Reminder: This article was last updated at 2026-05-13 23:21. The information in it may have changed since then. Please be aware!
Title
Another Flask challenge. The title page hands out the source code:
    from flask import Flask, request
    import base64
    from lxml import etree
    import re

    app = Flask(__name__)

    @app.route('/')
    def index():
        # the index page serves its own source code
        return open(__file__).read()

    @app.route('/ghctf', methods=['POST'])
    def parse():
        xml = request.form.get('xml')
        print(xml)
        if xml is None:
            return "No System is Safe."
        # DTD loading and entity resolution are both switched on: this is the XXE sink
        parser = etree.XMLParser(load_dtd=True, resolve_entities=True)
        root = etree.fromstring(xml, parser)
        name = root.find('name').text
        return name or None

    if __name__ == "__main__":
        app.run(host='0.0.0.0', port=8080)
Approach
The code is short and clear, and the key point is the /ghctf route. Sending a POST with xml=<some content> hands that content to the parser, which parses it as XML. This is obviously XXE (XML External Entity injection).
So what is XML? It is a markup language used to represent or mark up a class of things. For example, the following marks up a person:
    <person>
        <name value="xiao ming" />
        <age value="13" />
    </person>
Back to the source code, and look at these lines:
    root = etree.fromstring(xml, parser)
    name = root.find('name').text
    return name or None
Our input is parsed as XML and stored in the variable root; the name tag is then looked up in that XML and its value returned. Let's try sending xml=<root><name>xiao ming</name></root>:

The response is xiao ming, the name value we passed in. So can we simply change the value of name to what we want, the flag?
Can XML execute something? resolve_entities=True permits XML entities. Here, an entity is declared with the following tag:
    <!ENTITY xxe SYSTEM "http://baidu.com">
This is equivalent to reading http://baidu.com into the variable xxe. Pseudo-protocols are also supported: change it to file:///etc/passwd and it reads the user file!
Solution
POST the following as the xml parameter:
    <!DOCTYPE x [<!ENTITY flag SYSTEM "file:///flag">]><root><name>&flag;</name></root>
and the flag is echoed back:
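For contrast, here is a hardened version of the parse() handler; this is added here and is not part of the challenge source or the original writeup. It refuses any document that declares a DTD or entity before parsing, and it turns off entity resolution, DTD loading and network access in lxml. The function names and the two sample inputs are my own constructions.

```python
import re

# Constructed sample inputs (not captured from the challenge server).
BENIGN_XML = "<root><name>xiao ming</name></root>"
XXE_XML = ('<!DOCTYPE x [<!ENTITY flag SYSTEM "file:///flag">]>'
           '<root><name>&flag;</name></root>')

# Any DOCTYPE or ENTITY declaration in untrusted input is a red flag for XXE.
_DTD_MARKER = re.compile(rb"<!(?:DOCTYPE|ENTITY)\b", re.IGNORECASE)


def contains_dtd(xml):
    """Return True if the document (str or bytes) declares a DTD or an entity."""
    if isinstance(xml, str):
        xml = xml.encode("utf-8", "surrogateescape")
    return _DTD_MARKER.search(xml) is not None


def hardened_parser():
    """lxml parser with entity resolution, DTD loading and network access off.

    This is the safe counterpart of the challenge's
    etree.XMLParser(load_dtd=True, resolve_entities=True).
    """
    from lxml import etree  # imported lazily so contains_dtd() runs without lxml
    return etree.XMLParser(load_dtd=False, resolve_entities=False,
                           no_network=True, dtd_validation=False)


def extract_name(xml):
    """Hardened replacement for parse(): reject DTDs, then read <name> safely.

    Defence in depth: even if a DTD slipped past the gate, resolve_entities=False
    leaves &flag; unexpanded, so no file contents can reach the response.
    """
    if contains_dtd(xml):
        return None  # refuse the request instead of parsing a DTD-bearing document
    from lxml import etree
    root = etree.fromstring(xml, hardened_parser())
    node = root.find("name")
    return node.text if node is not None else None


if __name__ == "__main__":
    print("XXE payload rejected:", extract_name(XXE_XML) is None)
    print("benign name:", extract_name(BENIGN_XML))
```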
