题目地址:https://buuoj.cn/challenges
解题思路
第一步:进入题目,发现源码的乱码,整理后得到python的flask框架的源码,题目提示flag in ./flag.txt
from flask import Flask
from flask import request
import socket
import hashlib
import urllib
import sys
import os
import json
reload(sys)
sys.setdefaultencoding('latin1')app = Flask(__name__)secert_key = os.urandom(16)class Task:def __init__(self, action, param, sign, ip):self.action = actionself.param = paramself.sign = signself.sandbox = md5(ip)if(not os.path.exists(self.sandbox)):os.mkdir(self.sandbox)def Exec(self):result = {
}result['code'] = 500if (self.checkSign()):if "scan" in self.action:tmpfile = open("./%s/result.txt" % self.sandbox, 'w')resp = scan(self.param)if (resp == "Connection Timeout"):result['data'] = respelse:print resptmpfile.write(resp)tmpfile.close()result['code'] = 200if "read" in self.action:f = open("./%s/result.txt" % self.sandbox, 'r')result['code'] = 200result['data'] = f.read()if result['code'] == 500:result['data'] = "Action Error"else:result['code'] = 500result['msg'] = "Sign Error"return resultdef checkSign(self):if (getSign(self.action, self.param) == self.sign):return Trueelse:return False@app.route("/geneSign", methods=['GET', 'POST'])
def geneSign():param = urllib.unquote(request.args.get("param", ""))action = "scan"return getSign(action, param)@app.route('/De1ta',methods=['GET','POST'])
def challenge():action = urllib.unquote(request.cookies.get("action"))param = urllib.unquote(request.args.get("param", ""))sign = urllib.unquote(request.cookies.get("sign"))ip = request.remote_addrif(waf(param)):return "No Hacker!!!!"task = Task(action, param, sign, ip)return json.dumps(task.Exec())@app.route('/')
def index():return open("code.txt","r").read()def scan(param):socket.setdefaulttimeout(1)try:return urllib.urlopen(param).read()[:50]except:return "Connection Timeout"def getSign(action, param):return hashlib.md5(secert_key + param + action).hexdigest()def md5(content):return hashlib.md5(content).hexdigest()def waf(param):check=param.strip().lower()if check.startswith("gopher") or check.startswith("file"):return Trueelse:return False
if __name__ == '__main__':app.debug = Falseapp.run(host='0.0.0.0',port=9999)
第二步:代码审计
- 规定了三个界面的路由,一个是/geneSign,一个是/De1ta,最后一个是/
- /geneSign路由从POST或GET获取param参数数据,然后将数据提交给getSign函数;getSign函数返回secert_key + param + action的MD5值的16进制数。
- /De1ta路由从POST或GET获取参数action,param,sign;之后对param参数进行合规判断;再使用参数生成Task对象后,执行Exec函数,最后以jason形式返回执行后的结果。
- Exec函数对参数action进行判断,若action值里面有scan字符串,就将param参数指定的文件读取后打印,并写入result.txt中;若action里面有read字符串,就将result.txt内容读取并打印出来。
第三步:获取flag
- 根据提示我们需要执行Exec函数,并传入param=flag.txt,以及action=readscan,将flag写入result.txt后读取出再以jason形式呈现出来
- Exec在执行前需要对参数使用checkSign函数进行合规检测,而checkSign函数需要调用getSign函数,我们并不知道secert_key的值,就无法确定sign传入的值。
- 但是/geneSign路由可以获取到加工好的16进制数,但是/geneSign路由里面的action为scan,而Exec里面action需要为readscan,我们就可以在/geneSign的param参数传入时使用flag.txtread进行拼接,获取到sign:a5315f93c6a6ef015232e41ab094e7b4
- 访问/De1ta页面,传入参数获取flag
