本文共 4197 字,大约阅读时间需要 13 分钟。
#! /usr/bin/env python#encoding=utf-8from flask import Flaskfrom flask import requestimport socketimport hashlibimport urllibimport sysimport osimport jsonreload(sys)sys.setdefaultencoding('latin1')app = Flask(__name__)secert_key = os.urandom(16)class Task: def __init__(self, action, param, sign, ip): #python对象的初始化构造方法 self.action = action self.param = param self.sign = sign self.sandbox = md5(ip) if(not os.path.exists(self.sandbox)): #SandBox For Remote_Addr os.mkdir(self.sandbox) def Exec(self): #命令执行,并且调用了下面的Scan函数 result = { } result['code'] = 500 if (self.checkSign()):#调用checkSign函数来判段 if "scan" in self.action: #action中要有scan tmpfile = open("./%s/result.txt" % self.sandbox, 'w') resp = scan(self.param) # 自定义的scan()函数读取文件 if (resp == "Connection Timeout"): result['data'] = resp else: print resp # 输出结果 tmpfile.write(resp) tmpfile.close() result['code'] = 200 if "read" in self.action: # action中要有read f = open("./%s/result.txt" % self.sandbox, 'r') result['code'] = 200 result['data'] = f.read() if result['code'] == 500: result['data'] = "Action Error" else: result['code'] = 500 result['msg'] = "Sign Error" return result def checkSign(self): # checkSign用于上面的校验 if (getSign(self.action, self.param) == self.sign): return True else: return False#generate Sign For Action Scan.@app.route("/geneSign", methods=['GET', 'POST'])# /geneSign路由 def geneSign(): param = urllib.unquote(request.args.get("param", "")) # request.args.get()用于获取url上的参数 这里获取param action = "scan" return getSign(action, param)@app.route('/De1ta',methods=['GET','POST']) # 这里执行了Exec(),应该是最后的注入点# /De1ta路由def challenge(): action = urllib.unquote(request.cookies.get("action")) param = urllib.unquote(request.args.get("param", "")) sign = urllib.unquote(request.cookies.get("sign")) ip = request.remote_addr if(waf(param)): return "No Hacker!!!!" task = Task(action, param, sign, ip) return json.dumps(task.Exec()) # json.dump将python对象转为python对象@app.route('/')def index(): return open("code.txt","r").read() # 我们点入题目后的页面 返回的就是源代码def scan(param): socket.setdefaulttimeout(1) # 经过1秒后,如果还未下载成功,自动跳入下一次操作, try: return urllib.urlopen(param).read()[:50] except: return "Connection Timeout"def getSign(action, param): return hashlib.md5(secert_key + param + action).hexdigest() # action和param的md5加密def md5(content): return hashlib.md5(content).hexdigest() # 文件内容的md5加密def waf(param): check=param.strip().lower() if check.startswith("gopher") or check.startswith("file"): # gopher协议和file协议的waf 提醒我去复习gopher协议了 return True else: return Falseif __name__ == '__main__': app.debug = False app.run(host='0.0.0.0') /geneSign:用于测试页面返回的是md5加密后的secert_key + param + action/De1ta:题目的核心部分action = urllib.unquote(request.cookies.get("action"))param = urllib.unquote(request.args.get("param", ""))sign = urllib.unquote(request.cookies.get("sign"))ip = request.remote_addrtask = Task(action, param, sign, ip)return json.dumps(task.Exec()) /:返回源代码,没什么用 题目给了下载的地方if(self.checkSign())def checkSign(self): # checkSign用于上面的校验 if (getSign(self.action, self.param) == self.sign): return True else: eturn Falsedef getSign(action, param): return hashlib.md5(secert_key + param + action).hexdigest()
/geneSign路由get上传?param=flag.txtreadadf80ee5dfe9c60c8575ebd2c8baacf1页面返回def geneSign(): param = urllib.unquote(request.args.get("param", "")) # request.args.get()用于获取url上的参数 这里获取param action = "scan" return getSign(action, param) 转载地址:http://eywmf.baihongyu.com/