考察:任意文件读取
获取网卡地址
伪随机
打开界面,点击read somethings直接进行了跳转
直接修改url,发现没显示,但是访问错误的路由就会有no response
读取flag也无果,那就读一下/app/app.py,为什么读这个,因为做了很多题文件路径都是这个
# encoding:utf-8
import re, random, uuid, urllib
from flask import Flask, session, request
app = Flask(__name__)
random.seed(uuid.getnode())
app.config['SECRET_KEY'] = str(random.random()*233)
app.debug = True
@app.route('/')
def index():
session['username'] = 'www-data'
return 'Hello World! <a href="/read?url=https://baidu.com">Read somethings</a>'
@app.route('/read')
def read():
try:
url = request.args.get('url')
m = re.findall('^file.*', url, re.IGNORECASE)
n = re.findall('flag', url, re.IGNORECASE)
if m or n:
return 'No Hack'
res = urllib.urlopen(url)
return res.read()
except Exception as ex:
print str(ex)
return 'no response'
@app.route('/flag')
def flag():
if session and session['username'] == 'fuck':
return open('/flag.txt').read()
else:
return 'Access denied'
if __name__=='__main__':
app.run(
debug=True,
host="0.0.0.0"
)
发现需要修改cookie,密钥就是网卡mac伪随机生成的
直接读取网卡 /sys/class/net/eth0/address
import random random.seed(0x0242ac02b16c) print(str(random.random()*233))
这里如果python3不对,就改为python2,然后flask_session生成cookie
最后获得flag