Cybersecurity information flow

A clean information-feed tool focused on the everyday happenings of the security community, surfacing quality content for security researchers every day.


Recent updates
Time Source
2024-05-06 10:13 Butian Community
Analysis of the Yonyou NC runStateServlet injection vulnerability
2024-05-06 10:13 freebuf
During actual reproduction I ran into many problems; the key is to exploit the difference in how the front-end and back-end servers handle the packet.
2024-05-06 09:53 GitHub watch
Burp helper for manual fastjson detection
2024-05-06 09:53 Xianzhi Community
2024-05-06 09:33 Xianzhi Community
2024-05-06 09:23 starlabs
Earlier this year, in mid-January, you might have come across this security announcement by GitHub. In this article, I will unveil the shocking story of how I discovered CVE-2024-0200, a deceptively simple, one-liner vulnerability which I initially assessed to likely be of low impact, and how I turned it into one of the most impactful bugs in GitHub’s bug bounty history. Spoiler: The vulnerability enabled disclosure of all environment variables of a production container on GitHub.
2024-05-06 09:22 SkullSecurity
This is a write-up for turing-complete, turing-incomplete, and turing-incomplete64 from the BSides San Francisco 2024 CTF!
turing-complete is a 101-level reversing challenge, and turing-incomplete is a much more difficult exploitation challenge with a very similar structure. turing-incomplete64 is a 64-bit version of turing-incomplete, which isn’t necessarily harder, but is different.
Let’s look at the levels!
turing-complete
My ideas doc said “Turing Machine?” from a long time ago. I don’t really remember what I was thinking, but what I decided was to make a simple reversing challenge with a finite tape and 4 operations - go left, go right, read, and write. All commands and responses are binary (1s and 0s), which is hinted at by the instructions being a series of binary bits.
The actual main loop, in C, is quite simple:
uint8_t tape[128]; // ...write the flag to the tape... for(;;) { uint8_t a = r(); if(a == 2) break; uint8_t b = r(); if(b == 2) break; if(a == 0 && b == 0) { ptr++; } else if(a == 0 && b == 1
2024-05-06 09:21 SkullSecurity
Slay the Spider is a Minesweeper-like game where the user and computer try to uncover a spider. The challenge name and trappings are based on Slay the Spire, which is one of my favourite games.
When you start the game, there are several different enemy AI options:
1: The Angry One - Plays at Random 2: Cheater Mc Cheaterly - Knows the best places to play 3: Smartypants - Uses magical super AI for the best chance of winning 4: Captain Fastidious - Is sure that playing left to right is best
Those are loosely based on the classes from Slay the Spire.
The third - Smartypants - is the key. It chooses the target square based on a silly algorithm:
case AI_SMART: // Picks the average of the human move and the last computer move move.row = (human_move.row + last_computer_move.row) / 2; move.col = (human_move.col + last_computer_move.col) / 2;
The problem is that the human_move.row and human_move.col are set even when the move is invalid:
static move_t do_human_turn(game_t *game) { move_t move; printf("It's your (human) 
2024-05-06 09:20 SkullSecurity
This is a write-up for Safer Streets. I apparently wrote this in more “note to self” style, not blog style, so enjoy!
First, browse the application. You should be able to create an error:
$ curl 'http://localhost:8080/display?name=test' Error in script /app/server.rb: No such file or directory @ rb_sysopen - /app/data/test
Note that it has an image/jpeg content-type, so it might confuse the browser.
That issue grants access to two primitives:
a) Read any file via path traversal
b) The full path to the server
For example:
$ curl -s 'http://localhost:8080/display?name=../server.rb' | head -n20 require 'json' require 'sinatra' require 'pp' require 'singlogger' require 'open3' ::SingLogger.set_level_from_string(level: ENV['log_level'] || 'debug') LOGGER = ::SingLogger.instance() # Ideally, we set all these in the Dockerfile set :bind, ENV['HOST'] || '0.0.0.0' set :port, ENV['PORT'] || '8080' SAFER_STREETS_PATH = ENV['SAFER_STREETS'] || '/app/safer-streets' SCRIPT = File.expand_path(__FILE__) LOGGER.info("Checking for
2024-05-06 09:19 SkullSecurity
No Tools is a fairly simple terminal challenge, something for new players to chew on.
I suspect there are several different ways to solve it, but the basic idea is to read a file using only built-in functions from sh.
I personally solved it with the read built-in:
$ read FLAG < /home/ctf/flag.txt && echo $FLAG CTF{where-are-my-tools}
Another solution that my co-organizer developed used exec:
$ exec < /home/ctf/flag.txt $ /bin/sh: 2: CTF{where-are-my-tools}: not found
2024-05-06 09:19 SkullSecurity
The premise of the three challenges cant-give-in, cant-give-in-secure, and cant-give-in-securer is to learn how to exploit and debug compiled code that’s loaded as a CGI module. You might think that’s unlikely, but a surprising number of enterprise applications (usually hardware stuff - firewalls, network “security” appliances, stuff like that) are powered by CGI scripts. You never know!
This challenge was inspired by one of my co-workers at GreyNoise asking how to debug a CGI script. I thought it’d be cool to make a multi-challenge series in case others didn’t know!
This write-up is intended to be fairly detailed, to help new players understand their first stack overflow!
Part 1: cant-give-in
The vulnerability
First, let’s look at the vuln! All three challenges have pretty similar vulnerabilities, but here’s what the first looks like:
char *strlength = getenv("CONTENT_LENGTH"); if(!strlength) { printf("ERROR: Please send data!"); exit(0); } int length = atoi(strlength); read(fileno(stdin), data, length); if(
2024-05-06 09:14 Blog on STAR Labs
Earlier this year, in mid-January, you might have come across this security announcement by GitHub. In this article, I will unveil the shocking story of how I discovered CVE-2024-0200, a deceptively simple, one-liner vulnerability which I initially assessed to likely be of low impact, and how I turned it into one of the most impactful bugs in GitHub’s bug bounty history. Spoiler: The vulnerability enabled disclosure of all environment variables of a production container on GitHub.
2024-05-06 09:13 Butian Community
Using yakit's hot-reload magic methods to implement CAPTCHA recognition in the webfuzzer feature.
2024-05-06 09:13 GitHub watch
PPPwn - PlayStation 4 PPPoE RCE
2024-05-06 09:13 freebuf
PSTI explicitly prohibits weak or easily guessed default passwords such as "admin" or "12345", and also requires manufacturers to publish contact details so that users can report vulnerabilities.
2024-05-06 08:13 GitHub watch
Deep Reinforcement Learning: Zero to Hero!
2024-05-06 08:13 freebuf
2024-05-06 05:17 CXSECURITY Database RSS Feed -
Topic: Kobiz Design - Blind Sql Injection Risk: Medium Text:********************************************************* #Exploit Title: Kobiz Design - Blind Sql Injection #Date: 2024-05-0...
2024-05-06 05:17 CXSECURITY Database RSS Feed -
Topic: Oracuz - Blind Sql Injection Risk: Medium Text:********************************************************* #Exploit Title: Oracuz - Blind Sql Injection #Date: 2024-05-03 #Ex...
2024-05-06 05:17 CXSECURITY Database RSS Feed -
Topic: htmlLawed 1.2.5 Remote Command Execution Risk: High Text:#!/bin/bash # Exploit Title: htmlLawed < = 1.2.5 - Remote Code Execution # Date: 2024-05-02 # Exploit Author: Miguel Redo...
2024-05-06 04:33 GitHub watch
Okta Verify and Okta FastPass Abuse Tool
2024-05-06 04:14 Github_POC
Clario through 2024-04-11 for Desktop has weak permissions for %PROGRAMDATA%\Clario and tries to load DLLs from there as SYSTEM.
[GitHub] Clario through 2024-04-11 for Windows Desktop has weak permissions for %PROGRAMDATA%\Clario and tries to load DLLs from there as SYSTEM.
2024-05-06 03:43 Github_POC
Versions of the package tough-cookie before 4.1.3 are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in rejectPublicSuffixes=false mode. This issue arises from the manner in which the objects are initialized.
[GitHub] The Fix open source package uses tough-cookie 2.5.0 to process its clients' cookies. Unfortunately, it is affected by CVE-2023-26136.
2024-05-06 00:13 SecWiki Weekly
Summary of open-source projects on large-model (LLM) security https://mp.weixin.qq.com/s/ofMytXbFEhkaCDQWQy0KqA
2024-05-05 21:13 GitHub watch
Specific C2 Detection Tool Written To Detect C2 Servers From Rhadamanthys Stealer Malware.
2024-05-05 20:33 GitHub watch
A .NET Runtime for Cobalt Strike's Beacon Object Files
2024-05-05 20:33 GitHub watch