Site updated: 2019-07-24 14:01:34

2019-07-24 14:01:50 +08:00 · 2019-07-24 14:01:50 +08:00 · 8eeaf683b8
commit 8eeaf683b8
parent d8a6a905c7
97 changed files with 152 additions and 140 deletions
--- a/2000/01/01/hello-world/index.html
+++ b/2000/01/01/hello-world/index.html
@ -641,7 +641,7 @@
      <i class="fa fa-area-chart"></i>
    </span>
    
-    <span title="Site words total count">64.5k</span>
+    <span title="Site words total count">64.4k</span>
  
 </div>

--- a/2018/11/16/BIBA访问控制模型实现(python)/index.html
+++ b/2018/11/16/BIBA访问控制模型实现(python)/index.html
@ -829,7 +829,7 @@
      <i class="fa fa-area-chart"></i>
    </span>
    
-    <span title="Site words total count">64.5k</span>
+    <span title="Site words total count">64.4k</span>
  
 </div>

--- a/2018/12/15/miio-control/index.html
+++ b/2018/12/15/miio-control/index.html
@ -731,7 +731,7 @@
      <i class="fa fa-area-chart"></i>
    </span>
    
-    <span title="Site words total count">64.5k</span>
+    <span title="Site words total count">64.4k</span>
  
 </div>

--- a/2018/12/23/基于规则引擎发现IOT设备/index.html
+++ b/2018/12/23/基于规则引擎发现IOT设备/index.html
@ -731,7 +731,7 @@
      <i class="fa fa-area-chart"></i>
    </span>
    
-    <span title="Site words total count">64.5k</span>
+    <span title="Site words total count">64.4k</span>
  
 </div>

--- a/2018/12/25/TCPDUMP拒绝服务攻击漏洞/index.html
+++ b/2018/12/25/TCPDUMP拒绝服务攻击漏洞/index.html
@ -736,7 +736,7 @@
      <i class="fa fa-area-chart"></i>
    </span>
    
-    <span title="Site words total count">64.5k</span>
+    <span title="Site words total count">64.4k</span>
  
 </div>

--- a/2019/01/16/wifi半双工侧信道攻击学习笔记/index.html
+++ b/2019/01/16/wifi半双工侧信道攻击学习笔记/index.html
@ -859,7 +859,7 @@ Server   -------wire----------|
      <i class="fa fa-area-chart"></i>
    </span>
    
-    <span title="Site words total count">64.5k</span>
+    <span title="Site words total count">64.4k</span>
  
 </div>

--- a/2019/02/22/qq数据库的加密解密/index.html
+++ b/2019/02/22/qq数据库的加密解密/index.html
@ -708,7 +708,7 @@
      <i class="fa fa-area-chart"></i>
    </span>
    
-    <span title="Site words total count">64.5k</span>
+    <span title="Site words total count">64.4k</span>
  
 </div>

--- a/2019/03/16/小米固件工具mkxqimage/index.html
+++ b/2019/03/16/小米固件工具mkxqimage/index.html
@ -715,7 +715,7 @@
      <i class="fa fa-area-chart"></i>
    </span>
    
-    <span title="Site words total count">64.5k</span>
+    <span title="Site words total count">64.4k</span>
  
 </div>

--- a/2019/03/23/auto-send-WX/index.html
+++ b/2019/03/23/auto-send-WX/index.html
@ -725,7 +725,7 @@
      <i class="fa fa-area-chart"></i>
    </span>
    
-    <span title="Site words total count">64.5k</span>
+    <span title="Site words total count">64.4k</span>
  
 </div>

--- a/2019/03/25/Samba-CVE/index.html
+++ b/2019/03/25/Samba-CVE/index.html
@ -750,7 +750,7 @@
      <i class="fa fa-area-chart"></i>
    </span>
    
-    <span title="Site words total count">64.5k</span>
+    <span title="Site words total count">64.4k</span>
  
 </div>

--- a/2019/03/28/逆向工程实验/index.html
+++ b/2019/03/28/逆向工程实验/index.html
@ -853,7 +853,7 @@
      <i class="fa fa-area-chart"></i>
    </span>
    
-    <span title="Site words total count">64.5k</span>
+    <span title="Site words total count">64.4k</span>
  
 </div>

--- a/2019/04/15/Caving-db-storage/index.html
+++ b/2019/04/15/Caving-db-storage/index.html
@ -774,7 +774,7 @@
      <i class="fa fa-area-chart"></i>
    </span>
    
-    <span title="Site words total count">64.5k</span>
+    <span title="Site words total count">64.4k</span>
  
 </div>

--- a/2019/04/21/XIAOMI-UPnP/index.html
+++ b/2019/04/21/XIAOMI-UPnP/index.html
@ -898,7 +898,7 @@
      <i class="fa fa-area-chart"></i>
    </span>
    
-    <span title="Site words total count">64.5k</span>
+    <span title="Site words total count">64.4k</span>
  
 </div>

--- a/2019/05/13/PE-file/index.html
+++ b/2019/05/13/PE-file/index.html
@ -817,7 +817,7 @@
      <i class="fa fa-area-chart"></i>
    </span>
    
-    <span title="Site words total count">64.5k</span>
+    <span title="Site words total count">64.4k</span>
  
 </div>

--- a/2019/05/14/pack-and-unpack/index.html
+++ b/2019/05/14/pack-and-unpack/index.html
@ -739,7 +739,7 @@
      <i class="fa fa-area-chart"></i>
    </span>
    
-    <span title="Site words total count">64.5k</span>
+    <span title="Site words total count">64.4k</span>
  
 </div>

--- a/2019/07/01/AFL-first-learn/index.html
+++ b/2019/07/01/AFL-first-learn/index.html
@ -1012,7 +1012,7 @@
      <i class="fa fa-area-chart"></i>
    </span>
    
-    <span title="Site words total count">64.5k</span>
+    <span title="Site words total count">64.4k</span>
  
 </div>

--- a/2019/07/09/afl-first-try/index.html
+++ b/2019/07/09/afl-first-try/index.html
@ -802,7 +802,7 @@
      <i class="fa fa-area-chart"></i>
    </span>
    
-    <span title="Site words total count">64.5k</span>
+    <span title="Site words total count">64.4k</span>
  
 </div>

--- a/2019/07/10/x86basic/index.html
+++ b/2019/07/10/x86basic/index.html
@ -834,7 +834,7 @@
      <i class="fa fa-area-chart"></i>
    </span>
    
-    <span title="Site words total count">64.5k</span>
+    <span title="Site words total count">64.4k</span>
  
 </div>

--- a/2019/07/16/linux-pwn-32/index.html
+++ b/2019/07/16/linux-pwn-32/index.html
@ -817,7 +817,7 @@
      <i class="fa fa-area-chart"></i>
    </span>
    
-    <span title="Site words total count">64.5k</span>
+    <span title="Site words total count">64.4k</span>
  
 </div>

--- a/2019/07/24/web-dvwa/index.html
+++ b/2019/07/24/web-dvwa/index.html
@ -87,7 +87,7 @@
 <meta property="og:site_name" content="混元霹雳手">
 <meta property="og:description" content="搭建环境最好使用docker来搭建，方便迁移 https://hub.docker.com/r/vulnerables/web-dvwa/ 暴力破解easy模式 密码破解是从存储在计算机系统中或由计算机系统传输的数据中恢复密码的过程。一种常见的方法是反复尝试密码的猜测。用户经常选择弱密码。不安全选择的例子包括在词典中找到的单个单词，姓氏，任何太短的密码（通常被认为少于6或7个字符），或可预测的模式">
 <meta property="og:locale" content="zh-Hans">
-<meta property="og:updated_time" content="2019-07-24T03:48:23.821Z">
+<meta property="og:updated_time" content="2019-07-24T06:00:56.862Z">
 <meta name="twitter:card" content="summary">
 <meta name="twitter:title" content="DVWA黑客攻防平台">
 <meta name="twitter:description" content="搭建环境最好使用docker来搭建，方便迁移 https://hub.docker.com/r/vulnerables/web-dvwa/ 暴力破解easy模式 密码破解是从存储在计算机系统中或由计算机系统传输的数据中恢复密码的过程。一种常见的方法是反复尝试密码的猜测。用户经常选择弱密码。不安全选择的例子包括在词典中找到的单个单词，姓氏，任何太短的密码（通常被认为少于6或7个字符），或可预测的模式">
@ -481,18 +481,14 @@
 <h2 id="medium模式-2"><a href="#medium模式-2" class="headerlink" title="medium模式"></a>medium模式</h2><p>检查 HTTP_REFERER（http包头的Referer参数的值，表示来源地址）中是否包含SERVER_NAME（http包头的Host参数，及要访问的主机名，）<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">// Checks to see where the request came from</span><br><span class="line">    if( stripos( $_SERVER[ &apos;HTTP_REFERER&apos; ] ,$_SERVER[ &apos;SERVER_NAME&apos; ]) !== false ) &#123;</span><br></pre></td></tr></table></figure></p>
 <p>想要通过验证，就必须保证在http请求中Referer字段中必须包含Host<br>我们这需要把上面的攻击页面名字改成包含host就可以了。(把攻击页面放在服务器上)</p>
 <h1 id="文件包含"><a href="#文件包含" class="headerlink" title="文件包含"></a>文件包含</h1><h2 id="easy模式-3"><a href="#easy模式-3" class="headerlink" title="easy模式"></a>easy模式</h2><p>某些Web应用程序允许用户指定直接用于文件流的输入，或允许用户将文件上载到服务器。稍后，Web应用程序访问Web应用程序上下文中的用户提供的输入。通过这样做，Web应用程序允许潜在的恶意文件执行。<br>如果选择要包含的文件在目标计算机上是本地的，则称为“本地文件包含（LFI）。但是文件也可以包含在其他计算机上，然后攻击是”远程文件包含（RFI）。<br>当RFI不是一种选择时。使用LFI的另一个漏洞（例如文件上传和目录遍历）通常可以达到同样的效果。<br>注意，术语“文件包含”与“任意文件访问”或“文件公开”不同。<br>只使用文件包含来阅读’../hackable/flags/fi.php’中的所有五个着名引号。<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br></pre></td><td class="code"><pre><span class="line">&lt;?php</span><br><span class="line"></span><br><span class="line">// The page we wish to display</span><br><span class="line">$file = $_GET[ &apos;page&apos; ];</span><br><span class="line"></span><br><span class="line">?&gt;</span><br></pre></td></tr></table></figure></p>
-<p>文件包含漏洞的一般特征如下：</p>
-<p>?page=a.php</p>
-<p>?home=a.html</p>
-<p>?file=content</p>
-<p>几种经典的测试方法：</p>
-<p>?file=../../../../../etc/passwdd<br>?page=file:///etc/passwd<br>?home=main.cgi<br>?page=<a href="http://www.a.com/1.php" target="_blank" rel="noopener">http://www.a.com/1.php</a><br>=<a href="http://1.1.1.1/../../../../dir/file.txt" target="_blank" rel="noopener">http://1.1.1.1/../../../../dir/file.txt</a><br>（通过多个../可以让目录回到根目录中然后再进入目标目录）</p>
+<p>文件包含漏洞的一般特征如下：<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line">?page=a.php</span><br><span class="line"></span><br><span class="line">?home=a.html</span><br><span class="line"></span><br><span class="line">?file=content</span><br></pre></td></tr></table></figure></p>
+<p>几种经典的测试方法：<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br></pre></td><td class="code"><pre><span class="line">?file=../../../../../etc/passwdd</span><br><span class="line">?page=file:///etc/passwd</span><br><span class="line">?home=main.cgi</span><br><span class="line">?page=http://www.a.com/1.php</span><br><span class="line">=http://1.1.1.1/../../../../dir/file.txt</span><br><span class="line">（通过多个../可以让目录回到根目录中然后再进入目标目录）</span><br></pre></td></tr></table></figure></p>
 <h2 id="medium模式-3"><a href="#medium模式-3" class="headerlink" title="medium模式"></a>medium模式</h2><p>增加对绝对路径http和相对路径的检查<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">// Input validation</span><br><span class="line">$file = str_replace( array( &quot;http://&quot;, &quot;https://&quot; ), &quot;&quot;, $file );</span><br><span class="line">$file = str_replace( array( &quot;../&quot;, &quot;..\&quot;&quot; ), &quot;&quot;, $file );</span><br></pre></td></tr></table></figure></p>
 <p>但依然可以使用?page=file:///etc/passwd<br>以及重复字符过滤方法,构造url</p>
 <ol>
-<li>构造url为httphttp://  –&gt; http</li>
-<li>构造url为httphttp://://  –&gt;http://</li>
-<li>构造url为…/./   –&gt;  ../</li>
+<li>构造url为   httphttp://  –&gt; http</li>
+<li>构造url为   httphttp://://  –&gt;http://</li>
+<li>构造url为   …/./   –&gt;  ../</li>
 </ol>
 <h1 id="文件上传"><a href="#文件上传" class="headerlink" title="文件上传"></a>文件上传</h1><h2 id="easy模式-4"><a href="#easy模式-4" class="headerlink" title="easy模式"></a>easy模式</h2><blockquote>
 <p>上传的文件对Web应用程序构成重大风险。许多攻击的第一步是将一些代码提供给系统进行攻击。然后攻击者只需要找到一种方法来执行代码。使用文件上传有助于攻击者完成第一步。<br>不受限制的文件上载的后果可能会有所不同，包括完整的系统接管，过载的文件系统，向后端系统转发攻击以及简单的污损。这取决于应用程序对上传文件的作用，包括存储位置。<br>由于此文件上载漏洞，请在目标系统上执行您选择的任何PHP函数（例如phpinfo（）或system（））。</p>
@ -513,11 +509,11 @@
 <h1 id="SQL盲注"><a href="#SQL盲注" class="headerlink" title="SQL盲注"></a>SQL盲注</h1><blockquote>
 <p>盲注，与一般注入的区别在于，一般的注入攻击者可以直接从页面上看到注入语句的执行结果，而盲注时攻击者通常是无法从显示页面上获取执行结果，甚至连注入语句是否执行都无从得知，因此盲注的难度要比一般注入高。目前网络上现存的SQL注入漏洞大多是SQL盲注。<br>1.判断是否存在注入，注入是字符型还是数字型<br>2.猜解当前数据库名<br>3.猜解数据库中的表名<br>4.猜解表中的字段名<br>5.猜解数据</p>
 </blockquote>
-<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br></pre></td><td class="code"><pre><span class="line">&lt;?php</span><br><span class="line"></span><br><span class="line">if( isset( $_GET[ &apos;Submit&apos; ] ) ) &#123;</span><br><span class="line">    // Get input</span><br><span class="line">    $id = $_GET[ &apos;id&apos; ];</span><br><span class="line"></span><br><span class="line">    // Check database</span><br><span class="line">    $getid  = &quot;SELECT first_name, last_name FROM users WHERE user_id = &apos;$id&apos;;&quot;;</span><br><span class="line">    $result = mysqli_query($GLOBALS[&quot;___mysqli_ston&quot;],  $getid ); // Removed &apos;or die&apos; to suppress mysql errors</span><br><span class="line"></span><br><span class="line">    // Get results</span><br><span class="line">    $num = @mysqli_num_rows( $result ); // The &apos;@&apos; character suppresses errors</span><br><span class="line">    if( $num &gt; 0 ) &#123;</span><br><span class="line">        // Feedback for end user</span><br><span class="line">        echo &apos;&lt;pre&gt;User ID exists in the database.&lt;/pre&gt;&apos;;</span><br><span class="line">    &#125;</span><br><span class="line">    else &#123;</span><br><span class="line">        // User wasn&apos;t found, so the page wasn&apos;t!</span><br><span class="line">        header( $_SERVER[ &apos;SERVER_PROTOCOL&apos; ] . &apos; 404 Not Found&apos; );</span><br><span class="line"></span><br><span class="line">        // Feedback for end user</span><br><span class="line">        echo &apos;&lt;pre&gt;User ID is MISSING from the database.&lt;/pre&gt;&apos;;</span><br><span class="line">    &#125;</span><br><span class="line"></span><br><span class="line">    ((is_null($___mysqli_res = mysqli_close($GLOBALS[&quot;___mysqli_ston&quot;]))) ? false : $___mysqli_res);</span><br><span class="line">&#125;</span><br><span class="line"></span><br><span class="line">?&gt;</span><br></pre></td></tr></table></figure>
+<figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">&lt;?php</span></span><br><span class="line"></span><br><span class="line"><span class="keyword">if</span>( <span class="keyword">isset</span>( $_GET[ <span class="string">'Submit'</span> ] ) ) &#123;</span><br><span class="line">    <span class="comment">// Get input</span></span><br><span class="line">    $id = $_GET[ <span class="string">'id'</span> ];</span><br><span class="line"></span><br><span class="line">    <span class="comment">// Check database</span></span><br><span class="line">    $getid  = <span class="string">"SELECT first_name, last_name FROM users WHERE user_id = '$id';"</span>;</span><br><span class="line">    $result = mysqli_query($GLOBALS[<span class="string">"___mysqli_ston"</span>],  $getid ); <span class="comment">// Removed 'or die' to suppress mysql errors</span></span><br><span class="line"></span><br><span class="line">    <span class="comment">// Get results</span></span><br><span class="line">    $num = @mysqli_num_rows( $result ); <span class="comment">// The '@' character suppresses errors</span></span><br><span class="line">    <span class="keyword">if</span>( $num &gt; <span class="number">0</span> ) &#123;</span><br><span class="line">        <span class="comment">// Feedback for end user</span></span><br><span class="line">        <span class="keyword">echo</span> <span class="string">'&lt;pre&gt;User ID exists in the database.&lt;/pre&gt;'</span>;</span><br><span class="line">    &#125;</span><br><span class="line">    <span class="keyword">else</span> &#123;</span><br><span class="line">        <span class="comment">// User wasn't found, so the page wasn't!</span></span><br><span class="line">        header( $_SERVER[ <span class="string">'SERVER_PROTOCOL'</span> ] . <span class="string">' 404 Not Found'</span> );</span><br><span class="line"></span><br><span class="line">        <span class="comment">// Feedback for end user</span></span><br><span class="line">        <span class="keyword">echo</span> <span class="string">'&lt;pre&gt;User ID is MISSING from the database.&lt;/pre&gt;'</span>;</span><br><span class="line">    &#125;</span><br><span class="line"></span><br><span class="line">    ((is_null($___mysqli_res = mysqli_close($GLOBALS[<span class="string">"___mysqli_ston"</span>]))) ? <span class="keyword">false</span> : $___mysqli_res);</span><br><span class="line">&#125;</span><br><span class="line"></span><br><span class="line"><span class="meta">?&gt;</span></span><br></pre></td></tr></table></figure>
 <p>查看源码发现还是没有对id做过滤，但是它不会返回错误信息，只会告诉你User ID exists in the database.以及User ID is MISSING from the database.</p>
 <p>盲注分为基于布尔的盲注、基于时间的盲注以及基于报错的盲注。<br>如果手工盲注的话，需要对sql语法相当熟悉。类似：<br><a href="https://www.freebuf.com/articles/web/120985.html" target="_blank" rel="noopener">https://www.freebuf.com/articles/web/120985.html</a><br>如果自动盲注的话，可以使用sqlmap来完成，类似：<br><a href="https://www.jianshu.com/p/ec2ca79e74b2" target="_blank" rel="noopener">https://www.jianshu.com/p/ec2ca79e74b2</a></p>
 <h1 id="弱session-id"><a href="#弱session-id" class="headerlink" title="弱session-id"></a>弱session-id</h1><h2 id="easy模式-6"><a href="#easy模式-6" class="headerlink" title="easy模式"></a>easy模式</h2><p>session-ID通常是在登录后作为特定用户访问站点所需的唯一内容，如果能够计算或轻易猜到该会话ID，则攻击者将有一种简单的方法来获取访问权限。无需知道账户密码或查找其他漏洞，如跨站点脚本。</p>
-<p>根据源码可以看出来session每次加1<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br></pre></td><td class="code"><pre><span class="line">&lt;?php</span><br><span class="line"></span><br><span class="line">$html = &quot;&quot;;</span><br><span class="line"></span><br><span class="line">if ($_SERVER[&apos;REQUEST_METHOD&apos;] == &quot;POST&quot;) &#123;</span><br><span class="line">    if (!isset ($_SESSION[&apos;last_session_id&apos;])) &#123;</span><br><span class="line">        $_SESSION[&apos;last_session_id&apos;] = 0;</span><br><span class="line">    &#125;</span><br><span class="line">    $_SESSION[&apos;last_session_id&apos;]++;</span><br><span class="line">    $cookie_value = $_SESSION[&apos;last_session_id&apos;];</span><br><span class="line">    setcookie(&quot;dvwaSession&quot;, $cookie_value);</span><br><span class="line">&#125;</span><br><span class="line">?&gt;</span><br></pre></td></tr></table></figure></p>
+<p>根据源码可以看出来session每次加1<br><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">&lt;?php</span></span><br><span class="line"></span><br><span class="line">$html = <span class="string">""</span>;</span><br><span class="line"></span><br><span class="line"><span class="keyword">if</span> ($_SERVER[<span class="string">'REQUEST_METHOD'</span>] == <span class="string">"POST"</span>) &#123;</span><br><span class="line">    <span class="keyword">if</span> (!<span class="keyword">isset</span> ($_SESSION[<span class="string">'last_session_id'</span>])) &#123;</span><br><span class="line">        $_SESSION[<span class="string">'last_session_id'</span>] = <span class="number">0</span>;</span><br><span class="line">    &#125;</span><br><span class="line">    $_SESSION[<span class="string">'last_session_id'</span>]++;</span><br><span class="line">    $cookie_value = $_SESSION[<span class="string">'last_session_id'</span>];</span><br><span class="line">    setcookie(<span class="string">"dvwaSession"</span>, $cookie_value);</span><br><span class="line">&#125;</span><br><span class="line"><span class="meta">?&gt;</span></span><br></pre></td></tr></table></figure></p>
 <p>按f12看application-cookies也能发现这个规律。<br>然后使用hackbar这个扩展程序攻击。</p>
 <h2 id="medium模式-6"><a href="#medium模式-6" class="headerlink" title="medium模式"></a>medium模式</h2><p>从源码中可以看到dvwaSession就是时间戳<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br></pre></td><td class="code"><pre><span class="line">&lt;?php</span><br><span class="line"></span><br><span class="line">$html = &quot;&quot;;</span><br><span class="line"></span><br><span class="line">if ($_SERVER[&apos;REQUEST_METHOD&apos;] == &quot;POST&quot;) &#123;</span><br><span class="line">    $cookie_value = time();</span><br><span class="line">    setcookie(&quot;dvwaSession&quot;, $cookie_value);</span><br><span class="line">&#125;</span><br><span class="line">?&gt;</span><br></pre></td></tr></table></figure></p>
 <h1 id="基于DOM的XSS"><a href="#基于DOM的XSS" class="headerlink" title="基于DOM的XSS"></a>基于DOM的XSS</h1><h2 id="easy模式-7"><a href="#easy模式-7" class="headerlink" title="easy模式"></a>easy模式</h2><blockquote>
@ -537,38 +533,28 @@
 <p>绕过有两种方式</p>
 <ol>
 <li>方式1<br>url中有一个字符为#，该字符后的数据不会发送到服务器端，从而绕过服务端过滤<br><code>http://192.168.31.84:81/vulnerabilities/xss_d/?default=English#&lt;script&gt;alert(document.cookie)&lt;/script&gt;</code></li>
-<li>方法2<br>或者就是用img标签或其他标签的特性去执行js代码，比如img标签的onerror事件，构造连接(通过加载一个不存在的图片出错出发javascript onerror事件,继续弹框，证明出来有xss)<br>`<a href="http://192.168.31.84:81/vulnerabilities/xss_d/?default=English%3E/option%3E%3C/select%3E%3Cimg%20src=#%20onerror=alert(/xss/)%3E&#39;" target="_blank" rel="noopener">http://192.168.31.84:81/vulnerabilities/xss_d/?default=English%3E/option%3E%3C/select%3E%3Cimg%20src=#%20onerror=alert(/xss/)%3E&#39;</a></li>
+<li>方法2<br>或者就是用img标签或其他标签的特性去执行js代码，比如img标签的onerror事件，构造连接(通过加载一个不存在的图片出错出发javascript onerror事件,继续弹框，证明出来有xss)<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br></pre></td><td class="code"><pre><span class="line"></span><br><span class="line"># 反射型xss</span><br><span class="line">## easy模式</span><br><span class="line">&gt; 反射型（非持久）：主要用于将恶意代码附加到URL地址的参数中，常用于窃取客户端cookie信息和钓鱼欺骗。</span><br><span class="line"></span><br><span class="line">查看源码，服务器直接把客户端的输入返回回来显示</span><br><span class="line">```php</span><br><span class="line">&lt;?php</span><br><span class="line"></span><br><span class="line">header (&quot;X-XSS-Protection: 0&quot;);</span><br><span class="line"></span><br><span class="line">// Is there any input?</span><br><span class="line">if( array_key_exists( &quot;name&quot;, $_GET ) &amp;&amp; $_GET[ &apos;name&apos; ] != NULL ) &#123;</span><br><span class="line">    // Feedback for end user</span><br><span class="line">    echo &apos;&lt;pre&gt;Hello &apos; . $_GET[ &apos;name&apos; ] . &apos;&lt;/pre&gt;&apos;;</span><br><span class="line">&#125;</span><br><span class="line"></span><br><span class="line">?&gt;</span><br></pre></td></tr></table></figure>
+</li>
 </ol>
-<h1 id="反射型xss"><a href="#反射型xss" class="headerlink" title="反射型xss"></a>反射型xss</h1><h2 id="easy模式-8"><a href="#easy模式-8" class="headerlink" title="easy模式"></a>easy模式</h2><blockquote>
-<p>反射型（非持久）：主要用于将恶意代码附加到URL地址的参数中，常用于窃取客户端cookie信息和钓鱼欺骗。</p>
-</blockquote>
-<p>查看源码，服务器直接把客户端的输入返回回来显示<br><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">&lt;?php</span></span><br><span class="line"></span><br><span class="line">header (<span class="string">"X-XSS-Protection: 0"</span>);</span><br><span class="line"></span><br><span class="line"><span class="comment">// Is there any input?</span></span><br><span class="line"><span class="keyword">if</span>( array_key_exists( <span class="string">"name"</span>, $_GET ) &amp;&amp; $_GET[ <span class="string">'name'</span> ] != <span class="keyword">NULL</span> ) &#123;</span><br><span class="line">    <span class="comment">// Feedback for end user</span></span><br><span class="line">    <span class="keyword">echo</span> <span class="string">'&lt;pre&gt;Hello '</span> . $_GET[ <span class="string">'name'</span> ] . <span class="string">'&lt;/pre&gt;'</span>;</span><br><span class="line">&#125;</span><br><span class="line"></span><br><span class="line"><span class="meta">?&gt;</span></span><br></pre></td></tr></table></figure></p>
 <p><a href="http://192.168.31.84:81/vulnerabilities/xss_r/?name=%3Cscript%3Ealert(%27xss%27)%3C/script%3E" target="_blank" rel="noopener">http://192.168.31.84:81/vulnerabilities/xss_r/?name=%3Cscript%3Ealert(%27xss%27)%3C/script%3E</a></p>
 <h2 id="medium模式-8"><a href="#medium模式-8" class="headerlink" title="medium模式"></a>medium模式</h2><p>源码里检查了script标签<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">// Get input</span><br><span class="line">   $name = str_replace( &apos;&lt;script&gt;&apos;, &apos;&apos;, $_GET[ &apos;name&apos; ] );</span><br></pre></td></tr></table></figure></p>
-<p>str_replace这个函数是不区分大小写的，而且只替换一次<br>改成大写就可以了<script>alert(‘xss’)</script><br>或者嵌套&lt;scr<script>ipt&gt;alert(‘xss’)</script></p>
-<p>但对name审查没有这么严格，同样可以采用嵌套或大小写的方法：</p>
-<p>&lt;scr<script>ipt&gt;alert(‘fuck’)</script></p>
-<p><script>alert(‘fuck’)</script></p>
-<h1 id="存储型xss"><a href="#存储型xss" class="headerlink" title="存储型xss"></a>存储型xss</h1><h2 id="easy模式-9"><a href="#easy模式-9" class="headerlink" title="easy模式"></a>easy模式</h2><blockquote>
+<p>str_replace这个函数是不区分大小写的，而且只替换一次<br>改成大写就可以了<code>&lt;SCRIPT&gt;alert(&#39;xss&#39;)&lt;/script&gt;</code><br>或者嵌套<code>&lt;scr&lt;script&gt;ipt&gt;alert(&#39;xss&#39;)&lt;/script&gt;</code></p>
+<p>但对name审查没有这么严格，同样可以采用嵌套或大小写的方法：<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">&lt;scr&lt;script&gt;ipt&gt;alert(&apos;fuck&apos;)&lt;/script&gt;</span><br><span class="line">&lt;SCRIPT&gt;alert(&apos;fuck&apos;)&lt;/script&gt;</span><br></pre></td></tr></table></figure></p>
+<h1 id="存储型xss"><a href="#存储型xss" class="headerlink" title="存储型xss"></a>存储型xss</h1><h2 id="easy模式-8"><a href="#easy模式-8" class="headerlink" title="easy模式"></a>easy模式</h2><blockquote>
 <p>“跨站点脚本（XSS）”攻击是一种注入问题，其中恶意脚本被注入到其他良性和可信赖的网站中。当攻击者使用Web应用程序将恶意代码（通常以浏览器端脚本的形式）发送给不同的最终用户时，就会发生XSS攻击。允许这些攻击成功的缺陷非常普遍，并且发生在使用输出中的用户输入的Web应用程序的任何地方，而不验证或编码它。</p>
 <p>攻击者可以使用XSS将恶意脚本发送给毫无戒心的用户。最终用户的浏览器无法知道该脚本不应该被信任，并将执行JavaScript。因为它认为脚本来自可靠来源，所以恶意脚本可以访问您的浏览器保留并与该站点一起使用的任何cookie，会话令牌或其他敏感信息。这些脚本甚至可以重写HTML页面的内容。</p>
 <p>XSS存储在数据库中。 XSS是永久性的，直到重置数据库或手动删除有效负载。</p>
 </blockquote>
-<p>查看源码<br>trim是去除掉用户输入内容前后的空格。stripslashes是去除反斜杠，两个只会去除一个。mysqli_real_escap_string过滤掉内容中特殊字符，像x00,n,r,,’,”,x1a等，来预防数据库攻击。<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br></pre></td><td class="code"><pre><span class="line">&lt;?php</span><br><span class="line"></span><br><span class="line">if( isset( $_POST[ &apos;btnSign&apos; ] ) ) &#123;</span><br><span class="line">    // Get input</span><br><span class="line">    $message = trim( $_POST[ &apos;mtxMessage&apos; ] );</span><br><span class="line">    $name    = trim( $_POST[ &apos;txtName&apos; ] );</span><br><span class="line"></span><br><span class="line">    // Sanitize message input</span><br><span class="line">    $message = stripslashes( $message );</span><br><span class="line">    $message = ((isset($GLOBALS[&quot;___mysqli_ston&quot;]) &amp;&amp; is_object($GLOBALS[&quot;___mysqli_ston&quot;])) ? mysqli_real_escape_string($GLOBALS[&quot;___mysqli_ston&quot;],  $message ) : ((trigger_error(&quot;[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.&quot;, E_USER_ERROR)) ? &quot;&quot; : &quot;&quot;));</span><br><span class="line"></span><br><span class="line">    // Sanitize name input</span><br><span class="line">    $name = ((isset($GLOBALS[&quot;___mysqli_ston&quot;]) &amp;&amp; is_object($GLOBALS[&quot;___mysqli_ston&quot;])) ? mysqli_real_escape_string($GLOBALS[&quot;___mysqli_ston&quot;],  $name ) : ((trigger_error(&quot;[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.&quot;, E_USER_ERROR)) ? &quot;&quot; : &quot;&quot;));</span><br><span class="line"></span><br><span class="line">    // Update database</span><br><span class="line">    $query  = &quot;INSERT INTO guestbook ( comment, name ) VALUES ( &apos;$message&apos;, &apos;$name&apos; );&quot;;</span><br><span class="line">    $result = mysqli_query($GLOBALS[&quot;___mysqli_ston&quot;],  $query ) or die( &apos;&lt;pre&gt;&apos; . ((is_object($GLOBALS[&quot;___mysqli_ston&quot;])) ? mysqli_error($GLOBALS[&quot;___mysqli_ston&quot;]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . &apos;&lt;/pre&gt;&apos; );</span><br><span class="line"></span><br><span class="line">    //mysql_close();</span><br><span class="line">&#125;</span><br><span class="line"></span><br><span class="line">?&gt;</span><br></pre></td></tr></table></figure></p>
+<p>查看源码<br>trim是去除掉用户输入内容前后的空格。stripslashes是去除反斜杠，两个只会去除一个。mysqli_real_escap_string过滤掉内容中特殊字符，像x00,n,r,,’,”,x1a等，来预防数据库攻击。<br><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">&lt;?php</span></span><br><span class="line"></span><br><span class="line"><span class="keyword">if</span>( <span class="keyword">isset</span>( $_POST[ <span class="string">'btnSign'</span> ] ) ) &#123;</span><br><span class="line">    <span class="comment">// Get input</span></span><br><span class="line">    $message = trim( $_POST[ <span class="string">'mtxMessage'</span> ] );</span><br><span class="line">    $name    = trim( $_POST[ <span class="string">'txtName'</span> ] );</span><br><span class="line"></span><br><span class="line">    <span class="comment">// Sanitize message input</span></span><br><span class="line">    $message = stripslashes( $message );</span><br><span class="line">    $message = ((<span class="keyword">isset</span>($GLOBALS[<span class="string">"___mysqli_ston"</span>]) &amp;&amp; is_object($GLOBALS[<span class="string">"___mysqli_ston"</span>])) ? mysqli_real_escape_string($GLOBALS[<span class="string">"___mysqli_ston"</span>],  $message ) : ((trigger_error(<span class="string">"[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work."</span>, E_USER_ERROR)) ? <span class="string">""</span> : <span class="string">""</span>));</span><br><span class="line"></span><br><span class="line">    <span class="comment">// Sanitize name input</span></span><br><span class="line">    $name = ((<span class="keyword">isset</span>($GLOBALS[<span class="string">"___mysqli_ston"</span>]) &amp;&amp; is_object($GLOBALS[<span class="string">"___mysqli_ston"</span>])) ? mysqli_real_escape_string($GLOBALS[<span class="string">"___mysqli_ston"</span>],  $name ) : ((trigger_error(<span class="string">"[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work."</span>, E_USER_ERROR)) ? <span class="string">""</span> : <span class="string">""</span>));</span><br><span class="line"></span><br><span class="line">    <span class="comment">// Update database</span></span><br><span class="line">    $query  = <span class="string">"INSERT INTO guestbook ( comment, name ) VALUES ( '$message', '$name' );"</span>;</span><br><span class="line">    $result = mysqli_query($GLOBALS[<span class="string">"___mysqli_ston"</span>],  $query ) <span class="keyword">or</span> <span class="keyword">die</span>( <span class="string">'&lt;pre&gt;'</span> . ((is_object($GLOBALS[<span class="string">"___mysqli_ston"</span>])) ? mysqli_error($GLOBALS[<span class="string">"___mysqli_ston"</span>]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : <span class="keyword">false</span>)) . <span class="string">'&lt;/pre&gt;'</span> );</span><br><span class="line"></span><br><span class="line">    <span class="comment">//mysql_close();</span></span><br><span class="line">&#125;</span><br><span class="line"></span><br><span class="line"><span class="meta">?&gt;</span></span><br></pre></td></tr></table></figure></p>
 <p>插入之后会成为页面的元素显示出来<br><code>&lt;div id=&quot;guestbook_comments&quot;&gt;Name: 11&lt;br /&gt;Message: 111&lt;br /&gt;&lt;/div&gt;</code><br>看一下提交的方式：<br><code>txtName=22&amp;mtxMessage=222&amp;btnSign=Sign+Guestbook</code><br>直接插入script语句，<code>txtName=22&lt;script&gt;alert(1)&lt;/script&gt;&amp;mtxMessage=222&amp;btnSign=Sign+Guestbook</code></p>
-<h2 id="medium模式-9"><a href="#medium模式-9" class="headerlink" title="medium模式"></a>medium模式</h2><p>源码中增加了几个函数的使用：</p>
-<ul>
-<li>$message = strip_tags(addslashes($message)); 剥去字符串中的 HTML、XML 以及 PHP 的标签。</li>
-<li>$message = htmlspecialchars( $message ); 把预定义的字符 “&lt;” （小于）和 “&gt;” （大于）转换为 HTML 实体：</li>
-<li>$name = str_replace( ‘<script>‘, ‘’, $name );</li>
-</ul>
-<h1 id="绕过安全策略"><a href="#绕过安全策略" class="headerlink" title="绕过安全策略"></a>绕过安全策略</h1><h2 id="easy模式-10"><a href="#easy模式-10" class="headerlink" title="easy模式"></a>easy模式</h2><blockquote>
+<h2 id="medium模式-9"><a href="#medium模式-9" class="headerlink" title="medium模式"></a>medium模式</h2><p>源码中增加了几个函数的使用：<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">*  $message = strip_tags(addslashes($message)); 剥去字符串中的 HTML、XML 以及 PHP 的标签。</span><br><span class="line">* $message = htmlspecialchars( $message ); 把预定义的字符 &quot;&lt;&quot; （小于）和 &quot;&gt;&quot; （大于）转换为 HTML 实体：</span><br><span class="line">*  $name = str_replace( &apos;&lt;script&gt;&apos;, &apos;&apos;, $name );</span><br></pre></td></tr></table></figure></p>
+<h1 id="绕过安全策略"><a href="#绕过安全策略" class="headerlink" title="绕过安全策略"></a>绕过安全策略</h1><h2 id="easy模式-9"><a href="#easy模式-9" class="headerlink" title="easy模式"></a>easy模式</h2><blockquote>
 <p>内容安全策略（CSP）用于定义可以从中加载或执行脚本和其他资源的位置。本单元将引导您根据开发人员常见错误绕过策略。<br>这些漏洞都不是CSP中的实际漏洞，它们是实施漏洞的漏洞。</p>
 </blockquote>
-<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br></pre></td><td class="code"><pre><span class="line">&lt;?php</span><br><span class="line"></span><br><span class="line">$headerCSP = &quot;Content-Security-Policy: script-src &apos;self&apos; https://pastebin.com  example.com code.jquery.com https://ssl.google-analytics.com ;&quot;; // allows js from self, pastebin.com, jquery and google analytics.</span><br><span class="line"></span><br><span class="line">header($headerCSP);</span><br><span class="line"></span><br><span class="line"># https://pastebin.com/raw/R570EE00</span><br><span class="line"></span><br><span class="line">?&gt;</span><br><span class="line">&lt;?php</span><br><span class="line">if (isset ($_POST[&apos;include&apos;])) &#123;</span><br><span class="line">$page[ &apos;body&apos; ] .= &quot;</span><br><span class="line">    &lt;script src=&apos;&quot; . $_POST[&apos;include&apos;] . &quot;&apos;&gt;&lt;/script&gt;</span><br><span class="line">&quot;;</span><br><span class="line">&#125;</span><br><span class="line">$page[ &apos;body&apos; ] .= &apos;</span><br><span class="line">&lt;form name=&quot;csp&quot; method=&quot;POST&quot;&gt;</span><br><span class="line">    &lt;p&gt;You can include scripts from external sources, examine the Content Security Policy and enter a URL to include here:&lt;/p&gt;</span><br><span class="line">    &lt;input size=&quot;50&quot; type=&quot;text&quot; name=&quot;include&quot; value=&quot;&quot; id=&quot;include&quot; /&gt;</span><br><span class="line">    &lt;input type=&quot;submit&quot; value=&quot;Include&quot; /&gt;</span><br><span class="line">&lt;/form&gt;</span><br><span class="line">&apos;;</span><br></pre></td></tr></table></figure>
-<p>会在页面里增加一个body<code>&lt;script src=&#39;&quot; . $_POST[&#39;include&#39;] . &quot;&#39;&gt;&lt;/script&gt;</code><br>这里在源码中规定了信任的脚本源：<br><code>script-src &#39;self&#39; https://pastebin.com  example.com code.jquery.com https://ssl.google-analytics.com ;&quot;; // allows js from self, pastebin.com, jquery and google analytics.</code><br>输入源码中提示的<a href="https://pastebin.com/raw/R570EE00，弹窗成功">https://pastebin.com/raw/R570EE00，弹窗成功</a></p>
+<figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">&lt;?php</span></span><br><span class="line"></span><br><span class="line">$headerCSP = <span class="string">"Content-Security-Policy: script-src 'self' https://pastebin.com  example.com code.jquery.com https://ssl.google-analytics.com ;"</span>; <span class="comment">// allows js from self, pastebin.com, jquery and google analytics.</span></span><br><span class="line"></span><br><span class="line">header($headerCSP);</span><br><span class="line"></span><br><span class="line"><span class="comment"># https://pastebin.com/raw/R570EE00</span></span><br><span class="line"></span><br><span class="line"><span class="meta">?&gt;</span></span><br><span class="line"><span class="meta">&lt;?php</span></span><br><span class="line"><span class="keyword">if</span> (<span class="keyword">isset</span> ($_POST[<span class="string">'include'</span>])) &#123;</span><br><span class="line">$page[ <span class="string">'body'</span> ] .= <span class="string">"</span></span><br><span class="line"><span class="string">    &lt;script src='"</span> . $_POST[<span class="string">'include'</span>] . <span class="string">"'&gt;&lt;/script&gt;</span></span><br><span class="line"><span class="string">"</span>;</span><br><span class="line">&#125;</span><br><span class="line">$page[ <span class="string">'body'</span> ] .= <span class="string">'</span></span><br><span class="line"><span class="string">&lt;form name="csp" method="POST"&gt;</span></span><br><span class="line"><span class="string">    &lt;p&gt;You can include scripts from external sources, examine the Content Security Policy and enter a URL to include here:&lt;/p&gt;</span></span><br><span class="line"><span class="string">    &lt;input size="50" type="text" name="include" value="" id="include" /&gt;</span></span><br><span class="line"><span class="string">    &lt;input type="submit" value="Include" /&gt;</span></span><br><span class="line"><span class="string">&lt;/form&gt;</span></span><br><span class="line"><span class="string">'</span>;</span><br></pre></td></tr></table></figure>
+<p>会在页面里增加一个body<code>&lt;script src=&#39;&quot; . $_POST[&#39;include&#39;] . &quot;&#39;&gt;&lt;/script&gt;</code><br>这里在源码中规定了信任的脚本源：<br><code>script-src &#39;self&#39; https://pastebin.com  example.com code.jquery.com https://ssl.google-analytics.com ;&quot;; // allows js from self, pastebin.com, jquery and google analytics.</code><br>输入源码中提示的<a href="https://pastebin.com/raw/R570EE00，弹窗成功" target="_blank" rel="noopener">https://pastebin.com/raw/R570EE00，弹窗成功</a></p>
 <h2 id="medium模式-10"><a href="#medium模式-10" class="headerlink" title="medium模式"></a>medium模式</h2><p>如果你要使用 script 标签加载 javascript, 你需要指明其 nonce 值<br><code>$headerCSP = &quot;Content-Security-Policy: script-src &#39;self&#39; &#39;unsafe-inline&#39; &#39;nonce-TmV2ZXIgZ29pbmcgdG8gZ2l2ZSB5b3UgdXA=&#39;;&quot;;</code><br>比如：<br><code>&lt;script nonce=&quot;TmV2ZXIgZ29pbmcgdG8gZ2l2ZSB5b3UgdXA=&quot;&gt;alert(1)&lt;/script&gt;</code></p>
-<h1 id="JavaScript-Attacks"><a href="#JavaScript-Attacks" class="headerlink" title="JavaScript Attacks"></a>JavaScript Attacks</h1><h2 id="easy模式-11"><a href="#easy模式-11" class="headerlink" title="easy模式"></a>easy模式</h2><blockquote>
+<h1 id="JavaScript-Attacks"><a href="#JavaScript-Attacks" class="headerlink" title="JavaScript Attacks"></a>JavaScript Attacks</h1><h2 id="easy模式-10"><a href="#easy模式-10" class="headerlink" title="easy模式"></a>easy模式</h2><blockquote>
 <p>本节中的攻击旨在帮助您了解JavaScript在浏览器中的使用方式以及如何操作它。攻击可以通过分析网络流量来进行，但这不是重点，也可能要困难得多。<br>只需提交“成功”一词即可赢得关卡。显然，它并不那么容易，每个级别实现不同的保护机制，页面中包含的JavaScript必须进行分析，然后进行操作以绕过保护。</p>
 </blockquote>
 <p>提示我们Submit the word “success” to win.但是输入success却返回Invalid token.说明token值不对劲，后台应该是比较输入的字符串与‘success’。<br>查看源码发现token值是在前台计算的，md5(rot13(phrase))<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br></pre></td><td class="code"><pre><span class="line">function generate_token() &#123;</span><br><span class="line">    var phrase = document.getElementById(&quot;phrase&quot;).value;</span><br><span class="line">    document.getElementById(&quot;token&quot;).value = md5(rot13(phrase));</span><br><span class="line">&#125;</span><br><span class="line"></span><br><span class="line">generate_token();</span><br></pre></td></tr></table></figure></p>
@ -576,7 +562,7 @@
 <p>把值给隐藏的元素<code>&lt;input type=&quot;hidden&quot; name=&quot;token&quot; value=&quot;8b479aefbd90795395b3e7089ae0dc09&quot; id=&quot;token&quot;&gt;</code><br>然后提交success</p>
 <h2 id="medium模式-11"><a href="#medium模式-11" class="headerlink" title="medium模式"></a>medium模式</h2><p>生成token的代码在js文件中<br><figure class="highlight javascript"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br></pre></td><td class="code"><pre><span class="line"><span class="function"><span class="keyword">function</span> <span class="title">do_something</span>(<span class="params">e</span>) </span>&#123;</span><br><span class="line">    <span class="keyword">for</span> (<span class="keyword">var</span> t = <span class="string">""</span>, n = e.length - <span class="number">1</span>; n &gt;= <span class="number">0</span>; n--) t += e[n];</span><br><span class="line">    <span class="keyword">return</span> t</span><br><span class="line">&#125;</span><br><span class="line">setTimeout(<span class="function"><span class="keyword">function</span> (<span class="params"></span>) </span>&#123;</span><br><span class="line">    do_elsesomething(<span class="string">"XX"</span>)</span><br><span class="line">&#125;, <span class="number">300</span>);</span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">function</span> <span class="title">do_elsesomething</span>(<span class="params">e</span>) </span>&#123;</span><br><span class="line">    <span class="built_in">document</span>.getElementById(<span class="string">"token"</span>).value = do_something(e + <span class="built_in">document</span>.getElementById(<span class="string">"phrase"</span>).value + <span class="string">"XX"</span>)</span><br><span class="line">&#125;</span><br></pre></td></tr></table></figure></p>
 <p>输入success，然后控制台运行do_elsesomething(“XX”)就可以拿到token</p>
-</script></li></ul>
+
      
    </div>
    
@ -812,7 +798,7 @@
            

            
-              <div class="post-toc-content"><ol class="nav"><li class="nav-item nav-level-1"><a class="nav-link" href="#搭建环境"><span class="nav-text">搭建环境</span></a></li><li class="nav-item nav-level-1"><a class="nav-link" href="#暴力破解"><span class="nav-text">暴力破解</span></a><ol class="nav-child"><li class="nav-item nav-level-2"><a class="nav-link" href="#easy模式"><span class="nav-text">easy模式</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#medium模式"><span class="nav-text">medium模式</span></a></li></ol></li><li class="nav-item nav-level-1"><a class="nav-link" href="#命令执行"><span class="nav-text">命令执行</span></a><ol class="nav-child"><li class="nav-item nav-level-2"><a class="nav-link" href="#easy模式-1"><span class="nav-text">easy模式</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#medium模式-1"><span class="nav-text">medium模式</span></a></li></ol></li><li class="nav-item nav-level-1"><a class="nav-link" href="#CSRF"><span class="nav-text">CSRF</span></a><ol class="nav-child"><li class="nav-item nav-level-2"><a class="nav-link" href="#easy模式-2"><span class="nav-text">easy模式</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#medium模式-2"><span class="nav-text">medium模式</span></a></li></ol></li><li class="nav-item nav-level-1"><a class="nav-link" href="#文件包含"><span class="nav-text">文件包含</span></a><ol class="nav-child"><li class="nav-item nav-level-2"><a class="nav-link" href="#easy模式-3"><span class="nav-text">easy模式</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#medium模式-3"><span class="nav-text">medium模式</span></a></li></ol></li><li class="nav-item nav-level-1"><a class="nav-link" href="#文件上传"><span class="nav-text">文件上传</span></a><ol class="nav-child"><li class="nav-item nav-level-2"><a class="nav-link" href="#easy模式-4"><span class="nav-text">easy模式</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#medium模式-4"><span class="nav-text">medium模式</span></a></li></ol></li><li class="nav-item nav-level-1"><a class="nav-link" href="#SQL注入"><span class="nav-text">SQL注入</span></a><ol class="nav-child"><li class="nav-item nav-level-2"><a class="nav-link" href="#easy模式-5"><span class="nav-text">easy模式</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#medium模式-5"><span class="nav-text">medium模式</span></a></li></ol></li><li class="nav-item nav-level-1"><a class="nav-link" href="#SQL盲注"><span class="nav-text">SQL盲注</span></a></li><li class="nav-item nav-level-1"><a class="nav-link" href="#弱session-id"><span class="nav-text">弱session-id</span></a><ol class="nav-child"><li class="nav-item nav-level-2"><a class="nav-link" href="#easy模式-6"><span class="nav-text">easy模式</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#medium模式-6"><span class="nav-text">medium模式</span></a></li></ol></li><li class="nav-item nav-level-1"><a class="nav-link" href="#基于DOM的XSS"><span class="nav-text">基于DOM的XSS</span></a><ol class="nav-child"><li class="nav-item nav-level-2"><a class="nav-link" href="#easy模式-7"><span class="nav-text">easy模式</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#medium模式-7"><span class="nav-text">medium模式</span></a></li></ol></li><li class="nav-item nav-level-1"><a class="nav-link" href="#反射型xss"><span class="nav-text">反射型xss</span></a><ol class="nav-child"><li class="nav-item nav-level-2"><a class="nav-link" href="#easy模式-8"><span class="nav-text">easy模式</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#medium模式-8"><span class="nav-text">medium模式</span></a></li></ol></li><li class="nav-item nav-level-1"><a class="nav-link" href="#存储型xss"><span class="nav-text">存储型xss</span></a><ol class="nav-child"><li class="nav-item nav-level-2"><a class="nav-link" href="#easy模式-9"><span class="nav-text">easy模式</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#medium模式-9"><span class="nav-text">medium模式</span></a></li></ol></li></ol></div>
+              <div class="post-toc-content"><ol class="nav"><li class="nav-item nav-level-1"><a class="nav-link" href="#搭建环境"><span class="nav-text">搭建环境</span></a></li><li class="nav-item nav-level-1"><a class="nav-link" href="#暴力破解"><span class="nav-text">暴力破解</span></a><ol class="nav-child"><li class="nav-item nav-level-2"><a class="nav-link" href="#easy模式"><span class="nav-text">easy模式</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#medium模式"><span class="nav-text">medium模式</span></a></li></ol></li><li class="nav-item nav-level-1"><a class="nav-link" href="#命令执行"><span class="nav-text">命令执行</span></a><ol class="nav-child"><li class="nav-item nav-level-2"><a class="nav-link" href="#easy模式-1"><span class="nav-text">easy模式</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#medium模式-1"><span class="nav-text">medium模式</span></a></li></ol></li><li class="nav-item nav-level-1"><a class="nav-link" href="#CSRF"><span class="nav-text">CSRF</span></a><ol class="nav-child"><li class="nav-item nav-level-2"><a class="nav-link" href="#easy模式-2"><span class="nav-text">easy模式</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#medium模式-2"><span class="nav-text">medium模式</span></a></li></ol></li><li class="nav-item nav-level-1"><a class="nav-link" href="#文件包含"><span class="nav-text">文件包含</span></a><ol class="nav-child"><li class="nav-item nav-level-2"><a class="nav-link" href="#easy模式-3"><span class="nav-text">easy模式</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#medium模式-3"><span class="nav-text">medium模式</span></a></li></ol></li><li class="nav-item nav-level-1"><a class="nav-link" href="#文件上传"><span class="nav-text">文件上传</span></a><ol class="nav-child"><li class="nav-item nav-level-2"><a class="nav-link" href="#easy模式-4"><span class="nav-text">easy模式</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#medium模式-4"><span class="nav-text">medium模式</span></a></li></ol></li><li class="nav-item nav-level-1"><a class="nav-link" href="#SQL注入"><span class="nav-text">SQL注入</span></a><ol class="nav-child"><li class="nav-item nav-level-2"><a class="nav-link" href="#easy模式-5"><span class="nav-text">easy模式</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#medium模式-5"><span class="nav-text">medium模式</span></a></li></ol></li><li class="nav-item nav-level-1"><a class="nav-link" href="#SQL盲注"><span class="nav-text">SQL盲注</span></a></li><li class="nav-item nav-level-1"><a class="nav-link" href="#弱session-id"><span class="nav-text">弱session-id</span></a><ol class="nav-child"><li class="nav-item nav-level-2"><a class="nav-link" href="#easy模式-6"><span class="nav-text">easy模式</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#medium模式-6"><span class="nav-text">medium模式</span></a></li></ol></li><li class="nav-item nav-level-1"><a class="nav-link" href="#基于DOM的XSS"><span class="nav-text">基于DOM的XSS</span></a><ol class="nav-child"><li class="nav-item nav-level-2"><a class="nav-link" href="#easy模式-7"><span class="nav-text">easy模式</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#medium模式-7"><span class="nav-text">medium模式</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#medium模式-8"><span class="nav-text">medium模式</span></a></li></ol></li><li class="nav-item nav-level-1"><a class="nav-link" href="#存储型xss"><span class="nav-text">存储型xss</span></a><ol class="nav-child"><li class="nav-item nav-level-2"><a class="nav-link" href="#easy模式-8"><span class="nav-text">easy模式</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#medium模式-9"><span class="nav-text">medium模式</span></a></li></ol></li><li class="nav-item nav-level-1"><a class="nav-link" href="#绕过安全策略"><span class="nav-text">绕过安全策略</span></a><ol class="nav-child"><li class="nav-item nav-level-2"><a class="nav-link" href="#easy模式-9"><span class="nav-text">easy模式</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#medium模式-10"><span class="nav-text">medium模式</span></a></li></ol></li><li class="nav-item nav-level-1"><a class="nav-link" href="#JavaScript-Attacks"><span class="nav-text">JavaScript Attacks</span></a><ol class="nav-child"><li class="nav-item nav-level-2"><a class="nav-link" href="#easy模式-10"><span class="nav-text">easy模式</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#medium模式-11"><span class="nav-text">medium模式</span></a></li></ol></li></ol></div>
            

          </div>
@ -844,7 +830,7 @@
      <i class="fa fa-area-chart"></i>
    </span>
    
-    <span title="Site words total count">64.5k</span>
+    <span title="Site words total count">64.4k</span>
  
 </div>

--- a/2019/07/24/获取固件/index.html
+++ b/2019/07/24/获取固件/index.html
@ -88,7 +88,7 @@
 <meta property="og:description" content="通过分析物联网设备遭受攻击的链条可以发现，黑客获取固件，把固件逆向成汇编或C程序语言后，能分析出设备的运行流程和网络行为，还能找到安全加密相关的密钥相关的信息。如果这些“有心人”没能获取到固件信息，他们也很难发现这些漏洞。从这一点看，物联网设备的安全性，在很大程度上决定于其固件的安全性。 http://blog.nsfocus.net/security-analysis-of-the-firmwa">
 <meta property="og:locale" content="zh-Hans">
 <meta property="og:image" content="https://res.cloudinary.com/dozyfkbg3/image/upload/v1563606353/samples/1.png">
-<meta property="og:updated_time" content="2019-07-24T03:50:46.543Z">
+<meta property="og:updated_time" content="2019-07-24T06:01:00.825Z">
 <meta name="twitter:card" content="summary">
 <meta name="twitter:title" content="获取固件的几种方法">
 <meta name="twitter:description" content="通过分析物联网设备遭受攻击的链条可以发现，黑客获取固件，把固件逆向成汇编或C程序语言后，能分析出设备的运行流程和网络行为，还能找到安全加密相关的密钥相关的信息。如果这些“有心人”没能获取到固件信息，他们也很难发现这些漏洞。从这一点看，物联网设备的安全性，在很大程度上决定于其固件的安全性。 http://blog.nsfocus.net/security-analysis-of-the-firmwa">
@ -359,8 +359,8 @@
              
              
                <span itemprop="about" itemscope itemtype="http://schema.org/Thing">
-                  <a href="/categories/IoT/" itemprop="url" rel="index">
-                    <span itemprop="name">IoT</span>
+                  <a href="/categories/IOT/" itemprop="url" rel="index">
+                    <span itemprop="name">IOT</span>
                  </a>
                </span>

@ -709,7 +709,7 @@
      <i class="fa fa-area-chart"></i>
    </span>
    
-    <span title="Site words total count">64.5k</span>
+    <span title="Site words total count">64.4k</span>
  
 </div>

--- a/about/index.html
+++ b/about/index.html
@ -460,7 +460,7 @@
      <i class="fa fa-area-chart"></i>
    </span>
    
-    <span title="Site words total count">64.5k</span>
+    <span title="Site words total count">64.4k</span>
  
 </div>

--- a/archives/2000/01/index.html
+++ b/archives/2000/01/index.html
@ -493,7 +493,7 @@
      <i class="fa fa-area-chart"></i>
    </span>
    
-    <span title="Site words total count">64.5k</span>
+    <span title="Site words total count">64.4k</span>
  
 </div>

--- a/archives/2000/index.html
+++ b/archives/2000/index.html
@ -493,7 +493,7 @@
      <i class="fa fa-area-chart"></i>
    </span>
    
-    <span title="Site words total count">64.5k</span>
+    <span title="Site words total count">64.4k</span>
  
 </div>

--- a/archives/2018/11/index.html
+++ b/archives/2018/11/index.html
@ -493,7 +493,7 @@
      <i class="fa fa-area-chart"></i>
    </span>
    
-    <span title="Site words total count">64.5k</span>
+    <span title="Site words total count">64.4k</span>
  
 </div>

--- a/archives/2018/12/index.html
+++ b/archives/2018/12/index.html
@ -563,7 +563,7 @@
      <i class="fa fa-area-chart"></i>
    </span>
    
-    <span title="Site words total count">64.5k</span>
+    <span title="Site words total count">64.4k</span>
  
 </div>

--- a/archives/2018/index.html
+++ b/archives/2018/index.html
@ -598,7 +598,7 @@
      <i class="fa fa-area-chart"></i>
    </span>
    
-    <span title="Site words total count">64.5k</span>
+    <span title="Site words total count">64.4k</span>
  
 </div>

--- a/archives/2019/01/index.html
+++ b/archives/2019/01/index.html
@ -493,7 +493,7 @@
      <i class="fa fa-area-chart"></i>
    </span>
    
-    <span title="Site words total count">64.5k</span>
+    <span title="Site words total count">64.4k</span>
  
 </div>

--- a/archives/2019/02/index.html
+++ b/archives/2019/02/index.html
@ -493,7 +493,7 @@
      <i class="fa fa-area-chart"></i>
    </span>
    
-    <span title="Site words total count">64.5k</span>
+    <span title="Site words total count">64.4k</span>
  
 </div>

--- a/archives/2019/03/index.html
+++ b/archives/2019/03/index.html
@ -598,7 +598,7 @@
      <i class="fa fa-area-chart"></i>
    </span>
    
-    <span title="Site words total count">64.5k</span>
+    <span title="Site words total count">64.4k</span>
  
 </div>

--- a/archives/2019/04/index.html
+++ b/archives/2019/04/index.html
@ -528,7 +528,7 @@
      <i class="fa fa-area-chart"></i>
    </span>
    
-    <span title="Site words total count">64.5k</span>
+    <span title="Site words total count">64.4k</span>
  
 </div>

--- a/archives/2019/05/index.html
+++ b/archives/2019/05/index.html
@ -528,7 +528,7 @@
      <i class="fa fa-area-chart"></i>
    </span>
    
-    <span title="Site words total count">64.5k</span>
+    <span title="Site words total count">64.4k</span>
  
 </div>

--- a/archives/2019/07/index.html
+++ b/archives/2019/07/index.html
@ -668,7 +668,7 @@
      <i class="fa fa-area-chart"></i>
    </span>
    
-    <span title="Site words total count">64.5k</span>
+    <span title="Site words total count">64.4k</span>
  
 </div>

--- a/archives/2019/index.html
+++ b/archives/2019/index.html
@ -812,7 +812,7 @@
      <i class="fa fa-area-chart"></i>
    </span>
    
-    <span title="Site words total count">64.5k</span>
+    <span title="Site words total count">64.4k</span>
  
 </div>

--- a/archives/2019/page/2/index.html
+++ b/archives/2019/page/2/index.html
@ -672,7 +672,7 @@
      <i class="fa fa-area-chart"></i>
    </span>
    
-    <span title="Site words total count">64.5k</span>
+    <span title="Site words total count">64.4k</span>
  
 </div>

--- a/archives/index.html
+++ b/archives/index.html
@ -812,7 +812,7 @@
      <i class="fa fa-area-chart"></i>
    </span>
    
-    <span title="Site words total count">64.5k</span>
+    <span title="Site words total count">64.4k</span>
  
 </div>

--- a/archives/page/2/index.html
+++ b/archives/page/2/index.html
@ -817,7 +817,7 @@
      <i class="fa fa-area-chart"></i>
    </span>
    
-    <span title="Site words total count">64.5k</span>
+    <span title="Site words total count">64.4k</span>
  
 </div>

--- a/archives/page/3/index.html
+++ b/archives/page/3/index.html
@ -497,7 +497,7 @@
      <i class="fa fa-area-chart"></i>
    </span>
    
-    <span title="Site words total count">64.5k</span>
+    <span title="Site words total count">64.4k</span>
  
 </div>

--- a/bookmarks/index.html
+++ b/bookmarks/index.html
@ -512,7 +512,7 @@
      <i class="fa fa-area-chart"></i>
    </span>
    
-    <span title="Site words total count">64.5k</span>
+    <span title="Site words total count">64.4k</span>
  
 </div>

--- a/categories/IOT/index.html
+++ b/categories/IOT/index.html
@ -303,6 +303,32 @@
      
        

+  <article class="post post-type-normal" itemscope itemtype="http://schema.org/Article">
+    <header class="post-header">
+
+      <h2 class="post-title">
+        
+            <a class="post-title-link" href="/2019/07/24/获取固件/" itemprop="url">
+              
+                <span itemprop="name">获取固件的几种方法</span>
+              
+            </a>
+        
+      </h2>
+
+      <div class="post-meta">
+        <time class="post-time" itemprop="dateCreated" datetime="2019-07-24T11:49:28+08:00" content="2019-07-24">
+          07-24
+        </time>
+      </div>
+
+    </header>
+  </article>
+
+
+      
+        
+
  <article class="post post-type-normal" itemscope itemtype="http://schema.org/Article">
    <header class="post-header">

@ -552,7 +578,7 @@
      <i class="fa fa-area-chart"></i>
    </span>
    
-    <span title="Site words total count">64.5k</span>
+    <span title="Site words total count">64.4k</span>
  
 </div>

--- a/categories/Pwn二进制漏洞/index.html
+++ b/categories/Pwn二进制漏洞/index.html
@ -500,7 +500,7 @@
      <i class="fa fa-area-chart"></i>
    </span>
    
-    <span title="Site words total count">64.5k</span>
+    <span title="Site words total count">64.4k</span>
  
 </div>

--- a/categories/index.html
+++ b/categories/index.html
@ -314,7 +314,7 @@
                目前共计 9 个分类
            </div>
            <div class="category-all">
-              <ul class="category-list"><li class="category-list-item"><a class="category-list-link" href="/categories/IOT/">IOT</a><span class="category-list-count">4</span></li><li class="category-list-item"><a class="category-list-link" href="/categories/IoT/">IoT</a><span class="category-list-count">1</span></li><li class="category-list-item"><a class="category-list-link" href="/categories/Pwn二进制漏洞/">Pwn二进制漏洞</a><span class="category-list-count">2</span></li><li class="category-list-item"><a class="category-list-link" href="/categories/web/">web</a><span class="category-list-count">1</span></li><li class="category-list-item"><a class="category-list-link" href="/categories/二进制/">二进制</a><span class="category-list-count">5</span></li><li class="category-list-item"><a class="category-list-link" href="/categories/加密解密/">加密解密</a><span class="category-list-count">1</span></li><li class="category-list-item"><a class="category-list-link" href="/categories/杂七杂八/">杂七杂八</a><span class="category-list-count">1</span></li><li class="category-list-item"><a class="category-list-link" href="/categories/理论学习/">理论学习</a><span class="category-list-count">1</span></li><li class="category-list-item"><a class="category-list-link" href="/categories/顶会论文/">顶会论文</a><span class="category-list-count">3</span></li></ul>
+              <ul class="category-list"><li class="category-list-item"><a class="category-list-link" href="/categories/IOT/">IOT</a><span class="category-list-count">5</span></li><li class="category-list-item"><a class="category-list-link" href="/categories/Pwn二进制漏洞/">Pwn二进制漏洞</a><span class="category-list-count">2</span></li><li class="category-list-item"><a class="category-list-link" href="/categories/web/">web</a><span class="category-list-count">1</span></li><li class="category-list-item"><a class="category-list-link" href="/categories/二进制/">二进制</a><span class="category-list-count">5</span></li><li class="category-list-item"><a class="category-list-link" href="/categories/加密解密/">加密解密</a><span class="category-list-count">1</span></li><li class="category-list-item"><a class="category-list-link" href="/categories/杂七杂八/">杂七杂八</a><span class="category-list-count">1</span></li><li class="category-list-item"><a class="category-list-link" href="/categories/理论学习/">理论学习</a><span class="category-list-count">1</span></li><li class="category-list-item"><a class="category-list-link" href="/categories/顶会论文/">顶会论文</a><span class="category-list-count">3</span></li></ul>
            </div>
          </div>
        
@ -465,7 +465,7 @@
      <i class="fa fa-area-chart"></i>
    </span>
    
-    <span title="Site words total count">64.5k</span>
+    <span title="Site words total count">64.4k</span>
  
 </div>

--- a/categories/web/index.html
+++ b/categories/web/index.html
@ -474,7 +474,7 @@
      <i class="fa fa-area-chart"></i>
    </span>
    
-    <span title="Site words total count">64.5k</span>
+    <span title="Site words total count">64.4k</span>
  
 </div>

--- a/categories/二进制/index.html
+++ b/categories/二进制/index.html
@ -578,7 +578,7 @@
      <i class="fa fa-area-chart"></i>
    </span>
    
-    <span title="Site words total count">64.5k</span>
+    <span title="Site words total count">64.4k</span>
  
 </div>

--- a/categories/加密解密/index.html
+++ b/categories/加密解密/index.html
@ -474,7 +474,7 @@
      <i class="fa fa-area-chart"></i>
    </span>
    
-    <span title="Site words total count">64.5k</span>
+    <span title="Site words total count">64.4k</span>
  
 </div>

--- a/categories/杂七杂八/index.html
+++ b/categories/杂七杂八/index.html
@ -474,7 +474,7 @@
      <i class="fa fa-area-chart"></i>
    </span>
    
-    <span title="Site words total count">64.5k</span>
+    <span title="Site words total count">64.4k</span>
  
 </div>

--- a/categories/理论学习/index.html
+++ b/categories/理论学习/index.html
@ -474,7 +474,7 @@
      <i class="fa fa-area-chart"></i>
    </span>
    
-    <span title="Site words total count">64.5k</span>
+    <span title="Site words total count">64.4k</span>
  
 </div>

--- a/categories/顶会论文/index.html
+++ b/categories/顶会论文/index.html
@ -526,7 +526,7 @@
      <i class="fa fa-area-chart"></i>
    </span>
    
-    <span title="Site words total count">64.5k</span>
+    <span title="Site words total count">64.4k</span>
  
 </div>

--- a/index.html
+++ b/index.html
@ -358,8 +358,8 @@
              
              
                <span itemprop="about" itemscope itemtype="http://schema.org/Thing">
-                  <a href="/categories/IoT/" itemprop="url" rel="index">
-                    <span itemprop="name">IoT</span>
+                  <a href="/categories/IOT/" itemprop="url" rel="index">
+                    <span itemprop="name">IOT</span>
                  </a>
                </span>

@ -2297,7 +2297,7 @@ MotivationDBMS(数据库管理系统)
      <i class="fa fa-area-chart"></i>
    </span>
    
-    <span title="Site words total count">64.5k</span>
+    <span title="Site words total count">64.4k</span>
  
 </div>

--- a/page/2/index.html
+++ b/page/2/index.html
@ -2351,7 +2351,7 @@ ettercap嗅探智能设备和网关之间的流量sudo ettercap -i ens33 -T -q
      <i class="fa fa-area-chart"></i>
    </span>
    
-    <span title="Site words total count">64.5k</span>
+    <span title="Site words total count">64.4k</span>
  
 </div>

--- a/page/3/index.html
+++ b/page/3/index.html
@ -601,7 +601,7 @@
      <i class="fa fa-area-chart"></i>
    </span>
    
-    <span title="Site words total count">64.5k</span>
+    <span title="Site words total count">64.4k</span>
  
 </div>

--- a/search.xml
+++ b/search.xml
--- a/sitemap.xml
+++ b/sitemap.xml
@ -4,14 +4,14 @@
  <url>
    <loc>https://cool-y.github.io/2019/07/24/%E8%8E%B7%E5%8F%96%E5%9B%BA%E4%BB%B6/</loc>
    
-    <lastmod>2019-07-24T03:50:46.543Z</lastmod>
+    <lastmod>2019-07-24T06:01:00.825Z</lastmod>
    
  </url>
  
  <url>
    <loc>https://cool-y.github.io/2019/07/24/web-dvwa/</loc>
    
-    <lastmod>2019-07-24T03:48:23.821Z</lastmod>
+    <lastmod>2019-07-24T06:00:56.862Z</lastmod>
    
  </url>
  
--- a/tags/AFL/index.html
+++ b/tags/AFL/index.html
@ -499,7 +499,7 @@
      <i class="fa fa-area-chart"></i>
    </span>
    
-    <span title="Site words total count">64.5k</span>
+    <span title="Site words total count">64.4k</span>
  
 </div>

--- a/tags/CVE/index.html
+++ b/tags/CVE/index.html
@ -473,7 +473,7 @@
      <i class="fa fa-area-chart"></i>
    </span>
    
-    <span title="Site words total count">64.5k</span>
+    <span title="Site words total count">64.4k</span>
  
 </div>

--- a/tags/IoT/index.html
+++ b/tags/IoT/index.html
@ -473,7 +473,7 @@
      <i class="fa fa-area-chart"></i>
    </span>
    
-    <span title="Site words total count">64.5k</span>
+    <span title="Site words total count">64.4k</span>
  
 </div>

--- a/tags/MiniUPnP/index.html
+++ b/tags/MiniUPnP/index.html
@ -473,7 +473,7 @@
      <i class="fa fa-area-chart"></i>
    </span>
    
-    <span title="Site words total count">64.5k</span>
+    <span title="Site words total count">64.4k</span>
  
 </div>

--- a/tags/PE/index.html
+++ b/tags/PE/index.html
@ -473,7 +473,7 @@
      <i class="fa fa-area-chart"></i>
    </span>
    
-    <span title="Site words total count">64.5k</span>
+    <span title="Site words total count">64.4k</span>
  
 </div>

--- a/tags/QQ/index.html
+++ b/tags/QQ/index.html
@ -473,7 +473,7 @@
      <i class="fa fa-area-chart"></i>
    </span>
    
-    <span title="Site words total count">64.5k</span>
+    <span title="Site words total count">64.4k</span>
  
 </div>

--- a/tags/SSH/index.html
+++ b/tags/SSH/index.html
@ -473,7 +473,7 @@
      <i class="fa fa-area-chart"></i>
    </span>
    
-    <span title="Site words total count">64.5k</span>
+    <span title="Site words total count">64.4k</span>
  
 </div>

--- a/tags/Samba/index.html
+++ b/tags/Samba/index.html
@ -473,7 +473,7 @@
      <i class="fa fa-area-chart"></i>
    </span>
    
-    <span title="Site words total count">64.5k</span>
+    <span title="Site words total count">64.4k</span>
  
 </div>

--- a/tags/TCPDUMP/index.html
+++ b/tags/TCPDUMP/index.html
@ -473,7 +473,7 @@
      <i class="fa fa-area-chart"></i>
    </span>
    
-    <span title="Site words total count">64.5k</span>
+    <span title="Site words total count">64.4k</span>
  
 </div>

--- a/tags/USENIX/index.html
+++ b/tags/USENIX/index.html
@ -473,7 +473,7 @@
      <i class="fa fa-area-chart"></i>
    </span>
    
-    <span title="Site words total count">64.5k</span>
+    <span title="Site words total count">64.4k</span>
  
 </div>

--- a/tags/Windows/index.html
+++ b/tags/Windows/index.html
@ -473,7 +473,7 @@
      <i class="fa fa-area-chart"></i>
    </span>
    
-    <span title="Site words total count">64.5k</span>
+    <span title="Site words total count">64.4k</span>
  
 </div>

--- a/tags/ctf/index.html
+++ b/tags/ctf/index.html
@ -473,7 +473,7 @@
      <i class="fa fa-area-chart"></i>
    </span>
    
-    <span title="Site words total count">64.5k</span>
+    <span title="Site words total count">64.4k</span>
  
 </div>

--- a/tags/index.html
+++ b/tags/index.html
@ -465,7 +465,7 @@
      <i class="fa fa-area-chart"></i>
    </span>
    
-    <span title="Site words total count">64.5k</span>
+    <span title="Site words total count">64.4k</span>
  
 </div>

--- a/tags/itchat/index.html
+++ b/tags/itchat/index.html
@ -473,7 +473,7 @@
      <i class="fa fa-area-chart"></i>
    </span>
    
-    <span title="Site words total count">64.5k</span>
+    <span title="Site words total count">64.4k</span>
  
 </div>

--- a/tags/linux/index.html
+++ b/tags/linux/index.html
@ -473,7 +473,7 @@
      <i class="fa fa-area-chart"></i>
    </span>
    
-    <span title="Site words total count">64.5k</span>
+    <span title="Site words total count">64.4k</span>
  
 </div>

--- a/tags/miio/index.html
+++ b/tags/miio/index.html
@ -473,7 +473,7 @@
      <i class="fa fa-area-chart"></i>
    </span>
    
-    <span title="Site words total count">64.5k</span>
+    <span title="Site words total count">64.4k</span>
  
 </div>

--- a/tags/pwn/index.html
+++ b/tags/pwn/index.html
@ -473,7 +473,7 @@
      <i class="fa fa-area-chart"></i>
    </span>
    
-    <span title="Site words total count">64.5k</span>
+    <span title="Site words total count">64.4k</span>
  
 </div>

--- a/tags/python/index.html
+++ b/tags/python/index.html
@ -473,7 +473,7 @@
      <i class="fa fa-area-chart"></i>
    </span>
    
-    <span title="Site words total count">64.5k</span>
+    <span title="Site words total count">64.4k</span>
  
 </div>

--- a/tags/web/index.html
+++ b/tags/web/index.html
@ -473,7 +473,7 @@
      <i class="fa fa-area-chart"></i>
    </span>
    
-    <span title="Site words total count">64.5k</span>
+    <span title="Site words total count">64.4k</span>
  
 </div>

--- a/tags/wifi/index.html
+++ b/tags/wifi/index.html
@ -473,7 +473,7 @@
      <i class="fa fa-area-chart"></i>
    </span>
    
-    <span title="Site words total count">64.5k</span>
+    <span title="Site words total count">64.4k</span>
  
 </div>

--- a/tags/中间人/index.html
+++ b/tags/中间人/index.html
@ -473,7 +473,7 @@
      <i class="fa fa-area-chart"></i>
    </span>
    
-    <span title="Site words total count">64.5k</span>
+    <span title="Site words total count">64.4k</span>
  
 </div>

--- a/tags/二进制/index.html
+++ b/tags/二进制/index.html
@ -473,7 +473,7 @@
      <i class="fa fa-area-chart"></i>
    </span>
    
-    <span title="Site words total count">64.5k</span>
+    <span title="Site words total count">64.4k</span>
  
 </div>

--- a/tags/侧信道攻击/index.html
+++ b/tags/侧信道攻击/index.html
@ -473,7 +473,7 @@
      <i class="fa fa-area-chart"></i>
    </span>
    
-    <span title="Site words total count">64.5k</span>
+    <span title="Site words total count">64.4k</span>
  
 </div>

--- a/tags/取证/index.html
+++ b/tags/取证/index.html
@ -473,7 +473,7 @@
      <i class="fa fa-area-chart"></i>
    </span>
    
-    <span title="Site words total count">64.5k</span>
+    <span title="Site words total count">64.4k</span>
  
 </div>

--- a/tags/复原文件/index.html
+++ b/tags/复原文件/index.html
@ -473,7 +473,7 @@
      <i class="fa fa-area-chart"></i>
    </span>
    
-    <span title="Site words total count">64.5k</span>
+    <span title="Site words total count">64.4k</span>
  
 </div>

--- a/tags/密码/index.html
+++ b/tags/密码/index.html
@ -473,7 +473,7 @@
      <i class="fa fa-area-chart"></i>
    </span>
    
-    <span title="Site words total count">64.5k</span>
+    <span title="Site words total count">64.4k</span>
  
 </div>

--- a/tags/小米/index.html
+++ b/tags/小米/index.html
@ -525,7 +525,7 @@
      <i class="fa fa-area-chart"></i>
    </span>
    
-    <span title="Site words total count">64.5k</span>
+    <span title="Site words total count">64.4k</span>
  
 </div>

--- a/tags/微信/index.html
+++ b/tags/微信/index.html
@ -473,7 +473,7 @@
      <i class="fa fa-area-chart"></i>
    </span>
    
-    <span title="Site words total count">64.5k</span>
+    <span title="Site words total count">64.4k</span>
  
 </div>

--- a/tags/拒绝服务攻击/index.html
+++ b/tags/拒绝服务攻击/index.html
@ -473,7 +473,7 @@
      <i class="fa fa-area-chart"></i>
    </span>
    
-    <span title="Site words total count">64.5k</span>
+    <span title="Site words total count">64.4k</span>
  
 </div>

--- a/tags/数据库/index.html
+++ b/tags/数据库/index.html
@ -499,7 +499,7 @@
      <i class="fa fa-area-chart"></i>
    </span>
    
-    <span title="Site words total count">64.5k</span>
+    <span title="Site words total count">64.4k</span>
  
 </div>

--- a/tags/数据挖掘/index.html
+++ b/tags/数据挖掘/index.html
@ -473,7 +473,7 @@
      <i class="fa fa-area-chart"></i>
    </span>
    
-    <span title="Site words total count">64.5k</span>
+    <span title="Site words total count">64.4k</span>
  
 </div>

--- a/tags/文件格式/index.html
+++ b/tags/文件格式/index.html
@ -499,7 +499,7 @@
      <i class="fa fa-area-chart"></i>
    </span>
    
-    <span title="Site words total count">64.5k</span>
+    <span title="Site words total count">64.4k</span>
  
 </div>

--- a/tags/栈溢出/index.html
+++ b/tags/栈溢出/index.html
@ -473,7 +473,7 @@
      <i class="fa fa-area-chart"></i>
    </span>
    
-    <span title="Site words total count">64.5k</span>
+    <span title="Site words total count">64.4k</span>
  
 </div>

--- a/tags/模型实现/index.html
+++ b/tags/模型实现/index.html
@ -473,7 +473,7 @@
      <i class="fa fa-area-chart"></i>
    </span>
    
-    <span title="Site words total count">64.5k</span>
+    <span title="Site words total count">64.4k</span>
  
 </div>

--- a/tags/模糊测试/index.html
+++ b/tags/模糊测试/index.html
@ -499,7 +499,7 @@
      <i class="fa fa-area-chart"></i>
    </span>
    
-    <span title="Site words total count">64.5k</span>
+    <span title="Site words total count">64.4k</span>
  
 </div>

--- a/tags/漏洞/index.html
+++ b/tags/漏洞/index.html
@ -473,7 +473,7 @@
      <i class="fa fa-area-chart"></i>
    </span>
    
-    <span title="Site words total count">64.5k</span>
+    <span title="Site words total count">64.4k</span>
  
 </div>

--- a/tags/破解/index.html
+++ b/tags/破解/index.html
@ -473,7 +473,7 @@
      <i class="fa fa-area-chart"></i>
    </span>
    
-    <span title="Site words total count">64.5k</span>
+    <span title="Site words total count">64.4k</span>
  
 </div>

--- a/tags/硬件层/index.html
+++ b/tags/硬件层/index.html
@ -473,7 +473,7 @@
      <i class="fa fa-area-chart"></i>
    </span>
    
-    <span title="Site words total count">64.5k</span>
+    <span title="Site words total count">64.4k</span>
  
 </div>

--- a/tags/自然语言处理/index.html
+++ b/tags/自然语言处理/index.html
@ -473,7 +473,7 @@
      <i class="fa fa-area-chart"></i>
    </span>
    
-    <span title="Site words total count">64.5k</span>
+    <span title="Site words total count">64.4k</span>
  
 </div>

--- a/tags/访问控制/index.html
+++ b/tags/访问控制/index.html
@ -473,7 +473,7 @@
      <i class="fa fa-area-chart"></i>
    </span>
    
-    <span title="Site words total count">64.5k</span>
+    <span title="Site words total count">64.4k</span>
  
 </div>

--- a/tags/路由器/index.html
+++ b/tags/路由器/index.html
@ -473,7 +473,7 @@
      <i class="fa fa-area-chart"></i>
    </span>
    
-    <span title="Site words total count">64.5k</span>
+    <span title="Site words total count">64.4k</span>
  
 </div>

--- a/tags/远程执行/index.html
+++ b/tags/远程执行/index.html
@ -473,7 +473,7 @@
      <i class="fa fa-area-chart"></i>
    </span>
    
-    <span title="Site words total count">64.5k</span>
+    <span title="Site words total count">64.4k</span>
  
 </div>

--- a/tags/逆向/index.html
+++ b/tags/逆向/index.html
@ -473,7 +473,7 @@
      <i class="fa fa-area-chart"></i>
    </span>
    
-    <span title="Site words total count">64.5k</span>
+    <span title="Site words total count">64.4k</span>
  
 </div>

--- a/tags/重放攻击/index.html
+++ b/tags/重放攻击/index.html
@ -473,7 +473,7 @@
      <i class="fa fa-area-chart"></i>
    </span>
    
-    <span title="Site words total count">64.5k</span>
+    <span title="Site words total count">64.4k</span>
  
 </div>