@Firebasky
Firebasky / writeup.md
Created May 4, 2022 12:31 — forked from loknop/writeup.md
Solving "includer's revenge" from hxp ctf 2021 without controlling any files

The challenge

The challenge was to achieve RCE with this file:

<?php ($_GET['action'] ?? 'read' ) === 'read' ? readfile($_GET['file'] ?? 'index.php') : include_once($_GET['file'] ?? 'index.php');

Some additional hardening was applied to the php installation to make sure that previously known solutions wouldn't work (for further information read this writeup from the challenge author).

I didn't solve the challenge during the competition - here is a writeup from someone who did - but since the idea I had differed from the techniques used in the published writeups I read (and I thought it was cool :D), here is my approach.

@Firebasky
Firebasky / AgentDemo.java
Created May 2, 2022 09:43
Java agent defense
import com.sun.tools.attach.VirtualMachine;
import com.sun.tools.attach.VirtualMachineDescriptor;
import javassist.*;
import java.io.File;
import java.io.UnsupportedEncodingException;
import java.lang.instrument.ClassDefinition;
import java.lang.instrument.Instrumentation;
import java.net.URLDecoder;
import java.util.List;
@Firebasky
Firebasky / main.java
Created April 11, 2022 13:39
change class version
import java.io.FileOutputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
/**
* java -jar version.jar demo.class jdk6
*/
public class main {
private static byte[] bytesVersion={49,50,51,52,53,54,55,56,57,58,59};
@Firebasky
Firebasky / CVE-2022-21371
Created January 26, 2022 04:15 — forked from picar0jsu/CVE-2022-21371
Oracle WebLogic Server 12.1.3.0.0 / 12.2.1.3.0 / 12.2.1.4.0 / 14.1.1.0.0 Local File Inclusion
# Exploit Title: Oracle WebLogic Server 12.1.3.0.0 / 12.2.1.3.0 / 12.2.1.4.0 / 14.1.1.0.0 Local File Inclusion
# Date: 25/1/2022
# Exploit Author: Jonah Tan (@picar0jsu)
# Vendor Homepage: https://www.oracle.com
# Software Link: https://www.oracle.com/middleware/technologies/weblogic-server-installers-downloads.html
# Version: 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0
# Tested on: Windows Server 2019
# CVE : CVE-2022-21371
# Description
@Firebasky
Firebasky / exploit.java
Created January 12, 2022 06:42
fastjson 1.2.68 exploit code: RCE by writing a file under jre/classes
import javassist.ClassClassPath;
import javassist.ClassPool;
import javassist.CtClass;
import javassist.CtMethod;
import java.io.*;
import java.util.Base64;
import java.util.zip.Deflater;
/**
* Trigger:
@Firebasky
Firebasky / agent.cpp
Last active January 9, 2022 06:26
Remotely load a DLL implemented in C to inject malicious code.
#include "pch.h"
#include "jvmti.h"
#include <iostream>
/*
* A Java agent has two startup functions, Agent_OnLoad and Agent_OnAttach
* Agent_OnLoad is called in the onload phase
* Agent_OnAttach is called in the live phase
* However, only one startup function is called for each agent
*/