Smartbi Audit Notes
Smartbi login bypass patch analysis. Download the patch and decode it with a script to obtain the information for this patch: { "url": "/smartbix/api/monitor/setServiceAddress", "rules": [{ "type": "RejectSmartbixSetAddress" }] }, { "url": "/smartbix/api/monitor/setServiceAddress/", "rules": [{ "type": "RejectSmartbixSetAddress" }] }, { ...
Geekcon: Exploring Exploitation Techniques on Newer JDK Versions
old-log: a web service written in Groovy on the Grails framework. Its dependencies include log4j 2.14.1 and there is a controllable log parameter, so it turns into a JNDI exploitation problem. jdk 1.8, jdk 11, jdk 17, jdk 21
Wutong Cup AWD Reproduction
The AWD challenge from the Wutong Cup finals had three target machines in total, one of which ran two Java services. This is a summary of the Java challenges in AWD. For patching jar files, see https://github.com/H4cking2theGate/JarPatcher. actuator-testbed: the dependencies for this challenge are as follows, with Spring Boot version 2.0.5.RELEASE: <dependency> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter-web</artifactId></dependency><dependency> <groupId>org.springframework.boot</groupId> ...
Hongminggu Challenge Reproduction
Simp1escape: the challenge has a curl route that allows access to a URL, but only with the http or https protocol; a 302 redirect can be used here for SSRF. @RequestMapping({"/curl"}) public String curl(@RequestParam String url, HttpServletRequest request, HttpServletResponse response) throws Exception { if (!url.startsWith("http:") && !url.startsWith("https:")) { System.out.println(url.startsWith("http")); return "No protocol: " + url; } else { ...
AliyunCTF2024
chain17: agent17's dependencies are as follows. The challenge provides a Hessian2 deserialization entry point and supplies its own Bean, whose getter can trigger native deserialization, but there are many blacklists. <dependency> <groupId>com.alibaba</groupId> <artifactId>hessian-lite</artifactId> <version>3.2.13</version></dependency><dependency> <groupId>cn.hutool</groupId> <artifactId>hutool-all</artifactId> <version>5.8.16</version></dependency><!--...
qmb Offline Java Challenge Reproduction
...
Javolution: Notes on Setting the Challenge
Javolution: A modern java challenge prepared for u, bypass it and achieve RCE ! Source: https://github.com/H4cking2theGate/My-CTF-Challenges/tree/main/DubheCTF%202024/Javolution. Bypass: via /pal/cheat, set your own defense to a negative number so that opponentPower overflows to a negative value and jetragon is defeated. After reaching level 50, pass localhost%00dubhe to bypass the host check. def levelup(): r = requests.get(url+"/pal/cheat?defense=-800000") print(r.text) r = requests.get(url+"/pal/battle/jetragon") print(r.text) def deser(): r =...
EKS Cluster Games Walkthrough
An AWS EKS practice range, a good opportunity to learn EKS security. Address: https://eksclustergames.com/ Welcome To The Challenge: You’ve hacked into a low-privileged AWS EKS pod. Use the web terminal below to find flags across the environment. Each challenge runs in a different Kubernetes namespace with varying permissions. All K8s resources are crucial; challenges are based on real EKS misconfigurations and security issues. Click “Begin Challenge” on your desktop, and for guidance, click the question mark icon for useful cheat...
Weaver E-cology Audit Notes
Hey, password is required here.