SQL Injection is a kind of vulnerability that allows attackers to insert some codes into original SQL statements to trigger some evil function, such as dumping the database or writing
[……]
Note for GraphQL
This is a rough translation from one article on my old Chinese blog. The original one was written on Sept. 19th, 2017. Last weekend, when I was playing a CTF game, I got an interesting challenge about GraphQL. That was my first time to see GraphQL. At that time, I spent some time on Google, trying to get more detail about it, but finally found a few things impressive. This time, I took a twice look at it. Although it may lack some depth, it is enough to be a note.
[……]
针对REST API的Web应用防火墙
前言
个人毕业设计,挺水的。本来想好好弄,把防火墙和机器学习综合一下,结果学校突然通知提前一个月验收,只好匆匆完成,不过最后答辩老师的评价还挺不错,大概是没有细看吧。总之是让大家见笑了。
[……]
Pwn-RET Address Overwrite
Last week, I saw a challenge of pwn. The source code has been provided, and what you are asked to do is to pwn the vulnerable program.
[……]
全国大学生信息安全竞赛线下赛-Web-Writeup
第九届全国大学生信息安全竞赛 Web攻防
比赛是8月中旬在上海进行的。这套源码一共发现了一个注入和一个后门。其实当时本来很早挖出了后门,但是补的第一波莫名其妙就把服务弄挂了,所以一直没补成,被打到最后还有两个小时,又试了一下,莫名其妙的这次就行了。
[……]
南邮CTF-综合题2-writeup
GDT和LDT的区别与联系
Injection Without Knowing the Column Names
Just discover a SQL injection point, but fail to know the column names? Stumble against the Access database or MySQL 4.0 database? Do not worry, here I am gonna share a method to dump the database even without knowing column names.
[……]