标签：攻防比赛 xxe mezzanine virtualenv

虚拟部署

virtualenv是python环境配置和切换工具，进入该虚拟环境后，pip安装的软件不影响当前主环境，这样就能很好的安装几个python版本了，解决了库之间的依赖关系。 
安装virtualenv和pipsudo apt-get install python-virtualenv python-pip

创建虚拟部署环境

1. gongfangbisai@ubuntu:~$virtualenv -p /usr//bin/python2.7 app

2. gongfangbisai@ubuntu:~$ cd app/

3. gongfangbisai@ubuntu:~/app$ ls

4. bin include lib local

5. gongfangbisai@ubuntu:~/app$ source bin/activate

6. (app)gongfangbisai@ubuntu:~/app$ pip install mezzanine

7. Downloading/unpacking mezzanine

8. Downloading Mezzanine-3.1.10-py2.py3-none-any.whl (5.7MB): 5.7MB downloaded

9. Downloading/unpacking bleach>=1.4 (from mezzanine)

10. Downloading bleach-1.4.1.tar.gz

首先使用virtualenv创建一个虚拟节点app，然后使用source激活，再在激活的节点下pip安装mezzanine，安装完mezzanine之后使用mezzanine-project来创建一个工程。

1. (app)gongfangbisai@ubuntu:~/app$ mezzanine-project myproject

2. (app)gongfangbisai@ubuntu:~/app$ cd myproject/

3. (app)gongfangbisai@ubuntu:~/app/myproject$ ls

4. deploy fabfile.py __init__.py local_settings.py manage.py requirements.txt settings.py urls.py wsgi.py

5. (app)gongfangbisai@ubuntu:~/app/myproject$ python manage.py createdb

6. Creating tables ...

7. Creating table auth_permission

8. Creating table auth_group_permissions

9. Creating table auth_group

10. ..........

11. You just installed Django‘s auth system, which means you don‘t have any superusers defined.

12. Would you like to create one now? (yes/no): yes

13. Username (leave blank to use ‘gongfangbisai‘): gongfangbisai

14. Email address: shengqi158@gmail.com

15. Password:

16. Password (again):

17. Superuser created successfully.

18. A site record is required.

19. Please enter the domain and optional port in the format ‘domain:port‘.

20. For example ‘localhost:8000‘ or ‘www.example.com‘.

21. Hit enter to use the default (127.0.0.1:8000):

22. Creating default site record: 127.0.0.1:8000 ...

23. Installed 2 object(s) from 1 fixture(s)

24. Would you like to install some initial demo pages?

25. Eg: About us, Contact form, Gallery. (yes/no): yes

26. Creating demo pages: About us, Contact form, Gallery ...

27. Installed 16 object(s) from 3 fixture(s)

28. Installing custom SQL ...

29. Installing indexes ...

30. Installed 0 object(s) from 0 fixture(s)

31. (app)gongfangbisai@ubuntu:~/app/myproject$ ls

32. deploy fabfile.py __init__.pyc local_settings.pyc requirements.txt settings.pyc urls.py

33. dev.db __init__.py local_settings.py manage.py settings.py static wsgi.py

使用mezzanine-project myproject创建完工程之后就是创建数据库，使用命令python manage.py createdb 即可，由于mezzanine是基于django框架的，可以看到一些基于django的数据库的创建。再接着会提示输入超级管理用户的用户名，email，密码，请记住，这是mezzanine系统的超级管理员。接下来我们试运行一下：

1. (app)gongfangbisai@ubuntu:~/app/myproject$ python manage.py runserver 0.0.0.0:8000

再接着在浏览器访问127.0.0.1：8000，如果正常说明mezzanine的搭建第一步ok。

采用uwsgi + nginx 方案部署

前期准备

首先是安装nginx，uwsgi，再接着集中模板和静态文件，这样好配置静态路径

1. python manager.py collectstatic

2. python manager.py collecttemplates

3. sudo apt-get install nginx

4. sudo apt-get install uwsgi

请求的发送过程大概如下,如果在最后的测试中报错的话就得按照数据的走向来排查问题：

client --> nginx --> uwsgi --> mezzanine(django)

nginx 配置

安装好nginx之后，/etc/init.d/nginx start 即可以启动nginx，在页面访问80端口就能查看到nginx的欢迎页面。重要是配置： 
nginx的默认配置文件路径：/etc/nginx/ 
在/etc/nginx/sites-enabled 新建自己的配置文件，从sites-available拷贝一个default重命名为mysite_nginx.conf,编辑如下：

1. server {

2. listen 80 default_server;

3. listen [::]:80 default_server ipv6only=on;

4. root /home/gongfangbisai/app/myproject/; #网站的root目录

5. index index.html index.htm;

6. # Make site accessible from http://localhost/

7. server_name localhost;

8. location /static { #静态配置文件

9. autoindex on;

10. alias /home/gongfangbisai/app/myproject/static;

11. access_log off;

12. log_not_found off;

13. }

14. location / { #非静态请求，通过本地的8630端口来通信，这就是uwsgi后续要启动的端口

15. # First attempt to serve request as file, then

16. # as directory, then fall back to displaying a 404.

17. try_files $uri $uri/ =404;

18. # Uncomment to enable naxsi on this location

19. # include /etc/nginx/naxsi.rules

20. uwsgi_pass 127.0.0.1:8630;

21. include /home/gongfangbisai/app/myproject/uwsgi_params;

22. }

23. <div class="md-section-divider"></div>

修改完之后，可通过nginx -t 来测试配置文件是否有语法错误，确认ok之后即可启动。

uwsg 配置

wsgi.py的内容具体如下：

1. from __future__ import unicode_literals

2. import os

3. PROJECT_ROOT = os.path.dirname(os.path.abspath(__file__))

4. settings_module = "%s.settings" % PROJECT_ROOT.split(os.sep)[-1]

5. os.environ.setdefault("DJANGO_SETTINGS_MODULE", settings_module)

6. from django.core.wsgi import get_wsgi_application

7. application = get_wsgi_application()

8. <div class="md-section-divider"></div>

下面是配置wsgi： 
在网站根目录新建wsgi.xml，具体如下： 
(app)gongfangbisai@ubuntu:~/app/myproject$ cat wsgi.xml

1. <uwsgi>

2. <socket>127.0.0.1:8630</socket>

3. <master>true</master>

4. <chdir>/home/gongfangbisai/app/myproject/</chdir>

5. <pythonpath>..</pythonpath>

6. <module>wsgi</module>

7. <wsgi-file>wsgi.py</wsgi-file>

8. <enable-threads>true</enable-threads>>

9. <processes>4</processes>>

10. <plugin>python</plugin>

11. </uwsgi>

12. <div class="md-section-divider"></div>

socket 是和nginx通信接口，pythonpath 为..，这样才能包含djaong的setting，chdir为网站根目录。 
(app)gongfangbisai@ubuntu:~/app/myproject$ uwsgi -x wsgi.xml， 
启动起来之后访问首页ok，但是到一些具体的功能页的时候就报404，查看输出日志，uwsgi出现404的时候没动，nginx有日志，也就是说请求到了nginx就没发到uwsgi了，按道理应该是nginx的配置有问题，就查nginx的日志实在找不出问题，而且关键是想不到搜索的关键字，总报404于是就将nginx的配置文件的try_files uriuri/ =404;注释掉，这回uwsgi有输出了，显示如下： 
-- unavailable modifier requested: 0 -- 
搜索该关键字，很多人遇到这个问题，好吧，再把相应的库给装上吧

sudo apt-get install uwsgi-plugin-python 
装上库之后再sudo uwsgi -x wsgi.xml总报：

1. ImportError: No module named mezzanine

2. unable to load app 0 (mountpoint=‘‘) (callable not found or import error)

3. <div class="md-section-divider"></div>

找了一下，说是python的路径问题，直接在该环境下python，再找sys.path没问题，后来再一看是自己手贱多加了个sudo，导致python环境不对，去掉sudo 运行uwsgi OK。

XXE漏洞的构造

前期调研未做好，装了ubuntu13.04，装它的原因就是因为他最近没有报本地提权漏洞，有点因小失大。好吧，总不能从头安装mezzine吧，于是拿libxml下手，选用的python的lxml作为问题程序，其etree.so依赖libxml2和libxslt. 
于是安装存在xxe漏洞的libxml和libxlst，低于2.9.0，到http://xmlsoft.org/sources/ 下载相应的软件包，这里libxml选择2.8，libxlst选择1.2.27

1. gongfangbisai@ubuntu:~$ tar -zxvf libxslt-1.1.27.tar.gz

2. gongfangbisai@ubuntu:~$ cd libxslt-1.1.27/

3. gongfangbisai@ubuntu:~/libxslt-1.1.27$ ./configure&make 最后make install 它会装在/usr/local/lib目录下

4. <div class="md-section-divider"></div>

1. gongfangbisai@ubuntu:~/libxslt-1.1.27$ python

2. Python 2.7.6 (default, Jun 22 2015, 17:58:13)

3. [GCC 4.8.2] on linux2

4. Type "help", "copyright", "credits" or "license" for more information.

5. >>> from lxml import etree

6. Traceback (most recent call last):

7. File "<stdin>", line 1, in <module>

8. ImportError: /usr/lib/x86_64-linux-gnu/libxml2.so.2: version `LIBXML2_2.9.0‘ not found (required by /usr/lib/python2.7/dist-packages/lxml/etree.so)

9. >>>

10. gongfangbisai@ubuntu:~/libxslt-1.1.27$ ldd /usr/lib/python2.7/dist-packages/lxml/etree.so

11. /usr/lib/python2.7/dist-packages/lxml/etree.so: /usr/lib/x86_64-linux-gnu/libxml2.so.2: version `LIBXML2_2.9.0‘ not found (required by /usr/lib/python2.7/dist-packages/lxml/etree.so)

12. /usr/lib/python2.7/dist-packages/lxml/etree.so: /usr/lib/x86_64-linux-gnu/libxml2.so.2: version `LIBXML2_2.9.0‘ not found (required by /usr/lib/x86_64-linux-gnu/libxslt.so.1)

13. linux-vdso.so.1 => (0x00007fffb9cc6000)

14. libxslt.so.1 => /usr/lib/x86_64-linux-gnu/libxslt.so.1 (0x00007fca6d652000)

15. libexslt.so.0 => /usr/lib/x86_64-linux-gnu/libexslt.so.0 (0x00007fca6d43d000)

16. libxml2.so.2 => /usr/lib/x86_64-linux-gnu/libxml2.so.2 (0x00007fca6d0df000)

17. libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007fca6cec1000)

18. libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007fca6cafc000)

19. libgcrypt.so.11 => /lib/x86_64-linux-gnu/libgcrypt.so.11 (0x00007fca6c87d000)

20. libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007fca6c679000)

21. libz.so.1 => /lib/x86_64-linux-gnu/libz.so.1 (0x00007fca6c460000)

22. libm.so.6 => /lib/x86_64-linux-gnu/libm.so.6 (0x00007fca6c159000)

23. /lib64/ld-linux-x86-64.so.2 (0x00007fca6dc02000)

24. libgpg-error.so.0 => /lib/x86_64-linux-gnu/libgpg-error.so.0 (0x00007fca6bf55000)

安装完这两个软件后，通过strace python test.py > test.log 2>&1发现其还是依赖原先libxml，第一步想到的是update-alternatives,

1. gongfangbisai@ubuntu:~/app/myproject/static/media/uploads$ update-alternatives --list libxml

2. update-alternatives: error: no alternatives for libxml

怎么都不提示有两个版本的的libxml，那怎么办呢，强制修改软链接：

1. gongfangbisai@ubuntu:/usr/lib/x86_64-linux-gnu$ sudo ln -s /usr/local/lib/libxslt.so.1.1.27 libxslt.so

2. gongfangbisai@ubuntu:/usr/lib/x86_64-linux-gnu$ sudo rm libxslt.so.1

3. gongfangbisai@ubuntu:/usr/lib/x86_64-linux-gnu$ sudo ln -s /usr/local/lib/libxslt.so.1.1.27 libxslt.so.1

4. gongfangbisai@ubuntu:/usr/lib/x86_64-linux-gnu$ ldconfig

这样libxslt.so的依赖关系搞定了，通过同样的方式搞定libxml2，搞定这两个库之后，还是会提示etree.so依赖2.9的接口，怎么办呢，直接pip install -v lxml==3.0 这个xml版本就不存在依赖2.9接口的问题。在这里也引入了后面会遇到的一个问题，xx测试在python命令行中没有问题，但是在django环境中就有问题，总报库的依赖有问题，猛一回头发现是python虚拟环境搞得鬼，这个虚拟环境会引入libxml和libxslt这种系统lib下的库，但是像python的环境就不会引入，比如/usr/local/lib/python2.7/site-packages/下的，没办法只能在虚拟环境下重新安装了一遍lxml，这样就不会有库依赖的问题了。

gongfangbisai@ubuntu:~/app/myproject/static/media/uploads$ xmllint --noent a.xml //命令行测试比python更容易跟踪

解决了依赖问题，下面就是编码问题了： 
django的登录认证： 
./django/contrib/auth/views.py 在这里去掉修改密码的功能，注释掉password_change函数

去掉重置密码链接：直接注释用{#xxxx#}注释url链接 
编辑grappelli_safe/templates/registration/ 相关页面

修改上传页面的逻辑处理，对于xml加上对entity的解释功能，这样就能导入一个xxe漏洞，修改filebrowser_safe/views.py

1. def decode_string(target):

2. try:

3. result = target.decode(‘utf8‘).encode(‘utf8‘)

4. return (1,result)

5. except:

6. pass

7. try:

8. result = target.decode(‘gbk‘).encode(‘utf8‘)

9. return (2,result)

10. except:

11. pass

12. try:

13. result = target.decode(‘gb2312‘).encode(‘utf8‘)

14. return (3,result)

15. except:

16. pass

17. try:

18. result = target.decode(‘utf16‘).encode(‘utf8‘)

19. return (4,result)

20. except:

21. pass

22. try:

23. result = target.decode(‘latin1‘).encode(‘utf8‘)

24. return (5,result)

25. except:

26. pass

27. return ‘‘

28. def _upload_file(request):

29. for line in filedata.chunks():

30. code_type, line = decode_string(line)

31. if code_type != 4 and ‘ENTITY‘ in line:

32. msg = _(‘illegal xml, ENTITY found!!!!‘)

33. return HttpResponse(msg)

34. uploadedfile = default_storage.save(file_path, filedata)

35. if default_storage.exists(file_path) and file_path != uploadedfile:

36. default_storage.move(smart_text(uploadedfile), smart_text(file_path), allow_overwrite=True)

37. if file_path.lower().endswith(".xml"):

38. from lxml import etree

39. try:

40. msg = _(‘path:%s:%s:%s:%s‘ %(uploadedfile, file_path,directory,type(filedata.chunks())))

41. if default_storage.exists(file_path):

42. abs_path = smart_text(django_settings.MEDIA_ROOT + "/" + file_path)

43. tree = etree.parse(abs_path)

44. tree.write(abs_path)

45. # return HttpResponse(msg)

46. except Exception,e:

47. msg = _(‘IOERROR:%s‘ %(e))

48. return HttpResponse(msg)

本文出自 “python ubuntu” 博客，请务必保留此出处http://3502990.blog.51cto.com/3492990/1680126

基于mezzanine的攻防比赛环境搭建及漏洞构造

标签：攻防比赛 xxe mezzanine virtualenv

原文地址：http://3502990.blog.51cto.com/3492990/1680126