBPx7O2STlWRUWV0aZ5eHl50a1b12adU1hYxPHjx20at6OMD0qUiYiIiIiIiIi0Ky9XB+4c2+Wsz7/x00mAc7Z5cXMhuSerbZrHwIEDGDFieLPO2bVrN9u2/WTTuB1lfNDWSxEREREREREREUCJMhEREREREREREUCJMhEREREREREREUA1ykREREREREREBEhM3E9mZlazzikuLm6l2bQPrSgTERERERERERFBK8pERERERERERAQICxvU7nedbG9aUSYiIiIiIiIiIoISZSIiIiIiIiIiIoASZSIiIiIiIiIiIoBqlImIiIiIiIiItKvjZTW8HXfyrM/nFFUDnLPN8bIam+dx4MBBcnNzm3VOYWGRzeN2lPFBiTIRERERERERkXZVUWUk8Whlk+0Sj9qeDDuX48ePc/z48VYdoyOPDy1MlIUtjCE6KuQsz8ayZPB8YgwGG6YlIiIiItZQXCYiIiJiP61QoyyC5fGfsTDMaP+uOwCjcSar9u1j36qZ7T0VERERkSZc2HGZiIiIiL3ZnCiLXTKYIUOGMGTIEJbE1h0NIeqBWbZ23eEYwxbyWfxyItp7IiIiIiKNuJjiMhERkfONx86/tfcULlp5+XlWt7XrirL1m2KbbiQiIiIirU5xmYiISMejZFnba06SDNqwmL/ROJNXz1iNlbpuDjNXJlq2m7mK+OUR9dosITZiOVEhQOo65sxYQQLhPPxZtMWxRIPBcox6x60dv7E2kMq6OTNIeiCe5fWfiFjOvn3LIXYJQxbE2PKnEREREWlTtsZFKxLqxWLEsmTwJiLrt20kPmq8P8saakZj2Bn9rqa/+TFWxXd1c1yZaH0MKCIi0hYqyssAcN66ss3HLgFKigvbfFyLObTz+Nay24oyo3Emr5ozSamsW73+9HNn2bIYEhVtUesrbGGMRZLM1GY5Z61Pa+3crBhf2ypFRETkQmFrXNa8uCiC5We2jVhuEeMZZ64ivtH+IlgeH8+qmY3VUItgeXy0ZRwYEkX0q7OsnqO1MaiIiIhIHZsTZRHL49m3b1+94OfMq3hhPPxcFCFgugo42FQ7Y3Bd4YyIeSwMM2I0zuQBcyQUy5LadnPWpdo0P2vHJzQE8+j16nvMWZcGQMyCIQyesw7zbGKXmNpoNZmIiIh0EPaKy5qKi86Uum6OqZ/BSzBv+KwX41kk7eYMbtA2YvmrzDQ2TJaZ+60fg0VEmto2MUerX6uIiIhIPXa/62XqukXmYAyA8GlE1EUxIVFEx9cGcOaAKYSIaeEwK9J8tS913WrzEvyEFYuwKVdm7fj1RCyPZ1/MQsKMRhJXLrB8PSIiIiLniRbHZfU0HRfFsmZFAgAGQwyrzYFbCCGhnBHjnZ6PZdsIIhvcb+B0vyRsJPYc8WCjc2zBaxURERGxy10vBw+eY05mhURFWy6fr3e1z1ppSQm2TqvZ4xtiFtS7OxT1AqpVjV7hFBEREelo7BWXnQ9xUZNzbEEMKiIiImKXYv4GQyIrFq0jItq0vD1i+avMXH+6MGudcxZOrVcmok//cKCuXSgh54pyQkIIrdf6XJoq3BqzYAgxnHlDgQiWvzqLGG2xFBERkfOAXeIyzh0XrZ+f3Grzb45zznHT6XYq3i8iIiLWstvWS0PiShbVWz6/vLbQKus3metPhEQ9Z1ELwmicyaq6QqrJqebaEyFRD5ivVoY/PK+JQrKnl+o32tbK8cMWxpivuBpiFljWwmhMn/6EdZArqiIiIiL12RqXNS8uimDew6YtjMawhTxXr+bspvVnjnk6xjuzPu2m9TRLk3O0NgYVERERqccuK8rqJKxYQ2xUbfHYiOWsmrmeBTExzF8SWXuVL4So6Hii6p8UuwQwBXRrYqMwXQw03QFp+VnGMRgS2RibSlTtUrOI5fHsO0tjg8G68c/VT+ym9YABEpJIA9My/pAoouOjGr39uYiIiEh7syUuM51yrrjIsrZXSFQ0+6Is29XVnDVQf8zGY7zYJbUr3pp5DfJcczQYDFa/VhEREZE6di3mb0pKnS4WUXcHo7NfibS8XXnMgiGWtSZIZd2cOY0W809cOfOMtrEsqX+npfrzsnL8hkx331wQc7ro7PymVpqJiIiIdAC2xmUNWcZFFsctgzJilwy22OpoiFlgeUfMJvtsqTNitxa/VhEREblYGYaOHGusqToFNVXtPZdGGY1hPPxZNFEhmG7tPWMFiQZ7BVMiIiIiHcPYsWOJi4tr72lYxSI+I5YlgxvWQBMRERE5H9l1RZmIiIiIiIiIiMj5SokyERERERERERERlCgTEREREREREREBzoMaZSIiIiIXg/OpRpmIiIjIhUorykRERERERERERFCiTEREREREREREBFCiTEREREREREREBFCiTEREREREREREBFCiTEREREREREREBFCiTEREREREREREBACn9p6AiIiIdAyVExbapR/nrSvt0o+IiIjIxUyxWfvQijIRERGxWyBm775ERERELkaKzdqPEmUiIiIXudYInhSQiYiIiLSMYrP2pUSZiIiIiIiIiIgISpSJiIhIB2QwGNp7CiIiIiJS62KKzVTMX0RERCz8cfZY7r5mqNXtDxcUc/Wj0VTXGO0yvrOzM8uXL+fdd99lz549dumzufz8/OjWrZtVbQsLC8nLy2vlGYmIiMjFSrFZ28ZmSpSJiIiIhS37svDy6Iy1Fw73Zx6zWyAGUFlZSVlZGYMGDbIIxq655ho8PT1xdHSkd+/eFBQU8P3335OQkGC3sessWLCArl27WtW2qKiIJ5980u5zEBEREQHFZtC2sZkSZSIiImJh2/4ctu3Padc5pKam0rdvX4tj/fv3JzQ0lJKSEvbt20dAQADz5s3jvffeY8eOHXYdf9WqVc26aikiIiLSWhSbtW1sZrdEme/AyQz0PZ3eNBpLyNq1g4zSi2cfa30zV+1jecQZB2OXMGRBTLvMp7UE3/Q0j3X/nHtf3drgufHz32Razp956qOMdpiZiIiczw4dOsTQoUNxd3enpKTEfLyyspKVK1dSUFCAwWDg7rvvZtasWXYPxvLy8s7r7ZQN45BU1s2ZwcrEizMuGz//TaJGWL524643G41fzmcXelx25u8NAGN+Ij8eaN3/r7oFj2aEa0arjyMi0pFdTLGZXVeUlWT+zK4M0x/MLXg0I0aMARuSZUbfMCYGlbFrZyqltWsMGzvWYdVLjBmNM3k1fjkxC5OZuTKxnScmIiJydp2cHRkW4tdk0daKU1UcyDpGeWW13eeQkpKCwWCgb9++7N2713z88OHDFBQUAGA0Gtm9ezeDBw/Gy8uL48eP230e57PUdXPMMUfYwhiioz8DG5JlxpmriJ+XypwZK0isi8saOdZR1U+MGY0TmP/mXfzppsPndeLoYlQ/MWY0+jFo4iBGBJeaf4OIiFyIFJu1
</li>
</ol>
<h2 blockindex=9>总结复盘</h2>
<p blockindex=10>这次命令执行审计出现的最终原因还是因为没有进行参数过滤，使得其他命令传到了后端，并且被设备执行了，但这对于渗透测试人员来说，也是一种提示，当今许多的网络设备都配有web管理端，许多开发者为了开发方便，直接写一个执行设备命令的接口，然后通过增加路由器命令来验证账号密码对错与否，虽说这种方式对于其他功能的二次开发以及整合确实省事了不少，但也导致了安全问题，我审计这个系统之后也找了其他的设备源码进行分析，发现不少设备厂商都有像这篇文章写的这样大同小异的问题，由此可知，即使是网络设备，我们也不能放过蛛丝马迹，即使执行的是设备命令或者配置命令，也会有很大的危害！</p>
<p blockindex=11>我是小安，感谢你能看到这里，欢迎对我的文章发表评论和批评，祝你生活愉快~</p></div></div>
 </div>
 <div class="post-opt mt-30">
 <ul class="list-inline text-muted">
 <li>
 <i class="fa fa-clock-o"></i>
 发表于 2024-04-07 10:00:01
 </li>
 
 
 
 </ul>
 </div>
 </div>
 
 </div>
 
 
 </div>
 
 
 </div>
 </div>
</div>