Notice
Recent Posts
Recent Comments
Link
«   2025/01   »
1 2 3 4
5 6 7 8 9 10 11
12 13 14 15 16 17 18
19 20 21 22 23 24 25
26 27 28 29 30 31
Tags more
Archives
Today
Total
관리 메뉴

FU11M00N

[ DreamHack ] file-download-1 본문

Web Hacking/DreamHack

[ DreamHack ] file-download-1

호IT 2021. 3. 28. 05:14

- 문제 정보

File Download 취약점이 존재하는 웹 서비스입니다.
flag.py를 다운로드 받으면 플래그를 획득할 수 있습니다.

#!/usr/bin/env python3
import os
import shutil

from flask import Flask, request, render_template, redirect

from flag import FLAG

APP = Flask(__name__)

UPLOAD_DIR = 'uploads'


@APP.route('/')
def index():
    files = os.listdir(UPLOAD_DIR)
    return render_template('index.html', files=files)


@APP.route('/upload', methods=['GET', 'POST'])
def upload_memo():
    if request.method == 'POST':
        filename = request.form.get('filename')
        content = request.form.get('content').encode('utf-8')

        if filename.find('..') != -1:
            return render_template('upload_result.html', data='bad characters,,')

        with open(f'{UPLOAD_DIR}/{filename}', 'wb') as f:
            f.write(content)

        return redirect('/')

    return render_template('upload.html')


@APP.route('/read')
def read_memo():
    error = False
    data = b''

    filename = request.args.get('name', '')

    try:
        with open(f'{UPLOAD_DIR}/{filename}', 'rb') as f:
            data = f.read()
    except (IsADirectoryError, FileNotFoundError):
        error = True


    return render_template('read.html',
                           filename=filename,
                           content=data.decode('utf-8'),
                           error=error)


if __name__ == '__main__':
    if os.path.exists(UPLOAD_DIR):
        shutil.rmtree(UPLOAD_DIR)

    os.mkdir(UPLOAD_DIR)

    APP.run(host='0.0.0.0', port=8000)

파일을 아무거나 하나 작성하고 읽어보면

read?name=test

name 파라미터로 값을 요청함.

 

name파라미터에 flag.py로 요청하면 플래그가 출력할것같았으나 아니길래,

상위 경로를 추가해서 ../flag.py로 요청하니 flag 출력이됨.

 

 

 

'Web Hacking > DreamHack' 카테고리의 다른 글

[ DreamHack ] proxy-1  (0) 2021.03.28
[ DreamHack ] image-storage  (0) 2021.03.28
[ DreamHack ] xss-1  (0) 2021.03.28
[ DreamHack ] pathtraversal  (0) 2021.03.28
[ Dreamhack ] simplesqli  (0) 2021.03.28
'Web Hacking/DreamHack' Related Articles more
Comments