Posted 2019-09-20 | Updated 2020-07-11 | web security | 19 minutes read (about 2847 words)
Reproducing the Shiro deserialization vulnerability
As long as the AES key used to encrypt the rememberMe cookie is leaked, there is an RCE risk regardless of the Shiro version.

Posted 2018-06-26 | Updated 2020-07-11 | web security | 5 minutes read (about 769 words)
The secret of nginx
Official writeup for the wpsctf2018 challenge "nginx的秘密" (The secret of nginx).

Posted 2018-04-24 | Updated 2020-07-11 | web security | 11 minutes read (about 1697 words)
Making things happen with Python inheritance chains
The term "inheritance chain" is one I coined myself. I have seen other people's blogs call it "egg" or "ssti", but I like to call it an inheritance chain because it feels vivid. I first encountered this technique while learning about Python sandbox bypasses; at the time I did not quite understand what an expression like ().__class__.__bases__[0].__subclasses__() meant. After studying it for a while, I decided to summarize the methods for constructing inheritance chains, and to use them to read the configuration file of a Django application that has a format string vulnerability (inspired by p师傅's blog).

Posted 2018-04-08 | Updated 2020-07-11 | web security | 9 minutes read (about 1424 words)
Getting a shell through the opcache cache
OPcache is a caching engine bundled with PHP 7. It caches PHP scripts that have already been compiled as bytecode files in a specific directory (set in php.ini), which saves the overhead of loading and parsing the same script on every access. (It first checks whether a bin file exists and, if so, uses it directly.)

Posted 2018-01-28 | Updated 2020-07-11 | web security | 10 minutes read (about 1477 words)
DNS rebinding
Exploiting the short gap between a server's two resolutions of the same domain name to swap the IP behind the domain, in order to break the same-origin policy or bypass a WAF for SSRF.

Posted 2018-01-20 | Updated 2020-07-11 | web security | 13 minutes read (about 1882 words)
Multiple solutions to one challenge
The challenge reads: the customer service center of an industrial control cloud management system has a vulnerability, and the flag is in the file flag/flag/flag/flag/flag/flag/flag.php.

Posted 2018-01-12 | Updated 2020-07-11 | web security | 14 minutes read (about 2027 words)
Learning MongoDB injection
"With MongoDB we are not building queries from strings, so traditional SQL injection attacks are not a problem." - MongoDB Developer FAQ

Posted 2017-10-01 | Updated 2020-07-11 | web security | 10 minutes read (about 1511 words)
Learning POP chains
So the question is: what does a controllable unserialize point mean?

Posted 2017-09-27 | Updated 2020-07-11 | web security | 6 minutes read (about 882 words)
Learning how Xdebug works and reproducing its attack surface
The attack idea comes from rr师傅; I remember that back then his blog was called 初心を忘れず.

Posted 2017-09-01 | Updated 2020-07-11 | web security | 6 minutes read (about 890 words)
Notes on solving challenge 14 of the XSS challenge series
I only set out to think about this one challenge, and then got sucked in. Let's look at the challenge first: the key point is that the output lands inside an input hidden field, and because the text box is hidden, the usual click-related events (such as onfocus) are not triggered.