高校运维赛 2024 easyshell
没有环境,过一遍思路吧 考点: pickle反序列化+urllib库注入redis缓存

from flask import Flask,request
from redis import Redis
import hashlib
import pickle
import base64
# NOTE(review): only the top-level package is imported here, yet the code uses
# urllib.request and urllib.error; that works only if another import has
# already loaded those submodules. Confirm against the real deployment.
import urllib

app = Flask(__name__)
# The cache is a Redis instance on the same host as the web application.
redis = Redis(host='127.0.0.1', port=6379)

def get_result(url):
    """Return the body fetched from *url*, using Redis as a 300-second cache.

    The cache key is the MD5 hex digest of the URL string. A cache hit is
    base64-decoded and unpickled; a miss fetches the URL, stores the pickled,
    base64-encoded body and returns the raw bytes. When the fetch raises
    URLError the error is printed and the function falls through, so the
    caller receives None.
    """
    url_key=hashlib.md5(url.encode()).hexdigest()
    res=redis.get(url_key)
    if res:
        # SECURITY: the cached value is unpickled as-is. Unpickling can run
        # code chosen by whoever produced the bytes, so every party able to
        # write to this Redis instance controls what executes here. The cached
        # payload is plain bytes (see the miss path), so storing it raw or in a
        # data-only format would remove the need for pickle entirely.
        return pickle.loads(base64.b64decode(res))
    else:
        try:
            print(url)
            # The request goes to whatever host and port the caller put in the
            # URL; nothing in this function restricts the destination.
            info = urllib.request.urlopen(url)
            res = info.read()
            pickres=pickle.dumps(res)
            b64res=base64.b64encode(pickres)
            # ex=300: the cache entry expires after 300 seconds.
            redis.set(url_key,b64res,ex=300)
            return res
        except urllib.error.URLError as e:
            # Only URLError is handled; the function then returns None implicitly.
            print(e)

@app.route('/')
def hello():
    """Fetch the URL named by the `url` query parameter and embed the body in HTML.

    Only the `http://` scheme prefix is fixed; host, port and path come from
    the request unchanged, which makes this a server-side request to a
    caller-chosen destination, including the local Redis port. The write-up
    attributes the CRLF injection in this call chain to urllib on Python 3.7
    (CVE-2019-9947). Mitigations a reviewer would ask for: an allow-list of
    destination hosts, rejection of control characters in the parameter, and a
    Python release that carries the urllib fix.
    """
    url = request.args.get("url")
    # If `url` is absent, request.args.get returns None and the concatenation
    # below raises TypeError; if get_result returns None (URLError path), the
    # .decode call raises AttributeError.
    # The fetched body is interpolated into the HTML response without escaping.
    return '''<h1>give me your url via GET method like: ?url=127.0.0.1:8080<h1> <h2>Here is your result</h2> <h3>source code in /source</h3> %s ''' % get_result('http://'+url).decode(encoding='utf8',errors='ignore')

@app.route('/source')
def source():
    """Serve the application source (per the /source hint in the index page).

    NOTE(review): on this page the body is a bare `return`; the returned
    expression appears to have been lost when the listing was extracted.
    """
    return

这里触发 ssrf 是通过 python3.7 的 urllib.request.urlopen(url) 触发 存在 CRLF注入 控制 缓存应用命令(redis) (CVE-2019-9947) https://www.freebuf.com/vuls/222679.html ...