看一道还算有意思的题
源码直接扔这里了
import glob
import os
import re
import sys
import time

from flask import Flask, render_template, request
# Module-level state shared by every request handler.
nums = 0        # id of the next template file create() will write
locked = False  # crude busy flag set/cleared by the request handlers
app = Flask(__name__)
@app.route('/')
@app.route('/index')
def domain():
    """Landing page: both `/` and `/index` answer with a literal greeting."""
    greeting = 'Hello'
    return greeting
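@app.route('/create')
def create():
    """Write a fresh `<nums>.html` template and return it rendered.

    Returns the rendered template on success, otherwise
    "Something fail. <reason>" (LOCKED, or "templates full" once more
    than 9999 templates exist).  Any failure is reported as text; nothing
    propagates to the caller.
    """
    global nums, locked
    # Reject while another request holds the flag.  Checked outside the
    # try block so that a rejected request never clears a flag it did not
    # set (the old except-path reset did exactly that), and without
    # `assert`, which is stripped under `python -O`.
    if locked:
        return "Something fail. LOCKED"
    locked = True
    # NOTE(review): a module-level flag is not a real lock; under the
    # threaded dev server two requests can still both pass the check.
    try:
        default_content = "<h1>2</h1>"
        if nums > 9999:
            raise Exception("templates full")
        with open(f'./templates/{nums}.html', 'w') as f:
            f.write(default_content)
        msg = render_template(f'{nums}.html')
        # If rendering does not give back exactly what was just written,
        # the server shuts itself down via kill().
        if msg != default_content:
            kill()
        nums += 1
    except Exception as e:
        msg = f"Something fail. {e}"
    finally:
        # Always release the flag, whichever path was taken.
        locked = False
    return msg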
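@app.route('/show/<int:tid>')
def show(tid):
    """Render template `<tid>.html` from ./templates.

    Returns the rendered template, or "Something fail. <reason>" when the
    busy flag is set or the file does not exist.
    """
    global locked
    # Checked outside the try block so a rejected request never clears a
    # flag another request set (the old except-path reset did that), and
    # without `assert`, which is stripped under `python -O`.
    if locked:
        return "Something fail. LOCKED"
    locked = True
    # NOTE(review): a module-level flag is not a real lock; under the
    # threaded dev server two requests can still both pass the check.
    try:
        if not os.path.exists(f'./templates/{tid}.html'):
            raise Exception('file not found')
        # The file is executed as a Jinja template, not served as static
        # HTML; whatever edit() stored there runs here.
        msg = render_template(f'{tid}.html')
    except Exception as e:
        msg = f"Something fail. {e}"
    finally:
        locked = False
    return msg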
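@app.route('/edit/<int:tid>', methods = ["POST"])
def edit(tid):
    """Overwrite template `<tid>.html` with the uploaded form file `edit.html`.

    Returns 'ok' on success, otherwise "Something fail. <reason>" where the
    reason is LOCKED, a missing template, or a missing upload.
    """
    global locked
    # Checked outside the try block so a rejected request never clears a
    # flag another request set (the old except-path reset did that), and
    # without `assert`, which is stripped under `python -O`.
    if locked:
        return "Something fail. LOCKED"
    locked = True
    # NOTE(review): a module-level flag is not a real lock; under the
    # threaded dev server two requests can still both pass the check.
    try:
        if not os.path.exists(f'./templates/{tid}.html'):
            raise Exception('file not found')
        if not request.files.get('edit.html'):
            raise Exception('Please give me edit file')
        f = request.files['edit.html']
        # NOTE(review): the upload is stored verbatim and later handed to
        # render_template() by show(), i.e. executed as a Jinja template.
        # Untrusted content here is a server-side template injection
        # risk; user-supplied HTML should be served as a static file or
        # escaped rather than rendered.
        f.save(f'./templates/{tid}.html')
        msg = 'ok'
    except Exception as e:
        msg = f"Something fail. {e}"
    finally:
        locked = False
    return msg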
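@app.route('/kill')
def kill():
    """Stop the Werkzeug development server.

    Raises RuntimeError when the shutdown hook is absent instead of the
    bare TypeError from calling None.  Newer Werkzeug releases no longer
    expose `werkzeug.server.shutdown` in the WSGI environ.
    """
    # NOTE(review): this endpoint has no authentication; anyone who can
    # reach the server can stop it.
    func = request.environ.get('werkzeug.server.shutdown')
    if func is None:
        raise RuntimeError('werkzeug.server.shutdown is not available')
    func()
    return 'server exiting.'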
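# Start from an empty ./templates directory (nums starts at 0 above).
# Plain os/glob calls instead of shelling out to `mkdir` / `rm`.
if not os.path.exists('templates'):
    os.mkdir('templates')
else:
    for stale in glob.glob('./templates/*.html'):
        os.remove(stale)
# Werkzeug's development server bound on every interface; none of the
# routes above require authentication.
app.run(host='0.0.0.0', port=5001)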
做这题的时候遇到了一个匪夷所思的事情：我一直用同一个端口，第二次搭建环境就不能正常启动了，大无语？不知道是什么神奇的 bug。
发现我们更改过文件后，渲染出来的仍然是原来的模板（旧模板被缓存了，没有重新加载）。
考虑让模板缓存溢出？
果然，重新渲染了，可以直接 SSTI 咯。
改一下 html 文件里的 payload 就 ok。