De1CTF Ssrfme 详解
由于比赛期间去培训了,没有参加比赛,复盘一下
FLASK框架
http://139.180.128.86/
一上来给了源码
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111
|
from flask import Flask from flask import request import socket import hashlib import urllib import sys import os import json reload(sys) sys.setdefaultencoding('latin1')
app = Flask(__name__)
secert_key = os.urandom(16)
class Task: def __init__(self, action, param, sign, ip): self.action = action self.param = param self.sign = sign self.sandbox = md5(ip) if(not os.path.exists(self.sandbox)): os.mkdir(self.sandbox)
def Exec(self): result = {} result['code'] = 500 if (self.checkSign()): if "scan" in self.action: tmpfile = open("./%s/result.txt" % self.sandbox, 'w') resp = scan(self.param) if (resp == "Connection Timeout"): result['data'] = resp else: print resp tmpfile.write(resp) tmpfile.close() result['code'] = 200 if "read" in self.action: f = open("./%s/result.txt" % self.sandbox, 'r') result['code'] = 200 result['data'] = f.read() if result['code'] == 500: result['data'] = "Action Error" else: result['code'] = 500 result['msg'] = "Sign Error" return result
def checkSign(self): if (getSign(self.action, self.param) == self.sign): return True else: return False
@app.route("/geneSign", methods=['GET', 'POST']) def geneSign(): param = urllib.unquote(request.args.get("param", "")) action = "scan" return getSign(action, param)
@app.route('/De1ta',methods=['GET','POST']) def challenge(): action = urllib.unquote(request.cookies.get("action")) param = urllib.unquote(request.args.get("param", "")) sign = urllib.unquote(request.cookies.get("sign")) ip = request.remote_addr if(waf(param)): return "No Hacker!!!!" task = Task(action, param, sign, ip) return json.dumps(task.Exec()) @app.route('/') def index(): return open("code.txt","r").read()
def scan(param): socket.setdefaulttimeout(1) try: return urllib.urlopen(param).read()[:50] except: return "Connection Timeout"
def getSign(action, param): return hashlib.md5(secert_key + param + action).hexdigest()
def md5(content): return hashlib.md5(content).hexdigest()
def waf(param): check=param.strip().lower() if check.startswith("gopher") or check.startswith("file"): return True else: return False
if __name__ == '__main__': app.debug = False app.run(host='0.0.0.0',port=80)
|
访问http://139.180.128.86/geneSign?param=1
1 2 3 4 5 6 7 8 9 10
| @app.route("/geneSign", methods=['GET', 'POST']) def geneSign(): param = urllib.unquote(request.args.get("param", "")) action = "scan" return getSign(action, param) ... def getSign(action, param): return hashlib.md5(secert_key + param + action).hexdigest()
|
能得到md5(secert_key + param + action)
在scan函数
1 2 3 4 5 6
| def scan(param): socket.setdefaulttimeout(1) try: return urllib.urlopen(param).read()[:50] except: return "Connection Timeout"
|
param可控,盲猜这里就是ssrf的点
然后De1ta路由
自己补上cookie和param,会发送请求,调用scan函数
会有checkSign函数,先带着param访问/geneSign注册sign
接着带着sign和param,cookie访问/De1ta
/etc/passwd
的返回值是200
得到flag.txt
的sign
接着访问De1ta
为什么没有返回值呢,发现,好像不能用scan
函数,需要调用read
否则只能拿到statuscode
但是在getsign
里,action=scan
是写死了的,后面获取的md5值,带入的action
也就是scan
bypass waf
在waf里
1 2 3 4 5 6
| def waf(param): check=param.strip().lower() if check.startswith("gopher") or check.startswith("file"): return True else: return False
|
检测了禁止以file开头来读文件
试了%00,%0a都没用
假如,我们传入的param是flag.txtread
得到的md5值如下
1 2
| md5(secert_keyflag.txtreadscan)
|
这样,我们只要让action=readscan
在Exec做检测的时候,就能进入判断
1
| if "read" in self.action:
|
action = readscan
所以payload
拿到flag