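Key points
Common file upload validation: extension, type, file header, etc.
1. Extension: blacklist, whitelist
- Blacklist: extensions that are explicitly refused, such as asp, php, jsp, aspx, cgi, war. Blacklists are easy to bypass, for example by uploading php5 or Phtml.
- Whitelist: extensions that are explicitly allowed, such as jpg, png, zip, rar, gif. A whitelist is recommended.
2. File type: MIME information
- The Content-Type field is checked; this can be bypassed by intercepting and modifying the request.
3. File header: content header information
- Every file type has its own fixed file header; for example, GIF89a is the file header of a GIF image. The check can be bypassed by manually prepending a file header to a script file.
4. Windows behaviour
- File names are case-insensitive on Windows and case-sensitive on Linux.
- Because of the ADS (alternate data stream) feature on Windows, an uploaded file xxx.php::$DATA = xxx.php
- On Windows, when a file name ends with characters such as ".", space, "<", ">", ">>>" or 0x81-0xff, Windows ignores them in the file that is finally created.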
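Focus of this lesson
Cases: analysis of the upload-labs levels
Download: https://github.com/c0ny1/upload-labs
- Case 1: $_FILES['upfile'] for accessing information about the file
- Case 2: Pass-02 MIME-Type validation
- Case 3: Pass-3 blacklist bypass, alternative parsed extensions
- Case 4: Pass-4 .htaccess bypass
- Case 5: Pass-5 case bypass
- Case 6: Pass-6 trailing-space extension bypass
- Case 7: Pass-7 dot bypass
- Case 8: Pass-8 ::$DATA bypass
- Case 9: Pass-9 dot + space + dot bypass (looped/recursive filtering)
- Case 10: Pass-10 double-write bypass
- Case 11: Pass-11 %00 truncation, GET request
- Case 12: Pass-12 %00 truncation, POST request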
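Case 1: PHP basics: if the name attribute of the file upload field is upfile, information about the file is available through $_FILES['upfile'].
- $_FILES['upfile']['name']; // original name of the file on the client, without the path
- $_FILES['upfile']['type']; // MIME type of the uploaded file
- $_FILES['upfile']['tmp_name']; // temporary file name under which the upload is stored on the server, including the path
- $_FILES['upfile']['error']; // error code of the upload, an integer
- $_FILES['upfile']['size']; // size of the uploaded file, in bytes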


Case 2: Pass-02 MIME-Type validation
MIME (Multipurpose Internet Mail Extensions) is a type that specifies which application opens files with a given extension; when a file with that extension is accessed, the browser automatically opens it with the specified application. It is mostly used to specify some client-defined file names and how certain media files are opened.
Looking at the code, the system checks the MIME type:

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        if (($_FILES['upload_file']['type'] == 'image/jpeg') || ($_FILES['upload_file']['type'] == 'image/png') || ($_FILES['upload_file']['type'] == 'image/gif')) {
            $temp_file = $_FILES['upload_file']['tmp_name'];
            $img_path = UPLOAD_PATH . '/' . $_FILES['upload_file']['name'];
            if (move_uploaded_file($temp_file, $img_path)) {
                $is_upload = true;
            } else {
                $msg = '上傳出錯!';
            }
        } else {
            $msg = '文件類型不正確,請重新上傳!';
        }
    } else {
        $msg = UPLOAD_PATH.'文件夾不存在,請手工創建!';
    }
}

So changing the Content-Type value to one that satisfies the condition is enough to bypass the check. After the modification, the upload succeeds.
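
The Pass-02 check trusts a header the client writes and then stores the file under the client's own name. The following is an added example, not code from upload-labs or from the original page: it derives the type from the bytes on disk and lets the server choose the stored name. It assumes the fileinfo extension is enabled; the function names and the allowlist are hypothetical.

```php
<?php
// Added example, not upload-labs code. Assumes the fileinfo extension is enabled.

// Allowlist: content-sniffed MIME type => extension the server assigns.
const ALLOWED_TYPES = [
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
];

/**
 * Decide the stored file name from the bytes on disk. Neither
 * $_FILES[...]['type'] nor $_FILES[...]['name'] is consulted, so editing
 * the request's Content-Type or file name changes nothing.
 * Returns null when the upload must be rejected.
 */
function stored_name_for(string $tmpPath): ?string
{
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if ($mime === false || !isset(ALLOWED_TYPES[$mime])) {
        return null;
    }
    // Random server-chosen base name plus an extension from the allowlist:
    // a forged "GIF89a" header can at most get a script stored as *.gif.
    return bin2hex(random_bytes(16)) . '.' . ALLOWED_TYPES[$mime];
}

/** Handle one entry of $_FILES (hypothetical helper name). */
function handle_upload(array $file, string $uploadDir): ?string
{
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    $name = stored_name_for($file['tmp_name']);
    if ($name === null) {
        return null;
    }
    $dest = rtrim($uploadDir, '/') . '/' . $name;
    return move_uploaded_file($file['tmp_name'], $dest) ? $dest : null;
}

// Constructed sample: a PHP script that a client would send as "image/jpeg".
$tmp = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($tmp, "<?php phpinfo(); ?>");
var_dump(stored_name_for($tmp)); // the claimed type is never read
unlink($tmp);
```

Content sniffing alone does not stop a script hidden behind a valid image header; what makes such a file inert is the server-assigned extension together with an upload directory that is not configured to execute PHP.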
Appendix: MIME type reference table for common file types
{".3gp", "video/3gpp"},
{".apk", "application/vnd.android.package-archive"},
{".asf", "video/x-ms-asf"},
{".avi", "video/x-msvideo"},
{".bin", "application/octet-stream"},
{".bmp", "image/bmp"},
{".c", "text/plain"},
{".class", "application/octet-stream"},
{".conf", "text/plain"},
{".cpp", "text/plain"},
{".doc", "application/msword"},
{".docx", "application/vnd.openxmlformats-officedocument.wordprocessingml.document"},
{".xls", "application/vnd.ms-excel"},
{".xlsx", "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet"},
{".exe", "application/octet-stream"},
{".gif", "image/gif"},
{".gtar", "application/x-gtar"},
{".gz", "application/x-gzip"},
{".h", "text/plain"},
{".htm", "text/html"},
{".html", "text/html"},
{".jar", "application/java-archive"},
{".java", "text/plain"},
{".jpeg", "image/jpeg"},
{".jpg", "image/jpeg"},
{".js", "application/x-javascript"},
{".log", "text/plain"},
{".m3u", "audio/x-mpegurl"},
{".m4a", "audio/mp4a-latm"},
{".m4b", "audio/mp4a-latm"},
{".m4p", "audio/mp4a-latm"},
{".m4u", "video/vnd.mpegurl"},
{".m4v", "video/x-m4v"},
{".mov", "video/quicktime"},
{".mp2", "audio/x-mpeg"},
{".mp3", "audio/x-mpeg"},
{".mp4", "video/mp4"},
{".mpc", "application/vnd.mpohun.certificate"},
{".mpe", "video/mpeg"},
{".mpeg", "video/mpeg"},
{".mpg", "video/mpeg"},
{".mpg4", "video/mp4"},
{".mpga", "audio/mpeg"},
{".msg", "application/vnd.ms-outlook"},
{".ogg", "audio/ogg"},
{".pdf", "application/pdf"},
{".png", "image/png"},
{".pps", "application/vnd.ms-powerpoint"},
{".ppt", "application/vnd.ms-powerpoint"},
{".pptx", "application/vnd.openxmlformats-officedocument.presentationml.presentation"},
{".prop", "text/plain"},
{".rc", "text/plain"},
{".rmvb", "audio/x-pn-realaudio"},
{".rtf", "application/rtf"},
{".sh", "text/plain"},
{".tar", "application/x-tar"},
{".tgz", "application/x-compressed"},
{".txt", "text/plain"},
{".wav", "audio/x-wav"},
{".wma", "audio/x-ms-wma"},
{".wmv", "audio/x-ms-wmv"},
{".wps", "application/vnd.ms-works"},
{".xml", "text/plain"},
{".z", "application/x-compress"},
{".zip", "application/x-zip-compressed"},
{"", "*/*"}
Case 3: Pass-3 blacklist bypass, alternative parsed extensions
The source configures a blacklist that forbids uploading files with the .asp, .aspx, .php and .jsp extensions.

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        $deny_ext = array('.asp','.aspx','.php','.jsp');
        $file_name = trim($_FILES['upload_file']['name']);
        $file_name = deldot($file_name); // remove the trailing dot from the file name
        $file_ext = strrchr($file_name, '.');
        $file_ext = strtolower($file_ext); // convert to lowercase
        $file_ext = str_ireplace('::$DATA', '', $file_ext); // strip the string ::$DATA
        $file_ext = trim($file_ext); // trim leading and trailing whitespace
        if(!in_array($file_ext, $deny_ext)) {
            $temp_file = $_FILES['upload_file']['tmp_name'];
            $img_path = UPLOAD_PATH.'/'.date("YmdHis").rand(1000,9999).$file_ext;
            if (move_uploaded_file($temp_file,$img_path)) {
                $is_upload = true;
            } else {
                $msg = '上傳出錯!';
            }
        } else {
            $msg = '不允許上傳.asp,.aspx,.php,.jsp后綴文件!';
        }
    } else {
        $msg = UPLOAD_PATH . '文件夾不存在,請手工創建!';
    }
}

However, an Apache server can use PHP to parse .phtml, .php3 and .php5 files, provided that Apache's httpd.conf contains the following configuration:
AddType application/x-httpd-php .php .phtml .php3 .php5
So .phtml, .php3 and .php5 files can be uploaded, bypassing the blacklist.
Case 4: Pass-4 .htaccess bypass
The source configures a blacklist that rejects almost every problematic extension, except .htaccess.

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        $deny_ext = array(".php",".php5",".php4",".php3",".php2","php1",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2","pHp1",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf");
        $file_name = trim($_FILES['upload_file']['name']);
        $file_name = deldot($file_name); // remove the trailing dot from the file name
        $file_ext = strrchr($file_name, '.');
        $file_ext = strtolower($file_ext); // convert to lowercase
        $file_ext = str_ireplace('::$DATA', '', $file_ext); // strip the string ::$DATA
        $file_ext = trim($file_ext); // trim leading and trailing whitespace
        if (!in_array($file_ext, $deny_ext)) {
            $temp_file = $_FILES['upload_file']['tmp_name'];
            $img_path = UPLOAD_PATH.'/'.$file_name;
            if (move_uploaded_file($temp_file, $img_path)) {
                $is_upload = true;
            } else {
                $msg = '上傳出錯!';
            }
        } else {
            $msg = '此文件不允許上傳!';
        }
    } else {
        $msg = UPLOAD_PATH . '文件夾不存在,請手工創建!';
    }
}

Two conditions must hold for .htaccess, as a local setting, to take effect on the files in the current directory: (1) AllowOverride is enabled, (2) the mod_rewrite module is loaded.
Modify httpd.conf: 1. AllowOverride All 2. LoadModule rewrite_module modules/mod_rewrite.so
This level meets both conditions, so first upload a .htaccess file with the following content:
<FilesMatch "hello">
setHandler application/x-httpd-php
</FilesMatch>
Its effect is that every file in the current directory whose name contains the string "hello" is parsed as a PHP file.
Then upload a file hello.jpg with the following content:
<?php phpinfo(); ?>
Accessing that file's web path now makes the server execute the PHP code in hello.jpg.

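Preconditions for the .htaccess upload vulnerability:
- 1. An Apache server.
- 2. It is possible to upload a .htaccess file, which is generally the case with a blacklist restriction.
- 3. AllowOverride All; the default configuration is None (disabled).
- 4. LoadModule rewrite_module modules/mod_rewrite.so # the mod_rewrite module is enabled
- 5. The upload directory has execute permission.
Supplement: introduction to .htaccess
- The .htaccess file is a configuration file of the Apache server that controls the web configuration of the directory it applies to. With an .htaccess file one can implement 301 redirects, custom 404 error pages, changing file extensions, allowing or blocking access for specific users or directories, disabling directory listings, configuring default documents, and similar functions.
- The .htaccess file (or "distributed configuration file") provides a way to change the configuration per directory: a file containing directives is placed in a particular directory, and the directives apply to that directory and all of its subdirectories.
- To enable .htaccess, httpd.conf must be modified to enable AllowOverride. Once .htaccess is enabled, users are allowed to modify the server's configuration themselves, which may lead to unexpected changes. For safety, .htaccess files should be avoided as far as possible.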
Case 5: Pass-5 case bypass
Compared with Pass-4, the source filters .htaccess but no longer converts the extension to lowercase, so a change of letter case can be used to bypass it.

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");
        $file_name = trim($_FILES['upload_file']['name']);
        $file_name = deldot($file_name); // remove the trailing dot from the file name
        $file_ext = strrchr($file_name, '.');
        $file_ext = str_ireplace('::$DATA', '', $file_ext); // strip the string ::$DATA
        $file_ext = trim($file_ext); // trim leading and trailing whitespace
        if (!in_array($file_ext, $deny_ext)) {
            $temp_file = $_FILES['upload_file']['tmp_name'];
            $img_path = UPLOAD_PATH.'/'.date("YmdHis").rand(1000,9999).$file_ext;
            if (move_uploaded_file($temp_file, $img_path)) {
                $is_upload = true;
            } else {
                $msg = '上傳出錯!';
            }
        } else {
            $msg = '此文件類型不允許上傳!';
        }
    } else {
        $msg = UPLOAD_PATH . '文件夾不存在,請手工創建!';
    }
}

A .PHP file can be uploaded, bypassing the blacklist.
Case 6: Pass-6 trailing-space extension bypass
Compared with Pass-4 and Pass-5, the source does not trim whitespace from the extension. Windows automatically removes the trailing space from an extension, so appending a space to the extension bypasses the check.

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");
        $file_name = $_FILES['upload_file']['name'];
        $file_name = deldot($file_name); // remove the trailing dot from the file name
        $file_ext = strrchr($file_name, '.');
        $file_ext = strtolower($file_ext); // convert to lowercase
        $file_ext = str_ireplace('::$DATA', '', $file_ext); // strip the string ::$DATA
        if (!in_array($file_ext, $deny_ext)) {
            $temp_file = $_FILES['upload_file']['tmp_name'];
            $img_path = UPLOAD_PATH.'/'.date("YmdHis").rand(1000,9999).$file_ext;
            if (move_uploaded_file($temp_file,$img_path)) {
                $is_upload = true;
            } else {
                $msg = '上傳出錯!';
            }
        } else {
            $msg = '此文件不允許上傳';
        }
    } else {
        $msg = UPLOAD_PATH . '文件夾不存在,請手工創建!';
    }
}

When uploading the file, intercept the request and change the file extension to .php + space to bypass the blacklist.
The principle: when the server checks the blacklist, the extension it checks is .php + space. Because .php + space is not on the blacklist, the check passes, while Windows automatically removes the trailing space when it saves the file, so the extension of the file finally stored on the server is .php. (Linux should also remove the space automatically when saving the file; you can test this yourself?)
Case 7: Pass-7 dot bypass
Compared with Pass-4, the source does not remove the trailing dot from the file name. Windows automatically removes the final "." of an extension, so appending "." to the extension bypasses the check.

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");
        $file_name = trim($_FILES['upload_file']['name']);
        $file_ext = strrchr($file_name, '.');
        $file_ext = strtolower($file_ext); // convert to lowercase
        $file_ext = str_ireplace('::$DATA', '', $file_ext); // strip the string ::$DATA
        $file_ext = trim($file_ext); // trim leading and trailing whitespace
        if (!in_array($file_ext, $deny_ext)) {
            $temp_file = $_FILES['upload_file']['tmp_name'];
            $img_path = UPLOAD_PATH.'/'.$file_name;
            if (move_uploaded_file($temp_file, $img_path)) {
                $is_upload = true;
            } else {
                $msg = '上傳出錯!';
            }
        } else {
            $msg = '此文件類型不允許上傳!';
        }
    } else {
        $msg = UPLOAD_PATH . '文件夾不存在,請手工創建!';
    }
}
Case 8: Pass-8 ::$DATA bypass
Compared with Pass-4, the source does not filter "::$DATA" from the extension. With PHP on Windows, if "::$DATA" is appended to a file name, the data after "::$DATA" is treated as a file stream, the extension is not checked, and the file name before "::$DATA" is kept. Using this Windows behaviour, appending "::$DATA" after the extension bypasses the check.
For example, for "phpinfo.php::$DATA" Windows automatically removes the trailing "::$DATA", giving "phpinfo.php".

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");
        $file_name = trim($_FILES['upload_file']['name']);
        $file_name = deldot($file_name); // remove the trailing dot from the file name
        $file_ext = strrchr($file_name, '.');
        $file_ext = strtolower($file_ext); // convert to lowercase
        $file_ext = trim($file_ext); // trim leading and trailing whitespace
        if (!in_array($file_ext, $deny_ext)) {
            $temp_file = $_FILES['upload_file']['tmp_name'];
            $img_path = UPLOAD_PATH.'/'.date("YmdHis").rand(1000,9999).$file_ext;
            if (move_uploaded_file($temp_file, $img_path)) {
                $is_upload = true;
            } else {
                $msg = '上傳出錯!';
            }
        } else {
            $msg = '此文件類型不允許上傳!';
        }
    } else {
        $msg = UPLOAD_PATH . '文件夾不存在,請手工創建!';
    }
}

Use Burp Suite to intercept the request and append ::$DATA to the file extension to bypass the check.
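Case 9: Pass-9 dot + space + dot bypass (looped/recursive filtering)
Compared with the previous levels, the source applies every filter. It looks fine, but each filter runs only once: the trailing dot of the file name is removed first (one time only), and then leading and trailing whitespace is trimmed, so 1.php + (dot + space + dot) can be used to bypass it.

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");
        $file_name = trim($_FILES['upload_file']['name']);
        $file_name = deldot($file_name); // remove the trailing dot from the file name
        $file_ext = strrchr($file_name, '.');
        $file_ext = strtolower($file_ext); // convert to lowercase
        $file_ext = str_ireplace('::$DATA', '', $file_ext); // strip the string ::$DATA
        $file_ext = trim($file_ext); // trim leading and trailing whitespace
        if (!in_array($file_ext, $deny_ext)) {
            $temp_file = $_FILES['upload_file']['tmp_name'];
            $img_path = UPLOAD_PATH.'/'.$file_name;
            if (move_uploaded_file($temp_file, $img_path)) {
                $is_upload = true;
            } else {
                $msg = '上傳出錯!';
            }
        } else {
            $msg = '此文件類型不允許上傳!';
        }
    } else {
        $msg = UPLOAD_PATH . '文件夾不存在,請手工創建!';
    }
}

Use Burp Suite to intercept the request and append "dot + space + dot" to the file extension to bypass the check.
The principle, when 1.php + (dot + space + dot) is uploaded:
- First, the trailing dot of the file name is removed, giving 1.php + dot + space.
- Then the strrchr function determines the file's extension to be .php + dot + space.
- Next, the extension is converted to lowercase, the string ::$DATA is stripped and leading and trailing whitespace is trimmed, giving .php + dot.
- Finally, the extension is checked against the blacklist. Because ".php." is not on the blacklist, the check passes, and because Windows automatically removes the final "." of the extension when saving the file, the file is uploaded successfully and saved as 1.php.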
Case 10: Pass-10 double-write bypass
Blacklist filtering replaces blacklisted extensions with the empty string, and only once, so writing the extension twice bypasses it.

$is_upload = false;
$msg = null;
if (isset($_POST['submit'])) {
    if (file_exists(UPLOAD_PATH)) {
        $deny_ext = array("php","php5","php4","php3","php2","html","htm","phtml","pht","jsp","jspa","jspx","jsw","jsv","jspf","jtml","asp","aspx","asa","asax","ascx","ashx","asmx","cer","swf","htaccess");
        $file_name = trim($_FILES['upload_file']['name']);
        $file_name = str_ireplace($deny_ext,"", $file_name);
        $temp_file = $_FILES['upload_file']['tmp_name'];
        $img_path = UPLOAD_PATH.'/'.$file_name;
        if (move_uploaded_file($temp_file, $img_path)) {
            $is_upload = true;
        } else {
            $msg = '上傳出錯!';
        }
    } else {
        $msg = UPLOAD_PATH . '文件夾不存在,請手工創建!';
    }
}

Use Burp Suite to intercept the request and change the file extension to .pphphp to bypass the check.
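
Pass-3 through Pass-10 all fail for the same reason: a blacklist is compared against a string that differs from the name the filesystem finally stores. The following is an added example, not code from upload-labs or from the original page: it canonicalises the name until nothing changes and then applies an allowlist, and it is run over constructed file names, one per bypass described in those cases. The function names, the allowlist and the name pattern are assumptions.

```php
<?php
// Added example, not upload-labs code: allowlist check on the name that
// will actually be stored, instead of a blacklist on the raw client name.

const ALLOWED_EXT = ['jpg', 'png', 'gif'];

/** Normalise until nothing changes, so "dot + space + dot" cannot survive one pass. */
function canonical_name(string $name): string
{
    $name = basename(str_replace('\\', '/', $name));     // drop any path part
    do {
        $before = $name;
        $name = preg_replace('/::\$DATA$/i', '', $name); // NTFS stream suffix
        $name = rtrim($name, ". \t\r\n\0");              // trailing dots/spaces Windows drops
    } while ($name !== $before);
    return strtolower($name);                            // case-insensitive filesystems
}

/**
 * Returns the canonical name to store, or null to reject the upload.
 * The caller must store the returned value, never the client's string.
 */
function safe_name(string $clientName): ?string
{
    $name = canonical_name($clientName);
    // Exactly one dot and a plain base name: rejects ".htaccess",
    // multi-extension names and anything with unusual characters.
    if (!preg_match('/^[a-z0-9_-]{1,64}\.([a-z0-9]+)$/', $name, $m)) {
        return null;
    }
    return in_array($m[1], ALLOWED_EXT, true) ? $name : null;
}

// Constructed names: one per bypass discussed in Pass-3 to Pass-10, plus two benign ones.
$samples = [
    'shell.phtml', '.htaccess', 'shell.PHP', 'shell.php ', 'shell.php.',
    'shell.php::$DATA', 'shell.php. .', 'shell.pphphp', 'photo.jpg', 'Photo.PNG.',
];
foreach ($samples as $s) {
    $stored = safe_name($s);
    printf("%-22s %s\n", var_export($s, true), $stored === null ? 'reject' : "store as $stored");
}
```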
Case 11: Pass-11 %00 truncation
Source code:

$is_upload = false;
$msg = null;
if(isset($_POST['submit'])){
    $ext_arr = array('jpg','png','gif');
    // take the string after the last dot in the file name
    $file_ext = substr($_FILES['upload_file']['name'],strrpos($_FILES['upload_file']['name'],".")+1);
    if(in_array($file_ext,$ext_arr)){
        $temp_file = $_FILES['upload_file']['tmp_name'];
        $img_path = $_GET['save_path']."/".rand(10, 99).date("YmdHis").".".$file_ext;
        if(move_uploaded_file($temp_file,$img_path)){
            $is_upload = true;
        } else {
            $msg = '上傳出錯!';
        }
    } else{
        $msg = "只允許上傳.jpg|.png|.gif類型文件!";
    }
}

This is whitelist filtering, but $img_path is built by direct concatenation, so %00 truncation can be used to bypass it.
$img_path = $_GET['save_path']."/".rand(10, 99).date("YmdHis").".".$file_ext;
Conditions for truncation: PHP version lower than 5.3.4, and PHP's magic_quotes_gpc set to Off.
Case 12: Pass-12 %00 truncation
Source code:

$is_upload = false;
$msg = null;
if(isset($_POST['submit'])){
    $ext_arr = array('jpg','png','gif');
    $file_ext = substr($_FILES['upload_file']['name'],strrpos($_FILES['upload_file']['name'],".")+1);
    if(in_array($file_ext,$ext_arr)){
        $temp_file = $_FILES['upload_file']['tmp_name'];
        $img_path = $_POST['save_path']."/".rand(10, 99).date("YmdHis").".".$file_ext;
        if(move_uploaded_file($temp_file,$img_path)){
            $is_upload = true;
        } else {
            $msg = "上傳失敗";
        }
    } else {
        $msg = "只允許上傳.jpg|.png|.gif類型文件!";
    }
}

Compared with Pass-11, the save_path parameter is passed via POST:
$img_path = $_POST['save_path']."/".rand(10, 99).date("YmdHis").".".$file_ext;
%00 truncation is still used; because POST, unlike GET, does not automatically decode %00, the modification has to be made in the binary data.
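
In Pass-11 and Pass-12 the extension whitelist is sound; the weakness is that save_path comes from the request and is concatenated into $img_path. The following is an added example, not code from upload-labs or from the original page: it rejects control bytes in the requested folder and confirms that the resolved directory stays inside a fixed base. The function name and the temporary directory layout are assumptions made so the sample runs anywhere.

```php
<?php
// Added example, not upload-labs code. The base directory is created under
// the system temp dir for the demo; all names here are assumptions.

/**
 * Build the final path for an upload when the client may pick a sub-folder.
 * Returns null unless the folder exists inside $baseDir.
 */
function build_image_path(string $baseDir, string $savePath, string $ext): ?string
{
    // 1. A NUL (or any control byte) in a path is never legitimate; on PHP
    //    before 5.3.4 it ended the string at the filesystem call.
    if (preg_match('/[\x00-\x1f\x7f]/', $savePath . $ext)) {
        return null;
    }
    // 2. Resolve symlinks and "..", and require an existing directory.
    $base = realpath($baseDir);
    $dir  = realpath($baseDir . '/' . $savePath);
    if ($base === false || $dir === false || !is_dir($dir)) {
        return null;
    }
    // 3. Containment: the resolved directory is the base or lies below it.
    if ($dir !== $base && strpos($dir, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    // 4. The server appends the file name; nothing after the folder comes from the client.
    return $dir . DIRECTORY_SEPARATOR . bin2hex(random_bytes(8)) . '.' . $ext;
}

// Constructed layout and inputs.
$base = sys_get_temp_dir() . '/upload_demo_' . bin2hex(random_bytes(4));
mkdir($base . '/avatars', 0700, true);
$inputs = ['avatars', "avatars\0", '../', 'missing'];
foreach ($inputs as $in) {
    $out = build_image_path($base, $in, 'jpg');
    echo json_encode($in), ' => ', $out === null ? 'rejected' : 'accepted', PHP_EOL;
}
rmdir($base . '/avatars');
rmdir($base);
```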



