Google Drive
Gist
Clipboard
Author: Sean 韋詠祥
Slide: https://tg.pe/sdy
Path Traversal / CVE-2021-43798
CVSS Score: 7.5 (High)
Please refer to "grafana/grafana@c798c0e".
It's not safe to use "filepath.Join" for user input.
Rel"?func Rel(basepath, targpath)
/* Join(basepath, Rel(basepath, targpath)) == targpath */
Returns a relative path that is equivalent to targpath when joined to basepath with an /.
Return error if targpath can't be made relative to basepath.
Check if it's relative path before
Get "/flag" using skill you learn.
Hint: Use "curl --path-as-is" to preserve "../" path.
Path Traversal / CVE-2021-41773
CVSS Score: 7.5 (High)
We could use "%2e" or "%2E" to exploit it.
The flag is located in "/flag" file.
Path Traversal / CVE-2021-42013
CVSS Score: 9.8 (Critical)
Let's review previous security patch.
Assert "%" will follow by two "[0-9a-f]" char.
Use "%%32%65" to double encode.
Command Injection / CVE-2021-32682
CVSS Score: 9.8 (Critical)
zip command$ zip -r9 -q 'target.zip' './source.txt'
-q, --quiet
Quiet mode; eliminate informational messages and
comment prompts. (Useful, for example, in shell
scripts and background tasks).
-r, --recurse-paths
Travel the directory structure recursively;
for example: `zip -r archive.zip folder/`
-# (-0, -1, -2, -3, -4, -5, -6, -7, -8, -9)
The speed of compression.
-0 means no compression.
-1 indicates the fastest compression speed.
-9 uses the optimal compression.
-v, --verbose
Verbose mode or print diagnostic version info.
-T, --test
Test the integrity of the new zip file.
-TT, --unzip-command
Use custom command to test an archive
when the -T option is used.
Add ./ before filename.
We could leverage zip -TT option.
$ zip -T -TT 'echo' file.zip
Hint: File name could be "-v hello.zip".
Any questions?
JNDI Injection / CVE-2021-44228
CVSS Score: 10.0 (Critical)
Homework: http://sqlab.nycu.dev:44228/
Fix Commit: apache/logging-log4j2@c77b3cb
or
or
By clicking below, you agree to our terms of service.
Sign in with Wallet
New to HackMD? Sign up
| Syntax | Example | Reference | |
|---|---|---|---|
| # Header | Header | 基本排版 | |
| - Unordered List |
|
||
| 1. Ordered List |
|
||
| - [ ] Todo List |
|
||
| > Blockquote | Blockquote |
||
| **Bold font** | Bold font | ||
| *Italics font* | Italics font | ||
| ~~Strikethrough~~ | |||
| 19^th^ | 19th | ||
| H~2~O | H2O | ||
| ++Inserted text++ | Inserted text | ||
| ==Marked text== | Marked text | ||
| [link text](https:// "title") | Link | ||
|  | Image | ||
| `Code` | Code |
在筆記中貼入程式碼 | |
| ```javascript var i = 0; ``` |
|
||
| :smile: |  |
Emoji list | |
| {%youtube youtube_id %} | Externals | ||
| $L^aT_eX$ | LaTeX | ||
| :::info This is a alert area. ::: |
This is a alert area. |
On a scale of 0-10, how likely is it that you would recommend HackMD to your friends, family or business associates?
Please give us some advice and help us improve HackMD.
Do you want to remove this version name and description?
Syncing
-
Any changes
Be notified of any changes
-
Mention me
Be notified of mention me
-
Unsubscribe
Subscribe