d3go write up
Directory traversal to dump the source code

Incorrect use of go embed with `*` results in the source code being packed into the program. Combined with incorrect static file serving, this lets a /../ path list the directory and retrieve the source code.

Gorm soft-delete injection

A code audit found that the administrator account is the first user in the database, and that this user currently cannot log in. For the /register endpoint, the controller uses c.ShouldBindJSON(), and the db layer writes the bound struct directly to the database with db.Save(), so fields of the embedded gorm.Model can be injected. You can therefore construct a payload that injects the deletedat field, so that the original admin is soft-deleted. ...
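The mass-assignment mechanism behind this, as an added example that is not code from the original write-up or from the challenge. It uses only encoding/json (which gin's c.ShouldBindJSON uses for JSON bodies) with a local Model struct that mirrors the field names of gorm.Model; that stand-in, the User struct, the DTO and the request body are all constructed for illustration. Because gorm.Model's fields carry no json tags, encoding/json matches keys case-insensitively, so a client can set ID and DeletedAt on the struct that is later passed to db.Save(); gorm's Save issues an UPDATE when the primary key is non-zero, which is why binding straight into the model is dangerous. The hardened version binds a DTO that only exposes the intended fields.

```go
package main

import (
	"encoding/json"
	"fmt"
	"time"
)

// Model is a constructed stand-in with the same exported field names as gorm.Model
// (ID, CreatedAt, UpdatedAt, DeletedAt) and, like gorm.Model, no json tags.
type Model struct {
	ID        uint
	CreatedAt time.Time
	UpdatedAt time.Time
	DeletedAt *time.Time // gorm treats a non-NULL deleted_at as soft-deleted
}

// User is the shape of a DB model that embeds Model (hypothetical).
type User struct {
	Model
	Username string `json:"username"`
	Password string `json:"password"`
}

// RegisterDTO exposes only the fields a client is allowed to set.
type RegisterDTO struct {
	Username string `json:"username"`
	Password string `json:"password"`
}

// InjectedBody is a constructed request body that smuggles gorm.Model fields.
// Key matching is case-insensitive for untagged fields, so "id" and "deletedAt" bind.
const InjectedBody = `{"username":"attacker","password":"x","id":1,"deletedAt":"2024-01-01T00:00:00Z"}`

// bindVulnerable mirrors binding the JSON body directly into the DB model,
// as c.ShouldBindJSON(&user) followed by db.Save(&user) would.
func bindVulnerable(body []byte) (User, error) {
	var u User
	err := json.Unmarshal(body, &u)
	return u, err
}

// bindSafe binds into a DTO and copies only whitelisted fields into the model.
func bindSafe(body []byte) (User, error) {
	var in RegisterDTO
	if err := json.Unmarshal(body, &in); err != nil {
		return User{}, err
	}
	return User{Username: in.Username, Password: in.Password}, nil
}

// saveWouldUpdateExisting reports whether gorm's Save would UPDATE an existing
// row instead of INSERTing: Save updates when the primary key is non-zero.
func saveWouldUpdateExisting(u User) bool {
	return u.ID != 0
}

func main() {
	v, _ := bindVulnerable([]byte(InjectedBody))
	fmt.Printf("vulnerable bind: ID=%d deleted=%v update=%v\n",
		v.ID, v.DeletedAt != nil, saveWouldUpdateExisting(v))
	s, _ := bindSafe([]byte(InjectedBody))
	fmt.Printf("safe bind:       ID=%d deleted=%v update=%v\n",
		s.ID, s.DeletedAt != nil, saveWouldUpdateExisting(s))
}
```

Run it and the vulnerable bind reports ID=1 with a non-nil DeletedAt, i.e. a Save would overwrite row 1 and mark it soft-deleted, while the DTO path leaves both zero.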