[De1CTF 2019]SSRF Me
SSRF?没怎么体会到,这道题我更愿意称它为python中的flask框架代码审计题。吐槽一下这个鬼题目,缩进都没有,纯纯一个文本文件。我会美化代码?不存在的,我直接从别的师傅那偷一个优化好的python源代码。
#! /usr/bin/env python
# #encoding=utf-8
from flask import Flask
from flask import request
import socket
import hashlib
import urllib
import sys
import os
import json
reload(sys)
sys.setdefaultencoding('latin1')
app = Flask(__name__)
secert_key = os.urandom(16)
class Task:
def __init__(self, action, param, sign, ip):
self.action = action
self.param = param
self.sign = sign
self.sandbox = md5(ip)
if(not os.path.exists(self.sandbox)):
os.mkdir(self.sandbox)
def Exec(self):
result = {}
result['code'] = 500
if (self.checkSign()):
if "scan" in self.action:
tmpfile = open("./%s/result.txt" % self.sandbox, 'w')
resp = scan(self.param)
if (resp == "Connection Timeout"):
result['data'] = resp
else:
print resp
tmpfile.write(resp)
tmpfile.close()
result['code'] = 200
if "read" in self.action:
f = open("./%s/result.txt" % self.sandbox, 'r')
result['code'] = 200
result['data'] = f.read()
if result['code'] == 500:
result['data'] = "Action Error"
else:
result['code'] = 500
result['msg'] = "Sign Error"
return result
def checkSign(self):
if (getSign(self.action, self.param) == self.sign):
return True
else:
return False
@app.route("/geneSign", methods=['GET', 'POST'])
def geneSign():
param = urllib.unquote(request.args.get("param", ""))
action = "scan"
return getSign(action, param)
@app.route('/De1ta',methods=['GET','POST'])
def challenge():
action = urllib.unquote(request.cookies.get("action"))
param = urllib.unquote(request.args.get("param", ""))
sign = urllib.unquote(request.cookies.get("sign"))
ip = request.remote_addr
if(waf(param)):
return "No Hacker!!!!"
task = Task(action, param, sign, ip)
return json.dumps(task.Exec())
@app.route('/')
def index():
return open("code.txt","r").read()
def scan(param):
socket.setdefaulttimeout(1)
try:
return urllib.urlopen(param).read()[:50]
except:
return "Connection Timeout"
def getSign(action, param):
return hashlib.md5(secert_key + param + action).hexdigest()
def md5(content):
return hashlib.md5(content).hexdigest()
def waf(param):
check=param.strip().lower()
if check.startswith("gopher") or check.startswith("file"):
return True
else:
return False
if __name__ == '__main__':
app.debug = False
app.run(host='0.0.0.0',port=9999)flask框架找路由,这里有三个路由,
@app.route("/geneSign", methods=['GET', 'POST'])
@app.route('/De1ta',methods=['GET','POST'])
@app.route('/')分别是/geneSign 、/De1ta、/ 三个。根据分析,这里最核心的是/De1ta,不过我们也不急分析这个,先看看/geneSign路由,从易到难。
@app.route("/geneSign", methods=['GET', 'POST'])
def geneSign():
param = urllib.unquote(request.args.get("param", ""))
action = "scan"
return getSign(action, param)这里接受一个GET参数param,和action一起传入getSign函数中,看看getSign(),
def getSign(action, param):
return hashlib.md5(secert_key + param + action).hexdigest()把密匙secert_key于传入的param和action经过MD5加密返回,这玩意儿有什么用呢?后面就知道了。我们再看看关键的路由,
@app.route('/De1ta',methods=['GET','POST'])
def challenge():
action = urllib.unquote(request.cookies.get("action"))
param = urllib.unquote(request.args.get("param", ""))
sign = urllib.unquote(request.cookies.get("sign"))
ip = request.remote_addr
if(waf(param)):
return "No Hacker!!!!"
task = Task(action, param, sign, ip)
return json.dumps(task.Exec())这里有四个参数:action、sign读取cookie值,param获取GET的值,IP自然就是获得本地IP的值。这里有个waf()函数,我们需要绕过,看看waf(),
def waf(param):
check = param.strip().lower()
if check.startswith("gopher") or check.startswith("file"):
return True
else:
return False
strip()默认剔除首尾空格,lower()全部小写,startswitch()匹配字符串第一个是否为参数中的值。所以waf()相当于是把file协议和gopher协议给禁用了。
接着看上面的/De1ta路由,task实例化了一个对象,调用了一次对象中的Exec()函数,以json.dumps()输出,json.dumps()输出格式如下,
![[De1CTF 2019]SSRF Me_第1张图片](http://img.e-com-net.com/image/info8/7fb16b58fa8d48e49b2f59523bf16635.jpg)
def Exec(self):
result = {}
result['code'] = 500
if (self.checkSign()):
if "scan" in self.action:
tmpfile = open("./%s/result.txt" % self.sandbox, 'w')
resp = scan(self.param)
if (resp == "Connection Timeout"):
result['data'] = resp
else:
print resp
tmpfile.write(resp)
tmpfile.close()
result['code'] = 200
if "read" in self.action:
f = open("./%s/result.txt" % self.sandbox, 'r')
result['code'] = 200
result['data'] = f.read()
if result['code'] == 500:
result['data'] = "Action Error"
else:
result['code'] = 500
result['msg'] = "Sign Error"
return result
直接看Exec()函数,第一步要绕checkSign(),看看checkSign(),
def checkSign(self):
if (getSign(self.action, self.param) == self.sign):
return True
else:
return False看到getSign()函数了,这是我们最开始审计的那个MD5加密的那个,也就是说我们需要判断action与param传入进去的值与密匙配合MD5加密过后的值与本身GET传入的sign值是否相匹配。
继续往下看,
if "scan" in self.action:
if "read" in self.action:这里我们笃定action中需要存在这两个段字符串也就是“scanread”或者“readscan”。到这里基本就分析完了,因为如果能绕过action这两个判断,就会执行如下,
resp = scan(self.param)def scan(param):
socket.setdefaulttimeout(1)
try:
return urllib.urlopen(param).read()[:50]
except:
return "Connection Timeout"因为hint给了,flag就在/flag.txt中
![[De1CTF 2019]SSRF Me_第2张图片](http://img.e-com-net.com/image/info8/713d14c69b98477c83db0ab8d6df6b12.jpg)
OK,现在我们需要做的事就是给sign找到一个MD5的值绕过checkSign(),因为不知道密匙所以我们可以利用/geneSign,但是action在/geneSign中的值不能修改为‘scan’,而我们要用密匙+param+action,而且我们能控制param的值所以我们赋值给param=flag.txtread,最后得到的MD5就是我们想要的,演示如下:
![[De1CTF 2019]SSRF Me_第3张图片](http://img.e-com-net.com/image/info8/7566670b96014916a44d7f9bdcd72ac3.jpg)
![[De1CTF 2019]SSRF Me_第4张图片](http://img.e-com-net.com/image/info8/b8a8269f93724e75bafcf4794a6686b4.jpg)
参考:https://www.jb51.net/article/212376.htm
[De1CTF 2019]SSRF Me_为之。的博客-CSDN博客
学习笔记37.[De1CTF 2019]SSRF Me - 简书