kaiili

## runjs.html
<html>
<head>
  <title>JavaScript Execution</title>
  <script>
    function executeCode() {
      const input = document.getElementById('inputCode').value;
      const output = document.getElementById('outputResult');
      try {
        const result = eval(input);
        output.textContent = result;

## 2024-01-hack-review.md

      
              1 file
            
          
              0 forks
            
          
              0 comments
            
          
              0 stars
            
          
                kaiili
                / 2024-01-hack-review.md
            
            
              Last active
              January 20, 2024 13:54
            
              
                [review] Top 10 web hacking techniques of 2023 by portswigger
              
          
    原文:
https://portswigger.net/research/top-10-web-hacking-techniques-of-2023-nominations-open

Ransacking your password reset tokens

分类: 漏洞披露-Ruby

  
## tes.ql
// send 需要2 参数可控
// public_send 需要 3 参数可控
// (1) todo 对参数本身的类型检查
// (2) todo 对方法本身的检查
// (3) 对 location的检查, 去除 _spec.rb, _example.rb, 直接删除然后构建 database
import codeql.ruby.DataFlow

from DataFlow::CallNode call
where
  call.getNumberOfArguments() = 2 and

## poc.py
import struct
import asyncio

# JDBC 客户端会去请求的地址
# 最终的请求: http://127.0.0.1:1881/.well-known/openid-configuration
url = "http://127.0.0.1:1881/"


# 自动化拼接字符串
# 0x 是占位符, 大量的数据来自 OCR, 为了对齐缺少的行

## test.ipynb

      
              1 file
            
          
              0 forks
            
          
              0 comments
            
          
              0 stars
            
          
                kaiili
                / test.ipynb
            
            
              Created
              March 15, 2023 05:11
            
          
        Loading

      Sorry, something went wrong. Reload?
      Sorry, we cannot display this file.
      Sorry, this file is invalid so it cannot be displayed.
      
          Viewer requires iframe.
      
    
## test.json
{
"swagger": "2.0",
"info": {
"description": "<select><template><img src=x onerror=alert(1)></template></select>",
"version": "1.0.6",
"title": "Swagger Petstore",
"termsOfService": "11",
"contact": {
"email": "apiteam@swagger.io"
},

## check.js
dom.querySelector("script") ||
dom.querySelector("svg") ||
dom.querySelector("meta") ||
dom.querySelector("x") || // todo: x:script
dom.querySelector("object[data]") ||
dom.querySelector("iframe[src]") ||
dom.querySelector("iframe[srcdoc]") ||
dom.querySelector("embed[src]") ||
dom.querySelector("base[href]") ||
dom.querySelector("form[formaction]") ||

## match.sh
iptables -t nat -A OUTPUT -p tcp ! -d 127.0.0.1 -m owner --uid-owner 2000 -m multiport --dports 80,443 -j DNAT --to-destination 127.0.0.1:8080


## day1_simple_game_exp.move
// code : https://github.com/movebit/movectf-6
// sui move build --dump-bytecode-as-base64 --path .
// sui client publish --path ./ --gas-budget 30000
module c6::exp {
    use ctf::hero;
    use ctf::adventure;
    use sui::tx_context::TxContext;
    public entry fun start(
        h: &mut hero::Hero, ctx: &mut TxContext
    ): () {

## reentrancy_babybank.sol


pragma solidity ^0.8.7;

interface Target {
    function profit() external;
    function guess(uint guess_secret) external;
    function transfer(address to, uint amount) external;
    function payforflag(string memory md5ofteamtoken,string memory b64email)external;
    function withdraw(uint amount) external;
	<html>
	<head>
	<title>JavaScript Execution</title>
	<script>
	function executeCode() {
	const input = document.getElementById('inputCode').value;
	const output = document.getElementById('outputResult');
	try {
	const result = eval(input);
	output.textContent = result;
	// send 需要2 参数可控
	// public_send 需要 3 参数可控
	// (1) todo 对参数本身的类型检查
	// (2) todo 对方法本身的检查
	// (3) 对 location的检查, 去除 _spec.rb, _example.rb, 直接删除然后构建 database
	import codeql.ruby.DataFlow

	from DataFlow::CallNode call
	where
	call.getNumberOfArguments() = 2 and
	import struct
	import asyncio

	# JDBC 客户端会去请求的地址
	# 最终的请求: http://127.0.0.1:1881/.well-known/openid-configuration
	url = "http://127.0.0.1:1881/"


	# 自动化拼接字符串
	# 0x 是占位符, 大量的数据来自 OCR, 为了对齐缺少的行
	{
	"swagger": "2.0",
	"info": {
	"description": "<select><template><img src=x onerror=alert(1)></template></select>",
	"version": "1.0.6",
	"title": "Swagger Petstore",
	"termsOfService": "11",
	"contact": {
	"email": "apiteam@swagger.io"
	},
	dom.querySelector("script") \|\|
	dom.querySelector("svg") \|\|
	dom.querySelector("meta") \|\|
	dom.querySelector("x") \|\| // todo: x:script
	dom.querySelector("object[data]") \|\|
	dom.querySelector("iframe[src]") \|\|
	dom.querySelector("iframe[srcdoc]") \|\|
	dom.querySelector("embed[src]") \|\|
	dom.querySelector("base[href]") \|\|
	dom.querySelector("form[formaction]") \|\|
	iptables -t nat -A OUTPUT -p tcp ! -d 127.0.0.1 -m owner --uid-owner 2000 -m multiport --dports 80,443 -j DNAT --to-destination 127.0.0.1:8080
	// code : https://github.com/movebit/movectf-6
	// sui move build --dump-bytecode-as-base64 --path .
	// sui client publish --path ./ --gas-budget 30000
	module c6::exp {
	use ctf::hero;
	use ctf::adventure;
	use sui::tx_context::TxContext;
	public entry fun start(
	h: &mut hero::Hero, ctx: &mut TxContext
	): () {


	pragma solidity ^0.8.7;

	interface Target {
	function profit() external;
	function guess(uint guess_secret) external;
	function transfer(address to, uint amount) external;
	function payforflag(string memory md5ofteamtoken,string memory b64email)external;
	function withdraw(uint amount) external;