<?php
// Challenge source: every request first prints this file's own highlighted source.
highlight_file(__FILE__);

// NOTE(security): each cURL option below, including the destination URL, comes
// straight from the POST body, so the caller decides where this server connects
// and how. That is server-side request forgery by design; the payload noted
// after this script points the request at a service on localhost.
// A hardened version would accept only a URL, validate its host against an
// allowlist (rejecting loopback and internal addresses), pin the schemes with
// CURLOPT_PROTOCOLS / CURLOPT_REDIR_PROTOCOLS, and set every other option itself.
$requestedOptions = $_POST["curl_opt"] ?? null;
if (is_array($requestedOptions)) {
    $handle = curl_init();

    // Option ids and values are applied exactly as received; nothing is filtered.
    foreach ($requestedOptions as $option => $setting) {
        curl_setopt($handle, $option, $setting);
    }

    // Without CURLOPT_RETURNTRANSFER curl_exec() writes the body itself and
    // returns a bool; either way the result is echoed back to the client.
    $response = curl_exec($handle);
    curl_close($handle);
    echo $response;
}
?>
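payload: http://localhost/;Evil
绕过 if (path.startsWith("/Evil")):该检查针对的是 request.getRequestURI() 返回的原始请求 URI(未经规范化,包含 `;` 路径参数),而 "/;Evil" 并不以 "/Evil" 开头,所以前缀判断不会拦截这个请求。防御上不应在处理方法内用原始 URI 的前缀做访问控制,而应在框架层对规范化后的路径做校验。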
/**
 * Handler mapped to "/Evil": rejects requests whose raw URI starts with "/Evil",
 * otherwise Base64-decodes the "base" parameter and deserializes it.
 *
 * NOTE(review): the guard compares the value of getRequestURI(), which is the
 * request URI as sent rather than the path the framework matched, so a string
 * prefix test on it is not a reliable access control. Enforce access at the
 * framework/security layer instead.
 *
 * NOTE(review): readObject() runs on bytes supplied by the request. Whether
 * EInputStream restricts the classes it will resolve is not visible here;
 * unless it enforces a strict allowlist (for example through
 * java.io.ObjectInputFilter), this is deserialization of untrusted data.
 *
 * @return "nonono!!!" when the prefix check matches, otherwise "OK"
 * @throws IOException if the stream cannot be read
 * @throws ClassNotFoundException if a serialized class cannot be resolved
 */
@ResponseBody
@RequestMapping({"/Evil"})
public String Evil(HttpServletRequest request, HttpServletResponse response) throws IOException, ClassNotFoundException {
    String requestUri = request.getRequestURI();
    if (requestUri.startsWith("/Evil")) {
        return "nonono!!!";
    }

    // A missing "base" parameter reaches decode() as null and throws NullPointerException.
    String encoded = request.getParameter("base");
    byte[] serialized = Base64.getDecoder().decode(encoded);

    EInputStream objectStream = new EInputStream(new ByteArrayInputStream(serialized));
    // The deserialized object is discarded; only the side effects of readObject() matter.
    objectStream.readObject();
    return "OK";
}