• [De1CTF 2019]SSRF Me


    0x01

    题目给出了源码,我们看一下源码

    #! /usr/bin/env python
    #encoding=utf-8
    from flask import Flask
    from flask import request
    import socket
    import hashlib
    import urllib
    import sys
    import os
    import json
    # Python 2 only: re-import sys to get setdefaultencoding back, then make
    # implicit str<->unicode coercion use latin1 (presumably so the raw secret
    # bytes below can be concatenated with unicode request data — confirm).
    reload(sys)
    sys.setdefaultencoding('latin1')
    
    app = Flask(__name__)
    
    # 16 random bytes drawn once at import and regenerated on every process
    # start, so issued signs do not survive a restart. Read only by getSign().
    secert_key = os.urandom(16)
    
    
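    class Task:
        """A signed scan/read job, sandboxed under a directory named after the client IP.

        Attributes:
            action: action string from the client; Exec() tests it with
                substring containment against "scan" and "read".
            param: value handed to scan() and covered by the sign.
            sign: client-supplied hex digest compared against getSign().
            sandbox: md5(ip) hex digest, used as the per-address directory name.
        """

        def __init__(self, action, param, sign, ip):
            self.action = action
            self.param = param
            self.sign = sign
            self.sandbox = md5(ip)
            # SandBox For Remote_Addr: one directory per client address.
            # The mkdir is wrapped so two concurrent first requests from the
            # same address do not race between exists() and mkdir().
            if not os.path.exists(self.sandbox):
                try:
                    os.mkdir(self.sandbox)
                except OSError:
                    if not os.path.isdir(self.sandbox):
                        raise

        def Exec(self):
            """Run the action(s) named by self.action and return a result dict.

            Returns:
                dict with 'code' (200 or 500) plus 'data' on success, or a
                "Sign Error" 'msg' when the signature does not match.
            Raises:
                IOError: from the "read" branch when result.txt is absent.
            """
            result = {'code': 500}
            if not self.checkSign():
                result['msg'] = "Sign Error"
                return result
            result_path = "./%s/result.txt" % self.sandbox
            # NOTE: `in` is substring containment, not equality, so one action
            # value can satisfy both branches below; `==` would be stricter.
            if "scan" in self.action:
                # Opened before scan() so the file is truncated even on
                # timeout, as before; `with` closes it on every path (the
                # original leaked the handle on the timeout path).
                with open(result_path, 'w') as tmpfile:
                    resp = scan(self.param)
                    if resp == "Connection Timeout":
                        result['data'] = resp
                    else:
                        print(resp)
                        tmpfile.write(resp)
                result['code'] = 200
            if "read" in self.action:
                with open(result_path, 'r') as f:
                    result['code'] = 200
                    result['data'] = f.read()
            if result['code'] == 500:
                result['data'] = "Action Error"
            return result

        def checkSign(self):
            """Return True when self.sign equals getSign(self.action, self.param).

            Plain `==` is kept for compatibility; a constant-time comparison
            (hmac.compare_digest) is the usual choice for digests.
            """
            return getSign(self.action, self.param) == self.sign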
    
    
    #generate Sign For Action Scan.
    @app.route("/geneSign", methods=['GET', 'POST'])
    def geneSign():
        """Return getSign() for the fixed action "scan" and the unquoted ?param.

        Only the "scan" action can be signed here; the hex digest is written
        straight into the response body.
        """
        raw_param = request.args.get("param", "")
        return getSign("scan", urllib.unquote(raw_param))
    
    
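    @app.route('/De1ta',methods=['GET','POST'])
    def challenge():
        """Run a signed scan/read Task for the calling address and return JSON.

        action and sign come from cookies, param from the query string; all
        three are URL-unquoted once more on top of the framework's decoding.
        A missing cookie now defaults to "" (the original passed None to
        urllib.unquote, which raised) so it fails in checkSign() with a
        "Sign Error" response instead of an unhandled exception.

        Returns:
            "No Hacker!!!!" when waf() rejects param, else json.dumps(Task.Exec()).
        """
        action = urllib.unquote(request.cookies.get("action", ""))
        param = urllib.unquote(request.args.get("param", ""))
        sign = urllib.unquote(request.cookies.get("sign", ""))
        ip = request.remote_addr
        # waf() inspects only param; action and sign are checked inside Task.
        if waf(param):
            return "No Hacker!!!!"
        task = Task(action, param, sign, ip)
        return json.dumps(task.Exec())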
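    @app.route('/')
    def index():
        """Serve the challenge source from code.txt; `with` closes the handle the original leaked."""
        with open("code.txt", "r") as src:
            return src.read()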
    
    
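    def scan(param):
        """Fetch param with urllib.urlopen and return at most its first 50 bytes.

        Any failure (unreachable host, bad URL, timeout, ...) is reported as
        the string "Connection Timeout". The handler is narrowed from a bare
        except to Exception so SystemExit and KeyboardInterrupt are no longer
        swallowed.

        Note: setdefaulttimeout() is process-global and applies to every socket
        created afterwards, not just this request. urlopen() follows whatever
        scheme param names; the only filtering is the prefix check in waf().
        """
        socket.setdefaulttimeout(1)
        try:
            return urllib.urlopen(param).read()[:50]
        except Exception:
            return "Connection Timeout"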
    
    
    
    def getSign(action, param):
        """Hex MD5 of secert_key + param + action, the sign Task.checkSign expects.

        NOTE(review): a secret-prefix MD5 over an undelimited concatenation is
        not an HMAC; hmac.new() over delimited fields is the standard
        construction for request signing.
        """
        digest = hashlib.md5()
        digest.update(secert_key + param + action)
        return digest.hexdigest()
    
    
    def md5(content):
        """Return the hex MD5 digest of content (used to name sandbox directories)."""
        hasher = hashlib.md5()
        hasher.update(content)
        return hasher.hexdigest()
    
    
    def waf(param):
        """Return True when param, stripped and lowercased, starts with "gopher" or "file".

        This is a denylist of two URL-scheme prefixes rather than a scheme
        allowlist; anything else is handed to scan() unchanged.
        """
        normalised = param.strip().lower()
        return normalised.startswith(("gopher", "file"))
    
    
    if __name__ == '__main__':
        # Debug mode is off (no Werkzeug debugger); the app still binds every
        # interface, so any host that can reach this machine can reach /De1ta.
        app.debug = False
        app.run(host='0.0.0.0')
    
    

    我们发现 Exec 中有 scan 和 read 两个操作,分别用于抓取并保存、以及读取结果文件,那看来我们要是想读取 flag.txt 文件,就需要利用这个函数

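    @app.route('/De1ta',methods=['GET','POST'])
    def challenge():
        """Run a signed scan/read Task for the calling address and return JSON.

        action and sign come from cookies, param from the query string; all
        three are URL-unquoted once more on top of the framework's decoding.
        A missing cookie now defaults to "" (the original passed None to
        urllib.unquote, which raised) so it fails in checkSign() with a
        "Sign Error" response instead of an unhandled exception.

        Returns:
            "No Hacker!!!!" when waf() rejects param, else json.dumps(Task.Exec()).
        """
        action = urllib.unquote(request.cookies.get("action", ""))
        param = urllib.unquote(request.args.get("param", ""))
        sign = urllib.unquote(request.cookies.get("sign", ""))
        ip = request.remote_addr
        # waf() inspects only param; action and sign are checked inside Task.
        if waf(param):
            return "No Hacker!!!!"
        task = Task(action, param, sign, ip)
        return json.dumps(task.Exec())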
    

    在这段代码中,我们知道构造 Task 时传入的参数有 action、param、sign 三个,其中 action 和 sign 从 cookie 中获取,param 从 URL 参数中获取,然后调用 Task 类并返回执行 Exec 函数后的结果

    那么action即要执行的操作,这个好说,就是scan和read,那么sign如何得到呢?

    #generate Sign For Action Scan.
    @app.route("/geneSign", methods=['GET', 'POST'])
    def geneSign():
        """Return getSign() for the fixed action "scan" and the unquoted ?param.

        Only the "scan" action can be signed here; the hex digest is written
        straight into the response body.
        """
        raw_param = request.args.get("param", "")
        return getSign("scan", urllib.unquote(raw_param))
    

    在源码中人家也给出了相应的注释,这段代码就是生成sign的,我们只需要访问/geneSign页面,然后传入相应参数即可获得sign

    0x02

    首先获取读取 flag.txt 的 sign,这里的 flag.txt 是题目在最开始就给出的 hint

    然后我们访问/De1ta页面,传入参数读取flag,如下操作

    拿到flag

    总结

    本题考察的就是代码审计,考察参数的传入和调用。

  • 原文地址:https://www.cnblogs.com/Jleixin/p/13300459.html