csrf-2 — web hacking/dreamhack(드림핵) 2023. 4. 6. 00:32
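#!/usr/bin/python3
"""Dreamhack "csrf-2" challenge: a small Flask app with an intentionally weak
XSS filter and a password-change endpoint that can be driven by CSRF.

The vulnerable behaviour (reflected ``/vuln`` output, state change over GET in
``/change_password``, no CSRF token, no SameSite attribute on the session
cookie) is the point of the challenge and is kept as-is. The review notes next
to each route describe the weakness and the mitigation a production service
would apply; only genuine bugs unrelated to the challenge design are fixed.
"""
from flask import Flask, request, render_template, make_response, redirect, url_for
from selenium import webdriver
# The original imported only `urllib`; `urllib.parse` resolved by accident
# because another import had already loaded the submodule.
import urllib.parse
import os

app = Flask(__name__)
app.secret_key = os.urandom(32)

# The flag doubles as the admin password (see `users`). Fall back to a
# placeholder when the file is absent, e.g. when running outside the
# challenge container. Only file errors are swallowed, not every exception.
try:
    with open("./flag.txt", "r") as flag_file:
        FLAG = flag_file.read()
except OSError:
    FLAG = "[**FLAG**]"

users = {
    'guest': 'guest',
    'admin': FLAG
}

# In-memory session store: session id -> username. Entries are never
# evicted, so it grows with every login and every POST to /flag.
session_storage = {}


def read_url(url, cookie=None):
    """Visit `url` in headless Chrome with `cookie` planted for 127.0.0.1.

    Args:
        url: Page the bot loads after the cookie has been added.
        cookie: Selenium cookie dict (`name`/`value`). Defaults to a dummy
            cookie. A copy is made, so neither the caller's dict nor the
            default is mutated (the original mutated its shared default
            dict on every call).

    Returns:
        True when the navigation completed, False on any Selenium error
        (the error text is printed to stdout).
    """
    if cookie is None:
        cookie = {"name": "name", "value": "value"}
    cookie = {**cookie, "domain": "127.0.0.1"}

    driver = None
    try:
        options = webdriver.ChromeOptions()
        for chrome_flag in (
            "headless",
            "window-size=1920x1080",
            "disable-gpu",
            "no-sandbox",
            "disable-dev-shm-usage",
        ):
            options.add_argument(chrome_flag)
        driver = webdriver.Chrome("/chromedriver", options=options)
        driver.implicitly_wait(3)
        driver.set_page_load_timeout(3)
        # Selenium only accepts a cookie for the origin currently loaded,
        # so open the app root before adding it.
        driver.get("http://127.0.0.1:8000/")
        driver.add_cookie(cookie)
        driver.get(url)
    except Exception as e:
        print(str(e))
        return False
    finally:
        # The original called driver.quit() in the except branch even when
        # webdriver.Chrome() itself had failed, which raised
        # UnboundLocalError and turned a bot error into a 500 response.
        if driver is not None:
            driver.quit()
    return True


def check_csrf(param, cookie=None):
    """Send the bot to /vuln with `param` reflected, carrying `cookie`.

    Returns:
        The result of read_url: True on success, False on error.
    """
    url = f"http://127.0.0.1:8000/vuln?param={urllib.parse.quote(param)}"
    return read_url(url, cookie)


# Index page.
@app.route("/")
def index():
    """Greet the logged-in user; the flag is shown only to `admin`."""
    session_id = request.cookies.get('sessionid', None)
    try:
        username = session_storage[session_id]
    except KeyError:
        return render_template('index.html', text='please login')
    suffix = "flag is " + FLAG if username == "admin" else "you are not an admin"
    return render_template('index.html', text=f'Hello {username}, {suffix}')


# Page vulnerable to XSS / CSRF.
# <img src="https://bsgzhcm.request.dreamhack.games?ppaa=ppap"/>
@app.route("/vuln")
def vuln():
    """Reflect the `param` query value after a blocklist filter.

    The value is returned as the response body without HTML escaping, and
    the filter is a case-folding substring blocklist; both are the
    challenge's intended weakness. A real service would escape the output
    (e.g. `markupsafe.escape`) rather than filter substrings.
    """
    param = request.args.get("param", "").lower()
    xss_filter = ["frame", "script", "on"]
    for blocked in xss_filter:
        param = param.replace(blocked, "*")
    return param


# Sets the `param` of the /vuln page that the admin bot will visit.
# <img src="/change_password?pw=1234"/>
@app.route("/flag", methods=["GET", "POST"])
def flag():
    """GET: render the submission form. POST: send the admin bot to /vuln.

    Each POST mints a fresh admin session for the bot and stores it in
    `session_storage`; it is never removed afterwards, so repeated POSTs
    leave stale admin sessions behind.
    """
    if request.method == "GET":
        return render_template("flag.html")
    elif request.method == "POST":
        param = request.form.get("param", "")
        session_id = os.urandom(16).hex()
        session_storage[session_id] = 'admin'
        if not check_csrf(param, {"name": "sessionid", "value": session_id}):
            return '<script>alert("wrong??");history.go(-1);</script>'
        return '<script>alert("good");history.go(-1);</script>'


# Login page.
# Logging in as admin is not possible: the admin password is the flag.
@app.route('/login', methods=['GET', 'POST'])
def login():
    """GET: render the form. POST: check credentials and set `sessionid`.

    The cookie is set without HttpOnly/Secure/SameSite attributes; with no
    SameSite restriction the browser attaches it to cross-site requests,
    which is what makes /change_password reachable via CSRF.
    """
    if request.method == 'GET':
        return render_template('login.html')
    elif request.method == 'POST':
        username = request.form.get('username')
        password = request.form.get('password')
        try:
            pw = users[username]
        except KeyError:
            return '<script>alert("not found user");history.go(-1);</script>'
        if pw == password:
            resp = make_response(redirect(url_for('index')))
            session_id = os.urandom(8).hex()
            session_storage[session_id] = username
            resp.set_cookie('sessionid', session_id)
            return resp
        return '<script>alert("wrong password");history.go(-1);</script>'


# Page that changes the password.
@app.route("/change_password")
def change_password():
    """Overwrite the current user's password with the `pw` query value.

    A state-changing GET with no CSRF token and no re-authentication: any
    page the logged-in browser loads can trigger it (the challenge's
    intended weakness). The production fix is POST plus a per-session CSRF
    token, and SameSite=Lax/Strict on the session cookie.
    """
    pw = request.args.get("pw", "")
    session_id = request.cookies.get('sessionid', None)
    try:
        username = session_storage[session_id]
    except KeyError:
        return render_template('index.html', text='please login')
    users[username] = pw
    return 'Done'


app.run(host="0.0.0.0", port=8000)

# Post's closing note: using the change_password page to change admin's
# password and then logging in as admin yields the flag.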