[XYCTF 2025 Web Signin] A quick look at how bottle's set_cookie and get_cookie work, and how a forged cookie reaches pickle deserialization in get_cookie to execute commands

Forging a bottle cookie to reach pickle deserialization

Understanding bottle's set_cookie and get_cookie

Let's look at the challenge source:

# -*- encoding: utf-8 -*-
'''
@File    :   main.py
@Time    :   2025/03/28 22:20:49
@Author  :   LamentXU 
'''
'''
flag in /flag_{uuid4}
'''
from bottle import Bottle, request, response, redirect, static_file, run, route
with open('../../secret.txt', 'r') as f:
    secret = f.read()

app = Bottle()
@route('/')
def index():
    return '''HI'''
@route('/download')
def download():
    name = request.query.filename
    if '../../' in name or name.startswith('/') or name.startswith('../') or '\\' in name:
        response.status = 403
        return 'Forbidden'
    with open(name, 'rb') as f:
        data = f.read()
    return data

@route('/secret')
def secret_page():
    try:
        session = request.get_cookie("name", secret=secret)
        if not session or session["name"] == "guest":
            session = {"name": "guest"}
            response.set_cookie("name", session, secret=secret)
            return 'Forbidden!'
        if session["name"] == "admin":
            return 'The secret has been deleted!'
    except:
        return "Error!"
run(host='0.0.0.0', port=8080, debug=False)

Directory traversal to read /secret.txt (the same file the application loads as its cookie signing secret). Once the secret is known, the question is what get_cookie does with a cookie that carries a valid signature:

# bottle 0.13, BaseRequest.get_cookie; the tail of the function after b64decode
# was cut off in the original post and is completed from the bottle source
def get_cookie(self, key, default=None, secret=None, digestmod=hashlib.sha256):
    value = self.cookies.get(key)
    if secret:
        # See BaseResponse.set_cookie for details on signed cookies.
        if value and value.startswith('!') and '?' in value:
            sig, msg = map(tob, value[1:].split('?', 1))
            hash = hmac.new(tob(secret), msg, digestmod=digestmod).digest()
            if _lscmp(sig, base64.b64encode(hash)):
                # signature matched, so the payload is trusted and unpickled as (key, value)
                dst = pickle.loads(base64.b64decode(msg))
                if dst and dst[0] == key:
                    return dst[1]
        return default
    return value or default
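As an added example (not the challenge's or bottle's own code), the signed-cookie layout above re-implemented stand-alone with a constructed secret: the HMAC check rejects tampering and a wrong secret, but with a known secret plain pickle.loads hands back whatever the payload names. The DataOnlyUnpickler and the JSON decoder are my own hardening variants, not bottle features.

```python
import base64, hashlib, hmac, io, json, os, pickle

SECRET = b"constructed-demo-secret"  # stand-in for the leaked secret.txt, not the real value

def _sig(secret, msg):
    return base64.b64encode(hmac.new(secret, msg, hashlib.sha256).digest())

def encode_cookie(key, value, secret, dumps=lambda o: pickle.dumps(o, -1)):
    """Same layout as bottle's set_cookie(secret=...): '!' + b64(hmac) + '?' + b64((key, value))."""
    msg = base64.b64encode(dumps((key, value)))
    return b"!" + _sig(secret, msg) + b"?" + msg

def decode_cookie(cookie, key, secret, loads=pickle.loads):
    """Same checks as bottle's get_cookie; `loads` is swappable to compare decoders."""
    if not (cookie.startswith(b"!") and b"?" in cookie):
        return None
    sig, msg = cookie[1:].split(b"?", 1)
    if not hmac.compare_digest(sig, _sig(secret, msg)):
        return None  # tampered or signed with another secret: payload is never deserialized
    dst = loads(base64.b64decode(msg))  # with pickle.loads this is the dangerous step
    return dst[1] if dst and dst[0] == key else None

class DataOnlyUnpickler(pickle.Unpickler):
    """Hardened decoder: refuses any pickle that references a module-level name."""
    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"cookie pickle references {module}.{name}")

def safe_loads(data):
    return DataOnlyUnpickler(io.BytesIO(data)).load()

def demo():
    out = {}
    good = encode_cookie("name", {"name": "guest"}, SECRET)
    out["roundtrip"] = decode_cookie(good, "name", SECRET)
    out["tampered"] = decode_cookie(good[:-4] + b"AAAA", "name", SECRET)
    out["wrong_secret"] = decode_cookie(good, "name", b"not-the-secret")
    # Payload that merely references a function (os.getcwd is named, never called):
    # once the secret is known, plain pickle.loads resolves that reference for the caller.
    ref = encode_cookie("name", os.getcwd, SECRET)
    out["plain_pickle_returns_callable"] = callable(decode_cookie(ref, "name", SECRET))
    try:
        decode_cookie(ref, "name", SECRET, loads=safe_loads)
        out["restricted"] = "accepted"
    except pickle.UnpicklingError:
        out["restricted"] = "blocked"
    # JSON carries the same (key, value) pair with no ability to name code at all.
    js = encode_cookie("name", {"name": "guest"}, SECRET, dumps=lambda o: json.dumps(o).encode())
    out["json"] = decode_cookie(js, "name", SECRET, loads=json.loads)
    return out
```

The takeaway for the challenge: the signature only proves the cookie was made with the secret, and the secret is what the /download traversal leaks, so the serialization format is the remaining line of defence.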