cmseasy v7.7.7.7 (20230520) Path Traversal

ppk published on 2023-06-06

Product

cmseasy v7.7.7.7 20230520

Official site

https://www.cmseasy.cn/

Exp

In lib/admin/language_admin.php, the method add_action:

php

LineCTF 2023 - web (partial)

ppk published on 2023-03-27

to be continued…

Old Pal

Just an appetizer.

Input a password to make the expression eval to true and pass filters.

perl

hxp ctf 2022 (2023): true_web_assembly

ppk published on 2023-03-13

Challenge description

https://board.asm32.info/asmbb-v2-9-has-been-released.328/

From the post:

“AsmBB is very secure web application, because of the internal design and the reduced dependencies. But it also supports encrypted databases, for even higher security.”

“Download, install and hack”

Yes

Goal is to get the admin to visit a page on the forum, HACK-HACK-HACK, /readflag will print out the flag.

Please don’t submit too many requests or try to abuse anything with the setup.

Linux Service Unit File Format

ppk published on 2023-01-09

References

https://www.digitalocean.com/community/tutorials/understanding-systemd-units-and-unit-files

[Unit] Section

Description=

just description

Documentation=

ususlly a link to the official website

Requires=

lists any units upon which this unit essentially depends
the current unit starts when the required units are actived successfully
required units are started in parallel by default

Wants=

similar to Requires=, but less strict
The systemd will attempt to start any units listed by Wants= when the current unit is actived. If wanted units are not found or failed to start, the current unit will continue to function.
Wanted units are started in parallel unless modified by other directives.

BindsTo=

Hitcon2022

ppk published on 2022-11-29

secure paste

题面是一个端到端加密的 pastebin，key 在前端生成不走后端，访问的时候放在 hash 里，flag 的 url 是可以直接拿到的，但是没有key。

在访问提供的 url 之前，bot 会先把 flag 的 url 带上 key 访问一遍，然后直接page.goto，所以 key 应该是要用 history.back 拿到。

首先是一个显而易见的注入，在 paste.ejs 里

js

SECCON2022 Quals

ppk published on 2022-11-17

写在前面

未完待续…

piyosay

主要逻辑为把message参数和emoji参数处理之后放到一个p标签里：

js

Python Socket Programming

ppk published on 2021-12-07

How to build socket server and socket client by python?

The first think to decide is which protocol to use, TCP or UDP?

The main difference is that TCP is connection-oriented while UDP is connectionless.

In detail, the server or the client must maintain a connection if they use TCP.

How is this reflected in socket programming?

For UDP

For example, if we want to send a message using UDP

python

Python Virtual Environment Mangement

ppk published on 2021-11-16

First, two packages:

bash

pip3 install virtualenv
pip3 install virtualenvwrapper

virtualenv makes one can create new virtual environment conveniently, like:

About RSA

ppk published on 2021-10-30

RSA procedure

choose two primes, $p$ and $q$
calculate $N = p \times q$
calculate $r = φ (N) = φ (p \times q) = (p - 1) (q - 1)$
- $φ$ is the Eular function, $φ (n)$ represents the number of integers prime with $n$
- if $n$ is a prime, then obviously $φ (n) = n - 1$
- $φ (mn) = φ (m) φ (n)$
choose $e$ no more than $N$ and prime with $r$
calculate $d$ such that $e d \equiv 1 mod r$
then $(e, N)$ is public key and $(d, N)$ is private key
don’t forget to destroy $p$ and $q$

Now Alice wants to send some message to Bob.

外部排序

ppk published on 2021-08-20

一般讨论的排序都是内部排序，所谓外部和内部，是针对排序时的条件而言的，内部指所有的数据都可以直接拿到，而外部就是每次只能拿到一部分数据，最典型的现实场景

对数组进行排序，整个数组当然都是在内存里的，可以直接拿到
而对磁盘数据（比如文件）进行排序，要先把数据读进内存，而且限于内存的大小，内存中在某一时刻只能有一部分数据

外部排序的限制在于从磁盘读数据是一件很麻烦的事情，因为在磁盘上的数据存储并不是和在内存中那样是连续的，有个地址就可以直接访问，而是分散的，而且每次找一个数据都得寻道，旋转，再数据传输，排序的结果还得再写回磁盘，实际磁盘I/O的时间会远超在内存上操作的时间，所以要尽可能减少对磁盘的访问，I/O次数也成为外部排序时主要考虑的代价

这时候可以选什么排序算法来进行外部排序呢，很明显，选择排序，冒泡排序，这种每一趟都得把数据基本过一遍的算法是不行的，实际上可以想到，归并排序是个不错的选择

例如，一个有2000个记录的文件，每个磁盘块可以容纳125个记录，首先通过8次内部排序得到8个初始归并段R1到R8，每个段有250个记录，然后对该文件做两两归并，直至得到一个有序的文件

把内存分出三个缓冲区，两个输入一个输出，从R1和R2分别读一个磁盘块到输入缓冲区，归并到输出缓冲区，钥匙其中一个缓冲区空了就再读一个，然后把输出写到磁盘，再归并R3和R4，R5和R6，R7和R8，分别得到R1’-R4'

text