WEB

SQLUP

Opening the challenge gives a login page; judging by the name, the target is SQL injection

Checking the page source reveals a hint prompting the developer to use pattern matching

So I tried using % as a fuzzy (wildcard) match, and the login succeeded

username=admin&password=%

After entering the panel, I found that there is a file upload function

I tried to upload a PHP file, but it was blocked by the WAF: the file name cannot contain the letter p

I then thought of using a .htaccess file to have a gif file parsed as PHP and get a shell

Upload the .htaccess file first, so that 1.gif is parsed as PHP

<FilesMatch '1.gif'>
SetHandler application/x-httpd-php
</FilesMatch>

Then upload the 1.gif file

Then access uploads/1.gif to get a shell, but privileges still need to be escalated to read the flag

Look for a command that can be used to escalate privileges

find / -perm -u=s -type f 2>/dev/null

This shows that the tac command can be used

CandyShop

The source code is as follows

import datetime
import re

from flask import Flask, render_template, render_template_string, request, redirect, url_for, session, make_response
from wtforms import StringField, PasswordField, SubmitField
from wtforms.validators import DataRequired, Length
from flask_wtf import FlaskForm

app = Flask(__name__)

app.config['SECRET_KEY']='
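
The SQLUP login above accepts % as a password because the credential check pattern-matches instead of comparing exactly. The Python sketch below is an added example, not code from the challenge or from the original post; the query shape, the table layout and the sample account are assumptions constructed for illustration. It puts a LIKE-based check beside an exact-match check over a salted hash, and shows wildcard escaping for features that genuinely need LIKE.

```python
import hashlib
import hmac
import os
import sqlite3

def _kdf(password, salt):
    # Salted, slow hash so the stored password is never compared as plain text.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def make_db():
    """Constructed sample data: one account with plain and hashed password columns."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT, "
               "salt BLOB, pw_hash BLOB)")
    salt = os.urandom(16)
    pw = "S3cret-constructed"
    db.execute("INSERT INTO users VALUES (?, ?, ?, ?)", ("admin", pw, salt, _kdf(pw, salt)))
    return db

def login_like(db, username, password):
    """Assumed shape of the flawed check: bound parameters, but compared with LIKE."""
    row = db.execute(
        "SELECT username FROM users WHERE username LIKE ? AND password LIKE ?",
        (username, password)).fetchone()
    return row is not None  # '%' matches every stored password

def login_exact(db, username, password):
    """Hardened: exact-match lookup, then constant-time comparison of the hash."""
    row = db.execute(
        "SELECT salt, pw_hash FROM users WHERE username = ?", (username,)).fetchone()
    if row is None:
        return False
    return hmac.compare_digest(_kdf(password, row[0]), row[1])

def escape_like(term):
    """Neutralise LIKE metacharacters in user input (for search boxes, not logins)."""
    return term.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")

def search_users(db, term):
    """Substring search where a user-supplied % or _ is treated as a literal."""
    rows = db.execute(
        "SELECT username FROM users WHERE username LIKE ? ESCAPE '\\'",
        ("%" + escape_like(term) + "%",))
    return [r[0] for r in rows]
```

Parameter binding alone does not help here: the wildcard is valid data for LIKE, so the fix is the comparison operator and how the password is stored.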
