index.html
<!DOCTYPE html><html lang="zh CN" data-theme="light"><head><meta charset="UTF-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=no"><title>Y0n3er</title><meta name="author" content="Y0n3er"><meta name="copyright" content="Y0n3er"><meta name="format-detection" content="telephone=no"><meta name="theme-color" content="#ffffff"><meta property="og:type" content="website">
<meta property="og:title" content="Y0n3er">
<meta property="og:url" content="https://y0n3er.github.io/index.html">
<meta property="og:site_name" content="Y0n3er">
<meta property="og:locale">
<meta property="og:image" content="https://s1.ax1x.com/2022/12/27/zzBdET.jpg">
<meta property="article:author" content="Y0n3er">
<meta name="twitter:card" content="summary">
<meta name="twitter:image" content="https://s1.ax1x.com/2022/12/27/zzBdET.jpg"><link rel="shortcut icon" href="https://s1.ax1x.com/2022/12/27/zzBdET.jpg"><link rel="canonical" href="https://y0n3er.github.io/"><link rel="preconnect" href="//cdn.jsdelivr.net"/><link rel="preconnect" href="//busuanzi.ibruce.info"/><meta name="google-site-verification" content="cSE3ms5xTRF6lPYKYoBFufBNgzQms6e9odca93mSfBw"/><link rel="stylesheet" href="/css/index.css"><link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/@fortawesome/fontawesome-free/css/all.min.css" media="print" onload="this.media='all'"><link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/@fancyapps/ui/dist/fancybox.min.css" media="print" onload="this.media='all'"><link rel="stylesheet" href="/Y0n3er" media="print" onload="this.media='all'"><script>const GLOBAL_CONFIG = {
root: '/',
algolia: undefined,
localSearch: {"path":"/search.xml","preload":false,"languages":{"hits_empty":"We didn't find any results for the search: ${query}"}},
translate: undefined,
noticeOutdate: undefined,
highlight: {"plugin":"highlighjs","highlightCopy":true,"highlightLang":true,"highlightHeightLimit":false},
copy: {
success: 'Copy successfully',
error: 'Copy error',
noSupport: 'The browser does not support'
},
relativeDate: {
homepage: false,
post: false
},
runtime: 'days',
date_suffix: {
just: 'Just',
min: 'minutes ago',
hour: 'hours ago',
day: 'days ago',
month: 'months ago'
},
copyright: undefined,
lightbox: 'fancybox',
Snackbar: undefined,
source: {
justifiedGallery: {
js: 'https://cdn.jsdelivr.net/npm/flickr-justified-gallery/dist/fjGallery.min.js',
css: 'https://cdn.jsdelivr.net/npm/flickr-justified-gallery/dist/fjGallery.min.css'
}
},
isPhotoFigcaption: false,
islazyload: false,
isAnchor: false
}</script><script id="config-diff">var GLOBAL_CONFIG_SITE = {
title: 'Y0n3er',
isPost: false,
isHome: true,
isHighlightShrink: false,
isToc: false,
postUpdate: '2025-01-04 20:08:26'
}</script><noscript><style type="text/css">
#nav {
opacity: 1
}
.justified-gallery img {
opacity: 1
}
#recent-posts time,
#post-meta time {
display: inline !important
}
</style></noscript><script>(win=>{
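// Small localStorage wrapper that stores each value with an expiry timestamp.
// localStorage can be written by any script running on this origin, so `get`
// treats the stored text as untrusted: an entry that does not parse to an
// object is dropped instead of throwing inside this <head> script.
win.saveToLocal = {
  /**
   * Store `value` under `key` together with the time at which it expires.
   * @param {string} key - localStorage key.
   * @param {*} value - JSON-serialisable value to keep.
   * @param {number} ttl - Lifetime in days; 0 means "do not store".
   */
  set: function setWithExpiry(key, value, ttl) {
    if (ttl === 0) return;
    const msPerDay = 86400000;
    const item = {
      value,
      expiry: Date.now() + ttl * msPerDay,
    };
    localStorage.setItem(key, JSON.stringify(item));
  },

  /**
   * Read the value stored under `key`.
   * @param {string} key - localStorage key.
   * @returns {*} The stored value, or `undefined` when the key is missing,
   *   expired, or holds something that is not a JSON object. Expired and
   *   malformed entries are removed from localStorage.
   */
  get: function getWithExpiry(key) {
    const itemStr = localStorage.getItem(key);
    if (!itemStr) {
      return undefined;
    }

    let item;
    try {
      item = JSON.parse(itemStr);
    } catch (err) {
      // Corrupted or foreign data under this key: handled as a missing entry below.
      item = null;
    }

    // `null` and primitives have no usable expiry/value pair; previously
    // JSON "null" raised a TypeError and invalid JSON raised a SyntaxError here.
    const isRecord = item !== null && typeof item === 'object';
    if (!isRecord || Date.now() > item.expiry) {
      localStorage.removeItem(key);
      return undefined;
    }
    return item.value;
  },
};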
/**
 * Load an external script by appending an async <script> element to <head>.
 *
 * The element gets no `integrity` or `crossorigin` attribute, so whatever the
 * URL serves runs with full access to the page. Callers should pass only
 * fixed, trusted URLs and never a value taken from user input or storage.
 *
 * @param {string} url - Address of the script to load.
 * @returns {Promise<void>} Resolves once the script has loaded; rejects with
 *   the error event when loading fails.
 */
win.getScript = (url) =>
  new Promise((resolve, reject) => {
    const el = document.createElement('script');
    el.src = url;
    el.async = true;
    el.onerror = reject;

    // Shared by `onload` and the legacy `onreadystatechange` event.
    const onReady = function () {
      const state = this.readyState;
      const stillLoading = Boolean(state) && state !== 'loaded' && state !== 'complete';
      if (stillLoading) return;
      // Detach both handlers so the promise is settled only once.
      el.onload = el.onreadystatechange = null;
      resolve();
    };
    el.onload = onReady;
    el.onreadystatechange = onReady;

    document.head.appendChild(el);
  });
/**
 * Switch the document to the dark theme: sets `data-theme="dark"` on <html>
 * and, when a theme-color meta tag exists, sets its content to #0d0d0d.
 */
win.activateDarkMode = function () {
  document.documentElement.setAttribute('data-theme', 'dark');
  const themeColorMeta = document.querySelector('meta[name="theme-color"]');
  if (themeColorMeta === null) return;
  themeColorMeta.setAttribute('content', '#0d0d0d');
};
/**
 * Switch the document to the light theme: sets `data-theme="light"` on <html>
 * and, when a theme-color meta tag exists, sets its content to #ffffff.
 */
win.activateLightMode = function () {
  document.documentElement.setAttribute('data-theme', 'light');
  const themeColorMeta = document.querySelector('meta[name="theme-color"]');
  if (themeColorMeta === null) return;
  themeColorMeta.setAttribute('content', '#ffffff');
};
// Re-apply the theme stored for this visitor. Only the two literal values
// below are acted on; the stored string is compared, never written into the
// DOM, so any other content in the entry is ignored.
const t = saveToLocal.get('theme');
switch (t) {
  case 'dark':
    activateDarkMode();
    break;
  case 'light':
    activateLightMode();
    break;
  default:
    break;
}

// Re-apply the sidebar state. `undefined` means nothing usable was stored, so
// the class list is left as it is; any stored value other than 'hide' shows
// the sidebar.
const asideStatus = saveToLocal.get('aside-status');
if (asideStatus !== undefined) {
  document.documentElement.classList.toggle('hide-aside', asideStatus === 'hide');
}
// Add the `apple` class to <html> when the user agent names an Apple device.
// The user-agent string is supplied by the client; here it only selects a CSS
// class and is not used for any access decision.
const detectApple = () => {
  const applePattern = /iPad|iPhone|iPod|Macintosh/;
  if (!applePattern.test(navigator.userAgent)) return;
  document.documentElement.classList.add('apple');
};
detectApple();
})(window)</script><link rel="stylesheet" href="/css/background.css" media="defer" onload="this.media='all'"><link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/gitalk@1/dist/gitalk.css"><!-- hexo injector head_end start --><link rel="stylesheet" href="https://cdn.jsdelivr.net/gh/Zfour/[email protected]/cardlistpost.min.css"/>
<style>#recent-posts > .recent-post-item >.recent-post-info > .article-meta-wrap > .tags:before {content:"\A";
white-space: pre;}#recent-posts > .recent-post-item >.recent-post-info > .article-meta-wrap > .tags > .article-meta__separator{display:none}</style>
<!-- hexo injector head_end end --><meta name="generator" content="Hexo 7.0.0-rc1"><link rel="alternate" href="/atom.xml" title="Y0n3er" type="application/atom+xml">
</head><body><div id="web_bg"></div><div id="sidebar"><div id="menu-mask"></div><div id="sidebar-menus"><div class="avatar-img is-center"><img src="https://s1.ax1x.com/2022/12/27/zzBdET.jpg" onerror="onerror=null;src='/img/friend_404.gif'" alt="avatar"/></div><div class="sidebar-site-data site-data is-center"><a href="/archives/"><div class="headline">Articles</div><div class="length-num">50</div></a><a href="/tags/"><div class="headline">Tags</div><div class="length-num">0</div></a><a href="/categories/"><div class="headline">Categories</div><div class="length-num">6</div></a></div><hr/><div class="menus_items"><div class="menus_item"><a class="site-page" href="/"><i class="fa-fw fas fa-home"></i><span> Home</span></a></div><div class="menus_item"><a class="site-page" href="/categories/"><i class="fa-fw fas fa-folder-open"></i><span> Categories</span></a></div><div class="menus_item"><a class="site-page group" href="javascript:void(0);"><i class="fa-fw fas fa-list"></i><span> List</span><i class="fas fa-chevron-down"></i></a><ul class="menus_item_child"><li><a class="site-page child" href="/music/"><i class="fa-fw fas fa-music"></i><span> Music</span></a></li></ul></div><div class="menus_item"><a class="site-page" href="/link/"><i class="fa-fw fas fa-link"></i><span> Link</span></a></div><div class="menus_item"><a class="site-page" href="/about/"><i class="fa-fw fas fa-heart"></i><span> About</span></a></div></div></div></div><div class="page" id="body-wrap"><header class="full_page" id="page-header"><nav id="nav"><span id="blog_name"><a id="site-name" href="/">Y0n3er</a></span><div id="menus"><div id="search-button"><a class="site-page social-icon search"><i class="fas fa-search fa-fw"></i><span> Search</span></a></div><div class="menus_items"><div class="menus_item"><a class="site-page" href="/"><i class="fa-fw fas fa-home"></i><span> Home</span></a></div><div class="menus_item"><a class="site-page" href="/categories/"><i class="fa-fw fas 
fa-folder-open"></i><span> Categories</span></a></div><div class="menus_item"><a class="site-page group" href="javascript:void(0);"><i class="fa-fw fas fa-list"></i><span> List</span><i class="fas fa-chevron-down"></i></a><ul class="menus_item_child"><li><a class="site-page child" href="/music/"><i class="fa-fw fas fa-music"></i><span> Music</span></a></li></ul></div><div class="menus_item"><a class="site-page" href="/link/"><i class="fa-fw fas fa-link"></i><span> Link</span></a></div><div class="menus_item"><a class="site-page" href="/about/"><i class="fa-fw fas fa-heart"></i><span> About</span></a></div></div><div id="toggle-menu"><a class="site-page"><i class="fas fa-bars fa-fw"></i></a></div></div></nav><div id="site-info"><h1 id="site-title">Y0n3er</h1><div id="site-subtitle"><span id="subtitle"></span></div><div id="site_social_icons"><a class="social-icon" href="https://y0n3er.github.io/atom.xml" target="_blank" title=""><i class="fas fa-rss"></i></a></div></div><div id="scroll-down"><i class="fas fa-angle-down scroll-down-effects"></i></div></header><main class="layout" id="content-inner"><div class="recent-posts" id="recent-posts"><div class="recent-post-item"><div class="post_cover left"><a href="/2024/11/PolarCTF-2024%E7%A7%8B%E5%AD%A3%E4%B8%AA%E4%BA%BA%E6%8C%91%E6%88%98%E8%B5%9B-Java/" title="PolarCTF_2024秋季个人挑战赛_Java"><img class="post_bg" src="https://pic.20988.xyz/2024-05-29/1716947049-304546-001-8.jpg" onerror="this.onerror=null;this.src='/img/404.jpg'" alt="PolarCTF_2024秋季个人挑战赛_Java"></a></div><div class="recent-post-info"><a class="article-title" href="/2024/11/PolarCTF-2024%E7%A7%8B%E5%AD%A3%E4%B8%AA%E4%BA%BA%E6%8C%91%E6%88%98%E8%B5%9B-Java/" title="PolarCTF_2024秋季个人挑战赛_Java">PolarCTF_2024秋季个人挑战赛_Java</a><div class="article-meta-wrap"><span class="post-meta-date"><i class="far fa-calendar-alt"></i><span class="article-meta-label">Created</span><time datetime="2024-11-17T15:37:21.000Z" title="Created 2024-11-17 
23:37:21">2024-11-17</time></span><span class="article-meta"><span class="article-meta-separator">|</span><i class="fas fa-inbox"></i><a class="article-meta__categories" href="/categories/CTF/">CTF</a></span></div><div class="content">前言遇到两个之前没练过的Java题类型,做一下学学
一写一个不吱声
💡
fatjar rce
根据描述肯定是存在一个任意文件写入的,看依赖有个aspectjweaver-1.9.5.jar,简单分析一下这个jar的任意文件写入
在\org\aspectj\weaver\tools\cache\SimpleCache.class下有个内部类StoreableCachingMap
在里面的put方法中存在文件写入
1234567891011public Object put(Object key, Object value) { IOException e; try { e = null; byte[] valueBytes = (byte[])((byte[])value); String path; if (Arrays.equals(valueBytes, SimpleCache.SAME_BYTES)) { path = "IDEM" ...</div></div></div><div class="recent-post-item"><div class="post_cover right"><a href="/2024/08/2024%E7%BE%8A%E5%9F%8E%E6%9D%AF-ezjava/" title="2024羊城杯-ezjava"><img class="post_bg" src="https://pic.20988.xyz/2024-08-27/1724760303-676108-wallpaper1724760145015.jpg" onerror="this.onerror=null;this.src='/img/404.jpg'" alt="2024羊城杯-ezjava"></a></div><div class="recent-post-info"><a class="article-title" href="/2024/08/2024%E7%BE%8A%E5%9F%8E%E6%9D%AF-ezjava/" title="2024羊城杯-ezjava">2024羊城杯-ezjava</a><div class="article-meta-wrap"><span class="post-meta-date"><i class="far fa-calendar-alt"></i><span class="article-meta-label">Created</span><time datetime="2024-08-31T03:50:28.000Z" title="Created 2024-08-31 11:50:28">2024-08-31</time></span><span class="article-meta"><span class="article-meta-separator">|</span><i class="fas fa-inbox"></i><a class="article-meta__categories" href="/categories/CTF/">CTF</a></span></div><div class="content">这个题链子很简单,都是已经公开的,就是有些点有点坑
拿到附件反编译,本地起环境用cfr就行,确实比较方便
题目分析这里我一开始是直接找反序列化的点,在UserControler 下
但是这里有shiro权限校验
看shiro版本1.2.4是可以绕过的,加个/ 即可绕过
所以可以直接来到反序列化这里,然后就是黑名单了
12private static final String[] blacklist = new String[]{"java.lang.Runtime", "java.lang.ProcessBuilder", "com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl", "java.security.SignedObject", "com.sun.jndi.ldap.LdapAttribute", "org.apache.commons.beanutils", "or ...</div></div></div><div class="recent-post-item"><div class="post_cover left"><a href="/2024/08/%E5%B8%86%E8%BD%AF-FineReport-FineBI-channel%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%E5%88%86%E6%9E%90/" title="帆软 FineReport/FineBI channel反序列化分析"><img class="post_bg" src="https://pic.20988.xyz/2024-08-02/1722561685-257170-1-1.jpg" onerror="this.onerror=null;this.src='/img/404.jpg'" alt="帆软 FineReport/FineBI channel反序列化分析"></a></div><div class="recent-post-info"><a class="article-title" href="/2024/08/%E5%B8%86%E8%BD%AF-FineReport-FineBI-channel%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%E5%88%86%E6%9E%90/" title="帆软 FineReport/FineBI channel反序列化分析">帆软 FineReport/FineBI channel反序列化分析</a><div class="article-meta-wrap"><span class="post-meta-date"><i class="far fa-calendar-alt"></i><span class="article-meta-label">Created</span><time datetime="2024-08-04T03:02:24.000Z" title="Created 2024-08-04 11:02:24">2024-08-04</time></span><span class="article-meta"><span class="article-meta-separator">|</span><i class="fas fa-inbox"></i><a class="article-meta__categories" href="/categories/%E4%BB%A3%E7%A0%81%E5%AE%A1%E8%AE%A1/">代码审计</a></span></div><div class="content">随手记录一下
触发点分析我这里的代码是FineBI5.1.0的,在这个版本路由是通过注解形式实现的,因为是复现所以直接来到漏洞接口
可以看到这个channel接口就是我们漏洞点了,在这个文件的接口都是在/remote/design 路由下
但是实际访问需要加上包名/decision/至于/webroot/应该就是整个项目的目录名了,具体的路由定义没找到,只能这样猜测了,关于路由分析还是得再练练。。。
可以看到在channel接口下获取了request请求,将其转化为输入流,然后写进输出流(感觉Java的IO流也得好好学学,整的我一愣一愣的),过程中调用了WorkContext.handleMessage() 对请求进行了处理,直接跟进这个方法
然后messageListener 是WorkspaceMessageHandler 的对象,自然也就跳转到这个接口了,这里实现了这个接口的类应该只有一个,我点击跟进直接就跳转了
看到了类似反序列化的方法deserializeInvocation 跟进
此时就得注意了,除了我们可控的参数流 ...</div></div></div><div class="recent-post-item"><div class="post_cover right"><a href="/2024/07/JFinalCMS%E5%AE%A1%E8%AE%A1%E7%BB%83%E4%B9%A0/" title="JFinalCMS审计练习"><img class="post_bg" src="https://pic.20988.xyz/2024-06-21/1718950224-18771-360wallpaper.jpg" onerror="this.onerror=null;this.src='/img/404.jpg'" alt="JFinalCMS审计练习"></a></div><div class="recent-post-info"><a class="article-title" href="/2024/07/JFinalCMS%E5%AE%A1%E8%AE%A1%E7%BB%83%E4%B9%A0/" title="JFinalCMS审计练习">JFinalCMS审计练习</a><div class="article-meta-wrap"><span class="post-meta-date"><i class="far fa-calendar-alt"></i><span class="article-meta-label">Created</span><time datetime="2024-07-01T04:11:45.000Z" title="Created 2024-07-01 12:11:45">2024-07-01</time></span><span class="article-meta"><span class="article-meta-separator">|</span><i class="fas fa-inbox"></i><a class="article-meta__categories" href="/categories/%E4%BB%A3%E7%A0%81%E5%AE%A1%E8%AE%A1/">代码审计</a></span></div><div class="content">本文首发于先知社区:https://xz.aliyun.com/t/14957
前言看到星球发布了一个作业,由于考试没及时弄。所以就自己随便看看了,这套系统确实漏洞很多,可以说是靶场。。。危险操作几乎都没有做过滤,而且很久没更新了
后台任意文件删除这个洞提了cve,看大家都在水我也水一个
漏洞很简单,甚至不需要白盒,黑盒能直接测出来,但是代码审计还是看代码吧,我审这个的时候也是直接看的代码,代码位置在src/main/java/com/cms/controller/admin/DatabaseController.java 文件下的/delete 接口
跟进这个delete方法
可以看到对这个参数没有做任何的检测,仅仅只看了文件是否存在
poc如下
123456789101112131415161718192021POST /admin/database/delete HTTP/1.1Host: 127.0.0.1:8888Cache-Control: max-age=0sec-ch-ua: "Chromium";v="113", " ...</div></div></div><div class="recent-post-item"><div class="post_cover left"><a href="/2024/06/Showdoc3-2-5-SQL%E6%B3%A8%E5%85%A5%E5%8F%8A%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%E5%88%86%E6%9E%90/" title="Showdoc <= 3.2.5 SQL注入及反序列化分析"><img class="post_bg" src="https://pic.20988.xyz/2024-06-07/1717747418-732849-nachoneko2.png" onerror="this.onerror=null;this.src='/img/404.jpg'" alt="Showdoc <= 3.2.5 SQL注入及反序列化分析"></a></div><div class="recent-post-info"><a class="article-title" href="/2024/06/Showdoc3-2-5-SQL%E6%B3%A8%E5%85%A5%E5%8F%8A%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%E5%88%86%E6%9E%90/" title="Showdoc <= 3.2.5 SQL注入及反序列化分析">Showdoc <= 3.2.5 SQL注入及反序列化分析</a><div class="article-meta-wrap"><span class="post-meta-date"><i class="far fa-calendar-alt"></i><span class="article-meta-label">Created</span><time datetime="2024-06-15T12:05:37.000Z" title="Created 2024-06-15 20:05:37">2024-06-15</time></span><span class="article-meta"><span class="article-meta-separator">|</span><i class="fas fa-inbox"></i><a class="article-meta__categories" href="/categories/%E4%BB%A3%E7%A0%81%E5%AE%A1%E8%AE%A1/">代码审计</a></span></div><div class="content">
SQL注入点寻找当时的通报是这个,当时在3.2.5版本根本没有修复这个sql注入,对着commit提交的那几个路由一直找也没找出注入点。。。不久后发布了3.2.6版本一眼就能看出注入点
很明显看到对item_id 进行了修复做了应该是预处理,来到源码看一下
记得当时分析的时候对page_id/d 这种写法看了很久,后面调试的时候一步步跟进去才明白作用,其实就是做强转处理
所以这里的I接收的参数后面只能为空或者s这两种,否则就会被强转为其它的。很明显没有做任何处理,直接拼接进了sql语句中,符合要求即注入点
注入过程在注入的过程中遇到了一个点就是下面这段检测代码
1234if (!D("Captcha")->check($captcha_id, $captcha)) { $this->sendError(10206, L('verification_code_are_incorrect')); return;}
当时半天没搞懂这怎么绕,后面翻译了一下这个单词,其实就是验证码。。。那么就只需要去弄个 ...</div></div></div><div class="recent-post-item"><div class="post_cover right"><a href="/2024/04/C3P0%E9%93%BE%E5%AD%A6%E4%B9%A0/" title="C3P0链学习"><img class="post_bg" src="https://s21.ax1x.com/2024/04/11/pFXBjOJ.png" onerror="this.onerror=null;this.src='/img/404.jpg'" alt="C3P0链学习"></a></div><div class="recent-post-info"><a class="article-title" href="/2024/04/C3P0%E9%93%BE%E5%AD%A6%E4%B9%A0/" title="C3P0链学习">C3P0链学习</a><div class="article-meta-wrap"><span class="post-meta-date"><i class="far fa-calendar-alt"></i><span class="article-meta-label">Created</span><time datetime="2024-04-11T09:54:52.000Z" title="Created 2024-04-11 17:54:52">2024-04-11</time></span><span class="article-meta"><span class="article-meta-separator">|</span><i class="fas fa-inbox"></i><a class="article-meta__categories" href="/categories/Java%E5%AE%89%E5%85%A8/">Java安全</a></span></div><div class="content">先看看C3p0是干什么的
C3P0是一个开源的JDBC连接池,它实现了数据源和JNDI绑定,支持JDBC3规范和JDBC2的标准扩展。目前使用它的开源项目有Hibernate,Spring等。
JDBC是Java DataBase Connectivity的缩写,它是Java程序访问数据库的标准接口。使用Java程序访问数据库时,Java代码并不是直接通过TCP连接去访问数据库,而是通过JDBC接口来访问,而JDBC接口则通过JDBC驱动来实现真正对数据库的访问。
连接池类似于线程池,在一些情况下我们会频繁地操作数据库,此时Java在连接数据库时会频繁地创建或销毁句柄,增大资源的消耗。为了避免这样一种情况,我们可以提前创建好一些连接句柄,需要使用时直接使用句柄,不需要时可将其放回连接池中,准备下一次的使用。类似这样一种能够复用句柄的技术就是池技术。
说实话,还是没能理解在开发中的作用,还是得开发实战一下才能理解。。。依赖
12345<dependency> <groupId>com.mchange</groupId> &l ...</div></div></div><div class="recent-post-item"><div class="post_cover left"><a href="/2024/03/PB-CMS%E4%BB%A3%E7%A0%81%E5%AE%A1%E8%AE%A1%E5%AD%A6%E4%B9%A0/" title="PB-CMS代码审计学习"><img class="post_bg" src="https://s21.ax1x.com/2024/03/19/pFR7nfg.png" onerror="this.onerror=null;this.src='/img/404.jpg'" alt="PB-CMS代码审计学习"></a></div><div class="recent-post-info"><a class="article-title" href="/2024/03/PB-CMS%E4%BB%A3%E7%A0%81%E5%AE%A1%E8%AE%A1%E5%AD%A6%E4%B9%A0/" title="PB-CMS代码审计学习">PB-CMS代码审计学习</a><div class="article-meta-wrap"><span class="post-meta-date"><i class="far fa-calendar-alt"></i><span class="article-meta-label">Created</span><time datetime="2024-03-19T05:16:08.000Z" title="Created 2024-03-19 13:16:08">2024-03-19</time></span><span class="article-meta"><span class="article-meta-separator">|</span><i class="fas fa-inbox"></i><a class="article-meta__categories" href="/categories/%E4%BB%A3%E7%A0%81%E5%AE%A1%E8%AE%A1/">代码审计</a></span></div><div class="content">前言好久没更新博客了,感觉学到后面不懂的东西更多,通常学一个东西为了理解它就要学更多的东西,所以越来越不想更新博客了。。。
环境项目地址:https://gitee.com/LinZhaoguan/pb-cms/tree/v1.0.0/
shiro反序列化漏洞:直接来看pom.xml文件,搜到shiro1.4.1版本,采用的加密模式还是AES-CBC,从1.4.2版本开始采用的是AES-GCM,所以直接拿工具一把梭即可,然后命令执行。在这里1.4.1版本其实shiro550不能打,打shiro550版本要小于1.2.4。但是在shiro反序列化漏洞修复的时候,如果仅对shiro版本升级而没有重新生成密钥,那么AES加密的默认密钥硬编码仍然会在代码里面,就会同样存在反序列化风险。这里去看看是否存在,确实存在,位置在src/main/java/com/puboot/common/config/ShiroConfig.java。搜了一下这里怎么生成一个新的shirokey,可以利用官方提供的方法生成一个
123456789101112131415161718import org.apache.shiro.c ...</div></div></div><div class="recent-post-item"><div class="post_cover right"><a href="/2023/12/disable-functions%E7%BB%95%E8%BF%87%E6%80%BB%E7%BB%93/" title="disable_functions绕过总结"><img class="post_bg" src="https://z1.ax1x.com/2023/12/07/pigYT8H.png" onerror="this.onerror=null;this.src='/img/404.jpg'" alt="disable_functions绕过总结"></a></div><div class="recent-post-info"><a class="article-title" href="/2023/12/disable-functions%E7%BB%95%E8%BF%87%E6%80%BB%E7%BB%93/" title="disable_functions绕过总结">disable_functions绕过总结</a><div class="article-meta-wrap"><span class="post-meta-date"><i class="far fa-calendar-alt"></i><span class="article-meta-label">Created</span><time datetime="2023-12-06T08:45:49.000Z" title="Created 2023-12-06 16:45:49">2023-12-06</time></span><span class="article-meta"><span class="article-meta-separator">|</span><i class="fas fa-inbox"></i><a class="article-meta__categories" href="/categories/CTF/">CTF</a></span></div><div class="content">黑名单绕过(常规手段)这个绕过就是利用黑名单之外的函数去执行命令,但是我在测试这个黑名单绕过的时候发现了一个很迷惑的点,在Windows下我禁用了eval和system函数hackbar确实不能执行system函数了但是蚁剑上面任然可以命令执行另外eval函数也任然可以执行岂不是相当于禁用eval函数没用??这个时候的php版本为5.4.45,然后是Linux下的测试,我也禁用了eval、system做测试,eval函数照样正常执行然后尝试system函数然后尝试用以蚁剑去执行命令蚁剑还是可以正常执行命令,然后我再网上找了一下经常禁掉的函数全部加上去
1exec,passthru,popen,shell_exec,proc_open,proc_terminate,curl_exec,curl_multi_exec,show_source,touch,escapeshellcmd,escapeshellarg,eval,system
此时蚁剑无法正常命令执行了然后我在Windows下也加上那一堆函数,然后蚁剑此时也无法正常命令执行了然后把system放出来之后可以正常执行命令,此时就猜测 ...</div></div></div><div class="recent-post-item"><div class="post_cover left"><a href="/2023/08/%E6%A2%A6%E6%83%B3CMS-1-4%E4%BB%A3%E7%A0%81%E5%AE%A1%E8%AE%A1%E5%AD%A6%E4%B9%A0/" title="梦想CMS 1.4代码审计学习"><img class="post_bg" src="https://z1.ax1x.com/2023/12/07/pigYLrt.png" onerror="this.onerror=null;this.src='/img/404.jpg'" alt="梦想CMS 1.4代码审计学习"></a></div><div class="recent-post-info"><a class="article-title" href="/2023/08/%E6%A2%A6%E6%83%B3CMS-1-4%E4%BB%A3%E7%A0%81%E5%AE%A1%E8%AE%A1%E5%AD%A6%E4%B9%A0/" title="梦想CMS 1.4代码审计学习">梦想CMS 1.4代码审计学习</a><div class="article-meta-wrap"><span class="post-meta-date"><i class="far fa-calendar-alt"></i><span class="article-meta-label">Created</span><time datetime="2023-08-28T13:56:06.000Z" title="Created 2023-08-28 21:56:06">2023-08-28</time></span><span class="article-meta"><span class="article-meta-separator">|</span><i class="fas fa-inbox"></i><a class="article-meta__categories" href="/categories/%E4%BB%A3%E7%A0%81%E5%AE%A1%E8%AE%A1/">代码审计</a></span></div><div class="content">一些审计方法对于未公开POC的1day复现,直接看cnvd的提交,我们这里审计梦想CMS 1.4所以直接搜索就行可以看到很多,虽然文件名未全部显示但是就那几个文件,显示了大部分字母就能找到了,这是复现1day的方法,当然也可以直接拿最新版本审0day
BookAction.class.php下sql注入这个系统是个MVC架构,emmm不太了解得找时间学学了,不然代审有点难,先来看下这个文件下的注入在reply方法下GET接收一个id直接跟进getReply看看找到底层的sql语句,最终在db.class.php找到可以看到直接拼接了field即一开始的id,而且这个整个项目的sql调用都在这个文件,但是这个底层的sql调用没有做预编译,那么你就得在用的时候去写这样就很容易遗漏出现sql注入,在这里打印一下sql语句方便调试,来到这个BookAction.class.php文件下进入reply方法传个id直接闭合一下,这里得用)闭合,从sql语句即可看出,然后用报错注入注一下版本,payload如下
1id=1) or updatexml(0,concat(0x7e,version()) ...</div></div></div><div class="recent-post-item"><div class="post_cover right"><a href="/2023/08/Fastjson1-2-62-1-2-68%E7%BB%95%E8%BF%87/" title="Fastjson1.2.62-1.2.68绕过"><img class="post_bg" src="https://s1.ax1x.com/2023/08/28/pPUWtRU.png" onerror="this.onerror=null;this.src='/img/404.jpg'" alt="Fastjson1.2.62-1.2.68绕过"></a></div><div class="recent-post-info"><a class="article-title" href="/2023/08/Fastjson1-2-62-1-2-68%E7%BB%95%E8%BF%87/" title="Fastjson1.2.62-1.2.68绕过">Fastjson1.2.62-1.2.68绕过</a><div class="article-meta-wrap"><span class="post-meta-date"><i class="far fa-calendar-alt"></i><span class="article-meta-label">Created</span><time datetime="2023-08-27T15:56:10.000Z" title="Created 2023-08-27 23:56:10">2023-08-27</time></span><span class="article-meta"><span class="article-meta-separator">|</span><i class="fas fa-inbox"></i><a class="article-meta__categories" href="/categories/Java%E5%AE%89%E5%85%A8/">Java安全</a></span></div><div class="content">1.2.62漏洞分析前言学的过程发现有些依赖导入真的慢,所以这里直接把整个pom.xml贴出来可以一次性导完算了,看自己选择
123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112<dependencies> <dependency> <groupId>com.unboundid</groupId> <artifactId>unboundid-ldapsdk</artifactId> <version>4.0.9</version> ...</div></div></div><div class="recent-post-item"><div class="post_cover left"><a href="/2023/08/Fastjson1-2-25-1-2-47%E7%BB%95%E8%BF%87/" title="Fastjson1.2.25-1.2.47绕过"><img class="post_bg" src="https://s21.ax1x.com/2024/03/19/pFR7ttU.png" onerror="this.onerror=null;this.src='/img/404.jpg'" alt="Fastjson1.2.25-1.2.47绕过"></a></div><div class="recent-post-info"><a class="article-title" href="/2023/08/Fastjson1-2-25-1-2-47%E7%BB%95%E8%BF%87/" title="Fastjson1.2.25-1.2.47绕过">Fastjson1.2.25-1.2.47绕过</a><div class="article-meta-wrap"><span class="post-meta-date"><i class="far fa-calendar-alt"></i><span class="article-meta-label">Created</span><time datetime="2023-08-27T15:55:43.000Z" title="Created 2023-08-27 23:55:43">2023-08-27</time></span><span class="article-meta"><span class="article-meta-separator">|</span><i class="fas fa-inbox"></i><a class="article-meta__categories" href="/categories/Java%E5%AE%89%E5%85%A8/">Java安全</a></span></div><div class="content">1.2.25 修复分析首先导入1.2.25版本的修复吧,在pom.xml中导入对应版本
12345<dependency> <groupId>com.alibaba</groupId> <artifactId>fastjson</artifactId> <version>1.2.25</version> </dependency>
运行一下TemplatesImpl这条链发现存在之前没有的报错调试一下发现来到了下面这里在1.2.24版本中这里是直接调用了loadClass如下图而在1.2.25里是调用了checkAutoType进去看看这个方法干了什么,这里白日梦组长根据流程画了一个流程图如下,手工复制可能会有些错误在checkAutoType中通过黑(denyList)白(acceptList)名单对类进行检验这里白名单默认为空,可手动添加,黑名单默认不为空,在默认情况下,autoTypeSupport为False,即先进行黑名单过滤,遍历denyList, ...</div></div></div><div class="recent-post-item"><div class="post_cover right"><a href="/2023/08/Java%E5%AD%A6%E4%B9%A0%E4%B9%8BFastjson1-2-24%E5%88%A9%E7%94%A8%E9%93%BE%E5%88%86%E6%9E%90/" title="Fastjson1.2.24利用链分析"><img class="post_bg" src="https://s21.ax1x.com/2024/03/19/pFR7s76.png" onerror="this.onerror=null;this.src='/img/404.jpg'" alt="Fastjson1.2.24利用链分析"></a></div><div class="recent-post-info"><a class="article-title" href="/2023/08/Java%E5%AD%A6%E4%B9%A0%E4%B9%8BFastjson1-2-24%E5%88%A9%E7%94%A8%E9%93%BE%E5%88%86%E6%9E%90/" title="Fastjson1.2.24利用链分析">Fastjson1.2.24利用链分析</a><div class="article-meta-wrap"><span class="post-meta-date"><i class="far fa-calendar-alt"></i><span class="article-meta-label">Created</span><time datetime="2023-08-21T13:15:28.000Z" title="Created 2023-08-21 21:15:28">2023-08-21</time></span><span class="article-meta"><span class="article-meta-separator">|</span><i class="fas fa-inbox"></i><a class="article-meta__categories" href="/categories/Java%E5%AE%89%E5%85%A8/">Java安全</a></span></div><div class="content">环境pom.xml依赖如下
1234567891011121314151617181920<dependency> <groupId>com.unboundid</groupId> <artifactId>unboundid-ldapsdk</artifactId> <version>4.0.9</version></dependency><dependency> <groupId>commons-io</groupId> <artifactId>commons-io</artifactId> <version>2.5</version></dependency><dependency> <groupId>com.alibaba</groupId> <artifactId>fastjson</ar ...</div></div></div><nav id="pagination"><div class="pagination"><span class="page-number current">1</span><a class="page-number" href="/page/2/#content-inner">2</a><span class="space">…</span><a class="page-number" href="/page/5/#content-inner">5</a><a class="extend next" rel="next" href="/page/2/#content-inner"><i class="fas fa-chevron-right fa-fw"></i></a></div></nav></div><div class="aside-content" id="aside-content"><div class="card-widget card-info"><div class="is-center"><div class="avatar-img"><img src="https://s1.ax1x.com/2022/12/27/zzBdET.jpg" onerror="this.onerror=null;this.src='/img/friend_404.gif'" alt="avatar"/></div><div class="author-info__name">Y0n3er</div><div class="author-info__description"></div></div><div class="card-info-data site-data is-center"><a href="/archives/"><div class="headline">Articles</div><div class="length-num">50</div></a><a href="/tags/"><div class="headline">Tags</div><div class="length-num">0</div></a><a href="/categories/"><div class="headline">Categories</div><div class="length-num">6</div></a></div><a id="card-info-btn" target="_blank" rel="noopener" href="https://github.com/Y0n3er"><i class="fab fa-github"></i><span>Follow Me</span></a><div class="card-info-social-icons is-center"><a class="social-icon" href="https://y0n3er.github.io/atom.xml" target="_blank" title=""><i class="fas fa-rss"></i></a></div></div><div class="card-widget card-announcement"><div class="item-headline"><i class="fas fa-bullhorn fa-shake"></i><span>Announcement</span></div><div class="announcement_content">纯纯记录一下</div></div><div class="sticky_layout"><div class="card-widget card-recent-post"><div 
class="item-headline"><i class="fas fa-history"></i><span>Recent Post</span></div><div class="aside-list"><div class="aside-list-item"><a class="thumbnail" href="/2024/11/PolarCTF-2024%E7%A7%8B%E5%AD%A3%E4%B8%AA%E4%BA%BA%E6%8C%91%E6%88%98%E8%B5%9B-Java/" title="PolarCTF_2024秋季个人挑战赛_Java"><img src="https://pic.20988.xyz/2024-05-29/1716947049-304546-001-8.jpg" onerror="this.onerror=null;this.src='/img/404.jpg'" alt="PolarCTF_2024秋季个人挑战赛_Java"/></a><div class="content"><a class="title" href="/2024/11/PolarCTF-2024%E7%A7%8B%E5%AD%A3%E4%B8%AA%E4%BA%BA%E6%8C%91%E6%88%98%E8%B5%9B-Java/" title="PolarCTF_2024秋季个人挑战赛_Java">PolarCTF_2024秋季个人挑战赛_Java</a><time datetime="2024-11-17T15:37:21.000Z" title="Created 2024-11-17 23:37:21">2024-11-17</time></div></div><div class="aside-list-item"><a class="thumbnail" href="/2024/08/2024%E7%BE%8A%E5%9F%8E%E6%9D%AF-ezjava/" title="2024羊城杯-ezjava"><img src="https://pic.20988.xyz/2024-08-27/1724760303-676108-wallpaper1724760145015.jpg" onerror="this.onerror=null;this.src='/img/404.jpg'" alt="2024羊城杯-ezjava"/></a><div class="content"><a class="title" href="/2024/08/2024%E7%BE%8A%E5%9F%8E%E6%9D%AF-ezjava/" title="2024羊城杯-ezjava">2024羊城杯-ezjava</a><time datetime="2024-08-31T03:50:28.000Z" title="Created 2024-08-31 11:50:28">2024-08-31</time></div></div><div class="aside-list-item"><a class="thumbnail" href="/2024/08/%E5%B8%86%E8%BD%AF-FineReport-FineBI-channel%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%E5%88%86%E6%9E%90/" title="帆软 FineReport/FineBI channel反序列化分析"><img src="https://pic.20988.xyz/2024-08-02/1722561685-257170-1-1.jpg" onerror="this.onerror=null;this.src='/img/404.jpg'" alt="帆软 FineReport/FineBI channel反序列化分析"/></a><div class="content"><a class="title" href="/2024/08/%E5%B8%86%E8%BD%AF-FineReport-FineBI-channel%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%E5%88%86%E6%9E%90/" title="帆软 FineReport/FineBI channel反序列化分析">帆软 FineReport/FineBI channel反序列化分析</a><time datetime="2024-08-04T03:02:24.000Z" title="Created 2024-08-04 
11:02:24">2024-08-04</time></div></div><div class="aside-list-item"><a class="thumbnail" href="/2024/07/JFinalCMS%E5%AE%A1%E8%AE%A1%E7%BB%83%E4%B9%A0/" title="JFinalCMS审计练习"><img src="https://pic.20988.xyz/2024-06-21/1718950224-18771-360wallpaper.jpg" onerror="this.onerror=null;this.src='/img/404.jpg'" alt="JFinalCMS审计练习"/></a><div class="content"><a class="title" href="/2024/07/JFinalCMS%E5%AE%A1%E8%AE%A1%E7%BB%83%E4%B9%A0/" title="JFinalCMS审计练习">JFinalCMS审计练习</a><time datetime="2024-07-01T04:11:45.000Z" title="Created 2024-07-01 12:11:45">2024-07-01</time></div></div><div class="aside-list-item"><a class="thumbnail" href="/2024/06/Showdoc3-2-5-SQL%E6%B3%A8%E5%85%A5%E5%8F%8A%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%E5%88%86%E6%9E%90/" title="Showdoc <= 3.2.5 SQL注入及反序列化分析"><img src="https://pic.20988.xyz/2024-06-07/1717747418-732849-nachoneko2.png" onerror="this.onerror=null;this.src='/img/404.jpg'" alt="Showdoc <= 3.2.5 SQL注入及反序列化分析"/></a><div class="content"><a class="title" href="/2024/06/Showdoc3-2-5-SQL%E6%B3%A8%E5%85%A5%E5%8F%8A%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%E5%88%86%E6%9E%90/" title="Showdoc <= 3.2.5 SQL注入及反序列化分析">Showdoc <= 3.2.5 SQL注入及反序列化分析</a><time datetime="2024-06-15T12:05:37.000Z" title="Created 2024-06-15 20:05:37">2024-06-15</time></div></div></div></div><div class="card-widget card-categories"><div class="item-headline">
<i class="fas fa-folder-open"></i>
<span>Categories</span>
</div>
<ul class="card-category-list" id="aside-cat-list">
<li class="card-category-list-item "><a class="card-category-list-link" href="/categories/CTF/"><span class="card-category-list-name">CTF</span><span class="card-category-list-count">11</span></a></li><li class="card-category-list-item "><a class="card-category-list-link" href="/categories/Doker/"><span class="card-category-list-name">Doker</span><span class="card-category-list-count">2</span></a></li><li class="card-category-list-item "><a class="card-category-list-link" href="/categories/Java%E5%AE%89%E5%85%A8/"><span class="card-category-list-name">Java安全</span><span class="card-category-list-count">18</span></a></li><li class="card-category-list-item "><a class="card-category-list-link" href="/categories/%E4%BB%A3%E7%A0%81%E5%AE%A1%E8%AE%A1/"><span class="card-category-list-name">代码审计</span><span class="card-category-list-count">5</span></a></li><li class="card-category-list-item "><a class="card-category-list-link" href="/categories/%E5%86%85%E7%BD%91/"><span class="card-category-list-name">内网</span><span class="card-category-list-count">1</span></a></li><li class="card-category-list-item "><a class="card-category-list-link" href="/categories/%E6%B8%97%E9%80%8F/"><span class="card-category-list-name">渗透</span><span class="card-category-list-count">12</span></a></li>
</ul></div><div class="card-widget card-archives"><div class="item-headline"><i class="fas fa-archive"></i><span>Archives</span><a class="card-more-btn" href="/archives/" title="More">
<i class="fas fa-angle-right"></i></a></div><ul class="card-archive-list"><li class="card-archive-list-item"><a class="card-archive-list-link" href="/archives/2024/11/"><span class="card-archive-list-date">November 2024</span><span class="card-archive-list-count">1</span></a></li><li class="card-archive-list-item"><a class="card-archive-list-link" href="/archives/2024/08/"><span class="card-archive-list-date">August 2024</span><span class="card-archive-list-count">2</span></a></li><li class="card-archive-list-item"><a class="card-archive-list-link" href="/archives/2024/07/"><span class="card-archive-list-date">July 2024</span><span class="card-archive-list-count">1</span></a></li><li class="card-archive-list-item"><a class="card-archive-list-link" href="/archives/2024/06/"><span class="card-archive-list-date">June 2024</span><span class="card-archive-list-count">1</span></a></li><li class="card-archive-list-item"><a class="card-archive-list-link" href="/archives/2024/04/"><span class="card-archive-list-date">April 2024</span><span class="card-archive-list-count">1</span></a></li><li class="card-archive-list-item"><a class="card-archive-list-link" href="/archives/2024/03/"><span class="card-archive-list-date">March 2024</span><span class="card-archive-list-count">1</span></a></li><li class="card-archive-list-item"><a class="card-archive-list-link" href="/archives/2023/12/"><span class="card-archive-list-date">December 2023</span><span class="card-archive-list-count">1</span></a></li><li class="card-archive-list-item"><a class="card-archive-list-link" href="/archives/2023/08/"><span class="card-archive-list-date">August 2023</span><span class="card-archive-list-count">7</span></a></li></ul></div><div class="card-widget card-webinfo"><div class="item-headline"><i class="fas fa-chart-line"></i><span>Info</span></div><div class="webinfo"><div class="webinfo-item"><div class="item-name">Article :</div><div class="item-count">50</div></div><div class="webinfo-item"><div 
class="item-name">Run time :</div><div class="item-count" id="runtimeshow" data-publishDate="2022-10-03T16:00:00.000Z"><i class="fa-solid fa-spinner fa-spin"></i></div></div><div class="webinfo-item"><div class="item-name">UV :</div><div class="item-count" id="busuanzi_value_site_uv"><i class="fa-solid fa-spinner fa-spin"></i></div></div><div class="webinfo-item"><div class="item-name">PV :</div><div class="item-count" id="busuanzi_value_site_pv"><i class="fa-solid fa-spinner fa-spin"></i></div></div><div class="webinfo-item"><div class="item-name">Last Push :</div><div class="item-count" id="last-push-date" data-lastPushDate="2025-01-04T12:08:25.844Z"><i class="fa-solid fa-spinner fa-spin"></i></div></div></div></div></div></div></main><footer id="footer"><div id="footer-wrap"><div class="copyright">©2022 - 2025 By <i id="heartbeat" class="fa fas fa-heartbeat"></i> Y0n3er</div><div class="framework-info"><span>Framework </span><a target="_blank" rel="noopener" href="https://hexo.io">Hexo</a><span class="footer-separator">|</span><span>Theme </span><a target="_blank" rel="noopener" href="https://github.com/jerryc127/hexo-theme-butterfly">Butterfly</a></div></div><link rel="stylesheet" href="https://cdn.jsdelivr.net/gh/HCLonely/images@master/others/heartbeat.min.css"></footer></div><div id="rightside"><div id="rightside-config-hide"><button id="darkmode" type="button" title="Toggle Between Light And Dark Mode"><i class="fas fa-adjust"></i></button><button id="hide-aside-btn" type="button" title="Toggle between single-column and double-column"><i class="fas fa-arrows-alt-h"></i></button></div><div id="rightside-config-show"><button id="rightside_config" type="button" title="Setting"><i class="fas fa-cog fa-spin"></i></button><button id="go-up" type="button" title="Back To Top"><i class="fas fa-arrow-up"></i></button></div></div><div id="local-search"><div class="search-dialog"><nav class="search-nav"><span class="search-dialog-title">Search</span><span 
id="loading-status"></span><button class="search-close-button"><i class="fas fa-times"></i></button></nav><div class="is-center" id="loading-database"><i class="fas fa-spinner fa-pulse"></i><span> Loading the Database</span></div><div class="search-wrap"><div id="local-search-input"><div class="local-search-box"><input class="local-search-box--input" placeholder="Search for Posts" type="text"/></div></div><hr/><div id="local-search-results"></div></div></div><div id="search-mask"></div></div><div><script src="/js/utils.js"></script><script src="/js/main.js"></script><script src="https://cdn.jsdelivr.net/npm/@fancyapps/ui/dist/fancybox.umd.min.js"></script><script src="/js/search/local-search.js"></script><div class="js-pjax"><script>function subtitleType () {
if (true) {
window.typed = new Typed("#subtitle", {
strings: ["Suffering is the most powerful teacher of life"],
startDelay: 300,
typeSpeed: 150,
loop: true,
backSpeed: 50
})
} else {
document.getElementById("subtitle").innerHTML = 'Suffering is the most powerful teacher of life'
}
}
if (true) {
if (typeof Typed === 'function') {
subtitleType()
} else {
getScript('https://cdn.jsdelivr.net/npm/typed.js/lib/typed.min.js').then(subtitleType)
}
} else {
subtitleType()
}</script></div><script src="source/background.js"></script><script src="https://cdn.jsdelivr.net/npm/gitalk@1/dist/gitalk.min.js"></script><script id="click-heart" src="https://cdn.jsdelivr.net/npm/butterfly-extsrc/dist/click-heart.min.js" async="async" mobile="true"></script><link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/aplayer/dist/APlayer.min.css" media="print" onload="this.media='all'"><script src="https://cdn.jsdelivr.net/npm/aplayer/dist/APlayer.min.js"></script><script src="https://cdn.jsdelivr.net/npm/butterfly-extsrc/metingjs/dist/Meting.min.js"></script><script src="https://cdn.jsdelivr.net/npm/pjax/pjax.min.js"></script><script>let pjaxSelectors = ["head > title","#config-diff","#body-wrap","#rightside-config-hide","#rightside-config-show",".js-pjax"]
// Create the page-wide Pjax instance that turns in-site link clicks into
// partial page swaps. Declared with `var` in a classic script, so `pjax` is
// also reachable as window.pjax (the pjax:error handler further down calls
// pjax.loadUrl).
var pjax = new Pjax({
// Intercept every anchor except those that open in a new tab.
elements: 'a:not([target="_blank"])',
// Regions replaced on navigation; the list is the pjaxSelectors array
// declared immediately before this statement.
selectors: pjaxSelectors,
// Do not append a cache-busting query parameter to fetched URLs.
cacheBust: false,
// Pjax's own analytics callback is switched off; page views are reported
// from the pjax:complete listener instead.
analytics: false,
// Leave scroll position handling on back/forward navigation to the browser/theme.
scrollRestoration: false
})
// 'pjax:send' listener: tears down state owned by the outgoing page before
// Pjax swaps in the next one.
document.addEventListener('pjax:send', () => {
  // Detach the scroll listeners the current page may have registered.
  if (window.tocScrollFn) {
    window.removeEventListener('scroll', window.tocScrollFn);
  }
  if (window.scrollCollect) {
    window.removeEventListener('scroll', scrollCollect);
  }

  // Assigning cssText replaces the whole inline style of #rightside; the
  // string is kept exactly as the theme emits it.
  document.getElementById('rightside').style.cssText = "opacity: ''; transform: ''";

  // Destroy every audio player that is not flagged as fixed; fixed players
  // are left alive across navigations.
  const players = window.aplayers;
  if (players) {
    for (let idx = 0; idx < players.length; idx += 1) {
      const player = players[idx];
      if (player.options.fixed) {
        continue;
      }
      player.destroy();
    }
  }

  // Stop the subtitle typing animation (window.typed is set by subtitleType).
  if (typeof typed === 'object') {
    typed.destroy();
  }

  // Leave read mode if the outgoing page had it switched on.
  const bodyClasses = document.body.classList;
  if (bodyClasses.contains('read-mode')) {
    bodyClasses.remove('read-mode');
  }

  // Tear down the comment widget when one is present.
  if (typeof disqusjs === 'object') {
    disqusjs.destroy();
  }
});
// 'pjax:complete' listener: re-initialises page features after Pjax has
// swapped in the new content.
document.addEventListener('pjax:complete', () => {
  window.refreshFn();

  // A <script> that has already run is not executed again when left in place,
  // so each script[data-pjax] in the document is replaced by a fresh clone.
  // Every attribute is copied, src included, which means external scripts
  // tagged data-pjax are fetched and executed again on every navigation.
  // NOTE(review): this runs whatever script[data-pjax] elements the document
  // holds, with full page privileges. The pages served for Pjax navigation
  // must be trusted, and third-party src values are better pinned to an
  // exact version with an integrity attribute.
  for (const staleScript of document.querySelectorAll('script[data-pjax]')) {
    const freshScript = document.createElement('script');
    const source = staleScript.text || staleScript.textContent || staleScript.innerHTML || "";
    for (const attribute of Array.from(staleScript.attributes)) {
      freshScript.setAttribute(attribute.name, attribute.value);
    }
    freshScript.appendChild(document.createTextNode(source));
    staleScript.parentNode.replaceChild(freshScript, staleScript);
  }

  if (GLOBAL_CONFIG.islazyload) {
    window.lazyLoadInstance.update();
  }
  if (typeof chatBtnFn === 'function') {
    chatBtnFn();
  }
  if (typeof panguInit === 'function') {
    panguInit();
  }

  // Google Analytics page view; the tracking id argument is an empty string
  // in this build.
  if (typeof gtag === 'function') {
    gtag('config', '', { 'page_path': window.location.pathname });
  }

  // Baidu Analytics page view.
  if (typeof _hmt === 'object') {
    _hmt.push(['_trackPageview', window.location.pathname]);
  }

  // Re-run the Meting loader only when the new page contains a player element.
  if (typeof loadMeting === 'function' && document.getElementsByClassName('aplayer').length) {
    loadMeting();
  }

  // Re-highlight code blocks when Prism is loaded.
  if (typeof Prism === 'object') {
    Prism.highlightAll();
  }
});
document.addEventListener('pjax:error', (e) => {
if (e.request.status === 404) {
pjax.loadUrl('/404.html')
}
})</script><script async data-pjax src="//busuanzi.ibruce.info/busuanzi/2.3/busuanzi.pure.mini.js"></script></div></body></html><link rel="stylesheet" type="text/css" href="https://cdn.jsdelivr.net/npm/[email protected]/dist/APlayer.min.css"><script type="text/javascript" src="https://cdn.jsdelivr.net/npm/[email protected]/dist/APlayer.min.js"></script><script type="text/javascript" src="https://cdn.jsdelivr.net/npm/[email protected]/dist/Meting.min.js"></script>