PWNHUB-one-flask

看一道还算有意思的题

源码直接扔这里了

import glob
import os
import re
import sys
import time

from flask import Flask, render_template, request

# Process-global state shared by the route handlers below.
nums = 0        # id of the next template /create will write
locked = False  # single-request lock flag that create/show/edit check and set
app = Flask(__name__)

@app.route('/')
@app.route('/index')
def domain():
    """Serve the landing page: a fixed plain-text greeting for ``/`` and ``/index``."""
    greeting = 'Hello'
    return greeting

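@app.route('/create')
def create():
    """Create the next numbered template and render it once.

    Writes ``./templates/{nums}.html`` with fixed default content, renders it
    through Flask and advances the global counter only when everything
    succeeded.

    Returns:
        The rendered template on success, or ``"Something fail. <reason>"``
        when the lock is held, the template limit is reached, or writing /
        rendering raises.
    """
    global nums, locked
    acquired = False
    try:
        # Explicit check instead of ``assert``: asserts are stripped under
        # ``python -O``, which would silently disable the lock.
        if locked:
            raise RuntimeError("LOCKED")
        locked = True
        acquired = True

        default_content = "<h1>2</h1>"
        if nums > 9999:
            raise Exception("templates full")

        with open(f'./templates/{nums}.html', 'w', encoding='utf-8') as f:
            f.write(default_content)

        msg = render_template(f'{nums}.html')
        # Anti-tamper check: if the rendered output is not the content that
        # was just written, kill() asks the server to shut down.
        if msg != default_content:
            kill()
        nums += 1
    except Exception as e:
        msg = f"Something fail. {e}"
    finally:
        # Release the lock only if this request took it. The previous
        # unconditional reset let a request rejected with "LOCKED" free a
        # lock that another request was still holding.
        if acquired:
            locked = False
    return msg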

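@app.route('/show/<int:tid>')
def show(tid):
    """Render ``./templates/{tid}.html`` and return the result.

    Args:
        tid: numeric template id; Flask's ``int`` converter guarantees an
            integer, so the id itself cannot carry path components.

    Returns:
        The rendered template, or ``"Something fail. <reason>"`` when the lock
        is held, the file does not exist, or rendering raises.
    """
    global locked
    acquired = False
    try:
        # Explicit check instead of ``assert`` (stripped under ``python -O``).
        if locked:
            raise RuntimeError("LOCKED")
        locked = True
        acquired = True

        if not os.path.exists(f'./templates/{tid}.html'):
            raise Exception('file not found')

        # NOTE(security): the file is rendered as a Jinja2 template, and /edit
        # lets clients replace its content, so any template expression in an
        # uploaded file is evaluated server-side (SSTI). Serving the file as
        # escaped or static content would remove that exposure.
        msg = render_template(f'{tid}.html')
    except Exception as e:
        msg = f"Something fail. {e}"
    finally:
        # Only the request that took the lock releases it; resetting it
        # unconditionally (as before) let a rejected request free another
        # request's lock.
        if acquired:
            locked = False
    return msg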

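@app.route('/edit/<int:tid>', methods=["POST"])
def edit(tid):
    """Overwrite ``./templates/{tid}.html`` with the uploaded ``edit.html`` file.

    Args:
        tid: numeric id of an existing template (``int`` converter, so the id
            itself cannot traverse out of ``./templates``).

    Returns:
        ``'ok'`` on success, otherwise ``"Something fail. <reason>"`` when the
        lock is held, the template does not exist, or no file was uploaded.
    """
    global locked
    acquired = False
    try:
        # Explicit check instead of ``assert`` (stripped under ``python -O``).
        if locked:
            raise RuntimeError("LOCKED")
        locked = True
        acquired = True

        if not os.path.exists(f'./templates/{tid}.html'):
            raise Exception('file not found')

        # Same truthiness test as before, with a single lookup: a missing or
        # empty upload is rejected.
        upload = request.files.get('edit.html')
        if not upload:
            raise Exception('Please give me edit file')

        # NOTE(security): the content is written verbatim and later handed to
        # render_template by /show, so client-supplied Jinja2 expressions are
        # executed server-side (SSTI). Validate or escape the content here, or
        # stop treating these files as templates, if that is not intended.
        upload.save(f'./templates/{tid}.html')
        msg = 'ok'
    except Exception as e:
        msg = f"Something fail. {e}"
    finally:
        # Release only a lock this request actually acquired.
        if acquired:
            locked = False
    return msg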

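@app.route('/kill')
def kill():
    """Ask the Werkzeug development server to shut down.

    No authentication guards this route, so any client that can reach the
    server can stop it; it is also called internally by create().

    Raises:
        RuntimeError: if the WSGI environ has no ``werkzeug.server.shutdown``
            hook (not running under the dev server, or a Werkzeug release
            that no longer provides it). The previous code called ``None``
            in that case and failed with a bare ``TypeError``.
    """
    func = request.environ.get('werkzeug.server.shutdown')
    if func is None:
        raise RuntimeError('Not running with the Werkzeug Server')
    func()
    return 'server exiting.'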

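# Start with an empty ./templates directory: create it if missing, otherwise
# drop any .html files left over from a previous run. Done in-process with
# os/glob instead of ``os.system('mkdir ...')`` / ``os.system('rm ...')`` so
# no shell is spawned for a fixed file operation.
if not os.path.exists('templates'):
    os.makedirs('templates', exist_ok=True)
else:
    for stale in glob.glob('./templates/*.html'):
        os.remove(stale)

# Development server bound to every interface; no TLS and no auth on any route.
app.run(host='0.0.0.0', port=5001)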

做这题的时候遇到了一个匪夷所思的事情，那就是我一直用同一个端口，

第二次环境就不能正常搭建，大无语？不知道是什么神奇的 bug

发现我们更改过文件后仍然储存的是原来的模板

考虑让模板溢出？

image-20220505222209998

果然，重新渲染了，可以直接 SSTI 咯

改一下 html 文件里的 payload 就 ok