GSBP0
diff --git a/‎content/post/d3ctf2025.md‎
Lines changed: 180 additions & 1 deletion b/‎content/post/d3ctf2025.md‎
Lines changed: 180 additions & 1 deletion
diff --git a/‎public/categories/index.xml‎
Lines changed: 9 additions & 9 deletions b/‎public/categories/index.xml‎
Lines changed: 9 additions & 9 deletions
diff --git a/‎public/categories/java安全/index.html‎
Lines changed: 10 additions & 10 deletions b/‎public/categories/java安全/index.html‎
Lines changed: 10 additions & 10 deletions
@@ -384,4 +384,183 @@ download_file("flag", "downloaded_example.txt")
 
 ## tidy quic
 
-在写了在写了
+这题考的是http3协议
+
+先分析题目
+
+```
+package main
+
+import (
+	"bytes"
+	"errors"
+	"github.com/libp2p/go-buffer-pool"
+	"github.com/quic-go/quic-go/http3"
+	"io"
+	"log"
+	"net/http"
+)
+
+var p pool.BufferPool
+var ErrWAF = errors.New("WAF")
+
+func main() {
+	go func() {
+		err := http.ListenAndServeTLS(":8088", "./server.crt", "./server.key", &mux{})
+		log.Fatalln(err)
+	}()
+	go func() {
+		err := http3.ListenAndServeQUIC(":8088", "./server.crt", "./server.key", &mux{})
+		log.Fatalln(err)
+	}()
+	select {}
+}
+
+type mux struct {
+}
+
+func (*mux) ServeHTTP(w http.ResponseWriter, r *http.Request) {
+	if r.Method == http.MethodGet {
+		_, _ = w.Write([]byte("Hello D^3CTF 2025,I'm tidy quic in web."))
+		return
+	}
+	if r.Method != http.MethodPost {
+		w.WriteHeader(400)
+		return
+	}
+
+	var buf []byte
+	length := int(r.ContentLength)
+	if length == -1 {
+		var err error
+		buf, err = io.ReadAll(textInterrupterWrap(r.Body))
+		if err != nil {
+			if errors.Is(err, ErrWAF) {
+				w.WriteHeader(400)
+				_, _ = w.Write([]byte("WAF"))
+			} else {
+				w.WriteHeader(500)
+				_, _ = w.Write([]byte("error"))
+			}
+			return
+		}
+	} else {
+		buf = p.Get(length)
+		defer p.Put(buf)
+		rd := textInterrupterWrap(r.Body)
+		i := 0
+		for {
+			n, err := rd.Read(buf[i:])
+			if err != nil {
+				if errors.Is(err, io.EOF) {
+					break
+				} else if errors.Is(err, ErrWAF) {
+					w.WriteHeader(400)
+					_, _ = w.Write([]byte("WAF"))
+					return
+				} else {
+					w.WriteHeader(500)
+					_, _ = w.Write([]byte("error"))
+					return
+				}
+			}
+			i += n
+		}
+	} 
+	if !bytes.HasPrefix(buf, []byte("I want")) {
+		_, _ = w.Write([]byte("Sorry I'm not clear what you want."))
+		return
+	}
+	item := bytes.TrimSpace(bytes.TrimPrefix(buf, []byte("I want")))
+	if bytes.Equal(item, []byte("flag")) {
+		_, _ = w.Write([]byte("flfag{test}"))
+	} else {
+		_, _ = w.Write(item)
+	}
+}
+
+type wrap struct {
+	io.ReadCloser
+	ban []byte
+	idx int
+}
+
+func (w *wrap) Read(p []byte) (int, error) {
+	n, err := w.ReadCloser.Read(p)
+	if err != nil && !errors.Is(err, io.EOF) {
+		return n, err
+	}
+	for i := 0; i < n; i++ {
+		if p[i] == w.ban[w.idx] {
+			w.idx++
+			if w.idx == len(w.ban) {
+				return n, ErrWAF
+			}
+		} else {
+			w.idx = 0
+		}
+	}
+	return n, err
+}
+
+func textInterrupterWrap(rc io.ReadCloser) io.ReadCloser {
+	return &wrap{
+		rc, []byte("flag"), 0,
+	}
+}
+```
+
+我们在go中的题目主要要关注的点就是在于题目中的全局变量，这差不多是经验之谈了hh
+
+所以我们可以看到题目中的`var p pool.BufferPool`，一个缓冲池
+
+在http通信中，如果`Content-Length!=-1`(即没写CL头)，则不会调用缓冲区来读取数据，反之则会使用
+
+```
+		buf = p.Get(length)
+		defer p.Put(buf)
+```
+
+这里主要在于`defer p.Put(buf)`，观察代码上下文也没有对已经写入了body数据的buf缓冲区进行重置清零的操作，而是直接将她放回的缓冲池,这就会导致缓冲池会出现一个被污染的状态，下一次从缓冲池中取出缓冲区也会受到这些数据的影响
+
+第一次
+
+![image-20250602150550525](https://tuchuang-1322176132.cos.ap-chengdu.myqcloud.com//imgimage-20250602150550525.png)
+
+第二次
+
+![image-20250602150620439](https://tuchuang-1322176132.cos.ap-chengdu.myqcloud.com//imgimage-20250602150620439.png)
+
+所以我们现在的想法就是，让上次的buf影响到下次的结果
+
+我们可以让第一次的数据为a bcde flag 第二次的为i want，这样在被污染过后就会成为i want flag，注意这里两次的请求的Content-Length都要为11，即使第二次只post了6个数据，否则取不到对应长度的buf
+
+接下来的操作体现了http3和http2的区别
+
+http2
+
+省略了前面post i want flag的一步
+
+![image-20250602151342432](https://tuchuang-1322176132.cos.ap-chengdu.myqcloud.com//imgimage-20250602151342432.png)
+
+![image-20250602151408560](https://tuchuang-1322176132.cos.ap-chengdu.myqcloud.com//imgimage-20250602151408560.png)
+
+结果在读取我们post的10个数据之后，读取行为并没结束，http2还在等待剩下的一位继续输入而并没有发送eof结束
+
+![image-20250602151504499](https://tuchuang-1322176132.cos.ap-chengdu.myqcloud.com//imgimage-20250602151504499.png)
+
+http3
+
+![image-20250602151644729](https://tuchuang-1322176132.cos.ap-chengdu.myqcloud.com//imgimage-20250602151644729.png)
+
+结果http3在一次读取之后就到了eof结束的地方
+
+![image-20250602151732504](https://tuchuang-1322176132.cos.ap-chengdu.myqcloud.com//imgimage-20250602151732504.png)
+
+![image-20250602151855662](https://tuchuang-1322176132.cos.ap-chengdu.myqcloud.com//imgimage-20250602151855662.png)
+
+
+
+这里体现出来http2和http3的区别：http2在Content-Length比body实际长度大时，会等待一会儿的输入，来使两者相等，而http3则会更精准的检测出body的实际长度并且在body发送完毕之后迅速的发送结束流，也可以说是quic不会根据http请求包中的Content-Length来界定body的结束
+
+![image-20250602152322273](https://tuchuang-1322176132.cos.ap-chengdu.myqcloud.com//imgimage-20250602152322273.png)
@@ -6,12 +6,19 @@
     <description>Recent content in Categories on GSBP&#39;s Blog</description>
     <generator>Hugo</generator>
     <language>en-us</language>
-    <lastBuildDate>Thu, 15 May 2025 16:57:31 +0800</lastBuildDate>
+    <lastBuildDate>Sun, 01 Jun 2025 21:00:00 +0800</lastBuildDate>
     <atom:link href="http://localhost:1313/categories/index.xml" rel="self" type="application/rss+xml" />
+    <item>
+      <title>Java安全</title>
+      <link>http://localhost:1313/categories/java%E5%AE%89%E5%85%A8/</link>
+      <pubDate>Sun, 01 Jun 2025 21:00:00 +0800</pubDate>
+      <guid>http://localhost:1313/categories/java%E5%AE%89%E5%85%A8/</guid>
+      <description></description>
+    </item>
     <item>
       <title>WP</title>
       <link>http://localhost:1313/categories/wp/</link>
-      <pubDate>Thu, 15 May 2025 16:57:31 +0800</pubDate>
+      <pubDate>Sun, 01 Jun 2025 21:00:00 +0800</pubDate>
       <guid>http://localhost:1313/categories/wp/</guid>
       <description></description>
     </item>
@@ -22,13 +29,6 @@
       <guid>http://localhost:1313/categories/%E4%BA%91%E5%AE%89%E5%85%A8/</guid>
       <description></description>
     </item>
-    <item>
-      <title>Java安全</title>
-      <link>http://localhost:1313/categories/java%E5%AE%89%E5%85%A8/</link>
-      <pubDate>Mon, 24 Mar 2025 22:00:00 +0800</pubDate>
-      <guid>http://localhost:1313/categories/java%E5%AE%89%E5%85%A8/</guid>
-      <description></description>
-    </item>
     <item>
       <title>CVE</title>
       <link>http://localhost:1313/categories/cve/</link>
 
@@ -146,49 +146,49 @@ <h2 class="archive-title">Category: Java安全</h2>
 
 
         <article class="archive-item">
-            <a href="http://localhost:1313/post/%E8%BD%AF%E4%BB%B6%E6%94%BB%E9%98%B2%E8%B5%9B%E7%8E%B0%E5%9C%BA%E8%B5%9B%E4%B8%8A%E5%AF%B9justdeserialize%E6%94%BB%E5%87%BB%E7%9A%84%E5%87%A0%E6%AC%A1%E5%B0%9D%E8%AF%95/" class="archive-item-link hover-underline-animation">软件攻防赛现场赛上对justDeserialize攻击的几次尝试</a>
+            <a href="http://localhost:1313/post/d3ctf2025/" class="archive-item-link hover-underline-animation">D3CTF 2025-WP</a>
             <span class="archive-item-date">
-                March 24, 2025
+                June 1, 2025
             </span>
 
         </article>
 
 
 
         <article class="archive-item">
-            <a href="http://localhost:1313/post/tomcatcve-2025-24813%E5%A4%8D%E7%8E%B0%E5%8F%8A%E5%8E%9F%E7%90%86%E5%88%86%E6%9E%90/" class="archive-item-link hover-underline-animation">[Tomcat]CVE-2025-24813复现及原理分析</a>
+            <a href="http://localhost:1313/post/%E8%BD%AF%E4%BB%B6%E6%94%BB%E9%98%B2%E8%B5%9B%E7%8E%B0%E5%9C%BA%E8%B5%9B%E4%B8%8A%E5%AF%B9justdeserialize%E6%94%BB%E5%87%BB%E7%9A%84%E5%87%A0%E6%AC%A1%E5%B0%9D%E8%AF%95/" class="archive-item-link hover-underline-animation">软件攻防赛现场赛上对justDeserialize攻击的几次尝试</a>
             <span class="archive-item-date">
-                March 12, 2025
+                March 24, 2025
             </span>
 
         </article>
 
 
 
         <article class="archive-item">
-            <a href="http://localhost:1313/post/springaop/" class="archive-item-link hover-underline-animation">SpringAOP链学习</a>
+            <a href="http://localhost:1313/post/tomcatcve-2025-24813%E5%A4%8D%E7%8E%B0%E5%8F%8A%E5%8E%9F%E7%90%86%E5%88%86%E6%9E%90/" class="archive-item-link hover-underline-animation">[Tomcat]CVE-2025-24813复现及原理分析</a>
             <span class="archive-item-date">
-                January 23, 2025
+                March 12, 2025
             </span>
 
         </article>
 
 
 
         <article class="archive-item">
-            <a href="http://localhost:1313/post/jdk17%E6%89%93jackson&#43;ldapattruibute%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96/" class="archive-item-link hover-underline-animation">JDK17打Jackson&#43;LdapAttruibute反序列化</a>
+            <a href="http://localhost:1313/post/springaop/" class="archive-item-link hover-underline-animation">SpringAOP链学习</a>
             <span class="archive-item-date">
-                January 20, 2025
+                January 23, 2025
             </span>
 
         </article>
 
 
 
         <article class="archive-item">
-            <a href="http://localhost:1313/post/d3ctf2025/" class="archive-item-link hover-underline-animation">D3CTF 2025-WP</a>
+            <a href="http://localhost:1313/post/jdk17%E6%89%93jackson&#43;ldapattruibute%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96/" class="archive-item-link hover-underline-animation">JDK17打Jackson&#43;LdapAttruibute反序列化</a>
             <span class="archive-item-date">
-                January 1, 0001
+                January 20, 2025
             </span>
 
         </article>