{"id":372,"date":"2026-02-08T20:45:52","date_gmt":"2026-02-08T12:45:52","guid":{"rendered":"https:\/\/index.cmiteam.cn\/?p=372"},"modified":"2026-02-08T21:02:23","modified_gmt":"2026-02-08T13:02:23","slug":"372","status":"publish","type":"post","link":"https:\/\/index.cmiteam.cn\/index.php\/2026\/02\/08\/372\/","title":{"rendered":"\u843d\u9e21\u5c71\u519c\u5546\u884c CTF WriteUp"},"content":{"rendered":"\n<h1 class=\"wp-block-heading\">\u843d\u9e21\u5c71\u519c\u5546\u884c CTF WriteUp<\/h1>\n\n\n\n<h2 class=\"wp-block-heading\">\u76ee\u6807<\/h2>\n\n\n\n<p>\u4ece\u521d\u59cb\u4f59\u989d $2,000 \u5f00\u59cb\uff0c\u901a\u8fc7\u6316\u6398\u548c\u5229\u7528Web\u5e94\u7528\u6f0f\u6d1e\uff0c\u83b7\u53d6\u5c3d\u53ef\u80fd\u591a\u7684\u8d44\u91d1\u3002<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<p>\u7b2c\u4e00\u7b14\u8d44\u91d1\uff1aXXS\u8ba9\u8001\u5e08\u7ed9\u53d1\u4e861000\uff08\uff09<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">\u4e00\u3001\u4fe1\u606f\u6536\u96c6\u4e0e\u6f0f\u6d1e\u626b\u63cf<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">1.1 \u521d\u59cb\u4fa6\u5bdf<\/h3>\n\n\n\n<p><strong>\u76ee\u6807URL<\/strong>: <code>http:\/\/192.140.176.35:10000<\/code><\/p>\n\n\n\n<p><strong>\u521d\u59cb\u4f1a\u8bdd<\/strong>:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><code>PHPSESSID=5a401e21df548b6e8ca8f69d115a4ce2<\/code><\/li>\n\n\n\n<li>\u521d\u59cb\u4f59\u989d: $1,000<\/li>\n\n\n\n<li>\u7528\u6237\u540d: cmijohnson<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">1.2 \u9875\u9762\u529f\u80fd\u626b\u63cf<\/h3>\n\n\n\n<p>\u901a\u8fc7\u624b\u52a8\u6d4f\u89c8\u548c\u5de5\u5177\u626b\u63cf\uff0c\u53d1\u73b0\u4ee5\u4e0b\u529f\u80fd\u9875\u9762:<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table 
class=\"has-fixed-layout\"><thead><tr><th>\u9875\u9762<\/th><th>\u529f\u80fd<\/th><th>\u53c2\u6570<\/th><\/tr><\/thead><tbody><tr><td>index.php<\/td><td>\u8d26\u6237\u603b\u89c8<\/td><td>-<\/td><\/tr><tr><td>transfer.php<\/td><td>\u8f6c\u8d26\u529f\u80fd<\/td><td>to_user, amount<\/td><\/tr><tr><td>balance_check.php<\/td><td>\u4f59\u989d\u67e5\u8be2<\/td><td>user_id (GET)<\/td><\/tr><tr><td>poverty_relief.php<\/td><td>\u8d44\u91d1\u8865\u52a9\u5165\u53e3<\/td><td>-<\/td><\/tr><tr><td>aid_apply.php<\/td><td>\u8d44\u91d1\u7533\u8bf7<\/td><td>XML (POST)<\/td><\/tr><tr><td>aid_redeem.php<\/td><td>\u8d44\u91d1\u5151\u6362<\/td><td>code (POST)<\/td><\/tr><tr><td>redeem.php<\/td><td>\u5956\u5b66\u91d1\u5151\u6362<\/td><td>code (POST)<\/td><\/tr><tr><td>ranking.php<\/td><td>\u5bcc\u8c6a\u699c<\/td><td>-<\/td><\/tr><tr><td>messages.php<\/td><td>\u7559\u8a00\u677f<\/td><td>content, title (POST)<\/td><\/tr><tr><td>bank_intro.php<\/td><td>\u94f6\u884c\u4ecb\u7ecd<\/td><td>file (GET)<\/td><\/tr><tr><td>ops_tool.php<\/td><td>\u8fd0\u7ef4\u5de5\u5177<\/td><td>target (POST)<\/td><\/tr><tr><td>exchange_x9s8f7.php<\/td><td>\u9690\u85cf\u5151\u6362\u9875<\/td><td>code (POST)<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\">1.3 Cookie\u5206\u6790<\/h3>\n\n\n\n<p>\u5728\u6d4f\u89c8\u5668DevTools\u4e2d\u53d1\u73b0\u91cd\u8981\u7684Cookie\u914d\u7f6e:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">&nbsp;PHPSESSID=5a401e21df548b6e8ca8f69d115a4ce2<br>&nbsp;role=user<\/pre>\n\n\n\n<p><strong>\u53d1\u73b0<\/strong>: <code>role<\/code> cookie\u53ef\u4ee5\u88ab\u5ba2\u6237\u7aef\u4fee\u6539\uff01<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">\u4e8c\u3001\u6f0f\u6d1e\u53d1\u73b0\u4e0e\u5206\u6790<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">2.1 \u8bbf\u95ee\u63a7\u5236\u5931\u6548 (A01:2021)<\/h3>\n\n\n\n<h4 class=\"wp-block-heading\">\u6f0f\u6d1e\u63cf\u8ff0<\/h4>\n\n\n\n<p>\u5e94\u7528\u4f7f\u7528\u5ba2\u6237\u7aefCookie <code>role<\/code> 
\u6765\u5224\u65ad\u7528\u6237\u6743\u9650\uff0c\u5b58\u5728\u4e25\u91cd\u7684\u8bbf\u95ee\u63a7\u5236\u7ed5\u8fc7\u6f0f\u6d1e\u3002\u8be5Cookie\u7684\u503c\u5b8c\u5168\u7531\u5ba2\u6237\u7aef\u63a7\u5236\uff0c\u6743\u9650\u5e94\u7531\u670d\u52a1\u7aef\u4f1a\u8bdd\u51b3\u5b9a\u3002<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">POC<\/h4>\n\n\n\n<pre class=\"wp-block-preformatted\">&nbsp;# \u4fee\u6539Cookie<br>&nbsp;Cookie: PHPSESSID=5a401e21df548b6e8ca8f69d115a4ce2; role=admin<\/pre>\n\n\n\n<h4 class=\"wp-block-heading\">\u5229\u7528\u6548\u679c<\/h4>\n\n\n\n<ul class=\"wp-block-list\">\n<li>\u8bbf\u95ee <code>ops_tool.php<\/code> (\u8fd0\u7ef4\u5de5\u5177)<\/li>\n\n\n\n<li>\u83b7\u5f97\u7ba1\u7406\u5458\u6807\u8bc6<\/li>\n\n\n\n<li>\u53ef\u80fd\u5f71\u54cd\u5176\u4ed6\u6743\u9650\u68c0\u67e5<\/li>\n<\/ul>\n\n\n\n<h4 class=\"wp-block-heading\">\u5229\u7528\u72b6\u6001<\/h4>\n\n\n\n<p>\u2705 <strong>\u6210\u529f\u5229\u7528<\/strong> - \u83b7\u5f97\u7ba1\u7406\u5458\u6743\u9650\u8bbf\u95ee<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/usual-1375058827.cos.ap-shanghai.myqcloud.com\/20260208162327797.png\" alt=\"image-20260208162327637\"\/><\/figure>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\">2.2 \u672c\u5730\u6587\u4ef6\u5305\u542b (LFI)<\/h3>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/usual-1375058827.cos.ap-shanghai.myqcloud.com\/20260208162345483.png\" alt=\"\"\/><\/figure>\n\n\n\n<h4 class=\"wp-block-heading\">\u6f0f\u6d1e\u4f4d\u7f6e<\/h4>\n\n\n\n<p><code>bank_intro.php?file=xxx<\/code><\/p>\n\n\n\n<h4 class=\"wp-block-heading\">\u53d1\u73b0\u8fc7\u7a0b<\/h4>\n\n\n\n<p>\u6d4b\u8bd5\u5e38\u89c1LFI payload:<\/p>\n\n\n\n<div class=\"wp-block-buttons is-layout-flex wp-block-buttons-is-layout-flex\">\n<div class=\"wp-block-button\"><a class=\"wp-block-button__link wp-element-button\" href=\"https:\/\/www.yuque.com\/u2333-ohan5\/yr4n8f\/ymy90nh1xyq7lc1i?singleDoc\" target=\"_blank\"  rel=\"nofollow\" 
>\u9605\u8bfb\u5168\u6587<\/a><\/div>\n<\/div>\n\n\n","protected":false},"excerpt":{"rendered":"<p>\u843d\u9e21\u5c71\u519c\u5546\u884c CTF WriteUp \u76ee\u6807 \u4ece\u521d\u59cb\u4f59\u989d $2,000 \u5f00\u59cb\uff0c\u901a\u8fc7\u6316\u6398\u548c\u5229\u7528Web\u5e94\u7528\u6f0f\u6d1e\uff0c\u83b7\u53d6\u5c3d\u53ef\u80fd\u591a\u7684\u8d44\u91d1\u3002 \u7b2c ...<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"emotion":"","emotion_color":"","title_style":"","license":""},"categories":[1],"tags":[],"class_list":["post-372","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"_links":{"self":[{"href":"https:\/\/index.cmiteam.cn\/index.php\/wp-json\/wp\/v2\/posts\/372","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/index.cmiteam.cn\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/index.cmiteam.cn\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/index.cmiteam.cn\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/index.cmiteam.cn\/index.php\/wp-json\/wp\/v2\/comments?post=372"}],"version-history":[{"count":0,"href":"https:\/\/index.cmiteam.cn\/index.php\/wp-json\/wp\/v2\/posts\/372\/revisions"}],"wp:attachment":[{"href":"https:\/\/index.cmiteam.cn\/index.php\/wp-json\/wp\/v2\/media?parent=372"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/index.cmiteam.cn\/index.php\/wp-json\/wp\/v2\/categories?post=372"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/index.cmiteam.cn\/index.php\/wp-json\/wp\/v2\/tags?post=372"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}