php框架代码审计思路(下)
<div style="color: black; text-align: left; margin-bottom: 10px;"><img src="https://p3-sign.toutiaoimg.com/tos-cn-i-qvj2lq49k0/c4ff2de39d8e4e16a18bceb06f0ffd14~noop.image?_iz=58558&from=article.pc_detail&lk3s=953192f4&x-expires=1729839321&x-signature=BC4JJP3BG%2FXW%2FvgqRH2VBcM9Q%2BM%3D" style="width: 50%; margin-bottom: 20px;"></div>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;">程序员写在<span style="color: black;">文案</span>前:</strong></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">上周,程序员小星<span style="color: black;">已然</span>和<span style="color: black;">大众</span>分享了在“php框架代码审计”中自己对兼容模式和path_info模式、命名空间、tp5的正常调用流程等内容的审计思路。本周我将就“路由动态测试”、“思路总结”、“漏洞<span style="color: black;">源自</span>”、“Nday<span style="color: black;">运用</span><span style="color: black;">办法</span>”、“扩大攻击面”五大部分与<span style="color: black;">大众</span>继续探讨,并附上我在<span style="color: black;">科研</span>过程中对CTF比赛的<span style="color: black;">有些</span>小心得。</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">上期回顾:<a style="color: black;">《php框架代码审计思路(上)》</a></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;"><strong style="color: blue;"><span style="color: black;">(一)路由调用动态调试</span></strong></span></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">1. 如下图所示,<span style="color: black;">这儿</span>会调用一个Middleware类下run()<span style="color: black;">办法</span>来把闭包函数注册一个中间件。</span></p>
<div style="color: black; text-align: left; margin-bottom: 10px;"><img src="https://p3-sign.toutiaoimg.com/tos-cn-i-qvj2lq49k0/9b37716852e3404f98b0109af4ef0d61~noop.image?_iz=58558&from=article.pc_detail&lk3s=953192f4&x-expires=1729839321&x-signature=TXbAnQ4dA6wx9nZa4Jw5EAfz7io%3D" style="width: 50%; margin-bottom: 20px;"></div>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">2.继续回到这个app中,调用一个dispatch()的<span style="color: black;">办法</span>。</span></p>
<div style="color: black; text-align: left; margin-bottom: 10px;"><img src="https://p3-sign.toutiaoimg.com/tos-cn-i-qvj2lq49k0/95fcb456905746e8aced23e42903bbd5~noop.image?_iz=58558&from=article.pc_detail&lk3s=953192f4&x-expires=1729839321&x-signature=2o%2FFQHTOQrJNme9%2F%2B5GHr4AfWxQ%3D" style="width: 50%; margin-bottom: 20px;"></div>
<div style="color: black; text-align: left; margin-bottom: 10px;"><img src="https://p3-sign.toutiaoimg.com/tos-cn-i-qvj2lq49k0/77655ae59e0f40aeb36fd6f5dc6314e7~noop.image?_iz=58558&from=article.pc_detail&lk3s=953192f4&x-expires=1729839321&x-signature=%2FpjwnFw6l9%2BwwkYUcOaM7hYanic%3D" style="width: 50%; margin-bottom: 20px;"></div>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">3. <span style="color: black;">这儿</span>的call_user_func回调函数,算是ctf比赛中比较经典的一个代码执行函数,<span style="color: black;">然则</span><span style="color: black;">由于</span><span style="color: black;">这儿</span><span style="color: black;">已然</span>把函数写死了,<span style="color: black;">因此</span><span style="color: black;">咱们</span><span style="color: black;">亦</span><span style="color: black;">不可</span><span style="color: black;">运用</span>。但其实<span style="color: black;">咱们</span><span style="color: black;">能够</span>尝试<span style="color: black;">运用</span>反序列化的方式,只是这与<span style="color: black;">咱们</span>今天分享的内容无关,<span style="color: black;">因此</span><span style="color: black;">咱们</span>暂且跳过,继续看回resolve()。</span></p>
<div style="color: black; text-align: left; margin-bottom: 10px;"><img src="https://p3-sign.toutiaoimg.com/tos-cn-i-qvj2lq49k0/c862e92968a64a4fa45676a5a56585b8~noop.image?_iz=58558&from=article.pc_detail&lk3s=953192f4&x-expires=1729839321&x-signature=dWHjl9nN3chgRrqZ5dmYoJEevyQ%3D" style="width: 50%; margin-bottom: 20px;"></div>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">4. <span style="color: black;">刚才</span><span style="color: black;">咱们</span><span style="color: black;">已然</span>运行到了435行,<span style="color: black;">运用</span>resolve()<span style="color: black;">办法</span>后回调到了这个闭包函数中,所以<span style="color: black;">咱们</span><span style="color: black;">此刻</span>又<span style="color: black;">能够</span>回到432行去调用闭包函数中的run()<span style="color: black;">办法</span>。</span></p>
<div style="color: black; text-align: left; margin-bottom: 10px;"><img src="https://p3-sign.toutiaoimg.com/tos-cn-i-qvj2lq49k0/8e2f6ff94676441188f9dd191210026b~noop.image?_iz=58558&from=article.pc_detail&lk3s=953192f4&x-expires=1729839321&x-signature=zqZJPPLN0PBPua0tit6RIzRDhqo%3D" style="width: 50%; margin-bottom: 20px;"></div>
<div style="color: black; text-align: left; margin-bottom: 10px;"><img src="https://p3-sign.toutiaoimg.com/tos-cn-i-qvj2lq49k0/88a07f867ca149218ae8d6253b30472d~noop.image?_iz=58558&from=article.pc_detail&lk3s=953192f4&x-expires=1729839321&x-signature=qvactCPykIyiUe%2F64Wx0odHP7Ss%3D" style="width: 50%; margin-bottom: 20px;"></div>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">5.前面进行的部分都是解析,<span style="color: black;">此刻</span>才<span style="color: black;">起始</span><span style="color: black;">咱们</span>真正的路由调度,<span style="color: black;">咱们</span>从<span style="color: black;">这儿</span>直接<span style="color: black;">运用</span>这个exec()<span style="color: black;">办法</span>。</span></p>
<div style="color: black; text-align: left; margin-bottom: 10px;"><img src="https://p3-sign.toutiaoimg.com/tos-cn-i-qvj2lq49k0/f69f463aa9814560afb1a38c7070a51d~noop.image?_iz=58558&from=article.pc_detail&lk3s=953192f4&x-expires=1729839321&x-signature=5QNiqCM%2FpBOpYajc41Qe4ISah8A%3D" style="width: 50%; margin-bottom: 20px;"></div>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">6. 像监听这一类的<span style="color: black;">办法</span>,<span style="color: black;">咱们</span><span style="color: black;">能够</span><span style="color: black;">选取</span>忽略不看,直接往<span style="color: black;">重点</span>的调用内容上看,否则恐怕会越调试越偏离。</span></p>
<div style="color: black; text-align: left; margin-bottom: 10px;"><img src="https://p3-sign.toutiaoimg.com/tos-cn-i-qvj2lq49k0/5efd058c3edc4f27b33febe987e2eaad~noop.image?_iz=58558&from=article.pc_detail&lk3s=953192f4&x-expires=1729839321&x-signature=uHmzgEv9%2BOS5339qokju35XKGjw%3D" style="width: 50%; margin-bottom: 20px;"></div>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">7. 进入一个parseModuleAndClass()<span style="color: black;">办法</span>来解析模块和类。</span></p>
<div style="color: black; text-align: left; margin-bottom: 10px;"><img src="https://p3-sign.toutiaoimg.com/tos-cn-i-qvj2lq49k0/6bad560cbc2540dea72167a687d54b4a~noop.image?_iz=58558&from=article.pc_detail&lk3s=953192f4&x-expires=1729839321&x-signature=k7q7NFXRHIKsVBehrgQWRlJwtb0%3D" style="width: 50%; margin-bottom: 20px;"></div>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">8. <span style="color: black;">咱们</span>获取了一个命名空间,<span style="color: black;">经过</span>这命名空间<span style="color: black;">咱们</span>就<span style="color: black;">能够</span>去创建一个对象,<span style="color: black;">而后</span>调用他的<span style="color: black;">办法</span>。从以下这段代码<span style="color: black;">能够</span>看出:</span></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">if (false !== strpos($name, \\))</span></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">他会把只要是\开头的部分都当做一个命名空间的<span style="color: black;">起始</span>,<span style="color: black;">然则</span><span style="color: black;">通常</span><span style="color: black;">来讲</span>,调用的时候是不会去写\,而是去调用这个else,<span style="color: black;">这儿</span>解析的<span style="color: black;">便是</span>/开头,紧接着把解析后的一组东西(<span style="color: black;">包括</span>命名空间)返回到controller<span style="color: black;">办法</span><span style="color: black;">其中</span>。</span></p>
<div style="color: black; text-align: left; margin-bottom: 10px;"><img src="https://p3-sign.toutiaoimg.com/tos-cn-i-qvj2lq49k0/4fe44cc40e4b407db98366e84df0be84~noop.image?_iz=58558&from=article.pc_detail&lk3s=953192f4&x-expires=1729839321&x-signature=idCL64CHmw%2Fwt8VI6N1BuerioKA%3D" style="width: 50%; margin-bottom: 20px;"></div>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">9. 用class_exists来判断这个命名空间下的类<span style="color: black;">是不是</span>存在,<span style="color: black;">倘若</span>存在,就进去调用Container的</span><span style="color: black;">get <span style="color: black;">办法</span>。</span></p>
<div style="color: black; text-align: left; margin-bottom: 10px;"><img src="https://p3-sign.toutiaoimg.com/tos-cn-i-qvj2lq49k0/b0cc54faa8244c808237f4bca6055ad1~noop.image?_iz=58558&from=article.pc_detail&lk3s=953192f4&x-expires=1729839321&x-signature=95Vwi0DGU7xd2wzZox%2B%2FiWYcMqY%3D" style="width: 50%; margin-bottom: 20px;"></div>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;"><span style="color: black;">比赛心得分享:</span></strong></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">1. <span style="color: black;">这儿</span><span style="color: black;">显现</span>一个Loader.php,他里面有一个include的<span style="color: black;">办法</span>。在<span style="color: black;">这儿</span>,<span style="color: black;">倘若</span>你写入一个恶意文件(后缀不限),其实是<span style="color: black;">能够</span>进行代码执行的。<span style="color: black;">不外</span>,此漏洞在高版本的thinkphp中<span style="color: black;">已然</span>被修复了。<span style="color: black;">然则</span>,以这个框架的<span style="color: black;">繁杂</span>度来看,<span style="color: black;">咱们</span>还是<span style="color: black;">能够</span>想办法构造<span style="color: black;">有些</span>poc来调用到这个<span style="color: black;">办法</span>中来进行<span style="color: black;">有些</span>操作。有时候在<span style="color: black;">有些</span>比赛<span style="color: black;">其中</span>,出题人<span style="color: black;">亦</span>会去寻找<span style="color: black;">有些</span>类似<span style="color: black;">这般</span>的奇奇怪怪<span style="color: black;">办法</span>,<span style="color: black;">而后</span><span style="color: black;">经过</span>改造,让你<span style="color: black;">能够</span><span style="color: black;">拜访</span>,<span style="color: black;">然则</span>我估计<span style="color: black;">大众</span>得<span style="color: black;">经过</span><span style="color: black;">有些</span>绕圈子的<span style="color: black;">办法</span>后<span style="color: black;">才可</span>绕到这个<span style="color: black;">办法</span><span style="color: black;">其中</span>。</span></p>
<div style="color: black; text-align: left; margin-bottom: 10px;"><img src="https://p3-sign.toutiaoimg.com/tos-cn-i-qvj2lq49k0/a6ac66bac21e415da5fdaa9204726b3c~noop.image?_iz=58558&from=article.pc_detail&lk3s=953192f4&x-expires=1729839321&x-signature=9XiFXDFm48mwP7mk%2BcSSubdtpyU%3D" style="width: 50%; margin-bottom: 20px;"></div>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">2.接下来他将会<span style="color: black;">运用</span>反射来实例化,但到<span style="color: black;">日前</span>为止,他的路由调度<span style="color: black;">亦</span>算是完<span style="color: black;">成为了</span>。</span></p>
<div style="color: black; text-align: left; margin-bottom: 10px;"><img src="https://p3-sign.toutiaoimg.com/tos-cn-i-qvj2lq49k0/e517b54de2934c50b5f39ff68c259eb1~noop.image?_iz=58558&from=article.pc_detail&lk3s=953192f4&x-expires=1729839321&x-signature=BL1SSsIl7vN9ORhWOqKnD5VU2Ec%3D" style="width: 50%; margin-bottom: 20px;"></div>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;"><strong style="color: blue;"><span style="color: black;">(二)总结</span></strong></span></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">简单<span style="color: black;">来讲</span>,总结如下:</span></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;"><span style="color: black;">1. 当你传入了一个URL后,thinkphp会把你的URL提取出来;</span></strong></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;"><span style="color: black;">2. thinkphp对传入的URL进行解析;</span></strong></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;"><span style="color: black;">3. 解析后,thinkphp对URL进行拆分;</span></strong></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;"><span style="color: black;">4. 拆分后,重组为一个命名空间;</span></strong></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;"><span style="color: black;">5. tp5取得命名空间后,<span style="color: black;">经过</span>反射的方式实例化。</span></strong></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;"><strong style="color: blue;"><span style="color: black;">(三)漏洞<span style="color: black;">源自</span></span></strong></span></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;"><span style="color: black;">咱们</span><span style="color: black;">刚才</span><span style="color: black;">始终</span>在提,tp5是<span style="color: black;">怎么样</span>解析这个<span style="color: black;">咱们</span>传入的URL?tp5是<span style="color: black;">怎么样</span>处理URL?</span></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">\、/这两个符号的处理方式是不<span style="color: black;">同样</span>的:<span style="color: black;">倘若</span><span style="color: black;">咱们</span>传入的是\,那他会把\前面的部分和后面的部分当做是一个整体;<span style="color: black;">倘若</span><span style="color: black;">咱们</span>传入的是/,那他就会拆开/前后的字符串,<span style="color: black;">而后</span>分别赋值。</span></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">举例:</span></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">你传入了一个:1\2,那tp5会认为这个1和2是<span style="color: black;">掰开</span>的;</span></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">你传入了一个:1/2,那tp5会认为这个1和2不是<span style="color: black;">掰开</span>的;</span></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;"><span style="color: black;">这个<span style="color: black;">便是</span>tp5系列路由漏洞的成因了。</span></strong></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">那<span style="color: black;">咱们</span>就有几个问题:</span></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">1. 怎么<span style="color: black;">拜访</span>到可能<span style="color: black;">包括</span>恶意代码的文件中去?</span></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">2. <span style="color: black;">倘若</span>你想<span style="color: black;">拜访</span>这个恶意代码,你得怎么构造?</span></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">3. 你构造出来的话,怎么去用?</span></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;"><span style="color: black;">这儿</span><span style="color: black;">咱们</span>再写一下正常的构造方式:</span></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">http://localhost/index.php/admin/index/hello</span></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;"><span style="color: black;">咱们</span>构造一个<span style="color: black;">拜访</span>thinkphp/think下的Container.php</span></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">http://localhost/index.php/模块名/File/get?name=path</span></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">恶意命名空间构造</p>http://localhost/index.php/index/think\Container/exists
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">然则</span>这个斜杠<span style="color: black;">咱们</span>在<span style="color: black;">运用</span>的时候就<span style="color: black;">已然</span>直接给转换了,<span style="color: black;">因此</span><span style="color: black;">咱们</span>用不了,</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">咱们</span>就得<span style="color: black;">运用</span>这个兼容模式来构造了。</p><span style="color: black;">http://localhost/index.php?s=index/think\Container/exists</span>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">在<span style="color: black;">这儿</span>,他就获取了一个<span style="color: black;">能够</span>说是恶意的命名空间了。</span></p>
<div style="color: black; text-align: left; margin-bottom: 10px;"><img src="https://p3-sign.toutiaoimg.com/tos-cn-i-qvj2lq49k0/452a1f1c08204bd496f948de267ba364~noop.image?_iz=58558&from=article.pc_detail&lk3s=953192f4&x-expires=1729839321&x-signature=mJjrUvId4Eteit%2BQHbcU1WvgJl4%3D" style="width: 50%; margin-bottom: 20px;"></div>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;"><strong style="color: blue;"><span style="color: black;">(四)Nday <span style="color: black;">运用</span><span style="color: black;">办法</span></span></strong></span></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">?s=index/think\request/input?data=whoami&filter=system</span></p>
<div style="color: black; text-align: left; margin-bottom: 10px;"><img src="https://p3-sign.toutiaoimg.com/tos-cn-i-qvj2lq49k0/b20165eefd804f67a8fd1511a095cec9~noop.image?_iz=58558&from=article.pc_detail&lk3s=953192f4&x-expires=1729839321&x-signature=48CNwu80hQqfaoiPqkZZTOr41f0%3D" style="width: 50%; margin-bottom: 20px;"></div>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;"><span style="color: black;">这儿</span>跟进后,你<span style="color: black;">能够</span>看到一个非public的<span style="color: black;">办法</span>,这<span style="color: black;">亦</span>验证了<span style="color: black;">咱们</span>之前说的一个事情,<span style="color: black;">便是</span>你挖洞<span style="color: black;">或</span>打CTF的时候,<span style="color: black;">倘若</span>你在一个框架中,<span style="color: black;">无</span>找到直接<span style="color: black;">拜访</span>恶意代码的<span style="color: black;">地区</span>,你<span style="color: black;">能够</span>去<span style="color: black;">有些</span>曾经调用过这些<span style="color: black;">办法</span>的办法中一级一级地往上溯源,直到找到入口。<span style="color: black;">而后</span>再<span style="color: black;">起始</span>构造poc,<span style="color: black;">循序渐进</span>地测试。在这个<span style="color: black;">办法</span>中,<span style="color: black;">咱们</span><span style="color: black;">能够</span>看到1437行中有一个call_user_func(),并且这个<span style="color: black;">办法</span>中的传参并<span style="color: black;">无</span>被写死,<span style="color: black;">因此</span><span style="color: black;">咱们</span><span style="color: black;">能够</span>尝试去构造<span style="color: black;">有些</span>东西。</span></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;"><strong style="color: blue;"><span style="color: black;">(五)扩大攻击面</span></strong></span></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;"><span style="color: black;">咱们</span><span style="color: black;">经过</span>这次分享,<span style="color: black;">晓得</span>了tp、命名空间是怎么用,<span style="color: black;">认识</span>到<span style="color: black;">怎样</span><span style="color: black;">经过</span><span style="color: black;">运用</span>命名空间去<span style="color: black;">拜访</span>一个含有恶意代码的类。<span style="color: black;">经过</span>这种方式,<span style="color: black;">咱们</span><span style="color: black;">能够</span>尝试扩大自己的攻击面,不<span style="color: black;">必定</span>要从call_user_func这种<span style="color: black;">办法</span>直接入手,<span style="color: black;">然则</span><span style="color: black;">咱们</span><span style="color: black;">能够</span>去尝试读文件<span style="color: black;">或</span>任意删除这种东西。虽然<span style="color: black;">咱们</span>相比于这种低危<span style="color: black;">或</span>中危漏洞,更倾向于RCE拿到权限,但有时候<span style="color: black;">有些</span>中低危<span style="color: black;">亦</span>有可能会<span style="color: black;">包括</span><span style="color: black;">有些</span>比较隐蔽的、<span style="color: black;">提高</span><span style="color: black;">害处</span>的<span style="color: black;">办法</span>。</span></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;"><span style="color: black;">(六)<span style="color: black;">认识</span>小星,<span style="color: black;">认识</span>星云博创</span></strong></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">星云博创科技有限<span style="color: black;">机构</span>(简<span style="color: black;">叫作</span>“星云博创”)成立于2016年,是国内新兴的网络安全<span style="color: black;">制品</span>、可信安全管理平台、专业安全服务与<span style="color: black;">处理</span><span style="color: black;">方法</span>的综合<span style="color: black;">供给</span>商。星云博创设北京为北方总部,广州为南方总部,并于成都、合肥、南昌、贵州、武汉、太原、哈尔滨等多个城市设立分支<span style="color: black;">公司</span>。<span style="color: black;">同期</span>,星云博创为<span style="color: black;">持续</span>完善客户服务体系和应急响应体系,在全国10余个省、市、自治区、直辖市<span style="color: black;">创立</span>三级服务支持中心,7×24小时接受客户<span style="color: black;">需要</span>,<span style="color: black;">即时</span><span style="color: black;">供给</span>标准一致的安全服务。</span></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;"><span style="color: black;">做为</span>一家以技术先导的企业,星云博创始终<span style="color: black;">保持</span>在网络安全、数据安全、态势感知、等级<span style="color: black;">守护</span>、合规性安全管理等<span style="color: black;">行业</span>进行技术创新,利用安全分析、大数据分析、人工智能等技术,对网络空间安全要素、安全<span style="color: black;">危害</span>进行深度挖掘与<span style="color: black;">相关</span>分析,构建了多层次的纵深防御体系,<span style="color: black;">连续</span>推出态势感知平台、静态脱敏系统、终端安全监测系统等一系列优秀的安全<span style="color: black;">制品</span>和行业<span style="color: black;">处理</span><span style="color: black;">方法</span>,广泛应用于政府、运营商、医疗、教育、电力、能源等多个<span style="color: black;">行业</span>,让<span style="color: black;">危害</span>无所遁形。</span></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">星云博创已<span style="color: black;">得到</span>ISO9001、ISO27001、 ISO20000管理体系认证,CMMI5软件成熟度认证,信息系统安全集成服务、信息安全<span style="color: black;">危害</span><span style="color: black;">评定</span>服务、软件安全<span style="color: black;">研发</span>服务资质的CCRC二级认证,及安全运维服务资质、应急处理服务资质的CCRC三级认证。<span style="color: black;">另外</span>,星云博创还是国家信息安全漏洞库(CNNVD)技术支撑单位、海南省网络安全应急技术支撑单位、广州市应急联动<span style="color: black;">公司</span>支撑单位。</span></p>
“沙发”(SF,第一个回帖的人)
页:
[1]