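Posted 2019-11-08 | Updated 2020-07-11 | web security | 4 minutes read (About 531 words)
Notes on a simple process of locating front-end encryption logic for brute forcing
The process is fairly simple; this one is a filler post.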
Posted 2019-11-01 | Updated 2020-07-11 | web security | 2 minutes read (About 357 words)
WordPress xmlrpc.php has an SSRF vuln (use DNS rebinding to bypass the limit)
In the WordPress xmlrpc.php pingback_ping function, the domain that is passed in is parsed three times.
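Posted 2019-10-25 | Updated 2024-10-05 | redteam | 25 minutes read (About 3727 words)
CobaltStrike External C2 channel
CS's extended C2 interface (Cobalt Strike External Command and Control) allows a third-party program to act as an additional communication layer between the teamserver and Beacon. It is referred to below as External C2.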
Posted 2019-10-18 | Updated 2020-07-11 | web security | 20 minutes read (About 3051 words)
Reproducing the thinkphp deserialization gadget series
Reproducing the thinkphp deserialization gadget series (draft)
Posted 2019-10-18 | Updated 2020-07-11 | ad security | 16 minutes read (About 2435 words)
Smashing Kerberos's dog head with domain delegation
Posted 2019-10-09 | Updated 2024-08-11 | web security | 14 minutes read (About 2034 words)
s2-001 code analysis
Posted 2019-10-02 | Updated 2020-07-11 | web security | 22 minutes read (About 3248 words)
Hardcore trace of the fastjson deserialization flow
fastjson is used to serialize a Java Bean into a JSON string, and can also deserialize a JSON string back into a JavaBean.
Posted 2019-09-20 | Updated 2020-07-11 | web security | 19 minutes read (About 2847 words)
Reproducing shiro deserialization
As long as the rememberMe AES encryption key is leaked, there is an RCE risk no matter which version of shiro is in use.
Posted 2018-06-26 | Updated 2020-07-11 | web security | 5 minutes read (About 769 words)
The Secret of nginx
wpsctf2018 "The Secret of nginx" official writeup
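Posted 2018-04-24 | Updated 2020-07-11 | web security | 11 minutes read (About 1697 words)
Messing around with Python inheritance chains
"Inheritance chain" is a term I made up myself. I have seen some people call it egg or ssti in their blogs, but I like to call it an inheritance chain because it feels vivid. I first ran into this technique while learning Python sandbox bypasses. At the time I did not really understand what something like ().__class__.__bases__[0].__subclasses__() meant. After studying for a while, I decided to summarize the methods for constructing inheritance chains, and to use this method to read the configuration file when django has a format string vulnerability (inspired by p师傅's blog).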