访问/source下载源代码www.zip
直接看源码
from flask import Flask, request, redirect, g, send_from_directory
import sqlite3
import os
import uuid
app = Flask(name)
SCHEMA = “””CREATE TABLE files (
id text primary key,
path text
);
“””
def db():
g_db = getattr(g, ‘_database’, None)
if g_db is None:
g_db = g._database = sqlite3.connect(“database.db”)
return g_db
@app.before_first_request
def setup():
os.remove(“database.db”)
cur = db().cursor()
cur.executescript(SCHEMA)
@app.route(‘/’)
def hello_world():
return “””
Select image to upload:
“””
@app.route(‘/source’)
def source():
return send_from_directory(directory=”/var/www/html/”, path=”www.zip”, as_attachment=True)
@app.route(‘/upload’, methods=[‘POST’])
def upload():
if ‘file’ not in request.files:
return redirect(‘/’)
file = request.files[‘file’]
if “.” in file.filename:
return “Bad filename!”, 403
conn = db()
cur = conn.cursor()
uid = uuid.uuid4().hex
try:
cur.execute(“insert into files (id, path) values (?, ?)”, (uid, file.filename,))
except sqlite3.IntegrityError:
return “Duplicate file”
conn.commit()
file.save('uploads/' + file.filename)
return redirect('/file/' + uid)@app.route(‘/file/’)
def file(id):
conn = db()
cur = conn.cursor()
cur.execute(“select path from files where id=?”, (id,))
res = cur.fetchone()
if res is None:
return “File not found”, 404
# print(res[0])
with open(os.path.join("uploads/", res[0]), "r") as f:
return f.read()if name == ‘main‘:
app.run(host=’0.0.0.0′, port=80)
最后一行有点问题
with open(os.path.join(“uploads/”, res[0]), “r”) as f: return f.read()
当res[0]为绝对路径时,打开的就是绝对路径,不会进行拼接
所以用burp修改文件名为 //flag,跳转就读取到//flag文件了
意思是在上传文件
有一个小问题,我们在尝试上传图片马也就是//php木马时,burp会自行改形式为image/jpeg图片内容,我们既然需要伪造//flag文件,就需要改相应的格式。如: text/plain
具体包如下:
给了上传地址直接访问就可
这道题学会了个新姿势就是当res[0]为绝对路径时,我们可以直接跳转到最后文件地址而不需要补齐界面的文件,直接跳转//flag界面