diff --git a/source/_posts/DIR-802-OS-Command-Injection.md b/source/_posts/DIR-802-OS-Command-Injection.md
index 9996f9da..cf064348 100644
--- a/source/_posts/DIR-802-OS-Command-Injection.md
+++ b/source/_posts/DIR-802-OS-Command-Injection.md
@@ -39,6 +39,7 @@ s.close()
 
 #### 漏洞复现
 使用firmadyne进行固件模拟，运行UPnP服务
-![](https://res.cloudinary.com/dozyfkbg3/image/upload/v1614665628/cve/carbon.png)
+<img src="https://res.cloudinary.com/dozyfkbg3/image/upload/v1614665628/cve/carbon.png" width="50%" height="50%">
+
 攻击者可以是连接到路由器局域网内并且能够向UPnP端口发送请求的任何人。可以通过编写简单的python脚本将精心制作的数据包发送到特定的upnp端口，该脚本随后将作为精心制作的请求的一部分执行提供的命令。共享的POC将打开端口8089上的telnet服务。
-![](https://res.cloudinary.com/dozyfkbg3/image/upload/v1614665899/cve/carbon_1.png)
+<img src="https://res.cloudinary.com/dozyfkbg3/image/upload/v1614665899/cve/carbon_1.png" width="50%" height="50%">
diff --git a/source/_posts/vm-escape1.md b/source/_posts/vm-escape1.md
index 4b4d14ed..dfa56e67 100644
--- a/source/_posts/vm-escape1.md
+++ b/source/_posts/vm-escape1.md
@@ -8,11 +8,6 @@ tags:
 categories:
 - Pwn
 ---
-# VM escape-QEMU Case Study
-
-http://jiayy.me/2019/04/15/CVE-2015-5165-7504/
-http://jiayy.me/2019/04/15/CVE-2015-5165-7504/#cve-2015-5165-exp
-https://programlife.net/2020/06/30/cve-2015-5165-qemu-rtl8139-vulnerability-analysis/
 
 ## 1 Intro
 
@@ -562,3 +557,8 @@ plt=.plt
 通过 gdb 调试验证结果正确性：
 
 <img src="https://res.cloudinary.com/dozyfkbg3/image/upload/v1618050992/VMescape/image_32.png" width="50%" height="50%">
+
+## ref
+http://jiayy.me/2019/04/15/CVE-2015-5165-7504/
+http://jiayy.me/2019/04/15/CVE-2015-5165-7504/#cve-2015-5165-exp
+https://programlife.net/2020/06/30/cve-2015-5165-qemu-rtl8139-vulnerability-analysis/