
Dreamhack Where-is-localhost WriteUp

Roronoa 2025. 1. 26. 03:07

Solution

Keyword: IPv4-mapped IPv6 address

Source code

from flask import Flask, render_template, request
import ipaddress
import urllib.parse
import urllib.request
import urllib.error

app = Flask(__name__)

try:
    with open('flag') as f:
        flag = f.read()
except FileNotFoundError:
    flag = 'flag{this_is_a_fake_flag}'

@app.route('/')
def form():
    return render_template('index.html')

@app.route('/vuln', methods=['POST'])
def vuln():
    name = request.form.get('vulntest')
    try:
        address = ipaddress.ip_address(name)
        if address.version == 4:
            return "no..."
        url = urllib.parse.urlparse(f"http://[{address.exploded}]:5000/localonly")
        if url.netloc != f'[{address.exploded}]:5000':
            print(url.netloc, f'[{address.exploded}]')
            return "no..."
        req = urllib.request.Request(url.geturl())
        return urllib.request.urlopen(req).read().decode('utf-8')
    except ValueError:
        return "no..."
    except urllib.error.URLError:
        return "connection refused"

@app.route('/localonly', methods=['GET'])
def localonly():
    addr = ipaddress.ip_address(request.remote_addr)
    if addr.is_loopback and addr.version == 4:
        return flag
    else:
        return 'not loopback'

if __name__ == '__main__':
    app.run('0.0.0.0', 5000, debug=True)

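  1. If address.version == 4 the handler returns "no...", so the input has to be an IPv6 address.
  2. The handler then sends a request, and that request has to go out over IPv4.
  3. The address has to be a loopback address (is_loopback).

Conclusion!!

We need a loopback IP address that is an IPv6 address but can also be sent over IPv4.

This can be solved with an IPv4-mapped IPv6 address!!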

POC

0:0:0:0:0:ffff:127.0.0.1
::ffff:127.0.0.1
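
Why both POC values get past the version test in /vuln, and how the result changes when the mapped address is unwrapped before the policy is applied. This is an added example, not part of the challenge source; `effective_address`, `challenge_check_passes`, `hardened_check_passes` and `describe` are hypothetical names, the hardened policy is an assumption, and the sample inputs are constructed.

```python
import ipaddress

# Constructed sample inputs: the two POC forms plus contrast cases.
SAMPLES = ["127.0.0.1", "::ffff:127.0.0.1", "0:0:0:0:0:ffff:127.0.0.1",
           "::1", "2001:db8::1", "not-an-ip"]

def effective_address(name):
    """Parse name; unwrap an IPv4-mapped IPv6 address to its embedded IPv4."""
    addr = ipaddress.ip_address(name)
    if addr.version == 6 and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped
    return addr

def challenge_check_passes(name):
    """Same test as /vuln: only the family of the parsed literal is inspected."""
    try:
        return ipaddress.ip_address(name).version != 4
    except ValueError:
        return False

def hardened_check_passes(name):
    """Hypothetical stricter policy: judge the unwrapped address instead."""
    try:
        addr = effective_address(name)
    except ValueError:
        return False
    return addr.version == 6 and not addr.is_loopback

def describe(name):
    """Return (version, exploded, effective address) for a valid literal."""
    addr = ipaddress.ip_address(name)
    return addr.version, addr.exploded, str(effective_address(name))

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s!r:30} challenge={challenge_check_passes(s)!s:5} "
              f"hardened={hardened_check_passes(s)!s:5}")
```

`describe` returns the exploded form that /vuln places in the URL, which still carries the embedded IPv4 address as `7f00:0001`.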

 

FLAG

 
