一道简单的flask-web题

Comments

PKU的一道简单flask web题 感觉挺有意思的
代码如下

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
import os
import json
from shutil import copyfile
from flask import Flask,request,render_template,url_for,send_from_directory,make_response,redirect
from werkzeug.middleware.proxy_fix import ProxyFix
from flask import jsonify
from hashlib import md5
import signal
from http.server import HTTPServer, SimpleHTTPRequestHandler

os.environ['TEMP']='/dev/shm'

app = Flask("access")
app.wsgi_app = ProxyFix(app.wsgi_app, x_for=1 ,x_proto=1)


@app.route('/',methods=['POST', 'GET'])
def index():
    if request.method == 'POST':
        f=request.files['file']
        os.system("rm -rf /dev/shm/zip/media/*")
        path=os.path.join("/dev/shm/zip/media",'tmp.zip')# 拼接文件路径
        f.save(path)
        os.system('timeout -k 1 3 unzip /dev/shm/zip/media/tmp.zip -d /dev/shm/zip/media/')
        os.system('rm /dev/shm/zip/media/tmp.zip')
        return redirect('/media/')
    response = render_template('index.html')
    return response

@app.route('/media/',methods=['GET'])
@app.route('/media',methods=['GET'])
@app.route('/media/<path>',methods=['GET'])
def media(path=""):
    npath=os.path.join("/dev/shm/zip/media",path)
    if not os.path.exists(npath):
        return make_response("404",404)
    if not os.path.isdir(npath):
        f=open(npath,'rb')
        response = make_response(f.read())
        response.headers['Content-Type'] = 'application/octet-stream'
        return response
    else:
        fn=os.listdir(npath)
        fn=[".."]+fn
        f=open("templates/template.html")
        x=f.read()
        f.close()
        ret="<h1>文件列表:</h1><br><hr>"
        for i in fn:
            tpath=os.path.join('/media/',path,i)
            ret+="<a href='"+tpath+"'>"+i+"</a><br>"
        x=x.replace("HTMLTEXT",ret)
        return x


os.system('mkdir /dev/shm/zip')
os.system('mkdir /dev/shm/zip/media')

app.run(host="0.0.0.0",port=8080,debug=False,threaded=True)

大意为用户上传一个zip压缩包,服务器端解压后显示压缩包内的内容并且可以下载paste image类似这样。

我们可以利用Linux的软链接实现文件读取paste image下面制作一个存在软连接的zip压缩包

zip flag.zip flag –symlinks

paste image直接下载文件得到读取的flag文件

flag{NeV3r_trUSt_Any_C0mprEsSEd_File}

  • Copyright Notice: All articles in this blog, unless otherwise stated, are under the CC BY 4.0 CN agreement.Reprint please indicate the source!

PoloCTFer&Cybersec Researcher

Wong