[De1CTF 2019]SSRF Me
2022-07-25 09:27:00 【Strange Xiaosheng lost his mind】
The challenge hands out its source code right away.
So this is a code-audit challenge. The code as served is hard to work with, though: it all arrives on a single line, so it has to be re-indented by hand before it can be read.
```python
#! /usr/bin/env python
# encoding=utf-8
from flask import Flask
from flask import request
import socket
import hashlib
import urllib
import sys
import os
import json

reload(sys)
sys.setdefaultencoding('latin1')

app = Flask(__name__)
secert_key = os.urandom(16)


class Task:
    def __init__(self, action, param, sign, ip):  # plain assignment of the request fields
        self.action = action
        self.param = param
        self.sign = sign
        self.sandbox = md5(ip)
        if(not os.path.exists(self.sandbox)):  # one sandbox directory per client IP
            os.mkdir(self.sandbox)

    def Exec(self):
        result = {}
        result['code'] = 500
        if (self.checkSign()):
            if "scan" in self.action:
                tmpfile = open("./%s/result.txt" % self.sandbox, 'w')  # mode 'w': result.txt is (over)written
                resp = scan(self.param)
                if (resp == "Connection Timeout"):
                    result['data'] = resp
                else:
                    print resp
                    tmpfile.write(resp)  # whatever scan() fetched (e.g. flag.txt) lands in result.txt
                tmpfile.close()
                result['code'] = 200
            if "read" in self.action:
                f = open("./%s/result.txt" % self.sandbox, 'r')  # read-only
                result['code'] = 200
                result['data'] = f.read()  # contents of result.txt are returned
            if result['code'] == 500:
                result['data'] = "Action Error"
        else:
            result['code'] = 500
            result['msg'] = "Sign Error"
        return result

    def checkSign(self):
        if (getSign(self.action, self.param) == self.sign):
            return True
        else:
            return False


@app.route("/geneSign", methods=['GET', 'POST'])
def geneSign():
    param = urllib.unquote(request.args.get("param", ""))
    action = "scan"
    return getSign(action, param)


@app.route('/De1ta', methods=['GET', 'POST'])  # the main entry point; everything else is called from here
def challenge():
    action = urllib.unquote(request.cookies.get("action"))  # action comes from a cookie and selects the branch
    param = urllib.unquote(request.args.get("param", ""))  # param comes from the query string
    sign = urllib.unquote(request.cookies.get("sign"))  # sign comes from a cookie
    ip = request.remote_addr  # client IP, used to name the sandbox directory
    if(waf(param)):  # run param through the filter
        return "No Hacker!!!!"
    task = Task(action, param, sign, ip)  # build the Task object
    return json.dumps(task.Exec())  # result goes back to the client as JSON


@app.route('/')
def index():
    return open("code.txt", "r").read()


def scan(param):
    socket.setdefaulttimeout(1)
    try:
        return urllib.urlopen(param).read()[:50]  # a bare path such as flag.txt is opened as a local file; its first 50 bytes end up in result.txt
    except:
        return "Connection Timeout"


def getSign(action, param):  # md5 over secert_key + param + action, concatenated with no separator
    return hashlib.md5(secert_key + param + action).hexdigest()


def md5(content):  # md5 hex digest of a string
    return hashlib.md5(content).hexdigest()


def waf(param):  # returns True only if param starts with "gopher" or "file"
    check = param.strip().lower()
    if check.startswith("gopher") or check.startswith("file"):
        return True
    else:
        return False


if __name__ == '__main__':
    app.debug = False
    app.run(host='0.0.0.0', port=9999)
```
It is a Flask application.
The important part of the Task class is its two branches, read and write, both selected by action. Because action is tested with "in" rather than "==", a single value such as action=scanread or action=readscan satisfies both if statements.
Approach:
First bypass self.checkSign(), and send an action that contains both scan and read. Then the branch if "scan" in self.action: writes the contents of flag.txt into result.txt, the branch if "read" in self.action: reads result.txt back into result['data'], and return json.dumps(task.Exec()) sends it to the client as JSON.
To bypass self.checkSign() we need getSign(self.action, self.param) == self.sign (the sign value is passed in a cookie), i.e. hashlib.md5(secert_key + param + action).hexdigest() == self.sign. With our parameters that is hashlib.md5(secert_key + 'flag.txt' + 'readscan').hexdigest() == self.sign, so in general we need the md5 of secert_key + 'flag.txtreadscan'.
We do not know secert_key, but the server will compute the hash for us through the /geneSign endpoint. Note that in /geneSign the action is fixed to scan, so we set param to flag.txtread: the server then concatenates exactly secert_key + 'flag.txtreadscan' and returns its hash.
/geneSign?param=flag.txtread
Then, following the analysis from the code audit above, pass in the parameters.

That's all.
Done!
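The three weaknesses the audit relies on (the separator-free md5 in getSign, the substring test on action, and the prefix blocklist in waf) are worth seeing side by side with what a fixed version would look like. The block below is an added example, not the challenge's code or the author's: it ports those three checks to Python 3 and pairs each with a hardened equivalent. SECRET_KEY is a constructed demo value (the challenge uses os.urandom(16)), and ALLOWED_ACTIONS, get_sign_hardened, verify_sign_hardened, dispatch_hardened, waf_hardened and signature_ambiguous are names chosen here.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

# Constructed demo key; the challenge generates its own with os.urandom(16).
SECRET_KEY = b"demo-secret-key-not-the-challenge-key"


# ---- The three checks as the challenge implements them (Python 3 port) ----

def get_sign_vulnerable(action, param):
    # md5(secret + param + action) with no field boundary: the verifier cannot
    # tell where param stops and action starts.
    return hashlib.md5(SECRET_KEY + param.encode() + action.encode()).hexdigest()


def dispatch_vulnerable(action):
    # Substring tests: one action string can satisfy both branches.
    steps = []
    if "scan" in action:
        steps.append("scan")
    if "read" in action:
        steps.append("read")
    return steps


def waf_vulnerable(param):
    # Prefix blocklist: a bare relative path such as "flag.txt" is not
    # blocked, and urlopen() then treats it as a local file.
    check = param.strip().lower()
    return check.startswith("gopher") or check.startswith("file")


# ---- Hardened equivalents (added here, not part of the challenge) ----

ALLOWED_ACTIONS = {"scan", "read"}


def get_sign_hardened(action, param):
    # Length-prefix every field so the signed message is unambiguous, and use
    # HMAC rather than a bare hash over key || data.
    fields = (action.encode(), param.encode())
    msg = b"".join(len(f).to_bytes(4, "big") + f for f in fields)
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()


def verify_sign_hardened(action, param, sign):
    # Constant-time comparison of the presented signature.
    return hmac.compare_digest(get_sign_hardened(action, param), sign)


def dispatch_hardened(action):
    # Exact match against an allowlist: "readscan" is rejected outright.
    return [action] if action in ALLOWED_ACTIONS else []


def waf_hardened(param):
    # Scheme allowlist: only absolute http(s) URLs with a host pass, so local
    # paths, file:// and gopher:// are all rejected. Returns True when blocked.
    parts = urlsplit(param)
    return not (parts.scheme in ("http", "https") and parts.netloc)


def signature_ambiguous(sign_func):
    # True when a signature issued for ("scan", "flag.txtread"), which is what
    # /geneSign hands out, also verifies for ("readscan", "flag.txt").
    return sign_func("scan", "flag.txtread") == sign_func("readscan", "flag.txt")


if __name__ == "__main__":
    print("vulnerable sign ambiguous:", signature_ambiguous(get_sign_vulnerable))
    print("hardened sign ambiguous:  ", signature_ambiguous(get_sign_hardened))
    print("vulnerable dispatch('readscan'):", dispatch_vulnerable("readscan"))
    print("hardened dispatch('readscan'):  ", dispatch_hardened("readscan"))
    print("vulnerable waf blocks 'flag.txt':", waf_vulnerable("flag.txt"))
    print("hardened waf blocks 'flag.txt':  ", waf_hardened("flag.txt"))
```

Running the block shows the vulnerable signature colliding for the two (action, param) pairs while the length-prefixed HMAC does not, the exact-match dispatcher refusing readscan, and the scheme allowlist rejecting the bare flag.txt path. The waf_hardened check only fixes the scheme problem the page discusses; restricting which hosts may be fetched is a separate decision for a real SSRF defence.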