Web ez_tp 判断是thinkphp 3.2 参考官方手册:https://www.kancloud.cn/manual/thinkphp/1697 判断路由模式 ...

没有环境,过一遍思路吧 考点: pickle反序列化+urllib库注入redis缓存 from flask import Flask,request from redis import Redis import hashlib import pickle import base64 import urllib app = Flask(__name__) redis = Redis(host='127.0.0.1', port=6379) def get_result(url): url_key=hashlib.md5(url.encode()).hexdigest() res=redis.get(url_key) if res: return pickle.loads(base64.b64decode(res)) else: try: print(url) info = urllib.request.urlopen(url) res = info.read() pickres=pickle.dumps(res) b64res=base64.b64encode(pickres) redis.set(url_key,b64res,ex=300) return res except urllib.error.URLError as e: print(e) @app.route('/') def hello(): url = request.args.get("url") return '''<h1>give me your url via GET method like: ?url=127.0.0.1:8080<h1> <h2>Here is your result</h2> <h3>source code in /source</h3> %s ''' % get_result('http://'+url).decode(encoding='utf8',errors='ignore') @app.route('/source') def source(): return 这里触发 ssrf 是通过 python3.7 的 urllib.request.urlopen(url) 触发 存在 CRLF注入 控制 缓存应用命令(redis) (CVE-2019-9947) https://www.freebuf.com/vuls/222679.html ...

今年CISCN的Tough DNS 的前戏就是DNS协议分析 直接可以查找到flag的base64形式Zmxh 发现就是请求的dnslog 携带的数据 过滤器就是 dns tshark -r dns.pcapng -T json -Y "dns" >1.json 字段选择 dns.qry.name tshark -r dns.pcapng -T json -Y "dns" -e dns.qry.name >2.json 像往常一样提数据即可 ...

**Warning**: date(): It is not safe to rely on the system's timezone settings. You are *required* to use the date.timezone setting or the date_default_timezone_set() function. In case you used any of those methods and you are still getting this warning, you most likely misspelled the timezone identifier. We selected the timezone 'UTC' for now, but please set date.timezone to select your timezone. in **/var/www/html/index.php** on line **24** 2024-06-03 12:35:13 pm 一直刷新 直接抓包看参数 读 index.php <?php $disable_fun = array("exec","shell_exec","system","passthru","proc_open","show_source","phpinfo","popen","dl","eval","proc_terminate","touch","escapeshellcmd","escapeshellarg","assert","substr_replace","call_user_func_array","call_user_func","array_filter", "array_walk", "array_map","registregister_shutdown_function","register_tick_function","filter_var", "filter_var_array", "uasort", "uksort", "array_reduce","array_walk", "array_walk_recursive","pcntl_exec","fopen","fwrite","file_put_contents"); function gettime($func, $p) { $result = call_user_func($func, $p); $a= gettype($result); if ($a == "string") { return $result; } else {return "";} } class Test { var $p = "Y-m-d h:i:s a"; var $func = "date"; function __destruct() { if ($this->func != "") { echo gettime($this->func, $this->p); } } } $func = $_REQUEST["func"]; $p = $_REQUEST["p"]; if ($func != null) { $func = strtolower($func); if (!in_array($func,$disable_fun)) { echo gettime($func, $p); }else { die("Hacker..."); } } ?> 非预期: 命名空间绕过: \system 等价于 system ...

ThinkPHP代码审计(1) 不安全的SQL注入&PHP反序列化链子phar利用&简单的CMS审计实例 [TOC] 一.Thinkphp5不安全的SQL写法 Thinkphp官方提供了SQL接口，已经为SQL语句进行了预编译 ...

Web easycms 发现目录下存在 flag.php 有hint 提示1： /flag.php： if($_SERVER["REMOTE_ADDR"] != "127.0.0.1"){ echo "Just input 'cmd' From 127.0.0.1"; return; }else{ system($_GET['cmd']); } 提示2：github找一下源码? 看见 $_SERVER[“REMOTE_ADDR”] != “127.0.0.1” 首先考虑找ssrf 全局搜索一下 curl_exec 函数的调用 在 dayrui\Fcms\Core\Helper.php中 存在 dr_catcher_data 对 curl_exec 进行了调用 再往上找 在 dayrui\Fcms\Control\Api.php ...

Misc gogogo 考点:内存取证 得到 gogogo.raw 内存取证的题用volatility和AXIOM结合分析 AXIOM 分析存在云服务 但是百度网盘要密码 https://pan.baidu.com/share/init?surl=ZllFd8IK-oHvTCYl61_7Kw 发现访问过sqlite数据库 可以尝试提取数据库文件出来 结合 volatility 第一步先看 粘贴板 vol.py -f gogogo.raw --profile=Win7SP0x86 clipboard 有 cwqs 猜测可能是百度网盘密码 ...

O!!!SPF!!!!!! Enhanced 题目描述 I'm apologized for the missing part of the treasure map. Luckily this is a way to recover it. 2a13:b487:11aa::d3:c7f:2f will tell you the key at its path. But it seems not easy to reach it? The dungeon and the flag inside it is waiting for you. 很抱歉藏宝图丢失了一部分。幸运的是，我们有办法找回它。2a13:b487:11aa::d3:c7f:2f 会告诉你钥匙的路径。但要找到它似乎并不容易？地牢和里面的旗帜正在等着你。 什么玩意 ...