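[D3CTF 2019]EasyWeb (c) Reading the source shows CodeIgniter-3.1.11; a quick web search shows it is a code framework (the CI framework), a PHP framework. Tried looking for framework vulnerabilities, with no result. Tried SQL injection on the login form; tests with single quotes and the like found nothing. Found that the backend uses both mysqli and PDO; it is generally believed that PDO's prepared statements can completely prevent SQL injection. Tried a code audit. $route['defaul…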
import requests import re import os import time import requests data='{"offset":0,"limit":10}' url="https://api.ctfhub.com/User_API/Event/ge…
[*ctf 2022]oh-my-lotto Simple reproduction. Reference: (43 messages) *CTF2022 - Web_A丶R's blog - CSDN Blog. Using that author's script directly works: import requests url = "http://121.36.217.177:53001/" def lotto(key,value): data = {&quo…
shiro Environment setup: jdk7u21 https://www.oracle.com/java/technologies/javase/javase7-archive-downloads.html Some platforms even charge money? tomcat8 P神's shiro environment: https://github.com/phith0n/JavaThings/tree/maste…
import requests import re import os #from bs4 import BeautifulSoup # url='https://www.ctfhub.com/#/calendar' # rsp = requests.get(url); # print(rsp.text) url='h…
Apache Commons BeanUtils Environment setup <dependency> <groupId>commons-beanutils</groupId> <artifactId>commons-beanutils</artifactId> <version>1.9.4&l…
Rome1.0 I have seen this before; at the time I referred to this ROME deserialization analysis (c014.cn). The rome1.0 gadget chain in yso is as follows: TemplatesImpl.getOutputProperties() NativeMethodAccessorImpl.invoke0(Method, Object, Object[]) NativeMethodAccessorIm…
a=os.popen("curl https://ctftime.org/event/list/upcoming") #use a to receive the return value #print(a.readlines()) for key in a.readlines(): pattern0 = r'(.*) teams will participate…
node weak-type comparison const adminHash = sha256(sha256(salt + 'admin') + sha256(salt + 'admin')) if(!username || !password || username === password || username.length =…
cc2 This is simply a cc chain whose last step does not use runtime.exec but uses getTemplatesImpl instead. poc package org.apache.commons.collections; import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl; import …