admin/Penetration_Testing_POC
1
0
Fork 0
mirror of https://github.com/Mr-xn/Penetration_Testing_POC.git synced 2025-11-06 19:24:02 +00:00
Code Issues Packages Projects Releases Wiki Activity
Penetration_Testing_POC/books/【翻译】从设置字符集到RCE:利用 GLIBC 攻击 PHP 引擎(篇一).html

790 lines
2.9 MiB
HTML
Raw Normal View History

Update README.md
2024-06-27 08:44:44 -07:00
<!DOCTYPE html> <html lang=en style><!--
Page saved with SingleFile
url: https://xz.aliyun.com/t/14690
--><meta charset=utf-8>
<title>【翻译】从设置字符集到RCE利用 GLIBC 攻击 PHP 引擎(篇一)</title>
<meta name=description content=先知社区,先知安全技术社区>
<meta name=viewport content="width=device-width,initial-scale=1.0,minimum-scale=1.0,maximum-scale=1.0,user-scalable=no">
<style>/*!
* Bootstrap v2.3.1
*
* Copyright 2012 Twitter, Inc
* Licensed under the Apache License v2.0
* http://www.apache.org/licenses/LICENSE-2.0
*
* Designed and built with all the love in the world @twitter by @mdo and @fat.
*/.clearfix:before,.clearfix:after{display:table;line-height:0;content:""}.clearfix:after{clear:both}footer{display:block}html{font-size:100%;-webkit-text-size-adjust:100%;-ms-text-size-adjust:100%}a:focus{outline:thin dotted #333;outline:5px auto -webkit-focus-ring-color;outline-offset:-2px}a:hover,a:active{outline:0}img{height:auto;vertical-align:middle;-ms-interpolation-mode:bicubic}input{margin:0}button{-webkit-appearance:button}body{margin:0;font-family:"Helvetica Neue",Helvetica,Arial,sans-serif;font-size:14px;line-height:20px;color:#333}a{text-decoration:none}a:hover,a:focus{color:#005580;text-decoration:underline}.row:before,.row:after{display:table;line-height:0;content:""}.row:after{clear:both}.container{width:940px}.span10{width:780px}.container{margin-right:auto;margin-left:auto}.container:before,.container:after{display:table;line-height:0;content:""}.container:after{clear:both}p{margin:0 0 10px}strong{font-weight:bold}.text-right{text-align:right}.text-center{text-align:center}h1,h2,h3,h4{margin:10px 0;font-family:inherit;font-weight:bold;line-height:20px;color:inherit;text-rendering:optimizelegibility}h4{font-size:17.5px}ul{padding:0}hr{margin:20px 0;border:0;border-top:1px solid #eee;border-bottom:1px solid #fff}blockquote p{font-size:17.5px;font-weight:300;line-height:1.25}q:before,q:after,blockquote:before,blockquote:after{content:""}code,pre{color:#333;-webkit-border-radius:3px;-moz-border-radius:3px}code{color:#d14;white-space:nowrap;border:1px solid #e1e1e8}pre{display:block;margin:0 0 10px;white-space:pre-wrap;border:1px solid rgba(0,0,0,0.15);-webkit-border-radius:4px;-moz-border-radius:4px}input{font-weight:normal}input{font-family:"Helvetica Neue",Helvetica,Arial,sans-serif}input[type="text"]{display:inline-block;padding:4px 6px;margin-bottom:10px;font-size:14px;line-height:20px;vertical-align:middle;-webkit-border-radius:4px;-moz-border-radius:4px}input{width:206px}input[type="text"]{background-color:#fff;-webkit-box-shadow:inset 0 1px 1px rgba(0,0,0,0.075);-moz-box-shadow:inset 0 1px 1px rgba(0,0,0,0.075);box-shadow:inset 0 1px 1px rgba(0,0,0,0.075);-webkit-transition:border linear .2s,box-shadow linear .2s;-moz-transition:border linear .2s,box-shadow linear .2s;-o-transition:border linear .2s,box-shadow linear .2s;transition:border linear .2s,box-shadow linear .2s}textarea:focus,input[type="text"]:focus,input[type="password"]:focus,input[type="datetime"]:focus,input[type="datetime-local"]:focus,input[type="date"]:focus,input[type="month"]:focus,input[type="time"]:focus,input[type="week"]:focus,input[type="number"]:focus,input[type="email"]:focus,input[type="url"]:focus,input[type="search"]:focus,input[type="tel"]:focus,input[type="color"]:focus,.uneditable-input:focus{border-color:rgba(82,168,236,0.8);outline:0;outline:thin dotted \9;-webkit-box-shadow:inset 0 1px 1px rgba(0,0,0,0.075),0 0 8px rgba(82,168,236,0.6);-moz-box-shadow:inset 0 1px 1px rgba(0,0,0,0.075),0 0 8px rgba(82,168,236,0.6);box-shadow:inset 0 1px 1px rgba(0,0,0,0.075),0 0 8px rgba(82,168,236,0.6)}input::-webkit-input-placeholder,textarea::-webkit-input-placeholder{color:#999}input{margin-left:0}input:focus:invalid,textarea:focus:invalid,select:focus:invalid{color:#b94a48;border-color:#ee5f5b}input:focus:invalid:focus,textarea:focus:invalid:focus,select:focus:invalid:focus{border-color:#e9322d;-webkit-box-shadow:0 0 6px #f8b9b7;-moz-box-shadow:0 0 6px #f8b9b7;box-shadow:0 0 6px #f8b9b7}table{max-width:100%;background-color:transparent}.fade{opacity:0;-webkit-transition:opacity .15s linear;-moz-transition:opacity .15s linear;-o-transition:opacity .15s linear}.collapse{position:relative;-webkit-transition:height .35s ease;-moz-transition:height .35s ease;-o-transition:height .35s ease;transition:height .35s ease}.btn{text-shadow:0 1px 1px rgba(255,255,255,0.75);vertical-align:middle;background-image:-moz-linear-gradient(top,#fff,#e6e6e6);background-image:-webkit-gradient(linear,0 0,0 100%,from(#fff),to(#e6e6e6));background-image:-webkit-linear-gradient(top,#fff,#e6e6e6);background-image:-o-linear-gradient(top,#fff,#e6e6e6);bac
<style>/*! Editor.md v1.5.0 | editormd.min.css | Open source online markdown editor. | MIT License | By: Pandao | https://github.com/pandao/editor.md | 2015-06-09 *//*! prefixes.scss v0.1.0 | Author: Pandao | https://github.com/pandao/prefixes.scss | MIT license | Copyright (c) 2015 */@media only screen and (-webkit-min-device-pixel-ratio:2),only screen and (min-device-pixel-ratio:2){}@media only screen and (-webkit-min-device-pixel-ratio:3),only screen and (min-device-pixel-ratio:3){}/*! prefixes.scss v0.1.0 | Author: Pandao | https://github.com/pandao/prefixes.scss | MIT license | Copyright (c) 2015 *//*!
* Font Awesome 4.3.0 by @davegandy - http://fontawesome.io - @fontawesome
* License - http://fontawesome.io/license (Font: SIL OFL 1.1, CSS: MIT License)
*/@font-face{font-family:FontAwesome;src:url(data:font/woff2;base64,d09GMgABAAAAAN3MAA4AAAAB3OQAAN1sAAQAxQAAAAAAAAAAAAAAAAAAAAAAAAAAP0ZGVE0cGh4GYACFQhEICobjZIW0WgE2AiQDkSoLiFwABCAFhwAHqx4/d2ViZgZbBYBxhnF7IVHRnVDqt/fSG4cZBbodREHF77duhex8Mb6j/fmp2f///78gWYzh7g+8R0BUdTpLW1Uzsp76hCzI4aYUR8pes2MocNQ2YvKKbApmLWu/bv7ALkc1B+aeVCsz1YrjaYsVnkxwJujIZWwn5gjVfIgmhc3in0QhmV5maXZNM1xTKb1RmAdM/OaNTl/mtoIrW/khyLhT5xe7bVH4fZGXVpFvuchr9JDG3Mcoh7mswgQxQVK8XUETf1CxbfHOtB+kxeznYk7Tc0VQvAs3ZHw4fkX+eKbZae3Ga4yTuqW4ivdfEynv1GrGUEu4OnTzzcjOrvA9euKJJn93ZAnl2I4SDS0d71OE52stez2NiwEECTzlA0CWsDwIHxnjUh747oQ+4/cPz8+ttyIXzTZiY4wxosaI3F8QvVEho0JSWt0kWiUlDEAMbFRUsJgZKGcUGHVmnTf/P6e9Zz8P5jE8wRUMwwiRViAUd39KoXMKlV2UsWpdN25qBwAP0n35Mpmf+bvg9ZtKfIuWauEin8QFPnQhqjHdubkgORdjw60F1Hm3BRSOpS8r3c6XU/9/JMdJqrGKafqQYMBQSgy6BEkN2ozu0jp/p5EMSdFJDElKASzB5dwOFDbt5x1Rt2WVqTHYdx+5Xp9Ufm9KBtkmlgURoo8tj////Z9a0ixLyWLsAGIB+Eoqp6lnC5QCOfox/PnFQ4BJkcOC2NkzE2qySKkd7EB0X2SssjuTJ374/zn7zhne2jm7fiUkyEiwBGin9SnjfqWFGqXyrNPtdoTk/iS7nvwSR9pOTPBCIAlSpUo50teOPKprzxRrm9+ChuQfqzJE8Bbl26JpGFbqfrX84LxQBx3aIebKK51pt3LCe3dPaIcrAGrDFXAd7qRJJ7W7e7L0z7L00hPYSSrgWlB0qYKDoXOBwQPRquJvWcPzc+sBI3pUj9GjxgIGG+yvAlaMBaxgY2PUYERvgIiAEiaIJ1NUPDFQwcLAujTqTr1QLioZ3GbIHTEdYnpCesfDy9dvB4B4+Vba/vPP6au23oy0eHeVXxgzGuGtTG1zt4lDgpCDCDHInDqlDmgAeK+jJZIEuJ9bmCpbL8Z0vvFwr84+jRRnNzOSkyPg6srryLIDS/CREjejVnMMEDioCIrqv3XCmO6lA/N4Lf1ua0oVVekIinqBkbCY5N/3nRqiAWisW2xsNBbsUxu11kXxz8lWB4c3sN3ekYiAEGAAByO382+qZQuQxImXstYh60J3LrpdOaX23OWinx9mwP//fAAzA5CcGYAkAFIiAEriDAiJAMndAQjqAJCgKWrvHpebtWs/re72nVaXEjCgtAQp6RHUJspJ2gupsq9yyLHo/Vy5u+v8rqhclS5d2qVdtLX/3nRVKsauMS47Z4JoNru6yNjUBvn73WqpW0jQLWxLIxDCSgwlBzcSzMxJwozQOiGBVpiZtY7hnPstYGiNbWEF5wTrxFmYdcxak56xPgku3HDDS8ILnYkuDi8MnQvCI3jcT216ZaMrjPl5GWYAIByhr51xVXZju0G5EtXIfqYwq7s4NLhgeu2nvYsxpRohhSTYCoItYM27+X/m/PxE6+tJNw9faWYRRohBDMIYh3z8h1yy6QEzqRlrM0ghSOsQ+ShkO2LOCgqadP5MQjyDih2k2EHqttndgXsdI1Oga0jEvEe50TXItrpN9NIEBcQhscEo44wiaoTxcU2AAvxdwsQC+Ppw/kum+fD5u8BrSYNSgIiihg2AMccnArqsYJ2gmNlhnADg/vHOjV6AesO+/MmrlN8grD8CAnD8ERERq2e4xrw61HwHQX8hVkPGCIADEJRmLCNsYzeTnAWcZnbH7osIzSEbGYvULv/7qJdPYalrqK/xvNrG/vmB3hmw4yOMWoM+4zyt158PeG80n4NP5BkGyRJu62dDPTINSpg2S/aEQH1fYmH9GoDFAURIy8JOAPQ+olD/RszU+DcQnfyXjKqKpWkxC3B+cn7qu+8P/zw8HGWmGhXmmMGhgEUOgwwppiB4OIEDmIPxlOSe+zqPfVuXeRqHvhveVZsW/nw1V6A6M4KhLcWhuFu/4O3fRKWuHfUc9G7G94SL4vR/rZ8Ub5iZP5cz9tlk/wtG9+s3PxmuMdIjm1qu7k+tQYQCZTRkuAtSmLSs0uOxI64zaboh3cTIf720EgwvjBKMYQmjxBNnkRyxseNc0nKZeZURGC+VioZVLFpliSPBSR6sepFcJRcWptiE61cRFstAMUgzXiIy9GFHp+YbdyPuTxi7mhkEy8HFEDtgQNiOpK3nWM1fDipB52FSVfCgaWZDZnBCmAEeY8qnhJXDtZpO3WARXEKSWONEF/OsMAUcncfXXJFOO07iwB9ZEC0Rx0w1XBF7LMNQps6RTRBgUkR4wysExmnkzVyanU2yQYoszPOCt7CyWSNhx2qJx6pQUFg9hF2rc4J4PRPD0s0/9mU9Xqti6iyt5m0wwu0LiQ7ss4x0xMnZYuElJ+YetZyQxFx641j/Yal5weLc8H/4fYKnutlzOe9R93rRMaSyJxXDwDOMtpVPhX8gHQkPZmFUmIukZ5itm4mgwdiCoXPLPt00dun4zJgyQ9WC7G9fKMSWv+rce6CmkNdcMj+29sKV6uuvzwGeYccKULEvDBbrFO98vT95Kr/X7EtB7aHcN4I8HwSyFyfYSQs5dWoQETxfhzg8XPRHDn4aAy4I0jgMd/YKhhTQGIIUaXr2SIGtQ7a8shpQ3Kd5HJl3uSm6jiggOo0lmJgU7BnW+tsbN8Ytnz/NF85mdb1xJBbSr53bKHWNFTs3NfjC7NyZs68AVT/AmfztCK2JuKyYoe3JQOL1Ez4+e4nP3Tznw51cp8n/f29xXJIeDFoytH2UdswpLxZj5TQ/jKFp0HleHN6iBgbGIDNIoG0AbzSe+hYvI/CmIZ9/+tzFx4LT+VwmKJiHptTdPu9IqvO/cQB4Z8WYj9vFB3NNh/CqqTs3L8sqbfk18wPSsZY1c3ac68eisCvjt+6GslRjWA1Zxq+qdEAqc7sJOkCYAQZdZAG6Znb2s8hRfrlyeWqbnEMQ6RI2UMe1AQiF2QdBy28lB0y3Y9QUnneWbXwuEZlXIjGOWtQT75f9QOantcglVhUBA9/nscgFUqkPfpE3sEQNV0z5MgnVbqu6yqG0r1FihEcFynAafHXrm5sP+HRIVMrrc83SlwaAHpUNNtGUAG/NorLNojJrBbedljpgk7Y8n6QG7/0NlwJtE+j0URxOmtVfeGtPSSRmNoSRyVr0HTRbX6Vk74l5MrdxqLL/wsT+m8xKkTi52Q2Vbxac4ZGt4Arfhrgb/AND4tFY3Xm/Toh0KeIA86aziD28hvsDsGZM3xLKLrjCGsjCSanjTV/lp53WIUI5X7DkOtim0kaMQABwbaw1JvjjCooVnahJrl2NbeOlHmQesdeWcDDm151Uw4itkyRyhHa+o8AqzpAolQfERlyYrXU8TcoyZc3bc2TTc9bOxCSFlgOR+CCm78ShGPMgUNHUVT+NGMgx9p5S8ojoislOGDXJ/HWbpevnAhZjcJG83YRHZrg4cCyLbyfJZI3zAA43Mui7Z//EogzN/udIIqnSdh6czyF/f34cAaTNOCJtklgk8XEIm2roZAY9panWtZblERHrIhdamihzQ9G2dGx+KoTBSBdtWsddqEJaROCI9aSpbRbbKkm2iJSmPo9YyQRe6KnaxDO5/G4Kofm8n6jc6PLyujtlEPm9TWjKBUTWEmENgIcjSPJu8Kez/W0AQSD+uunlV58AGIOEAnOKGdJJPzDL9PHxvFpS0+BkDk/hBSfK9wOjj9+TiDzPD9nA03EcaR0V+XC5e98nuyq4N5VTHJYHXyrmvTNVz2v8PaVPXoRE184+h7lQcjXseY0bfJd/5ctBpc
<style>/*!
* Bootstrap Responsive v2.3.1
*
* Copyright 2012 Twitter, Inc
* Licensed under the Apache License v2.0
* http://www.apache.org/licenses/LICENSE-2.0
*
* Designed and built with all the love in the world @twitter by @mdo and @fat.
*/.clearfix:before,.clearfix:after{display:table;line-height:0;content:""}.clearfix:after{clear:both}@-ms-viewport{width:device-width}@media(min-width:768px) and (max-width:979px){}@media(max-width:767px){}@media(min-width:1200px){.row{margin-left:-30px}.row:before,.row:after{display:table;line-height:0;content:""}.row:after{clear:both}[class*="span"]{float:left;min-height:1px;margin-left:30px}.container{width:1170px}.span10{width:970px}input{margin-left:0}}@media(min-width:768px) and (max-width:979px){.row{margin-left:-20px}.row:before,.row:after{display:table;line-height:0;content:""}.row:after{clear:both}[class*="span"]{float:left;min-height:1px;margin-left:20px}.container{width:724px}.span10{width:600px}input{margin-left:0}}@media(max-width:767px){body{padding-right:0px;padding-left:0px}.container{width:auto}.row{margin-left:0}[class*="span"]{display:block;float:none;width:100%;margin-left:0;-webkit-box-sizing:border-box;-moz-box-sizing:border-box;box-sizing:border-box}.modal{position:fixed;right:20px;left:20px;width:auto;margin:0}.modal.fade{top:-100px}}@media(max-width:480px){.nav-collapse{-webkit-transform:translate3d(0,0,0)}.modal{top:10px;right:10px;left:10px}}@media(max-width:979px){body{padding-top:0}.navbar .container{width:auto;padding:0}.navbar .brand{padding-right:10px;padding-left:10px}.nav-collapse{clear:both}.nav-collapse.collapse{height:0;overflow:hidden}}@media(min-width:980px){.nav-collapse.collapse{height:auto !important;overflow:visible !important}}</style>
<style>li{line-height:26px}a:hover{text-decoration:none}.post-user-action>span{margin-right:10px;line-height:21px;border:0}.post-user-action .i-seprator{color:rgba(0,0,0,0.1);margin:0 2px}.navbar .brand{padding:0;height:50px;margin-left:0;display:inline-block !important;background-repeat:no-repeat;width:120px;background-size:207px 50px;background-image:url(data:image/svg+xml;base64,PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0idXRmLTgiPz4KPCEtLSBHZW5lcmF0b3I6IEFkb2JlIElsbHVzdHJhdG9yIDIxLjEuMCwgU1ZHIEV4cG9ydCBQbHVnLUluIC4gU1ZHIFZlcnNpb246IDYuMDAgQnVpbGQgMCkgIC0tPgo8c3ZnIHZlcnNpb249IjEuMSIgaWQ9IuWbvuWxgl8xIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hsaW5rIiB4PSIwcHgiIHk9IjBweCIKCSB2aWV3Qm94PSIwIDAgODAwLjQgMTMwLjQiIHN0eWxlPSJlbmFibGUtYmFja2dyb3VuZDpuZXcgMCAwIDgwMC40IDEzMC40OyIgeG1sOnNwYWNlPSJwcmVzZXJ2ZSI+CjxzdHlsZSB0eXBlPSJ0ZXh0L2NzcyI+Cgkuc3Qwe2ZpbGw6IzM3M0Q0MTt9Cjwvc3R5bGU+Cjx0aXRsZT7lhYjnn6XmioDmnK/npL7ljLo8L3RpdGxlPgo8Zz4KCTxwb2x5Z29uIGNsYXNzPSJzdDAiIHBvaW50cz0iMCwxMjEuNCAwLDI3LjMgNTYuMywyNy4zIAkiLz4KCTxwb2x5Z29uIGNsYXNzPSJzdDAiIHBvaW50cz0iODkuOSw4LjQgODkuOSwxMDIuNSAzMy41LDEwMi41IAkiLz4KPC9nPgo8cGF0aCBjbGFzcz0ic3QwIiBkPSJNMTMwLjcsNTguNGMtMi4zLTEuNC00LjctMi45LTcuMi00LjVjNi02LjksMTAuNy0xNi4yLDE0LjEtMjcuOWw4LjMsMS43Yy0wLjcsMS42LTEuNiwzLjktMi44LDYuOQoJYy0wLjcsMi4zLTEuMywzLjktMS43LDQuOGgxNy41VjI0aDguM3YxNS41aDI5LjZWNDdoLTI5LjZ2MTUuMWgzNC43VjcwaC0yNi41djIxLjNjLTAuMiwzLjQsMS42LDUsNS41LDQuOGg3LjIKCWMzLjIsMC4yLDUuMy0xLjMsNi4yLTQuNWMwLjItMS40LDAuNS00LjEsMC43LTguM2MwLDAuNywwLjEtMC4xLDAuMy0yLjRsNy42LDIuOGMtMC4yLDQuMS0wLjcsNy45LTEuNCwxMS40CgljLTEuNiw2LTUuOCw4LjgtMTIuNyw4LjZoLTEwLjdjLTcuNiwwLjItMTEuMi0zLjItMTEtMTAuM1Y3MC4xaC0xNS44djMuMWMwLDE1LjQtOS4xLDI2LjQtMjcuMiwzM2MtMS40LTIuMS0zLTQuNi00LjgtNy42CglDMTM1LjEsOTQsMTQzLDg1LjQsMTQzLDcyLjhWNzBoLTIyLjd2LTcuOWgzOC41VjQ3aC0yMS4zQzEzNS41LDUxLjEsMTMzLjIsNTQuOSwxMzAuNyw1OC40eiIvPgo8cGF0aCBjbGFzcz0ic3QwIiBkPSJNMjEzLjIsNTQuNmMtMC41LTAuMi0xLjItMC43LTIuMS0xLjRjLTEuOC0xLjQtMy4yLTIuMy00LjEtMi44YzQuOC04LjksOC4xLTE3LjksMTAtMjYuOGw3LjYsMS40CgljLTAuNSwxLjgtMS4zLDQuNC0yLjQsNy42Yy0wLjIsMS4yLTAuNSwyLTAuNywyLjRoMjQuMXY3LjJoLTEyYzAsOC43LTAuMSwxNC45LTAuMywxOC42aDE0LjFWNjhoLTE0LjhjMCwyLjMtMC4yLDQuNS0wLjcsNi41CgljMS42LDEuNiwzLjgsNCw2LjUsNy4yYzQuNiw0LjgsOCw4LjYsMTAuMywxMS40bC01LjgsNS4yYy0wLjktMS4yLTIuMy0yLjgtNC4xLTQuOGMtMS44LTIuMy00LjgtNS44LTguOS0xMC43CgljLTIuNSw3LjgtOC40LDE1LjUtMTcuNSwyMy4xYy0yLjMtMi44LTQuMS00LjgtNS41LTYuMmMxMS4yLTguOSwxNy4zLTE5LjUsMTguMi0zMS43aC0xNy4ydi03LjJoMTcuNWMwLjItMy45LDAuMy0xMC4xLDAuMy0xOC42CgloLTYuOUMyMTcuMSw0Ni4zLDIxNS4zLDUwLjQsMjEzLjIsNTQuNnogTTI1MS40LDEwMi43VjMxLjloMzUuOHY3MC41aC04LjN2LTcuNmgtMTkuNnY3LjlDMjU5LjMsMTAyLjcsMjUxLjQsMTAyLjcsMjUxLjQsMTAyLjd6CgkgTTI1OS4zLDM5LjR2NDcuOGgxOS42VjM5LjRIMjU5LjN6Ii8+CjxwYXRoIGNsYXNzPSJzdDAiIGQ9Ik0yOTcuMiw4MS4xYy0wLjItMC45LTAuNi0yLjMtMS00LjFjLTAuNy0xLjgtMS4yLTMuMi0xLjQtNC4xYzkuMi02LjIsMTYuNC0xNC4zLDIxLjctMjQuNGgtMTkuNnYtNi45aDI3LjV2Ny4yCgljLTIuNSw1LjUtNS40LDEwLjQtOC42LDE0Ljh2NDIuM2gtNy42VjcyLjFDMzA1LDc1LjEsMzAxLjQsNzguMSwyOTcuMiw4MS4xeiBNMzExLjcsNDAuNWMtMC4yLTAuNS0wLjYtMS4xLTEtMi4xCgljLTIuOC02LTQuNi05LjctNS41LTExLjRsNi45LTMuMWMwLjcsMS4yLDEuOCwzLjMsMy40LDYuNWMxLjYsMywyLjgsNS4yLDMuNCw2LjVMMzExLjcsNDAuNXogTTMyNi44LDgwLjcKCWMtMS42LTIuMS00LjctNS42LTkuMy0xMC43Yy0wLjItMC4yLTAuNS0wLjUtMC43LTAuN2w0LjgtNC41YzIuMSwxLjgsNC45LDQuNiw4LjYsOC4zYzEuMSwxLjIsMS45LDIsMi40LDIuNEwzMjYuOCw4MC43egoJIE0zMjguNSw1Ni42VjQ5aDE4LjZWMjQuM2g4LjN2MjQuOEgzNzV2Ny42aC0xOS42djM5LjJoMjIuNHY2LjloLTUzdi02LjloMjIuNFY1Ni42SDMyOC41eiIvPgo8cGF0aCBjbGFzcz0ic3QwIiBkPSJNMzg5LjgsMTAxLjRWMjkuMUg0NjJ2Ny42aC02NC4zdjU3LjhoNjUuN3Y2LjlIMzg5Ljh6IE00NTAuMyw5MC40Yy02LjItNi42LTEyLjYtMTMtMTkuMy0xOC45CgljLTYsNS43LTEzLjQsMTIuMy0yMi40LDE5LjZjLTEuNC0xLjYtMy40LTMuOC02LjItNi41YzguMy01LjcsMTUuOC0xMiwyMi43LTE4LjljLTYuOS02LjQtMTMuOC0xMi43LTIwLjYtMTguOWw2LjItNS4yTDQzMSw2MC4yCgljNS41LTYuMiwxMC45LTEyLjgsMTYuMi0yMGw3LjIsNC41Yy01LjcsNy42LTExLjYsMTQuNC0xNy41LDIwLjZjNi45LDYuNywxMy42LDEzLDIwLjMsMTguOUw0NTAuMyw5MC40eiIvPgo8L3N2Zz4K)}.brand-box{position:absolute}.related-section{min-height:42px;padding:5px 0;margin-top:25px;border-top:1px solid #eee}.related-section>.related-
<style>a{color:#778087}.topic-list p{margin:0}.topic-content{min-height:40px}.collapse form{position:relative;width:300px;float:right}div.search{padding:10px 0}.d1 input{height:20px;padding-left:18px;border:1px solid #ddd;border-radius:15px;outline:0;background:#fff;color:#9e9c9c;float:right}.vote{font-weight:normal;margin-left:6px}.topic-list{word-break:break-all;word-wrap:break-word}ul{margin:0 0 10px 0}/*!*border-bottom: solid #eee 1px;*!*/.user-info{padding:5px 0 5px 0}.topic-info a,.topic-info{padding-top:5px}.topic-info a:hover{text-decoration:solid}.reminder{min-height:200px;border:1px #ddd solid;border-radius:3px;line-height:200px;text-align:center}</style>
<style>body{background-color:#eee}form{margin:0 !important}a:focus{text-decoration:none}.markdown-body p>code{white-space:normal;word-break:break-all;border:none !important}.box ul,ol{margin-bottom:0px !important}.markdown-body ul{list-style-type:disc}.markdown-body ul,.markdown-body ol{margin:0 0 24px 0 !important}.box a:hover{text-decoration:none}.box-container>ul>li{list-style-type:none}#Wrapper .row.box{margin-left:0px}.navbar-inner{border-radius:0px;min-height:40px;padding-right:0px;padding-left:0px;outline:0;margin-bottom:0;list-style:none;z-index:1050;background:#fff;-webkit-box-shadow:0 1px 4px rgba(0,21,41,0.08);box-shadow:0 1px 4px rgba(0,21,41,0.08);line-height:46px;-webkit-transition:background .3s,width .2s;-o-transition:background .3s,width .2s;transition:background .3s,width .2s}.bs-docs-footer{text-align:left;color:#99979c;height:64px;background-color:#FFF;border-top:1px solid rgba(0,0,0,0.22);line-height:64px}.bs-docs-footer .links>a{display:inline-block;padding:0 12px;border-left:1px solid #e8e8e8;color:#8c8c8c;line-height:1}.bs-docs-footer .links>a:first-child{border-left:0}.box-container .user-info{margin-bottom:10px;background:#fff}.content-title{font-size:24px;color:#333;text-decoration:none;line-height:24px;text-shadow:0 1px 0#fff}.markdown-body h1,.markdown-body h2{border-bottom:0}.box-container{padding:20px}.breadcrumb{padding:8px 10px 8px 15px;margin-bottom:10px;border-radius:0;color:#000;background-color:#fff}.breadcrumb>li{text-shadow:none !important;margin:2px 0px}.active{text-shadow:none !important}.breadcrumb .active{color:#555;display:inline-block;text-shadow:none !important}.label{background-color:#f4f4f4;line-height:12px;display:inline-block;padding:4px 4px 4px 4px;-moz-border-radius:2px;-webkit-border-radius:2px;border-radius:2px;text-decoration:none;text-shadow:none;font-weight:normal}.topic-info{color:#999 !important;font-size:12px !important}.topic-info a{padding:0px;color:#555 !important;font-size:12px !important}.topic-info a:hover{color:#4d5256;text-decoration:underline}.topic-info .cell{padding-left:0 !important;margin-left:0px;font-size:10px;font-weight:bold}.markdown-body img{max-width:90% !important;text-align:center;margin-left:auto;margin-right:auto;display:block;padding:10px 0px 10px 0px}.topic-info span{margin-left:0px;font-size:10px;color:rgba(0,0,0,0.45)}.btn{display:inline-block;padding:4px 12px;margin-bottom:0;font-size:14px;line-height:20px;background-color:#f4f4f4;color:#444;border-color:#ddd;font-family:"Helvetica Neue For Number",-apple-system,BlinkMacSystemFont,"Segoe UI",Roboto,"PingFang SC","Hiragino Sans GB","Microsoft YaHei","Helvetica Neue",Helvetica,Arial,sans-serif;-webkit-box-sizing:border-box;box-sizing:border-box;margin:0;list-style:none;font-weight:400;text-align:center;cursor:pointer;background-image:none;white-space:nowrap;border-radius:2px;height:32px;-webkit-user-select:none;-moz-user-select:none;-ms-user-select:none}.box{font-family:Monospaced Number,Chinese Quote,-apple-system,BlinkMacSystemFont,Segoe UI,Roboto,PingFang SC,Hiragino Sans GB,Microsoft YaHei,Helvetica Neue,Helvetica,Arial,sans-serif;font-size:14px;line-height:1.5;color:rgba(0,0,0,0.65);-webkit-box-sizing:border-box;box-sizing:border-box;margin-top:0 !important;margin-bottom:20px;padding:0;list-style:none;background:#fff;border-radius:2px;position:relative;-webkit-transition:all .3s;-o-transition:all .3s;transition:all .3s;-moz-box-shadow:0 1px 1px rgba(0,0,0,0.15);-webkit-box-shadow:0 1px 1px rgba(143,168,191,.35);box-shadow:0 1px 1px rgba(143,168,191,.35);border-bottom:1px solid #e2e2e9}.span10{float:left;min-height:1px}#Wrapper .span10{margin-left:0px !important;max-width:960px}@media(min-width:1200px){.container{width:82% !important}}@media screen and (min-width:1500px){#Wrapper.container,.navbar .navbar-inner .container,.bs-docs-footer .container{max-width:1100px !important}#Wrapper .span10{max-width:810px !important}}@media screen and (min-width:980px) and (max-width:1499px){#Wrapper.container,.navbar .navbar-inner .container,.bs-docs-footer .container{max-width:1100px !importa
<style>/*! prefixes.scss v0.1.0 | Author: Pandao | https://github.com/pandao/prefixes.scss | MIT license | Copyright (c) 2015 */@media only screen and (-webkit-min-device-pixel-ratio:2),only screen and (min-device-pixel-ratio:2){}@media only screen and (-webkit-min-device-pixel-ratio:3),only screen and (min-device-pixel-ratio:3){}/*! prefixes.scss v0.1.0 | Author: Pandao | https://github.com/pandao/prefixes.scss | MIT license | Copyright (c) 2015 *//*!
* Font Awesome 4.3.0 by @davegandy - http://fontawesome.io - @fontawesome
* License - http://fontawesome.io/license (Font: SIL OFL 1.1, CSS: MIT License)
*/@font-face{font-family:"FontAwesome";src:url(data:font/woff2;base64,d09GMgABAAAAAN3MAA4AAAAB3OQAAN1sAAQAxQAAAAAAAAAAAAAAAAAAAAAAAAAAP0ZGVE0cGh4GYACFQhEICobjZIW0WgE2AiQDkSoLiFwABCAFhwAHqx4/d2ViZgZbBYBxhnF7IVHRnVDqt/fSG4cZBbodREHF77duhex8Mb6j/fmp2f///78gWYzh7g+8R0BUdTpLW1Uzsp76hCzI4aYUR8pes2MocNQ2YvKKbApmLWu/bv7ALkc1B+aeVCsz1YrjaYsVnkxwJujIZWwn5gjVfIgmhc3in0QhmV5maXZNM1xTKb1RmAdM/OaNTl/mtoIrW/khyLhT5xe7bVH4fZGXVpFvuchr9JDG3Mcoh7mswgQxQVK8XUETf1CxbfHOtB+kxeznYk7Tc0VQvAs3ZHw4fkX+eKbZae3Ga4yTuqW4ivdfEynv1GrGUEu4OnTzzcjOrvA9euKJJn93ZAnl2I4SDS0d71OE52stez2NiwEECTzlA0CWsDwIHxnjUh747oQ+4/cPz8+ttyIXzTZiY4wxosaI3F8QvVEho0JSWt0kWiUlDEAMbFRUsJgZKGcUGHVmnTf/P6e9Zz8P5jE8wRUMwwiRViAUd39KoXMKlV2UsWpdN25qBwAP0n35Mpmf+bvg9ZtKfIuWauEin8QFPnQhqjHdubkgORdjw60F1Hm3BRSOpS8r3c6XU/9/JMdJqrGKafqQYMBQSgy6BEkN2ozu0jp/p5EMSdFJDElKASzB5dwOFDbt5x1Rt2WVqTHYdx+5Xp9Ufm9KBtkmlgURoo8tj////Z9a0ixLyWLsAGIB+Eoqp6lnC5QCOfox/PnFQ4BJkcOC2NkzE2qySKkd7EB0X2SssjuTJ374/zn7zhne2jm7fiUkyEiwBGin9SnjfqWFGqXyrNPtdoTk/iS7nvwSR9pOTPBCIAlSpUo50teOPKprzxRrm9+ChuQfqzJE8Bbl26JpGFbqfrX84LxQBx3aIebKK51pt3LCe3dPaIcrAGrDFXAd7qRJJ7W7e7L0z7L00hPYSSrgWlB0qYKDoXOBwQPRquJvWcPzc+sBI3pUj9GjxgIGG+yvAlaMBaxgY2PUYERvgIiAEiaIJ1NUPDFQwcLAujTqTr1QLioZ3GbIHTEdYnpCesfDy9dvB4B4+Vba/vPP6au23oy0eHeVXxgzGuGtTG1zt4lDgpCDCDHInDqlDmgAeK+jJZIEuJ9bmCpbL8Z0vvFwr84+jRRnNzOSkyPg6srryLIDS/CREjejVnMMEDioCIrqv3XCmO6lA/N4Lf1ua0oVVekIinqBkbCY5N/3nRqiAWisW2xsNBbsUxu11kXxz8lWB4c3sN3ekYiAEGAAByO382+qZQuQxImXstYh60J3LrpdOaX23OWinx9mwP//fAAzA5CcGYAkAFIiAEriDAiJAMndAQjqAJCgKWrvHpebtWs/re72nVaXEjCgtAQp6RHUJspJ2gupsq9yyLHo/Vy5u+v8rqhclS5d2qVdtLX/3nRVKsauMS47Z4JoNru6yNjUBvn73WqpW0jQLWxLIxDCSgwlBzcSzMxJwozQOiGBVpiZtY7hnPstYGiNbWEF5wTrxFmYdcxak56xPgku3HDDS8ILnYkuDi8MnQvCI3jcT216ZaMrjPl5GWYAIByhr51xVXZju0G5EtXIfqYwq7s4NLhgeu2nvYsxpRohhSTYCoItYM27+X/m/PxE6+tJNw9faWYRRohBDMIYh3z8h1yy6QEzqRlrM0ghSOsQ+ShkO2LOCgqadP5MQjyDih2k2EHqttndgXsdI1Oga0jEvEe50TXItrpN9NIEBcQhscEo44wiaoTxcU2AAvxdwsQC+Ppw/kum+fD5u8BrSYNSgIiihg2AMccnArqsYJ2gmNlhnADg/vHOjV6AesO+/MmrlN8grD8CAnD8ERERq2e4xrw61HwHQX8hVkPGCIADEJRmLCNsYzeTnAWcZnbH7osIzSEbGYvULv/7qJdPYalrqK/xvNrG/vmB3hmw4yOMWoM+4zyt158PeG80n4NP5BkGyRJu62dDPTINSpg2S/aEQH1fYmH9GoDFAURIy8JOAPQ+olD/RszU+DcQnfyXjKqKpWkxC3B+cn7qu+8P/zw8HGWmGhXmmMGhgEUOgwwppiB4OIEDmIPxlOSe+zqPfVuXeRqHvhveVZsW/nw1V6A6M4KhLcWhuFu/4O3fRKWuHfUc9G7G94SL4vR/rZ8Ub5iZP5cz9tlk/wtG9+s3PxmuMdIjm1qu7k+tQYQCZTRkuAtSmLSs0uOxI64zaboh3cTIf720EgwvjBKMYQmjxBNnkRyxseNc0nKZeZURGC+VioZVLFpliSPBSR6sepFcJRcWptiE61cRFstAMUgzXiIy9GFHp+YbdyPuTxi7mhkEy8HFEDtgQNiOpK3nWM1fDipB52FSVfCgaWZDZnBCmAEeY8qnhJXDtZpO3WARXEKSWONEF/OsMAUcncfXXJFOO07iwB9ZEC0Rx0w1XBF7LMNQps6RTRBgUkR4wysExmnkzVyanU2yQYoszPOCt7CyWSNhx2qJx6pQUFg9hF2rc4J4PRPD0s0/9mU9Xqti6iyt5m0wwu0LiQ7ss4x0xMnZYuElJ+YetZyQxFx641j/Yal5weLc8H/4fYKnutlzOe9R93rRMaSyJxXDwDOMtpVPhX8gHQkPZmFUmIukZ5itm4mgwdiCoXPLPt00dun4zJgyQ9WC7G9fKMSWv+rce6CmkNdcMj+29sKV6uuvzwGeYccKULEvDBbrFO98vT95Kr/X7EtB7aHcN4I8HwSyFyfYSQs5dWoQETxfhzg8XPRHDn4aAy4I0jgMd/YKhhTQGIIUaXr2SIGtQ7a8shpQ3Kd5HJl3uSm6jiggOo0lmJgU7BnW+tsbN8Ytnz/NF85mdb1xJBbSr53bKHWNFTs3NfjC7NyZs68AVT/AmfztCK2JuKyYoe3JQOL1Ez4+e4nP3Tznw51cp8n/f29xXJIeDFoytH2UdswpLxZj5TQ/jKFp0HleHN6iBgbGIDNIoG0AbzSe+hYvI/CmIZ9/+tzFx4LT+VwmKJiHptTdPu9IqvO/cQB4Z8WYj9vFB3NNh/CqqTs3L8sqbfk18wPSsZY1c3ac68eisCvjt+6GslRjWA1Zxq+qdEAqc7sJOkCYAQZdZAG6Znb2s8hRfrlyeWqbnEMQ6RI2UMe1AQiF2QdBy28lB0y3Y9QUnneWbXwuEZlXIjGOWtQT75f9QOantcglVhUBA9/nscgFUqkPfpE3sEQNV0z5MgnVbqu6yqG0r1FihEcFynAafHXrm5sP+HRIVMrrc83SlwaAHpUNNtGUAG/NorLNojJrBbedljpgk7Y8n6QG7/0NlwJtE+j0URxOmtVfeGtPSSRmNoSRyVr0HTRbX6Vk74l5MrdxqLL/wsT+m8xKkTi52Q2Vbxac4ZGt4Arfhrgb/AND4tFY3Xm/Toh0KeIA86aziD28hvsDsGZM3xLKLrjCGsjCSanjTV/lp53WIUI5X7DkOtim0kaMQABwbaw1JvjjCooVnahJrl2NbeOlHmQesdeWcDDm151Uw4itkyRyhHa+o8AqzpAolQfERlyYrXU8TcoyZc3bc2TTc9bOxCSFlgOR+CCm78ShGPMgUNHUVT+NGMgx9p5S8ojoislOGDXJ/HWbpevnAhZjcJG83YRHZrg4cCyLbyfJZI3zAA43Mui7Z//EogzN/udIIqnSdh6czyF/f34cAaTNOCJtklgk8XEIm2roZAY9panWtZblERHrIhdamihzQ9G2dGx+KoTBSBdtWsddqEJaROCI9aSpbRbbKkm2iJSmPo9YyQRe6KnaxDO5/G4Kofm8n6jc6PLyujtlEPm9TWjKBUTWEmENgIcjSPJu8Kez/W0AQSD+uunlV58AGIOEAnOKGdJJPzDL9PHxvFpS0+BkDk/hBSfK9wOjj9+TiDzPD9nA03EcaR0V+XC5e98nuyq4N5VTHJYHXyrmvTNVz2v8PaVPXoRE184+h7lQcjXseY0bfJd/5ctB
<style>.highlight .k{color:#204a87;font-weight:bold}.highlight .n{color:#000}.highlight .o{color:#ce5c00;font-weight:bold}.highlight .x{color:#000}.highlight .p{color:#000;font-weight:bold}.highlight .cm{color:#8f5902;font-style:italic}.highlight .cp{color:#8f5902;font-style:italic}.highlight .c1{color:#8f5902;font-style:italic}.highlight .kr{color:#204a87;font-weight:bold}.highlight .kt{color:#204a87;font-weight:bold}.highlight .m{color:#0000cf;font-weight:bold}.highlight .s{color:#4e9a06}.highlight .na{color:#c4a000}.highlight .nb{color:#204a87}.highlight .ni{color:#ce5c00}.highlight .nf{color:#000}.highlight .nt{color:#204a87;font-weight:bold}.highlight .nv{color:#000}.highlight .mh{color:#0000cf;font-weight:bold}.highlight .mi{color:#0000cf;font-weight:bold}.highlight .sc{color:#4e9a06}.highlight .se{color:#4e9a06}.highlight .s1{color:#4e9a06}</style>
<style>@-webkit-keyframes a{0%{-webkit-transform:rotate(0deg);transform:rotate(0deg)}to{-webkit-transform:rotate(359deg);transform:rotate(359deg)}}@keyframes a{0%{-webkit-transform:rotate(0deg);transform:rotate(0deg)}to{-webkit-transform:rotate(359deg);transform:rotate(359deg)}}@media(max-width:800px){}</style>
<!--[if lte IE 8]>
<script src="http://code.jquery.com/jquery-1.11.3.min.js"></script>
<![endif]-->
<!--[if !IE]> -->
<style>#waf_nc_block{position:fixed;width:100%;height:100%;top:0;bottom:0;left:0;z-index:99999}</style><style data-id=immersive-translate-input-injected-css>@-webkit-keyframes immersive-translate-loading-animation{from{-webkit-transform:rotate(0deg)}to{-webkit-transform:rotate(359deg)}}@keyframes immersive-translate-loading-animation{from{transform:rotate(0deg)}to{transform:rotate(359deg)}}@keyframes immersiveTranslateShadowRolling{0%{box-shadow:0px 0 rgba(255,255,255,0),0px 0 rgba(255,255,255,0),0px 0 rgba(255,255,255,0),0px 0 rgba(255,255,255,0)}12%{box-shadow:100px 0 var(--loading-color),0px 0 rgba(255,255,255,0),0px 0 rgba(255,255,255,0),0px 0 rgba(255,255,255,0)}25%{box-shadow:110px 0 var(--loading-color),100px 0 var(--loading-color),0px 0 rgba(255,255,255,0),0px 0 rgba(255,255,255,0)}36%{box-shadow:120px 0 var(--loading-color),110px 0 var(--loading-color),100px 0 var(--loading-color),0px 0 rgba(255,255,255,0)}50%{box-shadow:130px 0 var(--loading-color),120px 0 var(--loading-color),110px 0 var(--loading-color),100px 0 var(--loading-color)}62%{box-shadow:200px 0 rgba(255,255,255,0),130px 0 var(--loading-color),120px 0 var(--loading-color),110px 0 var(--loading-color)}75%{box-shadow:200px 0 rgba(255,255,255,0),200px 0 rgba(255,255,255,0),130px 0 var(--loading-color),120px 0 var(--loading-color)}87%{box-shadow:200px 0 rgba(255,255,255,0),200px 0 rgba(255,255,255,0),200px 0 rgba(255,255,255,0),130px 0 var(--loading-color)}100%{box-shadow:200px 0 rgba(255,255,255,0),200px 0 rgba(255,255,255,0),200px 0 rgba(255,255,255,0),200px 0 rgba(255,255,255,0)}}@media(prefers-color-scheme:dark){}@media screen and (max-width:768px){}</style><meta name=referrer content=no-referrer><link rel=icon href="data:image/x-icon;base64,iVBORw0KGgoAAAANSUhEUgAAACAAAAAgCAMAAABEpIrGAAAABGdBTUEAALGPC/xhBQAAAAFzUkdCAK7OHOkAAADDUExURUxpcVVVVUNDVT5CTz1BUEBVVT1BUD1BTz5CTz5GT0BDUVVVVT5CTz5BUj1CTz5BT05OYj1CUD5GVUJCUj5CUD5BTz5BT0lJbT5CUEJCVT9DUUBHVT5CUD5CTz9CUD5BTz1BTz5CUEREUz5CUD5BUD5DTz5CUD5BT0BDUT5CTz1CUD5EUUBgYEBDUT5CUT1CTz1BUD5BUD9DUT1CT0REVT5BUENDUT1BUEBGUz1BUD9DT0FBUz1CTz5BTz1CUD1BUD1BT5JdbS4AAABAdFJOUwAJKr76DPbywR1MBuRO5fsNsyEfvdtKB4MbfiTa+FnegYwitbBXfPdYrt0pCEiL9XmsRdgeVhO8KI2KK45a2b/ePQx7AAAAwUlEQVQ4y4XTxw7CQAwE0A2E0BN67733Xv3/X4U0kYgimKxP9vgdfNhVildaBVfmpQGPaPD+7mjAW74g5q8Ewqd4QHy1T+JCm4IdsqswsEUUchhYHxCFhYENkpYw0MCFEZuCJYKuMDB1LzQZsPLehX/BCONEGCiWcWGKghKmlTAwwDA3GbByGArCQA39UBiYLfwX/gD3mdyEgSy6i8nAuIfuLAx00ByFgbaB5hT3VdUDmk8mfc0fa9Y1oKLZKyNo+QEJQV3gLnHrKwAAAABJRU5ErkJggg==" type=image/x-icon><style>.sf-hidden{display:none !important}</style><link rel=canonical href="https://xz.aliyun.com/t/14690?time__1311=mqmx9QDtDQ0%3Dex0y34%2BEa5G8FaZD7Kiqix&amp;alichlgref=https%3A%2F%2Fxz.aliyun.com%2Fu%2F43270"><meta http-equiv=content-security-policy content="default-src 'none'; font-src 'self' data:; img-src 'self' data:; style-src 'unsafe-inline'; media-src 'self' data:; script-src 'unsafe-inline' data:; object-src 'self' data:; frame-src 'self' data:;"><style>img[src="data:,"],source[src="data:,"]{display:none!important}</style></head>
<body>
<div class="navbar navbar-default">
<div class=navbar-inner>
<div class=container style=text-align:center;position:relative>
<!--[if lte IE 8]>
<span style="display:inline-block;margin:0 auto;color:red;">为了更好的体验请使用IE10及以上版本</span>
<![endif]-->
<div class=brand-box>
<a class=brand href=https://xz.aliyun.com/tab/1></a>
</div>
<a href="https://account.aliyun.com/login/login.htm?oauth_callback=https%3A%2F%2Fxz.aliyun.com%2Ft%2F14690&amp;from_type=xianzhi" class="pull-right anonymous-user hh_loding sf-hidden">
登录</a>
<div class="nav-collapse collapse">
<div class="search d1 text-right">
<form action=/search>
<input type=text placeholder=搜索 name=keyword value>
</form>
</div>
</div>
</div>
</div>
</div>
<div id=Wrapper class=container>
<div class=row2>
<div class=span10>
<div class="row box content" width="1200px !important" style=width:1200px>
<div class=box-container>
<div class=main-topic>
<div class="clearfix user-info topic-list">
<p><span class=content-title>【翻译】从设置字符集到RCE利用 GLIBC 攻击 PHP 引擎(篇一)</span>
</p>
<div class=topic-info>
<span class=info-left>
<a href=https://xz.aliyun.com/u/43270>
<span class="username cell"> 朝闻道道可道</span></a> <span class=i-seprator> / </span>
<span> 2024-05-28 16:43:12</span><span class=i-seprator> / </span>
<span>发表于湖北 / </span>
<span>浏览数 642</span>
<span class=content-node>
<span class="label label-default label-node-first">
<a href=https://xz.aliyun.com/tab/4>社区板块</a></span>
<span class="label label-default">
<a href=https://xz.aliyun.com/node/1>漏洞分析</a></span>
</span>
</span>
<span class="pull-right t-vote cell info-right"><a class="vote vote-up" href=javascript:void(0)>
顶(23)</a>
<a class="vote vote-down" href=javascript:void(0)>
踩(16)</a></span>
</div>
</div>
<hr>
<div id=topic_content class="topic-content markdown-body">
<p>翻译:<a href=https://www.ambionics.io/blog/iconv-cve-2024-2961-p1#sql-injection-to-rce target=_blank>https://www.ambionics.io/blog/iconv-cve-2024-2961-p1#sql-injection-to-rce</a></p>
<h1>介绍</h1>
<p>几个月前,我偶然发现了一个存在于glibc(Linux程序基础库)中已有24年之久的缓冲区溢出漏洞。尽管该漏洞可以在多个知名库或可执行文件中被触发,但实际上很难被利用利用。原因有二:一是漏洞给予的可操作空间十分有限;二是漏洞的利用需要满足一些非常苛刻的前置条件。在寻找可利用目标的过程中,无法找到可利用的目标是常有的事。然而,在PHP环境中,这个漏洞却展现出了其独特之处,并证明能通过两种不同的方式有效利用PHP引擎。</p>
<p>由于涉及的材料众多关于此漏洞的影响和利用将分三部分系列进行记录。在本系列的第一部分中我将描述我是如何遇到这个漏洞的为何合适的攻击目标稀少并最终深入到PHP引擎内部展示一个新的利用途径在PHP应用中将文件读取基本操作转换为<code>RCE</code>远程代码执行。</p>
<p><strong>如果您不熟悉 Web 开发、PHP 或 PHP 引擎,请不要介意:我将一路解释相关概念。</strong></p>
<h1>发现:一个关于过滤器的故事</h1>
<h2 id=toc-0>在PHP中的文件读取原语</h2>
<p>首先,我们来了解一下基础知识。假设在进行评估时,你发现了一个文件读取原语,例如下面这个:</p>
<div class=highlight><pre><span></span><span class=x>echo file_get_contents($_GET['file']);</span>
</pre></div>
<p>你能用它做什么?嗯,显然是读取文件。例如,您可以阅读 <code>/etc/passwd</code> 。但 PHP 还允许您使用其他协议,例如 <code>http://</code><code>ftp://</code>。因此,您可以使用<code>http://google.com</code> 让 PHP 为您获取 google 的首页;或者使用 <code>ftp://user:passwd@ftp.target.com/file.bin</code> 从 FTP 服务器下载文件。但这还不是全部。 PHP 还实现了自定义协议,例如 <code>phar://</code><br>
phar:// 让您可以读取 PHAR 存档的内部内容。 PHAR 代表 PHP 存档,就像 JAR 代表 Java 存档一样。它是一组文件,例如:</p>
<ul>
<li>源代码</li>
<li>资源</li>
<li>序列化的元数据</li>
</ul>
<p>这个协议多年来一直是PHP的致命弱点因为当你使用它访问一个PHAR文件时其元数据会被反序列化。常见的PHAR攻击方式如下所示</p>
<ol>
<li>将PHAR归档文件上传至目标服务器PHAR文件非常灵活可以使其看起来像是一张图片、一个PDF文档或其他任何类型的文件</li>
<li>使用文件读取基本操作访问PHAR文件路径为<code>phar:///path/to/file.phar/test</code></li>
<li>任意载荷在此过程中被反序列化。</li>
</ol>
<p>将反序列化转换为代码执行有多种方法但人们通常依赖PHP中的首选反序列化工具——PHPGGC。</p>
<p>PHAR攻击的影响不容小觑。自2018年出现以来它们在获取PHP目标的shell方面发挥了关键作用。然而这场盛宴即将结束<br>
从PHP 8.0版本发布于2020年开始<code>phar://</code>不再反序列化元数据反正他们也不使用元数据所以为何要反序列化它。这彻底终结了PHAR攻击的可能性。<br>
大型应用程序如Drupal或Magento已经禁用了<code>phar://</code>协议。<br>
随着时间的推移,利用反序列化漏洞将会变得更加困难:库正在修补其反序列化链,而类型系统的复兴也大幅减少了可被利用的反序列化路径。<br>
但是<code>phar://</code>并非攻击者唯一有用的协议;另一个名为<code>php://filter</code>的协议同样取得了显著成效。</p>
<h2 id=toc-1>PHP 过滤器简介</h2>
<p>在过去的几年中,人们对<code>php://filter</code>这一PHP特有的协议产生了兴趣如果名称还不够明显的话。它提供了一种在返回流之前对其应用转换的方法。其语法如下</p>
<div class=highlight><pre><span></span><span class=x>php://filter/[filters...]/resource=[resource]</span>
</pre></div>
<p>资源可以是我们在前一节中已经讨论过的任何东西:一个简单的文件,一个 HTTP 响应,来自 FTP 服务器的文件...<br>
过滤器是一系列你希望PHP对流应用的转换操作。在这里我们请求PHP使用<code>convert.base64-encode</code>过滤器将资源的内</p>
<div class=highlight><pre><span></span><span class=x>php://filter/convert.base64-encode/resource=/etc/passwd</span>
</pre></div>
<p>它返回:</p>
<div class=highlight><pre><span></span><span class=x>cm9vdDp4OjA6MDpyb290Oi9yb290Oi9iaW4vYXNoCmJpbjp4OjE6MTpiaW46L2Jpbjovc2Jpbi9u</span>
<span class=x>b2xvZ2luCmRhZW1vbjp4OjI6MjpkYWVtb246L3NiaW46L3NiaW4vbm9sb2dpbgphZG06eDozOjQ6</span>
<span class=x>...</span>
<span class=x>Yi92bnN0YXQ6L2Jpbi9mYWxzZQpyZWRpczp4OjEwMjoxMDM6cmVkaXM6L3Zhci9saWIvcmVkaXM6</span>
<span class=x>L2Jpbi9mYWxzZQo=</span>
</pre></div>
<p>您可以根据需要添加任意数量的过滤器。在这里,我要求 PHP 对流进行两次 Base64 编码:</p>
<div class=highlight><pre><span></span><span class=x>php://filter/convert.base64-encode|convert.base64-encode/resource=/etc/passwd</span>
</pre></div>
<p>然后得到</p>
<div class=highlight><pre><span></span><span class=x>Y205dmREcDRPakE2TURweWIyOTBPaTl5YjI5ME9pOWlhVzR2WVhOb0NtSnBianA0T2pFNk1UcGlh</span>
<span class=x>...</span>
<span class=x>RXdNam94TURNNmNtVmthWE02TDNaaGNpOXNhV0l2Y21Wa2FYTTZMMkpwYmk5bVlXeHpaUW89</span>
</pre></div>
<p>显然base64编码并非唯一可行的操作。众多过滤器可供选择其中包括</p>
<ul>
<li>string.upper ,将字符串转换为大写</li>
<li>string.lower ,将字符串转换为小写</li>
<li>string.rot13 ,执行一些 BC 加密</li>
<li>convert.iconv.X.Y ,将字符集从 X 转换为 Y<br>
让我们看一下最后一个过滤器: convert.iconv.X.Y 。假设我需要将文件从 UTF8 转换为 UTF16。我可以用<div class=highlight><pre><span></span><span class=x>php://filter/convert.iconv.UTF-8.UTF-16/resource=/etc/passwd</span>
</pre></div>
十六进制形式:<div class=highlight><pre><span></span><span class=x>00000000: fffe 7200 6f00 6f00 7400 3a00 7800 3a00 ..r.o.o.t.:.x.:.</span>
<span class=x>00000010: 3000 3a00 3000 3a00 7200 6f00 6f00 7400 0.:.0.:.r.o.o.t.</span>
<span class=x> ...</span>
<span class=x>00000a40: 2f00 6200 6900 6e00 2f00 6600 6100 6c00 /.b.i.n./.f.a.l.</span>
<span class=x>00000a50: 7300 6500 0a00 s.e...</span>
</pre></div>
</li>
</ul>
<p>众多的过滤器以及将它们链接起来的可能性促成了一些关于PHP的出色研究比如<a href="https://gynvael.coldwind.pl/?id=671" target=_blank>这里</a><a href=https://gist.github.com/loknop/b27422d355ea1fd0d90d6dbc1e278d4d target=_blank>这里</a>或者<a href=https://github.com/DownUnderCTF/Challenges_2022_Public/blob/main/web/minimal-php/solve/solution.py target=_blank>这里</a>。实际上,通过精确挑选过滤器(一个过滤链),攻击者可以做一些惊人的事情,比如<a href=https://www.synacktiv.com/en/publications/php-filters-chain-what-is-it-and-how-to-use-it target=_blank>完全改变一个文件的内容</a>,或者使用<a href=https://www.synacktiv.com/en/publications/php-filter-chains-file-read-from-error-based-oracle target=_blank>基于错误的预言机逐个提取其字节</a></p>
<p>例如,这里有一个过滤器链,它会在<code>/etc/passwd</code>前添加<code>Hello world!</code></p>
<div class=highlight><pre><span></span><span class=x>php://filter/convert.base64-encode|convert.iconv.855.UTF7|convert.iconv.CSGB2312.UTF-32|</span>
<span class=x>convert.iconv.IBM-1161.IBM932|convert.iconv.GB13000.UTF16BE|convert.iconv.864.UTF-32LE|</span>
<span class=x>convert.base64-decode|convert.base64-encode|convert.iconv.855.UTF7|convert.iconv.IBM860.UTF16|</span>
<span class=x>convert.iconv.ISO-IR-143.ISO2022CNEXT|convert.base64-decode|convert.base64-encode|</span>
<span class=x>convert.iconv.855.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|</span>
<span class=x>convert.iconv.GBK.SJIS|convert.base64-decode|convert.base64-encode|convert.iconv.855.UTF7|</span>
<span class=x>convert.iconv.L5.UTF-32|convert.iconv.ISO88594.GB13000|convert.iconv.BIG5.SHIFT_JISX0213|</span>
<span class=x>convert.base64-decode|convert.base64-encode|convert.iconv.855.UTF7|convert.iconv.JS.UNICODE|</span>
<span class=x>convert.iconv.L4.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.855.UTF7|</span>
<span class=x>convert.iconv.CP-AR.UTF16|convert.iconv.8859_4.BIG5HKSCS|convert.base64-decode|convert.base64-encode|</span>
<span class=x>convert.iconv.855.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM921.NAPLPS|</span>
<span class=x>convert.iconv.CP1163.CSA_T500|convert.iconv.UCS-2.MSCP949|convert.base64-decode|</span>
<span class=x>convert.base64-encode|convert.iconv.855.UTF7|convert.iconv.L4.UTF32|convert.iconv.CP1250.UCS-2|</span>
<span class=x>convert.base64-decode|convert.base64-encode|convert.iconv.855.UTF7|convert.iconv.UTF8.UTF16LE|</span>
<span class=x>convert.iconv.UTF8.CSISO2022KR|convert.iconv.UTF16.EUCTW|convert.iconv.ISO-8859-14.UCS2|</span>
<span class=x>convert.base64-decode|convert.base64-encode|convert.iconv.855.UTF7|convert.iconv.INIS.UTF16|</span>
<span class=x>convert.iconv.CSIBM1133.IBM943|convert.iconv.GBK.BIG5|convert.base64-decode|convert.base64-encode|</span>
<span class=x>convert.iconv.855.UTF7|convert.iconv.CP1046.UTF16|convert.iconv.ISO6937.SHIFT_JISX0213|</span>
<span class=x>convert.base64-decode|convert.base64-encode|convert.iconv.855.UTF7|convert.iconv.L5.UTF-32|</span>
<span class=x>convert.iconv.ISO88594.GB13000|convert.iconv.BIG5.SHIFT_JISX0213|convert.base64-decode|</span>
<span class=x>convert.base64-encode|convert.iconv.855.UTF7|convert.iconv.IBM869.UTF16|convert.iconv.L3.CSISO90|</span>
<span class=x>convert.base64-decode|convert.base64-encode|convert.iconv.855.UTF7|convert.iconv.ISO2022KR.UTF16|</span>
<span class=x>convert.iconv.L6.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.855.UTF7|</span>
<span class=x>convert.iconv.L6.UNICODE|convert.iconv.CP1282.ISO-IR-90|convert.base64-decode|convert.base64-encode|</span>
<span class=x>convert.iconv.855.UTF7|convert.iconv.JS.UNICODE|convert.iconv.L4.UCS2|convert.iconv.UCS-2.OSF00030010|</span>
<span class=x>convert.iconv.CSIBM1008.UTF32BE|convert.base64-decode|convert.base64-encode|convert.iconv.855.UTF7|</span>
<span class=x>convert.iconv.IBM869.UTF16|convert.iconv.L3.CSISO90|convert.base64-decode|convert.base64-encode|</span>
<span class=x>convert.iconv.855.UTF7|convert.iconv.CP861.UTF-16|convert.iconv.L4.GB13000|convert.iconv.BIG5.JOHAB|</span>
<span class=x>convert.base64-decode|convert.base64-encode|convert.iconv.855.UTF7|convert.iconv.L6.UNICODE|</span>
<span class=x>convert.iconv.CP1282.ISO-IR-90|convert.base64-decode|convert.base64-encode|convert.iconv.855.UTF7|</span>
<span class=x>convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.iconv.GBK.SJIS|convert.base64-decode|</span>
<span class=x>convert.base64-encode|convert.iconv.855.UTF7|convert.base64-decode/resource=/etc/passwd</span>
</pre></div>
<p>结果是:</p>
<div class=highlight><pre><span></span><span class=x>Hello, world!!!root:x:0:0:root:/root:/bin/bash...</span>
</pre></div>
<h2 id=toc-2>PHP过滤器前缀、后缀和崩溃</h2>
<p>遗憾的是,文件读取并非总是那么容易:</p>
<div class=highlight><pre><span></span><span class=x>echo file_get_contents($_POST['file']);</span>
</pre></div>
<p>通常情况下文件不会原样返回而是会以某种方式进行解析或检查。例如我经常遇到这样的代码片段它要求您的文件必须是有效的JSON格式</p>
<div class=highlight><pre><span></span><span class=x>$data = file_get_contents($_POST['url']);</span>
<span class=x>$data = json_decode($data);</span>
<span class=x>echo $data-&gt;message;</span>
</pre></div>
<p>我们在此读取了一个文件但其内容随后被JSON反序列化处理并且仅返回文档的一部分。为了读取标准文件<code>/etc/passwd</code>),我们需要向数据流中添加一个任意的前缀和后缀。类似于:<code>{"message": "&lt;contents-of-/etc/passwd&gt;"}</code>。到了2023年末情况是你可以使用<code>php://filter</code>链来为数据流添加前缀,但不能添加后缀。因此我着手开发一种算法来实现后者。</p>
<ul>
<li>注:该研究产生了一个于 2023 年 12 月发布的工具:<a href=https://github.com/ambionics/wrapwrap target=_blank>wrapwrap</a><blockquote><p><a href=https://www.ambionics.io/blog/wrapwrap-php-filters-suffix target=_blank>https://www.ambionics.io/blog/wrapwrap-php-filters-suffix</a></p>
</blockquote>
</li>
</ul>
<p>当时我对字符集或编码一无所知坦白说我现在也分不清楚它们的区别。为了起步我编写了一个暴力破解脚本该脚本将几个iconv过滤器叠加在一起并展示结果。大概是这样的</p>
<div class=highlight><pre><span></span><span class=x>php://filter/convert.iconv.A.B/convert.iconv.C.D/convert.iconv.E.F/resource=data:,test123</span>
</pre></div>
<p>在某个时刻,我的模糊测试工具崩溃了。<br>
由于我大部分时间都在使用PHP,我很快就将矛头指向了它。但我当时并不知道,这个bug实际上存在于更底层的调用链路中:一直深入到glibc库的底层。</p>
<h1>CVE-2024-2961glibc 中的bug</h1>
<h2 id=toc-3>iconv() API</h2>
<p>当PHP从一个字符集转换到另一个字符集时它使用<a href=https://www.gnu.org/software/libc/manual/html_node/glibc-iconv-Implementation.html target=_blank><code>iconv</code></a>这是一个用于“使用转换描述符将输入缓冲区中的字符转换为输出缓冲区”的API。在Linux系统上这个API由<a href=https://www.gnu.org/software/libc/ target=_blank>glibc</a>实现。<br>
API非常简单。首先你需要打开一个转换描述符该描述符指定了输入和输出字符集。</p>
<div class=highlight><pre><span></span><span class=x>iconv_t iconv_open(const char *tocode, const char *fromcode);</span>
</pre></div>
<p>然后,您可以使用<code>iconv()</code>将输入缓冲区<code>inbuf</code>转换为输出缓冲区<code>outbuf</code>中的新字符集。</p>
<div class=highlight><pre><span></span><span class=kt>size_t</span> <span class=nf>iconv</span><span class=p>(</span><span class=n>iconv_t</span> <span class=n>cd</span><span class=p>,</span>
<span class=kt>char</span> <span class=o>**</span><span class=kr>restrict</span> <span class=n>inbuf</span><span class=p>,</span> <span class=kt>size_t</span> <span class=o>*</span><span class=kr>restrict</span> <span class=n>inbytesleft</span><span class=p>,</span>
<span class=kt>char</span> <span class=o>**</span><span class=kr>restrict</span> <span class=n>outbuf</span><span class=p>,</span> <span class=kt>size_t</span> <span class=o>*</span><span class=kr>restrict</span> <span class=n>outbytesleft</span><span class=p>);</span>
</pre></div>
<p>缓冲区管理是调用者的责任。如果输出缓冲区不够大,<code>iconv()</code> 将返回一个错误指示此情况,您可以通过重新分配 <code>outbuf</code> 并再次调用 <code>iconv()</code> 来继续转换。该函数保证的是,它永远不会从 <code>inbuf</code> 读取超过 <code>inbytesleft</code> 字节的数据,或向 <code>outbuf</code> 写入超过 <code>outbytesleft</code> 字节的数据。永远不吗?嗯,理论上...</p>
<h2 id=toc-4>转换为 ISO-2022-CN-EXT 时出现越界写入</h2>
<p>恰好在将数据转换为ISO-2022-CN-EXT字符集时iconv可能在写入输出缓冲区之前未能检查是否有足够的空间剩余。<br>
实际上ISO-2022-CN-EXT是一系列字符集的集合当需要编码一个字符时它会选取适当的字符集并发出一个转义序列以指示解码器需切换到该字符集。<br>
下面的代码片段负责发出这样的转义序列。它由三个if块组成每个块向outbuf由outptr指向写入不同的转义序列。如果你查看第一个if<code>[1]</code>你会发现它前面有一个额外的if()块来检查输出缓冲区是否足够大以容纳四个字符。而其他两个if()<code>[2][3]</code>则没有这个检查。因此,转义序列可能会越界写入。</p>
<div class=highlight><pre><span></span><span class=c1>// iconvdata/iso-2022-cn-ext.c</span>
<span class=cm>/* See whether we have to emit an escape sequence. */</span>
<span class=k>if</span> <span class=p>(</span><span class=n>set</span> <span class=o>!=</span> <span class=n>used</span><span class=p>)</span>
<span class=p>{</span>
<span class=cm>/* First see whether we announced that we use this</span>
<span class=cm> character set. */</span>
<span class=k>if</span> <span class=p>((</span><span class=n>used</span> <span class=o>&amp;</span> <span class=n>SO_mask</span><span class=p>)</span> <span class=o>!=</span> <span class=mi>0</span> <span class=o>&amp;&amp;</span> <span class=p>(</span><span class=n>ann</span> <span class=o>&amp;</span> <span class=n>SO_ann</span><span class=p>)</span> <span class=o>!=</span> <span class=p>(</span><span class=n>used</span> <span class=o>&lt;&lt;</span> <span class=mi>8</span><span class=p>))</span> <span class=c1>// [1]</span>
<span class=p>{</span>
<span class=k>const</span> <span class=kt>char</span> <span class=o>*</span><span class=n>escseq</span><span class=p>;</span>
<span class=k>if</span> <span class=p>(</span><span class=n>outptr</span> <span class=o>+</span> <span class=mi>4</span> <span class=o>&gt;</span> <span class=n>outend</span><span class=p>)</span> <span class=c1>// &lt;-------------------- BOUND CHECK</span>
<span class=p>{</span>
<span class=n>result</span> <span class=o>=</span> <span class=n>__GCONV_FULL_OUTPUT</span><span class=p>;</span>
<span class=k>break</span><span class=p>;</span>
<span class=p>}</span>
<span class=n>assert</span><span class=p>(</span><span class=n>used</span> <span class=o>&gt;=</span> <span class=mi>1</span> <span class=o>&amp;&amp;</span> <span class=n>used</span> <span class=o>&lt;=</span> <span class=mi>4</span><span class=p>);</span>
<span class=n>escseq</span> <span class=o>=</span> <span class=s>")A</span><span class=se>\0\0</span><span class=s>)G)E"</span> <span class=o>+</span> <span class=p>(</span><span class=n>used</span> <span class=o>-</span> <span class=mi>1</span><span class=p>)</span> <span class=o>*</span> <span class=mi>2</span><span class=p>;</span>
<span class=o>*</span><span class=n>outptr</span><span class=o>++</span> <span class=o>=</span> <span class=n>ESC</span><span class=p>;</span>
<span class=o>*</span><span class=n>outptr</span><span class=o>++</span> <span class=o>=</span> <span class=sc>'$'</span><span class=p>;</span>
<span class=o>*</span><span class=n>outptr</span><span class=o>++</span> <span class=o>=</span> <span class=o>*</span><span class=n>escseq</span><span class=o>++</span><span class=p>;</span>
<span class=o>*</span><span class=n>outptr</span><span class=o>++</span> <span class=o>=</span> <span class=o>*</span><span class=n>escseq</span><span class=o>++</span><span class=p>;</span>
<span class=n>ann</span> <span class=o>=</span> <span class=p>(</span><span class=n>ann</span> <span class=o>&amp;</span> <span class=o>~</span><span class=n>SO_ann</span><span class=p>)</span> <span class=o>|</span> <span class=p>(</span><span class=n>used</span> <span class=o>&lt;&lt;</span> <span class=mi>8</span><span class=p>);</span>
<span class=p>}</span>
<span class=k>else</span> <span class=k>if</span> <span class=p>((</span><span class=n>used</span> <span class=o>&amp;</span> <span class=n>SS2_mask</span><span class=p>)</span> <span class=o>!=</span> <span class=mi>0</span> <span class=o>&amp;&amp;</span> <span class=p>(</span><span class=n>ann</span> <span class=o>&amp;</span> <span class=n>SS2_ann</span><span class=p>)</span> <span class=o>!=</span> <span class=p>(</span><span class=n>used</span> <span class=o>&lt;&lt;</span> <span class=mi>8</span><span class=p>))</span> <span class=c1>// [2]</span>
<span class=p>{</span>
<span class=k>const</span> <span class=kt>char</span> <span class=o>*</span><span class=n>escseq</span><span class=p>;</span>
<span class=c1>// &lt;-------------------- NO BOUND CHECK</span>
<span class=n>assert</span><span class=p>(</span><span class=n>used</span> <span class=o>==</span> <span class=n>CNS11643_2_set</span><span class=p>);</span> <span class=cm>/* XXX */</span>
<span class=n>escseq</span> <span class=o>=</span> <span class=s>"*H"</span><span class=p>;</span>
<span class=o>*</span><span class=n>outptr</span><span class=o>++</span> <span class=o>=</span> <span class=n>ESC</span><span class=p>;</span>
<span class=o>*</span><span class=n>outptr</span><span class=o>++</span> <span class=o>=</span> <span class=sc>'$'</span><span class=p>;</span>
<span class=o>*</span><span class=n>outptr</span><span class=o>++</span> <span class=o>=</span> <span class=o>*</span><span class=n>escseq</span><span class=o>++</span><span class=p>;</span>
<span class=o>*</span><span class=n>outptr</span><span class=o>++</span> <span class=o>=</span> <span class=o>*</span><span class=n>escseq</span><span class=o>++</span><span class=p>;</span>
<span class=n>ann</span> <span class=o>=</span> <span class=p>(</span><span class=n>ann</span> <span class=o>&amp;</span> <span class=o>~</span><span class=n>SS2_ann</span><span class=p>)</span> <span class=o>|</span> <span class=p>(</span><span class=n>used</span> <span class=o>&lt;&lt;</span> <span class=mi>8</span><span class=p>);</span>
<span class=p>}</span>
<span class=k>else</span> <span class=k>if</span> <span class=p>((</span><span class=n>used</span> <span class=o>&amp;</span> <span class=n>SS3_mask</span><span class=p>)</span> <span class=o>!=</span> <span class=mi>0</span> <span class=o>&amp;&amp;</span> <span class=p>(</span><span class=n>ann</span> <span class=o>&amp;</span> <span class=n>SS3_ann</span><span class=p>)</span> <span class=o>!=</span> <span class=p>(</span><span class=n>used</span> <span class=o>&lt;&lt;</span> <span class=mi>8</span><span class=p>))</span> <span class=c1>// [3]</span>
<span class=p>{</span>
<span class=k>const</span> <span class=kt>char</span> <span class=o>*</span><span class=n>escseq</span><span class=p>;</span>
<span class=c1>// &lt;-------------------- NO BOUND CHECK</span>
<span class=n>assert</span><span class=p>((</span><span class=n>used</span> <span class=o>&gt;&gt;</span> <span class=mi>5</span><span class=p>)</span> <span class=o>&gt;=</span> <span class=mi>3</span> <span class=o>&amp;&amp;</span> <span class=p>(</span><span class=n>used</span> <span class=o>&gt;&gt;</span> <span class=mi>5</span><span class=p>)</span> <span class=o>&lt;=</span> <span class=mi>7</span><span class=p>);</span>
<span class=n>escseq</span> <span class=o>=</span> <span class=s>"+I+J+K+L+M"</span> <span class=o>+</span> <span class=p>((</span><span class=n>used</span> <span class=o>&gt;&gt;</span> <span class=mi>5</span><span class=p>)</span> <span class=o>-</span> <span class=mi>3</span><span class=p>)</span> <span class=o>*</span> <span class=mi>2</span><span class=p>;</span>
<span class=o>*</span><span class=n>outptr</span><span class=o>++</span> <span class=o>=</span> <span class=n>ESC</span><span class=p>;</span>
<span class=o>*</span><span class=n>outptr</span><span class=o>++</span> <span class=o>=</span> <span class=sc>'$'</span><span class=p>;</span>
<span class=o>*</span><span class=n>outptr</span><span class=o>++</span> <span class=o>=</span> <span class=o>*</span><span class=n>escseq</span><span class=o>++</span><span class=p>;</span>
<span class=o>*</span><span class=n>outptr</span><span class=o>++</span> <span class=o>=</span> <span class=o>*</span><span class=n>escseq</span><span class=o>++</span><span class=p>;</span>
<span class=n>ann</span> <span class=o>=</span> <span class=p>(</span><span class=n>ann</span> <span class=o>&amp;</span> <span class=o>~</span><span class=n>SS3_ann</span><span class=p>)</span> <span class=o>|</span> <span class=p>(</span><span class=n>used</span> <span class=o>&lt;&lt;</span> <span class=mi>8</span><span class=p>);</span>
<span class=p>}</span>
<span class=p>}</span>
</pre></div>
<p>要触发此漏洞我们需要迫使iconv()在输出缓冲区结束前发出一个转义序列。为此我们可以使用诸如“劄”、“䂚”、“峛”或“湿”等特殊字符。这将导致1到3字节的溢出其值如下<br>
<code>$*H [24 2A 48]</code><br>
<code>$+I [24 2B 49]</code><br>
<code>$+J [24 2B 4A]</code><br>
<code>$+K [24 2B 4B]</code><br>
<code>$+L [24 2B 4C]</code><br>
<code>$+M [24 2B 4D]</code></p>
<p>一个简短的POC演示了该bug</p>
<div class=highlight><pre><span></span><span class=cm>/*</span>
<span class=cm>$ gcc -o poc ./poc.c &amp;&amp; ./poc</span>
<span class=cm>*/</span>
<span class=p>...</span>
<span class=kt>void</span> <span class=n>hexdump</span><span class=p>(</span><span class=kt>void</span> <span class=o>*</span><span class=n>ptr</span><span class=p>,</span> <span class=kt>int</span> <span class=n>buflen</span><span class=p>)</span>
<span class=p>{</span>
<span class=p>...</span>
<span class=p>}</span>
<span class=kt>void</span> <span class=n>main</span><span class=p>()</span>
<span class=p>{</span>
<span class=n>iconv_t</span> <span class=n>cd</span> <span class=o>=</span> <span class=n>iconv_open</span><span class=p>(</span><span class=s>"ISO-2022-CN-EXT"</span><span class=p>,</span> <span class=s>"UTF-8"</span><span class=p>);</span>
<span class=kt>char</span> <span class=n>input</span><span class=p>[</span><span class=mh>0x10</span><span class=p>]</span> <span class=o>=</span> <span class=s>"AAAAA劄"</span><span class=p>;</span>
<span class=kt>char</span> <span class=n>output</span><span class=p>[</span><span class=mh>0x10</span><span class=p>]</span> <span class=o>=</span> <span class=p>{</span><span class=mi>0</span><span class=p>};</span>
<span class=kt>char</span> <span class=o>*</span><span class=n>pinput</span> <span class=o>=</span> <span class=n>input</span><span class=p>;</span>
<span class=kt>char</span> <span class=o>*</span><span class=n>poutput</span> <span class=o>=</span> <span class=n>output</span><span class=p>;</span>
<span class=c1>// Same size for input and output buffer: 8 bytes</span>
<span class=kt>size_t</span> <span class=n>sinput</span> <span class=o>=</span> <span class=n>strlen</span><span class=p>(</span><span class=n>input</span><span class=p>);</span>
<span class=kt>size_t</span> <span class=n>soutput</span> <span class=o>=</span> <span class=n>sinput</span><span class=p>;</span>
<span class=n>iconv</span><span class=p>(</span><span class=n>cd</span><span class=p>,</span> <span class=o>&amp;</span><span class=n>pinput</span><span class=p>,</span> <span class=o>&amp;</span><span class=n>sinput</span><span class=p>,</span> <span class=o>&amp;</span><span class=n>poutput</span><span class=p>,</span> <span class=o>&amp;</span><span class=n>soutput</span><span class=p>);</span>
<span class=n>printf</span><span class=p>(</span><span class=s>"Remaining bytes (should be &gt; 0): %zd</span><span class=se>\n</span><span class=s>"</span><span class=p>,</span> <span class=n>soutput</span><span class=p>);</span>
<span class=n>hexdump</span><span class=p>(</span><span class=n>output</span><span class=p>,</span> <span class=mh>0x10</span><span class=p>);</span>
<span class=p>}</span>
</pre></div>
<p>这会在脆弱的系统上产生以下结果:</p>
<div class=highlight><pre><span></span>$ gcc -o poc ./poc.c <span class=o>&amp;&amp;</span> ./poc
Remaining bytes <span class=o>(</span>should be &gt; <span class=m>0</span><span class=o>)</span>: -1
<span class=m>000000</span>: <span class=m>41</span> <span class=m>41</span> <span class=m>41</span> <span class=m>41</span> <span class=m>41</span> 1b <span class=m>24</span> 2a <span class=m>48</span> <span class=m>00</span> <span class=m>00</span> <span class=m>00</span> <span class=m>00</span> <span class=m>00</span> <span class=m>00</span> <span class=m>00</span> AAAA A.<span class=nv>$*</span> H... ....
</pre></div>
<p>尽管告诉iconv()最多写入8字节但实际上已写入了9字节。<br>
检查提交历史记录时,我注意到这个 bug 很古老:它出现在 2000 年,已经有 24 年的历史了。</p>
<p>现在可以用这个bug做什么</p>
<h2 id=toc-5>条件和原语</h2>
<p>通过这个漏洞我实现了1到3字节的溢出涉及非受控字符。这并不算多。除此之外还存在一些前提条件。我需要找到一个对iconv()的调用,在其中我能:</p>
<ul>
<li>控制输出字符集( ISO-2022-CN-EXT </li>
<li>输入缓冲区的受控部分(用于放入<strong>漂亮的汉字</strong>(<strong>汉语又立大功啊</strong>)</li>
</ul>
<p>以此为出发点,我开始寻找目标。从在我的<code>/lib</code><code>/bin</code>目录中搜索<code>iconv</code>开始,到遍历数百个开源软件项目,我发现了一些有趣的目标。但遗憾的是,这些目标实际上都不可被利用。<br>
例如让我们来看一个非常有前景的目标libxml2。</p>
<h3 id=toc-6>libxml2一片字节之海</h3>
<p>libxml2 仅处理 UTF-8 编码的 XML。如果一个 XML 文档不是 UTF-8 编码,它将被转换为 UTF-8然后进行处理并在一切完成后转回其原始字符集。这些转换是通过使用 <code>iconv()</code> 函数完成的。<br>
因此,我们可以满足这样的文档预设条件:</p>
<div class=highlight><pre><span></span><span class=cp>&lt;?xml version="1.0" encoding="ISO-2022-CN-EXT"?&gt;</span>
<span class=nt>&lt;root&gt;</span><span class=ni>&amp;21124;</span><span class=nt>&lt;/root&gt;</span>
</pre></div>
<p>注意21124 是“札”的 unicode 代码点(codepoint)。</p>
<p>现在请记住缓冲区管理是调用者的责任。当libxml2使用iconv()将我们的文档转换回其原始字符集时,它会分配一个输出缓冲区,该缓冲区的容量是输入缓冲区的四倍(代码)。这对我们来说太大了:我们无法触及缓冲区的边界以实现溢出。这是一个死胡同。</p>
<h3 id=toc-7>pkexec: 4字节太多了</h3>
<p>另一个有趣的目标是pkexec这是一个存在于许多Linux发行版中的setuid二进制文件。该二进制文件允许你通过设置CHARSET环境变量来为它输出的每条消息选择字符集。例如</p>
<div class=highlight><pre><span></span>$ <span class=nv>CHARSET</span><span class=o>=</span>ISO-2022-CN-EXT pkexec <span class=s1>'trigger劄'</span> <span class=m>2</span>&gt;<span class=p>&amp;</span><span class=m>1</span> <span class=p>|</span> hexyl
┌────────┬─────────────────────────┬─────────────────────────┬────────┬────────┐
│00000000│ <span class=m>43</span> <span class=m>61</span> 6e 6e 6f <span class=m>74</span> <span class=m>20</span> <span class=m>72</span><span class=m>75</span> 6e <span class=m>20</span> <span class=m>70</span> <span class=m>72</span> 6f <span class=m>67</span> <span class=m>72</span> │Cannot r┊un progr│
│00000010│ <span class=m>61</span> 6d <span class=m>20</span> <span class=m>74</span> <span class=m>72</span> <span class=m>69</span> <span class=m>67</span> <span class=m>67</span><span class=m>65</span> <span class=m>72</span> 1b <span class=m>24</span> 2a <span class=m>48</span> 1b 4e │am trigg┊er•<span class=nv>$*</span>H•N│
│00000020│ 4c <span class=m>61</span> 0f 3a <span class=m>20</span> 4e 6f <span class=m>20</span><span class=m>73</span> <span class=m>75</span> <span class=m>63</span> <span class=m>68</span> <span class=m>20</span> <span class=m>66</span> <span class=m>69</span> 6c │La•: No ┊such fil│
│00000030│ <span class=m>65</span> <span class=m>20</span> 6f <span class=m>72</span> <span class=m>20</span> <span class=m>64</span> <span class=m>69</span> <span class=m>72</span><span class=m>65</span> <span class=m>63</span> <span class=m>74</span> 6f <span class=m>72</span> <span class=m>79</span> 0a │e or dir┊ectory_ │
└────────┴─────────────────────────┴─────────────────────────┴────────┴────────┘
</pre></div>
<p>在内部, <code>pkexec</code> 使用 <code>GLib</code> 输出其消息。它执行以下操作:</p>
<div class=highlight><pre><span></span><span class=cp>#define NUL_TERMINATOR_LENGTH 4</span>
<span class=n>outbuf_size</span> <span class=o>=</span> <span class=n>len</span> <span class=o>+</span> <span class=n>NUL_TERMINATOR_LENGTH</span><span class=p>;</span>
<span class=n>outbytes_remaining</span> <span class=o>=</span> <span class=n>outbuf_size</span> <span class=o>-</span> <span class=n>NUL_TERMINATOR_LENGTH</span><span class=p>;</span>
<span class=n>outp</span> <span class=o>=</span> <span class=n>dest</span> <span class=o>=</span> <span class=n>g_malloc</span> <span class=p>(</span><span class=n>outbuf_size</span><span class=p>);</span>
<span class=p>...</span>
<span class=n>err</span> <span class=o>=</span> <span class=n>g_iconv</span> <span class=p>(</span><span class=n>converter</span><span class=p>,</span> <span class=nb>NULL</span><span class=p>,</span> <span class=o>&amp;</span><span class=n>inbytes_remaining</span><span class=p>,</span> <span class=o>&amp;</span><span class=n>outp</span><span class=p>,</span> <span class=o>&amp;</span><span class=n>outbytes_remaining</span><span class=p>);</span>
</pre></div>
<p>虽然它分配了一个大小为N + 4字节的缓冲区但它只告诉iconv使用N字节。我们的溢出最多只有3字节长。因此无论我们如何努力都无法超出这个缓冲区的范围。<br>
又是一个死胡同。</p>
<h3 id=toc-8>条件和原语(更新)</h3>
<p>满怀失望,我只能更新我的需求列表。为了利用这个漏洞,我们需要:</p>
<ul>
<li>控制输出字符集( ISO-2022-CN-EXT </li>
<li>控制输入缓冲区的一部分</li>
<li><strong>有一个合适的输出缓冲区</strong></li>
</ul>
<h1>利用 PHP 过滤器</h1>
<p>即便经过数日的搜寻我仍未能找到一个有效的目标。盲目地在库和二进制文件中搜索iconv()调用,遍历开源生态系统,寻找可以触发的漏洞实例,我迫切地渴望找到一次崩溃。就一次崩溃。但徒劳无功。<br>
为了重燃希望我回到了PHP毕竟它曾经在我未曾请求的情况下自行崩溃过。<br>
我的目标很简单:将那些无聊的文件读取漏洞转化为远程代码执行能力。</p>
<h2 id=toc-9>PHP 堆入门</h2>
<p>注意在本节及描述PHP内部结构的每一节中我将会进行一些近似处理并忽略某些细节。<br>
为了理解本节的走向我们需要了解PHP堆的工作原理至少是其一部分。不用担心这是一个非常简单的堆结构。<br>
在PHP中进行内存分配时你使用<code>emalloc(N)</code>函数其中N是你希望分配的字节数。返回的结果是一个指向能够存储至少N字节的内存块即chunk的指针。当你完成对这块内存的使用后通过调用<code>efree(ptr)</code>来释放它。PHP中的内存块有多种大小8, 0x10, 0x18, ... 0x200, 0x280, ...)。<br>
PHP堆由一个2MB大小的区域组成被分割成512个页面每个页面大小为0x1000字节。每个页面上可能包含特定大小的chunks。例如第10页可能包含大小为0x100的chunks第11页包含大小为ox38的chunks第12页包含大小为ox18o的chunks等等。各chunk之间没有元数据信息存在.<br>
当你释放一个块时它会被放置在一个名为空闲列表的单向链表的开头。每种大小的块都有一个对应的空闲列表。例如如果我释放了一个大小为0x38的块它将被放入大小为0x38的块的空闲列表中。如果我释放了一个大小为0x200的块它将被放入大小为0x200的块的空闲列表中...<br>
为了分配N字节的空间PHP会查找对应大小的空闲列表取出头部元素并返回。如果空闲列表是空的即所有可用的块都已被分配, PHP会查看堆元数据以找到未使用的页面。然后在该页面上创建空白块并将其放入空闲列表中。<br>
空闲列表遵循后进先出(LIFO)原则,意味着当我释放某个大小的块时,它会变为该尺寸下free list的头节点. 当进行内存分配操作时,则直接从头部取走所需部分. 这与glibc中的tcache机制非常相似但无限制使用次数.</p>
<table>
<thead><tr>
<th><a id=img0 href=https://xzfile.aliyuncs.com/media/upload/picture/20240528153531-dcbb0c5c-1cc4-1.png><img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAACsQAAAXMCAYAAACcYnslAAEAAElEQVR4nOzdd1yV9f//8ScIIqCgiHujflCcuPfHWblKTc3KTzbVNC1Hu7TMskzNbA9Ty1FqZQxXjtySOXLmzI0DEZCljPP7w5/ny8URPAc4HA4+7rdbt5vv17ne1/U6JpwLzvO83y4mk8kkO4qOjta///6rM2fO6MKFC7py5YpiY2OVmJio1NRU2fnyAAAAcnFxkZubm7y8vOTr66vSpUurfPnyqlKlimrUqCE/Pz9HtwgAAAAAAAAAAAAAAIBccLFHIPbo0aPas2ePDhw4oMjIyLw+PQAAQJ6qUKGC6tWrp8aNG6t27dqObgcAAAAAAAAAAAAAAAA2yrNAbFJSkjZu3Kht27YRggUAAE6rQoUKat26tTp06CBPT09HtwMAAAAAAAAAAAAAAAAr5DoQm5SUpFWrVmnNmjVKSUnJq74AAAAcyt3dXV27dtW9995LMBYAAAAAAAAAAAAAAKCAy1Ugdt26dQoNDVViYmK2x9WsWVNVq1ZVxYoV5e/vr5IlS8rLy0vu7u5ycXHJ6eUBAACsYjKZlJKSosTERMXExCgqKkrnz5/X6dOndfz48Wznenl5qXfv3urcuXM+dQsAAAAAAAAAAAAAAABb5SgQe/bsWS1evFiHDx/O8pgmTZqoYcOGqlu3rooWLZqrJgEAAOzlxo0bOnTokPbu3atdu3ZleVxgYKAGDhyoypUr52N3AAAAAAAAAAAAAAAAsIbNgdhNmzZpwYIFut00Hx8ftW/fXq1bt5a3t3eeNQkAAJAfEhIStG3bNm3atElxcXEWj7u4uOjRRx9V+/btHdAdAAAAAAAAAAAAAAAAsmJTIHbJkiVas2aNRd3NzU333nuvunTpIhcXlzxtEAAAIL+ZTCatXbtWq1atUmpqqsXjXbt21YABAxzQGQAAAAAAAAAAAAAAAG7H6kDs7Nmz9eeff1rUmzRpot69e6tkyZJ53RsAAIBDxcTEKDQ0VLt27bJ4rEWLFnrqqacc0BUAAAAAAAAAAAAAAAAysyoQ++WXX2r37t0W9YEDB6p169Z2aQwAAKCg2LZtmxYvXmxRDw4O1vDhwx3QEQAAAAAAAAAAAAAAADK6YyD2divDli5dWoMHD1b16tXt2RsAAECBcfLkSc2fP19Xrlwx1FkpFgAAAAAAAAAAAAAAwPGyDcQuWbJEa9asMdSqVq2qJ554QiVLlrR3bwAAAAVKTEyM5syZo9OnTxvqXbt21YABAxzUFQAAAAAAAAAAAAAAAFyzemDTpk23DcMOHTqUMCwAALgrlSxZUkOHDlXVqlUN9TVr1mjTpk0O6goAAAAAAAAAAAAAAAC3DcSePXtWCxYsMNRKly6tJ554Qt7e3vnSGAAAQEHk7e2tJ554QqVLlzbUFyxYoLNnzzqoKwAAAAAAAAAAAAAAgLvbbQOxixcvlslkMtQGDx7MyrAAAAC6uVLs4MGDDTWTyaTFixc7qCMAAAAAAAAAAAAAAIC7m0Ugdt26dTp8+LChNnDgQFWvXj2/egIAACjwqlevroEDBxpqhw8f1rp16xzUEQAAAAAAAAAAAAAAwN3LEIhNSkpSaGio4YAmTZqodevW+doUAACAM2jdurWaNGliqIWGhiopKclBHQEAAAAAAAAAAAAAANydDIHYVatWKTEx0Tx2c3NT7969870pAAAAZ9G7d2+5ubmZx4mJiVq1apUDOwIAAAAAAAAAAAAAALj7mAOxSUlJWrNmjeHBe++9VyVLlszvngAAAJxGyZIlde+99xpqa9asYZVYAAAAAAAAAAAAAACAfGQOxG7cuFEpKSnmB3x8fNSlSxeHNAUAAOBMunTpIh8fH/M4JSVFGzdudGBHAAAAAAAAAAAAAAAAdxdzIHbbtm2GB9q3by8XF5d8bwgAAMDZuLi4qH379oZa5nsrAAAAAAAAAAAAAAAA2I+rJB09elSRkZGGB1q3bu2QhgAAAJxR5nunyMhIHT161EHdAAAAAAAAAAAAAAAA3F1cJWnPnj2GYpMmTeTt7e2IfgAAAJySt7e3mjRpYqhlvscCAAAAAAAAAAAAAACAfbhK0oEDBwzFhg0bOqQZAAAAZ5b5HirzPRYAAAAAAAAAAAAAAADswzU6OlqRkZGGYt26dR3UDgAAgPPKfA8VGRmp6OhoB3UDAAAAAAAAAAAAAABw93D9999/DYWaNWuqaNGiDmoHAADAeRUtWlQ1a9Y01DLfawEAAAAAAAAAAAAAACDvuZ45c8ZQqFq1qoNaAQAAcH6Z76Uy32sBAAAAAAAAAAAAAAAg77leuHDBUKhYsaKDWgEAAHB+me+lMt9rAQAAAAAAAAAAAAAAIO+5XrlyxVDw9/d3UCsAAADOL/O9VOZ7LQAAAAAAAAAAAAAAAOQ919jYWEOhZMmSjukEAACgEMh8L5X5XgsAAAAAAAAAAAAAAAB5zzUxMdFQ8PLyclArAAAAzi/zvVTmey0AAAAAAAAAAAAAAADkPdfU1FRDwd3d3UGtAAAAOL/M91KZ77UAAAAAAAAAAAAAAACQ91xNJpOh4OLi4qBWAAAAnF/me6nM91oAAAAAAAAAAAAAAADIe66ObgAAAAAAAAAAAAAAAAAAAADIDQKxAAAAAAAAAAAAAAAAAAAAcGoEYgEAAAAAAAAAAAAAAAAAAODUCMQCAAAAAAAAAAAAAAAAAADAqRGIBQAAAAAAAAAAAAAAAAAAgFMjEAsAAAAAAAAAAAAAAAAAAACnRiAWAAAAAAAAAAAAAAAAAAAATo1ALAAAAAAAAAAAAAAAAAAAAJwagVigkKldu7a8vb3N/82fP9/mczRr1sxwji+//NKqeb/++qthXm7+a9Sokc19Z3Tq1Knbnvfxxx/P1XlvadWq1R2fg7+/vwICAhQcHKyHH35Y77//vjZt2iSTyZQnPQAAAAAAAAAAAAAAAAAAbnJzdAMAcDs1atTI1fyQkJDb1leuXKkbN26oaNGiuTq/NZKSkpSUlKSLFy/qyJEj5p6qVKmixx9/XKNHj5aXl5fd+wAAAAAAAAAAAAAAAACAwo4VYgEUSAEBAbmaHxoaetv6tWvX9Mcff+Tq3Ll15swZvfPOO2ratKnWrl3r0F4AAAAAAAAAAAAAAAAAoDBghVgAdlOkSBENHz48R3O7d++e4+tGRUVp+/bt5nHRokV148YN8zgkJET33HNPjs9/O926dVP79u0NtdTUVEVHRysyMlKbN2/WxYsXDY+fPn1aDz74oObMmaO+ffvmaT8AAAAAAAAAAAAAAAAAcDchEAvAbtzc3DR16tR8v254eLjS0tLM41GjRmnGjBkymUzmx2fNmiVX17xbJLt9+/YaN25ctsdERETozTff1JYtW8y1lJQUPf7446pVq5YaNGiQZ/0AAAAAAAAAAAAAAAAAwN0k79JgAFBAhIaGGsZPPvmkgoODzeNLly4pIiIiv9tSy5YttXr1aj333HOGempqqsaOHZvv/QAAAAAAAAAAAAAAAABAYUEgFkChEh8fr/Xr15vHQUFBql69urp37244LiQkJL9bM3v//ffVrVs3Q23r1q3avXu3gzoCAAAAAAAAAAAAAAAAAOdGIBZAobJ69WolJyebxz169JAki0BsWFhYvvaVkYuLiyZMmGBRX7FihQO6AQAAAAAAAAAAAAAAAADnRyAWQKESGhpqGPfs2VOS1LhxY1WoUMFcP3HihA4cOJCvvWXUpEkTlS9f3lDbvn27g7oBAAAAAAAAAAAAAAAAAOdGIBZAoZGSkqKVK1eax2XKlFGzZs0k3VyV9d577zUcHxISkq/9ZRYYGGgYX7p0yUGdAAAAAAAAAAAAAAAAAIBzIxALoNDYuHGj4uLizOP77rtPrq7/922uR48ehuMzryab30qVKmUYR0VFOagTAAAAAAAAAAAAAAAAAHBuBGIBFBqZV3z
</tr>
</thead>
<tbody>
<tr>
<td>PHP 堆的可视化表示</td>
</tr>
</tbody>
</table>
<p>在上面的例子中我们左边有一个堆的视觉表示。它包含512个页面这里第5页存储大小为0x400的块。如果我们查看这一页的内容可以看到它包含4个块因为4 × 0x400 = 0x1000即一页的大小。这里块#1和#3已被分配而块#2和#4已被释放。因此它们处于大小为0x400的块的空闲列表中。</p>
<p>空闲列表是一个单向链表每个未分配的块在其前8个字节内包含指向下一个空闲块的指针。这就是我们在块#2中看到的一个指向0x7ff10201400 的指针那是大小为0x400 的下一个空闲块地址。现在, 如果我们从 块 #1 溢出到 块 #2, 我们会覆盖掉这个指针. 这对于利用来说是一个好起点: 即使只有一字节溢出, 我们也能改变空闲列表指针, 从而更改空闲列表。</p>
<p>应该注意PHP对每个HTTP请求创建新堆。这是远程PHP利用困难的原因之一 - 但将在第二部分介绍。</p>
<h2 id=toc-10>PHP filters内部结构</h2>
<p>既然我们已经了解了PHP如何分配和释放内存接下来可以探讨一下PHP是如何处理<code>php://filter/</code>字符串的。我们很幸运这里无需深入了解内部PHP结构例如<code>zval</code><code>zend_string</code><code>zend_array</code>等。</p>
<p>为了处理过滤器PHP首先会获取流即读取资源。它将流存储在一系列桶中这些桶是双向链接的结构每个桶包含一定大小的缓冲区。以我们的<code>/etc/passwd</code>示例来说可能会有3个桶第一个可能包含文件的前5个字节第二个桶再增加30个字节第三个桶则再增加1000个字节。它们连接在一起构成了一个bucket传送带系统。</p>
<table>
<thead><tr>
<th><a id=img1 href=https://xzfile.aliyuncs.com/media/upload/picture/20240528154327-f86e502a-1cc5-1.png><img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAACkAAAAIMCAYAAACnw/JkAAEAAElEQVR4nOzdZ3hU5fb38V86CaGGmkAElFAEAakJVbp4gCMgchQRC0qxIKgIFsQuKh5EUAGPoIIHgYMFJXSlCoKCFAHpvRlaSEibeV7wZP6zp2UmmWQmyfdzXXNl9j179l5DyExW9rrXHWA2m80CAAAAAAAAAAAAAAAAAAAoRAJ9HQAAAAAAAAAAAAAAAAAAAICnKIAEAAAAAAAAAAAAAAAAAACFDgWQAAAAAAAAAAAAAAAAAACg0KEAEgAAAAAAAAAAAAAAAAAAFDoUQAIAAAAAAAAAAAAAAAAAgEIn2NcBAAAAAAAAAAAAAABQmJnNZl+HAADIhYCAAF+HACCP6AAJAAAAAAAAAAAAAAAAAAAKHTpAAgAAAAAAAAAAAADgQG47O9IREgD8k23HR3ffr+kUCfgvOkACAAAAAAAAAAAAAOAlFD8CgP/iPRooeugACSBH/AIAAPmDmWIAAMDbyN8AIH+QvwEAUPTllE95km+RmwFA0ZGdDzp7bydfBHyPAkgAAAAAAAAAAAAAAJxwVvRiO+7NIkoAQN45K07Mfj+2fdzR/mazmSJHwM9RAAkUYSRRAODfvPU+TdIFAEDhR/4GAP6N/A0AgKIjN0WK3iiAJO8DgIKXn8WLdIYE/AcFkAAAAAAAAAAAAACAYs9ZQaOrQkd3iyApgAQA33BWiBgQEGB4b7bedvWcbHSGBPwHBZBAIeZuokRCBQBFU04zy2z3AwAAvkP+BgDFG/kbAAAFzxudHh0VQNqOuVs06U5MAADvcpRjZY85W/46uxAyt/kZnSGBgkcBJFDE5Sa5y8t+AAD3uJvcuNqPmWUAABQt5G8A4J/I3wAAKHo8KV50VvBoNptzdRxnsQAA8sadro3uFD/a7mNdEOlOh0jyP6DgUQAJFAJ5uQjGBTQAKL6YYQYAQMEjfwMA5Ab5GwAAeedJgaGnhY7ZX1NSUnTmzBmdO3dOSUlJunDhgi5fvqyrV68qJSVF165dU1pamrKysmQymbz34gAAFoGBgQoKClJoaKhKlCihiIgIRUREqHTp0ipbtqzKlSunqKgoVapUSeHh4ZbnOSpstH7MWfFjTgWRnk6as/1cIt8D8i7AzF/FAb/nyQWynLbd3cfTOAAA7stt9xBXbfo9eY6ncQAAAPeRvwFA0UL+BgBA4eFOAaQn3RxTUlJ08OBBHT16VMePH9eJEyd08eLF/AofAJAPypQpoypVqigmJkYxMTG64YYbFB4eblfgaFvo6OhxR4+5GrP+anvfGvkekHcUQAJ+KDcz1NzZzs3FNlfjAIC8cTfRcbWdmwtoJFgAAHgP+RsAFA/kbwAA+C9PJpc5K3zMvu3Zs0d79+7V/v37dezYsXyOHADgC9HR0apZs6Zq1aqluLg4p0WOrm7Z+zna3/Yx66/WPJkUB8A1CiABP+TJhTJ3xnPaN6fHnMUEAMg9b1wkc7SPO/s62nY2BgAAXCN/A4Cij/wNAAD/5k7+5KzTY0ZGhrZv364dO3Zo165dSk9PL6CoAQD+ICQkRHFxcapXr57q16+v4OBgl4WPgYGBbhVLWj+Wfd/6q+19R9sA3EcBJOBDOf34uXOBy922/e4+J6fzAQC8w90LaK4uknnSTt+TC3Q5xQoAQHFE/gYAxRf5GwAA/iW3S11b3/78809t3bpV27ZtU0ZGhtvnDgwMVOXKlVWxYkVVqFBB5cqVU5kyZVSqVClFREQoPDxcoaGhCgkJUWBgYB5eJQDAGZPJpIyMDKWnpys1NVUpKSm6cuWKLl26pAsXLuj8+fM6d+6czpw5I5PJ5PZxg4ODVa9ePTVs2FA33XSTpdjRuujR+r6rMcm9zpC2962R3wHuowAS8CFXP36uLnplb7uatZaSkqIzZ87o3LlzSkpK0oULF3T58mVdvXpVKSkpunbtmtLS0pSVleXRhz4AwH2BgYEKCgpSaGioSpQooYiICEVERKhUqVIqV66cypUrp6ioKFWsWFERERGW57lzgczTx3K6QOcqiSLBAgCA/A0AijryNwAACo/cLnGdkpKi9evXa9OmTTp79qxb54qJiVGNGjUUGxuratWqKTo62kuvAgBQEE6ePKnjx4/r6NGjOnz4sE6cOOHW86KionTLLbeoadOmCg8PNxRDOiqIdFQEmVN3SEdfrZHfAe6jABIoQO7MSLMdc9b1w/Zi2aFDh3TkyBEdP35cJ06c0MWLF70cPQAgP5UpU0ZVqlRRTEyMYmJidMMNNyg8PNzlBTFPZpHZXkTLS2JFwgUAKA7I3wAAzpC/AQDgG7lZ6tpsNuvMmTNau3at1q1bl+OksnLlyqlu3bqqU6eObrrpJpUsWdLLrwIA4EtXr17V/v37tXfvXu3Zs0cXLlxwuX9AQIBuvfVWNWvWTBUqVDAUQNoWRXpaDJl9fOuvtvcdbQOwRwEkUIBy25I/+6v1/T///FN79+7V/v37dezYsfwMGwDgI9HR0apZs6Zq1aqluLg4SfYXytxJnJyNZd939NX2vjUSLQBAcUD+BgDwBPkbAAD5z9Nu+6dOndKqVav0yy+/uDxuVFSUGjVqpIYNG6pGjRreDxwA4LcOHz6sHTt2aPv27fr7779d7tuwYUO1aNFClSpVsit+DAoKyrFLpPV9yfNVAQA4RwEkUABczUizHXN2wSwjI0Pbt2/Xjh07tGvXLqWnp+dz1AAAfxISEqK4uDjVrVtX9evXV3BwsNszyKz3k+w7iuQ00ywbCRcAoDggfwMA5BX5GwAA3uEqH7Petr1duHBBy5cv17p161wev3nz5mratKnq1Knj1bgBAIXT3r17tXXrVv36668u92vUqJFatWqlsmXL2hVA2t4cdYp0NgnO3eJH8jvAHgWQQAHITUv+7Pu7d+/W1q1btW3bNmVkZLh9zsDAQFWuXFkVK1ZUhQoVVK5cOZUpU0alSpVSRESEwsPDFRoaqpCQEAUGBub1JQIAHDCZTMrIyFB6erpSU1OVkpKiK1eu6NKlS7pw4YLOnz+vc+fO6cyZMzkuvWItODhY9erVU8OGDXXTTTe5bKnvbrt9KecLaVxAAwAUB+RvAFA8kb8BAOB/3M3PrG9LlizR0qVLnX5eR0VFKT4+Xq1atWJ5awCAQ1evXtUvv/yijRs3Ou0KGRAQoFatWikhIcGuADL7vqOukLb5nqP8L/v41ueyPTcAIwoggXyQ26XSsm8pKSnasGGDNm3apDNnzrh1zpiYGNWoUUOxsbGqVq2aoqOj8/gqAAAF6eTJkzp+/LiOHj2qw4cP68SJE249LyoqSrfccouaNm2q8PBwh7PJnLXXd9Zq39MLaTmNAwDgz8jfAACeIn8DACB/5abwcfv27Vq8eLHTvCwmJkbt2rVTixYt8i9wAECRs3nzZq1Zs8Zp3leuXDklJCQoLi7OUPiYfXPUHdLdCXAShZCAuyiABPKBu0ukZX/Nvp05c0Zr167VunXrcpxJXq5cOdWtW1d16tTRTTfdxCw1AChirl69qv3792vv3r3as2ePLly44HL/gIAA3XrrrWrWrJkqVKjgsJ2+p4mVqwtptNwHABQV5G8AgLwifwMAwLucLXNt/Vj22JUrV7Ro0SKny5VWrVpVHTt2VLNmzfI3aABAkbZlyxatWrVKp06dcvh4XFyc2rVrp8jISEMBpKtCSEd5n6v8jgJIwDkKIAEvys1SaWazWadOndLq1av1yy+/uDx+VFSUGjVqpIYNG6pGjRreDR4A4NcOHz6sHTt2aPv27U7b7Wdr2LChWrRooYoVKzpMpHIzy4yl1QAARQ35GwAgv5C/AQCQOznlaba3rVu3auHChUpOTrY7VmRkpLp166Y2bdrke9wAgOJj3bp1Wrp0qcPPnvDwcLVp00Z16tRRcHCww0JIV8WQ7kx4k8jrAEcogAS8yFli5mxm2oULF7R
</tr>
</thead>
<tbody>
<tr>
<td>一个包含/etc/passwd的3桶接力队列</td>
</tr>
</tbody>
</table>
<p>这是一种将流表示为不同大小缓冲区集合的标准方法。你可以想象这就像一个网络接收到的数据包列表。第一个数据包包含前N字节的数据第二个数据包包含接下来的M字节以此类推。<br>
既然PHP已经将资源的内容读入到一个由“桶队”bucket brigade表示的流中它就可以在其上应用过滤器了。它取第一个过滤器并对第一个“桶”进行处理。为此它会分配一个与“桶”缓冲区大小相同的输出缓冲区在我们的例子中是5字节并进行转换。例如如果过滤器是<code>string.upper</code>,它会将输入缓冲区中的每个小写字符转换为其在输出缓冲区中的大写等价物。然后它可以创建一个新的指向这个缓冲区的“桶”。</p>
<table>
<thead><tr>
<th><a id=img2 href=https://xzfile.aliyuncs.com/media/upload/picture/20240528154758-99f41f6a-1cc6-1.png><img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAACkAAAAUoCAYAAAD+WYvKAAEAAElEQVR4nOzdZ3hU5fb38V86CaGGmkAElFAEAakJVbp4gCMgchQRC0qxIKgIFsQuKh5EUAGPoIIHgYMFJXSlCoKCFAHpvRlaSEibeV7wZP6zp2UmmWQmyfdzXXNl9j179l5DyExW9rrXHWA2m80CAAAAAAAAAAAAAAAAAAAoRAJ9HQAAAAAAAAAAAAAAAAAAAICnKIAEAAAAAAAAAAAAAAAAAACFDgWQAAAAAAAAAAAAAAAAAACg0KEAEgAAAAAAAAAAAAAAAAAAFDoUQAIAAAAAAAAAAAAAAAAAgEIn2NcBAAAAAAAAAAAAAABQmJnNZl+HAADIhYCAAF+HACCP6AAJAAAAAAAAAAAAAAAAAAAKHTpAAgAAAAAAAAAAAADgQG47O9IREgD8k23HR3ffr+kUCfgvOkACAAAAAAAAAAAAAOAlFD8CgP/iPRooeugACSBH/AIAAPmDmWIAAMDbyN8AIH+QvwEAUPTllE95km+RmwFA0ZGdDzp7bydfBHyPAkgAAAAAAAAAAAAAAJxwVvRiO+7NIkoAQN45K07Mfj+2fdzR/mazmSJHwM9RAAkUYSRRAODfvPU+TdIFAEDhR/4GAP6N/A0AgKIjN0WK3iiAJO8DgIKXn8WLdIYE/AcFkAAAAAAAAAAAAACAYs9ZQaOrQkd3iyApgAQA33BWiBgQEGB4b7bedvWcbHSGBPwHBZBAIeZuokRCBQBFU04zy2z3AwAAvkP+BgDFG/kbAAAFzxudHh0VQNqOuVs06U5MAADvcpRjZY85W/46uxAyt/kZnSGBgkcBJFDE5Sa5y8t+AAD3uJvcuNqPmWUAABQt5G8A4J/I3wAAKHo8KV50VvBoNptzdRxnsQAA8sadro3uFD/a7mNdEOlOh0jyP6DgUQAJFAJ5uQjGBTQAKL6YYQYAQMEjfwMA5Ab5GwAAeedJgaGnhY7ZX1NSUnTmzBmdO3dOSUlJunDhgi5fvqyrV68qJSVF165dU1pamrKysmQymbz34gAAFoGBgQoKClJoaKhKlCihiIgIRUREqHTp0ipbtqzKlSunqKgoVapUSeHh4ZbnOSpstH7MWfFjTgWRnk6as/1cIt8D8i7AzF/FAb/nyQWynLbd3cfTOAAA7stt9xBXbfo9eY6ncQAAAPeRvwFA0UL+BgBA4eFOAaQn3RxTUlJ08OBBHT16VMePH9eJEyd08eLF/AofAJAPypQpoypVqigmJkYxMTG64YYbFB4eblfgaFvo6OhxR4+5GrP+anvfGvkekHcUQAJ+KDcz1NzZzs3FNlfjAIC8cTfRcbWdmwtoJFgAAHgP+RsAFA/kbwAA+C9PJpc5K3zMvu3Zs0d79+7V/v37dezYsXyOHADgC9HR0apZs6Zq1aqluLg4p0WOrm7Z+zna3/Yx66/WPJkUB8A1CiABP+TJhTJ3xnPaN6fHnMUEAMg9b1wkc7SPO/s62nY2BgAAXCN/A4Cij/wNAAD/5k7+5KzTY0ZGhrZv364dO3Zo165dSk9PL6CoAQD+ICQkRHFxcapXr57q16+v4OBgl4WPgYGBbhVLWj+Wfd/6q+19R9sA3EcBJOBDOf34uXOBy922/e4+J6fzAQC8w90LaK4uknnSTt+TC3Q5xQoAQHFE/gYAxRf5GwAA/iW3S11b3/78809t3bpV27ZtU0ZGhtvnDgwMVOXKlVWxYkVVqFBB5cqVU5kyZVSqVClFREQoPDxcoaGhCgkJUWBgYB5eJQDAGZPJpIyMDKWnpys1NVUpKSm6cuWKLl26pAsXLuj8+fM6d+6czpw5I5PJ5PZxg4ODVa9ePTVs2FA33XSTpdjRuujR+r6rMcm9zpC2962R3wHuowAS8CFXP36uLnplb7uatZaSkqIzZ87o3LlzSkpK0oULF3T58mVdvXpVKSkpunbtmtLS0pSVleXRhz4AwH2BgYEKCgpSaGioSpQooYiICEVERKhUqVIqV66cypUrp6ioKFWsWFERERGW57lzgczTx3K6QOcqiSLBAgCA/A0AijryNwAACo/cLnGdkpKi9evXa9OmTTp79qxb54qJiVGNGjUUGxuratWqKTo62kuvAgBQEE6ePKnjx4/r6NGjOnz4sE6cOOHW86KionTLLbeoadOmCg8PNxRDOiqIdFQEmVN3SEdfrZHfAe6jABIoQO7MSLMdc9b1w/Zi2aFDh3TkyBEdP35cJ06c0MWLF70cPQAgP5UpU0ZVqlRRTEyMYmJidMMNNyg8PNzlBTFPZpHZXkTLS2JFwgUAKA7I3wAAzpC/AQDgG7lZ6tpsNuvMmTNau3at1q1bl+OksnLlyqlu3bqqU6eObrrpJpUsWdLLrwIA4EtXr17V/v37tXfvXu3Zs0cXLlxwuX9AQIBuvfVWNWvWTBUqVDAUQNoWRXpaDJl9fOuvtvcdbQOwRwEkUIBy25I/+6v1/T///FN79+7V/v37dezYsfwMGwDgI9HR0apZs6Zq1aqluLg4SfYXytxJnJyNZd939NX2vjUSLQBAcUD+BgDwBPkbAAD5z9Nu+6dOndKqVav0yy+/uDxuVFSUGjVqpIYNG6pGjRreDxwA4LcOHz6sHTt2aPv27fr7779d7tuwYUO1aNFClSpVsit+DAoKyrFLpPV9yfNVAQA4RwEkUABczUizHXN2wSwjI0Pbt2/Xjh07tGvXLqWnp+dz1AAAfxISEqK4uDjVrVtX9evXV3BwsNszyKz3k+w7iuQ00ywbCRcAoDggfwMA5BX5GwAA3uEqH7Petr1duHBBy5cv17p161wev3nz5mratKnq1Knj1bgBAIXT3r17tXXrVv36668u92vUqJFatWqlsmXL2hVA2t4cdYp0NgnO3eJH8jvAHgWQQAHITUv+7Pu7d+/W1q1btW3bNmVkZLh9zsDAQFWuXFkVK1ZUhQoVVK5cOZUpU0alSpVSRESEwsPDFRoaqpCQEAUGBub1JQIAHDCZTMrIyFB6erpSU1OVkpKiK1eu6NKlS7pw4YLOnz+vc+fO6cyZMzkuvWItODhY9erVU8OGDXXTTTe5bKnvbrt9KecLaVxAAwAUB+RvAFA8kb8BAOB/3M3PrG9LlizR0qVLnX5eR0VFKT4+Xq1atWJ5awCAQ1evXtUvv/yijRs3Ou0KGRAQoFatWikhIcGuADL7vqOukLb5nqP8L/v41ueyPTcAIwoggXyQ26XSsm8pKSnasGGDNm3apDNnzrh1zpiYGNWoUUOxsbGqVq2aoqOj8/gqAAAF6eTJkzp+/LiOHj2qw4cP68SJE249LyoqSrfccouaNm2q8PBwh7PJnLXXd9Zq39MLaTmNAwDgz8jfAACeIn8DACB/5abwcfv27Vq8eLHTvCwmJkbt2rVTixYt8i9wAECRs3nzZq1Zs8Zp3leuXDklJCQoLi7OUPiYfXPUHdLdCXAShZCAuyiABPKBu0ukZX/Nvp05c0Zr167VunXrcpxJXq5cOdWtW1d16tTRTTfdxCw1AChirl69qv3792vv3r3as2ePLly44HL/gIAA3XrrrWrWrJkqVKjgsJ2+p4mVqwtptNwHABQV5G8AgLwifwMAwLucLXNt/Vj22JUrV7Ro0SKny5VWrVpVHTt2VLNmzfI3aABAkbZlyxatWrVKp06dcvh4XFyc2rVrp8jISEMBpKtCSEd5n6v8jgJIwDkKIAEvys1SaWazWadOndLq1av1yy+/uDx+VFSUGjVqpIYNG6pGjRreDR4A4NcOHz6sHTt2aPv27U7b7Wdr2LChWrRooYoVKzpMpHIzy4yl1QAARQ35GwAgv5C/AQCQOznlaba3rVu3auHChUpOTrY7VmRkpLp166Y2bdrke9wAgOJj3bp1Wrp0qcPPnvDwcLVp00Z16tRRcHCww0JIV8WQ7kx4k8jrAEcogAS8yFli5mxm2oULF7R
</tr>
</thead>
<tbody>
<tr>
<td>将 string.upper 应用于 Bucket Brigade</td>
</tr>
</tbody>
</table>
<p>随后,它处理第二个桶,接着是第三个桶,以此类推直至到达最后一个桶。现在,每个输出桶都形成了一个新的传送带序列。接下来,它可以在这个序列上应用第二个过滤器,并持续进行直到处理完最后一个过滤器。</p>
<h2 id=toc-11>情况和目标</h2>
<p>我们已经完成了定义。让我们回到最初的漏洞:文件读取。</p>
<div class=highlight><pre><span></span><span class=nb>echo</span> file_get_contents<span class=o>(</span><span class=nv>$_GET</span><span class=o>[</span><span class=s1>'file'</span><span class=o>])</span><span class=p>;</span>
</pre></div>
<p>既然我们可以利用<code>convert.iconv.XXX.ISO-2022-CN-EXT</code>过滤器触发内存损坏,我们的目标是实现远程代码执行。而且,这看起来并不难于利用。</p>
<p>首先由于我们拥有文件读取的基本能力我们可以读取二进制文件如PHP、Apache等。我们甚至可以下载libc库来检查其是否已打补丁对于ASLR和PIE我们也无需担忧我们可以读取<code>/proc/self/maps</code>。最后,感觉上我们几乎可以任意分配或释放缓冲区使用桶机制,这一点非常便利。</p>
<p>另一方面你可以在多种情境下获得文件读取的能力可能在运行在PHP 7.0上的Symfony 4.x中得到它或在某个鲜为人知的Wordpress插件中运行在PHP 8.3上;甚至在黑盒评估期间也可能获取到这种能力。理想的漏洞利用需要具备韧性:它必须在大多数目标上都能工作,无需任何调整即可奏效。</p>
<h2 id=toc-12>利用</h2>
<p>考虑到这些因素我们开始进行利用。其思路是利用单字节缓冲区溢出来修改指向空闲块的指针的最低有效位LSB以便获得对某些空闲列表的控制权。</p>
<h3 id=toc-13>Single bucket</h3>
<p>我们面临的首个问题是尽管拥有bucket队列技术PHP却仅创建一个bucket。无论是读取文件还是请求HTTP URL亦或是使用<code>ftp://</code>协议PHP都只生成包含整个响应内容的一个bucket。这至少可以说是非常不切实际的我们无法利用这些单一的bucket来填充堆、喷射数据或操作修改后的空闲列表。</p>
<p>试想一下借助单个bucket我们可以溢出到一个空闲块并修改空闲列表但随后我们就用完了所有的bucket而要利用已修改的空闲列表进行操作至少还需要再分配两个以上的新资源</p>
<p>幸运的是,有一种过滤器为我们带来了转机:<code>zlib.inflate</code>。该过滤器接收我们的流并对其进行解压缩处理。为此目的它会分配一个大小为8页0x8000字节的缓冲区并将流膨胀至其中。如果这个缓冲区不足以容纳全部数据时, 它将再创建一个相同大小的新的缓存区域以存储剩余部分;若前两者仍不够用, 则继续增加更多此类型的内存空间.每次扩充出来的每个区块都会被加入到各自的bucket当中去。完美:通过此滤镜功能就可以随心所欲地产生所需数量的各种不同规格型号的bucket设备了——这是一个重大进步。</p>
<table>
<thead><tr>
<th><a id=img3 href=https://xzfile.aliyuncs.com/media/upload/picture/20240528155909-29e4beb2-1cc8-1.png><img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAADbAAAAUgCAYAAAArfZC9AAEAAElEQVR4nOzdd3iTZf/+8TPpooMNZZdSRpkCyh6C8LAFZAiIPICAGwcqIsMHB+LAhQioiIIDByBDposhQ0bZgpS9N2V2N/n94a/59k460jZpOt6v48jRXNd93ff1aZs2OWhOPiar1WoVAAAAAAAAAAAAAAAAAAAAAAAAAAAuZvZ0AQAAAAAAAAAAAAAAAAAAAAAAAACA/IkAGwAAAAAAAAAAAAAAAAAAAAAAAADALQiwAQAAAAAAAAAAAAAAAAAAAAAAAADcggAbAAAAAAAAAAAAAAAAAAAAAAAAAMAtCLABAAAAAAAAAAAAAAAAAAAAAAAAANyCABsAAAAAAAAAAAAAAAAAAAAAAAAAwC0IsAEAAAAAAAAAAAAAAAAAAAAAAAAA3IIAGwAAAAAAAAAAAAAAAAAAAAAAAADALQiwAQAAAAAAAAAAAAAAAAAAAAAAAADcwtvTBQAAAAAAAAAAgPzDarV6ugQAgBuYTCZPlwAAAAAAAAAAAPIoOrABAAAAAAAAAACXILwGAPkXv+MBAAAAAAAAAEBW0YENAAAAAAAAAAA4jQADABRc6T0H0KENAAAAAAAAAACkhQAbAAAAAAAAAABwiivCawTgACB3ym4AzWq1EmIDAAAAAAAAAACpMln5SzEAAAAAAAAAALCT3T8f8OcHAMgfshtKI9QGAAAAAAAAAAAIsAEAAAAAAAAAAIPM/unA3esBAO6V2ZCZu9cDAAAAAAAAAID8hQAbAAAAAAAAAABweQgtM9fjTxUAkLMyEyjLaC1hNgAAAAAAAAAAkBECbAAAAAAAAAAAFHDO/KkgvTXR0dE6f/68Ll68qKtXr+rq1au6fv26bt26pdu3bys2NlZxcXFKTEyUxWJxZekAgP/PbDbL29tbfn5+KlSokAIDAxUUFKQiRYqoRIkSKlGihEqXLq2yZcsqICAgw+ulFzTL6rHMrAEAAAAAAAAAAPkHATYAAAAAAAAAAAqQ7HZai46O1pEjR3TixAmdPHlSp0+fVlRUlCtLBAC4WbFixVSxYkVVqlRJlStXVlhYmEOoLbWQmbNz6c2nhVAbAAAAAAAAAAD5FwE2AAAAAAAAAAAKkKx0W/v777918OBBHTx4UCdPnnRXaQAADwoJCVH16tUVHh6uWrVqSXIMlWU0zsxcVtYAAAAAAAAAAIC8iQAbAAAAAAAAAAD5mLN/Bki5LjExUbt27dKuXbu0d+9excfHu6s8AEAu5Ovrq7p16+qOO+5Q/fr15e3tLSlzgbbsdmYj0AYAAAAAAAAAQP5BgA0AAAAAAAAAgHwsoz8DpDy+f/9+bd26VTt27FBCQoLTe5jNZpUpU0alS5dWqVKlVLx4cRUtWlSFCxdWQECA/P395evrKx8fH5nN5ix/LgCAtFksFiUkJCg+Pl4xMTGKjo7WzZs3df36dUVFReny5cu6dOmSLly4IIvF4vR1fXx81KBBAzVq1Ei1atVKN6SWPM5qp7bMHAcAAAAAAAAAAHkHATYAAAAAAAAAAPIhZ4Nr0dHR2rBhgzZv3qzz5887de0KFSooNDRUISEhqlixosqXL5/tegEAOefs2bM6ffq0Tp48qePHj+vMmTNOnVemTBk1bdpULVq0UEBAgKTUu66lFXIjyAYAAAAAAAAAQMFEgA0AAAAAAAAAgHwmvX/6Tz524cIFrVu3TuvWrcuwE0/x4sVVs2ZNhYeHq1q1agoMDHRpvQAAz7p9+7YOHz6sgwcP6p9//lFUVFS6681ms1q1aqXWrVsrODg43eCas2G29IJqhNgAAAAAAAAAAMjbCLABAAAAAAAAAJAPONtx7dy5c/rtt9+0adOmdNeXLFlS9evXV7169RQaGuqqMgEAecDx48e1d+9e7d69W1euXEl3bdOmTdWuXTuVLVtWkmNwzZVBNmeOAwAAAAAAAACA3IcAGwAAAAAAAAAA+UBGXdeioqK0atUqrV+/Pt3rNG7cWHfddZfCw8NdXSIAIA86ePCgIiIitG3btnTXtWzZUh06dFCxYsVSDa9lpztbSgTYAAAAAAAAAADIewiwAQAAAAAAAACQh2UUXJOkFStWaPny5bJYLKmuK1mypJo3b65mzZopMDDQLXUCAPK227dv66+//tLmzZvT7MpmNpvVqVMndezYMdXwmv39ZKnNpTZ29hgAAAAAAAAAAMhdCLABAAAAAAAAAJBHZRRe27Vrl5YsWaLz58+nuqZChQq6++671aRJE3eVCADIh7Zu3ar169frzJkzqR4PDg5Wt27ddMcddzgdZKMbGwAAAAAAAAAA+RcBNgAAAAAAAAAA8pCM/lnfarXq5s2bWrhwobZs2ZLqmnLlyqldu3Zq1KiRO0oEABQQ27dv1x9//KFz586lerxRo0bq0aOHChcuLOn/gmuuDrI5cxwAAAAAAAAAAHgOATYAAAAAAAAAAPKQjLqubd++XT/++KNu3rzpcDwoKEidOnVSq1at3FkiAKCA2bBhg1avXq1bt245HAsKCtJ9992nO++80yG45kyQjW5sAAAAAAAAAADkfQTYAAAAAAAAAADIAzIKrknSd999p/Xr16e6pm3bturcubP8/PzcUh8AoGCLi4vTqlWrtHbt2lSPt2jRQn369Ek1uJZWmC15nPKj/X17BNkAAAAAAAAAAMh9CLABAAAAAAAAAJAHpPXP+VarVadOndK3336rEydOOBwPCwtT9+7dFRoa6uYKAQCQjh8/rp9//llHjx51OFaxYkXdf//9qlixYprBtex2YyPABgAAAAAAAABA7kOADQAAAAAAAACAXCy94JokbdmyRV999ZUsFovDmq5du6pDhw5urQ8AgNT8+uuvWrFihcO82WxWv3791KhRI4fQWnoBttRCbKmNM5oHAAAAAAAAAAA5jwAbAAAAAAAAAAC5WHoBtmXLlmn58uUOxypUqKC+ffvSdQ0A4FHHjx/XggULdObMGYdjHTp0UMeOHdMNsaXWoS1ZWoE2++MAAAAAAAAAAMDzCLABAAAAAAAAAJALZdR57euvv9amTZscjjdv3lz9+vVza20AAGTGjz/+qM2bNzvMN27cWPfff79MJpPMZrPTAbbUwmsE2QAAAAAAAAAAyL0IsAEAAAAAAAAAkAul9s/3VqtViYmJ+vTTT7Vv3z6H43369FGrVq1yojwAADJlw4YNWrhwocN8zZo1NXjwYPn4+DjVjS2zITYCbAAAAAAAAAAAeB4BNgAAAAAAAAAAcpH0Oq9FR0dr5syZOnz4sOFYUFCQBg0apPDw8JwoEQCALDl48KC++eYb3bp1yzBfpUoVDRkyRAEBARl2Y0uvI5v9/ZQIsgEAAAAAAAAA4DkE2AAAAAAAAAAAyEXS6rx28+ZNzZgxQ8ePHzccq1ChggYPHqzg4OAcqhAAgKy7ePGivvrqK505c8YwX6lSJQ0ZMkSFCxc2BNjSCrNJxhBb8jjlx5QIsAEAAAAAAAAA4DkE2AAAAAAAAAAAyAUy6rz28ccf69ixY4ZjNWrU0NChQ+Xv758TJQIA4BIxMTGaM2eOIiMjDfOVKlXSsGHD0uzElnIsOXZhoxMbAAAAAAAAAAC5EwE2AAAAAAAAAABygbQ6ryUmJmrq1Kk6fPiw4VjdunU1fPjwnCoPAACXmz17tvbt22eYCw0N1fDhw+Xj42MLrKXVhS21jmypfUyJABsAAAAAAAAAADnP7OkCAAAAAAAAAAAoyKxWa5rhNUn69NNPHcJrd9xxB+E1AECeN3z4cN1xxx2GuePHj+ubb76RxWJxuCU/Z6Z2kxzD4Gk9v/J/vAIAAAAAAAAAkLMIsAEAAAAAAAAAkMskv7H+66+/duhMU7duXT300EOeKAsAAJd76KGHVLduXcPcwYMHtXDhQofwWkZBNkkZhtoAAAAAAAAAAEDOI8AGAAAAAAAAAIA
</tr>
</thead>
<tbody>
<tr>
<td>应用 zlib.inflate 创建多个bucket</td>
</tr>
</tbody>
</table>
<p>然而这些存储bucket的缓冲区大小为0x8000这个大小并不利于利用这种大小的缓冲区分配方式与我之前所述的不同并且在释放后不会进入空闲列表。我们需要调整我们的存储bucket大小。</p>
<h3 id=toc-14>正确分块</h3>
<p>为了实现这一目标我们将使用一个未被PHP文档记录但广受攻击者熟知的方法<code>dechunk</code>。该过滤器用于解码经过HTTP-chunked编码的字符串。</p>
<p>HTTP-chunked是一种非常简单的编码方式它通过数据块非堆内存块发送数据。首先你发送一个以ASCII十六进制表示的大小紧接着是一个换行符然后是相应大小的数据块再接一个换行符。接着你发送另一个大小、另一个数据块、再一个大小、又一个数据块并通过发送大小为0来指示数据的结束。</p>
<table>
<thead><tr>
<th><a id=img4 href=https://xzfile.aliyuncs.com/media/upload/picture/20240528160124-7a2dab54-1cc8-1.png><img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAA+wAAAMkCAYAAAAiYqpRAADkjklEQVR4nOzdd3gU5d7G8XvTe+hVpIN0kK50BKWIVBEQbKgH1NcCHI/t4DlWrNgLKio2RCz0XqRIb9J7CR0S0ttm5/2DEyVkd5NNdrOT7PdzXXspOzPP/Haz7Z555nkskgwBAAAAAABT8fN2AQAAAAAAIDcCOwAAAAAAJkRgBwAAAADAhAKuvsMwuKQdAAAAAICiZrFYcvybM+wAAAAAAJgQgR0AAAAAABMisAMAAAAAYEIEdgAAAAAATIjADgAAAACACRHYAQAAAAAwIQI7AAAAAAAmRGAHAAAAAMCECOwAAAAAAJgQgR0AAAAAABMisAMAAAAAYEIEdgAAAAAATIjADgAAAACACRHYAQAAAAAwIQI7AAAAAAAmRGAHAAAAAMCECOwAAAAAAJgQgR0AAAAAABMisAMAAAAAYEIEdgAAAAAATIjADgAAAACACRHYAQAAAAAwIQI7AAAAAAAmRGAHAAAAAMCECOwAAAAAAJgQgR0AAAAAABMisAMAAAAAYEIEdgAAAAAATIjADgAAAACACRHYAQAAAAAwIQI7AAAAAAAmRGAHAAAAAMCECOwAAAAAAJgQgR0AAAAAABMisAMAAAAAYEIEdgAAAAAATIjADgAAAACACRHYAQAAAAAwIQI7AAAAAAAmRGAHAAAAAMCECOwAAAAAAJgQgR0AAAAAABMisAMAAAAAYEIEdgAAAAAATIjADgAAAACACRHYAQAAAAAwIQI7AAAAAAAmRGAHAAAAAMCECOwAAAAAAJgQgR0AAAAAABMisAMAAAAAYEIEdgAAAAAATIjADgAAAACACRHYAQAAAAAwIQI7AAAAAAAmRGAHAAAAAMCECOwAAAAAAJgQgR0AAAAAABMisAMAAAAAYEIEdgAAAAAATIjADgAAAACACRHYAQAAAAAwIQI7AAAAAAAmRGAHAAAAAMCECOwAAAAAAJgQgR0AAAAAABMisAMAAAAAYEIEdgAAAAAATIjADgAAAACACRHYAQAAAAAwIQI7AAAAAAAmRGAHAAAAAMCECOwAAAAAAJhQgLcLQPFgs0l7t2Xo5LEsZaQbLm8fGChVvjZADVsEyZ9XHQAAAADkieiEPKUkGZr6dqJOHbMWuq0KVfx1z+ORiipN5w4AAAAAcIbUhDzN/i7ZLWFdks6dytIvXye7pS0AAAAAKMk4w+4Cq1U6cciqMzFWXTxn06WLNqWnGcpIMySLFBRsUXCIRdFl/FS2vJ8qVvVXtdoBCgq2eLv0ArNapV1bMtza5oGdmUpNMRQaVnyfFwAAAADwNAJ7HjLSDe3anKFt6zJ09IBV1kzXrt/295euqRmgZm2D1aR1kMIiildITU6wKeuKk+utOwWr99Awl9uZNz1FG39PlyQZhpQQZ1NomL+7ygQAAACAEofA7kBaqqE1i9K0Zkma0lNdH2QtW1aWdOygVccOWjVverJadQxR594hxeYabpst57/9/S0F6jHg759zm6vbBQAAAADkRGC348+NGZr1bbJSkgoe1O2xWqV1y9O0eU26egwI1Q03hchSvE64AwAAAACKCIH9CllZ0q9fJWvL2nSP7iczw9C86Sna/2emho+NUHAIqR0AAAAAkFPx6JddBDIzDE17N9HjYf1KB3dn6rPXE5Wa7N4z+QAAAACA4o/ArsuDoM34LFkHdmUW+b5PHbPqu4+SuKYbAAAAAJADgV3S7/NT3T51mSsO783UslmpXts/AAAAAMB8fD6wx563adnsNG+XoVULUnXxXFaR79dqzXsdAAAAAEDR8/lB5xb9nOLy3OqSVLN+gFp3CtG1tQMUEWWRYUjxcTYd2p2p1YvSFHfBtT7uVqv0+/w0Dbgr3OVaCurArkydPZmlDj1DimyfAAAAAID88ekz7MmJNu12sSu8n5804K5wjZ4QpWZtg1S6nJ8Cgy7PTV6+kr/adQvRYy+WUsMWQS7Xs2NDhjLSi2YAugO7MvXN+0nKzGDAOwAAAAAwI58O7H9uzFCWi73QbxoQplYdg52uExAgDX0wQhWq+LvUdka6oSP7PN9H/eDuy2G9ID0LAAAAAABFw6cD+9EDroXjyGg/deiRv+7jAQHSzYPDXK7pxGHPBvZDhHUAAAAAKBZ8OrCfOuba6fUGzQPl78JV//WbBCoswuLSPi6c9dzAc4f2ZGoa3eABAAAAoFjw6cCeGO/awHBVqrs2Rp/FIlWr6do2qcmeCdOH92Zq2nuEdQAAAAAoLnw2sNtscnmAN1fPlktSRLRrT7Enuqof3pupr98lrAMAAABAceKzgb0gsgpwebnFxYwfGu7eP8mRfYR1AAAAACiOfDaw+/lJAYGupem4C65fX+5qt/voMu77kxzZZ9VX7+QM66FhrvcSAAAAAAAUPZ8N7JIUGe1aeN33Z6ZL6xuG6wPbXVvbtWveHTm636qv303MEdbLV/LXkNERbmkfAAAAAOBZPh3YK13jWjg+dsCqI/vyH9pPHLa6dIY9INCieo0DXarJnqMHrPrqncQc1+iXq+iv+yZEKiKKM+wAAAAAUBz4dGC/to7rZ7NnfJ6c7xD++/w0l9pu1iZIoeGFC9THDlj11eScYb1shcthPdLFAfAAAAAAAN7j0wmuccsgl7eJj7Xpk1cSdDbGeVf3nZsytGdbRr7bDQ616KYBoS7Xc6VjB6368qqwXqa8n+6bEKmoUj79pwYAAACAYsenU1yZ8n5q0Nz10B53waYPX4zXstmpdkdfP37IqplTk11qs//I8EKF6mMHrfry7ZxhvXQ5P903IUrRpX36zwwAAAAAxZJ7Rjgrxm4eFKoDOzNkdXHKNqtVWvpbqjasSFenW0LUskOwgkMt2rcjUz98kuTSHO89B4WpaRvXDxxkO34odzf4UmX9NHpClErlMer88jmpTrvuG8wGBwAAAABe4fOBvXxlf906Ily/fOXaGfFsifE2zZ2eosW/pqpW/QDt+zMz3yHXYpH6Dg9Tu64hBdq3dDmsf/l2otLT/t5pdJn/hfWyeZ9Zz7JKWVZSOQAAAACYjc8Hdklq1TFY8XE2LZuVWuA2MtIN7d2R/xHkI6P9NOS+cNVuWPBR4U8cvnzN+pVhPar05bBeuhzd4AEAAACgOCOw/0/3fqEKCLRo8c8pHu8G3qR1kG4dHqbwyIKH6hOHrZr6dqLSU68I66X8NHp8pMqUd9xucKhFtRsU/CBB+cocCAAAAACAokBgv0LnXiEqX8lPP32enOOstTsNuCtcrToGF6qNmCP/6wZ/RViPjPbTfeMjVbaiv9Nty1X0173jIgu1fwAAAACA53G69CoNWwTpkeejVaOuZ45lzP4uRYt/SS3wAYGYo1ZNfStRaVeE9fDIy2G9XCXnYR0AAAAAUHwQ2O2IKu2nZu2C5e+BzG7NNLRibqomPxuvg7vzf8279L+w/ubVYd2i0RMiVb4yYR0AAAAAShK6xF9l1+YMzZ+RorgLNo/uJ+GSTV++nagbeoTolsFh8svj0MlJO2fWwyIsundclCpUIawDAAAAQElDYP+flCRDv01L1s7NGUW2T8OQ1ixK08WzWRr2jwgFBFrsrnfymFVfvJWotJS/w3po+OWwXukawjoAAAAAlER0iZd04WyWPn45waWw7ud3eb5zd9i7PVNfTk5SljX3slPH/tcN/sqwHmbRvU9EqnI1wjoAAAAAlFQ+f4b9bEyWpryeoNTk/A8CFxntpzv+EaHqdQJ0dL9Vm1alaefmTFkzCz6y/JF9mZr1bbIG3BWe4/6ls1KVmpKz3RY3BKtKdZ//0wEAAABAiebTZ9gvxdr05eREl8J6qTJ+euBfUapRN0AWi1SzfoCGjI7Qk6+X0k39QxUWYb9be35sWpWurWvTc9w39IHLBwautHZJmtYuTivwfgAAAAAA5uezgd0wpOmfJCnhUv4HlwsOsei
</tr>
</thead>
<tbody>
<tr>
<td>使用 HTTP-chunked 编码进行编码的数据</td>
</tr>
</tbody>
</table>
<p>在示例中第一个块长8字节第二个块长17字节11h最后一个块长13字节。解块后结果将是这就是分块编码的工作原理。</p>
<p>通过这个过滤器调整我们的桶大小听起来就像儿戏一样简单在每个桶中我们首先以前缀形式添加所需的数据大小例如第一个桶为0x148第二个桶为0x100等然后放入数据最后以一个最终的0表示完成。</p>
<table>
<thead><tr>
<th><a id=img5 href=https://xzfile.aliyuncs.com/media/upload/picture/20240528160254-affd36aa-1cc8-1.png><img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAADbQAAAboCAYAAADuxbaDAAEAAElEQVR4nOzdeXhU5d3/8c9kJxCWQCBACIuyg7LKJpuAuIMIapEqtbjVtm6PbbGLT+3z69OqpS6tWneqYCmuFAUEREE22WQV2XcIgYSQkH1mfn/kyTBnZs4sSWbN+3VdXObcc2bOHcWZfHKf7/e22O12uwAAAAAAAAAAAAAAAAAAAAAAAAAACLK4cE8AAAAAAAAAAAAAAAAAAAAAAAAAAFA/UNAGAAAAAAAAAAAAAAAAAAAAAAAAAAgJCtoAAAAAAAAAAAAAAAAAAAAAAAAAACFBQRsAAAAAAAAAAAAAAAAAAAAAAAAAICQoaAMAAAAAAAAAAAAAAAAAAAAAAAAAhAQFbQAAAAAAAAAAAAAAAAAAAAAAAACAkKCgDQAAAAAAAAAAAAAAAAAAAAAAAAAQEgnhngAAAAAAAAAAAAAAALHMbreHewoAUC9ZLJZwTwEAAAAAAAAesEMbAAAAAAAAAAAAAABBQjEbAIQP78EAAAAAAACRiR3aALjhF7oAEB50iAQAAIEivwFAeJDfAACov8hhABB9avLeTe4DAAAAAAAILnZoA2DAIhwAhA/vwQAAIBD87AAA4cN7MAAA9RM/AwBA/cF7PgAAAAAAQHBZ7PwGBohZ/O8NAPUDHSIBAIh+5DcAqB/IbwAARI9g5TTyHwCERrDyF7kOAIDYR24DgPAgbwH1DwVtQIzif20AqF8IcwAARC/yGwDUL+Q3AAAiX01yGtkOAKJTTTIauQ4AgNhFtgOA8CJvAfULBW1ADKBDJABENzpEAgBQf5DfACC6kd8AAIg9Nc1T/j6PvAYAkcHf3FXTfEauAwAg8pDHAKB+II8B0YuCNiDK0SESAOoPOkQCABDdyG8AUH+Q3wAAiA6BZC5/zqXIDQAiQ10WrwWS1ch1AABEDnIXANQv5DEgOlHQBkQROkQCQP1Ah0gAAKIf+Q0A6gfyGwAA0aeuitjOnTunnJwcnTlzRnl5ecrPz9f58+dVWFiokpISlZaWqry8XBUVFbLZbHUxdQCot+Li4pSYmKikpCQlJycrNTVVaWlpSktLU7NmzZSenq4WLVqoZcuWatq0qc/X85a1avpYbc4FAAC1E6x1M9bjACA0gpWfyGVA5KOgDYgSdIgEgNhEh0gAAGIP+Q0AYhP5DQCA6FfTDHb69GkdPHhQR44c0dGjR3XixAlduHAhGFMEANRSw4YN1aZNG2VlZSk7O1sdOnRQRkaG4RyznBXIeF1nPwAAUDM1WR9jTQ0AolNNMha5DIhsFLQBEYwOkQAQfegQCQBA/UR+A4DoQ34DACD21bRBSF5ennbv3q3du3dr3759ys/PD8b0AAAh0rRpU1166aXq0qWLunXrpmbNmvlVpObr2Nd4Tc8DAACe1fR2Z5pHAkB0CXbGIpsBkYOCNiBC0SESAGIfHSIBAIgN5DcAiH3kNwAAok+gWe3o0aPatm2btm3bpiNHjgRzagCAMMvOzlavXr3Uu3dvZWVlOca9FbDVpADOEzIdAAA1U1fNJQN9PW6xBoDgqsviNZpIAtGHgjYgQtAhEgAg0SESAIBoQH4DAEjkNwAAIpWvzOb8eF5enjZs2KBNmzbp6NGjAV0nJSVFLVu2VEZGhtLT09W0aVM1adJEjRo1UmpqqlJSUpScnKyEhATFxcXV6HsBAFSx2WyqrKxUWVmZSktLVVxcrKKiIhUUFOjcuXPKy8tTbm6uTp8+rdLS0oBeOysrS3379tWAAQPccp0/X3s6NhsL5HEAAFB3RWznzp1TTk6Ozpw5o7y8POXn5+v8+fMqLCxUSUmJSktLVV5eroqKCtlstrqYOgDUW3FxcUpMTFRSUpKSk5OVmpqqtLQ0paWlqVmzZkpPT1eLFi3UsmVLNW3a1OfrectONX2sNucCqFsUtAERgA6RAAAzdIgEACCykN8AAGbIbwAAhJ+3zOb82LZt27RmzRpt3brVr9dNSkpShw4d1L59e7Vr105t2rRR8+bNaz1fAEDdO3v2rE6cOKGjR4/q8OHDOnTokMrLy/16bu/evTV48GD17t3bMVadt2pS6GY25s9jAADUdzXdZe306dM6ePCgjhw5oqNHj+rEiRO6cOFCMKYIAKilhg0bqk2bNsrKylJ2drY6dOigjIwMwzmBNoasScMRf88BUPcoaAPCiA6RABB76BAJAEBsIr8BQOwhvwEAEBv8zWs2m00rV67UypUrdfLkSZ+v26lTJ3Xt2lWdO3dWx44d62SuAIDwOHjwoPbu3avvv/9eBw4c8Hl+Zmamhg0bpiuvvFLx8fGOcW/FbbUpbPPncQAAYp2/tzK7npeXl6fdu3dr9+7d2rdvn/Lz84MxPQBAiDRt2lSXXnqpunTpom7durmts1Xzta4WaCFcTc8DUDsUtAFhQodIAAAdIgEAiA7kNwAA+Q0AgMhlltmqx8vLy7V8+XKtWLFChYWFXl+rR48e6t27t3r27Km0tLQ6nysAIPwKCwu1c+dObd++Xbt27fJ6bqNGjTRixAiNHj1aSUlJktzzXCD5ztOxr3EAAOqDQHdjO3r0qLZt26Zt27bpyJEjwZwaACDMsrOz1atXL/Xu3VtZWVmOcW9ZqyYFcJ6Q04Dgo6ANCCE6RAIAfKFDJAAAkYH8BgDwhfwGAED4+JvZlixZoqVLl+rChQum52ZnZ6t///7q27cvRWwAUM8UFhZqy5Yt2rRpk9eb4VNTU3XVVVdp7NixPgvafGU7T8euyHIAgPrC32wnVe3EtmHDBm3atElHjx4N6DopKSlq2bKlMjIylJ6erqZNm6pJkyZq1KiRUlNTlZKSouTkZCUkJCguLq5G3wsAoIrNZlNlZaXKyspUWlqq4uJiFRUVqaCgQOfOnVNeXp5yc3N1+vRplZaWBvTaWVlZ6tu3rwYMGOC2c1ttmoyQ0YDwoaANCCE6RAIAAkGHSAAAwof8BgAIBPkNAIDQ8WcX7TVr1uizzz7T2bNnTc8dNGiQBg0aRLMRAICkqqYl69ev1/r1603PSU9P19VXX63BgwdL8pzh/M11no79fQwAgFjgT7aTpG3btmnNmjXaunWrX6+blJSkDh06qH379mrXrp3atGmj5s2b13q+AIC6d/bsWZ04cUJHjx7V4cOHdejQIZWXl/v13N69e2vw4MHq3bu3YyyQ9bVAC9vIaEBwUNAGBBkdIgEAdYEOkQAABB/5DQBQF8hvAAAEhz83O+7bt08LFizQ3r17PZ6XkpKi4cOHa9iwYWrSpElQ5gkAiG4FBQVavXq1Vq1aZbpbwCWXXKLrrrtOnTp1Mi1mo7ANAAB3/q7F2Ww2rVy5UitXrtTJkyd9vm6nTp3UtWtXde7cmaYlABDlDh48qL179+r777/XgQMHfJ6fmZmpYcOG6corr1R8fLxj3N81NnZsA8KLgjYgiOgQCQAIBjpEAgBQ98hvAIBgIL8BAFB3vO2kbbVa9eGHH+qLL77weE5KSopGjx6tUaNGOXZIBQDAm/Lycn355ZdasWKFaWHbiBEjdOONNyohIaHWhW3svA0AqA+85Tqp6vN3+fLlWrFihQoLC72+Vo8ePdS7d2/17NmT5pIAEKMKCwu1c+dObd++Xbt27fJ6bqNGjTRixAiNHj3a8fu/QBpJun7t6djXOIDAUdAGBAEdIgEAoUCHSAAAao/8BgAIBfIbAAA15+uGx23btun9999Xbm6ux/PGjBmjsWPHKiUlJWhzBADErtLSUi1btkzLly/3+Hjz5s01YcIE9erVy2OGC2RHbk/HvsYBAIh0/u7KtmTJEi1dulQXLlwwPTc7O1v9+/dX3759KWIDgHqmsLBQW7Zs0aZNm3TkyBHT81JTU3XVVVdp7NixAeWxQDOav48D8I6CNiAI6BAJAAglOkQCAFBz5DcAQCiR3wAACIyvYrb58+ebZrb+/ftr/Pj
</tr>
</thead>
<tbody>
<tr>
<td>为 dechunk 设置bucket</td>
</tr>
</tbody>
</table>
<p>看起来不错但实际上行不通。尽管桶被单独处理它们并非独立所有桶都被解析成一个大流。当dechunk过滤器处理这个流时它会读取第一个桶中的大小即0x148取出0x148字节后接着读到一个大小为零的值这导致它停止解析。它不会转到第二个桶。而是完全停止了解析过程。我们操作的最终结果是从拥有多个桶退回到了只有一个桶的状态。</p>
<p>幸运的是,找到绕过这个问题的方法并不太难:在每个桶中,我们提供一个大小和一个数据块。为此,我们不是简单地写入一个大小,而是在其后面填充数千个零,以达到如下效果:</p>
<table>
<thead><tr>
<th><a id=img6 href=https://xzfile.aliyuncs.com/media/upload/picture/20240528160449-f4cfc068-1cc8-1.png><img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAADbQAAAb0CAYAAACa0XRjAAEAAElEQVR4nOzdd3xUZd7//3d6KKEEAhFDIGhCVxGQJk1AFFEQsSzLKuuNq26z/dxd3eKte3+3qGtfde3cKtwuVpZVqigIiIBKFQk91CQkQEJ6Zn5/ZGcyZ+ZMSzL99Xw8eJhzzZk514XknPOZ63w+V5zVarUKAAAAAAAAAAAAAAAAAAAAAAAAAIAAiw91BwAAAAAAAAAAAAAAAAAAAAAAAAAAsYGENgAAAAAAAAAAAAAAAAAAAAAAAABAUJDQBgAAAAAAAAAAAAAAAAAAAAAAAAAIChLaAAAAAAAAAAAAAAAAAAAAAAAAAABBQUIbAAAAAAAAAAAAAAAAAAAAAAAAACAoSGgDAAAAAAAAAAAAAAAAAAAAAAAAAAQFCW0AAAAAAAAAAAAAAAAAAAAAAAAAgKBIDHUHAASe1WoNdRcAAE0QFxcX6i4AAAAAAAAAAAAAAAAAAAAAQItihTYgypHMBgCRi3M4AAAAAAAAAAAAAAAAAAAAgGjDCm1ABCPRAQCiny/nelZyAwAAAAAAAAAAAAAAAAAAABApSGgDIlRLJrORGAcAodFSiWhWq5WkNgAAAAAAAAAAAAAAAAAAAAARIc5KJgsQ9lrq15RfdwCIDC2VnEaSGwAAAAAAAACEB+bpACA0mC8DAAAAAAAIT6zQBkQhfybEmDwDgNAym0Rzd25mwg0AAAAAAAAAIg/zcQAQOlarlTk2AAAAAACAMMQKbUAY8vfX0tv+JLgBQPjwZ8LM277+Tr4xWQcAQPQhhgOA0CC+AgAgdhGHAUBsIO4DAAAAAAAILBLagDDj66+ku/2sVqtOnz6tEydOqLi4WCUlJSotLdWZM2dUVlamyspKVVVVqaamRrW1tbJYLC3ZfQCIOfHx8UpKSlJycrJSUlLUunVrpaWlKS0tTR07dlR6ero6d+6sLl26qEOHDj59pqcJMnev+TqpxuQbAADRg690ACC0iK8AAIg9xGEAEFuI+wAAAAAAAAKHhDYgDDQnia2wsFD79+/XoUOHVFBQoKNHj+rs2bMt3UUAQAto06aNunXrpqysLGVnZ6tnz57KyMhw2c9scszXNk/tTd0PAAAEHl/PAEBsIA4DACByBCpOI/4DgOAIVPxFXAcAQPQjbgOA0CDeAmIPCW1AiHn7FXR+vaSkRLt27dKuXbu0Z88elZaWBrJ7AIAA69Chg84//3zl5eWpT58+6tixo0/Ja962vbX7+joAAAg8vpoBgNhCHAYAQPhrSpxGbAcAkakpMRpxHQAA0YvYDgBCi3gLiC0ktAEh4MuvneM+BQUF2rp1q7Zu3apDhw4FsmsAgBDLzs7WgAEDNHDgQGVlZdnbPSWw+ZLc5kugRzAIAEDgUeEfACIbFf4BAIg+TY2nfH0f8RoAhAdf466mxmfEdQAAhB/iMQCIDcRjQOQioQ0IMk+/co6vlZSUaOPGjdq8ebMKCgr8OkZqaqq6dOmijIwMpaenq0OHDmrfvr3atm2r1q1bKzU1VSkpKUpMTFR8fHyTxwIAkCwWi+rq6lRdXa2qqipVVFSovLxcp0+f1qlTp1RSUqKioiIVFhaqqqrKr8/OysrSoEGDNGTIEJeV23z52WzbXZsvrwEAgOahwj8AxA4q/AMAEBn8ibn8LVjZUscFAPivJZPX/InViOsAAAgfxF0AEFuIx4DIREIbEATefs0cX9+6davWrVunLVu2+PTZycnJ6tmzp3r06KHu3burW7du6tSpU7P6CwAIjJMnT+ro0aMqKCjQwYMHdeDAAdXU1Pj03oEDB2r48OEaOHCgvc0WhDUl0c1dmz+vAwAA96jwDwCxgQr/AABEnpZKYjt16pROnDih4uJilZSUqLS0VGfOnFFZWZkqKytVVVWlmpoa1dbWymKxtETXASBmxcfHKykpScnJyUpJSVHr1q2VlpamtLQ0dezYUenp6ercubO6dOmiDh06eP28phZ/JLkNAIDwFKh5M+bjACA4AhU/EZcB4Y+ENiDAfFmRzWKxaPXq1Vq9erWOHTvm9TN79eql3r17Kzc3Vzk5OS3WVwBA8O3fv1/5+fn6/vvvtW/fPq/7Z2ZmatSoUbr00ksVHx/vktTmLcnNl21fXwMAAOao8A8A0YkK/wAARL6mxmCFhYXav3+/Dh06pIKCAh09elRnz54NRBcBAM3Upk0bdevWTVlZWcrOzlbPnj2VkZFh2MddnOVPe0vHfgAAoGmaMj/GnBoARKamxFjEZUB4I6ENCABfV2SrqanRypUrtWrVKpWVlXl8T79+/TRw4ED1799faWlpLdZXAED4KCsr044dO7Rt2zbt3LnT475t27bVmDFjNH78eCUnJ0tyn9TmS5KbuzZ/XgcAIJZR4R8AIg8V/gEAiH5NLRBSUlKiXbt2adeuXdqzZ49KS0sD0T0AQJB06NBB559/vvLy8tSnTx917NjRp7kyX4tEBnr1bgAA0KCpjztTPBIAIkugYyxiMyB8kNAGBIAvq7ItXbpUy5cv91i9MTs7W4MHD9agQYNIYgOAGFNWVqZvvvlGmzdv1qFDh9zu17p1a1122WWaOHGipIZgy9+ENm+Jbr68BgBALKPCPwBEPyr8AwAQefyN1QoKCrR161Zt3brV43eyAIDIl52drQEDBmjgwIHKysqyt3tKYGtKApwZYjoAAJqmpYpL+vt5PGINAIHVkslrFJEEIg8JbUAL8iWRbd26dfr444918uRJt/sOGzZMw4YNU05OTov3EQAQefbv368NGzZow4YNbvdJT0/X5ZdfrmHDhrkktfmS2ObPhBvBHAAg1lHhHwAgUeEfAIBw5S1mc3y9pKREGzdu1ObNm1VQUODXcVJTU9WlSxdlZGQoPT1dHTp0UPv27dW2bVu1bt1aqampSklJUWJiouLj45s0FgBAA4vForq6OlVXV6uqqkoVFRUqLy/X6dOnderUKZWUlKioqEiFhYWqqqry67OzsrI0aNAgDRkyxCWu87VAZFMKlhDLAQDgXUslsZ06dUonTpxQcXGxSkpKVFpaqjNnzqisrEyVlZWqqqpSTU2NamtrZbFYWqLrABCz4uPjlZSUpOTkZKWkpKh169ZKS0tTWlqaOnbsqPT0dHXu3FldunRRhw4dvH5eU59jJLkNiAwktAEtxFsy2549e7Ro0SLl5+eb7pOamqrRo0dr1KhRat++faC6CQCIYKdPn9batWu1Zs0at5Nx5513nqZMmaJevXq5TWZrysptzgjiAACxigr/AAB3qPAPAEDo+VJ8UpK2bt2qdevWacuWLT59bnJysnr27KkePXqoe/fu6tatmzp16tTs/gIAWt7Jkyd19OhRFRQU6ODBgzpw4IBqamp8eu/AgQM1fPhwDRw40N7mz3yav4ltxHIAALjX1FXWCgsLtX//fh06dEgFBQU6evSozp49G4guAgCaqU2bNurWrZuysrKUnZ2tnj17KiMjw7CPv4Uhm1JwxNd9ALQ8EtqAZvClwmN9fb3ef/99ffrpp6b7pKamavz48Ro3bpySk5MD0U0AQJSpqanRZ599plWrVrlNbBszZoyuvvpqJSYmuiSzuUtoa0pimy+vAwAQDajwDwDRhwr/AABEB1/jNYvFotWrV2v16tU6duyY18/t1auXevfurdzcXOXk5LRIXwEAobF//37l5+fr+++/1759+7zun5mZqVGjRunSSy9VQkKCvd3TnFpzEtt8eR0AgGjn66PMzvuVlJRo165d2rVrl/bs2aPS0tJAdA8AECQdOnTQ+eefr7y8PPXp08dlns3G27yav4lwTd0PQPOQ0AY0g7tfH1v71q1b9e6776qoqMh0vwkTJmjixIlKTU0NWB8BANGrqqpKK1as0MqVK01f79Spk6ZNm6YBAwa4JLL5ktjW0kEeAACRigr/AAAq/AMAEL68zdfV1NRo5cq
</tr>
</thead>
<tbody>
<tr>
<td>正确设置 dechunk 的存储桶</td>
</tr>
</tbody>
</table>
<p>现在处理完桶1之后去块解析器跳转到桶2准备读取新的尺寸接着是桶3以此类推。它成功了我们现在可以根据需要创建任意数量的桶设定我们想要的尺寸。这是一个巨大的进步和飞跃。</p>
<h3 id=toc-15>空闲列表控制write-what-where</h3>
<p>我们的目标是通过将某些指针的最低有效位LSB覆盖为值48hASCII中的H来修改某个自由列表。为了无条件地达到相同效果我们针对大小为0x100的块因为这些块地址的最低有效位总是零。这意味着我们的溢出效果始终相同给一个块指针增加0x48。</p>
<p>为了利用这一漏洞我们遵循了一个非常标准的6步程序。我们将大小为0x100的块的自由列表命名为FL[0x100]。</p>
<table>
<thead><tr>
<th><a id=img7 href=https://xzfile.aliyuncs.com/media/upload/picture/20240528160638-355817a2-1cc9-1.png><img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAE2AAAAcoCAYAAADzIGN9AAEAAElEQVR4nOzcd5zV9ZU//jOdYWAKMCAg0qQoFlBALMFuNIqxRqMxxsSYxE3bjWlrTEwz+a0xu2mru1ET/WrUxIh9E1vEigqKKBbEggjSBxiGMu3+/lAmc+8UZoaZuVOez8fj87j3fT7vcu71yoU/7isCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAaKuMdDcAAAAAAAAAAAAAAAAAAABAi/mNONDTJNLdAAAAvU9muhsAAAAAAAAAAAAAAAAAAACgRYSvAT2RP9sAAOh0/hIKAAAAAAAAAAAAAAAAAACQPn7zDdAyiXQ3AABAz5GZ7gYAAAAAAAAAAAAAAAAAAAB6KeFrAC3nz0wAANqNv1wCAAAAAAAAAAAAAAAAAAB0vPb+bbffigPdXaKL7QMAQC/iH9UAAAAAAAAAAAAAAAAAAAAdr7W/7fZbcKC3akugmhA2AABaxT+6AQAAAAAAAAAAAAAAAAAA2l9HBa75jTjQ0+wsPK2t4WpC2QAAaJJ/XAMAAAAAAAAAAAAAAAAAALSv9ghTy4iInIgYGBElEdE3IvIiIrMN5wB0lJqIqIyIzRGxMSLWRkT1Tta0JBituTktDVYTwAYAQJP8gxoAAAAAAAAAAAAAAAAAAGDX7Uro2sSImBwRe0fEhIgYExG7R8TgdukMoHOtioj3IuKtiHg9Il6JiBcj4o0P77clXK219V2dCwBADyeADQAAAAAAAAAAAAAAAAAAYNfs7HfbqfenRcSREfGRiDg4Iko6oimALmZtRDwTEY9HxD8i4oVG5jQWkrYrtdbcBwCgFxHABgAAAAAAAAAAAAAAAAAA0Hot+a12/TknRMTJEXFiRAzvkI4AupdlEXF/RNwdEQ99WEsNSWvtuKlaYwSyAQD0YgLYAAAAAAAAAAAAAAAAAAAAWq+532rvuLd/RHwqIs6OiGFtOWTw4MFRUlIS/fr1i7y8vMjKymrLNgAdoqamJrZv3x6bN2+O9evXx5o1a9q61XsRcWtE/CkiXonkcLSWPG/JOJUANgCAXkwAGwAAAAAAAAAAAAAAAAAAwM615LfZO+acGhFfiIhjW7LxwIED48ADD4z9998/9tprrxg3blyMGjUqhg8fHhkZfhIOdB+1tbWxfPnyeOedd+KNN96IV155JV588cWYP39+lJWVtXSbv0XEtRFx74fjnQWwCWIDAKDV/GsbAAAAAAAAAAAAAAAAAABg55r7bfaOe5+OiK9FxOTmNiosLIzjjjsujjrqqJg5c2ZMmjSpnVoE6LoWLlwYjz/+eDzyyCPx97//PSoqKna2ZH5E/DYibo3mg9d2FtDW1HhndQAAejABbAAAAAAAAAAAAAAAAAAAAE1rSfDaGRHxnYiY0tTEoqKiOPPMM+PUU0+Nj33sY+3ZH0C3dM8998Ts2bPjL3/5S2zevLm5qfMi4sqIuCeSQ9faO4htZ/cAAOhBBLABAAAAAAAAAAAAAAAAAAA0ranfZGdExNSI+GFEHN/U4mOOOSbOP//8OPfccyMjw8+7AVJVV1fHzTffHH/84x/j0UcfbW7qfRHx44hYGE2Hr7U1lC1aeA8AgB7Cv9ABAAAAAAAAAAAAAAAAAAAaai54LSLiioj4dlOLP/OZz8TFF18c06ZNa/fGAHqqp59+Ov77v/87brrppuam/Tw+CGKrH7LWlkC2xsYtvQcAQDcngA0AAAAAAAAAAAAAAAAAACBZc+FrR0bEf0bEvo1NuPDCC+Mb3/hGTJw4saN6A+jxXn755fjFL34RN9xwQ1NTXogPQjCf/HCcGsLWXDhbc8+jBXUAAHoAAWwAAAAAAAAAAAAAAAAAAADN//Z6x73vR8QPGptwyimnxGWXXRYHHHBAuzcG0Fs988wz8eMf/zjuu+++pqZcHhG/+PB5IuWKRp439hhNjHdWBwCgGxPABgAAAAAAAAAAAAAAAAAA0PRvrzMiojQiro2Ik1Jvjh07Nq644or4xCc+0ZG9AfRqN998c3z3u9+NZcuWNXb7roj4l4jYGA1D2JoKYqsfqtbU8+ZqAAB0cwLYAAAAAAAAAAAAAAAAAACA3qy531xnRMShEfHHiBiTevMrX/lK/OIXv4jc3NwOag2AHSoqKuKSSy6Ja665prHbr0fEFyNiXjQMWttZGFv9x9Tn0YI6AADdkAA2AAAAAAAAAAAAAAAAAACgN2vqN9cZEfGJiPhT6pyhQ4fG7373uzj11FM7ujcAUvz5z3+Oiy++ONatW5d6a3tEfC4i7o7Gw9caC2aLRh5TnzdXAwCgmxLABgAAAAAAAAAAAAAAAAAA9EbNBa9FRFwcEb9JvXniiSfG73//+xg6dGiHNQZA85YuXRqf//zn48EHH2zs9lcj4oZoOoStqUC2iJ2HsDVXBwCgG8lMdwMAAAAAAAAAAAAAAAAAAABdzCXRSPjaJZdcEvfee6/wNYA0GzlyZDzwwAPx1a9+tbHbv46IL8UHmRo7roxWXhE7D+oEAKAb85c6AAAAAAAAAAAAAAAAAACgN9lZoM63IuJnqTd/85vfxJe//OUOawqAtrnqqqvikksuaezWv0fE1RFRGxGJFl7RzGOqpuoAAHQDAtgAAAAAAAAAAAAAAAAAAIDepLkAtq9GxH+m3rj11lvjrLPO6tCmAGi7G2+8Mc4///zGbn0jIq6PfwastSSMLZp5rE8AGwBANyaADQAAAAAAAAAAAAAAAAAA6C0a+331jtp5EfHHpBsZGXH33XfHSSed1NF9AbCL/vrXv8YZZ5zR2K3PRcTsSA5g21kQWzTzmEoQGwBANySADQAAAAAAAAAAAAAAAAAA6A2a+m11RkQcExF/T71x7733xoknntihTQHQfu644444/fTTU8uJiJgVEU9H4wFsTYWxRTOPqfsDANDNZKa7AQAAAAAAAAAAAAAAAAAAgDTI+PAaHRE3pN68/fbbha8BdDOnnXZa3HzzzanljIi4OiKGxgc5G/WvjHqPqVc085i6f1MhnwAAdFEC2AAAAAAAAAAAAAAAAAAAgJ6uuWCc6yJit/qF//3f/43TTz+9YzsCoEOcc8458etf/zq1PCIifh1Nh6/taggbAADdjAA2AAAAAAAAAAAAAAAAAACgJ2ssKGdH7aqIOLz+je9///vx+c9/vsObAqDjfOUrX4lvfetbqeWjIuKySA5hSw1jayyILZp5rC+jiToAAF2Qv7gBAAAAAAAAAAAAAAAAAAA9WepvqneMz4iI2+rfOPvss+OWW27plKYA6Hinnnpq3Hnnnanl8yLi7xFR++GVSHmeSHm+44pmHutrrAYAQBcjgA0AAAAAAAAAAAAAAAAAAOiJGvst9Y7agIh4MSKG7bgxceLEmDdvXhQUFHRGbwB0gnXr1sXUqVPjnXfeqV9eGhFHRERFtD2ErX7IWmrgmgA2AIBuIDPdDQAAAAAAAAAAAAAAAAAAAHSy/4h64WsREVdffbXwNYAeZuDAgXH11VenlkdGxOXxQebGjisj5XlT1w6NhXy25B4AAF2EADYAAAAAAAAAAAAAAAAAAKCnaSz8ZkdtVkRcUP/GD3/4wzjiiCM6uicA0uD444+P73znO6nl8yPiiIjIiqZD2JoLY4tGHusTwgYA0MX5CxsAAAAAAAAAAAAAAAAAANCTNBeEkxERz0fEfjtuHHzwwfHUU091Rl8ApNGUKVNiwYIF9UvPxwehnDURUZtyJVKeJ+o9j3q1aOQxmhgDANCFZKa7AQAAAAAAAAAAAAAAAAA
</tr>
</thead>
<tbody>
<tr>
<td>控制 FL[0x100]</td>
</tr>
</tbody>
</table>
<p>考虑我们已经通过分配大量0x100大小的块成功填充了堆。因此在内存中的某个位置我们有三个连续的空闲块A、B和C其中A是FL[100]的头。A指向BB指向C。我们可以分配这三个块步骤2然后再次释放它们步骤3。此时空闲列表被反转我们得到的是C→B→A。接着我们再次进行分配但这次我们在C的偏移量48h处放置了一个任意指针0x1122334455步骤4。再次释放它们步骤5状态与步骤1完全相同但有一个小差异在C+48h处存在一个任意指针。现在我们可以从块A执行溢出操作这将改变B中包含的指针的位置。它现在指向了C+48h的位置,结果使得空闲列表变为 B→ C+48h → 0x1122334455. 再经过三次更多的分配操作,就能够使PHP在我们的任意地址上进行分配.</p>
<p>我们现在拥有了一个“写入任何内容到任何位置”的条件;这几乎完成了整个过程.</p>
<p>但是让我回到漏洞利用的实现上来.在描述的各种步骤中,有部分数据段会被分配并随后释放掉.但我们不能真正摆脱这些"桶":只能让它们的尺寸发生变化而已.然而,我们只对尺寸为0x10的数据段感兴趣——就好像其他大小的数据段并不存在一样!所以我就把每个"桶"构建成了HTTP分片式的俄罗斯套娃:</p>
<table>
<thead><tr>
<th><a id=img8 href=https://xzfile.aliyuncs.com/media/upload/picture/20240528160816-6fd8112a-1cc9-1.png><img src=data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAABOAAAAZMCAYAAACn+v3MAAEAAElEQVR4nOzdeZgc5Xnv/V9193TPotG+7ysSYtGG0IYWdpBivAQMMdhgG8d27PN6OZeTk8055yTnJCdxvCSOndhObBwDxsRmM4gdLYAWBEhIIIQkhPZdGs3aPb3U+4c8w+x1d3fVTHfz/VzXXFL3VHVX39P13E/dT9VTjuu6rgAAAAAAAAAEItTXGwAAAAAAAACUMgpwAAAAAAAAQIAowAEAAAAAAAABogAHAAAAAAAABIgCHAAAAAAAABAgCnAAAAAAAABAgCjAAQAAAAAAAAGK9PUGFDrXdft6EwAAAAAAAIqa4zh9vQl9ijPgekDxDQAAAAAAIH8f9BrLB/4MuA/6FwAAAAAAAKA39FSDKfUz5D7QBTg/im8U8AAAAAAAwAddvgU013VLugjnuB+QClK+H/MDEiYAAAAAAADf5FtUK5Wi3AeiAJfNRwxqWQAAAAAAgFKWTbEsqGULVckV4LL9OF7LU5ADAAAAAADozM8iWrZFtmIryn0g54DrrlCWTCZ14sQJHT9+XCdOnNCJEydUU1OjRCKheDyu5uZmxeNxJRIJJZPJXt5qAAAAAACAYJWVlSkWi7X7KS8v14ABAzR8+HANGzZMI0aM0PDhw1VWVub5ei2Fsq5qMW2LaG1/X2zFNYuiPwPOuvldLXfo0CHt2bNH77zzjg4cOKDTp0/7vXkAAAAAAAAlafDgwRo/frymTZumqVOnasyYMZ2W6aqYZn2up+dzXa6vlHwBru3vT58+re3bt2v37t3as2ePamtrg948AAAAAACAD4Tq6mpNnTpVU6dO1cUXX6zBgwd7FtvyLdBZf9/Xiq4Al+0Zb/F4XK+99pq2bNminTt3BrlpAAAAAAAA+J0ZM2Zozpw5mjdvnmKxWOvzPRXgcinOdaXQCnIlV4Br+f22bdu0ZcsWvfrqq1ndHGHo0KEaNmxY68/QoUM7Xfsci8VM1zkDAAAAAAAUk2QyqUQi0enn1KlTOnnyZOvPqVOnzK/pOI7mzp2rOXPm6NJLL219ru2/bZft6fnuHnf1noWkaApwPW1m29+9/PLLWrNmjQ4ePOj5mhUVFZoyZUrrz+jRoxUOh33ZXgAAAAAAgFKVTqd15MgR7d27t/WnqanJc70xY8Zo2bJlWrhwYZfFtp6e6/j/np6z/K43FUUBzqv45rquXnjhBa1Zs0YnT57s8bUmTpyoSy+9VFOmTNH48eP93lQAAAAAAIAPpAMHDmjv3r1644039N577/W47NChQ7V06VItX75cjuN0Krx5FeW6W6YrhVCEK9gCnPVS02effVZPP/206urqul12+PDhmj17tmbPnq1Ro0b5up0AAAAAAABo7+jRo9q6dau2bt2qEydOdLtcv379dPXVV+vKK6/stghnKc5197ijvirGFV0BruX5nTt36pFHHtH+/fu7fY3LL79cl19+uaZMmRLINgIAAAAAAKBne/fu1ebNm7V58+Zulxk/frxWrlypGTNmSFKPZ8XlU4ijAPc7Xpebnj17Vo899pg2bNjQ7XJLly7V0qVLNWzYsCA2EQAAAAAAAFk6efKk1q9fr/Xr13e7zOWXX64bb7xRAwcO7FSEy6Yg19Vj6++CUDQFONd19dxzz+mRRx5RMpns9PtYLKZly5Zp6dKlqq6uDnozAQAAAAAAkIO6ujqtX79e69atUyKR6PT7srIyrVq1SsuWLWstvOVaiCuUM+EKpgDXU+EtHo/rvvvu0yuvvNLlMgsXLtTKlSspvAEAAAAAABSJuro6PfHEE9q4cWOXv587d65uvvlmlZeXexbicrl7ak/P+60gCnA9Fd927dql++67r8sJ+yZOnKiVK1dq2rRpQW8iAAAAAAAAArB792498cQTXd45dejQobr55ps1bdq0dkW4bM+K6/j/tnqjCNfnBbieim9PPfWUHn744U6/i0ajraciAgAAAAAAoPitW7dOjz/+uJqbmzv9btWqVa13Su3uR+q5GNfx/20FXYTr0wJcV2/d8tw999zT5SmIU6dO1S233KLhw4cHvn0AAAAAAADoPSdOnNCDDz6oPXv2dPrdZZddpltvvbW1yBYKhToV3vI5Gy7IIlyfFeC6K76lUin9+Mc/1htvvNHp91deeaVuuumm3tg8AAAAAAAA9JFHH31UL7zwQqfnZ86cqU9+8pMqKysL5Gy4oIpwfVKA6674Vltbqx/96Efau3dvu99VVlbqlltu0ezZs3tpCwEAAAAAANCXtm7dqgcffFCNjY3tnp84caI++clPqn///j0W4bzOiOv4/56ey1evF+C6K74dPXpUP/nJT3TkyJF2vxs7dqzuuusuDRkypLc2EQAAAAAAAAXg9OnT+tnPfqZDhw61e37EiBG64447NGLEiHaXo2Z7RlzH//f0XD56tQDXU/Htn/7pn1RTU9Pud9OmTdOnP/1pVVRU9NIWAgAAAAAAoJA0NTXppz/9qXbv3t3u+f79++vuu+/WiBEj2hXguirGSer2jLiO/+/puVz1SgGupzud1tbW6nvf+16nM99mzZqlu+66K+hNAwAAAAAAQBH42c9+pm3btrV7bsSIEbr77rtbL0f1OhOuuzPiWh53xY9CXCjvV/DQU/EtlUrpRz/6Uafi26JFiyi+AQAAAAAAoNVdd92lRYsWtXvu+PHj+sUvfqHm5mZlMpnWH9d1e/yR1O7/LY+74se5a4EX4LrSsuE//vGPO91wYdGiRfr4xz/eF5sFAAAAAACAAvbxj3+8UxFu//79uu+++9oV4CyFOMlehMtXoAW47uZ8k6R77rlHb7zxRrvfzZo1i+IbAAAAAAAAuvXxj39cs2bNavfczp079eCDD3ZZhOupECfZinD5FuYCK8D1tLFPP/20Nm7c2O5306ZN47JTAAAAAAAAeLrrrrs0bdq0ds+9/vrreuGFF9oV3Tr+210RTlKgRbheuwS1ZSPffvttPfTQQ+1+N3bsWH3605/urU0BAAAAAABAkfv0pz+tsWPHtnvumWee0Z49e7o8A856NlwLPy9H9b0A17F62FY8Htf999/f7rnKykrdddddqqio8HtTAAAAAAAAUKIqKip01113qbKyst3zjzzyiJqamrKeE66rIlxHPdW9etIrZ8C1bNh9992nEydOtPvdLbfcoiFDhvTGZgAAAAAAAKCEDBkyRLfccku7586cOaNHHnlE6XS6y+Kb9eYMbf/Nl28FuO4qgC3PPf/883rllVfa/e7KK6/U7Nmz/doEAAAAAAAAfMDMnj1bV155Zbvntm/frpdeeqnbs+DyLcJleyZcr9wF9ezZs3r44Yfb/W7q1Km66aabgnx7AAAAAAAAfADcdNNNmjp1arvnnnvuOdXU1JiKcG0FcSZcr9wF9bHHHlMymWx9HI1GO50eCAAAAAAAAOTqlltuUTQabX2cSqX0/PPPd1mA63gGXFfFuK4Kc7kKfA64t956Sxs2bGj33KpVqzR8+PCg3xoAAAAAAAAfEMOHD9eqVavaPbd169Z2d0XtWHTzuiuq5M88cHkX4Lo7Va/l30cffbTd7yZOnKhly5bl+7YAAAAAAABAO8uWLdPEiRPbPffcc8/ldEdUy6Wo1rngfD8Dru2bPvvss9q/f3+7369cudLvtwQAAAAAAAAkda49HT16VC+//HK3l6J2VYxr0dOJZ9kIdA64Z555pt1zCxcu1LRp04J6SwAAAAAAAHzATZs2TQsXLmz3XFcFuI5Ft54KcVIfzgHX06Wnzz//vOrq6lp/F4vFOPsNAAAAAAAAgVu5cqVisVjr48bGRm3atKnTXVCzuSRV6vlS1J7kXIDzeuG1a9e2e7xs2TJVV1fn+nYAAAAAAACASXV1dad7EGzZsiWnolsLr1pYT7/37RLUthXAl19+WSdPnmz3+6VLl/r1VgAAAAAAAECPOtai
</tr>
</thead>
<tbody>
<tr>
<td>一个俄罗斯bucket套娃它的大小在每个 dechunk 上都会变化</td>
</tr>
</tbody>
</table>
<p>对于每一次利用步骤都会调用dechunk过滤器因此每个桶的大小会发生变化。有些桶的大小变为0x100从而在利用过程中“显现”出来而有些则变得更小因而消失。这为我们提供了一个完美的方法使得桶能在特定时刻实质化出现并在不需要它们时将其丢弃。</p>
<p>解决了这个问题后,我们开始执行代码。</p>
<h3 id=toc-16>代码执行</h3>
<p>尽管我们通过读取<code>/proc/self/maps</code>来查看内存区域但我们并不精确知道我们在堆中的位置。幸运的是我们可以通过定位PHP的堆完全忽略这个问题。由于其对齐方式~0x1fffff和大小2MB它很容易识别。在其顶部存在一个zend_mm_heap结构该结构包含非常有用的字段</p>
<div class=highlight><pre><span></span><span class=k>struct</span> <span class=n>_zend_mm_heap</span> <span class=p>{</span>
<span class=p>...</span>
<span class=kt>int</span> <span class=n>use_custom_heap</span><span class=p>;</span>
<span class=p>...</span>
<span class=n>zend_mm_free_slot</span> <span class=o>*</span><span class=n>free_slot</span><span class=p>[</span><span class=n>ZEND_MM_BINS</span><span class=p>];</span> <span class=cm>/* free lists for small sizes */</span>
<span class=p>...</span>
<span class=k>union</span> <span class=p>{</span>
<span class=k>struct</span> <span class=p>{</span>
<span class=kt>void</span> <span class=o>*</span><span class=p>(</span><span class=o>*</span><span class=n>_malloc</span><span class=p>)(</span><span class=kt>size_t</span><span class=p>);</span>
<span class=kt>void</span> <span class=p>(</span><span class=o>*</span><span class=n>_free</span><span class=p>)(</span><span class=kt>void</span><span class=o>*</span><span class=p>);</span>
<span class=kt>void</span> <span class=o>*</span><span class=p>(</span><span class=o>*</span><span class=n>_realloc</span><span class=p>)(</span><span class=kt>void</span><span class=o>*</span><span class=p>,</span> <span class=kt>size_t</span><span class=p>);</span>
<span class=p>}</span> <span class=n>std</span><span class=p>;</span>
<span class=p>}</span> <span class=n>custom_heap</span><span class=p>;</span>
<span class=p>};</span>
</pre></div>
<p>首先,它控制了所有的自由列表。通过重写这些自由列表,我们能够获得任意数量、任意大小的“写入-何处-写什么”write-what-where漏洞。利用这些漏洞我们可以覆盖最后一个字段<code>custom_heap</code>,该字段包含了<code>emalloc()</code><code>efree()</code><code>erealloc()</code>的替代函数类似于glibc中的<code>__malloc_hook</code>及其同类)。接着,我们将<code>use_custom_heap</code>设置为1并对一个桶调用free()方法这样就能实现对一个可控参数的任意函数调用。由于我们可以使用文件读取功能访问二进制文件本可以构建复杂的ROP链但我们希望尽可能保持通用性因此我将 <code>custom_heap._free</code>设置为 <code>system</code>函数, 这样就可以在CTF环境中执行任意的bash命令了。</p>
<p>注:关于这一攻击手段的具体细节我略去了很多(实际上非常多),但整个攻击过程都有详细的注释说明。</p>
<h3 id=toc-17>利用性能</h3>
<p>我们的利用程序执行了三个请求:首先,它下载<code>/proc/self/maps</code>文件并从中提取PHP堆的地址和libc库的文件名。接着它下载libc二进制文件以提取<code>system()</code>函数的地址。最后,执行一次最终请求来触发溢出并执行我们预设的任意命令。<br>
它的表现非常好:</p>
<p><strong>适用于任何目标</strong></p>
<ul>
<li>从 PHP 7.0.0 (2015) 到 8.3.7 (2024)</li>
<li>任何 PHP 应用程序Wordpress、Laravel 等。</li>
</ul>
<p><strong>100%可靠</strong></p>
<ul>
<li>由于它的实现,它永远不会(?)产生崩溃</li>
<li>二进制漏洞利用感觉就像网络漏洞利用!</li>
</ul>
<p><strong>有效负载小于 1000 字节</strong></p>
<ul>
<li>通过使用 zlib.inflate 和仅 12 个过滤器,有效负载非常小</li>
<li>它适合 GET 请求</li>
</ul>
<p><strong>独立的漏洞利用</strong></p>
<ul>
<li>无需以 GET 或 POST 方式发送额外参数:该漏洞利用程序自行完成所有操作,从填充堆到设置空闲列表,最后获取代码执行</li>
</ul>
<p>这是一条单一的、不足1000字节的数据包能够在过去十年间的所有PHP版本中导致远程代码执行。</p>
<h3 id=toc-18>demo</h3>
<p>为了说明我将针对运行在PHP 8.3.x上的WordPress实例。为了引入文件读取漏洞我添加了BuddyForms插件版本2.7.7该插件存在CVE-2023-26326缺陷。此漏洞最初被报告为PHAR反序列化漏洞但WordPress没有任何反序列化gadget链。无论如何目标系统运行的是PHP 8+因此它不受PHAR攻击的影响。<br>
视频地址:<a href=https://www.ambionics.io/images/iconv-cve-2024-2961-p1/demo.mp4 target=_blank>https://www.ambionics.io/images/iconv-cve-2024-2961-p1/demo.mp4</a><br>
注意:如果您阅读了原发现者提供的<a href=https://medium.com/tenable-techblog/wordpress-buddyforms-plugin-unauthenticated-insecure-deserialization-cve-2023-26326-3becb5575ed8 target=_blank>建议</a>,您可能会注意到在文件读取基本操作之前,会执行一个<code>getimagesize()</code>调用以检查该文件是否为图像。因此,为了使漏洞利用能够读取<code>/proc/self/maps</code><code>libc</code>,我使用了<code>wrapwrap</code>工具将它们伪装成GIF图像。</p>
<h1>影响</h1>
<p>这对PHP生态系统有何影响这不是一个新的漏洞而是一个新的利用途径。然而有多种方法可以让PHP读取文件文件读取原语在Web应用中非常常见。</p>
<h2 id=toc-19>标准数据流出口</h2>
<p>显然PHP的所有标准文件读取操作都受到了影响file_get_contents()、file()、readfile()、fgets()、getimagesize()、SplFileObject-&gt;read()等。文件写入操作同样受到影响如file_put_contents()及其同类函数)。</p>
<h2 id=toc-20>利用漏洞</h2>
<h3 id=toc-21>从SQL注入到远程代码执行RCE</h3>
<p>如果你在PDO/MySQL环境中获得了一个SQL注入漏洞你可能能够利用<code>LOAD DATA LOCAL INFILE</code></p>
<div class=highlight><pre><span></span><span class=k>LOAD</span> <span class=k>DATA</span> <span class=k>LOCAL</span> <span class=n>INFILE</span> <span class=s1>'php://filter/cnext...'</span><span class=p>;</span>
</pre></div>
<h3 id=toc-22>XXE</h3>
<p>XXES现在是RCES</p>
<div class=highlight><pre><span></span><span class=cp>&lt;?xml version="1.0" ?&gt;</span>
<span class=cp>&lt;!DOCTYPE root [</span>
<span class=cp> &lt;!ENTITY exploit SYSTEM "php://filter/cnext..."&gt;</span>
]&gt;
<span class=nt>&lt;root&gt;</span><span class=ni>&amp;exploit;</span><span class=nt>&lt;/root&gt;</span>
</pre></div>
<h2 id=toc-23>作为 PHAR 的替代品</h2>
<p>与PHAR攻击相反仅执行文件检查的功能<code>file_exists()</code><code>is_file()</code>并不受影响。然而在其他情况下该漏洞可以作为PHAR攻击的替代方案使用正如演示所示。禁用<code>phar://</code>或升级到PHP 8并不能保证安全。</p>
<h2 id=toc-24>解析库</h2>
<p>任何以某种方式操作URL的库都可能存在漏洞。以下是我在研究漏洞利用过程中发现的一些新目标</p>
<ul>
<li><strong>meyfa/php-svg</strong>最流行的SVG处理库</li>
<li><strong>symfony/translation</strong>XLIFF解析器存在漏洞</li>
</ul>
<p>例如PHP-SVG库可以通过如下载荷受到攻击</p>
<div class=highlight><pre><span></span><span class=nt>&lt;svg</span> <span class=na>width=</span><span class=s>"100"</span> <span class=na>height=</span><span class=s>"100"</span><span class=nt>&gt;</span>
<span class=nt>&lt;image</span> <span class=na>href=</span><span class=s>"php://filter/cnext/..."</span> <span class=na>width=</span><span class=s>"1"</span> <span class=na>height=</span><span class=s>"1"</span> <span class=nt>/&gt;</span>
<span class=nt>&lt;/svg&gt;</span>
</pre></div>
<p>HTML转PDF解析器如dompdf、tcpdf以及其他类似工具也可能成为目标。</p>
<h2 id=toc-25>类实例化</h2>
<p>有时在攻击PHP时你会遇到以下原语</p>
<div class=highlight><pre><span></span><span class=x>new $_GET['cls']($_GET['argument']);</span>
</pre></div>
<p>这篇来自PTswarm的优秀<a href=https://swarm.ptsecurity.com/exploiting-arbitrary-object-instantiations/ target=_blank>博文</a>描述了多种从该原生组件读取文件的方法,这些方法均可用于触发漏洞。示例包括使用<code>SoapClient</code><code>Imagick</code><code>tidy</code><code>SimpleXMLElement</code>等。</p>
<h2 id=toc-26>作为一种改进的小工具链</h2>
<p>如果你发现了一个文件读取反序列化(<code>unserialize()</code>的小工具链你可以利用这个漏洞将其升级为远程代码执行RCE。随着近期应用程序的发展以及PHP库越来越多地使用类型这一技巧可能会派上用场。</p>
<h2 id=toc-27>其他情况</h2>
<p>只要你能控制文件读取或写入端点的前缀你就可能实现远程代码执行RCE</p>
<h1>时间线</h1>
<ul>
<li>去年发现crash</li>
<li>二月开始修复bug</li>
<li>3 月 26 日 Bug 报告给 glibc 安全团队<br>
他们做得非常出色!</li>
<li>4 月 4 日 向 Linux 发行版报告bug</li>
<li>4 月 17 日 Bug 发布为 CVE-2024-2961</li>
</ul>
<p>注意glibc 安全团队快速、礼貌且技术精湛。他们在一周内发布了补丁(及其附带的所有内容)。非常感谢!</p>
<h1>结论</h1>
<p>至此我们完成了关于CNEXTCVE-2024-2961系列的第一部分。该漏洞利用现已发布在我们的GitHub上。还有更多内容等待探索直接调用iconv()会怎样?如果文件读取是不可见的,又会出现什么情况?</p>
<p>在第二部分中我们将深入探讨PHP引擎针对一个在非常流行的PHP网页邮件客户端中发现的iconv()调用进行分析。我将描述这种直接调用对PHP生态系统的影响并向您展示一些意想不到的隐患点。<br>
最后,在第三部分中,我们将讨论盲目文件读取的利用方法。</p>
<p>敬请期待!</p>
</div>
<div class=post-user-action style=margin-top:34px>
<span class="btn btn-default pull-right" id=mark data-action=topic data-pk=14690>
<span id=mark-text>点击收藏 </span><span class=i-seprator> | </span><span id=mark-count>0</span>
</span>
<span class="btn btn-default pull-right" id=follow_topic data-pk=14690>
<span>关注</span><span class=i-seprator> | </span><span id=follow-count>1</span>
</span>
<span class="btn btn-default pull-right">
<span>
<span id=ready_reward data-toggle=modal data-target=#myModal>打赏</span>
</span>
</span>
<div class=clearfix></div>
</div>
<div class=related-section>
<div class=related-box>
<span><a class=pull-left href=https://xz.aliyun.com/t/14687 title=针对韩国实体的载荷投递,多阶段链路执行,通过二进制“.a3x”文件释放和执行Darkgate恶意软件><span class=related-label style="padding:3px 4px;margin-right:3px">上一篇:</span>针对韩国实体的载荷投递,多阶段链路...</a></span>
<span><a class=pull-left href=https://xz.aliyun.com/t/14691 title=有关ETW的对抗技术><span class=related-label>下一篇:</span>有关ETW的对抗技术</a></span>
</div>
</div>
</div>
</div>
</div>
<div class="modal fade" id=myModal role=dialog aria-labelledby=myModalLabel aria-hidden=true>
<div class=modal-dialog>
<div class=modal-content>
<div class=modal-header>
<h4 class=modal-title id=myModalLabel style=text-align:center>
积分打赏
</h4>
</div>
<div class=modal-body id=button-value>
<div style=text-align:center>
<div role=group>
<button type=button class="btn btn-secondary m64" style=min-width:64px data-value=type1>
1分
</button>
<button type=button class="btn btn-secondary m64" style=min-width:64px data-value=type2>
2分
</button>
<button type=button class="btn btn-secondary m64" style=min-width:64px data-value=type3>
5分
</button>
</div>
<br>
<div style=margin-top:20px>
<button type=button class="btn btn-secondary m64" style=min-width:64px data-value=type4>
8分
</button>
<button type=button class="btn btn-secondary m64" style=min-width:64px data-value=type5>
10分
</button>
<button type=button class="btn btn-secondary m64" style=min-width:64px data-value=type6>
20分
</button>
</div>
</div>
</div>
<div class=modal-footer id=confirm>
<button type=button class="btn btn-default" data-dismiss=modal>关闭</button>
<button type=button class="btn btn-primary" id=reward_topic data-pk=14690>确定</button>
</div>
</div>
</div>
</div>
<div class="row box">
<ol class=breadcrumb>
<li class=active>0 条回复</li>
</ol>
<div class="box-container post-container">
<ul>
<li style=min-height:50px;line-height:60px;margin-left:15px><strong>动动手指,沙发就是你的了!</strong></li>
</ul>
</div>
</div>
<div class="row box" id=reply-box>
<div class="box-container clearfix">
<div class=reminder>
<a href="https://account.aliyun.com/login/login.htm?oauth_callback=https%3A%2F%2Fxz.aliyun.com%2Ft%2F14690&amp;from_type=xianzhi"><strong>登录</strong></a> 后跟帖
</div>
</div>
</div>
</div>
</div>
</div>
<footer class=bs-docs-footer>
<div class="container text-center">
<div class=links>
<a href=https://xz.aliyun.com/feed target=_blank>RSS</a>
<a href=https://xz.aliyun.com/about target=_blank><span>关于社区</span></a>
<a href=https://xz.aliyun.com/partner target=_blank><span>友情链接</span></a>
<a href=https://xz.aliyun.com/notice>社区小黑板</a>
<a href=https://xz.aliyun.com/connection>联系我们</a>
<a href=https://report.aliyun.com/ target=_blank>举报中心</a>
<a href=https://www.aliyun.com/complaint target=_blank>我要投诉</a>
</div>
</div>
</footer>
<div id=waf_nc_block style=display:none></div><div id=immersive-translate-popup style=all:initial><template shadowrootmode=open><style class=sf-hidden>/*!
* Pico.css v1.5.6 (https://picocss.com)
* Copyright 2019-2022 - Licensed under MIT
*/#mount{--font-family:system-ui,-apple-system,"Segoe UI","Roboto","Ubuntu","Cantarell","Noto Sans",sans-serif,"Apple Color Emoji","Segoe UI Emoji","Segoe UI Symbol","Noto Color Emoji";--line-height:1.5;--font-weight:400;--font-size:16px;--border-radius:.25rem;--border-width:1px;--outline-width:3px;--spacing:1rem;--typography-spacing-vertical:1.5rem;--block-spacing-vertical:calc(var(--spacing)*2);--block-spacing-horizontal:var(--spacing);--grid-spacing-vertical:0;--grid-spacing-horizontal:var(--spacing);--form-element-spacing-vertical:.75rem;--form-element-spacing-horizontal:1rem;--nav-element-spacing-vertical:1rem;--nav-element-spacing-horizontal:.5rem;--nav-link-spacing-vertical:.5rem;--nav-link-spacing-horizontal:.5rem;--form-label-font-weight:var(--font-weight);--transition:.2s ease-in-out;--modal-overlay-backdrop-filter:blur(0.25rem)}@media(min-width:576px){#mount{--font-size:17px}}@media(min-width:768px){#mount{--font-size:18px}}@media(min-width:992px){#mount{--font-size:19px}}@media(min-width:1200px){#mount{--font-size:20px}}@media(min-width:576px){#mount>header,#mount>main,#mount>footer,section{--block-spacing-vertical:calc(var(--spacing)*2.5)}}@media(min-width:768px){#mount>header,#mount>main,#mount>footer,section{--block-spacing-vertical:calc(var(--spacing)*3)}}@media(min-width:992px){#mount>header,#mount>main,#mount>footer,section{--block-spacing-vertical:calc(var(--spacing)*3.5)}}@media(min-width:1200px){#mount>header,#mount>main,#mount>footer,section{--block-spacing-vertical:calc(var(--spacing)*4)}}@media(min-width:576px){article{--block-spacing-horizontal:calc(var(--spacing)*1.25)}}@media(min-width:768px){article{--block-spacing-horizontal:calc(var(--spacing)*1.5)}}@media(min-width:992px){article{--block-spacing-horizontal:calc(var(--spacing)*1.75)}}@media(min-width:1200px){article{--block-spacing-horizontal:calc(var(--spacing)*2)}}dialog>article{--block-spacing-vertical:calc(var(--spacing)*2);--block-spacing-horizontal:var(--spacing)}@media(min-width:576px){dialog>article{--block-spacing-vertical:calc(var(--spacing)*2.5);--block-spacing-horizontal:calc(var(--spacing)*1.25)}}@media(min-width:768px){dialog>article{--block-spacing-vertical:calc(var(--spacing)*3);--block-spacing-horizontal:calc(var(--spacing)*1.5)}}a{--text-decoration:none}a.secondary,a.contrast{--text-decoration:underline}small{--font-size:.875em}h1,h2,h3,h4,h5,h6{--font-weight:700}h1{--font-size:2rem;--typography-spacing-vertical:3rem}h2{--font-size:1.75rem;--typography-spacing-vertical:2.625rem}h3{--font-size:1.5rem;--typography-spacing-vertical:2.25rem}h4{--font-size:1.25rem;--typography-spacing-vertical:1.874rem}h5{--font-size:1.125rem;--typography-spacing-vertical:1.6875rem}[type="checkbox"],[type="radio"]{--border-width:2px}[type="checkbox"][role="switch"]{--border-width:3px}thead th,thead td,tfoot th,tfoot td{--border-width:3px}:not(thead,tfoot)>*>td{--font-size:.875em}pre,code,kbd,samp{--font-family:"Menlo","Consolas","Roboto Mono","Ubuntu Monospace","Noto Mono","Oxygen Mono","Liberation Mono",monospace,"Apple Color Emoji","Segoe UI Emoji","Segoe UI Symbol","Noto Color Emoji"}kbd{--font-weight:bolder}[data-theme="light"],#mount:not([data-theme="dark"]){--background-color:#fff;--background-light-green:#f5f7f9;--color:hsl(205deg,20%,32%);--h1-color:hsl(205deg,30%,15%);--h2-color:#24333e;--h3-color:hsl(205deg,25%,23%);--h4-color:#374956;--h5-color:hsl(205deg,20%,32%);--h6-color:#4d606d;--muted-color:hsl(205deg,10%,50%);--muted-border-color:hsl(205deg,20%,94%);--primary:hsl(195deg,85%,41%);--primary-hover:hsl(195deg,90%,32%);--primary-focus:rgba(16,149,193,0.125);--primary-inverse:#fff;--secondary:hsl(205deg,15%,41%);--secondary-hover:hsl(205deg,20%,32%);--secondary-focus:rgba(89,107,120,0.125);--secondary-inverse:#fff;--contrast:hsl(205deg,30%,15%);--contrast-hover:#000;--contrast-focus:rgba(89,107,120,0.125);--contrast-inverse:#fff;--mark-background-color:#fff2ca;--mark-color:#543a26;--ins-color:#388e3c;--del-color:#c62828;--blockquote-border-color:var(--muted-border-color);--blockquote-footer-color:var(--muted-color);--button-box-sha
Reference in New Issue Copy Permalink