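Qiangwang Cup 2020 writeup
Carried by the binary-exploitation veterans, Orz. Web: half_infiltration. First, deserialization: after the print, every code path ends in ob_end_clean(), so nothing is ever output. The approach is to trigger an error right after the output to bypass it; this way global$$this outputs and then raises an error. Pass in two User objects: one produces the output, the other raises the error that bypasses ob_end_clean() <?php $flag='…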
HTB-Cache
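Target: 10.10.10.188. An account is found in the JS source of login.html. After logging in you land on author.html; this step seems to take a bit of guesswork: generate a wordlist with cewl, then use wfuzz to find the domain name. cewl -w w.txt -d 10 -m 1 http://10.10.10.188/author.html wfuzz -w w.txt -H "HOST: FUZ…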
WMCTF2020
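Checkin1: An odd one; the filtering was probably incomplete, and requesting /flag directly returned the flag. Checkin2: The intended solution still requires writing a shell. Because "file_put_contents can invoke pseudo-protocols, and the filter is urldecoded once while the pseudo-protocol is processed", special characters can be double-encoded to bypass the filter, e.g. php://filter/write=string.%2572ot13|<?…
2020 Tianyi Cup – APITest
Time was really tight. Source: const express = require("express"); const cors = require("cors"); const app = express(); const uuidv4 = require("uuid/v4"); const md5 = r…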
CyBRICS CTF 2020
Gif2png import logging import re import subprocess import uuid from pathlib import Path from flask import Flask, render_template, request, redirect, url_for, flash, send_from_…
Miscellaneous Python notes
Techniques for command execution & file reading: os.system os.popen exec & eval: exec('__import__("os").system("whoami")') eval('__import__("os").system("whoami")') timeit module (…
SCTF 2020 web
CloudDisk: second blood on this challenge. const fs = require('fs'); const path = require('path'); const crypto = require('crypto'); const Koa = require('koa'); co…
Anheng June Contest
calc1 #!/usr/bin/env python3 # -*- coding: utf-8 -*- from flask import Flask, render_template, request,session from config import create import os app = Flask(__name__) app.co…
Vulnhub dc4-5
dc4 Target: 192.168.101.236 kali: 192.168.101.207 Ports: 22 80. Directory scanning found nothing; there is only a login form. Brute-force with hydra: hydra -l admin -P /usr/share/wordlists/rockyou.txt -f 192.168.101.236 http-post-form "/login.php:use…
Vulnhub dc-3.2
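Target: 192.168.101.233 kali: 192.168.101.207 Only port 80 is open. The CMS is Joomla. The CMS version is needed first in order to find the matching vulnerabilities; it can be detected with the version scanner built into msf, or with the Joomla scanning tool on GitHub: https://github.com/rezasp/joomscan perl joomscan.pl -u 192.16…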