Capture The Flag
CTF: An Introductory Experience
Slide link: https://hackmd.io/@Sean64/sec-bbf2022
About the speaker
Welcome to CTF
Open https://ctf.sean.cat/ and try the first challenge
The flag format is FLAG{Print@b1e}
Capture the Flag (CTF) comes in several forms…
Attack and Defense (A&D)
HITCON DEFENSE
King of the Hill (KoH)
Example KoH challenge
Jeopardy
A string of the form FLAG{printable}
Common Jeopardy format: CTFd
Basic Jeopardy categories
Reverse (reverse engineering)
Binary (executable-file exploitation)
Web (web security)
Broken Access Control
Crypto (cryptography)
Forensic (digital forensics)
Misc (miscellaneous)
Classic Web vulnerabilities
Command Injection
"id" to see who you are, "ls" and "cat" to view files
Path Traversal
../%2e%2e/.%2e/etc/passwd
Look for the telltale text
XSS
Verify with <script>alert(1);</script>
Classic Crypto techniques
Caesar Cipher
Ecoji
Classic Forensic techniques
Memory Dump
Steganography
Classic Misc challenge types
QR code repair
Learning resources
PicoCTF
https://play.picoctf.org/
CTFtime
https://ctftime.org/
AIS3 (new-style summer information security course)
Registration in April, test in May, classes in July
https://ais3.org/
Q&A
Slide link: https://hackmd.io/@Sean64/sec-bbf2022
This slide deck is licensed for public use under Creative Commons Attribution (CC BY); for the source and speaker notes, see this link.
Further reading / references
Supplement: Web CVE exploits
What follows are the 3 most basic Path Traversal vulnerabilities
plus 1 special use of unzip.
If there is time after the main talk, we will try them together.
Grafana
Path Traversal / CVE-2021-43798
CVSS Score: 7.5 (High)
Fix Commit
See "grafana/grafana@c798c0e9"
Why?
Handling user input with "filepath.Join()" goes wrong.
What is "Rel()"?
It returns a relative path which, when Join()ed with basepath, is equivalent to targpath.
When targpath cannot be made relative to basepath, it returns an error.
How to fix it?
Before Join(), use Rel() first to rule out relative paths.
Try it!
/public/plugins/alertlist/../../sdk.ts
Hint: use "curl --path-as-is", otherwise the "../" gets eaten by the browser.
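The Join()/Rel() point above, as an added Go example that is not Grafana's code: naiveJoin is the pattern the slide criticises, safeJoin is the Rel()-based check; the plugin directory constant and the request strings are constructed for the demo, and the traversal request is the "../../sdk.ts" tail of the slide's URL.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// Constructed plugin directory for the demo; not Grafana's real layout.
const pluginDir = "/srv/grafana/public/app/plugins/panel/alertlist"

// ErrTraversal is returned when the requested file resolves outside pluginDir.
var ErrTraversal = errors.New("requested path escapes the plugin directory")

// naiveJoin shows the pattern the slide warns about: user input goes straight
// into filepath.Join. Join cleans the result, so "../" segments are resolved
// and the final path can land outside base.
func naiveJoin(base, requested string) string {
	return filepath.Join(base, requested)
}

// safeJoin applies the fix the slide describes: join, then ask filepath.Rel
// how to reach the result from base. Rel returns an error when the target
// cannot be expressed relative to base, and a path beginning with ".." when
// the target lies outside it; both cases are rejected.
func safeJoin(base, requested string) (string, error) {
	joined := filepath.Join(base, requested)
	rel, err := filepath.Rel(base, joined)
	if err != nil {
		return "", ErrTraversal
	}
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrTraversal
	}
	return joined, nil
}

func main() {
	// "module.js" is a legitimate plugin asset; "../../sdk.ts" is the
	// traversal tail of the request shown on the slide.
	for _, req := range []string{"module.js", "../../sdk.ts"} {
		fmt.Printf("naive: %-14s -> %s\n", req, naiveJoin(pluginDir, req))
		if p, err := safeJoin(pluginDir, req); err != nil {
			fmt.Printf("safe:  %-14s -> rejected: %v\n", req, err)
		} else {
			fmt.Printf("safe:  %-14s -> %s\n", req, p)
		}
	}
}
```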
Apache 2.4.49
Path Traversal / CVE-2021-41773
CVSS Score: 7.5 (High)
Fix Commit
Looks familiar?
It tells us not to use "%2e" or "%2E".
Try it!
/icons/.%2e/conf/httpd.conf
This one, too, is only vulnerable in specific directories.
Apache 2.4.50 (Hmm?)
Path Traversal / CVE-2021-42013
CVSS Score: 9.8 (Critical)
Why?
Let's look at the earlier patch again.
Fix Commit
Now "%" may only be followed by two "[0-9a-f]" characters.
Try it!
/icons/.%%32%65/conf/httpd.conf
Use "%%32%65" to double-encode.
elFinder (zip)
Command Injection / CVE-2021-32682
CVSS Score: 9.8 (Critical)
How to use the zip command
There are more options…
Fix Commit
Prefix file names with "./"
How to run arbitrary code?
We can make use of the "zip -TT" option.
Try it!
(not on the scoring system)
Hint: try "-v hello.zip" as the file name.