Blue Star's Blog

首先代码审计，这是一个利用 Bottle 写的 Web 框架。 /download 支持下载文件，作了路径穿越过滤 /secret 进行了 guest 和 admin 的认证，用了 session = request.get_cookie("name", secret=secret) 而源码里告诉了路径 ../../secret.txt 也就是说可以用 secret.txt 对 cookie 进行伪造 根据提示，有反序列化的过程，session 认后也没有其他可用功能，于是去看 bottle 如何解析cookie 看到他的 get_cookie 123456789101112131415161718192021222324252627282930313233def get_cookie(self, key, default=None, secret=None, digestmod=hashlib.sha256): """ Return the content of a cookie. To read a...

外部打点arp-scan -l 12345678910111213┌──(root㉿kali)-[~]└─# arp-scan -lInterface: eth0, type: EN10MB, MAC: 00:0c:29:74:07:c6, IPv4: 192.168.0.9Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)192.168.0.1 30:3f:7b:d5:aa:de Shenzhen YOUHUA Technology Co., Ltd192.168.0.8 2c:9c:58:8e:96:a5 (Unknown)192.168.0.12 08:00:27:08:28:cf PCS Systemtechnik GmbH192.168.0.4 f2:13:09:db:48:25 (Unknown: locally administered)192.168.0.2 ...

常用操作 hexo new "标题" 新建文章 hexo server 本地预览 hexo generate (hexo g) 生成静态文件 hexo deploy (hexo d) 部署到远程 hexo clean 清除缓存

首先看 js 的 express 框架 12345678910111213app.get('/flag', (req, res) => { if(!req.query.admin.includes('false') && req.headers.admin.includes('true')){ res.send(flag); }else{ res.send('try hard'); }}); 必须满足查询参数中不包含 flase，请求头有 admin:true （这里的请求头是 post 中的请求头） 再看 web php 代码 $input = file_get_contents('php://input'); 这里是直接获取的 post 内容 $headers = (array)json_decode($input)->headers; 将一个...

点击猫猫信息看到文件读取功能 环境变量里没有 1http://61.147.171.103:60316/info?file=../../../../proc/self/environ /proc/self/cmdline，用于获取当前启动进程的完整命令 得到 b’python\x00app.py\x00’ 再次读取上级目录的 ../app.py app是个Flask对象，而secret...

mainarp-scan -l 123456Interface: eth0, type: EN10MB, MAC: 08:00:27:82:4b:5b, IPv4: 192.168.43.160Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)192.168.43.1 12:dd:b5:07:19:10 (Unknown: locally administered)192.168.43.73 2c:9c:58:8e:96:a5 (Unknown)192.168.43.74 08:00:27:cf:d8:16 PCS Systemtechnik GmbH192.168.43.135 08:00:27:dc:f8:76 PCS Systemtechnik GmbH nmap 12345678910PORT STATE SERVICE VERSION22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u3 (protocol...

mainarp-scan -l 123456Interface: eth0, type: EN10MB, MAC: 08:00:27:82:4b:5b, IPv4: 192.168.43.160Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)192.168.43.1 12:dd:b5:07:19:10 (Unknown: locally administered)192.168.43.73 2c:9c:58:8e:96:a5 (Unknown)192.168.43.74 08:00:27:cf:d8:16 PCS Systemtechnik GmbH192.168.43.73 2c:9c:58:8e:96:a5 (Unknown) (DUP: 2) nmap -p- -A -T5 192.168.43.73 123456789101112131415161718192021222324252627282930PORT STATE SERVICE...

arp-scan -l 12345678910Interface: eth0, type: EN10MB, MAC: 08:00:27:82:4b:5b, IPv4: 192.168.43.160Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)192.168.43.1 12:dd:b5:07:19:10 (Unknown: locally administered)192.168.43.22 08:00:27:fa:74:72 PCS Systemtechnik GmbH192.168.43.73 2c:9c:58:8e:96:a5 (Unknown)192.168.43.74 08:00:27:cf:d8:16 PCS Systemtechnik GmbH192.168.43.80 08:00:27:3e:86:10 PCS Systemtechnik GmbH8 packets received by filter, 0 packets dropped by...

Beatifulsoup 快速实现12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788899091import requestsimport pandas as pdfrom bs4 import BeautifulSoupfrom datetime import datetimeimport matplotlib.pyplot as pltdef fetch_github_trending(keyword="python", date_range="Today"): """ 获取 GitHub 上某个编程语言的趋势仓库。 参数: keyword (str): 要获取趋势仓库的编程语言。默认为...

warm up123456789101112131415161718192021222324252627<?phpinclude 'next.php';highlight_file(__FILE__);$XYCTF = "Warm up";extract($_GET);if (isset($_GET['val1']) && isset($_GET['val2']) && $_GET['val1'] != $_GET['val2'] && md5($_GET['val1']) == md5($_GET['val2'])) { echo "ez" . "<br>";} else { die("什么情况,这么基础的md5做不来");}if...