content/post/[2025]N1CTF WP for n1cat,eezzjs.md
4 additions & 4 deletions
@@ -86,11 +86,11 @@ when you submit `?templ=abc.ddw`,it would try to require ddw modules. It gives u
But we couldn't create dir or `js` file.How do we attack?
-
In [documents]("https://nodejs.org/api/modules.html") we could know
+
In [documents](https://nodejs.org/api/modules.html) we could know
> If the exact filename is not found, then Node.js will attempt to load the required filename with the added extensions: `.js`, `.json`, and finally `.node`. When loading a file that has a different extension (e.g. `.cjs`), its full name must be passed to `require()`, including its file extension (e.g. `require('./file.cjs')`).
-
So we could use `.node` file to finish our attack,[My exploit]("https://github.com/Nu1LCTF/n1ctf-2025/tree/main/web/eezzjs/solution")
+
So we could use `.node` file to finish our attack,[My exploit](https://github.com/Nu1LCTF/n1ctf-2025/tree/main/web/eezzjs/solution)
At last, i felt sorry for this challenge really has some issues,and there many unexpected solutions can solve this challenge that could use simply `../` or `./` bypass my ez waf haha.
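Review bot: the two link fixes in this hunk (the `documents` link to the Node.js modules page and the `My exploit` link) are correct: written as `]("https://nodejs.org/api/modules.html")`, the quotes become part of the Markdown link destination and the rendered link points at a non-existent URL, so dropping them is the right change. Because every link in the original file appears to have used the same `]("...")` form, it is worth searching the rest of the file for `](\"` so that any occurrence this commit does not touch is fixed in the same pass.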
@@ -167,9 +167,9 @@ You could directly find a JNDI Injection vuln. Now first step is over.
The second step is try to use this vulnerability to get an rce.JDK version is 17,many ways of JNDI attack might not working.I uses RMI communicate deserialize(Communication between the RMI server and RMI client employs serialisation and deserialisation).About deserialize chains,we uses Jackson+SpringAOP to solve this (You could find `Jackson` dependence in `welcomeServlet`,`SpringAOP`dependence and version could use `CVE-2025-55752` to detect).
-
About this chains analysis,could see [this]("https://fushuling.com/index.php/2025/08/21/%e9%ab%98%e7%89%88%e6%9c%acjdk%e4%b8%8b%e7%9a%84spring%e5%8e%9f%e7%94%9f%e5%8f%8d%e5%ba%8f%e5%88%97%e5%8c%96%e9%93%be/")
+
About this chains analysis,could see [this](https://fushuling.com/index.php/2025/08/21/%e9%ab%98%e7%89%88%e6%9c%acjdk%e4%b8%8b%e7%9a%84spring%e5%8e%9f%e7%94%9f%e5%8f%8d%e5%ba%8f%e5%88%97%e5%8c%96%e9%93%be/)
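Review bot: the same quote removal fixes the `[this](...)` link correctly; with the quotes left in, the percent-encoded fushuling URL would not have resolved. One style point: `this` is a non-descriptive link text, and since the preceding context line already names the topic, something like `this analysis of the Jackson + Spring AOP chain` would tell the reader where the link leads before they click it.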