Hack the Box INSANE难度题目ArtificialUniversity题解<\/h1>

0x00 题目概述<\/h2>
这是一个Flask框架构建的Web应用程序，模拟了一个购物网站系统。题目难度为INSANE级别，涉及多个漏洞的串联利用，包括逻辑漏洞、路径穿越、SSRF、XSS和gRPC服务中的代码执行漏洞。<\/p>

0x01 系统架构分析<\/h2>

路由结构<\/h3>

用户侧路由:<\/strong><\/p>

\/register<\/code> - 用户注册<\/li>
\/login<\/code> - 用户登录<\/li>
\/product\/<product_id><\/code> - 查看商品<\/li>
\/checkout<\/code> - 下单<\/li>
\/checkout\/success<\/code> - 支付回调<\/li>
\/subs<\/code> - 查看订单<\/li>
\/logout<\/code> - 登出<\/li> <\/ul> 管理员侧路由(需admin权限):<\/strong><\/p> \/admin\/users<\/code> - 查看用户列表<\/li> \/admin\/products<\/code> - 查看所有商品<\/li> \/admin\/orders<\/code> - 查看所有订单<\/li> \/admin\/view-pdf<\/code> - 查看PDF<\/li> \/admin\/api-health<\/code> - 查看API接口状态<\/li> \/admin\/product-stream<\/code> - 获取新产品<\/li> \/admin\/save-product<\/code> - 保存产品<\/li> \/admin\/saved-products<\/code> - 查看已保存产品<\/li> <\/ul> 配置文件分析<\/h3> config.py<\/code>中关键配置:<\/p> class<\/span> Config<\/span>(object): <\/span><\/span> SECRET_KEY =<\/span> os.<\/span>urandom(50<\/span>).<\/span>hex() <\/span><\/span> ADMIN_EMAIL =<\/span> "ed@artificialuniversity.htb"<\/span> <\/span><\/span> ADMIN_PASS =<\/span> os.<\/span>urandom(32<\/span>).<\/span>hex() <\/span><\/span><\/code><\/pre>管理员凭据是随机生成的，无法爆破。<\/p> 0x02 漏洞分析与利用链<\/h2> 1. 逻辑漏洞+路径穿越<\/h3> 漏洞点1: 价格可控<\/strong><\/p> 在\/checkout<\/code>路由中，当不传入product_id<\/code>时，价格参数完全可控:<\/p> @web<\/span>.<\/span>route("\/checkout"<\/span>, methods=<\/span>["GET"<\/span>]) <\/span><\/span>def<\/span> checkout<\/span>(): <\/span><\/span> product_id =<\/span> request.<\/span>args.<\/span>get("product_id"<\/span>) <\/span><\/span> if<\/span> product_id and<\/span> not<\/span> session.<\/span>get("loggedin"<\/span>): <\/span><\/span> return<\/span> render_template("error.html"<\/span>, title=<\/span>"Error"<\/span>, error=<\/span>"Must have an account in order to purchase"<\/span>), 200<\/span> <\/span><\/span> <\/span><\/span> price =<\/span> request.<\/span>args.<\/span>get("price"<\/span>) # 价格可控<\/span> <\/span><\/span> title =<\/span> request.<\/span>args.<\/span>get("title"<\/span>) <\/span><\/span> user_id =<\/span> request.<\/span>args.<\/span>get("user_id"<\/span>) <\/span><\/span> email =<\/span> request.<\/span>args.<\/span>get("email"<\/span>) <\/span><\/span> <\/span><\/span> if<\/span> not<\/span> product_id and<\/span> (not<\/span> price or<\/span> not<\/span> title or<\/span> not<\/span> user_id or<\/span> not<\/span> email): <\/span><\/span> return<\/span> render_template("error.html"<\/span>, title=<\/span>"Error"<\/span>, error=<\/span>"Missing external order details"<\/span>), 400<\/span> <\/span><\/span> <\/span><\/span> db_session =<\/span> Database() <\/span><\/span> payment_link =<\/span> None<\/span> <\/span><\/span> <\/span><\/span> if<\/span> product_id: <\/span><\/span> # 正常流程<\/span> <\/span><\/span> else<\/span>: <\/span><\/span> product_data =<\/span> { <\/span><\/span> "title"<\/span>: title, <\/span><\/span> "price"<\/span>: int(price) # 可设置为负数<\/span> <\/span><\/span> } <\/span><\/span> payment_link, payment_id =<\/span> generate_payment_link(product_data["price"<\/span>]) <\/span><\/span> order_id =<\/span> db_session.<\/span>create_order(title, user_id, email, int(price), payment_id) <\/span><\/span><\/code><\/pre>漏洞点2: 支付回调中的路径穿越<\/strong><\/p> \/checkout\/success<\/code>路由中的bot_runner<\/code>函数会访问PDF文件，但payment_id<\/code>可控:<\/p> def<\/span> bot_runner<\/span>(email, password, payment_id): <\/span><\/span> # ...<\/span> <\/span><\/span> client.<\/span>get(f<\/span>"http:\/\/127.0.0.1:1337\/static\/invoices\/invoice_<\/span>{<\/span>payment_id}<\/span>.pdf"<\/span>) <\/span><\/span> # ...<\/span> <\/span><\/span><\/code><\/pre>通过设置payment_id<\/code>为..admin\/xxx#<\/code>，浏览器会解析为http:\/\/127.0.0.1:1337\/admin#pdf<\/code>，而后端实际接收到的是http:\/\/127.0.0.1:1337\/admin<\/code>。<\/p> 利用步骤:<\/strong><\/p> 访问\/checkout<\/code>不传product_id<\/code>，设置price=-1<\/code>创建负价订单<\/li> 在\/checkout\/success<\/code>回调中设置payment_id=..admin\/xxx#<\/code>实现路径穿越<\/li> 利用bot自动登录管理员账号后访问admin路由<\/li> <\/ol> 2. SSRF漏洞利用<\/h3> 漏洞点1: \/admin\/view-pdf<\/code><\/strong><\/p> @web<\/span>.<\/span>route("\/admin\/view-pdf"<\/span>, methods=<\/span>["GET"<\/span>]) <\/span><\/span>def<\/span> admin_view_pdf<\/span>(): <\/span><\/span> pdf_url =<\/span> request.<\/span>args.<\/span>get("url"<\/span>) <\/span><\/span> response =<\/span> requests.<\/span>get(pdf_url) # SSRF<\/span> <\/span><\/span><\/code><\/pre>漏洞点2: \/admin\/api-health<\/code><\/strong><\/p> @web<\/span>.<\/span>route("\/admin\/api-health"<\/span>, methods=<\/span>["GET"<\/span>, "POST"<\/span>]) <\/span><\/span>def<\/span> api_health<\/span>(): <\/span><\/span> url =<\/span> request.<\/span>form.<\/span>get("url"<\/span>) <\/span><\/span> status_code =<\/span> get_url_status_code(url) # 使用curl实现的SSRF<\/span> <\/span><\/span> <\/span><\/span>def<\/span> get_url_status_code<\/span>(url): <\/span><\/span> curl_args =<\/span> ["curl"<\/span>, "-o"<\/span>, "\/dev\/null"<\/span>, "-w"<\/span>, "%<\/span>{http_code}<\/span>"<\/span>, url] <\/span><\/span> result =<\/span> subprocess.<\/span>run(curl_args, capture_output=<\/span>True<\/span>, text=<\/span>True<\/span>, check=<\/span>True<\/span>) <\/span><\/span><\/code><\/pre>3. PDF.js漏洞利用(CVE-2024-4367)<\/h3> 题目使用的Firefox 125.0.1版本存在PDF.js漏洞(CVE-2024-4367)，允许通过特制PDF执行任意JavaScript代码。<\/p> 利用方法:<\/strong><\/p> 构造恶意PDF触发XSS<\/li> 通过XSS自动提交表单访问\/admin\/api-health<\/code><\/li> 利用curl的SSRF功能攻击内网服务<\/li> <\/ol> 4. gRPC服务代码执行<\/h3> 内网gRPC服务(50051端口)存在任意代码执行漏洞:<\/p> class<\/span> ProductService<\/span>(product_pb2_grpc.<\/span>ProductServiceServicer): <\/span><\/span> def<\/span> GenerateProduct<\/span>(self): <\/span><\/span> if<\/span> hasattr(self, "price_formula"<\/span>): <\/span><\/span> price =<\/span> eval(self.<\/span>price_formula) # 任意代码执行<\/span> <\/span><\/span> <\/span><\/span> def<\/span> DebugService<\/span>(self, request, context): <\/span><\/span> input_dict =<\/span> {k: v.<\/span>string_value for<\/span> k, v in<\/span> request.<\/span>input.<\/span>items()} <\/span><\/span> self.<\/span>UpdateService(input_dict, self) # 可设置price_formula属性<\/span> <\/span><\/span><\/code><\/pre>利用链:<\/strong><\/p> 通过DebugService<\/code>设置price_formula<\/code>属性<\/li> 调用GetNewProducts<\/code>触发GenerateProduct<\/code>执行eval<\/code><\/li> <\/ol> 5. 完整利用链<\/h3> 初始访问:<\/strong><\/p> 利用逻辑漏洞创建负价订单<\/li> 通过路径穿越访问admin接口<\/li> <\/ul> <\/li> 权限提升:<\/strong><\/p> 利用\/admin\/view-pdf<\/code>的SSRF和PDF.js漏洞执行XSS<\/li> 通过XSS自动提交表单访问\/admin\/api-health<\/code><\/li> <\/ul> <\/li> 内网横向移动:<\/strong><\/p> 构造gopher协议请求攻击内网gRPC服务<\/li> 通过DebugService<\/code>设置price_formula<\/code><\/li> 调用GetNewProducts<\/code>触发代码执行<\/li> <\/ul> <\/li> <\/ol> 0x03 防御建议<\/h2> 修复逻辑漏洞:<\/strong><\/p> 价格参数应由服务端计算，不可由客户端控制<\/li> 支付回调应验证payment_id<\/code>格式<\/li> <\/ul> <\/li> 防止路径穿越:<\/strong><\/p> 规范化路径处理<\/li> 验证文件名不包含特殊字符<\/li> <\/ul> <\/li> SSRF防护:<\/strong><\/p> 限制URL访问范围(协议、域名、端口)<\/li> 使用白名单机制<\/li> <\/ul> <\/li> gRPC服务安全:<\/strong><\/p> 避免使用eval<\/code>等危险函数<\/li> 对输入参数进行严格过滤<\/li> 限制服务访问权限<\/li> <\/ul> <\/li> 组件安全:<\/strong><\/p> 及时更新存在漏洞的组件版本<\/li> 实施最小权限原则<\/li> <\/ul> <\/li> <\/ol> 0x04 参考链接<\/h2> CVE-2024-4367详情<\/a><\/li> gRPC安全最佳实践<\/li> SSRF防御指南<\/li> <\/ul>

Hack the Box INSANE难度题目ArtificialUniversity题解<\/h1>

0x00 题目概述<\/h2> 这是一个Flask框架构建的Web应用程序，模拟了一个购物网站系统。题目难度为INSANE级别，涉及多个漏洞的串联利用，包括逻辑漏洞、路径穿越、SSRF、XSS和gRPC服务中的代码执行漏洞。<\/p>

0x01 系统架构分析<\/h2>

0x02 漏洞分析与利用链<\/h2>

0x04 参考链接<\/h2> CVE-2024-4367详情<\/a><\/li> gRPC安全最佳实践<\/li> SSRF防御指南<\/li> <\/ul>

0x00 题目概述<\/h2>
这是一个Flask框架构建的Web应用程序，模拟了一个购物网站系统。题目难度为INSANE级别，涉及多个漏洞的串联利用，包括逻辑漏洞、路径穿越、SSRF、XSS和gRPC服务中的代码执行漏洞。<\/p>

0x04 参考链接<\/h2>

CVE-2024-4367详情<\/a><\/li>
gRPC安全最佳实践<\/li>
SSRF防御指南<\/li> <\/ul>